
Proof of Concept

[MORNINGSTAR-2009-02] Multiple security issues in Cute News and UTF-8 Cute News

------------------------------------------------------------------------------------------------------------------------
These vulnerabilities were discovered and researched by Andrew Horton 
(urbanadventurer) from MorningStar Security.


8. Technical Description / Proof of Concept
------------------------------------------------------------------------------------------------------------------------

8.1 Introduction

Many past advisories have been published for Cute News. An unpatched LFI 

CORE-2009-0827: Microsoft Office Excel / Word OfficeArtSpgr Container Pointer Overwrite Vulnerability

This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies during Bugweek 2009 [1].


8. *Technical Description / Proof of Concept Code*


8.1. *Excel / Word - OfficeArtSpgr container - invalid recType value
leads to attacker controlled pointer usage [MSRC 9368]*


[MORNINGSTAR-2009-01] Multiple security issues in Open Auto Classifieds version <= 1.5.9

----------------------------------------------------------------------------------------------
These vulnerabilities were discovered and researched by Andrew Horton 
(urbanadventurer) from MorningStar Security.


8. Technical Description / Proof of Concept
----------------------------------------------------------------------------------------------

8.1 Introduction

Open Auto Classifieds powers many car dealer websites. No advisories for 

CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

*Credits*
This vulnerability was discovered by Lucas Lavarello from the CORE
Security Consulting Services (CORE SCS) team.

*Technical Description / Proof of Concept Code*

The standard protocol that AIM clients use to communicate is called OSCAR
(Open System for CommunicAtion in Realtime), which is a closed protocol
also used by AOL's secondary Instant Messaging client, ICQ (I Seek You).
On top of the OSCAR protocol, AIM clients have implemented support for

RE: CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

[Kil13r-SA-20100513] Adobe Flash Player 10.0 Denial Of Service Vulnerability

O 0  LastErr 00000000 ERROR_SUCCESS
EFL 00250202 (NO,NB,NE,A,NS,PO,GE,G)
...

The rest is omitted.
For more information see Proof of Concept screen shot.

Proof of Concept code:
http://www.kil13r.info/data/aaa.zip

Proof of Concept screen shot:

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection

echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
nc localhost 80 < payload

C) "Cherokee" log escape sequence injection

The following Proof Of Concept can be used in order to verify the
vulnerability.

curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a

D) "thttpd" log escape sequence injection

CORE-2009-0803: Virtual PC Hypervisor Memory Protection Vulnerability

7. *Credits*

This vulnerability was discovered by Nicolas Economou from Core Security
Technologies. Technical analysis and proof-of-concept tools were
developed by Nicolas Economou and Diego Juarez from Core's Exploit
Writers Team.


8. *Technical Description / Proof of Concept Code*

CORE-2009-0813: Windows Movie Maker and Microsoft Producer IsValidWMToolsStream() Heap Overflow

This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies during Bugweek 2009 [1].


8. *Technical Description / Proof of Concept Code*

An exploitable vulnerability was found in Windows Movie Maker, which can
be triggered by a remote attacker by sending a specially crafted .MSWMM
file and enticing the user to open it. This vulnerability results in a
write access violation and can lead to remote code execution.

CORE-2010-0514: XnView MBM Processing Heap Overflow

Olea and Nahuel Riva from Core Security Technologies. Publication of
this advisory was coordinated by Carlos Sarraute from Core Security
Advisories team.


8. *Technical Description / Proof of Concept Code*

XnView is prone to a security vulnerability when processing MBM files.
The version used in our tests is XnView 1.97.4 running on Windows 2000
SP4. By enticing the user of XnView to open a specially crafted file, a
remote attacker may exploit this vulnerability to gain arbitrary code

TWSL2012-002: Multiple Vulnerabilities in WordPress

After the successful installation of WordPress, a malicious user can inject
malicious PHP code via the WordPress Themes editor. In addition, with control
of the database store, malicious JavaScript can be injected into the content
of WordPress, yielding persistent Cross Site Scripting.

Proof of Concept:

Servers Involved

A.B.C.D = Target WordPress Web Server
W.X.Y.Z = Malicious User's MySQL Instance

Lighttpd Proof of Concept code for CVE-2011-4362

--- CUT ---

The first column is the offset, so the vulnerability is triggered as it should be
(negative offsets). The second column is the byte which is read out of bounds.

How to run this very primitive Proof of Concept?

$ gcc p_cve-2011-4362.c -o p_cve-2011-4362
$ ./p_cve-2011-4362 

        ...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...

SEC Consult SA-20071101-0 :: Multiple Vulnerabilities in SonicWALL SSL-VPN Client

The WebCacheCleaner ActiveX Control provides the method FileDelete()
which, working as advertised, allows the attacker to delete arbitrary
files on the client.


=== Proof of Concept 1  (VBScript) ===

dim o
Set o = CreateObject("MLWebCacheCleaner.WebCacheCleaner.1")
o.FileDelete("c:\bla\bla")


Jira Enterprise 4.0.1 - Multiple Low Risk Vulnerabilities

Cross Site Script Redirection:
The "returnUrl" GET parameter of ViewIssue.jspa does not sufficiently
sanitize user input, allowing the Data URI scheme to be
used in an attack.

Proof of Concept URL:
ViewIssue.jspa?id=[VALID_ID]&watch=true&returnUrl=data:text/html,<script>alert(0)</script>


Non-Persistent Script Injection:
The "returnUrl" GET parameter of default.jspa does not sanitize

Multiple vulnerabilities in OpenEMR

1) Multiple Local File Inclusion vulnerabilities in OpenEMR

1.1 Input passed via the "formname" GET parameter to /contrib/acog/print_form.php is not properly verified before being used to include local files. 
This can be exploited to include local files via directory traversal sequences and URL-encoded NULL bytes.

The following PoC (Proof of Concept) demonstrates the vulnerability:

http://[host]/contrib/acog/print_form.php?formname=../../../etc/passwd%00

1.2 Input passed via the "formname" GET parameter to /interface/patient_file/encounter/load_form.php, /interface/patient_file/encounter/view_form.php and /interface/patient_file/encounter/trend_form.php is not properly verified before being used to include local files. 
This can be exploited to include local files via directory traversal sequences and URL-encoded NULL bytes.

[HISPASEC] 2K7SEPT6 X-Diesel Unreal Commander v0.92 (build 573) multiple FTP-based vulnerabilities

Since more than enough \..\..\ will just bring the path to the disk root, the
attacker can choose any location on the disk to write the file to. The file can,
for example, overwrite a critical system file or create a file in the Autostart
folder.

See Proof of Concept exploit at the bottom of this advisory.


2. Remote FTP DoS
When connecting to a malformed FTP server, Unreal Commander sends a CWD /
command. If the malformed FTP server replies with a "550 CWD Operation not permitted"

CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

This vulnerability was discovered and researched by Jorge Luis Alvarez
Medina from Core Security Consulting Services (SCS). Additional research
was made by Federico Muttis from Core Security Exploit Writers Team (EWT).


8. *Technical Description / Proof of Concept Code*

Internet Explorer uses a feature known as URL Security Zones [2], which
defines a set of privileges for Web sites and applications depending on
their apparent level of trustworthiness. The zones available in the
product include:

CORE-2009-0122: HP OpenView Buffer Overflows

These vulnerabilities were discovered and researched by Oren Isacson
from Core Security Technologies.


7. *Technical Description / Proof of Concept Code*

Several buffer overflows have been found in HP OpenView Network Node
Manager, which can be exploited to remotely compromise a user's system.

While working on an exploit for the vulnerabilities disclosed in the

CORE-2009-0420 - Apple CUPS IPP_TAG_UNSUPPORTED Handling null pointer Vulnerability

This vulnerability was discovered and researched by Anibal Sacco from
the CORE IMPACT Exploit Writing Team (EWT) at Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

This vulnerability identified in CUPS is caused by a bad 'ip' structure
initialization in the function 'ippReadIO()', located in 'cups/ipp.c',
when processing a specially crafted IPP (Internet Printing Protocol)
with two consecutive 'IPP_TAG_UNSUPPORTED' tags. This flaw could be

CORE-2008-1128: Openfire multiple vulnerabilities

These vulnerabilities were discovered and researched by Federico Muttis,
from CORE IMPACT's Exploit Writing Team (EWT), Core Security Technologies.


8. *Technical Description / Proof of Concept Code*

Multiple cross-site scripting vulnerabilities have been found in
Openfire, which may lead to arbitrary remote code execution on the
server running Openfire due to unauthorized upload of Java plugin
code.

CORE-2007-0821: Lotus Notes buffer overflow in the Lotus WorkSheet file processor

the fact that it is possible to send a malicious attachment with a
seemingly innocuous file name and extension, and have the Lotus Notes
client show a graphic icon for the attachment that corresponds to the
filename extension and not to the actual contents of the file.

Proof of concept snippets
The following snippet of Python code generates a .123 file that triggers
the bug when it is processed by vulnerable versions of the library. The
proof-of-concept file will only trigger an exception for debugging
purposes (int 3) but it makes it evident that exploitation of the bug in
order to execute any arbitrary code is possible.

[CORE-2010-1001] Cisco WebEx .atp and .wrf Overflow Vulnerabilities

9. *Report Timeline*

. 2010-10-04:
Core Security Technologies contacts Cisco PSIRT using their provided PGP
key notifying them of the vulnerabilities and sending an advisory draft,
a proof of concept for the WebEx Player vulnerability, and a proof of
concept for the Meeting Center vulnerability including details of how to
reproduce both vulnerabilities, and details about the behaviour of the
PoC for the Player vulnerability on Windows XP SP2 (which overwrites EIP
with 0x41414141 on that platform). October 18th 2010 (a two-week
timeframe) is set as a potential release date for the advisory.

Windows SMB NTLM Authentication Weak Nonce Vulnerability

6. Technical description
6.1. NTLMv1 authentication protocol
6.2. The Flaws
6.3. Detecting if the SMB service generates duplicate 8-byte challenges
6.4. Exploiting duplicate challenges
6.4.1. Proof-of-Concept Exploit
6.5. Predicting challenges
6.5.1. SMB service: challenge generation process
6.5.2. Proof-of-Concept Exploit
7. References
8. Disclaimer

iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)

        
   This condition occurs if a TEL URI is activated at the same time
   Safari is closed by launching an external application, for example
   launching the SMS application (in order to handle a SMS URI [2]). The
   SMS application can be launched through placing a SMS URI as the
   source of an iframe. This is shown in the first proof-of-concept
   exploit below.
        
   Further investigation showed that this behavior can be reproduced by
   launching other applications such as: Maps, YouTube, and iTunes.
   Launching these applications can be achieved through loading special

Re: iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)

Re: iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)

Re: iPhone Safari phone-auto-dial vulnerability (original date: Nov. 2008)

[waraxe-2007-SA#057] - Unauthorized File Upload in SiteX CMS

SiteX CMS contains third-party scripts from FCKeditor. One of them is
"includes/fck/editor/filemanager/upload/php/upload.php". This particular
script does not perform any check of user validity, so anyone can try
to upload files to a SiteX-powered website.

Here is a proof-of-concept file for testing:

------------>[proof-of-concept]<-----------
<html>
<body>
<center>

[HISPASEC] 2K7SEPT6 Total Commander 7.01 Remote FTP Client Directory Traversal

Since more than enough \..\..\ will just bring the path to the disk root, the
attacker can choose any location on the disk to write the file to. The file can,
for example, overwrite a critical system file or create a file in the Autostart
folder.

See Proof of Concept exploit at the bottom of this advisory.

== Vendor status and solution ==

The vendor has been informed and has released a new version (7.02) with this
issue being fixed.

Family Connections 1.8.2 Blind SQL Injection (Correct Version)

/*

        Family Connection <= 1.8.2 - Remote Command Execution
        
        Proof of Concept - Written by Salvatore "drosophila" Fresta

        The following software will create a file (rce.php) in the
        specified path using a Blind SQL Injection bug. To exec remote
        commands, you must open the file using a browser.
        

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.