HTC devices running Android 2.1 and Android 2.2 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and read arbitrary files, via a ../ in a pathname.
Description:
Current HTC / Android phones include a Bluetooth stack, which provides Bluetooth communications with other remote devices. The File Transfer Profile (OBEX FTP) is one of the Bluetooth services that may be implemented in the stack.
The OBEX FTP service is a software implementation of the File Transfer Profile (FTP). The File Transfer Profile (FTP) is intended for data exchange and it is based on the OBEX communications client-server protocol. The service is present in a large number of Bluetooth mobile phones. This service can be used for sending files from the phone to other remote devices and also allows remote devices to browse shared folders and download files from the phone.
In HTC / Android phones, the default directory of the OBEX FTP Server is the SDCard. Only files placed in the SDCard directory can be shared. The user cannot select another directory, so sensitive files related to the operating system are not exposed.
There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Bluetooth Stack implemented in HTC devices running Android 2.1 and Android 2.2. The OBEX FTP Server is a 3rd party driver developed by HTC and installed on HTC devices running the Android operating system, so the vulnerability affects this vendor specifically.
The full path to the backup file is as follows:
http://site/wp-content/backup-xxxxx/database_wp_20070605_704.sql.gz
To reach the backup, both the folder name and the file name must be revealed. They
can be revealed separately: first the folder, and only then the file.
1. Folder name (backup-xxxxx): it is "backup-" + 5 characters from the md5 alphabet,
giving 1048576 combinations.
1. 32Bit Version of Panda Security for Desktops/File Servers
+-----------------------------------------------------------
During installation of Panda Security for Desktops/File Servers the
permissions for installation folder
%ProgramFiles%\Panda Software\AVTC\
by default are set to Everyone:Full Control. A few services
(e.g. PAVSRV51.EXE) are started from this folder. Services are started
addition it is possible to load a file in a less privileged security
zone through one of the following mechanisms:
- Mark of the Web (MOTW).
- Zone.Identifier Alternate Data Stream.
- Page is loaded from a special folder, such as the Temporary Internet
Files folder.
Elevation to a higher privileged security zone is not possible through
the listed mechanisms. ClickOnce does not support these mechanisms when
evaluating the security zone of a ClickOnce application. Thus if an
Windows systems should be aware of these aliases and handle them
appropriately.
Often, by using 8.3 aliases for files, one can bypass IDS/IPS detection,
and evade filters and file restrictions. This can be a result of the
fact that only the long versions of file and folder names will be
restricted and the alias will not match the long filename.
Referencing files using their 8.3 aliases can even change how the files
are handled, due to truncation of the file extension in the event that
the file extension is longer than three characters. This problem is
Vulnerability 1: Backdoor to Mailboxes
--------------------------------------
For some reason, Xerox decided to integrate a backdoor into the scan
system of the WorkCentre 5665 / 5675 / 5678 web interface. Scan folders
("mailboxes") can be protected with a password. The documentation says
on folder passwords:
"A folder password may or may not be required depending on the Scan
Policies set by the administrator. If a password is required to create
$method = intval(trim($_POST['method']));
$handle = opendir($path);
$_folders = array();
$i = 0;
while (false !== ($file = readdir($handle)))
{
[FILE CONTENTS]
- -----------/
Cookies are stored in independent text files (one for each domain)
inside the cookies folder (usually located at '\Documents and
settings\USERNAME\Cookies' in all Windows NT-based implementations). The
cookie file name is structured in the following manner:
/-----------
- HTC devices running Windows Mobile 5.0
- Other vendors’ Windows Mobile devices
References: http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/HTC-Windows-Mobile-OBEX-FTP-Service-Directory-Traversal.html
Summary:
HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service. Exploiting this issue allows a remote authenticated attacker to list arbitrary directories, and write or read arbitrary files, via a ../ in a pathname. This can be leveraged for code execution by writing to a Startup folder.
Description:
There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Bluetooth Stack implemented in HTC devices running Windows Mobile 6 and Windows Mobile 6.1. The OBEX FTP server is located in \Windows\obexfile.dll. Microsoft states this is a 3rd party driver developed by HTC and installed on HTC devices running Windows Mobile, so the vulnerability only affects this vendor specifically.
A remote attacker (who has previously obtained authentication and authorization rights) can use tools like ObexFTP or gnomevfs-ls from a Linux box to traverse to parent directories outside the default Bluetooth shared folder by using ../ or ..\\ sequences.
-----------------------------
A] upload directory traversal
-----------------------------
An attacker can upload a specific file outside the destination folder,
with the possibility of overwriting existing files, using the
upload feature available for the user's folder, the forum and the other
possible virtual folders.
The attacker must have the needed privileges for uploading files (by
poll.php ;
Lines 2,3,4 ;
$folder = "poll"; // Folder in which poll files are -- (default folder is "poll")
include("".$_SERVER[DOCUMENT_ROOT]."/$folder/functions.php");
include("".$_SERVER[DOCUMENT_ROOT]."/$folder/config.php");
pollarchive.php
Source file: /var/www/zenphoto_1_3/zp-core/functions-db.php line: 65
Additional details:
SQL Query:
SELECT `id`, `album_theme` FROM `zp_albums` WHERE `folder` LIKE
"1ACUSTART'"*" OR `folder` LIKE "1ACUSTART'"*/
ACUEND"
Stack trace:
1. query([string] "SELECT `id`, `album_theme` FROM `zp_albums` WHERE
~ Core Security Technologies - CoreLabs Advisory
~ http://www.coresecurity.com/corelabs
Path Traversal vulnerability in VMware's shared folders implementation
*Advisory Information*
Title: Path Traversal vulnerability in VMware's shared folders implementation
Advisory ID: CORE-2007-0930
Quality Center (QC) is a web-based QA testing and management tool. It became an HP product when HP took over Mercury Interactive last year.
The front-end of the application is composed of COM components that plug into the web browser. Quality Center provides a customization capability (called workflow) which allows the administrator to modify the default behavior. This workflow is driven by VBScript functions that are called whenever a particular event occurs on the client front-end.
In order to optimize the interaction speed of the application, a cache folder is created on the client machine. By default, this folder is located at %tmp%/TD_80. Whenever a user connects to a Quality Center project, 2 folders are created within the cache folder. One of these folders contains a copy of the workflow scripts used to customize the application. Indeed, those files are required on the client machine because the workflow is executed on the client, not on the server.
There exists 1 VBScript workflow file per feature. Those are:
* Login/Logout (common.tds)
* Defects module (defects.tds)
* Manual Test Execution (manrun.tds)
"Change the database name:
When using an Access database, all the data is stored in a single file,
unlike the other databases. So caution should be taken in where you store
your Access database as it can be downloaded by anyone if they know the
path.
If you store your Access database in a folder outside of your www folder (or
wherever you keep the files for the rest of your site), then you should be
safe because no one can download your database if it is outside of your www
folder.
If you store your database in a cgi-bin folder, or in your www folder, then
it is strongly recommended that you change the default database name from
Notes feature of the Timbuktu Pro client.
Timbuktu Pro is able to send Flash Notes (like an instant message) and
attach files to those notes. Both the message (which will be written to
a text file once received by the target) and the files attached to the
note are transferred to a temporary folder inside the target's installation
folder (default path is C:\Program Files\Timbuktu Pro\). The file
transfer begins unnoticed by the target user. Once the
transfer is complete, the target user is shown a dialogue on the screen
that displays the message with the names of the files attached.
perl -MCPAN -e shell
install Filesys::SmbClientParser
III. DESCRIPTION
-------------------------
If a host scans your shared folder with a tool that uses this module,
you can execute shell commands on that host.
This module has the following snippet of code:
my @var = `$pargs`;
2.2.1. Exploit:
Check the exploit/POC section.
2.3. Information Leakage. Database path disclosure in "/cms/include/trigger.asp" and/or "/cms/include/common2.asp".
2.3.1. Exploit:
Check the exploit/POC section.
2.4. Failure to Restrict URL Access. Attacker can delete any folder on the server by "/cms/assetmanager/folderdel_.asp".
2.4.1. Exploit:
Check the exploit/POC section.
2.5. Failure to Restrict URL Access. Attacker can create folder on the server by "/cms/assetmanager/foldernew.asp".
2.5.1. Exploit:
Check the exploit/POC section.
Avast! Professional Edition <= 4.8.1356
Avast! Home Edition <= 4.8.1356
DETAILS
Avast! installs some program files with insecure permissions. The "Everyone" group has "Full Control" rights to the files/folders in the following path: "%Program Files%\Alwil Software\Avast4\Data". This means that any unprivileged user can modify, delete or change permissions of any file in the DATA folder. The folder consists of data, executable and configuration files. As a result, multiple attack vectors are possible.
Vulnerability #1 Local privilege escalation (CVE-2009-3524)
A local attacker (unprivileged user) can modify the %Program Files%\Alwil Software\Avast4\Data\avast4.ini file. The "ISAPIFilter1" parameter in avast4.ini contains the filename or full path of the ISAPI filter module, originally "ashWsFtr.dll". An attacker can replace the original path with the path to the attacker's malicious dynamic library (DLL). After a restart the attacker's DLL will be loaded with SYSTEM privileges. This is a local privilege escalation vulnerability.
-----------------------------------------------
A] authorization bypassing in log visualization
-----------------------------------------------
The FTPLogServer folder available in the WS_FTP WebService is used for
the visualization and the downloading of the log entries collected by
the Logger Server used for any logging operation of the IpSwitch
servers (like both WS_FTP and the same WebService).
Naturally, viewing the logs requires knowing the administration
References: http://www.seguridadmobile.com/windows-mobile/windows-mobile-security/Microsoft-Bluetooth-Stack-Directory-Traversal.html
Description:
Most Windows Mobile 5.0 & 6 devices are shipped with the Microsoft Bluetooth stack; only a few of them use others, such as the Widcomm Bluetooth stack. Among all the Bluetooth services that may be implemented in the stack, OBEX FTP is the most common service.
The OBEX FTP Bluetooth service can be used to share files through Bluetooth, not only by sending files but also by allowing remote devices to browse local shared folders and download files. Usually, the service is configured so that a specific directory is shared and the user can place there all the files he would like to share with other people. The default directory is My Device\My Documents\Bluetooth Share. A different directory may be selected by the user; however, the Bluetooth wizard usually does not allow choosing any directory outside the My Device\My Documents\ or Memory Card\My Documents\ paths. This is for safety reasons, so that the user cannot expose sensitive files or information through Bluetooth.
There exists a Directory Traversal vulnerability in the OBEX FTP Service in the Microsoft Bluetooth Stack implemented in Windows Mobile 5.0 & 6 devices. A remote attacker (who has previously obtained authentication and authorization rights) can use tools like ObexFTP to traverse to parent directories outside the default Bluetooth shared folder. This means the attacker can browse folders located on a lower level, download files contained in those folders, and upload files to those folders.
The only requirement is that the attacker must have authentication and authorization privileges over the OBEX FTP service. Pairing with the remote Windows Mobile device should be enough to get them. Once the attacker has obtained the proper privileges, further actions are transparent to the user.
view is set to user and task is set to save_usercategory
is not properly sanitised before being used in a SQL
query. This can be exploited to manipulate SQL queries
by injecting arbitrary SQL code.
The parameter folder passed to imagehandler.php is not
properly sanitised before being used in a SQL query. This can
be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
The following is the affected code.
#!/usr/bin/perl
###############################################################
# COMRaider Idefense Labs CreateFolder() and Copy() Insecure Method (Hard Disk Filler Exploit)
#
# Discovered and Exploited by : Khashayar Fereidani
# Http://IRCRASH.com & Http://Fereidani.ir
#
###############################################################
# Help :
# perl comraider.pl
======
2) Bug
======
HFS allows the uploading of files to the real folders added to the
Virtual File System.
The problem is that an attacker can upload files outside the
destination folder, reaching the root or any other directory on the disk
on which the upload folder is located, using the ../ pattern.
----- HTTP POST request ------------------------------------------------
<iq sid="73aaafec4a8db27af49c4c43bca4ac13"
uid="1239870305230" type="get" format="json">
<query xmlns="webmail:iq:items">
<account uid="user@example.com">
<folder uid="Files">
<item>
<values>
<evntitle> </evntitle>
<evnnote> </evnnote>
[..]
WordPress 2.6 - 2.7.1 are vulnerable.
Information Leakage (WASC-13) + Directory Traversal (WASC-33):
On the page (in the list under the link "Click to view entire list of files which
will be deleted"), the list of files in the current folder and its subfolders is
shown.
In folder http://site/wp-content/plugins/:
http://site/wp-admin/plugins.php?_wpnonce=e0dc6c722b&action=delete-selected&checked[]=
~ VMware Server 1.0.4 and earlier
~ VMware Fusion 1.1 and earlier
3. Problem description:
~ a. Host to guest shared folder (HGFS) traversal vulnerability
~ On Windows hosts, if you have configured a VMware host to guest
~ shared folder (HGFS), it is possible for a program running in the
~ guest to gain access to the host's file system and create or modify
~ executable files in sensitive locations.