ush.it - a beautiful place

Aerohive HiveManager Classic Privilege Escalation Vulnerability

September 4, 2017 at 5:12 pm - Filed under Hacks - 706 words, reading time ~2 minutes

Sandro "guly" Zaccarini found a critical vulnerability in Aerohive HiveManager Classic 8.1r1. The vulnerability allows a local unprivileged user, normally restricted to a Tenant environment, to execute code on the underlying system.

QNAP QTS Domain Privilege Escalation Vulnerability

March 22, 2017 at 4:49 pm - Filed under Hacks - 1222 words, reading time ~4 minutes

Pasquale "sid" Fiorillo found a critical vulnerability in QNAP QTS allowing the recovery of the Domain Admin password. This password is "encrypted" with XOR and the key is a single byte! Any web application or extraneous software running on your QNAP system can access this configuration file and jeopardize your entire network if the NAS uses domain authentication for its users.

Veeam Backup & Replication Local Privilege Escalation Vulnerability

October 8, 2015 at 5:02 pm - Filed under Hacks - 1737 words, reading time ~5 minutes

Pasquale "sid" Fiorillo found a critical vulnerability in Veeam Backup & Replication versions 6, 7 and 8. At the time of writing this impacts a very large number of updated and outdated/legacy Veeam deployments. The vulnerability allows a local unprivileged user of a Windows guest to gain Local and/or Domain Administrator access when VeeamVixProxy is active, the de-facto default in VMWare and Hyper-V environments.

ARC v2011-12-01 Multiple vulnerabilities

November 22, 2012 at 11:34 am - Filed under Hacks - 1408 words, reading time ~4 minutes

Simone "negator" Onofri and Luca "beinux3" Napolitano found multiple issues in ARC2, a library providing RDF and SPARQL functionality to PHP applications and working with MySQL as the backend. The vulnerabilities found include SQL Injection and XSS.

Pixelpost (Calendar addon 1.1.6) 1.7.3 Multiple vulnerabilities

April 7, 2011 at 5:46 pm - Filed under Hacks - 1033 words, reading time ~3 minutes

Simone "negator" Onofri found multiple issues in a nice image gallery script that he was going to use for his personal purposes; perhaps it's better to wait a couple of releases before using this in production. Since the vendor was not responsive this is a forced release. The vulnerabilities found include Blind SQL Injection and XSS.

Vtiger CRM 5.2.0 Multiple Vulnerabilities

November 16, 2010 at 10:46 pm - Filed under Hacks - 1279 words, reading time ~4 minutes

Giovanni "evilaliv3" Pellerano and Alessandro "jekil" Tanasi found multiple vulnerabilities in Vtiger CRM 5.2.0, a software we already audited in the past. High impact (for a web application) findings include a Remote Command Execution issue (thanks to a possible bypass in the file upload extension blacklist) and a Local File Inclusion that can be exploited by unauthenticated users. Two separate Cross Site Scripting issues have been found, the first on the login.

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection

January 11, 2010 at 2:16 am - Filed under Hacks, Language EN - 2587 words, reading time ~8 minutes

If you have read our previous article Jetty 6.x and 7.x Multiple Vulnerabilities you are already familiar with an attack vector called log escape sequence injection. It allows remote attackers to remotely exploit terminal emulator vulnerabilities that may occur when files containing escape sequences are displayed in an unsafe manner. While the real issue belongs to the terminals, programs that do not sanitize their output make this vector relevant in the real world.

Jetty 6.x and 7.x Multiple Vulnerabilities

October 25, 2009 at 5:00 am - Filed under Hacks, Language EN - 2607 words, reading time ~8 minutes

Jetty is a pure Java application server used by big players like Google (Google AppEngine, Google Web Toolkit) and many projects and products like Eclipse, Alfresco Developers, Bea WebLogic Business Connect and WebLogic Event Server, Cisco Subscriber Edge Services Manager, Sybase EAServer, Apache Geronimo, HP OpenView Interconnect Tools and HP Openview Self-Healing, JFox, Zimbra Desktop and others (a more complete list is here: http://docs.codehaus.org/display/JETTY/Jetty+Powered). Finding a bug in such a widespread component is definitely interesting as the exploitation scenarios are many. We were procrastinating a little too much on this advisory but a CORE advisory burned some of our research and this month we found the time to contact the vendor and follow our disclosure procedure. As always, enjoy the reading!

Vtiger CRM 5.0.4 Multiple Vulnerabilities

August 18, 2009 at 3:55 pm - Filed under Hacks, Language EN - 1780 words, reading time ~5 minutes

In our publication PHP filesystem attack vectors - Take Two we highlighted some issues that can occur in applications written in PHP that make use of filesystem operations. This advisory for the Vtiger CRM application, version 5.0.4, is an example of how such generic issues can impact the security of a real world application.

PHP filesystem attack vectors - Take Two

July 26, 2009 at 2:31 am - Filed under Hacks, Language EN - 2669 words, reading time ~8 minutes

Did you enjoy our previous "PHP filesystem attack vectors" research? This is the second part and continuation of that paper and it highlights new ways to evade filters using some path normalization issues. Have a nice reading!

SugarCRM 5.2.0e Remote Code Execution

June 13, 2009 at 6:44 pm - Filed under Hacks, Language EN - 1524 words, reading time ~5 minutes

FormMail 1.92 Multiple Vulnerabilities

May 12, 2009 at 4:19 am - Filed under Hacks, Language EN - 1928 words, reading time ~6 minutes

Do you remember FormMail? I hope so. It's Perl code belonging to the past, the glorious 1995 Internet era. FormMail is a CGI script used to create contact forms, but not a common one: it's historical, with millions of downloads and a dedicated Wikipedia page (http://en.wikipedia.org/wiki/FormMail). By the way, it's still used in both small and big deployments. FormMail development stopped in 1996, with the exception of security updates, and the last security issue is from April 19, 2002. Now one could expect a software to be bug-free after 13 years of feature freeze and "stable" status. Well.. this is why we are here : ) Don't expect code execution, just enjoy the reading.

Zabbix 1.6.2 Frontend Multiple Vulnerabilities

March 3, 2009 at 9:10 pm - Filed under Hacks, Language EN - 1792 words, reading time ~5 minutes

Multiple vulnerabilities exist in the Zabbix front end software, ranging from Remote Code Execution (RCE) to Cross Site Request Forgery (CSRF) and Local File Inclusion (LFI).

PHP filesystem attack vectors

February 8, 2009 at 3:13 am - Filed under Hacks, Language EN - 6792 words, reading time ~22 minutes

On Apr 07, 2008 I spoke with Kuza55 and Wisec about an attack I had found some time before that was a new attack vector for filesystem functions (fopen, (include|require)[_once]?, file_(put|get)_contents, etc) for the PHP language. It was a path normalization issue and I asked them to keep it "secret" [4]; this was a good idea because my analysis was mostly incomplete and erroneous, but the idea was good and the bug was real and disposable.

XSS Cheat Sheet: non repeating payloads

January 26, 2009 at 12:40 pm - Filed under Hacks, Language EN - 206 words, reading time ~0 minutes

We always try to add something on topics discussed in old articles; if you liked XSS Cheat Sheet: the PLAINTEXT tag and XSS Cheat Sheet: two stage payloads perhaps you'll like this one. This article contains a more complete list of ways to avoid multiple execution of your payloads; it's a fast read!

25C3 (CCC Congress 2008) Tricks: makes you smile

January 6, 2009 at 10:58 pm - Filed under Team, Hacks, Language EN - 969 words, reading time ~3 minutes

Finally back from CCC Conference 2008; thanks Berlin, you always provide heaps of fun!

Remote Command Execution in Moodle

December 16, 2008 at 4:30 pm - Filed under Hacks, Language EN - 926 words, reading time ~3 minutes

Last week we released on Bugtraq and FD an advisory about a remote command execution in Moodle 1.9.3. Unfortunately the vendor refused to issue a security release to allow an easy fix of the problem, since there are too many issues related to register_globals On in Moodle. We strongly advise end users to manually disable the vulnerable code by removing the file "filter/tex/texed.php", as exploits are emerging in the wild.

Collabtive 0.4.8 Multiple Vulnerabilities

November 11, 2008 at 1:42 pm - Filed under Hacks, Language EN - 913 words, reading time ~3 minutes

Luckily sometimes there's the time to publish advisories and go through the lengthy "responsible"-disclosure process. Antonio discovered multiple vulnerabilities in Collabtive, a project management software, ranging from a stored XSS and an authentication bypass that leads to the creation of additional administrative users, to an arbitrary file upload vulnerability combined with weak seeding. Have a good reading.

Shared hosting "file" handler PHP session dumper

September 9, 2008 at 6:02 pm - Filed under Hacks, Language EN - 519 words, reading time ~1 minutes

[Note: safely skip the descriptive part and go directly to the tool if you already know how PHP does session handling.] Sessions are a great feature as they allow developers to store sensitive data for a limited amount of time (the session lifetime) without having to ping-pong the whole dataset to and from the client. A session mechanism can be implemented at the "user" level in the application code, but most of the languages used to develop web applications provide various built-ins to accomplish the task. This is the case for PHP and its famous "session" module (Session Support in phpinfo()). The $_SESSION array can be used transparently and the session just has to be started with session_start() (or even started automatically at the configuration level with session.auto_start).

LFI2RCE (Local File Inclusion to Remote Code Execution) advanced exploitation: /proc shortcuts

August 18, 2008 at 12:47 pm - Filed under Hacks, Language EN - 1388 words, reading time ~4 minutes

mod_negotiation: directory listing, filename bruteforcing

July 2, 2008 at 2:40 pm - Filed under Hacks, Language EN - 2259 words, reading time ~7 minutes

As the first of a set of three, this paper explains in detail how to abuse some functionality exposed by mod_negotiation, an Apache module enabled by default on many (most?) vanilla setups. The reference platform is a freshly installed Debian Etch system. The "Accept:" HTTP request header allows optimizing the number of requests needed to discover (bruteforce) filenames and extensions in the absence of directory listing. Details follow, a good reading for a hot summer!

Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities

May 20, 2008 at 3:38 pm - Filed under Hacks, Language EN - 1568 words, reading time ~5 minutes

Together with Antonio "s4tan" Parata we are glad to release a forced disclosure advisory, "Mantis Bug Tracker 1.1.1 Multiple Vulnerabilities", because CVEs were emerging about the same issues disclosed to the vendor. The advisory includes an XSS in return_dynamic_filters.php, a CSRF in manage_user_create.php that allows the creation of administrative accounts, and code execution in adm_config_set.php.

WiKID wClient-PHP <= 3.0-2 Multiple XSS Vulnerabilities

April 11, 2008 at 4:27 pm - Filed under Hacks, Language EN - 782 words, reading time ~2 minutes

We found multiple XSS issues in the sample code of the PHP Network client for WiKID, a Strong Authentication System. In detail, the identified reflected XSS issues were in the "login" page forms. A pretty standard issue from a technical standpoint: $PHP_SELF was not properly escaped and sanitized before being echoed back to the client, definitely a known scenario that still affects many different software.

Cacti 0.8.7a Multiple Vulnerabilities

April 4, 2008 at 12:33 am - Filed under Hacks, Language EN - 1934 words, reading time ~6 minutes

Together with my friend Antonio "s4tan" Parata we released this advisory affecting Cacti 0.8.7a. The issues found include XSS, SQL Injection, Path Disclosure and HTTP Response Splitting. Some bugs are logical flaws related to the use of $_REQUEST: in detail, filters were applied to $_GET or $_POST but later $_REQUEST was used. Since $_REQUEST is built in an order defined in php.ini (normally GPC) it was possible to bypass the check and inject the malicious payload in POST or COOKIE for GET, and in COOKIE for POST.

Detect NoScript POC

October 11, 2007 at 6:40 pm - Filed under Hacks, Language EN - 816 words, reading time ~2 minutes

I was looking for a NoScript detector, something that could tell me if the user has JS disabled in the Firefox preferences or by the NoScript plugin written by Maone, and found nothing. To repair this I wrote this trivial POC that is able to accomplish the task; it performs fingerprinting based on the behavior of the browser under the different possible conditions and is really reliable from the measurements done until now.

GreenSQL, a MySQL firewall, bypassed.

October 4, 2007 at 6:17 pm - Filed under Hacks, Language EN - 546 words, reading time ~1 minutes

Today on the mailing list one of our pupils, remix, posted about GreenSQL, "an Open Source database firewall used to protect databases from SQL injection attacks". In other words, something that stands to SQL as mod_security stands to HTTP.

Original Photo Gallery Remote Command Execution

October 2, 2007 at 9:54 pm - Filed under Hacks, Language EN - 666 words, reading time ~2 minutes

We found a severe vulnerability in the Original script, a photo gallery software. Remote command execution (directly into an exec()) is possible with register_globals on, regardless of the PHP version.

Scanning DMZ hosts with remote file opening

August 29, 2007 at 8:03 pm - Filed under Hacks, Language EN - 886 words, reading time ~2 minutes

Today Stefano had a nice idea on how to (ab)use remote furl enabled functions that normally could lead to a mere DoS. The options are Drive By Pharming, bruteforcing routers and HTTP based authentication, and Full LAN Scan. Sounds interesting? It is.

Architecture detection by PHP anomaly

August 22, 2007 at 1:09 am - Filed under Hacks, Language EN - 595 words, reading time ~1 minutes

Sometimes it's right to enjoy a more relaxed entry.

XSS Cheat Sheet: two stage payloads

June 27, 2007 at 12:34 am - Filed under Hacks, Language EN - 2093 words, reading time ~6 minutes

When exploiting XSS holes you often find yourself working around size/length and character limitations. To avoid this type of problem a technique called "two stage payloads" comes to help. It's generally used when exploiting memory management vulnerabilities but applies to the XSS world too. The very basic idea is to have the payload divided in two parts: one that has to be injected at the entry point (PAY_ENTRY) and one that contains the actual data (PAY_DATA).

XSS Cheat Sheet: the PLAINTEXT tag

June 10, 2007 at 10:21 pm - Filed under Hacks, Language EN - 775 words, reading time ~2 minutes

When performing XSS attacks it often happens that the payload is displayed, and executed, multiple times, resulting in unwanted and unexpected behaviors. This can be avoided in many ways, for example using global variables in JS (eg: window['started'] = true;) and checking for the variable's existence at the very beginning of the payload, but when the filters are crazy and every char requires a notable effort (or when you are just in a hurry) one cheat gets the job done: the <PLAINTEXT> tag.

Firefox <= 2.0.0.3 DOM Keylogger (bypass same-origin policy)

June 3, 2007 at 9:20 pm - Filed under Hacks, Language EN - 542 words, reading time ~1 minutes

On 30 May the Mozilla Foundation announced in its MFSA (Mozilla Foundation Security Advisory) 2007-16 a bug discovered by moz_bug_r_a4 able to bypass the same-origin policy using the addEventListener helper. Needless to say you can do really nasty things by exploiting this hole, ranging from XSS attacks to keystroke logging, with no same-origin limitation. If you are impatient jump directly to the demo DOM Event Keylogger.

Shadowpage vulnerability: the page that doesn't exist (Multiple browsers affected)

May 7, 2007 at 12:15 pm - Filed under Hacks, Language EN - 179 words, reading time ~0 minutes

Yesterday I (Francesco `ascii` Ongaro) found a low impact bug: basically it is possible to make the user visit a page that is not listed in the back/next button history. The fun happens when self.location.replace() is pointing to a page that issues an HTTP/1.x 302 Redirect + Location. Neither the initial page nor the redirect page will be listed.

PHP import_request_variables() arbitrary variable overwrite

March 9, 2007 at 3:29 am - Filed under Hacks, Language EN - 1401 words, reading time ~4 minutes

My friend Stefano di Paola and I have discovered that a PHP function used to emulate register_globals on is able to overwrite any variable (including $_SESSION and $_SERVER) with the exception of $GLOBALS. Naturally during the Month of PHP bugs :)

Php Nuke wild POST XSS

March 9, 2007 at 12:47 am - Filed under Hacks, Language EN - 1530 words, reading time ~5 minutes

To demonstrate the import_request_variables() bug I've exploited an XSS flaw in PHP NUKE 8.0 that has an anti-CSRF routine. The import_request_variables() vulnerability will permit you to exploit a wide range of vectors (XSS, remote file inclusion, remote code execution, SQL injections, etc.) on software that makes use of it.

Bad url redirections (AKA: Many thanks to our partners!)

January 30, 2007 at 1:36 am - Filed under Hacks, Language EN - 724 words, reading time ~2 minutes

This story is mostly funsec, if you can't handle funsec stop reading :) You have just developed your brand new application, its name is EVIL.EXE. It's a very good application but nobody will install it without good partners.. You need somebody trusted by users who is willing to distribute it. So.. Let's go! Find some good partners.

Pseudo threading with BASH

January 27, 2007 at 7:17 pm - Filed under Hacks, Language EN - 567 words, reading time ~1 minutes

This night I was in the process of mirroring all the tmbo.org daily pics for fast viewing. Their site has to be hosted on an ADSL link (like ush.it, hey this site is on a 200kbs/300kbs link, very unprofessional but no one can raid [stupid wordpress plug-in, this is not RAID in the sense of Redundant Disk Array but raid the verb] our server without our knowledge, think about the autistici/inventati aruba raid for example).

HttpOnly Cookies and Mozilla Firefox

July 28, 2006 at 12:04 am - Filed under Hacks, Language EN - 800 words, reading time ~2 minutes

This is an English translation of "HttpOnly e Firefox", a whitepaper by my friend Stefano Di Paola written in Italian.
Original Italian version: http://www.wisec.it/sectou.php

EXIF Phun

May 30, 2006 at 3:00 pm - Filed under Hacks, Language IT - 1130 words, reading time ~3 minutes

WARNING: MASSIVE PR0N USE

LugVR Contest 01: Google Maps Reverse Solution

May 9, 2006 at 9:52 pm - Filed under Hacks, Language IT - 1944 words, reading time ~6 minutes

Google Maps reversed: this is the solution to the first LugVR Contest, whose topic was reversing Google Maps. See the contest launch article for more information. Note: this reverse of Google Maps was done from scratch, ignoring the other resources on the subject, which you can nonetheless find listed at the end of the article.

LugVR Contest 01: Google Maps Reverse

May 9, 2006 at 8:44 pm - Filed under Hacks, Language IT - 571 words, reading time ~1 minutes

The first LugVR Contest ended on the 7th; the topic: reversing Google Maps. Interesting, isn't it? For everyone who is tired of using the API and the official interface. The next article will be the solution to the contest.

Practical XSS n1

April 14, 2006 at 3:06 am - Filed under Hacks, Language EN - 503 words, reading time ~1 minutes

This is a short email I wrote in reply to v9 AT fakehalo.us on vuln-dev@securityfocus.com focused on how to exploit XSS vulnerabilities in the real world.

Milkeyway Captive Portal Multiple Vulnerabilities

March 16, 2006 at 3:31 am - Filed under Hacks, Language EN - 560 words, reading time ~1 minutes

Milkeyway is a software for the management and administration of internet access within public structures and frameworks, where the provision of the service must be subject to scrupulous inspection. Nearly all SQL queries are vulnerable to SQL injection. There are also some XSS vulnerabilities.

PmWiki remote file inclusion exploit

February 1, 2006 at 3:59 am - Filed under Hacks, Language EN - 881 words, reading time ~2 minutes

The purpose of this article is to make the impact of some vulnerabilities exposed in the PmWiki Multiple Vulnerabilities and PHP5 Globals Vulnerability advisories easily understandable.

Port scanning with online services

January 29, 2006 at 3:12 am - Filed under Hacks, Insecurity, Language EN - 45 words, reading time ~0 minutes

Some service misuse examples.

PHP5 Globals Vulnerability

January 25, 2006 at 9:30 pm - Filed under Hacks, Language EN - 769 words, reading time ~2 minutes

PHP5 Globals Vulnerability: with ?GLOBALS[foobar] you can set the value of the uninitialized $foobar variable.

PmWiki Multiple Vulnerabilities

January 24, 2006 at 7:23 pm - Filed under Hacks, Language EN - 1063 words, reading time ~3 minutes

This is both a PmWiki and PHP advisory, and works only with register_globals on. I totally missed the PHP GLOBALS[] GPC injection vulnerability and rediscovered it on my own (if only a few months earlier! argh!). Basically, in the worst scenario we are in front of two separate vulnerabilities: one regarding arbitrary remote file inclusion and code execution in PmWiki on PHP 5.x with globals on, and the other about the reintroduction of a bug that should have been fixed in 5.0.5 but works (at least) on the 2 most recent versions of PHP5.

Port scanner with dnsstuff

January 14, 2006 at 6:47 pm - Filed under Hacks, Insecurity, Language EN - 805 words, reading time ~2 minutes

Dnsstuff is a great service often integrated into browsers, widgets and extensions. They offer a number of tests (DNS Report, DNS Timing, WHOIS Lookup, Abuse Lookup, Domain Info, Spam database lookup, Reverse DNS lookup, IPWHOIS Lookup, City From IP, IP Routing Lookup, DNS lookup, Traceroute, Ping, ISP cached DNS lookup) and other conversion/math tools (URL deobfuscator, Free E-mail Lookup, CIDR/Netmask, E-mail Test, CSE HTML Validator, Decimal IPs). Where applicable the tool is both IPv4 and IPv6 capable.

WebCalendar Multiple Vulnerabilities

November 28, 2005 at 2:05 pm - Filed under Hacks, Language EN - 1131 words, reading time ~3 minutes

WebCalendar is vulnerable to four SQL Injections (files activity_log.php, admin_handler.php, edit_template.php and export_handler.php) and one local file overwrite (export_handler.php); input validation will fix them.

Free Web Stat Multiple XSS Vulnerabilities

November 25, 2005 at 2:15 am - Filed under Hacks, Language EN - 1095 words, reading time ~3 minutes

FreeWebStat 1.0 rev37 (the last version at the time of writing) is vulnerable to multiple XSS. The impact is a little bigger since the data is stored in a flat file and the result of a single query will persist for some time on the backend. A well-timed loop of requests will ensure the XSS is permanent.

Php Web Statistik Multiple Vulnerabilities

November 19, 2005 at 5:19 pm - Filed under Hacks, Language EN - 596 words, reading time ~1 minutes

Php Web Statistik is vulnerable to JavaScript and HTML injection via the unchecked lastnumber variable; proper input validation will fix it. Just place an intval() at the right row. Other vulnerabilities have been discovered later.

PHP iCalendar XSS

October 24, 2005 at 11:33 pm - Filed under Hacks, Language EN - 1203 words, reading time ~4 minutes

PHP iCalendar is vulnerable to Cross Site Scripting because of incorrect input validation in index.php, and will include an arbitrary file ending with .php.

Rigging Mambo's polls

October 5, 2005 at 11:43 pm - Filed under Hacks, Language IT - 684 words, reading time ~2 minutes

As a demonstration of the theory "if you can do it with the browser, a bot or a grabber can do it too", we show how easy it is to rig the polls of Mambo CMS, which, at least in theory, being a CMS for communities, should limit this kind of "spamming" (meaning, broadly, anything that can disturb the quiet and natural life of the community).
