I was able to find a tiny session management vulnerability in the Oculus website and Yay! got acknowledged by Facebook 🙂
https://www.facebook.com/whitehat/thanks/
Mobile Partner is widely used software that ships with Huawei internet dongles. Recently I noticed that the “Mobile Partner” directory and all of its subdirectories and files have, by default, full permissions granted to the Users group. This means that any user on the system can plant a malicious executable and escalate privileges when the Administrator runs Mobile Partner. Why not bind the exe using msfpayload or msfvenom? 😉
By default my dongle shipped with Mobile Partner 11.302.09.00.03; if you are using an older version you may find that this folder and its contents have been granted full permissions not only to the Users group but also to Everyone, which means any user at all can plant anything inside this directory.
[code language="text"]
C:\Program Files (x86)>cacls "Mobile Partner"
C:\Program Files (x86)\Mobile Partner Everyone:(OI)(CI)F
                                      BUILTIN\Users:(OI)(CI)F
                                      NT SERVICE\TrustedInstaller:(ID)F
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                      NT AUTHORITY\SYSTEM:(ID)F
                                      NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                      BUILTIN\Administrators:(ID)F
                                      BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                      CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(ID)(special access:)
                                                                                                          GENERIC_READ
                                                                                                          GENERIC_EXECUTE

C:\Program Files>cd "Mobile Partner"

C:\Program Files (x86)\Mobile Partner>cacls "Mobile Partner.exe"
C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe Everyone:F
                                                         BUILTIN\Users:F
                                                         NT AUTHORITY\SYSTEM:(ID)F
                                                         BUILTIN\Administrators:(ID)F
                                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
[/code]
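Reading a cacls listing by eye works for one folder; across a whole Program Files tree you want the check automated. The Python script below is an added example, not code from the original post or from Huawei: it parses cacls.exe output of the shape shown above and reports every ACE that grants a low-privileged principal write access. The set of principals treated as low-privileged (Everyone, BUILTIN\Users, Authenticated Users, INTERACTIVE) and the set of rights treated as write-capable (the cacls letters F, C and W, plus write-class rights spelled out under "(special access:)") are my own choices; the embedded listing is the post's own output, reproduced with the padding cacls prints.

```python
"""Flag directory ACLs that let low-privileged users write into a program folder.
Added example, not code from the original post: parses cacls.exe output of the
shape shown above and reports ACEs that give Everyone or Users write access."""
import re
from dataclasses import dataclass, field

PROMPT_RE = re.compile(r"^[A-Za-z]:\\[^>]*>")   # a typed command such as C:\...>cacls "x"
PATH_RE = re.compile(r"^[A-Za-z]:\\")           # first line of a listing starts with the path
# principal:(flags)perm, e.g. BUILTIN\Users:(OI)(CI)F or ...:(ID)(special access:)
ACE_RE = re.compile(
    r"^(?P<who>[^:]+?):(?P<flags>(?:\([A-Z]+\))*)(?P<perm>[A-Z]|\(special access:\))?$")
# Groups every interactive user belongs to (my list, compared case-insensitively).
LOW_PRIV_PRINCIPALS = {"everyone", "builtin\\users",
                       "nt authority\\authenticated users", "nt authority\\interactive"}
WRITE_LETTERS = {"F", "C", "W"}                 # cacls letters: Full, Change, Write
WRITE_GENERIC = {"GENERIC_ALL", "GENERIC_WRITE", "FILE_WRITE_DATA", "FILE_APPEND_DATA",
                 "DELETE", "WRITE_DAC", "WRITE_OWNER"}   # rights under "(special access:)"

@dataclass
class Ace:
    who: str
    flags: str
    perm: str
    generic: list = field(default_factory=list)   # lines under "(special access:)"

    def grants_write(self) -> bool:
        return self.perm in WRITE_LETTERS or bool(WRITE_GENERIC & set(self.generic))

def _ace(text: str) -> Ace:
    m = ACE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised ACE: {text!r}")
    return Ace(m["who"], m["flags"], m["perm"] or "")

def _split_first_line(line: str, indent: int):
    # cacls pads continuation lines to len(path) + 1, so the first ACE starts at that
    # column; the space nearest it is the path/ACE boundary even if padding was altered.
    spaces = [i for i, ch in enumerate(line) if ch == " "]
    cut = min(spaces, key=lambda i: abs(i - (indent - 1)))
    return line[:cut], line[cut + 1:]

def parse_cacls(output: str) -> dict:
    """Map each listed path to its ACEs (typed prompt lines in the output are skipped)."""
    listings, pending, current = {}, None, None
    for raw in output.splitlines():
        if not raw.strip() or PROMPT_RE.match(raw):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0 and PATH_RE.match(raw):
            if pending is not None:               # previous listing had a single ACE
                path, ace = pending.rsplit(" ", 1)
                listings[path] = [_ace(ace)]
            pending, current = raw, None
            continue
        if pending is not None:                   # first continuation line fixes the column
            path, first = _split_first_line(pending, indent)
            current = listings[path] = [_ace(first)]
            pending = None
        text = raw.strip()
        if ":" in text:
            current.append(_ace(text))
        else:                                     # GENERIC_READ etc. belong to the previous ACE
            current[-1].generic.append(text)
    if pending is not None:
        path, ace = pending.rsplit(" ", 1)
        listings[path] = [_ace(ace)]
    return listings

def weak_aces(listings: dict) -> list:
    """(path, principal, rights) for every ACE that lets a low-privileged user write."""
    return [(path, ace.who, ace.flags + ace.perm)
            for path, aces in listings.items() for ace in aces
            if ace.who.lower() in LOW_PRIV_PRINCIPALS and ace.grants_write()]

# The two listings from the post, reproduced with the padding cacls prints.
SAMPLE = r"""
C:\Program Files (x86)>cacls "Mobile Partner"
C:\Program Files (x86)\Mobile Partner Everyone:(OI)(CI)F
                                      BUILTIN\Users:(OI)(CI)F
                                      NT SERVICE\TrustedInstaller:(ID)F
                                      NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
                                      NT AUTHORITY\SYSTEM:(ID)F
                                      NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                      BUILTIN\Administrators:(ID)F
                                      BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                      CREATOR OWNER:(OI)(CI)(IO)(ID)F
                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                      APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(ID)(special access:)
                                                                                                          GENERIC_READ
                                                                                                          GENERIC_EXECUTE
C:\Program Files (x86)\Mobile Partner>cacls "Mobile Partner.exe"
C:\Program Files (x86)\Mobile Partner\Mobile Partner.exe Everyone:F
                                                         BUILTIN\Users:F
                                                         NT AUTHORITY\SYSTEM:(ID)F
                                                         BUILTIN\Administrators:(ID)F
                                                         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
"""

if __name__ == "__main__":
    for path, who, rights in weak_aces(parse_cacls(SAMPLE)):
        print(f"{path}: {who} has {rights}")
```

On the post's listing this reports four entries: Everyone and BUILTIN\Users with (OI)(CI)F on the directory, and the same two principals with F on Mobile Partner.exe. The parser is specific to cacls; its replacement icacls prints rights in a different notation ((F), (M), (RX)) and would need its own regex.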
I was able to find a few web application security issues in the Freshdesk website. They have a responsible disclosure policy, so I was able to report them. http://freshdesk.com/security
This is a small crash I found in MySQL 5.0.45 in the name_const() function. I’ve tested this in a Windows 8 environment. However, in the latest versions this function no longer allows performing SELECT queries; in older versions, from 5.0.12 upwards, you can reproduce this issue.
I fuzzed the name_const() function and noticed that when performing a conditional statement inside a subquery we can make the MySQL application freeze. Once we press ^C twice we get the error message.
My previous tool needs admin privileges. I thought of writing two applications: one for dumping the encrypted hashes from the system and another for decrypting them. Since the CryptUnprotectData() function needs to run under the Local System account, run the decrypter application using PsExec. I have written a batch file for it.
This is a small tool I’ve coded for Windows operating systems to recover the stored Wi-Fi Passwords. Use this for educational purposes.
Download:
https://github.com/OsandaMalith/Wi-Fi-Freak
https://access.redhat.com/articles/66234
I hope you all have heard about the Moodle project. Moodle stands for Modular Object-Oriented Dynamic Learning Environment. It is a free, open-source project that focuses on teaching and learning online courses effectively. Many universities, colleges and educational institutes use this application to interact with students. You can read and research more on Wikipedia.
This is a persistent XSS I found in Moodle 2.7. This vulnerability was present from version 2.4.9 up to 2.7 and had so far stayed hidden from view 😉 luckily I spotted it while I was fuzzing random stuff against the application.
Edit your user profile and under “Optional” you can see “Skype ID”. Let’s inject some HTML into the Skype ID field and check the output.
[code language="html"]
">>><h1>Hello World</h1>
[/code]
It seems our input is echoed back three times. In one place it is URL-encoded, since it is used as the user’s skype: URL; in another it is converted to HTML entities; and in the third it seems our input is being filtered. I love breaking filters. Here is my quick analysis in detail.
Output 1:
[code language="html"]
<a href="skype:%22%3E%3E%3EHello+World?call">
[/code]
Output 2:
[code language="html"]
">>>Hello World
[/code]
Once again, for reporting a web application security issue, I got acknowledged by Oracle 🙂
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
https://pbs.twimg.com/media/BsoZO8mCUAAZpMn.png
http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/2225373.xml
https://pbs.twimg.com/media/BsoY6TOCQAEOyKx.png
While I was playing around with the Concrete5 CMS 5.6.2.1, I wanted to know how the application builds the hyperlink for the “Back” button. I found something interesting in the “download_file.php” file.
\concrete\single_pages\download_file.php, line 27
[code language="php" highlight="5"]
<form action="<?php echo View::url('/download_file', 'submit_password', $fID) ?>" method="post">
<?php if(isset($force)) { ?>
<input type="hidden" value="<?php echo $force ?>" name="force" />
<?php } ?>
<input type="hidden" value="<?php echo $returnURL ?>" name="returnURL" />
<input type="hidden" value="<?php echo $rcID ?>" name="rcID"/>
<label for="password"><?php echo t('Password')?>: <input type="password" name="password" /></label>
<br /><br />
<button type="submit"><?php echo t('Download')?></button>
</form>
[/code]
Let’s have a look at the $returnURL variable.
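The Moodle and Concrete5 excerpts above come down to the same question: which HTML context does the user-controlled value land in, and is it encoded for that context? In Moodle the Skype ID is reflected into a skype: href (URL-encoded), into a text node (entity-encoded) and through a filter; in the Concrete5 form, $returnURL is echoed straight into value="..." on the highlighted line. The Python below is an added example, not code from Moodle, Concrete5 or the original post. It reproduces the post's Output 1 and the visible form of Output 2 from the same probe string, then feeds that string into a hidden input three ways: raw, after a tag-stripping filter (my assumption about what the post's third, "filtered" output does; the post does not show that filter), and attribute-encoded. The standard-library HTMLParser stands in for a browser so the script can check where the value actually ends up.

```python
"""Context-dependent output encoding, shown on the probe string from the Moodle post.
Added example; not code from Moodle, Concrete5 or the original post."""
import html
import re
from html.parser import HTMLParser
from urllib.parse import quote_plus

PAYLOAD = '">>><h1>Hello World</h1>'   # the string the post injected into "Skype ID"
TAG_RE = re.compile(r"<[^>]*>")

def strip_tags(value: str) -> str:
    """Assumed filter: drops <...> sequences but keeps stray quotes and brackets."""
    return TAG_RE.sub("", value)

def skype_href(skype_id: str) -> str:
    """Output 1 in the post: tags stripped, then URL-encoded into a skype: link."""
    return f'<a href="skype:{quote_plus(strip_tags(skype_id))}?call">'

def text_node(value: str) -> str:
    """Output 2: safe as a text node because <, >, & and quotes become entities."""
    return html.escape(value, quote=True)

def hidden_input_unsafe(name: str, value: str) -> str:
    """Shape of the Concrete5 line: the value is echoed directly into value="..."."""
    return f'<input type="hidden" value="{value}" name="{name}" />'

def hidden_input_safe(name: str, value: str) -> str:
    """Same element with attribute encoding (htmlspecialchars with ENT_QUOTES in PHP)."""
    return f'<input type="hidden" value="{html.escape(value, quote=True)}" name="{name}" />'

class _Tags(HTMLParser):
    """Records which elements and attributes a browser-like parser sees in the markup."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.setdefault(tag, dict(attrs))   # attribute values arrive entity-decoded

def parsed(markup: str) -> _Tags:
    p = _Tags()
    p.feed(markup)
    p.close()
    return p

def value_survives(markup: str, expected: str) -> bool:
    """True only if the whole value stayed inside the input's value attribute
    and no extra element was injected into the document."""
    p = parsed(markup)
    return p.tags == ["input"] and p.attrs["input"].get("value") == expected

if __name__ == "__main__":
    print(skype_href(PAYLOAD))
    print(text_node(PAYLOAD))
    for label, markup in [
        ("raw      ", hidden_input_unsafe("returnURL", PAYLOAD)),
        ("stripped ", hidden_input_unsafe("returnURL", strip_tags(PAYLOAD))),
        ("escaped  ", hidden_input_safe("returnURL", PAYLOAD)),
    ]:
        print(label, value_survives(markup, PAYLOAD), parsed(markup).tags, markup)
```

The raw case yields two elements (the input and an injected h1); the tag-stripped case yields one element but the value attribute is empty, because the leading quote closed it, so a filter that only removes tags still hands an attacker control of the rest of the tag. Only the entity-encoded case returns the original value intact, which is why the encoding must match the context the value is written into rather than being applied once on input.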