SSD Advisory – Forma LMS scorm.php Directory Traversal Vulnerability and Remote Code Execution

Vulnerability Description
A remote authenticated user (a student account is enough) can place malicious PHP files inside a public web path and execute arbitrary code/commands. Note that self-registration is probably enabled on most deployments, so the authentication requirement is a low bar.

The cause is the insitem() function in /appLms/modules/scorm/scorm.php, which calls into /addons/pclzip/pclzip.lib.php to extract uploaded zip files.

If the zip file contains an entry whose name includes directory traversal sequences (for example ./../../../../plugins/index.php), the application does not strip them, and the file is written outside the newly created temporary folder, into the web root.
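The following is an added example, not code from Forma LMS or from PclZip. It builds a SCORM-style zip that contains the traversal entry described above, then extracts it through a check that only writes entries whose normalised name stays under the target directory. ZipArchive is used only to build and read the archive; the names normalizeEntryName() and safeExtract(), the temporary paths and the archive contents are all constructed for this demonstration.

```php
<?php
// Added example, not Forma LMS or PclZip code. It builds a SCORM-style zip
// containing the traversal entry the advisory describes, then extracts it
// through a check that keeps every written file under the target directory.
// ZipArchive is used here only to build and read the archive; Forma LMS
// extracts with PclZip, which is where the missing check sits.

// Lexically normalise a zip entry name. Returns the cleaned relative path,
// or null if the name is absolute or climbs above the extraction root.
// No filesystem access, so symlinks or not-yet-created directories cannot
// influence the decision.
function normalizeEntryName(string $name): ?string
{
    if ($name === '' || $name[0] === '/' || $name[0] === '\\'
        || preg_match('#^[A-Za-z]:#', $name)) {
        return null;
    }
    $parts = [];
    foreach (preg_split('#[\\\\/]+#', $name) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if ($parts === []) {
                return null;   // climbs above the root, e.g. ./../../../../plugins/index.php
            }
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return $parts === [] ? null : implode('/', $parts);
}

// Extract $zipPath into $targetDir, rejecting any entry that fails
// normalizeEntryName(). Returns the extracted and rejected entry names.
function safeExtract(string $zipPath, string $targetDir): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        throw new RuntimeException("cannot open $zipPath");
    }
    if (!is_dir($targetDir) && !mkdir($targetDir, 0750, true)) {
        throw new RuntimeException("cannot create $targetDir");
    }
    $root = realpath($targetDir);
    $out = ['extracted' => [], 'rejected' => []];

    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name  = $zip->getNameIndex($i);
        $clean = normalizeEntryName($name);
        if ($clean === null) {
            $out['rejected'][] = $name;
            continue;
        }
        $dest = $root . '/' . $clean;
        if (substr($name, -1) === '/') {                 // directory entry
            if (!is_dir($dest)) {
                mkdir($dest, 0750, true);
            }
        } else {
            $parentDir = dirname($dest);
            if (!is_dir($parentDir)) {
                mkdir($parentDir, 0750, true);
            }
            // Second check against the real filesystem: the parent must still
            // resolve under the root once existing symlinks are followed.
            $parent = realpath($parentDir);
            if ($parent === false || strpos($parent . '/', $root . '/') !== 0) {
                $out['rejected'][] = $name;
                continue;
            }
            file_put_contents($dest, $zip->getFromIndex($i));
        }
        $out['extracted'][] = $clean;
    }
    $zip->close();
    return $out;
}

// Constructed demo archive: one benign manifest plus the traversal entry.
$base    = sys_get_temp_dir() . '/scorm-demo-' . getmypid();
$zipPath = $base . '.zip';
$zip = new ZipArchive();
if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
    throw new RuntimeException("cannot create $zipPath");
}
$zip->addFromString('imsmanifest.xml', '<manifest/>');
$zip->addFromString('./../../../../plugins/index.php', "<?php echo 'planted'; ?>");
$zip->close();

print_r(safeExtract($zipPath, $base . '/extract'));
```

Run it with the php CLI: the manifest is written under the extract directory and the traversal entry is reported as rejected rather than landing in a plugins/ directory four levels up. The same gate belongs in front of the extraction call in insitem(); PclZip's extract() accepts a PCLZIP_CB_PRE_EXTRACT callback that can skip an entry, which is one place to hook a check like normalizeEntryName().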

Proof of concept code is attached; configure it and launch it from the command line.

SSD Advisory – Wget Arbitrary Commands Execution

Vulnerability Description
A vulnerability in the way wget handles redirects allows attackers who can hijack a connection initiated by wget, or who have compromised a server from which wget is downloading files, to cause the user running wget to execute arbitrary commands. The commands run with the privileges of the wget process, which is particularly severe when wget is launched as ‘root’.


HITB 2016 PHP Challenge Write Up

UPDATE: I got word that rileykidd has posted his own write-up, if you would like to see another solution go to: http://rileykidd.com/2016/06/09/hack-in-the-box-2016-misc400-writeup-part-1/

The following is a write-up on our Hack in the Box 2016 PHP Challenge, which was part of the CTF. The CTF’s goal was to give researchers and security practitioners (the CTF was security-oriented) a challenge that is more than “just” an SQL injection or “just” code execution.

If you would like the CTF challenge files, send us an email to ssd[]beyondsecurity.com.

SSD Advisory – Zyxel Remote Unauthenticated Code Execution (NSA310)

Vulnerability Description
A remote unauthenticated code execution vulnerability in the Zyxel NSA310 allows remote attackers to execute arbitrary code as the ‘root’ user. The product is still being actively sold by Zyxel (http://www.amazon.com/s/ref=nb_sb_noss?url=search-alias%3Daps&field-keywords=ZyXEL+NSA310). The vendor originally stated that the “NSA310 for reasons being that it has been out End of life for over 2 years” would not be fixed, which left every customer buying this product exposed to a serious security flaw without any solution or remediation.

UPDATE: Zyxel has released new firmware that claims to resolve the vulnerabilities listed below. We no longer have access to the hardware, so we cannot confirm that it does.
https://zyxel.box.com/s/ebm31culmcokm8bf7xymjx1v6z6zezrj
