bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/multiple/dos/39644.txt
Offensive Security 5de0917681 DB: 2016-04-01 
4 new exploits

Apache 1.3.x mod_mylo Remote Code Execution Exploit
Apache 1.3.x mod_mylo - Remote Code Execution Exploit

Apache <= 1.3.31 mod_include Local Buffer Overflow Exploit
Apache <= 1.3.31 mod_include - Local Buffer Overflow Exploit

Sire 2.0 (lire.php) Remote File Inclusion/Arbitary File Upload Vulnerability
Sire 2.0 (lire.php) - Remote File Inclusion/Arbitrary File Upload Vulnerability

HP Digital Imaging (hpqxml.dll 2.0.0.133) Arbitary Data Write Exploit
HP Digital Imaging (hpqxml.dll 2.0.0.133) - Arbitrary Data Write Exploit

SecureBlackbox (PGPBBox.dll 5.1.0.112) Arbitary Data Write Exploit
SecureBlackbox (PGPBBox.dll 5.1.0.112) - Arbitrary Data Write Exploit

Kwalbum <= 2.0.2 Arbitary File Upload Vulnerability
Kwalbum <= 2.0.2 - Arbitrary File Upload Vulnerability

ZaoCMS (PhpCommander) Arbitary Remote File Upload Vulnerability
ZaoCMS (PhpCommander) - Arbitrary Remote File Upload Vulnerability

CMS Balitbang 3.3 Arbitary File Upload Vulnerability
CMS Balitbang 3.3 - Arbitrary File Upload Vulnerability

CMS Lokomedia 1.5 Arbitary File Upload Vulnerability
CMS Lokomedia 1.5 - Arbitrary File Upload Vulnerability

Apache 1.3.12 WebDAV Directory Listings Vulnerability
Apache 1.3.12 - WebDAV Directory Listings Vulnerability

Apache 1.3 Web Server with Php 3 File Disclosure Vulnerability
Apache 1.3 Web Server with PHP 3 - File Disclosure Vulnerability

NCSA 1.3/1.4.x/1.5_Apache httpd 0.8.11/0.8.14 ScriptAlias Source Retrieval Vulnerability
NCSA 1.3/1.4.x/1.5_ Apache httpd 0.8.11/0.8.14 - ScriptAlias Source Retrieval Vulnerability
Apache 1.3 Artificially Long Slash Path Directory Listing Vulnerability (1)
Apache 1.3 Artificially Long Slash Path Directory Listing Vulnerability (2)
Apache 1.3 Artificially Long Slash Path Directory Listing Vulnerability (3)
Apache 1.3 Artificially Long Slash Path Directory Listing Vulnerability (4)
Apache 1.3 - Artificially Long Slash Path Directory Listing Vulnerability (1)
Apache 1.3 - Artificially Long Slash Path Directory Listing Vulnerability (2)
Apache 1.3 - Artificially Long Slash Path Directory Listing Vulnerability (3)
Apache 1.3 - Artificially Long Slash Path Directory Listing Vulnerability (4)

Shareplex 2.1.3.9/2.2.2 beta - Arbitary Local File Disclosure Vulnerability
Shareplex 2.1.3.9/2.2.2 beta - Arbitrary Local File Disclosure Vulnerability

Apache 1.3 Possible Directory Index Disclosure Vulnerability
Apache 1.3 - Possible Directory Index Disclosure Vulnerability

Apache 1.0/1.2/1.3 Server Address Disclosure Vulnerability
Apache 1.0/1.2/1.3 - Server Address Disclosure Vulnerability

Apache 1.3/2.0.x Server Side Include Cross-Site Scripting Vulnerability
Apache 1.3/2.0.x - Server Side Include Cross-Site Scripting Vulnerability

sendmail 8.11.6 Address Prescan Memory Corruption Vulnerability
SendMail 8.11.6 - Address Prescan Memory Corruption Vulnerability

Apache 1.3.x mod_include Local Buffer Overflow Vulnerability
Apache 1.3.x mod_include - Local Buffer Overflow Vulnerability
Apache 1.3.x HTDigest Realm Command Line Argument Buffer Overflow Vulnerability (1)
Apache 1.3.x HTDigest Realm Command Line Argument Buffer Overflow Vulnerability (2)
Apache 1.3.x - HTDigest Realm Command Line Argument Buffer Overflow Vulnerability (1)
Apache 1.3.x - HTDigest Realm Command Line Argument Buffer Overflow Vulnerability (2)

PodHawk 1.85 - Arbitary File Upload Vulnerability
PodHawk 1.85 - Arbitrary File Upload Vulnerability

LibrettoCMS File Manager Arbitary File Upload Vulnerability
LibrettoCMS File Manager - Arbitrary File Upload Vulnerability

DotNetNuke DNNspot Store 3.0.0 Arbitary File Upload
DotNetNuke DNNspot Store 3.0.0 - Arbitrary File Upload

Axway Secure Transport 5.1 SP2 - Arbitary File Upload via CSRF
Axway Secure Transport 5.1 SP2 - Arbitrary File Upload via CSRF

Apache Spark Cluster 1.3.x - Arbitary Code Execution
Apache Spark Cluster 1.3.x - Arbitrary Code Execution

Elastix 'graph.php' Local File Include Vulnerability
Elastix 2.2.0 - 'graph.php' Local File Include Vulnerability
MOBOTIX Video Security Cameras - CSRF Add Admin Exploit
Apache OpenMeetings 1.9.x - 3.1.0 - ZIP File path Traversal
Apache Jetspeed Arbitrary File Upload
Wireshark - dissect_pktc_rekey Heap-based Out-of-Bounds Read
2016-04-01 05:03:13 +00:00

98 lines
5.9 KiB
Text
Executable file
Raw Blame History

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=754
The following crash due to a heap-based out-of-bounds read can be observed in an ASAN build of Wireshark (current git master), by feeding a malformed file to tshark ("$ ./tshark -nVxr /path/to/file"):
--- cut ---
==17304==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b00001335c at pc 0x0000004507c1 bp 0x7fff09b13420 sp 0x7fff09b12bd0
READ of size 1431 at 0x61b00001335c thread T0
#0 0x4507c0 in __interceptor_strlen llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:581
#1 0x7fead8aeeb02 in g_strdup (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x65b02)
#2 0x7feae0a0b1ef in string_fvalue_set_string wireshark/epan/ftypes/ftype-string.c:51:30
#3 0x7feae09e83f8 in fvalue_set_string wireshark/epan/ftypes/ftypes.c:530:2
#4 0x7feae0867874 in proto_tree_set_string wireshark/epan/proto.c:3572:3
#5 0x7feae088ae05 in proto_tree_add_string wireshark/epan/proto.c:3478:2
#6 0x7feae088b135 in proto_tree_add_string_format_value wireshark/epan/proto.c:3492:7
#7 0x7feae213aa61 in dissect_pktc_rekey wireshark/epan/dissectors/packet-pktc.c:436:5
#8 0x7feae2139f71 in dissect_pktc wireshark/epan/dissectors/packet-pktc.c:624:16
#9 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#10 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9
#11 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9
#12 0x7feae0805dc4 in dissector_try_uint wireshark/epan/packet.c:1186:9
#13 0x7feae296ebf5 in decode_udp_ports wireshark/epan/dissectors/packet-udp.c:583:7
#14 0x7feae297dc90 in dissect wireshark/epan/dissectors/packet-udp.c:1081:5
#15 0x7feae29719d0 in dissect_udp wireshark/epan/dissectors/packet-udp.c:1087:3
#16 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#17 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9
#18 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9
#19 0x7feae19601db in ip_try_dissect wireshark/epan/dissectors/packet-ip.c:1978:7
#20 0x7feae19cf7c1 in dissect_ipv6 wireshark/epan/dissectors/packet-ipv6.c:2431:14
#21 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#22 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9
#23 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9
#24 0x7feae0805dc4 in dissector_try_uint wireshark/epan/packet.c:1186:9
#25 0x7feae1fde9c9 in dissect_null wireshark/epan/dissectors/packet-null.c:458:12
#26 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#27 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9
#28 0x7feae080521d in dissector_try_uint_new wireshark/epan/packet.c:1160:9
#29 0x7feae1542dd5 in dissect_frame wireshark/epan/dissectors/packet-frame.c:493:11
#30 0x7feae08130d1 in call_dissector_through_handle wireshark/epan/packet.c:626:8
#31 0x7feae0805a4a in call_dissector_work wireshark/epan/packet.c:701:9
#32 0x7feae080f58e in call_dissector_only wireshark/epan/packet.c:2674:8
#33 0x7feae0800f4f in call_dissector_with_data wireshark/epan/packet.c:2687:8
#34 0x7feae0800324 in dissect_record wireshark/epan/packet.c:509:3
#35 0x7feae07b36c9 in epan_dissect_run_with_taps wireshark/epan/epan.c:376:2
#36 0x52f11b in process_packet wireshark/tshark.c:3748:5
#37 0x52840c in load_cap_file wireshark/tshark.c:3504:11
#38 0x51e71c in main wireshark/tshark.c:2213:13
0x61b00001335c is located 0 bytes to the right of 1500-byte region [0x61b000012d80,0x61b00001335c)
allocated by thread T0 here:
#0 0x4c2148 in malloc llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
#1 0x7fead8ad7610 in g_malloc (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4e610)
#2 0x7feaed2fef08 in wtap_open_offline wireshark/wiretap/file_access.c:1082:2
#3 0x52473d in cf_open wireshark/tshark.c:4215:9
#4 0x51e12d in main wireshark/tshark.c:2204:9
SUMMARY: AddressSanitizer: heap-buffer-overflow llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:581 in __interceptor_strlen
Shadow bytes around the buggy address:
0x0c367fffa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c367fffa660: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
0x0c367fffa670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffa680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c367fffa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c367fffa6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==17304==ABORTING
--- cut ---
The crash was reported at https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12242. Attached is a file which triggers the crash.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39644.zip
Reference in a new issue View git blame Copy permalink