
32 lines
1.8 KiB
Text
Executable file
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=775
The main component of Trend Micro Antivirus is CoreServiceShell.exe, which runs as NT AUTHORITY\SYSTEM.
The CoreServiceShell includes an HTTP daemon, which is used for redirecting network content inspection among other things. For example, if you attempt to visit a blacklisted page, the request is redirected to http://localhost:37848/ and a warning page is displayed.
There are multiple problems with this daemon. First of all, there is a trivial path traversal in the /loadhelp/ and /wtp/ endpoints: the daemon checks paths for "../..", but this check is ineffective because "..\.." works just as well, the backslash being an entirely valid path separator on Windows.
There are also some trivial header injection bugs, e.g.:
http://localhost:37848/continue/TiCredToken=29579&Source=&URL=%0aContent-Type:%20text/html%0aContent-Length:%2032%0a%0a<h1>hello</h1>
By combining these two issues, you can remotely access files as SYSTEM on a Trend Micro machine.
I happened to notice another problem: the file loader.html has an obvious XSS if the window is 10px wide. I know that's an odd condition, but an attacker can easily force that with something like
<iframe width="26px" scrolling="no" src="http://localhost:37848/LocalHelp/loader?javascript:alert(1)">
The code is like this:
    var st = getStyle("a", "width");

    if (st == "10px") {
        var queryString = window.location.search;
        if (queryString.length > 0 && queryString.charAt(0) == "?") {
            var url = queryString.substr(1);
        }
        // url is taken verbatim from the query string: no scheme or origin
        // check, so a javascript: URL runs in the page's (localhost:37848) origin.
        window.location.href = url;
    }
I honestly have no idea what the author intended, but this bug can be used with the path traversal to access arbitrary local files, or even authenticated remote files by forcing them to be downloaded (<a href=foo download>.click()).
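For contrast, here is an added example (not loader.html's code) of the same query-string redirect written so that only HTTP(S) targets on the page's own origin are ever followed. The base origin is the one quoted in the report; the function name and sample inputs are assumptions.

```javascript
// Added example: the redirect from loader.html with the missing checks.
function safeRedirectTarget(search, base = "http://localhost:37848/LocalHelp/") {
  // Same input handling as the original: the part after "?" is the target.
  if (search.length === 0 || search.charAt(0) !== "?") return null;
  const raw = search.substr(1);
  let target;
  try {
    target = new URL(raw, base); // relative paths resolve against the base page
  } catch (e) {
    return null; // unparsable input: do not navigate at all
  }
  // javascript:, data:, file: and any other non-HTTP scheme are refused...
  if (target.protocol !== "http:" && target.protocol !== "https:") return null;
  // ...and so is any absolute or protocol-relative URL on another origin.
  if (target.origin !== new URL(base).origin) return null;
  return target.href;
}

// Constructed inputs, including the payload from the report's iframe.
for (const q of ["?javascript:alert(1)", "?//evil.example/x", "?topics/scan.html"]) {
  console.log(JSON.stringify(q), "->", safeRedirectTarget(q));
}
```

In the real page the returned value would be assigned to window.location.href, and a null result would leave the page where it is.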