Last Login: August 05, 2020
zeroSteiner's Contributions (42)
A buffer overflow exists within GRUB2 affecting how it handles it’s configuration file. An exception occurs when the contents of the configuration are too large for the buffer that is incorrectly handled causing the contents to be written anyways, thus over flowing the buffer.
In order to exploit this, an attacker would likely need either:
- Physical access to an affected device and sufficient time to mount the disk and corrupt / infect the GRUB configuration file
- Administrative access to running system to corrupt / infect the GRUB configuration file
Successful exploitation of this vulnerability could corrupt the secure boot process and compromise the integrity of the system over all. This would effectively allow the installation and utilization of a bootkit. Developing a weaponized exploit would be aided by the lack of modern memory protections such as address space layout randomization (ASLR).
Patching is a complicated process involving updating the firmware from the vendor and applying a denylist which must be done manually (for now at least).
For more information see the Grubbing Secure Boot the Wrong Way: CVE-2020-10173.
A deserialization vulnerability exists within Microsoft Sharepoint that could allow an attacker to execute code on the server within the context of the service account. The attacker would need to authenticate to Sharepoint and submit a specially crafted
POST request to a specific resource that implements the
InputFormContactLinksSuggestionsMicroView control. The following two resources meet this requirement:
Alternatively, an attacker with the correct privileges may create a page which implements this.
For more information, see the details analysis posted to srcincite.io by Steven Seeley.
The AnyDesk GUI is vulnerable to a remotely exploitable format string vulnerability. By sending a specially
crafted discovery packet, an attacker can corrupt the front end process when it loads or refreshes. While the
discovery service is always running, the GUI frontend must be started to trigger the vulnerability. On
successful exploitation, code is executed within the context of the user who started the AnyDesk GUI.
The public PoC works out of the box on Ubuntu 18.04 x64 but requires some work to update the target for newer versions of Ubuntu and other versions of Linux such as Fedora. While the exploit seems reasonably stable for the first exploitation attempt, the GUI becomes unresponsive and subsequent attempts require restarting the service
sudo systemctl restart anydesk and restarting the GUI.
A legitimate discovery frame can be sent to a target host to trigger a response. This can be used by an attacker to verify that the service is running, leak the hostname, and determine the operating system.
A vulnerability exists with the Windows kernel that can be used to bypass the NULL page mitigation feature that prevents users from allocating the memory that exists at the literal address 0. This is required for exploiting the class of memory corruption vulnerabilities known as NULL Page Dereferece or NULL Pointer Derefernce. This vulnerability would not be useful on it’s own but rather would make exploitation of another vulnerability practical.
In order to leverage this vulnerability, Intel’s SGX functionality must be available on the host. From my testing, the required functionality does not appear to be available from within virtual machines, meaning that a vulnerable environment would likely have to run on hardware. The vulnerability exists within the implementation of the
NtCreateEnclave is exposed through ntdll, was added in Windows 10 v1511 and uses the following signature (according to Process Hacker):
NTSYSAPI NTSTATUS NTAPI NtCreateEnclave( _In_ HANDLE ProcessHandle, _Inout_ PVOID* BaseAddress, _In_ ULONG_PTR ZeroBits, _In_ SIZE_T Size, _In_ SIZE_T InitialCommitment, _In_ ULONG EnclaveType, _In_reads_bytes_(EnclaveInformationLength) PVOID EnclaveInformation, _In_ ULONG EnclaveInformationLength, _Out_opt_ PULONG EnclaveError );
NtCreateEnclave will return 0xc00000bb (STATUS_NOT_SUPPORTED) if the necessary SGX capabilities are unavailable, making identification relatively easy.
I flag this as “No useful access” because it’s most valuable as an exploit primitive, and does not provide any access or information on it’s on.
A vulnerability exists within
splwow64.exe that can be exploited via an LPC to execute code within the context of that process. The
splwow64.exe process is started when a 32-bit process on a 64-bit version of Windows attempts to print. The process is spawned as the same user and thus, the code would be executed as that user. Because of this, the vulnerability could not be used to escalate privileges but rather is limited to use as a sandbox escape from a Low integrity process (such as an Internet Explorer window) to a High integrity process. I rate this as low attacker value because the utility class is pretty limited to use as a sandbox escape.
Exploiting this vulnerability involves opening a handle to it and creating a shared section that when combined with the LPC can be leveraged into a write-what-where primitive. This can then be used with knowledge of the the base address of key DLLS to overwrite a pointer within the
.data section that can be referenced for controlled code execution.
This vulnerability reportedly still affects 64-bit versions of Windows 7 and has no public PoC code.
Analysis based on Chronicles of a Sandbox Escape: Deep Analysis of CVE-2019-0880,
This particular vulnerability is related to insecure permissions created on the install location of the SmartDraw application. This can be leveraged for privilege escalation (or persistence) by dropping an executable within this directory. A scheduled task will run the executable as the user who installed SmartDraw. While it’s possible to install SmartDraw as a non-Admin user, it is most likely to be installed with administrative privileges, allowing the attacker to run within this context.
It should be noted that this vulnerability has been patched, however installations that were installed before the patch was released will remain vulnerable after upgrading. In order to remediate the vulnerability and correct the permissions issue, the application must first be uninstalled and then the patched version must be reinstalled in it’s place.
See the original disclosure here.
A vulnerability exists within the Win32k subsystem (provided by the
win32kfull.sys drivers) on Windows 10 that can be leveraged to trigger a Use-After-Free condition where by freed memory is used by
From my testing of the public PoC, I found this bug unreliable to trigger. Even with Driver Verifier enabled and standard settings (including SpecialPool) enabled, no exception and Blue Screen occurred. From reading through the PoC it looks like there is some kind of edge condition (possibly a race) that requires the PoC to re-execute itself (via
CreateProcessA) to attempt to trigger the vulnerability.
Do to the unreliable nature of the PoC and the difficulty of replacing the freed memory within the heap, I believe this vulnerability would be difficult to exploit reliably. Successful execution however would take place within the Windows Kernel, effectively offering a complete compromise of the affected system.
A vulnerability exists in how Microsoft’s XPS documents are processed using .NET that can be leveraged to execute code using a deserialization attack. XPS files are effectively ZIP archives containing multiple member, of which ones
.fpage can be used as triggers. While this vulnerability was patched in May of 2020, it’s related to a similar vulnerability patched in January of 2020, which patched the same usage of the XPS document’s
.fdseq member file types.
The default XPS viewer in Windows does not use .NET to render the XPS document making it unaffected by this vulnerability. A vulnerable application would need to be configured to process a maliciously crafted XPS document. Due to this, it is unclear if in practice this vulnerability will require user interaction or authentication to leverage.
A vulnerability exists within
PathCchCanonicalize that can be leveraged by a malicious RDP server to write files on a connected RDP client system. The vulnerability is related to how forward and back slash characters are processed and is related to the older CVE-2019-0887 in the sense that this vulnerability is a bypass for the mitigation which it introduced.
Exploiting this vulnerability would involve an attacker configuring a malicious RDP server and then tricking a client to connect to it, authenticate to it and then initiate a copy and paste operation from the malicious server to their client system.
The following analysis is based on CODESYS 126.96.36.199:
- Installer file:
CODESYS 188.8.131.52.exe, SHA-1
- Library file:
CODESYS v3 Web Server is vulnerable to a heap-based buffer overflow which can be triggered by an unauthenticated attacker with a specially crafted HTTP request. The vulnerability is due to an integer overflow. This can be used by an attacker to overwrite the heap buffer directly following the under-sized allocation. The web server is only present when a web-based visualization has been configured by the operator.
The vulnerable overwrite occurs in a call to
CmpWebServerHandlerV3+3a16. This can be used to corrupt the following heap structure, however a crash occurs 2 stack frames up form this within the same request at
CmpWebServerHandlerV3+14ac. This is due to a call to
memcpy use the original size field without the overflow operation applied to it. Due to the nature of integer overflow, this value is very high, typically
0xffffffff (though any value -92 / 0xffffffa4 through -1 / 0xffffff could be used to trigger the overflow.
There are two branches that could be taken to avoid this condition for reliable code execution:
CmpWebServerHandlerV3+146e— This branch is based on the return value from the previous function call and is boiled up from the overwrite operation. This branch can not be used while still trigger the overwrite.
CmpWebServerHandlerV3+1498— This branch could potentialy be used if the return value from
CmpWebServer+6bc0could be forced to be 0. This path warrants further analysis.
Without avoiding the memcpy, reliable code execution seems unlikely due to the nature of the vulnerability. Typically heap overwrites require manipulation of the heap that would not be possible if the server crashes after the overwrite while processing the HTTP request. While most modules loaded into the process have ASLR available, there are a small handful of application-specific ones that do not that could be viable candidates for use in a ROP chain.
Successful exploitation would yield code execution within the context of the CODESYSControlServer.exe process which, in PLC development scenarios at least, runs with user privileges.
This CVE collectively describes 5218 unique crashes that were reported to Samsung by a Google Project Zero researcher. The crashes occur within the Skia library and are related to the processing of Qmage images. The Qmage image format was developed by a third-party company but was added to the Skia Android library on Samsung phones. These bugs can be triggered remotely and without interaction by sending MMS messages to the target device.
The vulnerability does not affect all Android devices, only those with the modified Skia library distributed by Samsung on their phones. It’s likely that other exploit delivery scenarios are viable but may require user interaction to trigger rendering the image.
Successful exploitation requires bypassing ASLR which reportedly can be achieved remotely by sending multiple messages to the target. Further details on this aspect of the exploit are not currently public and contribute to the complexity of weaponizing a PoC for this vulnerability. Successfully exploiting the vulnerability yields code execution within the context of the exploited process. In the case of the messenger application, this could be used to leak text messages.
Apache Shiro v1.2.4 is vulnerable to a Java deserialization vulnerability. An
unauthenticated user can submit a YSoSerial payload to the Apache Shiro web
server as the value to the
rememberMe cookie. This will result in code
execution in the context of the web server.
CommonsCollections2 payload is known to work and is the one
leveraged by the Metasploit module.
An out of bounds dereference exists within the kernel-mode function
win32kfull!vStrWrite01 that can be triggered from user-mode by calling
gdi32!StretchBlt with a specially sized canvas and a specific raster operation (
StretchBlt(hdc, 0x0, 0x2, 0x100, 0x1, hdc, 0x0, 0x0, 0x400, 0x8000, SRCERASE)
The vulnerability could be leveraged as an information leak.
A vulnerability in Apache server versions 2.4.17–2.4.38 caused by an out-of-bounds array access can lead to an arbitrary function call. An attacker can trigger this to execute code in the context of the parent Apache process which often runs as root. In order for the exploit to trigger however, the Apache process must gracefully restart. This can be done on demand using
apache2ctl graceful, but is also done automatically once at day by the
logrotate utility (according to the original disclosure).
This exploit is a Local Privilege Escalation (LPE) vulnerability, so an attacker would already need to have some control on the system. This likely could be achieved through some kind of application vulnerability depending on what the Apache server is running.
The Metasploit Framework’s
libnotify plugin contains a vulnerability which can allow an attacker to execute an operating system command as the user running Metasploit. Exploiting the vulnerability requires the target user to have the
libnotify plugin loaded, and then to load a malicious file using
The root of the problem is the way in which arguments are passed to Ruby’s
system function to execute the operating system command. A maliciously crafted service name can add additional arguments and commands to this call, leading to code execution. The vulnerable code path will only be hit the first time the service is reported, i.e. repeatedly loading the malicious file with
db_import will not result in the command being executed multiple times unless the user deletes the service between attempts.
This vulnerability was patched in https://github.com/rapid7/metasploit-framework/pull/13266.
A vulnerability exists in how SMB3 Compressed data is handled that can be leveraged to write data out of normal bounds. This vulnerability is triggered by sending a specially crafted
COMPRESSION_TRANSFORM_HEADER as defined in subsections of MS-SMB2 2.2.42. The
OriginalCompressedSegmentSize value triggers an integer overflow when it is set to a large value. This vulnerability could be triggered prior to authenticating to the server.
When details of this vulnerability were first made public, the vulnerability was unpatched. The official recommendation from Microsoft was to disable SMB3 compression as a temporary fix.
Due to modern mitigation technologies, exploiting this vulnerability remotely to obtain code execution is non-trivial. Public PoCs do exist which trigger the vulnerable code path, and one serves as an example of using this vulnerability in the context of a local privilege escalation technique.
This vulnerability exists within the Apache Struts OGNL method dispatch routine. An attacker can submit a specially crafted HTTP request to a vulnerable web server. Specifically an attacker can taint the
name parameter passed to
Exploitation of this vulnerability would lead to code execution within the context of the Java process powering the server. An indicator of compromise will be present in the logs at the
DEBUG level. This IOC will look like a malformed value in the
Executing action method = message.
The default configuration is not vulnerable. The
alwaysSelectFullNamespace option must be enabled. This can be done by adding
<constant name="struts.mapper.alwaysSelectFullNamespace" value="true" /> to the
struts.xml configuration file.
A use-after-free vulnerability exists within the Microsoft Remote Desktop Protocol stack. The vulnerability is triggered when a T.125
maxChannelIds field is less than or equal to 5. This vulnerability can be levered prior to authenticating to the RDP service and can lead to code execution within the context of the Windows Kernel.
Extensive technical details were published in the original disclosure.
The major hurdle to reliable code execution is properly grooming the kernel heap.
A missing boundary check causes versions of OpenSSL 1.0.1 – 1.0.1f to be vulnerable to an out of bounds read as part of an SSL Heartbeat message. This vulnerability can be leveraged without authenticating in many instances to leak sensitive information such as passwords and private keys. Due to the vulnerability being in the OpenSSL library, exploits are implementation specific and may require changes to implement the applicable protocol.
The vulnerability was fixed in this patch.
This vulnerability is a Use-After-Free in the Microsoft VBScript engine. Originally exploited in the wild, attackers used a technique to force the exploit code to be opened with Internet Explorer by embedding a resource into a Rich Text File (RTF). This technique would allow attackers to more reliably exploit targets, even when a non-IE browser was configured as the default.
The Use After Free is related to arbitrary VB object. When two arrays reference the same object, and one array is deleted, the second array is left with a dangling reference.
A .NET deserialization vulnerability exists within SharePoint that can be exploited remotely. The vulnerability was actively being exploited in the wild around the May 2019 time frame. Per the ZDI Advisory the vulnerability is due to a lack of validation on user supplied data to an encoder class which can be leveraged to deserialize attacker-supplied data resulting in remote code execution.
The SharePoint WorkFlow component is affected by a vulnerability within .NET which can be abused to run arbitrary code when compiling XOML files. An authenticated user would need to issue an HTTP request with crafted XOML-formatted data (for which there are public examples). The vulnerability was patched for on-premises installations of SharePoint on January 2020.
A correct crafted XOML request will result in extra C# code being written to a temporary file on disk as part of the exploitation process. This is how an OS command is then executed.
Both patched and unpatched systems will return compiler error information in the XML response to the HTTP request. A patched system will have an error stating
"Compilation failed. The type name: ... is not a valid language-independent type name.". Malformed requests will include relevant information in the compiler error text, which is usually a character escaping issue. For best results escape all characters that are non-alphanumeric as unicode like
A .NET deserialization vulnerability exists within Exchange when configured with Unified Messaging (UM). An attacker needs to be able to authenticate as an Exchange user with a configured UM voice mailbox. After doing so they utilize Exchange Web Services (EWS) to upload a malicious payload before calling the target user to leave a voice mail resulting in code execution. The target user does not need to listen to the voice mail in order for the payload to be executed.
A crafted .RESX file can be used to execute code when deserialized by .NET reflector. The attacker would need to generate the
.RESX file, compile it into a
.RESOURCES file, before combining that with a C# executable to create a malicious binary.
The binary would then need to be opened by the target user in .NET reflector and inspected (it looks like by expanding a node within the tree view) in order to cause the resource to be deserialized and the code to be executed. The resulting execution context would be as the user inspecting the file.
Analysis performed using ipnathlp.dll from Windows Server 2019 x64 (sha256: c5bfdd192eaac8ffa8c0ee9c5fbb719eb739518a0635dc5cba42f52ab7efefa9)
CVE-2020-0662 is a stack based buffer overflow occurring in
svchost.exe due to an unchecked size argument to a
memcpy call in
ipnathlp.dll!DhcpAddArpEntry. The size argument is restricted to 0-255 inclusive as it must fit in a
uint8_t variable. The size argument for the affected memcpy call is taken from the “Hardware address length” field from a DHCP/BootP message.
In order to hit the vulnerable code path and trigger the bug, the size (hardware address length) field must be sufficiently large, and the DHCP option 53 / 0x34 (DHCP Message Type) must be omitted.
The following protocon script can be used to trigger the crash:
# Dynamic Host Configuration Protocol # Message type: Boot Request (1) # Hardware type: Ethernet (0x01) # Hardware address length: 255 # Hops: 0 # Transaction ID: 0x5df26992 # Seconds elapsed: 1 # Bootp flags: 0x0000 (Unicast) # Client IP address: 0.0.0.0 # Your (client) IP address: 0.0.0.0 # Next server IP address: 0.0.0.0 # Relay agent IP address: 0.0.0.0 # Client MAC address: Vmware_84:05:fd (00:0c:29:84:05:fd) # Client hardware address padding: 00000000000000000000 # Server host name not given # Boot file name not given # Magic cookie: DHCP # Option: (255) End # Option End: 255 set encoding hex send 0101ff005df269920001000000000000000000000000000000000000000c298405fd0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000063825363ff exit
On a Windows Server 2019 installation, this process is protected by stack cookies making exploitation non-trival. The cookie value would need to be leaked and the service which hosts the DLL is not configured to automatically start. To make a system vulnerable, an interface must be marked as “Shared”. To do this:
- Open the power user menu with
Win+Xand select “Network Connections”
- From the Network Connections window, select “Change adapter options”
- Right click an adapter which has an internet connection and select “Properties”
- Navigate to the “Sharing” tab and check “Allow other network users to connect through this computer’s Internet connection”
- Click “OK”
Vulnerable Code Path
- Only invoked if the DHCP Message Type option is omitted
- Only invoked if the DHCP Message Type option is omitted
memcpycall is the vulnerability, the size argument is
under attacker control
The target process uses stack canaries, so overwriting the stack would
require a leak. The original structure is a MIB_IPNET_ROW2
instance. Of note here is that the
PhysicalAddressLength field is
located after the
PhysicalAddress field and is set before the
call. This could allow an attacker to overwrite the this field.
Immediately following this operation, the row is passed to
iphlpapi!CreateIpNetEntry2 where the
is subjected to proper boundary checking (<= 0x20).
Windows 7 Notes
Windows 7 does not appear to be a viable exploit target because the affected
memcpy call is not present due to an older API being used. There is a
memcmp instruction to which the size parameter can be controlled but this would result in a OOB read which is much less useful.
This is a serialization bug in the Exchange Control Panel component of Microsoft Exchange server. The write up by ZDI outlines an exploitation path in grate detail how the vulnerability would be leveraged to gain command execution as
NT_AUTHORITY\SYSTEM on the server.
The root of the issue is that the
validationKey is not randomized at installation time, resulting in Exchange servers using an attacker known value. This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized which can result in code execution.
The important values from the write up are:
validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF validationalg = SHA1
I anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. The user must be a member of the
Domain Users group and have a configured mailbox in Exchange.
Thew ViewState must be transfered within a GET request, POST can not be used. This introduces size restrictions on the OS command that can be executed.
This vulnerability leverages a TOCTOU vulnerability in the “Standard Collector Service” used by Visual Studio. If an attacker can change the contents of an ETL file by winning a race condition, the file can then be written to an arbitrary location using a symlink. This can then be used to load an attacker controlled DLL into another process.
This vulnerability can be used to trigger a memory exhaustion attack on affected routers within the CDP process. Once the process is out of memory it will crash and the router will reboot causing a denial of service condition for the network. Exploiting this vulnerability would not yield access to sensitive information or bypass segmentation (unless an improperly configured fail over setup is in place).
An attacker would need to be on the local area network, attached to the vulnerable router. This is due to CDP traffic not being forwarded across network boundaries. An attacker leveraging this vulnerability would likely either be physically in the building or have compromised a host which is physically in the building.
This is a heap buffer overflow vulnerability in the parser of CDP packets in the Cisco 8000 Series IP cameras. Successfully exploiting this vulnerability would lead to a denial of service condition or potentially access to the video feed. The affected binary reportedly lacks ASLR support, which would aid efforts to produce a functioning exploit.
An attacker would need to be on the local area network as the affected IP camera This is due to CDP traffic not being forwarded across network boundaries. An attacker leveraging this vulnerability would likely either be physically in the building or have compromised a host which is physically in the building.
This vulnerability can reportedly only be used to trigger a denial of service condition on VoIP phones, potentially in a wide spread fashion. This would likely disrupt business but would not grant the attacker access to any sensitive information. Business in which affected VoIP phones are used to generate revenue such as commercial and support call centers.
An attacker would need to be on the local area network, directly attached to the vulnerable switch running IOS-XR. This is due to CDP traffic not being forwarded across network boundaries. An attacker leveraging this vulnerability would likely either be physically in the building or have compromised a host which is physically in the building. Successful exploitation would create a denial of service condition..
This vulnerability is described as a format string vulnerability by the original disclosure notice. This class of vulnerabilities is well documented and relatively reliable to exploit given the necessary primitives.
An attacker would need to be on the local area network, directly attached to the vulnerable switch running IOS-XR. This is due to CDP traffic not being forwarded across network boundaries. An attacker leveraging this vulnerability would likely either be physically in the building or have compromised a host which is physically in the building. Successful exploitation could create a denial of service or allow the attacker to hop VLANs. The later is effectively bypassing segmentation and would be of great concern within PCI environments where segmentation is mandated through regulations. Additionally due to the affected device being a router, it’s possible that an attacker could use this vantage point to manipulate, intercept and eavesdrop on traffic.
This vulnerability is described as a “Stack overflow” by the original disclosure notice.
An attacker would need to be on the local area network, directly attached to the vulnerable switch running NX-OS. This is due to CDP traffic not being forwarded across network boundaries. An attacker leveraging this vulnerability would likely either be physically in the building or have compromised a host which is physically in the building. Successful exploitation could create a denial of service of allow the attacker to hop VLANs. The later is effectively bypassing segmentation and would be of great concern within PCI environments where segmentation is mandated through regulations.
This vulnerability originally outlined by bishopfox is a variation on CVE-2017-11317. The patch for CVE-2017-11317 introduced encryption on the object which prevents an attacker from modifying the object in such a way to achieve file upload as the original did. This mitigation, however uses a default value for the encryption key of
Users should change their encryption key (as recommended by Telerik) to a strong password and restart their server to mitigate this vulnerability. At that point an attacker would have to recover that secret value to leverage this attack chain. Versions after and including R2 2017 SP1 are not configured with a default encryption key, making exploiting this dependent on recovering the key through another means.
Mitigation Strength set to 3/5 due to it being dependent on the strength of the password.
The attacker utility for this particular vulnerability is limited by the hardware dependency. Additionally the vulnerability as described in the original disclosure can not be used for privilege escalation, only VMWare escapes.
vmware-vmx.exe process on the host OS runs as the user which started VMware which is why the vulnerability would not yield SYSTEM privileges on the host. At the time of this writing, the
vmware-vmx.exe process does not utilize the new Control Flow Guard which would make it easier to overwrite an entry in the vtable with a function pointer, aiding in exploit development.
While a failed exploit attempt would not crash the host OS because the vulnerability is not kernel mode, the VMWare guest maybe affected and become unresponsive.
The request to /gateway.php references a vulnerable function
LSRoom_Remoting.doCommand within the encoded AMF data. The original parameter for the vulnerable function is “pref -l /var/system/upgrade/status” Replace this part with the command to be executed. Authentication to the web application is not necessary however a valid PHP session ID must be passed within the request.
The FirebirdSQL server is vulnerable to a stack buffer overflow that can be triggered when an unauthenticated user sends a specially crafted packet. The result can lead to remote code execution as the user which runs the FirebirdSQL server.
A lack of ASLR in some modules makes exploiting this vulnerability easier as memory locations do not need to be leaked. If the service crashes, it will automatically be restarted in the default configuration.
The SQL injection vulnerability is boolean-based blind. Exploitation is relatively simple but the attacker needs to be able to authenticate to Wordpress and possess the privileges to create a new post to attach the vulnerable widget.
This vulnerability appears to be based on a web request to a
/vpns/ resource containing a directory traversal reference. The traversal reference seems to grant access to the admin portal. This specifically is blocked by the
skip_systemaccess_policyeval flag in the interim fix published by Citrix. Based on what information is available publicly, the vulnerability can be exploited to gain code execution on the Citrix server without authentication information. This would be very useful to an attacker because it could be exploited remotely, without authentication and due to the nature of Citrix servers often having a lot of traffic which could facilitate an attacker’s efforts to obfuscate their activity.
In some environments, Cirtix servers may not be patched as frequently as other systems due to their mission critical nature of providing applications for external users. In this case, attackers may have an easier time in escalating their privileges once code execution has been obtained. This would only be necessary if the initial vector did not already yield
NT_AUTHORITY\SYSTEM privileges which the current information does not specify.
A vulnerability exists within the Razer Synapse driver
rzpnk.sys in the IOCTL dispatch routine for 0x226048 that can allow an attacker to pass an input buffer which can trigger an out of bounds read operation. A handle can be opened to issue this IOCTL from
\\.\47CD78C9-64C3-47C2-B80F-677B887CF095. The result will cause a denial of service condition on the system in the form of a blue screen of death (BSOD).
The first four bytes of the buffer are used as the size, first to allocate space and then to read from the source. Since the allocation is of the proper size, an out of bounds write can not be accomplished. If however the specified size is larger than the buffer, then the
memcpywill continue to read data after the buffer ends.
Build the buffer to trigger the exception in Python:
# the first 4 bytes are the size then it must be padded to at least 0x220 bytes buffer_ = struct.pack('I', 0x70000000) + (b'\x00' * 0x21c)
Proof of Concept code:
The Razer rzpnk.sys driver exposes a device
\\.\47CD78C9-64C3-47C2-B80F-677B887CF095 which can be used to open an handle to an arbitrary process from any user. A user needs to open a handle to this device and issue
NtDeviceIoControlFile using the IOCTL
0x22a050 to trigger the vulnerable code path. The buffer to be passed to the process is the target PID to open and 0 packed as two QWORD values (
buffer = [pid, 0].pack('QQ'). This ultimately leads to a call to
ZwOpenProcess which does not perform as many security checks as
NtOpenProcess, thus allowing a user to open a handle to an arbitrary process.
To gain code execution from this vulnerability, the
user32!LockWindowStatoin function can be hooked within the
winlogon process. This process and function are ideal targets because
winlogon runs as
NT_AUTHORITY\SYSTEM and the function can be triggered on demand. As a by product of exploiting this, the screen will be locked, which may tip off an observant user who is interacting with the system at the time of exploitation.
Exploitation of this vulnerability is quite reliable as it does not rely on memory corruption.
Analysis performed using rdpcorets.dll from Windows 8.1 x64 (sha256:
The vulnerability exists within
rdpcorets.dll loaded in the process
svchost.exe -k NetworkService running as
NT AUTHORITY\NETWORK SERVICE. This is started by the service “Remote Desktop Services”.
The bug is triggered by sending a specially crafted request over the
drdynvc channel which must be setup. Use the flags
RDPConstants::CHAN_INITIALIZED | RDPConstants::CHAN_ENCRYPT_RDP when initializing it.
After the DynVC channel has been initialized, the overflow is triggered by sending segmented data (
DYNVC_DATA_COMPRESSED) frame, see MS-RDPEDYC:25 for details. Note that segmented data is different than a data segment.
The compressed frame includes a payload as defined in MS-RDPEGFX section 2.2.5. The below snippet can be used to build a compatible data segment. The RDP segmented data field contains a length field which is the root cause of the vulnerability.
# see [MS-RDPEGFX] section 184.108.40.206 def build_rdp_data_segment(data) # RDP_DATA_SEGMENT encoded = [data.length + 1].pack("L<") encoded << "\x04" encoded << data end def build_trigger # see [MS-RDPEGFX] section 2.2.5 rdp_data_segment = build_rdp_data_segment(("\x41" * 0x50) + [0xdead1337dead1337].pack('Q')) rdp_segmented_data = [0xe1, 1, 0x40 - 0x2000].pack("CS<l<") + rdp_data_segment end
An object needs to be created and corrupted, potential candidates are below.
|Object Name||Breakpoint Address||Size||Can Create?|
||0x138||Static number can be created|
rdpcorets+f67dc ".printf \"CRdpDynVCMgr::HandleIncomingDvcData\\n\"; db rdx"
rdpcorets+1dcc89 ".printf \"memcpy(dst=%N, src=%N, size=%N)\\n\", rcx, rdx, r8; g
memcpycall that copies the buffer to the target and overflows it
rdpcorets+c9538 ".printf \"CRdpDynVC::Initialize\\n\"; g"
- Watch object creation instances
- Watch object creation instances
msvcrt+1e00 ".printf \"operator new(size=%N)\", rcx; gu; .printf \" = %N\\n\", rax; g"
Read Access Violation
The following stack trace was taken during a RAV after having corrupted an object using the target memcpy call.
0:001> g (138c.13b4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. rdpcorets+0xd9d36: 00007fff`a5b79d36 49895014 mov qword ptr [r8+14h],rdx ds:41414141`41414155=???????????????? 0:033> k Child-SP RetAddr Call Site 00000050`beaaf478 00007fff`a5b79c7f rdpcorets+0xd9d36 00000050`beaaf480 00007fff`a5b7c3bf rdpcorets+0xd9c7f 00000050`beaaf4c0 00007fff`a5b91190 rdpcorets+0xdc3bf 00000050`beaaf5f0 00007fff`a5b90cb1 rdpcorets+0xf1190 00000050`beaaf690 00007fff`a5bf2893 rdpcorets+0xf0cb1 00000050`beaaf720 00007fff`c9ed13d2 rdpcorets!DllGetClassObject+0x75b3 00000050`beaaf7e0 00007fff`caf654f4 KERNEL32!BaseThreadInitThunk+0x22 00000050`beaaf810 00000000`00000000 ntdll!RtlUserThreadStart+0x34 0:033> u rdpcorets+0xd9d36: 00007fff`a5b79d36 49895014 mov qword ptr [r8+14h],rdx 00007fff`a5b79d3a 498d5028 lea rdx,[r8+28h] 00007fff`a5b79d3e 41c7401038000000 mov dword ptr [r8+10h],38h 00007fff`a5b79d46 4d89481c mov qword ptr [r8+1Ch],r9 00007fff`a5b79d4a 45894824 mov dword ptr [r8+24h],r9d 00007fff`a5b79d4e 8d0c8510000000 lea ecx,[rax*4+10h] 00007fff`a5b79d55 4803ca add rcx,rdx 00007fff`a5b79d58 44890a mov dword ptr [rdx],r9d 0:033> r rax=0000000000000000 rbx=00007fffa5b79d10 rcx=00000050bf0c1940 rdx=0000000000000001 rsi=00000050bdcba9a0 rdi=00000050bf0c1940 rip=00007fffa5b79d36 rsp=00000050beaaf478 rbp=00000050bf0c7450 r8=4141414141414141 r9=0000000000000000 r10=0000000000000007 r11=00000050beaaf4b8 r12=00000050bf0c1f40 r13=00000050bf0c23c0 r14=0000000000000000 r15=00000050bdccfdc0 iopl=0 nv up ei pl zr na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 rdpcorets+0xd9d36: 00007fff`a5b79d36 49895014 mov qword ptr [r8+14h],rdx ds:41414141`41414155=????????????????